ANTI-MONEY LAUNDERING AND CLIENT IDENTIFICATION POLICY

SpendX L.L.C-FZ

Dubai, United Arab Emirates

Registration number: 104939822300001

Effective Date: December 23, 2025

1. Introduction and Policy Purpose

SpendX L.L.C-FZ ("SpendX", "Company", "We", "Our" or "Us") is committed to preventing money laundering, terrorist financing, and other financial crimes. The Company operates under the supervision of the Dubai Virtual Assets Regulatory Authority (VARA) and complies with international standards of the Financial Action Task Force (FATF), as well as federal legislation of the United Arab Emirates.

This Anti-Money Laundering (AML) and Know Your Customer (KYC) Policy establishes comprehensive procedures that SpendX uses either independently or through delegation to the certified contractor SAFELEMENT LIMITED (registration number: 3148041, Hong Kong) based on the AML/KYC Services Agreement dated [date].

The Policy applies to all users, clients, partners, and counterparties using the SpendX platform for cryptocurrency payments, transfers, exchanges, and related services.

2. Regulatory and Legal Basis

2.1 Applicable Legislation

SpendX operates in accordance with the following legislation and requirements:

UAE Charter Bodies and Regulations:

• VARA Rulebooks (Compliance and Risk, Virtual Assets and Related Activities Regulations 2023)
• UAE Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering
• Dubai Law No. 4 of 2022 on Virtual Assets
• UAE Federal Cabinet Resolution No. 111 of 2022
• UAE Cabinet of Ministers Resolution No. (10) of 2019 on Travel Rule Implementation
• UAE Cabinet of Ministers Resolution No. (24) of 2022 on Travel Rule Execution
• Central Bank of UAE (CBUAE) AML/CFT Guidelines

International Standards:

• FATF Recommendations 1-40
• International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (IMFS)
• FATF Recommendation 15 (Travel Rule)

2.2 Supervisory Authority

SpendX's direct supervisory authority is the Dubai Virtual Assets Regulatory Authority (VARA). SpendX operates under a VARA license and is subject to its requirements, including periodic compliance reviews and ratings assessments.

3. Key Terms and Definitions

Anti-Money Laundering (AML): A set of measures and procedures aimed at preventing the laundering of illicit funds through virtual asset operations, including client identification, transaction monitoring, sanctions screening, and reporting suspicious activity to competent authorities.

Know Your Customer (KYC): The process of identifying, verifying, and checking the identity, legitimacy of activities, and financial profiles of clients before allowing them to conduct operations on the SpendX platform.

Customer Due Diligence (CDD): Standard procedures for collecting, verifying, and documenting client information, including full name, date of birth, residential address, and government-issued ID details.

Enhanced Due Diligence (EDD): Additional, more intensive verification and analysis procedures applied to high-risk clients, including detailed examination of source of funds, source of wealth, beneficial ownership structure, and business purpose.

Politically Exposed Persons (PEPs): Individuals who are or have been entrusted with prominent public functions (senior government officials, heads of state-owned enterprises, senior international organization officials), as well as their immediate family members and close associates.

Beneficial Owner: The natural person(s) who ultimately owns, controls, or has significant influence over the management of the client or has a legal or effective ownership right of more than 5% in a legal entity or structure.

AMLKYT Check: An automated search service provided by contractor SAFELEMENT LIMITED to ensure compliance with FATF anti-money laundering and terrorist financing standards, available for 25+ supported blockchains and their native assets.

Risk Scoring: Automated risk level assessment for clients and individual transactions using SAFELEMENT LIMITED's proprietary algorithms, with scores from 0 to 100 (standard monitoring threshold: <60).

Money Laundering Reporting Officer (MLRO): The appointed SpendX employee (Compliance Officer) responsible for overseeing the AML/KYC program implementation, coordination with SAFELEMENT LIMITED, receiving and processing suspicious activity reports, filing SARs with UAE FIU, and ensuring regulatory compliance.

Suspicious Activity Report (SAR): A formal report submitted to the UAE Financial Intelligence Unit (FIU) via the goAML system within 48 hours of detecting activity presumed to be related to money laundering, terrorist financing, proliferation financing, or other financial crimes.

Travel Rule: A requirement under FATF Recommendation 15 and UAE law (Resolution No. 24/2022) mandating Virtual Asset Service Providers (VASPs) to collect, verify, and transmit originator and beneficiary information for virtual asset transfers exceeding thresholds (>1000 USD equivalent).

Virtual Asset Service Provider (VASP): An organization providing services involving transfers, custody, exchange, issuance, or administration of virtual assets, including SpendX as a payment platform.

Sanctions Screening: The process of checking client and counterparty data against international sanctions lists, including UN, EU, US (OFAC), INTERPOL, Hong Kong, and VARA/UAE authorities lists.

Address Monitoring: An automated tool for checking specified blockchain addresses and notifying of risk score increases, provided by SAFELEMENT LIMITED (applicable only to addresses with risk <60 and not blacklisted).

SAFELEMENT LIMITED (AMLBot): Certified contractor providing AMLKYT checks, risk scoring, address monitoring, API integration, and test KYC services under the AML/KYC Services Agreement (registration number: 3148041, Hong Kong).

4. Organizational Structure and Responsibilities

4.1 Board of Directors and Senior Management

The Board of Directors and senior management of SpendX are responsible for:

• Approving and supporting the AML/KYC policy
• Allocating sufficient financial and human resources for compliance functions
• Ensuring independent audits of AML/KYC procedures (at least annually)
• Periodic review and approval of policy updates
• Fostering a compliance-first organizational culture
• Overseeing contractual relationships with SAFELEMENT LIMITED

4.2 Money Laundering Reporting Officer (MLRO/Compliance Officer)

SpendX appoints a qualified MLRO responsible for:

Supervisory Functions:

• Overall oversight of AML/KYC program implementation and maintenance
• Coordination with SAFELEMENT LIMITED on all KYC/AML matters
• Managing client onboarding and verification processes
• Receiving and investigating suspicious activity reports from staff and systems
• Determining adequacy of AMLKYT check results from SAFELEMENT LIMITED

Reporting Functions:

• Filing Suspicious Activity Reports (SARs) with the UAE Financial Intelligence Unit (FIU) via the goAML system within 48 hours of detecting suspicious activity
• Preparing and submitting mandatory regulatory reports to VARA
• Informing management of identified risks and SARs

Training and Documentation Functions:

• Coordinating and ensuring mandatory training of all employees in AML/KYC procedures within 30 days of hire and annually
• Maintaining complete documentation and records of compliance activities
• Organizing periodic internal audits of the AML/KYC program
• Archiving all KYC files and AMLKYT check results

Interaction Functions:

• Responding to regulator requests and audits (VARA, FIU, justice authorities)
• Coordinating with law enforcement when necessary
• Interacting with other VASPs for Travel Rule information exchange

MLRO Contact Information:

SpendX L.L.C-FZ

Meydan Grandstand, 6th floor

Meydan Road, Nad Al Sheba

Dubai, U.A.E.

support@gmail.com

4.3 Compliance Team

SpendX maintains a specialized compliance team under direct MLRO supervision, responsible for:

• Initial reception and processing of documentation for new client onboarding
• Submission of client data to SAFELEMENT LIMITED for AMLKYT checks and risk scoring
• Analysis and interpretation of AMLKYT check results received from SAFELEMENT LIMITED
• Making decisions on client approval, requesting additional information (EDD), or rejection
• Ongoing monitoring of client transactions and behavior
• Reviewing address monitoring results from SAFELEMENT LIMITED
• Initiating conversations with clients when suspicious patterns are identified
• Documentation and archiving of all compliance files

4.4 Information Security Division

SpendX's security team is responsible for:

• Protection of personal and financial client data
• Access management to systems containing sensitive information
• Audit of access logs and detection of unauthorized use
• Rapid response to security incidents
• Coordination with SAFELEMENT LIMITED on data security matters

4.5 All SpendX Employees

Obligations:

• Full understanding and compliance with AML/KYC procedures
• Mandatory training completion within 30 days of hire and annual updates
• Immediate reporting of suspicious activity to the Compliance Officer or MLRO
• Maintaining confidentiality of client information and compliance records
• Cooperation with internal and external compliance audits
• Upholding ethical standards in accordance with company policy

5. Delegation of Functions to SAFELEMENT LIMITED

5.1 Basis for Delegation

SpendX, based on the Agreement on the Provision of Anti-Money Laundering and Client Identification Services (signed October 28, 2025, DocuSign Envelope ID: 34FE5DDF-DD22-45CC-A38D-7ABF715A8CC3), delegates the following functions to contractor SAFELEMENT LIMITED.

5.2 Delegated Functions

1. AMLKYT Checks (15,000 checks per year)

SAFELEMENT LIMITED conducts automated searches of blockchain data and external sources to assess client and address compliance with FATF standards. Checks are available for 25+ supported blockchains (including Bitcoin, Ethereum, Tether, and others) and their native assets.

2. Automated Risk Scoring

SAFELEMENT LIMITED provides risk assessments on a 0-100 scale with a threshold of <60 for standard monitoring. Scoring considers multiple factors, including country of origin, transaction patterns, connection with sanctions lists, and PEP status.

3. Address Monitoring

For addresses with risk <60, SAFELEMENT LIMITED conducts continuous monitoring, notifying SpendX of risk score increases or blacklisting.

4. API Integration

SAFELEMENT LIMITED provides technical API integration, allowing SpendX to automatically request AMLKYT checks in real-time during client onboarding and transaction monitoring.

5. Test KYC (100 free checks)

For validation of integration processes and testing, SpendX may use 100 free AMLKYT checks.

6. Priority 24/7 Support

SAFELEMENT LIMITED provides continuous technical support for addressing integration issues, fixing errors, and providing consultations.

5.3 Remaining SpendX Responsibilities

Despite delegating functions, SpendX retains full regulatory responsibility for:

• Final decision-making on client approval or rejection (SAFELEMENT LIMITED results are recommendations, not final decisions)
• Conducting EDD for high-risk clients requiring additional analysis
• Filing SARs to UAE FIU via the goAML system (SAFELEMENT LIMITED provides information, but SpendX is responsible for filing)
• Storage and archiving of all KYC documents for minimum 8 years
• Travel Rule compliance when transmitting virtual assets to counterparties
• Sanctions screening through additional internal systems
• Work with regulators (VARA, FIU, justice authorities) - SpendX remains the point of contact

5.4 Quality Control

SpendX conducts periodic quality reviews of SAFELEMENT LIMITED's work:

• Monthly Review: Analysis of a representative sample of 50 AMLKYT checks
• Quarterly Audit: Verification of timeline compliance, accuracy of scoring, completeness of documentation
• Annual Re-evaluation: Assessment of contractor compliance with Agreement terms and VARA requirements

Upon identifying defects, MLRO immediately notifies SAFELEMENT LIMITED and requires remediation.

6. Client Identification and Verification (CDD)

6.1 Timeliness Principle

Client identification and verification must be completed before providing the client access to SpendX services, opening an account, or conducting any transactions on the platform.

No exceptions. No client may access the platform until CDD is completed.

6.2 Required Information for Natural Persons

For all individual SpendX clients (through SAFELEMENT LIMITED or directly), SpendX collects and verifies:

Personal Data:

• Full legal name (as stated in government document)
• Date of birth
• Citizenship and residency status
• Gender (for biometric verification)

Contact Information:

• Current residential address (complete, including postal code)
• Telephone number (with country code)
• Email address

Documents:

• Scan of valid government-issued photo identification (passport, national ID, driver's license, or equivalent)
• Proof of residence issued within the last 6 months (utility bill, bank statement, official government letter)

Financial and Business Information:

• Primary occupation or income source
• Intended account purpose/platform usage
• Expected transaction volume (monthly and one-time payments)
• Source of funds to be used through the platform

If PEP Status Exists:

• Full identification of government official position
• Date of commencement and termination of official position
• Information about immediate family members and close associates

6.3 Required Information for Legal Entities

For companies, LLCs, partnerships, and other structures, SpendX collects:

Organization Information:

• Full legal name (as in registration documents)
• Date of formation/registration
• Jurisdiction of registration
• Registration number in the registry
• Legal address (cannot be a mailbox or virtual office)

Activity and Structure:

• Detailed description of business activities (business model)
• Primary income sources
• Client base and geography of operations
• Organizational structure and reporting

Management and Ownership:

• Names, dates of birth, residential addresses, and citizenship of all directors/managers
• Names, dates of birth, residential addresses, citizenship, and ownership percentage of all beneficial owners (including owners >5%)
• Complete ownership chain to ultimate natural persons (100% traceability)
• For trust structures: identification of settlor, trustee, beneficiaries

Authority:

• Identification of the natural person authorized to manage the account and conduct transactions on behalf of the legal entity
• Documents confirming such authority (registry extract, board resolution, power of attorney)

Required Documents:

• Certificate of registration/registry extract (original or certified copy)
• Charter, articles of association, and other founding documents
• List of directors approved by the registry
• Beneficial ownership documents (if required by law)
• Confirmation of legal address (utility bills, registration documents, lease agreement)
• Board Resolution authorizing account opening and transaction conduct

6.4 Simplified Verification (SDD for Low-Risk Clients)

SpendX may apply simplified CDD to low-risk clients as determined by SAFELEMENT LIMITED's risk assessment:

Low-Risk Criteria:

• UAE citizens with official employment and annual income >500,000 AED
• Businesses registered in UAE with positive compliance history
• UAE government bodies and employees
• UAE banks and licensed financial institutions
• Other VASPs licensed by VARA with verified AML/KYC programs

Simplified Documentation:

• Government-issued identification
• One proof of address
• Basic SAFELEMENT LIMITED verification (score <30)

Simplified CDD does not exclude identity verification and beneficial ownership verification.

6.5 Verification Methods

SpendX uses a multi-layered verification approach through SAFELEMENT LIMITED and internal systems:

Documentary Verification:

• Visual examination of original documents (during in-person contact)
• High-resolution scanning and digital storage of copies
• Verification of document authenticity by security features
• Verification by date of issue and validity period

Biometric Verification:

• Face-to-document matching (via SAFELEMENT LIMITED API)
• Automated liveness detection
• OCR (Optical Character Recognition) for information extraction and verification
• Cross-verification of information across multiple documents

Electronic Verification:

• Requests to government registries (where available and permitted)
• Real-time verification through SAFELEMENT LIMITED
• Address verification through utility companies
• Bank account verification (if necessary)

SAFELEMENT LIMITED Integration (AMLBOT):

• Automated AMLKYT checks across 25+ blockchains
• Risk scoring (0-100) with threshold <60
• Sanctions screening (UN, EU, USA, OFAC, VARA, INTERPOL)
• PEP list checks
• Address monitoring for high-risk clients

6.6 Risk-Based Approach to CDD

SpendX applies a risk-based approach, where verification intensity is proportional to identified risk factors:

Low-Risk Factors (<30):

• UAE residents with official employment
• Small transaction volumes (<50,000 AED monthly)
• Clear financial history
• Work in low-risk industries (services, education, healthcare)
• Bank accounts in UAE or Europe

Result: Standard CDD is sufficient

Medium-Risk Factors (30-59):

• High transaction volumes (50,000-500,000 AED monthly)
• Foreign non-residents
• Frequent cross-border operations
• Ownership of businesses in trade, import, export
• Work in sensitive sectors (gaming, casinos, DeFi)

Result: Standard CDD + Enhanced address verification + More frequent monitoring

High-Risk Factors (60-100):

• Politically exposed persons (PEPs) or their immediate relatives
• Clients from FATF grey/blacklist countries
• Businesses in high-risk jurisdictions
• Business ownership in high-risk industries (precious metals, casinos, money transfer)
• Structuring patterns (multiple small payments instead of one large payment)
• History of compliance violations or negative media coverage
• Opaque ownership structures or use of nominees
• Any positive sanctions screening result

Result: Full EDD (see section 7)

7. Enhanced Due Diligence (EDD)

7.1 When EDD is Required

SpendX applies Enhanced Due Diligence (EDD) upon identifying one or more of the following scenarios:

Mandatory Scenarios:

1. Client or beneficial owner is a Politically Exposed Person (PEP) or family member of a PEP
2. Jurisdiction of residence or beneficial ownership is on FATF grey or blacklist
3. Positive sanctions screening result (INTERPOL, UN, EU, USA, VARA, local lists)
4. Risk score from SAFELEMENT LIMITED exceeds 60
5. Transaction volume exceeds 1,000,000 AED in 30 days
6. Attempt to bypass verification systems or provision of false information detected
7. Client uses nominee, agent, or intermediary to open account
8. Business activity connected with high-risk sectors (weapons, drugs, gambling, money transfer, precious metals)

7.2 EDD Procedures

For high-risk clients, the MLRO initiates expanded procedures:

Phase 1: Extended Information Collection (within 5 business days)

The Compliance Officer requests from the client:

• Detailed Business Justification: Description of business model, platform usage goals, expected volumes, counterparties
• Source of Funds: Documents confirming asset origin (6-month bank statements, payroll records, property sale certificates, loan agreements)
• Source of Wealth: Full explanation of wealth accumulation process (investments, inheritance, business income, asset sales)
• Beneficial Ownership: For legal entities - complete traceability to ultimate natural persons (100%), including all intermediate structures
• Bank References: Letters from current banks confirming good compliance status
• Business References: Letters from business partners, suppliers, customers confirming reputation and reliability

Phase 2: Third-Party Verification (within 10 business days)

The Compliance Officer initiates:

• Bank Contact: Requests to client's current financial institutions about compliance status
• Trade Verification: Verification of business relationships, supplier and customer references
• Biographical Check: If necessary - open-source information searches about client, directors, beneficiaries (news sites, court registries, delinquency registries)
• Site Visit: In critical cases - personal visit by SpendX representative to registered business address for verification

Phase 3: Analysis and Documentation

The MLRO prepares a detailed EDD Report containing:

• Description of identified risks
• Results of conducted checks
• Analysis of source of funds and wealth
• Risk acceptability assessment
• Recommendation: approval (with conditions), rejection, or relationship termination

Phase 4: Senior Management Approval

Before final approval, high-risk clients must be approved by:

• MLRO (mandatory)
• Chief Compliance Officer (if position exists)
• SpendX General Director (in critical cases)

7.3 PEP Procedures and Management

For PEP clients (current or former senior government officials):

Identification:

• Check against VARA PEP lists
• Check against INTERPOL Red Notices
• Check against UN, EU, USA, and other international PEP lists
• Check news sources and court registries

PEP Processing:

• Automatic Rejection: Current PEPs in critical jurisdictions (corruption index >90, high international sanctions) are rejected without exception
• Enhanced Analysis: Former PEPs, PEPs from low-risk jurisdictions, PEP family members require full EDD and CEO-level approval
• Annual Re-certification: Annual PEP status re-evaluation (may change upon assumption/departure from office)

PEP Monitoring:

• Weekly monitoring of transactions (compared to monthly for regular clients)
• Detailed analysis of each transaction (purpose, counterparty, justification)
• Quarterly review of all transactions for the period
• Automatic blocking upon red flags

8. Verification of Legal Entities and Beneficial Ownership

8.1 Beneficial Ownership Verification

For all legal entities, SpendX conducts full ownership traceability:

Requirements:

• Identification of all beneficiaries with ownership exceeding 5%
• Complete ownership chain from company to ultimate natural person (100% traceability)
• Control Documentation - who actually makes decisions (board of directors, general director, founders)
• Annual Re-verification - confirmation that ownership has not changed

Special Structures:

• Trusts: Identification of settlor, trustee, beneficiaries, protectors
• Foundations: Identification of founder, administrator, target beneficiaries
• Partnerships: Identification of all partners and stake owners
• Holdings: Complete ownership chain traceability

Verification of Beneficial Ownership

For all legal entities SpendX conducts full ownership traceability:

Requirements:

• Identification of all beneficiaries with ownership exceeding 5%
• Complete ownership chain from company to ultimate natural person (100% traceability)
• Control documentation - who actually makes decisions
• Annual re-verification

High-Risk Ownership Structures:

The following structures require additional analysis:

• Opaque Ownership: Nominees, intermediaries, hidden owners
• Multiple Levels: Company behind company (holding of holdings)
• Blurred Responsibility: Impossible to determine who makes decisions
• Frequent Changes: Rapid changes in directors, beneficiaries, addresses
• Connection to PEPs: Beneficiaries or directors have PEP status

Result: Full EDD or rejection

8.2 Legal Entity Address Verification

The legal address of a company must be a real business address, not a mailbox or virtual office:

• Google Maps/Street View Check: Presence of office at the address
• Phone Call Verification: Confirmation that it is a business address
• Document Verification: Utility bills, registration documents
• Personal Visit: In high-risk cases

9. Continuous Client and Transaction Monitoring

9.1 General Monitoring Principles

SpendX has implemented a comprehensive monitoring program combining:

• Automated Monitoring through SAFELEMENT LIMITED and internal systems
• Manual Monitoring by the Compliance Officer
• Behavioral Analysis - detection of deviations from baseline patterns
• Sanctions Screening - verification against growing sanctions lists

9.2 Automated Monitoring through SAFELEMENT LIMITED

Monitoring Parameters:

• AMLKYT checks on each transaction (or selective when volume-based)
• Real-time address risk scoring (update when score >60)
• Address monitoring for known high-risk addresses
• Sanctions screening - checking counterparties against INTERPOL, UN, EU, USA, VARA lists

Frequency:

• Low Risk (score <30): Weekly automated scanning + monthly manual review
• Medium Risk (30-59): Daily automated scanning + weekly manual review
• High Risk (60-100): Continuous scanning + daily manual review + additional checks

9.3 Manual Monitoring

The Compliance Officer manually reviews:

• All transactions flagged by the system as requiring attention
• All high-risk clients - regardless of absence of alerts
• All PEP transactions - detailed analysis of each
• All cross-border payments (between countries)
• All large transactions (>100,000 AED)
• Structuring patterns - multiple payments instead of one

9.4 Suspicious Activity Indicators

SpendX identifies and investigates the following indicators:

Transaction Level:

• Structuring ("Smurfing"): Multiple operations just below reporting thresholds (attempt to avoid monitoring)
• Circular Payments: Transfers that soon return to the sender
• Rapid Disconnections: Immediate forwarding of received funds to third parties
• Sum Asymmetry: Receiving small payments, sending large payments (or vice versa)
• Sanctioned Jurisdictions: Operations with UN-sanctioned jurisdictions
• Mismatch with Goals: Payments inconsistent with stated account purpose
• Zero Spreads: Buying and selling the same assets without price difference
• Fund Mixing: Combining different sources in suspicious patterns

Client Level:

• Contradictory Information: Mismatch between stated and actual data
• Rapid Changes: Unexpected changes in directors, beneficiaries, ownership
• Uncommunicative: Refusal to provide required EDD information
• Document Issues: Fake, altered, or expired documents
• Activation and Inactivity: Accounts inactive for months, then suddenly active with large payments
• Nominees and Agents: Use of third parties for account opening or operations
• Profile Mismatch: Activities inconsistent with stated business

Operation Patterns:

• Timing Patterns: Payments linked to suspicious dates (sanctions, political events)
• Multiple Accounts: Single client managing multiple accounts to hide operations
• Price Negotiations: Attempts to negotiate special conditions to hide fund sources
• VPN and Masking: Use of technologies to hide real location
• Automated Operations: Bots and scripts suspiciously quickly conducting operations

9.5 SAFELEMENT LIMITED Address Monitoring

For addresses with risk <60, SAFELEMENT LIMITED checks daily:

• Risk Score Increases (above 60 threshold) - SpendX notification
• Blacklist Inclusion - SpendX notification and action
• Source Changes - detection of connection with new potential risk sources

10. Travel Rule Compliance

10.1 Travel Rule Definition

The Travel Rule is a FATF Recommendation 15 and UAE law (Resolution No. 24/2022) requirement mandating VASPs to collect, verify, and securely transmit originator and beneficiary information for virtual asset transfers exceeding established thresholds (>1000 USD equivalent or VARA-established threshold).

10.2 Travel Rule Applicability

SpendX applies Travel Rule to:

• Outgoing Transfers: When a SpendX client sends virtual assets to another VASP or a third party's blockchain address
• Incoming Transfers: When SpendX receives virtual assets from another VASP
• Thresholds: Transfers >1000 USD equivalent or other threshold established by VARA

10.3 Originator Information

For each outgoing transfer >1000 USD, SpendX collects and verifies:

Originator Data:

• Full legal name (matching ID document)
• Date of birth (for natural persons)
• Citizenship / Country of registration (for legal entities)
• Residential / Registration address
• SpendX account number or client wallet identifier
• Beneficial owner (if different from primary client)

Verification:

• Cross-check against SpendX KYC files
• Confirmation of client authorization for transaction
• Verification that originator is not blocked or sanctioned

10.4 Beneficiary Information

For each incoming payment >1000 USD, SpendX collects from the sending VASP:

Beneficiary Data:

• Full name (as in identification document)
• Client type (natural or legal person)
• Address
• Account/wallet number at SpendX
• Beneficial owner (if applicable)

Verification:

• Verification of sending VASP information match with SpendX beneficiary records
• Confirmation that beneficiary is an active SpendX client
• Sanctions status check of beneficiary

10.5 Information Transfer Between VASPs

SpendX transmits originator information to counterparty VASPs using:

Secure Channels:

• Encrypted transmission (TLS/SSL or equivalent)
• Digital signatures for authentication
• Delivery/receipt confirmation

Format:

• Standardized format (SWIFT equivalent or other VARA-approved format)
• Structured fields for clarity and completeness

Timeline:

• Transmission within transactional window (usually <1 hour after initiation)
• If unable to transmit before transaction - transmission upon receipt

10.6 Travel Rule Record Keeping and Archiving

SpendX maintains complete records:

• Originator Information for each outgoing payment >1000 USD
• Beneficiary Information for each incoming payment >1000 USD
• Transfer/Receipt Confirmations between VASPs
• Date and Time of each operation
• Any Exceptions or Errors during transmission

Archiving Duration: Minimum 5 years from payment date

11. Sanctions Screening and Terrorist Financing Countermeasures

11.1 Sanctions Screening Program

SpendX implements multi-level screening against the following lists:

International Sanctions Lists:

• UN: Consolidated Sanctions Lists (All Committees)
• European Union: Consolidated List of Persons, Groups, Entities
• USA: OFAC Lists (SDN, Blocked Persons, Sectoral Lists)
• United Kingdom: FCDO Consolidated List
• Canada: GAC Consolidated List (if applicable)

Regional and Local Lists:

• UAE: MOFAIC Lists, CBUAE Lists
• VARA: VARA Administrative Orders, Enforcement Actions
• Hong Kong: ICAC List (if counterparty from Hong Kong)

11.2 Client-Level Screening

During Onboarding:

• 100% screening of all new clients before account opening
• Client and all beneficiary screening against sanctions lists
• PEP list screening

Upon Data Changes:

• Re-assessment when client information changes
• Screening upon expansion of client activity

Periodic Screening:

• Monthly screening of all active clients
• Weekly screening of high-risk clients
• Daily screening of known high-risk addresses (via SAFELEMENT LIMITED)

11.3 Transaction-Level Screening

For each payment, SpendX checks:

• Sanctions Status of Recipient/Sender
• Sanctions Status of Counterparties (companies client works with)
• Jurisdictions - payments to/from sanctioned countries
• Blockchain Addresses - verification against known sanctioned addresses (via SAFELEMENT LIMITED)

11.4 Screening Methods

Exact Matching:

• Direct comparison of client name against sanctions lists
• Search for name variations (transliteration, surname-first name order)

Fuzzy Matching:

• Phonetic comparison (similar sounds - Alexei = Aleksey)
• Visual comparison (similar characters - o=0, l=1)
• Tolerance for errors and typos

Manual Review:

• All potential matches require Compliance Officer manual review
• Context analysis - determining if same person or namesake
• Decision documentation (approval or exception)

11.5 Positive Sanctions Screening Results

Upon positive screening result (match):

1. Immediate Transaction Blocking (if not yet processed)

2. Account Freezing (if sanctioned client)

3. Investigation - verification whether error or real match

4. Documentation - detailed incident report

5. SAR Filing - Suspicious Activity Report to FIU within 48 hours

6. VARA Notification - informing regulator of incident

11.6 False Positives

If sanctions match is determined to be an error (namesake, typo):

• Documentation - detailed explanation of why false positive
• Whitelist Development - adding to exceptions for future screenings
• Access Restoration - account unblocking and transaction completion
• Client Notification - informing client of temporary blocking (without disclosing sanctions process details)

12. Suspicious Activity Reports (SAR)

12.1 Reporting Obligations

SpendX has a mandatory requirement to report suspicious activity to the UAE Financial Intelligence Unit (FIU) via goAML system within 48 hours of detecting activity presumed to be related to:

• Money laundering
• Terrorist financing
• Financing of weapons of mass destruction proliferation
• Other financial crimes

12.2 Types of Suspicious Activity Subject to SAR

Transaction Level:

• Structuring ("Smurfing"): Multiple operations just below reporting thresholds, clearly intended to avoid monitoring
• Disproportionate Transactions: Operation amount significantly exceeds typical for this client
• Circular Payments: Receiving funds and their rapid return (often to different person)
• Rapid Disconnections: Immediate forwarding of received funds to third parties without logical explanation
• Sanctioned Jurisdictions: Any operations with sanctioned countries, persons, or entities
• Complex Other Transactions: Unusual structure, multiple transfers to achieve end goal

Client Level:

• False Information: Providing knowingly false data upon registration (forged documents, false address)
• PEP Status Disclosure After Account Opening: Discovery that client is politically exposed person hidden during registration
• Refusal to Cooperate: Inability to verify client information, refusal to provide required documents
• Rapid Structural Changes: Multiple and rapid changes in directors, owners, registration address
• Third-Party Monitoring: Notifications from partner banks about client suspicious activity

Company Level:

• Lack of Visible Business: Registered company without visible office, employees, activity
• Activity Discontinuity: Company inactive for extended period, then suddenly conducting large payments
• Multiple Jurisdictions: Complex holding structure dispersed across countries without logical reason

12.3 SAR Preparation Process

Step 1: Detection (Immediate)

Upon suspicious activity detection, Compliance Officer:

• Initiates formal investigation
• Documents date and time of detection
• Documents information source (system, employee report, SAFELEMENT LIMITED)
• Documents specific facts and observations

Step 2: Investigation (within 24-48 hours)

Compliance Officer conducts detailed investigation:

• Document Collection: All KYC files, transaction records, client correspondence, AMLKYT check results from SAFELEMENT LIMITED
• Transaction Analysis: Map of all payments, incoming and outgoing, with dates and amounts
• Client Relationship Review: Historical account activity, patterns, growth trajectory
• Third-Party Information: Bank reports, news searches, social media presence
• Regulatory Database Check: Review of previous SARs, enforcement actions

Step 3: Risk Assessment

Assessment of the following:

• Likelihood of money laundering/terrorist financing
• Identification of suspicious activity type
• Connection to known criminal networks or sanctioned jurisdictions
• Quantum of financial impact

Step 4: SAR Filing

Filing of formal SAR to FIU via goAML system containing:

• Case Information: SpendX identification, MLRO identification, submission date
• Suspicious Activity Description: Detailed narrative of detected activities
• Client Information: Full client details, account number, verification date
• Transaction Details: All relevant transaction information
• Investigative Findings: Conclusions and risk assessment
• Recommended Actions: Recommendations for regulatory follow-up
• Supporting Documentation: Copies of relevant documents, correspondence, transaction records

Step 5: Post-Filing Actions

• Account Freeze: Account immediately frozen pending FIU response
• Management Notification: MLRO informs SpendX leadership
• Restriction on Disclosure: SAR filing kept confidential (with limited internal access)
• Documentation Retention: Complete SAR file maintained for minimum 5 years

13. Staff Training and Awareness

13.1 Mandatory Training Requirements

All SpendX employees receive mandatory AML/KYC training:

Timing:

• Initial Training: Within 30 days of hire
• Refresher Training: Annually for all staff
• Ad-Hoc Training: Upon policy changes or regulatory updates

Content:

• Overview of AML/KYC requirements and SpendX policies
• Identification of suspicious activity indicators
• Client onboarding and verification procedures
• Travel Rule implementation
• Sanctions screening processes
• SAR preparation and filing
• Confidentiality and data protection obligations
• Real-world case studies and examples
• Role-specific training (for compliance, operations, customer service teams)

Delivery:

• In-person or online training sessions
• Documentation of training attendance and dates
• Certification required after completion
• Refresher certifications every 12 months

13.2 Training Records

SpendX maintains detailed training records:

• Employee name, position, date of hire
• Training dates and content attended
• Training materials and assessment results
• Signature of employee confirming understanding
• Trainer identification and credentials
• Updates to training records upon refresher completion

13.3 Role-Specific Training

Compliance and AML Team:

• Advanced training on AMLKYT procedures
• Deep-dive on SAFELEMENT LIMITED systems
• EDD and high-risk client procedures
• SAR preparation in detail
• Travel Rule implementation

Operations and Customer Service:

• Client onboarding requirements
• Suspicious activity reporting procedures
• Confidentiality obligations
• Escalation procedures

Senior Management and Board:

• AML/KYC governance and oversight
• Regulatory requirements and VARA expectations
• Emerging threats and risk trends
• Remediation of compliance failures

14. Audit and Testing

14.1 Internal Audits

SpendX conducts periodic internal audits of the AML/KYC program:

Frequency:

• Minimum annually
• More frequently for high-risk areas
• Immediately following significant regulatory changes or incidents

Scope:

• Compliance with this policy and all procedures
• Effectiveness of client verification processes
• Quality of AMLKYT checks and risk scoring
• Transaction monitoring and detection of suspicious activities
• SAR preparation and timely filing
• Training program effectiveness
• Staff understanding and compliance with procedures
• Travel Rule implementation and record-keeping
• Sanctions screening accuracy
• General compliance with VARA and international standards

Conduct:

• Independent audit team (separate from compliance operations)
• Detailed audit plan and testing procedures
• Sample-based testing of processes
• Interviews with relevant staff
• Review of documentation and records
• Detailed audit report with findings and recommendations

14.2 External Audits

SpendX engages independent external auditors annually:

Scope:

• Assessment of AML/KYC program design and effectiveness
• Testing of all procedures and controls
• Evaluation of SAFELEMENT LIMITED contractor performance
• Assessment of regulatory compliance
• Industry benchmark comparison

Auditor Independence:

• External auditor unaffiliated with SpendX
• Professional independence and qualifications
• No conflicts of interest in reporting

Reporting:

• Detailed audit report to Board of Directors
• Audit findings and recommendations
• Remediation plan for identified deficiencies
• Follow-up audit 6 months after findings

14.3 Regulatory Examinations

SpendX maintains readiness for regulatory examinations by VARA:

Preparation:

• Maintaining all required documentation and records
• Regular compliance assessments
• Staff training and awareness
• Effective AML/KYC controls

Examination Cooperation:

• Full cooperation with VARA examination requests
• Prompt provision of requested documents and data
• Honest and complete responses to inquiries
• Implementation of examination findings and recommendations

Records Maintenance:

• Minimum 8-year retention of all KYC files
• Transaction records retention for minimum 5 years
• SAR and investigation files for minimum 5 years
• Training and compliance records for minimum 3 years

15. Data Protection and Confidentiality

15.1 Data Protection Standards

SpendX treats all personal data and client information with utmost confidentiality:

Standards:

• Compliance with UAE data protection regulations
• Implementation of industry-standard security measures
• Access restrictions to necessary personnel only
• Encryption of sensitive data in transit and at rest
• Regular security audits and penetration testing
• Incident response procedures

Access Controls:

• Role-based access (employees access only data necessary for their functions)
• Multi-factor authentication for sensitive systems
• Audit logging of all data access
• Regular review of access permissions

Data Retention:

• KYC files retained minimum 8 years after account closure
• Transaction records retained minimum 5 years
• SAR and investigation files retained minimum 5 years
• Regular secure deletion of outdated records

15.2 Confidentiality of SAR Information

Information relating to SARs is strictly confidential:

• SAR filing kept confidential (prohibition on "tipping off" clients)
• Limited internal access to SAR information (MLRO and relevant management only)
• No disclosure to clients that SAR has been filed
• Training of staff on SAR confidentiality obligations
• Potential criminal penalties for unauthorized disclosure

15.3 Sharing of Information with Authorities

SpendX shares information with authorities as required or authorized:

• Full cooperation with FIU requests and investigations
• Prompt responses to VARA requests
• Cooperation with law enforcement investigations
• Information sharing with other VASPs for Travel Rule purposes
• No disclosure to clients regarding such sharing (where legally permitted to withhold)

16. Record Keeping and Documentation

16.1 Required Records

SpendX maintains comprehensive records:

Client Records:

• Complete KYC files for all clients
• All identity verification documents
• Beneficial ownership documentation
• AMLKYT check results from SAFELEMENT LIMITED
• Risk scoring results
• EDD files for high-risk clients
• Periodic monitoring results

Transaction Records:

• Transaction date, amount, currency
• Identification of parties
• Beneficiary information
• Travel Rule information (for large transfers)
• Transaction purpose (where applicable)
• Sanctions screening results

Compliance Records:

• AML/KYC Policy and all updates
• SAR filings and responses
• Internal audit reports
• External audit reports
• VARA examination reports
• Training records for all staff
• Investigation files
• Quality control reviews of contractor performance

Communication Records:

• Correspondence with VARA
• Correspondence with FIU
• Correspondence with other VASPs
• Client correspondence regarding KYC/AML matters

16.2 Record Retention Periods

SpendX maintains records for the following minimum periods:

• KYC Files: 8 years after account closure or relationship termination
• Transaction Records: 5 years from transaction date
• SAR Records: 5 years from filing
• Training Records: 3 years
• Audit Reports: 5 years
• Policy and Procedures: Permanently (archived versions)

16.3 Record Organization and Retrieval

Records are organized to permit timely retrieval:

• Systematic filing and database organization
• Index systems for rapid location
• Digital archive with search functionality
• Secure storage (physical and digital)
• Backup systems for data recovery
• Regular testing of retrieval procedures

17. Policy Review and Updates

17.1 Annual Review

SpendX conducts annual review of the AML/KYC Policy:

Review Process:

• Comprehensive assessment of policy effectiveness
• Evaluation of compliance with current regulations
• Analysis of detected suspicious activity and SAR trends
• Review of contractor (SAFELEMENT LIMITED) performance
• Industry developments and best practices review
• Feedback from staff and compliance officers
• Regulator feedback and expectations

Documentation:

• Written review report
• Identification of any policy gaps or deficiencies
• Recommendations for updates
• Implementation timeline for changes

17.2 Policy Updates

Significant changes to regulations, VARA guidance, or internal practices trigger policy updates:

Update Triggers:

• Changes in VARA regulations
• Changes in FATF recommendations
• Changes in international sanctions lists or standards
• Changes in travel rule requirements
• Results of external audits or regulatory examinations
• Identified deficiencies in current procedures
• Contractor performance issues

Update Procedure:

• Drafting of proposed changes
• Legal and compliance review
• Board approval (for significant changes)
• Staff notification and training on changes
• Effective date implementation
• Documentation of update history

17.3 Policy Distribution

The AML/KYC Policy is distributed to:

• All staff members (copy provided upon hire)
• Board of Directors
• External auditors and regulators upon request
• Contractors (SAFELEMENT LIMITED for relevant sections)
• Available to clients upon request

18. Escalation and Decision-Making Process

18.1 Escalation Procedures

SpendX has clear escalation procedures for suspicious activities:

Level 1 (Initial Detection):

• Employee or system detects suspicious activity
• Report to Compliance Officer or MLRO
• Initial assessment of risk level

Level 2 (Compliance Review):

• Compliance Officer conducts investigation
• Assessment of whether SAR is required
• Low-risk findings documented and filed
• High-risk findings escalated

Level 3 (MLRO Decision):

• MLRO determines if SAR filing is necessary
• High-risk decisions escalated to management

Level 4 (Management Review):

• Significant SAR cases reviewed by CEO or Chief Compliance Officer
• Decisions on relationship continuation
• Actions regarding account freezing or termination

18.2 Account Closure and Client Termination

SpendX may terminate client relationships for:

• Non-cooperation with KYC or EDD procedures
• Provision of false or misleading information
• Suspicious activity inconsistent with client profile
• Positive sanctions screening with no resolution
• Regulatory directive
• PEP status with unacceptable risk
• Refusal of enhanced due diligence

Termination Process:

• Prior written notice to client (where not prohibited)
• Opportunity for client response (where appropriate)
• Management approval of decision
• Documentation of reasons
• Wind-down of account activities
• Final report to VARA if required
• Record retention per regulations

Account Freezing:

• Immediate freeze upon SAR filing
• Freeze of transfers and withdrawals
• Client notification prohibited (where legally permitted)
• Maintenance of freeze pending FIU direction

19. Conclusion

SpendX's AML/KYC Policy reflects the Company's commitment to preventing financial crime and maintaining the integrity of the virtual asset ecosystem. Through comprehensive procedures, staff training, use of advanced technologies, and cooperation with regulators, SpendX maintains robust controls to detect and report suspicious activity while serving its customers effectively.

The ongoing success of this program depends on the engagement of all staff members, the cooperation of clients, the effectiveness of contractor (SAFELEMENT LIMITED) services, and the oversight of senior management and the Board of Directors.

________________________________________

References

Original document: SpendX L.L.C-FZ Anti-Money Laundering and Client Identification Policy (Effective December 23, 2025)