PREAMBLE

XPAID UAB, a company registered in Lithuania at Vilnius Salnos g. 28, registration number 306120408 (hereinafter, referred to as "XPAID", "the Company") is a provider of virtual currency-related services which, in its own economic and professional activity, accepts an order for exchanging virtual currency through an electronic platform and exchanges it for money, doing business as a fintech company that offers an app, software and crypto exchange to optimize and revolutionize mobile and online banking.

The purpose of this Policy is (i) to establish the principles and standards that must be adhered by XPAID in relation to the prevention and control of money laundering and terrorist financing (hereinafter referred to as the "AML Policy"), and also for the purposes of compliance with international sanction programs, (ii) to define roles and responsibilities in this area, (iii) to establish the policies and procedures that must be undertaken by the Company and (iv) to define the essential features of the governance.

This document is a short form of the Company`s AML ANTI-MONEY LAUNDERING AND COUNTERING TERRORISM FINANCING POLICY.

DEFINITIONS

Counterterrorism fighting (CTF): financial countermeasures against the illegal smuggling of cash to terrorist organizations.

European supervisory authorities shall mean the European Banking Authority established under Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ 2010 L 331, p. 12), the European Insurance and Occupational Pensions Authority established under Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ 2010 L 331, p. 48), and the European Securities and Markets Authority established under Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ 2010 L 331, p. 84).

International sanction and programs: Instruments of a political, diplomatic and economic nature used by international institutions and countries to exert influence in areas such as the prevention and pursuit of terrorism, support and defence of human rights and civil liberties, deterrence of possible armed conflicts or the prohibition of the development of weapons of mass destruction.

Money laundering (ML): Participation in any activity that has the aim of acquiring, possessing, controlling, using, converting, transferring, concealing or disguising the nature, source, location, disposition, movement or rights with respect to, or ownership of, criminal property in the knowledge that that property is the proceeds of criminal activity or participation in such activity.

Terrorist financing (TF): The provision, deposit, distribution or collection of any property, in any means, directly or indirectly, with the intention that the property be used, or knowing that the property will be used, in whole or in part, to commit a terrorist act.

The Financial Crimes Investigation Service (FCIS) - Lithuanian national Financial Intelligence Unit (FIU) which responsible for implements of money laundering and terrorist financing prevention measures aimed at creating an effective national anti-money laundering system and ensures its proper functioning as well as conducts pre-trial investigation of legalization of the funds and property derived from the criminal activity. The Service is the main state institution responsible for co-ordination of cooperation of the institutions related to the implementation of money laundering prevention measures.

The Financial Action Task Force (FATF) is an inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. The FATF is therefore a "policy-making body" which works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.

The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. OFAC acts under Presidential national emergency powers, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under US jurisdiction. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied government.

Virtual currency means a value represented in the digital form, which is digitally transferable, preservable or tradable and which natural persons or legal persons accept as a payment instrument, but that is not the legal tender of any country or funds for the purposes of Article 4(25) of Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, pp 35-127) or a payment transaction for the purposes of points (k) and (I) of Article 3 of the same Directive.

Money laundering and terrorist financing are universal globalized phenomena that take advantage of the international economy and the gradual elimination of barriers to trade globally, calling for a coordinated global response by the international community and the financial sector to prevent the sector being used for illicit purposes. The Company recognizes the importance of the fight against money laundering and terrorist financing as it affects essential aspects of social life. The Company will always fully cooperate with the relevant authorities in this area.

This Policy has been developed based on the following legislative acts:

Republic of Lithuania Law on the prevention of money laundering and terrorist financing, 19 June 1997 No VIII-275

Anti-money laundering - Directive (EU) 2018/843;

Anti-money laundering - Directive (EU) 2015/849;

Joint Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced Client due diligence and the factors credit and financial institutions

and other relevant and applicable to the Company international legislation.

SCOPE OF APPLICATION

This Policy:

is applicable throughout the whole Company, is applied on a mandatory basis and compliance with it must be evidenced;

shall be adopted by the Board of Directors of the Company;

shall be adhered to by the Company with any adaptations being strictly limited to those required by local law and regulation. Any adaptation or waiver for any part of this framework must be limited to those required by local law and regulation and submitted to the Company for consideration and approval;

includes reference to specific elements for local implementation all of which should be submitted to the Company for validation to ensure they are consistent with this Policy. This should also be subject to periodic review and updates.

PRINCIPLES

The following principles reflect the minimum Company's expectations of the AML Policy as a whole. These principles are mandatory and must be applied at all times.

Assessment and management of business risk: All Company's branches and/or departments, if any, will be classified by levels of risk for the purposes of designing and implementing measures and controls to mitigate such risks, and for applying greater supervision to high-risk areas of business, products and channels. This acknowledges that the risk of involvement in money laundering or terrorist financing is directly related to the type of business carried on by the Company or their branches, the products they distribute, and the channels used. It also considers that this threat may be managed more efficiently if there is prior knowledge of the potential risk concerning the various types of business and products.

Client risk segmentation, Identification and Know Your Client: Clients of the Company must be classified by risk level for the purposes of designing and implementing measures and controls to mitigate these risks, and for applying greater control over high-risk Clients and transactions. This acknowledges that the risks inherent to money laundering may be managed more efficiently if there is prior knowledge of the potential risk concerning the various types of Clients and transactions.

Counterparties monitoring. Counterparties and transactions must be monitored on a continuous basis once such counterparties have established a formal relationship with the Company.

Know Your Client obligations (hereinafter referred to as the "KYC") to identify (and know your client and their activities) must be established by appropriate due diligence. This obligation will be met in accordance with the provisions made by the applicable legislation and the risk level in areas of business, activities, products, services, distribution or sales channels, countries of operation and transactions carried out.

Prohibited counterparties with enhanced acceptance measures: The Company will not accept counterparties where the necessary data is not available, or which fall into one of the Company agreed categories of prohibited counterparties. Prohibited counterparties are as follows:

Persons on official sanctioned lists or persons that are related to1 countries prohibited by the Company in the terms determined.

Persons where information is available to suggest that they may be involved in criminal activities.

Persons with businesses the nature of which makes it impossible to verify the legitimacy of the activities or the origin of the funds.

Persons who refuse to provide the information or documentation required.

Legal where the shareholder structure or control structure cannot be determined.

Casinos or gambling companies that are not officially authorized.

Counterparties on the list of prohibited Clients in the Company's corporate policies.

Persons/entities on official sanctioned lists or persons that are related to countries prohibited by the Company in the terms determined.

Unlicensed financial institutions

Entities providing Pornography, violent or obscenity content or services

Counterparties involved with the production or distribution of weapons and other military products.

The following categories of Clients will only be accepted with prior authorization by the internal governance body responsible for anti-money laundering and financing of terrorism1

Casinos or gambling companies officially authorized.

Foreign exchange companies, money transmission companies or similar.

Financial institutions that are registered in countries or territories in which they do not have a physical presence (also known as "shell banks").

Politically exposed persons (PEPs) and their relatives and close associates.

Transaction monitoring and analysis: Ongoing monitoring of a business relationship with all types of Clients must be conducted, controlling and analysing sensitive or high-risk transactions in connection with money laundering and terrorist financing, in order to detect suspicious transactions.

Suspicious transaction reporting and systematic reporting: The Company must fulfil the obligation of reporting and cooperate with the relevant authorities.

The Company ensures that all employees are aware of their obligations to immediately report potentially suspicious transactions to the internal AML function, in order to, in accordance with the law, make the necessary reviews and report or notify suspicious transactions to the authorities if required by the law.

The Company ensures that all employees are aware of their obligations when reporting a potentially suspicious transaction or activity to the internal AML function, including not to provide any information, internally or externally, on concerned counterparties or transactions.

The Company ensures that the blocking of transactions and movement of funds and/or the prohibition of opening accounts is executed in line with local law and regulation.

Recordkeeping: The Company ensures that robust record-keeping is maintained and that, as a minimum, documents listed below are kept for a period of at least five (5) years as required by the law1 or any longer periods where applicable:

Documentation regarding identifying and knowing your clients/counterparties.

Reports submitted to the authorities concerning the suspicious activities of clients/ counterparties in connection with potential money laundering and/or terrorist financing, along with any supporting documentation.

Registers of training on money laundering and terrorist financing.

Any other documents or registers that must be kept by applicable legislation of anti-money laundering or terrorist financing.

AML/CTF Training: All employees receive ongoing training on the obligations arising from regulations on the anti-money laundering and terrorist financing

Sanction programs: The Company has effective policies and procedures in place in order to effectively comply with the restrictions under sanction programs and international financial countermeasures.

The Company identifies and follows sanction programs and financial countermeasures, monitors the international sanction programs issued by the Lithuanian Republic, UN, EU and OFAC that might affect the activities of the Company.

The Company assesses risks and manages to determine the extent to which a business relationship or activity may be affected by international restrictions, and approach must be taken into account in risk assessment methodology.

The Company refrains from conducting business relationships with restricted persons and no direct or indirect relations shall be established with persons who are subject to international restrictions. To this end, appropriate and up to date knowledge of counterparties, their activity, and other persons and carrying on relationships with the Company should be obtained.

The Company implements internal controls and prevention mechanisms. Controls and specific measures must be implemented for the prevention and detection of deficiencies in systems and negligent or irregular action taken by employees that may result in a failure or malfunctions in the application of international restrictions.

Consolidated management of know-your-Client risks: Consolidated management of know-your-Client risk constitutes a principle for coordinating and sharing information throughout the Company that helps identify, monitor and reduce risks, and comply with applicable legislation and regulations.

The Company establishes the same above-mentioned discipline for local units/subsidiaries or subsidiaries in third-party jurisdictions, if any, that are directly controlled by them in relation to AML/CTF.

The Company, in all cases, establishes safeguard mechanisms so that information concerning counterparties and their transactions are kept strictly confidential, subject to privacy laws in the country of origin.

ROLES AND RESPONSIBILITIES

The following is a description of the roles and responsibilities of functions involved in the matters covered by this Policy. Such roles and responsibilities are exercised respecting the three lines of defence.

The Company has at least one person appointed as a head of the function level, who will take responsibility for the application of this framework, and its implementation, and enter into dialogue with local supervisors if necessary. The company has special electronic address for external communication with their customers and public authorities regarding all AML issues: aml@exchangepaid.com

The Company may appoint special Compliance Officer who will be responsible for AML/CTF in specific business areas, which operate under the coordination and dependency of the anti-money laundering and terrorist financing function.

First line of defence:

As a general rule and in the context of AML/CFT, the business and support units are the first line of defence in charge of identifying, assessing and controlling the risks of their business. They should know and carry out the policies and procedures such as KYC and risk management procedures and be allotted sufficient resources to do this effectively. As part of the first line of defence, policies and procedures are clearly specified in writing, and communicated to all personnel.

Second line of defence:

Risk and Compliance & Conduct, as the second line of defence, will provide independent challenge and oversight of the risk management activities performed by the first line of defence. This second line of defence ensures that risks are managed in accordance with the risk appetite defined by senior management and promote a strong risk culture throughout the organization as noted in the XPAID UAB Risk management Policy.

As an independent second line of defence, the risk management and compliance function is responsible for monitoring and overseeing risks arising from AML/TF and sanction programs, assessing the impact on risk appetite and the risk profile of the Company and taking account of the provisions of this framework.

The risk management function is responsible for integrating and consolidating the risks arising from conduct and reputational risks, assessing the impact on risk appetite and the risk profile of the entity, and taking account of the provisions of this framework.

The Management Board have appointed an (Money laundering reporting officer (MLRO) for performing the second line of defence functions. This person is not operationally involved in the areas that the MLRO will be monitoring and verifying and is thus independent in relation to these. The MLRO is accountable for the following activities:

produce and when necessary, update the Company's Guidelines;

monitoring and verifying on an ongoing basis that the Company is fulfilling the requirements prescribed by these Guidelines and related documents and according to external laws and regulations

provide the Company's staff and Members of the Board with advice and support regarding the rules relating to money laundering and terrorist financing

inform and train the members of the Management Board and relevant persons about the rules relating to money laundering and terrorist financing

investigate and register sufficient data on received internal notifications and decide whether the activity can be justified or whether it is suspicious;

file the relevant reports (i.e. UARs, SARs, STRs, etc.) with the appropriate regulatory authorities in accordance with local jurisdictional requirements;

check and regularly assess whether the Company's procedures and guidelines to prevent the use of the business for money laundering or terrorist financing are fit for purpose and effective;

identify the incidents in accordance with the Guidelines and take measures regarding such incidents.

The MLRO reports to the Management Board quarterly. This report must be in writing and include at least the following items:

number of customers under all risk classifications

number of hits of persons in relation to the Sanctions lists and applied measures;

number of customers or customers' representatives identified as PEPs or persons with a connection to a PEP;

number of internal notifications on suspicious activity or transactions;

number of the relevant reports (SARs, UARs, etc.) reported to the Financial Intelligence Unit(FIU);

number and content of a request for information from the FIU within the framework of an investigation;

confirmation that the Company's risk assessment for money laundering and terrorist financing is up to date;

confirmation that these Guidelines and other related documents are up to date;

confirmation that the staffing in respect of AML measures is sufficient;

all inadequacies (if any) identified by control function have been addressed;

list of obligatory trainings which have been held for the staff in respect of AML measures.

Third line of defence:

As part of the third line of defence, the Internal Audit Function regularly assesses that policies, methods and procedures are adequate and effectively implemented for the management and control of the system for the prevention of money laundering and terrorist financing for compliance with sanction programs in the Company, providing an independent assessment.

KEY PROCESSES

The Company has an effective internal procedure in place enabling to demonstrate that the AML/CTF activities and related processes are properly executed and are in line with all applicable laws and regulations including sanction programs and international financial countermeasures.

To be in compliance with these obligations, the Company has an appropriate procedure for the prevention of ML and TF and ensuring their effectiveness and compliance with all relevant legal and regulatory requirements:

Adopts and changes procedures, where applicable, for dealing with ML and TF reflecting the current statutory and regulatory requirements;

ensures that the content of this Policy is relevant and understood by all staff members;

regularly reviews the policies and procedure to ensure their effectiveness (at least once a year);

adopts client acceptance policies and procedures;

undertakes client due diligence (CDD) measures to an extent that is sensitive to the risk of ML and TF depending on the type of client, business relationship or transaction;

identifies, monitors and reports suspected ML or TF transactions to the law enforcement authorities.

Internal regulations drawn up by the Company are validated for the prevention of money laundering and terrorist financing before they are approved by the most senior local management committee in relation to AML/CTF.

KEY PROCESSES

In case if the Company will engage any client's operations and deal with any counterparties the following rules for Clients Due diligence will be applicable:

Obtain sufficient information about the client in order to identify who is the actual beneficial owner or on whose behalf transaction is conducted.

Verify the Client's identity using reliable, independent source document, data or information (for example, verification of clients' registration from the relevant State web site, etc).

Client Due Diligence Process includes following specific parameters;

Procedure for Clients Acceptance;

Risk based approach;

Client Identification Procedure;

Client classification based on risk category.

Client Acceptance Procedures

Do not accept clients with identity matching persons known to have criminal background.

Do not accept clients with identity matching with banned person/entity as per relevant Stock Exchanges in capital market in any jurisdiction where the Company has its business.

If monies from a counterparty are accepted, each such client/counterparty should be met in person: perform the in-person verification process very diligently. Either the client should visit the Company`s office or concerned official/employees may visit the client at their residence/office address. Officials/employees also verify photocopy of the documents with the original, or if applicable use a special certified interactive authorization service for such a verification. If the counterparty was referred to by another existing Company`s counterparty the introducer detail would be set in account opening form.

Accept clients/counterparties on whom we are able to apply appropriate KYC procedures:

Obtain complete identification information from the client. It should be ensured that the initial forms taken by the client are filled in completely.

All photocopies submitted by the client should be checked against original documents without any exception.

'Know Your Client' guidelines should be followed without any exception.

Where possible, the Company identifies the ultimate beneficial owners of the counterparties. The identification procedure includes obtaining reliable data on persons who are the final beneficiaries and exercising control and/or ownership of assets / shares /corporate rights of legal entities directly or via the chain of mediated owners.

The counterparty provides the Company with information on the entire chain of owners and discloses data on final beneficiaries who own not less than 10% of property rights in the company1, or submit a corresponding document confirming that such identification is not possible if the company is managed by trust funds, has a significant amount of minority shares. owners, etc.

Do not compromise on submission of mandatory information/ documents: business relationships should be started only upon receipt of all mandatory information along with authentic supporting documents as per the regulatory guidelines. Where the counterparty refuses to provide information/documents business relationships should not be continued.

The Company should capture data of key persons like director & shareholder of all non-individual counterparties and also taking complete details/documents of Director/Trustee/Partners etc., which is mandatory while granting the services or making other business relationships. In case of a corporate client in order to identify client with cross holding, we capture key persons' data, for example, details of director, shareholders.

Special attention should be paid while accepting clients/counterparties of the special categories listed below:

Trust,

Charities,

NGOs,

Politically Exposed Persons (PEP),

Companies having close shareholding/ beneficial ownership,

Financial institutions that are registered in countries or territories in which they do not have a physical presence (also known as "shell banks").

Clients in high-risk countries to special list of high-risk jurisdictions as set in Annex 2),

Non-face to face clients,

Clients with dubious background,

Clients belonging to countries where corruption/fraud level is high (e.g. Nigeria, Albania, etc., according to the special list for specific jurisdictions as per Transparency International).

Scrutinize the records / documents pertaining to clients belonging to aforesaid categories.

Check if the client identity is in the national ban list or lists of FATF, OFAC. Try to match the name/identity number from the available information from these lists. If we find any client name in these lists, then we should inform to Special authority in the relevant Exchange jurisdiction immediately & do not start cooperation with such a client as a requirement for security dealers.

Client due diligence measures implementation

Client due diligence (CDD) measures are required for verifying the identity of a new or existing Client as a well-performing risk-based ongoing monitoring of the business relationship with the Client. The CDD measures consist of 3 levels, including the simplified and enhanced due diligence measures, as specified below.

The CDD measures are taken and performed to the extent necessary considering the Client's risk profile and other circumstances in the following cases:

upon establishment of the business relationship and ongoing monitoring of the business relationship;

upon verification of information gathered while applying due diligence measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered earlier while updating the relevant data;

upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided for in these Guidelines and applicable legislation.

The Company does not establish or maintain the business relationship and not perform transaction if:

the Company is not able to take and perform any of required CDD measures;

the Company has any suspicions that the Company's services or transaction will be used for ML or TF;

the risk level of the Client does not comply with the Company's risk appetite.

In the case of receiving information in foreign languages within the framework of CDD implementation, the Company may request to demand translation of the documents to another language appliable for the Company. The use of translations should be avoided in situations when the original documents are prepared in a language appliable for the Company.

The Services Provided

The Company's main economic activity is virtual currency services. For this reason, the Company offers to the Clients the following transaction types:

providing virtual currency wallet service, which allows the Client to open virtual currency wallet on their name (hereinafter - the Client's Wallet) and make transactions with this wallet: to send virtual currency, deposited to this wallet, to other wallet(s) and to receive virtual currency sent from other wallet(s);

providing a virtual currency exchange service, which allows to buy (by using credit card, like VISA or wire transfer) virtual currency from the Company and deposit it to the Client's Wallet;

providing a virtual currency exchange service, which allows to exchange virtual currency deposited at the Client's Wallet against fiat currency (EUR, USD, etc.) and send this fiat currency to the Client's credit card or bank account;

providing virtual currency exchange service, which allows exchange virtual currency deposited at the Client's Wallet against other virtual currency with depositing latest to the relevant wallet of the same Client.

The aforementioned services shall be provided only within the established Business Relationship.

The Verification of Information used for the Client's Identification

Verification of the information for the Client's identification means using data from a reliable and independent source to confirm that the data is true and correct, also confirming, if necessary, that the data directly related to the Client is true and correct. This inter alia means that the purpose of verification of information is to obtain reassurance that the Client who wants to establish the Business Relationship is the person they claim to be.

The face-to-face identification (personal meeting with the Client) or identification using information technology means (using of high-confidence e-identification system) is deemed to be the reliable and independent verification of the information obtained in the course of identification.

Application of Simplified Due Diligence Measures (level 1)

Simplified due diligence (SDD) is applied where the Client's risk profile indicates low risk and where, in accordance with the risk assessment produced by the Company, it has been identified that in such circumstances the risk of money laundering or terrorist financing is lower than usual. Regarding the Company services provided and the Company's risk assessment, the Company will not apply SDD measures to their Clients. Thus, to all Clients at least standard due diligence measures shall be applied as specified below.

Application of Standard Due Diligence Measures (level 2)

Standard due diligence measures are applied to all Clients if CDD measures must be applied in accordance with the Guidelines. The following standard due diligence measures should be applied:

identification of the Client and verification of the submitted information based on information obtained from a reliable and independent source, including using means of electronic identification and of trust services for electronic transactions;

identification and verification of a representative of the Client and their right of representation;

identification of the beneficial owner and, for the purpose of verifying their identity, taking measures to the extent that allows the Company to make certain that it knows who the beneficial owner is, and understands the ownership and control structure of the Client;

understanding of the Business Relationships, transaction or operation and, where relevant, gathering information thereon;

gathering information on whether the Client is PEP, their family member or a person known to be close associate;

monitoring of the Business Relationship.

The CDD measures specified above must be applied before establishing the Business Relationship. The exact instruction and requirements for application standard due diligence measures is provided in the Guidelines and its annexes.

Application of Enhanced Due Diligence Measures (level 3)

In addition to CDD, the Company applies enhanced due diligence (EDD) measures in order to manage and mitigate an established risk of money laundering and terrorist financing that is higher than usual.

The Company always applies EDD measures, when:

the Client's risk profile indicates high risk level;

upon identification of the Client or verification of submitted information, there are doubts as to the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner;

the Client is a PEP;

the Client is from a high-risk third country or their place of residence or seat or the seat of the payment service provider of the payee is in a high-risk third country;

the Client is from such country or territory or their place of residence or seat or the seat of the payment service provider of the payee is in a country or territory that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the Financial Action Task Force, or that is considered a low tax rate territory;

the Client's economic or professional activity, field or factors indicate the risk of money laundering or terrorist financing, which is higher than usual;

the Client's total amount of incoming or outgoing payments related to the Business Relationship exceeds the limits, established by the Company.

Prior to applying EDD measures, the Company assesses whether the features described above are present and applies them as independent grounds (that is, each of the factors identified allows application of EDD measures with respect to the Client).

When applying EDD measures, the following additional and relevant due diligence measures shall be followed:

verification of information additionally submitted upon identification of the Client based on additional documents, data or information originating from a credible and independent source;

gathering additional information on the purpose and nature of the Business Relationship or transaction and verifying the submitted information based on additional documents, data or information that originates from a reliable and independent source;

gathering additional information and documents regarding the actual execution of transactions made in the Business Relationship in order to rule out the ostensibility of the transactions;

gathering additional information and documents for the purpose of identifying the source and origin of the funds used in a transaction made in the Business Relationship in order to rule out the ostensibility of the transactions;

the making of the first payment related to a transaction via an account that has been opened in the name of the Client participating in the transaction in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force;

the application of due diligence measures regarding the Client or their representative while being at the same place as the Client or their representative;

gathering additional information about the Client and its beneficial owner, including identification of all owners of the Client, incl. those whose shareholding is below 25%;2

athering information on the origin of the funds and wealth of the Client and its beneficial owner;2,3

improving the monitoring of the Business Relationship by increasing the number and frequency of the applied control measures and by choosing transaction indicators or transaction patterns that are additionally verified;2,3

an analysis of the Client's digital impression on the Internet is made (Adverse Media Search);

obtaining the approval of the Management Board for transactions with new and existing Clients;2,3

In the case of application of EDD measures, the Company monitors the Business Relationship more often than usual and reassesses the Client's risk profile no later than every six months

Identification of the Client - natural person

The Company identifies the Client who is a natural person and, where relevant, their representative and retains the following data on the Client:

first and last name(s);

personal identification code;

date of birth;

the place of residence or seat;

information about economic or professional activity;

information about expected turnover when using the Company's services;

contact details.

The following valid identity documents may be used as the basis for the identification of a natural person:

an identity card;

a residence permit card;

a citizen's passport;

an alien's passport;

a driving permit issued in the EU countries;

a driving permit issued in a foreign country if the document includes user's name, photograph or facial image, signature or image of a signature and date of birth or personal identification code;

a travel document issued in a foreign country (passport).

During the verification of the data obtained during the identification of the Client and representative from a credible and independent source, the first credible and independent sources is always:

an identity document specified above or a coloured and legible copy/image of this document.

The following information obtained may be the second reliable and independent source:

the Client's photo (selfie) with identity document;

proof of address (e. g. invoice, issued and paid once a month from utilities, including electric, natural gas, water, waste, etc.)

information for checking the data directly associated with the person (e. g. place of work, residence or study).

The Client who is natural person can't use representative in the course of the Business Relationship with the Company.

Identification of the Client - legal entity

The Company identifies the Client which is a legal entity and their representative and retains the following data on the Client:

business name or name (with the legal form);

registry code or registration number and date of registration;

name and date(s) of birth of the director(s) or member(s) of the management board or member(s) of another equivalent body;

address;

place of business;

area of activity;

payment practices;

main business partners;

information about expected turnover when using the Company's services;

contact details.

The following documents issued by a competent authority or body not earlier than six months before their use may be implied for identification of the Client:

registry card of the relevant register; or

registration certificate of the relevant register; or

a document equivalent with an aforementioned documents or relevant documents of establishment of the Client.

The Company verifies the correctness of the Client's data specified above, using information originating from a credible and independent source for that purpose. Where the Company has access to the commercial register, register of non-profit associations and foundations or the data of the relevant registers of a foreign country, the submission of the documents specified about does not need to be demanded from the Client.

The identity of legal entity and the right of legal entity's representation can be verified on the basis of a document specified above, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event.

During the verification of the data from a credible and independent source obtained during the identification of the legal entity, the source considered credible and independent when the Company:

sees the original of the document specified above;

sees a copy of the document specified above that has been authenticated by a notary, certified by a notary or officially certified; or

has access to the data in the commercial register, register of non-profit associations and foundations or the relevant registers of foreign countries via a computer network.

Two different sources during the identification of a legal entity means that the data medium, place or measure of obtaining information must be different (i.e. it cannot be the same data medium).

The representative of the legal entity shall be identified as the Client, who is a natural person in accordance with these Guidelines. The Company must also identify and verify the nature and scope of the right of representation. The name, date of issue and name of issuer of the document that serves as a basis for the right of representation must be ascertained and retained, except in case, when the right of representation was verified using information originating from the relevant register (e. g. the commercial register, register of non-profit associations and foundations or the relevant register of a foreign country).

The Company must observe the conditions of the right of representation granted to the legal entity's representatives and provide services only within the scope of the right of representation.

The identification of the Client's beneficial owner

The Company must identify the beneficial owner of the Client and take measures to verify the identity of the beneficial owner to the extent that allows the Company to make sure that they know who the beneficial owner is.

The Company shall request from the Client information to the Client's beneficial owner (e. g. providing the Client with an opportunity to specify their beneficial owner in KYC questionnaire).

The Company doesn't establish the Business Relationship, if the Client, who is a natural person has beneficial owner who is not the same person as the Client.

The beneficial owner of a legal entity is identified in stages where the obliged entity proceeds to each subsequent stage if the beneficial owner of the legal entity cannot be determined in the case of the previous stage.

If the documents used for the legal entity's identification or the other submitted documents do not indicate directly who the beneficial owner of the legal entity is, the relevant data (incl. data about being a member of a group and the ownership and management structure of the group) are registered on the basis of the statement of the representative of the legal entity or the document written by hand by the representative of the legal entity.

The beneficial owner does not have to be identified in the case of the Client listed on a regulated market that is subject to disclosure requirements consistent with European Union law or subject to equivalent international standards which ensure adequate transparency of ownership information.

Political Exposed Person's identification

The Company shall take measures to ascertain whether the Client, the beneficial owner of the Client or the representative of this Client is a PEP, their family member or close associate, or if the Client has become such a person.

The Company shall request from the Client information to identify if the Client is a PEP, their family member or close associate (e. g. providing the Client with an opportunity to specify the relevant information in KYC questionnaire).

The Company shall verify the data received from the Client by making inquiries in relevant databases or public databases or making inquiries or verifying data on the websites of the relevant supervisory authorities or institutions of the country in which the Client has place of residence or seat. PEP must be additionally verified using Google and the local search engine of the Client's country of origin, if any, by entering the Client's name in both Latin and local alphabet with the Client's date of birth.

At least the following persons are deemed to be PEPs:

head of State or head of government;

minister, deputy minister or assistant minister;

member of a legislative body;

member of a governing body of a political party;

judge of the highest court of a country;

auditor general or a member of the supervisory board or executive board of a central bank;

the Chancellor of Justice;

ambassador, envoy or chargé d'affaires;

high-ranking officer in the armed forces;

member of an administrative, management or supervisory body of a state-owned enterprise;

director, deputy director and member of a management body of an international organisation;

person in list of Governmental positions whose holders are considered politically exposed persons is established by a regulation of the minister responsible for the field;

person in list of positions, which is established by international organisation accredited in Lithuania;

a person who, as per list published by the European Commission, is considered a performer of prominent public functions by a Member State of the European Union, the European Commission or an international organisation accredited on the territory of the European Union is deemed a politically exposed person.

Middle-ranking or more junior officials are not considered PEPs.

The Company shall identify close associates and family members of PEPs only if their connection with PEP is known to the public or if the Company has reason to believe that such a connection exists.

Where the Client who is a PEP no longer performs important public functions placed upon them, the Company shall at least within 12 months take into account the risks that remain related to the Client and apply relevant and risk sensitivity-based measures as long as it is certain that the risks characteristic of PEPs no longer exist in the case of the Client.

Identification of the purpose and nature of the Business Relationship or a transaction

The Company shall understand the purpose and nature of the establishing the Business Relationship or performing transaction. Regarding the services provided, the Company shall request from the Client at least the following information for understanding the purpose and nature of the Business Relationship or transaction:

the estimated transactions turnover with the Company per month;

the estimated source of funds used in the Business Relationship or transaction.

The Company shall apply additional measures and collect additional information to identify the purpose and nature of the Business Relationship in cases where:

there is a situation that refers to high value or is unusual and/or

where the risk and/or risk profile associated with the Client and the nature of the Business Relationship gives reason for the performance of additional actions in order to be able to appropriately monitor to the Business Relationship later.

If the Client is a legal entity, in addition to aforementioned the Company shall identify the Client's:

area of activity, where the Company shall understand what the Client deals with and intends to deal with in the course of the Business Relationship and how this corresponds to the purpose and nature of the Business Relationship in general and whether it is reasonable, understandable and plausible;

payment practices, including the countries from which payments are received and to which payments are made, the expected duration of the Business Relationship, the extent and channels of cash and cryptocurrency use, payment channels (branch, Internet bank, card payments), etc.;

main business partners, where the Company must identify who are the Client's main partners with which transactions will be concluded in the declared area of activity and with the declared activity volumes.

The area of activity, payment practices and main business partners must fit into the experience profile of the Client's representative (or key persons) and/or the beneficial owner. Thus, the Company has to identify where the representative's and/or beneficial owner's capacity, capability, skills and knowledge (experience in general) comes from in order to operate in this area of activity, with these business volumes and with these main business partners.

Monitoring of the Business Relationship

The Company shall monitor established the Business Relationships where the following ongoing due diligence (ODD) measures are implemented:

ensuring that the documents, data, or information collected in the course of the application of due diligence measures are updated regularly and in the case of trigger events, i.e., primarily the data concerning the Client, their representative (incl. the right of representation) and beneficial owner as well as the purpose and nature of the Business Relationship;

ongoing monitoring of the Business Relationship, which covers transactions carried out in the Business Relationship to ensure that the transactions correspond to the Company's knowledge of the Client, their activities and risk profile;

identification of the source and origin of funds used in the transaction(s).

The Company shall regularly check and update the documents, data and information collected within the course of the implementation of CDD measures. The regularity of the checks must be based on the risk profile of the Client and the checks must take place at least:

once semi-annually for the high-risk profile Client;

once annually for the medium-risk profile Client;

once every two years for the low-risk profile Client.

The collected documents, data and information must also be checked if an event has occurred which indicates the need to update the collected documents, data and information.

In the course of the ongoing monitoring of the Business Relationship, the Company applies the following measures:

screening i.e., monitoring transactions in real-time;

monitoring i.e., analysing transactions later.

The objective of screening is to identify:

suspicious and unusual transactions and transaction patterns;

transactions exceeding the provided thresholds;

politically exposed persons and circumstances regarding international sanctions.

The screening of the transactions is performed automatically and includes the following measures:

established thresholds for the Client's transactions, depending on the Client's risk profile and the estimated transactions turnover declared by the Client;

the scoring of virtual currency wallets where the virtual currency shall be sent in accordance with the Client's order;

the scoring of virtual currency wallets from which the virtual currency is received.

If the Client gives order for transaction which exceeds the threshold established or for transaction to the virtual currency wallet with high-risk score (e.g. wallets related to fraud, crime, etc.), the transaction shall be manually approved by the Employee, which shall access before the approval a necessity to apply any additional CDD measures (e. g. applying EDD measures, asking source and origin of funds or asking additional information regarding the transaction).

When monitoring transactions the Employee shall assess transaction with a view to detect activities and transactions that:

deviate from what there is reason to expect based on the CDD measures performed, the services provided, the information provided by the Client and other circumstances (e.g. exceeding estimated transactions turnover, virtual currency sending each time to new virtual currency wallet, volume of transactions exceeding limit);

without deviating according to previous clause, may be assumed to be part of a money laundering or terrorist financing;

may affect the Client's risk profile score.

In case, when aforementioned fact is detected, the Employee shall notify MLRO and postpone any transaction of the Client until MLRO's decision regarding this.

In addition to aforementioned, the MLRO shall review the Company's transaction regularly (at least once per week) to ensure that:

the Employees properly performed the aforementioned obligations;

there are no transactions and transaction patterns that are complicated, high-value and unusual and that have no reasonable or obvious economic or legitimate purpose or are uncharacteristic of the specific features.

The Company identifies the source and origin of the funds used in transaction(s) if necessary. The need to identify the source and origin of funds depends on the Client's previous activities as well as other known information. Thereby the identification of the source and origin of the funds used in transaction shall be performed in the following cases:

the transactions exceed the limits established by the Company;

if the transactions do not correspond to the information previously known about the Client;

if the Company wants to or should reasonably consider it necessary to assess whether the transactions correspond to the information previously known about the Client;

if the Company suspects that the transactions indicate criminal activities, money laundering or terrorist financing or that the relation of transactions to money laundering or terrorist financing is probable, incl. complicated, high-value and unusual transactions and transaction patterns that do not have any reasonable or obvious economic or legitimate purpose or are uncharacteristic of the specific features of the business in question.

RISK PROFILING OF THE CLIENT/COUNTERPARTY

The Company should accept the clients/counterparties based on the risk they are likely to impose. The aim is to identify clients who are likely to bear a higher-than-average risk of money laundering or terrorist financing. For this purpose, the Company classifies the clients as low risk, medium risk and high-risk clients.

Special attention is be paid to the transactions which are complex, unusually large or pattern which appears to have no economic purpose. Risk profiling is divided in to two broad categories: on-board risk assessment and ongoing risk assessment.

In order to achieve this objective, all clients should be classified in the following category:

Category A - Low Risk: At the time of business cooperation all clients other than special category clients will be marked as Low risk client.

Category B - Medium Risk: To enhance the due diligence of a client who initially falls in low-risk category & has abnormal transaction pattern. Depend on the pattern a client can be shifted to medium risk category or high-risk category directly.

Category C - High risk: Any client falls in special category mentioned above at the time of business cooperation will be considered as High risk and as a part of identifying ongoing risk, other clients which come under review & found high risk due to their transaction pattern will be marked as high risk.

The various factors which are considered while marking a client as Medium/High Risk are (1) Percentage of volume in exchange is very high & amount in absolute term is substantial and/or (2) High volume transactions, Illiquid or such other high-risk stock and/or (3) a Client who does not have financial status aligned with its transaction volume and/or (4) a Client having abnormal transaction pattern. Then an alert is created to classifying as Medium/High Risk category. But classification is being done after looking at the other qualitative criteria also.

SUSPICIOUS TRANSACTION MONITORING AND REPORTING

The Company analyses the suspicious transactions on a routine basis.

Suspicious transaction means a transaction, which to a person acting in good faith -

Gives rise to a reasonable ground of suspicion that it may involve the proceeds of crime; or

Appears to be made in circumstance of unusual or unjustified complexity; or

Appears to have no economic rationale or bona fide purpose.

Reasons for Suspicion

Identity of a client/counterparty

False identification documents

Identification documents which could not be verified within reasonable time

Non-face to face client

Clients in a high-risk jurisdiction

Doubt over the real beneficiary of the account

Business transactions are similar or very close to the business identification (name, address, etc.) of other established business entities

Policy: Generally, the Company starts business cooperation only after ensuring that identity of a client is valid and genuine.

Suspicious Background

Suspicious background or links with criminals

Policy: Generally, the Company starts business cooperation only after ensuring that a client does not fall under list of entities issued by the relevant authority in relevant Jurisdiction or United Nations Sanctions List.

Accordingly, the Company takes evidence for source of income. As well as, checks shareholding pattern and list of Director of a counterparty to establish the person behind the company. In our client registration form, we insist our client to provide us the details of his/her annual income range as per IT return/salary slip, etc. Source of finance is essential for a counterparty who wants to trade in derivative segment. On a routine basis, we monitor the client volume in scrip with exchange volume.

What to Report

In any case the Company has to report the following information in the desired format to relevant state authority in respect of suspicious transactions:

The nature of the transactions

The amount of the transaction

The date on which the transaction was conducted

The parties to the transaction

The reason of suspicion

Details of person who have made such transactions.

At the request of the relevant authorities, if such a request is provided for in accordance with the current legislation, the Company undertakes to provide any other available information on suspicious transactions.

Reporting Procedure

In general, as a Lithuanian legal entity, the Company should report to Lithunian Financial Intelligence Unit) (FCIS being the national Financial Intelligence Unit in Lithunia (FIU)) if knows or has reasonable grounds to suspect that assets involved in the business relationship:

are the proceeds of a felony or of an aggravated tax misdemeanour;

are connected to money laundering (or to a criminal organisation which pursues the objective of committing crimes of violence or which aims at financial gain by criminal means

serve the financing of terrorism;

are subject to the power of disposal of a criminal organisation; or

are related to persons contained on ‘terrorist lists'.

In addition to the duty to file a report, the Company has a right to report to FIU about any observations that indicate that assets originate from a felony or an aggravated tax misdemeanour

If in the process of identifying and researching of the counterparty it is determined that the counterparty, by any of the identifying criteria, is included in the list of persons for whom prohibitive and or sanction measures in accordance with the requirements of the national financial regulators, FATF, OFAC, etc.,

GOVERNANCE

The Governance applied in the Company promotes efficient governance structures that ensures adequate participation by all relevant functions.

The governance bodies for the Company are to be structured taking into account local regulatory and legal requirements, as well as the size and complexity of each subsidiary, if any, whilst ensuring that they are consistent with those of the parent company. Any such governance bodies must promote clear and effective decision-making and clarity of accountability.

Carrying out the AML/CTF function properly in terms of decision-making, supervision and control requires a governance structure, which can provide a response in an efficient and agile manner at both a corporate and subsidiary level if applicable.

In its application of this Policy, the Company shall identify the governance bodies or committees responsible for defining, monitoring, controlling and overseeing the AML/CTF regulatory risks.

VALIDITY DATE AND PERIODIC REVIEW

This Policy is effective on the Company's wide basis from the date of its publication.

Its contents will be reviewed periodically, and any changes or modifications will be made as appropriate.