Financial Crime Policy

LiquidityOne Group

1. INTRODUCTION

Money laundering (“ML”) is the process by which criminals seek to disguise the true origin and ownership of the proceeds of crime in order to make the funds appear to have originated from a legitimate source and facilitate their entrance into the lawful economy.

The financing of terrorism (“FT”) is the act of willingly providing, collecting or raising funds (whether directly or indirectly) with the intention that they should be used, or in the knowledge that they are likely to be used, in support of an act of terrorism. For the purposes of this policy, financing related to the proliferation of weapons of mass destruction, is encompassed within the definition of FT. The act of FT is often linked to ML activities. However, funds used for FT are not only obtained from criminal activity but legitimate means also, such as charitable donations or lawful business
operations.

LiquidityOne (the “Company”) is committed to preventing ML/FT, and to maintaining compliance with all applicable anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) laws and regulations. This document sets out the Company’s policy on AML/CFT (the “Policy”). The purpose of the Policy is to establish standards for the Company’s AML/CFT compliance program. If you have any questions about the application of the Policy, please contact Compliance.

2. ACCOUNTABILITY

The Company operates in accordance with a “three lines of defence” model:

• The first line of defence consists of client-facing positions. The Company will ensure that staff in these functions are sufficiently trained and have in place controls to be able to detect the signs of illegal activity.
• The second line of defence focusses on the Company’s Compliance Team, and its senior management, but includes all other support and control functions. The Compliance Team is primarily responsible for ongoing monitoring of the Company’s compliance with its legal obligations, and its employees’ compliance with internal policies, guidelines and processes.
• The compliance Team should provide regular feedback to senior management and Directors on the Company’s and its employees’ performance in this regard. The Compliance Team constitutes the contact point for liaising with regulatory and law enforcement authorities.
• The third line of defence consists of the Company’s appointed auditors, who should conduct regular and holistic assessments of the Company’s framework to combat ML/FT risks, including assessments of the Company’s policies, procedures and controls, measuring their effectiveness, implementation and employees’ adherence thereto.
• Every employee is responsible for complying with this Policy and for ensuring the effective management of ML/FT risks within the scope of their organisational responsibilities. Failure to comply with this Policy can have serious consequences for the Company, including criminal and civil fines, regulatory action, public censure and significant reputational damage.

Any breach of this Policy, or attempt to undermine or circumvent it, will lead to disciplinary action and/or loss of employment and, beyond internal disciplinary action, may have serious consequences for individual staff members such as criminal prosecution, regulatory action, fines and/or imprisonment. Accordingly, it is vital for all directors, senior management and employees at all levels of the Company to comply with the terms of this Policy and remain vigilant against the risks that ML and FT pose to our business and wider society.

3. RISK ASSESSMENTS

The Compliance Team shall lead periodic risk assessments, at least annually, to determine the extent of the Company’s vulnerabilities to ML/FT risks, and shall set out a detailed methodology to identify and measure such risks. This methodology will be reviewed at least annually, and where appropriate,
modified in accordance with lessons learned from previous assessments, regulatory changes and any relevant new regulatory guidance.

Each risk assessment shall, at a minimum, seek to identify and assess the ML/FT risks in relation to:

• Its clients;
• The countries or jurisdictions its clients are from or in which they are located;
• The countries or jurisdictions in which it operates;
• Its products, services and transactions; and
• Its technologies and delivery channels/mechanisms.

The Compliance Team shall take appropriate steps to identify, assess and understand the ML/FT risks relating to the above, including but not limited to:

• documenting its risk assessments;
• considering all the relevant risk factors before determining the level of overall risk and the appropriate type and extent of mitigation to be applied;
• ensuring risk assessments remain up-to-date; and
• having appropriate mechanisms to provide its risk assessment information to relevant regulatory
  authorities.

The Compliance Team shall develop and implement policies, procedures and controls, with the approval of senior management, to manage and mitigate all risks identified, with enhanced measures put in place where higher risks are identified.

Implementation of such measures shall be closely monitored and further enhanced where required, to ensure that risks are effectively managed and mitigated, and remain in compliance with risk assessments carried out and guidance from relevant regulatory authorities.

Each risk assessment shall be approved by senior management and, on request, be made available to relevant regulatory authorities; any input or recommendations received in response will be readily implemented.

4. NEW PRODUCTS, PRACTICES AND TECHNOLOGIES

Where the Company intends to offer a new product or service, or implement a new delivery mechanism or technology, a further risk assessment shall be undertaken prior to its launch. In conducting such a risk assessment the Company should pay particular attention to whether the new
product or technology:

• has characteristics that promote anonymity, obfuscate transactions or undermine the Company’s ability to identify its clients and/or their counterparties, or implement effective CDD and other AML/CFT measures;
• whether the product is known to be used by criminals for illicit purposes;
• whether the volatility and liquidity of the product render it susceptible to market manipulation and fraud; and
• whether the product has been developed and/or issued by reputable entities for lawful and legitimate purposes.

Risk assessments of all new products, services, delivery mechanisms and technologies dealing with client funds or the movement thereof must be approved by senior management prior to launch.

5. CLIENT DUE DILLIGENCE

The Company operates a risk-based approach to client due diligence (“CDD”). The Compliance Team is responsible for formulating the CDD standards that the Company must adhere to at the time of onboarding a new client and on an ongoing basis, in order to ensure that the Company understands
the nature of that client throughout the entire course of their business relationship, commensurate with the risks involved.

The Company’s CDD standards adhere to the following principles, applied within the context of a risk based approach:

• The Company does not do business with entities and individuals known to be involved with ML/FT or other criminal activity including but not limited to that related to drug trafficking, human trafficking or corruption;
• The Company does not do business with trusts or similar legal arrangements;
• The Company will not open an account for a client, effect any transaction for or on behalf of a client, or receive any funds from that client, until the client has satisfied all stipulated CDD requirements and screening checks;
• The Company will not enter into any business relations with a party operating under an alias or anonymously;
• Sufficient information must be obtained in order to reasonably identify a potential client, its source of funds and, where appropriate, its beneficial owners;
• Sufficient due diligence must be carried out to reasonably establish a profile for the client;
• Information collated must, to a reasonable extent, be verified as accurate;
• Circumstances where reliance on third party service providers in connection with implementing CDD measures is permitted should be clearly defined;
• Consistent escalation and approval requirements, based on risk, must be applied across clients;
• CDD information must be monitored and reviewed to ensure its currency and that previously assigned risk ratings remain accurate and consistent with contemporaneous CDD methodology;
• Determinants of high-risk categories of clients requiring enhanced CDD and ongoing monitoring must be clearly defined and continuously reviewed; and
• Further CDD checks should be carried out promptly on any suspicion being raised of ML or FT, or where doubts have arisen over the veracity or adequacy of any information previously provided.

6. CLIENT IDENTIFICATION

All clients’ identities will be confirmed and verified at onboarding, prior to the undertaking of any transaction with or on behalf of the client. Where the client is a natural person, the Company shall obtain and verify, as a minimum, the following information with respect to that client:

• full name, including any aliases;
• unique identification number (such as an identity card number, birth certificate
• number or passport number);
• residential address;
• date of birth; and
• nationality.

Where the client is a legal person, the Company shall obtain and verify, as a minimum, the following
information with respect to that client:

• registered or business address and, if different, principal place of business;
• date of establishment, incorporation or registration (as appropriate);
• place of incorporation or place of registration (as appropriate);
• the client’s legal form, constitution and articles of association (or similar documentary evidence demonstrating the powers that regulate it);
• information clarifying the nature of the client’s business, ownership and control structure;
• the ultimate beneficial owners and, where that ultimate beneficial owner is not a natural person, the natural person(s) having executive authority or control over that legal person;
• with respect to any director, partner or manager (in the case of limited liability partnerships or limited partnership) of the entity, or any individual exercising executive authority over it or purporting to act on its behalf, all of the aforementioned information required of natural persons; and
• with respect to any natural person appointed to act on the legal entity’s behalf, appropriate documentary evidence authorising such appointment and the specimen signature of each natural person so appointed.

As part of the Company’s ongoing monitoring of clients, and in accordance with a client’s risk profile,
the Company will conduct periodic CDD checks to ensure client information remains up to date. CDD
information shall also be updated on the occurrence of stipulated trigger events such as when a
significant transaction takes place or a material change occurs in the way a client’s account is
operated.

7. VERIFICATION

Verification checks will take place on a non-face-to-face basis and so it is crucial that the Company
imposes standards that are no less stringent than those that would need to be carried out on a face
to face basis.

The Company shall verify all information obtained using reliable and independent source data,
documents and information. The Compliance Team will be responsible for implementing additional
checks to mitigate the risk of impersonation that is inherent in verifying identities via electronic
means.

Verification checks shall include measures such as:

• Phone contact with the client at a personal, residential or business number than can be independently verified;
• Confirmation of the client’s salary or other sources of income by requiring provision of recent bank statements;
• Provision of certified identification documents by lawyers or notaries public;
• Measures to demonstrate the client’s control over the digital payment token or digital token wallet address making the initial deposit of digital payment tokens or digital tokens into the client’s account (e.g. by effecting a transfer of any amount specified by the Company within a
  specified period);
• Collection of client device identifiers, IP addresses with associated time stamps, geo-location data etc.;
• Real time video conferencing; and
• Technology solutions matching photographs to photo-identification provided.

Upon both (i) conducting its first non-face-to-face business contact and (ii) any substantial change to
the Company’s policies and procedures relating to non-face-to-face onboarding (the “Relevant
Date”), the Company shall appoint an external auditor or an independent qualified consultant to
assess the effectiveness of its policies and procedures relating to non-face-to-face onboarding,
including the effectiveness of any technology solutions used to manage impersonation risk. The
The company shall submit such reports to the relevant regulatory authorities no later than one year after
the Relevant Date.

8. DUE DILLIGENCE (CDD)

The Compliance Team shall document minimum standards and procedures to be followed with respect to determining whether a client presents a heightened risk for ML or TF. Factors which should be taken into consideration include but are not limited to the following:

• Whether the client is from a higher risk business;
• Whether the client, any natural person appointed to act on behalf of the client, any connected party of the client or any beneficial owner of the client is a politically exposed person, or a family member or close associate of a politically exposed person;
• Whether the client possesses an unusually complex ownership structure relative to the client’s business;
• Whether the client has nominee shareholders or shares in bearer form;
• Whether the client operates a cash-intensive business;
• Whether the client or its beneficial owners are from a jurisdiction classified as high-risk by the Company; and
• Whether the client or its beneficial owners are from a country or jurisdiction that is known to have inadequate AML/CFT measures, as determined by the Company or as notified generally by relevant regulatory authorities.

Where a heightened risk for ML or TF is identified by the Company additional enhanced CDD measures will be carried out on the client, including at least the following:

• obtaining approval from the Company’s senior management to establish or continue business relations with the client;
• establishing the source of wealth of the client and any of its beneficial owners; and
• conducting ongoing and enhanced monitoring of business relations with the client and its transactions in order to determine whether they appear unusual or suspicious.

Other enhanced CDD measures that may be performed, as required by the Compliance Team, include:

• using public sources of information such as websites to gain a better understanding of the reputation of the client and any beneficial owners of a client.
• Where the client finds information containing allegations of wrongdoing by a client or a beneficial owner of a client, the Company must assess how this affects the level of risk associated with the business relations; and
• commissioning external intelligence reports where it is not possible for the Company to easily obtain information through public sources or where there are doubts about the reliability of public information.

9. POLITICALLY EXPOSED PERSONS

Where a client or any beneficial owner of a client is a politically exposed person, or a family member
or close associate of a politically exposed person, enhanced CDD measures, as determined by
compliance on a case-by-case basis, may be required. Where business relations are assessed by the
Compliance Team as not presenting a higher risk for ML/FT, the Company shall adopt a risk-based
approach in determining whether to perform enhanced CDD measures or the extent of enhanced
CDD measures to be performed for:

• domestic politically exposed persons, their family members and close associates;
• international organisation politically exposed persons, their family members and close associates; or
• politically exposed persons who have stepped down from their prominent public functions, taking into consideration the level of influence such persons may continue to exercise after stepping down from their prominent public functions, their family members and close associates.

10. SIMPLIFIED CDD

The Company will not in any circumstances perform simplified CDD on clients at onboarding or
thereafter. All clients will be subject to the full due diligence process.

11. CORRESPONDENTS

Where the Company wishes to engage a financial institution that is not a registered bank or merchant
bank to provide digital token payment services, digital token payment transfer services, custodial
wallet services or similar services (together “correspondent account services”), whether as principal
or on behalf of the Company’s clients, AML/CFT due diligence checks should be carried out on that
financial institution prior to the establishing of business relations.

The Compliance Team shall document, implement and maintain procedures for effecting AML/CFT
due diligence checks on financial institutions. In addition to the incorporation of similar checks to
CDD measures relevant to onboarding client legal entities, such procedures shall require that the
suitability of the financial institution be assessed. Such assessment shall include but not be limited to
the following actions:

• Gathering adequate information about the financial institution to fully understand the nature of its business, including making appropriate inquires on its management, business activities and operating jurisdictions;
• Determining from available sources the reputation and quality of its internal supervision;
• Determining whether it has been the subject of any money laundering or terrorism financing investigations or regulatory action; and
• Assessing the effectiveness and adequacy of its AML/CFT controls The division between the Company’s and the financial institution’s AML/CFT responsibilities should be assessed and clearly documented and senior management approval must be obtained prior to commencing business relations.

The Company shall not enter into or continue a correspondent account services relationship with a financial institution that does not have adequate AML/CFT controls, is not effectively supervised by the relevant authorities, or is a shell financial institution.

12. SURVEILLANCE

The Company operates a risk-based approach to the surveillance of client activity, ensuring that proportionate systems are put in place to mitigate risk throughout the duration of the business relationship. The Compliance Team is responsible for ensuring that minimum surveillance standards pertaining to scope, frequency and key data requirements are documented, implemented and adhered to.

13. NAME SCREENING

The Compliance Team shall document minimum standards regarding the screening of clients, their appointed representatives, connected parties and beneficial owners against sanctions lists and PEP databases, ML/TF information sources, and regulations issued by relevant regulatory authorities from time to time, and in respect of adverse media. All screening results shall be recorded.

Name Screening shall take place:

• at on-boarding, prior to the effecting of any transaction or value transfer;
• periodically, in accordance with the Company’s risk assessment of the party/parties in question;

When there are any changes or updates to:

• sanctions lists, relevant regulations, or other information provided by relevant regulatory authorities; or
• the natural persons appointed to act on behalf of the client or its connected parties or beneficial owners;
• with respect to value transfer originators and beneficiaries, ahead of the execution of any value transfer request.

Adequate processes and systems will be implemented across the Company to ensure that name screening requirements are adhered to and where positive hits are identified, appropriate steps are taken in response.

14. TRANSACTION MONITORING

The Company shall during the course of its business relations with a client, and in accordance with
the client’s assessed risk profile, monitor its transactions to ensure that they remain consistent with
the Company’s knowledge of the client, its business and, where appropriate, its source of funds.

The Compliance Team will establish and document minimum standards and parameters with respect
to ongoing transaction monitoring and supervise the operation of systems and processes designed
to detect and report suspicious, complex or unusual transactions or patterns of transactions including
but not limited to:

• Frequent transfers of digital payment tokens / digital tokens to the same recipient;
• Frequent orders to buy or sell digital payment tokens / digital tokens over a short period of time;
• Multiple transfers of digital payment tokens / digital tokens at insubstantial amounts when viewed in isolation, but at amounts exceeding reporting thresholds when viewed cumulatively;
• Transaction/transaction requests to/from jurisdictions classified as high risk, or jurisdictions classified as medium-risk that have been assessed as posing a significant ML/TF threat; and
• Transactions/transaction requests to/from high risk, blacklisted or sanctioned parties.

The Company shall, to the extent possible, investigate the background and purpose of any transactions identified as suspicious or unusual and document the outcome of such investigations. Where reasonable grounds for suspecting ML and/or TF are determined, and the Compliance Team considers it appropriate to retain the client, it shall substantiate and document the reasons for the proposed retention and obtain senior management’s approval. Where a client is retained in such circumstances, enhanced risk mitigation, CDD and ongoing monitoring should be put in place.

15. SUSPICIOUS TRANSACTION REPORTING

The Compliance Team shall implement and maintain adequate processes and systems to support the reporting of suspicious activity identified to the prevailing Suspicious Transactions Reporting Office (“STRO”) or other relevant authorities, and meet the Company’s legal obligations in connection therewith.

16. INTERNAL REPORTING

The Company makes it the responsibility of all employees and officers to report suspicious activity internally. All employees and officers of the Company must promptly refer all transactions which they know, suspect, or have reasonable grounds for suspecting are in any way connected to ML or TF, to the Head of Compliance who, until further notice, is designated as the Company’s Money Laundering Reporting Officer (“MLRO”). Unless required by law, regulation or order of a relevant authority, an employee must not disclose to the client or suspected party (or anyone else other than with the consent of the MLRO) that they are investigating the client or have reported the matter internally. Disclosure to the client or the suspected party may constitute the criminal offence of “tipping off” and leave the employee open to disciplinary action, termination of employment, a fine and/or imprisonment.

17. EXTERNAL REPORTING

The MLRO shall, with respect to any internal report of suspicious behaviour, consider whether the circumstances warrant the filing of a STR to the STRO and, if applicable, any other relevant authority located in a connected jurisdiction, document the basis for its determination and, if relevant, any additional monitoring measures that have been implemented with respect to the client or suspected party.

Where it is determined that a STR should be made, the STR should be submitted promptly to the STRO, with a copy also to be provided to the relevant regulatory authority. The MLRO should consider whether the Company should continue business relations with the relevant party and, if so, whether enhanced monitoring measures should be implemented, again documenting the basis of any determination reached.

18. THE TRAVEL RULE

In order to Comply with the Travel Rule, the Company must ensure that the requisite information is attached to all incoming and outgoing value transfers to/from other VASPs, in order to identify the originator and beneficiary and, where relevant, the intermediary financial institutions of a payment, and that such information is transmitted in an accurate and meaningful manner.

Ensuring that the Company’s processes and procedures pertaining to identify verification and name screening of all clients at the time of onboarding are strictly adhered to, so that all value transfers into and out of the Company can be linked to a verified individual or entity, is crucial in this regard. All details of value transfers into and out of the Company, including but not limited to, the date of value transfer, the type and value of digital payment token(s) being transferred, and the value date, must be recorded by the Company in order to enable full reconstruction of the value transfer.

19. THE COMPANY AS AN ORDERING INSTITUTION

The Company will be acting as ordering institution where it effects a value transfer on behalf of a client to a value transfer beneficiary at a beneficiary institution. This will most commonly occur where a client places an order to transfer digital payment tokens to a digital wallet address held at a cryptocurrency exchange, brokerage or bank, irrespective of whether such digital wallet address is within the ownership of the client or not.

For value transfers less than or equal to USD 1,000 where the Company is acting as Ordering Institution, clients will be required to input the name or registered legal entity name of the value transfer beneficiary before a value transfer can be effected. The Company will attach the following information to all value transfers made to beneficiary institutions or intermediary institutions:

• The name of the value transfer originator;
• The value transfer originator’s account number;
• The value transfer beneficiary’s name or registered legal entity name; and
• The value transfer beneficiary’s account number (or unique transaction reference number where no account number exists).

For value transfers exceeding USD 1,000 the Company shall identify and verify the value transfer originator’s identity and, in addition to the aforementioned details, attach the value transfer originator’s unique identification number e.g. identity card number, birth certificate number, passport number, incorporation number, business registration number (as appropriate).

Where the Company is unable to comply with the above requirements with regard to any proposed value transfer, irrespective of its quantum, the value transfer will not be executed. If a client is unable or unwilling to provide, in whole or in part, the above information, the client’s account must be frozen until all necessary information requirements have been satisfied, or further investigation has been conducted to the satisfaction of the Compliance Team, including but not limited to re- screening and further verification and identity checks. The need to file an STR and/or report to any relevant competent authority must also be considered by the Company’s MLRO and any decision taken documented accordingly.

20. THE COMPANY AS A BENEFICIARY INSTITUTION

The Company will be acting as beneficiary institution where it receives a value transfer on behalf of a client, sent from an ordering institution, either directly or through an intermediary institution. This will most commonly occur where a client receives digital payment tokens from a digital wallet address held at a cryptocurrency exchange, brokerage or bank. Incoming value transfers will be monitored to ensure that all information required to be attached to incoming value transfers, where required.

Depending on the method of communication, value transfers that do not meet the above information requirements will be blocked in realtime, or if this is not possible, funds will be frozen until such a time as the above information requirements can be verified. Where such information cannot be verified, the need to file an STR and/or report to any relevant competent authority must be considered by the Company’s MLRO and any decision taken documented accordingly.

21. OTHER TRANSFERS

Where digital payment tokens are transferred to or from persons that do not fall within the definition of “ordering institution” or a “beneficiary institution” respectively, the Company will ensure it performs enhanced risk mitigation measures, where the transaction involves a transfer of a digital payment token to or a receipt of a digital payment token from an entity other than a financial institution that is subject to and supervised for compliance with AML/CFT requirements consistent with standards set by the FATF.

In such circumstances the Company shall:

• identify and verify the identities of the originator and beneficiary of the transfers;
• where the transfer of digital payment tokens has been received from or sent to the Company’s own client’s personal digital wallet address, require the client to demonstrate control of such address, by effecting a transfer of digital payment tokens in an amount specified by the Company;
• where the originator or beneficiary is identified to be a third party, taking reasonable steps to verify the identity of the third party commensurate to verification checks carried out on the Company’s own clients;
• where the beneficiary is an entity, establish the identity of the beneficial owners of such beneficiaries; and
• performing screening and enhanced monitoring over such transactions.

22. RECORD RETENTION

The Company shall prepare, maintain and retain transparent and accessible records of all data, documents and information required to establish compliance with all legal requirements including but not limited to all due diligence, transactions, training, assurance activities and incident reports/investigations. Such records should be kept in a manner that enables:

• All individual transactions and value transfers to be reconstructed;
• Relevant authorities, and the Company’s internal/external auditors to review the Company’s business relations, STRs, transactions, records and due diligence information in order to assess compliance with applicable law and guidelines; and
• The Company to satisfy any inquiries or orders from a relative authority within a reasonable time period or any time periods stipulated by law or that authority.

Due diligence information, correspondence and account files relating to business relations, value
transfers and transactions shall be retained for a period of at least 5 years following the termination
of such business relations or the completion of such value transfers or transactions. All information,
data and documents required to explain and reconstruct a particular transaction shall be retained for
a period of at least 5 years following completion of a transaction.

The Company shall retain records of data, documents and information on all its business relations
with or transactions for a client pertaining to a matter which is under investigation or which has been
the subject of an STR, in accordance with any request or order from the prevailing STRO or other
relevant regulatory authority.

23. PERSONAL DATA

The Company shall, as soon as reasonably practicable, upon the request of a client, an individual appointed to act on behalf of a client, an individual connected party of a client or an individual beneficial owner of a client, provide the requesting individual with the right to access the following types of personal data of that individual, that is in the possession or under the control of the Company:

• full name, including any alias;
• unique identification number (such as an official government-issued identity card number, birth certificate number or passport number);
• residential address;
• date of birth;
• nationality;
• any other personal data of the respective individual provided by that individual to the Company, provided the Company is satisfied that there are reasonable grounds for such request.

24. COMPLIANCE RESPONSIBILITIES

The Company shall ensure that its Head of Compliance has the necessary resources, authority and seniority to effectively perform his responsibilities, which shall include but not be limited to the following:

• carrying out, or overseeing the carrying out of ongoing monitoring of business relations and transactions undertaken, and sample reviews of accounts or transactions for the purpose of compliance with prevailing AML requirements;
• promoting compliance with relevant Anti-Financial Crime rules and Regulations, and taking overall charge of all AML/CFT matters within the Company;
• informing employees and officers promptly of regulatory changes;
• ensuring a speedy and appropriate reaction to any matter in which ML/FT is suspected;
• reporting, or overseeing the reporting of, suspicious transactions;
• advising and training employees and officers on developing and implementing internal policies,
• procedures and controls on AML/CFT;
• reporting to senior management on the outcome of reviews of the Company’s compliance with the relevant Anti-Financial Crime rules and Regulations; and
• reporting regularly on key AML/CFT risk management and control issues, including, and any necessary remedial actions, arising from audit, inspection, and compliance monitoring.

The Company shall ensure that its business interests do not interfere with the effective discharge of the above-mentioned responsibilities of the Head of Compliance, and that potential conflicts of interest are avoided. To enable unbiased judgments and facilitate impartial advice to management, the Head of Compliance will remain distinct from the internal audit and business line functions.

Procedures should be put in place and maintained ensuring that where any conflicts between business lines and the responsibilities of the Head of Compliance arise, AML/CFT concerns are objectively considered and addressed at the appropriate level of the Company’s management.

25. AUDIT RESPONSIBILITIES

The Company’s AML/CFT framework will be subjected to periodic audits (including sample testing), at least annually, pursuant to which auditors will assess the effectiveness of measures taken to prevent ML/FT, including but not limited to:

• determining the adequacy of the Company’s AML/CFT policies, procedures and controls, ML/FT risk assessment framework and application of risk-based approach;
• reviewing the content and frequency of AML/CFT training programmes, and the extent of employees’ and officers’ compliance with established AML/CFT policies and procedures; and
• assessing whether instances of non-compliance are reported to senior management on a timely basis.

26. EMPLOYEE HIRING

Screening procedures shall be in place to ensure high standards when hiring employees and
appointing officers. Screening procedures may include the following:

• background checks with past employers;
• screening against ML/TF information sources; and
• bankruptcy searches.

In addition, the Company should conduct credit history checks, on a risk-based approach, when hiring employees and appointing officers.

27. TRAINING

The Company must provide its staff and officers with relevant, specific and targeted training to detect and prevent money laundering and terrorism financing risks. Staff and officers should receive periodic training including but not limited to the following:

• This Policy and internal AML/CFT procedures and controls in place;
• Roles and responsibilities of employees and officers in AML/CFT;
• Applicable AML/CFT laws and regulations;
• CDD measures and the detecting and reporting of suspicious transactions
• Tipping off offences under relevant Anti-Financial Crime rules and regulations; and
• Prevailing techniques, methods and trends in ML/FT.

The training programme should ensure that staff are appropriately trained within 7 days of being assigned. Refresher training should be carried out at least once every two years, or more regularly as appropriate, to ensure that employees and officers are reminded of their responsibilities and kept updated on new developments related to ML/FT.

The Company will monitor the effectiveness of the training provided to its employees and officers.

This may be achieved by:

• testing their understanding of the Company’s policies and procedures to combat ML/TF, their obligations under relevant laws and regulations, and their ability to recognise suspicious transactions;
• monitoring their compliance with the Company’s AML/CFT policies, procedures and controls as well as the quality and quantity of internal reports so that further training needs may be identified and appropriate action taken; and
• monitoring attendance and following up with employees and officers who miss such training without reasonable cause.

APPENDIX

APPENDIX A – COUNTRY RISK SCHEDULE

The Company classifies countries/regions into three risk categories: low, medium, and high risk.

1. Low Risk

All countries that satisfy all of the following criteria will be considered low-risk:

• Countries that are FATF-members;
• Countries with a rating of 5.25 or lower on the Basel AML index; and
• Countries with a rating of 50 or higher on the European Commission Corruption Perceptions Index.

According to the above-mentioned standard, the low-risk countries are:

Australia, Germany*, South Korea, Saudi Arabia, Austria, Greece, Luxembourg*, Singapore, Belgium, Iceland, Netherlands*, Spain, Canada, Ireland, New Zealand,  Sweden, Denmark, Israel, Norway, Switzerland, Finland, Italy, Portugal, United Kingdom

* Germany, Luxembourg, and Netherlands’s Basel AML indexes are not available to the public, thus the Company cannot categorize the three countries as low-risk countries. However, given that they are on the top 10 list on the CPI index (Netherlands ranked 8th, Luxembourg ranked 9th, and Germany ranked 10th) and the three countries have well-regulated financial markets, therefore, Germany, Luxembourg, and Netherlands are grouped into low-risk countries by the Company.

The Company shall ensure its classification of low-risk countries is reviewed regularly and remains consistent with notifications provided by relevant regulatory authorities and government agencies. Where the Company is notified, or the Company otherwise determines, that a country or region does not have adequate AML/CFT measures, it shall not be classified as low-risk even if it satisfies all of the above criteria.

2. High Risk

All countries/regions that fulfil either of the following criteria shall be considered high-risk:

• Countries/regions that are subject to country-wide or territorial economic sanctions laws promulgated by the USA, UK, UN, EU, Switzerland or Singapore; or
• Countries/regions in relation to which the FATF has called for countermeasures.

Below are the countries considered as high-risk to the company:

Afghanistan, Guinea-Bissau, Malta, Tajikistan, Belarus, Haiti, Mauritania, Tanzania, Cambodia, Iran, Mozambique, Turkey, Central African Republic, Iraq, Myanmar, Uganda, Colombia, North Korea, Russia, Venezuela, Congo, Democratic Republic of the Laos, Somalia, Yemen, Congo, Republic of the Lebanon, Sudan, Zimbabwe, Cuba, Libya, South Sudan, Crimea**, Eritrea, Mali, Syria

** Crimea (Ukraine) is blocked due to ongoing political issues (in response to Russian threat to the sovereignty and territorial integrity of Ukraine).

The Company will not onboard clients from high-risk jurisdictions.
The Company also temporarily blocks several countries and regions due to being unlicensed in offering cryptocurrency services. The countries and regions are as follows:

China, Japan, Thailand, Hong Kong, Malaysia, Ontario (Canada), Indonesia, Taiwan, New York (USA)

3. Medium Risk

All countries/regions that do not fall into low risk or high-risk categories shall be classified as medium risk, with the degree of country-risk for any particular jurisdiction assessed on a case-by-case basis. Countries with the status of jurisdictions under increased monitoring by the FATF will be reviewed periodically as to their risk to the company.

Note: the FATF makes it clear that a country’s appearance on the list of jurisdictions with strategic deficiencies is not a call for other FATF member countries to take enhanced due diligence measures, considering that the listed countries are actively working with the FATF to resolve the issues identified.

APPENDIX B – CUSTOMER ONBOARDING PROCEDURES

CUSTOMER ONBOARDING AND MAINTENANCE

LiquidityOne maintains a low risk tolerance, therefore customers that fall outside of this risk tolerance must not be onboarded. Please refer to the Appendix A for further information on the Company’s approach to customer and country risk.

Before a customer can be onboarded to trade with the Company, appropriate levels of Customer Due Diligence (“CDD”) must be performed, including verification of identity, confirmation of eligibility to use LiquidityOne, and screening for sanctions, criminal association, and/or any other adverse factors that would cause the customer to fall outside of the Company’s risk appetite.

1. Customer Jurisdictions

The Company only accepts clients from permissible jurisdictions as outlined in the Country risk Schedule under APPENDIX A of this document.

2. Customer Identity

The identity of the customer must be fully established, either via the standard Know Your Customer (“KYC”) process for individuals, or in the case of a body corporate, a formal assessment of the entity and ultimate beneficial ownership. The company must obtain from all customers (both individuals and corporations and legal entities), at a minimum, confirmation of the following:

The following attributes will be required for individuals:

• Full Name, including any aliases;
• Date of Birth;
• Unique government ID;
• Residential address; and
• Nationality.

The following documentation will also be required for individuals:

• LiquidityOne will accept a current valid passport as proof of identity.
• LiquidityOne will accept a copy of a recent Bank statement, Credit Card Statement, or utility bill as proof of residential address. The individual’s name, matching their onboarding application, must appear on the address documentation.

The following attributes will be required for Corporations and Legal Entities:

• Full legal entity name;
• Date of incorporation or registration;
• Incorporation or business registration number;
• Registered business address, or principal place of business (as may be appropriate); and
• Country or place of incorporation, or place of registration (as may be appropriate).

The following documentation will also be required for Corporations and Legal Entities:

• Articles of association;
• A list of the members of the Board of Directors or its equivalent;
• Detailed overview of the company ownership structure;
• A list of persons authorized to commit the capital of the company, along with the requisite board resolution where relevant;
• A list of persons authorized to execute a trade or agree on a price to be traded; and
• A list of people authorized to sign on behalf of the company.

A. Screening

All potential customers must be screened for sanctions, criminal watchlists, fitness and probity and adverse media, before they can be permitted for onboarding. The Company uses a specialist third party provider to conduct its KYC screening.

Customers that are flagged against any of the below screening scenarios cannot be automatically onboarded and must be diverted to Compliance for a review of their application. Compliance is then responsible for determining whether the flag is a positive match or a false positive.

Screening Scenario Analysis:

 Screening Matches

Customers that flag as a positive match against sanctions screening or criminal watchlist checks where the crime would cause failure of a prevailing regulatory Fit and Proper test, cannot be onboarded and a Suspicious Transaction Report (“STR”) must be filed by the Chief Compliance Officer with the relevant Authority. All other criminal matches will be reviewed by Compliance on a case- by-case basis.

Adverse Media

Where a potential customer returns a positive match against adverse media, Compliance must determine the legitimacy of the media and whether it has been proven or whether it is simply speculation. The jurisdiction and type of allegation can be considered in order to determine the risk that the customer poses to LiquidityOne.

PEPs

Where a customer is identified as a PEP, or as a family member or close associate of a PEP, the nature of the individual’s political association must be taken into account, including whether they have stepped down from a prominent public function and whether they are still perceived to have influence despite having stepped down.

The risk of the jurisdiction from which the PEP originates must also be considered, for instance, jurisdictions that score low on the Corruptions Perceptions Index present a higher risk for political corruption. PEPs from high-risk jurisdictions (as set out in the Country Risk Register) cannot be onboarded. All other PEPs must be reviewed by Compliance on a case-by-case basis and may be required to provide additional documentation such as source of funds and proof of income.

Red Flags and Suspicious Activity

Either at onboarding or during the course of business, there may be red flags raised against existing or potential new customers that are related to possible findings in relation to sanction or other financial crime watchlists, or in relation to established adverse media. If a material red flag is raised, then LiquidityOne must take appropriate action, up to and including filing a STR with the authorities.

If a material red flag is raised during KYC screening conducted during the onboarding process, onboarding will be automatically rejected and a STR must be filed. Where a material red flag is raised for an existing customer, that customer must be placed under enhanced surveillance and a STR must be filed with the authorities, and the customer may need to be offboarded.

It is important that in the process of taking remedial action, that the Company does not alert the customer or take any action that could prejudice any investigation which might be conducted following an STR, or any other action that could amount to “tipping off” under relevant Anti-Financial Crime rules and regulations. Any remedial action up to and including offboarding and termination of account, must be approved by the Chief compliance Officer.

All suspicious activity must be escalated to the Chief Compliance Officer who will be responsible for filing a STR with the prevailing Suspicious Transaction reporting office.

3. Customer Wallets

The company does not support third party payments, therefore all clients must demonstrate control over all wallets that they wish to transfer digital assets to or from, and those wallets must appear on the wallet Whitelist before a transfer can be made.

In order to have a wallet added to the whitelist a client must complete one of the following ownership
confirmation methods:

• Complete a pre-specified qualifying value transfer (a “Satoshi Test”), or
• Demonstrate ownership of the wallet by completing a cryptographic hash confirmation.

The above actions help to establish control over a wallet, so that the wallet can then be added to the Whitelist. Clients will not have the option to initiate a value transfer from LiquidityOne to a wallet that is not on the Whitelist.

If funds are received from a wallet that is not on the Whitelist or is not in the process of an ongoing Satoshi Test or cryptographic hash confirmation, the customer will be prevented from making any further value transfers until either a Satoshi Test, or cryptographic hash confirmation on the wallet in question has been validated.

If the client fails to confirm ownership by using one of the above methods within one month from the funds being received, the account will be frozen, and a full KYC refresh will be required before any activity can take place. Compliance may also consider whether a suspicious transaction report will need to be filed.

4. KYC Refresh

All customers will be subject to a routine refresh of KYC and screening as per the following schedule:

CUSTOMER OFFBOARDING

There may be instances where Customers need to be offboarded due to non-financial crime-related reasons, such as regulatory or license changes in a specific jurisdiction. In such instances a timeline for Compliance plan must be agreed with the Chief Compliance Officer, Chief Legal Counsel and Head of Sales.