ANTI-MONEY LAUNDERING AND COUNTER TERRORIST FINANCING COMPLIANCE POLICY (GUIDELINES)
1. INTRODUCTION
The purpose of these Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT) and Sanctions Guidelines is to ensure that Pitex has robust internal policies and procedures designed to prevent the use of its services for money laundering, terrorist financing, or the evasion of international and domestic sanctions.
These Guidelines are intended to ensure full compliance with the applicable laws and regulations of the United Arab Emirates, including but not limited to:
- Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering, Combating the Financing of Terrorism, and Financing of Illegal Organizations.
- Cabinet Decision No. 10 of 2019 concerning the Implementing Regulations of Federal Decree-Law No. 20 of 2018.
- Cabinet Resolution No. 74 of 2020 concerning the Terrorism Lists Regulation and Implementation of UN Security Council Resolutions.
- Virtual Assets Regulatory Authority (VARA) – Compliance & Risk Management Rulebook and AML/CFT & Sanctions Rulebook.
- Central Bank of the UAE AML/CFT Guidelines and requirements for financial institutions and licensed virtual asset service providers.
- FATF Recommendations as adopted by the UAE.
- All relevant United Nations Security Council Resolutions and applicable international sanctions regimes (including OFAC, UK, and EU sanctions where relevant).
These Guidelines also incorporate best practices and compliance standards for:
- Customer identification and verification, including secure remote onboarding procedures in line with UAE requirements.
- Continuous monitoring of customer transactions to detect suspicious activities.
- Immediate reporting of suspicious transactions to the UAE Financial Intelligence Unit (FIU) through the goAML platform.
- Implementation of asset freeze measures in accordance with UAE Cabinet and UN Security Council directives.
Review and Updates
These Guidelines will be reviewed by the Management Board at least annually. The review may occur more frequently if required by changes in legislation, VARA Rulebooks, or upon the request of the Money Laundering Reporting Officer (MLRO) or the Compliance Department.
2. DEFINITIONS
“Beneficial Owner” means any natural person who, by virtue of ownership, control, or other means of influence, ultimately directs, controls, or otherwise exercises significant influence over a transaction, operation, activity, or over another legal person or arrangement, and in whose interest or for whose benefit such transaction, operation, or activity is conducted.
In the case of a legal entity, a Beneficial Owner is a natural person who directly or indirectly — or through a combination of direct and indirect holdings — owns or controls more than 25% of the entity’s shares, voting rights, or other ownership interests, including bearer shares or equivalent forms of ownership.
Under UAE legislation (Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism, and Cabinet Resolution No. 58 of 2020 on the Regulation of Beneficial Owner Procedures) and Dubai VARA regulations, where multiple natural persons collectively meet this threshold, each shall be identified as a Beneficial Owner. Furthermore, individuals who, without holding a qualifying ownership interest, nevertheless exercise ultimate effective control or have the power to make significant decisions over the entity’s operations are also deemed Beneficial Owners.
“Business Relationship” means any business, professional, or commercial relationship between a Customer and Pitex, which is connected with the Company’s regulated virtual asset activities under VARA licensing, and which, at the time the relationship is established, is expected to have an element of duration. This includes, but is not limited to, ongoing exchange, custody, or related virtual asset services provided in accordance with UAE Federal AML/CFT legislation, Cabinet Decision No. (10) of 2019, and any applicable VARA Rulebooks.
“Company” means the legal entity with the following details:
- Company Name: Pitex FZE (and, where applicable, Pitexo Exchange FZCO for exchange services)
- Jurisdiction of Incorporation: Dubai, United Arab Emirates, registered in the Dubai Free Zone under the relevant authority (e.g., DMCC or DWTC as applicable)
- License & Regulation: Licensed and regulated by the Virtual Assets Regulatory Authority (VARA) under the Exchange Services Rulebook and Custody Services Rulebook.
- Registered Address:
- Email:
- Registration Number:
“Customer” (also referred to as Client or User) means any natural person or legal entity that has established a Business Relationship with the Company in accordance with the applicable laws and regulations of the United Arab Emirates, including the requirements of the Virtual Assets Regulatory Authority (VARA) and other competent UAE authorities.
“Employee” means any person employed by the Company, whether on a full-time, part-time, or temporary basis, as well as any other individual, consultant, contractor, or third-party service provider who is directly or indirectly involved in the implementation, monitoring, or enforcement of these Guidelines within the Company.
“Guidelines” means this document, including, inter alia, the Company’s internal control procedures established in accordance with applicable United Arab Emirates legislation, including the Federal AML/CFT Law, the Cabinet Decision No. (10) of 2019, and the Virtual Assets Regulatory Authority (VARA) Rulebooks. These Guidelines also incorporate the Company’s internal risk assessment policy, which applies a risk-based approach to identifying, assessing, and mitigating Money Laundering (ML) and Terrorist Financing (TF) risks in connection with its virtual asset activities.
“Management Board” means the management board of the Company. If the Company has no management board, the manager of the Company shall be considered the Management Board member and shall be responsible for the Management Board duties in the context of the Guidelines.
“MLRO” means Money Laundering Reporting Officer, who is appointed to the Company as a person responsible for receiving internal disclosures and making reports to the Financial Crime Investigation Service (FCIS) and other duties as described above.
“Monetary Operation” means any payment, transfer, or receipt of funds — whether in fiat currency or virtual assets — conducted through the Company’s systems or related third-party service providers.
“Money Laundering (ML)” means the process of concealing the origins of illicit funds or assets by introducing them into the legitimate financial and economic system in a way that disguises their true source. This is done through transactions or arrangements that create the appearance of lawful activity.
Under applicable UAE legislation, including Federal Decree-Law No. (20) of 2018 on AML/CFT, Cabinet Decision No. (10) of 2019, and the VARA Rulebooks, ML encompasses activities involving both fiat and virtual assets, whether conducted domestically or cross-border.
There are three recognized stages of the ML process:
- Placement – Introducing the proceeds of crime into the financial or virtual asset system. This may involve deposits, asset purchases, or transfers into wallets or bank accounts.
- Layering – Converting illicit proceeds into other forms and creating complex layers of financial or blockchain transactions to obscure the audit trail, conceal ownership, and disguise the source of the funds.
- Integration – Reintroducing laundered funds or assets into the legitimate economy, making them appear to originate from lawful activities.
The Company adopts a risk-based approach and employs transaction monitoring, KYC/CDD procedures, and blockchain analytics tools to detect and prevent ML at all stages.
“Politically Exposed Person (PEP)” means a natural person who is or has been entrusted with a prominent public function, whether domestically or in a foreign country, and for whom related ML/TF risks may still exist due to their position, influence, or access to resources.
In the context of UAE Federal Decree-Law No. (20) of 2018, Cabinet Decision No. (10) of 2019, and VARA AML/CFT Rulebooks, PEPs include, but are not limited to:
- Heads of State or Government, Ministers, and Senior Politicians
- Senior Government, Judicial, or Military Officials
- Senior Executives of State-Owned Enterprises
- Members of Ruling Families with Significant Political Influence
- High-Ranking Officials of Political Parties
A PEP also includes family members (spouse, children, parents, siblings) and close associates (individuals with joint business interests, beneficial ownership, or known close personal relationships) of the primary PEP.
The Company applies enhanced due diligence (EDD) to all PEPs, including:
- Verifying the source of wealth and source of funds;
- Obtaining senior management approval before establishing or continuing the business relationship;
- Conducting enhanced ongoing monitoring for unusual or suspicious activity.
“Sanctions” means a regulatory and enforcement mechanism, mandated under applicable UAE federal laws, Dubai Virtual Assets Regulatory Authority (VARA) directives, United Nations Security Council resolutions, and other relevant international agreements, aimed at supporting the maintenance or restoration of peace, international security, democracy, and the rule of law. Sanctions also seek to ensure adherence to human rights and international law, or to achieve other objectives under the UAE’s foreign policy and international commitments. This includes, but is not limited to, measures adopted under the United Nations Charter, the UAE’s commitments to the Gulf Cooperation Council (GCC), and other recognized intergovernmental bodies, as well as decisions of competent supervisory and enforcement authorities both in the UAE and internationally.
The subject of Sanctions refers to any natural person, legal entity, organization, or body designated in the relevant legal act imposing or implementing the sanctions, and to which such sanctions apply.
“Terrorist Financing” refers to the direct or indirect provision, collection, or facilitation of funds, assets, or other resources with the knowledge or intention that they will be used, in whole or in part, to support the commission of a terrorist act, terrorist organization, or terrorist travel, as defined under:
- Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended),
- UAE Cabinet Decision No. 10 of 2019 concerning the implementing regulation of the above law,
- and other applicable UAE laws, regulations, and directives issued by competent authorities, including the Executive Office of Anti-Money Laundering and Counter Terrorism Financing and Dubai Virtual Assets Regulatory Authority (VARA).
This includes:
- Financing or supporting terrorist acts regardless of whether the funds are actually used for the commission of such acts,
- Providing or collecting funds or assets intended for use by individuals or groups for travel related to terrorism,
- Facilitating access to financial services, virtual assets, or other resources for individuals or entities designated on UAE or international sanctions lists.
“Third Country” refers to any jurisdiction that is not a member of the Gulf Cooperation Council (GCC) or the United Arab Emirates (UAE) and, for the purposes of the Company’s compliance framework, also includes jurisdictions:
- Listed as High-Risk Jurisdictions or under increased monitoring by the Financial Action Task Force (FATF),
- Classified as high-risk or non-cooperative by the UAE Ministry of Economy or other competent UAE authorities,
- Designated by the Dubai Virtual Assets Regulatory Authority (VARA) or the UAE Central Bank as restricted or prohibited jurisdictions for virtual asset activities.
“A crypto-asset” means a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes, as defined in Federal Decree-Law No. (20) of 2018 on AML/CFT, Cabinet Decision No. (10) of 2019, and the Dubai Virtual Assets Regulatory Authority (VARA) Virtual Assets and Related Activities Regulations.
For the purposes of these Guidelines, a crypto-asset includes any virtual asset that:
- Falls within the definition of “Virtual Asset” under the VARA Rulebooks;
- Is recorded or transferred using distributed ledger technology or a similar technology;
- Is not considered fiat currency, legal tender, or funds under UAE law;
- Does not fall within an exclusion category under applicable UAE legislation (e.g., central bank digital currency, securities regulated under the SCA, or other exempt categories).
This definition excludes:
- Assets classified as “funds” or “securities” under UAE Central Bank or Securities and Commodities Authority (SCA) regulations;
- Virtual assets expressly excluded under VARA’s guidance or any FATF interpretive note adopted by the UAE.
“Crypto-asset Service Provider” means any legal entity or individual that conducts one or more Virtual Asset (VA) activities on behalf of or for another person, as defined under Dubai Virtual Assets Regulatory Authority (VARA) Virtual Assets and Related Activities Regulations and Federal Decree-Law No. (20) of 2018 on AML/CFT, read together with Cabinet Decision No. (10) of 2019.
“Intermediary Crypto-Asset Service Provider (ICASP)” means a crypto-asset service provider that is not the primary crypto-asset service provider of either the originator or the beneficiary, but acts as an intermediary in the transfer of crypto-assets. An ICASP receives and transmits a transfer of crypto-assets on behalf of:
- the crypto-asset service provider of the originator,
- the crypto-asset service provider of the beneficiary, or
- another intermediary crypto-asset service provider.
“Payment Service Provider (PSP)” means any natural or legal person that provides transfer of funds services and falls into one of the categories set out under applicable UAE legislation, including:
- Entities licensed by the Central Bank of the UAE (CBUAE) under the Retail Payment Services and Card Scheme Regulation or equivalent framework to conduct payment services, including the transfer of funds, payment processing, and settlement;
- Entities authorized under outsourcing arrangements with a CBUAE-licensed PSP, in line with the CBUAE’s outsourcing guidelines;
- PSPs must comply with Federal Decree-Law No. 20 of 2018 on AML/CFT, Cabinet Decision No. 10 of 2019, and relevant VARA requirements, including customer due diligence (CDD), sanctions screening, and suspicious transaction reporting;
- Any arrangement with a PSP must ensure the segregation of client funds, robust operational resilience, data protection, and adherence to VARA’s Exchange and Custody Services Rulebooks when relevant to Pitex operations.
“Intermediary Payment Service Provider (IPSP)” means any payment service provider, licensed or authorized under applicable UAE laws and regulations, that is not the payment service provider of the payer or the payee, and that receives and transmits a transfer of funds on behalf of:
- The payment service provider of the payer;
- The payment service provider of the payee; or
- Another intermediary payment service provider.
In the context of Pitex operations, an IPSP must:
- Hold the relevant authorization from the Central Bank of the UAE (CBUAE) or operate under an outsourcing arrangement with a CBUAE-licensed PSP;
- Comply with Federal Decree-Law No. 20 of 2018 on AML/CFT, Cabinet Decision No. 10 of 2019, and VARA requirements when facilitating transactions involving virtual assets;
- Implement robust AML/CFT measures, sanctions screening, and transaction monitoring to detect suspicious activity;
- Maintain operational and cybersecurity controls to protect transaction integrity and client data;
- Ensure transaction traceability in line with the Travel Rule obligations applicable under UAE law and VARA rulebooks.
3. PRINCIPLES AND MANAGEMENT OF THE COMPANY
The organizational structure of the Company shall be designed in accordance with UAE regulatory requirements, including VARA Rulebooks (for virtual asset activities) and other applicable laws, to ensure alignment with its size, operational model, and the nature, scope, and complexity of the services provided. The structure must also reflect the Company’s risk appetite and the potential risks inherent in its activities.
3.1. The Management Board
The Management Board acts as the custodian of the Company’s compliance culture regarding the prevention of Money Laundering (ML) and Terrorist Financing (TF), ensuring that all Board members and Employees operate in an environment where they are fully aware of the applicable AML/CFT requirements, their related obligations, and the associated risk considerations. These considerations must be appropriately integrated into the Company’s decision-making processes.
In the context of the United Arab Emirates regulatory framework, including Federal Decree-Law No. 20 of 2018, Cabinet Decision No. 10 of 2019, and VARA Rulebooks applicable to virtual asset service providers, the Management Board holds ultimate responsibility for ensuring that the Company’s services are not misused for ML/TF purposes.
The Management Board shall provide oversight and be accountable for:
- Establishing and Maintaining AML/CFT Systems: Designing, implementing, and continually improving AML/CFT processes, procedures, and risk control measures to meet both domestic and international compliance standards.
- Approving Internal Policies: Adopting these Guidelines and other internal instructions aligned with VARA and Central Bank of the UAE expectations.
- Defining AML/CFT Strategy: Setting the Company’s AML/CFT policy, defining acceptable risk appetite, and ensuring alignment with strategic objectives.
- Appointing an MLRO: Designating a qualified Money Laundering Reporting Officer (MLRO) with the authority, resources, and expertise to perform their duties independently and effectively.
- Allocating Resources: Ensuring adequate human, technological, and financial resources are dedicated to compliance, risk management, and monitoring functions.
- Training Obligations: Guaranteeing that all relevant Employees undergo annual AML/CFT training in accordance with UAE regulatory requirements and best practices, with additional ad-hoc training as necessary based on emerging risks or regulatory updates.
By fulfilling these obligations, the Management Board ensures the Company maintains a robust governance framework that supports operational integrity, regulatory compliance, and effective risk management across all business activities.
3.2. The First Line of Defense – Employees
The first line of defense consists of the Company’s operational units and Employees whose activities are directly associated with inherent risks and who are responsible for identifying, assessing, and managing these risks within their day-to-day operations. This includes applying due diligence measures both at the start of a Business Relationship and throughout its duration.
In the UAE context, aligned with Federal Decree-Law No. 20 of 2018, Cabinet Decision No. 10 of 2019, and relevant VARA Rulebooks, the first line of defense carries the primary responsibility for implementing effective AML/CFT controls during the normal course of business.
The Company recognizes that risks arising from its services are owned and managed at this level, and therefore:
- Employees act as risk owners for their respective activities.
- They must perform their duties with the professional competence, diligence, and foresight expected for their role.
- They must protect the integrity of the Company’s financial systems by preventing misuse for Money Laundering or Terrorist Financing.
Employee Suitability and Training
Before assuming AML-related responsibilities, Employees undergo suitability assessments and relevant training to ensure competence.
Employees in the first line of defense are required to:
- Comply with all requirements outlined in these Guidelines and related internal documents.
- Collect and verify all required Customer information according to their role and responsibilities.
- Identify and report any unusual information, situations, activities, transactions, or attempted transactions, regardless of the amount or completion status, to the MLRO without delay.
- Maintain confidentiality by refraining from informing Customers or third parties about any suspicion or reporting actions (prohibition of tipping-off).
- Complete AML/CFT training appropriate for their position, with periodic refreshers as determined by regulatory requirements and the Company’s risk assessment.
3.3. The Second Line of Defense – Risk Management, Compliance, and MLRO
The second line of defense comprises the Risk Management and Compliance functions, which may be executed by the same individual or unit depending on the Company’s size, activities, and complexity, as well as its risk appetite and inherent risk exposure.
In the UAE context, consistent with Federal Decree-Law No. 20 of 2018, Cabinet Decision No. 10 of 2019, and VARA Rulebooks, the second line of defense ensures that the Company’s operations comply with applicable AML/CFT regulations and risk management requirements, without engaging in revenue-generating or risk-taking activities.
Role of the Compliance Function
The Compliance function’s primary objectives are to:
- Ensure adherence to all applicable laws, guidelines, and regulatory obligations.
- Monitor the impact of regulatory changes on Company operations and internal policies.
- Assist the first line of defense in identifying, assessing, and mitigating risks, such as reviewing unusual or suspicious transactions using specialized skills and investigative techniques.
The Compliance Department is responsible for:
- Implementing the Company’s Risk Policy.
- Ensuring that all risks are identified, assessed, measured, monitored, and reported to the relevant units.
- Coordinating with operational and development teams to support business continuity and operational resilience.
Role of the MLRO
The Money Laundering Reporting Officer (MLRO), appointed by the Management Board, operates independently from the business functions being monitored. The MLRO is tasked with ensuring ongoing AML/CFT compliance and serves as the central point for suspicious activity reporting.
MLRO responsibilities include:
- Drafting, updating, and maintaining the Company’s AML/CFT Guidelines.
- Continuously monitoring compliance with internal and external AML/CFT requirements.
- Advising management and staff on AML/CFT obligations.
- Delivering AML/CFT training and awareness programs.
- Investigating internal suspicious activity reports and deciding whether they are justified or require external reporting.
- Submitting suspicious transaction/activity reports (STRs/SARs) to the UAE Financial Intelligence Unit (FIU) in accordance with applicable law.
- Reviewing the effectiveness of AML/CFT measures and recommending improvements.
- Implementing risk-based monitoring procedures.
- Maintaining secure internal reporting mechanisms.
MLRO Reporting to the Management Board
The MLRO submits quarterly written reports to the Management Board, covering at least:
- Number of Customers in each risk classification.
- Sanctions list hits and actions taken.
- Number of Customers or representatives identified as PEPs or PEP-related.
- Number of internal suspicious activity reports received.
- Number of reports submitted to the FIU.
- FIU requests for information and related responses.
- Confirmation that the Company’s ML/TF risk assessment is up to date.
- Confirmation that AML/CFT Guidelines and related documents are current.
- Confirmation that AML staffing levels are adequate.
- Identified deficiencies and remediation measures.
- Details of mandatory AML/CFT trainings conducted.
3.4. The Third Line of Defense – Internal Audit
The third line of defense is comprised of an independent and effective internal audit function. This function may be performed by:
- One or more Employees within the Company,
- A dedicated structural unit of the Company assigned with internal audit responsibilities, or
- An external third-party service provider engaged to perform internal audit activities.
The individuals, structural unit, or third party responsible for the internal audit function must possess the necessary competence, tools, and unrestricted access to relevant information across all structural units of the Company. Internal audit methodologies must be tailored to align with:
- The size of the Company,
- The nature, scope, and complexity of its activities and services,
- The risk appetite of the Company, and
- The specific risks arising from the Company’s operations.
The decision to initiate an internal audit is made through a formal resolution of the Management Board. The Management Board must review and assess the need for conducting an internal audit at least once annually to ensure ongoing alignment with regulatory obligations and internal governance standards.
4. CUSTOMER DUE DILIGENCE (CDD) MEASURES
Customer Due Diligence (CDD) measures are mandatory for verifying the identity of a new or existing Customer and for performing ongoing risk-based monitoring of the Business Relationship in accordance with the applicable UAE Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism, Cabinet Decision No. (10) of 2019, and the Virtual Assets Regulatory Authority (VARA) Rulebooks.
The CDD process applies to all natural and legal persons engaging with the Company’s services and must be conducted prior to establishing any relationship or executing any transaction that meets the thresholds defined under UAE regulations.
4.1. MAIN PRINCIPLES
The Company applies CDD measures to the extent necessary, considering the Customer’s risk profile and other relevant circumstances, in the following cases:
- Upon establishment of the Business Relationship and during ongoing monitoring of the Business Relationship;
- Upon verification or updating of information gathered during previous due diligence measures, or in case of doubt regarding the sufficiency or accuracy of previously obtained documents or data;
- Upon suspicion of Money Laundering or Terrorist Financing, regardless of any exemptions or thresholds in these Guidelines or applicable UAE legislation.
The Company will not establish or maintain a Business Relationship and will not execute any transaction if:
- The Company cannot perform the required CDD measures;
- There are suspicions that the services or transaction will be used for Money Laundering or Terrorist Financing;
- The risk level of the Customer or the transaction does not comply with the Company’s approved risk appetite.
If the Company receives information or documents in foreign languages during CDD, it may request translations into English or Arabic (as applicable for UAE compliance). Translations should be avoided where original documents are already in an applicable language.
CDD is an ongoing process starting with the application of due diligence measures. Upon completion, the Customer is assigned a documented individual risk level, forming the basis for ongoing monitoring and review. The risk classification must be updated when necessary.
The Company is considered to have applied CDD measures adequately when it has a reasonable conviction that it has met its due diligence obligations. This “principle of reasonability” means the Company must acquire sufficient knowledge and understanding of:
- The Customer and their business activities;
- The purpose and intended nature of the Business Relationship;
- The source of funds;
- The nature and expected volume of transactions;
- The Customer’s risk level and related risk factors.
Such a level of understanding must enable the Company to identify complex, high-value, or unusual transactions and transaction patterns that lack an apparent economic or lawful purpose or are inconsistent with the Customer’s business profile.
4.2. THE SERVICES PROVIDED
The Company’s primary economic activity is the provision of Virtual Asset (VA) services in accordance with the Dubai Virtual Assets Regulatory Authority (VARA) Rulebooks and relevant UAE legislation.
Pursuant to its VARA licence(s), the Company offers the following services to its Customers:
- Custody and administration of Virtual Assets on behalf of clients;
- Exchange of Virtual Assets for fiat currency;
- Exchange of one Virtual Asset for another;
- Any other Virtual Asset services that the Company is authorised to provide under its VARA licence.
The Company provides these services for a range of Virtual Assets, including but not limited to BTC, ETH, LTC, TRX, and other tokens approved for listing and supported by the Company’s risk management framework, in compliance with VARA’s Market Conduct and AML/CFT Rulebooks.
4.3. THE VERIFICATION OF INFORMATION USED FOR THE CUSTOMER’S IDENTIFICATION
Verification of Customer identification information means confirming, through reliable and independent sources, that the data provided is accurate, valid, and up to date. Where necessary, the Company also verifies that data directly related to the Customer is genuine and correct.
The purpose of this verification is to ensure that the Customer establishing a Business Relationship is indeed the person they claim to be, in line with VARA AML/CFT Compliance Rulebook, UAE Cabinet Resolution No. 10 of 2019, and other applicable UAE legislation.
Information obtained during identification is considered verified through a reliable and independent source where it cumulatively meets the following criteria, namely that it:
- Originates from at least two different independent sources;
- Is issued (e.g., identity documents) or obtained from a third party or entity that has no vested interest or connection with the Customer or the Company — i.e., a neutral party;
- Has reliability and independence that can be objectively confirmed and understood by a third party not involved in the Business Relationship;
- Contains data that is current, relevant, and verifiable without undue difficulty.
Information obtained from the Internet is not considered an independent source if it originates directly from the Customer or is otherwise self-provided. Where documents are in a foreign language, the Company may request an official translation into a language acceptable under its compliance framework.
4.3.1. DIGITAL IDENTITY VERIFICATION
As part of its Customer identification process, the Company uses approved third-party KYC service providers such as Sumsub for secure and automated verification. These providers utilize advanced technologies, including biometric verification, facial recognition, liveness detection, document authenticity checks, and database screening, to ensure that:
- Identity documents are genuine and valid;
- The individual presenting the document is the rightful holder;
- The Customer is screened against global sanctions lists, PEP databases, and adverse media sources;
- The verification process meets VARA, CBUAE, and international FATF standards.
All digital verification records are securely stored in accordance with UAE data protection laws and are accessible for regulatory inspections.
4.4. APPLICATION OF SIMPLIFIED DUE DILIGENCE MEASURES (LEVEL 1)
Simplified Due Diligence (“SDD”) measures are applied by the Company where the Customer’s risk profile, based on the Company’s internal risk assessment and in line with the requirements of the UAE Federal AML/CFT framework and the Virtual Assets Regulatory Authority (“VARA”) Rulebooks, indicates a low risk level of Money Laundering or Terrorist Financing (ML/TF).
When applying SDD measures, the Company limits the scope of data collection and verification to essential identification data only, provided that there are no red flags, unusual circumstances, or risk indicators contradicting the classification.
For natural persons (individual Customers):
- Full name (first name(s) and surname(s));
- Official personal identification number or passport number;
- Date of birth;
- Nationality.
For legal entities (corporate Customers):
- The registered name of the legal entity;
- Legal form (e.g., Limited Liability Company, Free Zone Company);
- Legal Entity Identifier (LEI) or company registration number issued by the competent authority in the UAE or relevant jurisdiction;
- Registered and official office address;
- Details of the authorized representative (full name, identification number or passport number, date of birth).
The Company ensures that the use of SDD measures does not exempt it from its ongoing monitoring obligations. Continuous monitoring of transactions and business relationships is conducted to ensure that any unusual or suspicious activity is identified and escalated in accordance with the Company’s AML/CFT policy and applicable UAE legislation.
4.5. APPLICATION OF STANDARD DUE DILIGENCE MEASURES (LEVEL 2)
Standard Due Diligence (SDD) measures are applied to all Customers where Customer Due Diligence (CDD) obligations arise under these Guidelines. These measures are designed to establish a sufficient understanding of the Customer, the Business Relationship, and related risks before services are provided.
The Company applies the following measures:
- Identification of the Customer and verification of submitted information using reliable and independent sources;
- Identification and verification of the Customer’s representative, including confirmation of their right to represent the Customer;
- Identification of the Beneficial Owner (UBO), and verification to the extent necessary to ensure that the Company understands both the identity of the UBO and the ownership/control structure of the Customer;
- Understanding the nature and purpose of the Business Relationship, as well as relevant transactions or operations, including gathering additional information where required;
- Screening the Customer and related parties against Politically Exposed Persons (PEPs) lists, including identification of family members and close associates;
- Ongoing monitoring of the Business Relationship in line with the Customer’s risk profile.
All of the above measures must be implemented prior to establishing a Business Relationship or executing a transaction. Detailed procedural instructions for applying these standard due diligence measures are set forth in the Company’s internal Guidelines.
4.6. APPLICATION OF ENHANCED DUE DILIGENCE MEASURES (LEVEL 3)
In addition to standard CDD measures, the Company applies Enhanced Due Diligence (EDD) measures to manage and mitigate elevated Money Laundering (ML) and Terrorist Financing (TF) risks, in strict compliance with UAE Federal Decree-Law No. 20 of 2018, Cabinet Decision No. 10 of 2019, and VARA’s Compliance & Risk Management Rulebook.
Triggers for EDD Application
The Company must always apply EDD measures when any of the following high-risk criteria are met:
- The Customer shows a high ML/TF risk profile upon risk assessment (including internal risk models in line with VARA’s framework).
- There are doubts about the authenticity or validity of submitted KYC data, documents, or Beneficial Ownership information.
- Establishing cross-border correspondent relationships with financial institutions located in high-risk (third) jurisdictions.
- The Customer is a Politically Exposed Person (PEP), a PEP’s relative, or a close associate.
- The Customer or payee/provider is from a high-risk country as identified by FATF mutual evaluations or internal policies.
- Transactions involve crypto-asset transfers to or from self-hosted wallets, particularly when a VASP is involved.
- Unusual or suspicious transaction patterns emerge that are characteristic of heightened ML/TF risk.
Specific EDD Measures
A. For High-Risk Institutions
- Collect comprehensive information on business nature, reputation, and supervisory oversight.
- Evaluate adequacy of the Customer’s internal AML/CFT controls.
- Secure Management Board approval before initiating or continuing such relationships.
- Document roles and responsibilities, and ensure the Customer has conducted its own compliant CDD measures.
B. For PEP-Related Relationships
- Obtain prior senior management approval.
- Fully verify source of funds and wealth.
- Implement more frequent and detailed transaction monitoring.
C. For High-Risk Jurisdictions
- Collect additional data on the Customer and UBOs.
- Assess legitimacy of transaction purpose.
- Confirm wealth origins and fund sources.
- Require first transaction through a regulated UAE or equivalent bank.
D. For Weak AML Jurisdictions
- Same elevated procedures as above — senior management approval, enhanced source verification, and heightened monitoring.
E. For Self-Hosted Wallet Transfers
- EDD applies to transfers exceeding the AED equivalent of €1,000.
- Verify control or ownership of the wallet via:
  - Test transactions,
  - Signing challenges,
  - Secure verification tools or attended checks, as per VARA capabilities.
- Whitelist verified addresses, with continuous monitoring for ownership change or risk shifts.
Additional EDD Tools (as needed)
- Collect supplemental documents from reliable, independent sources.
- Gather extra data on transaction intent and verify via credible evidence.
- Identify all shareholders, even those with <25% ownership.
- Increase frequency and depth of monitoring.
- Secure Management Board approval for all high-risk engagements.
Governance & Reporting
- Notify the MLRO within 2 working days after EDD initiation.
- Reassess customer risk profiles at least monthly if under EDD scope.
- Train Employees regularly on AML/CFT risk detection, specifically for high-risk scenarios like PEPs, self-hosted wallets, and cross-border risks.
5. CUSTOMER DUE DILIGENCE MEASURES
5.1. IDENTIFICATION OF THE CUSTOMER – NATURAL PERSON
The Company identifies and verifies the identity of each Customer who is a natural person, as well as (where applicable) their legal representative, in accordance with:
- UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT);
- Cabinet Decision No. 10 of 2019;
- Virtual Assets Regulatory Authority (VARA) Compliance & Risk Management Rulebook.
Data Collected
The Company shall obtain and retain, at minimum, the following data points of the natural person Customer:
- Full legal name (as per official identification document);
- Date of birth and official identification number (e.g., Emirates ID, passport number, or other equivalent number);
- Citizenship and residency status;
- Residential address in the UAE (if applicable) or abroad;
- Valid email address and mobile phone number for ongoing correspondence;
- High-resolution color photograph;
- Specimen signature (digital or physical, as accepted under UAE law);
- Where applicable, tax identification number (TIN) or equivalent.
Acceptable Identification Documents
For the purpose of identity verification, the following original and valid documents are accepted:
- UAE Nationals: Emirates ID card or UAE passport;
- UAE Residents (expatriates): Emirates ID card and/or residence visa endorsed in a valid passport;
- Non-residents: Valid passport issued by a foreign state (with visa page if physically present in UAE);
- Driving License: UAE-issued driving license (supplementary only, not primary proof of identity);
- Other documents deemed acceptable under Cabinet Decision No. 10 of 2019 (e.g., consular ID cards, government-issued permits, or VARA-approved onboarding documentation).
Verification Procedure
- Identity verification must be conducted via reliable and independent sources, including government databases, biometric verification systems (Emirates ID Authority), or regulated third-party KYC providers approved by VARA (e.g., Sumsub).
- Where onboarding is performed remotely, the Company follows VARA’s Remote Customer Onboarding Guidelines, ensuring secure biometric liveness checks, document authenticity verification, and geolocation verification.
- The Company shall also verify the origin of funds and source of wealth for medium and high-risk customers as per the risk assessment framework.
Representation Restrictions
- A Customer who is a natural person may not ordinarily act through a representative for the establishment of a Business Relationship with the Company.
- Exceptions may apply in limited circumstances (e.g., minors, guardianship, court-appointed legal representatives), provided that legal authority is proven through notarized documentation recognized in the UAE.
Retention and Monitoring
- All identification records shall be securely retained for at least eight (8) years, in accordance with UAE AML Law and VARA requirements.
- The Company conducts ongoing monitoring to ensure data remains accurate, up-to-date, and relevant. Updates are required whenever a Customer’s identification document expires or changes occur in residency or citizenship status.
5.2. IDENTIFICATION OF THE CUSTOMER – LEGAL ENTITY
The Company identifies the Customer which is a legal entity and its authorized representatives, in compliance with:
- Federal Decree-Law No. 20 of 2018 (AML Law);
- Cabinet Decision No. 10 of 2019;
- Virtual Assets Regulatory Authority (VARA) Rulebooks;
- UAE Commercial Companies Law (Federal Law No. 32 of 2021).
Data Collected
The Company shall obtain and retain at minimum the following information on the Customer (legal entity):
- Registered legal name;
- Legal form and jurisdiction of incorporation;
- Trade license number or Commercial Registration Number issued by the relevant UAE authority (or equivalent for foreign entities);
- Legal Entity Identifier (LEI) where available;
- Registered and principal office address;
- Tax registration number (if applicable);
- Names, dates of birth, nationality, and identification numbers of the directors, authorized signatories, and members of the management board;
- Powers of representation granted to each director/representative;
- Details of the Ultimate Beneficial Owner(s) (UBOs), including ownership percentage, nationality, and Emirates ID/passport details;
- An extract from the official commercial register, issued within the last six (6) months;
- Valid trade license and Memorandum & Articles of Association, or equivalent constitutive documents.
Verification of Data
- The Company verifies the correctness of the Customer’s data using credible and independent sources, including but not limited to:
  - UAE Ministry of Economy Commercial Registry;
  - Dubai Economy and Tourism (DET) / free zone authority databases (e.g., DIFC, DMCC, IFZA, ADGM);
  - Equivalent foreign commercial registries for non-UAE entities.
- Where the Company has direct access to the relevant registry, submission of corporate documents may not be required from the Customer.
- The identity of the legal entity and the authority of its representative(s) can be verified on the basis of notarized documents, certified copies issued by a competent authority, or by means of reliable electronic identification tools approved under UAE law.
- At least two independent verification sources must be used where possible.
Ongoing Monitoring of UBOs
- The Company shall identify and verify all Ultimate Beneficial Owners (UBOs) holding, directly or indirectly, 25% or more ownership or control.
- In case of complex ownership structures, the Company shall require certified organizational charts and supporting documentation.
- The UBO information is reassessed on an ongoing basis and updated whenever there are changes in the ownership structure or management.
Transaction Information (Travel Rule Compliance)
In line with FATF Recommendation 16, UAE AML/CFT Law, and VARA Transfer & Travel Rule Guidance, the Company ensures that all virtual asset transfers include the following information before execution:
For the Originator (Sender):
- Full legal name;
- Wallet address or unique transaction identifier;
- Account number or other unique identifier;
- Official identification number (passport, Emirates ID, or equivalent);
- LEI or equivalent official identifier (if applicable).
For the Beneficiary (Receiver):
- Full legal name;
- Wallet address or unique transaction identifier;
- Account number or other unique identifier;
- Official identification number (passport, Emirates ID, or equivalent);
- LEI or equivalent official identifier (if applicable).
Controls on Execution of Transactions
- No transaction is executed unless all mandatory originator and beneficiary information is received and verified.
- If information is incomplete or suspicious, the transaction is:
  - Suspended or rejected; and
  - Escalated to the MLRO for further review under the Company’s suspicious transaction reporting procedures.
- All records are retained for a minimum of eight (8) years, in line with UAE requirements.
5.3. IDENTIFICATION OF THE CUSTOMER’S (LEGAL ENTITY’S) REPRESENTATIVE AND RIGHT OF REPRESENTATION
The Company identifies each natural person who acts as a representative of the Customer, in accordance with the standards for natural person identification under Section 5.1 of this Policy, and verifies their authority to act on behalf of the Customer.
Verification of Representative Identity
The Company must collect and retain, at minimum, the following information on the representative:
- Full name (as stated in the official identity document);
- Date of birth;
- Nationality;
- Emirates ID or passport number, date of issue, and issuing authority;
- Valid visa or residence permit (for foreign nationals, where applicable);
- Position or role within the legal entity;
- Specimen signature.
Acceptable documents include:
- Emirates ID (mandatory for UAE residents);
- Valid passport (for UAE and non-UAE nationals);
- UAE residence visa (where applicable).
Verification of Right of Representation
The Company must also identify and verify the scope and nature of the representative’s authority to act on behalf of the Customer. The following documents may serve as proof:
- Valid Power of Attorney, notarized and legalized in the UAE (or bearing an Apostille if issued abroad and accepted under UAE law);
- Board Resolution authorizing the representative to act;
- Articles of Association (AoA) / Memorandum of Association (MoA) granting signing authority;
- Commercial Register Extract or Trade License issued by the relevant UAE authority, confirming authorized signatories.
Where the right of representation is clearly reflected in official documents (such as the UAE Commercial Register extract or free zone licensing authority database), no separate Power of Attorney is required.
Legalization and Apostille Requirements
- Documents executed abroad must be notarized and legalized through the UAE Embassy/Consulate or bear an Apostille, in accordance with UAE Cabinet Decision No. 10 of 2019.
- Electronic authorizations may be accepted where issued via UAE-approved digital notary or e-signature services.
Service Limitations
The Company shall observe the specific conditions and limitations of the right of representation and provide services only within the scope of the authorization granted.
Transactions or business relationships outside the verified authority shall be declined or escalated to the MLRO and the Compliance Department.
5.4. IDENTIFICATION OF THE CUSTOMER’S (LEGAL ENTITY’S) BENEFICIAL OWNER
The Company must identify and verify the Beneficial Owner(s) (“UBO(s)”) of the Customer in accordance with UAE AML/CFT legislation, the Guidance issued by the UAE Central Bank and VARA Rulebooks, and take all reasonable measures to ensure that the true natural persons who ultimately own or control the Customer are known.
Data to be Collected
For each identified Beneficial Owner, the Company must collect and retain, at a minimum, the following information:
- Full name and surname (as stated in official identification document);
- Emirates ID number (for UAE residents) or passport number (for non-residents);
- Date of birth;
- Nationality;
- Proof of residence (UAE residence visa, Emirates ID, or foreign address proof, as applicable);
- Ownership percentage and/or control mechanism within the entity.
Determination of Beneficial Ownership
Beneficial ownership shall be established in stages, applying a risk-based approach:
1. Direct or Indirect Ownership
- Identify any natural person(s) who directly or indirectly hold 25% or more of the shares, voting rights, or ownership interests of the Customer.
- Where indirect ownership exists, all layers of ownership (including parent companies, holding companies, trusts, or foundations) must be traced until the natural person(s) are identified.
2. Control through Other Means
- Where no individual qualifies under direct or indirect ownership, identify any natural person(s) who exercise control over the Customer through other means, such as contractual rights, family connections, or the ability to appoint senior management.
3. Senior Management Official
- If no Beneficial Owner is identified under stages (1) or (2), the most senior managing official (e.g., CEO, Managing Director, or equivalent) shall be recorded as the Beneficial Owner for compliance purposes, in accordance with Cabinet Decision No. 58 of 2020 on UBO Disclosure.
Verification of Beneficial Ownership
- Verification must be conducted using credible and independent sources, including but not limited to:
  - UAE Ministry of Economy’s UBO Register;
  - Free Zone Authority records (DWTC registry extracts);
  - Trade licenses, Articles of Association (AoA), Memorandum of Association (MoA), and share registers;
  - Board resolutions or shareholder agreements;
  - Publicly available filings and audited financial statements.
- Where documents are issued abroad, they must be notarized, legalized, and attested by the UAE Embassy/Consulate or bear an Apostille, in accordance with UAE law.
Refusal of Business Relationship
The Company shall not establish or maintain a Business Relationship where:
- The Customer refuses to disclose its Beneficial Owner(s);
- The information provided is false, misleading, or unverifiable;
- The Beneficial Owner is identified as a sanctioned individual, is on the UAE FIU watchlist, or presents an unacceptably high risk of Money Laundering/Terrorist Financing.
Ongoing Monitoring
- The Company shall maintain an updated record of Beneficial Ownership and require Customers to notify the Company of any changes within 15 business days, in line with UAE UBO reporting obligations.
- The Compliance Department shall perform periodic reviews (at least annually, or more frequently in high-risk cases) to ensure Beneficial Owner information remains accurate and up to date.
5.5. USE OF THE OFFICIAL REGISTERS AND UBO DISCLOSURE SYSTEMS
When identifying the Beneficial Owner, the Company shall utilize the official registers and systems of the United Arab Emirates to obtain and verify Beneficial Ownership information of the Customer.
Applicable Registers and Sources
- UAE Ministry of Economy – UBO Register (Cabinet Decision No. 58 of 2020 on the Regulation of Beneficial Owner Procedures);
- Registrar of Companies in the relevant Free Zone (DWTC);
- Department of Economic Development (DED) Commercial Registry for onshore entities;
- Other official state databases and reliable, independent public sources that maintain information on shareholders and UBOs.
Verification Process
1. Cross-checking Records
- The Company must compare the Beneficial Ownership information provided by the Customer with the information available in the above registers.
- Any discrepancies must be escalated to the Compliance Officer and the Customer shall be notified and required to rectify the information.
2. Documentary Evidence
- Acceptable documents include Trade License, Memorandum & Articles of Association, Shareholder Register, UBO Register filings, and notarized Power of Attorney (if applicable).
- Where documents originate abroad, they must be legalized, attested, or bear an Apostille before acceptance.
3. Refusal of Business Relationship
- The Company shall not establish or maintain a Business Relationship, nor execute transactions, if:
  - The Customer refuses to provide UBO information;
  - The UBO information is absent, unverifiable, or inconsistent with official registers;
  - The UBO is a sanctioned person or poses unacceptable ML/TF risks.
Ongoing Obligations
- The Customer must notify the Company within 15 business days of any change in its Beneficial Ownership information, in line with UAE Cabinet Decision No. 58 of 2020.
- The Company’s Compliance Department will conduct periodic reviews of UBO information against official registers to ensure accuracy and compliance with VARA Rulebooks and UAE AML Laws.
5.6. POLITICALLY EXPOSED PERSON (PEP) IDENTIFICATION
The Company shall take adequate measures to determine whether the Customer, the Customer’s Beneficial Owner, or the Customer’s representative is a Politically Exposed Person (PEP), their immediate family member, or a close associate, or if the Customer subsequently becomes such a person.
PEP status represents an inherently higher risk of Money Laundering and Terrorist Financing due to the position of influence, access to public funds, and exposure to bribery or corruption risks. Therefore, the Company applies Enhanced Due Diligence (EDD) measures whenever a PEP relationship is established.
Sources and Methods of Verification
1. Self-Declaration:
- At onboarding, Customers are required to declare whether they or their Beneficial Owners are PEPs, family members of PEPs, or close associates of PEPs.
2. Database Screening:
- The Company verifies Customer-provided information against reputable PEP and Sanctions databases (e.g., World-Check, Dow Jones Risk & Compliance, Refinitiv, LexisNexis).
- Screening also includes public registers, official government/supervisory authority websites, and international organizations.
3. Open-Source Checks:
- Additional searches are conducted via international search engines (e.g., Google, Bing) and, where applicable, local search engines of the Customer’s country of origin.
- Searches include both Latin script and local alphabet spelling of the individual’s name, combined with date of birth to minimize false positives.
Who Qualifies as a PEP (UAE Definition)
In line with Federal AML Law and FATF guidance, the following categories are considered PEPs:
- Heads of state, heads of government, ministers, deputy ministers, and members of parliament;
- Senior judicial officials (Supreme Court, Constitutional Court, or equivalent high-level judicial bodies);
- Senior executives of central banks, sovereign wealth funds, and state-owned enterprises;
- Ambassadors, senior military officers, and senior law enforcement officials;
- Members of the management or supervisory boards of state-owned or government-controlled enterprises;
- Senior officials of international organizations (e.g., United Nations, IMF, World Bank);
- Leaders and senior officials of political parties.
Family Members and Close Associates
- Family Members: spouse, parents, children, siblings, and in-laws of a PEP.
- Close Associates: individuals known to have a close business relationship with a PEP, or persons who jointly own legal entities or arrangements with a PEP, or any person benefiting from the PEP’s business or personal activities.
Risk-Based Treatment
- PEP Customers are subject to Enhanced Due Diligence, including senior management approval for onboarding and continued relationship.
- The source of wealth and source of funds must be established and verified for all transactions involving PEPs.
- Ongoing monitoring is conducted at a higher frequency for PEP accounts.
De-PEP Treatment
Where a Customer has ceased to perform a prominent public function, the Company shall:
- Treat them as a PEP for at least 12 months after they leave office;
- Continue to apply a risk-based approach beyond 12 months if residual risk remains;
- Reclassify them only after Compliance determines that the inherent risks no longer exist.
5.7. IDENTIFICATION OF THE PURPOSE AND NATURE OF THE BUSINESS RELATIONSHIP OR TRANSACTION
The Company shall establish and document a clear understanding of the purpose and intended nature of each Business Relationship or transaction in line with:
- Federal Decree Law No. 20 of 2018 on AML/CFT,
- Cabinet Decision No. 10 of 2019,
- Cabinet Decision No. 58 of 2020 (UBO Regulation), and
- VARA Exchange & Custody Rulebooks.
This process is essential to ensure that the Customer’s activities and transactional behavior are legitimate, consistent with their declared profile, and free from ML/TF or other illicit financial risks.
Information Collected from Customers
The Company may request, retain, and verify the following information in order to assess the purpose and nature of the Business Relationship:
- Whether the Customer is acting on their own behalf or on behalf of another person (including disclosure of any agency/mandate relationships);
- Full contact details (email, phone, and physical address for natural persons; registered and operating address for legal entities);
- Declared residential address (natural persons) and registered office address (legal entities);
- Anticipated transaction volume and turnover with the Company on a monthly and annual basis;
- Source of funds and, where applicable, source of wealth relevant to the relationship or transaction;
- Whether the relationship or transaction relates to the Customer’s business, professional, or investment activities, and description of such activities;
- Where transaction values exceed established thresholds defined under UAE AML Law or VARA requirements, additional verification of the source of funds must be conducted and documented.
Enhanced Measures for Higher Risk Situations
The Company shall apply enhanced due diligence in cases where:
- The transaction involves high-value crypto transfers or is inconsistent with the Customer’s declared profile;
- The transaction pattern is unusual, complex, or lacks a clear economic rationale;
- The Customer’s risk profile, nature of business, or geographic exposure indicates elevated ML/TF risk.
In such cases, the Company may:
- Request additional documentation such as bank statements, audited financials, tax returns, or contracts;
- Conduct more detailed source of wealth verification;
- Require senior management approval before establishing or continuing the relationship.
Legal Entities – Economic and Professional Activities
When the Customer is a legal entity, the Company shall additionally:
- Identify the business sector, activities, and counterparties of the Customer;
- Assess whether the entity’s declared activities are plausible and consistent with the background, expertise, and professional history of its directors, key managers, and Beneficial Owners;
- Verify that the stated activities align with the entity’s corporate structure, financial capacity, and jurisdictional presence.
Plausibility Assessment
The Company shall evaluate whether the purpose and nature of the Customer’s relationship are:
- Reasonable given the Customer’s profile;
- Understandable in the context of declared activities; and
- Plausible in terms of business capacity, skillset, and expected counterparties.
Where inconsistencies arise, the Company shall apply risk-based mitigation measures, including additional verification or rejection of the business relationship.
5.8. MONITORING OF THE BUSINESS RELATIONSHIP (VARA COMPLIANT VERSION)
Continuous Monitoring Obligations
The Company shall maintain ongoing monitoring of all established Business Relationships, in compliance with:
- Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations (AML Law);
- Cabinet Decision No. 10 of 2019 (AML Implementing Regulations);
- Cabinet Decision No. 58 of 2020 on Beneficial Ownership; and
- VARA Exchange and Custody Rulebooks.
This includes:
- Regularly updating Customer, Representative, and Beneficial Owner information;
- Ensuring transactions are consistent with the Customer’s profile, declared source of funds, and nature of the relationship;
- Identifying and verifying the source and origin of funds for higher-risk transactions.
Frequency of Review Based on Risk Profile
Monitoring frequency will depend on the Customer’s assigned risk profile:
- High-risk Customers – at least monthly review;
- Medium-risk Customers – at least semi-annual review;
- Low-risk Customers – at least annual review.
In addition, any trigger event (e.g. change of ownership, new jurisdictional link, unusual activity) will lead to immediate review and re-assessment of the Customer’s risk rating.
Transaction Monitoring Framework
The Company shall employ a two-tier monitoring system:
- Real-time screening: Transactions are automatically monitored against pre-defined thresholds, sanctions lists, PEP databases, and wallet scoring tools (e.g. blockchain analytics providers such as Chainalysis, Elliptic, or equivalent).
- Post-event monitoring: Transaction patterns are analyzed periodically to identify structuring, unusual volume, or deviations from expected behavior.
Transactions flagged for exceeding thresholds, involving high-risk wallets, or indicating suspicious activity will be suspended pending manual review by Compliance staff, with final determination by the MLRO.
Suspicious Activity Indicators
Employees must escalate to the MLRO if transactions:
- Exceed declared annual turnover or involve recurring high-value activity inconsistent with the Customer’s profile;
- Show signs of structuring to evade the AED 3,500 (approx. EUR 1,000) Travel Rule threshold, as mandated under UAE Cabinet Decision No. 111/2022 and VARA’s AML Rulebook;
- Originate from, or are destined to, wallets associated with darknet activity, fraud, sanctions, or terrorism financing;
- Lack clear economic rationale or appear unusual in the context of the Customer’s known business.
MLRO Oversight
- The MLRO shall conduct daily review of transaction monitoring reports to ensure:
  - Staff correctly applied AML/CFT procedures;
  - All alerts were investigated and documented;
  - No suspicious patterns are missed.
- The MLRO is also responsible for STR (Suspicious Transaction Report) filings to the UAE Financial Intelligence Unit (goAML system) when activity reasonably indicates potential ML/TF risk.
Threshold Evasion and Linked Transactions
The Company actively detects linked or related-party transactions designed to bypass thresholds (structuring/smurfing).
Examples include:
- Multiple small-value transfers below AED 3,500 within a short timeframe;
- Circular transfers between related wallets/accounts;
- Unjustified transfers across multiple exchanges or intermediaries.
Where detected, such activity is escalated immediately to the MLRO for investigation and possible STR filing.
6. IMPLEMENTATION OF SANCTIONS
Legal Framework
The Company shall comply with all applicable Sanctions regimes including:
- United Nations Security Council Resolutions (UNSCRs) as adopted by the UAE;
- UAE Federal Law No. 20 of 2018 on AML/CFT;
- Cabinet Decision No. 10 of 2019 (Implementing Regulations);
- Cabinet Decision No. 74 of 2020 on the UAE List of Terrorists and Terrorist Organizations;
- Office of Foreign Assets Control (OFAC) and other internationally recognized sanctions lists;
- VARA AML and CFT Rulebook requirements.
Screening Obligations
Upon the entry into force, amendment, or termination of Sanctions, the Company shall:
- Screen all Customers, Beneficial Owners, and relevant representatives against UN, UAE, OFAC, EU, and UK sanctions lists;
- Ensure that ongoing business relationships and transactions are continuously monitored for sanctions exposure through automated screening tools and blockchain analytics providers;
- Immediately flag and escalate potential matches to the MLRO for further investigation.
Prohibited Transactions
If the Company identifies that a Customer, their Beneficial Owner, or a related transaction is subject to Sanctions, the Company shall:
- Immediately freeze the transaction or account, if applicable;
- Refrain from entering into or continuing any business relationship;
- Escalate the matter to the Financial Intelligence Unit (FIU) via the goAML portal, in accordance with UAE law;
- Notify VARA where the sanctioned party or transaction falls under its regulatory scope.
Reporting Timelines
- The Company shall report to the FIU (goAML system) without delay, and in any case within 24 hours of identification of a confirmed sanctions match.
- All reports shall be documented internally and retained for a minimum of five (5) years in compliance with UAE AML laws.
Ongoing Controls
- The Company shall maintain up-to-date sanctions screening software and lists.
- Employees must undergo regular training to identify sanctions-related risks.
- Sanctions compliance shall be reviewed periodically by the MLRO and subject to independent audit testing.
6.1. PROCEDURE FOR IDENTIFYING THE SUBJECT OF SANCTIONS AND A TRANSACTION VIOLATING SANCTIONS (VARA/UAE COMPLIANT)
Sanctions Databases and Sources
The Company shall use at least, but not limited to, the following sources to verify whether a Customer, Beneficial Owner, or related party is subject to Sanctions:
- UAE Local Terrorist List (Cabinet Decision No. 74 of 2020) published by the UAE Ministry of Foreign Affairs (MoFAIC);
- United Nations Consolidated Sanctions List (https://scsanctions.un.org/search/);
- Office of Foreign Assets Control (OFAC) Sanctions List (https://sanctionssearch.ofac.treas.gov/);
- European Union Consolidated Financial Sanctions List (https://www.sanctionsmap.eu/);
- UK HM Treasury Sanctions List;
- Any other reliable international or local databases and blockchain analytics providers.
- Other credible commercial screening databases (e.g., Refinitiv World-Check, ComplyAdvantage, or equivalent), as determined by the MLRO.
The MLRO may approve the use of supplementary commercial sanctions screening tools for real-time monitoring.
Verification of Identity
To confirm whether a potential match is the same person as the one identified in a sanctions list, the Company shall use personal and corporate identifiers:
- Legal Entities: Registered name, Legal Entity Identifier (LEI), registration/commercial license number.
- Natural Persons: Full name as per ID, date of birth, nationality, Emirates ID (if available), passport number.
Special consideration shall be given to spelling variations, transliterations, order of words, diacritics, and common aliases.
Ongoing Monitoring Frequency
The Company shall perform the above-mentioned verification on an ongoing basis in the course of an established Business Relationship. The frequency of the ongoing verifications depends on the Customer’s risk profile:
- High-risk profile Customers – daily;
- Medium-risk profile Customers – weekly;
- Low-risk profile Customers – monthly.
Automated sanctions screening tools must run real-time monitoring for all transactions and updates to international or UAE sanctions lists.
If the Employee has doubts that a person is a subject of Sanctions, the Employee shall immediately notify the MLRO or the Management Board member. In this case the MLRO or the Management Board member shall decide whether to ask or acquire additional data from the person or notify the FIU immediately of their suspicion.
Ultimate responsibility for the implementation and oversight of Sanctions compliance rests with the Company’s Board of Directors. The Board shall review at least annually the effectiveness of the Sanctions compliance framework, including MLRO reports, escalation cases, and freeze actions.
Escalation and Decision-Making
- If the Employee identifies a potential sanctions match, they must immediately escalate it to the MLRO.
- The MLRO shall verify the match and, if confirmed, ensure that the transaction is frozen and no further relationship or activity is carried out.
- The MLRO shall report the confirmed match via the UAE FIU’s goAML portal within 24 hours of identification.
- Where relevant, the MLRO shall also notify VARA of the case and the actions taken.
Additional Information Gathering
Where a match is uncertain:
- The Company shall first seek independent and credible sources (e.g., government registers, regulatory filings, reliable media) to resolve identity.
- If insufficient, the Company may request further clarification directly from the Customer.
- Any responses shall be documented and assessed carefully before proceeding.
6.2. ACTIONS WHEN IDENTIFYING THE SANCTIONS SUBJECT OR A TRANSACTION VIOLATING SANCTIONS
If an Employee of the Company becomes aware that a Customer who is in a Business Relationship or is performing a transaction with the Company, or a person intending to establish a Business Relationship or to perform a transaction with the Company, is the subject of Sanctions, the Employee shall immediately notify the MLRO or the Management Board member of the identification of the subject of Sanctions, of any doubt thereof, and of the measures taken.
The MLRO or the Management Board member shall refuse to conclude a transaction or proceeding, shall take measures provided for in the act on the imposition or implementation of the Sanctions and shall notify immediately the UAE Financial Intelligence Unit (FIU) via the goAML system of their doubts and of the measures taken, and where applicable, notify VARA.
The Company shall also immediately freeze any funds, accounts, or assets related to the sanctioned person or entity, in line with UAE Cabinet Decision No. 74/2020, and refrain from releasing, transferring, converting, or otherwise dealing with such assets until further instructions are received from the competent UAE authority.
When identifying the subject of the Sanctions, it is necessary to identify the measures imposed on that person. These measures are described in the legal act implementing the Sanctions; the exact sanction applied to the person must therefore be identified to ensure the legal and proper application of measures.
The MLRO shall maintain an internal sanctions log, documenting all alerts, escalations, freeze actions, notifications to authorities, and final outcomes. This log shall be reviewed by the Board of Directors at least annually as part of the Company’s governance and compliance oversight.
7. REFUSAL TO THE TRANSACTION OR BUSINESS RELATIONSHIP AND THEIR TERMINATION
The Company is prohibited from establishing a Business Relationship, and any established Business Relationship or transaction shall be terminated (unless it is objectively impossible to do so), in the following cases:
- The Company suspects Money Laundering or Terrorist Financing, or has reasonable grounds to believe the Customer is attempting to use the Company’s services for unlawful purposes.
- It is impossible for the Company to apply the Customer Due Diligence (CDD) measures, because the Customer does not submit the required information, refuses to submit it, or the information provided is deemed unreliable or insufficient.
- The Customer’s structure or instruments (e.g., bearer shares) create opacity that prevents proper identification of the Beneficial Owner.
- There are reasonable grounds to suspect that the Customer is acting as a nominee or front person on behalf of another individual.
- The Customer’s risk profile becomes inconsistent with the Company’s Risk Appetite Statement (e.g., risk category escalates to “Prohibited”).
- The Customer, Beneficial Owner, or transaction is subject to international sanctions applicable in the UAE (UN, OFAC, EU where applicable, and UAE Cabinet Sanctions List).
Where the Company identifies missing, incomplete, or meaningless information in a transaction (e.g., random characters, missing names, incoherent fields), the Company shall request clarification from the Customer or the originating VASP/financial institution. If information is not provided within a reasonable timeframe (not exceeding 5 working days), the Company may reject, suspend, or return the transaction in line with its risk-based approach.
In cases of repeated failures or non-cooperation, the Company shall terminate the Business Relationship and report the matter to the UAE Financial Intelligence Unit (FIU) via goAML, and where applicable, notify VARA.
Before terminating a Business Relationship, the Company shall assess whether risks can be mitigated through enhanced due diligence measures. If termination is necessary, Customer assets shall be returned within a reasonable time (preferably not later than 30 calendar days), to an account in a reputable financial institution regulated in a jurisdiction with equivalent AML/CFT standards.
The Company shall not onboard or maintain Business Relationships with Customers or counterparties from jurisdictions designated as High-Risk or Non-Cooperative by the UAE authorities, FATF, or VARA. This includes, but is not limited to, jurisdictions listed on the UAE Sanctions List and the FATF “blacklist”.
8. REPORTING OBLIGATION
The Company must suspend the transaction, regardless of its amount, except in cases where suspension is objectively impossible due to the nature or execution of the transaction. In all such cases, the Company shall immediately, through its Money Laundering Reporting Officer (MLRO), file a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) with the UAE Financial Intelligence Unit (FIU) via the goAML platform, and notify the Virtual Assets Regulatory Authority (VARA) in accordance with applicable regulations, where:
- The Company has established that the Customer is carrying out a suspicious transaction;
- The Company knows or suspects that assets of any value are obtained directly or indirectly from criminal activity, terrorism financing, or proliferation financing, or participation in such activity;
- Virtual Asset Service Providers (VASPs), including PSPs, CASPs, IPSPs, or ICASPs, repeatedly fail to provide the required Travel Rule information in line with VARA’s Rulebooks and the UAE AML/CFT legislation.
The minimum characteristics of suspicious transactions are provided in the guidelines issued by the FIU and VARA.
The reports specified above must be submitted immediately and without delay, and prior to the completion of the transaction if the suspicion arises before execution. Where suspicions are identified after the completion of the transaction, the Company shall still report without delay upon the emergence of the suspicion.
If an Employee becomes aware of such circumstances, they must immediately notify the MLRO. The MLRO shall ensure the report is filed via goAML, and that all relevant information, including customer data, transaction records, and internal assessments, is documented in accordance with record-keeping obligations.
All Employees must be trained and remain aware of the Company’s internal escalation procedures to ensure timely and accurate reporting. The Company’s Management shall support the MLRO in ensuring full compliance with the Federal Decree-Law No. 20 of 2018, Cabinet Decision No. 10 of 2019, and VARA Rulebooks.
8.1. REPORTING OBLIGATION REGARDING SPECIFIC TYPES OF TRANSACTIONS
The Company, through its MLRO, must report to the UAE Financial Intelligence Unit (FIU) via the goAML platform, and where applicable notify the Virtual Assets Regulatory Authority (VARA), in the following cases:
(a) Threshold Reporting Obligation
- Where a single virtual asset transaction, or a series of linked transactions, is equal to or exceeds AED 55,000 (or its equivalent in foreign currency), the Company must report the transaction within 7 business days of its identification.
- The report must include:
  - Data confirming the Customer’s identity, and if executed via a representative, the representative’s identity details;
  - The amount of the transaction;
  - The virtual asset or fiat currency in which the transaction was executed;
  - The date of execution;
  - The manner of execution (on-chain, off-chain, through an exchange, etc.);
  - The beneficiary details, where identifiable;
  - Any additional information required under the FIU/VARA guidelines.
(b) Reporting of Non-Cooperative Counterparties
- The Company, through its MLRO, must submit a report to the FIU without undue delay, and no later than three months after identifying any repeatedly non-cooperative Virtual Asset Service Provider (VASP), including PSPs, CASPs, IPSPs, or ICASPs, that fail to provide required Travel Rule information.
- The report shall include:
  - The name of the VASP identified as repeatedly failing;
  - The jurisdiction in which the VASP is authorised;
  - The nature of the breach, including frequency, time period, and justifications (if any) provided by the VASP;
  - Details of the steps the Company took in response to the breach.
(c) Confidentiality Obligation
- The Company, its Management, the MLRO, or any Employee is strictly prohibited from disclosing to the Customer, its Beneficial Owner, representatives, or third parties:
  - That a report has been submitted to the FIU or VARA,
  - That a report is intended to be submitted,
  - That reporting procedures have commenced,
  - Or that criminal investigations or supervisory measures have been triggered as a result.
All reports shall be filed in accordance with the Company’s internal reporting guidelines, ensuring secure transmission and full confidentiality in line with UAE AML/CFT legislation and VARA Rulebooks.
9. TRAINING OBLIGATION
The Company ensures that its Employees, its contractors and others participating in the business on a similar basis and who perform work tasks that are of importance for preventing the use of the Company’s business for Money Laundering or Terrorist Financing (‘Relevant Persons’) have the relevant qualifications for these work tasks.
When a Relevant Person is recruited or engaged, the Relevant Person’s qualifications are checked as part of the recruitment/appointment process by carrying out background checks, which are documented using a special standard form assessing Employee suitability.
In accordance with the requirements applicable to the Company on ensuring the suitability of Relevant Persons, the Company makes sure that such persons receive appropriate training and information on an ongoing basis to be able to fulfill the Company’s obligations in compliance with the applicable legislation. It is ensured through training that such persons are knowledgeable within the area of AML/CFT to an appropriate extent considering the person’s tasks and function. The training must provide, first and foremost, information on all the most contemporary money laundering and terrorist financing methods and risks arising therefrom.
This training refers to relevant parts of the content of the applicable rules and regulations, the Company’s risk assessment, the Company’s Guidelines and procedures and information that should facilitate such Relevant Persons detecting suspected Money Laundering and Terrorist Financing. The training is structured on the basis of the risks identified through the risk assessment policy.
The content and frequency of the training are adapted to the person’s tasks and function on issues relating to AML/CFT measures. If the Guidelines are updated or amended in some way, the content and frequency of the training are adjusted appropriately.
For new Employees, the training comprises a review of the content of the applicable rules and regulations, the Company’s risk assessment policy, these Guidelines and other relevant procedures.
The Employees and the Management Board members receive training on an ongoing basis under the auspices of the MLRO in accordance with the following training plan:
- Periodicity: at least once a year for the Management Board members. At least once a year for the Company’s Employees and Relevant Persons engaged. In addition, training shall be conducted on an ad-hoc basis whenever there are material regulatory updates, business model changes, or identified compliance weaknesses.
- Scope: review of applicable rules and regulations, the Company’s Guidelines and other relevant procedures. Specific information relating to new/updated features in the applicable rules and regulations. Report and exchange of experience relating to transactions reviewed since the previous training.
In addition to the above, Relevant Persons are kept informed on an ongoing basis about new trends, patterns and methods and are provided with other information relevant to the prevention of Money Laundering and Terrorist Financing.
The training held is to be documented electronically and confirmed with the Relevant Person’s signature. This documentation should include the content of the training, names of participants, date of the training, and the outcome of the assessment verifying the effectiveness of the training.
9.1. Additional Requirements for VARA Compliance
The Company ensures that training programs explicitly cover applicable UAE legislation, including Federal Decree-Law No. 20 of 2018 on AML/CFT, Cabinet Resolution No. 10 of 2019, as well as VARA AML Rulebook obligations.
The MLRO is responsible for ensuring training effectiveness through documented assessments (e.g., quizzes or tests) and must periodically report training outcomes to the Board of Directors.
10. COLLECTION AND STORING OF DATA, LOGBOOKS
The Company, automatically or through the person (incl. Employees, Management Board members and MLRO) who first receives the relevant information or documents, shall register and retain the following data:
- all data collected within CDD measures implementation;
- information about the circumstances of refusal of the establishment of the Business Relationship by the Company;
- the circumstances of the refusal to establish Business Relationship on the initiative of the Customer if the refusal is related to the application of CDD measures by the Company;
- information on all of the operations made to identify the person participating in the transaction or the Customer’s Beneficial Owner;
- information if it is impossible to perform the CDD measures;
- information on the circumstances of termination of the Business Relationship in connection with the impossibility of application of the CDD measures;
- each transaction date or period and a description of the contents of the transaction, in accordance with the Company’s Policy on record-keeping of crypto-asset services, activities, orders and transactions;
- information serving as the basis for the reporting obligations specified in the Guidelines;
- data of suspicious or unusual transactions or circumstances of which the FCIS was not notified (e.g. complex or unusually large transactions, transactions conducted in an unusual pattern and transactions that do not have an apparent economic or lawful purpose, Business Relationships or Monetary Operations with customers from Third Countries where measures to prevent Money Laundering and/or Terrorist Financing are insufficient or do not meet international standards according to information officially published by international intergovernmental organizations);
- information about Originator and Beneficiary of crypto-asset transactions.
Some of the data specified above shall be entered in the logbook (as described below) in chronological order on the basis of documents confirming a Monetary Operation or transaction or other legally valid documents related to the execution of Monetary Operations or transactions, immediately, but not later than within 3 business days after the execution of a Monetary Operation or transaction.
The data specified above shall be retained for 8 years after the expiry of the Business Relationship or the completion of the transaction. The correspondence of a Business Relationship with the Customer must be retained for 5 years from the date of termination of transactions or Business Relationship.
Documents and data must be retained in a manner that allows for exhaustive and immediate response to the queries made by the competent authorities (e.g., VARA, UAE FIU, UAE Central Bank, or courts).
The Company implements all rules of protection of personal data upon application of the requirements arising from the applicable law. All personal data are retained in compliance with Regulation (EU) 2016/679 and UAE Federal Decree-Law No. 45/2021 (Personal Data Protection Law). The Company is allowed to process personal data gathered upon CDD implementation only for the purpose of preventing Money Laundering and Terrorist Financing and the data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.
The Company deletes the retained data after the expiry of the time period, unless the legislation regulating the relevant field establishes a different procedure. On the basis of a precept of the competent supervisory authority, data of importance for prevention, detection or investigation of Money Laundering or Terrorist Financing may be retained for a longer period, but not for more than two years after the expiry of the first time period.
The Company retains all relevant transaction records, including payer/originator and payee/beneficiary details, in compliance with Directive (EU) 2015/849, Regulation (EU) 2016/679, Regulation (EU) 2023/1113, UAE AML-CFT Decree Law No. 20 of 2018 (as amended), and other applicable regulation. All AML-relevant transaction data is stored for a minimum period of eight years from the date of the transaction. Records are maintained in a secure, tamper-proof system to ensure their integrity and accessibility for regulatory audits.
The Company ensures that data transfers comply with applicable data protection laws, including Regulation (EU) 2016/679 and UAE Federal Decree-Law No. 45/2021, when transmitting information outside the UAE/EU.
Additional Safeguards Implemented:
- Data is stored in secure cloud environments with encryption-at-rest and encryption-in-transit to protect confidentiality and integrity.
- The Company ensures secure backup and disaster recovery arrangements for AML-relevant data to guarantee business continuity.
- Access to stored AML data is strictly restricted on a need-to-know basis, monitored through audit logs, and subject to periodic access reviews to prevent unauthorized use.
10.1. REGISTRATION LOGBOOKS KEEPING
For the purposes of performing AML/CFT obligations, the Company shall maintain comprehensive registration logbooks reflecting Monetary Operations and transactions (hereinafter – logbooks). These logbooks must be secure, tamper-proof, and readily available for regulatory audits by the UAE Financial Intelligence Unit (FIU), the Virtual Assets Regulatory Authority (VARA), or the Central Bank of the UAE (CBUAE).
The Company shall maintain the following logbooks:
- Logbook of single or several interrelated monetary or crypto-asset transactions the amount of which is equal to or exceeds AED 55,000 (or its equivalent in any foreign currency), regardless of whether the transaction is carried out in the form of one or several related transactions, and logbook of suspicious monetary transactions and their reports.
- Logbook of Customers with whom transactions or Business Relationships were refused or terminated under the circumstances related to violations of AML/CFT obligations.
The registration logbook of suspicious monetary operations and transactions shall include the following in chronological order:
- Data confirming the identity of the Customer and their representative (if applicable): full name, nationality, date of birth, personal identification number (where available), and contact information.
- Identification of the suspicious criteria in accordance with the UAE FIU and VARA guidelines.
- Method of execution of the suspicious transaction.
- Date and time of the suspicious transaction; description of the assets involved (fiat currency, crypto-assets, cash, etc.); value and currency.
- Beneficiary details: for natural persons, full name and ID number (or date of birth if no ID number is available); for legal entities, registered name, legal form, registration number, and LEI (if applicable).
- Contact details of the Customer, including phone number(s), email address(es), and authorized contact persons.
- Description of assets that the Customer cannot access or use from the moment of suspension of the suspicious transaction.
- Reasons for non-suspension of a suspicious transaction (if applicable).
- Relevant blockchain identifiers such as crypto wallet addresses, transaction hash values, IP addresses, and email addresses linked to the activity.
- Where applicable, reference to blockchain analytics or third-party verification tools (e.g. Chainalysis, Elliptic) used in the monitoring process.
- Other relevant details, as determined by the Employee or MLRO.
The registration logbook of Customers whose transactions or Business Relationships were terminated shall include, in chronological order:
- Data confirming the identity of the Customer and their representative (if applicable).
- Data on the transaction: date, description of the assets involved (cash, real estate, virtual assets, etc.) and their value.
- In the case of crypto-asset transactions where it is not possible to objectively identify the payee, other information enabling the crypto-asset address to be linked to the identity of the crypto-asset owner (such as IP address, email address, or device identifiers).
- Crypto-asset wallet address(es) and transaction hash(es) associated with the Customer.
- Beneficiary details as above.
- Reasons for termination of the transaction or Business Relationship, especially if related to AML/CFT breaches or regulatory obligations.
All logbooks must be maintained for a minimum of 8 years after the expiry of the Business Relationship or completion of the transaction, in accordance with UAE law. Upon request, they must be made immediately available to the UAE FIU, VARA, CBUAE, law enforcement authorities, or competent UAE courts.
11. INTERNAL CONTROL OF EXECUTION OF THE GUIDELINES
The performance of the Guidelines shall be internally controlled by the Company’s Head of the Management Board, who is responsible for ensuring the Company’s adherence to applicable regulatory requirements in the field of AML/CFT.
The Head of the Management Board must have the necessary competence, authority, and access to all relevant information across the Company’s business units.
11.1. SCOPE OF INTERNAL CONTROL
The Head of the Management Board shall perform internal control functions covering at least the following fields:
- the Company’s compliance with the established risk assessment framework and risk appetite;
- implementation of Customer Due Diligence (CDD) measures;
- implementation of Sanctions screening;
- the Company’s obligations to refuse or terminate transactions or business relationships when required under AML/CFT laws;
- the Company’s reporting obligations to the UAE Financial Intelligence Unit (FIU) and VARA;
- the Company’s training obligations for Employees and Management regarding AML/CFT requirements;
- the Company’s obligations for collection, storage, and preservation of AML-relevant data.
The internal control measures must be proportionate to the Company’s size, business model, and the complexity of its services.
11.2. EXECUTION OF INTERNAL CONTROL
- Internal control checks must be performed at a frequency determined by the Head of the Management Board, but not less than monthly, unless otherwise justified.
- All results of internal control (hereinafter “Internal Control Data”) shall be stored separately, securely, and retained for 5 years.
- Access to Internal Control Data is limited to members of the Management Board. The Head of the Management Board may extend access to advisors, auditors, or third parties only with prior Board approval.
11.3. REPORTING
The Head of the Management Board shall prepare internal control reports:
- Quarterly to the Management Board;
- Annually to the shareholders’ General Meeting.
Each report must include at least:
- the review period;
- the responsible person’s name and role;
- description of the internal control measures performed;
- results and general conclusions;
- deficiencies identified and actions taken to remedy them;
- deficiencies outstanding at the end of the reporting period;
- proposed corrective measures.
The Management Board shall review each internal control report, issue resolutions, and instruct corrective actions.
11.4. UPDATING OF INTERNAL CONTROL PROCEDURES
The Company shall review and update its internal control procedures at least annually, and additionally in the following cases:
- following the publication of updates by VARA or the CBUAE regarding AML/CFT frameworks;
- following the issuance of new risk assessments or guidance by the UAE FIU;
- upon receipt of an instruction from the UAE FIU, VARA, or CBUAE to strengthen internal controls;
- in the event of significant operational or management changes in the Company;
- after material AML/CFT breaches, compliance failures, or findings from audits/inspections.
EXPLANATORY NOTES
When identifying a customer who is a natural person in their physical presence, if the identity document presented does not contain data on the customer’s citizenship, financial institutions and other obliged entities are required to request and obtain this information directly from the customer.
Ownership within a company can be either direct or indirect. Direct ownership arises where a natural person holds more than twenty-five percent plus one share of the company’s capital or voting rights, thereby exercising control. Indirect ownership, by contrast, occurs when the same threshold is achieved through another company or several companies that are under the control of the same natural person.
The concept of senior management refers to individuals who make strategic decisions that fundamentally shape the company’s business activities, practices, or overall direction. In the absence of such strategic functions, senior management also includes those entrusted with everyday or regular management responsibilities within the scope of executive power, such as a Chief Executive Officer (CEO), Chief Financial Officer (CFO), director, or president.
For the purposes of these Guidelines, the definition of a family member covers spouses, registered partners or cohabitants, parents, siblings, children, and also the spouses or cohabitants of children. Close associates are defined as natural persons who, together with a Politically Exposed Person (PEP), are members of the same legal entity or body without legal personality, or who maintain other business relationships with the PEP. It further includes individuals who are the sole beneficial owners of entities or arrangements established or operating for the purpose of acquiring property or other benefits on behalf of the PEP.
Finally, the term “source of funds” refers to the explanation, legal basis, and underlying relationship that justifies why particular funds have been transferred, while distinguishing this from the “origin” of funds, which describes the activity or means through which the funds were actually earned or received.