CFT Policy

Policy to know the clientele and prevent money laundering and financing of terrorist acts


XCAO SYSTEM GROUP SRL (“XCAO” the “company” the “firm”) Anti-Money Laundering/Counter-Terrorism Financing and Know Your Customer policy is designated to prevent and mitigate possible risks of XCAO being involved in any kind of illegal and unauthorized activity. The KYC & AML/CFT policy is issued in order to ensure the activity of the XCAO Ecosystem, in accordance with current national and international legal obligations regarding the prevention of money laundering and terrorist financing, ensuring the observance of prudent and healthy practices. and with the purpose of promoting high standards of ethics and professionalism and preventing the use of the XCAO ecosystem, intentionally or unintentionally, in the performance of criminal activities by its clients. As with any financial systems, there is a risk of XCAO products and services being used to launder money and finance terrorism. The National Office for Prevention and Control of Money Laundering (ONPCSB) provisions and applicable local laws in the jurisdictions in which we operate, requires us to put training, processes and systems in place to identify, manage and mitigate this risk. We do this to protect the firm’s reputation and to comply with relevant laws as shown below:

## Law no. 129/2019 for the prevention and combating money laundering and terrorism financing, as well as for amending and completing some legal acts;

## no. 37/2021 regarding the approval of the Norms for the application of the provisions of Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for amending and supplementing some normative acts for the reporting entities supervised and controlled by the National Office for Prevention and Combating Money Laundering.

## Order no. 47/2021 for the approval of the Regulation on the registration of the reporting entity in the records of the National Office for Prevention and Combating Money Laundering.
## Order no. 14/2021 for the approval of the form and content of the reports provided in art. 6 and 7 of Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for modifying and completing some normative acts and the methodology for their transmission.

The firm is also aware of the Financial Supervisory Authority (FSA) Regulation no. 18/2022 amending and supplementing FSA Regulation no. 13/2019 on prevention and combating of money laundering (ML) and terrorism financing (TF). The new Regulation will go into force in February 2023. XCAO has now developed an AML Program in an effort to maintain the highest possible compliance with applicable laws and regulations relating to the prevention of Money Laundering and Terrorist Financing in Romania and other appropriate jurisdictions. This includes, but is not limited to:

## Establishing a system of policies, procedures and internal controls designed to combat any attempted use of the Company for illegal or illicit purposes;

##  Designating a Compliance Officer/Money Laundering Reporting Officer (MLRO) to be responsible for the implementation and oversight of the Company’s AML Program and complying with the applicable regulations and guidance set forth by the ONPCSB;

##  Executing Know Your Customer (“KYC”) procedures on all customers;

##  Filing Suspicious Transaction Reports (“STRs”) and Suspicious Activity Reports (“SARs”);

##  Following record retention requirements;

##  Performing independent audits of the company’s AML Program;

##  Implementing a formal and ongoing compliance training program for all employees.

Policies, Procedures and Internal Controls

XCAO has established a system of policies and procedures which are approved by the Company’s Board of Directors. All policies and procedures will be reviewed and updated or revised as needed, no less often than annually, in an effort to comply with applicable rules, regulations and policies. We have developed and implemented internal controls for the purpose of ensuring that all its operations comply with Anti Money Laundering (“AML”) requirements and Combating the Financing of Terrorism (“CFT”). These Policies include:

##  Training Policy which includes AML training for relevant Employees.

##  Asset Management Policy which includes controls to prevent Money Laundering.

##  Incident Management and Response Program.

Policy Aim

It is the aim of this policy to align the company’s internal controls with the requirements of current Money Laundering Regulations and to put in place appropriate systems and controls to forestall money laundering and terrorist financing. The policy aims to drive the development of internal controls alongside relevant time sensitive monitoring and reporting. The anti-money laundering (“AML”) and counter-terrorist financing (“CTF”) regime has been designed to prevent XCAO’s services being used by criminals. The company is obligated to spot and report money laundering and terrorist financing. Failure to meet these obligations can lead to criminal penalties, substantial fines and untold damage to XCAO’s reputation.

Description of the Money Laundering Process

“Money Laundering” is a process by which some illegally obtained profits are given an appearance of legality by criminals who, without being compromised, later benefit from the amounts obtained. In the money laundering process, the criminal hides the illegal source of the funds to make them appear legitimate, and investment ecosystems and banks are used as intermediaries in depositing, transferring or investing funds derived from criminal activities. Money laundering is a vital component in drug and arms trafficking and other illegal operations (ie terrorist activity, robbery and
fraud, theft, counterfeiting, receiving illegal benefits, blackmail, bribery, and tax evasion). Money laundering activity can range from a simple transfer of funds to a diverse and complex process. The money laundering cycle begins with the illicit activity and continues through three stages that include placement, layering, and integration, as detailed below: Placement: represents the leakage, literally, of the income obtained from illegal activities, through the investment of cash. Layering: separation of illicit proceeds from their source through complex financial transactions (cash conversion in any type of bank transaction, transfer of funds to various accounts). Integration: assign an apparent legality to illicit funds. Illicit funds are placed in the economy in the form of normal business profits, property acquisitions, fake business invoices, cash-backed loans, documentary transaction payment schemes, etc.

National Office for the Prevention and Control of Money Laundering (ONPCSB)

Pursuant to the anti-money laundering provisions, the National Office for Prevention and Fight against Money Laundering (ONPCSB) is the Romanian Financial Unit (FIU). The ONPCSB is directly subordinate to the Government of Romania. The objective of the Money Laundering Prevention Office is to prevent and combat money laundering and terrorist financing activities. For this reason, it receives and analyzes the information and notifies the judicial authorities if it deems it necessary. The ONPCSB has the right to request any type of information from the company and the company is obliged to comply with the REQUESTS of THE ONPCSB, based on the provisions of the previous law.
The XCAO SYSTEM GROUP company is responsible for making the mandatory reports available to the ONPCSB, in coordination with the bank of the main account of the XCAO SYSTEM GROUP COMPANY AT THE BRD BANK – Groupe Société Générale de ROMANIA: the Bank sends daily to the FIU – Reports on Cash Transactions (RTN) and External Transfers (RTE) and Suspicious Transaction Report (STR) that are transmitted whenever suspicious activities are identified in the accounts. The suspicious nature of a banking transaction results from the unusual way in which it is carried out, in relation to the transactional profile and the current activity of the respective client. Suspicions come from leads or assumptions about a transaction related to money laundering activity. Suspicions can be subjective, generate a lack of trust in the people who carry out the transaction, and doubt about the correctness and legality of the facts or sincere intentions of the person involved.

Duties and Responsibilities of Compliance Officer/Money Laundering Reporting Officer (MLRO)

The Company has appointed DANIEL CONSTANTIN MIREA as Chief Compliance Officer/ MLRO who is empowered for the global responsibilities of the AML/CFT function and has full authority for ongoing compliance monitoring of all AML/CFT tasks and is also the point of contact regarding all aspects of AML/CFT for internal and external authorities, including supervisory authorities and FIUs (ONPCSB). Mr. Daniel will have working knowledge of all AML laws and be qualified by knowledge, experience and training. He is required to report any violations of XCAO’s AML Program directly to their Board. In addition, the Compliance Officer will be responsible for filing (if applicable) and keeping a record of suspicious transaction reports (“STRs”) and suspicious activity reports (“SARs”). The Compliance Officer will oversee all corrective action of any audit findings or other AML-related issues from the annual, independent AML audit.

Compliance Officer’s principal duties are:
##  acting as a contact person of the ONPCSB;
##  monitoring compliance with applicable legislation and procedures established by the AML Program;
##  managing the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the customer;
##  reporting to the ONPCSB in the event of suspicion of money laundering or terrorist financing;
##  reporting and submitting written statements on compliance with the requirements arising from the AML/CFT regulation;
##  performing any other duties and obligations related to compliance with the requirements of the AML/CFT regulation.
The contact person can transfer the information or data that has become known to him in connection with the suspicion of money laundering only:
##  the ONPCSB;
##  authority conducting an investigation in connection with the criminal case;
##  the court on the basis of a court order or a court decision.

Appropriate Transaction Monitoring Tools

The company has implemented monitoring tools to ensure efficient AML/CFT activity and allows the company to analyze trends in business activity and identify business relationships and unusual transactions to prevent ML and TF. The existing surveillance information system uses the appropriate parameters defined on the basis of national and international standards. Based on the management of exports and crypto active products with recognized platforms. In addition, specific scenarios and alerts are defined and implemented, as additional monitoring tools, to identify unusual transactions in customer accounts, such as products by a traceability and certification system

Know Your Customer

The process of knowing your clientele is an important part of the AML/CFT process. The company will open files for customers in accordance with the Initial Database Registration Procedure and other protocols given from the online store, where it will fill out a verification form. Such as the verification protocols of the platforms where it operates, such as BINANCE who performs said verification of its clients. A client opening file will include all documents in accordance with the Procedure and any other documents the Legal Division Officer or Manager deems necessary.

Customer acceptance policy (KYC standards) Essential elements of Know Your Customer (KYC) standards

The company has issued appropriate internal regulations that promote high standards of customer knowledge and has defined the key elements regarding:
1.- Customer acceptance rules.
2.- Due diligence measures with respect to the client.
3.- Customer identification.
4.- Risk-based customer assessment.
5.- Continuous monitoring of high-risk clients.
6.- Supervise the activity in the accounts from the perspective of the fight against money laundering and the financing of terrorism.
7.- Termination of relationships
8.- Training programs on “Know your clientele”

For this purpose, the company will contract the services of a recognized platform in the evaluation of clients apart from the internal system for such action.

The company will enter into correspondent relationships, or continue these relationships, with entities that have implemented appropriate know-your-customer and anti-money laundering policies and practices. The correspondent relationship will not be established with financial institutions or SPAM platforms of which there is any doubt about the possibility that the FI or the platform is fraudulent.
The company will not open or operate in anonymous accounts or with fictitious names for which the identity of the owner is not known and is not adequately declared.
The company’s customer identification process is defined by the internal know-your-customer procedure or guides and includes the following:
1. Identification of the client.
2. Customer identity verification:
    a. Establish the commercial profile of the client.
    b. Determine the source of the client’s funds
     c. Monitoring of customer business activity

Customer Identification Program

The Company has developed and implemented a Customer Identification Program (“CIP”) that establishes procedures for verifying the identity of each customer that operates on the company’s platform. The CIP helps the Company detect suspicious activity in a timely manner and prevent fraud. • Excluded Customers XCAO has established a list of Customers who are excluded of establishing a business relationship or an execution of an occasional transaction with the company, according to the Company’s Geo-restriction Measure and any other reasonable factor that makes the Company suspects money laundering, terrorist financing or directly sanctioned by the European Union or globally. The list used is a copy of the official government sanctions list.

Geo-restriction Measure

The Geo-restriction Measure is applied to the following list of Customers:
## Customers outside Romania; (in some cases, outside the EU region)
## Customers from state jurisdictions that are being banned by internal policies from the company or regulations;
XCAO is actively blocking users from restricted jurisdictions from using its services, by implementing IP-blocking tools to deny access of users from the restricted jurisdictions.
In order to avoid circumvention of this tool with VPN, the company employs certain VPN detection tools which identify IP addresses and block IPs suspected as VPN.

Customer Identity Verification

In order to use XCAO, customer identity must be verified, authenticated, and checked against AML Screening: government watchlists, PEPs, and Adverse Media, and according to certain transaction limits. Failure to complete any of these steps will result in the inability to use our platform. Before accepting a transaction from an individual customer, the Company attempts to collect, verify and authenticate the following information:

A Individuals:
## Full legal name
## Date of birth
## Email address;
## Mobile phone number;
## Acceptable and valid government-issued identification document (e.g., driver’s license, passport, national identification card)
## Residential address

B. Institutions:  
## Institution name
## Address (principal place of business and/or other physical location);
## Employer Identification Number (“EIN”) or any comparable identification number issued by the government;
## Proof of legal existence (e.g., state-certified articles of incorporation or certificate of formation, unexpired government-issued business license, trust instrument, or other comparable legal documents as applicable);
## Proof of identity (e.g., driver’s license, passport, or government-issued ID) for each individual beneficial owner that owns 25% or more, as well as all account signatories;
## All identifying information with respect to each beneficial owner will use risk-based procedures to verify the identity of such beneficial owners (see individual customer information collected above for more details).

Lack of Verification

When the company is not satisfied with the verification details, they will do the following:
##  Not establish any business relationship;
## Impose terms under which a customer may conduct transactions while XCAO attempts to verify the customer’s identity;
## Determine whether it is necessary to file a SAR in accordance with applicable laws and regulations.

Customers’ Refusal to Provide Information

XCAO will not open a new business establishment for a potential or existing customer who refuses to provide the information when requested, or provides any misleading information. Hence, the company’s AML Compliance officer will be reviewing the scenario so that they can come to a decision whether they should report the situation to ONPCSB on a SAR.

Risk-based Approach

It is important that the XCAO’s principals and personnel adopt and implement the policies contained in this manual. However, it is recognized that a prescriptive approach in certain circumstances might prevent financial service providers from engaging in some legitimate businesses.
A risk-based approach is one of the most effective ways to protect against money laundering. It is essential to understand that certain risks associated with the various elements of a customer profile may be indicative of potential criminal activity, such as geographic and jurisdictional issues, business and product types, distribution channels and prevailing transaction types and amounts.
Customers will be reviewed, assessed and allocated with an appropriate level of risk of money laundering. Customers will be designated as High, Medium or Low risk.

## High-risk customers will be subject to enhanced levels of due diligence that go beyond the core policies and principles contained in this manual;
## Medium-risk customers will be subject to the core policies and procedures contained within this manual;
## Low-risk customers may be subject to certain flexibility within the policies and procedures contained within this manual, however, great care should be exercised to ensure that the company continues to meet its legal obligations.
All customers are subject to a risk assessment in order that likely future monitoring levels are anticipated and reasonable. Risk ratings will be recorded in the file. Due diligence requirements and future planned monitoring must be commensurate with the risk level associated with the customer and enhanced due diligence will be necessary for all higher-risk customers.

Ongoing Monitoring

Once customer identification procedures are fulfilled and the customer is accepted, we will still be necessary to ensure that due diligence documentation continues to remain appropriate. In addition, it is essential for XCAO to ensure that ongoing activity, if any, is consistent with the future plans and expectations that were advised at the outset of the relationship.

Sanctioned Individuals/Entities

When considering accepting new customers, care must be taken to ensure that XCAO is not conducting business with countries affected by sanctions imposed by the EU (European Union) UN (United Nations) as a result of accepting that new business. The company shall document and record all the actions that were taken to comply with the sanction regime and the rationale for such action. Senior management, in consultation with the AML Compliance officer, will consider if any further action is required such as freezing funds and/or informing the authorities as required under relevant laws. The Compliance officer will also review existing accounts against the EU/UN listings of current sanctions and embargoes when they are updated and he will document the review.

Policy for the Identification of Correspondent Entities

When deciding to enter into any type of correspondent business relationship, you will have enough information to fully understand the nature of the business being conducted by the entity. Information is required on management, main economic activities, level of AMl/ CFT.
The company will establish correspondent relationships only with entities abroad that are effectively supervised by the competent authorities and that have effective customer due diligence programs in place. The Company must refuse to establish correspondent relationships or to continue such relationships with a commercial entity, registered in a jurisdiction in which it does not have a physical presence, that is, the development of the activity and the official documents of the entity are not located in said jurisdiction and pay special attention regarding the knowledge of the clientele or that has been identified as non-cooperative in the fight against money laundering. When establishing correspondent, franchise or other relationships, the company must take into account certain factors, including, but not limited to, the following:
1. Information on the management of the correspondent commercial entity, on the basic activity, where it is located, and its efforts to prevent and detect money laundering.
2. The purpose for which the correspondent point is installed.
3. The identity of any third party that will use the correspondent services.
4. The situation of the regulation and the supervision system in the country of origin of the correspondent commercial entity.
5. Approval of the XCAO SYSTEM GROUP Management regarding the opening of the commercial correspondent relationship.
The company will not enter into a correspondent relationship with commercial institutions, or individuals located in countries under the international sanctions regime and/or that are directly related to or under the control of persons/entities mentioned in the international sanctions lists.

Independent Audits

The Company’s AML program will be subject to independent testing through an independent AML audit at least annually. The audit will be conducted by an independent third party with working knowledge of AML requirements, or by Company personnel with working knowledge of AML requirements, none of whom work for or with the Compliance Officer. The Compliance Officer will develop corrective action plans for all issues that are raised in the audit, supervise the remediation performed, and report all updates to the corrective action plans to the Company’s Board.

KYC & AML/CFT Training Program

All officers and employees of the company receive AML training as well as position-specific training. XCAO repeats this training at least once every twelve (12) months to ensure employees are knowledgeable and in compliance with all pertinent laws and regulations. New employees receive training within thirty (30) days of their start date. All documentation related to compliance training including materials, tests, results, attendance and date are maintained and tracked. In addition, our compliance training program will be updated as necessary to reflect current laws and regulations.
The training programs will include information on the requirements of the legislation in terms of know your customer (KYC) as well as specific practical aspects, in particular in order to enable staff to recognize suspicious transactions related to money laundering and terrorist financing operations and to take appropriate measures.
All personnel will be trained to ensure they are aware of their responsibilities and will be informed of any news related to compliance. The main objective of the training programs is to develop the skills of the employees of the XCAO SYSTEM GROUP company, promote high ethical and professional standards, and prevent the use of the company to carry out criminal activities or other activities.

The main objective of the training programs is to develop the skills of the employees of the XCAO SYSTEM GROUP company, promote high ethical and professional standards, and prevent the use of the company to carry out criminal activities or other activities. that are contrary to the law, and to ensure the conduct of business in accordance with the requirements of the law. The company will continuously carry out training programs in the field of KYC in order to prevent money laundering and terrorist financing, so that people who have responsibilities in this area are properly trained.

Record Keeping

All reports requested by the bank and (RTS / RTN / RTE) transmitted to ONPCSB, as well as related documents, including alerts received from agency employees through the whistleblowing procedure, as well as related alerts with clients suspected of ML / TF must be kept for at least 5 years before being sent to the company’s Archive, extending the term no more than 5 years, if there is information that could be requested by the competent authorities.

Statement of Policy

Personnel shall not permit any use of the funds or other assets of the company for any unlawful or improper use. Personnel shall not make, or authorize anyone to make on behalf of the company or receive, any loan, reward, advantage or benefit payments or gifts or offers or promises to pay money or give anything of value to or for the benefit of any person, or organization, including government agencies, individual government officials, any “Public Officer” or member of the Legislative Assembly, private companies and employees of those private companies under any circumstances. All personnel should be mindful of any unusual payment or transaction that may be seen as a bribe, purchasing influence, election fraud, breach of trust, or cash for honors. Any uncertainty or questions should be referred to the compliance Officer. If any personnel suspect corrupt activity, an Internal Suspicious Activity Reporting Form must be submitted to the Compliance Officer.


January 31, 2023