Internal AML Policy

1. Policy Purpose
1.1 All Pay Way LLC (hereafter – “Daxil” or “provider”) operates as a licensed payment service provider under Georgian law and is subject to oversight by the National Bank of Georgia.
1.2 Daxil is committed to full adherence to all applicable regulatory and legal requirements governing its activities.
1.3 The company’s leadership acknowledges that combating money laundering, terrorism financing, and financial crime is a matter of global concern — one that demands active cooperation between private-sector participants and public institutions.
1.4 Guided by both local regulatory requirements and internationally recognised best practices, Daxil maintains internal processes and documented procedures designed to mitigate threats in the financial sector while delivering a safe and reliable service environment to its customers.
1.5 The company strives to build and maintain internal mechanisms capable of addressing present and emerging challenges in the evolving financial landscape.
1.6 Daxil places strong emphasis on customer protection, recognising that a secure service environment is fundamental. To this end, the company applies appropriate preventive controls that address not only financial risk but also potential reputational exposure.
1.7 Daxil upholds rigorous standards in the area of anti-money laundering and counter-terrorism financing, pursues strict compliance with Georgian legislative and regulatory requirements, and works to embed international best practices into its local operations.
1.8 This policy is grounded in the Law of Georgia “On Facilitating the Prevention of Money Laundering and Terrorism Financing”, as well as normative acts, guidelines, and binding rules issued by the National Bank of Georgia and the Financial Monitoring Service of Georgia as they apply to payment service providers.

2. Money Laundering and Terrorism Financing
2.1 Under Georgian law, money laundering refers to the process of legitimising proceeds derived from illegal activities — that is, attributing a lawful appearance to property that is illegal and/or undocumented — through any form of use, acquisition, possession, conversion, transfer, or other similar action. This includes concealing or disguising the true nature, origin, location, movement, or ownership of such property, as well as facilitating a person’s evasion of legal liability.
2.2 Illegal property encompasses any assets — including income and equity interests derived therefrom — obtained in violation of applicable law by a person, their family members, close relatives, or associated parties.
2.3 Undocumented property refers to assets — including income and equity interests — for which a person, their family members, close relatives, or associated parties are unable to provide documentation confirming lawful acquisition, or which were obtained using proceeds from the disposal of illegal property.
2.4 Terrorism financing is defined as the collection or provision of funds or other assets with the knowledge — whether prior or reasonably foreseeable — that they will be used, in whole or in part, by a terrorist, a terrorist organisation, or in furtherance of terrorist
activity. This includes the provision of services, resources, or other material support to a terrorist or terrorist organisation with such knowledge.
2.5 Daxil treats the fight against money laundering and terrorism financing as inseparable objectives and applies equal diligence in assessing and mitigating ML/TF risks across all customer relationships.
2.6 In countering terrorism financing specifically, Daxil applies the same preventive framework used in combating money laundering — encompassing customer identification and verification, due diligence procedures, and transaction monitoring.

3. Compliance Control
3.1 Commensurate with the nature and scale of its operations, Daxil maintains an effective system for identifying and managing money laundering and terrorism financing risks (hereinafter — the “compliance control system”).
3.2 The compliance control system encompasses, among other elements, the following core principles:
• Development and formal approval of internal AML policies governing the operation of the compliance control system;
• Assessment of ML/TF risks associated with individual customers and determination of customer risk ratings in accordance with applicable legislation;
• Application of Customer Due Diligence (CDD) measures as required by law, including customer identification and verification procedures;
• Screening of customers against lists of politically exposed persons (PEPs), as well as sanctions lists issued pursuant to UN Security Council resolutions and
other sanctions regimes required by the National Bank of Georgia;
• Maintenance of a transaction monitoring system proportionate to the nature, volume, and ML/TF risk profile of the company’s operations;
• Retention of records and documentation in the manner and for the periods prescribed by law.
3.3 To carry out the above obligations, Daxil has established a dedicated Compliance function within its organisational structure.
3.4 The Compliance function is responsible for all activities related to the prevention of money laundering and terrorism financing, including the development of relevant internal policies and procedures, execution of financial monitoring tasks, and fulfilment of
obligations arising from regulatory requirements and international standards.

4. Preventive Measures
4.1 On the basis of information and documentation gathered through preventive measures — including data on the products and services used by the customer — Daxil:
• Establishes the customer’s risk profile;
• Determines the scope of additional information to be collected;
• Defines the required format and nature of supporting documentation;
• Sets the type and intensity of ongoing monitoring.
4.2 The outcomes of preventive measures directly inform Daxil’s decisions regarding the establishment, continuation, or termination of a business relationship.
4.3 Daxil applies preventive measures in a manner suited to the specific circumstances of each case, with a view to maintaining full compliance with applicable legal requirements.
4.4 The scope of preventive measures includes:
• Customer identification and verification based on reliable, independent sources;
• Identification of the beneficial owner and, where applicable, reasonable steps to verify their identity using reliable sources;
• Determining the purpose and intended nature of the business relationship;
• Ongoing monitoring of the business relationship.
4.5 In the case of legal entities, Daxil additionally examines the customer’s ownership structure and governance arrangements.
4.6 When establishing the purpose and nature of a business relationship, Daxil seeks to understand the substance of the customer’s activities and collects information on the expected type, volume, and frequency of transactions.
4.7 During ongoing monitoring, Daxil reviews transactions initiated, concluded, or executed by or on behalf of the customer to assess their consistency with the company’s knowledge of the customer, including their commercial or professional profile and assigned risk level.
4.8 Identification data and related information obtained through preventive measures are updated at intervals specified by applicable legislation and internal policy.
4.9 The application of preventive measures is calibrated to the customer’s risk level and is carried out:
• Prior to the execution of a one-off transaction;
• Prior to the establishment of a business relationship;
• During the course of an ongoing business relationship;
• Upon any material change in circumstances relating to the customer.
4.10 Daxil applies the following tiers of preventive measures:
• Simplified due diligence;
• Standard due diligence;
• Enhanced due diligence.
4.11 Daxil is authorised to carry out preventive measures through remote (electronic) channels, without requiring in-person contact with the customer.

5. KYC Standard
5.1 The Know Your Customer (KYC) standard represents a formalised process established by Daxil that encompasses identification, verification, and related procedures applied to customers and business partners. It includes the collection, recording, and storage of information and documentation obtained during these procedures, as well as periodic reviews and updates.
5.2 The KYC process is continuous and ongoing in nature. Adherence to it is mandatory both at the outset of a business relationship and throughout its entire duration.
5.3 Daxil’s KYC framework incorporates the following steps:
• Initial customer/partner identification — including the collection of identification data and documents, completion of questionnaires, registration, and record
retention;
• Verification of information obtained during identification, including cross-referencing against reliable independent sources, and analysis of findings;
• Establishing the purpose and intended nature of the business relationship at the time of onboarding, followed by ongoing analysis and review;
• Review, analysis, and appropriate follow-up with respect to transactions carried out by or for the benefit of the customer or business partner;
• Periodic refresh of identification data and documentation in line with legal requirements.
5.4 Customer identification and verification are completed prior to granting access to the platform. A business relationship is established only upon successful completion of the verification process.
5.5 Beyond initial onboarding, identification and verification may be repeated during an existing business relationship where circumstances warrant — for example, where doubts arise regarding the accuracy or authenticity of identification data, where an
identification document has expired, or where key recorded information has changed.
5.6 Daxil conducts customer identification and verification in accordance with Georgian law — in particular, the Law of Georgia “On Facilitating the Prevention of Money Laundering and Terrorism Financing” — as well as normative acts issued by the Financial Monitoring Service of Georgia, applicable regulatory recommendations, and internal policy.
5.7 Daxil is entitled to request any information or documentation from customers necessary to support a sound and effective compliance control process. At its discretion and taking account of specific contextual factors, Daxil may also request supplementary materials needed to understand the customer, their activities, or their transaction history.
5.8 Daxil screens customers and persons in business relationships — including their beneficial owners — against sanctions lists required under Georgian law, relevant acts and written instructions of the National Bank of Georgia, applicable international sanctions regimes, and lists of politically exposed persons.
5.9 Daxil will decline to establish or will terminate a business relationship, and will not execute a one-off transaction, in the following circumstances:
• Required preventive measures cannot be adequately applied;
• The person appears on a sanctions list referred to in clause 5.8;
• Daxil is unable to ensure effective risk management in relation to that person.
5.10 Within the context of long-term business relationships, identification data is updated in accordance with the applicable risk level assigned to the customer.
5.11 For identification purposes, the customer completes the KYC form prescribed by Daxil.

6. Risk-Based Approach
6.1 Daxil’s risk-based approach is aligned with the legislative requirements of Georgia, guidance issued by the Financial Monitoring Service of Georgia, recommendations of the Financial Action Task Force (FATF), and other relevant international standards.
6.2 This approach enables Daxil to conduct a well-calibrated assessment of risks inherent to its business and the activities it supports.
6.3 Through a risk-based approach, Daxil identifies proportionate responses to each risk in order to reduce and manage it effectively, ensuring efficient allocation of compliance resources.
6.4 Daxil’s leadership takes responsibility for developing and maintaining an effective compliance control system — one that reflects the organisation’s size, the specific nature of its activities, and its ML/TF risk exposure.
6.5 The risk-based approach covers:
• Organisational risk assessment;
• Establishment of a comprehensive risk perspective;
• Application of preventive measures (including the KYC standard);
• Ongoing monitoring and periodic review.
6.6 Risks identified and assessed by Daxil — including organisational, customer-related, and other risks — are subject to periodic review at frequencies determined by the applicable risk level.
6.7 Reviews are also triggered by changes in material circumstances, such as modifications to existing services or products, the introduction of new offerings, emerging threats identified during operations, or changes in applicable legislation.

7. Monitoring, Record-Keeping, and Control
7.1 Monitoring
7.1.1 In line with legal requirements and international best practices, Daxil monitors transactions that have been executed or are in the process of being executed.
7.1.2 Monitoring is conducted in accordance with a risk-based approach.
7.1.3 Transaction monitoring focuses on identifying indicators that may be suggestive of money laundering or terrorism financing.
7.1.4 Upon detection of suspicious or unusual transactions, Daxil takes action in accordance with Georgian law, including reporting to the relevant competent authorities.
7.2 Record-Keeping
7.2.1 To support the effective functioning of the compliance control system, Daxil maintains customer records in electronic form (and in physical form where required by law).
7.2.2 Daxil additionally retains records generated in the course of preventive measures and associated monitoring activities.
7.3 Control
7.3.1 Daxil places significant importance on staffing its team with qualified individuals of sound reputation, in order to maintain service quality and mitigate risks across multiple areas — including fraud, reputational, and financial risks.
7.3.2 Building a strong culture of compliance is a key objective, supported through regular consultation and training of employees on ML/TF-related topics.