ANTI-MONEY LAUNDERING (AML) AND COUNTER-TERRORIST FINANCING (CTF) AND KNOW-YOUR CUSTOMER (KYC) POLICY

The following policy has been derived from the general principles, laws, regulations and directives for combating money laundering. In addition to the above, Exchange Point is owned and operated by Waypoint Ventures OÜ, holder of a license with the Estonian Financial Intelligence Unit, License Number FVR000140 for providing services of exchanging a virtual currency against a fiat currency. Estonian Cryptocurrency Exchanges are defined in Estonian law as “Providers of Alternative Means of Payment, licensed as an Estonian Financial Institution by holding a Financial Activity License from the Estonian Financial Intelligence Unit (FIU)”, which is the AML authority in Estonia with the ability to grant, revoke and supervise financial activity licenses. The AML and KYC requirements of the service providers are subject to the Estonian Money Laundering and Terrorist Financing Act and other legal guidelines given by the Estonian Minister of Finance. An integral part of the licensing procedure, and a significant FIU consideration for granting licenses, is the quality of the Rules of Procedures. These Rules of Procedure must comply with the Estonian law’s various requirements, which require them, among other things, to include specification of customer due diligence measures the company intends to take, assessment of money laundering risk, the manner of the collection and keeping of records and internal control rules. APPLICATION Exchange Point is taking security measures and has adopted policies, practices and procedures that promote high ethical and professional standards and prevent Exchange Point from being used, intentionally or unintentionally, by criminal elements. Exchange Point has put in place KYC programs as an essential element for service, risk management and control procedures. Such programs include: • Customer Acceptance • Customer Identification • On-going Monitoring of High / Medium Risk Accounts • Risk Management Exchange Point is obliged not only to establish the identity of its customers, but also to monitor account activity to determine those transactions that do not conform with the normal or expected transactions for that customer or type of account. KYC constitutes a core feature of risk management and control procedures. The intensity of our KYC programs beyond these essential elements is tailored to the degree of risk. CUSTOMER ACCEPTANCE POLICY Exchange Point maintains clear customer acceptance policies and procedures, including a description of the types of customer that are likely to pose a higher than average risk. Before accepting a potential client, KYC and due diligence procedures are followed, by examining factors such as customers’ background, country of origin, public or high profile position, linked accounts, business activities or other risk indicators. Extensive due diligence is essential for an individual with high net worth but whose source of funds is unclear. A decision to enter into business relationships with higher risk customers, such as politically exposed persons, is taken exclusively at senior management level. \Please note that we do not accept US Citizens. CUSTOMER IDENTIFICATION Customer identification is an essential element of KYC standards. For the purposes of this document, a customer includes: • The person or entity that maintains an account with Exchange Point or those on whose behalf an account is maintained (i.e. beneficial owners); • Any person or entity connected with a financial transaction who can pose a significant reputational or other risk to Exchange Point. Exchange Point maintains a systematic procedure for identifying new customers and cannot enter into a service relationship until the identity of a new customer is satisfactorily verified. The ideal documents for verifying the identity of customers are those most difficult to obtain illicitly and to counterfeit. The customer identification process applies naturally at the outset of the relationship. To ensure that records remain up-to-date and relevant, Exchange Point undertakes regular reviews of existing records. An appropriate time to do so is when a transaction of significance takes place, when customer documentation standards change substantially, or when there is a material change in the way that the account is operated. However, if the AML/CFT Supervisor for Exchange Point (AML/CFT Supervisor) becomes aware at any time, through compliance and/or AML/CFT Supervisor reviews, that it lacks sufficient information about an existing customer, immediate steps are taken to ensure that all relevant information is obtained as quickly as possible. Exchange Point will not accept as customers, persons or entities from restricted or sanctioned countries, organisations. Exchange Point can be exposed to reputational risk, and should therefore apply enhanced due diligence to such operations. Private accounts, which by nature involve a large measure of confidentiality, can be opened in the name of an individual or a commercial business. In each case reputational risk may arise if Exchange Point does not diligently follow established KYC procedures. All new clients and new accounts are approved by at least one person - the Company’s Customer Financial Officer or its own AML/CFT Officer. In case of a new high risk customer, the final decision is taken by the Company’s Head of Compliance. Particular safeguards have been put in place internally to protect confidentiality of customers and their business (please refer to our privacy Policy). Exchange Point ensures that equivalent scrutiny and monitoring of these customers and their business is conducted, e.g. it is available to be reviewed by the AML/CFT Supervisor and auditors. Exchange Point maintains clear standards and policies, on what records must be kept for customer identification and individual transactions. Such practice is essential to permit Exchange Point to monitor its relationship with the customer, to understand the customer’s on-going business and, if necessary, to provide evidence in the event of disputes, legal action, or a financial investigation that could lead to criminal prosecution. As the starting point and follow-up of the identification process, Exchange Point obtains customer identification papers and retain copies of them for at least five years after an account is closed. Exchange Point also retains all financial transaction records for at least five years from the date when Exchange Point’s relationship with the customer was terminated or a transaction was completed. GENERAL IDENTIFICATION REQUIREMENTS Exchange Point obtains all information necessary to establish to its full satisfaction the identity of each new customer and the purpose and intended nature of the business relationship. The extent and nature of the information depends on the type of applicant (personal / corporate) and the expected size of the account. When an account has been opened, but problems of verification arise in the service relationship which cannot be resolved, Exchange Point can close the account and return the money to the source from which it was received. While the transfer of an opening balance from an account in the customer’s name in another organization subject to the same KYC standard will be considered, Exchange Point follows its own KYC procedures. Exchange Point can consider the possibility that the previous account manager may have asked for the account to be removed because of a concern about dubious activithy. Naturally, customers have the right to move their business from one organization to another. However, if Exchange Point has any reason to believe that an applicant is being refused service facilities by another organization, Exchange Point is duty-bound to engage in enhanced due diligence procedures to the customer. Exchange Point will not agree to open an account or conduct on-going business with a customer who insists on anonymity or who gives a fictitious name. SPECIFIC CUSTOMER DUE DILIGENCE AND IDENTITY PROCEDURES Client identification must be carried out as soon as reasonably practicable after first contact is made. As part of its obligation to exercise due diligence in customer identification, Exchange Point must confirm that the identity information which it holds for its customers remains fully updated with all necessary identification and information throughout the business relationship. Exchange Point reviews and monitors on a regular basis the validity and adequacy of customer identification information in its possession. Notwithstanding the above and taking into account the degree of risk, if it becomes apparent at any time during the business relationship that Exchange Point lacks sufficient or reliable evidence (data) and information on the identity and financial profile of an existing customer, Exchange Point will immediately take all necessary actions using the identification procedures and measures to provide due diligence, in order to collect the missing data and information as quickly as possible and in order to determine the identity and create a comprehensive financial profile of the customer. Furthermore, Exchange Point monitors the adequacy of the information held and identity and economic portrait of its customers when and where one of the following events occurrences: • Conduct of a significant transaction that appears to be unusual and/or significant as against the usual type of trade and economic profile of the customer; • A significant change in the situation and legal status of the customer such as: • Change of directors/secretary • Change of registered shareholders and/or actual beneficiaries, • Change of registered office • Change of corporate name and/or trade name • Change of main trading partners and/or significant new business • A significant change in the operating rules of the customer’s account, such as: • Change of persons authorized to operate its account, • Request for opening a new account in order to provide new investment services and/or financial instruments. Where the customer refuses or fails to provide Exchange Point with the required documents and information for identification and creation of a financial portrait, before entering into the business relationship, or during the execution of an individual transaction without adequate justification, Exchange Point will not proceed in a contractual relationship or will not execute the transaction and may also report it to the AML/CFT Supervisor. This can lead to a suspicion that the customer is engaged in money laundering and terrorist financing. If during the business relationship the customer refuses or fails to submit all required documents and information, within reasonable time, Exchange Point has the right to terminate the business relationship and close the accounts of the customer. The compliance department also examines whether to report the case to the AML/CFT Supervisor. Personal Customer’s details required 1. True full name and/or names used 2. Current permanent address, including postal code 3. Date of birth 4. Profession or occupation 5. For transactions above a designated threshold (currently 5000 USD) a client will need to confirm transaction with a “Selfie” i.e a self-portrait picture of customer holding his/her valid identity document. Names should be verified by reference obtained from a reputable source which bears a photograph, such as: • Current valid full passport • Government issued photo identification card In addition to the customer’s name verification, the current permanent address should be verified by obtaining any one of the following documents in original form: • Copy of a recent utility bill • Local tax authority bill • Bank statement • Checking a telephone directory • Credit card monthly statement Accounts for Corporate Customers: • Company searches, and other commercial enquiries to ensure that the applicant has not been or in the process of being dissolved, struck off, wound up or terminated. • If changes to Company structure occur or ownership occurs subsequent to opening of an account with the Company, further checks should be made. • Identity verification should aim to identify • The Company • The directors • All persons duly authorized to operate the account • In case of private companies, the major beneficial shareholders • The Company’s business profile in terms of nature and scale of activities The following documents are required: • The original or certified copy of the Certificate of incorporation • Constitution • Resolution of the Board of Directors to enter into transactions on the Cryptocurrency market and conferring authority to those who will act for the customer • Where appropriate a search of the file at the Companies’ Registry • Identity of individuals who are connected with the Company • Exchange Point must be satisfied that it is dealing with a real person, and for this purpose, obtains sufficient identification documents to prove that the applicant is who he/she claims to be. • Exchange Point must verify the identity of beneficial owners of accounts. For legal persons, Exchange Point requires such data and information to understand the ownership and control structure of the customer. Regardless of the customer’s type (e.g. natural or legal person), Exchange Point takes adequate data and information on the customer’s business activities and the expected pattern and level of transactions. • The identity of all customers is verified on the basis of reliable data and information given or received from independent and reliable sources, i.e. those data and information that is difficult to be falsified or to be obtained in an illegal way. • The home and work addresses are considered a key element of the identity of a person. All data and information must be collected before entering into business relationship with the customer. In order to create a financial portrait of the customer and, as a minimum, Exchange Point must establish the following from the information provided by the customer: • the purpose and justification (reason) for the conclusion of the business relationship; • the nature of transactions, the expected source of money to be credited to the account and the expected destination of outgoing payments; • the size of assets and annual income, a clear description of the major business / professional activities / work. The data and information that assist in establishing a financial portrait of the client (legal entity) include: • brand name • Country of incorporation • Headquarters address • Names and identity of beneficial owners • Directors, authorized signatories • Financial data • Information of the group and/or companies that may be associated with the customer (country of incorporation of holding Company, subsidiaries and associated companies, the principal activities, financial results). All above data and information will be recorded on a separate form which is filed in the customer’s file along with all other documents, and internal memos from the minutes of the meetings with the client. This form is updated on a regular basis or whenever new information on any changes or additions occur which affect the financial profile of the customer. Enhanced due diligence measures Exchange Point applies increased due diligence measures and customer identification procedures in the following cases: • If Exchange Point establishes a business relationship with a customer that is— • a non-resident customer from a country that has insufficient anti-money laundering and countering financing of terrorism systems or measures in place: • a Company with nominee shareholders or shares in bearer form. • If a customer seeks to conduct, through Exchange Point, a complex, unusually large transaction or unusual pattern of transactions that has or have no apparent or visible economic or lawful purpose. • When Exchange Point considers that the level of risk involved is such that enhanced due diligence should apply to a particular situation. • Any other circumstances specified in regulations. • In respect of transactions or business relationships with politically exposed persons residing in a country within the European Economic Area or a third country. Exchange Point must conduct enhanced customer due diligence if: • It establishes a business relationship with a customer who it has determined is a politically exposed person; or • A customer who it has determined is a politically exposed person seeks to conduct an occasional transaction through the reporting entity. Exchange Point must conduct enhanced due diligence if— • It establishes a business relationship with a customer that involves new or developing technologies, or new or developing products, that might favour anonymity; or • A customer seeks to conduct an occasional transaction through the reporting entity that involves new or developing technologies, or new or developing products, that might favour anonymity. Enhanced customer due diligence measures are taken in all other instances which due to their nature entail a higher risk of money laundering or terrorist financing. Performance by third parties Exchange Point may rely on third parties for applying the requirements in respect of customer’s identification procedures and customer due diligence measures provided that all data and information is held by the third person for customer identification, and certified copies of the originals are provided to Exchange Point. ON-GOING MONITORING AND RECORDING OF ACCOUNTS AND TRANSACTIONS On-going monitoring is an essential aspect of effective KYC procedures. Exchange Point can only effectively control and reduce the risk if it understands normal and reasonable account activity of its customers so that it has means of identifying transactions which fall outside the regular pattern of an account’s activity. Without such knowledge, it is likely to fail in its duty to report suspicious transactions to the appropriate authorities in cases where they are required to do so. The extent of the monitoring needs to be risk-sensitive. For all accounts, Exchange Point has systems in place to detect unusual or suspicious patterns of activity. This can be done by establishing limits for a particular class or category of accounts. Particular attention is paid to transactions that exceed these limits. Certain types of transactions alert to the possibility that the customer is conducting unusual or suspicious activities. They may include transactions that do not appear to make economic or commercial sense (big transactions). Intensified monitoring for higher risk accounts is conducted. Exchange Point has set key indicators for such accounts, taking note of the background of the customer, such as the country of origin and source of funds, the type of transactions involved, and other risk factors. RECORD KEEPING Exchange Point is required to keep records for a period of at least five years by law. The five year period is calculated following the carrying out of the transactions or the end of the business relationship. The following records must be kept: • Copies of the evidential material of the customer identity. • Relevant evidential material and details of all business relations and transactions, including documents for recording transactions in the accounting books and • Relevant documents of correspondence with the customers and other persons with whom they keep a business relation. All documents and information are available rapidly and without delay to the authorities for the purpose of discharging the duties imposed on them by the law. The AML/CFT Supervisor needs to be able to compile a satisfactory audit trail. Document retention may be in original documents or certified true copies and be kept in hard copy, or other format such as electronic form given that they can be available at any time and without delay. When setting up document retention policies, Exchange Point considers the statutory requirements and the potential needs of the unit. Documents and information must be original or true copies. In cases where the documents are being certified by another person and not Exchange Point, or the third party, then the documents must be notarized. RISK MANAGEMENT Effective KYC procedures embrace routines for proper management oversight, systems and controls, segregation of duties, training and other related policies. The senior management of Exchange Point is fully committed to an effective KYC programme and procedures that ensures their effectiveness. Explicit responsibility is allocated within the organization for ensuring that Exchange Point policies and procedures are managed effectively and are in accordance with local supervisory practice. The channels for reporting suspicious transactions are clearly specified and communicated to all personnel. Exchange Point maintains an ongoing employee training program so that the staff are adequately trained in KYC procedures. The timing and content of training for various staff categories is adapted by Exchange Point for its own needs. Training requirements have a different focus for new staff, front-line staff, compliance staff or staff dealing with new customers. New staff are educated in the importance of KYC policies and the basic requirements at Exchange Point. Staff members who deal directly with the customers are trained to verify the identity of new customers, to exercise due diligence in handling accounts of existing customers on an on-going basis and to detect patterns of suspicious activity. Regular refresher training is provided to ensure that employees are reminded of their responsibilities and are kept informed of new developments. It is crucial that all relevant staff fully understand the need for and implement KYC policies consistently. A culture within services that promotes such understanding is the key to a successful implementation. SPECIFIC CUSTOMER DUE-DILIGENCE AND IDENTITY PROCEDURES. Natural Person/s 1. Full name and / or names used, based on birth certificate or passport, or document issued by an independent and reliable source and which bears a photograph of the customer 2. Full permanent address, including the postcode, presentation of a recent (up to 3 months) telephone bill, electricity, rates, taxes, or bank account statement, or similar, with the above, documents. 3. Phone number, landline and mobile, and fax 4. E-mail address, if any 5. Date and place of birth 6. Nationality 7. Details of profession and other occupations, including the name of the employer / business organization Joint accounts In cases of joint accounts of two or more persons, the identity of all persons (individuals) that hold or have the right to manage the account must be verified. Accounts for Legal Persons 1. Registration number – certificate of registration 2. Registered name and trade name used 3. Full corporate registered address and head officers 4. Phone number, fax and email address 5. Members of the board of directors 6. Persons authorized to operate the account and to act on behalf of the legal person 7. Real beneficiaries of private and public companies that are not listed in regulated market of a European Economic Area country or a third country with equivalent disclosure and transparency requirements. 8. Registered shareholders that act as nominees of the actual beneficiaries’ The financial portrait of the legal person 1. Identity info 2. Identity of beneficiaries 3. In case of legal persons (ownership and control structure, of the customer) 4. Information regarding the business activities and the expected pattern and level of transactions 5. Residence and business address 6. The purpose and reason for the establishment of a business relationship 7. Anticipated account turnover, the nature of the transactions, the expected origin of incoming funds to be credited to the account and the expected destination of outgoing transfers/payments 8. The customer’s size of wealth and annual income, and a clear description of the main business / professional activities / operation 9. Company’s name, country of incorporation, head offices address, names and identity of beneficial owners, directors, authorized signatories, financial information, ownership structure of the group that Exchange Point may be a part of (country of incorporation of the parent Company, subsidiaries and associate companies, the main activities, financial information) It is noted that at any times during the business relationship, Exchange Point can obtain additional documents and information if required. Accounts for Legal Person (Companies or Legal Entities) 1. All documents and information as stated above must be provided 2. Exchange Point can conduct research and receive information from the Companies Registry or equivalent authority in the country of incorporation (legal entity) abroad and / or request information from other sources in order to ensure that the Company (legal person) is not nor is in the process of being dissolved or liquidated or struck off the registry and that it continues to be registered as an operating Company. Nominees or agents of third persons The following information is required: 1. Verify the identity of the nominees or the agent of the third person (above) 2. Verify the identity of any third person on whose behalf the nominee is acting (above) 3. Copy of the authorization agreement that has been concluded between the interested Parties ADDITIONAL INFORMATION NOTICE Exchange point can at any time inquire and obtain additional documents and information if required. If at any later stage any changes occur in the structure of the ownership status or to any details, the customers has to inform exchange point and provide any new information and documents. If in the country of the potential/existing client any of the required document does not exist in the form required by exchange point the compliance officer may accept a similar document serving the needs of due diligence.