
AML/CFT Policy

Effective date: April 15, 2026 · Applies to: All Crednce users and staff

Crednce maintains a zero-tolerance position on money laundering, terrorist financing, and sanctions evasion. This Policy sets out our legal obligations, internal controls, and the responsibilities of every person who works with or on behalf of Crednce. Questions may be directed to compliance@crednce.io.

01

Policy Statement & Purpose

Crednce Sphere Ltd. ("Crednce", "we", "our", or "us") is committed to the highest standards of Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) compliance. This Policy establishes the framework by which Crednce detects, prevents, and reports financial crime across all markets and jurisdictions in which we operate.

Money laundering and the financing of terrorism pose serious threats to the integrity of the global financial system and to the communities we serve. Crednce operates a technology platform that facilitates structured transactions, agreements, and verification workflows between users, while payments are processed and safeguarded by licensed third-party payment service providers (PSPs). We recognise that this creates an obligation — both legal and ethical — to ensure our infrastructure is never used as a conduit for illicit funds.

This Policy applies to all Crednce employees, contractors, officers, directors, agents, and third-party service providers who act on our behalf. Non-compliance with this Policy is treated as a serious disciplinary matter and may result in termination, civil liability, or referral to law enforcement authorities.

02

Legal & Regulatory Framework

Crednce operates in compliance with the AML/CFT legislative and regulatory requirements of the jurisdictions in which it is active. Our programme is designed to satisfy, at a minimum, the following frameworks:

African Regulatory Instruments

  • Ghana: Anti-Money Laundering Act 2020 (Act 1044) and the AML/CFT Guidelines issued by the Bank of Ghana
  • Nigeria: Money Laundering (Prevention and Prohibition) Act 2022 and the NFIU AML/CFT/CPF Regulations
  • Kenya: Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) and the Financial Reporting Centre (FRC) Regulations
  • South Africa: Financial Intelligence Centre Act 38 of 2001 (FICA) and subsequent amendments
  • Regional: ECOWAS and ESAAMLG mutual evaluation recommendations and action plans

International Standards

  • Financial Action Task Force (FATF) 40 Recommendations — the primary international standard for AML/CFT
  • FATF Guidance on Virtual Assets and Virtual Asset Service Providers, where applicable
  • United Nations Security Council Resolutions on counter-terrorism financing
  • Office of Foreign Assets Control (OFAC) sanctions programmes
  • UK Office of Financial Sanctions Implementation (OFSI) consolidated sanctions list
  • European Union sanctions regulations and AML Directives (as applicable to operations touching EU counterparties)

Applicable Guidance

  • Basel Committee on Banking Supervision: Customer Due Diligence for Banks (revised)
  • Wolfsberg Group AML Principles for Correspondent Banking
  • Egmont Group financial intelligence unit guidance on transaction monitoring

03

Risk-Based Approach

Crednce adopts a risk-based approach (RBA) to AML/CFT, as required by FATF Recommendations. This means we identify, assess, and understand the money laundering and terrorist financing risks to which we are exposed, and apply controls that are proportionate to those risks.

Enterprise-Level Risk Assessment

  • Crednce conducts and formally documents an Enterprise Risk Assessment (ERA) at least annually, and upon material changes to the business, product, or geographic footprint
  • The ERA considers: customer risk, geographic risk, product and service risk, delivery channel risk, and transaction risk
  • Risk assessment outputs inform policy updates, control enhancements, and resource allocation decisions
  • The ERA is reviewed and approved by the Chief Compliance Officer (CCO) and the Board Risk Committee

Customer Risk Rating

  • Each customer is assigned a risk rating (Low, Medium, High, or Unacceptable) based on defined risk factors at onboarding and through ongoing monitoring
  • Risk factors include: customer type (individual vs. business), country of residence, occupation or industry, transaction patterns, PEP/sanctions status, and source of funds/wealth
  • High-risk customers are subject to Enhanced Due Diligence (EDD) and more frequent review cycles
  • Unacceptable-risk customers or transactions are declined, and where legally required, a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) is filed

Product & Channel Risk

  • Transactions facilitated on the platform, particularly those involving cross-border counterparties, may present elevated risk and are subject to enhanced monitoring controls.
  • Payment methods such as Mobile Money and other cash-equivalent channels are reviewed in coordination with licensed payment partners, with additional safeguards applied where appropriate.
  • Unusual platform activity, including high-frequency deal creation or atypical usage patterns, may trigger automated or manual review.
  • New features and product updates are subject to an internal risk assessment process to evaluate potential misuse and implement appropriate safeguards prior to launch.

04

Customer Due Diligence (CDD)

Customer Due Diligence is the cornerstone of our AML/CFT programme. We verify who our customers are, assess their risk profile, and understand the nature of their business before allowing them to transact on the Platform.

Standard CDD (All Users)

  • Full legal name and date of birth (for individuals) or registered entity name and company number (for businesses)
  • Government-issued photo identification: national ID card, passport, or driver's licence — verified against the original document
  • Proof of residential address: utility bill, bank statement, or official correspondence — dated within 90 days
  • A real-time selfie or liveness check matched against the provided identity document via biometric analysis
  • Mobile or email verification to confirm ownership of the registered contact detail
  • Declaration of intended use of the Platform and primary source of funds

Business Customer CDD

  • Certificate of Incorporation and current business registration certificate
  • Memorandum and Articles of Association (or equivalent constitutional documents)
  • Ownership and control structure, including identification of all shareholders holding 10% or more
  • Identification and verification of all Ultimate Beneficial Owners (UBOs) using the same standard as individual CDD
  • Identification and verification of all Directors and Authorised Signatories
  • Nature of business, industry classification, and anticipated transaction volumes
  • Audited financial statements or management accounts for entities with annual revenue above defined thresholds

Enhanced Due Diligence (EDD)

  • EDD is applied to all High-risk customers and is triggered by: PEP status, high-risk jurisdiction, complex ownership structure, unusual transaction patterns, or adverse media findings
  • EDD includes: independent source of wealth and source of funds verification, senior management approval, more frequent periodic review (at minimum every 12 months), and enhanced transaction monitoring thresholds
  • For Politically Exposed Persons (PEPs): we identify all domestic, foreign, and international organisation PEPs, their immediate family members, and known close associates. PEP onboarding requires CCO approval
  • For high-risk countries: we apply the specific measures recommended by FATF for non-cooperative or high-risk jurisdictions, and may decline to onboard customers with primary exposure to FATF blacklisted countries

Simplified Due Diligence (SDD)

  • SDD may be applied to customers assessed as Low risk where specific criteria are met — including where the customer is a regulated financial institution in an equivalent jurisdiction, a listed company subject to disclosure requirements, or a government entity
  • SDD is not applied to any customer category where local regulation mandates full CDD or where red flags are present
  • SDD does not mean no due diligence — it means proportionate verification, with ongoing monitoring still required

Tiered Verification & Transaction Limits

  • Tier 0 (Unverified): Platform browsing only. No financial transactions permitted
  • Tier 1 (Basic KYC): Email and phone verified plus government ID. Maximum transaction limit of $500 USD equivalent per deal and $2,000 per month
  • Tier 2 (Full KYC): All Tier 1 requirements plus proof of address and selfie verification. Maximum $10,000 per deal and $25,000 per month
  • Tier 3 (Business or Enhanced KYC): Full business CDD completed plus EDD where applicable. No standard upper limit; monitored individually
  • Limits may be adjusted by risk decision of the Compliance team with documented rationale

05

Sanctions Screening

Crednce maintains a zero-tolerance policy for conducting business with sanctioned individuals, entities, or jurisdictions. Sanctions compliance is a non-negotiable obligation — regulatory violations in this area carry severe criminal and civil consequences.

Screening Coverage

  • All customers are screened against consolidated global sanctions lists at onboarding, including: OFAC SDN and Consolidated Sanctions List, UN Security Council Consolidated List, EU Consolidated Sanctions List, UK OFSI Consolidated List, and applicable domestic sanctions lists (e.g. Ghana, Nigeria)
  • Screening is also conducted against major Politically Exposed Persons (PEP) databases and adverse media sources
  • Real-time screening is applied at transaction initiation — not just at onboarding
  • Bulk screening of the existing customer base is performed upon release of materially updated sanctions lists

Match Handling

  • All potential matches are reviewed by a trained compliance analyst before action is taken, distinguishing true matches from false positives
  • True matches result in: immediate transaction blocking, account suspension, notification to the relevant Financial Intelligence Unit (FIU), and — where required — asset freezing and regulatory reporting
  • False positives are documented with the analyst's rationale, cleared in the system, and retained for audit purposes
  • Attempted transactions with sanctions-listed parties are reported regardless of whether the transaction was completed

Jurisdiction Restrictions

  • Crednce does not knowingly onboard or facilitate transactions involving individuals or entities with a primary nexus in comprehensively sanctioned jurisdictions
  • Geographic restrictions are reviewed quarterly and updated in line with FATF, OFAC, UN, and domestic authority designations
  • Where geolocation or IP data conflicts with declared address information, enhanced scrutiny is applied

06

Transaction Monitoring

Ongoing transaction monitoring is essential to detecting suspicious activity that may not have been apparent at onboarding. Crednce operates both automated and human-review monitoring processes.

Automated Monitoring Systems

  • All Platform transactions are processed through an automated transaction monitoring system with defined rule sets and risk scoring models
  • Rules are designed to detect: structuring (breaking transactions into sub-threshold amounts), rapid fund movement, round-sum transactions, geographic inconsistencies, velocity anomalies, and unusual deal patterns
  • The system generates alerts for human review when transactions exceed defined risk thresholds or match predefined typology patterns
  • Monitoring rules are reviewed and calibrated at least quarterly to address new typologies and reduce false positive rates

Suspicious Activity Indicators

  • Frequent deal creation and cancellation without completion — a possible indicator of layering
  • Payments received from, or sent to, third parties not party to the underlying deal
  • Deals with unusually vague or implausible scope descriptions
  • Rapid escalation in transaction volumes inconsistent with stated business profile
  • Multiple accounts controlled by the same device, IP address, or payment instrument
  • Repeated failed KYC attempts followed by a successful pass shortly after
  • Requests to transact in high-risk currencies or with counterparties in high-risk jurisdictions
  • Adverse media hits linking the customer to criminal investigations, fraud, or financial misconduct

Alert Review & Escalation

  • All system-generated alerts are reviewed within 5 business days by a trained AML analyst
  • Alerts assessed as suspicious are escalated to the Compliance Manager within 24 hours for a SAR/STR filing decision
  • Where an alert involves possible sanctions exposure, escalation is immediate and the transaction is held pending senior review
  • Alert dispositions and analyst reasoning are documented in the case management system for a minimum of 7 years

07

Suspicious Activity & Transaction Reporting

Where Crednce knows, suspects, or has reasonable grounds to suspect that a transaction involves proceeds of crime or is connected to terrorist financing, we are legally required to file a report with the relevant Financial Intelligence Unit (FIU). This obligation exists regardless of the amount involved and regardless of whether the transaction is completed.

Filing Obligations

  • Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) are filed with the relevant national FIU — including the Ghana Financial Intelligence Centre (GFIC), Nigeria Financial Intelligence Unit (NFIU), Financial Reporting Centre (Kenya), and Financial Intelligence Centre (South Africa) — as applicable
  • Reports are filed within the timeframe mandated by local law, and no later than 72 hours from the decision to file
  • Currency Transaction Reports (CTRs) or equivalent threshold-based reports are submitted for cash-equivalent transactions above the threshold specified by applicable law in each jurisdiction
  • Crednce maintains a SAR/STR register with case ID, filing date, submitting officer, and outcome for audit purposes

Tipping-Off Prohibition

  • Crednce staff must not disclose to any customer, or any third party, that a SAR/STR has been filed or that a suspicious activity investigation is underway. This prohibition (known as "tipping off") applies regardless of any relationship with the customer
  • Staff must not decline to proceed with a transaction or close an account in a manner that would alert the customer to the existence of a suspicion filing
  • If a customer directly asks why a transaction has been delayed or an account suspended, staff may state only that "regulatory requirements" require the action. No further explanation is to be given
  • Breach of the tipping-off prohibition is a criminal offence under the applicable legislation of most jurisdictions in which we operate

Non-Prosecution Safe Harbour

  • Filing a SAR/STR with the relevant FIU in good faith, in accordance with applicable law, provides Crednce and the reporting officer statutory protection from civil and criminal liability for the disclosure of customer information in the filing
  • This protection applies only to reports filed honestly and in compliance with the relevant reporting regime — it does not protect against reports filed maliciously or in bad faith

08

Record-Keeping

Comprehensive and accurate record-keeping is both a legal requirement and an operational necessity for effective AML/CFT compliance. Crednce maintains all records in a manner that is accessible, searchable, and suitable for production to regulators, courts, and law enforcement upon valid request.

Retention Requirements

  • Customer identification and KYC documents: retained for a minimum of 5 years after the termination of the business relationship
  • Platform activity records (e.g. deal agreements, milestones, and transaction references): retained for a minimum of 7 years
  • Internal reports, reviews, and case documentation related to suspicious or high-risk activity: retained for at least 7 years
  • Sanctions screening records, match analysis, and dispositions: retained for 7 years
  • Training records, policy acknowledgements, and compliance assessments: retained for 5 years
  • All records are retained in secure, access-controlled digital repositories with version control and tamper-evident logging

Regulatory Production

  • Records will be produced to competent authorities, regulators, and law enforcement within the timeframe specified in a valid legal request or regulatory notice
  • All requests for records from external parties are routed through the Legal & Compliance team. Staff must not independently respond to such requests
  • Crednce will not destroy, conceal, alter, or falsify records that may be relevant to a known or reasonably anticipated investigation

09

Compliance Programme Governance

The effectiveness of our AML/CFT programme depends on clear ownership, adequate resources, and an appropriate governance structure that gives compliance the authority and independence it requires.

Chief Compliance Officer (CCO)

  • Crednce designates a qualified Chief Compliance Officer who holds ultimate responsibility for the design, implementation, and oversight of the AML/CFT programme
  • The CCO reports directly to the Board and has the authority to escalate AML/CFT matters to the highest level of the organisation
  • The CCO must hold, or be working towards, a recognised AML/CFT qualification (e.g. CAMS, ICA Certificate, or equivalent)
  • The CCO is the nominated Money Laundering Reporting Officer (MLRO) and the designated officer for SAR/STR filings with relevant FIUs

Three Lines of Defence

  • First Line — Business Operations: Business units and customer-facing teams are responsible for applying CDD procedures, identifying suspicious indicators, and escalating concerns. They own AML risk in their daily operations
  • Second Line — Compliance Function: The Compliance team sets policy, provides guidance, operates transaction monitoring systems, reviews alerts, files reports, and conducts ongoing oversight of first-line adherence
  • Third Line — Internal Audit: The Internal Audit function independently tests the effectiveness of the AML/CFT controls and reports its findings directly to the Board Audit Committee

Board & Senior Management Oversight

  • The Board of Directors approves this Policy and any material amendments to it on an annual basis
  • The Board Risk Committee receives quarterly AML/CFT risk reports covering: SAR/STR filing volumes, alert statistics, training completion rates, and any material compliance incidents
  • Senior Management is accountable for ensuring sufficient resources — human, technological, and financial — are allocated to the compliance function
  • Material compliance failures are reportable to the Board within 5 business days of identification

Policy Review

  • This Policy is reviewed and updated at least annually, and whenever there is a material change in: the regulatory environment, the Platform's product offering, geographic footprint, or risk profile
  • Ad hoc updates may be issued between annual reviews when urgent regulatory changes require immediate action
  • All Policy revisions are version-controlled, dated, and retained for a minimum of 10 years

10

Staff Training & Awareness

AML/CFT compliance is a shared responsibility. Every individual who works at or with Crednce must understand their obligations, recognise the signs of financial crime, and know how to escalate concerns.

Mandatory Training

  • All new employees and contractors with any customer or financial transaction exposure complete AML/CFT induction training within 30 days of starting, and before being given unsupervised access to customer accounts
  • All in-scope staff complete annual refresher training that covers regulatory updates, emerging typologies, internal case studies, and policy changes
  • The Compliance and Legal teams complete specialist training aligned to their functions — including MLRO certification, sanctions compliance, and investigations training — as appropriate
  • Training completion is tracked; failure to complete mandatory training within defined windows triggers escalation to the employee's manager and HR

Training Content

  • What money laundering and terrorist financing are, and why they matter
  • Crednce's specific AML/CFT risk profile and the typologies most relevant to our business
  • CDD and EDD procedures — how and why we collect customer information
  • Recognising and escalating suspicious activity — the internal referral process
  • The tipping-off prohibition and confidentiality of SAR/STR filings
  • Consequences of non-compliance — for the individual and for Crednce
  • How to raise a concern without fear of retaliation — whistleblowing protections

11

Third-Party & Partner Due Diligence

Crednce's exposure to financial crime risk is not limited to direct customer relationships. Partners, service providers, and agents who introduce customers or process transactions on our behalf can transmit risk to us. We apply proportionate due diligence to all material third-party relationships.

Financial Institution Partners

  • Correspondent banking and payment processing partners are subject to enhanced due diligence before engagement and on a recurring annual basis
  • We will not establish or maintain relationships with shell banks or financial institutions that permit their accounts to be used by shell banks
  • Partner relationships are subject to ongoing monitoring for adverse events including licence revocations, enforcement actions, or material sanctions findings

KYC & Technology Vendors

  • Third-party identity verification and KYC providers are assessed for regulatory accreditation, data security standards, accuracy metrics, and geographic coverage
  • Vendors are contractually required to notify Crednce of any material changes to their regulatory status, data practices, or service coverage within 5 business days
  • Crednce retains ultimate legal responsibility for the adequacy of CDD performed through outsourced providers — we cannot outsource our AML/CFT obligations

Introducers & Referral Partners

  • Third parties who introduce customers to Crednce must themselves be subject to equivalent AML/CFT obligations in their jurisdiction
  • Crednce does not accept reliance on third-party CDD where the introducer is not a regulated entity or where the quality of their CDD cannot be verified
  • All introducer agreements are reviewed by Legal & Compliance before execution

12

Non-Compliance & Disciplinary Action

Crednce takes any breach of this Policy — whether through negligence, wilful non-compliance, or deliberate facilitation of financial crime — with the utmost seriousness. The consequences of AML/CFT failures extend beyond Crednce as an organisation to the individuals involved.

Internal Consequences

  • Failure to follow CDD procedures, delayed escalation of suspicious activity, or breach of the tipping-off prohibition may result in formal disciplinary action up to and including termination
  • Deliberate falsification of KYC records, suppression of SAR/STR filings, or facilitation of financial crime constitutes gross misconduct and will result in immediate termination and referral to relevant authorities
  • All material compliance breaches are documented, investigated, and reported to the Board

External & Regulatory Consequences

  • AML/CFT violations can result in significant civil and criminal penalties for Crednce as a legal entity, including monetary fines, licence revocation, and reputational damage
  • Individual officers, directors, and MLRO-level personnel may face personal criminal liability for failures of oversight or wilful facilitation
  • Crednce will not indemnify any individual against criminal sanctions arising from their own deliberate or grossly negligent conduct

13

Contact & Reporting

To report a concern about potential money laundering, terrorist financing, or sanctions violations — or to raise a question about this Policy — contact our Compliance team:

Post

Crednce Sphere Ltd.
Compliance & Financial Crime Team
Accra, Ghana

Internal reports of suspicious activity must be escalated to the Compliance team immediately — do not attempt to investigate independently or alert the subject. External compliance enquiries are acknowledged within 5 business days.

Also see our Data Protection Policy and Privacy Policy for how we handle personal information.

© 2026 Crednce Sphere Ltd. — All rights reserved.