OVERVIEW
KEY REGULATIONS AND GUIDANCE
This document sets forth Rox Pay S.r.l.'s Policy on countering money laundering, terrorism financing and the violation of restrictive measures¹ and applies to Rox Pay S.r.l. and its operations.
Standards are to be considered complementary and applicable since they are not in conflict with the provisions issued by the local Authorities.
RECIPIENTS AND METHODS OF IMPLEMENTATION
The Policy applies to Rox Pay S.r.l.
GENERAL PRINCIPLES
AML-CFT REGULATORY FRAMEWORK
The laundering of proceeds from illegal and criminal activities is one of the most serious forms of crime in the financial markets and is an area of specific interest for organized criminal activities.
Money laundering has a significant negative impact on the entire economy: reinvesting illegal proceeds in legal activities and collusion between individuals or financial institutions and criminal organizations deeply affect market mechanisms, undermine the efficiency and fairness of financial activities and have a weakening effect on the economy. Financing terrorist activities may involve using legally derived proceeds and/or criminally derived proceeds.
The changing nature of money laundering and terrorist financing, also facilitated by the continuous evolution of technology, requires a constant adaptation of the prevention and contrast measures.
The Anti-Money Laundering (AML) and Counter Financing Terrorism (CFT) regulatory framework is based on a comprehensive set of national, EU and international regulatory sources.
At an international level, a key contribution to regulatory harmonization has come from the Financial Action Task Force (FATF), the foremost international body active in the fight against money laundering, terrorist financing and the proliferation of weapons of mass destruction.
1 As defined in the EBA Guidelines (EBA/GL/2024/14): “The Union restrictive measures as referred to in Article 2, point (1) of Directive (EU) 2024/1226 and national restrictive measures adopted by Member States in compliance with their national legal order (to the extent that they apply to financial institutions).”
In fulfilling its responsibilities, the FATF established a set of international standards, the "40 recommendations", to which a further 9 special recommendations were added in 2001 to combat international terrorism financing. The subject was fully revised in February 2012 with the adoption of International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, then summarized in the aforementioned "40 Recommendations".
As part of the fight against the proliferation of weapons of mass destruction, the United Nations prepared a set of measures to combat financing of proliferation programs, including the prohibition to assist or finance any persons involved in such activities.
In implementing the Resolutions adopted in the framework of the United Nations, the European Union issued a set of provisions in order to implement restrictive measures such as the freezing of funds and economic resources of persons or entities involved in developing proliferation-sensitive activities of mass destruction weapons.
The FATF has developed guidelines to implement the financial sanctions adopted by the United Nations.
Specific measures addressing the proliferation of weapons of mass destruction have recently been included in the Recommendations, in accordance with the resolutions of the United Nations Security Council.
EU guidelines on preventing the use of the financial system for money laundering and terrorist financing are contained in EU Directive 2015/849² of the European Parliament and of the Council of 20 May 2015 (Fourth Anti-Money Laundering Directive), as amended by EU Directive 2018/843 (Fifth Anti-Money Laundering Directive), as well as in the Regulations and Guidelines issued from time to time by the EU – European Union and by the EBA – European Banking Authority, respectively.
At a national level, prevention and fight against money laundering and terrorism financing is regulated by the following primary laws:
- Italian Legislative Decree no. 109 of 22 June 2007 and subsequent amendments and supplements which sets forth “Provisions to prevent, counter and repress the financing of terrorism and the activity of Countries that threaten peace and international security”, implementing Directive 2015/849 as modified by EU Directive 2018/843;
- Italian Legislative Decree no. 231 of 21 November 2007, and subsequent amendments and supplements implementing Directive 2015/849/EU, which modifies Directive 2009/138/EC and 2013/36/EU, modified by Directive 2018/843/EU on preventing use of the financial system for the purpose of money laundering and terrorist financing (hereinafter, also the Decree).
2 EU Directive 2024/1640 of the European Parliament and of the Council of 31/05/2024 about the proceedings to be put in place by Member States to prevent the use of the financial system for the purposes of money laundering or terrorist financing, to be transposed by 10 July 2027, amends EU Directive 2019/1937 and abrogates EU Directive 2015/849.
Finally, there is also secondary legislation at national level that was issued by the Bank of Italy and the Financial Information Unit (“FIU”), and it is contained in the following regulatory sources:
- Provision of 26 March 2019 laying down the implementing provisions on organisation, procedures and internal controls aimed at preventing the use of financial intermediaries and other entities for the purposes of money laundering and terrorist financing, as amended by the Bank of Italy Provision of 1 August 2023;
- Provision of 28 March 2019 setting out instructions on objective communications;
- Provision of 30 July 2019 laying down implementing provisions on customer due diligence, as amended by the Bank of Italy Provision of 13 June 2023;
- Provision of 24 March 2020 laying down implementing provisions for storage and availability of documents, data and information regarding anti-money laundering and counter-terrorism financing;
- Provision of 25 August 2020 laying down provisions for submitting aggregated AML reports;
- Provision of 12 May 2023 on anomaly indicators for intermediaries to facilitate the identification of suspicious transactions, effective from 1 January 2024.
Rox Pay S.r.l. (hereinafter “the Company”) implements the above regulations in its internal regulatory documents.
At a general level, the Company has adopted this "Policy on combating money laundering and terrorist financing" (hereinafter the "Policy") as an expression of its commitment to combat the aforementioned criminal phenomena on an international basis, paying particular attention to contrast, in the awareness that the pursuit of profitability and efficiency must be combined with the continuous and effective monitoring of the integrity of corporate structures.
The Policy applied within the Company describes the policy adopted by Rox Pay S.r.l. in accordance with the rules and principles dictated by national and EU regulatory provisions, in compliance with the relevant international standards and is implemented jointly with the internal procedures on Anti-Money Laundering and Counter-Terrorism Financing, the Code of Ethics and internal procedures that implement the local primary and secondary legislation in force specifying processes, roles and responsibilities.
The current Policy was approved by the Company's Board of Directors.
The AML and CFT guidelines are applied by Rox Pay S.r.l. in coherence with applicable laws.
The Company is committed to complying with this regulatory framework as well as any implementing provisions issued by the Bank of Italy on customer due diligence, data and information retention, organization, procedures, controls and enhanced controls against the financing of programs aimed at the proliferation of weapons of mass destruction.
The Company is thoroughly committed to ensuring that operational organization and the control system are complete, adequate, functional and reliable for strategic supervision, and to protecting the Company from tolerance or admixture of forms of illegality that can damage its reputation and affect its stability.
For these reasons, Rox Pay S.r.l. has adopted organisational and behavioural rules and monitoring and control systems aimed at ensuring compliance with current legislation by the administrative and control bodies, staff, collaborators and consultants of the Company. These controls are also consistent with the rules and procedures established by the personal data protection code.
The Company also relies on indicators of anomalies and patterns of irregular behaviours in the economic and financial environment, which are issued over time by the Financial Intelligence Unit (FIU) regarding potential money laundering and terrorist financing activities.
THE REGULATORY FRAMEWORK CONCERNING RESTRICTIVE MEASURES AND EMBARGOES
All the restrictive measures established to counter the financing of terrorism and all the illicit or suspicious activities that threaten international peace and security can be either commercial, such as import/export restrictions from/to a Country, or financial, such as the partial or total blocking of funds transfer but also operational limitations and freezing of funds.
Restrictive measures include international financial sanctions, also referred to as embargoes, implemented by the Italian State, foreign agencies (e.g. OFAC, UKSL) and supranational organizations (UN, EU) through a series of obligations that the Company is required to comply with. Certain restrictive measures (sanctions) are imposed on all the UN Member States by the Council to implement the Resolutions adopted by the UN Security Council under Chapter VII of the UN Charter. Furthermore, sanctions may be adopted, or autonomously decided, by the European Union through Council regulations, which are immediately enforceable in each Member State to ensure their timely and simultaneous application.
On an international level, there are regulations that establish specific prohibitions or restrictions on investing in certain industrial sectors or importing/exporting from/to “high or significant risk Countries”. In particular, this concerns UN Security Council (UNSC) resolutions under Article 41 of Chapter VII of the UN Charter, through which restrictive measures are imposed with regard to persons and/or Countries.
As regards Community legislation, the main provisions are:
- the European Parliament and Council Regulation 2021/821 of 20 May 2021³ and subsequent amendments, by which an EU regime is established in order to control exports, transfer, brokering and transit of dual-use items;
3 which replaced Council Regulation 428/2009/EC of 5 May 2009
- the Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (recast);
- the Regulation (EU) 2024/886 of the European Parliament and of the Council of 13 March 2024 amending Regulations (EU) No 260/2012 and (EU) 2021/1230 and Directives 98/26/EC and (EU) 2015/2366 as regards instant credit transfers in euro;
- the Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673, transposed into Italian law by Legislative Decree 211/2025;
- European Banking Authority Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (EBA/GL/2024/14)⁴;
- European Banking Authority Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures, in accordance with Regulation (EU) 2023/1113 (EBA/GL/2024/15) on information accompanying transfers of funds and certain crypto-assets, and amending Directive (EU) 2015/849⁵.
Finally, at national level, embargoes are regulated as follows:
Primary Legislation:
- Legislative Decree No. 221/2017, which amended and simplified authorization procedures to export dual-use items and technologies and sanctions on trade embargoes as well as all types of export operations of proliferating materials.
Secondary Legislation:
- Bank of Italy Provision of 12 May 2023 containing anomaly indicators for intermediaries in order to facilitate the identification of suspicious transactions.
Finally, all the regulations issued by the US Authorities are relevant to the Company's activity in view of the reputational aspects and the reference to these regulations in contractual undertakings involving the potential application of sanctions with extraterritorial effect (so-called US ‘secondary sanctions’). Such regulatory provisions are contained in the USA Patriot Act⁶ and in the measures relating to economic and trade sanctions issued by the US Government through the Treasury Department's Office of Foreign Assets Control (OFAC).
4 which the Bank of Italy declared its intention to comply with in Note no. 48 of 8 April 2025 and applicable from 30 December 2025.
5 which the Bank of Italy declared its intention to comply with in Note no. 52 of 19 May 2025 and applicable from 30 December 2025.
6 US federal law of October 26, 2001, officially titled “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”.
GROUP MODELS AND METHODOLOGIES
GENERAL ASPECTS
The established national regulatory framework for preventive action against money laundering, terrorist financing and violations of the Restrictive Measures is based on a series of obligations that the recipients are required to respect:
- obligation to adopt appropriate organisational structures, procedures and internal control measures;
- obligation to adopt consistent and coherent procedures for analysis and evaluation of the risks related to money laundering, terrorism financing and violation of the Restrictive Measures as well as to establish supervision, controls and procedures needed to mitigate and manage those risks;
- obligation to perform customer due diligence, through which the Company acquires and verifies information regarding the identity of a customer and any beneficial owner, as well as the purpose and intended nature of the relationship or of the transaction, whilst ensuring the constant monitoring of all transactions undertaken by the customer;
- a risk-based approach, whereby customer due diligence obligations are divided into different degrees of due diligence commensurate with the customer's risk profile;
- obligation to retain documents, data and information in order to allow their timely acquisition, transparency, completeness, inalterability and integrity, and an overall and prompt accessibility;
- obligation to report suspicious transactions;
- obligation to refrain from entering into any new customer relationship, conducting occasional transactions or maintaining an existing customer relationship where due diligence has not been conducted or it is suspected that there may be a link to money laundering or terrorist financing;
- obligation to notify the Ministry of Economy and Finance of the infringements referred to in Articles 49 and 50 of Legislative Decree 231/07, and to comply with the limitations on the use of cash and bearer securities;
- monitoring all transactions with natural and legal persons and/or with Countries included in European Union Council Lists (EU), in the Office of Foreign Assets Control List (OFAC), in the UK Sanctions List (UKSL)⁷, in the Consolidated United Nations Security Council Sanctions List (UN) and in the Provisions issued by the National Authorities containing specific restrictive measures for combating terrorism;
- monitoring transactions entered into with countries considered non-cooperative in matters of tax, financial supervision and anti-money laundering, generally referred to as “tax havens” or “offshore financial centres”;
- adopting appropriate staff training programs to ensure the implementation and proper application of laws and regulations;
- obligation to provide the FIU with “objective communications” in accordance with specific instructions regarding methods and frequency of communications;
7 The OFSI list (Office of Financial Sanctions Implementation HMT) was closed on 28 January 2026; from that date, the UK Sanctions List is the only official source for all UK sanctions designations.
- obligation to disclose any breaches or infringements that may come to the attention of the Control Bodies in carrying out their tasks;
- obligation to adopt procedures to manage internal reporting of violations submitted by employees (Whistleblowing).
With regard to counter-terrorist financing activities, Italian legislation requires the obligated parties to do the following:
- freezing of funds and economic resources of certain persons included in EU lists;
- informing the Financial Intelligence Unit (FIU) of the measures applied for the freezing of funds, or the Special Currency Police Unit of the Guardia di Finanza (Financial Police) in case of economic resources;
- informing the FIU of suspicious transactions, business relationships and any other information available regarding parties included in the blacklists published by the FIU itself;
- reporting suspicious transactions which, on the basis of available information, are either directly or indirectly related to terrorist financing activities.
With regard to international sanctions (so-called Embargoes) and exposure to restrictive measures, legislation requires certain measures to be taken, including but not limited to:
- personal data and transactional controls on operations connected to imports and/or exports carried out by customers, aimed at blocking imports/exports from or to a country, and corresponding regulations. The ban may be either general, involving all types of goods unless specifically authorised, or restricted to certain types of goods, e.g. armaments (refer to customs code);
- total or partial restrictions on financial transfers from/to a Country;
- prior authorization requirement in order to carry out transfers;
- obligation to notify transfers (outgoing or incoming);
- prohibition to fund, provide financial assistance or make subsidised loans available to the Government (directly or in some cases indirectly via affiliated companies or participation in international financial institutions);
- prohibition to finance customers operating with sanctioned countries;
- implementation of restrictive measures against Russian and Belarusian subjects;
- the traceability of controls carried out on operations coming from or directed towards countries, persons and entities subject to restrictions.
CUSTOMER DUE DILIGENCE
General aspects
The Company undertakes all customer due diligence measures when:
- establishing business relations;
- performing occasional transactions, arranged by customers, such as wire transfers or other transactions equal to or above the applicable designated threshold, regardless of whether the transaction is carried out in a single operation or in several related operations or that it consists of a transfer of funds, exceeding the legal limits;
- there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or designated threshold that may apply;
- there are doubts about the completeness, reliability and veracity of the information or documentation previously acquired for the purposes of identifying a Customer.
Due diligence obligations:
- are fulfilled:
- towards new customers before the establishment of an ongoing relationship or the execution of an occasional transaction;
- towards existing customers, whenever due diligence is appropriate in light of a change in the level of money laundering or terrorist financing risk associated with the customer or where there are suspicions or doubts as to the accuracy or adequacy of information previously obtained from the customer;
- and consist of the following activities:
- identifying the Customer, the beneficial owner and the executor and verifying their identity on the basis of documents, data or information obtained from a reliable and independent source;
- obtaining and assessing information on the purpose and intended nature of the business relationship;
- performing continuous monitoring throughout the entire duration of the customer relationship.
To this end, the Company - through its employees and/or through agents/financial advisors authorised to make off-premises offers and who come into direct contact with the Customer - obtains the information required by the regulations and collects any other relevant documentation as specified in this Policy and in the Company's procedural documents.
The Company applies ordinary, simplified or enhanced customer due diligence measures according to the risk-based approach applied to customers.
Customer remote onboarding
In cases where the Company uses remote identification methods as permitted by Legislative Decree no. 231/07, Article 19(1)(a)(2) and (5), it adopts special procedures for carrying out its due diligence obligations, also in view of the risk of fraud associated with identity theft. In this case, identification is based on the acquisition of the qualified electronic signature certificate, which is generated after an identification process carried out through:
- the use of the Public Digital Identity System (SPID) or Electronic Identity Card;
- by means of secure and regulated electronic identification techniques and procedures that are authorised or recognised by the Agency for Digital Italy.
In all cases, the remote identification process involves collecting the customer’s and any executor’s identification data in electronic format, as well as performing verifications and checks on the authenticity of the data, in addition to those provided for in-person identification, according to a risk-based approach, including through telephone contact on a certified number (welcome call) or a money transfer carried out by the customer via a banking and financial intermediary based in Italy.
With a view to limiting exposure to potential money laundering and/or fraud risks, it is not permitted to establish remote banking relationships with legal entities or natural persons acting on behalf of a legal entity, unless they have been identified in-person (face-to-face).
The establishment of remote banking relationships with customers who are not resident in Italy is not permitted.
Pre-Implementation Assessment and ongoing monitoring of processes for opening remote relationships.
The processes of remote customer identification and onboarding are formalized and detailed in the internal regulations. The model for overseeing these processes includes:
- the preliminary assessment of the remote onboarding solution (so-called Pre-Implementation Assessment⁸) aimed at:
- assessing the adequacy of the solution in terms of the completeness and accuracy of the data and documents to be collected, as well as the reliability and independence of the information sources used;
- assessing the impact of the use of the solution on business risks including operational, reputational and legal risks through the involvement of the relevant technical and specialist functions;
- identifying mitigation measures and corrective actions for each identified risk;
- defining ex ante tests to assess ICT and fraud risks and end-to-end tests on the operation of the solution.
- ongoing monitoring of the onboarding solution adopted through periodic and event-driven controls to ensure its proper functioning over time (so-called Ongoing Monitoring).
- the review of the preliminary assessment of the remote onboarding solution (so-called Pre-Implementation Assessment) when structural changes in the solution adopted or certain events occur such as:
- changes in the exposure to risks in the areas of anti-money laundering and countering the financing of terrorism, as well as embargoes;
- shortcomings detected in the functioning of the solution;
- an increase in attempted fraud;
- changes in legislation.
Simplified due diligence obligations
Generally, the Company uses a risk-based approach to identify the types of customers to whom simplified due diligence measures may be applied. This includes cases where “low risk indicators” are present, as indicated in Annex 1 of the Bank of Italy’s Provision on customer due diligence of 30 July 2019 (hereinafter “The Provision”).
8 Note No. 32 of 13 June 2023 through which the Bank of Italy declared its intention to comply with the EBA Guidelines (EBA/GL/2022/15) on the use of remote customer onboarding solutions.
The relevant “low risk indicators” in order to apply a simplified due diligence procedure are based on the type of customer, executor or beneficial owner, the geographical area of residence or in which the head office is established, and the specific product, service or distribution channel.
In detail, the types of customers considered to be at low money laundering risk, to which the simplified due diligence may apply, include:
- Public Administrations, Institutions or Bodies performing public functions, in accordance with the law of the European Union;
- Companies listed on a regulated market and subject to disclosure requirements, including ensuring adequate transparency of ultimate beneficial ownership;
- the European Community credit and financial institutions listed in Article 3 (2) of the Anti-Money Laundering Decree, except for those at letters i), o), s), v)⁹, and the credit and financial institutions residing in Member States or third countries with effective money laundering and terrorist financing systems;
- Customers, executors or beneficial owners residing or established in geographical areas with a low money laundering risk.
The Company does not apply simplified customer due diligence measures when:
- doubts, uncertainties or inconsistencies arise regarding the identifying data and information gathered during identification of the customer, executor or beneficial owner;
- the conditions for simplified customer due diligence are no longer met based on the risk indicators provided for by the anti-money laundering decree and relevant secondary regulation;
- monitoring of overall operations carried out by the customer and the information gathered throughout the relationship exclude a low risk type;
- a suspicion of money laundering or terrorist financing nevertheless arises.
The Anti-Money Laundering Function has exclusive responsibility over the evaluation and authorization of simplified customer due diligence measures, carried out by following all the steps required for the ordinary customer due diligence process - including the obligation to identify and verify the identity of the customer, the executor and the Beneficial Owner, and acquire all data and documents necessary for their complete registration (e.g., name, legal status, registered office, and, where applicable, tax code) - albeit reducing their level of depth, scope, and frequency.
Enhanced due diligence obligations
The Company applies enhanced customer due diligence measures in the presence of customers or situations with a higher risk of money laundering or terrorist financing and in all cases referred to in Article 24 of the Decree. These enhanced measures include, inter alia, the involvement of roles of responsibility commensurate with the level of risk identified in relation to the customer.
9 i) stockbrokers referred to in Article 201 of the TUF; o) insurance intermediaries referred to in Article 109, paragraph 2, letters a), b), and d), of the CAP, operating in the branches of activity referred to in Article 2, paragraph 1, of the CAP; s) trust companies registered in the register established pursuant to Article 106 of the TUB; v) financial advisors referred to in Article 18-bis of the TUF and financial consultancy firms referred to in Article 18-ter of the TUF.
Regarding private banking clients, the Company assesses the specific risk factors inherent to the nature of their business and applies enhanced due diligence measures based on the overall information available, and the assessments carried out.
The involvement of the Anti-Money Laundering Function is required in the following cases:
- natural and legal persons included in the lists of persons or entities subject to fund-freezing measures under European regulations or decrees pursuant to Legislative Decree 109/07, as well as those closely associated with them;
- a cross-border correspondent banking relationship established with a bank or an institution located in a third country, based on geographic high-risk factors (as reported in Annex 2 of Bank of Italy’s provisions on Customer Due Diligence);
- relationships or transactions in which the customer or ultimate beneficial owner is a politically exposed person¹⁰;
- situations involving risk elements that require the application of specific confidentiality measures;
- situations with a higher risk of money laundering or terrorist financing due to objective, environmental or subjective contingencies;
- customers classified as a “Trust”, Money Transfer services and Virtual Currency Exchanges;
- trust Companies, except as provided in paragraph 3.4.
Moreover, before entering into, continuing or maintaining an ongoing relationship with Politically Exposed Persons or Correspondent Entities of third countries, it is necessary to obtain the appropriate authorisation from the General Manager or his delegate, after obtaining the opinion of the Anti-Money Laundering Function. In the case of delegates pursuant to Article 25 of Legislative Decree 231/07 belonging to the Anti-Money Laundering Function, this authorisation is included in the enhanced due diligence process.
In all other cases, the application of enhanced measures is commensurate with the level of risk attributed to the customer. If the risk is considered medium/high, or if certain risk factors are present regardless of the score assigned, the involvement of the Head of the business unit responsible for the commercial management of the customer is required.
Examples of such cases are:
- legal entity customers with an Executor identified as a PEP or indirect PEP, regardless of the risk profile;
- services offered through networks of financial agents, financial advisers, contractors and agents;
- customers classified as Foundation/Non-profit organizations;
- legal entity customers during the onboarding phase;
- customers with negative news during the onboarding phase ("Adverse news");
10 Politically Exposed Persons (PEPs): as listed by art. 1, paragraph 2, letter dd) Legislative Decree 231/07.
- customers residing or based in high-risk third countries or in the case of ongoing relationships, professional services and operations involving high risk countries;
- companies that have issued bearer shares or that have a company issuing bearer shares within their control chain structure;
- relationships or transactions in which the customer and the ultimate beneficial owner hold a public office other than those listed for politically exposed persons¹¹;
- companies owned by Trusts, Trust companies, Foundations, joint-stock companies through multiple levels of participation or cross holdings;
- customers engaged in a type of economic activity that is particularly exposed to the risk of money laundering or in “controversial” sectors of activity¹² or cash-intensive commercial activities, such as cash-for-gold, money exchange, gambling/betting, including on-line, arms industry, mining, waste collection and disposal, renewable energy production, companies operating in the crypto-asset sector, construction, procurement of pharmaceutical instruments;
- customers participating in public contracts or receiving public financing (health care, construction, waste collection and disposal, production of renewable energy, mining, supply of pharmaceutical instruments);
- in cases of customers who have acquired citizenship of a Member State or obtained residence rights in a Member State (EU) through a citizenship by investment programme or a residence by investment programme;
- in cases of customer legal entities resident in an EU country, where the company's ownership rights are held - directly or indirectly - for more than 40% by a legal entity, organization or body established in Russia, or by a natural person with Russian residence or citizenship.
The involvement of the Head of the business unit responsible for the commercial management of the customer is also required in the event of any IT errors that might prevent the real-time calculation of the customer’s money laundering risk.
Enhanced due diligence measures include acquiring additional information on the customer, the executor and the beneficial owner, investigating the purpose and nature of the relationship and increasing the frequency of procedures aimed at ensuring continuous monitoring during the ongoing relationship.
In full compliance with current legislation and with the provisions of the internal procedures on Anti-Money Laundering and Counter-Terrorist Financing and in line with the Company's Code of Ethics, the Company does not support transactions with customers operating in controversial sectors that (i) are not compliant with current national legislation and (ii) are not, where applicable, authorised in advance by the competent Italian national authorities, in particular:
- the production, transit and/or marketing of armament materials;
- the production and sale of light marijuana, adult entertainment venues;
- cash-intensive commercial activities other than those listed above, such as non-regulated charities and NGOs, the production of precious metals and stones, money remittances.
11 Public office other than those held by Politically Exposed Persons (PEPs) as referred to in note 1), applying to all those holding office in, but not limited to, public bodies, consortia, associations of a public nature as listed at section A 8) of Annex 2 of the Provision.
12 An economic sector is "controversial" if the goods / services manufactured / offered and / or the ways in which they are produced / offered are in contrast with the widely shared values of ethics and sustainability, even when services or activities are lawful and therefore not in contrast with legal obligations.
Furthermore, the Company pays particular attention to compliance with restrictive measures put in place by the Italian State, foreign bodies (e.g. OFAC, UKSL) and/or supranational bodies (UN, EU). These measures may be of a commercial nature (e.g., blocking of imports/exports) or of a financial nature, such as partial/total blocking of money transfers from or to a specific country or limitations on operations and/or freezing of funds held with financial intermediaries.
In order to comply with the obligations set out in Italian Legislative Decree 109/07 - aimed at preventing and combating the financing of terrorism and the activities of Countries threatening international peace and security, through the application of restrictive measures to "freeze" funds and economic resources held by natural and legal persons, groups and entities specifically identified by the United Nations and the European Union ("designated subjects") - and the enhanced due diligence obligations set out in Italian Legislative Decree 231/07, the Company has adopted automatic control procedures. These procedures are capable of verifying the consistency between customer identification data obtained through the due diligence process and that contained in the lists produced by the EU and other international institutions and bodies, such as:
- individuals that are entrusted with a prominent public office or have ceased to hold office for less than a year (PEP), their family members and those having close ties with them according to the definition of art. 1 c. 2 letter dd of Legislative Decree 231/07 (resident and non-resident PEPs);
- individuals residing in Italy who hold public office, that do not fall within the definition of PEPs, but are nevertheless exposed to a significant risk of corruption and money laundering;
- natural and legal persons operating, even partially, in States which do not impose equivalent measures and regulations, according to the guidelines of the Bank of Italy or other national or supranational institutions engaged in the prevention of crime;
- natural and legal persons subject to embargo measures or freezing of funds/economic resources and financial assets (Sanction Lists UN, EU, UKSL, OFAC).
CUSTOMER PROFILING
The Company adopts suitable procedures aimed at defining the money laundering and terrorist financing risk profile (RPs) attributable to each customer, based on the information acquired and analyses carried out, with reference both to the assessment elements indicated in the Provision and to further elements that may be adopted by the Company itself over time (so-called profiling).
On the basis of customer profiling, which is also conducted periodically, the Company applies standard or enhanced measures, which include the involvement of roles of responsibility commensurate with the customer’s identified risk level. The prior opinion of the Anti-Money Laundering Function is required in accordance with the responsibilities set out in the internal document "Internal Anti-Money Laundering and Counter-Terrorism Financing Procedures”.
Classification of customers for simplified due diligence is authorized by the Anti-Money Laundering Function, at the request of the Head of the Operational Business Unit.
In such a case the scope and frequency of the requirements are reduced, with verification expiring after 8 years regardless of the risk score, unless conditions for applying simplified due diligence are no longer met.
Furthermore, the Company has put in place an IT procedure to assess the customer's risk profile and to consistently define a re-evaluation time frame appropriate to the risk level calculated; the re-evaluation frequency depends on the process identified in the last assessment carried out or, in the absence of a KYC questionnaire, on the customer's risk profile, as specified below:
(*) provided should the risk score calculated or resulting from the KYC performed be at least medium.
(**) provided even in the presence of defined risk elements that keep the risk profile below medium.
(***) provided even in the presence of Legal Entities with RP >39, if they carry out commercial activities related to gold purchasing, gaming and betting and waste collection and disposal (high-risk ATECO codes) and/or if they are subject to audits/investigations.
TOOLS TO SUPPORT DUE DILIGENCE
The Company has implemented technologically advanced tools to support anti-money laundering processes, alongside the traditional applications already in use:
- Robotic Process Automation (RPA) applied to data collection activities in the areas of customer due diligence and reporting of suspicious transactions;
- Artificial Intelligence Engine, based on statistical components and predictive indicators (Predict Index AML, Reputational Index and Criminal Infiltration Index) built with Data Analytics techniques, applied to the regular customer review process;
- Cogito intelligence platform, an application used for collecting news, documents, and textual information to search for adverse news regarding customers subject to due diligence;
- Rozes, a data intelligence tool which, by analyzing financial statements in real time, enables the identification of companies whose balance sheet and financial indicators are similar to those found in companies subject to criminal infiltration.
Moreover, within the scope of the advanced tools mentioned above, certain "trigger events" have been identified, aimed at intercepting events regarding the customer and/or related relationships, determining a variation in the expiry date of the "Customer Evaluation - KYC", e.g.:
- in the event of changes in the registry data of the beneficial owner and legal representative;
- in the event of a change in the Risk Profile due to the presence of certain high-risk factors among those envisaged by the Provision;
- in the event of a beneficial owner assuming the role of PEP, or the registration of a new PEP beneficial owner;
- in the event of a delegation on a natural person customer's relationship being given to a person classified as a PEP;
- in the event of a discrepancy between the beneficial owner registered in the registry and the evidence gathered from Chamber of Commerce extracts;
- in the event of second-level controls by the AML Function.
The responsibility for a customer’s due diligence process rests with the customer’s relationship management unit, which typically handles the establishment of new ongoing relationships, executes any occasional transactions, periodically re-evaluates existing customers, and ensures ongoing monitoring of the customer relationship.
OBLIGATIONS FOR ABSTAINING
The Company refrains from establishing, executing or continuing the relationship, operations and professional services (so-called abstention obligation) in the event of an objective impossibility to carry out customer due diligence, assessing whether to report a suspicious transaction to the FIU.
In cases where abstention is not possible, as there is a legal obligation to execute an operation which cannot be postponed or as declining it could hinder the investigation, the Company is nonetheless obliged to report the suspicious transaction immediately.
Moreover, if after further evaluation or downstream of the enhanced due diligence process, elements of high risk emerge which could affect the legal and/or reputational profile of the Company, the Company reserves the right to limit or terminate the business relationship with the customer. These limitations may concern, for example, customer access to certain types of products or result in the interruption of services offered by the Company in connection with the account/relationship.
The customer due diligence measures adopted by the Company do not, however, preclude/deny access to financial services for customers or entire categories of high-risk customers who would be entitled to them under current legislation, except in the cases expressly provided for by Legislative Decree 231/07, regarding prohibition to maintain relationships with certain types of entities.
The Company does not enter into a correspondent relationship with a shell bank and refrains from entering into relationships with entities which allow access to correspondent relationships to a shell bank. It shall not enter into a business relationship with entities whose ownership structure (corporate, fiscal and financial) is characterized by a high degree of opacity which prevents the clear identification of the beneficial owner or the nature and purpose of the structure.
To this end, the Company takes all measures to ensure that it does not deliberately and knowingly collaborate with financial institutions that in turn operate with shell banks.
In addition, the Company refrains from entering into or continuing a business relationship with persons particularly exposed to the risk of money-laundering/terrorist financing, such as:
- Trust companies having their registered office in a country indicated by the FATF as being at higher money laundering risk or that do not adopt measures consistent with the obligations imposed by Legislative Decree 231/07 or European Directives;
- Trusts for which appropriate, accurate and updated information on the beneficial ownership of the trust and its nature and purpose is not available;
- Betting companies, including on-line gambling, casinos and Bingo operators for which authorisation and/or licenses required under Italian and international legislation have not been issued and/or verified;
- Affiliated entities and agents of payment service providers (referred to in the definition of art.1 c. 2 letter nn) and electronic money institutions that do not comply with the provisions of Chapter V of Legislative Decree 231/07 in Articles 43 et seq.;
- Private limited companies or companies controlled through bearer shares, headquartered in high-risk Countries;
- Customers operating in the production and sale of light marijuana or adult entertainment venues, if the Company is unable to verify the authorisations required by law.
The Company uses all the information acquired during the due diligence process regarding its customers and their transactions to determine whether a transaction or business relationship is, directly or indirectly, linked to persons or entities involved in money laundering, terrorist financing or in the development of weapons of mass destruction, and in no way supports transactions involving weapons that are controversial and/or banned by international treaties, e.g. nuclear, biological and chemical weapons, cluster bombs, weapons containing depleted uranium, anti-personnel landmines.
With regard to the production, transit and/or marketing of armament materials other than those mentioned above, the Company may support transactions that have been duly authorised by the competent authorities and are compliant with applicable and current legislation.
REPORTING OF SUSPICIOUS TRANSACTIONS
Whenever the Company suspects or has reasonable grounds for suspecting that a money laundering or terrorist financing operation has been or is being conducted or attempted:
- it submits a suspicious transaction report to the Financial Intelligence Unit (FIU), if the transaction is based in Italy;
- if the transaction is based in another Country, it complies with the provisions of local legislation and, where the latter provides for the application of measures that are equivalent to those laid down by EU Law, it promptly informs the Head of Anti-Money Laundering, taking all the necessary precautions to protect the identity of the persons reporting the suspicious transaction.
The Company has put in place procedures and processes to monitor, identify and report suspicious activities in accordance with the timing and methods required by applicable Law.
Employees promptly report any knowledge or suspicion of money laundering, terrorist financing or other criminal activities, or proceeds from criminal activities, regardless of their size, in accordance with the updated organizational model and operating modes provided in reference internal regulation. Until the reporting process is complete, the Company refrains from executing the transaction, unless that is impossible as there is a legal obligation to accept the deed or the execution of the operation cannot be postponed due to the normal conduct of business or where it might obstruct investigations. In these cases, the report is submitted immediately after the transaction has been executed.
Grounds for suspicion include the characteristics, scale and nature of the transaction, the attempt to split the transaction and any other circumstance which comes to the employees’ knowledge as a result of their duties, also taking into account the financial scope and nature of the business carried out by the subject of the suspicious transaction, based on the elements acquired pursuant to anti-money laundering legislation (e.g. during due diligence).
To limit the Company’s risk of involvement – even if unintentional – in the illegal activities mentioned above, an enhanced due diligence process is activated in fund transfer arrangements where the players involved in this type of transaction (originator, beneficiary, the banks involved in the fund transfer) may lead to the suspicion of money laundering, terrorist financing or violations of applicable international restrictions on certain goods, persons or entities.
Downstream of the reporting process, the Company may limit and/or interrupt the business relationship with customers, in particular where said relationship may constitute a significant legal or reputational risk for Rox Pay S.r.l.
DATA RETENTION
The Company retains all documents and records all data obtained through the customer due diligence process, ensuring the traceability of customer transactions to facilitate the Bank of Italy’s and the FIU’s control functions, including inspections.
To this end, Rox Pay S.r.l., as a financial intermediary based in Italy, set up a Single Electronic Archive (Archivio Unico Informatico or AUI) that enables it to provide information to the Bank of Italy and the FIU according to the technical standards specified in Annex 2 of the Provisions on data retention. This archive electronically stores all identification data and other information related to ongoing business relationships and customer transactions as required by applicable Law.
In this regard, in response to the recent updates introduced by the “Provisions on Data Retention and Access to Documents, Data and Information” and the “Provisions on Aggregate Data Transmission”, the Company has decided to adopt certain principles for exemption from registration obligations as expressly provided. In particular, data and information regarding transactions arranged by banking and financial intermediaries, which fall under the cases specified in Article 8 of the Provisions on Data Retention and Article 3 of the Provisions on Aggregate Data are not recorded in the Single Electronic Archive.
Regarding customer due diligence requirements, the Company retains copies or records of all documents required for a period of ten years after the business relationship has ended.
As for transactions and ongoing business relationships, all supporting evidence and records, e.g., original documents or copies admissible in court proceedings, are kept for a period of ten years after the execution of the transaction or after the business relationship has ended.
PREVENTION REGARDING RESTRICTIVE MEASURES
Given the nature, size, and complexity of its business, as well as the range and type of services provided, the Company is exposed to the risk of violating restrictive measures.
In order to maintain an organizational and procedural system aimed at ensuring compliance with EU and national international restrictive measures, the risk of breaches of restrictive measures is assessed by the Anti-Money Laundering Function on the basis of geographical, customer, products/services and distribution channel factors. Constant monitoring of system effectiveness is ensured, also through the periodic performance of a self-assessment exercise, which allows the identification of any corrective actions in response to the detection of existing critical issues and/or the adoption of suitable risk prevention and mitigation measures.
The Company has established procedures and processes to monitor, identify, and report activities that violate restrictive measures, with timings and methods consistent with legal requirements.
The existing controls on individuals/entities and transactions are carried out through an automated screening process, which is performed both daily and during the onboarding phase, by using specific lists – updated twice a day - concerning customers, counterparties, countries and transactions.
Processes are in place to monitor incoming or outgoing flows with countries and/or entities subject to international financial sanctions, with responsibilities defined among the competent departments.
The Company ensures that staff are adequately trained and made aware of the policies, procedures, and controls in order to comply with restrictive measures.
LIST OF KEY PROCESSES
MONEY-LAUNDERING AND TERRORIST FINANCING RISK MANAGEMENT
The “Money-Laundering and Terrorism Financing Risk Management” process is the process by which the following activities are carried out within the Company in order to mitigate the risk of non-compliance with anti-money laundering and counter-terrorism financing requirements:
- Identifying the risk of non-compliance with AML-CFT requirements through continuous supervision of changes in legislation and the assessment of impacts on business processes and procedures as well as AML-CFT risk identification and assessment using a risk-based approach;
- Management and mitigation of money laundering and terrorism financing risk by implementing and monitoring non-compliance risk mitigation actions set out in the Annual Plan (AML Plan) or identified by the Governance of the Company as applied by all relevant business functions in the implementation of procedures (internal regulations, IT applications, operational processes, controls);
- Compliance checks (ex-ante and ex-post) in the regulatory areas assigned by ownership by defining and monitoring risk indicators and their evolution over time. The aim is to find possible non-compliance situations as well as to carry out the ex-ante and ex-post control activities;
- Providing advice and support on AML/CFT issues, participating in cross-functional working teams and providing support either to business structures or to the Top Management Bodies in business issues and processes where the risk of money laundering and terrorist financing is relevant, by carrying out the fulfilments foreseen by the supervisory regulations and performing a preliminary conformity assessment in this area when offering new products/services;
- AML/CFT risk monitoring and control by analysing the information flows received from Level I and other control functions related to operational anti-money laundering requirements and by implementing risk monitoring controls and constantly verifying their adequacy;
- Conducting AML self-assessment by carrying out preliminary activities necessary to complete the so called “System” and “Operational” Questionnaires as well as to determine the residual risk;
- Reporting to Top Corporate Bodies and Supervisory Authorities, more specifically preparing to report annually to the Corporate Bodies and the Supervisory Board as well as preparing to report periodically on the activities performed and any specific requests from the Supervisory Authorities;
- Providing specific AML/CFT training courses by organizing an adequate training plan together with the other corporate functions responsible for training. The aim is to achieve a continuous training of employees and collaborators.
The Company's specific rules and responsibilities regarding this process are detailed in the internal document, "Internal Anti-Money Laundering and Counter-Terrorism Financing Procedures”.
MANAGEMENT OF RELATIONS WITH SUPERVISORY AUTHORITIES TO COMBAT MONEY LAUNDERING AND TERRORISM FINANCING
The AML/CFT Regulatory Relationship Management process is the process by which activities are carried out within the Company to manage, analyse, direct and monitor all communications with regulators on matters related to anti-money laundering and counter terrorism financing. The objective is to oversee these activities, including the archiving of documents in a single repository.
The following activities are carried out as part of this process:
- Management of relations with Supervisory Authorities (Anti-Money Laundering), managing, analysing and addressing communications and requests from Supervisory Authorities regarding conformity in the field;
- Management of Supervisory anti-money laundering reports, by preparing the flow and sending of Supervisory anti-money laundering reports;
- Handling of administrative procedures related to anti-money laundering through the examination of counterclaims relating to administrative proceedings notified to the Company by the competent authorities (GdF and FIU) as well as representing the Company before the MEF, by being responsible for the proceedings census in the related application and for allocation to the Provision for Risks and Charges and possible sanctions payments, in coordination with the Budget Function.
The Company's specific rules and responsibilities regarding this process are detailed in the internal document, "Internal Anti-Money Laundering and Counter-Terrorism Financing Procedures”.
MANAGEMENT OF OPERATIONAL REQUIREMENTS TO COMBAT MONEY LAUNDERING AND TERRORISM FINANCING
The AML/CFT Operational Requirements Management process is the process by which the following activities are carried out within the Company in order to comply with regulatory requirements:
- limiting the use of cash and bearer securities, by carrying out regulation requirements concerning limitations to the use of cash and bearer bonds/securities;
- managing adequate customer due diligence obligations, by executing the activities of customer due diligence (or enhanced due diligence) in the cases established by the Italian Law (Legislative Decree 231/07 and subsequent amendments) depending on the customers’ risk profile, supporting the Company’s Network in fulfilling the obligations required by current laws and regulations, and providing support to the Company's structures managing relationships with customers and banking and financial counterparties in order to enable the establishment and maintenance of relationships;
- managing suspicious transactions reporting obligations, by carrying out the activities of reporting of suspicious transactions by executing the delegations of authority of the Board of Directors (ex art. 36 Legislative Decree 231/07) and monitoring requests received from the FIU;
- managing obligations regarding counter terrorism financing, by defining the screening methodology aimed at ensuring the implementation of Union and national restrictive measures, verifying the transposition of Sanction List updates as well as reporting to the competent Authorities (national and supervisory) about restrictive measures (FIU, MAECI and MEF) on capital freezing measures (ex-Legislative Decree 109/07) and carrying out the necessary operating requirements;
- managing data retention obligations, by verifying the reliability of the Information System by updating the Archivio Unico Informatico (AUI), making any revisions, periodically sending aggregated data to the FIU and transmitting to the FIU and Bank of Italy the notifications required by regulations;
- monitoring the proper implementation of international financial sanctions (financial embargoes);
- continuous monitoring of customers at highest risk of money laundering and terrorist financing, monitoring requests for further investigation of customers who potentially expose the Company to high money laundering risks, activating, where necessary, the process of assessing suspicious transactions and the process of screening customers who potentially expose the Company to high money laundering risks.
The Company's specific rules and responsibilities regarding this process are detailed in the internal document, "Internal Anti-Money Laundering and Counter-Terrorism Financing Procedures”.
ORGANIZATIONAL FRAMEWORKS AND CONTROL BODIES
To effectively manage the risk of money laundering and terrorist financing, as well as violation of the Restrictive Measures, the Company has identified the organisational functions, resources and procedures that are consistent with and proportionate to the type and size of activity carried out, the organisational complexity as well as the operational characteristics.
The monitoring of risks relating to money laundering and terrorist financing is ensured:
- by Rox Pay S.r.l.'s Anti-Money Laundering Function, whose responsibility is assigned to the Head of the AML Function, who reports directly to the Chief Executive Officer;
- by the Member of the management body responsible for Anti-Money Laundering, with responsibility given to the CEO, who is the main point of contact between the Head of the Anti-Money Laundering Function and the Board of Directors and ensures the Board has the necessary information to fully understand the relevance of the money laundering risks to which Rox Pay S.r.l. is exposed.
The monitoring of risks related to the violation of Restrictive Measures:
- is ensured by the Senior Staff Member responsible for Restrictive Measures, whose responsibility is assigned to the Head of the AML Department, who supervises the adequacy and effectiveness of policies, internal procedures and controls relating to the management of Restrictive Measures, sanctions, and embargoes. The Senior Staff Member proposes, in collaboration with the relevant company functions, organizational and procedural changes necessary and/or appropriate to ensure adequate monitoring of the risk of violation of restrictive measures, sanctions and embargoes.
In accordance with current regulations, the Company has established its organizational structure and corporate governance so as to protect the interests of the Company while, at the same time, ensuring sound and prudent management and to avoid the risk - even if unintentional - of any direct involvement in acts of money laundering and/or terrorist financing.
To that end, in accordance with the Internal Control System adopted by the Company, the Board of Directors and Statutory Auditors are involved in mitigating the above risks through clearly defined tasks and responsibilities.
In addition, the Company has established a centralised unit for the management of the internal violations reporting system, with the responsibility of supervising the activities of receiving, analysing and evaluating alerts forwarded by employees via the Whistleblowing procedure.
REVISION AND UPDATE OF THE POLICY
The Anti-Money Laundering Function reviews the policy at least annually, updates it if and where necessary and prepares the text for approval by the Board of Directors on the proposal of the Chief Executive Officer.
Any amendments to the Policy approved by the Board of Directors of Rox Pay S.r.l. are subsequently implemented across the Company by resolution of the senior management, aligning responsibilities, processes and internal rules.
Download the full AML Policy
Signed full-text PDF version including all footnotes and regulatory references.
Contacts for AML enquiries
For any question regarding this Policy, or to submit a report:
AML Function: compliance@roxpay.eu