ExactFlow p.s.a. Anti-Money Laundering Policy

AML / CFT / Sanctions Compliance — SaaS Platform

Effective Date: 1 April 2026  |  Version 1.0  |  Classification: Internal & Published Policy  (Last updated: 1 April 2026)

Document Type: Anti-Money Laundering (AML) & Counter-Terrorist Financing (CFT) Policy
Applies To: ExactFlow p.s.a., all staff, all Platform Clients, all Marketplace Sellers and Buyers
AML Officer: compliance@exactflow.com
GIIF Reporting: Generalny Inspektor Informacji Finansowej — www.gov.pl/giif
Legal Basis: Polish AML Act (Dz.U. 2018 poz. 723); EU 4AMLD / 5AMLD / 6AMLD; FATF Recommendations
Review Cycle: Annual — or immediately upon material change in regulatory requirements

ExactFlow is an Obligated Institution under the Polish Act of 1 March 2018 on Countering Money Laundering and Terrorist Financing (ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu, Dz.U. 2018 poz. 723). This policy sets out ExactFlow's mandatory AML/CFT obligations and the standards that Sellers and Platform Clients must comply with.

1. Definitions

Term | Definition
Money Laundering (ML) | The process of concealing the origins of illegally obtained money by passing it through a complex sequence of banking transfers or commercial transactions — defined in Article 299 of the Polish Penal Code and Articles 2 of EU Directives 2015/849 and 2018/1673
Terrorist Financing (TF) | The provision or collection of funds, by any means, intended to be used to carry out a terrorist act or to support a terrorist organisation — defined in Article 165a of the Polish Penal Code
Obligated Institution (Instytucja Obowiązana) | An entity required to implement AML/CFT measures under the Polish AML Act — ExactFlow p.s.a. qualifies as an obligated institution as an operator of a payment platform facilitating transactions
Customer Due Diligence (CDD) | The process of verifying the identity of a Client or counterparty and assessing the risk they pose for ML/TF purposes
Enhanced Due Diligence (EDD) | Heightened CDD measures applied to higher-risk clients, transactions, or geographies
Politically Exposed Person (PEP) | A natural person who is or has been entrusted with a prominent public function, including heads of state, senior politicians, senior government officials, senior judicial officials, and senior executives of state-owned enterprises — within the meaning of Article 2(1)(9) of the Polish AML Act
Suspicious Activity Report (SAR) | A report filed with the GIIF (Polish Financial Intelligence Unit) where ExactFlow has knowledge, suspicion, or reasonable grounds to suspect ML or TF activity
Tipping-Off Prohibition | The legal prohibition on disclosing to a suspect or third party that a SAR has been filed or that an ML/TF investigation is underway — Article 54 of the Polish AML Act
Beneficial Owner | The natural person who ultimately owns or controls a legal entity — within the meaning of Article 2(2)(1) of the Polish AML Act
High-Risk Third Country | A country identified by the European Commission as having strategic deficiencies in its AML/CFT regime — listed in Commission Delegated Regulation (EU) 2016/1675 as updated
GIIF | Generalny Inspektor Informacji Finansowej — the Polish Financial Intelligence Unit responsible for receiving and analysing SARs
FATF | Financial Action Task Force — the international standard-setter for AML/CFT policy

3. Risk-Based Approach

3.1 AML Risk Assessment

ExactFlow conducts and maintains a documented, enterprise-wide ML/TF Risk Assessment, reviewed annually and updated whenever material changes in business model, client base, or regulatory environment occur. The Risk Assessment covers:

  • Client risk: business type, sector, jurisdiction, transaction volume, Beneficial Owner identity
  • Product / service risk: payment facilitation, Escrow, cross-border transactions, digital goods
  • Geographic risk: countries of Seller/Buyer registration; shipping destinations; payment origins
  • Channel risk: online-only transactions with no face-to-face verification
  • Transaction risk: high-value transactions; unusual patterns; cash-like payment methods

3.2 Risk Scoring

Each Seller and significant Buyer relationship is assigned an AML risk score at onboarding and reviewed periodically:

Risk Level | Risk Score | Characteristics | CDD Level | Review Frequency
Low | 1–3 | Established EU/EEA business; regulated sector; low transaction volumes; no adverse information | Standard CDD | Annual
Medium | 4–6 | Non-EU business; complex ownership structure; higher transaction volumes; sector with elevated ML risk (luxury goods, art, electronics) | Standard CDD + enhanced monitoring | Every 6 months
High | 7–8 | High-Risk Third Country; PEP involvement; adverse media; complex or opaque ownership; previous SAR filed | Enhanced Due Diligence (EDD) | Quarterly + event-triggered
Prohibited | 9–10 | Sanctions match; confirmed criminal activity; entity in FATF non-cooperative jurisdiction with no EDD mitigation available | Relationship refused or terminated | Immediate — no relationship permitted

4. Customer Due Diligence (CDD)

4.1 Standard CDD — All Sellers

ExactFlow applies Standard CDD to all Sellers at onboarding. CDD must be completed before a Seller is permitted to publish Listings or receive Payouts. Standard CDD requires:

  • Verification of the Seller's legal name, registered address, and legal form
  • Verification of company registration number (KRS, CEIDG, or equivalent) against official registries
  • Identification and verification of all Beneficial Owners holding more than 25% of shares or voting rights
  • Identification and verification of the Account Administrator (the natural person managing the Account) including full name, date of birth, and identity document
  • Verification of VAT/NIP number
  • Screening of the Seller entity, Beneficial Owners, and Account Administrator against: EU Consolidated Sanctions List; UN Security Council lists; OFAC SDN list; Polish national sanctions list; PEP databases
  • Assessment of the Seller's business sector and the ML/TF risk profile of the products to be sold

4.2 Enhanced Due Diligence (EDD)

EDD is applied to Sellers and Buyers who present higher ML/TF risk, including:

  • Sellers established in or shipping to/from High-Risk Third Countries identified by the European Commission
  • Sellers or Buyers where a Beneficial Owner or Account Administrator is identified as a PEP or close associate of a PEP
  • Sellers in high-risk product categories: luxury goods above PLN 10,000 / €2,300 per item; art and antiques; precious metals and gemstones; electronic goods with high resale value
  • Sellers or Buyers with adverse media coverage, prior law enforcement contact, or previous SAR involvement
  • Transactions above EDD thresholds (see Section 4.3)
  • Any case where Standard CDD is insufficient to adequately verify identity or assess risk

EDD measures include: obtaining senior management approval before establishing or continuing the relationship; collecting additional information on the source of funds and source of wealth; conducting enhanced ongoing monitoring of transactions; obtaining board-level authorization for Payouts above defined thresholds.

4.3 Transaction Thresholds Triggering CDD / EDD

Threshold | Action Required
Single transaction PLN 10,000 / €2,300 or above | Mandatory CDD verification of Buyer identity before transaction completion
Aggregate transactions from same Buyer ≥ PLN 10,000 / €2,300 in 30 days | CDD verification of Buyer identity
Seller Payout above PLN 50,000 / €11,500 in single settlement | Enhanced verification of Payout destination; EDD review of Seller if not already EDD-rated
Cross-border transaction to non-EEA country above PLN 25,000 / €5,750 | Enhanced transaction monitoring; EDD if repeated
High-Risk Third Country transaction (any amount) | EDD mandatory regardless of amount
Cash equivalent transaction (gift cards, prepaid instruments) above PLN 1,000 / €230 | Enhanced monitoring; CDD if not already verified

5. Politically Exposed Persons (PEPs)

5.1 PEP Identification

ExactFlow screens all Sellers, Buyers (above CDD thresholds), Beneficial Owners, and Account Administrators against PEP databases at onboarding and on an ongoing basis. A PEP is defined under Article 2(1)(9) of the Polish AML Act and includes:

  • Heads of state, heads of government, ministers, deputy ministers, secretaries of state
  • Members of parliament, members of similar legislative bodies
  • Members of supreme courts, constitutional courts, or other high-level judicial bodies
  • Members of courts of auditors and boards of central banks
  • Ambassadors, chargés d'affaires, and high-ranking officers in the armed forces
  • Members of the administrative, management, or supervisory bodies of state-owned enterprises
  • Directors, deputy directors, members of the board, or equivalent of international organisations

The PEP classification applies for 12 months after a person leaves the public function (Article 37(5) of the Polish AML Act). Close associates and family members of PEPs are treated as PEPs for CDD purposes.

5.2 PEP Risk Management

  • PEPs may not be onboarded without written approval from ExactFlow's Senior Management
  • All PEP relationships are subject to EDD — source of funds and source of wealth must be documented
  • PEP relationships are reviewed quarterly
  • Transactions with PEPs above PLN 10,000 / €2,300 require senior management notification
  • PEP relationships where source of funds cannot be adequately explained are terminated

6. Ongoing Monitoring

AML compliance does not end at onboarding. ExactFlow conducts ongoing monitoring of all Seller and significant Buyer relationships throughout the lifecycle of the relationship.

6.1 Transaction Monitoring

  • Automated real-time transaction monitoring for: rapid succession of transactions from new accounts; transactions just below CDD thresholds (structuring); unusual volume spikes; rapid Payout requests following high-value deposits; transactions to/from high-risk jurisdictions
  • Automated sanctions screening of all transactions against EU, UN, OFAC, and Polish national sanctions lists in real time
  • Daily batch screening of all active Accounts against updated sanctions and PEP databases
  • Human review of all transactions flagged by automated monitoring within 24 hours

6.2 Account-Level Monitoring

  • Annual re-verification of CDD information for all active Sellers
  • Event-triggered re-verification upon: change of Beneficial Owner; change of legal form; change of business activity; adverse media identification; receipt of a law enforcement enquiry
  • Quarterly review of all EDD-rated accounts
  • Monitoring of Payout patterns for: sudden large Payout requests; Payouts to new bank accounts; Payouts to accounts in high-risk jurisdictions; multiple small Payouts aggregating to large sums

7. Suspicious Activity Reporting (SARs)

7.1 When to File a SAR

ExactFlow is required to file a SAR with the GIIF where there is knowledge, suspicion, or reasonable grounds to suspect that a transaction or activity involves the proceeds of crime or is intended to finance terrorism. Indicators of suspicious activity include:

Indicator Category | Examples of Suspicious Indicators
Transaction patterns | Transactions structured just below CDD thresholds (structuring/smurfing); rapid movement of funds with no apparent business purpose; unusual geographic patterns; large cash-equivalent payments
Identity and verification | Reluctance to provide identification; inconsistent information; use of complex corporate structures to obscure Beneficial Ownership; identity documents inconsistent with other information provided
Business activity | Turnover inconsistent with the stated business; products sold do not match business profile; unusual customer base for the product category; transactions inconsistent with the Seller's market position
Payout behaviour | Immediate Payout requests following deposits; Payouts to multiple different bank accounts; Payouts to high-risk jurisdictions; Payout instructions that change frequently
Source of funds | Inability to explain the source of high-value transaction funding; funds originating from high-risk jurisdictions; funds passing through multiple intermediaries
Sanctions and PEPs | Match or close match against sanctions lists; PEP status not disclosed; politically sensitive business relationships

7.2 SAR Filing Procedure

The SAR filing procedure is as follows:

  • Any ExactFlow staff member who identifies a suspicious indicator must report it immediately to the AML Compliance Officer at compliance@exactflow.com
  • The AML Compliance Officer reviews the report and determines whether to file a SAR within 24 hours
  • Where the AML Compliance Officer determines a SAR is required, it is filed with the GIIF electronically through the GIIF reporting system without delay
  • For urgent cases involving imminent terrorist financing risk, the GIIF is notified by telephone immediately, followed by a written report within 24 hours
  • All SAR filings, decisions not to file, and the reasoning thereof are recorded in ExactFlow's confidential AML case management system

7.3 Tipping-Off Prohibition

ExactFlow and all its staff are legally prohibited from disclosing to any person — including the subject of the SAR — that a SAR has been filed or that an ML/TF investigation is underway (Article 54 of the Polish AML Act). Violation of the tipping-off prohibition is a criminal offence. Staff who receive enquiries from Sellers or Buyers about account holds related to AML investigations must respond using only the standard 'account under review' messaging and immediately notify the AML Compliance Officer.

8. Record Keeping

ExactFlow maintains the following AML records in accordance with Article 49 of the Polish AML Act:

Record Type | Retention Period | Storage Method
CDD documentation (identity verification, registration documents, beneficial ownership records) | 5 years from end of business relationship or from date of transaction | Encrypted secure document management system; access restricted to AML team
Transaction records (all transactions subject to AML monitoring) | 5 years from date of transaction | Encrypted database with audit trail; immutable record
SAR filings and supporting analysis | 5 years from date of filing | Confidential AML case management system; access restricted to AML Compliance Officer and Senior Management
AML Risk Assessment (enterprise-wide) | Current version + 5 previous versions retained | Version-controlled document management system
Staff AML training records | Duration of employment + 5 years | HR system
AML monitoring alerts and disposals | 5 years from date of alert | AML case management system with audit trail

9. Sanctions Compliance

9.1 Sanctions Screening

ExactFlow screens all Sellers, Buyers (above thresholds), Beneficial Owners, and Account Administrators against the following sanctions lists in real time at onboarding and on an ongoing basis:

  • EU Consolidated Sanctions List (Council Regulation (EC) 2580/2001; Council Regulation (EU) 2016/1686 and subsequent)
  • United Nations Security Council Consolidated List
  • US OFAC Specially Designated Nationals (SDN) List and Consolidated Sanctions List
  • Polish National Sanctions List (maintained by the Polish Ministry of Finance under the Polish AML Act)
  • UK Office of Financial Sanctions Implementation (OFSI) Consolidated List (post-Brexit equivalence monitoring)

9.2 Sanctions Match Response

Where a potential sanctions match is identified:

  • The transaction or Payout is automatically blocked within seconds of detection
  • The AML Compliance Officer is notified immediately
  • A human review of the match is conducted within 2 hours to confirm or clear the match
  • If the match is confirmed: all assets are frozen; no further transactions are processed; the Polish Ministry of Finance and relevant authorities are notified as required by law; legal advice is obtained before any further action
  • If the match is a false positive: the block is lifted; the false positive is documented; the screening parameters are reviewed

9.3 Asset Freezing

Where ExactFlow identifies that a Seller or Buyer is subject to asset-freezing sanctions, ExactFlow is legally required to freeze all assets held by or for that person immediately and notify the competent authority. ExactFlow does not require a court order to freeze assets where an applicable sanctions regulation requires it.

10. Internal Controls and Governance

10.1 AML Compliance Officer

ExactFlow has appointed a dedicated AML Compliance Officer (AMLCO) with overall responsibility for ExactFlow's AML/CFT programme. The AMLCO reports directly to the ExactFlow Board and has the authority to: reject or terminate client relationships; file SARs; escalate to law enforcement; halt transactions; and impose account restrictions. Contact: compliance@exactflow.com.

10.2 Staff Training

All ExactFlow staff who interact with Sellers, Buyers, or payment transactions complete mandatory AML training covering:

  • Fundamentals of money laundering and terrorist financing
  • ExactFlow's AML obligations as an Obligated Institution
  • How to identify and report suspicious activity
  • The tipping-off prohibition
  • Sanctions compliance and how to respond to a sanctions match

New staff complete AML training within 30 days of joining. All staff complete annual refresher training. Training records are maintained for the duration of employment plus 5 years.

10.3 Independent AML Audit

ExactFlow's AML programme is subject to independent audit at least annually. Audit findings are reported to the Board and any material deficiencies remediated within 90 days. ExactFlow cooperates fully with inspections by the GIIF and other competent authorities.

11. Client and Seller Obligations

Platform Clients and Marketplace Sellers must:

  • Provide accurate, complete, and current information during KYC/KYB verification and update ExactFlow within 5 business days of any material change
  • Disclose all Beneficial Owners holding more than 25% of the entity and any PEP status
  • Not use ExactFlow's Platform for any purpose that constitutes money laundering, terrorist financing, or sanctions evasion
  • Cooperate with ExactFlow's AML monitoring requests, including providing source of funds documentation within 5 business days when requested
  • Immediately report to compliance@exactflow.com any suspicion that a transaction or counterparty on the Platform may be involved in ML/TF activity

ExactFlow reserves the right to suspend accounts, withhold Payouts, and terminate relationships where Clients or Sellers fail to cooperate with AML obligations, provide false information, or where ExactFlow has grounds to suspect ML/TF involvement. ExactFlow will not be liable for any loss arising from such actions taken in good faith compliance with AML obligations.

12. Contact

AML Compliance Officer: compliance@exactflow.com
Legal: legal@exactflow.com
Registered Address: ExactFlow p.s.a., Stanisława Bodycha 87, 05-816 Reguły, Poland
Polish FIU (GIIF): Generalny Inspektor Informacji Finansowej | www.gov.pl/giif
KNF: Komisja Nadzoru Finansowego | www.knf.gov.pl
Ministry of Finance: Ministerstwo Finansów | www.gov.pl/finanse
UODO: Urząd Ochrony Danych Osobowych | www.uodo.gov.pl

This AML Policy complies with: Polish AML Act (Dz.U. 2018 poz. 723); EU 4AMLD (2015/849); EU 5AMLD (2018/843); EU 6AMLD (2018/1673); EU Transfer of Funds Regulation (2023/1113); EU AML Regulation (2024/1624, effective 2027); FATF 40 Recommendations; EU and UN Sanctions Regulations; Polish Penal Code (Art. 299 ML; Art. 165a TF). Annual legal review by a licensed Polish attorney with AML specialisation is mandatory.
