Effective date: May 5, 2023

Pay.so Core provides a fintech service that facilitates crypto-to-fiat payments, where the sender sends cryptocurrencies (‘Inbound Payment’) and the recipient receives fiat currency (‘Outbound Payment’). As part of our commitment to regulatory compliance and risk mitigation, we have implemented a comprehensive risk assessment and management policy. This document outlines the risks associated with our service and provides details on how we assess and review these risks on an ongoing basis. Additionally, it identifies the key individuals responsible for overseeing risk management efforts.

  1. Risk Assessment

Performing third-party crypto-to-fiat payments exposes the company to financial and regulatory risks. The top three identified risks are detailed below:

1.1. Abuse of the platform for the purposes of Money Laundering and Terrorist Financing

a) Customers are determined to be legitimate but utilise the platform for the conversion of illicit funds into legitimate funds.

b) Customers are determined to be legitimate but utilise the platform to funnel funds to terrorist groups or other illegal activity.

c) Bad actors seize control of a legitimate customer account to perform the above functions in the name of the legitimate customer.

1.2. Handling of customer funds

a) Pay.so loses a customer’s Inbound Payment funds through technical negligence or internal corruption, thus becoming liable for their return from its own balance sheet.

b) Pay.so sends an Outbound Payment to the wrong recipient, thus becoming liable for its recovery or rectification off its own balance sheet.

1.3.

2.2. Customer Risk Factors

To assess the risks mentioned above, we consider various customer risk factors, including but not limited to:

a) Identification and verification processes to ensure the legitimacy of customers.

b) Geographical factors and jurisdictions with higher risk profiles.

c) Transaction volumes and patterns that may indicate suspicious activities.

d) Politically exposed persons (PEPs) or high-risk individuals/entities.

  3. Risk Assessment Process

3.1. Initial Risk Assessment

When onboarding new customers, we conduct a comprehensive risk assessment to determine their level of risk based on the factors mentioned in Section 2.2. We employ various tools and techniques to evaluate the risk associated with each customer, which may include Know Your Customer (KYC) procedures, customer due diligence (CDD), and screening against sanctions lists.

3.2. Ongoing Risk Monitoring

We have established systems and procedures to monitor customer activity continuously. This includes monitoring transaction patterns, conducting periodic reviews, and implementing robust fraud detection and monitoring mechanisms. Any suspicious or high-risk activities are flagged for further investigation and appropriate action.

3.3. Enhanced Due Diligence (EDD)

For customers identified as higher risk during the initial risk assessment or ongoing monitoring, we conduct enhanced due diligence. EDD involves gathering additional information about the customer's source of funds, business activities, and transaction purposes to further mitigate risks.

  4. Risk Review and Mitigation

4.1. Regular Risk Reviews

We conduct regular risk reviews to evaluate the effectiveness of our risk management measures and to identify any emerging risks or vulnerabilities. These reviews are conducted by the risk management team or designated individuals responsible for risk oversight.

4.2. Risk Mitigation Measures

To mitigate the risks associated with our service, we have implemented the following measures:

a) Strong KYC and CDD procedures to ensure the identification and verification of customers.

b) Monitoring tools and systems to detect suspicious activities and patterns.

c) Employee training programs to enhance awareness and understanding of money laundering and terrorist financing risks.

d) Collaboration with regulatory authorities and compliance with applicable laws and regulations.

e) Regular internal and external audits to assess the effectiveness of our risk management efforts.

  5. Responsibility and Accountability

5.1. Chief Risk Officer (CRO)

The CRO or equivalent role is responsible for overseeing the risk management activities related to our crypto-to-fiat payment service. This includes conducting risk assessments, implementing risk mitigation measures, and ensuring ongoing compliance with regulatory requirements.

5.2. Compliance Officer

The Compliance Officer is responsible for ensuring adherence to anti-money laundering (AML) and counter-terrorist financing (CTF) regulations and guidelines. They are involved in the risk assessment process, ongoing monitoring, and implementation of risk mitigation measures.

5.3. Risk Management Team

The risk management team, under the guidance of the CRO, assists in the identification, assessment, and mitigation of risks associated with our service. They collaborate with various departments within the company to implement effective risk management practices.

  6. Conclusion

Our risk assessment and management policy for crypto-to-fiat payments outlines our commitment to identifying and mitigating the risks associated with our services. By following this policy, we aim to maintain a secure and compliant environment while providing a seamless experience for our customers. Regular reviews and ongoing monitoring ensure that our risk management practices remain up-to-date and effective in combating money laundering and terrorist financing risks.
