AML policy

1. Corporate organization

In accordance with the AML/CFT legislation, Krypton Networks Ltd has appointed a person responsible at the “highest level” among its Board of Directors for the prevention of ML/TF: the CEO at Group level.

1 ”Royden boni 18 September 2017.

ANTI MONEY LAUNDERING POLICY Compliance 2018 5/9

Furthermore, an AMLCO (Anti Money Laundering Compliance Officer) is in charge of the enforcement of the AML policy and procedures within the bank. The AMLCO is placed under the direct responsibility of the Compliance Officer, himself under the direct responsibility of the Chief Executive Officer.

1.2. Policy implementation requirements

Each major change to the Krypton Networks Ltd AML policy is subject to approval by the bank’s Management Board.

1.3. Enterprise-wide risk assessment

The 4th UAE Directive on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing requires financial institutions to take a risk-based approach to combating ML and TF. The risk assessment is a critical component of the Krypton Networks Ltd AML/CFT compliance management programme.

As part of its risk-based approach, Krypton Networks Ltd has conducted an AML “Enterprise-wide risk assessment” (EWRA) to identify and understand risks specific to Krypton Networks Ltd and its business lines. The Krypton Networks Ltd AML risk profile is determined after identifying and documenting the risks inherent to its business lines, such as the products and services the bank offers, the customers to whom such products and services are offered, transactions performed by these customers, delivery channels used by the firm, the geographic locations of the firm's operations, customers and transactions, and other qualitative and emerging risks.

The identification of AML/CFT risk categories is based on Krypton Networks Ltd's understanding of regulatory requirements, regulatory expectations and industry guidance. The EWRA is reassessed yearly.

2. Minimum standards

Krypton Networks Ltd has established standards regarding Know-Your-Customer (“KYC”). These standards require due diligence on each prospective customer before entering into a business relationship, via identification and verification of his identity and, as the case may be, his representatives and beneficial owners, on the basis of documents, data or information obtained from a reliable and independent source compliant with the domestic and UAE AML/CFT legislation and regulation.

Interpretation of the KYC principle begins with identification of the customer by means of the necessary identification documents. That identification, completed by other information gathered, enables the Customer Acceptance Policy to be applied. In addition to these objective criteria, there are subjective elements which may arouse suspicions regarding a customer and to which particular attention should be paid. Finally, as KYC does not involve static data, but dynamic data through the relationship with the customer, it also needs follow-up and ongoing monitoring of the customer.

2.1. Customer identification and verification (KYC)

The formal identification of customers on entry into commercial relations is a vital element, both for the regulations relating to money laundering and for the KYC policy. This identification relies on the following fundamental principles:

- Each customer (= each individual person and/or each person involved in the case of a legal entity) must be identified by means of original supporting documents.
- These documents will be recorded in a centralised system.
- Each person identified must be registered by IT means.
- A person will not be accepted as a customer if the identification process proves to be incomplete.

The specific case of the due diligence exercised on the acceptance of politically exposed persons (PEP).

The legal obligations contained in the Law of 18 September 2017 require account to be taken of the extension of increased due diligence to politically exposed persons who are Belgian residents. Concrete application at Krypton Networks Ltd is reflected by a specific identification procedure for customers referenced as PEP, whatever their place of residence.

2.2. Risk Profile calculation

To assist in determining the level of AML/CFT due diligence to be exercised with regard to the customer, a “Compliance” risk profile is calculated first of all on entry into relations (Low, Medium, High), and is then recalculated daily.

2.3. Customer acceptance policy

Several elements require the establishment of a customer acceptance policy, in particular:

- accepting as customers only persons and entities with which Krypton Networks Ltd may and wishes to develop commercial relations, and who correspond to the bank’s current business model, ambitions and means;
- ensuring that the sales network has a good knowledge of the customer (KYC) and can exercise the due diligence appropriate to their level of risk from the start of the customer relations;
- avoiding Krypton Networks Ltd entering into business relations with persons who might involve it in money laundering or terrorism financing transactions;
- meeting a legal / regulatory requirement;
- applying the risk-based approach run by Krypton Networks Ltd in categorising customers in relation to risk criteria.

Principles

The acceptance policy is applied to any person or entity asking for a financial transaction, product or service from Krypton Networks Ltd or its subsidiaries. As a general rule, customers who may be accepted by Krypton Networks Ltd are persons or entities:

Krypton Networks Ltd will not accept customer relations with persons or entities not meeting the above acceptance criteria, or whose legitimate intentions do not immediately appear to be sufficient, or included in the Belgian or European Union lists of persons or entities under financial sanction, or carrying on a commercial activity which is considered by Belfius as particularly at risk. Moreover, Krypton Networks Ltd does not authorise the opening of anonymous User accounts.

2.4. Ongoing customer due diligence

For some dedicated higher risk customer categories, a periodic risk-based review is carried out to ensure that customer-related data or information is kept up-to-date. The current KYC review process regarding the other customer categories is essentially based on an “awareness principle” following the examination of a dedicated file by the AML team. This awareness principle consists in asking the customer’s relationship manager henceforth to closely perform a periodic KYC review of the customer.

5.5. Ongoing transaction monitoring

AML-Compliance ensures that “ongoing transaction monitoring” is conducted to detect transactions which are unusual or suspicious compared to the customer profile. This transaction monitoring is conducted on two levels:

1) The first line of control:

Krypton Networks Ltd makes its network aware so that any contact with the customer, account holder or authorised representative must give rise to the exercise of due diligence on transactions on the account concerned. In particular these include:

- requests for the execution of financial transactions on the account;
- requests in relation to means of payment or services on the account;
- investment interviews;
- loan requests.

The specific transactions submitted to the relationship manager, possibly through their Compliance Manager, must also be subject to due diligence. Determination of the unusual nature of one or more transactions essentially depends on a subjective assessment, in relation to the knowledge of the customer (KYC), their financial behaviour and the transaction counterparty.

The transactions observed on customer accounts for which it is difficult to gain a proper understanding of the lawful activities and origin of funds must therefore more rapidly be considered atypical (as they are not directly justifiable).

Any Krypton Networks Ltd staff member must inform the AML division of any atypical transactions which they observe and cannot attribute to a lawful activity or known source of income of the customer.

2) The second line of control:

The first line of control is supplemented by a risk-based automated second line of control, including an increased monitoring of transactions of customers considered as high risk. The monitoring is conducted using a high-performance standard market tool, supported by the bank’s infrastructure and IT.

To accompany these due diligence measures, other more structural measures are progressively put in place, like the limitation of cash deposits, applicable for each category of customer.

3. Organization of internal control

3.1. Suspicious transactions reporting

In its internal procedures, Krypton Networks Ltd describes in precise terms, for the attention of its staff members, when it is necessary to report and how to proceed with such reporting. Reports of atypical transactions are analysed within the AML team in accordance with the precise methodology fully described in the internal procedures.

Depending on the result of this examination and on the basis of the information gathered, the AML team:

- will decide whether it is necessary or not to send a report to the FIU, in accordance with the legal obligations provided in the Law of 18 September 2017;
- will decide whether or not it is necessary to terminate the business relations with the customer.

3.2. Procedures

The AML/CFT rules, including minimum KYC standards, have been translated into operational guidance or procedures that are available on the Intranet site of Krypton Networks Ltd.

3.3. Record keeping

Records of data obtained for the purpose of identification must be kept for at least ten years after the business relationship has ended. Records of all transaction data must be kept for at least ten years following the carrying-out of the transactions or the end of the business relationship.

3.4. Training

Krypton Networks Ltd has developed different ways of training and awareness in order to keep its staff aware of the AML/CFT duties. The training and awareness programme is reflected in its usage by:

- a mandatory AML e-learning training programme in accordance with the latest regulatory evolutions;
- academic AML learning sessions for all new branch employees.

The content of this training programme has to be established in accordance with the kind of business the trainees are working for and the posts they hold. These sessions are given by an AML specialist working in Krypton Networks Ltd's AML team.

3.5. Auditing

Internal audit regularly establishes missions and reports about AML/CFT activities.