Anti-Money Laundering Policy

Last updated: July 2, 2026

XLY Technology is committed to the highest standards of anti-money laundering (AML) and counter-terrorist financing (CTF) compliance. This policy sets out our obligations and procedures to detect, prevent, and report money laundering and terrorist financing activities in connection with our payment processing services.

1. Purpose and Scope

This Anti-Money Laundering Policy applies to XLY Technology, its employees, contractors, and all merchants and partners who use our payment processing services. The policy is designed to ensure compliance with applicable AML and CTF laws and regulations, including the Bank Secrecy Act (BSA), the USA PATRIOT Act, and guidance issued by the Financial Crimes Enforcement Network (FinCEN). This policy covers all financial transactions processed through our platform, including card payments, fund settlements, refunds, and chargebacks.

2. What Is Money Laundering?

Money laundering is the process by which individuals or organisations attempt to conceal the origins of illegally obtained funds by passing them through a series of transactions to make them appear as legitimate income. It typically involves three stages:

• Placement: introducing illicit funds into the financial system.
• Layering: concealing the trail through complex transactions.
• Integration: reintroducing the funds into the economy as apparently legitimate.

Terrorist financing involves providing financial support for terrorist activities, regardless of whether the funds themselves are derived from legitimate or illegitimate sources.

3. Know Your Customer (KYC)

XLY Technology applies a risk-based Know Your Customer (KYC) programme to all merchants and business partners. Before activating a merchant account, we collect and verify:

• Legal business name and registration details.
• Beneficial ownership information (individuals owning 25% or more).
• Government-issued identification for key principals.
• Business address and contact information.
• Nature of business, products or services sold, and expected transaction volumes.

We use third-party identity verification services and cross-reference applicants against government sanctions lists, politically exposed persons (PEP) databases, and adverse media sources. Accounts that cannot be satisfactorily verified will not be activated.

4. Ongoing Monitoring

We continuously monitor transactions processed through our platform for indicators of suspicious activity. Our monitoring programme includes:

• Automated transaction screening against sanctions lists (OFAC SDN list and others).
• Detection of unusual transaction patterns, including sudden volume spikes, high-value transactions inconsistent with the merchant's profile, and structuring behaviour.
• Periodic review and re-verification of merchant accounts, particularly those in higher-risk categories.
• Monitoring for geographic risk factors, including transactions involving high-risk jurisdictions.

Merchants are required to notify us promptly of any material changes to their business, ownership structure, or the nature of goods and services they sell.

5. Suspicious Activity Reporting

Where we identify or suspect money laundering, terrorist financing, or other financial crime, we are required by law to file a Suspicious Activity Report (SAR) with FinCEN. We will not tip off the subject of a SAR that a report has been or may be filed. Employees and contractors who identify suspicious activity must report it immediately to our designated Compliance Officer. Failure to report known or suspected money laundering is a criminal offence. XLY Technology will cooperate fully with law enforcement and regulatory authorities in any investigation relating to financial crime.

6. Prohibited Activities and Restricted Merchants

XLY Technology will not knowingly provide payment services to businesses or individuals engaged in:

• Drug trafficking or the sale of controlled substances.
• Human trafficking or exploitation.
• Terrorism financing or activities supporting sanctioned entities.
• Unlicensed money services businesses (MSBs).
• Illegal gambling operations.
• Fraud, identity theft, or phishing schemes.
• Any activity that violates US federal or state law.

Merchants found to be engaged in prohibited activities will have their accounts terminated immediately, and we will report the matter to the relevant authorities where required.

7. Sanctions Compliance

XLY Technology screens all merchants, beneficial owners, and counterparties against applicable sanctions lists, including:

• The OFAC Specially Designated Nationals and Blocked Persons (SDN) List.
• The US Department of Commerce Denied Persons List.
• UN Security Council consolidated sanctions lists.
• EU and UK consolidated sanctions lists where applicable.

We will not process transactions involving sanctioned individuals, entities, or jurisdictions. Any potential sanctions match is escalated immediately to our Compliance Officer for review. Confirmed matches result in account suspension and mandatory reporting.

8. Record Keeping

We maintain records of all customer identification and verification documents, transaction records, and suspicious activity reports in accordance with applicable law. Records are retained for a minimum of five (5) years from the date of the transaction or the end of the business relationship, whichever is later. All records are stored securely and are available for inspection by regulatory authorities upon lawful request.

9. Employee Training

All XLY Technology employees and contractors who handle financial transactions or customer onboarding receive mandatory AML and CTF training upon joining and on an ongoing annual basis. Training covers:

• Recognition of money laundering and terrorist financing red flags.
• KYC and customer due diligence procedures.
• Internal reporting obligations and escalation procedures.
• Applicable laws and regulatory requirements.

Employees who fail to complete required training or who knowingly facilitate financial crime will be subject to disciplinary action, up to and including termination and referral to law enforcement.

10. Risk-Based Approach

XLY Technology applies a risk-based approach to AML compliance, allocating greater scrutiny to higher-risk merchants, transaction types, and geographies. Risk factors we consider include:

• Business type and industry sector.
• Geographic location and cross-border transaction exposure.
• Transaction volumes and average ticket sizes.
• Ownership structure complexity.
• Adverse media or prior regulatory action.

Higher-risk merchants may be subject to enhanced due diligence (EDD), including additional documentation requirements, more frequent reviews, and lower transaction limits pending satisfactory verification.

11. Merchant Obligations

By using XLY Technology's services, merchants agree to:

• Provide accurate and complete information during onboarding and keep it updated.
• Cooperate with any KYC, EDD, or investigation requests promptly.
• Not use our services to process transactions on behalf of undisclosed third parties.
• Maintain their own AML compliance programme where required by applicable law.
• Immediately notify us if they become aware of any suspicious activity involving their account.

Failure to comply with these obligations may result in account suspension or termination and may be reported to the relevant authorities.

12. Policy Review

This AML Policy is reviewed at least annually by our Compliance Officer and updated as necessary to reflect changes in applicable law, regulatory guidance, and business operations. Material updates will be communicated to affected merchants and partners.

13. Contact — Compliance

For questions about this policy or to report a compliance concern, please contact:

XLY Technology — Compliance
5142 N Academy Blvd, Unit 4328
Colorado Springs, CO 80918
United States
Email: [email protected]
Phone: +1 (719) 249-2280