Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) Policy

1. Introduction

1.1. NCDC COMMUNICATIONS LTD (the "Company"), a legal entity registered and operating in the Republic of Cyprus, affirms its commitment to full compliance with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (Law 188(I)/2007), including all subsequent amendments, as well as relevant EU Directives and international AML/CFT standards.

1.2. This Policy sets out the core principles and internal control measures designed to prevent the Company’s services from being misused for the purposes of money laundering or terrorist financing. NCDC COMMUNICATIONS LTD operates in the field of electronic communications.

1.3. The objectives of this Policy are to:

• Ensure the implementation of robust risk management systems capable of identifying, assessing, monitoring, and mitigating money laundering and terrorist financing risks;
• Establish uniform standards for customer due diligence (CDD), ongoing transaction monitoring, record-keeping, and reporting of suspicious activities;
• Ensure that employees are adequately trained and fully understand their responsibilities under applicable AML/CFT legislation.

1.4. This document will be reviewed and updated on a regular basis to reflect changes in legislation, risk exposure, or operational procedures.

2. Company Information

Legal Name: NCDC COMMUNICATIONS LTD

Jurisdiction: Republic of Cyprus

Registered Address: 20 Laxion Avenue, Office 11, 8575 Peyia, Paphos, Cyprus.

Registration number: 414282

Email: [email protected]

Senior Management:

• Director: Mykola Kosovskyi
• Compliance Officer/MLCO: Mykola Kosovskyi

NCDC COMMUNICATIONS LTD cooperates with MOKAS (Unit for Combating Money Laundering), the official Financial Intelligence Unit (FIU) of Cyprus.

3. Scope and Applicability

3.1. This Policy is applicable to:

• All employees, contractors, and authorized agents of the Company;
• All customers and business partners who interact with the Company’s services.

3.2. The provisions of this Policy apply irrespective of whether the data pertains to natural or legal persons, and regardless of whether it is obtained through direct integration methods (such as REST APIs or Webhooks) or via third-party platforms.

4. Definitions

4.1. For the purposes of this Policy, the following terms shall have the meanings set out below:

"Applicable Legislation": Refers to the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (Law 188(I)/2007), including all amendments, as well as relevant Directives issued by the Cyprus Securities and Exchange Commission (CySEC) or any other competent authority.

"Authority": Refers to MOKAS, the Financial Intelligence Unit (FIU) of the Republic of Cyprus responsible for combating money laundering.

"Beneficial Owner": A natural person who ultimately owns or controls a legal entity, either directly or indirectly, through ownership of 25% or more of the shares or voting rights, or by exercising control over the entity’s management in any other manner.

"Business Relationship": A commercial or professional arrangement between the Company and a Customer that is intended to continue over time.

"Customer": Any natural or legal person who engages with the Company’s services.

"Politically Exposed Person (PEP)": An individual who is or has been entrusted with a prominent public function, along with their immediate family members or close associates, as defined under the AML legislation of the Republic of Cyprus.

"Sanctions Lists": Official registers of individuals or entities subject to restrictions under the sanctions regimes of the United Nations, the European Union, OFAC (U.S.), or other recognized authorities.

"Suspicious Transaction": Any transaction or activity that appears abnormal, inconsistent with the customer’s known profile, or potentially linked to criminal proceeds or terrorist financing.

"Risk Scoring": The Company’s automated methodology for evaluating a client's financial and behavioral risk, utilizing transaction data, profiling techniques, and machine learning algorithms.

"Source of Funds": The origin of the monetary resources involved in a transaction, such as salary, business income, or investment returns.

"Source of Wealth": The origin of an individual’s overall financial status or net worth, including accumulated assets.

"Reliable Source": Any trusted and credible source used to verify a customer’s identity or risk profile, such as government registries, regulated databases, or international watchlists.

5. Governance and Oversight

5.1. As the Company is managed by a sole Director, all responsibilities related to anti-money laundering (AML) compliance and oversight rest solely with the Director, who acts in a fiduciary capacity. The Director is responsible for ensuring that the Company operates in full adherence to applicable legislation, upholds an effective internal control framework, and promotes a robust culture of compliance throughout the organization.

5.2. The Director’s responsibilities include:

• Approving and periodically reviewing the AML Manual and all related internal policies;
• Appointing a Money Laundering Compliance Officer (MLCO) in accordance with CySEC Directive DI87-01;
• Ensuring that the MLCO has adequate authority, independence, and unrestricted access to all relevant information and departments;
• Overseeing the implementation of effective AML controls, procedures, and staff training programmes;
• Reviewing and approving all reports submitted by the MLCO, including the Annual Report and the Monthly Prevention Statement.

6. Role and Duties of the Money Laundering Compliance Officer (MLCO)

6.1. The MLCO is appointed by the Director and is responsible for the day-to-day management and oversight of the Company’s anti-money laundering and counter-terrorist financing (AML/CFT) framework.

6.2. Core duties include:

• Designing, maintaining, and implementing AML policies and internal controls tailored to the Company’s risk exposure;
• Monitoring adherence to the AML framework across all departments and functions;
• Receiving and evaluating Internal Suspicion Reports, drafting Internal Evaluation Reports, and submitting Suspicious Transaction Reports (STRs) to MOKAS when deemed appropriate;
• Acting as the designated point of contact with MOKAS and cooperating fully during investigations;
• Preparing and submitting the Annual AML Compliance Report and Monthly Prevention Statements in accordance with CySEC deadlines;
• Updating the Company’s risk assessments and client classifications in line with emerging risks and regulatory expectations;
• Facilitating regular AML training for all relevant personnel and maintaining training records;
• Keeping registers of suspicious activity and STRs submitted to the authorities.

6.3. The MLCO must perform their duties independently and without undue influence, and shall have full access to all necessary records, systems, and personnel to fulfil their responsibilities effectively.

7. Risk-Based Approach (RBA)

7.1. The Company adopts a Risk-Based Approach (RBA) to anti-money laundering and counter-terrorist financing, in line with international best practices and applicable legislation.

7.2. Risk considerations include:

• Nature and complexity of client structures (e.g., PEPs, bearer shares, offshore entities);
• Geographical risk exposure (e.g., high-risk third countries, FATF blacklists);
• Client behaviour and transaction patterns lacking economic rationale;
• Use of anonymity-enhancing instruments or non-face-to-face onboarding;
• Services offered and distribution channels used.

7.3. The Company’s RBA framework forms the basis for:

• Customer onboarding procedures and due diligence levels;
• Frequency and depth of transaction monitoring;
• Internal controls and escalation procedures;
• Resource allocation and staff training priorities.

7.4. Clients are categorised into Low Risk, Normal Risk, or High Risk based on documented assessments, which inform the extent of due diligence required.

8. Client Due Diligence (CDD) and Know-Your-Customer (KYC) Procedures

8.1. The Company implements robust Client Due Diligence (CDD) and Know-Your-Customer (KYC) procedures to verify the identity of its clients and assess associated risks, in accordance with applicable AML/CFT legislation and best practices. The Company undertakes CDD and KYC procedures:

• Prior to establishing a business relationship;
• When conducting occasional transactions exceeding €10,000;
• Where there is suspicion of money laundering or terrorist financing;
• In cases where existing identification information appears unreliable or incomplete.

8.2. The MLCO shall ensure that all required identification and verification data is obtained and retained for the prescribed statutory period.

8.3. Documentation Requirements

To satisfy CDD obligations, the Company may request and obtain, where applicable and proportionate to the assessed risk, the following documentation from clients, depending on their status:

8.3.1. For natural persons:

• Valid government-issued photo identification (e.g., passport, national ID card, residence permit);
• Proof of address dated within the last 3 months (e.g., utility bill, bank statement, official government correspondence);
• Source of funds and/or source of wealth declarations, supported by documentation where applicable (e.g., payslips, tax returns, inheritance documents, property sale agreements).

8.3.2. For legal entities:

• Certificate of Incorporation and recent Certificate of Good Standing (if applicable);
• Memorandum and Articles of Association or equivalent founding documents;
• Company registry extract or equivalent document indicating directors, shareholders, and registered office;
• Identification and proof of authority for directors and authorised representatives;
• Identification of beneficial owners (in line with the 25% threshold or control criterion), including relevant ID and address documents;
• Ownership structure chart, especially where multi-tier or cross-border;
• Documentation confirming source of funds or source of wealth (e.g., audited financials, contracts, tax returns);
• Regulatory license or proof of supervision if the entity operates in a regulated sector;
• Where applicable, enhanced due diligence measures shall be applied for entities established in high-risk jurisdictions or offshore centres.

8.4. Enhanced Due Diligence (EDD) is applied in higher-risk scenarios, including but not limited to:

• Clients identified as Politically Exposed Persons (PEPs);
• Clients operating in high-risk jurisdictions;
• Unusual or complex transactions with no apparent economic or lawful purpose.

8.5. Simplified Due Diligence (SDD) may be applied in low-risk cases, provided it is permitted under applicable law and regulatory guidance.

8.6. The Company ensures that CDD and KYC records are maintained in accordance with legal retention requirements and are readily accessible for review by competent authorities.

9. Ongoing Monitoring

9.1. The Company monitors the business relationship throughout its duration to ensure that transactions are consistent with the client’s risk profile, expected activity, and declared source of funds.

9.2. The frequency and depth of monitoring shall be proportionate to the client’s risk classification, and any unusual activity will be escalated to the MLCO for assessment.

9.3. Monitoring is supported by automated tools and alerts where applicable, ensuring timely detection of risk indicators across the Company’s services and systems.

10. Reporting of Suspicious Transactions

10.1. If, following evaluation, the MLCO concludes that there is knowledge or reasonable suspicion that a transaction, or an attempted transaction, may involve the proceeds of criminal activity or be linked to terrorist financing, a formal Suspicious Transaction Report (STR) shall be submitted to MOKAS without delay.

10.2. In accordance with Section 48 of the AML Law, employees and officers of the Company are strictly prohibited from disclosing to the client or any third party that a report has been or may be submitted to the authorities. Such disclosure constitutes a criminal offence known as “tipping-off.”

11. Record-Keeping

11.1. All records, including but not limited to due diligence documents, risk assessments, internal reports, and communication with MOKAS, must be retained for a minimum of five (5) years from the termination of the business relationship or the completion of the transaction, whichever is later.

11.2. Records shall be stored in both physical and electronic formats, ensuring they are securely maintained and readily accessible for regulatory inspection or audit by competent authorities.

12. Training

12.1. The Company is committed to the ongoing education and training of all relevant staff concerning their anti-money laundering (AML) obligations, the identification of red flags, reporting duties, and updates to procedures.

12.2. The MLCO is responsible for overseeing and maintaining training schedules, ensuring that all employees receive training appropriate to their roles. Records of completed training, including schedules and attendance logs, shall be maintained.

13. Conclusion

13.1. This Policy reflects the Company’s firm commitment to preventing money laundering and terrorist financing, ensuring full compliance with Cypriot legal requirements and international best practices. The AML Manual will be reviewed and updated annually, or as needed, to reflect changes in the regulatory environment or business operations.