1. Company Policy

It is the policy of the Company to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities by complying with all applicable requirements under the Anti-Money Laundering Amendment Act 2017 and its implementing regulations.

Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origins of criminally derived proceeds so that the proceeds appear to have derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages. Cash first enters the financial system at the “placement” stage, where the cash generated from criminal activities is converted into monetary instruments, such as money orders or traveler’s checks, or deposited into accounts at financial institutions. At the “layering” stage, the funds are transferred or moved into other accounts or other financial institutions to further separate the money from its criminal origin. At the “integration” stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or

Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal either the origin of the funds or their intended use, which could be for criminal purposes. Legitimate sources of funds are a key difference between terrorist financiers and traditional criminal organizations. In addition to charitable donations, legitimate sources include foreign government sponsors, business ownership, and personal employment. Although the motivation differs between traditional money launderers and terrorist financiers, the actual methods used to fund terrorist operations can be the same as or similar to methods used by other criminals to launder funds. Funding for terrorist attacks does not always require large sums of money and the associated transactions may not be complex.

Our AML policies, procedures, and internal controls are designed to ensure compliance with all applicable Anti- Money Laundering Laws and regulations and will be reviewed and updated on a regular basis to ensure appropriate policies, procedures and internal controls are in place to account for both changes in regulations and changes in our business.

2. AML Compliance Person Designation and Duties

The Company has designated […………] as its Anti-Money Laundering Program Compliance Person (AML Compliance Person), with full responsibility for the firm’s AML program. [Name of person nominated] has a working knowledge of the
Anti- Money Laundering Laws and its implementing regulations and is qualified by experience, knowledge, and training. The duties of the AML Compliance Person will include monitoring the firm’s compliance with AML obligations, and overseeing communication and training for employees.

The AML Compliance Person will also ensure that the Company keeps and maintains all of the required AML records and will ensure that Suspicious Activity Reports (SARs) are filed with the Financial Intelligence Authority
(FIA) when appropriate. The AML Compliance Person is vested with full responsibility and authority to enforce the Company AML program.

The Company will provide FIA with contact information for the AML Compliance Person through its Contact System, including: (1) name; (2) title; (3) mailing address; (4) email address; (5) telephone number; and (6) facsimile (if any).

The Company will promptly notify FIA of any change in this information and will review, and if necessary update, this information within 17 business days after the end of each calendar year. The annual review of this information will be conducted by [Name] and will be completed with all necessary updates being provided no later than 17 business days following the end of each
calendar year. In addition, if there is any change to the information, [Name] will update the information promptly, but in any event not later than 30 days following the change.

3. Giving AML Information to Law Enforcement Agencies and Other Financial Institutions

1. FIA Requests under Anti- Money Laundering Act and Financial Intelligence Act.

We will respond to a Financial Intelligence Authority request concerning accounts and transactions by immediately searching our records to determine whether we maintain or have maintained any account for, or have engaged in any transaction with, each individual, entity or organization named in the Request as outlined in the request.

We understand that this has to be done within a reasonable time (unless otherwise specified by FIA from the transmission date of the request to respond to a Request.

We will designate through the FIA Contact System (FCS) one or more persons to be the point of contact (POC) for Requests and will promptly update the POC information following any change in such information. (See also Section 2 above regarding updating of contact information for the AML Compliance Person.) Unless otherwise stated in the Request or specified by FIA, we are required to search those documents outlined in FIA’s Request. If we find a match, Winopay will report it to FIA via FIA’s Secure Information Sharing System within 14 days or within the time requested by FIA in the request. If the search parameters differ from those mentioned above (for example, if FIA limits the search to a geographic location), Winopay will structure our search accordingly.

If Winopay searches our records and does not find a matching account or transaction, then Winopay will not reply to the Request. We will maintain documentation that we have performed the required search by We will not disclose the fact that FIA has requested or obtained information from us, except to the extent necessary to comply with the information request. Winopay will review, maintain and implement procedures to protect the security and confidentiality of requests from FIA similar to those procedures established by the FIA to satisfy the requirements with regard to the protection of customers’ nonpublic information.

We will direct any questions we have about the Request to the requesting law enforcement agency as designated in the request. Unless otherwise stated in the  Request, we will not be required to treat the information request as continuing in nature, and we will not be required to treat the periodic requests as a government-provided list of suspected terrorists for purposes of the customer identification and verification requirements.

1. National Security Letters

We understand that the receipt of a National Security Letter (NSL) is highly confidential. We understand that none of our officers, employees or agents may directly or indirectly disclose to any person that the Police or other government authority has sought or obtained access to any of our records.

To maintain the confidentiality of any NSL we receive, we will process and maintain the NSL by . If we file a SAR after receiving an NSL, the SAR will not contain any reference to the receipt or existence of the NSL. The SAR will only contain detailed information about the facts and circumstances of the detected suspicious activity.

1. c. Voluntary Information Sharing With Other Financial Institutions

We will share information with other Payment Service Providers and financial institutions regarding individuals, entities, organizations and countries for purposes of identifying and, where appropriate, reporting activities that we suspect may involve possible terrorist activity or money laundering.

Winopay will ensure that the firm files with FIA an initial notice before any sharing occurs and annual notices thereafter. Before we share information with another financial institution, we will take reasonable steps to verify that the other financial institution has submitted the requisite notice to FIA, either by obtaining confirmation from the financial institution or by consulting a list of such financial institutions that FIA will make available. We understand that this requirement applies even to financial institutions with which we are affiliated, and that we will obtain the requisite notices from affiliates and follow all required procedures.

We will employ strict procedures both to ensure that only relevant information is shared and to protect the security and confidentiality of this information, for example, by segregating it from the Company’s other books and records. We also will employ procedures to ensure that any information received from another financial institution shall not be used for any purpose other than:

• identifying and, where appropriate, reporting on money laundering or terrorist activities;
• determining whether to establish or maintain an account, or to engage in a transaction; or
• Assisting the financial institution in complying with performing such<activities.

1. d. Joint Filing of SARs by affiliates and Other Financial Institutions

We will file joint SARs in the following circumstances. We will also share information about a particular suspicious transaction with any Financial Institution, as appropriate, involved in that particular transaction for purposes of determining whether we will file jointly a SAR.

We will share information about particular suspicious transactions with our partners for purposes of determining whether we and our partner will file jointly a SAR. In cases in which we file a joint SAR for a transaction that has been handled both by us and by the partner, we may share with the partner a copy of the filed SAR.

If we determine it is appropriate to jointly file a SAR, we understand that we cannot disclose that we have filed a SAR to any financial institution except the financial institution that is filing jointly. If we determine it is not appropriate to file jointly e.g.because the SAR concerns the other partner, Financial institution or one of its employees), we understand that we cannot disclose that we have filed a SAR to any other financial institution or insurance company.

4. 4. Customer Identification Program

In addition to the information we must collect under the laws of Uganda, we have established, documented and maintained a Know Your Customer (KYC). We will collect certain minimum customer identification information from each customer who opens an account; utilize risk-based measures to verify the identity of each customer who opens an account; record customer identification information and the verification methods and results; provide the required adequate KYC notice to customers that we will seek identification information to verify their identities; and compare customer identification information with government-provided lists of suspected terrorists, once such lists have been issued by the government..

1. Required Customer Information

Prior to opening an account, Winopay will collect the following information for all accounts, if applicable, for any person, entity or organization that is opening a new account and whose name is on the account:

(1) the name;

(2) date of birth (for an individual);

(3) an address, which will be a residential or business street address (for an individual), box number, or residential or business street address of next of kin or another contact individual (for an individual who does not have a residential or business street address), or a principal place of business, local office, or other physical location (for a person other than an individual); and

(4) an identification number, which will be a taxpayer identification number or one or more of the following: a taxpayer identification number, passport number and country of issuance, alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality or residence bearing a photograph or other similar safeguard (for non-Ugandan. persons).

In the event that a customer has applied for, but has not received, a taxpayer identification number, we will confirm that the application was filed before the customer opens the account and to obtain the taxpayer identification number within a reasonable period of time after the account is opened. When opening an account for a foreign business or enterprise that does not have an identification number, we will request alternative government-issued documentation certifying the existence of the business or enterprise.

1. Customers Who Refuse to Provide Information

If a potential or existing customer either refuses to provide the information described above when requested, or appears to have intentionally provided misleading information, our firm will not open a new account and, after considering the risks involved, consider closing any existing account. In either case, our AML Compliance Person will be notified so that we can determine whether we should report the situation to FIA on a SAR.

1. Verifying Information

Based on the risk, and to the extent reasonable and practicable, we will ensure that we have a reasonable belief that we know the true identity of our customers by using risk-based procedures to verify and document the accuracy of the information we get about our customers.

Winopay will analyze the information we obtain to determine whether the information is sufficient to form a reasonable belief that we know the true identity of the customer e.g whether the information is logical or contains inconsistencies).

We will verify customer identity through documentary means, non-documentary means or both.  We will use documents to verify customer identity when appropriate documents are available. In light of the increased instances of identity fraud, we will supplement the use of documentary evidence by using the non-documentary means described below whenever necessary. We may also use non-documentary means, if we are still uncertain about whether we know the true identity of the customer. In verifying the information, we will consider whether the identifying information that we receive, such as the customer’s name, street address, P.O.Box , telephone number (if provided), date of birth and TIN, allow us to determine that we have a reasonable belief that we know the true identity of the customer e.g. whether the information is logical or contains inconsistencies).

Appropriate documents for verifying the identity of customers include the following:

• For an individual, an unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a national Identification Card, a driver’s license or passport.
• For a person other than an individual, documents showing the existence of the entity, such as certified articles of incorporation, a government-issued
  business license, a partnership agreement or a trust instrument.

We understand that we are not required to take steps to determine whether the document that the customer has provided to us for identity verification has been validly issued and that we may rely on a government-issued identification as verification of a customer’s identity. If, however, we note that the document shows some obvious form of fraud, we must consider that factor in determining whether we can form a reasonable belief that we know the customer’s true identity. We will use the following non-documentary methods of verifying identity:

• Independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a public database or any other source.
• Checking references with other financial institutions
• Obtaining a financial statement.

We will use non-documentary methods of verification when:

(1) the customer is unable to present an unexpired government-issued identification document with a photograph or other similar safeguard;

(2) The Company is unfamiliar with the documents the customer presents for identification verification;

(3) The customer and Company do not have face-to-face contact; and

(4) there are other circumstances that increase the risk that the firm will
be unable to verify the true identity of the customer through documentary means.

We will verify the information within a reasonable time before or after the account is opened. Depending on the nature of the account and requested transactions, we may refuse to complete a transaction before we have verified the information, or in some instances when we need more time, we may, pending verification, restrict the types of transactions or dollar amount of transactions. If we find suspicious information that indicates possible money laundering, terrorist financing activity, or other suspicious activity, we will, after internal consultation with the Company’s AML Compliance Person, file a SAR in accordance with applicable laws and regulations.

We recognize that the risk that we may not know the customer’s true identity may be heightened for certain types of accounts, such as an account opened in the name of a corporation, partnership or trust that is created or conducts substantial business in a jurisdiction that has been designated by Uganda as a primary money laundering jurisdiction, a terrorist concern, or has been designated as a non-cooperative country or territory. We will identify customers that pose a heightened risk of not being properly identified. We will also take the following additional measures that may be used to obtain information about the identity of the individuals associated with the customer when standard documentary methods prove to be insufficient:

1. Lack of Verification

When we cannot form a reasonable belief that we know the true identity of a customer, we will do the following: (1) not open an account; (2) impose terms under which a customer may conduct transactions while we attempt to verify the customer’s identity; (3) close an account after attempts to verify a customer’s identity fail; and (4) determine whether it is necessary to file a SAR in accordance with applicable laws and regulations.

1. Recordkeeping

We will document our verification, including all identifying information provided by a customer, the methods used and results of verification, and the resolution of any discrepancies identified in the verification process. We will keep records containing a description of any document that we relied on to verify a customer’s identity, noting the type of document, any identification number contained in the document, the place of issuance, and if any, the date of issuance and expiration date. With respect to non-documentary verification, we will retain documents that describe the methods and the results of any measures we took to verify the identity of a customer. We will also keep records containing a description of the resolution of each substantive discrepancy discovered when verifying the identifying information obtained. We will retain records of all identification information for five years after the account has been closed; we will retain records made about verification of the customer’s identity for five years after the record is made.

1. Comparison with Government-Provided Lists of Terrorists.

At such time as we receive notice that a  government agency has issued a list of known or suspected terrorists and identified the list as a list for KYC purposes, we will, within a reasonable period of time after an account is opened (or earlier, if required by another-law or regulation or government directive issued in connection with an applicable list), determine whether a customer appears on any such list of known or suspected terrorists or terrorist organizations issued by any federal government agency and designated as such by Treasury in consultation with the government functional regulators. We will follow all federal directives issued in connection with such lists.

1. Notice to Customers

We will provide notice to customers that the firm is requesting information from them to verify their identities, as required by law. We will use the following method to provide notice to customers

Important Information About Procedures for Opening a New Account

To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.What this means for you: When you open an account, we will ask for your name, address, date of birth and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.

1. Reliance on another Financial Institution for Identity Verification.

We may, under the following circumstances, rely on the performance by another financial institution (including an affiliate) of some or all of the elements of our KYC with respect to any customer that is opening an account or has established an account or similar business relationship with the other financial institution to provide or engage in services, dealings or other financial transactions:

• when such reliance is reasonable under the circumstances;
• when the other financial institution is subject to a rule implementing the anti-money laundering compliance program requirements and
• when the other financial institution has entered into a contract with our company requiring it to certify annually to us that it has implemented its anti-money laundering program and that it will perform (or its agent will perform) specified requirements of the customer identification program.

5. 
   Customer Due Diligence Rule

In addition to the information collected under the Know Your Customer, we have established, documented and maintained written policies and procedures reasonably designed to identify and verify beneficial owners of legal entity customers and comply with other aspects of the Customer Due Diligence (CDD) Rule. We will collect certain minimum CDD information from beneficial owners of legal entity customers. We will understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile.
We will conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, maintain and update customer information.

1. Identification and Verification of Beneficial Owners

At the time of opening an account for a legal entity customer, [ will identify any individual that is a beneficial owner of the legal entity customer by identifying any individuals who directly or indirectly own 25% or more of the equity interests of the legal entity customer, and any individual with significant responsibility to control, manage, or direct a legal entity customer. The following information will be collected for each beneficial
owner:

(1) the name;

(2) date of birth (for an individual);

(3) an address, which will be a residential or business street address (for an individual), box number, or residential or business street address of next of kin or another contact individual (for an individual who does not have a residential or business street address); and

(4) an identification number, Tax Identification Number or one or more of the following: a passport number and country of issuance, or other similar
identification number, such as an alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or other
similar safeguard.

For verification, we will describe any document relied on (noting the type, any identification number, place of issuance and, if any, date of issuance and expiration). We will also describe any non-documentary methods and the results of any measures undertaken.

1. Understanding the Nature and Purpose of Customer Relationships.

We will understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile through the following methods.

• The type of customer
• The account or service being offered
• The customer’s income
• The customer’s net worth
• The customer’s domicile
• The customer’s principal occupation or business
• In the case of existing customers, the customer’s history of activity.

1. Conducting Ongoing Monitoring to Identify and Report Suspicious Transactions

We will conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information,
including information regarding the beneficial ownership of legal entity customers, using the customer risk profile as a baseline against which customer activity is assessed for suspicious transaction reporting.

6. Due Diligence and Enhanced Due Diligence Requirements for Correspondent Accounts of Foreign Financial Institutions

1. Due Diligence for Correspondent Accounts of Foreign Financial Institutions

We will conduct an inquiry to determine whether a foreign financial institution has a correspondent account established, maintained, administered or managed by the Company. If we have correspondent accounts for foreign
financial institutions, we will assess the money laundering risk posed, based on a consideration of relevant risk factors. We can apply all or a subset of
these risk factors depending on the nature of the foreign financial institutions and the relative money laundering risk posed by such institutions. The relevant risk factors can include:

• the nature of the foreign financial institution’s business and the markets it serves
• the type, purpose and anticipated activity of such correspondent account
• the nature and duration of the firm’s relationship with the foreign financial institution and its affiliates
• the anti-money laundering and supervisory regime of the jurisdiction that issued the foreign financial institution’s charter or license and, to the
  extent reasonably available, the jurisdiction in which any company that is an owner of the foreign financial institution is incorporated or chartered
• information known or reasonably available to the covered financial institution about the foreign financial institution’s anti-money laundering

In addition, our due diligence program will consider additional factors that have not been enumerated above when assessing foreign financial institutions that pose a higher risk of money laundering.

We will apply our risk-based due diligence procedures and controls to each financial foreign institution correspondent account on an ongoing basis. This
includes periodically reviewing the activity of each foreign financial institution correspondent sufficient to ensure whether the nature and volume of account activity is generally consistent with the information regarding the
purpose and expected account activity and to ensure that the firm can adequately identify suspicious transactions. Ordinarily, we will not conduct this periodic review by scrutinizing every transaction taking place within the
account. One procedure we may use instead is to use any account profiles for our correspondent accounts (to the extent we maintain these) that we ordinarily use to anticipate how the account might be used and the expected volume of activity to help establish baselines for detecting unusual activity.

7.Monitoring Accounts for Suspicious Activity

We will monitor account activity for unusual size, volume, pattern or type of transactions, taking into account risk factors and red flags that are appropriate to our business. (Red flags are identified in Section 7.b. below.)

Monitoring will be conducted through the following methods: [The customer risk profile will serve as a baseline for assessing potentially suspicious activity. The AML Compliance Person or his or her designee will be responsible for this monitoring, will review any activity that our monitoring system detects, will determine whether any additional steps are required, will document when and how this monitoring is carried out, and will report suspicious activities to the appropriate authorities.

We will conduct the following reviews of activity that our monitoring system detects: We will document our monitoring and reviews as follows: . The AML Compliance Person or his or her designee will conduct an appropriate investigation and review relevant information from internal or third-party sources before a SAR is filed.

1. Emergency Notification to Law Enforcement by Telephone

In situations involving violations that require immediate attention, such as terrorist financing or ongoing money laundering schemes, we will immediately call an appropriate law enforcement authority.

If a customer or company appears on either the Uganda Police, FIA or any security organ red list, we will call the relevant Authority.  Especially to report transactions relating to terrorist activity).

If we notify the appropriate law enforcement authority of any such activity, we must still file a timely a SAR.

Although we are not required to, in cases where we have filed a SAR that may require immediate attention by Law enforcement, we may contact the relevant enforcement Authority to alert the them about the filing.

1. Red Flags

Red flags that signal possible money laundering or terrorist financing include, but are not limited to:

Potential Red Flags in Customer Due Diligence and Interactions with Customers

The customer provides the firm with unusual or suspicious identification documents that cannot be readily verified or are inconsistent with other
statements or documents that the customer has provided. Or, the customer provides information that is inconsistent with other available information
about the customer. This indicator may apply to account openings and to interaction subsequent to account opening.

• The customer is reluctant or refuses to provide the firm with complete customer due diligence information as required by the firm’s procedures,
  which may include information regarding the nature and purpose of the customer’s business, prior financial relationships, anticipated account
  activity, business location and, if applicable, the entity’s officers and directors.
• The customer refuses to identify a legitimate source of funds or information is false, misleading or substantially incorrect.
• The customer is domiciled in, doing business in or regularly transacting with counterparties in a jurisdiction that is known as a bank secrecy haven,
  tax shelter, high-risk geographic location (, known as a narcotics producing jurisdiction, known to have ineffective AML/Combating the Financing of Terrorism systems) or conflict zone, including those with an established threat of terrorism.
• The customer has difficulty describing the nature of his or her business or lacks general knowledge of his or her industry.
• The customer has no discernable reason for using the Company’s service or the Company’s location (, the customer lacks roots to the local community or has gone out of his or her way to use the Company).
• The customer has been rejected or has had its relationship terminated as a customer by other financial services firms.
• The customer’s legal or mailing address is associated with multiple other accounts or businesses that do not appear related.
• The customer appears to be acting as an agent for an undisclosed principal, but is reluctant to provide information.
• The customer is a trust, shell company or private investment company that is reluctant to provide information on controlling parties and underlying
• The customer is publicly known or known to the Company to have criminal, civil or regulatory proceedings against him or her for crime, corruption or misuse of public funds, or is known to associate with such persons. Sources for this information could include news items, the Internet or commercial database searches.
• The customer’s background is questionable or differs from expectations based on business activities.
• The customer maintains multiple accounts, or maintains accounts in the names of corporate entities, with no apparent business or other purpose.
• An account is opened in the name of a legal entity that is involved in the activities of an association, organization or foundation whose aims are related to the claims or demands of a known terrorist entity.

Potential Red Flags in Money Movements

• The customer seemingly breaks funds transfers into smaller transfers to avoid raising attention to a larger funds transfer. The smaller funds transfers do not appear to be based on legitimate regular deposit and withdrawal strategies.
• The customer frequently changes bank account details or information for redemption proceeds, in particular when followed by redemption requests.
• The customer makes a funds deposit followed by an immediate request that the money be wired out or transferred to a third party, or to another firm/company, without any apparent business purpose.
• Transfers are made in small amounts in an apparent effort to avoid triggering identification or reporting requirements.
• Transfers are made to or from financial secrecy havens, tax havens, high-risk geographic locations or conflict zones, including those with an
  established presence of terrorism.
• Transfers originate from jurisdictions that have been highlighted in relation to black market exchange activities.
• The parties to the transaction (, originator or beneficiary) are from countries that are known to support terrorist activities and
  organizations.
• There is transfer activity that is unexplained, repetitive, unusually large, shows unusual patterns or has no apparent business purpose.
• The securities account is used for payments or outgoing transfers with little or no securities activities (, account appears to be used
  as a depository account or a conduit for transfers, which may be purported to be for business operating needs).
• Funds are transferred to financial or depository institutions other than those from which the funds were initially received, specifically when
  different countries are involved.
• The customer engages in excessive journal entries of funds between related or unrelated accounts without any apparent business purpose.
• The customer uses a personal/individual account for business purposes or vice versa.
• There are frequent transactions involving round or whole dollar amounts purported to involve payments for goods or services.
• Upon request, a customer is unable or unwilling to produce appropriate documentation (, invoices) to support a transaction, or documentation appears doctored or fake (e.g., documents contain
  significant discrepancies between the descriptions on the transport document or bill of lading, the invoice, or other documents such as the certificate
  of origin or packing list).
• The customer requests that certain payments be routed through nostro^{14</sup >
  or correspondent accounts held by the financial intermediary instead of its own accounts, for no apparent business purpose.}
• Funds are transferred into an account and are subsequently transferred out of the account in the same or nearly the same amounts, especially when the origin and destination locations are high-risk jurisdictions.
• A dormant account suddenly becomes active without a plausible explanation large deposits that are suddenly wired out).
• Wire transfer activity, when viewed over a period of time, reveals suspicious or unusual patterns, which could include round dollar, repetitive transactions or circuitous money movements.

c.Responding to Red Flags and Suspicious Activity

When an employee of the company detects any red flag, or other activity that may be suspicious, he or she will notify the AML Compliance Person, the
company will determine whether or not and how to further investigate the matter. This may include gathering additional information internally or from
third-party sources, contacting the government, freezing the account and/or filing a SAR.

8. Suspicious Transactions and Reporting

1. Filing a SAR

We will file SARs with FIA for any transactions conducted or attempted by, at or through our company involving $5,000 or more of funds or assets where we
know, suspect or have reason to suspect:

(1) the transaction involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity as part of a plan to violate or evade  law or regulation or to avoid any transaction reporting requirement under federal law or regulation;

(2) The transaction is designed, whether through structuring or otherwise, to evade any requirements of the FIA regulations;

(3) the transaction has no business or apparent lawful purpose or is not the sort in which the customer would normally be expected to engage, and after examining the background, possible purpose of the transaction and other facts, we know of no reasonable explanation for the transaction; or

(4) The transaction involves the use of the company to facilitate criminal activity.

We will also file a SAR and notify the appropriate law enforcement authority in situations involving violations that require immediate attention, such as terrorist financing or ongoing money laundering schemes.

In addition, although we are not required to, we may contact that FIA in cases where a SAR we have filed may require immediate attention by the FIA. We also understand that, even if we notify a regulator of a violation, unless it is specifically covered by one of the exceptions in the SAR rule, we must file a SAR reporting the violation.

We may file a voluntary SAR for any suspicious transaction that we believe is relevant to the possible violation of any law or regulation but that is not
required to be reported by us. It is our policy that all SARs will be reported regularly to the Board of Directors and appropriate senior management, with a clear reminder of the need to maintain the confidentiality of the SAR.

We will report suspicious transactions by completing a SAR, and we will collect and maintain supporting documentation as required by the regulations.
We will file a SAR-SF no later than 30 calendar days after the date of the initial detection of the facts that constitute a basis for filing a SAR.

If no suspect is identified on the date of initial detection, we may delay filing the SAR for an additional 30 calendar days pending identification of a suspect, but in no case will the reporting be delayed more than 60 calendar
days after the date of initial detection. The phrase “initial detection” does not mean the moment a transaction is highlighted for review. The 30-day (or 60-day) period begins when an appropriate review is conducted and a
determination is made that the transaction under review is “suspicious” within the meaning of the SAR requirements. A review must be initiated promptly upon
identification of unusual activity that warrants investigation.

We will retain copies of any SAR filed and the original or business record equivalent of any supporting documentation for five years from the date of
filing the SAR-SF. We will identify and maintain supporting documentation and make such information available to FIA, any other appropriate law enforcement
agencies upon request.

We will not notify any person involved in the transaction that the transaction has been reported, except as permitted by the Anti- Money Laundering Act and
Regulations.

We understand that anyone who is required to disclose a SAR or the information contained in the SAR will, except where disclosure is requested by FIA, or another appropriate law enforcement or regulatory agency, decline to produce the SAR or to provide any information that would disclose that a SAR was prepared or filed. We will notify FIA of any such request and our response.

9. AML Recordkeeping
10. Responsibility for Required AML Records and SAR Filing

Our AML Compliance Person and his or her designee will be responsible for ensuring that AML records are maintained properly and that SARs are filed as
required.

In addition, as part of our AML program, our Company will create and maintain SARs, and relevant documentation on customer identity and verification and
funds transmittals. We will maintain SARs and their accompanying documentation for at least five years.

1. SAR Maintenance and Confidentiality

We will hold SARs and any supporting documentation confidential. We will not inform anyone outside of FIA, or other appropriate law enforcement or regulatory agency about a SAR.

We will refuse any requests for SARs or for information that would disclose that a SAR has been prepared or filed and immediately notify FIA of any such requests that we receive.

We will segregate SAR filings and copies of supporting documentation from other firm books and records to avoid disclosing SAR filings. Our AML Compliance Person will handle all for SARs.

We may share information with another financial institution about suspicious transactions in order to determine whether we will jointly file a SAR.

In cases in which we file a joint SAR for a transaction that has been handled both by us and another financial institution, both financial institutions will
maintain a copy of the filed SAR.

10. Training Programs

We will develop ongoing employee training under the leadership of the AML Compliance Person and senior management. Our training will occur on at least
an annual basis. It will be based on our company size, our customer base, and our resources and be updated as necessary to reflect any new developments in
the law.

Our training will include, at a minimum:

(1) How to identify red flags and signs of money laundering that arise during the course of the employees’ duties.

(2) What to do once the risk is identified (including how, when and to whom to escalate unusual customer activity or other red flags for analysis and, where appropriate, the filing of SARs).

(3) What employees’ roles are in the firm’s compliance efforts and how to perform them.

(4) The firm’s record retention policy.

(5) The disciplinary consequences (including civil and criminal penalties) for non-compliance with the Anti- Money Laundering Laws in Uganda.

We will develop training in our company, or contract for it. Delivery of the training may include educational pamphlets, videos, intranet systems, in-person lectures and explanatory memos.

We will maintain records to show the persons trained, the dates of training and the subject matter of their training.

We will review our operations to see if certain employees, such as those in compliance, margin and corporate security, require specialized additional
training. Our written procedures will be updated to reflect any such changes.

11. Program to Independently Test AML Program
12. Staffing

The testing of our AML program will be performed at least annually by FIA, an independent third party. Independent testing will be performed more frequently
if circumstances warrant.

1. Evaluation and Reporting

After we have completed the independent testing, staff will report its findings to senior management. We will promptly address each of the resulting recommendations and keep a record of how each noted deficiency was resolved.

12. Monitoring Employee Conduct.

We will subject employees to the same AML procedures as customer, under the supervision of the AML Compliance Person. We will also review the AML
performance of supervisors, as part of their annual performance review. The AML Compliance Person’s will be reviewed by senior management.

• Confidential Reporting of AML Non-Compliance

Employees will promptly report any potential violations of the company’s AML compliance program to the AML Compliance Person, unless the violations implicate
the AML Compliance Person, in which case the employee shall report to the Managing Director. Such reports will be confidential, and the employee will suffer no retaliation for making them.

• Additional Risk Areas

The company has reviewed all areas of its business to identify potential money laundering risks that may not be covered in the procedures described above. The major additional areas of risk include [Additional procedures to address these major risks are]

• Senior Manager Approval

Senior management has approved this AML compliance program in writing as reasonably designed to achieve and monitor our company’s ongoing compliance with the requirements of the Anti- Money Laundering Act and the implementing regulations under it.