AML Policy

Done.com Inc. (“Company”) has developed this KYC/AML Policy to comply with applicable laws relating to anti-money laundering and terrorist financing. Company is registered as a Money Service Business (“MSB”) with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”).

Background

In accordance with the prescribed legislative requirements set forth in the Canadian Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”), Company must fulfill certain record keeping, identification, and reporting requirements. Company has chosen to implement and maintain a compliance regime that includes the following:

● appointing a Chief Compliance Officer (“CCO”) who is responsible for the development, implementation, and oversight of Company’s anti-money laundering (“AML”) obligations

● maintaining and providing both written and in-person compliance training for Company employees to ensure that they understand their responsibilities under the PCMLFTA

● fully following all Know Your Customer (“KYC”) processes and procedures in respect of all users of Company’s services to identify them in accordance with the PCMLFTA

● establishing and maintaining internal policies, procedures and controls to combat any attempted use of Company’s services for illegal or illicit purposes

● continuously assessing Company’s risks respecting AML and AML regulatory compliance

● following all applicable record retention requirements of the PCMLFTA

● monitoring all transactions for suspicious and attempted suspicious activities for the purposes of filing Suspicious Transaction Reports (“STRs”) or Attempted Suspicious Transaction Reports (“ASTRs”);

● reviewing Company’s compliance regime to test its effectiveness related to AML compliance at least once every two years

Policies and Procedures

Company has adopted a risk assessment regime approved by its board of directors. Company personnel and board of directors recognize the importance of implementing and maintaining a sound KYC/AML Policy that meets or exceeds the requirements of all applicable laws and regulations, including the PCMLFTA. Company’s internal policies and procedures are reviewed on a regular basis and, if necessary, revised in an effort to comply with regulatory changes.

Chief Compliance Officer

In accordance with the PCMLTFA, Company has designated a CCO who is responsible for the implementation and oversight of the compliance function. The CCO is authorized, and is provided with sufficient resources, to ensure the ongoing compliance of Company respecting the identification and prevention of money laundering and terrorist financing in Canada. The Company CCO and compliance team can be reached at contact@done.com.

Monitoring of Business Relationships

Company monitors all business relationships. When a customer sends money, Company will always do the following:

● Determine the identity of the individual confirm the existence of a corporation or other entity in accordance with FINTRAC guidance.

● Risk-rate all business relationships and amending their risk-ratings if the need arises.

● Conduct ongoing monitoring of each business relationship as determined by the risk-rating (high/low) assigned to the customer.

● Keep a record of the measures that Company has taken to monitor the relationship and the information we obtained as a result.

● If necessary, Company may require customers to provide additional documentation or information to confirm source of funds for the purpose of any transaction.

Company uses a combination of automated and manual monitoring procedures with an appropriate escalation process based on risk. Company’s compliance staff will review any transactions that trigger a system alert and determine if the activities are within the customer’s stated activity and/or normal usage behavior before being completed. In some cases, Company will require additional information from the customer, such as source of income, proof of employment, proof of corporate registration, and nature of the business, as well as review of customer’s transaction history.

Know Your Customer Processes

Prior to a customer being able to perform a transaction using Company’s products or services, Company must identify the customer, known as the KYC process, in accordance with applicable regulations. Company has a policy which requires all customers to be verified in the following circumstances:

(a) prior to the customer’s being able to issue closed loop prepaid stored value products (i.e., gift cards) for customer’s own business;

(b) when a business customer accepts more than $1,000 in cumulative payment processing payments volume using the Company Services;

(c) when a customer purchases or attempt to purchase a total monetary sum of gift cards equal to or greater than $9,500 per 24 hours;

(d) when a customer sends equal to or greater than $1,000 in a single transaction or $9,500 per 24 hours to another Company customer; and

(e) when a customer has a Company account balance equal or greater than $10,000.

All transaction and account limits are denoted in local fiat currency value. Company accounts are at present made available only to residents in certain countries in order to minimize the risk of money laundering and terrorist financing activities. Please see our Restricted Use Policy for more details.

Information Company Collects

Company may collect the following in order verify and authenticate a customer or beneficial owner:

(a) Email address;

(b) Mobile phone number;

(c) Full legal name;

(d) Home Address (not a mailing address or P.O. Box);

(e) Date of birth (DOB);

(f) IP Address

(g) Unique device information

(h) Proof of identity (as outlined below);

Additional information or documentation may be required at the discretion of the Company compliance team.

Individual customers may be verified by way of the following methods, which are explained in FINTRAC guidance:

Single Process Identity Verification Method

Using this method, we determine the identity of a customer by referring to a credit file or financial institution account that has been established with a third party credit file provider or financial institution. To be verified, the details provided by the third party must match the name, date of birth and address provided by an individual customer, or match two trade lines within the credit file. If any of the information does not match, the individual will need to use another method to prove their identity.

Dual Process Identity Verification Method

This method involves referring to information from reliable and independent sources which can be submitted by the individual in original paper form or an un-altered electronic form. As part of the account sign up process, customers are asked to upload to our site the original electronic or paper documents they received or downloaded. All documents must be valid and unaltered in order to be acceptable. If any information has been redacted, it is not acceptable. Such documents typically include, but are not limited to:

Government issued photo identification

Bank or credit card statement

Utility bill

All files are submitted over encrypted channels and stored encrypted in our data centres or with third party data processors. Review to our Security Policy and our Privacy Policy for more information on the procedures we employ to keep your data safe.

Identifying Corporations and Other Entities

Corporate entities, non-profits, or charities, must confirm their existence as an entity, and the entity’s beneficial ownership.

Corporations

Company confirms the existence of a corporation as well as the corporation’s name and address by collecting and verifying the following information:

(a) Corporate Email address;

(b) Corporate phone number;

(c) Full Corporate legal name;

(d) Operating name;

(e) Government registration number (e.g., CRA Business Number);

(f) Business Address (not a mailing address or P.O. Box);

(g) Proof of existence (as outlined below);

(h) Confirmed identity of all beneficial owners (as outlined below).

Additional information or documentation at the discretion of the compliance team.

One or more of the following documents may be used to verify the business information collected:

Proof of existence:

1. Certificate of Corporate Status (if incorporated within the previous 12 months); or 2. Notice of registration (either provincial or federal); or

3. A letter or a notice of assessment from a municipal, provincial, state, territorial or federal; or

4. Corporation’s published annual report signed by an independent audit firm; or 5. Trade name registration (if applicable)

6. Proof of corporate address (utility bill, bank statement or any government record)

7. Completed business account information (including the nature of business and estimated transaction volumes)

8. Completed beneficial ownership information and identity verification for all beneficial owners of the organization (i.e., any actual person who owns or controls, directly or indirectly, 25% or more of the corporation’s shares).

Partnerships, Cooperatives, Sole Proprietorships

The existence of an entity other than a corporation is confirmed in the same way as a corporation; however, supporting documentation that is deemed acceptable is different. Acceptable supporting documentation may include, but is not limited to:

1. a partnership agreement; or

2. articles of association; or

3. sole proprietorship registration; or

4. any other similar record that confirms the entity’s existence.

In confirming an entity’s existence, Company must be able to refer to a paper or electronic record and retain a copy of it. Verbal confirmation is not sufficient. Electronic records must be from a public source and we must record the type and source and corporation’s registration number. In addition, complete beneficial ownership information and identity verification for all beneficial owners of the organization (i.e., any actual person who owns or controls, directly or indirectly, 25% or more of the entity’s shares) are required.

Not-for-profits and Charities

The existence of an entity other than a corporation is confirmed in the same way as a corporation; however, supporting documentation that is deemed acceptable for non-profits may differ. Acceptable supporting documentation may also include, but is not limited to:

1. proof of charity or non-profit registration; or

2. articles of association; or

3. any other similar record that confirms the entity’s existence.

If the entity is a not-for-profit organization, Company also must:

1. Determine whether or not the entity is a registered charity for income tax purposes

2. If that entity is not a registered charity, determine whether or not it solicits charitable financial donations from the public

3. Obtain completed beneficial ownership information and identity verification for all beneficial owners of the organization (i.e., any actual person who owns or controls, directly or indirectly, 25% or more of the entity’s shares or is a director of the non-profit)

Beneficial Ownership Records

In addition to confirming the existence of a corporation or other entity, Company also must also determine and confirm the accuracy of the entity’s beneficial ownership through the following:

If the entity is a corporation:

1. The name and occupation of all directors and officers of the corporation; and

2. The name, address and occupation of all individuals who directly or indirectly own or control 25% or more of the shares of the corporation.

If the entity is other than a corporation, the name, address and occupation of all individuals who directly or indirectly own or control 25% or more of the entity.

Keeping Client Identification Information Updated

Company customers who present an elevated risk are required to have their identification information updated at least every two years, or sooner depending on risk evaluation. Customers who present an elevated risk include (but are not limited to) Politically Exposed Persons (“PEPs”) (whether domestic or foreign) or individuals from certain countries. This is done by reviewing original identity or entity documents and recording the updated identification or information details as appropriate.

Record Keeping

As a registered MSB, Company is required to keep certain types of records depending on the client type and transaction type, including records of any STRs or ASTRs submitted to FINTRAC. There is no threshold (that is, no dollar amount) for a suspicious transaction. When Company sends an STR or ASTR to FINTRAC, we must take reasonable measures, before the

transaction is reported, to ascertain the identity of the individual who conducted or attempted to conduct the transaction.

Company is required to maintain an effective record keeping system to enable FINTRAC to have access to the records in a timely fashion. Records must be kept for a minimum of 5 years, and in such a way that they can be provided to FINTRAC within 30 days of a request to examine them.

Reporting Requirements

Company complies with all the reporting requirements as per the PCMLTFA and regulations as enforced by FINTRAC. There are multiple situations where we are obligated to submit reports.

Suspicious Transaction Reports

In order to operate legally Company must report any transactions or attempted transactions where there are reasonable grounds to suspect such transactions relate to money laundering or terrorist activity. There is no monetary threshold for submitting a STR or ASTR.

The CCO has the authority to file STRs and ASTRs with FINTRAC and is required to maintain a log of all reports filed in accordance with Company’s record keeping procedures.

Terrorist Property Reporting and Sanctions Requirements

There are two situations where we must send a terrorist property report to FINTRAC immediately:

1. Knowing that a property is owned or controlled by or on behalf of a terrorist or terrorist group; or,

2. Believing that a property is owned or controlled by or on behalf of a listed person.

Where there are economic sanctions, Company is required to prohibit or restrict activities in accordance with the legal requirements. In some cases, Company may be required to freeze property, in addition to making reports to various government and law agencies.

Ongoing Monitoring of Business Relationships

If in the course of reviewing and monitoring, Company identifies unexplainable or unusual patterns or activity, Company will work to obtain further information so that questions surrounding the suspicious activity are satisfactorily answered. Company may also report the activity internally to the CCO, who is required to maintain a record/log of all internally reported concerns and perform a review to determine if an STR is to be filed with FINTRAC.

If Company cannot reach a clear understanding of the customer’s identity, or the sources and movement of funds, the customer’s account may be permanently closed. This will be followed by terminating the business relationship and blacklisting the account owner to prevent them from re-opening a new account.

Policy Audits

Internally the CCO is responsible for performing an audit of our KYC/AML Policy at least annually and presenting the results to the CEO and the Company Board of Directors for review. The KYC/AML Policy is updated on a regular basis as new products and services are developed and legislation changes.

Independent review will occur a minimum of once every two years. The independent review of the AML/CTF compliance regime will be performed by a qualified AML/CTF regime auditor as per FINTRAC’s guidelines. The process will assess Company’s internal controls, transactional systems and procedures. The findings from such examination are sent directly to the CEO and Board of Directors for review.

Training

All Company employees and officers receive ongoing broad-based AML training, as well as position-specific training. They must repeat this training at least once every twelve (12) months to ensure they are knowledgeable and in compliance with all pertinent laws and regulations. New employees receive training within thirty (30) days of their start date. All documentation related to compliance training including: materials, tests, results, attendance and date of completion are maintained. In addition, the compliance training program is updated as necessary to reflect current laws and regulations.

If you have any questions or concerns feel free to contact contact@done.com.

‍