AML/KYC Policy
Troopix - AML/CFT & Sanctions Compliance Policy
1. Introduction and Policy Statement
1.1. Policy Statement LIGIGA LLC, doing business as "Troopix" (hereinafter referred to as the "Company"), is committed to the highest standards of compliance with all applicable Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) laws and regulations. It is the policy of the Company to actively prevent its services from being used to facilitate money laundering, terrorist financing, proliferation financing, sanctions evasion, or other illicit financial crimes.
The Company adopts a zero-tolerance approach to financial crime. We will not knowingly transact with, facilitate payments for, or provide services to any individual or entity involved in illegal activities, nor will we operate in jurisdictions subject to comprehensive sanctions.
1.2. Regulatory Framework As a limited liability company organized under the laws of the State of Michigan, United States, the Company designs its compliance program in accordance with United States federal laws and international best practices, including but not limited to:
The Bank Secrecy Act (BSA) (31 U.S.C. § 5311 et seq.);
The USA PATRIOT Act of 2001 (specifically Section 326 regarding Customer Identification Programs and Section 314 regarding Information Sharing);
The rules and regulations of the Financial Crimes Enforcement Network (FinCEN);
The economic sanctions programs administered by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury; and
The recommendations of the Financial Action Task Force (FATF) regarding virtual assets and cross-border payments.
Although the Company operates under an "Agent of Payee" exemption model for money transmission licensing in certain contexts, we voluntarily adhere to the rigorous AML/CFT standards required of regulated Money Services Businesses (MSBs) to ensure the safety of the financial system and our partners.
1.3. Scope and Applicability This AML/CFT Policy applies to all officers, directors, employees, contractors, and agents of LIGIGA LLC. It governs all business relationships and operational flows, specifically including the collection of funds via local payment methods (e.g., PIX), the internal conversion of funds into virtual assets for treasury settlement, and the disbursement of Fiat funds to merchants globally.
1.4. Consequences of Non-Compliance Strict adherence to this Policy is a condition of employment and partnership. Failure to comply with the procedures outlined herein may result in disciplinary action, up to and including termination of employment or contract. Furthermore, individuals who violate AML/CFT laws may be subject to severe civil and criminal penalties, including fines and imprisonment.
2. Governance and Designation of Compliance Officer
2.1. Designation of the BSA/AML Compliance Officer In accordance with the Bank Secrecy Act requirements, LIGIGA LLC has designated a qualified individual to serve as the BSA/AML Compliance Officer (the "Compliance Officer"). The Compliance Officer is appointed by the Board of Directors (or Senior Management) and is vested with the full authority and resources necessary to effectively administer the AML/CFT Program.
The Compliance Officer operates independently from the business development and revenue-generating functions of the Company to ensure objective decision-making regarding risk and compliance matters.
2.2. Roles and Responsibilities The Compliance Officer is responsible for the day-to-day management of the Company's AML/CFT Program. Key responsibilities include, but are not limited to:
Program Maintenance: Regularly reviewing and updating this Policy and associated procedures to reflect changes in regulations, business activities, or risk profiles.
Training: Developing and overseeing the ongoing AML/CFT training program for all relevant employees and officers.
Reporting: Acting as the primary liaison with regulatory authorities (such as FinCEN) and financial partners regarding compliance matters. This includes the filing of Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) when applicable.
Monitoring: Overseeing the transaction monitoring systems and the investigation of suspicious activities.
Audit Coordination: Facilitating independent audits of the AML/CFT Program and ensuring that corrective actions are implemented to address any identified deficiencies.
2.3. Senior Management Oversight The Board of Directors (or owners) of LIGIGA LLC bears the ultimate responsibility for the Company’s compliance culture. Senior Management is responsible for:
Approving this AML/CFT Policy and any major amendments.
Ensuring that the Compliance Officer has sufficient authority, staffing, and technological resources to execute their duties.
Reviewing periodic reports submitted by the Compliance Officer regarding the status of the compliance program and any significant risk issues.
3. Risk-Based Approach (RBA)
3.1. Overview The Company employs a Risk-Based Approach (RBA) to compliance, aligning its resources and controls with the specific risks posed by its customers, products, and jurisdictions. This approach ensures that higher-risk areas receive enhanced scrutiny and monitoring, while lower-risk areas are subject to simplified, yet effective, measures.
3.2. Risk Assessment Categories In assessing the money laundering and terrorist financing risk associated with a merchant or transaction, the Company evaluates risk across four primary categories:
Customer Risk: Analyzing the nature of the merchant's business, its ownership structure (e.g., complex shell companies), and the background of its Ultimate Beneficial Owners (UBOs). Entities such as charities, unregulated financial businesses, or cash-intensive businesses are inherently treated as higher risk.
Geographic Risk: Evaluating the jurisdictions where the merchant is incorporated, operates, or where its UBOs reside. The Company utilizes FATF lists, OFAC sanctions lists, and Transparency International’s Corruption Perception Index to classify jurisdictional risk.
Product/Service Risk: Recognizing the risks associated with cross-border payments and high-velocity transaction environments (e.g., instant payments like PIX). Note: While the Company utilizes virtual assets for internal settlement, this product risk is significantly mitigated by our "Closed-Loop" architecture, where merchants have no direct access to cryptocurrency wallets or private keys.
Channel Risk: Acknowledging the risks of non-face-to-face onboarding. To mitigate this, we employ robust digital identity verification technologies (e.g., liveness detection, document forensics).
3.3. Customer Risk Rating (CRR) Upon onboarding, every merchant is assigned a risk rating based on the factors above:
Low Risk: Standard merchants with transparent ownership, operating in low-risk industries (e.g., retail goods, hospitality) within cooperative jurisdictions, with expected transaction volumes consistent with their business size.
Medium Risk: Merchants with higher transaction volumes, complex but verifiable structures, or operating in industries with moderate fraud exposure.
High Risk: Merchants that, while within our risk appetite, require Enhanced Due Diligence (EDD). This includes Politically Exposed Persons (PEPs), high-volume merchants, or businesses in sectors vulnerable to money laundering.
3.4. Prohibited Risks The Company maintains a definitive list of "Prohibited Risks" that fall outside our risk appetite and will not be onboarded under any circumstances. This includes, but is not limited to:
Individuals or entities sanctioned by OFAC, the UN, or the EU.
Shell banks or unlicensed Money Services Businesses (MSBs).
Businesses engaged in illegal activities as defined in our Acceptable Use Policy (AUP).
Entities located in jurisdictions designated as "High-Risk Jurisdictions subject to a Call for Action" by the FATF.
4. Know Your Business (KYB) and Customer Due Diligence (CDD)
4.1. General Requirement LIGIGA LLC employs a rigorous "Know Your Business" (KYB) program. We must form a reasonable belief that we know the true identity of every merchant to whom we provide services. No business account may be opened, and no transactions processed, until the identity of the business entity and its authorized representative has been successfully verified.
4.2. Information Collection For every corporate merchant applicant, the Company collects the following core information prior to onboarding:
Legal Entity Name: The full registered name of the business.
Trade Name (DBA): "Doing Business As" name, if applicable.
Registered Address: A physical street address for the principal place of business (P.O. Boxes are not acceptable).
Identification Number: A government-issued business registration number (e.g., EIN for US entities, CNPJ for Brazilian entities, or equivalent).
Jurisdiction of Incorporation: The country and state/province of legal formation.
Contact Information: Official business phone number and email address.
4.3. Documentary Verification To verify the information collected, the Company relies on reliable, independent source documents or data. Acceptable verification methods include:
Government Registries: Validating the entity’s existence and "Active" status directly via the relevant Secretary of State, Commercial Registry (Junta Comercial), or Federal Tax Authority database.
Formation Documents: Collecting certified copies of Articles of Incorporation, Articles of Organization, Certificates of Good Standing, or Government-issued Business Licenses.
Proof of Address: Recent utility bill, bank statement, or lease agreement in the company’s name.
4.4. Authorized Representative Verification The Company must also verify the identity of the individual opening the account on behalf of the business (the "Authorized Representative"). For this individual, we perform standard Know Your Customer (KYC) checks, collecting:
Full Legal Name;
Date of Birth;
Residential Address;
Government-issued Identification Number (e.g., SSN, CPF, Passport Number).
We verify this individual’s identity using documentary evidence (e.g., unexpired passport or driver’s license) and non-documentary methods (e.g., ID database checks). Furthermore, we verify that this individual has the legal authority to bind the entity to our Terms of Service (e.g., via a corporate resolution or by confirming their role as a Director/Officer in public records).
4.5. Nature and Purpose of Business To establish a customer risk profile, we collect information regarding the nature of the merchant’s business, including:
Description of goods or services sold;
Expected monthly transaction volume and ticket size;
Website URL or proof of business operations;
Target customer base and geographic markets.
5. Ultimate Beneficial Ownership (UBO) Identification
5.1. Requirement In compliance with the FinCEN Customer Due Diligence (CDD) Rule (31 C.F.R. § 1010.230), LIGIGA LLC identifies and verifies the identity of the beneficial owners of all legal entity customers (merchants) at the time of account opening. We do not open accounts for legal entities that refuse to disclose their beneficial ownership structure.
5.2. Definition of Beneficial Owner The Company utilizes the standard "Two-Prong" definition to identify beneficial owners:
The Ownership Prong: Each individual, if any, who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25 percent or more of the equity interests of the legal entity customer.
The Control Prong: A single individual with significant responsibility to control, manage, or direct the legal entity customer (e.g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer).
5.3. Collection of Information For every individual identified under the Ownership or Control prongs, the Company collects the following Personally Identifiable Information (PII):
Full Legal Name;
Date of Birth;
Residential Address;
Government-issued Identification Number (e.g., SSN, CPF, Passport Number).
5.4. Verification of Beneficial Owners The Company verifies the identity of each beneficial owner using risk-based procedures identical to those used for individual customers. This includes:
Collecting a copy of a valid government-issued photo ID (Passport, Driver's License, or National ID Card);
Utilizing non-documentary methods (such as database checks) to confirm the validity of the ID and check for any negative media or sanctions presence.
5.5. Complex Structures If a legal entity merchant is owned by another legal entity, the Company will drill down through the corporate structure ("unwrapping the corporate veil") until the ultimate natural persons who own 25% or more are identified.
5.6. Ongoing Certification Merchants are required to notify the Company of any significant changes to their beneficial ownership structure. Additionally, the Company may periodically require merchants to re-certify the accuracy of their beneficial ownership information based on their risk rating.
6. Enhanced Due Diligence (EDD)
6.1. Triggers for EDD The Company applies Enhanced Due Diligence (EDD) measures to any merchant or transaction that presents a higher risk of money laundering or terrorist financing. EDD is automatically triggered in the following scenarios:
High-Risk Jurisdictions: Merchants located in or dealing significantly with countries identified as high-risk by the FATF, OFAC, or internal risk assessments.
Politically Exposed Persons (PEPs): If a merchant’s UBO or authorized representative is identified as a PEP.
Complex Ownership Structures: Entities with ownership structures that appear unnecessarily complex or opaque (e.g., use of nominee shareholders or bearer shares).
High-Volume/High-Value Activity: Merchants whose transaction volumes significantly exceed the established thresholds or initial expectations without a clear economic rationale.
Adverse Media: Identification of negative news or allegations of financial misconduct involving the merchant or its owners.
6.2. EDD Measures When EDD is triggered, the Company implements additional verification and monitoring steps beyond the standard CDD process. These measures may include:
Source of Wealth (SoW) and Source of Funds (SoF): Obtaining evidence to verify the origin of the merchant’s capital and the specific funds used in the transaction (e.g., bank statements, financial audits, proof of sales).
Senior Management Approval: Requiring explicit approval from the Compliance Officer or Senior Management before onboarding or continuing the relationship.
Additional Identity Verification: Requesting additional forms of identification or utilizing higher-assurance verification methods.
Enhanced Monitoring: Subjecting the account to more frequent reviews and lower thresholds for transaction monitoring alerts.
6.3. Politically Exposed Persons (PEPs) A PEP is defined as an individual who is or has been entrusted with a prominent public function (e.g., Heads of State, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations), including their immediate family members and close associates.
Foreign PEPs: Are automatically classified as High Risk.
Domestic PEPs: Are assessed on a case-by-case basis but generally treated as elevated risk.
Relationships with PEPs are not prohibited but are subject to strict controls. The Company takes reasonable measures to establish the source of wealth and source of funds of all PEPs and requires Senior Management approval to establish or maintain the relationship.
6.4. Ongoing Review of High-Risk Customers Merchants subject to EDD are reviewed on a periodic basis (at least annually) to ensure that their risk profile remains within the Company’s risk appetite and that KYC information is up to date.
7. Sanctions Screening (OFAC and Global Lists)
7.1. Policy Statement LIGIGA LLC is committed to full compliance with the economic and trade sanctions laws and regulations administered by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, as well as applicable international sanctions regimes mandated by the United Nations (UN), the European Union (EU), and the United Kingdom (HM Treasury).
The Company will not open accounts, process transactions, or facilitate business for any individual or entity that is a target of these sanctions or located in a comprehensively sanctioned jurisdiction.
7.2. Screening Lists The Company utilizes automated screening solutions to verify all customers, beneficial owners (UBOs), authorized representatives, and counterparties against the following watchlists:
OFAC Specially Designated Nationals (SDN) and Blocked Persons List;
OFAC Consolidated Non-SDN List;
United Nations Security Council Consolidated List;
EU Consolidated List of Financial Sanctions;
HM Treasury (UK) Consolidated List of Targets.
7.3. Timing of Screening Sanctions screening is performed at multiple stages of the customer lifecycle:
Onboarding: Prior to opening an account or establishing a business relationship.
Ongoing Monitoring: The customer base is re-screened daily against updated lists to detect if an existing customer has been subsequently sanctioned.
Transaction Screening: Sender and beneficiary details (where applicable) are screened in real-time before a transaction is released.
7.4. Handling Potential Matches (Alerts) When the screening system generates an alert (a "hit"), the account or transaction is automatically placed on hold. The Compliance Officer (or designated analyst) must conduct a review to determine if the match is a "False Positive" or a "True Match."
False Positive: If the alert is determined to be a false alarm (e.g., similar name but different date of birth or location), the hold is released, and the rationale is documented.
True Match: If the alert is confirmed as a valid match against a sanctions list, the relationship is immediately rejected or terminated.
7.5. Blocking and Reporting In the event of a confirmed match against an OFAC list:
Blocking of Funds: If required by law, LIGIGA LLC will block (freeze) the funds or property of the sanctioned party and segregate them into an interest-bearing account.
Rejection: If blocking is not required but the transaction is prohibited, the transaction will be rejected.
Reporting: The Compliance Officer will file a Blocked Property Report or Rejected Transaction Report with OFAC within 10 business days of the occurrence, as required by U.S. law.
8. Transaction Monitoring and Behavioral Analysis
8.1. Objective LIGIGA LLC implements a comprehensive transaction monitoring program designed to detect, analyze, and report suspicious activities that may indicate money laundering, terrorist financing, or other illegal acts. Monitoring is conducted on an ongoing basis to ensure that transactions are consistent with the Company’s knowledge of the merchant, its business profile, and source of funds.
8.2. Monitoring Methodology The Company utilizes a combination of automated monitoring systems and manual oversight. The system is configured with specific rule-based scenarios and thresholds that generate alerts for unusual activity. These rules are periodically reviewed and tuned based on actual data and evolving risk typologies.
8.3. Key Red Flags and Typologies Our monitoring system is designed to detect specific "Red Flags," including but not limited to:
Structuring (Smurfing): Frequent transactions in amounts just below reporting or recording thresholds (e.g., just below $3,000 or $10,000) to avoid detection.
Velocity Checks: A sudden spike in transaction frequency or volume that is inconsistent with the merchant’s historical baseline or expected business activity (e.g., a small retailer suddenly processing millions).
Profile Mismatch: Transactions involving jurisdictions or industries that do not align with the merchant’s stated business purpose during onboarding.
Dormant Accounts: Sudden activation of previously dormant accounts followed by significant fund movement ("pass-through" activity).
Round Dollar Amounts: High volume of transactions in round dollar amounts, which is often indicative of non-commercial activity.
8.4. Alert Management and Investigation When the monitoring system generates an alert, the Compliance team initiates an investigation:
Level 1 Review: An analyst reviews the alert to determine if there is a reasonable economic explanation (e.g., seasonal sales spike). If explained, the alert is closed with a rationale.
Level 2 Investigation: If the activity remains unexplained, the analyst escalates the case. The Company may contact the merchant to request supporting documentation (invoices, contracts, proof of delivery) to justify the transaction.
Freezing of Funds: The Company reserves the right to temporarily hold settlement funds while an investigation is pending.
8.5. Escalation If an investigation confirms that the activity is suspicious and has no lawful or reasonable explanation, the case is escalated to the Compliance Officer for a final determination on whether to file a Suspicious Activity Report (SAR) and/or terminate the business relationship.
9. Virtual Asset Settlement and Closed-Loop Controls
9.1. Internal Settlement Rail Only
LIGIGA LLC utilizes virtual assets (specifically stablecoins such as USDC/USDT) solely as an internal back-end settlement rail to facilitate cross-border liquidity. Crucially, the Company does not offer cryptocurrency wallets, custody, or exchange services directly to Merchants.
Merchants transact and price goods in Fiat currency.
Merchants receive settlements (Payouts) exclusively in Fiat currency.
Merchants have no direct access to private keys, wallet addresses, or the ability to initiate on-chain transfers to external third parties.
9.2. Closed-Loop Fiat Settlement Policy To mitigate the risks associated with money laundering, the Company enforces a strict "Closed-Loop" policy for all fund movements:
Inbound: Funds are accepted solely via regulated local payment methods (e.g., PIX in Brazil) linked to a verifiable commercial transaction. We do not accept direct crypto deposits from merchants or third parties.
Outbound: Funds are converted from stablecoins to Fiat currency by the Company (or its licensed partners) and disbursed exclusively to a verified bank account held in the same legal name as the Merchant ("Same-Name Rule").
No Third-Party Withdrawals: Withdrawals to third-party bank accounts or external cryptocurrency wallets are strictly prohibited and technically blocked by the platform.
9.3. Liquidity Partner Due Diligence Since the Company executes the crypto-asset conversion on behalf of the merchant, our AML controls focus on vetting our upstream liquidity partners (Exchanges and OTC Desks). We only transact with licensed or regulated Virtual Asset Service Providers (VASPs) that maintain robust AML/CFT programs and conduct blockchain monitoring (Chainalysis/Elliptic) on their own pools of liquidity.
9.4. Compliance with Travel Rule (Backend) Although merchants do not transact in crypto, LIGIGA LLC ensures that its internal treasury transfers to liquidity partners (e.g., transferring USDT to a US-based partner for payout) comply with applicable "Travel Rule" requirements. We ensure that all necessary originator information (identifying LIGIGA LLC or the underlying commercial purpose) is transmitted to the beneficiary financial institution as required by FinCEN.
10. Suspicious Activity Reporting (SAR) and Internal Reporting
10.1. Policy Statement LIGIGA LLC is committed to monitoring, investigating, and reporting suspicious activities to the appropriate financial intelligence unit (FIU). As a US-based entity complying with the Bank Secrecy Act (BSA), the Company will file a Suspicious Activity Report (SAR) with the Financial Crimes Enforcement Network (FinCEN) whenever it detects a known or suspected violation of federal law or a suspicious transaction related to money laundering or terrorist financing.
10.2. Thresholds for Reporting The Company will file a SAR for any transaction (conducted or attempted) involving or aggregating to $2,000 or more, if the Company knows, suspects, or has reason to suspect that:
The transaction involves funds derived from illegal activities;
The transaction is designed to evade the requirements of the Bank Secrecy Act (e.g., Structuring);
The transaction serves no business or apparent lawful purpose and involves the use of the Company to facilitate criminal activity;
The transaction involves the use of the Company to facilitate criminal activity.
10.3. Filing Deadlines A SAR must be filed with FinCEN within 30 calendar days after the date of initial detection of facts that may constitute a basis for filing a SAR. If no suspect can be identified on the date of detection of the incident requiring the filing, a SAR may be filed within 60 days.
10.4. Confidentiality and Prohibition on "Tipping Off" The filing of a SAR is strictly confidential. Under US federal law (31 U.S.C. § 5318(g)(2)), it is a criminal offense for the Company, its officers, employees, or agents to notify any person involved in the transaction that the transaction has been reported.
No Disclosure: Employees must never discuss a SAR or an internal investigation with the customer or any unauthorized third party.
Internal Need-to-Know: Information regarding SARs is restricted internally to the Compliance Officer, Senior Management, and legal counsel.
10.5. Internal Reporting Procedures Any employee who suspects that a transaction or activity may be suspicious must immediately report it to the Compliance Officer using an Internal Suspicious Activity Report (ISAR) form.
Employees are not required to determine if the activity is illegal; they must only report what they find unusual.
The Compliance Officer is solely responsible for investigating the internal report and making the final determination on whether to file an official SAR with FinCEN.
Failure to report suspicious activity internally is grounds for disciplinary action.
10.6. Record Retention Copies of all SARs filed, and the original related documentation (supporting evidence), will be maintained by the Company for a period of five (5) years from the date of the filing.
11. Record Retention and Data Privacy
11.1. Retention Policy LIGIGA LLC maintains a comprehensive record retention program in strict compliance with the Bank Secrecy Act (31 CFR § 1010.410) and applicable privacy laws. We retain all records necessary to reconstruct a transaction and to verify the identity of our customers for a minimum period of five (5) years.
11.2. Types of Records Retained The Company retains the following categories of records:
Identification Records (KYC/KYB): Copies of all documents used to verify the identity of the merchant, its UBOs, and authorized representatives (e.g., driver’s licenses, passports, articles of incorporation, proof of address).
Transaction Records: A complete audit trail of all financial activity, including:
Originating PIX transaction details (date, amount, payer information);
Internal currency conversion logs (rates, timestamps, stablecoin conversion hashes);
Settlement/Payout instructions sent to banking partners (ACH/Wire confirmation numbers).
Compliance Records: Copies of all internal reports, risk assessments, negative media screenings, sanctions alerts (and their resolution), and Suspicious Activity Reports (SARs) with their supporting documentation.
11.3. Retention Period Calculation
For Customer Identity Records: The five-year retention period begins after the account is closed or the business relationship is terminated.
For Transaction Records: The five-year retention period begins after the date the transaction is completed.
11.4. Data Privacy and Security All retained records are stored securely in electronic format with industry-standard encryption (AES-256 or equivalent). Access to these records is strictly limited to authorized compliance, legal, and operational personnel on a "need-to-know" basis. The Company implements robust cybersecurity measures to protect this sensitive data from unauthorized access, alteration, or destruction, in accordance with our Privacy Policy and applicable data protection regulations.
12. Employee Training and Awareness
12.1. Training Requirement LIGIGA LLC recognizes that its employees are the first line of defense against money laundering and terrorist financing. Therefore, the Company has established an ongoing AML/CFT Employee Training Program. Participation in this training is mandatory for all employees, officers, and contractors whose duties require knowledge of the BSA, including those in compliance, operations, customer support, and engineering roles related to payment flows.
12.2. Frequency and Timing
New Hires: All relevant new employees must complete the initial AML/CFT training within thirty (30) days of their start date.
Ongoing Training: Existing employees are required to complete refresher training at least annually, or more frequently if there are significant changes to regulations, the Company’s risk profile, or internal procedures.
Targeted Training: Specific roles (e.g., Compliance Analysts) may receive additional, specialized training relevant to their specific job functions (e.g., advanced blockchain analytics or sanctions screening).
12.3. Training Content The training program is designed to ensure employees understand their obligations under the law and this Policy. The curriculum includes, but is not limited to:
The general history and purpose of the Bank Secrecy Act (BSA), USA PATRIOT Act, and OFAC sanctions;
How to identify "Red Flags" and suspicious customer behavior (e.g., structuring, unusual velocity);
The Company’s specific Know Your Business (KYB) and Customer Due Diligence (CDD) procedures;
The strict confidentiality rules regarding Suspicious Activity Reports (SARs) and the prohibition on "tipping off";
The internal procedure for reporting suspicious activity to the Compliance Officer.
12.4. Documentation and Tracking The Compliance Officer is responsible for maintaining records of all training sessions. These records include:
The date of the training;
Attendance logs or digital completion certificates;
Copies of the training materials used;
Results of any comprehension tests or quizzes administered.
These records are retained for a minimum of five years and are made available to auditors or regulators upon request.
13. Independent Audit and Testing
13.1. Audit Requirement LIGIGA LLC establishes an independent audit function to monitor and evaluate the effectiveness of its AML/CFT Program. This review provides Senior Management and the Board of Directors with an objective assessment of the Company’s compliance health and adherence to the Bank Secrecy Act and applicable regulations.
13.2. Frequency and Scope An independent audit will be conducted periodically, generally every 12 to 18 months, or more frequently if deemed necessary based on the Company’s risk profile or significant changes in business operations. The scope of the audit includes, but is not limited to:
Evaluation of the overall integrity and effectiveness of the AML/CFT Program;
Testing of a representative sample of merchant files (KYB/CDD) to ensure adherence to onboarding procedures;
Review of transaction monitoring alerts and Suspicious Activity Reports (SARs) to ensure accuracy and timeliness;
Verification of the effectiveness of the employee training program;
Assessment of the adequacy of record retention practices.
13.3. Independence The audit must be performed by a qualified party who is independent of the AML compliance function. This may be:
An external third-party auditor or consultant with expertise in AML compliance; or
An internal audit department (if applicable), provided that the auditors do not report to the Compliance Officer and are not involved in the execution of the compliance functions being tested.
The Compliance Officer cannot conduct the independent audit of their own program.
13.4. Reporting and Corrective Action The findings of the independent audit must be documented in a written report and presented directly to the Board of Directors (or Senior Management). If the audit identifies any deficiencies or violations:
Management must implement a corrective action plan to address the issues promptly.
The Compliance Officer is responsible for tracking the progress of these corrective actions and reporting their completion to the Board.