Entity Name: Zennopay Inc.

Registered Address: 131 Continental Dr Suite 305, Newark, DE, 19713, United States

Incorporation: September 15, 2025 (Delaware, USA)

Regulator / Licensing Authority: FinCEN (USA)

Last Updated: December 2025

1. Purpose

The purpose of this Anti-Money Laundering and Counter‑Financing of Terrorism (AML/CFT) Policy is to ensure that Zennopay Inc. (“Zennopay”, “Company”, “we”) maintains robust controls to prevent its platform from being used for money laundering, terrorist financing, fraud, or other financial crimes.

This policy establishes a risk‑based framework aligned with:

• U.S. Bank Secrecy Act (BSA)

• FinCEN AML regulations

• FATF Recommendations

• Applicable local laws in countries where Zennopay operates

2. Scope

This policy applies to:

• All Zennopay employees, founders, directors, officers, and contractors

• All customers (individuals and businesses)

• All products and services offered by Zennopay

• All jurisdictions where Zennopay operates or processes transactions

3. Business Overview

Zennopay is a fintech platform enabling cross‑border payments for travelers and global users. Core activities include:

• Customer payments via cards and alternative payment methods

• Settlement and disbursement via regulated payment partners

• FX conversion and payout to local merchants or service providers

Zennopay acts as Merchant of Record where applicable and partners with regulated PSPs for collection, custody, and payout.

4. AML/CFT Governance

4.1 Compliance Officer

Zennopay has appointed a Chief Compliance Officer (CCO) responsible for:

• Implementing and maintaining the AML/CFT program

• Liaising with regulators and partners

• Reviewing suspicious activity

• Ensuring regulatory reporting

CCO: Aman Pal

4.2 Board & Senior Management Oversight

Senior management is responsible for:

• Approving this policy

• Ensuring adequate compliance resources

• Promoting a culture of compliance

5. Risk‑Based Approach

Zennopay adopts a risk‑based approach considering:

5.1 Customer Risk

• Individual vs business customers

• Residency and nationality

• Transaction behavior

• Use of proxies or intermediaries

5.2 Geographic Risk

• Countries subject to sanctions, FATF grey/blacklists

• High‑risk or non‑cooperative jurisdictions

5.3 Product & Transaction Risk

• Cross‑border payments

• FX conversions

• High‑velocity or high‑value transactions

Controls are proportionate to the assessed risk level.

6. Customer Due Diligence (CDD)

6.1 Individual Customers

At onboarding, Zennopay collects and verifies customer identity using Stripe Identity, a regulated identity verification service. Stripe Identity enables automated KYC checks including document verification and biometric validation.

Information collected and verified includes:

• Full legal name

• Date of birth

• Nationality

• Government-issued ID

• Selfie / liveness check (where applicable)

At onboarding, Zennopay collects and verifies:

• Full legal name

• Date of birth

• Nationality

• Government‑issued ID

• Selfie / liveness check (where applicable)

6.2 Business Customers (If Applicable)

For merchants or partners, Zennopay collects:

• Legal entity name

• Registration documents

• Ownership structure

• Ultimate Beneficial Owners (UBOs ≥25%)

• Authorized signatories

7. Enhanced Due Diligence (EDD)

EDD is applied to high‑risk customers, including:

• Politically Exposed Persons (PEPs)

• High‑risk jurisdictions

• Unusual transaction patterns

EDD measures may include:

• Additional documentation

• Source of funds verification

• Senior management approval

8. Sanctions & Watchlist Screening

Zennopay screens customers and transactions against:

• OFAC sanctions lists

• UN sanctions lists

• EU and UK sanctions

• Internal and partner watchlists

Matches are reviewed and escalated prior to transaction approval.

9. Transaction Monitoring

Zennopay implements a combination of automated and manual transaction monitoring controls to detect and prevent suspicious activity.

9.1 Automated Monitoring

Zennopay leverages Stripe Radar, Stripe’s machine-learning–based fraud detection and monitoring system, to:

• Monitor card and payment transactions in real time

• Detect anomalous behavior and high-risk payment patterns

• Block or flag transactions based on risk scores and custom rules

Stripe Radar signals are used as an initial risk filter before funds are accepted or settled.

9.2 Internal Monitoring Controls

In addition to Stripe Radar, Zennopay applies internal monitoring to identify:

• Structuring or smurfing behavior

• Rapid transaction velocity

• Repeated failed or reversed transactions

• Unusual geographic or device patterns

Alerts generated by Stripe Radar or internal systems are reviewed by the compliance team and documented with appropriate actions taken.

Zennopay implements automated and manual monitoring to detect:

• Structuring or smurfing

• Rapid transaction velocity

• Unusual geographic patterns

• Repeated failed transactions

Alerts are reviewed by the compliance team and documented.

10. Suspicious Activity Reporting (SAR)

Zennopay files Suspicious Activity Reports (SARs) with FinCEN when:

• There is reasonable suspicion of money laundering or terrorist financing

• Activity lacks lawful purpose

• Transactions appear structured to evade reporting

SARs are filed confidentially and within regulatory timelines.

11. Record Keeping

Zennopay maintains records for a minimum of 5 years, including:

• Customer identification data

• Transaction records

• Compliance reviews

• SAR filings and investigations

12. Training & Awareness

All relevant personnel receive:

• AML/CFT training at onboarding

• Annual refresher training

• Role‑specific compliance guidance

Training completion is documented.

13. Third‑Party & Partner Risk Management

Zennopay conducts due diligence on:

• Payment processors

• On‑ramp / off‑ramp providers

• Banking and settlement partners

Only regulated and reputable partners are engaged.

14. Data Protection & Confidentiality

All AML/CFT data is:

• Stored securely

• Access‑restricted

• Processed in compliance with applicable data protection laws

SARs and investigations are strictly confidential.

15. Policy Review & Updates

This policy is reviewed:

• At least annually

• Upon regulatory changes

• When business activities materially change

Updates require senior management approval.

16. Enforcement & Disciplinary Action

Violations of this policy may result in:

• Disciplinary action

• Termination of employment or contracts

• Reporting to regulators where required

Approved By: Board of Directors, Zennopay Inc.

Effective Date: December 2025