Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Policy

This Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Policy (the “Policy”) sets forth the principles, controls, and procedures implemented by TWENTY FOUR TWELVE SOCIETY INTERNATIONAL LIMITED ("the Company", "we", "our") to detect, prevent, and report any potential misuse of its platform for purposes of money laundering, terrorism financing, or other financial crimes.

This Policy applies to all directors, officers, staff, contractors, and third-party service providers engaged with the Company.

1. Purpose and Scope of the Policy

The purpose of this Policy is to outline the Company’s firm commitment to preventing its services from being used for money laundering or the financing of terrorism. In accordance with theFinancial Action Task Force (FATF) recommendations and Hong Kong’s Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615), the Company enforces stringent controls to mitigate financial crime risk.

This Policy applies to all activities and operations carried out by the Company, including but not limited to:

• Onboarding of users and clients;

• Transactions involving financial flows or asset transfers;

• Use of third-party payment processors;

• Engagement with vendors, partners, and sub-contractors.

All stakeholders are required to adhere strictly to this Policy and report any suspected or actual breach immediately to the designated Compliance Officer.

2. Definition of Money Laundering and Terrorist Financing

Money laundering refers to the process by which individuals or entities conceal the origin of illegally obtained funds, typically by transferring them through legitimate businesses or financial systems to make them appear lawful. This process generally involves three stages: placement,layering, and integration.

Terrorist financing involves the solicitation, collection, or provision of funds with the intention or knowledge that they will be used, in whole or in part, to support terrorist activities, irrespective of whether the funds are of legitimate or illicit origin.

The Company recognizes that even unintentional involvement in such activities can lead to serious legal, reputational, and financial consequences. As such, strict zero-tolerance principles are applied, and all users, clients, and stakeholders are screened and monitored accordingly.

3. Client Due Diligence (CDD) and Enhanced Due Diligence (EDD)

The Company implements a risk-based approach to Client Due Diligence (CDD), ensuring that the level of scrutiny applied to users corresponds to the level of risk they pose. As a general principle, the identity of all clients and users must be verified prior to the establishment of any business relationship or the execution of any financial transaction above a threshold determined by internal compliance guidelines.

At a minimum, standard CDD procedures include:

• Full legal name

• Residential or business address

• Date and place of birth (for individuals)

• Company registration number and proof of incorporation (for entities)

• A valid government-issued photo ID or official corporate documentation

• Verification of beneficial ownership (UBO)

Enhanced Due Diligence (EDD) is applied to clients assessed as higher risk, such as:

• Politically Exposed Persons (PEPs)

• Clients residing in or associated with high-risk jurisdictions (as per FATF listings)

• Clients executing large or complex transactions with no apparent economic rationale

• Clients using intermediary or third-party payment channels

EDD measures may include obtaining:

• Additional identification documents

• Source of funds and source of wealth documentation

• Ongoing monitoring and transaction limits

• Approval from a senior manager or compliance officer before onboarding

Failure to satisfactorily complete CDD/EDD will result in denial or termination of services.

4. Risk Assessment and Customer Risk Profiling

The Company maintains a comprehensive AML Risk Assessment Framework, which identifies and evaluates the potential exposure of the business to money laundering and terrorist financing risks. Each customer is assigned a risk profile based on a combination of factors, including:

• Geographic location and jurisdiction of residence

• Type of client (individual, corporate, intermediary)

• Nature and expected volume of activity on the platform

• Payment methods used (bank transfer, escrow, crypto, etc.)

• History of suspicious behavior or flagged activity

This profile determines the frequency and intensity of monitoring, the documentation required during onboarding, and any internal controls that must be applied.

Risk profiles are reviewed periodically and adjusted dynamically based on new information, behavior changes, or external alerts from regulatory or enforcement bodies. A high-risk rating may trigger alerts, escalation to the Compliance Officer, and reporting to relevant authorities if necessary.

The risk classification methodology is documented and reviewed annually by the AML Compliance Officer, with updates made as needed to reflect changes in regulation or business model.

5. Ongoing Monitoring and Reporting Obligations

The Company enforces continuous monitoring of customer activity throughout the lifecycle of the business relationship. This includes reviewing transactions to ensure they are consistent with the customer’s risk profile, business type, and known source of funds.

Key components of ongoing monitoring include:

• Automated detection of suspicious patterns (e.g., structuring, rapid movement of funds, use of multiple payment instruments)

• Periodic review of customer documentation and risk classification

• Alerts generated for transactions exceeding pre-defined thresholds

• Flagging of unusual changes in behavior or transaction frequency

Where a transaction or customer behavior raises suspicion of money laundering or terrorist financing, the Company is legally obliged to file a Suspicious Transaction Report (STR) orSuspicious Activity Report (SAR) with the competent authority in Hong Kong, such as the Joint Financial Intelligence Unit (JFIU).

No tipping-off is allowed: staff are strictly prohibited from informing a customer or third party that a report has been filed or an investigation is underway.

The Compliance Officer maintains a register of all STRs/SARs, including internal justifications and follow-up actions, in line with regulatory obligations and confidentiality requirements.

6. Record Keeping and Documentation Retention

The Company maintains all AML-relevant records for a minimum period of seven (7) years, or longer where required by applicable laws or in connection with pending investigations or litigation.

Records retained include:

• Identification documents and KYC files

• Transaction records and logs

• Risk assessments and customer profiling documents

• Copies of STRs/SARs and correspondence with regulatory bodies

• Internal compliance reports and audit results

These records must be readily accessible and retrievable upon request by competent authorities. The Company uses secure and encrypted storage systems to ensure data integrity, confidentiality, and availability.

Access to AML-related records is strictly limited to authorized personnel. Any breach or attempted breach of data access protocols will be investigated and reported to the Compliance Officer and, if necessary, to relevant authorities.

7. Internal Controls and Staff Training

The Company maintains a robust system of internal controls to ensure ongoing compliance with AML and CTF regulations. These controls are embedded across operational, compliance, and risk management departments and are regularly reviewed to adapt to evolving threats and regulatory updates.

Key internal control measures include:

• Segregation of duties between client-facing, operational, and compliance staff

• Mandatory two-factor authentication and audit trails for system access

• Automated transaction monitoring tools integrated with manual review procedures

• Periodic independent internal audits of AML systems and controls

In addition, AML training programs are mandatory for all employees, including:

• Initial onboarding training within 30 days of hire

• Annual refresher training for all staff

• Specialized modules for high-risk departments (e.g., client onboarding, finance)

Training covers:

• Red flags and typologies of money laundering

• Company-specific AML procedures and escalation paths

• Legal consequences for non-compliance

• Obligations to detect, report, and document suspicious activity

Employees are required to certify completion of training and are tested periodically to ensure understanding. Disciplinary measures, including termination, apply in cases of willful disregard of AML obligations.

8. Appointment and Responsibilities of the AML Compliance Officer

The Company designates a qualified AML Compliance Officer (CAMLO) who holds ultimate responsibility for the implementation, supervision, and continuous improvement of the AML/CTF framework.

The Compliance Officer must:

• Have sufficient authority, independence, and resources

• Report directly to senior management or the board of directors

• Possess up-to-date knowledge of AML laws, regulations, and typologies

• Ensure all staff receive adequate training and support

Core responsibilities include:

• Overseeing client due diligence and enhanced due diligence processes

• Managing the transaction monitoring system and reviewing alerts

• Filing STRs/SARs to competent authorities and maintaining relevant logs

• Liaising with law enforcement, regulators, and financial intelligence units

• Conducting internal AML risk assessments and coordinating external audits

• Updating internal procedures in response to changes in legal or operational risk

The AML Compliance Officer’s name and contact information are documented internally and made available to regulatory authorities upon request.

9. Third-Party Reliance and Outsourcing

The Company may, in specific cases, rely on third parties to perform certain aspects of the Customer Due Diligence (CDD) process, including the collection and verification of identification data, subject to strict conditions and contractual safeguards.

Third-party reliance is only permitted when:

• The third party is a regulated financial or professional institution subject to equivalent AML standards;

• A formal agreement is in place, outlining responsibilities, data sharing obligations, and breach consequences;

• The third party agrees to provide all identification data, verification documentation, and risk assessments immediately upon request.

Nevertheless, ultimate responsibility for compliance remains with the Company. The AML Compliance Officer ensures:

• Due diligence is performed on all outsourced service providers;

• Regular audits are conducted to verify compliance with the agreement and applicable regulations;

• Records of third-party arrangements are securely maintained for inspection by regulators.

Outsourcing of transaction monitoring or KYC onboarding functions never entails a transfer of accountability. The Company retains full supervisory control and reserves the right to revoke outsourcing agreements if standards are not met.

10. Sanctions Screening and PEP Checks

All customers, counterparties, and beneficial owners are systematically screened against relevant sanctions lists and PEP (Politically Exposed Persons)databases prior to onboarding and on a continuous basis thereafter.

Screening covers:

• United Nations Security Council Sanctions Lists

• EU Consolidated Financial Sanctions List

• U.S. OFAC SDN (Specially Designated Nationals) List

• UK HM Treasury Sanctions List

• Hong Kong Monetary Authority (HKMA) and JFIU watchlists

• Commercial PEP and Adverse Media databases

If a match is found:

• The onboarding process is halted or the account is frozen, depending on severity;

• An internal investigation is launched under the oversight of the AML Compliance Officer;

• A Suspicious Transaction Report (STR) may be filed with the JFIU;

• External legal advice is sought when necessary to evaluate the risk and legal implications.

Customers flagged as PEPs are subject to Enhanced Due Diligence, including verification of the source of funds and wealth, approval from senior management, and closer ongoing monitoring. PEP status is reassessed regularly, and relationships with high-risk individuals may be terminated at the Company’s discretion.