Back to website
Neo Pay LLP

AML/CFT Internal Control Rules

Published at neopay.tech

RULES

of Internal Control for the Purposes of Counteracting Money Laundering and Financing of Terrorism and Financing of Proliferation of Weapons of Mass Destruction in the Payment Organization Neo Pay LLP

Almaty

Chapter 1. General Provisions

Article 1. Basic Terms

1. These Internal Control Rules of Neo Pay LLP (hereinafter – the “Payment Organization”) for the purposes of counteracting money laundering and financing of terrorism (hereinafter — the “Rules”) use the following terms and abbreviations: 1) Customer Profile — a customer card in the Neo Pay automated information system (hereinafter — the “System”), which records information necessary for the identification of the customer (its representative) and beneficial owner; 2) FMA — the Financial Monitoring Agency of the Republic of Kazakhstan, the authorized state body exercising financial monitoring and implementing other measures for AML/CFT and countering the financing of proliferation of weapons of mass destruction in accordance with the AML/CFT Law; 3) ARDFM — the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market; 4) Beneficial Owner — a natural person: a) who directly or indirectly owns more than twenty-five percent of participation interests in the authorized capital or issued (less preferred and repurchased shares) of a legal entity customer; b) who exercises control over the customer in another manner; c) for whose benefit transactions with money and/or other property are conducted by the customer; 5) Proceeds of Crime — money and/or other property obtained as a result of a criminal offense; 6) Business Relationship — a relationship involving the provision of services (products) by the Payment Organization to a customer; 7) AML/CFT Law — the Law of the Republic of Kazakhstan dated 28 August 2009 “On Counteracting Legalization (Laundering) of Proceeds from Crime and Financing of Terrorism”; 8) Freezing of Transactions with Money and/or Other Property — measures taken by financial monitoring entities and state authorities to suspend the transfer, conversion, alienation, or movement of money and/or other property; 9) National Public Official (NPO) — a person holding a responsible public position; an official; a person authorized to perform state functions; or a person performing managerial functions in a state organization or in the quasi-public sector; 10) Foreign Public Official (FPO) — a person appointed or elected to a position in legislative, executive, administrative, judicial bodies or armed forces of a foreign state; a person performing any public function for a foreign state; or a person holding a senior position in organizations established by states under agreements having the status of international treaties; 11) Customer — a natural person who applies to the Payment Organization for the provision of services; 12) Money Laundering (ML) — the process of integrating into the legitimate circulation of money and/or other property obtained through criminal means by conducting transactions in the form of conversion or transfer of property representing proceeds of criminal offenses, or possession and use of such property, concealment or disguise of its true nature, source, location, disposition method, movement, rights to property or its ownership, provided that such property is known to represent proceeds of criminal offenses, as well as mediation in the legalization of money and/or other property obtained through criminal means. 13) Unusual transaction (operation) — a customer transaction (operation) subject to mandatory review in accordance with paragraph 4 of Article 4 of the AML/CFT Law, taking into account the criteria for identifying suspicious transactions defined by the authorized state body exercising financial monitoring and implementing other measures for counteracting money laundering, financing of terrorism, and financing of proliferation of weapons of mass destruction (hereinafter — the “Authorized Body”) in accordance with paragraph 2 of Article 10 of the AML/CFT Law, as well as criteria developed independently by the Organization; 14) ML/TF/PF — money laundering, financing of terrorism, and financing of proliferation of weapons of mass destruction; 15) Transactions subject to financial monitoring — customer transactions with money and/or other property in respect of which financial monitoring is established in accordance with the AML/CFT Law; 16) AML/CFT Responsible Officer — an employee of the Payment Organization responsible for oversight and implementation of internal control over counteracting money laundering and financing of terrorism within the Payment Organization; 17) FMA List — the list of organizations and individuals associated with financing of terrorism and extremism, compiled and published on the official website of the Financial Monitoring Agency (FMA); 18) PF/WMD List — the list of organizations and individuals associated with financing and proliferation of weapons of mass destruction, compiled and published on the official website of the Financial Monitoring Agency (FMA); 19) AML/CFT — counteraction to money laundering, financing of terrorism, and financing of proliferation of weapons of mass destruction; 20) Suspicious transaction — a customer transaction (including an attempt to carry out such transaction, a transaction in the process of being carried out, or a completed transaction) in respect of which there are grounds for suspicion that the money and/or other property used for its execution are proceeds of criminal activity, or that the transaction itself is aimed at money laundering, financing of terrorism, or other criminal activity. 21) Threshold transaction — a customer transaction with money and/or other property which, in accordance with paragraph 1 of Article 4 of the AML/CFT Law, is subject to financial monitoring; 22) Employee of the Payment Organization — employees of the structural units of the Payment Organization participating in customer servicing and transaction processing within Neo Pay; 23) ML/TF risk — the risk of intentional or unintentional involvement of the Payment Organization in money laundering and financing of terrorism processes or other criminal activities; 24) Senior Officer — the Chief Executive Officer (General Director) of the Payment Organization; 25) AML/CFT risk management — a set of measures taken within the Payment Organization to identify, assess, monitor, and mitigate ML/TF risks, including in relation to services, customers, and transactions carried out by customers; 26) FATF — the Financial Action Task Force on Money Laundering, an intergovernmental organization developing financial measures to combat money laundering and financing of terrorism; 27) Financing of Terrorism — the provision or collection of money and/or other property, rights to property, or property-related benefits, as well as donations, exchange, charitable contributions, or provision of informational or other services, or financial services to an individual or group of persons or a legal entity, carried out by a person who knowingly understands the terrorist nature of such activity or that the provided property, services, or assistance will be used for terrorist activities or to support a terrorist group, terrorist organization, or illegal paramilitary formation; 28) Financing of Proliferation of Weapons of Mass Destruction — the provision of funds or financial services used, in whole or in part, for the manufacture, acquisition, possession, development, export, cross-border transfer, brokering, transportation, transfer, accumulation, or use of nuclear, chemical, or biological weapons and their means of delivery, as well as related materials (including dual-use technologies and goods used for illicit purposes), in violation of national legislation or, where applicable, international obligations. 29) Financial monitoring — a set of measures for the collection, processing, analysis, and use of information and data on transactions with money and/or other property, carried out by the FMA and the Payment Organization in accordance with the AML/CFT Law;

30) Targeted financial sanctions — measures involving the freezing of transactions with money and/or other property, applied by the Payment Organization and state authorities in accordance with the Law and resolutions of the United Nations Security Council relating to the prevention and suppression of terrorism and terrorist financing, as well as the prevention, obstruction, and cessation of proliferation of weapons of mass destruction and its financing. 2. Other terms and abbreviations used in these Rules and not defined in paragraph 1 of these Rules shall be applied in accordance with the meanings established by the legislation of the Republic of Kazakhstan.

Article 2. General Provisions

1. These Rules have been developed in accordance with the AML/CFT Law, regulatory legal acts of the Republic of Kazakhstan governing AML/CFT matters, taking into account the FATF Recommendations and clarifications issued by the state authorities of the Republic of Kazakhstan (ARDFM, FMA, and the National Bank of the Republic of Kazakhstan). 2. The Payment Organization shall take measures to ensure that the services (products) provided by it are not used by other persons for the purposes of committing or facilitating money laundering and/or financing of terrorism. 3. These Rules are aimed at establishing mechanisms enabling proper customer due diligence (CDD) of the customer (its representative) and beneficial owner with whom the Payment Organization enters into business relationships, and whose transactions it processes, in order to ensure the management of risks of intentional or unintentional involvement of the Payment Organization in money laundering and financing of terrorism processes.

4. These Rules are mandatory and shall be complied with by all employees of the Payment Organization.

5. Internal AML/CFT control shall be implemented by the Payment Organization for the purposes of: 1) ensuring compliance by the Payment Organization with AML/CFT legislation requirements; 2) maintaining the effectiveness of the internal control system at a level sufficient to manage ML/TF risks and associated risks (operational, reputational); 3) preventing the involvement of the Payment Organization, its officers, and employees in ML/TF processes; 4) maintaining the business reputation of the Payment Organization as a financial institution not associated with illicit money flows in its relations with customers and other persons. In addition to the internal control measures provided for in the first part of this paragraph, the Payment Organization shall also ensure compliance with targeted financial sanctions related to the prevention, suppression, and cessation of proliferation of weapons of mass destruction and its financing, as provided for in Articles 12-1 and 13 of the AML/CFT Law. 6. Within the framework of the organization of internal control for AML/CFT purposes, the Payment Organization develops internal control rules, including requirements for the internal audit function of the organization or any other body authorized to conduct internal audit, to assess the effectiveness of the internal control system for AML/CFT purposes. 7. The internal control system for AML/CFT purposes consists of programs developed by the Payment Organization independently and representing a set of the Rules and other internal AML/CFT documents. 8. The components of the internal AML/CFT system include: 1) the internal control organization program for AML/CFT purposes, including the appointment of the AML/CFT compliance officer; 2) the risk management program for ML/TF, taking into account customer risks and risks of using services (products) for criminal purposes, including the risk of use of technological advancements, as a set of measures taken by the Payment Organization to identify, assess, and monitor ML/TF risks, as well as to mitigate them; 3) the customer (including their representatives) and beneficial owner identification program; 4) the customer transaction monitoring and examination program, including the examination of complex and unusual customer transactions; 5) the AML/CFT training and capacity-building program.

Chapter 2. Internal Control Program for Combating Money Laundering and Terrorist Financing

Article 3. Internal Control System for Combating Money Laundering and Terrorist Financing

1. The internal control organization program for AML/CFT purposes includes, but is not limited to: 1) the procedure for recording information, as well as storing documents and data obtained in the course of implementing internal control for AML/CFT purposes; 2) the procedure for the application of targeted financial sanctions, including screening of the client (its representative) and the beneficial owner against the list of organizations and individuals associated with the financing of terrorism and extremism, compiled in accordance with Articles 12 and 12-1 of the AML/CFT Law; 3) the procedure for lifting targeted financial sanctions upon the removal of client information from the relevant lists; 4) the procedure for informing employees of the Payment Organization, including the AML/CFT Compliance Officer and the senior management, of any known violations of the AML/CFT Law and the Rules committed by employees of the Payment Organization. 2. The internal control system of the Payment Organization comprises three lines of defense, where: 1) first line of defense – all employees of the Payment Organization involved in establishing business relationships with clients and conducting transactions, who are responsible for the timely escalation of information regarding violations, deficiencies, events, or transactions that may give rise to ML/TF risk; 2) second line of defense – the AML/CFT Compliance Officer, risk managers, and the security function; 3) third line of defense – the internal audit function or another body whose functions are not combined with those of the AML/CFT Compliance Officer or other employees of the Payment Organization, which performs, upon instruction of senior management, an independent assessment of the effectiveness of the AML/CFT internal control system.

Article 4. Compliance Officer for Combating Money Laundering and Financing of Terrorism

1. For the purposes of effective implementation of the AML/CFT system within the Payment Organization, an AML/CFT Compliance Officer shall be appointed. The AML/CFT Compliance Officer is responsible for monitoring compliance with the internal control rules. The AML/CFT Compliance Officer shall have higher education, at least two (2) years of work experience in financial organizations or organizations engaged in microfinance activities (excluding experience in technical or support positions), and must have no outstanding or unexpunged criminal record. 2. The functions of the AML/CFT Compliance Officer include: 1) ensuring that the Rules and/or amendments and additions thereto are developed and maintained within the Payment Organization, as well as monitoring compliance therewith; 2) organizing the submission and monitoring the submission of reports to the AFM; making decisions on recognizing client transactions as suspicious and on the necessity of submitting reports to the AFM in the cases and procedures provided for by the AML/CFT Law and the Rules; 3) informing senior management of identified clients and measures taken in relation to the application of targeted financial sanctions; 4) making or coordinating with senior management decisions on refusal to conduct client transactions, as well as on the establishment, continuation, or termination of business relationships with clients in the cases and procedures provided for by the AML/CFT Law and the Rules; 5) informing senior management of identified violations of internal control rules in accordance with the procedure established by internal documents; 6) developing and assigning AML/CFT training courses and assessment questions for the purpose of training employees of the Payment Organization on AML/CFT matters; 7) preparing and coordinating with senior management information on the results of implementation of the internal control rules and recommended measures to improve risk management and internal control systems for AML/CFT purposes for reporting purposes; 8) coordinating the collection of quantitative and qualitative indicators for assessing the risk of the organization’s involvement in ML/TF processes and submitting the required information to the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market on an annual basis, no later than 5 February of the year following the reporting year; 9) submitting requests to senior management for decision-making on the establishment, continuation, or termination of business relationships with clients in the cases and procedures provided for by the AML/CFT Law and/or internal documents of the organization. 3. In performing its functions, the AML/CFT Compliance Officer shall be entitled to: 1) access all premises of the Payment Organization, information systems, telecommunications tools, documents, information, and files to the extent necessary for the full performance of its duties; 2) request additional information and/or documents from employees of the Payment Organization, and such employees shall be obliged to provide the requested information and/or documents; 3) issue instructions to employees of the Payment Organization regarding transactions with money and/or other property; 4) coordinate employees of the Payment Organization on AML/CFT matters. 4. In performing its functions, the AML/CFT Compliance Officer shall be obliged to: 1) ensure the confidentiality of information obtained in the course of performing its functions; 2) ensure the safekeeping of all documents and files received. 5. The functions of the AML/CFT Compliance Officer shall not be combined with the functions of the internal audit function or any other body authorized to conduct internal audit, nor with the functions of other employees of the Payment Organization.

Article 5. Employees of the Payment Organization and Senior Management

1. Employees of the Payment Organization shall ensure the safekeeping and confidentiality of received information, accurate and complete recording of information on the client (its representative), beneficial owner, and client transactions, timely updating of client (its representative) and beneficial owner information in the client profile, and compliance with other requirements provided for by these Rules. 2. Employees of the Payment Organization are prohibited from informing clients or any other persons about the forms, methods, or procedures of internal control for AML/CFT purposes applied within the Payment Organization, including disclosure of information, data, and documents relating to clients and their transactions submitted to the AFM. 3. To prevent any undue influence on the AML/CFT Compliance Officer, the Payment Organization shall ensure the protection of information relating to the AML/CFT Compliance Officer, including full name, contact telephone numbers, and residential address. Employees of the Payment Organization are prohibited from disclosing information about the AML/CFT Compliance Officer to clients. 4. All employees of the Payment Organization, regardless of their position, shall, within the scope of their competence, participate in activities aimed at implementing these Rules. 5. Employees responsible for the development and implementation of technical enhancements, modifications, and/or additions to AML/CFT-related processes shall coordinate all new enhancements and/or changes affecting AML/CFT processes with the AML/CFT Compliance Officer at the development stage. 6. Employees of the Security Service of the Payment Organization shall, upon request of the AML/CFT Compliance Officer, provide assistance in carrying out activities aimed at identifying and investigating suspicious situations, violations, transactions, and operations related to AML/CFT matters.

Article 6. Procedure for Recording Information and Storage of Documents and Data

1. Information on clients and their transactions obtained in the course of implementing internal control measures for AML/CFT purposes is confidential. 2. Documents and information obtained as a result of customer due diligence (CDD) of the client (its representative) and the beneficial owner shall be recorded in documentary form and included in the client file, and shall be retained by the Payment Organization throughout the entire duration of the business relationship with the client and for at least five (5) years from the date of termination thereof. 3. Documents and information on transactions involving money and/or other property that are subject to financial monitoring, as well as suspicious transactions, including the results of examination of all complex, unusually large, and other unusual transactions, shall be retained by the Payment Organization for at least five (5) years after the completion of the transaction. 4. The documents and information specified in paragraphs 2 and 3 of this Article shall contain information sufficient to enable the reconstruction of the client’s transactions, including transaction amounts. 5. For the purposes of implementing internal control for AML/CFT purposes, the Payment Organization uses an automated System enabling the collection and storage of information on the client (its representative) and the beneficial owner, as well as the history of client servicing and use of services.

Chapter 3. Risk Management Program for Money Laundering and Terrorist Financing

Article 7. Objectives of the Program for Managing Risks of Legalization (Laundering) of Proceeds from Crime and Financing of Terrorism

1. The program for managing risks of legalization (laundering) of proceeds from crime and financing of terrorism defines the procedure for organizing risk management in relation to such risks across the structural divisions of the Payment Organization, the functional responsibilities of employees of the Payment Organization in the risk management process, the methodology for calculating risk assessments, the procedure for assigning risk levels, the timeframes and grounds for reviewing client risk levels, the procedure for conducting regular monitoring, analysis and control of client risks and the degree of exposure of the Payment Organization’s services (products) to risks of legalization (laundering) of proceeds from crime and financing of terrorism, as well as a list of preventive measures. 2. The objective of the program for managing risks of legalization (laundering) of proceeds from crime and financing of terrorism is the classification of clients and services (products) by risk levels in order to concentrate efforts on areas exposed to the highest level of risk. 3. When implementing the program for managing risks of legalization (laundering) of proceeds from crime and financing of terrorism, the Payment Organization shall take into account published information from the risk assessment report on legalization (laundering) of proceeds from crime and financing of terrorism in accordance with paragraph 6 of Article 11-1 of the AML/CFT Law. Risk assessment results shall be provided upon request of the authorized body for regulation, control and supervision of the financial market and financial organizations in accordance with part one of Article 14 of the Law of the Republic of Kazakhstan “On State Regulation, Control and Supervision of the Financial Market and Financial Organizations.”

Article 8. Procedure for Organizing ML/TF Risk Management within the Payment Organization across Structural Divisions

1. The organization of ML/TF risk management within the Payment Organization is carried out by employees of the Payment Organization’s structural divisions in accordance with the three lines of defense provided for in paragraph 2 of Article 3 of these Rules. 2. For the purposes of ML/TF risk management, employees of the Payment Organization shall be obliged to perform the following procedures: 1) First line of defense (employees of the Payment Organization’s branches involved in customer service and transaction processing): a) perform customer due diligence in accordance with the requirements of these Rules; b) identify ML/TF risk and assign a risk level to the client upon establishment of business relationships in accordance with the requirements of these Rules; c) immediately inform the AML/CFT Compliance Officer of identified risks, violations, deficiencies, events, or transactions that may give rise to ML/TF risk; d) promptly implement measures to prevent and mitigate ML/TF risk; e) develop and implement technical enhancements, modifications, and/or additions to AML/CFT-related processes in compliance with the legislation of the Republic of Kazakhstan on AML/CFT and these Rules; 2) Second line of defense (AML/CFT Compliance Officer) – performs the functions provided for in Article 4 of these Rules; 3) Third line of defense (audit) – performs, upon instruction of senior management, an independent assessment of the effectiveness of the AML/CFT internal control system.

Article 9. Risk Assessment Methodology. Risk Categories and Factors

On an annual basis, the Payment Organization assesses the degree of exposure of its services (products) to Anti–Money Laundering and Counter–Financing of Terrorism risks, taking into account at least the following risk categories: 1) client-type risk; 2) country (geographical) risk; 3) service (product) risk and/or the method of its delivery. 2. The assessment of the exposure of the Payment Organization’s services (products) to Anti–Money Laundering and Counter–Financing of Terrorism risks is accompanied by a description of possible measures aimed at mitigating identified risks, including changes to customer identification and transaction monitoring procedures, setting limits on the provision of microloans, changes in service (product) conditions, and refusal to provide services (products).

Article 10. Client-Type Risk

1. Client types whose status and/or activities increase Anti–Money Laundering and Counter–Financing of Terrorism risk include the following: 1) politically exposed persons, their spouses, and close relatives; 2) persons located (registered) in foreign states specified in paragraph 2 of Article 11 of these Rules, as well as branches and representative offices of such persons located in the Republic of Kazakhstan; 3) foreign financial organizations; 4) legal entities and individual entrepreneurs whose activities are associated with intensive cash turnover.

Article 11. Country (Geographical) Risk

1. The Payment Organization shall assess country (geographical) risk associated with the provision of services (products) to clients from foreign jurisdictions specified in paragraph 2 of this Article. 2. Foreign jurisdictions whose transactions increase the risk of money laundering and terrorist financing (ML/TF) include: 1) jurisdictions included in the list of countries (territories) that do not comply or insufficiently comply with the recommendations of the Financial Action Task Force (FATF), compiled by the Financial Monitoring Agency (AFM); 2) jurisdictions subject to international sanctions (embargoes) imposed by resolutions of the United Nations Security Council; 3) jurisdictions included in the list of offshore zones in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market (ARDFM) dated February 24, 2020 No. 8 “On Establishing the List of Offshore Zones for the purposes of banking and insurance activities, activities of professional participants of the securities market and other licensed types of securities market activities, activities of joint-stock investment funds and activities of organizations engaged in microfinance activities” (registered in the State Register of Regulatory Legal Acts under No. 20095); 4) jurisdictions identified by the Payment Organization as high-risk for ML/TF based on other factors (information on the level of corruption, illegal production, trafficking and/or transit of drugs, and information on support for international terrorism). 3. References to the lists of such jurisdictions specified in subparagraphs 1) and 2) of paragraph 2 of this Article are published on the official website of the Financial Monitoring Agency (AFM). 4. The source of information on the jurisdictions specified in subparagraph 4) of paragraph 2 of this Article shall be publicly available open sources.

Article 12. Risk of Services (Products) and/or Methods of Their Provision

1. Services (products) and/or methods of their provision that increase the risk of money laundering and terrorist financing (ML/TF) include, but are not limited to: 1) remote customer servicing, including servicing via personal computers, telephones, and electronic terminals; 2) cash withdrawals exceeding 10,000,000 tenge or an equivalent amount in foreign currency exceeding 10,000,000 tenge; 3) new products and business practices involving mechanisms for information transfer using new and emerging technologies for both existing and newly introduced products. 2. When assessing the degree of exposure of the Payment Organization’s services (products) to ML/TF risks in accordance with the risk categories and factors specified in Articles 10–12 of these Rules, the Payment Organization shall take into account additional information affecting the overall risk level, including but not limited to: 1) the number of suspicious transaction reports submitted by the Payment Organization to the AFM regarding client transactions; 2) the number of threshold transaction reports submitted by the Payment Organization to the AFM regarding client transactions.

Article 13. Procedure for Assignment, Timing, and Grounds for Review of Client Risk Levels

1. The client risk level is assigned by the Payment Organization based on the analysis of client information obtained through customer identification and transaction monitoring procedures, and is assessed according to the risk rating scale developed by the Payment Organization, which includes the following levels: 1) low; 2) high. 2. For the classification of clients and risk assessment, the risk categories and factors defined in Articles 10–12 of these Rules are applied, including client type risk, country (geographical) risk, service (product) risk and/or method of its provision, as well as other risk categories and factors in accordance with the risk calculation methodology set out in Annex 5 to these Rules. 3. The initial risk assessment of a client is carried out automatically based on identification data obtained from the client at the time of establishing a business relationship, which is entered by the Payment Organization employee into the client profile in the System. 4. The client (or group of clients) risk level is reviewed by the Payment Organization as client (or group) information is updated. 5. The risk level may also be recalculated at any time when necessary (identification of suspicious transactions, termination of business relationships, etc.). The Payment Organization shall identify and assess ML/TF risks that may arise in connection with: 1) the development of new products and new business practices, including new transmission mechanisms; 2) the use of new or emerging technologies for both new and existing products. The ML/TF risk assessment shall be carried out prior to the launch of new products, business practices, or the use of new (emerging) technologies.

Article 14. Procedure for Monitoring, Analysis, and Control of Client Risks and the Degree of Exposure of the Payment Organization’s Services (Products) to ML/TF Risks

List of Preventive Measures 1. Preventive measures aimed at managing client risk shall be implemented both at the stage of establishing business relationships with a client and during the course of such business relationships. 2. Preventive measures aimed at managing ML/TF risk, including its mitigation, include: 1) Measures implemented at the stage of establishing business relationships with a client: a) refusal to establish business relationships in cases provided for in Article 22 of the Rules; b) implementation of client risk assessment measures at the stage of establishing business relationships; 2) Measures implemented during the course of business relationships with a client, including: a) monitoring and examination of client transactions and activities during servicing; b) updating client profile information in cases of changes in identification data, as provided for in paragraph 2 of Article 5 of the AML/CFT Law, as well as in accordance with the frequency of updating information depending on the client’s risk level; c) review of the client risk level based on information obtained during servicing, including updates of information and results of monitoring and examination of client transactions and/or activities; d) application of enhanced due diligence measures in accordance with customer transaction monitoring and examination procedures; e) submission, where necessary, of reports on transactions subject to financial monitoring to the AFM; f) termination of business relationships with clients in cases provided for in Article 22 of the Rules. 3. Measures aimed at mitigating the risk of misuse of the Payment Organization’s services (products) for ML/TF purposes include: a) modification of customer identification and transaction monitoring procedures; b) establishment of transaction limits and/or cumulative transaction limits in order to prohibit transactions exceeding the established threshold; c) establishment of transaction limits and/or cumulative transaction limits for the purpose of applying enhanced due diligence measures and/or transaction examination; d) modification of terms and conditions for the provision of services (products); e) modification of applicable tariffs of the Payment Organization for services (products); f) refusal to provide services (products).

4. Training and capacity building of Payment Organization employees in the area of AML/CFT.

Chapter 4. Customer Identification Programme

Article 15. General Provisions on Customer Due Diligence (CDD) and Beneficial Ownership

1. For the purposes of implementing the requirements of the Law on Anti–Money Laundering and Countering the Financing of Terrorism (hereinafter – AML/CFT Law) with respect to customer due diligence, the Payment Organization shall implement a customer identification programme covering the identification of the customer (or their representative) and the beneficial owner. 2. The Customer Identification Programme shall include measures undertaken by the Payment Organization for the identification and updating of previously obtained information on customers (or their representatives) and beneficial owners, including information on the source of funds used for transactions conducted by the customer, as well as measures relating to the refusal to establish business relationships, termination of business relationships, refusal to execute transactions involving money and/or other property, and the application of measures to freeze transactions involving money and/or other property. 3. The Payment Organization shall perform customer due diligence (CDD) on the customer (or their representative) and the beneficial owner: 1) prior to establishing business relationships with the customer, except in cases provided for in paragraph 12 of this Article; 2) prior to carrying out transactions involving money and/or other property subject to financial monitoring, including suspicious transactions, except in cases provided for in paragraph 12 of this Article and where customer due diligence has already been performed at the time of establishing business relationships. 4. Identification of the customer (or their representative) and the beneficial owner shall be carried out on the basis of documents and information provided by the customer to the Payment Organization in accordance with internal documents and the Rules. 5. Customer due diligence (CDD) by the Payment Organization with respect to its customers (or their representatives) and beneficial owners shall include the following measures: 1) recording information required for the identification of a natural person: details of the identity document, Individual Identification Number (IIN), except where an IIN has not been assigned in accordance with the legislation of the Republic of Kazakhstan, as well as residential address; 2) recording information required for the identification of a legal entity (branch or representative office): details of the certificate of state (registration/accounting) primary registration and re-registration of the legal entity (branch or representative office), Business Identification Number (BIN), except where a BIN has not been assigned in accordance with the legislation of the Republic of Kazakhstan, or the registration number under which a foreign legal entity is registered in a foreign jurisdiction, as well as the registered address of the place of incorporation or location; 3) identification of the beneficial owner and recording of information necessary for their identification in accordance with subparagraph 1) of this paragraph, except for the residential address; 4) establishment of the intended purpose and nature of the business relationship; 5) ongoing monitoring of the business relationship and examination of transactions conducted by the customer through the Payment Organization, including, where necessary, obtaining and recording information on the source of funds used for such transactions in accordance with Chapter 5 of the Rules; 6) verification of the accuracy of information required for customer (or their representative) and beneficial owner identification, and updating of information on the customer (or their representative) and beneficial owner. 6. For the purpose of identifying the beneficial owner of a corporate customer, the Payment Organization shall determine the ownership and management structure of such customer on the basis of its constituent documents, the register of shareholders of such customer, or information obtained from other sources. 7. If, as a result of the measures provided for in paragraph 6 of this Article, the beneficial owner of a corporate customer is not identified, the beneficial owner may be deemed to be the sole executive body or the head of the collegial executive body of the corporate customer. 8. Recording of information required for the identification of the beneficial owner shall be carried out by the Payment Organization on the basis of information and/or documents provided by the customer (or its representative), or obtained from other sources. 9. With respect to a customer’s representative, the authority of such person to act on behalf of and/or in the interests of the customer shall additionally be verified. 10. Updating of information shall be carried out where there are grounds to doubt the accuracy of previously obtained information on the customer or beneficial owner, as well as in cases provided for by these Rules. 11. In the course of customer due diligence, the Payment Organization shall be entitled to request from the customer (or its representative) information and documents necessary or sufficient for the identification of the customer (or its representative), the identification of the beneficial owner, as well as information on the nature of the customer’s activities and the source of funds used for transactions conducted. The customer (or its representative) shall be obliged to provide the Payment Organization with information and documents necessary for the Payment Organization to fulfil its obligations under the AML/CFT Law, including information on beneficial owners.

Article 16. Procedure for Onboarding Customers

1. When onboarding a customer, an employee of the Payment Organization shall perform the following AML/CFT-related actions: 1) request documents specified in Annex 1, as well as those required under internal regulatory documents, and verify the authenticity of the obtained documents in accordance with Article 17 of the Rules; 2) if the customer acts through a representative, conduct customer due diligence to verify the completeness and legality of the representative’s authority; 3) enter information on the customer (or their representative) and the beneficial owner into the customer profile within the System, completing all mandatory fields; 4) upon completion of all the above customer due diligence procedures in respect of the customer (or their representative) and the beneficial owner, and in the absence of grounds for refusal, establish a business relationship with the customer (or their representative); 5) refuse to establish a business relationship in cases provided for in Article 22 of the Rules, where applicable.

Article 17. Procedure for Identification and Specific Features of Applying Customer Due Diligence Measures for Customers (or Their Representatives) and Beneficial Owners

1. Identification of the customer (or their representative) and the beneficial owner consists of measures undertaken by the Payment Organization for recording and verifying the accuracy of customer information (or their representative), identifying the beneficial owner and recording information about them, establishing and documenting the intended purpose of the business relationship, as well as obtaining and recording information on the customer (or their representative) and the beneficial owner as required by the AML/CFT Law, other regulatory legal acts of the Republic of Kazakhstan, the Rules, and/or other internal documents. Verification of the accuracy of submitted information shall be carried out by comparing it with original documents or notarised copies of relevant documents provided by the customer (or their representative), by cross-checking against available sources (databases), and by other verification methods. 2. Depending on the customer’s risk level, the scope of due diligence measures applied by the Payment Organization shall be expressed through the following types of CDD measures: 1) simplified customer due diligence measures; 2) enhanced customer due diligence measures. 3. Enhanced due diligence measures for the identification of the customer (or their representative) and the beneficial owner shall be applied by the Payment Organization in the following cases: 1) assignment of a high-risk level to the customer in accordance with Chapter 3 of the Rules; 2) existence of doubts regarding the accuracy of information provided by the customer; 3) establishment of business relationships with customers registered, residing, or located in countries (or territories) that do not implement or insufficiently implement FATF Recommendations; 4) by decision of the AML/CFT Officer. 4. When applying enhanced due diligence measures, the Payment Organization shall, in addition to the measures provided for in paragraph 5 of Article 15 of the Rules, undertake one or more of the following actions: 1) establish the purpose of planned or executed transactions; 2) increase the frequency and intensity of monitoring and examination of transactions requiring further review; 3) obtain information on the nature of the customer’s activities and the source of funds used for transactions; 4) obtain approval from the Senior Executive Officer for the establishment or continuation of business relationships with the customer. 5. In all other cases not provided for in paragraph 4 of this Article, simplified customer due diligence measures shall be applied in accordance with paragraph 5 of Article 15 of the Rules.

Article 18. Measures for Identifying Politically Exposed Persons and Procedures for Establishing and Maintaining Business Relationships with Them, Their Spouses and Close Relatives

1. As part of the customer (or representative) identification process and the identification of the beneficial owner, the Payment Organization shall verify whether such customer (or representative) and beneficial owner are a National Politically Exposed Person (NPEP) or a Foreign Politically Exposed Person (FPEP), or are the spouse or a close relative of such persons. 2. In addition to the measures provided for in paragraph 3 of Article 5 of the AML/CFT Law, the AML/CFT Officer shall undertake the following measures with respect to FPEPs: 1) assess the reputation of the relevant PEP with regard to any involvement in money laundering and terrorist financing activities; 2) obtain approval from the Senior Executive Officer of the Payment Organization for the establishment or continuation of a business relationship with such customer. Where the decision of the Senior Executive Officer is negative (establishment or continuation of the business relationship is prohibited), the Payment Organization shall refuse to establish or continue the business relationship. Where the decision is positive (establishment or continuation of the business relationship is permitted), the Payment Organization shall proceed with the establishment or continuation of the business relationship. The AML/CFT Officer shall print and include the AML opinion and the decision of the Senior Executive Officer in the customer file; 3) take reasonable measures to establish the source of funds of the customer (or representative) and the beneficial owner; 4) apply enhanced customer due diligence measures to the customer (or representative) and beneficial owner. 3. In addition to the measures provided for in paragraph 3 of Article 5 of the AML/CFT Law, with respect to NPEPs included in the list of politically exposed persons approved by the President of the Republic of Kazakhstan, as well as their spouses and close relatives who have been assigned a high-risk rating, the AML/CFT Officer shall apply the measures set out in subparagraphs 2), 3), 4) and 5) of paragraph 1 of Article 8 of the AML/CFT Law. The list of NPEPs, excluding FPEPs, shall be approved by the President of the Republic of Kazakhstan. 4. Following the cessation of the functions of a PEP included in the list of NPEPs approved by the President of the Republic of Kazakhstan, the provisions of paragraph 2 of Article 8 of the AML/CFT Law shall continue to apply to such PEP, his or her spouse, and close relatives for a period of twelve (12) months from the date of cessation of such functions.

Article 19. Procedure for the Application and Lifting of Targeted Financial Sanctions

1. Within twenty-four hours from the publication on the official website of the Agency for Financial Monitoring of the Republic of Kazakhstan (AFM) of information on the inclusion of organizations and/or individuals in the List of Terrorists, the FPWMD List (List of Organizations and Persons Associated with the Financing of the Proliferation of Weapons of Mass Destruction), and the Temporary List of Terrorists, the Payment Organization shall, without delay, except in cases provided for by paragraphs 5 and 6 of Article 12-1 of the AML/CFT Law, apply the following measures to freeze transactions involving money and/or other property: 1) suspend the execution of payment or money transfer instructions without the use of a bank account for such organizations and individuals, as well as instructions of a client whose beneficial owner is such an individual; 2) refuse to conduct any other transactions involving money and/or other property carried out by or for the benefit of such organization or individual, as well as by or for the benefit of a client whose beneficial owner is such an individual. 2. The freezing measures specified in paragraph 1 of this Article shall not apply to transactions under agreements concluded with the Payment Organization prior to the inclusion of a person in the List of Terrorists, where such transactions relate to payments made towards the discharge of obligations under a service agreement. 3. Transactions involving money and/or other property of organizations or individuals included in the List of Terrorists may be carried out by the Payment Organization pursuant to a court decision, collection orders issued by state revenue authorities, resolutions of state revenue authorities on enforcement against restricted property, as well as following the removal of the organization or individual from the List of Terrorists, the FPWMD List, or the Temporary List of Terrorists in accordance with the AML/CFT Law. 4. Freezing measures in respect of organizations and/or individuals included in the Temporary List of Terrorists shall apply for a period of up to fifteen (15) calendar days. 5. The removal of organizations and/or individuals from the List of Terrorists, the FPWMD List, or the Temporary List of Terrorists shall constitute grounds for lifting the freezing measures applied to money and/or other property belonging to such organizations and/or individuals. 6. The AML/CFT Compliance Officer shall, no later than one (1) business day following the publication on the official AFM website of information on the inclusion of organizations and/or individuals in the List of Terrorists or the Temporary List of Terrorists, verify within the System the existence of such persons, as well as clients whose beneficial owners are such persons. Where such persons are identified, the AML/CFT Compliance Officer shall apply the freezing measures specified in paragraph 1 of this Article. 7. The AML/CFT Compliance Officer shall, no later than one (1) business day following the application of freezing measures with respect to money and/or other property, submit a report to the AFM on the freezing measures taken. 8. The AML/CFT Compliance Officer shall, no later than one (1) business day following the publication on the official AFM website of information on the removal of organizations and/or individuals from the List of Terrorists, the FPWMD List, or the Temporary List of Terrorists, verify within the System the existence of such persons, as well as clients whose beneficial owners are such persons. Where such persons are identified, the AML/CFT Compliance Officer shall lift the freezing measures applied to money and/or other property.

Article 20. Procedure for Screening a Client (its Representative) and Beneficial Owner Against the Blacklist

1. Screening of a client (its representative) and beneficial owner against the blacklist shall be performed irrespective of the client's risk level and shall be conducted whenever amendments are made to the blacklist. 2. Screening of a client (its representative) and beneficial owner for potential matches against the blacklist shall be performed automatically upon the establishment of a business relationship (during the creation of a client profile), when updating information on the client (its representative) and beneficial owner, and when conducting transactions through the System. 3. Upon the establishment of a business relationship (during the creation of a client profile), when updating information on the client (its representative) and beneficial owner, or when conducting a client transaction, if the name of the client (its representative), beneficial owner, or transaction participant matches an entry in the blacklist, the System shall generate an alert and prevent completion of the client profile creation or transaction by blocking further actions of the Payment Organization Employee. In such a case, the Payment Organization Employee shall immediately contact the AML/CFT Compliance Officer, send by e-mail a copy of the client’s identity document and a screenshot of the completed Questionnaire, and await the AML/CFT Compliance Officer’s decision and instructions regarding further servicing of the client. 4. The AML/CFT Compliance Officer shall verify whether the client (its representative) and beneficial owner constitute a full or partial match with an entry in the blacklist. In the event of a partial (false-positive) match, the AML/CFT Compliance Officer shall remove the block, thereby authorizing the creation of the client profile and/or the execution of the transaction. 5. In the event of a confirmed full match between the client (its representative) or beneficial owner and an entry in the blacklist, the AML/CFT Compliance Officer shall make a decision in accordance with the AML/CFT Law. 6. The AML/CFT Compliance Officer shall communicate the decision taken and recommendations regarding further servicing of the client to the relevant branch of the Payment Organization by e-mail.

Article 21. Verification of the Accuracy of Information on a Client (its Representative) and Beneficial Owner. Requirements for the Form, Content and Maintenance of the Client Credit File; Updating Information Contained in the Credit File

1. Verification of the accuracy of information required for client identification shall be carried out by visually comparing the photograph contained in the original identity document with the client (or the client's representative), including through the use of information systems.

2. The Payment Organization shall maintain credit files for individual clients.

3. Information on a client shall be updated in accordance with the client's risk level as follows: 1) for a high-risk client – once every one (1) year; 2) for a medium-risk client – once every three (3) years; 3) for a low-risk client – once every five (5) years. 4. Information obtained as a result of client identification shall be included in the client's credit file, which shall be maintained by the Payment Organization throughout the entire period of the business relationship with the client and for at least five (5) years following its termination.

Article 22. Procedure and Grounds for Refusal to Establish Business Relationships and/or Conduct Transactions, as well as Termination of Business Relationships

1. The Payment Organization shall be obliged to refuse a client (its representative) the establishment of business relationships in cases where it is impossible to carry out the customer due diligence measures for the client (its representative) and beneficial owner, as provided for in subparagraphs 1), 2), 3) and 4) of paragraph 5 of Article 15 of these Rules. 2. The Payment Organization shall be obliged to refuse a client (its representative) the execution of transactions involving money and/or other property in cases where it is impossible to carry out customer due diligence measures for the client (its representative) and beneficial owner, as provided for in subparagraphs 1), 2), 3), 4) and 6) of paragraph 5 of Article 15 of these Rules. 3. The Payment Organization shall have the right to refuse to conduct transactions involving money and/or other property, as well as to refuse to establish business relationships and/or to terminate existing business relationships with a client in the following cases:1) identification of the client (its representative) or beneficial owner in the blacklist; 2) existence of suspicions that the business relationship is being used, or may be used, by the client for purposes of money laundering and/or terrorist financing (ML/TF). 4. The AML/CFT Compliance Officer shall, no later than one (1) business day following the date of the relevant decision, submit a report to the Financial Monitoring Agency (AFM) regarding the refusal to establish business relationships, termination of business relationships with a client, or refusal to conduct a transaction involving money and/or other property.

Chapter 5. Customer Transaction Monitoring and Analysis Program

Article 23. General Provisions of the Customer Transaction Monitoring and Analysis Program

1. In order to implement the requirements of the AML/CFT Law regarding customer due diligence, as well as the identification and submission to the AFM of reports on threshold and suspicious transactions, the Payment Organization develops a Customer Transaction Monitoring and Analysis Program. 2. Within the framework of the Customer Transaction Monitoring and Analysis Program, measures are carried out to update and/or obtain additional information on clients (their representatives) and beneficial owners, as well as to analyze client transactions and identify threshold, complex, unusual, and suspicious transactions. 3. The results of transaction monitoring and analysis are used by the Payment Organization for the annual assessment of the degree of exposure of its services to ML/TF risks, as well as for the reassessment of client risk levels. 4. Information obtained within the framework of the Customer Transaction Monitoring and Analysis Program shall be included in the client's credit file and/or stored throughout the entire period of the business relationship with the client and for at least five (5) years following its termination. 5. The frequency of updating and/or the necessity of obtaining additional information on the client (its representative) and beneficial owner shall be determined taking into account the client's risk level (or group of clients) and/or the degree of exposure of the Payment Organization’s services/products used by the client to ML/TF risks. 6. The Customer Transaction Monitoring and Analysis Program of the Payment Organization includes, but is not limited to: 1) a list of indicators of suspicious transactions, developed based on the indicators defined by the Financial Monitoring Agency in accordance with the AML/CFT Law, as well as those developed independently by the Payment Organization; 2) updating by Payment Organization Employees of previously obtained information and/or obtaining additional information on the client (its representative) and beneficial owner in cases provided for in Chapter 4 of these Rules; 3) identification by Payment Organization Employees and the AML/CFT Compliance Officer of threshold, complex, unusual, and suspicious transactions; 4) procedures, grounds, and timelines for the AML/CFT Compliance Officer’s decision-making regarding the classification of a client’s transaction; 5) procedures for recording (including methods of recording) and storing information on the results of analysis of complex and unusual transactions, as well as information on threshold and suspicious transactions (including transaction amounts); 6) procedures for taking and describing measures applied to a client and its transactions in cases where the client systematically and/or in significant volumes conducts unusual and/or suspicious transactions. 7. Transactions shall be classified as suspicious in accordance with the Customer Transaction Monitoring and Analysis Program. In cases where a client systematically and/or in significant volumes conducts unusual and/or suspicious transactions, measures shall be taken to analyze the client’s transactions, and where necessary, measures such as refusal to execute transactions and/or termination of business relationships shall be applied in accordance with Article 22 of these Rules.

Article 24. Procedure for Identification of Threshold Transactions

1. A transaction involving money and/or other property (a threshold transaction) shall be subject to financial monitoring if, by its nature, it falls under one of the types of transactions specified in Annex 2 to these Rules. 2. The AML/CFT Compliance Officer or a designated person shall carry out daily monitoring of threshold transactions conducted in the System to determine whether there are grounds for submitting reports to the AFM. 3. Information on threshold transactions specified in Annex 2 to these Rules shall be communicated by the Payment Organization Employee conducting such transactions to the AML/CFT Compliance Officer on the same day the transaction is performed in the System.

Article 25. Procedure for Identifying Unusual and Suspicious Transactions

1. Suspicious transactions are subject to financial monitoring regardless of the form in which they are carried out and the amount involved, or the amount that may be involved or could have been involved. 2. The list of indicators of unusual and suspicious transactions established by AML/CFT legislation is provided in Annex 3 to the Rules. 3. Such indicators may be defined using qualitative assessment categories, including: systematic nature, regularity, significance, materiality, excessive concern, unreasonable haste, short time period, high volume, and level of risk. 4. Mandatory grounds for the Payment Organization to review a client’s transactions and record the results include: 1) execution by a client of a complex, unusually large transaction, or a transaction with no apparent economic sense or visible lawful purpose involving money and/or other property; 2) actions by a client aimed at circumventing customer due diligence and/or financial monitoring requirements under the AML/CFT Law; 3) execution of a transaction involving money and/or other property where a participant is registered (or resides) in a country or territory that does not implement or insufficiently implements the recommendations of the Financial Action Task Force. The list of such countries (territories) is published on the official website of the Financial Monitoring Agency of the Republic of Kazakhstan. 5. Identification of a suspicious transaction prior to its execution shall be carried out by the Responsible AML/CFT Officer: 1) based on information (notification) on suspicious and/or unusual transactions received from an Employee of the Payment Organization as a result of monitoring and analysis of transactions in accordance with the indicators set out in Annex 3 to the Rules; 2) based on information (notification) received from an Employee of the Payment Organization in cases where the System blocks the client onboarding process and/or transaction execution due to a match with the blacklist. 6. An Employee of the Payment Organization shall: 1) in case a client (or their representative) or beneficial owner included in the blacklist attempts to conduct a transaction; or 2) upon detection of a transaction meeting the criteria of an unusual or suspicious transaction as defined in Annex 3 to the Rules, suspend the client onboarding process and/or transaction execution and immediately submit full information to the Responsible AML/CFT Officer via corporate email, including: full name of the client / individual identification data; Business Identification Number (BIN) / Individual Identification Number (IIN); transaction details; scanned copies of transaction-related documents; system screenshots of transaction notifications; and any additional relevant information. 7. The Responsible AML/CFT Officer, upon receiving the notification referred to in paragraph 5 of this Article, shall analyze the information and make a preliminary decision on suspension or refusal of the transaction. 8. If the Responsible AML/CFT Officer decides to proceed with the transaction, they shall notify the Employee of the Payment Organization via corporate email of the decision taken. 9. Identification of suspicious transactions after execution shall be carried out by the Responsible AML/CFT Officer: 1) based on information (notification) on suspicious and/or unusual transactions received from an Employee of the Payment Organization as a result of transaction monitoring under Annex 3 to the Rules; 2) based on information obtained from other sources, the analysis of which may indicate suspicious and/or unusual transactions.

Article 26. Procedure for Suspension of Suspicious Transactions

1. If, in accordance with Chapter 5 of the Rules, a transaction is classified as suspicious and a decision is made to suspend it (except for cases provided for by the AML/CFT Law), the Responsible AML/CFT Officer shall immediately: 1) include the client involved in the transaction in the blacklist; 2) inform the Employee of the Payment Organization involved in servicing the client via corporate email about the impossibility of executing the transaction; 3) submit a report to the Financial Monitoring Agency of the Republic of Kazakhstan 2. The Employee of the Payment Organization servicing the client shall inform the client about the expected timeframe for the decision on the transaction (up to 4 (four) business days) and explain that the transaction is undergoing internal approval at the head office of the Payment Organization. 3. Upon receipt of a report on a suspicious transaction, the FMA of the Republic of Kazakhstan shall, within 24 (twenty-four) hours, decide either: 1) to suspend the execution of the suspicious transaction for up to 3 (three) business days, if the report submitted by the Payment Organization is deemed justified; or 2) that there is no need to suspend the suspicious transaction. 4. The Payment Organization shall not execute the transaction until the FMA of the Republic of Kazakhstan issues a decision either on suspension or on the absence of necessity to suspend the transaction. 5. If the Payment Organization does not receive a decision from the FMA of the Republic of Kazakhstan within 24 (twenty-four) hours from the submission of the report, the transaction shall be executed, unless there are other grounds provided for by the legislation of the Republic of Kazakhstan preventing its execution. 6. On the day of receipt of the FMA notification, the Responsible AML/CFT Officer shall inform the Employee of the Payment Organization of the decision taken. 7. If the FMA of the Republic of Kazakhstan issues a decision to suspend the transaction for up to 15 (fifteen) calendar days, the Responsible AML/CFT Officer shall inform the Employee of the Payment Organization accordingly. 8. After the expiration of the suspension period and upon receipt of the FMA decision, the Responsible AML/CFT Officer shall lift the restriction on the transaction, provided that no other legal grounds exist under the legislation of the Republic of Kazakhstan preventing its execution. 9. All Employees of the Payment Organization who become aware, in the course of their duties, of the suspension of a suspicious transaction are prohibited from informing clients or third parties about the submission of information, data, or documents to the FMA or about any measures taken in relation to such client and their transactions, in accordance with AML/CFT legislation.

10. Procedure for interaction of the Payment Organization in relation to transaction suspension:

Article 27. Procedure for Submitting Reports on Transactions Subject to Financial Monitoring to the Financial Monitoring Agency of the Republic of Kazakhstan

1. The Payment Organization shall provide the Financial Monitoring Agency of the Republic of Kazakhstan with information and data on transactions subject to financial monitoring, including information about the Payment Organization, transaction details, participants of the transaction, and where necessary, indicators of suspicious transaction identification, as well as additional information related to such transactions. 2. The Payment Organization shall submit information on transactions subject to financial monitoring using Form FM-1 in accordance with the Rules for the submission by reporting entities of information and data on transactions subject to financial monitoring and indicators for identifying suspicious transactions, approved by the FMA of the Republic of Kazakhstan. 3. Collection of information and data on transactions subject to financial monitoring (threshold transactions) shall be carried out in accordance with Article 24 of these Rules. 4. Information and data on transactions subject to financial monitoring shall be recorded in documentary form and submitted to the FMA electronically via dedicated communication channels no later than 1 (one) business day following the date of execution of the transaction. 5. Information on a suspicious transaction prior to its execution shall be submitted to the FMA immediately after its suspension. 6. Reports on transactions that were not initially classified as suspicious prior to execution shall be submitted to the FMA no later than 24 (twenty-four) hours after the transaction is classified as suspicious. 7. The deadlines for submitting reports to the FMA regarding refusals to establish business relationships, termination of business relationships with a client, and refusal to execute transactions are set out in Article 22 of these Rules. 8. The deadlines for submitting reports to the FMA regarding the application of measures to freeze funds are set out in Article 20 of these Rules. 9. The FMA shall, within 4 (four) hours from the moment of receipt of information from the Payment Organization, send an electronic notification confirming acceptance or non-acceptance of the submitted report. 10. In case of receipt of a non-acceptance notification from the FMA, the Responsible AML/CFT Officer shall, within 24 (twenty-four) hours (excluding weekends and public holidays), take measures to eliminate the reasons for rejection specified in the notification and resubmit the corrected information to the FMA. 11. In case amendments and/or additions are required to a previously submitted report, the Responsible AML/CFT Officer shall, no later than 1 (one) business day from the date of detection of the information subject to correction, submit updated information to the FMA replacing the previously submitted report. 12. Where necessary for the analysis of transactions, the FMA may send electronic requests to the Payment Organization for the provision of required information, data, and documents. 13. The Payment Organization shall provide the FMA with the requested information, data, and documents within 3 (three) business days from the date of receipt of the request. 14. Upon request of the FMA related to the analysis of a suspicious transaction, the Payment Organization shall provide the required information, data, and documents no later than 1 (one) business day from the date of receipt of the request. 15. Where additional time is required to process a request, the Payment Organization may submit a request to the FMA for extension of the deadline for up to 10 (ten) business days, in accordance with the prescribed form, via the telecommunications network of the Republican State Enterprise on the right of economic management “Kazakhstan Center for Interbank Settlements of the National Bank of the Republic of Kazakhstan” or the web portal of the authorized body.

Chapter 6. Training and Professional Development Program for Employees of the Payment Organization on Anti-Money Laundering and Countering the Financing of Terrorism

Article 28. Training and Development of Employees of the Payment Organization

1.The purpose of the training and professional development program on AML/CFT is to ensure that employees of the Payment Organization acquire the knowledge and develop the skills necessary to comply with the requirements of the legislation of the Republic of Kazakhstan, these Rules, and other internal documents in the field of Anti-Money Laundering and Countering the Financing of Terrorism. 2. AML/CFT training of the Payment Organization's Employees shall be divided into the following types: 1) Internal training – training provided to the Employees of the Payment Organization; 2) Specialized training – training provided to the AML/CFT Compliance Officer (Responsible AML/CFT Employee). 3. The internal training program includes: 1) study of regulatory legal acts of the Republic of Kazakhstan in the field of AML/CFT, as well as international AML/CFT standards; 2) study of internal control rules and related implementation programs in the course of the Organization’s official duties, as well as liability measures for non-compliance with AML/CFT legislation of the Republic of Kazakhstan, as established by Article 214 of the Code of the Republic of Kazakhstan dated July 5, 2014 “On Administrative Offences”; 3) study of typologies, schemes, and methods of legalization (laundering) of proceeds obtained from criminal activity and financing of terrorism, in accordance with paragraph 5 of Article 4 of the AML/CFT Law, as well as indicators for identifying suspicious transactions. 4. The internal training program shall be developed by the Responsible AML/CFT Officer, who must meet the following requirements: 1) higher education; 2) at least 5 (five) years of professional experience in the field of AML/CFT; 3) certificates confirming completion of AML/CFT training. 5. Training shall be conducted remotely or in written form and shall consist of: 1) 1) completion of a training course; 2) passing a test assessment. 6. Training shall be assigned to new Employees of the Payment Organization hired into positions related to AML/CFT compliance, as well as to employees returning from maternity leave, prior to the commencement of their job duties. 7. Additional training shall be conducted in the event of amendments to existing or the entry into force of new regulatory legal acts of the Republic of Kazakhstan in the field of AML/CFT, as well as upon approval of new internal Rules of the Payment Organization or amendments to the existing Rules. 8. Where necessary, unscheduled training may be conducted for Employees of the Payment Organization at the initiative of the Responsible AML/CFT Officer or the Managing Officer of the Payment Organization. 9. If an Employee of the Payment Organization fails to complete the required training within the established timeframe, the Payment Organization may apply disciplinary measures in accordance with the labor legislation of the Republic of Kazakhstan, internal regulatory documents, and applicable legal procedures. 10. The passing score for the training course is 75%. In case of an unsatisfactory result, the training shall be reassigned. An Employee of the Payment Organization is allowed 3 (three) attempts to pass the test. 11. The Responsible AML/CFT Officer shall maintain records of training completion by Employees of the Payment Organization. 12. Completion of training by an Employee of the Payment Organization shall be confirmed by the employee’s handwritten signature in the relevant document in accordance with Annex 4 to the Rules. 13. Documents confirming the completion of training by an employee of the Payment Organization shall be included in the employee’s personal file. 14. Specialized training shall be conducted through the following activities: 1) training provided by an authorized training organization; 2) self-study; 3) additional courses, seminars, trainings, webinars, and other learning formats. 15. For the purpose of confirming completion of specialized training, the Responsible AML/CFT Officer shall undergo testing at least once every 3 (three) years from the date of passing the test at the Public Joint Stock Company “National Center for Human Resources Development of the Civil Service” (hereinafter – the Center), in accordance with the Resolution of the Government of the Republic of Kazakhstan dated December 31, 2008 No. 1305.

16. Successful completion of the testing shall be confirmed by a document issued by the Center.

17. The validity period of the test results is 3 (three) years from the date of passing the test with a positive result. 18. After completion of testing, the Payment Organization shall upload information on the testing results to its personal account on the web portal of the Financial Monitoring Agency of the Republic of Kazakhstan.

Chapter 7. Final Provisions

Article 29. Liability

1. The provisions of these Rules shall apply and be mandatory for all Employees of the Payment Organization.

2. Employees of the Payment Organization shall be liable for the following violations: 1) failure to perform or improper performance of the procedures and requirements set forth in these Rules, including incomplete or incorrect recording of information about the client (its representative) and the beneficial owner during the customer due diligence process, as well as untimely updating of such information in the client credit file and/or the System; 2) disclosure or transfer of information containing commercial, official, or other legally protected secrets; 3) disclosure of information obtained in the course of implementing internal AML/CFT control procedures, including information about the client (its representative) and beneficial owner, as well as methods and procedures of AML/CFT internal control; 4) informing the client or other persons about the submission by the Payment Organization to the Agency for Financial Monitoring of information, data, and documents concerning the client (its representative) and beneficial owner, as well as about the client’s transactions; 5) disclosure to the client (its representative) or other persons of the specifics of the AML/CFT control arrangements within the Payment Organization. 3. The following actions of an Employee of the Payment Organization may serve as grounds for analyzing possible involvement of the Employee in money laundering and/or financing of terrorism, including one or more of the following: 1) providing false information regarding the client’s reputation, financial condition, and sources of income; 2) repeatedly violating or attempting to circumvent the requirements of internal regulatory documents; 3) maintaining a lifestyle disproportionate to their income; 4) sudden changes in lifestyle associated with increased religious influence.

Article 30. Entry into Force

1. These Rules shall enter into force on the day following their publication on the internal website of the Payment Organization, unless otherwise provided in the decision of the Management Officer of the Payment Organization upon approval. Issues not expressly regulated by these Rules shall be resolved in accordance with the legislation of the Republic of Kazakhstan and/or the internal regulatory documents of the Payment Organization.

2. These Rules shall be updated as necessary, including in case of changes in AML/CFT legislation.

3. In case of any inconsistency between the provisions of these Rules and the legislation of the Republic of Kazakhstan, the provisions of the legislation shall prevail.

Annex 1

to the Internal Control Rules for countering the legalization (laundering) of proceeds obtained through crime, financing of terrorism, and financing of proliferation of weapons of mass destruction in the Payment Organization Neo Pay LLP

List of documents required for conducting customer (or its representative) due diligence Application Form for Individuals Full Name (Surname, First Name, Patronymic)

Date and Place of Birth

Citizenship / Residency Status

Identification Document Details

Type of identification document, document number, series (if applicable), issuing authority, date of issue, and expiration date

Tax Residency, including Tax Identification Number in a foreign jurisdiction

Individual Identification Number (IIN)

Residential Address (registration address) (country/jurisdiction, postal code, city/locality, street/district, building number)

Actual Residence Address (country/jurisdiction, postal code, city/locality, street/district, building number)

Marital Status

Contact Phone Numbers

Email Address

Place of Employment, Position Held

Employment Information □ Individual Entrepreneur □ Employee □ Business Owner □ Student □ Pensioner □ Unemployed □ Other (please specify) Information on Individual Entrepreneurial Activity (Name of individual entrepreneur, certificate number, date of issue, place of issue)

Bank Details Beneficiary Name / Full Name

Name and country of location of the bank(s)

Bank Code (BIC)

Account Number (IBAN)

Beneficiary Code (Kbe)

Information on Authorized Representative

Surname, First Name, Patronymic

Date and Place of Birth

Citizenship / Residency Statu

Identification Document Details

Individual Identification Number (IIN)

Residential Address (registration address) (country/jurisdiction, postal code, city/locality, street/district, building number)

Actual Residence Address (country/jurisdiction, postal code, city/locality, street/district, building number)

Contact Phone Numbers Email Address

Details of the document on the basis of which the representative acts (type, series, number, date of issue, issuing authority)

Full name of the notary (if applicable) who certified the client’s authorization granted to the representative, notary license number and date of issue or name of the issuing authority

Visa details (number, date of issue, validity period) if a foreign passport is used as an identity document (except for citizens of countries with visa-free entry to the Republic of Kazakhstan)

Migration card details (number, date of issue, validity period) if a foreign passport is used as an identity document

Information on Anti–Money Laundering Matters / FATCA Are you a foreign public official? (Foreign public official is a person appointed or elected to a legislative, executive, administrative, or judicial body of a foreign state, as well as any person performing a public function for a foreign state) □ YES □ NO Do you have any affiliation with a foreign public official? □ YES □ NO Do you have bank accounts in offshore jurisdictions? □ YES □ NO Are you a tax resident of the United States? □ YES □ NO Tax residency of which countries are you a taxpayer of? □ Kazakhstan □ USA □ Other Do you have a contact telephone number and/or fax number registered in the United States? □ YES □ NO Do you have a postal address in the United States? □ YES □ NO Additional Information on Individual Entrepreneur Number and date of issuance of the document confirming registration of the individual as an individual entrepreneur, including as the head of a peasant (farm) enterprise

Business Identification Number (if available) Type of business activity

License Number, Date of Issue, and Expiry Date (if the business activity is subject to licensing)

Business Address (country/jurisdiction, postal code, city/locality, street/district, building number)

Additional Information on a Foreign Individual Visa Number, Date of Issue, and Expiry Date (if a foreign passport is provided as the identification document) (except for citizens of countries entering the Republic of Kazakhstan under a visa-free regime)

Migration Card Number, Date of Issue, and Validity Period (if a foreign passport is provided as the identification document) (for citizens of countries entering the Republic of Kazakhstan under a visa-free regime)

Whether the Individual is a Foreign Politically Exposed Person or a Related Person (Family Member)

Beneficial Owner Information Full Name (Surname, First Name, Patronymic, if any) of the Individual(s) on Whose Behalf a Business Relationship is Established (or a Transaction is Conducted), or an Indication that the Individual Establishing the Business Relationship (Conducting the Transaction) on Their Own Behalf Acts in Their Own Interest

Citizenship of the Beneficial Owner (if any)

Individual Identification Number (IIN) of the Beneficial Owner (if any)

Type of Identification Document, Number, and Series (if applicable) of the Beneficial Owner

Name of the Authority Issuing the Beneficial Owner’s Identification Document, Date of Issue, and Expiry Date

Tax Residency, Including the Taxpayer Identification Number Assigned to the Beneficial Owner in a Foreign State

Contact Telephone Number of the Beneficial Owner (if any)

Whether the Beneficial Owner is a Foreign Politically Exposed Person or a Related Person (Family Member)

Information on the Sources of Funds for Transactions Sources of Income / Sources of Funds for Transactions Conducted by the Individual (salary, dividends, income from entrepreneurial activity, or other)

Accounts Held with Other Banks / Financial Institutions (if any) (name of the bank / financial institution where the account is maintained)

Financial Standing □ Real estate □ Valuables □ Share in capital / percentage of shares in another legal entity (please specify) □ Other (please specify)

Application Form for Legal Entities Full Name of the Legal Entity

Abbreviated Name

Residency Status

Name and Number of the Document Confirming Registration of the Legal Entity

State Registration (Re-registration) Number: Date of State Registration (Re-registration)

Issuing Authority (Registration Body)

Business Identification Number (BIN)

Legal Address (Registered Address)

Actual Address / Mailing Address

Contact Phone / Fax

Email Address

Information on Founders / Shareholders of the Legal Entity (to be provided for all founders with an ownership share of 10% or more) For Individuals: Full name, IIN, date of birth, identity document details, contact phone number, residential address Residency Share (%)

For legal entities: name, BIN, registration number, actual address

Ultimate Beneficial Owners Surname, First Name, Patronymic

Date of Birth

Citizenship

Identification Document Details

Identification number (IIN)

Contact details (telephone, email)

Residential address

Share, %

Information on the First Head Surname, First Name, Patronymic

Date of Birth

Citizenship

Identification Document Details

Identification number (IIN)

Contact details (telephone, email)

Information on the Economic Activity of the Legal Entity Main Types of Business Activities of the Legal Entity

Code of the General Classifier of Economic Activities (OKED)

Type of License

Place and Date of Issuance of the License

Issuing Authority

License Number

Validity Period of the License

Authorized Capital

Information on Banks Where the Legal Entity Holds Accounts Name and Country of Location of the Bank(s)

Bank Identification Code (BIC)

Account Number (IBAN)

Beneficiary Code (Kbe)

Information on the Authorized Representative Surname, First Name, Patronymic

Date of Birth

Citizenship

Identification Document Details

Series/Number, Issuing Authority, Date of Issue, Validity Period of Identity Document

Identification number (IIN)

Taxpayer Registration Number (RNN)

Residential Address (Registration)

Actual Residential Address

Contact Telephone Numbers

Email Address

Details of the Document on the Basis of Which the Representative Acts (Type, Series, Number, Date of Issue, Issuing Authority, or Full Name of the Issuer)

Visa Number, Date of Issue, Validity Period (if a foreign passport is used as an identity document) (except for citizens of countries with visa-free entry to the Republic of Kazakhstan)

Migration Card Number, Date of Issue, Validity Period (if a foreign passport is used as an identity document)

Information on Anti-Money Laundering / FATCA Matters Information on the Ownership and Management Structure Structure and Name of Governing Bodies (supreme body, executive body, and other bodies in accordance with the constituent documents)

Date of the Latest Amendment of the Constituent Documents on the basis of which the structure of the legal entity’s governing bodies is established

Information on the Composition of the Supreme Body Full names (if any) of natural persons and/or full names of legal entities included in the supreme body

Citizenship (if applicable) of natural persons and/or country of registration of legal entities included in the supreme body

Individual Identification Numbers (if available) or numbers, series (if any), date of issue and validity period of identity documents of natural persons included in the supreme body

Business Identification Numbers (if available) or registration numbers (codes) assigned by the competent authority in the country of registration for legal entities included in the supreme body

Date of the latest amendment of the constituent documents, or date of extract from the register of shareholders (participants), or other document on the basis of which the composition of the supreme body was established

Information on the Composition of the Executive Body ull name (if applicable) of the person performing the functions of the sole executive body, or surnames, first names, and patronymics (if applicable) of the head and members of the collegial executive body

Date and place of birth of the person performing the functions of the sole executive body, or the head and members of the collegial executive body

Citizenship (if applicable) of the person performing the functions of the sole executive body, or the head and members of the collegial executive body

Individual Identification Number (IIN) (if applicable) of the person performing the functions of the sole executive body, or the head and members of the collegial executive body

Type of identity document, number, series (if applicable) of the person performing the functions of the sole executive body, or the head and members of the collegial executive body

Name of the issuing authority of the identity document, date of issue, and validity period of the document of the person performing the functions of the sole executive body, or the head and members of the collegial executive body

Residential address and/or place of stay (country/jurisdiction, postal code, city/locality, street/district, building number, and apartment number if applicable) of the person performing the functions of the sole executive body, or the head and members of the collegial executive body

Contact telephone number of the person performing the functions of the sole executive body, or the head and members of the collegial executive body

Number and date of the document (order, general meeting minutes, board of directors minutes, decision of the sole shareholder (founder), or other equivalent document) on the basis of which the person performs the functions of the sole executive body or acts as a member of the collegial executive body

Information on the Composition of Other Governing Bodies (if applicable) Full name (if applicable) of the head and members of the governing body

Date and place of birth of the head and members of the governing body

Citizenship (if applicable) of the head and members of the governing body

Individual Identification Number (IIN) (if applicable) of the head and members of the governing body

Information on the Beneficial Owner Indication of whether there is a natural person(s) who directly or indirectly owns more than twenty-five percent of the share capital or issued (excluding preferred and treasury shares) shares of the legal entity

Indication of whether there is a natural person(s) exercising control over the legal entity on other grounds

Indication of whether there is a natural person(s) on whose behalf the legal entity establishes business relations (conducts transactions)

Surname, first name, and patronymic (if any) of the beneficial owner

Citizenship (if applicable) of the beneficial owner

Individual Identification Number (IIN) (if applicable) of the beneficial owner

Type of identity document, number, and series (if applicable) of the beneficial owner

Name of the issuing authority of the identity document, date of issue, and validity period

Tax residency, including the taxpayer identification number in a foreign state of the beneficial owner

Contact telephone number (if applicable) of the beneficial owner

Whether the beneficial owner is a foreign politically exposed person

Whether the beneficial owner has a family member and/or close relative who is a foreign politically exposed person Financial profile of the client’s beneficial owner (if available) □ Real Estate □ Valuables □ Share in Capital / Percentage of Shares in Another Legal Entity (specify) □ Other (specify) Additional Information on a Branch (Representative Office) of a Legal Entity

Name of the branch (representative office)

Business Identification Number (if available)

Type of registration document, date of issue, and number (if available)

Name of the registering authority and date of registration (re-registration)

Type(s) of activity performed and code of the General Classifier of Economic Activities (OKED) (if available)

License number, date of issue, and validity period (if the activity is subject to licensing)

Address of the branch (representative office) as stated in the registration document (country, postal code, city/locality, street/district, building number)

Contact telephone number and email address (if available)

Information on the Sources of Funds for Transactions Conducted Sources of income of the legal entity / financing of transactions conducted (income from business activities, dividends, voluntary contributions and donations, other) □ Regular income derived from core business activities □ Profit from occasional transactions and deals □ Contributions of Participants (Shareholders) □ Loan Funds (specify from whom) □ Dividends □ Voluntary Property Contributions □ Donations □ Receipts from Customers or Recipients of Goods/Services □ Other (specify) Accounts with other banks / financial institutions (if any) (name of the bank / financial institution where the account is held) Financial profile of the Client (if available) □ Real Estate □ Valuables □ Share in Capital / Percentage of Shares in Another Legal Entity (specify) □ Other (specify) Information on AML/CFT Matters Does your organization have a written anti-money laundering (AML) policy applicable to all branches and other offices? If “NO”, when is it planned to be adopted? □ YES □ NO □ Are you willing, upon request, to provide copies of your AML (Anti-Money Laundering) policy? □ YES □ NO Does your organization have procedures requiring the collection of general information and documentation on all clients prior to establishing business relations? □ YES □ NO Does your organization maintain records relating to client identification and transactions? If “YES”, for what period of time? □ YES □ NO □ Does your organization maintain anonymous accounts? □ YES □ NO Does your organization provide services to occasional clients? □ YES □ NO Does your organization conduct business with offshore companies that do not have a physical presence in any country? □ YES □ NO Does your organization provide training to all employees on AML/CFT legislation and regulations? □ YES □ NO Does your organization verify client identity when conducting large transactions? □ YES □ NO Does your organization monitor client account activity and other transactions to identify large or suspicious operations? □ YES □ NO Does your organization report suspicious transactions to the relevant governmental authorities? □ YES □ NO Is any of the organization’s directors or beneficial owners a foreign politically exposed person (PEP)? (A foreign politically exposed person is a person appointed or elected to a position in the legislative, executive, administrative, or judicial body of a foreign state, or any person performing a public function for a foreign state.) □ YES □ NO

Annex 2

to the Internal Control Rules for the purposes of combating money laundering of proceeds from crime, financing of terrorism and financing of the proliferation of weapons of mass destruction in the Payment Organization Neo Pay LLP

Threshold Transactions Subject to Financial Monitoring Transactions with money and/or other property are subject to financial monitoring (threshold transactions) if, by their nature, they fall under one of the following types of transactions

Code Transaction Name Form of Execution Threshold Amount 6230 Payments and transfers made by an individual included in the list of organizations and persons associated with the financing of terrorism and extremism, for the payment of taxes, utility and social payments, other mandatory budget payments, penalties and fines Non-cash

0911 Payments and money transfers made by a client in favor of another person on a gratuitous basis, in cash or non-cash form Non-cash 7 000 000 1111 Transactions conducted by legal entities within three months from the date of state registration, in cash or non-cash form Non-cash 10 000 000 1721 Sale by a client of precious metals and precious stones, and jewelry made thereof, in cash and non-cash form Non-cash 3 000 000

Top-ups and transfers of homogeneous amounts within one day Non-cash 500 000

Annex 3

to the Internal Control Rules for the purposes of combating money laundering of proceeds from crime, financing of terrorism and financing the proliferation of weapons of mass destruction in the Payment Organization Neo Pay LLP

Indicators for Identifying Suspicious Transactions for Financial Monitoring Entities

Code Indicators for Identifying Suspicious Transactions

1 2

1. General Indicators

1 1035 The client is registered (or resides) in, or systematically conducts transactions involving persons registered (or residing) in a state (territory) that does not comply with the Financial Action Task Force (FATF) Recommendations, or uses an account held in a bank registered in such a state (territory). 2 1040 Transactions involving money and/or other property with participation of non-profit organizations engaged in charitable activities and/or other donations (except for transactions specified under code 3003). 3 1041 Receipt of funds from abroad to the accounts of non-profit organizations. 4 1046 Transactions involving a non-profit organization (except for transactions related to payment of taxes, other mandatory budget payments, penalties and fines, pension and social contributions, membership fees, utility payments, insurance premiums under compulsory insurance contracts, as well as transactions specified under suspicious transaction codes 1040, 3002, 3003, 3004, and 1041). 5 1048 Systematic transfers by a client of own funds in large amounts to a bank account opened in an offshore jurisdiction. 6 1049 Foreign exchange contracts providing for export of goods (works, services) by a resident, or import payments in favor of a non-resident registered in a state or territory offering preferential tax treatment and/or not ensuring disclosure and provision of information in financial transactions (offshore jurisdictions). 7 1050 Transactions conducted by a client under the guidance of third parties and/or persons present during the transaction. 8 1051 Transactions conducted by a person included in the list of organizations and individuals associated with financing of terrorism and extremism by court decision (except transactions on individual pension accounts for mandatory pension contributions and mandatory professional pension contributions). 9 1052 Transactions where there are grounds to believe that the transaction(s) are aimed at financing the proliferation of weapons of mass destruction. 10 1053 Transfers related to payments by a resident to a non-resident of penalties (late fees, fines) for non-performance of a goods supply contract (performance of works, provision of services) or for breach of contract terms, if the amount of the penalty exceeds ten percent of the value of undelivered goods (unperformed works, unprovided services). 11 1054 Receipt into a client’s account of a large sum of money, where the recipient has low transaction turnover and less than one year has passed since the date of its state registration. 12 1055 Receipt into a client’s account of large sums of money, where the recipient does not pay, or pays only minimal amounts of, taxes or other mandatory budget payments, or has outstanding debts to second-tier banks. 13 1056 Systematic crediting to and debiting from a client’s account of approximately the same amounts of money, where the financial monitoring entity has reasonable grounds to believe that such transaction(s) are related to the activity of a financial pyramid scheme. 14 1057 Systematic transfers from accounts of legal entities and/or individual entrepreneurs to individuals in large amounts in the form of dividends or profit distributions. 15 1058 Transfers of large amounts of money in the form of grants, financial assistance, loans, or gratuitous aid, including involving non-residents between whom no business relations exist. 16 3001 Execution of transactions involving money and/or other property to or from a country with a high risk of financing terrorism. 17 3002 Execution of transactions involving money and/or other property related to charitable activities and/or donations, except for participation of non-profit organizations. 18 3003 Execution of transactions involving money and/or other property involving religious non-profit organizations (except for transactions related to payment of taxes, other mandatory budget payments, penalties and fines, pension and social contributions, membership fees, utility payments, and insurance premiums under compulsory insurance contracts). 19 3003 Transactions performed by a client where there are grounds to believe that such transaction(s) are aimed at financing terrorism and/or extremism. 20 7002 Transactions involving money and/or other property related to the purchase, sale, transportation, manufacture, storage, or distribution of items classified as chemical, biological, or nuclear weapons, and their components, if this does not relate to the client’s declared activity. 21 7003 Transactions involving money and/or other property related to the purchase and sale of military-purpose goods or pharmaceuticals, if this does not relate to the client’s declared activity. 22 7004 Transactions involving money and/or other property related to the purchase and sale of substances, including not only medicinal products but also other synthetic and natural substances that are toxic or highly potent, if this does not relate to the client’s declared activity. 23 7006 Clients, their activities, transactions, or attempted transactions that are recognized as suspicious in accordance with the internal procedures of the financial monitoring entity. 24 8002 Attempted execution of a suspicious transaction in respect of which the financial monitoring entity has reasonable grounds to suspect that the transaction is aimed at financing terrorism. 25

A short time interval (10 minutes or less) between the crediting of funds (or increase in electronic money balance) and their debit (or reduction of electronic money balance). 26

Within a 24-hour period, transactions involving crediting and/or debiting of funds are conducted, resulting in accumulation and subsequent transfer to another account, with an end-of-day balance not exceeding 5% of the average daily transaction volume on the bank account (or electronic payment instrument). 27

Transactions involving debiting of funds or electronic money characterized by the absence of payments to legal entities and/or individual entrepreneurs for the client’s basic living needs (e.g., utilities, communication services, or other services, goods, or works). 28

Matching of device identification information (e.g., MAC address, device fingerprint, etc.) used by different individual clients for remote access to financial services related to money or electronic money transfers. 29

Crediting of funds to card accounts via terminals from a large number of individuals (P2P, card top-ups), exceeding 10 transactions per day, 20 transactions per week, and 50 transactions per month. 30

Execution of transactions in favor of unregistered cryptocurrency exchanges and crypto-asset service providers operating outside the jurisdiction of the Astana International Financial Centre. 31

Clients who are non-residents of the Republic of Kazakhstan. 32 7011 Receipt of payments in favor of the client using electronic money in large amounts, or repeated receipt of electronic money payments in the absence of information on the client’s involvement in e-commerce activities. 33 7012 Frequent receipt of payments in favor of a client using electronic money from unidentified holders of electronic money (except for payments of taxes and other mandatory budget payments, utility services, communication services, and television and radio broadcasting services). 34 1094 Systematic execution of transactions with money and/or other property where the nature, frequency, amount of the transaction, information on the payer (recipient), and other available data give grounds to believe that such transaction(s) may be related to the illicit trafficking of narcotic drugs, psychotropic substances or their analogues, and/or precursors.

Annex 4

to the Internal Control Rules for the purposes of counteracting legalization (laundering) of proceeds from crime, financing of terrorism, and financing of proliferation of weapons of mass destruction in the Payment Organization Neo Pay LLP

Training Completion Protocol for Employees of Neo Pay LLP in the Area of Counteracting Legalization (Laundering) of Proceeds from Crime and Financing of Terrorism I, _____________________________________________________________ (Full name) have successfully completed training in the area of AML/CFT. I confirm that I have been familiarized with: • regulatory legal acts of the Republic of Kazakhstan in the area of AML/CFT and international standards in the field of AML/CFT; • the Internal Control Rules and their implementation programs in the course of performing the Organization’s official duties, as well as liability for failure to comply with AML/CFT legislation of the Republic of Kazakhstan, as established by Article 214 of the Code of the Republic of Kazakhstan “On Administrative Offences”; • typologies, schemes, and methods of money laundering (ML) and financing of terrorism (FT), in accordance with paragraph 5 of Article 4 of the AML/CFT Law, as well as indicators for identifying suspicious transactions. Date__________________ Signature _____________

Annex 5

to the Internal Control Rules for the purposes of combating money laundering of proceeds from crime, financing of terrorism and financing of the proliferation of weapons of mass destruction in the Payment Organization

Methodology for AML/CFT Risk Assessment High AML/CFT Risk Level shall be assigned to clients exhibiting the following characteristics: 1. The client, its representative, or beneficial owner is a foreign politically exposed person, or their spouse or close relatives. 2. By decision of the responsible officer, based on the results of analysis where negative factors are identified in relation to the client, its representative, or beneficial owner included in the list of domestic politically exposed persons approved by the President of the Republic of Kazakhstan, as well as their spouses and close relatives.

3. Non-profit organizations in the form of foundations or religious associations.

4. The client, its representative, or beneficial owner is included in official sanctions lists.

5. The client, its representative, or beneficial owner is registered, resides, or is located in the following jurisdictions: 1) foreign states (territories) included in the list of jurisdictions that do not comply or insufficiently comply with FATF Recommendations, compiled by the Financial Monitoring Agency (FMA); 2) foreign states (territories) subject to international sanctions (embargoes) imposed by United Nations Security Council resolutions. 6. Information provided by the client or its representative for proper customer identification contains knowingly false information.

7. Foreign financial institutions.

8. The client, its representative, or beneficial owner is included in the list of domestic politically exposed persons approved by the President of the Republic of Kazakhstan, as well as their spouses and close relatives.

9. Legal entities and individual entrepreneurs whose activities are associated with intensive cash turnover.

10. Registration, place of residence, or location of the client, its representative, or beneficial owner in the following jurisdictions: 1) foreign states (territories) included in the list of offshore zones for the purposes of the Law of the Republic of Kazakhstan “On Counteracting Legalization (Laundering) of Proceeds from Crime and Financing of Terrorism”, approved by Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 24, 2020 No. 8 “On Establishing the List of Offshore Zones for Banking and Insurance Activities, Activities of Professional Securities Market Participants and Other Licensed Activities in the Securities Market, Activities of Mutual Investment Funds and Activities of Microfinance Organizations” (registered in the State Register of Normative Legal Acts under No. 20095); 2) foreign states (territories) included in the list of low-tax jurisdictions, approved by Order of the Minister of Finance of the Republic of Kazakhstan dated February 8, 2018 No. 142 “On Approval of the List of Low-Tax Jurisdictions” (registered in the State Register of Normative Legal Acts under No. 16404); 3) foreign states (territories) identified by the Organization as presenting AML/CFT risk based on other factors (levels of corruption, illicit production, trafficking and/or transit of drugs, information on support for international terrorism, etc.). 7. Upon detection during monitoring and analysis of client transactions of a suspicious transaction (deal) or an attempt to conduct such transaction;

8. In cases of remote customer servicing, only where the client or its transactions raise suspicion;

9. In case of doubts regarding the reliability of information provided by the client;

10. By decision of the Responsible Officer.

A low AML/CFT risk level may be assigned to clients whose identification criteria do not meet the high-risk criteria described above.