BSA / AML Policy

It is the policy of Patch Cap, Inc (“PCI”) to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities by complying with all applicable requirements under the Bank Secrecy Act (BSA) and its implementing regulations.

Money laundering is generally defined as “engaging in acts designed to conceal or disguise the true origins of criminally derived proceeds so that the proceeds appear to have derived from legitimate origins or constitute legitimate assets.” Generally, money laundering occurs in three stages. Illicit proceeds first enter the financial system at the "placement" stage, where funds generated from criminal activities are converted into monetary instruments, such as money orders or traveler's checks, or deposited into accounts at financial institutions. At the "layering" stage, the funds are transferred or moved into other assets, accounts, or other financial institutions to further separate the money from its criminal origin. At the "integration" stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or legitimate businesses.

Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal either the origin of the funds or their intended use, which could be for criminal purposes. Legitimate sources of funds are a key difference between terrorist financiers and traditional criminal organizations. In addition to charitable donations, legitimate sources include foreign government sponsors, business ownership, and personal employment. Although the motivation differs between traditional money launderers and terrorist financiers, the actual methods used to fund terrorist operations can be the same as or similar to methods used by other criminals to launder funds. Funding for terrorist attacks does not always require large sums of money and the associated transactions may not be complex.

PCIs BSA/AML policies and internal controls are designed to ensure compliance with all applicable BSA regulations and will be reviewed and updated on a regular basis to account for both changes in regulations and changes in PCIs business model.

The Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Program was implemented on June 1, 2022.

A Bureau of the United States Department of Treasury charged with implementing and enforcing the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations.

A report to be filed electronically with FinCEN when a customer of PCI transacts over $10,000 cash via single transaction or multiple transactions that aggregate to over $10,000 in a single day.

A report to be filed electronically with FinCEN when PCI detects unusual or suspicious activity or has reason to believe unusual or suspicious activity has occurred.

The purpose of the BSA/AML Program is to establish a procedure for PCI to operate in compliance with FinCEN regulations regarding anti-money laundering, suspicious activity, and other reporting responsibilities. On March 18, 2013, FinCEN released guidance requiring persons administrating or exchanging foreign currencies to register as a money services business (MSB), specifically a money transmitter, and thus comply with FinCEN MSB regulatory requirements to establish an AML program, complete certain government filings, and retain records for presentation as required.

FinCEN’s BSA/AML regulatory requirements are applicable to PCI under FinCEN Guidance FIN-2013-G001.

Headquartered in Bozeman, Montana, PCI provides forex services to business customers in Nigeria, enabling them to utilize the local naira to access foreign exchange liquidity in which they already conduct business. The company will initially be focused on businesses in Nigeria, with planned expansion to other African nations. Within Nigeria, the company plans to provide forex services to businesses at favorable exchange rates.

The roles and responsibilities applicable to PCIs BSA/AML compliance program are detailed below.

PCIs Board of Directors (“Board”) is responsible for approving the BSA/AML Program and associated initiatives. The Board also oversees the BSA Compliance Officer and overall performance of the initiatives associated with the BSA/AML Program, including day-to-day operations, training, monitoring, and updates.

PCIs BSA Compliance Officer is responsible for leading the day-to-day compliance activities and ensuring the following:

1. The BSA/AML Program is developed and implemented effectively
2. The BSA/AML Program is updated as necessary
3. PCI provides ongoing training of appropriate persons concerning their responsibilities under the BSA/AML Program
4. PCI uses independent testing to monitor and maintain the BSA/AML Program.

The BSA Compliance Officer is responsible for overseeing the analysis and disposition of any attempted or completed transactions that raise AML concerns. The BSA Compliance Officer is responsible for analysis and disposition of any attempted or completed transactions that may require reporting to FinCEN, including, but not limited to, Suspicious Activity Report (SAR) filings and Currency Transaction Report (CTR) filings. Furthermore, the BSA Compliance Officer is responsible for analysis and disposition of any attempted or completed transactions that raise an obligation to file a report to governmental officials or law enforcement. The BSA Compliance Officer is responsible for providing PCI with interpretations of the requirements of the BSA/AML Program and for resolving conflicts that may arise thereto.

PCI must comply with legal and regulatory requirements designed to detect and prevent money laundering and terrorist financing activities. The AML Program states what employees and contractors must do in order to fulfill PCIs compliance obligations. Failure to follow the AML Program or supporting policies and procedures thereto violates PCIs policy and may violate the law. Violation of this program may result in termination of employment or contractual relationship. Violation of the law may result in civil penalties and/or criminal prosecution.

In connection with their duties, employees, contractors, and volunteers of PCI will thoroughly consider whether attempted or completed transactions are potentially suspicious or unusual and escalate any such instances to the BSA Compliance Officer within one (1) business day.

As stated in previous sections, PCI is required to:

1. Designate a BSA Compliance Officer for the purposes of the BSA/AML Program
2. Develop and implement a written anti-money laundering program reasonably designed to prevent PCI from being used to facilitate money laundering or terrorist financing
3. File reports regarding certain transactions (e.g., currency in excess of $10,000)
4. File reports of suspicious or unusual activity
5. Engage in monitoring, testing, and training relating to the BSA/AML Program
6. Regularly update the policies associated with the BSA/AML Program
7. Respond to information requests from FinCEN and/or law enforcement
8. Take other steps, as required, to establish and maintain compliance with FinCEN regulations

PCI hereby affirms Jeff Kern as the BSA Compliance Officer for the purposes of the BSA/AML Program.

PCI hereby establishes a written BSA/AML Program. Broadly speaking, the goals of the BSA/AML Program are as follows:

1. Assess the universe of transactions in which PCI engages
2. Develop an understanding of the attributes of the transactions in order to differentiate between routine, commonplace transactions in which PCI engages, and suspicious or unusual transactions that may warrant SAR filing
3. Develop a culture and process within PCI to identify transactions that may warrant escalation to the BSA Compliance Officer
4. Adjust the BSA Program, as necessary, to maintain compliance with evolving requirements.

Federal

‍PCI is registered as a money services business (MSB) pursuant to the Bank Secrecy Act (BSA) regulations at 31 CFR 1022.380(a)-(f), administered by the Financial Crimes Enforcement Network (FinCEN) under the Department of Treasury. Therein, PCI is registered to conduct money transmitter activities. Renewal of MSB registration is due within two (2) calendar years or sooner under certain circumstances as identified by FinCEN. After an MSB completes its initial registration, the form to renew its registration must be filed by December 31 of the second calendar year preceding the 24-month renewal period and is accomplished by filing the Registration of Money Services Business Form, FinCEN Form 107. Thereafter, registration renewal must be filed every 24 months by December 31. See Section 13.7 for FinCEN MSB Registration.

State

PCI may be required under the terms of its FinCEN registration to obtain state-level licensure from the state(s) within which it maintains operations and conducts business.

In order to comply with state law and the terms of its FinCEN registration, PCI may be required to obtain a money transmitter license from certain states. The regulatory interpretation and application of licensure or other formal permissions varies by state and is subject to change, often without formal or immediate notification to affected parties.

PCI shall continuously invest time and resources in ensuring compliance with state regulations surrounding money transmitter license requirements. PCI will not offer its service to customers residing in or transacting from any state(s) for which it believes it cannot meet regulatory requirements.

PCI established a KYC/CDD Policy in order to mitigate the risk of being used, intentionally or unintentionally, by criminal elements for money laundering activities. The KYC/CDD Policy enables PCI to know and understand its customer and his/her financial dealing.

The KYC/CDD Policy identifies the specific customer and transaction information collected and recorded, as well as the verification of customer identification and government filings in accordance with regulatory expectations (see “Know Your Customer/Customer Due Diligence Policy”).

PCI will provide notice to all prospective customers that information will be requested of them to help mitigate risks associated with money laundering, and to verify their identities as required by federal law. The notice shall read as follows:

Important Information About Procedures for Conducting Transactions
‍To help the government fight the funding of terrorism and money laundering activities, federal law may require us to obtain, verify, and record information that identifies each person who conducts a transaction involving the sale or exchange of currency.
What this means for you
‍When you conduct a transaction with us, we may ask for your name, address, date of birth, and other information that will allow us to identify you, including your Social Security number. We may also ask to see your driver’s license or other identifying documents.

PCI shall communicate the above notice via conspicuous text on the institution’s official company website, at the time of application download, and/or via other forms of written or digital correspondence with both prospective and existing customers.

PCI established an Enhanced Due Diligence (EDD) Policy to mitigate the increased exposure to money laundering and/or terrorist financing posed by higher-risk customers. Certain customers pose a higher risk to financial service providers due to their business activity, ownership structure, anticipated or actual volume, and types of transactions.

The EDD Policy identifies the process for classifying high-risk customers, the specific customer information and supporting documentation to be obtained and reviewed, and the frequency of review (see “Enhanced Due Diligence Policy”).

PCI established an Ongoing Monitoring Policy to identify and flag potential suspicious or unusual activity for review and provide for the timely SAR filing of such activity if ultimately determined suspicious or unusual. The Ongoing Monitoring Policy identifies specific alert routines developed to screen customer and transactional information for potentially suspicious or unusual activity. The alert routines monitor customers for unusual size, volume, or pattern of transactions, taking into account risk factors and “red flags” appropriate to PCIs business model (see “Ongoing Monitoring Policy”).

The Office of Foreign Assets Control (OFAC) of the United States Department of Treasury administers and enforces economic and trade sanctions against targeted foreign countries and groups of individuals, terrorism sponsoring organizations, and international narcotics traffickers based on U.S. foreign policy and national security goals. (see “Know Your Customer/Customer Due Diligence Policy”).

PCI screens users against OFAC’s Specially Designated Nationals (SDN) List. In the event a match has been determined, PCI will contact OFAC via hotline, as well as refuse any pending or future transactions.

PCI monitors financial transactions performed by or through its network and agents to detect those that involve any entity or person subject to OFAC laws and regulations.

In the event a match has been determined, PCI will contact OFAC via hotline, as well as refuse any pending or future transactions. (see “Know Your Customer/Customer Due Diligence Policy”).

PCI screens user information and transactional information to determine if it involves individuals and entities with ties to OFAC-sanctioned geographic regions and governments (e.g., address and government-issued identification). OFAC administers a number of U.S. economic sanctions and embargoes that target geographic regions and governments. Some programs are comprehensive in nature, block the government, and include broad-based trade restrictions, while others target specific individuals and entities.

PCI shall refer to the Sanctions Programs and Country Information page on the official website of the Office of Foreign Assets Control for information on specific programs.

In the event a match has been determined, PCI will contact OFAC via hotline, as well as refuse any pending or future transactions.

Politically Exposed Persons (PEPs) are individuals who have been entrusted with a prominent public function. A PEP generally presents a higher risk for potential involvement in bribery and corruption by virtue of their position and the influence that they may hold. The terms politically exposed person and senior foreign political figure are often used interchangeably, particularly in international forums. Foreign official is a term for individuals deemed as government persons under the Foreign Corrupt Practices Act (FCPA), and although definitions are similar to PEP, there are quite a few differences and they should not be used interchangeably. The term PEP is typically used to refer to customers in the financial services industry, while foreign officials refer to the risks of third-party relationships in all industries.

PCI screens all customers to detect those that may be classified as a PEP and applies commensurate controls in conjunction with the KYC/CDD Policy (see “KYC/CDD Policy”). Specifically, the customer name and personally identifiable information of all customers will be screened against one or more PEP watchlists through automated means. Once identified, all PEPs shall be classified as high-risk and will undergo enhanced due diligence in accordance with the Enhanced Due Diligence Policy (see “Enhanced Due Diligence Policy”).

The Funds Transfer Rule requires all financial institutions engaged in funds transmittals to obtain and retain certain information.

For each exchange totaling $3,000 or more, PCI shall obtain and retain a record of the following information:

• Name and address of the customer
• Customer taxpayer identification number (e.g., SSN or EIN) or, if none, alien identification number or passport number and country of issuance, or a notation in the record of the lack thereof
• Transaction amount
• Transaction date
• Record of the payment method
• Any payment instructions received from the customer
• Identity of the customer’s financial institution
• As many of the following items as are received:
  ◦ Name and address of the recipient;
  ◦ Account number of the recipient; and,
  ◦ Any other specific identifier of the recipient
• Any form relating to the transmittal of funds that is completed or signed by the customer

If PCI has knowledge that the customer is not the transmitter, the institution shall obtain and retain a record of the transmitter’s taxpayer identification number (e.g., SSN or EIN) or, if none, alien identification number or passport number and country of issuance, if known by the person placing the order, or a notation in the record of the lack thereof.

The Funds Travel Rule requires all financial institutions in certain funds transmittals involving more than one financial institution to pass on certain information to the next financial institution and to maintain records of the aforementioned information, including:

• Any payment instructions
• Identity of the beneficiary’s institution
• Originator’s TIN (e.g., SSN or EIN) or, if none, the alien identification number or passport number and country of issuance, or a notation in the record of the lack thereof
• Copy or record of the method of payment for the funds transfer
• As many of the following items, as possible:
  ◦ Name and address of the beneficiary
  ◦ Account number of the beneficiary
  ◦ Any other specific identifier of the beneficiary
  ◦ Name and address of the person placing the payment order

PCI has undertaken a Risk Assessment to identify its BSA/AML risk profile, which is the first step in designing tailored controls to mitigate risks and identify gaps in existing controls. The Risk Assessment examined the composition of PCIs customer base, products and services, and geographic footprint. The Risk Assessment will assist the Board in understanding where risks related to BSA/AML compliance lie. The assessment included: (a) an evaluation of the adequacy and appropriateness of the policies, procedures, and controls established by PCI in order to comply with the Bank Secrecy Act and mitigate the associated risk; (b) identification of any significant gaps or weaknesses; and (c) recommendations for improvements that will serve to strengthen PCIs overall BSA/AML Compliance Program (see “BSA Risk Assessment”).

PCI will update the BSA/AML Program on an annual basis, at minimum, to ensure compliance with regulatory requirements and adaptation to evolving risk.

PCI mandates all employees and contractors participate in, complete, and adhere to its BSA/AML training as a condition of continued employment. To that end, PCI has developed and implemented a formal AML compliance training program that incorporates the requirements of the Bank Secrecy Act (BSA), the USA PATRIOT Act, anti-money laundering laws, and other applicable federal and state laws and regulations. PCI has tailored its ongoing employee training based on its risk profile.

PCI facilitates the training program via an e-learning module. The training course materials examine how to identify red flags and signs of money laundering that arise during the course of one's duties, what to do once the risk is identified, individual and collective roles in PCIs compliance efforts and how to perform them, record retention obligations, and the disciplinary consequences (including civil and criminal penalties) for non-compliance with anti-money laundering laws and regulations.

PCI requires training for all employees and contractors as follows:

1. Every new employee and contractor must be trained on PCIs compliance policies and procedures before the employee commences work
2. Every employee and contractor already actively under the employ of PCI shall be trained within thirty (30) days of the BSA/AML Program approval date
3. Every employee and contractor must be retrained, at minimum, on an annual basis going forward and as required by changing laws and regulations.

Further, whenever possible, PCI encourages and sponsors officer, employee, and contractor participation in targeted and relevant AML compliance training courses, seminars, conferences, and other opportunities.

PCI shall maintain a detailed log of its AML training activities, including participation in its e-learning module and any of the above-referenced training opportunities.

PCI will arrange for independent testing of its BSA/AML Program on an annual basis. This testing may be performed by a third-party or by an employee of PCI other than the BSA Compliance Officer.

Testing performed by PCI personnel must be conducted by someone other than the BSA Compliance Officer or anyone who engaged in the BSA/AML functions under review. His/her/their qualifications should include, at least, a working knowledge of BSA regulations and regulatory requirements.

As a general matter, independent testing of PCIs BSA/AML Program will include, at a minimum: (1) evaluating the overall integrity and effectiveness of PCIs BSA/AML Program; (2) evaluating PCIs policies pertaining to BSA/AML reporting and recordkeeping requirements; (3) evaluating the implementation and maintenance of PCIs KYC/CDD Program; (4) evaluating PCIs transactions; (5) evaluating the adequacy of PCIs staff training program; (6) evaluating PCIs systems, whether automated or manual, for identifying potential suspicious activity; (7) evaluating PCIs system for reporting suspicious activity; and (8) evaluating PCIs response to previously identified deficiencies, if any (see Section 13.5 for a Sample Testing Log).

In addition to any other transaction reporting obligations that apply to PCI, under the BSA/AML Program, PCI must file FinCEN Form 112 “Currency Transaction Report” (CTR) in connection with covered transactions. FinCEN Form 112 “Currency Transaction Report” (CTR) is used generally to report cash transactions in excess of $10,000 or a series of related cash transactions that, when aggregated, exceed $10,000. For the purposes of this reporting requirement, cash means “U.S. or foreign currency.” Regardless of the type of transaction, there must be over $10,000 cash to trigger the reporting requirement. See Section 13.3 for a CTR Retention Checklist.

FinCEN has electronic means for completing and filing CTRs. A CTR must be filed no later than fifteen (15) calendar days after the date of the transaction(s).

PCI will maintain a copy of any CTR it originates, as well as any supporting documentation, for a period of five (5) years from the date of filing.

In addition to any other transaction reporting obligations that apply to PCI, under the BSA/AML Program, PCI must file a Suspicious Activity Report (SAR) to report transactions that are or appear to be suspicious, unusual, or both, as well as any possible violations of law or regulation.

PCI established a Suspicious Activity Report (SAR) Policy for the timely and uniform preparation and filing of SARs. The SAR Policy details the SAR filling process, criteria, relevant customer and transactional information to be included, filing deadlines, the confidentiality requirement, and frequency for continued activity review (see “Suspicious Activity Report Policy”).

PCI will maintain a copy of any SAR it originates (including joint reports), as well as any supporting documentation, for a period of five (5) years from the date of filing.

Supporting documentation must be identified as such and maintained by PCI. PCI will make all supporting documentation available to FinCEN, or any federal, state, or local law enforcement agency, or any federal regulatory authority that examines PCI for compliance with the Bank Secrecy Act, or any state regulatory authority administering a state law that requires PCI to comply with the Bank Secrecy Act or otherwise authorizes the state authority to ensure that PCI complies with the Bank Secrecy Act, upon request. See Section 13.2 for a SAR Retention Checklist.

PCI will retain BSA/AML records for a period of five (5) years, at minimum. These records will be filed or stored in such a way as to be accessible within a reasonable period of time.

The retention of records includes, but is in no way limited to, the following:

1. ‍FinCEN Registration — MSBs must maintain copies of their FinCEN registration form and registration number assigned to the business, including any renewal or subsequent forms (see Section 8.3.1).
2. ‍Funds Transfer Rule — MSBs engaged in the transmission of funds must obtain and retain certain customer and transactional information for individual transactions of $3,000 or more (see Section 8.3.9).

In situations involving violations that require immediate attention, such as terrorist financing or ongoing money laundering schemes, PCI will immediately contact an appropriate law enforcement authority. If an individual or entity appears on OFAC’s SDN List (See Section 8.3.7.1), PCI will call the OFAC Hotline at (800) 540-6322. Other relevant contacts include FinCEN’s Financial Institution Hotline (866) 556-3974 and appropriate local law enforcement authorities.

FinCEN requires PCI to comply with information sharing requests regarding accounts and transactions. In the event PCI receives such a request, PCI will verify that the requester is a member of law enforcement and the order is properly served before responding. The response shall be made in a timely manner and any deadlines observed. PCI shall at all times cooperate completely and thoroughly with the underlying inquiry. Prior to cooperating with any law enforcement information requests, PCI shall require the corresponding agency to submit its request in writing on official agency letterhead. The institution may consult with legal counsel prior to and throughout the process of responding to the law enforcement information request.

PCI will respond to National Security Letters (“NSLs”) to obtain financial records, among other things, by querying its records to determine whether the individual, entity, or organization named in an NSL has engaged in any transactional activities. PCI is required to report matches no later than fourteen (14) calendar days after the date of request. The receipt of an NSL is highly confidential.

No member of PCI will disclose to any person that a government authority or the FBI has sought or obtained access to records of each individual, entity, or organization named in the NSL. If a SAR is filed after receiving an NSL, the SAR will not contain any reference to the receipt or existence of the NSL.

Upon receipt of a grand jury subpoena concerning a customer, PCI will conduct a review of that customer and his/her activities. If the review uncovers suspicious or unusual activity, PCI will file a SAR in accordance with the SAR Policy (See “SAR Policy”). If a SAR is filed after receiving a grand jury subpoena, the SAR will not contain any reference to the receipt or existence of the subpoena. Regardless of the decision to file a SAR, no member of PCI will disclose to any person, including the named individual, of the existence of the subpoena or its contents.

In the event of a question regarding the operation or implementation of the BSA/AML Program, or in the event PCI staff require an interpretation relating to the Program, the conflict or interpretation request will be escalated to the BSA Compliance Officer, who will resolve the conflict or provide the interpretation.

There are no exceptions permitted to the BSA/AML Program without the written approval of the BSA Compliance Officer.

PCIs BSA/AML Program will be reviewed and updated, at minimum, on an annual basis. PCI will review and update its BSA/AML Program following any material changes to business operations, company ownership, or both.

PCIs BSA/AML Program must be approved in writing by a member of Senior Management.

Senior Management has approved this BSA/AML Program in writing as reasonably designed to achieve and monitor PCIs ongoing compliance with the requirements of the Bank Secrecy Act (BSA) and the implementing regulations thereunder.