Securepay Grievance Policy
Direct2pay Devraaj Payments and Tech Solutions Private Limited, a company duly incorporated under the provisions of the Companies Act, 2013, and having its registered office at 4th Floor, CPL Tower 2, 44B, IT Park, Shahastradhara road, Dehradun, Uttarakhand, 248001, (hereinafter referred to as “SecurePay”), is engaged in the business of providing comprehensive payment solutions, including payment aggregator and gateway services, with the objective of facilitating the efficient collection and disbursement of payments for commercial enterprises across diverse sectors.
Through its robust, scalable, and custom-designed digital payment infrastructure, SecurePay enables a wide range of business entities (hereinafter referred to as “Merchants”) to seamlessly collect payments from their end customers. The platform is equipped to process transactions and is supported by a suite of proprietary products that allow Merchants to accept payments in a manner that is secure, transparent, cost-effective, and user-friendly.
As an organization operating in the domain of financial technology services, SecurePay places utmost importance on the satisfaction and trust of both its Merchants and the customers who engage with its platform. SecurePay is committed to cultivating long-term commercial relationships founded upon transparency, accountability, and efficiency, and seeks to promote the adoption of safe and reliable digital payment practices.
In furtherance of this commitment, SecurePay has established the present Customer Grievance Redressal Policy, which has been duly approved by its Board of Directors. This Policy has been instituted to define the mechanisms through which SecurePay shall ensure that all Merchants and Customers are treated equitably and without discrimination, and to provide an accessible and effective avenue through which they may raise concerns or complaints pertaining to SecurePay’s services. It further sets out the process for addressing and resolving such grievances both within SecurePay’s internal redressal framework and, where appropriate, through external regulatory or legal channels.
Objective and scope
This Policy sets out the framework for grievance redressal and dispute resolution at SecurePay in its capacity as a Regulated Entity, and underscores SecurePay’s commitment to operate in full compliance with the regulatory directives issued by the Reserve Bank of India (“RBI”), as well as all other applicable laws, rules, regulations, and guidelines issued by competent authorities from time to time.
The primary objective of this Policy is to define and institutionalize the principles and procedures governing the redressal of grievances and resolution of disputes arising out of, or in connection with, the services and products provided by SecurePay. It seeks to ensure that grievances and complaints raised by Merchants and Customers are addressed in a fair, transparent, consistent, and expeditious manner, in accordance with applicable regulatory mandates and the highest standards of ethical business conduct.
This Policy also delineates the internal protocols and review mechanisms to be implemented by SecurePay for the effective handling of grievances, and it formalizes the obligations of SecurePay to facilitate a responsive and accessible grievance redressal infrastructure. Furthermore, it establishes a structured process through which Customers may report concerns relating to suspected or actual instances of fraud, deception, misconduct, or unethical practices allegedly perpetrated by any Merchant affiliated with SecurePay.
In accordance with applicable legal and regulatory requirements, this Policy also affirms SecurePay’s obligation to compensate Customers in a timely and appropriate manner in cases where such restitution is warranted.
This Policy is applicable to SecurePay, including all of its operations, business lines, and product offerings, whether domestic or cross-border in nature. It extends to and governs the conduct of SecurePay’s Merchants, business Partners, Employees, Customers, and any other Agents or intermediaries transacting or interacting with SecurePay in the course of its business operations.
Definitions
For the purposes of this Customer Grievance Redressal Policy, the following terms shall have the meanings respectively assigned to them hereinbelow, unless the context otherwise requires:
“Customer(s)” shall mean and refer to any individual or legal entity that purchases goods and/or services from a Merchant, and who makes payments to such Merchant using one or more payment instruments facilitated through the payment solutions offered by SecurePay.
“Merchant(s)” shall mean and refer to any individual, firm, or legal entity that is registered with SecurePay for the purpose of utilizing its services in order to accept payments from Customers through various permitted payment instruments, in fulfilment of the Customers’ payment obligations for goods and/or services rendered.
“Complaint(s)” shall mean and include any expression of dissatisfaction, dispute, or grievance - whether written, oral, or electronic - lodged by a Merchant or a Customer, which arises due to any act of omission or commission on the part of SecurePay in rendering its services, or any non-conformance, deficiency, or failure in relation to SecurePay’s products, services, systems, or processes. Complaints may pertain to, but are not limited to, the following illustrative scenarios:
Instances wherein a Customer experiences an inordinate delay (beyond the expected or promised delivery date) or a complete failure on the part of a Merchant to deliver the goods or services for which the payment was processed via SecurePay’s platform, and where the Merchant fails to respond to or support the Customer in resolving the issue;
Situations where a Customer identifies an unauthorised debit from their account and alleges that such funds were utilised to process a transaction on SecurePay’s platform, and the Customer has formally approached SecurePay through appropriate legal or regulatory channels;
Cases involving unjustified or excessive delay by a Merchant in processing a refund after a confirmation has been communicated to the Customer, particularly when such delay exceeds the time period originally represented by the Merchant;
Non-compliance with, or deviation from, any applicable laws, rules, regulations, circulars, notifications, or guidelines issued by the Reserve Bank of India or any other competent authority, by either SecurePay or any of its affiliated Merchants, that directly or indirectly affects the Customer or Merchant experience;
Complaints from Merchants concerning SecurePay’s failure to deliver the agreed services, including but not limited to issues related to system downtimes, payment gateway outages, or performance deficiencies that adversely impact the Merchant’s operations;
Any other grievance, concern, or dispute directly arising out of, or in connection with, a transaction processed through SecurePay’s systems or services.
Grievance redressal and escalation matrix
a) Grievance Redressal Framework
Merchants and Customers who have any query, feedback, or complaint in connection with transactions processed or attempted via Direct2pay Devraaj Payments and Tech Solutions Private Limited’s (“SecurePay”) platform, or in relation to any product or service offered by SecurePay, may lodge such concerns directly with SecurePay through the available official channels.
Merchants and Customers may first access SecurePay’s Support Portal, which contains a comprehensive repository of Frequently Asked Questions (FAQs) to assist with common concerns, at: ____________ [insert SecurePay support URL].
Customers may also check the status of their transaction using the transaction reference number provided by SecurePay via the transaction tracker portal available at: _____________ [insert URL].
Should the complainant be dissatisfied with the resolution provided, or where the response is not received within the prescribed timeline, the grievance may be escalated in accordance with the escalation matrix provided below.
Furthermore, Customers may also seek redressal through alternative channels including, but not limited to, their issuing banks in cases involving non-delivery of goods or services by a Merchant, or through appropriate law enforcement authorities in cases of unauthorised or fraudulent transactions, in accordance with applicable legal procedures.
b) Escalation Matrix and Timelines for Resolution
Level 1 – Primary Escalation
If the Merchant or Customer is dissatisfied with the initial response or resolution, they may escalate the matter by writing to:
Email: risk@securepays.co.in
SecurePay shall endeavour to respond within five (5) business days from the date the grievance is escalated. Throughout the lifecycle of a complaint, SecurePay shall provide the Merchant or Customer with the ability to track the status of their grievance via email correspondence and/or the Merchant dashboard.
In the event that the complaint cannot be resolved within the specified timeline, SecurePay shall proactively provide interim updates regarding the status of the resolution to the complainant until final closure is achieved.
Level 2 – Escalation to the Grievance Redressal Officer
Should the Merchant or Customer remain dissatisfied with the outcome at Level 1, or where no response is received within the prescribed timeline, the matter may be further escalated to SecurePay’s designated Grievance Redressal Officer. The contact details are as follows:
Grievance Redressal Officer: Jatin Baghel
Address: 4th Floor, CPL Tower 2, 44B, IT Park, Shahastradhara road, Dehradun, Uttarakhand, 248001
Email: JatinB@securepays.co.in
The Grievance Redressal Officer shall aim to address the complaint and provide a formal response within five (5) business days from the date of escalation. Ongoing communication regarding the status of the complaint shall be maintained in the event that additional time is required to resolve the issue.
Level 3 – External Escalation to the Reserve Bank of India
In circumstances where the complainant is not satisfied with the final resolution provided by SecurePay, or where no response has been received within thirty (30) calendar days from the date the complaint was first lodged, the complainant may approach the Reserve Bank of India (RBI) under the Integrated Ombudsman Scheme. The relevant contact details are as follows:
Online Complaint Portal: https://cms.rbi.org.in/
Toll-Free Number: 14448
Email: crpc@rbi.org.in
Address: Centralised Receipt and Processing Centre,
Reserve Bank of India,
4th Floor, Sector 17, Chandigarh – 160017
Further information regarding the RBI’s Integrated Ombudsman Scheme is available at: https://rbidocs.rbi.org.in/rdocs/content/pdfs/RBIOS2021_121121.pdf.
Dispute management / chargebacks mechanism
A dispute, also referred to as a "chargeback," arises when a Customer lodges a claim with the Issuing Bank in respect of a transaction or purchase that was executed on their account. Card networks, along with regulatory bodies such as the National Payments Corporation of India (NPCI), confer upon cardholders and consumers the right to initiate a chargeback under certain specified conditions, which include, but are not limited to:
Fraudulent or unauthorized transactions;
Non-receipt of goods or services from the Merchant;
Delivery of defective or substandard products or services;
Instances of duplicate charges or multiple debits for the same transaction.
The permissible timeframe within which such disputes may be raised is governed by the dispute resolution rules of the respective card networks or payment systems, and may accordingly vary from one card association to another.
Chargeback resolution
In the event of a chargeback, the case may culminate in one of the following outcomes, depending on the response provided by the Merchant within the prescribed timelines.
Where the Customer’s chargeback request is found to be valid, the Merchant may elect to accept the chargeback. Upon such acceptance, the disputed amount shall be credited to the Customer’s account in accordance with the timelines prescribed by the relevant card network, and a corresponding and irreversible debit shall be made to the Merchant’s account.
If the Merchant disputes the chargeback on the grounds that the goods or services in question were duly delivered or rendered, the Merchant may submit relevant supporting documentation such as proof of delivery or evidence of service fulfilment. These documents shall be reviewed and, if deemed appropriate, forwarded to the acquiring bank for further representation to the issuing bank and the applicable card network.
In circumstances where the Merchant fails to either accept or contest the chargeback within the stipulated timeframe, the chargeback shall be deemed to have been accepted. This deemed acceptance shall carry the same financial consequence as an express acceptance, resulting in a permanent and non-reversible debit to the Merchant’s account with SecurePay.
Refunds
Customers may seek a refund from the Merchant for reasons including, but not limited to, non-delivery of goods or services, delivery of defective or damaged goods, or unsatisfactory service quality. In such cases, the Merchant may initiate a refund in respect of the original transaction processed through SecurePay’s payment gateway services. Unless expressly agreed otherwise by the Customer, refunds shall be credited to the original method of payment used by the Customer at the time of the transaction.
All such refunds or reversals, including those arising from chargebacks or other forms of transaction reversals as detailed in preceding sections, shall be processed through SecurePay’s Payment Aggregator (PA) escrow account in accordance with applicable regulatory requirements.
Refund processing timelines
Refund requests shall not be entertained beyond a period of 120 (one hundred and twenty) days from the date of the original transaction, unless supported and permitted by the acquiring bank and other relevant financial partners.
Upon initiation of the refund by the Merchant through SecurePay, and subsequent processing by the bank, the refunded amount typically reflects in the Customer’s bank account or card statement within a period of five (5) to seven (7) working days. However, these timelines are indicative and may vary depending on the operational timelines and processes of various stakeholders involved, including but not limited to acquiring banks, issuing banks, card networks, and other intermediaries.
S. No. | Payment Mode | Minimum TAT | Maximum TAT
1 | Credit/Debit Cards | |
2 | UPI | |
3 | Net Banking | |
4 | Wallets | |
Failed Transactions and Reversals
In accordance with the Reserve Bank of India’s Notification on Harmonisation of Turnaround Time (TAT) and Customer Compensation for Failed Transactions, a "failed transaction" shall be construed as any transaction that is not successfully completed due to reasons not attributable to the Customer. Such reasons may include, but are not limited to, failure of communication links, unavailability of funds at an Automated Teller Machine (ATM), system timeouts, or technical errors at any stage of the transaction processing cycle.
Failed transactions shall also include instances where credit to the beneficiary’s account could not be effected due to incomplete or inaccurate information, or delays in initiating a reversal of the transaction. The said guidelines are applicable to domestic transactions, wherein both the originator and the beneficiary are located within the territory of India.
SecurePay shall ensure that all such failed transactions are reversed within the turnaround time (TAT) prescribed under the applicable regulatory guidelines, based on the payment instrument or channel used. In the event that the reversal is not completed within the prescribed TAT, SecurePay shall be liable to provide compensation to the Customer, in accordance with the standards laid down by the Reserve Bank of India or any other competent authority.
Fraud Alerts from law enforcement agencies (LEA)
In the event SecurePay receives an alert or communication from a Law Enforcement Agency (LEA) including, but not limited to, notifications via the National Cybercrime Reporting Portal (NCRP), or official correspondence from the Income Tax Department, Ministry of Home Affairs (MHA), or any other competent authority pertaining to an unauthorised or suspicious transaction involving a Customer’s account, SecurePay shall take all reasonable and necessary steps to restrict further movement of funds at the Merchant’s end.
Such steps may include initiating fund recovery procedures or obtaining documentary evidence from the Merchant to establish that the goods or services in question were duly provided in good faith.
SecurePay shall also adhere to all lawful directions and instructions issued by the relevant LEA in connection with such matters. A dedicated internal team, under the supervision of a designated Nodal Officer, has been established to manage and respond to such LEA requests promptly and in accordance with applicable legal requirements.
The contact details of the Nodal Officer for LEA support are as follows:
Nodal Officer ________________
Address: __________________
Email: _________________
Details of the Nodal Officer shall also be made available and kept up to date on SecurePay’s official website.
Review
This Policy shall be subject to periodic review by the Board of Directors of SecurePay, as and when deemed necessary, to ensure its continued relevance, effectiveness, and alignment with applicable regulatory requirements and industry best practices. The Board shall, at a minimum, conduct an annual review of the functioning and efficacy of the grievance redressal mechanism established under this Framework.
Obligation of secrecy
SecurePay shall maintain strict confidentiality with respect to all information pertaining to its Merchants and Customers that arises from, or is incidental to, the contractual relationship between SecurePay and the respective parties. Such information shall be safeguarded in accordance with applicable laws and the principles of data protection and banking secrecy.
In evaluating requests for disclosure of data or information from governmental authorities or other external agencies, SecurePay shall ensure that any such disclosure does not contravene the statutory provisions governing the confidentiality of banking transactions. Information shall be disclosed only where such disclosure is:
Mandated by law or legal process;
Necessary in the public interest;
Required to protect the legitimate interests of SecurePay; or
Made with the express or implied consent of the Customer.
SecurePay shall not disclose or utilise Customer information for purposes such as cross-selling or any other commercial use without obtaining the Customer’s prior explicit consent.
Applicable regulations / Guidelines
This Policy shall be governed by and construed in accordance with all applicable laws, rules, regulations, guidelines, directives, and instructions issued by the Reserve Bank of India (RBI) and other competent authorities, as amended from time to time. This Policy supersedes all prior versions and shall include, without limitation, compliance with the following regulatory provisions:
RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, as amended from time to time;
RBI Notification on Harmonisation of Turnaround Time (TAT) and Customer Compensation for Failed Transactions using Authorised Payment Systems;
RBI Notification on the Integrated Ombudsman Scheme, 2021;
Regulations pertaining to Payment Aggregator – Cross Border (PA-Cross Border), as amended from time to time.
Any subsequent amendments, modifications, or supplements to the applicable laws or regulatory requirements relating to the establishment and maintenance of an appropriate grievance redressal mechanism shall be deemed to be incorporated herein by reference, and this Policy shall be deemed to have been amended and revised accordingly without the need for separate approval or notification.
If you have any inquiries or concerns regarding this Privacy Policy or our data practices, please reach out to our Grievance Officer.
Email: JatinB@securepays.co.in
Policy on Know Your Customer (KYC) & Anti-Money Laundering (AML) Standards
This Know Your Customer (KYC) and Anti-Money Laundering (AML) Policy (the “Policy”) has been formulated in accordance with the Master Direction – Know Your Customer (KYC) Direction, 2016, issued by the Reserve Bank of India (“RBI”), as amended from time to time, and pursuant to the provisions of the Prevention of Money Laundering Act, 2002 (“PMLA”), the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (“PMLR”), and all other applicable laws, rules, regulations, circulars, and notifications issued by competent authorities, as amended or re-enacted from time to time.
This Policy outlines the minimum standards that SecurePay shall adhere to in the identification and verification of merchants, and in conducting due diligence prior to establishing an account-based relationship or processing transactions. Merchant Due Diligence is a core component of the Company’s efforts to ensure that merchants are accurately identified, are not listed on any restricted or prohibited service lists, and are appropriately assessed for risk. This process is fundamental to mitigating the risks associated with money laundering, terrorist financing, and other illicit financial activities.
KYC and AML measures are essential not only for legal and regulatory compliance but also for upholding the Company’s ethical standards, preserving its reputation, and fostering the trust of stakeholders. Robust implementation of these measures ensures the integrity of the Company’s operations and supports the broader financial ecosystem in combating financial crimes.
Failure to adhere to AML obligations, including KYC requirements, may result in severe regulatory sanctions, including suspension or revocation of licenses, significant financial penalties, and reputational harm. Recognizing these risks, the Board of Directors of Direct2pay Devraaj Payments and Tech Solutions Private Limited (“Direct2pay” or the “Company”, operating under the brand name “SecurePay”) has adopted this comprehensive Policy framework governing its AML and KYC practices, in alignment with RBI directives and best industry practices.
The Company is committed to continuously adopting evolving best practices as prescribed by regulatory authorities and shall, where necessary, revise and adapt this Policy to remain consistent with prevailing legal and regulatory standards. This Policy is applicable to all business verticals, departments, and employees of the Company. It must be read in conjunction with any internal operating procedures or guidelines issued from time to time.
This Policy is a dynamic document and shall be reviewed periodically, at a minimum on an annual basis, or earlier if warranted by changes in applicable laws, regulations, or internal risk assessments. Any revisions arising from such reviews shall be incorporated into the Policy following formal approval by the Board of Directors.
Definitions
Aadhaar Number
Means an identification number issued to an individual by the Unique Identification Authority of India (UIDAI) upon submission of demographic and biometric information, in accordance with the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, as amended from time to time. Aadhaar serves as a valid document for the purposes of both identity and address verification.
Act and Rules
Refer respectively to the Prevention of Money Laundering Act, 2002 ("PMLA") and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 ("PMLR"), as amended from time to time.
Authentication
Shall have the meaning assigned under Section 2(c) of the Aadhaar Act and refers to the process wherein the Aadhaar number, together with demographic and/or biometric information, is submitted to the Central Identities Data Repository (CIDR) for verification, which then confirms or denies the authenticity based on its stored data.
Beneficial Owner (BO)
Shall be determined as follows:
In the case of a company: The natural person(s) who, either individually or collectively, or through one or more juridical persons, holds a controlling ownership interest (i.e., more than 10% of shares/capital/profits), or exercises control through other means.
In the case of a partnership firm: The natural person(s) holding more than 10% ownership or entitlement to capital/profits, or exercising control by any means.
In the case of an unincorporated association or body of individuals (including societies): The natural person(s) owning or entitled to more than 15% of the property, capital, or profits.
In the case of a trust: The BO includes the author of the trust, trustees, beneficiaries with 10% or more interest, and any other individual exercising ultimate effective control over the trust.
Where no natural person is identified under the above, the beneficial owner shall be deemed to be the relevant natural person who holds the position of senior managing official.
Biometric Information
Includes photograph, fingerprint, iris scan, or any other biological attribute of an individual as specified under the Aadhaar (Authentication) Regulations.
Central Identities Data Repository (CIDR)
Means the centralized database maintained by UIDAI containing Aadhaar numbers and associated demographic and biometric information of Aadhaar number holders.
Central KYC Records Registry (CKYCR)
Refers to the entity defined under Rule 2(1)(aa) of the PMLR, established to receive, store, safeguard, and retrieve KYC records of clients in digital form.
Customer
Means the end user or client of the services provided by a Merchant with whom the Company has entered into a contractual arrangement for the provision of Payment gateway (PG) services.
Demographic Information
Comprises the name, date of birth, address, and other relevant personal details of an individual, as prescribed for issuance of an Aadhaar number, but excludes sensitive personal information.
Designated Director
Denotes the individual appointed by the Company to ensure compliance with the obligations imposed under the PMLA and the PMLR.
Enrollment Number
Means the 28-digit Enrollment Identification Number issued to an individual at the time of Aadhaar enrollment.
E-KYC Authentication Facility
Refers to a mode of Aadhaar authentication where biometric information and/or OTP along with the Aadhaar number is securely submitted by a consenting Aadhaar holder through a requesting entity for real-time verification, with a digitally signed response containing e-KYC data returned by the UIDAI.
Group
Shall have the same meaning as under the Income-tax Act, 1961, and includes entities required to be consolidated for financial reporting purposes (i.e., parent companies, subsidiaries, and associates).
Identity Information
Includes an individual’s Aadhaar number, biometric information, and demographic information as defined under the Aadhaar Act.
Key Controller
Refers to individuals who govern or manage the affairs of a legal entity:
In the case of a company: The natural person(s) who, either individually or collectively, or through one or more juridical persons, holds a controlling ownership interest (i.e., more than 10% of shares/capital/profits), or exercises control through other means.
In the case of a partnership firm: The natural person(s) holding more than 10% ownership or entitlement to capital/profits, or exercising control by any means.
In the case of an unincorporated association or body of individuals (including societies): The natural person(s) owning or entitled to more than 15% of the property, capital, or profits.
In the case of a trust: The BO includes the author of the trust, trustees, beneficiaries with 10% or more interest, and any other individual exercising ultimate effective control over the trust.
KYC Templates
Means standard formats prescribed for the submission of KYC data to the CKYCR, applicable to both individuals and legal entities.
Merchant
Means any individual or legal entity based in India that has entered into a contractual arrangement (Merchant Agreement) with the Company for the purpose of availing PA services.
Merchant Due Diligence (MDD)
Refers to the process of identifying and verifying the Merchant and its ultimate beneficial owner(s) during onboarding and ongoing review. MDD includes:
Collection and validation of identity and background information of the Merchant.
Risk assessment and classification of the Merchant.
Application of simplified, standard, or enhanced due diligence depending on the risk profile.
Merchant Identification
Means the process undertaken to complete Merchant Due Diligence.
Officially Valid Document (OVD)
Includes:
Aadhaar Card
Passport
Driving License
Voter Identity Card issued by the Election Commission of India
Job card issued by NREGA duly signed by a State Government officer
Letter issued by the National Population Register containing name and address details.
On-going Due Diligence
Means continuous monitoring of transactions to ensure alignment with the Merchant’s profile and source of funds.
Periodic Updating
Refers to the periodic review and updating of documents, data, or information collected during the MDD process to ensure their relevance and accuracy.
Person
Shall have the meaning ascribed in the PMLA and includes:
an individual
a company
a firm
Voter Identity Card issued by the Election Commission of India
an association of persons or a body of individuals, whether incorporated or not and
any agency, office, or branch owned or controlled by any of the aforementioned.
Politically Exposed Persons (PEPs)
Means individuals who are or have been entrusted with prominent public functions in a foreign country, including heads of state/government, senior politicians, senior government/judicial/military officials, executives of state-owned corporations, and key political party officials.
Principal Officer
Means a senior management-level officer nominated by the Company, responsible for overseeing the implementation of the AML, KYC, and CFT measures specified under this Policy.
Resident
Means an individual who has resided in India for a total period of 182 days or more during the twelve months immediately preceding the date of application for Aadhaar enrolment.
Senior Management
Refers to personnel who are part of the Company’s core management team (excluding the Board of Directors), and includes all individuals at one level below the Chief Executive Officer/Managing Director/Whole-Time Director, including the Company Secretary and Chief Financial Officer (CFO), if not members of the Board.
Suspicious Transaction
Means a transaction, including attempted or incomplete transactions, whether conducted in cash or otherwise, which:
gives rise to a reasonable suspicion that it involves proceeds of a scheduled offence under the PMLA
appears to be conducted under suspicious or unjustifiable circumstances
lacks apparent economic rationale or legitimate purpose; or
gives rise to suspicion of involvement in terrorist financing.
Transaction
Means any activity involving the opening of an account, or transfer of funds by electronic or other means, including any purchase or sale of goods or services.
Objectives and Key Elements of the Policy
The principal objective of this Policy is to establish a robust framework of internal controls, procedures, and systems aimed at mitigating the risks of financial fraud, identifying and deterring money laundering and other unlawful financial activities, and ensuring that the Company is adequately protected against being used, intentionally or otherwise, for any illicit or criminal purpose.
This Policy seeks to institutionalize a comprehensive approach to merchant onboarding and transaction monitoring, including procedures for the accurate identification and verification of merchants, the scrutiny of transactional behavior, and the reporting of suspicious activities. The framework further ensures that all relevant personnel are appropriately trained in Anti-Money Laundering (AML), Know Your Customer (KYC), and Countering the Financing of Terrorism (CFT) protocols.
In furtherance of the above objectives, the Company is committed to full compliance with all applicable laws, regulations, and directives issued by regulatory and enforcement authorities.
The Policy is structured around seven key elements, which collectively underpin the Company’s AML/CFT compliance architecture:
Merchant Acceptance Policy (MAP): Establishes the criteria and risk parameters for accepting merchants, ensuring that only those entities that meet the Company’s legal, ethical, and risk standards are onboarded.
Merchant Identification Procedures (MIP): Sets out the procedural requirements for the collection, verification, and validation of information to establish the identity and address of merchants in accordance with applicable regulatory norms.
Monitoring of Transactions: Implements mechanisms for the ongoing surveillance of merchant transactions to detect patterns or activities that may be indicative of money laundering, fraud, or other suspicious behaviour.
Record Retention: Prescribes the standards and timeframes for maintaining records of customer identification data, transactional history, and other relevant documents, in line with statutory requirements.
Reporting of Suspicious Transactions: Establishes protocols for the identification and timely reporting of suspicious transactions to the Financial Intelligence Unit India (FIU-IND) or other designated authorities, in compliance with PMLA and PMLR provisions.
Risk Management: Provides a risk-based approach for classifying merchants and transactions based on their risk profile, and applying enhanced due diligence where warranted.
Training and Awareness: Ensures that employees, particularly those in sensitive or compliance-related functions, receive regular and effective training on AML/KYC/CFT policies, procedures, and emerging risks.
Compliance with the AML/KYC Policy
The Company is committed to ensuring full and effective compliance with its Anti-Money Laundering (AML) and Know Your Customer (KYC) Policy through a structured and accountable governance framework. To this end, the following mechanisms and oversight responsibilities have been established:
Responsibility for the oversight and enforcement of AML/KYC compliance is vested in designated members of the Senior Management, who are entrusted with ensuring that the relevant policies and procedures are implemented rigorously and consistently across the organization. Senior Management is also responsible for ensuring that all functional units adhere to applicable legal and regulatory requirements and that the Company’s AML/KYC protocols remain aligned with the evolving regulatory landscape.
To maintain the integrity and effectiveness of the compliance framework, the Company subjects its AML/KYC functions, policies, and procedures to periodic independent evaluations. These evaluations assess both operational adherence and the adequacy of internal controls in meeting statutory obligations.
In addition, a robust internal/concurrent audit system is in place to regularly assess compliance with AML and KYC requirements. Audit findings and compliance status reports are submitted to the Audit Committee of the Board for their review and oversight, ensuring transparency and institutional accountability.
Importantly, the Company retains full control and accountability over all decision-making functions relating to AML and KYC compliance. No such functions are outsourced, thereby preserving the sanctity, confidentiality, and effectiveness of the compliance process.
Appointment of Key Personnel
In furtherance of its commitment to full compliance with the Know Your Customer (KYC) Master Directions, the Prevention of Money Laundering Act, 2002 (PMLA), and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PMLR), SecurePay shall designate two key compliance personnel: a Principal Officer and a Designated Director. These positions shall be held by distinct individuals in order to preserve functional independence, enhance oversight capabilities, and ensure clear lines of accountability.
Principal Officer
The Principal Officer shall serve as the nodal officer responsible for the implementation and operational oversight of the Company’s Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT), and KYC frameworks. The Principal Officer’s core responsibilities shall include:
Ensuring the Company’s day-to-day compliance with all applicable statutory, regulatory, and supervisory requirements pertaining to AML, KYC, and CFT.
Establishing, maintaining, and overseeing a robust system for transaction monitoring designed to detect, investigate, and escalate suspicious activities in a timely manner.
Serving as the primary liaison with regulatory and enforcement authorities, including but not limited to the Financial Intelligence Unit India (FIU-IND), and ensuring the prompt and accurate submission of information, reports, and disclosures as mandated under applicable legal frameworks.
Designated Director
The Designated Director shall assume overall responsibility for the Company’s compliance with all obligations under the PMLA, PMLR, and any associated directives issued by the Reserve Bank of India or other competent authorities. The Designated Director shall:
Exercise oversight over the Company’s enterprise-wide AML/KYC/CFT compliance posture.
Ensure the formulation and enforcement of governance structures, policies, and procedures necessary to fulfil statutory and regulatory obligations.
Be accountable for the Company’s adherence to the broader compliance framework and for fostering a culture of compliance across all levels of the organization.
MERCHANT IDENTIFICATION PROCEDURE (MIP)
A fundamental objective of the Company's Know Your Customer (KYC) framework is the proper and reliable identification of all Merchants. This process encompasses the verification of official identification documents, supporting proof of address such as utility bills, and biometric authentication, where applicable. These procedures are designed to ensure the integrity of the onboarding process and to uphold the Company’s commitment to compliance with legal and regulatory obligations.
The Merchant Identification Procedure forms an integral part of the Company’s Anti-Money Laundering (AML) compliance program, developed in accordance with the requirements of the Prevention of Money Laundering Act, 2002 (PMLA), along with the associated rules and notifications issued thereunder. Under this framework, the Company is required to verify, to the extent reasonably practicable, the identity of any person or entity engaging in financial transactions with it. Furthermore, the Company is obligated to maintain comprehensive records of the data and documents used to verify each Merchant’s identity, including identifying information such as name, address, and other relevant details. In addition, the Company shall consult applicable watch lists and sanctions registers, particularly those identifying known or suspected terrorists or terrorist organizations, issued by competent governmental authorities, to ensure that no Merchant is listed therein.
In line with its risk-based approach, the Company shall undertake appropriate due diligence to establish and verify the identities of its Merchants. Where warranted by the risk profile or nature of the business relationship, the Company will apply Enhanced Due Diligence (EDD) measures to mitigate potential exposure to money laundering, terrorist financing, or other unlawful activities.
The Company may, in certain cases, rely on Merchant Due Diligence (MDD) performed by third-party entities. Such reliance shall be permissible only where the third party is subject to regulatory supervision in accordance with the obligations set forth under the PMLA and is not established in a jurisdiction identified as high-risk. It is further required that all records and information pertaining to the MDD process be readily accessible to the Company, whether directly from the third party or through the Central KYC Records Registry (CKYCR), and that such records be provided without delay upon request. Despite any reliance placed on a third party, the Company shall retain full and ultimate responsibility for conducting MDD and implementing any necessary EDD measures.
REQUIRED KYC DUE DILIGENCE
The Merchant Due Diligence (MDD) process undertaken by SecurePay is designed to ensure compliance with the Reserve Bank of India’s KYC Master Direction, the RBI Guidelines for Payment Gateways, the Prevention of Money Laundering Act, 2002 (PMLA), and all other applicable legal and regulatory requirements. This process is structured into a six-stage framework to identify, assess, and mitigate risks associated with money laundering, terrorist financing, and other financial crimes.
At the core of the MDD process is the identification and verification of the Merchant’s identity, supported by documentary evidence or data obtained from reliable and independent sources. Where the Merchant is a legal entity, the process includes verification of the entity itself as well as its legal representatives. SecurePay further identifies the ultimate beneficial owners (UBOs), being natural persons who ultimately own or control the Merchant, and verifies their identities through reasonable measures. Adverse media screening, sanctions checks, and Politically Exposed Person (PEP) assessments are conducted in respect of the Merchant, its UBOs, and legal representatives. Information concerning the purpose and intended nature of the proposed business relationship is obtained, and the Merchant’s industry and legal structure are examined in order to contextualize the risk profile.
The first stage of the MDD involves verification through both documentary and non-documentary means. For individual Merchants such as sole proprietors, SecurePay verifies identity using Officially Valid Documents (OVDs) including Aadhaar, PAN, passport, or driver’s license, and obtains proof of address where necessary. Additional documents to assess financial or business standing may be requested with the individual’s explicit consent. For corporate entities, the process entails verification of incorporation documents (e.g., certificate of incorporation, Memorandum and Articles of Association), governance records (e.g., board resolutions or powers of attorney), and operational licenses. Business PAN, GST verification for address confirmation, and UBO identification and verification are also performed. Non-documentary verification methods may include contacting or visiting the Merchant, independent identity verification from other sources, references from financial institutions, or reviewing financial statements.
At the second stage, the identities of the Merchant, its UBOs, and legal representatives are screened against domestic and international sanctions and watch lists, including those relating to terrorism and PEPs. Screening is conducted against lists issued by the Financial Intelligence Unit of India (FIU-IND), the Reserve Bank of India, Ministry of Corporate Affairs, SEBI, the Enforcement Directorate, and international bodies such as the Office of Foreign Assets Control (OFAC). If a match is found, a Suspicious Transaction Report (STR) will be filed with the FIU-IND without alerting the Merchant. Industry classification, the Merchant's legal structure, and the purpose of the business relationship are also evaluated at this stage.
The third stage comprises the Merchant onboarding process, which is governed by an internal Merchant Onboarding Policy. This includes antecedent and background checks to establish the authenticity and legitimacy of the Merchant’s operations. SecurePay undertakes reviews of licenses, registrations, financial health (including profit and loss statements and balance sheets), and publicly available data such as websites, product offerings, customer reviews, and social media activity. Merchants are also assessed for compliance with applicable technical standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), where relevant.
Following this, the fourth stage involves Merchant profiling and risk categorization. Based on a risk assessment that considers geographical location, the nature of goods or services offered, transactional behavior, and delivery channels, Merchants are classified into low, medium, high, or unacceptable risk categories. The degree of due diligence to be applied corresponds to the assessed risk level. SecurePay employs Simplified, Standard, or Enhanced Due Diligence (SDD, CDD, or EDD) processes accordingly. High-risk businesses, including those involved in pharmaceuticals, matrimony, gaming, and virtual assets, are subject to heightened scrutiny and increased monitoring. Certain sectors, such as those dealing with weapons or hacking tools, are outright prohibited.
Simplified Due Diligence (SDD) is applied to Merchants assessed as low-risk, for whom only basic identity and transactional information is collected and verified. Publicly listed companies and their wholly owned subsidiaries generally fall into this category unless other high-risk indicators are present.
Standard Customer Due Diligence (CDD) is applied to medium-risk Merchants, including non-listed companies and associations. In such cases, both the corporate identity and the identities of UBOs and legal representatives are verified, subject to applicable laws and regulations.
Enhanced Due Diligence (EDD) is required where the Merchant presents a high risk. In such cases, the Company will perform in-depth transactional scrutiny, assess delivery mechanisms for goods and services, conduct quarterly account reviews, collect source of funds information, and verify associated documents such as invoices and proof of delivery. Additionally, the initial transaction must originate from a KYC-compliant bank account. Field verification may be conducted where necessary. When a Merchant or its beneficial owner is identified as a PEP, further EDD measures are implemented, including management approval prior to onboarding, detailed wealth and source of funds assessments, and continuous monitoring. If an existing Merchant is subsequently classified as a PEP, renewed senior management approval is required to continue the relationship.
Stage five pertains to ongoing due diligence, which includes continual monitoring of the Merchant’s behavior, transactional activity, and any changes in risk factors. The Company will utilize sanctions screening tools and may adopt Artificial Intelligence (AI) and Machine Learning (ML) techniques to identify anomalies such as website alterations or the introduction of high-risk products.
Finally, stage six mandates periodic updating of KYC and risk profiles. In compliance with regulatory timelines, SecurePay will update KYC documentation every ten years for low-risk Merchants, every eight years for medium-risk Merchants, and every two years for high-risk Merchants. Aadhaar-based OTP e-KYC may be used for periodic updates, though positive confirmation is not required for address changes verified through OTP-based mechanisms. Merchants are obligated to notify the Company of any material changes and submit updated documents within thirty days.
MONITORING OF TRANSACTIONS
Ongoing monitoring constitutes a critical and indispensable component of an effective Anti-Money Laundering (AML) and Know Your Customer (KYC) compliance framework. SecurePay shall continuously monitor Merchant transactions in a manner that is commensurate with the risk profile and sensitivity associated with each Merchant account. The objective of such monitoring is to develop an informed understanding of the Merchant’s typical transactional behavior and business activities, thereby enabling the identification of any transactions that deviate materially from established patterns or norms.
In particular, the Company shall pay heightened attention to transactions that are unusually large, complex, or lack an apparent economic or lawful purpose. Transactions that are inconsistent with the known profile of the Merchant, or that raise reasonable grounds for suspicion, shall be flagged for further scrutiny.
SecurePay shall maintain appropriate mechanisms and controls to detect and evaluate such anomalous activity in real-time or through periodic reviews, depending on the assessed level of risk. The nature, frequency, and depth of monitoring shall be directly proportional to the risk categorization of the Merchant.
In accordance with Section 12 of the Prevention of Money Laundering Act, 2002 (PMLA), the Company shall ensure that any transaction or series of transactions suspected of being related to money laundering, terrorist financing, or other unlawful activity is promptly reported to the appropriate authority, including but not limited to, the Financial Intelligence Unit - India (FIU-IND), through the filing of a Suspicious Transaction Report (STR), in the manner and format prescribed under applicable law. Such reports shall be filed without tipping off the concerned Merchant or disclosing the existence or nature of the investigation.
The Company shall also retain records of monitored transactions and any internal escalations or reports for the prescribed statutory period, and shall ensure that all relevant staff are trained and equipped to identify and escalate suspicious activity in accordance with internal procedures and regulatory requirements.
RECORDS RETENTION
SecurePay shall establish, document, and implement robust procedures to ensure the retention and availability of all records relating to Know Your Customer (KYC) due diligence and Anti-Money Laundering (AML) compliance, in accordance with the requirements prescribed under the Prevention of Money Laundering Act, 2002, and applicable regulatory guidelines.
The Company shall maintain a secure and auditable system for recordkeeping, which shall include:
Transactional Records: Preservation of all relevant transaction records between SecurePay and its Merchants for a minimum period of five (5) years from the date of the respective transaction. Such records shall be sufficient to permit reconstruction of individual transactions to provide, if necessary, evidence for prosecution or regulatory review.
Identification and Due Diligence Records: Retention of all records obtained for the purposes of identifying Merchants, including those collected during onboarding and throughout the course of the business relationship. These records shall be preserved for a minimum period of five (5) years following the termination of the business relationship with the Merchant.
Availability to Authorities: All identification documents, updated due diligence records, and transaction data shall be made readily available to regulatory and law enforcement authorities, including but not limited to the Financial Intelligence Unit – India (FIU-IND) and the Reserve Bank of India (RBI), upon request and without undue delay.
All employees of SecurePay involved in the Merchant Due Diligence (MDD) process and compliance functions shall be fully informed of their obligation to maintain and preserve such records in accordance with the prescribed retention periods. Internal compliance audits shall periodically verify adherence to these requirements, and appropriate disciplinary measures shall be taken in the event of non-compliance.
These recordkeeping measures are critical to supporting SecurePay’s AML/KYC framework, enabling effective monitoring, investigation, and reporting of suspicious activity, and ensuring full cooperation with competent authorities as required under applicable law.
REPORTING OF SUSPICIOUS TRANSACTIONS
SecurePay adheres to the statutory obligations set forth under the Prevention of Money Laundering Act, 2002 (PMLA) and the applicable rules and regulatory directives, including those issued by the Financial Intelligence Unit – India (FIU-IND), with respect to the identification and reporting of suspicious transactions.
The Company adopts a risk-based approach to ongoing monitoring and transaction screening, designed to detect patterns of activity that deviate from a Merchant’s known or expected business profile. Where such monitoring gives rise to suspicion, additional information may be requested to assess the nature and legitimacy of the transaction or Merchant activity in question. If a reasonable basis for suspicion is established, such transactions shall be subject to reporting requirements.
Indicators or “red flags” that may trigger internal investigation include, but are not limited to:
Incomplete, inaccurate, or misleading information provided by the Merchant;
Inconsistencies between the Merchant’s business profile and the type or volume of transactions being processed;
The use of agents or financial intermediaries acting without appropriate legal authority (e.g., in the absence of a valid power of attorney);
Submission of documents indicating an unclear, overly complex, or opaque ownership structure;
Use of suspicious identification documents or refusal to produce originals or required documentation;
Reluctance to disclose the nature of business operations or to provide financial statements;
Requests for funds to be transferred to offshore accounts without legitimate explanation;
Attempts to evade reporting or record-keeping requirements by discussing or questioning such obligations.
Upon identification of a suspicious transaction, SecurePay will initiate a comprehensive internal review. If the findings confirm the transaction as suspicious, the Company’s Principal Officer will prepare and file a Suspicious Transaction Report (STR) with the Director of the FIU-IND within a maximum of seven (7) working days from the date of determination.
The filing of an STR shall not, in itself, trigger restrictions on the Merchant’s account, unless such measures are legally mandated. In such cases, appropriate action shall be taken without notifying the Merchant.
SecurePay strictly prohibits all forms of “tipping off,” which is defined as directly or indirectly informing a Merchant or any related party that their account or activity is under scrutiny or has been reported. This prohibition applies to all employees, officers, and agents of the Company. However, routine requests for information or documentation in the course of due diligence shall not constitute tipping off, provided such requests are made in accordance with standard procedures and without disclosing the purpose.
The Company is duly registered with the FIU-IND and complies with its obligation to submit mandatory monthly reports, including STRs, in accordance with applicable legal and regulatory timelines. Details of the Company’s Principal Officer and Designated Director are submitted to both the FIU-IND and the Reserve Bank of India (RBI) and are kept up to date.
SecurePay shall preserve, for the prescribed statutory period, all information pertaining to the reported transactions, including the nature and value of the transaction, the currency involved, the date of execution, and the identities of the transacting parties.
RISK MANAGEMENT
The Board of Directors of the Company shall ensure that an effective KYC programme is established by implementing appropriate procedures and ensuring their diligent execution. This framework shall encompass adequate management oversight, robust systems and controls, segregation of duties, staff training, and other related aspects. Responsibilities for the enforcement of the Company’s policies and procedures shall be explicitly assigned. In consultation with the Board, the Company shall develop procedures to create Risk Profiles for both existing and new Merchants and apply Anti-Money Laundering measures commensurate with the risks associated with the transaction, account, or business relationship.
The Company shall adopt a risk-based approach under which Merchants are categorised as low, medium, or high risk based on the Company’s assessment. Such categorisation shall consider factors including, but not limited to, the Merchant’s identity, social and financial status, nature of business activities, business information, and geographical location.
TRAINING
Training and education of all SecurePay employees are essential to effectively implement and comply with the requirements set forth in this Policy and the applicable local AML and Merchant Due Diligence (MDD) programs. Such training shall cover, and assess understanding of, relevant laws and regulations, SecurePay’s policies and procedures, and prohibited conduct. SecurePay and its subsidiaries shall maintain a comprehensive local AML and MDD training program that addresses jurisdiction-specific requirements and circumstances.
RISK ASSESSMENT OF MONEY LAUNDERING AND TERRORIST FINANCING
SecurePay shall establish a comprehensive and structured framework to proactively assess and manage risks related to money laundering and terrorist financing (ML/TF). This framework shall include conducting a thorough evaluation of all relevant risk factors to determine the overall risk exposure and implementing appropriate mitigation measures. The assessment process will incorporate sector-specific vulnerabilities as identified by regulatory and supervisory authorities.
Risk assessments will be aligned with SecurePay’s operational scale, geographic presence, organizational complexity, and business model. All such assessments shall be documented in detail, with findings formally submitted to the Board of Directors or a designated committee. These records shall be maintained and made available to competent authorities upon request.
The Board or its designated committee shall have the responsibility to determine the frequency of these assessments, which shall be conducted at least annually.
SecurePay will adopt a risk-based approach to effectively manage and mitigate identified ML/TF risks. To this end, the Company shall implement and maintain a Board-approved Risk Management Policy alongside robust operational procedures to address these risks comprehensively.
SECRECY OBLIGATIONS
SecurePay shall uphold the highest standards of confidentiality with respect to all information obtained through its contractual relationships with Merchants. In the event of requests for data or information by governmental or regulatory authorities, SecurePay shall ensure that any disclosure is made strictly in accordance with applicable legal provisions governing the confidentiality of transactions and customer information.
Disclosure of such information shall be permitted only under the following exceptional circumstances:
Where disclosure is mandated by law;
Where there exists a legal obligation to inform the public;
Where disclosure is necessary to protect SecurePay’s legitimate interests; or
Where the Merchant has provided express or implied consent to such disclosure.
CKYCR COMPLIANCE
SecurePay shall register with the Central KYC Records Registry (CKYCR) for the purpose of receiving, storing, safeguarding, and retrieving Merchant KYC records in digital format. The Company shall ensure strict adherence to the Master Direction, Know Your Customer (KYC) guidelines, including the timely and accurate uploading of KYC data in accordance with the Operational Guidelines issued by the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI).
In this regard, SecurePay shall undertake the following actions:
Collect and record KYC information using CERSAI-prescribed templates applicable to both “Individuals” and “Legal Entities,” and ensure submission of such data to the CKYCR in the prescribed format and manner, as stipulated under applicable laws and regulations.
Upload KYC records to the CKYCR within ten (10) days of establishing an account-based relationship with the Merchant.
Communicate the KYC Identifier generated by the CKYCR to the concerned Merchant without undue delay.
Retrieve KYC records from the CKYCR using the Merchant’s KYC Identifier and, where necessary, request additional documentation in the following circumstances:
Any changes in the Merchant’s information as recorded in the CKYCR;
Deficiencies or non-compliance in KYC records with current regulatory requirements;
Furnish updated or corrected KYC data to the CKYCR within seven (7) days of receiving new information, or within any alternate period as may be notified by the Central Government or regulatory authorities from time to time.
ADOPTION OF NEW TECHNOLOGIES
Prior to the introduction or deployment of any new technologies, products, or services, SecurePay shall undertake the following measures:
Conduct a comprehensive risk assessment to identify and evaluate potential money laundering and terrorist financing (ML/TF) risks associated with the proposed innovation;
Implement a risk-based mitigation plan to address the identified risks, which may include the application of Enhanced Due Diligence (EDD) measures and the strengthening of transaction monitoring mechanisms, as deemed appropriate.
These practices shall be integrated into SecurePay’s overarching compliance and risk management framework to ensure that technological advancements remain consistent with regulatory obligations and the Company’s internal governance standards.
GENERAL
The Company shall ensure strict compliance with all applicable laws, including relevant provisions of governing statutes and the rules and regulations framed thereunder.
In any instance where the Company is unable to apply adequate KYC measures, it shall, after issuing due notice and providing an explanation to the concerned Merchant, proceed to close the account or terminate the business relationship. Such determinations shall be made at an appropriately senior level of authority.
The Company shall adhere to all applicable guidelines, directives, instructions, and advisories issued by the Reserve Bank of India (RBI), as amended from time to time. The contents of this Policy shall be interpreted and applied in conjunction with such RBI directions and any other applicable regulatory framework.