Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Policy
1. Introduction & Purpose
This Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Policy establishes the framework, systems, and controls adopted by AXIS Easy Prosper Limited (易發技有限公司), a Hong Kong-registered private limited company. As an AI-first SaaS technology provider to licensed gaming operators, AXIS prioritizes compliance with the Hong Kong Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO Cap. 615), Companies Ordinance, and international standards (FATF, Wolfsberg, GDPR, ISO). The purpose of this policy is to prevent the Company, its employees, clients, or systems from being misused for money laundering, terrorist financing, or other forms of financial crime.
2. Definitions
For the purpose of this Policy, key terms are defined in line with FATF guidance, the Hong Kong AML Ordinance, and AXIS business context. These include Money Laundering, Terrorist Financing, Customer Due Diligence (CDD), Know Your Customer (KYC), Politically Exposed Persons (PEPs), Beneficial Owners, and others. Definitions are adapted to AXIS’s SaaS B2B model, where clients are exclusively licensed gaming operators, aggregators, and payment partners, not individual end-users.
3. Responsibilities
The responsibility for compliance with this Policy lies with all employees of AXIS Easy Prosper Limited. The Money Laundering Reporting Officer (MLRO) is responsible for the implementation and oversight of the Policy, supported by the Risk and Compliance Committee and senior management. Employees must remain vigilant, report suspicious activity promptly, and comply with all internal procedures.
4. Regulatory Frameworks
AXIS Easy Prosper Limited adheres to applicable Hong Kong laws (AMLO Cap. 615, Companies Ordinance), international standards (FATF, Wolfsberg Principles), and data protection rules (GDPR, ISO 27001). In addition, AXIS aligns its AML/CTF practices with best practices in international SaaS and gaming B2B technology sectors, ensuring risk-based controls and compliance reporting are embedded in operations.
5. Risk Management & Controls
AXIS applies a risk-based approach to AML/CTF compliance. The Company evaluates risks related to: cross-border SaaS integrations, onboarding of licensed operators in high-risk jurisdictions, exposure to virtual assets, and regulatory gaps in developing markets (CIS, LATAM, SEA). Risk mitigation includes stringent corporate onboarding, beneficial ownership checks, license verification, sanctions screening, and enhanced due diligence for high-risk clients or regions.
6. Customer Due Diligence (CDD)
AXIS conducts CDD exclusively on its corporate clients – licensed gaming operators, aggregators, and payment partners. The process includes verifying regulatory licenses, beneficial ownership structures, geographic risk exposure, and financial crime history (adverse media, sanctions, enforcement actions). Enhanced CDD applies to high-risk regions or politically exposed persons (PEPs). AXIS does not onboard private individuals or unlicensed operators.
7. Suspicious Activity Reporting (SAR)
All employees are required to escalate any suspicious activity or transaction to the MLRO without delay. The MLRO has sole authority to investigate and file Suspicious Activity Reports (SAR) with the Joint Financial Intelligence Unit (JFIU) in Hong Kong or other relevant regulators. Tipping-off is strictly prohibited.
8. Training & Awareness
AML/CTF training is mandatory for all AXIS staff, tailored to their roles. Training covers red flags, transaction monitoring, regulatory updates, sanctions lists, and case studies relevant to the SaaS B2B model. The MLRO maintains a training register, ensuring annual updates.
Appendices
Detailed appendices include:
- Corporate Onboarding Procedures
- Risk Assessment Methodology
- Sanctions Screening Policy
- Reporting Templates
- Prohibited Jurisdictions & Industries
2.1 Key Definitions (Expanded)
Money Laundering (ML): The process of concealing or disguising the origin of illicit funds to make them appear legitimate. ML typically involves three stages: placement, layering, and integration.
Terrorist Financing (TF): The provision or collection of funds, whether from legitimate or illicit sources, with the intention or knowledge that they will be used to support terrorist acts or organizations.
Customer Due Diligence (CDD): The process of verifying the identity and legitimacy of AXIS’s clients (licensed operators, aggregators, or payment partners). CDD involves verifying licenses, beneficial ownership, and assessing the risk profile.
Know Your Customer (KYC): A regulatory and risk management process ensuring that AXIS conducts sufficient due diligence on all business counterparties to prevent misuse of its SaaS solutions.
Politically Exposed Person (PEP): An individual who holds or has held a prominent public function, along with their close associates and family members. PEPs are treated as higher-risk clients and require enhanced due diligence.
Beneficial Owner: The natural person(s) who ultimately owns or controls an entity. AXIS ensures all corporate clients disclose beneficial owners with 25% or more control or adapts thresholds to capture true control when necessary.
Suspicious Activity Report (SAR): A formal report submitted to regulators when there are grounds to suspect money laundering, terrorist financing, or related crimes.
5.1 Applying a Risk-Based Approach (RBA)
AXIS applies a Risk-Based Approach (RBA) in all areas of AML/CTF compliance. This approach ensures resources are allocated effectively to higher-risk areas. RBA includes:
- Business-wide risk assessments conducted annually by the MLRO and reviewed by the Board.
- Geographic risk mapping of target markets (CIS, LATAM, SEA), incorporating FATF advisories.
- Product and service risk assessments for SaaS integrations, APIs, and virtual asset exposure.
- Client risk assessments based on licensing status, ownership structure, jurisdiction, and compliance history.
- Enhanced monitoring for clients in high-risk jurisdictions or those with adverse regulatory or media findings.
The outcome of the RBA determines the level of due diligence, transaction monitoring intensity, and ongoing oversight applied to each client relationship.
6.1 Timing of CDD
CDD must be completed prior to establishing any business relationship or providing AXIS SaaS services. In exceptional cases where a delay is justified (e.g., urgent technical integration), CDD may be finalized within 30 days with MLRO approval, provided the risk is low and no red flags are present. Failure to complete CDD within the permitted timeframe will result in suspension or termination of the relationship.
6.2 Ongoing CDD
AXIS performs ongoing monitoring of all corporate clients. This includes:
- Reviewing client licenses and registrations annually.
- Updating beneficial ownership data in line with regulatory filings.
- Screening against sanctions and PEP lists daily through automated systems.
- Reviewing adverse media and enforcement actions on a quarterly basis.
- Monitoring API usage and transaction data for anomalies.
Clients with significant changes in structure, ownership, or business activities are subject to immediate reassessment and may be escalated for Enhanced Due Diligence (EDD).
7.1 Filing Suspicious Activity Reports (SARs)
All employees of AXIS Easy Prosper Limited are required to promptly report any suspicion or knowledge of money laundering, terrorist financing, or related activities to the MLRO. Suspicious indicators may include: unusual integration requests, clients attempting to conceal beneficial ownership, discrepancies in licensing documents, or API traffic inconsistent with the declared business model.
The MLRO must begin investigating within 24 hours of receiving an internal notification. Based on findings, the MLRO decides whether to escalate and file a SAR with the Joint Financial Intelligence Unit (JFIU) in Hong Kong or other relevant authorities. All decisions, whether to file or not, must be documented. Employees must not disclose or discuss suspicions with the client or third parties to avoid 'tipping-off'.
7.2 Tipping-Off Prohibition
Tipping-off is strictly prohibited. Employees must not reveal to any client or third party that a SAR has been filed, is under consideration, or that they are being investigated. Any breach of this rule is treated as a serious violation and may lead to disciplinary action, termination, and legal consequences under Hong Kong law.
8. Roles and Responsibilities
AXIS maintains a clear governance structure for AML/CTF compliance. Responsibilities are divided as follows:
8.1 Money Laundering Reporting Officer (MLRO)
The MLRO is responsible for day-to-day compliance with AML/CTF requirements. Duties include:
- Conducting AML risk assessments of the Company and its clients.
- Reviewing and approving all client onboarding decisions for high-risk jurisdictions.
- Investigating and filing SARs with the JFIU.
- Maintaining records of all AML/CTF matters.
- Providing quarterly and annual compliance reports to the Board.
- Acting as the main contact for regulators and auditors on AML/CTF matters.
8.2 Deputy MLRO (DMLRO)
The DMLRO acts in the absence of the MLRO and assists with investigations, reporting, and compliance oversight. The DMLRO must be equally trained and empowered to perform MLRO responsibilities.
8.3 Board of Directors
The Board is ultimately accountable for AML/CTF compliance. The Board:
- Approves this Policy and annual AML risk assessments.
- Ensures adequate resources are allocated for AML/CTF compliance.
- Reviews MLRO reports quarterly.
- Holds the authority to suspend or terminate client relationships on compliance grounds.
8.4 Risk and Compliance Committee
The Committee supports the MLRO by:
- Reviewing client risk ratings.
- Approving onboarding of high-risk or politically exposed clients.
- Monitoring overall effectiveness of AML/CTF systems.
- Ensuring compliance culture is embedded across AXIS.
9. Training and Awareness
All employees receive AML/CTF training during induction and annually thereafter. The training program includes:
- Overview of Hong Kong AML Ordinance (AMLO Cap. 615) and FATF standards.
- Identification of suspicious activity red flags in SaaS B2B contexts.
- Procedures for internal reporting and escalation.
- Responsibilities for maintaining client confidentiality.
- Case studies relevant to SaaS and gaming aggregation.
A training log is maintained by the MLRO. Non-compliance with training requirements results in disciplinary action.
10. Record Keeping
AXIS Easy Prosper Limited maintains accurate and complete records of all AML/CTF-related activities. This ensures compliance with Hong Kong regulations (AMLO Cap. 615), FATF standards, and internal policy. Records are securely stored, accessible only to authorized personnel, and retained for at least 7 years.
The following records must be maintained:
- Client identification and verification documents (licenses, ownership structure, proof of business legitimacy).
- Beneficial ownership records and any subsequent changes.
- Results of due diligence, risk assessments, and enhanced due diligence reviews.
- Details of all suspicious activity reports (SARs) filed internally and externally.
- Records of training provided to employees, including attendance logs and materials.
- Internal communications and compliance reviews relevant to AML/CTF.
Electronic records must be backed up and encrypted. Physical records, where applicable, must be stored securely in compliance with AXIS’s data security and GDPR-compliant frameworks.
11. Sanctions and International Findings
AXIS complies with international sanctions regimes and ensures that no business relationship is established with sanctioned entities, individuals, or jurisdictions. The MLRO oversees daily sanctions screening through automated systems integrated with reliable databases (e.g., UN, OFAC, EU, HKSAR).
Sanctions screening applies to:
- All prospective and existing corporate clients.
- All beneficial owners and directors of clients.
- Counterparties and third-party service providers involved in AXIS integrations.
Clients flagged during sanctions screening are reviewed by the MLRO. If confirmed, AXIS will immediately terminate the relationship and file a SAR with the JFIU. AXIS also adheres to Hong Kong and international lists of high-risk jurisdictions and does not onboard clients domiciled or operating from those regions unless explicitly approved under Enhanced Due Diligence and Board oversight.
12. Prohibited Jurisdictions
AXIS Easy Prosper Limited does not conduct business with clients, partners, or counterparties domiciled in, or operating from, jurisdictions identified as high-risk or subject to comprehensive international sanctions. These include but are not limited to: North Korea, Iran, Syria, Sudan, and regions subject to territorial sanctions (such as Crimea, Luhansk, and Donetsk). AXIS follows the lists issued by the UN, FATF, OFAC, EU, and the Hong Kong government.
If a client is discovered to be operating from a prohibited jurisdiction after onboarding, the relationship is immediately suspended and reported to the MLRO for escalation. All such cases are filed as suspicious activity reports with the relevant authorities.
13. Prohibited Industries
AXIS maintains a strict policy of avoiding business with industries or activities considered inherently high-risk or illegal under international standards. These include:
- Unlicensed gambling operators.
- Shell banks and anonymous companies.
- Arms and weapons trafficking.
- Human trafficking and exploitation.
- Drug trafficking.
- Prostitution and escort services.
- Ponzi schemes, pyramid sales, and fraudulent investment platforms.
- Businesses involved in the production or distribution of illegal pornography.
- Cryptocurrency tumblers, mixers, or anonymity-enhancing services.
- Counterfeit goods or intellectual property infringement operations.
Any attempt to establish a business relationship in these industries is automatically rejected. Where suspicion arises post-onboarding, AXIS will immediately terminate services and escalate to the MLRO.
14. Onboarding Procedures
The onboarding of new corporate clients follows strict compliance checks to ensure AXIS only partners with licensed and reputable operators. The onboarding workflow includes:
1. Submission of Application Documents:
- Certificate of Incorporation and company registration documents.
- Copies of valid gaming or service licenses from relevant regulators.
- Details of directors, shareholders, and beneficial owners.
- Articles of Association or equivalent governing documents.
- Proof of trading address.
2. Verification:
- Independent verification of licenses with issuing regulators.
- Beneficial ownership checks using reliable corporate registries.
- Screening against sanctions, PEP, and adverse media databases.
3. Risk Assessment:
- Client assigned a risk rating (low, medium, high).
- High-risk clients subject to Enhanced Due Diligence (EDD).
- Board approval required for onboarding clients in high-risk jurisdictions.
4. Final Approval:
- MLRO and Compliance Committee approval required before onboarding.
- Records of all checks and approvals stored for at least 7 years.
AXIS does not onboard individuals or entities unable to provide transparent ownership or valid licensing documentation.
15. Enhanced Due Diligence (EDD)
Enhanced Due Diligence (EDD) is applied when clients or jurisdictions present higher risks of money laundering or terrorist financing. AXIS applies EDD in the following situations:
- Clients operating in high-risk jurisdictions identified by FATF, OFAC, EU, or HKSAR.
- Clients with complex or opaque ownership structures.
- Clients with Politically Exposed Persons (PEPs) as beneficial owners or directors.
- Clients with adverse media or regulatory enforcement history.
EDD measures include:
- Obtaining additional documentation on ownership and control.
- Independent verification of source of funds and source of wealth.
- Conducting detailed adverse media checks.
- Requiring initial payments from bank accounts held in the client’s legal name.
- Escalating onboarding decisions to the Board for approval.
- Increased frequency of ongoing monitoring and transaction reviews.
16. Transaction Monitoring
AXIS monitors the usage of its SaaS platforms and APIs to detect suspicious or unusual activity. While AXIS does not handle player funds directly, monitoring focuses on:
- Patterns of API usage inconsistent with declared business operations.
- Abnormal volume of transactions compared to client risk profile.
- Use of AXIS services by unlicensed third parties connected to clients.
- Access attempts from prohibited jurisdictions.
Transaction monitoring is both automated and manual. Automated monitoring systems flag anomalies, which are reviewed by Compliance for escalation to the MLRO if necessary.
17. Red Flags
AXIS employees must remain alert to signs that may indicate money laundering or terrorist financing. Examples of red flags include:
- Client reluctance to provide required KYC or licensing documents.
- Ownership structures involving unnecessary complexity or offshore entities.
- Clients seeking to onboard despite lacking valid licenses.
- Frequent changes in beneficial ownership or directors without clear reasons.
- Sudden spikes in SaaS usage inconsistent with prior activity.
- Attempts to obscure or misrepresent geographic location of operations.
- Clients linked to adverse media involving fraud, corruption, or sanctions breaches.
If any red flags are observed, employees must report them immediately to the MLRO for investigation.
18. Internal Reporting of Suspicious Activity
All AXIS employees are obligated to report suspicions of money laundering or terrorist financing to the MLRO. Reports may be submitted through designated internal channels, including secure email, compliance reporting tools, or in-person escalation. Employees must provide full details of the suspicious activity, including relevant documents or communications. Failure to report suspicions is considered a breach of company policy and may lead to disciplinary action.
19. External Reporting of Suspicious Activity
The MLRO is solely responsible for filing Suspicious Activity Reports (SARs) externally with the Joint Financial Intelligence Unit (JFIU) in Hong Kong or other relevant regulators where applicable. Employees must not contact external authorities directly regarding AML/CTF matters, except under explicit instruction from the MLRO. All SAR filings and related documentation are retained for a minimum of 7 years.
20. Investigations
The MLRO leads internal investigations into suspected money laundering or terrorist financing. This may include:
- Reviewing KYC and CDD documentation.
- Analyzing SaaS platform usage logs and API activity.
- Reviewing adverse media and external data sources.
- Conducting interviews with relevant employees.
If suspicion is substantiated, the MLRO will escalate to the Board and file a SAR. If suspicion is not substantiated, the MLRO will document the rationale for closing the case. All investigations must be completed promptly and confidentially.
21. Cooperation with Regulators
AXIS Easy Prosper Limited maintains an open and cooperative relationship with regulators and law enforcement authorities. This includes:
- Responding promptly to requests for information from the JFIU, SFC, or other relevant bodies.
- Providing accurate and complete records upon lawful request.
- Informing regulators of any significant AML/CTF breaches or risks within AXIS operations.
- Ensuring all communications with regulators are coordinated through the MLRO and Board.
AXIS is committed to maintaining transparency with regulators as part of its compliance-first business strategy.
22. Record Retention
AXIS Easy Prosper Limited retains all AML/CTF-related records for a minimum of 7 years from the end of a business relationship or completion of a transaction. This includes client identification, due diligence records, risk assessments, SAR filings, training logs, and internal compliance communications. Extensions beyond 7 years may be applied if legally required. All records are stored securely and in compliance with GDPR, ISO 27001, and AXIS’s internal data protection policies.
23. Training Registers
The MLRO maintains an AML/CTF training register that tracks:
- Names of employees trained.
- Dates of training sessions.
- Training topics covered.
- Trainers and training providers.
This register ensures accountability and allows AXIS to demonstrate compliance to regulators during inspections.
24. No Retaliation Policy
AXIS has a zero-tolerance policy against retaliation towards employees who report suspicions of money laundering or terrorist financing in good faith. Whistleblowers are protected under Hong Kong law, and AXIS guarantees their anonymity and protection from adverse employment consequences.
Appendix A – Source of Funds (SoF)
To mitigate risks, AXIS requires verification of the source of funds from all corporate clients. Acceptable sources include:
- Revenue from licensed gaming or technology operations.
- Equity financing documented through audited statements.
- Loans supported by regulated financial institutions.
- Mergers and acquisitions documented with legal contracts.
Unverifiable or high-risk funding sources will result in rejection of onboarding.
Appendix B – Source of Wealth (SoW)
AXIS requires clients to demonstrate the legitimacy of their source of wealth, particularly for beneficial owners. Acceptable sources include:
- Shareholding in regulated entities.
- Verified inheritance with supporting probate documents.
- Documented sale of property or businesses.
- Verified long-term investments.
Opaque wealth sources, or those linked to adverse media or sanctions, trigger Enhanced Due Diligence or rejection.
Appendix C – Onboarding Requirements
AXIS enforces strict onboarding requirements for corporate clients, including:
- Certificate of Incorporation.
- Valid licenses from gaming or regulatory authorities.
- Articles of Association and governance documents.
- Proof of address (bank statement, utility bill).
- List of directors, shareholders, and beneficial owners.
- Audited financial statements (where available).
All documentation must be independently verified before client approval.
Appendix D – Prohibited Jurisdictions and Industries
AXIS will not onboard clients from jurisdictions or industries prohibited under this Policy. The Compliance Committee reviews the prohibited list annually to reflect updates from FATF, OFAC, UN, EU, and Hong Kong regulators.
Appendix E – Risk Assessment Methodology
AXIS applies a structured risk assessment framework that evaluates each client, jurisdiction, and service integration against defined AML/CTF criteria. Risk assessment is conducted during onboarding and updated annually.
Key risk factors include:
- Jurisdictional risk (based on FATF, OFAC, and Hong Kong advisories).
- Licensing and regulatory environment of the client.
- Ownership and control structures, including beneficial ownership transparency.
- Nature of services requested (standard SaaS integration vs. custom virtual asset-enabled modules).
- Historical regulatory compliance and adverse media findings.
Clients are rated Low, Medium, or High risk. High-risk clients undergo Enhanced Due Diligence and require Board approval for onboarding.
Appendix F – Due Diligence Checklists
The following checklists guide compliance staff in conducting thorough due diligence:
Corporate Clients:
- Certificate of Incorporation and proof of registration.
- Valid gaming or operating license from a recognized regulator.
- Articles of Association or equivalent.
- Identification and verification of all directors and beneficial owners (25%+).
- Audited financial statements or equivalent financial records.
- Proof of operating address.
- Adverse media and sanctions screening results.
Third-Party Providers and Partners:
- License or regulatory approval (if applicable).
- Ownership and management details.
- Sanctions, PEP, and adverse media checks.
- AML/CTF policies and procedures (where applicable).
- Evidence of ongoing compliance training and monitoring.
Appendix G – Reporting Templates
To standardize AML/CTF reporting, AXIS provides internal templates, including:
Suspicious Activity Report (SAR) Template:
- Date and time of report.
- Name and role of reporting employee.
- Client details (name, license, jurisdiction).
- Description of suspicious activity.
- Supporting documents or evidence.
- MLRO review notes and decision.
Training Log Template:
- Employee name.
- Date of training.
- Training topics.
- Trainer name.
Risk Assessment Form:
- Client identification.
- Risk factors and scoring.
- Assigned risk rating.
- Reviewer signature.
Appendix H – Compliance Review Procedures
AXIS conducts annual compliance reviews to evaluate the effectiveness of AML/CTF measures. The MLRO leads this review with support from the Compliance Committee. Reviews include:
- Sampling CDD files for completeness and accuracy.
- Evaluating transaction monitoring effectiveness.
- Reviewing SARs filed and outcomes.
- Assessing training completion and effectiveness.
- Benchmarking AXIS compliance program against international best practices.
Findings are documented in an annual Compliance Review Report, submitted to the Board for approval.
Appendix I – Training Content
All employees of AXIS Easy Prosper Limited must undergo AML/CTF training annually. Training programs are tailored to roles and include the following modules:
- Overview of Hong Kong AML Ordinance (AMLO Cap. 615) and international FATF standards.
- The role of AI and SaaS systems in mitigating money laundering and terrorist financing risks.
- How to identify suspicious activity in the SaaS B2B gaming aggregation context.
- Red flags associated with client onboarding, beneficial ownership, and SaaS integrations.
- Procedures for escalating suspicious activity internally.
- Prohibitions on tipping-off.
- Responsibilities of staff, MLRO, and Compliance Committee.
Training is delivered via workshops, e-learning modules, and case study simulations relevant to the Company’s business model. Completion is mandatory, and results are logged in the training register.
Appendix J – Regulatory References
The AXIS AML/CTF Policy is aligned with the following regulatory frameworks and guidelines:
- Hong Kong Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO Cap. 615).
- Hong Kong Companies Ordinance (Cap. 622).
- Guidance issued by the Hong Kong Monetary Authority (HKMA).
- Guidance from the Hong Kong Securities and Futures Commission (SFC).
- Financial Action Task Force (FATF) Recommendations.
- Wolfsberg Group Principles.
- ISO 27001 standards for data protection.
- EU General Data Protection Regulation (GDPR).
This ensures AXIS maintains compliance across multiple jurisdictions and aligns with international best practices.
Appendix K – Prohibited Lists
AXIS will not engage with entities or individuals appearing on the following prohibited lists:
- United Nations Security Council Consolidated List.
- Office of Foreign Assets Control (OFAC) Sanctions List.
- European Union Consolidated Financial Sanctions List.
- Hong Kong Government Gazette – Sanctioned Individuals and Entities.
- FATF High-Risk Jurisdictions subject to a Call for Action.
- Adverse Media databases indicating financial crime involvement.
Screening against these lists is conducted daily using automated compliance software, with all matches reviewed by the MLRO.
Signatory Page
This AML/CTF Policy has been approved and adopted by the Board of Directors of AXIS Easy Prosper Limited.
Managing Director – AXIS Easy Prosper Limited
Date: August 28, 2025
Place: Hong Kong
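Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Policy
AXIS Easy Prosper Limited (易發技有限公司)
Unit S-V, R18, 6/F, Valiant Industrial Centre, Nos 2-12 Au Pui Wan Street, Fo Tan, Hong Kong
1. Introduction and Purpose
This Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Policy establishes the compliance framework, systems, and control measures of AXIS Easy Prosper Limited (易發技有限公司, hereinafter "the Company"). The Company is a private limited company registered in Hong Kong whose principal business is providing AI-first SaaS technology solutions to licensed gaming operators.
The Company strictly complies with the following laws and international standards:
- Hong Kong Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615)
- Hong Kong Companies Ordinance (Cap. 622)
- International standards (Financial Action Task Force (FATF), Wolfsberg Principles, GDPR, ISO)
The purpose of this Policy is to prevent the Company, its employees, clients, or systems from being misused as a vehicle for money laundering, terrorist financing, or other financial crime.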
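2. Definitions
For the purposes of this Policy, the following terms are defined in accordance with FATF guidance, the Hong Kong AML Ordinance, and the Company's business context:
- Money Laundering (ML): Concealing or disguising the origin of illicit funds so that they appear legitimate. The process generally involves three stages: placement, layering, and integration.
- Terrorist Financing (TF): Collecting or providing funds, whether from legitimate or illegitimate sources, to support terrorist activities or terrorist organizations.
- Customer Due Diligence (CDD): Verifying the identity and legitimacy of the Company's corporate clients (licensed operators, aggregators, or payment partners), including checking licenses, beneficial owners, and risk assessment.
- Know Your Customer (KYC): Ensuring the Company conducts sufficient due diligence on all business partners to prevent misuse of its SaaS technology.
- Politically Exposed Person (PEP): A person who has held or currently holds a prominent public function, together with their immediate family members or close associates. PEPs require Enhanced Due Diligence (EDD).
- Beneficial Owner: The natural person who ultimately owns or controls an entity. The Company requires corporate clients to disclose beneficial owners holding 25% or more of the interests; the threshold may be lowered where necessary to ensure true control is revealed.
- Suspicious Activity Report (SAR): A formal report submitted to regulators when money laundering, terrorist financing, or related crime is suspected.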
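3. Responsibilities
All AXIS employees must comply with this Policy.
- Money Laundering Reporting Officer (MLRO): Responsible for implementing and overseeing the Policy, supported by the Risk and Compliance Committee and senior management.
- Employees must remain vigilant, report suspicious activity promptly, and follow internal procedures.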
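4. Regulatory Framework
The Company complies with:
- Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615)
- Companies Ordinance (Cap. 622)
- International standards (FATF, Wolfsberg, GDPR, ISO 27001)
In addition, the Company's AML/CTF practices are aligned with best practices in the international SaaS and gaming B2B technology sectors, ensuring that risk-based controls and compliance reporting are embedded in day-to-day operations.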
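5. Risk Management and Controls
The Company adopts a Risk-Based Approach (RBA) to allocate resources to higher-risk areas.
Key risks include:
- Cross-border SaaS integrations
- Clients in high-risk jurisdictions
- Business involving virtual assets
- Regulatory gaps in emerging markets (CIS, Latin America, Southeast Asia)
Risk mitigation measures include:
- Stringent corporate customer due diligence
- Beneficial ownership checks
- License verification
- Sanctions list screening
- Enhanced Due Diligence (EDD) for high-risk clients/regions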
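6. Customer Due Diligence (CDD)
AXIS conducts CDD only on corporate clients, namely licensed gaming operators, aggregators, and payment partners.
The process includes:
- Verifying regulatory licenses
- Checking beneficial ownership structures
- Assessing geographic risk
- Reviewing financial crime records (adverse media, sanctions, regulatory enforcement actions)
Enhanced Due Diligence (EDD) applies to clients in high-risk regions or involving PEPs.
AXIS does not provide services to individuals or unlicensed operators.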
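7. Suspicious Activity Reporting (SAR)
All employees must report any suspicious activity or transaction to the MLRO immediately.
- The MLRO has sole authority to investigate and to file SARs with the Joint Financial Intelligence Unit (JFIU) in Hong Kong or other relevant regulators.
- Disclosure to clients or third parties (tipping-off) is prohibited.
7.1 SAR Filing Process
- An employee submits an internal report → the MLRO begins investigating within 24 hours.
- The MLRO documents the decision on whether to file a SAR with the JFIU and the reasons for it.
7.2 Tipping-Off Prohibition
- Employees are strictly prohibited from disclosing any information relating to a SAR or an investigation.
- Violations will result in disciplinary action and may lead to legal prosecution.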
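8. Roles and Responsibilities
The Company's AML/CTF governance structure is as follows:
8.1 Money Laundering Reporting Officer (MLRO)
- Responsible for AML risk assessments of the Company and its clients.
- Reviews and approves onboarding of clients in high-risk jurisdictions.
- Investigates and files SARs.
- Maintains all AML/CTF-related records.
- Submits quarterly and annual compliance reports to the Board.
- Acts as the main contact for regulators and auditors.
8.2 Deputy MLRO (DMLRO)
- Performs the MLRO's duties in the MLRO's absence.
- Assists with investigations, reporting, and compliance oversight.
8.3 Board of Directors
- Bears ultimate responsibility for AML/CTF.
- Approves the Policy and annual risk assessments.
- Ensures adequate resources are allocated.
- Has the authority to suspend or terminate client relationships on compliance grounds.
8.4 Risk and Compliance Committee
- Reviews client risk ratings.
- Approves onboarding of high-risk or PEP clients.
- Monitors the effectiveness of the overall AML/CTF system.
- Promotes the Company's compliance culture.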
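9. Training and Awareness
- All employees must receive AML/CTF training at induction and annually.
- The curriculum covers:
  - Hong Kong Anti-Money Laundering and Counter-Terrorist Financing Ordinance and FATF standards
  - Red flags for suspicious transactions in the SaaS B2B environment
  - Internal reporting and escalation procedures
  - Confidentiality responsibilities
  - Case studies from the gaming aggregation business
- Non-compliance with training requirements will result in disciplinary action.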
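10. Record Keeping
AXIS retains all AML/CTF-related records for at least seven years, including:
- Client identification and verification documents
- Beneficial owner information and changes
- Due diligence, risk assessment, and EDD records
- Internal and external SAR reports
- Employee training records
- Compliance reviews and internal communications
Records must be stored securely and encrypted, in compliance with GDPR and ISO 27001 standards.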
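11. Sanctions and International Monitoring
- Clients, directors, beneficial owners, and third-party providers are screened automatically every day; data sources include the United Nations, OFAC, the European Union, and the Hong Kong Government.
- If a match is confirmed, the relationship is terminated immediately and a SAR is filed with the JFIU.
- Clients in high-risk jurisdictions must undergo EDD and Board approval.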
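12. Prohibited Jurisdictions
The Company does not work with clients from the following regions:
- North Korea, Iran, Syria, Sudan
- Sanctioned regions such as Crimea, Luhansk, and Donetsk
The list is based on announcements by the UN, FATF, OFAC, EU, and the Hong Kong Government.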
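13. Prohibited Industries
The following high-risk or illegal industries are not accepted:
- Unlicensed gambling operators
- Shell banks or anonymous companies
- Arms trafficking
- Human trafficking
- Drug trafficking
- Prostitution or escort services
- Pyramid schemes and Ponzi schemes
- Illegal pornography
- Cryptocurrency mixing or anonymization services
- Counterfeit goods and intellectual property infringement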
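14. Client Onboarding Procedures
1. Document Submission
- Proof of company registration
- Valid gambling or service license
- Details of directors, shareholders, and beneficial owners
- Articles of Association
- Proof of business address
2. Verification
- Cross-checking licenses with regulators
- Checking beneficial owners against company registry data
- Sanctions, PEP, and adverse media screening
3. Risk Assessment
- Rated as low, medium, or high risk
- High-risk clients → EDD + Board approval
4. Final Approval
- Sign-off by the MLRO and the Compliance Committee
- All records retained for 7 years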
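15. Enhanced Due Diligence (EDD)
Applies to:
- Clients in high-risk jurisdictions
- Complex or opaque structures
- Clients involving PEPs
- Clients with adverse media or regulatory enforcement records
Measures include:
- Requesting additional documents
- Verifying source of funds and source of wealth
- Detailed adverse media investigation
- Initial payments must come from a bank account in the client's name
- Board approval required
- Increased monitoring frequency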
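16. Transaction Monitoring
Although AXIS does not handle player funds directly, it still monitors:
- Whether API usage patterns are inconsistent with the business
- Whether transaction volumes are abnormal
- Whether client services are being used by unlicensed third parties
- Access attempts from restricted jurisdictions
Automated monitoring plus manual review, escalated to the MLRO where necessary.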
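17. Red Flags
- Client refuses to provide KYC documents
- Unnecessarily complex shareholding structures
- Seeking onboarding without a license
- Frequent changes of shareholders or directors
- Sudden surge in SaaS usage
- Concealing geographic location
- Media reports involving fraud, corruption, or sanctions
All red flags must be reported to the MLRO immediately.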
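18. Internal Reporting of Suspicious Activity
All AXIS employees are obligated to report to the MLRO any suspicion of money laundering or terrorist financing.
- Reporting channels: secure email, internal compliance reporting tools, or in-person escalation.
- Report content: full details of the suspicious activity, including documents or communication records.
- Failure to report suspicious activity is treated as a breach of company policy and may lead to disciplinary action.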
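19. External Reporting of Suspicious Activity
- Only the MLRO is authorized to file SARs externally with the JFIU in Hong Kong or other regulators.
- Employees must not contact external regulators on their own unless explicitly authorized by the MLRO.
- All SARs and related documents must be retained for at least seven years.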
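20. Investigation Procedures
The MLRO leads internal investigations, which include:
- Reviewing KYC and CDD documentation
- Analyzing SaaS platform usage logs and API activity
- Reviewing adverse media and external data
- Interviewing relevant employees
If the suspicion is substantiated → the MLRO escalates to the Board and files a SAR;
If the suspicion is not substantiated → the MLRO must document the reasons for closing the case.
All investigations must be completed promptly and confidentially.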
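21. Cooperation with Regulators
AXIS is committed to maintaining a cooperative relationship with regulators and law enforcement authorities, including:
- Responding promptly to information requests from the JFIU, the Securities and Futures Commission (SFC), or other bodies
- Providing complete records upon lawful request
- Proactively reporting significant AML/CTF risks or breaches
- All external communications must be handled centrally through the MLRO and the Board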
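22. Record Retention
- All AML/CTF-related records are retained for at least seven years, counted from the end of the business relationship or completion of the transaction.
- These include: client identification, CDD records, risk assessments, SARs, training records, and compliance communications.
- The retention period may be extended if required by law.
- Records must be stored securely and comply with GDPR and ISO 27001 standards.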
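23. Training Register
The MLRO must maintain a training register, including:
- Names of employees trained
- Training dates
- Topics covered
- Trainers or training providers
This register is used to demonstrate that AXIS meets regulatory inspection requirements.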
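24. Anti-Retaliation Policy
AXIS has a zero-tolerance policy on retaliation against employees who report AML/CTF concerns in good faith.
- Whistleblowers are protected under Hong Kong law.
- The Company guarantees their anonymity and freedom from any employment penalty.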
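Appendix A – Source of Funds (SoF)
Clients must demonstrate that their source of funds is legitimate, including:
- Revenue from licensed gaming or technology operations
- Equity financing supported by audited financial statements
- Loans supported by regulated financial institutions
- Mergers and acquisitions supported by legal documents
Unverifiable or high-risk sources of funds will result in rejection of onboarding.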
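Appendix B – Source of Wealth (SoW)
Particularly for beneficial owners, the Company requires proof that the source of wealth is legitimate:
- Shareholdings in regulated entities
- Inheritance supported by probate documents
- Records of sale of property or businesses
- Verifiable long-term investments
Sources of wealth that are opaque or linked to adverse media will trigger EDD or rejection of onboarding.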
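Appendix C – Onboarding Requirements
Corporate clients must submit:
- Certificate of Incorporation
- Valid license
- Articles of Association
- Proof of address (bank statement, utility bill)
- List of directors, shareholders, and beneficial owners
- Audited financial statements (if available)
All documents must be independently verified.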
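Appendix D – Prohibited Jurisdictions and Industries
The Compliance Committee reviews and updates the list annually, based on the latest lists from FATF, OFAC, UN, EU, and the Hong Kong Government.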
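Appendix E – Risk Assessment Methodology
Risk assessment is conducted at onboarding and once a year, covering:
- Jurisdictional risk
- Regulatory environment
- Transparency of ownership and control structures
- Type of service (standard SaaS or virtual asset-related)
- Compliance record and adverse media
Results are rated low, medium, or high risk; high risk requires EDD and Board approval.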
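Appendix F – Due Diligence Checklists
Corporate Clients:
- Company registration, license, Articles of Association
- Verification of directors and beneficial owners
- Financial records
- Proof of address
- Sanctions and adverse media screening
Third-Party Providers:
- License or regulatory approval
- Ownership and management details
- Sanctions and PEP checks
- AML/CTF policy
- Evidence of ongoing compliance training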
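Appendix G – Reporting Templates
SAR Template: date, reporting employee, client details, description of suspicious activity, evidence, MLRO decision.
Training Log Form: employee name, date, topics, trainer.
Risk Assessment Form: client details, risk factors, rating, signature.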
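Appendix H – Compliance Review Procedures
Conducted once a year, including:
- Sampling CDD files
- Evaluating the transaction monitoring system
- Reviewing SAR filings
- Assessing training completion
- Benchmarking against international best practices
The results are compiled into an Annual Compliance Review Report and submitted to the Board.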
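Appendix I – Training Content
Employees must receive training annually; topics include:
- Hong Kong AMLO and FATF standards
- The role of AI and SaaS in AML
- Red flags in the SaaS gaming aggregation business
- Red flags in onboarding, beneficial ownership, and integration services
- Reporting and tipping-off prohibition procedures
- Responsibilities of employees, the MLRO, and the Compliance Committee
Training formats: workshops, online courses, case study exercises.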
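Appendix J – Regulatory References
- Hong Kong Anti-Money Laundering and Counter-Terrorist Financing Ordinance
- Hong Kong Companies Ordinance
- Hong Kong Monetary Authority (HKMA) guidance
- Securities and Futures Commission (SFC) guidance
- FATF Recommendations
- Wolfsberg Principles
- ISO 27001
- GDPR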
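Appendix K – Prohibited Lists
Daily automated screening against:
- United Nations Security Council list
- US OFAC sanctions list
- European Union sanctions list
- Hong Kong Government Gazette list
- FATF high-risk jurisdictions
- Adverse media databases involving financial crime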
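Signatory Page
This Anti-Money Laundering and Counter-Terrorist Financing Policy has been approved and adopted by the Board of Directors of AXIS Easy Prosper Limited.
Managing Director - AXIS Easy Prosper Limited (易發技有限公司)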
Company Information
Business Registration Number: 78669113
Company Name: AXIS Easy Prosper Limited (易發技有限公司)
Company Address: Unit S-V, R18, 6/F, Valiant Industrial Centre, Nos 2-12 Au Pui Wan Street, Fo Tan, Hong Kong