ALC Media Legal

Anti-Money Laundering, Counter-Terrorist Financing, and Sanctions Compliance Policy

This Policy governs ALC Media LLC and the SouthPay platform. It sets out the controls and responsibilities through which we prevent, detect, and report financial crime.

Last updated June 26, 2026

1 Introduction and Scope

ALC Media LLC, a limited liability company organized under the laws of the State of Wyoming, United States of America (the “Company”, “ALC Media”, “we”, “us”, or “our”), operates the SouthPay platform, a software and payment orchestration layer that enables merchants to accept cryptocurrency payments through integrations with regulated third-party payment service providers (“PSPs”).

This Anti-Money Laundering, Counter-Terrorist Financing, and Sanctions Compliance Policy (this “Policy”) establishes the framework, principles, controls, and responsibilities through which the Company prevents, detects, and reports activity that may involve money laundering, terrorist financing, proliferation financing, sanctions evasion, fraud, or other financial crime (“Financial Crime”).

Applicability. This Policy applies to (a) the Company and all of its officers, employees, contractors, and agents, (b) all merchants and counterparties that access or use the SouthPay platform (each, a “Merchant”), and (c) all transactions, payment flows, and merchant relationships facilitated through the SouthPay platform, regardless of the service track elected by the Merchant.

Role limitation. The Company operates as a software, technology, and payment orchestration provider. The Company does not take custody of Merchant or end-user funds, does not execute settlement, does not perform fiat conversion, and does not act as a bank, money services business, or virtual asset service provider. Regulated payment, custody, settlement, and conversion activities are performed exclusively by PSPs, each of which operates under its own license, registration, or regulatory authorization. Notwithstanding the foregoing, the Company maintains and enforces this Policy as a matter of internal governance, contractual obligation to its PSPs and other counterparties, and good-faith commitment to the integrity of the financial system.

2 Regulatory Framework and Standards

This Policy is informed by, and is intended to operate consistently with, the following legal and regulatory frameworks and international standards, as applicable to the Company and to the activities conducted through the SouthPay platform:

  • the Bank Secrecy Act, 31 U.S.C. § 5311 et seq., and its implementing regulations promulgated by the Financial Crimes Enforcement Network (“FinCEN”);
  • the USA PATRIOT Act of 2001, as amended;
  • economic sanctions programs administered by the Office of Foreign Assets Control (“OFAC”) of the U.S. Department of the Treasury;
  • the Wyoming Money Transmitter Act and the Wyoming Digital Asset Framework, to the extent applicable;
  • sanctions regimes administered by the United Nations Security Council, the European Union, and His Majesty’s Treasury of the United Kingdom;
  • the Recommendations of the Financial Action Task Force (“FATF”), including Recommendation 15 (virtual assets and virtual asset service providers) and Recommendation 16 (the “Travel Rule”); and
  • the compliance frameworks and contractual requirements imposed by the Company’s PSPs and infrastructure providers, including those of Cobo, Confirmo, and any successor or additional providers integrated with the SouthPay platform.

Where any obligation under this Policy conflicts with a mandatory requirement of applicable law, the requirement of applicable law shall prevail. Where applicable law imposes a higher standard than this Policy, that higher standard shall govern.

3 Governance and Compliance Function

3.1 Compliance Officer

The Company has designated a Compliance Officer who functions as the Money Laundering Reporting Officer (“MLRO”) for the Company and the SouthPay platform. The Compliance Officer is responsible for the day-to-day administration of this Policy, including the design, implementation, and oversight of internal controls, the review of escalated alerts, the determination of suspicious activity, the maintenance of compliance records, and direct reporting to the management of the Company on Financial Crime matters.

The Compliance Officer has sufficient authority, independence, seniority, and resources to perform these responsibilities effectively, and has direct access to the senior management of the Company without reprisal. The contact details of the Compliance Officer are available to PSPs, regulators, and competent authorities upon written request to compliance@southpay.io.

3.2 Senior Management Oversight

The senior management of the Company maintains ultimate responsibility for the adequacy and effectiveness of this Policy. Senior management receives, at minimum, an annual report from the Compliance Officer summarizing the operation of the program, alert volumes and dispositions, suspicious activity escalations, training completion, audit findings, and material changes in risk exposure. Material Financial Crime matters are escalated to senior management on a real-time basis.

3.3 Three Lines of Defense

The Company operates a three-lines-of-defense model: (i) operational and product personnel, who are responsible for executing controls in the course of business; (ii) the compliance function, headed by the Compliance Officer, which designs and monitors controls and conducts ongoing oversight; and (iii) independent testing, conducted at least annually by a qualified party independent of the operational and compliance functions, the results of which are reported to senior management.

4 Risk-Based Approach

The Company applies a risk-based approach to Financial Crime, calibrated to the size of the Company, the nature of the SouthPay platform, the segments of merchants served, and the geographies in which Merchants operate. The Company maintains an enterprise-wide risk assessment that is reviewed and refreshed at least annually, and on an event-driven basis upon any material change in product, jurisdiction, counterparty, or regulatory expectation.

4.1 Risk Factors

The risk assessment evaluates, at minimum, the following categories of risk:

  • Customer risk: Merchant type, business model, ownership and control structure, presence of politically exposed persons (“PEPs”), industry sector, expected and actual transaction patterns, and adverse media findings.
  • Geographic risk: Jurisdictions of incorporation, operation, and beneficial ownership of the Merchant; the location of the Merchant’s end customers; and the location of payout destinations, assessed against sanctions designations, FATF listings, and country-level corruption and Financial Crime indicators.
  • Product and channel risk: The risks specific to crypto-to-crypto and crypto-to-fiat payment flows, the use of payment links, the volatility and pseudonymity characteristics of supported digital assets, and the absence of face-to-face onboarding.
  • Transaction risk: Volume, velocity, value, frequency, counterparty exposure, source of funds, and the presence of indicators consistent with structuring, layering, integration, or other typologies.

5 Merchant Onboarding and Customer Due Diligence

The Company applies tiered due diligence to Merchants in coordination with the applicable PSP. The Company does not onboard Merchants where the required level of due diligence cannot be completed, where the Merchant cannot be identified or verified to a reasonable standard, or where the Merchant operates in a manner inconsistent with this Policy.

5.1 Standard Due Diligence (KYB)

At onboarding, the Company collects and verifies information sufficient to identify and risk-rate the Merchant, including:

  • full legal name and any trading or “doing business as” names;
  • country of incorporation or residence and registered address;
  • registration or incorporation number and supporting registry documentation;
  • the nature of the Merchant’s business, products, and services;
  • expected transaction volumes, currencies, and counterparties;
  • identity of directors, senior managing officials, and authorized representatives;
  • identity of all ultimate beneficial owners (“UBOs”) holding, directly or indirectly, twenty-five percent (25%) or more of the ownership or voting interests in the Merchant, with verification of UBO identity to the same standard as the Merchant principal;
  • payout destination details, including bank account information for fiat settlement and wallet address information for crypto settlement; and
  • a validly accepted Merchant Payment Services Agreement and acceptance of this Policy as incorporated by reference therein.

Where the applicable PSP performs equivalent or more stringent customer due diligence on the Merchant pursuant to its own regulatory program, the Company may rely on the PSP’s due diligence outcomes in accordance with applicable law, while retaining ultimate responsibility for the Company’s own onboarding decision.

5.2 Enhanced Due Diligence (EDD)

Enhanced Due Diligence is required, and onboarding is suspended pending its completion, where any of the following triggers is present:

  • the Merchant, a director, a UBO, or an authorized representative is identified as a PEP, a family member of a PEP, or a known close associate of a PEP;
  • the Merchant is incorporated, operates, or holds material assets in a jurisdiction listed in Schedule A as high-risk;
  • the Merchant operates in a higher-risk industry sector, including (without limitation) money services, gambling, adult content, unregistered investment activity, precious metals dealing, or arms-related trade;
  • adverse media, sanctions, or law enforcement findings are identified during screening;
  • the ownership structure is opaque, layered through multiple jurisdictions, or includes bearer shares or nominee arrangements;
  • expected transaction volumes are materially elevated relative to the stated business profile; or
  • the Compliance Officer otherwise determines that the Merchant relationship presents an elevated risk of Financial Crime.

EDD measures include, as appropriate, additional documentation of source of funds and source of wealth, additional UBO and control-person verification, written narrative explanation of the business model and counterparty network, and senior-management approval of the relationship before onboarding is finalized.

5.3 Prohibited Relationships

The Company will not enter into or maintain a relationship with, and will reject or terminate any application or account associated with, any of the following:

  • any person or entity appearing on a sanctions list maintained by OFAC, the United Nations Security Council, the European Union, or His Majesty’s Treasury;
  • any person or entity that the Company knows, suspects, or has reasonable grounds to suspect is a shell entity (defined as a legal person with no genuine business activity, physical presence, or operating staff);
  • any person or entity that the Company knows, suspects, or has reasonable grounds to suspect is engaged in Financial Crime;
  • any payable-through, nested, or correspondent arrangement that would obscure the identity of the underlying customer;
  • any Merchant whose principal business is the provision of unlicensed money services, unlicensed virtual asset services, mixers, tumblers, or anonymity-enhanced asset services; and
  • any Merchant in any jurisdiction listed in Schedule A as a comprehensively sanctioned or prohibited jurisdiction.

6 Sanctions Compliance

The Company maintains a sanctions compliance program designed to prevent the Company and the SouthPay platform from being used to facilitate any transaction or relationship prohibited under applicable sanctions laws.

6.1 Screening

The Company screens, at minimum:

  • every Merchant applicant, director, authorized representative, and UBO at the point of onboarding;
  • the entire Merchant base on an ongoing basis against updated sanctions lists, with rescreening triggered by list updates;
  • every payout destination, whether a fiat bank account or a digital asset wallet address, against sanctions lists and, in the case of digital assets, against blockchain analytics designations of sanctioned addresses; and
  • outgoing on-chain transactions, in coordination with the Company’s infrastructure providers, against sanctions and blockchain risk indicators prior to execution.

Screening is performed against, at minimum: the OFAC Specially Designated Nationals and Blocked Persons List, the OFAC Sectoral Sanctions Identifications List, the OFAC Non-SDN Lists as applicable, the United Nations Consolidated List, the EU Consolidated List, the UK Sanctions List, and lists of sanctioned digital asset addresses maintained by reputable blockchain analytics providers.

6.2 Hits, Blocking, and Reporting

Confirmed sanctions hits are immediately blocked or rejected as required by the applicable sanctions program. Blocked or rejected transactions are reported to OFAC within the timeframes prescribed by 31 C.F.R. Part 501, and reports are filed with other relevant authorities as required. The Company maintains records of all sanctions hits, dispositions, and reports.

6.3 Geographic Restrictions

The Company does not onboard Merchants, accept transactions, or facilitate payouts where any party, payout destination, or end-customer base is located in, ordinarily resident in, or organized under the laws of any jurisdiction listed in Schedule A as a comprehensively sanctioned or prohibited jurisdiction. Restrictions on high-risk and product-restricted jurisdictions, also set out in Schedule A, are applied through enhanced due diligence, transaction limits, or exclusion as the Compliance Officer determines.

7 Ongoing Monitoring and Transaction Monitoring

The Company conducts ongoing monitoring of Merchant relationships and transactions to detect activity that is unusual, inconsistent with the Merchant’s established profile, or otherwise suggestive of Financial Crime.

7.1 Layered Controls

Transaction monitoring operates at two layers:

  • Infrastructure layer. The Company’s infrastructure provider applies pre-execution screening to outgoing on-chain transactions, including merchant payouts, refunds to payers, and internal fund movements. Transactions that fail infrastructure-layer screening are blocked and do not proceed. The Company’s platform reflects this outcome and does not release funds for blocked transactions.
  • Platform layer. The Company applies its own monitoring across the Merchant base, designed to detect patterns consistent with established Financial Crime typologies, including (without limitation) structuring, layering, integration, money mule activity, sanctions evasion, fraud, and abuse of payment infrastructure. The specific monitoring rules, thresholds, and detection logic are confidential and are not disclosed publicly so as to preserve their effectiveness.

7.2 Alert Handling and Investigation

Alerts generated through monitoring are triaged by the compliance function. Each alert is documented, investigated, and dispositioned within a defined service-level expectation. Investigations may include review of transaction history, requests for additional information from the Merchant, on-chain analysis, and consultation with the applicable PSP. Outcomes include (i) closure with no further action, (ii) enhanced monitoring of the Merchant, (iii) restriction or suspension of platform access, (iv) escalation as a suspicious activity matter, or (v) termination of the Merchant relationship.

7.3 Periodic Review

Each Merchant relationship is subject to periodic review at a frequency determined by its risk rating: low-risk Merchants no less than every thirty-six (36) months, medium-risk no less than every twenty-four (24) months, and high-risk no less than every twelve (12) months, with event-driven review triggered by material changes in ownership, business activity, transaction patterns, adverse media, or sanctions designations.

8 Suspicious Activity and Reporting

Where the Company knows, suspects, or has reasonable grounds to suspect that a transaction, attempted transaction, or relationship involves Financial Crime, the matter is escalated to the Compliance Officer for determination of suspicious activity.

Where a determination of suspicious activity is made, the Company will (a) report the matter to the relevant competent authority in the manner and within the timeframe required by applicable law, (b) cooperate with any related lawful request from a competent authority, (c) coordinate with the applicable PSP where the PSP has a parallel reporting obligation, and (d) take such action with respect to the Merchant relationship as the Compliance Officer determines, including suspension or termination.

No tipping off. No officer, employee, contractor, or agent of the Company shall disclose to any Merchant, end user, or other person, directly or indirectly, that a suspicious activity report has been or may be filed, that an investigation is underway, or that information has been provided to a competent authority, except as expressly permitted by applicable law.

9 Travel Rule and Originator/Beneficiary Information

Where applicable, the Company supports the implementation of FATF Recommendation 16 (the “Travel Rule”) through its PSPs and infrastructure providers. For transactions subject to the Travel Rule, originator and beneficiary information is collected, transmitted, and retained by the applicable PSP in accordance with the PSP’s regulatory obligations and the Company’s contractual integration with that PSP. The Company does not facilitate transactions that the applicable PSP determines cannot be processed in compliance with applicable Travel Rule requirements.

10 Record Keeping and Data Protection

The Company retains records relating to this Policy for not less than five (5) years from the date of the relevant activity or the end of the Merchant relationship, whichever is later, or such longer period as may be required by applicable law. Records retained include:

  • Merchant onboarding documentation, identity and UBO verification evidence, and risk ratings;
  • payment intents, transaction records, ledger entries, and on-chain transaction references;
  • sanctions screening results, alerts, investigations, dispositions, and any reports filed with competent authorities;
  • communications with Merchants concerning compliance matters;
  • training records, independent testing reports, and risk assessments; and
  • records of decisions taken under this Policy, including approvals, escalations, and terminations.

Records are maintained in a secure, retrievable format, protected against unauthorized access, alteration, or destruction, and made available to competent authorities promptly upon lawful request. Personal data within these records is processed in accordance with applicable data protection law and the Company’s privacy policy.

11 Training

All officers, employees, and contractors of the Company whose duties touch the SouthPay platform receive AML, sanctions, and Financial Crime training (a) at the commencement of their engagement, (b) annually thereafter, and (c) on an ad-hoc basis when material changes in regulation, typology, or platform functionality warrant. Training is tailored to role, covers obligations under this Policy, red flags relevant to crypto payment orchestration, and reporting and escalation channels. Training completion is recorded and reviewed by the Compliance Officer.

12 Independent Testing and Audit

The Company’s AML and sanctions compliance program is subject to independent testing not less frequently than every twelve (12) months, conducted by a qualified internal or external party that is independent of the operational and compliance functions. The scope of testing covers, at minimum, the design and operating effectiveness of controls described in this Policy, the adequacy of the risk assessment, the quality of merchant due diligence files, the disposition of monitoring alerts, sanctions screening, training, and record keeping. Findings, root causes, and remediation plans are reported to senior management and tracked through to closure.

13 Cooperation with Authorities and Counterparties

The Company cooperates with lawful requests from competent authorities, law enforcement, and its PSPs, in each case in accordance with applicable law and the Company’s contractual undertakings. Subpoenas, court orders, regulatory inquiries, and equivalent requests are routed to the Compliance Officer and handled with appropriate legal counsel.

14 Policy Governance, Review, and Amendment

This Policy is owned by the Compliance Officer and approved by the senior management of the Company. The Policy is reviewed at least annually, and on an event-driven basis upon any material change in regulation, business model, counterparty risk, or independent testing finding. Material amendments are approved by senior management. The Company may update this Policy from time to time without prior notice; the version published on the Company’s website at any given time is the version then in force.

15 Contact

Questions, requests, and reports relating to this Policy may be directed to:

ALC Media LLC
Attention: Compliance Officer
1309 Coffeen Avenue, STE 1200
Sheridan, Wyoming 82801, United States
compliance@southpay.io