Anti-Money-Laundering and Know-Your-Customer Policy

Regulatory Basis

Upmos’s regulatory status: Upmos operates an online marketplace and does not itself directly hold, transmit, exchange, or custody customer funds in a manner that would render it a “money services business” (“MSB”) under FinCEN’s rules (31 C.F.R. § 1010.100(ff)). All payment processing, fund custody, payout, and settlement is performed by regulated third-party payment processors and their banking partners (currently including Stripe, Inc. and its sponsoring bank, plus regulated card networks); those entities bear the primary statutory AML/KYC obligations under the Bank Secrecy Act and analogous laws. Upmos’s AML/KYC program described below is therefore a voluntary, best-practices compliance program implemented to (a) support our payment processors’ compliance obligations, (b) protect our marketplace participants from financial-crime risk, and (c) discharge any directly applicable obligations (most notably OFAC sanctions screening, which applies to all U.S. persons regardless of MSB status under 31 C.F.R. Chapter V).

This program references and aligns with the following U.S. and international financial-crimes frameworks:

• U.S. — Bank Secrecy Act (BSA), 31 U.S.C. § 5311 et seq., and FinCEN implementing regulations at 31 C.F.R. Chapter X, as modernized by the Anti-Money Laundering Act of 2020 (AMLA 2020, Title LXIII of the William M. (Mac) Thornberry NDAA for FY 2021);
• USA PATRIOT Act of 2001, particularly Title III (International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001), Sections 311–326 (special measures, CIP, correspondent accounts);
• Corporate Transparency Act (CTA), 31 U.S.C. § 5336, and FinCEN’s Beneficial Ownership Information (BOI) Reporting Rule (31 C.F.R. § 1010.380; nationwide enforcement was paused by court orders in early 2025 and remains subject to ongoing litigation and rule revisions — Upmos monitors and complies with the rule’s current operative scope);
• OFAC sanctions regulations, 31 C.F.R. Chapter V (mandatory for all U.S. persons; see also our Sanctions Compliance Policy);
• FinCEN Customer Due Diligence Rule (CDD Rule), 31 C.F.R. § 1010.230, including beneficial-owner identification for legal entity customers (applicable to our payment processors; Upmos voluntarily aligns vendor onboarding with these standards);
• FFIEC BSA/AML Examination Manual (risk-based approach guidance); FinCEN AML/CFT National Priorities (Section 6101 of AMLA 2020) covering corruption, cybercrime including cryptocurrency, foreign and domestic terrorist financing, fraud, transnational criminal organizations, drug trafficking, human trafficking, and proliferation financing;
• EU 6th Anti-Money Laundering Directive (Directive (EU) 2018/1673) and the AML Regulation (EU) 2024/1624 (single rulebook, effective July 10, 2027); the EU’s Transfer of Funds Regulation (Regulation (EU) 2023/1113) implementing the FATF Travel Rule for crypto-asset transfers;
• United Kingdom — Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended), and Proceeds of Crime Act 2002;
• Canada — Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC regulations;
• Singapore — Payment Services Act 2019 and MAS Notice PSN02; Australia — AML/CTF Act 2006 and AUSTRAC rules;
• Mexico — Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (LFPIORPI) and SAT rules;
• FATF (Financial Action Task Force) 40 Recommendations and the FATF Travel Rule (Recommendation 16);
• State laws: applicable U.S. state money-transmitter and financial-services laws (collected through our regulated payment processors’ state licensure).

Risk-Based Approach

Upmos’s voluntary AML/KYC program is risk-based, consistent with the FFIEC BSA/AML Examination Manual and the four-pillar BSA AML program structure codified at 31 U.S.C. § 5318(h):

• Internal controls (this Policy and supporting procedures);
• Designated compliance officer (see §Designated AML Compliance Officer below);
• Ongoing training (see §Employee Training below);
• Independent testing (see §Independent Testing below).

Risk factors evaluated include: customer/vendor jurisdiction (with elevated review for FATF gray- and black-listed countries and comprehensively sanctioned jurisdictions), transaction volume and velocity, product category (with elevated review for high-risk categories such as precious metals, art, antiquities, firearms, and ammunition where permitted), beneficial-ownership complexity (multi-tier or offshore entity structures), adverse-media and politically-exposed-person (PEP) findings, payment-instrument risk, and unusual transaction patterns. Higher-risk customers and vendors are subject to enhanced due diligence (EDD); all others are subject to standard customer due diligence (CDD).

Customer Identification Program (CIP)

The statutory Customer Identification Program (CIP) Rule (31 C.F.R. § 1020.220) applies to banks and certain financial institutions. As Upmos is not itself a bank or MSB, the procedures below are voluntary KYC procedures implemented to align with our payment processors’ CIP obligations, satisfy OFAC screening requirements, and protect the marketplace from financial-crime risk. Before a vendor receives a payout or before a flagged consumer transaction is processed, Upmos collects and verifies the following information:

• Full legal name;
• Date of birth (for individuals);
• Physical address (PO boxes alone are not sufficient for individuals);
• Government-issued identification number (driver’s license, passport, tax identification number, or foreign-government equivalent);
• For business vendors: legal business name, principal place of business, Employer Identification Number (EIN) or equivalent foreign tax identifier, jurisdiction of formation, and beneficial-owner information for any natural person owning 25% or more of the entity, and one natural person with significant managerial control (aligned with the FinCEN CDD Rule, 31 C.F.R. § 1010.230, which applies to our payment processors);
• Bank account or payout account verification (via Plaid, micro-deposit verification, or equivalent open-banking verification through our regulated payment processors).

Data retention & privacy: KYC information is collected and processed in accordance with our Privacy Policy, retained for the periods specified in §Recordkeeping below, and used solely for AML/KYC compliance, fraud prevention, sanctions screening, and lawful disclosure to regulators or our payment processors. KYC information is not used for marketing.

Sanctions Screening

Sanctions screening is a mandatory obligation that applies to Upmos and to every U.S. person regardless of MSB status (31 C.F.R. Chapter V). Every customer, vendor, and beneficial owner identity is screened on enrollment and re-screened on a continuous basis against the following sanctions lists at minimum:

• United States — OFAC: Specially Designated Nationals (SDN) List, Sectoral Sanctions Identifications (SSI) List, Foreign Sanctions Evaders (FSE) List, Non-SDN Menu-Based Sanctions (NS-MBS) List, Palestinian Legislative Council List, and Capta List;
• United Nations: UN Security Council Consolidated Sanctions List;
• European Union: EU Consolidated Financial Sanctions List;
• United Kingdom: HM Treasury Office of Financial Sanctions Implementation (OFSI) Consolidated List;
• Canada: Special Economic Measures Act (SEMA) and Justice for Victims of Corrupt Foreign Officials Act sanctions lists;
• Australia: Department of Foreign Affairs and Trade (DFAT) Consolidated List;
• Switzerland: SECO Sanctions List;
• Singapore: Monetary Authority of Singapore (MAS) targeted sanctions lists.

Comprehensively sanctioned jurisdictions (with which Upmos does not transact): Iran, North Korea (DPRK), Syria, Cuba, Crimea region of Ukraine, the so-called Donetsk People’s Republic and Luhansk People’s Republic regions of Ukraine, and Russia (sector-specific sanctions per Executive Orders 14024, 14066, 14068, and 14071). Beneficial owners of vendor entities are screened independently of the entity itself. See Sanctions Compliance Policy for full details on screening tooling, false-positive resolution, blocked-transaction reporting (31 C.F.R. § 501.603), and OFAC license requirements.

Suspicious Activity Reports (SARs)

Upmos employees are trained to identify and escalate transactions that exhibit common money-laundering, terrorist-financing, or financial-crime red flags. Where Upmos detects suspicious activity, Upmos will (i) escalate internally to the AML Compliance Officer for review, and (ii) provide complete information to our payment processors so that they may file a Suspicious Activity Report (FinCEN Form 111) under their statutory obligations at 31 C.F.R. §§ 1020.320 (banks), 1022.320 (MSBs), or 1029.320 (loan or finance companies). Upmos does not itself file SARs (as it is not an MSB), but cooperates fully and on a timely basis with processor SAR investigations and with direct regulator and law-enforcement inquiries.

Money-laundering & terrorist-financing red flags tracked by Upmos include the following (non-exhaustive list, expanded to reflect e-commerce marketplace risks):

• Structuring — arranging transactions to evade reporting or detection thresholds (e.g., multiple sub-$10,000 deposits, multiple sub-$3,000 payment-instrument purchases);
• Unusually large cash, gift-card, prepaid-card, or cryptocurrency settlements;
• Multi-account abuse — multiple accounts traced to a single beneficial owner, common device fingerprints, common IP addresses, or common payment instruments;
• Transactions inconsistent with the customer’s or vendor’s stated business model, geographic footprint, or income;
• Transactions involving comprehensively sanctioned jurisdictions, FATF gray- or black-listed countries, or persons appearing on sanctions or watch lists;
• Refusal to provide standard KYC information, providing forged or inconsistent documentation, or recurring document-quality issues;
• Sudden unexplained increases in transaction volume, velocity, or average order value;
• Trade-Based Money Laundering (TBML) indicators — over- or under-invoicing relative to fair market value, phantom shipments, multiple invoicing for the same goods, or product descriptions inconsistent with shipping weights;
• Refund-fraud / chargeback laundering — coordinated refund or chargeback patterns inconsistent with normal returns behavior;
• Gift-card layering — use of buyer-funded gift cards to layer or obscure source-of-funds;
• Use of synthetic or stolen identities, particularly where bank-account and identity attributes diverge;
• Patterns matching FinCEN AML/CFT National Priorities (Section 6101 of AMLA 2020), including indicators of human trafficking, corruption, cybercrime, drug trafficking, or proliferation financing.

SAR confidentiality: Suspicious-activity reports and the underlying support are confidential under 31 U.S.C. § 5318(g)(2) and may not be disclosed to the subject of the report; Upmos and its employees may not confirm or deny the existence of a SAR filing. The BSA’s safe harbor (31 U.S.C. § 5318(g)(3)) protects Upmos, our payment processors, and our employees from civil liability for good-faith reporting.

Currency Transaction Reports (CTRs)

Currency Transaction Reports (CTRs; FinCEN Form 112) are required to be filed by banks and MSBs for any cash transaction or aggregated cash transactions exceeding USD $10,000 in a single business day from a single customer (31 C.F.R. §§ 1010.311, 1020.310, 1022.310). Upmos does not directly accept, hold, or transmit cash and is not itself an MSB, so Upmos does not file CTRs. Where cash-equivalent transactions (such as money orders or cash-funded gift cards) flow through our regulated payment processors, those processors discharge their own CTR obligations, and Upmos provides any underlying transaction support requested for those filings.

Recordkeeping

Upmos retains AML/KYC-related records for the periods set forth below, aligned with BSA retention requirements (31 C.F.R. § 1010.430) and longer where required by applicable state, foreign, or contractual obligations. Records are retained in encrypted form with access limited to authorized compliance personnel.

• CIP / KYC records — not less than five (5) years after the date the account is closed (per 31 C.F.R. § 1020.220(a)(3) applicable to our payment processors; Upmos voluntarily aligns);
• SAR support and processor-filed SARs — not less than five (5) years from the date of filing (31 U.S.C. § 5318(g); 31 C.F.R. § 1010.430(d));
• CTR support and processor-filed CTRs — not less than five (5) years from the date of filing;
• Transaction records (orders, payments, payouts, refunds) — not less than five (5) years from the date of the transaction;
• Beneficial-owner identification records — not less than five (5) years after the date the vendor account is closed (31 C.F.R. § 1010.230(i)(2));
• Sanctions-screening logs and OFAC-match resolution records — not less than five (5) years (31 C.F.R. § 501.601);
• Training records — not less than five (5) years from completion;
• Independent-testing reports and remediations — not less than five (5) years from issuance.

Designated AML Compliance Officer

Upmos has designated an internal AML Compliance Officer (“AMLCO”) with day-to-day responsibility for this program. The AMLCO reports to the Chief Compliance Officer and quarterly to the Board of Directors. Inquiries from regulators or law enforcement should be directed in the first instance to the AMLCO at aml@upmos.com.

Independent Testing

The Upmos AML/KYC program is independently tested by a qualified third-party auditor on at least an annual basis. Findings, recommendations, and remediations are documented and reported to the Board.

Employee Training

All Upmos employees, including contractors, who work in payments, payouts, vendor onboarding, customer support, or trust & safety receive AML training on enrollment and at least annually thereafter. Training covers red-flag identification, escalation procedures, SAR confidentiality, and the personal liability associated with willful AML failures.

Customer Cooperation Required

By using Upmos, you agree to provide such additional KYC information as we (or our payment processors) may reasonably request from time to time in connection with your account, transactions, or payouts. KYC requests will specify (i) the information requested, (ii) the legal or compliance basis for the request, (iii) the timeframe for response (typically fourteen (14) calendar days, expedited to seventy-two (72) hours for sanctions-related inquiries), and (iv) the consequences of non-response. Failure to provide requested information within the specified timeframe may result in:

• For buyers: account restriction or, for high-risk patterns, suspension of purchase functionality pending verification;
• For vendors: payout hold (with escrow funds held pending verification), payout-method restriction, listing suspension, or full account closure for sustained non-response or where the AML risk cannot be mitigated.

Appeal process. Any account action arising from an AML/KYC review is appealable. To appeal, contact aml@upmos.com within thirty (30) days of the action with (a) your account identifier, (b) the action being appealed, and (c) any additional documentation supporting your appeal. Upmos will acknowledge the appeal within five (5) business days and issue a final decision within thirty (30) business days. Appeals are reviewed by a person not involved in the original decision. Appeals do not extend statutory holds imposed by our payment processors or by law enforcement.

SAR-related actions are not separately appealable beyond the general appeal process described above; under 31 U.S.C. § 5318(g)(2), Upmos cannot confirm or deny the existence of any suspicious-activity report, and certain account actions may not be reversed for that reason alone.

Privacy of your KYC information. KYC information you provide is processed in accordance with our Privacy Policy, is retained per §Recordkeeping above, is shared only with our regulated payment processors, our auditors, regulators, and law enforcement as legally required or permitted, and is not used for marketing. EU/UK residents may exercise GDPR rights through our EU Representative (see §How Can You Contact Us About This Policy?).

Reporting and Contact

To report suspected money-laundering, fraud, sanctions evasion, or terrorist financing involving the Upmos marketplace, contact us first; we will coordinate with our payment processors and regulators as appropriate.

Reports may also be made directly to the appropriate government authority:

• U.S. FinCEN Regulatory Helpline: 1-800-949-2732 · fincen.gov
• U.S. Treasury OFAC Sanctions Hotline: 1-800-540-6322 · ofac.treasury.gov
• FBI Internet Crime Complaint Center (IC3): ic3.gov for cybercrime and online fraud
• U.S. National Human Trafficking Hotline: 1-888-373-7888 · humantraffickinghotline.org
• EU — National Financial Intelligence Unit (FIU) of your member state (list at fatf-gafi.org)
• UK — National Crime Agency (UKFIU): nationalcrimeagency.gov.uk
• Canada — FINTRAC: fintrac-canafe.gc.ca

AMLA 2020 Whistleblower Program. Whistleblowers reporting BSA violations may be eligible for an award of 10–30% of the monetary sanctions collected, under the AMLA 2020 whistleblower program (31 U.S.C. § 5323; FinCEN Form 114a). Whistleblowers are protected from employer retaliation under 31 U.S.C. § 5323(g). To report a BSA violation directly to FinCEN’s Office of the Whistleblower, file FinCEN Form 114a.

Updates

This Policy is reviewed at least annually and whenever there is a material change to Upmos’s AML/KYC program, our payment processors’ obligations, or applicable law. For material changes (defined as changes that meaningfully expand the categories of KYC information collected, change a reporting or recordkeeping commitment, alter a consumer right or appeal SLA, or add or remove an AML/CFT obligation), Upmos will provide affected users with at least thirty (30) days’ advance notice through (a) email to the address associated with the user’s Upmos account, (b) an in-product banner displayed on the user’s next sign-in, and (c) a dated entry in the Version History section of this Policy. Minor clarifications, citation updates, and typographical fixes are made without advance notice and are reflected only in the Version History.