Policy for the governance and management of money laundering and terrorist financing risk pursuant to Legislative Decree 231/2007 as amended.

Young Platform S.p.a.

Approved by: Board of Directors on 18/09/2025

Updated on: 25/08/2025

Version: 1.4 Modification of the policy for continuous updates (14/11/2025)

Young Platform S.p.A.

Young Platform S.p.A. has its registered office in Turin (Italy) at via Cigna 96/17, Postal Code 10155, Tax Code and VAT No. 11931440017 (hereinafter simply “Young”).

Young, pending the submission and subsequent acceptance of the application for authorization as a crypto-asset service provider in accordance with Regulation (EU) 1114/2023 (hereinafter “MiCAR”), recognizes its services within the following definition set forth in Art. 1, paragraph 2, letter mm-bis) of Legislative Decree no. 231 of November 21, 2007, as amended (hereinafter also “Anti-Money Laundering Decree”):

mm-bis) ‘crypto-asset services’: services as defined in Article 3, paragraph 1, point 16), of Regulation (EU) 2023/1114.

Therefore, Young is included among the “obliged entities” as it is listed by the Anti-Money Laundering Decree among non-financial operators, in Art. 3, paragraph 5, letter v-bis:

v-bis) providers of crypto-asset services as defined in Article 3, paragraph 1, point 15), of Regulation (EU) 2023/1114, authorized in Italy to provide such services, with the exception of the service of providing advice on crypto-assets.

From 30/12/2024, with the update of the Anti-Money Laundering Decree, Young falls within the recipients supervised by the Bank of Italy and therefore follows the anti-money laundering indications of the secondary legislation of the Bank of Italy.

Recipients

All Young personnel.

Purpose

Pursuant to the Anti-Money Laundering Decree, money laundering means:

a) the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s action;

b) the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity;

c) the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity;

d) participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in points a), b) and c).

Money laundering shall be regarded as such even where the activities which generated the property to be laundered were carried out outside the national borders. Knowledge, intent or purpose required as an element of the money laundering activities may be inferred from objective factual circumstances.

Terrorist financing means any activity directed, by any means, to the provision, collection, procurement, intermediation, deposit, custody or disbursement, in any manner realized, of funds and economic resources, directly or indirectly, in whole or in part, usable for the commission of one or more conducts, with terrorist purposes according to the provisions of criminal laws, regardless of the actual use of the funds and economic resources for the commission of the aforementioned conducts.

Therefore, money laundering and terrorist financing represent criminal phenomena which, also by virtue of their possible transnational dimension, constitute a serious threat to the real economy and may determine destabilizing effects, especially for the banking and financial system.

The soundness, integrity and stability of credit institutions and financial institutions, as well as confidence in the financial system as a whole, could be seriously jeopardized by the efforts of criminals and their associates to disguise the origin of criminal proceeds or to channel funds of licit or illicit origin for terrorist financing purposes.

Young responds responsibly to the complexity and danger of these phenomena, dedicating maximum attention to contrasting actions and tools, in the awareness that the pursuit of profitability and efficiency must be combined with continuous and effective oversight of the integrity of the corporate structure.

For this reason, the involvement of corporate bodies and the correct fulfillment of the obligations incumbent upon them is a priority. In particular, it is up to the Board of Directors (hereinafter also BoD) to identify policies for the governance of money laundering and terrorist financing risk adequate to the size and type of risk profiles to which Young’s activity is concretely exposed.

This Policy for the “Governance and management of money laundering and terrorist financing risk” (hereinafter also “Policy”) therefore aims to define the measures, roles and responsibilities, the organizational and operational model, and the information flows for the governance and management of money laundering and terrorist financing risk within Young, in full compliance with the external reference legislation.

The unambiguous definition of the qualifying elements of the management of money laundering and terrorist financing risk at Young and the guidelines that must be respected in their exercise represent the fundamental prerequisite for ensuring homogeneity of behavior within the Company.

Scope of applicability, approval and update

The Policy is intended for all Young corporate bodies and its personnel.

This Policy is approved by Young’s BoD and is updated whenever there are significant organizational changes or developments in the reference regulatory context. The Head of the Anti-Money Laundering Function evaluates and submits any subsequent relevant updates to the BoD for approval.

This Policy governs the regular and ordinary conduct of processes and any extraordinary intervention powers by the Anti-Money Laundering Function.

Related Procedures

This document is to be read in conjunction with the following internal regulations:

• Anti-Money Laundering Manual;
• Procedure for Customer Due Diligence;
• Procedure for Data Retention;
• Procedure for Reporting Suspicious Transactions.

General Provisions

The Policy for the governance and management of money laundering and terrorist financing risk falls within the following general provisions:

• The reference regulatory context and the related measures regarding the fight against money laundering and terrorist financing adopted in Young;
• The duties and responsibilities of the Corporate Bodies, the Anti-Money Laundering Function, the Head of Suspicious Transaction Reporting and other Corporate Functions involved in the management of money laundering and terrorist financing risk;
• The main information flows necessary for the functioning of the risk governance and management model.

Main regulatory references

For the purposes of preventing and combating money laundering and terrorist financing, in recent years there has been a significant process of harmonization and strengthening of the reference discipline at the international level, indispensable in an increasingly competitive and globalized market, affected by technological and financial innovations that have profoundly expanded the field of action and the tools available to subjects intending to carry out money laundering or terrorist financing acts.

Considering that money laundering and terrorist financing operations often take place at an international level, the reference regulatory framework consists of an articulation of sources, represented by international conventions, recommendations developed by the Financial Action Task Force (i.e., GAFI or FATF), as well as European Community legislation, subject to transposition at the national level by member states, as well as implementing provisions issued by the competent national Supervisory Authorities.

Young’s organizational choices, as well as this document, reflect European-based rules, as well as national laws and regulations.

Young is not included among the addressees of the secondary legislation of the Bank of Italy, nor of other supervisory authorities.

In this regulatory uncertainty, Young has decided to take the secondary legislation of the Bank of Italy as a reference, adapting to it as far as possible according to the principle of proportionality, consistent with the nature, size, complexity of the activity carried out, the type and range of services provided.

In particular, Community and local requirements and recommendations derive from:

• Legislative Decree 21 November 2007, n. 231 (Decree) and subsequent amendments;
• Joint Guidelines of the European Supervisory Authorities on simplified and enhanced customer due diligence measures and on risk factors, published on January 4, 2018;
• EU Directive 2015/849 (so-called “IV Anti-Money Laundering Directive“) of the European Parliament and of the Council of 20/05/2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC. The discipline expanded the objective scope of application of the Anti-Money Laundering legislation, combining the financing of terrorism with the activity of laundering money from criminal activities;
• Directive (EU) 2018/843 (so-called “V Anti-Money Laundering Directive“) of the European Parliament and of the Council of May 30, 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU;
• Communication from the Bank of Italy on the identification and enhanced due diligence of Politically Exposed Persons: best practices and critical issues detected in control activity, of January 31, 2018;
• Provisions on organization, procedures and internal controls aimed at preventing the use of intermediaries for the purposes of money laundering and terrorist financing of March 26, 2019 and subsequent amendments;
• Implementing provisions on Customer Due Diligence for combating money laundering and terrorist financing issued by the Bank of Italy on July 30, 2019;
• Legislative Decree 22 June 2007, n. 109 and subsequent amendments, Measures to prevent, combat and suppress the financing of terrorism and the activity of countries threatening international peace and security, implementing Directive 2005/60/EC;
• Provisions for the retention and making available of documents, data and information for combating money laundering and terrorist financing issued by the Bank of Italy on 24/3/2020;
• Anomalous use of virtual currencies issued by the UIF on 29/5/2019;
• Measure setting out anomaly indicators issued by the UIF on 12/05/2023;
• Guidance for a risk-based approach, Virtual assets and virtual asset service providers issued by the FATF in June 2019;
• Decree of the Ministry of Economy and Finance of January 13, 2022 – Modalities and timing with which service providers related to the use of virtual currency and digital wallet service providers are required to communicate their operations on the national territory as well as forms of cooperation between the Ministry of Economy and Finance and the police forces;
• Circular 41/22 of the Organismo Agenti e Mediatori (OAM).

Roles and responsibilities in the AML field

For the purposes of mitigating the risk of Young’s involvement in money laundering and/or terrorist financing events, the involvement of corporate bodies and the correct fulfillment of obligations assumes priority importance.

The following paragraphs detail the duties and responsibilities in the anti-money laundering field of Young’s corporate bodies.

8.1 Board of Directors

The BoD is responsible for defining the overall governance and management model for money laundering and terrorist financing risk.

It is the task of the BoD to approve this Policy and the organizational model for the governance and management of such risk.

In particular, the BoD:

• approves and periodically reviews the strategic guidelines and governance policies for risks connected with money laundering; adhering to the risk-based approach, the policies are adequate to the size and type of risks to which Young’s activity is concretely exposed;
• approves a policy that illustrates and justifies the choices that Young makes on the various relevant profiles regarding organizational structures, internal procedures and controls, customer due diligence and data retention, consistent with the principle of proportionality and the actual exposure to money laundering risk (so-called anti-money laundering policy);
• approves the establishment of the anti-money laundering function, identifying its duties and responsibilities as well as methods of coordination and collaboration with other internal control functions;
• approves the guidelines for an organic and coordinated internal control system, functional to the prompt detection and management of money laundering risk and ensures its effectiveness over time;
• approves the principles for managing relationships with “high risk” classified customers;
• appoints and revokes the head of suspicious transaction reporting and the head of the anti-money laundering function, having consulted the body with control functions and verified the possession of the necessary requirements;
• ensures that tasks and responsibilities in anti-money laundering matters are allocated clearly and appropriately, guaranteeing that operational and control functions are distinct and provided with qualitatively and quantitatively adequate resources;
• ensures that an adequate, complete and timely information flow system is set up towards corporate bodies and between control functions as well as a documentation sharing system that allows corporate bodies direct access to the reports of the control functions on anti-money laundering matters, to the relevant communications exchanged with Authorities and to the supervisory measures imposed or sanctions inflicted;
• ensures the protection of confidentiality within the suspicious transaction reporting procedure;
• at least annually, examines the reports relating to the activity carried out by the anti-money laundering manager and the controls performed by the competent functions, as well as the document on the results of the self-assessment of money laundering risks;
• at least annually, evaluates the activity of the anti-money laundering function and the adequacy of the human and technical resources assigned to it, also in light of the periodic verification carried out by the internal audit function;
• ensures that deficiencies and anomalies found as a result of checks at various levels are promptly brought to its attention and promotes the adoption of suitable corrective measures, evaluating their effectiveness;
• evaluates the risks resulting from operations with third countries associated with higher money laundering risks, identifying the safeguards to mitigate them, the effectiveness of which it monitors;
• appoints the Exponent responsible for anti-money laundering.

8.2 Chief Executive Officer

The Chief Executive Officer (CEO) of Young, as the body with management function:

• oversees the implementation of the strategic guidelines and money laundering risk governance policies approved by the BoD and is responsible for adopting all measures necessary to ensure the effectiveness of the organization and the anti-money laundering control system; to this end, the CEO examines the proposals for organizational and procedural interventions presented by the anti-money laundering manager and formalizes, providing reasons, any decision not to accept them;
• defines and oversees the implementation of an internal control system functional to the prompt detection and management of money laundering risk and ensures its effectiveness over time, consistent with the outcomes of the risk self-assessment exercise;
• ensures that operational procedures and information systems allow for the correct fulfillment of customer due diligence obligations and the retention of documents and information;
• regarding suspicious transaction reporting, defines and oversees the implementation of a procedure adequate to the specificities of the activity, the size and complexity of the company, according to the principle of proportionality and the risk-based approach;
• adopts, moreover, measures aimed at ensuring compliance with the confidentiality requirements of the reporting procedure as well as tools, including IT tools, for the detection of anomalous transactions;
• defines the anti-money laundering policy submitted for approval to the body with strategic supervision function and oversees its implementation;
• defines and oversees the implementation of information procedures aimed at ensuring knowledge of risk factors by all involved corporate structures and bodies charged with control functions;
• defines and oversees the implementation of procedures for managing relationships with “high risk” classified customers, consistent with the principles set by the strategic supervision body;
• establishes training and education programs for personnel on the obligations envisaged by anti-money laundering regulations; the training activity must be continuous and systematic and take into account the evolution of the legislation and procedures prepared by Young;
• establishes suitable tools to allow verification of the activity carried out by personnel so as to detect any anomalies that emerge, specifically, in behaviors, in the quality of communications addressed to referees and corporate structures as well as in personnel relationships with customers;
• ensures, in cases of outsourcing of operational tasks of the anti-money laundering function, compliance with applicable legislation and receives periodic information on the performance of outsourced activities;
• ensures, in cases of remote operations (e.g., carried out through digital channels), the adoption of specific IT procedures for compliance with anti-money laundering legislation, with particular reference to the automatic identification of anomalous transactions;
• oversees the implementation of initiatives and procedures necessary to ensure the timely fulfillment of communication obligations to Authorities envisaged by the legislation.

8.3 Board of Statutory Auditors

The Board of Statutory Auditors (hereinafter also BSA) supervises the completeness, adequacy, functionality and reliability of the Internal Control System in its entirety and therefore also the model of governance and management of money laundering and terrorist financing risk, ascertaining the adequacy of all functions involved, as well as the correct fulfillment of tasks and adequate coordination thereof.

In the exercise of its attributions, this body avails itself of internal structures for carrying out necessary verifications and assessments and uses information flows coming from other corporate bodies, the anti-money laundering manager and other internal control functions.

In this context, the BSA:

• evaluates the suitability of existing procedures for customer due diligence, retention of information and reporting of suspicious transactions;
• communicates, without delay, to the Head of Suspicious Transaction Reporting (hereinafter also SOS Head) potentially suspicious transactions of which it has become aware in the exercise of its functions;
• informs without delay the sectoral Supervisory Authorities and the interested administrations and bodies, by reason of their respective attributions, of all facts or acts of which it becomes aware that may constitute serious or repeated or multiple violations of the provisions of law and the related implementing provisions on the matter;
• stimulates action to investigate the reasons for deficiencies, anomalies and irregularities found and promotes the adoption of appropriate corrective measures;
• expresses its opinion regarding decisions on the appointment of the Head of the Anti-Money Laundering Function and the definition of the elements of the overall architecture of the system for management and control of money laundering and terrorist financing risk.

8.4 The Internal Audit Function

The Internal Audit Function (hereinafter also IA) constitutes the safeguard of third-level control activities, aimed at evaluating the completeness, adequacy, functionality and reliability of Young’s internal control system, providing, based on the results of its checks, recommendations to Corporate Bodies.

Regarding the prevention and contrast of the use of the financial system for purposes of money laundering and terrorist financing, the IA continuously verifies the degree of adequacy of Young’s organizational arrangement and its compliance with the regulations in force pro tempore and supervises the functionality of the overall internal control system.

The IA, inter alia, through systematic checks, including inspections, verifies:

• constant compliance with the due diligence obligation, both in the relationship establishment phase and in the development of the relationship over time;
• the effective acquisition and orderly retention of data and documents as prescribed by the legislation;
• the effective degree of involvement of employees and collaborators as well as managers of central and peripheral structures, in the implementation of the obligation of “active collaboration”.

Interventions, both remote and inspections, are subject to planning to ensure that all operational structures are subjected to verification within a reasonable timeframe and that initiatives are more frequent towards structures most exposed to money laundering risks as well as with reference to “high” risk profile relationships.

Furthermore, the IA periodically verifies the adequacy and effectiveness of the Anti-Money Laundering Function.

The findings of the intervention activities by the IA are shared with the Anti-Money Laundering Manager.

The IA also carries out follow-up interventions to ensure the adoption of corrective measures for deficiencies and irregularities found and their suitability to avoid similar situations in the future.

The responsibility for the function has been attributed, through an outsourcing agreement, to the company Regulatory Consulting S.r.l..

8.5 The Anti-Money Laundering Function

Young has established the Anti-Money Laundering Function (hereinafter also AMLF) deputed to prevent and contrast the realization of money laundering operations. The function has been organized consistently with the principle of proportionality; in any case, the AMLF is independent and equipped with resources qualitatively and quantitatively adequate for the tasks to be performed, activatable also autonomously.

The AMLF reports directly to the BoD, the CEO and the BSA and has access to all Young’s activities as well as any information relevant to the performance of its tasks.

The AMLF informs corporate bodies directly in case of significant violations and deficiencies. Personnel performing tasks attributable to the AMLF are adequate in number, technical-professional skills and updating, including through continuous training programs.

The tasks of the Anti-Money Laundering Function have been outsourced by Young to the company Arkes S.r.l. (hereinafter also the “provider”), maintaining internally the responsibility for the correct management of money laundering risks. Arkes S.r.l. also provides continuous consultancy.

The Head of the Anti-Money Laundering Function (hereinafter also “H-AMLF”):

• monitors, through periodic checks, compliance with contractual obligations and the correct execution of the service by the provider;
• verifies that the service provided by the provider allows for the effective fulfillment of anti-money laundering obligations;
• reports regularly to corporate bodies regarding the performance of outsourced tasks so as to ensure that any necessary corrective measures are promptly adopted.

The outsourcing agreement between Young and the provider defines:

• respective rights and obligations; expected service levels, expressed in objective and measurable terms, as well as information necessary for verifying their compliance; any conflicts of interest and appropriate precautions to prevent or, if not possible, mitigate them; the duration of the agreement and renewal methods as well as mutual commitments connected with the interruption of the relationship;
• the minimum frequency of information flows towards the H-AMLF and corporate bodies and control functions, without prejudice to the obligation to respond promptly to any request for information and advice;
• confidentiality obligations regarding information acquired in the exercise of the function;
• the possibility of reviewing service conditions upon the occurrence of regulatory changes or changes in Young’s operations and organization;
• the possibility for Young, the Supervisory Authorities and the UIF to access useful information and the premises where the service provider operates for monitoring, supervision and control activity.

8.5.1. Tasks

The AMLF continuously verifies that corporate procedures are consistent with the objective of preventing and contrasting the violation of anti-money laundering rules. To this end, the function provides to:

• identify applicable rules and evaluate their impact on internal processes and procedures;
• collaborate in defining the internal control system and procedures aimed at preventing and contrasting money laundering risks;
• continuously verify the adequacy of the money laundering risk management process and the suitability of the internal control system and procedures and propose organizational and procedural changes aimed at ensuring adequate oversight of money laundering risks;
• conduct, in coordination with the SOS Head, checks on the functionality of the reporting process and the congruity of assessments made on customer operations;
• collaborate in defining policies for the governance of money laundering risk and the various phases in which the management process of such risk is articulated;
• conduct, in coordination with other interested corporate functions, the annual self-assessment exercise of money laundering risks to which Young is exposed;
• provide support and assistance to corporate bodies and senior management;
• preventively evaluate the money laundering risk connected with the offer of new products and services, significant modification of products or services already offered, entry into a new market or the start of new activities and recommends measures necessary to mitigate and manage these risks;
• verify the reliability of the information system for the fulfillment of obligations regarding customer due diligence, data retention and reporting of suspicious transactions;
• transmit monthly to the UIF the aggregate data concerning Young’s overall operations. At the moment Young does not fall among the subjects obliged to send aggregate data to the UIF;
• define, in agreement with the head of suspicious transaction reporting, procedures for managing internal reports (coming from the so-called first level) concerning particularly high-risk situations to be treated with due urgency;
• oversee, in coordination with other corporate functions competent in training matters, the preparation of an adequate training plan, aimed at achieving continuous updating of personnel, and indicators of the effectiveness of the training activity carried out;
• promptly inform corporate bodies of significant violations or deficiencies found in the exercise of relative tasks;
• periodically inform corporate bodies about the progress of corrective actions adopted in the face of deficiencies found in control activity and about any inadequacy of human and technical resources assigned to the anti-money laundering function and the need to strengthen them;
• prepare information flows directed to corporate bodies and senior management;
• provide the Chief Executive Officer with a prior opinion in cases where, by law, his authorization is required for the start or continuation of the continuous relationship.

Young has attributed the responsibility for carrying out enhanced due diligence to the H-AMLF.

The AMLF drafts and transmits the anti-money laundering manual to the BoD, the CEO and the BSA. The document – constantly updated – is available and easily accessible to all personnel.

The AMLF pays particular attention: to the adequacy of internal systems and procedures regarding customer due diligence and retention obligations as well as systems for identifying, evaluating and reporting suspicious transactions; to the effective detection of other situations subject to communication obligation as well as the appropriate retention of documentation and evidence required by legislation.

The AMLF may carry out, in coordination with the internal audit function, sample checks to verify the effectiveness and functionality of internal systems and procedures and identify any critical areas.

At least once a year, the AMLF presents to the BoD, the CEO and the BSA a report on the initiatives adopted, dysfunctions ascertained and related corrective actions to be undertaken as well as on personnel training activity. The report also includes the results of the self-assessment exercise conducted pursuant to Part Seven of the Provisions on Organization, procedures and internal controls of the Bank of Italy.

The AMLF collaborates with the Authorities referred to in Title I, Chapter II of the anti-money laundering decree.

8.5.2. The Head of the Function

The H-AMLF, appointed by the BoD, is Dr. Saajan Sharma Nepal: he falls within the category of heads of corporate control functions and was selected following verification of possession of adequate independence, competence, professional and reputational requirements. He has the necessary time for the effective fulfillment of his tasks.

The selection procedure of the H-AMLF is based on the analysis of objective criteria such as professional knowledge and experience gained by the candidate in internal controls, with specific reference to those in the anti-money laundering field, as well as the sensitivity gained in identifying risks of involvement in money laundering phenomena and adequate mitigation safeguards.

The requirements considered for the appointment of the H-AMLF are detailed below:

• Independence: a person who is in any situation of connection with an exponent of Young’s corporate bodies cannot be appointed H-AMLF;
• Competence and Professionalism: a person who demonstrates having theoretical knowledge in the anti-money laundering field acquired through studies and training and having gained practical experience, achieved in carrying out previous work activities, can be appointed H-AMLF;
• Reputational Requirements: a person who is in a state of legal interdiction, who has been sentenced by a final judgment to imprisonment or confinement, who is subjected to prevention measures, who at the time of assuming the office is in a state of temporary interdiction from offices or interdiction from carrying out administration, management and control functions cannot be appointed H-AMLF.

The H-AMLF reports directly to corporate bodies, without restrictions or intermediations.

The H-AMLF is placed in an adequate hierarchical-functional position and has no direct responsibilities for operational areas nor is hierarchically dependent on subjects responsible for these areas.

Personnel called to collaborate with the AMLF report directly to the H-AMLF for matters pertaining to relative tasks.

8.5.3. The Head of Suspicious Transaction Reporting

The Head of Suspicious Transaction Reporting (hereinafter SOS Head), appointed by BoD resolution, is Dr. Saajan Sharma Nepal.

The SOS Head possesses adequate requirements of independence, authority and professionalism and carries out his activity with autonomy of judgment and in compliance with confidentiality obligations envisaged by the anti-money laundering decree, also towards exponents and other corporate functions.

The role of the SOS Head is adequately formalized and made known within the structure.

The appointment and revocation of the same manager are promptly communicated to the UIF in the manner indicated by the same.

It is the responsibility of the SOS Head to:

• Evaluate promptly, in light of all available elements, suspicious transactions communicated by personnel;
• Evaluate promptly, in light of all available elements, suspicious transactions of which he has otherwise become aware within the scope of his activity;
• Transmit to the UIF reports deemed well-founded, omitting the indication of the names of subjects involved in the transaction reporting procedure;
• Maintain evidence of assessments made within the procedure, even in case of failure to send the report to the UIF.

The SOS Head:

• Acquires internally every useful piece of information;
• Has free access to information flows directed to corporate bodies and structures significant for the prevention and contrast of money laundering (e.g., requests received from judicial authority or investigative bodies);
• Uses in assessments also any elements deducible from freely accessible information sources.

The SOS Head is required to know and apply with rigor and effectiveness instructions, schemes and indicators issued by the UIF; performs a role of interlocution with the UIF and responds promptly to any requests for further information coming from the same.

The SOS Head communicates, with organizational methods suitable to ensure compliance with confidentiality obligations envisaged by the anti-money laundering decree, the outcome of his assessment to the first-level responsible subject who originated the report.

In compliance with confidentiality obligations envisaged by the anti-money laundering decree on the identity of subjects taking part in the transaction reporting procedure, the SOS Head updates the risk profile of reported customers.

8.6 OAM: VASP Transmission Contact Person

The transmission contact person is responsible for managing quarterly transmissions intended for the OAM.

The following are the functions that a contact person fulfills:

• signs the quarterly transmission file;
• verifies through the diagnostic on the VASP Transmission Portal, the correspondence of the file to OAM specifications;
• uploads the transmission file to the VASP Transmission Portal in order to respond to the regulation;
• views from the VASP Transmission Portal, the outcome of the transmission processing, also downloading the outcome file with details of errors and/or remarks;
• requests the rectification of a quarterly transmission already sent and associated with a quarter.

For sending quarterly transmissions, Young has appointed Dr. Saajan Sharma Nepal as Contact Person.

8.7 Coordination with other Corporate Control Functions

The Anti-Money Laundering Function falls within the overall framework of the internal control system. The interaction between this and other Control Functions is therefore inserted into the more general coordination between all structures with control tasks in order to ensure the correct functioning of the internal control system based on profitable interaction, avoiding overlaps or control deficiencies.

The contribution to value creation by the Anti-Money Laundering Function is therefore greater the stronger the synergies realized with other actors of the internal control system. Collaboration between such functions allows the Anti-Money Laundering Function to develop its risk management methodologies consistently with corporate strategies and operations, designing processes compliant with legislation and providing consultancy activities.

In evaluating the adequacy of internal systems and procedures, the Anti-Money Laundering Function may carry out, in coordination with the IA, on-site checks on a sample basis to verify their effectiveness and functionality and identify any critical areas.

8.8 Anti-Money Laundering Measures and Guidelines

Young is committed continuously to spreading the culture aimed at preventing and mitigating money laundering and terrorist financing.

Young’s Anti-Money Laundering Function ensures the correct coordination of safeguards regarding the prevention and contrast of money laundering and terrorist financing, in compliance with the regulatory dictates in force pro-tempore.

The action of prevention and contrast of money laundering and terrorist financing put in place in Young is based on the following measures:

• Customer Due Diligence;
• Attribution to the customer of the money laundering risk profile;
• Registration of relationships and transactions and retention of related supporting documents;
• Adoption of organizational procedures and internal control safeguards;
• Monitoring and reporting of suspicious transactions;
• Personnel training.

8.9 Customer Due Diligence Measures

Due diligence represents the key activity of anti-money laundering legislation which translates into one of the major fulfillments placed on obliged entities, both for the safeguard activities that must be established for its execution and for the activities that, depending on its outcomes, obliged entities are then obliged to carry out.

Customer due diligence consists of a process composed of a succession of multiple activities. Of these, some are carried out in the phase of entering into a relationship with customers (such as identification, verification of identity and truthfulness of documents exhibited by the customer), whilst others are intended to receive continuous application throughout the duration of the relationship (in particular, monitoring of transactions performed and assessment regarding the congruity of the customer’s economic-institutional profile).

Customer due diligence aims to obtain in-depth knowledge of the customer’s economic, and possibly financial, profile so as to subsequently analyze and evaluate whether requested transactions are consistent with the identified profile. These measures are proportionate in relation to the level of money laundering and terrorist financing risk identified in the census phase and continuously.

Consistent with the Risk Based Approach (hereinafter also RBA), in Young customer due diligence activity is graduated by calibrating it based on the money laundering risk associated with the individual customer, business relationship, product or transaction in question and therefore applying measures on three levels: ordinary, enhanced and simplified fulfillments in the presence of a higher or lower risk.

The ordinary due diligence adopted in Young has been designed and includes the information necessary and sufficient to cover the risks identified during the Risk Self-Assessment.

8.9.1. Subdivision of clientele

Young has decided to classify its customers differently depending on the phase reached in the onboarding process:

The onboarding due diligence process (acceptance of a new customer) in Young is articulated in three steps:

1. Registration on the platform;
2. Customer Identification and Verification (KYC);
3. Execution of the first financial transaction.

“Registered” Subjects

Subjects classified in this category have completed registration on the platform but have not yet completed the identification and verification process (KYC): for this reason, Young has decided not to consider them “customers” as the data provided by the subject are not only insufficient for any check, but are not even reliable as provided by the customer without any possibility of verification.

“Prospect” Subjects

Subjects classified in this category are registered on the platform and have passed the KYC identification and verification phase. They have therefore been identified and sufficient information has been collected to comply with due diligence obligations. However, subjects classified in this category are not operational, for this reason Young has decided not to consider them as Customers.

“Customer” Subjects

Subjects classified in this category have passed the KYC phase and have executed at least one financial transaction with Young.

Young has decided to consider as Customers only subjects belonging to this category, i.e., those subjects who have completed the due diligence process and have executed at least one financial transaction with Young.

8.9.2. Customer Acceptance Policy

Young’s clientele is acquired electronically.

Young does not exclude a priori any category of customers but instead excludes potential customers resident in high-risk third countries.

Customers excluded by country:

Customers resident in high-risk third countries, i.e., countries not belonging to the European Union whose legal systems present strategic deficiencies in their respective national regimes for preventing money laundering and terrorist financing, as identified by the European Commission in the exercise of powers under Articles 9 and 64 of the directive, with respect to which countries the H-AMLF has evaluated the need to exclude a priori every potential customer.

Excluded countries are those included in the list of high-risk third countries as defined from time to time by the European Commission and other countries defined by Young, which the H-AMLF has included in the list of countries excluded in acceptance.

The H-AMLF guarantees the update, from time to time, of countries excluded in acceptance by requesting the adjustment of tables contained in IT systems.

8.9.3. Policy for admission of “ransomware” victim customers

Ransomware is malicious computer software (“malware”) that can “infect” a digital device (PC, tablet, smartphone, smart TV), blocking access to all or some of its contents (photos, videos, files, etc.) and then demanding a ransom to be paid to “release” them.

The payment request, with related instructions, usually appears in a window that opens automatically on the screen of the infected device. The user is threateningly informed that they have a few hours or a few days to make the ransom payment, otherwise the blocking of contents will become permanent.

A ransomware victim could turn to Young to be able to convert a certain amount of fiat currency into virtual currency, in order to pay such ransom, often collected through this type of transfer.

With reference to ransomware victims asking to open a Young account with a high amount limit in order to pay the ransom, Young has decided not to provide its services, as it could incur legal proceedings for having facilitated the payment of the requested ransom.

8.9.4. Cash operations

Young never operates directly in cash; however, through authorized partner points of sale, customers can purchase gift cards also in cash. Reference is made for details to the Due Diligence Procedure.

8.9.5. Specific measures for remote operations

Remote operations

Remote operations mean those carried out without the physical presence of the customer with Young personnel or other personnel appointed by Young, at Young’s premises or elsewhere, (e.g., through telephone or computer communication systems); when the customer is a subject other than a natural person, it is considered present when its executor is.

Young always operates remotely, both in establishing the continuous relationship and for occasional transactions (e.g., purchase of virtual currency against legal tender currency, with simultaneous transfer to a wallet – digital portfolio – not under Young’s control).

Considering remote operations, especially with new customers, identification must be performed in such ways as to lead to certain certainty of identity itself.

Considering new technologies and their continuous evolution, the BoD delegates to the Anti-Money Laundering Function and the Control Committee to define remote identification methods and to report results and any subsequent changes to the BoD.

As required by the Bank of Italy Due Diligence Provision, Young identifies in this anti-money laundering policy document the mechanisms it uses to verify data acquired during remote identification and illustrates the assessments conducted by the anti-money laundering function on risk profiles characterizing remote identification tools and related security safeguards.

Remote Identification

The potential customer’s online video identification procedure takes place through Onfido software.

The customer manually enters identity document details in the appropriate masks provided by the Onfido platform, and proceeds to upload a selfie and an image of the identity document whose details they have input.

To ensure user authenticity and prevent fraudulent activities, Onfido implements a sophisticated “liveness” check. This system analyzes the acquired selfie to verify the user’s physical presence and vitality at the time of image capture. The tool is specifically designed to detect and mitigate spoofing attempts, including use of reproductions from digital screens, two-dimensional (2D) and three-dimensional (3D) masks, as well as manipulations through digital alterations or fraudulent image uploads, ensuring that the presented face is genuine and not a static reproduction or artificial alteration.

Subsequently, the system conducts a series of advanced biometric checks:

• Biometric Comparison: A comparison is performed between the face represented in the selfie and the identification photograph reported in the identity document. This check aims to verify consistency between the two images, confirming they belong to the same person.
• Facial Recognition: A biometric search is performed on the customer’s face to ascertain that they have not already registered previously on the platform using different or multiple identities.

Following checks, in doubtful cases Onfido returns three different potential block types: two, named Consider and Suspect, which the first-level control officer proceeds to verify manually accepting on Young’s online platform potential customers for whom the reported anomaly is groundless, and the third named Rejected, i.e., formal anomalies of such severity that Onfido automatically proceeds to refuse registration.

Finally, an automatic check is performed on the originality of the uploaded identity document, that the document is not expired and image quality, as well as consistency of data acquired from the document with those manually entered in the mask by the user.

All potential operational blocks produced by Onfido checks flow into the Housekeeping platform, developed internally by Young and dedicated to collecting alerts generated by various anti-money laundering systems.

Verification of Onfido rejections

Should potential customer onboarding checks produce an Onfido outcome other than clear, intervention by a Function officer is requested.

Onfido returns three different potential causes of block to the Housekeeping platform:

• Consider: generic anomaly which the AMLF officer proceeds to verify manually accepting on Young’s online platform potential customers for whom the anomaly is resolved and rejecting from the platform cases with real and unsolvable anomalies, asking the potential customer, via email notice, to perform the video identification procedure again;
• Suspect: anomaly linked to image quality uploaded which the AMLF officer evaluates case by case, accepting on Young’s online platform potential customers for whom the anomaly is resolved and rejecting from the platform cases with real and unsolvable anomalies, asking the potential customer, via email notice, to perform the video identification procedure again.
• Rejected: serious anomaly linked to image quality uploaded, for which the AMLF officer does not accept the potential customer in Young’s online platform, asking them, via email notice, to perform the video identification procedure again.

In doubtful cases, the operator proceeds with denial in the following cases:

• it is not possible to read information reported on the identity document;
• the document is excessively worn;
• the document is seriously damaged;
• the photo was not taken correctly;
• the photo is too blurry;
• there are signs or markings making reading impossible;
• the image does not represent the document, but another image representing the document;
• the image does not represent the subject, but another image representing the subject;
• other indications leading to believe the image is a fake.

8.9.6. Specific risk factors inherent to country or geographical area

In Young, risk factors linked to the country or geographical area connected to operations implemented by customers are analyzed with particular importance.

In particular, careful analysis is given to transactions where funds are received from or sent to third countries associated with terrorist activities or funds used in the continuous relationship were produced in a third country.

For Young, high-risk countries have a dual value:

• Customers resident in high-risk third countries
• Relationships, transactions involving (both inbound and outbound) high-risk third countries

In the Customer Acceptance Policy, customers resident in high-risk third countries as identified by the European Commission have already been excluded.

Young operates mainly with customers resident in the EEA Area, with a reduced number of customers resident in third countries.

The BoD recommends operating with caution and maximum security with third countries.

8.9.7. Ordinary due diligence obligations

Legislation provides that due diligence obligations must be fulfilled in the following cases:

• when establishing a continuous relationship;
• when an occasional transaction arranged by the customer involving the transmission or movement of means of payment of an amount equal to or greater than 15,000 euros is executed, regardless of whether it is carried out with a single transaction or with several fractionated transactions;
• when there is suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or applicable threshold;
• when doubts arise about the completeness, reliability or truthfulness of information or documentation previously acquired (e.g., in case of non-delivery of correspondence to the communicated address or inconsistencies between documents presented by the customer or otherwise acquired by Young).
• whenever it becomes appropriate considering the raising of the level of money laundering or terrorist financing risk associated with an already acquired customer.

In this context, provision must be made for:

• identification of the customer and any executor;
• identification of any beneficial owner;
• verification of the identity of the customer, any executor and any beneficial owner based on documents, data or information obtained from a reliable and independent source;
• with particular regard to the figure of the executor, acquire detailed information relating to the granting of the proxy with power of representation by virtue of which they operate in the name and on behalf of the customer and the relationship existing with the same;
• acquisition and evaluation of information on the purpose and nature of the continuous relationship as well as, in the presence of a high risk of money laundering and terrorist financing, of the occasional transaction;
• carry out continuous monitoring on the customer’s overall operations during the relationship in order to identify profiles of inconsistency with previously acquired information;
• Update data and information collected in relation to the application of due diligence measures.

The BoD delegates the anti-money laundering function to define more detailedly and, if necessary, with limits lower than those provided for by legislation, the methods of due diligence also as a function of amounts moved.

Regarding implementation methods of ordinary due diligence measures, reference is made to the Procedure for Customer Due Diligence.

8.9.8. Enhanced due diligence obligations

Enhanced due diligence measures consist of acquiring greater information on the customer and beneficial owner; in a more accurate assessment of the nature and purpose of the relationship; in intensifying the frequency of checks and in greater depth of analyses carried out within the activity of constant control of the continuous relationship.

Enhanced due diligence measures must be applied to continuous relationships, customers and transactions presenting a higher risk of money laundering or terrorist financing, identified both by specific sector rules and by each obliged entity’s own assessment.

Pursuant to current legislation, it has been arranged that enhanced due diligence must always be applied anyway, in the cases reported below:

• Subjects with high risk profile;
• relationships and occasional transactions involving high-risk third countries in cases of Customers and/or related beneficial owners resident in high-risk Third Countries identified by the European Commission;
• continuous relationships or occasional transactions with customers and related beneficial owners holding the qualification of politically exposed persons.

Furthermore, in order to effectively oversee and mitigate money laundering and terrorist financing risk, the following cases/types of clientele have also been evaluated as high-risk categories to which enhanced verification measures should be applied:

• Customers and/or beneficial owners and/or executors affected by negative reputational elements and/or negative press news (anyway connected and/or related to financial crime phenomena or terrorist financing) such as the existence of relevant criminal proceedings on the matter (by way of non-exhaustive example: mafia-type association, criminal conspiracy, corruption, fraud, crimes against public administration, proceedings for tax damage, proceedings for administrative liability 231/01, sanctions for serious violations of anti-money laundering provisions);
• Customers subject to detailed and circumstantial seizure or confiscation requests or measures by Judicial and Control Authority such as Judiciary, Guardia di Finanza, UIF, anyway connected and/or related to phenomena relating to financial crime or terrorist financing;
• Previous suspicious transaction report to the UIF;
• customers to whom the “HIGH” risk class has been assigned, automatically or manually.
• Trusts;
• Fiduciary Companies or relationships opened on behalf of fiduciaries;
• Subjects controlled directly or indirectly by Fiduciaries/Trusts also in case of issuance of bearer shares;
• Subjects other than natural persons controlled, directly or indirectly, by Companies having registered office in a tax haven or in a Third State or territory considered high risk referred to in lists issued and updated from time to time;
• Subjects operating in certain high-risk sectors:

• Sectors considered high risk are the following:
• Production and trade of weapons
• Trade of animals or derived material, such as ivory, furs and skins
• Gold buying, money transfer, physical and online gambling operators, ferrous metals trade, renewable energies, cleaning activities. Earthmoving, political parties and subjects connected to them;
• Subjects controlled, directly or indirectly, by Companies having registered office in a tax haven or in a Third State or territory considered high risk referred to in lists issued and updated from time to time;
• Customers operating mainly in economic activities attributable to sectors particularly exposed to corruption risk such as: subjects operating in public procurement, waste disposal, healthcare.

Finally, for prevention against tax fraud risks linked to so-called “paper companies” (shell companies), Young does not accept among its clientele Simplified Limited Liability Companies that have not yet filed the first financial statements unless with written approval of the Chief Executive Officer.

Although not automatically falling into high-risk categories, enhanced verification measures must be applied to the following cases/types of clientele or transactions:

• Discrepancy between conclusions reached by appointed personnel and declarations of the customer or executor regarding identification of the beneficial owner.
• Young must examine the context and purposes of transactions characterized by unusually high amounts or regarding which doubts exist about the purpose to which they are, concretely, preordained and, in any case, strengthen the degree and nature of checks suitable to determine if transactions are suspicious.
• The BoD delegates to the Anti-Money Laundering Function and Young Operation to define amount limits, initially theoretical, but which subsequently must be periodically assisted by statistical surveys.

Regarding detailed fulfillments in implementation of enhanced due diligence measures, reference is made to the Procedure for Customer Due Diligence.

8.9.9. Simplified due diligence measures

In the presence of a low risk of money laundering or terrorist financing, simplified due diligence measures can be applied in terms of extent and frequency of fulfillments.

The rule establishes as low-risk factors the customer’s belonging to one of the following categories:

• companies admitted to listing on a regulated market and subject to disclosure obligations including those of ensuring adequate transparency of beneficial ownership;
• public administrations or institutions or bodies performing public functions, in accordance with European Union law;
• banking and financial intermediaries listed in Article 3, paragraph 2, of the anti-money laundering decree – excluding those under letters i), o), s), v) – and community banking and financial intermediaries or those based in a third country with an effective regime for combating money laundering and terrorist financing.

Provision is made for the Anti-Money Laundering Function to verify the existence, moreover, of a money laundering and terrorist financing risk profile.

Simplified due diligence does not represent an exemption from applying due diligence measures but only the possibility to adapt/graduate them to make them commensurate with the low risk identified in relation to:

• type of clientele;
• products, services, transactions, distribution channels;
• geographical areas.

The application of simplified customer due diligence measures must be strictly excluded when there is suspicion of money laundering or terrorist financing (or in the presence of high-risk factors).

Young has decided never to avail itself of simplified due diligence.

8.10. Risk-based approach for risk profile attribution

Customer due diligence measures are proportionate and commensurate with the actual degree of money laundering and terrorist financing risk.

To this end, in Young procedures and safeguards are defined and adopted allowing assignment to each customer of a score representative of the level of money laundering and terrorist financing risk based on collected information and operations carried out, as well as establishing the level of depth, extent and update frequency of due diligence obligations according to four risk bands.

It is the task of personnel to verify that the risk class proposed automatically by IT systems is consistent with their knowledge of the customer, applying, if appropriate, higher risk classes.

Lowering the risk level or checks by authorized personnel must be limited to exceptional cases and detailedly motivated in writing.

In identifying risk factors inherent to a customer, the Anti-Money Laundering Function must also take into account the beneficial owner and, where relevant, the executor.

The scope of activity and characteristics of the customer, beneficial owner and, where relevant, executor, as well as the country or geographical area in which they have their headquarters or residence or domicile or from which funds originate must be evaluated.

Also relevant are the location of activity carried out and countries with which the customer or beneficial owner and, where relevant, executor have significant connections.

The importance of risk factors linked to country or geographical area varies in relation to the type of continuous relationship or transaction.

The Anti-Money Laundering Function also takes into account behavior held by the customer or executor at the time of opening continuous relationships or carrying out transactions.

In the case of a customer other than a natural person, consideration must be given to purposes of its constitution, aims pursued, ways in which it operates to achieve them, as well as legal form adopted, especially if it presents particular elements of complexity or opacity.

It must be strictly verified whether the customer and beneficial owner are included in “lists” of persons and entities associated with terrorist financing activities adopted by the European Commission.

The Anti-Money Laundering Function must also avail itself, as aid tools, of anomaly indicators and Communications on preventing terrorist financing published by the UIF.

Regarding the relationship or transaction, consideration must be given to the structure of the product or service requested, in terms of transparency and complexity, and channels through which it is distributed.

In evaluating risk associated with complexity of product, service or transaction, account must be taken of any involvement of a plurality of parties or countries.

The Anti-Money Laundering Function pays particular attention to any new or innovative products or services, particularly in the case where, for the offer of these products or services, use is made of new technologies or new payment methods.

Consideration must also be given to whether the product, service or transaction are normally associated with use of cash and if they allow high amount transactions.

Reasonableness of the continuous relationship or transaction must also be evaluated in relation to activity carried out and overall economic profile of the customer and beneficial owner, taking into account all available information (e.g., income and asset capacity) and nature and purpose of relationship.

In this context, comparative assessments can be made with operations of subjects with similar professional or dimensional characteristics, economic sector, geographical area.

The Anti-Money Laundering Function must draw information for identifying customer risk profile from every useful source and document, “National Risk Analysis”; reports published by investigative and judicial authorities; documents coming from supervisory authorities (such as communications and sanctioning measures) and from the UIF, such as, for example, indicators, anomaly schemes and money laundering case studies.

The Anti-Money Laundering Function may, moreover, take into consideration information coming from statistical institutes and authoritative journalistic sources.

In case of relationships or transactions involving a third country, overall robustness of anti-money laundering safeguards in place in that country must be evaluated.

Update of customer risk profile must be performed automatically on a monthly basis.

In presence of circumstances justifying attribution of a higher risk profile, it is necessary to modulate extent of due diligence to higher risk class assigned, if necessary, updating information and documentation collected.

For updating data and information acquired, use must be made of available automatic procedures for signaling expiration of documents, certifications, powers of representation, mandate relationships, as well as signaling acquisition of specific qualities (e.g., that of PEP).

Regarding customer profiling methods as well as frequency of due diligence update, reference is made to the Procedure for Customer Due Diligence.

8.11. Obligations of abstention and termination of continuous relationships

Should it be impossible to comply with customer due diligence obligations, personnel are required to abstain, if possible, from establishing the continuous relationship/executing the transaction.

Pursuant to provisions on the matter, it is also specified that personnel are required to abstain from establishing continuous relationships, executing transactions and terminate continuous relationships of which trusts, fiduciary companies, anonymous companies or those controlled through bearer shares having headquarters in high-risk third countries are party, directly or indirectly.

The aforementioned measures apply, moreover, towards subjects other than natural persons, if access is not given to information inherent to the beneficial owner and therefore it is not possible to verify identity and fulfill due diligence obligations.

In cases recalled above, personnel evaluate whether or not to make a suspicious transaction report.

Young must not start new relationships nor execute occasional transactions with counterparties, not already customers, belonging to customer categories listed in paragraph “Customer Acceptance Policy”.

With regard to any existing relationships with customers belonging to such categories, it is necessary to apply specific enhanced due diligence and continuous monitoring measures thus after obtaining authorization from a senior manager.

8.12. Constant control during the relationship

In accordance with the Anti-Money Laundering Decree, personnel are required to carry out constant control of customer operations “…through examination of the customer’s overall operations, verification and update of data and information acquired, also regarding, if necessary as a function of risk, verification of provenance of funds and resources available to the customer, based on information acquired or possessed by reason of exercise of activity”.

This safeguard is explained through update of data inherent to customer due diligence according to a risk-based approach, i.e., modulating intensity and frequency of control as a function of customer risk profile.

Maximum timeframes for updating customer due diligence and related forms are defined by the Anti-Money Laundering Function in the Procedure for Customer Due Diligence.

Regarding monitoring of customer’s overall operations, in Young use is made of IT and telematic tools which, based on specific known anomaly indicators, determine detection of transactions presenting elements of inconsistency such as to configure transaction as anomalous, which appointed personnel must evaluate.

In case of negative evaluation, personnel must start reporting process according to methodology indicated in Procedure regarding suspicious transaction reporting described in Anti-Money Laundering Manual.

The Anti-Money Laundering Function must define a common catalog of anomaly indicators, ascertainable also through extra-procedural checks on specific IT applications, further to those currently used in dedicated procedures, also in line with Measures and communications issued by UIF from time to time, and establish first and second level safeguards aimed at guaranteeing that detected transactions are subject of appropriate and timely investigations and analyses.

8.13. Suspicious Transaction Reporting

Reference legislation envisages obligation on personnel regarding sending a suspicious transaction report whenever reasonable grounds arise to suspect that money laundering or terrorist financing transactions are in progress or have been carried out or attempted or that anyway funds come from criminal activity. In particular, suspicion is inferred “…from characteristics, entity, nature of transactions, their connection or fractionation or from any other circumstance known, by reason of functions exercised, taking into account also economic capacity and activity carried out by subject to whom it refers”.

In this regard, Anti-Money Laundering Function must regulate, through specific manual (Procedure for Reporting Suspicious Transactions), phases of suspicious transaction reporting process in order to guarantee that all Young personnel adopt common approach within evaluation of potential elements of anomaly and suspicion.

Defined procedure must ensure:

• Timeliness by personnel in communicating potentially suspicious activities to SOS Head;
• Transmission of report, without delay, to Authorities appointed for this (UIF) should SOS Head deem communications received well-founded in light of set of elements and evidence deducible from data and information kept;
• Active collaboration with Supervisory Authorities through punctual response to any requests for information and/or investigations regarding transactions and reported subjects.

Firstly, identification of suspicious transactions occurs based on careful and punctual analysis of characteristics, entity, nature of transactions, connection or fractionation or any other circumstance known by reason of functions exercised, taking into account also economic capacity and activity carried out by subject to whom it refers, based on elements acquired within customer due diligence activities and continuous update.

Supplementing regulatory provisions, Anti-Money Laundering Function recalls for purposes of analysis of anomalous and potentially suspicious transactions anomaly indicators established in “Measure setting out anomaly indicators” issued by Financial Intelligence Unit for Italy on 15/05/2023 as well as models and schemes of anomalous behaviors issued by UIF. Mentioned Measure outlines anomaly indicators as attributable to following types:

• Anomaly indicators connected to customer;
• Anomaly indicators connected to transactions or relationships;
• Anomaly indicators connected to means and methods of payment;
• Anomaly indicators connected to transactions in financial instruments and insurance contracts;
• Anomaly indicators relating to terrorist financing.

Based on sector legislation, Anti-Money Laundering Function must define following principles underlying reporting obligation:

• In presence of elements of suspicion, personnel, if possible, abstain from performing transaction until moment they have perfected report to UIF;
• Personnel are required to report transactions regardless of relative amount;
• Personnel report refused, not concluded, attempted suspicious transactions, including transactions whose countervalue is settled in whole or in part at other intermediaries;
• Analysis of operations by own clientele is performed by personnel, considering entire duration of relationship, including any activities subsequent or coincident with expiration/termination of relationships.

Anti-Money Laundering Function conducts, in coordination with SOS Head, checks on functionality of reporting process and congruity of evaluations performed by first level on customer operations.

Should outcome of analysis performed confirm presence of elements of suspicion, SOS Head proceeds to official sending of suspicious transaction report to UIF, reporting regarding data, information, description of transactions and reasons for suspicion.

Without prejudice to above, regarding management process of suspicious transactions and detail of anomaly indicators reference is made to procedure on matter issued and operational manuals of Anti-Money Laundering applications in use.

8.13.1. Obligations for protection of reporter

In compliance with provisions on matter, suspicious transaction reports must be devoid of name of reporting subject in order to ensure confidentiality regarding identity of persons making such communication. SOS Head must oversee custody of documents and evidence relating to transactions subject to analysis in which personal details of reporting subject are indicated and avoid transmission of such information to third parties outside cases envisaged by legislation.

Reporter’s name can be provided only upon request of Judicial Authority, with motivated decree, when deemed fundamental for purposes of ascertaining crimes for which proceeding was started.

8.13.2. Prohibition of communications inherent to suspicious transaction reports

Pursuant to legislation, it is absolutely forbidden for subjects required to report or anyone aware of suspicious transactions to provide information to interested customer or third parties regarding report made to UIF.

Anti-Money Laundering Function must adopt all measures necessary to guarantee confidentiality of identity of subjects taking part in transaction reporting process.

Said criteria apply, towards clientele, also regarding common refusal to perform a transaction or, for example, request for supplementary information on transaction (as in case where transaction involves one or more obliged entities), avoiding providing any indication regarding resource, structure from which prohibition or request originates, unless express authorization of latter.

Within Young, Article 39, paragraph 5, of Legislative Decree n. 231/07 must find full application, which does not prevent, in cases relating to same customer or same transaction involving two or more banking and/or financial intermediaries and not, sharing, for purposes of prevention of money laundering or terrorist financing, of information inherent to names subject of report to UIF, without prejudice to full respect of what established by Articles 42, 43 and 44 of Code regarding personal data protection.

8.13.3. Data retention obligation

In compliance with provisions on matter, in Young one is required to fulfill obligations of recording and retention of documents, data and information useful for preventing proliferation of illicit and criminal activities and to allow carrying out of potential analyses by Sector Supervisory Authorities.

In this regard, Anti-Money Laundering Function must establish that data acquired during customer due diligence and original of writings and recordings of transactions put in place by customer be retained for a period of at least 10 years from date of termination of continuous relationship or execution of occasional transaction. Anti-Money Laundering Function therefore commits to guaranteeing through retention of documents, cited above, evidence of following data:

• Date of establishment of continuous relationship;
• Identification data of customer, beneficial owner, executor and information relating to purpose and nature of continuous relationship;
• Date, amount and causal of transaction;
• Means of payment used.

Anti-Money Laundering Function verifies reliability of information system for correct fulfillment of retention and recording obligations, defining uniform requirements.

Regarding data retention methods, Anti-Money Laundering Function commits to verify complete and timely accessibility to data in face of inspections or requests by Authorities as well as acquisition at least of totality of data required by Anti-Money Laundering Decree within thirty days from establishment, variation or closure of continuous relationship or execution of transaction.

Following issuance of Provisions on Retention, Young has decided to make information available to Bank of Italy and UIF through specific extractions from computerized retention systems performed in conformity with technical standards indicated in annex n. 1 of said Provisions.

Young has decided, in conformity with Article 8 of aforementioned provisions, not to apply dictates of making available data and information envisaged in Articles 5 and 6 for following subjects:

• banking and financial intermediaries referred to in Article 3, paragraph 2, of anti-money laundering decree, excluding those referred to in letters i), o), s) and v), having headquarters in Italy or in another Member State;
• banking and financial intermediaries headquartered in a third country characterized by low risk of money laundering and terrorist financing, according to criteria indicated in annex 1 to provisions on customer due diligence;
• subjects referred to in Article 3, paragraph 8, of anti-money laundering decree;
• State provincial treasury or Bank of Italy.

The Procedure for Retention must transpose provisions on recording and retention of data reported in this paragraph and activate adequate control safeguards.

8.14. Aggregate Anti-Money Laundering Reports (SARA) and objective communications

Young is not subject to obligation of sending to UIF Aggregate Anti-Money Laundering Reports (SARA) and objective communications.

8.15. OAM – VASP quarterly transmissions

Young transmits to Body data relating to overall operations per individual customer obtained taking into consideration all services provided as service provider relating to use of virtual currency and digital wallet services.

For each customer, represented, in digital format, are identification data of customer and those of their operations, in aggregate form, carried out in quarter of interest.

Communications relating to a specific quarter can be transmitted starting from first day of month following reference quarter and must reach OAM by 15th of month following reference quarter.

8.16. Internal reporting system of violations

Reference legislation prescribes equipping oneself with procedures for reporting internally violations of provisions dictated as function of prevention of money laundering and terrorist financing (so-called whistleblowing).

In compliance with legal provisions, Anti-Money Laundering Function adopts specific procedures to facilitate reporting internally, by employees and collaborators, potential or actual violations of provisions regarding anti-money laundering and contrast to terrorist financing, ensuring:

• protection of confidentiality of identity of reporter and alleged person responsible for violations, without prejudice to rules governing investigations and proceedings started by judicial authority in relation to facts subject of reports;
• protection of subject making report against retaliatory, discriminatory or anyway unfair conduct consequent to report;
• provision of specific reporting channel, anonymous and independent, proportionate to nature and size of obliged entity.

Measures for contrast to terrorist financing

Within internal control system defined by Anti-Money Laundering Function safeguards aimed at preventing use of financial system for purposes of terrorist financing must fall in compliance with resolutions issued by United Nations Security Council pursuant to Chapter VII of UN Charter. Objective of regulatory provisions lies in freezing funds and economic resources held directly or through intermediaries by subjects, groups and/or entities subject to restrictive measures in compliance with criteria and procedures defined by resolutions of United Nations Security Council or by Committee designated for this purpose.

National reference regulatory framework is represented by Decree 109/2007 and Anti-Money Laundering Decree, which confirms validity of previous provisions.

In order to identify any natural, legal person or entity subject to restrictive sanctions, in Young internal procedures must be defined aimed at verifying belonging of clientele, whether occasional and/or already acquired, to anti-terrorism lists through IT outsourcer Nordest Technology, such as:

• UN or Al-Qaeda List relating to subjects involved in international terrorism acts and subject to restrictive sanctions upon indication of Security Council;
• Consolidated List of subjects, groups and/or entities subject to funds freezing measures in European Union territory;
• OFAC List, which censuses subjects reported by US Authorities by reason of their involvement in activities aimed at undermining security and peace both with reference to United States and foreign countries.

Should from aforementioned check emerge that subjects and/or entities result censused in anti-terrorism lists, Young must commit to:

• Freeze sums of natural and legal persons included in aforementioned lists possibly identified. Such sums cannot therefore constitute object of any act of transfer or management under penalty of nullity of such acts;
• Prepare timely information flows towards Anti-Money Laundering Function;
• Carry out every investigation rendered necessary;
• Evaluate whether transactions carried out configure as suspicious and, where necessary, proceed with reporting to UIF.

In compliance with Article 7 “Communication obligations” of Decree 109, Young also has burden to:

• Communicate to UIF freezing measures applied to designated subjects, indicating names, amount and nature of funds or economic resources. Such information must be provided within 30 days from date of entry into force of community regulations or UN resolutions or, if subsequent, from date of holding funds and economic resources;
• Report to competent Authorities freezing measures or existing relationships with customers included in lists published by such Authorities as well as transactions connected to terrorist financing;
• Regarding economic resources, provide information to Special Currency Police Unit of Guardia di Finanza.

Procedure to follow in such cases is defined in detail by Anti-Money Laundering Function in Procedure for Customer Due Diligence.

Process of self-assessment of money laundering and terrorist financing risks

International and community legislation has established obligation for obliged entities to periodically perform self-assessment of money laundering and terrorist financing risks. Cardinal principle of such obligation lies in adoption of risk approach reflecting actual exposure of obliged entity and in refinement of safeguards with respect to changing market conditions. Italian legislator regulated such obligation pursuant to Article 15 of Anti-Money Laundering Decree and Bank of Italy detailed it further in Organization measure in Part VII.

In compliance with current legislation, risk self-assessment process in Young is declined in following three macro-phases:

• Identification of inherent risk: assessment of risks, current and potential, of money laundering and terrorist financing to which Young is exposed;
• Vulnerability analysis: analysis of adequacy and effectiveness of apparatus and prevention and contrast safeguards adopted by Young with respect to previously identified risks in order to identify any vulnerabilities;
• Determination of residual risk: identification of residual risk to which Young is exposed and relative mitigation actions proposed downstream of exercise also in relation to detected vulnerabilities.

This exercise is coordinated by Anti-Money Laundering Function, which is responsible for following actions:

• Definition of methodological guidelines regarding risk self-assessment;
• Supervision and consolidation of results emerged;
• Assessment of residual risk within Report to be transmitted to Authorities.

Outcomes of self-assessment intervention must flow into Annual Report produced by Anti-Money Laundering Function.

To complete above, Anti-Money Laundering Function will consider, within definition of its internal methodology for self-assessment purposes, Provisions on matter of Bank of Italy on matter.

Self-assessment results expressed in annual report as well as annual judgments expressed to BoD by Anti-Money Laundering Function are taken into consideration by BoD, CEO and BSA in order to possibly update this Policy.

Training

In Young specific training programs are promoted and organized aimed at sensitizing all employees, collaborators as well as Corporate Bodies regarding roles and responsibilities deriving from obligations envisaged by discipline regarding anti-money laundering and terrorist financing and relative behaviors, procedures and tools to be adopted to comply with such provisions.

Training programs take into account evolution of reference regulatory context and are differentiated by role and function with particular reference to personnel belonging to Anti-Money Laundering Function and employees and collaborators carrying out sensitive activities from point of view of money laundering and terrorist financing risk or anyway involved in suspicious transaction reporting process.

Continuous update on evolution of money laundering risks and typical schemes of criminal financial transactions is required from these personnel members.

In this context, particular attention in preparation of training programs is paid to theme of customer due diligence and recognition and evaluation of transactions connected to money laundering or terrorist financing.

To this end, in Young must be promoted:

• training activities intended for methods of execution of due diligence with particular reference to enhanced ones, as well as sharing of case studies with objective of homogenizing criteria for identification and evaluation of suspicious transactions;
• specific sensitization actions in relation to areas presenting profiles of greater criticality in order to guarantee uniformity of approach.

Anti-money laundering training programs must be drafted by Anti-Money Laundering Function. At end of training sessions, effectiveness of training must be evaluated.

Information flows

11.1. Information flows towards Corporate Bodies

Given responsibilities of BoD, CEO and BSA of Young with reference to management of money laundering and terrorist financing risk, such bodies must be periodically informed by Anti-Money Laundering Function on level of risk oversight.

Main reporting flows are summarized below:

• Planning of activities to be carried out
  • Type: Planning
  • Owner: FA
  • Recipients: Board of Directors, CEO, Control Body
  • Frequency: Annual
• Monthly report
  • Type:
    • Activities carried out
    • Results of control activities
  • Owner: FA
  • Recipients: RFA
  • Frequency: Monthly
• Quarterly report
  • Type:
    • Activities carried out
    • Results of control activities
  • Owner: FA
  • Recipients: Board of Directors, CEO, Control Body, RFA
  • Frequency: Quarterly
• Annual summary report
  • Type:
    • Activities carried out
    • Results of control activities
    • Identified weaknesses
    • Management/mitigation actions
    • Training activities
    • Progress status of remediation initiatives defined through the self-assessment exercise
  • Owner: FA
  • Recipients: Board of Directors, CEO, Control Body
  • Frequency: Annual
• Immediate notification of serious violations or deficiencies
  • Type: Violations or deficiencies considered significant in terms of severity
  • Owner: FA
  • Recipients: Board of Directors, CEO, Control Body
  • Frequency: Event-driven

For detail of information flows towards other Control Functions reference is made to Anti-Money Laundering Manual.

Glossary

• Freezing of funds – prohibition, by virtue of community regulations and national legislation, of movement, transfer, modification, use and management of funds or access to them, so as to modify their volume, amount, location, ownership, possession, nature, destination or any other change allowing use of funds, including portfolio management.
• Identification data: name and surname, place and date of birth, registered residence and domicile, where different from registered residence, details of identification document and, where assigned, tax code or, in case of subjects other than natural person, denomination, registered office and, where assigned, tax code;
• Cash: banknotes and metal coins, in euro or foreign currencies, having legal tender;
• Anti-Money Laundering Function (or AMLF) – Corporate Function deputed to verify continuously that corporate procedures are consistent with objective of preventing and contrasting violation of hetero-regulation rules (laws and regulatory norms) and self-regulation regarding money laundering and terrorist financing.
• Corporate Control Functions – Corporate Functions responsible for 2nd level controls (Compliance, Risk Management, Anti-Money Laundering) and 3rd level (Internal Audit).
• Control Functions – set of Functions having control tasks by legislative, regulatory, statutory or self-regulation provision.
• GAFI: Financial Action Task Force (FATF)
• Means of payment: cash, bank and postal checks, cashier’s checks and other checks similar or comparable to them such as drawing checks, postal money orders, crediting or payment orders, credit cards and other payment cards, transferable insurance policies, pledge policies and any other instrument allowing transfer, movement or acquisition, also electronically, of funds, values or financial availability. Source of such definition is Article n. 1, paragraph 2, sub.i, of Anti-Money Laundering Decree;
• Fractionated transaction: a unitary transaction from viewpoint of economic value, of amount equal to or greater than limits established by current provisions, put in place through multiple transactions, individually lower than aforesaid limits, carried out at different times and in circumscribed period of time fixed at seven days, without prejudice to existence of fractionated transaction when elements recur to deem it such;
• Occasional transaction: a transaction not attributable to an existing continuous relationship;
• Transaction: activity consisting of movement, transfer or transmission of means of payment or performance of negotiating acts with patrimonial content; constituting transaction is also stipulation of negotiating act, with patrimonial content, falling within exercise of professional or commercial activity;
• Corporate Bodies: BoD, CEO and Board of Statutory Auditors
• High-risk third countries: Countries not belonging to European Union whose legal systems present strategic deficiencies in respective national regimes for preventing money laundering and terrorist financing, as identified by European Commission in exercise of powers under Articles 9 and 64 of directive;
• Politically Exposed Persons (i.e. PEP): natural persons who occupy or have ceased to occupy for less than a year important public offices, as well as their family members and those who notoriously entertain close ties with aforesaid subjects, as listed below:
• natural persons who occupy or have occupied important public offices are those who hold or have held office of:

• President of Republic, Prime Minister, Minister, Vice-Minister and Undersecretary, President of Region, regional assessor, Mayor of provincial capital or metropolitan city, Mayor of municipality with population not less than 15,000 inhabitants as well as analogous offices in foreign States;
• Deputy, senator, European parliamentarian, regional councilor as well as analogous offices in foreign States;
• member of central directive bodies of political parties;
• judge of Constitutional Court, magistrate of Court of Cassation or Court of Auditors, State councilor and other members of Council of Administrative Justice for Sicilian Region as well as analogous offices in foreign States;
• member of directive bodies of central banks and independent authorities;
• ambassador, chargé d’affaires or equivalent offices in foreign States, high-ranking officer of armed forces or analogous offices in foreign States;
• component of administration, management or control bodies of companies controlled, even indirectly, by Italian State or foreign State or participated, in prevalent or totalitarian measure, by Regions, by provincial capital municipalities and metropolitan cities and by municipalities with total population not less than 15,000 inhabitants;
• general director of ASL (Local Health Authority) and hospital company, university hospital company and other entities of national health service.
• director, deputy director and member of management body or subject performing equivalent functions in international organizations;

• family members of politically exposed persons are: parents, spouse or person linked in civil union or de facto cohabitation or similar institutions to politically exposed person, children and their spouses as well as persons linked to children in civil union or de facto cohabitation or similar institutions;
• subjects with whom politically exposed persons notoriously entertain close ties are:

• natural persons linked to politically exposed person by way of joint beneficial ownership of legal entities or other close business relationship;
• natural persons who hold only formally totalitarian control of an entity notoriously constituted, in fact, in interest and for benefit of a politically exposed person;

• Continuous relationship: falling within definition of continuous relationship are relationships satisfying following criteria: i) existence of ad-hoc contract with customer and therefore not connected to ancillary service; ii) temporal character of duration of relationship; iii) faculty of movement or transfer of means of payment; iv) faculty of realizing multiple transactions on same relationship by customer.
• Head of Suspicious Transaction Reporting (or SOS Head) – holder of activity of evaluating suspicious transaction reports received and transmitting to Financial Intelligence Unit (UIF) reports deemed well-founded.
• Money laundering and terrorist financing risk: reference is made to definitions contained in this Policy.
• Transfer of funds – a transaction carried out at least partially electronically on behalf of a payer by a payment service provider, with aim of making funds available to payee through a payment service provider, regardless of fact that payer and payee are same subject and that payment service provider of payer and that of payee coincide, including: a) credit transfer, as defined in Article 2, point 1), of Regulation (EU) no. 260/2012; b) direct debit, as defined in Article 2, point 2), of Regulation (EU) no. 260/2012; c) money remittance, as defined in Article 4, point 13), of Directive 2007/64/EC, national or cross-border; d) transfer carried out using payment card, electronic money instrument or telephone.
• UIF: Financial Intelligence Unit for Italy

• Wallet (or digital portfolio): a wallet is a secure digital portfolio used to store, send and receive digital currency.

—

Internal procedures concerning customer due diligence and record-keeping obligations, as well as systems for detecting, assessing, and reporting suspicious transactions, for effectively identifying other situations subject to mandatory reporting, and for the proper storage of documentation and evidence required by the regulation.

For the original Onfido product guides, please refer to this webpage: https://documentation.onfido.com/guide/

i) The stockbrokers referred to in Article 201 of the TUF.

o) The insurance intermediaries referred to in Article 109(2), letters a), b), and d) of the CAP, operating in the business lines referred to in Article 2(1) of the CAP.

s) Trust companies registered in the register provided for under Article 106 of the TUB.

v) The financial advisors referred to in Article 18-bis of the TUF and the financial advisory firms referred to in Article 18-ter of the TUF.