AML/CFT Policy

GruuvyPay Limited is committed to preventing money laundering, terrorism financing, and other financial crimes. We maintain a robust Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) compliance programme that meets the requirements of:

- The Money Laundering (Prevention and Prohibition) Act 2022 - The Terrorism (Prevention and Prohibition) Act 2022 - Central Bank of Nigeria (CBN) AML/CFT Regulations - SEC Nigeria Virtual Assets Service Provider (VASP) guidelines - Financial Action Task Force (FATF) Recommendations

GruuvyPay processes payments through Flutterwave (CBN-licensed PSSP) and crypto through Quidax (SEC Nigeria-licensed exchange). Both partners carry primary AML reporting obligations and maintain their own independent compliance programmes.

We verify the identity of every user before allowing financial transactions. Our tiered KYC system meets CBN requirements:

Tier 0 — Account created Basic account. No transactions permitted until phone is verified.

Tier 1 — Phone + BVN verified BVN is verified through NIBSS via our payment partner. Daily transaction limits apply as required by CBN.

Tier 2 — NIN verified National Identification Number verified against the NIMC database via MetaMap. Higher transaction limits.

Tier 3 — Full KYC Address verification completed. Maximum transaction limits.

We do not permit anonymous accounts. All identity documents are verified against government databases before activation.

GruuvyPay operates an automated transaction monitoring system that screens every transaction for suspicious patterns including:

- High-value transactions — single transactions at or above the NFIU mandatory reporting threshold of ₦5,000,000 - Structuring — transactions just below reporting thresholds that may indicate deliberate avoidance - Velocity — unusually high transaction frequency or volume within short time windows - New account risk — large transactions on recently created accounts - Round-amount patterns — exact round-million amounts associated with structuring

Flagged transactions are reviewed by our Compliance Officer. Where warranted, Suspicious Transaction Reports (STRs) are filed with the Nigerian Financial Intelligence Unit (NFIU) via the goAML platform.

For cryptocurrency withdrawals to external wallets above the equivalent of $1,000 USD (approximately ₦1,650,000), GruuvyPay collects and retains:

- Originator information: name and account details of the sending GruuvyPay user - Beneficiary information: name and wallet address of the recipient

This is required under the FATF Travel Rule, which applies to Virtual Asset Service Providers (VASPs) globally. The information is stored securely and shared with Quidax as our licensed crypto partner for compliance reporting purposes.

GruuvyPay screens all users and transactions against international sanctions lists including:

- OFAC Specially Designated Nationals (SDN) list - United Nations Security Council consolidated sanctions list - European Union consolidated sanctions list

Any match triggers an immediate account review. Accounts confirmed to match a sanctions designation are suspended and reported to relevant authorities. We do not permit transactions involving sanctioned individuals, entities, or jurisdictions.

Politically Exposed Persons and their immediate family members or close associates are subject to Enhanced Due Diligence (EDD). If you are or become a PEP, you are required to notify us at compliance@gruuvypay.com.

EDD may include additional identity verification, source of funds documentation, and ongoing enhanced monitoring of transactions.

GruuvyPay has a zero-tolerance policy for financial crime. If you suspect that your account has been used fraudulently, or if you observe suspicious activity, report it immediately:

Email: compliance@gruuvypay.com General support: support@gruuvypay.com

All reports are treated confidentially. You will not be penalised for making a good-faith report of suspicious activity (the "tipping-off" protection under Nigerian law applies).

Do not attempt to complete a transaction you believe may be fraudulent — contact us first.

In accordance with CBN regulations and the Money Laundering (Prevention and Prohibition) Act 2022, GruuvyPay retains:

- Customer identification and KYC documents — for the duration of the business relationship and 5 years after closure - Transaction records — for 7 years from the date of the transaction - STR and compliance records — for 5 years from the date of filing

All records are stored securely in encrypted form and are available to regulatory authorities upon lawful request.

All GruuvyPay staff with customer-facing or financial roles receive mandatory AML/CFT training covering:

- Recognition of money laundering red flags - Reporting obligations and procedures - Sanctions screening requirements - Data protection obligations related to AML records

Training is conducted at onboarding and refreshed annually.

GruuvyPay has appointed a dedicated Chief Compliance Officer (CCO) responsible for overseeing our AML/CFT programme:

Name: Ikorgu Ibinabo Desmond Email: compliance@gruuvypay.com Appointed by: Maxwell Kemeasuode, CEO, GruuvyPay Limited Appointment date: 28 May 2026

The CCO reports directly to the CEO and has the authority and independence to implement the AML/CFT programme without commercial or operational pressure.

This policy is reviewed at least annually and updated to reflect changes in applicable law, regulatory guidance, and our business operations. Material changes will be communicated to users via the app and our website.

Questions about this policy should be directed to compliance@gruuvypay.com.