AML & KYC Policy — Ajaro Vendor Center

1

Introduction & Scope

1.1 Purpose

Ajaro is committed to the highest standards of anti-money laundering (AML), counter-terrorism financing (CTF), and know your customer (KYC) compliance. This Policy establishes the controls, procedures, and obligations required to detect, prevent, and report financial crime in accordance with Nigerian law and international best practice, including the recommendations of the Financial Action Task Force (FATF).

1.2 Scope of Application

This Policy applies to:

All registered Vendors and their authorised Admins;
All Ajaro directors, employees, contractors, and agents;
All transactions processed through the Platform, including product sales, payouts, subscription payments, and promotional credits;
Any third-party service provider engaged by Ajaro in connection with payment processing, identity verification, or financial services.

1.3 Policy Owner

This Policy is owned and maintained by Ajaro's designated Money Laundering Reporting Officer (MLRO). The MLRO is responsible for overseeing AML/KYC compliance, receiving internal suspicious activity reports, and filing Suspicious Transaction Reports (STRs) with the Nigerian Financial Intelligence Unit (NFIU) as required. The MLRO can be reached at compliance@ajaro.com.ng.

Legal Obligation

Ajaro is required by Nigerian law — specifically the Money Laundering (Prevention & Prohibition) Act 2022 and the EFCC (Establishment) Act 2004 — to implement and enforce AML/KYC controls. Non-compliance with these laws carries criminal penalties including imprisonment of up to 14 years and fines of up to ₦10 million for individuals, and up to ₦25 million for corporate bodies.

2

Key Definitions

Term	Definition
Money Laundering (ML)	The process by which proceeds of crime are concealed, disguised, or integrated into the legitimate financial system to make them appear to have a lawful origin. Money laundering typically involves three stages: placement, layering, and integration.
Terrorism Financing (TF)	The provision or collection of funds, directly or indirectly, with the knowledge or intent that they will be used to carry out terrorist acts or support terrorist organisations, regardless of whether the funds themselves are from lawful or unlawful sources.
KYC (Know Your Customer)	The process of verifying the identity of a customer, understanding the nature of their business, and assessing the risk they pose to the Platform being used for financial crime.
CDD (Customer Due Diligence)	The set of measures taken to identify and verify the identity of a customer and their beneficial owner(s), and to understand the purpose and intended nature of the business relationship.
EDD (Enhanced Due Diligence)	Additional, more intensive verification and monitoring measures applied to higher-risk customers, relationships, or transactions.
PEP (Politically Exposed Person)	An individual who is or has been entrusted with a prominent public function, including heads of state, senior government officials, senior military officers, judicial officials, and their immediate family members and close associates.
Beneficial Owner	Any natural person who ultimately owns or controls a business, or on whose behalf a transaction is being conducted, including persons who exercise effective control through ownership of 25% or more of shares or voting rights.
STR (Suspicious Transaction Report)	A formal report filed with the Nigerian Financial Intelligence Unit (NFIU) when a transaction is suspected of being connected to money laundering, terrorism financing, or other financial crime.
MLRO	Money Laundering Reporting Officer — the designated individual within Ajaro responsible for AML compliance oversight and STR filing.
NFIU	Nigerian Financial Intelligence Unit — the government agency responsible for receiving, analysing, and disseminating financial intelligence relating to money laundering and terrorism financing in Nigeria.

3

Our AML Framework

Ajaro's AML/CFT framework is built on four pillars, each of which is essential to our overall compliance posture:

3.1 Prevention

We prevent financial crime by implementing robust KYC procedures at onboarding, applying risk-based due diligence to all Vendors, and restricting access to the Platform for individuals or entities that fail to meet our verification standards. No Vendor may go live on the Platform without completing the KYC process set out in Section 4.

3.2 Detection

We detect suspicious activity through automated transaction monitoring systems that flag unusual patterns, manual review by our compliance team, ongoing screening of Vendors against sanctions lists and PEP databases, and internal reporting channels that allow staff and Vendors to escalate concerns.

3.3 Reporting

Where suspicious activity is identified, we report it to the relevant Nigerian authorities — primarily the NFIU and the EFCC — in accordance with the timelines and procedures set out in Section 7. We cooperate fully with all lawful requests from Nigerian regulatory and law enforcement authorities.

3.4 Record Keeping

We maintain comprehensive records of all KYC documents, transaction data, due diligence assessments, and suspicious activity reports for the minimum periods required by Nigerian law. Full details are set out in Section 10.

4

Know Your Customer (KYC)

All Vendors must complete KYC verification before their account is activated. KYC is applied in tiers based on the Vendor's business type and transaction volumes:

1

Standard CDD — Individual Vendors & Sole Traders

Applies to: All individual Vendors, sole traders, and informal business operators

Standard

Valid Govt-issued Photo ID BVN Verification Proof of Address (≤3 months) Bank Account (in Vendor's name) Active Phone Number

2

Standard CDD — Registered Business Vendors

Applies to: Limited liability companies, partnerships, and CAC-registered business names

Standard

CAC Certificate of Incorporation Certified Memorandum & Articles Tax Identification Number (TIN) Board Resolution (for companies) ID of all Directors / Partners Business Bank Account Beneficial Ownership Declaration

3

Enhanced Due Diligence (EDD)

Applies to: High-risk Vendors, PEPs, GMV exceeding ₦10M/month, or sectors flagged for elevated risk

Enhanced

All Tier 1 or 2 documents Source of Funds Declaration Last 6-Month Bank Statement Audited Financial Statements Senior Management Approval Ongoing Enhanced Monitoring

!

Prohibited — No KYC Can Satisfy

Applies to: Entities and individuals that cannot be onboarded regardless of documents provided

Refused

Sanctioned individuals or entities Shell companies with no economic purpose Entities in FATF high-risk jurisdictions Persons previously convicted of ML/TF Anonymous or pseudonymous applicants

4.1 Ongoing KYC Refresh

KYC is not a one-time exercise. Ajaro conducts periodic KYC reviews of all active Vendors on the following schedule: standard-risk Vendors — every 24 months; medium-risk Vendors — every 12 months; high-risk Vendors and PEPs — every 6 months. Reviews are also triggered by material changes such as a change of ownership, business address, or bank account, or by a significant and unexplained change in transaction volume or patterns.

4.2 Beneficial Ownership

For corporate Vendors, we are required to identify and verify every person who ultimately owns or controls 25% or more of the shares or voting rights in the business ("Beneficial Owner"). Vendors must declare all Beneficial Owners and provide the same identity verification documents required for individual Vendors for each one. Any change in beneficial ownership must be notified to Ajaro within fourteen (14) days of the change occurring.

5

Risk-Based Approach

Ajaro applies a risk-based approach (RBA) to AML/KYC compliance, allocating more intensive controls to higher-risk relationships and transactions. All Vendors are assigned a risk rating at onboarding and this rating is reviewed periodically and whenever a material trigger event occurs.

Low Risk

Standard Monitoring

Applies to Vendors who meet all of the following:

Individual or Nigerian-registered SME with transparent ownership
Operates in a low-risk product category (e.g. fashion, electronics, household goods)
Monthly GMV below ₦2 million
No adverse media, sanctions, or PEP flags
Account in good standing with consistent transaction patterns

Medium Risk

Elevated Monitoring

Applies to Vendors with one or more of the following:

Monthly GMV between ₦2 million and ₦10 million
Operates in a medium-risk category (e.g. health products, food & beverages)
Business registered in a jurisdiction outside Nigeria
Complex corporate structure with multiple shareholders
New Vendor with limited trading history in first 90 days

High Risk

Enhanced Due Diligence

Applies to Vendors with one or more of the following:

Monthly GMV exceeding ₦10 million
PEP status or close associate of a PEP
Operates in high-risk sectors (luxury goods, cash-intensive trades)
Prior adverse regulatory finding or law enforcement contact
Geographic connection to a FATF high-risk or monitored jurisdiction
Abnormal transaction patterns or high dispute rate

Risk ratings are not permanent. A Vendor may be upgraded or downgraded based on ongoing monitoring results, changes in business profile, or information received from regulatory or law enforcement agencies. Vendors are not routinely informed of their risk rating to preserve the integrity of our compliance processes.

6

Transaction Monitoring

Ajaro operates automated transaction monitoring systems that analyse all Platform transactions in real time against defined risk parameters. The following red-flag indicators are monitored continuously:

Structuring (Smurfing)

Multiple transactions just below reporting thresholds (e.g. repeated ₦4.9M transactions) designed to avoid triggering monitoring rules. Also includes splitting a large single sale into many smaller identical transactions.

Unusual Volume Spikes

A sudden and unexplained increase in transaction volume of more than 300% compared to the Vendor's 90-day rolling average, without a corresponding change in business activity, promotional event, or seasonal pattern.

Unusual Geographic Patterns

Transactions originating from or destined for FATF high-risk jurisdictions, multiple unrelated countries in a short timeframe, or IP addresses inconsistent with stated business location without a legitimate explanation.

Circular or Collusive Transactions

Evidence of coordinated purchasing activity between a small group of accounts — for example, the same buyer repeatedly purchasing from the same Vendor with no apparent commercial purpose, or accounts that appear to recycle funds in a circular pattern.

Payout Pattern Anomalies

Requests to change payout bank accounts to accounts in different names than the registered Vendor, withdrawal of entire balance immediately after large orders with no delivery fulfilment, or payout requests to multiple different accounts in quick succession.

Mismatch Between Activity and Business Profile

Transaction values, product types, or buyer demographics that are substantially inconsistent with the Vendor's stated business type, size, or market — for example, a newly registered food vendor generating ₦20M in luxury goods sales in their first month.

Flagged transactions are automatically escalated to the compliance team for manual review. During a review, the affected payout may be temporarily held. The Vendor will be contacted for clarification and must respond within five (5) business days.

7

Suspicious Activity Reporting

Where our compliance team concludes that a transaction or pattern of activity is suspicious, we are legally obligated to file a Suspicious Transaction Report (STR) with the NFIU. The following process governs how we handle suspicious activity from detection through to resolution:

Detection & Initial Triage

Suspicious activity is identified — either through automated monitoring alerts, a staff report, or a Vendor-submitted concern. The transaction or account is flagged and assigned to a compliance analyst for initial assessment.

Within 24 hours of flag

Compliance Review

The analyst reviews all available evidence — transaction records, KYC documents, account history, Vendor communications, and any third-party intelligence — and prepares an assessment. The MLRO reviews the analyst's conclusion.

Within 3 business days

STR Filing (if required)

If the MLRO determines the activity is suspicious, an STR is filed with the NFIU. The MLRO may also notify the EFCC or other relevant authorities directly where terrorism financing or serious financial crime is suspected.

Within 24 hours of MLRO decision

Account Action & Documentation

Depending on the outcome, the account may be suspended, terminated, or returned to normal operation with enhanced monitoring. All decisions and the evidence supporting them are documented and retained for the legally required period.

Concurrent with filing

Tipping Off is a Criminal Offence

Under the Money Laundering (Prevention & Prohibition) Act 2022, it is a criminal offence to disclose to a subject of investigation — or to any other person — that a suspicious transaction report has been or is being made, or that a money laundering investigation is underway. Ajaro staff, Vendors, and their Admins are legally prohibited from "tipping off" suspects. Violation carries criminal penalties including imprisonment.

8

Politically Exposed Persons (PEPs)

Politically Exposed Persons present an elevated risk of involvement in corruption, bribery, and the laundering of proceeds of public office. Ajaro screens all Vendor applicants and their beneficial owners against PEP databases at onboarding and on an ongoing basis.

8.1 Who Qualifies as a PEP

Under Nigerian law and FATF guidance, PEPs include current and former holders of prominent public functions, specifically:

Heads of state, heads of government, ministers, and deputy ministers;
Members of the National Assembly, State Houses of Assembly, and their equivalents;
Senior judicial officers, including justices of the Supreme Court, Appeal Court, and Federal High Court;
Ambassadors, high commissioners, and senior diplomats;
Senior military officers above the rank of Colonel (Army/Air Force) or Captain (Navy);
Chairmen and directors of state-owned enterprises and government bodies;
Senior officials of international organisations;
Immediate family members of any of the above (spouse, parents, children, siblings);
Close associates who are known to have joint beneficial ownership or business interests with any of the above.

8.2 Treatment of PEP Vendors

Where a Vendor or their beneficial owner is identified as a PEP, the following additional steps apply before account approval:

Senior management approval is required before the account may be activated;
Enhanced Due Diligence (Tier 3 KYC) is applied, including a source of funds and source of wealth declaration;
The business relationship is subject to enhanced ongoing monitoring throughout its duration;
The KYC review cycle is reduced to every six (6) months regardless of transaction volume;
Any transaction by a PEP Vendor that exceeds ₦5 million requires additional manual review before the payout is processed.

Former PEPs retain their elevated risk classification for a minimum of twelve (12) months after leaving their public position. The risk classification may be reduced thereafter based on an individual risk assessment.

9

Sanctions Screening

Ajaro screens all Vendor applicants, beneficial owners, and Admins against applicable sanctions lists at onboarding, and re-screens all active Vendors on a daily basis against updated lists. The following sanctions regimes are applied:

Sanctions List	Administered By	Screening Frequency
UN Security Council Consolidated List	United Nations	Daily automated screening
OFAC SDN List	US Treasury (Office of Foreign Assets Control)	Daily automated screening
EU Consolidated Sanctions List	European Union	Daily automated screening
UK HM Treasury Financial Sanctions List	United Kingdom	Daily automated screening
NFIU / CBN Designations	Nigerian Financial Intelligence Unit / Central Bank of Nigeria	Immediate upon publication
FATF High-Risk Jurisdictions	Financial Action Task Force	Updated quarterly

9.1 Sanctions Matches

Where a Vendor, beneficial owner, or Admin is matched against any of the above sanctions lists:

The account is immediately frozen pending review;
All pending payouts are suspended;
The MLRO is notified within one (1) hour of the match being identified;
The match is assessed to determine whether it is a true match or a false positive;
If confirmed as a true match, the account is permanently terminated, all funds are frozen, and the matter is referred to the EFCC and NFIU without delay;
Ajaro does not notify the Vendor of a confirmed sanctions match until advised by the relevant authority that it is lawful to do so.

10

Record Keeping

Ajaro is required by the Money Laundering (Prevention & Prohibition) Act 2022 to maintain comprehensive records of all KYC documentation, transactions, and compliance activities. Our record-keeping obligations are as follows:

Record Type	Minimum Retention Period	Format
KYC identity documents	7 years after end of business relationship	Encrypted digital copies
Transaction records	7 years from date of transaction	Structured database records
Suspicious Transaction Reports (STRs)	7 years from date of filing	Secure encrypted records
Risk assessments & due diligence files	7 years after end of business relationship	Encrypted digital files
Correspondence with regulatory authorities	Indefinitely (or as directed by authority)	Secure archived records
AML training records	5 years from date of training	HR and compliance system
Internal suspicious activity reports	7 years from date of report	MLRO secure case management system

All records are stored in encrypted form with access restricted to authorised compliance personnel. Records are available for production to the NFIU, EFCC, CBN, and other competent authorities upon lawful request without delay.

11

Training & Awareness

11.1 Staff Training

All Ajaro employees involved in customer onboarding, transaction processing, or compliance functions receive mandatory AML/KYC training upon joining and at least annually thereafter. Training covers: the legal framework for AML/KYC in Nigeria; how to identify and report suspicious activity; the tipping-off prohibition; Ajaro's internal reporting procedures; and their personal criminal liability for AML failures. Training completion is recorded and forms part of each employee's performance record.

11.2 Vendor Awareness

All Vendors are required to acknowledge this AML/KYC Policy at registration. By registering as a Vendor, you confirm that you have read and understood this Policy and agree to comply with its requirements. Ajaro provides guidance resources in the Vendor Center to help Vendors understand their compliance obligations. Vendors who have specific compliance questions may contact our MLRO at compliance@ajaro.com.ng.

12

Vendor Obligations

By registering as a Vendor on Ajaro, you agree to the following specific AML/KYC obligations in addition to your general obligations under the Vendor Agreement:

Provide accurate KYC information. All identity, business, and financial information provided during onboarding and at any subsequent review must be truthful, complete, and not intended to mislead. Providing false KYC information is a criminal offence in Nigeria.
Notify Ajaro of material changes. You must notify us within 14 days of any material change to your business — including changes of ownership, directorship, registered address, or bank account — that may affect your risk profile or KYC status.
Cooperate with compliance requests. You must respond to requests for additional information or documentation from our compliance team within the timeframe specified in the request. Failure to respond without a legitimate reason will be treated as grounds for account suspension.
Conduct your own customer checks. Where you engage sub-vendors, agents, or fulfilment partners in connection with your Ajaro business, you are responsible for ensuring they are legitimate and not subject to sanctions. You must not knowingly facilitate transactions on behalf of sanctioned or prohibited persons.
Report concerns immediately. If you become aware or reasonably suspect that any transaction on your account may be connected to money laundering, terrorism financing, or any other financial crime, you must report it immediately to our compliance team at compliance@ajaro.com.ng.
Do not structure transactions. You must not deliberately structure your sales, withdrawals, or other Platform transactions in a way designed to avoid AML monitoring thresholds or reporting requirements. This includes splitting transactions, using multiple accounts, or coordinating with buyers to circumvent monitoring systems.

13

Consequences of Non-Compliance

Non-compliance with this AML/KYC Policy may result in any or all of the following consequences, depending on the nature and severity of the breach:

Account Suspension

Temporary suspension of the Vendor Account and all associated Stores pending compliance investigation. All payouts are held during the suspension period.

Permanent Termination

Permanent and irrevocable closure of the Vendor Account with no right of appeal. Termination for AML reasons also results in blacklisting from re-registration on the Platform.

Fund Freezing

Immediate freezing of all payout balances pending regulatory direction. Frozen funds may be forfeited to the state if linked to confirmed financial crime through legal process.

Regulatory Referral

Mandatory referral of confirmed or reasonably suspected financial crime to the NFIU, EFCC, CBN, FIRS, or other relevant Nigerian authorities. Ajaro will cooperate fully with any resulting investigation or prosecution.

Personal Criminal Liability

Under the Money Laundering (Prevention & Prohibition) Act 2022, individuals who knowingly engage in or facilitate money laundering or terrorism financing face imprisonment of up to 14 years and fines of up to ₦10 million. Corporate bodies face fines of up to ₦25 million and are liable to have their assets confiscated. These are personal and corporate criminal sanctions and cannot be indemnified by Ajaro.

14

Reporting & Contact

If you wish to report a concern, request clarification, or submit additional compliance documentation, please use the following contacts:

Money Laundering Reporting Officer (MLRO)	compliance@ajaro.com.ng
Suspicious Activity Reports (internal)	compliance@ajaro.com.ng — marked "CONFIDENTIAL: SAR"
KYC Document Submissions	Vendor Dashboard → Account → Verification Documents
General Compliance Queries	compliance@ajaro.com.ng
External Reports — NFIU	nfiu.gov.ng — Nigeria Financial Intelligence Unit
External Reports — EFCC	efcc.gov.ng — Economic & Financial Crimes Commission
External Reports — CBN	cbn.gov.ng — Central Bank of Nigeria Financial Policy

Whistleblower Protection

Any Vendor, Admin, or employee who in good faith reports suspected financial crime to our MLRO or to a regulatory authority is protected from retaliation under this Policy and Nigerian law. Ajaro will not penalise, disadvantage, or disclose the identity of any person who makes a good-faith report of suspected AML/CTF non-compliance.

This AML & KYC Policy was last reviewed and updated in March 2025. Document reference: DBM-AML-V1.2-2025. This Policy is reviewed at least annually and updated whenever applicable laws, FATF recommendations, or CBN/NFIU guidelines change materially. It is to be read in conjunction with the Vendor Agreement (DBM-VA-V2.0-2025) and Terms & Conditions (DBM-TC-V3.2-2025).