
Oxford 19 Limited is a private limited company registered in Nigeria with Company Registration number 1949303. Registered office is located in Lagos, Nigeria. Oxford 19 Limited is a financial services organisation with a specific focus on money transfer services. We operate our services from Lagos, Nigeria but remit money to beneficiaries in other African countries and around the world.

Our principal business activities include online money transfer services for individual and corporate customers.

Money laundering and terrorist financing have become a subject of significant concern in many countries. With that in mind, we have established ourselves on a strong legal compliance base, endowed with efficient, tailored and risk-based anti-money laundering procedures and controls.

Our commitment is to promote best practice along with a high standard of efficient anti-money laundering/combating terrorism financing procedures.

To accomplish this task, Oxford 19 will provide a clear understanding of anti-money laundering legal procedures combined with a strong internal Policy which goes beyond the legal scope, in this way making our staff adhere to the highest standards.

1.1 PURPOSE

This document (the “Policy”) sets out practical guidance and direction to all users in gaining awareness and understanding of the relevant AML/CTF matters concerning the customer onboarding, ongoing monitoring, systems, and controls that must be applied by Oxford 19 in its efforts to combat money laundering and terrorist financing. The Policy also sets out the responsibilities of the Senior Managers, Money Laundering Reporting Officer (MLRO), Nominated Officer (NO) and all staff in recognizing and dealing with AML/CTF risks and obligations.

1.2 POLICY STATEMENT

Oxford 19 Limited abides by and adheres to all applicable laws and regulations regarding AML and CTF in all jurisdictions where it conducts its business.

To achieve that, Oxford 19 will develop and implement a comprehensive set of measures to identify, manage and control all AML and CTF risks at all stages of the business relationship with its customers.

Oxford 19 Limited and its staff are committed to the highest standards of openness and integrity. A risk-based Anti-Money Laundering (AML), Counter Terrorist Financing (CTF), anti-fraud and anti-corruption approach is taken, which includes all necessary measures to mitigate the financial crime risks.

The Nigerian Financial Intelligence Unit (NFIU) imposes a duty to have systems and controls to counter and prevent the furtherance of financial crime. As a business, the firm has implemented an AML/CTF risk framework and risk management strategies to reduce exposure to financial crime risks.

Failure of Oxford 19 or its staff to effectively demonstrate and evidence that it has taken all reasonable and proportionate steps to forestall being used for financial-crime purposes has direct and significant risks in terms of the regulatory, legal, financial, commercial, integrity and reputational standing of Oxford 19 and relevant individuals with senior management responsibilities.

Any technical queries or concerns on specific policy provisions and requirements should be directed to the MLRO.

1.3 SCOPE

The Policy relates to all staff (including permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns, and customers engaged with the Company in Nigeria) within the organisation. It also applies to all subsidiary firms, whether in Nigeria or overseas.

Any willful, significant, or negligent non-observance of any internal policy arrangements or standards may result in internal disciplinary action being taken against the relevant individual(s).

1.4 CHANGES AND REVISION

As an institution, there is only the Managing Director who has overall responsibility for ensuring this policy complies with Oxford 19 legal and ethical obligations, and that all those under our control comply with it.

The Managing Director, who also carries out the functions of a Compliance Officer/MLRO/NO, has primary and day-to-day responsibility for implementing this Policy, monitoring its use and effectiveness, and dealing with any queries about it. The internal audit process evaluates the internal control systems and procedures to ensure they are effective.

Management at all levels will be responsible for ensuring those reporting to them understand and comply with this Policy and are given adequate and regular training. Where significant changes are made, role-specific training shall be provided to relevant staff on the impact of the changes.

This document shall be subject to periodic review (at least annually) in accordance with:

  • i. Local and international legislation
  • ii. Industry best-practice
  • iii. Internal changes in the business including but not limited to:

      o new product/service lines
      o variations in product/service lines
      o extension to new jurisdictions

Changes to this document are made by the Money Laundering Reporting Officer (MLRO) who is also the same person as the Nominated Officer. Small changes shall be reflected by incrementing the version number as 1.1, 1.2, 1.3, etc. Where significant changes to the document occur, this shall be reflected in a new version number, e.g., 1, 2, 3, etc.

When more Senior Managers and Directors are appointed, the Managing Director of Oxford 19 must approve all changes before they are put into effect and the approved Policy document must be shared with all relevant staff with the exception of changes to content in Appendix 2 which is provided as a reference/aide de memoire only.

Oxford 19 will seek to utilise periodic self-certification to verify and affirm individual staff awareness and continued adherence with specific Policy standards and requirements issued or accessible. Please refer to Appendix 1 to confirm the receipt and acceptance of this document.

1.5 DISTRIBUTION LIST

When the approval process is to be followed, following Board approval, this document shall be distributed to the following individuals:

  • iv. All Board Members
  • v. All Senior Managers
  • vi. All Operations/Compliance staff
  • vii. Any other relevant staff

This confidential document is the exclusive property of Oxford 19 Limited and may not be copied, duplicated, or otherwise reproduced without prior written consent of the Company.

The AML regime is in line with the following regulations and guidance (Refer to Appendix 2):

  • viii. The Money Laundering (Prevention and Prohibition) Act, 2022 – MLA, 2022
  • ix. Economic and Financial Crimes Commissions Act, 2004
  • x. Terrorism (Prevention and Prohibition) Act, 2022
  • xi. Economic and Financial Crimes (Anti-Money Laundering, Combating the Financing of Terrorism and Proliferation of Weapons of Mass Destruction for Designation of Non-Financial Businesses and Professions and other Related Matters) Regulation, 2022
  • xii. Proceeds of Crime (Recovery and Management) Act, 2022
  • xiii. Nigerian Financial Intelligence Unit Act, 2018
  • xiv. Independent Corrupt Practices and other Related Offences Commission Act, 2000
  • xv. Central Bank of Nigeria (AML/CFT) Regulation, 2013
  • xvi. National Insurance Commission (AML/CFT) Regulation, 2013
  • xvii. Central Bank of Nigeria (Administrative Sanctions) Regulations, 2018
  • xviii. Central Bank of Nigeria (AML/CFT) Regulation, 2019
  • xix. Terrorism (Prevention) Regulation, 2013

2. MONEY LAUNDERING AND TERRORIST FINANCING

2.1 Money Laundering

2.1.1 Introduction

Money Laundering is the term used to describe the process or act (or attempted act) of disguising or hiding the identity of illegally obtained proceeds so that they appear to have originated from legitimate sources. In practice, it consists of turning dirty money into clean money so that it appears to have come from a legal source. It encourages crime by making it profitable and threatens the financial system and its institutions, both domestically and internationally. Common ML methods are:

“Cash-based” – which involves the physical movement of currency, with payments being broken down into smaller amounts to avoid detection.

“High-End” – which usually involves transactions of substantial value and the use of the financial sector with the so-called ‘professional enablers’, such as solicitors, accountants, and other professionals.

Money laundering is traditionally broken down in three separate steps which aim to conceal the origins of illicit funds and introduce them to the formal financial sector.

2.1.2 Placement

The first stage in the money laundering process is placement. This is the point of contact between illicit funds and the financial system. This is a particular risk to firms accepting transactions from clients as cash, bank transfers and card payments. It may involve using several individuals to conduct transactions seemingly on their own behalf to break up the funds into smaller amounts below compliance thresholds.

2.1.3 Layering

Once illicit funds have been placed in the financial system, criminals aim to separate the funds from their source to make it harder to establish the true origin of the funds. This stage can take many different forms such as international transfers and making investments.

2.1.4 Integration

In the final stage, the funds are used as if legitimately derived, with a seemingly legitimate origin. Here they may be used for purchases or investment without arousing suspicion. The overall aim of the laundering process is to allow criminals to enjoy their proceeds of crime without fear of detection or suspicion.

2.1.5 Predicate Offences

The most common predicate offences in the ML regulations include, but are not limited to: Arson, Concealment of assets, Illegal drugs and narcotics trade, Illegal arms trading, Sexual exploitation and Prostitution rings, Violent Crime – Murder & Grievous Bodily Injury, Insider Trading, Corruption, Bribery, Forgery, Armed robberies, Blackmail, Extortion, Arts and antique fraud, Internet or cyber fraud, Smuggling, Tax fraud, Kidnapping, Piracy, Human trafficking, etc.

2.2 Terrorist Financing

Terrorism is the use or threat of action, both in and outside of Nigeria, designed to influence any international government organisation or to intimidate the public. It must also be for the purpose of advancing a political, religious, racial, or ideological cause.

Examples include:

  • i. serious violence against a person or damage to property,
  • ii. endangering a person’s life (other than that of the person committing the action),
  • iii. creating a serious risk to the health or safety of the public or a section of the public,
  • iv. action designed to seriously interfere with or seriously to disrupt an electronic system.

It is important to note that to be convicted of a terrorism offence a person does not actually have to commit what could be considered a terrorist attack. Planning, assisting and even collecting information on how to commit terrorist acts are all crimes under Nigerian terrorism legislation.

    The principal terrorist financing offences are outlined in the Terrorism (Prevention and Prohibition) Act, 2022 and include:

    • i. raising, providing, receiving, using, or possessing funds or other property that the offender has reasonable cause to suspect may be used for the purposes of terrorism (including for the benefit of a proscribed organisation); and
    • ii. becoming involved in an arrangement that makes funds available to another for the purposes of terrorism (likewise) or that facilitates the retention or control by another of ‘terrorist property’, which includes:
        o property likely to be used for the purposes of terrorism;
        o the resources of a proscribed organisation;
        o the proceeds of acts of terrorism; or
        o the proceeds of acts carried out for the purposes of terrorism.

    Secondary terrorist financing offences include failing to report suspicions about terrorist acts, property, and suspects.

    The principal fraud offences are outlined in Sections 2 to 4 of the Fraud Act and include:

    • iii. making a false representation
    • iv. failing to disclose information which the offender is under a legal duty to disclose; and
    • v. abusing a position in which he or she is expected to safeguard (or not act against) the financial interests of another person.

    3. GOVERNANCE

    3.1 Management Structure

    Oxford 19 Limited will put a governance framework in place focusing on People, Purpose, Process and Performance, helping all staff to be aligned to our vision and goal. This framework will clearly define the risk appetite and tolerance towards financial crime, the terms of reference (Purpose) for all Senior Managers and the Board (when appointed) (People) helping them to oversee the AML and CTF risk assessment framework (Process) and receive periodic reports from the management (Performance) to have full control and oversight. We have an articulated business strategy, based around its business plans and goals which reflects its perceived risk profile and risk appetite. It sets out our aim and objectives.

    The Managing Director demonstrates and evidences that they have appropriate and effective arrangements which forestall the firm from being used for financial crime purposes. Our processes will therefore be pro-active in identifying, assessing, managing (monitoring and reporting), and mitigating our risks.

    3.2 Risk Appetite and Tolerance

    Our Business Strategy and Plan is created by the Managing Director and its delivery is monitored by her.

    This sets out the aim, goals, and values for the current planning period.

    Oxford 19 is evolving its understanding of its perceived business risk profile and its appetite and tolerance towards risk and loss, including relevant thresholds and parameters of control.

    We are aware that any inability to effectively demonstrate any evidence we have taken all reasonable and proportionate steps to forestall being used for financial crime purposes can have direct and significant risks in terms of the regulatory, legal, financial, commercial, integrity and reputational standing.

    Oxford 19 Limited has zero-tolerance to its products and services being used to support or facilitate financial crime.

    3.3 AML and CTF Risk Assessment Framework

    The Special Control Unit Against Money Laundering requires designated financial institutions and designated non-financial institutions to carry out a focused (and documented) risk assessment of Money Laundering (ML) and Terrorist Financing (TF) risks faced by them.

    This assessment should include factors like jurisdictions where firms operate and where customers are from as well as products and services offered and their delivery channel. To be a meaningful document, the risk assessment must include all the steps institutions have decided to take to mitigate those risks.

    We continue to implement and develop a formal and articulated framework to underpin its approach to risk identification, assessment, and management. The MLRO is responsible for ensuring implementation of a robust risk assessment framework to prevent financial crime. The key elements of the AML and CTF Risk Assessment Framework are to:

    • i. Develop, review and update AML and CTF policies, procedures, and controls.
    • ii. Evaluate systems, tools, and controls to identify, assess, monitor, and manage ML and TF risks.
    • iii. Ensure ongoing monitoring and oversight of compliance with regulatory obligations.
    • iv. Comply with regular internal management reporting and adherence to regulatory reporting schedule.
    • v. Train all relevant staff periodically on AML and CTF related topics.
    • vi. Enforce strict record keeping measures.

    3.4 Monitoring and Oversight

    The MLRO will remain alert and suitably informed of circumstances and events across the business to properly oversee and control the financial crime risks within the business.

    This also allows the MLRO to react and make informed decisions concerning the identification, assessment, and mitigation of risks. To support this important governance process, various reporting systems and tools will be maintained, which collate and present information and analysis to inform and aid operational decision-making and the prudent exercise of judgement.

    Periodic monitoring will be undertaken using a risk-based approach to test and provide evidence and support internal assurance on the effective implementation and maintenance of our financial crime arrangements. This may include the use and reliance on specific processes, systems, and controls as well as the full and proper application and observance of related policies. Where sample testing is employed, this will be determined on a reasonable statistical basis to provide meaningful and valid outcomes and determinations.

    The detailed list of monitoring activity that we will perform on a regular basis will be included in the Compliance Monitoring Programme (“CMP”), for which the MLRO and the Compliance Officer will be responsible. The result of this monitoring activity will be evaluated on a regular basis by the MLRO.

    In addition to this, if an independent MLRO is appointed, the MLRO will produce an annual written MLRO report for the Managing Director on the effectiveness of the firm’s implemented arrangements, and make recommendations to address any weaknesses, needs and potential future gaps in our AML/CTF programme.

    3.5 Reporting and Notifications

    An internal reporting process will enable all staff to promptly report to the Nominated Officer (“NO”) any suspicious activity or transactions identified for investigation. The NO and MLRO are the same person since these roles are combined.

    Where considered appropriate by the NO, they will then make an external report to the relevant government agency.

    The NO will also handle any consequent follow-up, feedback, or act as point of contact for providing any specific information and evidence as requested by the external authorities.

    The Senior Management will receive periodic management information (MI) such as:

  • i. Monthly, quarterly, bi-annual, and annual reports from each department
  • ii. Reports or minutes from the Board meetings (as the business expands).
  • iii. Annual MLRO report
  • iv. Other reports as deemed necessary by department heads.

    The Compliance team (when business expands) will be expected to share quarterly reports including the following:

  • i. Any ongoing issues to be flagged for review at the Board Meeting.
  • ii. Any failings and/or areas of emerging risks and action plans
  • iii. Update on policies and procedures review.
  • iv. Update on staff training.
  • v. Updates on external regulatory reporting, any upcoming changes in regulation and industry guidance
  • vi. Status on business risk profile, upcoming changes which may alter the risk profile affecting any services, customer types, PEP and Sanctioned individuals identified, etc.

    We may also receive contact and communication from other official investigators and enforcement agencies regarding any matters being investigated.

    This could take the form of court orders and directions requiring Oxford 19 Limited to respond or provide specified information.

    It could also take the form of contact from the police or other investigation units in any relevant business jurisdiction.

    The MLRO will remain as the main point of contact along with the external Legal Counsel (where necessary) for all external investigations. The MLRO remains responsible for all other regulatory reporting and notifications to the regulators.

    3.6 Escalations and Approvals

    For the Managing Director to make informed decisions around risk in a proper and robust way, it is important that the circumstances or scenarios that warrant prompt and effective escalation are both transparent and can be applied in a reliable and consistent manner. This will ensure that perceived or actual significant risks or exposures can be quickly assessed and hopefully action taken to minimize the adverse or unacceptable impacts, harm, or loss. Any staff (once appointed) who are in doubt as to whether any matter warrants prompt and formal escalation should refer it directly to the MLRO.

    3.6.1 Escalation Criteria and Requirement for Senior Management Sign Off (when further staff are appointed)

    Escalation Criteria | Authorised Signatories (Approval and Sign Off)
    Suspicious Activity Reporting | Nominated Officer or MLRO
    External Investigation (Regulatory or enforcement authorities) | Legal Counsel (external where necessary), Compliance Officer and the MLRO, Managing Director
    Incident Reporting & Notification | IT Manager, Compliance Officer and the MLRO, Managing Director
    Regulatory Compliance; Potential PEPs, their family members, or close associates; Financial Sanctions; High Risk business relationships; Risk Industries; High Risk Third Countries; Review of Individual Clients; Transaction Monitoring referrals; Customer Complaints Escalation; Fraud Investigations; New Products; New Technology; Additions of new High-Risk Industries; Additions of new High-Risk Jurisdictions | Compliance Officer and the MLRO, Managing Director

    MLRO and Managing Director sign offs will be required when high risk parameters are associated with a client like association with potential PEPs, links to high risk third countries, negative media reports which may pose significant risk to us. All contact received from any external supervisory, investigatory or enforcement body e.g., Police Financial Investigators or the EFCC, and received in whatever form i.e., written, oral or electronic, should be immediately referred to the MLRO who will immediately take responsibility for its action.

    It is particularly important that such communication be quickly and fully disclosed and referred as they might incorporate deadlines and content which could otherwise impose some adverse financial, legal, or reputational exposure or consequences to Oxford 19, its staff (when appointed), or customers. For example, any non-response or delay of a court order requiring information or evidence to be produced, or even assets to be frozen, could potentially create the risk of Oxford 19, or its staff being held in contempt of court. This is likely to have serious legal and other consequences.

    3.7 Roles and Responsibilities – Senior Managers

    Senior Management is defined as:

    “An officer or employee of the relevant person with sufficient knowledge of the relevant person’s money laundering and terrorist financing risk exposure, and of sufficient authority, to take decisions affecting its risk exposure.”

    Relevant examples for the Company include a:

    • i. Managing Director
    • ii. Legal Counsel (external where necessary)
    • iii. Money Laundering Reporting Officer (MLRO)
    • iv. Nominated Officer (NO)
    • v. Internal Auditors (external compliance specialist firm may be appointed where necessary)

    The Managing Director will duly vet all new applicants for Senior Manager positions, prior to their appointment to a position of responsibility.

    3.7.1 Appointment for New Senior Managers

    Senior Managers must:

    • i. possess necessary experience at an appropriate level of seniority to hold the position.
    • ii. possess necessary qualifications where applicable.
    • iii. be of good character, as attested by employment references.
    • iv. not have any convictions against them.
    • v. have any spent convictions.
    • vi. be approved as a PSD Individual by the FCA prior to appointment.

    3.7.2 Regulatory Obligation for Senior Managers

    Senior Managers to:

    • i. appoint one individual who is a member of the Board of Directors or of its Senior Management as the officer responsible for Oxford 19’s compliance with ML regulations (the MLRO and NO are the same person since these roles are combined).
    • ii. appoint a Nominated Officer to report suspicious activity to the Relevant Government Agency and allow them to carry out their responsibilities independently.
    • iii. appoint a Money Laundering Reporting Officer (MLRO) who will be responsible for all regulatory reporting and supervising the firm’s compliance with its AML obligations.
    • iv. payment service providers must also appoint an officer to monitor and manage compliance with and the internal communication of the policies, controls and procedures adopted by Oxford 19 under regulations specific to financial crime prevention.
    • i. Carry out screening of relevant employees appointed by Oxford 19, both before the appointment is made and during the course of the appointment. Screening means an assessment of—
    • ii. the skills, knowledge, and expertise of the individual to carry out their functions effectively and the conduct and integrity of the individual

    A relevant employee is an employee whose work is—

    i. relevant to the relevant person’s compliance with any requirement in these Regulations, or otherwise, capable of contributing to the—

    ii. identification or mitigation of the risks of money laundering and terrorist financing to which the relevant person’s business is subject, or

    iii. prevention or detection of money laundering and terrorist financing in relation to the relevant person’s business.

    iv. establish an independent audit function, where appropriate to the size and nature of the business, to examine and evaluate the adequacy and effectiveness of policies, procedures, controls adopted by Oxford 19 and to monitor the overall compliance and the wider regulatory requirements.

    Senior Managers will be personally liable where they have failed to take appropriate measures to prevent money laundering within Oxford 19. Senior Managers will also be responsible for:

    i. setting the right tone and demonstrating leadership on financial crime issues

    ii. having a clearly defined organisation structure, reporting lines, roles, and responsibilities for all staff.

    iii. devoting adequate skilled resources including appropriate staff and technology to deal with money laundering and terrorist financing.

    iv. ensuring screening of all employees for their skills, knowledge, conduct and integrity both before and during the appointment is carried out.

    v. overseeing, controlling, and monitoring the mitigation actions for all business and financial crime risks identified through the risk assessments.

    vi. actively dealing with escalations in relation to financial crime issues based on clear criteria.

    vii. taking a risk-based approach to managing these risks that focuses more effort on higher risks

    viii. reviewing and approving changes to existing or new written policies, controls, and procedures to show how Oxford 19 will manage the risks of money laundering and terrorist financing identified in risk assessments.

    ix. ensuring that the policies, controls, and procedures are communicated to and applied to subsidiaries or branches in or outside Nigeria (where applicable).

    x. monitoring effectiveness of the business’s policy, controls and procedures and making improvements where required.

    xi. having systems to identify when Oxford 19 transacts with high risk third countries identified by the regulatory authorities or financial sanctions targets advised by CBN, EFCC, NFIU, OFAC, UN and take additional measures to manage and lessen the risks.


    3.8 Roles and Responsibilities – Money Laundering Reporting Officer (MLRO)

    Oxford 19’s MLRO, Kehinde Iroche, who acts as the central focus on all financial-crime related matters, is resident in Nigeria. The MLRO will oversee the design and delivery of staff training on all relevant Nigeria financial crime matters and is also Oxford 19’s Nominated Officer (NO) responsible for making all external reports of suspicious activity. The MLRO will manage the relationship with external investigation and enforcement agencies including the Police, the courts, or any national Financial Intelligence Unit (FIU), such as the Economic and Financial Crimes Commission. The MLRO’s responsibilities include but are not limited to:

    i. responsible for oversight of the firm’s compliance with the domestic and international regulations and licensing requirements where the business operates.

    ii. monitor the day-to-day operation of the Company’s AML/CTF policies and respond fully and rapidly to enquiries for information made by the FCA or law enforcement.

    iii. obtaining and using national and international findings

    iv. taking reasonable steps to establish and maintain adequate arrangements for awareness and training (whether by themselves or an appropriately trained nominated company or person); and

    v. making annual reports to the firm’s Managing Director (where applicable).

    vi. ensuring periodic reviews as part of the Compliance Monitoring Plan (CMP) including checking effectiveness of the internal policies and procedures are carried out and reported to the Managing Director (internal audit)

    vii. scheduling review dates for records held by SCUML and the CBN, including ensuring records are kept up to date where applicable.

    viii. review dates for policies, procedures, and risk assessment (at least annually)

    ix. review of adequacy of compliance resources

    x. review geographical risk assessment and update policy and procedure documents.

    xi. risk management review, including risk scorings.


    If an independent MLRO is appointed, the MLRO will report to the Managing Director on the effective implementation and application of the firm’s arrangements to forestall it being used for financial-crime purposes.

    The MLRO and the NO must be part of Oxford 19 (i.e., these roles cannot be outsourced). MLRO will also be responsible for monitoring and managing compliance with this policy.

    3.9 Roles and Responsibilities – Nominated Officer

    A Nominated Officer (NO), Kehinde Iroche, is also the MLRO at Oxford 19. The NO is responsible for receiving internal reports of suspicious activity and for making disclosures of suspicious activity to the Economic and Financial Crimes Commission (EFCC). When a new Nominated Officer is appointed, we shall notify SCUML, by submitting details online via the Government Gateway prior to the appointment.

    FCA will assess the fitness and propriety of a qualifying holding/controller and individuals, directors, and persons responsible for its payment services activities on the information provided in the application form, including EMD Individual/Qualifying Holding (Controller) forms and other information available to them from their own and external sources.

    Oxford 19 must satisfy SCUML that any person who will be responsible for the management of the Company and its payment services, are of good repute and have the appropriate knowledge and experience to perform payment and e-money services. The SCUML will assess and approve:

    i. Persons responsible for payment services activities, - any person within Oxford 19 who is responsible for managing the Payment Services activities including any Nominated officer, MLRO, Compliance Officer.

    ii. Directors - engaged in the day-to-day management of the Company,

    iii. Controllers – A controller is an individual or firm that does one of the following:

    - holds 10% or more of the shares in the Company including through a parent;

    - is able to exercise significant influence over the management of the Company through their holding in the Company or a parent;

    - is entitled to control or exercise control of 10% or more of the voting power in the Company (including through a parent company); or

    - is able to exercise significant influence over the management of the Company through their voting power in it or a parent.

    The NO is responsible for:

    • i. receiving internal reports from employees concerning suspicions of ML.
    • ii. considering all reports and evaluating whether there is or seems to be any suspicion of money laundering or terrorist financing.
    • iii. completing and submitting Suspicious Activity Reports (SARs) to the NFIU by informing them of any suspicious activities or transactions.
    • iv. liaising with the EFCC for a defence to a money laundering offence (DAML) in relation to any reported transaction that has not been processed, to ensure the transaction does not continue to be processed where there is a suspicion of money laundering or terrorist financing facilitation.
    • v. managing the relationship with SCUML regarding all matters of investigation regarding suspicious activity reports submitted to them.

    NOTE: MLRO and the NO roles are performed by the same person, due to the size and nature of the firm.

    4. RISK, ASSESSMENT & MANAGEMENT

    4.1 Business-wide Risk Assessment (BWRA)

    4.1.1 Risk-Based Approach

    A risk-based approach requires Oxford 19 to assess the risks that its business may be used for money laundering or terrorist financing and put in place appropriate measures to manage and reduce those risks, allocating resources according to the risk associated with each area of its business. An effective risk-based approach will identify the highest risks of money laundering and terrorist financing that the business faces and put in place measures to manage these risks.

    Such an approach should balance the costs to the business and customers with a realistic assessment of the risk that the business may be exploited for the purpose of money laundering and terrorist financing. It allows firms to use informed judgement to focus their efforts on the highest risk areas and reduce unnecessary burdens on customers presenting a limited risk of money laundering and/or terrorist financing.

    Some industries, products or customer types could be classified as high risk and restricted based on Oxford 19’s risk appetite.

    4.1.2 Methodology

    Our AML/CTF risk assessment framework will aim to follow a structured approach in identifying, assessing, evaluating, controlling, and periodically monitoring the risks to the business and its customers. The high-level process of the risk assessment will be:

    i. Identifying ML/TF/Fraud risk – The first step to managing business risks is to identify what situations pose a risk to Oxford 19 and its customers. This includes assessing the five areas identified in the Money Laundering Regulations (MLRs), namely:

    - customers
    - geography
    - products or services
    - transactions; and
    - delivery channels

    ii. Assessing ML/TF/Fraud a priori risk – Consider the likelihood of the risk and the impact such a risk would have on the business were it to occur.

    iii. Controlling ML/TF/Fraud risk – Plan mitigating actions for each risk to eliminate, reduce, absorb, or transfer the risk.

    iv. Residual risk – There may be residual risks after a mitigation action is executed. These require a decision from the risk manager based on the 4 Ts:

    - Terminate – terminate the activity that leads to the risk. This may be used where the residual risk is outside our risk appetite.
    - Treat – take steps to treat the residual risk. This will require drawing up an action plan for treatment and follow-up.
    - Transfer – transfer the risk to another party. This could include referring business to a partner firm or covering the liability with an insurance product.
    - Tolerate – accept the residual risk as being within our risk appetite/tolerance.

    v. Monitoring and reviewing ML/TF/Fraud risk – Identify individuals in Oxford 19 who will be responsible for managing each risk. Establish a process for reporting and handling risks, including an escalation process for high-risk scenarios.

    The MLRO will be responsible for reviewing the effectiveness of the risk management process and making adjustments to the policies and procedures where necessary.

    4.1.3 Risk Factors

    Our risk assessment will help identify the potential money laundering and terrorism financing risks the business will be exposed to, when establishing a business relationship with the customers or providing a one-off transaction.

    Once the potential risks are established it is likely not all customers and services will pose the same level of risk. As such it is unlikely that we will need to know all customers equally.

    It is key to understand Oxford 19’s overall exposure, and design systems and controls to deal with them. Changing economic conditions, new competitors, natural disasters, changing regulations, changing customer demand can be classified as external risks. Other risks may include financial, marketing, operational, reputational, legal, resourcing risks which could cause harm to the business and its customers. Our risk assessment will be maintained as a standalone document.

    The Regulations require Oxford 19 to consider the following factors for identifying risks:

    i. customer risk factors, including whether—

    - the business relationship is conducted in unusual circumstances.
    - the customer is resident in a geographical area of high risk.
    - the customer is a beneficiary of a life insurance policy.

    ii. product, service, transaction, or delivery channel risk factors, including whether—

    - the product involves private banking.
    - the product or transaction is one which might favour anonymity.
    - the situation involves non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures.
    - payments will be received from unknown or unrelated third parties.
    - new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.

    iii. geographical risk factors, including—

    - countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering or terrorist financing.
    - countries identified by credible sources as having significant levels of corruption or other criminal activity, such as terrorism (within the meaning of
    [Figure: Identify, Assess, Evaluate, Control, Monitor, Review]
    - countries subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations.
    - countries providing funding or support for terrorism.
    - countries that have organisations operating within their territory which have been designated—
        - by the government of Nigeria as proscribed organisations under the Terrorism (Prevention and Prohibition) Act 2022, or
        - by other countries, international organisations, or by the United Nations as terrorist organisations.
    - countries identified by credible sources, such as evaluations, detailed assessment reports or published follow-up reports published by the Nigerian Financial Intelligence Unit, Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development or other international bodies or non-governmental organisations as not implementing requirements to counter money laundering and terrorist financing that are consistent with the recommendations published by the Financial Action Task Force.

    We shall deem the following situations to automatically present a high risk (including 5MLD high-risk scenarios):

    • i. there are relevant transactions between parties based in high-risk third countries.
    • ii. any suspicion of fraud, money laundering or terrorist financing activities
    • iii. the customer is the beneficiary of a life insurance policy.
    • iv. the customer is a third-country national seeking residence rights or citizenship in exchange for transfers of capital, purchase of a property, government bonds or investment in corporate entities.
    • v. non-face to face business relationships or transactions without certain safeguards.
    • vi. transactions related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory, or other items related to protected species, or archaeological, historical, cultural, and religious significance, or of rare scientific value.
    • vii. presence of a PEP, their family members, close associates or sanctioned individual or entity.
    • viii. negative media news.
    • ix. transactions above threshold and velocity limits.
    • x. presence of other high-risk industry and/or geography.

    4.1.4 Process

    We will take the following steps to apply a risk-based approach to risk assessments carried out within the business:

    • i. conduct comprehensive business wide risk assessments to determine level of risks associated with individual/business/third party relationships.
    • ii. maintain clearly documented policies, procedures and risk registers which are reviewed, updated, and approved by Senior Management on a periodic basis. It must only be shared with external parties including regulators, law enforcement bodies, third party vendors, credit institutions upon request or if deemed necessary.
    • iii. take note of information on risk and emerging trends from the National Risk Assessment and regulatory risk assessment to amend procedures, as necessary.
    • iv. assess, and keep under regular review, the risks posed by:
    - customer types, e.g., individual, partnership, limited company, trust, charity.
    - products and services offered by the customer (industry type) and particularly any ways that those services could be exploited by criminals for money laundering and/or terrorist financing (e.g., money remittance v/s e-money services)
    - nature of transaction - whether the transaction is conducted face to face or remotely or whether the customer is the beneficial owner of the funds involved in the transaction.
    - financing and payment methods used by customers to pay for services, e.g., cash, bank transfer, online card payments.
    - delivery channels - whether the customer is on-boarded face to face or remotely, for example cash over the counter, wire transfer or cheque.
    - geographical areas connected to the client and the transaction, including:
        - client’s country of residence and nationality
        - location of account from which funds are received for services.
        - destination country of funds
        - any high-risk third countries through which funds will need to pass.
        - FATF AML deficiency and/or Third Country status.
    - association with high risk factors like PEPs, their family or close associates.
    - whether the customer is on a list of sanctioned individuals.
    - complexity and volume of transactions processed by the customer.

    4.1.5 Updates to the Risk Assessment

    The Policy will be updated at least annually, and when one or more of the following events takes place at Oxford 19 (where those events are not already covered in the risk assessment):

    • i. offering a new product or service.
    • ii. offering payments to new destinations.
    • iii. offering products or services to customers from new industries.
    • iv. accepting payments from a new jurisdiction.
    • v. accepting new payment method.
    • vi. a failing is identified in the way a particular risk is managed.
    • vii. audit findings reveal failings/deficiencies or poorly allocated resources.

    Where possible, the risk assessment is to be updated proactively, prior to the change taking place.

    4.2 Individual Customer Risk Assessment

    Based on the risk assessment carried out, we will determine the level of CDD that should be applied in respect of each customer and beneficial owner.

    The risk assessment process will involve measures to verify the customer’s identity, collecting additional information about the customer, and monitoring their transactions and activity to determine whether there are reasonable grounds for knowing or suspecting that money laundering or terrorist financing could be taking place.

    The assessment framework will involve decisions as to whether the verification should take place electronically, and the extent to which Oxford 19 can use customer verification procedures carried out by other firms.

    Customers will be risk assessed on an on-going basis, where the following factors will be considered as a minimum:

    • i. customer type
    • ii. transaction type and aggregate value
    • iii. products and services offered.
    • iv. purpose of transaction and source of funds.
    • v. customer predicted annual send amount.
    • vi. geographical risk - country from which funds originate and are being sent to
    • vii. delivery channel - whether the customer is present for on-boarding or transaction is done remotely.
    • viii. payment method used by the customer.
    • ix. customer sending to many different beneficiaries.
    • x. customer is sending to a very common beneficiary (suggesting possible transaction structuring).

    Risk scores will be assigned as low, medium, or high risk. A record will also be maintained of the risk score for each customer, assigned to a risk owner, and any updates made to controls and residual risk will be clearly documented.

    5. CUSTOMER DUE DILIGENCE (CDD)

    5.1 Customer Identification & Verification

    Customer due diligence is defined as:

    (a) identifying the customer and verifying the customer’s identity based on documents, data or information obtained from a reliable and independent source.

    (b) identifying, where there is a beneficial owner who is not the customer, the beneficial owner and taking adequate measures, on a risk-sensitive basis, to verify his identity so that the relevant person is satisfied that he knows who the beneficial owner is, including, in the case of a legal person, trust or similar legal arrangement, measures to understand the ownership and control structure of the person, trust or arrangement; and

    (c) obtaining information on the purpose and intended nature of the business relationship.

    (d) conducting ongoing monitoring on business relationships and associated transactions.

    The Customer is defined as the person or entity with whom the Company forms a contractual relationship.

    A Business Relationship is a business, professional or commercial relationship between Oxford 19 and a customer, which the business expects, on establishing the contact, to have an element of duration.

    We will do customer due diligence when the firm:

    • i. suspects money laundering or terrorist financing.
    • ii. sets up a business relationship with a customer.
    • iii. carries out an occasional transaction.
    • iv. has doubt about any information provided by the customer for identification or verification.

    5.1.1 Simplified Due Diligence (SDD)

    Simplified due diligence is the lowest level of due diligence that can be completed on a customer. SDD measures may be applied to a business relationship or transaction if the risk assessment shows a lower degree of risk of becoming involved in money laundering or terrorist financing.

    • i. Where Oxford 19 is satisfied that a customer, product, and services fall into the simplified due diligence criteria, the only requirement will be to identify the customer. When completing simplified due diligence, there is no requirement to verify the customer's identity, as is needed with a standard or enhanced due diligence approach.
    • ii. The business relationship will be continually monitored for trigger events which may create a requirement for further due diligence in future.
    • iii. If at any point during the relationship with the customer additional intelligence becomes available which suggests that the customer or product may pose a higher risk than originally thought a more enhanced level of due diligence should be conducted.
    • iv. Where automated customer profiling or electronic verification is used, Oxford 19 must document the rationale behind the risk scoring and demonstrate how a customer is classified as low, medium, and high risk. Customer cannot default to a low risk profile.

    In each of the SDD cases, the information constitutes a minimum level of due diligence, though additional information and/or documentation may be required as determined by the Oxford 19 risk-based approach.

    Oxford 19 Limited currently chooses not to apply SDD to individual customers.

    5.1.2 Standard/Customer Due Diligence (CDD)

    In the majority of cases, standard due diligence is the level of due diligence that will be used. These are generally situations where there is a potential risk, but it is unlikely that these risks will be realized. Standard due diligence requires Oxford 19 to identify the customer as well as verify their identity. In addition, there is a requirement to gather information to understand the nature of the business relationship. This due diligence will provide us with confidence that we know who our customer is and that our service or product is not being used as a tool to launder money or any other criminal activity. Ultimate Beneficial Owners (UBOs) with ownership and control of 25% and more will be identified and verified.

    In each of the CDD cases, the information constitutes a standard level of due diligence, though additional information and/or documentation may be required as determined by our risk-based approach.

    5.1.2.1 Small & Medium Sized Corporates

    For a Small & Medium Sized Corporate (SME), we will obtain as a minimum the following information:

    • i. Name of Company (as registered with the Corporate Affairs Commission).
    • ii. Certificate of Incorporation (a certified true copy will suffice).
    • iii. Certificate of Business Name Registration (where registered as a business name).
    • iv. Memorandum and Articles of Association.
    • v. CAC 1.1 or CAC 7 and CAC 2 (For limited liability companies only).
    • vi. Business email address (to be verified).
    • vii. Business Phone number (to be verified).
    • viii. Contact person/Business Owner (first name, middle name and last name – to be verified by the production of a government issued identification card)
    • ix. Business Address (will be verified by the production of a government issued utility bill)

    5.1.2.2 Private Individuals

    For a NIGERIAN-resident private individual, we will obtain as a minimum the following information:

    • i. Full name
    • ii. Date of birth
    • iii. Residential Address

    In accordance with Oxford 19 policy this information will be verified for all customers independent of transaction value via credible reliable sources. Where this information is verified using documents, we shall accept government issued proof of identity with photograph and proof of address documents as defined in the list below:

    Table A: Proof of Identity

    • i. Valid passport.
    • ii. Valid photo card driving licence.
    • iii. National identification Number (NIN).
    • iv. Identity card issued by the Independent National Electoral Commission

    Table B: Proof of Address

    • i. Current bank statement issued within last 3 months by a regulated financial institution in NIGERIA.
    • ii. Utility bills (Electricity, water, fixed landline) (Internet based documents and mobile phone bills will not be acceptable).
    • iii. Tax Clearance Certificate issued by relevant tax authorities in NIGERIA.
    • iv. Address may also be verified electronically.

    Where the electronic checks fail, a photocopy of the government issued ID and address verification document will be requested by Oxford 19. Where the quality of the photocopy is not satisfactory, we will accept a photocopy of the original document, endorsed or certified by one of the following appropriate persons:

    • a) Accountant
    • b) Legal Practitioner
    • c) Notary Public

    Where certification is applicable the documents must be stamped, dated, and signed by any one professional listed above. Certification must include the following:

    • i. Stamp stating, “Certified True Copy” (the same wordings could be handwritten if a stamp is not available).
    • ii. Wording confirming that the photo on the document (where applicable) is a true likeness.
    • iii. Name of the organisation who certified the documents.
    • iv. Name of the certifier and their signature.
    • v. Date of certification.
    • vi. Membership number and the name of the professional organisation the accountant or lawyer is registered with. Example: Supreme Court Enrollment Number /ICAN, ACCA membership number NIGERIA.

    Translation – Please note that if any KYC documents submitted to Oxford 19 (like the proof of ID and address verification) are in a language other than English, then a translated transcript of the document will be required. This must be signed by a certified translator preferably from an accredited translation company. The translated copies will need to be provided to Oxford 19 along with the copies of the original documents.

    PEP, sanction screening, adverse media and anti-impersonation checks will also be completed.

    5.1.3 Enhanced Due Diligence (EDD)

    Enhanced due diligence will be applied on a risk sensitive basis in situations that present a higher risk of Money Laundering (ML) and Terrorist Financing (TF). The additional due diligence could take many forms, from gathering additional information to verifying the customer’s identity or source of income. The frequency of ongoing monitoring will be increased to keep a closer eye on the customer’s transaction patterns and activities. UBO verification deepens as ownership and control of over 10% is identified and verified.

    In each of the EDD cases, the information constitutes an enhanced level of due diligence, though additional information and/or documentation may be required as determined by our risk-based approach. The checks should be relative and proportionate to the level of risk identified and provide confidence that any risk has been mitigated and that the risk is unlikely to be realised. In such cases, additional measures will be taken by us to verify:

    • i. identity of the customer including additional information on their residential status, employment, and salary details.
    • ii. source of funds or wealth (proof of savings, inheritance, employment, financial, business details may be requested)
    • iii. the purpose of the transaction

    5.1.3.1 Conditions for applying EDD

    EDD will be applied under the following conditions (includes 5MLD scenarios):

    • i. any situation where a suspicion of money laundering or an increased risk of money laundering is present or where Oxford 19 risk assessment indicates higher risk of ML and TF.
    • ii. correspondent relationships with a credit or financial institution
    • iii. any business relationship or transaction with a person established in a high-risk third country. Refer to Geographical Risk Rating.
    • iv. a party to the transaction is a politically exposed person.
    • v. customer or potential customer is a politically exposed person (PEP), or a family member or known close associate of a PEP.
    • vi. customer provides false or stolen identification documentation or information, and the company proposes to continue to deal with that customer.
    • vii. transaction is complex and unusually large, or there is an unusual pattern of transactions.
    • viii. transaction or transactions have no apparent economic or legal purpose.
    • ix. complex transactions between parties based in high-risk third countries.
    • x. customer is the beneficiary of a life insurance policy.
    • xi. customer is a third-country national seeking residence rights or citizenship in exchange for transfers of capital, purchase of a property, government bonds or investment in corporate entities.
    • xii. non-face to face business relationships or transactions without certain safeguards.
    • xiii. transactions related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory, or other items related to protected species, or archaeological, historical, cultural, and religious significance, or of rare scientific value.
    • xiv. introduction made by third parties.

    Refer to Appendix 2 for further regulatory guidance.

    5.2 Sanctions List Screening

    Oxford 19 will review all Customers at the point of registration, and prior to the processing of each transaction, against sanctions lists like:

    • i. OFAC SDN (Specially Designated Nationals)
    • ii. NIGERIAN Sanctions Committee
    • iii. UN sanctions List - United Nations Security Council Consolidated List
    • iv. Consolidated list of persons, groups, and entities subject to Financial Action Task Force (FATF) financial sanctions.
    • v. We will also screen all senders and beneficiaries before sending each transaction.

    Where a partial match is present for the Customer and/or beneficiary, the transaction will be held, the Customer and beneficiary records will be blocked, and the accounts will require signoff by the MLRO before proceeding. If the match is confirmed, funds will be frozen, account blocked, then the MLRO shall make a disclosure and inform the partner banks, who in turn have a regulatory obligation to inform the NFIU as soon as possible by emailing info@nfiu.gov.ng, and the application will be rejected as Oxford 19 restricts any connections with any sanctioned individuals or entities (positive match). If the match is confirmed, then the Nominated Officer may also make a disclosure to the Economic and Financial Crimes Commission (EFCC) through its regulatory Special Control Unit Against Money Laundering (SCUML) reporting requirement.

    5.3 Prohibited Business Types

    • i. Production or trade in weapons and munitions, including explosives and nuclear weapons.
    • ii. Any business relating to pornography or prostitution, including child pornography.
    • iii. Human body parts and pathogens.
    • iv. Unlicensed online businesses: Casino, Online Poker, Online Gambling, Online Betting, Prize Draws etc.
    • v. Multi-Level Marketing Structures.
    • vi. Unlicensed Forex/Binary Options.
    • vii. Trade in Cryptocurrencies.
    • viii. Trade in wildlife, especially endangered wildlife.
    • ix. High Value Dealer.
    • x. Any business whose ultimate beneficial owner is a Shell Company situated in known tax havens.
    • xi. Any business that has or has provided Oxford 19 with Shell Company accounts, and/or Shell Company accounts in known tax havens and high-risk countries.

    5.4 Politically Exposed Persons (PEPs)

    Definition: A Politically Exposed Person (PEP) is one who has been entrusted with one of the following functions in the past year:

    • i. Heads of state, Heads of Government, Ministers and Deputy or Assistant Ministers.
    • ii. Members of Parliaments
    • iii. Members of the Governing Bodies of Political Parties
    • iv. Members of Supreme Courts, of constitutional courts or of other high level judicial bodies.
    • v. Members of Courts of Auditors or of the Boards of Central Banks.
    • vi. Ambassadors, Chargés d'affaires and high-ranking officers in the armed forces.
    • vii. Members of the Administrative, Management or Supervisory bodies of state-owned enterprises.
    • viii. Directors, Deputy Directors and Members of the Board or equivalent function of an international organization.

    Definition: A family member of a PEP includes:

    • i. a Spouse or Civil Partner of the PEP.
    • ii. Children of the PEP and the Spouses or Civil Partners of the PEP’s Children.
    • iii. Parents of the PEP

    Definition: A known close associate of a PEP means:

    • i. an individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP.
    • ii. an individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP.

    Relationships with PEPs, their family members and known close associates are considered high-risk. Therefore, all customers will be screened against a reliable third-party database of PEPs, their family members and known close associates. Additional documents are requested to investigate further into the business or transaction. We will prohibit business relationships wherever a positive match is identified, and the funds will be returned to source if a transaction involves a PEP, their family member or close associate.

    We will screen customers:

    • i. During on-boarding (prior to any transactions taking place).
    • ii. Real-time basis.
    • iii. On an on-going basis, where any change in status is updated.

    MLRO must:

    • i. investigate all escalations involving a potential PEP or close association with a PEP in a business relationship or a transaction.
    • ii. receive a monthly report of transactions involving PEPs, their family members and known close associates.
    • iii. review the report for any unusual transactions and investigate accordingly.

    5.5 Adverse Media Screening

    As part of standard CDD, it is necessary, by using publicly available sources, to gain a better understanding of the client or beneficial owner, their reputation, and their role in public life. Where we find information containing allegations of wrongdoing or court judgments, we will assess how this affects the level of risk associated with the business relationship or occasional transaction. We will use a reliable third-party AML system for real-time monitoring of adverse media information against all our clients. Should it be difficult to clarify the match with an acceptable level of comfort, the case will be escalated to the MLRO for further review.

    5.6 Electronic Verification of Identity

    5.6.1 Requirement

    The regulations now expressly confirm that electronic ID verification from independent and reliable sources is acceptable for CDD purposes if it is free from fraud and provides sufficient assurance as to the identity of the individual. This provision does not make electronic ID mandatory – it clarifies that it can be used to meet CDD requirements if it meets a certain standard. Therefore, Oxford 19 is permitted to verify the identity of its clients electronically, provided those checks are done from at least two separate online sources or performed by a service provider that does so.

    5.6.2 Oxford 19’s Policy for Electronic Verification

    We choose to use electronic identity checks where this is possible, either on their own or in conjunction with documentary evidence. We rely on a credible and independent third-party service provider who can provide a wide range of confirmatory material without directly involving the customer, although external searches and screening are performed in line with the customer’s consent obtained as part of the on-boarding agreement.

    We also rely on regulatory registers, public listings, credible online sources and other document or biometric verification services. The process must be secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.

    Use of a third-party does not remove the requirement for us to risk assess its customers, their transactions, and the business relationship Oxford 19 has with those customers. We remain liable for any failure to apply appropriate due diligence measures.

    When selecting a third-party verification service, the MLRO will also perform due diligence checks. The level of due diligence checks will be determined based on the level of risk associated with the third-party business relationship.

    5.6.3 Criteria for third-party verification services

    If a third-party system or tool is used for electronic verification, we must ensure that the service provider is credible and reliable. The following criteria should be followed by the Managing Director when selecting a third-party verification service.

    • i. it is registered with the Information Commissioner’s Office to store personal data.
    • ii. it is accredited to give identity verification services through a government, industry or trade association process that involves meeting minimum standards.
    • iii. the standards it works to, or accreditation, require its information to be kept up to date.
    • iv. its compliance with the standards is assessed.
    • v. it uses a range of positive information sources, and links a person, through other sources, to both current and previous circumstances.
    • vi. it uses negative information sources, such as databases relating to identity fraud and deceased persons.
    • vii. it uses a wide range of alert sources, such as up-to-date financial sanctions information.
    • viii. it has transparent processes that enable the firm to know what checks were carried out, what the results of these checks were, and what they mean in terms of how much certainty they give as to the identity of the subject.
    • ix. it should be able to keep records of the information used to verify identity information.

    The process must be secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.

    5.6.4 Mitigation of impersonation risk

    We will perform further checks to ensure that the person dealing with Oxford 19 and the person being identified electronically are the same person.

    When conducting remote verification of identity, it is important for us to establish that we are dealing with the individual named in/on the documentation/information that has been provided – i.e., that the risk of impersonation/identity theft is adequately mitigated. The risk of impersonation will be significantly reduced by:

    • i. only accepting a first payment from the customer from a bank account in their own name with a regulated credit institution in Nigeria or overseas.
    • ii. requiring copy documents to be certified by an appropriate person (when eKYC fails and the quality of ID and AV documents is not satisfactory).
    • iii. site visits (where possible).

    5.7 Reliance on Third Parties for Due Diligence

    5.7.1 Persons on which reliance can be placed.

    We are permitted to rely on the following persons to apply customer due diligence on our behalf before entering a business relationship with a customer:

    • i. another Nigerian business subject to the Regulations.
    • ii. a business in the European Economic Area (EEA) subject to the 5th Money Laundering Directive.
    • iii. a branch or subsidiary established in a high risk third country that fully complies with an EEA parent’s procedures and policies.
    • iv. a business in a third country that is subject to equivalent measures.

    5.7.2 Persons in Third Countries

    Oxford 19 may not rely on a business established in a country that has been identified by the EU as a high risk third country. The third-party must agree to being relied upon. The agreement between the third-party and the Company must include arrangements to:

    • i. obtain immediately on request (or within 2 working days) copies of the customer due diligence information from the third party.
    • ii. ensure the third party retains copies of the due diligence information for five years from the date the reliance was agreed.

    5.7.3 Requirements to be met when relying on third parties

    The third-party must agree to being relied upon. The agreement between the third-party and Oxford 19 must include arrangements to:

    • i. obtain immediately on request (or within 2 working days) copies of the customer due diligence information from the third party.
    • ii. ensure the third party retains copies of the due diligence information for five years from the date the reliance was agreed.

    5.7.4 Third Party Due Diligence Model

    Oxford 19 initiates a check/process and interacts directly with Onfido:

    Client interaction method with Onfido: Application Programming Interface (API)
    Description: The API is based on REST principles and uses standard HTTP response codes to enable Client to transmit and receive data from Onfido, as further described in the API Documentation.
    Personal Data Processing: Categories of Personal Data

    • Onfido User unique identifier
    • Check status/outcome and related information (e.g., a Report)
    • Optional data fields selected by Client from those technically supported and listed in Onfido's API Documentation (for example, the User's title - Mr., Mrs., Miss)
    • Technical metadata
    • IP address
    • All other information processed by Onfido relevant to the applicable Services

    (Note - Onfido will also collect the full name, login credentials, and usage logs for Client personnel accessing the Onfido Dashboard)

    Client interaction method with Onfido: Onfido Dashboard
    Description: The Onfido Dashboard is a graphical user interface to Onfido’s API, as further described in the API Documentation.

    Onfido collects additional information directly from Users on behalf of Oxford 19:

    Data collection method: Application Programming Interface (API)
    Description: The SDK provides the Client with a drop-in set of user interface screens for mobile (iOS and Android) and web applications to allow (save with respect to the Face Authenticate Service) the capture of identity documents and facial photographs/video for the purpose of the Services.
    Personal Data Processing: Categories of Personal Data

    • Images/video and information describing the images/video (as specified in the relevant check/process)
    • Telephone number (web SDK only and optional)
    • Content of SMS (web SDK only and optional)
    • IP address and associated city/country level location information
    • Anonymised usage data

    Onfido processes the data collected in (1) and (2) above and the following data on behalf of Oxford 19 in order to provide the Services (including for fraud detection):

    Service name: Document Check
    Description of service: Assesses the likelihood that the Document provided is genuine.
    Personal Data Processing: Categories of Personal Data

    • Image(s) of the identity document and information describing the identity document
    • Information extracted from the Document electronically, where applicable

    Service name: Facial Similarity Check - Selfie
    Description of service: Compares the face displayed on a Document with a facial image captured of the User, to verify that they are the same.
    Personal Data Processing: Categories of Personal Data

    • Image of the User’s face
    • Image of the face in the identity document

    Special Categories of Personal Data:

    • Numerical biometric data

    Service name: Watchlist Report - Standard
    Description of service: Searches third party watchlist, politically exposed persons and sanctions databases to identify whether a User is included in that database.
    Personal Data Processing: Categories of Personal Data

    • Full name
    • Date of birth (Client optional)
    • Address and post/zip code (Client optional)

    Oxford 19 agrees to require all Users to provide Onfido with full and accurate data either via an online “Applicant Form” or through Onfido’s proprietary application programming interface (the “API”) or SDK. To the extent Onfido obtains Personal Data (as defined below) not necessary for Onfido to provide the Services, the Client instructs Onfido to delete Personal Data without further notice to Oxford 19.

    All Reports provided to the Client will be available for viewing and printing on Onfido’s secure, web-based dashboard (the “Onfido Dashboard”) or returned to the Client via API responses. Through the Onfido Dashboard, the Client may set a list of authorised personnel who are permitted to access the Reports. The list may be updated at any time on a self-service basis by the Client.

    5.7.5 No Waiving of Responsibility

    Oxford 19 remains liable for any failure to apply appropriate due diligence measures. Reliance on a third-party does not remove the requirement for the Company to risk assess its customers, their transactions, and the business relationship we have with those customers.

    5.8 Outsourcing

    Where any external company or subsidiaries or associate companies will be engaged by Oxford 19 Limited to undertake any specific business activity on a delegated basis, e.g., centrally coordinated customer administration helpdesk services, then we will ensure that effective outsourcing arrangements are in place which specify the extent of delegation and contractual terms as well as ongoing performance measures and service review processes to ensure Nigerian requirements are understood, applied, and met on an ongoing basis. Due diligence checks will be carried out on all external companies acting as the outsourcing partners as per the third-party due diligence process. We may only outsource the internal audit function by appointing an external Compliance specialist firm annually as necessary to satisfy AML audit requirements.

    6. ON-GOING MONITORING

    6.1 Requirements

    Oxford 19 is required to conduct on-going monitoring on its customers and their transactions commensurate with the risk posed by the customer. On-going monitoring will also include checks we will undertake on the effectiveness of our policies, procedures, systems, and controls. This will be undertaken as part of Oxford 19’s Compliance Monitoring Plan (CMP).

    6.2 Preventive Checks

    We will put in place several preventive checks that permit us to detect potentially unusual or suspicious activity that may be indicative of money laundering, terrorist financing or fraud before a transaction is released. These checks will be undertaken in real-time using technological tools at our disposal.

    The MLRO and the Compliance Officer will set relevant compliance thresholds based on value and frequency of transactions within the TM system which will trigger alerts for further investigation and action. These limits and controls will be tested as part of the CMP carried out by the MLRO and the Compliance Officer on a regular basis.

    6.2.1 Threshold checks

    Where a customer sends unusually large or unusually frequent transactions, Oxford 19 will maintain controls to detect such activity and review it before the transaction is released. A customer could also send transactions below the system/control threshold limits in order to go undetected by the TM system. The TM system will also detect below-threshold and linked transactions. In all cases, should the transaction volume be unusually high or broken down into smaller amounts to go undetected, the MLRO has a further responsibility to bring this to the attention of the partner financial institution, e.g., partner payment banks, so that they can also bring this within their reporting guidelines.

    6.2.2 Velocity Checks

    Our TM system will be able to detect unusual account velocity including:

    i. Increase in transaction volume over set time periods inconsistent with the information known on the customer’s means.

    ii. Customer sending more than an expected number of transactions across set time periods, potentially indicative of structuring or undisclosed third parties to the transaction.

    iii. Transaction values inconsistent with the pattern of known activity of the customer.

    6.2.3 Transaction Structuring

    Linking small transactions is a common way that money launderers seek to circumvent additional due diligence that would otherwise apply to a larger transaction. This may take several forms, including:

    i. A single sender making many small transactions – often in a relatively short space of time – to the same beneficiary.

    ii. Using many senders to send small amounts to a common beneficiary.

    Oxford 19 may conduct analysis for the purposes of detecting structuring of transactions on a rolling basis over a range of periods. Oxford 19 IT systems will be able to check aggregate transaction value against the Company’s due diligence to ensure that transactions cannot be broken down into smaller value transactions to avoid additional due diligence requirements. We will have controls in place to monitor various scenarios concerning:

    • i. aggregate transaction amount
    • ii. aggregate number of transactions
    • iii. one-to-many transactions
    • iv. many-to-one transactions

    6.2.4 Customer Profiling

    We will have functionalities of customer profiling by looking at customers’ current real time data, historical information, and account profile. This analysis of the customer will enable risk rating on their profile or transactions.

    6.2.5 Trade-Based Money Laundering (TBML)

    We are mindful of the risks associated with local and international trade with respect to trade-based money laundering and will put in place appropriate controls on an on-going basis. TBML could involve under-invoicing, over-invoicing, or payments always sent as round amounts.

    6.2.6 PEP and Sanctions screening

    We will undertake real-time PEP and sanctions checks on all customers and beneficiaries.

    6.3 Detective Checks

    We will have a number of detective checks in place to identify retrospectively unusual and/or suspicious activity. Front line staff (when appointed) will perform the detective checks using various AML screening and monitoring tools and periodic reports will be shared with the Senior Management.

    6.3.1 Adverse Media checks

    We will also undertake adverse media checks on the company name, directors and UBOs owning 25% or 10% or more respectively based on their risk profile.

    6.3.2 Monitoring Tools

    We will use monitoring and screening tools to cover transaction monitoring, fraud prevention, PEP and sanctions screening, adverse media screening, and risk management purposes. The MLRO and the Compliance Officer will evaluate the effectiveness of these systems and tools periodically as part of their Compliance Monitoring Plan (CMP).

    6.3.3 Retrospective Transaction Analysis

    We may conduct data analysis on our customer and transaction database to detect unusual and suspicious activity, for example customers consistently trading just below thresholds used for EDD/high-risk customers that require additional disclosures. These checks will be undertaken as part of our Compliance Monitoring Plan (CMP).

    6.4 Periodic Customer review

    Oxford 19 will undertake periodic reviews of customer activity to ensure that it is consistent with the information known about the customer. The frequency of the checks will be determined by the risk score of the customer. Periodic reviews of existing customer files will be conducted on a risk-based approach. These reviews will be performed at least once in 2 years for low risk, annually for medium risk and every 6 months for a high-risk customer.

    6.5 Dormant Accounts

    Any accounts or relationships that have not had any transactions/contact undertaken in the previous 12 months (dormant account) will be considered closed. If these clients wish to recommence using the services, CDD will be re-applied as if it was a new account.

    6.6 Outsourced Business Activities

    Oxford 19 Limited will retain responsibility for all outsourced or delegated activity and areas of responsibility. We will put appropriate controls into place to maintain robust oversight over the relationship and performance management arrangements with the outsourcing partners to ensure services provided meet the required measures and quality in line with all Nigerian legal and regulatory standards and obligations. Periodic checks will be carried out as part of the Compliance Monitoring checks (part of CMP) by the MLRO and the Compliance Officer. Outsourcing partners will be required to share periodic management reporting on the status and trends of related matters, e.g., risk, AML, fraud, customer complaints, system outages etc. In addition, we will also have real-time access to view all customer accounts and positions at any given time.

    7. SUSPICIOUS ACTIVITY REPORTS (SARS)

    Under the extant Financial, Terrorist Financing Prevention and Anti-Money Laundering Regulations, businesses in the regulated sectors and their employees are required to disclose information to the relevant financial crimes authorities, for further investigation, in circumstances where they:

    • Know or suspect or have reasonable grounds for knowing or suspecting that another person is engaged in money laundering or terrorist financing.

    The EFCC Regulations, CBN Regulations, and SCUML Regulations require that businesses in the regulated sectors must have policies and procedures under which:

    • An individual in the organisation is appointed as a Nominated Officer who is responsible for receiving disclosures of information concerning suspicions of money laundering or any activity which could aid the laundering of money.

    • Employees report suspicious activity to the Nominated Officer/MLRO, and

    • The Nominated Officer/MLRO considers disclosures in the light of any relevant information which is available to the business and determines whether it gives rise to knowledge or suspicion or reasonable grounds for knowledge or suspicion of money laundering or terrorist financing.

    ‘In the organisation’ means from within the same business, business group, or corporate structure. At Oxford 19 the Nominated Officer also performs the role of a Money Laundering Reporting Officer (MLRO).

    The failure of any person to disclose such information constitutes an offence under Part V of the Terrorism (Prevention and Prohibition) Act, 2022 or Part IV of the Money Laundering (Prevention and Prohibition) Act, 2022.

    All our staff will be under a legal obligation to make an internal report where they have knowledge or suspicion, or there is reasonable ground for such knowledge or suspicion, that another person is engaged in ML, or that terrorist property exists. Disclosures will be made by submitting a Suspicious Activity Report (SAR). Therefore, any evidence or reasonable suspicion that any activity connected with any customer, transaction or funds might be connected to any financial crime must be internally reported to the MLRO for consideration, investigation, and eventual reporting to the relevant governmental agency responsible for the investigation and prosecution of financial crimes.

    Staff (when appointed) must inform the MLRO/NO directly and in writing via email, providing all details of the circumstances and basis for concern or suspicion. At this point staff will have met their own legal obligations and the MLRO, as the duly appointed NO, will take responsibility for any proper and timely investigation and external reporting to the relevant governmental agency charged with the responsibility of investigating financial crimes. The basis for the knowledge or suspicion of money laundering or terrorist financing should be set out in a clear and concise manner.

    The SAR should contain as much relevant information about the customer, transaction, or activity as possible. The NO must report suspicious approaches or proposed transactions or activity, even if no transaction or activity takes place.

    It is important that all staff should NOT discuss, engage, or disclose to anyone else any details or information concerning the circumstances of their suspicions or any internal reporting made. This includes anyone directly or indirectly connected to the account, transaction, or funds to avoid the potential risk of committing the ‘tipping-off’ criminal offence.

    The MLRO will maintain records of all suspicious activity reports internally received and actioned, in accordance with the organization’s Record Keeping Policy, and analyze data periodically.

    The MLRO is further charged with the responsibility of flagging and/or reporting suspicious customer activities through partner financial institutions, e.g., payment partner banks. The payment partner banks also have a reporting and regulatory requirement to report these transactions through the NFIU reporting portal for monitoring of these transactions by the relevant governmental agency. Oxford 19, on the other hand, as a designated non-financial institution under relevant laws, also has reporting requirements to SCUML, a sub-division of the EFCC. SCUML has the mandate to receive reports on frauds and financial crimes and is thus charged with the responsibility to investigate and determine culpability of the persons reported in these cases of alleged fraud and financial crime.

    Any requirement for technical and operational guidance on handling any consequent customer contact or query connected to any reported matter should be referred to the MLRO.

    Some examples of suspicious behaviours are as below:

    • the customer is reluctant to provide details of their identity or provides fake documents.
    • the customer is trying to use intermediaries to protect their identity or hide their involvement.
    • there is no apparent reason for using our business's services, for example, another business is better placed to handle the size of transaction or the destination of the transmission.
    • the customer is unable to provide satisfactory evidence for customer’s identity or purpose of transaction like the source of the funds.
    • unusual source of funds.
    • the transmission is to a high-risk country.
    • non-face-to-face customers.
    • the customer owns or operates a cash-based business.
    • there is an unusually large cash transaction.
    • the size and frequency of the transaction is different from the customer’s normal pattern.
    • the pattern has changed since the business relationship was established.
    • the transaction seems to be unnecessarily complicated or seems to use front men or companies.
    • the customer is acting on behalf of third parties without there being an appropriate family or business relationship between them.
    • an under-age person sends or receives funds from multiple sources.
    • the customer (or two or more customers) is using more than one local Money Service Business, perhaps to break one transaction into smaller transactions.

    8. INDEPENDENT INTERNAL AUDIT

    8.1 Requirements

    According to the MLR Regulations, where appropriate to the size and nature of Oxford 19, Senior Managers are responsible for instituting an independent internal audit function to have independent oversight of the Company’s AML/CTF policies, procedures, systems, and controls, examine their adequacy and effectiveness, make recommendations, and monitor compliance with those recommendations. Larger firms appoint an internal audit function with individuals having strong experience and skill sets in risk management, regulatory compliance and a good understanding of Technology and Infrastructure industry standards and requirements. The Internal Audit department reports directly to the Managing Director. Oxford 19 may choose to outsource this function to a specialist Consultancy or Audit firm specialising in Compliance Assurance.

    The front-line staff (once appointed) who are in the customer-facing role performing KYC, Fraud Prevention, AML screening and monitoring are referred to as the First Line of Defence (1LOD). The Compliance function, being the Second Line of Defence (2LOD), sets various compliance thresholds and controls and periodically conducts qualitative compliance tests of AML policies, procedures, and systems, validating them against the regulatory obligations of the Company. The Internal Audit (IA) function is referred to as the Third Line of Defence (3LOD), which assesses the effectiveness of the AML and compliance functions, including Board effectiveness.

    Oxford 19 may appoint an external compliance specialist firm to complete a quality assessment or a one-off, independent assurance review including Board effectiveness assessment and quality assurance, and may request bespoke training and advice based on the size and nature of the business.

    8.2 Appointment of Internal Audit Team

    The Managing Director is responsible for appointing skilled and experienced staff who can work independently and report directly to them. The Compliance assurance team must be capable of providing independent assurance across numerous subjects like risk management, regulatory compliance, technology, and infrastructure including cyber and information security. Where appointed, the external Compliance specialist firm will be responsible for the Internal AML and Compliance audit process in Oxford 19. It will provide the evidence required to give assurance to the Managing Director as well as regulators that these regulations and policies are embedded in the day-to-day business. This means having an effective management reporting infrastructure and having mechanisms in place which can monitor and measure against set tolerances, on an ongoing basis, the extent to which an institution is performing to the standards it sets for itself, as well as those imposed upon it.

    8.3 Audit Preparation

    • understand which standards and regulations apply to the firm internally and externally.
    • understand how these standards are applied and to which business lines or functional areas.
    • set any enhanced performance monitoring required to establish and track the Key Performance Indicators (KPIs). The auditor would recommend any changes required to the KPIs to the Board in their audit report.
    • establish a performance parameters matrix, enabling management-by-exception.
    • depict actual performance against KPIs in dashboards and provide real-time feedback into the operations for prompt corrective action.
    • assure compliance in operations – sub-process and procedure routine checks and inspections must be performed to evaluate conformance with company policies and procedures. Audit performance must be measured and reported, and the expectations set for operating managers to take responsibility for compliance.
    • change management – ensure changes affecting compliance are reviewed for their impact on compliance. Compliance should be assured and the sign-off process must be followed before the changes are made. The MLRO and the Compliance Officer will be involved in the change management process.
    • ensure management involvement and leadership – The Managing Director will set the policy, culture, values, expectations, and goals. Audit reports and the outcome must be communicated to the Managing Director, who in turn must review the feedback and take action demonstrating their commitment to the Compliance Assurance Program.

    8.4 Scope

    • Compliance with basic due diligence requirements
    • Compliance with enhanced due diligence requirements
    • Escalation and sign-off procedures from audit trail
    • Compliance with high-risk customer requirements
    • Sanction screening measures for effectiveness (using test names) and to review handling of transactions flagged as false- and true-positives.
    • Handling of PEPs, including effectiveness of detection, and handling by management
    • SAR reporting procedure and how suspicious activities have been escalated, managed, and recorded.
    • Interview selection of staff at random to ensure they have a good working knowledge of their legal obligations and our policies and procedures.
    • Review training records to ensure completeness and compliance.
    • Review training records for any upcoming requirements in the next quarter.
    • Review of policies and procedures.
    • Review of risk assessment.

    8.5 Scheduling of Internal Audits

    It will be the responsibility of the MLRO to:

    • Schedule internal audits with the external compliance specialist firm.
    • Ensure the audit is completed in a timely manner and reported to the Managing Director upon audit completion.
    • Implement any follow-up actions and recommendations highlighted by the auditor in the audit report.

    Internal Audit of the AML and Compliance functions may be performed at least on an annual basis or as a one-off independent review as necessary.

    8.6 Reporting to Board (Managing Director)

    Compliance Assurance is the collective term for the measures taken by an institution to ensure that regulations, policies, and processes are adhered to, and seen to be adhered to. The Managing Director will set the policy, culture, values, expectations, and goals. Audit reports and the outcome must be communicated to the Managing Director, who will review feedback and act, demonstrating their commitment to the Compliance Assurance Program.

    9. RECORD-KEEPING

    We will have systems in place to ensure the security, integrity, and ease of access of compliance records. Oxford 19 will retain all required documents in an electronic, computerised format for a minimum of five years:

    • Company policy and procedures documents
    • Company risk assessment
    • Copies of all identity verification and other documents and information for all customers and beneficiaries – from the date of the last transaction or the end of the business relationship with the customer
    • Details of all customer transactions – from the date of the transaction
    • Details of all internal and external actions taken about the suspicious activity.
    • All details of internal investigations by the Nominated Officer where a decision was made not to file a suspicious activity report.
    • Details of all filed suspicious activity reports.
    • Staff training records, including staff member, date of training, contents of training, individual/body providing the training and the signature of the staff member to confirm training took place.
    • Internal audit results
    • External audit results [where applicable]

    10. TRAINING

    10.1 Requirements

    We will be required to ensure that our relevant employees are:

    • made aware of the risks of money laundering and terrorist financing, the relevant legislation, and their obligations under that legislation.
    • made aware of the identity and responsibilities of the firm’s Nominated Officer and MLRO.
    • trained in the firm’s procedures and in how to recognise and deal with potential money laundering and terrorist financing transactions or activity.
    • trained at regular intervals, with details of the training recorded.
    • provided with information on, and understand, the legal position of the firm and of individual members of staff, and of changes to these legal positions.
    • trained on how to operate a risk-based approach to AML and CTF.

    MLR Regulations define relevant employee as an employee whose work is relevant to the relevant person’s compliance with any requirement in these Regulations, or otherwise capable of contributing to the:

    • identification or mitigation of the risks of money laundering and terrorist financing to which the relevant person’s business is subject, or
    • prevention or detection of money laundering and terrorist financing in relation to the relevant person’s business.

    Responsibility for AML training is assigned to the MLRO and the overall responsibility for other trainings to the Training Manager/Facilitator (if appointed externally). Where staff (when appointed) have not been trained, or where staff have been inadequately trained, we may be open to penalties and/or criminal charges and this should be avoided as much as is possible.

    All staff connected to the provision of payment services, e.g., customer services, compliance staff and those handling customer funds, should receive relevant training specific to their roles.

    Senior Managers and the Compliance Officer must also undertake enhanced training facilitated by Oxford 19 to perform their roles effectively.

    10.2 AML/CTF Training Schedule

    The MLRO and the Compliance Officer will be responsible for developing, or overseeing the development of, our risk-based AML/CTF Compliance Training Program (the “Training Program”). The Training Program will be designed to educate Directors, Officers and Employees of Oxford 19 about the AML Program and their role in detecting and preventing money laundering and terrorist financing. This training will cover our regulatory obligations, awareness of money laundering and terrorist financing, and the detection of unusual activity, as well as the procedures to follow if money laundering or unusual activity is observed or suspected.

    We will provide full AML training to staff at least annually. Additional training may be provided where an increased risk has been identified or where a significant change has taken place in the business. Role-based training will also be provided to employees whose jobs impact Oxford 19’s AML/CTF compliance efforts.

    10.3 Training Records

    A record will be maintained of all staff training conducted, including the following information:

    • Copy of training materials.
    • Details of training provider, if provided externally.
    • List of staff who have completed training, with dates, with their signatures, or electronic training records.
    • Refreshed training schedule

    APPENDIX 1: ACKNOWLEDGEMENT FORM

    Oxford 19 Limited: AML and CTF Policy

    To be signed by all employees of Oxford 19 Limited.

    All personnel are required to read this policy and must then acknowledge having understood it by entering their name, signing, and dating it, and returning it to the Money Laundering Reporting Officer.

    To: The Money Laundering Reporting Officer

    I confirm receipt of Oxford 19’s AML and CTF Policy. I understand that the AML and CTF Policy is a guide to the more important rules and regulations applicable to Oxford 19 on Financial Crime Prevention, its Directors/Partners, Employees, and that it sets out certain principles, standards, policies, and procedures that must always be observed. I have familiarised myself with the content of this policy and, in cases of doubt as to the application of the requirements set out in the policy, will consult the Money Laundering Reporting Officer.

    Individual's name: .................................................

    Individual's signature: ...............................................

    Date: ....................

    APPENDIX 2: LEGISLATION AND GUIDANCE

    The CBN MLR Regulation requires firms to have policies, controls and procedures in place which provide for the identification and scrutiny of any activity or situation related to ML or TF that comply with CBN, EFCC and the Terrorism Acts. There are several changes introduced by the Regulation, including a greater focus on beneficial ownership of corporate vehicles and trusts. A centralised beneficial ownership register for trusts has been introduced, which will provide a single point of access for trustees and their agents to register and update their records online. The MLR Regulations set out what relevant businesses such as Money Service Businesses must do to prevent the use of their services for money laundering or terrorist financing purposes.

    To prevent financial crime within the organisation and to meet its regulatory requirements, the Company has taken the following steps:

    • establishment of a set of risk-based policies, procedures, and internal controls
    • due diligence and customer identification procedures, which are always followed by relevant staff.
    • assessment of ML and TF risks and application of enhanced measures in higher risk situations
    • ongoing monitoring of its customers’ transactions and business activities
    • periodical risk assessment and audits of all financial crime controls and systems
    • detection and reporting of suspected ML to the Economic and Financial Crimes Commission (EFCC) via a Suspicious Activity Report (SAR) submitted by the NO.
    • maintenance of strict and robust controls and procedures to detect and report any suspicious activity, including transaction and fraud monitoring.
    • keeping appropriate and accurate records
    • provision of training to all staff so that they can remain vigilant for the signs of financial crime.

    Where there are serious, repeated, or systematic breaches of customer due diligence, reporting obligations, record-keeping, or internal controls, the directive requires that at least the following sanctions and measures are available:

    • a public statement identifying the natural or legal person and the nature of the breach.
    • an order requiring the natural or legal person to cease the conduct and not repeat it.
    • where an obliged entity is subject to an authorisation, withdrawal, or suspension of the authorisation.
    • a temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other natural person, held responsible for the breach, from exercising managerial functions in obliged entities.
    • maximum administrative pecuniary sanctions of at least twice the amount of the benefit derived from the breach, where it can be determined, or at least NGN 10,000,000.

    Other Money Laundering Regulations have set out key additions to the AML scope of MLR considerations; this has been extended to tax advisers, real estate agents, interior designers, luxury goods dealers, art market participants, custodian wallet providers and other firms categorized as designated non-financial institutions under the Special Control Unit for Money Laundering (SCUML) Regulations. Firms involved in these sectors will now have to comply with the requirements of the Money Laundering Regulations and be supervised. Relevant amendments to the Company’s business include:

    The Central Bank of Nigeria, through the Nigeria Sanctions Committee (NIGSAC), has called for the extension of the obligation to apply enhanced customer due diligence to all high-risk individuals and third countries as specified by the Financial Action Task Force (FATF) and the NIGSAC.

    The current Nigerian list of high-risk third countries is:

    • Albania
    • Barbados
    • Burkina Faso
    • Cambodia
    • Cameroon
    • Cayman Islands
    • Croatia
    • Democratic People’s Republic of Korea
    • Haiti
    • Iran
    • Jamaica
    • Jordan
    • Mali
    • Malta
    • Morocco
    • Myanmar
    • Nicaragua
    • Pakistan
    • Panama
    • Philippines
    • Senegal
    • South Sudan
    • Syria
    • Turkey
    • Uganda
    • Vietnam
    • Yemen
    • Zimbabwe

    The current Nigerian list of high-risk individuals and corporates is:

    • Abdurrahaman Musa Ado Nljasi
    • Bashir Ali Yusuf
    • Ibrahim Ali Alhassan
    • Muhammed Ibrahim Isah
    • Salihu Yusuf Adamu
    • Surajo Abubakar Mohammed
    • Fannami Alhaji Bukar
    • Muhammed Musa
    • Sahabi Ismail
    • Mohammed Saleh Buba
    • Alin Yar Yaya General Enterprises
    • K.Are Nigeria Limited

    International and Cross-Border Jurisdictions and Obligations

    The Financial Action Task Force (FATF), Basel Committee, The Egmont Group and other FATF-style regional bodies shape international standards in respect of AML and CTF. They have evolved and implemented generic global ‘Recommendations’ setting out the legal, supervisory and enforcement requirements and expectations for members to follow and adopt. The FATF also undertakes comprehensive evaluations of member jurisdictions to independently assess and report on the quality and robustness of their AML and CTF regime. Further, at the international political-economic level, international bodies such as the G20 also play a pivotal role in providing further leadership and direction on evolving global requirements and priorities.

    Other international bodies also produce periodic intelligence and findings which usefully assist the Company in monitoring and managing financial-crime risks and exposures on a comparative and cross-border basis. In particular, the annual Corruption Perceptions Index (CPI) issued by Transparency International provides an analytical tool to compare and look at trends in helping to assess and determine relevant matters.

    Consequences of Non-Compliance

    The CBN, EFCC and other sanction enforcement bodies use a wide range of enforcement powers (criminal, civil and regulatory) to protect consumers and to act against firms and individuals that do not meet their standards. The actions can be as shown below:

    • withdrawing a firm's authorisation.
    • prohibiting individuals from carrying on regulated activities.
    • suspending firms and individuals from undertaking regulated activities or varying their permission(s).
    • issuing fines and/or public censures against firms and individuals who breach rules.
    • making a public announcement when a disciplinary action has begun and publishing details of warning, decision, and final notices.
    • applying to courts for injunctions, forfeiture orders, freezing orders, restitution orders, winding-up and other insolvency orders.
    • bringing criminal prosecutions to tackle financial crime.
    • issuing warnings and alerts about unauthorised firms and individuals.