Bylls.com (A Service of Bitgo Technologies Inc.)

ANTI-MONEY LAUNDERING POLICY STATEMENT & PROGRAM PROCEDURES FOR Bylls.com (A Service of Bitgo Technologies Inc.) Bitgo Technologies Inc. 99 Sedgefield Avenue Pointe-Claire, QC H9R 1N8 (514) 898-5155 eric@bylls.com www.bylls.com Bitgo Technologies Inc. 99 Sedgefield Avenue Pointe-Claire, QC H9R 1N8 T 514-898-5155 eric@bylls.com www.bylls.com

INTRODUCTORY STATEMENT ON MONEY LAUNDERING PREVENTION & ILLEGAL ACTIVITY IN THE BITCOIN NETWORK 3 PART I: POLICY STATEMENTS 4 1. What is Money Laundering? 4 2. What Framework is used to Combat Money Laundering? 4 3. Compliance Regime 5 4. Compliance Officer 6 5. Information Shared under PCMLTFA 6 Suspicious transactions 6 Large cash transactions 7 Electronic funds transfers (EFTs) 7 6. Customer Verification 7 Information collected for Unverified Users 7 Information collected for Verified Users 7 7. Recordkeeping 8 8. Training Requirements for Staff and Management 8 PART II: PROGRAM PROCEDURES 10 1. Minimum Compliance Requirements 10 Client Identification Procedures 10 Record Keeping Procedures 11 Reporting Requirement Procedures 12 2. Risk-Based Assessment 13 Identification of High Risk Transactions 13 Procedures to Mitigate Risks 17 Procedures for Ongoing Monitoring 18 2

Introductory Statement on Money Laundering Prevention & Illegal Activity in the Bitcoin Network Bitgo Technologies Inc. ( Bitgo or the Company ) provides bill payment processing services to its users under the brand name Bylls, using the www.bylls.com website. The website allows users to search for their bills using an online banking database and the ability to settle these bills using the virtual cryptocurrency called Bitcoin. The way that the Company gets Canadian dollars for the Bitcoins it receives is by using online Bitcoin exchanges such as the Canadian Virtual Exchange ( Exchanges ). The Bitcoins are then sold using the Exchanges, where the Company is 100% registered and verified, and the Canadian dollars received as a result of these transactions are used to pay the third party payment processor in order to settle the bills of the customer. Based on our interpretations of the Financial Transactions and Reports Analysis Centre of Canada s (FINTRAC) guidelines, we do not we believe that the Company s current activities constitute money transferring, which is defined as: Transferring funds from one individual or organization to another using an electronic funds transfer network or any other method such as hawala, hundi, fei ch'ien, and chit. As such, we are not required to register as a Money Service Business ( MSB ) given that a virtual, cryptocurrency does not constitute funds. Despite this, the Company is strongly against money laundering, financing terrorism, and all other illegal uses of the Bitcoin network. We recognize that the original intentions of the creator of Bitcoin were to create a decentralized and distributed form of online cash that would rely on a peer-to-peer network with no trust involved and no central point of failure. Keeping this in mind, we also understand that the nature of the Bitcoin network creates several risks that the protocol will not be used for legitimate purposes. Despite the opportunity for illegal activity, we believe the benefits and legitimate uses of the Bitcoin protocol outweigh the negatives and we encourage the growth of legal Bitcoin uses. As such, the Company has prepared this anti-money laundering ( AML ) and know your customer ( KYC ) program (the AML Program ). Given that we do not believe we are operating as an MSB, law does not require an AML Program. We have created this program to be compliant in case there are any changes in the law, and to demonstrate our willingness to work with law enforcement and other financial institutions to assist with the capture of those who use our services and the Bitcoin network for illegal purposes, if required. 3

Part I: Policy Statements 1. What is Money Laundering? The United Nations defines money laundering as any act or attempted act to disguise the source of money or assets derived from criminal activity. Essentially, money laundering is the process whereby dirty money produced through criminal activity is transformed into clean money, the criminal origin of which is difficult to trace. There are three recognized stages in the money laundering process. Placement involves placing the proceeds of crime in the financial system. Layering involves converting the proceeds of crime into another form and creating complex layers of financial transactions to disguise the audit trail and the source and ownership of funds. This stage may involve transactions such as the buying and selling of stocks, commodities or property. Integration involves placing the laundered proceeds back in the economy to create the perception of legitimacy. The money laundering process is continuous, with new dirty money constantly being introduced into the financial system. Under Canadian law, a money laundering offence involves various acts committed with the intention to conceal or convert property or the proceeds of property (such as money) knowing or believing that these were derived from the commission of a designated offence. In this context, a designated offence means most serious offences under the Criminal Code or any other federal Act. It includes, but is not limited to those relating to illegal drug trafficking, bribery, fraud, forgery, murder, robbery, counterfeit money, stock manipulation, tax evasion and copyright infringement. A money laundering offence may also extend to property or proceeds derived from illegal activities that took place outside Canada. 2. What Framework is used to Combat Money Laundering? Money laundering became an offence in Canada several years ago, under amendments to the Criminal Code. These amendments also gave law 4

enforcement the ability to search, seize and restrain property believed to be proceeds of crime. The criminalization of the laundering of proceeds of crime (money laundering) led to many other legislative changes, such as amendments to the Customs Act and the Excise Act, among others. The first components of Canada's anti-money laundering regime consisted of certain record keeping and client identification requirements to assist in the detection and deterrence of money laundering. Although there were no reporting requirements at that time, information about any suspicious transactions could be provided voluntarily to law enforcement. In 2000, the Proceeds of Crime (Money Laundering) Act was introduced as part of these measures to create an anti-money laundering regime. In 2001, the first reporting requirement came into effect for suspicious transactions. These measures were subsequently enhanced and additional components were introduced. That same year, the scope of the Proceeds of Crime (Money Laundering) Act was expanded to include terrorist financing (see information about the Anti-terrorism Act in subsection 4.2). This resulted in the former Proceeds of Crime (Money Laundering) Act becoming the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Over the course of 2002 and 2003, other requirements under the PCMLTFA and related Regulations were phased-in, such as record keeping, client identification and other reporting obligations. In 2006, amendments to the PCMLTFA introduced changes such as the establishment of a money services businesses registry, the authority to levy administrative monetary penalties and the addition of new reporting sectors, among others. They also included measures to strengthen reporting, record keeping, client identification and compliance regime requirements. These changes were phased-in over the course of 2007 to 2009. 3. Compliance Regime As part of the FINTRAC requirements, the Company must develop and implement a compliance regime, consisting of: the appointment of a compliance officer; the development and application of compliance policies and procedures. These policies and procedures have to be written and kept up to date; an assessment and documentation of risks related to money laundering and terrorist financing, as well as the documentation and implementation of mitigation measures to deal with those risks; 5

an on-going compliance training program for employees. The training program has to be in writing and maintained and; a review of the Company s compliance policies and procedures to test their effectiveness. The review has to cover the policies and procedures, the assessment of risks related to money laundering and terrorist financing and the training program. The review also has to be done every two years. 4. Compliance Officer Eric Spano (CEO of Bitgo Technologies Inc.) is the AML Program Compliance Officer ( Compliance Officer ) for the Company, with full responsibility for the AML Program. Mr. Spano will be responsible for the implementation of the compliance regime. He will also have the authority and the resources necessary to discharge his responsibilities effectively. Eric Spano has been chosen to servce as Compliance Officer because: Mr. Spano is involved with the day-to-day activities since the company s inception and has been actively developing the Company s AML policies Mr. Spano has the most detailed understanding of the Company s business processes Mr. Spano has access to all parts of the approval process Mr. Spano s educational background gives him additional knowledge of compliance and internal controls since he has a BComm in Accountancy. Mr. Spano s professional background gives him additional knowledge of internal control environments and risk assessments since he was previously an external auditor at Ernst & Young LLP. 5. Information Shared under PCMLTFA In order to comply with FINTRAC requirements, the Company is required to share certain information with FINTRAC pursuant to the regulations set forth in the PCMLTFA. The required information to be shared is as follows: Suspicious transactions The Company has to report completed or attempted transactions if there are reasonable grounds to suspect that the transactions are related to the commission or attempted commission of a money laundering offence or a terrorist activity financing offence. This does not prevent the Company from reporting suspicions of money laundering or terrorist financing directly to law enforcement, and FINTRAC 6

encourages financial institutions and financial intermediaries to maintain established relationships with law enforcement. Large cash transactions The Company has to send large cash transaction reports to FINTRAC when it receives an amount of $10,000 or more in cash in the course of a single transaction. Electronic funds transfers (EFTs) The Company has to report incoming and outgoing international EFTs of $10,000 or more in a single transaction. These include the transmission of instructions for a transfer of funds made at the request of a client through any electronic, magnetic or optical device, telephone instrument or computer. 6. Customer Verification Given that users of the Company s service will be paying their bills, we believe that there is a low risk of fraud and money laundering because the bills that the users will be paying will be linked to a name, address and credit information. As such, our basic information collecting requirements are minimal, like the risk. We have two levels of customer verification: Verified and Unverified Information collected for Unverified Users Unverified users can spend up to $1,000 a month to settle their bills. Unverified users must provide the following information: First and last name Primary occupation Bill payee and account number Information collected for Verified Users Verified users can spend up to $30,000 a month to settle their bills. Given this increased level of spending, there is more information required from our Verified Users: First and last name Primary occupation Bill payee and account number High quality scan of Government issued photo ID High quality scan of Proof of Residence 7

We believe that the following customer verification procedures provide us sufficient information to fulfill the KYC requirements set out by FINTRAC. 7. Recordkeeping The Company will document its verification, including all identifying information provided by a User, the methods used and results of verification, and the resolution of any discrepancy in the identifying information. The Company will keep records containing a description of any document that it relied on to verify a User s identity, noting the type of document, any identification number contained in the document, the place of issuance, and if any, the date of issuance and expiration date. With respect to non-documentary verification, the Company will retain documents that describe the methods and the results of any measures it took to verify the identity of a User. Records required to be retained may be made in the ordinary course of business. However, if no record of any transaction with respect to which records are required to be retained is made in the ordinary course of business, then the Company will prepare such a record in writing. Additionally, the Company will maintain access to transactional records generated in the ordinary course of business that would be needed to reconstruct a customer's use of the Company services to make bill payments. The Company will retain all required records for a period of five years. Furthermore, the retained records will be filed or stored in such a way so as to be accessible within a reasonable period of time, taking into consideration the nature of the record, and the amount of time expired since the record was made. 8. Training Requirements for Staff and Management The following section will act as the written compliance training program. It has been last updated on September 4, 2013. Who needs to be trained? How will the trainee receive background information on money laundering and terrorist financing? How will the trainee learn about the Company s processes and Any employee of the Company that has access to the system back-end and can make system changes Trainees will be required to gain a basic understanding by reading through the Financial Action Task Force s (FTAF) anti-money laundering primer, which will be printed out at the time of traning Trainees will be required to read through this document in addition to 8

procedures? What other documentation will be used? spending a 2-hour training session with the Compliance Officer in order to better understand the Company s procedures After reading the FATF documentation as well as the Company s AML Policy and receiving on-site training with the Compliance Officer, trainees will be given access to FINTRAC s database of training material that is made available within F2R, which is FINTRAC s web-based resource center 9

Part II: Program Procedures 1. Minimum Compliance Requirements As a minimum baseline requirement, the Company is required to ensure adequate collection of client identification, record keeping and fulfillment of reporting requirements. The following section will identify the Company s procedures related to these reporting requirements. Client Identification Procedures! Procedure 1: Client Account Registration Before being able to use the Company s services, a user must register a Bylls account. At this point, the Company will obtain the following information from the user: First and last name Date of Birth Primary Occupation At this point, the user will be considered as unverified and as such, will have very limited spending limits. According to FINTRAC guidelines, users will only need to become verified once they have transmitted $1,000 or more on a monthly basis. As a result, unverified users will only be permitted to spend $999 per month, and they will be unable to pay bills to known prepaid credit card companies. The information collected above will constitute the original client records, which must be kept by the Company at all times.! Procedure 2: Client Verification A user of the Company s services will need to become verified if they desire to transmit $1,000 or more on a monthly basis. Given that all of the Company s bill payment transactions occur in such a way that the individual using the service is never physically present, there are special procedures used to verify these individuals. The Company uses two methods: an instant verification method and a manual verification method. The instant verification method is a service provided to the Company by miicard Limited, a UK-based identity verification service. The client will need to register 10

an account with miicard, and then miicard will validate the identity of the client on behalf of the Company. This method provides a Level of Assurance 3+ and meets the KYC and AML guidelines as described by FINTRAC. This process is nearly instantaneous and requires no further procedures on the part of the Company. Once miicard has successfully verified the user, the Company s system automatically recognizes and records this. The manual verification method requires the client to submit two high-quality scanned documents to the Company for an internal verification. The client uploads these documents securely, and the Company maintains them for internal record keeping purposes. The accepted forms of identification are: the individual's birth certificate, driver's license, passport, record of landing, permanent resident card or other similar document; a proof of address (utility bill, cellular phone bill, etc.); Once these documents are received, the Company ensures that they match the information provided by the client in the original client records. Record Keeping Procedures FINTRAC requires MSBs to keep records of certain types of transactions. With regards to the bill payment services provided by the Company, there are a few types of transactions that need to be recorded:! Procedure 1: Conducting transactions of $1,000 or more In these transactions, a user will create a single bill payment request for an amount of $1,000 or greater. When these transactions occur, the Company is required to do two things: 1. Keep a record about the transaction 2. Identify the individual Given that the internal controls of the bill payment system will not allow any user to exceed their bill payment limits if they have not been verified, any user that successfully completes a bill payment request of $1,000 or more will be verified using the procedures outlined in the previous section, thus fulfilling the second requirement. The Company stores electronic copies of each transaction, and these records are backed up on a daily basis. FINTRAC requires that records be kept in a system that will enable them to be accessed in a timely fashion. By storing transaction records electronically, the Company is able to easily produce a paper copy of the information if necessary. 11

! Procedure 2: Suspicious Transactions At any point, employees of the Company may deem a specific bill payment request to be suspicious, based on the client s communication and usage patterns, or simply due to the nature of the bill that is being paid. If a transaction is flagged as suspicious, the Company will: Identify the individual (using the original client records or other verification measures) Submit a suspicious transaction report to FINTRAC The company uses the following criteria (including but not limited to) to identify suspicious transactions: Multiple bill payment requests for the same bill Bill payment requests for prepaid credit cards Bill payment requests to companies that could be affiliated with the user Suspicion that the user is acting on behalf of a third party Reporting Requirement Procedures The Company is required to report certain information to FINTRAC. Given the nature of the bill payment processing services offered by the Company, the only reporting requirement process that is relevant is for Suspicious Transactions. The Company does not deal with cash transactions of any sort, nor does it receive any EFT transfers on behalf of its users.! Procedure 1: Reporting Suspicious Transactions If a transaction as been flagged as suspicious, the documentation outlined in the previous section will be recorded. If a series of transactions have been flagged as suspicious, then the documentation outlined in the previous section will need to be collected and gathered for each of the transactions in question. The report must be filed with FINTRAC within 30 days of when it was flagged as suspicious. Whether the transaction has been successfully completed or simply attempted is irrelevant this is especially important in the Company s case because there can be suspicious transactions that will not be processed (ie: the Company receives Bitcoins from a user but deems the transaction to be suspicious and doesn t process the transaction). Reports must be submitted electronically to FINTRAC. In order to expedite the process, at the end of every business week the Compliance Officer will compile a 12

list of suspicious transactions for review and subsequently submit the suspicious transaction reports to FINTRAC. In order to ensure that suspicious transactions have been properly identified, the Company will include the following information in the suspicious transaction reports: Indicators observed during the transaction Information about the person who requested the transaction (including suspected aliases or associates) Information as to why their behavior was deemed to be suspicious given the nature of the Company s operations If there are multiple transactions, an explanation as to why they are related 2. Risk-Based Assessment Identification of High Risk Transactions The Company believes that this risk assessment is necessary in order to effectively analyze the potential threats and vulnerabilities to money laundering that will be faced. There are several preliminary factors that need to be outlined before proceeding with the analysis. The Company would like to first outline its products and services, the geographic locations where its services are offered and of its clients. Services Offered Geographic Location of Company Geographic Location of Clients Bitcoin bill payment processing Canada Canada The relationship that the Company has with its clients is fairly straight forward the client will specify which bills they would like to have paid, and the client then makes a bill payment request. Once the bill payment request has been made, the Company will provide a quoted rate at which the client s Bitcoins will be exchanged for Canadian dollars. Should the user agree to the rate and send the Bitcoins, the Company will then pay the bill on the users behalf based on the users payment instructions. Given that the Company and its clients are based in Canada, this eliminates the possibility that the Company will be doing business with clients in countries that have been labeled as high-risk with regards to money laundering and terrorist financing. Furthermore, given the simplicity of the services offered to its clients, the Company does not foresee a large risk involved with settling bills for its clients. 13

The following tables are developed by FINTRAC to help with the risk assessment process, and have been duly filled out by the Company. Table 1: Identify whether you provide any of the following products, services or delivery channels Do you offer services that make it difficult to fully identify clients? Do you offer electronic funds payment services? Do you offer any of the following: Electronic cash (for example stored value and payroll cards)? Funds transfers (domestic and international)? Automated banking machines? Do you offer any of the following: International correspondent banking services involving transactions such as commercial payments for non-clients (for example, acting as an intermediary bank) and use of carriers or couriers for international transport of cash, monetary instruments or other documents (pouch activities)? Services involving banknote and precious metal trading and delivery? Electronic banking? Private banking (domestic and international)? Foreign correspondent accounts? Trade finance activities (letters of credit)? Lending activities, particularly loans secured by cash collateral and marketable securities? Non-deposit account services (for example, non-deposit investment products and insurance)? Accounts through which you can extend cheque or bank draft writing privileges to the clients of other institutions, often foreign banks (pass through or payable through type accounts)? Services involving an immigrant investor program? Non face-to-face transactions, such as Internet services, by mail or by telephone? Yes No 14

The risks identified in Table 1 center around the non face-to-face transactions and the fact that clients could use the Company s services to fund stored value cards such as prepaid credit cards. The former is not a large risk, however the latter could potentially allow clients to use the Company s services to launder money. Table 2: Identify whether of the following apply to the Company s clients: Are clients cash-intensive businesses? Does the client transfer a lot of cash to the Company? Is the client an intermediary or "gatekeeper" such as a professional that holds accounts for clients where the identity of the underlying client is not disclosed to you? Does the client use unsupervised intermediaries within the relationship who are not subject to adequate antimoney laundering or anti-terrorist financing obligations? Does client identification take place other than face-toface? Does the client reside outside Canada? Does the client deal offshore? Is the client an unregistered charity or other unregulated "not for profit" organization (especially one operating on a "cross-border" basis)? Is the client located in a known high crime rate country? Does the comparison between your clients with similar profiles and high levels of assets or large transactions seem unreasonable? Does the knowledge of local laws, regulations and rules seem excessive for your client? Do your clients use intermediate vehicles (such as corporations, trusts, foundations, partnerships) or other structures that do not seem usual for their business or seem very complex and unnecessary? Yes No As per the questionnaire in Table 2, the only risk factor to consider is that verification is not done face-to-face, nor is the bill payment requests. This means 15

that someone can claim to be a different person and settle bills for someone else or on behalf of a third-party. Now that several questionnaires have identified some risk factors, we will make reference to FINTRAC s Risk Level Assessment Matrix (what applies to the Company has been highlighted in light green): Low Moderate High Stable, known client base No electronic transaction services or the Web site is informational or nontransactional There are few or no large currency transactions. Identified a few high-risk clients and businesses Few international accounts or very low volume of currency activity in the accounts A limited number of fund transfers for clients, non clients, limited third-party transactions, and no foreign funds transfers Your business is located in an area known to have low crime rate. No transactions with high-risk geographic locations Low turnover of key antimoney laundering personnel and frontline personnel (i.e., client service representatives, tellers, or other personnel) Client base increasing due to branching, merger, or acquisition You are beginning electronic transaction services and offer limited products and services. There is a moderate volume of large currency or structured transactions. Identified a moderate number of high-risk clients and businesses Moderate level of international accounts with unexplained currency activity A moderate number of fund transfers, a few international fund transfers from personal or business accounts with typically low-risk countries Your business is located in an area known to have moderate crime rate. Minimal transactions with highrisk geographic locations Low turnover of key antimoney laundering personnel, but frontline personnel may have changed A large and growing client base in diverse geographic area You offer a wide array of electronic transaction services (i.e., account transfers, or accounts opened via the Internet). There is a significant volume of large currency or structured transactions. Identified a large number of high-risk clients and businesses Large number of international accounts with unexplained currency activity Frequent funds from personal or business accounts to or from high-risk jurisdictions, and financial secrecy havens or jurisdictions. Your business is located in an area known to have high crime rate. Significant volume of transactions with high-risk geographic locations High turnover, especially in key anti-money laundering personnel positions Aside for the following major risks, the Company believes that its risk assessment for providing bill payment services using Bitcoin is LOW. Major Risks: Non face-to-face transactions Non face-to-face verification process 16

Possibility of funding stored value/prepaid credit cards Procedures to Mitigate Risks The Company has various procedures in place to address the major risks that have been identified. Non face-to-face transactions Since all of the bill payment requests are made online, the Company has no faceto-face transactions. In order to mitigate this risk, users of the Company s bill payment service must register an account with the Company. Furthermore, this risk is considered to be of low-risk of money laundering and terrorist financing because should there be a suspicious transaction, the Company will be able to determine which bill was paid and who the bill belongs to, whether or not the individual was present. Given the fact that the bill that was paid can always be traced the Company believes that requiring users to register and keeping well-documented transaction details entirely mitigates this risk. Lastly, the Company s stringent verification process entirely mitigates this risk should the user fall within the spending threshold that requires verification. Non face-to-face verification process While this risk was outlined by FINTRAC in the previous tables, the Company does not believe that this poses a significant risk. However, there are still procedures in place to mitigate the riskiness of non face-to-face verification. The major procedure in place is the use of miicard verification services. FINTRAC states that there several methods for non face-to-face verification that are acceptable and they require a combination of 2 approved methods. The miicard service uses these methods and thus mitigates this risk: Method 1: Confirmation of deposit account method Method 2: Identification product method Method 3: Credit file method Possibility of funding stored value/prepaid credit cards The most significant risk is that customers will opt to fund a prepaid credit card using the Company s bill payment services to fund a prepaid credit and then use the funds for other purposes. This is the highest risk of the Company s services being used for money laundering or terrorist financing purposes and as such, the Company has developed the following procedure to mitigate this risk. 17

The Compliance Officer reviews the bill payment database on a weekly basis to look for payees that have been identified as stored value/prepaid credit card providers. These payees are flagged and controlled in such a way that a user must be verified to transfer any amount to one of these payees. By requiring verification, the risk that a user will attempt to launder money or finance terrorism through this method is vastly reduced because once they become verified, the user will be easy to identify should any transactions be deemed suspicious. Procedures for Ongoing Monitoring The ongoing monitoring procedures for the Company are as follows: review transactions based on an approved scheduled that involves management sign-off; develop reports or perform more frequent review of reports that list high risk transactions. Flag activities or changes in activities from your expectations and elevate concerns as necessary; set business limits or parameters regarding accounts or transactions that would trigger early warning signals and require mandatory review; review transactions more frequently against suspicious transaction indicators relevant to the relationship and escalate them should additional indicators be detected. 18