AML - CFT Policy
Last updated on 18/02/2026 at 18:24
ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM (AML/CFT) POLICY - GOATCOM
1. Introduction and Objective
1.1. GOAT COMMERCE LTDA (“GOATCOM”), a limited liability company, registered with the CNPJ under No. 60.126.754/0001-14, acts as a sub-acquirer and provider of technological infrastructure for e-commerce, within the context of the Brazilian Payment System (SPB). Recognizing the importance of its position in the financial ecosystem, Goatcom assumes an institutional and ethical commitment to Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT).
1.2. This AML/CFT Policy is the formal document that establishes the governance structure, operational procedures, and internal controls that Goatcom adopts to mitigate the risk of being used, intentionally or otherwise, as a vehicle for the practice of financial crimes, such as the concealment of assets, the conversion of illicit resources, or the financing of terrorist activities.
1.3. The objective is to ensure that Goatcom operates in full compliance with the Brazilian regulatory framework, especially the rules of the Central Bank of Brazil (BACEN) and the Council for Control of Financial Activities (COAF). Although Goatcom acts as a sub-acquirer and does not require direct authorization from BACEN, it indirectly submits to SPB rules and adopts market best practices, in line with the Risk-Based Approach (RBA). Full adherence to this policy is a duty of all involved, aiming to protect the solidity, reputation, and integrity of the company and the national financial system.
2. Legal and Normative Foundations
2.1. Goatcom's AML/CFT Policy is built on a solid legal and regulatory foundation, which defines the obligations and standards of conduct required for acting in the payments market:
| Norm | Detailed Description | Relevance for Goatcom (Sub-acquirer) |
|---|---|---|
| Law No. 9,613/1998 | Provides for the crimes of "laundering" or concealment of assets, rights, and values, the prevention and repression of these crimes, and establishes the obligation to report suspicious transactions to COAF. | It is the primary law that defines Goatcom's responsibility as a legal entity that participates in payment arrangements and processes financial transactions. |
| BACEN Circular No. 3,978/2020 | Establishes the policy, procedures, and internal controls to be adopted by regulated institutions, with a focus on the Risk-Based Approach (RBA). | It is the main technical reference. Goatcom fully adopts its principles, especially those relating to IRA, KYC, monitoring, and governance, to demonstrate regulatory robustness. |
| BACEN Circular Letter No. 4,001/2020 | Discloses the non-exhaustive list of operations and situations that, in BACEN's understanding, may constitute signs of occurrence of the crimes of "laundering" or concealment of assets. | Provides technical parameters and practical examples that guide the parameterization of Goatcom's transactional monitoring systems. |
| BCB Resolution No. 501/2025 | Amends BCB Resolution No. 142/2021, reinforcing procedures and controls for fraud prevention, with emphasis on rejecting transactions to suspicious accounts. | Obliges Goatcom to integrate the fight against fraud (especially "mule accounts") with AML/CFT, requiring real-time monitoring mechanisms and collaboration with other institutions. |
| COAF Resolution No. 40/2021 | Provides for the procedures to be observed by obligated persons in identifying Politically Exposed Persons (PEPs). | Defines the criteria and mandatory enhanced due diligence (EDD) for relationships with PEPs and their associates. |
| FATF/GAFI Recommendations | International standards for combating money laundering and the financing of terrorism, adopted by more than 200 countries. | Aligns Goatcom's practices with the highest global standards of integrity and due diligence, essential for international credibility. |
3. Scope and Responsibilities
3.1. Scope of Application
3.1.1. This Policy has broad and mandatory application across Goatcom's entire value chain, covering:
- Natural and Legal Persons: All employees, administrators, partners, service providers, suppliers, and business partners.
- Business Relationships: All commercial relationships established by Goatcom, regardless of the nature of the contract or the duration of the relationship.
3.2. Responsibilities
3.2.1. **Board of Directors:** Responsible for approving this Policy and ensuring that the organization maintains a culture of compliance and integrity.
3.2.2. **Compliance Unit:** Responsible for implementing, managing, and monitoring the AML/CFT program, as well as reporting suspicious transactions to COAF.
3.2.3. **All Employees:** Responsible for knowing and complying with the guidelines of this Policy, as well as reporting any suspicious activity identified in their daily activities.
4. Risk-Based Approach (RBA)
4.1. Goatcom adopts the Risk-Based Approach (RBA) to identify, evaluate, and understand the AML/CFT risks to which it is exposed. The RBA allows resources to be allocated more efficiently, focusing efforts on higher-risk areas.
4.2. Internal Risk Assessment (IRA)
4.2.1. Goatcom performs an Internal Risk Assessment (IRA) at least annually to identify and evaluate the risks associated with its products, services, customers, geographic areas, and delivery channels.
4.2.2. The IRA results in the classification of risk levels (Low, Medium, High) and guides the application of due diligence and monitoring procedures.
4.3. Risk Appetite
4.3.1. Goatcom has a **low risk appetite** for AML/CFT and **zero tolerance** for situations involving: Sanctioned Jurisdictions (UNSC or OFAC), Systemic Fraud, and Financing of Terrorism.
5. Due Diligence Procedures (KYC, KYP, KYS)
5.1. Due diligence is the process by which Goatcom obtains information about its customers, partners, and suppliers, with the aim of confirming their identity, understanding the nature of their commercial relationship, and evaluating the AML/CFT risk they represent. Goatcom adopts the Know Your Customer (KYC) principle and extends it to Know Your Partner (KYP) and Know Your Supplier (KYS).
5.2. Simplified Due Diligence (SDD)
5.2.1. SDD is applied to Merchants (ECs) classified as Low Risk in the Internal Risk Assessment (IRA).
- Minimum Requirements: Collection of basic registration data (Name/Corporate Name, CPF/CNPJ, address, telephone, e-mail).
- Verification: Confirmation of CPF/CNPJ validity and consultation of public restriction lists (Federal Revenue, Sintegra).
- Update: Registration review is performed every 2 (two) years, or immediately after identifying any change in the transactional profile that may increase risk.
5.3. Standard Due Diligence (SDD)
5.3.1. Standard Due Diligence is applied to ECs classified as Medium Risk. This procedure requires more in-depth information collection and verification:
- Legal Entity (PJ): Documentation (Bylaws, CNPJ, partners' documents), Verification (sanction lists, PEPs, negative media), and Analysis (CNAE compatibility vs. transactional volume).
- Natural Person (PF): Documentation (ID, Driver's License or RNE, CPF, proof of residence) and Verification (authenticity and restrictive lists).
5.4. Enhanced Due Diligence (EDD)
5.4.1. EDD is applied to ECs classified as High Risk, including those that fall under the criteria for Politically Exposed Persons (PEPs) or that operate in high-risk sectors.
- Identification of the Ultimate Beneficial Owner (UBO): Identification of the natural person who holds control or more than 25% of the legal entity's share capital is mandatory.
- Verification of the Source of Funds: Obtaining documents that prove the lawful origin of resources (Income Tax, balance sheets).
- On-site Visit: In cases of extreme risk, Goatcom may perform in-person or virtual visits to the EC.
- Formal Approval: Requires formal approval from the AML/CFT Committee and the Compliance Director.
5.5. Politically Exposed Persons (PEPs)
5.5.1. The treatment of PEPs strictly follows COAF Resolution No. 40/2021. PEPs are persons who hold, or have held in the last 5 (five) years, relevant public positions or functions, as well as their family members and close associates. Every relationship with PEPs is automatically classified as High Risk.
5.6. Registration Update
5.6.1. Goatcom maintains a continuous process of registration update, with the frequency determined by the EC's risk level. Extraordinary updates are triggered in case of changes in registration data, incompatible transactional profile, or new negative media information.
6. Monitoring, Selection, and Analysis of Operations
6.1. Transactional monitoring allows for the detection of atypical patterns that may indicate the use of the platform for illicit purposes. Goatcom uses advanced systems, based on rules and artificial intelligence, to analyze the flow of transactions in real-time and retrospectively.
6.2. Selection Criteria and Parameterization
6.2.1. The system is parameterized based on BACEN Circular Letter No. 4,001/2020. Criteria include: Profile Incompatibility, Fragmentation (Smurfing), Circular Transactions, Use of Third Parties, Abrupt Pattern Change, and Operations with Risk Jurisdictions.
6.3. Fraud Prevention and AML/CFT (BCB Resolution No. 501/2025)
6.3.1. Goatcom integrates the fight against fraud with AML/CFT. Pursuant to BCB Resolution No. 501/2025, the company must reject transactions to suspicious accounts (mule accounts), participate in the exchange of information about fraud, and preventively block resources for up to 72 hours where there is well-founded suspicion.
6.4. Analysis and Decision
6.4.1. Selected operations are forwarded to the Compliance Unit for in-depth analysis (EDD). The decision may be for filing, reporting to COAF, or terminating the relationship.
7. Reporting to COAF
7.1. Goatcom recognizes its legal obligation to report to COAF any operations or proposals that may constitute signs of money laundering or the financing of terrorism, pursuant to Art. 11 of Law No. 9,613/1998.
7.2. Reporting of Suspicious Transactions (COS)
7.2.1. Reporting is mandatory and must be performed regardless of the transaction value. The COS must be made via Siscoaf within 24 hours after analysis. It is strictly forbidden to inform the customer or third parties about the report to COAF (secrecy).
7.3. Reporting of Cash Transactions and Others
7.3.1. Although Goatcom operates in e-commerce, any attempt at a cash transaction above the regulatory limit will be reported. Goatcom also performs "Negative Reporting" when required by regulation.
8. Records and Information Custody
8.1. Goatcom maintains records and documents related to AML/CFT for a minimum period of five years, counted from the termination of the relationship or the conclusion of the transaction.
8.2. Records include: Registration Data (documents, due diligence), Transactional Data (full history), Access Logs (in compliance with the Internet Bill of Rights), and Analysis Dossiers.
8.3. Access to records is restricted and controlled, limited to the Compliance Unit and Internal Audit, being provided to competent authorities only upon legal request.
9. Training and Compliance Culture
9.1. Goatcom invests in continuous awareness and training for its employees. The program is mandatory and segmented: Basic Training (General) for all employees and Advanced Training (Specific) for Compliance, Risk, Legal, and IT areas.
9.2. The company maintains an independent and confidential Whistleblowing Channel for reporting violations, ensuring anonymity and non-retaliation for good-faith whistleblowers.
10. Audit and Review
10.1. Internal Audit performs control tests (KYC, monitoring, reporting to COAF) and reviews the IRA annually to ensure compliance with BACEN Circular No. 3,978/2020.
10.2. This Policy is reviewed annually by the AML/CFT Committee and approved by the Executive Board, or extraordinarily in case of legislative changes or changes in the company's risk profile.
11. Final Provisions
11.1. Sanctions and Consequences
11.1.1. Failure to comply with this Policy will subject the offender to rigorous measures: Employees and Administrators (disciplinary sanctions up to dismissal for just cause) and Customers and Partners (suspension of operations, blocking of resources, and termination of contract).
11.2. Term and Publicity
11.2.1. This Policy takes effect on the date of its approval and must be widely disseminated. Approved by the Executive Board of Goatcom on January 16, 2026 (Version 3.0).
11.3. Normative References
- Law No. 9,613/1998
- BACEN Circular No. 3,978/2020
- BACEN Circular Letter No. 4,001/2020
- BCB Resolution No. 501/2025
- COAF Resolution No. 40/2021
- FATF/GAFI Recommendations