AML Policy

BetFlow Payments Ltd ("BetFlow") is fully committed to preventing money laundering, terrorist financing, and other forms of financial crime. As a payment gateway provider serving the sports betting and iGaming industry, we recognise that our services may be targeted by criminals seeking to launder the proceeds of crime or to finance terrorism through gambling-related transactions. We take this threat seriously and have implemented a comprehensive Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) programme designed to detect, prevent, and report suspicious activity.

This AML Policy sets out the principles, procedures, and controls that BetFlow has adopted to ensure compliance with all applicable anti-money laundering laws and regulations. The policy applies to all BetFlow employees, officers, directors, contractors, and agents, regardless of their role or seniority. All personnel are required to familiarise themselves with this policy and to comply with its requirements in the performance of their duties.

BetFlow maintains a zero-tolerance approach to money laundering and terrorist financing. Any employee who knowingly facilitates, assists, or fails to report suspected money laundering or terrorist financing will be subject to disciplinary action, up to and including termination of employment, and may face criminal prosecution under applicable law. We are committed to cooperating fully with law enforcement and regulatory authorities in the investigation and prosecution of financial crime.

BetFlow's AML programme is designed to comply with all applicable anti-money laundering and counter-terrorism financing laws and regulations, including but not limited to the following:

The Prevention of Money Laundering Act (Cap. 373 of the Laws of Malta) and the Prevention of Money Laundering and Funding of Terrorism Regulations (S.L. 373.01), which transpose the EU Anti-Money Laundering Directives into Maltese law. The 4th Anti-Money Laundering Directive (EU 2015/849) and the 5th Anti-Money Laundering Directive (EU 2018/843), which establish the EU-wide framework for preventing the use of the financial system for the purposes of money laundering or terrorist financing. The 6th Anti-Money Laundering Directive (EU 2018/1673), which establishes minimum rules on the criminal definition of money laundering.

The Financial Intelligence Analysis Unit (FIAU) Implementing Procedures, which provide detailed guidance on the implementation of AML/CTF obligations for subject persons in Malta, including payment service providers and entities operating in the iGaming sector. The Malta Gaming Authority (MGA) Directive on Anti-Money Laundering and Countering the Financing of Terrorism, which sets out specific AML/CTF requirements for licence holders and key functions in the Maltese gaming sector.

BetFlow also has regard to the Financial Action Task Force (FATF) Recommendations on international standards for combating money laundering, terrorist financing, and the financing of proliferation of weapons of mass destruction, as well as the FATF's sector-specific guidance for payment service providers and the gambling sector. Our AML programme is subject to regular review and update to ensure ongoing compliance with evolving regulatory requirements and industry best practices.

BetFlow conducts a comprehensive Business Risk Assessment (BRA) at least annually, and more frequently when triggered by material changes in our business model, customer base, product offerings, geographic footprint, or the broader threat landscape. The BRA identifies and evaluates the money laundering and terrorist financing risks to which BetFlow is exposed and informs the design and calibration of our AML controls.

Our risk assessment considers multiple risk categories, including customer risk (the risk associated with different types of operators and their player bases), product and service risk (the risk associated with different payment methods, transaction types, and service features), geographic risk (the risk associated with jurisdictions where our operators are licensed or where their players are located), and delivery channel risk (the risk associated with non-face-to-face business relationships and digital payment channels).

Based on the results of our BRA, we assign a risk rating (low, medium, or high) to each operator relationship and apply proportionate due diligence measures accordingly. Higher-risk relationships are subject to enhanced due diligence (EDD), more frequent reviews, and closer ongoing monitoring. The BRA is approved by BetFlow's senior management and is made available to our regulators upon request. We also conduct individual risk assessments at the operator onboarding stage and throughout the business relationship to ensure that the risk rating remains appropriate and that our controls remain proportionate to the identified risks.

BetFlow applies Customer Due Diligence (CDD) measures to all operators before establishing a business relationship, and on an ongoing basis throughout the relationship. CDD is a fundamental component of our AML programme and enables us to understand who our customers are, the nature and purpose of the business relationship, and the expected pattern of activity.

Our standard CDD measures include: identification and verification of the operator's legal identity through official corporate documents (certificate of incorporation, memorandum and articles of association, trade register extracts); identification and verification of the beneficial owners who ultimately own or control more than 25% of the operator; identification and verification of key management personnel and authorised signatories; obtaining information about the purpose and intended nature of the business relationship, including anticipated transaction volumes, payment methods, and target markets; and verification of the operator's gambling licence and regulatory standing.

Enhanced Due Diligence (EDD) is applied where the operator or business relationship presents a higher risk of money laundering or terrorist financing. This includes, but is not limited to, operators licensed in higher-risk jurisdictions as identified by the FATF or our own risk assessment, operators with Politically Exposed Persons (PEPs) in their ownership or management structure, operators with complex or opaque ownership structures, and operators whose anticipated transaction volumes or patterns present elevated risk. EDD measures may include obtaining additional documentation on the source of funds and source of wealth, conducting enhanced background checks, requiring senior management approval for the business relationship, and applying more intensive ongoing monitoring.

CDD documentation is refreshed at least every twelve (12) months for high-risk relationships, every twenty-four (24) months for medium-risk relationships, and every thirty-six (36) months for low-risk relationships, or whenever a trigger event occurs that may affect the risk rating of the relationship.

BetFlow's KYC procedures are designed to establish and verify the identity of our operator clients and their beneficial owners at the onboarding stage and on an ongoing basis. Our KYC process is a critical component of our CDD programme and is informed by regulatory requirements and industry best practices.

For corporate entities, our KYC process requires the following documentation: a certified copy of the certificate of incorporation or equivalent registration document; a copy of the memorandum and articles of association or equivalent constitutional documents; a recent trade register extract (not more than three months old); a certificate of good standing or equivalent confirmation from the relevant corporate registry; a completed beneficial ownership declaration identifying all natural persons who ultimately own or control more than 25% of the entity; and a corporate structure chart where the ownership structure involves multiple layers or entities.

For individual beneficial owners and key management personnel, we require: a valid government-issued photo identification document (passport, national ID card, or driving licence); a proof of residential address (utility bill, bank statement, or government correspondence dated within the last three months); a completed PEP declaration confirming whether the individual is a Politically Exposed Person, a family member of a PEP, or a known close associate of a PEP; and, where applicable, a source of wealth declaration supported by appropriate documentation.

All identification documents are verified through a combination of manual review by trained compliance personnel and automated verification using reputable third-party identity verification services. We maintain copies of all KYC documentation in our compliance records system, in accordance with our record-keeping obligations described in Section 8 of this policy.

BetFlow operates a comprehensive transaction monitoring programme designed to detect potentially suspicious transactions and activity patterns across our payment gateway. Our monitoring systems analyse transactions in real time and on a post-event basis, using a combination of rule-based alerts, behavioural analytics, and anomaly detection techniques.

Our transaction monitoring rules are calibrated to detect typologies commonly associated with money laundering in the sports betting and iGaming sector, including: structuring or "smurfing" (breaking large transactions into smaller amounts to avoid reporting thresholds); round-tripping (depositing funds into a sportsbook account and withdrawing them with minimal or no betting activity, effectively using the sportsbook as a laundering vehicle); rapid movement of funds (frequent deposits and immediate withdrawals without commensurate betting activity); unusual transaction patterns that are inconsistent with the operator's stated business profile or historical norms; and transactions involving high-risk jurisdictions or payment methods associated with elevated money laundering risk.

Our monitoring systems generate automated alerts when transactions or activity patterns match predefined rules or deviate significantly from expected behaviour. All alerts are reviewed by trained compliance analysts who assess whether the activity is genuinely suspicious or can be explained by legitimate business reasons. Alerts are triaged and escalated according to a documented priority framework, with the most critical alerts reviewed within twenty-four (24) hours of generation. We continuously refine our monitoring rules based on emerging typologies, regulatory guidance, and the results of our own investigations and risk assessments.

Where BetFlow knows, suspects, or has reasonable grounds to suspect that a transaction or activity may be related to money laundering, terrorist financing, or other financial crime, we are legally obligated to file a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) with the Financial Intelligence Analysis Unit (FIAU) of Malta.

The decision to file an STR/SAR is made by BetFlow's Money Laundering Reporting Officer (MLRO) or their deputy, based on the findings of the compliance team's investigation. Reports are filed promptly using the FIAU's designated reporting system. The content of each report includes all relevant details of the suspicious transaction or activity, the identity of the persons involved, the nature and grounds for the suspicion, and any supporting documentation.

Under Maltese law and EU regulation, BetFlow is prohibited from "tipping off" any person who is the subject of an STR/SAR. This means that we may not inform the operator, player, or any other person that a report has been filed, that an investigation is being conducted, or that information has been disclosed to the FIAU. Any BetFlow employee who engages in tipping off, whether directly or indirectly, commits a criminal offence and will be subject to immediate disciplinary action and potential criminal prosecution.

BetFlow may also be required to freeze transactions or withhold funds where directed to do so by the FIAU or other competent authority, or where we determine that continuing to process transactions would expose BetFlow to the risk of facilitating money laundering or terrorist financing. We cooperate fully with the FIAU and law enforcement authorities in response to information requests and production orders.

BetFlow maintains comprehensive records of all CDD documentation, transaction data, monitoring alerts, investigations, and STR/SAR filings in accordance with applicable legal and regulatory requirements. Our record-keeping practices are designed to ensure that all relevant information is readily accessible for regulatory inspection, internal audit, and law enforcement requests.

CDD and KYC records (including identification documents, verification results, beneficial ownership declarations, and risk assessments) are retained for a minimum of five (5) years from the date the business relationship with the operator ends, or from the date of an occasional transaction, whichever is later. Transaction records (including the nature and amount of each transaction, the date and time, and the identities of the parties involved) are retained for a minimum of five (5) years from the date of the transaction. These retention periods may be extended where required by a specific legal obligation, regulatory directive, or ongoing investigation.

Monitoring alerts and investigation records (including the assessment of each alert, any inquiries made, and the outcome of the investigation) are retained for a minimum of five (5) years from the date the alert was generated or the investigation was concluded. STR/SAR records (including the content of each report, supporting documentation, and any correspondence with the FIAU) are retained for a minimum of five (5) years from the date the report was filed, or longer where required by the FIAU.

All records are stored securely with appropriate access controls, ensuring that only authorised compliance personnel can access sensitive AML records. Electronic records are backed up regularly and stored in geographically separated data centres to ensure business continuity and disaster recovery. BetFlow uses a dedicated compliance case management system to maintain an auditable record of all AML-related activities.

BetFlow recognises that the effectiveness of our AML programme depends on the knowledge, awareness, and vigilance of our employees. We maintain a comprehensive AML/CTF training programme that is mandatory for all employees, with enhanced training for those in compliance, risk management, customer-facing, and senior management roles.

All new employees receive induction AML training within their first two weeks of employment, covering the fundamentals of money laundering and terrorist financing, BetFlow's legal and regulatory obligations, the role and responsibilities of the MLRO, how to identify and report suspicious activity, and the consequences of non-compliance (including criminal sanctions for individuals). New employees must pass a knowledge assessment before being granted access to customer data or transaction processing systems.

Annual refresher training is mandatory for all employees and covers updates to AML legislation and regulation, new money laundering and terrorist financing typologies relevant to the sports betting and iGaming sector, case studies based on de-identified internal investigations and FIAU bulletins, changes to BetFlow's AML policies and procedures, and practical exercises in identifying and escalating suspicious activity.

Enhanced training is provided to compliance team members, the MLRO, senior management, and other employees in high-risk roles. This training covers advanced topics such as beneficial ownership analysis, PEP identification and risk assessment, sanctions screening, transaction monitoring system tuning, and STR/SAR drafting and filing. Training records, including attendance, content, and assessment results, are maintained for a minimum of five years.

BetFlow has appointed a Money Laundering Reporting Officer (MLRO) in accordance with the requirements of the Prevention of Money Laundering Act (Cap. 373) and the FIAU Implementing Procedures. The MLRO is a senior member of BetFlow's compliance team and has been approved by the FIAU to hold this role.

The MLRO is responsible for: receiving and assessing internal suspicious activity reports from BetFlow employees; deciding whether to file an STR/SAR with the FIAU based on the assessment of internal reports and their own knowledge; acting as the primary point of contact between BetFlow and the FIAU, and responding to information requests and production orders; overseeing the implementation and effectiveness of BetFlow's AML/CTF programme, including policies, procedures, controls, and training; providing regular reports to BetFlow's Board of Directors and senior management on AML/CTF matters, including the number and nature of internal reports received, STRs/SARs filed, and the outcomes of monitoring activities; and ensuring that BetFlow's Business Risk Assessment is conducted, documented, and reviewed at least annually.

BetFlow has also appointed a Deputy MLRO who is authorised to perform the functions of the MLRO in their absence. The MLRO and Deputy MLRO have sufficient seniority, authority, and independence to carry out their functions effectively, and have direct access to BetFlow's Board of Directors. The identity and contact details of the MLRO have been communicated to all BetFlow employees and are registered with the FIAU.

Any BetFlow employee who suspects that a transaction or activity may be related to money laundering or terrorist financing must report their suspicion to the MLRO immediately, using the internal reporting form available on the compliance portal. Employees must not conduct their own investigations, confront the subject of their suspicion, or discuss the matter with anyone other than the MLRO or Deputy MLRO.

This AML Policy is reviewed and updated at least annually by the MLRO in consultation with BetFlow's senior management and, where appropriate, external legal and compliance advisors. The review process considers changes in applicable law and regulation, updates to FIAU and FATF guidance, the results of BetFlow's Business Risk Assessment, findings from internal and external audits, feedback from the FIAU and other regulatory authorities, and industry developments and emerging typologies.

Material changes to this policy are approved by BetFlow's Board of Directors and communicated to all employees through the internal compliance portal and, where necessary, through targeted training sessions. The updated policy is made available to all employees and, where required, to our regulators.

BetFlow also engages an independent external auditor to conduct a periodic assessment of our AML/CTF programme at least every two (2) years, or more frequently where required by regulation or the FIAU. The external audit evaluates the adequacy and effectiveness of our policies, procedures, controls, and training, and provides recommendations for improvement. Audit findings and management responses are documented and tracked to completion.

This policy was last reviewed and updated on January 15, 2026. The next scheduled review is January 2027. For any questions about this policy, please contact the MLRO at mlro@betflow.io.