Owner: Compliance
Co‑Owners: General Counsel (GC), CFO (Treasury), CISO (for technical export), Regional Legal Leads
Review cadence: Quarterly list refresh + upon any regime change
Purpose. Protect the Nexus ecosystem from sanctions, AML, and export‑control exposure by enforcing consolidated screening, a dual‑use technology gate, and strict escalation/hold rules. This Policy governs conduct and contracting; regulated AML obligations in financial services are performed by licensed Partners‑of‑Record (PoR) (see Annex B). SNC/NatCos adopt integrity controls and support PoR AML where applicable.
1) Scope & Equal‑Treatment Baseline
Applies to all regional operators (APAC, Middle East, East Africa, Southern Africa, EU/France, USA, Canada, Brazil/LatAm, Senegal/West Africa, Switzerland/GRF), NatCos, Program SPVs, employees, contractors, suppliers, distributors, resellers, Customers, and end‑beneficiaries where known. Where regimes conflict, the most restrictive rule applies.
2) Governance & Roles
- Compliance (Owner): Maintains policy; operates screening; issues advisories; manages holds; training; quarterly board reporting.
- GC: Interprets regimes, licenses/exemptions; oversees communications with authorities.
- CFO (Treasury): Controls payments/banking; enforces blocked‑party rules; screens beneficiaries and banks.
- CISO: Controls technical exports (crypto, secure modules, software downloads), repository access controls.
- Regional Legal Leads: Map host‑law specifics; coordinate local authority interactions.
- Business Owners/Procurement/Sales: Ensure counterparties are screened before engagement and at key lifecycle events; stop on hold.
3) Regimes & Lists (consolidated)
Screen against, at minimum:
- UN Security Council consolidated list.
- US OFAC (SDN, SSI, NS‑CMIC, CAPTA), BIS Entity/Denied Persons/MEU, DDTC debarred.
- EU CFSP consolidated list + sectoral measures.
- UK OFSI consolidated list.
- Switzerland SECO sanctions.
- Singapore MAS/MinLaw lists (Terrorism (Suppression of Financing) Act), Strategic Goods control parties.
- Canada SEMA/UN Act consolidated, OSFI lists.
- Brazil applicable national lists; Interpol notices as advisory.
- Other high‑risk or program‑specific lists as directed by authorities or funders.
Ownership & Control Rules: Apply US/EU/UK 50% rule and any stricter look‑through; screen UBOs to ≥25% (or ≥10% where risk requires). Capture directors/signatories/bank BIC/IBAN.
4) When to Screen (Lifecycle)
- Pre‑engagement: before RFP invitations (Tier‑1 vendors), before contract signature, and before onboarding customers/beneficiaries.
- Pre‑payment / Shipment / Access: before each payment release, shipment, or enabling of software/download access.
- Ongoing: Daily delta screening of active counterparties; event‑driven on changes (ownership, geography, bank details).
- Retro: Re‑screen historical counterparties on major sanctions updates.
5) How to Screen (Process & Quality)
- Consolidated tool with multi‑list coverage; fuzzy matching; transliteration; aliases (aka/fka).
- Data quality: Capture legal names, local‑language variants, registration numbers, addresses, passport/company IDs.
- Scoring:
– ≥90 (High): Auto‑HOLD; escalate to Compliance/GC in ≤24h.
– 70–89 (Medium): Analyst review with independent source checks; document rationale.
– <70 (Low): Clear with rationale; record.
- Evidence: Save screenshots/PDFs of screening hits, corporate registry docs, ownership charts; store in counterparty file for 7 years.
6) Holds, Escalation & Licensing
- Automatic HOLD on any High‑score match or credible media indicating sanctions/AML risk.
- Communications freeze on commercial negotiations; acknowledge receipt only.
- Escalation path: Analyst → Compliance Lead → GC → Exec Sanctions Committee (GC, Compliance, CFO, Regional Lead).
- Outcomes: (a) Proceed; (b) Proceed with conditions (mitigations, contract carve‑outs, escrow, enhanced monitoring); (c) Decline/Terminate.
- Licensing: If relief is possible (e.g., OFAC/EU/UK/SECO authorization), GC leads application; no activity until license in hand.
- Re‑entry: Permitted only after written clearance and updated screening.
7) AML Integrity (Non‑FI posture) & PoR Interface
- SNC/NatCos are not FIs. We do not operate accounts for clients, accept deposits, transmit money, or provide investment/insurance advice (Annex B).
- Integrity controls: KYC‑Lite collection (company registry docs, UBOs, purpose of relationship, source of funds/use) for high‑risk engagements; adverse‑media; conflicts/PEP declarations.
- Suspicious activity: If red flags appear (structuring, sanctions evasion, shell layering), pause and escalate to Compliance/GC. Where a PoR is involved, inform PoR for potential SAR/STR filing; our staff do not tip off subjects.
- Prohibited: Cash payments, crypto receipt to corporate wallets without PoR, privacy‑coin settlement, sanctioned mixers, or transactions with anonymising services.
8) Red Flags (examples)
- Complex ownership chains to sanctioned jurisdictions; frequent changes of directors/UBOs.
- Payments from third countries with no logical nexus; use of multiple shell entities; mismatch in KYC details.
- Requests to remove origin labels, alter documentation, or route through unrelated intermediaries.
- Unusual urgency; refusal to provide basic corporate/KYC documents.
9) Export Controls & Dual‑Use Gate
- Classification: Before exporting software/tech (including downloads, cloud access, encryption, AI models), determine classification (e.g., US EAR ECCN vs EAR99; EU Dual‑Use; SG Strategic Goods (Control) Act; CH Goods Control Ordinance; UK Export Control Order; CA EIPA).
- US de minimis / re‑export: If US content is present, apply de minimis and re‑export rules.
- Prohibited destinations/users: Denied parties, comprehensively sanctioned countries/regions, military end‑users/end‑uses where restricted.
- Technical measures: Geo‑fencing of downloads; IP allow‑listing; repository access control; key/cryptography export notices; tamper‑evident logs.
- Approvals: Compliance + GC sign‑off for controlled tech exports; license applications where required; maintain records for 5–10 years per regime.
10) Payments & Banking Controls
- Screen beneficiaries, originators, and banks (BIC/SWIFT) before payments.
- Reject transfers from/to sanctioned banks or jurisdictions.
- Require contract sanctions clauses: termination rights; warranty of compliance; change‑in‑law; audit rights.
- No payments in crypto unless via PoR with full AML controls and approved risk assessment.
11) Record‑Keeping & Transparency
- Keep: screening logs, ownership charts, due‑diligence packs, hold decisions, licenses/authorizations, payment proofs, export classifications, and communications ≥7 years (or per stricter law).
- Dual‑log material sanctions/export decisions in the GRF Register and technical ledger where applicable.
12) Training & Audits
- Training: Induction + annual refresh for sales, procurement, delivery, finance, and executives.
- Audits: Quarterly sampling by Compliance; independent audit annually or after material incidents; corrective actions tracked.
13) Communications & Public Claims
- No public claims implying regulator approvals or sanctions exemptions.
- Media statements on sanctions/export matters require GC approval.
- Maintain consistent status disclaimers (see Annex B/H).
14) Exceptions & Waivers
- Document in Sanctions/Export Exception Register with legal basis, risk assessment, compensating controls, and expiry; requires GC + Compliance approval and Board notice for material cases.
15) Enforcement
Breaches (doing business with a sanctioned party, failing to screen, exporting controlled tech without authorization) may result in immediate suspension of activities, disciplinary action, termination, contract remedies, and notification to authorities.
16) Host‑Law Appendices (Equal Treatment)
Each appendix supplements this baseline with regime specifics, authorities, and any stricter defaults:
- Appendix SG — Singapore: Terrorism (Suppression of Financing) Act; MAS/MinLaw notices; Strategic Goods (Control) Act licensing; guidance on transhipment/transit.
- Appendix EU/FR — European Union/France: EU CFSP lists; Dual‑Use Regulation (EU) 2021/821; French export authority (SBDU).
- Appendix CH — Switzerland: SECO sanctions; Goods Control Ordinance; embargo measures.
- Appendix US — United States: OFAC (SDN/SSI/NS‑CMIC/CAPTA), BIS EAR (CCL/ECCN), DDTC ITAR; de minimis/re‑export rules; Unverified List/Entity List.
- Appendix UK — United Kingdom: OFSI consolidated list; Export Control Joint Unit (ECJU) licensing.
- Appendix CA — Canada: SEMA/UN Act sanctions; GAC permits; EIPA export permits; FINTRAC guidance (advisory).
- Appendix BR — Brazil: COAF AML guidance; Decrees implementing UN/EU measures; SECEX export.
- Appendix KE — Kenya: AML/CFT Act; CBK/KBA notices; ODPP guidance; ODPC interface (privacy).
- Appendix ZA — South Africa: FIC Act (FICA) for AML (PoR context), DTIC/ITAC export; National Treasury sanctions notices.
- Appendix SN/WA — Senegal/West Africa: BCEAO AML/CFT; UEMOA/ECOWAS sanctions; CEMAC where relevant.
17) Effective Date & Governance
Adopted by the Board(s) of all regional operators on [●] and incorporated by reference into Charters/Bylaws, SOWs, vendor/customer contracts, and Treasury SOPs. Class B to amend/strengthen; Class A to relax controls or remove lists.