Legal & Privacy

In this agreement the following terms, unless the context otherwise indicates, will have the following meanings:

AML Regulations means MAS Notice No. PSN02 Notice to Holders of Payment Service License (Digital Payment Token Service) read with section 27B of the Monetary Authority of Singapore Act (Cap. 186).

AML Policy means the policies and programs maintained by Zebpay to comply with the AML Regulations.

Business Day means a day that is not a Saturday, Sunday or public holiday in Singapore.

Client Deposits means money (fiat) deposited into the Client Asset Account either by the Client transferring funds to the Client Asset Account or by crediting the Client Asset Account by Zebpay as a result of a sale of Digital Payment Token by the Client on the Zebpay Platform.

Client Deposit Money means Client Deposits credited to the Client Asset Account (not applicable to Indian Customers).

Client Asset Account or Account entails the overall term for all wallets and accounts that the Client holds with the Company on the Zebpay Platform including both fiat and crypto-wallets.

Company means Genie Technologies Pte Ltd [Registration No: 201919382H]

Competent Authority means the Monetary Authority of Singapore or such other relevant government authority.

Crypto Earn Service shall have the meaning ascribed to the term in Clause 10 (d).

Force Majeure shall mean and include any cause arising from or attributable to acts, or events, beyond the reasonable control of Zebpay, including natural calamity, strikes, terrorist action or threat, civil commotion, riot, crowd disorder, invasion, war, threat of or preparation for war, fire, explosion, storm, flood, earthquake, subsidence, structural damage, epidemic or other natural disaster, calamity, attacks including through computer viruses, hacking, denial of service attacks, ransomware or other manmade disruptions or any law, order enactment, statutory direction, legislation, regulation, rule or ruling of government or any court of law or of a Government or regulatory authority.

KYC means know your customer requirements under the AML Regulations.

Privacy Policy means the privacy policy of ZebPay available at https://zebpay.com/sg/privacy-policy/

Digital Payment Token Exchange means (per Schedule I of the Payment Services Act) an exchange operating in or from within Singapore which facilitates the exchange and/or trading of digital payment tokens by making or hosting offers or invitations to buy or sell digital payment tokens in exchange for any money or any other digital payment token, but does not include an exchange where the exchange in question does not come into possession of any money or any digital payment token, whether at the time that the material offer or invitation is made or otherwise.

Digital Payment Token has the same meaning as defined in the Payment Services Act.

Token Lending Service shall have the meaning ascribed to the term in Clause 10 (c).

User or Client shall mean persons availing of the Zebpay Services (as defined below), directly or indirectly, and are referred to herein as “Users”.

ZebPay Platform shall collectively mean and include Zebpay Android App, Zebpay iOS App (collectively, “Zebpay App”) or Zeb Web app (“Web version”) and Zebpay website “www.zebpay.com” (“Zebpay Website”) and other web assets on the Zebpay.com domain, together with the Zebpay Developer Portal, Public APIs and secure authentication for Users;

ZebPay Services means the services made available from time to time on the Zebpay Platform.

Trading in Digital Payment Tokens involves a high degree of risk to your capital. Digital Payment Tokens may not be appropriate for all investors and you should seek independent advice if necessary. Trading with Digital Payment Tokens may result in total loss of your investment. In addition to the foregoing, please read and understand the Risk Warning on Digital Payment Token Services available at https://zebpay.com/sg/risk-warning-on-digital-payment-token-services/ , before using any of ZebPay’s Services.

• (a) These Terms of Use form a binding agreement between you (hereinafter known as ‘The Client or User or You’) and Zebpay as the operator of the Zebpay Platform.
• (b) By using any services made available through the Zebpay Platform the Client agrees that the Client has read, understood and accepted all the terms and conditions contained in this Terms of Use agreement as well as our Privacy Policy.
• (c) As this is a legally binding contract, the Client is cordially requested to carefully read through this agreement and related notices before using any of Zebpay’s Services.
• (d) By registering, accessing or using Zebpay Platform, the Client agrees to the terms and conditions set out in this Terms of Use.
• (e) If any Client disagrees with this Terms of Use, the Client shall not proceed to initiate account registration with Zebpay or seek to acquire any of its services.

Zebpay is committed to improve the global fight against money laundering and terrorist financing. In this regard, the Company has endeavoured to carefully ensure all of its internal anti-money laundering procedures comply with AML Regulations.

• (a) Zebpay reserves the right to modify or change the terms and conditions of the agreement at any time and at its sole discretion. Zebpay will provide reasonable notice of these changes to Users and will modify or change the terms by updating the Terms of Use.
• (b) Any and all modifications or changes to the Terms of Use will be effective on the period mentioned in the notice being provided to Users. As such, Users’ continued use of Zebpay services, including but not limited to any failure to close your account during the requisite notice period, acts as acceptance of the amended agreement and rules. For the avoidance of doubt, if the User does not agree with any such modification or change, then the User should close the Client Asset Account and cease using the Zebpay Platform.

• (a) By registering to use a Zebpay’ Client Asset Account, the Client warrants that the Client is an individual that is at least 18 years old, a legal person or other organization with full legal capacity to enter into these Terms of Use.
• (b) If the Client is an individual and is not at least 18 years old, the Client’s legal guardian shall be responsible for all consequences resulting from the Client’s actions on the Zebpay Platform and Zebpay shall have the right to cancel or freeze the Client’s Client Asset Account in addition to filing claims against the Client and the Client’s guardian for compensation/damages.
• (c) Each Client shall have one Client Asset Account only. Multiple accounts for the same Client will not be allowed.
• (d) Clients who are either citizens or residents of the below countries are not permitted to use the Zebpay Services in any form ( “Prohibited Jurisdiction Use” )

Democratic People’s Republic of Korea, Iran, Bahamas, Botswana, Cambodia, Ghana, Iceland, Mongolia, Pakistan, Panama, Syria, Trinidad and Tobago, Yemen, Zimbabwe, Cuba

By accessing and using the Zebpay Platform, the Client acknowledges and declares that he/she is not on any trade or economic sanctions lists, such as the United Nations Security Council Sanctions List and its equivalent. You may not use your Client Asset Account to engage in the following categories of activity (“Prohibited Uses”). The specific types of use listed below are representative, but not exhaustive:

• (a) unlawful activity
• (b) fraud
• (c) gambling
• (d) intellectual property infringement
• (e) defamation or abuse

Pursuant to Zebpay’s strict policy of preventing potential conflicts of interest and/or market abuse, the Client is given notice that Zebpay does not extend its services to its employees and/or their relatives, save where Zebpay is satisfied, on a case by case basis, that the risk of conflicts of interest and/or market abuse have been ameliorated. By accessing and using the Zebpay Platform, the Client acknowledges and declares that neither he/she nor any of her relations are employees of Zebpay or any of its affiliates.

The content of these Terms of Use shall not supercede the laws of the country to which the User belongs. Zebpay maintains its stance that prohibited users are not to use or access the Zebpay Platform.

• (a) The OTC Trading Platform Service is a service accessed through the Zebpay Platform whereby Zebpay provides an online virtual financial asset trading platform via a sophisticated Zebpay platform for products commonly known as cryptographic tokens, digital tokens or cryptographic currency.
  When a User enters into the OTC Trading Platform Service on the Zebpay Platform, the User acknowledges and consents that he/she is transacting with Zebpay as a counterparty, meaning that for all intents and purposes, Zebpay is dealing on its own account and the prices are set by Zebpay itself.
• (b) The Digital Payment Token Exchange Service is a service accessed through the Zebpay Platform whereby Zebpay provides a trading platform (crypto to crypto/fiat to crypto/crypto-fiat) for digital payment tokens, but otherwise commonly known as cryptographic tokens, digital tokens or cryptographic currency. The functionalities available under this service fall into two separate classes. In broad terms, the “Instant Buy/Sell” class of services will allow Users to trade the aforementioned tokens and cryptographic currencies with Zebpay itself as the counterparty. Conversely, the “Exchange” class of services will allow Users to trade the aforementioned tokens and cryptographic currencies amongst each other, which Zebpay facilitates by providing the matching service that will pair up their respective buy and sell orders.
  When a User enters the Digital Payment Token Exchange Service on the Zebpay Platform, the User acknowledges that he or she is transacting with other users of the Zebpay platform as a counterparty and bids are matched on a non-discretionary basis with a counterparty. In this regard, Zebpay provides the platform to match the orders, and prices are therefore set by the market-forces of supply and demand.
• (c) The Token Lending Service is a service accessed through the Zebpay Platform whereby the User may choose to either (i) deposit Digital Payment Tokens in dedicated wallets where they can earn interest in the form of a fee denominated in the same Digital Payment Token; or (ii) borrow Digital Payment Tokens from Zebpay, subject to an interest rate denominated in the same Digital Payment Tokens, and which borrowings will be secured against other Digital Payment Tokens deposited by the customer with Zebpay for that express purpose.
• (d) The Crypto Earn Service is a service accessed through the Zebpay Platform whereby the User may choose to keep specified Digital Payment Tokens in their trading wallet, for which they will generate earnings denominated in the same crypto assets.

• (a) The Client must register and open a Client Asset Account with Zebpay for exchanging Digital Payment Tokens (Digital Payment Tokens) prior to commencement of trading on the Zebpay platform.
• (b) All crypto-wallets will be managed by the Company.
• (c) Client may request the withdrawal of the Digital Payment Tokens and any fiat currency subject to the limitations available at www.zebpay.com/fees-global/
• (d) Zebpay strives to maintain the accuracy of information posted on the Zebpay Platform however it cannot guarantee the accuracy, suitability, reliability, completeness, performance or fitness for purpose of the content through the Zebpay Platform and will not accept liability for any loss or damage that may arise directly or indirectly from the content.
• (e) Information on Zebpay’s Platform can be subjected to change without notice and is provided for the primary purpose of facilitating Users to arrive at independent decisions.
• (f) All Users of the Zebpay Platform must understand that there are risks involved in the usage of the Zebpay Platform. Zebpay encourage all users to exercise prudence and trade responsibly within their own means.
• (g) While Zebpay emphasises online interface security to ensure the continuity and security of its services (announcements will be made in event of downtime/maintenance), it will be non-accountable to Users for an act of God, Force Majeure, malicious targeted hacking, terrorist attacks and other unforeseen circumstances.
• (h) Zebpay reserves the right to cancel, rollback or block transactions of all type on its platform in event of abnormal transactions or based on its internal AML Policy.
• (i) Zebpay will not ask for any password or PIN from its users except to login into Zebpay platform and use Zebpay services. Zebpay will also not ask users to transfer funds that are not listed on its OTC Trading Platform Service or Digital Payment Token Exchange Service.
• (j) By using the Zebpay Platform and Zebpay’s services, the Client declares that all information provided by the Client to Zebpay is true, accurate and complete.
• The Client agrees and understands that the underlying protocols of different crypto networks are subject to changes (each a “Fork”) which may result in more than one version of such network (each a “Forked Network”). The Client further agrees and understands that Forks may materially affect the value, function, and/or name of the crypto held by the Client with ZebPay. In the event of a Fork, ZebPay may temporarily suspend any services in respect of the relevant crypto/s (with or without advance notice to you) and may determine, in its sole discretion, whether or not to support the Forked Networks. Details of ZebPay’s position on such Forks are available at https://help.zebpay.com/support/solutions/articles/44001895103/, which may be subject to change from time to time.

For the purpose of the Token Lending Service, the lending or borrowing of Tokens to or from Zebpay are subject to the provisions of respective terms. Detailed terms of the Token Lending Service are available at https://zebpay.com/in/lend/. By availing themselves of these particular service(s), Users are deemed to have read and understood, and agree to be bound by their terms.

For the purpose of the OTC Trading Platform Service, the User is subject to the provisions of its terms. Detailed terms of the OTC Trading Platform Service are available at https://zebpay.com/otc/terms-of-use/. By availing themselves of this particular service, Users are deemed to have read and understood, and agree to be bound by its terms.

• (a) With registration of a Client Asset Account on Zebpay, the Client agrees to share personal information requested for the purposes of identity verification. This information is used specifically to identify the Client and for the detection of money laundering, terrorist financing, fraud and other financial crimes on the Zebpay Platform and is fully compliant with the AML Regulations. Zebpay endeavours to retain and obtain this personal information in accordance with the Personal Data Protection Act 2012 and its Privacy Policy.
• (b) In addition to providing this information, to facilitate compliance with global industry and government standards for data retention, the Client agrees to permit Zebpay to keep a record of such information for the lifetime of the User’s Client Asset Account plus five (5) years after closing that account.
• (c) The Client also authorises Zebpay to make inquiries, either directly or through third parties, that are deemed necessary to verify the Client’s identity or to protect the Client and/or Zebpay against financial crimes such as fraud, etc.

• (a) All relevant Client Deposits shall be kept separate from money belonging to Zebpay in a Client Asset Account, in accordance with applicable law and regulations, unless and until such amounts are returned to the Client, or become due and payable to Zebpay in accordance with these Terms of Use or are otherwise paid away or transferred in accordance with applicable law and regulations.
• (b) By accepting these Terms of Use, the Client hereby grants to Zebpay the authority to open and establish a ‘Client Asset Account’ and the Client agrees to grant the Company the right to control the Client’s assets including ‘Digital Payment Tokens’ and fiat.

• (a) Zebpay is required to adhere to KYC requirements. Zebpay may undertake remote KYC procedures and video on boarding, among others.
• (b) The KYC procedures may be created or undertaken by any authorised representative of Zebpay (such as a third-party KYC service provider) possessing all the relevant and necessary credentials to conduct the KYC and due diligence in accordance with the AML Regulations and the AML Policy.
• (c) The Client is bound to follow all on-screen instructions and adhere to all requirements for the on-boarding on to the Zebpay Platform.

(a) All Users must register for a Zebpay Client Asset Account before using the Zebpay Platform via our standard application procedure. To register for an account, the Client must provide his or her real name, email address and such other requested information including KYC documents.

(b) Depending on certain conditions and in our sole discretion, we may refuse to open an account for you. No orders can be executed until a Client Asset Account is opened and cleared funds have been deposited in accordance with these Terms of Use.

(c) Where Zebpay is required under applicable law and regulations to report transactions with the Client to a Competent Authority or otherwise, the Client must obtain and provide Zebpay with any information as Zebpay may require. The Client shall not be permitted to place orders unless and until it has provided the information required, and subject to clearance of the Competent Authority or other authority, as the case may be.

(d) In order to open a Client Asset Account, the Client must complete the registration process.

(e) Zebpay is obliged to carry out all the searches and enquiries that Zebpay deems to be appropriate to assess the Client’s identity and/or to carry out any anti money laundering controls which may be required under the AML Regulations or its AML Policy. This information may be also used for the prevention of money laundering or terrorism financing as well as for the management of the Client Asset Account. The Client authorises Zebpay to use the information to perform the above checks in relation to this Agreement.

(f) The identity verification information which may be requested can generally include but not limited to:

• Full Name
• Email Address,
• Contact Information
• Nationality
• Telephone Number
• Username
• Government Issued ID/Passport
• Date of Birth
• Proof of address
• Bank account details
• Information on the User’s trades
• Photographs and images.

(g) In providing this required information, the Client confirms that it is accurate and authentic. Post-registration, the Client must guarantee that the information is truthful, complete and updated in a timely manner with any changes. If there is any reasonable doubt that any information provided by you is wrong, untruthful, outdated or incomplete, Zebpay shall have the right to send you a notice to demand corrections, remove relevant information directly, suspend use of the Client Asset Account and, as the case may be, terminate all or part of Zebpay Service to the Client.

(h) The Client shall be solely and fully responsible for any loss or expenses incurred by the Client during the use of Zebpay Service if the Client cannot be reached through the contact information provided by the Client.

(i) The Client hereby acknowledges and agrees that he/she has the obligation to keep all information provided to Zebpay up to date if there are any changes.

(j) Zebpay may or may not accept an application to become a Client in its absolute discretion, including if the Client fails to pass the relevant appropriateness checks. If the Client application is accepted by Zebpay, the Client shall be notified of its Client Asset Account.

(k)The Client may only start trading and/or exchanging with Zebpay on the Zebpay Platform after the initial deposit of fiat or Digital Payment Tokens is credited to the Client Asset Account and such deposit has been cleared.

(l) Zebpay shall be authorised to act upon any digital instructions transmitted by the Client. In this connection, Zebpay shall be entitled to carry out any instructions or orders as per the Client’s instructions.

(m) The Client may request Zebpay to make payments by debiting the Client Asset Account to the extent cleared funds are available at the time of the request (electronically via the Zebpay Platform)

(n) The initial deposit and any additional funds deposited by the Client (together, Client Deposits) shall be credited to the Client Asset Account as the case may be.

(o) Any crediting or debiting of Client Deposit Money to or from the Client Asset Account is net of any bank fees, commissions or other charges or costs (including any applicable taxes, including withholding taxes) and you hereby expressly authorise Zebpay to make any such deductions.

(p) Zebpay may receive interest in respect of the Client Asset Account but will not pay any portion of such amounts to the Client. The Client hereby waives any right to receive interest on any positive balance of Client Deposits on the Client Asset Account.

(q) The Client Asset Account shall be denominated in Singapore dollars (‘Base Currency’) by default.

(r) All gains, earnings, losses, costs and liabilities made or incurred by the Client under or in relation to any Digital Payment Token or any service provided by Zebpay or otherwise in connection with this agreement (including any fees charged by Zebpay) shall be credited or debited to the Client Asset Account, as applicable.

(s) The Client hereby expressly authorises Zebpay to deduct any such amounts from any Client Deposits held in the Client Asset Account by Zebpay on the Client’s behalf.

(t) The Client may, at any time, withdraw funds (‘Withdrawn Funds’) from the Client Asset Account by submitting a request to Zebpay (‘Withdrawal Request’). The amount requested must be available in Client Asset Account. Zebpay may, at its discretion, elect to withhold payment (or deduct an amount from it, as applicable) if:

• (i) Zebpay is required by applicable law or regulations to deduct or withhold such payment; or
• (ii)there is an unresolved dispute between Zebpay and the Client in connection with this agreement or any related contract in respect of such funds.

(u) Zebpay will only pay Withdrawn Funds to the Clients registered bank account unless the Client has notified a change in their payment details in writing in advance and this is in compliance with applicable law and regulations, in particular anti-money laundering controls.

(v) The Client shall make Client Deposits and submit withdrawal requests to Zebpay using the deposit or withdrawal function on the Zebpay Platform. The Client shall be solely responsible for the safekeeping of the Client Asset Account and password/ PIN and the Client will be responsible for all activities relating to the Client’s logins and password/PIN.

(w) The Client hereby covenants that the Client:

• (i) will not share its login or password/PIN details with any third party;
• (ii) will notify Zebpay immediately if the Client he/she is aware of any unauthorised use of the Client Asset Account or the Client login or password/ PIN by any person or any other violations its security ;
• (iii) will strictly observe the security, authentication, dealing, charging, withdrawal mechanisms or procedures of the ZebPay Platform; and
• (iv) will log out from the ZebPay Platform by taking proper steps at the end of every visit.

(x) Zebpay will not be responsible for any loss or consequences caused by the Client’s failure to comply with the above terms and conditions.

(a) The Client represents and warrants to ZebPay that:

• (i) The Client’s conduct will not be in violation of the law, public interests, public ethics or other’s legitimate interests,
• (ii) the Client will not evade the payment of taxes or fees and will not violate this agreement or relevant laws and rules ;
• (iii) all information supplied by the Client to ZebPay is complete, true, accurate and not misleading or deceptive in any respect;
• (iv) if the Client is an individual, the Client is at least 18 years old;
• (v) if the Client is a body corporate, unincorporated association, trust or other legal structure, the Client is validly existing in accordance with applicable law and regulations;
• (vi) the Client has entered into this agreement and will enter into any transaction on the ZebPay Platform as a principal and not as another person’s agent or representative;
• (vii) the Client is not subject to any law or regulation preventing it from entering into this agreement or transactions on the ZebPay Platform. In this regard, the Client is not a resident of any other jurisdiction where it may be unlawful to access the ZebPay Platform or trade with ZebPay;
• (viii) the Client has obtained all necessary consents, licenses and authorisations and has full power and authority (in accordance with its constitutional and organisational documents, where relevant) to enter into this agreement and all transactions on the ZebPay Platform;
• (ix) the Client will comply with all laws and regulations to which the Client is subject in relation to this agreement and any transaction contemplated by this agreement including, without limitation, all tax laws and regulations, exchange control requirements and registration requirements;
• (x) this agreement and any transaction entered into thereunder create valid and binding obligations which are enforceable against the Client in accordance with their terms including in the jurisdiction in which the Client is resident and do not violate the terms of any law, regulation, order, charge, agreement or instrument by which the Client is bound or to which the Client’s assets are subject;
• (xi) the Client is fully aware of the financial and other risks involved with trading in Digital Payment Tokens under this agreement and is willing and financially able to sustain a total loss of funds resulting from the trading and transactions entered into on the ZebPay Platform;
• (xii) the Client has consistent and uninterrupted access to the internet and the email address, mobile number provided to ZebPay during the application procedure;
• (xiii) the Client will act in accordance with applicable law and regulations regarding market abuse, manipulation or misconduct, insider trading or dealing and similar offences, as applicable;
• (xiv) the Client will not alter, distort or otherwise manipulate the relevant market or underlying in relation to a transaction entered into under this agreement;
• (xv) the Client will promptly notify ZebPay of the occurrence of any event of default or potential event of default or any other breach of this agreement; and

(b) If the Client violates the foregoing promises and thereby causes any legal consequence, the Client shall independently undertake all of the legal liabilities in the Client’s own name and indemnify Zebpay from all actions, claims, losses or costs arising from such violation;

(c) The Client will not use any data or information displayed on the Zebpay Platform for commercial purposes without the prior consent of Zebpay.

(d) The Client will use the Zebpay Platform in accordance with these Terms of Use and the Privacy Policy, without taking acts of unfair competition nor attempting to intervene with the normal operation of Zebpay. Examples of such malicious acts include, but are not limited to:

• (i) using a device, software or subroutine to interfere with the ZebPay Platform;
• (ii) overloading network equipment with unreasonable data loading requests;
• (iii) executing malicious sales or purchases on the market.

(e) By accessing the Zebpay Service, the Client agrees that Zebpay shall have the right to unilaterally determine whether the Client has violated any of the above covenants and take action without receiving the Client’s consent or giving prior notice to the Client. Examples of such actions include, but are not limited to:

• (i) block and close order requests;
• (ii) freezing your Client Asset Account;
• (iii) reporting the incident to authorities;
• (iv) publishing the alleged violations and actions that have been taken;
• (v) deleting any information you published that is in violation.

(f) The Client consents to the Zebpay Platform’s KYC checks and procedures and under no circumstance may Zebpay refund any money or grant access to the Zebpay Platform before all necessary procedures have been vetted and consent is formally authorised for the Client to access the Zebpay Platform.

(g) Without prejudice to the aforesaid, any funds which are kept in the Client Asset Account will be ‘frozen’ until the relevant procedures are completed and under no circumstance may they be ‘exchanged’ or ‘withdrawn’.

(h) If the Client’s alleged violation causes any losses to a third-party, the Client shall solely undertake all the legal liabilities in the Client’s own name and hold Zebpay harmless from any loss, fine or extra expenses. If, due to any alleged violation Zebpay incurs any losses, is claimed by any third party for compensation or suffers any punishment imposed by any administrative authorities, the Client will indemnify Zebpay against any losses and expenses caused thereby, including legal fees on a full indemnity basis.

(i) The Client acknowledges and agrees that the above representations and warranties have been a material inducement to the decision of Zebpay to enter into this agreement with the Client.

(j) In case of any abnormal behaviour, fluctuation or delay in transactions beyond Zebpay’s control, Zebpay shall not be liable to the Client.

Zebpay reserves the right to resolve issues and disputes at its sole discretion. These issues include infringement of others’ rights, violation of laws and regulations, abnormal trades and others not explicitly mentioned in these Terms of Use. Users agree to bear the costs arising from the process of dispute resolution. Subject to the foregoing, disputes shall be dealt with as per Clause 36 hereunder (‘Governing law and jurisdiction’).

(a) Zebpay will provide access to the Zebpay Platform on an “as is” and “commercially available” condition and to the maximum extent permitted by law does not offer any form of warranty with regards to the Zebpay Platform’s reliability, stability, accuracy and completeness of the technology involved. The Zebpay Platform serves merely as a venue of transactions where Digital Payment Token information can be acquired, and Digital Payment Token transactions can be conducted.

(b) Zebpay cannot control the quality, security or legality of the Digital Payment Tokens in any transaction, truthfulness of the transaction information, or capacity of the parties to any transaction to perform their obligations. The Client must carefully consider the associated investment risks, legal status and validity of the transaction information and investment decisions prior to your use of the Zebpay Platform.

• (a) Release of ZebPay Liability

(i) If you have a dispute with one or more users of the Zebpay Platform, you agree that neither we nor our affiliates or service providers, nor any of our respective officers, directors, agents, joint venturers, employees and representatives will be liable for any claims, demands and damages (actual and consequential) of any kind or nature arising out of or in any way connected with such disputes.

(ii) Zebpay will not be liable for any loss caused to the User due to discontinuation of any cryptocurrency that is being offered through the Zebpay Platform.

(iii) Zebpay shall not be liable for any disruption of service, whereby the User is denied access to their cryptocurrencies, including those stored on the Client Asset Account.

(iv) Zebpay shall not be liable for any loss caused to the User through loss of any cryptocurrency stored on the User’s Client Asset Account for any reason whatsoever, save and except due to a wilful and malicious commission or omission by Zebpay directly resulting in such loss.

(v) Zebpay shall not be liable for any discontinuation, alteration, suspension or termination of any part of the services offered on the Zebpay Platform caused or occasioned any Force Majeure event or any change in applicable Law with respect to cryptocurrencies.

(vi) Zebpay shall not be liable for any loss caused to User due to fluctuations in the price of cryptocurrencies. Zebpay does not guarantee profits from sale or purchase or transfers of cryptocurrencies. Zebpay shall not be liable for any loss caused to User for suspension, cancellation or termination of a User account, including on account of a violation by such User violations of any of the terms of this agreement, the Privacy Policy or any applicable Law. The User agrees that Zebpay will not be liable to User or to any third party for termination of the User account or for restricting access to the Zebpay Platform, which shall be at the sole discretion of Zebpay.

(vii) The User shall not be entitled to any damages for any reason whatsoever including for consequential or compensatory damages against Zebpay for any reasons including suspension, cancellation or termination of the User account or for cessation of any or all services on the Zebpay Platform. The User shall only be entitled to refund / recovery of the cryptocurrencies credited to the Client Asset Account, subject to deductions of amounts owed to Zebpay and other legal, regulatory or statutory dues or those stipulated under applicable Law, and to the permissibility of such refund or recovery under applicable law.

(viii) In the event that any cryptocurrencies stored in any Client Access Account are seized, or Zebpay is unable to access or return the same to User, Zebpay shall not be held liable or responsible for the same. The User is cautioned to avail itself of the Zebpay Platform subject to the above risk. At no point in time will Zebpay, its directors, shareholders, employees, representatives, officers, affiliates or assigns be held liable for any claims whatsoever for cessation of services or termination of any part of the Zebpay Platform or any disruption with respect to access to any Client Asset Account.

(ix) All claims by a User shall be limited to the cryptocurrencies and fiat in the relevant Client Asset Account, subject to the above mentioned conditions.

(x) To the maximum extent permitted by law, THE MAXIMUM CUMULATIVE LIABILITY OF ZEBPAY IN ANY EVENT, FOR ANY CLAIM, DAMAGES, TORT SHALL BE LIMITED TO THE CRYPTOCURRENCIES ACTUALLY RECEIVED FROM THE USER, AS CONSIDERATION OR FEES FOR THE SERVICES RENDERED BY Zebpay IN RELATION TO THE APPLICABLE TRANSACTION TO WHICH THE CLAIM RELATES. IF THE CLAIM DOES NOT RELATE TO ANY TRANSACTION IN PARTICULAR, THEN ZEBPAYS MAXIMUM CUMULATIVE LIABILITY SHALL BE LIMITED TO THE CRYPTOCURRENCIES ACTUALLY RECEIVED FROM THE USER, AS CONSIDERATION OR FEES FOR THE SERVICES RENDERED BY ZEBPAY IN RELATION TO THE TWO TRANSACTIONS IMMEDIATELY PRECEDING THE DATE ON WHICH THE CLAIM IS MADE BY THE USER .

• (b) No Liability for Breach

Zebpay will not be liable for any breach of these Terms of Use, where the breach is due to abnormal and unforeseeable circumstances beyond Zebpay’s control, the consequences of which would have been unavoidable despite all effects to the contrary, nor is Zebpay liable where the breach is due to the application of mandatory legal requirements.

• (c) Limitation of loss

In addition to the liability cap above, in no event shall Zebpay, our affiliates or our service providers, or any of our or their respective officers, directors, agents, employees or representatives, be liable for any of the following types of loss or damage arising under or in connection with this agreement or otherwise:

• (i)any loss of profits or loss of expected revenue or gains, including any loss of anticipated trading profits and / or any actual or hypothetical trading losses, even if we are advised of or knew or should have known of the possibility of the same;
• (ii) any loss of or damage to reputation or goodwill; any loss of business or opportunity, customers or contracts; any loss or waste of overheads, management or other staff time; or any other loss of revenue or actual or anticipated savings, even if we are advised of or knew or should have known of the possibility of the same;
• (iii) any any loss of use of hardware, software or data and / or any corruption of data; including but not limited to any losses or damages arising out of or relating to any inaccuracy, defect or omission of digital currency price data; any error or delay in the transmission of such data; and / or any interruption in any such data;
• (iv) any loss or damage whatsoever which does not occur directly from our breach of this agreement; and/or
• (v) any loss or damage whatsoever which is in excess of that which was caused as a direct result of our breach of this agreement (whether or not you are able to prove such loss or damage).

The Client agrees to indemnify and hold harmless Zebpay, its affiliates, contractors, licensors, and their respective directors, officers, employees and agents from and against any claims and damages (including legal fees, fines or penalties imposed by any regulatory authority) arising out of the Client’s breach or our enforcement of this agreement or (including with limitation your breach of the Privacy Policy, AML Policy or any other restrictions on use of Zebpay services) or your violation of any law, rule or regulation, or the rights of any third party . This shall also apply to the Client’s violation of any applicable law, regulation, or rights of any third party during your use of the Zebpay Services.

(a) The Client agrees that we have the right to immediately suspend the Client Asset Account (and any accounts beneficially owned by related entities or affiliates), freeze or lock the funds in all such Client Asset Accounts, and suspend access to Zebpay if we suspect any such Client Asset Accounts to be in violation of these Terms of Use, Privacy Policy, AML Regulations acts or any applicable laws and regulations.

(b) Zebpay shall have the right to keep and use the transaction data or other information related to such Client Asset Accounts. The above account controls may also be applied in the following cases but not limited to the following:

• (i)the Client Asset Account is subject to a governmental proceeding, criminal investigation or other pending litigation;
• (ii) we detect unusual activity in the Client Asset Account;
• (iii) we detect unauthorized access to the Client Asset Account;
• (iv) we are required to do so by a court order or command by a regulatory/government authority;
• (v) we reasonably suspect you of acting in breach of this Agreement;
• (vi) we suspect money laundering, terrorist financing, fraud, or any other financial crime;
• (vii) Use of your Client Asset Account is subject to any pending litigation, investigation, or government proceeding and/or we perceive a heightened risk of legal or regulatory non-compliance associated with your account activity;
• (viii) we take any action that may circumvent our controls such as opening multiple accounts or abusing promotions which we may offer from time to time.

(c) In case of any of the following events, Zebpay shall have the right to directly terminate this agreement by cancelling the Client’s Asset Account, and shall have the right to permanently freeze (cancel) the authorisations of the Client’s Asset Account and withdraw the corresponding Client account:

• (i) after ZebPay terminates services to the Client,
• (ii) the Client allegedly registers or registers in any other person’s name as ZebPay user again, directly or indirectly;
• (iii) the main content of user’s information that the Client has provided is untruthful, inaccurate, outdated or incomplete;
• (iv) when this agreement) is amended, the Client expressly states and notifies ZebPay of the Client’s unwillingness to accept the amended terms of use;
• (v) any other circumstances where ZebPay deems it should terminate the services.

(d) Should the Client Asset account be terminated, the account and transactional information required for meeting data retention standards will be securely stored for five (5) years. In addition, if a transaction is unfinished during the account termination process, Zebpay shall have the right to notify the Client’s counterparty of the situation at that time.

(e) Subject to clause 21(f), once the Client Asset Account is closed/withdrawn, all remaining balances (which includes charges and liabilities owed to Zebpay) on the account will be due and payable to Zebpay. Upon payment of all outstanding charges to Zebpay (if any), the User will have the reasonable time to withdraw all funds from the account.

(f) Zebpay maintain full custody of the funds and user data/information which may be turned over to the authorities in event of account suspension/closure arising from fraud investigations, AML investigations or violation of the law or Zebpay’s Terms (e.g. trading on Zebpay from a sanctioned country).

(a) It is the responsibility of the User to abide by local laws in relation to the legal usage of Zebpay Services in their local jurisdiction. Users must also factor, to the extent of their local law all aspects of taxation, the withholding, collection, reporting and remittance to their appropriate tax authorities.

(b) All users of the Zebpay Platform and any of its services acknowledge and declare that the source of their funds come from a legitimate manner and are not derived from illegal activities. Zebpay maintain a stance of cooperation with law enforcement authorities globally and will not hesitate to seize, freeze, terminate the Client Asset Account and funds of Users which are flagged or investigated by legal mandate.

(a) Zebpay Services are offered only on the digital domain, which is subject to risks including offensive attacks. Zebpay shall not be liable for any loss caused to the User’s account or the monies or cryptocurrencies accrued therein if the same arises due to any Force Majeure event, including commissions or omissions by third parties, forces of nature, offensive attacks on Zebpay servers or on the personal devices of the Users, changes in applicable law, or any loss caused by conditions or events beyond the reasonable control of Zebpay.

(b) The above limitation on liability includes any Force Majeure event set out hereunder including acts of god; fire, act of terrorists, act of civil or military authorities, civil disturbance, war, strike or other labour dispute, interruption in telecommunications or Internet services or network provider services, failure of equipment and/or software, other catastrophe or any other occurrence which is beyond reasonable control of Zebpay; offensive attacks including virus attack, hacking, denial of service attack or theft of the personal devices of the User resulting in loss to the account.

(c) To the maximum extent permitted by law Zebpay shall not be liable for any loss caused to User due to a data breach of confidential information of the User, including of the User account details or User password, including when such breach has occurred due to the User sharing such details with third parties or due to the User’s failure to follow reasonable due diligence. Zebpay shall also not be liable or responsible for any disclosure by User of any User account details, including on account of a phishing attack or other third-party disruption.

(a) Zebpay processes all personal information in accordance with applicable law and regulations relating to the processing, privacy, and use of personal information.

(b) Zebpay may collect, hold and process personal information about the Client from the way in which the Client engages with Zebpay (such as by filling in the application, placing orders, or if the Client contacts Zebpay by post, email, telephone, in person or by any other means), through the Client’s interactions with Zebpay and/or the Zebpay Platform.

(c) Details of the types of personal information which Zebpay collects, holds or processes are set out in Zebpay’s Privacy Policy,

(d) ZebPay relies on the following legal basis to process and use the Client’s personal information:

• (i) processing is necessary for the performance of the ZebPay Services provided to the Client under this agreement;
• (ii) processing is necessary for the purposes of Zebpay’s legitimate business interests, including administering the relationship with the Client and/or analysing, improving and developing its trade, products and services. [For a more detailed overview of the legitimate business interests of Zebpay’s please refer to the relevant section of the aforesaid Privacy policy]; and
• (iii) processing is necessary for compliance with a legal obligation to which Zebpay is subject as better identified in Zebpay’s Privacy Policy.

(e) The Client’s personal information may be disclosed to service providers and other suppliers (including those outside of Singapore) provided that any such transfer or access is compliant with the Personal Data Protection Act 2012 and is subject to appropriate contractual provisions relating to data protection and confidentiality. Further details as to where the Client’s personal information may be transferred or accessed and the basis for such transfers are set out in the Privacy Policy.

(f) Zebpay has security procedures covering the storage and disclosure of the Client’s personal information to prevent unauthorised access of any Client personal information and to comply with the Personal Data Protection Act 2012.

(g) Neither party may disclose to any person any information relating to the business, investments, finances or other matters of a confidential nature of the other party of which it may come into possession in connection with this agreement and its performance by the other party, and each party shall use all reasonable endeavours to prevent such disclosure, except as may be required by any applicable law, rule or regulatory, law enforcement or tax authority.

(h) For the avoidance of doubt, Zebpay may be required to disclose information to third parties in order to carry out fraud-checks and for KYC procedures, and the Client expressly consents to such disclosure.

If the Client has any complaints, feedback or questions, the Company may be contacted via support@zebpay.com and we will in our best efforts try to resolve the issue with expediency. ZebPay shall not provide any support services to walk-in users.

Any payment to be made under this agreement must be made by one of the following methods:

• (a) a bank draft or a bank cheque;
• (b) by credit of cleared funds to the bank account specified by the payee at least 3 Business Days before the anticipated date of the payment; or
• (c) any other lawful form of payment that the parties agree in writing.

(a) Unless this agreement expressly states otherwise, a notice, consent, approval, waiver or other communication (notice) in connection with this agreement must be in writing. A notice may be given by hand delivery, prepaid post, or by electronic message to the recipient’s physical address or email address as advised from time to time.

(b) A notice given under this clause will be deemed to be received:

• (i) if hand delivered, at the time of delivery;
• (ii) if sent by prepaid post, three Business Days after the date of posting or seven Business Days after the date of posting if posted to or from a place outside Singapore;
• (iii) if sent by electronic message, when the sender receives an automated message confirming delivery or eight hours after the message has been sent (as recorded on the device from which the sender sent the message) unless the sender receives an automated message that the electronic message was not delivered or the sender knows or reasonably should know that there is a network failure and accordingly knows or suspects that the electronic message was not delivered,

unless a notice is received after 5.00 pm on a Business Day in the place of receipt or at any time on a non Business Day, in which case, that notice is deemed to have been received at 9.00 am on the next Business Day.

A party may not assign or otherwise deal with any of its rights or obligations under this agreement without the prior written consent of each other party that must not be unreasonably withheld. However, ZebPay may, without the consent of the User assign its rights under this agreement in the case of the sale of all or part of the ZebPay Platform.

(a) No failure to exercise or delay in exercising any right given by or under this agreement to a party constitutes a waiver and the party may still exercise that right in the future.

(b) Waiver of any provision of this agreement or a right created under it must be in writing signed by the party giving the waiver and is only effective to the extent set out in that written waiver.

By giving its approval or consent about any matter dealt with in this agreement, a party does not make or give any warranty, representation or undertaking about any circumstances relating to the subject matter of the consent or approval.

If any provision of this agreement is void, voidable by a party, unenforceable, invalid or illegal and would not be so if a word or words were omitted, then that word or those words are to be severed and if this cannot be done, the entire provision is to be severed from this agreement without affecting the validity or enforceability of the remaining provisions of this agreement.

On completion or termination of the transactions contemplated by this agreement, the rights and obligations of the parties set out in this agreement will not merge and any provision that has not been fulfilled remains in force.

Each party agrees to promptly do all things reasonably necessary or desirable to give full effect to this agreement, including obtaining consents and signing documents.

Time is of the essence of this agreement.

This agreement contains the entire agreement between the parties about their subject matter and supersede all previous communications, representations or agreements between the parties on the subject matter.

(a) This agreement is governed by the laws of Singapore.

(b) The parties submit to the non exclusive jurisdiction of the courts of Singapore in connection with this agreement.

1.1 “Applicable Law” means the law in force for the time being within the territory of Singapore, but also includes GDPR for those customers resident in the European Union.

1.2 ‘AML’ means ‘Anti-Money Laundering’, and in this connection, the applicable legislation shall be the Payment Services Act 2019 and other associated subsidiary legislation, notices and guidelines published by the Monetary Authority of Singapore from time to time concerning Anti-Money Laundering, including but not limited to the Payment Services Regulations 2019 and MAS PSN Notice 02 Prevention of Money Laundering and Countering the Financing of Terrorism – Holders of Payment Service License (Digital Payment Token Service)

1.3 “ZebPay Platform” shall mean and include ZebPay Android App, ZebPay iOS App (collectively, “ZebPay App”) or ZebPay Web app (“Web version”) and ZebPay website “www.zebpay.com” (“ZebPay Website”). Collectively along with the ZebPay Developer Portal, Public APIs and secure authentication for ZebPay Users is referred to as the “ZebPay.

1.4 “GDPR ” means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’)

2.1 ZebPay is committed to ensuring the safety and protection of all data and information shared with ZebPay by its Users in accordance with Applicable Laws and the terms and conditions set out hereunder and processes established by ZebPay in compliance with the applicable reasonable security practices and procedures, prescribed by Government or Regulatory authorities, as the case may be.

2.2 ZebPay shall not be liable for any breach or violation of its systems or policies due to malicious attacks, errors, commissions or omissions not willfully initiated by ZebPay, leading to breach of data or information of User.

3.1 Personal information is data that can be used to identify you directly or indirectly, or to contact you. Our Privacy Policy covers all personal information that you submit to us and that we obtain from our partners. This Privacy Policy does not apply to anonymized data, as it cannot be used to identify you.

3.2 We can ask you to provide personal information anytime you are in contact or consuming ZebPay Platform. ZebPay group of companies may share your personal information with each other and use it consistently with this Privacy Policy. They may also combine it with other information to provide and improve our products, services, and content. Except as described in this Privacy Policy, ZebPay will not sell, rent or loan any personal Information to any third party.

How to contact ZebPay for data protection inquiries:

4.1 We have endeavored to nominate an independent Data Protection Officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO using the details set-out below.

4.2 ZebPay may collect required personal data and information of the User to provide its services. Use of the ZebPay Platform is contingent upon acceptance of the terms and conditions contained herein. User shall be deemed to have volunteered the data and information collected, retained, used and disseminated by ZebPay, upon accepting the terms herein and those contained in the Terms of Service and User agreement of ZebPay.

4.3 ZebPay processes your personal data and information of the User in accordance with the guidelines laid by Applicable Laws. Personal data’ means any information or opinion relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, which can include (but is not limited to) data concerning that person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation 4 or practices, criminal record that is also personal information, health information about an individual, genetic information about an individual that is not otherwise health information, biometric information that is to be used for the purpose of automated biometric identification or verification, and biometric templates.

4.4 ZebPay collects your personal information to provide our Services. ZebPay ensures that your personal data is processed lawfully, fairly and in a transparent manner and is collected for specified, explicit and legitimate purposes shared with you. Any information you provide to us that is not required, is voluntary. You are free to choose whether to provide us with the types of personal information requested, but we may not be able to serve you as effectively or offer you all our Services when you do choose not to share certain information with us. We may collect the following types of information provided / shared by the User as applicable for

1) Personal Identification Information : Full name, date of birth, nationality, gender, signature, utility bills, photographs, phone number, national ID proof, home address, and/or email.

Why we collect this information

• To complete your user profile and process your registration request on ZebPay Platform allowing you to enter in a contract with us.
• To provide ZebPay products, services and support and enhance the performance of our contract with you.
• To communicate with you about your account and our services, including informing you of changes to our fees and our terms and conditions related to our services.
• To conduct market research and analysis eg. surveying our Users’ needs and opinions on issues, such as our performance;
• For Managing services including your account with us.
• For sending customized offers to you if you have consented to receive our offers.
• To deal with enquiries, complaints, and feedback from you and our service providers.
• To communicate with you regarding your account and our services.
• To maintain legal and regulatory compliance.

2) Recognized Identification Information : Tax ID number, passport number, driver’s license details, national identity card details, photograph identification cards, and/or visa information.

Why we collect this information

• To complete your user profile and Verify your registration request on ZebPay Platform allowing you to enter in a contract with us.
• To complete KYC (Know your customer) form to complete the regulatory requirements of Trading.
• To ensure that our customers are genuine and preventing Identity theft.
• To detect any Fraud, Anti national activity, Money Laundering and Criminal Activities.
• To prevent anti national and terrorist finances and protect our users and business from any threat or Damage.

3) Monetary Information :Bank account information, Permanent account Number, Credit or Debit Card Number, transaction history, trading data, and/or tax identification.

Why we collect this information

• To maintain legal and regulatory compliance.
• To provide ZebPay products, services and support and enhance the performance of our contract with you.
• To detect any fraud, anti national activity, money laundering and criminal activities.
• To prevent anti national and terrorist finances and protect our users and business from any threat or Damage
• To ensure that our customers are genuine and preventing Identity theft.

4) Transaction Information : Information about the transactions by using ZebPay Platform, such as the name of the recipient, digital currency address, your name, the amount, and/or timestamped.

Why we collect this information

• To provide ZebPay products, services and support and enhance the performance of our contract with you.
• To facilitate transactions of users
• To detect any fraud, anti national activity, money laundering and criminal activities.
• To prevent anti national and terrorist finances and protect our users and business from any threat or Damage
• To maintain legal and regulatory compliance.
• To deal with enquiries, complaints, and feedback from you and our service providers.
• To provide you customer Service.
• To communicate with you regarding your account and our services.

5) Employment or Business Information : Office location, job title, and/or description of Business, role, etc.

Why we collect this information

• To complete your user profile and Verify your registration request on ZebPay Platform allowing you to enter in a contract with us.
• To complete KYC (Know your customer) form to complete the regulatory requirements of Trading.
• To ensure that our customers are genuine and preventing Identity theft.
• To detect any Fraud, anti national activity, money laundering and criminal activities
• To maintain legal and regulatory compliance.

6) Online Identifiers : User’s device information including but not limited to IMEI or equipment identification number, IMSI or subscriber identification, UUID, MAC address, OS version, device details, network operator, contact list information, Wi-fi / Data Network connectivity. Cookies Information generated by the User’s use of the app and the website, including cookies and IP addresses. Geolocation of a User’s device or such or other automatically collated data or information of User, please visit our Cookie Policy

Why we collect this information

• To ensure that our customers are genuine and preventing Identity theft.
• To detect any Fraud, Anti national activity, Money Laundering and Criminal Activities.
• To maintain legal and regulatory compliance.
• To check if you are in a location or using a device consistent with our records in order to help prevent unauthorized user access your account and prevent threat.
• To develop and improve our services based on analyzing the behaviors of our users and the technical capabilities of our users.
• To enhance our technical capability by making our app compatible with your devices and to enhance your app browsing experience and ease of operation.
• To identify technical issue and monitor the health of ZebPay Platform.

7) Access to User’s Photo Gallery / Media / Files / Camera for using ZebPay Platform more efficiently.

Why we collect this information

• To complete your user profile and Verify your registration request on ZebPay Platform allowing you to enter in a contract with us.
• To allow you to upload KYC Documents, profile picture on ZebPay Platform.
• To provide you customer service.

8) Access to User’s apps and services including messaging through SMS; Storage data, device details;

Why we collect this information

• To complete your user profile and Verify your registration request on ZebPay Platform allowing you to enter in a contract with us.
• To read & auto-fill the OTP SMS so that we can verify your mobile number. This is helpful in your account verification (KYC).

9) Leave a message – We may collect your name, email id, mobile number, country, etc when you leave a message on our website.

Why we collect this information

• To provide ZebPay products, services and support and enhance the performance of our services.
• To inform you about ZebPay products, services or any other activities that ZebPay may undertake.

Depending on the purpose of our processing activity, the processing of your personal data will be based on one of the following:

• It is necessary for the legitimate interests of ZebPay, without unduly affecting your interests or fundamental rights and freedoms, to provide you with communications related to our products, services, promotions, offers and events. You have a right to opt-out of receiving marketing messages by clicking on the unsubscribe link in the bottom of our marketing emails or by using the personal settings in your user area;
• It is necessary for taking steps to enter into or executing a contract with you for the services or products you request, or for carrying out our obligations under such a contract;
• Required to meet our legal or regulatory responsibilities; or
• Processed with your explicit and free consent which we obtain from you from time to time.

Cookies

6.1 ZebPay uses cookies on its App and website to collect data about user. For a detailed policy on use and collection of Cookies, please visit our Cookie Policy

7.1 ZebPay may collect, use and share aggregated data to create anonymised statistical data. ZebPay may provide this statistical data to its business partners or third parties.

7.2 Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website / app feature.

However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

You are entitled to inform ZebPay at any time that your personal details have changed or otherwise request erasure of your personal data by emailing customer support at help@zebpay.com

7.3 We will only retain your personal data for as long as necessary to fulfil the purpose for which we have collected it, including for the purposes of satisfying any legal, accounting or reporting requirements.

7.4 To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.

7.5 By law we have to keep basic information about our customers (including contract, identity, financial and transaction data) for ten (10) years after they cease being customers for online trading purposes.

In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you. When you use this website or other services we provide to you, you may be able to link to other third-party websites, plug-ins and applications.

7.6 This Privacy Policy does not apply to those sites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our website, we encourage you to read the privacy policies on such sites.

7.7 ZebPay uses cookies to gather information about your access to this website and other services we provide to you. Cookies are small pieces of information which use a unique identification tag and are stored on your device as a result of you using this website or other service we provide to you.

When cookies are used by us, they collect statistical and factual information about how you use our services. Most internet browsers are set up to accept cookies. If you do not wish to receive cookies, you may be able to change the settings of your browser to refuse all cookies or to have your computer notify you each time a cookie is sent to it, and thereby give yourself the choice whether to accept it or not. If you disable or refuse cookies, please note that some parts of this website may become inadmissible or not function properly and impair the quality of the services that we provide to you in relation to your account.

For more information about the types of cookies ZebPay uses, please refer to our specific Cookie Policy (in terms of GDPR).

7.8 ZebPay protects your personal information by maintaining physical, electronic, and procedural safeguards in compliance with the applicable laws and regulations.

7.9 The retention period may be extended to comply with legal obligations, resolve disputes, and enforce agreements for a period of ten(10) years after termination of the account or such period, under applicable laws. ZebPay may retain data for further periods but is not obligated to do so in all instances. ZebPay shall not be liable or responsible for non – availability or non – retention of data or information beyond the termination of the User account.

7.10 The retention period may extend beyond the end of User account, but it will be only as long as it is necessary for ZebPay to have sufficient information to respond to any issues that may arise later, including but not limited to retention for the purpose of investigations or ongoing prosecutions or in case of Suspicious transactions or if ZebPay requires the information for its records or to support legal proceedings, or if ZebPay believes in good faith that a law, regulation, rule or guideline requires it.

7.11 Please note that ZebPay cannot guarantee that loss, misuse, unauthorised acquisition, or alteration of your data will not occur and you play a vital role in protecting your own personal information. users while registering with ZebPay Platform, it is important to choose a password or PIN of sufficient length and complexity, to not reveal this password to any third-parties, and to immediately notify us if you become aware of any unauthorised access to or use of your account

7.12 Subsequently, ZebPay cannot ensure or warrant the security or confidentiality of information you transmit to us or receive from us by Internet or wireless connection, including email, phone, or SMS, since we have no way of protecting that information once it leaves and until it reaches us. If you have reason to believe that your data is no longer secure, please contact us at dpo@zebpay.com. ZebPay however takes all reasonable steps to secure data and information pertaining to its Users, including those prescribed under applicable laws and Rules framed thereunder.

7.13 We will keep information about visitors to our websites (not being customers) for a reasonable length of time, that lets us understand how people use our website and any technical issues they have.

7.14 We try to respond to all legitimate requests within one (1) month. Occasionally, it may take us longer than a month if your request is particularly complex or you have a number of requests. In this case, we will notify you and keep you updated.

7.15 You have a right to make a complaint at any time to the Singapore Personal Data Protection Commission (“PDPC”), the Singapore supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the PDPC so please contact us or our DPO in the first instance at the email specified above.

8.1 The User shall ensure that all data and information shared with ZebPay is accurate, correct and complete. User shall ensure that change of the User’s address or any change in circumstances impacting use of the ZebPay Platform, is promptly communicated to ZebPay.

8.2 ZebPay will not be held liable or responsible for any incorrect information provided by the User to ZebPay.

8.3 User may, upon termination of the use of the ZebPay Platform, as provided in the Terms of Service, withdraw consent granted herein to ZebPay. The same shall however not affect actions undertaken or data and information collated, or technological processes initiated prior to such withdrawal of consent. Such withdrawal of consent shall also not affect retention of data and information collected prior to such withdrawal.

9.1Where we use certain service providers which are not located in Singapore, we may use specific contracts compatible with Applicable Laws which give your personal data the same protection it has in Singapore.

9.2 In all other instances, the User generally agrees and consents to ZebPay sharing the following anonymized data or to otherwise gives ZebPay permission to share its Data with third-parties for the following:

• For referral, operations, additional services and technology services (such as hosting providers, identity verification, support, payment, and email service providers) or;
• If required by applicable law or legal process, or if ZebPay believes that it is in accordance with applicable law or legal process; or
• To protect the rights, property and safety of ZebPay, its users and the public, including, including but not limited to usage in court proceedings, or to detect or prevent criminal activity, fraud, material misrepresentation, or to establish its rights or defend against legal claims; or
• In connection with selling, merging, acquiring, transferring, or reorganizing all or parts of ZebPay’s business.

European Economic Area (EEA Residents) have the following rights, which can be exercised by contacting us dpo@zebpay.com so that we may consider your request under applicable law.

Right to withdraw consent – You have the right to withdraw your consent to the processing of your personal information collected on the basis of your consent at any time. Your withdrawal will not affect the lawfulness of ZebPay’s data processing based on consent before your withdrawal.

Right of access to and rectification of your personal information – You have a right to request that we provide you a copy of your personal information held by us. This information will be provided without undue delay subject to some fee associated (if applicable) with gathering of the information (as permitted by law), unless such provision adversely affects the rights and freedoms of others. You may also request us to rectify or update any of your personal information held by ZebPay that is inaccurate.

Right to erasure [right to be forgotten] – You have the right to request erasure of your personal information that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing that you previously consented, but later withdraw such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. The above is subject to limitations by relevant data protection laws.

Right to data portability – If we process your personal information based on a contract with you or b ased on your consent, or the processing is carried out by automated means, you may request [in terms of GDPR] to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another “controller”, where technically feasible and once our platform interface allows for the ‘exportation’ of such data. In this connection, ZebPay is committed towards creating a robust function ensuring data portability in due course.

Without prejudice to the aforesaid, data portability will be prohibited if the requested migration of said data adversely affects the rights and freedoms of others. A “controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of your personal information.

Right to restriction or objections for processing – You have the right to restrict or object to us processing your personal information where one of the following applies:

You contest the accuracy of your personal information that we processed. In such instances, we will restrict processing during the period necessary for us to verify the accuracy of your personal information.

The processing is unlawful, and you oppose the erasure of your personal information and request the restriction of its use instead.

We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise or defense of legal claims.

You have objected to processing, pending the verification whether the legitimate grounds of ZebPay’s processing override your rights.

Restricted personal information shall only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if the restriction is lifted.

Notification of erasure, rectification and restriction – We will communicate any rectification or erasure of your personal information or restriction of processing to each recipient to whom your personal information have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request this information.

Right to object to processing – Where the processing of your personal information is based on consent, contract or legitimate interests you may restrict or object, at any time, to the processing of your personal information as permitted by applicable law. We can continue to process your personal information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.

Automated individual decision-making, including profiling – You have the right not to be subject to a decision based solely on automated processing of your personal information, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws.

Right to lodge a complaint – If you believe that we have infringed your rights, we encourage you to contact us first at dpo@zebpay.com , so that we can try to resolve the issue or dispute informally.

Your rights to personal information are not absolute. Access may be denied when:

• Denial of access is required or authorized by law;
• Granting access would have a negative impact on other’s privacy;
• Granting access would have a negative impact on other’s privacy;
• To protect our rights and properties; and Where the request is frivolous or vexatious

To Invoke or exercise any of your rights, please contact our Data Protection Officer (DPO) at: dpo@zebpay.com

11.1 Protection of the User’s personal information is of utmost importance to ZebPay and it takes all reasonable steps to secure data and information pertaining to its Users, including those prescribed under applicable laws and Rules framed thereunder

11.2 ZebPay takes appropriate legal, administrative, physical, and reasonable electronic measures designed to protect the information that Users share with ZebPay

11.3 ZebPay however does not extend any warranties with respect to the security or safety of data and information transmitted through digital platforms or online, both of which are susceptible to malicious attacks.

These terms may be periodically reviewed and revised when required by law, or due to business reasons . we will notify you of changes to this Privacy Policy. The revised Policy will be uploaded on the ZebPay website and will reflect the modified date of the terms. Continued use of the ZebPay Platform constitutes agreement of User to the terms contained herein and any amendments thereto. ZebPay may for any important changes in the policy would send an email to user’s registered email id.

We reserve the right to modify this Privacy Policy at any time, and when required by law, we will notify you of changes to this Privacy Policy. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on our Services prior to the change becoming effective. ZebPay also encourages users to periodically visit our policies from time to time

All other provisions of the ZebPay Terms of Service and user agreement shall be read along with this policy and shall form part hereof, including Governing Laws and jurisdiction, notices, severability, assignment and such or other provisions.

If you have questions, please contact our Data Protection Officer (DPO) at: dpo@zebpay.com

The definitions of words and phrases to be in this AML Program are set out in Schedule 1 of Part B.The definitions of words and phrases to be in this AML Program are set out in Schedule 1 of Part B.

2.1 Business background
Genie Technologies Pte. Ltd Registration No: 201919382H (ZebPay) was established in 2019 to operate a digital payment token exchange business in Singapore. Digital payment token is not issued by or under the authority of a government. Digital payment token is also commonly referred to as cryptocurrency or virtual currency.

It is intended that ZebPay will initially offer the following digital payment tokens for exchange through its platform:

• (a) Bitcoin
• (b) Bitcoin cash
• (c) Ethereum
• (d) Litecoin
• (e) Ripple
• (f) Eos

ZebPay platform will allow for:

• (g) Buying digital payment tokens;
• (h) Selling digital payment tokens; and
• (i) Facilitating the trading of digital payment tokens between our customers.

ZebPay’s model:

• (j) includes holding digital payment tokens on trust or as custodian;
• (k) involves ZebPay purchasing or selling digital payment tokens; or
• (l) involves accepting fiat only through electronic funds transfer;
• (m) does not involve accepting cash.

2.2 ZebPay’s AML Policy
ZebPay aims to prevent, detect and not knowingly facilitate money-laundering and terrorism financing. ZebPay does this to protect the company’s reputation, to comply with relevant laws and to be a good corporate citizen. The purpose of this policy is to:

• (a) make staff and management aware of the meaning of anti-money laundering and counter-terrorism financing (AML/CTF) and their responsibilites towards the same pursuant to MAS Notice No. PSN02 Notice to Holders of Payment Service License (Digital Payment Token Service) read with section 27B of the Monetary Authority of Singapore Act (Cap. 186) (collectively, the “AML/CTF Regulations”)];
• (b) state ZebPay’s attitude towards money-laundering and the financing of terrorism;
• (c) outline the key roles and responsibilities of ZebPay’s staff and management in relation to AML/CTF, and
• (d) document requirements of anti-money laundering under the AML/CTF Regulations.

ZebPay faces risks of money laundering or terrorism financing if it (or its employees) knowingly facilitate or fail to put in place the appropriate training, processes and systems to prevent the facilitation of money-laundering or terrorism financing. The potential risks that could occur also include the following:

• (e) reputation risk—customer loss of confidence in being associated with an entity perceived to be assisting criminals or terrorists, or not in compliance with the law. This loss of confidence could lead to a loss of business and revenue.
• (f) personal risk—employees who facilitate money-laundering or terrorist activities, or fail to take appropriate steps to prevent these activities, could face personal criminal action, civil action or dismissal; and
• (g) regulatory risk—potential for increased regulatory oversight if perceived to be facilitating money-laundering or terrorist financing, or negligent of legal requirements. This could be from regulators other than the Monetary Authority of Singapore (“MAS”). This could also result in possible fines or regulatory sanctions.

2.3 Regulatory Framework and the AML Program
The AML/CTF Regulations requires a licensee to adopt, maintain and comply with a Risk-Based Anti-Money Laundering and Counter Terrorist Financing program (AML Program).

ZebPay has adopted a AML Program that comprises a Part A (general) and Part B (customer identification) as prescribed by the AML/CTF Regulations..

The primary purpose of Part A is to identify, manage and mitigate any ML/TF risk ZebPay may reasonably face in relation to the provision by ZebPay of digital payment token services in SIngapore. Part A of ZebPay’s AML Program also provides all users with a map of all of the elements of the AML Program (see section 2.4).

Part B of this AML Program sets out the applicable customer identification and verification procedures for customers of ZebPay. ZebPay has different procedures with respect to the identification and verification of different customers depending on the type of customer, the jurisdiction in which the customer resides, the digital payment token services provided to the customer and the delivery method of the digital payment token services (Rule 8.1.4 of the AML Rules).

2.4 How does Part A (General) of the AML Program Work?
Part A is designed to identify, mitigate and manage the risk ZebPay may reasonably face by the provision of digital payment token services in Australia that might (whether inadvertently or otherwise) involve or facilitate:

• (a) money laundering; or
• (b) financing of terrorism.

This Part A describes the structure of the AML Program and is intended to:

• (c) provide all users of this AML Program with a map of all of the elements of our AML Program;
• (d) provide a brief summary of the legal and regulatory requirements relating to each of the elements of our AML Program; and
• (e) provide details on ZebPay’s compliance policies which are contained in shaded text boxes.

Element	Part A (Introduction and summary of legal requirements)
ML/TF Risk Assessment	Section 3
Staff training and awareness	Section 4
Board and management oversight policy	Section 5
Role of Compliance Officer	Section 6
Reporting	Section 7
Ongoing customer due diligence including transaction monitoring and enhanced customer due diligence	Section 8
Review of AML Program	Section 9
MAS Feedback	Section 10
Privacy	Section 11
Breaches	Section 12
Record Keeping	Section 13

3.1 Risk assessment
As a part of Part A of ZebPay’s AML Program, ZebPay is required to prepare an assessment of the areas of money laundering and terrorism financing risk (ML/TF) which it is likely to face in the provision of its digital payment token services (i.e. operating a digital payment token exchange business).

Understanding the ML/TF) risks ZebPay faces is an important step in developing, implementing and maintaining effective and balanced controls, systems and procedures that mitigate and manage these ML/TF risks. In developing a risk assessment, ZebPay will ensure that

• (a) the risk analysis should be solidly founded on reliable research and provide a true reflection of the inherent risks and the way your business mitigates those risks
• (b) the risk criteria and categorisations chosen should be proportionate to the complexity of ZebPay’s products and services and be consistent with its risk analysis.

ZebPay Risk Assessment

Following an ML/TF risk assessment, ZebPay considers its overall risk rating to be medium on the basis that:

• Service and Delivery
• The digital payment token services provided by ZebPay is the operation of a digital payment token exchange business, as defined in the First Schedule of the Payment Services Act (Cap. ___)
• ZebPay does not accept physical cash.
• ZebPay only offers recognised digital payment tokens for exchange..

• Customers
• Customers include Individual as well as companies.
• Customers may be domiciled in a foreign county.
• Customers are first vetted through KYC & Customer screening checks before being able to utilise the exchange.
• Customers accounts will be linked to a bank which is in the same name of the customer on the ZebPay exchange and the banks will have undertaken AML/CTF checks in opening the account.
• On boarding of politically exposed persons is strictly prohibited
• At the point of on boarding, customers will be required to make a declaration as to their source of funds. Further, when the aggregate funds or digital payment tokens deposited with ZebPay exceeds certain dollar value thresholds, the customers will be expected to provide some additional proof of their stated source of funds.

ZebPay’s risk assessment and risk assessment methodology are detailed in Schedule 2 of Part B.

3.2 Ongoing risk assessments
ZebPay conducts, at least annually, a business-wide ML/TF risk assessment as a part of ZebPay’s annual internal AML/CTF review (section 9.1).

In addition, ZebPay, through its Compliance Officer, also has procedures for identifying, recognising and assessing significant changes to its ML/TF risk (see Rule 8.1.5 of the AML Rules) including.

• (a) subscribing to industry bulletins, attending industry events;
• (b) monitoring trends/methods in ZebPay operating environment (e.g. review transaction monitoring triggers and hits);
• (c) regularly review the MAS website.

Further, the Compliance Officer will conduct a risk assessment prior to the following:

• (d) the provision of new digital payment token services, prior to introducing them to the market;
• (e) the adoption of new methods of a digital payment token service delivery; and
• (f) the adoption of new or developing technologies used for the provision of a digital payment token service.

If ZebPay’s ML/TF risk changes it will ensure that it implements appropriate policies, procedures and systems to reflect the new ML/TF risk.

See paragraph 9.1 for more details on the process for internal review. The annual review may be outsourced to a third party service provider.

4.1 Staff training
As is required under the AML Rules, ZebPay has designed a risk awareness training program (Training Program) to ensure that its employees have appropriate training, at appropriate interval, having regard to the ML/TF risk ZebPay faces (Rule 8.2.2 of the AML Rules).

ZebPay’s Training Program has been designed to enable its employees to understand:

• (a) the obligations of ZebPay under the AML/CTF Regulations and AML Rules including highlighting the ML/TF Risks which are identified by ZebPay’s ML/TF Risk Assessment);
• (b) the consequences of non-compliance with the AML/CTF Regulations and AML Rules (including legal, reputation and financial ramifications which may arise from non-compliance or ineffective management of ML/TF Risks);
• (c) the type of ML/TF risk that ZebPay might face and the potential consequences of such risk;
• (d) the processes and procedures provided for by this AML Program that are relevant to the work carried out by the employee (Rule 8.2.3 of the AML Rules); and
• (e) the risk associated with “tipping off” a customer or prospective customer in relation to a suspicious matter and how to avoid tipping off offences.

TRAINING PROGRAM

• 1 The Training Program is applicable to all employees of ZebPay who provide digital payment token services on behalf of ZebPay. The Training Program consists of the following:
  • (a) all employees of ZebPay who are involved in the provisions of digital payment token services must familiarise themselves with the AML/CTF compliance procedures contained in this AML Program;
  • (b) ZebPay’s Compliance Officer will provide at a minimum annual training (or within 1 month of commencement for new or transferred employees) on ZebPay’s AML/CTF requirements to these staff members, including providing information about updates to the AML/CTF Regulations, AML Rules and the AML Program, also updates on jurisdictional risks, AML case studies and other relevant matters. The training may be delivered in person or online.
• 2 The Compliance Officer will also consider as a part of the annual AML Program to review whether the staff members have adequate AML/CTF training to complete their assigned functions and if any changes are required to be made to the training program
• 3 The Compliance Officer will also deliver training if new and relevant AML/CTF issues arises during the year.

4.2 Employee due diligence program
ZebPay has established an Employee Due Diligence Program. In accordance with the Employee Due Diligence Program, ZebPay:-

• (a) screens any prospective employee who, if employed, may be in a position to facilitate the commission of an offence in relation to money laundering or the financing of terrorism in connection with the provision of a digital payment token service that ZebPay provides;
• (b) screens an employee where the employee is promoted or transferred to a position where they may now be in a position to facilitate the commission of a money laundering or financing of terrorism offence in connection with the provision of a digital payment token service by ZebPay; and
• (c) incorporates into its employment agreement or induction processes compliance with this AML Program.

The Compliance Officer will monitor employee activity to ensure AML/CTF procedures are being followed properly and mitigate the risk of employees colluding with customers to facilitate ML/TF.

4 EMPLOYEE DUE DILIGENCE PROGRAM

• 5 For new, transferred or promoted staff members, the screening process involves:
  • (a) step 1: the Compliance Officer verifies the ID of the employee, reference checks and AML/CTF identity in accordance with the standard KYC procedures for individuals as contained in section 4 of Part B of this AML Program; and
  • (b) step 2: Where the nationality of the employee permits, the Compliance Officer conducts a police check on the employee, and a record of the police check is kept on the relevant file of the particular employee and the AML/CTF identify check being kept with ZebPay’s AML/CTF employee identification files.
• 6 For employees who have failed to comply with the AML/CTF Regulations or the AML Rules, of any system, control or procedure in this AML Program without reasonable excuse, the breach management procedure involves:
  • (a) step 1:the Compliance Officer investigating any alleged breaches or non-compliance and interviewing the relevant staff member to determine whether or not there is a reasonable excuse of the breach;
  • (b) step 2: the results of such an investigation will be raised with and considered by the Compliance Officer, pending the results of the investigation the employee may:
    • receive refresher training;
    • have his/her role reassigned; or
    • have their employment terminated; and
  • (c) step 3: the Compliance Officer, may, if appropriate, determine to communicate the breach to the relevant law enforcement agency.

5.1 Board
The AML Program must be adopted by the ZebPay Board (Board). The Board will have ongoing oversight of the AML Program, via reports like number of suspicious transaction reported, number of political exposed person on boarded or trading on the ZebPay platform from the Compliance Officer.

5.2 Management
The Compliance Officer must ensure that this AML Program is appropriately designed and that there are adequate resources assigned to fully and continuously implement. ZebPay’s management is responsible for:

• (a) implementing this AML Program;
• (b) providing the support necessary for a successful AML Program;
• (c) making provisions for adequate compliance resources sufficient to run this AML Program effectively having regard to the nature, size and complexity of ZebPay’s business;
• (d) identifying, articulating, assigning, and communicating specific roles and responsibilities for employees of ZebPay who should have significant responsibility for carrying out and enhancing this AML Program; and
• (e) ensuring that the Compliance Officer receives appropriate training.

The organisational structure of ZebPay is set out in Schedule 1 of Part A.

5.3 Resources
ZebPay may from time to time appoint individuals to carry out specific duties in respect of digital payment token services and AML/CTF matters. The individuals appointed to carry out specific duties in respect of different matters have the primary responsibility for the performance of those duties. Primary responsibility means that in the ordinary course of business the person with primary responsibility for a task would perform that task. However, if circumstances exist which prevent the person with primary responsibility from performing a particular task, then the task may be performed by a different person for the reporting entity.

Individuals with primary responsibility for AML/CTF duties must report to the Compliance Officer in respect of their duties and, in particular, any system breaches within the operations of the reporting entity which are discovered during the performance of those duties.

The Board will ensure that at all times a Compliance Officer is appointed, and a secondary person to act in the Compliance Officer’s absence.

In the event that the Compliance Officer is absent or is unable to perform their duties pursuant to this policy, MLRO (Money Laundering reporting officer) will assume the position Compliance Officer as Interim Compliance Officer. For the purposes of this policy, the Interim Compliance Officer is to be held to the same standard and accountability as the Compliance Officer normally performing his or her obligations pursuant to this Policy.

The Compliance Officer is responsible for managing the day-to-day operations of this AML Program. This includes, but is not limited to:

• (a) conducting regular reviews of this AML Program (see section 8.3);
• (b) ensuring ZebPay’s compliance with its obligations in respect of risk awareness training. The Compliance Officer is responsible for ensuring that the training is available, that the standards and scope of the training are appropriate, and that appropriate records are kept (see section 4);
• (c) ensuring the maintenance of a continually high level of staff AML/CTF awareness even between training sessions;
• (d) ensuring an awareness of countries that do not have adequate AML/CTF frameworks in place;
• (e) ensuring an awareness of lists of suspects and sanctions issued by law enforcement and regulatory authorities;
• (f) ensuring an awareness of exemptions and modifications for some reporting entities from AML/CTF obligations;
• (g) receiving reports about unusual or suspicious activities that may be suspicious matters to determine if they should be reported to MAS and preparing suspicious matter reports for that purpose (see section 7);
• (h) responding on behalf of ZebPay to requests for information from MAS under the AML/CTF Regulations (see section 10);
• (i) filing internal disclosures that are not reported to MAS for future analysis in the event that a further internal disclosure is made about the same customer at a later date;
• (j) documenting the evaluation of the determination process in respect of reports and investigations;
• (k) maintaining a register of all reports;
• (l) oversight of Part A, which includes:
  • (i) assessing the effectiveness of this AML Program; and
  • (ii) overseeing the establishment of appropriate risk-based systems and controls within ZebPay to manage its ML/TF risk and ensure compliance with the AML/CTF Regulations and the AML Rules (see section 3);
• (m) monitoring ZebPay’s business in relation to its provision of digital payment token services;
• (n) advising management on the AML/CTF Regulations, the AML Rules and relevant industry guidance and keeping them informed on developments in the laws and regulations and recent developments in relation to money laundering and the financing of terrorism;
• (o) undertaking the ML/TF risk assessments (see section 3 and Schedule 2 of Part B);
• (p) implementing this AML Program; and
• (q) undertaking annual reviews of this AML Program which may be outsourced to a third party. Major changes arising from the annual review should be considered and approved by the Board, but other changes can be approved by the Compliance Officer.

7.1 Suspicious matters
Under the AML/CTF Regulations, ZebPay’s obligation to report suspicious matters to MAS arises in the context of:

• (a) ZebPay commencing to provide, or proposing to provide, a digital payment token service to a customer;
• (b) a customer requesting ZebPay to provide a digital payment token service(of a kind ordinarily provided by ZebPay); or
• (c) a customer inquiring of ZebPay whether it would be willing to provide a digital payment token service (of a kind ordinarily provided by ZebPay).

ZebPay acknowledges that suspicious matters may relate to any crime. ZebPay will treat suspicious matters that extend beyond the scope of money laundering and terrorism financing the same as if that suspicious matter were a money laundering and terrorism financing suspicious matter.

SUSPICIOUS MATTER REPORTING PROCEDURES

Where the suspicious matter relates to terrorism financing, it must be reported by the Compliance Officer to MAS within 24 hours. All other suspicious matters must be reported to MAS within 3 business days. The Compliance Officer will ensure these timeframes are complied with through a daily review of any suspicious matter internal reports.

Any employees of ZebPay must report any of the following suspicious matters to the Compliance Officer. The Compliance Officer upon forming a suspicion on reasonable grounds or confirming that one of the following suspicious matters have occurred, must report the following to MAS:

• (a) A person is flagged as being a person who appears on the DFAT sanctions list.
• (d) A person (or their agent) is not the person they claim to be.
• (e) Information that ZebPay has which may be:
  • (i) relevant to the investigation or prosecution of a person for an evasion (or attempted evasion) of a tax law (including that of a state or territory), or an offence against a Commonwealth, state or territory law, or
  • (ii) of assistance in enforcing the Proceeds of Crime Act 2002 (or regulations under that Act), or
  • (iii) a state or territory law that corresponds to that Act or its regulations.
• (f) The provision of digital payment token services may be:
  • (i) preparatory to the commission of an offence related to money laundering or the financing of terrorism, or
  • (ii) relevant to the investigation or prosecution of a person for an offence related to money laundering or the financing of terrorism.

In determining whether or not there are reasonable grounds for reporting a suspicious matter, the Compliance Officer should look at all relevant factors, including:

• (a) whether or not the customer has withheld or provided false or inconsistent information;
• (g) the behaviour of the person or persons receiving or requesting the digital payment token service (for example, unusual nervousness);
• (h) whether or not the person is a foreign PEP;
• (i) the known business background of the person;
• (j) the use of aliases and a variety of similar addresses; and
• (k) transactions involving known tax havens, narcotic source or transit countries.

No tipping off

Important: Employees, officers and directors of ZebPay may not disclose to someone other than MAS or a member of staff of MAS that a suspicious matter has been reported, a suspicion has been formed or information has been given under the AML/CTF Regulations. For example, a client or an external service provider must not be told that a report has been made to MAS about a suspicious matter.

7.2 Cash transactions
ZebPay has decided not to accept any cash from customers.

7.3 Compliance Reporting
The Compliance Officer, on behalf of ZebPay, prepares and submits an annual AML/CTF compliance report to MAS within 3 months of the end of the reporting period or as otherwise required by MAS.

The AML/CTF compliance report will cover ZebPay’s compliance with the AML/CTF Regulations and the AML Rules during the reporting period and take the form specified by MAS (if any).

7.4 International fund transfer instructions
ZebPay is not a sender or recipient of international funds transfer instructions (IFTI) within the meaning of the AML/CTF Regulations.

7.5 Changes to enrolment details
The Compliance Officer must also advise MAS of changes to ZebPay’s enrolment and business details, within 14 days of a change occurring (see Chapter 64 of the AML/CTF Rules). The Compliance Officer will work closely with the owners of ZebPay in relation to business ownership and control changes and/or other registration or licensing requirements with other regulators and will also work closely with human resource personnel in relation to staff movements and changes to key personnel details or circumstances.

ZebPay acknowledges that suspicious matters may relate to any crime. ZebPay will treat suspicious matters that extend beyond the scope of money laundering and terrorism financing the same as if that suspicious matter were a money laundering and terrorism financing suspicious matter.

SUSPICIOUS MATTER REPORTING PROCEDURES

Where the suspicious matter relates to terrorism financing, it must be reported by the Compliance Officer to MAS within 24 hours. All other suspicious matters must be reported to MAS within 3 business days. The Compliance Officer will ensure these timeframes are complied with through a daily review of any suspicious matter internal reports.

Any employees of ZebPay must report any of the following suspicious matters to the Compliance Officer. The Compliance Officer upon forming a suspicion on reasonable grounds or confirming that one of the following suspicious matters have occurred, must report the following to MAS:

• (a) A person is flagged as being a person who appears on the DFAT sanctions list.
• (d) A person (or their agent) is not the person they claim to be.
• (e) Information that ZebPay has which may be:
  • (i) relevant to the investigation or prosecution of a person for an evasion (or attempted evasion) of a tax law (including that of a state or territory), or an offence against a Commonwealth, state or territory law, or
  • (ii) of assistance in enforcing the Proceeds of Crime Act 2002 (or regulations under that Act), or
  • (iii) a state or territory law that corresponds to that Act or its regulations.
• (f) The provision of digital payment token services may be:
  • (i) preparatory to the commission of an offence related to money laundering or the financing of terrorism, or
  • (ii) relevant to the investigation or prosecution of a person for an offence related to money laundering or the financing of terrorism.

In determining whether or not there are reasonable grounds for reporting a suspicious matter, the Compliance Officer should look at all relevant factors, including:

• (a) whether or not the customer has withheld or provided false or inconsistent information;
• (g) the behaviour of the person or persons receiving or requesting the digital payment token service (for example, unusual nervousness);
• (h) whether or not the person is a foreign PEP;
• (i) the known business background of the person;
• (j) the use of aliases and a variety of similar addresses; and
• (k) transactions involving known tax havens, narcotic source or transit countries.

No tipping off

Important: Employees, officers and directors of ZebPay may not disclose to someone other than MAS or a member of staff of MAS that a suspicious matter has been reported, a suspicion has been formed or information has been given under the AML/CTF Regulations. For example, a client or an external service provider must not be told that a report has been made to MAS about a suspicious matter.

7.2 Cash transactions
ZebPay has decided not to accept any cash from customers.

7.3 Compliance Reporting
The Compliance Officer, on behalf of ZebPay, prepares and submits an annual AML/CTF compliance report to MAS within 3 months of the end of the reporting period or as otherwise required by MAS.

The AML/CTF compliance report will cover ZebPay’s compliance with the AML/CTF Regulations and the AML Rules during the reporting period and take the form specified by MAS (if any).

7.4 International fund transfer instructions
ZebPay is not a sender or recipient of international funds transfer instructions (IFTI) within the meaning of the AML/CTF Regulations.

7.5 Changes to enrolment details
The Compliance Officer must also advise MAS of changes to ZebPay’s enrolment and business details, within 14 days of a change occurring (see Chapter 64 of the AML/CTF Rules). The Compliance Officer will work closely with the owners of ZebPay in relation to business ownership and control changes and/or other registration or licensing requirements with other regulators and will also work closely with human resource personnel in relation to staff movements and changes to key personnel details or circumstances.

8.1 General
Under the AML/CTF Regulations, ZebPay is required to have an Ongoing Customer Due Diligence Program which covers:

• (a) procedures for the collection or verification of additional KYC information or Beneficial Owner information;
• (b) a Transaction Monitoring Program; and
• (c) Enhanced Customer Due Diligence Program.

8.2 Ongoing Customer Due Diligence
Based on its ML/TF risk level, ZebPay has determined to implement the following ongoing customer due diligence measures. These measures are to be supervised by the Compliance Officer.

ONGOING CUSTOMER DUE DILIGENCE PROCEDURES

MEASURE	IS THIS MEASURE TRIGGERED?	WHAT IS THE RESPONSE?
Collect additional Customer Information	(a) A discrepancy in the KYC information that has been collected and verified becomes apparent in subsequent engagement with the customer compared to the information provided when the customer initially opened an account. Excluding changes of information e.g. address which have been previously notified.(b) There are doubts to the customer’s identity, before, during and after any engagement of the customer by ZebPay.(c) Client is identified as a high money laundering risk.	Clarify in case of discrepancy in customers information collected and verified then in such circumstances customers account will be on temporary hold till the collection and verification of required information.If the customer’s identity cannot be verified, Compliance Officer must consider whether or not the investment must be reported as a suspicious matter.Customer database will be checked semi-annually for collection of missing information/ documents if any.If any doubts arise, ZebPay will initiate further verification procedures such as: Enhanced due diligence.The staff performing the normal due diligence escalates the case to a supervisor for further validation.The supervisor/manager reviews the case and validates the high risk status or disapproves.If the manager disapproves a high risk status, supporting evidence and reasoning are documented and the client is downgraded to a low, normal, or medium risk status.In a situation of a validated, true high risk case, the client case is escalated to the firm’s Compliance Officer/MLRO using an “Escalation Form.” or via email.The Escalation form is normally accompanied by supporting client documentation.The Compliance Officer/MLRO or his/her designee reviews the Escalation Form and any attached documentation.If needed, the Compliance Officer/MLRO Officer or his/her designee will make a request for additional information.The Compliance/MLRO or his/her designee then conducts further investigation (i.e., reviews the account’s beneficial owners or conducts external non-documentary investigations).Upon completion of the enhanced investigation, the Compliance Officer/MLRO or his/her designee provides a recommendation (to terminate the relationship or accept the client).If the recommendation is to accept the client, there is normally an accompanying monitoring plan for the firm to implement in order to reduce its overall money laundering risk.

8.4 Enhanced Customer Due Diligence
ZebPay must have an enhanced customer due diligence program in place which sets out its procedures for situations where there is a high ML/TF risk, when a suspicious matter reporting obligation arises. Where a customer is a foreign politically-exposed person (PEP), ZebPay will decline to offer any digital payment token services.

• (a) TriggersZebPay will apply its customer due diligence program when:
  • (i) ZebPay has determined (under its risk-based systems and controls) that the ML/TF risk is high; or
  • (ii) ZebPay is provided digital payment token exchange services to a customer who is, or who has a beneficial owner who is, a PEP; or
  • (iii) ZebPay has formed a suspicion regarding the transaction; or
  • (iv) a party to the transaction (that its business has entered in or is proposing to enter into) is physically located in a prescribed foreign country.
• (b) Processes
  • (i) Seek further information from the customers or third party sources to:
    • (A) clarify/update the customer’s information;
    • (B) obtain further information about the customer including applying the Non-Standard Procedure;
    • (C) obtain information about the source of wealth or funds the customer is using to invest or transact in digital payment token;
  • (ii) Undertake more detailed analysis of the customer’s information and/or transaction history;
  • (iii) Verify or re-verify KYC information
  • (iv) Seek senior management approval for processing any future transactions; and
  • (v) Any other appropriate steps as determined by the Compliance Officer.
• (c) Limitations on types of customers

ZebPay has implemented a procedure for the regular internal and external review and updating of the AML Program.

9.1 Internal reviews
Having regard to ZebPay’s level of ML/TF risk, ZebPay has determined that an internal review of Part A of the AML/CTF compliance processes will be carried out:

• (a) annually; and
• (b) where there is a change to ZebPay’s ML/TF risk (see section 3.2 for triggers for reviews).

7 This review process will involve:

• (a)Step 1:an assessment of ZebPay’s ML/TF risk bearing in mind changes to its business and any new digital payment token services being provided by it during the year. If there are any changes to ZebPay’s ML/TF risk, the Compliance Officer will need to make an assessment as to whether current compliance measures are sufficient and, if not, recommend additional measures;
• (b)Step 2:an assessment of whether ZebPay has been complying with:
  • (i) the compliance measures set out in this AML Program and the AML/CTF Regulations and the AML Rules (including any changes which may have been made from time to time); and
  • (ii) any feedback from an external review of ZebPay ‘s AML/CTF compliance;
• (c)Step 3:making recommendations on additional measures to be incorporated into this AML Program to address any compliance deficiencies which have been detected; and
• (d)Step 4:the results of the annual internal review will be summarised in an AML/CTF Compliance Report which will be presented to the Board each year. The Board is required to consider the finding and recommendations of the report and resolve to implement appropriate changes to this AML Program.

8 Steps 1 to 3 of this process may be outsourced to a third party service provider.

9.2 Independent reviews
Part A of this AML Program must be regularly reviewed by an independent reviewer (Part 8.6 of the AML Rules).

INDEPENDENT REVIEW PROCESS

Having regard to ZebPay’s ML/TF risk, ZebPay has determined that an independent review of the AML Program must be undertaken on a bi-annual basis.

• (a)Step 1: Appointment of independent reviewer
  ZebPay must determine who is “independent” for the purposes of undertaking the review. For the purposes of undertaking the independent review, ZebPay has determined that the “independent” reviewer must have experience at least three out of the past five years of experience in AML/CTF legislation and/or reviewing AML Programs and must not have been involved in the preparation, review, approval, implementation, oversight or amendment of the AML Program.
• (b)Step 2: Engagement, review and reporting
  ZebPay must enter into a formal engagement with the independent reviewer in respect of the independent review. The independent reviewer is required to provide an engagement letter which sets out the scope of review as follows:
  • (i) assess the effectiveness of Part A having regard to the ML/TF risk of ZebPay;
  • (ii) assess whether Part A complies with the AML Rules;
  • (iii) assess whether Part A has been effectively implemented; and
  • (iv) assess whether ZebPay has complied with Part A.
  The independent reviewer is required to prepare a report outlining the result of the independent review. The independent reviewer is also required to provide any work schedule(s), audit program(s) or compliance procedures prepared as a part of the independent review. The independent reviewer will be provided with requested documents and staff will be made available to undergo any required interviews.
• (c)Step 3: Consideration by the BoardThe result of the review, including any report prepared, must be tabled at the next meeting of the Board. The Board may provide a written response to the independent reviewer’s report, including any recommendations made in the report.

ZebPay is required to have appropriate procedures in place with regards to any feedback provided by MAS in respect of ZebPay’s performance on the management of ML/TF risk (Rule 8.7.1 of the AML Rules).

ZebPay has determined that the following procedures will apply:

• (a) if MAS provides ZebPay with feedback regarding its performance in relation to the management of its ML/TF risk, the Compliance Officer must assess MAS’s feedback to determine if any changes to this AML Program are required and to implement any such changes as soon as reasonably practicable;
• (b) the Compliance Officer is responsible for notifying Board and management about any MAS feedback;
• (c) the Compliance Officer is responsible for collating and responding to MAS feedback if requested by MAS, with the required information and within the stipulated timeframes; and
• (d) any MAS feedback should also be included in the annual ML/TF risk assessment review detailed in Schedule 2 of Part B.

(a) ZebPay is considered to be a reporting entity for the purposes of the AML/CTF Regulations, and therefore has obligations under the Personal Data Protection Act 2012 (“the Privacy Act”).

(b) ZebPay applies the Privacy Act to personal information collected or handled in relation to activities undertaken to comply with the AML/CTF Regulations. This personal information must be kept secure and destroyed or de identified when no longer in use.

(c) ZebPay also takes reasonable steps to keep relevant personal information it holds accurate and up to date. If the personal information is found to be incorrect, ZebPay must take reasonable steps to correct it.

12.1 Breaches
Any breaches of the AML/CTF Regulations, AML Rules or this AML Program which may have a material adverse effect on ZebPay or its investors must be reported to the Compliance Officer by the individual responsible for the area in which the breach occurred. The officer will in turn report any material breach to the Board.

The Board, or the Compliance Officer will then consider what action to take in respect of the breach including instigating further training or additional systems to prevent a similar breach occurring.

12.2 Internal Reporting

• (a) The standard reporting lines are shown in the flowchart in Schedule 1 of Part A Organisational structure chart—AML/CTF compliance.
• (b) It is the responsibility of the Compliance Officer to ensure staff responsible for AML/CTF compliance are aware of these reporting lines as well as the process of reporting directly to the Compliance Officer.

ZebPay has a number of record keeping obligations under the AML/CTF Regulations. These obligations and how ZebPay intends to comply with these obligations are set out below.

Obligation	Reference	Retention
Record of compliance activoty	Section 13(b)(vi) of the Payment Services Regulations	ZebPay will keep a written record of the steps taken to monitor compliance with its policies, its accounting and operating procedures, and the limits on discretionary powers;
MPI
Records of digital payment token services	Sections 14(3) of the Payment Services Act	Under sections 14(3), 72 of the Act, and 108 of the AML/CTF Regulations, ZebPay must:books of all of ZebPay’s transactions in relation to digital payment token services provided by ZebPay;make these books available to the relevant authorities for their inspection, but under conditions of secrecy;This shall include records received from customers or prospective customers relating to the provision or prospective provision of a digital payment token service, including:(d) application forms;(e) direct debit authority forms;(f) certified copies of identification documents (where applicable); and(g) records of transaction executed at the customers’ behest.ZebPay keeps records of its digital payment token services for a period of 5 years. The Compliance Officer ensures records are dated when filed and has established a storage system so that files and their age are tracked.

The primary purpose of Part B of this Program is to set out ZebPay’s applicable customer identification procedures. This includes the Know Your Customer (KYC) identification and verification requirements and risk based systems and controls for determining whether any additional KYC information should be collected and/or verified for each customer, and how to respond to any discrepancies in the course of verifying KYC information or Beneficial Owner information.

The different identification and verification requirements in relation to different customer types and scenarios are summarised in the table below.

The procedures for identifying and verifying customers will ultimately depend on the ML/TF risks associated with a particular type of customer, the jurisdiction in which they are resident, the type of digital payment token service which is provided and the method of delivery of the digital payment token service.

Broadly, standard identification and verification procedures are used where the ML/TF risk associated with a customer or scenario is assessed to be low or medium. Non-standard identification and verification procedures are used in conjunction with standard identification and verification procedures when the ML/TF risk in relation to a customer or scenario is assessed to be moderate to high. ZebPay’s standard and non-standard identification procedures for different types of entities are set out in sections 4 to 20 of Part B of this AML Program.

1.2 How does ZebPay carry out identification and verification procedures?

The customer identification and verification process may be performed by one of a number of people, including ZebPay or an agent of ZebPay.

15.1 Reliance on third parties
Third party AML service providers engaged by ZebPay (who do not personally know the client)

ZebPay may also delegate to a third party service provider (e.g. financial planners or registry service provider) certain aspects of the customer identification and verification process, whilst retaining overall control and responsibility. Where a third party is engaged, ZebPay will ensure that the following processes are followed:

• (i) a written agreement will be entered into between ZebPay and the third party service provider setting out the terms of the engagement and ZebPay seeks an indemnity for any breaches of the AML Regulations from the third party service provider;
• (ii) the service provider will be provided with a copy of this AML Program and required to comply with the AML Program (or its own similar version) when carrying out customer identification and verification; and
• (iii) ZebPay will undertake periodic reviews of the service provider’s identification and verification procedures, including reviewing any customer identification and verification records to ensure that these processes have been properly complied with.

ZebPay appreciates that even where customer identification and verification procedures are delegated to a third party, the primary responsibility for conducting customer identification and verification under the AML Regulations remains with ZebPay.

15.2 List checking of high risk countries
An update of the list of high risk countries will be provided to relevant staff annually and whenever the Compliance Officer becomes aware of any change to that list.

15.3 Electronic verification
ZebPay has determined that the provision of its digital payment token services is subject to low ML/TF risk (see section 3.1 of Part A of the AML Program), provided always that the digital payment tokens in question are not intrinsically designed to frustrate electronic verification of users’ identity, transaction history etc. With that in mind, ZebPay will always decline to facilitate transactions involving digital payment tokens which features emphasise:-

• (a) a high degree of anonymity for their users; or
• (b) the record of transactions on their associated blockchain(s) is not accessible, not transparent and/or non-existent.

Further, to the extent that ZebPay relies on third party service providers to carry out electronic verification of customers’ identity or transaction history, ZebPay will first determine:-

• (c) what data will be used for verification;
• (a) what are ZebPay’s pre-defined tolerance levels for matches and errors;
• (b) which customer KYC and Beneficial Owner information the service provider will electronically verify, and how this is done.

In conducting electronic verification, ZebPay will comply at all times with the requirements of the Personal Data Protection Act 2012, where applicable. In particular:-

• (c) Disclosure of customer’s personal information (including the information of beneficial owners) to the electronic verification service provider will be limited to an individual customer’s name, residential address and date of birth, and information related to their declared source of funds;
• (d) before undertaking electronic verification of any individual, ZebPay will, in its application forms, inform the customer of the reasons for making the request for personal information;
  • (i) that the personal information about customers may be disclosed to a credit reporting agency;
  • (ii) that ZebPay may request the credit reporting agency to provide an assessment of whether the personal information matches (in whole or part) personal information contained in the credit information file in possession or control of the credit reporting agency;
  • (iii) the credit reporting agency may prepare and provide to ZebPay such an assessment;
  • (iv) the credit reporting agency may use the customer’s personal information or the names, residential addresses and dates of birth contained in credit information files of other individuals, for the purpose of preparing such an assessment;
  • (v) the customer may request that their identity be verified by a different means (section 35A(2) of the AML/CTF Regulations);

15.4 Records of identification and verification
Irrespective of the actual customer identification procedure conducted, for each customer ZebPay identifies, ZebPay must make a record of:

• (a) the document or data;
• (b) the procedure used to identify the customer; and
• (c) the information obtained in the course of carrying out the procedure.

Such records may include a copy of the application form completed by the customer in anticipation of receiving the digital payment token services from ZebPay.

The customer identification record should include the following details of the sources from which the customer identity was verified:

• (a) name of the issuer of the document or data;
• (d) date of issue;
• (e) date of expiry (where applicable);
• (f) document number (where applicable); and
• (g) whether it was verified from an original or certified copy.

ZebPay must retain this record, or a copy of this record, in respect of the customer being identified, for a minimum of 5 years after concluding the provision of a digital payment token service to that customer.

15.5 Language
Where any document relied on as part of the identification procedure is in a language other than English, it must be accompanied by an English translation prepared by an accredited translator.

15.6 Copies of documents
ZebPay will accept a copy of a reliable and independent document if the copy of the document has been certified by an appropriately authorised person.

Care should be taken to differentiate between domestic and foreign customers as different standard customer identification procedures apply. Note, that in respect of individuals from foreign countries, this standard procedure only applies to a FATF Member Country (as listed in Schedule 2)

16.1 Step 1 – Collection
The information to be collected for individuals is their:

• (a) name;
• (b) residential address;
• (c) date of birth; and
• (d) PEP status, in accordance with section 20 of Part B..

In addition, the following information must also be collected for sole traders:

• (e) full business name (if any);
• (f) full address of the principal place of business (if any); and
• (g) ABN (if any).

16.2 Step 2 – Verification
The following information must be verified:

• (a) the customer’s name; and
• (b) the customer’s:
  • (i) date of birth; or
  • (ii) residential address; or
  • (iii) for a sole trader, address of principal place of business (only where the customer is investing as a sole trader).

16.3 Method of verification
ZebPay staff must verify the identity of the customer using either:

• (a) 1 x Primary Photographic Identification Documents (see Note B.1) (e.g. a driver’s licence or passport);
• (b) 1 x Primary Non-Photographic Identification Document (see Note B.1) and 1 x Secondary Identification Document (See Note B.2); or
• (c) reliable and independent documentation or electronic data.

Note B.1 Primary identification document

Primary Photographic Identification Document means any of the following:

• a licence or permit issued under a law of a State or Territory or equivalent authority of a foreign country for the purpose of driving a vehicle that contains a photograph of the person in whose name the document is issued;
• a passport issued by the Commonwealth;
• a passport or a similar document issued for the purpose of international travel, that:
  • contains a photograph and the signature of the person in whose name the document is issued;
  • is issued by a foreign government, the United Nations or an agency of the United Nations; and
  • if it is written in a language that is not understood by the person carrying out the verification – is accompanied by an English translation prepared by an accredited translator.
• a card issued under a law of a State or Territory for the purpose of proving the person’s age which contains a photograph of the person in whose name the document is issued.
• a national identity card issued for the purpose of identification, that:
  • contains a photograph and the signature of the person in whose name the document is issued;
  • is issued by a foreign government, the United Nations or an agency of the United Nations; and
  • if it is written in a language that is not understood by the person carrying out the verification – is accompanied by an English translation prepared by an accredited translator.
• a birth certificate or birth extract issued by a State or Territory;
• a citizenship certificate issued by the Commonwealth;
• a citizenship certificate issued by a foreign government that, if it is written in a language that is not understood by the person carrying out the verification, is accompanied by an English translation prepared by an accredited translator;
• a birth certificate issued by a foreign government, the United Nations or an agency of the United Nations that, if it is written in a language that is not understood by the person carrying out the verification, is accompanied by an English translation prepared by an accredited translator;

Note B.2 Secondary identification document

Secondary identification document (see Note B.2) means any of the following:

• a notice that:
  • was issued to an individual by the Commonwealth, a State or Territory within the preceding twelve months;
  • contains the name of the individual and his or her residential address; and
  • records the provision of financial benefits to the individual under a law of the Commonwealth, State or Territory (as the case may be);
• a notice that:
  • was issued to an individual by the Taxation Office of the relevant nationality within the preceding 12 months;
  • contains the name of the individual and his or her residential address; and
  • records a debt payable to or by the individual by or to (respectively) the Commonwealth under a Commonwealth law relating to taxation;
• a notice that:
  • was issued to an individual by a local government body or utilities provider within the preceding three months;
  • contains the name of the individual and his or her residential address; and
  • records the provision of services by that local government body or utilities provider to that address or to that person.
• In relation to a person under the age of 18, a notice that:
  • was issued to a person by a school principal within the preceding three months;
  • contains the name of the person and his or her residential address; and
  • records the period of time that the person attended at the school.

16.4 Step 3 – Record of identification documents
ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customer’s identity.

16.5 Step 4 – Provide the digital payment token service
If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

17.1 Step 1 – Collection
Additional information to be collected for individuals as a part of non-standard procedures is:

• (a) place of birth; and
• (b) occupation.

17.2 Step 2 – Verification: domestic individual
An acceptable ‘non-standard procedure’ for a domestic individual would involve verifying the collected information based on original or certified copies of:

• (a) a primary identification document (see Note B.1);
• (b) a secondary identification document (see Note B.2);
• (c) where appropriate, in the case of information relating to an individual’s occupation, documents issued by the individual’s employer, a professional/industry organisation or a service provider which identifies the individual’s occupation. ZebPay believes that, in light of its ML/TF risk, this information would be “reliable and independent” for the purpose of the AML Rules; or
• (d) reliable and independent documentation or electronic data.

17.3 Step 2 – Verification: foreign individual
In general, ZebPay should be cautious about providing a digital payment token service for a customer that presents foreign based identification that is not a Passport.

However, in the event the customer has not presented a Passport, acceptable documentation for a ‘non-standard procedure’ for a foreign individual would be:

• (a) an original or certified copy of either:
  • (i) a foreign national identity card containing a photograph and signature of the person; or
  • (ii) a foreign driver’s licence that contains a photograph of the person in whose name it was issued.
• (b) where the relevant document presented is in a language that is not understood by the person carrying out the customer ID procedure, it must be accompanied by an English translation prepared by an accredited translator.

17.4 Other acceptable customer identification related documents
In the event that a ‘non-standard procedure’ for a domestic or foreign individual is unable to be conducted, or ZebPay is still not reasonably satisfied as to the customers identity, ZebPay should consider whether to commence or continue to provide a digital payment token service to that customer.

If ZebPay decides to proceed, the following domestic or foreign equivalent documents may be used to supplement available proof of identity to satisfy ZebPay that the person is who they claim to be:

• (a) adoption or Marriage Certificate;
• (b) tertiary education records;
• (c) electoral Roll records;
• (d) statement of Account from a financial Institution where account has been held for a minimum of 12 months;
• (e) mortgage/Security documents over property;
• (f) foreign citizenship certificate; and
• (g) foreign birth certificate.
• (h) was issued to a person by a school principal within the preceding three months; and
• (i) contains the name of the person and his or her residential address; and
• (j) records the period of time that the person attended the school.

17.5 Steps 3 and 4
Same as ‘standard procedure’ for an individual.

18.1 Step 1 – Collection: Domestic company
In the case of a domestic company, the following information must be collected:

• (a) the full name of the company as registered by ACRA;
• (b) the full address of the company’s registered office;
• (c) the full address of the company’s principal place of business (if any);
• (d) the company registration number;
• (e) whether the company is registered as a proprietary company or a public company;
• (f) if the company is registered as a proprietary company or private company, the name of each director of the company;
• (g) the details of each Beneficial Owner of the company as required under section 19 of this Part B.
• (h) if the company is a listed company, the name of the relevant market and details of its listing.

18.2 Step 1 – Collection: Foreign company

• (a) In the case of a foreign company registered in Singaporethe following information must be collected:
  • (i) the full name of the company as per its registration with ACRA;
  • (ii) the full address of the company’s registered office;
  • (iii) the full address of the company’s principal place of business in Singapore or the full name and address of the company’s local agent in Singapore;
  • (iv) the company registration number issued to the company;
  • (v) the country in which the company was formed, incorporated or registered;
  • (vi) whether the company is registered by the relevant foreign registration body and if so whether it is registered as a public or private company or some other type of company,
  • (vii) if the company is registered as a private/ or proprietary company, the name of each director of the company;
  • (viii) the details of each Beneficial Owner of the company as required under section 19 of this Part B.
• (b) in the case of an unregistered foreign company the following information must be collected:
  • (i) the full name of the company;
  • (ii) the country in which the company was formed, incorporated or registered;
  • (iii) whether the company is registered by the relevant foreign registration body and if so:
    • (A) any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration;
    • (B) the full address of the company in its country of formation, incorporation or registration as registered by the relevant foreign registration body; and
    • (C) whether it is registered as a private or public company or some other type of company by the relevant foreign registration body;
  • (iv) if the company is registered as a private/proprietary company,
    • (A) the name of each director of the company; and
    • (B) unless the company is licensed and subject to the regulatory oversight of a Commonwealth, State or Territory statutory regulator in relation to its activities as a company, the name and address of each Beneficial Owner of the company; and
  • if the company is not registered by the relevant foreign registration body, the full address of the principal place of business of the company in its country of formation or incorporation.

18.3 Step 2 – Verification: Domestic company
In the case of a domestic, unlisted company, the following information must be verified:

• (a) the full name of the company as registered by ACRA;
• (b) whether the company is registered by ASIC as a proprietary or public company; and
• (c) the company registration number issued to the company.

18.4 Method of verification

• (a) Verification of a domestic, unlisted company must be by a search of the ACRA / BizProfile database;
• (b) In respect of a domestic listed company or its majority owned subsidiary and in respect of a company licensed and subject to the regulatory oversight of a Commonwealth, State or Territory regulator in relation to its activities as a company, verification must be by:
  • (i) a search of the relevant stock exchange;
  • (ii) a public document issued by the customer; or
  • (iii) a search of the licence or other records of the relevant regulator.

18.5 Simplified Company Verification Procedure
Where ZebPay can confirm that the company is:

• (a) a domestic listed public company;
• (b) a majority owned subsidiary of a domestic listed public company; or
• (c) licensed and subject to the regulatory oversight of a Commonwealth, State or Territory statutory regulator in relation to its activities as a company.
• (a) a search of the relevant stock exchange;
• (d) a public document issued by the relevant company;
• (e) a search of the relevant ACRA database; or
• (f) a search of the licence or other records of the relevant regulator.

18.6 Step 2 – Verification: Foreign company

• (a) In the case of a foreign company registered in Singapore the following information must be verified:
  • (i) the full name of the company as registered by ACRA;
  • (ii) whether the company is registered by the relevant foreign registration body and if so whether it is registered as a private or public company; and
  • (iii) the company registration number issued to the company;
• (b) in the case of an unregistered foreign company the following information must be verified:
  • (i) the full name of the company; and
  • (ii) whether the company is registered by the relevant foreign registration body and if so:
    • (A) any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration; and
    • (B) whether the company is registered as a private or public company.

18.7 Method of verification

• (a) In the case of a registered foreign company, verification must be by:
  • (i) a search of the relevant ACRA database;
  • (ii) a copy of the Certificate of Registration of a Foreign Company for the company;
  • (iii) reliable independent documentation,
  • (iv) reliable and independent electronic data; or
  • (v) a combination of (i)-(iv).
• (b) In the case of an unregistered foreign company, verification must be by:
  • (i) reliable independent documentation;
  • (ii) reliable and independent electronic data; or
  • (iii) a combination of both.
• (c) Where ZebPay assesses the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

18.8 Step 3 – Record of identification documents
ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

18.9 Step 4 – Provide the digital payment token service
If ZebPay is reasonably satisfied that the customer is the individual that they claim to be, it may provide the digital payment token service to the customer.

19.1 Step 1 – Collection: Domestic company
In addition to the information collected under the ‘standard procedure’, the ‘non-standard procedure’ for a domestic company would involve collecting:

• (a) the date upon which the company was registered by ACRA; and
• (b) the name of any company secretary.

19.2 Step 1 – Collection: Foreign company

• (a) In the case of a registered foreign company:
  • (i) the name of each director of the company;
  • (ii) the full business name (if any) of the company as registered under any State or Territory business names legislation;
  • (iii) the date upon which the company was registered by ACRA;
  • (iv) the name of any company secretary (if any);
• (b) In the case of an unregistered foreign company:
  • (i) the name of each director of the company; and
  • (ii) the name of any company secretary (if any).

19.3 Step 2 – Verification: Domestic company
In addition to the information verified under the ‘standard procedure’, the ‘non-standard procedure’ for a domestic company would involve verifying this information from:

• (a) a business name search of the relevant State or Territory regulator;
• (b) a public document issued by the customer;
• (c) a search of the relevant ASIC database.

19.4 Step 2 – Verification: Foreign company

• (a) In the case of a registered foreign company, verify the information from:
  • (i) a business name search of the relevant State or Territory regulator;
  • (ii) a search of the relevant domestic stock exchange;
  • (iii) a public document issued by the customer; or
  • (iv) a search of the relevant ASIC database.
• (b) In the case of an unregistered foreign company, verify the information from:
  • (i) reliable and independent documentation; or
  • (ii) reliable and independent electronic data; or
  • (iii) a combination of both.

19.5 Further identification requirements
In the event that a ‘non-standard procedure’ for a Company is unable to be conducted, or ZebPay is still not reasonably satisfied as to the customers identity, ZebPay should consider whether to commence or continue to provide a digital payment token service to that customer.

If ZebPay decides to proceed, ZebPay must:

• (a) collect the name and address of each shareholder of the company;
• (b) verify:
  • (i) if the company has less than 4 shareholders, the name and address of each shareholder of the company; or
  • (ii) if the company has more than 4 shareholders, only the name and address of the 4 shareholders.
• (c) from one of or a combination of the following documents:
  • (i) a copy of the Register of Members for the company;
  • (ii) a search of the relevant domestic stock exchange;
  • (iii) a public document issued by the customer; or
  • (iv) a search of the relevant ASIC database.

19.6 Steps 3 and 4
Same as ‘standard procedure’ for a company.

20.1 Step 1 – Collection

• (a) In relation to a trust the following information must be collected:
  • (i) the full name of the trust;
  • (ii) the full business name (if any) of the trustee in respect of the trust;
  • (iii) the type of the trust;
  • (iv) the country in which the trust was established;
  • (v) the full name of the settlor of the trust, unless the settlor is deceased;
• (b) In relation to the trustees of the trust, the full name and address of each trustee must be collected;
• (c) If any of the trustees is an individual – in respect of any one of those individuals, the information required to be collected from an individual (sections 4 or 5) (Identified Trustee); or
• (d) If any of the trustees is a company – in respect of any one of those companies, the information required to be collected from a company (section 6 or 7) (Identified Trustee);

20.2 Step 2: Verification (and method of verification)
The following information must be verified:

• (a) the full name of the trust, based on:
  • (i) an original, certified copy or certified extract of the trust deed;
  • (ii) a search of the relevant official database;
  • (iii) an original bank statement in the name of the trust issued within the last 12 months; or
  • (iv) an original letter from an accountant or solicitor confirming the name and existence of the trust dated within the last 12 months;
• (b) the full name of the settlor of the trust, unless the settlor is deceased;
• (c) in respect of the Identified Trustee, the applicable verification required for an individual (sections 4 or 5) or company (section 6 or 7).
• (d) Where ZebPay assesses a the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

20.3 Step 3 – Record of identification documents
ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

20.4 Step 4 – Provide the digital payment token service
If ZebPay is reasonably satisfied that the customer is the individual that they claim to be, ZebPay may provide the digital payment token service to the customer.

21.1 Step 1
Same as ‘standard procedure’ for a trust.

21.2 Step 2 – Verification

• (a) In relation to the beneficiaries the following information must also be verified:
  • (i) the full name of any beneficiary in respect of the trust; or
  • (ii) if the terms of the trust identify the beneficiaries by reference to membership of a class – details of each class of beneficiary, from
• (b) an original, certified copy or certified extract of the trust deed;
• (c) reliable independent documentation relating to the trust;
• (d) reliable and independent electronic data; or
• (e) a combination of (a)-(c).

21.3 Steps 3 and 4
Same as ‘standard procedure’ for a trust.

22.1 Step 1 – Collection
In relation to a partnership the following information must be collected:

• (a) the full name of the partnership;
• (b) the full business name (if any) of the partnership as registered;
• (c) the country in which the partnership was established;
• (d) in respect of one of the partners – the information required to be collected from an individual (sections 4 or 5) (Identified Partner); and
• (e) the full name and residential address of each partner except where the regulated status of the partnership can be confirmed though reference to the current membership directory of the relevant professional association.

22.2 Step 2 – Verification
The following information must be verified:

• (a) the full name of the partnership;
• (b) if the partnership is regulated by a professional association, membership of that professional association; and
• (c) in respect of the Identified Partner, the applicable verification required for an individual (sections 4 or 5).

22.3 Method of Verification
Verification of information about a partnership may be based on:

• (a) a partnership agreement, certified copy or certified extract of a partnership agreement;
• (b) a certified copy or certified extract of minutes of a partnership meeting;
• (c) an original bank statement in the name of the partnership issued within the last 12 months;
• (d) an original letter from an accountant or solicitor confirming the name and existence of the partnership dated within the last 12 months;
• (e) a search of the relevant offocial database; or
• (f) an original or certified copy of a certificate of registration of business name issued by a government or government agency.

Where information to be verified is not otherwise reasonably available, ZebPay may determine to accept a disclosure certificate from a partnership which is considered to be a low to medium risk customer. The disclosure certificate must meet the requirements of the AML Rules.

22.4 Step 3 – Record of identification documents
ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customer’s identity.

22.5 Step 4 – Provide the digital payment token service
If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

23.1 Step 1 – Collection
In addition to the information collected under the ‘standard procedure’, an acceptable ‘non-standard procedure’ for a partnership would involve collecting:

• (a) each partner’s full name and residential address; and either
• (b) each partner’s date of birth; or
• (c) where applicable, documentation demonstrating that each partner has a transaction history within the partnership of at least the past three years.

23.2 Step 2 – Verification
Verify the information collected in Step 1 from an original or certified copy of:

• (a) the partnership agreement or extract of the partnership agreement;
• (b) reliable and independent documents relating to the partnership;
• (c) reliable and independent electronic data; or
• (d) a combination of (a) – (d)

23.3 Steps 3 and 4
Same as ‘standard procedure’ for a partnership.

24.1 Step 1 – Collection
If the customer notifies ZebPay that it is an incorporated association:

• (a) the full name of the association;
• (b) the full address of the association’s principal place of administration or registered office (if any) or the residential address of the association’s public officer or (if there is no such person) the association’s president, secretary or treasurer;
• (c) any unique identifying number issued to the association upon its incorporation by the Registrar of Societies or overseas body responsible for the incorporation of the association; and
• (d) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the association.
• (e) the full name of the association;
• (f) the full address of the association’s principal place of administration (if any);
• (g) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the association; and
• (h) in respect of the member – the information required to be collected from an individual under the applicable customer identification procedure with respect to individuals set out in Part B (sections 4 or 5) (Identified Member).

24.2 Step 2 – Verification
The following information must be verified:

• (a) If the customer is an incorporated association:
  • (i) the full name of the incorporated association; and
  • (ii) any unique identifying number issued to the incorporated association upon its incorporation; and
• (b) if the customer notifies ZebPay that he or she is a customer in his or her capacity as a member of an unincorporated association:
  • (i) verify the full name (if any) of the association; and
  • (ii) verify information about the member in accordance with the applicable customer identification procedure with respect to Identified Member set out in Part B (sections 4 or 5).

24.3 Method of Verification
Verification of information about an association may be based on:

• (i) information provided by Registrar of Societies or other overseas body responsible for the incorporation of the association;
• (ii) the rules or constitution of the association or from a certified copy or certified extract of the rules or constitution of the association;
• (iii) reliable and independent documents relating to the association; or
• (iv) reliable and independent electronic data; and

Where ZebPay assesses a the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

24.4 Step 3 – Record of identification documents
ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

24.5 Step 4 – Provide the digital payment token service
If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

25.1 Step 1 – Collection
Collect information about either one of the following individuals in relation to the association in accordance the applicable customer identification procedure with respect to individuals set out in Part B (sections 4 or 5):

• (a) chairperson;
• (b) treasurer; or ;
• (c) secretary.

25.2 Step 2 – Verification
Verify information collected under Step 1 in accordance with customer identification procedure with respect to individuals set out in Part B (sections 4 or 5).

25.3 Steps 3 and 4
Same as ‘standard procedure’ for an association.

26.1 Step 1 – Collection
If the customer notifies ZebPay that it is a registered cooperative:

• (a) the full name of the cooperative;
• (b) the full address of the cooperative’s registered office or principal place of operations (if any) or the residential address of the cooperative’s secretary or (if there is no such person) the cooperative’s president or treasurer;
• (c) any unique identifying number issued to the cooperative upon its registration by the State, Territory or overseas body responsible for the registration of the cooperative; and
• (d) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the cooperative.

26.2 Step 2 – Verification
The following information must be verified:

• (a) the full name of the cooperative; and
• (b) any unique identifying number issued to the cooperative upon its registration.

Where ZebPay assesses a the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

26.4 Step 3 – Record of identification documents
ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

26.5 Step 4 – Provide the digital payment token service
If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

27.1 Step 1 – Collection
Collect information about either one of the following individuals in relation to the registered cooperative in accordance the applicable customer identification procedure with respect to individuals set out in Part B (sections 4 or 5):

• (a) president; or
• (b) secretary.

27.2 Step 2 – Verification
Verify information collected under Step 1 in accordance with customer identification procedure with respect to individuals set out in Part B (sections 4 or 5).

27.3 Steps 3 and 4
Same as ‘standard procedure’ for a registered cooperative.

28.1 Step 1 – Collection
If the customer notifies ZebPay that it is a government body:

• (a) the full name of the government body;
• (b) the full address of the government body’s principal place of operations;
• (c) whether the government body is an entity or emanation, or is established under legislation, of the Commonwealth;
• (d) whether the government body is an entity or emanation, or is established under legislation, of a State, Territory, or a foreign country and the name of that State, Territory or country; and
• (e) where the government body is a foreign government body, information on who is the ultimate owner or controller of that government body.

28.2 Step 2 – Verification
The full name of the relevant government body must be verified.

28.3 Method of Verification
Verification of information about a registered cooperative may be based on:

• (a) a public records search of the legislation under which the government body was established; or
• (b) from reliable and independent documents relating to the government body or from reliable and independent electronic data.

28.4 Step 3 – Record of identification documents
ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

28.5 Step 4 – Provide the digital payment token service
If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

29.1 Step 1 – Collection
Not applicable.

29.2 Step 2 – Verification
Verify information about the full address of the government body’s principal place of operations from reliable and independent documents relating to the government body or from reliable and independent electronic data.

29.3 Steps 3 and 4
Same as ‘standard procedure’ for a government body.

30.1 Step 1 – collection

• (a) Where an agent is authorised to act for or on behalf of the customer in relation to a digital payment token services, ZebPay must collect information about:
  • (i) full name of each individual who purports to act for or on behalf of the customer with respect to the provision of a digital payment token service by ZebPay;
  • (ii) evidence (if any) of the customer’s authorisation of any individual referred to in (i).
• (b) Non-natural customers may appoint an employee, agent or contractor of the customer as verifying officer.
  • (i) the verifying officer may identify an agent of the customer.
  • (ii) the verifying officer will have identified an agent if he or she has collected the following:
    • (A) the full name of the agent;
    • (B) the title of the position or role held by the agent with the customer;
    • (C) a copy of the signature of the agent; and
    • (D) evidence of the agent’s authorisation to act on behalf of the customer.
  • (iii) The verifying officer is to make and for the customer to retain, a record of the information in (ii).
  • (iv) The verifying officer is to provide the following to ZebPay:
    • (A) the full name of the agent; and
    • (B) a copy of the signature of the agent.

30.2 Step 2 – verification
Where an agent is to be identified by a verifying officer, the verifying officer is to be identified and verified by ZebPay in accordance with the requirements in chapter 4 of the AML Rules.

31.1 Step 1 – Collection
Except for:

• (a) a customer who is an individual;
• (b) a customer who is a company verified under the simplified company verification procedure in section 6.5;
• (c) a customer who is a trust verified under the simplified trustee verification procedure under section 8.3
• (d) for a customer who is a Government Entity, and
• (e) a customer who is a foreign listed public company subject to disclosure requirements (whether by stock exchange rules or by law or enforceable means) to ensure transparency of Beneficial Ownership which are, or are comparable to, the requirements in Singapore,
• (f) full name;
• (g) residential address;
• (h) date of birth; and
• (i) PEP status, in accordance with section 20 of Part B.

31.2 Step 2 – verification
For all Beneficial Owners, ZebPay must in accordance with the standard identification procedures for individuals in section 4 of Part B carry out verification in respect of each Beneficial Owner.

However, where ZebPay assesses a the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

31.3 Responding to discrepancies
Where information in relation to Beneficial Owners cannot be verified using standard identification procedures specified in section 4 of Part B, Beneficial Owner information must be verified using non-standard identification procedures specified in section 4 of Part B.

31.4 Beneficial Owner unknown
Where ZebPay is unable to ascertain a Beneficial Owner (e.g. if none has been nominated on the ID form), ZebPay must identify and take reasonable steps to verify the following individuals under procedures referred to in section 4 of Part B:

• (a) for a company (other than a company which is verified under the simplified company verification procedure under section 6.5 of this Part B) or a partnership, any individual who:
  • (i) is entitled (either directly or indirectly) to exercise 25% or more of the voting rights, including a power of veto; or
  • (ii) holds the position of senior managing official (or equivalent);
• (b) for a trust (other than a trust which is verified under the simplified trustee verification procedure under section 8.3), any individual who holds the power to appoint or remove the trustees of the trust;
• (c) for an association or a registered co-operative, any individual who:
  • (i) is entitled (either directly or indirectly) to exercise 25% or more of the voting rights including a power of veto; or
  • (ii) would be entitled on dissolution to 25% or more of the property of the association or registered co-operative; or
  • (iii) holds the position of senior managing official (or equivalent).

32.1 Step 1 – identification by self-certification
ZebPay identifies PEPs by requiring all investors to self-certify whether or not they are a PEP.

The PEP self-certification may either be completed:

• (a) via the application form; or
• (b) where the existing application form does not contain the relevant section for foreign investors to self-certify whether or not they are a PEP, ZebPay staff will send an email or written request to the investor asking them to confirm whether or not they are a PEP before providing a digital payment token service.

The PEP self-certification section of the application form or the email or written request for PEP self-certification will contain a description of PEPs along the lines of:

“Please certify whether or not you are a Politically Exposed Person (PEP)

You are a PEP if you:

• hold a prominent public position or function in a government body or an international organisation, including:
  • Head of State or head of a country or government; or
  • government minister or equivalent senior politician; or
  • senior government official; or
  • Judge of the High Court of Singapore, or a Judge of a court of equivalent seniority in a foreign country or international organisation; or
  • governor of a central bank or any other position that has comparable influence; or
  • senior foreign representative, ambassador, or high commissioner; or
  • high-ranking member of the armed forces; or
  • board chair, chief executive, or chief financial officer of, or any other position that has comparable influence in, any State enterprise or international organisation; or
• have an immediate family member of a person referred to in the first bullet point, including:
  • a spouse; or
  • a de facto partner; or
  • a child and a child’s spouse or de facto partner; or
  • a parent; or
• are a close associate of a person referred to in the first bullet point, which means any individual who is known (having regard to information that is public or readily available) to have:
  • joint Beneficial Ownership of a legal entity or legal arrangement with a person referred to in the first bullet point; or
  • sole Beneficial Ownership of a legal entity or legal arrangement that is known to exist for the benefit of a person described in the first bullet point.”

32.2 Step 2 – Independent verification of PEPs
ZebPay will independently verify whether a customer or Beneficial Owner is a PEP using a third-party service provider where:

• (a) the customer or Beneficial Owner has self-certified that he or she is not a PEP (see Part B Section 3.1(b)); and
• (b) the customer or Beneficial Owner is a foreign investor from a high risk country (see list of high risk countries in Section 3.2(b) of Schedule 2); or
• (c) a ZebPay staff member suspects that the customer or a Beneficial Owner is a PEP (e.g. where, to the knowledge of the staff member, the investor is a PEP or where it is obvious to ZebPay staff member that the investor uses a government address or email address).

The independent verification of PEP status will be conducted before any digital payment token service is provided to the customer.

Before engaging a third party service provider for this purpose, the below must be completed:
ZebPay will consider service providers, reputation in the market, and procedures and only use an appropriate and reputable organisation to conduct verification taking into account ZebPay’s ML/TF risk.

ZebPay has determined that this approach is appropriate given ZebPay’s overall low-medium ML/TF risk. In particular, ZebPay notes that:

• it does not receive cash directly from investors;
• all funds deposited with ZebPay have been transferred through financial institutions which are required to comply with AML/CTF identification and verification requirements.
• The Compliance Officer revisits these procedures on a regular basis to determine whether or not they remain appropriate given ZebPay’s reassessed ML/TF risk.

32.3 Step 3 – Collection of information
ZebPay will take reasonable steps to establish the Politically Exposed Person’s source of wealth and source of funds.

32.4 Provision of services to Politically Exposed Persons
ZebPay shall now establish or continue a business relationship with a foreign PEP or a PEP considered by the Compliance Officer to be high risk and before the provision, or continued provision, of a digital payment token service to the customer.

Definitions and Interpretation.

Beneficial Owner means an individual who ultimately owns or controls (directly or indirectly) the customer. In this definition:

• (a) control includes control as a result of, or by means of, trusts, agreements, arrangements, understandings and practices, whether or not having legal or equitable force and whether or not based on legal or equitable rights, and includes exercising control through the capacity to determine decisions about financial and operating policies; and
• (b) owns means ownership (either directly or indirectly) of 25% or more of a person.

Business Day means a day on which banks are open for business in Melbourne, Victoria excluding Saturday and Sunday and public holidays.

Beneficial Owner information means the information referred to in section 19 of Part B.

certified copy means a document that has been certified as a true copy of an original document by one of the following persons:

• (a) a person who, under a law in force in a State or Territory, is currently licensed or registered to practise in an occupation listed in Part 1 of Schedule 2 of the Statutory Declarations Regulations 1993;
• (b) a person who is enrolled on the roll of the Supreme Court of a State or Territory, or the High Court of Australia, as a legal practitioner (however described);
• (c) a person listed in Part 2 of Schedule 2 of the Statutory Declarations Regulations 1993. For the purposes of the AML Rules, where Part 2 uses the term ‘5 or more years of continuous service’, this should be read as ‘2 or more years of continuous service’;
• (d) an officer with, or authorised representative of, a holder of an Australian financial services licence, having 2 or more years of continuous service with one or more licensees; or
• (e) an officer with, or a credit representative of, a holder of an Australian credit licence, having 2 or more years of continuous service with one or more licensees.

certified extract means an extract that has been certified as a true copy of some of the information contained in a complete original document, by one of the persons described in paragraphs (a)-(e) of the definition of ‘certified copy’ in paragraph 1.2.1 of the AML Rules.

Customer refers to ZebPay’s investors or borrowers or both.

digital payment token service means the operation of a digital payment token exchange and/or provision of facilities for the borrowing of digital payment tokens

domestic company means a company that is registered with ACRA (other than a registered foreign company).

domestic listed public company means a domestic company that is a listed public company.

domestic unlisted public company means a domestic company that is not a listed public company.

foreign listed public company means a foreign company that is a listed public company.

high risk country see lists of high risk countries in paragraph 3.2 of Schedule 2.

KYC information means ‘know your customer information’ and includes information in relation to different customer types as set out in Schedule 2.

listed public company means:

• (a) in the case of a domestic company, a public company that is included in an official list of a domestic stock exchange;
• (b) in the case of a registered foreign company:
  • (i) a public company that is included in an official list of a domestic stock exchange; or
  • (i) a public company whose shares, in whole or in part, are listed for quotation in the official list of any stock or equivalent exchange;
• (c) in the case of an unregistered foreign company, a public company whose shares, in whole or in part, are listed for quotation in the official list of any stock or equivalent exchange.

ML/TF risk means the risk that ZebPay may reasonably face by the provision of digital payment token services that might (whether inadvertently or otherwise) involve or facilitate money laundering or the financing of terrorism.

Part A means Part A of this AML Program.

Part B means Part B of this AML Program.

Politically Exposed Persons or PEP means an individual:

• (a) who holds a prominent public position or function in a government body or an international organisation, including:
  • (i) Head of State or head of a country or government; or
  • (ii) government minister or equivalent senior politician; or
  • (iii) senior government official; or
  • (iv) Judge of the High Court of Australia, the Federal Court of Australia or a Supreme Court of a State or Territory, or a Judge of a court of equivalent seniority in a foreign country or international organisation; or
  • (v) governor of a central bank or any other position that has comparable influence to the Governor of the Reserve Bank of Australia; or
  • (vi) senior foreign representative, ambassador, or high commissioner; or
  • (vii) high-ranking member of the armed forces; or
  • (viii) board chair, chief executive, or chief financial officer of, or any other position that has comparable influence in, any State enterprise or international organisation; and
• (b) who is an immediate family member of a person referred to in paragraph (a), including:
  • (i) a spouse; or
  • (ii) a de facto partner; or
  • (iii) a child and a child’s spouse or de facto partner; or
  • (iv) a parent; and
• (c) who is a close associate of a person referred to in paragraph (a), which means any individual who is known (having regard to information that is public or readily available) to have:
  1. (i) joint Beneficial Ownership of a legal entity or legal arrangement with a person referred to in paragraph (a); or
  2. (ii) sole Beneficial Ownership of a legal entity or legal arrangement that is known to exist for the benefit of a person described in paragraph (a).
• (d) an original Primary Photographic Identification Document (see Note B.1);
• (e) an original primary non-photographic identification document (see Note B.1);
• (f) an original secondary identification document (see Note B.2).

Reliable independent documentation must be current and not have expired (except in the case of a passport issued by the Commonwealth which may be used within 2 years after its expiration date).

In determining what is reliable independent electronic data, ZebPay must assess:

• (a) whether the electronic data is reliable and independent, taking into account the following factors:
  • (i) the accuracy of the data;
  • (ii) how secure the data is;
  • (iii) how the data is kept up-to-date;
  • (iv) how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected);
  • (v) whether the data has been verified from a reliable and independent source;
  • (vi) whether the data is maintained by a government body or pursuant to legislation; and
  • (vii) whether the electronic data can be additionally authenticated; and
• (g) what reliable and independent electronic data ZebPay must use for the purpose of verification;
• (h) ZebPay’s pre-defined tolerance levels for matches and errors (eg. spelling of names etc.); and
• (i) whether, and how, to confirm KYC information or Beneficial Owner information collected from an customer by independently initiating contact with the person that the customer claims to be.

Responsible Manager has the meaning given to it in ASIC Regulatory Guide 204.

secondary identification document see Note B.2.

senior managing official means an individual who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business of a customer of a reporting entity or who has the capacity to affect significantly the financial standing of a customer of a reporting entity.

unregistered foreign company means a foreign company that is not a registered foreign company.

1.5 Risk and risk management
Risk can be defined as the combination of the probability of an event and its consequences. In simple terms risk can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result if it does occur.

Risk management is the process of recognising risk and developing methods to both minimise and manage the risk. This requires the development of a method to identify, prioritise, treat (deal with), control and monitor risk exposures. In risk management, a process is followed where the risks are assessed against the likelihood (chance) of them occurring and the severity or amount of loss or damage (impact) which may result if they do happen.

1.6 Which digital payment token services are provided by ZebPay?
ZebPay intends to operate a digital payment token exchange and a facility for the lending of digital payment tokens, both of which businesses are designated as digital payment token services for the purposes of the Payment Services Act

2.1 Which ML/TF risks have to be identified?
ZebPay is required to identify and assess its ML/TF risks in the context of:

• (a) the AML/CTF Regulations and the AML Rules; and
• (b) the level of ML/TF risk the Board and management is prepared to accept.

ZebPay has undertaken an assessment of both its Business Risk and its Regulatory Risk.

Business risk is the risk that ZebPay’s business may be used for ML/TF. ZebPay has assessed the following business risks:

• (a) customer risks (See 3.1 below);
• (c) country or jurisdictional risks (See 3.2 below).
• (d) products and services risks (See 3.3 below);
• (e) business practices and/or delivery method risks (See 3.4 below); and

The main regulatory risk is associated with ZebPay not meeting its obligations under the AML/CTF Regulations include:

• (a) customer verification not done properly;
• (f) failure to train staff adequately;
• (g) not having an AML/CTF program;
• (h) failure to report suspicious matters;
• (i) not submitting an AML/CTF compliance report; and

ZebPay regular monitors its obligations of AML Rules and has robust systems in place to ensure compliance. ZebPay’s regulatory risk is therefore low.

2.2 Procedures for Risk Assessment
A ML/TF risk assessment has been carried out and is reassessed on a regular basis:

• (a) at least annually, as a part of the Annual Risk Assessment Review Process (see section 4 for further details); and
• (b) when there are significant changes to ZebPay’s ML/TF risks (see section 4 for further details).

All risk assessments are completed by the Compliance Officer with the assistance of other ZebPay staff members.

The steps for the risk assessment are as follows:

• (a) Step 1: Perform an analysis of ZebPay’s operations taking into account the nature, size and complexity of its business. The analysis is to be performed by the Compliance Officer with assistance from other staff members of ZebPay including management.
• (i) Step 2: Identify ZebPay’s relevant ML/TF business risks and ML/TF regulatory risks.
• (b) Step 3: Assess the ML/TF risks identified with particular regard to:
  • (i) Customer profile including:;
    • (A) likelihood of Politically Exposed Persons;
    • (B) they types of customers and thier sources of funds and wealth;
    • (C) the nature and purpose of the business relationships with its customers, including, as appropriate, the collection of information relevant to that consideration;
  • (ii) the types of digital payment token services it provides and the methods by which it delivers digital payment token services;
  • (iii) the nature and characteristics of foreign jurisdictions with which it deals or in which it has permanent establishment; and
  • (iv) the criminal threat environment and possible vulnerabilities of ZebPay’s business
  • (i) A rating based on the likelihood of the risk element occurring (see Table 2.2.1 below)
  • (ii) A rating based on the impact of the risk element (see Table 2.2.2 below)
  • before providing services: non standard identification and verification of the customer; and
  • when providing services: conduct Enhanced Customer Due Diligence in respect of the customer.
  • before providing services: non standard identification and verification of the customer; and
  • when providing services: conduct Enhanced Customer Due Diligence in respect of the customer.
• (c) Step 4: Consider the effectiveness of currently implemented controls at mitigating the assessed risks.
• (d) Step 5: Make recommendations, if necessary, in relation to further controls for addressing ZebPay’s ML/TF risks.

The Compliance Officer must continue to monitor ZebPay’s ML/TF risks and the controls designed to mitigate those risks at all times.

The Compliance Officer must prepare a report of the results of each risk assessment. The Compliance Officer is responsible for reporting to the Board on at least an annual basis.

ZebPay has performed an analysis of the business operations and identified and assessed its risk elements with respect to:

• (a) customers;
• (b) products and services;
• (c) business practices/delivery methods (channels); and
• (d) jurisdictions in which it does business.

Each of these risk assessments are outlined in the tables below.

3.1 Business Risk – Customer Risk (Table 3.1)

Risk Group (a)(b)	Customers:
Risk Elements	Likelihood	Impact	Risk Score	Treatment/Action
New Customer	Unlikely	Minor	1	Standard Identification and Verification Procedure
Customer that wants to carry out a large transaction	Likely	Moderate	2	Standard Identification and Verification Procedure Consider also:Non standard identification and verification of the customer; andConduct Enhanced Customer Due Diligence in respect of the customer.
Customer who has a business which involves large amount of cash	Unlikely	Moderate	1	Standard Identification and Verification Procedure
Customers whose identity is difficult to determine or suspicious information or information that cannot be verified	Likely	Major	3	Standard Identification and Verification Procedure Non-Standard Identification and Verification Procedure Enhanced Customer Due Diligence
Customers or Beneficial Owners who are Politically Exposed Persons (whether domestic or foreign)	Likely	Major	3	Standard Identification and Verification Procedure Non-Standard Identification and Verification Procedure Enhanced Customer Due Diligence
Customers who deposit cash with ZebPay	NA	NA	NA	ZebPay does not accept cash.
Use of proxies, unverifiable IP address or geographical location, disposable email address or mobile number, ever changing devices used to conduct transactions	Likely	Major	3	Standard Identification and Verification Procedure Non-Standard Identification and Verification Procedure Enhanced Customer Due Diligence including for example:Collect IP addresses and other device identifiersRequire the use of one time PINs sent to (Australian) mobile phone number to conduct digital transactions
Customers or transactions in high risk locations (e.g. prescribed foreign countries and the application of sanctions laws)	Likely	Major	3	Screen customers against the DFAT Consolidated List for sanctions monitoring Procedures in place to undertake enhanced customer due diligence, in particular, where it determines the ML/TF risk is high or a party is present in a prescribed foreign country Procedures in place to identify suspicious matters and submit SMR to MAS Employee AML/CTF risk awareness training program implemented
Unusual patterns of transaction activity (e.g. volumes, velocity, structuring to avoid detection/reporting obligations, source, destination)	Likely	Major	3	Standard Identification and Verification Procedure Non-Standard Identification and Verification Procedure Enhanced Customer Due Diligence including for example considering limiting the value of transactions that can be conducted in a day/week/month
Transactions involving known blacklisted addresses such as ‘darknet’ market place transactions and tumblers	Likely	Major	3	Standard Identification and Verification Procedure Non-Standard Identification and Verification Procedure Enhanced Customer Due Diligence
Ransom-ware	Unlikely	Moderate	1	Standard Identification and Verification Procedure
Transactions in higher risk or anonymous digital payment tokens	Very likely	Major	4	Transaction not to be processed until risk level reduced.
Employee collusion	Unlikely	Moderate	1	Standard Identification and Verification Procedure

3.2 Business Risk – Jurisdiction/Country Risk (Table 3.2)

Jurisdiction risk, in conjunction with other risk factors, provides useful information as to potential ML/TF risks. There is no universally agreed definition by either governments or institutions that prescribes whether a particular country represents a higher risk. ZebPay has determined the following impact ratings for the following jurisdictions.

• (a) FATF member countries (Risk Rating Minor): The Financial Action Task Force (FATF) is an international body that evaluates the effectiveness of anti-money laundering controls around the world. FATF members are committed to implementing anti-money laundering measures, reviewing money laundering techniques and counter-measures, and promoting the adoption and implementation of anti-money laundering measures globally. The following is a list of FATF members (current as at January 2020):Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Denmark, Finland, France, Germany, Greece, Hong Kong (China), Iceland, India, Ireland, Israel, Italy, Japan, South Korea, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Portugal, Russian Federation, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom, United StatesThis list is updated by the Compliance Officer at least annually.
• (b) High risk and non-cooperative jurisdictions are countries whose citizens and entities, the FATF has identified as having strategic AML/CFT deficiencies. ZebPay has determined, the jurisdictions listed below must receive additional due diligence before receiving a digital payment token service and it is likely that that no digital payment token services will be provided:

Democratic People’s Rebublic of Korea, Iran, Bahamas, Botswana, Cambodia, Ghana, Iceland, Mongolia, Pakistan, Panama, Syria, Trinidad and Tobago, Yemen, Zimbabwe, Cuba

This list is updated by the Compliance Officer whenever he/she becomes aware of any change.

All other countries (Impact Rating Moderate): All other countries have a moderate risk impact rating.

Table 3.2: Jurisdictional Risk

Risk Group	Jurisdictional Risk
Risk Elements	Likelihood	Impact	Risk Score	Treatment/Action
Singapore and other FATF member countries	Unlikely	Minor	1	Standard Identification and Verification Procedure.
High risk and non-cooperative jurisdictions	Likely	Moderate	3	Enhanced Identification and Verification Procedure
All other countries	Unlikely	Minor	2	Standard Identification and Verification Procedure

Table 3.5: Employees Risk

Risk Group	Employees
Risk Elements	Likelihood	Impact	Risk Score	Treatment/Action
Employees of ZebPay are largely responsible for carrying out the functions and processes of this AML Program. Without proper awareness training the employees of ZebPay will be unable to properly identify the ML/TF risks in a timely fashion.	Unlikely	Moderate	1	This AML Program has a policy in place to ensure employees are appropriately trained. Refer to Employee Risk Awareness Training. (see Part A section 4)

Risk Group	Regulatory Risk
Risk Elements	Likelihood	Impact	Risk Score	Treatment/Action
Failure to report suspicious matters	Unlikely	Major	2	This AML Program has a policy in place to facilitate compliance. (Please refer to Part A Section 7)
Failure to report threshold transactions	Unlikely	Major	2	ZebPay will not be required to report threshold hold transactions as so long as it does not receive cash investments
Failure to file AML/CTF Compliance Reports	Unlikely	Moderate	1	This AML Program has a policy in place to facilitate compliance. (Please refer to Part A Section 7)
Failure to provide further Information to MAS	Unlikely	Moderate	1	This AML Program has a policy in place to facilitate compliance. (Please refer to Part A section 10)
Failure to monitor cross border movements of physical currency and bearer negotiable instruments	Unlikely	Major	NA	It is ZebPay’s policy to not accept physical currency or bearer negotiable instruments.
Failure to monitor electronic funds transfer instructions	Unlikely	Major	NA	As ZebPay is not an ‘institution’ for the purposes of Part 5 of the AML/CTF Regulations It has no obligations in respect of Electronic Funds Transfer instructions. 10
Failure to adopt AML Program	Unlikely	Major	2	This AML Program has been adopted by the Board and management.
Failure to monitor Correspondent Banking relationships	Unlikely	Major	NA	11 As ZebPay is not a ‘financial institution’ it has no obligations in respect of Correspondent Banking relationships.
Failure to comply with record keeping requirements	Unlikely	Moderate	1	This AML Program has a policy in place in place to facilitate compliance. (Please refer to Part A Section 13)
Failure to comply with Customer Identification Requirements	Unlikely	Major	2	This AML Program has a policy in place to facilitate compliance. (Please refer to Part B Customer Identification Procedures)