AML/KYC Policy

Tbilisi — Version dated 22.04.2026

This Anti-Money Laundering, Counter-Terrorist Financing and Counter-Proliferation Financing Policy (hereinafter — the "Policy") is an internal regulatory document of Kolofi LLC (Legal Form: Limited Liability Company; Identification Number: 402285424; Registration Number and Date: 26/07/2023; Registering Authority: LEPL National Agency of Public Registry (Georgia); hereinafter — the "Company"), defining the main principles, objectives and tasks of the Company in the field of preventing money laundering, terrorist financing and financing of the proliferation of weapons of mass destruction.

1. General Provisions

1.1. The Policy has been developed in accordance with:

  • the FATF Recommendations;
  • applicable laws and regulations on AML/CTF/CPF in the jurisdictions where the Company is incorporated, operates or provides services, to the extent applicable;
  • applicable sanctions requirements, including United Nations Security Council sanctions and other sanctions lists applicable to the Company, its partners or payment channels;
  • requirements of acquiring banks, payment service providers, payment aggregators, card schemes and eSIM suppliers;
  • the Company's internal documents, risk management procedures and contracts with acquiring banks, payment service providers, payment aggregators and eSIM suppliers.

1.2. This Policy applies to all employees, officers and contractors of the Company involved in the Company's business processes, regardless of their position or type of work performed.

2. Goals and Objectives

The main goals of the Policy are:

  • to ensure that the Company follows applicable AML/CTF/CPF requirements and partner compliance requirements;
  • to protect the Company from the use of its infrastructure and services for money laundering, terrorist financing or proliferation financing;
  • to minimize regulatory, reputational, operational and financial risks;
  • to ensure compliance with the requirements of partners, including acquiring banks, payment service providers, payment aggregators and eSIM suppliers.

3. Compliance Officer

3.1. The Company appoints a compliance officer responsible for implementing internal control rules and this Policy (hereinafter — the "Responsible Officer").

3.2. The Responsible Officer reports directly to the Director of the Company and has access to all documents and information systems of the Company necessary to perform the assigned functions.

3.3. The functions of the Responsible Officer include:

  • developing and updating internal control rules and this Policy;
  • organizing employee training on AML/CTF/CPF matters;
  • interacting with acquiring banks, payment service providers, payment aggregators, eSIM suppliers and competent public authorities, where required;
  • monitoring transactions and identifying suspicious transactions;
  • maintaining internal reports, records and logs.

4. Customer Identification (KYC)

4.1. The Company identifies Users to the extent determined by applicable law, internal risk procedures and the requirements of acquiring banks, payment service providers and payment aggregators.

4.2. For most retail eSIM purchase and sale transactions, simplified identification is applied through payment systems, acquiring banks and payment service providers, including their KYC, payment verification and anti-fraud procedures.

4.3. If transaction thresholds established by applicable law, partner requirements or internal rules are exceeded, or if indicators of suspicious activity are present, the Company conducts enhanced due diligence and may request from the User:

  • surname and given name;
  • citizenship or nationality;
  • date of birth;
  • details of an identity document;
  • residential address, registered address or place of stay;
  • tax identification number, if available.

4.4. Information obtained during identification is retained for at least 5 (five) years from the termination of the relationship with the User, or for any longer period required by applicable law or partner requirements.

5. Screening Against Lists

5.1. The Company ensures screening of Users and, where appropriate, related transaction data against:

  • United Nations Security Council sanctions lists, including lists related to terrorism, terrorist financing and proliferation financing;
  • national and international sanctions lists applicable to the Company, its partners or payment channels;
  • lists and notices of competent authorities, where applicable;
  • screening and anti-fraud databases used by acquiring banks, payment service providers, payment aggregators and eSIM suppliers.

5.2. If a potential match is identified, the Company promptly suspends or restricts the provision of services, conducts an internal review, informs the relevant acquiring bank, payment service provider or payment aggregator, and, where required, reports or assists in reporting to the competent authority in accordance with applicable law and contractual procedures.

6. Identification and Documentation of Suspicious Transactions

6.1. Indicators of suspicious transactions are identified in accordance with Appendix No. 1 to this Policy, based on FATF guidance, applicable partner requirements and the Company's internal risk rules.

6.2. The main suspicious activity criteria include:

  • multiple payment attempts using different cards from the same account or device;
  • use of cards issued to third parties without clear consent of the cardholder;
  • transaction amounts that are unusually large for a retail eSIM purchase;
  • failed 3DS checks, cardholder disputes, refunds and chargebacks;
  • IP addresses or other indicators linked to higher-risk jurisdictions;
  • signs of automated order creation, bots or attempts to bypass anti-fraud systems;
  • matches with sanctions lists, terrorist financing lists, proliferation financing lists or other applicable restricted-party lists.

6.3. Identified suspicious transactions are recorded by the Responsible Officer in the Suspicious Transactions Register and are reported to the acquiring bank, payment service provider or payment aggregator in accordance with the applicable agreement and operational procedure.

7. Risk Management

7.1. The Company applies a risk-based approach and classifies operations and customers by risk level (low / medium / high).

7.2. Enhanced control measures are applied to high-risk operations and customers, including additional identification, transaction limits, manual moderation of orders and refusal of service where appropriate.

7.3. The Company maintains a register of higher-risk countries and applies enhanced controls to transactions associated with such jurisdictions.

8. Employee Training

8.1. All Company employees involved in customer service, payments, transaction monitoring or compliance processes undergo introductory and regular training on AML/CTF/CPF matters at least once a year.

8.2. Completion of training is documented; knowledge may be checked through internal testing.

9. Record Keeping and Confidentiality

9.1. Documents and information obtained in connection with the implementation of this Policy are confidential and may not be disclosed except where required by applicable law, contractual obligations or requests of competent authorities.

9.2. The retention period is at least 5 (five) years from the termination of the relationship with the User or from the completion of the transaction, whichever occurs later, unless a longer period is required by applicable law or partner requirements.

10. Responsibility

10.1. Violation of this Policy by employees, officers or contractors of the Company may result in disciplinary, contractual, civil, administrative or criminal liability, as applicable under the relevant law and the applicable employment or contractual arrangement.

10.2. The Company is responsible to acquiring banks, payment service providers, payment aggregators, eSIM suppliers and competent authorities for the proper performance of its AML/CTF/CPF obligations in accordance with concluded agreements and applicable law.

11. Final Provisions

11.1. This Policy is approved by order of the Director of the Company and enters into force from the date of its approval.

11.2. The Policy is reviewed at least once a year and also upon any material change in applicable law, partner requirements or the Company's business conditions.

11.3. The current version of the Policy is communicated to all employees and key counterparties.

12. Company Details

Company: Kolofi LLC

Website: https://esimka.io

E-mail: sup@esimka.io

Legal Form: Limited Liability Company

Identification Number: 402285424

Registration Number and Date: 26/07/2023

Registering Authority: LEPL National Agency of Public Registry (Georgia)

Registered Office Address: Georgia, Tbilisi, Didube district, Archil Kurdiani street, N16, apartment N12

Approved by order of the Director dated "22" April 2026 No. 1-AML/CTF.