AML/CFT & KYC Policy

1. Policy Statement

Icon Stockbrokers Limited is committed to the prevention, detection, and reporting of money laundering, terrorist financing, and proliferation financing activities. The Firm shall not knowingly facilitate, assist, or become complicit in any financial crime.

This commitment applies to all products and services offered by the Firm, all customer relationships, and all transactions processed through Icon e-Trade or any other channel operated by the Firm.

The Firm adopts a risk-based approach to AML/CFT compliance, allocating resources and controls commensurate with the risk profile of its clients, products, geographies, and delivery channels. The overarching objectives of this Policy are to:

• Identify, assess, and manage money laundering and terrorist financing risks
• Know our customers and monitor their transactions on an ongoing basis
• Report suspicious transactions and cash transactions to the Nigerian Financial Intelligence Unit (NFIU) as required by law
• Cooperate fully with regulatory and law-enforcement authorities in AML/CFT investigations
• Protect the Firm, its clients, and the Nigerian financial system from being used as a channel for illicit funds

2. Legal & Regulatory Framework

This Policy is designed to ensure compliance with the following legislation, regulations, and standards:

• Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA 2022) — the primary AML statute in Nigeria
• Terrorism Prevention (Amendment) Act 2013 (TPA 2013) and the Terrorism Prevention and Prohibition Act 2022 (TPPA 2022)
• Securities and Exchange Commission AML/CFT Rules 2022 — sector-specific rules for capital market operators
• Central Bank of Nigeria AML/CFT/CPF Regulations 2023 — as applicable to payment-related activities
• Nigerian Financial Intelligence Unit (NFIU) AML/CFT Compliance Framework
• FATF 40 Recommendations (Financial Action Task Force) — the international standard for AML/CFT
• Nigeria Data Protection Act 2023 (NDPA 2023) — governing the handling of personal data collected during KYC
• Investments and Securities Act 2007 (ISA 2007) — as amended, governing capital market conduct
• NGX Dealing Member Rules — Nigerian Exchange Group rules applicable to licensed brokers

Where there is a conflict between this Policy and applicable law or regulation, the applicable law or regulation shall prevail.

3. Scope of Application

This Policy applies to:

• All directors, officers, employees, and contracted staff of Icon Stockbrokers Limited
• All business lines, products, and services offered by the Firm, including the Icon e-Trade mobile application
• All customer relationships, whether retail, professional, or institutional
• All transactions processed on behalf of clients, including deposits, withdrawals, and securities trades
• All third-party service providers and introducers engaged to conduct CDD on behalf of the Firm

The Firm shall not establish or maintain an anonymous account or an account in a fictitious name. All accounts must be linked to a verified natural person or legal entity.

4. Money Laundering Reporting Officer (MLRO)

The Firm shall at all times maintain a designated Money Laundering Reporting Officer (MLRO) who is a senior officer of the Firm with sufficient authority and resources to carry out the function effectively. The MLRO is responsible for:

• Receiving internal suspicious activity reports from staff and making the decision to report to the NFIU
• Submitting Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) to the NFIU in a timely manner
• Maintaining oversight of the Firm's AML/CFT programme, including risk assessments, training, and policy reviews
• Liaising with the SEC, NFIU, and other regulators on AML/CFT matters
• Providing regular AML/CFT compliance reports to the Board of Directors

The MLRO position and contact details are registered with the SEC Nigeria and the NFIU. Staff must report all suspicious activity to the MLRO promptly using internal reporting procedures without tipping off the customer concerned.

MLRO Contact: compliance@icon-securities.ng

5. Customer Due Diligence (CDD)

The Firm shall conduct CDD on all customers before establishing a business relationship or executing a significant transaction. CDD comprises the following elements:

5.1 Customer Identification

For natural persons, the Firm shall collect and verify:

• Full legal name (as on government-issued identity)
• Date of birth
• Nationality and residential address
• Bank Verification Number (BVN) — verified against the Central Bank of Nigeria's BVN database via licensed identity service provider
• National Identification Number (NIN) — verified against NIMC
• A certified copy of at least one government-issued photo identity document (National ID, Passport, or Driver's Licence)
• A biometric facial liveness check matched to the government ID
• A utility bill or bank statement dated within the last three months as proof of address
• Tax Identification Number (TIN) — where applicable

For legal entities, the Firm shall collect and verify: certificate of incorporation, memorandum and articles of association, board resolution authorising account opening, identity of all directors and beneficial owners above 5% shareholding, and the entity's TIN and RC number.

5.2 Verification Standards

Identity information shall be verified against independent, reliable sources. The Firm uses Cellion Platforms Nigeria Limited as its primary identity verification provider, which queries government databases (BVN registry, NIMC, FRSC). Where electronic verification is unavailable, certified hard copies are acceptable. Verification is conducted before the client is granted access to trading functionality.

5.3 Ongoing CDD

Customer information shall be updated and verified on a risk-sensitive basis:

• High-risk customers: at least annually
• Medium-risk customers: every two years
• Low-risk customers: every three years or upon a significant change in customer profile

The Firm may suspend or restrict account access pending completion of periodic review.

5.4 Circumstances for CDD

CDD is triggered when: establishing a new customer relationship; there is a suspicion of money laundering or terrorist financing regardless of transaction size; there is doubt about the veracity or adequacy of previously obtained customer identification data; a customer requests a significant change to their account profile; or aggregate transaction value or behaviour falls outside the customer's established pattern.

6. Enhanced Due Diligence (EDD)

The Firm shall apply Enhanced Due Diligence (EDD) where the risk of money laundering or terrorist financing is assessed as higher than normal. EDD is mandatory for the following categories:

• Politically Exposed Persons (PEPs) and their close associates and family members
• Customers from high-risk jurisdictions identified by FATF, the NFIU, or the Firm's own risk assessment
• Customers with complex or opaque ownership structures
• Non-resident customers or customers with offshore account connections
• Customers engaged in high-value, high-frequency, or atypical trading patterns
• Any customer flagged by transaction monitoring or staff alerts as elevated-risk

EDD measures include, as appropriate: senior management approval of the customer relationship; obtaining additional identity and source-of-funds documentation; verifying the source of wealth and source of funds; conducting enhanced and more frequent transaction monitoring; and obtaining the first payment from an account in the customer's name at a regulated Nigerian financial institution.

7. Politically Exposed Persons (PEPs)

A Politically Exposed Person is an individual who is or has been entrusted with a prominent public function. This includes heads of state or government, ministers, senior government officials, senior judicial or military officials, senior executives of state-owned enterprises, senior officials of international organisations, members of parliament, and immediate family members and close business associates of the above.

The Firm screens all customers against PEP databases at onboarding and on a periodic basis. Nigerian domestic PEPs shall be treated as high-risk. Foreign PEPs shall be treated as high-risk without exception. A business relationship with a PEP requires explicit approval from the MLRO or a designated senior officer.

8. Beneficial Ownership

The Firm shall identify and verify the beneficial owners of all legal entity customers. For corporate clients, a beneficial owner is any natural person holding, directly or indirectly, 5% or more of the shares, voting rights, or ownership interest in the entity, or any natural person who exercises control over the management of the entity through other means. Where no natural person is identified, the senior managing official is treated as the beneficial owner.

Beneficial ownership information shall be verified against the Corporate Affairs Commission (CAC) register, supporting constitutional documents, and shareholder registers. The Firm does not open accounts for shell companies or entities with opaque ownership structures that cannot be satisfactorily verified.

9. Sanctions Screening

The Firm screens all customers and their beneficial owners against relevant sanctions lists at onboarding and on an ongoing basis, including: the United Nations Security Council (UNSC) Consolidated Sanctions List; the Nigerian Sanction List published by the Office of the National Security Adviser (ONSA); OFAC Specially Designated Nationals and Blocked Persons (SDN) List; European Union Consolidated Sanctions List; and UK HM Treasury Financial Sanctions List.

A positive match on any sanctions list shall result in immediate account freezing and a report to the MLRO. The Firm shall not process any transaction for or on behalf of a sanctioned person or entity.

10. Transaction Monitoring

The Firm maintains a transaction monitoring programme to detect transactions or patterns of activity that may indicate money laundering, terrorist financing, or other financial crime. The programme includes automated rules-based alerts, behavioural monitoring comparing current activity against the customer's established baseline, alert review by the Compliance team with documented rationale, and escalation to the MLRO for unresolved alerts.

Examples of red flags that may trigger enhanced scrutiny or reporting include:

• Rapid movement of large funds through the account with little or no investment activity
• Multiple deposits immediately followed by full withdrawals
• Transactions inconsistent with the client's stated profession, income level, or investment objective
• Third-party deposits into the client's account (funds sourced from a name not matching the client's profile)
• Repeated just-below-threshold transactions that appear designed to avoid reporting obligations (structuring)
• Requests to send proceeds to unrelated third parties or overseas accounts

All monitoring alerts and their outcomes shall be documented and retained for at least five (5) years.

11. Suspicious Transaction Reporting (STR)

Where the Firm, its officers, or employees know, suspect, or have reasonable grounds to suspect that a transaction or activity involves the proceeds of unlawful activity or is connected with the financing of terrorism or proliferation, the Firm shall file a Suspicious Transaction Report (STR) with the NFIU.

11.1 Internal Reporting

All staff are required to report suspicions promptly to the MLRO using the internal reporting process. Staff shall not discuss their report with the customer or any unauthorised person (tipping off prohibition). It is a criminal offence under the MLPPA 2022 to disclose to the customer that an STR has been, is being, or is about to be filed.

11.2 External Reporting

Upon receipt of an internal report, the MLRO shall assess the report within a reasonable timeframe (typically within 24 hours for urgent matters). Where suspicion is confirmed, an STR shall be filed with the NFIU via the NFIU goAML portal within 24 hours of forming the suspicion, in accordance with the MLPPA 2022. The decision-making process shall be documented and retained regardless of whether an STR is filed.

12. Cash Transaction Reporting (CTR)

The Firm shall file a Cash Transaction Report (CTR) with the NFIU for all single cash transactions or multiple cash transactions by or on behalf of a customer within a business day that in aggregate equal or exceed ₦5,000,000 for individuals or ₦10,000,000 for corporate entities, as prescribed under the MLPPA 2022. CTRs shall be submitted via the NFIU goAML reporting portal within 24 hours of the transaction date.

The Firm shall not structure transactions, or assist any customer in structuring transactions, to circumvent CTR thresholds. Structuring is a criminal offence under the MLPPA 2022.

13. Record Keeping

The Firm shall maintain adequate records to satisfy regulatory requirements and enable reconstruction of individual transactions:

• Customer identification and CDD records: minimum 5 years after the end of the business relationship
• Transaction records: minimum 5 years from the date of each transaction
• STR and CTR records: minimum 5 years from the date of filing
• Training records: duration of employment plus 3 years
• Internal suspicious activity reports: minimum 5 years, regardless of whether an STR was filed

Records shall be stored securely, be readily accessible to the NFIU, SEC, or any other competent authority upon request, and shall be protected from unauthorised access.

14. Staff Training & Awareness

AML/CFT training is mandatory for all employees and contractors. The programme includes:

• Induction training: for all new joiners before interacting with customers
• Annual refresher: covering regulatory updates and emerging typologies
• Role-specific training: enhanced training for compliance, operations, and customer-facing staff
• MLRO professional development: at least one external AML/CFT event per year

All training completion records shall be documented and retained. Failure to complete mandatory training is a disciplinary offence.

15. Third-Party Reliance

The Firm may rely on the CDD performed by a regulated third party to satisfy its identification and verification obligations, provided that: the third party is regulated and supervised for AML/CFT compliance; a written agreement is in place; underlying CDD information and documentation can be obtained immediately upon request; and ultimate responsibility for AML/CFT compliance remains with the Firm.

Cellion Platforms Nigeria Limited is the Firm's primary KYC identity verification partner. All CDD data obtained via Cellion is retained and auditable by the Firm's compliance function.

16. Policy Review

This Policy shall be reviewed and updated at least annually by the MLRO and approved by the Board of Directors; upon any material change in applicable law or regulation; following a significant change in the Firm's products, services, customer base, or risk profile; and after any material breach of this Policy or regulatory sanction. Previous versions shall be archived and retained for at least five (5) years.

17. Contact & Escalation

For AML/CFT compliance matters, staff internal reporting, or regulatory enquiries:

• MLRO: compliance@icon-securities.ng
• Legal: legal@icon-securities.ng
• Address: Head of Compliance, Icon Stockbrokers Limited, 24 Campbell Street, Lagos Island, Lagos, Nigeria
• SEC Nigeria: sec.gov.ng
• NFIU: nfiu.gov.ng