COMPLIANCE POLICY of Rubicon sh.a., which operates the “Pago” digital platform.
I. Introductory provisions
a) Rubicon sh.a. (the “Company” or “Rubicon”), which fully owns the digital platform “Pago”, is licensed by the Bank of Albania with license no. 52, dated 21.01.2022, as an Electronic Money Institution (Non-Bank Financial Institution). The Company ensures statutory and regulatory compliance with the requirements of the legislation in force for payment services and electronic money, as well as the identification and management of compliance risks in accordance with domestic regulatory requirements and international standards.
b) Compliance risk is the potential legal risk, the risk of supervisory or other official sanctions, significant financial losses or reputational damage due to non-compliance with legislation or other non-legislative standards and internal rules applicable to the Company in relation to its activity in the field of payment services and electronic money.
c) The Compliance Policy is harmonized with the relevant legal framework, including but not limited to:
- Law No. 55/2020 “On Payment Services”;
- Law No. 9917/2008 “On the Prevention of Money Laundering and Financing of Terrorism”, as amended;
- Instruction No. 1, dated 21.01.2025 of the Minister of Finance “On the methods and procedures for implementation by entities involved in financial activities”;
- Law No. 124/2024 “On the Protection of Personal Data” and the General Data Protection Regulation (GDPR);
- Law on Electronic Identification and Trust Services;
- Law No. 9258/2004 “On measures against the financing of terrorism”;
- Bank of Albania regulations and instructions for electronic money institutions;
- UN, EU, OFAC (US) and HM Treasury (UK) sanctions lists.
II. General provisions
II.1. Purpose of the Policy
The activity of the compliance function covers Rubicon sh.a. as a whole, including all its organizational units and activities in the field of electronic money issuance, execution of payment transactions, opening and administration of electronic money accounts, issuance of debit cards, POS and e-commerce services, as well as any other auxiliary services provided through the “Pago” platform. Persons who carry out external activities or are engaged as experts, advisors, agents or service providers on behalf of the Company, whether natural or legal persons, must also meet compliance requirements and standards.
II.2. Position of the compliance function
a) In accordance with the instructions of the Bank of Albania (BoA) and the recommendations of international financial regulators, Rubicon establishes and maintains internal lines of protection and security to promote:
- prudent, reliable and efficient operations in accordance with legal and regulatory requirements;
- protecting assets, client funds and the interests of shareholders, customers and business partners;
- sustainable business operation and maintaining trust in electronic payment services offered through “Pago”.
b) Internal lines of defense include responsible internal governance and internal control functions of the second and third lines of defense, which complement the controls integrated into business processes (first line of defense).
c) Internal control functions include the risk management function, the compliance function and the internal audit function. The Compliance function at Rubicon is carried out by the Compliance Officer, who reports directly to the Company’s governing bodies.
II.3. Principles guiding the compliance function
a. The compliance function at Rubicon is carried out with the aim of creating a legal and ethical corporate culture, which guarantees the prudent and ethical operation of the Company in the long term.
b. In performing its compliance function, Rubicon operates in accordance with the following principles:
- independence;
- integrity;
- acting without interference;
- objectivity;
- proactive and preventive approach;
- risk-oriented approach (requirement to ensure compliance based on risk);
- proportionality;
- high level of care and professional competence;
- full coverage of the activity;
- efficiency and rationalization of compliance costs.
III. Detailed provisions
III.1. Main compliance activities
III.1.1. Processing and protection of personal data (GDPR)
a) Rubicon is committed to the proper protection of personal data processed by it, in accordance with the provisions of Law No. 124/2024 “On the Protection of Personal Data”, the General Data Protection Regulation (GDPR) and the by-laws in force.
b) As an Electronic Money Institution that processes sensitive financial and identification data of customers through the “Pago” platform, the Company has established, operates and implements a system for regulation, enforcement and auditing that provides for:
- protection of customers’ personal data, including identification, contact, transaction and payment behavior data, biometric records (voice, image), as well as data from the remote Know Your Customer (KYC) process;
- implementing the principle of “privacy by design and by default” in the development of products and services;
- transparently informing customers about the processing of their data and the rights they are entitled to by law;
- cooperation with the Commissioner for the Right to Information and Personal Data Protection.
c) Customer data may be transferred to third countries that meet an adequate level of protection (including the USA, the UK and Belgium) for the purposes of providing Mastercard/Visa debit cards and mandatory FATCA reporting to the IRS (US tax authority).
III.1.2. Integrity
a) Rubicon develops and establishes rules on conflict of interest and ethics, with the requirement that all directors, employees and control bodies take decisive action against any violation of these rules.
b) Rubicon has a business interest and legal obligation to ensure that the personal interests of its employees and members of its governing bodies do not conflict with the business interests and commitments of the Company and “Pago” clients. Rubicon identifies, prevents and manages conflicts of interest in relation to its activities, as well as regulates and ensures the assessment of the compliance of providers and business partners (prior check).
c) Rubicon shall develop a Conflict of Interest Policy to specify the circumstances related to its activity in the field of payment services and which lead or may lead to a conflict of interest with negative consequences for customers or business partners. The policy shall also set out detailed rules and procedural measures for the prevention, identification and management of conflict of interest situations.
d) With the aim of protecting its values and clients, Rubicon formulates requirements for ethical business operations and develops internal ethical and professional standards, which are summarized and published in the Code of Ethics and the Partner Code of Conduct.
e) Rubicon is committed to combating corruption and has declared zero tolerance towards all forms of bribery, improper gifts and unfair benefits. The purpose of the Anti-Corruption Policy is to define the principles of the Company’s anti-corruption activity, to identify areas particularly exposed to the risk of corruption and to serve as a basic document for the activity of the relevant staff.
f) Rubicon offers a dedicated reporting channel (whistleblowing line) for confidential reporting of violations of ethical standards, legal provisions and compliance rules.
III.1.3. Fair treatment of customers and consumer protection
a) Rubicon is committed to protecting and respecting the interests of consumers, in accordance with Law No. 9902/2008 “On Consumer Protection” and Law No. 55/2020 “On Payment Services”.
b) In this context, Rubicon follows these principles:
- transparent and understandable information before contracting (tariffs, conditions, execution deadlines, consumer rights), reflected in the Terms of Service and the Fees and Commissions section;
- providing services appropriate to the needs and profile of the client;
- fair, equal and non-discriminatory treatment;
- efficient handling of complaints through Customer Service at +355 4 562 0560 and the dedicated email address, within the deadlines set by the BoA;
- information on the client’s right to address the Bank of Albania or alternative dispute resolution mechanisms.
III.1.4. Security of transactions and protection of customer funds
As an Electronic Money Institution, Rubicon ensures the protection of “Pago” customer funds through:
- segregation of client funds from the Company’s own funds in dedicated accounts in second-tier banks licensed in the Republic of Albania;
- implementing Strong Customer Authentication (SCA) measures for electronic transactions, including security elements: PIN code, SMS OTP, Mobile Token and biometric identification;
- real-time monitoring of transactions to identify fraud and suspicious activity;
- implementing daily, monthly and annual transaction limits for individual and business accounts, according to the Terms of Service;
- immediate blocking of the account in case of suspected compromise of credentials or security elements;
- implementation of cybersecurity standards in accordance with BoA guidelines and international best practices (PCI DSS, ISO 27001).
III.1.5. Prevention of money laundering and terrorist financing (AML/CFT)
a) Rubicon’s activities against money laundering and terrorist financing aim to effectively prevent the use of the services of the “Pago” platform for the laundering of assets of criminal origin and the financing of terrorism.
b) Rubicon develops internal policies, establishes and maintains effective processes and procedures in accordance with Law No. 9917/2008 “On the Prevention of Money Laundering and Financing of Terrorism” (as amended), Instruction No. 1, dated 21.01.2025 of the Minister of Finance, the requirements of the Financial Intelligence Agency (AIF), as well as the international standards of the FATF and the MONEYVAL Committee of the Council of Europe.
c) Client identification is carried out through secure electronic identification, in accordance with the requirements of the law “On electronic identification and trusted services”, using the remote “Know Your Customer” (KYC) procedure, which includes verification of the identification document and biometric verification with a camera and microphone.
d) To identify, analyze, assess and manage AML/CFT risks, Rubicon prepares an institution-wide Risk Assessment, which is reviewed at least annually or whenever material changes occur in the activities, clientele, products or regulatory framework.
e) Rubicon classifies customers into risk categories (low, medium, high) and implements appropriate Customer Due Diligence (CDD) measures according to the risk category, including enhanced due diligence (EDD) for high-risk customers, Politically Exposed Persons (PEPs) and high-risk jurisdictions.
f) For business customers, due diligence includes the identification of Beneficial Owners as defined by law, including any person who directly or indirectly owns at least 25% of the shares or votes of the legal entity, or who exercises effective control.
g) During the customer due diligence process, the “Know Your Customer” (KYC) principle is applied to develop a profile for the customer, monitor transaction activity and identify suspicious actions that do not match his profile. Any suspicious transaction is reported to the Financial Intelligence Agency (FIA) in accordance with the law.
h) Rubicon implements transaction limits and identification thresholds in accordance with the Terms of Service, BoA regulations and AML/CFT legislation. Any action exceeding the limits requires additional documentation to justify the funds or purpose of use before being authorized.
i) All Rubicon employees, especially those performing customer due diligence, transaction monitoring and reporting, receive periodic and documented training on AML/CFT obligations.
III.1.6. Compliance with international sanctions
a) In establishing and maintaining its relationships and making business decisions, Rubicon takes into account economic, financial and trade sanctions and embargo requirements adopted by international organizations and states, in particular by:
- United Nations (UN) Security Council;
- European Union;
- Office of Foreign Assets Control (OFAC) of the US Department of the Treasury;
- HM Treasury / Office of Financial Sanctions Implementation (OFSI) of the United Kingdom.
b) Rubicon implements an International Sanctions Policy with general principles of sanctions enforcement, which includes screening of customers, beneficial owners, partners and transactions against sanctions lists, both prior to entering into a relationship and on an ongoing basis.
c) Following the objectives of its business policy, Rubicon avoids transactions and relationships with sanctioned natural or legal persons, as well as transactions with destination or origin from comprehensively sanctioned jurisdictions.
III.1.7. Responsible Governance and Sustainability (ESG)
a) In accordance with sustainability criteria (Environmental, Social and Governance – ESG), Rubicon evaluates its activity from the perspective of environmental impact, social justice and issues related to corporate governance, ensuring compliance with applicable legislative requirements.
b) In the spirit of responsible corporate governance, Rubicon follows internationally recognized standards and transparently discloses information about its governance and operations.
c) In developing its products through the “Pago” platform and providing access to electronic payment services, Rubicon applies the principles of ethics and consumer protection, ensuring that the services provided are modern, secure, comprehensive and fair to customers.
III.1.8. Compliance with international tax agreements
a) Rubicon has a fundamental interest and legal obligation to ensure compliance with customer identification and reporting requirements under international tax treaties, including FATCA (Foreign Account Tax Compliance Act) for US citizens and tax residents and the OECD CRS (Common Reporting Standard), in accordance with the obligations of the Republic of Albania.
b) Individual clients who are US citizens, as well as businesses headquartered in the US, must complete the relevant forms made available to them by Rubicon during the KYC procedure. The data is reported once a year to the US Internal Revenue Service (IRS).
III.2. General principles and requirements
III.2.1. Responsibility for compliance
As defined in the applicable legal regulations and internal provisions, all Rubicon employees assume overall responsibility for the implementation of compliance requirements and rules. All employees are obliged to:
- implement compliance requirements in their daily activities;
- report any circumstances that pose a threat to their implementation;
- participate in the elimination of such circumstances;
- attend mandatory compliance training.
III.2.2. Use of agents, consultants and external experts
To ensure the enforceability of the standards set forth in this Policy, all persons acting as agents, Pay-as-you-go partners, experts or external consultants on behalf of Rubicon are required to declare that they have read and understood the Compliance Policy and agree to comply with its requirements. Rubicon performs due diligence on these persons prior to entering into the relationship and monitors their activity on an ongoing basis.
III.2.3. Cooperation with authorities
Rubicon cooperates fully and in good faith with the Bank of Albania in its capacity as supervisory authority, with the Financial Intelligence Agency (AIF), with the Commissioner for the Right to Information and Personal Data Protection, with central and local tax authorities, with authorities in charge of investigations and judicial processes, with bailiffs for the execution of judicial decisions, as well as with other competent authorities, ensuring access to information, documentation and assistance according to legal requirements.
IV. Approval and review
- This Compliance Policy is approved by the governing bodies of Rubicon sh.a. and is reviewed at least once a year, or whenever material changes occur in the legal framework, organizational structure, products and services offered through the “Pago” platform, or in the Company’s risk profile.
- Any Rubicon employee, agent or partner has the right to contact the Compliance Officer for clarifications, reports or questions regarding the implementation of this Policy.
- Customers and third parties can contact Rubicon through Customer Service channels at +355 4 562 0560 (Monday – Friday, 09:00 – 17:00) or at the official address: Rr. “Donika Kastrioti”, Pall. Teknoprojekt, 6th Floor, Tirana 1005, Albania.
Rubicon JSC
Electronic Money Institution licensed by the Bank of Albania
License No. 52, dated 21.01.2022 • NUIS: M02129014T
Pago is registered in Albania as a trademark of Rubicon Sh.a.
We are licensed (No. 52, dated 22.01.2022) by the Supervisory Council of the Bank of Albania as an electronic money financial institution.