SForest

Anti-Money Laundering Policy

Anti-Money Laundering & Combating the Financing of Terrorism Policy

Effective Date: January 1, 2026


1. Introduction & Commitment

SLUMBERING FOREST LLC ("Company") is committed to preventing financial crime, including money laundering, terrorist financing, sanctions evasion, and fraud. This Anti-Money Laundering ("AML") and Combating the Financing of Terrorism ("CTF") Policy establishes the Company's risk-based approach to compliance with applicable laws.

This Policy applies to all users, including game players (Users) and game developers/publishers (Merchants), and all transactions facilitated through the Services.


2. Policy Scope & Applicability

2.1 Services Covered

This AML/CTF Policy applies to:

  • Digital game publishing and distribution through the SForest platform
  • Real currency payment processing and transaction facilitation
  • Revenue settlement to Merchants and user account funding
  • Payment refunds and chargebacks
  • User account creation and management
  • Merchant/publisher onboarding and integration

2.2 Scope Exclusions

This policy does NOT apply to:

  • Virtual currency or cryptocurrency transactions (the Company does not process these)
  • Gambling or iGaming services (except that iGaming clients may use the Services under general AML obligations)
  • Wire transfers or international remittances (except settlement to Merchants)
  • Money transmission services (except payment processing for our Services)

2.3 No Virtual Currency Issuance

The Company does not issue, mint, or facilitate issuance of virtual currencies, digital currencies, stablecoins, or cryptocurrency. All transactions are conducted in real currency (USD or other fiat). This limitation reduces AML/CTF risk by limiting the Company to straightforward payment processing for digital goods.


3.1 US Federal AML/CTF Laws

This Policy implements compliance with the following US federal laws:

3.1.1 Bank Secrecy Act (BSA), 31 U.S.C. § 5311 et seq.

  • Customer identification and verification (CIP)
  • Currency Transaction Reports (CTR) for transactions exceeding $10,000
  • Suspicious Activity Reports (SAR) for transactions suggesting criminal activity
  • Record-keeping requirements (minimum 5 years)
  • AML compliance program requirements
  • FinCEN reporting obligations

3.1.2 USA PATRIOT Act, Pub. L. 107-56 (2001)

  • Know Your Customer (KYC) requirements for account holders
  • Enhanced Due Diligence (EDD) for Merchants and high-risk customers
  • OFAC sanctions screening and blocking
  • Beneficial ownership identification for business entities
  • Politically Exposed Person (PEP) screening

3.1.3 Executive Order 13224 & Sanctions

  • OFAC Specially Designated Nationals (SDN) list screening
  • Sectoral sanctions programs (Russia, Iran, Syria, Cuba, North Korea, etc.)
  • Embargo compliance
  • Blocking of sanctioned persons and entities
  • Reporting of violations to OFAC

3.1.4 FinCEN Guidelines & Regulations

  • Financial Crimes Enforcement Network (FinCEN) guidance on payment processors
  • Virtual currency guidance (if applicable)
  • Risk-based approach to AML compliance
  • Beneficial ownership requirements (Corporate Transparency Act)

3.2 State AML Laws

The Company complies with state-level AML requirements, including:

  • State money transmitter licensing (where applicable)
  • State-specific customer identification requirements
  • State reporting obligations to financial crimes units
  • State payment processor regulations

4. Risk-Based Compliance Approach

4.1 Risk Assessment Framework

The Company uses a risk-based approach to AML/CTF compliance. Risk levels are determined by:

Customer Type:

  • Individual Users (lower risk)
  • Merchants/publishers (higher risk due to revenue settlement)
  • High-risk business customers (highest risk)

Geography:

  • US-based customers (lower risk)
  • EU/OECD countries (lower risk)
  • High-risk jurisdictions (higher risk) - See Section 4.2
  • OFAC-sanctioned countries (prohibited)

Transaction Patterns:

  • Normal, consistent spending (lower risk)
  • Sudden large transactions (higher risk)
  • Frequent failed payments or chargebacks (higher risk)
  • Cross-border transactions (higher risk)

Business Type (for Merchants):

  • Single-person indie developers (lower risk)
  • Established game studios (lower risk)
  • High-risk business models (higher risk)
  • Merchants without clear business purpose (highest risk)

4.2 High-Risk Jurisdictions

Transactions with customers in the following jurisdictions receive enhanced monitoring:

OFAC-Sanctioned Countries (Prohibited):

  • Iran
  • North Korea
  • Syria
  • Cuba
  • Crimea (Autonomous Republic of Ukraine)
  • Any other countries subject to comprehensive OFAC sanctions

High-Risk Countries (Enhanced Due Diligence):

  • Afghanistan
  • Belarus
  • Democratic Republic of Congo
  • Guinea-Bissau
  • Iraq
  • Kyrgyzstan
  • Lebanon
  • Libya
  • Mali
  • Palestine
  • Russia (sectoral sanctions)
  • Somalia
  • South Sudan
  • Sudan
  • Tajikistan
  • Turkmenistan
  • Uzbekistan
  • Venezuela
  • Yemen
  • Any other countries designated as high-risk by FATF or FinCEN

Mitigating Factors:

  • Customers in high-risk countries may still use the Services if:
    • They pass enhanced due diligence screening
    • They are not subject to OFAC sanctions
    • Transaction amounts are reasonable
    • Legitimate business purpose is documented

5. Customer Due Diligence (CDD) for Users

5.1 Customer Identification Program (CIP)

All Users must provide:

  1. Full legal name (matches government ID)
  2. Date of birth (to verify 18+ requirement)
  3. Email address (valid, verified)
  4. Mailing address (street, city, state, ZIP code)
  5. Phone number (optional, but recommended for high-value accounts)

5.2 CIP Verification

The Company verifies customer identification using:

  • Email verification: Confirmation link sent to provided email
  • Address verification: Postal verification or address validation service
  • Age verification: Date of birth cross-check against identity documents
  • Document verification (for high-risk customers): ID document upload (driver's license, passport, etc.)

5.3 Payment Method Verification

When Users add a payment method:

  • Credit/debit card name must match account holder name
  • Billing address must match account address
  • Card verification process conducted by payment processor

5.4 Beneficial Ownership Identification

For Users who appear to be operating accounts on behalf of others:

  • Beneficial owner identification required
  • Beneficial owner consent form
  • Documentation of authorization

6. Enhanced Due Diligence (EDD) for Merchants

6.1 Merchant Onboarding CDD

All Merchants must provide:

  1. Business Information

    • Legal business name and DBA names
    • Type of entity (sole proprietor, LLC, corporation, partnership, etc.)
    • Business address (physical, not PO Box)
    • Business phone number
    • Website or social media presence
    • Business registration number (if applicable)
    • Tax identification number (EIN, SSN for sole proprietors)
  2. Ownership & Control Information

    • Beneficial owner(s) identification (name, DOB, address)
    • Percentage ownership for each beneficial owner
    • Officer/director names (for corporations)
    • Signatory authority and decision-makers
  3. Business Purpose & Operations

    • Description of game/digital content to be published
    • Target user demographic and geography
    • Expected transaction volume and value
    • Business plan and revenue projections
    • Previous gaming/publishing experience

6.2 EDD Document Collection

Merchants must provide:

  • Business License or certificate of good standing
  • Articles of Incorporation or LLC operating agreement
  • Government-issued ID for beneficial owners (driver's license, passport)
  • Proof of Address (utility bill, lease agreement, bank statement less than 90 days old)
  • Tax Documentation (prior year tax returns or EIN assignment letter)
  • Banking Information (bank statement showing business account)

6.3 OFAC & Sanctions Screening

All Merchants are screened against:

  • OFAC SDN List (Specially Designated Nationals)
  • OFAC consolidated sanctions programs list
  • EU sanctions lists (if applicable)
  • UK sanctions lists (if applicable)
  • UN sanctions lists (if applicable)
  • Foreign criminal and watchlists (as available)
  • PEP (Politically Exposed Person) databases

Merchants must certify that:

  • They are not on any sanctions list
  • They are not a politically exposed person (PEP)
  • They have no beneficial owners on sanctions lists
  • They do not operate in OFAC-sanctioned countries

6.4 Merchant Risk Classification

Merchants are classified as:

Low-Risk Merchants:

  • Established game studios (3+ years operating)
  • Published games with legitimate user base
  • Transparent ownership and operations
  • Reasonable transaction volumes
  • No history of compliance issues

Medium-Risk Merchants:

  • New developers (under 3 years)
  • Limited publication history
  • First-time game publishers
  • Reasonable transaction volumes
  • Single entity with clear ownership

High-Risk Merchants:

  • Merchants in high-risk jurisdictions
  • Questionable business model or purpose
  • Complex ownership structure
  • High transaction volume relative to business stage
  • Politically exposed persons (PEPs)
  • Merchants with history of disputes or chargebacks
  • Merchants publishing content in adult gaming or other sensitive categories

Enhanced Monitoring for High-Risk Merchants:

  • Quarterly compliance reviews
  • Monthly transaction monitoring
  • Enhanced documentation requirements
  • Possible transaction limits or restrictions

7. Know Your Customer (KYC) Enhanced Due Diligence

7.1 KYC Verification Methods

The Company verifies customer information using:

  1. Third-party identity verification services (IDology, Jumio, or similar)

    • Automated ID document scanning and verification
    • Liveness checks (for video verification)
    • Biometric matching
    • Database cross-checking
  2. Payment processor verification

    • Credit card issuer verification
    • Bank account verification (ACH microdeposits)
    • Payment method validation
  3. Beneficial ownership verification

    • Company Secretary of State filings
    • UCC filings
    • Corporate records verification
    • Manual document review

7.2 Ongoing KYC Monitoring

The Company conducts ongoing monitoring to:

  • Detect changes in customer risk profile
  • Identify new beneficial owners or control changes
  • Monitor for new sanctions designations
  • Detect unusual transaction patterns
  • Monitor for fraud indicators

Ongoing monitoring includes:

  • Annual sanctions re-screening
  • Quarterly transaction pattern review (for high-risk customers)
  • Updates to beneficial ownership information
  • Monitoring of news sources and public records

8. OFAC Sanctions Compliance

8.1 OFAC Screening Program

The Company maintains a comprehensive OFAC compliance program including:

Automated Screening:

  • Screening of all customers at account creation
  • Automatic re-screening of customers monthly
  • Screening of beneficial owners
  • Automated blocking of sanctioned individuals/entities

SDN List Monitoring:

  • Daily updates of SDN list from OFAC
  • Automated match detection
  • Name variation detection (nicknames, aliases, alternate spellings)
  • Entity relationship mapping

Sectoral Sanctions Monitoring:

  • Russia sectoral sanctions programs
  • Iran sectoral sanctions
  • Cuba sectoral sanctions
  • Entity screening against sectoral lists

8.2 False Positives & Appeals

If a customer is blocked due to an OFAC match:

  1. Company provides notice to customer
  2. Customer may request review/appeal
  3. Company conducts manual name verification
  4. If false positive confirmed, account is unblocked
  5. Customer is informed of resolution

OFAC Match Criteria:

  • Exact name matches
  • Close name matches with manual review
  • Beneficial owner matches
  • Authorized signatory matches

8.3 Blocking & Freezing

Upon OFAC match or sanctions designation:

  • Customer account is immediately blocked
  • All transactions are prohibited
  • Company notifies OFAC of blocked person/entity (if required)
  • Funds are frozen and held pending OFAC approval to release
  • Company cooperates with OFAC license applications if needed

9. Transaction Monitoring & Red Flags

9.1 Transaction Monitoring Program

The Company monitors all transactions for suspicious activity indicators. Monitoring covers:

  • Transaction amount and frequency
  • Customer location and IP address
  • Payment method changes
  • Rapid account funding followed by withdrawal
  • Multiple failed payment attempts
  • High-value transactions for new accounts
  • Cross-border transaction patterns
  • Chargeback and dispute patterns

9.2 Red Flag Indicators

Transactions triggering enhanced review include:

  1. Amount-Based Indicators

    • Single transaction exceeding $10,000
    • Multiple transactions structured to avoid reporting thresholds (smurfing)
    • Rapid accumulation of account balance
    • Sudden spike in spending vs. historical pattern
  2. Pattern-Based Indicators

    • Rapid account creation followed by large transaction
    • Multiple accounts from same payment method
    • Multiple accounts from same IP address or device
    • Account created with fake or disposable email
    • Multiple failed payment attempts before success
    • Frequent chargebacks or disputes
  3. Customer-Based Indicators

    • Customer information inconsistencies
    • Multiple name variations on account
    • Account operated from multiple geographies
    • Mismatch between account info and transaction behavior
    • Customer in high-risk jurisdiction
    • Customer near OFAC watchlist match
  4. Payment Method Indicators

    • Multiple payment methods used in short timeframe
    • Payment method doesn't match account country
    • Multiple high-value cards used
    • Debit cards typically associated with fraud
    • Digital wallets associated with fraud rings
  5. Behavioral Indicators

    • Not playing games purchased
    • Purchasing games never played
    • Unusual transaction frequency (bots)
    • Account dormant then sudden activity
    • Rapid withdrawal requests
    • Attempting to circumvent platform restrictions

9.3 Merchant Red Flags

High-risk merchant indicators include:

  • Merchant requesting direct payment transfers outside platform
  • Merchant requesting customer personal information beyond necessity
  • Merchant in high-risk jurisdiction
  • Merchant with no verifiable gaming/publishing experience
  • Merchant with unclear source of funds
  • Merchant with beneficial owners on watchlists
  • Merchant operating multiple merchant accounts
  • Merchant requesting exemption from compliance requirements

10. Suspicious Activity Reporting (SAR)

10.1 SAR Filing Obligations

The Company files Suspicious Activity Reports (SARs) with FinCEN when:

  • A transaction or pattern suggests possible money laundering
  • A transaction suggests possible terrorist financing
  • A transaction violates OFAC sanctions
  • A customer appears to be engaged in fraud
  • A transaction suggests structuring (smurfing)
  • Aggregate suspicious activity exceeds $5,000

SARs are filed regardless of whether funds are actually transferred.

10.2 SAR Content & Procedures

Each SAR includes:

  • Company identifying information
  • Customer identifying information (name, ID, account)
  • Suspicious activity description and dates
  • Transaction details (amounts, methods, counterparties)
  • Narrative explanation of suspicious indicators
  • Relationship to known criminal activity (if applicable)
  • Company corrective actions taken

SARs are filed:

  • Within 30 calendar days of detection (and before transaction settles, if possible)
  • Electronically to FinCEN via BSA E-filing System
  • Concurrently with any law enforcement notification
  • With strict confidentiality (disclosure to customer prohibited)

10.3 SAR Non-Disclosure

SAR filings are strictly confidential. The Company shall NOT disclose to any customer or third party:

  • That a SAR has been filed
  • The content of a SAR
  • The fact that suspicious activity was detected
  • Any information that would alert customer to investigation

Unauthorized disclosure is prohibited by law and may result in civil/criminal liability.


11. Record Keeping & Documentation

11.1 Record Retention

The Company maintains records of:

  • Customer identification information (5 years minimum)
  • Transaction records (5 years minimum)
  • OFAC screening results (5 years minimum)
  • SAR filings (5 years minimum, separately from SARs)
  • AML policy and procedures (indefinite)
  • Beneficial ownership documentation (5 years post-relationship termination)
  • Due diligence documentation (5 years post-relationship termination)

All records are stored securely with access limited to compliance personnel.

11.2 Record Accessibility

The Company maintains records in formats that allow:

  • Rapid retrieval upon law enforcement request
  • Search by customer name, ID, or account number
  • Search by transaction date, amount, or type
  • Correlation with other customer records
  • Export for regulatory examination

11.3 Customer Due Diligence File

The Company maintains a Customer Due Diligence File for each customer containing:

  • CIP information (name, DOB, address, ID)
  • Beneficial ownership documentation
  • Risk classification
  • OFAC screening results
  • Transaction history summary
  • Any SARs filed
  • Any compliance issues identified
  • Termination documentation (if applicable)

12. Ongoing Monitoring & Updating

12.1 Customer Information Updates

The Company requires customers to:

  • Update information if address, phone, or beneficial ownership changes
  • Re-verify identity annually for high-risk customers
  • Provide updated beneficial ownership certification annually (for Merchants)

The Company updates customer information:

  • Upon customer request
  • When payment processing detects inconsistencies
  • When regulatory or news sources indicate changes
  • Upon receipt of law enforcement request

12.2 Sanctions List Updates

The Company:

  • Updates OFAC SDN list daily
  • Updates other sanctions lists weekly
  • Re-screens all customers monthly against updated lists
  • Immediately blocks customers newly designated as sanctioned
  • Notifies OFAC of blocked persons/entities

12.3 Transaction Monitoring Updates

The Company:

  • Reviews transaction monitoring rules quarterly
  • Updates red flag indicators based on emerging threats
  • Adjusts thresholds based on fraud trends
  • Incorporates lessons learned from SARs filed

13. Training & Awareness

13.1 Compliance Training

All Company personnel involved in customer service, payments, or fraud prevention receive:

  • Initial AML/CTF training prior to customer contact
  • Annual refresher training
  • Training on red flag identification
  • Training on SAR filing procedures
  • Training on OFAC compliance
  • Training on confidentiality obligations

13.2 Training Records

The Company maintains records of:

  • Training dates and attendees
  • Training content and materials
  • Certification of completion
  • Competency assessments

13.3 Third-Party Training

Sub-processors and vendors receive:

  • Contractual AML/CTF obligations
  • Necessary training or guidance
  • Periodic compliance certifications

14. Independent Review & Testing

14.1 Annual AML Program Review

The Company conducts an annual independent review of the AML compliance program by:

  • Qualified compliance officer or external auditor
  • Assessment of policy effectiveness
  • Testing of transaction monitoring systems
  • Review of SAR filings for accuracy and timeliness
  • Evaluation of training sufficiency
  • Identification of gaps and recommendations

14.2 Audit Frequency

Audits occur at least annually, with additional audits triggered by:

  • Significant changes to business or technology
  • Material compliance violations
  • Major regulatory guidance updates
  • Following security incidents or breaches
  • Upon regulatory request

14.3 Audit Documentation

Audit reports are:

  • Documented in writing
  • Retained for at least 5 years
  • Provided to management and Board (if applicable)
  • Used to implement corrective actions
  • Available upon regulatory request

15. Enforcement & Disciplinary Measures

15.1 Account Suspension & Termination

The Company may suspend or terminate customer accounts for:

  • AML/CTF policy violations
  • Failure to provide required documentation
  • OFAC or sanctions match
  • Suspicious activity patterns
  • Structuring or smurfing
  • Refusal to update customer information
  • False or misleading information
  • Operating in violation of terms

Suspension/termination procedures:

  • Account access is immediately revoked
  • Customer is notified (unless prohibited by law)
  • Funds are held pending investigation
  • Records are retained per retention schedule

15.2 Fund Freezing

If suspicious activity is detected or an OFAC match occurs:

  • Customer funds are immediately frozen
  • Withdrawals are prohibited
  • Funds are held pending investigation or OFAC approval
  • Company may apply frozen funds to outstanding compliance fees

15.3 Violation Reporting

Significant AML/CTF violations are:

  • Reported to compliance officer and management
  • Escalated to Board/Audit Committee
  • Documented in compliance file
  • Used to identify systemic issues
  • Reported to regulators if legally required

16. Reporting to Law Enforcement & Regulators

16.1 Law Enforcement Cooperation

The Company cooperates fully with law enforcement inquiries, including:

  • Responding to subpoenas and court orders
  • Providing customer records and transaction history
  • Participating in investigations
  • Freezing customer accounts per legal process
  • Providing expert testimony or analysis

16.2 FinCEN Reports

The Company files with FinCEN:

  • Currency Transaction Reports (CTRs) for deposits exceeding $10,000
  • Suspicious Activity Reports (SARs) for suspicious transactions (see Section 10)
  • OFAC violation reports for OFAC breaches or violations

16.3 Regulatory Examination

The Company cooperates with regulatory examinations by:

  • Providing requested documentation and records
  • Making personnel available for interviews
  • Providing system access for testing
  • Responding to information requests

17. Geographic Coverage & Jurisdictional Limits

17.1 US Jurisdiction

This Policy applies to:

  • All customers in the United States
  • All customers using US payment methods
  • All transactions in US currency
  • All Services provided from US infrastructure

17.2 International Customers

For customers outside the US:

  • OFAC sanctions screening is mandatory
  • Enhanced due diligence applies to high-risk countries
  • Applicable local laws are honored
  • International sanctions are monitored

Prohibited Regions:

  • OFAC-sanctioned countries (Iran, North Korea, Syria, Cuba, Crimea)
  • Customers in these regions cannot use the Services

18. Policy Review & Updates

18.1 Annual Review

This Policy is reviewed annually and updated to reflect:

  • Changes in regulatory guidance
  • Updates to OFAC and sanctions lists
  • Changes in business model
  • Lessons learned from SARs filed
  • Emerging threats and best practices

18.2 Regulatory Updates

When FinCEN, OFAC, or other regulators issue new guidance:

  • The Company evaluates applicability
  • Policies are updated within reasonable timeframe
  • Personnel are trained on changes
  • Documentation is updated

18.3 Effective Date of Changes

Policy changes take effect:

  • Immediately for regulatory compliance matters
  • 30 days after notification for procedural changes
  • With grandfather provisions for existing customers (if applicable)

19. Contact Information

Compliance & AML Questions:

  • Email: [email protected]
  • Mailing Address: SLUMBERING FOREST LLC, Compliance Officer, 1420 5TH AVE STE 2200, SEATTLE, WA 98101-1346, USA

FinCEN & Regulatory Inquiries:

  • Email: [email protected]
  • Contact: Legal Department

OFAC Compliance:

  • Email: [email protected]
  • Contact: Compliance Officer (OFAC Designated)


20. Governing Law

This Policy is governed by the laws of the State of Washington, USA and the applicable federal laws of the United States, including the Bank Secrecy Act, USA PATRIOT Act, and OFAC regulations.


End of Anti-Money Laundering & Combating the Financing of Terrorism Policy