Effective Date : 11th June 2025

Platform : www.ellaya.co.uk

Business EntityEllaya, operated from Regus, 1010 Cambourne Business Park, Cambourne, Cambridge, CB23 6DP

Policy Statement

Ellaya is committed to conducting business in full compliance with all applicable laws and regulations relating to anti-money laundering (AML), counter-terrorist financing (CTF), and the prevention of criminal facilitation. As a digital platform facilitating scheduling, messaging, e-commerce, ride-booking, and other services, we recognise our obligation to identify and prevent any attempt to use the Platform for money laundering, fraud, terrorist financing, or other criminal activities.

We operate in accordance with:

• The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (as amended)
• The Proceeds of Crime Act 2002 (POCA)
• The Terrorism Act 2000
• Guidance issued by the UK Financial Conduct Authority (FCA) and HM Revenue & Customs (HMRC)

1. Scope

This policy applies to:

• All users of the Ellaya platform (individuals and businesses)
• All e-commerce transactions conducted through Ellaya
• All internal employees and contractors handling platform data or operations
• Any third-party service provider engaged in payment processing, identity verification, or related functions

2. Objectives

The objectives of this Anti-Money Laundering Policy are to:

• Prevent and detect misuse of the Ellaya platform for money laundering, terrorist financing, or the concealment of criminal property by embedding controls that actively identify and flag high-risk behaviours, users, and transactions
• Comply with all applicable UK laws and regulatory obligations, including but not limited to the Money Laundering Regulations 2017, Proceeds of Crime Act 2002, and Terrorism Act 2000
• Protect Ellaya’s infrastructure, brand, users, and commercial integrity by avoiding association with illicit activity or criminal networks that may exploit our scheduling, e-commerce, vault, messaging, or ride-booking features
• Apply a risk-based approach (RBA) to customer and transaction screening, enabling the proportional allocation of monitoring resources and enhanced scrutiny in high-risk scenarios
• Establish robust procedures for Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), recordkeeping, and internal escalation, particularly where large-value, complex, or anomalous transactions are detected
• Ensure timely detection and internal escalation of suspicious activity, including clear procedures for the filing of Suspicious Activity Reports (SARs) to the UK’s National Crime Agency (NCA)
• Assign responsibility and accountability to a designated Money Laundering Reporting Officer (MLRO) with authority to investigate, report, and respond to AML risks
• Promote a culture of compliance and vigilance, supported by mandatory staff training, regular policy reviews, and system updates to adapt to emerging threats and legal developments

These objectives apply across all features and user interactions on the Ellaya platform and form part of our broader compliance and ethical operating framework.

3. Risk-Based Approach

Ellaya adopts a Risk-Based Approach (RBA) to identifying, assessing, and mitigating money laundering and terrorist financing risks across its platform. This approach enables us to apply proportionate compliance measures based on the nature and level of risk presented by different users, transactions, jurisdictions, and services.

By implementing an RBA, Ellaya ensures that resources and controls are focused where they are most needed, rather than applying a one-size-fits-all procedure.

4.1 Risk Factors Considered

We assess a range of key risk factors when evaluating user and transactional risk, including but not limited to:

• Customer risk – The identity, profile, business model, and behaviour of users and sellers (e.g. use of anonymous accounts, lack of public presence, or refusal to provide information)
• Geographic risk – Users, counterparties, or transactions originating in or connected to high-risk third countries, sanctioned jurisdictions, or regions with weak AML/CTF controls
• Service risk – The type of activity or feature being used (e.g. e-commerce sales, high-value ride-bookings, storage of financial documents in vaults, use of third-party payment systems)
• Transaction risk – Transaction frequency, volume, structure, and purpose, especially those that are unusually complex, rapid, or inconsistent with a user’s profile
• Delivery channel risk – Use of the platform in non-face-to-face settings or through IP-masking tools, which may obscure origin or identity

4.2 Risk Classification

Users and transactions are dynamically classified into low, standard, or high risk based on automated rules, system intelligence, and manual review triggers. This classification influences the depth and type of due diligence required and the level of ongoing monitoring applied.

• Low Risk – Standard onboarding, monitoring, and simplified due diligence
• Medium Risk – Routine verification and periodic review
• High Risk – Enhanced Due Diligence (EDD), transaction vetting, account restrictions, and potential internal escalation

We also take into account FCA and HMRC guidance when determining risk severity thresholds and policy updates.

4.3 Controls and Escalation

Where elevated risk is identified, Ellaya may apply additional controls, such as:

• Verifying user identity or business registration
• Reviewing the legitimacy of listings, services, or vault contents
• Flagging or holding transactions pending verification
• Requesting source of funds or source of wealth documentation
• Temporarily suspending or restricting platform access
• Escalating to our MLRO or filing a Suspicious Activity Report (SAR)

4.4 Ongoing Monitoring

Risk is not static. Ellaya conducts continuous monitoring using internal tools and behavioural triggers to re-assess user risk on an ongoing basis. Activity may be reclassified as risk increases, and controls will be adjusted accordingly.

This risk-based methodology ensures that our platform remains resilient against criminal exploitation while maintaining a seamless experience for legitimate users.

4. Customer Due Diligence (CDD)

Ellaya implements Customer Due Diligence (CDD) measures to verify the identity of users and to better understand the nature and purpose of their use of the Platform. These measures help ensure that we are not inadvertently facilitating money laundering, terrorist financing, or other illicit activities. CDD is applied proportionately and consistently in accordance with our risk-based approach.

5.1 When We Apply CDD

We conduct CDD in the following circumstances:

• Before establishing a business relationship, such as onboarding sellers, service providers, or business entities intending to receive payouts through Ellaya
• Before facilitating high-value or frequent transactions, particularly those above risk threshold limits or involving sensitive sectors
• When suspicious activity is detected, regardless of any transaction value
• When we suspect false, stolen, or incomplete identity information has been provided
• When users access regulated financial services through our integrations (e.g. Stripe)

5.2 Standard CDD Measures

Where standard CDD applies, we may collect and verify the following information:

For Individual Users:

• Full legal name
• Residential address
• Date of birth
• Government-issued identification (passport, national ID, or driving licence)
• Email address and mobile number

For Business Users or Sellers:

• Full business name and trading name (if applicable)
• Registered company number and address
• Nature of business activity
• VAT registration (if applicable)
• Identity of beneficial owners (25%+ ownership/control) and company directors
• Business bank account details

All CDD data is securely stored and protected in accordance with data protection laws.

5.3 Enhanced Due Diligence (EDD)

We apply Enhanced Due Diligence (EDD) where the risk of money laundering is higher, including:

• Transactions involving high-risk third countries, cash equivalents, or crypto-related activity
• Users who operate under complex ownership structures
• Politically Exposed Persons (PEPs), their family members or close associates
• Repeated use of anonymous payment methods or proxies
• Unusual behavioural patterns or source-of-funds concerns

EDD may include:

• Verifying the source of funds or wealth
• Conducting deeper background checks
• Requesting supporting documentation (e.g. invoices, contracts, utility bills)
• Ongoing and enhanced transaction monitoring

5.4 Failure or Refusal to Complete CDD

Where a user or business fails to provide adequate information or refuses to undergo CDD or EDD procedures:

• We may decline to onboard the user or suspend access to platform features
• Existing accounts may be frozen, restricted, or terminated without notice
• The matter may be escalated to the MLRO and, where necessary, reported to the National Crime Agency (NCA)

Ellaya will not establish or maintain a relationship with users where CDD cannot be satisfactorily completed.

5. Transaction Monitoring

Ellaya conducts ongoing transaction monitoring to identify and respond to unusual, suspicious, or high-risk user behaviour across the Platform. Monitoring is a key component of our risk-based AML framework and is designed to detect potential money laundering, fraud, terrorist financing, or other illicit activity in real time or retrospectively.

We combine automated system flags with manual reviews and periodic audits to ensure an adaptive and scalable approach.

6.1 What We Monitor

We monitor user activity and transactional behaviour across multiple dimensions of the platform, including:

• E-commerce transactions (volume, frequency, value, product category, payment source)
• Vault uploads and downloads, especially for encrypted or document-heavy activity that may be used for concealment or storage of financial records
• Messaging and scheduling patterns, including coordination of high-frequency transactions or contact with multiple unrelated users in short timeframes
• Ride-booking or service routing anomalies, such as mismatched geolocations, VPN use, or activity involving sanctioned jurisdictions
• Usage of third-party integrations, such as payment gateways or conferencing tools in ways inconsistent with declared user profiles

6.2 Indicators of Suspicious Activity

Examples of red flags that may prompt review or escalation include:

• Transactions that are inconsistent with a user’s profile, business model, or historical behaviour
• Rapid movement of large sums across multiple accounts or through unusual channels
• Use of fake identities, proxy accounts, or unverifiable business registrations
• Activity involving high-risk third countries or sanctioned entities
• Repeated failed identity checks or attempts to avoid due diligence
• Use of Ellaya services to launder funds through seemingly unrelated transactions (e.g. sham listings or duplicate orders)

6.3 Monitoring Methods

Ellaya uses a combination of tools and techniques to detect risk:

• Automated rule-based triggers, such as transaction limits, country codes, frequency thresholds, or behavioural pattern mismatches
• AI-based anomaly detection, where applicable, for ongoing behavioural scoring
• Manual transaction reviews by the compliance team for elevated-risk accounts or flagged cases
• Periodic audits of high-risk accounts and business categories

6.4 Responses to Monitored Activity

When suspicious or anomalous activity is detected, Ellaya may take one or more of the following actions:

• Place a temporary hold on transactions or account activity pending verification
• Request additional identity or source-of-funds documentation
• Escalate the matter to the Money Laundering Reporting Officer (MLRO) for assessment
• Submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA)
• Terminate the user’s access to the Platform in serious or confirmed cases

Transaction monitoring is conducted in accordance with the user’s privacy rights under applicable law, and records of suspicious activity are retained securely and confidentially.

6. Suspicious Activity Reporting (SAR)

If Ellaya suspects or becomes aware of activity that may involve the proceeds of crime or terrorist financing, we will file a Suspicious Activity Report (SAR) with the UK’s National Crime Agency (NCA) in accordance with the Proceeds of Crime Act 2002.

Employees are trained to escalate suspicions to the appointed Money Laundering Reporting Officer (MLRO) immediately and confidentially.

7. Appointed MLRO

Ellaya designates a Money Laundering Reporting Officer (MLRO) responsible for:

• Oversight and enforcement of this AML policy
• Reviewing and submitting SARs
• Coordinating AML training and compliance
• Liaising with regulatory authorities and law enforcement where necessary

[Insert Name/Title of MLRO]
Contact: [Insert MLRO Email Address]

8. Training and Awareness

Ellaya ensures that relevant staff and contractors receive training appropriate to their role. Training includes:

• AML and CTF awareness
• Internal reporting procedures
• KYC/CDD procedures
• Recordkeeping obligations
• Red flags and suspicious behaviour detection

9. Recordkeeping

Ellaya retains:

• CDD and KYC records for at least 5 years
• Transaction records (where processed through our platform)
• SARs and internal investigations

Records are maintained securely and made available to regulatory authorities upon lawful request.

10. Policy Review

This AML Policy is reviewed at least annually, or sooner if there are changes to relevant laws, Ellaya’s business model, or the risk environment.

11. Contact & Reporting Concerns

If you have any concerns or suspicions about potential misuse of the Ellaya platform for money laundering or other illicit activity, please contact us confidentially at:

📧 compliance@ellaya.co.uk
📍 Ellaya ltd, Regus, 1010 Cambourne Business Park, Cambourne, Cambridge, CB23 6DP, Uk