Anti-Money Laundering, Sanctions & KYC
Compliance Policy and Procedures
AML, Sanctions & KYC Compliance
Policy & Procedures
Company and Game Overview
Gorilla Gamez LLC (“Gorillagamez” or the “Company”) offers online fantasy sports games through an online platform.
The Company commissioned an analysis of each state’s unique legal framework governing gambling, skill games and the Company’s offerings from Newman Law LLC, which is memorialized in a memo dated November 20, 2025. Based on this analysis and Gorilla Gamez’s management decision on the rollout of its services, the Company has elected to limit the number of states in which it offers its fantasy games. These state-level exclusions are enforced using geolocation solutions provided by Electronic Verification Solutions (“EVS”).
Finally, Gorilla Gamez is not a financial institution as defined by the Bank Secrecy Act (“BSA”) insofar as it is not a money services business or a casino, card club or sports betting company licensed by the gambling regulator of any state. As such, the Company is not subject to the requirements of the BSA. Nevertheless, the Company has voluntarily established this Compliance Program to protect Gorilla Gamez, its platform partners, its banking and payment partners, and its end users against the risk of exposure to illicit funds and money laundering.
Policy Statement – Compliance Program
It is the policy of Gorilla Gamez to prohibit and actively seek to prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities and to ensure compliance with economic sanctions. Accordingly, the Company has designed and implemented risk-based policies and procedures to ensure the Company’s compliance with provisions of the Bank Secrecy Act (“BSA”) and its implementing regulations generally applicable to licensed casinos, other applicable anti-money laundering laws and regulations, and economic sanctions including those administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”).
This Policy will be reviewed and updated on a regular basis to ensure appropriate policies, procedures and internal controls are in place to account for both changes in regulations and changes in the Company’s business. Additionally, the Company will regularly assess the tools it is using to implement this policy and its related procedures to test the effectiveness of those procedures.
Overview of Program
The Company has assessed the risks in its business relating to money laundering, terrorist financing, and sanctions compliance. Certain users, third parties, and transactions naturally pose higher risks based on various factors including, but not limited to, the nature of the transaction, heightened sanctions, anti-money laundering, or corruption risks in the geographic region associated with the user or transaction, and other facts specific to the user or transaction.
Based on a consideration of these risks, the Company has developed this Anti-Money Laundering Compliance Policy (the “Policy”) which outlines the Anti-Money Laundering Compliance Program (the “Program”) which is reasonably designed to prevent the Company’s platform from being used to facilitate money laundering and the financing of terrorist activities. The elements of the Program are outlined below.
AML Compliance Program Pillars
- Designation of an AML Compliance Officer
The Company will designate a qualified individual who is competent and knowledgeable of AML laws and regulations and economic sanctions to serve as the Company’s Anti-Money Laundering Compliance Officer (“AML Compliance Officer”). The AML Compliance Officer is responsible for coordinating and monitoring day-to-day AML compliance and managing all aspects of the AML Compliance Program. The AML Compliance Officer is also responsible for reporting the status of ongoing AML compliance matters to the Company’s Executive Team. The AML Compliance Officer will have the authority and independence, without undue influence from business lines, to communicate and report issues directly to the Executive Team.
The Company has designated XXX as its Anti-Money Laundering Compliance Officer (“AML Compliance Officer”) with oversight for the Company’s AML Program. The AML Compliance Officer will report directly to the broader Executive Team with respect to the implementation and execution of this Policy.
The duties of the AML Compliance Officer will include monitoring the Company’s compliance with AML obligations, overseeing communication and training for employees, and all other assigned duties related to implementation of this Policy and the Company’s Program.
The AML Compliance Officer will also ensure that the Company maintains records necessary for the Company’s bank(s), payment provider(s) and/or payment gateway to fulfill their BSA obligations including the filing of Suspicious Activity Reports (“SARs”).
The AML Compliance Officer is vested with full responsibility and authority to enforce Gorilla Gamez’s AML Program and will report at least annually to the Executive Team on the status of the AML Compliance Program. This report is to provide an overall assessment of the Company’s compliance with AML requirements and the directives of this policy.
- Internal Policies, Procedures and Controls
The AML Compliance Officer will ensure that the Company implements the risk-based protocols outlined in this Policy and that the Policy is updated regularly to take account of new or changed regulations or guidance and to address new or emerging compliance risks to the Company.
- Suspicious Activity Reporting (SAR)
The AML Compliance Officer is responsible for continuously monitoring and overseeing the Program to ensure its ongoing effectiveness. This includes both identifying if false positive reviews are unnecessarily detracting from the efforts in reviewing suspicious activity as well as identifying potential gaps in the monitoring process that are allowing for potentially suspicious activity to go undetected. The AML Officer is the only person with the authority to change the review thresholds to better align the Program’s efforts with the desired results.
Suspicious activity can be identified using a variety of methods that may indicate money laundering or other illicit activities. When a transaction is identified, it may only require further review, or it may require additional reporting and actions by the Company. Activities that may warrant reporting to law enforcement include:
- Activity inconsistent with a user’s normal activity;
- Unusual characteristics or activity by a user;
- A user attempting to avoid reporting requirements (structuring);
- Account applications in which a user provides inconsistent, incomplete, or suspicious information when requested to provide additional information by Company;
- Coordinated efforts by multiple users or external parties;
- Multiple chargebacks;
- Cyber attacks targeting customer information/assets;
- Attempted account takeovers.
- Completed or attempted transactions with crypto currency linked to illicit activities.
In assessing whether activity is suspicious the Company will consider the red flags outlined above in this Policy.
If the Company identifies potentially suspicious activity, it shall be reported to the Company’s bank(s), payment processor(s) and/or payment gateway provider according to the relevant protocols established with those parties. The bank(s), payment processor(s) and/or payment gateway provider will then determine if a SAR will be prepared and submitted by them. Under certain circumstances, Gorilla Gamez may choose to voluntarily file a SAR with FinCEN.
- Currency Transaction Reporting, Form 8300
The Company does not currently have arrangements in place to accept cash or cash equivalents for deposit into user accounts. Should this change, the Company will update this policy to appropriately address transaction monitoring and reporting requirements. Additionally, Gorilla Gamez will not accept payments in cash from vendors, suppliers, partners, or other third parties.
- Risk-Based KYC/CDD/Third Party Risk Management Procedures
The Company will utilize risk-based Know Your Customer (“KYC”)/Third Party Risk Management Procedures that are appropriate considering the Company’s business model and specific risks. The Company will use third party risk tools to help assess, implement, and mitigate these risks including, but not limited to, EVS (https://evssolutions.com) for identity and document verification and for geolocation services. Gorilla Gamez also utilizes an OTP verification solution to help protect against fake account creation and account takeover.
Additionally, Enhanced Due Diligence (“EDD”) Procedures will be utilized for certain users or third parties determined to present heightened compliance risks as outlined in the Policy.
The Company mitigates compliance risks arising from user and third-party relationships, to the extent reasonable and practicable, through the risk-based procedures outlined below. The information collected by the Company will be used to ensure compliance with economic sanctions administered by OFAC, anti-money laundering laws and regulations, and other applicable laws.
- Collection of Information
- User Information
- Notice to Users
Each user will be notified that the Company must collect information to verify their identity and to ensure its compliance with applicable laws and the requirements of its banking partners. Each user will be required to certify that the information they provide is accurate. The Company will only allow account creation by individual users. Entities are not permitted to create user accounts or use the Company’s platform. This notice is provided in the Company’s Terms & Conditions.
- Information Required
Prior to authorizing a user account, the Company will require each individual user to provide:
- First & Last Name;
- Date of Birth1;
- Email Address; and
- Phone Number (optional).
The user must also agree to the Company’s Privacy Policy and Terms & Conditions as part of the registration process.
Once a user initiates the first withdrawal, the user will be required to successfully complete the Company’s Know Your Customer (“KYC”) process. Gorilla Gamez uses EVS for KYC purposes. This product, integrated into Gorilla Gamez’s platform, is used to:
- Capture the image of the back of a government-issued ID, collect and autofill key personal data points.
- Verify the ID’s authenticity.
- Capture and conduct facial recognition screening against the photo in the ID provided.
- Perform age verification.
- Initiate OFAC screening.
- Failure to Provide Information
Any prospective or existing user who declines to provide complete identifying information required under Gorilla Gamez’s KYC program, or to respond to inquiries by the Company for additional information, will be denied access to the Company’s platform.
- Collection of Third-Party Information
With respect to vendors and third parties with which the Company transacts, the Company will also collect the following information:
- Full Legal Name of the Individual or Entity
- Residential or Business Address
- Country of Residence or Location of Headquarters
- Date of Birth (for individuals)
- Email Address
- Phone Number
- Compliance Screening
With respect to all prospective accounts and third-party partners and vendors, the Company will screen the identifying information of the individual or entity to identify potential matches with the U.S. Department of the Treasury’s Office of Foreign Assets Control’s list of Specially Designated Nationals (“OFAC List”), and additional lists of restricted parties as outlined further below in this Policy. Screening will be conducted on a daily basis for all new accounts created, or new partners/vendor relationships established.
- Risk Assessment
- Users
Additionally, the Company will implement procedures to identify user accounts determined to be “high-risk” as outlined below. Such user accounts shall be subject to enhanced due diligence. The Company does not currently have a user base in order to conduct a risk assessment, but at launch intends to use the parameters below to determine whether to conduct enhanced due diligence.
Accordingly, the Company will implement steps to identify accounts that pose heightened risks both at onboarding and during periodic reviews. For purposes of this Policy, high risk accounts will be identified as:
- Accounts of individuals located outside the United States;
- Accounts with an initial purchase in excess of $1,000 or which maintain a balance in excess of $5,000;
- Discrepancies or missing information provided by user;
- Accounts subject to any law enforcement inquiries, subpoenas;
- Accounts with multiple chargebacks;
- Accounts exhibiting unusual payment or other suspicious activity;
- Unusual geolocation, device ID, or login behavior;
- Information received from a third party (payment processor, bank partner, etc.).
- Crypto currency transactions linked to illicit activities.
Any user account identified as “high risk” shall be subject to the enhanced due diligence procedures described further below.
A risk assessment of the customer base will be conducted within 12 months of launching the platform, which will be sufficient time to have a firm understanding of Gorilla Gamez’s typical customer and behavior.
- Third Parties
The Company has also conducted a similar risk assessment with respect to certain third party vendor and partner relationships. For purposes of this Policy, a high-risk relationship will be defined as:
- A third party with which the Company does in excess of $500,000 annually with the exception of regulated financial institutions and publicly traded companies; or
- A third party based outside the United States that the Company engages in $250,000 or more annually in transactions, similarly with the exception of regulated financial institutions and publicly traded companies.
- Enhanced Due Diligence for Users and Third Parties
- Overview
The Company will utilize enhanced due diligence steps for users or third parties identified as “high risk.”
- Collecting additional identifying information regarding the individual or entity (e.g., Social Security Number, Passport Information, Tax Identification);
- Collecting documents verifying identity of an individual (e.g., copies of a government issued identification or passport);
- Collecting information regarding the source of funds solicited from the user;
- For entities, collecting additional information to verify the identity of officers, directors, and beneficial owners;
- Utilizing public source and database research to identify any adverse information in the public domain or government enforcement actions;
- Conducting screening against OFAC and PEP lists; and
- Requesting additional information at the discretion of the AML Compliance Officer.
The results of this additional diligence shall be collected and stored in a file. Before any user is approved for access to the Company’s platform, the results of this enhanced due diligence must be reviewed and approved in writing by the AML Compliance Officer.
Users identified as high risk that are ultimately onboarded should also be prioritized in the Company’s ongoing monitoring protocols for any unusual activities or “red flags” as outlined below. The Company shall maintain records of users and third parties that it determines not to work with.
- Assessment of Red Flags
In conducting either an initial review of a high-risk client or a periodic review of an existing client or a third party, the Company’s compliance team shall utilize the following (non-exhaustive) list of red flags, which could indicate potential compliance risks:
- Individual user’s account is identified as exhibiting signs of fraud.
- Individual provides unusual or suspicious identification documents that contain discrepancies and/or cannot be readily verified;
- Individual or entity asks to have funds transferred to or from the bank account for a different individual or entity;
- Individual or entity utilizes bank accounts in a different jurisdiction from where they reside, operate or are based;
- Individual or entity appears to be acting as an agent of an undisclosed principal;
- Individual or entity appears to “structure” deposits or withdrawals below a certain amount to avoid reporting or recordkeeping requirements;2
- Individual or entity expresses concern with the Company’s reporting of information to banking partners or government entities and record-keeping practices;
- Individual attempts to create multiple separate accounts on the Company’s platform;
- Individual or entity is reluctant to provide complete information requested by the compliance team;
- Individual begins engaging in transactions that differ substantially from their normal activities, or from a typical Gorilla Gamez user;
- Individual does not identify a legitimate source for the funds, or the information provided is false, misleading, or substantially incorrect;
- Individual engages in an unusually large number of transactions by dollar value or volume compared to other users;
- Individual or entity is identified in a government enforcement action, or the Company receives a government subpoena requesting information on the individual or entity.
When Gorilla Gamez detects any red flag, or other activity that may be suspicious, the individual who detects it should notify the AML Compliance Officer. Under the direction of the AML Compliance Officer, the Company will determine whether to investigate the matter further. This may include gathering additional information internally or from third-party sources, freezing the account and/or notifying the Company’s banking partner(s).
This list of red flags is not meant to be exhaustive. The AML Compliance Officer should identify any set of facts that it reasonably believes poses a heightened compliance risk. However, the existence of one or more of the red flags above does not necessarily indicate improper activity. There may be a reasonable explanation, and the Compliance Officer should take steps to investigate those facts.
- Multiple Account Restrictions
The Company restricts each user to only one account. There are no exceptions. Accounts with the same first and last names are automatically flagged for review by a Customer Service agent. Customer Service manually reviews any accounts with the same address. These teams are also trained to detect suspicious indicators that may indicate the one account restriction is being violated.
In addition to the items listed above, automated controls prevent multiple accounts from being established with the same phone number or email address. If a potential multiple account violation is identified, all accounts will be reviewed under this policy to ensure the strongest possible AML controls. Users who have created a second account, are attempting to create a second account or are under suspicion of creating a second account may cause the Company, after internal consultation with the firm’s AML Compliance Officer, to report the situation to its bank(s), payment processor(s) and/or payment gateway provider for further SAR filing with FinCEN.3
- Training and Education
All Company employees will receive formal AML training. Training will be periodically updated to reflect changes in regulatory requirements or other important updates that will assist the Company in identifying and combating money laundering and other suspicious behaviors. All employees will be required to undergo this training at least once every calendar year. The AML Compliance Officer and compliance staff will also receive periodic training that is relevant and appropriate to remain informed of changes to regulatory requirements that may impact the company’s risk profile.
All employees and managers will receive a minimum training, and additional training will be provided as appropriate depending on their responsibilities.
The Company’s training will include, at a minimum:
- The requirements of this Policy;
- The importance of AML compliance, policies and procedures, and employee responsibilities;
- Basics of how money laundering works and what terrorist financing is;
- An overview of anti-money laundering laws and regulations, including the Bank Secrecy Act and the USA PATRIOT Act;
- An overview of economic sanctions;
- Suspicious activity red flags; and
- Procedures for reporting suspicious activity.
The Company will develop training internally or through a third-party subject matter expert, such as a lawyer or consultant. Delivery of the training may include educational pamphlets, videos, intranet systems, in-person lectures, training classes, webinars, other online methods, and explanatory memos. The Company will review its operations to see if certain employees require specialized additional training. The Company’s written procedures will be updated to reflect any such changes.
- Independent Testing
The Company will conduct an independent review of the compliance program periodically, but at least bi-annually, to assess the adequacy and effectiveness of the AML Program. The review will be completed by either an internal, qualified resource, or the Company may elect to engage an external party. In either case, the selected party will be independent of Gorilla Gamez’s AML Compliance Officer. The audit will review the policies to ensure the activities covered in the policies and procedures represent appropriate controls and demonstrate operations consistent with this Policy.
The Company’s Executive Team will ensure appropriate action plans are documented for any findings noted in the review and will monitor management’s timely completion of those action plans.
All audit exceptions will be identified and tracked, including identifying the exception, the proposed course of action, the risk rating of the exception, the employees, managers and/or departments responsible for the corrective action, the current status of the corrective action, and the date completed/proposed date of completion.
Office of Foreign Assets Control (OFAC) Sanctions Compliance
- Screening
All new accounts will be compared against the OFAC list on a daily basis using an internally established process.
Once a user initiates the first withdrawal, the user will be subject to the EVS identity verification process. As part of this process the user will be again screened against the OFAC list by EVS.
All accounts will be rescreened on a quarterly basis using the internally established process mentioned above.
If a possible OFAC Match is identified, the account is immediately disabled until further research can be done. The designated parties in the Compliance Department will review all matches. Review for possible OFAC Match includes the following steps:
- The information will be compared to the SDN list on the Treasury website http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx
- If there is a name match, the reviewer will compare all information available on the SDN record with the user information provided:
- Date of Birth
- Address
- Nationality
- Place of Birth
- Any other details made available on the SDN record
- If the information does not match beyond name, the item is cleared and follow up documentation will be included in the file, identifying when the possible match occurred, the reason for the possible match, and the supporting information for clearing the possible match.
- Managing a True OFAC Match
If the Company confirms a positive match of the user’s information with the SDN list, it will ensure that the user’s account is blocked and notify the Company’s bank(s), payment processor(s) and/or payment gateway provider so that these partners may report all relevant information to the appropriate authority(ies), in compliance with their own requirements and procedures.
- OFAC List Updates
The Company relies upon EVS’s controls to ensure that the OFAC list utilized is updated within a reasonable time after there are changes. For the internally established screening process (daily for new accounts and quarterly for all accounts), the Company obtains the updated list directly from OFAC’s website and has subscribed to email alerts from OFAC.
- Blocked Transactions
All assets and accounts of an OFAC-specified country, entity, or individual are prohibited by law and must be blocked when such property is located in the U.S., is held by U.S. individuals or entities, or comes into the possession or control of U.S. individuals or entities. Assets and property include anything of direct, indirect, present, future or contingent value. The Company shall immediately notify its bank(s), payment processor(s) and/or payment gateway provider if it determines an account should be blocked.
If a user calls regarding the account freeze, they can be advised that their account has been blocked in accordance with government-mandated sanctions administered by OFAC. The user may be informed of their right to apply to OFAC for the unblocking and release of funds.
- Prohibited Countries
The Company restricts business to users located within the boundaries of the United States, which automatically excludes countries sanctioned by OFAC, as well as countries deemed to pose a high risk to the Company and those with deficient AML controls as reported by organizations such as the Financial Action Task Force (FATF). To the extent the Company considers launching its products outside the US, the AML Compliance Officer will restrict users from its list of prohibited countries which will be regularly reviewed and updated.
A prohibition on new user accounts will be placed on the countries listed and all transactions of any type are prohibited involving these countries. The Company will not open accounts for persons with addresses in these countries, or contract with a third-party organized or located in a prohibited country. Additional IP and geolocation blocking protocols will be implemented and regularly reviewed to ensure that users in the prohibited countries cannot access the Company’s platform.
Record Retention
Records created in connection with the Company’s AML Program shall be retained for a minimum of five (5) years. These records can be maintained in many forms including original, electronic, copy, or a reproduction, and the Company will maintain all records in a way that makes them accessible in a reasonable period of time. Gorilla Gamez maintains electronic records on its servers, which are protected by periodic backups and are mirrored to facilitate rapid disaster recovery.
Policy Approval & Revision History
| Version ID | Approval Date | Reviewer Name/Title | Approver Name/Title | Revision Notes |
| V1.0 | Document Creation | | | |