Anti Money Laundering (AML) & Know Your Customer (KYC) Compliance Framework

Version: 2026

Approved By: Board of Directors

Applies To:

• United Arab Emirates Only.

Introduction & Partnership Purpose :. RealDeed PropTech (DIFC) Ltd ("RealDeed") is a DIFC-licensed real estate tokenization infrastructure provider operating under an Innovation Licence granted by the DIFC Authority and in accordance with DFSA Crypto Suitability Assessment. RealDeed issues SPV-based digital tokens linked to verified land area units, facilitating tokenization access for Property Owners & RERA Regulated Developers.

This AML pack is prepared for UAE Market Properties with DIDIT Platform as RealDeed's designated KYC/AML technology partner. It sets out RealDeed's identity verification and anti-money laundering obligations, the scope of services required from DIDIT, and the compliance standards governing the partnership under DIFC regulatory requirements.

This document constitutes the AML and KYC Compliance Framework prepared for DIDIT Platform in its capacity as RealDeed's designated identity verification and anti-money laundering technology partner. It sets out in full the regulatory obligations that govern RealDeed's user onboarding and transaction monitoring processes, the precise scope of services that DIDIT is required to provide, the classification framework applicable to Politically Exposed Persons, the sanctions and restricted-jurisdiction controls in force — including the absolute prohibition on Iran-nexus activity — and the data governance standards that will apply to all personal and verification data processed under the partnership.

Regulatory Basis for KYC / AML :. Although RealDeed operates as a non-financial Asset Tokenization provider not subject to DFSA, VARA, or UAE Central Bank oversight, it voluntarily adopts full KYC/AML standards consistent with the following frameworks:

Frameworks :. DIFC Data Protection Law, FATF Recommendations, Federal Decree by Law of 2025 Regarding Anti-Money Laundering, DLD & RERA Property Frameworks, ADGM & DIFC SPV (Special Purpose Vehicle) Laws.

Applicability :. User data handling, storage & disclosure , AML/CFT risk-based approach, Anti-money laundering obligations, Operational governance & reporting.

KYC Onboarding Process — Powered by DIDIT

STEP 1 Registration

Name, email, nationality, DOB

STEP 2 Document Upload

Passport / Emirates ID

STEP 3 Liveness Check

DIDIT biometric selfie verification

STEP 4 Screening

PEP / Sanctions / Adverse media

STEP 5 Risk Score & Title Deed Ownership Matching

Low / Medium / High assignment

STEP 6 Approval

Token access granted or escalated

RealDeed's AML and KYC framework draws from five principal regulatory sources. The first is the DIFC Data Protection Law, which governs the collection, storage, processing, and disclosure of all user personal and verification data, and which RealDeed complies with in full. The second is the Financial Action Task Force (FATF) Recommendations and associated guidance notes, which establish the internationally recognised risk-based approach to customer due diligence and anti-money laundering controls that forms the methodological backbone of this framework.

The third source is UAE Federal Decree-Law of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism, together with its implementing Cabinet Decision No. 10 of 2019. Although RealDeed adopts this legislation voluntarily as a matter of best practice rather than direct regulatory compulsion, the obligations it creates — including customer due diligence, enhanced due diligence for higher-risk customers, suspicious activity reporting, and record retention — are treated by RealDeed as binding standards for all platform operations. The fourth source is the DIFC Authority Innovation Licence framework, which establishes RealDeed's primary regulatory relationship and sets the operational governance and reporting obligations applicable to its activities.

Taken together, these frameworks require RealDeed to maintain a documented, risk-sensitive, and continuously updated AML and KYC programme — the full substance of which is set out in the sections that follow.

PEP Category Classification & Screening Policy :. Politically Exposed Persons (PEPs) are individuals who hold or have held prominent public functions, and whose position may expose them to a heightened risk of involvement in bribery, corruption, or other forms of financial crime. RealDeed's PEP classification framework is aligned to the FATF Guidance on Politically Exposed Persons issued in 2013 and updated in 2021, as well as to UAE Cabinet Decision 2025 on the Implementing Regulation of the AML/CFT Law. DIDIT is required to screen all applicants against a comprehensive, continuously updated PEP database covering all six PEP categories defined below.

Category 1 — Domestic PEPs

A Domestic PEP is an individual who holds or has held a prominent public function within the UAE. This category encompasses heads of state and government, senior ministers and deputy ministers, members of parliament or equivalent legislative bodies, senior members of the judiciary including Supreme Court and High Court judges, senior military officers of general rank or above, senior executives and board members of state-owned enterprises, and senior officials of central banks and equivalent monetary authorities. All Category 1 individuals are classified as High Risk and are subject to full Enhanced Due Diligence.

Category 2 — Foreign PEPs

A Foreign PEP is an individual who holds or has held a prominent public function in a country other than the UAE. The category encompasses equivalent positions to those described under Category 1 — foreign heads of state or government, foreign senior ministers, members of foreign parliaments, senior foreign judiciary, senior foreign military officers, and members of ruling families or royal households of foreign states. Foreign PEPs are similarly classified as High Risk and subject to full Enhanced Due Diligence.

Category 3 — International Organisation PEPs

An International Organisation PEP is a senior official of a recognised international body. This category includes senior officials of the United Nations and its agencies, the International Monetary Fund, the World Bank Group, the Bank for International Settlements, INTERPOL, the Financial Action Task Force itself, and other treaty-based international organisations whose senior leadership is internationally recognised as carrying heightened influence. Category 3 individuals are classified as High Risk.

Category 4 — Former PEPs

Former PEPs are individuals who previously held a position falling within Categories 1, 2, or 3, but who have since left public office. RealDeed applies a twelve-month lookback period following cessation of office, during which the individual is treated as an active PEP for the purpose of this framework. After the twelve-month period has elapsed, the risk classification may be downgraded to Medium-High on a case-by-case assessment, taking into account the nature and duration of the former position, the individual's subsequent activities, and the results of adverse media screening. A downgrade must be approved by the Compliance Officer and documented in the individual's KYC file.

Category 5 — PEP Family Members

Category 5 encompasses the immediate family members of any individual classified under Categories 1 through 4. Immediate family is defined as including a spouse or registered civil partner, children of the PEP and their respective spouses or partners, and the parents of the PEP. Family members of PEPs are classified as High Risk and subjected to the same Enhanced Due Diligence requirements as the primary PEP, regardless of whether the family member themselves holds any public position. Relationship to the PEP must be declared in the onboarding documentation and independently verified where possible.

Category 6 — PEP Close Associates

Category 6 covers individuals who are known to be close personal or professional associates of a primary PEP falling within Categories 1 through 4. This includes individuals who are known to be beneficial owners of legal entities jointly held with a PEP, individuals known to be in a close business partnership with a PEP, and known personal advisors or intermediaries acting on behalf of a PEP. The determination of whether an individual qualifies as a close associate requires a judgement-based assessment and must be documented. Category 6 individuals are classified as High Risk.

PEP Onboarding Controls

RealDeed does not maintain an automatic blanket exclusion of PEP-classified users. Rather, it adopts a risk-sensitive approach under which all PEP applicants — across all six categories — are required to complete a full Enhanced Due Diligence process before any platform access is granted. This process includes completion of a comprehensive EDD questionnaire covering political exposure, source of wealth narrative, and business ownership structure; a signed PEP self-declaration form; six months of authenticated bank statements evidencing source of funds; independent verification of the declared income source in the form of an employer letter, professional registration, or company audited accounts; and a full UBO declaration for corporate investors including a diagrammatic ownership chart.

In every PEP case, account activation requires the written sign-off of RealDeed's Senior Compliance Officer before any access to the platform or token purchasing functionality is enabled. Following onboarding, all PEP accounts are subject to a three-month ongoing monitoring cycle rather than the standard twelve-month cycle, with quarterly adverse media and PEP status re-checks conducted via DIDIT. A re-KYC is automatically triggered upon any change in political status, jurisdiction, or material negative news event involving the individual.

Restricted Countries, Sanctions & Iran-Specific Policy

RealDeed operates a zero-tolerance policy in relation to any user, transaction, or token activity that carries a nexus to a jurisdiction subject to comprehensive international sanctions or to FATF high-risk classification. DIDIT is required to maintain and apply all relevant sanctions screening databases in real time, and to ensure that any restricted-jurisdiction nexus — whether identified at the point of onboarding or detected during ongoing monitoring — triggers an immediate hard-stop response and escalation to RealDeed's Compliance Officer.

Mandatory Sanctions Screening Regimes

DIDIT is required to screen all applicants against the following sanctions databases as a minimum: the OFAC Specially Designated Nationals and Blocked Persons (SDN) List maintained by the United States Treasury, which applies globally and encompasses individuals, entities, vessels, and aircraft; the United Nations Security Council Consolidated List, which identifies individuals and entities subject to measures imposed by UN sanctions resolutions; the European Union Consolidated Sanctions List; the United Kingdom HM Treasury Financial Sanctions List maintained following the UK's departure from the EU; the UAE Cabinet Resolution Local Terrorist List covering UAE-designated terrorist individuals and organisations; and both the FATF list of High-Risk Jurisdictions Subject to a Call for Action (commonly referred to as the Black List) and the FATF list of Jurisdictions Under Increased Monitoring (the Grey List). DIDIT must update all of these databases within thirty days of any official revision and must alert RealDeed's Compliance Officer promptly upon any material change to list composition.

Fully Prohibited Jurisdictions

The following jurisdictions are subject to a full platform block. No onboarding will be accepted, no token transaction will be processed, and no platform access will be permitted for any user who holds nationality, residency, or source of funds connected to any of these jurisdictions: Iran, the Democratic People's Republic of Korea (North Korea / DPRK), Cuba, Syria, Myanmar (Burma), Sudan and South Sudan, and Venezuela and Russia in respect of individuals and entities designated under applicable Specially Designated Global Terrorist or sectoral sanctions programmes. These blocks apply regardless of the user's current country of residence or the jurisdiction from which funds are remitted — the controlling factor is the underlying nexus, not the point of transaction.

Iran — Absolute Prohibition

IRAN — ZERO EXCEPTION PROHIBITION

Iran is subject to comprehensive multilateral sanctions imposed by the United States Office of Foreign Assets Control (OFAC), the United Nations Security Council, the European Union, and the United Kingdom. RealDeed applies an unconditional, zero-exception prohibition on all activities, transactions, and relationships carrying any Iran nexus. No business justification, management override, or exceptional circumstance will be treated as grounds for departing from this prohibition.

The Iran prohibition applies across all of the following dimensions. Any applicant presenting a passport or other identity document bearing Iranian nationality will be rejected at the document verification stage, regardless of any claim of dual nationality or foreign residency. Source of funds connected in any way to Iranian bank accounts, Iranian financial institutions, or entities domiciled or incorporated in Iran will not be accepted. Token purchases or transfers that are funded directly or indirectly through Iranian state entities, the Central Bank of Iran, or parties connected to the Islamic Revolutionary Guard Corps (IRGC) — which has been designated as a Foreign Terrorist Organisation by the United States — are prohibited in their entirety. Any attempt to use UAE-registered or third-country intermediary entities or fronting structures to circumvent Iran sanctions will constitute an act of sanctions evasion and will be reported to the relevant authorities without prior notice to the user.

At the platform infrastructure level, all IP address ranges associated with Iran are geofenced and blocked, preventing access to the RealDeed and PropPass platforms from Iranian network connections. DIDIT is required to flag any Iranian IP address, any VPN or proxy service operating from Iranian infrastructure, and any Iranian-registered telephone number as an immediate escalation trigger. Any transaction in which Iran appears as a transit, correspondent, or beneficiary jurisdiction — even where the originating and receiving parties are not themselves Iranian nationals — is similarly prohibited and will trigger an automatic freeze and SAR consideration.

High-Risk Jurisdictions — Enhanced Scrutiny

Users with nationality, residency, or source of funds connected to jurisdictions appearing on the FATF Grey List are permitted to onboard but are subject to Enhanced Due Diligence as a minimum. As of the date of this framework, jurisdictions requiring enhanced scrutiny include Pakistan, Turkey, Nigeria, Kenya, the Philippines, and Vietnam, among others. DIDIT is required to maintain a current Grey List database and to automatically flag any Grey List nexus as a Medium-to-High risk classification trigger. For Pakistani nationals in particular, independent verification of source of funds is mandatory given the sustained FATF monitoring applicable to that jurisdiction. The Grey List is dynamic and DIDIT must update its classification engine within thirty days of any FATF plenary revision.

Customer Due Diligence & Enhanced Due Diligence :.

Standard Customer Due Diligence is applied to all users regardless of risk classification and constitutes the minimum threshold below which no onboarding may proceed. Standard CDD requires verification of the applicant's full legal name, date of birth, nationality, and current residential address; DIDIT-powered authentication of a government-issued photographic identity document; a passed liveness biometric check; completed PEP screening across all six categories; completed sanctions screening across all applicable regimes; a source of funds declaration with supporting documentation; and confirmation that the applicant carries no nexus to any prohibited jurisdiction. The detection of Iranian nationality at the standard CDD stage constitutes an immediate, non-overridable hard-stop and results in automatic rejection of the application.

Enhanced Due Diligence is applied to all Medium and High Risk users, all PEP-classified users across all six categories, all users with a source of funds or residency nexus to a FATF Grey List jurisdiction, and all corporate applicants where the UBO structure is complex or ownership is layered. The EDD process supplements the standard CDD requirements with a full EDD questionnaire covering political exposure, source of wealth narrative, business ownership structure, and purpose of investment; six months of authenticated bank statements; independent verification of declared income source; for corporate investors, a full UBO declaration and ownership chart verified by an independent legal practitioner or auditor; and mandatory Senior Compliance Officer written sign-off before account activation.

Following the completion of either CDD or EDD, ongoing monitoring is maintained throughout the duration of the client relationship. The intensity of monitoring — re-KYC frequency, transaction alert thresholds, and periodic adverse media checks — is calibrated to the risk tier as described in Section 06 and remains subject to upward revision at any time upon the identification of new risk indicators or changes in the regulatory environment.

Property Title Ownership Matching & Suspicious Activity Reporting

RealDeed conducts comprehensive property title verification checks on all users and developers onboarding onto the platform. In addition, a continuous transaction monitoring programme is implemented across all token minting activities on the RealDeed UAE platform, leveraging DIDIT’s integrated AML transaction monitoring engine and further supported by RealDeed’s internal compliance review procedures.

Furthermore, a real-time Title Verification API is executed by integrating with the relevant land registry databases, ensuring that ownership records and identification documents are authenticated and verified directly against official registry sources prior to any transaction or tokenization activity.

This AML & KYC Compliance Framework is issued by RealDeed PropTech (DIFC) Ltd for the purpose of establishing and governing a regulatory-grade KYC/AML partnership with DIDIT Platform.