Anti-Money Laundering / Counter-Terrorist Financing (AML/CFT) Policy

1. Principles and Scope of Application

The institution is committed to complying with the laws and regulations of applicable jurisdictions and FATF standards. It supports and implements AML/CFT and KYC/KYB obligations and cooperates with regulatory and law enforcement authorities in investigations and evidence collection. It is strictly prohibited to establish or maintain business relationships associated with money laundering, terrorist financing, or activities that may facilitate such activities.

2. Risk Assessment and Mitigation (Risk-Based Approach, RBA)

A layered control framework is established:

-Customer identification and verification (individuals, institutions, and ultimate beneficial owners)

-Sanctions/negative list and adverse media screening;

-Ongoing monitoring and suspicious transaction reporting (STR). Enhanced due diligence (EDD) and higher-frequency monitoring are applied to high-risk countries/regions, complex business models, or unusual transactions.

3. Customer Due Diligence (CDD/KYC/KYB)

Anonymous or pseudonymous accounts are not accepted. CDD must be conducted under the following circumstances: establishing or amending business relationships, processing transactions/asset transfers for non-clients, suspicion of ML/TF, or doubts about the authenticity of information. Customers, authorized persons/agents, and ultimate beneficial owners (UBO) must be identified and verified, and the nature of business, ownership, and control structure understood. Structuring or “smurfing” transactions must be aggregated.

4. Non-Face-to-Face Business and Technical Controls

Specific policies and technical solutions are implemented for non-face-to-face onboarding and transactions. New or significantly changed processes must be evaluated by external auditors or independent qualified advisors, with evaluation reports produced within one year of implementation.

5. Ongoing Monitoring and Suspicious Transaction Reports (STR)

Account activities and transactions are subject to continuous monitoring. Complex, unusually large, or transactions lacking obvious economic/legal purpose must be investigated, documented, and retained. STRs must be submitted in accordance with thresholds or trigger conditions set by law.

6. Sanctions and List Screening Compliance

Clients, UBOs, authorized persons, and counterparties must be screened before and during relationships and transactions. Regulatory list updates must be synchronized and results recorded. Entities listed are strictly prohibited from establishing or continuing relationships.

7. Politically Exposed Persons (PEP)

PEPs and their family/close associates must be identified. Relationships with PEPs require senior management approval, verification of the source of funds and wealth, and enhanced monitoring.

8. Value Transfer / Travel Rule (Where Applicable)

For value transfers (crypto-asset transfers) above regulatory thresholds, required originator and beneficiary information must accompany payment instructions. Information must be retained, validated, and forwarded by receiving/intermediary institutions. Transfers must not proceed if information requirements are unmet.

9. Cash and Bearer Instruments

Cash transactions of any amount are not accepted or paid. Bearer negotiable instruments are not accepted for payment.

10. Record Keeping and Data Protection

CDD, transaction, screening, and STR records must be retained for at least 5 years or longer (per local law). Customer personal data is protected in accordance with applicable privacy laws and used solely for compliance purposes.

11. Governance, Independent Audit, and Training

An AML/CFT compliance function must be established and a compliance officer appointed, with independent audit capacity maintained. Role-based training must be provided regularly to employees (including front-line, risk, technical, customer service, and management staff). Enterprise-wide risk assessments (inherent risk – controls – residual risk) must be conducted and reviewed periodically.

12. Regional and Local Adaptation

The policy must adapt to regional rules: EU/UK (GDPR/UK GDPR, 5AMLD/6AMLD), US (BSA/FinCEN, CCPA/CPRA), Hong Kong, Singapore, etc., ensuring compliance with local AML/CFT and data protection requirements.

13. Prohibition of Tipping-Off

It is strictly forbidden to disclose STR submissions, regulatory or internal investigations to clients or third parties. Violations result in disciplinary measures and legal liability.

14. Third-Party and Counterparty Compliance

Due diligence (KYB/questionnaires/certifications) must be conducted on custodians, brokers, market makers, fiat on/off-ramp providers, blockchain analytics firms, and VASP counterparties, evaluating their AML/CFT programs, sanctions, and Travel Rule compliance. Admission, review, and exit mechanisms must be established.

15. Blockchain Analytics and On-Chain Risk Controls

Where permitted by law, compliant blockchain analytics tools must be used to evaluate and block addresses, on-chain activity, and counterparty risks, integrated with sanctions screening.

16. Complaints and Dispute Resolution

A user complaint acceptance and tiered response mechanism must be established (generally with responses within 30 days). Where necessary, users may be referred to local regulators or dispute resolution channels.