INSTITUTIONAL POLICY ON ANTI-MONEY LAUNDERING (AML), COUNTER-TERRORISM FINANCING (CTF), AND COMPLIANCE WITH U.S. SANCTIONS
1. Purpose
This Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and Sanctions Compliance Policy (“Policy”) establishes a comprehensive and proactive framework to ensure that ANDX USA LLC (“Company”), a Florida-incorporated entity registered as a Money Services Business (MSB) with the Financial Crimes Enforcement Network (FinCEN), complies with all applicable U.S. federal and state regulations. These include the Bank Secrecy Act (BSA) (31 U.S.C. § 5311 et seq.), the USA PATRIOT Act, FinCEN regulations (31 CFR Chapter X), sanctions administered by the Office of Foreign Assets Control (OFAC), and the Florida Money Transmitters Act.
The Policy is designed to prevent the Company’s cryptocurrency trading platform from being exploited for money laundering, terrorist financing, proliferation financing, or violations of U.S. sanctions. It adopts a risk-based approach aligned with FinCEN requirements and international standards set by the Financial Action Task Force (FATF), with a particular focus on risks inherent to cryptocurrency transactions, including blockchain-based activities, decentralized finance (DeFi), and non-custodial wallets. By integrating global best practices, the Policy ensures robust compliance and operational integrity.
2. Scope and Responsibilities
This Policy constitutes the Company’s AML/CTF Compliance Program, designed to meet FinCEN requirements for MSBs (31 CFR § 1022.210) and Florida state regulations. It applies to all employees, contractors, and third-party service providers operating in the United States or engaging with U.S.-based customers. The program encompasses:
- Development and enforcement of policies and procedures compliant with FinCEN, OFAC, and Florida regulations.
- Risk management protocols to identify, assess, and mitigate customer, geographic, and service-related risks, with enhanced measures for cryptocurrency-specific vulnerabilities.
- Continuous monitoring of transactions and customer activities using advanced blockchain analytics tools.
- Appointment of a qualified AML Compliance Officer and establishment of a dedicated Compliance Unit.
- Mandatory employee training programs to ensure comprehensive understanding of AML/CTF obligations.
- Regular independent audits to verify compliance and program effectiveness.
2.1 Responsibilities of the Board of Directors
The Board of Directors holds ultimate accountability for the implementation and oversight of the AML/CTF Compliance Program. Its responsibilities include:
- Appointing a qualified AML Compliance Officer and, where necessary, a deputy officer to ensure continuity of compliance functions.
- Reviewing and approving AML/CTF policies, procedures, and annual training programs.
- Evaluating risk management reports and independent audit findings to ensure regulatory compliance.
- Ensuring prompt implementation of corrective actions to address identified deficiencies.
- Allocating sufficient personnel, technological resources, and funding to the Compliance Unit to support its operations.
The Board may delegate specific responsibilities to U.S.-based members in writing but retains ultimate responsibility for the program’s effectiveness.
2.2 Responsibilities of the AML Compliance Officer
The AML Compliance Officer, appointed by the Board, is responsible for the day-to-day management of the AML/CTF Compliance Program. Key duties include:
- Ensuring full compliance with FinCEN regulations (31 CFR Chapter X), BSA, USA PATRIOT Act, OFAC sanctions, and Florida Money Transmitters Act.
- Developing, updating, and submitting AML/CTF policies and procedures for Board approval.
- Establishing and maintaining risk management and transaction monitoring protocols, including the use of blockchain analytics tools (e.g., Chainalysis, Elliptic, TRM Labs).
- Overseeing the design and delivery of mandatory AML/CTF training programs, ensuring coverage of U.S. regulations and cryptocurrency-specific risks.
- Investigating suspicious activities and filing Suspicious Activity Reports (SARs) with FinCEN within 30 calendar days of detection, maintaining confidentiality as required by 31 CFR § 1020.320(e).
- Maintaining accurate and accessible records for submission to FinCEN and Florida’s Office of Financial Regulation.
- Operating with full independence, with unrestricted access to all relevant Company information and direct communication channels with regulators.
- Reviewing and escalating internal suspicious transaction reports for appropriate action.
Qualifications (aligned with FinCEN and Florida requirements):
- Professional Competency:
  - Comprehensive knowledge of AML/CTF regulations, including the BSA, USA PATRIOT Act, FinCEN guidance, and Florida Money Transmitters Act.
  - Demonstrated expertise in cryptocurrency-specific risks, including blockchain transaction analysis, DeFi platforms, and non-custodial wallets.
  - Minimum of five years of experience in compliance, risk management, or audit roles within regulated financial institutions or MSBs, with preference for cryptocurrency-related experience.
- Independence:
  - Must maintain independence from operational units, including sales, marketing, and trading functions.
  - Must not hold 10% or more of the Company’s shares or serve in executive management roles.
  - Must have no familial relationships (up to the second degree) with Board members or senior management.
- Legal and Regulatory Compliance:
  - Must be a U.S. Person.
  - No convictions or pending investigations for money laundering, terrorist financing, fraud, or sanctions-related offenses.
  - Must not be listed on OFAC’s Specially Designated Nationals (SDN) List or other international sanctions lists.
- Reporting Capabilities:
  - Proven ability to prepare and submit regulatory reports (e.g., SARs, CTRs) in compliance with FinCEN and Florida requirements.
  - Effective communication skills for engaging with FinCEN, Florida regulators, and other relevant authorities.
The AML Compliance Officer must be registered with FinCEN as part of the Company’s MSB registration. In the event of deficiencies in qualifications or departure from the role, the Company will notify FinCEN within 10 business days and appoint a qualified replacement within 30 calendar days.
2.3 Responsibilities of the Compliance Unit
The Compliance Unit, reporting directly to the AML Compliance Officer, supports the execution of the AML/CTF Compliance Program. Its responsibilities include:
- Conducting preliminary evaluations of potential suspicious transactions, escalating findings to the AML Compliance Officer for final determination.
- Maintaining strict confidentiality of internal suspicious transaction reports, as mandated by 31 CFR § 1020.320(e).
- Monitoring customer profiles and transaction activities, including blockchain-based transactions, using risk-based criteria and analytics tools.
- Assisting in the implementation of recordkeeping, training, and audit activities.
- Ensuring the availability of adequate personnel and technological resources to meet compliance objectives.
2.4 Responsibilities of All Employees
All employees, regardless of role, are obligated to:
- Comply with this Policy and promptly report any suspicious activities or transactions to the AML Compliance Officer through designated internal channels.
- Complete mandatory AML/CTF training programs, achieving proficiency in U.S. regulatory requirements and cryptocurrency-specific risks.
- Adhere to risk-based procedures for customer identification, verification, and transaction monitoring.
- Maintain strict confidentiality of suspicious activity reports and related investigations, avoiding unauthorized disclosures.
3. Definitions
- Blockchain: A decentralized, immutable ledger technology used to record cryptocurrency transactions.
- BSA: Bank Secrecy Act (31 U.S.C. § 5311 et seq.), the cornerstone of U.S. anti-money laundering and counter-terrorism financing legislation.
- CIP: Customer Identification Program, mandated under Section 326 of the USA PATRIOT Act to verify customer identities.
- Crypto Asset: Digital or virtual currencies secured by cryptography, including but not limited to Bitcoin, Ethereum, and stablecoins.
- CTR: Currency Transaction Report, required for transactions involving currency or cryptocurrency equivalents exceeding $10,000 in a single business day (31 CFR § 1010.311).
- DeFi: Decentralized finance platforms facilitating financial transactions without traditional intermediaries, presenting unique AML/CTF challenges.
- FinCEN: Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury responsible for administering and enforcing AML/CTF regulations.
- Florida Money Transmitters Act: Florida state legislation governing licensing, reporting, and compliance for money transmitters, including cryptocurrency platforms.
- High-Risk Countries: Jurisdictions identified by FinCEN, FATF, or OFAC as having deficient AML/CTF frameworks or subject to sanctions.
- Mixer/Tumbler: A service designed to obfuscate the origin, destination, or ownership of cryptocurrency transactions, often associated with money laundering risks.
- Money Services Business (MSB): A business engaged in money transmission, currency exchange, or cryptocurrency trading, as defined by FinCEN (31 CFR § 1010.100(ff)).
- OFAC: Office of Foreign Assets Control, responsible for administering and enforcing U.S. economic and trade sanctions programs.
- Politically Exposed Person (PEP): An individual holding or having held a prominent public function, requiring enhanced due diligence.
- SAR: Suspicious Activity Report, a mandatory filing with FinCEN for transactions suspected of involving illicit activities (31 CFR § 1023.320).
- SDN List: OFAC’s Specially Designated Nationals and Blocked Persons List, identifying individuals, entities, and jurisdictions subject to U.S. sanctions.
- Sensitive Sectors: Industries with elevated money laundering risks, including cryptocurrency exchanges, precious metals dealers, casinos, real estate, luxury goods traders, travel agencies, transportation services, and antique or art dealers.
- Travel Rule: FinCEN regulation requiring the transmission of customer information for cryptocurrency transfers exceeding $3,000 (31 CFR § 1010.410(f)).
- U.S. Person: An individual who is a U.S. citizen or lawful permanent resident, or an entity organized under the laws of the United States or any state, as defined under 31 CFR § 1010.100(mm).
- Ultimate Beneficial Owner (UBO): The natural person(s) who ultimately owns or controls a customer or conducts transactions on their behalf, as defined by FinCEN.
- USA PATRIOT Act: Legislation enhancing AML/CTF obligations, particularly through customer identification and suspicious activity reporting requirements.
4. AML/CTF Compliance Program
The Company’s AML/CTF Compliance Program is structured to meet FinCEN requirements (31 CFR § 1022.210) and Florida state regulations, incorporating a risk-based approach tailored to cryptocurrency operations. The program includes the following components:
4.1 Customer Identification Program (CIP)
The Company implements a robust CIP, as mandated by Section 326 of the USA PATRIOT Act, to ensure accurate identification and verification of customers:
- Data Collection: Collects comprehensive identifying information, including full legal name, date of birth, residential or business address, and government-issued identification (e.g., Social Security Number, Employer Identification Number, or passport number for non-residents).
- Verification: Verifies identities through:
  - Documentary methods (e.g., government-issued photo ID, passport, or driver’s license).
  - Non-documentary methods (e.g., third-party database verification, blockchain analytics for wallet ownership).
- Sanctions Screening: Screens all customers against OFAC’s SDN List, FATF high-risk jurisdiction lists, United Nations Security Council sanctions lists, and other relevant international lists at onboarding and during periodic reviews.
- Enhanced Due Diligence (EDD): Applies EDD for high-risk customers, including:
  - Politically Exposed Persons (PEPs), identified through public records or third-party screening tools.
  - Individuals or entities from jurisdictions identified as high-risk by OFAC or FATF.
  - Customers engaging in high-risk cryptocurrency activities (e.g., use of mixers, privacy coins, or DeFi platforms).
  - Verification of the source of funds and wealth, supported by documentation such as bank statements, tax records, or asset declarations.
  - Approval from senior management for onboarding or approving significant transactions.
- Business Relationship Purpose: Documents the intended purpose and nature of the business relationship, including expected transaction volumes and types, to assess risk exposure and ensure alignment with legitimate financial activities.
4.2 Suspicious Activity Monitoring and Reporting
The Company maintains a robust system for monitoring and reporting suspicious activities, as required by 31 CFR § 1023.320:
- Monitoring: Utilizes advanced AML software and blockchain analytics tools (e.g., Chainalysis, Elliptic, TRM Labs) to detect patterns indicative of money laundering, terrorist financing, or sanctions evasion.
- SAR Filing: Files Suspicious Activity Reports (SARs) with FinCEN within 30 calendar days of detecting suspicious activity, with supplemental filings submitted as new information emerges. SARs include detailed narratives describing the nature, amount, and timing of suspicious transactions.
- Confidentiality: Maintains strict confidentiality of SARs, prohibiting disclosure to unauthorized parties, as mandated by 31 CFR § 1020.320(e).
- Transaction Delays: May delay transactions for up to 7 business days if there is reasonable suspicion of illicit activity, pending guidance from FinCEN or other regulatory authorities.
- Cryptocurrency-Specific Red Flags:
  - Transactions involving known mixers or tumblers (e.g., Tornado Cash, Blender.io).
  - Rapid or complex fund movements across multiple blockchain addresses without a verifiable economic purpose.
  - Transactions linked to dark pool wallets, privacy coins (e.g., Monero, Zcash), or high-risk jurisdictions.
  - Transactions lacking clear legal or economic justification, such as disproportionate trading volumes relative to customer profile.
4.3 Currency Transaction Reporting
The Company complies with FinCEN’s Currency Transaction Reporting requirements (31 CFR § 1010.311):
- CTR Filing: Files Currency Transaction Reports (CTRs) for transactions involving currency or cryptocurrency equivalents exceeding $10,000 in a single business day, including conversions to fiat or other cryptocurrencies.
- Aggregation: Treats multiple transactions by the same customer aggregating to over $10,000 in a single day as a single reportable transaction.
- Travel Rule Compliance: For cryptocurrency transfers exceeding $3,000, complies with FinCEN’s Travel Rule (31 CFR § 1010.410(f)) by:
  - Collecting and transmitting sender and recipient information (e.g., full legal name, physical address, account details, transaction hash ID).
  - Verifying the compliance status of recipient institutions to ensure secure data exchange, using standardized protocols (e.g., TRISA, OpenVASP) where applicable.
  - Retaining Travel Rule-related records for five years, including all transmitted data and verification documentation.
4.4 Recordkeeping
The Company maintains comprehensive records in accordance with 31 CFR § 1010.410:
- Records of customer identification, transaction details, SARs, CTRs, and Travel Rule data are retained for a minimum of five years in a secure, accessible format.
- Blockchain transaction records, including wallet addresses, transaction hash IDs, and associated metadata (e.g., timestamps, amounts), are archived to facilitate regulatory inspections.
- Records are stored in compliance with data protection standards, ensuring protection against unauthorized access, loss, or tampering.
- Records are provided to FinCEN, Florida’s Office of Financial Regulation, or other authorized regulators upon request, in the requested format and within the specified timeframe (typically within 14 business days).
4.5 Training
The Company implements a mandatory annual AML/CTF training program for all employees, designed to ensure comprehensive understanding of regulatory obligations and cryptocurrency-specific risks:
- Content:
  - Concepts of money laundering, terrorist financing, and proliferation financing, including methods, typologies, and real-world examples.
  - Cryptocurrency-specific risks, such as mixers, privacy coins, DeFi platforms, and cross-chain transactions.
  - Detailed overview of applicable U.S. regulations, including the BSA, USA PATRIOT Act, FinCEN regulations, OFAC sanctions, and Florida Money Transmitters Act.
  - Procedures for identifying, escalating, and reporting suspicious activities, with emphasis on confidentiality requirements and internal reporting channels.
  - Analysis of real-world enforcement actions (e.g., BitMEX 2020 AML violations, Tornado Cash 2022 OFAC sanctions, Binance 2023 penalties).
- Delivery Methods: Training is delivered through:
  - Interactive online modules with assessments to verify comprehension and track completion.
  - In-person or virtual seminars led by compliance experts, including case studies and simulations.
  - Visual and audio materials, such as videos and infographics, to enhance engagement and retention.
- Frequency and Participation: Training is mandatory for all employees, with new hires required to complete training within 30 days of onboarding. Refresher training is conducted annually.
- Documentation: Training completion is documented for each employee, with records maintained for regulatory audits. Training results, including participation rates and assessment outcomes, are reported to the Board and submitted to FinCEN by March 31 of the following year.
4.6 Independent Audit
The Company conducts annual independent audits to evaluate the effectiveness of the AML/CTF Compliance Program, as required by 31 CFR § 1022.210(d)(4). Details are provided in Section 7 (Internal Audit Policy).
5. Risk Management Policy
The Company adopts a risk-based approach, aligned with FinCEN and FATF standards, to identify, assess, and mitigate AML/CTF risks associated with its cryptocurrency operations. The Risk Management Policy includes the following components:
5.1 Customer Risk Assessment
The Company classifies customers into low, medium, or high-risk categories based on a detailed evaluation of:
- Profile Factors:
  - Professional or business activities, financial status, and historical transaction patterns, verified through supporting documentation.
  - Nationality, residency, or connections to jurisdictions identified as high-risk by OFAC, FATF, or other authoritative sources.
  - Politically Exposed Person (PEP) status, adverse media reports, or matches on sanctions lists, identified through third-party screening tools.
- Cryptocurrency-Specific Factors:
  - Use of mixers, tumblers, or privacy coins (e.g., Monero, Zcash).
  - High-frequency or high-volume trading inconsistent with customer profile or stated business purpose.
  - Transactions involving DeFi platforms, non-custodial wallets, or cross-chain protocols.
High-risk customers are subject to enhanced due diligence (EDD), which includes:
- Verification of the source of funds and wealth, supported by documentation such as bank statements, tax records, or asset declarations.
- Enhanced monitoring of blockchain transactions using analytics tools to identify suspicious patterns or anomalies.
- Approval from senior management for onboarding, continuing business relationships, or approving significant transactions.
- Periodic updates to customer information, conducted at least annually or upon triggering events, to ensure accuracy and relevance.
5.2 Geographic Risk Assessment
The Company maintains strict controls to mitigate risks associated with high-risk jurisdictions:
- Prohibited Jurisdictions:
  - Jurisdictions subject to comprehensive OFAC sanctions, as listed on the SDN List or other OFAC-administered programs.
  - Jurisdictions identified by FATF as having strategic deficiencies in AML/CTF frameworks or classified as high-risk or non-cooperative.
- Enhanced Monitoring: Transactions involving high-risk jurisdictions are subject to real-time screening of blockchain addresses and enhanced due diligence to detect sanctions exposure or illicit activity.
5.3 Service Risk Assessment
The Company identifies and mitigates risks associated with its services, with a focus on:
- Non-face-to-face transactions conducted through the Company’s online cryptocurrency trading platform.
- Emerging technologies, including DeFi platforms, non-fungible tokens (NFTs), layer-2 solutions (e.g., Lightning Network, Polygon), and cross-chain protocols.
- High-risk services, such as:
  - High-volume or high-value cryptocurrency transfers.
  - Transactions involving stablecoins or privacy coins.
  - Activities involving non-custodial wallets or decentralized exchanges.
Risk mitigation measures include transaction limits, additional verification requirements, and enhanced monitoring using blockchain analytics.
5.4 Sensitive Sectors
The Company applies heightened scrutiny to transactions involving industries with elevated money laundering risks, including:
- Cryptocurrency exchanges and wallet providers.
- Dealers in precious metals, stones, or jewelry.
- Casinos, gambling operators, and lottery agencies.
- Real estate transactions, particularly those involving high-value properties or cash payments.
- Luxury goods traders, including high-end vehicles, watches, and art.
- Travel agencies, transportation services, and parking operators.
- Antique dealers, art galleries, and auction houses.
Transactions in these sectors are subject to enhanced due diligence, including blockchain analytics and verification of the economic purpose of the transaction.
5.5 Sanctions Compliance
The Company maintains a rigorous sanctions compliance program to prevent violations of OFAC regulations:
- Screening:
  - All customers, counterparties, and transactions are screened against OFAC’s SDN List, FATF high-risk jurisdiction lists, United Nations Security Council sanctions lists, and other relevant international lists.
  - Screening is conducted at onboarding, during periodic reviews (at least annually), and in real-time for transactions.
- Prohibitions: Business relationships or transactions with individuals, entities, or jurisdictions subject to OFAC sanctions are strictly prohibited.
- Indirect Violations: The Company monitors for transactions involving services or entities linked to sanctioned parties, such as cryptocurrency mixers (e.g., Tornado Cash, Blender.io).
- Asset Freezes: Upon identification of a sanctioned party or transaction, the Company:
  - Immediately freezes the relevant assets or accounts, segregating them in a designated account.
  - Notifies FinCEN and OFAC within 7 business days, providing detailed transaction information, including wallet addresses and hash IDs.
  - Maintains frozen assets until regulatory guidance is received, ensuring compliance with OFAC reporting requirements.
5.6 Periodic Customer Evaluation
Customer profiles are re-evaluated at least annually or upon the occurrence of triggering events to ensure ongoing compliance:
- Evaluation Triggers:
  - Adverse media reports or intelligence indicating potential illicit activity.
  - Addition to OFAC, FATF, or other sanctions or PEP lists.
  - Significant changes in transaction patterns, such as sudden use of mixers or high-risk blockchain activities.
  - Updates to jurisdictional risk profiles or customer financial status.
- Updates: Outdated or incomplete customer information is updated promptly, with high-risk relationships escalated for senior management review.
- Documentation: All evaluations and updates are documented and retained for regulatory audits.
5.7 Triggering Events
Triggering events requiring immediate customer re-evaluation include:
- Identification in adverse media or intelligence reports indicating potential illicit activity.
- Addition to sanctions lists, PEP lists, or other regulatory watchlists.
- Significant deviations in transaction patterns, such as increased use of privacy coins or DeFi platforms.
- Involvement in high-risk blockchain activities, such as transactions linked to dark pool wallets or sanctioned addresses.
5.8 Termination of Business Relationships
- High-risk or suspicious customers are escalated to senior management for review and potential termination.
- Accounts deemed non-compliant or posing unacceptable risks are closed promptly, with all relevant records retained for a minimum of five years.
- Termination decisions are documented, including the rationale and supporting evidence, for regulatory audits.
6. Sanctions and Penalties
Non-compliance with AML/CTF and sanctions obligations may result in significant civil and criminal penalties under U.S. federal and Florida state law. The following table provides a detailed overview of potential penalties, incorporating regulatory requirements and enforcement precedents:
| Violation | Penalty (2021-2025) | Regulatory Reference |
| --- | --- | --- |
| Failure to File SARs | Civil penalties up to $250,000 per violation; $500,000 for willful violations. Criminal penalties up to 7 years imprisonment. | 31 CFR § 1023.320 |
| Failure to File CTRs | Civil penalties up to $25,000 per day for non-willful violations; $100,000 for willful violations. | 31 CFR § 1010.311 |
| Failure to Maintain Records | Civil penalties up to $10,000 per violation. | 31 CFR § 1010.410 |
| Failure to Implement CIP | Civil penalties up to $10,000 per violation. | 31 CFR § 1022.220 |
| Unauthorized Disclosure of SAR Filing | Civil penalties up to $250,000 or criminal penalties up to 5 years imprisonment for willful violations. | 31 CFR § 1020.320(e) |
| Florida Money Transmitters Act Violations | Fines up to $10,000 per violation, license suspension, or revocation by the Florida Office of Financial Regulation. | Florida Statutes § 560.125 |
| OFAC Sanctions Violations | Civil penalties up to $330,947 per violation (adjusted for inflation, 2025); criminal penalties up to $1,000,000 and 20 years imprisonment. | 31 CFR § 501.701 |
Notable Enforcement Actions:
- BitMEX (2020): Fined $100 million by FinCEN and the Commodity Futures Trading Commission (CFTC) for failure to implement an adequate AML program and CIP, including inadequate customer verification and suspicious activity reporting.
- Tornado Cash (2022): Sanctioned by OFAC for facilitating money laundering through cryptocurrency mixing services, emphasizing the need for robust sanctions screening in blockchain transactions.
- Binance (2023): Ordered to pay $4.3 billion in penalties for systemic violations of AML and sanctions regulations, including failure to file SARs and inadequate customer due diligence.
Total civil penalties for MSBs are capped at $1,000,000 per year for non-willful violations, per 31 CFR § 1010.821. Florida-specific penalties may be imposed for state-level non-compliance, including license revocation or suspension.
7. Internal Audit Policy
The Company conducts annual independent audits to evaluate the effectiveness of the AML/CTF Compliance Program, as mandated by 31 CFR § 1022.210(d)(4) and aligned with Florida Money Transmitters Act requirements. The Internal Audit Policy is designed to ensure rigorous oversight, transparency, and continuous improvement of compliance processes, drawing on structured audit frameworks to address cryptocurrency-specific risks.
7.1 Audit Objectives
The primary objectives of the internal audit are to:
- Verify compliance with FinCEN, OFAC, and Florida regulations, including the BSA, USA PATRIOT Act, and Florida Money Transmitters Act.
- Assess the effectiveness of the AML/CTF Compliance Program in identifying and mitigating money laundering, terrorist financing, and sanctions risks.
- Evaluate the accuracy, timeliness, and completeness of regulatory filings, including SARs, CTRs, and Travel Rule data.
- Identify deficiencies in policies, procedures, or controls and recommend corrective actions.
- Ensure alignment with FATF standards and industry best practices for cryptocurrency operations.
7.2 Audit Scope
The audit encompasses a comprehensive review of the following areas:
- Customer Identification and Verification:
  - Compliance with CIP requirements (Section 326, USA PATRIOT Act), including data collection and verification processes.
  - Effectiveness of EDD for high-risk customers, such as PEPs, high-risk jurisdiction residents, or those engaging in high-risk cryptocurrency activities.
- Transaction Monitoring:
  - Accuracy and robustness of blockchain analytics tools (e.g., Chainalysis, Elliptic, TRM Labs) in detecting suspicious activities.
  - Identification of red flags, such as transactions involving mixers, privacy coins, or dark pool wallets.
- Regulatory Filings:
  - Timeliness and accuracy of SAR filings (31 CFR § 1023.320) and CTR filings (31 CFR § 1010.311).
  - Compliance with FinCEN’s Travel Rule for cryptocurrency transfers exceeding $3,000 (31 CFR § 1010.410(f)).
- Sanctions Compliance:
  - Effectiveness of screening processes against OFAC’s SDN List, FATF high-risk jurisdiction lists, and other international sanctions lists.
  - Procedures for asset freezes and regulatory notifications in case of sanctions violations.
- Training Programs:
  - Participation rates, content relevance, and effectiveness of annual AML/CTF training.
  - Documentation of training completion and assessment outcomes.
- Recordkeeping:
  - Retention and accessibility of customer identification, transaction, and regulatory filing records for a minimum of five years.
  - Security and integrity of blockchain transaction data, including wallet addresses and hash IDs.
- Florida-Specific Requirements:
  - Compliance with licensing, reporting, and operational requirements under the Florida Money Transmitters Act.
  - Adherence to state-specific audit and recordkeeping obligations.
7.3 Audit Execution
- Independence: Audits are conducted by an independent third-party auditor or an internal audit team with no operational conflicts of interest, ensuring objectivity and impartiality.
- Methodology: Audits employ a risk-based approach, prioritizing high-risk areas such as cryptocurrency transactions, DeFi activities, and sanctions compliance.
- Testing Procedures:
  - Sample-based testing of customer identification and verification records.
  - Transaction tracing using blockchain analytics to verify monitoring effectiveness.
  - Review of SAR and CTR filings for accuracy, completeness, and timeliness.
  - Assessment of sanctions screening logs and asset freeze procedures.
- Frequency: Audits are conducted annually, with additional ad-hoc audits triggered by significant regulatory changes, major compliance incidents, or Board directives.
7.4 Audit Reporting
- Audit Report: A comprehensive audit report is prepared, detailing:
  - Findings, including compliance strengths and deficiencies.
  - Specific instances of non-compliance or operational weaknesses.
  - Recommended corrective actions, prioritized by risk level.
- Submission: The audit report is submitted to the Board of Directors by March 31 of the following year, with copies provided to the AML Compliance Officer and Compliance Unit.
- Stakeholder Review: The Board reviews the audit report in a dedicated session, with the AML Compliance Officer presenting key findings and proposed actions.
7.5 Corrective Actions
- Action Plan: Identified deficiencies are addressed through a documented corrective action plan, specifying responsible parties, timelines, and resource requirements.
- Implementation: Corrective actions are implemented within 60 calendar days of the audit report, with progress tracked and reported to the Board.
- Follow-Up: A follow-up review is conducted within 90 days of implementation to verify the effectiveness of corrective actions, with results documented and reported to the Board.
- Regulatory Notification: Significant deficiencies requiring regulatory reporting (e.g., systemic SAR filing failures) are reported to FinCEN and/or Florida regulators within 10 business days, as applicable.
7.6 Continuous Improvement
- Audit findings are integrated into the Company’s compliance framework to enhance policies, procedures, and controls.
- Lessons learned from audits are incorporated into employee training programs to address identified gaps.
- The Company engages with industry peers and regulatory bodies to adopt best practices and stay informed of emerging audit methodologies.
8. Information and Document Submission
The Company ensures full compliance with requests for information and documents from FinCEN and Florida’s Office of Financial Regulation, as mandated by 31 CFR § 1010.410:
- Record Retention: All records, including customer identification data, transaction details, SARs, CTRs, and Travel Rule data, are retained for a minimum of five years in a secure, accessible format.
- Blockchain Data: Transaction records, including wallet addresses, transaction hash IDs, and associated metadata (e.g., timestamps, amounts), are archived to facilitate regulatory inspections.
- Regulatory Requests: Records are provided to regulators in the requested format and within the specified timeframe, typically within 14 business days unless otherwise directed.
- Data Security: Records are stored in compliance with data protection standards, ensuring protection against unauthorized access, loss, or tampering. Encryption and access controls are implemented for sensitive data.
9. Combating Money Laundering and Terrorist Financing
This section outlines the Company’s comprehensive approach to preventing and detecting money laundering and terrorist financing, with a focus on cryptocurrency-specific risks. Drawing on the structured framework of the Bank Secrecy Act (BSA), FinCEN regulations, and Financial Action Task Force (FATF) standards, the Company employs advanced monitoring, robust customer due diligence, and proactive reporting to safeguard its platform from illicit activities. The following subsections provide detailed insights into the processes, typologies, and preventive measures, tailored to the unique challenges of cryptocurrency transactions.
9.1 Money Laundering
Money laundering involves the concealment of illicit funds to make them appear legitimate, typically through three stages:
- Placement:
  - Illicit funds are introduced into the financial system to distance them from their criminal origins.
  - In the cryptocurrency context, this may involve depositing illicit funds into non-custodial wallets, decentralized exchanges, or mixing services (e.g., Tornado Cash, Blender.io).
  - Example: Converting cash obtained from illegal activities into Bitcoin through peer-to-peer platforms or unregulated exchanges.
- Layering:
  - Complex transactions are conducted to obscure the audit trail, making it difficult to trace the funds’ origins.
  - Common layering techniques in cryptocurrency include:
    - Rapid transfers across multiple blockchain addresses or wallets.
    - Use of mixers or tumblers to anonymize transactions.
    - Cross-chain transactions involving layer-2 solutions (e.g., Lightning Network) or bridges between blockchains (e.g., Ethereum to Binance Smart Chain).
  - Example: Transferring Bitcoin through multiple wallet addresses in rapid succession, often across different blockchains, to obscure the funds’ source.
- Integration:
  - Laundered funds are reintroduced into the economy as legitimate assets, often through investments or purchases.
  - In cryptocurrency, this may involve converting illicit crypto assets into fiat currency, purchasing high-value assets (e.g., real estate, luxury goods), or trading for stablecoins to facilitate cash-out.
  - Example: Using laundered cryptocurrency to purchase real estate through a shell company or to acquire non-fungible tokens (NFTs) for resale.
Cryptocurrency-Specific Money Laundering Risks:
- Mixers and Tumblers: Services like Tornado Cash or Blender.io anonymize transactions by pooling and redistributing funds, complicating traceability.
- Privacy Coins: Cryptocurrencies like Monero or Zcash use advanced cryptographic techniques (e.g., ring signatures, zero-knowledge proofs) to obscure transaction details.
- Decentralized Finance (DeFi): DeFi platforms, lacking traditional intermediaries, can be exploited for layering through complex smart contracts or liquidity pools.
- Non-Custodial Wallets: Wallets controlled by users without intermediary oversight increase the risk of undetected illicit transactions.
- Cross-Chain Transactions: Transfers between blockchains (e.g., Ethereum to Solana) can obscure the audit trail, especially when involving unregulated bridges.
Prevention Measures:
- Blockchain Analytics: The Company uses advanced tools (e.g., Chainalysis, Elliptic, TRM Labs) to trace cryptocurrency transactions, identify high-risk wallet addresses, and detect patterns indicative of layering or sanctions evasion.
- Customer Due Diligence: Enhanced due diligence (EDD) is applied to customers engaging in high-risk activities, including verification of the source of funds and wealth.
- Transaction Monitoring: Real-time monitoring systems flag transactions involving mixers, privacy coins, or rapid multi-address transfers for further investigation.
- Travel Rule Compliance: For transfers exceeding $3,000, the Company collects and transmits sender and recipient information, ensuring traceability (31 CFR § 1010.410(f)).
- Sanctions Screening: All transactions are screened against OFAC’s SDN List and other international sanctions lists to prevent interactions with prohibited entities or jurisdictions.
9.2 Terrorist Financing
Terrorist financing involves providing or collecting funds to support terrorist activities, which may originate from legal or illegal sources. Unlike money laundering, terrorist financing often involves smaller amounts and may not require complex layering, making detection challenging. The Company maintains robust controls to detect and prevent terrorist financing, aligning with FinCEN, OFAC, and FATF standards.
Characteristics of Terrorist Financing:
- Funds may originate from legitimate sources (e.g., donations, crowdfunding) or illicit activities (e.g., drug trafficking, extortion).
- Transactions often involve small, frequent transfers to avoid detection, sometimes routed through high-risk jurisdictions or non-custodial wallets.
- Cryptocurrency is increasingly used due to its global reach, speed, and perceived anonymity.
Cryptocurrency-Specific Terrorist Financing Risks:
- Small, Frequent Transactions: Micro-transactions (e.g., $100-$1,000) across multiple wallets to fund terrorist activities, often below reporting thresholds.
- High-Risk Jurisdictions: Transactions linked to jurisdictions identified by FATF or OFAC as high-risk or non-cooperative, such as those with weak AML/CTF frameworks.
- Dark Pool Wallets: Wallets associated with illicit activities, often identified through blockchain analytics, used to aggregate and distribute funds.
- Crowdfunding Platforms: Decentralized platforms or peer-to-peer transfers used to collect funds under the guise of charitable causes.
- Privacy-Enhancing Technologies: Use of privacy coins or mixers to obscure the source and destination of funds.
Indicators of Suspicious Activity (aligned with FinCEN and FATF guidance):
Indicator | Description | Cryptocurrency Example |
Unusual Transaction Patterns | Transactions inconsistent with customer profile or stated purpose. | Rapid, small transfers of Bitcoin to multiple non-custodial wallets without economic justification. |
High-Risk Jurisdiction Links | Transactions involving jurisdictions on FATF or OFAC lists. | Transfers to wallet addresses associated with OFAC-sanctioned jurisdictions. |
Use of Anonymizing Tools | Transactions involving mixers, tumblers, or privacy coins. | Deposits of Monero or funds traced to Tornado Cash. |
Lack of Economic Purpose | Transactions with no clear business or financial rationale. | High-frequency trading of small amounts across DeFi platforms without profit motive. |
Adverse Media | Customers linked to negative news or terrorist-related activities. | Wallet addresses flagged in reports of terrorist financing activities. |
Crowdfunding Anomalies | Funds collected through decentralized platforms without verifiable purpose. | Large inflows from multiple wallets labeled as “donations” without documentation. |
Prevention Measures:
- Enhanced Transaction Monitoring: The Company employs blockchain analytics tools to detect suspicious patterns, such as small, frequent transfers to high-risk wallets or jurisdictions.
- Sanctions Screening: All customers and transactions are screened against OFAC’s SDN List, United Nations Security Council sanctions lists, and FATF high-risk jurisdiction lists in real-time.
- Source of Funds Verification: Customers engaging in high-risk transactions are required to provide documentation verifying the source of funds (e.g., bank statements, income records).
- Asset Freezes: Transactions linked to terrorist financing or sanctioned parties trigger immediate asset freezes, with assets segregated in a designated account in accordance with OFAC regulations (31 CFR § 501.603). Notifications are sent to FinCEN and OFAC within 7 business days, ensuring compliance with OFAC’s 10-business-day requirement (31 CFR § 501.604) and FinCEN’s 30-calendar-day SAR filing deadline (31 CFR § 1023.320). Notifications include detailed transaction data, such as wallet addresses, transaction hash IDs, timestamps, and amounts, to facilitate regulatory review.
- Escalation Procedures: Suspected terrorist financing activities are immediately escalated to the AML Compliance Officer, with Suspicious Activity Reports (SARs) filed with FinCEN within 30 calendar days.
- Collaboration with Authorities: The Company cooperates with law enforcement and regulatory agencies, providing blockchain transaction data and customer information upon request, in compliance with 31 CFR § 1010.410.
- Employee Training: Annual training programs include modules on terrorist financing typologies, with case studies (e.g., 2019 Hamas cryptocurrency fundraising campaigns) to enhance employee awareness.
Notable Enforcement Actions:
- Tornado Cash (2022): OFAC sanctioned the mixing service for facilitating transactions linked to terrorist financing and money laundering, highlighting the need for robust sanctions screening in blockchain transactions.
- BitPay (2021): FinCEN fined BitPay $507,000 for failing to implement adequate AML/CTF controls, including insufficient monitoring for terrorist financing activities.
- Binance (2023): Penalized $4.3 billion for systemic AML/CTF violations, including failure to detect and report transactions potentially linked to terrorist financing.
9.3 Prevention and Detection Framework
The Company implements a multi-layered framework to prevent and detect money laundering and terrorist financing, tailored to the cryptocurrency environment:
- Risk-Based Monitoring:
  - Transactions are monitored in real-time using advanced AML software and blockchain analytics tools to identify red flags, such as transactions involving mixers, privacy coins, or high-risk jurisdictions.
  - High-risk transactions are flagged for manual review by the Compliance Unit, with escalation to the AML Compliance Officer for final determination.
- Customer Due Diligence (CDD):
  - Comprehensive CDD is conducted at onboarding, including verification of customer identity, business purpose, and source of funds.
  - Enhanced due diligence (EDD) is applied to high-risk customers, including PEPs, those in sensitive sectors, or those engaging in high-risk cryptocurrency activities.
- Blockchain Forensics:
  - Tools like Chainalysis, Elliptic, and TRM Labs are used to trace transaction histories, identify wallet ownership, and detect links to illicit activities.
  - Transaction clustering and heuristic analysis are employed to identify patterns of layering or terrorist financing.
- Regulatory Reporting:
  - SARs are filed with FinCEN for suspicious transactions within 30 calendar days, with detailed narratives describing the nature, amount, and timing of the activity.
  - CTRs are filed for transactions exceeding $10,000, and Travel Rule data is collected and transmitted for cryptocurrency transfers exceeding $3,000.
- Proactive Sanctions Compliance:
  - Real-time screening ensures no transactions involve sanctioned individuals, entities, or jurisdictions.
  - Asset freezes are implemented immediately upon detection of sanctioned parties, with segregated accounts maintained until regulatory guidance is received.
- Continuous Training:
  - Employees receive annual training on money laundering and terrorist financing typologies, with a focus on cryptocurrency-specific risks and real-world case studies.
  - Training includes simulations to enhance recognition of suspicious activities, such as transactions involving mixers or dark pool wallets.
- Technology Integration:
  - The Company integrates API-based solutions for sanctions screening and blockchain analytics, ensuring seamless compliance with regulatory requirements.
  - Machine learning models are employed to enhance detection of anomalous transaction patterns, improving efficiency and accuracy.
9.4 Cryptocurrency-Specific Case Studies
To illustrate the application of the Company’s prevention measures, the following case studies highlight real-world scenarios and responses:
- Case Study: Mixer-Linked Transactions:
  - Scenario: A customer initiates multiple Bitcoin transfers to wallet addresses linked to Tornado Cash, a sanctioned mixing service.
  - Response:
    - Blockchain analytics tools flag the transactions due to their association with a sanctioned entity.
    - The Compliance Unit conducts an immediate review, verifying the customer’s identity and source of funds.
    - The AML Compliance Officer files a SAR with FinCEN within 30 days, detailing the transaction hash IDs and wallet addresses.
    - The customer’s account is frozen, and OFAC is notified within 7 business days, pending further guidance.
- Case Study: High-Frequency Micro-Transactions:
  - Scenario: A customer conducts frequent, small cryptocurrency transfers ($200-$500) to multiple non-custodial wallets in a high-risk jurisdiction.
  - Response:
    - Transaction monitoring systems detect the pattern as inconsistent with the customer’s profile.
    - EDD is applied, requiring the customer to provide documentation verifying the economic purpose of the transfers.
    - Upon failure to provide adequate documentation, the transactions are flagged as suspicious, and a SAR is filed with FinCEN.
    - The customer’s account is escalated for senior management review, with potential termination if risks persist.
- Case Study: DeFi Platform Exploitation:
  - Scenario: A customer uses the Company’s platform to transfer large volumes of Ethereum to a DeFi liquidity pool, with subsequent rapid withdrawals to multiple wallets.
  - Response:
    - Blockchain analytics identify the transactions as potential layering, due to the lack of economic purpose and rapid fund movements.
    - The Compliance Unit requests additional documentation on the customer’s DeFi activities and source of funds.
    - The AML Compliance Officer escalates the case, delaying the transactions for up to 7 business days pending investigation.
    - A SAR is filed with FinCEN, and the customer’s account is monitored for further suspicious activity.
9.5 Ongoing Monitoring and Improvement
The Company continuously enhances its AML/CTF framework to address evolving risks:
- Typology Updates: The Company regularly reviews FinCEN advisories, FATF reports, and industry publications to update its understanding of money laundering and terrorist financing typologies.
- Technology Upgrades: Investments in blockchain analytics and AI-driven monitoring tools ensure the Company stays ahead of emerging risks, such as new DeFi protocols or privacy-enhancing technologies.
- Regulatory Engagement: The Company collaborates with FinCEN, OFAC, and Florida regulators to align its practices with regulatory expectations, participating in industry forums and working groups.
- Feedback Integration: Audit findings, employee feedback, and regulatory guidance are incorporated into policies, procedures, and training programs to ensure continuous improvement.
10. Cryptocurrency-Specific Compliance Measures
10.1 Blockchain Transaction Monitoring
The Company employs advanced blockchain analytics tools (e.g., Chainalysis, Elliptic, TRM Labs) to monitor transactions for suspicious activity, including:
- Identification of transactions linked to dark pool wallets, sanctioned addresses, or high-risk jurisdictions.
- Analysis of transaction patterns for indications of layering, obfuscation, or sanctions evasion.
- Retention of transaction hash IDs, wallet addresses, and associated metadata for audit and regulatory purposes.
- Real-time alerts for high-risk transactions, enabling prompt investigation and escalation.
10.2 Decentralized Finance (DeFi) and Emerging Technologies
The Company applies enhanced monitoring to transactions involving emerging technologies, including:
- DeFi Platforms: Transactions involving decentralized exchanges, lending protocols, or smart contracts are screened for potential money laundering or sanctions risks.
- Non-Fungible Tokens (NFTs): High-value NFT transactions are monitored for risks of money laundering or ownership obfuscation, with particular attention to rapid sales or transfers.
- Layer-2 and Cross-Chain Protocols: Transactions involving layer-2 solutions (e.g., Lightning Network, Polygon) or cross-chain bridges are subject to enhanced scrutiny to detect illicit activity.
10.3 Travel Rule Compliance
The Company complies with FinCEN’s Travel Rule (31 CFR § 1010.410(f)) for cryptocurrency transfers exceeding $3,000, ensuring:
- Collection and transmission of sender and recipient information, including full legal name, physical address, account details, and transaction hash ID.
- Verification of the compliance status of recipient institutions to ensure secure and compliant data exchange, using standardized protocols (e.g., TRISA, OpenVASP) where applicable.
- Retention of Travel Rule-related records for a minimum of five years, including all transmitted data and verification documentation.
- Regular audits of Travel Rule compliance to ensure adherence to FinCEN requirements.
11. Enforcement and Updates
This Policy takes effect upon approval by the Board of Directors and is subject to annual review to ensure ongoing alignment with U.S. federal and Florida state regulations, as well as emerging risks in the cryptocurrency industry. Updates are implemented promptly to address:
- Changes in FinCEN, OFAC, or Florida regulatory requirements.
- Evolving cryptocurrency-specific risks, such as new DeFi protocols, privacy-enhancing technologies, or layer-2 solutions.
- Recommendations from independent audits, regulatory feedback, or industry best practices.
The AML Compliance Officer is responsible for proposing updates, which are reviewed and approved by the Board to ensure continued compliance and effectiveness.
12. Monitoring and Continuous Improvement
To ensure the ongoing effectiveness of the AML/CTF Compliance Program, the Company:
- Conducts quarterly reviews of transaction monitoring systems to assess performance, identify gaps, and implement enhancements.
- Incorporates feedback from regulators, FATF guidance, and industry best practices into policy updates and operational improvements.
- Maintains a dedicated compliance dashboard to track key metrics, including:
  - SAR and CTR filing rates and timeliness.
  - Training completion rates and assessment outcomes.
  - Audit findings and corrective action progress.
  - Sanctions screening hit rates and resolution times.
- Engages with industry peers, regulatory bodies, and blockchain analytics providers to stay informed of emerging AML/CTF trends, technologies, and typologies.
- Conducts annual risk assessments to identify new or evolving risks, with findings integrated into policy updates and training programs.