Enterprise-wide governance framework for regulated Crypto-Asset Service Providers (CASPs) — aligned with the 2026 EU AML Package & Polish AML Act.
This Anti-Money Laundering and Counter-Terrorist Financing Policy (the "Policy") establishes the binding, enterprise-wide governance framework, internal controls, risk management systems, and operational standards implemented by the Company. As a regulated Crypto-Asset Service Provider (CASP), this Policy is designed to prevent, detect, and report illicit activities, including but not limited to:
The Company maintains a strictly enforced, zero-tolerance approach to financial crime, sanctions evasion, and regulatory circumvention.
Compliance with AML/CFT obligations is a non-negotiable, core component of the Company's corporate governance, risk management framework, and ethical standards. All directors, officers, employees, contractors, and outsourced service providers shall adhere to the provisions herein.
This Policy ensures the Company's strict adherence to the highest standards of regulatory compliance, specifically aligning with the 2026 EU AML Package and local statutory requirements. The primary legal bases include:
| Term | Definition |
|---|---|
| AMLRO | Anti-Money Laundering Reporting Officer — the designated individual responsible for the oversight and execution of the AML/CFT program pursuant to Art. 8 of the Polish AML Act. |
| CASP | Crypto-Asset Service Provider, as defined under MiCA. |
| CRBR | Centralny Rejestr Beneficjentów Rzeczywistych — Polish Central Register of Beneficial Owners. |
| GIIF | Generalny Inspektor Informacji Finansowej — General Inspector of Financial Information / Polish FIU. |
| KNF | Komisja Nadzoru Finansowego — Polish Financial Supervision Authority. |
| UBO | Ultimate Beneficial Owner — any natural person(s) who ultimately owns or controls the customer. |
The Company executes its AML/CFT obligations through a strictly delineated Three Lines of Defence model to ensure operational clarity, independence, and accountability.
Board Oversight: The Management Board holds ultimate accountability for the AML/CFT framework, ensuring adequate resourcing, reviewing the EWRA annually, and attesting to the effectiveness of the compliance program.
The Company has zero appetite for providing services to individuals or entities subject to comprehensive international sanctions, or those engaged in ML/TF/PF. The Company maintains an exceptionally low risk appetite for customers originating from or linked to high-risk third countries as designated by the European Commission and FATF.
Pursuant to Art. 27 of the Polish AML Act, the Company shall maintain, document, and annually update a comprehensive EWRA. The methodology assesses inherent risks across four primary pillars:
Residual risk is calculated post-application of mitigating controls. The EWRA forms the basis for the allocation of compliance resources and the calibration of automated transaction monitoring rules.
The Company applies CDD measures prior to the establishment of a business relationship or the execution of an occasional transaction. CDD includes identifying the customer, verifying their identity using independent, reliable sources, and understanding the intended nature of the business relationship.
For legal entities, the Company shall identify the UBOs and verify their identities. Pursuant to the Polish AML Act, the Company must cross-reference corporate data against the Polish CRBR (or equivalent EU registries). Any identified material discrepancies between the information gathered during CDD and the CRBR data shall be formally documented and immediately reported to the competent registry authority.
EDD shall be applied strictly in cases indicating a higher risk of ML/TF, including but not limited to: business relationships with PEPs, complex corporate structures, and clients linked to high-risk jurisdictions. EDD measures shall systematically include:
The Company utilizes automated, daily screening against premium, third-party databases to identify Politically Exposed Persons (PEPs), their family members, and known close associates (RCAs). The identification of a PEP triggers mandatory EDD procedures.
The establishment or continuation of a business relationship with a PEP requires explicit, documented approval from the Management Board or a designated Senior Executive.
The Company complies fully with all applicable sanctions regimes, including UN, EU, US (OFAC), and Polish national sanctions lists (including the MSWiA list).
Client databases and transaction flows are screened in real time. In the event of a verified true match against a designated party, the Company shall immediately, and without prior notice:
Given geopolitical realities, the Company deploys advanced blockchain analytics to detect and prevent indirect exposure to sanctioned jurisdictions (e.g., Russia, Belarus). Tactics such as the use of nested exchanges, decentralized mixers, or jurisdiction-hopping to evade sanctions will trigger immediate account suspension and STR filing.
In strict compliance with Regulation (EU) 2023/1113, the Company implements the "Travel Rule" for all crypto-asset transfers:
The Company employs automated, rules-based, and behavioral transaction monitoring systems (TMS) coupled with integrated blockchain analytics software to monitor all fiat and virtual asset transactions both in real time and retrospectively.
TMS and blockchain analytic rules, thresholds, and scoring models shall undergo independent validation at least annually. This ensures the models remain calibrated to the threats identified in the EWRA and limits false-positive degradation. Material changes to monitoring models require formal approval from the AMLRO and the Risk Committee.
Upon determination that a transaction, attempted transaction, or specific client activity is suspicious and linked to ML/TF/PF, the AMLRO shall file an STR with the GIIF immediately, and no later than the statutory deadline.
The Company strictly enforces a "tipping-off" prohibition — no client or unauthorized third party shall be informed of an STR filing or an ongoing GIIF investigation.
Pursuant to Art. 86 and Art. 89 of the Polish AML Act:
The processing of personal data for AML/CFT purposes is conducted on the legal basis of compliance with a legal obligation (Art. 6(1)(c) GDPR) and overriding public interest. The Company adheres to the principle of data minimization, processing only data strictly necessary for financial crime prevention.
Pursuant to the Polish AML Act, all CDD documentation, transaction records, STR filings, and analytical outputs supporting AML decisions shall be retained securely for a period of five (5) years following the termination of the business relationship or the execution of an occasional transaction.
While operational tasks may be outsourced, the legal and regulatory accountability for AML/CFT compliance cannot be delegated and remains entirely with the Company. Any outsourcing of AML functions (e.g., L1 alert triage, identity verification tools) requires:
The Company maintains a secure, confidential, and anonymous whistleblowing channel for employees, contractors, and partners to report actual or potential breaches of AML/CFT regulations or this Policy, free from retaliation.
Breaches of this Policy by any employee will result in disciplinary action, up to and including immediate termination of employment. Where an employee is found to have actively facilitated or willfully ignored financial crime, the Company will report the individual to competent law enforcement and regulatory authorities.
The Company commits to full, transparent, and prompt cooperation with the GIIF, the KNF, and authorized law enforcement agencies. The AMLRO acts as the primary liaison for all regulatory inquiries, ensuring responses to Requests for Information (RFIs) are comprehensive and delivered within statutory deadlines.