1. Introduction & commitment
This Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), Know-Your-Customer (KYC) and sanctions policy (the "Policy") describes how Crypocto (the website at https://crypocto.com and all services offered through it, the "Service") detects, prevents and reports money laundering, terrorist financing, sanctions evasion and related financial-crime risks. References to "we", "our" or "us" mean the legal entity responsible for the Crypocto brand (the "Company"). The Company's full legal name, registration details and registered office are set out in the Contact section or available on written request.
Crypocto operates a regulated crypto-to-fiat and fiat-to-crypto exchange (crypto on-ramp and off-ramp), crypto-to-crypto exchange and crypto-settled escrow for real-asset deals — including real estate, cars, yachts, watches, jewelry and art — across the European Union and Ukraine. Because these activities sit at the intersection of traditional finance and virtual assets, strong AML/CTF controls are embedded in every step of our operations.
We are committed to complying with, and supporting the purpose of, all applicable AML/CTF and sanctions rules. We do not knowingly process transactions linked to money laundering, terrorist financing, fraud, trafficking, proliferation financing, corruption, bribery or sanctions evasion, and we cooperate in good faith with competent authorities wherever required by law.
2. Regulatory framework
This Policy is designed to align with, among others:
- EU Anti-Money Laundering Directives (including 4AMLD, 5AMLD and 6AMLD) and the EU AML Package (AMLR / AMLD6 / AMLAR) as it enters into application;
- Markets in Crypto-Assets Regulation (MiCA) and the national implementing frameworks of EU member states where the Service is active;
- Regulation (EU) 2023/1113 — Transfer of Funds Regulation (TFR), commonly known as the EU "crypto Travel Rule";
- Financial Action Task Force (FATF) Recommendations, in particular those relating to virtual assets and virtual-asset service providers (VASPs);
- Sanctions regimes of the European Union, the United Nations and the United States (OFAC), as well as national sanctions lists applicable to the Company and its counterparties;
- National AML legislation of the jurisdictions in which the Company, its clients or its banking partners are established, including Ukraine's AML framework for deals touching that country.
Where applicable local law is stricter than this Policy, the stricter standard applies.
3. Customer Due Diligence (KYC)
3.1 Standard CDD
Before a client's first Order is settled, and at later points where required by law or internal risk triggers, the Service applies Customer Due Diligence (CDD) measures. For individuals, these include:
- Collection and verification of full legal name, date of birth, nationality and residential address;
- Collection of a valid government-issued photo ID (passport, national ID card, driver's licence, residence permit) and verification of its authenticity;
- Recent proof of address (utility bill, bank statement or equivalent official correspondence, typically dated within three (3) months);
- A live selfie, video confirmation or equivalent liveness check to match the client to their ID document;
- Screening against sanctions, Politically-Exposed-Persons (PEP), adverse-media and law-enforcement databases.
For legal entities, the Service additionally collects and verifies:
- Company registration documents and current extract from the commercial register;
- Articles of association, ownership structure and identification of the Ultimate Beneficial Owners (UBOs) holding more than 25% of the capital or control;
- Identification documents of directors, authorised signatories and UBOs;
- Information on the intended nature of the business relationship and the expected pattern of transactions.
3.2 Enhanced Due Diligence (EDD)
Enhanced Due Diligence is applied wherever the Service identifies higher risk, including:
- Individual crypto-to-fiat or fiat-to-crypto operations above €15,000, or cumulative activity that exceeds this threshold over a short period;
- Escrow deals involving real estate, yachts or other high-value assets;
- Clients from higher-risk jurisdictions identified by FATF, the EU high-risk-country list or the Company's own country-risk assessment;
- PEPs, their close relatives and known close associates;
- Complex, unusual or opaque transaction patterns, including use of nominee structures or privacy-enhancing techniques;
- Deposits originating from, or withdrawals directed to, wallets flagged as higher-risk by on-chain analytics.
EDD may include senior-management approval of the relationship, additional source-of-funds and source-of-wealth documentation, deeper counterparty analysis and intensified ongoing monitoring.
3.3 Simplified Due Diligence (SDD)
Where the Service is permitted to do so by law, Simplified Due Diligence may be applied to clearly low-risk situations — for example small, occasional crypto-to-fiat conversions within published limits by clients with verified EU residency and transparent source of funds. SDD is not a waiver of KYC: baseline identification, sanctions screening and ongoing monitoring still apply.
4. Source of funds & source of wealth
For every deal, the Service must be reasonably satisfied that funds — both crypto and fiat — are of legitimate origin. For higher-risk or higher-value Orders, the User may be asked to provide supporting evidence, including:
- Proof of employment, salary slips or business income (tax returns, audited accounts);
- Records of prior crypto acquisition: trading statements from licensed exchanges, OTC invoices, mining records or pool pay-outs;
- Bank statements showing the relevant fiat flows;
- Sale contracts or notarial deeds where funds come from the sale of real estate, vehicles or other assets;
- Inheritance documents, gift letters or corporate dividend resolutions, as applicable;
- On-chain history of the wallet(s) involved in the Order, supported by blockchain analytics.
For high-value escrow deals, Source of Wealth (SoW) documentation may also be required — a broader picture of how the client accumulated their overall economic position, not only the specific funds used in the Order.
5. Risk-based approach
The Service operates a risk-based approach and maintains an internal client-risk scoring system. Each client and each Order is assessed across several risk dimensions:
- Client risk: type of client (individual, entity), PEP status, occupation, residency, citizenship;
- Geographic risk: country of residence, country of citizenship, country of counterparty, country of asset, FATF grey/black-list exposure;
- Product/service risk: crypto on-ramp vs. off-ramp, escrow vs. spot exchange, size of deal, speed required;
- Delivery-channel risk: fully online, hybrid or in-person settlement;
- Transaction risk: amount, frequency, structuring patterns, unusual behaviour, chain and token specifics.
Clients and Orders are allocated to one of at least three risk tiers — typically low, medium and high — with a corresponding intensity of due diligence, monitoring and approval levels. Risk profiles are reviewed periodically and whenever a material change is observed.
6. Crypto-specific controls
6.1 Blockchain / on-chain analytics
The Service uses on-chain analytics tools to assess the risk profile of wallets involved in every Order — both the wallet from which a deposit is received and the wallet to which a withdrawal is directed. Among other risk indicators, the Service evaluates direct and indirect exposure to:
- Sanctioned addresses and entities;
- Mixing services, tumblers, coin-joiners and other anonymising infrastructure;
- Darknet markets, ransomware operators and known fraud schemes;
- Exchanges with weak KYC, gambling platforms and addresses linked to public hacks;
- High concentration of flows from jurisdictions subject to comprehensive sanctions programmes.
Deposits reaching risk thresholds defined by the Service's internal scoring model may be placed on hold, subject to enhanced due diligence, returned to the sender net of a refund commission, or reported to the competent authority, as appropriate.
6.2 Travel Rule / Transfer of Funds Regulation (TFR)
For crypto transfers that fall within the scope of the EU Transfer of Funds Regulation and similar Travel Rule regimes, the Service collects and transmits the required originator and beneficiary information to its counterparties, and expects counterparties to reciprocate. Where required data is missing, inconsistent or cannot be reconciled, the Service may delay, freeze or reject the transfer and, where applicable, return the funds to the sender.
6.3 Privacy-enhancing assets and tooling
Privacy-focused cryptocurrencies, anonymity-enhancing tokens and obfuscation techniques (such as mixers, tumblers or anonymising wallets) are treated as higher-risk. The Service may refuse deposits or withdrawals involving such assets, or apply strict EDD measures — including detailed source-of-funds evidence and senior-compliance approval — before processing the Order.
7. Escrow-specific controls for real-asset deals
Escrow deals for real estate, cars, yachts, watches, jewelry and art bring together counterparties, banks, notaries, dealers and logistics partners. On top of standard CDD, the Service applies the following checks to such deals:
- Counterparty due diligence: identification and sanctions screening of the seller or selling entity, their directors and UBOs, including proof that the counterparty is the lawful owner or duly authorised seller of the asset;
- Underlying-asset provenance: verification that the asset is real and lawfully in circulation — for example, title deeds and cadastral data for real estate, VIN and registration history for vehicles, hull and flag registration for yachts, serial numbers and provenance for watches, jewelry and art;
- Price-reasonableness check: comparison of the declared asset price with observable market references to detect potential trade-based money laundering or value manipulation;
- Third-party integration: liaison with the notary, dealership, auction house or bank involved in the deal, with supporting documentation filed on the Order;
- Release conditions: escrow release only after satisfaction of pre-agreed conditions (notarial signing, title transfer, hand-over protocol, insurance confirmation, etc.), documented in the escrow instruction;
- Blocked corridors: escrow services are not offered for assets located in, or legally connected to, jurisdictions subject to comprehensive sanctions, and are not offered to buyers or sellers appearing on sanctions or PEP-restricted lists.
8. Ongoing monitoring & suspicious-activity reporting
Client relationships and Orders are subject to continuous monitoring throughout their lifetime. Automatic and manual controls look for anomalies such as:
- Structuring of deposits or withdrawals to stay below reporting thresholds;
- Patterns inconsistent with the client's declared profile or expected activity;
- Rapid passage of funds through the Service ("pass-through" behaviour) with no apparent economic purpose;
- Unusual changes in deposit/withdrawal addresses, beneficiaries or bank accounts;
- Involvement of new counterparties, jurisdictions or asset classes outside the client's stated scope.
When suspicion arises, the compliance team performs an internal investigation. Where legally required, a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) is filed with the relevant Financial Intelligence Unit (FIU) without notifying the client concerned ("tipping off" is strictly prohibited). The Service may continue, freeze, reverse or terminate an Order in line with the instructions received from the competent authority.
9. Sanctions screening
Every client, counterparty, beneficial owner, wallet address and, where applicable, underlying asset and vessel is screened against:
- The EU consolidated list of persons, groups and entities subject to financial sanctions;
- UN Security Council consolidated sanctions list;
- OFAC's Specially Designated Nationals and Blocked Persons (SDN) list and sector-specific programmes;
- National sanctions lists of relevant EU member states and Ukraine;
- Regularly updated list of comprehensively sanctioned jurisdictions and territories.
Transactions involving designated persons, entities, vessels or jurisdictions are refused or frozen in line with applicable law, and reported to the competent authorities where required.
10. Record keeping
The Service maintains complete records of its AML/CTF/KYC and sanctions-screening activities in accordance with applicable law. Unless a longer period is prescribed, the following minimum retention rules apply:
- KYC and identity files: at least five (5) years after the end of the business relationship;
- Transaction and Order records: at least five (5) years after the date of the transaction;
- Escrow-deal files and underlying-asset documentation: at least five (5) years after deal completion or termination;
- STR/SAR files, internal reports and compliance correspondence: at least five (5) years after filing or closure;
- System and access logs relevant to compliance: in line with internal retention policies and applicable data-protection law.
Records are stored securely, with access restricted to personnel and authorities legitimately entitled to them, and processed in accordance with our Privacy Policy.
11. Governance, MLRO & training
The Company operates an independent compliance function, led by a designated Money Laundering Reporting Officer (MLRO) or equivalent senior compliance role. The compliance function is responsible for:
- Drafting, updating and approving AML/CTF/KYC and sanctions procedures;
- Running the internal risk assessment and adjusting the risk-based approach;
- Reviewing high-risk Orders, PEP relationships and escrow deals requiring senior approval;
- Filing STRs/SARs and communicating with Financial Intelligence Units and other authorities;
- Monitoring the performance of third-party KYC, screening and analytics providers engaged by the Company;
- Reporting regularly to senior management and, where applicable, to the Company's board.
All staff involved in client on-boarding, Order execution, escrow management, customer support and engineering receive regular AML/CTF, sanctions and crypto-specific training, including red-flag indicators, escalation procedures, data-protection obligations and the rules on tipping off. Refresher training is delivered at least annually and after any material regulatory change.
12. Refusal of service & cooperation with authorities
The Service reserves the right to refuse to open, or to terminate, a business relationship or a specific Order where:
- The client is unable or unwilling to complete the required KYC/CDD steps;
- Provided information or documentation is inconsistent, forged or otherwise unreliable;
- Source of funds or source of wealth cannot be reasonably verified;
- The client, a counterparty, a wallet or an underlying asset is connected to sanctions, illicit activity or high-risk on-chain exposure;
- The Service becomes subject to a legal, regulatory or judicial instruction to suspend, freeze or close the relationship;
- Continuing the relationship would materially exceed the Service's risk appetite.
Where required by law, the Company cooperates with regulators, FIUs, tax authorities, courts and law-enforcement agencies, including by producing documents, transaction data and KYC records upon receipt of a valid request.
13. Contact & reporting a concern
For questions relating to this Policy, to report a concern, or to share information that may be relevant to the Service's AML/CTF/sanctions framework, please use the channels below:
- Email (compliance): support@crypocto.com (please mark the subject line with "Compliance" or "AML" for faster routing)
- Contact form: crypocto.com/contact
- Service operator: the legal entity responsible for the Crypocto brand — full legal name, registered office and regulatory details available on request.
This Policy should be read together with our Privacy Policy and Terms of Service, which describe how personal data is processed and the broader contractual framework for the Service.