Overview
Purpose
This Anti-Money Laundering and Counter-Terrorist Financing ("AML/CFT") Policy sets forth the principles, standards and internal controls adopted by Xwally, the operating entity responsible for the provision of the Services (hereinafter referred to as "Xwally" or "the Company"), to prevent money laundering, terrorist financing and other financial crimes. The Policy is designed to ensure compliance with applicable AML/CFT laws and regulations, including but not limited to:
- EU AML Directives (including AMLD4, AMLD5 and AMLD6);
- FATF Recommendations;
- Relevant national laws in the jurisdictions where the Company operates.
Scope
This policy applies to:
- All directors, employees, contractors, and agents of the Company;
- All customers and counterparties; and
- All third-party service providers handling client data, custody or payments.
Definitions
Virtual Currency Wallet service: custody and administration of crypto-assets on behalf of clients.
Customer Due Diligence (CDD): identification and verification measures under the AML framework.
PEP: Politically Exposed Person.
Beneficial Owner: natural person(s) ultimately controlling or owning a customer.
Governance & Oversight
Board of Directors/Management: ultimate accountability for AML/CFT Compliance.
Money Laundering Reporting Officer (MLRO): The Company appoints an AML/CFT Compliance Officer (MLRO), as required by applicable law. The MLRO must have the necessary knowledge, experience, and good repute in the AML/CFT Compliance field. The MLRO has direct access to the Board of Directors/Management and the authority to take measures to ensure AML compliance.
- Direct reporting line to the Board/Management.
- Responsible for implementing AML/CFT measures, filing Suspicious Transactions Reports (STRs), and ensuring compliance with regulatory obligations.
Compliance Department: assists the MLRO in daily compliance operations including but not limited to monitoring, training and reporting.
Risk-Based Approach
The Company adopts a risk-based approach to AML/CFT, consistent with applicable laws in its operating jurisdictions, EU law where applicable, and international best practices. The Company assesses and manages risks in the following categories:
Customer Risk Factors
Examples of higher-risk customers include:
- Business relationships established under unusual circumstances;
- Customers residing in geographic areas with higher risk;
- Legal entities or entities without legal personality that serve as vehicles for holding personal assets;
- Complex ownership structures;
- High-risk occupations or activities (e.g., cash-intensive businesses);
- Adverse media results indicating high risk.
Geographical Risk Factors
Examples of higher-risk jurisdictions include:
- Countries subject to sanctions, embargoes, or similar measures issued by bodies such as the European Union or the United Nations;
- Jurisdictions identified as having a significant level of corruption or other criminal activity;
- Jurisdictions identified as major sources of terrorist financing or where identified terrorist organizations operate;
- FATF "Jurisdictions under Increased Monitoring" (the "grey list") and "High-Risk Jurisdictions subject to a Call for Action" (the "black list").
Product, Service, Business Risk Factors
Examples of higher-risk products and services include:
- Private banking-like services;
- Products or features that could be conducive to anonymity;
- Rapid conversion between fiat and crypto-assets.
Channel / Distribution Risk Factors
Examples of higher-risk channels include:
- Indirect commercial relations or transactions (use of third-party intermediaries, especially from high-risk jurisdictions);
- Remote onboarding where robust electronic identity verification is not possible.
The Company has assessed its inherent ML/TF risks by category of customer, service, channel and geography, and has identified the residual risk that remains after control measures are applied. The Company's internal procedures and controls are adequate and proportionate to the nature, scale and complexity of its business, and are intended to ensure compliance with all applicable regulations.
Application of Risk-Based Approach
- The Business-Wide Risk Assessment (BWRA) will be conducted annually or whenever new risks emerge.
- Customer Risk Assessment (CRA): will be performed at the onboarding stage and periodically reviewed (depending on the assigned risk level).
- Enhanced Due Diligence: will be performed when a high-risk client is identified or unusual transaction patterns occur.
- Monitoring frequency: aligns with customer risk classification.
Customer Due Diligence
Basic Customer Due Diligence (CDD)
For Individuals:
- Full name
- Date of birth
- Nationality
- Government-issued ID
- Biometric verification (where required and applicable)
- Address
- Unique identification number (e.g., identity card number, birth certificate number, or passport number)
For Entities:
- Certificate of Incorporation/Registration
- Unique identification number (e.g., the business registration number)
- Directors
- Registered address
- Beneficial Owners
- Verification against official registers (where available and applicable)
When Customer Due Diligence (CDD) is conducted
The Company performs CDD in the following situations, in accordance with applicable AML/CFT regulations:
- At the establishment of a business relationship.
- For occasional transactions exceeding the thresholds designated by applicable law (e.g., EUR 15,000 or equivalent; for crypto-asset transactions, lower thresholds such as EUR 1,000 may apply under specific national regulations).
- For crypto-asset transfers, regardless of value, where applicable Travel Rule regulations (e.g., Regulation (EU) 2023/1113) require the Company to collect and transmit originator and beneficiary information.
- When there is a suspicion of money laundering, terrorist financing, or proliferation financing.
- When the Company doubts the veracity or adequacy of previously obtained customer information.
- When material changes occur in customer circumstances that may affect their risk profile.
The Company shall refuse to establish a new business relationship or terminate an existing one if it cannot properly identify and verify the customer or the beneficial owner. The Company will not carry out any transactions for such a client until all mandatory CDD measures are completed. In such cases, the Company shall report to the relevant Financial Intelligence Unit as required by law.
When will Enhanced Due Diligence (EDD) be required
- For Politically Exposed Persons (PEPs), their family members and close associates:
  - When establishing or maintaining a business relationship with a PEP, the Company applies enhanced measures: (i) obtaining approval from senior management; (ii) establishing the source of wealth and source of funds; (iii) applying enhanced ongoing monitoring of the PEP's transactions.
  - If the customer ceases to be a PEP, the Company continues enhanced monitoring for a defined period (e.g., at least 12 months) before considering a lower risk classification.
- For customers from or linked to high-risk jurisdictions.
- For customers using privacy-enhancing technologies (e.g., privacy coins, mixers) or exhibiting behavior indicative of layering.
- For unusual or complex transactions without an apparent economic or lawful purpose.
- When adverse media screening generates a high-risk alert.
Prohibited Customers
The Company will not establish or maintain a business relationship with customers who fall into any of the following categories:
- Individuals or entities who fail to provide satisfactory identification or verification documentation, such that the Company is unable to identify the customer or its beneficial owner;
- Individuals or entities currently listed on UN, EU, OFAC, UK or other relevant governmental sanctions lists;
- Individuals or entities domiciled in jurisdictions subject to comprehensive international sanctions or included in the FATF "High-Risk Jurisdictions subject to a Call for Action" (the "black list");
- Shell banks;
- Entities engaging in business activities that are prohibited under this Policy or applicable law;
- Other prohibited types of customers or accounts as determined by the Company's risk appetite and internal risk scoring system.
The detailed criteria are set out in the Company's internal Money Laundering and Terrorist Financing Risk Assessment documentation.
Ongoing Monitoring
Transaction monitoring
The Company uses automated transaction monitoring systems with pre-established rules to monitor transactions, both in real time and retrospectively, for unusual activity.
These rules are tailored to the nature of the Company's different products and services. The system is designed to detect unusual or suspicious patterns and trends that may indicate money laundering or terrorist financing.
Examples of red flags include:
- Structuring of transactions to evade reporting thresholds
- Transactions linked to darknet platforms or known illicit addresses
- Unusual patterns of deposits and withdrawals inconsistent with the customer's profile
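The following is an added illustration of how two of the red flags above can be expressed as pre-established monitoring rules and run retrospectively over a transaction history. It is not Xwally's monitoring system or its rule set; the threshold, near-threshold ratio, look-back window, minimum count and deviation multiplier are assumed parameters, and the transactions and declared monthly volumes are constructed sample data.

```python
"""Illustrative transaction-monitoring rules: structuring detection and
profile deviation, run over constructed sample transactions.
All parameters below are assumptions, not values taken from the policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed rule parameters (not from the policy text)
THRESHOLD_EUR = 1000.0          # reporting/CDD threshold the structuring rule guards
NEAR_RATIO = 0.8                # >= 80% of the threshold counts as "just under"
WINDOW = timedelta(hours=72)    # look-back window for aggregating transfers
MIN_COUNT = 3                   # minimum number of near-threshold transfers to alert
DEVIATION_MULTIPLIER = 3.0      # outflow > 3x declared monthly volume is "inconsistent"


@dataclass(frozen=True)
class Tx:
    tx_id: str
    customer_id: str
    ts: datetime
    amount_eur: float
    direction: str   # "in" (deposit) or "out" (withdrawal)


@dataclass(frozen=True)
class Alert:
    rule: str
    customer_id: str
    tx_ids: tuple
    detail: str


def detect_structuring(txs, threshold=THRESHOLD_EUR, ratio=NEAR_RATIO,
                       window=WINDOW, min_count=MIN_COUNT):
    """Flag runs of at least `min_count` same-direction transfers, each just
    under the threshold, whose total inside one window meets or exceeds it.
    Each alert covers the maximal run starting at its first transfer."""
    alerts = []
    groups = {}
    for tx in sorted(txs, key=lambda t: t.ts):
        if ratio * threshold <= tx.amount_eur < threshold:
            groups.setdefault((tx.customer_id, tx.direction), []).append(tx)
    for (cust, direction), seq in groups.items():
        i = 0
        while i < len(seq):
            j = i
            while j + 1 < len(seq) and seq[j + 1].ts - seq[i].ts <= window:
                j += 1                      # extend the run while inside the window
            group = seq[i:j + 1]
            total = sum(t.amount_eur for t in group)
            if len(group) >= min_count and total >= threshold:
                alerts.append(Alert("structuring", cust, tuple(t.tx_id for t in group),
                                    f"{len(group)} {direction} transfers totalling "
                                    f"EUR {total:.2f} within {window}"))
                i = j + 1                   # do not re-flag the same transfers
            else:
                i += 1
    return alerts


def detect_profile_deviation(txs, expected_monthly_eur, multiplier=DEVIATION_MULTIPLIER,
                             window=timedelta(days=30)):
    """Flag customers whose rolling 30-day outflow exceeds `multiplier` times the
    monthly volume declared at onboarding (expected_monthly_eur: customer_id -> EUR)."""
    alerts = []
    by_cust = {}
    for tx in txs:
        if tx.direction == "out":
            by_cust.setdefault(tx.customer_id, []).append(tx)
    for cust, seq in by_cust.items():
        declared = expected_monthly_eur.get(cust)
        if declared is None:
            continue                        # no profile on file: nothing to compare against
        seq.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(seq)):
            while seq[end].ts - seq[start].ts > window:
                start += 1                  # slide the window forward
            group = seq[start:end + 1]
            total = sum(t.amount_eur for t in group)
            if total > multiplier * declared:
                alerts.append(Alert("profile_deviation", cust, tuple(t.tx_id for t in group),
                                    f"30-day outflow EUR {total:.2f} vs declared EUR {declared:.2f}/month"))
                break                       # one alert per customer is enough for review
    return alerts


# Constructed sample data (not real customers or transactions)
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_TXS = [
    # C1: four deposits just under EUR 1,000 within two days -> structuring
    Tx("t1", "C1", T0, 900.0, "in"),
    Tx("t2", "C1", T0 + timedelta(hours=6), 950.0, "in"),
    Tx("t3", "C1", T0 + timedelta(days=1), 920.0, "in"),
    Tx("t4", "C1", T0 + timedelta(days=2), 980.0, "in"),
    # C2: only two near-threshold deposits plus a small one -> below MIN_COUNT
    Tx("t5", "C2", T0, 900.0, "in"),
    Tx("t6", "C2", T0 + timedelta(hours=1), 900.0, "in"),
    Tx("t7", "C2", T0 + timedelta(hours=2), 200.0, "in"),
    # C3: one deposit above the threshold (subject to CDD directly, not this rule),
    # then withdrawals far above the declared monthly volume -> profile deviation
    Tx("t8", "C3", T0, 5000.0, "in"),
    Tx("t9", "C3", T0 + timedelta(days=3), 800.0, "out"),
    Tx("t10", "C3", T0 + timedelta(days=10), 900.0, "out"),
]
EXPECTED_MONTHLY_EUR = {"C1": 5000.0, "C2": 2000.0, "C3": 500.0}


def run_rules(txs=SAMPLE_TXS, profiles=EXPECTED_MONTHLY_EUR):
    """Run every rule and return the combined alert list for analyst review."""
    return detect_structuring(txs) + detect_profile_deviation(txs, profiles)


if __name__ == "__main__":
    for alert in run_rules():
        print(alert.rule, alert.customer_id, alert.tx_ids, alert.detail)
```

Two design points worth noting for anyone adapting this: the structuring rule keys on customer and direction separately, because deposits and withdrawals structured in opposite directions are distinct patterns, and it reports the maximal run inside the window so that one alert reaches the analyst rather than one per overlapping sub-window. The profile rule deliberately skips customers with no declared volume on file, which in a real program should itself be a data-quality finding rather than a silent pass.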
Ongoing review
The Company will continuously monitor customer profiles and transaction activity.
The Company will conduct risk-based periodic reviews depending on customers' risk level.
Periodic review frequency by risk level:
- Low risk: every 3 years
- Medium risk: every 2 years
- High risk: every year
The Company will review all automated alerts generated by the monitoring system.
Adverse Media, Politically Exposed Persons (PEP) and Sanctions Screening
Screening is conducted against:
- EU sanctions lists;
- United Nations Security Council Consolidated List;
- OFAC Specially Designated Nationals (SDN) List and other relevant US sanctions lists;
- Other regional and international sanctions lists as applicable;
- PEP databases;
- Adverse media sources.
Transactions that involve sanctioned parties or assets must be frozen/rejected and reported to the relevant FIU in accordance with applicable law.
Travel Rule Compliance
The Company complies with applicable Travel Rule obligations (e.g., EU Transfer of Funds Regulation). Details are set out in a separate Travel Rule Policy or procedure.
Key obligations include:
- Collecting, verifying, and retaining accurate originator and beneficiary information for crypto-asset transfers.
- Ensuring the secure and accurate transmission of required data to counterparty VASPs.
- Implementing risk-based procedures for handling transfers involving unhosted or non-custodial wallets.
Reporting
Reporting obligations
The Company is obliged to file a suspicious transaction report ("STR") on suspicious transactions or unusual activity with the relevant Financial Intelligence Unit without undue delay upon:
- Identification of a suspicious transaction or activity,
- An attempt to carry out such a transaction/activity, or
- Where EDD cannot resolve concerns regarding an unusual transaction/activity.
The Company's reporting process is designed to keep the contents of any report confidential from unauthorized persons.
Delaying Suspicious Transactions
In accordance with applicable law, the Company is obliged to delay executing a suspicious transaction until it has been reported to the FIU, unless such delay is impossible or could jeopardize investigative efforts. The delay of a transaction is carried out by suspending the customer's instructions or temporarily restricting account functionality. The MLRO or designated Responsible Person decides on the delay.
The Company shall not delay the transaction if:
- It cannot be delayed for operational or technical reasons; the Company shall immediately inform the FIU of this fact; or
- The delay could, according to prior guidance from the FIU, frustrate the investigation or law enforcement actions.
Anti-Tipping-Off (Prohibition on Disclosure of Suspicious Activity Reporting)
It is strictly prohibited to disclose to a client or any third party the fact that a suspicious transaction report has been filed, is being prepared, or that related checks are being conducted. Employees must maintain strict confidentiality; exceptions apply only when expressly required or authorized by law.
Record Keeping
Retention
The Company shall retain all CDD data, identification documents, account files, business correspondence, and transaction records for a minimum period as required by applicable law (typically five years) from the termination of the business relationship or the date of the occasional transaction.
Extension
The relevant FIU or supervisory authority may, by written notice, extend the retention period. The Company retains data related to cross-border correspondent relationships and beneficial ownership for the required duration as per applicable regulations.
Data Protection
The Company complies with applicable data protection laws, including the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) where relevant.
The Company shall safeguard the personal data of its customers in the manner prescribed by law.
Personal data processed for AML/CFT purposes is handled within secure systems with restricted access on a need-to-know basis.
Training and Awareness
- Mandatory AML/CFT training for all relevant employees upon hiring and periodically thereafter;
- Annual refresher training for all staff involved in compliance, onboarding, or transaction processing;
- Specialized training for the Compliance Department and MLRO;
- Training records are maintained for audit and supervisory review.
Independent Controls and Review
- Regular testing of transaction monitoring and sanctions screening systems.
- Annual independent audit (internal or external) of the AML/CFT framework, as required by the risk profile and applicable law.
- Findings are escalated to the Board/Management, with corrective action plans implemented and monitored.
Cooperation with Authorities
The Company shall cooperate fully with relevant Financial Intelligence Units, national competent authorities (e.g., National Bank), and international competent authorities upon receiving official and lawful requests.
Policy Review
This Policy will be reviewed at least annually, or earlier if:
- New or amended regulations or regulatory guidance are issued;
- Material findings from internal or external audits demand updates;
- Emerging ML/TF risks, typologies, or deficiencies in the current program are identified;
- Significant changes occur in the Company's business model, products, or geographic reach.