Anti-Money Laundering, Counter-Terrorist Financing & Customer Due Diligence Framework (AML/CTF & CDD Framework)
Effective Date: 20 April 2026
Approved By: Management Board
CRP Unio Limited s.r.o. ("the Company") operates as a payment agent and provides services involving digital assets and fiat currency. Due to the nature of these services, the Company is exposed to specific risks of money laundering (ML) and terrorist financing (TF).
This Policy establishes the framework for identifying, assessing, and mitigating ML/TF risks. It is designed to ensure full compliance with all applicable regulations, including:
· EU Anti-Money Laundering Directives (AMLD5, AMLD6);
· Czech AML Act No. 253/2008 Coll.;
· FATF Recommendations;
· Guidelines from banking partners, card issuers, and payment service providers.
The Policy ensures that:
· The Company maintains transparent, ethical, and compliant operations.
· Employees are equipped to detect, prevent, and report suspicious activities.
· Clients are onboarded and monitored in line with regulatory standards.
· All employees, contractors, and agents are required to comply with this Policy at all times. Failure to do so may result in disciplinary or legal action.
This Policy applies to:
· All employees, officers, agents, and contractors of the Company;
· All new and existing clients (individuals and corporate entities);
· All products and services involving:
o Deposits and withdrawals,
o Conversions,
o Loading fiat onto payment cards,
o Any related financial or operational processes.
This Policy must be followed at all times and overrides any conflicting operational procedures.
Money Laundering (ML): Concealing the origin of criminal proceeds through placement, layering, and integration.
Terrorist Financing (TF): Providing funds, from lawful or unlawful sources, to support terrorist activity.
Know Your Customer (KYC): Procedures used to verify client identity and understand their financial activities.
Source of Funds (SOF): Documentation explaining the origin of funds used in a specific transaction.
Source of Wealth (SOW): Documentation describing how a client accumulated their total wealth over time.
Ultimate Beneficial Owner (UBO): The natural person who ultimately owns or controls a legal entity (generally ≥25% ownership).
Politically Exposed Person (PEP): Individuals in prominent public functions, their family members, or close associates, who may present higher ML/TF risk.
Adverse Media: Publicly available information indicating possible criminal, fraudulent, or unethical conduct.
The Company adopts a risk-based approach (RBA), tailoring AML measures to the risk level of each client, transaction, and service.
Risk Indicators:
· Client's country of residence or incorporation;
· Type of currency;
· Transaction volume, frequency, and pattern;
· Client occupation, business model, and source of funds;
· Use of anonymous wallets or high-risk blockchain tools.
Risk Categories:
· Low Risk: Standard clients with predictable financial behavior and fully verified identity.
· Medium Risk: Clients in moderately complex industries, using multiple wallets, or conducting large but explainable transactions.
· High Risk: PEPs, clients from high-risk jurisdictions, clients using high-risk sources, or clients with inconsistent transaction behavior.
The RBA is applied dynamically, with risk scores updated based on transactional or behavioral changes.
Customer due diligence (CDD) and KYC are central to preventing ML/TF. The Company follows a tiered approach depending on risk levels.
The primary objectives are:
1. Verify the true identity of clients;
2. Understand the client's financial profile and intended use of services;
3. Identify UBOs for corporate clients;
4. Detect high-risk clients, PEPs, and clients linked to sanctioned countries;
5. Collect information for ongoing monitoring and risk scoring.
Individuals:
· Government-issued ID: Passport, national ID card, or driver's license. Must be verified against a trusted database or using automated ID verification tools.
· Biometric or liveness check: Facial recognition, video verification, or other AI-powered methods to prevent identity fraud.
· Proof of address: Utility bill, bank statement, or official letter not older than 90 days.
· Contact details: Email, phone number, and geolocation/IP for verification of regional compliance.
· Occupation and source of income: Helps determine risk score and detect unusual financial behavior.
Corporates:
· Proof of legal existence: Certificate of incorporation, business license, or registration documents.
· Ownership structure: List of directors, shareholders, and UBOs.
· Business purpose: Description of intended activity, transaction volume expectations, and rationale for using services.
· High-risk industries: Additional documentation for financial companies, forex platforms, gaming operators, and cash-intensive businesses.
· Financial statements: Annual reports, bank statements, or audited accounts to verify legitimacy of funds.
· Automated Verification (IDV): AI-driven document checks, facial recognition, and fraud detection.
· Manual Review: Compliance officers review flagged or high-risk clients.
· Sanctions & PEP Screening: Screening against EU, OFAC, UN, and domestic Czech sanctions lists.
· Adverse Media Checks: Using global media and OSINT tools to identify negative history.
· Blockchain Verification: Wallet provenance, transaction history, and exposure to high-risk sources.
High-risk clients undergo Enhanced Due Diligence (EDD), which may include:
· Detailed Source of Wealth (SOW) and Source of Funds (SOF) documentation;
· Verification of all corporate subsidiaries and related wallets;
· In-person or video interviews;
· Periodic re-evaluation of risk score and transaction behavior.
KYC is not a one-time procedure. Ongoing monitoring includes:
· Periodic re-verification of documents;
· Updates for changes in corporate ownership, client occupation, or jurisdiction;
· Continuous assessment of transaction behavior against the expected profile.
A client may only be onboarded when:
· All KYC documents are verified;
· Sanctions/PEP checks are cleared or manageable;
· Risk scoring is completed and approved;
· Wallets are verified using blockchain analytics.
The Company does not onboard:
· Clients from FATF blacklisted jurisdictions;
· Sanctioned individuals or entities;
· Anonymous clients or those refusing verification;
· Shell banks or unregulated financial institutions.
Employees must complete annual training on:
· AML/CTF regulations and updates;
· Recognizing suspicious activities;
· Customer onboarding procedures;
· Blockchain analytics tools;
· Sanctions/PEP screening.
New employees must complete AML onboarding within 30 days. Training effectiveness is evaluated via testing and audit review.
· Monitor deviations from client profiles;
· Identify structuring or unusual transaction volumes;
· Escalate suspicious patterns to Compliance;
· Maintain logs of alerts and actions taken.
· Low risk: every 36 months;
· Medium risk: every 24 months;
· High risk: every 12 months or upon risk events.
EDD is required for high-risk clients and transactions:
· Additional identity verification;
· Detailed SOF/SOW documentation;
· Contracts, invoices, tax statements, payslips;
· Video interviews and OSINT investigations;
· Senior compliance approval required.
All clients are screened at onboarding and continuously:
· Global sanctions (EU, OFAC, UN);
· Czech domestic sanctions;
· PEP identification and classification;
· Adverse media checks.
All matches are reviewed, documented, and escalated as necessary.
· Employees report suspicious activity to Compliance immediately;
· Compliance investigates and may submit Suspicious Activity Reports (SARs) to the Czech Financial Intelligence Unit (FIU);
· Client accounts may be temporarily frozen;
· Confidentiality and whistleblower protections apply.
The Company retains:
· KYC documents;
· Transaction histories;
· Monitoring reports and SARs;
· Communications relating to compliance.
Retention: Minimum 5 years; extended if legally required.
Know Your Transaction (KYT) complements KYC by analyzing the risks associated with each transaction, particularly cross-border payments.
· Detect suspicious transaction patterns in real-time;
· Identify high-risk wallets or counterparties;
· Ensure transactions align with the client's declared profile;
· Prevent facilitation of ML/TF activities.
· Real-Time Monitoring:
o Every transaction is assessed automatically using blockchain analytics and AI risk-scoring.
o Metadata including IP, geolocation, device type, and wallet history is analyzed.
· Risk Indicators:
o Transfers involving mixers/tumblers, darknet markets, or stolen funds;
o Sudden spikes in transaction volume inconsistent with client profile;
o Rapid conversion or cross-border transfers with no clear business rationale.
· Transaction Scoring:
o Low-risk transactions: Automated approval;
o Medium-risk: Manual review by compliance officer;
o High-risk: EDD, temporary hold, or blocking pending investigation.
· Blockchain & Counterparty Checks:
o Verification of wallet ownership and previous transaction history;
o Screening against lists of known fraud, hacked wallets, or sanctioned addresses;
o Risk scoring incorporates both origin and destination of funds.
· Suspicious transactions trigger alerts to the compliance team;
· High-risk transactions may result in SAR filing with Czech FIU;
· KYT logs include all flagged transactions, actions taken, and approvals for audit purposes.
· KYT parameters are periodically adjusted to reflect emerging trends in financial crimes;
· Historical data is analyzed to identify hidden patterns or repeat offenders;
· Integration with KYC ensures continuous alignment between client profile and transaction behavior.
Low Risk: Germany, France, Netherlands, Sweden, Czech Republic, Slovakia, UK, Switzerland, Canada, Australia, New Zealand, Japan, South Korea, Singapore.
Medium Risk: Turkey, Ukraine, Georgia, Mexico, Brazil, South Africa, Thailand, Malaysia, Philippines, Vietnam, India, Indonesia.
High Risk: Nigeria, Pakistan, Algeria, Iraq, Sri Lanka, Cambodia, Myanmar, Belarus, Russia.
FATF High-Risk: North Korea, Iran.
· Prohibit onboarding from FATF blacklisted or sanctioned countries;
· Automated IP checks, VPN detection;
· Quarterly jurisdiction risk review;
· Geopolitical and regulatory changes trigger reassessment.
Low Risk: Legal, accounting, IT consulting, retail, manufacturing, healthcare.
Medium Risk: E-commerce, marketing, SaaS, logistics, real estate, digital marketplaces.
High Risk: Forex platforms, gambling, adult entertainment, NGOs, cash-intensive businesses, payday lenders.
Prohibited: Unlicensed financial services, shell companies, anonymity-focused services, unregulated mixers.
· Compliance reviews annually; updates as needed;
· Staff notified of amendments;
· Effectiveness monitored via audits and incident reviews.
Approved:
Horvath Zsolt | Director | MTG CREATIVE SOLUTION LIMITED