Anti-Money Laundering, Counter-Terrorist Financing & Customer Due Diligence Framework (AML/CTF & CDD Framework)
Effective Date: 20 November 2025
Approved By: Management Board
CRP Unio Limited s.r.o. ("the Company") operates as a payment agent and provides services involving digital assets and fiat currency. Due to the nature of these services, the Company is exposed to specific risks of money laundering (ML) and terrorist financing (TF).
This Policy establishes the framework for identifying, assessing, and mitigating ML/TF risks. It is designed to ensure full compliance with all applicable regulations, including:
· EU Anti-Money Laundering Directives (AMLD5, AMLD6);
· Czech AML Act No. 253/2008 Coll.;
· FATF Recommendations;
· Guidelines from banking partners, card issuers, and payment service providers.
The Policy ensures that:
· The Company maintains transparent, ethical, and compliant operations.
· Employees are equipped to detect, prevent, and report suspicious activities.
· Clients are onboarded and monitored in line with regulatory standards.
· All employees, contractors, and agents are required to comply with this Policy at all times. Failure to do so may result in disciplinary or legal action.
This Policy applies to:
· All employees, officers, agents, and contractors of the Company;
· All new and existing clients (individuals and corporate entities);
· All products and services involving:
o Crypto deposits and withdrawals,
o Crypto-to-fiat conversions,
o Loading fiat onto payment cards,
o Any related financial or operational processes.
This Policy must be followed at all times and overrides any conflicting operational procedures.
Money Laundering (ML): Concealing the origin of criminal proceeds through placement, layering, and integration.
Terrorist Financing (TF): Providing funds, from lawful or unlawful sources, to support terrorist activity.
Know Your Customer (KYC): Procedures used to verify client identity and understand their financial activities.
Source of Funds (SOF): Documentation explaining the origin of funds used in a specific transaction.
Source of Wealth (SOW): Documentation describing how a client accumulated their total wealth over time.
Ultimate Beneficial Owner (UBO): The natural person who ultimately owns or controls a legal entity (generally ≥25% ownership).
Politically Exposed Person (PEP): Individuals in prominent public functions, their family members, or close associates, who may present higher ML/TF risk.
Adverse Media: Publicly available information indicating possible criminal, fraudulent, or unethical conduct.
The Company adopts a risk-based approach (RBA), tailoring AML measures to the risk level of each client, transaction, and service.
Risk Indicators:
· Client’s country of residence or incorporation;
· Type of cryptocurrency or fiat transaction;
· Transaction volume, frequency, and pattern;
· Client occupation, business model, and source of funds;
· Use of anonymous wallets or high-risk blockchain tools.
Risk Categories:
· Low Risk: Standard clients with predictable financial behavior and fully verified identity.
· Medium Risk: Clients in moderately complex industries, using multiple wallets, or conducting large but explainable transactions.
· High Risk: PEPs, clients from high-risk jurisdictions, clients using high-risk crypto sources, or clients with inconsistent transaction behavior.
The RBA is applied dynamically, with risk scores updated based on transactional or behavioral changes.
Customer due diligence (CDD) and KYC are central to preventing ML/TF. The Company follows a tiered approach depending on risk levels.
The primary objectives are:
1. Verify the true identity of clients;
2. Understand the client’s financial profile and intended use of services;
3. Identify UBOs for corporate clients;
4. Detect high-risk clients, PEPs, and clients linked to sanctioned countries;
5. Collect information for ongoing monitoring and risk scoring.
Individuals:
· Government-issued ID: Passport, national ID card, or driver’s license. Must be verified against a trusted database or using automated ID verification tools.
· Biometric or liveness check: Facial recognition, video verification, or other AI-powered methods to prevent identity fraud.
· Proof of address: Utility bill, bank statement, or official letter not older than 90 days.
· Contact details: Email, phone number, and geolocation/IP for verification of regional compliance.
· Occupation and source of income: Helps determine risk score and detect unusual financial behavior.
Corporates:
· Proof of legal existence: Certificate of incorporation, business license, or registration documents.
· Ownership structure: List of directors, shareholders, and UBOs.
· Business purpose: Description of intended activity, transaction volume expectations, and rationale for using services.
· High-risk industries: Additional documentation for crypto companies, forex platforms, gaming operators, and cash-intensive businesses.
· Financial statements: Annual reports, bank statements, or audited accounts to verify legitimacy of funds.
· Automated Verification (IDV): AI-driven document checks, facial recognition, and fraud detection.
· Manual Review: Compliance officers review flagged or high-risk clients.
· Sanctions & PEP Screening: Screening against EU, OFAC, UN, and domestic Czech sanctions lists.
· Adverse Media Checks: Using global media and OSINT tools to identify negative history.
· Blockchain Verification (for crypto clients): Wallet provenance, transaction history, and exposure to high-risk sources.
High-risk clients undergo Enhanced Due Diligence (EDD), which may include:
· Detailed Source of Wealth (SOW) and Source of Funds (SOF) documentation;
· Verification of all corporate subsidiaries and related wallets;
· In-person or video interviews;
· Periodic re-evaluation of risk score and transaction behavior.
KYC is not a one-time procedure. Ongoing monitoring includes:
· Periodic re-verification of documents;
· Updates for changes in corporate ownership, client occupation, or jurisdiction;
· Continuous assessment of transaction behavior against the expected profile.
A client may only be onboarded when:
· All KYC documents are verified;
· Sanctions/PEP checks are cleared or manageable;
· Risk scoring is completed and approved;
· Wallets are verified using blockchain analytics.
The Company does not onboard:
· Clients from FATF blacklisted jurisdictions;
· Sanctioned individuals or entities;
· Anonymous clients or those refusing verification;
· Shell banks or unregulated financial institutions.
Compliance monitors:
· Wallet provenance and ownership;
· Transaction history for illicit source exposure;
· Transfers involving mixers, stolen funds, darknet markets, or fraud;
· High-risk transaction patterns such as layering, spikes in volume, and continuous micro-transactions.
Allowed:
· Verified client wallets;
· Reputable centralized exchanges;
· Transparent multi-signature corporate wallets.
Prohibited:
· Mixers/tumblers used to obfuscate history;
· High-risk or unlicensed gambling websites;
· Wallets linked to known criminal activity.
Employees must complete annual training on:
· AML/CTF regulations and updates;
· Recognizing suspicious activities;
· Customer onboarding procedures;
· Blockchain analytics tools;
· Sanctions/PEP screening.
New employees must complete AML onboarding within 30 days. Training effectiveness is evaluated via testing and audit review.
· Monitor deviations from client profiles;
· Identify structuring or unusual transaction volumes;
· Escalate suspicious patterns to Compliance;
· Maintain logs of alerts and actions taken.
· Low risk: every 36 months;
· Medium risk: every 24 months;
· High risk: every 12 months or upon risk events.
EDD is required for high-risk clients and transactions:
· Additional identity verification;
· Detailed SOF/SOW documentation;
· Contracts, invoices, tax statements, payslips;
· Video interviews and OSINT investigations;
· Senior compliance approval required.
All clients are screened at onboarding and continuously:
· Global sanctions (EU, OFAC, UN);
· Czech domestic sanctions;
· PEP identification and classification;
· Adverse media checks.
All matches are reviewed, documented, and escalated as necessary.
· Employees report suspicious activity to Compliance immediately;
· Compliance investigates and may submit SARs to the Czech FIU;
· Client accounts may be temporarily frozen;
· Confidentiality and whistleblower protections apply.
The Company retains:
· KYC documents;
· Transaction histories;
· Monitoring reports and SARs;
· Communications relating to compliance.
Retention: Minimum 5 years; extended if legally required.
Know Your Transaction (KYT) complements KYC by analyzing the risks associated with each transaction, particularly in crypto and cross-border payments.
· Detect suspicious transaction patterns in real-time;
· Identify high-risk wallets or counterparties;
· Ensure transactions align with the client’s declared profile;
· Prevent facilitation of ML/TF activities.
· Real-Time Monitoring:
· Every transaction is assessed automatically using blockchain analytics and AI risk-scoring.
· Metadata including IP, geolocation, device type, and wallet history is analyzed.
· Risk Indicators:
· Use of high-risk crypto coins (privacy coins, stablecoins with opaque issuers);
· Transfers involving mixers/tumblers, darknet markets, or stolen funds;
· Sudden spikes in transaction volume inconsistent with client profile;
· Rapid conversion of crypto to fiat or cross-border transfers with no clear business rationale.
· Transaction Scoring:
· Low-risk transactions: Automated approval;
· Medium-risk: Manual review by compliance officer;
· High-risk: EDD, temporary hold, or blocking pending investigation.
· Blockchain & Counterparty Checks:
· Verification of wallet ownership and previous transaction history;
· Screening against lists of known fraud, hacked wallets, or sanctioned addresses;
· Risk scoring incorporates both origin and destination of funds.
· Suspicious transactions trigger alerts to the compliance team;
· High-risk transactions may result in SAR filing with Czech FIU;
· KYT logs include all flagged transactions, actions taken, and approvals for audit purposes.
· KYT parameters are periodically adjusted to reflect emerging trends in crypto and financial crimes;
· Historical data is analyzed to identify hidden patterns or repeat offenders;
· Integration with KYC ensures continuous alignment between client profile and transaction behavior.
Low Risk: Germany, France, Netherlands, Sweden, Czech Republic, Slovakia, UK, Switzerland, Canada, Australia, New Zealand, Japan, South Korea, Singapore.
Medium Risk: Turkey, Ukraine, Georgia, Mexico, Brazil, South Africa, Thailand, Malaysia, Philippines, Vietnam, India, Indonesia.
High Risk: Nigeria, Pakistan, Algeria, Iraq, Sri Lanka, Cambodia, Myanmar, Belarus, Russia.
FATF High-Risk: North Korea, Iran.
· Prohibit onboarding from FATF blacklisted or sanctioned countries;
· Ban transactions from jurisdictions prohibiting crypto.
· Automated IP checks, VPN detection;
· Quarterly jurisdiction risk review;
· Geopolitical and regulatory changes trigger reassessment.
Low Risk: Legal, accounting, IT consulting (non-crypto), retail, manufacturing, healthcare.
Medium Risk: E-commerce, marketing, SaaS, logistics, real estate, digital marketplaces.
High Risk: Crypto exchanges/OTC brokers, forex platforms, gambling, adult entertainment, NGOs, cash-intensive businesses, payday lenders.
Prohibited: Unlicensed financial services, shell companies, anonymity-focused services, unregulated crypto mixers.
· Compliance reviews annually; updates as needed;
· Staff notified of amendments;
· Effectiveness monitored via audits and incident reviews.
Approved:
Oleksandr Taranczuk | Director | CRP Unio Limited s.r.o.