Latest version as of March 2025.

This Anti-Money Laundering / Know Your Customer Policy (“Policy”) outlines the procedures implemented by Fintopio Virtual Assets LLC (“We”, “Us”, “Our”, “Company”, "Fintopio Kg"), duly licensed as a Virtual Assets Exchange Operator with registration number: 225012-3301-OOO, and registered address at 9 Razzakov St., Business Center Russia, 9th Floor, Room 900, Perwomaisky district, Bishkek city, Kyrgyz Republic, to verify the identity of our Users and determine their eligibility to access our Service.

The purpose of this Policy is to verify the identity of our Users and assess their eligibility to access our Services while ensuring compliance with both AML and KYC regulations.

The KYC processes described herein ensure that only verified Users with legitimate intentions can engage with our Services. By requiring Users to provide accurate personal information and undergo verification steps, Fintopio aims to establish a secure and compliant environment for Digital Asset activities. Our AML measures are established to prevent, detect, and report suspicious Money Laundering or Terrorist Financing activities. These measures enable us to assess Users’ eligibility while meeting regulatory obligations, safeguarding the integrity of our Service, and contributing to the overall security of the financial system. Through these combined efforts in KYC and AML, we strive to maintain a trustworthy platform for all users.

To obtain access to the Service, the User is required to complete the following steps during the verification process.

At this level, the User has access to Fintopio’s platform. With this access level, the User is permitted to:

• Maintain an account balance of up to KGS 100,000.
• Transfer funds to other Fintopio Users within the Service.
• Create and activate vouchers (information about vouchers may be found in Fintopio’s Terms of Use).

The Basic level is available to all Users who are eligible to use the Services under section 5 of the Terms of Use.

To be authorized by Fintopio and obtain the Basic Level, Users shall proceed with the following steps:

• Confirm that the User meets Our verification and eligibility criteria.
• Acknowledge that the User has read and agreed to the Terms of Use and Privacy Policy.
• Provide a valid phone number and verify it through a one-time passcode (OTP) sent via a secure communication channel.
• Submit personal information, including first name, last name, date of birth, and citizenship.

At this level, the User can use the Service and its additional features, such as withdrawals to DeFi wallets. To do so, the User must complete an advanced verification process, including the following:

• Enhanced identity checks such as liveness verification, and
• Document recognition.

Advanced level is available to Users who meet any of the following criteria:

• Have not previously used any Service or have HP balance less than 30,000 HP.
• Have spent at least 80 Telegram Stars in the Mini-App.
• Have purchased Advanced level for 80 Telegram Stars.
• Have purchased any HP package.
• Have performed:
  • Cross-chain swaps totaling at least 400 USD, or
  • Swaps exclusively through TON network totaling at least 1,000 USD, or
  • Combination of swaps under 1) and 2) with the total commission charged by the Company exceeds 1 USD.
• Have spent Telegram Stars in the Mini-App and conducted DeFi swaps, with a total expenditure of 1 USD.
• Have a total balance of at least 100 USD (all coins in equivalent value) on their DeFi wallet, or any positive balance on their CeFi wallet.
• Have attracted 5 referrals, each of whom has completed at least one incoming or outgoing transaction (sending HP points does not count) or made an in-game purchase with Telegram Stars.

In addition to the reasons of classifying the User as an Unapproved User mentioned in the “Basic level” section of this Policy, the following reasons may also apply:

• The User’s documents are found to be forged, altered, or otherwise invalid.
• The User refuses or is unable to provide additional information or documentation when requested.

Fintopio Kg reserves the sole discretion to classify the User as an Unapproved User if any of the following circumstances are discovered, including but not limited to:

• The User is located in a High-risk Country;
• The User is associated with entities or individuals subject to international Sanctions or other restrictive measures.
• The User is a PEP;
• Abnormal features during the onboarding of the User;
• The User is an entity engaged in holding personal assets;
• Usage of product/service/transaction/delivery channel that favours anonymity.

If the User is classified as an Unapproved User, Fintopio Kg may offer the User an option to be included in the Company’s “wait list.” In such cases, Fintopio Kg will contact the User if the circumstances preventing KYC verification are resolved.

We may request information/documents whether the customer is a PEP. If the User is a PEP, the providing of Service to them shall be approved by the Company’s Money Laundering Reporting Officer (MLRO) and a member of the Company’s Senior Management before providing the Services to them.

In case of any doubt on the identity of the User, We may request additional information about them or request the User for additional action (for instance, taking a selfie or making a test transaction).

We use a risk-based approach (RBA). This means that in the course of providing of Our Service and facing the risks related to Money Laundering and Terrorist Financing of the respective business, We apply measures that are commensurate with those risks. We analyze the User and their activity to be able to undertake investigative measures that are proportional to the risk We are aware of and complexity of the case and collect evidence using observations collected in the case. We aim to tailor those measures to the level of risk, ensuring that resources are focused on the areas where they are most needed to prevent and detect money laundering and terrorist financing activities. While providing Our Service, RBA includes, but not limited to, for instance:

• Creating a User risk profile. Different Users pose different levels of risk. For instance, We may categorize Сustomers as high-risk Users if they are from a country with inadequate anti-Money Laundering and counter-Terrorist Financing regulations.
• Transaction Monitoring. We have a system to monitor transactions for suspicious patterns. The suspicious transactions alerted by this system trigger additional scrutiny from us.
• Geographic Risks. The risks can vary significantly depending on the geographic location of the Сustomer or the destination/source of the funds. Users or transactions linked to High-Risk Countries would be subjected to additional scrutiny from us.
• Third-party partnerships. If We engage with other virtual assets service providers, We shall assess the risks these partnerships might pose. This includes conducting due diligence on the third party's anti-Money Laundering, counter-Terrorist Financing policies and practices.
• Regulatory Changes. We shall adhere to changes in regulations and adjust Our procedures and this Policy accordingly. For instance, if a new regulation targets a specific type of cryptocurrency transaction, we will have to enhance our monitoring and control mechanisms for that transaction type respectively.

We have an automatic risk-management system that helps us identify suspicious transactions. This system monitors the transactions on an ongoing basis and includes:

• auditing transactions that are carried out throughout the period of the business relationship, to ensure that the transactions conducted are consistent with the information on file regarding Users and the risks they pose, including, where necessary, the source of funds; and
• ensuring that the documents, data, or information obtained from User due diligence measures are up-to-date and appropriate by regularly reviewing such records, particularly those of high-risk Users.

We put in place indicators that are used to identify possible suspicious transactions and regularly update it.

Such an automatic risk management system ensures that no “tipping-off” or similar offence occurs. The Company shall document, obtain Senior Management approval for, and periodically review and update such a system to ensure its effectiveness.

Once the transaction is identified as suspicious, the system reports (alerts) it to the Money Laundering Reporting Officer taking appropriate measures depending on the respective case.

The alerts given by the risk-management system are based on several common scenarios (Money Laundering / Terrorist Financing techniques) which We designed into this system to address the anti-Money Laundering and counterterrorist Financing risks, including, but not limited to, the detection of:

• A lot of small transactions that seem to be parts of one large transaction operated to avoid detection or scrutiny.
• Funds flow through different jurisdictions and then return to the start jurisdiction and these transactions seem to be operated to hide the funds’ source (Round-tripping).
• Transactions involving Users that are on Sanctions lists.
• Transactions that are inconsistent with a User’s profile, geographic location or history (Large cash deposits or withdrawals, unusual geographic spot).
• Transactions flagged as high-risk by the blockchain analytics service.
• Transactions in which cryptocurrency passes through services known as mixers.

All risk-management system alerts shall be investigated by the US. We are prohibited from ignoring the risk-management system alerts.

A Transaction Monitoring case may be initiated manually by Us or based on activity triggers of the User and investigated by Us.

We determine what the risks of the case are. Each risk should be addressed and documented.

During the Transaction Monitoring case (potential case), we have the right to consider whether the User was checked previously and what the concerns were then.

We have the right to conduct research on the User and their activity to determine the User’s profile, to identify the origin of the funds used in a transaction, and to ascertain whether the User’s activity is in line with the User’s profile, or it has a suspicious nature.

We have the right to conduct research on all the counterparties if it is applicable in this case.

The list of evidence needed to collect information about the User and their activity may vary so it will affect the way in which the case is reviewed and the nature of the final decision on the particular case. For instance, in the course of the Transaction Monitoring case, We may consider the following data:

• the User transactions’ history and their type;
• any factors that cause the customer to be considered high risk (including location);
• age of the User;
• any other data which describes the User / their activity / their counterparties.

Our final decision in each case reviewed may be (1) to restrict access to the Service, or (2) close the case. The final decision will be supported by a detailed analysis of the facts of the case and the evidence that led to the decision.

The Company is responsible for maintaining all relevant records, data, and documentation (including but not limited to local and international transactions) in a manner that enables prompt provision of information to regulators or auditors. This includes:

• Transaction Records: Operational and statistical data of all processed transactions, on-chain or off-chain;
• User Due Diligence (“CDD”) Records: Documents and information gathered during the onboarding process, including business correspondence, previous Transaction Monitoring case files, etc.;
• Third-Party Information: Data on third parties involved in User due diligence, if applicable;
• Monitoring Records: Documentation of internal reviews, AML/CFT audits, and findings;
• Suspicious Activity Reports (“SAR”): Copies of all SARs or suspicious transaction reports (where legally required).

Retention Period: All records (including personal data) must be stored for at least eight (8) years from the date of termination of the User relationship or from the date of the relevant transaction, whichever is later. The Company processes personal data in accordance with its Privacy Policy, available at https://fintopio.kg/privacy-policy-kg

If a transaction or account is refused at any stage, the Company will record details that enable identification of the User in case of future inquiries or investigations.

Fintopio Kg implements the Financial Action Task Force’s (FATF) Recommendation 16, commonly referred to as the “Travel Rule,” in accordance with the Kyrgyz Republic’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regulations. Under this rule, Fintopio must collect, verify, and securely transmit specific identifying information on both the originator and beneficiary of qualifying virtual asset transactions, ensuring transparency and traceability within the digital asset ecosystem.

Threshold and Scope

In line with FATF standards, the Travel Rule applies to transfers exceeding USD 1,000 (or equivalent). For such transactions, Fintopio Kg will capture vital information including:

• full legal names,
• addresses, and
• official identifiers from both senders and recipients.

Basic identifying data may be collected for amounts below this threshold, but enhanced scrutiny is generally reserved for transactions above it or where suspicious activity is suspected.

Data Collection and Transmission

Fintopio Kg maintains robust internal controls to verify that each counterparty, be it another Virtual Assets Service Provider (VASP), a financial institution, or a self-hosted wallet, complies with applicable regulations. For self-hosted wallets, we may request additional proof of ownership and conduct risk-based due diligence. All Travel Rule information is transmitted via secure, encrypted channels and stored for a minimum of eight (8) years, consistent with local regulatory requirements.

Compliance and Enforcement

If Fintopio Kg encounters incomplete or unreliable data, or if the counterparty is unwilling to meet the necessary Travel Rule standards, we reserve the right to pause, reject, or further investigate such transactions. These measures help prevent misuse of virtual assets for illicit purposes and support the global fight against money laundering and terrorist financing.

The Company has appointed an MLRO, whose contact details are:

• Email: [email protected]

The MLRO:

• Has more than two (2) years of experience in AML/CFT compliance;
• Is a Fit and Proper Person, demonstrating honesty, integrity, reliability, and the requisite professional qualifications/background.

The MLRO’s appointment is subject to an annual review to confirm continuing compliance with professional and legal requirements.

MLRO is responsible for:

• Staff Training:Ensure that the board of directors, Senior Management, and all relevant personnel are trained on AML/CFT obligations, including how to identify and escalate suspicious transactions.
• Policy Development:Create and maintain this AML/KYC Policy, including ongoing enhancements to address evolving risks.
• Risk Assessments:Periodically assess AML/CFT risks and update the Company’s controls and processes accordingly.
• Suspicious Transaction Reporting:Investigate alerts raised by the automated system or staff, decide whether to file an official report with the relevant authorities, and maintain records of such reports.
• Corrective Action:Oversee remediation for any identified non-compliance issues and ensure adherence to regulatory requirements.
• Regular Reporting:Provide quarterly reports to the Company’s board of directors on AML/CFT compliance effectiveness, identified weaknesses, and corrective actions. Provide copies to competent authorities upon request.
• Regulatory Cooperation:Respond promptly (within 48 hours or the specified deadline) to all requests from regulatory or law enforcement agencies.

• Enhanced Due Diligence measures (“EDD”) apply to Users classified as high-risk or to specific transactions flagged for higher scrutiny. This includes, but is not limited to, Politically Exposed Persons (PEPs), Users residing in or conducting business with High-Risk Countries, or cases involving unusually large or complex transactions.

• The Company may require additional information on the source of funds or wealth, detailed verification of corporate structure (for legal entities), and more frequent ongoing monitoring of transactions.
• The Company may utilize external databases, conduct adverse media checks, or request notarized/certified documents, depending on the assessed risk level.

• Provision of Services to high-risk Users, including PEPs, requires documented approval from the Money Laundering Reporting Officer (MLRO) and at least one member of the Senior Management.
• EDD measures may be conducted periodically, even after initial onboarding, to ensure that the User’s risk profile remains accurate and that no new risk indicators have arisen.

Regular Screening:The Company conducts automated and/or manual screening of Users and transactions against applicable sanctions lists, including those published by the United Nations (UN), the Office of Foreign Assets Control (OFAC), the European Union (EU), and other relevant authorities.

Ongoing Monitoring:If the Company discovers that a User is, or becomes, a sanctioned individual or entity, it shall take immediate steps to comply with the relevant sanction’s regime (e.g., freezing assets, blocking transactions) and report to the competent authority where required.

Obligations of Users:Users must refrain from initiating or facilitating transactions that violate sanctions laws. Any attempt to bypass sanctions through indirect means or third parties may result in account suspension or termination.

Prohibition on Disclosure: All Company personnel are strictly prohibited from disclosing to a User or any third party that a suspicious transaction report (“STR”) or related investigation has been, or will be, filed with any regulatory or law enforcement authority.

Confidentiality: Employees shall maintain the confidentiality of all STRs, related documentation, and any investigations in progress. Unauthorized disclosure constitutes a violation of this Policy and may also violate applicable laws.

Consequences of Violation: Breaches of the no tipping-off requirement may lead to disciplinary action, up to and including termination of employment, in addition to potential legal consequences under applicable legislation.

• Familiarity with the Policy: All employees are required to read, understand, and comply with this AML/KYC Policy and any related procedures.
• Mandatory Training: Employees must attend regular AML/CFT training sessions as directed by the MLRO or Senior Management.
• Reporting Obligations: Employees must promptly report any knowledge or suspicion of Money Laundering, Terrorist Financing, or Sanctions violations to the MLRO.

• The Company reserves the right to take disciplinary measures (including warnings, suspension, or termination of employment) against employees who fail to comply with this Policy or any related internal procedures.
• In cases of willful misconduct or gross negligence, the Company may pursue legal action or refer the matter to relevant law enforcement agencies.

The Company is organized under the laws of the Kyrgyz Republic and is thus subject to all applicable Kyrgyz regulations, including, but not limited to, the Law on Combating the Financing of Terrorism and any guidance or directives from Kyrgyz regulatory authorities.

The Company’s MLRO shall maintain regular communication with Kyrgyz authorities, ensuring the Company’s AML/CFT policies and procedures align with local legal requirements and emerging regulatory guidance.

In the event of any inconsistency between this Policy and applicable Kyrgyz Republic laws, the local laws shall prevail to the extent of such inconsistency. The Company will take all reasonable steps to reconcile or update its internal policies and procedures accordingly.

Fintopio reserves the right to update, amend, or modify this Policy. Continued use of the Service after any updates to this Policy constitutes acceptance of the revised terms.

If significant changes are made to this Policy, Fintopio Kg may, at its discretion, notify Users through email, platform notifications, or other means. However, it is the User’s responsibility to remain aware of the current version of this Policy.