Latest version as of January, 2025.

This Anti-Money Laundering / Know Your Customer Policy (“Policy”) outlines the procedures implemented by Fintopio Virtual Assets LLC (“We”, “Us”, “Our”, “Company”, "Fintopio Kg"), duly licensed as a Virtual Assets Exchange Operator with registration number: 225012-3301-OOO, and registered address at 9 Razzakov St., Business Center Russia, 9th Floor, Room 900, Perwomaisky district, Bishkek city, Kyrgyz Republic, to verify the identity of our Customers and determine their eligibility to access our Service.

The purpose of this Policy is to verify the identity of our Customers and assess their eligibility to access our Services while ensuring compliance with both AML and KYC regulations.

The KYC processes described herein ensure that only verified Customers with legitimate intentions can engage with our Services. By requiring Customers to provide accurate personal information and undergo verification steps, Fintopio aims to establish a secure and compliant environment for Digital Asset activities. Our AML measures are established to prevent, detect, and report any suspected Money Laundering or Terrorist Financing. These measures enable us to assess Customers’ eligibility while meeting regulatory obligations, safeguarding the integrity of our Service, and contributing to the overall security of the financial system. Through these combined efforts in KYC and AML, we strive to maintain a trustworthy platform for all users.

To obtain access to the Service, the Customer is required to complete the following steps during the verification process.

At this level, the Customer has access to Fintopio’s platform. With this access level, the Customer is permitted to:

• Maintain an account balance of up to KGS 100,000.
• Transfer funds to other Fintopio Customers within the Service.
• Create and activate vouchers (information about vouchers may be found in Fintopio’s Terms of Use).

To be authorized by Fintopio and obtain the Basic Level, Customers shall proceed with the following steps:

• Confirm that the Customer meets Our verification and eligibility criteria.
• Acknowledge that the Customer has read and agreed to the Terms of Use and Privacy Policy.
• Provide a valid phone number and verify it through a one-time passcode (OTP) sent via a secure communication channel.
• Submit personal information, including first name, last name, date of birth, and citizenship.

At this level, the Customer is able to use the Service and its additional features, such as withdrawals to DeFi wallets. To do so, the Customer must complete an advanced verification process, including the following:

• Enhanced identity checks such as liveness verification, and
• Document recognition.

In addition to the reasons of classification the Customer as an Unapproved Customer mentioned in the “Basic level” section of this Policy the following reasons may also apply:

• The Customer’s documents are found to be forged, altered, or otherwise invalid.
• The Customer refuses or is unable to provide additional information or documentation when requested.

Fintopio reserves the sole discretion to classify the Customer as an Unapproved Customer if any of the following circumstances are discovered, including but not limited to:

• The Customer is located in a High-risk Country;
• The Customer is associated with entities or individuals subject to international Sanctions or other restrictive measures.
• The Customer is a PEP;
• Abnormal features during the onboarding of the Customer;
• The Customer is an entity engaged in holding personal assets;
• Usage of product/service/transaction/delivery channel that favors anonymity.

If the Customer is classified as an Unapproved Customer, Fintopio may offer the Customer an option to be included in Fintopio’s “wait list.” In such cases, Fintopio will contact the Customer if the circumstances preventing KYC verification are resolved.

We may request information/documents whether the customer is a PEP. If the Customer is a PEP, the providing of Service to them shall be approved by the Company’s Money Laundering Reporting Officer and a member of the Company’s Senior Management before such providing.

In case of any doubt on the identity of the Customer, We may request additional information about them or request the Customer for additional action (for instance, taking a selfie or making a test transaction).

We use a risk-based approach (RBA). This means that in the course of providing of Our Service and facing the risks related to Money Laundering and Terrorist Financing of the respective business, We apply measures that are commensurate with those risks. We analyze the Customer and their activity to be able to undertake investigative measures that are proportional to the risk We are aware of and complexity of the case and collect evidence using observations collected in the case. We aim to tailor those measures to the level of risk, ensuring that resources are focused on the areas where they are most needed to prevent and detect money laundering and terrorist financing activities. In the course of providing Our Service RBA includes, but not limited to, for instance:

• Creating a Customer risk profile. Different Customers pose different levels of risk. For instance, We may categorize Сustomers as high-risk Customers if they are from a country with inadequate anti-Money Laundering and counter-Terrorist Financing regulations.
• Transaction Monitoring. We have a system to monitor transactions for suspicious patterns. The suspicious transactions alerted by this system trigger additional scrutiny from us.
• Geographic Risks. The risks can vary significantly depending on the geographic location of the Сustomer or the destination/source of the funds. Customers or transactions linked to High-Risk Countries would be subjected to additional scrutiny from us.
• Third-party partnerships. If We engage with other virtual assets service providers, We shall assess the risks these partnerships might pose. This includes conducting due diligence on the third party's anti-Money Laundering, counter-Terrorist Financing policies and practices.
• Regulatory Changes. We shall adhere to changes in regulations and adjust Our procedures and this Policy accordingly. For instance, if a new regulation targets a specific type of cryptocurrency transaction, we would have to enhance our monitoring and control mechanisms for that transaction type respectively.

We have an automatic risk-management system that helps us identify suspicious transactions. This system monitors the transactions on an ongoing basis and includes:

• auditing transactions that are carried out throughout the period of the business relationship, to ensure that the transactions conducted are consistent with the information on file regarding Customers and the risks they pose, including, where necessary, the source of funds; and
• ensuring that the documents, data, or information obtained from Customer due diligence measures are up-to-date and appropriate by regularly reviewing such records, particularly those of high-risk Customers.

We put in place indicators that are used to identify possible suspicious transactions and regularly update it.

Such an automatic risk management system ensures that no “tipping-off” or similar offence occurs. The Company shall document, obtain Senior Management approval for, and periodically review and update such system to ensure its effectiveness.

Once the transaction is identified as suspicious, the system reports (alerts) it to the Money Laundering Reporting Officer taking appropriate measures depending on the respective case.

The alerts given by the risk-management system are based on several common scenarios (Money Laundering / Terrorist Financing techniques) which We designed into this system in order to address the anti-Money Laundering and counter-Terrorist Financing risks, including, but not limited to, the detection of:

• A lot of small transactions that seem to be parts of one large transaction operated in order to avoid detection or scrutiny.
• Funds flow through different jurisdictions and then return to the start jurisdiction and these transactions seem to be operated in order to hide the funds’ source (Round-tripping).
• Transactions involving Customers that are on Sanctions lists.
• Transactions that are inconsistent with a Customer's profile, geographic location or history (Large cash deposits or withdrawals, unusual geographic spot).
• Transactions flagged as high-risk by the blockchain analytics service.
• Transactions in which cryptocurrency passes through services known as mixers.

All risk-management system alerts shall be investigated by the US. We are prohibited from ignoring the risk-management system alerts.

A Transaction Monitoring case may be initiated manually by Us or based on activity triggers of the Customer and investigated by Us.

We determine what the risks of the case are. Each risk should be addressed and documented.

In the course of the Transaction Monitoring case (potential case) we have the right to consider whether the Customer was checked previously and what were the concerns then.

We have the right to conduct research on the Customer and their activity to determine the Customer’s profile, to identify the origin of the funds used in a transaction, and to ascertain whether the Customer’s activity is in line with the Customer’s profile or it has a suspicious nature.

We have the right to conduct research on all the counterparties if it is applicable in this case.

The list of evidence needed to collect about the Customer and their activity may vary so it will affect the way in which the case is reviewed and the nature of the final decision on the particular case. For instance, in the course of the Transaction Monitoring case, We may consider the following data:

• the Customer transactions’ history and their type;
• any factors that cause the customer to be considered high risk (including location);
• age of the Customer;
• any other data which describes the Customer / their activity / their counterparties.

Our final decision in each case reviewed may be (1) to restrict access to the Service, or (2) close the case. The final decision will be supported by a detailed analysis of the facts of the case and the evidence that led to the decision.

The Company is responsible for maintaining all relevant records, data, and documentation (including but not limited to local and international transactions) in a manner that enables prompt provision of information to regulators or auditors. This includes:

• Transaction Records: - Operational and statistical data of all processed transactions, on-chain or off-chain;
• Customer Due Diligence (“CDD”) Records: - Documents and information gathered during the onboarding process, including business correspondence, previous Transaction Monitoring case files, etc.;
• Third-Party Information: - Data on third parties involved in Customer due diligence, if applicable;
• Monitoring Records: - Documentation of internal reviews, AML/CFT audits, and findings;
• Suspicious Activity Reports (“SAR”): - Copies of all SARs or suspicious transaction reports (where legally required).

Retention Period: All records (including personal data) must be stored for at least eight (8) years from the date of termination of the Customer relationship or from the date of the relevant transaction, whichever is later. The Company processes personal data in accordance with its Privacy Policy, available at https://fintopio.kg/privacy-policy-kg

If a transaction or account is refused at any stage, the Company will record details that enable identification of the Customer in case of future inquiries or investigations.

We shall include required and accurate originator information, and required beneficiary information, on wire transfers and related messages, and the information shall remain with the wire transfer or related message throughout the payment chain (Travel Rule). In the course of implementing the Travel Rule We are governed by FATF Recommendation 15.

Prior to providing a Customer the service by Us in the form of a wire transfer, We shall obtain and hold the required and accurate originator information and required beneficiary information.

Prior to providing a Customer the service by Us in the form of permitting access to funds received from a transfer, We shall obtain and hold the required originator information and required and accurate beneficiary information.

Required originator information shall include, but not be limited to, the originator’s:

• name;
• account number of wallet address;
• residential business address.

Required beneficiary information shall include, but not be limited to, the beneficiary’s:

• name;
• account number of wallet address.

When dealing with virtual assets, the Company will take commercially reasonable steps to ensure the Travel Rule requirements are met even in jurisdictions where local legislation has not yet adopted such obligations (the so-called “sunrise issue”).

The Company has appointed an MLRO, whose contact details are:

• Email: Insert MLRO Email

The MLRO must:

• Have at least two (2) years of experience in AML/CFT compliance;
• Be a Fit and Proper Person, demonstrating honesty, integrity, reliability, and the requisite professional qualifications/background.

The MLRO’s appointment is subject to annual review to confirm continuing compliance with professional and legal requirements.

MLRO is responsible for:

• Staff Training:Ensure that the board of directors, Senior Management, and all relevant personnel are trained on AML/CFT obligations, including how to identify and escalate suspicious transactions.
• Policy Development:Create and maintain this AML/KYC Policy, including ongoing enhancements to address evolving risks.
• Risk Assessments:Periodically assess AML/CFT risks and update the Company’s controls and processes accordingly.
• Suspicious Transaction Reporting:Investigate alerts raised by the automated system or staff, decide whether to file an official report with the relevant authorities, and maintain records of such reports.
• Corrective Action:Oversee remediation for any identified non-compliance issues and ensure adherence to regulatory requirements.
• Regular Reporting:Provide quarterly reports to the Company’s board of directors on AML/CFT compliance effectiveness, identified weaknesses, and corrective actions. Provide copies to competent authorities upon request.
• Regulatory Cooperation:Respond promptly (within 48 hours or the specified deadline) to all requests from regulatory or law enforcement agencies.

• The Company maintains records of all AML/CTF activities, including client identification, verification, and monitoring.

• The Company may require additional information on the source of funds or wealth, detailed verification of corporate structure (for legal entities), and more frequent ongoing monitoring of transactions.
• The Company may utilize external databases, conduct adverse media checks, or request notarized/certified documents, depending on the assessed risk level.

• Provision of Services to high-risk Customers, including PEPs, requires documented approval from the Money Laundering Reporting Officer (MLRO) and at least one member of Senior Management.
• EDD measures may be conducted periodically, even after initial onboarding, to ensure that the Customer’s risk profile remains accurate and that no new risk indicators have arisen.

Regular Screening:The Company conducts automated and/or manual screening of Customers and transactions against applicable sanctions lists, including those published by the United Nations (UN), the Office of Foreign Assets Control (OFAC), the European Union (EU), and other relevant authorities.

Ongoing Monitoring:If the Company discovers that a Customer is, or becomes, a sanctioned individual or entity, it shall take immediate steps to comply with the relevant sanctions regime (e.g., freezing assets, blocking transactions) and report to the competent authority where required.

Obligations of Customers:Customers must refrain from initiating or facilitating transactions that violate sanctions laws. Any attempt to bypass sanctions through indirect means or third parties may result in account suspension or termination.

Prohibition on Disclosure: All Company personnel are strictly prohibited from disclosing to a Customer or any third party that a suspicious transaction report (“STR”) or related investigation has been, or will be, filed with any regulatory or law enforcement authority.

Confidentiality: Employees shall maintain the confidentiality of all STRs, related documentation, and any investigations in progress. Unauthorized disclosure constitutes a violation of this Policy and may also violate applicable laws.

Consequences of Violation: Breaches of the no tipping-off requirement may lead to disciplinary action, up to and including termination of employment, in addition to potential legal consequences under applicable legislation.

• Familiarity with the Policy: All employees are required to read, understand, and comply with this AML/KYC Policy and any related procedures.
• Mandatory Training: Employees must attend regular AML/CFT training sessions as directed by the MLRO or Senior Management.
• Reporting Obligations: Employees must promptly report any knowledge or suspicion of Money Laundering, Terrorist Financing, or Sanctions violations to the MLRO.

• The Company reserves the right to take disciplinary measures (including warnings, suspension, or termination of employment) against employees who fail to comply with this Policy or any related internal procedures.
• In cases of willful misconduct or gross negligence, the Company may pursue legal action or refer the matter to relevant law enforcement agencies.

The Company is organized under the laws of the Kyrgyz Republic and is thus subject to all applicable Kyrgyz regulations, including, but not limited to, the Law on Combating the Financing of Terrorism and any guidance or directives from Kyrgyz regulatory authorities.

The Company’s MLRO shall maintain regular communication with Kyrgyz authorities, ensuring the Company’s AML/CFT policies and procedures align with local legal requirements and emerging regulatory guidance.

In the event of any inconsistency between this Policy and applicable Kyrgyz Republic laws, the local laws shall prevail to the extent of such inconsistency. The Company will take all reasonable steps to reconcile or update its internal policies and procedures accordingly.

Fintopio reserves the right to update, amend, or modify this Policy. Continued use of Fintopio’s Service after any updates to this Policy constitutes acceptance of the revised terms.

If significant changes are made to this Policy, Fintopio may, at its discretion, notify Customers through email, platform notifications, or other means. However, it is the Customer’s responsibility to remain aware of the current version of this Policy.