AML/KYC Policy

Anti-money laundering (AML) & know your customer (KYC) policies

Effective Date: 11/7/2025
Approved by: Board of Directors, TouchPay Exchange
Policy Owner: Chief Compliance Officer (CCO)
Applies to: All employees, contractors, customer-users, entrepreneurs, businesses, partners, and monitors

1. Introduction

TouchPay Exchange is a digital asset and financial services platform that provides secure and regulated exchange services for cryptocurrencies, electronic currencies, and fiat currencies. The Exchange serves a wide range of clients, including individuals, entrepreneurs, businesses, and institutional partners, enabling them to safely buy, sell, and convert digital and traditional currencies.

Given the inherent nature of digital and electronic assets, TouchPay operates in an environment with heightened financial crime risk, including money laundering, terrorist financing, fraud, sanctions violations, and other illicit activities. The global, cross-border, and pseudonymous characteristics of cryptocurrencies and electronic currencies require robust and proactive compliance controls to mitigate these risks.

Objectives of this Policy inсlude:

• Prevent misuse of TouchPay’s services for illicit purposes.
• Ensure adherence to international AML standards, including FATF Recommendations, Travel Rule obligations, and applicable local laws,
• Identify, assess, and mitigate risks associated with individuals, entrepreneurs, businesses, partners, and counterparties,
• Protect the integrity and reputation of TouchPay and maintain trust with regulators, monitors, and international partners,
• Provide a safe, transparent, and reliable platform for all users,
• Establish clear compliance rules, obligations, and internal controls that are auditable and enforceable.

To achieve these objectives, TouchPay implements a comprehensive, risk-based, and technology-enabled compliance framework, which includes:

• Customer due diligence (KYC) and ongoing verification,
• Enhanced due diligence (EDD) for higher-risk customers and transactions,
• Transaction monitoring and Know Your Transaction (KYT) controls,
• Sanctions screening and Travel Rule compliance,
• Identification and reporting of suspicious activities (SAR/STR),
• Periodic risk assessments and independent audits.

This Policy applies to all TouchPay employees, contractors, customers, users, entrepreneurs, businesses, partners, and monitors, establishing clear rules, obligations, and internal controls required to maintain compliance with AML/KYC standards across all operations.

2. Regulatory Compliance & International AML Standards

TouchPay adheres to all applicable international AML standards and regulatory expectations, including:

• FATF Recommendations and Interpretive Notes, including guidance on virtual assets and virtual asset service providers (VASPs),
• Travel Rule compliance for virtual asset transfers,
• UN, EU, OFAC, and local sanctions regimes,
• Applicable local AML/CTF laws,
• International guidance on risk-based customer due diligence, ongoing monitoring, and reporting.

TouchPay maintains policies, procedures, and internal controls reasonably designed to detect, prevent, and report suspicious activity and to mitigate financial crime across its cryptocurrency, electronic currency, and fiat currency exchange services.

3. AML Risk Management Framework

3.1 Enterprise-Wide Risk Assessments

TouchPay conducts periodic and dynamic risk assessments to identify vulnerabilities and determine the level of scrutiny required for customers, transactions, products, and jurisdictions. Risk assessment factors inсlude:

• Customer type and profile,
• Geographic exposure,
• Products and services used,
• Transaction volume, frequency, and complexity,
• Virtual asset typologies and blockchain risk patterns,
• Emerging financial crime trends.

3.2 Customer and Transaction Risk Scoring

Each customer and transaction receives a dynamic risk score reflecting:

• PEP status,
• Transaction history,
• Counterparty exposure,
• Behavioral patterns,
• Adverse media or sanctions hits,
• High-risk accounts are subject to enhanced monitoring, transaction limits, and senior compliance review.

4. Ongoing Monitoring & Know Your Transaction (KYT)

• Real-time blockchain analytics to detect layering, structuring, or interaction with high-risk wallets,
• Fiat transaction monitoring for unusual amounts or high-risk jurisdictions,
• Behavioral analytics for deviations from normal patterns,
• Alerts are reviewed via centralized case management.

Frozen funds: TouchPay may temporarily restrict or freeze funds where transactions are flagged as suspicious. Users must provide requested information for verification.

5. Suspicious Activity & Funds Freeze Procedures

Right to restrict, freeze, or block accounts/transactions when suspicious activity is detected:

• Mandatory cooperation from users/partners, including:
  • Providing documentation,
  • Explaining the source/purpose of funds,
  • Clarifying counterparties and activities,
  • Completing enhanced verification.
• SAR/STR filing with authorities in accordance with anti-tipping-off laws

6. Customer Due Diligence (KYC)

6.1 Identity Verification

• Government-issued identification,
• Proof of residential address,
• Biometric/liveness verification,
• Video verification (risk-based),
• Database and sanctions checks,
• Non-documentary verification if necessary.

6.2 Beneficial Ownership

• Legal entities and businesses must disclose UBOs ≥25% ownership/control,
• Complex structures require enhanced due diligence (EDD).

6.3 Politically Exposed Persons (PEPs)

• Enhanced monitoring, senior approval, and source-of-wealth verification

7. Verification Procedures

TouchPay applies a comprehensive, risk-based verification framework to ensure that all customers, entrepreneurs, businesses, and partners are properly identified, verified, and continuously monitored.

Verification procedures inсlude:

1. Identity Verification (ID):
   • Government-issued identification (passport, national ID, driver’s license),
   • Verification of authenticity using automated or manual review.
2. Proof of Address:
   • Utility bill, bank statement, or official government correspondence,
   • Must be recent and verifiable.
3. Biometric and Liveness Verification:
   • Facial recognition, live selfie capture, or other biometric measures,
   • Used to confirm identity matches the submitted documents.
4. Video Verification (Risk-Based):
   • Real-time video interview or submission for high-risk customers,
   • Applied when documentation alone is insufficient.
5. Database and Sanctions Checks:
   • Screening against international watchlists (UN, EU, OFAC, local lists),
   • Continuous sanctions and PEP monitoring.
6. Non-Documentary Verification (if needed):
   • Digital footprint analysis, social verification, wallet ownership verification,
   • Transaction history and activity review.
7. Enhanced Due Diligence (EDD) for High-Risk Customers:
   • Source of funds and wealth verification,
   • Senior compliance approval,
   • Ongoing monitoring of transaction behavior.
8. Ongoing Monitoring and Re-Verification:
   • Periodic review of account activity and documentation,
   • Triggered re-verification when risk increases or unusual activity is detected,
   • TouchPay’s verification procedures ensure regulatory compliance, risk mitigation, and integrity of the platform while respecting customer privacy.

8. Levels of Verification

TouchPay uses a tiered, risk-based verification model, aligning the depth of verification with the risk profile, transaction volume, and type of services.

Level 1 — Basic Verification

• Target: Individuals and small entrepreneurs.
• Requirements: Full legal name, date of birth, nationality, government-issued ID.
• Screening: Sanctions and PEP checks.
• Access: Limited deposits, withdrawals, and trading.

Level 2 — Standard Verification

• Target: Active individuals and entrepreneurs.
• Requirements: Level 1 + proof of residential address, liveness/selfie verification.
• Access: Full trading functionality, higher deposit/withdrawal limits.

Level 3 — Enhanced Verification

• Target: High-risk or high-value users.
• Requirements: Level 2 + source of funds and source of wealth verification.
• Verification: Video interview or senior compliance officer approval.
• Access: High-volume trading and withdrawal limits.

Institutional / Corporate Verification

• Target: Businesses and corporate entities.
• Requirements: Company registration documents, ownership and control structure, directors/authorized signatories, business activity description, source of funds/wealth verification.
• Access: Institutional accounts, trading, settlements, and business services.
• Note: Customers may be required to upgrade verification if risk profile changes, suspicious activity is detected, or regulatory requirements demand enhanced verification.

9. Privacy & Data Protection

• Customer data is confidential and encrypted,
• Data collected for AML/KYC purposes only,
• Regulatory or partner sharing only when legally required.

10. Enhanced Due Diligence (EDD)

Applied to high-risk customers, jurisdictions, or transactions:

• Detailed source-of-funds/wealth verification,
• Video interviews or in-person verification,
• Transaction monitoring,
• Senior compliance approvals.

11. Training, Recordkeeping, and Audit

• Mandatory AML/KYC/KYT training for all employees & contractors,
• Records retained ≥5 years, including verification, transactions, alerts, and SAR/STR filings,
• Independent audits for compliance effectiveness and regulatory readiness.

12. Policy Enforcement

• Violations by employees: disciplinary action or termination,
• Violations by users/partners: account restrictions, termination, regulatory reporting,
• TouchPay retains final discretion over AML/KYC measures consistent with law.

13. Policies Review

• Reviewed annually or upon material changes,
• Board approval required for updates.

14. Purpose and Protection Scope of This Policies

TouchPay implements this AML/KYC Policy to ensure the safety, integrity, and regulatory compliance of its operations while safeguarding all stakeholders involved in its platform. The Policy exists to:

1. Protect the Financial systеm: Prevent TouchPay from being used to facilitate money laundering, terrorist financing, fraud, sanctions violations, or other illicit financial activities, contributing to a safer financial ecosystem globally.
2. Protect Customers, Entrepreneurs, and Businesses: Ensure that all users, including individuals, entrepreneurs, and corporate clients, can transact in a secure, transparent, and compliant environment, with verified counterparties and minimized exposure to financial crime.
3. Protect Partners and Institutional Counterparties: Maintain the trust of banks, financial institutions, payment providers, and international partners by demonstrating that all TouchPay operations adhere to international AML standards and best practices.
4. Protect TouchPay and Its Reputation: By implementing strong AML/KYC controls, the Exchange safeguards its reputation, regulatory standing, and legal compliance, ensuring long-term stability and trustworthiness in the financial services sector.
5. Protect Regulators and Monitors: Provide regulators, auditors, and monitoring authorities with auditable, transparent, and robust compliance processes, showing that TouchPay proactively manages and mitigates financial crime risk across its operations.

In summary, this Policy protects the Exchange, its users, partners, and the broader financial systеm from misuse, while ensuring compliance with international standards, regulatory requirements, and best practices. By following this Policy, TouchPay ensures that all transactions are conducted in a secure, transparent, and legally compliant manner, promoting trust and integrity for all stakeholders.