Document ID

OTCM-POL-AML-001

Version

1.0

Effective Date

January 30, 2026

Classification

CONFIDENTIAL

Approved By

Board of Directors

🛡️

Prevent Crime

Detect and prevent money laundering and terrorist financing

⚖️

Ensure Compliance

Comply with all applicable AML laws and regulations

🔍

Identify Risk

Identify and mitigate AML/CFT risks

📢

Report Activity

File required reports with regulatory authorities

🏛️

Protect Integrity

Protect the integrity of the financial system

🔗

Platform Security

Prevent illicit use of the OTCM Protocol platform

Bank Secrecy Act (BSA)

31 U.S.C. § 5311 et seq. — Recordkeeping and reporting

USA PATRIOT Act

Enhanced due diligence, CIP requirements

FinCEN Regulations

31 CFR Chapter X — AML program requirements

OFAC Regulations

31 CFR Parts 500-599 — Sanctions compliance

SEC Rule 17a-8

Broker-dealer SAR filing requirements

FATF Recommendations

International AML/CFT standards

SEC January 2026 Guidance

Tokenized securities compliance

Travel Rule

FATF Recommendation 16 — Virtual asset transfers

🏢

Company Operations

All Company business activities

🔗

Platform Transactions

All OTCM Protocol platform transactions

🪙

Token Activities

ST22 Security Token and OTCM Utility Token transactions

👤

Customers

All issuers, investors, and platform users

🤝

Partners

Transfer agents, custodians, service providers

🌍

Geographic

Global operations

1️⃣

Placement

Introducing illicit funds into the financial system

2️⃣

Layering

Disguising the trail through complex transactions

3️⃣

Integration

Reintroducing funds as legitimate assets

💊

Drug Trafficking

Narcotics sales and distribution

🎰

Fraud

Securities fraud, wire fraud, bank fraud

💰

Tax Evasion

Federal and state tax crimes

🔫

Terrorism

Terrorist financing and material support

👤

Human Trafficking

Human smuggling and trafficking

🏛️

Corruption

Bribery, public corruption

💳

Theft

Embezzlement, theft, robbery

🌐

Cybercrime

Ransomware, hacking, crypto theft

1️⃣

Internal Controls

Policies, procedures, and systems

2️⃣

BSA/AML Officer

Designated compliance officer

3️⃣

Training

Ongoing employee training

4️⃣

Independent Testing

Regular program audits

5️⃣

Customer Due Diligence

Risk-based CDD program

🎓

Knowledge

Comprehensive BSA/AML knowledge

👔

Authority

Sufficient authority to implement program

💼

Experience

Relevant compliance experience

📊

Access

Direct access to Board and senior management

🎯

Program Oversight

Oversee all aspects of AML Program

📜

Policy Development

Develop and update AML policies

🔍

Risk Assessment

Conduct enterprise AML risk assessments

📢

SAR Filing

Review and file Suspicious Activity Reports

🏛️

Regulatory Liaison

Interface with FinCEN, SEC, examiners

🎓

Training

Ensure adequate AML training

📊

Reporting

Report to Board on AML matters

🔗

Blockchain Monitoring

Oversee blockchain transaction monitoring

✅

Approve AML Policy

Annually and as amended

📊

Review AML Reports

Quarterly

🔍

Review Audit Findings

Upon completion

👤

Approve AML Officer

Upon appointment

💰

Allocate Resources

Annually

👤

Customer Risk

Customer types, geographic locations

📊

Product Risk

Products and services offered

🌍

Geographic Risk

Countries and regions served

🔗

Channel Risk

Delivery channels (online, blockchain)

💰

Transaction Risk

Transaction types, volumes, patterns

🟢

Low

Standard risk customers

Annual

🟡

Medium

Elevated risk factors

Semi-annual

🔴

High

Significant risk factors

Quarterly

⚫

Prohibited

Unacceptable risk

No onboarding

📋

Collect Information

Obtain required identifying information

✅

Verify Identity

Verify identity through documents or non-documentary methods

🔍

Screen Lists

Screen against OFAC and other watchlists

📁

Maintain Records

Retain CIP records

📢

Provide Notice

Inform customers of CIP requirements

👤

Full Legal Name

✅ Yes

As it appears on government ID

📅

Date of Birth

✅ Yes

Full DOB required

🏠

Residential Address

✅ Yes

No P.O. boxes

🔢

SSN/TIN

✅ Yes

For U.S. persons

🛂

Passport Number

✅ If non-U.S.

Plus country of issuance

📧

Email Address

✅ Yes

For platform access

📞

Phone Number

✅ Yes

For verification

🏢

Legal Name

✅ Yes

Full legal entity name

🏷️

DBA Names

✅ If applicable

All trade names

📍

Principal Address

✅ Yes

Physical address required

🔢

EIN/TIN

✅ Yes

Federal tax ID

🏛️

State of Formation

✅ Yes

Jurisdiction

📅

Formation Date

✅ Yes

Date of incorporation

📋

Entity Type

✅ Yes

Corporation, LLC, etc.

🌐

Website

✅ If applicable

Company website

🛂

Government-Issued Photo ID

Current, unexpired

🚗

Driver's License

U.S. state-issued

🛂

Passport

U.S. or foreign

🆔

State ID Card

Government-issued

🌍

National ID

For non-U.S. persons

📊

Credit Bureau

Identity verification services

🏦

Financial References

Bank account verification

📋

Public Records

Government databases

🔗

Third-Party Services

KYC/identity verification providers

📜

Formation Documents

Articles of incorporation/organization

📋

Good Standing Certificate

Recent certificate from state

🔢

EIN Letter

IRS EIN confirmation

📊

Operating Agreement

For LLCs

📋

Bylaws

For corporations

✅

Board Resolution

Authorizing account opening

🏢

Entity Verification

Full entity CIP as above

👤

Authorized Signers

CIP on all authorized signers

🎯

Beneficial Owners

25%+ owners identified

👔

Control Person

Individual with significant control

📊

Business Verification

Verification of business operations

📋

Securities Filings

Review of SEC/state filings

👤

Understand Customer

Know who the customer is

💼

Understand Business

Understand nature and purpose of relationship

📊

Assess Risk

Develop customer risk profile

🔍

Monitor Activity

Conduct ongoing monitoring

📋

Update Information

Maintain current customer information

👤

Customer Type

Individual, entity, institutional

🌍

Geography

Country of residence/operations

💼

Occupation/Industry

High-risk industries

💰

Transaction Patterns

Expected activity vs. actual

🔗

Source of Funds

Origin of wealth/funds

📊

Negative News

Adverse media screening

🟢

Low Risk

Standard risk profile

U.S. individuals, established businesses

🟡

Medium Risk

Elevated risk factors

Foreign nationals, newer businesses

🔴

High Risk

Significant risk factors

PEPs, high-risk jurisdictions, cash-intensive

⚫

Prohibited

Unacceptable risk

Sanctioned parties, shell banks

💵

Source of Funds

All customers — origin of transaction funds

💰

Source of Wealth

High-risk customers — origin of overall wealth

💼

Employment Income

Pay stubs, tax returns

🏢

Business Income

Financial statements, tax returns

📈

Investment Returns

Brokerage statements

🏠

Real Estate

Sale documents

🎁

Inheritance

Estate documents

💰

Retirement Funds

Account statements

🎯

Purpose

Why is customer using our services?

📊

Expected Activity

Volume, frequency, transaction types

💼

Business Model

How customer generates income

🔗

Platform Use

Intended use of OTCM Protocol

📊

Transaction Monitoring

Continuous

📋

Profile Review

Per risk rating schedule

🔍

Negative News

Periodic screening

🏛️

Sanctions Screening

Daily and transaction-based

📈

Pattern Analysis

Ongoing

🟢

Low

Every 3 years

🟡

Medium

Every 2 years

🔴

High

Annually

⚠️

Trigger Event

Upon material change

🌍

High-Risk Jurisdictions

Countries identified by FATF, FinCEN

👔

Politically Exposed Persons

PEPs and their associates

🏢

Complex Structures

Multi-layered ownership, shell companies

💰

High-Value Transactions

Transactions exceeding thresholds

⚠️

Negative News

Adverse media findings

🔗

High-Risk Industries

Casinos, MSBs, crypto exchanges

📊

Unusual Patterns

Unexplained transaction patterns

🏛️

Government Officials

Heads of state, ministers, legislators

⚖️

Judicial Officials

Senior judges, prosecutors

🎖️

Military Officers

Senior military officials

🏦

State Enterprise Executives

Senior executives of state-owned enterprises

🏛️

Political Party Officials

Senior political party officials

👨‍👩‍👧‍👦

Family Members

Immediate family of above

🤝

Close Associates

Known close associates of above

👔

Senior Approval

Senior management approval to onboard

💰

Source of Wealth

Detailed source of wealth documentation

📊

Enhanced Monitoring

Increased transaction monitoring

📋

Periodic Review

More frequent relationship review

📢

Escalation

Report to AML Officer

⚫

FATF Blacklist

Prohibited — no business relationships

🔴

FATF Grey List

EDD required, enhanced monitoring

🟡

FinCEN Advisories

Heightened scrutiny

🔍

Enhanced Verification

Additional identity verification

💰

Source Documentation

Detailed source of funds/wealth

📊

Transaction Justification

Business rationale for transactions

👔

Senior Approval

Management approval required

📋

Ongoing Review

Quarterly relationship review

📊

Ownership Chart

Complete ownership structure diagram

👤

Ultimate Beneficial Owner

Identify natural persons with control

💼

Business Rationale

Legitimate reason for structure

🌍

Jurisdiction Review

Review all jurisdictions involved

📋

Documentation

Full documentation of structure

🚦

Risk Assessment

Written risk assessment

📋

EDD Procedures

EDD steps performed

📊

Findings

Results of EDD

✅

Approval

Management approval and rationale

📁

Supporting Documents

All supporting documentation

📊

Equity Owners

Each individual owning 25%+ of the entity

👔

Control Person

At least one individual with significant control

25%+

✅ Yes — full CIP required

10-24%

✅ For high-risk entities

< 10%

⚠️ If significant control

👔

CEO

Chief Executive Officer

💰

CFO

Chief Financial Officer

⚖️

General Counsel

Chief Legal Officer

🎯

Managing Member

For LLCs

👔

General Partner

For partnerships

🏢

Entity Information

Legal name, address, type

👤

Beneficial Owners

Name, DOB, address, SSN, ownership %

👔

Control Person

Name, DOB, address, SSN, title

✍️

Signature

Authorized representative signature

📅

Date

Date of certification

📄

Document Review

Formation documents, ownership records

🔍

Database Verification

Third-party verification services

📊

Public Records

Secretary of state, SEC filings

💻

Screening

Sanctions and negative news screening

📊

Publicly Traded

SEC reporting companies

🏦

Regulated Financial Institutions

Subject to existing AML requirements

🏛️

Government Entities

Federal, state, local governments

📋

Registered Investment Companies

SEC-registered funds

🏦

Bank-Regulated Entities

Banks, credit unions

👤

All 10%+ Owners

Lower threshold than standard

👔

All Officers

CEO, CFO, and other executive officers

🏛️

All Directors

Board members

📊

Cap Table Review

Full review of capitalization table

🔄

Ongoing Updates

Material ownership changes reported

💰

Suspicious Activity

Potentially illicit transactions

📊

Unusual Patterns

Deviations from expected activity

🚨

Structuring

Transactions designed to evade reporting

🌍

Sanctions Violations

Transactions with sanctioned parties

📈

Threshold Exceedances

Transactions exceeding defined limits

🤖

Automated Systems

Rules-based transaction monitoring

📊

Behavioral Analytics

Pattern detection and anomaly identification

👤

Manual Review

Human review of flagged transactions

🔗

Blockchain Analysis

On-chain transaction analysis

📋

Periodic Reviews

Scheduled account reviews

💵

Structuring

Multiple transactions just below thresholds

🔄

Round-Tripping

Funds sent and returned without purpose

⚡

Rapid Movement

Quick in-and-out of funds

📊

Unusual Volume

Activity inconsistent with profile

🌍

High-Risk Jurisdictions

Transactions with sanctioned/high-risk countries

👤

Third-Party Payments

Unexplained third-party involvement

📋

Reluctant Documentation

Hesitancy to provide required documents

🔄

Frequent Changes

Frequent changes to account information

❓

Inconsistent Information

Information doesn't match public records

😰

Unusual Behavior

Nervousness, urgency, secrecy

💼

No Business Purpose

Cannot explain business rationale

🚫

Avoiding Thresholds

Requests to avoid reporting requirements

🔀

Mixer/Tumbler Use

Transactions through mixing services

🌑

Darknet Connections

Wallets associated with darknet markets

💳

Multiple Wallets

Rapid transfers across many wallets

🔗

Chain Hopping

Cross-chain transfers to obscure origin

🤖

Automated Layering

Bot-driven transaction layering

🚨

Sanctioned Wallets

Interaction with OFAC-listed addresses

1️⃣

Real-time

Alert generated by monitoring system

2️⃣

Within 24 hours

Alert assigned to analyst

3️⃣

Within 5 days

Initial review completed

4️⃣

Within 15 days

Investigation completed

5️⃣

Within 30 days

SAR filed if warranted

📋

Gather Information

Collect transaction records, customer data

🔗

Blockchain Analysis

Analyze on-chain activity

📊

Pattern Analysis

Review for patterns and anomalies

👤

Customer Inquiry

Contact customer if appropriate

📋

Document Findings

Complete investigation memo

🚦

Disposition

Close, escalate, or file SAR

💰

$5,000+

Suspicious activity involving $5,000 or more

👤

Known Subject

Where a suspect can be identified

❓

Unknown Subject

$25,000+ with no identifiable suspect

🔗

Ongoing Relationship

Any amount if relationship exists

💰

Involves Criminal Proceeds

Known or suspected proceeds of crime

🚫

Evades Reporting

Designed to evade BSA reporting

❓

Lacks Business Purpose

No apparent lawful purpose

📊

Unusual Pattern

Unusual given customer profile

🎭

Disguises Ownership

Designed to disguise ownership/control

📅

30 Days

From detection of suspicious activity

📅

60 Days

If no suspect identified (to identify suspect)

🚨

Immediate

If imminent threat to life or property

👤

Subject Information

Name, address, ID numbers, account info

🏢

Filing Institution

Company information

📊

Suspicious Activity

Type, date, amount, instruments

📝

Narrative

Detailed description of suspicious activity

📎

Supporting Documentation

Referenced but not attached

🚫

No Disclosure

Cannot disclose SAR filing to subject

🚫

No Tipping

Cannot notify subject of investigation

🚫

Limited Sharing

Share only with authorized parties

✅

FinCEN Requests

Must respond to FinCEN requests

✅

Law Enforcement

Cooperate with law enforcement requests

🔄

90-Day Review

Review and file continuation SAR

📊

New Information

File new SAR if material new information

📋

Document Review

Document decision to continue or close

🚫

Prohibited Transactions

No transactions with sanctioned parties

🔍

Screening

All customers and transactions screened

❄️

Blocking

Blocked property properly handled

📢

Reporting

Required reports filed

📊

SDN List

Specially Designated Nationals and Blocked Persons

🏢

SSI List

Sectoral Sanctions Identifications

🚫

FSE List

Foreign Sanctions Evaders

🔗

CAPTA List

Correspondent Account or Payable-Through Account

🌍

Country Programs

Cuba, Iran, North Korea, Syria, Russia, etc.

👤

Customer Onboarding

Screen before account opening

📊

Transaction Processing

Screen all transactions

🔄

Periodic Rescreening

Daily against updated lists

📋

Name Changes

Screen when customer information changes

🔗

Counterparties

Screen all transaction counterparties

💳

Wallet Screening

Screen wallet addresses against OFAC list

🔗

Transaction Screening

Screen blockchain transactions

📊

Indirect Exposure

Identify wallets with sanctioned connections

🔍

Blockchain Analytics

Use specialized blockchain compliance tools

🚫

Block Transactions

No transactions with listed addresses

❄️

Freeze Assets

Block property of listed addresses

📢

Report

File blocking report within 10 days

🔍

Monitor

Monitor for indirect exposure

1️⃣

Transaction/account placed on hold

2️⃣

Compliance review within 24 hours

3️⃣

Determine if true match or false positive

4️⃣

If true match: block and report

5️⃣

If false positive: document and release

❄️

Block

SDN or blocked person — freeze assets

🚫

Reject

Prohibited transaction — refuse to process

📢

Report

File blocking report with OFAC

❄️

Blocking Report

Within 10 business days of blocking

📊

Annual Report

By September 30 for blocked property

📋

Voluntary Disclosure

Promptly upon discovery of violation

📊

On-Chain Monitoring

Real-time monitoring of blockchain transactions

🔍

Wallet Analysis

Risk scoring of wallet addresses

🔗

Transaction Tracing

Source and destination tracking

🚨

Alert Generation

Automated alerts for suspicious patterns

💳

Wallet Attribution

Identify wallet owners where possible

🔗

Cluster Analysis

Identify related wallets

📊

Risk Scoring

Assign risk scores to addresses

🌑

Illicit Activity Detection

Identify connections to illicit activity

🔀

Mixer Detection

Identify mixing/tumbling services

🏛️

Sanctions Screening

Screen against OFAC-listed addresses

👤

Originator Name

Full legal name

💳

Originator Wallet

Wallet address

🏦

Originator Institution

If applicable

👤

Beneficiary Name

Full legal name

💳

Beneficiary Wallet

Wallet address

🏦

Beneficiary Institution

If applicable

💰

> $3,000

Collect and verify counterparty information

💰

> $10,000

Enhanced due diligence

🔴

High Risk

May require additional documentation

📊

Transaction Limits

Daily/monthly transaction limits

🔍

Pattern Monitoring

Monitor for wash trading, manipulation

💳

Wallet Limits

Limits on holdings per wallet

🔗

Transfer Monitoring

Monitor large transfers

🔐

Transfer Hooks

Compliance checks on every transfer

✅

Whitelist Verification

Only verified wallets can hold tokens

📊

Volume Monitoring

Monitor unusual trading volumes

🔒

Lock Enforcement

Vesting and lock-up enforcement

🚨

Circuit Breakers

Automatic trading halts for anomalies

💧

Liquidity Pools

Monitor pool activity for manipulation

📈

Bonding Curves

Monitor for artificial price manipulation

🔄

Swap Activity

Track swaps and conversions

🌉

Bridge Transactions

Monitor cross-chain activity

✅

Accurate

Complete and accurate

🔒

Secure

Protected from unauthorized access

📂

Retrievable

Retrievable within reasonable time

📁

Organized

Systematically organized

👤

CIP Records

5 years after account closure

🔍

CDD/EDD Records

5 years after account closure

📊

Transaction Records

5 years from transaction date

📢

SAR Records

5 years from filing date

🏛️

OFAC Records

5 years from date of record

🎓

Training Records

5 years

🔍

Audit Reports

5 years

🔗

Blockchain Records

5 years (off-chain copies)

👤

Identifying Information

Name, DOB, address, ID number

📄

ID Documents

Copies of documents used for verification

💻

Verification Methods

Description of methods used

🔍

Verification Results

Results of verification process

⚠️

Discrepancies

Resolution of any discrepancies

💰

Amount

Transaction amount

📅

Date

Date and time of transaction

👤

Parties

All parties to transaction

💳

Account/Wallet

Account numbers, wallet addresses

🔗

Transaction ID

Transaction hash (for blockchain)

📋

Purpose

Nature of transaction

📢

SAR Copy

Copy of filed SAR

📋

Supporting Documentation

All supporting documents

🔍

Investigation File

Complete investigation file

📝

Narrative Backup

Detailed narrative and analysis

📋

General AML

All employees

Annual

🔍

Role-Specific

AML staff

Upon hire + annual

👔

Management

Senior management

Annual

🏛️

Board

Board of Directors

Annual

🔗

Blockchain AML

Technical staff

Upon hire + annual

📢

SAR Training

AML analysts

Upon hire + annual

⚖️

Legal Framework

BSA, USA PATRIOT Act, OFAC

🔍

Red Flags

Recognizing suspicious activity

📢

Reporting

Internal escalation, SAR filing

👤

CIP/CDD

Customer identification and due diligence

🏛️

Sanctions

OFAC compliance

🔗

Blockchain

Crypto-specific AML concerns

📜

Company Policy

This Policy and procedures

📅

Date

Date of training

👤

Attendees

List of participants

📋

Content

Training materials/agenda

✅

Completion

Attestation of completion

📊

Assessment

Test results (if applicable)

📧

Alerts

Regulatory updates and alerts

📰

Newsletters

AML compliance newsletters

🎓

Webinars

Industry webinars and conferences

📋

Case Studies

Review of enforcement actions

🔄

Frequency

At least annually

👤

Independence

Conducted by independent party

📊

Scope

All aspects of AML program

📋

Documentation

Written report of findings

📋

Policies

Review of policies and procedures

🔍

CIP/CDD

Sample testing of customer files

📊

Transaction Monitoring

Effectiveness of monitoring

📢

SAR Process

Review of SAR filing process

🏛️

OFAC

Sanctions screening effectiveness

🎓

Training

Training program adequacy

🔗

Blockchain Controls

Blockchain-specific controls

🏢

External Firm

Third-party audit firm with AML expertise

👤

Internal Audit

Internal audit (if independent)

🎓

Qualifications

CAMS, CFE, or equivalent certification

📊

Experience

Demonstrated AML audit experience

1️⃣

Findings reported to AML Officer

2️⃣

Findings reported to Board/Audit Committee

3️⃣

Remediation plan developed

4️⃣

Remediation implemented

5️⃣

Follow-up testing of remediation

📋

Maintenance

Keeping Policy current

🔍

Interpretation

Providing authoritative interpretation

📊

Reporting

Reporting to Board on AML matters

🎓

Training

Ensuring adequate training

🔧

Updates

Recommending Policy updates

⚖️

Regulatory Changes

New laws, regulations, guidance

🏆

Best Practices

Industry developments

🔍

Audit Findings

Internal and external audit results

📊

Risk Assessment

Updated risk assessment

🔗

Technology Changes

New blockchain/platform features

📋

Administrative

AML Officer

📊

Substantive

Board of Directors

🚨

Emergency

CEO (with Board ratification)

🏛️

Primary Contact

AML Officer

📋

Document Production

Coordinated by AML Officer

👤

Interview Preparation

AML Officer and Legal

📊

Findings Response

AML Officer with Board oversight

Signature

_________________________________

Date

_________________________________

Printed Name

_________________________________

Title/Position

_________________________________

Department

_________________________________

Transactions just below reporting thresholds

Escalate to AML

Rapid movement of funds in and out

Escalate to AML

Transactions inconsistent with customer profile

Investigate

High-risk jurisdiction involvement

EDD required

Third-party payments without explanation

Investigate

Round-trip transactions

Escalate to AML

Reluctance to provide documentation

Cannot onboard

Inconsistent or false information

Cannot onboard

Unusual secrecy about business

Escalate to AML

Requests to avoid reporting

Report to AML

Multiple accounts with no business purpose

Investigate

Frequent changes to account information

Investigate

Transactions through mixers/tumblers

Escalate to AML

Connections to darknet markets

Block and report

Interactions with OFAC-listed wallets

Block and report

Rapid transfers across many wallets

Investigate

Cross-chain transfers to obscure source

Investigate

Unusual smart contract interactions

Investigate

New customer onboarding

✅ Yes

Every transaction

✅ Yes

Daily list updates

✅ Yes

Customer information changes

✅ Yes

Counterparty transactions

✅ Yes

Wallet address interactions

✅ Yes

1️⃣

Immediate

Stop transaction/hold account

2️⃣

< 24 hours

Compliance review

3️⃣

< 48 hours

Determination (true/false match)

4️⃣

If true match

Block and file report

5️⃣

If false positive

Document and release