ANTI-MONEY LAUNDERING (AML) POLICY V8

ANTI-MONEY LAUNDERING POLICY

VERSION 8.0 | MARCH 2026

GROOVY COMPANY, INC. DBA OTCM PROTOCOL

Wyoming Corporation | CIK: 1499275 | OTC: GROO | 12 Daniel Rd East, Fairfield, NJ 07004

Field	Value
Document ID	OTCM-POL-AML-001
Version	8.0 (supersedes V1.0)
Effective Date	March 2026
Classification	CONFIDENTIAL
Approved By	Board of Directors
Legal Entity	Groovy Company, Inc. dba OTCM Protocol
Governing Law	Bank Secrecy Act, USA PATRIOT Act, OFAC, FinCEN, Federal Securities Law, New Jersey State Law

Article I: Purpose and Regulatory Framework

Section 1.1 — Purpose

This Anti-Money Laundering Policy (the “Policy”) establishes Groovy Company, Inc. dba OTCM Protocol’s (the “Company”) program to prevent money laundering, terrorist financing, and other financial crimes across all Company operations, the OTCM Protocol platform, CEDEX, and all ST22 Digital Securities and OTCM Utility Token transactions.

Section 1.2 — Regulatory Framework

Regulation	Description
Bank Secrecy Act (BSA)	31 U.S.C. § 5311 et seq. — Recordkeeping and reporting
USA PATRIOT Act	Enhanced due diligence, CIP requirements
FinCEN Regulations	31 CFR Chapter X — AML program requirements
OFAC Regulations	31 CFR Parts 500–599 — Sanctions compliance
SEC Rule 17a-8	Broker-dealer SAR filing requirements
FATF Recommendations	International AML/CFT standards
Release No. 33-11412	SEC–CFTC Digital Securities taxonomy (March 17, 2026, binding)
FATF Travel Rule	Recommendation 16 — Virtual asset transfer information requirements

Section 1.3 — Scope

This Policy applies to all Company business activities, all OTCM Protocol and CEDEX platform transactions, all ST22 Digital Securities and OTCM Utility Token transactions, all issuers, investors, and platform users, all partners (Empire Stock Transfer, custody providers, service providers), and all geographic operations.

Section 1.4 — Money Laundering Defined

Money laundering is the process of disguising criminal proceeds through three stages: Placement (introducing illicit funds), Layering (disguising the trail through complex transactions), and Integration (reintroducing funds as legitimate assets). Predicate offenses include drug trafficking, securities fraud, wire fraud, bank fraud, tax evasion, terrorist financing, human trafficking, public corruption, embezzlement, ransomware, and cryptocurrency theft.

Article II: AML Program Structure

Section 2.1 — Five Pillars

Pillar	Description
1. Internal Controls	Policies, procedures, and systems including 42 Transfer Hook controls and blockchain monitoring via Chainalysis KYT + TRM Labs
2. BSA/AML Officer	Designated compliance officer with authority, Board access, and oversight of all AML operations
3. Training	Ongoing employee training covering BSA, OFAC, blockchain AML, and SAR filing
4. Independent Testing	Annual independent program audits by qualified external auditors (CAMS/CFE certified)
5. Customer Due Diligence	Risk-based CDD program including KYC, KYB, KYW, and beneficial ownership verification via Empire Stock Transfer

Section 2.2 — BSA/AML Compliance Officer

The Board designates a BSA/AML Compliance Officer with comprehensive BSA/AML knowledge, sufficient authority, direct Board and senior management access. Responsibilities include program oversight, policy development, enterprise risk assessments, SAR filing decisions, regulatory liaison (FinCEN, SEC, OFAC, examiners), training oversight, Board reporting, and blockchain transaction monitoring oversight.

Empire Stock Transfer is the sole investor onboarding authority for all ST22 issuers. The AML Officer coordinates with Empire on all KYC/KYB/KYW/AML/OFAC procedures but does not perform investor onboarding directly.

Section 2.3 — Risk Assessment

Risk Factor	Considerations
Customer Risk	Customer types, geographic locations, accreditation status, wallet history
Product Risk	ST22 Digital Securities, OTCM Utility Token, stablecoin settlement (GENIUS Act)
Geographic Risk	Countries and regions served, FATF grey/blacklist, OFAC sanctions
Channel Risk	CEDEX (24/7 blockchain trading), stablecoin on-ramp, wallet connectivity
Transaction Risk	Transaction types, volumes, patterns, velocity, Global Pool activity

Rating	Description	Review Frequency
Low (Green)	Standard risk customers	Annual
Medium (Yellow)	Elevated risk factors	Semi-annual
High (Red)	Significant risk factors — PEPs, high-risk jurisdictions	Quarterly
Prohibited (Black)	Unacceptable risk — sanctioned parties, FATF blacklist	No onboarding permitted

Article III: Customer Identification Program (CIP)

Section 3.1 — Requirements

Before establishing any business relationship, Empire Stock Transfer (as sole onboarding authority) must collect required identifying information, verify identity through documentary or non-documentary methods, screen against OFAC and other watchlists, maintain CIP records, and provide the CIP notice to all customers.

Section 3.2 — Individual CIP

Information	Required	Verification
Full Legal Name	Yes — as on government ID	Government ID match
Date of Birth	Yes	Government ID match
Residential Address	Yes — no P.O. boxes	Utility bill / bank statement < 90 days
SSN/TIN	Yes (U.S. persons)	Database verification
Passport Number	Yes (non-U.S. persons)	Document verification + country of issuance
Email / Phone	Yes	Email confirmation / SMS verification
Solana Wallet Address	Yes — for KYW	Ed25519 signature challenge (wallet ownership proof)

Section 3.3 — Entity CIP

Required: legal name, DBA names, principal physical address, EIN/TIN, state of formation, formation date, entity type, website. Documents: articles of incorporation/organization, good standing certificate, EIN letter, operating agreement/bylaws, board resolution authorizing account.

Section 3.4 — Verification Methods

Documentary: government-issued photo ID, passport (U.S. or foreign), driver’s license, state ID, national ID. Non-documentary: credit bureau verification, bank account verification, government databases, third-party KYC providers. All verification performed by Empire Stock Transfer.

Section 3.5 — Enhanced Issuer CIP

Issuers onboarding to OTCM Protocol require: full entity CIP, CIP on all authorized signers, 25%+ beneficial owners identified (10%+ for issuers), control person identified, business operations verification, SEC/state filing review, Common Class B documentation (board resolution, Certificate of Designation draft).

Section 3.6 — CIP Notice

IMPORTANT: To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. When you access our platform, we will ask for your name, address, date of birth, and other identifying information.

Article IV: Customer Due Diligence (CDD)

Section 4.1 — CDD Objectives

Understand who the customer is, understand the nature and purpose of the relationship, develop a customer risk profile, conduct ongoing monitoring, and maintain current customer information.

Section 4.2 — Risk Rating Factors

Customer type (individual, entity, institutional), geography (country of residence/operations), occupation/industry (high-risk industries), transaction patterns (expected vs. actual), source of funds (origin of wealth), negative news (adverse media screening), and wallet risk score (Chainalysis KYT + TRM Labs).

Section 4.3 — Source of Funds/Wealth

Source of funds inquiry required for all customers. Source of wealth documentation required for high-risk customers. Acceptable sources include employment income (pay stubs, tax returns), business income (financial statements), investment returns (brokerage statements), real estate proceeds, inheritance, and retirement funds.

Section 4.4 — Ongoing Monitoring and CDD Refresh

Monitoring	Frequency	Method
Transaction Monitoring	Continuous	Chainalysis KYT + TRM Labs + Transfer Hook controls
Profile Review	Per risk rating	Manual review by Empire / Compliance
Negative News	Periodic	Automated adverse media screening
Sanctions Screening	Daily + per transaction	Three-layer OFAC architecture
Wallet Risk Rescoring	Weekly	TRM Labs 200+ behavioral features

Risk Level	CDD Refresh Frequency
Low	Every 3 years
Medium	Every 2 years
High	Annually
Trigger Event	Upon any material change in customer profile or activity

Article V: Enhanced Due Diligence (EDD)

Section 5.1 — EDD Triggers

EDD is required for: high-risk jurisdictions (FATF grey/blacklist, FinCEN advisories), politically exposed persons (PEPs) and their associates, complex multi-layered ownership structures, high-value transactions exceeding defined thresholds, adverse media findings, high-risk industries (casinos, MSBs, crypto exchanges), and unexplained transaction patterns.

Section 5.2 — PEP Requirements

PEPs include heads of state, ministers, legislators, senior judges, senior military officials, state enterprise executives, senior political party officials, and immediate family and close associates of all of the above. PEP EDD requires: senior management approval to onboard, detailed source of wealth documentation, enhanced ongoing transaction monitoring, more frequent relationship review, and escalation to AML Officer.

Section 5.3 — High-Risk Jurisdictions

Category	Treatment
FATF Blacklist	PROHIBITED — no business relationships permitted
FATF Grey List	EDD required, enhanced monitoring, quarterly review
FinCEN Advisories	Heightened scrutiny, additional verification
OFAC Comprehensively Sanctioned	PROHIBITED — North Korea, Iran, Syria, Cuba, Crimea/Donetsk/Luhansk

Section 5.4 — Complex Structures and Documentation

Complex ownership structures require: complete ownership diagram through all levels to natural persons, identification of ultimate beneficial owner, legitimate business rationale, review of all jurisdictions involved, and full documentation. All EDD must be documented with written risk assessment, procedures performed, findings, management approval with rationale, and all supporting documents.

Article VI: Beneficial Ownership

Section 6.1 — Requirements

For all legal entity customers, the Company (via Empire Stock Transfer) must identify and verify: each individual owning 25%+ of the entity (ownership prong) and at least one individual with significant control (control prong — CEO, CFO, Managing Member, General Partner, or equivalent).

Section 6.2 — Thresholds

Ownership Level	Requirement
25%+	Full CIP required on each beneficial owner
10–24%	Required for high-risk entities and all OTCM Protocol issuers
< 10%	Required if individual has significant management control

Section 6.3 — Platform Issuer Enhanced Requirements

For issuers tokenizing equity as ST22 Digital Securities: all 10%+ owners identified (lower threshold than standard), all officers (CEO, CTO, COO and other executives), all directors, full cap table review, and ongoing reporting of material ownership changes.

Section 6.4 — Exemptions

Exempt entities: publicly traded SEC reporting companies, regulated financial institutions subject to existing AML, federal/state/local government entities, SEC-registered investment companies, and bank-regulated entities.

Article VII: Transaction Monitoring

Section 7.1 — Monitoring Program

The Company maintains a transaction monitoring program using Chainalysis KYT (continuous on-chain monitoring), TRM Labs (weekly wallet risk rescoring across 200+ features), Transfer Hook Controls 11–15 (per-transaction AML risk scoring inside Solana runtime), rules-based automated systems, behavioral analytics, manual review of flagged transactions, and scheduled account reviews.

Section 7.2 — Red Flags

Transaction Red Flags

• Structuring: multiple transactions just below $10,000 threshold

• Round-tripping: funds sent and returned without economic purpose

• Rapid in-out: quick movement of funds within 24 hours

• Unusual volume: activity inconsistent with customer profile

• High-risk jurisdiction transactions

• Unexplained third-party involvement

Blockchain Red Flags

• Mixer/tumbler use (Tornado Cash, etc.)

• Darknet market connections

• Rapid transfers across many wallets

• Chain hopping: cross-chain transfers to obscure origin

• Bot-driven automated layering

• Interaction with OFAC-listed wallet addresses

Section 7.3 — Alert Management

Step	Timeline
Alert generated	Real-time (Chainalysis KYT / Transfer Hook)
Alert assigned to analyst	Within 24 hours
Initial review completed	Within 5 business days
Investigation completed	Within 15 business days
SAR filed if warranted	Within 30 days of detection

Article VIII: Suspicious Activity Reporting

Section 8.1 — SAR Filing Obligations

Threshold	Requirement
$5,000+ with known subject	SAR required — FinCEN Form 111 via BSA E-Filing
$25,000+ with unknown subject	SAR required
Any amount with existing relationship	SAR required if activity is suspicious
Imminent threat	Immediate filing + law enforcement notification

Section 8.2 — Timeline

30 days from detection of suspicious activity. 60 days if no suspect identified (to identify suspect). Immediate if imminent threat to life or property. Continuing activity: 90-day review and continuation SAR as needed.

Section 8.3 — Confidentiality

SARs are STRICTLY CONFIDENTIAL. Cannot disclose SAR filing to the subject. Cannot notify subject of investigation. Share only with authorized parties. Must respond to FinCEN requests. Must cooperate with law enforcement. 31 U.S.C. § 5318(g)(3) provides safe harbor from liability for good faith SAR filings.

Article IX: OFAC Sanctions Compliance

Section 9.1 — Three-Layer Screening Architecture

OTCM Protocol implements three-layer OFAC screening: (1) Empire Stock Transfer onboarding screening, (2) Chainalysis KYT + TRM Labs continuous wallet monitoring, (3) Transfer Hook Controls 8–10 real-time screening on every ST22 transaction inside the Solana runtime.

Section 9.2 — OFAC Lists Screened

List	Update Frequency
SDN (Specially Designated Nationals)	Daily (within 24 hours of OFAC publication)
Consolidated Non-SDN Lists	Daily
SSI (Sectoral Sanctions)	As updated by OFAC
FSE (Foreign Sanctions Evaders)	As updated
CAPTA List	As updated
Country Programs	Cuba, Iran, North Korea, Syria, Russia/Crimea — comprehensive prohibition

Section 9.3 — Screening Points

Customer onboarding (before account opening), every transaction (Transfer Hook Controls 8–10), daily against updated lists, upon customer information changes, all counterparties, and all Solana wallet addresses via Chainalysis + TRM Labs.

Section 9.4 — Blockchain Sanctions Screening

Wallet address screening against OFAC-designated addresses, transaction screening on every ST22 transfer, indirect exposure identification (2-hop address clustering), and specialized blockchain compliance tools (Chainalysis KYT + TRM Labs). OFAC has designated specific blockchain addresses. The Company blocks all transactions with listed addresses, freezes property, files blocking report within 10 business days, and monitors for indirect exposure.

Section 9.5 — Match Handling

Step	Action
1. Hold	Transaction/account placed on immediate hold
2. Review	Compliance review within 24 hours
3. Determine	True match (>95%): block and report. Potential (75–95%): manual review. False positive (<75%): document and release.
4. Block/Report	If true match: freeze assets, file blocking report with OFAC within 10 business days
5. Annual Report	File by September 30 for all blocked property

Article X: Blockchain-Specific Controls

Section 10.1 — Monitoring and Analytics

Real-time on-chain monitoring via Chainalysis KYT. Wallet risk scoring and attribution. Transaction source and destination tracking. Automated alerts for suspicious patterns. Cluster analysis identifying related wallets. Mixer/tumbler detection. OFAC-listed address screening.

Section 10.2 — Travel Rule Compliance

For virtual asset transfers exceeding applicable thresholds: originator and beneficiary full legal name, wallet address, and institution (if applicable) must be collected and transmitted per FATF Recommendation 16.

Section 10.3 — Unhosted Wallet Controls

Threshold	Requirement
> $3,000	Collect and verify counterparty information
> $10,000	Enhanced due diligence required
High Risk	Additional documentation and source of funds verification

Section 10.4 — Token-Specific Controls

ST22 Digital Securities Controls

• 42 Transfer Hook compliance checks on every transfer inside Solana runtime

• Whitelist verification — only Empire-registered wallets can hold tokens

• Volume monitoring for unusual trading patterns on CEDEX

• Holding period enforcement (Rule 144: 6 months Reg D / 12 months Reg S)

• Circuit breakers: >10% price move in 5 minutes = 15-minute halt

OTCM Utility Token Controls

• Daily/monthly transaction limits

• Wash trading and manipulation pattern monitoring

• Wallet concentration limits

• Large transfer monitoring and alerts

Section 10.5 — CEDEX and Liquidity Monitoring

Global Unified CEDEX Liquidity Pool monitoring for manipulation, CPMM bonding curve monitoring for artificial price manipulation, swap and stablecoin conversion tracking, and cross-chain activity monitoring.

Article XI: Recordkeeping

Record Type	Retention Period
CIP Records	5 years after account closure
CDD/EDD Records	5 years after account closure
KYW Wallet Records	5 years after wallet deregistration
Transaction Records	5 years from transaction date
SAR Records	5 years from filing date
OFAC Screening Records	5 years from date of record
Training Records	5 years
Audit Reports	5 years
Blockchain Records (off-chain)	5 years (on-chain records are permanent/immutable)
Beneficial Ownership Certifications	5 years after account closure

Article XII: Training Program

Type	Audience	Frequency
General AML	All employees	Annual
Role-Specific AML	AML staff, analysts	Upon hire + annual
Management	Senior management	Annual
Board	Board of Directors	Annual
Blockchain AML	Technical staff (CEDEX, Transfer Hooks)	Upon hire + annual
SAR Training	AML analysts, Compliance Officer	Upon hire + annual

Content covers BSA/USA PATRIOT Act/OFAC legal framework, red flag recognition (transaction, customer, blockchain), internal escalation and SAR filing, CIP/CDD/KYW procedures, sanctions compliance and three-layer screening, blockchain-specific AML concerns (mixers, chain hopping, darknet), and this Policy.

Article XIII: Independent Testing

At least annually by an independent party (external firm with CAMS/CFE certification or independent internal audit). Scope covers all AML program aspects: policies, CIP/CDD/KYW sample testing, transaction monitoring effectiveness, SAR filing process, OFAC screening effectiveness, training adequacy, and blockchain-specific controls.

Findings reported to AML Officer and Board/Audit Committee. Remediation plan developed, implemented, and follow-up tested.

Article XIV: Administration

The BSA/AML Compliance Officer is the Policy owner. Annual review covers regulatory changes, industry best practices, audit findings, updated risk assessment, and new blockchain/platform features. Administrative changes approved by AML Officer; substantive changes require Board approval; emergency changes by CEO with Board ratification.

Contact: aml@otcm.io or compliance@otcm.io

Acknowledgment and Certification

I acknowledge that I have received and read the Groovy Company, Inc. dba OTCM Protocol Anti-Money Laundering Policy. I understand its contents and my responsibilities.

I understand that I must comply with all AML/BSA requirements, report suspicious activity, complete required training, maintain SAR confidentiality, and that failure to comply may result in disciplinary action and personal liability.

Field
Signature	_________________________________
Date	_________________________________
Printed Name	_________________________________
Title / Position	_________________________________
Department	_________________________________

Appendix A: Red Flags Quick Reference

Transaction

• Transactions just below $10,000 reporting thresholds → Escalate to AML

• Rapid in-out of funds within 24 hours → Escalate to AML

• Activity inconsistent with customer profile → Investigate

• High-risk jurisdiction involvement → EDD required

• Round-trip transactions with no economic purpose → Escalate to AML

Customer

• Reluctance to provide documentation → Cannot onboard

• Inconsistent or false information → Cannot onboard

• Requests to avoid reporting thresholds → Report to AML

• Multiple accounts with no business purpose → Investigate

Blockchain

• Mixer/tumbler transactions → Escalate to AML

• Darknet market connections → Block and report

• OFAC-listed wallet interactions → Block and report immediately

• Rapid multi-wallet transfers → Investigate

• Cross-chain transfers to obscure source → Investigate

Appendix B: OFAC Screening Quick Reference

When to Screen	Action
New customer onboarding	Screen before any account activity via Empire
Every ST22 transaction	Transfer Hook Controls 8–10 — automatic
Daily list updates	Re-screen all active customers and wallets
Customer info changes	Re-screen immediately
All counterparties	Screen before transaction processes
All wallet addresses	Chainalysis + TRM Labs continuous monitoring

Document Information

Field	Value
Document ID	OTCM-POL-AML-001
Version	8.0
Effective Date	March 2026
Legal Entity	Groovy Company, Inc. dba OTCM Protocol
Entity Type	Wyoming Corporation
Governing Law	BSA, USA PATRIOT Act, OFAC, FinCEN, Federal Securities Law, New Jersey State Law
Approved By	Board of Directors