/
No results

Try adjusting your search

Language
Currency
  • € EUR
  • $ USD
  • £ GBP
  • лв. BGN
  • Kč CZK
  • ft HUF
  • zł PLN
  • kr SEK
  • ₺ TRY
  • fr. CHF
  • kr NOK
  • L RON
  • kr. DKK
Legal KYC / AML / CTF POLICY

KYC / AML / CTF POLICY

Kriptomat is a fully regulated Crypto Asset Service Provider (CASP), committed to the highest standards of security and compliance. We prioritize user safety and align our operations with all applicable laws in Estonia and the European Union, including the 6th Anti-Money Laundering Directive (AMLD6), Markets in Crypto-Assets Regulation (MiCA), FATF recommendations, and Estonian national regulations. This Know Your Customer (KYC), Anti-Money Laundering (AML), and Counter-Terrorist Financing (CTF) Policy outlines the measures we implement to prevent financial crime.

Legal and Regulatory Framework

Kriptomat adheres to:

  • 6AMLD (EU Directive 2018/1673)
  • Estonian AML Act
  • Regulation (EU) 2023/1114 (MiCA)
  • FATF Recommendations, including the Travel Rule
  • GDPR (Regulation (EU) 2016/679) for data processing

This Policy is reviewed annually or upon regulatory updates, and approved by the Management Board. 

Governance and Oversight

Kriptomat has appointed a Money Laundering Reporting Officer (MLRO) and designated Compliance Officer responsible for the implementation and oversight of AML/CTF procedures. The Management Board provides strategic oversight and ensures allocation of appropriate resources.

User Due Diligence

We do not support anonymous use of our services. All customers must undergo due diligence in accordance with a risk-based approach.

Individual Users

Required information:

  • Full name, DOB, place of birth, residential address
  • Contact details (phone, email)
  • Government-issued ID (both sides)
  • Video liveness check with biometric face verification*
  • Bank account or card details
  • Onboarding questionnaire
  • Source of Funds (SoF) and additional documents upon request

(*Biometric data is processed under GDPR Articles 6(1)(b) and 9(2)(g), subject to strict safeguards and stored securely.)

Corporate Users

  • Company name, registration code, incorporation date
  • Proof of registered office
  • Identification documents of UBOs, directors, and representatives
  • Articles of Association
  • Bank statement
  • Onboarding questionnaire
  • Internal AML policy

Risk-Based Approach

Each user is assigned a risk profile based on:

  • Geographic data (Country of residence/citizenship)
  • Demographic data
  • Business model (for legal entities)
  • Transaction and behavioural patterns
  • Presence on PEP, sanctions, or wanted lists

Ongoing monitoring ensures dynamic reassessment of risk levels.

Transaction Monitoring

We monitor all transactions using automated and manual controls to detect:

  • Structuring and layering
  • Unusual patterns or volume spikes
  • Use of privacy coins or mixing services
  • Jurisdictional red flags

Transactions deemed suspicious may be paused, investigated, or reported to the relevant Financial Intelligence Unit (FIU).

Sanctions Screening

We conduct real-time screening of all users and transactions against:

  • EU Consolidated Sanctions List
  • OFAC Sanctions List
  • United Nations Security Council Sanctions
  • Local Estonian lists and other applicable sources

Travel Rule Compliance

Kriptomat complies with the FATF Travel Rule by collecting and transmitting originator and beneficiary data for virtual asset transfers over regulatory thresholds, using Travel Rule-compliant technologies and secure transmission protocols.

Politically Exposed Persons (PEPs)

Enhanced Due Diligence (EDD) is applied to PEPs and their close associates. This includes:

  • Senior management approval
  • Enhanced monitoring
  • Source of Wealth (SoW) verification

Training and Awareness

All employees undergo:

  • AML/CTF induction training upon onboarding
  • Annual refresher training
  • Ad hoc training on emerging risks or regulatory changes

Record-Keeping and Audit Trail

We retain customer and transaction records for a minimum of 5 years after the business relationship ends, in compliance with legal requirements. Secure digital archives are maintained.

Jurisdictional Restrictions

Prohibited Jurisdictions

Kriptomat does not serve users in countries where virtual asset services are prohibited, including but not limited to: USA, Iran, DPRK, Russia, and others listed on the latest EU non-cooperative jurisdictions list.

The list of supported markets is available and updated at: https://kriptomat.io/global/ 

High-Risk Jurisdictions

Users from high-risk countries face additional controls, enhanced due diligence, and potential service restrictions.

Low-Tax/Tax-Free Jurisdictions

Users from low-tax jurisdictions are subject to enhanced scrutiny to assess the legitimacy of funds.

Data Protection and Security

Kriptomat is ISO/IEC 27001:2013 certified. Our Data Protection Officer (DPO) ensures lawful and secure processing of personal data, in accordance with GDPR principles of transparency, data minimisation, purpose limitation, and storage limitation.

Contact

For compliance-related queries, reach out to:
[email protected]

Valid from: 13.05.2025