KYC / AML / CTF POLICY
Kriptomat is a fully regulated Crypto Asset Service Provider (CASP), committed to the highest standards of security and compliance. We prioritize user safety and align our operations with all applicable laws in Estonia and the European Union, including the 6th Anti-Money Laundering Directive (AMLD6), Markets in Crypto-Assets Regulation (MiCA), FATF recommendations, and Estonian national regulations. This Know Your Customer (KYC), Anti-Money Laundering (AML), and Counter-Terrorist Financing (CTF) Policy outlines the measures we implement to prevent financial crime.
Legal and Regulatory Framework
Kriptomat adheres to:
- 6AMLD (EU Directive 2018/1673)
- Estonian AML Act
- Regulation (EU) 2023/1114 (MiCA)
- FATF Recommendations, including the Travel Rule
- GDPR (Regulation (EU) 2016/679) for data processing
This Policy is reviewed annually or upon regulatory updates, and approved by the Management Board.
Governance and Oversight
Kriptomat has appointed a Money Laundering Reporting Officer (MLRO) and designated Compliance Officer responsible for the implementation and oversight of AML/CTF procedures. The Management Board provides strategic oversight and ensures allocation of appropriate resources.
User Due Diligence
We do not support anonymous use of our services. All customers must undergo due diligence in accordance with a risk-based approach.
Individual Users
Required information:
- Full name, DOB, place of birth, residential address
- Contact details (phone, email)
- Government-issued ID (both sides)
- Video liveness check with biometric face verification*
- Bank account or card details
- Onboarding questionnaire
- Source of Funds (SoF) and additional documents upon request
(*Biometric data is processed under GDPR Articles 6(1)(b) and 9(2)(g), subject to strict safeguards and stored securely.)
Corporate Users
- Company name, registration code, incorporation date
- Proof of registered office
- Identification documents of UBOs, directors, and representatives
- Articles of Association
- Bank statement
- Onboarding questionnaire
- Internal AML policy
Risk-Based Approach
Each user is assigned a risk profile based on:
- Geographic data (country of residence/citizenship)
- Demographic data
- Business model (for legal entities)
- Transaction and behavioural patterns
- Presence on PEP, sanctions, or wanted lists
Ongoing monitoring ensures dynamic reassessment of risk levels.
Transaction Monitoring
We monitor all transactions using automated and manual controls to detect:
- Structuring and layering
- Unusual patterns or volume spikes
- Use of privacy coins or mixing services
- Jurisdictional red flags
Transactions deemed suspicious may be paused, investigated, or reported to the relevant Financial Intelligence Unit (FIU).
Sanctions Screening
We conduct real-time screening of all users and transactions against:
- EU Consolidated Sanctions List
- OFAC Sanctions List
- United Nations Security Council Sanctions
- Local Estonian lists and other applicable sources
Travel Rule Compliance
Kriptomat complies with the FATF Travel Rule by collecting and transmitting originator and beneficiary data for virtual asset transfers over regulatory thresholds, using Travel Rule-compliant technologies and secure transmission protocols.
Politically Exposed Persons (PEPs)
Enhanced Due Diligence (EDD) is applied to PEPs and their close associates. This includes:
- Senior management approval
- Enhanced monitoring
- Source of Wealth (SoW) verification
Training and Awareness
All employees undergo:
- AML/CTF induction training upon onboarding
- Annual refresher training
- Ad hoc training on emerging risks or regulatory changes
Record-Keeping and Audit Trail
We retain customer and transaction records for a minimum of 5 years after the business relationship ends, in compliance with legal requirements. Secure digital archives are maintained.
Jurisdictional Restrictions
Prohibited Jurisdictions
Kriptomat does not serve users in countries where virtual asset services are prohibited, including but not limited to: USA, Iran, DPRK, Russia, and others listed on the latest EU non-cooperative jurisdictions list.
The list of supported markets is available and updated at: https://kriptomat.io/global/
High-Risk Jurisdictions
Users from high-risk countries face additional controls, enhanced due diligence, and potential service restrictions.
Low-Tax/Tax-Free Jurisdictions
Users from low-tax jurisdictions are subject to enhanced scrutiny to assess the legitimacy of funds.
Data Protection and Security
Kriptomat is ISO/IEC 27001:2013 certified. Our Data Protection Officer (DPO) ensures lawful and secure processing of personal data, in accordance with GDPR principles of transparency, data minimisation, purpose limitation, and storage limitation.
Contact
For compliance-related queries, reach out to:
[email protected]
Valid from: 13.05.2025