Anti-Money Laundering Policy

Okanewatch LTD (the "Company") is committed to conducting business with the highest standards of integrity and in compliance with applicable anti-money laundering (AML), counter-terrorism financing (CTF), and economic sanctions laws. We recognise that crypto-assets can be misused for illicit purposes, and we design our products and our own operations to deter, detect, and disrupt such misuse.

AMLRegister is itself a tool used by compliance teams to help prevent financial crime. We take additional responsibility for the integrity of the tool and the accuracy of the data that powers it. This Policy sets out the framework we apply to ourselves and the obligations we ask of users.

This Policy is issued under the authority of the Company's Board of Directors and is overseen by the Head of Compliance. It is reviewed at least annually, or more frequently in response to changes in applicable law or material changes to our business.

The Company's primary AML/CTF framework is derived from the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended), the Proceeds of Crime Act 2002, the Terrorism Act 2000, and the Sanctions and Anti-Money Laundering Act 2018, together with guidance issued by the Financial Conduct Authority, HM Treasury, and the Joint Money Laundering Steering Group. We also have regard to international standards including the Financial Action Task Force (FATF) Recommendations.

Where we operate in other jurisdictions, or where users of the Service are based in other jurisdictions, additional AML regimes may apply, including the EU Anti-Money Laundering Directives and the Markets in Crypto-Assets Regulation (MiCA), the U.S. Bank Secrecy Act, and the rules of equivalent regulators in other jurisdictions. We aim to meet the stricter of any overlapping requirements.

Nothing in this Policy limits the Company's obligation to comply with applicable law. Where the requirements of applicable law exceed those described here, the law prevails.

The Board of Directors holds ultimate responsibility for AML compliance and approves this Policy. The Head of Compliance is the Money Laundering Reporting Officer (MLRO) with operational responsibility for the AML programme, reports directly to the Board, and has sufficient authority and resources to carry out the role independently.

The Head of Compliance is responsible for: (a) maintaining and updating this Policy; (b) performing and reviewing the Company's business-wide risk assessment; (c) overseeing staff training; (d) reviewing and escalating internal suspicious activity reports; (e) liaising with regulators, law enforcement, and external auditors; and (f) reporting at least quarterly to the Board on the effectiveness of the AML programme.

All staff — including engineering, product, customer success, and sales — are responsible for adhering to this Policy, completing required training, and reporting any suspicious activity, potential breach, or control weakness to the Head of Compliance promptly. Staff should not "tip off" a customer or any third party about an AML concern.

We appoint a deputy MLRO to ensure continuity in the absence of the primary Head of Compliance. The deputy has the same authority and reporting lines when acting in that capacity.

The Company adopts a risk-based approach to AML. We maintain a business-wide risk assessment that considers the nature of our customers, the geographic distribution of users, the products and services we offer, the channels through which we deliver the Service, and the types of transactions involved. The assessment is updated at least annually and whenever a material change occurs.

Our risk classification informs the level of due diligence we perform on enterprise customers, the monitoring we apply to our own operations, and the design of the Service itself (for example, rate limits, abuse detection, and logging). Higher-risk scenarios trigger enhanced measures; lower-risk scenarios may attract simplified measures within the limits permitted by law.

We publish a summary of our risk assessment methodology and findings to enterprise customers on request, subject to confidentiality protections.

Enterprise customers — that is, organisations that enter into a paid commercial agreement with the Company — are subject to customer due diligence (CDD) in accordance with our KYC Policy. CDD includes verification of the customer's identity, ownership structure, beneficial owners (25% or greater), the purpose and intended nature of the relationship, and any politically exposed person (PEP) status.

CDD is performed at onboarding and refreshed periodically based on customer risk rating. Enhanced due diligence (EDD) applies where the customer is based in a high-risk jurisdiction, has complex ownership, is subject to adverse media, or where the nature of the relationship otherwise presents elevated risk.

Where we cannot complete CDD to our satisfaction, we will not enter into or continue the relationship. We reserve the right to terminate existing relationships where ongoing CDD is not maintained. Further detail on KYC procedures is set out in our KYC Policy.

We screen prospective enterprise customers against consolidated sanction lists including the OFAC Specially Designated Nationals (SDN) List, the UK HM Treasury Consolidated List, the EU Financial Sanctions List, and United Nations Security Council consolidated lists. Screening is performed at onboarding and re-run on list updates.

A positive match, or a potential match that we cannot confidently eliminate, will result in onboarding being halted and escalation to the Head of Compliance. Where a match is confirmed for an existing customer, we will freeze the relationship to the extent legally required and file the appropriate report with the competent authority.

We do not provide the Service to persons located in comprehensively sanctioned jurisdictions. We maintain IP-level controls where appropriate and commercial terms that prohibit access from such jurisdictions.

Because AMLRegister primarily acts as an informational tool, we do not hold customer funds or process payment transactions as a payment institution. However, we do monitor our own operations for unusual patterns that might indicate misuse, including (a) bulk or automated querying patterns outside the expected profile of a legitimate compliance user; (b) attempts to submit illegitimate account or configuration data; and (c) abnormal geographical or device patterns.

For paid subscriptions, we review the payment metadata we receive from our payment processor for any indicators of fraud or ongoing sanctions concerns, and we retain transaction records for the period required by law.

Where we observe suspicious activity, the Head of Compliance evaluates the matter and, where appropriate, files an internal suspicious activity report (SAR) which, after review, may be submitted to the UK National Crime Agency (NCA) or equivalent authority in another jurisdiction. The obligation to file a SAR is not a commercial decision — we will file whenever the legal test is met.

We keep records of: (a) CDD information and documents; (b) sanctions screening outcomes; (c) the business-wide risk assessment and its updates; (d) the results of internal and external audits of the AML programme; (e) staff training records; (f) internal SARs, regulatory SARs, and related correspondence; and (g) internal audit trails of privileged system operations required under our AML programme. Records are retained for at least five (5) years after the end of the business relationship, or longer where required by law.

Records are stored in systems that ensure integrity, confidentiality, and availability, with access restricted to authorised staff on a need-to-know basis. Destruction of records at the end of the retention period is logged for audit purposes.

All staff receive AML training at induction and annually thereafter. Training covers: the legal framework; the Company's policies; recognising and reporting suspicious activity; sanctions risk; the risks of tipping off; data protection considerations in an AML context; and the specific AML risks relevant to each role. Additional, role-specific training is provided to customer success, sales, and compliance staff.

Training materials are updated in response to regulatory change, emerging typologies, and lessons learned from internal incidents or external events. Completion of training is logged and non-completion is escalated to line managers and, for persistent cases, to the Head of Compliance.

The effectiveness of the AML programme is subject to independent review at least every twenty-four (24) months. The review is performed by a qualified independent party (internal or external) who has not been involved in the day-to-day operation of the programme. The report is presented to the Board.

Recommendations from the independent review are tracked through to completion. Significant findings are disclosed to regulators where required. The most recent independent review report is available to enterprise customers on request, subject to redaction for confidentiality.

AMLRegister is widely used by "obliged entities" — financial institutions, crypto-asset service providers, and other regulated businesses — as a component of their own AML compliance programmes. We welcome such use and strive to be a reliable partner, but we emphasise the following: a AMLRegister report is advisory and does not constitute a regulatory determination. Obliged entities must apply their own risk appetite, controls, and human judgement, and must combine AMLRegister outputs with other intelligence.

We encourage enterprise customers to document how they use AMLRegister within their AML framework, including the role of the risk score, category breakdown, and analyst notes. We support customers with sample compliance procedures and training material on request.

If your use of AMLRegister forms part of a regulated AML programme, you should maintain appropriate backup procedures for periods when the Service is unavailable. No single tool should be a single point of failure in a compliance programme.

Users must not use AMLRegister to further any illicit purpose. Prohibited uses include, without limitation: (a) sanctions evasion, including attempting to determine whether a sanctioned wallet is currently being monitored; (b) "tipping off" a customer or third party about a suspicious activity report or a freezing order; (c) circumventing restrictions imposed by another compliance tool; (d) harvesting our data to build a competing list without a lawful basis; (e) using the Service to target individuals for harassment.

Violation of this section may result in immediate termination of access, referral to law enforcement, and pursuit of civil remedies. Our Acceptable Use Policy expands on these restrictions and is incorporated into these Terms.

The Company maintains a living catalogue of money-laundering typologies observed across the AMLRegister ecosystem and within our own operations. This catalogue informs staff training, product controls, and customer advisory notes. Examples of patterns we track include: layered peel-chains consistent with mixer avoidance; rapid cross-chain bridging intended to break attribution continuity; consolidation of funds from multiple darknet-adjacent clusters; and sudden volume spikes from dormant wallets immediately before a suspected off-ramp.

We also track operational red flags specific to our Service, including but not limited to: repeated screening of sequential addresses in a short period, consistent with clustering probes; screening of addresses with no prior on-chain activity, suggesting pre-seeding checks; repeated requests from IP ranges associated with sanctioned jurisdictions; and unusual patterns of internal system usage inconsistent with normal operations.

Where we identify a typology with sufficient confidence, we update our internal risk-scoring weights, communicate relevant intelligence to subscribing customers, and — where appropriate — notify relevant authorities. The catalogue is reviewed quarterly by the Head of Compliance and is informed by sources such as the FATF's published typologies, Egmont Group intelligence products, academic research, and our own observational data.

Customers who observe novel typologies in their own workflows are encouraged to share anonymised case details with our research team at compliance@amlregister.com. Contributions to the community typology catalogue help the whole ecosystem defend against emerging abuse patterns.

If you have concerns about potential money laundering, terrorism financing, or other financial crime involving the Company or the Service, please contact our MLRO confidentially at compliance@amlregister.com. Reports can be made anonymously. The Company does not tolerate retaliation against anyone who raises a concern in good faith.

Regulators, law enforcement, and industry partners can contact us through the same address. We respond to formal requests promptly and in accordance with applicable law.

For formal regulator communications, we commit to acknowledging within one business day and to providing substantive responses within the timeframes applicable to the requesting authority. Our MLRO maintains direct relationships with the principal UK and EU authorities and is available for briefings on our programme on reasonable notice. Industry partners seeking intelligence sharing through recognised forums — such as FS-ISAC or the Joint Money Laundering Intelligence Taskforce — are welcome to engage through the same channel; we contribute to typology studies and consolidated reporting where the governance framework permits.