- 1. Introduction
- 2. Company and Registrations
- 3. Regulatory Framework Awareness
- 4. Internal Compliance Programme
- 5. Data Protection
- 6. Information Security
- 7. Sanctions Compliance
- 8. Responsible Disclosure and Security Research
- 9. Transparency and Reporting
- 10. Contracting with Regulated Entities
- 11. Audits, Certifications, and Attestations
- 12. Engagement with Regulators and Law Enforcement
- 13. Sub-processor Due Diligence and Lifecycle Management
- 14. Business Continuity and Disaster Recovery
- 15. Contact
1. Introduction
Okanewatch LTD ("we") operates AMLRegister, a crypto-asset risk-screening service used by compliance teams, financial institutions, and other obliged entities to support their own AML and sanctions programmes. Although we are not ourselves a regulated financial institution, we operate to a high standard of regulatory awareness and we structure our operations to make it easy for regulated customers to use our Service safely.
This Statement summarises our regulatory posture, the frameworks that shape our operations, and the assurances we make available. It is intended to be a useful reference for procurement teams, internal compliance reviewers, and auditors.
This Statement is informational and does not create rights additional to those in our Terms of Service, DPA, or other binding agreements. Where there is any inconsistency, the binding agreements prevail.
2. Company and Registrations
Okanewatch LTD is a private limited company registered in England and Wales under company number 14728041. Our registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. We are registered with the UK Information Commissioner's Office as a data controller and, where required by our activities, with other authorities.
We maintain business continuity and insurance arrangements proportionate to the nature of our business and the expectations of our enterprise customers. Specific insurance details are provided to enterprise customers on request subject to confidentiality.
Changes in corporate status — including changes of control, company name, or registered office — are notified to customers where required by the relevant contract.
3. Regulatory Framework Awareness
Our operations are shaped by, and our product is designed to support, the following regulatory frameworks relevant to our customers: the UK Money Laundering Regulations 2017; the EU Anti-Money Laundering Directives (5AMLD, 6AMLD) and the forthcoming EU AML Authority (AMLA) framework; the EU Markets in Crypto-Assets Regulation (MiCA); the Financial Action Task Force (FATF) Recommendations, including the "Travel Rule"; the U.S. Bank Secrecy Act and associated FinCEN guidance; and economic sanctions regimes administered by OFAC, HM Treasury, the EU, and the United Nations.
Where customers operate in other jurisdictions (for example, Singapore MAS, Hong Kong SFC, UAE ADGM/VARA, or Japan FSA/JVCEA), we track relevant developments and adapt our documentation and integrations as required. Customers with specific jurisdictional requirements are invited to raise them with our compliance team.
We do not represent that AMLRegister output satisfies any specific regulatory requirement on its own. Our product is a tool; meeting regulatory requirements remains the responsibility of the entity that uses it.
4. Internal Compliance Programme
We maintain an internal compliance programme covering AML, sanctions, privacy, information security, and responsible disclosure. The programme is governed by a Compliance Policy approved by the Board of Directors and overseen by the Head of Compliance.
Components of the programme include: risk assessment; written policies; staff training; third-party due diligence; sub-processor oversight; incident response; regulatory horizon scanning; and periodic independent review. Policies covering each area are published or made available on request where appropriate.
We seek to embed compliance-by-design into the product: rate limits to prevent abuse; audit logs for privileged operations; encryption and access controls; documented data flows; and privacy-respecting defaults.
5. Data Protection
We comply with the UK GDPR, the EU GDPR, and other applicable data-protection laws. Our Privacy Policy sets out the detail of how we collect, use, and protect personal data. We operate a designated Data Protection Office contactable at dpo@amlregister.com.
For enterprise customers, we offer a Data Processing Agreement that sets out our commitments as a processor and the terms of international data transfers where required. The DPA is available at /legal/dpa.
Incidents affecting personal data are handled under a documented response plan, including notification obligations to supervisory authorities and affected data subjects where required. We cooperate fully with supervisory authority investigations and provide transparency reports on request.
6. Information Security
Our information security programme is designed around the principles of the ISO 27001 family of standards. We apply encryption in transit and, for sensitive fields, at rest; multi-factor authentication for privileged access; least-privilege access controls; audit logging; quarterly vulnerability assessments; and annual penetration testing by an independent third party.
We maintain a documented incident response plan that covers triage, containment, eradication, recovery, and lessons learned. Incident notifications to customers are governed by contract and by applicable data-protection law.
Summary security documentation — including our SIG Lite or equivalent questionnaire responses, and our most recent penetration-testing summary — is available to enterprise customers under NDA.
7. Sanctions Compliance
Within our own operations, we screen prospective enterprise customers and their beneficial owners against consolidated sanctions lists. We refuse to onboard confirmed matches and freeze or terminate relationships where a match develops during the lifecycle.
We do not provide the Service to persons located in comprehensively sanctioned jurisdictions. IP-level controls and contractual prohibitions support this position. We keep our geolocation filters and list subscriptions current as part of the ongoing monitoring programme.
For customers who use AMLRegister in their own sanctions programmes, we provide daily list updates for supported lists, methodology notes on how risk scores incorporate sanctions exposure, and transparency on the data sources used.
8. Responsible Disclosure and Security Research
We operate a responsible disclosure policy and welcome reports from security researchers. Reports can be submitted to security@amlregister.com. We commit to acknowledging reports within three (3) business days, to providing an initial assessment within fourteen (14) days, and to coordinated disclosure with the reporter where appropriate.
Good-faith security research conducted within the scope of the policy will not be the subject of legal action. Detailed scope and rules of engagement are published in the policy document.
We do not currently operate a paid bug bounty programme but may acknowledge contributions publicly with the reporter's consent.
9. Transparency and Reporting
We publish periodic transparency reports covering: government and law enforcement requests received; data subject requests processed; security incidents affecting customers; and sub-processor changes. Reports are published at /resources or made available on request.
Where we receive a legal process request (for example, a subpoena, production order, or formal request from a supervisory authority), we evaluate the request carefully, comply only to the extent legally required, and notify affected customers where legally permitted.
We do not provide direct access to customer data for any third party absent a valid legal process or explicit customer consent.
10. Contracting with Regulated Entities
Enterprise customers that are regulated entities can expect contract terms tailored to regulatory requirements, including specific representations on information security, incident response, audit rights, sub-processor management, and business continuity.
We participate in procurement and third-party risk management processes — including questionnaires, on-site and virtual assessments, and contractual negotiation — proportionate to the customer's regulatory profile.
Our commercial team can be reached at compliance@amlregister.com to discuss specific customer requirements. Lead times for bespoke reviews vary with scope.
11. Audits, Certifications, and Attestations
We maintain a multi-year roadmap of third-party audits and certifications. Current status as of the Effective date of this Statement: ISO 27001 certification in progress with a target completion date in Q3 2026; SOC 2 Type I attestation completed in Q1 2026 with a Type II engagement scheduled to conclude in Q4 2026; annual penetration testing completed by an independent CREST-accredited firm.
We provide reports, summary letters, or SIG Lite responses to enterprise customers under appropriate confidentiality arrangements. Customers may also request the right to perform their own on-site or virtual assessments, subject to scheduling and confidentiality considerations. Our approach is to substitute third-party attestations for repeated direct audits where a reasonable equivalent assurance is available, to minimise audit fatigue on our team and to allow us to focus attention on higher-impact customer concerns.
For regulated customers, we maintain a standing "compliance questionnaire response" library covering common AML, sanctions, privacy, and security enquiries. Provision of this library is typically faster and more comprehensive than bespoke responses. Customers with requirements beyond the standing library are handled on a case-by-case basis by our Customer Success and Compliance teams.
Material changes to our attestation status — such as a new certification or the unexpected lapse of an existing one — are notified to enterprise customers in accordance with the relevant contract. We treat transparency about our assurance posture as a first-order commitment, not a marketing exercise.
12. Engagement with Regulators and Law Enforcement
We engage with regulators and law enforcement as a professional counterparty. Our policy is to cooperate fully with valid legal process, to be transparent about our capabilities and limits, and to advocate for clear and proportionate rules where we believe it contributes to better outcomes for the industry.
Formal law-enforcement contact should be directed to our MLRO at compliance@amlregister.com or by post to the registered office. We respond to formal requests — search warrants, production orders, grand-jury subpoenas, or equivalents in other jurisdictions — in accordance with applicable law. Where we receive a request that we believe is over-broad or not properly issued, we will push back in good faith and seek amendment before responding.
We do not provide informal, off-the-record data access. Requests must come through formal channels that leave an auditable trail. This protects our customers, our staff, and the integrity of the process. Informal enquiries of a general nature — for example, seeking our understanding of a typology — are welcome and can be routed through our MLRO.
Supervisory authority and industry-body engagement is a separate track. We participate in industry consultations, standard-setting work, and responses to policy calls-for-evidence. Our responses are generally published once the consultation closes and the policy-maker has had an opportunity to review.
13. Sub-processor Due Diligence and Lifecycle Management
Third-party risk management is a core element of our compliance programme. Before onboarding a sub-processor, we perform due diligence that considers: (a) the sub-processor's security posture and certifications; (b) its data-protection practices, including international transfer arrangements; (c) financial stability and business continuity; (d) subcontracting practices (whether the sub-processor further subcontracts our data); (e) past incidents and how they were handled; and (f) contractual commitments.
Ongoing oversight includes: contractual audit rights (exercised where necessary); review of annual third-party attestations (SOC 2, ISO 27001); incident notification obligations; and an annual review of whether the sub-processor is still the right choice. We maintain a register of sub-processors with current status, risk rating, and review dates.
Where a sub-processor is replaced, we plan the transition to minimise disruption to customers. Enterprise customers are notified in advance as required by the DPA. Data held by the outgoing sub-processor is migrated or deleted in accordance with retention requirements; deletion is verified via attestation from the outgoing sub-processor where feasible.
We recognise that sub-processor choice is an area of legitimate customer scrutiny. A current list of sub-processors is available to enterprise customers on request, including name, service provided, processing location, and the legal basis for any international transfer. We treat sub-processor transparency as an operational requirement, not a discretionary courtesy.
14. Business Continuity and Disaster Recovery
We operate the Service from geographically diverse infrastructure with automated failover. Our recovery-time objective (RTO) for the core screening Service is one hour; our recovery-point objective (RPO) is fifteen minutes for production data. These targets are underpinned by automated backup, regular restore testing, and a documented incident response process.
Business continuity plans cover major scenarios: loss of a primary data centre; loss of a key sub-processor; loss of key staff; and extended network disruption. Plans are reviewed annually and exercised (tabletop or live) at least semi-annually. Results of exercises, including any identified gaps and remediation plans, are documented and reviewed at Board level.
For enterprise customers, service-level commitments and disaster-recovery details are documented in the customer's main services agreement or service level agreement. Customers with specific continuity requirements — for example, data residency constraints or regulatory backup-site requirements — should discuss these with our account management team at onboarding.
15. Contact
Questions about our regulatory posture can be directed to compliance@amlregister.com. Formal regulator and law enforcement contact should be addressed to our MLRO at the same address, or by post to Okanewatch LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
This Statement is reviewed at least annually. The most recent review was completed on the Effective date shown above. Between reviews, amendments are issued as addenda available on the website; the consolidated Statement is republished at each anniversary. Historical versions are archived and available on request for transparency.
Our approach to compliance is summed up in one sentence: do it because it is right, document it because it is necessary, and improve it continuously because the threat environment never stops. We take operational integrity as seriously as we take commercial success — the two are, in our business, the same thing.
Contact our compliance team at compliance@amlregister.com or our Data Protection Office at dpo@amlregister.com.