AML/CFT POLICY

Anti-Money Laundering / Counter-Terrorist Financing Policy
ABCEX.io

1. Purpose and Scope

1.1. This Policy sets out the principles and procedures of NUEVA CRYPTOLOGIA, S.A.S. DE C.V. (the "Operator") for anti-money laundering and counter-terrorist financing (AML/CFT) when providing access to the ABCEX.io Platform.

1.2. This Policy applies to all Users, products and channels, including the web interface, API, P2P, and operations related to the Platform's internal accounting unit RUB.

1.3. This Policy is based on a risk-based approach and international best practices, including FATF principles, to the extent applicable to the Operator's business model.

2. Definitions

2.1. Terms are used in the meanings set out in the Terms of Service (ToS) unless otherwise provided in this Policy.

• "CDD" – Customer Due Diligence (standard customer due diligence).
• "EDD" – Enhanced Due Diligence (enhanced customer due diligence).
• "SoF/SoW" – Source of Funds / Source of Wealth.
• "MLRO" – Money Laundering Reporting Officer (the officer responsible for AML/CFT).
• "KYT" – blockchain transaction monitoring.
• "PEP" – Politically Exposed Person and related persons.
• "Sanctions Screening" – screening against sanctions lists and restrictions.

3. Governance and Responsibilities

3.1. The Operator appoints an MLRO and/or a Compliance Officer responsible for implementing and overseeing AML/CFT procedures.

3.2. The MLRO is responsible for: (a) approving KYC procedures; (b) conducting risk assessments; (c) monitoring transactions; (d) staff training; and (e) interaction with authorities and counterparties on compliance matters.

3.3. The Operator's management ensures the independence of the compliance function, sufficient resources, and access to necessary information.

3.4. The Operator implements the "three lines of defense" model: (1) operational units; (2) compliance and risk; and (3) independent audit/testing.

4. Risk Assessment (Enterprise-Wide Risk Assessment)

4.1. The Operator performs regular risk assessments taking into account: (a) customer types; (b) geography; (c) products and channels; (d) asset types; and (e) abuse/misuse scenarios.

4.2. Customer risk scoring is formed based on questionnaire data, source of funds, customer behavior, and screening results.

4.3. The Operator may classify customers as low/medium/high risk and apply appropriate control measures.

5. Customer Identification and Verification (CDD)

5.1. The Operator performs identification prior to granting access to functions that require KYC, or upon reaching relevant limits/risk triggers.

5.2. For individuals, CDD may include: (a) an identity document; (b) selfie/liveness check; (c) contact verification; and (d) proof of address (if required).

5.3. For legal entities, CDD includes: (a) incorporation/registration documents; (b) information about directors and authorized representatives; (c) information on beneficial owners; (d) business profile; and (e) confirmation of authority.

5.4. The Operator may use third-party KYC providers and biometric/documentary verification.

5.5. The Operator applies ongoing due diligence – periodic data updates and transaction monitoring.

6. Enhanced Due Diligence (EDD)

6.1. EDD is applied in cases of elevated risk, including: PEPs, high-risk jurisdictions, unusual transactions, complex ownership structures, high volumes, or adverse media.

6.2. EDD may include: (a) extended SoF/SoW documentation; (b) bank statements; (c) tax documents; (d) evidence of the source of crypto-assets; (e) video verification; and (f) additional interviews/questionnaires.

6.3. Based on EDD results, the Operator may refuse service or set individual limits and conditions.

7. Sanctions Controls

7.1. The Operator performs sanctions screening at onboarding and on an ongoing basis (continuous screening).

7.2. Screening includes checks against sanctions lists, restriction lists, PEP databases, adverse media, and other risk sources.

7.3. Where a match is detected, a match-resolution procedure is applied (false positive/true match). Transactions may be suspended until review is completed.

7.4. Users from Restricted Jurisdictions may be rejected or restricted without explanation.

8. Transaction Monitoring and KYT

8.1. The Operator applies transaction monitoring based on rules (rule-based), scenarios (scenario-based), and risk scoring.

8.2. For blockchain transactions, the Operator applies KYT: address risk scoring, identification of links to darknet/mixers/sanctioned addresses, and analysis of sources and destinations.

8.3. When triggers are activated, the Operator may: (a) request documents; (b) suspend withdrawals; (c) freeze assets; (d) close the account; and/or (e) provide information to competent authorities within the limits of applicable law.

8.4. The Operator maintains an incidents and cases register, including decisions taken as a result of monitoring.

9. Suspicious Activity Reporting and Cooperation with Authorities

9.1. The Operator implements an internal escalation process for suspicious activity to the MLRO.

9.2. The MLRO decides whether to file suspicious activity/transaction reports (SAR/STR) with competent authorities in accordance with applicable law.

9.3. The Operator may not inform the User of a review or report if prohibited by law or if it could prejudice an investigation (tipping-off prohibition).

10. Recordkeeping and Retention

10.1. The Operator retains KYC, transaction, and communication records for the periods necessary to comply with applicable law, contractual obligations, and risk management.

10.2. Minimum retention periods are set by internal procedures and may be no less than 5 years after the end of the relationship (if applicable).

11. Training and Awareness

11.1. The Operator provides regular training for personnel involved in KYC/AML, P2P, customer support, and partner channels.

11.2. Training covers: money laundering typologies, sanctions, red flags, documentation requirements, incident handling, and data protection.

12. Independent Testing and Audit

12.1. The Operator conducts independent reviews of the effectiveness of the AML/CFT program (internal audit and/or an external independent consultant) on a regular basis.

12.2. Audit results are documented, and remedial actions are tracked until deficiencies are fully addressed.

13. Third Parties and Partners

13.1. The Operator assesses the risks and reliability of KYC and KYT providers, hosting providers, and other counterparties.

13.2. For partners carrying out external B2C operations, the Operator sets mandatory standards: customer identification, document capture, transaction logging, anti-fraud measures, data retention, and audit readiness.

13.3. The Operator may suspend a partner's access to systems upon detection of breaches, elevated risks, user complaints, or requirements of regulators or authorities.

14. Confidentiality and Data Protection

14.1. AML data is confidential and is processed in accordance with the Privacy Policy and internal security requirements.

14.2. Access to AML data is restricted on a need-to-know basis.

15. Policy Updates

15.1. This Policy is reviewed at least annually and upon material changes in the product, geography, or risk profile.

15.2. Changes are approved by the Operator's management and communicated to staff and partners.

APPENDIX A. Risk Indicators (Red Flags)

• Mismatch between the customer's stated profile and the volume/frequency of transactions;
• Structuring/splitting of transactions without an apparent economic rationale;
• Deposits/withdrawals from addresses linked to mixers, darknet markets, or stolen funds;
• Use of third-party payment details or third parties in P2P;
• Multiple accounts linked by device/contact details/IP;
• Refusal to provide documents/explanations regarding source of funds;
• High turnover shortly after registration without a clear source;
• Attempts to circumvent geo-restrictions and sanctions filters;

APPENDIX B. EDD Triggers (Example)