Legal · Compliance

Privacy Policy

Last updated: 15 May 2026

1. Introduction

At XSettle, we take privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, who we share it with, and what rights you have. The Cookie Policy at the end of this document covers the cookies and similar technologies we use on our website.

This Policy applies to visitors to xsettle.com and to the individual directors, beneficial owners, authorised signatories, and representatives of our business clients who provide personal data as part of our onboarding and ongoing compliance process.

The data controller is XSL AG, registered in Switzerland, operating as XSettle. Our address is Blegistrasse 7, 6340 Baar, Canton Zug, Switzerland. If you have any questions about how we handle your personal data, or if you want to exercise your rights, please contact us at privacy@xsettle.com.

We process personal data in accordance with the Swiss Federal Act on Data Protection — the nDSG, which came into force on 1 September 2023 — and, where we handle personal data of individuals in the European Economic Area, the EU General Data Protection Regulation (GDPR). Both laws give individuals meaningful rights over their personal data, and we are committed to honouring those rights in practice, not just on paper.

2. Data Controller

The data controller for all personal data processed in connection with xsettle.com and our services is XSL AG, registered in the Swiss Canton of Zug. Our address is Blegistrasse 7, 6340 Baar, Canton Zug, Switzerland. We are a member of VQF, the self-regulatory organisation supervised by FINMA, and operate as a Swiss financial intermediary under Art. 2(3) of the Swiss Anti-Money Laundering Act (AMLA).

If you have any questions about how we handle your personal data, or if you want to exercise any of your rights, you can reach us at privacy@xsettle.com. We aim to respond to all privacy-related enquiries within 30 calendar days.

If you feel your concern has not been addressed, you have the right to contact the Swiss Federal Data Protection and Information Commissioner (FDPIC), whose website is www.edoeb.admin.ch. If you are based in the EU, you can also contact the data protection authority in your member state of residence.

3. Personal Data We Collect

Data from website visitors

When you visit xsettle.com, our servers automatically log some technical information: your IP address, browser type and version, operating system, the pages you visit, and the time of your visit. This happens automatically and is necessary to keep the website running and secure. We also use analytics tools to understand how visitors use the site — which pages are most useful, how people navigate, and where they come from. Analytics data is aggregated and pseudonymised where applicable; we are not building profiles of individual website visitors.

If you contact us through a form on the site, by email, or through another channel, we collect your name, your organisation and role, your email address or phone number, and the content of your message. We use this only to respond to you and, where relevant, to follow up about our services.

Data collected during client onboarding

XSettle is a regulated Swiss financial intermediary. Under the Anti-Money Laundering Act, we have a legal duty to verify the identity of the people who own and control the businesses we work with. For the directors, beneficial owners, authorised signatories, and key representatives of our client entities, this means we collect: full name, date of birth, nationality, and a copy of a government-issued identity document such as a passport. We also collect proof of residential address, professional details including role and qualifications, and for significant beneficial owners, a declaration of source of wealth.

Where identity verification is conducted by video or online identification in accordance with applicable AML/CFT obligations and FINMA guidance, we process the relevant document imagery, including the machine-readable zone (MRZ) of the identity document and, where required, a facial image. Where biometric or document imagery processing is required to complete legally mandated identity verification procedures, the processing is necessary for compliance with applicable AML/CFT obligations. Where consent is required under applicable law for specific processing operations, we will request it separately.

We also run screening checks on these individuals against international sanctions lists and politically exposed person (PEP) databases. These are a legal requirement and are repeated throughout the relationship, not just at the start.

Data collected during ongoing relationships

Once a client account is active, we process transaction data — settlement flow records processed in connection with regulated payment flows, Treasury Instructions, currency conversion records, and account statements. XSettle acts solely as a technical and operational treasury orchestrator; Client Settlement Funds are held exclusively with licensed banking partners and are not accepted as public deposits within the meaning of the Swiss Banking Act. Where clients use stablecoin conversion, we also process the associated blockchain wallet addresses and on-chain transaction records. We update screening records on an ongoing basis and retain all correspondence relating to the business relationship, as required by Swiss AMLA.

4. How We Use Your Personal Data

We use personal data only for the purposes we have described, and only to the extent necessary for each purpose.

Identity verification and KYB/CDD

We use the identity information, address data, and document imagery we collect to verify the identity of the people who own and control our client entities. This is a legal obligation under Swiss AMLA and VQF SRO Regulations, and it is the primary reason we hold most of the personal data in our compliance files.

Sanctions and PEP screening

We screen individuals associated with our clients against applicable international sanctions lists and PEP databases. This is required by Swiss AMLA Art. 6 and is carried out both at onboarding and on an ongoing basis throughout the relationship.

Transaction monitoring

We monitor settlement flows through our platform for AML/CFT red flags — unusual patterns, unexpected counterparties, volumes inconsistent with the client’s stated profile. This is an ongoing legal obligation and uses transaction data and, where applicable, blockchain analytics data.

Video and online identification

Where we carry out video or online identification to verify identity, we process biometric data including document imagery and in some cases facial images. Where biometric or document imagery processing is required to complete legally mandated identity verification procedures under Swiss AMLA and applicable FINMA guidance, the legal basis for this processing is compliance with a legal obligation. Where consent is required under applicable law for specific processing operations, we will request it separately.

Responding to enquiries

We use the contact information you provide through the website or other channels to respond to your enquiry and, where relevant, to discuss becoming a client. This is done on the basis of our legitimate interest in communicating with potential business partners.

Delivering the services

We use your data to operate the platform, process Treasury Instructions and coordinate the movement of Settlement Funds held with our licensed banking partners, and provide reporting. XSettle acts solely as a technical and operational treasury orchestrator and does not accept public deposits within the meaning of the Swiss Banking Act. This processing is necessary for the performance of the service agreement between us.

Website analytics and security

We use analytics cookies and server logs to understand how xsettle.com is used and to maintain its security and performance. For non-essential analytics, we rely on your consent given through the cookie banner. For security-related logging, we rely on our legitimate interest in protecting the site and its users.

Record keeping

We retain records of our business relationships — all KYB/CDD files, transaction records, screening results, and correspondence — for 10 years after the end of the relationship, as required by Swiss AMLA Art. 7. This legal obligation applies regardless of any other consideration.

5. Data Retention

How long we keep personal data depends on the category of data and the legal obligations that apply to it.

Almost all personal data we hold about the representatives and owners of client entities falls within our AMLA obligations. Swiss AMLA Art. 7 requires us to retain all AML/CFT-related records — including KYB files, identity documents, screening results, transaction records, and correspondence — for 10 years following the termination of the business relationship or completion of the transaction, whichever occurs later. This 10-year requirement is a non-negotiable legal obligation that overrides any request for earlier deletion.

For biometric data collected during video or online identification — such as document imagery and MRZ scans — the retention period is also 10 years following the termination of the business relationship, as required by AMLA and FINMA Circular 2016/7.

Website server logs and IP addresses are retained for up to 12 months, or less where our legitimate interest no longer applies. Analytics cookie data is retained for between 12 and 24 months, depending on the tool and configuration. Contact and enquiry data from individuals who do not become clients is kept for 12 months from the last communication.

When any retention period expires, the data is permanently deleted using a secure and documented deletion procedure. We log each deletion event and retain those logs for three years.

6. Who We Share Your Data With

We do not sell personal data. We do not share it for advertising or commercial purposes. We share it only in the circumstances described below.

Regulatory and supervisory authorities

As a regulated financial intermediary, we are legally required to share information with supervisory bodies and law enforcement in certain circumstances. This includes SRO VQF, FINMA, the Money Reporting Office Switzerland (MROS), Swiss courts, and — where required by law or treaty — foreign competent authorities. We do not have a choice about these disclosures. Swiss law specifically prohibits us in some cases from notifying you that a disclosure has been made, particularly in connection with suspicious transaction reports.

Banking partners and VASP counterparties

To provide our treasury services, we work with licensed banking partners with whom Client Settlement Funds are held. XSettle acts as a technical and operational treasury orchestrator; it does not itself hold or receive client funds and does not accept public deposits within the meaning of the Swiss Banking Act. These banks receive the client information necessary to operate those accounts. Where stablecoin conversion is involved, we share the identifying information required by the FATF Travel Rule (FATF Recommendation 16) with the regulated crypto exchanges and VASPs we route conversions through.

Service providers

We use specialist third-party providers for identity verification, sanctions screening, document management, and blockchain analytics. These providers act as data processors under our instruction and are bound by data processing agreements requiring them to maintain appropriate security and to use the data only for the purposes we specify. Key providers include: SumSub (Sum and Substance Ltd), our identity verification and KYC platform, which processes personal data including identity documents and biometric data on our behalf — SumSub’s own privacy notice is available at sumsub.com/privacy-notice-service/; and blockchain analytics providers for virtual asset transaction screening, which may be based in the United States. Our primary technology infrastructure uses Amazon Web Services (AWS): client data is stored in the AWS Europe (Zurich) region (eu-central-2) to satisfy FINMA requirements for data residency in Switzerland, while certain processing operations utilise the AWS Europe (Frankfurt) region (eu-central-1). Where data is transferred outside Switzerland in connection with these services, appropriate safeguards are in place as described in the International Data Transfers section below.

Professional advisers

Where we need legal, audit, or compliance advice, we may share relevant information with external advisers who are bound by professional confidentiality obligations.

Successors

If XSettle is acquired, merges, or transfers its business to a regulated successor, personal data may be transferred as part of that transaction, subject to the same confidentiality and security standards that apply today.

7. International Data Transfers

Switzerland is recognised by the EU Commission as providing an adequate level of data protection, so transfers between Switzerland and the EEA do not require additional safeguards beyond that recognition.

Our primary data storage is located in Switzerland (AWS Europe — Zurich region, eu-central-2) in order to satisfy FINMA requirements for data residency. Certain processing operations — including some infrastructure and operational services — utilise the AWS Europe (Frankfurt) region (eu-central-1) in Germany, which is within the EEA. Transfers within the EEA from Switzerland are covered by Switzerland’s adequacy recognition.

Some third-party service providers are located outside Switzerland and the EEA. In particular: our identity verification provider SumSub (Sum and Substance Ltd, registered in Cyprus) processes data including identity documents and biometric data; and blockchain analytics providers used for virtual asset transaction screening may be based in the United States. For transfers to these and other recipients in countries that do not benefit from an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) or their Swiss equivalent under the nDSG transfer mechanism, together with any supplementary measures required to ensure an equivalent level of protection. Transfers to regulatory authorities required by law — such as information provided to MROS or in response to international law enforcement requests — are justified by the applicable legal obligation and do not require standard transfer mechanisms. If you would like to know what safeguards apply to a specific transfer, please write to us at privacy@xsettle.com.

8. Your Rights as a Data Subject

Swiss nDSG and EU GDPR give individuals meaningful control over their personal data. We take these rights seriously. Here is what each right means in practice at XSettle, and where any limitations apply.

The right to access your data

You can ask us what personal data we hold about you, why we hold it, and where it came from. We will provide a clear summary within 30 days of receiving a valid request. In rare cases we may need to withhold specific details — for example, where disclosure would compromise an active AML investigation or another individual’s rights — but we will always tell you if this applies.

The right to correct inaccuracies

If any data we hold about you is inaccurate or out of date, you can ask us to correct it. We will process the correction as quickly as we can and let you know if there is any reason we are unable to make a particular change.

The right to erasure

You can ask us to delete your personal data. At XSettle, however, this right is significantly limited by our legal obligations under Swiss AMLA. Almost all the personal data we hold about the representatives and owners of our client entities falls within the mandatory 10-year retention period. We cannot delete that data during the retention period, regardless of the request. We will always be honest with you about this and explain the specific legal basis that applies. Once a retention period has expired, data is deleted as a matter of routine.

The right to restrict processing

Where EU GDPR applies, you may ask us to restrict processing to storage only — for example, while you are challenging the accuracy of your data, or where processing is unlawful but you prefer restriction to deletion. Restrictions do not override AMLA retention obligations.

The right to object

You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate a compelling legitimate reason to continue. Processing for AML/CFT compliance is based on a legal obligation rather than legitimate interests, so objections cannot override it — but for other processing activities, we will consider your objection carefully and respond to you.

The right to data portability

Where GDPR applies and we process your data by automated means based on your consent or a contract, you can ask for a copy of your data in a structured, machine-readable format. AML/CFT processing is based on legal obligation and falls outside this right, but for other categories we will accommodate reasonable portability requests.

The right to withdraw consent

Where we process your data on the basis of consent — for example, for analytics cookies — you can withdraw that consent at any time. This does not affect the lawfulness of processing that already took place before you withdrew consent, and it does not give rise to a right to delete data that we are otherwise legally required to keep.

How to make a request

Send your request to privacy@xsettle.com with ‘Data Rights Request’ in the subject line. Please include your name, your organisation if relevant, and enough context for us to identify the data you are asking about. We will respond within 30 calendar days. If we need more time or more information, we will tell you promptly.

Your right to complain

If you believe we have not handled your personal data correctly, you can complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch. If you are based in the EU, you can also complain to the data protection authority in your member state of residence.

9. Security

We protect personal data with a combination of technical and organisational measures. Personal data is encrypted in transit and, where appropriate, encrypted at rest using industry-standard controls. Access is role-based — staff can access only the data they genuinely need for their work. KYB files and compliance records are held in a secure, access-controlled document management system hosted in Switzerland.

We conduct regular security reviews, keep our systems up to date, and require all third-party processors to maintain equivalent security standards under data processing agreements. Our backups are encrypted and tested regularly.

If a personal data breach occurs that is likely to create a risk for affected individuals, we will notify the FDPIC without undue delay and as soon as practicable in accordance with applicable Swiss data protection law (nDSG Art. 24), and notify the affected individuals directly where the risk is serious.

10. Changes to Privacy Policy

We review this Privacy Policy at least once a year. If we make significant changes — for example, if we start processing new categories of personal data or sharing it with new categories of recipients — we will tell you by email at least 14 days before the changes take effect and update the effective date at the top of this document. Minor or clarifying changes may be made without specific notification. The current version is always available at xsettle.com/privacy.

11. Cookie Policy

This Cookie Policy forms part of XSettle’s Privacy Policy. It explains what cookies and similar technologies we use on xsettle.com, why we use them, and how you can control them.

A cookie is a small text file placed on your device when you visit a website. Different cookies serve different purposes — some are essential for the site to work, others help us understand how visitors use it.

Necessary Cookies

Strictly necessary cookies are essential for xsettle.com to function. They keep your browsing session active, protect the site against certain security threats, and remember your cookie consent preferences so you are not asked again on every visit. You cannot disable these cookies through our consent tool. If you block them in your browser settings, parts of the site may stop working.

Functional Cookies

Functional cookies allow the site to remember choices you have made — such as your preferred language or display settings — so that your experience is more consistent on return visits. These are not strictly necessary for the site to work, and we will only place them with your consent. You can update your preferences at any time through the Cookie Settings link in the site footer.

Analytics Cookies

We use analytics cookies to understand how visitors use xsettle.com — which pages they find most useful, how they navigate, and where they come from. This helps us improve the site over time. We use a privacy-focused analytics tool configured with IP anonymisation enabled and cross-site tracking disabled, rather than Google Analytics in its default form. The data we collect is aggregated and pseudonymised where applicable; we are not profiling individual users. We do not share this data with our analytics provider for their commercial purposes. Analytics cookies are placed only with your consent.

What We Do Not Use

We do not use advertising or targeting cookies. We do not run retargeting campaigns or serve ads to visitors based on their visit to xsettle.com. We do not have Facebook Pixel, LinkedIn Insight Tag, Twitter/X pixel, or any other social media tracking technology on our site. We do not share your browsing data with ad networks, data brokers, or profiling services of any kind. Our analytics are confined to this site only.

If this ever changes, we will update this Cookie Policy before placing any new tracking technology and ask for your consent.

Your Cookie Choices

When you first visit xsettle.com, a cookie consent banner will appear. You can accept all cookies, accept only the strictly necessary ones, or customise your preferences by category. Your choice is saved and remembered for 12 months.

You can change your cookie preferences at any time by clicking the Cookie Settings link in the footer of xsettle.com. Your updated preferences take effect immediately.

You can also control cookies directly in your browser. Most modern browsers let you view and delete existing cookies, block third-party cookies, or block all cookies. If you block all cookies, the strictly necessary cookies will also be blocked and some parts of the site may not work as expected. You can find instructions in the support pages for your browser — Chrome, Firefox, Safari, and Edge all provide clear guidance on cookie management.

Some browsers send a Do Not Track (DNT) signal to websites. There is currently no universally agreed standard for how websites should respond to these signals, and xsettle.com does not respond to them technically. Our cookie consent tool is the reliable way to manage your tracking preferences with us.

Third-Party Cookies

xsettle.com does not currently embed third-party services — such as video players, social share buttons, or live chat widgets — that would place their own cookies on your device. If we add any such integrations in future, we will update this Cookie Policy and seek your consent before any third-party cookies are placed.

Updates

We review this Cookie Policy at least once a year and whenever we change the cookies or analytics tools we use. Significant changes will be communicated through the cookie consent banner on your next visit to the site. The current version is always available at xsettle.com/privacy.

12. Contact Us

For questions about this Privacy Policy or to exercise your data rights, write to us at privacy@xsettle.com. We aim to respond within 30 days. For complaints, you can also contact the FDPIC at www.edoeb.admin.ch, or the data protection authority in your EU member state if that is where you are based. Our postal address is XSL AG, Attn: Privacy/Compliance, Blegistrasse 7, 6340 Baar, Canton Zug, Switzerland. Our EU Representative under Article 27 GDPR is Cristian Vasco, who can be contacted at privacy@xsettle.com for any matters relating to the processing of personal data of individuals based in the European Economic Area.

AML Officer
External or internal person ensuring the implementation of the AML/CTF framework within the Company
AML/CTF
Anti-money laundering, counter terrorism financing and prevention of sanctions violation
Assets
All items of value such as Virtual Assets, FIAT currencies, shares and investment products
Beneficial Owner
Each person who is the ultimate, effective economic owner of the Assets involved in the relationship
Board of Directors (BoD)
All members of the Board of Directors together. The body which bears the overall responsibility for the Company.
Cash transactions
All (physical and non-physical) transfer of Assets, in particular the exchange of money, cryptocurrencies, precious metals, traveler’s checks and the like, which are not part of a permanent business relationship
Compliance
Ensuring adherence to legal, regulatory and internal provisions as well as the observance of customary market standards and code of conduct
Contracting Partner
A customer who has a business relationship with the Company based on a contract for using its services and products
Controlling Person
Individual who exercises control over a legal person either as shareholder, managing director or otherwise
Cryptocurrency
Any Virtual Asset which is classified as payment token
Executive Committee (EXCO)
All members of the Executive Committee together. The body which implements and executes the Company’s strategy.
FATF
Financial Action Task Force, sub-organisation of the OECD responsible for setting international standards on the fight against money laundering
FIAT
Any money declared by a government to be legal tender
FINMA
Swiss Financial Market Supervisory Authority
High-risk Business Relationships
Business relationships with increased AML/CTF risks
High-risk Country
Countries with increased money laundering risks
High-risk Business Sector
Business sectors with increased money laundering risks
KYC file
Know your customer file. The file containing all relevant background information about a customer.
MROS
Money Laundering Reporting Office Switzerland
MRZ
Machine-readable zone, part of an identification document
Outsourcing
An external service provider is mandated to perform independently and on an ongoing basis all or part of a function that is significant to the Company’s business activities
Permanent business relationship
Business relationship which is not limited to the performance of one-off financial activities
Politically Exposed Person (PEP)
Individual or related person who is or has been entrusted with prominent public functions in politics, governments, military, justice or in state corporations as well as in intergovernmental organisations or international sports associations
Regulations
The regulatory framework of the respective SRO
Relationship / transaction with increased risk
Relationship or transaction, which fulfils the criteria for being classified as with increased risk (also called high-risk relationship & high-risk transaction)
SECO
The Swiss state secretariat for economic affairs
SRO
Self-regulatory organisation the Company is required to become a member of
TAN
Transaction number, a one-time password used for verification
Travel Rule
The FATF Recommendation 16 on wire transfers requests virtual asset service providers (VASP) to exchange originator and beneficiary identifying information with counterparties during transmittals
VASP
Virtual Asset Service Provider
Virtual Assets
Any assets in form of token that are based on decentralized technology including utility, payment and asset token

5. Customer Review

5.1 Principles

5.1.1 Prohibited Assets and business relationships

The Company does not accept Assets if the Company knows or is aware of indications that these assets are the proceeds of criminal activities or qualified tax evasion, even if the respective crime or offense was committed abroad.

The Company does not start a business relationship with any person that is knowingly connected to money laundering, financing of terrorism or listed on a sanctions list. Prohibited are in particular business relationships with persons for which it is known or reasonably suspected that they are involved in criminal or terrorist activities or support criminal or terrorist organizations.

The Company does not open or maintain any business relationships with banks that have no physical presence in the place of incorporation (fictive banks or shell banks).

Neither a business relationship with a person active in a “non-serviced” business sector nor with a person domiciled in a “non-serviced” country will be opened nor a transaction to such a country will be executed or from such a country accepted (as outlined in Appendices).

5.1.2 General business restrictions

The Company does not accept, exchange, deliver, hold or provide any physical cash (bills or coins) or any other physical items of value.

The Company does not accept deposits from the public. However, the company reserves the right to make use of the CHF 1m sandbox threshold and/or the 60 days settlement period. In case the Company makes use of the CHF 1m sandbox threshold, the respective regulatory requirements as outlined are met. Every customer affected is informed and expressly accepts prior to the Company accepts the customers deposits:

  • That the Company is not regulated by FINMA
  • That the deposits are not covered by the Swiss depositor protection

The Company is not entering into a business relationship with:

  • A natural person
  • An insurance wrapper or similar structures
  • Escrow structures

When onboarding individuals, only a natural person owning beneficially her-/himself the assets involved in the relationship is accepted.

The following services are not offered:

  • Pseudonym and numbered mandates
  • Joint mandates

The Company only accepts permanent business relationships.

5.2 Establishing a business relationship

Business relationships are commenced based on the provisions in the Regulations by following the process as outlined beneath.

5.2.1 Identification principles

The Company identifies its customers:

  • in person
  • by correspondence
  • via video identification (FINMA Circular 2016/7 “Video and online identification”)
  • via online identification (FINMA Circular 2016/7 “Video and online identification”)

In order to perform its identification duties, the Company cooperates with an established tool provider fulfilling Swiss standards.

If the identification cannot be performed in line with the requirements outlined beneath or cannot be completed because of quality issues, the identification is stopped and either repeated or cancelled. The Company documents the identification process.

5.2.2 Identification threshold Virtual Assets for non-permanent relationships

The Company does not identify a customer if:

  1. The customer brings in less than CHF 1’000 within 30 days, and
  2. the business relationship is non-permanent, and
  3. the services are limited to cash transactions, in particular the exchange of Cryptocurrency, and
  4. the Company ensures a two-party relationship with its customers by implementing the following technical measures: single use of IP-address; exclusion of VPN user; single use of Email-address and mobile number presented (if applicable); avoid similar Email-addresses; proof of control over the wallet by:
  • Obtaining a print-screen of the wallet, or
  • Verifying access of the customer of the Company to the external wallet presented by a transfer of a small amount (so called Satoshi test) and getting proof of receive by the customer, or
  • Verifying access of the customer of the Company to the external wallet presented by sending a message (such as a password) to the wallet of the customer and getting proof of receive by the customer, or
  • Obtaining a digital signature verification for both single and multi-signature (MultiSig) wallets

In case the two-party relationship cannot be doubtlessly ensured, the identification-free threshold is not used. The Company ensures that such customer do not run several mandates in order to circumvent this rule.

5.2.3 Identification of natural persons

The following process applies for natural persons identified in person (for natural person(s) opening the business relationship of a legal entity only steps 1–2 apply):

  1. The customer provides the relevant personal data as outlined in “Documentation requirements (KYC)”.
  2. The customer presents an identification document the Company takes a copy from declaring to have taken the copy from original by dating and signing the copy.
  3. The customer completes a written declaration (Form A) confirming the identity of the beneficial owner of the Assets to be brought into the relationship.

The following process applies for natural persons identified by correspondence:

  1. The customer provides the relevant personal data as outlined in “Documentation requirements (KYC)”.
  2. The customer provides a certified copy of his/her identification document.
  3. The customer sends a copy of an utility bill as proof of domicile address. The Company ensures that the address correspond with the address provided.
  4. The customer completes a written declaration (Form A) confirming the identity of the Beneficial Owner of the Assets to be brought into the relationship.

The following process applies for natural persons identified via video identification:

  1. The customer provides the relevant personal data as outlined in “Documentation requirements (KYC)”.
  2. The Company obtains the explicit consent to conduct the video identification and audio recording before starting the video interview and if obtained, starts a live video identification session.
  3. The customer presents an identification document of which the Company takes pictures from all relevant sides and pages as well as takes a picture from the customers face.
  4. The Company ensures that the decrypted Machine Readable Zone (MRZ) matches the information in the identification document as well as the data provided by the customer during the video interview.
  5. The authenticity of the identification document is assessed by using the Machine Readable Zone (MRZ) and further security features including comparing the identification document with an identity document database.
  6. The customer confirms the beneficial ownership through the TAN method.

The following process applies for natural persons identified via online identification:

  1. The customer provides personal data as outlined in “Documentation requirements (KYC)”.
  2. The customer presents an identification document and the Company takes pictures from all relevant sides and pages as well as from the customers face.
  3. The authenticity of the identification document is assessed by using the MRZ and further security features including comparing the identification document with an identity document database.
  4. The customer performs a GBP, EUR or CHF transaction of a small amount from an account held in the customer’s name at a bank in Switzerland, Liechtenstein or at a bank domiciled in a permissible FATF member state (see Appendix), or the customer scans the biometrical chip including general ID data, MRZ number and facial image of the identification document via smartphone NFC reader. The Company checks this information for authenticity and correctness.
  5. The customer uploads an utility bill as proof of domicile address or the Company performs a geolocation check. The Company ensures that the address on the utility bill or the address identified via geolocation corresponds with the address provided.
  6. The customer confirms the beneficial ownership by using the TAN method.

5.2.4 Identification of legal entities

  1. The customer provides a certified extract from the commercial register of the respective country, or a certificate of incorporation in original or as a certified copy if the company was founded within the last 12 months, or a certificate of good standing in original or as a certified copy if not; or the Company prints or downloads an extract from the commercial register or from a trustworthy private database, marks it as printed or downloaded and adds date and signature.
  2. The natural person(s) opening the business relationship is (are) identified like a natural person using the steps designated (*) in the corresponding section above. The Company ensures that the person(s) is (are) entitled to act on behalf of the legal entity.
  3. In case of online identification: the customer performs a EUR or CHF transaction of a small amount from an account held in the customer’s name at a bank in Switzerland, Liechtenstein or at a bank domiciled in a permissible FATF member state (see Appendix).
  4. The customer completes a written declaration (Form K) confirming the identity of the Controlling Person of the legal entity or, in case of a domiciliary company, completes a written declaration (Form A) confirming the identity of the Beneficial Owner of the Assets to be brought into the relationship. Both can be done via TAN method.
  5. The identity of the Controlling Person(s) of the legal entity (Form K) or of the Beneficial Owner(s) of the Assets (Form A) is (are) verified.
  6. Other signatories are disclosed by the customer and taken on file.

If the legal entity is an association, the customer provides either a certified extract from the commercial register of the respective country or a copy of the by-laws in case the association is not entered in the commercial register. The customer completes a written declaration (Form K) confirming the identity of the Controlling Person(s) or the president of the association.

If the legal entity is a foundation, the customer provides either a certified extract from the commercial register of the respective country or a copy of the foundation deed or other equivalent document. The customer completes a written declaration (Form S) confirming the declaration of the foundation, the founder and the beneficiaries, or completes the form K if the foundation is operationally active.

If the customer is a trust, the trustee provides either a certified extract from the commercial register of the respective country or a copy of the trust deed or other equivalent document. The trustee is identified following the process of identification of a natural person or legal entities. The trustee completes a written declaration (Form T) confirming the declaration of the trust, the settlor, the protector and the beneficiaries. In case of a revocable trust, the person who can revoke the trust is to be declared.

5.2.5 Professional treasury for legal entities

In case a legal entity is on-boarded, the Company verifies whether the legal entity maintains a professional treasury. Treasury is defined as the management of money and financial risks on a corporate level. It is considered as professional if the legal entity runs either a qualified financial department or employs a designated person holding professional education and experience in the management of money and financial risks.

The Company asks for a self-declaration of the legal entity and in addition gathers proof for the presence of a professional treasury. The information received is reviewed for plausibility and, in case of doubt, further information is obtained.

Shall it remain unclear whether the legal entity to be on-boarded fulfils the requirements, the AML Officer shall be consulted. In case doubts remain, the legal entity is classified as not holding a professional treasury.

The assessment of the presence of a professional treasury is repeated annually or, in case of doubts, immediately.

5.2.6 Documentation requirements (KYC)

For any natural person as customer, the following information is to be collected and documented in a customer profile:

  • Family name and first name
  • Date of birth
  • Nationality/ies
  • Domicile address (street, city and country)
  • Business sector of activity
  • Place/s of business activity/ies
  • Financial circumstances (declaration of income and total wealth)
  • The intended use of the assets involved in the business relationship
  • Nature (currency) and the value of the assets involved
  • Source of the assets involved (source of funds)

For any legal person as customer, the following information is to be collected and documented in a customer profile:

  • Company name
  • Domicile address
  • Business activity/ies
  • Place/s of business activity/ies
  • Financial circumstances (turnover)
  • The intended use of the assets involved
  • Nature and value of the assets involved
  • Source of the assets involved (source of funds)
  • Documentation about professional treasury

The information provided is reviewed with regards to plausibility. Should the information appear contradictory or implausible, the Contracting Partner is contacted for clarification. If clarifications are not successful, in case of a relationship with increased risks and/or if indications for money laundering, terrorism financing or sanction violation occur, the AML Officer is approached. The AML Officer undertakes an enhanced due diligence and, if indications remain, starts an investigation.

The AML Officer defines a sample size for standard risk relationship without any such indications and performs spot checks on the relationship opening documents after being onboarded.

5.2.7 Exposure check

Any customer including any person involved is matched with relevant PEP- and sanctions-lists. The minimum requirements are Swiss sanctions, EU sanctions, US sanctions (OFAC list).

  • In case of a person listed on a sanctions list, the opening of a relationship is denied
  • In case of indications for money laundering, terrorism financing or sanctions violation, the opening of a relationship is denied
  • In case of a relationship includes a PEP, the process for relationships with increased risks is followed

In case of a negative exposure as listed above or any other negative exposure, the AML Officer is approached immediately for further investigation and to clarify whether a reporting duty as outlined in “Reporting & documentation” is given.

In order to perform sanctions, PEP and negative exposure checks, the Company cooperates with an established tool provider fulfilling Swiss standards.

5.2.8 Risk classification and acceptance

The Company assigns, based on the risk scoring as outlined beneath, every business relationship to one of the following categories:

  • Risk category 1 (score 0–1) — standard risk business relationship
  • Risk category 2 (score ≥ 2) — business relationship with increased risks (high-risk business relationship)

If the risk score is ≥ 2 the business relationship is classified as a business relationship with increased risks (high risk business relationship).

The Company uses the following risk criteria based on the assessment of the risks inherent to the Company’s business case with scoring:

  • Domicile or residence of the Contracting Party, the Controlling Person or the Beneficial Owner (for scoring of countries see Appendix)
  • Place of the business activities of the Contracting Party or the Beneficial Owner (for scoring of countries see Appendix)
  • Sector of business activities of the Contracting Party or the Beneficial Owner (for scoring of business sectors see Appendix)
  • Complexity of structures, particularly if using several domiciliary companies or a domiciliary company with fiduciary shareholders in a non-transparent jurisdiction (scoring: non-complex: 0 / complex: 1)
  • Frequent transactions carrying an increased risk (scoring: no frequent high-risk transactions: 0 / frequent high risk transactions: 1)
  • Total value of wealth of the Contracting Party, if an individual or a domiciliary company, is > 10 Mio. CHF or equivalent (scoring: <10 Mio. CHF: 0 / >10 Mio. CHF: 1)
  • Crypto wallet address presented by the customer is flagged as high-risk by the transaction monitoring software used (scoring: standard risk: 0 / high risk: 1)

In case one criterion has several answers (such as several sectors of business activities), the one with the highest risk exposure prevails. In case several persons are involved in the relationship, the one with the highest risk exposure prevails.

A business relationship is in any case classified as high-risk (score: 2) if:

  • any Politically Exposed Person is involved in the business relationship
  • the domicile or residence of the Contracting Party, the Controlling Person or the Beneficial Owner is located in a country that is on the following two lists of FATF: “high-risk Jurisdictions subject to a Call for Action” and “Jurisdictions under Increased Monitoring” (if not restricted see Appendix)
  • an investigation because of money laundering, terrorism financing or sanctions violation was conducted by the Company (irrespective of the outcome)
  • the Company considers the business relationship as high-risk due to any other reason based on a risk assessment by the EXCO or the AML Officer

In case a business relationship is classified as high-risk, enhanced due diligence is undertaken by the AML Officer before onboarding is completed. If during its lifecycle, a business relationship is re-classified as high-risk, enhanced due diligence is undertaken without delay.

Depending on the circumstances, enhanced due diligence may include (not exclusively):

  • the collection of information from the Contracting Partner
  • the consultation of reliable publicly accessible sources and databases
  • information from trustworthy individuals or authorities

The AML Officer assesses the results of the enhanced due diligence with a view to plausibility. If necessary, the AML Officer clarifies the background of the relationship, requests further documents or starts an investigation. The result of the clarification is documented in such way that a third party can easily understand the economic background and purpose of the business relationship.

An EXCO member decides on the acceptance of any new business relationship with increased risks. The decision on the acceptance or decline of a business relationship is documented.

The Company does not use the following risk criteria:

  • Nationality of the Contracting Party or the Beneficial Owner — a person’s nationality does not provide great confidence about a potential money laundering/terrorism financing risk in particular considering the global economy the Company is operating in.
  • Lack of personal contact to the Contracting Party and the Beneficial Owner — since the Company’s focus is not on identification in person and if considering the shift towards a digital economy, missing personal contact is not considered as a supportive risk factor.
  • Nature of requested goods or services — the Company offers a very limited range of services that are of an equivalent exposure. Therefore, the nature of services requested is not a supportive risk factor.
  • The value of assets introduced — since the business case of the Company also includes investment in a highly volatile asset class, the value of assets introduced may lead to constant changes of the risk level of the customer and is therefore not a supportive risk factor.
  • Value of inflowing and outflowing assets — due to the nature of the Company’s business activity, a high frequency of in- and outflows is expected. Therefore, this criterion does not provide any additional confidence.
  • Country of origin or destination of frequent payments — since the token economy operates globally as well as the country of origin and destination of token transfers remain often intransparent, this risk factor does not provide great support.

5.2.9 Rejection or termination of a business relationship

The rejection or the termination of the business relationship is mandatory if:

  • the Company had been misled by the Contracting Partner during the identification process
  • the Company received a false statement about the Beneficial Owner or the Controlling Person of the Assets to be involved in the business relationship
  • doubts about the information provided by the Contracting Partner persist even after repeating the identification of the Contracting Partner, the Beneficial Owner or the Controlling Person

In case of a non-cooperative Contracting Partner, the AML Officer is notified immediately. Generally, in case of a continuously non-cooperative Contracting Partner, the business relationship shall be terminated. The AML Officer recommends the closing of the business relationship to the EXCO if the deficiencies occurred cannot be solved otherwise and a termination appears to be appropriate. An EXCO member takes the final decision.

If there is suspicion for money laundering or terrorism financing, the AML Officer performs an investigation. In such cases, the business relationship must neither be terminated during the investigation nor if the conditions for a reporting as outlined in “Reporting & documentation” are fulfilled.

5.3 Monitoring

5.3.1 Monitoring principles

The profile of the Contracting Partner is kept up-to-date and changes to the customer’s data are recorded on an ongoing basis. In addition, profiles are reviewed regularly depending on the respective risk level.

All employees and external service provider performing AML relevant tasks like an internal employee have the duty to inform the AML Officer if money laundering, financing of terrorism or sanctions violation is suspected or if there is awareness of any activity and/or transaction which indicates such exposure. The same duty applies in case of circumstances that may lead to legal or reputational risks for the Company.

5.3.2 Regular update

Business relationships are periodically updated in line with their level of risk:

  • Risk category 1 — biennial (every 2 years)
  • Risk category 2 — annually

Business relationships classified as high-risk are in addition at least annually reviewed by the AML Officer. The continuation of the business relationship is subject to an EXCO Member approval.

The Company repeats the procedure of identification if doubts arise during the business relationship as to whether the information given concerning the identity of the Contracting Partner is accurate or, in case of a natural person as Contracting Partner, whether the Contracting Partner is identical with the Beneficial Owner and these doubts cannot be eliminated by means of usual enquiries.

5.3.3 People monitoring

Throughout the duration of the business relationship, crosschecks on the Contracting Partner, the Controlling Person and the Beneficial Owner against the PEP- and sanctions list are undertaken.

If a Contracting Partner is identified as negatively exposed, the business relationship is passed on for review to the AML Officer and re-classified as high-risk. The AML Officer undertakes enhanced due diligence on the background of the customer. In case of an indication for money laundering, terrorism financing or sanctions violation, the AML Officer starts an investigation.

In case of an upgrade of a business relationship with standard risks to a high-risk business relationship, the process for acceptance of high-risk business relationships applies.

5.3.4 Transaction monitoring

These rules apply for FIAT as well as Virtual Assets transactions.

The Company classifies every transaction as either a standard or a high-risk transaction. A transaction is considered as high-risk if at least one of the following criteria is met for legal entities:

1. Threshold single transaction legal entities

  • Risk category 1 — CHF 250’000 (or equivalent)
  • Risk category 2 — CHF 100’000 (or equivalent)

Several transactions at the same business day are considered as a single transaction.

2. Threshold multiple transaction legal entities

  • Risk category 1 — turnover of CHF 500’000 (or equivalent) in one calendar month
  • Risk category 2 — turnover of CHF 200’000 (or equivalent) in one calendar month

The minimum number of transactions to trigger the multiple transaction threshold are two. In case a bunch of transactions reach together the threshold for multiple transaction monitoring, the calculation of the limit for further transactions starts from zero.

3. Country of origin

All transactions performed by a customer domiciled in a country that is on the following two lists of FATF: “high-risk Jurisdictions subject to a Call for Action” and “Jurisdictions under Increased Monitoring” (if not restricted see Appendix).

The following transactions are always deemed to carry an increased risk (to the extend relevant for the business case of the Company):

  • Transactions in cases where, at the beginning of a business relationship, assets equivalent to a value of CHF 100’000 are physically introduced, whether in one payment or split into several payments
  • Money and asset transfers in one or split into several transactions which appear connected reach or exceed the amount of CHF 5’000 if no permanent business relationship is associated with these transactions
  • Payments from or to a country which is considered “high-risk” or non-cooperative by the FATF and for which the FATF demands a higher level of due diligence (see Appendix)

The Company has an effective process in place to monitor transactions in order to facilitate the detection of high-risk transactions. It operates an electronic monitoring system. Hits generated by this system are to be analysed and commented by the Company and reviewed by the AML Officer.

Depending on the type of business activities conducted, the following questions are of particular relevance:

  • the reason for the transaction
  • the origin of the Assets
  • the connection of the transactions with the Contracting Partner’s business activity
  • the reason for significant deviations from the type, volume or frequency of transactions that would be usual in the context of the business relationship
  • the reason for significant deviations from the type, volume or frequency of transactions that would be usual in comparable business relationships

The AML Officer reviews the comment and either approves, rejects and ask for further clarification or start an investigation in case of indication for money laundering, terrorism financing or sanction violation.

5.3.5 Transaction monitoring Virtual Assets (additional requirements)

a) Travel Rule

In- and outflows in Virtual Assets performed from or to an external wallet are permitted if the customer of the Company is identical with the person controlling the external wallet by having access to the wallet. The Company verifies this requirement by using technical means as follows:

  • Providing an external wallet to the credentials presented by the customer of the Company during the on-boarding process, or
  • Obtaining a print-screen of the external wallet, or
  • Verifying access of the customer of the Company to the external wallet presented by a transfer of a small amount (so called Satoshi test) and getting proof of receive by the customer, or
  • Verifying access of the customer of the Company to the external wallet presented by sending a message (such as a password) to the wallet of the customer and getting proof of receive by the customer, or
  • Obtaining a digital signature verification for both single and multi-signature (MultiSig) wallets

After successful proof of control, the wallet is assigned to the customers’ profile and can be used for in- and out-going payments in Virtual Assets.

If an incoming transaction is not originating from a verified wallet of the customer, proof of control must be provided immediately. Otherwise, the Company initiates an investigation for suspicious transactions.

In case the customer uses an external wallet hosted by a third party, the provider of hosted wallets submits the name, account number and address of the respective wallet holder as well as the name and account number of the beneficial owner so that the Company is able to provide full identification.

The proof of control will be regularly repeated according to the following rules:

  • For business relationship with risk category 1: after 12 months
  • For business relationship with risk category 2: after 6 months
  • In case of doubt that the customer still has control over the wallet

For inter-VASP transactions, the Company may make use of a travel rule protocol such as the TRP or the OpenVASP protocol in order to receive identifying information about the person receiving or sending the Virtual Assets from or to the customer.

b) Analysis of Virtual Asset transactions

The Company uses an established blockchain analytics tool for all incoming and outgoing transactions in Virtual Assets which analyzes the addresses of the sending or receiving external wallet.

The result of the blockchain analysis is driven by a range of indicators as defined in the analysis tool. Those risk indicators are based on information such as:

  • addresses that are used in online casinos and in the gambling sector in general
  • addresses used by ransomware, fraudsters, scam/phishing and similar exposures
  • addresses that were used to hack or exploit cryptocurrency platforms
  • indication of a use of mixers/tumblers used to cover up the source of Virtual Assets
  • addresses that have been flagged on sanction lists
  • addresses that are linked to terrorist activities

The analytics tool provides a risk score which shows a score in the range from not exposed to extremely exposed. The Company classifies transactions based on its score into the following categories:

  • standard risk transaction — no further measures
  • high-risk transaction — enhanced due diligence required
  • suspicious transaction — prohibited, investigations are required

The Company reviews the score received and the AML Officer performs, depending on the transaction scoring, an enhanced due diligence or investigation. If required, additional information will be requested by the analytics tool or other external sources.

6. Fraud Prevention and Detection

The Company recognizes fraud as a significant financial crime risk which may expose the Company to legal, regulatory, financial and reputational damage. Fraud risk is therefore managed as an integral component of the Company’s overall AML/CTF and sanctions compliance framework and is addressed through the same risk-based approach applied to money laundering and terrorist financing.

The Company applies a zero-tolerance approach towards fraudulent activities, attempted fraud, and any behavior intended to deceive, mislead or abuse the Company, its customers, or third parties.

Fraud refers to any intentional act or omission designed to obtain an unlawful or unfair advantage, to cause loss to another party, or to conceal the true nature, source, ownership or control of assets. Fraud may be committed by customers, counterparties, third parties or employees.

Fraud risks are considered during customer onboarding, risk classification, ongoing monitoring and enhanced due diligence. The Company assesses fraud exposure in connection with the customer’s profile, business activity, geographic footprint, transaction behavior, delivery channels and use of technology. Where fraud risk is elevated, the business relationship is subject to enhanced due diligence and increased monitoring in line with this Policy.

The Company prevents fraud primarily through strong customer identification and verification procedures, verification of beneficial ownership and controlling persons, transaction monitoring, use of blockchain analytics and other monitoring tools, segregation of duties, access controls, and secure authentication measures. No business relationship shall be established or continued if fraud risks cannot be adequately mitigated.

Throughout the duration of a business relationship, the Company monitors customer behavior and transactions to identify patterns or activities that may indicate potential fraud. Such indicators may include inconsistencies between the customer profile and actual activity, unusual transaction patterns, unexplained changes in behavior, repeated failed authentication attempts, or links to addresses, entities or typologies associated with fraudulent activity.

All employees and external service providers performing AML-relevant tasks have an obligation to remain vigilant and to immediately inform the AML Officer if fraud is suspected or if circumstances arise that may indicate fraudulent behavior.

Where fraud is suspected, the AML Officer performs or coordinates an investigation in accordance with this Policy. The investigation includes a review of the customer relationship, transactions, documentation and any other relevant information. Additional information may be requested from the customer or obtained from reliable external sources.

If, during the investigation, indications of money laundering, terrorist financing or sanctions violations are identified, the reporting procedures of this Policy apply, including the assessment of a duty or right to notify MROS or other competent authorities.

Confirmed or reasonably suspected fraud cases are documented and escalated to the Executive Committee. The Company cooperates fully with competent authorities and supervisory bodies where reporting is required by law.

All documentation related to fraud alerts, investigations, decisions and outcomes is retained in accordance with this Policy.

Fraud awareness is included in the Company’s regular AML/CTF training program. Employees are trained to understand common fraud typologies, recognize red flags and follow internal escalation procedures.

The Board of Directors bears the overall responsibility for oversight of fraud risks. The Executive Committee ensures the implementation of appropriate fraud controls. The AML Officer acts as the central competence center for fraud-related matters within the framework of this Policy. All employees are responsible for acting with integrity and for promptly reporting any suspected fraud.

7. Investigation

If the circumstances require an investigation as outlined in this Policy or if any indications for money laundering or sanction violation were otherwise identified, the AML Officer performs an investigation. In particular, the indications as outlined in the SRO typology are used as trigger indicating the necessity of an investigation.

The AML Officer reviews the background information of the business relationship as well as transactions affected, uses external sources of information if required to complete the respective background picture and documents the results of the investigation.

The AML Officer recommends based on the investigation either to continue the business relationship, to end the business relationship or to report the business relationship to the responsible authorities. The recommendation is shared with the Executive Committee for decision. The decision is documented and the follow-up, if any, performed by the AML Officer.

Each relationship for which an investigation was performed is in any case re-classified as high-risk relationship. The respective procedures for high-risk relationships apply.

8. Reporting & Documentation

The Company informs its supervising regulator immediately about any report made to authorities.

8.1 Duty to notify MROS

Based on art. 9 para 1 AMLA, a duty to notify the Money Laundering Reporting Office Switzerland MROS is given, if the Company knows or has reasonable grounds to suspect that Assets involved in the business relationship:

  • are connected to an offence in terms of art. 260ter no. 1 or 305bis Swiss criminal code (SCC)
  • are the proceeds of a criminal act or of a qualified tax offence according to art. 305bis no. 1bis SCC
  • are subject to the power of disposal of a criminal organisation or serve the financing of terrorism (art. 260quinquies paragraph 1 SCC)

In case of such indication, the AML Officer has to be informed immediately. The circumstances and the background of the case will be analysed by the AML Officer. After the review, the AML Officer informs the Executive Committee and presents an assessment as well as a recommendation. The Executive Committee decides on any notification based on the recommendation of the AML Officer. The decision is documented. The necessary notifications are made by the AML Officer subsequent to the respective decision of the Executive Committee.

The Company immediately notifies MROS if it terminates negotiations aimed at establishing a business relationship because of a reasonable suspicion as defined above.

The Company immediately notifies MROS if the Company knows or has reason to assume that the data passed on by FINMA or the supervising regulator is relating to a person or organisation corresponds to the data of a Contracting Party, a Controlling Person, a Beneficial Owner of the assets or an authorised signatory in a business relationship or transaction. In this case the Company immediately freezes the Assets entrusted to it and related to the report.

In connection with reports according to article 9 AMLA, the Company freezes the Assets entrusted to it and related to the report as soon as the MROS informs the Company about forwarding the report to the prosecution authorities. The Company keeps the Assets frozen until it receives an order from the competent prosecution authority, but at the most for five working days from the date at which the MROS informs the Company about forwarding the notification to the prosecution authorities respectively from the date at which the AML Officer notified the MROS.

The Company is prohibited from informing the Contracting Partner affected or third parties of the notification.

8.2 Right to notify MROS

If the Company does not have reasonable grounds for suspecting money laundering activity or financing of terrorism, but has indication suggesting that Assets are derived from criminal activities or legal funds are misused for criminal purposes, the Company is entitled to take one of the following actions:

  • to notify the MROS based on the right to notify
  • to continue the business relationship under increased control (re-classification as high-risk business relationship)
  • to terminate the business relationship

8.3 Sanctions reporting

In case of a potential reporting duty to SECO based on a sanction list finding, the AML Officer summarises the situation and presents it to the Executive Committee including a recommendation. The decision of the Executive Committee and the reasons behind is documented.

8.4 Documentation and data storage

The company creates and organises their documentation in a manner allowing a competent third party at any time to make reliable conclusions regarding compliance with the legal and regulatory obligations concerning AML/CTF.

Documents and records are created and stored in a manner allowing the Company to respond to any requests for information and seizure by competent authorities within the period of time required. The company maintains an up to date AML file for each contracting party containing all information of fundamental significance to the establishment of facts with regard to an AMLA-relevant business relationship as well as a list of acquisition and information of relationship closed. Each individual transaction is at any time constructable.

The Company holds physical paper or electronic copies of all significant documents. Documents and reports are stored in a secure place (inaccessible to unauthorised third parties) in Switzerland. The following requirements are applicable:

  • Possibility to print out the necessary information on paper if requested
  • The server used is located in Switzerland
  • All data is accessible to the Company at all times

The requirements pursuant to Arts. 9 and 10 of the Swiss Accounts Ordinance concerning permitted data medium as well as data review and migration apply in addition. All customer related data are stored in an unchangeable form as a regular backup.

The Company retains documentation for a period of ten years following the end of the business relationship or the conclusion of the transaction.

Documents which are of fundamental significance for the establishment of facts concerning a business relationship and which are not written in one of the official languages of Switzerland or in English are translated into English or into one of the official languages of Switzerland by an appropriately qualified and approved translator.

9. Third Parties and Outsourcing

The Company might engage third parties for the fulfilment of duties of due diligence or otherwise work with third parties as cooperation partners such as external service providers or business partners.

When outsourcing activities to a third party, the following conditions are met:

  • Evaluation and careful selection of the appointed person and guarantee of the person for proper business conduct
  • Instruction of the person with regards to its responsibilities by concluding of a written agreement with the appointed person or company
  • Control of the person whether the appointed person is complying with the duties of due diligence

The responsibility for being compliant with the duties carried out remains with the Company and the duty to report and the duty to freeze assets as well as the decision about acceptance or termination of a business relationship cannot be delegated to a third party.

The Company ensures that any third parties to whom due diligence tasks were delegated to, do not themselves delegate those tasks further to any other person or company.

10. Responsibilities

Generally, all employees including the BoD as well as the EXCO are responsible for following and being compliant with all applicable external and internal provisions and are requested to immediately report any breaches to the AML Officer. External service providers are also to be bound to a comparable level of compliance.

10.1 Board of Directors

The BoD bears the overall responsibility concerning the risks in the Company and supervises the Company’s activities in this regard. The implementation of risk mitigating measures may be delegated to the EXCO. A member of the BoD is designated as the person responsible for overseeing the implementation of the regulatory framework for Compliance.

In particular, the duties of the BoD are:

  • Sets up an appropriate company structure that enables and ensures compliance with relevant AML/CTF regulations
  • Approves this policy
  • Establishes, records and approves the general principles relating to AML/CTF
  • Ensures that the AML Officer as well as any other person assigned to implement AML/CTF tasks, receive all relevant data and information in a complete, correct and timely manner
  • Ensures that all employees are aware of the AML Officer and are informed when and what shall be reported to the AML Officer
  • Ensures that the AML Officer has sufficient resources to effectively carry out its responsibilities including competent personnel and technological equipment
  • Evaluates and approves the annual AML Officer report and takes correcting measures in case of weaknesses and deficiencies

10.2 Executive Committee

The EXCO performs all corporate management tasks that are not assigned to the BoD or have been delegated by the BoD to the EXCO. The EXCO holds the responsibility that the Company’s business activities are performed in a compliant manner. This duty cannot be delegated to a third party.

In particular, the duties of the EXCO are:

  • Implements this policy
  • Appoints one or several persons who has/have the skills, experience and expertise to serve as AML Officer, ensures deputization if required and determines and controls the responsibilities and duties of the AML Officer based on the requirements as outlined in this policy
  • Decides on the acceptance, continuing and termination of business relationships
  • Decides about MROS, SECO and FINMA notifications based on the recommendation of the AML Officer
  • Grants the AML Officer unrestricted access to the EXCO and the BoD
  • Performs all reporting duties towards the regulator as well as towards customers
  • Supervises all third parties to whom task of the Company have been delegated to

10.3 AML Officer

The AML Officer serves as the anti-money laundering, counter terrorism financing and sanctions competence centre. The AML Officer supports and advises the Company in the implementation of this policy without overtaking the responsibility for correct implementation by the Company.

The tasks of the AML Officer are in particular:

  • Assistance of the Client in compliance tasks to ensure compliance with anti-money laundering regulations and internal directives and guidelines by auditing the effectiveness of its internal compliance program every 6 months
  • Control of the AML/CTF and sanction duties of the Client with regards to the SRO-Regulation
  • Perform of investigations in case of suspicious relationships and behavior, recommendation and creation of reports to MROS and/or SECO as well as the SRO
  • Regular update of the AML Policy (at least annual) and assistance in preparing other internal directions and guidelines in the area of the AMLA
  • Assistance with SRO relevant changes
  • Report to the Board of Directors and the management of the Client in any relevant matters (at least once per year)
  • Preparation and participation on the audit as well as corrections based on audit feedback
  • Support with annual SRO declaration
  • Regulatory updates on AML relevant changes (information & adaption)
  • Information point for questions concerning SRO Regulation
  • Coordination of basic and advanced trainings of the Client’s personnel
  • If required (20 or more employees): creation of an AML risk assessment

The AML Officer role contains at least one senior executive with specific knowledge of the Company’s exposure in the areas of AML/CTF and with sufficient seniority to identify the respective risks, adequately address them, take decisions and advocate for them.

The AML Officer has the resources, expertise, and access to all relevant information necessary to perform its duties appropriately and efficiently. The AML Officer reports directly to the EXCO on all AML/CTF related matters as well has a direct reporting line to the BoD.

The AML Officer shall in particular have the following rights:

  • Entitlement to issue internal guidelines for AML/CTF matters
  • Unimpeded access to all stored records at all times
  • Reclassification of any customer relationship to a relationship with increased risks if appearing as appropriate
  • Freezing assets if appearing as appropriate

11. Internal Reporting

11.1 Ordinary reporting

The AML Officer reports to the Executive Committee on a quarterly basis. In addition, an annual report for the attention of the Executive Committee as well as to the Board of Directors is created.

11.2 Extraordinary reporting

All employees, as soon as they become aware of any breach of duties based on this policy, have the obligation to promptly inform their responsible superior (Executive Committee Member) or contact the AML Officer about the issue directly. Such reports are to be treated confidential and may also be made anonymously.

The Executive Committee Member immediately informs the AML Officer in case of significant changes of regulatory risks or violations of this policy in their area of responsibility.

12. Training

The AML Officer coordinates employee trainings regarding anti-money laundering and prevention of financing of terrorism as well as sanctions.

The AML Officer defines the functions within the Company, that are considered as exposed because of a close contact to Contracting Partner as well as their Assets with regards to the Regulations. For these functions, an annual training focused on anti-money laundering and counter terrorism financing as well as sanctions is undertaken.

The basic AML training for employees working in the AML sector takes place within 12 months after admission or joining the Company. After completion of the basic training, repetitions in form of advanced trainings shall take place every two years.

13. Exception to Policy

The Company may decide to deviate from a provision outlined in this policy if:

  • the provision is not a mandatory requirement according to Regulations, and
  • the deviation does not expose the Company to disproportional risks

In order to deviate from a provision of this policy, a written preapproval of the AML Officer as well as of an Executive Committee Member is required. The approval has to be documented and the exception will be included in the regular reporting.

14. Updates of This Policy

This policy shall be updated as often as required by the circumstances including when needed to reflect changes in applicable external regulation, sanctions and FATF opinions. The AML Officer proactively assists in the regulatory watch and necessary adjustments to the policy including to its appendices.

Appendix 1 — Country Risk Categories

Last update: 07/2024. For country risk categories the following lists are consulted:

  • FATF lists “High Risk Jurisdictions subject to a Call for Action” and “Jurisdictions under Increased Monitoring”
  • High-risk countries list (based on SRO, FINMA, SECO sanctioned countries and best practice standards)

The countries as listed beneath are used for all country-driven risk factors such as nationality, domicile and place of business activity if defined in this policy as being relevant. The list covers all countries and cannot be used as an indication for the countries the Company is or will be servicing.

Customers domiciled in the United States of America, its territories or if otherwise taxable in the US are not accepted.

«Non-serviced» countries

Customers with domicile or with current business activity in one of the following countries are excluded from the service of the Company:

  • Belarus (sanctioned)
  • Bulgaria
  • Burkina Faso
  • Burundi (sanctioned)
  • Cameroon
  • Central African Republic (sanctioned)
  • Congo, Democratic Rep. (sanctioned)
  • Croatia
  • Democratic People’s Rep. of Korea (sanctioned)
  • Guatemala (sanctioned)
  • Guinea (sanctioned)
  • Guinea Bissau (sanctioned)
  • Haiti (sanctioned)
  • Iran (sanctioned)
  • Iraq (sanctioned)
  • Kenya
  • Lebanon (sanctioned)
  • Libya (sanctioned)
  • Mali (sanctioned)
  • Moldova (sanctioned)
  • Monaco
  • Mozambique
  • Myanmar (sanctioned)
  • Namibia
  • Nicaragua (sanctioned)
  • Nigeria
  • Philippines
  • Russia (sanctioned)
  • Senegal
  • Somalia (sanctioned)
  • South Africa
  • Sudan (sanctioned)
  • Sudan, Republic of South (sanctioned)
  • Syria (sanctioned)
  • Tanzania
  • Ukraine, occupied areas (sanctioned)
  • Venezuela (sanctioned)
  • Vietnam
  • Yemen (sanctioned)
  • Zimbabwe (sanctioned)

Exposed countries (scoring 2)

  • Algeria
  • Angola
  • Benin
  • Cambodia
  • Chad
  • China
  • Comoros
  • Cote D’Ivoire
  • Gabon
  • Kyrgyzstan
  • Lesotho
  • Liberia
  • Mauritania
  • Nepal
  • Panama
  • Rwanda
  • Sierra Leone
  • Solomon Islands
  • Suriname
  • Tajikistan
  • Togo
  • Turkmenistan
  • United Arab Emirates

High-risk countries (scoring 1)

  • Afghanistan
  • Albania
  • Anguilla
  • Antigua & Barbuda
  • Azerbaijan
  • Bahrain
  • Bangladesh
  • Barbados
  • Belize
  • Bermuda
  • Bolivia
  • Bosnia and Herzegovina
  • Botswana
  • British Virgin Islands
  • Cayman Islands
  • Colombia
  • Congo, Republic of
  • Cuba
  • Curacao (cfr NL)
  • Cyprus
  • Delaware
  • Djibouti
  • Dominica
  • Dominican Republic
  • Ecuador
  • Equatorial Guinea
  • Eritrea
  • Ethiopia
  • Fiji
  • Gambia
  • Ghana
  • Gibraltar
  • Grenada
  • Guernsey
  • Guyana
  • Honduras
  • Hong Kong
  • Ireland
  • Isle of Man
  • Jamaica
  • Jersey
  • Jordan
  • Kazakhstan
  • Kiribati
  • Kosovo
  • Laos
  • Liberia
  • Macao
  • Madagascar
  • Maldives
  • Malta
  • Marshall Islands
  • Mauritania
  • Mauritius
  • Mexico
  • Miami
  • Micronesia
  • Montserrat
  • Morocco
  • Nauru
  • Niue
  • Pakistan
  • Palau
  • Papua New Guinea
  • Paraguay
  • Peru
  • Puerto Rico
  • Saint Kitts and Nevis
  • Saint Lucia
  • Saint Vincent and the Grenadines
  • Sao Tome and Principe
  • Seychelles
  • Swaziland
  • Timor-Leste
  • Tonga
  • Trinidad and Tobago
  • Turkey
  • Turks & Caicos Islands
  • Tuvalu
  • Uganda
  • Ukraine, non-occupied areas
  • Uzbekistan
  • Vanuatu
  • Zambia

The following countries are not classified as high-risk countries in deviation to the VQF Country Risk List — Singapore: based on the ratings in the BASEL AML Index and the Transparency International Index, Singapore is not considered as a high-risk country.

Appendix 2 — Business Sector Risk Categories

Last update: 01/2025. Customers active in one of the following business sectors are excluded from the service of the Company. These activities are declared as «non-serviced» business sectors:

  • Illegal sale of tobacco products
  • Offensive adult pornography
  • Copyright and trademark infringements
  • Unlicensed gambling, betting, or lotteries
  • Coerced transactions
  • Child exploitation and sex trafficking
  • High risk securities/cryptocurrencies in violation of the Regulations
  • Circumvention devices
  • Sale of certain drugs/chemicals such as synthetic drugs, K2, Spice etc.
  • Illegal pharmaceuticals
  • Animals and wildlife products classified as endangered or protected
  • Business models that use ransom or extortion like practices, or business models with trial periods or subscriptions
  • Human body parts or bodily fluids (excluding hair and teeth)
  • Pyramid selling, chain letters or other financial scams
  • Trade of weapons, ammunitions, military arms, explosive devices and firearm parts
  • Other ML and TF geared business activities
  • Fictitious account, unlicensed / unregulated institutions and shell companies

An activity or business qualifies as a high-risk if the respective sector of business activity involves (scoring 1):

  • Adult Entertainment industry
  • Art & antiques
  • Charity, NGO & non-profit organisations
  • Commodities
  • Cryptocurrency / DLT
  • Exotic animals
  • Foreign exchanges (non-professional)
  • Gambling & sports
  • Military & arms
  • Money transfer agents
  • Politics & public administration
  • Precious stones & metals

Where unclear, the AML Officer supports in determining whether a certain activity is deemed as high-risk.

Appendix 3 — FATF Member States for Bank Transfers (Online Identification)

Last update: 07/2024.

Permissible FATF member states

  • Australia
  • Austria
  • Belgium
  • Brazil
  • Canada
  • France
  • Germany
  • Greece
  • Hong Kong (China)
  • Indonesia
  • Ireland
  • Israel
  • Italy
  • Japan
  • Korea (South)
  • Luxembourg
  • Malaysia
  • Netherlands
  • New Zealand
  • Norway
  • Portugal
  • Saudi Arabia
  • Singapore
  • South Africa
  • Spain
  • Sweden
  • Switzerland
  • Turkey
  • United Kingdom
  • USA

Non-permissible FATF member states

  • Argentina
  • China
  • Denmark
  • Finland
  • Iceland
  • India
  • Mexico
  • Russian Federation (suspended)