Anti-Money Laundering and Counter-Terrorist Financing Policy

Last Updated: 2025-01-05 Effective Date: 2025-01-05 Version: 2.0 (Non-Custodial Remittance Orchestration Platform) Classification: Internal / Compliance

1. Introduction and Scope

1.1 Purpose

This Anti-Money Laundering and Counter-Terrorist Financing Policy ("AML/CTF Policy") establishes DONATION POS L.P. (trading as "PayWolt")'s framework for preventing, detecting, and mitigating the risks of money laundering (ML), terrorist financing (TF), and proliferation financing (PF) in connection with our cross-border remittance orchestration platform.

1.2 PayWolt's Business Model and AML/CTF Role

Critical Context:

PayWolt operates as a technology service provider (TSP) that orchestrates cross-border money transfers between licensed payment service providers. PayWolt does NOT:

Hold, custody, or transmit customer funds
Operate as a money transmitter or remittance business
Issue electronic money
Provide payment services as defined in PSD2 Article 4

PayWolt's AML/CTF Responsibilities:

While PayWolt is not a regulated payment institution, we implement AML/CTF controls appropriate to our role as a technology platform, including:

Platform-Level Sanctions Screening: Screening users and transactions against EU, UN, US, and UK sanctions lists
Transaction Pattern Monitoring: Detecting suspicious orchestration patterns (e.g., rapid corridor switching, structuring across providers)
Provider Compliance Verification: Ensuring our licensed payment service providers maintain adequate AML/CTF programs
Cooperation with Authorities: Assisting law enforcement and regulatory authorities as legally required
Record Keeping: Maintaining transaction orchestration records for regulatory review

Provider AML/CTF Responsibilities:

Our licensed payment service providers (Wise, Flutterwave, Stripe) are independently responsible for:

Customer Due Diligence (CDD) / Know Your Customer (KYC)
Identity verification and document retention
Source of funds / source of wealth verification
Politically Exposed Person (PEP) screening
Transaction monitoring for payment execution
Suspicious Activity Reporting (SARs) to their respective Financial Intelligence Units (FIUs)
AML/CTF compliance in accordance with their licenses

1.3 Scope of Application

This Policy applies to:

Scope	Coverage
Persons	All PayWolt employees, contractors, directors, and agents
Services	Cross-border remittance orchestration via the PayWolt Platform
Transactions	All transfers orchestrated through the Platform, regardless of amount
Geography	All jurisdictions where PayWolt operates or facilitates transfers

1.4 Regulatory Framework

This Policy is informed by (but does not constitute full compliance with, given PayWolt's non-regulated status):

Regulation	Jurisdiction	Key Provisions Considered
5th Anti-Money Laundering Directive (EU 2018/843)	European Union	Risk assessment, enhanced due diligence for high-risk third countries
6th Anti-Money Laundering Directive (EU 2018/1673)	European Union	Criminalization of ML, corporate liability
Hellenic Law 4557/2018	Greece	AML/CTF implementation in Greece
Payment Services Directive 2 (EU 2015/2366)	European Union	Strong customer authentication, transaction monitoring
FATF Recommendations (2012, as amended)	International	Risk-based approach, beneficial ownership, wire transfer rules (R.16)
EU Regulation 2015/847 (Wire Transfer Regulation)	European Union	Information requirements for fund transfers

Important Note: As a technology platform, PayWolt is not directly subject to licensing requirements under AMLD5/6 or PSD2. However, we implement controls reflecting best practices to:

Support our providers' AML/CTF compliance
Protect our business from ML/TF risks
Demonstrate responsible platform governance to regulators, investors, and partners

2. Governance and Organizational Structure

2.1 AML/CTF Governance Framework

Board of Directors
        │
        ├─► Chief Executive Officer (CEO)
        │           │
        │           └─► Chief Compliance Officer (CCO)
        │                       │
        │                       ├─► AML/CTF Compliance Manager
        │                       │           │
        │                       │           ├─► Sanctions Screening Team
        │                       │           ├─► Transaction Monitoring Team
        │                       │           └─► Provider Compliance Team
        │                       │
        │                       └─► Money Laundering Reporting Officer (MLRO)
        │
        └─► Chief Technology Officer (CTO)
                    │
                    └─► Security & Fraud Prevention Team

2.2 Roles and Responsibilities

2.2.1 Board of Directors

Responsibilities:

Approve this AML/CTF Policy and material amendments
Set the organization's risk appetite for ML/TF exposure
Ensure adequate resources (budget, staffing, technology) for compliance
Receive quarterly AML/CTF reports from the CCO/MLRO
Oversee management's implementation of the AML/CTF program

Frequency: Quarterly AML/CTF updates; annual policy review.

2.2.2 Chief Compliance Officer (CCO)

Responsibilities:

Overall accountability for AML/CTF compliance program
Report directly to the Board on AML/CTF matters
Approve provider partnerships from AML/CTF perspective
Oversee annual enterprise ML/TF risk assessment
Coordinate with providers on AML/CTF matters
Liaise with regulators and law enforcement (where applicable)
Approve high-risk corridors or service expansions

Authority:

Block high-risk transfers or corridor activations
Suspend user accounts pending investigation
Terminate provider relationships for compliance failures
Access all Platform data for compliance purposes

2.2.3 Money Laundering Reporting Officer (MLRO)

Responsibilities:

Receive and evaluate internal suspicious activity reports
Determine whether to file Suspicious Transaction Reports (STRs) / Suspicious Activity Reports (SARs) with relevant FIUs
Maintain confidential STR/SAR records
Liaise with Hellenic Authority for Combating Money Laundering and FIUs in other jurisdictions (as appropriate)
Provide quarterly statistical reports to Board (number of STRs filed, outcomes)

Independence:

Reports directly to CCO (functionally) and CEO (administratively)
Protected from retaliation for good-faith reporting
No conflicting business development responsibilities

Note: Given PayWolt's non-custodial model, STR/SAR filings by PayWolt are rare. Most suspicious activity is reported by providers. PayWolt files STRs only for platform-level suspicions (e.g., coordinated fraud rings using multiple providers).

2.2.4 AML/CTF Compliance Manager

Responsibilities:

Implement and maintain AML/CTF procedures
Manage sanctions screening system and watchlist updates
Oversee transaction pattern monitoring
Conduct provider AML/CTF due diligence reviews
Coordinate AML/CTF training programs
Maintain AML/CTF documentation and audit trail
Prepare quarterly compliance reports for CCO/MLRO

2.2.5 All Employees

Responsibilities:

Complete mandatory annual AML/CTF training
Report suspicious activity to MLRO via internal reporting channel
Comply with sanctions screening requirements
Do not "tip off" users about investigations or STR filings
Escalate compliance concerns without fear of retaliation

3. Risk Assessment

3.1 Enterprise-Wide ML/TF Risk Assessment

PayWolt conducts an annual enterprise-wide ML/TF risk assessment covering:

3.1.1 Inherent Risk Factors

Risk Category	Factors Assessed	Risk Level Assessment Criteria
Customer/User Risk	Geographic distribution, transaction volumes, behavior patterns	High: PEPs, sanctioned individuals, high-risk jurisdictions
Product/Service Risk	Cross-border remittances, corridor characteristics, speed of transfers	High: Instant transfers, high-value corridors, cash-intensive destinations
Geographic Risk	Source/destination countries, FATF compliance, corruption indices	High: FATF blacklist/greylist countries, US/EU sanctioned jurisdictions
Provider Risk	Providers' AML/CTF programs, regulatory standing, incident history	High: Providers with recent AML deficiencies, regulatory actions
Delivery Channel Risk	Mobile app, API integrations, third-party referrals	High: Non-face-to-face onboarding, anonymous access attempts

3.1.2 ML/TF Risk Matrix

Overall Risk Calculation:

Overall ML/TF Risk = (Inherent Risk) × (1 - Effectiveness of Controls)

Risk Levels:

Level	Definition	Treatment
Low	Minimal ML/TF risk; strong controls	Standard monitoring
Medium	Moderate ML/TF risk; adequate controls	Enhanced monitoring
High	Elevated ML/TF risk; controls may be insufficient	Heightened due diligence; senior approval required
Prohibited	Unacceptable ML/TF risk	Service not offered; relationship declined/exited

3.2 Corridor-Specific Risk Assessment

Each transfer corridor (e.g., "Nigeria → Germany", "Ghana → United Kingdom") is assigned a risk rating:

Corridor Risk Factors	Examples
Source Country Risk	FATF compliance, corruption perception index, sanctions exposure
Destination Country Risk	Same as source
Historical Abuse Patterns	Known ML/TF typologies for this corridor
Provider AML Capabilities	Strength of provider's controls in source/destination countries
Transaction Characteristics	Typical amounts, velocity, purposes

Corridor Risk Ratings:

Rating	Examples	Monitoring Approach
Standard	UK → Germany (SEPA), France → Spain	Normal monitoring thresholds
Elevated	Nigeria → UK, Ghana → Germany	Reduced thresholds; more frequent reviews
High-Risk	Transfers involving FATF greylist countries	Manual review for all transactions >EUR 1,000; EDD at provider level
Prohibited	Transfers to/from comprehensively sanctioned jurisdictions (e.g., North Korea, Iran)	Corridor not activated; transactions blocked

3.3 Annual Risk Assessment Process

Timing: Conducted annually (Q1 of each calendar year) and updated upon:

Launch of new corridors or services
Significant regulatory changes (e.g., new FATF greylist additions)
Provider incidents (e.g., AML enforcement actions against a provider)
Internal incidents (e.g., detection of organized fraud)

Output: Written risk assessment report presented to Board, including:

Summary of inherent risks
Assessment of control effectiveness
Residual risk rating
Recommended control enhancements
Resource requirements

4. Sanctions Screening

4.1 Sanctions Programs

PayWolt screens against the following sanctions lists:

Sanctions List	Issuing Authority	Update Frequency	Coverage
EU Consolidated Financial Sanctions List	European Union	Daily (via official EU API)	Individuals, entities, countries subject to EU sanctions
OFAC Specially Designated Nationals (SDN) List	U.S. Department of Treasury	Daily (via OFAC API)	Individuals and entities blocked under US sanctions programs
OFAC Consolidated Sanctions List	U.S. Department of Treasury	Daily	All US sanctions programs (country-based, list-based)
UK Consolidated List of Financial Sanctions Targets	UK Office of Financial Sanctions Implementation (OFSI)	Daily (via UK government API)	UK sanctions targets
UN Security Council Consolidated List	United Nations	Weekly	Individuals/entities associated with terrorism, proliferation

4.2 Screening Points

Sanctions screening is performed at the following checkpoints:

Event	Screening Target	Action on Match
Account Registration	User name, date of birth, nationality	Block registration; escalate to MLRO
Transfer Initiation (Quote Request)	Sender name; recipient name; recipient bank (if applicable)	Block quote generation; escalate
Corridor Validation	Source country; destination country	Block corridor access if sanctioned jurisdiction
Periodic Re-Screening	All active users	Quarterly batch screening; freeze accounts on new matches
List Updates	All users and recent transactions	Immediate screening upon list update; block matching accounts

4.3 Screening Methodology

Name Screening:

Fuzzy matching algorithm (minimum 85% similarity threshold)
Phonetic matching (Soundex, Metaphone algorithms)
Alias and alternate spelling matching
Transliteration variants (e.g., Arabic, Cyrillic to Latin)

Date of Birth Matching:

Exact match or within ±2 years (to account for data entry errors)

Nationality/Citizenship Matching:

Exact match to sanctioned nationalities (where applicable)

4.4 Match Disposition

4.4.1 Confirmed Match (True Positive)

Immediate Actions:

Block Transaction/Account Immediately: System automatically blocks the transaction and freezes the account.
Escalate to MLRO: Automated alert sent within minutes; MLRO reviews within 1 hour.
Do NOT Notify User: Per "tipping off" prohibitions, user is not informed of the sanctions match.
Report to Authorities:
- EU sanctions: Report to Hellenic Ministry of Foreign Affairs (within 24 hours)
- OFAC sanctions: Consider voluntary self-disclosure to OFAC (if US nexus exists)
- Document all actions in compliance management system

4.4.2 Potential Match (Requires Investigation)

Procedure:

Hold Transaction: Transaction placed in pending status (not executed).
Gather Additional Information: Request additional identifying information from user (e.g., full legal name, passport number).
Manual Review: AML Compliance Manager reviews match against additional data points.
Disposition Decision: Within 24 hours, determine:
- True Positive: Follow 4.4.1 above.
- False Positive: Document rationale; add to whitelist; release transaction.

4.4.3 False Positive

Procedure:

Document Rationale: Record why the match is deemed false (e.g., different date of birth, different nationality, common name).
Clear Alert: Mark alert as "False Positive - Cleared."
Whitelist (if appropriate): Add user to internal whitelist to prevent future alerts (reviewed quarterly).

4.5 Sanctions Compliance Governance

List Update Protocol:

Automated daily downloads from official sources
System alerts compliance team upon list changes
Immediate batch re-screening of all active users upon list update

Audit Trail:

All screening results logged with timestamps
Disposition decisions recorded with rationale and approver name
Quarterly audit of sanctions screening effectiveness

5. Transaction Monitoring and Pattern Detection

5.1 Purpose and Scope

PayWolt monitors transaction orchestration patterns (not payment execution, which is monitored by providers) to detect:

Structuring / Smurfing: Users splitting large transfers across multiple corridors or time periods to evade detection
Rapid Movement / Layering: Users sending funds through multiple corridors in quick succession (e.g., Nigeria → Germany → UK → Nigeria)
Unusual Corridor Usage: Transfers through corridors with no logical economic purpose
Velocity Abuse: Excessive transfer frequency inconsistent with stated purpose
Provider Hopping: Users systematically avoiding provider-specific limits by switching providers

Important Distinction: PayWolt does NOT monitor individual payment transactions (e.g., card payments, bank transfers) - this is the responsibility of Collection and Payout Providers. PayWolt monitors the orchestration layer (which corridors, which providers, what patterns).

5.2 Monitoring Rules and Thresholds

5.2.1 Threshold-Based Rules

Rule ID	Description	Threshold	Alert Action
TM-001	High Single Transfer Amount	≥EUR 10,000 equivalent	Alert to Compliance Team for review
TM-002	Daily Cumulative Amount	≥EUR 15,000 equivalent per user per day	Alert; request source of funds from provider
TM-003	Weekly Cumulative Amount	≥EUR 50,000 equivalent per user per week	Escalate to MLRO; consider STR
TM-004	Monthly Cumulative Amount	≥EUR 100,000 equivalent per user per month	Mandatory MLRO review; EDD required from provider

Rationale: These thresholds align with EU Wire Transfer Regulation (EUR 1,000 for full information; EUR 10,000 for heightened scrutiny) and industry best practices.

5.2.2 Behavioral Pattern Rules

Rule ID	Pattern Detected	Risk Indicator	Alert Action
TM-101	Velocity Abuse - >5 transfers in 24 hours	Potential structuring or fraud	Alert; review user history
TM-102	Round Amount Clustering - Multiple transfers of exact round amounts (e.g., EUR 5,000, EUR 10,000)	Layering or trade-based ML	Alert; investigate business rationale
TM-103	Rapid Corridor Switching - User uses >3 different corridors within 7 days	Complex layering scheme	Escalate to MLRO
TM-104	Midnight/Unusual Hour Transfers - Transfers initiated 00:00-05:00 local time	Automation or fraud	Alert if pattern persists
TM-105	Provider Limit Evasion - User approaches provider-specific limit, then switches to different provider	Systematic evasion of controls	Escalate; may indicate sophisticated ML

5.2.3 Geographic and Corridor Rules

Rule ID	Pattern	Risk Level	Action
TM-201	Transfer to/from FATF Greylist Country	Elevated	Automatic escalation; manual review required
TM-202	Transfer involving High-Risk Jurisdiction (per Transparency International CPI <40)	High	MLRO review; EDD from provider
TM-203	Circular Corridor Pattern - e.g., Nigeria → Germany → UK → Nigeria within 30 days	Very High	Potential layering; immediate MLRO review; likely STR
TM-204	Transfer to Offshore Financial Center with no stated business purpose	High	Request explanation; escalate if unsatisfactory

5.3 Alert Management Workflow

Transaction Orchestrated → Monitoring Rules Engine → Alert Generated?
                                                              │
                                                              ├─► No Alert: Transaction proceeds
                                                              │
                                                              └─► Alert Generated
                                                                        │
                                                                        ▼
                                                              L1 Analyst Review (24 hours)
                                                                        │
                                          ┌─────────────────────────────┼─────────────────────────────┐
                                          ▼                             ▼                             ▼
                                    Clear Alert                  Escalate to L2            Request Info from User
                                 (Document Rationale)         (Complex Pattern)          (Via Provider or Direct)
                                                                        │
                                                                        ▼
                                                              L2 Senior Analyst Review (48 hours)
                                                                        │
                                          ┌─────────────────────────────┼─────────────────────────────┐
                                          ▼                             ▼                             ▼
                                    Clear Alert              Escalate to MLRO            Enhanced Monitoring
                                                           (Potential STR)                (Watchlist User)
                                                                        │
                                                                        ▼
                                                              MLRO Review & Decision (72 hours)
                                                                        │
                                          ┌─────────────────────────────┼─────────────────────────────┐
                                          ▼                             ▼                             ▼
                                    Close Case                  File STR/SAR              Account Closure / Exit
                               (No Suspicion)           (Report to Hellenic FIU)      (Terminate Relationship)

5.4 Investigation Procedures

For escalated alerts, the assigned investigator must:

Gather Transaction Data:
- Pull all transfers by the user in the past 90 days
- Identify all corridors used, amounts, recipients
- Check for patterns (timing, amounts, frequency)
Review User Profile:
- KYC status from provider (verification level, documents submitted)
- Stated purpose of account usage
- Self-declared occupation and income source
- Historical transaction patterns
Analyze Corridor Logic:
- Is there a logical economic reason for the corridor? (e.g., Nigerian national sending funds to family in Nigeria)
- Does the pattern suggest trade, employment, or personal remittances?
- Are amounts consistent with declared income?
Check External Sources:
- Adverse media search (Google, Lexis Nexis, World-Check if available)
- PEP status verification
- Social media review (LinkedIn, public profiles) for business verification
Provider Inquiry (if applicable):
- Request additional KYC from provider (source of funds, employment verification)
- Ask provider if they have flagged the user for suspicious activity
Document Findings:
- Prepare investigation report with timeline, findings, conclusion
- Recommend disposition: Clear, Monitor, Escalate to MLRO, or File STR
MLRO Decision:
- MLRO reviews investigation report
- Decides whether to file STR with Hellenic FIU
- Documents decision rationale

5.5 Alert Disposition Codes

Code	Meaning	Definition	Action Required
CLEAR	Cleared - No Suspicion	Legitimate transaction pattern; no evidence of ML/TF	Document rationale; close alert
MONITOR	Enhanced Monitoring	Unusual but not suspicious; warrants ongoing observation	Add user to watchlist; lower alert thresholds
STR	Suspicious Transaction Report Filed	Suspicious activity identified; reported to FIU	File STR; maintain confidentiality (no tipping off)
EXIT	Relationship Terminated	Unacceptable ML/TF risk; business relationship ended	Close account; may file STR; offboard user
PEND	Pending - More Info Needed	Insufficient information to make determination	Request additional information from user or provider

5.6 Performance Metrics and Tuning

Quarterly Metrics:

Total alerts generated
Alert-to-investigation ratio (target: <20% escalated to L2)
Investigation-to-STR ratio
False positive rate (target: <50%)
Average time to disposition (target: L1 within 24 hours, L2 within 48 hours, MLRO within 72 hours)

Annual Rule Tuning:

Review rules with high false positive rates
Adjust thresholds based on user population growth
Incorporate new ML/TF typologies from FATF, FIU guidance

6. Provider Due Diligence and Oversight

6.1 Provider AML/CTF Due Diligence

Before partnering with a payment service provider, PayWolt conducts comprehensive AML/CTF due diligence:

6.1.1 Initial Due Diligence Checklist

Category	Information/Documentation Required	Verification Method
Regulatory Authorization	EMI/PI license; license number; regulator name; license validity	Verify on regulator's public register (e.g., NBB for Wise, CBN for Flutterwave)
AML/CTF Program	Copy of provider's AML/CTF policy; organizational structure; MLRO contact	Request from provider; review for adequacy
Sanctions Compliance	Sanctions screening procedures; list coverage; screening frequency	Request documentation; assess alignment with PayWolt standards
Transaction Monitoring	Description of transaction monitoring system; rules and thresholds	Request summary; evaluate sophistication
STR/SAR Filing	Number of STRs filed annually (if disclosable); FIU relationships	Request from provider (confidential)
Regulatory History	Any AML/CTF enforcement actions, fines, or regulatory findings in past 5 years	Public records search; ask provider to disclose
Beneficial Ownership	UBOs of provider (if not publicly listed)	Corporate registry search; provider attestation
PEP Exposure	Whether provider has PEP clients; EDD procedures for PEPs	Request documentation
Audits and Certifications	Recent AML/CTF audit reports (if shareable); ISO 27001, SOC 2 certifications	Request reports; verify certifications

6.1.2 Provider Risk Rating

Based on due diligence findings, each provider is assigned a risk rating:

Risk Rating	Criteria	Oversight Level
Low	Regulated in EU/UK/US; strong AML program; no recent enforcement actions; transparent operations	Annual re-certification; standard monitoring
Medium	Regulated in non-EU jurisdiction; adequate AML program; minor historical issues	Bi-annual re-certification; enhanced monitoring
High	Recent AML deficiencies; emerging market regulation; limited transparency	Quarterly re-certification; heightened oversight; escalation to CCO for approval
Prohibited	Unlicensed; significant AML enforcement history; uncooperative with due diligence	No partnership

Current Provider Ratings (as of 2025-01-05):

Wise (Belgium): Low Risk (EU-regulated EMI; strong AML program; transparent)
Flutterwave (Nigeria, Kenya, Ghana, SA): Medium Risk (African regulation; adequate AML program; cooperative)
Stripe (US/EU): Low Risk (US/EU-regulated; robust AML controls; publicly documented program)

6.1.3 Ongoing Provider Monitoring

Annual Re-Certification:

Request updated AML/CTF policy (if amended)
Verify license remains valid
Search for new enforcement actions or adverse media
Review operational performance (incident reports, STR cooperation)

Event-Driven Reviews:

Provider receives AML/CTF enforcement action → Immediate review; consider relationship suspension
Provider changes ownership or regulatory status → Re-conduct initial due diligence
Provider expands to new high-risk jurisdiction → Assess impact on PayWolt's risk profile

6.2 Provider AML/CTF Contractual Requirements

All provider agreements include the following AML/CTF provisions:

Clause	Requirement
AML/CTF Compliance Warranty	Provider warrants it maintains an AML/CTF program compliant with applicable laws
Sanctions Screening	Provider agrees to screen all users against relevant sanctions lists
STR Filing Obligation	Provider agrees to file STRs with its regulator for suspicious activity (no obligation to share STRs with PayWolt due to tipping-off laws)
Cooperation with Authorities	Provider agrees to cooperate with law enforcement and regulatory inquiries
Right to Audit	PayWolt reserves the right to audit provider's AML/CTF controls (upon reasonable notice)
Incident Notification	Provider must notify PayWolt within 24 hours of any AML/CTF enforcement action, breach, or significant incident
Termination for Cause	PayWolt may terminate agreement if provider materially breaches AML/CTF obligations

7. Suspicious Activity Reporting

7.1 Internal Reporting Obligation

All PayWolt employees have a duty to report suspicious activity to the MLRO. Suspicious activity includes:

Indicator Category	Examples
User Behavior	User refuses to provide information; provides inconsistent information; appears coached
Transaction Patterns	Unusual patterns detected by monitoring rules (see Section 5); transactions with no apparent economic purpose
Evasion Tactics	User appears aware of reporting thresholds; structures transactions; uses multiple accounts
Knowledge of Crime	Employee becomes aware through public sources or user statements that user is involved in criminal activity
Sanctions Concerns	User has potential connection to sanctioned individual/entity/country (even if not a confirmed match)

Internal Reporting Channel:

Email: mlro@paywolt.com (encrypted)
Confidential Hotline: [Confidential number for employees]
Compliance Portal: Internal case management system

Protections for Reporters:

Confidentiality maintained (reporter identity protected)
No retaliation for good-faith reporting
Whistleblower protection under Greek law and EU Whistleblower Directive (EU 2019/1937)

7.2 MLRO Evaluation and STR/SAR Filing

Upon receiving an internal report or escalated alert, the MLRO:

Reviews Report/Alert: Gathers all relevant information, transaction data, investigation findings.
Applies Legal Test: Determines whether there are "reasonable grounds to suspect" ML/TF (not "proof" or "knowledge" - suspicion is sufficient).
Makes Filing Decision: Decides whether to file a Suspicious Transaction Report (STR) / Suspicious Activity Report (SAR).
Files STR (if applicable): Submits STR to appropriate Financial Intelligence Unit:
- Greece: Hellenic Authority for Combating Money Laundering (via dedicated reporting portal)
- Other EU: If transaction primarily relates to another EU member state, may file with that country's FIU (coordination with Hellenic FIU)
- UK (if applicable): National Crime Agency (NCA) via Suspicious Activity Reports (SARs) Online
- US (if applicable): FinCEN via BSA E-Filing System (if PayWolt has US nexus requiring SAR filing)

STR/SAR Content:

User identifying information (name, date of birth, address, account number)
Description of suspicious activity
Amounts, dates, corridors, recipients involved
Reason for suspicion (which ML/TF indicators triggered the report)
Supporting documentation (transaction records, screenshots, investigation notes)

Timing:

Greece: "Promptly" upon forming suspicion (interpreted as within 24-48 hours)
UK: As soon as practicable after forming suspicion
US: Within 30 calendar days of initial detection (if US SAR applies)

Record Keeping:

Maintain copy of STR and all supporting documentation for 10 years (per Hellenic Law 4557/2018, Article 61)
STRs stored in secure, access-controlled system (separate from general transaction records)
Access limited to MLRO, CCO, and designated compliance staff

7.3 Prohibition on "Tipping Off"

Legal Prohibition:

Under Greek AML law (Law 4557/2018, Article 52) and AMLD5 (Article 39), it is a criminal offense to disclose to the user or any third party that:

A STR has been filed or is being considered
An AML/CTF investigation is underway
Authorities have been notified or are investigating

Prohibited Actions:

Informing the user that their account is under review for AML reasons
Explaining that a transaction was blocked due to a STR filing
Discussing STRs with colleagues not involved in the investigation
Disclosing STR information to external parties (except authorities)

Permitted Actions:

Informing user of general compliance requirements (e.g., "We need to verify source of funds for compliance purposes")
Blocking a transaction for "compliance review" without specifying STR
Discussing suspicions internally with MLRO/compliance team on a need-to-know basis

Penalties for Tipping Off:

Criminal prosecution (imprisonment and/or fines)
Regulatory sanctions
Termination of employment

8. Record Keeping and Data Retention

8.1 Retention Periods

Pursuant to AMLD5 (Article 40) and Hellenic Law 4557/2018 (Article 61), PayWolt retains:

Record Type	Retention Period	Storage Location	Legal Basis
Transaction Records (orchestration metadata: corridors, amounts, timestamps, provider references)	10 years from transaction date	Secure database (encrypted at rest)	Hellenic Law 4557/2018, Art. 61(1)
User Account Data (name, email, phone, KYC status from provider, registration date)	5 years after account closure or last transaction (whichever is later)	Secure database	AMLD5 Art. 40(1)
KYC Verification Metadata (verification status, provider reference ID, verification date - NOT identity documents, which are stored by providers)	5 years after account closure	Secure database	AMLD5 Art. 40(1)
STR/SAR Filings and Supporting Documentation	10 years from filing date	Encrypted archive; restricted access	Hellenic Law 4557/2018, Art. 61(3)
AML/CTF Investigations (alerts, investigation reports, dispositions)	5 years from closure of investigation	Compliance case management system	Best practice; evidentiary purposes
Provider Due Diligence Records	5 years from termination of provider relationship	Compliance document repository	Best practice
Training Records (attendance, completion certificates, assessments)	5 years from training date	HR system	Best practice; regulatory examination preparedness
Risk Assessments (annual enterprise ML/TF risk assessments)	5 years from publication date	Compliance repository	Best practice

Note on KYC Documents: PayWolt does NOT retain identity documents (passports, driver's licenses, selfies, proof of address). These are stored exclusively by the payment service providers performing KYC, in accordance with their own retention obligations.

8.2 Data Security and Access Controls

Security Measures:

Encryption: AES-256 encryption at rest; TLS 1.3 in transit
Access Controls: Role-based access control (RBAC); only authorized compliance personnel access AML/CTF records
Audit Logging: All access to AML/CTF records logged with timestamp and user ID
Physical Security: Data hosted in SOC 2-compliant data centers (AWS)
Segregation: STR/SAR records stored separately from general transaction data

Access Authorization:

Transaction Records: Compliance team, finance (for reconciliation), senior management (read-only)
STR/SAR Records: MLRO, CCO, designated compliance staff only
Provider Due Diligence: CCO, AML Compliance Manager, senior management

8.3 Data Subject Requests and AML Exemptions

GDPR Right to Erasure ("Right to be Forgotten"):

Users may request deletion of their personal data under GDPR Article 17. However, PayWolt may refuse erasure if retention is necessary for:

Legal Obligation: Compliance with AML/CTF retention requirements (GDPR Article 17(3)(b))
Legal Claims: Establishment, exercise, or defense of legal claims (GDPR Article 17(3)(e))

GDPR Right of Access:

Users may request access to their personal data under GDPR Article 15. However, PayWolt may refuse or limit access if disclosure would adversely affect:

Prevention, detection, or investigation of crime (GDPR Article 23(1)(d)) - e.g., if providing STR information would constitute "tipping off"
Important objectives of general public interest (GDPR Article 23(1)(e))

Procedure:

User requests forwarded to privacy@paywolt.com
Privacy team consults with CCO/MLRO before responding
If request relates to data subject of STR/ongoing investigation: Refuse request; cite GDPR Article 23 exemption; do NOT disclose existence of STR

9. Training and Awareness

9.1 Training Program Structure

Audience	Training Module	Frequency	Duration	Delivery Method
All Employees	AML/CTF Fundamentals (ML/TF basics, red flags, reporting obligations)	Annual (mandatory)	45 minutes	E-learning + quiz (passing score: 80%)
Customer Support	Enhanced Training (user interactions, information gathering, escalation)	Annual + ad hoc updates	90 minutes	Live training + case studies
Compliance Team	Advanced AML/CTF (investigation techniques, STR writing, regulatory developments)	Quarterly	2 hours	Live training + workshops
Senior Management	Governance and Regulatory Updates	Bi-annual	1 hour	Executive briefing
Board of Directors	AML/CTF Oversight and Risk Appetite	Annual	1 hour	Presentation by CCO/MLRO
New Hires	AML/CTF Onboarding (role-specific training)	Within 30 days of hire	1-2 hours	E-learning + live session

9.2 Training Content

Core Topics:

What is money laundering and terrorist financing?
Greece's AML/CTF legal framework (Law 4557/2018, AMLD5/6)
PayWolt's AML/CTF Policy and procedures
Red flags and suspicious activity indicators
Internal reporting procedures and whistleblower protections
Tipping off prohibition
Sanctions screening and OFAC/EU sanctions
Record keeping requirements
Consequences of non-compliance (legal, regulatory, reputational)

Role-Specific Topics:

Compliance: STR/SAR writing, investigation techniques, provider oversight
Customer Support: How to handle unusual user requests; when to escalate
Engineering: Secure data handling; implementing sanctions screening; monitoring system maintenance

9.3 Training Records and Compliance Tracking

Records Maintained:

Employee name and role
Training module(s) completed
Completion date
Assessment score (if applicable)
Acknowledgment of Policy (signed annually)

Compliance Metrics:

Training completion rate (target: 100% within 60 days of due date)
Average assessment score
Overdue training follow-up (automated reminders; escalation to manager after 30 days overdue)

Annual Report to Board:

Training completion rates by department
Assessment performance
Training program updates and enhancements

10. Independent Testing and Audit

10.1 Internal Audit (Annual)

Scope:

Policy and Procedure Compliance: Are procedures being followed?
Sanctions Screening Effectiveness: Sample testing of screening results; false positive/false negative analysis
Transaction Monitoring: Review alert generation, investigation quality, disposition accuracy
Provider Oversight: Review provider due diligence files; verify annual re-certifications
Record Keeping: Verify retention compliance; test access controls
Training Compliance: Verify all employees completed training; review training materials for accuracy

Conducted By: Internal Audit function (independent of compliance team) OR external auditor

Deliverable: Written audit report with findings, recommendations, management responses, remediation timeline

Distribution: CCO, CEO, Audit Committee of the Board

10.2 External AML/CTF Review (Every 2-3 Years)

Scope:

Independent assessment of AML/CTF program against regulatory requirements and industry best practices
Gap analysis: Identify areas where program falls short of FATF Recommendations, AMLD5 requirements
Benchmarking: Compare PayWolt's program to peer companies
Scenario testing: Simulate ML/TF scenarios to test detection capabilities

Conducted By: Qualified external consultant (Big Four accounting firm, boutique AML consultancy)

Deliverable: Comprehensive report with findings, risk assessment, recommendations for enhancement

Action Plan: Management prepares action plan to address findings; progress reported to Board quarterly

10.3 Regulatory Examinations

Preparedness:

Maintain examination readiness: organized records, accessible documentation
Designated point of contact for regulators: CCO
Cooperation protocol: Provide requested information promptly; make personnel available for interviews

Expected Regulators (given PayWolt's non-licensed status, examinations are less likely but possible):

Hellenic Capital Market Commission (if deemed to provide payment-related services)
Hellenic Authority for Combating Money Laundering (thematic reviews, investigations)
Providers' regulators may inquire about PayWolt's controls as part of provider examination

Post-Examination:

Document all findings and recommendations
Develop remediation plan with timelines
Report to Board
Track remediation completion

11. ML/TF Typologies and Red Flags

11.1 Money Laundering Typologies Relevant to Cross-Border Remittances

Typology	Description	Red Flags
Trade-Based Money Laundering (TBML)	Over/under-invoicing of goods to move value across borders	Large transfers with stated purpose "business payment" but no supporting documentation; inconsistent amounts relative to stated trade
Structuring / Smurfing	Breaking large transfers into smaller amounts to avoid detection thresholds	Multiple transfers just below EUR 10,000; frequent transfers of similar amounts; use of multiple corridors to same recipient
Layering	Moving funds through multiple jurisdictions to obscure origin	Circular corridor patterns (e.g., funds sent abroad and returned shortly after); use of multiple intermediaries
Integration	Placing illicit funds into legitimate economy	High-value transfers stated as "gift" or "family support" with no supporting relationship
Cash-to-Digital Conversion	Converting cash proceeds of crime into digital/bank funds	User collects cash locally and sends abroad via digital channels (relies on cash collection providers, which PayWolt does not use)
Sanctions Evasion	Using remittances to circumvent sanctions	Transfers to high-risk jurisdictions; use of shell companies or nominees; obfuscated beneficiary identities

11.2 User-Level Red Flags

Category	Red Flag	Risk Level
Identity & Verification	User reluctant to provide KYC to provider; provides inconsistent information	Medium
	User uses disposable email, temporary phone number	Medium
	KYC verification fails multiple times	High
Behavioral	User unusually knowledgeable about AML thresholds or procedures	High
	User inquires about reporting requirements or monitoring	High
	User becomes defensive or hostile when asked for additional information	Medium
	User rushes transaction or demands immediate processing	Medium
Transaction Purpose	Stated purpose doesn't match user profile (e.g., student sending large business payments)	Medium-High
	Vague or inconsistent explanation of transfer purpose	Medium
	No apparent economic rationale for transfer (e.g., no family/business ties to destination country)	High
Relationship	User asks for assistance in structuring transactions or evading limits	Very High
	Third party attempts to conduct transaction on behalf of user	High

11.3 Transaction-Level Red Flags

Category	Red Flag	Risk Level
Amount	Transfer amount just below reporting threshold (e.g., EUR 9,900)	High
	Sudden large transfer inconsistent with prior activity (e.g., user who normally sends EUR 500 suddenly sends EUR 50,000)	High
	Round number amounts (EUR 10,000, USD 20,000, etc.)	Medium
Frequency	High velocity (>5 transfers per day; >20 per week)	High
	Immediate re-initiation after transfer completes (rapid recycling)	High
Corridor	Use of high-risk corridor with no stated connection to destination country	High
	Transfers to multiple unrelated countries in short period	Medium-High
	Circular transfers (send abroad, receive back shortly after)	Very High
Recipient	Different recipient for each transfer (no repeat recipients)	Medium
	Recipients in multiple high-risk jurisdictions	High
	Recipient is a shell company, offshore entity, or money service business	High
Timing	Transfers during unusual hours (e.g., 2:00 AM local time)	Low-Medium (may be legitimate for different time zones)
	Immediate transfer after account funding (no dormancy period)	Medium

11.4 Provider-Level Red Flags

Red Flag	Risk Indicator
Provider receives AML/CTF enforcement action or fine	Provider's AML program may be deficient; heightened risk
Provider is uncooperative with due diligence requests	Lack of transparency; possible compliance issues
Provider operates in multiple high-risk jurisdictions without adequate local licensing	Regulatory arbitrage; heightened ML/TF risk
Provider's STR filing rate is abnormally low compared to industry peers	Possible under-reporting; ineffective monitoring
Adverse media reports about provider's involvement in ML/TF incidents	Reputational risk; possible control weaknesses

12. High-Risk Jurisdictions and Geographic Risk

12.1 Jurisdiction Risk Classification Methodology

PayWolt classifies countries based on the following risk factors:

Risk Factor	Data Source	Weighting
FATF Status	FATF Greylist (jurisdictions under increased monitoring); FATF Blacklist (high-risk jurisdictions)	High (automatic elevation)
Sanctions Status	Comprehensive sanctions by EU, UN, US, UK	Prohibited (automatic block)
Corruption Perception Index (CPI)	Transparency International CPI (scale 0-100; lower = more corrupt)	Medium (CPI <40 = elevated risk)
Financial Secrecy Index	Tax Justice Network FSI (higher = more secretive)	Medium (FSI >70 = elevated risk)
Mutual Evaluation Reports	FATF/FATF-Style Regional Body evaluations	Medium (non-compliant or partially compliant ratings = elevated)
AML/CTF Legislation	Existence and enforcement of AML/CTF laws	Medium (weak enforcement = elevated)
Political Stability	World Bank Governance Indicators	Low (instability may indicate weak rule of law)

12.2 Jurisdiction Risk Categories

Category	Criteria	Examples (Illustrative; subject to change)	Treatment
Standard Risk	EU/EEA member; FATF member with strong compliance; CPI >60	Germany, France, UK, Netherlands, Belgium, Spain	Normal processing; standard monitoring thresholds
Elevated Risk	Non-EU/EEA; CPI 40-60; moderate FATF compliance	Nigeria, Ghana, Kenya, South Africa, Turkey, Brazil, Mexico	Reduced thresholds (e.g., alert at EUR 5,000 instead of EUR 10,000); enhanced provider oversight
High Risk	FATF Greylist; CPI <40; weak AML enforcement	[Per FATF Greylist, updated quarterly - see Section 12.3]	Mandatory manual review for all transfers >EUR 1,000; EDD required from provider; senior approval
Prohibited	FATF Blacklist; Comprehensive sanctions (EU/UN/US/UK); State sponsor of terrorism	North Korea, Iran, Syria (sanctions); [Per FATF Blacklist]	Corridor not activated; transfers automatically blocked; no business conducted

12.3 FATF Greylist Monitoring

Procedure:

Monitor FATF website quarterly for Grey List updates
Upon addition of country to Grey List:
- Update risk classification to "High Risk"
- Reduce monitoring thresholds for affected corridors
- Communicate to all users from that jurisdiction (via email): "We are implementing enhanced verification for transfers involving [Country]. Please ensure your provider has up-to-date KYC on file."
Upon removal from Grey List:
- Re-assess risk classification (may remain Elevated if CPI <40)
- Adjust thresholds accordingly

Current FATF Grey List (as of December 2024; verify at fatf-gafi.org):

[To be updated based on latest FATF publication]

12.4 Sanctions List Monitoring

Comprehensive Sanctions (No Business):

OFAC (US): Crimea region of Ukraine, Cuba, Iran, North Korea, Syria, and regions of Donetsk and Luhansk
EU: Syria, North Korea, Russia (partial; targeted sanctions)
UN: North Korea, Central African Republic (partial), Democratic Republic of Congo (partial), etc.

Targeted Sanctions (Individual/Entity Level):

Screened via sanctions lists in Section 4.1
May permit transfers to country if counterparty is not sanctioned individual/entity

Sanction Updates:

Real-time monitoring of sanctions announcements (OFAC, EU, UN, UK)
Immediate corridor/user review upon new sanctions designation

13. Incident Response and Breach Notification

13.1 AML/CTF Incident Definition

An "AML/CTF Incident" includes:

Failure of sanctions screening system (e.g., system outage; list update failure)
Processing of transaction involving sanctioned individual/entity due to system/human error
Delayed filing of STR/SAR beyond regulatory deadline
Tipping-off violation (disclosure of STR to user or unauthorized party)
Data breach involving AML/CTF records (STRs, investigation files, user KYC data)
Discovery of employee involvement in ML/TF facilitation

13.2 Incident Response Procedures

Immediate Actions (Within 24 Hours):

Containment: Stop processing affected transactions; suspend affected accounts if necessary
Notification to MLRO/CCO: Employee discovering incident immediately notifies MLRO and CCO
Preliminary Assessment: Determine scope, impact, root cause (preliminary)
Preserve Evidence: Secure logs, records, communications related to incident

Investigation (Within 72 Hours):

Root Cause Analysis: Investigate how incident occurred; identify control failures
Impact Assessment: Determine number of affected transactions/users; financial impact; regulatory impact
Regulatory Notification (if required):
- Sanctions violations: Report to relevant authority (OFAC, EU, Hellenic Ministry of Foreign Affairs)
- Data breach: Report to Hellenic Data Protection Authority (if GDPR breach criteria met)
- STR delayed filing: File STR with explanation of delay; notify FIU
Documentation: Incident report with timeline, findings, affected parties, corrective actions

Remediation (Within 30 Days):

Corrective Actions: Implement fixes to prevent recurrence (system patches, procedure updates, retraining)
User Notification (if applicable): If user data compromised, notify affected users (GDPR Article 34)
Regulatory Follow-Up: Provide regulators with incident report and corrective action plan
Board Notification: Report significant incidents to Board

13.3 Breach Notification Requirements

Incident Type	Authority to Notify	Deadline	Content
Sanctions Violation (Processing transaction involving sanctioned party)	Hellenic Ministry of Foreign Affairs; OFAC (if US nexus); EU (if EU sanctions)	Immediate (within 24 hours of discovery)	Identity of sanctioned party; transaction details; corrective actions
Data Breach (Personal data of >100 users compromised)	Hellenic Data Protection Authority (HDPA)	72 hours of becoming aware (GDPR Art. 33)	Nature of breach; data categories affected; likely consequences; measures taken
STR/SAR Delayed Filing	Hellenic FIU (or relevant FIU)	With STR filing (include explanation)	Reason for delay; when suspicion arose; when STR filed
Tipping-Off Violation	Hellenic FIU; potentially law enforcement	Within 24 hours of discovery	Details of disclosure; to whom; potential impact on investigation

14. Consequences of Non-Compliance

14.1 Legal and Regulatory Consequences

Violation	Legal Basis	Potential Penalty
Failure to Conduct Due Diligence	Hellenic Law 4557/2018, Art. 72	Administrative fine up to EUR 5,000,000 or 10% of annual turnover
Failure to File STR	Hellenic Law 4557/2018, Art. 72	Administrative fine; criminal prosecution (imprisonment up to 6 months)
Tipping Off	Hellenic Law 4557/2018, Art. 52	Criminal offense: Imprisonment and/or fine
Sanctions Violation (EU)	EU Regulation 2580/2001; country-specific sanctions regs	Fine up to EUR 500,000 (or higher); criminal prosecution
Sanctions Violation (US)	OFAC regulations; 31 CFR 501.701	Civil penalty up to USD 250,000 or twice the amount of the transaction; criminal prosecution (up to USD 1,000,000 fine + 20 years imprisonment)
Breach of Record Keeping Requirements	Hellenic Law 4557/2018, Art. 61	Administrative fine up to EUR 1,000,000

14.2 Reputational and Business Consequences

Loss of Provider Partnerships: Providers may terminate relationship if PayWolt demonstrates AML/CTF deficiencies
Investor Confidence: AML incidents may deter investors or trigger contractual breaches (representations & warranties)
User Trust: Public disclosure of AML failures damages brand and user confidence
Regulatory Scrutiny: Increased regulatory examinations; potential license requirements imposed

14.3 Employee Consequences

Violation by Employee	Potential Consequence
Failure to Report Suspicious Activity	Disciplinary action; termination; criminal liability (if knowledge of crime)
Tipping Off	Immediate termination for cause; criminal prosecution; personal fines/imprisonment
Falsifying AML/CTF Records	Immediate termination; criminal prosecution for fraud
Facilitation of ML/TF	Immediate termination; criminal prosecution; professional disqualification

15. Policy Review and Amendment

15.1 Review Schedule

Review Type	Frequency	Responsible Party	Approval Required
Full Policy Review	Annual (Q1 of each year)	CCO + MLRO	Board of Directors
Procedural Updates	Quarterly (or as needed)	AML Compliance Manager	CCO
Regulatory Monitoring	Ongoing (daily for sanctions; monthly for legislation)	AML Compliance Manager	CCO (for material changes)
Incident-Driven Review	Immediate (following AML/CTF incident or audit finding)	CCO + MLRO	CEO; Board (if material)

15.2 Triggers for Interim Review

Regulatory Changes: New AML/CTF legislation or guidance issued by Greek authorities, EU, FATF
Service Expansion: Launch of new corridors, especially high-risk jurisdictions
Provider Changes: Addition or termination of payment service provider partnerships
Incident or Breach: AML/CTF incident requiring control enhancements
Audit Findings: Internal or external audit identifies gaps or recommendations
Industry Developments: Emerging ML/TF typologies; peer incidents providing lessons learned

15.3 Amendment Process

Draft Amendment: CCO or MLRO drafts proposed changes with rationale
Internal Review: Legal, Compliance, Risk, and relevant business teams review
Board Approval: Material changes (e.g., risk appetite, governance structure, prohibited activities) require Board approval
Communication: Updated policy communicated to all employees via email; mandatory acknowledgment
Training Update: Training materials updated to reflect changes; supplemental training provided if material
Version Control: New version number assigned; revision history maintained

16. Definitions

Term	Definition
AML	Anti-Money Laundering
CCO	Chief Compliance Officer
CDD	Customer Due Diligence - process of identifying and verifying customer identity
CTF	Counter-Terrorist Financing
EDD	Enhanced Due Diligence - higher level of scrutiny for high-risk customers/transactions
FATF	Financial Action Task Force - international AML/CTF standard-setting body
FIU	Financial Intelligence Unit - national authority receiving and analyzing STRs/SARs
KYC	Know Your Customer - identity verification requirements
ML	Money Laundering
MLRO	Money Laundering Reporting Officer
PEP	Politically Exposed Person - individual holding prominent public function
PF	Proliferation Financing - financing of weapons of mass destruction
SAR	Suspicious Activity Report (US terminology)
STR	Suspicious Transaction Report (EU/UK terminology)
TF	Terrorist Financing
Tipping Off	Unlawful disclosure to a user that a STR/SAR has been filed or investigation is underway
UBO	Ultimate Beneficial Owner - individual(s) with >25% ownership or control of an entity

Document Control

Field	Value
Version	2.0
Document Type	Anti-Money Laundering and Counter-Terrorist Financing Policy
Effective Date	2025-01-05
Last Revised	2025-01-05
Next Scheduled Review	2026-01-05 (Annual)
Owner	Chief Compliance Officer
Approved By	Board of Directors (2025-01-05)
Classification	Internal / Confidential / Compliance
Distribution	All PayWolt employees (mandatory reading); Board of Directors; external auditors (upon request)
Revision Notes	Complete rewrite for non-custodial remittance orchestration model. Clarifies division of AML/CTF responsibilities: PayWolt (platform-level sanctions screening, transaction pattern monitoring, provider oversight) vs. Providers (KYC, CDD, payment-level monitoring, STR filing). Reflects 3 initial providers (Wise, Flutterwave, Stripe). Investor-grade legal language for audit and regulatory review.
Related Documents	TERMS_OF_SERVICE.md, PRIVACY_POLICY.md, REGULATORY_CLASSIFICATION.md

Acknowledgment

I acknowledge that I have read, understood, and agree to comply with this Anti-Money Laundering and Counter-Terrorist Financing Policy.

Failure to comply with this Policy may result in disciplinary action up to and including termination of employment, as well as potential criminal prosecution.

This Policy is confidential and proprietary to DONATION POS L.P. (trading as PayWolt). Unauthorized distribution or disclosure is prohibited.

This AML/CTF Policy reflects PayWolt's commitment to preventing money laundering and terrorist financing. While PayWolt is not a regulated payment institution, we implement robust controls appropriate to our role as a technology orchestration platform. For legal or regulatory guidance specific to AML/CTF compliance, consult qualified legal counsel or compliance advisors.