Know Your Customer (KYC) Policy

This Know Your Customer ("KYC") Policy governs how Okanewatch LTD identifies, verifies, and monitors enterprise customers of AMLRegister. The Policy applies to all organisations that enter into a paid commercial agreement with us, including API licensees, bulk-screening subscribers, and white-label partners.

Individual anonymous users of the free wallet-check feature on our website are not subject to KYC, consistent with the low-risk, information-only nature of that feature. If you later upgrade to a paid tier or API access, KYC procedures will apply.

The purpose of this Policy is to (a) satisfy our AML obligations; (b) protect our customers and the wider ecosystem from misuse of our Service; and (c) make the onboarding process as efficient as possible while maintaining appropriate rigour. We take a proportionate, risk-based approach.

Customer due diligence ("CDD") involves identifying the customer, verifying their identity, understanding the nature and purpose of the business relationship, and identifying the beneficial owners of the customer. We perform CDD at onboarding and refresh it periodically based on the customer's risk rating.

Our CDD is risk-based: the depth of verification scales with the risk we assign to the relationship. Low-risk relationships — for example, public companies with strong governance in low-risk jurisdictions — may be subject to simplified due diligence, while high-risk relationships are subject to enhanced due diligence.

We do not accept anonymous or shell-company customers where the ultimate beneficial owners cannot be adequately identified. If we cannot complete CDD to our reasonable satisfaction, we will not enter into the relationship and, for existing relationships, we may terminate service.

For corporate customers, we typically request: the registered legal name, trading name(s), registered office, head office (if different), company registration number, date of incorporation, constitutional documents, and a current ownership structure showing beneficial owners at 25% or more. We also collect the contact information of the authorised signatory and any additional authorised users.

For natural-person beneficial owners, directors, and authorised signatories we collect: full legal name, date of birth, nationality, and a scan of a valid government-issued photo identification (passport or national ID). Where required by law, we also collect proof of residential address dated within the past three (3) months.

Collection of information is performed through a secure onboarding portal with encryption in transit and at rest. Documents are stored only for as long as required, and access is restricted to trained compliance and customer success staff.

Corporate existence and status are verified through reputable company registries (for example, Companies House in the UK, the SEC's EDGAR for US-listed entities, or equivalents). Documents are checked for authenticity indicators, date stamps, and consistency with other documents.

Natural-person identification documents are verified using a combination of manual checks and automated identity verification technology that detects tampering, checks document templates against known formats, performs biometric liveness checks where required, and screens against international identity databases.

We may request a brief video call with a director or authorised signatory to confirm the relationship, particularly for higher-risk accounts. Where any element of the verification raises concerns, the matter is escalated to the Head of Compliance for review before the account can be approved.

We identify and verify beneficial owners — any natural person who ultimately owns or controls 25% or more of the customer, or who exercises control over the customer's management — consistent with FATF guidance. Where a threshold is unclear, we default to the more conservative interpretation.

Where the customer is part of a complex group or has a layered ownership structure, we look through the layers until we reach natural persons or we are satisfied that no natural person meets the threshold. We apply enhanced scrutiny to structures that appear designed to obscure beneficial ownership.

Beneficial ownership information is refreshed periodically and on any material change. Customers are required to notify us within thirty (30) days of a change in beneficial ownership, directors, or authorised signatories.

We screen authorised signatories, directors, and beneficial owners against lists of politically exposed persons ("PEPs") and against adverse media sources. A PEP match is not automatically disqualifying — relationships with PEPs are permitted where enhanced due diligence is completed and senior management approves.

Where adverse media suggests a potential criminal history, ongoing investigation, or reputational risk, the matter is reviewed by the Head of Compliance. The review weighs the severity, recency, credibility of the source, and the individual's role relative to the customer.

Screening is re-run at defined intervals and triggered by events such as news searches in response to media alerts or a requested refresh by the customer. Historical matches that have been cleared through documented analysis remain on the customer file for context.

All prospective customers, their beneficial owners, directors, and authorised signatories are screened against consolidated sanctions lists at onboarding. Re-screening is performed automatically when lists are updated and at a minimum monthly.

A confirmed match is never onboarded. A potential match triggers an escalation to the Head of Compliance for resolution; if the match cannot be cleared, onboarding is declined. For existing customers, a newly identified sanctions match may result in account freezing to the extent legally required and, where applicable, a report to the competent authority.

Details of our sanctions screening procedure are in our AML Policy. A summary of the lists we screen against is available to customers on request.

Each customer is assigned an internal risk rating of low, medium, or high at onboarding. The rating considers jurisdictional risk (based on FATF, Basel AML Index, and our own internal list), business activity, ownership complexity, size, and PEP or adverse media findings. The rating drives the depth of ongoing monitoring and the refresh cadence for CDD.

Risk ratings are reviewed at least annually, and immediately following material events such as a change of control, a change in activity, or an adverse news event. Upward rating changes trigger additional due diligence.

Our risk rating framework is documented, consistent, and applied in the same way to all prospective and existing customers. We do not weight ratings based on commercial value alone.

Ongoing monitoring is proportionate to the risk rating. All customers are subject to continuous sanctions and PEP rescreening. Higher-risk customers are also subject to periodic review of their account usage patterns within AMLRegister, source-of-funds checks for paid subscriptions, and enhanced re-verification cycles (typically every twelve (12) months for high risk, every twenty-four (24) months for medium risk, every thirty-six (36) months for low risk).

Any customer activity that deviates materially from the expected profile is reviewed by the Head of Compliance. Reviews may result in an updated risk rating, a request for further information, or — in severe cases — an exit decision. Customers are not informed that a monitoring review is underway except where we are legally permitted to disclose.

We maintain records of monitoring activities, decisions, and their rationale, for the retention periods set out in our AML Policy.

Customers are required to provide accurate and complete information during onboarding, to update us promptly when that information changes, and to cooperate with reasonable requests for refresh documentation. Failure to cooperate may result in account suspension or termination and, where appropriate, reporting.

Customers must not share account credentials for AMLRegister with unauthorised individuals. Each authorised user must be separately identified, and the primary authorised signatory is responsible for maintaining an accurate roster of authorised users with our Customer Success team.

Customers must not use AMLRegister to onboard or transact with counterparties on behalf of parties whose identity they have not independently verified in accordance with their own KYC procedures.

Personal data collected through the KYC process is processed in accordance with our Privacy Policy. Legal basis relies primarily on performance of a contract (to deliver paid services), legal obligation (to comply with AML rules), and legitimate interests (to protect the Company and the wider ecosystem).

KYC data is restricted to trained compliance and customer success staff on a need-to-know basis, is not used for marketing, and is retained for at least five (5) years after the end of the business relationship as required by law.

Customers may exercise data subject rights — including access, rectification, restriction, and erasure — through the process set out in our Privacy Policy, subject to the legal hold periods described above.

We reserve the right to refuse onboarding or terminate an existing relationship where we cannot satisfy ourselves that our KYC obligations can be met, where the relationship presents unacceptable AML or reputational risk, or where the customer has materially misrepresented information provided to us. Termination may be immediate where required by law or where the risk is severe.

Where termination occurs, we retain KYC data for the retention period required by law and handle any pending service obligations consistent with applicable contract terms. Where termination relates to a suspected AML concern, we will not "tip off" the customer and will report in accordance with our AML Policy.

Where permitted, we use third-party data sources to enrich and verify information provided during onboarding. Sources include identity-verification providers, sanctions and PEP list providers, corporate registries, and adverse-media monitoring tools. Each provider is assessed under our third-party risk management programme before engagement.

Data obtained from third-party sources is used to form our own assessment; it is not relied upon blindly. Where a third-party source suggests a concern that cannot be independently verified, we pursue the concern directly with the customer or, if appropriate, escalate internally rather than acting solely on the third-party signal.

The use of third-party data sources is disclosed to customers as part of our Privacy Notice. Customers can request a list of the sources used in their onboarding through a data-subject access request, subject to confidentiality obligations owed to the providers.

For higher-risk customer relationships and for paid subscriptions above defined thresholds, we may require evidence of source of funds (SoF) and, in certain cases, source of wealth (SoW). Source of funds refers to the immediate origin of the money used in the transaction with us; source of wealth refers to the underlying origin of the customer's overall assets and is a broader, more qualitative enquiry.

Typical SoF evidence includes payment-instrument metadata, bank statements covering the payment flow, and in crypto contexts, on-chain evidence of the origin cluster. We do not retain full bank statements in our systems; our standard practice is to review them under a non-retention arrangement with our identity verification vendor, retaining only the outcome (pass/fail/flags) and relevant extracts for audit.

Source of wealth enquiries are reserved for customers whose profile suggests elevated risk — for instance, politically exposed persons, customers in designated high-risk sectors, or customers whose size or activity profile is materially inconsistent with their declared business. SoW review considers the plausibility of the customer's stated origin of wealth in light of age, professional background, and any external corroborating evidence.

We recognise that crypto-native customers often have legitimate wealth histories that do not map cleanly onto traditional SoW conventions. Our approach is to consider on-chain evidence alongside conventional documentation, using proportionate enquiries. Customers who proactively volunteer corroborating information typically move through review more quickly than those who wait to be asked.

Information obtained through SoF and SoW enquiries is processed in accordance with our Privacy Policy and the restrictions in this KYC Policy. It is not used for marketing, is not shared with third parties absent legal obligation, and is retained only for the periods required by applicable law. Customers can request details of the SoF/SoW information held about them as part of their data-subject rights.

For questions about this KYC Policy or to start an onboarding enquiry, please contact compliance@amlregister.com. Our Customer Success team can also arrange a walkthrough of the onboarding process and timeline for your specific situation.

This Policy is reviewed at least annually and upon any material regulatory change. The most recent review, approved by the Head of Compliance, occurred on the Effective date shown at the top of this page. A change log is maintained internally and made available to enterprise customers on request; material changes are notified via the customer communication channels documented in the relevant commercial agreement.