AML / KYC Policy

krypco is committed to preventing the use of its services for money laundering, terrorist financing, sanctions evasion or any other financial crime. This policy describes the controls we apply under EU Directives 2015/849 (4AMLD), 2018/843 (5AMLD), 2018/1673 (6AMLD), Regulation (EU) 2023/1113 (Travel Rule for crypto), the EU Markets-in-Crypto-Assets Regulation (MiCA) and the FATF Recommendations.

This policy applies to all customers who use any feature requiring identity verification — in particular the personal IBAN, kEUR mint and redeem, SEPA payouts, presale participation above thresholds, and any service deemed a Crypto-Asset Service under MiCA. Anonymous use of the public chain (sending tokens between unhosted wallets) is not covered by this policy and may be subject to the Travel Rule when the krypco Services act as the originator or beneficiary CASP.

Before activating IBAN-linked features, we collect and verify:

• → Full legal name
• → Date and place of birth
• → Nationality
• → Residential address (verified by recent utility bill or bank statement < 3 months old)
• → Government-issued photo ID (passport or national ID)
• → Liveness selfie matched against the ID document
• → Tax-residency self-certification (for DAC8 reporting)

Verification is performed by a qualified KYC provider and reviewed by trained compliance staff. Identity documents are encrypted at rest and never stored on-chain.

We apply Enhanced Due Diligence in the following higher-risk situations:

• → The customer is a Politically Exposed Person (PEP), family member of a PEP, or known close associate
• → The customer resides in a high-risk third country listed by the European Commission
• → Source of funds appears unusual or inconsistent with the customer's declared profile
• → Cumulative deposits or withdrawals exceed risk-based thresholds
• → Transactions have no apparent economic or lawful purpose

EDD adds: source-of-funds documentation, source-of-wealth review, senior-management approval before onboarding, and ongoing enhanced monitoring.

Every customer is screened against the EU Consolidated List of Sanctions, the UN Security Council Sanctions List, the OFAC SDN List and other relevant national lists at onboarding and continuously thereafter. Wallet addresses are screened against on-chain analytics feeds (e.g., Chainalysis, TRM Labs) before any IBAN minting or SEPA payout. Confirmed matches result in immediate suspension and reporting to the relevant authority.

We monitor transactions for unusual patterns including but not limited to:

• → Structuring (deposits / withdrawals just under reporting thresholds)
• → Velocity anomalies (sudden spike in volume vs the customer profile)
• → Round-tripping (funds exiting and re-entering through different rails)
• → Counterparty risk (interaction with mixers, sanctioned addresses, darknet markets)
• → Geographic anomalies (transactions from inconsistent IP locations)

Suspicious activity triggers a case in our compliance system, review by a Money Laundering Reporting Officer (MLRO), and where confirmed, a Suspicious Activity Report (SAR) to the relevant Financial Intelligence Unit — MOKAS in Cyprus. The customer is not notified that a SAR has been filed (tipping-off prohibition).

For crypto-asset transfers covered by Regulation (EU) 2023/1113, krypco — when acting as the originator or beneficiary CASP — collects and forwards the originator and beneficiary information required (name, address, account number, official personal document number for amounts above the threshold). Counterparty CASPs must accept and validate the information; transfers to non-compliant counterparties may be delayed or blocked.

Identity records, transaction records, sanctions screening results, monitoring case files and SAR documentation are retained for 5 years from the end of the business relationship or from the date of the transaction (whichever is later), as required by Article 40 of 4AMLD. Records are stored encrypted within the EU and made available to competent authorities upon lawful request.

From 1 January 2026, krypco — as a Reporting Crypto-Asset Service Provider under DAC8 (Directive 2023/2226) — collects tax-residency self-certifications from customers and reports relevant transaction data annually to the customer's tax-residency Member State, which exchanges the information across the EU and with OECD CRS partner jurisdictions.

• MLRO: a designated Money Laundering Reporting Officer, qualified and senior, leads the compliance function and reports directly to the board.
• Risk assessment: documented enterprise-wide AML risk assessment reviewed at least annually and on material changes.
• Staff training: all staff receive AML / KYC / sanctions training at onboarding and at least annually thereafter.
• Independent audit: external AML programme audit at least every two years.

If you suspect that krypco services are being misused, or you wish to report a compliance concern, contact our compliance team at compliance@krypco.eu. Reports can be made confidentially. Whistleblowers are protected under Directive (EU) 2019/1937.