Transfer of Assets Policy

1. General Provisions

1.1 Objective

The objective of this Transfer of Assets Policy (the “Policy”) is to ensure that all crypto-asset transfers executed by AURUM NEO-BANK sp. z o.o. (the “Company”) are conducted in a secure, compliant, and risk-controlled manner.

The Company operates under a strict low-risk appetite and will refuse, suspend, or terminate transfers where financial crime, sanctions, or regulatory risk cannot be reduced to an acceptable level.

1.2 Regulatory Alignment

This Policy aligns with:

• Markets in Crypto-Assets Regulation
• Regulation (EU) 2023/1113
• Polish AML/CFT legislation
• FATF Recommendations

The Company operates under supervision of the Polish Financial Supervision Authority.

1.3 Risk Appetite Statement

The Company:

• Does not process transfers for High-Risk clients;
• Does not process transfers involving sanctioned persons or jurisdictions;
• Does not process transfers involving unverified originators or beneficiaries;
• Does not facilitate transfers where AML/Travel Rule data is incomplete;
• Does not execute transfers linked to high-risk blockchain exposure (mixers, sanctioned wallets, illicit services).

Transfer execution is conditional upon full compliance validation.

2. Strict Pre-Transfer Compliance Controls

No transfer shall be initiated unless all of the following conditions are satisfied:

2.1 Verified Customer Status

• The Customer is classified as Low or Medium Risk;
• The Customer is not a Politically Exposed Person;
• The Customer is not connected to high-risk jurisdictions;
• The Customer has passed full KYC verification.

2.2 Sanctions Screening

Prior to execution:

• Originator and beneficiary are screened against EU, UN, and national sanctions lists;
• Wallet addresses are screened using blockchain analytics;
• Ongoing screening is applied.

Any confirmed match results in immediate freeze and escalation.

2.3 Travel Rule Validation

The Company shall:

• Verify completeness of originator and beneficiary data;
• Reject transfers lacking mandatory Travel Rule information;
• Reject transfers where counterparty CASP compliance cannot be reasonably confirmed;
• Apply enhanced controls to unhosted wallet transfers.

Transfers shall not proceed without full TFR compliance.

2.4 Blockchain Risk Assessment

Each transfer is subject to blockchain analytics review, including:

• Sanctioned wallet exposure;
• Mixer or tumbler interaction;
• Darknet association;
• High-risk DeFi exposure;
• Cross-chain obfuscation patterns.

High-risk exposure triggers automatic suspension and compliance review.

3. Grounds for Automatic Rejection or Suspension

The Company shall reject, suspend, or return a transfer where:

• Required originator/beneficiary information is missing;
• Sanctions exposure is detected;
• Suspicious structuring behavior is identified;
• Source of funds is unclear;
• The transfer lacks legitimate economic purpose;
• The transaction exceeds the Customer’s expected activity profile;
• Repeated risk alerts are generated;
• Technical incompatibility or network risk exists.

The Company retains absolute discretion to refuse execution where compliance risk exists.

4. Documentation of Risk Assessment

Each flagged transfer undergoes documented review including:

• Identified risk factors;
• Screening results;
• Escalation path;
• Final decision;
• STR submission status (if applicable).

Records are retained in accordance with AML retention requirements.

5. Missing Information Deadlines

Where required data is missing:

• 3 business days (EU origin transfers)
• 5 business days (non-EU origin transfers)

Failure to provide required information results in rejection or return.

6. Strict Irreversibility Confirmation

Before final confirmation, clients are explicitly warned:

Once initiated and confirmed on the blockchain, crypto-asset transfers are irreversible.

The Company shall not bear liability for transfers correctly executed per client instruction where required information was provided and compliance checks were satisfied.

7. Ongoing Monitoring Post-Execution

Transfer monitoring does not cease upon execution.

Post-transfer controls include:

• Retroactive blockchain risk review;
• Suspicious pattern identification;
• Escalation for potential STR submission;
• Relationship termination if risk escalates.

8. Fraud and Security Controls

The Company implements:

• Multi-factor authentication;
• Withdrawal confirmation safeguards;
• Device anomaly detection;
• Behavioral risk scoring;
• Manual review for high-value transfers.

Security-triggered holds may override transfer timing.

9. Error Reporting & Limited Liability

The Company is liable only where:

• Unauthorized transfer is attributable to internal failure;
• Reported within 48 hours;
• Client complied with security requirements.

No liability exists where:

• Client provided incorrect wallet address;
• Client failed to enable required security controls;
• Transfer was compliant and properly executed.

10. Termination and Risk Escalation

The Company may immediately:

• Freeze transfers;
• Suspend accounts;
• Terminate client relationships;
• File STR reports;
• Notify competent authorities.

Continuation of service is conditional upon acceptable risk profile.

11. Governance & Oversight

The Board and CCO:

• Oversee transfer risk metrics;
• Review transfer rejection statistics;
• Review sanctions exposure incidents;
• Ensure alignment with AML & MiCA governance standards.

High-risk transfer attempts are escalated to MLRO.

12. Final Provisions

This Policy reflects the Company’s conservative risk model and commitment to:

• Regulatory compliance;
• Financial crime prevention;
• Operational resilience;
• Market integrity.

The Company prioritizes compliance over transaction volume and reserves the right to refuse service where risk is unacceptable.