RULES FOR THE PREVENTION OF MONEY LAUNDERING AND (OR) TERRORIST FINANCING

Effective Date: 05.2027
Issued By: AURUM NEO-BANK sp. z o.o.
Registered Headquarters: Ul. Długa 29, 00-238 Warsaw, Mazowieckie, Republic of Poland
Platform Operated: Crypto-Asset Exchange (Polex)

1. General Provisions

Purpose

AURUM NEO-BANK sp. z o.o. (the “Company”) maintains a low-risk appetite and zero-tolerance approach toward knowingly facilitating money laundering (ML), terrorist financing (TF), sanctions evasion, or other financial crime.

The Company will refuse or terminate any business relationship where ML/TF risk cannot be reduced to an acceptable level.

These Rules establish a comprehensive AML/CFT framework designed to:

  • Prevent misuse of the Platform;
  • Detect suspicious financial activity;
  • Report relevant activity to competent authorities;
  • Protect financial system integrity;
  • Comply with applicable EU and Polish law.

Scope

These Rules apply to:

  • All crypto-asset services provided by the Company;
  • All employees, officers, directors, and contractors;
  • All Customers and business relationships.

AML/CFT obligations apply at onboarding, throughout the relationship, and post-termination where required.

Legal Basis

These Rules are formulated in alignment with:

  • Markets in Crypto-Assets Regulation
  • Polish Act on Counteracting Money Laundering and Terrorist Financing
  • EU AML Directives
  • EU Transfer of Funds Regulation (TFR Recast 2023)
  • FATF Recommendations
  • Supervisory expectations of the Polish Financial Supervision Authority

They also reflect governance, internal control, and safeguarding obligations applicable to crypto-asset service providers under MiCA.

2. Definitions

Customer: A natural or legal person entering into a business relationship with the Company.

Beneficial Owner: The natural person who ultimately owns or controls the Customer.

Politically Exposed Person (PEP): An individual entrusted with prominent public functions, including close associates.

Crypto-Asset: A digital representation of value transferable electronically.

KYC: Know Your Customer identity verification process.

KYT: Ongoing transaction monitoring process.

STR/SAR: Suspicious Transaction Report submitted to the Polish Financial Intelligence Unit (GIIF).

3. Risk-Based Approach

The Company applies a structured risk-based AML framework evaluating:

  • Customer risk;
  • Geographic risk;
  • Product and service risk;
  • Delivery channel risk;
  • Transactional behavior risk.

A formal ML/TF risk assessment is conducted at least annually and approved by senior management and the Board.

4. Customer Identification & Verification (KYC)

The Company shall:

  • Verify Customer identity prior to establishing a relationship;
  • Identify and verify Beneficial Owners;
  • Conduct sanctions and PEP screening;
  • Prohibit anonymous accounts and fictitious names.

Remote identification is permitted via compliant digital verification tools in accordance with Polish AML regulations.

5. Sanctions & Restrictive Measures Compliance

The Company conducts continuous screening against:

  • EU consolidated sanctions lists;
  • UN sanctions lists;
  • National restrictive measures lists.

Confirmed sanctions matches result in:

  • Immediate account freeze;
  • Escalation to MLRO;
  • Reporting to competent authorities where required.

6. Travel Rule Compliance (TFR Recast)

In accordance with FATF standards and the EU Transfer of Funds Regulation, the Company:

  • Collects originator and beneficiary information for transfers;
  • Verifies counterpart CASPs where applicable;
  • Securely transmits required Travel Rule data;
  • Rejects transfers lacking mandatory information;
  • Applies enhanced scrutiny to unhosted wallet transactions.

7. Customer Risk Classification

Customers are classified into the following categories:

Low Risk

Regulated financial institutions and public authorities.

Medium Risk

Standard retail clients without elevated risk indicators.

High Risk

Includes, but is not limited to:

  • Politically Exposed Persons (PEPs);
  • Customers connected to high-risk or sanctioned jurisdictions;
  • Complex or opaque ownership structures;
  • Customers linked to high-risk crypto activity (mixers, sanctioned wallets);
  • Customers with adverse media indicating financial crime risk;
  • Customers exhibiting suspicious transactional behavior.

8. Strict High-Risk Client Prohibition Policy

The Company maintains a conservative risk model and does not accept, onboard, or maintain business relationships with Customers classified as High Risk.

Accordingly:

  • High-risk Customers are declined at onboarding.
  • Existing Customers reclassified as High Risk are subject to immediate suspension and termination review.
  • Enhanced due diligence shall not be used to justify continuation of a High-Risk relationship.
  • The Company does not provide services to PEPs.
  • The Company does not provide services to Customers located in high-risk or sanctioned jurisdictions.

This strict exclusion policy reflects the Company’s low-risk appetite.

9. Crypto-Specific Monitoring Controls

The Company deploys blockchain analytics and monitoring tools to detect:

  • Interaction with sanctioned wallets;
  • Mixer/tumbler exposure;
  • Cross-chain obfuscation patterns;
  • High-risk DeFi protocol exposure;
  • Structuring and layering activity;
  • Rapid movement inconsistent with profile.

Suspicious patterns trigger immediate escalation.

10. Ongoing Monitoring (KYT)

Continuous monitoring includes:

  • Transaction velocity checks;
  • Behavioral anomaly detection;
  • Risk-based alert thresholds;
  • Manual review of high-value transactions.

11. Reporting Suspicious Activity

When reasonable suspicion is formed:

  • An STR shall be submitted to the Polish Financial Intelligence Unit (GIIF) without undue delay;
  • Transactions may be suspended where legally required;
  • Tipping-off is strictly prohibited.

12. Relationship Termination Triggers

The Company shall suspend and terminate relationships where:

  • A Customer becomes subject to sanctions;
  • A Customer is identified as a PEP;
  • Source of funds cannot be verified;
  • Beneficial ownership cannot be confirmed;
  • Repeated suspicious alerts occur;
  • ML/TF risk becomes unmanageable.

Termination decisions are documented and escalated where required.

13. Governance & Escalation Framework

Escalation ladder:

Employee → Compliance → MLRO → Senior Management → Board (for material cases)

The Board:

  • Approves annual AML risk assessment;
  • Reviews AML metrics quarterly;
  • Oversees high-risk exposure management.

14. Independent Testing & Assurance

The AML framework is subject to:

  • Periodic internal testing;
  • Independent AML effectiveness review;
  • Remediation tracking;
  • Regulatory inspection readiness procedures.

15. Data Retention

Customer identity and transaction records shall be retained for:

  • A minimum of five (5) years following termination of the business relationship or execution of the transaction, or longer if required by law.

Records are securely stored and access-controlled.

16. Information Protection

Employees are strictly prohibited from:

  • Disclosing STR filings;
  • Informing Customers of investigations;
  • Circumventing AML controls.

Violations may result in termination and legal liability.

17. Responsibilities

MLRO

Responsible for:

  • Implementation of AML framework;
  • STR submission;
  • Regulator communication;
  • Oversight of monitoring systems.

Employees

Required to:

  • Conduct KYC/KYT procedures;
  • Escalate suspicious activity;
  • Complete annual AML training.

18. Performance Monitoring & Metrics

The Company tracks:

  • Customer risk distribution;
  • STR volumes;
  • Sanctions hits;
  • Terminated relationships;
  • Monitoring alert statistics.

Metrics are reviewed by senior management and the Board.

19. Final Provisions

These Rules:

  • Are reviewed annually;
  • Are updated upon regulatory changes;
  • Are approved by senior management;
  • Are supported by mandatory annual AML training.