1. Purpose
This Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Policy sets out BitTopUp’s standards, controls, and procedures designed to prevent, detect, and report money laundering, terrorism financing, proliferation financing, and other financial crimes associated with services offered on the BitTopUp platform.
2. Scope
This Policy applies to all products, services, and business lines of BitTopUp, and to all employees, officers, directors, contractors, agents, and affiliated third parties. It covers all users and customers (retail and institutional) interacting with the platform, regardless of location, subject to applicable laws.
3. Key Definitions
- Money Laundering (ML): The process of concealing the illicit origin of proceeds of crime.
- Terrorist Financing (TF): The provision or collection of funds to support terrorist acts or organizations.
- Proliferation Financing (PF): Financing the proliferation of weapons of mass destruction.
- Customer Due Diligence (CDD): Identity verification and risk assessment measures applied to customers.
- Enhanced Due Diligence (EDD): Additional due diligence for higher-risk customers, products, or geographies.
- Politically Exposed Person (PEP): A person entrusted with prominent public functions, including family members and close associates.
- Sanctions: Restrictive measures issued by competent authorities (e.g., UN, OFAC, EU, UK HMT, and local lists).
4. Regulatory Framework
BitTopUp commits to complying with all applicable AML/CTF laws and regulations of Hong Kong, relevant extra-territorial requirements, and internationally recognized standards including the Financial Action Task Force (FATF) Recommendations. Where conflicts arise between this Policy and local laws, the stricter standard applies to the extent permitted by law.
5. Risk-Based Approach
BitTopUp applies a risk-based approach (RBA) to identify and mitigate ML/TF/PF risks.
5.1 Risk Assessment
- Assess inherent and residual risk across customers, products/services, delivery channels, and geographies.
- Update assessments at least annually or upon material changes (e.g., new products or markets).
5.2 Risk Mitigation
- Implement controls commensurate with risk (CDD tiers, limits, monitoring rules, and reviews).
- Document rationales for risk acceptance, mitigation, or avoidance.
6. Governance & Responsibilities
- Board/Management: Approves this Policy, sets risk appetite, ensures resources and oversight.
- AML Compliance Officer (MLRO): Oversees AML program, reports to the Board, manages investigations and regulatory liaison.
- All Personnel: Must follow this Policy, complete training, and escalate concerns immediately.
7. Customer Due Diligence (CDD)
7.1 When CDD Is Required
- On onboarding and before providing services.
- When suspicion of ML/TF/PF arises.
- Upon material changes or doubts about previously obtained data.
7.2 Identification & Verification (KYC)
- Individuals: Full name, date of birth, nationality, residential address, selfie/biometric where lawful, and government-issued ID (passport/ID card/driver’s license).
- Legal Entities: Legal name, trading name, registration number, registered address, directors, authorized signatories, nature of business, and Ultimate Beneficial Owners (UBOs) with verification of ownership/control.
- Validate information using reliable, independent sources and, where appropriate, digital identity solutions.
7.3 Purpose & Intended Nature
- Collect information about expected activity, source of funds, and, for higher risk, source of wealth.
7.4 CDD Tiers
- Simplified Due Diligence (SDD): Allowed only where demonstrably low risk and legally permitted.
- Standard CDD: Default level for most customers.
- Enhanced Due Diligence (EDD): Required for high-risk customers, PEPs, high-risk geographies, complex ownership structures, or adverse media.
7.5 Failure to Complete CDD
- BitTopUp will not establish or maintain a relationship, and will consider filing a report where warranted.
8. Enhanced Due Diligence (EDD)
- Obtain senior management approval to onboard or maintain high-risk customers.
- Corroborate source of funds and, where applicable, source of wealth.
- Apply stricter limits, increased monitoring frequency, and periodic reviews.
- For PEPs: assess role, influence, and proximity; perform adverse media and sanctions screening with ongoing monitoring.
9. Ongoing Monitoring & Screening
- Monitor activity against risk profiles and expected behavior to detect anomalies (e.g., structuring, rapid in/out movements, use of mixers or privacy tools where relevant).
- Screen customers and transactions against up-to-date sanctions, watchlists, and PEP lists at onboarding and on a continuous basis.
- Review and update customer information periodically, on a risk-based schedule.
- Investigate alerts promptly; document decisions and rationales.
10. Transaction Controls
- Set risk-based limits on deposits, withdrawals, purchases, and redemptions.
- Restrict or prohibit transactions involving high-risk jurisdictions or sanctioned persons/entities.
- Apply blockchain analytics and address-risk screening for virtual asset flows where applicable.
- Implement velocity checks, device/IP risk controls, and multi-factor authentication.
- Hold, pause, or decline transactions pending review where red flags are identified.
11. Suspicious Activity Reporting
- Employees must escalate unusual or suspicious activity to the AML Compliance Officer (MLRO) immediately.
- Where required, the MLRO will file internal reports and external reports to the competent Financial Intelligence Unit (FIU) in Hong Kong without tipping off the customer.
- All investigations and filings are documented and retained confidentially.
12. Record Keeping
- Retain CDD/KYC records, transactions, screening logs, monitoring alerts, investigations, and training records for the periods required by applicable law.
- Ensure records are retrievable promptly for regulatory requests and audits.
13. Training & Awareness
- Provide role-based AML/CTF training at onboarding and at least annually.
- Deliver targeted modules for higher-risk roles (e.g., onboarding, payments, investigations, crypto operations).
- Assess training effectiveness and maintain attendance records.
14. Independent Review
- Conduct independent testing of the AML/CTF program at least annually or upon material change.
- Remediate findings promptly with documented action plans and timelines.
15. Data Protection & Privacy
- Process personal data lawfully and minimally for AML/CTF purposes, consistent with applicable privacy laws.
- Implement appropriate technical and organizational security measures.
- Provide clear notices and obtain consents where required by law.
16. Third-Party Reliance
- Where permitted by law, BitTopUp may rely on regulated third parties for elements of CDD/KYC, subject to risk assessment and written agreements.
- BitTopUp remains ultimately responsible for compliance.
17. Prohibited & Restricted Activities
- Services are not available to customers in, or ordinarily resident in, comprehensively sanctioned jurisdictions.
- Prohibited uses include: mixing/tumbling to obfuscate provenance, darknet markets, ransomware, child exploitation, human trafficking, weapons proliferation, fraud schemes, or any illegal activity.
- BitTopUp may decline or terminate relationships that present unacceptable risk.
18. Sanctions Compliance
- Screen customers, beneficiaries, and transactions against UN, OFAC, EU, UK HMT, and relevant local sanctions lists.
- Block or reject transactions involving sanctioned persons, entities, or instruments as required.
- Report sanctions matches to competent authorities per legal requirements.
19. Breach, Enforcement & Disciplinary Actions
- Violations of this Policy may result in disciplinary action up to termination, and may be reportable to authorities.
- Vendors and partners who breach obligations may face contract termination and notifications to regulators where applicable.
20. Policy Review & Updates
- This Policy is reviewed at least annually and upon significant regulatory or business changes.
- Material updates require Board or senior management approval.
21. Contact
For questions about this Policy or to report suspicious activity, contact:
Email: ibittopup@gmail.com
Address: Room 1508, 15/F, Grand Plaza Office Tower II, 625 Nathan Road, Mong Kok, Kowloon, Hong Kong
22. Disclaimer
This Policy provides a general overview of BitTopUp’s AML/CTF program. It does not create any private right of action and may be supplemented by procedures not publicly disclosed. Nothing in this document constitutes legal advice.