AML / CFT & Risk Policy

1. Purpose & Scope

This policy sets out NFTiFay’s framework for preventing money laundering (ML), terrorist financing (TF), and other financial crime. It describes how we assess, mitigate and monitor these risks. The policy applies to all employees, contractors, partners and users of NFTiFay.


2. Definitions

  • Money Laundering (ML): The process by which criminals attempt to disguise the origin of proceeds of criminal conduct so that they appear legitimate.

  • Terrorist Financing (TF): The provision, collection, or use of funds for terrorist purposes, regardless of the legitimacy of the underlying source.

  • Beneficial Owner: The natural person(s) who ultimately owns or controls (directly or indirectly) a customer or is the natural person on whose behalf a transaction is being conducted.

  • Politically Exposed Person (PEP): An individual who is or has been entrusted with prominent public functions.

  • Customer Due Diligence (CDD): Measures to verify identity, assess risk, and monitor transactions.

  • Enhanced Due Diligence (EDD): Additional checks for high-risk customers, transactions or jurisdictions.

  • Risk-Based Approach (RBA): Allocating resources and controls proportionate to the assessed level of ML/TF risk.


3. Regulatory & Legal Basis

  • Adherence to relevant local AML / CFT laws and regulations in the jurisdictions in which NFTiFay operates.

  • Observance of international standards (e.g. FATF recommendations) and sanctions lists (UN, EU, OFAC, etc.).

  • Cooperation with law enforcement and regulatory bodies.


4. Governance & Responsibilities

  • MLRO / Compliance Officer: A senior person (or team) responsible for overseeing AML / CFT compliance, reporting suspicious activity, ensuring training, and policy maintenance.

  • Senior Management: Involved in approving risk appetite, policy, and resources.

  • Employees / Users: Must comply with policies and report suspicious behavior.


5. Risk Assessment

  • Conduct an initial risk assessment of ML/TF exposure, including factors such as:

    • Types of users (creators, collectors, institutions).

    • Geographical risks (where users are located / user IP).

    • Transaction types (large one-off purchases, frequent small ones, secondary marketplace, auctions).

    • Payment methods (crypto, fiat on-ramp, off-ramp).

    • Jurisdictional risk (sanctioned countries, high-risk jurisdictions).

  • Periodic review of risk assessment.


6. Customer Identification & Due Diligence (KYC)

  • All customers must provide identity verification (government-issued ID, proof of address) upon registration or before certain transaction thresholds are met.

  • For low-risk / small volume customers, minimal verification may suffice.

  • For higher-risk users or transactions (e.g. large value, from high-risk jurisdictions, PEPs), EDD is required: verifying source of funds, additional documentation, etc.

  • Beneficial owner identification for business / organizational customers.


7. Transaction Monitoring & Suspicious Activity Reporting

  • Monitor transactions for unusual / suspicious activity, including but not limited to:

    • Transactions much larger than normal for that user.

    • Structuring: many small purchases to avoid detection.

    • Discrepancies in user location, IP, payment method or identity documents.

    • Attempts to withdraw large sums via off-ramp with weak proof of identity or source of funds.

    • Use of wallets or crypto addresses linked to known illicit activity.

  • Flag and escalate suspicious transactions internally to MLRO.

  • Report to relevant authorities (Financial Intelligence Unit, etc.) any knowledge or suspicion of ML/TF as required by law.


8. Sanctions Screening

  • Screen customers against applicable sanctions lists (UN, EU, OFAC, national sanctions) before onboarding and periodically thereafter.

  • Block or freeze accounts or transactions involving persons/entities on those lists.


9. Record Keeping & Documentation

  • Maintain records of customer identity documents, transaction records, due diligence, risk assessments, monitoring, and reports.

  • Retain records for a period required by applicable law/regulation (often 5–10 years, depending on jurisdiction).


10. Training & Awareness

  • All staff (technical, customer support, compliance, etc.) receive regular AML / CFT training.

  • Training covers: awareness of ML/TF, red flags, sanctions, and internal reporting procedures.


11. Internal Controls, Audit & Review

  • Internal policies and procedures to control risk (segregation of duties, approval workflows, access controls).

  • Periodic internal audits / reviews of compliance with this policy.

  • Update policy as laws, regulations or risks change.


12. Risk Mitigation Measures

  • Define thresholds for transaction amounts that trigger enhanced due diligence.

  • Restrict or block transactions from high-risk jurisdictions.

  • Require additional verification (e.g. proof of funds/source of funds) for large / unusual transactions.

  • Limit or prohibit anonymous transactions.


13. Incident Response & Escalation

  • Establish clear internal procedures for escalation once suspicious activity is detected.

  • Document and preserve evidence.

  • Cooperate with regulators and law enforcement in investigations.


14. Sanctions, Penalties & Remediation

  • Disciplinary measures for non-compliance by employees.

  • Remediation plan if any compliance failure is found.

  • Report breaches to authorities where required.


15. Risk Tolerance & Appetite

  • Define what level(s) of risk the platform is willing to accept (e.g. geographies, transaction volumes, user types).

  • Transparent criteria for rejecting or suspending customers or transactions that exceed risk thresholds.


NFTiFay AML / CFT & Risk Policy

(Applicable to Operations in the Republic of Kosovo)

1. Purpose & Scope

This policy outlines the framework by which NFTiFay prevents and detects money laundering (ML), terrorist financing (TF), and related financial crimes in accordance with applicable laws of the Republic of Kosovo. It applies to all employees, contractors, partners, and platform users.


2. Legal & Regulatory Basis

NFTiFay complies with:

  • Law No. 05/L-096 on the Prevention of Money Laundering and Combating Terrorist Financing of Kosovo.

  • Regulations of the Financial Intelligence Unit of Kosovo (FIU-K).

  • Applicable European Union AML Directives (AMLD V/VI) and FATF recommendations.

  • Sanctions lists: United Nations, EU, OFAC, and Kosovo government lists.


3. Governance & Responsibilities

  • Money Laundering Reporting Officer (MLRO): Appointed by NFTiFay to oversee compliance, handle suspicious activity reports (SARs), and act as liaison with FIU-K.

  • Senior Management: Approves the risk appetite, allocates resources, and ensures organizational commitment.

  • Employees: Must apply customer due diligence (CDD), report suspicious behavior, and follow internal procedures.


4. Risk-Based Approach (RBA)

NFTiFay applies a risk-based approach by identifying, assessing, and mitigating ML/TF risks. Factors include:

  • Customer Risk: Individual collectors, institutional buyers, NFT creators, politically exposed persons (PEPs).

  • Geographic Risk: Transactions involving high-risk or sanctioned jurisdictions.

  • Product/Service Risk: NFT sales, auctions, secondary market resales.

  • Transaction Risk: High-value purchases, frequent microtransactions, or rapid cash-outs.


5. Customer Due Diligence (CDD) & Know Your Customer (KYC)

  • Mandatory Identification: All customers must provide valid identification documents (Kosovo-issued ID/passport, or equivalent foreign ID).

  • Verification: Biometric or document verification tools may be used.

  • Enhanced Due Diligence (EDD): Required for high-risk clients (PEPs, high-value traders, users from high-risk countries). May include verifying the source of funds.

  • Ongoing Monitoring: Customer profiles and transactions are reviewed continuously to ensure consistency with expected behavior.


6. Transaction Monitoring & Reporting

  • All transactions are monitored in real time using automated tools and manual reviews.

  • Red flags include:

    • Transactions inconsistent with customer profile.

    • Sudden large purchases or sales.

    • Attempts to bypass KYC thresholds (structuring).

    • Links to wallets previously associated with illicit activity.

  • Suspicious Activity Reports (SARs) will be submitted promptly to the FIU-K when there is knowledge or suspicion of ML/TF.


7. Sanctions & Screening

  • NFTiFay screens all customers against Kosovo Government sanctions lists, as well as UN, EU, and OFAC lists.

  • Transactions or accounts involving sanctioned persons or entities are blocked, frozen, and reported to the FIU-K.


8. Record Keeping

  • Customer identification, transaction records, and due diligence documents are retained for at least 5 years, in compliance with Kosovo AML law.

  • Records must be accessible to the FIU-K and other competent authorities upon request.


9. Training & Awareness

  • All staff receive annual AML / CFT training, including:

    • Recognition of suspicious activity.

    • Kosovo-specific reporting obligations.

    • Handling high-risk clients and PEPs.


10. Internal Controls & Audit

  • Internal procedures ensure segregation of duties, approval workflows, and fraud prevention.

  • Independent audits or compliance reviews will be conducted at least once per year.


11. Risk Mitigation Measures

  • Transaction Thresholds: Additional KYC checks above defined fiat/crypto thresholds (aligned with FIU-K guidelines).

  • Geographic Controls: Restrict or prohibit services to users in sanctioned or FATF high-risk jurisdictions.

  • Fiat/Crypto On-Off Ramp Controls: Enhanced monitoring for cash-outs and fiat withdrawals.


12. Cooperation with Authorities

NFTiFay is committed to full cooperation with the FIU-K, law enforcement, and regulators by:

  • Providing requested data in a timely manner.

  • Maintaining confidentiality of SARs and investigations.

  • Supporting financial crime investigations when legally required.


13. Disciplinary Measures

Non-compliance by staff will result in disciplinary action, up to and including termination. Breaches will be reported to regulators where applicable.