ENG

Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Policy

TOP SHOP POLAND
Effective date: October 3, 2025
  1. Introduction
    • This Policy is intended to ensure compliance with the following requirements:
      • Polish legislation (the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing);
      • Regulation (EU) 2023/1114 (MiCA);
      • Regulation (EU) 2015/847 (Transfer of Funds Regulation — Travel Rule);
      • Recommendations of the EBA, FATF, and KNF.
    • The Company provides services related to crypto-assets. This Policy contains provisions designed to ensure compliance with requirements on internal controls, risk management, customer protection, and the prevention of money laundering and terrorist financing.
  2. Scope of application
    • The Policy applies to all Company employees, business partners and third parties associated with the Company's activities.
    • The policy covers:
      • cryptocurrency exchange operations;
      • any related services.
  3. Main responsibilities of the company
    • Customer identification (KYC - Know Your Customer):
      • Verification of clients' identity before starting cooperation.
      • Determination of the ultimate beneficial owner (UBO) for legal entities.
      • Identification of politically exposed persons (PEPs), their family members, and close associates among clients;
      • Screening of the client against sanctions lists;
      • Collection and verification of data on the origin of funds.
    • Risk assessment:
      • Conducting a client risk assessment (low, medium, high).
      • Transaction risk assessment (amounts, regularity, links with jurisdictions with high risk).
    • Monitoring operations:
      • Continuously monitor transactions to identify unusual or suspicious activity.
      • Setting thresholds for automatic checking of large operations (15,000 euros and above).
    • Reporting suspicious transactions:
      • Information about all suspicious transactions is sent to the General Inspector of Financial Information (GIIF) without notice to the client.
  4. Customer Due Diligence (CDD) principles
    • The Company applies customer due diligence (CDD) measures to effectively monitor the business relationship with the customer on an ongoing basis based on risk assessment. CDD measures consist of 3 levels, including simplified (SDD) and enhanced (EDD) due diligence measures, as described below.
    • CDD measures are applied to the extent necessary, taking into account the client's risk profile and other circumstances, in the following cases:
      • when establishing business relations;
      • during periodic monitoring of business relations;
      • when carrying out or mediating an incidental transaction(s) outside of a business relationship, if the value of the transaction(s) is 1,000 euros or more (or an equivalent amount in another asset);
      • when checking information collected during CDD;
      • in case of doubts about the sufficiency or reliability of previously received documents (data) or when updating relevant data;
      • if there is a suspicion of money laundering or terrorist financing.
    • The Company shall not establish or maintain business relationships or carry out transactions if:
      • the company is unable to ensure compliance with the required CDD measures;
      • the company suspects that services or transactions will be used for money laundering or terrorist financing;
      • the risk level of the client or transaction does not correspond to the company's risk appetite.
    • In the event of receiving information in foreign languages as part of the implementation of CDD measures, the company has the right to request translation of documents into another language acceptable to the company.
    • During the CDD, the client is assigned a documented individual risk level, which forms the basis for further measures and is periodically monitored and updated as necessary.
    • A company has applied CDD measures properly if the company has an internal conviction that it has fulfilled its obligation with due diligence. This means that the company must obtain sufficient information about the client, its activities, the purposes of the business relationship and the transactions carried out under such measures, as well as the origin of the client's funds.
    • Application of simplified due diligence measures (SDD)
      Simplified due diligence (SDD) measures are applied in cases where the client profile indicates a low level of AML/CFT risk.
      When using SDD, a company receives only the following data about a customer:
      For an individual: first and last name; personal number and/or date of birth;
      For a legal entity:
      • Brand name;
      • Legal form;
      • Registration number, if such a number has been assigned;
      • Head office (address) and address of actual activity;
      • Name(s), surname(s) of the Client's representative and personal number and/or date of birth.
      The application of SDD measures is permitted only if the client has been assigned a low risk level. If, during the ongoing monitoring of the business relationship, it is determined that the AML/CFT risk is no longer low, the company must apply the appropriate level of CDD measures.
    • Application of standard due diligence measures
      Standard CDD measures apply to all clients who are classified as medium risk and include:
      • identification of the Client and verification of the information provided based on a reliable and independent source;
      • identification and verification of the identity of the client's representative and his rights to represent the client's interests;
      • identification of the beneficial owner, establishment of the ownership structure and management of the client;
      • understanding the nature of business relationships, transactions or operations and, where necessary, gathering information about them;
      • collecting information on whether the client is a politically exposed person (PEP), a member of his family or a close person of a PEP;
      • monitoring of business relations.
      The above mentioned CDD measures shall apply to the establishment of a business relationship or the execution of a transaction.
    • Application of Enhanced Due Diligence (EDD)
      In addition to standard CDD measures, the company applies enhanced due diligence (EDD) measures in cases where the risk of money laundering and/or terrorist financing is higher than usual.
      The Company always applies EDD measures in the following cases:
      • the client profile indicates a high level of risk of money laundering/ terrorist financing;
      • during the identification of the client or verification of the information provided, doubts arise regarding the veracity of the data provided, the authenticity of the documents or the identification of the beneficial owner;
      • cross-border correspondent relations are established with a client who is a financial institution of another country;
      • in the event of a transaction being entered into or a business relationship being established with a PEP, a member of a PEP's family or a close person of a PEP;
      • a transaction is entered into or a business relationship is established with persons located or established in high-risk countries, as defined by the European Commission;
      • the client is a citizen of such a country (territory) or his place of residence is in a country (territory) which, according to reliable sources, it has not established an effective AML/CFT system in accordance with FATF recommendations.
      Before applying EDD measures, the employee of the company must be satisfied that the business relationship or transaction is associated with high risk and that it can be classified as high risk. When applying EDD measures, the employee must notify the MLRO within 2 working days from the moment the measures are applied. In case of applying EDD measures, the company re-assesses the customer profile at least once every six months.
  5. Customer identification (KYC - Know Your Customer)
    • The Company identifies the client, who is an individual, and may store the following data: first and last name; personal number; date of birth; citizenship/ place of residence; photograph; signature sample.
    • The following valid identity documents containing the above data may be used to identify an individual:
      • a document confirming identity in the Republic of Poland (passport or ID card);
      • a document confirming a person's affiliation with another state (passport or ID card).
    • The Company identifies a client who is a legal entity, its representative, and may store the following data about the client:
      • company name or title;
      • organizational and legal form;
      • registration number, if such a number has been assigned;
      • the name(s) and surname(s), personal number (in the case of a foreigner; date of birth or, if available, personal number or any other unique sequence of characters provided to that person for identification) and citizenship of the director(s) or member(s) of the Management Board or member(s) of another equivalent body, as well as their authority to represent the client;
      • extract or registration record and date of issue;
      • head office (address) and address of actual activity.
      The following documents issued by the competent authority may be used to identify the client:
      • certificate of registration of the relevant register;
      • a document equivalent to a registration certificate or other documents confirming the establishment of the client.
      The Company verifies the authenticity of the above customer data using information obtained from a reliable and independent source. If the Company has access to the relevant register of legal entities, the above documents may not be requested from the client.
    • The identity of the representative and the right of representation of a legal entity may be verified on the basis of a document certified by a notary or an official, and on the basis of other sources of information, thereby using at least two different sources to verify the data.
    • The company must identify the beneficial owner of the client and take steps to verify the identity of the beneficial owner to the extent that this enables the company to be satisfied that they know who the beneficial owner is.
      The Company collects the following data about the beneficial owner(s) of the client:
      • first and last name;
      • personal number and/or date of birth;
      • citizenship.
      The company requests information about the client's beneficial owner from the client and compares this information with data from other sources (for example, the register of beneficial owners). In the event of a discrepancy in the information, the client is asked to clarify the information. In this case, information about the discrepancy in the data may also be sent to government agencies without notifying the client.
    • The Company takes steps to determine whether a customer, a beneficial owner of a customer, or a representative of that customer is politically exposed person (PEP), a member of his/her family or a close associate of a PEP. To do this, when collecting data about a customer, the company requests information from the customer to determine whether the customer is a politically exposed person (PEP), a member of his/her family or a close associate of a PEP.
      The Company verifies the data received from the Client by sending queries to the relevant databases or by checking the data on the websites of the relevant supervisory authorities or institutions of the country in which the Client has his/her place of residence or location. The PEP must also be additionally verified using an international search engine (e.g. Google) and the local search engine of the Client's country of origin, if any.
      The Company shall identify close associates and family members of a PEP only if their connection to the PEP is publicly known or if the Company has other grounds to believe that such a connection exists.
    • The company must understand the purpose and nature of the establishment of a business relationship or the execution of a transaction. To do this, the company may request the following information from the client:
      • whether the client will use the company's services for his own needs or to represent the interests of another person;
      • contact information;
      • information about the client's registration address and actual residential address;
      • the expected turnover of transactions with the company during the calendar year;
      • the intended source of funds used in a business relationship or transaction;
      • whether the business relationship or transaction is related to the client's economic or professional activities, and to what types of activities they relate;
      • information about the source of funds related to a business relationship or transaction if the transaction amount (including the expected amount) exceeds the established limit. The Company applies additional measures (collects additional information) to determine the purpose and nature of a business relationship or incidental transaction in cases where:
        • a high-value situation has arisen or is unusual;
        • the client's risk profile and the nature of the business relationship provide grounds for taking additional steps to ensure proper monitoring of business relationships in the future.
  6. Monitoring business relations
    • The Company analyses established business relationships by conducting the following continuous due diligence (ODD):
      • ensuring that documents, data or information collected in the course of due diligence measures and in the event of events that require them are regularly updated, in particular data relating to the client, its representative (including the right of representation) and the beneficial owner, as well as the purposes and nature of the business relationship;
      • ongoing monitoring of business relationships, which covers transactions carried out within the framework of the business relationship, to ensure that transactions are consistent with the company's knowledge of the client, its activities and risk profile;
      • identification of the source and origin of funds used in transactions.
    • The Company regularly reviews and updates the documents and information collected in the course of AML activities and updates the client risk profile. The frequency of reviews and updates is based on the client risk profile:
      • once every six months for a high-risk client;
      • once a year for a client with an average risk level;
      • once every two years for a low-risk client.
      The collected documents and information should also be verified if an event occurs that indicates the need to update the data.
    • In the course of ongoing monitoring of business relationships, the company monitors contracts concluded during the course of business relationships to determine whether the concluded contracts correspond to the information about the customer. The Company also monitors business relationships to identify facts that indicate criminal activity, money laundering or terrorist financing or the likelihood that the client's transactions are related to money laundering or terrorist financing, including complex, high-value and unusual transactions and transaction patterns that have no reasonable or obvious economic or legal purpose or are not typical of the specific characteristics of the client's business.
    • For continuous monitoring of business relations, the Company applies the following measures:
      • screening;
      • monitoring.
      The purpose of screening is to identify:
      • suspicious and non-standard transactions and transaction schemes;
      • operations exceeding established threshold values;
      • participation of politically exposed persons;
      • circumstances related to sanctions.
      Transaction verification is carried out automatically and includes the following actions:
      • establishing threshold values for client transactions depending on the client's risk profile and the expected transaction turnover declared by the client;
      • evaluation of virtual currency wallets to which virtual currency will be sent in accordance with the client's order;
      • evaluation of virtual currency wallets from which virtual currency originates.
      If a customer submits a request for a transaction that exceeds the established threshold or for a transaction to a high-risk virtual currency wallet (e.g. wallets associated with fraud, crime, etc.), the transaction must be manually confirmed by an employee who must assess the need to apply additional AML measures (e.g. applying EDD measures, inquiring about the origin of funds, or requesting additional information regarding the transaction).
      When monitoring transactions, the employee is required to evaluate transactions to identify actions and transactions that:
      • deviate from what would be expected based on the CDD measures taken (e.g. exceeding the estimated transaction turnover, sending virtual currency to a new virtual currency wallet each time, exceeding the transaction volume limit);
      • may be considered as part of money laundering or terrorist financing;
      • may affect the assessment of the client's risk profile.
      In the event of discovery of the above fact, the employee is obliged to notify the MLRO and postpone any client transaction until the MLRO makes a decision on this matter.
    • In addition to the above, the MLRO must review the company's transactions on a regular basis (at least weekly) to ensure that:
      • the company's employees have properly fulfilled the above-mentioned duties;
      • there are no transactions or transaction schemes that are complex, expensive and non-standard, do not have a reasonable or obvious economic or legal purpose, or are not typical for the client.
    • If necessary, the company determines the source and origin of funds used in transactions. The need to identify the source and origin of funds depends on the previous activity of the client, as well as other known information. Thus, identification of the source and origin of funds used in the transaction is carried out in the following cases:
      • transactions exceed the limits set by the company;
      • transactions do not correspond to previously known information about the client;
      • the company suspects that the transactions indicate criminal activity, money laundering or terrorist financing.
  7. The company's refusal to engage in business relations and transactions
    • The Company shall not establish business relations, and established business relations or contracts shall be terminated (except in cases where this is objectively impossible) if:
      • the company suspects money laundering or terrorist financing;
      • the company cannot apply AML measures due to the fact that the client does not provide the relevant data or the data provided gives reason to believe that they are unreliable;
      • a client whose capital consists of bearer shares or other bearer securities wishes to establish business relations;
      • the client is a person behind whom another person actually hides who wishes to establish a business relationship (suspicion of using a person acting as a cover);
      • clients from jurisdictions prohibited by internal company policies or international sanctions;
      • clients are identified as persons subject to international sanctions.
    • The Company does not accept individuals or legal entities as clients from Abkhazia, Afghanistan, Azores, The Bahamas, Barbados, Belarus, Benin, Burkina Faso, Cambodia, Cameroon, Cayman Islands, Central African Republic, Chad, The Democratic Republic of Congo, Côte d'Ivoire, Crimea (region of Ukraine), Cuba, Donetsk region (DNR), Eritrea, Gaza Strip, Ghana, Guinea, Guinea-Bissau, Haiti, Iran, Iraq, Jamaica, Jordan, Kashmir, Kherson region, Democratic People's Republic of Korea, Kosovo, Kuwait, Lebanon, Liberia, Libya, Luhansk region (LNR), Mali, Myanmar, Nagorny Karabakh, Northern Cyprus, Nicaragua, Pakistan, Palestine, Panama, Philippines, People's Republic of China, Qatar, Russian Federation, Senegal, Somalia, South Ossetia, South Sudan, Sudan, Syrian Arab Republic, Togo, Trinidad and Tobago, Uganda, Vanuatu, Venezuela, Yemen, Zaporizhzhia region, Zimbabwe, West Bank.
      Individuals or entities from jurisdictions where a special license or permit is required will not be accepted as clients unless the company has obtained such permit or license.
  8. Application of sanctions
    • Once sanctions are in effect, amended or terminated, a company must verify whether the customer, its beneficial owner or a person intending to do business with or transact with it is subject to sanctions. If a company identifies a person who is the subject of sanctions, or that a transaction it intends to or is conducting violates sanctions, the company must comply with sanctions requirements and notify KNF within 3 hours.
    • The Company uses at least the following sources (databases) to check the client's attitude towards sanctions:
      • EU Sanctions Tracker
      • OFAC Sanctions List
      In addition to these sources, the company may use any other sources at the employee's discretion, subject to AML measures. In order to verify that the names of persons obtained as a result of the request match those of persons specified in the sanctions lists, their personal data is used: for a legal entity - its name or trademark, registration code or registration date; for an individual - his first and last name, personal number or date of birth.
    • For the purposes of identifying a person, the company analyses the names of persons identified as a result of the request based on the possible influence of factors that distort personal data (for example, decoding foreign names, changing word order, replacement of diacritics or double letters, etc.).
    • The Company carries out checks on an ongoing basis during the established business relationship. The frequency of checks depends on the client's risk profile:
      • Daily for high-risk clients;
      • Weekly for medium-risk clients;
      • Monthly for low-risk clients.
    • If an employee of the company becomes aware that a client who is in a business relationship or is concluding a transaction with the company, or a person intending to establish a business relationship or conclude a transaction with the company, is subject to sanctions, the employee is obliged to immediately notify the MLRO or the company's management of the identification of the subject of sanctions, the doubts arising in connection with this and the measures taken.
    • In such circumstances, the company refuses to enter into an agreement or carry out a transaction, applies the measures provided for in the act on the imposition or application of sanctions and immediately informs KNF of its doubts and the measures taken.
  9. Restricted and Prohibited Industries

    As part of the Anti-Money Laundering (AML) and Counter-Terrorist Financing Policy, the Company establishes a list of industries with which cooperation is either restricted or prohibited to minimize legal, reputational, and financial risks.

    • Prohibited Industries
      The Company does not engage in business relationships or transactions with clients operating in the following industries:
      • Production, distribution, and trade of weapons, ammunition, and explosives (except for lawful activities of government and authorized organizations);
      • Operation of illegal gambling and unlicensed lottery activities;
      • Production and distribution of narcotic and psychotropic substances;
      • Human trafficking and forced labor exploitation;
      • Financing of terrorist activities and extremist organizations;
      • Production and distribution of counterfeit money and documents;
      • Conducting transactions in jurisdictions under international sanctions or recognized as high-risk offshore zones without a transparent ownership structure.
    • Restricted Industries
      Cooperation with clients from the following industries is possible only after conducting Enhanced Due Diligence (EDD):
      • Legal gambling businesses, casinos, and betting companies;
      • Cryptocurrency and blockchain companies, digital asset exchanges;
      • Organizations engaged in international money transfers and currency exchange;
      • Companies involved in the extraction and trade of precious metals and gemstones;
      • Charitable and non-profit organizations operating in high-risk areas;
      • Companies engaged in the trade of art and antiques.
    • Control Procedures
      For clients from restricted industries, additional verification measures apply, including:
      • Establishing sources of funding and the origin of funds;
      • Assessing business reputation and transparency of ownership structure;
      • Monitoring transaction activity for compliance with declared business operations;
      • Conducting enhanced ongoing monitoring of client operations.
      The Company reserves the right to refuse services to clients from prohibited or restricted industries if risks are identified that contradict internal policies and regulatory requirements.
  10. Employee training
    • Regular training for employees covering:
      • Principles AML/CFT
      • Recognition of suspicious transactions.
      • Use of transaction monitoring systems.
    • Recording the completion of training by all employees.
  11. Data storage
    • All customer and transaction data will be retained for at least 5 years from the end of the business relationship.
    • Protection of customer data in accordance with the provisions of the GDPR.
  12. Responsibility
    • Appointment of an AML Officer (MLRO - Money Laundering Reporting Officer).
    • The MLRO is responsible for:
      • Development and updating of policies.
      • Employee training.
      • Report suspicious transactions to GIIF.
      • Interaction with supervisory authorities.
  13. Review and update the policy
    • The policy is reviewed annually or when legislation changes.
    • The results of the inspection are recorded in the relevant report.
  14. Penalties for non-compliance

    Violation of the Policy may result in:

    • Disciplinary measures for employees.
    • Financial and criminal sanctions for the company.
  15. Contact information

    For AML related questions: