Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Policy

Definitions

  • “Company”, “we”, “our”, “PawPayments”— PawPayments, Inc.
  • “Platform”— PawPayments’ cryptocurrency-only payment gateway and any related services.
  • “User”— any natural or legal person that uses the Platform.
  • “AML provider” / “KYC provider”AMLBot, operated by Safelement Limited, our appointed third-party provider of AML (Anti-Money Laundering) and KYC (Know Your Customer) services, including identity verification, sanctions and PEP screening, adverse-media screening, and blockchain transaction analytics.

1. Introduction and Purpose

PawPayments, Inc. is registered with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as a Money Services Business (MSB) under registration number C10001337. PawPayments is committed to preventing money laundering, terrorist financing, and other illicit activity conducted through its cryptocurrency services. This Policy explains the risk-based controls we apply in line with:

  • Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated FINTRAC regulations.
  • Financial Action Task Force (FATF) Recommendations for virtual-asset service providers.
  • Comparable international best practices (e.g., the EU 5th AML Directive, U.S. Bank Secrecy Act).

Because we process only virtual-currency transactions, our controls focus on blockchain-based risks; nevertheless, the core principles of AML/CTF apply. The Policy applies to every employee, officer, contractor, and all Users of the Platform.

PawPayments serves both individual users (B2C) and business clients (B2B) worldwide, subject to the due-diligence tiers and risk controls described in this Policy. Both segments go through the same risk-based KYC/KYB framework, and prospective Users from prohibited jurisdictions or sanctions targets (see Sections 4.8 and 7) are not on-boarded regardless of segment.

2. Governance and Oversight

  • Compliance Officer— PawPayments has designated an AML Compliance Officer with independent authority to design, maintain, and enforce this program, escalate issues to senior management, and liaise with regulators or law-enforcement agencies, including FINTRAC.
  • Risk-Based Approach— controls, resources, and monitoring intensity are allocated according to the inherent risk of each User, geography, and transaction.

3. Enterprise-Wide Risk Assessment

At least once a year, PawPayments conducts an enterprise-wide AML/CTF risk assessment. The assessment is also refreshed upon material changes to our products, services, client base, or applicable regulations. It covers:

  • Client risk— type of clients, their business activities, geographic exposure, and transaction volumes.
  • Product and service risk— cryptocurrency payment processing and related products.
  • Geographic risk— jurisdictions where counterparties are incorporated or operate.
  • Channel risk— remote on-boarding without face-to-face interactions.
  • Blockchain risk— exposure to high-risk wallet addresses, mixers, and unhosted wallets.

Identified risks are classified as Low, Medium, or High, and inform the intensity of due diligence and monitoring measures applied to each client and transaction.

4. Customer Due Diligence (CDD)

4.1 Basic On-Boarding

  • Individuals: legal name, date of birth, residential address, nationality, email, country of residence or operation, business description and category, expected monthly payment volume, average transaction size, operating countries, customer geographies, source-of-funds and source-of-wealth information, regulatory licence details where applicable, prohibited-business attestation, and email/phone verification where applicable.
  • Businesses: legal name, registration data, legal address, tax identifier where applicable, directors, beneficial owners or controllers, authorised representative name and role, business description and category, expected monthly payment volume, average transaction size, operating countries, customer geographies, source-of-funds and source-of-wealth information, regulatory licence details where applicable, ownership/prohibited-business attestations, and account administrator details.

4.2 Tiered KYC

  • Simplified due diligence for low-risk, low-volume activity.
  • Enhanced Due Diligence (EDD) when triggers occur (e.g., high cumulative volume, large single transactions, blockchain flags, suspicious patterns).

4.3 Verification via AMLBot

When EDD is required, Users complete identity verification through our AML provider, AMLBot (operated by Safelement Limited), which performs document authentication, biometric checks, sanctions and PEP screening, and provides pass/fail results to our Compliance team. Refusal or failure results in denied or restricted service.

4.4 Politically Exposed Persons (PEPs)

A Politically Exposed Person (PEP) is an individual who holds, or has held, a prominent public function — including heads of state, senior politicians, senior government officials, senior judicial or military officials, senior executives of state-owned enterprises, and senior officials of international organisations — as well as their close family members and known associates.

Where a PEP or PEP associate is identified, we:

  • automatically classify the relationship as High-Risk;
  • apply Enhanced Due Diligence, including documentation of source of wealth and source of funds;
  • require senior-management approval prior to on-boarding or continuing the relationship;
  • apply enhanced ongoing monitoring for the duration of the relationship.

4.5 Business Clients

For business clients, we identify beneficial owners (≥ 25% ownership), directors, controllers, and authorised representatives. Records may include each person’s legal name, role or control type, residential address, date of birth, nationality, and ownership percentage where applicable. We may request proof of business activities, source of funds, source of wealth, regulatory licences, and ownership/control structure for high-risk clients.

4.6 Adverse Media Screening

All clients are screened for adverse media at on-boarding and on an ongoing basis through our AML provider. Adverse media includes negative news related to financial crime, fraud, sanctions violations, terrorism, or regulatory enforcement actions. Confirmed adverse-media findings are documented and may result in EDD escalation or client off-boarding.

4.7 Ongoing Monitoring

We re-verify identities when risk profiles change, conduct periodic adverse-media checks, and screen all existing clients against updated sanctions lists.

4.8 Prohibited Users and Jurisdictions

We do not provide services to:

  • Persons or entities listed on any applicable sanctions list (see Section 7).
  • Clients incorporated in, operating from, or transacting with individuals or entities in countries subject to comprehensive sanctions — currently including Belarus, Cuba, Iran, the Democratic People’s Republic of Korea (North Korea), and Russia.
  • Clients in other jurisdictions identified as high-risk under OFAC, UN, Canadian (SEMA / JVCFOA), EU, or FATF designations, where transacting with them is prohibited or requires a specific licence we do not hold.

Our prohibited-jurisdictions list is reviewed regularly against FATF, OFAC, UN, Canadian, and EU sanctions updates and may be expanded based on regulatory developments. Identified accounts that fall within these categories are terminated or frozen in accordance with legal requirements.

5. Transaction Monitoring and Reporting

5.1 Blockchain Analytics

Wallet addresses and transactions are screened in real time by AMLBot to detect links to darknet markets, mixers, ransomware, sanctioned addresses, scams, fraud, and other illicit indicators.

5.2 Velocity & Pattern Checks

We apply thresholds for transaction volume and frequency and monitor for structuring, rapid in-and-out transfers, and other patterns inconsistent with a client’s stated business profile.

5.3 Geographic Risk

Heightened scrutiny is applied to transactions involving high-risk jurisdictions identified by FATF, OFAC, the UN, or Canadian sanctions authorities.

5.4 Review of Flagged Transactions

Transactions that trigger our rules are paused where possible. The User may be contacted for source-of-funds information and, if not yet verified, must complete KYC with our AML provider before processing resumes. While such a review is open we may, in line with the contractual rights set out in our Terms of Use, delay or block individual withdrawals, temporarily restrict specific features of the Account, and require additional documentation before processing further transactions. Restrictions are released as soon as the review is concluded satisfactorily, except where applicable law (including the tipping-off prohibition under PCMLTFA) limits what we can disclose or do.

5.5 FINTRAC Reporting

As a FINTRAC-registered Money Services Business, PawPayments is required to file the following reports:

  • Suspicious Transaction Reports (STRs)— filed with FINTRAC within 30 days of forming reasonable grounds to suspect that a transaction (attempted or completed) is related to money laundering, terrorist financing, or sanctions evasion. Clients are not notified of an STR filing (tipping-off prohibition under PCMLTFA).
  • Large Virtual Currency Transaction Reports (LVCTRs)— filed for virtual-currency transactions of CAD $10,000 or more received in a single transaction (or aggregated under FINTRAC’s 24-hour rule).
  • Electronic Funds Transfer Reports (EFTRs)— filed for qualifying electronic funds transfers of CAD $10,000 or more, where applicable.

5.6 Zero Tolerance for Evasion

Attempts to circumvent controls — including the use of multiple accounts, transaction splitting, or false information — are treated as suspicious and may result in account closure and an STR filing.

6. Travel Rule Compliance

PawPayments complies with FINTRAC’s Virtual Currency Travel Rule requirements under the PCMLTFA. For virtual-currency transfers of CAD $1,000 or more, we:

  • collect and transmit the required originator information to the receiving virtual-asset service provider (VASP), including name, account or wallet address, and address or date of birth;
  • collect and retain required beneficiary information for incoming transfers;
  • verify, where required, that the receiving or sending entity is a regulated VASP;
  • retain all Travel Rule records for a minimum of five (5) years.

For transfers below CAD $1,000, transaction records are retained in accordance with FINTRAC’s general record-keeping requirements.

7. Sanctions Screening

All clients and transactions are screened against the following sanctions lists:

  • OFAC Specially Designated Nationals (SDN) List— U.S. Office of Foreign Assets Control.
  • OFAC Non-SDN Consolidated List— including SSI, NS-MBS, CMIC, and other program lists.
  • United Nations Security Council Consolidated List.
  • Consolidated Canadian Autonomous Sanctions List— maintained by Global Affairs Canada under SEMA and JVCFOA.
  • OSFI Listed Persons and Entities— under the Regulations Establishing a List of Entities and the Justice for Victims of Corrupt Foreign Officials Regulations.
  • European Union Consolidated Financial Sanctions List.
  • UK HM Treasury Consolidated List of Financial Sanctions Targets.

Screening is conducted:

  • at on-boarding, prior to account activation;
  • on an ongoing basis whenever sanctions lists are updated;
  • at the time of each transaction, including blockchain address-level checks;
  • immediately upon notification of a sanctions list update affecting existing clients.

Upon a potential sanctions match, the transaction or on-boarding process is immediately paused. The Compliance Officer reviews the alert and, if confirmed as a true match, the client is rejected or the transaction blocked, with assets frozen pending further review. Where applicable, an STR is filed with FINTRAC for transactions suspected to be related to sanctions evasion.

8. Record-Keeping

We retain for at least five (5) years:

  • Client identification and verification records (KYC documents, beneficial ownership information, directors/controllers, authorised representatives, business profile, expected volumes, source-of-funds/source-of-wealth information, regulatory licence details, and attestations).
  • Detailed transaction data (date/time, amount, currency, addresses, hashes, associated Users).
  • Sanctions screening results and alert dispositions.
  • Blockchain monitoring alerts and dispositions.
  • Travel Rule records.
  • STRs, LVCTRs, EFTRs and supporting documentation.
  • Compliance training logs and audit reports.

Records are stored securely with appropriate access controls.

9. Employee Training and Accountability

  • Mandatory AML training for relevant staff at on-boarding and annually thereafter, with ad-hoc training when material regulatory changes occur.
  • Content covers PCMLTFA obligations, KYC/CDD procedures, PEP identification, sanctions screening, the Travel Rule, blockchain monitoring, red-flag indicators, STR filing, and record-keeping.
  • Employees acknowledge understanding of the Policy and are subject to disciplinary action for non-compliance.
  • Background checks for employees in sensitive roles help safeguard program integrity.

10. Program Review and Independent Audit

  • The Compliance Officer reviews this Policy at least annually and after material regulatory changes.
  • An independent review of the AML program is conducted at least every two (2) years, or more frequently if warranted by risk-assessment findings or regulatory changes. Findings and remediation plans are reported to senior management and documented.
  • Version control is maintained, and significant updates are communicated to Users when relevant.
  • PawPayments cooperates fully with regulators and law-enforcement agencies.

11. Conclusion

Preventing misuse of our Platform is integral to PawPayments’ mission. All employees must understand and adhere to this Policy, and Users agree to its principles by accessing the Platform. For questions, contact the Compliance Officer at legal@pawpayments.com.

By staying vigilant and applying a robust, risk-based AML/CTF framework, PawPayments safeguards its Users, its business, and the wider financial ecosystem.