Version : 1.1

Effective Date : June 12, 2025

Last Reviewed : June 12, 2025

Approved by : Guillermo Alda (CEO)

Signed by : Chris Kottnauer (Compliance Officer)

1. Introduction

1.1 Overview

TokenWay s.r.o. (“TokenWay”, “we”, “us”) operates a tokenization platform and marketplace facilitating the issuance and purchase of MiCA-compliant Other Crypto-Asset (OCA) tokens. We are a Crypto-Asset Service Provider (CASP) currently operating under the MiCA grandfathering period as of June 2025, in accordance with Article 143 of Regulation (EU) 2023/1114 (MiCA). Our policies and procedures are designed to ensure robust user verification and prevent illicit activities.

1.2 Purpose

This Policy outlines our AML/KYC and KYB procedures to ensure compliance with MiCA, AML/CTF laws, and Czech law, safeguarding the Platform and its Users.

1.3 Regulatory Framework

This Policy is aligned with:

• MiCA (Regulation (EU) 2023/1114)
• EU AML Directives (including Directive (EU) 2015/849 and amendments)
• Czech AML Act (Act No. 253/2008 Coll.)
• General Data Protection Regulation (GDPR)

2. Governance & Oversight

2.1 Compliance Officer / MLRO

TokenWay has designated an internal Compliance Officer/Money Laundering Reporting Officer (MLRO) responsible for:

• Regulatory reporting (e.g., SARs to the Czech Financial Analytical Office, FAU)
• Oversight of onboarding, transaction monitoring, and policy implementation
• Internal escalation protocols and ongoing policy review
• AML/CTF staff training and regulatory liaison

2.2 Compliance Team Structure

• Internal Officer: Manages due diligence (DD), onboarding, and AML oversight.
• Legal Team: TokenWay retains an external legal team under ongoing contract to double-check, validate, and control all KYC, KYB, and AML proceedings and policies.
• Allocation: Operational execution is handled by the internal officer, while the legal team provides independent review, policy validation, and regulatory engagement.

3. Scope

3.1 Applicability

This Policy applies to all Users, including SMEs issuing OCA tokens, buyers purchasing tokens, and all participants engaging with the Platform.

4. KYC/KYB and Due Diligence Procedures

4.1 SME/Issuer Verification (KYB)

SMEs/token issuers must provide:

• Company details (name, ID, registered office, jurisdiction)
• Ownership structure (UBOs, shareholders)
• Financial records (e.g., recent financial statements)
• KYC data for representatives (names, IDs, addresses)
• Credit check, company good standing, public register verification
• Disclosure of social media profiles and financial history

Verification is conducted via third-party providers (e.g., ComplyQ) and public registers, per MiCA and Czech AML requirements.

4.2 Buyer Verification (KYC)

Buyers must provide:

• Full name, date of birth, nationality
• Government-issued ID (passport, driver’s license)
• Proof of address (utility bill)
• Source of funds, if required

All buyers are screened via ComplyQ and must pass KYC/KYB and AML checks before purchasing tokens. No PEPs, sanctioned individuals/entities, or US citizens are permitted.

4.3 Enhanced Due Diligence (EDD)

EDD is applied to:

• High-risk users (e.g., non-residents, complex structures, adverse media)
• All token issuers
• Any buyer flagged by transaction monitoring

EDD includes additional verification, source of funds/wealth, and senior management/legal approval.

4.4 Ongoing Monitoring

TokenWay monitors user transactions for suspicious activity, updating KYC/KYB data as needed. Ongoing monitoring is automated and reviewed by the compliance officer and legal team.

5. Risk Assessment Methodology

TokenWay conducts risk-based assessments covering:

• Customer Risk: Type, UBO, PEP status, adverse media
• Geographic Risk: Jurisdiction, high-risk/sanctioned countries
• Product/Service Risk: Token type, payment method (only MiCA-approved stablecoins and credit cards)
• SChannel/Delivery Risk: Non-face-to-face onboarding, vendor involvement

Each risk factor is scored (Low/Medium/High), with EDD applied as required. Risk assessments are reviewed annually or upon significant change.

6. Sanctions & PEP Screening

• All users are screened at onboarding and on an ongoing/event-driven basis against EU, OFAC, and UN sanctions lists.
• Screening is performed via ComplyQ, with escalation protocols for any matches.
• No PEPs, sanctioned individuals/entities, or US citizens are permitted.

7. Third-Party Vendor Management

• ComplyQ is our designated provider for KYC, KYB, and AML screening, including identity verification, adverse media, and sanctions/PEP checks.
• Additional checks on issuers are performed via public company registers and credit bureaus.
• All vendor relationships are subject to due diligence, contractual agreements, and ongoing oversight by both the compliance officer and legal team.

8. Transaction Monitoring Framework

• Purchases are only allowed via MiCA-approved stablecoins and credit card payments.
• All buyers must pass KYC/KYB and AML screening prior to purchase.
• Transaction monitoring is automated via ComplyQ and reviewed by the compliance officer, with legal oversight for escalations.
• Alerts and suspicious patterns (e.g., structuring, rapid in/out flows) are escalated as needed.

9. AML Training Program

• All staff receive mandatory, role-specific AML training at onboarding and annually.
• The legal team provides updates on regulatory changes and best practices.
• Training participation and effectiveness are tracked and assessed.

10. Independent Testing & Audit

• The AML program is independently reviewed annually by the contracted legal team or a qualified third party.
• Findings and remediation actions are reported to senior management and tracked to completion.

11. Record-Keeping & Data Protection

• All AML-related records (due diligence, transaction monitoring, SARs, training, audits) are retained for at least 5 years, per MiCA and AML laws.
• Data is processed per TokenWay’s Privacy Policy (www.tokenway.io/privacy), ensuring GDPR compliance, with secure storage and minimal sharing.

12. User Obligations

• Users must provide accurate and complete KYC/KYB data, updating it as requested, or risk account suspension or transaction cancellation.
• Users must comply with MiCA, AML, and CTF laws, cooperating with TokenWay’s verification processes.

13. Policy Review & Updates

• This Policy is reviewed and updated at least annually or upon regulatory/business changes.