ANTI-MONEY LAUNDERING (AML) AND BANK SECRECY ACT (BSA) COMPLIANCE POLICY 

Effective Date: 6/23/2026
Version: 1.0
Approved by: Francesca Augustine, CEO
Next Review Date: 7/01/2026


0. HOW THE NEFTWERK PROTOCOL WORKS

Neftwerk Inc. operates as blockchain protocol infrastructure. Neftwerk does not sell artworks, does not act as a payment processor, and does not collect or store payment instrument data. Payment processing, fiat in/out, and KYC/AML compliance are handled exclusively by Coinflow, our licensed third-party payment processing partner. Galleries and authorized sellers credentialed on the Neftwerk Protocol are the merchants of record for all artwork transactions. 

1. PURPOSE AND SCOPE 

Neftwerk Inc. ("the Company") is committed to preventing money laundering, terrorist financing, sanctions violations, and other financial crimes. This Anti-Money Laundering ("AML") and Bank Secrecy Act ("BSA") Compliance Policy ("Policy") establishes the framework, controls, and procedures the Company maintains to detect, prevent, and report financial crime risk arising from its products and services. 

This Policy applies to all employees, officers, directors, contractors, and agents of the Company, and to all customers, transactions, and counterparties processed through the Company's platform. 

2. REGULATORY FRAMEWORK 

The Company maintains its AML program in alignment with the following applicable laws and regulations: 

● The Bank Secrecy Act (BSA), 31 U.S.C. § 5311 et seq. 

● The USA PATRIOT Act of 2001 

● FinCEN regulations, 31 C.F.R. Chapter X 

● The Office of Foreign Assets Control (OFAC) sanctions programs 

● Applicable state money transmission laws, where relevant 

● For Canadian users: the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC requirements, and Revenu Québec MSB licensing where applicable

3. AML COMPLIANCE OFFICER 

The Company has designated Francesca K. Augustine as its AML Compliance Officer ("ACO"). The ACO is responsible for: 

● Overall design, implementation, and maintenance of the AML program

● Ensuring timely filing of any required regulatory reports (SARs, CTRs) 

● Coordinating annual independent reviews of the AML program 

● Acting as the primary point of contact for regulators, law enforcement, and banking/processing partners on AML matters 

● Reporting on AML program effectiveness to executive leadership at least quarterly 

The ACO has sufficient authority, independence, and resources to administer the program. 

4. RISK ASSESSMENT 

The Company conducts and documents a written enterprise-wide AML risk assessment at least annually, and ad hoc when material changes occur (new product launch, new geography, new partner relationship). The assessment considers: 

● Customer risk (entity type, geography, business model, beneficial ownership complexity)

● Product and service risk (transaction types, custody model, settlement rails) 

● Geographic risk (jurisdictions of operation, exposure to high-risk countries)

● Transaction risk (volume, velocity, size, payment methods) 

● Delivery channel risk (online onboarding, agent relationships, third-party platforms) 

Risk ratings inform onboarding diligence depth, transaction monitoring thresholds, and ongoing review cadence. 

5. CUSTOMER IDENTIFICATION PROGRAM (CIP) AND CUSTOMER DUE DILIGENCE (CDD) 

The Company performs identity verification on all customers prior to providing services, consistent with the requirements of 31 C.F.R. § 1022.210 and applicable state rules. 

At onboarding, the Company collects and verifies: 

● For individuals: full legal name, date of birth, physical address, and government-issued identification number (e.g., SSN, ITIN, or equivalent for non-US persons) 

● For legal entities: legal name, registered address, formation jurisdiction, EIN or equivalent, formation documents, and beneficial ownership information for all individuals owning 25% or more, plus one control person (consistent with FinCEN's Beneficial Ownership Rule and the Corporate Transparency Act, where applicable) 

Identity verification is performed via: 

● [Vendor name — e.g., Persona, Alloy, Jumio] for document verification 

● [Vendor name — e.g., LexisNexis, Middesk] for entity verification

● Sanctions and PEP screening through [vendor name — e.g., ComplyAdvantage, Refinitiv World-Check] 

Enhanced Due Diligence (EDD) is performed for higher-risk customers, including but not limited to: 

● Politically Exposed Persons (PEPs) and their immediate family/close associates 

● Customers operating in higher-risk industries (cash-intensive businesses, MSBs, crypto-related entities, gambling, adult content) 

● Customers in or with significant exposure to higher-risk jurisdictions (FATF gray/blacklist countries, US sanctions programs) 

● Customers exhibiting unusual transaction patterns relative to their profile 

EDD includes additional documentation (source of funds/wealth), management approval, and elevated monitoring cadence. 

6. SANCTIONS AND OFAC SCREENING 

The Company screens all customers, beneficial owners, and counterparties against: 

● OFAC Specially Designated Nationals (SDN) List 

● OFAC Consolidated Sanctions List 

● UN, EU, and UK sanctions lists (where applicable) 

● Politically Exposed Persons (PEP) lists 

● Adverse media databases 

Screening occurs at onboarding and continuously thereafter through automated rescreening at least daily. Potential matches are escalated to the ACO within 24 hours and adjudicated (confirmed, or cleared as a false positive) before any transaction for that customer is permitted to proceed; confirmed matches are blocked or rejected as the applicable sanctions program requires. 

The Company maintains procedures for OFAC license requests, blocked property reporting, and prompt notification to OFAC in the event of an apparent match. 

7. TRANSACTION MONITORING 

The Company monitors customer transactions on an ongoing basis to identify potentially suspicious activity. Monitoring is conducted via [in-house rules engine / vendor name — e.g., Unit21, Hummingbird, Sardine] and includes: 

Rule-based alerts on: 

● Transactions above defined dollar thresholds

● Unusual velocity (number of transactions in a time window) 

● Structuring patterns (transactions just below reporting thresholds) 

● Inconsistency with customer profile or stated business purpose 

● Cross-border transactions involving higher-risk jurisdictions 

● Wallet exposure to mixers, darknet markets, sanctioned addresses, or otherwise high-risk counterparties, screened via [Chainalysis / TRM Labs / Elliptic] 

● Rapid movement of funds in/out without economic substance 

Alerts are reviewed by trained analysts within [X] business days, with escalation paths to the ACO for potentially reportable activity. 

8. SUSPICIOUS ACTIVITY REPORTING (SAR) 

Where suspicious activity is identified and meets the threshold under 31 C.F.R. § 1022.320, the Company files a Suspicious Activity Report (SAR) with FinCEN within 30 calendar days of initial detection (60 days if no suspect is identified at the time of initial detection). 

SAR decisions are documented in writing and approved by the ACO. SARs and all supporting documentation are maintained for a minimum of five (5) years from the date of filing. 

The Company strictly observes SAR confidentiality requirements. No employee will disclose the existence or contents of a SAR to the subject or any unauthorized party. 

9. CURRENCY TRANSACTION REPORTING (CTR) 

To the extent the Company handles physical currency transactions (or if regulatory interpretation requires CTR-style reporting for crypto-to-fiat conversions of more than $10,000 by or on behalf of one person in a single business day), the Company files Currency Transaction Reports with FinCEN consistent with 31 C.F.R. § 1022.310. The ACO maintains the procedures for aggregating multiple same-day transactions, identifying the transactor, and filing. 
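The rule-based alerts described in Section 7 (threshold, velocity, and structuring rules) and the same-day aggregation described in Section 9 can be illustrated together. The Python below is an added example written for this page; it is not the Company's monitoring system, nor any vendor's product. The $10,000 figure is the CTR threshold from 31 C.F.R. § 1022.310; the $5,000 single-transaction threshold, the 80% "just below" band, the velocity limit, the use of the calendar date as the business day, and the transaction records themselves are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Regulatory threshold: 31 C.F.R. § 1022.310 requires a CTR for more than $10,000 in
# currency by or on behalf of one person in one business day.
CTR_THRESHOLD = 10_000.00
# The parameters below are hypothetical policy settings, not values from the policy.
LARGE_TXN_THRESHOLD = 5_000.00      # single-transaction alert threshold
STRUCTURING_BAND = 0.80             # "just below": >= 80% of CTR_THRESHOLD and < CTR_THRESHOLD
VELOCITY_LIMIT = 5                  # more than this many transactions in VELOCITY_WINDOW alerts
VELOCITY_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    ts: datetime
    amount: float
    method: str  # "cash", "card", "wire" or "crypto"


@dataclass(frozen=True)
class Alert:
    rule: str
    customer_id: str
    txn_ids: tuple
    detail: str


def _by_customer(txns):
    """Group transactions per customer, ordered by timestamp."""
    groups = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        groups[t.customer_id].append(t)
    return groups


def rule_large_transaction(txns):
    """One alert per transaction at or above the single-transaction threshold."""
    return [Alert("LARGE_TXN", t.customer_id, (t.txn_id,), f"amount {t.amount:.2f}")
            for t in txns if t.amount >= LARGE_TXN_THRESHOLD]


def rule_velocity(txns):
    """Sliding window per customer; at most one alert per customer, on the densest window."""
    alerts = []
    for cust, ts in _by_customer(txns).items():
        best, j = (), 0
        for i in range(len(ts)):
            while j < len(ts) and ts[j].ts - ts[i].ts <= VELOCITY_WINDOW:
                j += 1
            if j - i > len(best):
                best = tuple(t.txn_id for t in ts[i:j])
        if len(best) > VELOCITY_LIMIT:
            alerts.append(Alert("VELOCITY", cust, best, f"{len(best)} txns within {VELOCITY_WINDOW}"))
    return alerts


def rule_structuring(txns):
    """Two or more same-day transactions, each just below the CTR threshold, that together exceed it.
    The business day is approximated by the calendar date (assumption)."""
    alerts = []
    for cust, ts in _by_customer(txns).items():
        days = defaultdict(list)
        for t in ts:
            if STRUCTURING_BAND * CTR_THRESHOLD <= t.amount < CTR_THRESHOLD:
                days[t.ts.date()].append(t)
        for day, group in days.items():
            total = sum(t.amount for t in group)
            if len(group) >= 2 and total > CTR_THRESHOLD:
                alerts.append(Alert("STRUCTURING", cust, tuple(t.txn_id for t in group),
                                    f"{len(group)} txns on {day} totalling {total:.2f}"))
    return alerts


def ctr_candidates(txns):
    """Aggregate currency (cash) per customer per business day; a CTR is due when the total
    exceeds the threshold, even if every individual transaction is below it."""
    totals = defaultdict(float)
    for t in txns:
        if t.method == "cash":
            totals[(t.customer_id, t.ts.date())] += t.amount
    return {k: v for k, v in totals.items() if v > CTR_THRESHOLD}


def run_rules(txns):
    """Run every monitoring rule and return the combined alert list for analyst review."""
    return rule_large_transaction(txns) + rule_velocity(txns) + rule_structuring(txns)


def sample_txns():
    """Constructed sample transactions for illustration (not real data)."""
    d, h = datetime(2026, 6, 23, 9, 0), timedelta(hours=1)
    return [
        # C1: three cash deposits just under $10,000 on one day -> structuring alert + CTR aggregation
        Txn("t1", "C1", d, 9_500.00, "cash"),
        Txn("t2", "C1", d + 2 * h, 9_400.00, "cash"),
        Txn("t3", "C1", d + 4 * h, 9_600.00, "cash"),
        # C2: six small card purchases within two hours -> velocity alert
        *[Txn(f"t{10 + i}", "C2", d + i * timedelta(minutes=20), 200.00, "card") for i in range(6)],
        # C3: a single $12,000 wire -> large-transaction alert only (not currency, so no CTR)
        Txn("t20", "C3", d, 12_000.00, "wire"),
        # C4: two ordinary card purchases -> no alert
        Txn("t30", "C4", d, 400.00, "card"),
        Txn("t31", "C4", d + 3 * h, 350.00, "card"),
    ]


if __name__ == "__main__":
    for a in run_rules(sample_txns()):
        print(a.rule, a.customer_id, a.txn_ids, a.detail)
    print("CTR candidates:", ctr_candidates(sample_txns()))
```

Two points the code makes that the prose does not: structuring detection and CTR aggregation are the same per-person, per-business-day aggregation viewed from opposite sides of the threshold, so they should share one aggregation key; and the velocity rule is deduplicated to one alert per customer so that a burst of small transactions does not itself flood the analyst queue.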

10. RECORDKEEPING 

The Company retains the following records for a minimum of five (5) years from the date of customer relationship termination or transaction completion, whichever is later: 

● Customer identification and verification records (CIP/CDD/EDD documentation) 

● Transaction records (date, amount, parties, payment instrument, counterparty wallet addresses where applicable) 

● SARs, CTRs, and supporting analysis

● Sanctions and PEP screening results 

● Training records 

● Risk assessments and internal audit reports 

Records are stored securely with access restricted to authorized personnel. 

11. EMPLOYEE TRAINING 

All employees with customer-facing, compliance, operational, or fraud responsibilities receive AML training: 

● Upon hire (within 30 days) 

● Annually thereafter 

● Ad hoc when material regulatory or policy changes occur 

Training covers: AML/BSA legal framework, red flags relevant to the Company's products, SAR triggers, sanctions screening, the employee's role in the program, and consequences of non-compliance. Training completion is tracked and recorded. 

12. INDEPENDENT REVIEW 

The Company conducts an independent review of its AML program at intervals of 12 to 18 months, commensurate with its risk profile, performed by a qualified internal team independent of compliance operations or by an external firm. The review evaluates: 

● Program design and adequacy 

● Operational effectiveness of controls 

● Quality of SAR and CTR filings 

● Training effectiveness 

● Recordkeeping compliance 

Findings are reported in writing to executive leadership with a documented management response and remediation plan. 

13. HIGHER-RISK CUSTOMERS, PRODUCTS, AND GEOGRAPHIES 

The Company restricts or prohibits relationships with:

● Customers domiciled in or transacting from comprehensively sanctioned jurisdictions (currently: Cuba, Iran, North Korea, Syria, Crimea/Donetsk/Luhansk regions, and any others designated by OFAC) 

● Shell companies without identifiable beneficial ownership 

● Unlicensed money services businesses 

● [Crypto-specific] Wallets or counterparties with confirmed exposure to darknet markets, ransomware, mixers (above policy threshold), or sanctioned addresses 

The ACO maintains the full list of prohibited and restricted activities and reviews it at least annually. 

14. GEOGRAPHIC CONTROLS 

The Company employs IP geolocation, IP reputation screening, and matching of the customer's KYC-verified jurisdiction to enforce geographic restrictions. Traffic geolocated to a restricted jurisdiction is blocked, as is access that uses VPN, Tor, or proxy infrastructure to obscure the user's location, via [vendor name]. Because IP-based controls are probabilistic, the KYC-verified jurisdiction remains the control of record for any customer whose location cannot be established. 

15. REPORTING AND GOVERNANCE 

The ACO provides written reports on the AML program to executive leadership and the Board (or equivalent governance body) at least quarterly. Reports include: 

● Alert volumes and disposition 

● SARs and CTRs filed 

● Material changes in customer or product risk 

● Training completion rates 

● Open audit findings and remediation status 

16. POLICY REVIEW AND UPDATES 

This Policy is reviewed and approved by the ACO, Francesca K. Augustine, at least annually, and updated upon material regulatory changes, new product launches, or significant findings from independent reviews.