Anti-Money Laundering & Customer Verification Policy
1. Our Commitment
M-STROKE Ltd. (the “Company”, “we”) is committed to preventing money laundering, terrorist financing, sanctions evasion, and any other form of financial crime within the M-STROKE token ecosystem.
Although the issuance of utility tokens is not, in itself, a regulated activity under the Virtual Assets Service Providers Act, 2022 of the British Virgin Islands, we voluntarily apply controls aligned with international best practice, including the Recommendations of the Financial Action Task Force (FATF) and the BVI Anti-Money Laundering and Terrorist Financing Code of Practice.
This Policy summarises, in plain language, the principles and procedures we follow for anti-money laundering and counter-terrorist financing (AML/CFT), customer verification (KYC and KYB), and transaction monitoring (KYT). It is intended for our users, partners, and the public. Detailed internal procedures and methodologies are maintained separately and are available to regulators on request.
2. Scope
This Policy applies to:
- All individuals and entities purchasing, holding, or otherwise interacting with M-STROKE tokens;
- All directors, officers, employees, contractors, and third-party service providers acting for the Company;
- All token sale events, distributions, treasury operations, and ecosystem activities run by the Company.
3. Legal & Regulatory Framework
We operate in accordance with applicable British Virgin Islands legislation, including:
- Proceeds of Criminal Conduct Act, 1997 (as amended);
- Anti-Money Laundering Regulations, 2008 (as amended);
- Anti-Money Laundering and Terrorist Financing Code of Practice;
- Terrorist Financing Regulations;
- Virtual Assets Service Providers Act, 2022;
- BVI Sanctions Legislation implementing UN, UK, EU, and US (OFAC) measures.
We also align with international standards issued by FATF, the Egmont Group, and the Basel Committee on Banking Supervision.
4. Governance
The Board of Directors bears ultimate responsibility for the Company’s compliance framework. Day-to-day implementation is led by:
- A Compliance Officer, who develops and oversees AML/CFT policies, training, and customer due diligence; and
- A Money Laundering Reporting Officer (MLRO), who receives suspicious activity reports internally and liaises with the BVI Financial Investigation Agency.
5. Risk-Based Approach
We apply a risk-based approach to compliance: the depth of our due diligence and monitoring is proportionate to the risk presented by each customer, product, and transaction.
Every customer is assigned a risk rating at onboarding and is reassessed on an ongoing basis. Risk is evaluated across multiple factors, including geography (country of nationality, residence, and source of funds; sanctions exposure; FATF status), customer profile (type, ownership structure, PEP status, adverse media), product and channel used, transaction patterns, blockchain risk indicators, and source of funds and wealth.
| Risk Rating | What it Means in Practice |
|---|---|
| LOW | Standard due diligence; annual review. |
| MEDIUM | Standard due diligence with enhanced monitoring; semi-annual review. |
| HIGH | Enhanced Due Diligence (EDD), senior approval, and ongoing event-driven review. |
Detailed scoring criteria, weightings, and operational thresholds form part of our internal compliance manual. They are not published in order to preserve their effectiveness as a control, but are reviewed by our auditors and available to competent authorities upon lawful request.
6. Onboarding & Initial Verification
Verification is required before any user is granted access to financial operations within the ecosystem. During onboarding, we automatically capture standard technical data (IP address, device type, browser, geolocation) and ask the user to complete an electronic questionnaire.
Use of VPN, Tor, or other tools to conceal location, and the provision of false or incomplete information, are treated as risk indicators and may result in denial of service.
7. KYC — Individuals
Information Collected
We collect, at minimum:
- Full name as it appears on the identity document;
- Date and place of birth;
- All current nationalities;
- Country of residence and full residential address;
- Contact details (email, phone number);
- Government-issued identity document (passport, national ID, or driver’s licence);
- Information on occupation, source of funds, and intended activity;
- Tax residency and FATCA/CRS status, where applicable;
- PEP and sanctions declarations.
Verification
Identity verification combines three components:
- Documentary verification: Review of identity-document integrity, security features, and validity;
- Biometric verification: Real-time facial match with liveness detection;
- Proof of address: Utility bill, bank statement, or official correspondence dated within the last three months.
8. KYB — Corporate Clients
Information Collected
For companies, partnerships, trusts, foundations, and other legal entities, we collect, at minimum:
- Legal name, trading names, and registered address;
- Country of incorporation, registration number, and date of incorporation;
- Constitutional documents (certificate of incorporation, memorandum and articles of association);
- Register of directors and shareholders;
- Identification of all Ultimate Beneficial Owners (UBOs) holding 10% or more, directly or indirectly;
- Ownership structure chart;
- Description of business activities and target markets;
- Source of funds and, where applicable, source of wealth;
- Regulatory licences and AML/CTF arrangements, where applicable.
Verification
We cross-check provided data against public registers in the jurisdiction of incorporation, confirm the entity’s active status (Good Standing), and run each director and UBO through the same KYC process used for individuals. Nominee directors and shareholders must be disclosed and the actual beneficiaries identified.
9. Database Screening
In parallel with documentary review, customer data — including the names of directors and UBOs — is screened against:
- International sanctions lists (UN, OFAC, EU, UK HM Treasury, BVI);
- Politically Exposed Persons (PEP) databases, including close family members and known associates;
- Adverse media and law-enforcement watchlists.
Screening is performed at onboarding and on an ongoing basis, with re-screening triggered by updates to any of the relevant lists. In the event of a potential match, onboarding is suspended and the case is escalated to a senior compliance specialist for manual review.
10. Enhanced Due Diligence (EDD)
EDD is applied where the risk of money laundering or terrorist financing is higher than usual, including:
- Politically Exposed Persons (PEPs), their immediate family, and known close associates;
- Customers from high-risk jurisdictions identified by FATF or by our internal risk assessment;
- Customers with complex or opaque ownership structures;
- High-value or unusual transactions inconsistent with the customer’s stated profile;
- Adverse media or intelligence suggesting involvement in financial crime.
EDD includes additional identity verification, source-of-wealth and source-of-funds documentation, written senior management approval, and enhanced ongoing monitoring.
11. Sanctions Compliance
We screen all customers, beneficial owners, directors, and counterparties against international sanctions lists, including:
- United Nations Security Council Consolidated List;
- OFAC Specially Designated Nationals (SDN) List (United States);
- EU Consolidated Financial Sanctions List;
- UK Financial Sanctions List (HM Treasury);
- BVI Sanctions List.
We do not process transactions involving sanctioned persons or entities and we do not accept customers resident in jurisdictions subject to comprehensive sanctions.
12. Prohibited & High-Risk Jurisdictions
We do not accept customers, or process transactions, from jurisdictions subject to comprehensive sanctions or identified by FATF as high-risk and subject to a call for action. As of the effective date, prohibited jurisdictions include:
- North Korea (DPRK), Iran, Myanmar, Syria, Sudan, Cuba;
- Crimea, Donetsk, and Luhansk regions;
- Taliban-controlled regions of Afghanistan;
- Any jurisdiction subject to comprehensive UN sanctions or identified by FATF as subject to a call for action.
Other jurisdictions may be subject to Enhanced Due Diligence based on FATF grey-listing or other risk indicators. The list of restricted and high-risk jurisdictions is reviewed regularly and may change without prior notice.
13. Wallet Ownership Verification
For every blockchain address used to send funds to or receive funds from the ecosystem, we verify that the customer controls the address.
Verification is required:
- At onboarding;
- When a customer adds or changes a registered wallet address;
- When the blockchain-analytics system flags a transaction from an unverified or high-risk wallet;
- During periodic review for higher-risk customers.
We accept the following methods of proof, in order of preference:
- Cryptographic signature: A Company-generated message using the wallet’s private key (preferred);
- Micro-transaction verification: A small randomly generated amount sent to the wallet and returned in full from the same address;
- Official confirmation: From a regulated exchange or licensed custodian, where the wallet is held with such a provider in a FATF-equivalent jurisdiction.
If verification cannot be completed within five business days, or if the result is inconsistent, the transaction is suspended pending further review.
14. Transaction Monitoring (KYT)
Because virtual assets present specific risks, we use blockchain analytics tools to monitor wallets interacting with the M-STROKE ecosystem. We may decline transactions involving wallets associated with:
- Sanctioned addresses;
- Mixers, tumblers, or similar privacy-enhancing services;
- Darknet markets, ransomware, scams, or other known illicit activity;
- Stolen or fraudulent funds.
We also monitor behavioural patterns that may indicate misuse, including:
- Sudden and unexplained increases in transaction volume;
- Structuring — splitting transactions to remain below reporting thresholds;
- Immediate transfer of funds after deposit (transit operations);
- Regular transfers to high-risk jurisdictions without economic rationale;
- Interactions with sanctioned smart contracts or other flagged addresses.
Where a transaction is flagged, it may be suspended pending review. During review, we may ask for supporting documentation (contracts, invoices, statements, or an explanation of the economic rationale). Depending on the outcome, the transaction may proceed, be rejected, or, where appropriate, be reported to the relevant authorities.
15. Periodic Updates (KYC Refresh)
Information becomes outdated over time, so we refresh customer data at intervals proportionate to risk — more frequently for higher-risk customers. Unscheduled updates may be triggered by specific events, including significant changes in transaction volume, expiry of an identity document, a change of residence or nationality, a change of directors or ownership, or the emergence of adverse information.
16. Reporting Suspicious Activity
Where we have reasonable grounds to suspect that a transaction or activity involves the proceeds of crime or the financing of terrorism, we file a Suspicious Activity Report (SAR) with the BVI Financial Investigation Agency. By law, we may not disclose to the customer or any third party that a report has been filed or is being considered (the “tipping off” prohibition).
17. Record-Keeping
We retain customer identification records, transaction records, and compliance documentation for a minimum of five (5) years from the end of the business relationship or the date of the transaction, in line with BVI law. Records are kept securely and accessibly so that they can be produced promptly to a competent authority.
18. Data Protection & Security
Personal data collected for AML/CFT and verification purposes is handled in accordance with applicable data-protection legislation and our Privacy Policy. It is used only for the purposes for which it was collected — including compliance with legal obligations and the prevention of financial crime — and is protected by multiple layers of controls:
- Encryption: Data is stored encrypted (AES-256 or higher) and transmitted over secure protocols (TLS/SSL);
- Access control: Access is granted only to authorised compliance staff on a least-privilege basis;
- Audit trail: Every access to and action on customer data is logged in an immutable system log;
- Secure destruction: Data is securely and irreversibly destroyed at the end of the retention period, unless required for ongoing investigation or legal proceedings.
19. Your Cooperation
Successful verification depends on cooperation. You agree to:
- Provide accurate, complete, and up-to-date information;
- Notify us promptly of any material change to your information, ownership structure, or risk status;
- Respond to reasonable requests for additional documentation;
- Refrain from concealing your location or identity through anonymising tools.
We reserve the right to refuse, suspend, or terminate a relationship where verification cannot be completed, where false or misleading information is provided, or where the activity presents an unacceptable risk.
20. Training
All staff and other relevant persons receive AML/CFT and verification training at induction, at least annually, and whenever there is a material change in our framework, applicable law, or the risk environment.
21. Cooperation with Authorities
We cooperate fully with the BVI Financial Investigation Agency, the BVI Financial Services Commission, and other competent law-enforcement and regulatory authorities in connection with investigations into money laundering, terrorist financing, sanctions evasion, or other financial crime, subject to applicable legal privilege and confidentiality obligations.
22. Policy Review
This Policy is reviewed at least annually, and whenever there is a material change to applicable law, regulatory guidance, our business model, or the risk environment. All amendments require Board approval. The latest version is always published on our website.
23. Contact
Questions regarding this Policy, or requests related to AML/CFT compliance and customer verification, may be addressed to our Compliance Officer at: compliance@m-stroke.com.
APPENDIX 1: PROHIBITED AND HIGH-RISK JURISDICTIONS
The Company applies jurisdictional restrictions in accordance with FATF recommendations, international sanctions regimes, and BVI sanctions legislation.
1. Prohibited Jurisdictions
Customers resident in the following jurisdictions are not permitted to participate in the M-STROKE ecosystem:
| Prohibited Jurisdictions / Regions |
|---|
| North Korea (DPRK) |
| Iran |
| Syria |
| Sudan |
| Crimea Region |
| Donetsk Region |
| Luhansk Region |
| Cuba |
| Afghanistan (Taliban-controlled regions) |
| Any jurisdiction subject to comprehensive United Nations sanctions |
2. High-Risk Jurisdictions (Enhanced Due Diligence Required)
Customers from the following jurisdictions may be accepted only after successful Enhanced Due Diligence (EDD) and formal approval:
| High-Risk Jurisdictions / Regions |
|---|
| Belarus |
| Japan |
| Myanmar |
| Pakistan |
| Russia |
| Yemen |
| Haiti |
| South Sudan |
| Somalia |
| Nigeria |
| Democratic Republic of Congo |
| United States of America (USA) |
| Venezuela |
| Zimbabwe |
| Cambodia |
| FATF grey-listed jurisdictions (as updated periodically) |