AML/CTF Policy and Procedures (MSB-Style; Bridge-Integrated)

1. Purpose and objectives

This AML/CTF Policy and Procedures (the “Policy”) establishes the Company’s risk-based compliance program to prevent, detect, and report money laundering, terrorist financing, and other illicit finance risks associated with the Company’s products and services, including those enabled through the Bridge platform (the “Program”).

Objectives include:

Establish governance, roles, and accountability for AML/CTF compliance.
Implement a documented risk assessment and risk-based controls (CDD/EDD, monitoring, investigations).
Provide for identification and verification of customers (as applicable), including ongoing due diligence.
Provide for recordkeeping and regulatory reporting (as applicable by jurisdiction).
Establish training and independent testing/audit.

2. Scope

This Policy applies to:

The Company, its officers, employees, contractors, and (where applicable) agents.
All customers/users accessing Bridge-enabled services through the Company’s interface.
All products, services, and channels offered under the Program, including fiat on/off ramps, stablecoin/digital asset purchase/sale, custody, payouts, and any future functionality that moves or stores value.

This Policy is intended to be read together with the Company’s Sanctions Policy and Procedures, Transaction Monitoring Policies & Procedures, and the Program Parameters and Definitions.

3. Regulatory and contractual context

The Company will maintain an AML/CTF compliance program consistent with applicable laws and regulatory expectations in the jurisdictions where it operates and offers services.

3.1. U.S. Bank Secrecy Act (BSA) / FinCEN — MSB framing (where applicable)

Where the Company is registered and/or regulated as a U.S. Money Services Business (MSB) or otherwise subject to U.S. BSA obligations, the Company’s program shall be structured to satisfy, at minimum, the following control domains (as applicable to the Company’s activities):

Written AML program: documented policies, procedures, and internal controls; designation of a compliance officer; training; and independent review/testing (commonly referenced under 31 CFR 1022.210).
Suspicious Activity Reporting (SAR): governance to identify, investigate, decide, and file or support filing of SARs; confidentiality controls (commonly referenced under 31 CFR 1022.320).
Currency Transaction Reporting (CTR): governance to identify and file or support filing of CTRs for covered currency transactions and aggregation logic as applicable (commonly referenced under 31 CFR 1010.311 and 1010.306).
BSA recordkeeping / funds transfer recordkeeping (“Travel Rule”): governance to capture, retain, and retrieve required records for covered transfers and other BSA record categories (commonly referenced under 31 CFR 1010.410 and related provisions).
MSB registration: governance to maintain MSB registration and supporting records where required (commonly referenced under 31 CFR 1022.380).

For a control-to-requirement mapping, see the Company’s “FinCEN / BSA Crosswalk (U.S. MSB)” annex and FinCEN’s BSA statutes and regulations hub: https://www.fincen.gov/resources/statutes-and-regulations/bank-secrecy-act.

Where Bridge provides services to Users and performs identity verification and transaction monitoring in accordance with its compliance program, the Company will:

Maintain a Company-side AML/CTF program appropriate to its role in the Program.
Cooperate and support Bridge’s onboarding, eligibility, and monitoring obligations by providing accurate and up-to-date user information and assisting with identity verification as reasonably requested.
Monitor user usage of the services and report suspicious activity and user complaints to Bridge in accordance with the agreed escalation process.

These allocation principles reflect the roles described in Bridge’s developer agreement (including responsibilities relating to user information, credential security, consent to Bridge terms/policies, monitoring and reporting, and delivery of disclosures/receipts). See Bridge developer agreement: Bridge Developer Agreement.

4. Governance and accountability

4.1. Compliance Officer / MLRO

The Company shall appoint a Compliance Officer / MLRO with authority, independence, and resources to implement and maintain this Policy. Responsibilities include:

Owning the AML/CTF risk assessment and risk-based program design.
Overseeing customer due diligence controls and escalations.
Overseeing transaction monitoring governance and investigations workflow.
Determining whether suspicious activity should be escalated to Bridge and/or reported to relevant authorities (as applicable), and ensuring required filings are made by the responsible party.
Ensuring timely responses to Bridge compliance requests, law enforcement requests, and regulator examinations (as applicable).

4.2. Roles and responsibilities (summary)

The Company will maintain a documented responsibilities matrix (RACI) that, at minimum, covers:

User onboarding steps (data capture, identity verification, eligibility decisions).
Ongoing due diligence and periodic review.
Sanctions screening (who screens, when, tools used, escalation).
Transaction monitoring (who monitors, scenarios, alert handling, reporting).
Case management, evidence retention, and recordkeeping.
User complaints intake and escalation to Bridge.
Incident handling and suspicious activity escalation.

4.3. Three lines of defense

First line (Operations / Product / Support): user interactions, data quality checks, escalation of red flags, executing holds/closures per procedure.
Second line (Compliance): policies, oversight, investigations, approvals, reporting governance, training.
Third line (Independent testing/audit): periodic independent testing of the AML/CTF program.

5. AML/CTF risk assessment (enterprise and product)

5.1. Methodology

The Company maintains a written risk assessment using a documented methodology that considers:

Customer risk: individuals vs businesses, industry, PEP status, adverse media, source of funds/wealth, prior behavior.
Geographic risk: residence/incorporation and transaction counterparties; high-risk jurisdictions.
Product/service risk: on/off ramps, custody, payouts, speed/irreversibility, third-party rails, use of stablecoins.
Channel risk: remote onboarding, device/behavior risk, API access.
Transaction risk: size, velocity, structuring patterns, layering, unusual flows.
Third-party/vendor risk: Bridge and other vendors (KYC/KYB, screening, analytics, payments).

5.2. Risk scoring and segmentation

Users are assigned a risk rating (e.g., Low/Medium/High) at onboarding and updated dynamically based on:

CDD/EDD outcomes,
sanctions/PEP/adverse media results,
changes in user profile,
transaction behavior and monitoring outcomes,
external intelligence (fraud signals, blockchain analytics, law enforcement inquiries).

5.3. Review frequency

The risk assessment is reviewed at least annually and upon material changes to products, geographies, partners, or risk events.

6. Customer due diligence (CDD)

6.1. General principle

The Company applies risk-based due diligence to understand who the customer is, what they will use the service for, and whether their activity is consistent with a legitimate profile.

6.2. Customer identification and verification (CIP/KYC/KYB)

Depending on the operating model and division of responsibilities with Bridge:

The Company captures required identity and profile information in the user interface.
Bridge (and/or designated providers) may perform identity verification required to receive Bridge services.
The Company will ensure the user provides required consents and acknowledgements prior to accessing Bridge services, including acceptance of Bridge’s user terms and privacy policy where required.

Minimum data elements (configure per jurisdiction and user type) include:

Individuals: full legal name, DOB, address, government ID, email/phone, nationality, tax identifiers (as applicable).
Businesses: legal name, registration number, address, business activity, beneficial owners/controllers, authorized users, formation documents (as applicable).

6.3. Purpose and intended nature of relationship

At onboarding (and when refreshed), the Company collects sufficient information to understand:

expected use cases (e.g., payroll, remittance, commerce payments, treasury),
expected transaction volume and frequency,
funding sources and payout destinations,
relevant counterparties (if known).

6.4. Beneficial ownership (business customers)

For business users, the Company obtains and validates beneficial ownership and control information as required by applicable law and program policy, including:

identification of ultimate beneficial owners above the applicable threshold,
identification of control persons,
verification and screening of beneficial owners and control persons.

6.5. Ongoing due diligence (ODD)

The Company maintains ongoing due diligence processes to:

refresh customer information on a schedule and upon triggers,
monitor for changes in sanctions/PEP/adverse media status,
update risk ratings based on behavior and alerts,
ensure data accuracy for Bridge and other vendors as required.

7. Enhanced due diligence (EDD)

7.1. When EDD is required

EDD is required for higher-risk users and situations, including (non-exhaustive):

PEPs and their close associates/family members.
High-risk industries or business models (including those with AML exposure).
Complex ownership structures or nominee arrangements.
Unusual source of funds/wealth or inability to reasonably explain economic purpose.
Elevated geographic risk.
Repeated monitoring alerts or suspicious patterns.

7.2. EDD measures

EDD may include:

additional verification and corroboration of identity and ownership,
source of funds and source of wealth information and supporting documentation,
enhanced sanctions and adverse media review,
senior compliance approval prior to activation and/or prior to certain activity,
tighter monitoring thresholds and controls (limits, velocity controls, pre-approval of payouts).

8. Prohibited and restricted activity

The Company prohibits use of the Program for unlawful activity and for categories restricted or prohibited by policy and by partner rules. The Company will align with Bridge’s prohibited activities list and any additional restrictions imposed by payment rails, banking partners, and applicable laws.

The Company implements:

onboarding controls to prevent prohibited activity,
ongoing monitoring to detect prohibited use,
enforcement actions (reject/hold/close) per procedure and consistent with contractual responsibilities.

9. Transaction monitoring and suspicious activity escalation

The Company maintains transaction monitoring governance appropriate to its role, including:

defining monitoring responsibilities between the Company and Bridge,
monitoring user behavior signals available to the Company (account actions, device/IP risk, support interactions),
reviewing alerts and user behavior anomalies,
escalating suspicious activity to Bridge promptly with adequate detail.

Detailed procedures are set forth in the Company’s Transaction Monitoring Policies & Procedures.

10. Investigations, holds, and offboarding

10.1. Case initiation

Cases may be initiated by:

system-generated monitoring alerts,
sanctions screening alerts,
customer support complaints,
partner notifications (Bridge, banks, PSPs),
law enforcement inquiries,
internal fraud signals.

10.2. Investigation standards

Investigations must be documented in a case management system and include:

the triggering event and date/time,
data reviewed (KYC/KYB, transactional history, device signals, blockchain analytics where applicable),
actions taken (holds, requests for information, limits),
disposition and rationale,
escalation actions and communications (including to Bridge),
retention of evidence and approvals.

10.3. Customer requests for information (RFI)

Where additional information is needed, the Company may request:

explanation of activity and economic purpose,
source of funds documentation,
invoices/contracts,
ownership/authorization documentation for businesses.

10.4. Holds, restrictions, and termination

The Company may apply risk-based restrictions, including:

temporary holds pending review,
reduced limits or additional verification steps,
suspension or termination consistent with contract terms and applicable law.

Where Bridge controls certain user access actions, the Company will coordinate with Bridge per escalation procedures.

11. Recordkeeping and data retention

The Company retains records sufficient to demonstrate compliance with this Policy, including:

onboarding and due diligence information and verification results (as applicable),
consents and user acknowledgements,
risk assessments and risk rating changes,
monitoring alerts, investigations, and outcomes,
sanctions screening logs and decisions,
communications with Bridge and other partners regarding compliance matters,
required reports/filings evidence (where applicable).

Retention period: see the Program Parameters and Definitions.

12. Regulatory reporting and law enforcement requests (as applicable)

12.1. Suspicious Activity Reporting (SAR) governance (U.S. MSB context; where applicable)

Where SAR obligations apply and the Company is the filing party, the Company shall maintain written procedures to:

Identify potentially suspicious activity from monitoring alerts, internal fraud signals, user behavior indicators, partner notifications, and support complaints.
Investigate and document relevant facts and supporting evidence in a case file.
Decide whether activity is suspicious based on an articulable basis and whether a SAR filing is required under applicable rules.
File SARs via the designated filing method (e.g., BSA E-Filing) within required timeframes, and retain filing confirmations and supporting documentation.
Maintain confidentiality of SARs and SAR-related information consistent with applicable restrictions (no “tipping off”).

Where Bridge is the filing party for Bridge-enabled services, the Company shall maintain procedures to escalate suspicious activity to Bridge promptly, including:

user identifiers and relevant KYC/KYB profile information available to the Company,
transaction IDs/timestamps/amounts/rails/assets,
device and behavioral signals (IP/device, velocity, account changes),
supporting documents and user communications (if any),
the Company’s preliminary assessment and recommended actions (hold/limit/suspend/EDD).

12.2. Currency Transaction Reporting (CTR) governance (where applicable)

Where CTR obligations apply, the Company shall maintain written procedures to:

identify covered currency transactions and applicable aggregation logic,
determine whether the Company or a partner (Bridge/PSP/bank) is the filing party for each covered flow,
support the filing party with accurate data and documentation,
retain evidence of determinations and filings/confirmations.

12.3. BSA recordkeeping / funds transfer recordkeeping (“Travel Rule”) (where applicable)

Where recordkeeping obligations apply to funds transfers/transmittals of funds and other covered records, the Company shall maintain written procedures to:

define which Program events constitute covered “funds transfers” or “transmittals” in the Company’s operating model,
ensure required originator/beneficiary and transaction details are captured in system logs and/or partner data feeds,
ensure integrity and retention controls (immutability, access control, audit logs),
perform periodic retrieval tests to demonstrate the ability to produce records for examinations and lawful requests.

12.4. Law enforcement and regulator requests

The Company shall maintain procedures to:

route subpoenas/summons/production orders to Compliance/Legal only,
preserve and collect responsive records with chain-of-custody where appropriate,
coordinate with Bridge where responsive records relate to Bridge-performed services and Bridge is the record custodian,
document the request, response package, and closure.

12.5. Confidentiality and restrictions on disclosure