This Policy sets out how Cryptoway approaches AML, CFT, sanctions and the prevention of financial crime across its cryptocurrency payment services. It applies to merchants, users, partners and to the accounts, APIs and payment functions they use.
This Policy works together with the Terms of Service and the Privacy Policy. Where this Policy refers to a measure Cryptoway “may” take, the decision is made on a risk basis and may differ between cases.
AML — anti-money laundering. CFT — counter-terrorist financing. KYC — Know Your Customer, the verification of a customer’s identity. KYB — Know Your Business, the verification of a legal entity and its ownership.
KYT — Know Your Transaction, the assessment of the risk of a cryptocurrency transaction, address or chain of activity. CDD — customer due diligence. EDD — enhanced due diligence. PEP — politically exposed person. UBO — ultimate beneficial owner. STR — suspicious transaction report.
Cryptoway designs its controls with international AML/CFT standards in mind, including the recommendations of the Financial Action Task Force (FATF) and applicable laws of the jurisdictions in which it and its partners operate.
Cryptoway is MiCA-aware and follows developments in cryptocurrency regulation. References to standards describe the design intent of our controls and are not a claim of certification, licensing or supervision by any specific authority.
Our programme is built on a risk-based approach, proportionality, customer due diligence, ongoing monitoring, recordkeeping and cooperation with competent authorities where lawfully required.
Controls are applied where they are relevant to the assessed risk; low-risk activity may proceed with lighter checks, while higher-risk activity may trigger additional measures.
Cryptoway may apply different levels of review to different users, merchants, partners, operations and platform functions. Risk assessment may consider business type, countries of registration and operation, customer categories, transaction volume and frequency, currencies and networks, address exposure to high-risk activity, account behaviour and the quality of documents provided.
Before onboarding or during service, Cryptoway may request company details, ownership structure, directors, representatives, beneficial owners, identity documents, website, product, services, payment scenario, licences, permits, customer countries, source of funds and expected transaction volume.
If information is not provided, is inaccurate, incomplete or insufficient to complete risk assessment, Cryptoway may refuse onboarding, restrict functions or terminate service.
Where verification is required, Cryptoway may ask an individual to confirm full name, date of birth, citizenship or residence and an official identity document, and may ask a legal entity to confirm its registration, address, directors and ownership.
Cryptoway may rely on independent and reliable sources, documents or third-party verification providers to confirm the information provided.
Cryptoway may apply different verification levels depending on risk, transaction amount, jurisdiction and account activity. Reaching certain thresholds or risk indicators may require additional information before service continues.
Verification requirements may change over time as risk, activity or applicable law change.
For legal entities, Cryptoway may identify the natural persons who ultimately own or control the business and may request ownership charts, registers or supporting documents.
Where ownership is layered, opaque or cannot be reasonably established, Cryptoway may apply enhanced measures or decline service.
Where a person acts on behalf of a merchant or entity, Cryptoway may verify that person’s identity and authority to act before granting access or processing operations.
Higher-risk relationships — including certain jurisdictions, business categories, complex structures, or politically exposed persons (PEPs) and their close associates — may be subject to enhanced due diligence.
Enhanced measures may include additional documents, source-of-funds and source-of-wealth checks, additional approval and closer ongoing monitoring.
Cryptoway does not permit use of the platform by persons, organisations, addresses, businesses or operations where such use would violate applicable sanctions, prohibitions, restrictions or requirements of competent authorities.
Cryptoway may screen users, entities, representatives and beneficial owners against sanctions and watchlists, and may refuse, suspend or restrict service where a match or unacceptable risk is identified.
KYT means Know Your Transaction: understanding and assessing the risk of a cryptocurrency transaction, address or chain of activity. Cryptoway may analyse public blockchain addresses, transaction hashes, inbound and outbound address links, amount, currency, network, transaction frequency, mismatch with the stated business profile and anomalous account behaviour.
Cryptoway may use internal rules and third-party analytics tools to support this assessment. Where risk is increased, Cryptoway may request explanations, documents, source-of-funds information, payment purpose details or other materials needed to make a decision.
Where risk indicators are present, Cryptoway may ask for information or documents about the origin of funds or wealth involved in an operation, and may pause or decline processing until a satisfactory explanation is provided.
Relationships and activity may be monitored on an ongoing, risk-based basis. Cryptoway may re-assess risk, update verification requirements and review activity that is inconsistent with the known profile of a merchant or user.
Cryptoway may not be used for, and the following are prohibited:
Cryptoway may restrict or refuse service connected with jurisdictions that are subject to comprehensive sanctions, are designated as high-risk, or where service would breach applicable law. The applicable list may change over time.
If elevated risk, suspicious activity, incomplete information or a possible breach is identified, Cryptoway may request additional documents, temporarily restrict the account, API, invoices or functions, refuse a specific operation, place funds or settlement on hold pending review, suspend onboarding or terminate service.
Such measures are applied on a risk basis and in accordance with this Policy and the Terms of Service.
Where Cryptoway identifies activity it reasonably believes to be suspicious, it may record and escalate the matter internally and, where legally required or permitted, report it to the relevant authority.
Where applicable law requires it, Cryptoway may be restricted from disclosing that a report has been made.
Cryptoway may cooperate with competent authorities, regulators, law enforcement and courts where a lawful and applicable request exists. To the extent permitted by applicable law, Cryptoway may provide information about an account, merchant, transaction, address, documents, logs or other activity.
Cryptoway may retain documents, logs, review results, transaction data, communications and internal decisions for the period required by applicable law and for as long as necessary for AML/CFT, compliance, tax, legal records, dispute resolution and audit.
Information collected for AML/CFT purposes is handled in line with the Privacy Policy and applicable data-protection law. Access is limited to those who need it for compliance, legal or operational purposes.
Cryptoway maintains internal responsibility for AML/CFT compliance and reviews its controls as its services, risks and applicable law evolve. Relevant staff may receive AML/CFT guidance appropriate to their role.
The merchant must use Cryptoway only for lawful activity, provide accurate and current information, comply with applicable law in the countries where it is registered, operates and serves customers, hold required licences and permits, review its own customers and operations as applicable to its business, avoid accepting payments for prohibited goods, services or schemes, and respond to Cryptoway requests in time.
Cryptoway does not replace the merchant’s own legal, tax, AML, KYC/KYB or industry-specific review.
AML/CFT measures are applied on a reasonable, risk-based and best-effort basis. No screening or monitoring can detect every risk, and the application of these measures does not guarantee that any particular transaction, address or counterparty is lawful or risk-free.
Cryptoway may update this Policy from time to time to reflect changes in its services, risks or applicable law. The current version is the one published on this page.
Questions about this Policy can be sent to the compliance team.