AML/KYC Policy
Last updated: February 2026
1. Purpose of the Policy
Kotova ("Kotova," "we," "us," or "our") is a company committed to common standards of Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) compliance. This policy outlines our approach to Know Your Customer (KYC) procedures and our commitment to preventing the misuse of our non-custodial exchange services for illicit purposes.
We operate in accordance with applicable international regulations. Our policies are designed to detect, prevent, and report money laundering, terrorist financing, and other financial crimes.
Kotova adopts a risk-based approach to AML/KYC compliance, meaning the level and intensity of due diligence measures are proportional to the assessed risk of each transaction or user interaction. This approach allows us to allocate compliance resources efficiently while maintaining robust protections against financial crime.
As a non-custodial exchange, Kotova does not hold, store, or manage user funds at any time. Transactions are executed directly between blockchain addresses, and users retain full control of their private keys and wallets. Nevertheless, we recognize our obligation to prevent our infrastructure from being exploited for money laundering or terrorist financing purposes.
2. When KYC Applies
Kotova does not require account registration to use its services. Users may initiate exchanges without providing personal identification data in the ordinary course of business. However, identity verification (KYC) may be required under the following specific circumstances:
- Fraud Reports: When a transaction is flagged by our systems or by a third party as potentially fraudulent, Kotova reserves the right to require identity verification before processing or completing the transaction.
- Law Enforcement Requests: When a valid, legally binding request is received from a competent law enforcement authority, regulatory body, or court of competent jurisdiction requiring help identifying a crypto address or the freezing of a transaction.
- Sanctions Screening Matches: When a sending or receiving crypto address matches entries on international sanctions lists maintained by the United Nations, European Union, OFAC, or other relevant authorities.
Kotova acknowledges that it has no authority or control over Know Your Customer (KYC) procedures or asset handling practices initiated by external counterparties or third-party service providers. While Kotova carefully vets and lists only counterparties that meet our standards and maintain responsible compliance practices, any KYC processes conducted by such external parties, including but not limited to the potential freezing or indefinite holding of user funds pending verification completion, remain entirely outside Kotova's jurisdiction and control.
Notwithstanding the above, Kotova commits that when Kotova itself serves as the transacting counterparty, any failed KYC verification process resulting from a user's failure to submit required documentation within the specified timeframe shall result in transaction cancellation and the return of funds to the originating address, unless Kotova is legally prohibited from doing so by a valid court order or binding directive from a competent law enforcement authority or financial regulator. In all other circumstances involving external counterparties, users acknowledge and accept that they bear the risk of potential asset holds or freezes initiated by such third parties.
To mitigate the risk of funds being subject to restrictive KYC procedures by external counterparties, users are strongly advised to: (i) exercise careful due diligence in selecting counterparties for transactions; (ii) review each counterparty's published compliance policies and KYC requirements prior to initiating any transaction; and (iii) where such risk mitigation is desired, utilize exclusively Kotova X as the sole counterparty, thereby ensuring that all KYC procedures are subject to Kotova's documented commitment to fund return in cases of verification failure, except where legally mandated otherwise. Users are responsible for evaluating counterparty risk and making informed decisions regarding transaction routing and counterparty selection.
Users who are requested to complete verification must do so within the timeframe specified in the verification request. Failure to comply may result in the suspension or cancellation of the affected transaction.
3. How Verification Works
When identity verification is required, Kotova utilizes reputable third-party identity verification providers to conduct the KYC process. We do not directly store copies of identity documents on our servers. The verification process is handled through secure, encrypted channels provided by our verification partners.
3.1 Documents Required
Depending on the level of due diligence required, users may be asked to provide one or more of the following:
- Government-Issued Photo ID: A valid passport, national identity card, or driver's license. The document must be current (not expired), legible, and display the user's full legal name, date of birth, and photograph.
- Proof of Address: A utility bill, bank statement, or government-issued document dated within the last three (3) months, showing the user's full name and residential address.
- Proof of Funds / Source of Funds: Documentation demonstrating the legitimate origin of the funds involved in the transaction, such as bank statements, payroll records, tax returns, sale agreements, or other verifiable financial records.
- Selfie / Liveness Check: A real-time photograph or video verification to confirm that the person submitting the documents is the legitimate holder of the identity document.
3.2 Verification Window
Upon receiving a KYC request, users are granted a reasonable verification window to submit the required documents. Kotova may extend this window on a case-by-case basis where circumstances warrant additional time. During the verification period, the affected transaction may be placed on hold.
3.3 Consequences of False or Misleading Information
Providing false, forged, or misleading identity documents or information constitutes a serious violation of this policy and applicable law. In such cases, Kotova reserves the right to:
- Immediately terminate the transaction and permanently block the associated wallet addresses from using our services.
- File a Suspicious Activity Report (SAR) with the relevant Financial Intelligence Unit (FIU), including the German FIU (Zentralstelle für Finanztransaktionsuntersuchungen).
- Report the incident to law enforcement authorities in accordance with our legal obligations under the GwG and applicable criminal law.
- Retain all data associated with the fraudulent verification attempt for evidentiary purposes, in compliance with applicable data retention laws.
- Return all funds associated with the fraudulent transaction to the originating blockchain address where technically possible, unless legally prohibited from doing so by a valid court order or binding directive from a competent law enforcement authority.
4. Transaction Monitoring
Kotova employs automated risk analysis tools and blockchain analytics to continuously monitor transactions processed through our platform. These systems are designed to detect patterns and behaviors that may indicate that funds originate from fraud or theft, or may be associated with terrorist financing or other illicit activity.
4.1 Risk Scoring
Each transaction processed through Kotova is assigned a risk score based on multiple factors, including but not limited to: the transaction amount, the jurisdictions involved, the history and behavior of the associated wallet addresses, the cryptocurrency type, and known exposure to darknet markets, mixers, or other high-risk services. Transactions exceeding defined risk thresholds are automatically flagged for enhanced review.
4.2 Actions Upon Detection
When suspicious patterns or high-risk indicators are detected, Kotova may take one or more of the following actions:
- Transaction Hold: The transaction may be temporarily suspended pending further review. The user will be notified that their transaction is under review and may be asked to provide additional information or complete KYC verification.
- Request for Clarification: Kotova may contact the user to request additional context regarding the purpose, origin, or destination of the funds involved in the transaction.
- Enhanced Due Diligence Review: The transaction may be escalated to our compliance team for a manual review. This may include deeper blockchain analysis, cross-referencing with external databases, and consultation with our legal counsel.
- Transaction Rejection: If the review determines that the transaction poses an unacceptable risk or if the user fails to provide satisfactory information, the transaction may be rejected. Funds will be returned to the originating address where technically feasible.
- Suspicious Activity Reporting: Where required by law, Kotova will file a Suspicious Activity Report (SAR) with the competent Financial Intelligence Unit without prior notification to the user, in accordance with Section 43 GwG (tipping-off prohibition).
5. Cooperation with Law Enforcement
Kotova is committed to cooperating with law enforcement agencies and regulatory authorities in the prevention and investigation of financial crime. We will share information with such authorities only in response to valid, lawful requests.
For Kotova to process a law enforcement request, the following requirements must generally be met:
- The request must originate from a competent law enforcement authority, regulatory body, or court of competent jurisdiction.
- The request must be made in writing and must clearly identify the legal basis for the disclosure (e.g., court order, subpoena, or statutory authority under the GwG, StPO, or equivalent legislation).
- The request must specify the particular information sought and the purpose for which it is required, with sufficient particularity to allow Kotova to identify the relevant records.
- The request must comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), and must be proportionate to the legitimate aim pursued.
Kotova will not voluntarily disclose user information to third parties absent a valid legal obligation. All law enforcement inquiries should be directed to legal@kotova.io.
In urgent cases where there is an imminent risk to life or public safety, Kotova may expedite the processing of law enforcement requests. We may also proactively report information to the competent FIU where we have reasonable grounds to suspect that a transaction involves the proceeds of crime or is related to terrorist financing, as required under Section 43 GwG.
6. Data Handling and Privacy
The collection, processing, and storage of personal data in connection with KYC and AML procedures is governed by our Privacy Policy, which should be read in conjunction with this AML/KYC Policy. All personal data processing activities are conducted in strict compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).
Kotova adheres to the principle of data minimization. We collect only the personal data that is strictly necessary for the specific compliance purpose at hand. Identity verification data is processed by our third-party verification partners and is not stored on Kotova's servers beyond what is required by law.
Where KYC data is collected, it is retained for the minimum period required by applicable law. Under Section 8 GwG, records relating to due diligence measures and transaction documentation must be retained for a period of five (5) years after the end of the business relationship or the completion of the transaction, unless a longer retention period is mandated by other applicable legislation.
Users have the right to access, rectify, and — subject to legal retention obligations — request the deletion of their personal data. Requests should be directed to legal@kotova.io. Please note that certain data may be exempt from deletion requests where retention is required by law for AML/CTF compliance purposes.
7. User Responsibilities
By using Kotova's services, users agree to the following obligations:
- Lawful Use Only: Users shall not use Kotova's services for any purpose that is unlawful, fraudulent, or in violation of any applicable local, national, or international law or regulation. This includes, but is not limited to, money laundering, terrorist financing, tax evasion, sanctions evasion, fraud, and the purchase or sale of illegal goods or services.
- Truthful Information: When requested to provide information or documentation in connection with a KYC or compliance check, users must provide accurate, complete, and truthful data. The submission of false, misleading, or forged documents is strictly prohibited and may constitute a criminal offense under German law.
- Cooperation with Verification: Users must cooperate promptly and fully with any KYC verification request or compliance inquiry initiated by Kotova. This includes responding to requests for information within the specified timeframe and providing any additional documentation or clarification as reasonably requested.
Failure to comply with these obligations may result in one or more of the following consequences:
- Suspension or cancellation of pending transactions.
- Temporary or permanent restriction from using Kotova's services.
- Filing of Suspicious Activity Reports with the competent Financial Intelligence Unit.
- Referral to law enforcement authorities where there are reasonable grounds to suspect criminal activity.
8. Sanctions Compliance
Kotova maintains a comprehensive sanctions compliance program. All transactions are screened against applicable international sanctions lists, including but not limited to:
- United Nations Security Council Consolidated List of individuals and entities subject to sanctions measures.
- European Union Consolidated Financial Sanctions List maintained pursuant to EU Council Regulations.
- U.S. Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List (SDN List).
- German Federal Financial Supervisory Authority (BaFin) sanctions and embargo lists.
Users are prohibited from using Kotova's services if they are located in, organized under the laws of, or residents of a jurisdiction subject to comprehensive sanctions imposed by the European Union, the United Nations, or OFAC. Kotova reserves the right to block or restrict access to its services from sanctioned jurisdictions without prior notice.
9. Final Provisions
Kotova reserves the right to update, amend, or modify this AML/KYC Policy at any time to reflect changes in applicable law, regulatory guidance, industry best practices, or our internal procedures. Material changes will be communicated to users through our website. The "Last updated" date at the top of this policy indicates the date of the most recent revision.
Continued use of Kotova's services following the publication of an updated policy constitutes acceptance of the revised terms. Users are encouraged to review this policy periodically to remain informed of our AML/KYC practices.
This policy is governed by and construed in accordance with applicable laws, without regard to conflict of law principles. The courts of Hamburg, Germany, shall have exclusive jurisdiction over any disputes arising in connection with this policy.
If any provision of this AML/KYC Policy is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely approximates the intent of the original.
For questions, concerns, or requests related to this AML/KYC Policy, please contact our legal and compliance team at legal@kotova.io.