AML / KYC policy of Bankcomat online service

Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Policy for Bankcomat.me Cryptocurrency Exchange Service

Effective Date: December 15, 2025

Developed in accordance with international FATF standards and the legislative requirements of the countries where it operates

1. General Provisions

Bankcomat.me (hereinafter referred to as the "Service") is committed to adhering to the highest standards of anti-money laundering (AML) and combating terrorist financing (CTF). This Policy has been developed in accordance with the recommendations of the Financial Action Task Force (FATF), as well as the legal requirements of the jurisdictions in which the Service operates.

The purpose of this Policy is to prevent the use of the Bankcomat.me platform for illegal purposes, ensure compliance with regulatory requirements, protect the reputation of the Service, and enhance the trust of users and regulators.

2. Service Obligations

Bankcomat.me undertakes to:

implement and comply with Know Your Customer (KYC) and Know Your Transaction (KYT) procedures;
conduct risk assessments of clients and transactions;
monitor transactions for suspicious activity;
block assets and suspend transactions if AML/CTF risks are identified;
transfer information to authorized bodies in cases provided for by law;
store personal and transaction data for at least 5 years;
train staff in AML/CTF compliance principles;
ensure the quality and legitimacy of assets transferred to clients, regardless of the direction of exchange and the method of sending them.

All cryptocurrency transactions sent to clients comply with AML requirements of international regulators such as FATF and OFAC. Payments from the Service are processed through:

unique (one-time) crypto addresses;
crypto addresses classified as low-risk in AML analyzer and blockchain explorer databases;
crypto addresses of licensed platforms.

3. Customer identification procedures (KYC)

All users undergo mandatory verification before performing transactions beyond established limits.

For the identification process, Bankcomat.me uses solutions from leading KYC providers with whom it has signed relevant agreements. Based on the verification and data obtained, a decision is made on further interaction with the user.

Identity verification schemes and withdrawal limits

Bankcomat.me strictly adheres to the laws of the country where the organization is located. Therefore, platform users are required to complete a two-level verification process. The first level involves verifying the client"s email address. If successful, the daily withdrawal limit is increased to $10,000 (or the amount of cryptocurrency held by Bankcomat, based on the current exchange rate). The second level involves verifying the client"s identity and address. Once this is successfully confirmed, the client can withdraw up to 100 BTC daily (or the amount of USD held by Bankcomat, based on the current exchange rate).

To carry out this procedure, in accordance with the AML/KYC Policy, the client must obtain:

a) A document confirming identity. It must be valid, reliable, and independent, and must include the client"s first and last name, date of birth, photo, and document series. The client may choose to provide:

internal passport of a citizen of the country;
foreign passport;
driver"s license.

An important point is the following: documents can be accepted as proof of identity if the information contained in them is transliterated into Latin.

b) A document confirming the client"s address of residence for the past three months. In this case, the client may choose to provide:

a certified rental agreement or bank statement;
electricity/utility bills;
tax declaration;
other documents containing the current address where the person has lived for the last 3 months.

An important point is the following: documents can be accepted as proof of address if the information contained in them is transliterated into Latin.

c) A selfie taken by the client showing him/herself holding a piece of paper with the text “Bankcomat.me” and the date.

The company will take specific steps to confirm that all information provided by the client is genuine. This will include methods including double-checking of information, based on legal requirements. If the company has any suspicions regarding the client"s identity, the company reserves the right to refuse cooperation.

The company continually verifies the client"s identity, but this most frequently occurs when the client is engaged in activities deemed "suspicious." Even if the client has previously undergone a documentation check, the company reserves the right to request updated documents again.

Users from jurisdictions blacklisted by FATF, OFAC, the EU, the UN, as well as from countries specified in Appendix No. 1 to this Policy, are not permitted to use the Service.

Regulated deadlines:

to check documents: from 1 to 24 hours;
for EDD: 24 to 72 hours.

4. Transaction monitoring (KYT)

Bankcomat.me uses automated and manual methods to analyze cryptocurrency transactions using solutions from leading providers (including, but not limited to, AMLBot and similar solutions). Monitoring is performed based on the following criteria:

Linking the sender/recipient address to sanctions lists or blacklist clusters (darknet, fraud, stolen funds, etc.).
Using mixers, tumblers or anonymizing protocols (Tornado Cash and similar).
Suspicious patterns:

- multiple small transactions (smurfing);

- abnormal volumes compared to user behavior;

— transfers to newly created wallets;

— operations from high-risk jurisdictions.

Risk scoring for each transaction: Low / Medium / High.

Example of a transaction scoring model based on relevant providers:

Low - the assessment level does not exceed 62% according to the program model ;
Medium - the assessment level does not exceed 70% according to the program model ;
High - the assessment level does not exceed 75% according to the program model.

Please note that all these estimates are the subjective opinion of a particular company (provider) and may not reflect the true source of the assets.

Transactions with a High Risk level are automatically blocked and sent for manual review by an AML officer.

Preliminary AML verification of a cryptocurrency address is available at https://www.bestchange.com/report/ .

5. Client categorization and verification levels

Depending on the risk, clients are divided into three categories:

Low risk : standard CDD check.
Medium risk : enhanced monitoring, periodic re-checking (every 2 years).
High risk : application of Enhanced Due Diligence (EDD) procedures, including:

request for source of funds;
Advanced transaction history analysis;
annual KYC update.

The following are automatically included in the high risk category:

PEP (politically exposed persons, including members of their families and close associates);
Residents of countries from the FATF High-Risk Jurisdictions list;
Clients with a turnover exceeding the equivalent of USD 100,000 per year.

6. Processing suspicious transactions

If signs of money laundering, terrorist financing, or other illegal activity are detected, Bankcomat.me:

immediately pauses the transaction;
blocks the account until the investigation is completed;
generates an internal suspicious transaction report (SAR/STR);
if necessary, informs the competent authorities (including Rosfinmonitoring, FinCEN, EU FIU, etc.).

A client"s refusal to provide requested information or failure to undergo verification is considered grounds for denial of service.

Parameters of the fee for refunds in AML cases.

The fee is up to 5% of the blocked amount, but no more than the equivalent of $100. Refunds are not possible in cases where assets are deemed linked to illegal activity or are subject to withholding by competent authorities.

However, for bona fide clients whose funds, after passing KYC/SoF, are not confirmed as being related to money laundering, the exchange or refund fee is limited only to the network fee.

7. Interaction with third parties

Bankcomat.me:

does not cooperate with platforms registered in jurisdictions with insufficient AML regulation;
conducts due diligence of all counterparties (exchanges, payment providers, API partners);
requires partners to have licenses and comply with international AML standards.

8. Training and internal control

An AML officer has been appointed responsible for implementing and updating this Policy. Contact: [email protected].
All employees undergo mandatory AML/CTF training at least once a year.
Internal audits are conducted quarterly with the participation of independent consultants when necessary.

9. Data storage and protection

All personal and transactional data:

encrypted in accordance with industry best practices;
stored on secure servers in GDPR and MiCA compliant jurisdictions;
accessible only to authorized personnel;
are stored for at least 5 years from the date of termination of the relationship with the client, unless otherwise required by law.

10. Final Provisions

This Policy is an integral part of the Bankcomat.me User Agreement . The Service reserves the right to amend it unilaterally with mandatory notification to users via the website.

All clients using Bankcomat.me services automatically agree to the terms of this AML policy.

---

Appendix No. 1

List of jurisdictions with high AML risk (prohibited territories)

Afghanistan, Iran, North Korea, Syria, Yemen, Libya, Somalia, Cuba, Crimea, Transnistria, Venezuela, Myanmar (Burma), as well as all territories included in the FATF, OFAC, EU and UN lists on the date of the operation.

Contact for reporting suspicious activity:

[email protected]

Responsible AML officer :

[email protected]