AML/CFT Policy

1. Policy Statement & Objectives

Vinance Coin ("VNC", "the Platform", "the Exchange"), operated by Vinance Technologies Pvt Ltd, is committed to the highest standards of Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) compliance. This policy establishes the framework for preventing the misuse of our platform for money laundering, terrorist financing, proliferation financing, or other financial crimes.

Objectives

• Prevent the Platform from being used as a conduit for money laundering or terrorist financing
• Comply with all applicable Indian laws and international standards, including the Prevention of Money Laundering Act (PMLA), 2002
• Implement robust Customer Due Diligence (CDD) and Know Your Customer (KYC) procedures
• Maintain an effective transaction monitoring and suspicious activity reporting system
• Cooperate fully with the Financial Intelligence Unit — India (FIU-IND) and law enforcement agencies
• Ensure compliance with FATF recommendations for Virtual Asset Service Providers (VASPs)
• Protect the integrity and reputation of VNC and the broader financial system

2. Regulatory Framework

This policy is designed in accordance with the following regulatory and legal frameworks:

Indian Regulations

• Prevention of Money Laundering Act (PMLA), 2002 — as amended, including notification dated March 7, 2023 bringing VDA exchanges under PMLA
• PMLA (Maintenance of Records) Rules, 2005 — KYC, record-keeping, and reporting obligations
• Income Tax Act, 1961 — Section 194S (TDS on VDA transfers), Section 115BBH (30% tax on VDA income)
• Foreign Exchange Management Act (FEMA), 1999 — cross-border transaction controls
• Information Technology Act, 2000 — data protection and cyber security
• Digital Personal Data Protection Act (DPDPA), 2023 — personal data processing
• RBI Master Directions on KYC — customer identification and verification standards
• FIU-IND Guidelines — STR, CTR, and NTR filing requirements

International Standards

• FATF 40 Recommendations — including Recommendation 15 (Virtual Assets & VASPs)
• FATF Travel Rule (Recommendation 16) — originator/beneficiary information for VA transfers
• UN Security Council Resolutions — sanctions and counter-proliferation
• Wolfsberg Group Standards — AML/CFT principles for financial institutions

3. Scope & Applicability

This policy applies to:

• All employees, officers, and directors of Vinance Technologies Pvt Ltd
• All customers and users of the VNC Platform — both individual and corporate
• All products and services offered — including spot trading, P2P trading, futures, copy trading, staking, airdrops, wallet services, and fiat on/off ramps
• All types of transactions — crypto-to-crypto, fiat-to-crypto, crypto-to-fiat, internal transfers, and cross-border transfers
• Third-party agents, contractors, and business partners acting on behalf of VNC

The policy covers all Virtual Digital Assets (VDAs) as defined under Section 2(47A) of the Income Tax Act, 1961, including but not limited to: VNC Token, Bitcoin (BTC), Ethereum (ETH), BNB, USDT, and all other listed cryptocurrencies.

4. Governance & Organizational Structure

4.1 Board of Directors

The Board maintains ultimate oversight of the AML/CFT program and approves this policy annually. The Board ensures adequate resources are allocated for compliance.

4.2 Money Laundering Reporting Officer (MLRO) / Principal Officer

The MLRO (designated as "Principal Officer" under PMLA) is responsible for:

• Overseeing day-to-day AML/CFT compliance operations
• Reviewing and filing Suspicious Transaction Reports (STRs) with FIU-IND
• Filing Cash Transaction Reports (CTRs) and Non-Profit Transaction Reports (NTRs)
• Conducting internal investigations of flagged activities
• Liaising with FIU-IND, law enforcement, and regulatory bodies
• Ensuring staff training programs are conducted and documented
• Reporting to the Board on compliance matters at least quarterly

4.3 Designated Director

As required under PMLA, a senior management member is designated as "Designated Director" who ensures overall compliance with PMLA and rules made thereunder.

4.4 Three Lines of Defence

• First Line: Customer-facing teams — responsible for initial CDD, document collection, and reporting suspicious activities to the compliance team
• Second Line: Compliance & Risk team — develops policies, monitors transactions, conducts EDD reviews, and files regulatory reports
• Third Line: Internal Audit — independently reviews effectiveness of AML/CFT controls and reports to the Board

5. Customer Due Diligence (CDD)

CDD is performed at account opening and on an ongoing basis as per the risk profile of the customer.

5.1 Individual Customers

• Level 0 (Email Only): Email verification — daily deposit limit ₹40,000 ($500), no withdrawals, no trading
• Level 1 (Basic KYC): PAN card + selfie verification — daily withdrawal up to ₹8,00,000, daily deposit up to ₹20,00,000
• Level 2 (Full KYC): PAN + Aadhaar + address proof + video KYC — daily withdrawal up to ₹80,00,000, P2P trading enabled
• Level 3 (Institutional/VIP): Board resolution + authorized signatory + source of funds verification — unlimited

5.2 Required Documents (India)

• PAN Card: Mandatory for all Level 1+ accounts (format: ABCDE1234F)
• Aadhaar Card: For address verification and e-KYC (front and back images)
• Selfie / Liveness Check: For biometric matching against documents
• Bank Statement: For source of funds verification (EDD cases)
• Income Tax Returns: For high-value traders (annual volume > ₹50,00,000)

5.3 Ongoing Due Diligence

• Periodic re-verification: every 365 days (configurable)
• Transaction pattern monitoring against customer profile
• Sanctions list re-screening upon list updates
• Risk re-assessment triggered by unusual activity or threshold breaches

6. Enhanced Due Diligence (EDD)

Enhanced due diligence is triggered in the following scenarios:

• High-risk customers: PEPs, customers from high-risk jurisdictions (FATF grey/blacklist)
• High-value transactions: Single transaction exceeding ₹10,00,000 or cumulative monthly > ₹50,00,000
• Unusual patterns: Rapid escalation in transaction frequency or amount, structuring behaviour
• Adverse media matches: Customers linked to criminal activity, fraud, or financial misconduct
• Complex corporate structures: Multi-layered ownership, nominee shareholding, shell entities
• High-risk products: Privacy coins (if supported), cross-chain bridges, mixer-linked addresses

EDD Measures

• Source of wealth and source of funds documentation
• Senior management approval for account opening/continuation
• Enhanced transaction monitoring with lower thresholds
• More frequent CDD reviews (every 6 months vs annual)
• Wallet address risk scoring using blockchain analytics (Chainalysis/Elliptic)
• Identification of beneficial ownership (25% or more ultimate ownership)

7. Transaction Monitoring Framework

VNC implements a real-time, automated transaction monitoring system that screens every transaction against configurable rules and thresholds.

7.1 Monitoring Rules

7.2 Risk Scoring

Each transaction receives a composite risk score (0-100) based on weighted factors:

• Transaction Amount Weight: 25% — higher amounts increase risk
• Transaction Velocity: 20% — rapid transactions indicate higher risk
• KYC Status: 15% — unverified users carry higher risk
• Geographic Risk: 15% — transactions from/to high-risk jurisdictions
• Account Age: 10% — newer accounts carry higher risk
• Behavioral Anomaly: 10% — deviation from established patterns
• Device Risk: 5% — new/suspicious devices

7.3 Auto-Actions

• Risk Score ≥ 70: Automatic escalation to compliance team
• Risk Score ≥ 85: Automatic transaction block pending review
• Risk Score ≥ 90: Automatic account freeze + MLRO notification

8. Suspicious Transaction Reporting (STR)

As mandated under PMLA, VNC files Suspicious Transaction Reports with FIU-IND for transactions that give rise to a reasonable ground of suspicion.

8.1 Filing Obligations

• Filing deadline: Within 7 working days of determining suspicion
• No tipping off: The customer must not be informed about the STR filing
• Regardless of amount: STRs must be filed for suspicious activity of any amount
• Attempted transactions: Even failed/cancelled suspicious transactions must be reported

8.2 Red Flags (Indicators of Suspicion)

• Structuring transactions to avoid reporting thresholds
• Multiple accounts linked to the same identity documents or devices
• Rapid movement of funds in and out (layering behaviour)
• Transactions inconsistent with declared source of income
• Use of mixer/tumbler services, privacy coins, or obfuscation tools
• Receiving funds from high-risk wallet addresses or sanctioned entities
• Frequent cross-border transfers without apparent business purpose
• Refusal to provide KYC documents or providing forged/altered documents
• Activity linked to darknet markets or known illicit services

8.3 Filing Process

1. Automated system flags or employee identifies suspicious activity
2. Compliance team conducts preliminary investigation
3. MLRO reviews findings and makes determination
4. Dual approval by MLRO and Deputy MLRO (or Designated Director)
5. STR filed electronically with FIU-IND via FINnet portal
6. Internal record of filing maintained with case reference

9. Cash Transaction Reporting (CTR)

Cash Transaction Reports are filed with FIU-IND for all transactions (including VDA transactions) exceeding the prescribed threshold.

• Threshold: ₹10,00,000 (Ten Lakh Rupees) or equivalent in a single transaction or series of linked transactions within a month
• Filing deadline: Within 15 days of the month following the transaction
• Format: As prescribed by FIU-IND through the FINnet 2.0 reporting system
• Scope: All fiat deposits/withdrawals, crypto purchases/sales via fiat, and large VDA transfers

10. Sanctions & Watchlist Screening

All customers and their counterparties are screened against global sanctions and watchlists:

10.1 Screening Lists

• OFAC SDN List (United States Treasury)
• UN Security Council Sanctions
• EU Consolidated Sanctions List
• UK HMT Financial Sanctions
• FATF High-Risk & Non-Cooperative Jurisdictions
• India MHA Banned Organizations List
• Interpol Red/Blue Notices (where available)

10.2 Screening Procedures

• Screening at onboarding and upon every update to sanctions lists
• Real-time transaction screening against sanctioned wallet addresses
• Fuzzy name matching with configurable threshold (default: 85%)
• Automatic blocking of transactions involving sanctioned parties
• Immediate account freeze and MLRO notification on confirmed match

10.3 High-Risk Jurisdictions

The following jurisdictions are subject to enhanced scrutiny or complete blocking: Afghanistan (AF), Iran (IR), North Korea (KP), Syria (SY), Yemen (YE), Myanmar (MM), Libya (LY), Somalia (SO), South Sudan (SS), Sudan (SD).

11. Politically Exposed Persons (PEP) Screening

VNC identifies and applies enhanced due diligence to Politically Exposed Persons in accordance with FATF guidance:

• Definition: Individuals entrusted with prominent public functions — heads of state, senior politicians, judicial members, military officials, senior executives of state-owned enterprises, and their family members and close associates
• PEP Database Screening: All customers screened against PEP databases at onboarding and periodically
• EDD for PEPs: Source of wealth verification, senior management approval, enhanced ongoing monitoring
• Domestic PEPs: Treated as high-risk with mandatory EDD
• Foreign PEPs: Subject to full EDD regardless of risk assessment
• International Organization PEPs: Assessed on risk-based approach

12. Risk-Based Approach

VNC employs a risk-based approach to AML/CFT compliance, allocating resources proportionally to identified risks.

12.1 Customer Risk Classification

12.2 Risk Factors

• Customer Risk: Non-resident status, PEP status, adverse media, complex corporate structures
• Geographic Risk: Customer location, counterparty location, FATF grey/blacklist jurisdictions
• Product/Service Risk: Privacy coins, cross-chain bridges, large OTC trades, P2P trading
• Channel Risk: VPN usage, TOR browser, new devices, multiple IP locations
• Transaction Risk: Volume, frequency, counterparty profile, structuring indicators

13. Record Keeping & Data Retention

All records are maintained in accordance with PMLA and other applicable laws:

• KYC Documents: 5 years after account closure or business relationship ends
• Transaction Records: 10 years from the date of transaction (as per PMLA/IT Act)
• STR/CTR Records: 5 years from the date of filing
• AML Alert Records: 7 years from resolution date
• Audit Trail Logs: 7 years (immutable audit trail for all compliance actions)
• Training Records: 5 years from the date of training completion
• Correspondence with FIU-IND: Permanent retention

Records are stored securely with AES-256 encryption at rest and TLS in transit. Access is restricted on a need-to-know basis with full audit trail of who accessed what records and when.

14. Training & Awareness

• Onboarding Training: All new employees receive mandatory AML/CFT training within 30 days of joining
• Annual Refresher: All staff complete annual AML/CFT refresher training
• Role-Specific Training: Enhanced training for compliance team, customer-facing staff, and technology teams
• Board Training: Annual briefing for Board members on AML/CFT developments and emerging risks
• Topics Covered: Typologies of money laundering, red flag indicators, STR filing process, sanctions compliance, crypto-specific risks (mixer detection, chain-hopping, DeFi exploitation)
• Assessment: Training effectiveness measured through tests with minimum pass score of 80%

15. Internal Audit & Review

• Frequency: Independent AML/CFT audit conducted at least annually
• Scope: Effectiveness of CDD procedures, transaction monitoring rules, STR/CTR filing processes, sanctions screening, training adequacy
• External Audit: Annual external audit by a qualified firm as required under PMLA
• Regulatory Compliance Review: Quarterly self-assessment against FIU-IND requirements
• Policy Review: This policy is reviewed and updated at least annually or when there are significant regulatory changes

16. Enforcement & Penalties

Non-compliance with this policy may result in:

• For Customers: Account suspension, transaction blocking, account closure, reporting to FIU-IND/law enforcement
• For Employees: Disciplinary action up to and including termination, and personal criminal liability under PMLA
• Regulatory Penalties: Under PMLA — imprisonment up to 7 years and fine up to ₹5,00,000 for first offence; up to 10 years for subsequent offences

17. Travel Rule Compliance

In accordance with FATF Recommendation 16 (the "Travel Rule"), VNC collects and transmits originator and beneficiary information for virtual asset transfers exceeding the applicable threshold:

• Threshold: $1,000 USD (or INR equivalent) for crypto-to-crypto transfers
• Originator Information: Full name, account number/wallet address, date of birth or national ID
• Beneficiary Information: Full name, account number/wallet address at receiving VASP
• Protocol: Compatible with TRISA, OpenVASP, Sygna, and Notabene travel rule protocols
• Blocking: Transfers above threshold are blocked if Travel Rule data cannot be obtained within the grace window (30 minutes)

18. Whistleblower Protection

• VNC encourages employees and third parties to report suspected violations of this policy
• Whistleblowers are protected from retaliation under our internal policy and applicable Indian laws
• Reports can be made anonymously through our internal reporting channel
• All reports are investigated confidentially by the compliance team
• Contact: compliance@vncexchange.com

19. Contact Information

• 📧 MLRO / Principal Officer: compliance@vncexchange.com
• 📧 Legal Team: legal@vncexchange.com
• 📧 Privacy Officer / DPO: privacy@vncexchange.com
• 📧 General Support: support@vncexchange.com
• 🌐 Website: vncexchange.com

Regulatory Reporting Authority:
Financial Intelligence Unit — India (FIU-IND)
6th Floor, Hotel Samrat, Kautilya Marg, Chanakyapuri, New Delhi — 110021
Portal: fiuindia.gov.in | Helpdesk: 011-24101892