Anti-Money-Laundering Policy

Encoin Limited (trading as Oppi Wallet Exchange) - Comprehensive AML/CTF compliance framework

Document Control

Item | Detail
Version | 1.0
Effective Date | 25/06/2025
Approved By | Board of Directors, Encoin Limited
Responsible Officer | Money Laundering Reporting Officer (MLRO)
Next Review Due | 25/06/2026 (annual or upon regulatory change, whichever is sooner)

Disclaimer: This policy is drafted for internal use by Encoin Limited. It aligns with global best practice (e.g., FATF Recommendations, EU 6AMLD, FinCEN, and examples set by leading exchanges such as Binance and Bybit) but must be localised to any specific licence conditions in each jurisdiction where the Company operates.

1. Purpose

Encoin Limited ("the Company"), operating the Oppi Wallet virtual-asset trading platform ("the Exchange"), is committed to the highest standards of Anti-Money-Laundering (AML) and Counter-Terrorist-Financing (CTF). This policy sets out the principles, controls and procedures designed to detect, deter and report money-laundering, terrorist-financing and related financial crime.

2. Scope

This policy applies to:

  • All products and services listed on the Oppi Wallet platform, including spot trading, P2P marketplace, staking, and custody;
  • All customers, counterparties and business relationships (corporate and retail);
  • All employees, contractors, officers and directors of Encoin Limited worldwide;
  • All group entities, branches and agents providing services on behalf of Encoin Limited.

4. Governance & Responsibility

Role | Key AML Responsibilities
Board of Directors | Ultimate accountability; approves AML policy and risk appetite; ensures adequate resources.
MLRO (Money Laundering Reporting Officer) | Day-to-day oversight; files Suspicious Activity Reports (SAR/STR); liaises with regulators and law-enforcement.
Chief Compliance Officer (CCO) | Maintains compliance framework; chairs AML Risk Committee; escalates material issues to the Board.
AML Risk Committee | Quarterly review of risk assessment, metrics and escalations. Members: MLRO (chair), CCO, CTO, Chief Risk Officer.
Business Units & Support Functions | Implement controls, conduct KYC/KYB, monitor transactions, complete training, escalate red flags.

A designated Deputy MLRO assumes responsibilities when the MLRO is unavailable.

5. Risk-Based Approach (RBA) & Enterprise-Wide Risk Assessment (EWRA)

The Company conducts an EWRA at least annually, following FATF guidance. Risk factors include:

  • Customer Risk – retail vs. corporate; geography; PEP status; source of funds
  • Product/Service Risk – P2P trading and withdrawals are higher-risk than internal transfers
  • Geographic Risk – high-risk and sanctioned jurisdictions
  • Delivery Channel Risk – non-face-to-face onboarding, third-party payment rails, APIs
  • Transactional Risk – size, volume, velocity and pattern anomalies

Risk scores drive the intensity of CDD, monitoring and Board reporting.

6. Customer Due Diligence (CDD)

6.1 Customer Identification Programme (CIP)

All customers must create an account and successfully complete Level 1 KYC before they can: (i) deposit fiat or crypto; (ii) execute a trade; or (iii) withdraw any funds.

Accepted identity evidence:

  • Government-issued photo ID (passport, national ID card, driving licence);
  • Real-time facial liveness test (biometric match ≥ 0.85 confidence);
  • Address verification via utility bill/bank statement ≤ 3 months old.

6.2 KYC Tiers (mirrors Binance and Bybit public tiers)

Tier | Daily Fiat/Token Limits | Documents & Checks | Screening
Tier 0 (View-Only) | Nil | Email verification | Sanctions & PEP hot-list
Tier 1 (Standard) | ≤ 10,000 USD eq. withdrawal | Photo ID, selfie, address proof | Full PEP & sanctions screening; automated risk scoring
Tier 2 (Enhanced) | > 10,000 USD eq. or monthly ≥ 100,000 USD | Tier 1 + proof of funds, source-of-wealth questionnaire, video call | Manual review by Compliance; adverse-media checks
Tier 3 (Institutional/Corporate) | Custom | KYB documents, UBO registry, licence, board resolution | Continuous monitoring; annual refresh

6.3 Enhanced Due Diligence (EDD)

EDD is mandatory for: (i) PEPs; (ii) customers from high-risk countries; (iii) complex structures; (iv) unusual behaviour.

6.4 Ongoing CDD

Customer profiles are refreshed every 12 months (retail) or 12–18 months (corporate), or sooner if a trigger event occurs.

7. Transaction Monitoring & Surveillance

  • Automated rule-based and machine-learning models analyse 100% of transactions in real time.
  • Risk indicators include: rapid layering; structuring; anomalous mixing activity; destination wallets linked to darknet markets.
  • Alerts are triaged within 24 hours; material alerts escalated to MLRO within 72 hours.
  • Freeze/hold function allows the MLRO to suspend withdrawals pending investigation (consistent with Binance's P2P policy and Bybit's Card T&Cs).

8. Sanctions & Politically Exposed Person (PEP) Screening

  • All customers and counterparties are screened at onboarding and daily thereafter against OFAC, EU, UN and any local sanctions lists.
  • PEP screening uses multiple global datasets; family members and close associates are captured.
  • Matches trigger immediate account suspension and EDD.

9. Suspicious Activity Reporting

  • Internal suspicion → escalation to MLRO via secure case-management system.
  • MLRO files Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) to the relevant Financial Intelligence Unit (FIU) within statutory deadlines (≤ 24 hours for urgent matters).
  • Tipping-off prohibition is strictly enforced.

10. Record-Keeping & Data Protection

  • KYC records – minimum retention of 5 years after account closure;
  • Transaction data – 10 years (aligning with Bybit's retention statement);
  • Data is stored in encrypted form (AES-256) in ISO 27001-certified data centres within approved jurisdictions;
  • GDPR & CCPA rights are honoured unless conflicting with AML retention requirements.

11. Travel Rule Compliance

The Exchange has implemented a Travel Rule solution (VASP-to-VASP secure messaging) that transmits originator and beneficiary data for transfers ≥ 1,000 USD in line with FATF Rec. 16.

12. Prohibited & Restricted Jurisdictions

Transactions are prohibited for residents or IPs originating from: Cuba, Iran, North Korea, Syria, Crimea, Donetsk & Luhansk regions, and any other territory subject to comprehensive sanctions.

Restricted (EDD) countries follow the FATF High-Risk & Other Monitored Jurisdictions list.

13. Employee AML Training

  • Induction – all new hires complete AML & sanctions e-learning within 10 working days;
  • Annual refresher – mandatory for all staff; MLRO maintains attendance records;
  • Specialist training – additional modules for Compliance, Customer Support, Engineering.

14. Independent Audit & Assurance

An external, ISO/IEC 17025-accredited firm audits the AML framework annually. Findings are reported to the Board and remediation tracked in a central register.

15. Co-operation with Law-Enforcement & Regulators

The Company maintains a dedicated Law-Enforcement Request Portal. Response times: within 7 calendar days for standard requests, and 24 hours for urgent cases involving imminent risk (mirroring Binance's LERS). All requests are logged and retained for 10 years.

16. Technology & Information Security Controls

  • Multi-factor authentication (MFA) enforced for all employees;
  • Role-based access controls (RBAC);
  • End-to-end encryption for data in transit;
  • Regular penetration testing and vulnerability scanning;
  • Disaster-recovery RTO ≤ 1 hour, RPO ≤ 15 minutes.

17. Monitoring, Review & Updates

The MLRO ensures this policy is reviewed at least annually or following:

  • Changes in relevant legislation or FATF guidance;
  • Significant new product launches;
  • Material findings from internal or external audits.

All amendments require Board approval and immediate staff notification.

18. Appendix A – Definitions

AML – Anti-Money-Laundering
CTF – Counter-Terrorist-Financing
CDD/KYC – Customer Due Diligence / Know Your Customer
EDD – Enhanced Due Diligence
MLRO – Money Laundering Reporting Officer
PEP – Politically Exposed Person
SAR/STR – Suspicious Activity/Transaction Report
Travel Rule – FATF Rec. 16 requirement to share originator & beneficiary data

19. Appendix B – Abbreviations

Term | Meaning
API | Application Programming Interface
FIU | Financial Intelligence Unit
RBAC | Role-Based Access Control
VASP | Virtual Asset Service Provider

20. Appendix C – Key Contacts

Function | Email
MLRO | [email protected]
Law-Enforcement Portal | [email protected]
Compliance Hotline | [email protected]

Adopted by Resolution No. [125] of the Board of Directors on [25.06.2025]