AML POLICY
4payments – Anti-Money Laundering & Counter-Terrorist Financing Policy
(stand-alone document – KYC/KYB requirements are defined in a separate CDD Policy)
Version 1.0 – 24 June 2025
1 Purpose & Scope
This Anti-Money Laundering and Counter-Terrorist Financing Policy (“AML/CTF Policy”) describes how FP Solutions Inc. (trading as 4payments) detects, prevents and reports money-laundering, terrorism-financing and sanctions-evasion risks arising from its card-issuing, payment-processing and crypto-related services.
It applies to:
all business lines, products and delivery channels;
every employee, contractor and outsourced service provider;
all customers and transactions, irrespective of volume, currency or technology used.
2 Legal & Regulatory References
Republic of Panama — Law 23/2015 (Prevention of ML/TF)
FATF Recommendations (especially 1, 10, 15, 16, 20)
EU AMLD 6 and GDPR – followed as recognised best practice
FinCEN/OFAC, UN, EU, UK (HMT) consolidated sanctions lists
Basel AML Index, Wolfsberg Principles, Travel Rule guidance for VASPs
3 Governance & Responsibilities
| Role | Key AML Duties |
|---|---|
| Board of Directors | Approves AML risk appetite, reviews annual AML report. |
| Compliance Officer / MLRO | Owns this Policy, maintains risk assessment, files Suspicious Activity Reports (SARs), liaises with regulators, oversees training. |
| Compliance Committee | Quarterly review of red-flag metrics, rule tuning, and high-risk client decisions. |
| All Employees | Complete mandatory training, follow procedures, report red flags immediately. |
4 Enterprise-Wide Risk Assessment (EWRA)
The MLRO conducts an EWRA at least annually, measuring inherent and residual risk across four pillars:
Customer Risk – PEP status, industry (crypto, gambling, etc.), complex structures.
Product / Service Risk – prepaid cards, high-value withdrawals, cross-border crypto swaps.
Geographic Risk – exposure to High-Risk or Monitored jurisdictions (FATF lists, EU “black/grey list”).
Delivery Channel Risk – fully remote onboarding, agent relationships, APIs.
Mitigations: tiered KYC rules (per CDD Policy v 1.0), transaction-monitoring thresholds, and sanctions controls.
5 Sanctions, PEP & Adverse-Media Screening
Tools: ComplyAdvantage API + internal sanctions engine.
Timing:
Actions: true hits → account freeze, enhanced due diligence (EDD), potential SAR filing.
6 Transaction Monitoring
| Control | Description |
|---|---|
| Rule-based engine | Thresholds, velocity checks, structuring patterns, IP/device anomalies. |
| Crypto analytics | Chainalysis & Crystal AML risk scores; automatic hold on ≥ 70/100 risk events. |
| Behavioural profiling | Expected vs. actual turnover; 30 % spike auto-flags review. |
| Manual escalation | KYC Analysts tag, MLRO decides: allow, request docs, freeze, or exit. |
All rules are version-controlled; tuning is reviewed quarterly by the Compliance Committee.
7 Suspicious Activity Reporting (SAR)
Internal escalation – staff create a Red Flag Report within 24 h.
MLRO review – decide within 48 h of receipt.
External filing – SAR submitted to the Unidad de Análisis Financiero (UAF), Panama, or another competent body; copy retained.
Tipping-off prohibition – customers are not informed of SAR filings.
8 Enhanced Measures for Crypto Flows
Apply the Travel Rule for transfers ≥ USD/EUR 1,000 when the counterparty VASP supports messaging.
Reject deposits from or withdrawals to:
Keep blockchain-analytics logs for ≥ 5 years.
9 Record-Keeping
AML monitoring logs, SARs, screening results and audit trails are retained ≥ 5 years from transaction date or relationship end (whichever is later).
Storage: AES-256-encrypted, access via RBAC, immutable audit logs (7-year retention).
10 Training & Awareness
| Audience | Frequency | Content |
|---|---|---|
| All staff | Within 2 weeks of start, then yearly | AML basics, red flags, sanctions, tipping-off rules. |
| High-risk functions (Compliance, Support, Tech) | Twice yearly | Deep-dive on rule tuning, crypto typologies, case studies. |
Pass mark ≥ 80 %. Non-completion triggers account access suspension.
11 Independent Audit & Testing
Internal QA: 10 % sample of alerts and SARs each quarter (target error rate ≤ 2 %).
External audit: accredited third-party review every 24 months; report shared with the Board and retained for regulators.
12 Confidentiality & Data Protection
Information obtained for AML purposes is used solely for compliance and may be disclosed only to competent authorities or as required by law. Processing complies with GDPR and Panama Law 81/2019 on Personal Data Protection.
13 Policy Review & Approval
The MLRO will review this Policy at least annually or sooner if triggered by:
regulatory changes;
new products or channels;
material shifts in the risk profile.
All amendments require Board approval. The latest version is published internally and supplied to banking partners upon request.
Contact: compliance@4payments.io