Anti-Money Laundering and Anti-Terrorist Financing Policy
Nortyx’s public approach to financial crime prevention across onboarding, transactions, and ongoing monitoring.
1. Purpose of This Policy
The purpose of this Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Policy (the “Policy”) is to describe Nortyx’s public approach to financial crime prevention in connection with its website, onboarding processes, client portal, crypto-asset exchange services, transaction services, customer-support channels and related online services.
For the purposes of this Policy, “financial crime” includes money laundering, terrorist financing, proliferation financing, sanctions evasion, fraud, bribery, corruption, tax crime, cyber-enabled financial crime, scams, ransomware, identity misuse, illicit concealment and activity designed to disguise the origin, ownership, destination, purpose or control of funds or crypto-assets.
This Policy does not create a right for any person to access Nortyx’s services. Nortyx may refuse, suspend, restrict, delay, terminate or report any relationship, account, transaction, wallet address, payment method, counterparty or activity where required or appropriate under applicable law, regulatory expectations, sanctions requirements, partner requirements or Nortyx’s risk assessment.
2. Regulatory Position and Important Status Note
Nortyx is structured in this Policy by reference to a Finland/EU crypto-asset-related business model, without implying any specific regulatory authorisation or licensing status. Where a service requires authorisation, registration, notification, passporting or other regulatory entitlement, Nortyx will provide that service only where it is legally permitted, authorised or otherwise entitled to do so under applicable Finnish and European Union law.
Nothing in this Policy should be read as a statement that Nortyx already holds a regulatory authorisation, licence or registration unless that status is separately confirmed on Nortyx’s website or in an official register. If Nortyx has not yet commenced regulated activity, references to controls, processes and obligations describe the framework Nortyx intends to maintain before and during the provision of services.
Nortyx’s AML/CFT and sanctions framework is designed for services that may include, where supported and legally permitted, account registration, customer onboarding, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, fiat on-ramp or off-ramp activity, crypto-asset transfer support, delivery of crypto-assets to customer-provided external wallet addresses, blockchain analytics, transaction monitoring and related compliance controls.
3. Persons and Activities Covered
This Policy applies to any person who accesses, attempts to access, registers for, applies to use or uses Nortyx’s services. This includes website visitors, prospective customers, individual customers, account holders, transaction originators, beneficiaries, payors, payees, external wallet owners or controllers, transaction counterparties and other persons involved in a transaction.
Where Nortyx supports business users, legal entities, trusts, partnerships or other non-individual arrangements, this Policy also applies to authorised representatives, directors, officers, senior managers, beneficial owners, controllers, shareholders, signatories, agents, nominees and other persons connected with those arrangements.
Nortyx may also apply this Policy to attempted activity, rejected applications, incomplete onboarding flows, abandoned transactions, refunds, chargebacks, disputes, suspicious wallet interactions, blocked access attempts and other interactions that create AML/CFT, sanctions, fraud, security, legal or regulatory risk.
4. Services and Risk Profile
Crypto-asset services may create specific financial crime risks because transactions can be cross-border, fast, technologically complex, pseudonymous, irreversible or routed through multiple wallets, networks, exchanges or service providers. Nortyx therefore applies controls that are proportionate to the nature of its services, the customers it serves, the assets supported, the jurisdictions involved, the transaction flows used and the risks identified.
Nortyx may support services for individuals and, where permitted, business users. Services may be limited by supported jurisdictions, supported assets, supported payment methods, transaction limits, wallet requirements, partner restrictions, compliance requirements and internal risk appetite.
Nortyx does not treat access to a website, mobile interface, application page, marketing page or online form as confirmation that a person is eligible to receive services. Eligibility is subject to onboarding, verification, sanctions screening, jurisdictional checks, wallet screening, transaction monitoring, payment review and any other controls required by Nortyx.
5. Finnish and EU AML/CFT Framework
Nortyx takes account of applicable Finnish and EU anti-money laundering and counter-terrorist financing requirements. This includes the Finnish Act on Preventing Money Laundering and Terrorist Financing, related Finnish rules and guidance, obligations applicable to obliged entities, customer due diligence requirements, enhanced due diligence requirements, reporting obligations, recordkeeping requirements and supervisory expectations.
Nortyx also takes account of the role of the Finnish Financial Supervisory Authority (“FIN-FSA”) as a supervisory authority for relevant financial sector participants and the Finnish Financial Intelligence Unit (“FIU”) as the competent authority for receiving and analysing suspicious transaction reports and related financial intelligence in Finland.
Nortyx may also be subject to additional rules, expectations or requirements arising from banks, payment service providers, liquidity providers, blockchain analytics providers, Travel Rule solution providers, identity verification providers, cybersecurity providers, auditors, professional advisers or other service providers supporting Nortyx’s operations.
6. MiCA, Travel Rule and Crypto-Asset Compliance
Nortyx’s public compliance framework is designed for a crypto-asset business model operating under the EU Markets in Crypto-Assets Regulation (“MiCA”) where applicable. MiCA regulates, among other matters, the provision of crypto-asset services in the European Union and imposes conduct, governance, prudential, operational and organisational requirements on authorised companies.
Nortyx also takes account of Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets. Where applicable, Nortyx may be required to collect, verify, retain and transmit originator and beneficiary information in connection with certain transfers of funds and crypto-assets, and to detect missing or incomplete information.
The Travel Rule and AML/CFT obligations operate alongside MiCA. MiCA authorisation or crypto-asset regulatory status does not remove the need to perform AML/CFT checks, sanctions screening, suspicious activity reporting, recordkeeping, customer due diligence, risk assessment or other financial crime controls.
7. Sanctions and Restrictive Measures
Nortyx applies sanctions controls designed to prevent the use of its services in breach of applicable European Union, United Nations, Finnish or other sanctions and restrictive measures applicable to Nortyx, its customers, partners or service providers.
Sanctions restrictions may apply to individuals, legal entities, bodies, vessels, wallet addresses, countries, territories, regions, sectors, products, services, ownership structures, control relationships, transactions, funds, crypto-assets or other economic resources. Sanctions may also restrict services that appear indirect, attempted, split, routed through intermediaries or structured to conceal a prohibited connection.
Nortyx does not provide services where doing so would make funds, crypto-assets or economic resources available to a sanctioned person or entity, facilitate sanctions evasion, process prohibited transactions, provide restricted services or otherwise breach applicable sanctions obligations.
8. FATF, EBA and International Standards
Nortyx’s public framework takes account of international standards issued by the Financial Action Task Force (“FATF”), including standards relating to virtual assets and virtual asset service providers, risk-based supervision, customer due diligence, suspicious transaction reporting, sanctions, high-risk jurisdictions and wire transfer or Travel Rule requirements.
Nortyx also takes account of applicable European Banking Authority (“EBA”) guidelines and opinions relevant to AML/CFT risk factors, transfers of funds and certain crypto-assets, restrictive measures, internal policies, governance and controls. Such guidance may inform how Nortyx designs risk assessments, onboarding, monitoring, EDD, Travel Rule processes and transaction controls.
Nortyx may update this Policy or its internal controls to reflect changes in FATF statements, EBA guidelines, EU law, Finnish law, sanctions lists, supervisory expectations, partner requirements, product features, supported assets, supported jurisdictions or emerging financial crime typologies.
9. Customer Due Diligence Overview
Nortyx applies customer due diligence (“CDD”) measures to identify and verify customers, understand the purpose and intended nature of the relationship, assess risk, support ongoing monitoring and prevent misuse of its services. CDD may be performed before onboarding, before specific transactions, during the relationship, when risk changes, when information becomes outdated or when required by law or internal policy.
CDD requirements may vary based on the customer type, jurisdiction, product, transaction value, asset type, payment method, wallet arrangement, counterparty exposure, source of funds, source of wealth, business activity, risk indicators and any alerts generated by Nortyx’s systems or service providers.
Nortyx may refuse to open or maintain an account, reject a transaction or terminate a relationship if CDD cannot be completed, if information is incomplete or inconsistent, if documents cannot be verified, if sanctions or high-risk indicators are identified, or if the risk is outside Nortyx’s risk appetite.
10. Individual Customer Verification
For individual customers, Nortyx may collect and verify information such as full legal name, date of birth, residential address, country of residence, nationality or citizenship where relevant, contact details, account credentials, identity document information, proof of address, selfie or liveness information, biometric or facial-verification information where used, payment method ownership and external wallet information.
Nortyx may also request information about occupation, employer, business activity, expected use of the services, anticipated transaction frequency, transaction purpose, source of funds, source of wealth and relationship to a transaction counterparty where this is required by law, risk assessment, EDD or transaction monitoring.
Verification may be performed using documents, electronic identity methods, independent data sources, identity verification providers, fraud-prevention tools, device-risk systems, public databases, payment information, bank account information, blockchain analytics, customer declarations or other appropriate verification methods.
11. Business Users, KYB and Legal Entity Verification
Where Nortyx supports business users or legal entities, Nortyx may apply know-your-business (“KYB”) controls. These controls are intended to verify the legal existence of the entity, understand its ownership and control, confirm authority to act, assess the nature of business activity and identify financial crime risks associated with the business relationship.
Nortyx may request legal name, trading name, registration number, incorporation documents, constitutional documents, registered address, principal place of business, business website, nature of business, licences or regulatory permissions, operating jurisdictions, expected transaction volumes, expected transaction values, supported assets, customer base, payment methods, bank account information, wallet arrangements and source of revenue.
Nortyx may request documents or information relating to directors, officers, authorised representatives, senior managers, signatories, beneficial owners, controllers, shareholders, group entities, subsidiaries, affiliates, trusts, nominees or persons exercising control over the business relationship.
12. Beneficial Ownership, Control and Authority
Where a customer is a legal entity or other arrangement, Nortyx may identify and verify beneficial owners, controllers and persons who own, control, manage, represent or otherwise exercise authority over the customer. Nortyx may also request evidence that an individual acting on behalf of a business user is duly authorised to do so.
Nortyx may take reasonable measures to understand complex ownership structures, indirect ownership, nominee arrangements, trusts, foundations, control through voting rights, control through contractual arrangements, control through senior management or any other arrangement that may affect the true ownership or control of the customer.
Nortyx may refuse or terminate a business relationship where the ownership and control structure cannot be reasonably understood or verified, where required beneficial ownership information is not provided, or where a beneficial owner, controller, representative or related party presents unacceptable AML/CFT, sanctions, fraud, legal, reputational or regulatory risk.
13. Source of Funds and Source of Wealth
Nortyx may request source of funds and source of wealth information where required by law, risk assessment, enhanced due diligence, transaction review, sanctions screening, fraud prevention, unusual activity review or internal policy. The purpose is to understand how funds or crypto-assets used in a transaction were generated, acquired, transferred or accumulated.
Information or evidence may include bank statements, payslips, tax documents, contracts, invoices, sale agreements, corporate records, investment statements, inheritance documents, proof of crypto-asset acquisition, exchange records, wallet history, mining or staking records, loan documents, business revenue evidence or other documents relevant to the transaction or relationship.
Nortyx may decline, delay or restrict a transaction if the source of funds or source of wealth cannot be reasonably explained, if evidence is not provided, if information is inconsistent with expected activity, or if the activity presents a risk of money laundering, terrorist financing, sanctions evasion, fraud or other financial crime.
14. Risk-Based Approach
Nortyx applies a risk-based approach. This means that controls are designed and applied according to the risks associated with customers, business users, beneficial owners, products, services, delivery channels, payment methods, crypto-assets, wallet addresses, transaction corridors, jurisdictions, counterparties, technologies and third-party providers.
Risk factors considered by Nortyx may include customer type, geographic exposure, residence, nationality, business activity, source of funds, source of wealth, transaction value, transaction frequency, transaction velocity, asset type, wallet risk, counterparty type, payment method, sanctions exposure, PEP exposure, adverse media, device indicators, use of anonymisation tools, blockchain typologies, chargebacks, refunds, disputes and prior activity.
Nortyx may adjust controls, limits, monitoring intensity, onboarding requirements, wallet restrictions, transaction review, reporting decisions and relationship status according to the risk identified. A lower-risk customer may still be subject to further review if activity changes or new risk indicators arise.
15. Enhanced Due Diligence
Nortyx may apply enhanced due diligence (“EDD”) where higher risk is identified. EDD may apply before onboarding, during onboarding, before a transaction, during a relationship, after a transaction alert, during periodic review or when required by law or internal risk assessment.
EDD may include requesting additional identity documents, proof of address, source of funds evidence, source of wealth evidence, wallet ownership or control evidence, bank account evidence, business records, corporate documents, invoices, contracts, explanations of transaction purpose, explanations of wallet activity, additional screening, closer ongoing monitoring, senior compliance review or restrictions on products, assets, limits or transaction flows.
Triggers for EDD may include higher-risk jurisdictions, unusual transaction patterns, sanctions proximity, PEP exposure, adverse media, high-risk business activities, unusual payment flows, use of high-risk wallets, use of mixers or obfuscation techniques, high-value or high-velocity activity, inconsistent information, rejected payments, fraud indicators, complex ownership structures or business activity that is difficult to verify.
16. Politically Exposed Persons and Other Higher-Risk Persons
Nortyx may screen customers, beneficial owners, authorised representatives, controllers, counterparties and other relevant persons against politically exposed person (“PEP”), family member, close associate, heads of international organisations, adverse media and other higher-risk databases.
A PEP or other higher-risk status does not automatically mean that Nortyx will refuse service. However, Nortyx may apply enhanced due diligence, senior compliance review, source of wealth checks, source of funds checks, transaction limits, closer monitoring or other measures appropriate to the risk.
Nortyx may refuse or terminate a relationship where the risks associated with a PEP, close associate, family member, higher-risk person, business relationship or transaction cannot be adequately understood or mitigated.
17. Geographic and Jurisdictional Risk
Nortyx may assess jurisdictional risk using information such as declared residence, nationality, citizenship where relevant, residential address, business address, IP address, device indicators, payment method country, bank account country, transaction corridor, wallet exposure, counterparty location, blockchain analytics, sanctions lists, FATF statements, EU high-risk country assessments and partner restrictions.
Nortyx may restrict or prohibit access to services from or in connection with certain countries, territories, regions, transaction corridors, wallet address clusters, counterparties or activities. Restrictions may apply even if a country, territory or region is not specifically named on a public list where Nortyx identifies sanctions, legal, regulatory, AML/CFT, fraud, cybercrime, operational, partner or reputational risk.
Users must not attempt to bypass jurisdictional controls by using VPNs, proxies, Tor, hosting services, false documents, misleading address information, third-party accounts, nominee arrangements, false payment methods, false wallet information or any other mechanism designed to hide the true location or jurisdictional connection of a user, transaction or counterparty.
18. Sanctions Screening and Restricted Parties
Nortyx screens relevant persons, entities, wallets, transactions and counterparties against applicable sanctions and restricted-party lists. This may include individual customers, business users, beneficial owners, controllers, authorised representatives, directors, officers, transaction originators, beneficiaries, counterparties, payment parties, wallet addresses and related entities.
Nortyx may block, reject, delay, suspend, restrict, freeze where legally required or report activity involving sanctioned persons, sanctioned entities, sanctioned jurisdictions, entities owned or controlled by sanctioned persons or entities, persons acting for or on behalf of sanctioned persons or entities, sanctions evasion indicators or wallet addresses associated with sanctions exposure.
Nortyx may also apply restrictions required by banking partners, payment processors, liquidity providers, Travel Rule providers, blockchain analytics providers, cybersecurity providers, regulators, competent authorities or internal risk policies. Where legally restricted, Nortyx may not be able to disclose the reason for certain actions.
19. Wallet Screening and Blockchain Analytics
Nortyx may screen customer-provided external wallet addresses, blockchain transaction hashes, transaction flows, wallet clusters, counterparties and related blockchain exposure. Wallet screening and blockchain analytics may be used before a transaction, during a transaction, after a transaction, during ongoing monitoring or as part of an investigation or compliance review.
Blockchain analytics may identify exposure to sanctioned addresses, sanctioned entities, stolen funds, ransomware, darknet markets, scams, fraud clusters, child exploitation material-related activity, terrorist financing, mixers, tumblers, privacy coins, chain-hopping, bridges, peel chains, high-risk exchanges, gambling platforms, illicit marketplaces, high-risk merchant activity or other typologies associated with financial crime.
Nortyx may reject external wallet addresses, delay crypto-asset delivery, require proof of wallet ownership or control, request transaction explanations, restrict assets, impose transaction limits, refuse transfers to or from high-risk wallets, terminate relationships or report activity where wallet exposure cannot be reasonably explained or presents unacceptable risk.
20. Transaction Monitoring
Nortyx may monitor fiat payments, card activity, bank transfers, account activity, login patterns, crypto-asset exchange transactions, crypto-asset transfers, wallet addresses, refunds, reversals, chargebacks, transaction values, transaction frequency, transaction velocity and other behaviour to identify unusual, suspicious, inconsistent, prohibited or high-risk activity.
Monitoring may include automated rules, manual review, case-management workflows, third-party screening tools, blockchain analytics, sanctions alerts, fraud-prevention alerts, device-risk signals, customer behaviour review, payment processor information, banking partner information, Travel Rule information and customer-provided explanations or documents.
Examples of activity that may result in review include repeated transactions below limits, rapid in-and-out movement, frequent wallet changes, use of newly created wallets, mismatches between declared purpose and actual activity, payments from third parties, high-risk jurisdiction exposure, sudden increase in activity, inconsistent device or location indicators, failed verification, unusual refunds, multiple declined payments, wallet exposure to illicit typologies or attempts to bypass controls.
21. Travel Rule and Transfer Information
Nortyx may assess whether required transfer information is complete, accurate and consistent. Nortyx may delay, reject, suspend, restrict or review a transfer where required information is missing, incomplete, inconsistent, unreliable, suspicious or indicates prohibited activity.
22. Fiat Payment, Refund and Chargeback Controls
Where Nortyx supports fiat payments, bank transfers, cards or other payment methods, Nortyx may review payment method ownership, payer information, payee information, bank account country, card issuing country, billing information, payment references, refund requests, chargebacks, reversals, payment failures and payment processor alerts.
Nortyx may refuse payments from third parties, unsupported payment methods, high-risk payment instruments, accounts that cannot be verified, payments inconsistent with customer information, payments connected to restricted jurisdictions, payments connected to fraud indicators or payments that create unacceptable AML/CFT, sanctions, fraud, chargeback, operational or regulatory risk.
Refunds, reversals and returns may be subject to legal restrictions, sanctions controls, AML/CFT review, fraud review, payment processor rules, banking partner rules and internal risk controls. Nortyx may be unable to complete a refund or return where doing so would breach law, sanctions, court orders, regulatory instructions or partner restrictions.
23. Prohibited Use of Services
Nortyx’s services must not be used for any unlawful, prohibited, deceptive, abusive or high-risk activity. Nortyx may reject, restrict, suspend or terminate any account, transaction, wallet address, payment method, business relationship or activity that is prohibited by law, this Policy, Nortyx’s Terms of Service, sanctions requirements, partner requirements or internal risk policies.
Prohibited use includes, without limitation:
- money laundering, terrorist financing, proliferation financing or sanctions evasion;
- fraud, scams, identity theft, account takeover, payment fraud or cyber-enabled financial crime;
- ransomware, hacking, phishing, malware, darknet market activity or illicit online marketplaces;
- drug trafficking, human trafficking, exploitation, corruption, bribery, illegal gambling, tax evasion or illegal trade;
- transactions involving sanctioned persons, entities, jurisdictions, wallets, services or prohibited counterparties;
- use of false, misleading, incomplete or inconsistent information, documents, payment details, wallet details or business information;
- use of mixers, tumblers, obfuscation tools, chain-hopping, nominee accounts, mule accounts or third-party accounts for concealment or evasion;
- attempts to bypass Nortyx’s CDD, EDD, sanctions, geoblocking, Travel Rule, wallet screening, transaction monitoring, payment, fraud-prevention or security controls.
24. Individual User Responsibilities
Individual users must provide accurate, complete and up-to-date information when requested by Nortyx. Users must not misrepresent identity, age, residence, nationality, beneficial ownership, source of funds, source of wealth, wallet ownership, transaction purpose, payment method ownership, counterparty information or jurisdictional connection.
Users must cooperate with Nortyx’s onboarding, verification, CDD, EDD, sanctions screening, PEP screening, transaction monitoring, blockchain analytics, Travel Rule, wallet verification, fraud-prevention, security and information requests. Failure to cooperate may result in delayed transactions, rejected transactions, wallet restrictions, account restrictions, service suspension, termination, reporting to competent authorities or refusal of future service.
Users are responsible for ensuring that their use of Nortyx’s services is lawful in their jurisdiction and consistent with Nortyx’s Terms of Service, this Policy and any applicable product rules. Nortyx may refuse service even where a user believes the service is lawful in the user’s jurisdiction.
25. Business User Responsibilities
Where Nortyx supports business users, legal entities or authorised representatives, such users must provide accurate, complete and up-to-date information about the business, ownership, control, representatives, source of revenue, source of funds, customer base, operating jurisdictions, products, services, licences, transaction flows, wallet arrangements and payment methods.
Business users must promptly notify Nortyx of material changes to ownership, control, beneficial owners, directors, authorised representatives, business activity, licences, operating jurisdictions, customer base, source of revenue, transaction flows, payment methods, wallet addresses or any other information relevant to the relationship.
Business users must not use Nortyx to process transactions for restricted jurisdictions, sanctioned persons, prohibited activities, unsupported business models, hidden third parties, undisclosed customers, shell structures, nominee arrangements, unlicensed activity, illegal activity or transaction flows that Nortyx has not approved.
26. No Circumvention
Users must not attempt to bypass, avoid, disable, mislead or interfere with Nortyx’s compliance, sanctions, fraud-prevention, geoblocking, security, transaction monitoring, Travel Rule, wallet screening or payment controls.
Circumvention includes using VPNs, proxies, Tor, hosting services, false documents, third-party accounts, nominee wallets, mule accounts, false addresses, false payment methods, undisclosed beneficial owners, false transaction purposes, false business descriptions, wallet obfuscation, chain-hopping, structured transactions or any other method designed to hide the true identity, location, ownership, control, source, destination or purpose of funds or crypto-assets.
Nortyx may treat attempted circumvention as a serious breach of this Policy and may restrict access, reject transactions, suspend accounts, terminate relationships, retain records and report activity to competent authorities where required or permitted by law.
27. Internal Review and Escalation
Nortyx reviews unusual, suspicious, inconsistent, prohibited or high-risk activity using internal and third-party tools. Reviews may involve automated alerts, manual assessment, requests for information, enhanced due diligence, wallet analysis, payment review, sanctions review, fraud review, legal review, senior compliance review or other appropriate measures.
Nortyx may not disclose all reasons for a review, restriction, delay, rejection, suspension or termination. Disclosure may be limited where necessary to protect security, prevent fraud, preserve investigation integrity, comply with tipping-off restrictions, comply with sanctions, comply with law or protect confidential compliance controls.
Nortyx may continue a review after a transaction is rejected, an account is closed or a customer relationship ends where necessary for AML/CFT, sanctions, fraud prevention, legal, regulatory, audit, dispute, security or recordkeeping purposes.
28. Suspicious Activity and Regulatory Reporting
Nortyx may report suspicious transactions, attempted suspicious transactions, suspected money laundering, suspected terrorist financing, suspected proliferation financing, suspected sanctions evasion, suspected asset-freezing matters, suspected fraud or other reportable activity to the Finnish Financial Intelligence Unit, FIN-FSA, law enforcement, courts, regulators, public authorities or other competent authorities where required or permitted by law.
Nortyx may also cooperate with lawful requests, production orders, court orders, regulatory enquiries, supervisory requests, law-enforcement requests, sanctions authority requests, FIU enquiries, payment partner requests or banking partner requests where required or permitted by law.
Nortyx may be legally restricted from informing a customer, business user, representative, beneficial owner, controller, counterparty or other person that a suspicious activity report has been filed, that a review is ongoing, that authorities have been notified or that a reporting decision has been made.
29. Actions Nortyx May Take
Where Nortyx identifies or suspects a breach of this Policy, incomplete due diligence, sanctions exposure, suspicious activity, prohibited use, wallet risk, payment risk, fraud risk, jurisdictional risk, regulatory risk, security risk or other unacceptable risk, Nortyx may take one or more actions.
These actions may include refusing onboarding, requesting additional information, applying enhanced due diligence, delaying processing, rejecting transactions, restricting products or assets, imposing limits, rejecting wallet addresses, suspending account access, blocking login, declining payments, restricting refunds, freezing or holding assets where legally required or permitted, terminating the relationship, retaining records, reporting to competent authorities or refusing future service.
Nortyx may also take any action required by law, sanctions, court order, regulatory instruction, FIU request, law-enforcement request, payment partner, banking partner, liquidity provider, blockchain analytics provider, Travel Rule provider, cybersecurity provider or other service provider supporting Nortyx’s operations.
30. Threshold, Large Transaction and Other Reports
Where applicable law requires threshold-based, large-value, transfer-related, sanctions-related, asset-freezing-related or other regulatory reports, Nortyx will maintain procedures designed to identify and submit required reports to the relevant competent authority.
The exact thresholds, aggregation methods, reporting channels and internal procedures may depend on the applicable legal framework, transaction type, asset type, reporting category, customer relationship, jurisdiction and regulatory instructions. Nortyx does not publicly disclose all reporting triggers or monitoring thresholds.
Nortyx may retain supporting information, transaction data, exchange rate methodology information, customer records, wallet screening outputs, Travel Rule information, case notes and internal decisions necessary to support reporting, auditability, legal defence, regulatory inspections or investigations.
31. Recordkeeping and Retention
Nortyx maintains records relating to AML/CFT, sanctions, fraud prevention and financial crime compliance. Records may include customer due diligence information, identity verification records, KYC records, beneficial ownership records, authority records, screening results, risk assessments, wallet screening results, blockchain analytics outputs, transaction monitoring alerts, Travel Rule information, suspicious activity reviews, reports, service actions and internal decisions.
Records may be retained after account closure, transaction completion, onboarding, rejection or termination of the relationship where required or permitted for AML/CFT, sanctions, regulatory, tax, accounting, audit, fraud-prevention, dispute-resolution, investigation, security, operational or legal purposes.
Retention periods may vary based on applicable law, the type of record, the customer relationship, the nature of the transaction, regulatory requirements, pending investigations, disputes, sanctions considerations, audit requirements and internal procedures. Where multiple retention periods apply, Nortyx may retain records for the longest applicable period.
32. Use of Personal Data for Compliance Purposes
Nortyx may collect, use, disclose and retain personal data, identity information, verification information, contact information, device information, location indicators, payment method information, bank account information, wallet address information, blockchain analytics information, transaction information, communication records, business information, beneficial ownership information and compliance records for AML/CFT, sanctions, Travel Rule, fraud-prevention, security, reporting, recordkeeping and legal purposes.
Personal data may be shared with identity verification providers, blockchain analytics providers, Travel Rule solution providers, sanctions screening providers, PEP screening providers, adverse media providers, payment service providers, banks, liquidity providers, cybersecurity providers, cloud providers, professional advisers, regulators, FIUs, law enforcement, courts or other competent authorities where required or permitted by law.
Further information about personal data processing is provided in Nortyx’s Privacy Policy and Cookie Policy. The exercise of privacy rights may be subject to legal, regulatory, AML/CFT, sanctions, recordkeeping, security, investigation or fraud-prevention limitations.
33. Third-Party Compliance Providers
Nortyx may use third-party service providers to support identity verification, document authentication, liveness checks, fraud prevention, sanctions screening, PEP screening, adverse media checks, blockchain analytics, wallet screening, Travel Rule data exchange, payment processing, banking connectivity, transaction monitoring, cybersecurity, cloud hosting, case management, recordkeeping, audit and operational support.
Nortyx remains responsible for selecting and overseeing providers in a manner appropriate to the nature of the service, the risk involved and applicable legal requirements. Nortyx may use vendor outputs as part of its compliance assessment, but may also apply internal review, manual assessment, additional checks or other controls where appropriate.
Third-party providers may impose restrictions or requirements that affect service availability, transaction processing, wallet support, payment support, jurisdictional access, data processing, reporting, refunds or other operational matters.
34. Training, Governance and Continuous Improvement
Nortyx maintains AML/CFT, sanctions and financial crime governance appropriate to the nature, size, complexity and risk profile of its business. This may include a compliance function, allocation of responsibilities, written policies, procedures, risk assessments, controls, employee training, management reporting, vendor oversight, independent review or testing where appropriate, and periodic updates.
Relevant personnel may receive training on AML/CFT, sanctions, customer due diligence, enhanced due diligence, suspicious activity indicators, Travel Rule requirements, blockchain analytics, wallet risk, fraud prevention, data protection, confidentiality, escalation, recordkeeping and reporting obligations relevant to their role.
Nortyx periodically reviews and updates its controls to address changes in law, regulation, FATF standards, EBA guidelines, FIN-FSA expectations, sanctions requirements, supported products, supported assets, supported jurisdictions, business model, technology, partner requirements, financial crime typologies and internal risk assessment.
35. Confidentiality of Internal Controls
This Policy is a public summary. Nortyx does not publicly disclose detailed internal procedures, monitoring thresholds, screening rules, alert logic, escalation criteria, scoring models, reporting triggers, vendor configurations, investigation methods, security controls or other sensitive information that could undermine financial crime prevention, sanctions compliance, fraud prevention, cybersecurity or regulatory compliance.
Nortyx may provide additional information to regulators, auditors, competent authorities, partners or other authorised recipients where required or appropriate. Public users should not interpret the absence of detailed operational information in this Policy as an absence of controls.
36. Relationship With Other Nortyx Policies
This Policy should be read together with Nortyx’s Terms of Service, Privacy Policy, Cookie Policy, Geoblocking and Restricted Jurisdictions Policy, Risk Disclosure, Complaints Policy and any product-specific notices or customer terms published by Nortyx from time to time.
If there is a conflict between this Policy and stricter requirements imposed by law, regulation, sanctions, regulatory instruction, partner requirement or product-specific terms, the stricter requirement may apply. Nortyx may apply additional controls or restrictions not expressly described in this Policy where required or appropriate.
37. Updates to This Policy
Nortyx may update this Policy from time to time to reflect changes in law, regulation, sanctions requirements, supervisory expectations, FATF standards, EBA guidance, FIN-FSA expectations, product availability, supported crypto-assets, supported jurisdictions, partner requirements, technologies, financial crime typologies, operational controls or internal risk assessment.
The “Last updated” date at the top of this Policy indicates when it was last revised. Updated versions will be published on Nortyx’s website or through another appropriate channel and will become effective upon publication unless otherwise stated.
38. Contact
Questions about this Policy may be submitted through the contact details provided on Nortyx’s website or platform. Nortyx may not be able to discuss specific monitoring rules, transaction alerts, sanctions matches, suspicious activity reviews, reporting decisions or confidential compliance controls.