📜AML Compliance Policy

AML Policy

Anti-Money Laundering & Counter-Terrorist Financing (AML/CFT) Policy For: Quantro Network LLC Jurisdiction: Phoenix, Arizona, USA Policy Version: v1.0 Effective Date: [TBD] Approved By: [Compliance Officer/Board]

---

1. Policy Objective & Scope

Defines why the policy exists (prevent money laundering, terrorist financing, sanctions breaches), who it applies to (staff, leadership, users), and what activities are covered (software access, crypto payments, etc.).

---

2. Legal & Regulatory Framework

• FinCEN & Bank Secrecy Act (BSA)

• OFAC Sanctions Enforcement

• FATF Recommendations

• Virtual Asset specific rules (interpretation for software tools)

---

3. Company Structure & Business Model

• What Quantro does (EA software → Zenith, Atlas)

• Clarification that we do not custody funds or issue financial advice

• Role of third-party processors (crypto gateways, broker APIs)

---

4. Risk-Based Approach

• Why crypto involves higher AML risk

• Risk categories: geographical, customer type, wallet source, sanctions exposure

• Risk rating system (Low / Medium / High)

---

5. Customer Due Diligence (KYC/CDD)

• Identity verification for all users pre-activation

• Requirements: Govt IDs, Proof of Address, Sanctions/PEP screening

• Enhanced Due Diligence for high-risk users

• Zero-tolerance for anonymous or fake accounts

---

AML Policy Review:

Applicable Regulation:

US Level

• Bank Secrecy Act (BSA) – 31 U.S.C. § 5311 et seq.

• USA PATRIOT Act (2001)

State Level

• A.R.S. § 13-2317

• A.R.S. § 6-1201 to 6-1243

• Arizona DIFI Rules (Section 352 – Establishing Anti-Money Laundering Programs)

---

Policy Objective & Scope

Only a sketch of what should be included under the objective and scope but does not reflect a clear explanation of the actual objective of the policy. For example, it mentions “activities covered (software access, crypto payments, etc.)” but does not specified which activities are actually applicable. Add cross-references between sections (e.g., risk-scoring methodology in Annex B should tie to monitoring triggers in Section 6).

---

Legal & Regulatory Framework

The framework is defined in general terms and does not clarify whether it aligns with federal or state-level regulations. Both levels of regulation should be reflected for completeness. As per my knowledge Arizona based company pr federal and state level both regulations are applicable.

Can include specific citations to 31 CFR § 1022 (Money Services Businesses) and A.R.S. Title 6 for money-transmitter obligations.

---

Company Structure & Business Model

Not clearly define or explain the business model of Quantro Network LLC, making it difficult to understand the operational context in which the policy applies.

---

Risk-Based Approach (RBA)

Risk-based approach should be customized based on the client’s business model; however, this linkage is missing. The framework mentions qualitative/quantitative scoring but does not specify how thresholds are set (e.g., what defines a “High Risk” client numerically).

Given Quantro’s crypto exposure, the policy should explicitly reference “risks associated with virtual assets and new technologies” (per FATF R.15).

---

Customer Due Diligence (KYC/CDD)

The section is not well explained and lacks detailed procedures or criteria for performing KYC/CDD in accordance with applicable regulatory standards. Must state that Quantro will identify and verify the ultimate beneficial owners (UBOs) for legal-entity clients (per FinCEN CDD Rule, 31 CFR § 1010.230). Although periodic review is mentioned, criteria for when to trigger refresh (e.g., address change, ownership change, suspicious activity) should be specified.

Can add a clause for voluntary information sharing or immediate reporting of significant matters to DIFI when applicable.

Add explicit reference to record availability within 30 days upon regulatory request (as FinCEN expects) You may also add a requirement that training completion is a condition for system access or continued employment.

Overall, the policy statement is not well-articulated and does not effectively reflect a comprehensive AML policy. It merely outlines a few generic steps without demonstrating a structured.