AML Policy

This Anti–Money Laundering and Counter–Terrorist Financing Policy (“the Policy”) establishes the governance, controls, and responsibilities that Celtouch and its affiliated entities shall apply to detect, prevent, and report money laundering (“ML”), terrorist financing (“TF”), and related financial crimes in accordance with United States federal law.

The objectives of this Policy are to:

Ensure full compliance with applicable U.S. AML/CFT legislation and FinCEN regulations.
Protect Celtouch’s reputation and the integrity of the financial system by deterring the misuse of its services.
Implement a risk-based compliance framework consistent with the Bank Secrecy Act (BSA) and Anti-Money Laundering Act of 2020 (AMLA).
Define clear accountability across management and employees for AML/CFT governance.

This Policy applies to all Celtouch entities, subsidiaries, employees, contractors, and technology partners (including Coral Commerce) involved in onboarding, monitoring, and transaction processing.

2. Policy Statement

Celtouch is firmly committed to conducting its business with integrity, transparency, and in full compliance with U.S. laws and regulations governing anti-money laundering and counter-terrorist financing.

Celtouch’s compliance framework aligns with:

Bank Secrecy Act (31 U.S.C. § 5311 et seq.)
Anti-Money Laundering Act of 2020 (AMLA)
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act)
OFAC Sanctions Programs and the Specially Designated Nationals (SDN) List
Financial Action Task Force (FATF) 40 Recommendations
Wolfsberg Group Principles and Basel Committee AML Guidelines

Celtouch maintains a zero-tolerance policy toward any employee, customer, or partner involved in or facilitating financial crime.

3. Scope of Application

This Policy applies to:

All Celtouch business activities within the United States.
All financial products and services, including:
- Escrow and blocked-fund holding services.
- Guarantor and financial assurance programs.
- Cross-border settlements and custodial transfers.
All delivery channels, including online, mobile, and agent-assisted.

4. Définitions

Term	Meaning
Money Laundering (ML)	Concealing or disguising the origins of illegally obtained money.
Terrorist Financing (TF)	Collecting or providing funds for terrorist acts or organisations.
Customer Due Diligence (CDD)	Identifying and verifying customers’ identities and business activities.
Enhanced Due Diligence (EDD)	Additional scrutiny for high-risk clients or transactions.
Suspicious Activity Report (SAR)	Report filed with FinCEN when suspicious behaviour is detected.
Politically Exposed Person (PEP)	An individual with prominent public responsibilities, posing higher corruption risk.
Beneficial Owner	The natural person who ultimately owns or controls an entity.

5. Legal & Regulatory Framework

Celtouch operates under the following U.S. legal and regulatory authorities:

Financial Crimes Enforcement Network (FinCEN) — U.S. Treasury bureau that administers AML laws and receives SARs.
Office of Foreign Assets Control (OFAC) — Enforces economic and trade sanctions.
Federal Deposit Insurance Corporation (FDIC) — Oversees compliance for institutions handling customer funds.
Federal Bureau of Investigation (FBI) — Investigates financial crimes.
Internal Revenue Service (IRS) — Oversees reporting of large or suspicious cash transactions.
U.S. Securities and Exchange Commission (SEC) — Regulates securities-related AML obligations.

6. Governance & Compliance Structure

6.1. Board of Directors

Holds ultimate accountability for AML/CFT compliance.
Approves the AML Policy and receives quarterly compliance reports.
Ensures the Compliance Officer has adequate authority and resources.

6.2. Designated Compliance Officer (DCO)

Senior official responsible for AML oversight.
Duties include:
- Overseeing CDD/KYC processes.
- Reviewing high-risk accounts.
- Approving SAR filings.
- Liaising with FinCEN and OFAC.
- Reporting quarterly to the Board.

6.3. AML Compliance Department

Monitors compliance controls, transaction monitoring, and sanctions screening.
Conducts ongoing risk assessments and training.
Coordinates independent AML audits.

6.4. Independent Audit Function

Performs annual AML audits to evaluate effectiveness of controls.
Reports findings directly to the Board.

6.5. Compliance Committee

Includes representatives from Legal, Operations, and Finance.
Reviews escalated cases and updates risk assessments.

7. Risk-Based Approach (RBA)

Celtouch employs a Risk-Based Approach in line with FinCEN and FATF standards to identify, assess, and mitigate ML/TF risks.

7.1. Enterprise Risk Assessment

Conducted annually to evaluate:

Customer risk (individuals, corporates, PEPs).
Geographic exposure (high-risk countries).
Product/service risk (escrow, guarantor, cross-border).
Channel risk (digital vs. in-person onboarding).

7.2. Risk Classification

Risk Level	Definition	Control Measure
Low	Transparent clients, simple activity	Standard CDD
Medium	Moderate risk exposure	Periodic review (24 months)
High	Complex structures, cross-border	EDD and senior approval

7.3. Enhanced Controls

Senior management review of all high-risk relationships.
Verification of source of wealth and funds.
Real-time transaction monitoring.
Annual re-verification.

8. Customer Due Diligence (CDD) & Know Your Customer (KYC)

8.1. Individuals

Verify full legal name, date of birth, address, and SSN or ITIN.
Obtain a government-issued photo ID (passport, driver’s license, or state ID).
Collect proof of address (utility bill, bank statement).
Verify source of funds and intended use.

8.2. Corporations

Obtain Certificate of Incorporation or formation.
Identify directors, officers, and beneficial owners (≥25%).
Validate Employer Identification Number (EIN).
Collect operating address, tax filings, and business description.
Obtain ownership chart and authorized signatory list.

8.3. Enhanced Due Diligence (EDD)

Required for:

PEPs and their associates.
Clients from high-risk jurisdictions (as identified by FATF/OFAC).
High-value or complex transactions. Measures include:
- Source of wealth verification.
- Adverse media screening.
- Senior-level approval.

8.4. Simplified Due Diligence (SDD) Allowed only for low-risk relationships, under FinCEN guidance, and never for escrow/guarantor accounts.

9. Recordkeeping & Retention

Maintain KYC and transaction data for at least five (5) years after account closure or transaction completion.
Records must allow reconstruction of each transaction.
Stored securely in encrypted systems with access logs.
Destruction of records before retention expiry is prohibited.

10. Sanctions Screening

All customers, transactions, and counterparties are screened against:

OFAC SDN List
U.S. State Department Sanctions Lists
UN Security Council Sanctions List
EU Consolidated Sanctions List (for global transactions)

Positive matches result in immediate account freeze, compliance review, and SAR filing.

11. Transaction Monitoring

Celtouch employs automated, rule-based and AI-assisted monitoring through Coral Commerce infrastructure. 

The system flags anomalies including:

Unusual transaction frequency or volume.
Third-party fund transfers.
Activity inconsistent with client profile.
Rapid movement of funds between unrelated accounts.

Alerts are escalated to the Compliance Officer for investigation and potential SAR filing.

12. Suspicious Activity Detection & Reporting

12.1. Obligation to Report

Celtouch and its employees are required under the Bank Secrecy Act (BSA) and FinCEN regulations to identify and report any known or suspected instance of money laundering, terrorist financing, or other financial crime. 

This duty extends to all staff, officers, and agents who become aware of suspicious conduct, whether before, during, or after a transaction.

12.2. Identifying Suspicious Activity

Examples of suspicious activity include:

Transactions inconsistent with the customer’s business or income level.
Large or rapid transfers between unrelated accounts or jurisdictions.
Attempts to avoid reporting thresholds (“structuring”).
Unexplained involvement of third parties in escrow deposits or withdrawals.
Client reluctance to provide identification or supporting documents.
Activity involving high-risk or sanctioned countries.
Use of multiple, sequential escrow accounts without clear purpose.

12.3. Internal Reporting Process

Front-line detection: Any employee noticing red-flag behaviour must complete an Internal Suspicious Transaction Report (ISTR).
Compliance review: The report is submitted to the Designated Compliance Officer (DCO) for evaluation and documentation.
Escalation: If suspicion is substantiated, the DCO prepares and files a Suspicious Activity Report (SAR) with FinCEN within 30 calendar days of initial detection (or 60 days if additional information is required).
Confidential record: All supporting data are retained securely for a minimum of five years.

12.4. Prohibition on Tipping Off

Employees are strictly prohibited from informing any customer or third party that a SAR has been or may be filed, or that their transactions are under review. 

Any breach of confidentiality constitutes a violation of 31 U.S.C. § 5318(g)(2) and may result in criminal penalties and termination of employment.

12.5. Freezing and Rejection of Transactions

If activity appears connected to sanctions or criminal conduct:

The transaction is immediately frozen or rejected pending investigation.
The DCO documents the action and notifies OFAC and FinCEN as appropriate.
Funds remain restricted until formal clearance or government instruction.

13. Prohibited & Restricted Activities

Celtouch will not process or maintain relationships involving:

Anonymous or fictitious accounts.
Shell banks or unlicensed money-service businesses.
Individuals or entities on any OFAC or UN Sanctions List.
Cash deposits or withdrawals related to escrow or guarantor operations.
Virtual-currency mixers or unregistered exchanges.
Transactions designed to disguise true ownership or purpose.

Celtouch reserves the right to terminate any account that presents unacceptable AML/CFT risk.

14. Staff Screening, Training & Awareness

14.1. Employee Screening

All staff occupying compliance-sensitive positions must undergo pre-employment background checks and periodic re-screening. Disqualifying factors include convictions for fraud, bribery, or financial crimes.

14.2. Mandatory AML/CFT Training

Celtouch provides annual training covering:

U.S. AML/CFT laws (BSA, AMLA, Patriot Act).
KYC/CDD requirements and document verification.
Recognition of red flags and escalation procedures.
SAR preparation and FinCEN e-filing process.
OFAC sanctions programs and blocking rules.
Data-protection and confidentiality obligations.

Additional modules are assigned when regulations change or system upgrades occur.

14.3. Assessment and Recordkeeping

Each employee must complete a short examination to confirm understanding. Completion records are logged in the HR compliance database and retained for five years. 

Non-completion or failed assessments trigger remedial training and possible disciplinary action.

15. Technology Systems & Data Security

15.1. System Integrity

All financial transactions and AML processes operate through secure, audited systems provided by Coral Commerce. 

These systems ensure:

End-to-end encryption of data in transit and at rest.
Immutable audit trails for every transaction.
Access control limited to authorised personnel only.
Redundancy and backup for business-continuity assurance.

15.2. Automated AML Tools

Celtouch employs:

Sanctions-screening engines using the latest OFAC SDN, UN, and EU data.
Machine-learning analytics to detect structuring, layering, and unusual patterns.
Transaction-monitoring algorithms calibrated to risk thresholds.
Case-management workflows for alert triage, investigation, and resolution.

15.3. Data Protection

Celtouch complies with U.S. privacy and cybersecurity laws, including the Gramm–Leach–Bliley Act (GLBA) and relevant state data-protection statutes. 

Data are stored in U.S. jurisdictions and may not be transferred abroad without approval from Compliance and Legal.

16. Cooperation with Regulators & Law-Enforcement

Celtouch cooperates fully with:

FinCEN for SAR filings and AML data requests.
OFAC for sanctions compliance and blocking orders.
FBI, IRS-Criminal Investigation, and other agencies investigating financial crimes.

All requests for records or information must be handled solely by the Compliance Officer to maintain consistency and confidentiality. 

Celtouch will provide prompt, complete responses to lawful subpoenas and 314(a) requests under the Patriot Act.

17. Independent Audit & Continuous Improvement

17.1. Independent Audit

An independent internal or external auditor will:

Test AML/CFT systems and controls annually.
Validate transaction-monitoring accuracy and SAR timeliness.
Review employee training coverage and competence.
Report findings directly to the Board Audit Committee and Compliance Committee.

17.2. Continuous Improvement

Celtouch commits to continuous enhancement by:

Updating monitoring parameters based on new typologies.
Conducting semi-annual system calibrations and data-quality checks.
Integrating regulatory feedback and enforcement-trend analysis.
Implementing all audit recommendations within agreed deadlines.

18. Enforcement & Disciplinary Measures

Non-compliance with this Policy may result in disciplinary action up to and including termination.
Serious or wilful violations will be referred to authorities under 31 U.S.C. § 5322.
Managers are responsible for ensuring timely remediation of any identified deficiencies.
Systemic breaches trigger immediate review by the Board Compliance Committee.

19. Policy Review & Governance

The Compliance Officer will review this Policy annually, or sooner if required by legislative or operational change.
Revisions will be approved by the Board of Directors before implementation.
Updated versions will be distributed to all staff and maintained in the compliance portal with version control.

20. Documentation & Record Control

A master version of this Policy is stored securely by the Compliance Department.
Archived copies are retained for at least ten (10) years.
Employees must acknowledge receipt and understanding within five business days of issuance.
A summary of this Policy may be made publicly available for transparency.

21. Enterprise-Wide Risk Classification Framework

Celtouch’s risk assessment model follows a structured methodology consistent with FinCEN guidance and FATF’s Risk-Based Approach (RBA). 

Each customer, product, and transaction is classified based on inherent and residual risk.

Risk Category	Description	Examples	Controls Applied
Customer Risk	Type, nature, and activity of the client	Individual, Corporate, PEP, Trust, Non-Profit	CDD or EDD as appropriate
Geographic Risk	Country of residence or transaction destination	OFAC-sanctioned or FATF high-risk jurisdictions	Screening and enhanced review
Product/Service Risk	Nature of financial product	Escrow, guarantor, blocked funds	Pre-approval by Compliance
Channel Risk	Method of onboarding or transaction	Online, remote, agent-assisted	Verification tiering
Transaction Risk	Frequency, value, and complexity	Large cross-border transfers	Real-time monitoring and alerts

Risk Levels and Actions

Risk Level	Score Range	Requirements
Low	1–5	Standard CDD; routine monitoring
Medium	6–10	CDD + 24-month review
High	11–15	EDD; senior management approval; 12-month re-verification

Risk scores are calculated automatically by the Coral Commerce AML engine and manually reviewed by Compliance quarterly.

22. Customer Identification (KYC) Requirements

22.1. Individual Clients

Requirement	Acceptable Documents	Notes
Proof of Identity	U.S. Passport, Driver’s License, State ID	Must be current and legible
Proof of Address	Utility bill, bank statement, or lease (≤90 days old)	Must match stated residence
SSN or ITIN Verification	Social Security Number or Individual Taxpayer ID	Verified electronically
Source of Funds	Bank statement, pay stub, tax return	Required for all escrow deposits

22.2. Business Clients

Requirement	Acceptable Documents	Notes
Business Formation Documents	Articles of Incorporation or Organization	Certified copy required
EIN Verification	IRS-issued Employer Identification Number	Verified via IRS portal
Ownership and Control	List of all owners (≥25%)	Obtain individual KYC on each
Operating Address	Lease, business license, or utility bill	Must be U.S.-based for primary registration
Source of Funds	Financial statements, invoices, contracts	Reviewed for plausibility and consistency

22.3. High-Risk Entities (EDD Required)

Non-profits, foundations, and trusts.
Politically Exposed Persons (PEPs).
Clients with foreign beneficial owners.
Escrow counterparties from or transacting with FATF-listed jurisdictions.

EDD includes verification of source of wealth, media screening, and Compliance Officer approval.

23. Red-Flag Indicators of Suspicious Activity

23.1. Customer Behaviour

Reluctance to provide identification or supporting documents.
Use of intermediaries without clear business purpose.
Requests for anonymity or avoidance of recordkeeping.
Mismatch between stated purpose and transactional behaviour.

23.2. Transactional Behaviour

Repeated deposits just under reporting thresholds.
Round-number transactions inconsistent with legitimate activity.
Movement of funds between multiple escrow accounts in short succession.
Unexplained urgency or pressure to complete transfers.
Reversal or cancellation of legitimate escrow agreements without cause.

23.3. Geographic and Counterparty Patterns

Transfers involving jurisdictions with weak AML regimes.
Counterparties located in known secrecy or tax-haven territories.
Transactions referencing sanctioned or embargoed regions.
Use of correspondent accounts or layering across unrelated entities.

24. Suspicious Activity Reporting Templates

Internal Suspicious Transaction Report (ISTR)

Field	Description
Date	[MM/DD/YYYY]
Employee Name	[Staff completing report]
Customer Name / ID	[Full name or entity name]
Account Reference	[Escrow or Guarantor ID]
Suspicious Activity Description	[Narrative summary]
Transaction Value	[USD equivalent]
Reason for Suspicion	[Concise factual basis]
Action Taken	[Freeze, escalate, or refer to Compliance]

FinCEN SAR Filing

The Compliance Officer files a Suspicious Activity Report (SAR) electronically via FinCEN BSA E-Filing System including:

Customer details and identifiers.
Nature, date, and amount of suspicious transactions.
Narrative explanation of suspicious behaviour.
Relevant supporting documentation.

SAR filings are confidential and retained for five years.

25. Recordkeeping & Retention Standards

Celtouch maintains AML-related records for five years after:

Account closure, or
Completion of a transaction, whichever is later.

Records include:

KYC and identification data.
Transaction logs and audit trails.
SARs, ISTRs, and investigation notes.
Staff training records.
Audit and regulatory correspondence.

All records are encrypted, access-controlled, and periodically tested for integrity.

26. Partner & Correspondent Due Diligence

Celtouch conducts Partner Due Diligence (PDD) for all counterparties that facilitate escrow, payment processing, or custodial services.

Minimum PDD Requirements

Proof of business registration and licensing.
AML policy and compliance officer contact.
Confirmation of adherence to BSA, AMLA, and OFAC regulations.
Annual attestation of compliance and reporting history.
Review of enforcement or disciplinary actions (if any).

27. Training & Competence Matrix

Training Module	Target Group	Frequency	Description
AML/CFT Fundamentals	All employees	Annual	Overview of U.S. AML laws, obligations, and penalties
KYC/CDD Process	Onboarding & Operations	Annual	Customer verification and documentation standards
Transaction Monitoring & Red Flags	Compliance, Operations	Biannual	Identification of unusual patterns and escalation
SAR Preparation & FinCEN Reporting	Compliance staff	Annual	Procedures for filing SARs electronically
OFAC Sanctions Screening	Finance & Operations	Annual	Managing and reporting blocked transactions
Data Protection & Privacy	All staff	Annual	GLBA and state privacy law compliance

Records of training attendance and assessment results are stored for five years.

28. Governance & Accountability

28.1. Board of Directors

The Board of Celtouch bears ultimate responsibility for AML/CFT compliance and will:

Review quarterly AML reports.
Approve the AML policy and budget allocations.
Ensure the Compliance Officer’s independence and resources.

28.2. Designated Compliance Officer (DCO)

Oversees all AML/CFT systems and filings.
Has direct access to senior management and the Board.
Liaises with regulators and law enforcement agencies.

28.3. Management Responsibility

Department heads must ensure operational compliance and promptly escalate issues to the DCO.

29. Policy Attestation

By resolution of the Board of Directors of Celtouch, it is hereby confirmed that:

Celtouch maintains and implements AML/CFT policies compliant with U.S. federal laws including the BSA, AMLA, and Patriot Act.
The company cooperates fully with FinCEN, OFAC, and other competent authorities.
All employees are trained and obligated to comply with this policy.
Non-compliance may result in termination and legal prosecution under U.S. law.

Effective Date: 05 August 2025 

Next Review Date: 05 August 2026

Signed on behalf of Celtouch:

_____________________________ 

Alioune Kane, Chairperson, Board of Directors,  Date: 05 August 2025

_____________________________ 

Gerry van Heerden,  Designated Compliance Officer,  Date: 05 August 2025

30. Appendix A – Reference Frameworks

Bank Secrecy Act (BSA), 31 U.S.C. §§ 5311–5330
Anti-Money Laundering Act of 2020 (AMLA)
U.S.A. Patriot Act (Title III)
Office of Foreign Assets Control (OFAC) Regulations
Financial Crimes Enforcement Network (FinCEN) Guidance
FATF 40 Recommendations (2023 Revision)
Wolfsberg Group Principles (2022 Edition)
Basel Committee AML Guidelines

31. Appendix B – Document Control

Version	Date	Author	Description	Approved By
1.0	[Insert]	Compliance Department	Initial release (U.S.-aligned)	Board of Directors
1.1	[Future]	Compliance Department	Annual review updates	Board of Directors

Archived versions retained for a minimum of ten (10) years.

32. Appendix C – Compliance Contacts

Designated Compliance Officer (DCO) 

Name: Gerry van Heerden

Email: gerry@celtouch.com

 Phone: +27 72 890 9790

33. Appendix D – Acronyms & Abbreviations (U.S. Version)

Acronym	Full Term	Explanation / Context
AI	Artificial Intelligence	Used in Celtouch’s automated monitoring and pattern-recognition systems.
AML	Anti-Money Laundering	Framework of U.S. laws and controls to prevent disguising proceeds of crime.
AML/CFT	Anti-Money Laundering and Counter-Terrorist Financing	Combined reference to AML and TF measures.
AMLA	Anti-Money Laundering Act of 2020 (U.S.)	Updated U.S. AML legislation under the Bank Secrecy Act framework.
BSA	Bank Secrecy Act	Primary U.S. AML statute requiring record-keeping and reporting of suspicious activity.
CDD	Customer Due Diligence	Identification and verification process for customers under the FinCEN CDD Rule.
CFT	Counter-Terrorist Financing	Measures to prevent the collection or use of funds for terrorism.
DCO	Designated Compliance Officer	Senior officer responsible for AML/CFT oversight at Celtouch.
EDD	Enhanced Due Diligence	Additional scrutiny applied to higher-risk clients or transactions.
EU	European Union	Mentioned only for sanctions screening against the EU Consolidated List.
FATF	Financial Action Task Force	Inter-governmental body that sets global AML/CFT standards; U.S. is a member.
FATF 40	FATF 40 Recommendations	Internationally recognised AML/CFT framework adopted by the U.S. through the BSA.
FBI	Federal Bureau of Investigation	May receive referrals or coordinate on AML/CFT enforcement actions.
FCPA	Foreign Corrupt Practices Act	U.S. law prohibiting bribery of foreign officials; relevant to PEP and corruption risk.
FDIC	Federal Deposit Insurance Corporation	Oversees safety and compliance for U.S. insured institutions.
FinCEN	Financial Crimes Enforcement Network	The U.S. Financial Intelligence Unit under the Treasury Department.
FATCA	Foreign Account Tax Compliance Act	U.S. regime requiring disclosure of offshore accounts (used for tax-information matching).
FIU	Financial Intelligence Unit	In the U.S., this role is performed by FinCEN.
GDPR	General Data Protection Regulation	EU privacy regulation referenced only when processing EU-resident data.
HR	Human Resources	Department responsible for employee compliance acknowledgements.
ISTR	Internal Suspicious Transaction Report	Internal form submitted by staff to the Compliance Officer.
IRS	Internal Revenue Service	U.S. tax authority; relevant for verifying taxpayer identification (TIN/EIN).
KYC	Know-Your-Customer	Practical implementation of CDD requirements.
ML	Money Laundering	Concealment of the origins of illegally obtained money.
NMLS	Nationwide Multistate Licensing System	Registry for U.S. money-service businesses and fintech compliance licensing.
OFAC	Office of Foreign Assets Control	U.S. Treasury office administering and enforcing sanctions programs.
PEP	Politically Exposed Person	Individual holding, or previously holding, a prominent public function.
PDD	Partner Due Diligence	Review of counterparties such as U.S. or foreign banks and fintech partners.
RBA	Risk-Based Approach	Allocating AML resources proportionate to assessed risk.
SAR	Suspicious Activity Report	Formal report filed with FinCEN regarding suspected ML/TF.
SDD	Simplified Due Diligence	Reduced CDD applied to low-risk situations where legally permitted.
SDN	Specially Designated Nationals	OFAC’s list of sanctioned individuals and entities.
SEC	Securities and Exchange Commission	Regulates U.S. securities-related AML compliance.
STR	Suspicious Transaction Report	Equivalent term to SAR in some non-U.S. jurisdictions.
TF	Terrorist Financing	Funding or financial support of terrorist acts or organisations.
TIN	Taxpayer Identification Number	Used for individual or corporate tax verification in the U.S.
U.S. Patriot Act	Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001	U.S. law expanding AML/CFT powers, especially under Title III.
UN	United Nations	Provides international sanctions lists mirrored in OFAC data.
UNSC	United Nations Security Council	Source of global sanctions resolutions adopted by OFAC.
USA	United States of America	Celtouch’s current operating jurisdiction.
VAT	Value-Added Tax	Mentioned only when screening foreign corporate clients.
Wolfsberg Group	Wolfsberg Group Principles	Financial-industry AML best-practice standards referenced by U.S. institutions.