KNOW YOUR CUSTOMER (KYC) AND ANTI-MONEY LAUNDERING (AML) POLICY

1. DEFINITIONS AND OBJECTIVES

1.1 Introduction

This Know Your Customer (KYC) and Anti-Money Laundering (AML) Policy defines the principles and procedures adopted by SynergyRecycle.B to prevent and combat money laundering, terrorist financing, and other illicit activities through our services and the use of SRB tokens.

1.2 Regulatory Framework

Our policy is based on relevant international and national regulations and guidelines, including:

• Directive (EU) 2015/849 (Fourth Anti-Money Laundering Directive - 4AMLD).
• Directive (EU) 2018/843 (Fifth Anti-Money Laundering Directive - 5AMLD) and subsequent amendments.
• National implementing legislation (e.g., D.Lgs. 231/2007 in Italy, Geldwäschegesetz - GwG in Germany).
• Regulation (EU) 2016/679 (GDPR) for aspects related to the processing of personal data collected for KYC/AML purposes.
• Recommendations of the FATF (Financial Action Task Force).
• Potential future specific regulations for virtual assets (e.g., MiCA - Markets in Crypto-Assets Regulation).

1.3 Policy Objectives

The main objectives of this policy are:

• To prevent the SynergyRecycle.B platform and SRB tokens from being used for money laundering, terrorist financing, or other illicit financial activities.
• To establish effective procedures for identifying and verifying the identity of our customers (KYC).
• To implement a system for monitoring user transactions and activities to detect suspicious behavior.
• To define the procedures for reporting suspicious transactions to the competent authorities.
• To ensure compliance with all applicable AML/CFT laws and regulations.
• To protect the integrity and reputation of SynergyRecycle.B.

1.4 Scope of Application

This policy applies to:

• All users interacting with specific platform features requiring verification (e.g., buying/selling tokens above certain thresholds, accessing advanced services).
• All transactions involving SRB tokens or fiat funds managed through the platform (if applicable).
• All employees, collaborators, and directors of SynergyRecycle.B involved in KYC/AML processes.
• Any third-party partners or service providers operating on our behalf in areas relevant to KYC/AML.

2. IDENTITY VERIFICATION PROCEDURES (KYC)

2.1 Risk-Based Approach

We adopt a risk-based approach to determine the appropriate level of due diligence to apply to each user. Risk classification considers various factors, including:

• User Profile: Type of user (natural person, legal entity), nature of declared activity.
• Geography: Country of residence, nationality, countries associated with transactions (considering lists of high-risk or sanctioned countries).
• Product/Service Used: Required access level, features used (e.g., transaction limits).
• Transactional Behavior: Volume, frequency, and nature of expected or observed transactions.
• PEP Status: Verification if the user or their close associates are Politically Exposed Persons (PEPs).

2.2 Due Diligence Levels

Based on the risk assessment, we apply the following verification levels:

1. Simplified Due Diligence (SDD): Applicable in inherently low-risk situations (e.g., users with limited access, very low-value transactions). May only require basic information (e.g., verified email).
2. Customer Due Diligence (CDD): The standard level applied to most users accessing key features. Requires identification and identity verification.
3. Enhanced Due Diligence (EDD): Applied to users or situations classified as high-risk (e.g., PEPs, users from high-risk jurisdictions, complex or unusually large transactions). Requires additional information and checks, such as source of funds, wealth information, intensified monitoring.

2.3 Identification and Verification Process

2.3.1 Natural Persons (CDD/EDD)

We require the collection and verification of the following information:

• Full Identifying Data: First name, last name, date of birth, place of birth, nationality, full residential address.
• Valid Identity Document: Copy of a valid government-issued document (passport, national identity card, driver's license) containing a photograph.
• Document Verification: Use of reliable, independent databases or specialized providers to verify the authenticity of the document and the correspondence of data.
• Address Verification: Recent proof of residence (e.g., utility bill, bank statement, residence certificate - dated within the last 3 months).
• Selfie or Video Verification (Liveness Check): A selfie of the user holding the identity document or a short video verification may be required to confirm that the person presenting the document is indeed the user.
• Sanctions Lists and PEP Check: Cross-checking data against international sanctions lists (e.g., OFAC, UN, EU) and PEP databases.
• Additional Information (EDD): For EDD, information on the source of funds/wealth, purpose of the business relationship, occupation may be requested.

2.3.2 Legal Persons (CDD/EDD)

We require the collection and verification of the following information:

• Corporate Data: Legal name, legal form, registration number, registered office and operational address.
• Official Documentation: Certificate of registration/company register extract, articles of association/incorporation act.
• Identification of Legal Representatives: Identification and verification of individuals authorized to act on behalf of the entity (following procedures for natural persons).
• Identification of Ultimate Beneficial Owners (UBOs): Identification and identity verification of the natural persons who ultimately own or control, directly or indirectly, a significant stake (generally >25%) or exercise control over the entity. Requires supporting documentation (e.g., ownership structure).
• Nature of Business: Detailed description of the commercial activity carried out.
• Sanctions Lists Check: Checking the entity and its beneficial owners/representatives.
• Additional Information (EDD): Complex ownership and control structure, source of funds, detailed purpose of the relationship.

2.4 Updating and Periodic Review of KYC Information

KYC information must be kept up-to-date. We conduct periodic reviews:

• High Risk: At least annually or more frequently if necessary.
• Standard/Low Risk: Every 2-5 years, or following trigger events such as significant changes in user data or transactional behavior.

Users are required to promptly inform us of any changes to their identification data.

3. ANTI-MONEY LAUNDERING (AML) MEASURES

3.1 Transaction Monitoring

We implement monitoring systems, both automated and manual, to analyze transactions conducted on the platform in search of unusual or potentially suspicious activities. Monitoring considers:

• Volume and Frequency: Unusually large or frequent transactions compared to the user's profile.
• Transactional Patterns: Attempts at structuring (smurfing), circular transactions, use of multiple accounts.
• Counterparties and Jurisdictions: Transactions to/from wallet addresses known for illicit activities or to/from high-risk or non-cooperative jurisdictions.
• Profile Deviations: Activities inconsistent with the user's risk profile or declared activity.

3.2 Detection and Management of Suspicious Activities

Any activity that raises doubts or lacks an apparent economic or legal explanation is considered potentially suspicious. Red flags include, but are not limited to:

• Attempts to evade KYC/CDD procedures.
• Provision of false or misleading information.
• Transactions without an apparent legitimate purpose.
• Unusual requests for confidentiality.
• Involvement of individuals present on sanctions lists.
• Complex and unjustified operations.

Potentially suspicious activities are escalated internally to the AML Officer for thorough analysis.

3.3 Reporting Suspicious Transactions (STR)

If, following the analysis, a transaction is deemed suspicious under AML regulations, the AML Officer will:

• Prepare a Suspicious Transaction Report (STR).
• Submit the report to the competent Financial Intelligence Unit (FIU) (e.g., German FIU - Zentralstelle für Finanztransaktionsuntersuchungen) or the equivalent authority according to the applicable jurisdiction, within the timelines and methods provided by law.
• Maintain confidentiality regarding the report filed (prohibition of "tipping off"), not informing the concerned user.

3.4 Staff Training

All employees and collaborators with AML/CFT relevant duties receive specific and periodic training on:

• Current AML/CFT legislation and its updates.
• Internal KYC/CDD/EDD procedures.
• Money laundering and terrorist financing techniques.
• Recognition of suspicious activity indicators.
• Internal reporting procedures.
• Confidentiality obligations and the prohibition of tipping-off.

Training participation is mandatory and tracked.

4. DATA RETENTION AND SECURITY

4.1 Secure Storage

All documentation and information collected during KYC/AML processes, as well as records of transactions and analyses performed, are stored securely, ensuring:

• Integrity: Protection against unauthorized modifications.
• Confidentiality: Access limited only to authorized personnel with specific work needs.
• Availability: Data retrievability for competent authorities and internal/external audits.
• Traceability: Logging of data access (audit trail).

We use secure digital storage systems with adequate protection measures (encryption, access control, backups).

4.2 Retention Period

KYC documentation and transaction records are kept for the minimum period required by applicable AML legislation (generally 5 years, but can extend to 10 years in some jurisdictions, starting from the termination of the customer relationship or the date of the last transaction). This period may be extended if required by specific investigations or legal proceedings.

4.3 Personal Data Protection (GDPR)

The processing of personal data collected for KYC/AML purposes is carried out in full compliance with GDPR. We ensure that data is processed only for the purposes provided by AML legislation, that it is adequate, relevant, and limited to what is necessary. Users retain their rights under GDPR, consistent with the retention and reporting obligations required by AML regulations (as specified in section 5).

5. USER RIGHTS AND DATA PROCESSING

5.1 Specific Privacy Notice

Users are informed, through our general Privacy Policy and specific notices at the time of KYC data collection, about the purposes of AML/CFT processing, the legal basis (legal obligation), the types of data processed, retention periods, and their rights.

5.2 Exercise of GDPR Rights

Users can exercise their GDPR rights (access, rectification, etc.) by contacting the Data Controller. However, the exercise of certain rights (such as the right to erasure or objection) may be limited by legal obligations imposed by AML/CFT regulations, particularly regarding:

• The obligation to retain data for periods established by law.
• The obligation to report suspicious transactions and the prohibition of informing the data subject (tipping off).

We will evaluate each request on a case-by-case basis, balancing the data subject's rights with regulatory obligations.

5.3 Transparency

We are committed to providing the maximum possible transparency regarding the processing of data for KYC/AML purposes, within the limits allowed by law and without compromising the effectiveness of anti-money laundering measures.

6. POLICY REVIEW AND UPDATE

6.1 Periodic Review

This KYC/AML Policy is subject to periodic review, at least annually, and whenever significant changes occur in the regulatory framework, business operations, identified risks, or industry best practices.

6.2 Internal and External Audit

The effectiveness of KYC/AML procedures is verified through regular internal audits. We may also use independent external audits to ensure the adequacy and compliance of our policy and procedures.

6.3 Approval and Dissemination

Any substantial revision of the policy must be approved by Senior Management or the competent governing body. The updated version is communicated to all relevant staff and made available to stakeholders as appropriate.

7. RISK ASSESSMENT

7.1 Risk Assessment

We conduct an AML/CFT risk assessment at least annually (or more frequently if necessary) to identify, analyze, and understand the specific risks to which SynergyRecycle.B is exposed. The assessment considers:

• Customer-related risks (type, behavior, geography).
• Risks related to products/services offered (features, vulnerabilities).
• Risks related to delivery channels and interfaces used.
• Geographic risks (countries of operation, customer countries).

7.2 Risk Mitigation

Based on the results of the risk assessment, we implement adequate and proportionate mitigation measures, which may include:

• Application of differentiated due diligence levels.
• Setting specific operational limits.
• Strengthening monitoring controls.
• Specific training for staff.
• Decision not to initiate/terminate relationships with very high-risk clients where risk cannot be mitigated.

8. GOVERNANCE AND RESPONSIBILITY

8.1 Organizational Structure

AML/CFT governance includes:

• Senior Management/Governing Body: Ultimate responsibility for policy approval and oversight of its implementation.
• AML Officer (Compliance Officer): Dedicated figure responsible for the daily implementation of the policy, monitoring, management of suspicious reports, training, and reporting to management.
• Internal Control/Audit Functions: Independent verification of the adequacy and effectiveness of AML procedures.

8.2 Clear Responsibilities

Specific responsibilities for each role involved in KYC/AML processes are clearly defined and communicated within the organization.

9. FINAL PROVISIONS

9.1 Entry into Force

This version of the KYC/AML Policy comes into effect from the date indicated in the last update.

9.2 Internal Dissemination

The policy is made available to all relevant personnel through internal communication channels and is an integral part of mandatory training programs.

9.3 Contacts for AML/KYC Matters

For any specific questions or clarifications regarding this policy, you can contact the AML Officer at: compliance.srb@example.com (Note: Replace with the correct email).