DATA Working Group - Global AML Guidelines

1. AML WORKING COMMITTEE GUIDELINES 1 Anti-Money Laundering Guidelines1 INTRODUCTION The Digital Asset Transfer Authority (DATA) recognizes the critical importance of preventing its members’ digital currency products and services from being used for illicit purposes, including money laundering and terrorist financing. DATA also recognizes that new technologies may pose qualitatively and functional distinct risks from traditional financial transactions, and that these products, services, and corresponding risks will also evolve alongside the technology. The guidelines are intended to provide a starting point that incorporates the spirit and substance of AML policies for the digital asset industry based on current state of the industry and existing regulations. DATA believes that AML guidelines for and adopted by this nascent industry must be reiterative and continue to evolve to ensure that operationalized measures intended to fulfill the policy goals of preventing threats to the global financial network are effective in practice, while maintaining the integrity of other fundamental rights and values, including civil liberties, financial privacy and inclusion, transparency and accountability. Background Anti-money laundering standards emanate from local, inter-governmental and inter- institutional bodies, the most prominent of which is the Financial Action Task Force (“FATF”). The Financial Action Task Force (FATF) is an inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. The FATF is therefore a “policy-making body” which works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas in coordinated action across the globe. The FATF has developed a series of Recommendations that are recognized as the international standard for combating of money laundering and the financing of terrorism and proliferation of weapons of mass destruction. They form the basis for a coordinated response to these threats to the integrity of the financial system and help 1 Please consult legal counsel for advice regarding the application of specific regulations, including anti-money laundering and terrorist financing laws to particular products or services.

2. AML WORKING COMMITTEE GUIDELINES 2 ensure a level playing field. First issued in 1990, the FATF Recommendations were revised in 1996, 2001, 2003 and most recently in 2012 to ensure that they remain up to date and relevant, and they are intended to be of universal application. Each member nation of the FATF implements its recommendations by enacting laws and their implementing regulations in each jurisdiction. The FATF then monitors the progress of its implementation and utilizes an enforcement mechanism of incentives and sanctions. The following guidelines developed by DATA’s AML Working Committee are fundamentally based on the FATF’s Recommendations as well as other FATF research publications, and are recommended to any company that does business or provides services with and for the digital currency industry (particularly any company that holds or manages customer funds), including exchanges, wallets, merchant services, administrators, miners, equipment sales companies and security service providers (collectively referred to in these guidelines as Digital Asset Companies). Although these guidelines specifically reference United States and other regulatory guidelines, Digital Asset Companies anywhere in the world should focus on the spirit of the guidelines that, as discussed above, emanates from FATF’s internationally recognized standards. DATA recognizes that the digital asset industry is still in its infancy and that any guidelines or best practices should be reiterative and carefully evaluated to ensure that critical, multifaceted policy goals are effectively balanced and achieved. GUIDELINES 1. Digital Asset Companies should implement a basic AML Compliance Program whether or not required by law. DATA recognizes that digital currencies and other assets, like other value transfer systems, have been used by some criminal elements as a form of payment, and that cross-border value transfer systems are vulnerable to abuse by criminals. DATA recommends that all Digital Asset Companies implement a risk-based AML Compliance program, whether or not required by law, which would include the classic “four pillars” of an AML program: I. Appointing a knowledgeable Chief Compliance Officer; II. Training for the organization’s board and employees regarding what money laundering and illicit financing consists of, how it can be recognized and what to do if such illicit financial activity is suspected;

3. AML WORKING COMMITTEE GUIDELINES 3 III. Preparing internal procedures covering A. Due diligence of major customers, vendors, employees, investors B. Limits on accounts, transactions, access to data as deterrents to abuse C. Steps to take when illicit activity is suspected, including to whom such activity should be reported, escalation procedures D. Record-keeping and record retention procedures E. Reporting and information sharing procedures IV. An annual independent review of the procedures and program Digital Asset Companies should also develop and implement a Sanctions Compliance Program. In the U.S., such a program would be called an OFAC Compliance Program. The Office of Foreign Assets Control (OFAC) administers and enforces economic and trade sanctions against targeted foreign countries, terrorism sponsoring organizations and international narcotics traffickers based on U.S. foreign policy and national security agenda. OFAC acts under Presidential wartime and national emergency powers, as well as authority granted by specific legislation, to impose controls on transactions and freeze foreign assets under U.S. jurisdiction. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments. AML and Sanctions Compliance Programs must be written and well-documented. Above all, they must be demonstrably effective. Therefore, Digital Asset Companies are advised to focus both on the formal and substantial, operational aspects of compliance programs. The rest of the guidelines refer to key internal procedures that should be in place as part of any AML and Sanctions Compliance Program. 2. Digital Asset Companies should conduct a thorough risk assessment of their products and services. In order to develop a solid risk-based AML Compliance Program, each Digital Asset Company should take a hard look at their products or services to determine which product and/or service presents more or less risks, and then tailor its deterrent and detective controls to the specific risks and tiers of risk identified. A typical risk assessment considers customer, product and geographic risks. For example:

4. AML WORKING COMMITTEE GUIDELINES 4 ● Customers that are anonymous, with no known source of funds are higher risk customers. ● Products that involve high potential values, international usage, or access to cash are generally considered higher risk products. ● Customers, sales or products linked to domestic geographic locations designated, in the United States, as High Intensity Drug Trafficking Areas (HIDTAs) or High Intensity Financial Crime Areas (HIFCAs) would be higher risk. International locations that are subject to national security-based sanctions, such as those administered by OFAC in the United States, or identified as supporting international terrorism, or identified as non-cooperative by the Financial Action Task Force on Money Laundering (FATF), would all be considered higher risk. Once a Digital Asset Company determines which products more or less risk than other products and/or the norm, appropriate mitigating actions (such as transaction limits, increased monitoring, or increased customer identification collecting more detailed information about the individual or business) can then be implemented. 3. Digital Asset Companies should develop risk-based Customer Identification Procedures. There is a wide range of possible customer identification procedures that a Digital Asset Company can implement, depending on the circumstances. Under FinCEN’s Guidance issued on March 18, 2013, exchanges and administrators are required to register as “money transmitters,” a category that requires only the collection of name and address of their customers, and not collection of more sensitive personal data such as date of birth or social security number.2 Under many circumstances, the data collected must be stored and must “travel” with the transaction, but there is no obligation to verify the data.3 Nevertheless, under a risk- based AML Program, a Digital Asset Company should consider implementing more in- depth customer identification and verification procedures – especially for customers and products identified in the risk assessment as high risk. 2 See March 18, 2013 Application of FinCEN's Regulations to Persons Administering, Exchanging, or Using Virtual Currencies. Please consult legal counsel for advice regarding specific products or services. For example, under US state, federal and international laws, other categories of financial institutions and corresponding regulations may apply to a specific Digital Currency Company, based in its specific products and services. 3 Please consult legal counsel for advice regarding the application of specific laws such as the “travel rule” to particular products or services.

5. AML WORKING COMMITTEE GUIDELINES 5 4. Digital Asset Companies should develop risk-based due diligence procedures. No company is immune to criminal attempts to infiltrate and use its products and services for illicit purposes. Digital Asset Companies have already been targeted by some criminal enterprises and therefore must be vigilant when hiring employees, accepting investments or retaining vendors that provide critical services. In addition, any customers who routinely ask for non-traditional services, seek waivers of limits or restrictions, and often submit particularly high-value transactions, should also be reviewed carefully. As with identification procedures, due diligence can cover a range of possibilities – everything from simply “googling” the person or company involved or checking the appropriate government agency for corporate registration, to requesting banking and other references, to obtaining credit or business reports, and even obtaining a criminal background check. 5. Digital Asset Companies should monitor their transactions for potentially suspicious, fraudulent or criminal activity. Digital Asset Companies are advised to control not only the onboarding stage but the entire life cycle of a relationship as well. Any payments company that holds or moves value need to keep an eye on the flow of transactions. It is important to understand what is “business as usual” and what constitutes a deviation from the norm. Digital Asset Companies can benefit by working directly with law enforcement to learn about criminal typologies in their area, and what kinds of activities could be a sign of criminal misuse. In addition to a monitoring program, there also needs to be procedures in place regarding what to do if a transaction appears to be suspicious, fraudulent, criminal in nature, or in violation of nationally-imposed sanctions. 6. Digital Asset Companies should appoint a Chief Compliance Officer who is independent and works closely with each Company’s Board. Having an experienced Chief Compliance Officer that reports to the Board and keeps the Board apprised of potential risks as well as suspicious, fraudulent or criminal activity is a critical feature for most Digital Asset Companies. In addition to being experienced and knowledgeable about compliance with AML laws and regulations, it is important that this person have the standing and resources within the Company to effectively implement the compliance program and be heard and able to take action if an issue should arise.

6. AML WORKING COMMITTEE GUIDELINES 6 7. Digital Asset Companies should train all employees, officers and Board members about AML risks. To create a culture of compliance, from the first day an employee begins work, he or she should be sensitized to the risks of having a digital payment product or service misused for illicit purposes. The training does not need to be lengthy or onerous. But basic facts should be shared about what is money laundering, fraud, and illicit financing, what patterns or behavior to watch out for, and what to do if the employees sees or hears something that raises a concern. The training should be given at all levels of the Digital Asset Company, and should be repeated annually. Records should be maintained showing who was trained, when the training occurred, and what the training consisted of. 8. Digital Asset Companies should undergo a periodic “Independent Review” of their AML and Sanctions Program. Depending on the size and volume of business, the review can be performed by an internal person or group, provided that person or group does not report into the Compliance function and can provide the results of the review directly to the Board. The independent review is intended to ensure that transaction monitoring, risk assessments, training, customer ID and due diligence activities are occurring as planned and the controls in place are effective. If no one checks to make sure it is happening, then it easy for these critical processes to get pushed to the back burner, or entirely forgotten under the pressure of new business. The annual review should also involve a meeting with legal counsel to make sure that applicable laws have been updated, and any compliance activities (e.g., money transmitter licensing renewals; MSB registration renewals) have been kept up to date. CONCLUSION Digital assets and emerging payment technologies are poised to bring enormous positive benefits to society all over the world. DATA believes that in order for these emerging technologies to gain legitimacy in the global financial markets, and for Digital Asset Companies to thrive, the industry needs to adapt, adopt and implement best practices such as the guidelines described above that adhere to existing standards and, if necessary, adapt those policy standards in dialogue and collaboration with public and private stakeholders to address the risks and benefits posed these new technologies.

7. AML WORKING COMMITTEE GUIDELINES 7 The protection of the global financial system from abuse is a global societal goal and a primary policy goal of most nations of the world. Therefore, the careful development of compliance measures that meet or exceed the effectiveness of AML standards and regulations currently in force, that also address related policy goals of financial inclusion, privacy, transparency and accountability, is one of DATA’s key goals for the industry. RESOURCES See below for a partial list of international financial regulation agencies. Financial Action Task Force - The FATF Recommendations Africa & Middle East Kenya – Capital Markets Authority (CMA) Israel - Israel Securities Authority (ISA) South Africa - South African Reserve Bank - Financial Services Board (South Africa) United Arab Emirates - Securities and Commodities Authority - (SCA) - Dubai Financial Services Authority - (DFSA) Asia China - China Banking Regulatory Commission (CBRC) - China Securities Regulatory Commission (CSRC) - China Securities Regulatory Commission (CSRC) - Ministry of Industry and Information Technology (MIIT) Hong Kong – Financial Services Authority (FSA) India - Reserve Bank of India (RBI) - Securities and Exchange Board of India (SEBI) Japan – Financial Services Agency (FSA) Singapore – Monetary Authority of Singapore (MAS) South Korea - Financial Services Commission (FSC) - Financial Supervisory Service (FSS)

8. AML WORKING COMMITTEE GUIDELINES 8 Australia AUSTRAC-Australian Transaction Reports and Analysis Centre Europe European Union - European Commission - European Banking Authority (EBA) - FIU.net Germany – Federal Financial Supervisory Authority (BaFin) Sweden - Financial Supervisory Authority (Finansinspektionen or “FI”) United Kingdom - Financial Services Authority (FCA) - Prudent Regulation Authority (PRA) - HM Revenue & Customs Latin America Argentina - Comisión Nacional de Valores (CNV) Brazil -Banco Central do Brasil (BCB) -Comissão de Valores Mobiliários (CVM) Chile - Superintendencia de Valores y Seguros Mexico - Comisión Nacional Bancaria y de Valores North America Canada - Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) - Office of the Superintendent of Financial Institutions (OSFI) United States - Financial Crimes Enforcement Network (FinCEN) - Office of Foreign Assets Control (OFAC) - Securities & Exchange Commission (SEC) - Commodity Futures Trading Commission (CFTC) - Federal Reserve System (The "Fed") - Federal Deposit Insurance Corporation (FDIC) - Federal Trade Commission (FTC) - Financial Industry Regulatory Authority (FINRA) - Office of the Comptroller of the Currency (OCC) - National Credit Union Administration (NCUA) - National Futures Association (NFA) - Consumer Financial Protection Bureau (CFPB)