ZYC-AML-001 AML / CTF / Anti-Proliferation Policy

Anti-Money Laundering, Counter-Terrorist Financing & Anti-Proliferation Policy

(Applies to all business lines at Zeyro. Updated October 2025)


Background

Zeyro operates under the Financial Conduct Authority (FCA) regime for MiFID arranging activities and financial promotion approvals (for both cryptoassets and funds under the Overseas Fund Regime). While Zeyro does not handle or transmit client funds, our work means we can indirectly expose the UK market to financial crime risks by approving promotions for clients who might use their products or services for money laundering or terrorist or proliferation financing.

In line with the Money Laundering Regulations 2017 (MLRs) and FCA expectations, we first conducted a Business-Wide Risk Assessment (BWRA) to identify the money laundering (ML), terrorist financing (TF), and proliferation financing (PF) risks that could arise in our business. That assessment — available here — defines where we are most exposed.

This AML/CTF/Anti-Proliferation Policy sets out how we mitigate those identified risks through proportionate controls, monitoring, and governance. Each section of this policy corresponds to a category of mitigation identified in the BWRA. [MLRs Reg 19 – written policies, controls, and procedures]


Purpose

This policy ensures Zeyro’s services are never used to enable ML, TF, or PF. Although we do not handle client money, we act as a gateway to the market through our approval and arranging activities. If we approve a promotion for a bad actor, we risk facilitating financial crime.

How this controls our key risks

This principle underpins mitigation of every risk identified in the BWRA by ensuring that financial crime considerations apply across all business lines and decision-making.


Scope

This policy applies to all Zeyro employees and covers:

  • Crypto financial promotion approvals – for overseas crypto-asset firms.

  • OFR financial promotion approvals – for authorised fund managers (usually EU-based).

  • Facilities services – MiFID arranging activities for investment funds.


Governance

  • MLRO: Gareth Malna (SMF 16 & 17) is responsible for AML/CTF compliance.

  • Board Oversight: The board reviews AML/CTF risks annually and after any material business change.

  • All Staff: Everyone at Zeyro is responsible for identifying and reporting possible financial-crime risks. [MLRs Reg 21 – senior-management responsibility & nominated officer]

How this controls our key risks

Strong governance mitigates the risk of ineffective oversight, outdated policies, or failure to act on emerging ML/TF/PF threats.


Risk Assessment

Zeyro maintains a Business-Wide Risk Assessment (BWRA) identifying ML/TF/PF risks across all business lines. It is reviewed annually or whenever operations change.

Our risk-based framework combines:

  1. Client Risk – automated scoring in DotFile, our AI-enabled KYB/KYC tool.

  2. Asset Risk – manual risk ratings for each cryptoasset, maintained in Confluence.

  3. Promotion Risk – manual assessment of the financial promotion itself.

Each factor contributes to a composite score that determines:

  • how often a client or promotion must be reviewed, and

  • what level of due diligence is applied. [MLRs Reg 18 – risk assessment requirements]

How this controls our key risks

This ensures Zeyro continually identifies where ML/TF/PF exposure lies, reducing the risk of blind spots or inconsistent control application.


Customer Due Diligence (CDD)

Before engagement:

  • DotFile collects and verifies onboarding information (identity, ownership, purpose).

  • It applies an embedded risk methodology and assigns each client a risk score automatically.

  • Sanctions and PEP screening are built into the DotFile process.

  • The MLRO reviews manually if any result is uncertain, incomplete, or inconsistent.

  • Enhanced due diligence (EDD) is triggered for higher-risk clients or jurisdictions. [MLRs Reg 27–33 – CDD & EDD]

How this controls our key risks

Mitigates risks of:

  • Use of Zeyro’s services for money laundering by ensuring every client is verified and risk-scored.

  • KYC control failure through automated onboarding plus MLRO oversight.

  • Sanctions violation via integrated screening.


Asset and Promotion Risk

  • Each cryptoasset is manually scored by Zeyro’s team using a methodology stored in Confluence.

  • Each financial promotion is assessed for ML/TF/PF exposure and linked to its client and asset risk scores.

  • High-risk promotions require board-level approval before sign-off. [MLRs Reg 19 – risk-based controls]

How this controls our key risks

Addresses:

  • Assets used to launder proceeds by ensuring all cryptoassets are risk-rated.

  • Reputational exposure through board oversight of higher-risk approvals.

  • Regulatory breaches by ensuring every promotion is reviewed for AML implications.


Ongoing Monitoring

  • DotFile flags clients and promotions for periodic review based on risk tier.

  • Any material change (ownership, jurisdiction, or business model) triggers immediate re-verification.

  • The MLRO reviews overall risk metrics quarterly to identify emerging threats. [MLRs Reg 21 – monitoring and oversight]

How this controls our key risks

Mitigates:

  • Failure to detect risk escalation by scheduling automatic re-checks.

  • Outdated CDD through MLRO monitoring of risk patterns.


Proliferation Financing & Sanctions

Zeyro screens all clients and connected entities against the UK Sanctions List and considers PF risks, including:

  • high-risk or sanctioned jurisdictions,

  • cryptoassets with anonymising features, and

  • dual-use goods or technologies. [MLRs Reg 19(2)(c) – proliferation-financing controls]

How this controls our key risks

Reduces the likelihood of:

  • Sanctions violations by maintaining automated screening;

  • Failure to identify PF risk via explicit inclusion in risk scoring and onboarding.


Suspicious Activity & Reporting

If anyone suspects that a client or promotion might involve ML, TF, or PF:

  1. Report immediately to the MLRO.

  2. The MLRO assesses and, if necessary, files a Suspicious Activity Report (SAR) to the National Crime Agency (NCA).

  3. Once a SAR is raised, information about it must not be shared externally without NCA consent. [Proceeds of Crime Act 2002 & MLRs Reg 21(3)]

How this controls our key risks

Ensures compliance with legal reporting duties and prevents failure to disclose suspicious activity.


Record-Keeping

Zeyro keeps records of:

  • client due-diligence documents,

  • risk assessments and scoring,

  • SARs and internal reports, and

  • training and compliance reviews

for five years after the end of each business relationship. Records are stored securely in DotFile and Confluence, accessible only to authorised staff. [MLRs Reg 40 – record-keeping]

How this controls our key risks

Mitigates loss of AML evidence by ensuring verifiable audit trails and secure storage.


Training

All staff complete AML/CTF/PF training when joining Zeyro and at least once a year. Training focuses on recognising suspicious activity in the context of financial promotions and fund facilities. [MLRs Reg 24 – training requirements]

How this controls our key risks

Addresses employee unawareness leading to control failure by ensuring staff understand red-flag indicators and escalation routes.


Independent Review

An independent review (internal or external) of Zeyro’s AML controls takes place annually or following major system changes. Findings and remediation actions are presented to the board. [MLRs Reg 21(1)(c) – independent audit function]

How this controls our key risks

Mitigates unidentified control weaknesses by ensuring the AML framework is tested and improved regularly.


Culture & Escalation

We maintain a no-blame culture. If you are unsure about something — raise it. An anonymous reporting channel routes directly to the MLRO. [Supports FCA Principle 11 – openness with regulators]

How this controls our key risks

Prevents under-reporting and promotes early detection of potential financial-crime issues.


Policy Review

This policy is reviewed annually and whenever we introduce new products, technologies, or business lines.

Next review due: October 2026


Summary: Policy–Risk Mapping

| Policy Section                      | BWRA Risk Controlled                          | How the Control Works                                          |
|-------------------------------------|-----------------------------------------------|----------------------------------------------------------------|
| Governance                          | Failure of oversight or outdated policy       | MLRO and board ownership of AML framework                      |
| Risk Assessment                     | Blind spots in ML/TF/PF exposure              | Annual BWRA update covering all business lines                 |
| Customer Due Diligence              | KYC failure / Use of services for ML          | DotFile onboarding, sanctions + PEP screening                  |
| Asset & Promotion Risk              | Cryptoassets used for ML / Reputational damage | Manual asset scoring and board approval for high-risk items   |
| Ongoing Monitoring                  | Failure to detect risk change                 | Automated re-verification and quarterly MLRO review            |
| Proliferation Financing & Sanctions | Sanctions breach / PF oversight               | Integrated sanctions screening and PF risk evaluation          |
| Suspicious Activity Reporting       | Non-compliance with POCA / Failure to report  | Defined SAR escalation path to MLRO and NCA                    |
| Record-Keeping                      | Loss of AML evidence                          | Secure storage in DotFile and Confluence (5 years)             |
| Training                            | Staff unawareness                             | Regular training and competence tracking                       |
| Independent Review                  | Control weakness undetected                   | Annual audit and board review                                  |
| Culture & Escalation                | Under-reporting of concerns                   | Anonymous no-blame escalation path                             |


Document Control

Policy Code: ZYC-AML-001

Document Owner: Gareth Malna (MLRO, SMF 16 & 17)

Responsible Reviewer(s): Zeyro Board

Version: 2.0

Date Approved: 20 October 2025

Next Scheduled Review: October 2026

Last Reviewed By: Gareth Malna

Change History:

  • v 1.0 - Original draft. 7 August 2023

  • v 1.1 - Updated following FA questions. 11 December 2023. @Gareth Malna

  • v 1.2 - Transferred from Notion and reviewed. 12 November 2024. @Gareth Malna

  • v 1.3 - New firm name updated. 18 July 2025. @Laura Smyth

  • v 2.0 - Major revision to include BWRA linkages and risk-control mapping (v1.2, Oct 2025). Previous versions archived in Confluence.

Classification: Internal Policy – distributed to all staff; available to regulators and other third parties upon request.