ZYC-ONB-001 Client Onboarding & Due Diligence Policy
(Applies to all Zeyro staff, directors, contractors, and consultants — Updated October 2025)
Background
Zeyro is authorised by the FCA and must comply with the Money Laundering Regulations 2017 (MLRs), SYSC 6.3, and Principle 11 (Relations with regulators). We do not hold client money or assets but act as an intermediary through financial-promotion approvals and arranging services. Because these activities can indirectly facilitate market access for bad actors, we apply proportionate due-diligence controls to every client.
This policy implements the procedures identified in the Business-Wide Risk Assessment (BWRA) and complements the AML / CTF / Anti-Proliferation Policy (ZYC-AML-001).
Purpose
To ensure that Zeyro:
Verifies the identity and legitimacy of every client before engagement.
Assigns and maintains accurate risk ratings.
Applies enhanced checks to higher-risk clients, assets, and promotions.
Scope
Covers all onboarding, re-verification, and monitoring activities for:
Cryptoasset clients seeking financial-promotion approval.
Overseas Fund Regime (OFR) fund managers.
Facilities-service clients (MiFID arranging).
Key Principles
1. Client Verification (KYB / KYC)
Zeyro uses DotFile, an AI-enabled onboarding tool, to collect and analyse information submitted through the onboarding form.
DotFile verifies identity, ownership, and control; screens for PEPs and sanctions; and assigns a risk rating using Zeyro’s five-tier scale: Low, Medium, High, Very High, and Prohibited.
Clients rated as Prohibited cannot be onboarded.
The MLRO manually reviews any incomplete or ambiguous onboarding results.
How this controls our risks: Ensures all clients are verified and categorised consistently using both automated and human oversight.
2. Client Type Risk Expectations
Cryptoasset clients are always subject to Enhanced Due Diligence (EDD) regardless of their risk score.
This reflects the inherent financial-crime risk of cryptoassets and their promoters.
Funds clients authorised in recognised EU jurisdictions generally qualify for Simplified Due Diligence (SDD), reflecting lower risk due to their regulatory status.
SDD may be revoked if other risk indicators (PEPs, sanctions, adverse media) are identified.
How this controls our risks: Applies a realistic risk-based approach that distinguishes high-risk crypto clients from lower-risk regulated fund clients.
3. Risk Rating Framework
Risk ratings are generated automatically in DotFile using Zeyro’s five-tier system: Low, Medium, High, Very High, and Prohibited.
Zeyro also maintains manual risk ratings in Confluence for:
Cryptoassets
Funds
Promotions
These manual ratings supplement DotFile outputs and are aggregated to form a composite “client + product + promotion” risk view.
Ratings determine:
The depth of due diligence (SDD, CDD, EDD)
Review frequency (higher risk = more frequent)
Monitoring intensity
How this controls our risks: Combines automated and manual intelligence for a holistic and auditable risk profile across clients, assets, and promotions.
4. Enhanced Due Diligence (EDD)
EDD applies automatically to:
All cryptoasset clients
Any client flagged as High or Very High risk
Clients involving high-risk jurisdictions, PEPs, or complex ownership
EDD includes:
Verification of source of funds and wealth
Independent corporate-registry and ownership checks
MLRO review and sign-off before engagement
How this controls our risks: Provides deeper scrutiny where financial-crime exposure is highest.
5. Ongoing Monitoring
DotFile triggers re-verification based on client risk level:
Low – every 24 months
Medium – every 12 months
High / Very High – every 6 months
Cryptoasset clients and prohibited-risk cases are monitored continuously.
Any material change (ownership, jurisdiction, product type) triggers immediate review.
How this controls our risks: Ensures client data and risk classification remain current and accurate.
6. Sanctions & Screening
All clients and beneficial owners are screened against the UK Sanctions List at onboarding and monthly thereafter.
Matches are escalated to the MLRO and no business proceeds until resolved.
How this controls our risks: Prevents relationships with sanctioned or restricted parties.
7. Record Keeping
All verification data, risk scores, and review notes are stored securely in DotFile and Confluence.
Records are retained for five years after the end of each relationship.
How this controls our risks: Maintains an audit-ready evidence trail for the FCA and external reviewers.
8. Training & Responsibilities
All staff involved in onboarding complete AML and due-diligence training annually.
Suspicious patterns or irregularities must be escalated to the MLRO immediately.
How this controls our risks: Ensures staff awareness and consistent application of the risk-based approach.
Last updated