Anti-Money Laundering (AML) Policy

Last Updated on 29th July 2025

1. Purpose

This Anti-Money Laundering (AML) Policy outlines AFI’s commitment to upholding the highest standards in combating money laundering, terrorism financing, sanctions evasion, and other forms of financial crime. The policy is designed to voluntarily ensure compliance with the European Union’s Fifth Anti-Money Laundering Directive (AMLD5), along with applicable international regulatory frameworks and industry best practices.

AFI operates as a decentralized, non-custodial financial protocol that leverages algorithmic agents and smart contracts for cross-chain (Swarm Intelligence), risk-optimized asset deployment. Despite the platform’s non-custodial architecture and absence of direct control over user assets, AFI recognizes its responsibility to implement effective controls that minimize the risk of illicit financial activity occurring via its infrastructure.

This AML Policy serves the following core purposes:

  • Promoting a risk-based culture of compliance that aligns with decentralized finance (DeFi) principles and technological innovations

  • Establishing internal guidelines and monitoring procedures for ecosystem participants who interact with the AFI protocol, including interface providers, developers, and integrators

  • Demonstrating AFI’s proactive stance in supporting lawful use of decentralized technologies and maintaining transparency and trust within the ecosystem

AFI is committed to continuously evolving its AML practices to reflect changes in global regulations, threat landscapes, and decentralized technology risks, while maintaining a balance between user privacy, permissionless access, and regulatory integrity.


2. Scope

This AML Policy applies to all operational layers, technical interfaces, and user interactions within the AFI ecosystem that may involve or present exposure to money laundering or terrorist financing risks. While AFI is a decentralized, non-custodial protocol and does not take possession of user funds, it acknowledges that certain components of the platform—particularly those involving user access, smart contract execution, and value transfer—may be targeted or exploited for illicit activity.

This Policy governs and informs AML risk mitigation efforts in connection with the following:

  • User Onboarding via Front-End Gateways: Any web-based or application-based interface that facilitates user access to AFI’s decentralized infrastructure, including integrations by third-party interface providers, must implement appropriate risk-based controls, including user screening and identity verification where applicable.

  • Smart Wallet Creation and Usage: The automatic creation of ERC-4337-compatible smart wallets for users entails the possibility of repeated, pseudonymous wallet interactions. Although no custodial services are provided, the platform recognizes the importance of transaction pattern monitoring and behavioral analytics to detect anomalous or suspicious activity.

  • Deployment of Crypto Assets into Yield Strategies: Funds deposited into AFI vaults may be deployed across third-party DeFi protocols. The AML implications of routing user assets to external smart contracts are considered within the risk framework, and protocols integrated by AFI’s autonomous agents are subject to periodic due diligence.

  • Minting and Redemption of the afiusd Vault Token: The minting and burning of afiusd tokens, which represent claims to the yield generated from user-deployed stablecoins, can involve complex, cross-chain, or privacy-enhancing transaction flows. These token lifecycle events are monitored to prevent abuse, layering, or value obfuscation associated with money laundering techniques.

This Policy applies to all contributors, developers, validators, third-party integrators, and governance participants who support the AFI protocol in a manner that could impact financial integrity or regulatory exposure. It also outlines shared expectations for front-end operators and partners interacting with end users.


This Anti-Money Laundering Policy has been developed in accordance with the European Union’s Fifth Anti-Money Laundering Directive (AMLD5), which came into effect in January 2020. AMLD5 extends AML compliance obligations to a broader range of entities, including virtual asset service providers (VASPs), decentralized platforms, and wallet service providers, where applicable.

AFI, while operating as a decentralized and non-custodial protocol, aligns its compliance framework with the core principles of AMLD5 and global Financial Action Task Force (FATF) standards to the extent technically and operationally feasible. This includes the implementation or facilitation of the following key requirements:

  • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD): AFI expects front-end operators or interface providers interacting with users to implement robust identity verification measures, including Know Your Customer (KYC) procedures. In higher-risk cases, such as users from high-risk jurisdictions or using privacy-enhancing technologies, EDD protocols must be applied to gather additional information and perform deeper risk assessment.

  • Suspicious Transaction Monitoring and Reporting: While AFI cannot directly monitor users due to its decentralized nature, the protocol encourages interface providers and analytics-integrated components to monitor wallet behavior for suspicious transaction patterns (e.g., rapid fund cycling, use of mixers, sudden high-volume interactions). Where applicable, suspicious activity should be escalated and reported to the relevant Financial Intelligence Unit (FIU).

  • Recordkeeping Obligations: In compliance with AMLD5, relevant user data collected during CDD/EDD procedures must be retained securely for a minimum of five (5) years. This includes identity documentation, transaction logs, and audit trails. Where AFI integrates with custodial or regulated gateways, those entities are expected to fulfill these data retention responsibilities.

  • Cooperation with Financial Intelligence Units (FIUs): AFI and its ecosystem partners commit to cooperating with law enforcement and competent FIUs upon lawful request, including facilitating access to relevant transaction data or user records, where such data exists or is held by regulated partners.

This legal framework ensures that AFI’s AML strategy is not only technically mindful of its decentralized architecture but also aligned with emerging European and global standards for decentralized finance (DeFi) compliance.


4. AML Risk Approach

In alignment with the requirements of AMLD5 and FATF guidelines, AFI adopts a Risk-Based Approach (RBA) to Anti-Money Laundering (AML) compliance. This means that AFI assesses and addresses the likelihood and impact of potential money laundering or terrorist financing (ML/TF) risks based on the nature of user interactions, transaction behavior, and technical environment.

While operating as a decentralized, non-custodial protocol, AFI applies this RBA through modular compliance features integrated into its ecosystem interfaces, smart wallet architecture, and analytics layers. This allows risk to be assessed without compromising decentralization principles.

4.1 High-Risk Indicators

AFI and its ecosystem partners flag or scrutinize activities that exhibit one or more of the following high-risk characteristics:

  • Anonymized Transactions: Use of privacy-enhancing technologies (e.g., Tornado Cash, Monero bridges) that obscure fund origin or destination.

  • Large, Unusual Deposits: Sudden or disproportionate deposits into vaults or yield strategies without historical precedent.

  • Interactions with Mixers or Obfuscation Protocols: Engagement with services designed to hide fund provenance.

  • Cross-Border Transfers from High-Risk Jurisdictions: Interactions originating from or directed to jurisdictions identified by the EU or FATF as non-cooperative or high-risk.

  • Rapid In/Out Transactions: Patterns indicating potential layering or structuring behavior.

Such activities may trigger enhanced review or restrictions where interface providers or on-chain compliance tools are used.

4.2 Low-Risk Indicators

Conversely, the following are considered low-risk indicators:

  • Transparent, Verifiable On-Chain Activity: Clear transaction history with identifiable wallet behavior traceable across DeFi platforms.

  • Known Source of Funds: Deposits from regulated platforms or wallets with a consistent and explainable asset trail.

  • Stable Usage Patterns: Gradual and consistent use of AFI vaults and smart accounts for yield purposes over time.

Where low-risk factors dominate, the AML burden on users may be proportionally lower, consistent with AMLD5’s proportionality principle.

4.3 Adaptive Risk Monitoring

Although AFI does not operate as a centralized custodian or financial institution, the protocol encourages integration with on-chain compliance tools (e.g., Chainalysis, TRM Labs) to dynamically assess wallet risk scores, transactional metadata, and jurisdictional exposure. These tools support ecosystem partners in aligning with AMLD5 requirements while preserving user privacy and decentralization.


5. Customer Due Diligence (CDD)

AFI recognizes the importance of Customer Due Diligence (CDD) as a core component of AML compliance under the EU's Fifth Anti-Money Laundering Directive (AMLD5). While the AFI protocol itself is decentralized, non-custodial, and does not directly hold or control user funds, CDD obligations may arise when AFI interfaces with users through regulated third-party platforms or fiat on/off ramp providers.

KYC Obligations

Where AFI or affiliated third-party frontends enable user interactions that involve regulated financial activities, such as fiat conversion, account-linked services, or interaction with regulated entities, Know Your Customer (KYC) procedures must be implemented. These are carried out via compliant third-party KYC vendors, such as Sumsub, Veriff, or equivalent, who adhere to GDPR and AMLD5 standards.

KYC verification is mandatory under the following conditions:

  • Use of fiat deposit or withdrawal rails

  • Redemption of afiusd vault tokens to off-chain assets

  • Onboarding from jurisdictions with AML enforcement mandates

  • Any legal requirement under the jurisdiction of the frontend operator

Minimum Information Required

To comply with AMLD5 and ensure identity verification, the following minimum user data points are collected during KYC:

  • Full legal name

  • Date of birth

  • Nationality

  • Residential address

  • Government-issued photo identification (e.g., passport, national ID, driver’s license)

In some cases, additional supporting documents (such as proof of address or source of funds) may be required for verification or audit purposes.

Enhanced Due Diligence (EDD) Triggers

AFI or its frontend partners will apply Enhanced Due Diligence (EDD) when certain higher-risk scenarios are detected. These include, but are not limited to:

  • Users from high-risk jurisdictions, as identified by the EU or FATF (e.g., countries on the grey or blacklist)

  • Large-volume redemptions of afiusd tokens that may indicate abnormal behavior or require deeper scrutiny of fund origin

  • Identified Politically Exposed Persons (PEPs) or their associates, who may pose elevated corruption or reputational risks

EDD measures may include additional document verification, ongoing monitoring, approval escalations, or outright service restrictions.

Protocol Nature and Limitations

It is important to note that AFI’s core smart contract protocol operates in a non-custodial and permissionless manner, meaning:

  • It does not collect or store personal data

  • It does not hold user funds or custody assets

  • It does not exercise control over third-party frontend decisions

Where user access is facilitated via interfaces that operate under regulatory oversight, those service providers are responsible for implementing and enforcing appropriate CDD/EDD mechanisms. AFI supports the development of privacy-preserving KYC solutions that allow compliant access without undermining decentralization principles.


6. Transaction Monitoring

As part of its commitment to mitigating financial crime risks in accordance with AMLD5, AFI implements robust on-chain transaction monitoring protocols, in collaboration with industry-leading blockchain analytics providers. While the AFI protocol is non-custodial and decentralized, transaction monitoring is performed at the interface level (e.g., via frontends or partners) to ensure regulatory alignment where applicable.

Use of Analytics Tools

AFI and/or its third-party interface operators will leverage specialized blockchain intelligence tools to monitor user behavior across the ecosystem. These tools include, but are not limited to:

  • Chainalysis

  • TRM Labs

  • Elliptic (where applicable)

These systems provide real-time insights into wallet activity, historical behavior, and risk categorization of on-chain addresses.

Real-Time Risk Alerts

The monitoring tools are configured to trigger alerts for transactions or behaviors that exhibit red flags commonly associated with money laundering, terrorist financing, or illicit activity. Key alert categories include:

  • Interactions with sanctioned addresses as identified by international sanction lists (e.g., OFAC, EU, UN)

  • Patterns of layering or structuring, such as rapid movement of funds across multiple wallets to obscure origin

  • Frequent interaction with privacy-enhancing tools (e.g., Tornado Cash, mixers) or darknet-related addresses

  • Sudden large-value transactions inconsistent with historical usage patterns

Alerts may be escalated for human review or automatically logged for further investigation, depending on the severity of the risk.

Response to Suspicious Activity

If suspicious activity is detected through monitoring systems, the following actions may be taken:

  • Flagging of the user’s wallet address in internal risk databases

  • Temporary or permanent frontend access restrictions, especially where the frontend operates under a regulatory license or has KYC/AML obligations

  • Generation of a Suspicious Activity Report (SAR) by the frontend operator or responsible party, in accordance with local Financial Intelligence Unit (FIU) obligations

AFI does not have access to user identities on the protocol level, but it supports responsible frontend partners in meeting their legal duties by ensuring compatibility with industry-standard monitoring solutions.

Privacy and Transparency

AFI is committed to upholding user privacy while ensuring regulatory alignment. Monitoring tools are used solely for compliance and risk management purposes and do not extend to unauthorized surveillance or data misuse.

Where applicable, users will be informed of the data processing involved in frontend interaction through transparent privacy notices.


7. Recordkeeping

In accordance with the Fifth Anti-Money Laundering Directive (AMLD5) and applicable global best practices, AFI, through its affiliated frontend operators or third-party compliance partners, ensures that all relevant records are maintained securely and systematically for regulatory, audit, and investigative purposes.

While the core AFI protocol is decentralized and does not hold user data, recordkeeping obligations apply at the interface level, where user interactions with regulated components such as fiat on/off ramps, smart wallet generation, and afiusd redemptions occur.

Records to Be Maintained

The following categories of information are retained where applicable:

  • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) Records, including:

    • Identity documents and verification data

    • Risk assessments and EDD rationale for flagged users

    • Source of funds declarations (where required)

  • Transaction Logs and Audit Trails, including:

    • On-chain transaction hashes and timestamps

    • Smart wallet deployment and afiusd vault interactions

    • Wallet risk classification history (e.g., analytics scores)

  • Suspicious Activity Reports (SARs) and related internal investigation files, such as:

    • Reason for suspicion

    • Communications with FIUs or legal authorities

    • Actions taken (e.g., frontend restrictions)

Retention Period

  • All AML-relevant records will be retained for a minimum period of five (5) years, starting from the date the relationship with the user ends or the transaction is executed.

  • In cases of ongoing investigations or requests from competent authorities, records may be retained for longer as legally required.

Data Security and Protection

  • All personal and transactional data is stored in secure, access-controlled systems by the relevant frontend or compliance entity.

  • AFI and its partners commit to full compliance with the General Data Protection Regulation (GDPR) and any other applicable data protection laws.

  • Records will be:

    • Encrypted at rest and in transit

    • Accessible only to authorized personnel

    • Regularly reviewed for accuracy and relevance

    • Deleted or anonymized after the retention period expires, unless otherwise required by law

Transparency

Users interacting with any regulated frontend of AFI will be notified of the data collection and retention policies through privacy notices and terms of use. Consent, where required, will be explicitly obtained and recorded.


8. Sanctions and Prohibited Jurisdictions

AFI is committed to upholding international sanctions laws and preventing the misuse of its protocol by individuals or entities in restricted or high-risk regions. Although the AFI protocol operates in a decentralized and permissionless manner, front-end interfaces, integrations, and associated service providers are subject to legal obligations and will enforce restrictions accordingly.

Prohibited Jurisdictions

AFI and its affiliated interfaces will not knowingly offer services to users located in, or associated with, the following:

  • Jurisdictions designated as “High-Risk” or “Non-Cooperative” by the Financial Action Task Force (FATF)

  • Countries or territories subject to sanctions imposed by the European Union (EU), the United Nations (UN), or the United States Office of Foreign Assets Control (OFAC)

  • Any other jurisdiction where the offering of decentralized financial services may contravene local laws or expose AFI to undue legal or regulatory risk

Enforcement Mechanisms

To enforce these restrictions, AFI frontends and integration partners will implement:

  • Geo-blocking and IP-based restrictions to prevent access from sanctioned or prohibited jurisdictions

  • Compliance screening and sanctions list checks using reputable tools (e.g., Dow Jones Risk & Compliance, World-Check)

  • Blockchain analytics to detect indirect exposure to sanctioned wallets or high-risk sources

  • Service refusals or limitations for users attempting to interact from prohibited regions, including:

    • Disabling onboarding

    • Rejecting afiusd vault minting or redemption

    • Blocking smart wallet initialization

Disclaimer on Protocol Accessibility

While AFI’s smart contracts are deployed on public blockchains and may be technically accessible worldwide, AFI does not authorize or condone use of its platform in contravention of applicable sanctions laws. Any such unauthorized use shall be considered a breach of this AML Policy and the AFI Terms of Use.

Ongoing Updates

Sanctions lists are subject to continuous updates. AFI and its compliance partners will monitor changes in real time and adjust access controls accordingly to remain compliant with evolving international regulatory obligations.


9. Training and Awareness

AFI recognizes that a strong culture of compliance is essential to maintaining the integrity of its decentralized financial ecosystem. To that end, all contributors, developers, and teams involved in user-facing, compliance-relevant, or ecosystem-integrated activities are required to undergo periodic Anti-Money Laundering (AML) training and awareness programs.

Mandatory Training Areas

The training curriculum shall include, but not be limited to:

  • Understanding AMLD5 obligations, including:

    • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

    • Suspicious activity monitoring and reporting

    • Recordkeeping and data retention requirements

  • Recognizing and responding to AML risk indicators, such as:

    • Red flags involving anonymizing technologies or high-risk transaction patterns

    • Use of mixers, privacy coins, or cross-chain obfuscation techniques

    • Attempts to circumvent frontend geoblocking or sanctions enforcement

  • Proper escalation and reporting channels for suspected financial crime, including:

    • How to document and submit Suspicious Activity Reports (SARs)

    • When and how to engage with compliance leads or legal counsel

Delivery and Frequency

  • Training will be delivered through:

    • Online modules

    • Internal workshops

    • Third-party compliance partners, where applicable

  • New team members must complete AML training prior to onboarding.

  • Annual refresher training is mandatory for all relevant stakeholders.

  • Targeted, ad hoc training may also be conducted in response to regulatory changes or newly identified risks.

Documentation and Audit

  • Completion of training shall be documented and logged as part of AFI's internal compliance records.

  • Audit trails will be maintained to demonstrate adherence to AMLD5 training obligations and to support reviews by regulatory or governance bodies, if required.


10. Reporting Obligations

AFI is committed to full compliance with applicable anti-money laundering and counter-terrorism financing (AML/CTF) reporting duties under AMLD5. While the AFI core protocol remains non-custodial and decentralized, regulated front-end interfaces or affiliated entities facilitating user access may fall within the scope of AML regulatory oversight. In such cases, these entities assume responsibility for fulfilling all mandatory reporting obligations.

10.1 Filing of Suspicious Activity Reports (SARs)

  • Where suspicious behavior is detected, whether through automated monitoring systems or manual escalation, Suspicious Activity Reports (SARs) will be prepared and submitted to the competent Financial Intelligence Unit (FIU) in the relevant jurisdiction.

  • SARs will be filed in accordance with:

    • Applicable thresholds and submission timelines

    • Formatting and confidentiality standards set by the FIU

    • Requirements to avoid tipping-off affected users

10.2 Cooperation with Law Enforcement

  • AFI or its associated regulated gateways will fully cooperate with authorized requests from law enforcement and regulatory authorities.

  • Cooperation may include, but is not limited to:

    • Providing CDD/EDD documentation

    • Supplying transaction records and analytics

    • Freezing or suspending access through regulated frontends (where legally empowered)

10.3 Escalation Protocols

  • All red flags identified by transaction monitoring systems, KYC/KYB checks, or third-party alerts will be escalated in a timely manner to designated compliance officers or legal counsel.

  • A standardized escalation process shall be maintained, detailing:

    • Initial identification and classification of risk

    • Timeframes for escalation

    • Responsibilities for SAR decision-making and final review

  • All reporting activity will be handled confidentially to preserve the integrity of investigations.

  • Personnel involved in filing or supporting SARs will be protected from legal liability, provided actions are taken in good faith and in compliance with applicable laws.


11. Governance

AFI maintains a clear governance structure to ensure effective implementation, oversight, and continuous improvement of its Anti-Money Laundering (AML) Policy.

11.1 Compliance Officer

The appointed Compliance Officer holds overall responsibility for:

  • Oversight of AML/CTF measures and compliance frameworks

  • Ensuring adherence to AMLD5 obligations across relevant interfaces

  • Managing audits, internal reviews, and reporting processes

  • Acting as the primary point of contact for regulators and Financial Intelligence Units (FIUs)

  • Overseeing the effectiveness of third-party KYC/AML service providers

11.2 Policy Review and Maintenance

  • This AML Policy will be reviewed:

    • At least annually, to ensure continued relevance and effectiveness

    • Immediately following any:

      • Major regulatory developments

      • Structural changes in AFI’s architecture or product suite

      • Material changes in AML/CTF risk exposure

  • Reviews shall be documented and approved by the Compliance Officer or equivalent governance body.


12. Disclaimer

AFI is a decentralized and autonomous financial protocol, operating without custodianship or centralized control. As such, this AML Policy primarily governs:

  • Front-end interfaces and platform integrations provided by third-party entities operating in regulated jurisdictions, and

  • Affiliate partners who facilitate fiat on/off ramps or user onboarding services in compliance with AMLD5 and local laws.

Users who choose to interact directly with AFI’s smart contracts (i.e., without going through a regulated interface or integration) do so entirely at their own discretion and are solely responsible for:

  • Assessing and complying with the laws and regulations applicable in their jurisdiction

  • Ensuring their actions do not violate national or international sanctions or anti-money laundering provisions

AFI makes no representations or warranties regarding the legality of access or use in any specific territory.

Contact

To report suspicious activity or obtain further clarification regarding this AML Policy, please contact: 📧 [[email protected]] 🌐 [afiprotocol.ai]
