Know Your Customer (KYC) Policy
Last Updated on 29th July 2025
1. Purpose
This Know Your Customer (KYC) Policy establishes AFI’s proactive, voluntary stance on identifying and verifying users to mitigate the risks of fraud, money laundering, terrorist financing, and violations of U.S. securities laws. The purpose of this policy is to ensure that AFI, through its associated front-end gateways, partners, or regulated integrations, complies with applicable legal and regulatory standards, particularly those enforced by the U.S. Securities and Exchange Commission (SEC) and the Financial Crimes Enforcement Network (FinCEN), in addition to typical St Kitts and Nevis-based AML and KYC compliance requirements.
While AFI is fundamentally a decentralized, non-custodial, and autonomous DeFi protocol that does not control user assets or operate as a financial intermediary, it voluntarily acknowledges that certain access points or affiliated services may fall under the regulatory purview of U.S. federal law. In such cases, those entities are responsible for enforcing KYC obligations in line with this policy to ensure lawful user onboarding, prevent the circumvention of securities registration requirements, and uphold the integrity of the AFI ecosystem.
2. Applicability
This Know Your Customer (KYC) Policy applies specifically to users, entities, and partners who engage with AFI through interfaces or components that may trigger U.S. regulatory obligations, particularly under the supervision of the Securities and Exchange Commission (SEC) or other federal agencies.
The policy is binding on the following categories:
Retail Users Utilizing Regulated Interfaces: Individuals who access AFI through front-end platforms that facilitate fiat on/off ramps, offer tokenized securities, or provide access to investment advisory tools are subject to identity verification and ongoing KYC requirements, as mandated under U.S. Anti-Money Laundering (AML) and securities laws.
Participants in Regulated Offerings: Any user participating in capital-raising mechanisms associated with AFI, such as Simple Agreements for Future Tokens (SAFTs), yield-bearing financial instruments, or other instruments that may be classified as investment contracts under the Howey Test, must undergo strict identity checks and suitability assessments to comply with SEC requirements.
Institutional Counterparties: All exchanges, liquidity providers, custodians, and third-party DeFi platforms interacting with AFI's infrastructure in a manner that involves asset custody, cross-border flows, or regulated financial services must implement robust KYC and Anti-Money Laundering controls, in line with this policy.
Compliant Integration Partners: Any third-party platform, dApp, or API integration that leverages AFI for regulated activities and is subject to federal or state-level securities compliance (such as broker-dealers, investment advisors, or ATS platforms) must enforce equivalent KYC standards aligned with U.S. regulatory expectations.
By clarifying these application zones, AFI ensures that regulatory accountability is maintained across the ecosystem, while respecting the protocol’s decentralized architecture.
3. Regulatory Basis
This Know Your Customer (KYC) Policy is anchored in the relevant legal and regulatory frameworks governing identity verification, anti-money laundering, and securities compliance within the United States. It reflects AFI’s commitment to upholding industry standards and legal obligations where applicable.
The following laws and regulatory instruments form the foundation of this Policy:
U.S. Securities Act of 1933 (as amended): Establishes the requirement for registration of securities offerings and mandates disclosure obligations. This Act serves as the primary legal basis for identifying and verifying participants in any token offerings or yield-bearing products that may be classified as securities by the U.S. Securities and Exchange Commission (SEC).
Bank Secrecy Act (BSA) and FinCEN Guidelines: Requires financial institutions and certain non-bank platforms to implement comprehensive anti-money laundering (AML) programs, including Customer Identification Programs (CIP), ongoing due diligence, and suspicious activity monitoring. AFI-aligned interfaces that touch fiat rails or investment flows are subject to these obligations where applicable.
SEC Guidance on Digital Assets: Incorporates the Howey Test to determine whether a digital asset qualifies as a security. This guidance informs AFI’s policy on when KYC procedures must be enforced to ensure that participants in potentially regulated instruments are properly identified and vetted.
Customer Identification Program (CIP): Mandated under the USA PATRIOT Act, CIP regulations require identification verification of all customers engaging with financial service providers. This includes collection of basic identity information, verification through reliable sources, and screening against relevant sanctions lists.
OFAC Sanctions Screening and AML Controls: AFI and its compliant interfaces will screen users against the Office of Foreign Assets Control (OFAC) lists and monitor for any involvement with high-risk jurisdictions or sanctioned entities, as part of broader AML controls aligned with U.S. law.
Through this regulatory alignment, AFI ensures that its ecosystem partners and users interacting through regulated channels meet all necessary compliance obligations while participating in a secure and transparent environment.
4. Identity Verification (KYC)
AFI is a decentralized, non-custodial protocol. However, certain services accessed through affiliated frontends, such as fiat on/off ramps, token sales, or jurisdiction-sensitive features, may require identity verification ("KYC") in compliance with applicable laws.
KYC, where applicable, will be conducted by third-party service providers (e.g., Sumsub, Veriff, or Jumio) integrated by the relevant frontend operator. Users may be asked to provide basic identification details such as:
Full name
Government-issued ID
Country of residence or tax domicile
Biometric verification (e.g., selfie)
The scope of information requested may vary depending on the user’s jurisdiction, risk profile, and applicable regulations. All data is handled securely by the KYC provider in accordance with relevant data protection laws.
AFI itself does not store or access your personal identification data.
5. Screening & Risk Assessment
To uphold the integrity of the AFI ecosystem and meet U.S. regulatory standards, including those established by the SEC, FinCEN, and the Office of Foreign Assets Control (OFAC), all users who are subject to Know Your Customer (KYC) procedures will undergo comprehensive screening and continuous risk assessment. This ensures early detection of illicit activity, sanctions evasion, and potential securities law violations.
A. Sanctions and Watchlist Screening
All verified users will be screened against a combination of international and U.S. government-issued lists, including but not limited to:
U.S. OFAC Sanctions Lists – Ensuring compliance with U.S. trade embargoes and financial restrictions.
Specially Designated Nationals (SDNs) – Individuals and entities subject to asset freezes or transaction bans under U.S. law.
PEP (Politically Exposed Persons) Databases – Screening for current or former government officials and their close associates who may pose a heightened corruption risk.
Adverse Media and Financial Crime Watchlists – Monitoring for involvement in fraud, money laundering, terrorism financing, cybercrime, or other financial misconduct as reported in credible media or regulatory filings.
These checks are conducted both at onboarding and on an ongoing basis to capture changes in risk profiles.
B. Risk Scoring Criteria
Each user will be assigned a risk score by the third-party KYC provider or AFI’s compliance framework based on a combination of behavioral, jurisdictional, and financial factors. Risk assessments may include:
Jurisdiction of Origin – Users from countries identified by FATF as high-risk or non-cooperative jurisdictions will receive elevated risk ratings.
Wallet Activity & On-Chain Behavior – Interaction with known mixers, darknet addresses, or anomalous DeFi patterns may increase a user's risk profile.
Transaction Volume and Patterns – Sudden spikes in activity, high-frequency trading, or transactions inconsistent with the user’s stated profile may trigger review.
Source of Funds – Users must demonstrate that their funds derive from legitimate, traceable sources. Where unclear, AFI may request documentation such as bank statements, payslips, or investment records.
C. Enhanced Due Diligence (EDD)
Users flagged as high-risk through the above screening mechanisms may be required to undergo Enhanced Due Diligence, which can include:
Additional identity verification steps
Interviews or declarations regarding source of wealth
Manual review of supporting documents
Continuous transaction monitoring
In some cases, access to specific AFI services, such as participation in yield-generating products or token offerings, may be restricted or denied if the risk is deemed unacceptable.
AFI retains the right to suspend or terminate access to its interfaces and partners for users who fail or refuse risk assessment procedures or whose activity raises legal or compliance concerns.
6. Data Retention & Security
AFI is committed to upholding the highest standards of data protection and privacy in line with U.S. regulatory requirements and international best practices. Although AFI operates as a decentralized, non-custodial protocol and does not directly collect or store user identity data, this section outlines the expectations and safeguards applicable to KYC-related information handled by third-party providers.
A. Retention Period
All Know Your Customer (KYC) records, including user-submitted identity documents, verification logs, screening results, and compliance notes, must be securely retained by the authorized KYC provider for a minimum of five (5) years from the date of the user’s last activity or transaction. This retention period aligns with:
U.S. Bank Secrecy Act (BSA) requirements
Customer Identification Program (CIP) rules enforced by FinCEN
SEC and state-level obligations for broker-dealers and investment platforms
Retention ensures that historical user data is available for regulatory inquiries, audits, or legal investigations when needed.
B. Data Storage & Protection
All KYC data must be stored in environments that are:
Encrypted both in transit and at rest using industry-standard cryptographic protocols (e.g., AES-256, TLS 1.2+)
Access-controlled, allowing only authorized compliance personnel or designated officers to view or modify data
Monitored for unauthorized access, anomalies, or breaches through continuous security auditing and intrusion detection systems
These security measures are critical in preventing data theft, identity misuse, or reputational harm to AFI and its ecosystem partners.
C. Compliance with Privacy Regulations
All data processing activities by KYC vendors must comply with:
The U.S. Privacy Act, GLBA (Gramm-Leach-Bliley Act), and relevant state-level privacy laws (e.g., California Consumer Privacy Act – CCPA)
The General Data Protection Regulation (GDPR) for users located in the European Union or other jurisdictions recognizing GDPR-equivalent protections
Any additional cross-border data transfer protocols, such as Standard Contractual Clauses (SCCs), if required
D. Role of Third-Party KYC Providers
AFI does not collect, store, or process any user identity data directly. Instead, AFI engages or integrates with independent, compliance-certified KYC providers (e.g., Sumsub, Veriff, Jumio) who are responsible for:
End-to-end user verification
Secure document handling and storage
Sanctions and PEP screening
Audit trail maintenance
All KYC providers working with AFI must meet and maintain SOC 2 Type II, ISO/IEC 27001, or equivalent information security certifications, ensuring robust internal controls and accountability.
7. KYC Triggers and Timing
AFI recognizes that not all interactions with a decentralized protocol require user identity verification. However, to align with U.S. SEC compliance requirements and applicable financial regulations, certain user actions and access points within the AFI ecosystem may necessitate the completion of a Know Your Customer (KYC) process. This section outlines the specific events ("triggers") and the timing for when KYC must be completed.
A. Trigger Events Requiring KYC
Users may be prompted to undergo KYC verification prior to performing any of the following actions:
Accessing Fiat On/Off-Ramps or Banking Integrations
Any attempt to convert fiat to digital assets (or vice versa) through integrated service providers will require KYC due to AML and anti-fraud obligations under the U.S. Bank Secrecy Act (BSA).
This includes wire transfers, ACH connections, card processing, or bank-linked services.
Participating in Token Offerings or Reward Distributions
Users engaging in regulated token offerings (such as via a SAFT or yield-bearing instruments) must complete KYC as a prerequisite.
This also applies to token distributions categorized as securities under the U.S. Securities Act of 1933 or SEC guidance.
Additionally, users receiving staking, governance, or liquidity rewards in excess of a defined threshold may be subject to KYC verification.
Withdrawing Large Volumes of afiUSD or Vault Tokens
To mitigate the risk of money laundering and ensure compliance with transaction monitoring obligations, users may be required to verify their identity before executing high-volume withdrawals from AFI Vaults or redeeming afiUSD.
Withdrawal limits triggering KYC may be adjusted based on jurisdiction, on-chain behavior, and user risk scores.
Engaging in Governance, Liquidity, or Node Operations
Any individual or entity acting in a governance capacity, such as node operator, vault manager, or protocol delegate, may be considered a key ecosystem actor and thus subject to KYC.
This includes participants who manage or influence treasury functions, validator operations, or cross-chain asset rebalancing.
Accessing AFI from High-Risk or Restricted Jurisdictions
Users attempting to interact with AFI from jurisdictions flagged as high-risk, OFAC-sanctioned, or under regulatory embargo may be blocked or required to pass identity verification before gaining access to any front-end platform or integration.
KYC is mandatory in such cases to ensure that AFI and its partners are not facilitating prohibited transactions or inadvertently violating international sanctions.
B. Timing of KYC Implementation
KYC must be completed before the user accesses a restricted service, submits a regulated investment, or exceeds pre-set transaction thresholds.
In some cases, KYC may be progressively enforced, for example, upon first interaction, upon reaching certain usage limits, or upon backend risk triggers (e.g., unusual transaction behavior).
If a user fails or refuses to complete KYC when required, their access to certain features may be restricted or suspended until verification is successfully completed.
8. Restricted Jurisdictions
To uphold AFI’s commitment to legal and regulatory compliance, especially with U.S. securities and financial crime laws, access to KYC-enabled features and services will be denied or restricted for users residing in or operating from jurisdictions flagged for legal, regulatory, or financial risks. This measure is essential to avoid violations of U.S. sanctions, prevent exposure to high-risk territories, and maintain lawful operations across the AFI ecosystem.
A. Denied or Restricted Access Applies to Users From:
U.S. Embargoed and Sanctioned Countries (as per OFAC)
Individuals or entities based in countries subject to comprehensive U.S. economic and trade sanctions enforced by the Office of Foreign Assets Control (OFAC) are strictly prohibited from accessing AFI’s front-end interfaces or affiliated services.
Examples of currently embargoed jurisdictions include North Korea, Iran, Cuba, Syria, and certain regions of Ukraine (Crimea, Donetsk, Luhansk).
IP address checks, geolocation filters, and OFAC list screenings will be employed to enforce this restriction.
Countries Identified by the Financial Action Task Force (FATF) as High-Risk or Non-Cooperative
Users located in jurisdictions appearing on the FATF "grey list" or "blacklist", which identifies countries with strategic AML/CFT deficiencies, may be denied access or subject to Enhanced Due Diligence (EDD).
AFI or its front-end partners reserve the right to suspend interactions from such jurisdictions until adequate risk controls are satisfied.
Jurisdictions Where Cryptocurrency or DeFi Activities Are Explicitly Illegal
Countries that have imposed blanket bans on the use, trading, or development of cryptocurrency or decentralized finance services will not be supported.
Examples may include countries like Algeria, Bangladesh, Nepal, or Bolivia, where DeFi participation could violate local laws and potentially expose AFI ecosystem partners to liability.
Users must comply with their local legal framework; AFI does not solicit or encourage use where prohibited.
U.S. States With Specific Crypto Regulatory Restrictions
In cases where individual U.S. states enforce stringent crypto regulations or licensing requirements (e.g., New York’s BitLicense regime), users from those states may face limitations or may be excluded from accessing investment-related or custodial features of the platform.
This is particularly relevant for front-ends or partners offering fiat conversions, token sales, or advisory tools targeting U.S. residents.
B. Ongoing Review and Dynamic Enforcement
The list of restricted jurisdictions will be continuously monitored and updated based on changes in OFAC, FATF, and national regulatory advisories.
AFI and its service partners may adopt a risk-based approach to jurisdictional access, dynamically adjusting KYC requirements, feature availability, or outright access denial in accordance with evolving geopolitical, legal, and financial crime trends.
9. Governance and Oversight
To ensure that Know Your Customer (KYC) procedures across the AFI ecosystem are effective, transparent, and aligned with applicable laws and regulatory guidance, a structured governance and oversight framework has been established. This framework ensures that KYC implementation is not only compliant but also adaptive to evolving legal requirements and operational realities.
A. KYC Compliance Lead
A KYC Compliance Lead shall be formally appointed by the AFI-affiliated front-end entity, partner organization, or operator responsible for user-facing services. This individual or team will be charged with the strategic and operational management of the KYC program.
Key responsibilities of the KYC Compliance Lead include:
Oversight of KYC Processes: Monitoring the execution of identity verification workflows by third-party providers to ensure consistency, accuracy, and adherence to applicable laws and internal standards.
Regulatory Coordination: Liaising with legal counsel, compliance consultants, and (as necessary) government agencies, including the U.S. Securities and Exchange Commission (SEC), to maintain up-to-date compliance in light of new interpretations, enforcement actions, or advisory opinions.
Internal Controls and Incident Management: Ensuring the availability of escalation protocols in the event of suspicious activity, fraud alerts, sanctions matches, or KYC data breaches. The Compliance Lead will also supervise remediation efforts and implement corrective action plans where needed.
Training and Guidance: Providing onboarding, updates, and operational support to relevant team members, ensuring that staff interacting with KYC systems understand their legal and procedural obligations.
B. Audit and Review Procedures
To maintain the integrity and legal defensibility of AFI’s KYC framework, formal audits and reviews shall be conducted on a regular basis. These assessments may be internal or conducted by external auditors, depending on partner requirements and jurisdictional needs.
Audit Triggers and Frequency:
Annual Review Cycle: A comprehensive annual review shall be undertaken to evaluate the effectiveness of KYC systems, vendor performance, record retention practices, and regulatory alignment.
Regulatory Updates: KYC policies and procedures shall be reassessed immediately upon changes to key legal frameworks (e.g., amendments to the U.S. Securities Act, BSA/AML guidelines, or FATF advisories) or publication of new regulatory guidance affecting digital asset compliance.
Protocol or Product Changes: If AFI introduces new features (e.g., tokenized securities, fiat ramps, or investment tools), expands to new jurisdictions, or modifies user interaction pathways in a way that implicates compliance obligations, a targeted policy review shall be conducted prior to rollout.
10. User Rights and Appeals
AFI is committed to upholding the fundamental rights of its users in connection with the processing of personal and identity-related data. While AFI itself does not collect or directly store KYC data, it ensures that third-party verification providers and affiliated frontend platforms maintain user rights in accordance with applicable data protection regulations.
A. Access to KYC Records
Users have the right to request access to their own KYC data that has been collected and stored by AFI’s designated third-party identity verification providers. This includes:
The full set of submitted documents and personal information
Screening results (e.g., sanctions or PEP flags)
Risk classification or EDD (Enhanced Due Diligence) status, if applicable
Requests for access must be submitted through the appropriate support channels of the frontend platform or the designated KYC provider. Users may be required to verify their identity again to process such requests.
B. Correction of Inaccurate Information
If a user believes that any KYC information associated with their account is incorrect, outdated, or incomplete, they may submit a formal request for correction or update. The process generally involves:
Providing evidence to support the correction (e.g., a new address proof or updated passport)
Undergoing re-verification through the third-party provider
Corrections will only be accepted if they comply with the applicable jurisdiction’s laws and the provider’s internal verification standards.
C. Appeals and Dispute Resolution
Users who are denied access to AFI features due to a failed or incomplete KYC process may appeal the decision through a structured ticketing or dispute resolution mechanism provided by the frontend interface or its KYC partner.
The appeals process typically includes:
Submission of a dispute ticket or email explaining the issue
A review by compliance personnel within a fixed response window (e.g., 10 business days)
A final determination based on submitted evidence and verification criteria
All appeal decisions are subject to audit and documentation requirements to ensure fairness and transparency.
D. Legal Compliance
All user rights related to KYC data access, correction, and appeal shall be exercised in accordance with:
Applicable data protection laws, such as the U.S. Privacy Act, California Consumer Privacy Act (CCPA), or the European Union’s General Data Protection Regulation (GDPR)
AFI’s Privacy Policy, which outlines data processing roles, third-party access, and user consent mechanisms
Users should be aware that in certain cases (e.g., investigations, law enforcement requests, or sanctions compliance), their rights may be limited or deferred as permitted under the law.
11. Contact
For KYC inquiries or support, contact: