# COOWN KYC/KYB & AML Framework

- Version: 2.0
- Last Updated: 2026-02-09
- For: PolyReg Membership Application & Regulatory Documentation
## Overview

COOWN operates a hybrid compliance framework that balances user experience, security, and regulatory requirements. This document outlines our approach to Know Your Customer (KYC), Know Your Business (KYB), Anti-Money Laundering (AML), and transaction monitoring.

**Regulatory Foundation:**

- Swiss Anti-Money Laundering Act (AMLA)
- FINMA Circulars and Guidance
- PolyReg Self-Regulatory Organization (SRO) Rules
- Monerium E-Money Institution (EMI) License
## Hybrid KYC/KYB Model

### Tier 1: Crypto-Only Users (<€1,000/day)

**Risk Assessment:** Low Risk

**KYC Requirements:**

- Basic Information: Name, email, date of birth, country of residence
- Verification: Email verification + SMS/2FA
- Document Upload: None required
- Processing: Automated (instant)

**Transaction Limits:**

- Daily: <€1,000 equivalent in crypto
- No fiat services (IBAN, VISA, SEPA)
- Crypto-to-crypto only (BTC, stablecoins)

**Rationale:**

- Low-value crypto-only transactions present minimal AML risk
- Aligns with the risk-based approach per FINMA guidance
- Enables frictionless onboarding for individuals/testers
### Tier 2: Fiat-Enabled Users (>€1,000/day)

**Risk Assessment:** Medium Risk (adjusts to High based on factors)

**KYC Requirements:**

- Delegated to Monerium: COOWN relies on Monerium's licensed KYC process
- Identity Verification: Government-issued ID (passport, national ID, driver's license)
- Proof of Address: Utility bill, bank statement, government document
- Liveness Check: Selfie + liveness detection (anti-spoofing)
- Processing: 1-3 business days (Monerium review)

**Transaction Limits:**

- Daily: Up to €50,000 (adjustable based on risk assessment)
- Monthly: Up to €250,000 (business accounts)
- Fiat services: IBAN, SEPA Instant, VISA card
- Crypto services: Unlimited

**Monerium Integration:**

- COOWN embeds Monerium's KYC flow in user onboarding
- Monerium (licensed EMI) performs identity verification
- COOWN receives: Verification status, KYC completion date, risk score
- COOWN stores: Only verification status + hash (not documents)

**Rationale:**

- Monerium is a licensed e-money institution with robust KYC
- Leverages Monerium's regulatory coverage for fiat services
- COOWN focuses on crypto-specific compliance (VASP)
### Tier 3: Business Customers (KYB)

**Risk Assessment:** Medium to High Risk (varies by factors)

**KYB Requirements:**

- Delegated to Monerium for Fiat Services
- Company Information:
    - Legal name, registration number, incorporation date
    - Business address, country of incorporation
    - Industry/sector, business model description
- Ownership Structure:
    - Ultimate Beneficial Owners (UBOs) >25% ownership
    - Shareholders list (for risk assessment)
    - Organizational chart
- Authorized Signatories:
    - Directors, executives with signing authority
    - Individual KYC for each signatory (ID, proof of address)
- Corporate Documents:
    - Certificate of incorporation
    - Memorandum & Articles of Association
    - Board resolution authorizing COOWN account
    - Latest financial statements (if high-risk)
- PEP Screening:
    - Politically Exposed Persons (PEPs) flagged
    - Enhanced due diligence for PEP-related entities
- Sanctions Screening:
    - Check against EU, UN, OFAC, Swiss sanctions lists
    - Ongoing monitoring

**Transaction Limits:**

- Negotiated based on business size and risk profile
- Typical: €100,000/day, €1M/month
- Higher limits available with enhanced due diligence

**Rationale:**

- B2B customers present higher AML risk (larger volumes, complex structures)
- Requires understanding of business model and source of funds
- Shareholder identification is critical for multi-sig wallet controls
## Customer Risk Categorization

### Risk Factors

COOWN assesses customer risk based on multiple factors:

#### 1. Geographic Risk

| Risk Level | Countries/Regions |
|---|---|
| Low | EEA, Switzerland, UK, Australia, Canada, Japan |
| Medium | Most other countries (case-by-case) |
| High | FATF-blacklisted countries, US (regulatory complexity), sanctioned countries (Russia, North Korea, Iran, etc.) |
#### 2. Industry Risk

| Risk Level | Industries |
|---|---|
| Low | Tech/SaaS, professional services, e-commerce (non-cash) |
| Medium | Retail, hospitality, real estate, general trading |
| High | Crypto exchanges/VASPs, gambling/gaming, cash-intensive businesses, money service businesses |
#### 3. Transaction Volume

| Risk Level | Daily Volume |
|---|---|
| Low | <€1,000 |
| Medium | €1,000 - €50,000 |
| High | >€50,000 |
#### 4. Ownership/Control

| Risk Level | Factors |
|---|---|
| Low | Transparent ownership, no PEPs, public company |
| Medium | Private company, clear UBOs, no red flags |
| High | Complex ownership structure, PEPs as shareholders/directors, offshore entities, bearer shares |
#### 5. Regulatory Status

| Risk Level | Status |
|---|---|
| Low | Fully regulated in home jurisdiction |
| Medium | No license required for business type |
| High | Operating without required license, regulatory sanctions history |
### Risk-Based Measures

| Risk Level | Due Diligence | Monitoring | Review Frequency |
|---|---|---|---|
| Low | Simplified (email + basic info) | Standard (automated) | Annual |
| Medium | Standard (Monerium KYC/KYB) | Enhanced (>€10k flagged) | Quarterly |
| High | Enhanced (additional docs, source of funds, ongoing monitoring) | Intensive (>€5k flagged, manual review) | Monthly |
## AML & Transaction Monitoring

### Current State (COOWN 2.0)

**Transaction Logging:**

- All transactions logged on-chain (ICP)
- Immutable audit trail (cannot be altered)
- Includes: sender, recipient, amount, currency, timestamp, transaction ID

**Automated Alerts:**

- High-value transactions: >€10,000 flagged automatically
- Unusual patterns: Sudden large transaction after dormancy (heuristic-based)
- Velocity: Multiple large transactions in a short time window

**Manual Review Process:**

1. Alert generated → sent to Regional Operator's AML Officer
2. AML Officer reviews transaction details, customer profile, risk score
3. If suspicious: Conduct enhanced due diligence
    - Contact customer for explanation (source of funds, purpose)
    - Review supporting documents (invoices, contracts)
    - Check blockchain explorer for counterparty (if crypto)
4. If still suspicious: File SAR (Suspicious Activity Report) via PolyReg
5. If cleared: Mark transaction as reviewed, update customer risk score

**Case Management:**

- COOWN has an internal case management system (canister-based)
- Tracks: alert → review → decision → SAR filing (if applicable)
- Audit trail for regulators
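The three automated-alert rules above, with the high-value threshold taken per risk tier from the Risk-Based Measures table, as an added example run over a constructed transaction log. This is illustrative code written for this document, not COOWN's canister code; the dormancy period, the "large" amount for the dormancy rule and the velocity window/count are assumptions, since the page does not state them.

```python
"""Added example (not COOWN's canister code): the three automated-alert rules
from the 'Automated Alerts' section, with the high-value threshold taken from
the 'Risk-Based Measures' table, run over a constructed transaction log.
Dormancy and velocity parameters are assumptions; the page gives none."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# High-value flag threshold in EUR per customer risk level. Medium and High come
# from the Risk-Based Measures table (>€10k / >€5k); Low uses the general
# >€10,000 rule from Automated Alerts.
HIGH_VALUE_THRESHOLD = {"low": 10_000, "medium": 10_000, "high": 5_000}

# Assumed parameters for the dormancy and velocity heuristics (not on the page).
DORMANCY_DAYS = 90           # no activity for this long = dormant account
DORMANCY_LARGE_EUR = 5_000   # "large" transaction after dormancy
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MIN_EUR = 2_000     # transactions this size or larger count toward velocity
VELOCITY_COUNT = 3           # this many in the window raises the alert


@dataclass(frozen=True)
class Tx:
    tx_id: str
    customer: str
    counterparty: str
    amount_eur: float
    timestamp: datetime


@dataclass(frozen=True)
class Alert:
    rule: str       # "high_value", "dormancy" or "velocity"
    tx_id: str
    customer: str
    detail: str


def monitor(transactions: List[Tx], risk_level: Dict[str, str]) -> List[Alert]:
    """Replay the log in time order and return every alert the rules raise.

    A customer with no recorded risk level is treated as high risk (fail closed).
    Alerts are returned in the order an AML Officer would receive them."""
    alerts: List[Alert] = []
    last_seen: Dict[str, datetime] = {}
    large_recent: Dict[str, List[datetime]] = {}

    for tx in sorted(transactions, key=lambda t: t.timestamp):
        level = risk_level.get(tx.customer, "high")

        # Rule 1: high-value transaction relative to the customer's risk tier.
        if tx.amount_eur > HIGH_VALUE_THRESHOLD[level]:
            alerts.append(Alert("high_value", tx.tx_id, tx.customer,
                                f"EUR {tx.amount_eur:,.0f} exceeds {level}-risk threshold"))

        # Rule 2: sudden large transaction after a dormant period.
        previous = last_seen.get(tx.customer)
        if (previous is not None
                and tx.timestamp - previous >= timedelta(days=DORMANCY_DAYS)
                and tx.amount_eur >= DORMANCY_LARGE_EUR):
            alerts.append(Alert("dormancy", tx.tx_id, tx.customer,
                                f"first activity in {(tx.timestamp - previous).days} days"))
        last_seen[tx.customer] = tx.timestamp

        # Rule 3: several large transactions inside a short window.
        if tx.amount_eur >= VELOCITY_MIN_EUR:
            window = [t for t in large_recent.get(tx.customer, [])
                      if tx.timestamp - t <= VELOCITY_WINDOW]
            window.append(tx.timestamp)
            large_recent[tx.customer] = window
            if len(window) >= VELOCITY_COUNT:
                alerts.append(Alert("velocity", tx.tx_id, tx.customer,
                                    f"{len(window)} large transactions within {VELOCITY_WINDOW}"))
    return alerts


# Constructed sample data (not real customers, addresses or transactions).
SAMPLE_RISK = {"alice": "low", "bob": "high", "corp-x": "medium"}
SAMPLE_LOG = [
    Tx("t1", "alice", "0xabc", 12_000, datetime(2026, 1, 5, 10, 0)),   # > low threshold
    Tx("t2", "bob", "0xdef", 6_000, datetime(2026, 1, 5, 11, 0)),      # > high threshold
    Tx("t3", "bob", "0xdef", 5_500, datetime(2026, 4, 20, 9, 0)),      # 104 days later
    Tx("t4", "corp-x", "0x111", 3_000, datetime(2026, 2, 1, 9, 0)),
    Tx("t5", "corp-x", "0x222", 3_000, datetime(2026, 2, 1, 10, 0)),
    Tx("t6", "corp-x", "0x333", 3_000, datetime(2026, 2, 1, 11, 0)),   # third within 24h
    Tx("t7", "alice", "0xabc", 500, datetime(2026, 2, 1, 12, 0)),      # nothing to flag
]


def run_sample() -> List[Alert]:
    return monitor(SAMPLE_LOG, SAMPLE_RISK)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.rule}] {alert.tx_id} {alert.customer}: {alert.detail}")
```

On the sample log this raises five alerts: high-value on t1, t2 and t3, a dormancy alert on t3 (bob's first activity in over 90 days), and a velocity alert on t6 (corp-x's third €3,000 transfer within 24 hours). Each Alert carries the rule name and the transaction ID so it can be attached to a case in the case management system described above.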
### Planned Enhancements (2026-2027)

**Blockchain Analysis Tools:**

- Challenge: Commercial tools (Chainalysis, Elliptic) are expensive (~$50k+/year)
- Options Under Consideration:
    1. AMLBot: Cheaper alternative (~$10-15k/year)
    2. Open-source databases: Free blockchain intelligence (e.g., Chainabuse, Crypto Scam DB)
    3. Hybrid approach: Manual checks for high-risk txns, automated for low-risk

**Purpose:** Identify whether counterparties (senders/receivers outside COOWN) are:

- Sanctioned addresses (OFAC, EU lists)
- Mixer/tumbler addresses (Tornado Cash, etc.)
- Known scam/fraud addresses
- High-risk exchanges (unregulated, history of hacks)

**Machine Learning Risk Scoring:**

- Train ML model on historical transaction data
- Predict risk score for new transactions
- Reduce false positives (fewer manual reviews)
- Target: 2027 (requires sufficient data)
## Multi-Signature as AML Control

### How It Works

**Spending Limits & Approvals:**

- Single signature: Transactions <€1,000 (low risk)
- Dual signature: Transactions €1,000-€10,000 (medium risk)
- Triple signature: Transactions >€10,000 (high risk)
- Shareholder approval: Major expenditures (>€50k), dividends, policy changes

**AML Benefit:**

- Prevents unauthorized large transfers (internal fraud)
- Creates approval audit trail (who authorized what)
- Enables real-time review before funds leave the wallet

**Shareholder Identification:**

- All shareholders identified during KYB
- Shareholders assigned crypto wallet addresses
- Enables enforcement of shareholder mode (ultimate control)
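The spending-limit tiers and the approval audit trail described above, as an added example written for this document (not COOWN's canister code). It assumes that shareholder approval for amounts above €50k is required in addition to the triple signature, and that "shareholder approval" means yes-votes from holders of more than 50% of the shares; neither detail is stated on the page. Only distinct, KYB-identified signatories count toward the signature requirement, so a signer submitting twice or an unknown name does not satisfy a dual-signature tier.

```python
"""Added example (not COOWN's canister code): the spending-limit / approval
tiers from 'Multi-Signature as AML Control', with the approval audit trail
the section describes. Assumptions: shareholder approval means votes from
holders of more than 50% of shares, and it is required on top of the triple
signature."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

SINGLE_MAX_EUR = 1_000        # < €1,000: single signature (from the page)
DUAL_MAX_EUR = 10_000         # €1,000 to €10,000 inclusive: dual signature (page)
SHAREHOLDER_MIN_EUR = 50_000  # > €50k: shareholder approval (page)
SHAREHOLDER_QUORUM = 0.5      # assumption: more than half of the shares must vote yes


def required_signatures(amount_eur: float) -> int:
    """Signature count for the tier the amount falls in."""
    if amount_eur < SINGLE_MAX_EUR:
        return 1
    if amount_eur <= DUAL_MAX_EUR:
        return 2
    return 3


def needs_shareholder_approval(amount_eur: float) -> bool:
    return amount_eur > SHAREHOLDER_MIN_EUR


@dataclass
class Wallet:
    signatories: FrozenSet[str]       # authorized signatories identified during KYB
    shareholdings: Dict[str, float]   # shareholder -> fraction of shares, sums to 1.0
    audit_log: List[dict] = field(default_factory=list)


def authorize(wallet: Wallet, tx_id: str, amount_eur: float,
              signatures: List[str],
              shareholder_votes: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Check a proposed outgoing transfer against the tier rules and record the
    decision. Only distinct, authorized signers count; duplicates and unknown
    names are ignored for the count but kept in the audit entry."""
    valid = {s for s in signatures if s in wallet.signatories}
    ignored = [s for s in signatures if s not in wallet.signatories]
    need = required_signatures(amount_eur)
    reasons: List[str] = []
    if len(valid) < need:
        reasons.append(f"{len(valid)} of {need} required signatures")
    share = 0.0
    if needs_shareholder_approval(amount_eur):
        share = sum(wallet.shareholdings.get(h, 0.0) for h in shareholder_votes)
        if share <= SHAREHOLDER_QUORUM:
            reasons.append(f"shareholder approval {share:.0%} does not exceed "
                           f"{SHAREHOLDER_QUORUM:.0%}")
    approved = not reasons
    verdict = "; ".join(reasons) or "ok"
    # Audit trail: who authorized what, and why a request was refused.
    wallet.audit_log.append({
        "tx_id": tx_id, "amount_eur": amount_eur, "required": need,
        "signed_by": sorted(valid), "ignored": ignored,
        "shareholder_votes": sorted(shareholder_votes), "share": share,
        "approved": approved, "reason": verdict,
    })
    return approved, verdict


def sample_wallet() -> Wallet:
    """Constructed sample wallet; names and holdings are made up."""
    return Wallet(signatories=frozenset({"ann", "ben", "cara"}),
                  shareholdings={"ann": 0.40, "ben": 0.35, "dan": 0.25})


def run_sample() -> Tuple[List[bool], Wallet]:
    w = sample_wallet()
    cases = [
        ("p1", 500, ["ann"], frozenset()),                                  # single OK
        ("p2", 5_000, ["ann", "ann"], frozenset()),                         # duplicate: 1 of 2
        ("p3", 5_000, ["ann", "eve"], frozenset()),                         # eve not a signatory
        ("p4", 25_000, ["ann", "ben", "cara"], frozenset()),                # triple OK
        ("p5", 80_000, ["ann", "ben", "cara"], frozenset({"ann"})),         # 40% of shares
        ("p6", 80_000, ["ann", "ben", "cara"], frozenset({"ann", "dan"})),  # 65% of shares
    ]
    return [authorize(w, *c)[0] for c in cases], w


if __name__ == "__main__":
    decisions, wallet = run_sample()
    for entry in wallet.audit_log:
        print(entry["tx_id"], "approved" if entry["approved"] else "refused", entry["reason"])
```

Running the sample approves p1, p4 and p6 and refuses p2 (one distinct signer for a dual tier), p3 (unknown signer) and p5 (only 40% of shares voted). Every request, approved or not, leaves an entry in the audit log, which is the "who authorized what" record the section refers to.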
## Suspicious Activity Reporting (SAR)

### When to File SAR

**Mandatory Filing:**

- Transactions suspected to be related to money laundering or terrorist financing
- Cannot identify beneficial owner
- Doubts about truthfulness of customer information
- Unusual transaction with no apparent economic purpose

**COOWN's Process:**

1. AML Officer completes internal investigation
2. Documents findings in case management system
3. Drafts SAR with details: customer, transactions, suspicion rationale
4. Files SAR with PolyReg (SRO)
5. PolyReg forwards to Swiss Money Laundering Reporting Office (MROS)

**Confidentiality:**

- Customer NOT notified of SAR (tipping-off prohibited)
- Transaction may be temporarily frozen (if immediate risk)

**Status:** No SARs have been filed yet (COOWN is not yet a PolyReg member). The capability is ready for use once PolyReg membership is granted.
## Source of Funds & Wealth

### When Required

**Enhanced Due Diligence Triggers:**

- High-risk customer (per risk categorization)
- Unusually large transaction relative to customer profile
- Inconsistent with declared business model
- Request from AML Officer during investigation

**Documentation:**

- Individuals: Salary slips, tax returns, inheritance documents, sale of assets
- Businesses: Financial statements, invoices, contracts, business bank statements

**Verification:**

- Cross-check against declared income/revenue
- Verify authenticity of documents (call employer, accountant, etc.)
- Assess reasonableness (e.g., a €100k transaction from a student is a red flag)
## Politically Exposed Persons (PEPs)

### Definition

**Per FATF/FINMA:**

- Individuals holding prominent public functions (heads of state, senior politicians, judges, military officers, etc.)
- Immediate family members (spouse, children, parents)
- Close associates (business partners, joint beneficial owners)

### COOWN's Approach

**Screening:**

- All customers screened against PEP databases (via Monerium for KYC users)
- Ongoing monitoring (PEP status can change)

**Enhanced Due Diligence for PEPs:**

- Senior management approval required
- Source of wealth verification (mandatory, not optional)
- Ongoing monitoring (every 3 months, not annually)
- Higher scrutiny for large transactions

**Risk Mitigation:**

- PEPs from high-corruption countries: Generally declined
- PEPs from low-corruption countries (e.g., Swiss politicians): Case-by-case, with enhanced controls
## Sanctions Screening

### Lists Monitored

- EU Consolidated Sanctions List
- UN Security Council Sanctions
- OFAC (US Office of Foreign Assets Control) - even though COOWN doesn't serve US customers, many sanctions are global
- Swiss SECO Sanctions

**Screening Points:**

1. Onboarding: All new customers screened
2. Ongoing: Weekly batch screening of all customers (detect new sanctions)
3. Transaction-level: If counterparty address is known, check against sanctioned addresses

**Actions Upon Match:**

- Freeze account immediately
- Report to authorities (PolyReg → SECO)
- Do not notify customer (until instructed by authorities)
## Record Keeping

### Retention Periods

**Per Swiss AMLA:**

- Transaction records: 10 years
- KYC/KYB documents: 10 years after relationship ends
- SAR documentation: 10 years
- Internal investigations: 10 years

**COOWN's Approach:**

- All data stored on-chain (ICP) → immutable, permanent record
- KYC documents stored by Monerium (10-year retention guaranteed)
- Accounting records (double-entry ledger) on-chain → permanent
## Regional Operator Model & Compliance

### What is a Regional Operator?

A Regional Operator is a licensed entity (customer of COOWN) that:

- Operates the COOWN platform for their own customers
- Holds own VASP/crypto license in their jurisdiction
- Customizes risk categorization and limits for their market
- Employs own AML Officer

**Example:**

- COOWN Switzerland (Managed-Trust.com LTD): PolyReg member, serves Swiss/EU customers
- COOWN Germany (Hypothetical): BaFin-licensed, serves German customers with local AML officer

**Compliance Responsibility:**

- Each Regional Operator is responsible for their customers' compliance
- COOWN (platform provider) provides tools, but is not liable for an operator's AML failures
- Operators must meet minimum standards set by COOWN (e.g., KYC requirements)
## Continuous Improvement

### Annual Review Process

**What's Reviewed:**

- Risk categorization thresholds (are they still appropriate?)
- AML policy effectiveness (false positive rate, SAR outcomes)
- New regulatory guidance (FINMA, PolyReg updates)
- Emerging risks (new typologies, threat intelligence)

**Who Conducts:**

- AML Officer (lead)
- CEO approval
- External audit (once ISO 27001 certified)

**Output:**

- Updated risk matrix
- Revised transaction thresholds (if needed)
- Training materials for team
- Policy amendments

**Frequency:** Annually (minimum), or upon regulatory change
### Training & Awareness

**Who Gets Trained:**

- All COOWN team members (developers, support, management)
- Regional Operators' teams
- AML Officers (specialized training)

**Topics:**

- Red flags and typologies
- KYC/KYB procedures
- Transaction monitoring
- SAR filing process
- Sanctions compliance
- Data protection (GDPR)

**Frequency:**

- Onboarding (new hires)
- Annual refresher
- Ad-hoc (when regulations change)
## Audit & Oversight

### Internal Controls

**First Line of Defense:** Business operations (COOWN developers, support)

- Execute KYC/KYB procedures
- Monitor transactions
- Escalate suspicious activity

**Second Line of Defense:** AML Officer (Regional Operator)

- Review flagged transactions
- Conduct enhanced due diligence
- File SARs
- Ensure policy compliance

**Third Line of Defense:** External Audit (future)

- Independent review of AML program
- Test effectiveness of controls
- Recommend improvements
### External Oversight

**PolyReg (SRO):**

- Annual compliance questionnaire
- On-site audits (random or risk-based)
- Review SAR filings
- Sanctions for non-compliance

**FINMA:**

- Indirect supervision (via PolyReg)
- Direct intervention if systemic issues
- Can revoke PolyReg's authorization (affects all members)
## Future Enhancements Roadmap

**2026:**

- ✅ Monerium KYC integration (complete)
- 🎯 Blockchain analysis tool selection and integration
- 🎯 Automated sanctions screening (real-time API)
- 🎯 Enhanced transaction monitoring rules

**2027:**

- 🎯 Machine learning risk scoring
- 🎯 Integrated case management (workflow automation)
- 🎯 Customer self-service (view KYC status, upload docs)

**2028:**

- 🎯 AI-powered anomaly detection
- 🎯 Cross-border intelligence sharing (with other VASPs, if permitted)
- 🎯 ISO 27001 certification (includes AML controls audit)
**Document Control:**

- Version: 2.0
- Approved by: Simon (CEO), AML Officer (Regional Operator)
- Prepared by: Agent Maya-COOWN
- Date: 2026-02-09
- Next Review: 2027-02-09 (quality target) or upon regulatory change