Anti-Money Laundering and Sanctions Policy

Effective: April 10, 2018

Prepared for Turing Technologies, Inc., by Wilmer, Cutler, Pickering, Hale & Dorr


CredoEx is a cryptocurrency exchange that provides a platform for users to transact in cryptocurrencies such as Credo. CredoEx’s platform allows users to buy, sell, or exchange cryptocurrencies, exchange cryptocurrencies for fiat money, or exchange fiat money for cryptocurrencies.

CredoEx provides a convenient way to purchase the cryptocurrency Credo for use in the BitBounce Spam Solution product, BitBounce Incentivized Marketing product, BitBounce Lead Generation product, and BitBounce Incentivized Response solution. CredoEx will also enable BitBounce users who receive Credo to quickly trade it for another currency of their choice.

CredoEx is a virtual currency exchanger, which is “a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency.” Virtual currency exchangers are considered money transmitters, a type of money services business (“MSB”), under regulations promulgated by the Financial Crimes Enforcement Network (“FinCEN”). A “money transmitter” is a person that provides “money transmission services,” which are “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.” 31 C.F.R. § 1010.100(ff)(5)(i)(A). The definition of money transmitter does not differentiate between fiat currency and virtual currency, and therefore virtual currencies are covered by FinCEN’s regulations.

Under the Bank Secrecy Act (“BSA”), MSBs such as CredoEx are required to establish and implement an effective anti-money laundering (“AML”) program, which is described herein. 31 C.F.R. § 1022.210.

All U.S. persons must adhere to sanctions regulations promulgated by the U.S. Department of the Treasury that restrict dealings with certain individuals, entities, and jurisdictions. This policy also sets out the mechanisms by which CredoEx will meet its obligations under sanctions laws.


CredoEx has adopted this Anti-Money Laundering and Sanctions Compliance Policy (the “Policy”) to combat financial crimes, ensure the integrity of its platform, and comply with applicable laws and regulations. Those AML obligations are principally set forth in the Bank Secrecy Act (“BSA”), as amended by the USA PATRIOT Act of 2001 (“the PATRIOT Act”), and the Financial Crimes Enforcement Network’s (“FinCEN”) implementing regulations, among other relevant AML laws and regulations. The applicable sanctions obligations are principally set out in the International Emergency Economic Powers Act (“IEEPA”) and regulations promulgated by the Office of Foreign Assets Control (“OFAC”), as well as relevant United Nations Security Council Resolutions and EU regulations [discuss with client re: applicability of EU regulations].

This CredoEx Policy, along with its accompanying procedures and internal controls, is designed to ensure compliance with these regulations, and will be reviewed and updated on a regular basis to account for changes in law, regulatory guidance, and CredoEx’s business.

A. Anti-Money Laundering
1. Background

Money laundering is the movement of criminally derived funds to conceal their true source, ownership, or use. The funds are often filtered through a maze or series of transactions, so the funds are “cleaned” to look like proceeds from legal activities.

In general, money laundering occurs in three stages: (1) placement, (2) layering, and (3) integration. At the placement stage, cash profits from criminal activity enter the financial system and are converted into monetary instruments, such as money orders, traveler’s checks, or deposits into accounts at a financial institution. At the layering stage, the funds are transferred or moved into other accounts or financial institutions to separate the proceeds from their criminal origin. At the integration stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund further activities, both criminal and legitimate.

Money laundering also generally includes actual or attempted transactions involving the proceeds of unlawful activity when there is requisite intent. See 18 U.S.C. §§ 1956–1957. The required intent is to promote the unlawful activity or knowledge that the financial transaction is designed at least in part to conceal or disguise the nature, source, or ownership of those proceeds. Such unlawful activities include, but are not limited to, criminal fraud.

Appropriate CredoEx personnel are responsible for having a general understanding of the techniques and typologies involved in money laundering and for immediately reporting suspected money-laundering activities to the AML and Sanctions Compliance Officer (“the Compliance Officer”). The Compliance Officer is responsible for overseeing the ongoing operation of the AML and Sanctions Program, for supervising the filing of Suspicious Activity Reports (“SARs”), and for providing ongoing training to appropriate personnel to ensure they have the requisite understanding of AML and sanctions obligations to which the Company is subject.

2. Penalties

Participation in a money laundering scheme or the knowing receipt of proceeds from criminal activities is a crime. See 18 U.S.C. §§ 1956–1957. CredoEx and its personnel may be subject to severe criminal, civil, and regulatory penalties if they do not comply with applicable laws or they facilitate or participate in money laundering activities. Personnel who violate this Policy or applicable laws may also be subject to internal disciplinary action, including termination.

Personnel may be deemed to be facilitating or participating in money laundering if the employee is aware of, or willfully ignores, the fact that customers or others making use of CredoEx’s services are engaged in illegal activities.

Crimes or suspected crimes by individuals (whether or not associated with CredoEx) must be reported to the AML and Sanctions Compliance Officer, designated below, unless the violations implicate the AML and Sanctions Compliance Officer, in which case the employee shall report to [Client to designate here]. Such reports will be confidential, and personnel will suffer no retaliation for making such reports.

3. FinCEN Registration Requirements

CredoEx is required to register as a MSB with FinCEN. Within 180 days after commencing its MSB activities, CredoEx will have registered with FinCEN and, every two calendar years thereafter by December 31, CredoEx will renew its registration as a MSB with FinCEN.

The AML Compliance Officer will keep in his or her files for 5 years a copy of the registration form and CredoEx’s registration number.

B. Sanctions
1. Background

The United States and its allies in the international community deploy financial sanctions to shape the behavior of adversaries and safeguard the integrity of the international financial system. In the U.S., sanctions policy and regulations are administered and enforced by OFAC, within the Treasury Department. Depending on the situation, sanctions can be deployed against individuals, entities, or jurisdictions. They can also take a variety of different forms. The broad trade embargoes that predominated before the 1990s have given way to targeted “smart” sanctions that focus on specific persons and specified illicit conduct. Generally, those targeted sanctions result in the blocking of property or interests in property of the designated person, and a prohibition on U.S. Persons conducting transactions with the designated person. But entities that designated persons own or control are also subject to sanctions even if they may not themselves be on a list. And while blocking property and prohibiting transactions are the most common forms of sanctions, others are available too, like restrictions on dealing in certain categories of debt or equity, investment prohibitions, and limitations on correspondent banking relationships.

All U.S. persons, including CredoEx, must comply with OFAC’s regulations and the regulation of others like the Department of Justice that often have a role in the detection and punishment of sanctions violations. Appropriate CredoEx personnel are responsible for having an understanding of the company’s obligations under applicable sanctions laws and regulations and reporting violations to the Compliance Officer so that CredoEx can meet its own reporting obligations.

2. Penalties

Civil violations of sanctions regulations are “strict liability” offenses, meaning penalties can be imposed even if an individual or entity did not mean to violate the law. Willful violations of sanctions laws, the provision of material support to terrorism, and certain activities related to sanctions evasion can all be prosecuted criminally. Sanctions evasion is a particular focus of regulators in the U.S. and Europe, and may be a particular concern with respect to cryptocurrencies, which have enhanced anonymity properties and can potentially be used to shield the true party in interest in a transaction. Personnel who violate this Policy or applicable laws may be subject to internal disciplinary action, including termination.

Suspected violation of OFAC regulations by individuals (whether or not associated with CredoEx) must be reported to the AML and Sanctions Compliance Officer, defined below, unless the violations implicate the AML and Sanctions Compliance Officer, in which case the employee shall report to [Client to designate here]. Such reports will be confidential, and personnel will suffer no retaliation for making such reports.


CredoEx has designated an Anti-Money Laundering and Sanctions Compliance Officer (the “Compliance Officer”), with full responsibility for CredoEx’s Compliance Program. The duties of the Compliance Officer will include monitoring CredoEx’s day-to-day compliance with applicable AML and sanctions laws, regulations, and obligations, overseeing communication and training for appropriate personnel, and updating this policy as necessary.

The Compliance Officer is identified in Appendix A.


CredoEx will train appropriate personnel with respect to its AML and OFAC compliance procedures and responsibilities under this Policy, including training in the detection of suspicious activity. Training will occur at least every 12 to 18 months. CredoEx will tailor its training program based on its activities, size, customer base, and resources, and the program will be updated as necessary to reflect changes to these characteristics and legal developments.

The Compliance Officer is responsible for developing training internally or through an external vendor. CredoEx will maintain records to show that the relevant persons required to attend training attended that training, the dates of training, and the subject matter of their training.


Testing of CredoEx’s Compliance Program will be performed at least annually by a qualified, independent internal or external function. Such review may be conducted by an officer or employee of CredoEx. The individual conducting the review, however, cannot be or report to the Compliance Officer, and cannot have other AML or sanctions compliance responsibilities. The individual’s qualifications must include a working knowledge of money laundering and sanctions principles, relevant portions of the BSA and implementing regulations, and OFAC regulations. Independent testing will be performed more frequently if circumstances warrant, such as if there is a material change in CredoEx’s business model that affects money laundering or sanctions risk.

After the designated person has completed the independent testing, he or she will report his or her findings to senior management. CredoEx will promptly address each of the resulting recommendations and keep appropriate records.

In accordance with NYDFS’s BitLicense regulations, the findings of the audit must be summarized in a written report and submitted to the New York Superintendent of Financial Services. See 23 NYCRR § 200.15(c)(2).


CredoEx shall complete appropriate procedures prior to entering into any agreement with a Customer that could bind CredoEx. CredoEx’s KYC Procedures include a number of steps that CredoEx may need to complete before the Company can engage in a transaction with a Customer.

The Company shall subject Customers deemed to be “high risk” to greater due diligence, including obtaining additional information as deemed appropriate under the circumstances.

A. Prohibited Customers

[Client to confirm prohibited customer / jurisdictions list] CredoEx’s policy is to take reasonable and practical steps to verify the identities of potential and existing Customers and Customer Employees and to prevent prohibited parties from doing business with CredoEx. Parties with which CredoEx will not do business include:

  • Customers or Customer-Employees whose names appear on the List of Specially Designated Nationals and Blocked Persons (the “SDN List”; and such persons “SDNs”) maintained by the U.S. Department of Treasury Office of Foreign Assets Control (“OFAC”) (or Customers owned 50 percent or more, directly or indirectly, by one or more SDNs) and such other lists of prohibited persons and entities as may be mandated by applicable law or regulation;
  • Customers or Customer-Employees that are from a country or territory prohibited by OFAC sanctions programs;
  • Foreign shell banks (or a bank that has no physical presence anywhere); and
  • Other Customers or Customer-Employees identified as prohibited by the Company, such as Customers or individuals whose identities cannot be verified using the procedures below.
B. KYC for Customers
1. Due Diligence

CredoEx has a tiered due diligence process tailored to the type of customer trading activity and its associated risk. Prior to allowing a customer to trade on its platform, CredoEx should take the following steps:

Basic Trading Account. To open a basic account and start trading, CredoEx requires the customer’s full name, date of birth, address, location, and phone number.

Advanced Trading Account. A more advanced account (for higher account funding limits and in some areas required for bank funding) requires the customer provide its full name, date of birth, identification number (SSN, TIN, or ID Confirmation) address, phone number, a government issued ID, and proof of residence. [Client to confirm and further develop this procedure as necessary].


1. For each account CredoEx will confirm that:

a. The Customer does not appear on the OFAC sanctions lists, and

b. The jurisdictions in which the Customer is located, organized, and/or operates are not among OFAC’s sanctioned or otherwise prohibited jurisdictions; and

2. CredoEx will take reasonable steps to verify the information obtained from the Customer, including searching publicly available databases to ensure that the information in such databases does not conflict with information about the Customer and does not otherwise raise a red flag.

Recordkeeping. CredoEx must maintain records of any documentation received for at least 5 years.


A. Response to Law Enforcement Requests

The USA Patriot Act seeks to promote cooperation between the U.S. government and the private financial sector to prevent money laundering and terrorist activities.

FinCEN may, on behalf of a law enforcement agency, require CredoEx to search its records regarding a particular individual, organization, or entity suspected of engaging in terrorism or money laundering to determine whether CredoEx has any transaction information regarding the subject of FinCEN’s inquiry in compliance with Section 314(a) of the PATRIOT Act. Any employee contacted by FinCEN or any other governmental authority regarding our business should immediately contact the Legal department for assistance.

Upon receiving a request from FinCEN:

  • The AML Compliance Officer will serve as the designated contact person.
  • The AML Compliance Officer will initiate a search for (1) any transaction conducted by or on behalf of the subject of the request or (2) any transmittal of funds in which the subject of the request was either the transmitter or the recipient, during the preceding six (6) months.
  • The AML Compliance Officer will report to FinCEN in the timeframe the FinCEN requests: the name of the customer, the date and type of each transaction, and any identifying information about the customer.
  • The AML Compliance Officer will document the request and CredoEx’s response for the AML files.
  • CredoEx will maintain adequate procedures to protect the security and confidentiality of the FinCEN request and CredoEx’s response by satisfying the requirements of Section 501 of the Gramm-Leach-Bliley Act and related regulations.
  • CredoEx will not disclose the fact of the FinCEN request to any person, other than FinCEN or the relevant law enforcement agency.

If CredoEx (or any employee) is subpoenaed or otherwise requested to disclose a SAR-MSB or the information contained in it, except where the request is by an appropriate law enforcement or supervisory agency, CredoEx must decline to produce the SAR-MSB or to provide any information that would disclose that a SAR-MSB has been prepared or filed, and cite 31 U.S.C. § 5318(g)(2) and 31 C.F.R. § 103.20(d) as support for not responding. In addition, the Financial Crimes Enforcement Network of the Department of the Treasury should be notified immediately of any such request. The AML Compliance Officer will document all requests for information and CredoEx’s responses and retain them in CredoEx’s files.

The foregoing does not affect the authority of a Federal agency or officer to obtain information directly from a financial institution pursuant to a summons, subpoena, or court order.

B. Information Sharing With Other Financial Institution

Under certain circumstances, CredoEx may share information regarding suspected money laundering or terrorist financing activities with other financial institutions under Section 314(b) of the USA PATRIOT Act. [Confirm whether client will opt-in to Section 314(b) sharing].

C. USA Patriot Act Section 311

CredoEx will voluntarily monitor for FinCEN findings/notices of proposed rulemaking imposing a special measure against one or more foreign jurisdictions, financial institutions, or classes of international transactions or types of accounts deeming them to be of primary money laundering concern (e.g., under Section 311 of the Bank Secrecy Act). If such rules are issued, the Compliance Officer will review the final rule to determine what steps, if any, are appropriate for CredoEx to take in order to follow relevant prescriptions or prohibitions contained in that rule, such as prohibiting a relationship with such institution.

Section 311 updates are available here:


A. Reporting of Suspicious Activity in General

CredoEx is required to file a Suspicious Activity Report (“SAR”) with FinCEN if a suspicious transaction is “conducted or attempted by, at, or through” the institution, involves or aggregates at least $2,000, and CredoEx “knows or has reason to suspect” that:

  • the transaction involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity as part of a plan to violate or evade federal law or regulation or to avoid any transaction reporting requirement under federal law or regulation;
  • the transaction is designed, whether through structuring or otherwise, to evade any requirements of the BSA and/or associated regulations;
  • the transaction has no business or apparent lawful purpose or is not the sort in which the Customer would normally be expected to engage, and after examining the background, possible purpose of the transaction and other facts, the institution knows of no reasonable explanation for the transaction; or
  • the transaction involves the use of the institution to facilitate criminal activity.
B. Filing Procedures for Suspicious Activity Reports

SAR-MSB. CredoEx will electronically file a Suspicious Activity Report for Money Services Businesses (“SAR-MSB”) with FinCEN (available at

CredoEx will maintain registration with FinCEN as an E-Filer here:

Filing. CredoEx must complete and file SAR-MSBs within 30 days after the CredoEx becomes aware of a suspicious transaction. If no suspect is identified at the date of the initial suspicious transaction, CredoEx may delay filing of the SAR-MSB for an additional 30 days pending identification of the suspect.

Immediacy. In some cases, such as ongoing money laundering schemes or potential terrorist activity, a suspicious transaction requires immediate action. In these cases, CredoEx shall immediately call FinCEN’s Financial Institutions Hotline at 1-866-556-3974 and notify appropriate law enforcement authorities in addition to timely filing a SAR-MSB.

SAR Recordkeeping. CredoEx will retain copies of any formal report filed with law enforcement or its bank partners, and the original or business record equivalent of any supporting documentation, for 5 years from the date of filing the report. 31 C.F.R. § 1022.320(c).

SAR Confidentiality. A SAR, and “any information that would reveal the existence of a SAR” (“SAR Information”), is confidential and cannot be shared outside the filing entity, except in certain limited circumstances. Therefore, CredoEx, and its current and former directors, officers, employees, agents, contractors, and attorneys are generally prohibited from disclosing SARs or SAR Information. Unauthorized disclosure of a SAR could result in civil and criminal penalties. See 31 U.S.C. §§ 5321–5322; 31 C.F.R. §§ 1010.820 & 1010.840.

C. Indications of Suspicious Activity

This Policy requires appropriate CredoEx personnel to detect and address suspicious activity. To that end CredoEx has established procedures to monitor transactions taking place on the Exchange to look for indicators of suspicious activity. Some indicators of potential suspicious activity (“Red Flags”) include, but are not limited to: [client to develop additional red flags tailored to its business model as necessary]

  • A Customer who has not verified their account or is unwilling or unable to verify their account;
  • A Customer who alters a transaction upon learning that he/she must show additional identification;
  • A Customer who asks how to avoid money-laundering laws or currency reporting requirements;
  • A Customer who provides different identification or information when he or she opens a new trading account:
  • Different name or different spelling of name.
  • Different address or different spelling or numeration in address.
  • Different identification types.
  • Two or more customers use the same or similar identification documents.
  • A customer who presents any unusual or suspicious identification document or information.
  • Readily available public information identifies accounts or addresses associated with institutions or schemes of money laundering concern;
  • Information provided by the Customer contains several mismatches (e.g. email domain or address details do not correspond to the Customer’s stated location);
  • A Customer asks how to remain anonymous or use features or programs to try to maintain anonymity; Client to confirm which cryptocurrencies will be traded on the platform. Anonymous features pose unique issues and we may need to carveout an Enhanced Due Diligence section for these trades;
  • Customers who conduct several similar transactions over several days, staying just under CredoEx’s maximum transaction limits, each time;
  • Transactions with individual or legal entity counterparties in jurisdictions identified by the Financial Action Task Force (FATF) and FinCEN advisories as having strategic deficiencies in AML deficiencies;
  • Transactions with counterparties located in known tax havens or secrecy jurisdictions, for example, Hong Kong, the Cayman Islands, and Guernsey;
  • Transactions with legal entity counterparties that do significant business without a significant public presence;
  • Transactions with legal entity counterparties that are recently incorporated and/or have little or no discernible business history;
  • Transactions with legal entity counterparties whose public business descriptions are exceedingly generic;
  • Transactions with legal entity counterparties that otherwise raise concerns regarding the entity’s beneficial ownership or status as a possible shell company that would trigger enhanced due diligence under this Policy.


A. Sanctions Screening

CredoEx is committed to complying with all applicable financial sanctions laws, including those promulgated by the U.S. Department of the Treasury, U.S. Department of State, and other applicable agencies. To that end, CredoEx will engage in the following measures designed to ensure compliance with applicable sanctions requirements:

  • Screen the names of natural persons in whose name accounts will be opened at the time of opening against lists of sanctions and prohibited parties maintained by the U.S. Department of the Treasury (including OFAC’s list of Specially Designated Nationals and Blocked Persons [the “SDN List”]), the U.S. Department of State, the United Nations, and the European Union [WH to discuss EU applicability with client];
  • For all legal entity customers, CredoEx shall screen the name of the legal entity accountholder, as well as the name of any authorized signatory on the account;
  • Screen all transactions against lists of sanctions and prohibited parties maintained by the U.S. Department of the Treasury (including OFAC’s list of Specially Designated Nationals and Blocked Persons [the “SDN List”]), the U.S. Department of State, the United Nations, and the European Union in real time;
  • Screen static databases of customers and transactions when applicable sanctions lists are updated;
  • Prohibit account opening by natural persons ordinarily resident in Comprehensively Sanctioned Countries and Territories (CSCTs) and legal entities established in CSCTs, including Cuba, the Crimea Region of Ukraine, the Democratic Peoples’ Republic of Korea (“DPRK”), Iran, and Syria;
  • CredoEx shall also implement technical measures to prevent individuals and entities in CSCTs from using services provided by CredoEx.
B. Enhanced Due Diligence for High Risk Relationships

In addition to the measures above, CredoEx will take additional steps to ensure its compliance with applicable sanctions laws in the event there is an indicia of high risk counterparties, customers, or transactions. Indicia of high risk activity may include all of the factors listed in Chapter 5.B above (“Indications of Suspicious Activity”). It may also include residence in high risk jurisdictions (e.g. British Virgin Islands, Cayman Islands, China, Cyprus, Guernsey, Hong Kong, Jersey, Lebanon, Panama, Russia), or occupation in high risk businesses. In such situations, CredoEx may collect and screen additional information such as beneficial ownership information, additional information about the customer’s business activities (e.g. places of operation to determine exposure to CSCTs), or additional information about the compliance framework of legal entity customers. Failure to provide such information at the request of CredoEx shall be grounds to prevent the provision of any services, or discontinue providing services already being offered.

CredoEx may request additional information at any point that it becomes aware of indicia of high risk activity, whether at account opening or at any time thereafter.

C. Other Matters Related to Sanctions Compliance

CredoEx will also maintain the ability to segregate blocked property in accordance with applicable regulations, and will issue reports of blocked property pursuant to the requirements of 31 CFR Part V.


Appendix A - Designation of Anti-Money Laundering and Sanctions Compliance Officer

For purposes of the U.S. Anti-Money Laundering and Sanctions Policy, as of [DATE] the CredoEx Anti-Money Laundering and Sanctions Compliance Officer shall be [PERSON].

Appendix B - Senior Management Approval

Senior management has approved this Policy in writing as reasonably designed to achieve and monitor CredoEx’s ongoing compliance with its anti-money laundering and sanctions compliance goals. This approval is indicated by the signature below.