AML & KYC POLICY — The Platform
Version: v3.0 — 05 Jan 2026

Operator / Licensing / Brand Scope
Operator / Data Controller:
3-102-938509 S.R.L. (Costa Rica)
Registered address: Costa Rica, San José, San José, Mata Redonda, Sabana Oeste, 12 Avenue 90 Street, ERP Lawyers.
Contact: help@zanlo.market
Licensing: The Platform operates under a license issued by the Anjouan Offshore Finance Authority (Gaming Division) of Anjouan, an autonomous island of the Union of the Comoros (License No.: NUMBER WILL BE ADDED LATER).
Brand scope: These Terms apply to all products and services under the zanlo trademark, logos, and domains, collectively referred to herein as “the Platform.”

1. Purpose & Scope
This Anti‑Money Laundering and Know‑Your‑Customer (AML & KYC) Policy establishes the measures implemented by **3‑102‑938509 S.R.L.** (operating as zanlo prediction market) to prevent money laundering, terrorist financing, fraud, and other illicit activity.
The Policy applies to all employees, contractors, payment partners, and processors acting on behalf of the Platform and aligns with the **Anjouan Offshore Finance Authority (AOFA)** licensing framework.

2. Regulatory Framework
This Policy complies with **AOFA AML Guidance**, **FATF Recommendations**, and international AMLD5 standards. The Platform follows a **risk‑based approach** to due diligence, verification, and monitoring, ensuring proportionate measures according to user and transaction context.

3. Roles & Responsibilities
The **Designated AML Compliance Officer** (contact: compliance@zanlo.market) is responsible for implementing and supervising AML/KYC controls. Duties include:
• maintaining procedures, controls, and staff training;
• reviewing flagged transactions and suspicious activity;
• approving account freezes/unfreezes and SAR filings;
• ensuring compliance with AOFA directives and PSP obligations;
• coordinating periodic policy reviews and audits.

4. Customer Identification (KYC)
The Platform performs user verification using secure electronic methods:
• identity verification via **Didit.me**, which conducts document validation, face match, and sanctions/PEP screening;
• OTP, Google, or Apple ID linkage for authentication;
• technical verification (device/browser fingerprint via FingerprintJS);
• The Platform does **not** store KYC images or documents; these remain with Didit.me per their data protection standards;
• full KYC required before withdrawals or high‑risk actions.

5. Enhanced Due Diligence (EDD)
High‑risk users (e.g., flagged jurisdictions or PEPs) undergo Enhanced Due Diligence, including:
• proof of address or source‑of‑funds declaration;
• manual review by AML Officer prior to withdrawals;
• cross‑checks against sanctions, adverse media, and PEP databases;
• enhanced monitoring of unusual activity until cleared.

6. Ongoing Monitoring & Internal SLA
The Platform continuously monitors user activity through automated detection, behavioral anomaly detection algorithms, and manual review.
Indicators include large or inconsistent deposits, VPN/TOR access, multiple accounts from one fingerprint, use of temporary numbers or false identities, and high‑frequency withdrawal requests.
Accounts may be suspended pending investigation. The Platform maintains internal target timelines for triage and escalation (e.g., initial review target within 48 hours). These internal KPIs do not create third‑party obligations but support effective compliance.

7. Record Keeping & Data Protection
AML/KYC records, SARs, and audit logs are preserved for a minimum of **five (5) years** after account closure.
Audit trails are stored in **append‑only (immutable)** format with restricted access under role‑based controls and segregation of duties (SOD). After expiry, data is deleted or anonymized.
Third‑party providers (Didit.me, PSPs) retain data per their own legal obligations.

8. App & Store Considerations
Age gating and geolocation checks apply in‑app. Real‑money features do not use app store billing.

9. Suspicious Activity Reporting (SAR)
Suspicious Activity Reports (SARs) are reviewed by the AML Officer **as soon as practicable** after detection.
Reports may be filed with PSPs, AOFA, or other competent authorities **promptly after confirmation** of suspicious behavior, without fixed deadlines, per applicable contracts and laws.
Each SAR record includes case ID, date/time, user ID, description, risk level, action taken, decision, and officer signature. All SARs are registered in an immutable log and retained for audit.

10. Sanctions, PEP & Adverse Media Screening
Didit.me automatically screens customers against global sanctions and PEP lists during onboarding. Active users undergo periodic re‑screening. Adverse media hits trigger manual review; confirmed matches result in suspension or refusal of service. The Platform does not onboard users from restricted jurisdictions.

11. Fraud & Technical Correlation Controls
The Platform uses fraud detection tools including **FingerprintJS** for fingerprint correlation and device integrity checks.
Risk indicators such as proxy use, temporary numbers, SIM swaps, or compromised IDs are flagged for Compliance review. Confirmed cases may lead to freezing, ban, or PSP notification.

12. Refusal of Service & Freezing Policy
The Platform may refuse registration or freeze accounts when suspicion arises before or after onboarding. Actions may occur without prior notice to ensure compliance integrity.
Funds remain frozen until investigation concludes or external authorities provide clearance.

13. Vendor Due Diligence & DPAs
The Platform executes **Data Processing Agreements (DPAs)** with third‑party vendors including Didit.me, FingerprintJS, and PSPs, ensuring security standards such as ISO 27001 or SOC 2 where applicable. Vendors undergo due diligence and periodic reviews before onboarding and throughout the partnership.

14. Training & Awareness
All staff with access to compliance tools receive AML/KYC training at least annually and upon significant policy changes. Attendance and comprehension are recorded.
Regular tabletop exercises are conducted to ensure staff readiness in handling SARs and regulatory inquiries.

15. Whistleblower & Internal Reporting Channel
Employees or partners may confidentially report suspected AML or compliance breaches through the **whistleblower channel** at compliance@zanlo.market or directly to AOFA.
Reports are handled confidentially and without retaliation. The Platform encourages good‑faith reporting of potential violations to strengthen regulatory integrity.

16. Cooperation with Authorities & Legal Holds
The Platform cooperates fully with AOFA, PSPs, and law enforcement for legitimate investigations and audits. In case of active investigations, data related to the subject is placed under legal hold and preserved until the process concludes.
Cross‑border data disclosures occur only when recognized by AOFA under applicable agreements.

17. Internal SOPs & SAR Management
The Platform maintains internal **Standard Operating Procedures (SOPs)** and **SAR templates** defining each step from detection to closure of suspicious cases.
All compliance actions are logged in an immutable registry available for AOFA audit.
Internal SOPs define escalation flow (Detection → Triage → AML Review → SAR Filing → Closure) and are updated annually or upon regulatory change.

18. Review, Audit & Updates
This Policy and underlying SOPs are reviewed **at least once per year** or upon changes to AOFA guidance, FATF recommendations, or internal processes.
Independent external audits may be commissioned by AOFA or PSPs. Updates are approved by the AML Officer and management team.

19. Policy Enforcement
All of the Platform’s employees, contractors, and partners are required to comply with this Policy. Violations may result in disciplinary action, access revocation, or contract termination, depending on severity. The Platform enforces compliance expectations consistently across all jurisdictions.

Approved: 05 Jan 2026 by 3‑102‑938509 S.R.L.