Anti-Money Laundering (AML) and OFAC Compliance Policy

Effective Date: January 27, 2025 | Version 2.0

IMPORTANT COMPLIANCE NOTICE: This policy is mandatory for all Monay services including Monay ID, CaaS, and WaaS. Violation of these policies may result in immediate account termination, reporting to law enforcement, and criminal prosecution.

1. Policy Statement and Commitment

Utilli, LLC (dba Tilli), operating as Monay ("Company," "we," "us," or "our"), is committed to the highest standards of Anti-Money Laundering (AML) compliance, Counter-Terrorist Financing (CTF), and sanctions compliance. This comprehensive policy establishes our framework for preventing, detecting, and reporting money laundering, terrorist financing, and sanctions violations across all our services, including:

  • Monay ID - Identity and authentication services
  • Monay CaaS - Enterprise stablecoin issuance on dual-rail blockchain
  • Monay WaaS - Digital wallet and payment services
  • All associated payment rails and cross-border transactions

We maintain a zero-tolerance policy toward money laundering, terrorist financing, and sanctions violations. All employees, contractors, and partners must comply with this policy without exception.

2. Regulatory Framework and Compliance

Monay operates in strict compliance with all applicable laws and regulations including but not limited to:

2.1 United States Federal Requirements

  • Bank Secrecy Act (BSA) - 31 USC 5311 et seq.
  • USA PATRIOT Act - Title III provisions
  • Money Laundering Control Act of 1986 - 18 USC 1956 and 1957
  • Financial Crimes Enforcement Network (FinCEN) regulations - 31 CFR Chapter X
  • Office of Foreign Assets Control (OFAC) sanctions programs - 31 CFR Parts 500-599
  • Electronic Fund Transfer Act (EFTA) and Regulation E
  • Trading with the Enemy Act (TWEA)
  • International Emergency Economic Powers Act (IEEPA)

2.2 State Requirements

  • Maryland Money Transmission Act
  • State money transmitter licensing requirements
  • State-specific AML and reporting obligations
  • Multi-state licensing through NMLS

2.3 International Standards

  • Financial Action Task Force (FATF) Recommendations
  • Wolfsberg AML Principles
  • EU 5th and 6th Anti-Money Laundering Directives (for EU operations)
  • UN Security Council Resolutions on terrorist financing
  • SWIFT CSP requirements for payment messaging

3. Customer Due Diligence (CDD) Program

3.1 Know Your Customer (KYC) Requirements

All customers must undergo comprehensive identity verification before accessing our services:

Individual Customers

  • Full legal name as it appears on government-issued ID
  • Date of birth (must be 18+ or age of majority)
  • Social Security Number (SSN) or Tax Identification Number (TIN)
  • Current residential address (no P.O. boxes for primary address)
  • Government-issued photo ID (passport, driver's license, national ID)
  • Selfie verification for biometric matching
  • Proof of address (utility bill, bank statement, lease agreement)
  • Source of funds documentation for transactions over $10,000

Business Customers (Know Your Business - KYB)

  • Legal entity name and all DBAs
  • Business registration number and jurisdiction
  • Federal EIN or equivalent tax identification
  • Certificate of incorporation or formation
  • Operating agreement or bylaws
  • Business license and permits
  • Beneficial ownership information (25% or greater ownership)
  • Control prong person identification
  • Proof of business address
  • Bank account verification
  • Website and business model documentation

3.2 Enhanced Due Diligence (EDD)

Enhanced due diligence is required for:

  • Politically Exposed Persons (PEPs) and their associates
  • High-risk jurisdictions as designated by FATF or OFAC
  • Money Service Businesses (MSBs) and Virtual Asset Service Providers (VASPs)
  • Non-profit organizations and charities
  • Customers with complex ownership structures
  • Shell companies or entities with no apparent business purpose
  • Transactions exceeding $50,000 per month
  • Cross-border wire transfers
  • Cryptocurrency exchanges and DeFi protocols

3.3 Customer Risk Rating

Each customer is assigned a risk rating based on the following criteria:

  • Low Risk: Standard retail customers, verified employment, domestic transactions
  • Medium Risk: Small businesses, moderate transaction volumes, limited international activity
  • High Risk: MSBs, PEPs, high-risk jurisdictions, large transaction volumes
  • Prohibited: Sanctioned parties, shell companies without substance, illegal activities

4. OFAC and Sanctions Compliance

4.1 Sanctions Screening Program

We maintain a comprehensive sanctions screening program that includes:

  • Real-time screening against OFAC's Specially Designated Nationals (SDN) List
  • Consolidated Sanctions List screening
  • Sectoral Sanctions Identifications (SSI) List
  • Foreign Sanctions Evaders (FSE) List
  • EU consolidated sanctions list
  • UN Security Council sanctions list
  • UK HM Treasury sanctions list
  • Country-based comprehensive sanctions programs (Cuba, Iran, North Korea, Syria, Crimea)

4.2 Prohibited Countries and Regions

We do not provide services to individuals or entities located in:

  • Cuba
  • Iran
  • North Korea (DPRK)
  • Syria
  • Crimea, Donetsk, and Luhansk regions of Ukraine
  • Any other jurisdiction subject to comprehensive OFAC sanctions

4.3 Sanctions Compliance Procedures

  • Automated screening at account opening and for every transaction
  • Daily rescreening of entire customer base against updated lists
  • Fuzzy logic matching to catch name variations
  • Manual review of potential matches by compliance team
  • Immediate blocking of confirmed matches
  • Filing of blocking reports with OFAC within 10 days
  • Annual reports of blocked property to OFAC
  • Retention of screening records for 5 years

5. Transaction Monitoring and Analysis

5.1 Real-Time Monitoring Systems

Our transaction monitoring system employs:

  • Machine learning algorithms for pattern recognition
  • Rule-based scenarios for known typologies
  • Behavioral analytics and peer group analysis
  • Network analysis for related party transactions
  • Geographic risk scoring
  • Velocity checking (frequency and volume)
  • Cross-product monitoring across all services

5.2 Red Flag Indicators

We monitor for the following suspicious activity indicators:

Structuring and Layering

  • Multiple transactions just below $10,000 reporting threshold
  • Rapid movement of funds between accounts
  • Complex transaction chains with no apparent purpose
  • Use of multiple accounts to circumvent limits

Unusual Customer Behavior

  • Reluctance to provide required information
  • Providing false or misleading information
  • Unusual concern about compliance procedures
  • Requests to bypass normal procedures

High-Risk Transaction Patterns

  • Large cash deposits followed by immediate transfers
  • Transactions to/from high-risk jurisdictions
  • Round-dollar amounts or repetitive transactions
  • Dormant account suddenly active
  • Transaction patterns inconsistent with stated business

Cryptocurrency-Specific Indicators

  • Transactions with mixing services or tumblers
  • Deposits from or withdrawals to darknet markets
  • Rapid conversion between multiple cryptocurrencies
  • Use of privacy coins without clear business purpose
  • Transactions with ransomware-associated addresses

6. Suspicious Activity Reporting (SAR)

6.1 SAR Filing Requirements

We file SARs with FinCEN for:

  • Transactions aggregating $5,000+ involving suspected money laundering
  • Transactions aggregating $2,000+ involving suspected structuring
  • Any transaction suspected to involve terrorist financing (no minimum)
  • Suspected insider abuse involving any amount
  • Transactions with no apparent lawful purpose

6.2 SAR Process and Timeline

  • Detection: Automated alert or manual identification
  • Investigation: Within 5 business days of detection
  • Decision: Document decision to file or not file
  • Filing: Within 30 calendar days of initial detection
  • Continuing activity: File continuing SARs every 90 days
  • Recordkeeping: Maintain SAR and supporting documentation for 5 years

6.3 SAR Confidentiality

Federal law prohibits disclosure of a SAR filing to any person involved in the transaction. Violations may result in civil and criminal penalties. Only authorized personnel may access SAR information, and only on a need-to-know basis.

7. Currency Transaction Reporting (CTR)

We file Currency Transaction Reports for:

  • Cash transactions exceeding $10,000 in a single business day
  • Multiple cash transactions aggregating over $10,000 by or on behalf of the same person
  • Filing deadline: Within 15 days of the transaction
  • Exemptions documented and reviewed annually

8. Recordkeeping Requirements

8.1 Required Records and Retention Periods

  • Customer Identification Records: 5 years after account closure
  • Account Records: 5 years after account closure
  • Transaction Records: 5 years from transaction date
  • Wire Transfer Records: 5 years (including all originator and beneficiary information)
  • SAR Filings: 5 years from filing date
  • CTR Filings: 5 years from filing date
  • OFAC Screening Records: 5 years
  • Training Records: 5 years
  • Independent Testing Results: 5 years
  • Risk Assessments: Until superseded plus 5 years

8.2 Information Security

All AML records are maintained with:

  • AES-256 encryption at rest and in transit
  • Role-based access controls
  • Audit logging of all access
  • Secure backup and disaster recovery
  • Physical and logical security controls

9. Employee Training and Awareness

9.1 Training Requirements

  • New Hire Training: Within 30 days of employment
  • Annual Refresher: All employees annually
  • Role-Specific Training: For customer-facing and compliance staff
  • Updates Training: Within 30 days of regulatory changes
  • Testing: Minimum 80% passing score required

9.2 Training Topics

  • AML/CFT laws and regulations
  • OFAC sanctions programs
  • Red flag identification
  • Customer due diligence procedures
  • SAR/CTR filing requirements
  • Recordkeeping obligations
  • Internal reporting procedures
  • Consequences of non-compliance

10. Governance and Oversight Structure

10.1 Three Lines of Defense

  • First Line: Business units implementing controls
  • Second Line: Compliance function providing oversight
  • Third Line: Internal audit providing independent assurance

10.2 AML Compliance Officer

Our designated AML Compliance Officer has:

  • Full authority and resources to implement the AML program
  • Direct reporting line to senior management and board
  • Responsibility for program effectiveness
  • Authority to freeze accounts and block transactions
  • CAMS certification or equivalent qualification

10.3 Independent Testing

  • Annual independent audit of AML program
  • Conducted by qualified third party or internal audit
  • Testing of internal controls and procedures
  • Transaction testing and sampling
  • Regulatory compliance assessment
  • Findings reported directly to board

11. Cooperation with Law Enforcement

We maintain full cooperation with law enforcement and regulatory authorities:

  • Timely response to subpoenas and court orders (within legal deadlines)
  • 314(a) information sharing requests (response within 2 weeks)
  • 314(b) voluntary information sharing with financial institutions
  • Preservation of records upon request
  • Assistance with investigations while maintaining customer privacy rights
  • Designation of law enforcement liaison

12. Penalties for Non-Compliance

12.1 Regulatory Penalties

  • Civil Money Penalties up to $500,000 per violation
  • Criminal penalties including imprisonment
  • Loss of licenses and registrations
  • Cease and desist orders
  • Personal liability for executives and board members

12.2 Internal Disciplinary Actions

  • Verbal or written warnings
  • Suspension without pay
  • Termination of employment
  • Referral to law enforcement
  • Personal liability for losses

13. Blockchain and Cryptocurrency Specific Requirements

13.1 Blockchain Analytics

For all blockchain transactions, we employ:

  • Chainalysis or similar blockchain analytics tools
  • Risk scoring of wallet addresses
  • Cluster analysis for related addresses
  • Source of funds tracing
  • Destination of funds monitoring
  • Darknet market exposure analysis
  • Mixer and tumbler detection

13.2 Travel Rule Compliance

For cryptocurrency transfers over $3,000:

  • Collect and transmit originator information
  • Collect and transmit beneficiary information
  • Verify counterparty VASP compliance
  • Implement FATF Travel Rule standards
  • Maintain records for 5 years

13.3 DeFi and Smart Contract Risks

  • Enhanced monitoring of DeFi protocol interactions
  • Smart contract audit requirements for integrated protocols
  • Flash loan detection and monitoring
  • Governance token concentration analysis
  • Cross-chain bridge transaction monitoring

14. Reporting Suspicious Activity

If you observe suspicious activity or potential violations of this policy:

Internal Reporting Channels:

  • AML Compliance Officer: Contact AML Officer
  • Anonymous Hotline: 1-800-XXX-XXXX
  • Secure Web Portal: compliance.monay.com
  • Direct Manager (unless involved)

Whistleblower Protection: We maintain strict non-retaliation policies for good faith reporting. Whistleblowers may be eligible for rewards under federal programs.

15. Contact Information

AML Compliance Department

Utilli, LLC (dba Tilli)

1997 Annapolis Exchange Parkway, Suite 300

Annapolis, MD 21401

Phone: 1-888-MONAY-00

24/7 Compliance Hotline: 1-800-XXX-XXXX

FinCEN MSB Registration: [Registration Number]

NMLS ID: [NMLS Number]

Last Updated: January 27, 2025

Version: 2.0

Next Review Date: July 27, 2025

Policy Owner: Chief Compliance Officer

Approved By: Board of Directors