AML Policy

Anti-money laundering and anti-terrorism policies
KTC GROUP LTD, as a provider of services relating to the use of virtual currency and in compliance with the regulations on anti-money laundering and against international terrorism financing (see Legislative Decree no. 231/2007 - "Anti-Money Laundering Decree"), implemented suitable measures to manage the relevant risk in order to prevent KTC GRUOP LTD involvement in criminal events that may have negative effects on its stability and reputation on the market.Money laundering and terrorist financing are criminal offences, which, in view of their transnational dimension, may seriously threaten the lawful economy. These are factors that cause a great deal of damage to the entire economic system: the reinvestment of illicit profits in legal activities and the presence of economic players and entities involved in crime deeply alter market mechanisms, affect the efficiency and correctness of financial activities and weaken the economic system.

It is known that KTC GRUOP LTD provides users with services linked to blockchain technology: an internet platform that allows them to buy and sell tokens or any other existing "virtual" or "mathematical" currency, as well as allowing the conversion of virtual or cryptographic tokens between them or legal tender countervalue and vice versa. In this context, transactions are protected through encryption, potentially vulnerable, due to their anonymity, to leakage of money laundering and international terrorist financing events, as indicated by the Financial Action Task Force (FATF).

Given all this, the action to prevent and contrast money laundering and terrorism financing by KTC GRUOP LTD is carried out through the introduction of controls aimed at guaranteeing proper customer verification, traceability of financial transactions, identification of suspicious transactions and storage of customer data and documents. This document ("AML Policy"), in particular, describes the general principles and criteria - which are in turn subject to further and timely internal regulation - implemented and managed by KTC GRUOP LTD for the fulfilment of the obligations required by the AML Decree in relation to its core business, which employees, collaborators, customers, corporate representatives and business partners are required to comply with.

Following the implementation of Directive 2015/849/EU (known as the Fourth AMLD) into our legal system, the relevant national legislation has been significantly amended, extending its scope to service providers relating to the use of virtual currency, limited to the performance of the activity of converting virtual currencies from or into legal tender currencies.The IV AMLD has been implemented in our legal system with the Legislative Decree. 90/2017, which amended and supplemented the Anti-Money Laundering Decree. The Anti-Money Laundering Decree consists of three main pillars:
• proper customer verification;
• retention of customer data and information;
• suspicious transaction reports.
The regulatory provisions of the Anti-Money Laundering Decree provide for an accurate identification of customer information and introduce the concept of a "risk-based approach" according to the "sensitivity" of customers, comparing customer due diligence obligations with the risk related to the customer, the product and the geolocation.Authorities at national level called upon to supervise compliance with the regulations are the Ministry of the Economy of Finance, the Financial Information Office (FIU) at the Bank of MALTA, the Supervisory Authorities of each sector where the parties required to apply the regulations operate, the Anti-Mafia Investigative Directorate and the Tax Authorities.

In order to clarify the terminology used in this AML/KYC Policy, the following definitions are specified:Client: The person, who enters into a continuous relationship with KTC GROUP LTD, opens an account on the Website and carries out purchase and sale transactions or requests or obtains the provision of a professional service by .Identifying data: given name and family name, place and date of birth, domicile, if different from the registered residence, the references of the identification document and, if granted, the tax number or, in the case of persons other than natural persons, the name, registered office and, if granted, the tax number.
Agent/Trader: The person authorized to deal with the Client's name and on his/her behalf or who is in any case vested with representative powers enabling him/her to deal with the Client's name and on his/her behalf.
Terrorist financing: Any activity carried out in any way and aimed at the provision, collection, intermediation, deposit, custody or disbursement of funds and economic resources, directly or indirectly, in whole or in part, suitable for the performance of one or more conduct aimed at terrorism, in accordance with the provisions of criminal law, regardless of the actual disbursement of funds and economic resources for the commission of the aforementioned conduct.
Fractionated transaction: It is a single transaction in terms of economic value, for an amount equal to or exceeding thresholds set by this decree, carried out through several transactions, each lower than the above thresholds, carried out at different times and within a limited time period set at seven days, without prejudice to the existence of the fractionated transaction should there be elements to consider it as such.
Occasional Transaction: A transaction not attributable to a continuing business relationship as such; an intellectual or commercial service, including those with the immediate execution of the transaction, rendered in favor of the customer also represents an occasional transaction
High Risk Countries: These are countries outside the European Union whose legal systems suffer from strategic weaknesses in their national systems to prevent money laundering and terrorist financing, as identified by the European Commission.
Politically Exposed Persons - PEPs: These are natural persons who have been entrusted or no longer have been (for less than one year), with prominent public functions, as well as their family members and those who have close links with such persons, as listed below:
1. individuals who have or have held prominent public offices, those who hold or have held the role of:
1.1 President of the Republic, President of the Council, Minister, Vice-Minister and Undersecretary, President of the Region, Regional Alderman, Mayor of the provincial capital or metropolitan city, Mayor of the municipality with a population of non-less than 15,000 inhabitants and similar positions in foreign states;
1.2 Members of Parliament, Senators, Members of the European Parliament, Regional Councilors and equivalent offices in foreign countries;
1.3 member of the central governing boards of political parties;
1.4 Judge at the Constitutional Court, Judge at the Italian Supreme Court or the Court of Auditors, State Councilor and other members of the Administrative Justice Committee for Sicily and similar positions in foreign countries;
1.5 member of the governing boards of central banks and independent authorities;
1.6 ambassador, business representative or comparable positions in foreign states, senior military officer or comparable positions in foreign states;
1.7 member of the administrative, management or control authorities of companies subsidiaries, even indirectly, of the Italian State or of a foreign State, companies controlled by Regions, provincial capitals and metropolitan cities and by municipalities with a total population of not less than 15,000 inhabitants;
1.8 General Manager of ASL, Hospital, University Hospital and other National Health Service Institutes;
1.9 Director, Deputy Director and member of the management board or entity performing similar functions in international organizations;
2. relatives of politically exposed persons include: parents, spouses or persons in a non-marital partnership or institutions deemed equivalent to the politically exposed person, children and spouses thereof, and persons in a non-marital partnership or in a de-facto partnership or institutions treated as such;

3. The following are persons whom politically exposed persons are recognized to maintain close links with:
3.1 natural persons linked to the politically exposed person by virtue of joint beneficial ownership of legal entities or other close business relationships;
3.2 natural persons who only formally control a whole entity known to be effectively established in the interest and for the benefit of a politically exposed person.
Ongoing relationship: It is a long-term relationship, falling within the scope of the activity of an institution carried out by the responsible parties, which is not limited to a single transaction.
Money laundering: Money laundering is defined as the following criminal offences:
a) conversion or transfer of property, being aware that such property results from criminal activity or participation therein, for the purpose of concealing or disguising the unlawful origin of the property or helping any person involved in such activity to avoid legal effects of such activities;
b) concealment or disguise of the true nature, source, location, disposition, movement, ownership of, or rights in respect of property, being aware that such property is the result of criminal activity or participation therein;
c) purchase, possession or use of property, being aware, at the time of receipt, that such property resulted from criminal activities or from participation therein;
d) involvement in, attempt to commit, aiding, abetting, or counselling someone to commit any of the activities listed in (a), (b) and (c), or facilitating the commission thereof.
Beneficial Owner: The natural person(s), other than the client, in whose interest the ongoing relationship is ultimately established, the professional service is rendered or the transaction is carried out.

KYC (know your customer) is an essential element of national and European legislation governing financial transactions between agents/traders and customers.Careful customer control, in addition to being a valid tool for combating money laundering and terrorist financing, protects traders against commercial and reputational risks together with the enforcement of administrative, civil and criminal penalties and fines.
KTC GROUP LTD carries out the appropriate customer verification and monitors the activity through the analysis of the following parameters:
identification data/personal details;
legal status (for corporate entities);
prevailing activity;
source of funds;
conduct occurring at the time of opening the ongoing relationship or at the time of completion of the transaction;
geographical region of origin;
purpose for opening the relationship;
transaction or relationship details;
transaction amount;
significance of the transaction and the relationship.
In gathering customer information, KTC GROUP LTD makes use of the activities carried out by third parties entrusted with the task of adequate verification. In particular, the authorised party shall acquire at least the customer's identification document and verify its identity. In any case, the acquisition of internal and external data allows KTC GROUP LTD to determine the relevant money laundering risk profile for each customer, monitored periodically based on the risk profile mentioned above.

KTC GROUP LTD constantly updates customer due diligence during the relationship with the same, both during the review phase (scheduled according to the risk level) and when any events occur, such as, but not limited to: anomalies detected by the IT applications used, reports by the Authorities, identification of transactions carried out by the customer not consistent with the nature of the relationship underlying the transaction.

In order to comply with the storage obligations, KTC GROUP LTD has implemented an IT register, ensuring that data management is clear and complete, so that information is easy to access and readily available. KTC GROUP LTD has entrusted the maintenance of the register to a third party.

Information and data obtained are retained for ten years as provided for by the existing Legislative Decree 231/2007.

KTC GROUP LTD has appointed a Manager of the AML Department.

KTC GROUP LTD internal control system, however, involves the entire corporate structure from corporate boards to control functions. KTC GROUP LTD ensures that adequate internal controls are maintained to protect the integrity of the money laundering risk management process and the relevant reputational risk by drafting strict guidelines on the topic, as well as by means of an adequate internal organizational structure.

The Anti-Money Laundering Policy updates, as well as the assessment of the compliance with procedures and internal provisions adopted by KTC GROUP LTD, is entrusted to the AML Department which, in partnership with other internal functions or external professions, is responsible for ensuring the effectiveness of the activities implemented to mitigate the risks related to money laundering and terrorist financing.

KTC GROUP LTD has implemented dedicated organizational/regulatory supervision to fulfil the obligations set out in the AML Decree. In particular, adequate internal regulatory procedures have been prepared to govern the requirements established in order to provide KTC GROUP LTD corporate functions with internal reference and support tools useful for understanding the issues involved.

Furthermore,KTC GROUP LTD adopted specific IT tools for the analysis of the anti-money laundering risk profiles to be attributed to customers and for the monitoring of "anomalous" transactions for which an analysis is carried out by the relevant structures in order to assess the same.

In order to cooperate with the Authorities to ensure the stability of the financial system and to avoid KTC GROUP LTD involvement in money laundering and terrorist financing, the latter has adopted a structured process for reporting suspicious transactions regarding the illicit origin of transferred funds. For this purpose, KTC GROUP LTD has identified a reporting party responsible to report suspicious transactions, required to transmit reports to the Financial Intelligence Unit (FIU) in the form and manner required by the Authority.
As provided for by the Anti-Money Laundering Decree, KTC GROUP LTD annually provides a Training Program (e-learning, specific courses) mandatory for all personnel, consultants and company representatives.
Privacy policy
Privacy Disclosure
KTC GROUP LTD Malta 163 Guardamangia Hill, Msida PTA 1311 REG: C86282 or even "Data Controller" of users who access and visit website and of customers who access the services thereof ("Site").
KTC GROUP LTD, as Data Controller, provides the following disclosure ("Privacy Policy"), pursuant to Article 13 of Legislative Decree No. 231/2001. 196/2003 "Personal Data Protection Code" ("Privacy Code") and amendments thereto, as well as art. 13 of EU Regulation 2016/679 (or General Data Protection Regulation, hereinafter also referred to as the GDPR).
This Privacy Policy covers the methods for personal data collection, processing and treatment during website browsing and does not apply to other websites accessed through links; it has been drafted in a clear and intelligible way accessible to the general public, by means of icons as well, as provided for by art. 12, par. 7 of the GDPR, which will be amended at a later date, once those officially approved by the European Commission are available.
Privacy Policy is divided into the following paragraphs:
1.Data processed
As a rule, the Website can be used without having to provide any personal data. Should the Website be accessed for information only (opening no account), we are not going to collect any personal data, except for those transmitted by the user's browser or terminal device and IP address in order to enable access to the Website. In this case, data transmitted to KTC GROUP LTD shall be, by way of example: (i) date and place of the request; (ii) the type and version of the browser used; (iii) the OS; (iv) page views and navigation paths of the Website; and (v) information on the timing, frequency and layout of the use of the Website, and in general all the use-related data offered by KTC GROUP LTD automatic tracking system, whereby, in any case, anonymous information is collected to report use-related trends.
Personal data are collected within specific sections of the Website via electronic forms, only to access KTC GROUP LTD services. In this case, personal data collected between the user and KTC GROUP LTD for service use consist of two different categories, depending on whether you want to use the services only for the exchange and trading of virtual currencies, or you also want to access the services of conversion, purchase and sale of virtual currencies in exchange for currency legal tender or vice-versa.
In the first case, KTC GROUP LTD, as Data Controller, collects and processes personal data, such as given name, family name, business name, address and e-mail address (hereinafter "Personal Data" or "Data"), communicated by the user when opening an account and registering on the Website. In the latter case, since the account is to be verified for personal identification purposes, Personal Data required will also be those necessary for identification, and may include, without limitation: (i) first name and surname; (ii) date of birth; (iii) place of birth; (iv) place of residence; (v) domicile, if different from residence; (vi) tax number, if issued; (vii) references to identification document and date of issue and expiry, etc.
KTC GROUP LTD does not collect data from persons younger than 18 and does not process sensitive data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, or health status.
2. Checking and Identification
Once the user has registered on the website in order to use the services by accepting the Terms and Conditions relating to the Website and the services, KTC GROUP LTD is obliged to fulfill its obligations as a service provider relating to the use of virtual currency, as per Legislative Decree 231/2001. 21 November 2007, no. 231, as amended by Legislative Decree 25 May 2017, no. 90, concerning anti-money laundering and the fight against terrorist financing, limited to the conversion of virtual currencies from or into legal tender currencies.
KTC GROUP LTD is obliged to verify the User's identity by means of a valid identification document, keep specific information taken from this document, check the authenticity of such document together with all additional information, including documents, which must be requested and which, during the relationship, must be updated. Therefore, the User must provide all the information additional to that required for opening the account, which will be requested through electronic forms also providing for the possibility to upload documents, or through questionnaires that will be submitted and that KTC GROUP LTD will request to fill off-line.
In order to comply with all obligations regarding anti-money laundering, KTC GROUP LTD , as Data Controller, makes use of third-party services, duly authorized to process Personal Data through specific outsourcing contracts with KTC GROUP LTD , or specific mandates to process such Personal Data; third parties are required, pursuant to the GDPR, to comply with KTC GROUP LTD Privacy Policy and with instructions on the storage and non-disclosure, nor misuse of Personal Data other than for the purpose of data processing. A detailed and updated list of these parties is available to the user; a formal request should be addressed to KTC GROUP LTD

3. Legal basis and purpose for processing
Personal Data of the user are processed:

A) with no specific consent of the data subject (Article 6(b), (c) and (f) GDPR), for the following purposes:
use the Website services;
comply with pre-contract, contract and tax obligations of KTC GROUP LTD or carry out all measures and actions upon request of the data subject, as well as arising from all existing relationships with users, customers, collaborators, business partners, suppliers, and consultants;comply with the obligations set out under the law, any Regulation, EU legislation or any Authority order ( as, for example, concerning anti-money laundering); pursue legitimate rights and interests (such as the right of defense before the Court);
B) only upon specific and separate consent (Articles 23 and 130 of the Privacy Code and Article 7 GDPR), for the following marketing purposes: send by e-mail, post and/or sms and/or telephone contacts, newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller and assess the satisfaction rate on service quality;
send via e-mail, mail and/or sms and/or telephone contacts commercial and/or promotional communications from third parties (such as, for example, business partners). In any case, KTC GROUP LTD shall, insofar as possible, ask the data subject's consent even when the legal basis for Personal Data processing is based on the purposes referred to in paragraph 3.A).
4. Data provision
Personal Data must be provided for the purposes referred to in paragraph 3.A).

If the data are not provided by the data subject, KTC GROUP LTD cannot guarantee the provision of business services, nor can it perform its contractual obligations towards customers, employees, suppliers, business partners and, in general, all those connected with KTC GROUP LTD . In such cases, the Company further states that even the partial or incorrect provision of Personal Data may result in the impossibility to provide services and in any case prevents KTC GROUP LTD from fulfilling the pre-contract, contract and tax requirements it is required to fulfill.

If consent to personal data processing is required to the data subject and the latter discontinues the consent to the provision of Personal Data already made, it shall remain mandatory and basic condition for the performance of all the purposes specified under paragraph 3.A) above. Should the data subject fail to provide his/her Personal Data, given that KTC GROUP LTD is unable to fulfill its obligations, KTC GROUP LTD shall not be deemed liable, resulting in the termination of any previous relationship or otherwise being unable to continue the same.

Data provision for the purposes referred to in paragraph 3.B) is optional.

The data subject may therefore decide not to provide any Personal Data or to subsequently refuse the possibility of processing any data already provided. In this case, the data subject shall not receive newsletters, commercial communications and advertising material relating to the services offered by the Data Controller, whilst remaining entitled to use company and contractual services referred to in paragraph 3.A), without prejudice to the foregoing.

5. Data processing and retention
Personal Data processing is carried out by means of procedures indicated in art. 4 Privacy Code and art. 4 no 2) GDPR. Specifically, data processing is carried out through: data collection, recording, management, retention, consultation, processing, modification, selection, extraction, comparison, application, interconnection, blocking, communication, erasure and destruction.

Personal Data are processed both in paper and electronic and/or automated form with methods and tools in compliance with the security measures set forth in art. 32 of the GDPR and Annex B of the Privacy Code, by parties specifically appointed by TRT in compliance with the provisions of art. 30 of the Privacy Code, or parties in charge of personal data processing under the direct control of TRT as provided for by Article 4, paragraph 10, of the GDPR. As anticipated, the treatment may be entrusted, by means of specific agreements, also to third parties, appointed as data processors and acting on written order of TRT itself, as Data Controller.

Data Controller or Data Processor shall process and retain Personal Data for the shortest time necessary to fulfill the purposes set out in paragraph 3, and only for the time necessary to complete the retention as provided for by the GDPR. Both the processing and retention, however, are set for no more than 10 years from the term of the processing agreement entered into for service purposes, and for no more than 12 months from data collection for marketing purposes. After these retention periods, Personal Data will be blocked, destroyed or made anonymous in accordance with legal requirements.
6. Data-access and international data-migration
Personal Data may be accessed for the purposes referred to in paragraphs 3.A) and 3.B):
to employees or consultants of the Data Controller who are in charge of the processing under the direct authority and instructions of KTC GROUP LTD;
to KTC GROUP LTD partner companies, in Malta and abroad, in their capacity as data controllers and/or system administrators pursuant to art. 28 of the GDPR acting as Personal Data Processors on behalf of the Data Controller and having provided sufficient guarantees to put in place appropriate technical and organisational measures to ensure that the processing thereof complies with legal requirements;
to third parties or other parties, such as, without limitation, financial institutions, payment institutions or other financial intermediaries, firms, consultants, insurance carriers, which carry out activities on behalf of the Data Controller and act as independent data controllers with their own privacy policies, available to the data subject.
Without specific consent (art. 24 letters a), b), and d) Privacy Code and art. 6 letters b) and c) GDPR), the Data Controller may disclose Personal Data of the data subject for the purposes set forth in paragraph 3.A) to Supervisory Boards (such as FIU, Bank of Malta, OAM, IVASS, etc.), Judicial Authorities, insurance companies for the provision of insurance services, as well as to whom the communication is compulsory by law for the fulfillment of said purposes. Said parties will process the data in their capacity as autonomous data controllers and the Personal Data of the data subject will not be disclosed. Personal Data will be retained on servers located within the European Union. Should it become necessary, Data Controller will be entitled to move servers also to non-EU countries.

In such a case, Data Controller hereby ensures that the transfer of data to non-EU countries will take place only upon specific consent of each data subject, to countries that guarantee an adequate level of protection of Personal Data and only after entering into agreements containing standard clauses approved by the European Commission, which guarantee that the processing of Personal Data complies with legal principles and requirements set out in the GDPR.
7. Cookies
Cookies are used on the Website. By using cookies, KTC GROUP LTD can provide Website users with more user-friendly services that would not be possible without cookie setting. By means of a cookie, the information on the Website may be optimized as cookies enable the identification of Website users. The purpose of this identification is to make it easier for users to access the Website . The user, for example, is not obliged to enter the access data every time they visit the Website, since these data are already acquired by the Website through the cookies saved in the user's IT system.

The data subject may at any time prevent the setting of cookies when accessing the Website by setting the corresponding Internet browser used, and can therefore permanently deny the setting of cookies. In addition, cookies that have already been set can be deleted at any time via an Internet browser or other software. This is possible with every common Internet browser. If the data subject disables cookie settings in the Internet browser used, not all functions of the Website may be fully available.
8. Rights of data subjects and how to apply
The data subject is entitled to the rights set forth in Article. 7 Privacy Code and Art. 15 GDPR and precisely the following: i) obtain confirmation as to whether or not personal data concerning him/her exist, regardless of their being already recorded;
ii) obtain the indication: a) of the origin of Personal Data; b) of the purposes and methods of processing; c) of the logic applied in the case of processing with the aid of electronic tools; and d) of the identification details of the Data Controller, Data Processors and other persons in charge;
iii) obtain: a) the updating, correction or integration of data; b) the erasure, anonymization or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected; c) certification that the operations as per letters a) and b) have been notified, also with regard to their contents, to those whom the data were communicated or disseminated, unless this requirement proves impossible or involves a clearly disproportionate effort
iv) object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials by means of traditional marketing systems, or automated call without operator, by e-mail, telephone and/or mail
The data subject is also entitled to the rights under Articles 16-21 GDPR, namely the right to be forgotten, the right to restrict processing, the right to data portability, and the right to submit a complaint to the Data Protection Authority. Lastly, if consent is required to the processing of personal data by the data subject, the latter may revoke the provision of the Personal Data already carried out.
The interested party may, at any time, apply his/her rights by sending a request drawn up on the basis of the form prepared by the Personal Data Protection Authority.
9. Data controller, data processor and persons in charge
Data controller is KTC GROUP LTD, with registered office Malta ,163 Guardamangia Hill ,Msida PTA 1311, in the person of its legal representative.

In order to comply with the GDPR, KTC GROUP LTD has been drafting a privacy organisational model, identifying roles and responsibilities in the processing of Personal Data, and identifying in particular, as internal privacy contact persons, the Persons in charge of the Organisational Units or Offices who, limited to the processing of data under their responsibility, are responsible for implementing the data protection model in compliance with legal requirements. Data Controller shall appoint in writing as Data Processors, pursuant to art. 30 of the Privacy Code, employees of the company functions responsible for pursuing the above purposes and providing suitable instructions.

Personal Data may be processed by third parties the Company relies on for purposes of identification procedures, verification of the authenticity of identity documents, database access, or to perform payment services made available to customers. These persons will be independent Data Controllers or will be appointed as Data Processors.
The updated list of data processors and persons in charge of processing is kept at the registered office of the Data Controller.
10. Amendments to the Privacy Policy
This Disclosure may change; we recommend reviewing updates that will be notified time by time.

Malta, Gwardmangia Hill,
Pieta PTA 1311
Company number C 86282