Back to Legal
Legal

AML & Compliance Policy

Qatobit Technologies Private Limited

Report Date: 09 February 2026

Review Frequency: Annual

Reviewed By: Compliance & Risk Function

01

Executive Summary

This comprehensive policy document outlines Qatobit Private Limited's commitment to complying with Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), and other related regulatory requirements as mandated by the Financial Intelligence Unit — India (FIU-IND) under the Prevention of Money Laundering Act (PMLA), 2002, and applicable sectoral guidelines for Virtual Digital Asset Service Providers (VDASPs).

Objective

  • Establish a robust framework for detecting and preventing money laundering and terrorist financing risks.
  • Ensure compliance with FIU-IND registration requirements and regulatory expectations.
  • Implement effective Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures.
  • Conduct comprehensive transaction monitoring and suspicious activity identification.
  • Maintain operational transparency and regulatory adherence across all business units.
  • Mitigate reputational and legal risks through proactive compliance measures.

Overall Assessment

Regulatory Alignment

Framework aligns with current FIU-IND guidelines (January 2026).

Control Effectiveness

Structured governance with designated roles ensures operational compliance.

Enhancement Areas

Crypto-specific transaction monitoring and advanced risk scoring require continuous refinement.

Risk Coverage

Comprehensive policies address crypto-specific AML/CTF risks including wallet and bank transactions.

02

Regulatory Framework & Applicability

Legal Basis

  • Prevention of Money Laundering Act (PMLA), 2002
  • Unlawful Activities (Prevention) Act (UAPA), 1967 — for CTF provisions
  • FIU-IND Guidelines for VDASPs (issued 07 January 2026, 3rd Revision as of 15 September 2025)
  • FATF Recommendations on AML/CFT for Virtual Assets
  • Sanctions Regime: UN Security Council Consolidated List, OFAC, and other competent authority designations

Scope & Applicability

This policy applies to:

  • All employees, contractors, and consultants of Qatobit Private Limited
  • All business units engaged in Virtual Digital Asset (VDA) operations
  • All customers and counterparties transacting on Qatobit platforms
  • Third-party service providers and custodians involved in VDA transactions
  • Directors, officers, and board-level governance structures

Reporting Obligations

Qatobit Private Limited, as a VDASP, is obligated to:

  • Register on FINGate 2.0 (FIU-IND digital reporting portal)
  • Submit Suspicious Transaction Reports (STRs) within stipulated timelines
  • File Currency Transaction Reports (CTRs) for transactions exceeding ₹10 lakh in cash equivalents
  • Maintain detailed transaction reconstruction records per Travel Rule requirements
  • Comply with sanctions screening at account opening and on an ongoing basis
03

Organizational Structure & Governance

Board-Level Commitment

  • Providing adequate resources and budget for AML/CTF compliance infrastructure
  • Approving annual compliance risk assessments and policy updates
  • Overseeing the appointment of key compliance officers
  • Reviewing compliance metrics and violations quarterly
  • Ensuring escalation procedures for serious breaches to senior management

Designated Director (DD)

A Designated Director must be appointed at board or senior management level, responsible for overall AML/CTF governance and regulatory liaison, and must act as the primary contact point with FIU-IND.

  • Ensure organizational commitment to compliance
  • Approve all critical AML/CTF policies and procedures
  • Oversee Principal Officer performance and audit findings
  • Report to board on compliance status quarterly

Principal Officer (PO)

Must possess minimum 3 years of AML/KYC compliance experience in financial services or the crypto sector. Appointment must be disclosed to FIU-IND during VDASP registration. Cannot be relieved of duties without prior FIU-IND notification.

Reporting structure: Direct reporting line to the Designated Director (Mr. Kumar Sonu) or equivalent senior management authority (Mrs. Kumari Jaya). Must have unrestricted access to all customer, transaction, and operational data.

Core PO Responsibilities

  • Design and implement organization-wide AML/CTF policies and procedures
  • Oversee KYC/CDD processes and customer risk assessments
  • Monitor transaction patterns and identify suspicious activities
  • Coordinate STR preparation and timely filing with FIU-IND
  • Conduct ongoing staff training and awareness programs
  • Interface with FIU-IND on regulatory matters and audit responses
  • Maintain compliance documentation and audit trails
  • Review and report compliance metrics to senior management monthly

Compliance Team Structure

Designated Director

Principal Officer

· KYC / Onboarding Manager

· Transaction Monitoring Analyst

· Risk & Sanctions Screening Officer

· Audit & Controls Specialist

· Compliance Support Staff

Board Audit Committee

  • Quarterly review of AML/CTF compliance reports — testing of systems (transaction monitoring/CDD) and identified gaps.
  • Annual assessment of compliance program effectiveness — rigorous review of AML/CFT policies and procedures.
  • Oversight of audit findings and remediation actions — ensuring management develops action plans for identified issues.
  • Approval of compliance budget and resource allocation — sufficient budget, technology, and staff for compliance function.
04

Customer Due Diligence (CDD) & KYC Procedures

Qatobit adopts a comprehensive, risk-based KYC approach aligned with FIU-IND guidelines for VDASPs.

Mandatory Information at Onboarding

Personal Information:

  • Full legal name (including any aliases or alternative names)
  • Date of birth and nationality
  • Permanent and current residential address
  • Contact details (email, mobile number, residential phone)
  • Occupation and nature of business (if self-employed/business owner)

Identity Verification — Primary Documentation (one required):

  • PAN (Permanent Account Number) — mandatory for all Indian customers
  • Government-issued photo ID: Passport, Voter ID, Driving License, or Aadhaar

Enhanced Verification — Live KYC:

  • Mandatory live selfie with liveliness detection (eye-blink or head movement) to prevent deepfake or static image fraud
  • Geographic tracking: latitude, longitude, timestamp, and IP address capture during selfie submission
  • OTP verification for registered email and mobile number
  • Penny-drop verification: confirmation of bank account via a ₹1 test transaction

Beneficial Ownership (for Organisations)

  • Company incorporation certificate (COI) and GST registration
  • Memorandum & Articles of Association or equivalent
  • Board resolution authorizing designated signatories
  • Beneficial ownership structure — all persons holding ≥25% beneficial interest
  • Ultimate Beneficial Owner (UBO) documentation
  • Director and Authorized Signatory identity verification (same as personal KYC)

Risk Categories

Risk LevelProfile
LowEstablished salaried employees, verified employment/residential history, individual transaction volumes within normal parameters, no adverse media or sanctions matches.
MediumSelf-employed professionals or business owners, moderate transaction volumes with occasional large transfers, patterns consistent with declared occupation.
HighHigh-risk business sectors (remittance, precious metals, casinos, ATMs), PEP designation or close associates, jurisdictions with high ML risk, previous sanctions matches or adverse media.
ExtremeConfirmed sanctions designation (UNSC, OFAC, UK, EU), known or suspected terrorist financing links, entities in prohibited jurisdictions, links to organized crime.

Enhanced Due Diligence (EDD) for High-Risk Customers

Enhanced Verification:

  • In-person verification with government-issued photo ID
  • Video KYC with third-party verification service
  • Detailed beneficial ownership verification
  • Source of funds declaration and verification
  • Enhanced background screening including adverse media searches
  • Periodic re-verification (6-monthly for high-risk, 12-monthly for medium-risk)

Periodic Review Schedule:

  • High-risk customers: 6-monthly risk reassessment
  • Medium-risk customers: 12-monthly risk reassessment
  • Low-risk customers: 24-monthly risk reassessment

Annual Re-KYC Requirements

FIU-IND mandate (effective 2024): all customers must undergo re-KYC annually, irrespective of risk rating. Customers receive re-KYC notices 30 days before expiry. Online re-KYC through portal with document upload. Accounts suspended after 60 days if re-KYC is not completed. Non-responsive customers escalated to senior management.

Ongoing Customer Due Diligence (OCDD)

  • Monthly review of transaction activity against declared business/income profile
  • Quarterly risk profile reassessment based on transaction patterns
  • Immediate escalation if activity deviates significantly from baseline
  • Seasonal adjustment for business customers with cyclical revenue patterns
  • Automated alerts for unusual account activity (behavioral anomalies)
05

Transaction Monitoring & Suspicious Activity Detection

Automated Monitoring Thresholds

Transaction TypeThresholdAction
Single cash/fiat deposit₹10 lakhFile Currency Transaction Report within 7 days
Suspicious transaction (any amount)Risk-scored alertReview for STR within 24 hours
High-risk customer transaction₹5 lakh+Enhanced review and documentation
Structuring pattern (daily deposits <₹10L aggregating ₹10L+/week)Pattern detectedImmediate STR consideration
Rapid wallet transfers>5 transfers/day, <1 hour apartBehavioral analysis and escalation

Behavioral Triggers

  • Sudden change in transaction frequency or volume from established baseline
  • Rapid movement of funds through multiple wallets
  • Round-trip transfers (send out → receive back within hours)
  • Late-night/early-morning transaction patterns (typical of illicit activity)
  • Transactions to high-risk jurisdictions or jurisdictions with weak AML frameworks
  • Beneficiary account changes after months of consistent patterns

Crypto-Specific Triggers

  • Mixing service or tumbler usage detection (wallet analysis)
  • Transactions to known ransomware wallet addresses
  • Dark web marketplace interactions
  • Bridge/swap transactions to convert between asset types rapidly
  • Peer-to-peer (P2P) transaction aggregation from multiple sources

Transaction Verification Procedure

Step 1 – Initial Screening

Automated system flags transaction; captures amount, date/time, originator, beneficiary, asset type; screens beneficiary wallet/account against sanctions lists; performs transaction route analysis.

Step 2 – Customer Verification

Verify identity against stored KYC data; confirm authorization by genuine account holder; assess transaction consistency with customer profile; review transaction history for patterns.

Step 3 – Documentation & Evidence

Preserve transaction hash/ID; document all supporting communications; create timestamped audit trail; maintain evidence for regulatory inspection.

Step 4 – Risk Assessment

Assign risk score (low/medium/high); determine if STR criteria are met; document inclusion/exclusion rationale; escalate high-risk assessments to Principal Officer.

STR Filing Criteria

A transaction must be reported as suspicious (STR) to FIU-IND if any of the following apply:

  • Suspected Money Laundering — proceeds from any predicate offense (drug trafficking, cybercrime, corruption, fraud, etc.)
  • Suspected Terrorist Financing — funds destined for terrorist activities, organizations, or designated individuals/entities
  • Structuring/Smurfing — multiple transactions structured to avoid reporting thresholds
  • Beneficial Ownership Concealment — patterns suggesting deliberate obfuscation of true beneficiary
  • Sanctions Evasion — transaction routed through unusual paths to circumvent sanctions screening
  • Unexplained Wealth — customer transaction volume unexplained by declared income or business
  • High-Risk Jurisdiction Transactions — transfers to/from high-risk or non-cooperative jurisdictions
  • Crypto Mixing/Laundering Indicators — wallet analytics reveal tumbler or privacy service usage
  • Ransomware-Linked Addresses — funds sent to known ransomware attacker wallets
  • Regulatory Counterparty — transaction involves entities under sanctions, frozen assets, or regulatory action

STR Preparation & Filing

Each STR must include transaction ID, date/time, and asset type; originator details (name, wallet/account, PAN/KYC ID); beneficiary details (name, wallet/account, country); transaction amount and currency; and complete transaction route (if multi-hop).

Filing Timeline:

  • STR prepared within 24 hours of transaction flagging
  • Filed on FINnet 2.0 within 7 calendar days of detection (or within 30 days if more investigation needed, with supplementary filing)
  • Filed without advance notice to customer or counterparty (regulatory requirement)
  • Complete filing documentation maintained with Principal Officer authorization

Currency Transaction Report (CTR) Filing

Reportable transactions:

  • Cumulative cash/fiat deposits exceeding ₹10 lakh in a calendar week
  • Cross-border wire transfers (SWIFT) exceeding ₹10 lakh
  • Convertible virtual assets purchased with cash exceeding ₹10 lakh
  • Multiple transactions aggregating to ₹10 lakh+ to avoid reporting threshold

CTR filed within 7 calendar days of transaction. Filed on FINnet 2.0 by Principal Officer or authorized compliance officer. Cumulative submissions weekly to FIU-IND.

06

Risk-Based Approach (RBA) to Compliance

Qatobit adopts a risk-based approach recognizing that money laundering and terrorist financing risks vary significantly across customer segments. Not all transactions or customers present equal risk. Proportionate compliance measures optimize regulatory effectiveness and operational efficiency. Customer risk rating determines applicable CDD, monitoring, and reporting procedures.

Risk Assessment Matrix

FactorLow RiskMedium RiskHigh Risk
Customer TypeSalaried individual, established businessSelf-employed professional, SMEHigh-risk business sector (remittance, precious metals, casino)
Transaction Volume<₹5 lakh/month₹5–50 lakh/month>₹50 lakh/month
GeographyIndia, low-risk countriesEmerging marketsFATF Grey List, high ML risk jurisdictions
PEP StatusNo PEP linksDistant PEP connectionDirect/immediate family PEP
Compliance HistoryClean recordMinor inconsistenciesPrevious sanctions match, adverse media
07

Sanctions Screening & Travel Rule Compliance

Sanctions Lists Screened

UNSC Consolidated List (Mandatory):

  • UN Security Council Financial Sanctions Target List — updated daily
  • Coverage: individual persons, legal entities, groups, organizations
  • Screening frequency: real-time at account opening and monthly for ongoing customers

Additional Lists:

  • UK Sanctions List
  • EU Consolidated Sanctions List
  • OFAC (Office of Foreign Assets Control) SDN List
  • EU High-Risk Third Countries List (for jurisdictional screening)

Jurisdictional Risk Assessment:

  • FATF Grey List and non-cooperative jurisdictions
  • Countries with known ML/TF risk (country risk assessment matrix)
  • Sanctioned jurisdictions (North Korea, Iran, Syria, Crimea, etc.)
  • Jurisdictions with weak AML/CFT frameworks

Account Opening Screening Procedure

Step 1 – Initial Verification (Pre-KYC)

Customer name, DOB, nationality checked against UNSC Consolidated List. Exact match algorithm with tolerance for alternative spellings/name variations. Wildcard search for common name elements. Result documented with timestamp.

Step 2 – Enhanced Verification (Potential Matches)

Manual review of matched entry details (designation date, offense description, entity type). Verify customer information against designation details. Request additional information if required (alternative addresses, passport number).

Step 3 – Positive Match Response

IMMEDIATE HALT: account opening suspended. FIU-IND notified within 24 hours. Any funds identified frozen and reported per Section 23(1) of PMLA. Complete record of matched entry, screening process, and regulatory notification maintained.

Travel Rule Compliance

For all VDA transfers, VDASPs must collect and transmit:

Originator Information Required:

  • Full legal name
  • Wallet address or account identifier
  • Residential address or account registration address
  • Unique customer identifier (PAN for India)
  • Date of birth (if available)

Beneficiary Information Required:

  • Full legal name
  • Wallet address or account receiving assets
  • Beneficiary entity name (if different from receiving address holder)
  • Country of beneficiary
  • Unique customer identifier (if available)

Information must be transmitted before or during the VDA transfer. Counterparty VDASP must receive complete originator/beneficiary data. Records maintained for transaction reconstruction per audit requirements.

Travel Rule Non-Compliance Handling

Received transfer without Travel Rule data:

  • Transfer held in suspense account pending information receipt
  • Counterparty contacted immediately with information request
  • Escalation to FIU-IND if counterparty fails to provide information within 5 business days
  • STR considered if information cannot be verified
08

Cyber Security & Data Protection

CERT-In Audit Requirement

Per FIU-IND guidelines (2026), Qatobit must obtain a CERT-In Empaneled Auditor Certificate covering all critical risk domains: governance, compliance, access control, insider risk, infrastructure security (network, endpoints, cloud), application security (AML systems, KYC platform, wallet security), third-party and API security, and incident detection readiness.

  • Audit completed by 31 December each year
  • Audit scope proportionate to Qatobit's operational size and transaction volume
  • Audit certificate submitted to FIU-IND within 15 days of completion
  • Remediation of identified vulnerabilities completed within 90 days

Data Protection Measures

Data Storage:

  • Customer KYC and transaction data encrypted at rest (AES-256 minimum)
  • Database access restricted to authorized compliance personnel only
  • Segregation of development/testing environments from production systems

Data Transmission:

  • All data in transit encrypted via TLS 1.2 or higher
  • API calls use OAuth 2.0 or equivalent authentication
  • Third-party data sharing via encrypted channels only

Access Controls:

  • Role-based access control (RBAC) with least privilege principle
  • Multi-factor authentication (MFA) for all compliance system access
  • Regular access reviews (quarterly) with immediate removal of lapsed access
  • Privileged Access Management (PAM) for superuser/admin access

Incident Response:

  • Data breach notification to affected customers within 72 hours
  • FIU-IND notification for breaches affecting AML/CTF data within 24 hours
  • Root cause analysis and remediation plan documented
  • Post-incident audit to prevent recurrence
09

Staff Training & Awareness

Mandatory AML/CTF Training

All Employees:

  • Onboarding training within 7 days of joining
  • Annual refresher training (minimum 4-hour session)
  • Role-specific training for compliance, KYC, and operations teams

Training Content:

  • AML/CTF regulatory framework and FIU-IND requirements
  • Qatobit's AML/CTF policies and procedures
  • Customer due diligence and KYC process
  • Transaction monitoring and STR filing
  • Sanctions screening procedures
  • Crypto-specific money laundering typologies and detection
  • Case studies of recent regulatory actions and enforcement
  • Consequences of non-compliance (personal liability, penalties, criminal exposure)

Role-Specific Competency

Compliance Officers:

  • Advanced AML/CTF and PMLA knowledge
  • Crypto transaction analysis and blockchain forensics
  • Risk assessment and customer profiling
  • STR preparation and regulatory liaison

KYC/Onboarding Team:

  • Enhanced CDD procedures and documentation requirements
  • PEP screening and beneficial ownership verification
  • Live KYC technology (facial recognition, liveliness detection)
  • Document verification and fraud detection

Transaction Monitoring Analysts:

  • Behavioural analytics and transaction pattern recognition
  • Blockchain analysis tool proficiency
  • Sanctions screening procedures
  • STR documentation and justification

Audit & Testing

  • Annual competency assessment for all staff
  • Scenario-based testing on suspicious transaction identification
  • Mock STR filings reviewed for accuracy
  • Sanctions screening test records maintained
10

Predicate Offenses & PMLA Coverage

Qatobit identifies and reports transactions suspicious of proceeds from the following predicate offenses. STR filing does NOT require definitive proof — report on reasonable suspicion that a transaction involves proceeds from a predicate offense. Investigation responsibility lies with law enforcement/FIU-IND.

  • Drug trafficking (NDPS Act violations)
  • Corruption and bribery (Prevention of Corruption Act)
  • Cybercrime and fraud (IPC, IT Act)
  • Human trafficking (ITPA)
  • Wildlife trafficking (Wildlife Protection Act)
  • Organized crime (UAPA)
  • Extortion and illegal arms trading
  • Tax evasion and financial fraud
  • Counterfeit currency and securities fraud
11

Record Keeping & Documentation

All records retained for a minimum of 7 years.

Customer Records

  • KYC documents and ongoing CDD files
  • Identification documents and address verification
  • Beneficial ownership documentation
  • Risk assessment ratings and reassessment records
  • All KYC update/re-KYC records

Transaction Records

  • Complete transaction details (originator, beneficiary, amount, asset, date/time)
  • Transaction screening results and sanctions check outcomes
  • Supporting documentation and justification for transaction approval
  • Travel Rule information exchanged
  • Blockchain transaction hash/proof of settlement

STR/CTR Records

  • STR filing copy and FIU-IND confirmation receipt
  • Supporting investigation files and red flag documentation
  • CTR filing records and cash deposit verification
  • Correspondence with FIU-IND and regulatory responses

Compliance Documentation

  • Internal audit reports and findings
  • Staff training records and compliance certifications
  • Policy update history with Board approvals
  • Third-party audit certificates and compliance reviews
  • Data breach incident reports and remediation records

Document Quality Standards

  • Scanned documents in PDF format (minimum 300 DPI resolution)
  • Original documents retained for critical/high-value transactions
  • Metadata preserved (date uploaded, uploaded by, system timestamps)
  • Access logs maintained for sensitive records
  • Indexing system enabling rapid retrieval for regulatory inspection
12

Penalties & Enforcement

Internal Escalation Matrix

LevelViolationConsequence
Level 1 – MinorDocumentation deficiency, minor training gapVerbal/written warning, retraining
Level 2 – ModerateMissed re-KYC deadline, incomplete transaction reviewSuspension of bonus, written warning
Level 3 – MajorSTR filing delay >7 days, unauthorized transaction approvalSuspension, termination review
Level 4 – CriticalFalsified KYC, regulatory reporting violation, customer data theftImmediate termination, law enforcement referral

FIU-IND Regulatory Penalties

  • Non-compliance with STR filing: ₹25,000 per violation (PMLA Section 75)
  • Deficient KYC documentation: ₹5,000–₹10,000 per instance
  • Failure to file CTR: ₹10,000 per violation
  • Sanctions screening breach: ₹50,000+ per incident
  • Cumulative liability for repeated violations

Potential License Action

  • Suspension of VDASP registration (temporary)
  • Cancellation of VDASP registration (permanent)
  • Restraint from operating VDA services pending investigation
13

Reporting & Regulatory Liaison

Monthly Report to Principal Officer

  • Transaction volume and average transaction value
  • New customer onboarding volume and approval rate
  • STR/CTR filings submitted and status
  • Customer risk profile distribution
  • High-risk transaction alerts and follow-up status
  • Compliance exceptions and violations (if any)

Quarterly Report to Board

  • Executive summary of compliance status
  • Key performance indicators (KPIs) and metrics
  • Regulatory inspection findings (if any)
  • Audit recommendations and remediation progress
  • Budget utilization for compliance infrastructure
  • Risk assessment and emerging compliance challenges

FIU-IND Liaison

  • VDASP registration on FINnet 2.0 (prerequisite for operations)
  • Disclosure of Designated Director and Principal Officer details
  • Annual compliance certification by Principal Officer
  • Prompt response to FIU-IND information requests (within 15 days unless extended)
  • Notification of Principal Officer changes or compliance policy updates

Inspection Readiness

  • Designated compliance officer assigned as FIU-IND liaison
  • All documentation organized and indexed for rapid retrieval
  • Senior management prepared for inspection meetings
  • Compliance staff trained on inspection protocols

Conclusion & Commitment Statement

Qatobit Private Limited is committed to maintaining the highest standards of AML/CTF compliance, protecting the integrity of the Indian financial system, and safeguarding its operations from money laundering and terrorist financing risks.

Our Commitment

  • Full regulatory compliance with FIU-IND mandates and PMLA requirements
  • Robust customer due diligence and ongoing monitoring
  • Transparent reporting and cooperation with regulatory authorities
  • Continuous improvement of compliance controls and procedures
  • Accountability of leadership and all staff in fulfilling compliance obligations

Approved By

Senior Management / Board of Directors

Qatobit Technologies Private Limited

Report Date: 09 February 2026