Introduction
Mysto (operated at mysto.net) is committed to the highest standards of anti-money-laundering (AML) controls in line with applicable EU directives and equivalent local requirements. Management and employees are required to enforce these standards to prevent the use of our services for money-laundering purposes.
Objective of the AML Policy
We seek to offer the highest level of security to every Mysto user. To that end, a three-step account verification process is used to confirm the identity of our customers — proving the registered details are correct and that the deposit methods used are not stolen or being operated on behalf of someone else. This forms the general framework of our AML programme.
Depending on a user's nationality, country of origin, payment method and withdrawal method, additional safeguards may apply. Mysto also puts reasonable measures in place to control and limit money-laundering risk, including dedicating appropriate resources.
The Mysto AML programme is designed to be compliant with:
- EU Directive 2015/849 of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering.
- EU Regulation 2015/847 on information accompanying transfers of funds.
- EU regulations imposing sanctions or restrictive measures against persons, and embargoes on certain goods and technology (including dual-use goods).
- Belgian Law of 18 September 2017 on the prevention of money laundering and the limitation of the use of cash.
Definition of money laundering
For the purposes of this policy, money laundering means:
- The conversion or transfer of property — especially money — knowing that it is derived from criminal activity, for the purpose of concealing or disguising the illegal origin of the property, or of helping any person involved in such activity evade the legal consequences of their actions.
- The concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of property, knowing that it is derived from criminal activity.
- The acquisition, possession or use of property knowing, at the time of receipt, that it was derived from criminal activity.
- Participation in, association to commit, attempts to commit, and aiding, abetting, facilitating or counselling the commission of any of the above.
Money laundering is treated as such even where the underlying activity took place in another Member State or in a third country.
Organisation of the Mysto AML programme
In accordance with applicable AML legislation, Mysto has appointed the highest level of the company — full management — as accountable for the prevention of money laundering.
An Anti-Money-Laundering Compliance Officer (AMLCO) is in charge of enforcing the AML policy and procedures across the platform. The AMLCO reports directly to general management.
Policy changes and implementation
Each material change to the Mysto AML policy is subject to approval by the company's general management and the AMLCO.
Three-step verification
Step one
Step one verification must be completed by every user before they can withdraw, regardless of the payment method, deposit amount, withdrawal amount or nationality. It is filled out by the user themselves and collects: first name, last name, date of birth, country of usual residence, gender and full address.
Step two
Step two verification is required for any user who deposits over $2,000, withdraws over $2,000, or sends another user more than $1,000. Until step two is complete the deposit, withdrawal or transfer is held.
The user is taken to a sub-page where they upload a photo of their ID alongside a paper note showing a six-digit randomly-generated number. Only an official ID is accepted; the specific document types vary by country. An electronic check then compares the data from step one against two independent databases to confirm the information matches the ID and the registered name.
If the electronic check fails or is not possible, the user is required to provide proof of current residence — a certificate of registration issued by their government or an equivalent document.
Step three
Step three verification is required for any user who deposits over $5,000, withdraws over $5,000, or sends another user more than $3,000. Until step three is complete the deposit, withdrawal or transfer is held. At this step the user is asked to evidence their source of wealth.
Customer identification and verification (KYC)
Formal identification of customers at the start of a commercial relationship is fundamental, both for AML regulations and for our KYC policy. The identification relies on the following principles.
We require a copy of the user's passport, ID card or driving licence, photographed alongside a handwritten note showing six randomly generated digits, plus a second image showing the user's face. Users may blur out anything that is not date of birth, nationality, gender, first name, last name or the photograph itself, in order to protect their privacy.
All four corners of the ID must be visible in the same image and every detail (other than fields the user has chosen to redact) must be clearly legible. Mysto may request additional details if required.
An employee may run additional checks where appropriate.
Proof of address
Proof of address is performed via two independent electronic checks against separate databases. If these fail, the user may submit a manual proof.
Acceptable manual proofs include a recent utility bill addressed to the user's registered address, issued within the past three months, or an official government-issued document evidencing residence (for example: an electricity bill, water bill, bank statement or any addressed government correspondence).
To keep approval fast, the document should be uploaded at clear resolution, with all four corners visible and all relevant text readable.
An employee may run additional checks where appropriate.
Source of funds
Where a user deposits more than €5,000, a source-of-wealth (SOW) review is initiated. Examples of accepted SOW include:
- Ownership of a business
- Employment
- Inheritance
- Investment
- Family
It is critical that the origin and legitimacy of the wealth is clearly understood. Where this is not possible, an employee may request further documents or evidence.
The account will be frozen if a single user deposits this amount in a single transaction or reaches it in aggregate across multiple transactions. The user is contacted by email and on-site to walk through the SOW process.
Mysto may also request a bank wire or credit-card payment to further confirm the user's identity and provide additional context on their financial situation.
Basic document for step one
The basic document is accessible from the settings page on mysto.net. Every user must complete:
- First name
- Last name
- Nationality
- Gender
- Date of birth
The document is saved automatically; an employee may run additional checks where appropriate.
Risk management
To address differences in risk profile across the world, Mysto categorises every nation into one of three risk regions.
Region one — low risk
For nations in region one, the standard three-step verification described above applies.
Region two — medium risk
For nations in region two, the three-step verification thresholds are lower. Step one runs as usual. Step two is triggered after depositing $1,000, withdrawing $1,000, or transferring $500 to another user. Step three is triggered after depositing $2,500, withdrawing $2,500, or transferring $1,000 to another user. Users from a low-risk region who exchange cryptocurrency into another currency are treated as medium-risk for the purpose of these thresholds.
Region three — high risk
High-risk regions are blocked from using the platform. The list of high-risk regions is updated regularly to reflect the changing global environment.
Additional controls
An automated monitoring system, supervised by the AMLCO, scans for unusual behaviour and reports it to a Mysto employee for review. Following a risk-based approach, human employees re-check the work of the automated system and of other employees, and may run additional checks as the situation requires.
In addition, a data scientist supported by modern analytical systems looks for atypical patterns such as: depositing and withdrawing without meaningful play in between, attempts to use different bank accounts for deposit and withdrawal, nationality or currency changes, unusual behaviour or activity changes, and indicators that an account is being operated by someone other than its registered owner.
Users must also withdraw using the same method they deposited with — at least up to the value of the original deposit — to prevent layering.
Enterprise-wide risk assessment
As part of its risk-based approach, Mysto conducts an Enterprise-Wide Risk Assessment (EWRA) to identify and understand the risks specific to its business lines. The AML risk policy is determined after identifying and documenting risks inherent to each line: the services we offer, the users we offer them to, the transactions those users perform, the delivery channels used, and the geographic locations of our operations, customers and transactions, alongside other qualitative and emerging risks.
The identification of AML risk categories is grounded in our understanding of regulatory requirements, regulatory expectations and industry guidance, with additional measures to address risks specific to operating online. The EWRA is reassessed annually.
Ongoing transaction monitoring
The compliance team ensures that ongoing transaction monitoring is conducted to detect transactions that are unusual or suspicious compared with the customer profile. Monitoring is conducted across three lines of control.
First line of control
Mysto works only with trusted Payment Service Providers, all of which operate effective AML policies of their own — preventing the large majority of suspicious deposits onto the platform from taking place without proper KYC at the funding step.
Second line of control
Mysto's teams are trained so that any contact with a customer or their authorised representative triggers due diligence on the relevant account. This includes:
- Requests to execute financial transactions on the account.
- Requests relating to means of payment or services on the account.
The three-step verification, combined with risk-based threshold adjustment, is designed to provide all necessary information about each customer at all times. All transactions are reviewed by employees overseen by the AMLCO, who in turn reports to general management. Specific transactions referred to the customer-support manager — and onward to the Compliance Manager — are subject to further due diligence.
Determining whether a transaction is unusual is partly a subjective assessment, made in light of the customer's KYC record, financial behaviour and counterparty. These checks are run by an automated system with employee cross-checks for additional security. Transactions for which the lawful activity and origin of funds cannot be readily established are treated as atypical. Any Mysto staff member is required to inform the AML team of any atypical transaction they cannot attribute to a lawful, known source of income or activity.
Third line of control
As a final line of defence, Mysto runs manual checks on suspicious or higher-risk users to fully prevent money laundering. Where fraud or money laundering is identified, the relevant authorities are informed.
Reporting suspicious transactions
Mysto's internal procedures describe in precise terms, for the attention of staff, when to report and how to proceed. Reports of atypical transactions are analysed within the AML team in accordance with documented methodology.
Depending on the result of this examination and the information gathered, the AML team will decide:
- Whether it is necessary to file a report with the Financial Intelligence Unit (FIU), in line with applicable legal obligations.
- Whether it is necessary to terminate the business relationship with the customer.
Procedures
The AML rules — including minimum KYC standards — are translated into operational guidance available on Mysto's internal systems.
Record keeping
Records of identification data are retained for at least ten years after the business relationship has ended. Records of all transaction data are retained for at least ten years after the transaction takes place or after the end of the business relationship. These records are stored securely and encrypted, both online and offline.
Training
Mysto employees responsible for manual controls receive specialist training. The training and awareness programme includes:
- A mandatory AML training programme — kept current with the latest regulatory developments — for all employees who are in contact with finances.
- Academic AML learning sessions for all new employees.
Programme content is calibrated to the trainee's line of business and role. Sessions are delivered by an AML specialist from the Mysto AML team.
Auditing
Internal audit regularly conducts missions and reports on AML activities.
Data security
All data provided by a user is stored securely and is not sold or shared with any third party. Data is shared only where required by law, or where necessary to prevent money laundering, with the relevant AML authority of the affected state. Mysto follows the guidelines and rules of the Data Protection Directive (Directive 95/46/EC) and applicable successor regulations.
Contact us
If you have any questions about our AML and KYC policy, please contact us at support@mysto.net.
If you have a complaint about our AML and KYC policy, or about the checks performed on your account, please contact us at the same address.
Approved by the Mysto Board of Directors — 30 April 2026.