AML & Compliance Policy
CardsFlow policies and documentation for users and partners.
Last Updated: April 29, 2026 | Version: 2.0
Your money, your life.
We are committed to preventing financial crime while protecting your financial privacy and autonomy. These two commitments reinforce each other.
We meet our AML, Counter-Terrorist Financing (CTF), and compliance obligations through two complementary approaches:
Approach | Description
Payment gateway compliance | AML screening and transaction monitoring is handled by NowPayments, our regulated payment gateway partner, as part of their own published compliance programme.
Privacy-preserving verification | We verify eligibility through a zero-knowledge (ZK) model. You prove your eligibility. We do not hold your identity.
1. LEGAL FRAMEWORK
Our AML and CTF obligations arise from:
Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (ML Regulations 2017)
Proceeds of Crime Act 2002 (POCA 2002)
Terrorism Act 2000 (TA 2000)
Sanctions and Anti-Money Laundering Act 2018 (SAMLA 2018)
Financial Action Task Force (FATF) Recommendations
FCA Financial Crime Guide and related FCA guidance
HM Treasury sanctions regulations applicable to our operations
Non-compliance is a criminal offence and may result in financial penalties, regulatory sanctions, and loss of FCA authorisation.
2. MLRO — MONEY LAUNDERING REPORTING OFFICER
CardsFlow has appointed a designated Money Laundering Reporting Officer (MLRO) responsible for:
Overseeing our AML and CTF compliance programme
Receiving and assessing internal suspicious activity reports
Filing Suspicious Activity Reports (SARs) to the National Crime Agency (NCA) where required
Liaising with the FCA and other regulatory bodies
Reviewing and updating our compliance policies
MLRO Contact: compliance@cardsflow.net
If you have a concern about financial crime or suspicious activity connected to your Account or the platform, contact the MLRO directly.
3. HOW WE HANDLE AML — NOWPAYMENTS
3.1 Our Payment Gateway Partner
CardsFlow processes all payments through NowPayments (nowpayments.io), a regulated payment gateway with its own comprehensive AML compliance programme.
NowPayments is responsible for:
Screening transactions against global sanctions and watchlists
Monitoring for suspicious transaction patterns
Applying velocity and threshold checks
Filing SARs where required by law
Maintaining their own compliance procedures for payment processing
NowPayments Policy | URL
Terms of Service | nowpayments.io/terms-of-service
AML & KYC Policy | nowpayments.io/aml-kyc-policy
3.2 CardsFlow Platform-Level Monitoring
In addition to NowPayments' gateway-level controls, CardsFlow monitors account-level behaviour for patterns including:
Unusually high transaction volumes or values
Rapid movement of funds without clear purpose
Activity inconsistent with stated account profile
Structuring — splitting transactions to avoid reporting thresholds
Activity involving high-risk or sanctioned jurisdictions
Sudden unexplained changes in transaction behaviour
3.3 Shared Responsibility
CardsFlow retains overall regulatory responsibility for ensuring our platform is not used for financial crime. We work in active partnership with NowPayments to ensure compliance at every layer of our operations.
4. HOW WE VERIFY ELIGIBILITY — ZERO-KNOWLEDGE MODEL
4.1 Your Money, Your Life
Traditional compliance often means handing over copies of your most sensitive personal documents to companies whose security you cannot verify. CardsFlow takes a different approach.
We use a zero-knowledge (ZK) verification model:
You prove you are eligible to use the Service
We receive only a cryptographic proof of eligibility
Your underlying documents never reach CardsFlow
Only you hold the evidence of your own identity
4.2 What We Confirm
We Confirm | We Do NOT Store
You meet the minimum age requirement | Passport or identity card images
You are resident in a supported jurisdiction | Driving licence scans
You are not a sanctioned individual or entity | Selfies or facial biometric data
You are eligible to use the Service | Any raw personal identity document
4.3 Legal Compliance
This approach is compliant with the ML Regulations 2017. The regulations require that we verify eligibility and maintain a record that we did so. A cryptographic ZK proof satisfies this requirement without centralising your sensitive identity documents on our servers.
4.4 Verification Partner
Partner Name | [Verification Partner Name]
Privacy Policy | [partner privacy URL]
Verification Approach | [partner approach URL]
4.5 Business Accounts
Authorised representatives provide a cryptographic attestation confirming entity legitimacy, beneficial ownership accuracy, sanction-free status, and authority to act. No company documents are stored on CardsFlow servers.
4.6 Ongoing Verification
We may request re-verification where:
Material changes to your account are detected
Regulatory requirements change
Transaction behaviour is inconsistent with your stated profile
Our MLRO determines enhanced review is required
5. SANCTIONS SCREENING
5.1 How Screening Works
Transaction-level sanctions screening is performed by NowPayments. At the platform level, CardsFlow independently screens account registrations against:
HM Treasury UK Consolidated List of Financial Sanctions Targets
UN Security Council Sanctions Lists
OFAC Specially Designated Nationals (SDN) List
EU Consolidated Sanctions List (where applicable)
5.2 Positive Matches
Where a sanctions match is identified:
Account immediately suspended
Manual review conducted by our MLRO
If confirmed — Account frozen and reported to OFSI
We are prohibited by law from disclosing this to the user (tipping off, POCA 2002, Section 333A)
5.3 Prohibited Jurisdictions
We do not provide services to individuals or entities in jurisdictions subject to comprehensive international sanctions, including:
North Korea (DPRK)
Iran
Syria
Russia (sanctioned sectors and entities)
Belarus (sanctioned entities)
Cuba
[Other applicable jurisdictions as updated]
This list is subject to change as sanctions regimes evolve. Check gov.uk/sanctions for current listings.
6. POLITICALLY EXPOSED PERSONS (PEPs)
6.1 Who Is a PEP?
PEP Category | Examples
Political figures | Heads of state, senior politicians, government ministers
Official positions | Senior judicial, military, or government officials
State enterprise | Senior executives of state-owned enterprises
International bodies | Senior officials of international organisations
Associated persons | Close family members and known associates of any of the above
6.2 Disclosure Requirement
Being a PEP does not prevent you from using the Service. However, you must disclose your PEP status to compliance@cardsflow.net. Failure to disclose is a material breach of our Terms of Service.
We screen all accounts against PEP databases at registration and on an ongoing basis.
7. SUSPICIOUS ACTIVITY REPORTING (SARs)
7.1 Our Obligation
Where we or NowPayments have reasonable grounds to suspect that funds are the proceeds of crime or connected to terrorist financing, we are legally required to submit a SAR to the NCA under POCA 2002 Section 330 and Terrorism Act 2000 Section 21A.
7.2 Tipping Off
We are prohibited by law from disclosing that a SAR has been submitted or that an investigation is underway. If we cannot explain the reason for an account action, this legal prohibition may be why.
7.3 DAML — Defence Against Money Laundering
In certain circumstances we may need to obtain NCA consent before processing a Transaction. This may delay certain transactions by up to 7 working days, extendable to 31 days in exceptional circumstances.
8. YOUR OBLIGATIONS AS A USER
By using the Service, you confirm and agree that:
All information you provide is accurate, complete, and truthful at all times
You will notify us promptly of any material changes to your information
You will not use the Service to launder money, finance terrorism, evade sanctions, or commit any financial crime
You will not structure transactions to avoid AML thresholds or reporting obligations
You will not provide access to the Service to sanctioned individuals or entities
You will cooperate fully with any compliance review or information request
You will disclose your PEP status or any change in PEP status immediately
You will report any suspected misuse of your Account to compliance@cardsflow.net at once
Breach of these obligations may result in immediate Account termination and referral to law enforcement.
9. DATA RETENTION FOR COMPLIANCE PURPOSES
We retain compliance data as required by the ML Regulations 2017 (Regulation 40).
Data Type | Retention Period
Eligibility tokens (ZK proofs) | Duration of account + 5 years
Transaction records | Duration of account + 6 years
Compliance review records | Duration of account + 5 years
SAR-related records | As directed by NCA or law enforcement
NowPayments maintains its own retention records for payment transaction data in accordance with their published compliance programme. After each retention period, data is securely deleted or irreversibly anonymised.
10. STAFF TRAINING
All CardsFlow personnel with access to financial data or customer accounts receive mandatory AML and CTF training covering:
Recognition of money laundering and terrorist financing red flags
Internal suspicious activity reporting procedures
Personal legal obligations under POCA 2002 and the Terrorism Act 2000
Sanctions compliance obligations
Tipping off and prejudicing investigation offences
Training is completed at onboarding and refreshed annually or when material regulatory changes occur.
11. CONTACT
Purpose | Email / Contact
MLRO and compliance matters | compliance@cardsflow.net
Data protection matters | privacy@cardsflow.net
General support | support@cardsflow.net
Registered address | CardsFlow, [Full Registered Address]
12. EXTERNAL REPORTING CONTACTS
Organisation | Purpose | Contact
National Crime Agency | Suspicious Activity Reports | nationalcrimeagency.gov.uk, 0370 496 7622
Action Fraud | Fraud and cybercrime reporting | actionfraud.police.uk, 0300 123 2040
FCA | Report financial crime | fca.org.uk/consumers/report-financial-crime, 0800 111 6768
OFSI | Report sanctions breaches | gov.uk/ofsi
NowPayments | AML and compliance policy | nowpayments.io/aml-kyc-policy
13. CHANGES TO THIS POLICY
This Policy is reviewed at least annually by our MLRO and updated to reflect changes in legislation, regulatory guidance, and our operations. Material changes will be communicated by email and by updating the "Last Updated" date on this page.