Kyc Policy

1. Introduction

PHGREAT is committed to preventing money laundering, the financing of terrorism, and other financial crimes. This KYC Policy sets the framework for customer due diligence, ongoing monitoring, sanctions screening, recordkeeping, and reporting in a manner that aligns with applicable laws and international standards. The policy applies to all PHGREAT platforms and services used by account holders and to any personnel privileged to handle customer information.

2. Scope and Applicability

This policy governs onboarding, ongoing activity, and termination of customer relationships. It applies to all customers, potential customers, and affiliated parties who interact with PHGREAT, including payment processors and service providers acting on behalf of PHGREAT. Where PHGREAT provides cryptocurrency-related features, the same KYC and AML/CFT controls apply as described herein.

3. Governance, Roles, and Oversight

• Board and senior management retain ultimate accountability for the effectiveness of the AML/CFT program.
• The designated AML/CFT Compliance Officer (the MLRO) oversees policy maintenance, risk assessment, training, and reporting to authorities where required.
• Internal audit provides independent assurance over the adequacy and effectiveness of controls, escalation procedures, and remediation actions.

4. Risk-Based Approach and Risk Assessment

PHGREAT operates a risk-based framework to identify, assess, and mitigate ML/FT risks. Risk factors include customer profile, geography, products, and payment methods. The risk assessment informs the level of KYC scrutiny, transaction monitoring, and ongoing due diligence applied to each customer. The risk framework is reviewed at least annually and updated to reflect changes in products, services, or external risk factors.

• Low risk: Standard due diligence with ongoing monitoring.
• Medium risk: Enhanced due diligence may be triggered by indications of elevated risk; additional verification and source of funds checks may be required.
• High risk: Enhanced due diligence with comprehensive verification, ongoing monitoring, and escalation to the MLRO as appropriate.

5. Customer Due Diligence (CDD) and KYC Onboarding

PHGREAT conducts KYC to establish identity, assess risk, and understand the purpose and expected nature of the business relationship. On onboarding, customers must provide verifiable information sufficient to establish identity and address. Verification may be conducted through automated checks and, when necessary, manual review by the Compliance team.

• Required onboarding information includes: full legal name, date of birth, residential address, nationality, and government-issued identification (passport, national ID, or driver’s license).
• Verification methods:
  • Automated identity verification with document validation and address verification.
  • Manual review by the Compliance team for flagged or high-risk cases.
• Sanctions and adverse-criteria screening against credible, up-to-date lists at onboarding and on an ongoing basis.

6. Enhanced Due Diligence (EDD)

EDD applies to high-risk customers or transactions. Measures may include:

• Detailed source of funds and source of wealth verification.
• Biometric or additional identity verification, beneficial ownership checks, and enhanced transaction scrutiny.
• Ongoing monitoring with expanded data collection and frequent reviews of risk profiles.

7. Ongoing Monitoring and Transaction Surveillance

PHGREAT conducts continuous monitoring of customer activity to detect irregular or suspicious behavior. Monitoring covers:

• Transaction size, frequency, and pattern deviations.
• Unusual deposits or rapid funding cycles, round‑tripping, or structuring indicators.
• Crypto transactions, where applicable, including wallet provenance and flow analysis via approved tools.

Alerts generated by monitoring systems are reviewed by the Compliance team. When indicators meet the criteria for suspicious activity, a SAR is prepared and submitted to the competent authority in accordance with local law. The MLRO oversees escalation and reporting processes.

8. Sanctions Compliance and Restricted Jurisdictions

PHGREAT maintains procedures to screen customers and transactions against current sanctions regimes. It maintains a list of prohibited or restricted jurisdictions and applies enhanced due diligence or blocks access for individuals or entities from those regions. False positives are resolved through manual review before any action is taken. When a potential sanction concern is identified, the account or transaction is isolated pending resolution and potential reporting to authorities.

9. Reporting and Recordkeeping

PHGREAT reports suspicious activity in accordance with applicable laws. The MLRO is the primary point of contact for regulatory authorities. Records of KYC, due diligence, transaction monitoring, and SARs are retained for a minimum of five (5) years from the date of the last activity or from the termination of the customer relationship, whichever is later. Records are stored securely and protected from unauthorized access.

10. Training and Awareness

PHGREAT provides role-appropriate AML/CFT training for all employees. Training includes identification of red flags, escalation procedures, and the regulatory framework. Training is mandatory upon onboarding and conducted at least annually, with additional sessions when regulations or risk profiles change. Training outcomes are documented for compliance review.

11. Third-Party and Vendor Risk Management

PHGREAT requires and validates AML/CFT controls within third-party relationships. Due diligence is conducted on service providers and payment processors, with ongoing monitoring and annual reviews. Third-party arrangements are governed by contractual obligations that require compliance with applicable AML/CFT laws and PHGREAT policies.

12. Data Protection and Privacy

PHGREAT collects, stores, and processes personal data to perform KYC and AML/CFT activities in accordance with applicable data protection laws. Personal data is processed only to the extent necessary for legitimate business purposes and is safeguarded with appropriate technical and organizational controls. Data retention, access, and disclosure are governed by internal data protection policies and legal requirements.

13. Crypto-Asset Controls (If Applicable)

Where PHGREAT offers cryptocurrency-related services, the following controls apply:

• Identity, age, and address verification prior to enabling crypto functionalities.
• Wallet verification and binding to the verified customer before transfers or payouts.
• Separation of custody for customer funds and prohibition on exchange of crypto for fiat within PHGREAT when not expressly permitted.
• Disclosure of market risks, including price volatility and liquidity considerations, and ongoing monitoring for unusual wallet activity.

14. Disclosures, Cooperation, and Remedies

PHGREAT cooperates with competent authorities, provides information as required by law, and takes appropriate action to mitigate any financial crime risk. Where customer information is requested by authorities, PHGREAT will respond promptly in accordance with applicable privacy and data protection requirements.

15. Review and Updates

This policy is reviewed at least annually or more frequently if required by changes in law or risk profile. Material changes are communicated to affected parties in a timely manner.