Anti–Money Laundering & Counter–Financing of Terrorism (AML/CFT) Policy

Effective Date: 10 February 2025 Applies To: Bondi Technology Inc. (Panama) operating as Bondi Finance (“Bondi”), its products, and users.

User‑Facing Policy. This document describes the AML/CFT standards Bondi applies to users of the Bondi Finance platform and related services. By connecting a wallet, submitting verification information, or interacting with Bondi‑gated smart contracts, you represent that you have read, understood, and agree to comply with this Policy.

1. Purpose & Commitment

Bondi Finance operates technology and related compliance infrastructure that enable the issuance, administration, and lifecycle servicing of tokenized fixed‑income instruments (“Bond Tokens”) and associated on‑chain and off‑chain services. Criminal abuse of digital assets threatens market integrity, investor trust, and regulatory confidence. Bondi is committed to preventing money laundering, terrorist financing, proliferation financing, sanctions evasion, fraud, and other financial crimes across all products and delivery channels.

This AML/CFT Policy sets the standards Bondi applies—globally and on a risk‑sensitive basis—to: (i) identify and verify customers; (ii) understand the nature and purpose of activity; (iii) monitor for and respond to suspicious behavior; (iv) comply with sanctions requirements; and (v) report to competent authorities where legally required.

2. Scope & Applicability

This Policy applies to:

Bondi Technology Inc. (Panama) and any direct or indirect subsidiaries once formed.
All Bondi Finance products, including the Bondi Finance decentralized application (dApp), Bond Tokens, related APIs, and any custodial or non‑custodial interfaces Bondi directly controls.
All directors, officers, employees, contractors, and agents performing compliance‑relevant functions for Bondi.
Third‑party service providers engaged by Bondi to perform elements of customer due diligence (“CDD”), sanctions screening, watchlist screening, identity verification, transaction screening, or related compliance operations when acting on Bondi’s behalf. Contractual agreements must bind such providers to control standards no less protective than those in this Policy.

Where Bondi offers technology rails to partners who onboard end users directly, Bondi will require the partner to maintain AML/CFT standards reasonably equivalent to this Policy and will reserve information‑sharing rights sufficient to assess compliance.

3. Governing Law, Standards & Interpretive Hierarchy

Bondi is incorporated in the Republic of Panama. Digital‑asset regulations continue to evolve; in the absence of fully prescriptive local rules for certain activities, Bondi aligns its controls to widely recognized international AML/CFT standards and applicable sanctions regimes. Bondi’s program is informed by (non‑exhaustive):

Financial Action Task Force (FATF) Recommendations & Guidance (incl. guidance for Virtual Asset Service Providers, Travel Rule expectations, risk‑based approach, and PEP treatment).
UN Security Council sanctions obligations as implemented in relevant jurisdictions.
U.S. sanctions programs administered by the Office of Foreign Assets Control (OFAC) and related AML expectations under the Bank Secrecy Act (BSA) where a U.S. nexus arises or counterparties require adherence.
EU AML Directives (5AMLD/6AMLD and successor regime) where applicable through counterparties or operational footprint.
UK Money Laundering Regulations & HM Treasury sanctions guidance where relevant.
Applicable Panamanian AML/CFT statutes and regulations, including obligations administered through the Unidad de Análisis Financiero (UAF) and other competent authorities, as applicable to Bondi’s activities.

4. User Representations, Warranties & Consents

By accessing or using Bondi services you represent, warrant, and covenant that:

Accurate Information. All information and documents you submit are true, correct, and complete. You will promptly update Bondi if information changes.
No Prohibited Status. You are not (i) a person listed on, or owned/controlled by a person listed on, any applicable sanctions list; (ii) located, resident, organized, or ordinarily resident in a Restricted Jurisdiction (Section 10); or (iii) using Bondi services on behalf of such a person.
Lawful Source & Use of Funds. Funds and digital assets you use in connection with Bondi services are derived from lawful sources and will not be used to finance illicit activity.
Consent to Screening. You authorize Bondi and its service providers to collect, verify, and rescreen your information (including identity data and associated wallet addresses) against sanctions, PEP, watchlist, and adverse media data sources on an ongoing basis.
Further Information. You agree to provide additional information or records (including Source of Funds / Source of Wealth evidence) upon request for compliance purposes. Bondi may suspend or restrict services pending receipt and review.
Data Processing. You consent to the processing, storage, and cross‑border transfer of your data for compliance purposes, including disclosure to competent authorities where legally required.

Failure to provide requested information or to satisfy these representations may result in denial, suspension, or termination of access.

5. Risk‑Based Approach (RBA)

Bondi applies a structured risk‑based approach consistent with FATF principles. Controls scale with assessed risk; higher‑risk customers, products, delivery channels, and geographies receive enhanced measures.

5.1 Risk Domains Considered

Customer risk: natural persons vs. legal entities; PEP exposure; beneficial ownership complexity.
Geographic risk: country of residence, nationality, source of funds, transactional counterpart jurisdictions; sanctions exposure.
Product / service risk: nature of Bond Tokens; secondary market trading; redemption channels; fiat on/off‑ramp linkages; self‑custody vs. hosted solutions.
Delivery channel risk: remote onboarding; non‑face‑to‑face verification; API integrations; programmatic smart‑contract interactions.
Transaction behavior: size, frequency, velocity, layering patterns, privacy‑enhancing techniques, cross‑chain movement.

5.2 Risk Classification

Risk ratings are assigned at onboarding and may be updated as new information emerges (e.g., sanctions list changes, jurisdictional reclassification, unusual activity). High‑risk classifications trigger Enhanced Due Diligence (EDD) and may result in tighter transactional limits or denial of service.

5.3 Periodic Review

Bondi reviews its enterprise AML risk assessment at least annually, and sooner upon material business, regulatory, or typology changes.

6. Customer Due Diligence (CDD)

All users who intend to access Bondi‑controlled primary subscription / funding contracts, Bond Token distribution contracts, coupon or principal payment contracts, or redemption functions must complete identity verification before those functions are enabled. Limited pre‑KYC interactions (read‑only site access, waitlist signup, viewing public on‑chain data) may be allowed but confer no transactional rights.

Important: Bond Tokens are transferable on chain. An unverified wallet may receive and hold Bond Tokens acquired in secondary markets or via wallet‑to‑wallet transfers. Holding tokens in an unverified wallet does not entitle the holder to coupon payments, redemptions, or other platform benefits until the wallet is linked to a verified account.

Bondi’s compliance gate sits at the points where value leaves Bondi‑controlled contracts (subscription inflows; new token issuance; coupon / principal distributions; redemptions). Wallets that have not passed KYC are blocked from these gated interactions. Secondary transfers that occur outside these gated points remain technically possible but fall outside Bondi’s service perimeter; Bondi may decline to recognize economic rights attached to such holdings until KYC completion.

6.1 Minimum Requirements – Natural Persons

Unless exempted under a documented low‑risk program, Bondi (or its KYC service provider) collects and validates:

Email verification.
Government‑issued photo ID (passport, national ID card, or driver’s license – country availability varies); live image capture required.
Selfie / liveness check (biometric comparison of live or video capture against the ID image; anti‑spoofing required).
Proof of address (PoA) dated within an acceptable recency window (normally 3 months; utilities, bank/credit statements, or official government correspondence; jurisdiction‑specific variants allowed).
Date of birth & full legal name as displayed on the ID document.
Residency / tax attestation used to enforce restricted‑country rules.

6.2 Automated Screening at Onboarding

Data submitted at onboarding are screened against:

Global sanctions lists (incl. OFAC, UN, EU, UK, and additional local lists where available).
Law‑enforcement & regulatory warning lists (wanted persons, debarred directors, enforcement actions).
Fitness & probity / exclusion databases.
Politically Exposed Persons (PEP) databases across all major PEP classes.
Configurable adverse media categories (financial crime, cybercrime, fraud, corruption, terrorism, violent crime, and other high‑relevance typologies).

Name‑matching sensitivity is calibrated to capture close variants and common transliterations while limiting excessive false positives.

6.3 Country & Residency Controls

Applicants self‑attest to residency; documentary evidence (PoA, ID country) and geo‑signals are cross‑checked. Certain country attestations (e.g., United States residency) may result in automatic rejection without progressing to full verification. See Section 10.

6.4 Beneficial Ownership – Legal Entities (When Enabled)

If Bondi permits legal‑entity participation, the following minimums apply:

Certified formation documents & proof of good standing.
Identification of natural persons who own or control ≥25% (lower if risk warrants) or who otherwise exercise control (senior managing officials) when no individual exceeds threshold ownership.
Screening of the entity and all reported beneficial owners/controllers under the same sanctions, PEP, and adverse media controls applied to natural persons.
Verification of business address, nature of business, and expected transactional profile; Source of Funds / Source of Wealth (SoF/SoW) where appropriate.

6.5 Source of Funds / Source of Wealth

Bondi may request SoF/SoW support for higher‑risk users, for PEPs, for users from high‑risk jurisdictions, or when transactional behavior materially diverges from stated profile. Acceptable evidence may include bank statements, brokerage statements, payroll records, audited financials, or supported attestations. Digital‑asset proceeds must be traceable to lawful sources.

6.6 Incomplete, Inconsistent, or Suspicious Applications

Applications with unresolved red flags (data mismatches, document tampering, sanctions proximity) are routed to manual review. Bondi may request resubmission, reject the application, or escalate to the MLRO for suspicious‑activity evaluation.

7. Enhanced Due Diligence (EDD)

EDD is applied when heightened risk is identified at onboarding or during the customer lifecycle. Triggers include (non‑exhaustive):

Confirmed or potential PEP match.
Residence, nationality, or funding nexus to a high‑risk or Restricted Jurisdiction (Section 10).
Links to sanctioned persons, entities, or blocked wallet addresses (direct or indirect).
Adverse media suggesting fraud, corruption, or other financial crime.
Use of obfuscation or privacy tools that complicate source‑of‑funds analysis.

EDD measures may include additional documentary evidence (incl. SoF/SoW), senior management approval prior to activation, reduced limits, or denial of service.

8. Ongoing Monitoring & Screening

AML/CFT risk management continues after onboarding.

8.1 Periodic Rescreening

Customer data (name, DOB, jurisdiction) are rescreened on a recurring basis against updated sanctions, PEP, and adverse media data sources. Material new hits trigger review; confirmed matches may result in freeze, rejection, or reporting as required.

8.2 Activity Surveillance

Bondi reviews user activity for patterns inconsistent with stated purpose or expected profile. Size, frequency, velocity, jurisdictional routing, and other behavioral factors may prompt review or additional information requests.

9. Sanctions Compliance Program

Bondi will not knowingly engage, directly or indirectly, in transactions prohibited under applicable sanctions laws. Core elements:

List Coverage: UN, OFAC (SDN & other programs), EU Consolidated, UK HMT, and other national lists as relevant to Bondi’s operations.
Screening: Conducted at onboarding and refreshed periodically; potential matches reviewed.
Ownership & Control: Screening extends, where applicable, to entities owned or controlled by sanctioned parties (e.g., OFAC 50% rule or analogous standards where relevant).
Address‑Level Risk: Where Bondi has risk information linking a blockchain address to sanctioned activity, related transactions may be rejected, frozen, or reported.

10. Restricted & Prohibited Jurisdictions

Bondi restricts onboarding and/or activity from jurisdictions presenting elevated sanctions, AML/CFT, corruption, or regulatory risk. The list is informed by sanctions regimes, FATF statements, internal risk models, and operational constraints. Applicants self‑identifying as residents of the United States are currently rejected automatically.

Dynamic List. The MLRO maintains the authoritative list and may update it without prior notice. The following jurisdictions are currently designated Restricted / Not Accepted for onboarding (alphabetical; subject to change):

Afghanistan
Albania
Algeria
Angola
Belarus
Bosnia and Herzegovina
Burkina Faso
Cameroon
Central African Republic
Congo (Brazzaville)
Congo (Kinshasa)
Côte d’Ivoire
Croatia
Cuba
Haiti
Hong Kong
Iran
Iraq
Kenya
Lebanon
Libya
Mali
Monaco
Mozambique
Myanmar
Namibia
Nicaragua
Nigeria
North Korea
Palestine
Panama
Philippines
Russia
Serbia
Slovenia
Somalia
South Africa
South Georgia & the South Sandwich Islands
South Sudan
Sudan
Syrian Arab Republic
Tanzania
United States of America
U.S. Minor Outlying Islands
U.S. Virgin Islands
Venezuela
Viet Nam
Yemen
Zimbabwe

Important: Attempting to access Bondi services from, or on behalf of, a Restricted Jurisdiction—including through VPNs or misrepresentation—violates this Policy and may result in immediate termination of services and reporting to authorities.

11. Customer Wallet Association & Access Controls

Bondi associates verified customer identities with one or more blockchain wallet addresses (“Verified Wallets”). Only Verified Wallets are authorized to interact with Bondi‑gated smart contracts, subject to network‑specific implementation. Attempts to subscribe, transfer, or redeem from unverified addresses may be blocked, quarantined, or require remediation.

Bondi reserves the right to place addresses on internal blocklists where linked to sanctions, illicit finance typologies, fraud, or policy violations. Associated customers may be offboarded and reported to competent authorities where required by law.

12. Recordkeeping, Data Retention & Privacy

Bondi maintains records sufficient to reconstruct customer identity, transaction history, risk decisions, and compliance actions.

Minimum retention: 5 years from the later of (i) the date the relationship ends, or (ii) the date of the last transaction known to Bondi, unless longer retention is required by law or needed for investigations, litigation, or regulatory request.

Records include (as applicable): KYC data & documents; screening results; risk ratings and review notes; SoF/SoW evidence; transactional logs (on‑chain references and fiat settlement records where held); internal suspicious activity reports; external regulatory filings; and compliance‑related communications.

Access is limited to personnel with a legitimate need to know. Data are processed in accordance with Bondi’s Privacy Notice and applicable data‑protection laws.

13. Suspicious Activity Identification, Escalation & Reporting

13.1 Internal Escalation

Any Bondi personnel, contractor, automated alert, or service provider that detects behavior indicative of money laundering, terrorist financing, sanctions evasion, fraud, or other illicit activity must promptly elevate the matter to the Money Laundering Reporting Officer (“MLRO”) or delegate via designated channels.

13.2 MLRO Review

The MLRO evaluates escalations, may request additional information (including supplemental documentation or blockchain review), and determines whether an external report to a competent authority is required.

13.3 External Reporting

Where required by law or upon lawful request, Bondi will file Suspicious Transaction/Activity Reports (STRs/SARs), respond to subpoenas, freezing orders, or production requests, and cooperate with law‑enforcement or regulatory inquiries in relevant jurisdictions.

13.4 Activity Freezes & Restrictions

Pending investigation, Bondi may freeze transfers, disable smart‑contract interactions, place addresses on hold, or otherwise restrict activity to satisfy legal obligations. Customer notification will be made where permitted and appropriate; in some cases Bondi may be legally prohibited from notifying affected parties (anti‑tipping‑off rules).

14. Use of Third‑Party Service Providers

Bondi may contract vendors to perform identity verification, document authentication, sanctions / PEP screening, liveness checks, and related services. Bondi remains responsible for compliance with applicable AML/CFT obligations and will oversee vendor performance.

15. Policy Review & Change Management

This Policy is reviewed at least annually and updated as needed in response to regulatory change, new products, material incidents, or program improvements. Material changes will be posted in the Bondi documentation portal; continued use of Bondi services after changes become effective constitutes acceptance.

16. Enforcement & Consequences of Non‑Compliance

Failure to comply with this Policy may result in:

Denial, suspension, or termination of platform access.
Blocking or freezing of Bond Tokens addresses.
Prevention of additional subscriptions, transfers, or redemptions.
Cancellation of pending allocations prior to settlement.
Reporting to regulators or law‑enforcement agencies where legally required.
Other remedial actions permitted under governing token, subscription, or platform agreements (subject to applicable law).

17. Contact Information

Bondi Technology Inc.
Province of Panama, District of Panama, Betania,
Vía Ricardo J. Alfaro, PH The Century Tower, Office 317
Email: info@bondifinance.io

18. Acknowledgment

Users accept this Policy by completing onboarding or by using Bondi services after publication.

1. Purpose & Commitment​

2. Scope & Applicability​

3. Governing Law, Standards & Interpretive Hierarchy​

4. User Representations, Warranties & Consents​

5. Risk‑Based Approach (RBA)​

5.1 Risk Domains Considered​

5.2 Risk Classification​

5.3 Periodic Review​

6. Customer Due Diligence (CDD)​

6.1 Minimum Requirements – Natural Persons​

6.2 Automated Screening at Onboarding​

6.3 Country & Residency Controls​

6.4 Beneficial Ownership – Legal Entities (When Enabled)​

6.5 Source of Funds / Source of Wealth​

6.6 Incomplete, Inconsistent, or Suspicious Applications​

7. Enhanced Due Diligence (EDD)​

8. Ongoing Monitoring & Screening​

8.1 Periodic Rescreening​

8.2 Activity Surveillance​

9. Sanctions Compliance Program​

10. Restricted & Prohibited Jurisdictions​

11. Customer Wallet Association & Access Controls​

12. Recordkeeping, Data Retention & Privacy​

13. Suspicious Activity Identification, Escalation & Reporting​

13.1 Internal Escalation​

13.2 MLRO Review​

13.3 External Reporting​

13.4 Activity Freezes & Restrictions​

14. Use of Third‑Party Service Providers​

15. Policy Review & Change Management​

16. Enforcement & Consequences of Non‑Compliance​

17. Contact Information​

18. Acknowledgment​