
AML and CFT Policy

Introduction

Ceylon Cash (Private) Limited (“Ceylon Cash” or “the Company”) is a technology provider offering proprietary payment integration and routing services, enabling crypto-initiated transactions while settling exclusively through regulated banking channels.

This Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Policy (“the Policy” or “AML/CFT Compliance Manual”) establishes the framework and procedures to ensure that Ceylon Cash conducts business in full compliance with applicable Sri Lankan laws and regulations on money laundering and terrorist financing, as well as relevant international standards. The Policy is designed to prevent Ceylon Cash from being used, intentionally or unintentionally, for illicit money laundering or terror-financing activities, and to protect the Company’s reputation and the integrity of the financial system.

Scope: This Policy applies to all employees, directors, and officers of Ceylon Cash, and to all business units and products of the Company. It covers the onboarding of customers, ongoing account monitoring, reporting of suspicious activities, record-keeping, employee training, and all other controls required to mitigate money laundering (ML) and terrorist financing (TF) risks. Compliance with this Policy is mandatory, and any deviation or exception must be approved by senior management in accordance with the “Approval and Variations” procedure below.

This Policy sets out the AML/CFT compliance program for Ceylon Cash. The purpose of this Policy is to: 

  1. Enable Ceylon Cash to comply with the provisions as set out in the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities;
  2. Comply with the standards as set out in the Policy Document on Anti-Money Laundering and Counter Terrorism Financing (AML/CFT);
  3. Document the roles and responsibilities of Ceylon Cash’s management, staff and employees;
  4. Establish the operational procedures for AML/CFT monitoring of transactions;
  5. Provide guidance to Ceylon Cash and its staff to identify, assess and manage the money laundering and terrorism financing (“ML/TF”) risks associated with its products and services;
  6. Prevent Ceylon Cash from being exposed to reputational, legal, regulatory and fraud risks;
  7. Prevent Ceylon Cash from being used as a vehicle for money laundering and terrorism financing; and
  8. Assist and cooperate with local law enforcement agencies, regulators and authorities in preventing ML/TF.

Recent events have shown the world that organizations in breach of laws and regulations have been met with huge fines as well as reputational damage. Through these events, we have seen that merely having an AML/CFT compliance program is not enough; the program must be well implemented and effective. A well implemented effective

Overview of Money Laundering and Terrorist Financing

Money Laundering 

Definition of “Money Laundering” 

Various definitions are given to the term “Money Laundering”. Set out below are two of the most commonly used.

Definition 1. “The process of converting cash or other property which is derived from criminal activity so as to give it the appearance of having been obtained from a legitimate source”

Definition 2. “The process by which criminals seek to disguise the illicit nature of their proceeds by introducing them into the stream of legitimate commerce and finance”

The Process of Money Laundering 

In the process of money laundering there are, theoretically, four factors that are common to money laundering operations.

  1. The real source of the criminal money must be concealed, and this cannot be done with public knowledge.
  2. The form in which the money is held must be changed in order to hide its identity.
  3. The trail of transactions must be obscured to defeat any attempted follow-up by law enforcement agencies.
  4. The launderer must maintain constant control over the monies, as he cannot legally declare any theft of such money.

Stages of Money Laundering 

Money Laundering occurs in three stages – 

Stage 1- Placement 

Placement means the consolidation and placement of different proceeds of criminal money in the financial system through different sources, or smuggling them out of the country. The objective of the launderer is to remove the proceeds of the illegal transaction to another location without detection and to transform them into transferable assets. 

Stage 2 – Layering

The launderer, by moving the money through many accounts, through different countries and through dummy companies, creates complex layers of transactions to disguise the trail and provide anonymity. This process distances his deeds from his gains and obliterates the path of movement of the funds.

Stage 3 – Integration 

Once the money has been cleaned through the first two processes, “washed” or “cleaned” funds are brought back into circulation.

Terrorist Financing

What is Terrorist Financing

Terrorist financing involves the provision or collection of funds, from either legitimate or illicit sources, with the intent or knowledge that they will be used to support terrorist acts or organizations. This includes offering financial services or other support to terrorists, or making funds or assets available to persons or entities engaged in terrorism.

The United Nations International Convention for the Suppression of Terrorist Financing defines terrorist financing in its Article 2 in the manner set out below, and the Recommendations of the Financial Action Task Force (FATF) adopt the same definition. Most countries, including Sri Lanka, use this definition.

Article 2

  1. Any person commits an offence within the meaning of the Convention if that person by any means, directly or indirectly, unlawfully and willfully provides or collects funds or property with the intention that such funds or property should be used, or in the knowledge that they are to be used, or having reason to believe that they are likely to be used, in full or in part, in order to commit:
     a. an act which constitutes an offence within the scope of or within the definition of any one of the Treaties listed in the Convention on the Suppression of Terrorist Financing Act; or
     b. any other act intended to cause death or serious bodily injury to a civilian, or to any other person not taking an active part in the hostilities in a situation of armed conflict or otherwise, where the purpose of such act, by its nature or context, is to intimidate a population, or to compel a Government or an international organization to do or to abstain from doing any act; or
     c. any terrorist act.

In practice, this means the Company must screen customers against designated terrorist lists, monitor transactions for any terrorism-related red flags, and promptly report any suspicious activity, as detailed in this Policy.

  1. Overview of Regulatory Requirements in Sri Lanka

1.1 Key AML/CFT Laws and Regulations: 

For several years, government authorities, the Central Bank, the financial sector authorities and the legal and law enforcement authorities have worked together with international experts to formulate the necessary AML/CFT legal framework for Sri Lanka. The first piece of legislation was the Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005, followed by the Prevention of Money Laundering Act No. 5 of 2006 and the Financial Transactions Reporting Act No. 6 of 2006. All three Acts were prepared in line with the Recommendations of the Financial Action Task Force (FATF), and Sri Lanka is therefore compliant with the requirements of the FATF. The Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005 was amended by the Convention on the Suppression of Terrorist Financing (Amendment) Act, No. 41 of 2011 and the Convention on the Suppression of Terrorist Financing (Amendment) Act, No. 03 of 2013, while the Prevention of Money Laundering Act No. 5 of 2006 was amended by the Prevention of Money Laundering (Amendment) Act No. 40 of 2011. Some of the main features of these three Acts are given below.

Sri Lanka has a robust legal framework for AML/CFT. The following laws and regulatory instruments form the foundation of Ceylon Cash’s compliance program:

  • Prevention of Money Laundering Act, No. 5 of 2006 (PMLA): 

This law criminalizes the act of money laundering and provides for the confiscation of the proceeds of crime. Under the PMLA, any person or entity that engages in a transaction knowing or having reason to believe that it involves the proceeds of unlawful activity commits an offence. Ceylon Cash and its staff must not be willfully blind to a customer’s illicit activities. Violations of the PMLA can lead to severe penalties, including imprisonment and fines, for individuals and for companies (and their officers). While the PMLA is focused mainly on defining and penalizing ML offences, it underscores the importance of robust internal controls to avoid involvement, even unwittingly, in money laundering. Under the PMLA, any movable or immovable property acquired by a person which cannot be part of that person’s known income or receipts, or of money or property into which his known income and receipts have been converted, is deemed to have been derived directly or indirectly from unlawful activity.

  • Financial Transactions Reporting Act, No. 6 of 2006 (FTRA): 

The FTRA establishes obligations for “institutions” (financial institutions and designated non-financial businesses/professions) to implement AML/CFT measures. Under FTRA, no institution may open or maintain anonymous accounts, and institutions must identify and verify customers when establishing business relationships or conducting transactions. The FTRA requires reporting of suspicious transactions to the FIU, and mandates record-keeping of transaction and identification data. It also empowers the FIU to issue rules, directives and guidelines to enforce AML/CFT controls. For example, the FIU has issued Customer Due Diligence Rules for Financial Institutions (2016) and for DNFBPs (2018) under the FTRA, detailing the KYC (Know Your Customer) procedures to be followed. FTRA Regulations also prescribe the format for Suspicious Transaction Reports (STRs) and other requirements. Ceylon Cash, although a fintech/virtual asset service provider (currently not explicitly listed as a “reporting institution” under the FTRA), voluntarily adopts these standards as best practice and anticipates being subject to similar obligations once regulations evolve to cover virtual asset service providers (VASPs).

  • Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005 (and Amendments):

On 10 January 2000, Sri Lanka became a signatory to the International Convention for the Suppression of Terrorist Financing adopted by the United Nations General Assembly on 10/01/2000, and ratified it on 8/9/2000. The Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005 was enacted to give effect to Sri Lanka’s obligations under this Convention and was further amended by Act No. 41 of 2011 and Act No. 3 of 2013. Under the Act, the provision or collection of funds for use in terrorist activity, with the knowledge or belief that such funds could be used for financing a terrorist activity, is an offence. The Act criminalizes providing or collecting funds for terrorist acts and organizations, and it provides the legal basis for freezing and seizing the assets of terrorists. In compliance, Ceylon Cash must ensure it does not deal with sanctioned terrorist individuals or entities. We comply with orders under the United Nations Regulations on Terrorism Financing, meaning that screening all customers and transactions against designated terrorism and sanctions lists is mandatory. Any match to a person or organization listed under UN Security Council Resolutions (such as the 1267 (Al-Qaida/ISIL) or 1373 lists) must result in immediate freezing of funds and notification to the FIU.

  • Regulatory Directives and Guidelines: 

The FIU (operating under the Central Bank of Sri Lanka) issues binding rules and useful guidance to clarify AML/CFT expectations. Key directives include the Financial Institutions (Customer Due Diligence) Rules No. 1 of 2016 (and subsequent amendments), which apply risk-based CDD obligations on banks, finance companies and similar institutions, and the Designated Non-Finance Business (Customer Due Diligence) Rules No. 1 of 2018 for DNFBPs. These rules require steps such as risk assessment of customers, verification of identity using reliable sources, identification of beneficial owners, enhanced due diligence for higher-risk situations (like Politically Exposed Persons), ongoing monitoring of transactions, record-keeping for at least 6 years, and prompt reporting of suspicions. 

  • Financial Intelligence Unit Rule No. 1 of 2016 – Financial Institutions (Customer Due Diligence) Rules

Introduction

Public confidence in financial institutions, and hence their stability, is enhanced by sound banking practices that reduce financial risks to their operations. Money laundering and terrorist financing can harm the soundness of a country’s financial system, as well as the stability of individual financial institutions, in multiple ways. Customer identification and due diligence procedures, also known as “Know Your Customer” (KYC) rules, are part of an effective Anti Money Laundering (AML)/ Combating of Financing of Terrorism (CFT) regime. These rules are not only consistent with, but also enhance, the safe and sound operation of banking and other types of financial institutions. While preparing operational guidelines on customer identification and due diligence procedures, financial institutions are advised to treat the information collected from the customer for the purpose of opening of accounts as confidential and not divulge any details thereof for cross-selling or for any other purpose, and to ensure that the information sought is relevant to the perceived risk, is not intrusive and is in conformity with the rules issued hereunder. These rules are issued under Section 2 of the Financial Transactions Reporting Act No. 6 of 2006, and any contravention of, or non-compliance with, the same will be liable to the penalties under the relevant provisions of the Act.

1.2 Virtual Asset Service Providers (VASPs) and Fintech Regulations: 

As of the date of this Policy, Sri Lanka has not yet established a dedicated licensing or regulatory framework for cryptocurrency exchanges or virtual asset service providers outside of the Colombo Port City special jurisdiction. The Central Bank of Sri Lanka (CBSL) has publicly cautioned that cryptocurrencies are not recognized as legal tender and that no persons or companies have been authorized to operate crypto exchange services in the country. Despite this lack of formal regulation, Ceylon Cash is committed to voluntary compliance with all relevant AML/CFT obligations as if it were a regulated reporting institution. We recognize that global standards (notably the Financial Action Task Force – FATF – Recommendations) apply to virtual asset activities, and that future local regulations are likely to incorporate these standards. In June 2019, the FATF expanded Recommendation 15 to explicitly cover virtual assets and VASPs. This means countries (including Sri Lanka through its membership in APG) are expected to require VASPs to be licensed/registered and subject to AML/CFT controls comparable to those of financial institutions. International best practices for crypto service providers – which Ceylon Cash adopts – include implementing risk-based due diligence on customers, transaction monitoring for crypto transactions, sanctions screening, the “Travel Rule” for virtual asset transfers (collecting and transferring originator and beneficiary information for transfers above the designated threshold), enhanced scrutiny of higher-risk customers (e.g. PEPs), and having strong cybersecurity and record-keeping measures to handle the unique risks of digital assets.

Ceylon Cash will proactively comply with both the letter and the spirit of evolving regulations. We maintain open communication with regulatory bodies and will seek registration or licensing under any future framework for VASPs in Sri Lanka. Until then, this Policy ensures that our AML/CFT controls meet or exceed those required of analogous financial institutions. In summary, even in the absence of explicit crypto-specific laws, Ceylon Cash acknowledges that all general AML/CFT laws do apply to its operations (e.g. we must report any suspicious activity related to crypto transactions just as any other reporting institution would). We operate under the oversight of Sri Lanka’s FIU to the extent possible and commit to full cooperation with Sri Lankan authorities.

By aligning with both local regulatory requirements and international best practices, Ceylon Cash aims to maintain an AML/CFT program that is effective, comprehensive, and resilient to emerging risks.

  2. Governance and Approval of the AML/CFT Compliance Program

2.1 Approval and Oversight: This AML/CFT Policy and Program is formally approved by the Board of Directors of Ceylon Cash and is endorsed by the Chief Executive Officer (CEO). The Board is ultimately accountable for ensuring that the Company’s AML/CFT measures are robust and compliant with laws. Senior Management is responsible for implementing this Policy and for providing the necessary resources to do so. Any changes or deviations to the Policy must be approved at the appropriate level of authority. Specifically, if any business unit proposes a variation from the standard procedures that would be less stringent than those prescribed herein, such variation requires approval by the CEO (or an authorized delegate) with no objection from the Compliance Officer. More stringent measures may be adopted with approval of the Compliance Officer. All approvals and variations must be documented. The AML/CFT Policy will be reviewed on an annual basis (at minimum) and updated to address new risks or regulatory changes; material revisions will be submitted to the Board for re-approval (version control is maintained as noted above).

2.2 Governance Structure: Ceylon Cash employs a “Three Lines of Defense” model to manage ML/TF risk:

  • First Line: Business units (e.g. customer onboarding teams, operations and transaction processing teams) own and manage the risk. They are responsible for carrying out customer due diligence, transaction screening and monitoring as per this Policy, and for adhering to procedures on the ground. They must identify, assess, and control the ML/TF risks in their day-to-day dealings with customers.
  • Second Line: The Compliance Unit (and Risk Management function) provides independent oversight and guidance. The Compliance Officer and his/her team monitor the business units’ compliance with AML/CFT requirements, conduct risk assessments, and implement controls to mitigate risks. They also serve as the point of contact for regulatory reporting and inquiries. The second line has the authority to escalate issues to senior management and, if necessary, halt business pending remediation of compliance issues.
  • Third Line: The Internal Audit function (or an external independent auditor, as applicable) periodically reviews and tests the overall AML/CFT program. This independent review (details in Section 9) evaluates the effectiveness of AML/CFT controls and identifies areas for improvement. It ensures that the first and second lines are functioning properly and that the Company is in full compliance.

The organizational reporting structure for AML/CFT is as follows: The Compliance Officer reports to senior management (and/or directly to the Board) on AML/CFT matters. Business units report AML issues to the Compliance Officer. The Board oversees the entire framework through regular reports and meetings. This clear escalation path ensures any significant AML/CFT issues (for example, discovery of a major suspicious activity or a sanctions hit) are promptly communicated to the highest levels.

2.3 Roles and Responsibilities: All levels of the Company have defined responsibilities to uphold AML/CFT compliance:

  • Board of Directors (BOD): The Board is responsible for setting the “tone at the top” and ensuring a strong compliance culture. The Board must understand the ML/TF risks inherent in the Company’s business model, products, delivery channels, and customer base. The BOD ensures that appropriate governance and risk management frameworks are in place to mitigate these risks. It approves this AML/CFT Policy and any significant updates, and it holds senior management accountable for implementation. The Board will review AML/CFT reports, including risk assessment results and compliance testing reports, on a regular basis (at least annually, with interim updates as needed). Directors should be aware that they bear ultimate responsibility – including potential regulatory penalties – for any significant compliance failures, so they must exercise oversight diligently.
  • Chief Senior Management: This refers to the CEO and department Heads. Chief Senior Management must ensure that day-to-day operations are in line with this Policy. They allocate sufficient resources (personnel, budget, and technology) to the AML/CFT compliance program. Chief Senior Management should be intimately aware of the Company’s exposure to ML/TF risks and must take timely action to address any gaps. They are responsible for inculcating compliance as a core value among staff. Chief Senior Management must also review and approve entering into or continuing relationships with high-risk customers such as PEPs and approve any large or unusual transactions flagged by Compliance, as appropriate. The CEO, as the apex of management, endorses this Policy and supports the Compliance Officer in enforcement.
  • Compliance Officer (CO) and Compliance Unit: Ceylon Cash appoints a designated Compliance Officer at a managerial level, who has the requisite experience and authority. The Compliance Officer’s responsibilities include:
    • Ensuring the Company fully understands and meets its obligations under AML/CFT laws, regulations, and this internal Policy.
    • Developing and updating internal AML/CFT procedures and controls.
    • Providing advice and guidance to business staff on compliance queries.
    • Regularly assessing the effectiveness of the AML/CFT measures and addressing any weaknesses or emerging risks (for example, adapting controls if new typologies of crypto-related ML/TF are identified).
    • Training: Arranging and conducting AML/CFT training programs for all relevant employees to enhance their knowledge and awareness. 
    • Acting as the main liaison with regulators and law enforcement – e.g. handling FIU correspondence, regulatory examinations, and ensuring timely submission of required reports (STRs, threshold reports, etc.).
    • Receiving internal reports of unusual or suspicious activities from staff, evaluating them, and if warranted, filing STRs with the FIU. The CO will establish secure and confidential reporting channels for employees to escalate suspicions.
    • Keeping abreast of new AML/CFT developments (both local and international) and updating senior management and the Board on such developments and their impact on the Company.
    • Reporting to the Board and senior management on the ML/TF risk exposure of the Company and the status of compliance (e.g. number of STRs filed, training conducted, any regulatory issues, etc.).

The Compliance Officer has the authority to enforce this Policy across all departments. All employees are required to cooperate with the Compliance Unit’s directives and investigations. The Compliance Officer shall have unfettered access to relevant data, records, and personnel to carry out his/her duties.

  • Employees (All Staff): Every employee of Ceylon Cash has a role in AML/CFT compliance. Staff are the first line of defense in spotting unusual activities or potential red flags during their routine work. As such, all employees must:
    • Adhere to the customer identification (“Know Your Customer”) procedures when initiating any business relationship or processing transactions. This means no account is opened unless all required KYC information is obtained and verified as per this Policy.
    • Be vigilant for signs of suspicious behavior or transactions and promptly report any unusual or potentially suspicious activity to the Compliance Officer, without tipping off the customer.
    • Maintain strict confidentiality regarding any internal or external investigations or reports. It is a serious offense (known as “tipping off”) for any person who knows or suspects that a money laundering or terrorist financing investigation is underway to disclose that fact to the subject or any unauthorized party. Employees must never divulge to a customer that a suspicion has been formed or that an STR has been or will be filed.
    • Follow all internal controls and procedures in their daily work, such as completing required information on transaction records, using the monitoring systems properly, and maintaining records as required.
    • Attend required training sessions and keep themselves updated on AML/CFT knowledge. Each employee should understand how AML/CFT laws and this Policy apply to their specific job role. Ignorance is not an excuse for non-compliance.
    • Refrain from aiding or advising any customer in a way that facilitates money laundering or evasion of the law. Employees must not knowingly assist any person in circumventing AML/CFT requirements.

Failure by any employee to comply with this Policy and perform their AML/CFT duties may result in disciplinary action, including termination, and could expose the individual to personal legal liability.

  3. Risk Assessment – The Risk-Based Approach

Ceylon Cash adopts a risk-based approach (RBA) to AML/CFT, meaning our efforts and resources are commensurate with the level of risk of money laundering or terrorist financing that we face in different areas of our business. Not all customers, transactions, or geographies pose the same risk. By understanding our specific risk exposure, we can apply appropriate controls – enhancing measures where risk is higher and simplifying where risk is demonstrably low, in line with regulatory allowances.

3.1 Enterprise-Wide ML/TF Risk Assessment: The Company conducts an enterprise-wide ML/TF Risk Assessment at least annually (or more frequently if major changes occur). This assessment considers various risk factors, including:

  • Customer Risk: What types of customers do we serve? We analyze the risk profiles of different categories of customers – e.g. retail individual clients, corporate entities, high-net-worth individuals, politically exposed persons (PEPs), non-residents, etc. Certain customers inherently carry higher risk (for example, anonymous internet-based clients or clients with complex ownership structures). The Company considers factors like the customer’s occupation or business (especially if it is a cash-intensive or higher-risk industry), their reputation/adverse media, whether they are PEPs, and whether they are acting on behalf of others. Each customer is assigned a risk rating based on these factors.
  • Product/Service Risk: We evaluate the risks associated with the products and services Ceylon Cash offers. As a digital asset platform, key services include converting fiat currency to cryptocurrency and vice versa, and facilitating crypto-to-crypto trades. Virtual asset transactions can be higher risk due to potential anonymity and speed of transfers. We consider whether we offer high-risk services like privacy coins, mixing/tumbling services (which we do not), or high-leverage trading, etc., and we adjust controls accordingly. Additional services (if any, such as custodial wallets, prepaid cards, or remittances) are also risk-scored.
  • Delivery Channel Risk: Our platform is internet-based (non-face-to-face customer interactions), which can increase impersonation/fraud risks. We use electronic/digital onboarding and thus have to mitigate the risk of fake identities through robust e-KYC tools. We assess the risks of any third-party introducers or agents (currently none) and of any reliance on online verification systems. Non-face-to-face onboarding is recognized by regulators as potentially higher risk requiring specific safeguards.
  • Geographic Risk: We examine the countries or jurisdictions associated with our customers and transactions. Ceylon Cash primarily targets Sri Lankan residents; however, any exposure (current or future) to foreign clients or international transactions is assessed. We pay special attention to connections with countries that are subject to sanctions, under FATF monitoring, or known for high levels of corruption, drug trafficking, terrorism, or weak AML controls. For example, if a customer is located in or sending funds to/from a jurisdiction on the FATF “grey list” or “black list”, or certain high-risk regions, that will elevate risk. Our policy may restrict or prohibit business in certain jurisdictions entirely, based on risk (e.g. no dealings with countries under UN sanctions or comprehensively sanctioned by OFAC/EU, etc.).
  • Transaction/Interface Risk: We also consider the mode of funding and withdrawals (e.g. bank transfers, credit cards, cash deposits via bank, etc.). Since CBSL rules currently disallow using credit/debit cards for crypto purchases in Sri Lanka, our fiat on-ramp/off-ramp is via bank transfers through licensed banks. These are somewhat mitigated by banks’ own AML checks. However, peer-to-peer transfers of crypto entirely on blockchain might carry more anonymity risk. The Company employs transaction monitoring tools to mitigate these. Frequency, size, and patterns of transactions are analyzed in the risk assessment to identify any trends that may need additional controls.

All these factors feed into an overall risk profile for Ceylon Cash. Senior Management and the Compliance Officer use the risk assessment to allocate resources and design controls. The risk assessment process and results are documented and reported to the Board. Where higher risks are identified (e.g. a significant customer base of high-risk individuals, or an increase in transactions with certain countries), enhanced measures are implemented and reflected in this Policy. Conversely, if certain areas are determined to be lower risk and Sri Lankan regulations permit, the Company may apply simplified due diligence measures in those specific scenarios – but currently, given the nascent nature of crypto regulations, we generally default to standard or enhanced measures only.
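The following is an added example, not part of Ceylon Cash’s Policy or its systems: a Python routine that turns the risk factors listed in Section 3.1 (customer type, PEP status, adverse media, occupation, geography, delivery channel and funding method) into a per-customer score, a risk rating and the due-diligence level to apply. The weights, the score bands, the placeholder jurisdiction codes (XX, YY, ZZ) and the occupation list are constructed assumptions for illustration; a real matrix would be calibrated by the Compliance Officer and fed from the current FATF and sanctions lists.

```python
from dataclasses import dataclass, field

# Constructed placeholder jurisdiction codes (XX, YY, ZZ are not real ISO codes);
# a real programme would load the current FATF and UN/OFAC/EU lists instead.
FATF_GREY_LIST = {"XX"}
FATF_BLACK_LIST = {"YY"}
SANCTIONED_COUNTRIES = {"ZZ"}
# Constructed list of occupations treated as cash-intensive / higher risk.
HIGH_RISK_OCCUPATIONS = {"casino operator", "money service business", "used car dealer"}


@dataclass
class Customer:
    customer_id: str
    customer_type: str                      # "individual" or "corporate"
    country: str                            # residence / incorporation
    counterparty_countries: set = field(default_factory=set)
    occupation: str = ""
    is_pep: bool = False
    adverse_media: bool = False
    acts_for_third_party: bool = False
    complex_ownership: bool = False
    non_face_to_face: bool = True           # the platform onboards online by default
    funding_method: str = "bank_transfer"   # or "p2p_crypto"


def score_customer(c):
    """Return (total_score, reasons); every weight below is an illustrative assumption."""
    reasons = []
    if c.is_pep:
        reasons.append(("politically exposed person", 40))
    if c.adverse_media:
        reasons.append(("adverse media", 25))
    if c.acts_for_third_party:
        reasons.append(("acting on behalf of others", 20))
    if c.customer_type == "corporate" and c.complex_ownership:
        reasons.append(("complex ownership structure", 20))
    if c.occupation.strip().lower() in HIGH_RISK_OCCUPATIONS:
        reasons.append(("cash-intensive or higher-risk occupation", 15))
    # Geographic risk: the customer's own jurisdiction plus every counterparty jurisdiction.
    for code in sorted({c.country} | set(c.counterparty_countries)):
        if code in SANCTIONED_COUNTRIES:
            reasons.append((f"sanctioned jurisdiction {code}", 100))
        elif code in FATF_BLACK_LIST:
            reasons.append((f"FATF black-list jurisdiction {code}", 60))
        elif code in FATF_GREY_LIST:
            reasons.append((f"FATF grey-list jurisdiction {code}", 25))
    if c.non_face_to_face:
        reasons.append(("non-face-to-face onboarding", 10))
    if c.funding_method == "p2p_crypto":
        reasons.append(("on-chain peer-to-peer funding", 15))
    return sum(points for _, points in reasons), reasons


def risk_rating(score):
    """Score bands are assumptions; PROHIBITED covers business the Policy will not accept."""
    if score >= 100:
        return "PROHIBITED"
    if score >= 50:
        return "HIGH"
    if score >= 25:
        return "MEDIUM"
    return "LOW"


DUE_DILIGENCE = {
    # No simplified CDD tier: the Policy currently defaults to standard or enhanced measures.
    "LOW": "standard CDD",
    "MEDIUM": "standard CDD with closer ongoing monitoring",
    "HIGH": "enhanced due diligence and senior management approval",
    "PROHIBITED": "decline or exit the relationship and escalate to the Compliance Officer",
}


def assess(c):
    """Produce the documented outcome that would be stored on the customer record."""
    score, reasons = score_customer(c)
    rating = risk_rating(score)
    return {"customer_id": c.customer_id, "score": score, "rating": rating,
            "due_diligence": DUE_DILIGENCE[rating], "reasons": reasons}


if __name__ == "__main__":
    for cust in (Customer("C-001", "individual", "LK"),
                 Customer("C-002", "corporate", "LK", is_pep=True, complex_ownership=True),
                 Customer("C-003", "individual", "LK", counterparty_countries={"ZZ"})):
        print(assess(cust))
```

The `reasons` list is kept alongside the score so that the rating can be explained to the Compliance Officer, an auditor or the FIU; a bare number is much harder to defend during independent testing. A sanctioned jurisdiction is weighted so that it alone pushes the customer into the prohibited band, matching the Policy’s position that no business is done with such countries regardless of other factors.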

3.2 Five Pillars of AML/CFT Compliance: In formulating our program, we ensure it incorporates what are often referred to as the “five pillars” of AML/CFT compliance: 

(1) A system of internal policies, procedures and controls (this entire Policy); 

(2) A designated compliance officer with sufficient authority; 

(3) Ongoing AML/CFT training for employees; 

(4) Independent testing of the program; and 

(5) Customer due diligence and ongoing monitoring 

Underpinning these pillars is the risk assessment discussed above – the foundation that informs how each pillar is implemented. By structuring our compliance program around these pillars and the risk-based approach, we aim for both effectiveness and efficiency in combating financial crime.

3.3 ML/TF Risk in Virtual Asset Activities: It is acknowledged that digital asset services can be an attractive target for criminals due to features like speed, global reach, and the potential pseudonymity of crypto transactions. Some specific risks in the cryptocurrency domain include: the use of stolen identities to create accounts, the use of “money mule” accounts, the layering of funds through multiple exchanges and wallets to obfuscate their origin, the exploitation of privacy coins or decentralized mixers, and potential exposure to darknet marketplaces and ransomware proceeds. Ceylon Cash stays vigilant to these risks. Our risk assessment is updated whenever new typologies emerge (for instance, if FATF or the Sri Lankan FIU publishes findings on virtual asset abuse, we incorporate those). We also utilize technological tools (blockchain analytics) to trace crypto transaction history where possible and flag high-risk sources or destinations of funds (e.g. wallets associated with hacks, sanctioned addresses, or darknet markets). The Ongoing Monitoring section of this Policy elaborates on this. In summary, our risk-based approach is dynamic, continuously evolving as the risk landscape changes. The Compliance Officer will maintain an up-to-date risk register and ensure that controls adapt to new threats or vulnerabilities.
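As an added example (not Ceylon Cash’s tooling and not any analytics vendor’s product), the block below shows the shape of the blockchain-analytics check described above: starting from the address that received a customer deposit, it walks backwards through a transfer graph for a bounded number of hops, reports any flagged address it reaches (sanctioned, mixer, darknet market, exchange hack), and maps the nearest hit to a handling decision. The addresses, the transfers, the flag categories and the hop thresholds are all constructed assumptions; real deployments read the chain through an analytics provider and take the flag lists from current sanctions and typology sources.

```python
from collections import deque

# Constructed flagged-address list: address -> category (illustrative only).
FLAGGED = {
    "addr_sanctioned_1": "sanctioned",
    "addr_mixer_1": "mixer",
    "addr_darknet_1": "darknet_market",
    "addr_hack_1": "exchange_hack",
}

# Constructed transfers: (from_address, to_address, amount). Amounts are in
# arbitrary units; only the direction of flow matters for provenance tracing.
TRANSFERS = [
    ("addr_hack_1", "addr_a", 5.0),            # hack proceeds, layered over two hops
    ("addr_a", "addr_b", 4.9),
    ("addr_b", "addr_customer_deposit", 4.8),
    ("addr_clean_1", "addr_d", 2.0),           # ordinary funds
    ("addr_d", "addr_customer_deposit2", 1.9),
    ("addr_mixer_1", "addr_customer_deposit3", 1.0),       # direct mixer output
    ("addr_sanctioned_1", "addr_e", 3.0),      # sanctioned funds one hop removed
    ("addr_e", "addr_customer_deposit4", 2.9),
]


def build_inbound_index(transfers):
    """Map each address to the set of addresses that have sent funds to it."""
    inbound = {}
    for src, dst, _amount in transfers:
        inbound.setdefault(dst, set()).add(src)
    return inbound


def trace_exposure(deposit_address, transfers, flagged, max_hops=3):
    """Breadth-first walk backwards from the deposit address, at most max_hops
    transfers deep. Returns [(flagged_address, category, hops)] nearest first."""
    inbound = build_inbound_index(transfers)
    seen = {deposit_address}
    queue = deque([(deposit_address, 0)])
    hits = []
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:
            continue                      # do not expand beyond the hop budget
        for src in inbound.get(addr, ()):
            if src in seen:
                continue
            seen.add(src)
            if src in flagged:
                hits.append((src, flagged[src], hops + 1))
            queue.append((src, hops + 1))
    hits.sort(key=lambda hit: hit[2])
    return hits


def screen_deposit(deposit_address, transfers=TRANSFERS, flagged=FLAGGED, max_hops=3):
    """Map the trace result to a handling decision. The hop-based thresholds are an
    assumption for illustration; a sanctions match is frozen and escalated as the
    Policy requires, other direct exposure is held for Compliance review, and
    indirect exposure is released with an alert for the monitoring team."""
    hits = trace_exposure(deposit_address, transfers, flagged, max_hops)
    if not hits:
        return {"decision": "release", "hits": hits}
    nearest_address, category, hops = hits[0]
    if category == "sanctioned":
        return {"decision": "freeze_and_escalate", "hits": hits}
    if hops == 1:
        return {"decision": "hold_for_compliance_review", "hits": hits}
    return {"decision": "release_with_alert", "hits": hits}


if __name__ == "__main__":
    for deposit in ("addr_customer_deposit", "addr_customer_deposit2",
                    "addr_customer_deposit3", "addr_customer_deposit4"):
        print(deposit, screen_deposit(deposit))
```

The hop budget is the key tuning knob: a small budget misses layered proceeds (the hack example above disappears at `max_hops=2`), while a very large budget eventually touches a flagged address for almost any deposit and floods the Compliance Unit with alerts. Whatever budget is chosen, the full `hits` list is kept with the decision so the reasoning is available for an STR or for independent testing.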

 

  4. Internal Controls and Compliance Infrastructure

Ceylon Cash has implemented a robust set of internal controls to ensure adherence to AML/CFT requirements. These controls cover procedures for customer onboarding, transaction monitoring, record management, auditing, and more. They are documented in detail in our operational procedures manuals, and summarized here as part of the Policy.

4.1 Policies and Procedures: This written Policy is the cornerstone of our internal controls. It is complemented by more detailed Standard Operating Procedures (SOPs) for front-line staff and compliance staff, which provide step-by-step guidance on performing tasks in compliance with AML/CFT rules (e.g. how to verify a customer’s identity documents, how to review an alert in the monitoring system, how to file an STR, etc.). The Policy and procedures are consistent with current laws and will be updated promptly if laws change. The Compliance Officer ensures that any regulatory changes (such as new FIU directives) are incorporated. All relevant staff have access to and must familiarize themselves with these internal procedures. Department heads are responsible for enforcing procedure adherence in their teams.

4.2 Systems and Tools: Given the digital nature of our business, appropriate technology is critical for effective AML/CFT control. Ceylon Cash employs an integrated compliance software platform which includes:

  • Customer onboarding/KYC system: to collect customer information and documents, perform identity verification (including biometric or liveness checks for selfies vs. ID, as applicable), and screen against sanctions/PEP databases in real-time.
  • Transaction monitoring system: that analyzes transactions (fiat and crypto) for suspicious patterns, unusual size or frequency, and other risk indicators. This includes rules and scenarios tailored to crypto (e.g. rapid in-and-out trades, multiple accounts funneling to one wallet, etc.).
  • Blockchain analytics tool: to trace cryptocurrency transactions to their source or destination addresses and identify if funds have passed through known illicit entities (such as mixers or addresses flagged for ransomware, etc.).
  • Record-keeping database: to securely retain all customer due diligence records and transaction records for the required retention period (at least 6 years) and enable quick retrieval for review or audit.
  • Reporting interface (goAML or equivalent): to electronically file STRs with the FIU and submit any other required reports (like threshold transaction reports, if applicable) in the format specified by regulations.

We ensure these systems have appropriate access controls, data integrity, and confidentiality protections. System logs and audit trails are maintained. The IT Department works closely with Compliance to configure and update these tools. Additionally, periodic tests are run to ensure the systems are functioning as intended (for example, generating “false positives” vs. true alerts at acceptable rates).

4.3 Management Information and Reporting: A key internal control is the flow of information upward to management. The Compliance Officer provides regular reports to Senior Management and the Board on AML/CFT matters. These include: updates on the number of new accounts opened and any high-risk accounts, summary of STRs filed (count and broad categories, without tipping off details), results of any internal compliance testing or audits, training conducted, and any regulatory communications or fines. Such reports may be monthly or quarterly to senior management, and at least annually to the Board (with immediate escalation in case of major issues). Internally, the Compliance team also monitors key performance indicators (KPIs) such as KYC processing times, backlog of alerts, etc., to ensure the program is running smoothly.

4.4 Employee Screening and HR Controls: Ceylon Cash exercises care in hiring and maintaining a workforce with high integrity. Pre-employment screening of employees (especially those in sensitive roles like compliance, finance, or any who handle customer funds or data) is conducted. This can include background checks for criminal records, verification of qualifications, and reference checks. We also ensure that staff performing AML duties have not been previously implicated in compliance violations. Employees are required to disclose if they are investigated or charged with any financial crime. We avoid conflicts of interest – e.g. an employee cannot handle a case involving a relative or close associate as a customer. Staff must adhere to a code of conduct that includes ethics in AML/CFT compliance. Any breach of AML obligations or unethical behavior can result in disciplinary measures.

4.5 Confidentiality and Data Protection: Because our AML program deals with sensitive personal data and confidential information (customer IDs, STRs, etc.), we have controls to protect this information. STRs and investigation files are kept secure and access is limited to those who need to know (e.g. the Compliance Officer and maybe one or two deputies). We abide by data protection regulations in handling customer data and ensure that any sharing of information (with authorities or between institutions) is done lawfully and securely. Notably, Sri Lankan law provides safe harbor for reporting suspicious activities in good faith, and Ceylon Cash upholds strict confidentiality of such reporting to encourage employees to come forward without fear. No information about an STR filed will be disclosed externally (except to regulators) or internally beyond what’s necessary.

4.6 Independent Audits and Reviews: In brief, as part of internal controls, we schedule independent reviews of our AML/CFT program. The findings of these reviews are used by management to strengthen controls and remediate any deficiencies.

All internal controls are documented and subject to continuous improvement. Compliance, Risk, and Internal Audit collaborate to ensure that our controls keep pace with the growth of the company and emerging risks. Ultimately, the effectiveness of these controls is measured by our ability to prevent illicit activity (no significant incidents), to detect and report suspicious behavior promptly, and to satisfy regulatory examinations with no material findings.

 

  5. Customer Due Diligence (CDD) Policies

Ceylon Cash will not do business with anonymous or unverified customers. We have a rigorous Customer Due Diligence (CDD) process to Know Your Customer (KYC) before onboarding and throughout the relationship, in line with the FTRA and FIU rules. The level of due diligence is commensurate with the customer’s risk profile – basic CDD for most, Enhanced Due Diligence (EDD) for higher-risk customers/circumstances, and Simplified Due Diligence (SDD) only if allowed and justified for low-risk cases.

5.1 When CDD is Required: We perform identification and verification of customers (and beneficial owners, where applicable) in the following situations:

  • At the onset of a business relationship: i.e. when a person signs up for an account on our platform (prior to permitting trading or transactions). Every new customer must be verified before they can use our services.
  • Before processing an occasional transaction above applicable thresholds: While our model is account-based (so nearly all transactions involve an ongoing relationship), if there were any occasional (one-off) transactions (for instance, a one-time exchange without full account creation, if ever allowed) that exceed regulatory thresholds, we would conduct full CDD. As a reference, under FIU rules, cash transactions above LKR 1,000,000 or wire transfers above USD/Euro 15,000 usually trigger CDD obligations; Ceylon Cash sets a low internal threshold (any fiat transaction > LKR 100,000 or crypto transfer > USD 1,000 equivalent) to ensure CDD kicks in well before any regulatory limit.
  • Whenever there is suspicion of money laundering or terrorist financing, regardless of any amounts. If an existing customer’s activity becomes suspicious, we may refresh or deepen CDD even if not otherwise required at that moment.
  • When the Company has doubts about the veracity or adequacy of previously obtained customer identification data. For example, if a customer’s contact info no longer seems valid, or discrepancies are noticed in documentation, we will re-verify.

We will not allow any transaction or account activity to proceed until the required identification and verification steps are completed to our satisfaction, except to the extent needed to prevent tipping off when a suspicion has arisen.

5.2 Customer Identification and Verification (KYC): At onboarding, customers must provide identifying information and valid documents. The exact requirements differ slightly for individual vs. corporate customers:

  • Individual Customers: We collect at least the full name, date of birth, nationality, official identification number (e.g. NIC or passport number), residential address, and contact details (phone, email). For Sri Lankan nationals, a valid National Identity Card (NIC) is the primary ID document; for non-nationals, a passport is required. We verify the identity by:
    • Checking the ID document’s authenticity (using automated ID verification software that can detect forgeries, or manually inspecting security features if needed).
    • Ensuring the person presenting the ID is indeed its owner – done via a “selfie” or live video verification compared to the ID photo (with liveness check to prevent spoofing) and/or in some cases through a one-time password.
    • Cross-verifying against independent databases when possible. For example, for Sri Lankan NIC, the FIU has provided interfaces to verify details with the Department for Registration of Persons – we leverage such tools when available. Also, we might cross-check the name against any available public databases or credit bureau for consistency.
    • Recording identification details: a clear copy of the ID (front and back), and a selfie image are stored in our records.
      Additionally, we ask for the customer’s purpose of account (e.g. investment, trading, remittance etc.), source of funds and estimated annual turnover or volume expected. Gathering this information helps us establish a baseline expected activity to later judge what’s unusual. If a customer is not a resident of Sri Lanka, we require information on their source of funds coming into the account (e.g. from which foreign bank, etc.).
  • Institutional/Corporate Customers: (If the platform caters to companies or other legal entities.) We require certified copies of the entity’s registration/incorporation documents, proof of address of business, and identification information of all directors and ultimate beneficial owners (UBOs) holding 10% or more equity (or exercising control). We will identify the UBOs through a layered KYC if the ownership chain involves multiple entities. Each UBO identified is treated like an individual customer for verification of their personal identity as above. We also obtain the board resolution or authorization for the account opening and identify the person(s) purporting to act on behalf of the company (authorized signatories or traders) – verifying their identity and authority. For higher-risk entities (e.g. trust accounts, NGOs), we might require additional documentation such as trust deeds, charity objectives, etc., to understand the nature of the entity. Any entity that cannot disclose its true ownership (e.g. bearer share companies or overly complex structures without clear reason) will be declined as per risk appetite.
    Part of corporate KYC is also assessing the nature of the business the company is involved in, and its normal activity (so we can spot anomalies later). We may request financial statements or other proof of source of funds for initial deposits for corporate clients.

5.3 Name Screening and Sanctions Checks: Before onboarding any customer (and on an ongoing basis), Ceylon Cash will screen the customer’s name and related parties against relevant sanctions and watchlists. This includes the United Nations Security Council sanctions lists (particularly those related to terrorism and proliferation financing), any domestic list of designated persons (e.g. as per orders under UN Act or PTA in Sri Lanka), and global lists such as OFAC, EU, and other government lists as a best practice. We also screen for Politically Exposed Persons (PEPs) status and against known negative media. Our electronic screening tool automatically flags potential matches:

  • If a customer is an exact or close name match to a sanctions list entry, we pause onboarding and escalate to Compliance for review. A true match (confirmed same person/entity) means we must reject the customer and, if required by law, report to the FIU immediately (and freeze any assets if already received). It is illegal to deal with sanctioned parties, and we fully comply with UNSCR 1267/1373 obligations.
  • If a customer is identified as a PEP (foreign or domestic senior public official, their immediate family or close associates), we mark them for Enhanced Due Diligence. Being a PEP is not a reason to refuse a customer per se, but it significantly raises risk, so we ensure proper senior management approval and monitoring.
  • Adverse Media: Our screening extends to checking if the person has known links to financial crime or terrorism via media reports or Internet searches (this is part of EDD for higher risk customers).

Screening isn’t a one-time exercise. Ongoing screening is performed: our system regularly updates watchlists and retroactively checks existing clients against any newly added names (for instance, if someone we onboarded later gets sanctioned or is convicted of a crime). Additionally, we rescreen the database of customers periodically (at least daily for sanctions updates). This is critical as new sanctions designations can occur anytime and require immediate action.

We document any potential matches and the resolution (false positive cleared vs. true match actioned). The screening process is a vital control to ensure we do not engage with prohibited persons or entities and to identify higher-risk relationships early.
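The exact/close-match hold described in 5.3, together with the retroactive rescreen of existing customers after a list update, as an added example that is not Ceylon Cash's own screening tool. The watchlist entries and customer records are constructed sample data, the similarity measure is Python's difflib ratio over normalised names, and CLOSE_MATCH_THRESHOLD is an assumed tuning value; a production tool would use list-specific matching logic and secondary identifiers.

```python
"""Watchlist name screening with exact / close-match holds and retroactive
rescreening after a list update. Added example for this policy, not Ceylon
Cash's screening tool: the watchlist and customer records are constructed,
similarity is difflib's ratio over normalised names, and
CLOSE_MATCH_THRESHOLD is an assumed tuning value."""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

CLOSE_MATCH_THRESHOLD = 0.85  # assumed; tune from the false-positive statistics

# Constructed sample watchlist; real lists also carry aliases (a.k.a. names)
WATCHLIST = [
    {"id": "WL-0001", "names": ["John Smith", "Smith, John A."], "dob": "1970-01-01"},
    {"id": "WL-0002", "names": ["Abu Bakr Al-Hashimi", "Abubakar Hashimi"], "dob": None},
]


def normalize(name: str) -> str:
    """Fold case and accents, drop punctuation and sort tokens so that
    'Smith, John' and 'John Smith' compare as equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z0-9 ]+", " ", folded.lower())
    return " ".join(sorted(folded.split()))


def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass
class ScreeningResult:
    decision: str                              # "HOLD_EXACT", "HOLD_CLOSE" or "CLEAR"
    hits: list = field(default_factory=list)   # (list id, matched alias, score), best first


def screen_name(name: str, watchlist=WATCHLIST) -> ScreeningResult:
    """Any exact or close hit pauses onboarding for analyst review; the analyst
    then confirms or clears it with secondary identifiers (date of birth,
    nationality, ID number), and that resolution is recorded."""
    hits = []
    for entry in watchlist:
        score, alias = max((similarity(name, a), a) for a in entry["names"])
        if score >= CLOSE_MATCH_THRESHOLD:
            hits.append((entry["id"], alias, round(score, 3)))
    hits.sort(key=lambda h: -h[2])
    if not hits:
        return ScreeningResult("CLEAR")
    return ScreeningResult("HOLD_EXACT" if hits[0][2] == 1.0 else "HOLD_CLOSE", hits)


def rescreen_customers(customers, new_entries):
    """Retroactive check of the existing customer base against entries added in a
    list update; returns {customer_id: ScreeningResult} for those needing review."""
    flagged = {}
    for cust in customers:
        result = screen_name(cust["name"], new_entries)
        if result.decision != "CLEAR":
            flagged[cust["customer_id"]] = result
    return flagged
```

Note that even an exact name match is returned as a hold rather than a rejection: the policy's "true match" is confirmed by an analyst on secondary identifiers, so the tool never clears or rejects on name alone. Running `rescreen_customers` over the customer base with only the entries added in the latest list update is what keeps the daily rescreen cheap.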

5.4 Risk Profiling and Customer Risk Rating (CRR): After collecting CDD information, Ceylon Cash assesses the overall ML/TF risk of the customer and assigns a risk rating (for example: Low, Medium, or High Risk). This Customer Risk Rating is determined by evaluating multiple factors, including: the customer’s identity and background, geographic connection, product type they will use, transaction size or volume expected, PEP status, business or occupation, source of funds, etc. We utilize a risk scoring model to ensure consistent assessments. The purpose is to decide the level of due diligence and monitoring that will apply.

  • Low-Risk Customers: These might include individual residents with verified identity, low-volume predictable transactions from salary or savings, and no other risk flags. For such customers, once standard CDD is done, no additional EDD measures are usually needed. Simplified measures may be allowed by regulation for low-risk cases – for instance, verifying identity via a single reliable document, or not requiring extensive income proofs. 
  • High-Risk Customers: These include PEPs, customers from high-risk countries, those with unusual account circumstances, or whose business type is prone to money laundering (e.g. money changers, gambling, shell companies, etc.). For high-risk customers, the Company applies Enhanced Due Diligence (EDD) measures. This could involve obtaining additional information (such as detailed source of wealth, reasons for using our platform, etc.), verifying information from independent sources, and requiring senior management sign-off to onboard or continue the relationship. High-risk accounts are subject to more frequent review and possibly tighter transaction limits.
  • Medium-Risk Customers: Those who do not clearly fall into the low or high category are rated medium; standard controls apply, with added caution.

The rationale for each customer’s risk classification is documented. Risk ratings are not static; they are updated in light of new information or changes in behavior. For example, if a low-risk customer suddenly starts executing large transactions to a risky jurisdiction, we might elevate their risk level and apply EDD going forward.
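One way to implement the scoring model and the re-rating described in 5.4, as an added example that is not Ceylon Cash's own risk model. The factor weights, the Low/Medium/High cut-offs, the placeholder country codes and the high-risk business types are all assumptions for illustration; the design point it shows is that PEP status and links to high-risk jurisdictions override the score, so a clean score elsewhere can never rate such a customer down.

```python
"""Customer risk rating (CRR): weighted factor score plus policy overrides, and
re-rating when new information arrives. Added example for this policy, not
Ceylon Cash's scoring model; weights, cut-offs, placeholder country codes and
business types are assumptions for illustration."""
from dataclasses import dataclass, replace

# Assumed placeholders; in practice populated from the FATF lists and the
# Company's own risk appetite statement
HIGH_RISK_COUNTRIES = {"XX", "YY"}
HIGH_RISK_BUSINESS = {"money changer", "gambling", "shell company"}

WEIGHTS = {  # assumed points per factor
    "non_resident": 15,
    "corporate": 10,
    "high_risk_business": 25,
    "source_of_funds_unverified": 20,
    "volume_over_1m": 10,
    "volume_over_5m": 20,
    "external_wallet_withdrawals": 10,
}
LOW_MAX, MEDIUM_MAX = 19, 49  # assumed cut-offs: 0-19 Low, 20-49 Medium, 50+ High


@dataclass(frozen=True)
class CustomerProfile:
    customer_id: str
    resident: bool
    country_links: frozenset = frozenset()   # jurisdictions funds come from / go to
    pep: bool = False
    corporate: bool = False
    business_type: str = ""
    expected_monthly_volume_lkr: int = 0
    source_of_funds_verified: bool = True
    external_wallet_withdrawals: bool = False


def factor_points(p: CustomerProfile) -> dict:
    """Points per applicable factor, kept as a dict so the rationale can be documented."""
    pts = {}
    if not p.resident:
        pts["non_resident"] = WEIGHTS["non_resident"]
    if p.corporate:
        pts["corporate"] = WEIGHTS["corporate"]
    if p.business_type.lower() in HIGH_RISK_BUSINESS:
        pts["high_risk_business"] = WEIGHTS["high_risk_business"]
    if not p.source_of_funds_verified:
        pts["source_of_funds_unverified"] = WEIGHTS["source_of_funds_unverified"]
    if p.expected_monthly_volume_lkr > 5_000_000:
        pts["volume_over_5m"] = WEIGHTS["volume_over_5m"]
    elif p.expected_monthly_volume_lkr > 1_000_000:
        pts["volume_over_1m"] = WEIGHTS["volume_over_1m"]
    if p.external_wallet_withdrawals:
        pts["external_wallet_withdrawals"] = WEIGHTS["external_wallet_withdrawals"]
    return pts


def rate_customer(p: CustomerProfile):
    """Return (rating, score, reasons). PEP status and high-risk jurisdiction links
    override the score because the policy applies EDD to them regardless."""
    pts = factor_points(p)
    score = sum(pts.values())
    reasons = [f"{k}:+{v}" for k, v in pts.items()]
    if p.pep:
        return "High", score, reasons + ["override: PEP"]
    risky = p.country_links & HIGH_RISK_COUNTRIES
    if risky:
        return "High", score, reasons + [f"override: high-risk jurisdiction {sorted(risky)}"]
    rating = "Low" if score <= LOW_MAX else "Medium" if score <= MEDIUM_MAX else "High"
    return rating, score, reasons


def rerate_on_new_information(p: CustomerProfile, **changes):
    """Apply newly learned facts (e.g. a jurisdiction link seen in monitoring)
    and re-rate; returns the updated profile and its new (rating, score, reasons)."""
    updated = replace(p, **changes)
    return updated, rate_customer(updated)
```

The returned `reasons` list is what gets filed as the documented rationale for the rating; `rerate_on_new_information` is the hook monitoring calls when, for instance, a low-risk customer starts transacting with a risky jurisdiction.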

5.5 Enhanced Due Diligence (EDD): For any customer or scenario identified as high-risk, Ceylon Cash performs EDD, which includes:

  • Obtaining Senior Management Approval: Establishing or continuing a business relationship with a high-risk customer (such as a PEP or someone with high risk factors) must be approved by senior management. In our practice, the Compliance Officer or Management Team will prepare a brief on the customer, and either the CEO or the relevant Director on the Board (if policy dictates Board approval for PEPs) will sign off on the decision to onboard or maintain the relationship. This adds a level of oversight and awareness at the top.
  • Deepening Understanding / Source of Wealth: We collect additional information on the customer’s source of funds and wealth. Source of funds means the origin of the particular funds involved in the transactions (e.g. salary, business income, sale of property, investment proceeds). Source of wealth refers to how the person acquired their overall wealth or net worth (e.g. through years of employment, inheritance, business ownership). For high-risk customers, especially PEPs, merely taking their word is not enough – we seek corroborating evidence. This could be in the form of bank statements, audited financials, salary slips, property sale contracts, etc., or reliable public information (for example, for a PEP, their asset declarations if available, or reputable media stating their business success). The goal is to ensure their funds are legitimate and proportionate to their profile.
  • Increased Identification Measures: If identity verification had any uncertainty (say a document wasn’t very clear), we may require notarized copies or a second document or even an in-person meeting for high-risk clients. For non-face-to-face high-risk onboarding, sometimes a video call is done to interview the client about their intended usage of the platform.
  • More Frequent Monitoring: EDD also implies that such accounts will be monitored more closely. We might set lower thresholds for generating alerts for these customers and review their transactions in real-time or daily.
  • Periodic Review: High-risk customers’ information is subject to periodic refresh (for instance, annually). We reach out to the customer to update KYC documents or information more often than for low-risk customers (whose refresh might be done every 2-3 years). This ensures we keep up with changes such as a new occupation or directorship. For PEPs, leaving office may lower the risk after some time, but they remain treated as PEPs for at least 1 year after stepping down per best practice, and often longer by policy.
  • Specific Measures for PEPs: If the customer is a Politically Exposed Person, we ensure we have identified not just the individual but any accounts they have an interest in. We perform all measures stated (approval, source of wealth) specifically for PEPs. Additionally for foreign PEPs, due to potentially higher corruption risk, we may be even more stringent, possibly deciding not to onboard certain PEPs from high-corruption jurisdictions at all. For domestic PEPs, given familiarity with local context, we still apply full EDD. All PEP relationships are reviewed at the highest levels and any unusual activity could lead to account closure if we are not satisfied.
  • High-Risk Countries or Activities: If a customer has ties to a country identified by FATF as high-risk or under increased monitoring, we apply EDD. This might involve requiring evidence of why funds are coming from/going to that country (e.g. trade invoices if a business deal, etc.), and ensuring compliance with any enhanced measures mandated by FIU (like checking against lists of suspicious companies or verifying import/export documents for trade transactions, etc.).

In summary, Enhanced Due Diligence is our failsafe for higher risk – it’s doing more of everything: more information, more verification, more scrutiny, more senior involvement. EDD must satisfy us that despite the higher risk, the customer’s dealings are legitimate and any risks are mitigated. If at any point we cannot mitigate the risk or complete EDD to our comfort (for example, the customer refuses to provide sufficient information on source of funds, or we find their explanation implausible), the account will be rejected or terminated to protect the Company from exposure.

5.6 Refusal and Termination Policy: Ceylon Cash reserves the right to refuse to establish a business relationship or to terminate an existing relationship if the customer fails to comply with CDD requirements or if we assess the ML/TF risk as too high to manage. Situations that will lead to refusal/termination include:

  • Inability to satisfactorily verify the customer’s identity or beneficial ownership.
  • The customer is found to be a sanctioned individual/entity or from a sanctioned jurisdiction.
  • The customer provides misleading or false information during KYC.
  • The customer’s source of funds is unverifiable or clearly linked to illicit activity.
  • The customer is engaged in a type of activity that we decide not to service (for example, if someone is an online casino or engages in adult entertainment payments – if outside our risk appetite).
  • The customer refuses to provide updated KYC or additional details when legitimately requested as part of EDD or ongoing monitoring.

In executing a termination, we will follow legal requirements (for example, if an STR is warranted, we file it; if funds need to be frozen by law, we do so). We will return any remaining legitimate funds to the source whence they came (e.g. back to the customer’s bank account) unless instructed otherwise by authorities. We also ensure we do not “tip off” – meaning if a termination is due to suspicion, we handle communications carefully (often citing a generic business decision rather than telling them “we think you’re laundering money”).

5.7 Reliance on Third Parties: At present, Ceylon Cash generally performs its own CDD and does not rely on third-party intermediaries to perform KYC on our behalf (where customers deposit via their banks, the bank will have performed its own KYC, but we still conduct ours). If in the future we engage in any arrangements (e.g. using an agent or a third-party introducer), we will ensure that such third party is regulated and supervised for AML/CFT, and that we immediately obtain the necessary CDD information from them. We would also periodically test the third party’s compliance. Currently, this is not applicable, but it is noted for completeness.

5.8 Non-Face-to-Face and Technological CDD: Since our onboarding is online, we mitigate the risk of not meeting customers in person through e-KYC technology and additional verifications. We follow FIU Guidance on non-face-to-face identification, which allows the use of digital verification with proper safeguards (like verifying NIC details against government databases, using biometric verification, etc.). We ensure the methods used provide similar assurance as traditional face-to-face document checks. If any doubt remains, we may insist on a face-to-face meeting (or a certified true copy of documents, etc.) even though it’s not convenient, because proper identification is paramount.

In conclusion, our CDD measures are comprehensive and form the first bulwark against illicit actors entering our ecosystem. By knowing our customers thoroughly, we lay the groundwork for effective monitoring and reporting as described in subsequent sections.

  6. Ongoing Monitoring of Accounts and Transactions

Performing thorough KYC at onboarding is necessary but not sufficient – Ceylon Cash also engages in continuous monitoring of customer activity to detect unusual or potentially suspicious patterns. Ongoing due diligence on the business relationship means we keep customer information up-to-date and we scrutinize transactions to ensure they are consistent with what we know of the customer’s profile and source of funds. This section details how we monitor and what we do when something suspicious is noted.

6.1 Transaction Monitoring System: Ceylon Cash uses an automated transaction monitoring (TM) system to flag transactions that may indicate money laundering or terrorist financing. This system is configured with a set of rules and scenarios tailored to our business. Examples of scenarios include:

  • Transactions (deposits or withdrawals) that are significantly larger than what a customer has done in the past or above certain high thresholds (e.g. a deposit over LKR 5 million or a crypto transfer over a certain large USD value could warrant review).
  • Abrupt changes in activity patterns, such as a dormant account suddenly moving large amounts.
  • Rapid in-and-out movement: e.g. customer deposits fiat, buys crypto, sends it out to an external wallet within a short time without any plausible reason (could indicate layering). Or conversely, receives crypto and quickly cashes out.
  • Multiple accounts sending funds to the same wallet or bank account, or one account receiving funds from many unrelated sources, which could indicate a layering network or mule network.
  • Transactions involving high-risk geographies: e.g. a series of crypto transfers to mixers or to exchanges in jurisdictions with weak AML controls, or fiat withdrawals to banks in known secrecy havens.
  • Structuring: a customer breaking a large transaction into smaller ones below reporting thresholds or just below our alert limits, etc., could be detected by velocity/frequency rules.

The TM system generates alerts for the compliance team to review. We ensure that it produces daily or real-time alerts (depending on scenario criticality). The Compliance analysts investigate each alert by examining the customer’s profile, the transaction details, and other contextual information. Many alerts can be resolved as false positives or explained by legitimate behavior, but if something truly cannot be explained, it escalates towards being deemed “suspicious”.

Additionally, the Company runs daily reports for manual review focusing on:

  • All large transactions of the day.
  • Any transaction to/from new external crypto addresses (and checks if those addresses appear on any blacklists).
  • Aggregate summaries like top senders/receivers, which could reveal if someone is acting as an unregistered dealer funneling money (which we would shut down).
  • Accounts with multiple failed login or authentication attempts (in case account compromise is an issue – this is more fraud-related but tied to AML if someone hijacks an account to launder through it).

We document the review of these monitoring reports and any decisions made. To manage resources, the Compliance Officer ensures that the tuning of the system is optimal: neither so sensitive that it generates excessive false alarms, nor so loose that it misses genuine issues. The system’s rules are reviewed periodically (especially as new risks arise or new typologies are learned).
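The monitoring scenarios listed in 6.1 (large or out-of-pattern deposits, structuring detected by velocity rules, rapid in-and-out movement, and many accounts funnelling to one wallet) written as rules run over a constructed ledger. This is an added example, not Ceylon Cash's TM system; every transaction is constructed, the time windows and the structuring threshold are assumed tuning values, and LKR 5,000,000 is the large-deposit figure quoted in the policy text.

```python
"""Rule-based transaction monitoring over a constructed ledger. Added example
for this policy, not Ceylon Cash's TM system: all transactions are constructed,
windows and the structuring threshold are assumed tuning values, and LKR
5,000,000 is the large-deposit figure quoted in the policy text."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

LARGE_DEPOSIT_LKR = 5_000_000           # from the policy text
BASELINE_MULTIPLIER = 5                 # assumed: > 5x the customer's own prior average
STRUCTURING_LIMIT_LKR = 1_000_000       # assumed, mirrors the LKR 1,000,000 reference in 5.1
STRUCTURING_WINDOW, STRUCTURING_MIN_COUNT = timedelta(days=3), 3   # assumed
IN_OUT_WINDOW, FUNNEL_MIN_SENDERS = timedelta(hours=24), 3        # assumed

@dataclass
class Tx:
    ts: datetime
    customer: str
    kind: str               # "fiat_deposit" or "crypto_withdrawal"
    amount_lkr: int         # LKR equivalent at execution time
    counterparty: str = ""  # external wallet for crypto_withdrawal

Alert = namedtuple("Alert", "rule customer detail")  # one queued item for analyst review

def rule_large_vs_baseline(txs):
    """Deposit above the absolute threshold, or far above the customer's own history."""
    alerts, history = [], defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.kind == "fiat_deposit":
            prior = history[tx.customer]
            if tx.amount_lkr >= LARGE_DEPOSIT_LKR:
                alerts.append(Alert("LARGE_DEPOSIT", tx.customer, f"{tx.amount_lkr:,} LKR"))
            elif prior and tx.amount_lkr > BASELINE_MULTIPLIER * sum(prior) / len(prior):
                alerts.append(Alert("ABOVE_BASELINE", tx.customer, f"{tx.amount_lkr:,} LKR vs prior avg {sum(prior) // len(prior):,}"))
            prior.append(tx.amount_lkr)
    return alerts

def rule_structuring(txs):
    """Several sub-threshold deposits in a short window whose total crosses the threshold."""
    alerts, by_cust = [], defaultdict(list)
    for tx in txs:
        if tx.kind == "fiat_deposit" and tx.amount_lkr < STRUCTURING_LIMIT_LKR:
            by_cust[tx.customer].append(tx)
    for cust, deps in by_cust.items():
        deps.sort(key=lambda t: t.ts)
        for i, first in enumerate(deps):
            window = [t for t in deps[i:] if t.ts - first.ts <= STRUCTURING_WINDOW]
            total = sum(t.amount_lkr for t in window)
            if len(window) >= STRUCTURING_MIN_COUNT and total >= STRUCTURING_LIMIT_LKR:
                alerts.append(Alert("STRUCTURING", cust, f"{len(window)} deposits totalling {total:,} LKR"))
                break  # one alert per customer is enough to open a review
    return alerts

def rule_rapid_in_out(txs):
    """Fiat in, crypto out to an external wallet within the window (possible layering)."""
    alerts, by_cust = [], defaultdict(list)
    for tx in txs:
        by_cust[tx.customer].append(tx)
    for cust, lst in by_cust.items():
        lst.sort(key=lambda t: t.ts)
        for i, dep in enumerate(lst):
            for out in lst[i + 1:]:
                if dep.kind == "fiat_deposit" and out.kind == "crypto_withdrawal" and out.ts - dep.ts <= IN_OUT_WINDOW:
                    alerts.append(Alert("RAPID_IN_OUT", cust, f"out to {out.counterparty} after {out.ts - dep.ts}"))
                    break
    return alerts

def rule_funnel(txs):
    """Several distinct accounts sending to the same external wallet (mule/layering network)."""
    senders = defaultdict(set)
    for tx in txs:
        if tx.kind == "crypto_withdrawal" and tx.counterparty:
            senders[tx.counterparty].add(tx.customer)
    return [Alert("FUNNEL", ",".join(sorted(s)), f"{len(s)} accounts -> {wallet}")
            for wallet, s in senders.items() if len(s) >= FUNNEL_MIN_SENDERS]

def run_monitoring(txs):
    alerts = []
    for rule in (rule_large_vs_baseline, rule_structuring, rule_rapid_in_out, rule_funnel):
        alerts.extend(rule(txs))
    return alerts

T0, D, H = datetime(2024, 1, 1, 9, 0), timedelta(days=1), timedelta(hours=1)
SAMPLE_TXS = [  # constructed ledger; comments mark the scenario each group should trigger
    Tx(T0, "C1", "fiat_deposit", 300_000), Tx(T0 + D, "C1", "fiat_deposit", 350_000),
    Tx(T0 + 2 * D, "C1", "fiat_deposit", 400_000),                    # structuring
    Tx(T0, "C2", "fiat_deposit", 200_000),
    Tx(T0 + 2 * H, "C2", "crypto_withdrawal", 200_000, "wallet-W1"),  # rapid in-and-out
    Tx(T0 + D, "C3", "crypto_withdrawal", 90_000, "wallet-W1"),
    Tx(T0 + 2 * D, "C4", "crypto_withdrawal", 75_000, "wallet-W1"),   # funnel into W1 with C2
    Tx(T0, "C5", "fiat_deposit", 100_000), Tx(T0 + D, "C5", "fiat_deposit", 100_000),
    Tx(T0 + 2 * D, "C5", "fiat_deposit", 6_000_000),                  # large deposit
    Tx(T0, "C6", "fiat_deposit", 50_000), Tx(T0 + D, "C6", "fiat_deposit", 50_000),
    Tx(T0 + 2 * D, "C6", "fiat_deposit", 400_000),                    # above own baseline
]
```

Each rule is independent and returns alerts rather than verdicts, which is the shape the policy requires: the analyst still reviews the customer's profile and context before anything is treated as suspicious. The tuning trade-off described above lives entirely in the constants at the top; lowering STRUCTURING_MIN_COUNT or widening the windows raises recall at the cost of more false positives for the queue.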

6.2 Ongoing Customer Due Diligence (Periodic Reviews): Apart from transaction-specific monitoring, we also perform periodic reviews of existing customers at intervals determined by their risk rating. For high-risk customers, we may do a comprehensive review annually (or even more often if very high risk), for medium risk perhaps every 2 years, and low risk every 3 years. A periodic review involves:

  • Refreshing KYC information: asking the customer if there are any changes in their address, employment, beneficial owners (for companies), etc., and obtaining updated documents if needed.
  • Re-screening the customer through sanctions/PEP lists and adverse media to see if their status has changed (this is in addition to our automated ongoing screening).
  • Looking at the account’s cumulative activity since the last review: does it align with the expected profile? Documenting any significant deviations and whether they were explained.
  • Re-assessing the customer’s risk level in light of any new information or behavior. The risk rating may be adjusted (for instance, an initially low-risk customer might have turned high-risk due to their transaction pattern or external developments; or a high-risk PEP might have left office and pose somewhat lower risk after some time).

By conducting periodic reviews, we maintain a good understanding of who our customers are over time, not just at onboarding. It also provides an opportunity to re-engage the customer for any missing info. If a client fails to cooperate in periodic updating of KYC, we may suspend or eventually terminate the account (non-cooperation itself is a red flag).

6.3 Identifying Suspicious Activities: Through the above monitoring mechanisms, Ceylon Cash endeavors to identify unusual and potentially suspicious transactions. An unusual transaction might be one that is large, complex, or has no obvious economic purpose given the client’s profile. When an unusual pattern is detected, we try to inquire into the background and purpose of those transactions to the extent possible. For example, if a customer suddenly receives a large third-party payment, we might reach out asking for the reason (perhaps it’s a once-off family inheritance or sale of asset – we’d ask for supporting documents to verify). These inquiries and their results are documented. If the explanation is reasonable and verified, we note that. If the customer cannot or will not provide a plausible reason, the activity becomes suspicious in nature.

Some common red flags we watch for (not exhaustive):

  • The customer’s funds origins/destinations involve jurisdictions known for drug trafficking, terrorism, or high secrecy.
  • The customer tries to avoid reporting by breaking up transactions or by repeatedly transacting in amounts just under the limit.
  • There is sudden activity after long dormancy, or spikes around certain events (like just after some negative news, they withdraw all to cash, etc.).
  • The customer’s transactions make no economic sense (e.g., buying crypto and selling at a loss immediately, which might indicate layering with disregard for profit).
  • The customer has multiple accounts under different names (maybe linked by device or address) – indicating possible smurfing.
  • For corporate clients: transactions not related to their stated business (like a company in one industry receiving funds from an unrelated sector without good reason).
  • Any media mention or rumor that the client is involved in fraud, crime, or under investigation.

When staff or the system suspects a transaction or activity could be linked to ML/TF, this triggers our internal escalation: an internal suspicious activity report is prepared by Compliance. The Senior Managers will analyze the details of the case discreetly. If after examination, we determine that the suspicion has merit and there is no innocent explanation, we proceed to file an official Suspicious Transaction Report (STR) to the FIU. Importantly, during this process, we must avoid tipping off the customer. This means we might not continue asking the customer too many questions if we already have enough suspicion – because pressing further could alert them that they are under scrutiny. Sri Lankan regulations permit ceasing CDD measures in such a scenario to avoid tipping off, provided an STR is filed. We will do exactly that if needed: stop interacting with the client on that matter, freeze or delay the transaction if possible, and file the STR.

6.4 Transaction Screening (Sanctions/Funds): In addition to name screening at onboarding, we also screen transactions in real-time for sanctions or prohibited parties. For example, if a payment is incoming from a bank or a crypto wallet, the system checks the sender information (if available) against sanctions lists. If we detect a prohibited sender or recipient, we will block the transaction and escalate. For fiat transactions, our partner banks also have their filtering (e.g. SWIFT messages are screened by banks), but we add our own layer. For crypto, we rely on blockchain analytics that flag if the counterparty address is sanctioned (e.g. an OFAC-listed Bitcoin address) or associated with dark markets. If a sanctions hit occurs, we will take steps to freeze the assets (if already credited) and inform the FIU promptly.
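Screening of a counterparty name and wallet address, as an added example written for this page (not the Company’s system and not any analytics vendor’s code). The list entries are constructed placeholders, and the corporate-suffix set and the REVIEW outcome for a counterparty with no identifiers are assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, obviously fictitious list entries used only to exercise the logic;
# real screening runs against the official sanctions lists the policy refers to.
BLOCKED_NAMES = {"Example Sanctioned Trading Co", "Jóhn Q. Example"}
BLOCKED_ADDRESSES = {"bc1qexampleblockedaddress00000000000000000"}

# Corporate suffixes dropped before comparison so punctuation or abbreviation
# differences ("Co." vs "Company") cannot defeat an exact-token match (assumed set).
CORPORATE_SUFFIXES = {"co", "company", "ltd", "limited", "inc", "llc", "pvt", "private"}


def normalize_name(name: str) -> str:
    """Case-fold, strip accents and punctuation, drop corporate suffixes, sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", stripped.casefold())
    return " ".join(sorted(t for t in tokens if t not in CORPORATE_SUFFIXES))


NORMALIZED_BLOCKED_NAMES = {normalize_name(n) for n in BLOCKED_NAMES}


@dataclass
class Payment:
    direction: str                       # "in" (incoming) or "out" (outgoing)
    counterparty_name: Optional[str]     # None when the rail gives no sender/recipient name
    counterparty_address: Optional[str]  # crypto address, if the leg is on-chain
    amount: float
    currency: str


@dataclass
class ScreeningResult:
    decision: str                        # "BLOCK", "REVIEW" or "CLEAR"
    reasons: List[str] = field(default_factory=list)


def screen_payment(p: Payment) -> ScreeningResult:
    """Screen both identifiers; any hit blocks, an unidentifiable counterparty goes to review."""
    reasons = []
    if p.counterparty_name and normalize_name(p.counterparty_name) in NORMALIZED_BLOCKED_NAMES:
        reasons.append(f"name match on listed party: {p.counterparty_name!r}")
    if p.counterparty_address and p.counterparty_address.strip() in BLOCKED_ADDRESSES:
        reasons.append(f"address match on listed wallet: {p.counterparty_address.strip()}")
    if reasons:
        # A hit is blocked and escalated to Compliance; the reasons go into the case file.
        return ScreeningResult("BLOCK", reasons)
    if not p.counterparty_name and not p.counterparty_address:
        # Assumed handling: with nothing to screen, hold for manual review rather than clear.
        return ScreeningResult("REVIEW", ["no counterparty identifiers available"])
    return ScreeningResult("CLEAR")
```

Token sorting makes "Example, Jóhn Q." and "JOHN Q EXAMPLE" compare equal, which is the kind of variation a plain string comparison would miss.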

6.5 Monitoring Employee and Agent Activity: As part of internal controls, we also monitor whether any employee is accessing or trading on accounts suspiciously (to prevent internal collusion or misconduct). Employees are restricted from handling their own accounts or related accounts. Additionally, if we ever use agents or introducers, their transactions or referrals should be monitored to ensure they are not bringing in bad actors.

Through comprehensive monitoring, Ceylon Cash aims to catch suspicious activities early and take appropriate action. The ongoing monitoring forms the basis for our suspicious transaction reporting, which is described next.

  7. Suspicious Transaction Reporting (STR)

One of the most critical obligations under Sri Lankan AML law (FTRA) is that we promptly report suspicious transactions or attempted transactions to the FIU. Filing STRs protects the Company and society by enabling authorities to investigate and disrupt money laundering or terrorist financing schemes. Ceylon Cash has established procedures to ensure any suspicions are escalated and reported in compliance with the law.

7.1 Internal Reporting and Escalation: All employees are trained that if they detect or suspect any potentially suspicious activity, they must report it internally without delay to the designated delegate in Compliance. This report should include all details known – who, what, when, why it seems suspicious, and any supporting documents. We provide a standardized internal STR template for staff to fill out, or they can simply call/email the Compliance department if urgency demands (followed by a written report). The identity of the reporting employee is kept confidential (unless disclosure is required by law in subsequent proceedings, etc.). There will be no retaliatory action against staff for reporting suspicions in good faith – indeed it is expected as part of their duties.

The Compliance Officer (CO) logs all internal reports and begins analysis. They may gather more information from the system, request help from other teams to pull records, etc., all under secrecy. The CO may also discuss the case with senior management as needed without revealing details beyond those with a need to know. (For example, if large funds are involved, the CEO or CFO might be informed that a significant STR is being considered, but details remain limited to those reviewing.) Ultimately, the decision to file an STR with the FIU lies with the Compliance Officer. This avoids any business-side pressure to avoid reporting; even if senior management is consulted, the CO has the autonomy to go ahead and report if they believe it’s necessary.

We ensure that this decision and filing happens quickly – as soon as we determine that suspicion is sufficient. As per best practice, STRs should be filed “promptly” or even immediately upon confirmation. Internally, our target is to file within 24 hours of concluding a transaction is suspicious. In fast-moving scenarios, we file even faster (within the same working day). If for some reason confirmation is pending (like waiting for management sign-off), we do not unduly delay – partial information can be filed and later supplemented.

7.2 Filing to the FIU: Ceylon Cash uses the FIU’s prescribed electronic system (goAML web portal or XML reporting system) to lodge STRs. The STR contains comprehensive details: information on the customer(s) involved, description of the transactions, reasons for suspicion, and any supporting documentation (which we will attach as needed, such as account statements, application forms, chat logs, etc.). We follow the “Suspicious Transactions (Format) Regulations of 2017” for the required format and fields.

The FIU has given reporting institutions guidance to include as much detail as possible, including the who/what/where of the activity and why we suspect it. We avoid vague language – we clearly state the indicators observed (e.g. “Customer attempted to transfer LKR X million to an unrelated party in a high-risk country, inconsistent with stated profile, and gave evasive answers when questioned”). If it’s an attempted transaction that was not completed, we still report it, noting it was declined.

The STR is marked confidential. Once filed, we note the STR reference number in our internal log. No copies of STRs or acknowledgments are kept in customer-facing files – to prevent accidental disclosure. They are kept in the Compliance secure repository only.

It’s an offense to disclose (“tip off”) that an STR has been filed or that an investigation may be underway. All employees, especially the Compliance staff involved, are reminded of this legal obligation. Thus, after filing, we do not inform the customer or any external party. If the customer inquires about a delayed transaction or frozen account related to a filed STR, we respond with generic explanations (system issues, etc. as advised by legal) rather than revealing the suspicion.

7.3 Post-Filing Actions: Upon filing an STR, the Compliance Officer will consider whether we need to take any immediate risk mitigation actions regarding that customer. Depending on the case, options include:

  • Continuing to monitor the account closely but not tipping off (the FIU may instruct us to continue the relationship for intelligence gathering).
  • Temporarily freezing transactions if allowed (though outside of formal freeze orders, we can only delay so much under contract; but if we suspect funds are criminal proceeds, we might try to stall until FIU takes action).
  • Closing the account after a suitable period, if the situation warrants (ensuring closure itself doesn’t tip off, or doing it under some pretext like “business decision”).
  • If it’s a significant case (like linked to terrorist financing or a major syndicate), management might prepare for possible law enforcement inquiries or asset freeze orders. We keep STRs confidential, but we ensure records that might be requested (CCTV footage if any in office, chat logs, etc.) are preserved.

We also comply with any follow-up requests from the FIU. Sometimes the FIU might ask for additional information after an STR. We treat such requests with the highest priority and respond promptly, as allowed by law.

7.4 No Threshold for STRs: Importantly, we file STRs regardless of transaction value – there is no minimum amount for suspicion. Even a small transaction can be part of a bigger laundering scheme or could relate to terrorism. Quality of suspicion matters, not quantity of money.

7.5 Safe Harbor and Legal Protection: As per FTRA, if we report an STR in good faith, our Company and employees are protected from liability (whether civil, criminal or administrative) for breaking any confidentiality restrictions with that report. Also, if we choose to not execute a suspicious transaction and report it, that is allowed. We make sure employees know they are legally protected when following this procedure, to encourage reporting.

7.6 Prohibition on Tipping Off: As stressed before, once a suspicion is formed or an STR filed, absolutely no one outside the limited internal circle may be informed. Staff are trained that even telling the customer “you’re being reported” or any equivalent hint can itself be a criminal offense punishable by fines or imprisonment. We maintain secrecy internally as well – those not involved in the case’s review have no knowledge of it. If multiple staff were involved in analysis, they are all bound by confidentiality. Any breach of this will result in disciplinary action and notification to FIU.

By diligently reporting suspicions to authorities, Ceylon Cash fulfills a key part of its AML/CFT duty. We recognize that we are a vital source of intelligence for law enforcement to combat financial crime. As such, we aim for our STRs to be timely, well-founded, and of high quality, reflecting the thorough analysis done by our Compliance team.

  8. Record Keeping

Proper record-keeping is an essential component of AML/CFT controls and is required by law. Ceylon Cash maintains all relevant records so that we can readily reconstruct transactions or provide evidence of due diligence to regulators or law enforcement upon request. We adhere to the record retention periods mandated by the FIU rules and FTRA.

8.1 Transaction Records: For every transaction processed through Ceylon Cash (whether fiat or crypto), we keep a record with details sufficient to reconstruct the transaction entirely. This includes: date, amount and currency/value, type of transaction (buy/sell, deposit/withdrawal, transfer), the involved accounts/wallets (e.g. sender and receiver identification), and any reference numbers (such as blockchain transaction hash, bank reference, etc.). If a transaction is automated, our systems log these details; if there is any manual intervention, staff document it. We also retain any analysis or investigations related to transactions – for example, if a transaction was flagged and we looked into it, the notes of that inquiry (like why it was deemed okay or suspicious) are kept. All transaction records are kept in either electronic form (databases) or as exportable files. We ensure they are backed up and protected from unauthorized alteration. According to FIU’s CDD Rule 89, such records must be kept for a minimum of six (6) years from the date of completion of the transaction. Ceylon Cash complies with this; in practice, we may keep them longer if needed (especially since customers might have ongoing relationships, we keep the entire history for at least 6 years from relationship end, see below).

8.2 Identification/KYC Records: We retain all documents and information obtained during customer due diligence – copies of ID documents, address proofs, email communications with the customer, account opening forms, risk assessment results, etc. These form the identity record of the customer. As required, these records are kept for at least six (6) years after the business relationship has ended or the date of the last transaction (if it was a one-off transaction). “Relationship ended” typically means the account was officially closed. So if a customer closes their account, we archive their KYC and keep it for 6 more years. If a prospective customer applied but was never onboarded due to failed KYC, we still keep the record of that attempt for some years (not explicitly mandated, but as internal policy maybe 1-2 years, in case needed).

8.3 STR and Compliance Records: All STRs filed, along with the internal documentation of the investigations leading to them, are retained securely. Similarly, records of employee training sessions (dates, attendees, topics), records of internal/external audits and their findings, and records of any communication with regulators (like FIU correspondences, inspection reports) are maintained. STRs and related investigative documents are kept indefinitely or as per regulatory guidance (at least 6 years and typically much longer given their sensitive nature). We also keep logs of any blocked or rejected transactions due to sanctions hits or KYC refusals, as these may be useful for demonstrating our compliance activities.

8.4 Format and Accessibility: Records can be kept in paper or electronic form, or other retrievable forms like microfilm as allowed. Ceylon Cash primarily uses electronic storage to enable quick search and retrieval. We index records by customer and date so that we can promptly comply if, say, the FIU asks for all documents related to Customer X or transaction Y. The FIU rules (CDD Rule 94) require that all CDD information and transaction records be available immediately to domestic authorities and the FIU upon request. We therefore ensure no records are locked away in a manner causing delay. Our Compliance Officer is responsible for coordinating record retrieval for any official request, and we test our ability to retrieve older records periodically.

8.5 Extended Retention: In certain cases, we will retain records beyond 6 years. This is done if: a) we know of an investigation or legal proceedings involving the customer/transaction that are ongoing – then we keep records until we are cleared to dispose; or b) by direction of the FIU or court order to hold records longer. FIU Rule 93 explicitly says to retain longer if transactions, customers or accounts are involved in litigation or needed as evidence. Ceylon Cash will thus preserve relevant records until it is confirmed that they are no longer required.

8.6 Data Security of Records: Given the sensitivity, all AML records are kept secure. Electronic records are access-controlled (only Compliance and senior management can access full KYC documents, for instance). Any physical papers (if any) are in locked cabinets in a secure area. We have disaster recovery for records – backups in separate secure locations to prevent data loss. When records eventually age beyond retention and are to be destroyed, we do so securely (shredding physical documents, permanent deletion of electronic files) to avoid any data leakage.

8.7 Audit Trail: Every transaction record and KYC record is maintained with an audit trail to show which employee entered or approved it, and any changes made. This helps in internal accountability and also demonstrates integrity of records if ever challenged.

By keeping detailed and organized records, Ceylon Cash not only complies with legal requirements, but also equips itself to respond to any inquiries and to conduct effective retrospective reviews if needed. Good record-keeping is also crucial for the independent audits discussed next, as they rely on these records to verify our compliance.

  9. Training and Awareness

An AML/CFT program is only as effective as the people implementing it. Therefore, Ceylon Cash invests in ongoing training to ensure that all relevant employees are aware of their responsibilities and are capable of identifying and dealing with potential money laundering or terrorist financing events. Training is not a one-time event but a continuous effort.

9.1 New Employee Training: All new hires at Ceylon Cash, regardless of department, receive basic AML/CFT awareness training as part of their orientation. This training covers the importance of AML/CFT, an overview of relevant laws (FTRA, PMLA, etc.), the company’s policy and zero-tolerance for non-compliance, and practical instructions on how to report suspicious activities internally. For roles that are more directly involved in financial transactions or customer onboarding (like compliance team, customer service, finance operations), the training is more intensive and job-specific from the start.

9.2 Ongoing Training Program: At least annually, and more frequently as needed, the Compliance Officer arranges formal training sessions for all staff. The training program is tailored to different audiences: for example, front-line customer onboarding staff get training focusing on KYC procedures and document forgery detection; the trading operations team might get training on spotting unusual trading patterns; IT staff are trained on red flags related to cybersecurity breaches that could facilitate ML. Senior management and the Board also receive periodic briefings/training on their oversight role and latest developments (ensuring the tone at the top remains strong).

9.3 Training Content: The curriculum is updated regularly to include:

  • Current laws and regulatory obligations: any changes in regulations, new circulars from FIU, or enforcement actions in Sri Lanka that highlight expectations.
  • Company Policies and Procedures: reminding employees of the specific procedures they must follow (for instance, how to correctly fill a KYC form, or how to escalate an STR internally using our system).
  • ML/TF Typologies and Red Flags: practical examples of how money laundering can occur in fintech and crypto contexts. For example, demonstrating a case study of a drug trafficker using crypto exchanges to launder money, or how terrorist financiers might use multiple accounts. We share both local case studies (if any known) and international cases (like well-known crypto exchange enforcement cases) to illustrate the warning signs. Employees are taught specific red flags relevant to their function.
  • How to respond to Suspicious Activity: emphasizing the “don’t tip off” rule and exactly how to file internal reports. Role-playing exercises may be used (like presenting a scenario and asking staff what they’d do).
  • Sanctions compliance: making sure staff understand how critical sanctions checks are, what to do if a hit occurs, and reviewing the lists that we have to obey.
  • Personal liability: making it clear that non-compliance can lead to regulatory penalties or even criminal charges for the company and individuals. This reinforces the seriousness.
  • Emerging Trends: If new risks emerge (like new fraud schemes, new FATF guidance on virtual assets, etc.), those are integrated. For instance, training might cover the FATF Travel Rule requirements and how we implement them, so that relevant staff know why they might need to gather additional information for crypto transfers.

We make training engaging and understandable, sometimes inviting external experts or using multimedia. Each session’s attendance is recorded (sign-in sheets or electronic logs). We also conduct knowledge assessments (quizzes) periodically to gauge effectiveness.

9.4 Specialized Training: Certain roles require specialized training and potentially certification. Our Compliance Officer and team members may attend external AML certification courses (e.g. CAMS) or FIU’s training programs to deepen their expertise. The IT team might receive training on how to administer the transaction monitoring system or on cybersecurity aspects of AML (since hacks and laundering intersect). Senior management might attend workshops or seminars on AML governance. We encourage continuous professional development in this domain.

9.5 Refreshers and Updates: Whenever there is a significant change (say, the FIU issues a new guideline or we add a new product), we issue a special training update or memo. For example, if tomorrow the law extends AML obligations explicitly to crypto exchanges, we will conduct an immediate briefing on what that means practically. Or if a big incident happened globally (e.g., a major crypto exchange was fined for AML lapses), we use that as a learning opportunity to reinforce messages.

9.6 Employee Testing and Acknowledgment: After key training sessions, we may administer tests to ensure understanding. Employees are also required to acknowledge that they have read and understood the AML/CFT Policy (usually on hire and annually thereafter). This acknowledgement is kept on file. If someone fails to attend mandatory training, Compliance will follow up to ensure they complete it, possibly via an online module if they missed the live session.

9.7 Effectiveness Evaluation: The Compliance Officer will evaluate the training program’s effectiveness by tracking metrics like: number of internal reports coming from staff (a sign they are applying training), feedback from attendees, quiz scores, and observation of any compliance errors. If issues are found (e.g., staff still confused about a procedure), the training content or frequency is adjusted.

Through rigorous training and continual awareness efforts, Ceylon Cash strives to create a knowledgeable workforce that is alert to ML/TF risks and fully equipped to manage them. Our goal is that compliance becomes ingrained in daily operations, not seen as a burden but as part of professional duty.

  10. Independent Testing and Audit of the AML Program

Regular independent reviews of our AML/CFT program ensure that our policies and controls are not only in place on paper but are effective in practice. Ceylon Cash commits to having its AML/CFT Compliance Program independently tested at least annually, or more often if warranted by risk or regulatory expectation.

10.1 Internal Audit Function: If Ceylon Cash has an internal audit department, AML/CFT compliance will be part of its audit plan. Internal Audit (which operates independently from the Compliance function and reports to the Board/Audit Committee) will conduct a thorough audit covering: policy adequacy, adherence to procedures, regulatory reporting accuracy, system effectiveness, and sample testing of customer files and transactions. They will look for any control gaps or instances of non-compliance. For example, they might review a random sample of KYC files to see if documentation is complete and genuine, check a sample of STRs to see if they were filed timely, or even simulate a suspicious transaction to see if the monitoring system catches it. They also verify that record-keeping meets requirements (e.g., can we retrieve a 5-year-old record promptly?). The internal auditors will reference FIU guidelines and any past FIU examination findings to ensure we fixed prior issues.

10.2 External Independent Audit: If internal audit capacity is limited or for added assurance, Ceylon Cash may engage an external auditor or consultant specializing in AML to perform an independent review. This is particularly useful given the evolving nature of crypto compliance – an external expert might benchmark us against industry best practices. They would examine both design and operational effectiveness of our program.

10.3 Scope of Testing: The independent tester (internal or external) will typically evaluate:

  • Compliance with Laws/Regulations: Are we in compliance with all applicable requirements (FTRA, etc.)? For instance, have we filed all required STRs and any threshold reports? Are there any instances where we should have filed an STR and didn’t?
  • Policy Implementation: Is what’s written in this Policy actually being done? For example, the Policy says we verify ID before account opening – the audit will try to find whether any active accounts have missing or unverified KYC (which should not happen).
  • Effectiveness of Controls: Are the controls working? E.g., test the sanctions screening by inputting a dummy sanctioned name to see if system blocks it. Or review if high-risk customers indeed had senior management approval documented.
  • Employee Knowledge: Auditors might interview a few staff to gauge their understanding of AML procedures (basically checking if training has sunk in).
  • Record Quality: Are records complete and well-kept? Are STR supporting documents available?
  • Management Oversight: Are reports being given to the Board? Are issues raised being addressed timely?

10.4 Reporting of Audit Results: The results of any independent review are documented in a report. Findings are categorized by severity (e.g., high, medium, low risk issues) and include recommendations. This report is presented to Senior Management and the Board (or relevant Board Committee) to ensure top-level awareness and accountability for remediation.

For example, an audit might find that while overall the program is good, perhaps some CDD files lacked evidence of address verification – which might be a medium finding to fix. Or maybe the transaction monitoring scenarios need fine-tuning because they produce too many false positives or false negatives – that could be a high priority to address.

10.5 Corrective Actions: Ceylon Cash will promptly address any deficiencies identified. The Compliance Officer, together with relevant department heads, will prepare a Corrective Action Plan specifying how and by when each finding will be resolved. This may involve updating procedures, retraining staff, enhancing systems, or in some cases disciplining staff if a lapse was due to negligence. Progress on remediation is tracked and reported to the Board until closure.

10.6 Regulatory Examinations: In addition to our own initiated audits, we anticipate that regulators (FIU or CBSL) may conduct examinations of our AML controls, especially once a regulatory regime for VASPs is formalized or if we operate under existing provisions. We treat regulatory examinations with the same seriousness as an audit. The Compliance Officer coordinates these, ensures all requested information is provided, and any recommendations by regulators are implemented swiftly. Historically, FIU Sri Lanka has engaged in on-site examinations of reporting institutions to test compliance, and we will be prepared for such oversight.

10.7 Continuous Improvement: Independent testing is not a check-the-box exercise, but a tool for continuous improvement. Even if no major issues are found, we use the opportunity to identify how we can streamline or strengthen our processes. The AML landscape and typologies evolve, so an area that was fine last year might need bolstering this year. We also keep track of common findings in the industry (if other exchanges or fintechs got fined for something, we preemptively check that in our program).

By conducting rigorous independent audits and promptly fixing any shortcomings, Ceylon Cash ensures that its AML/CFT program remains effective and robust against regulatory scrutiny. This proactive approach helps maintain trust with regulators, banking partners, and customers, demonstrating that we operate with the highest compliance standards.

  11. Conclusion and Approval

This AML/CFT Policy provides a comprehensive framework aligning with Sri Lanka’s legal requirements and international best practices, tailored to Ceylon Cash’s business as a crypto-focused fintech entity. It is intended to be a living document – reviewed regularly and responsive to new threats, regulatory changes, and business developments. All staff are required to adhere to both the letter and spirit of this Policy.

The Policy has been reviewed and approved by the Board of Ceylon Cash (Pvt) Ltd as of the date indicated in the version control. The Board and senior management are committed to fostering an organizational culture that emphasizes ethical conduct and compliance with AML/CFT obligations at all levels.

By following this Policy, Ceylon Cash endeavors to not only comply with the law but to contribute to the global fight against financial crime, thereby protecting our customers, our community, and the integrity of the financial system.

Approved by: Board of Directors, Ceylon Cash (Private) Limited

Effective date: 20th February 2025