SkinJoker Tech Ltd. Anti-Money-Laundering & Counter-Terrorist-Financing (AML/CTF) and Know-Your-Customer (KYC) Policy
1. Purpose
This Policy sets out the comprehensive framework adopted by SkinJoker Tech Ltd. (“SkinJoker,” “Company,” “we,” “our”) to detect, deter and report money-laundering (ML), terrorism-financing (TF), sanctions evasion, fraud and any other illicit use of the cryptocurrency gaming platform skinjoker.com (the “Site”). The Policy supplements our Terms & Conditions, Privacy Policy, Responsible-Gaming Policy, Game Fairness & Integrity Statement and General Rules.
Although we operate without a state gambling licence, SkinJoker voluntarily aligns with:
- The Financial Action Task Force (FATF) Recommendations (updated February 2024);
- Hong Kong Anti-Money-Laundering & Counter-Terrorist-Financing Ordinance (Cap. 615);
- EU Sixth Anti-Money-Laundering Directive (AMLD 6);
- FinCEN guidance for convertible virtual-currency (CVC) providers;
- Joint Working Group IVMS 101 Travel-Rule Standard.
2. Scope & Application
Subject Entities
- All natural persons using the Site (“Players”).
- All SkinJoker directors, officers, employees and contractors (“Staff”).
- Third-party service providers performing AML/KYC functions (“Associated Parties”).
Covered Activities
- Cryptocurrency deposits, wagers, withdrawals, voucher redemptions and promotional credits.
- Player-to-Player (“P2P”) transfers (if enabled).
- Any other financial or value transfer activity facilitated by the Site.
3. Legal & Regulatory Framework (Key Provisions)
Instrument | Relevance |
---|---|
FATF Rec. 1, 10-16, 20 | Risk-based approach, CDD, record-keeping, SAR filing, reliance on third parties, crypto Travel Rule |
Hong Kong Cap. 615 (AMLO) | Criminalises ML/TF; mandates CDD, EDD, record retention ≥ 5 years |
EU AMLD 6 | Adds cybercrime & environmental crime as predicate offences; broadens ML liability |
US FinCEN (FIN-2023-G001) | Applies to foreign-located MSBs offering services to US persons |
OFAC, EU & UN Sanctions | Prohibits dealings with listed individuals, entities & wallets |
IVMS 101 | Defines data fields for Travel-Rule transmissions (e.g., originator name, wallet address) |
4. Governance & Organisational Structure
Function | Incumbent | Core Responsibilities |
---|---|---|
Board of Directors | — | Approves AML budget, risk appetite; receives quarterly MLRO reports |
Chief Compliance Officer / MLRO | Jonathan Lee, CAMS, ICA-IntDip(AML) | Designs Policy, signs SARs, liaison with FIUs, reviews EDD files |
Deputy MLRO | Katarina Ng (CAMS) | SAR drafting, daily alert triage, absence cover |
Compliance Operations Team (5 FTE) | — | KYC onboarding, sanctions screening, transaction monitoring |
External Auditor | Deloitte Risk Advisory (Hong Kong) | Annual independent AML audit; penetration testing |
Escalation hierarchy and 24 / 7 contact tree are detailed in Internal SOP AML-001.
5. Risk-Based Methodology (Enterprise-Wide Risk Assessment, “EWRA”)
Reviewed annually and when triggering events occur.
Risk Dimension | Indicators | Current Residual Risk |
---|---|---|
Customer | predominantly cross-border, non-face-to-face onboarding, cryptographic pseudonymity | Medium |
Product / Service | instant crypto in/out, high-volatility tokens, provably-fair in-house games | Medium-High |
Geographic | Marketing focus on EU, North America, Asia; geo-blocks on Schedule A jurisdictions | Medium |
Delivery Channels | web & mobile PWA, API integrations with partner marketplaces | Medium |
6. Customer Due-Diligence Programme
6.1 CDD Tiers & Verification
Tier | Trigger | Data Collected & Verification Method | Tech Tools | SLA |
---|---|---|---|---|
Tier 1 | Account creation | DOB, e-mail, phone, device fingerprint, IP geo-check, sanctions/PEP screen | SumSub API, MaxMind GeoIP | Instant |
Tier 2 | Pre-withdrawal OR deposits/withdrawals ≥ EUR 2 000 / 24 h | Government ID (OCR & NFC), selfie liveness, proof of address ≤ 90 days | SumSub, iDenfy, DocuVision | ≤ 60 min |
Tier 3 (EDD) | Cumulative deposits ≥ USD 50 000 eq., PEP hit, high-risk pattern | Proof of source of funds (bank statements, payslips, tax returns), source of wealth, live video interview | Chainalysis Reactor, Refinitiv World-Check One | ≤ 48 h |
Non-completion within 30 days ➔ account suspension + potential balance freeze pending review.
6.2 Beneficial-Ownership (Corporate Clients)
- Certificate of incorporation, shareholder register (> 25 % BO), director IDs.
- Corporate proof of address, business licence.
- Board resolution authorising account and designated signatory.
6.3 Politically Exposed Persons & Sanctions
- Real-time API screening on onboarding & every 4 h thereafter.
- PEPs permitted subject to Tier 3 EDD + deposit cap USD 10 000 eq./week.
- Positive sanctions result → immediate account lock, funds blocked, MLRO review.
6.4 Travel-Rule Compliance (Crypto Transfers ≥ USD 1 000 eq.)
- Originator & beneficiary data (IVMS 101) sent via CipherTrace Traveler to Travel-Rule-enabled VASP counterparties.
- If beneficiary VASP is non-compliant, withdrawal is routed via in-house Travel-Rule hold wallet pending manual review.
7. Cryptocurrency-Specific Controls
- Blockchain Analytics – Chainalysis KYT risk scoring on every inbound/outbound transaction; score ≥ 75/100 auto-block.
- Mixer / Privacy-Coin Ban – Deposits from Tornado Cash, Blender, CoinJoin clusters, Monero, Zcash-shielded rejected.
- Wallet Management – Fresh deposit address (BIP-32) per transaction; hot-wallet cap = trailing 24-h average withdrawals; multi-sig cold wallets (3/5 quorum) with Hardware Security Modules.
- Address Blacklist – Daily import of OFAC SDN, EU, UN, UK and HKMA crypto-wallet lists.
- Volatility Risk Alert – Auto message if token price drops > 20 % 24-h asking Player to reconfirm withdrawal address.
8. Ongoing Monitoring & Transaction-Screening Programme
8.1 Automated Rule-Set (Sample)
Rule ID | Description | Threshold | Action |
---|---|---|---|
R-01 | ≥ 90 % deposits withdrawn within 60 min, minimal betting | 3 occurrences / 72 h | Tier 3 review |
R-07 | ≥ 5 deposit addresses linked to high-risk exchange cluster | Immediate | Suspend account |
R-12 | IP address change to Schedule A country during session | — | Auto log-out & KYC re-check |
R-20 | Net losses > USD 100 000 eq. in 30 days | — | Enhanced RG outreach + EDD |
8.2 Machine-Learning Module
- Gradient-boosting model (AUC 0.93) flags anomalous wager paths, chip-dumping & collusion rings; retrained monthly on labelled SAR outcomes.
- Features: session length, bet variance, token exchange rate correlation, time-zone irregularities.
9. Suspicious Activity Reporting (SAR)
Step | Timeline | Responsibility |
---|---|---|
Internal escalation via Case Management System | ≤ 4 h from detection | Operations Analyst |
MLRO decision (file / no file) | ≤ 3 business days | MLRO / Deputy |
File SAR to JFIU (HK) or relevant FIU | Immediately after decision | MLRO |
Post-SAR monitoring freeze | 7 days minimum | MLRO |
“Tipping-off” is strictly prohibited (Cap. 405 §25).
10. Record-Keeping & Data Protection
Record | Medium | Retention | Storage |
---|---|---|---|
CDD docs | Encrypted PDF/Image | ≥ 5 years post-closure | AWS S3 (AES-256) |
Blockchain TX logs | CSV/JSON | ≥ 5 years | Hash-chained in AWS QLDB |
SAR & MLRO files | ≥ 5 years post-filing | On-prem HSM-secured vault | |
Training files | LMS | 5 years | EU data centre |
Processing is lawful under Art. 6 (1)(c)(f) GDPR; data shared strictly on a “need-to-know” basis.
11. Training & Staff Competence
Category | Frequency | Duration | Assessment |
---|---|---|---|
New Hire Induction | Day 1 | 6 h | Quiz ≥ 80 % |
Annual Refresher | Yearly | 3 h | Quiz ≥ 85 % |
Specialist (Blockchain Forensics) | Quarterly | 2 h | Practical case study |
Executive Briefing | Semi- | 1 h | Board Q&A session |
Training content reviewed by MLRO & HR; completion tracked in LMS.
12. Independent Audit & Assurance
- Auditor engaged under ISAE 3000 standard.
- Scope: EWRA validation, random 5 % CDD file check, SAR timeliness, system penetration & Travel-Rule test transfers.
- Report delivered to Board; remediation deadlines logged in ComplianceTracker GRC.
13. Breach Management & Enforcement
- Minor Breach (documentation delay < 48 h) → formal reminder + 24 h cure period.
- Material Breach (EDD refusal, high-risk wallet deposit) → account suspension, balance freeze, potential SAR.
- Critical Breach (sanctions match, evidence of terrorist financing) → immediate freeze, SAR, permanent account termination, notice to law-enforcement.
Internal disciplinary procedures apply to Staff negligence or wilful non-compliance (up to dismissal).
14. Review, Change-Control & Version History
Policy reviewed annually or upon regulatory trigger (e.g., new FATF guidance). Change proposals logged in Compliance JIRA; Board approval required for material revisions.
Version | Date | Key Updates |
---|---|---|
2.0 | 21 Apr 2025 | Travel-Rule, mixer ban, sanctions API |
3.0 | 21 Apr 2025 | Added ML model, address blacklist, governance table, breach tiers |
15. Appendices
Appendix A — Glossary
(abridged: AML, CDD, EDD, FIU, HSM, IVMS 101, ML, PEP, SAR, TF, VASP)
Appendix B — Schedule A (Restricted Territories)
Australia; Curaçao; Czech Republic; France & DOM-TOM; Iran; Israel; Lithuania; Netherlands & BES; North Korea; Singapore; Spain; Syria; United Kingdom; United States & territories; any comprehensively sanctioned state.
Appendix C — Red-Flag Typology Matrix
Category | Example Indicators | Risk Weight |
---|---|---|
Source of Funds | Deposit from darknet-linked wallet | High |
Transaction Behaviour | Sudden stop of wagering after large win, immediate withdrawal | High |
Geography | IP from high-risk jurisdiction, VPN detected | Medium |
Device Pattern | 10 accounts linked to single device ID | High |
(Full 60-indicator matrix available to authorized Staff in SOP AML-002.)
Contact (24 / 7 / 365)
Money-Laundering Reporting Officer
SkinJoker Tech Ltd.
22/F, 2 International Finance Centre, 8 Finance Street, Central, Hong Kong SAR, China
e-mail: [email protected] (PGP key ID 0x98F1 A7C3)
Hotline: +852 5803 8761
Failure to comply with KYC requests or involvement in suspicious activity will result in account suspension, possible forfeiture of funds and notification to the competent authorities.
Play responsibly. 18 + only.