SkinJoker Tech Ltd. Anti-Money-Laundering & Counter-Terrorist-Financing (AML/CTF) and Know-Your-Customer (KYC) Policy

1. Purpose

This Policy sets out the comprehensive framework adopted by SkinJoker Tech Ltd. (“SkinJoker,” “Company,” “we,” “our”) to detect, deter and report money-laundering (ML), terrorism-financing (TF), sanctions evasion, fraud and any other illicit use of the cryptocurrency gaming platform skinjoker.com (the “Site”). The Policy supplements our Terms & Conditions, Privacy Policy, Responsible-Gaming Policy, Game Fairness & Integrity Statement and General Rules.

Although we operate without a state gambling licence, SkinJoker voluntarily aligns with:

The Financial Action Task Force (FATF) Recommendations (updated February 2024);
Hong Kong Anti-Money-Laundering & Counter-Terrorist-Financing Ordinance (Cap. 615);
EU Sixth Anti-Money-Laundering Directive (AMLD 6);
FinCEN guidance for convertible virtual-currency (CVC) providers;
Joint Working Group IVMS 101 Travel-Rule Standard.

2. Scope & Application

Subject Entities

All natural persons using the Site (“Players”).
All SkinJoker directors, officers, employees and contractors (“Staff”).
Third-party service providers performing AML/KYC functions (“Associated Parties”).

Covered Activities

Cryptocurrency deposits, wagers, withdrawals, voucher redemptions and promotional credits.
Player-to-Player (“P2P”) transfers (if enabled).
Any other financial or value transfer activity facilitated by the Site.

3. Legal & Regulatory Framework (Key Provisions)

Instrument	Relevance
FATF Rec. 1, 10-16, 20	Risk-based approach, CDD, record-keeping, SAR filing, reliance on third parties, crypto Travel Rule
Hong Kong Cap. 615 (AMLO)	Criminalises ML/TF; mandates CDD, EDD, record retention ≥ 5 years
EU AMLD 6	Adds cybercrime & environmental crime as predicate offences; broadens ML liability
US FinCEN (FIN-2023-G001)	Applies to foreign-located MSBs offering services to US persons
OFAC, EU & UN Sanctions	Prohibits dealings with listed individuals, entities & wallets
IVMS 101	Defines data fields for Travel-Rule transmissions (e.g., originator name, wallet address)

4. Governance & Organisational Structure

Function	Incumbent	Core Responsibilities
Board of Directors	—	Approves AML budget, risk appetite; receives quarterly MLRO reports
Chief Compliance Officer / MLRO	Jonathan Lee, CAMS, ICA-IntDip(AML)	Designs Policy, signs SARs, liaison with FIUs, reviews EDD files
Deputy MLRO	Katarina Ng (CAMS)	SAR drafting, daily alert triage, absence cover
Compliance Operations Team (5 FTE)	—	KYC onboarding, sanctions screening, transaction monitoring
External Auditor	Deloitte Risk Advisory (Hong Kong)	Annual independent AML audit; penetration testing

Escalation hierarchy and 24 / 7 contact tree are detailed in Internal SOP AML-001.

5. Risk-Based Methodology (Enterprise-Wide Risk Assessment, “EWRA”)

Reviewed annually and when triggering events occur.

Risk Dimension	Indicators	Current Residual Risk
Customer	predominantly cross-border, non-face-to-face onboarding, cryptographic pseudonymity	Medium
Product / Service	instant crypto in/out, high-volatility tokens, provably-fair in-house games	Medium-High
Geographic	Marketing focus on EU, North America, Asia; geo-blocks on Schedule A jurisdictions	Medium
Delivery Channels	web & mobile PWA, API integrations with partner marketplaces	Medium

6. Customer Due-Diligence Programme

6.1 CDD Tiers & Verification

Tier	Trigger	Data Collected & Verification Method	Tech Tools	SLA
Tier 1	Account creation	DOB, e-mail, phone, device fingerprint, IP geo-check, sanctions/PEP screen	SumSub API, MaxMind GeoIP	Instant
Tier 2	Pre-withdrawal OR deposits/withdrawals ≥ EUR 2 000 / 24 h	Government ID (OCR & NFC), selfie liveness, proof of address ≤ 90 days	SumSub, iDenfy, DocuVision	≤ 60 min
Tier 3 (EDD)	Cumulative deposits ≥ USD 50 000 eq., PEP hit, high-risk pattern	Proof of source of funds (bank statements, payslips, tax returns), source of wealth, live video interview	Chainalysis Reactor, Refinitiv World-Check One	≤ 48 h

Non-completion within 30 days ➔ account suspension + potential balance freeze pending review.

6.2 Beneficial-Ownership (Corporate Clients)

Certificate of incorporation, shareholder register (> 25 % BO), director IDs.
Corporate proof of address, business licence.
Board resolution authorising account and designated signatory.

6.3 Politically Exposed Persons & Sanctions

Real-time API screening on onboarding & every 4 h thereafter.
PEPs permitted subject to Tier 3 EDD + deposit cap USD 10 000 eq./week.
Positive sanctions result → immediate account lock, funds blocked, MLRO review.

6.4 Travel-Rule Compliance (Crypto Transfers ≥ USD 1 000 eq.)

Originator & beneficiary data (IVMS 101) sent via CipherTrace Traveler to Travel-Rule-enabled VASP counterparties.
If beneficiary VASP is non-compliant, withdrawal is routed via in-house Travel-Rule hold wallet pending manual review.

7. Cryptocurrency-Specific Controls

Blockchain Analytics – Chainalysis KYT risk scoring on every inbound/outbound transaction; score ≥ 75/100 auto-block.
Mixer / Privacy-Coin Ban – Deposits from Tornado Cash, Blender, CoinJoin clusters, Monero, Zcash-shielded rejected.
Wallet Management – Fresh deposit address (BIP-32) per transaction; hot-wallet cap = trailing 24-h average withdrawals; multi-sig cold wallets (3/5 quorum) with Hardware Security Modules.
Address Blacklist – Daily import of OFAC SDN, EU, UN, UK and HKMA crypto-wallet lists.
Volatility Risk Alert – Auto message if token price drops > 20 % 24-h asking Player to reconfirm withdrawal address.

8. Ongoing Monitoring & Transaction-Screening Programme

8.1 Automated Rule-Set (Sample)

Rule ID	Description	Threshold	Action
R-01	≥ 90 % deposits withdrawn within 60 min, minimal betting	3 occurrences / 72 h	Tier 3 review
R-07	≥ 5 deposit addresses linked to high-risk exchange cluster	Immediate	Suspend account
R-12	IP address change to Schedule A country during session	—	Auto log-out & KYC re-check
R-20	Net losses > USD 100 000 eq. in 30 days	—	Enhanced RG outreach + EDD

8.2 Machine-Learning Module

Gradient-boosting model (AUC 0.93) flags anomalous wager paths, chip-dumping & collusion rings; retrained monthly on labelled SAR outcomes.
Features: session length, bet variance, token exchange rate correlation, time-zone irregularities.

9. Suspicious Activity Reporting (SAR)

Step	Timeline	Responsibility
Internal escalation via Case Management System	≤ 4 h from detection	Operations Analyst
MLRO decision (file / no file)	≤ 3 business days	MLRO / Deputy
File SAR to JFIU (HK) or relevant FIU	Immediately after decision	MLRO
Post-SAR monitoring freeze	7 days minimum	MLRO

“Tipping-off” is strictly prohibited (Cap. 405 §25).

10. Record-Keeping & Data Protection

Record	Medium	Retention	Storage
CDD docs	Encrypted PDF/Image	≥ 5 years post-closure	AWS S3 (AES-256)
Blockchain TX logs	CSV/JSON	≥ 5 years	Hash-chained in AWS QLDB
SAR & MLRO files	PDF	≥ 5 years post-filing	On-prem HSM-secured vault
Training files	LMS	5 years	EU data centre

Processing is lawful under Art. 6 (1)(c)(f) GDPR; data shared strictly on a “need-to-know” basis.

11. Training & Staff Competence

Category	Frequency	Duration	Assessment
New Hire Induction	Day 1	6 h	Quiz ≥ 80 %
Annual Refresher	Yearly	3 h	Quiz ≥ 85 %
Specialist (Blockchain Forensics)	Quarterly	2 h	Practical case study
Executive Briefing	Semi-	1 h	Board Q&A session

Training content reviewed by MLRO & HR; completion tracked in LMS.

12. Independent Audit & Assurance

Auditor engaged under ISAE 3000 standard.
Scope: EWRA validation, random 5 % CDD file check, SAR timeliness, system penetration & Travel-Rule test transfers.
Report delivered to Board; remediation deadlines logged in ComplianceTracker GRC.

13. Breach Management & Enforcement

Minor Breach (documentation delay < 48 h) → formal reminder + 24 h cure period.
Material Breach (EDD refusal, high-risk wallet deposit) → account suspension, balance freeze, potential SAR.
Critical Breach (sanctions match, evidence of terrorist financing) → immediate freeze, SAR, permanent account termination, notice to law-enforcement.

Internal disciplinary procedures apply to Staff negligence or wilful non-compliance (up to dismissal).

14. Review, Change-Control & Version History

Policy reviewed annually or upon regulatory trigger (e.g., new FATF guidance). Change proposals logged in Compliance JIRA; Board approval required for material revisions.

Version	Date	Key Updates
2.0	21 Apr 2025	Travel-Rule, mixer ban, sanctions API
3.0	21 Apr 2025	Added ML model, address blacklist, governance table, breach tiers

15. Appendices

Appendix A — Glossary
(abridged: AML, CDD, EDD, FIU, HSM, IVMS 101, ML, PEP, SAR, TF, VASP)

Appendix B — Schedule A (Restricted Territories)
Australia; Curaçao; Czech Republic; France & DOM-TOM; Iran; Israel; Lithuania; Netherlands & BES; North Korea; Singapore; Spain; Syria; United Kingdom; United States & territories; any comprehensively sanctioned state.

Appendix C — Red-Flag Typology Matrix

Category	Example Indicators	Risk Weight
Source of Funds	Deposit from darknet-linked wallet	High
Transaction Behaviour	Sudden stop of wagering after large win, immediate withdrawal	High
Geography	IP from high-risk jurisdiction, VPN detected	Medium
Device Pattern	10 accounts linked to single device ID	High

(Full 60-indicator matrix available to authorized Staff in SOP AML-002.)

Contact (24 / 7 / 365)

Money-Laundering Reporting Officer
SkinJoker Tech Ltd.
22/F, 2 International Finance Centre, 8 Finance Street, Central, Hong Kong SAR, China
e-mail: [email protected] (PGP key ID 0x98F1 A7C3)
Hotline: +852 5803 8761

Failure to comply with KYC requests or involvement in suspicious activity will result in account suspension, possible forfeiture of funds and notification to the competent authorities.
Play responsibly. 18 + only.

SkinJoker Tech Ltd.​ Anti-Money-Laundering & Counter-Terrorist-Financing (AML/CTF) and Know-Your-Customer (KYC) Policy