AML Policy

company: Comentive LTD

website: super-spin.com

1. Sanctions Policy

1.1 Overview

The Company is committed to full compliance with all applicable sanctions laws and regulations, including those imposed by the United States Office of Foreign Assets Control (OFAC), the United Nations Security Council (UNSC), the European Union (EU), and HM Treasury's Office of Financial Sanctions Implementation (OFSI) in the United Kingdom. These regimes prohibit financial and business relationships with designated individuals, entities, and countries deemed to pose a threat to national or international security or to be involved in terrorism, weapons proliferation, or organized crime.

1.2 Objectives

The objective of this Sanctions Policy is to:

  • Prevent the Company from engaging in any transaction that directly or indirectly involves sanctioned individuals or entities.
  • Ensure that all customers, business partners, and financial transactions are screened against up-to-date sanctions lists.
  • Mitigate the risk of reputational, regulatory, and legal exposure due to sanctions breaches.
1.3 Screening Procedures

The Company conducts:

  • Initial Sanctions Screening: During the onboarding process, all individuals and corporate entities are screened against the latest consolidated sanctions lists from OFAC, UNSC, EU, and UK.
  • Ongoing Screening: Daily automated re-screening of customer data against updated lists to detect matches or new sanctions impositions.
  • Payment Screening: All incoming and outgoing financial transactions are screened to ensure they do not involve sanctioned parties.
1.4 Use of Technology

To perform effective sanctions screening, the Company employs third-party compliance tools integrated with global sanctions databases. The screening solution:

  • Automatically updates sanctions lists as the issuing bodies publish changes.
  • Performs fuzzy matching and transliteration checks to catch spelling variations.
  • Maintains logs of all screening results and matches for auditability.
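The normalisation and fuzzy matching described above, shown as an added example that is not the Company's screening tool or any vendor's code. The list entries, the transliteration table, the `difflib` similarity and the 0.85 threshold are all assumptions for illustration; a real deployment pulls the consolidated OFAC, UN, EU and UK lists and uses the vendor's own matcher.

```python
"""Sanctions name screening with normalisation and fuzzy matching (section 1.4).
Added example on a constructed list: the entries, the transliteration table and
the 0.85 threshold are assumptions, not real designations or vendor logic."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Hand-made table folding common transliteration variants and dropping name
# particles. Illustrative assumption; vendor tools ship far larger tables per script.
TRANSLIT = {
    "mohammed": "muhammad", "mohamed": "muhammad", "mohammad": "muhammad",
    "yevgeny": "evgeny", "evgeniy": "evgeny", "evgenii": "evgeny",
    "al": "", "el": "", "bin": "", "ibn": "",   # particles removed entirely
}


def normalise(name: str) -> tuple:
    """Casefold, strip diacritics and punctuation, fold variants, drop particles,
    then sort tokens so 'Rashid, Muhammad Al' and 'Muhammad Al Rashid' compare equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.casefold())
    tokens = [TRANSLIT.get(tok, tok) for tok in text.split()]
    return tuple(sorted(tok for tok in tokens if tok))


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the normalised forms. difflib stands in for the
    vendor matcher (Jaro-Winkler or a phonetic key would be typical there)."""
    return SequenceMatcher(None, " ".join(normalise(a)), " ".join(normalise(b))).ratio()


@dataclass(frozen=True)
class ListEntry:
    uid: str                    # list-issuer reference
    names: tuple                # primary name plus aliases
    dob: Optional[str] = None   # ISO date when the list publishes one


@dataclass(frozen=True)
class Hit:
    uid: str
    matched_name: str
    score: float
    dob_conflict: bool          # name matched but the listed DOB differs


def screen(customer_name: str, customer_dob: Optional[str], entries, threshold: float = 0.85):
    """Return hits at or above threshold, best first. A hit with dob_conflict=True is
    a likely false positive for analyst review, not grounds for automatic suspension."""
    hits = []
    for entry in entries:
        best_name, best = None, 0.0
        for alias in entry.names:
            score = similarity(customer_name, alias)
            if score > best:
                best_name, best = alias, score
        if best >= threshold:
            conflict = bool(entry.dob and customer_dob and entry.dob != customer_dob)
            hits.append(Hit(entry.uid, best_name, round(best, 3), conflict))
    return sorted(hits, key=lambda h: h.score, reverse=True)


# Constructed list entries for the demo; not real designations.
SAMPLE_LIST = (
    ListEntry("DEMO-0001", ("Muhammad Al Rashid", "Mohammed Al-Rashid"), "1965-03-12"),
    ListEntry("DEMO-0002", ("Jürgen Schäfer",)),
    ListEntry("DEMO-0003", ("Yevgeny Petrov",), "1978-11-02"),
)

if __name__ == "__main__":
    for name, dob in (("Rashid, Muhammad Al", "1965-03-12"),
                      ("Mohammed Al-Rashed", "1990-01-01"),
                      ("Juergen Schaefer", None),
                      ("Maria Rashid", None)):
        print(name, "->", screen(name, dob, SAMPLE_LIST) or "no match")
```

The point of the secondary attribute check is the false-positive path in section 1.5: a name-only match with a conflicting date of birth should land in the analyst queue, while a match on name and DOB justifies immediate suspension. The threshold is a tuning knob; lowering it catches more spelling variants at the cost of more alerts to clear.
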
1.5 Escalation and Investigation

If a potential match is identified, the Compliance Team initiates the following process:

  1. Review the alert and validate whether the match is true or false.
  2. For positive matches, immediately suspend the customer account and related transactions.
  3. Notify the MLRO and escalate to senior management for review.
  4. Submit a Suspicious Activity Report (SAR) if required and notify the appropriate regulatory authority (e.g., Anguilla FIU or OFAC, if applicable).
1.6 Prohibited Activities

The Company strictly prohibits the following:

  • Opening accounts for or processing transactions on behalf of any individual or entity listed on sanctions lists.
  • Allowing access to any of the Company’s platforms or services from a sanctioned country.
  • Using proxy or VPN services to bypass geographic restrictions related to sanctioned jurisdictions.
1.7 Recordkeeping

All screening logs, alerts, investigation outcomes, and related communications are stored securely for a minimum of five years. These records are made available to regulatory authorities upon request.

2. Politically Exposed Persons (PEP) Policy

2.1 Definition and Scope

A Politically Exposed Person (PEP) is defined as an individual who is or has been entrusted with a prominent public function, including heads of state, senior politicians, senior government officials, judicial or military officials, senior executives of state-owned corporations, and important political party officials. This definition extends to family members and close associates of such individuals.

The Company classifies PEPs into:

  • Domestic PEPs: Individuals with political roles in the same country where the Company is licensed (e.g., Anguilla).
  • Foreign PEPs: Individuals holding public positions in foreign countries.
  • International Organization PEPs: Senior management in international bodies such as the UN, IMF, or World Bank.
2.2 Risk-Based Approach

All PEPs are inherently categorized as High Risk customers because of their increased exposure to corruption, bribery, and misuse of public funds. As such, the Company applies a risk-based approach, requiring Enhanced Due Diligence (EDD) measures when establishing or continuing a business relationship with a PEP.

2.3 Identification of PEPs

PEP status is identified at onboarding through:

  • Customer disclosures (mandatory self-declaration).
  • Third-party data providers and screening tools.
  • AML screening software that continuously checks customer data against global PEP lists.
  • Manual review by the Compliance Team for any ambiguous cases.

The status is re-evaluated throughout the business relationship, with updates triggered by changes in occupation, media coverage, or periodic reviews.

2.4 Enhanced Due Diligence Measures

When a customer is identified as a PEP, the following steps are undertaken:

  1. Source of Wealth and Funds Verification: Clear documentation showing the origin of the customer’s assets and ongoing source of income.
  2. Senior Management Approval: No account or relationship with a PEP can be approved without formal approval by senior management.
  3. Increased Monitoring: All financial activity of the PEP is subject to enhanced transaction monitoring. Any unusual pattern is escalated to the MLRO.
  4. Document Retention: Detailed records of EDD procedures, decisions, approvals, and correspondence are securely stored for a minimum of five years.
2.5 Onboarding Restrictions

The Company may refuse to onboard a PEP or may terminate an existing relationship if:

  • The risk is deemed too high.
  • Adequate information regarding source of funds cannot be obtained.
  • The relationship could damage the Company’s reputation or result in regulatory exposure.
2.6 Ongoing Monitoring of PEPs

PEPs are subject to more frequent reviews, typically every 6 months, or sooner if there is a significant change in behavior or political position. The Company’s transaction monitoring tools are configured to automatically flag high-risk activity involving PEPs, such as:

  • Use of shell companies.
  • Large international wire transfers.
  • Sudden changes in transaction volume.
2.7 Training

Compliance and customer-facing staff are trained annually on:

  • Recognizing and verifying PEPs.
  • Conducting and documenting EDD.
  • The risks associated with PEPs and red flags to watch for.
2.8 Reporting Obligations

All established or attempted business relationships with PEPs are logged and made available for regulatory inspection. If a PEP is suspected of being involved in illicit activities, a SAR must be filed promptly with the appropriate authority.

2.9 Sanctions Training and Awareness

All employees undergo mandatory annual training on sanctions compliance, including how to recognize sanctioned names, how to escalate issues, and the consequences of non-compliance. The MLRO is responsible for ensuring that employees remain updated on sanctions developments.

3. Risk Matrix

3.1 Purpose

The Risk Matrix is a core component of the Company’s AML framework. It is used to assess the risk posed by customers and their activities, enabling a proportionate and targeted approach to Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), monitoring, and reporting.

The matrix evaluates multiple factors — both inherent and behavioral — to classify customers into Low, Medium, or High risk categories. The resulting risk level determines the depth of verification, frequency of monitoring, and overall compliance response.

3.2 Risk Categories and Factors

The Company’s Risk Matrix incorporates the following categories and criteria:

3.2.1 Geographic Risk
  • Countries with high levels of corruption or criminal activity (based on FATF, EU, and UN lists).
  • Countries subject to sanctions or embargoes.
  • Countries with weak AML/CFT regimes.
3.2.2 Customer Type
  • Individual vs. corporate clients.
  • PEP status.
  • Nature of the business (e.g., gaming-related entities, cash-intensive businesses).
3.2.3 Product and Channel Risk
  • Use of digital currency (e.g., crypto deposits).
  • Use of third-party payment platforms.
  • Access through high-risk channels such as VPNs, Tor, or anonymising proxies.
3.2.4 Transaction Behavior
  • Deposit and withdrawal patterns.
  • Use of the platform inconsistent with declared profile.
  • Frequent changes in personal or financial information.
3.3 Scoring and Weighting

Each risk category is assigned a score (e.g., 1 = Low Risk, 2 = Medium Risk, 3 = High Risk), with weights applied based on priority. A total risk score is calculated for each customer profile.
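The scoring and weighting above, worked through as an added example that is not the Company's actual matrix. The category scores, weights, thresholds and the heightened-jurisdiction set are assumptions for illustration (the prohibited codes are a subset of section 5.3; "XA" is an ISO private-use code standing in for a heightened-risk jurisdiction). The design point it shows is that a purely additive score can dilute the mandatory triggers elsewhere in this policy, so sanctions matches, prohibited jurisdictions (section 5.3), PEP status (section 2.2) and heightened-risk jurisdictions (section 4.6) are applied as overrides before the arithmetic.

```python
"""Weighted customer risk scoring for the Risk Matrix in section 3.
Added example: category scores, weights, thresholds and jurisdiction sets
below are assumptions for illustration, not the Company's actual parameters."""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3

# Assumed weights per section 3.2 category; geography and customer type weigh most.
WEIGHTS = {"geographic": 3, "customer_type": 3, "product_channel": 2, "behaviour": 2}
MIN_TOTAL = LOW * sum(WEIGHTS.values())    # 10: every category Low
MAX_TOTAL = HIGH * sum(WEIGHTS.values())   # 30: every category High
MEDIUM_AT, HIGH_AT = 13, 18                # assumed thresholds on the weighted total

# Prohibited codes are a subset of section 5.3 (ISO 3166-1 alpha-2). The heightened
# set is a placeholder: "XA" is an ISO private-use code, not a real country.
PROHIBITED = {"KP", "IR", "SY", "RU", "BY", "CU"}
HEIGHTENED = {"XA"}


@dataclass(frozen=True)
class CustomerProfile:
    country: str                        # residence, ISO 3166-1 alpha-2
    is_pep: bool = False
    corporate: bool = False
    cash_intensive: bool = False        # section 3.2.2 "cash-intensive businesses"
    crypto_deposits: bool = False
    third_party_payments: bool = False
    anonymising_network: bool = False   # VPN / Tor / proxy seen at login
    sanctions_hit: bool = False         # confirmed true match from screening
    inconsistent_activity: bool = False
    frequent_detail_changes: bool = False


def category_scores(p: CustomerProfile) -> dict:
    """Score each section 3.2 category 1..3; the worst factor in a category wins."""
    geographic = HIGH if p.country in HEIGHTENED else LOW
    customer_type = HIGH if (p.is_pep or p.cash_intensive) else MEDIUM if p.corporate else LOW
    product_channel = (HIGH if p.anonymising_network
                       else MEDIUM if (p.crypto_deposits or p.third_party_payments) else LOW)
    behaviour = (HIGH if p.inconsistent_activity
                 else MEDIUM if p.frequent_detail_changes else LOW)
    return {"geographic": geographic, "customer_type": customer_type,
            "product_channel": product_channel, "behaviour": behaviour}


def assess(p: CustomerProfile) -> dict:
    """Hard stops and mandatory-EDD overrides first, then the weighted total.

    Additive scoring alone would let a PEP with otherwise clean factors land in
    Medium, contradicting section 2.2, so the overrides run before the arithmetic."""
    if p.sanctions_hit or p.country in PROHIBITED:
        return {"rating": "Prohibited", "reason": "sanctions match or prohibited jurisdiction",
                "scores": None, "total": None}
    scores = category_scores(p)
    total = sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)
    if p.is_pep:
        rating, reason = "High", "PEP: mandatory EDD (section 2.2)"
    elif p.country in HEIGHTENED:
        rating, reason = "High", "heightened-risk jurisdiction: mandatory EDD (section 4.6)"
    elif total >= HIGH_AT:
        rating, reason = "High", f"weighted total {total} >= {HIGH_AT}"
    elif total >= MEDIUM_AT:
        rating, reason = "Medium", f"weighted total {total} >= {MEDIUM_AT}"
    else:
        rating, reason = "Low", f"weighted total {total} < {MEDIUM_AT}"
    return {"rating": rating, "reason": reason, "scores": scores, "total": total}


if __name__ == "__main__":
    for profile in (CustomerProfile("GB"),
                    CustomerProfile("GB", corporate=True, third_party_payments=True),
                    CustomerProfile("GB", anonymising_network=True, inconsistent_activity=True),
                    CustomerProfile("GB", is_pep=True),
                    CustomerProfile("IR")):
        print(profile.country, assess(profile)["rating"], "-", assess(profile)["reason"])
```

Keeping the reason string alongside the rating gives the audit trail required by section 3.6: a reviewer can see whether a High rating came from an override or from the weighted total, and the quarterly review in section 3.5 can retune `WEIGHTS` and the thresholds without touching the override logic.
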

3.4 Risk Mitigation Measures by Category
  • Low Risk: Standard CDD, annual profile review.
  • Medium Risk: Additional verification, semi-annual monitoring.
  • High Risk: Full EDD, manual transaction review, monthly risk assessment, senior management approval for account activity.
3.5 Periodic Review and Update

The MLRO reviews the effectiveness of the Risk Matrix quarterly. This includes:

  • Auditing sample cases for appropriate risk classification.
  • Updating factor weights or thresholds based on emerging threats or typologies.
  • Incorporating new FATF guidance, regulatory changes, or internal audit findings.
3.6 Documentation and Audit Trail

All risk assessments are documented and retained for a minimum of five years, along with any supporting material used in customer profiling or review decisions. The audit trail includes risk scores, assigned ratings, compliance decisions, and any escalations made.

4. Identification Policy (KYC/CDD)

4.1 Purpose and Regulatory Basis

This policy defines the identification and verification procedures applied to all customers under the principles of Know Your Customer (KYC) and Customer Due Diligence (CDD). The Company complies with AML/CFT regulations set by the Anguillan Financial Services Commission (FSC) and international standards such as the FATF Recommendations.

Proper identification is the first step in detecting and preventing money laundering, terrorist financing, fraud, and impersonation. No customer may access or use the platform without passing the identification process.

4.2 KYC/CDD Policy Objectives
  • Ensure all customers are properly identified and verified before establishing a business relationship.
  • Identify the beneficial owner(s) where applicable.
  • Understand the purpose and intended nature of the relationship.
  • Apply enhanced scrutiny to higher-risk customers.
  • Maintain up-to-date and accurate customer information throughout the relationship.
4.3 Customer Onboarding – Minimum Requirements

Before account activation, customers must provide the following documentation:

4.3.1 Individuals
  • Full legal name
  • Date of birth
  • Nationality
  • Residential address
  • Proof of Identity: Government-issued photo ID (passport, national ID, driver’s license)
  • Proof of Address: Utility bill, bank statement, or government correspondence (not older than 90 days)
  • Payment Method Verification: Proof that the payment method (card, wallet, crypto) belongs to the customer
4.3.2 Corporate Customers
  • Certificate of incorporation
  • Memorandum and articles of association
  • Register of shareholders and directors
  • Proof of business address
  • Valid identification and proof of address for UBOs (Ultimate Beneficial Owners)
  • Board resolution approving account opening
  • Source of funds and expected transaction volume
4.4 Verification Procedures
  • Documents are reviewed manually and/or via certified KYC/AML technology providers.
  • Facial recognition, liveness checks, and biometric analysis are employed for identity confirmation.
  • IP address and device fingerprinting are used to detect proxy or suspicious access.

The Company rejects documents that are unclear, expired, tampered, or inconsistent with other data.

4.5 Ongoing KYC/Customer Reviews

KYC is not a one-time process. Ongoing measures include:

  • Periodic Reviews: Customer data is reviewed annually (Low Risk), semi-annually, i.e. every six months (Medium Risk), and quarterly (High Risk).
  • Event-Triggered Reviews: Change of address, unusual activity, or manual flags automatically trigger a KYC refresh.
  • Document Renewal: Expired documents must be updated before further transactions are allowed.
4.6 Enhanced Due Diligence (EDD)

EDD is mandatory for:

  • Politically Exposed Persons (PEPs)
  • Customers from high-risk jurisdictions
  • Unusual or complex business structures
  • Transactions with no clear economic rationale

EDD involves:

  • Collecting additional identity and financial documentation
  • Determining and validating source of wealth and funds
  • Senior management approval
  • Enhanced ongoing monitoring and limits on activity
4.7 Simplified Due Diligence (SDD)

In certain low-risk scenarios (e.g., trusted EU bank transfers under €250), the Company may apply simplified procedures, provided no red flags are present and local regulations allow. However, SDD is never applied when:

  • Suspicious activity is detected
  • The customer is from a high-risk third country
  • The customer refuses to provide required documents
4.8 Failure to Complete KYC

If a customer fails to complete KYC within the designated timeframe (e.g., 14 days post-registration), the account will be:

  • Restricted from deposits and withdrawals
  • Subject to internal review and possible closure
  • Reported if there are indicators of suspicious intent
4.9 Recordkeeping

All documents collected for identification and verification are securely stored for at least five years after the end of the customer relationship. All access is restricted and logged.

4.10 Audit and Review

KYC procedures are subject to quarterly internal audits and ongoing review by the MLRO and Compliance Department to ensure consistency, legal compliance, and operational efficiency.

5. Prohibited Countries Policy

5.1 Purpose

This policy outlines the Company’s approach to identifying and restricting access to its services from countries considered high-risk due to sanctions, insufficient AML/CFT controls, or geopolitical instability. It supports the Company’s broader objective of ensuring compliance with international anti-money laundering laws and mitigating jurisdictional risk.

5.2 Risk-Based Approach

The Company adopts a risk-based framework when determining whether a jurisdiction should be classified as prohibited. This determination is based on factors such as:

  • Classification by the Financial Action Task Force (FATF) as a high-risk jurisdiction.
  • International sanctions imposed by global bodies including the UN, EU, UK, and US.
  • Identified systemic failures in AML/CFT governance.
  • Geopolitical concerns, including active armed conflict or political instability.
  • Risk of fraud, corruption, or terrorist financing as observed through internal reviews and external intelligence.
5.3 Fully Prohibited Jurisdictions

The Company prohibits access to its services from the following jurisdictions, which are considered to present an unacceptable level of risk. These restrictions apply to:

  • Registration and onboarding
  • Access to the platform
  • Deposit and withdrawal functions
  • Use of payment methods associated with the listed countries

As of the most recent review, the following countries are restricted:

  • Afghanistan
  • Belarus
  • Central African Republic
  • Democratic People’s Republic of Korea (North Korea)
  • Democratic Republic of the Congo
  • Iran
  • Iraq
  • Libya
  • Myanmar
  • Russia
  • Somalia
  • South Sudan
  • Sudan
  • Syria
  • Venezuela
  • Yemen
  • Zimbabwe
  • Cuba

This list is reviewed quarterly and updated based on evolving global risk factors and guidance from international bodies.

5.4 Heightened Risk Jurisdictions

Certain jurisdictions are not fully prohibited but are treated as high-risk. Customers associated with these jurisdictions are subject to:

  • Enhanced Due Diligence (EDD)
  • Manual transaction approval
  • Heightened scrutiny and periodic reviews

Examples include countries with high levels of corruption or weak regulatory oversight but no outright sanctions or international restrictions.

5.5 Access Controls and Enforcement

To enforce this policy, the Company implements:

  • Geo-blocking: Automatic IP-based restriction for access from prohibited countries.
  • KYC validation: Analysis of documents to confirm nationality and residency.
  • Payment provider risk flags: Examination of deposit and withdrawal sources for jurisdictional links.
  • Proxy detection systems: Identification and flagging of users attempting to bypass geographic restrictions through VPNs or anonymous browsers.
5.6 Account Restrictions and Closure

If a customer is discovered to have misrepresented their jurisdiction or used obfuscation tools to access the platform from a restricted location:

  • The account will be suspended immediately.
  • Any remaining funds may be frozen pending further review.
  • A suspicious activity report may be submitted to relevant authorities if necessary.
  • The customer relationship will be terminated in accordance with the Company’s Terms of Use.
5.7 Review and Governance

The Compliance Department maintains the prohibited countries list and coordinates with the MLRO to ensure it reflects the latest regulatory developments and risk intelligence. Changes are documented and approved by senior management on a quarterly basis.

5.8 Recordkeeping

All data used to determine the customer’s jurisdiction (including IP logs, device data, onboarding documents, and monitoring alerts) is securely stored for a period of at least five years following account closure.

6. Segregation of Funds Policy

6.1 Purpose

The Company is committed to maintaining full financial transparency and safeguarding customer assets by ensuring the complete segregation of client funds from company operational funds. This policy outlines the procedures for managing customer monies in compliance with regulatory expectations for online gaming and financial services under the laws of Anguilla and international best practices.

6.2 Definition

Segregation of funds refers to the practice of holding customer deposits in separate accounts that are not co-mingled with the Company’s own operational, investment, or creditor-related accounts. This is done to protect customer funds in the event of insolvency, fraud, or operational failure.

6.3 Objectives
  • Ensure customer funds are identifiable, traceable, and protected at all times.
  • Prevent the use of customer funds for company operating expenses, liabilities, or credit obligations.
  • Comply with financial service regulations and maintain fiduciary responsibility.
  • Facilitate transparency in financial reporting and audits.
6.4 Operational Structure

The Company maintains the following safeguards:

6.4.1 Dedicated Bank Accounts
  • Customer funds are deposited into ring-fenced bank accounts held with licensed financial institutions.
  • These accounts are labeled and treated as “Client Funds” accounts internally and externally.
  • Access is restricted to authorized personnel in Finance and Compliance under dual signatory control.
6.4.2 Reconciliation Process
  • Daily automated reconciliation compares ledger balances with actual bank balances.
  • Discrepancies are flagged and resolved within 24 hours.
  • Finance department reviews reconciliation logs and reports issues to the MLRO and CFO.
6.4.3 Ledger Integrity
  • The accounting system maintains individual ledgers for each customer account.
  • Deposit and withdrawal activity is logged in real time.
  • Transfers to or from the operational account must follow pre-approved treasury procedures.
6.5 Insolvency Safeguards

In the unlikely event of company insolvency:

  • Customer funds in segregated accounts will not be considered company assets.
  • Creditors will have no legal claim to client-held balances.
  • An appointed administrator will prioritize the return of customer funds before satisfying company liabilities.

This legal structure will be documented in all contractual banking relationships.

6.6 Oversight and Controls

The segregation policy is enforced through multiple layers of control:

  • Dual authorization for transfers from customer fund accounts.
  • Monthly internal audits by the Compliance and Finance departments.
  • Quarterly external financial audits with full disclosure of segregation practices.
  • Annual policy review conducted by the MLRO and approved by the Board of Directors.
6.7 Staff Responsibilities
  • The Finance Department is responsible for executing and documenting daily reconciliations.
  • The Compliance Department monitors access rights, segregation breaches, and internal reporting.
  • The MLRO ensures that fund segregation policies align with AML/CFT regulations and licensing conditions.
6.8 Incident Management

Any deviation from segregation procedures is classified as a compliance incident and subject to the following process:

  1. Immediate escalation to the MLRO and CFO.
  2. Investigation and incident report within 48 hours.
  3. Implementation of corrective actions and controls.
  4. Reporting to the regulator, if required by law.
6.9 Customer Disclosures

The Company provides transparent information to customers regarding fund protection measures:

  • Segregation practices are outlined in the Terms & Conditions.
  • Customers may request further information about fund handling upon request.
  • The Company does not offer investment or interest on customer balances to avoid fiduciary conflict.
6.10 Recordkeeping

All reconciliation reports, authorization logs, bank confirmations, and policy reviews are maintained for a minimum of five years and are available for regulatory inspection.

7. Safeguarding Policy

7.1 Purpose

The Safeguarding Policy outlines the Company’s approach to protecting both customer funds and sensitive customer information from theft, misuse, loss, or compromise. It complements the Segregation of Funds Policy and forms part of the broader AML/CFT framework, ensuring secure handling of all assets and data entrusted to the Company.

The safeguarding function is essential to building trust, complying with regulatory obligations, and defending against both financial crime and operational risk.

7.2 Scope

This policy applies to all departments and systems involved in:

  • Handling or storing customer funds
  • Processing payments or financial transactions
  • Managing customer data (identity, financial, behavioral)
  • Operating the online gaming platform or back-office systems
7.3 Safeguarding of Customer Funds

Beyond segregation, the Company employs layered protection mechanisms to secure customer balances from misuse, fraud, and external threats.

7.3.1 Payment Service Provider (PSP) Standards
  • The Company partners only with regulated and licensed PSPs and banking partners.
  • Each PSP must demonstrate compliance with PCI DSS, ISO 27001, or other relevant data security standards.
  • Payment flows are regularly reviewed to detect delays, chargebacks, reversals, or failed settlements.
7.3.2 Transaction Controls
  • Daily, weekly, and monthly transaction limits are enforced.
  • Suspicious transaction patterns (e.g., looping, micro-layering) are flagged by automated monitoring systems.
  • Manual approval is required for certain transaction types or thresholds (e.g., large withdrawals).
7.3.3 Contingency and Emergency Access
  • Emergency fund release procedures are in place in case of system failure, regulatory freeze, or third-party technical incident.
  • Only senior management and the MLRO may initiate emergency actions, subject to strict multi-factor verification.
7.4 Safeguarding of Customer Data

The Company ensures the confidentiality, integrity, and availability of all sensitive data through the following practices:

7.4.1 Data Security Infrastructure
  • Personal data is encrypted in transit (TLS) and at rest (AES-256 or an equivalent cipher).
  • Firewalls, intrusion detection systems (IDS), and anti-malware solutions are actively monitored.
  • All sensitive data is hosted in secure, GDPR-compliant environments.
7.4.2 Access Management
  • Access to customer data is role-based and governed by a least-privilege model.
  • Privileged user access is logged, monitored, and reviewed monthly.
  • Remote access requires multi-factor authentication and is granted only with executive-level approval.
7.4.3 Staff Responsibilities and Confidentiality
  • Employees must complete information security and privacy training during onboarding and annually thereafter.
  • Non-disclosure agreements (NDAs) are mandatory for all staff and contractors.
  • Violation of data safeguarding responsibilities leads to disciplinary action or dismissal.
7.5 Platform Integrity

The Company’s online platform is developed and maintained with embedded security measures:

  • Secure software development lifecycle (SSDLC) protocols are followed.
  • Third-party libraries are reviewed for known vulnerabilities.
  • The platform undergoes penetration testing and vulnerability assessments at least twice a year by external security firms.
7.6 Third-Party Vendors and Outsourcing

Any external party with access to customer data or funds (e.g., payment gateways, cloud providers, customer support platforms) must:

  • Sign a binding Data Protection Agreement (DPA)
  • Undergo a compliance due diligence review
  • Be monitored via service level agreements (SLAs) and security audits
7.7 Incident Response and Breach Protocols

In case of a suspected or confirmed data or fund safeguarding breach:

  1. Immediate notification to the MLRO, DPO (if applicable), and Compliance Director.
  2. Activation of the Company’s Incident Response Plan, which includes containment, impact assessment, and escalation.
  3. If personal data is involved, the Data Protection Authority and affected individuals will be notified within required timeframes.
  4. A post-mortem report and mitigation strategy will be documented and reviewed by senior management.
7.8 Review and Testing
  • All safeguarding policies and systems are reviewed annually.
  • Safeguarding measures are stress-tested quarterly using simulations or third-party audits.
  • Staff awareness is tested via drills, phishing simulations, and mystery audits.
7.9 Recordkeeping

Logs related to safeguarding activities — including access logs, breach reports, audit results, and vendor assessments — are maintained for a minimum of five years.

8. Ongoing Monitoring Policy

8.1 Purpose

The purpose of ongoing monitoring is to continuously assess the behavior and activity of customers throughout the lifecycle of their relationship with the Company. While KYC and due diligence are essential at onboarding, ongoing monitoring ensures that any changes in behavior, risk level, or transaction patterns are promptly identified, assessed, and, where necessary, escalated.

This function is a critical element of the Company’s AML/CFT framework and regulatory compliance obligations.

8.2 Scope

This policy applies to:

  • All customer accounts, regardless of risk level
  • All transaction types (deposits, withdrawals, bonuses, gameplay)
  • All employees and departments responsible for monitoring or interacting with customer activity
8.3 Monitoring Objectives
  • Detect suspicious or unusual activity that may indicate money laundering or terrorist financing
  • Identify changes in customer behavior that increase AML risk
  • Ensure the information held about the customer remains accurate and up to date
  • Promptly escalate red flags for investigation or reporting
8.4 Types of Monitoring
8.4.1 Automated Transaction Monitoring

The Company uses real-time and batch-processing tools to monitor:

  • Transaction frequency, value, and velocity
  • Deposit/withdrawal patterns inconsistent with customer profile
  • Use of multiple payment methods or wallets
  • Attempted use of accounts from high-risk IP locations

Alerts generated by the system are reviewed by the Compliance Team daily.

8.4.2 Behavioral Monitoring

Behavioral changes or anomalies may include:

  • Increased gambling intensity or significant changes in stakes
  • Activity inconsistent with declared income or profile
  • Multiple accounts using shared devices or networks
  • Login activity from unusual time zones or flagged jurisdictions

Such patterns are detected through data analytics, player profiling, and behavioral scoring models.

8.4.3 Manual Monitoring and Escalation

In addition to automated controls, the Company performs manual reviews of:

  • High-risk customers (monthly for PEPs and high-risk jurisdictions)
  • Manually triggered cases from customer support, payment team, or fraud teams
  • Customers with pending KYC or flagged documents
  • Transactions over defined thresholds (e.g., €5,000 or equivalent)

All flagged cases are logged in the internal case management system with assigned owners and deadlines.

8.6 Red Flags and Triggers

Examples of red flags include (but are not limited to):

  • Structuring (breaking transactions into small increments)
  • Rapid movement of funds in and out
  • Dormant accounts suddenly becoming highly active
  • Refusal to provide updated KYC when requested
  • Transactions with no visible economic purpose

Red flags must be immediately escalated to the MLRO, who will determine whether further investigation or a Suspicious Activity Report (SAR) is warranted.
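The automated checks of section 8.4.1 and the first two red flags above (structuring, rapid movement of funds) plus the manual-review threshold of section 8.4.3, run over constructed ledger data as an added example. This is not the Company's monitoring system; every threshold and window in it is an assumption, and the three rules are deliberately simple so the logic is visible.

```python
"""Rule-based transaction monitoring for the alert types in sections 8.4.1 and
8.6. Added example on constructed ledger data; every threshold below is an
assumption for illustration, not a Company parameter."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 5000.0              # section 8.4.3: manual review at EUR 5,000
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3              # assumed: fewer deposits is not a pattern
RAPID_WINDOW = timedelta(hours=12)     # assumed look-back before a withdrawal
RAPID_MIN_TURNOVER = 0.2               # assumed: wagered/deposited below this = pass-through
RAPID_MIN_OUTFLOW = 0.8                # assumed: withdrawn/deposited above this = pass-through


@dataclass(frozen=True)
class Tx:
    customer: str
    ts: datetime
    kind: str        # "deposit", "withdrawal" or "wager"
    amount: float


@dataclass(frozen=True)
class Alert:
    customer: str
    rule: str
    detail: str


def rule_large_transaction(txs):
    """Any single deposit or withdrawal at or above the manual-review threshold."""
    return [Alert(t.customer, "LARGE_TX", f"{t.kind} {t.amount:.2f} at {t.ts:%Y-%m-%d %H:%M}")
            for t in txs if t.kind != "wager" and t.amount >= REVIEW_THRESHOLD]


def rule_structuring(txs):
    """Several sub-threshold deposits inside one window that together exceed it."""
    deposits = sorted((t for t in txs if t.kind == "deposit" and t.amount < REVIEW_THRESHOLD),
                      key=lambda t: t.ts)
    alerts, start = [], 0
    for end in range(len(deposits)):
        while deposits[end].ts - deposits[start].ts > STRUCTURING_WINDOW:
            start += 1
        window = deposits[start:end + 1]
        total = sum(t.amount for t in window)
        if len(window) >= STRUCTURING_MIN_COUNT and total >= REVIEW_THRESHOLD:
            alerts.append(Alert(window[0].customer, "STRUCTURING",
                                f"{len(window)} deposits totalling {total:.2f} "
                                f"within {STRUCTURING_WINDOW}"))
            start = end + 1    # do not alert twice on the same deposits
    return alerts


def rule_rapid_movement(txs):
    """Withdrawal shortly after deposits with almost no play in between."""
    alerts = []
    for w in (t for t in txs if t.kind == "withdrawal"):
        recent = [t for t in txs if w.ts - RAPID_WINDOW <= t.ts < w.ts]
        deposited = sum(t.amount for t in recent if t.kind == "deposit")
        wagered = sum(t.amount for t in recent if t.kind == "wager")
        if (deposited > 0 and w.amount >= RAPID_MIN_OUTFLOW * deposited
                and wagered < RAPID_MIN_TURNOVER * deposited):
            alerts.append(Alert(w.customer, "RAPID_MOVEMENT",
                                f"withdrew {w.amount:.2f} of {deposited:.2f} deposited in the "
                                f"last {RAPID_WINDOW}, only {wagered:.2f} wagered"))
    return alerts


RULES = (rule_large_transaction, rule_structuring, rule_rapid_movement)


def monitor(txs):
    """Run every rule per customer; returns {customer: [Alert, ...]} for escalation."""
    by_customer = defaultdict(list)
    for t in txs:
        by_customer[t.customer].append(t)
    alerts = {}
    for customer, own in by_customer.items():
        found = [a for rule in RULES for a in rule(own)]
        if found:
            alerts[customer] = found
    return alerts


def _t(customer, when, kind, amount):
    return Tx(customer, datetime.fromisoformat(when), kind, amount)


# Constructed ledger for three customers (not real data).
SAMPLE_TXS = [
    _t("C-100", "2024-05-01T15:00", "deposit", 1900),
    _t("C-100", "2024-05-01T18:00", "deposit", 1800),
    _t("C-100", "2024-05-01T21:00", "deposit", 1700),
    _t("C-100", "2024-05-01T22:00", "wager", 200),
    _t("C-100", "2024-05-02T01:00", "withdrawal", 5000),
    _t("C-200", "2024-05-01T10:00", "deposit", 100),
    _t("C-200", "2024-05-01T11:00", "wager", 60),
    _t("C-200", "2024-05-01T12:00", "wager", 30),
    _t("C-200", "2024-05-03T10:00", "withdrawal", 40),
    _t("C-300", "2024-05-02T09:00", "deposit", 6000),
]

if __name__ == "__main__":
    for customer, found in monitor(SAMPLE_TXS).items():
        for a in found:
            print(f"{customer} {a.rule}: {a.detail}")
```

In the sample data C-100 trips all three rules (three deposits just under the threshold, a withdrawal of almost the full amount a few hours later, and that withdrawal itself crossing the review line), C-300 is flagged only for the single large deposit, and the ordinary player C-200 produces no alert. Each Alert carries the rule name and the figures behind it, which is what the case management entry in section 8.4.3 and the audit trail in section 8.8 need.
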

8.7 Customer Information Updates

Monitoring includes ensuring customer information is kept up to date. This includes:

  • Verifying email and phone numbers during activity reviews
  • Refreshing expired documents or proof of address
  • Requesting new KYC in case of changed behavior or geography

Failure to provide updated documentation may result in account restrictions or closure.

8.8 Audit Trail and Recordkeeping

Each monitoring event — automated or manual — is logged with the following:

  • Date/time and person responsible
  • System or manual review action
  • Any flags raised and action taken
  • Notes on decision or escalation

These logs are stored securely for a minimum of five years.

8.9 Training and Responsibilities
  • Compliance Team: Oversees the system configuration and first-line analysis
  • MLRO: Reviews high-priority cases and decides on escalation/reporting
  • Customer Support, Payments, and Fraud Teams: Required to report suspicious activity internally
  • All staff receive training on ongoing monitoring concepts, system alerts, and escalation protocols
8.10 System Review

The monitoring system’s parameters, thresholds, and scenarios are reviewed:

  • Monthly by the Compliance Team
  • Quarterly by the MLRO
  • Annually by external auditors (or upon system upgrades)

Adjustments are made to align with emerging typologies and regulatory expectations.

9. Suspicious Activity Reports (SAR) Policy

9.1 Purpose

This policy defines the process by which the Company identifies, documents, and reports suspicious activity to the relevant Financial Intelligence Unit (FIU). Filing a Suspicious Activity Report (SAR) is a legal obligation and a cornerstone of the Company’s anti-money laundering and counter-terrorism financing (AML/CFT) program.

The purpose of this policy is to ensure that all employees understand their role in recognizing, escalating, and assisting in the proper reporting of suspicious behavior, in accordance with regulatory requirements.

9.2 Legal Obligation

Under the AML laws and regulations applicable in Anguilla and aligned with FATF Recommendations:

  • The Company is required to report suspicious transactions or activities promptly to the designated FIU.
  • Reports must be submitted even if the transaction is not completed or later reversed.
  • Employees are protected by legal immunity and confidentiality provisions when submitting internal or external reports in good faith.

9.3 Definition of Suspicious Activity

Suspicious activity refers to any behavior, transaction, or set of circumstances that may indicate:

  • Money laundering or attempted money laundering
  • Terrorist financing
  • Fraud or identity theft
  • Use of the platform for criminal purposes
  • Unexplained wealth or activity inconsistent with a customer’s profile

Examples include:

  • Customers attempting to avoid identification (e.g., refusing to complete KYC)
  • Sudden and unexplained large deposits or withdrawals
  • Use of multiple accounts by the same individual
  • Customers from high-risk jurisdictions making unusual transactions
  • Attempts to structure transactions below reporting thresholds

9.4 Reporting Process
9.4.1 Internal Escalation
  1. Detection: Any employee who notices suspicious behavior must report it immediately via the internal escalation system or directly to the MLRO.
  2. Internal Report (Initial Suspicion Report or ISR): The report should include all relevant facts — customer ID, transaction details, behavior observed, and any supporting evidence.
  3. MLRO Review: The MLRO reviews the ISR within 24–48 hours and determines whether the suspicion is reasonable, and if so, whether a formal SAR should be submitted to the FIU.

9.4.2 External Reporting

If suspicion is confirmed:

  • The MLRO submits a formal SAR to the FIU using the prescribed format and method.
  • The SAR includes a clear narrative, all known customer identifiers, the nature of the activity, and supporting documentation.
  • The Company may choose to freeze transactions or suspend the account where there is a significant risk or a regulatory requirement to do so.

9.5 No Tipping-Off

It is a criminal offense to inform a customer or third party that a SAR has been filed or is being considered. All employees are strictly prohibited from:

  • Notifying the customer of internal suspicion
  • Disclosing SAR content or status
  • Mentioning the involvement of regulators or law enforcement

Violation of this rule is grounds for immediate termination and legal action.

9.6 Staff Responsibilities
  • All employees: Must remain vigilant and report suspicious activity immediately.
  • Customer-facing teams: Should be trained to recognize red flags during onboarding or account interaction.
  • MLRO: Has full responsibility for evaluating, documenting, filing, and managing all SARs.
  • Compliance Team: Assists in gathering relevant documents, logs, and analysis.

9.7 Recordkeeping and Confidentiality
  • All SARs, including internal and external reports, are retained securely for a minimum of five years.
  • Access is restricted to the MLRO and authorized Compliance staff.
  • A SAR log is maintained with anonymized tracking for internal audit purposes.

9.8 Quality Assurance

SAR quality is reviewed quarterly to ensure completeness, clarity, and consistency. Sample SARs are audited internally to ensure:

  • Risk indicators were well documented
  • Filing occurred within appropriate timeframes
  • Supporting evidence is available and well structured

9.9 Training and Awareness

All employees receive mandatory SAR training during onboarding and annually thereafter. Training includes:

  • Examples of suspicious activity
  • How to fill in an internal report
  • How to communicate with the MLRO
  • Importance of discretion and no tipping-off

10. Recordkeeping Policy

10.1 Purpose

This policy establishes the Company’s procedures for the retention, storage, protection, and availability of records relevant to its AML/CFT obligations. Proper recordkeeping ensures that the Company can:

  • Provide an audit trail for customer activity
  • Support investigations by regulators or law enforcement
  • Demonstrate compliance with AML laws, licensing requirements, and risk mitigation standards

All recordkeeping practices are in line with the legal framework applicable in Anguilla and aligned with international standards such as the FATF Recommendations.

10.2 Scope

The following categories of records must be retained under this policy:

  • Customer identification documents and KYC data
  • Transaction records (deposits, withdrawals, internal transfers)
  • Enhanced Due Diligence (EDD) documentation
  • Suspicious Activity Reports (SARs) and internal reports
  • Monitoring and compliance logs
  • Communication logs (e.g., support chats, email correspondence)
  • Risk assessments and audit reports
  • Staff training records related to AML

10.3 Retention Periods

All records must be retained for at least five (5) years from the latest of:

  • The date of the transaction
  • The end of the business relationship
  • The filing of a report

Longer retention may be applied if:

  • Required by law enforcement
  • Necessary to comply with legal holds or regulatory instructions
  • Involved in ongoing litigation or investigation

10.4 Storage and Security

All AML-related records are stored in secure environments with the following protections:

  • Access Controls: Only authorized personnel (e.g., Compliance Team, MLRO) may access sensitive records
  • Encryption: Digital records are encrypted both in transit and at rest
  • Redundancy: Backups are maintained in secure, geographically separate locations
  • Physical Security: Any paper-based documents are stored in locked, access-controlled areas

10.5 Formats and Indexing
  • Records may be retained in physical or digital format, provided they are legible, accessible, and reproducible.
  • All documents must be indexed by customer ID, transaction ID, and date to ensure efficient retrieval.
  • Documents must be saved in standardized formats (e.g., PDF, CSV, JPEG) to ensure long-term accessibility.

10.6 Access Logs and Audit Trails

Access to records is monitored through system logs, which are reviewed monthly by the IT Security and Compliance teams. Logs must record:

  • User ID
  • Date and time of access
  • Type of record accessed
  • Any downloads, edits, or deletions

Unauthorized access attempts are treated as security incidents and escalated per the Safeguarding Policy.

10.7 Destruction of Records

At the end of the retention period (unless extended), records are securely destroyed using:

  • Digital wiping or cryptographic erasure for electronic files
  • Shredding and certified disposal for physical records

Destruction must be logged and approved by the MLRO or Compliance Officer.

10.8 Regulator Access and Cooperation

The Company will make AML-related records available to regulators and law enforcement agencies upon request, subject to:

  • Proper legal basis (e.g., subpoena, official request)
  • Verification of requestor identity and authority
  • Record delivery tracking and confirmation

All disclosures are documented and subject to legal review before release.

10.9 Staff Responsibilities
  • The MLRO oversees the implementation of the recordkeeping policy
  • The Compliance Team ensures completeness, accuracy, and timely updates
  • The IT Department maintains the integrity, availability, and security of data storage systems

10.10 Monitoring and Review

The recordkeeping policy is reviewed annually by the Compliance Department to ensure:

  • Consistency with changing regulations
  • Effectiveness of storage systems and access control
  • Adequacy of retention schedules

Internal and external audits include tests of record availability and integrity.

11. MLRO Responsibilities

11.1 Role Definition

The Money Laundering Reporting Officer (MLRO) is a senior member of the Company appointed to oversee the implementation, effectiveness, and compliance of the Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) framework. The MLRO acts as the primary liaison between the Company and regulatory authorities, including the Financial Intelligence Unit (FIU).

This role is central to detecting, preventing, and reporting money laundering and suspicious activity and ensuring the Company fulfills its legal and regulatory obligations.

11.2 Appointment and Qualifications

The MLRO is:

  • Appointed by the Company’s Board of Directors
  • Subject to regulatory fit and proper checks (if applicable)
  • Required to have experience in AML, risk management, compliance, or financial regulation
  • Expected to maintain independence, integrity, and authority within the organization

In the MLRO’s absence, a Deputy MLRO or other designated official assumes these responsibilities.

11.3 Core Responsibilities

The MLRO is responsible for:

11.3.1 Oversight of AML Framework
  • Developing, maintaining, and enforcing the Company’s AML/CFT policy
  • Ensuring policies and procedures reflect current regulatory requirements and international standards
  • Conducting a risk assessment of the Company’s exposure to money laundering and terrorist financing at least annually

11.3.2 Suspicious Activity Reporting (SAR)
  • Receiving, reviewing, and evaluating all internal suspicion reports
  • Determining whether a SAR should be submitted to the FIU
  • Preparing and submitting SARs in a timely and accurate manner
  • Maintaining a confidential SAR log and ensuring compliance with data protection laws

11.3.3 Customer Risk Management
  • Approving high-risk customers (e.g., PEPs, high-risk jurisdictions)
  • Reviewing Enhanced Due Diligence (EDD) files and overseeing periodic reassessments
  • Providing second-line oversight of onboarding, monitoring, and account closure decisions involving elevated AML risk

11.3.4 Monitoring and Controls
  • Supervising the transaction and behavior monitoring systems
  • Reviewing high-priority alerts and overseeing manual escalations
  • Ensuring the integrity and accuracy of risk classification in the customer database

11.3.5 Regulatory Engagement
  • Acting as the point of contact for the FIU and other regulatory bodies
  • Coordinating responses to AML-related inquiries, audits, or investigations
  • Ensuring timely regulatory notifications and filings as required by law

11.4 Governance and Reporting
  • The MLRO reports regularly (at least quarterly) to the Board or senior management on AML performance, risks, and incidents
  • Urgent matters (e.g., major breaches or SAR trends) are reported ad hoc
  • All reports are documented, presented formally, and stored for internal and regulatory review

11.5 Training and Awareness
  • Designing and implementing the Company’s AML training program for all employees
  • Delivering specialized training to high-risk departments (e.g., finance, customer support)
  • Keeping up to date with global AML trends and regulatory changes, and updating internal practices accordingly

11.6 Recordkeeping

The MLRO is responsible for maintaining:

  • All internal and external SARs
  • Risk assessment documentation
  • Training attendance and materials
  • Audit reports and findings related to AML/CFT

These records are stored securely for a minimum of five years.

11.7 Independence and Resources

To fulfill their duties effectively, the MLRO must:

  • Have unfettered access to all company data and systems relevant to AML
  • Be free from conflict of interest or influence in AML-related decisions
  • Be supported by sufficient budget, staff, and technical resources to manage the AML program

11.8 Review of MLRO Function

The performance and adequacy of the MLRO function are reviewed annually by the Board or a designated independent party. This review assesses:

  • Regulatory compliance
  • Internal handling of SARs
  • Effectiveness of risk management procedures
  • Staff training and awareness initiatives

12. Employee Training and Audits

12.1 Purpose

The purpose of this section is to establish a structured training and audit framework that ensures all employees understand their AML/CFT obligations and that internal procedures are effectively implemented and monitored. Regular training and independent audits are critical in promoting a culture of compliance, reducing risk, and demonstrating accountability to regulators.

12.2 AML Training Policy

The Company provides tailored training programs to ensure employees are aware of:

  • Their role in preventing money laundering and terrorist financing
  • Internal procedures for identifying, escalating, and reporting suspicious activity
  • Key regulatory obligations applicable to their role
  • Real-world typologies, red flags, and case studies

12.4 Training Delivery and Materials

Training is delivered through a combination of:

  • E-learning platforms with mandatory quizzes
  • Live workshops and webinars
  • Role-based simulations (e.g., SAR writing, document review)
  • Case study analysis based on industry-specific scenarios

Each training module is followed by an assessment to evaluate comprehension. Pass thresholds are enforced and tracked.

12.5 Recordkeeping and Tracking
  • Attendance and completion of all training sessions are logged
  • Training records are retained for a minimum of five years
  • Reports on training completion rates are reviewed quarterly by the MLRO and HR

Employees who fail to complete mandatory training on time may face:

  • Temporary suspension of access to critical systems
  • Formal warning or disciplinary procedures

12.6 Internal Audit Policy

The Company’s internal audit function independently reviews the AML program to:

  • Assess whether AML policies and controls are implemented and followed
  • Identify gaps in compliance procedures or documentation
  • Evaluate the quality and timeliness of SARs, KYC files, and monitoring actions
  • Test the integrity of risk scoring and escalation processes

12.7 Audit Scope and Frequency
  • Quarterly audits focus on transaction samples, onboarding files, and alert handling
  • Annual audits provide a full AML/CFT program assessment, including technology effectiveness
  • Ad-hoc audits may be triggered by red flags, system changes, or regulatory findings

12.8 Corrective Actions

Findings from internal audits are documented in formal reports, reviewed by the MLRO, and submitted to senior management. Any identified deficiencies result in:

  • Corrective action plans with deadlines and responsible owners
  • Follow-up reviews to confirm implementation
  • Additional training or disciplinary steps where applicable

12.9 External Audits and Independent Reviews

Where required by law or licensing conditions, the Company engages independent external firms to:

  • Review AML compliance, internal controls, and SAR quality
  • Validate the effectiveness of training and monitoring tools
  • Benchmark the AML framework against industry best practices

These external reviews are typically conducted annually and shared with the regulator upon request.

12.10 Continuous Improvement
  • Feedback from employees and audit findings are used to refine training content and internal controls
  • The MLRO tracks global AML enforcement trends and integrates relevant updates into training and procedures
  • A “lessons learned” log is maintained for significant cases or failures