AML/CFT Policy
Digi Ex Pro (Pty) Ltd — Crypto Asset Service Provider (public version)
Digi Ex Pro (Pty) Ltd — AML/CFT Policy (public version)
Last revision: 28 May 2026
This Anti-Money Laundering and Combating the Financing of Terrorism Policy (“AML/CFT Policy”) has been adopted to prevent the use of our services for money laundering, terrorist financing or other financial crime. We are committed to complying with all applicable South African laws, regulations and regulatory guidance on AML/CFT. This is a public summary of our approach; our detailed internal procedures (including our Risk Management and Compliance Programme, KYC/CDD Procedures, Sanctions and PEP Screening Policy, Customer Risk Scoring Methodology and Transaction Monitoring Procedure) are confidential. By using our website or services, you agree to this AML/CFT Policy.
Digi Ex Pro (Pty) Ltd (the “Company”, “we”, “us”), a private company incorporated in South Africa under registration number 2023/150340/07, with its registered office at 1 Hood Avenue, Rosebank, Johannesburg, Gauteng, 2196, is an authorised financial services provider (FSP licence number 53786) licensed by the Financial Sector Conduct Authority (FSCA) as a crypto asset service provider, and an accountable institution under the Financial Intelligence Centre Act 38 of 2001. We are committed to meeting all applicable AML/CFT requirements and to maintaining effective controls to prevent the misuse of our services.
Scope and currencies: we predominantly serve clients outside South Africa and transact principally in EUR and USD (and in crypto assets), while applying South African law to all clients and transactions. Thresholds fixed by South African law are expressed in ZAR; internal, risk-based thresholds are expressed in EUR/USD and monitored across currencies at prevailing exchange rates.
1. Main objectives
Our main objectives in adopting this AML/CFT Policy are to ensure that:
- clients’ identities are satisfactorily verified, on a risk-based approach, before we do business with them;
- we know our clients and understand their reasons for doing business with us, both at the acceptance stage and throughout the business relationship;
- our staff are trained and made aware of their personal legal obligations and those of the Company;
- our staff are vigilant for activity giving reasonable grounds for suspicion of money laundering, terrorist financing or proliferation financing, and report it to the Compliance Officer / FIC Officer;
- sufficient records are kept for the required period; and
- we establish, maintain and implement appropriate procedures to achieve these objectives.
2. Definitions
- FIC Act — the Financial Intelligence Centre Act 38 of 2001, together with the Money Laundering and Terrorist Financing Control Regulations, directives and guidance made under it.
- FAIS Act — the Financial Advisory and Intermediary Services Act 37 of 2002, under which crypto assets are a declared financial product.
- POCA / POCDATARA — the Prevention of Organised Crime Act 121 of 1998 and the Protection of Constitutional Democracy against Terrorist and Related Activities Act 33 of 2004.
- KYC — Know Your Customer. CDD / EDD — Customer Due Diligence / Enhanced Due Diligence. ML/TF — money laundering and terrorist financing.
- Company / we / us — Digi Ex Pro (Pty) Ltd, registration number 2023/150340/07, providing crypto asset services in accordance with South African AML/CFT and financial-sector law.
- Crypto asset — a digital representation of value, declared a financial product under the FAIS Act, that can be traded, transferred or stored electronically and that uses cryptographic techniques and distributed ledger technology.
- Crypto asset services — the activities in Item 22 of Schedule 1 to the FIC Act carried on for or on behalf of a client, namely: exchanging a crypto asset for fiat or vice versa; exchanging one crypto asset for another; transferring a crypto asset between addresses or accounts; safekeeping or administering a crypto asset or the means of control over it; and participating in and providing financial services related to an issuer’s offer or sale of a crypto asset.
- Politically exposed person (PEP) — a domestic prominent influential person (DPIP) under section 21G of the FIC Act (a person who holds, or held in the preceding 12 months, a prominent public function in the Republic listed in Schedule 3A), a foreign prominent public official (FPPO) under section 21F (a corresponding function in a foreign country listed in Schedule 3B), or an immediate family member or known close associate of such a person under section 21H.
- Targeted financial sanctions — asset freezes and prohibitions on making funds or economic resources available to or for designated persons, under sections 26A–26C of the FIC Act (giving effect to United Nations Security Council resolutions) and the POCDATARA Act.
3. General principles
We have implemented policies, procedures and controls designed to prevent our services from being used to launder the proceeds of crime or to finance terrorism. These controls are tailored to the risk posed by individual clients. We apply customer due diligence to identify our clients and, for higher-risk clients, their beneficial owners and the origin of their funds, and we remain vigilant for anomalous transactions. Initial identification and due diligence give effect to the KYC principle so that we understand the ML/TF risk each client poses. In particular, we gather and assess:
- Client identification — full name and contact details, verified through reliable, independent documents.
- Risk assessment — the client’s country of origin (including whether it is a high-risk jurisdiction); whether the client is a PEP (and, if so, the source of wealth); and confirmation that the client is not subject to targeted financial sanctions.
- Ownership and control structure — for legal entities, the ownership and control structure, the ultimate beneficial owner(s), and screening of those persons against the targeted-financial-sanctions list.
- Business purpose and source of funds — the client’s intended use of our services, the legitimate source of funds, and the anticipated volume, nature and geographical scope of transactions.
- Client background — the client’s business activities, income sources and geographical reach, and any past relationship with us.
- Verification and credibility — information collected from the client and other reliable sources (public registers, official documents), with the level of verification proportionate to risk and corroborated by multiple independent sources where appropriate.
This is a general overview and may not be exhaustive; specific requirements vary with the client and the proposed transaction or relationship.
4. Risk factors
A risk factor is any characteristic of the client, of the crypto asset services provided, or of the manner in which they are provided, that increases the likelihood of those services being misused for ML/TF.
5. Categorisation of the customer risk profile
Clients are classified, according to the risk factors present, as:
- Low risk — no risk factors, or only factors posing negligible and tolerable risk;
- Medium risk — risk factors that cannot be treated as low but do not warrant a high classification;
- High risk — risk factors requiring enhanced due diligence; or
- Reject — an unacceptable client to whom services will not be provided, or whose services will be terminated.
A “Reject” profile applies where a factor requiring EDD exists and the client has not provided sufficient information to address it, and in particular where: the client’s country of origin or activity is “blacklisted”; no identification or CDD can be performed; there are reasonable grounds to suspect the client is acting only as a nominee or identity provider and the client does not refute this; the client, a person in its ownership or control structure, or an authorised representative is subject to targeted financial sanctions, or the transaction would breach sanctions (in which case we refuse onboarding, reject the transaction and/or terminate the relationship and report to the Financial Intelligence Centre (FIC) as required); the source of funds or wealth is suspicious; the information provided is grossly inconsistent with reliable sources and unexplained; there is reasonable suspicion of false or altered documents; a relationship previously terminated at our initiative is being re-established without the original concerns being resolved; the client is connected to another client whose relationship we terminated; or the client otherwise poses a significant ML/TF risk.
6. Primary determination of the customer risk profile
The type and intensity of identification and due diligence applied at onboarding are based on the client’s primary risk profile, initially assessed by reference to the client’s country of origin, activity and planned monthly turnover. The profile may change as information is obtained and screening is performed. The internal turnover bands (in EUR, with USD treated equivalently and other currencies converted at prevailing rates) are:
- Low — natural person up to €5,000; legal person up to €15,000 per month.
- Medium — natural person more than €5,000 and up to €25,000; legal person more than €15,000 and up to €100,000 per month.
- High — natural person more than €25,000; legal person more than €100,000 per month.
A client is “High risk” if its country of origin or activity is categorised as high risk, or if its planned turnover exceeds the High band; and “Reject” if its country of origin or activity is “blacklisted”. Where the country/activity assessment and the turnover assessment differ, the higher rating governs.
7. CDD during the business relationship
- Regular CDD — ongoing monitoring and verification that the information held remains current and consistent with what we know about the client and the services provided, performed at least every 24 months (Low risk), 12 months (Medium risk) or 6 months (High risk).
- Operational CDD — applied on the occurrence of specific events, including changes in the client’s ownership or control structure, changes in the purpose or nature of the relationship, exceeding the declared turnover, or trigger alerts from our monitoring system.
8. Ongoing monitoring of transactions
We conduct ongoing monitoring of business relationships, including the analysis of transactions, to ensure that they are consistent with our knowledge of the client, the type and scope of its business, and its ML/TF risk profile. This includes investigating the source of funds and source of wealth where the circumstances justify it, and keeping the documents, data and information we hold up to date. Monitoring is conducted using automated transaction-monitoring and blockchain-analytics tools and is given effect through our internal Transaction Monitoring Procedure.
9. Sanctions screening
We screen all clients (and, where applicable, beneficial owners, persons in the ownership and control structure, authorised representatives and counterparties) against the applicable targeted-financial-sanctions lists — the United Nations Security Council Consolidated List as given effect under the FIC Act, the FIC’s targeted-financial-sanctions list, and (on a risk basis) the lists administered by OFAC, the European Union and the United Kingdom. We also screen transactions to ensure they do not involve a designated person. Where a designated person or property is identified, we freeze the relevant property, refrain from making funds or economic resources available, and report to the FIC. We have procedures in place to investigate and report potential sanctions breaches to the appropriate authorities.
10. Risk assessment
We conduct a comprehensive, business-wide risk assessment and a risk assessment of each client relationship, considering the nature of the relationship, the services provided, the client’s location, and the client’s industry or sector, and we apply a risk-based approach throughout our AML/CFT programme. Where a client is connected to a foreign jurisdiction, we take account of: FATF membership; non-FATF jurisdictions not subject to sanctions and not otherwise high-risk; jurisdictions with AML/CFT deficiencies, serious organised crime, political instability, corruption or weak rule of law (including the FATF “Jurisdictions under Increased Monitoring”); and jurisdictions subject to UNSC sanctions or the FATF “Call for Action”. Based on the assessment, we apply appropriate measures to mitigate the risks identified.
11. Reporting suspicious activity
We have a process for reporting any suspicious activity or transaction that may indicate money laundering or terrorist financing. Internal reports are reviewed and investigated by the Compliance Officer and the FIC Officer, who determine whether the activity is reportable. Where it is, the FIC Officer submits a Suspicious and Unusual Transaction Report to the Financial Intelligence Centre via the goAML platform in accordance with section 29 of the FIC Act, together with Cash Threshold Reports (section 28) and Terrorist Property Reports (section 28A) where applicable. We comply with any direction of the FIC under section 34, or order of court under section 35, not to proceed with a transaction.
12. Third-party service providers
We take steps to ensure that third-party service providers comply with our AML/CFT requirements. These steps include conducting due diligence on them; reviewing their reputation and their own AML/CFT policies and procedures; writing appropriate AML/CFT and sanctions provisions into our agreements; and monitoring their ongoing adherence. Reliance on a third party does not relieve us of our responsibility under the FIC Act.
13. Suspicious activity
A suspicious activity is a crypto asset service (whether within or outside a business relationship) carried out in circumstances giving rise to a suspicion, or reasonable grounds to suspect, that property is the proceeds of unlawful activity, that funds are connected to terrorist financing or sanctions evasion, that a transaction has no apparent lawful or business purpose, or that we are being used for ML/TF. It may also include conduct not directly related to a service, a service we do not perform, or a mere attempt by a client to transact or to establish a relationship.
14. Prohibition on providing crypto asset services
We refuse to provide crypto asset services, within or outside a business relationship, where: the client does not provide the cooperation necessary for initial identification or CDD; the client was identified remotely and the first payment could not be made from an account in the client’s own name; doubts arise as to the accuracy or completeness of the information provided; there are reasonable grounds to suspect false, distorted or incomplete information or false or altered documents; the initial identification or CDD cannot otherwise be completed; the purpose is to provide services to a person other than the client without adequate justification; the client is subject to EDD and the Director has not approved the relationship; the client is a PEP whose source of funds is unknown; or the client is assigned a “Reject” profile. Where this occurs, the matter is escalated to the Compliance Officer, who ensures the service is not provided and that any relationship is terminated, consistent with section 21E of the FIC Act. We may determine, for particular categories of client, further circumstances in which services will not be provided.
15. Specific restrictive measures
Transaction monitoring and the analysis of data received are tools for assessing risk and detecting suspicious transactions. Where money laundering or terrorist financing is suspected, or where required by law, we reserve the right to: suspend or terminate a client’s access to its account; suspend services and freeze or block assets or funds until the circumstances are clarified; return a client’s assets or funds by cancelling the order or instruction; and take other actions permitted by law and by our internal policies and procedures, including to give effect to a FIC direction (section 34) or a court order (section 35) or a targeted-financial-sanctions freeze.
16. Geo-blocking and jurisdictional access restrictions
We may employ geo-blocking or other technical access-restriction measures to limit or prevent access to our platform, website and mobile applications from jurisdictions where providing services would expose us to regulatory, legal, compliance or operational risk. As part of our KYC and AML processes, we may: reject registrations where the client’s residential address, place of establishment or identification documents are associated with a restricted jurisdiction; restrict or block payment methods (including bank accounts and cards) issued or maintained in a restricted jurisdiction; and conduct ongoing monitoring to detect and prevent access by clients connected with restricted jurisdictions. We do not direct financial promotions, marketing or communications at persons located in, resident in, or otherwise connected with a restricted jurisdiction.
17. Records, communication and review
We document the financial security measures in place and keep records for at least 5 years from the date of termination of the business relationship or the conclusion of a single transaction, unless a longer period is required by law or by a competent authority in connection with proceedings, audits or investigations (sections 22–24 of the FIC Act). Records are stored so as to ensure their integrity, confidentiality, availability and security, and in accordance with applicable data-protection requirements (see our Privacy Notice). Communication with a client may take the form of telephone or video discussions and e-mail correspondence. We review and update this AML/CFT Policy regularly to ensure it remains effective in addressing ML/TF risk.
