Purpose and Principles

The AML policy sets the mandatory controls by which Vivatbet prevents money laundering and the financing of terrorism. It applies a risk‑based approach to customer onboarding, ongoing monitoring, and periodic review of customer activity to ensure compliance with applicable laws, regulations, and regulatory expectations.

Scope and Definitions

This policy covers all customers, payment methods, devices, and geographies where Vivatbet operates, including subsidiaries and partner channels. For the purposes of this policy, the following terms have the meanings specified below:

• AML/CFT — anti‑money laundering and counter‑terrorist financing obligations.
• KYC/CIP — Know Your Customer and Customer Identification Program to verify a customer's identity and assess risk.
• CDD — standard customer due diligence for most customers and transactions.
• SDD — simplified due diligence for extremely low‑risk cases.
• EDD — enhanced due diligence for high‑risk customers, large transactions, or special cases.
• STR / SAR — Suspicious Transaction Reporting or Suspicious Activity Reporting to the relevant authorities.
• EWRA — enterprise‑wide risk assessment covering product, channel, geography, and customer risk.
• Geoblocking — restriction of services based on sanctions and restricted jurisdictions.

Governance and Compliance Oversight

Vivatbet maintains an AML Compliance function responsible for the design, implementation, and effectiveness of controls. The Compliance Lead reports to the Board or equivalent governance body, ensuring independent oversight, escalation protocols, and timely regulatory reporting. All material AML actions—such as policy changes, significant risk findings, or regulatory inquiries—require board review and approval.

Enterprise‑Wide Risk Assessment (EWRA)

Vivatbet conducts an ongoing EWRA to identify and measure risk across customer profiles, products, channels, and geographic exposure. The assessment informs the level of due diligence, monitoring intensity, and transaction review thresholds. The EWRA is reviewed at least annually and updated in response to regulatory developments or material changes in business activities.

Know Your Customer and Identity Verification (KYC/CIP)

• Onboarding requires verification of identity prior to full platform access or the execution of payout transactions.
• Data collected at onboarding includes: full legal name, date of birth, nationality, residential address, contact details, and government‑issued identification number.
• Acceptable identity documents include a valid government‑issued passport, national ID card, or driver’s license. Documents must be valid and consistent with the applicant’s profile; a clearly legible copy is required.
• Verification steps include a government‑issued photo ID check, a selfie of the applicant holding the ID, and a proof of residence (e.g., bank statement or utility bill not older than three months). If the document shows the address, additional proof may not be required.
• Use of external databases and independent verification services is permitted to corroborate identity information.
• There is a risk‑based escalation to Enhanced Due Diligence (EDD) for high‑risk customers, unusual patterns, or large or complex transactions, with documentation retained in accordance with data retention policies.
• Thresholds triggering full KYC escalation: upon aggregate lifetime deposits reaching EUR 5,000 or when a withdrawal request is initiated, the customer shall undergo enhanced verification and ongoing monitoring.
• Account restrictions, holds, or temporary suspensions may be imposed if identity verification cannot be completed within a reasonable timeframe or if information provided is incomplete or inconsistent.

Sanctions Compliance and Geo‑Blocking

Vivatbet conducts ongoing sanctions screening against applicable lists and performs geo‑blocking where required. Accounts associated with sanctioned or restricted jurisdictions or individuals are restricted from services, and ongoing monitoring applies to prevent circumvention attempts. Any identified match triggers immediate review and relevant regulatory notification as required by law.

Transaction Monitoring

Transactions are monitored continuously using rule‑based and risk‑based analytics. Monitoring considers customer risk, transaction type, geography, and source of funds. Alerts are generated for unusual or high‑risk activity, enabling rapid investigation and escalation where warranted.

Suspicious Activity Reporting (STR/SAR)

When suspicious activity is detected or suspected, an internal alert is triggered and escalated to the Compliance function. The operator shall file STR/SAR with the competent authority within the legally mandated timeframe and maintain documented justification for the decision. All supporting evidence and case notes are retained in a secure, access‑controlled repository for audit and regulatory review.

Record Keeping and Data Storage

All KYC documents, due diligence records, transaction histories, and STR/SAR files are retained for a minimum of five (5) years from account closure or the date of the last transaction, whichever is later. Records are stored securely with restricted access, and data retention aligns with applicable data protection laws and regulator expectations.

Data Privacy and Security

Vivatbet implements data minimization, encryption at rest and in transit, access controls, and regular security assessments. Personal data is processed in accordance with applicable privacy laws and is used solely for AML/CFT purposes. Data transfers, if any, occur only with appropriate safeguards and vendor controls in place.

Vendor Management

third‑party service providers involved in identity verification, payment processing, or AML activities are subject to due diligence, contractual obligations, and ongoing monitoring. Contracts include audit rights, data security commitments, and requirements to comply with AML/CFT laws. Any material AML deficiencies identified in a vendor must be remediated or the relationship terminated.

Training and Awareness

All staff receive mandatory AML/CFT training at onboarding and at least annually thereafter. Training covers identification of suspicious activity, escalation procedures, data handling, and regulatory reporting requirements. Refresher sessions are conducted whenever there are material regulatory changes.

Independent Audit and Testing

The AML program undergoes periodic independent reviews, including internal and where appropriate external audits. Findings are reported to the board, with remediation plans tracked until closure. Remediation timelines are determined by risk assessments and regulatory expectations.

Whistleblowing and Reporting Channels

Vivatbet maintains confidential channels for reporting AML concerns without fear of retaliation. Reports may be submitted through designated internal channels, and, where required by law, reported to the appropriate supervisory or law enforcement authorities. All whistleblower investigations are managed with appropriate protections for the reporting party.

Key Performance Indicators and Management Reporting

AHM monitoring includes defined KPIs such as: time to complete KYC verification, proportion of accounts under enhanced due diligence, number of STRs filed, average time to investigate alerts, and rate of regulatory compliance. Management reviews these metrics regularly to improve controls and resource allocation.

Business Continuity and Incident Response

Vivatbet maintains a business continuity plan addressing AML incident response, data recovery, and regulatory reporting continuity. The plan includes defined roles, communication protocols, and模拟 incident testing to ensure operations can continue securely during disruptions.

Policy Updates and Governance

This policy is reviewed at least annually or when regulatory developments require immediate action. Significant amendments require approval by the governance body and prompt dissemination to relevant stakeholders, with updated training and procedural documents reflecting changes.