Legal Document

KYC/AML Policy

Effective date: 1 May 2025 · Version 1.2

This policy is reviewed annually and updated as required by applicable regulation.

Purpose & Scope

STO Chain Pte. Ltd. ("STOC") is committed to preventing money laundering, terrorist financing, and other financial crimes. This KYC/AML Policy establishes the framework under which STOC conducts identity verification and monitors platform activity.

This Policy applies to all users who register on the STOC platform, regardless of jurisdiction, and to all staff, agents, and third-party service providers engaged in customer onboarding or transaction monitoring.

Covered activities include:

User registration and account creation
Investment in tokenized real estate and other digital assets
Secondary market trading on the STOC marketplace
Fiat on-ramp and off-ramp transactions
Wallet top-ups and withdrawals exceeding applicable thresholds

Customer Due Diligence (CDD)

STOC applies a risk-based Customer Due Diligence process to all users prior to granting investment access. CDD is performed via our regulated KYC provider, Sumsub.

3-step CDD process:

Step 1 — Identity Verification

User submits a government-issued photo ID (passport, national ID card, or driver's license). Sumsub performs liveness detection and document authenticity checks using AI-assisted review.

Step 2 — Personal Data Collection

Full legal name, date of birth, nationality, country of residence, residential address, and contact details are collected and verified against the submitted documents.

Step 3 — Risk Scoring & Screening

Each applicant is screened against global sanctions lists (OFAC SDN, EU Consolidated, UN Security Council) and adverse media databases. A risk score is assigned that determines ongoing monitoring intensity.

Enhanced Due Diligence (EDD)

Enhanced Due Diligence is mandatory for users seeking Tier 3 (Accredited) or Tier 4 (Institutional) access, and for any user flagged as high-risk during standard CDD.

EDD triggers include:

Politically Exposed Person (PEP) status — current or historical
Close family member or known associate of a PEP
Residency or nationality from a high-risk jurisdiction
Unusual transaction patterns detected post-onboarding
Self-certification as an Accredited or Institutional investor

EDD may require submission of audited financial statements, tax returns, source-of-wealth documentation, and senior management approval before account upgrade is granted.

AML Monitoring

STOC maintains a continuous transaction monitoring program across all platform activity. Monitoring is automated and supplemented by periodic manual review by our compliance team.

Monitoring controls include:

Transaction velocity monitoring — alerts on unusual frequency or volume
Structuring detection — identification of potential smurfing patterns
Sanctions list screening — re-screened on every transaction
Travel Rule compliance — mandatory originator/beneficiary data for transfers exceeding $1,000 USD equivalent
Peer-to-peer transfer monitoring — unusual wallet funding sources flagged
Geographic anomaly detection — login and transaction location mismatches

Suspicious Activity Reporting (SAR)

STOC is legally obligated to report suspicious transactions to the relevant Financial Intelligence Unit (FIU) in each operating jurisdiction. Our compliance team reviews flagged activity and determines whether a Suspicious Activity Report (SAR) must be filed.

SAR obligations:

Filing deadline: within 30 calendar days of identifying suspicious activity
No-tip-off rule: users must not be informed that a SAR has been, or may be, filed
Parallel obligation: STOC may simultaneously freeze or restrict the account pending investigation
Safe harbour: STOC staff acting in good faith are protected from civil liability for SAR filings

Data Retention

All KYC records, transaction logs, and compliance documentation are retained for a minimum of seven (7) years from the date of the relevant transaction or the termination of the customer relationship, whichever is later.

Data protection standards:

AES-256 encryption at rest; TLS 1.3 in transit
Access controls: role-based, with audit logging of all access events
Compliance with Vietnam Personal Data Protection Decree 2023 (PDPD)
Alignment with GDPR principles for EU-resident users
Korean Personal Information Protection Act (PIPA) compliance for KR users
Right to erasure requests assessed against mandatory retention obligations

Compliance Contact

For policy enquiries or data subject requests, contact coo@stochain.io

This policy is reviewed annually. The current version supersedes all previous versions.