
Anti-Money Laundering, Countering the Financing of Terrorism, Countering Proliferation Financing, and Sanctions Compliance Policy
Effective Date: May 1st, 2026
Version: 1.0
Adopted by: Board of Directors
Registered Office: P.O. Box 31489, 2nd Floor, Whitehall House, 238 North Church Street, George Town, Grand Cayman, KY1-1206, Cayman Islands
Policy Owner: Money Laundering Reporting Officer (MLRO)
Contact: team@bluwhale.com
Table of Contents
- Recitals and Purpose
- Definitions
- Risk-Based Approach and Enterprise-Wide Risk Assessment
- Governance and Responsibilities
- Customer Due Diligence (CDD) and Know-Your-Customer (KYC)
- Sanctions and Targeted Financial Sanctions Compliance
- Transaction Monitoring and Blockchain Analytics
- Suspicious Activity Reporting
- Record Keeping
- Training and Awareness
- Independent Testing and Audit
- Treasury and Ecosystem-Specific Controls
- Policy Review and Updates
Appendix A – Red-Flag Indicators
Appendix B – Sanctions Lists and Screening Tools
Appendix C – MLRO Contact and Escalation Matrix
Appendix D – Travel Rule Implementation Procedures
1. Recitals and Purpose
The Bluwhale Foundation (the "Foundation") is the issuer and steward of the BLUAI crypto-asset. This Policy establishes a comprehensive, risk-based framework to prevent the Foundation's operations — including treasury management, BLUAI token stewardship, ecosystem grants, node incentives, funding inflows, wallet control, and protocol revenue handling — from being used for money laundering (ML), terrorist financing (TF), proliferation financing (PF), or sanctions evasion.
This Policy complies with:
- Cayman Islands laws, including the Proceeds of Crime Act (2020 Revision), Anti-Money Laundering Regulations (2023 Revision), Virtual Asset (Service Providers) Act, and CIMA Guidance;
- FATF Recommendations (particularly R.15, INR.15, R.16, and INR.16 on virtual assets and the Travel Rule); and
- MiCAR (Regulation (EU) 2023/1114) and the EU Transfer of Funds Regulation (TFR) where the Foundation has an EU nexus.
2. Definitions
- "BLUAI" or the "Token" – The utility crypto-asset issued and stewarded by the Foundation (total supply: 10,000,000,000 tokens).
- "Virtual Asset" or "VA" – As defined under FATF, Cayman law, and MiCAR.
- "Business Relationship" – Any grant, token allocation, funding participation, or ongoing treasury interaction.
3. Risk-Based Approach and Enterprise-Wide Risk Assessment
The Foundation shall maintain a current Enterprise-Wide Risk Assessment (EWRA) that identifies and mitigates ML/TF/PF risks specific to its multi-chain AI ecosystem, counterparties, products, and operations. The EWRA shall be reviewed and approved by the Board annually or upon material change.
4. Governance and Responsibilities
The Board of Directors holds ultimate responsibility for this Policy. A qualified Money Laundering Reporting Officer (MLRO) and Deputy MLRO shall be appointed to oversee day-to-day compliance. All service providers must meet equivalent AML standards through contractual agreements.
5. Customer Due Diligence (CDD) and Know-Your-Customer (KYC)
The Foundation shall conduct appropriate CDD prior to establishing any Business Relationship or processing transactions above defined thresholds. This includes identification and verification of beneficial owners (≥25%), source of funds/wealth checks, and understanding the purpose of the relationship. Enhanced Due Diligence (EDD) shall be applied to higher-risk cases. Travel Rule obligations shall be fulfilled for applicable virtual asset transfers.
6. Sanctions and Targeted Financial Sanctions Compliance
All counterparties, wallet addresses, and transactions shall be screened in real time and on an ongoing basis against OFAC, UN, EU, UK, and other relevant sanctions lists. No transactions or relationships shall be entered into with sanctioned persons or entities. Any positive match shall result in immediate asset freezing and regulatory reporting.
7. Transaction Monitoring and Blockchain Analytics
All treasury movements, BLUAI distributions, grants, and protocol revenue shall be subject to continuous monitoring using blockchain analytics tools to detect suspicious patterns and red flags.
8. Suspicious Activity Reporting
Any suspicion of ML, TF, or PF shall be escalated immediately to the MLRO. Where required, a Suspicious Activity Report (SAR/STR) shall be filed with the Cayman Financial Reporting Authority (FRA) and/or the relevant EU Financial Intelligence Unit. Tipping-off is strictly prohibited.
9. Record Keeping
All CDD, transaction, screening, and monitoring records shall be retained for a minimum of six (6) years (or longer where required by MiCAR) in a secure and auditable manner.
10. Training and Awareness
All directors, officers, and relevant service providers shall receive initial and annual training on this Policy, virtual asset risks, and regulatory obligations.
11. Independent Testing and Audit
The AML/CFT/CPF programme shall be subject to annual independent review and external audit. Audit findings shall be reported to the Board with timely remediation.
12. Treasury and Ecosystem-Specific Controls
- Inflows: All token sale proceeds, funding rounds, protocol revenue, and donations shall be routed through screened multisig or custodial wallets following CDD.
- Outflows: Grants, R&D funding, node incentives, and ecosystem allocations require pre-approval, recipient due diligence, and post-disbursement monitoring.
- Wallet Management: Multisig controls with role-based access and strict segregation of duties.
- Fund Segregation: Complete separation of Foundation funds from any related commercial entities.
13. Policy Review and Updates
This Policy shall be reviewed at least annually and upon any material regulatory, operational, or risk-related change. Updates require Board approval.
Appendices
Appendix A – Red-Flag Indicators
Appendix B – Sanctions Lists and Screening Tools
Appendix C – MLRO Contact Details and Escalation Matrix
Appendix D – Travel Rule Implementation Procedures