Anti-Money Laundering & Counter-Terrorism Financing Policy

AML/CTF Compliance Program

Confidential · Effective Date: March 7, 2026 · Version 1.0

1. Purpose and Scope

This Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Policy establishes the principles, procedures, and controls that Kova implements to prevent the misuse of its platform for money laundering, terrorism financing, sanctions evasion, or any other illicit financial activity.

This policy applies to all Kova operations, personnel, contractors, and third-party partners. It is designed to ensure compliance with applicable Brazilian legislation, including the Brazilian Crypto Framework (Lei 14.478/2022), Lei 9.613/1998 (Anti-Money Laundering Law), regulations issued by the Banco Central do Brasil (BCB) and the Conselho de Controle de Atividades Financeiras (COAF), and international standards set by the Financial Action Task Force (FATF).

2. Company Overview and Risk Profile

2.1 Business Model

Kova is a technology platform that enables Brazilian users to convert BRL to US Dollar-denominated stablecoins (primarily USDC) and access yield-generating opportunities through selected DeFi protocols. The platform operates on a non-custodial model — Kova does not hold, store, or control user funds or private keys at any time.

2.2 Non-Custodial Architecture

Kova has no access to private keys and cannot unilaterally move, freeze, or access user funds. Only the user can authorize transactions from their wallet.

User wallets are created and managed through Turnkey, a third-party wallet infrastructure provider that utilizes secure enclave technology and passkey-based authentication.

2.3 Third-Party Dependency

Kova does not directly process fiat-to-crypto or crypto-to-fiat transactions. All on-ramp and off-ramp operations are handled by licensed third-party providers, including Transak and MoonPay, which maintain their own AML/CTF programs, hold relevant licenses and registrations, and perform KYC/KYB verification on all users.

3. Risk-Based Approach

Kova adopts a risk-based approach to AML/CTF compliance, as recommended by the FATF. This means allocating resources and implementing controls proportionate to the identified risks.

3.1 Risk Factors Assessed

Customer Risk: User identity is verified through our on-ramp partners (Transak, MoonPay) before any fiat conversion is permitted. Users who exhibit unusual behavior patterns are flagged for enhanced review.

Geographic Risk: Kova primarily serves Brazilian users. Transactions involving high-risk jurisdictions (as identified by FATF or OFAC) are subject to enhanced scrutiny or may be blocked entirely.

Product/Service Risk: The use of stablecoins (USDC) on public blockchains introduces transparency — all transactions are recorded on the Solana blockchain and are publicly auditable.

Transaction Risk: Transaction volume, frequency, and patterns are monitored for anomalies including unusually large or rapid transactions, structured transactions, and transactions with no apparent economic purpose.

3.2 Risk Rating

Each user account is assigned a risk rating (low, medium, or high) based on the factors above. Risk ratings are reviewed periodically and adjusted based on ongoing monitoring.

4. Know Your Customer (KYC)

4.1 Customer Identification

All users must complete identity verification before accessing Kova's core services. KYC is performed at two levels:

On-Ramp Provider KYC: Transak and MoonPay perform comprehensive KYC on all users prior to processing any fiat-to-crypto transaction, including government-issued ID verification (CPF, RG, passport), facial recognition / liveness check, proof of address verification, and sanctions and PEP screening.

Kova Account KYC: Kova collects and verifies user email addresses at account creation and may request additional identity documentation for enhanced due diligence when risk indicators are present.

4.2 Enhanced Due Diligence (EDD)

Enhanced due diligence is applied to high-risk users, Politically Exposed Persons (PEPs) or their close associates, users whose transaction patterns trigger monitoring alerts, and users from or transacting with high-risk jurisdictions. EDD measures may include requesting source of funds documentation, conducting deeper background checks, applying stricter transaction limits, and increasing review frequency.

4.3 Ongoing Customer Due Diligence

KYC is not a one-time event. Kova performs ongoing due diligence by periodically reviewing user risk ratings, monitoring transaction activity for behavioral changes, requesting updated documentation when risk indicators change, and re-screening against updated sanctions and PEP lists.

5. Transaction Monitoring

5.1 Monitoring Framework

Kova implements transaction monitoring to detect suspicious activity. Given our non-custodial architecture, monitoring focuses on on-chain transaction analysis, behavioral analytics, deposit and withdrawal patterns, and peer-to-peer transfer activity within the platform.

5.2 Red Flags

Examples of red flags that may trigger an alert include: unusually large or frequent transactions inconsistent with a user's profile, transactions structured to fall below reporting thresholds, rapid movement of funds with no yield activity, transactions involving addresses associated with known illicit activity, attempts to circumvent KYC requirements, and multiple accounts linked to the same individual or device.

5.3 Alert Handling

When a monitoring alert is triggered, the compliance team reviews the alert, determines whether the activity is genuinely suspicious, escalates confirmed suspicious activity to senior management, and files a Suspicious Activity Report (SAR) / Suspicious Transaction Report (STR) with COAF if warranted.

6. Sanctions Compliance

Kova is committed to complying with all applicable sanctions regimes, including screening against sanctions lists maintained by the United Nations (UN), the Office of Foreign Assets Control (OFAC), the European Union (EU), and any other applicable authorities.

Sanctions screening is performed at user onboarding (via our on-ramp partners), on an ongoing basis against updated lists, and when processing transactions involving external addresses. Transactions or accounts associated with sanctioned individuals, entities, or jurisdictions are blocked immediately and reported.

7. Suspicious Activity Reporting

When suspicious activity is identified, Kova follows a structured reporting process. The compliance officer evaluates the activity, documents the findings, and determines whether a report to COAF is required under Brazilian law.

Reports are filed within the timeframes prescribed by applicable regulations. All SAR/STR filings are treated as strictly confidential. No employee or officer of Kova shall disclose to any user or third party that a report has been or will be filed (tipping-off prohibition).

Kova maintains complete records of all internal investigations and filed reports for a minimum of five (5) years, or longer if required by law.

8. Record Keeping

Kova maintains comprehensive records including user identification and KYC documentation, transaction records (deposits, conversions, yield allocations, withdrawals, P2P transfers), copies of all monitoring alerts and investigation outcomes, SAR/STR filings and related correspondence, and training records for all personnel.

All records are retained for a minimum of five (5) years from the date of the transaction or account closure, whichever is later. Records are stored securely with appropriate access controls and encryption.

9. Governance and Compliance Structure

9.1 Compliance Officer

Kova designates a Compliance Officer responsible for overseeing this AML/CTF policy, ensuring monitoring systems function effectively, reviewing and approving SAR/STR filings, managing relationships with regulatory authorities, and reporting to senior management on compliance matters.

9.2 Board and Senior Management

Senior management is responsible for ensuring adequate resources are allocated to compliance, fostering a culture of compliance throughout the organization, and reviewing this policy at least annually.

10. Training and Awareness

All Kova employees and contractors receive AML/CTF training upon joining and on an ongoing basis (at least annually). Training covers the fundamentals of money laundering and terrorism financing, Kova's AML/CTF policies and procedures, how to identify and report suspicious activity, sanctions compliance obligations, and recent regulatory developments.

Training records are maintained, including attendance, content covered, and assessment results. Specialized training is provided to employees in higher-risk functions.

11. Third-Party Due Diligence

Kova conducts due diligence on all third-party partners involved in the flow of funds or user data. This includes verifying that on-ramp/off-ramp providers (Transak, MoonPay) hold appropriate licenses and maintain robust AML/CTF programs, that Turnkey implements adequate security and operational controls, and that DeFi protocols selected for yield generation have undergone security audits.

Third-party compliance is reviewed periodically, and Kova reserves the right to terminate partnerships with providers that fail to meet its compliance standards.

12. Blockchain Analytics and On-Chain Monitoring

Given that all Kova transactions occur on public blockchains (primarily Solana), Kova leverages blockchain analytics to monitor on-chain activity for connections to flagged addresses, trace fund flows, identify patterns consistent with mixing or layering, and support investigations with on-chain evidence.

Kova may utilize third-party blockchain analytics providers to enhance its on-chain monitoring capabilities.

13. Data Privacy and Confidentiality

All personal data collected as part of AML/CTF procedures is handled in accordance with Kova's Privacy Policy and applicable data protection laws, including the Lei Geral de Proteção de Dados (LGPD). AML/CTF data is used solely for compliance purposes and is not shared with third parties except as required by law.

14. Policy Review and Updates

This AML/CTF Policy is reviewed at least annually, or more frequently if triggered by significant changes in applicable laws, changes to Kova's business model or risk profile, findings from internal or external audits, regulatory guidance or enforcement actions, or significant incidents.

All updates must be approved by the Compliance Officer and senior management. Material changes are communicated to all relevant personnel.

15. Contact

For questions or concerns regarding this AML/CTF Policy, or to report suspicious activity:

Kova — Compliance: compliance@kovabr.com