Smuggled gold has no attestation.

1 · Regulatory anchor

Sika di adanseɛ — the gold bears witness.

The AML/CFT programme is anchored in three concentric regulatory frames:

• Ghana primary law. Anti-Money Laundering Act 2020 (Act 1044), Anti-Terrorism Act 2008 (Act 762), and the supervisory authority of Ghana's Financial Intelligence Centre (FIC) — the operational AML/CFT regulator that receives Suspicious Transaction Reports and coordinates with the Bank of Ghana, Securities and Exchange Commission, and Precious Minerals Marketing Company on sectoral implementation. EcoVent Africa Limited is registered with the Ghana Registrar General (CS274771225) and operates within FIC reporting scope for any gold-tokenisation activity.
• Ghana sectoral law & reserve programme. Article 114 of the Constitution of Ghana and its enabling statute, the Ghana Gold Board Act 2025 (Act 1140), provide the regulatory on-ramp for legitimate gold tokenisation. The Bank of Ghana's GANRAP — the Ghana Accelerated National Reserve Accumulation Programme, passed Parliament February 2025 and operational April 2026 — is the reserve-accumulation channel through which approximately 104 tonnes of gold and $13.8 billion in reserves have been accumulated via GoldBod. VPAY Genesis positions itself as the verification primitive that operates through this framework, providing hardware-attested provenance at the weigh-in point where Article 114 and GANRAP require it.
• International standards. FATF Recommendations 10–16 (Customer Due Diligence, Politically Exposed Persons, Correspondent Banking, Money or Value Transfer Services, New Technologies, Wire Transfers / Travel Rule). For Virtual Asset Service Providers, the FATF VASP guidance (issued 2019, updated 2021) is the operative interpretation. EcoVent Africa treats itself as a VASP for AML/CFT purposes ahead of any formal regulatory designation.

The auditor noted: "EcoVent Africa demonstrates strong regulatory alignment. The compliance page explicitly references alignment with the Bank of Ghana's GANRAP programme and Article 114 provisions. The dedicated Chief Compliance Officer with an operational AML programme and documented KYC framework is a significant positive indicator."

2 · Customer due diligence (CDD)

Wofa di adanseɛ — the uncle bears witness.

All customers — retail and institutional — are subject to risk-based customer due diligence before any $SOV transfer or institutional API access. The framework is tiered by risk exposure:

• Tier A · Retail consumer (the future Save-in-Gold flow). Identity verification (government-issued ID + selfie liveness check), residential address verification, source-of-funds attestation for transfers over a threshold (set in operational policy, not published). Enhanced due diligence triggered by jurisdiction risk, transaction velocity, or politically exposed person screening hits.
• Tier B · Institutional client (exchange, custodian, regulator, treasury). Corporate registration documentation, ultimate beneficial owner identification at 25%+ thresholds (Ghana standard) or lower where local law requires, authorised signatory verification, sanctions screening of all entities and individuals in the ownership chain, source-of-funds attestation, on-boarding interview with CCO or designate.
• Tier C · Counterparty (refinery, assay office, hardware vendor, downstream off-taker). Licence verification with the relevant Ghanaian authority (Precious Minerals Marketing Company, Minerals Commission, or sectoral equivalent), beneficial ownership disclosure, ongoing relationship monitoring.

The KYC framework documentation is published in summary at /compliance.html and in operational detail under NDA via /diligence. The auditor's specific gap — "specific components (transaction monitoring, suspicious activity reporting, sanctions screening, PEP checks) are not detailed publicly" — is addressed in the sections below at the level of detail that does not compromise operational security.

3 · Provenance verification (the architectural AML control)

Adwene di adanseɛ — the mind bears witness.

The most significant AML control in the VPAY Genesis stack is not procedural — it is structural. The hardware-rooted attestation chain makes provenance verification a precondition of token minting:

• No GSU reading → no AttestationBridge entry. Every $SOV token traces to a sealed XRF spectroscopy + mass + GPS + cryptographic signature reading from a registered GSU device. The device's hardware secure element holds a private key that cannot be exported; the public verification anchor is on-chain.
• No AttestationBridge entry → no $SOV mint. The smart-contract architecture holds MINTER_ROLE exclusively on the AttestationBridge contract. The token contract refuses any mint call from any address other than the AttestationBridge. The Safe multisig administering all contracts cannot bypass this — it can only pause it (CircuitBreaker), not override it.
• The result: smuggled gold has no path to tokenisation. A bar acquired outside the licensed supply chain has no licensed GSU reading; without a GSU reading, no on-chain attestation; without an attestation, no $SOV. The auditor stated this clearly: "Smuggled gold has no attestation. Licensed gold does."

Traditional AML controls in gold markets rely on paper-based provenance documentation and after-the-fact reconciliation. VPAY Genesis inverts this: the provenance verification is the precondition of the financial action, encoded in code, observable on a public ledger, and cryptographically resistant to forgery. This is the AML innovation that the FATF VASP guidance contemplated but few VASPs have implemented at this depth.

4 · Transaction monitoring

Mate Masie — what I hear, I keep.

Transaction monitoring covers two surfaces: on-chain (where the canonical record lives) and off-chain (KYC databases and operational flows). The approach is:

• On-chain rule-based monitoring. Programmatic surveillance of $SOV transfers, mint events, and burn events on Polygon Mainnet. Patterns reviewed include: rapid sequential transfers consistent with layering, structuring below known reporting thresholds, transfers to or from sanctioned addresses, transfers to high-risk-jurisdiction wallets, anomalous concentration of holdings, dormant-account reactivation patterns.
• On-chain risk scoring. Counterparty wallets are screened against industry blockchain analytics (e.g., Chainalysis, TRM Labs, Elliptic — vendor selection in commissioning). Risk scores trigger enhanced review for transfers exceeding velocity or concentration thresholds.
• Off-chain operational monitoring. Customer activity outside the canonical chain — repeated failed KYC attempts, suspicious correspondence patterns, jurisdiction-of-IP versus jurisdiction-of-claimed-residence mismatches — is reviewed by the CCO against the documented case-management procedure.
• Threshold mechanics. The monetary and velocity thresholds that trigger enhanced review are set in operational policy and are not published. This is intentional: published thresholds become structuring targets. Reviewed parties may request, under NDA, the thresholds applicable to their account class.

5 · Suspicious activity reporting (SAR)

Nkrabea — the appointed time.

Suspicious activity reporting is the procedural fail-safe behind the architectural AML control. The chain is:

• Detection. Activity surfaces via transaction monitoring (§4), counterparty risk scoring, customer-conduct review, or external referral. The CCO maintains a SAR caseload register.
• Investigation. The CCO (or designate, with documented training) opens a case file, gathers context, applies the "reasonable grounds to suspect" standard. Investigation is bounded to a documented time-box; cases that cannot be substantiated within the box are escalated or closed with reasons recorded.
• Reporting. Where reasonable grounds to suspect are established, a Suspicious Transaction Report (STR) is filed with the Financial Intelligence Centre (FIC) of Ghana per Act 1044 requirements, within the timeframes the Act prescribes. Foreign-counterparty matters may trigger parallel filings under the relevant foreign FIU regime.
• Tipping-off prohibition. Once an STR is filed or under preparation, the customer and any third party who could compromise the investigation is not informed of the filing. The CCO holds confidential authority over all SAR-related communications.
• Record retention. All SAR files, supporting documentation, and disposition records are retained for the period Ghana law requires (minimum 5 years under Act 1044, longer where regulatory hold is in effect).

6 · Sanctions screening

Wo nsa akyi — the back of your hand.

Sanctions screening is applied at three points in the customer and transaction lifecycle:

• Onboarding. Every customer (Tier A retail, Tier B institutional, Tier C counterparty) is screened against the consolidated sanctions lists at onboarding: UN Security Council Consolidated List, OFAC Specially Designated Nationals (SDN) and consolidated sanctions lists, EU Restrictive Measures, UK HMT Sanctions List, and the Ghana sanctions list maintained under Act 762. Beneficial owners and authorised signatories are screened to the same standard.
• Ongoing screening. Customer records are re-screened on each sanctions-list update (typically multiple times per week from each authority). A previously-clean customer whose principal becomes sanctioned generates an immediate review.
• Transaction-time screening. Counterparty wallet addresses for institutional transactions are screened against the same lists at transaction submission. Sanctions-list-matching wallet addresses block the transaction and trigger an immediate CCO review.

Politically Exposed Persons (PEP) screening follows the FATF Recommendation 12 standard, with enhanced due diligence applied to identified PEPs and their immediate family / close associates. The PEP determination is made by the CCO; appeal channels are documented internally.

7 · Travel Rule compliance plan

Sankɔfa — return and fetch.

FATF Recommendation 16 (the "Travel Rule") requires Virtual Asset Service Providers to transmit originator and beneficiary information alongside any transfer above the FATF-recommended threshold (USD/EUR 1,000 or local equivalent). For VPAY Genesis, the Travel Rule plan is:

• Industry-standard messaging protocol. Integration with an established Travel Rule infrastructure provider — candidates under evaluation: TRISA, Sygna Bridge, Notabene. Selection criteria include Ghana regulatory acceptance, throughput at expected scale, IVMS101 data-model conformance, and integration cost.
• Beneficiary VASP discovery. Counterparty VASP identification at the wallet-address level. Where the beneficiary is a non-custodial wallet (a true peer-to-peer transfer), the originator's CDD record is retained and made available to authorities on lawful request, per the "self-hosted wallet" guidance.
• Originator information collected. Name, account number (wallet address), physical address or national identifier, and a unique transaction reference, per IVMS101.
• Privacy by transmission. Originator/beneficiary information is transmitted encrypted to the counterparty VASP via the Travel Rule infrastructure; it is not written to the public ledger. The public chain carries only the cryptographic verification anchor.
• Activation trigger. Travel Rule compliance is implemented before any retail $SOV transfer functionality is opened to consumers. The architecture is built to be Travel-Rule-ready from launch, not retrofitted afterward.

The auditor flagged this as the specific component to publish: "Implement FATF Travel Rule compliance for $SOV token transfers using an industry standard solution (e.g., TRISA, Sygna)." This section is that commitment.

8 · Beneficial ownership identification

Tikoro nko agyina — one head does not hold council.

Identifying the natural persons who ultimately own or control institutional clients is fundamental to AML/CFT integrity. The VPAY Genesis approach:

• Threshold. 25% direct or indirect ownership is the standard threshold under Ghana's Companies Act 2019 (Act 992) Beneficial Ownership requirements; lower thresholds (10% or named) apply where the local regime of the customer's domicile requires.
• Documentation. For each ultimate beneficial owner: government-issued photo ID, address verification, sanctions and PEP screening (per §6), source-of-wealth attestation for institutional clients.
• Verification. Independent verification against company registries where available (Ghana Registrar General, UK Companies House, Open Corporates, equivalent). Trust and nominee structures require enhanced due diligence to identify the natural person controllers and ultimate economic beneficiaries.
• Ongoing maintenance. Beneficial ownership records are reviewed on a documented cadence (annually as standard; more frequently for higher-risk clients). Customer-initiated changes are validated before being applied to the record.
• EcoVent Africa's own beneficial ownership. Disclosed publicly at /about.html and on-chain via the SOVVesting contract holding the founder allocation under irrevocable 12-month-cliff / 4-year-linear release.

9 · Independent review & audit commitments

Nyansapɔ wɔsane no badwemma — the wise knot is untied only by the wise.

The auditor's final AML/CFT recommendation was: "Conduct an independent AML programme review by a qualified firm." Commitments:

• External AML programme review. Engagement of a qualified firm (Ghana-based ACAMS-credentialed practitioner or international equivalent) within Phase 1 (0–6 months) of the institutional maturation programme. Findings published in summary, with detailed report under NDA.
• Annual external AML audit. Annual external review of the programme starting in Year 2 (post-launch). Each audit produces a written opinion that is shared with regulator-on-request and prospective institutional clients under NDA.
• Continuous internal monitoring. CCO maintains an internal control register, runs quarterly self-assessments against the FATF Recommendations, and submits annually to the founder a state-of-the-programme report.
• Regulator engagement cadence. Standing dialogue with the Bank of Ghana, Financial Intelligence Centre, and Precious Minerals Marketing Company on the operational interpretation of Article 114 and GANRAP requirements as they apply to gold tokenisation. We treat regulator informal guidance as authoritative pending formal designation.

Version 1.0 · Effective 27 May 2026 · Next scheduled review: 27 August 2026. The AML/CFT programme itself is reviewed on a continuous basis; this summary is updated at least quarterly or immediately upon material change.

10 · Contact

Mate Masie — what I hear, I keep.

Chief Compliance Officer (Ibilola Macaulay): cco@ecoventafrica.com

Founder direct: Ano@ecoventafrica.com

Regulator contact (Bank of Ghana, FIC, PMMC) is conducted via the CCO. Independent reviewers and external auditors should request engagement via cco@ecoventafrica.com.

Postal: EcoVent Africa Limited, 40 Nii Nortei Nyanchi Street, Dzorwulu, Accra, Greater Accra, Ghana.

Version 1.0 · Effective 27 May 2026