the_order/docs/governance/procedures/kyc-aml.md
defiQUG 6a8582e54d feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone
- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
2025-11-13 09:32:55 -08:00


KYC/AML Standard Operating Procedures (SOP)

Version: 1.0
Date: November 10, 2025
Status: Draft


Overview

This document defines the Standard Operating Procedures (SOPs) for Know Your Customer (KYC), Anti-Money Laundering (AML), and sanctions screening for eResidency and eCitizenship applications.

Screening Lists

Sanctions Lists

Primary Sources:

  • UN Security Council Sanctions
  • EU Sanctions
  • OFAC (US Treasury)
  • UK HM Treasury
  • Other relevant jurisdictions

Update Frequency:

  • Daily automated updates
  • Manual review for high-priority updates
  • Real-time screening for new applications

PEP Lists

Sources:

  • World-Check
  • Dow Jones Risk & Compliance
  • ComplyAdvantage
  • Other commercial providers

Categories:

  • Heads of State
  • Senior government officials
  • Senior political party officials
  • Senior judicial officials
  • Senior military officials
  • State-owned enterprise executives
  • Close associates and family members

Risk Scoring

Risk Factors

Low Risk:

  • Clear identity verification
  • No sanctions matches
  • No PEP matches
  • Low-risk geography
  • Established history

Medium Risk:

  • Partial identity verification
  • Potential PEP match (distant)
  • Medium-risk geography
  • Limited history

High Risk:

  • Failed identity verification
  • Sanctions match
  • Direct PEP match
  • High-risk geography
  • Suspicious patterns

Risk Score Calculation

Formula:

Risk Score = (KYC Risk × 0.4) + (Sanctions Risk × 0.4) + (Geographic Risk × 0.2)

Thresholds:

  • Auto-approve: < 0.3
  • Manual review: 0.3 - 0.8
  • Auto-reject: > 0.8

Enhanced Due Diligence (EDD)

Triggers

Automatic EDD:

  • PEP match
  • High-risk geography
  • Risk score > 0.7
  • Suspicious patterns
  • Large transactions (if applicable)
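The following is an added worked example, not code from the_order project, that implements the risk score formula and thresholds from "Risk Score Calculation" together with the "Automatic EDD" triggers above as one decision routine, so that a reviewer can check how a given combination of screening results is routed. The SOP states the component risks categorically (clear/partial/failed verification, sanctions match, low/medium/high geography), so the numeric value given to each category, the `Applicant` field names and the `assess` record layout are assumptions of this example. One thing the example makes visible: under the formula as written, a confirmed sanctions match with otherwise clean inputs scores 0.4, which lands in the manual review band rather than auto-reject, and a direct PEP is escalated to manual review as the "PEP Process" section requires regardless of the numeric score.

```python
from dataclasses import dataclass

# Weights, decision thresholds and the score-based EDD trigger come from the
# SOP's "Risk Score Calculation" and "Enhanced Due Diligence" sections.
WEIGHTS = {"kyc": 0.4, "sanctions": 0.4, "geographic": 0.2}
AUTO_APPROVE_BELOW = 0.3   # Auto-approve: < 0.3
AUTO_REJECT_ABOVE = 0.8    # Auto-reject:  > 0.8  (0.3 - 0.8 is manual review)
EDD_SCORE_TRIGGER = 0.7    # Automatic EDD: risk score > 0.7

# ASSUMPTION: the SOP states component risks categorically; the numeric value
# per category is a constructed mapping for this example, not from the SOP.
KYC_LEVELS = {"clear": 0.0, "partial": 0.5, "failed": 1.0}
SANCTIONS_LEVELS = {"none": 0.0, "potential": 0.5, "match": 1.0}
GEOGRAPHY_LEVELS = {"low": 0.0, "medium": 0.5, "high": 1.0}
PEP_LEVELS = ("none", "indirect", "direct")


@dataclass(frozen=True)
class Applicant:
    """Screening inputs for one application (field names are constructed)."""
    applicant_id: str
    kyc: str                   # "clear" | "partial" | "failed"
    sanctions: str             # "none" | "potential" | "match"
    geography: str             # "low" | "medium" | "high"
    pep: str = "none"          # "none" | "indirect" | "direct"
    suspicious_patterns: bool = False
    large_transaction: bool = False


def risk_score(a: Applicant) -> float:
    """Risk Score = (KYC × 0.4) + (Sanctions × 0.4) + (Geographic × 0.2)."""
    score = (WEIGHTS["kyc"] * KYC_LEVELS[a.kyc]
             + WEIGHTS["sanctions"] * SANCTIONS_LEVELS[a.sanctions]
             + WEIGHTS["geographic"] * GEOGRAPHY_LEVELS[a.geography])
    # Round so float noise (0.2 + 0.1 != 0.3) cannot push a case across a
    # threshold boundary.
    return round(score, 4)


def threshold_decision(score: float) -> str:
    """Route by the SOP thresholds; the band 0.3 - 0.8 is manual review."""
    if score < AUTO_APPROVE_BELOW:
        return "auto-approve"
    if score > AUTO_REJECT_ABOVE:
        return "auto-reject"
    return "manual-review"


def edd_triggers(a: Applicant, score: float) -> list[str]:
    """Return every 'Automatic EDD' trigger listed in the SOP that fires."""
    triggers = []
    if a.pep != "none":
        triggers.append("PEP match")
    if a.geography == "high":
        triggers.append("High-risk geography")
    if score > EDD_SCORE_TRIGGER:
        triggers.append(f"Risk score {score} > {EDD_SCORE_TRIGGER}")
    if a.suspicious_patterns:
        triggers.append("Suspicious patterns")
    if a.large_transaction:
        triggers.append("Large transactions")
    return triggers


def assess(a: Applicant) -> dict:
    """Build the decision record the SOP's audit trail asks for: score,
    routing, EDD triggers and a justification string."""
    if a.pep not in PEP_LEVELS:
        raise ValueError(f"unknown PEP classification: {a.pep!r}")
    score = risk_score(a)
    decision = threshold_decision(score)
    triggers = edd_triggers(a, score)
    # "PEP Process", Direct PEP, step 3: manual review required, so a
    # numerically clean direct PEP is never auto-approved. Indirect PEPs
    # follow standard EDD and the risk-based decision.
    if a.pep == "direct" and decision == "auto-approve":
        decision = "manual-review"
    return {
        "applicant_id": a.applicant_id,
        "score": score,
        "decision": decision,
        "edd_required": bool(triggers),
        "edd_triggers": triggers,
        "justification": f"score={score} ({decision}); " + (
            "EDD: " + "; ".join(triggers) if triggers else "no EDD trigger"),
    }


if __name__ == "__main__":
    # Constructed sample applications, not real applicants.
    for app in (Applicant("A-001", "clear", "none", "low"),
                Applicant("A-002", "partial", "none", "medium", pep="direct"),
                Applicant("A-003", "clear", "match", "low"),
                Applicant("A-004", "failed", "match", "high")):
        print(assess(app))
```

The record returned by `assess` is what the "Audit Trail" section asks to retain per decision (screening result, risk assessment, decision and justification); in a real deployment it would be written to the audit log rather than printed.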

EDD Requirements

Additional Checks:

  • Source of funds verification
  • Additional identity documents
  • References or attestations
  • Background checks
  • Enhanced monitoring

EDD Process

  1. Identify EDD trigger
  2. Request additional information
  3. Verify sources
  4. Conduct enhanced screening
  5. Risk assessment
  6. Decision

PEP Handling

PEP Classification

Direct PEP:

  • Current or former PEP
  • Immediate family member
  • Close associate

Indirect PEP:

  • Distant relative
  • Former associate
  • Historical connection

PEP Process

Direct PEP:

  1. Automatic EDD
  2. Enhanced screening
  3. Manual review required
  4. Risk assessment
  5. Decision with justification

Indirect PEP:

  1. Standard EDD
  2. Risk assessment
  3. Decision based on risk

Source of Funds

Requirements

If Applicable:

  • Fee payments
  • Donations
  • Service contributions
  • Other financial transactions

Verification

Methods:

  • Bank statements
  • Payment receipts
  • Transaction history
  • Attestations
  • Third-party verification

Audit Trail

Requirements

Documentation:

  • All screening results
  • Risk assessments
  • Decisions and justifications
  • EDD materials
  • Audit logs

Retention

Periods:

  • KYC artifacts: 365 days (regulatory)
  • Application metadata: 6 years
  • Audit logs: 7 years
  • Credential status: Indefinite

Access

Controls:

  • Role-based access
  • Audit logging
  • Data minimization
  • Encryption at rest
  • Secure transmission

Compliance

Regulatory Requirements

Jurisdictions:

  • GDPR (EU)
  • CCPA (California)
  • Other applicable laws

Reporting

Obligations:

  • Suspicious activity reports (if applicable)
  • Regulatory reporting
  • Internal reporting
  • Audit reporting

Testing

Mock Audit

Scope:

  • End-to-end process testing
  • Risk assessment validation
  • EDD trigger testing
  • Audit trail verification
  • Compliance checks

Success Criteria

Requirements:

  • All processes documented
  • All decisions justified
  • All audit trails complete
  • All compliance checks passed
  • No critical findings

Revision History

Version | Date       | Author | Changes
1.0     | 2025-11-10 | CISO   | Initial draft

Approval

CISO: _________________ Date: _________

Chancellor: _________________ Date: _________

External Counsel: _________________ Date: _________