AML & Sanctions Policy
UpSwap anti-money laundering, OFAC sanctions screening, and restricted jurisdictions policy: the compliance position of a non-custodial swap widget, real-time SDN screening, Tornado Cash blocking, and law enforcement cooperation.
This English translation is provided for convenience and informational purposes only. In the event of any discrepancy or conflict, the Chinese version (linked below) prevails as the authoritative legal document.
0. Preamble and scope
This policy (the "AML & Sanctions Policy", hereinafter "this Policy") is issued by the UpSwap team (hereinafter "we" or "UpSwap") and takes effect on 2026-06-11. Together with the Terms of Service, Privacy Policy, Disclaimer, and Cookie Policy, this Policy forms the complete legal framework governing your use of the UpSwap cross-chain swap widget (the "Service").
UpSwap is a non-custodial cross-chain swap widget. We do not receive, control, or custody any user assets, do not open accounts for users, and do not hold any crypto asset private keys. This Policy explains the position we take and the measures we apply in the areas of anti-money laundering (AML), counter-terrorist financing (CTF), and international sanctions.
1. Legal basis for not implementing KYC
UpSwap does not perform Know-Your-Customer (KYC) identity verification on users, and does not collect names, identity documents, residential addresses, or other personally identifiable information. This position rests on the following legal analysis:
- 1.1 We do not receive or control user assets — the user's source-chain and destination-chain assets remain under the control of the user's self-custodied wallet at all times; at no point in the transaction flow does UpSwap "hold" or "handle" the assets;
- 1.2 We do not open accounts for users — the Service requires no sign-up, has no account system and no balance ledger, and therefore does not satisfy the core elements of a "money transmitter" under 31 U.S.C. § 5330;
- 1.3 We rely on FinCEN's 2019 guidance (FIN-2019-G001) § 4.5.1 on "anonymizing software providers" — an entity that only provides software / a frontend interface and does not accept or transmit value itself does not constitute a Money Services Business (MSB) under the Bank Secrecy Act;
- 1.4 We position our role as a "software publisher and quote aggregation frontend", not a "money transmitter" or "exchanger".
The analysis above reflects UpSwap's own self-assessment and does not constitute a final determination by any regulator. Should FinCEN, OFAC, or any regulator with jurisdiction reach a contrary determination, we will immediately adjust the scope of the Service or exit the relevant market, rather than continue operating by introducing KYC.
2. Restricted jurisdictions
Users in the following jurisdictions are expressly prohibited from accessing and using the UpSwap Service. This list was last updated on 2026-06-11. We will continue to update it in line with the OFAC, UN, EU, and UK sanctions lists.
- 2.1 Democratic People's Republic of Korea (DPRK / North Korea) — comprehensive OFAC sanctions + UN Security Council Resolutions;
- 2.2 Islamic Republic of Iran (Iran) — comprehensive OFAC sanctions (Iranian Transactions and Sanctions Regulations, 31 CFR Part 560);
- 2.3 Syrian Arab Republic (Syria) — comprehensive OFAC sanctions (Syrian Sanctions Regulations, 31 CFR Part 542);
- 2.4 Republic of Cuba (Cuba) — comprehensive OFAC sanctions (Cuban Assets Control Regulations, 31 CFR Part 515);
- 2.5 Crimea region — OFAC Sectoral Sanctions (Executive Order 13685);
- 2.6 Donetsk region (occupied territory of Ukraine) — OFAC 2022 Executive Order 14065;
- 2.7 Luhansk region (occupied territory of Ukraine) — OFAC 2022 Executive Order 14065;
- 2.8 Zaporizhzhia region (occupied territory of Ukraine) — OFAC 2022 extended sanctions;
- 2.9 Kherson region (occupied territory of Ukraine) — OFAC 2022 extended sanctions;
- 2.10 Saint Kitts and Nevis — additional restriction based on our internal risk assessment;
- 2.11 China Mainland — pursuant to the September 2021 "Notice on Further Preventing and Handling the Risks of Speculation in Virtual Currency Trading" (issued by the People's Bank of China together with nine other ministries, commonly known in practice as the "9.24 Notice"), which prohibits offshore exchanges from providing services to mainland residents;
- 2.12 United States of America (including all states, territories, and possessions) — fully restricted to avoid triggering MSB registration requirements under the BSA and OFAC strict liability;
- 2.13 United Kingdom of Great Britain and Northern Ireland — FCA restrictions on cryptoasset marketing (Financial Promotions Regime, effective October 2023).
3. Geo-blocking technical measures
To enforce the restricted-jurisdiction policy in Section 2, we apply the following technical measures:
- 3.1 Third-party IP geolocation — at the start of each session, the access origin is identified via a third-party IP geolocation database, and IPs located in restricted jurisdictions are refused loading of the trading interface;
- 3.2 VPN / Tor exit node blocking — we maintain lists of known VPN provider egress IPs and Tor exit nodes, and proactively deny access from these nodes;
- 3.3 Browser timezone / language cross-check — after an IP passes initial screening, we additionally check whether the browser timezone and navigator.language are consistent with the declared region; anomalies trigger additional blocking.
Honest statement: we cannot block 100% of users employing residential proxies, customized VPNs, or other advanced evasion techniques. Any user who bypasses geo-blocking by technical means to access the Service is in fundamental breach of the user representations in Section 8 of this Policy, and personally bears all resulting legal consequences.
4. OFAC SDN List wallet address screening
We perform real-time screening of the source wallet address and the destination wallet address involved in every quote request:
- 4.1 Data sources — we use an SDN (Specially Designated Nationals) wallet address database provided by a third-party on-chain analytics vendor, which consolidates the OFAC SDN List, SDN-related digital currency address announcements, and on-chain addresses from the UN/EU/UK sanctions lists;
- 4.2 Screening points — checks are performed three times: when a quote is requested, when a deposit address is generated, and before order submission;
- 4.3 Match handling — a hit on either address results in immediate refusal of service; the frontend displays a refusal message but does not disclose the specific name of the matched list (to avoid providing counter-surveillance information to sanctioned parties);
- 4.4 False-positive remedy — if you believe a screening match is a false positive, you may appeal via compliance@upswap.io, and we will re-review within a reasonable period.
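The three screening points in 4.2 and the non-disclosing refusal in 4.3 can be sketched as follows. This is an added illustration, not UpSwap's code: the function names, rule IDs, refusal text, and blocklist entries are all hypothetical, and the addresses are constructed placeholders rather than real sanctioned addresses. It also shows why re-screening before submission matters when the blocklist is updated between quote and order.

```python
import re

# Constructed placeholder entries, NOT real sanctioned addresses.
# Keys are stored already normalized; values are hypothetical internal rule IDs
# (the kind of "matched rule ID" Section 6.3 says is retained).
SAMPLE_BLOCKLIST = {
    "0x" + "ab" * 20: "RULE-0001",
    "ConstructedPlaceholderAddr111": "RULE-0002",
}
SCREENING_POINTS = ("quote_request", "deposit_address", "order_submit")  # Section 4.2
REFUSAL = "This request cannot be processed."  # generic: names no list (Section 4.3)
EVM_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def normalize(address):
    """EVM hex addresses compare case-insensitively (checksummed forms use
    mixed case); other formats such as base58 are case-sensitive, so only trim."""
    addr = address.strip()
    return addr.lower() if EVM_RE.fullmatch(addr) else addr


def screen(point, source, destination, blocklist, audit_log):
    """Return (allowed, user_message). A hit on either address refuses."""
    if point not in SCREENING_POINTS:
        raise ValueError(f"unknown screening point: {point}")
    for role, addr in (("source", source), ("destination", destination)):
        rule_id = blocklist.get(normalize(addr))
        if rule_id is not None:
            # Internal record only; never echoed to the frontend.
            audit_log.append({"point": point, "role": role,
                              "address": normalize(addr), "rule_id": rule_id})
            return False, REFUSAL
    return True, ""


def demo():
    """Destination is clean at quote time, then listed before submission."""
    blocklist, audit = dict(SAMPLE_BLOCKLIST), []
    src, dst = "0x" + "11" * 20, "0x" + "CD" * 20
    results = [screen("quote_request", src, dst, blocklist, audit)]
    blocklist["0x" + "cd" * 20] = "RULE-0003"  # blocklist update lands mid-flow
    results.append(screen("order_submit", src, dst, blocklist, audit))
    return results, audit


if __name__ == "__main__":
    print(demo())
```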
5. Blocking of Tornado Cash and other sanctioned protocol addresses
Following OFAC's precedent of sanctioning Tornado Cash smart contract addresses on August 8, 2022 (Treasury Press Release JY0916), we add the following categories of on-chain addresses to our blocklist:
- All Tornado Cash smart contract addresses sanctioned in OFAC announcements;
- Mixer service addresses already sanctioned by OFAC, such as Blender.io and Sinbad.io;
- Other smart contract or protocol addresses sanctioned by OFAC, the UN, the EU, or the UK.
UpSwap refuses to provide cross-chain routing quotes for funds originating from, or destined for, any of the above addresses. We continuously track OFAC SDN List update announcements and typically complete blocklist rule updates within 24 hours after a new sanctions announcement is published.
6. Suspicious activity response
Once screening or risk-control rules trigger a suspicious signal, we immediately execute the following handling process:
- 6.1 Immediately reject the current order and display a refusal notice on the frontend;
- 6.2 Freeze all active quotes for the address in question (quote freeze) and refuse to generate new quotes during a reasonable cooling-off period;
- 6.3 Retain on-chain evidence for 30 days — including relevant transaction hashes, matched rule IDs, quote timestamps, and IP and user-agent metadata, available for retrieval upon lawful requests from law enforcement;
- 6.4 After the retention period expires, unless a lawful judicial request has been received or an internal investigation is ongoing, the evidence is deleted in accordance with Section 9 of the Privacy Policy.
7. Law enforcement cooperation
UpSwap is committed to assisting law enforcement, to the extent permitted by law, in combating financial crime and sanctions evasion:
- 7.1 Lawful requests — we respond only to law enforcement requests that satisfy one of the following: (a) a subpoena or court order issued by a court of competent jurisdiction; (b) a request transmitted through formal Mutual Legal Assistance Treaty (MLAT) channels; (c) a verified written emergency disclosure request from law enforcement in situations involving imminent threat to life;
- 7.2 Scope of disclosure — we provide only log data within the retention period described in Section 6 of this Policy; we do not reconstruct data that does not exist, and we structurally hold no KYC information capable of identifying users;
- 7.3 No proactive reporting — unless explicitly compelled by law (for example, mandatory SAR filing with the UK NCA or mandatory STR filing in Singapore), we do not proactively submit suspicious activity reports to any regulator;
- 7.4 User notice — where legally permitted, we will notify affected users within a reasonable period before executing a law enforcement request; where notice is legally prohibited (for example, under a gag order), we will comply strictly.
8. User representations
Each time you use the UpSwap Service, you make the following continuing representations and warranties, without any further click-through confirmation:
- 8.1 Lawful source of funds — all crypto assets used in your transaction come from lawful sources and do not involve drug trafficking, terrorist financing, corruption, fraud, ransomware, darknet markets, or any other criminal proceeds;
- 8.2 Not a sanctioned party — neither you, any entity you represent, nor the ultimate beneficiary of your transaction appears on the OFAC SDN List, the UN 1267 sanctions list, EU Restrictive Measures, or the UK OFSI Consolidated List;
- 8.3 Not in a restricted jurisdiction — your current location, habitual residence, and nationality do not fall within any restricted jurisdiction listed in Section 2 of this Policy;
- 8.4 No evasive access — you have not used a VPN, Tor, residential proxies, or any other technical means to bypass UpSwap's geo-blocking measures.
Any untrue representation constitutes a fundamental breach of this Policy. You alone bear all resulting legal liability (including but not limited to criminal, administrative, and civil liability), and you shall provide full indemnification to UpSwap for all losses we suffer as a result.
9. VASP applicability boundary statement
We take the position that the services provided by UpSwap do not constitute a Virtual Asset Service Provider (VASP) as defined in the FATF (Financial Action Task Force) "Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs" updated in October 2021, nor a VASP / DASP / CASP / crypto asset service provider as defined in any jurisdiction's localized legislation enacted on that basis.
The core defenses for this position include:
- 9.1 No holding of customer assets — we do not receive, control, or custody any user crypto assets, and hold no corresponding private keys;
- 9.2 No issuance of crypto assets — we do not issue, underwrite, or distribute any crypto assets, tokens, or financial instruments;
- 9.3 No custody for customers — we do not open accounts for customers, hold no identifiable customer records, and have no customer asset-liability relationship;
- 9.4 No counterparty matching — we act solely as a frontend aggregation layer that routes users' quote requests to multiple third-party liquidity providers; we do not match P2P counterparties;
- 9.5 Positioned as software — our core deliverable is a quote-aggregation frontend (widget), not a financial service.
The statement above reflects UpSwap's legal position and does not constitute a final determination by any regulator. Should any regulator with jurisdiction reach a contrary determination, we will immediately cease providing the Service in that jurisdiction, rather than retain the right to operate by introducing KYC, customer due diligence (CDD), or asset custody.
10. Travel Rule position
FATF Recommendation 16 (commonly known as the "Travel Rule") requires VASPs to collect and transmit originator and beneficiary identity information when transferring crypto assets. Our position is as follows:
- 10.1 Not applicable — for the reasons stated in Sections 1 and 9, we do not constitute a VASP and structurally do not collect originator/beneficiary information; the Travel Rule therefore does not apply to UpSwap as a matter of fact;
- 10.2 No passive receipt — we do not accept customer identity information transmitted by other VASPs through Travel Rule protocols such as TRP, Sumsub, Notabene, or Shyft; should any such transmission arrive, we will not process it and will destroy it immediately in accordance with the Privacy Policy;
- 10.3 Response to mandatory requirements — should any jurisdiction compel us to implement the Travel Rule (i.e., require KYC collection as a condition of continued operation), we will immediately cease providing the Service in that jurisdiction rather than compromise by introducing KYC.
11. FATF Recommendation 15 and the DeFi gray zone
We acknowledge that FATF Recommendation 15 and its October 2021 updated guidance leave a gray zone — not yet fully harmonized at the international regulatory level — around their applicability to DeFi and non-custodial software services. Jurisdictions diverge on how to assess "sufficient control or influence" when deciding whether to bring DeFi protocols or frontends within the VASP perimeter.
Against this backdrop, UpSwap chooses transparency over avoidance:
- We publish this Policy and do not shy away from regulatory discussion;
- Under the OFAC strict liability framework, we adopt the strictest restricted-jurisdiction list rather than minimum-level compliance;
- Between KYC and geo-blocking, we choose geo-blocking plus user representations, on the grounds that the former creates irreversible personal data risk while the latter better fits the nature of a non-custodial service;
- We continuously monitor the latest legislative developments from FATF, IOSCO, and BIS on DeFi regulation, and will proactively adjust this Policy when material changes occur.
12. AML compliance contact
Compliance inquiries about this Policy, law enforcement cooperation requests, SDN false-positive appeals, and other AML/Sanctions matters should all be directed to the following mailbox:
- Email: compliance@upswap.io;
- Applicable matters: service of subpoenas / court orders, MLAT requests, emergency law enforcement requests, SDN screening false-positive appeals, regulator inquiries, compliance audit needs;
- Response time: routine inquiries within 10 business days; emergencies involving imminent threat to life within 24 hours;
- Languages: Chinese / English.
This Policy takes effect on 2026-06-11 and is governed by BVI law. Any dispute arising from this Policy shall be resolved by arbitration in Singapore administered by the Singapore International Arbitration Centre (SIAC) under its arbitration rules then in force. The UpSwap team reserves the right to update this Policy at any time; material updates will be announced via site notices and in-widget prompts.
Contact
For AML, sanctions screening, law enforcement cooperation, SDN false-positive appeals, and other compliance matters under this Policy, contact compliance@upswap.io. We commit to responding to lawful requests within a reasonable period.