AML / KYC Policy

Last updated: February 12, 2026

Data Controller: Bank of Bali · Contact: hello@bankofbali.com

Bank of Bali takes anti-money-laundering (AML) and counter-terrorism-financing (CTF) seriously. This policy explains the controls we apply, when we may ask for additional information, and how we balance them against your right to privacy.

1. Overview

Although Bank of Bali is a non-custodial wallet provider, certain operations (fiat on-ramp, OTC, merchant settlement) involve regulated counterparties. We apply a risk-based AML framework consistent with the FATF Recommendations (2012, as amended), the EU's 6th AMLD, and the standards expected by our payment partners.

2. Risk-based approach

We assess risk along four axes: user (geography, profile), product (wallet vs. swap vs. OTC), transaction (size, velocity, counterparty), and delivery channel. Most users — small-balance, non-fiat — fall into the lowest risk band and never face additional checks.

3. Thresholds & triggers

We may request additional information when one or more of the following is true:

  • A single transaction (or cumulative 30-day volume) exceeds USD 1,000 in fiat-on-ramp value.
  • An OTC desk request is submitted.
  • Our fraud-detection AI flags VPN/proxy abuse, impossible-travel, or behavioural anomalies.
  • A counterparty address appears on chain-analytics deny-lists.
  • A regulator or partner requires it.

4. Enhanced due-diligence (EDD)

Where EDD is required, we may ask for: government-issued ID, proof of address (utility bill / bank statement < 3 months), source-of-funds declaration, and — for OTC — proof of beneficial ownership. EDD documents are encrypted at rest, accessible only to compliance staff, and deleted in line with our retention schedule.

5. Sanctions & PEP screening

All EDD subjects are screened against the OFAC SDN List, UN Consolidated List, EU sanctions, HM Treasury OFSI, and politically-exposed-persons (PEP) databases. Matches result in transaction refusal and, where required, regulatory reporting.

6. Transaction monitoring

Our internal "Fraud" and "Security" AI agents continuously evaluate login telemetry and transaction patterns. The AI cannot itself freeze user funds (we are non-custodial) but it can refuse fiat-on-ramp, OTC, or platform-credit payouts.

7. Suspicious activity reports

Where we have a reasonable suspicion of unlawful activity, we will file a Suspicious Activity Report (SAR) with the appropriate Financial Intelligence Unit. By law, we may be prohibited from telling you that a SAR has been filed ("tipping-off" rules).

8. Your rights during AML review

You retain all GDPR data-subject rights. You may request a copy of any document you submitted. If we close your account on AML grounds, you may export your wallet via your seed phrase at any time — we never have custody of your funds.

9. Record-keeping

AML-relevant records are retained for at least 5 years after the end of the business relationship or the date of the relevant transaction, in line with FATF Recommendation 11.

10. Contact

Compliance enquiries: hello@bankofbali.com with subject "AML / Compliance".

© 2026 Bank of Bali · All rights reserved.