Compliance Statement

1. Regulatory Framework

Our compliance programme is designed to satisfy the requirements of:

• Canada: Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), FINTRAC guidance and directives for Money Services Businesses, Canadian sanctions legislation (SEMA, JVCFOA, United Nations Act), and PIPEDA
• United States: Bank Secrecy Act (BSA), FinCEN regulations for Money Services Businesses, OFAC sanctions programmes, and state money transmitter licensing requirements
• International: Financial Action Task Force (FATF) Recommendations, EU Anti-Money Laundering Directives (where applicable to cross-border corridors), and GDPR

2. Governance

The board of directors bears ultimate responsibility for the effectiveness of the compliance programme. A designated Compliance Officer is responsible for day-to-day implementation and oversight, with a direct reporting line to the board independent of business line management.

Anton adopts the three lines of defence model:

• First Line: Business operations apply due diligence procedures, identify unusual activity, and comply with screening and velocity controls
• Second Line: The compliance function designs and maintains the programme, monitors effectiveness, reviews alerts, conducts risk assessments, and files regulatory reports
• Third Line: Independent external review assesses programme effectiveness at least every two years as required by PCMLTFA s. 9.6(c)

3. Compliance Programme Components

Our compliance programme is governed by a comprehensive policy framework. The following policies are available for review:

Anti-Money Laundering and Anti-Terrorist Financing

Our AML/ATF Policy establishes the full compliance programme required under PCMLTFA s. 9.6 and BSA/FinCEN MSB requirements, including customer due diligence, transaction monitoring, suspicious activity reporting, PEP screening, and record keeping.

Know Your Customer / Know Your Business

Our KYC/KYB Policy details the four-step merchant onboarding process, beneficial ownership verification, tiered due diligence (standard and enhanced), risk scoring, and ongoing monitoring. All identity verification is performed through Persona.

Sanctions Compliance

Our Sanctions Compliance Policy covers screening against OFAC, UN Security Council, CCASL, EU, and FATF lists at multiple lifecycle points, infrastructure-level country blocking, name matching methodology, Travel Rule compliance, and ministerial directive monitoring.

Data Protection and Privacy

Our Privacy Policy and Data Processing Agreement address compliance with PIPEDA (Canada), GDPR (EU), and CCPA (California). All personally identifiable information and payment instruments are stored in PCI DSS-certified vault infrastructure (Basis Theory), separate from our core database.

Acceptable Use

Our Acceptable Use Policy defines prohibited activities, restricted industries, and the conditions under which Anton may suspend or terminate merchant accounts.

4. Transaction Monitoring

Transaction monitoring is not a bolt-on — it is embedded in the core of Anton's payout processing infrastructure. Every payout is evaluated in real time before it can proceed to a payment rail. Our monitoring operates across multiple intelligence layers including deterministic rules, anomaly detection, graph intelligence, cross-platform payee network analysis, and adaptive recalibration with human governance.

A separate velocity rules engine operates at the API boundary with fail-closed semantics: if the monitoring infrastructure is unavailable, transactions are blocked rather than allowed to bypass controls.

5. Registrations and Certifications

For current information on our regulatory registrations, money transmitter licences, and compliance certifications, see our Licenses & Registrations page.

6. Network Partners

Anton partners with certified infrastructure providers to maintain security and compliance across the platform:

• Basis Theory (PCI DSS Level 1, SOC 2 Type II, ISO 27001, ISO 27701) — tokenisation vault for all PII and payment instruments
• Persona (SOC 2 Type II, ISO 27001, PCI DSS, FedRAMP) — KYB/KYC identity verification, PEP screening, and sanctions screening
• Google Cloud (SOC 1/2/3, ISO 27001, PCI DSS, FedRAMP) — all infrastructure hosted on Google Cloud Platform
• WorkOS (SOC 2 Type II, HIPAA) — enterprise identity and authentication

7. Regulatory Cooperation

Anton fully cooperates with regulatory authorities and maintains readiness to respond to examinations at all times. We maintain cooperative relationships with:

• Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
• Financial Crimes Enforcement Network (FinCEN)
• Office of Foreign Assets Control (OFAC)
• State money transmitter regulators

Anton commits to producing records within 72 hours for standard regulatory requests and 24 hours for urgent requests from FINTRAC or FinCEN.

8. Independent Review

The compliance programme is subject to independent review at least every two years as required by PCMLTFA s. 9.6(c). The review assesses the adequacy of policies and procedures, risk assessment methodology, CDD application, transaction monitoring effectiveness, sanctions screening, reporting timeliness, training, and record-keeping. Findings are tracked to closure with evidence and reported to the board.

9. Reporting Concerns

If you have concerns about our compliance practices or wish to report potential violations, please contact:

Anton Payments, Inc.
Compliance Department
Email: compliance@antonpayments.com

Personnel who report suspected violations in good faith are protected from retaliation.

10. Policy Updates

This statement is reviewed at least annually and updated following material regulatory changes, changes to products or risk profile, or findings from the independent review. Material changes are approved by the board of directors.