Compliance
Last updated: April 2026 · Version 1.0
Twinfin Ltd. is building an EU-regulated payment and crypto settlement platform under MiCA CASP and EMI authorisation pathways from Cyprus. This page summarises the regulatory frameworks we operate under and the controls we maintain. It is intended for partners, customers, and regulators who want a single reference point.
1. Regulatory status
- MiCA CASP — Markets in Crypto-Assets Regulation, Crypto-Asset Service Provider authorisation pathway in Cyprus. Covers custody, transfer, exchange, and order execution of crypto-assets.
- EMI — E-Money Institution authorisation pathway (Directive 2009/110/EC, as transposed into Cyprus law). Covers issuance and redemption of e-money, fiat payment accounts, and payment services.
- AMLD / AML Regulation — full alignment with the EU Anti-Money Laundering regime.
- Travel Rule — originator and beneficiary information transmitted in accordance with MiCA Title IV.
- PSD2 — payment services are framed by Directive (EU) 2015/2366 (PSD2) as transposed into Cyprus law; relevant safeguarding, strong customer authentication, and incident reporting obligations apply via our EMI partner today and to TWINFIN directly post-authorisation.
- Cyprus Companies Law (Cap. 113) — Twinfin Ltd. is incorporated and governed under Cap. 113.
2. Interim fiat partnership
Until our own EMI authorisation is granted, fiat payment services are delivered under an agency arrangement with a regulated EMI partner. All fiat flows, safeguarding, and settlement are performed on the partner's regulated ledger, under their authorisation. Customer funds are segregated in accordance with EMI safeguarding rules. Our MiCA CASP scope covers the crypto side in parallel.
3. AML / KYC program
4. Governance & controls
- Board-approved compliance framework with independent MLRO and DPO.
- Three lines of defence: business controls · compliance/risk · independent audit.
- Annual external audit of financial statements and periodic internal audit of AML/CTF controls.
- Segregation of duties, dual approval on sensitive operational actions, and privileged access reviews.
5. Custody & safeguarding
- Fiat: held with safeguarding bank partners in segregated accounts in line with EMI rules.
- Crypto: multi-party computation (MPC) custody with hardware-backed key shards, geographically distributed. Cold storage thresholds enforced above operational balances.
- Proof-of-Reserves statements planned on a rolling quarterly basis once CASP authorisation is in effect.
6. Security
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- SOC 2 Type II and ISO 27001 alignment (certifications in progress).
- Bug bounty programme and regular third-party penetration tests.
- Incident response runbooks with regulator notification procedures.
7. Reporting & transparency
- Real-time dashboards for customers covering flows, fees, and FX.
- Annual regulatory returns and disclosures.
- API-accessible audit trail covering all customer and admin actions.
8. Contact
Compliance queries: compliance@twinfin.tech. MLRO: mlro@twinfin.tech. Regulator liaison: regulator@twinfin.tech.