Compliance
Last updated: May 2026 · Version 2.0
Pre-launch notice. Twinfin is not currently authorised by CySEC. The framework below describes the controls Twinfin is building and will operate from the date the relevant authorisations are granted. Each control is marked operational today, in design, or from authorisation. Nothing on this page is an offer of services or a representation that any authorisation has been granted.
Twinfin Ltd. is building a payment and crypto settlement platform on the MiCA CASP and EMI authorisation pathways from Cyprus. This page summarises the regulatory frameworks we are designing toward and the controls we maintain. It is intended for partners, customers, and regulators who want a single reference point.
1. Regulatory pathway
- MiCA CASP — in progress. Markets in Crypto-Assets Regulation, Crypto-Asset Service Provider authorisation pathway in Cyprus. Once granted, scope will cover custody, transfer, exchange, and order execution of crypto-assets.
- EMI — in progress. E-Money Institution authorisation pathway (Directive 2009/110/EC, as transposed into Cyprus law). Once granted, scope will cover issuance and redemption of e-money, fiat payment accounts, and payment services.
- Cyprus Companies Law (Cap. 113) — operational today. Twinfin Ltd. is incorporated and governed under Cap. 113.
- EU AMLD / AML Regulation — from authorisation. Once Twinfin is an obliged entity, the full EU AML regime will apply, including reporting to the Cyprus Financial Intelligence Unit (MOKAS).
- Travel Rule — from CASP authorisation. Originator and beneficiary information will be transmitted in accordance with MiCA Title IV.
- PSD2 — interim via EMI partner, then directly from EMI authorisation. Until Twinfin's own EMI is granted, payment services run via a regulated EMI partner under their authorisation; safeguarding, strong customer authentication, and incident reporting apply via that partner. Post-authorisation these obligations apply to Twinfin directly.
2. Interim fiat partnership
Until Twinfin's own EMI authorisation is granted, fiat payment services will be delivered under an agency arrangement with a regulated EMI partner. All fiat flows, safeguarding, and settlement will be performed on the partner's regulated ledger, under their authorisation, in segregated accounts in accordance with EMI safeguarding rules. The MiCA CASP scope, once granted, will cover the crypto side in parallel. The named partner will be disclosed in customer Order Forms prior to onboarding.
3. AML / KYC program — design (operational from authorisation)
The pillars below describe the AML/KYC programme Twinfin is designing to operate as an obliged entity once authorisations are granted. Until then, Twinfin is not yet an obliged entity under Cyprus AML law and does not file Suspicious Activity Reports.
4. Governance & controls
- Compliance framework — in design. Board-approved compliance framework with named MLRO and DPO; statutory MLRO role takes effect from the date of authorisation.
- MLRO designate: Sergey Semeniuk (statutory MLRO from authorisation date) — mlro@twinfin.tech.
- DPO: Sergey Semeniuk — dpo@twinfin.tech.
- Three lines of defence — operational from authorisation: business controls · compliance/risk · independent audit.
- External audit — from authorisation: annual external audit of financial statements and periodic internal audit of AML/CTF controls.
- Operational hygiene — operational today: segregation of duties, dual approval on sensitive operational actions, and privileged-access reviews.
5. Custody & safeguarding
- Fiat — from EMI authorisation: held with safeguarding bank partners in segregated accounts in line with EMI rules. Until then, fiat is held under the EMI partner's safeguarding regime.
- Crypto — from CASP authorisation: multi-party computation (MPC) custody with hardware-backed key shards, geographically distributed. Cold-storage thresholds enforced above operational balances.
- Proof-of-Reserves — from CASP authorisation: rolling quarterly statements planned once authorisation is in effect.
6. Security
- Operational today: TLS 1.3 in transit, modern security headers (HSTS preload, X-Frame-Options: DENY, strict referrer policy) on the marketing site.
- From platform launch: AES-256 encryption at rest, RBAC with least privilege, MFA on administrative access.
- In design: SOC 2 Type II and ISO 27001 alignment; certifications targeted post-launch.
- From platform launch: third-party penetration testing on a recurring schedule. A bug-bounty programme is planned post-launch.
- In design: documented incident-response plan with regulator-notification paths.
7. Reporting & transparency
- From platform launch: real-time dashboards for customers covering flows, fees, and FX.
- From authorisation: annual regulatory returns and disclosures.
- From platform launch: API-accessible audit trail covering all customer and admin actions.
8. Forward-looking statements
Statements about future authorisations, services, partners, controls, and timelines are forward-looking. They are contingent on regulatory approvals and may change. Nothing on this page is an offer of services or a representation that any authorisation has been granted.
9. Contact
Compliance queries: compliance@twinfin.tech. MLRO designate (statutory MLRO from authorisation): mlro@twinfin.tech — Sergey Semeniuk. Data Protection Officer: dpo@twinfin.tech.