Our compliance program
LiveCooud Exchange runs a defence-in-depth compliance program built around five pillars: anti-money-laundering (AML), know-your-customer (KYC), sanctions screening, transaction monitoring, and suspicious-activity reporting. The program is overseen by a designated compliance officer and is reviewed annually against FATF guidance and the regulatory regimes in each jurisdiction we operate in.
The controls described below are built into the request path of trades, deposits, and withdrawals and are configurable per jurisdiction and product. Active enforcement of each control depends on its current rollout phase and the operating regime for your market — see the status indicator on each section.
KYC tiers
AvailableWe define three KYC tiers. Each tier is designed to unlock specific functionality and limits, with upgrades processed asynchronously after document review (typically within 24 hours). Whether a given tier is required to withdraw is configured per jurisdiction and product, and may not be enforced in every market at this stage of rollout.
- Email confirmation
- Government ID
- Selfie / liveness check
- Proof of address
- Source of funds
Limits are denominated in USD-equivalent at the time of the withdrawal and refresh on a 24-hour rolling window. Limits may be lower for specific assets or chains when on-chain conditions require additional gating.
AML / sanctions screening
AvailableCooud Exchange integrates real-time withdrawal-address screening that, when enabled for a market, checks each address before broadcast. The integration supports TRM Labs as the primary screening provider, with Chainalysis as a fallback for redundancy and cross-validation on high-risk flows.
When enabled, the screening surface covers:
- Sanctions lists — OFAC SDN, EU consolidated, UK OFSI, UN Security Council;
- Known illicit-finance addresses — hacks, ransomware, darknet markets, mixers;
- High-risk-jurisdiction exposure scores;
- Politically-exposed-person (PEP) screening on KYC submission and ongoing.
Where screening is active, withdrawals to sanctioned or high-risk addresses are blocked automatically and borderline cases are queued for compliance review, typically resolved within one business day. Screening enforcement is configured per jurisdiction and product and may not be active in every market at this stage of rollout.
Transaction monitoring
AvailableThe matching engine and ledger emit a structured event for every deposit, trade, conversion, and withdrawal. A rules engine can evaluate each event against a portfolio of detection patterns, including:
- Per-user velocity gates over 1-hour, 24-hour, and 7-day rolling windows;
- Structuring patterns — small amounts crafted to stay under thresholds;
- Anomalous geography or device fingerprint shifts mid-session;
- Counterparty clustering — repeated trading against the same external entity;
- Round-trip patterns suggestive of layering.
When monitoring is active for a market, hits are routed to a manual review queue. Reviewers can request additional information, freeze affected balances pending resolution, or escalate to a suspicious-activity report (SAR) where required. Monitoring enforcement is configured per jurisdiction and product and may not be active in every market at this stage of rollout.
Operator controls
LiveCompliance and operations staff have first-class tooling — not a back-channel into the database, but auditable surfaces with the same security posture as the customer-facing app.
- Pending-withdrawal queue with approve, hold, and escalate actions;
- Per-account freeze controls with documented reason codes;
- Reconciliation drift dashboard — flags when off-chain balances diverge from on-chain state;
- SHA-256 hash-chained audit log for every privileged action, retained for 7 years;
- Break-glass procedures for emergency response, with mandatory dual approval.
Operational runbooks are documented and version-controlled. See the operator handbook for the public-facing procedure index.
Audit and reconciliation
LiveAutomated reconciliation runs hourly across every chain we support, comparing the internal ledger against on-chain wallet balances. Any drift greater than the per-chain tolerance triggers an alert and a review.
- Hourly automated balance reconciliation Live
- Quarterly internal compliance review Live
- Annual external financial audit Planned 2026 Q3
- SOC 2 Type II Target 2027
- Proof-of-reserves attestation Planned 2026 Q4
When the external audit and SOC 2 report are available, we will publish the executive summary on this page.
Regulatory licenses
In progressCooud Exchange operates under [pending licenses]. Specifics — including the issuing authority, scope, and any conditions — will be published on this page when each license is granted in each jurisdiction we serve.
Where required, we register as a money-services business or virtual-asset service provider before offering the relevant services to residents of that jurisdiction. We do not offer products in any jurisdiction where we are not authorised to do so.
Regulator cooperation
StatutoryWe respond to lawful subpoenas, court orders, and regulatory requests in accordance with applicable law. We do not voluntarily disclose customer data outside that framework.
- Suspicious-activity reports (SARs) are filed with the relevant financial-intelligence unit when triggered;
- Currency-transaction reports (CTRs) are filed where statutory thresholds apply;
- Law-enforcement requests must be served on our designated agent and accompanied by appropriate legal process;
- We publish an annual transparency report summarising the number and type of requests received and the responses given.
Travel rule compliance
AvailableFor virtual-asset transfers at or above the applicable threshold (in most jurisdictions, USD 1,000), Cooud Exchange supports collecting and transmitting originator and beneficiary information to the receiving virtual-asset service provider in accordance with FATF Recommendation 16 and local implementations. Travel rule enforcement is configured per jurisdiction and is applied where required for your market.
Required fields include the originator's name, account or wallet reference, address or national identifier, and equivalent fields for the beneficiary. The data is transmitted over an authenticated channel and is not used for any purpose beyond travel-rule compliance.
Transfers to self-hosted (unhosted) wallets are handled in accordance with the applicable local rules — including additional verification or attestation where required.
Contact compliance
Direct lineFor compliance enquiries, lawful requests for information, or to file a report:
Compliance team
compliance@cooud.exchange
Responses within 5 business days.
Law enforcement portal
le@cooud.exchange
Process must be served via authenticated channel.

