Anti-Money Laundering and Counter-Terrorist Financing Policy

1. General Provisions

1.1. This Anti-Money Laundering and Counter-Terrorist Financing Policy (hereinafter referred to as the “Policy”) outlines the commitment of AEXchanger Service (hereinafter referred to as the “Service”, “We”, or “Us”), to the prevention of money laundering (hereinafter referred to as the “ML”) and terrorist financing (hereinafter referred to as the “TF”).

1.2. The EX Rock s.r.o. (hereinafter referred to as the “Company”) operates the online platform AEXchanger Service accessible at https://aexchanger.com (hereinafter referred to as the “Website”).

1.3. As an obligated entity under Act № 253/2008 Coll. on Selected Measures Against Legitimisation of Proceeds of Crime and Financing of Terrorism (hereinafter referred to as the “AML Act”), the Company ensures strict adherence to all applicable Czech laws, European Union (hereinafter referred to as the “EU”) regulations, and international AML/CFT standards, including the Financial Action Task Force (hereinafter referred to as the “FATF”) Recommendations and guidance from the Financial Analytical Office (hereinafter referred to as the “FAO”).

1.4. This Policy is designed to ensure regulatory compliance, protect our Clients and operations from financial crime risks, and promote a strong culture of integrity and compliance throughout the Company.

2. Definitions

AEXchanger Service: It is an online Platform providing a Service for the exchange of Crypto-assets for funds, as well as for other Crypto-assets, and enables the transfer of Crypto-assets on behalf of Clients. The service is owned by the Company.

Client: Any individual or legal person who wishes to use the Company's Services and accepts our Client Agreement.

Company: EX Rock s.r.o., commercial company, ID number 193 14 850, with a registered office at Roháčova 145/14, Žižkov, 130 00 Prague 3, Czech Republic, registered by the Municipal Court in Prague, Section C, Insert 384567.

Anti-money laundering (hereinafter referred to as the “AML”): a set of activities, procedures and regulations designed to prevent criminal activities related to ML.

Financial Analytical Office (hereinafter referred to as the “FAO”): the Financial Intelligence Unit of the Czech Republic responsible for receiving and analyzing reports of suspicious activities under the AML Act.

High-Risk Third Country: a non-EU country identified by the European Commission as having strategic deficiencies in its AML/CFT regime, as listed under the AML Act and applicable EU regulations.

Know Your Customer (hereinafter referred to as the “KYC”): a process of identifying and verifying the identity of the Client, beneficial owner, and person acting on behalf of the Client, understanding the purpose and intended nature of the business relationship, monitoring ongoing transactions, and ensuring compliance with legislative obligations.

Money Laundering (hereinafter referred to as the “ML”): the process of concealing the illicit origin of assets derived from criminal activity, including conversion, transfer, concealment, acquisition, or use of such assets.

Occasional transaction: a transaction which is not performed under business relationships.

Politically Exposed Person (hereinafter referred to as the “PEP”): an individual who is or has been entrusted with a prominent public function, including their close associates and family members, as defined in the AML Act.

Restricted Countries: countries or jurisdictions where the Company does not provide its Services due to applicable sanctions, AML/CFT risks, or legal prohibitions. The list of Restricted Countries is maintained and updated in accordance with international sanctions and high-risk third-country lists.

Screening: the process of verifying Clients and transactions against applicable sanctions lists, PEP databases, and other watchlists to prevent engagement with prohibited or high-risk parties.

Terrorist Financing: the provision or collection of funds intended to support terrorist acts, individuals, groups, or organizations, as defined in the AML Act.

Website: the Company’s official Website, accessible at https://aexchanger.com, which serves as the primary source for publishing information about the Services, legal documentation, public communications, contact information, and any official Offers.

3. Client Due Diligence

3.1. The Company implements a risk-based Customer Due Diligence (hereinafter referred to as the “CDD”) framework in accordance with the AML Act, EU legislation, and international standards.

3.2. CDD is applied prior to establishing any business relationship or executing a transaction, with continuous monitoring throughout the duration of the relationship. The Company does not permit anonymous accounts or occasional transactions and does not exempt any Client from due diligence obligations.

3.3. Simplified due diligence (hereinafter referred to as the “SDD”) may be applied only in limited and clearly justified low-risk cases and never for individual Clients. Even in SDD scenarios, the Company verifies whether the Client, its representative, or its beneficial owner is a PEP or subject to international sanctions, and identifies the ultimate beneficial owner (hereinafter referred to as the “UBO”) in the case of legal entities. If risk indicators change or doubts arise, the Company re-evaluates the situation and applies a higher level of due diligence.

3.4. Regular due diligence (hereinafter referred to as the “RDD”) is the default approach and includes verification of the Client’s identity, UBO structure, source of funds, business activity, and transaction purpose. The Company assesses the connection to high-risk jurisdictions and ensures that all data is sufficient for ongoing monitoring and detection of suspicious patterns.

3.5. Enhanced due diligence (hereinafter referred to as the “EDD”) is mandatory in high-risk cases, especially when the Client or transaction involves a high-risk third country or meets risk triggers defined by the AML Act. EDD requires obtaining additional information on the Client and the UBO, verifying documents through reliable sources, closely monitoring the relationship, and involving senior management in approval processes. The Company may impose additional control measures, including transaction limits or payment restrictions, to mitigate elevated risks.

4. Client Identification and KYC

4.1. The Company applies robust KYC measures to prevent ML, TF, and financial fraud. All Clients must be identified and verified before entering into a business relationship, in accordance with the AML Act and internal AML procedures.

4.2. Identification of natural persons includes collection and verification of the Client’s full name, date and place of birth, gender, nationality, permanent or other residence, type and number of ID document, issuing authority and validity, contact details, and purpose of the business relationship. If the person conducts business, their business name, registered office, and personal identification number must also be collected.

4.3. All natural persons are subject to risk-based KYC procedures. The Company applies three levels of identification depending on the transaction amount or risk. Basic verification includes document check and biometric liveness. Higher levels require proof of address, source of wealth, and source of funds.

4.4. Identification of legal persons includes business name, legal form, registered and operating address, registration and tax data, nature and place of business, website, licenses, AML policies, and ownership and control structure. Verification is conducted through corporate documents such as Certificate of Incorporation, Articles of Association, Share Register, and proof of address. The Company may also request bank statements or invoices to confirm the source of funds.

4.5. The ownership and control structure must be verified in all cases. Identification of directors, representatives (if applicable), and beneficial owners includes the same personal data as for natural persons, along with documentation confirming their authority or roles. In the case of a legal person as a beneficial owner, the Company verifies its registration data and traces the ownership chain to the ultimate beneficial owner – a natural person. Any person holding 25% or more of ownership is considered a beneficial owner under applicable law.

4.6. Clients are required to submit the data via the KYC provider’s platform, including uploading documents and completing a questionnaire. The Company uses third-party KYC providers to perform verification, including ID scan and liveness detection. In certain cases, alternative methods such as BankID, electronic identification, or verification through initial bank transactions may be used.

4.7. PEPs, their family members, and close associates are not accepted as Clients. The Company screens all Clients at onboarding and during the business relationship to detect PEPs, using external databases and continuous monitoring. Any detected PEP relationship leads to immediate termination and reporting to authorities.

4.8. The Client must provide all requested information truthfully and cooperate with the identification process. The Company may request additional documents where deemed necessary. All data is processed in compliance with AML/CFT obligations and data protection requirements.

5. Sanctions Compliance

5.1. The Company strictly adheres to international and national sanctions regimes and does not provide services to individuals or entities who are subject to restrictive measures or originate from sanctioned jurisdictions.

5.2. The Company applies screening and restrictions in accordance with:

• United Nations Security Council Consolidated Sanctions List;
• EU Sanctions according to the EU Sanctions Map;
• Czech national list of sanctioned persons;
• Office of Foreign Assets Control (OFAC) sanctions list;
• United Kingdom’s Her Majesty Treasury Sanctions List;

5.3. Client screening is conducted using a licensed third-party provider, integrated into the onboarding and ongoing monitoring process. The Company performs automated screening against both individual and jurisdictional sanctions lists.

5.4. In line with applicable legislation and internal risk-based approach, the Company does not accept Clients from the following jurisdictions: Abkhazia, Afghanistan, Azerbaijan, Bangladesh, Belarus, Bolivia, Burundi, Cambodia, Central African Republic, China, Crimea (region of Ukraine), Cuba, Democratic Republic of the Congo, Eritrea, Equatorial Guinea, Federal Republic of Amazonia, Gabon, Guatemala, Guinea, Guinea-Bissau, Haiti, Honduras, Iran, Iraq, Kosovo, Kyrgyzstan, Lebanon, Libya, Madagascar, Mali, Myanmar (Burma), Non-government controlled areas of Donetsk, Luhansk, Kherson, and Zaporizhzhia regions (Ukraine), Nicaragua, Niger, North Korea (DPRK), Pakistan, Palestine, Paraguay, Republic of Artsakh, Russia, Somalia, South Ossetia, South Sudan, Sudan, Syria, Tajikistan, Transnistria, Tunisia, Turkmenistan, Venezuela, Yemen, Zimbabwe.

5.5. Additionally, the Company does not accept Clients from countries requiring a local service license for crypto-related activities: Australia, Canada, Japan, New Zealand, United Kingdom, United States of America.

5.6. The Company implements the following key measures:

• Screening all Clients and transactions against relevant sanctions lists before onboarding and during the business relationship.
• Blocking or rejecting any transaction or relationship that violates or may violate applicable sanctions laws.
• Investigating and reporting suspicious attempts to circumvent sanctions.
• Adhering to regulatory reporting obligations regarding any sanctions breaches.
• Refusing services based on ethical, reputational, or geopolitical considerations beyond the minimum legal thresholds.

6. Transaction Monitoring

6.1. The Company conducts transaction monitoring both in real time (screening) and after execution (monitoring) to detect unusual, high-risk, or suspicious activity. Transaction monitoring is applied to all Clients with an established business relationship, except for one-off transactions that do not exceed EUR 1,000 over the lifetime of the Client.

6.2. Screening

6.2.1. The Company screens transactions at onboarding and throughout the business relationship using automated tools and manual checks by the AML Officer. Screening includes:

• detection of transactions above defined thresholds;
• identification of unusual patterns and sanctions/PEP exposure;
• risk scoring of Crypto-asset wallets (incoming/outgoing).

6.2.2. Transactions involving high-risk wallets or exceeding thresholds require manual approval and may trigger additional due diligence measures such as origin of funds inquiries or EDD.

6.2.3. Screening is conducted in line with Wolfsberg principles and focuses on embargo/sanctions-related filtering.

6.3. Monitoring

6.3.1. Transaction monitoring involves post-execution review to detect:

• deviations from expected transaction behavior based on the Client's risk profile, services used, and historical activity;
• patterns consistent with ML/TF typologies;
• unusual transaction characteristics (e.g., volume spikes, frequent wallet changes, shared service providers).

6.3.2. Clients are checked weekly against applicable checklists (e.g., sanctions). Responsible Employees report concerns to the AML Officer and suspend transactions until further instruction.

6.4. Oversight and Review

6.4.1. The AML Officer conducts monthly oversight to confirm that monitoring is performed adequately by employees, no complex or atypical transactions exist without legitimate purpose.

6.4.2. Periodic Client reviews are performed based on risk, considering transaction history and profile changes. Where necessary, the Company verifies the origin and source of funds, especially when:

• transactions diverge from known Client behavior;
• thresholds are exceeded;
• transactions appear complex, unusual, or economically unjustified;
• there are ML/TF suspicions.

6.4.3. Upon termination of the business relationship, the Company ceases transaction monitoring obligations.

7. Suspicious Transaction Reporting

7.1. The Company monitors transactions to detect whether there are reasonable grounds to suspect (hereinafter referred to as the “RGS”) that a transaction may be related to ML/TF. Suspicion is based on facts and contextual information, including transaction details, Client behavior, business background, and KYC data.

7.2. Upon detection of suspicious activity, the responsible employee promptly notifies the Company’s designated contact person. The contact person must prepare a written report containing all available information, including:

• Company and Client identifiers;
• details of the transaction and all involved parties;
• a detailed description of the subject matter and circumstances of the suspicious transaction;
• an indication of the case where the notification also concerns assets subject to international sanctions;
• whether and when the transaction was carried out or postponed, or the reason why it was or was not carried out;
• contact information.

7.3. The Suspicious Transaction Reporting (hereinafter referred to as the “STR”) is submitted to the FAO without undue delay, and no later than 2 business days after suspicion is confirmed. If a delay poses risk, the Company reports immediately, even if not all data is available, with subsequent completion.

7.4. The preferred filing method is via the FAO’s MoneyWeb platform. If necessary, reports may be submitted via data box or delivered in person. The Company maintains a register of all STRs submitted.

7.5. We strictly adhere to confidentiality requirements, including non-disclosure to Clients involved in reported activities. All reports are securely documented, and appropriate cooperation is extended to regulatory and law enforcement authorities as part of ongoing investigations or audits.

8. Suspicious Activity Reporting

8.1. The Company is committed to identifying and reporting suspicious activities in accordance with the AML Act and the obligations established by the FAO. If the Company suspects that a transaction or Client behavior may be related to ML or TF, it will act swiftly and report the matter as required.

9. Refusal of Business Relationship or Transaction

9.1. The Company reserves the right to refuse or terminate any transaction or business relationship where legal and regulatory requirements cannot be fulfilled. In particular, services will not be provided if:

• The Client is subject to sanctions or poses a high ML/TF risk.
• The Client provides incomplete, incorrect, or insufficient information.
• The Client fails or refuses to verify their identity or disclose the beneficial owner.
• There are grounds to suspect ML or TF.

9.2. Such decisions are based on the Client’s risk profile and in accordance with the Company’s Risk Appetite Statement. Where appropriate, the Company may report the matter to the FAO.

10. Compliance with the Travel Rule

10.1. The Company acknowledges its responsibility to support transparency in Crypto-asset transfers and combat illicit activities by collecting, verifying, and transmitting required information about originators and beneficiaries in accordance with Regulation (EU) 2023/1113 on the transfer of funds and crypto-assets (hereinafter referred to as the “Travel Rule”), global standards such as the FATF Recommendation 16 and AML Act. The Company may use third-party software solutions or technical providers to facilitate compliance with Travel Rule requirements if necessary.

10.2. Although the Company does not carry out direct transfers of Crypto-assets, it operates through Supported Exchanges that comply with the Travel Rule and other AML/CFT requirements. The Company does not cooperate with platforms or service providers that fail to comply with applicable EU and Czech legal standards. Although the Company does not execute Crypto-asset transfers directly due to its business model, it uses Supported Exchanges to perform such transfers.

10.3. The Company collects the necessary information about originators and beneficiaries during the KYC onboarding process to ensure that it can transmit this data to its Supported Exchanges in compliance with the Travel Rule. All Travel Rule responsibilities lie with the Supported Exchanges, which are required to ensure compliance independently.

10.4. The Company reserves the right to request any other information about the originator and beneficiary of the Crypto-asset transfer in addition to the categories described below, for the purpose of preventing money laundering and terrorist financing.

10.5. The Company collects information during the KYC onboarding process and ensures it is verified for accuracy. The data is securely stored and transmitted to Supported Exchanges to enable compliance with Travel Rule obligations.

10.6. All Travel Rule-related records are retained for a minimum period of five (5) years in accordance with Czech legal requirements.

10.7. Transactions from or to CASPs/VASPs:

Where the Company’s Clients send or receive Crypto-assets to or from CASPs/VASPs, the Company collects the following information:

10.7.1. Information about the Originator:

The Company will request the following information from its Client if the Client or a third party on the Client's side is going to be the originator of the Crypto-asset transfer with the Company:

• the full name of the originator;
• the originator’s distributed ledger address;
• the originator’s crypto-asset account number in the originator’s CASP/VASP system, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology;
• the originator’s address, including:
• the name of the country;
• official personal document number;
• client identification number; and
• date and place of birth.

10.7.2. Information about the Beneficiary:

The Company will request the following information from its Client if the Client or a third party on the Client's side is going to be the beneficiary of the crypto-asset transfer with the Company:

• the full name of the beneficiary;
• the beneficiary’s distributed ledger address;
• the beneficiary’s crypto-asset account number in the originator's CASP/VASP system, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology.

10.8. Transactions from or to self-hosted wallets:

Transactions involving self-hosted wallets require additional measures to verify compliance with Travel Rule requirements. The following measures have been implemented to comply with Travel Rule requirements.

10.8.1. Information about the Originator:

The Company will request the following information from its Client if the Client or a third party on the Client's side is going to be the originator of the Crypto-asset transfer with the Company:

• the full name of the originator;
• the originator’s distributed ledger address;
• the originator’s address, including:
• the name of the country;
• official personal document number;
• client identification number; and
• date and place of birth.

10.8.2. Information about the Beneficiary

The Company will request the following information from its Client if the Client or a third party on the Client's side is going to be the beneficiary of the Crypto-asset transfer with the Company:

• the full name of the beneficiary;
• the beneficiary’s distributed ledger address.

10.8.3. Control Over Wallet

Given that the Company only accepts transactions exceeding €10,000, additional measures are implemented to confirm ownership and control of self-hosted wallets. These measures may include:

• Requiring the originator or beneficiary to provide a cryptographic signature as proof of control.
• Requesting a test transaction from the self-hosted wallet;
• Integration with third-party wallet verification APIs to validate ownership;

The Company may otherwise verify control over the self-hosted wallet. If the originator or beneficiary fails to provide sufficient proof of control, the Company reserves the right to reject the transaction and refuse further services.

11. Confidentiality

11.1. All employees, officers, and designated contact persons are bound by a duty of confidentiality concerning any information related to STR, activities of the FAO, and the fulfilment of AML/CFT obligations. This duty remains in force even after the termination of employment, contractual relationship, or cessation of AML-related activities.

11.2. Confidential information may only be disclosed in exceptional cases under Article 39 of the AML Act. Any external request for such information must be referred to the senior manager, who shall determine whether disclosure is permissible and to what extent.

11.3. If requested by the FAO, the designated contact person must provide the required information without undue delay. This includes transaction details, supporting documentation, and identification data, which may be submitted in written, electronic, or archived form. All employees are obliged to assist the contact person in meeting this legal duty.

11.4. The Company ensures that all confidential information is securely stored, access is restricted to authorized staff only, and internal procedures prevent unauthorized disclosure in any form.

12. Client Responsibilities

12.1. Clients are expected to cooperate fully with the Company’s AML/CFT procedures. This includes providing accurate, complete, and timely information upon request and promptly updating any relevant data.

12.2. Failure to comply with these obligations may result in refusal to establish or continuation of the business relationship, delayed transactions, or termination of services, in accordance with applicable laws and internal risk-based assessments.

13. Record-Keeping

13.1. The Company stores and maintains comprehensive records of all Client identification data, transaction history, risk assessments, AML compliance actions, and internal registers (including STRs, postponed transactions, and risk classifications). These records are retained for a minimum period of ten (10) years in accordance with AML Act and applicable EU regulations.

13.2. The Company also maintains all data and documents related to the identification obligation and related transactions for ten (10) years following the termination of the business relationship or the execution of the last transaction known to the Company, whichever occurs later. The retention period starts on the first day of the calendar month following the calendar month in which the respective event occurred.

13.3. All records are securely stored in either digital or physical form, with strict access controls, encryption, and regular backups to ensure confidentiality, integrity, and availability. The storage is carried out in a manner and to an extent that enables full traceability of individual transactions and the AML procedures associated with them.

13.4. Upon lawful request, the Company shall make all relevant records and documentation available to competent authorities without undue delay and in a format and language understandable to both internal staff and supervisory bodies. Upon expiry of the retention period, the Company’s competent employee ensures that the data are deleted and the documents securely destroyed, unless otherwise required by applicable law or for the purpose of ongoing legal or regulatory proceedings.

13.5. As part of its compliance framework, the Company regularly reviews the effectiveness of its AML/CFT procedures and risk management practices.

14. Staff Training

14.1. We provide regular and role-specific training to all employees to ensure a strong understanding of AML/CFT obligations. Our training program reflects applicable Czech and international laws, including the AML Act, and is tailored to each employee’s responsibilities and risk exposure.

14.2. Employees are trained to:

• Recognize suspicious activities and red flags.
• Apply internal procedures effectively in daily operations.
• Handle sensitive data with confidentiality and care.

14.3. Training is delivered at least once a year or prior to appointment to a relevant position and is continuously updated to reflect regulatory changes and emerging financial crime risks.

15. Changes to this Policy

15.1. We reserve the right to revise, update, or modify this Policy at any time to reflect changes in applicable legislation, regulatory requirements, technological advancements, or adjustments to the functionality of our Website and services.

15.2. The new version of this Policy takes effect three (3) days after the new version of the relevant documents is posted on the Service.

15.3. Clients agree to periodically review this Policy to stay informed about how the Service protects their information.

15.4. If the Website or services make any changes to this Policy that the Client does not agree with, the Client must stop using the services.

15.5. Continuing to use the Website confirms the Client's consent and acceptance of the new version of this Policy.

15.6. The Website is not responsible for any damages or losses incurred by the Client or third parties resulting from the Client's misunderstanding or failure to understand the terms of this Policy, instructions, or guidelines on how to use the Website and other technical issues.

16. Other Conditions

16.1. If any provision of this Policy, including any proposal, clause, or part thereof, is found to be contrary to law or invalid, the other provisions not contrary to law shall remain in force and valid, and any invalid or unenforceable provision shall be deemed amended, modified to the extent necessary to ensure its validity and enforceability.

16.2. The Client may contact the Service electronically using the tools available on the Service or via the support email address: [email protected]. Any electronic message is considered delivered once We confirm its receipt. We will make reasonable efforts to respond to Your request in a timely and appropriate manner, in accordance with applicable data protection laws.