Last updated on 11 September 2025

Anti-Money Laundering and Counter-Terrorist Financing Policy

1. General Provisions

1.1. This Anti-Money Laundering and Counter-Terrorist Financing Policy (hereinafter referred to as the “Policy”) outlines the commitment of AEXchanger Service (hereinafter referred to as the “Service”, “We”, or “Us”) to the prevention of money laundering (hereinafter referred to as the “ML”) and terrorist financing (hereinafter referred to as the “TF”).

1.2. The EX Rock s.r.o. (hereinafter referred to as the “Company”) operates the online platform AEXchanger Service accessible at https://aexchanger.com (hereinafter referred to as the “Website”).

1.3. As an obligated entity under Act № 253/2008 Coll. on Selected Measures Against Legitimisation of Proceeds of Crime and Financing of Terrorism (hereinafter referred to as the “AML Act”), the Company ensures strict adherence to all applicable Czech laws, European Union (hereinafter referred to as the “EU”) regulations, and international AML/CFT standards, including the Financial Action Task Force (hereinafter referred to as the “FATF”) Recommendations and guidance from the Financial Analytical Office (hereinafter referred to as the “FAO”).

1.4. This Policy is designed to ensure regulatory compliance, protect our Clients and operations from financial crime risks, and promote a strong culture of integrity and compliance throughout the Company.

1.5. The objectives of this Policy are:

  • To ensure that the Company has robust mechanisms in place for the identification, verification, monitoring, and reporting of Clients and Merchants following applicable AML/CFT legislation;
  • To establish clear and enforceable standards of conduct for Merchants, requiring them to cooperate with the Company’s procedures, provide accurate and complete information, refrain from prohibited or high-risk activities, and implement appropriate internal AML/CFT measures;
  • To protect the integrity of the Company’s Services, maintain trust with regulators, and contribute to the broader international effort to combat financial crime and terrorism financing.

2. Definitions

AEXchanger Service: an online Platform providing a Service for the exchange of Crypto-assets for funds, as well as for other Crypto-assets, which also enables the transfer of Crypto-assets on behalf of Clients. The Service is owned by the Company.

Crypto acquiring: a Merchant service that enables Merchants to accept Crypto-assets as payment for goods or services.

Client: Any individual or legal person who wishes to use the Company's Services and accepts our Client Agreement.

Company: EX Rock s.r.o., commercial company, ID number 193 14 850, with a registered office at Roháčova 145/14, Žižkov, 130 00 Prague 3, Czech Republic, registered by the Municipal Court in Prague, Section C, Insert 384567.

Anti-money laundering (hereinafter referred to as the “AML”): a set of activities, procedures and regulations designed to prevent criminal activities related to ML.

Financial Analytical Office (hereinafter referred to as the “FAO”): the Financial Intelligence Unit of the Czech Republic responsible for receiving and analyzing reports of suspicious activities under the AML Act.

High-Risk Third Country: a country which, on the basis of a directly applicable regulation of the European Union or for other substantiated reasons, should be considered high-risk. This includes jurisdictions identified by the European Commission as having strategic deficiencies in their AML/CFT regimes, countries listed by the Financial Action Task Force (hereinafter referred to as the “FATF”) as “High-Risk Jurisdictions subject to a Call for Action”, jurisdictions designated as supporting terrorism pursuant to resolutions of the Chamber of Deputies of the Parliament of the Czech Republic, statements of the European Parliament, or other relevant competent authorities, as well as any country that the Company, following its own risk assessment, determines to present a high risk of money laundering or terrorist financing.

Know Your Customer (hereinafter referred to as the “KYC”): a process of identifying and verifying the identity of the Client, beneficial owner, and person acting on behalf of the Client, understanding the purpose and intended nature of the business relationship, monitoring ongoing transactions, and ensuring compliance with legislative obligations.

Money Laundering (hereinafter referred to as the “ML”): the process of concealing the illicit origin of assets derived from criminal activity, including conversion, transfer, concealment, acquisition, or use of such assets.

Occasional transaction: a transaction which is not performed under business relationships.

Politically Exposed Person (hereinafter referred to as the “PEP”): an individual who is or has been entrusted with a prominent public function, including their close associates and family members, as defined in the AML Act.

Restricted Countries: countries or jurisdictions where the Company does not provide its Services due to applicable sanctions, AML/CFT risks, or legal prohibitions. The list of Restricted Countries is maintained and updated in accordance with international sanctions and high-risk third-country lists.

Screening: the process of verifying Clients and transactions against applicable sanctions lists, PEP databases, and other watchlists to prevent engagement with prohibited or high-risk parties.

Buyers: individuals that wish to pay for the seller's or Merchant’s goods or services in crypto-assets.

Sellers: individuals that use the AEXchanger Platform to accept payments in crypto-assets from their buyers.

Originator: a person that holds a crypto-asset account with a crypto-asset service provider, a distributed ledger address or a device allowing the storage of crypto-assets, and allows a transfer of crypto-assets from that account, distributed ledger address, or device, or, where there is no such account, distributed ledger address, or device, a person that orders or initiates a transfer of crypto-assets.

Terrorist Financing: the provision or collection of funds intended to support terrorist acts, individuals, groups, or organizations, as defined in the AML Act.

Website: the Company’s official Website, accessible at https://aexchanger.com/, which serves as the primary source for publishing information about the Services, legal documentation, public communications, contact information, and any official Offers.

3. Client Due Diligence

3.1. The Company implements a risk-based Customer Due Diligence (hereinafter referred to as the “CDD”) framework in accordance with the AML Act, EU legislation, and international standards.

3.2. CDD is applied prior to establishing any business relationship or executing a transaction, with continuous monitoring throughout the duration of the relationship. The Company does not permit anonymous accounts or occasional transactions and does not exempt any Client from due diligence obligations.

3.3. Simplified due diligence (hereinafter referred to as the “SDD”) is currently not applied by the Company to any Clients, whether individuals or legal entities. Given the risk profile of crypto-asset services and supervisory expectations, all Clients are subject to at least regular due diligence (hereinafter referred to as the “RDD”), with enhanced due diligence (hereinafter referred to as the “EDD”) applied whenever higher risk indicators are identified. The Company reserves the right to review this approach after obtaining a CASP license and, if consistent with applicable law and supervisory practice, may consider applying SDD to certain low-risk categories of Clients in the future.

3.4. Regular due diligence (hereinafter referred to as the “RDD”) is the default approach and includes verification of the Client’s identity, UBO structure, source of funds, business activity, and transaction purpose. The Company assesses the connection to high-risk jurisdictions and ensures that all data is sufficient for ongoing monitoring and detection of suspicious patterns.

3.5. Enhanced due diligence (hereinafter referred to as the “EDD”) is mandatory in high-risk cases, especially when the Client or transaction involves a high-risk third country or meets risk triggers defined by the AML Act. EDD requires obtaining additional information on the Client and the UBO, verifying documents through reliable sources, closely monitoring the relationship, and involving senior management in approval processes. The Company may impose additional control measures, including transaction limits or payment restrictions, to mitigate elevated risks.

3.6. The Company may impose further requirements to ensure that the Merchant’s processes meet the Company’s risk management and regulatory obligations.

4. Client Identification

4.1. The Company is dedicated to maintaining the highest standards of integrity and regulatory compliance in accordance with AML regulations. Client identification plays a fundamental role in the Company’s risk management framework, ensuring that robust KYC measures are in place to prevent financial crimes, money laundering, and terrorist financing.

4.2. In an increasingly interconnected financial landscape, where illicit activities pose a significant threat, effective Client identification is essential. The Company’s commitment to transparency, accountability, and compliance is reflected in its stringent KYC procedures, which are designed to create a secure Client environment and mitigate risks associated with fraudulent financial activities.

4.3. To ensure accurate and reliable Client verification, the Company employs structured identification processes, including:

A. Use of third-party KYC providers – the Company may leverage external KYC providers and verification software to enhance the accuracy and efficiency of the identification process.

B. Identity verification of Client and beneficial owners – the verification process includes confirming the identity of Clients, authorized representatives, and beneficial owners based on:

a. official identity documents (e.g., passports, national ID cards, or other government-issued identification);

b. valid registration extracts from official business or corporate registers;

c. reliable and independent data sources that provide authenticated and verifiable information.

4.A. Identification of Natural Person

All Clients-natural persons are required to undergo a mandatory CDD process. The Company does not make exceptions for passing CDD checks regardless of the amount of the transaction.

KYC is divided into 3 levels, so that:

A. KYC level 1 and KYC level 2 correspond to RDD.

B. KYC level 3 corresponds to EDD.

Required documentation by KYC level:

KYC level 1 (up to EUR 15,000)

The Company must obtain and record the following information from Clients-natural persons when applying KYC level 1 measures:

A. the Client's full name;
B. the Client's birth number; and
C. if not assigned, the Client's date of birth and gender;
D. the Client's place of birth;
E. the Client's countries of origin, meaning each state of which the Client is a national, or in which the Client is registered for permanent or other residence, or in which the Client has resided for more than one year (if more than one country meets the above criteria, all such countries must be obtained and recorded);
F. the Client's number and type of ID, the State or, where applicable, the authority which issued the ID and the period of its validity;
G. the Client's telephone number;
H. the Client's email address;
I. the Client's confirmation that the Client is not a PEP or a family member or close associate of a PEP;
J. information about the purpose of the business relationship that is collected in the questionnaire;
K. type of the intended transaction;
L. total transaction value expressed in EUR;
M. general information on the Client's source of wealth;
N. in the case of a natural person engaged in business in the Czech Republic:
   a. the Client's business name;
   b. distinctive supplement or other designation;
   c. registered office;
   d. personal identification number.

To identify and verify the above information, the Company may require the following:

A. the Client's phone number confirmation;
B. the Client's email address confirmation;
C. the Client's photo of a valid document confirming the identity of the person (a passport, driver's licence, ID card, etc.);
D. the Client's liveness selfie.

KYC level 2 (from EUR 15,000 to EUR 100,000)

The Company must obtain and record the following information from Clients-natural persons when applying KYC level 2 measures:

A. all information and documents in KYC level 1;
B. where deemed appropriate by the Company as part of its risk-based approach, additional information such as proof of address, which may include the Client’s full name, residential address (country, city, street, house number, zip code) and the date of issuance (documents must not be older than three months).

To identify and verify the above information, the Company may request documents serving as proof of address, such as financial statements, utility bills, tenancy agreements, or similar documents, provided that they are not older than three months.

KYC level 3 (from EUR 100,000)

When the Company assesses that, based on its risk evaluation, natural persons present an elevated risk level, the Company will undertake EDD. During this process, the Company will seek and validate additional information deemed relevant for the particular natural person.

As part of the Level 3 KYC, the Company must obtain the following information:

A. all information and documents in KYC level 2;
B. proof of source of wealth (SoW);
C. proof of source of funds (SoF).

The Company may request any additional document for the identification and verification of its Clients if it considers that Clients may pose any AML/CFT risks in the Company's assessment. Clients-natural persons are not allowed to have representatives.

The identification and verification of Clients are conducted exclusively through a third-party KYC provider - AllPass. This process includes, inter alia, the collection of a copy of the identification document and a liveness check. This method constitutes the sole and standard approach to Client due diligence applied by the Company.

However, in specific cases, where it is required by applicable law or solely at the discretion of the Company, alternative methods of Client identification may be applied in accordance with the Company’s internal AML procedures and applicable legislation. These methods may include, but are not limited to:

A. Electronic identification (eID): applicable to natural persons, the Company may utilize electronic identification tools with a level of assurance corresponding to "substantial" or "high", as defined in Regulation (EU) No 910/2014 (eIDAS Regulation), where deemed appropriate.

B. Bank identity (BankID): applicable to natural persons and representatives of legal persons. Identification via BankID may be used in accordance with national legal requirements for remote identification, if the Company considers it necessary in a particular case.

C. Provision of another supporting document: the Company may, at its discretion, request the Client to provide a second identification document for verification purposes. The second document must not duplicate the primary one and may include, for example: a national passport, an international (foreign) passport, an ID card, or a valid driver’s licence. Acceptable combinations may include, for instance, a passport and a driver’s licence.

D. Verification via initial transaction: the Company may verify Client identity by requesting an initial bank transaction from the Client, provided that:

a. the payment includes a reference message specifying the purpose of the transaction, the Company’s legal name, and the full name of the Client (natural person);

b. the payment is executed from a bank account held in the name of the Client with a credit institution established in a jurisdiction not classified as high-risk (with preference for jurisdictions within the EU/EEA);

c. a risk assessment pursuant to Article 21a of the AML Act has been conducted and the Client or product is not classified as high-risk.

The total value of a transaction is determined by the value of the assets involved (such as fiat currency, Crypto-assets) provided by the Client for the transaction, expressed in EUR, including any fees or commissions charged.

If a transaction consists of Crypto-assets or other assets instead of fiat currency, the value of the transaction is determined by the current market value of these assets at the time of the transaction. If the purchase or sale price of the assets is higher than their current market value, the higher price becomes the transaction value.

In case the transaction involves a fiat currency other than EUR, its value will be converted into EUR (using the official daily exchange rate published by the European Central Bank).

If personnel are aware that business transactions are related, the value of the transactions will be the sum of their values. Despite being registered individually, the obligation under this Policy must be fulfilled as if it were a single transaction with a value equal to the sum of related transactions.

Employees are strictly prohibited from dividing transactions into transactions with lower values without proper justification. Only if the Client requests such division for valid reasons, such as for accounting purposes, can the transaction be divided, but in such cases, they must always be considered as related transactions.

If more than one person is involved in a transaction, each of them is considered a Client, and the obligations under this Policy must be fulfilled for each person, regardless of their share in the transaction amount.

The Client is required to provide personnel with all the necessary information to fulfill their obligations, including presenting relevant identification documents.

Additionally, personnel may obtain and retain copies of identity cards to comply with their obligations, provided that the authorized holder agrees to it.

4.B. Identification of Legal Entity and Merchant

For legal entity Clients, the Company has developed a single verification procedure. The Company must obtain and record the following information:

A. the Client's full legal name (business name or name including a distinctive addition or further designation);

B. the Client's organizational form;

C. the Client's address of the registered office or address of pursuing the activity;

D. the Client's Czech tax identification number, if applicable;

E. in the case of a lack of the tax identification number:

a. the state of registration;

b. the name of the relevant commercial register;

c. the number of registration;

d. the date of registration.

F. the Client's principal place of business and the type of business engaged in;

G. the ownership and control structure of the legal person, including direct and indirect ownership;

H. the Client's website, if applicable;

I. the license availability, if applicable;

J. the AML policies, if applicable.

To identify and verify the above information, the Company may require the following:

A. the proof of the legal existence of the legal entity:

a. Certificate of Incorporation;

b. Share Certificates/Shareholders Register;

c. Memorandum of Association;

d. Articles of Association.

B. the proof of the legal entity’s registered address and office:

a. utility bill (e.g. electricity, water, phone) (not older than 3 months);

b. tenancy contract/purchase agreement.

C. the proof of source of funds or wealth:

a. bank statements;

b. invoice and payment records.

Outside of identifying and verifying that a legal entity exists, the Company must, where applicable, also verify information in relation to the legal entity’s beneficial owners, directors, and representatives of the legal entity. Relevant documentation the Company must obtain includes:

A. Register of Directors, Register of Partners, or similar documents;

B. Register of Shareholders or other similar documents.

Where the Company decides that from its risk assessment, a legal entity presents a higher level of risk, the Company shall obtain and verify additional information as the Company considers relevant with respect to the legal entity.

Upon successful completion of the KYC process, a questionnaire is dispatched to the Client's representative. The questionnaire is completed using the platform of our KYC provider.

Merchants will undergo the same verification process as legal entities.

The Company may also request other data from Merchants, as specified by our third party provider AllPass.

The Company may impose further requirements to ensure that the Merchant’s processes meet the Company’s risk management and regulatory obligations.

4.C. Identification of Beneficial Owner(s), Directors and Client’s Representative

The Company must obtain information for all beneficial owner(s), director(s), and Client’s representative(s).

The Company takes reasonable measures to verify their identity and collect the following data:

A. for Client’s representative(s), director(s), and in the case of the beneficial owner(s) is being a natu...

5. Restrictions on Service Provision

5.1. The Company does not provide services to Clients who are citizens or residents of the United States of America or any jurisdiction where crypto-related services are restricted or prohibited by local laws.

5.2. The Company does not provide services to Clients from the Restricted Countries.

5.3. The Company does not provide services to Clients who are subject to international sanctions or are associated with sanctioned entities.

5.4. The Company does not provide services to Clients from the High-Risk Third Countries, including: Afghanistan, Albania, Algeria, Angola, Armenia, Azerbaijan, Bangladesh, Belarus, Benin, Bolivia, Botswana, Burkina Faso, Burundi, Cambodia, Cameroon, Cape Verde, Central African Republic, Chad, Colombia, Comoros, Congo (Brazzaville), Congo (Kinshasa), Cote d’Ivoire, Crimea, Cuba, Democratic People's Republic of Korea (North Korea), Djibouti, Dominican Republic, Ecuador, Egypt, Equatorial Guinea, Eritrea, Eswatini, Ethiopia, Gabon, Guatemala, Guinea, Guinea-Bissau, Haiti, Honduras, Iran, Iraq, Kosovo, Kyrgyzstan, Lebanon, Libya, Madagascar, Mali, Myanmar (Burma), Non-government controlled areas of Donetsk, Luhansk, Kherson, and Zaporizhzhia regions (Ukraine), Nicaragua, Niger, North Korea (DPRK), Pakistan, Palestine, Paraguay, Republic of Artsakh, Russia, Somalia, South Ossetia, South Sudan, Sudan, Syria, Tajikistan, Transnistria, Tunisia, Turkmenistan, Venezuela, Yemen, Zimbabwe.

5.5. Additionally, the Company does not accept Clients from countries requiring a local service license for crypto-related activities.

5.6. The Company implements the following key measures:

  • Screening all Clients and transactions against relevant sanctions lists before onboarding and during the business relationship.
  • Blocking or rejecting any transaction or relationship that violates or may violate applicable sanctions laws.
  • Investigating and reporting suspicious attempts to circumvent sanctions.
  • Adhering to regulatory reporting obligations regarding any sanctions breaches.
  • Refusing services based on ethical, reputational, or geopolitical considerations beyond the minimum legal thresholds.

6. Transaction Monitoring

6.1. Screening

6.1.1. The Company screens transactions at onboarding and throughout the business relationship using automated tools and manual checks by the AML Officer. Screening includes:

  • detection of transactions above defined thresholds;
  • identification of unusual patterns and sanctions/PEP exposure;
  • risk scoring of Crypto-asset wallets (incoming/outgoing).

6.1.2. Transactions involving high-risk wallets or exceeding thresholds require manual approval and may trigger additional due diligence measures such as origin of funds inquiries or EDD.

6.1.3. Screening is conducted in line with Wolfsberg principles and focuses on embargo/sanctions-related filtering.

6.2. Monitoring

6.2.1. Transaction monitoring involves post-execution review to detect:

  • deviations from expected transaction behavior based on the Client's risk profile, services used, and historical activity;
  • patterns consistent with ML/TF typologies;
  • unusual transaction characteristics (e.g., volume spikes, frequent wallet changes, shared service providers).

6.2.2. Clients are checked weekly against applicable checklists (e.g., sanctions). Responsible Employees report concerns to the AML Officer and suspend transactions until further instruction.

6.3. Oversight and Review

6.3.1. The AML Officer conducts monthly oversight to confirm that monitoring is performed adequately by employees and that no complex or atypical transactions exist without legitimate purpose.

6.3.2. Periodic Client reviews are performed based on risk, considering transaction history and profile changes. Where necessary, the Company verifies the origin and source of funds, especially when:

  • transactions diverge from known Client behavior;
  • thresholds are exceeded;
  • transactions appear complex, unusual, or economically unjustified;
  • there are ML/TF suspicions.

6.3.3. Upon termination of the business relationship, the Company ceases transaction monitoring obligations.

7. Suspicious Transaction Reporting

7.1. The Company monitors transactions to detect whether there are reasonable grounds to suspect (hereinafter referred to as the “RGS”) that a transaction may be related to ML/TF. Suspicion is based on facts and contextual information, including transaction details, Client behavior, business background, and KYC data.

7.2. Upon detection of suspicious activity, the responsible employee promptly notifies the Company’s designated contact person. The contact person must prepare a written report containing all available information, including:

  • Company and Client identifiers;
  • details of the transaction and all involved parties;
  • a detailed description of the subject matter and circumstances of the suspicious transaction;
  • an indication of the case where the notification also concerns assets subject to international sanctions;
  • whether and when the transaction was carried out or postponed, or the reason why it was or was not carried out;
  • contact information.

7.3. The Suspicious Transaction Reporting (hereinafter referred to as the “STR”) is submitted to the FAO without undue delay, and no later than 2 business days after suspicion is confirmed. If a delay poses risk, the Company reports immediately, even if not all data is available, with subsequent completion.

7.4. The preferred filing method is via the FAO’s MoneyWeb platform. If necessary, reports may be submitted via data box or delivered in person. The Company maintains a register of all STRs submitted.

7.5. We strictly adhere to confidentiality requirements, including non-disclosure to Clients involved in reported activities. All reports are securely documented, and appropriate cooperation is extended to regulatory and law enforcement authorities as part of ongoing investigations or audits.

8. Suspicious Activity Reporting

8.1. The Company is committed to identifying and reporting suspicious activities in accordance with the AML Act and the obligations established by the FAO. If the Company suspects that a transaction or Client behavior may be related to ML or TF, it will act swiftly and report the matter as required.

9. Refusal of Business Relationship or Transaction

9.1. The Company reserves the right to refuse or terminate any transaction or business relationship where legal and regulatory requirements cannot be fulfilled. In particular, services will not be provided if:

  • The Client is subject to sanctions or poses a high ML/TF risk.
  • The Client provides incomplete, incorrect, or insufficient information.
  • The Client fails or refuses to verify their identity or disclose the beneficial owner.
  • There are grounds to suspect ML or TF.

9.2. Such decisions are based on the Client’s risk profile and in accordance with the Company’s Risk Appetite Statement. Where appropriate, the Company may report the matter to the FAO.

10. Compliance with the Travel Rule

10.1. The Company acknowledges its responsibility to support transparency in Crypto-asset transfers and combat illicit activities by collecting, verifying, and transmitting required information about originators and beneficiaries in accordance with Regulation (EU) 2023/1113 on the transfer of funds and crypto-assets (hereinafter referred to as the “Travel Rule”), global standards such as the FATF Recommendation 16, and the AML Act. The Company may use third-party software solutions or technical providers to facilitate compliance with Travel Rule requirements if necessary.

10.2. Due to its business model, the Company does not carry out direct transfers of Crypto-assets; it operates through Supported Exchanges that comply with the Travel Rule and other AML/CFT requirements, and uses them to perform such transfers. The Company does not cooperate with platforms or service providers that fail to comply with applicable EU and Czech legal standards.

10.3. The Company collects the necessary information about originators and beneficiaries during the KYC onboarding process to ensure that it can transmit this data to its Supported Exchanges in compliance with the Travel Rule. All Travel Rule responsibilities lie with the Supported Exchanges, which are required to ensure compliance independently.

10.4. The Company reserves the right to request any other information about the originator and beneficiary of the Crypto-asset transfer in addition to the categories described below, for the purpose of preventing money laundering and terrorist financing.

10.5. The Company collects information during the KYC onboarding process and ensures it is verified for accuracy. The data is securely stored and transmitted to Supported Exchanges to enable compliance with Travel Rule obligations.

10.6. All Travel Rule-related records are retained for a minimum period of five (5) years in accordance with Czech legal requirements.

10.7. Transactions from or to CASPs/VASPs:

Where the Company’s Clients send or receive Crypto-assets to or from CASPs/VASPs, the Company collects the following information:

10.7.1. Information about the Originator:

The Company will request the following information from its Client if the Client or a third party on the Client's side is going to be the originator of the Crypto-asset transfer with the Company:

  • the full name of the originator;
  • the originator’s distributed ledger address;
  • the originator’s crypto-asset account number in the originator’s CASP/VASP system, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology;
  • the originator’s address, including:
      • the name of the country;
      • official personal document number;
      • client identification number; and
      • date and place of birth.

10.7.2. Information about the Beneficiary:

The Company will request the following information from its Client if the Client or a third party on the Client's side is going to be the beneficiary of the crypto-asset transfer with the Company:

  • the full name of the beneficiary;
  • the beneficiary’s distributed ledger address;
  • the beneficiary’s crypto-asset account number in the originator's CASP/VASP system, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology.

10.8. Transactions from or to self-hosted wallets:

Transactions involving self-hosted wallets require additional measures to verify compliance with Travel Rule requirements. The Company has implemented the following measures for this purpose.

10.8.1. Information about the Originator:

The Company will request the following information from its Client if the Client or a third party on the Client's side is going to be the originator of the Crypto-asset transfer with the Company:

  • the full name of the originator;
  • the originator’s distributed ledger address;
  • the originator’s address, including:
  • the name of the country;
  • official personal document number;
  • client identification number; and
  • date and place of birth.

10.8.2. Information about the Beneficiary:

The Company will request the following information from its Client if the Client or a third party on the Client's side is going to be the beneficiary of the Crypto-asset transfer with the Company:

  • the full name of the beneficiary;
  • the beneficiary’s distributed ledger address.

10.8.3. Control Over Wallet

Given that the Company only accepts transactions exceeding €10,000, additional measures are implemented to confirm ownership and control of self-hosted wallets. These measures may include:

  • Requiring the originator or beneficiary to provide a cryptographic signature as proof of control;
  • Requesting a test transaction from the self-hosted wallet;
  • Integration with third-party wallet verification APIs to validate ownership.

The Company may otherwise verify control over the self-hosted wallet. If the originator or beneficiary fails to provide sufficient proof of control, the Company reserves the right to reject the transaction and refuse further services.

11. Specific Obligations of Merchants

11.1. Obligations of Merchants

Merchants shall, at all times:

  • Fully cooperate with the Company’s KYC/CDD and AML/CFT processes;
  • Provide up-to-date corporate and ownership documentation, and relevant licenses;
  • Implement and maintain internal AML/CFT measures proportionate to their business;
  • Refrain from engaging in prohibited or unlawful activities;
  • Use the Company’s Platform exclusively for legitimate business purposes;
  • Provide the necessary legal and transactional information to maintain financial transparency;
  • Ensure that their Buyers are informed about the terms of crypto payments and, where applicable, assist them in completing verification procedures.

11.2. Obligations of Buyers

Buyers shall, at all times:

  • Complete verification and necessary checks to confirm the legitimacy of the source of funds;
  • Use the Platform exclusively within the framework of legitimate activities;
  • Promptly update any relevant data to maintain financial transparency;
  • Understand that failure to comply with these obligations may result in refusal to establish or continue the business relationship, delayed transactions, or termination of services, in accordance with applicable laws and internal risk-based assessments.

11.3. Obligations of the Company

The Company shall, at all times:

  • Provide uninterrupted access to the Platform and ensure the ability to make and receive payments in crypto-assets;
  • Ensure compliance with AML/CFT rules, including verification of crypto-asset transfer transactions and verification of the source of funds;
  • Maintain financial transparency in line with applicable legal and regulatory requirements;
  • Process crypto payments, including conversion to fiat currency and transfer to the Merchant or duly authorized third party, in accordance with Merchant instructions;
  • Withhold commissions for transactions in the amount agreed in advance with the Merchant and/or Buyer.

12. Process for Conducting Business Activities Outside of the Established Business Relationship

12.1. General Principle

12.1.1. The Company ensures that all business activities are conducted strictly within the framework of formally established and verified legal relationships. A fundamental principle of the Company is a “zero-tolerance policy” towards conducting any business outside of duly formalized legal relationships. This principle applies to all Clients, including Merchants and individual Sellers or Buyers, who are equally required to adhere to it.

12.1.2. The Company shall not process transactions or provide services to Clients who have not completed the onboarding process, including KYC, risk assessment, and due diligence. One-time, anonymous, or occasional transactions from individuals or entities that have not been formally onboarded are strictly prohibited. Any attempt to bypass the establishment of a business relationship will be denied and flagged for review.

12.2. Individuals (Sellers and Buyers)

12.2.1. The Company acts as an intermediary between Sellers and Buyers, providing technical and financial mechanisms for conducting transactions in crypto-assets. The Company is not a party to the relationship between the Seller and the Buyer but only provides the relevant payment infrastructure.

12.2.2. To pay for the Seller’s goods or services:

  • The Buyer must deposit the required amount of crypto-assets into their wallet.
  • The Buyer must confirm the legitimacy of the source of these crypto-assets to comply with legal requirements.

12.3. Compliance and Risk Control

12.3.1. Any attempt to conduct business outside of an approved or formally established relationship is subject to enhanced due diligence, review, and potential rejection. The Company reserves the right to terminate or deny services if a Client is found to be operating outside of an approved business relationship.

12.3.2. All interactions between the Company and individuals, including Sellers and Buyers, are governed by the Company’s User Agreement and Crypto Acquiring Agreement, ensuring that all transactions are compliant, transparent, and legally supported.

13. Confidentiality

13.1. All employees, officers, and designated contact persons are bound by a duty of confidentiality concerning any information related to STR, activities of the FAO, and the fulfilment of AML/CFT obligations. This duty remains in force even after the termination of employment, contractual relationship, or cessation of AML-related activities.

13.2. Confidential information may only be disclosed in exceptional cases under Article 39 of the AML Act. Any external request for such information must be referred to the senior manager, who shall determine whether disclosure is permissible and to what extent.

13.3. If requested by the FAO, the designated contact person must provide the required information without undue delay. This includes transaction details, supporting documentation, and identification data, which may be submitted in written, electronic, or archived form. All employees are obliged to assist the contact person in meeting this legal duty.

13.4. The Company ensures that all confidential information is securely stored, access is restricted to authorized staff only, and internal procedures prevent unauthorized disclosure in any form.

14. Client Responsibilities

14.1. Clients are expected to cooperate fully with the Company’s AML/CFT procedures. This includes providing accurate, complete, and timely information upon request and promptly updating any relevant data.

14.2. Failure to comply with these obligations may result in refusal to establish or continue the business relationship, delayed transactions, or termination of services, in accordance with applicable laws and internal risk-based assessments.

15. Record-Keeping

15.1. The Company stores and maintains comprehensive records of all Client identification data, transaction history, risk assessments, AML compliance actions, and internal registers (including STRs, postponed transactions, and risk classifications). These records are retained for a minimum period of ten (10) years in accordance with the AML Act and applicable EU regulations.

15.2. The Company also maintains all data and documents related to the identification obligation and related transactions for ten (10) years following the termination of the business relationship or the execution of the last transaction known to the Company, whichever occurs later. The retention period starts on the first day of the calendar month following the calendar month in which the respective event occurred.

15.3. All records are securely stored in either digital or physical form, with strict access controls, encryption, and regular backups to ensure confidentiality, integrity, and availability. The storage is carried out in a manner and to an extent that enables full traceability of individual transactions and the AML procedures associated with them.

15.4. Upon lawful request, the Company shall make all relevant records and documentation available to competent authorities without undue delay and in a format and language understandable to both internal staff and supervisory bodies. Upon expiry of the retention period, the Company’s competent employee ensures that the data are deleted and the documents securely destroyed, unless otherwise required by applicable law or for the purpose of ongoing legal or regulatory proceedings.

15.5. As part of its compliance framework, the Company regularly reviews the effectiveness of its AML/CFT procedures and risk management practices.

16. Staff Training

16.1. We provide regular and role-specific training to all employees to ensure a strong understanding of AML/CFT obligations. Our training program reflects applicable Czech and international laws, including the AML Act, and is tailored to each employee’s responsibilities and risk exposure.

16.2. Employees are trained to:

  • Recognize suspicious activities and red flags.
  • Apply internal procedures effectively in daily operations.
  • Handle sensitive data with confidentiality and care.

16.3. Training is delivered at least once a year or prior to appointment to a relevant position and is continuously updated to reflect regulatory changes and emerging financial crime risks.

17. Changes to this Policy

17.1. We reserve the right to revise, update, or modify this Policy at any time to reflect changes in applicable legislation, regulatory requirements, technological advancements, or adjustments to the functionality of our Website and services.

17.2. The new version of this Policy takes effect three (3) days after the new version of the relevant documents is posted on the Service.

17.3. Clients agree to periodically review this Policy to stay informed about how the Service protects their information.

17.4. If the Website or services make any changes to this Policy that the Client does not agree with, the Client must stop using the services.

17.5. Continuing to use the Website confirms the Client's consent and acceptance of the new version of this Policy.

17.6. The Website is not responsible for any damages or losses incurred by the Client or third parties resulting from the Client's misunderstanding or failure to understand the terms of this Policy, instructions, or guidelines on how to use the Website and other technical issues.

18. Other Conditions

18.1. If any provision of this Policy, including any proposal, clause, or part thereof, is found to be contrary to law or invalid, the other provisions not contrary to law shall remain in force and valid, and any invalid or unenforceable provision shall be deemed amended, modified to the extent necessary to ensure its validity and enforceability.

18.2. The Client may contact the Service electronically using the tools available on the Service or via the support E-mail address: [email protected]. Any electronic message is considered delivered once We confirm its receipt. We will make reasonable efforts to respond to Your request in a timely and appropriate manner, in accordance with applicable data protection laws.

Anti-Fraud Policy

Last updated on 11, August 2025

1. Introduction

AEXchanger is an online service providing exchange services of Crypto-assets for funds, as well as for other Crypto-assets, and providing Crypto-asset transfer services on behalf of Clients (hereinafter referred to as the “Services”).

The Service’s website is (hereinafter referred to as the “Website”). The Service is owned by EX Rock s.r.o., identification number 193 14 850, with a registered office at Roháčova 145/14, Žižkov, 130 00 Prague 3, Czech Republic, registered with the Municipal Court in Prague, Section C, Insert 384567 (hereinafter referred to as the “Company”).

This Anti-Fraud Policy (hereinafter referred to as the “Policy”) sets forth the Company’s framework for the prevention, detection, escalation, investigation, and reporting of fraud, covering both internal and external fraud risks related to the provision of Crypto-asset Services, Client interactions, and internal operations.

Fraud undermines trust, distorts financial operations, and exposes Clients and the Company to material risks. Therefore, this Policy is a core component of the Company’s internal control and risk management framework, supported by a culture of transparency, ethical behaviour, and zero tolerance towards fraudulent conduct in all its forms.

To ensure regulatory alignment, the Company has established a robust internal governance framework.

The Company applies a zero-tolerance approach to fraud, corruption, bribery, and any related misconduct. All actual, attempted, or suspected fraudulent activities will be treated seriously, investigated promptly, and addressed through disciplinary, legal, and regulatory measures as appropriate.

This Policy reflects the requirements of:

  • Act No. 253/2008 Coll. (AML Act),
  • Act No. 40/2009 Coll. (Criminal Code),
  • Act No. 171/2023 Coll. (Whistleblower Protection Act),
  • Directive (EU) 2019/1937, and
  • relevant best practices in fraud prevention in the Czech Republic and European Union (hereinafter referred to as the “EU”).

2. Scope and Purpose of this Policy

The Company is dedicated to conducting its operations with the highest standards of legality, ethics, and integrity. The purpose of this Policy is to establish a robust framework that promotes transparency, accountability, and trust across all levels of the Company. This Policy reflects the Company's zero-tolerance stance on fraud and commitment to complying with all applicable legal and regulatory requirements in the EU.

This Policy is intended to support all employees, management, and third parties associated with the Company by assisting in the identification of prohibited conduct, thereby helping to prevent fraud.

A well-structured Anti-Fraud framework builds trust by:

  • Communicating the Company’s ethical standards and expectations to personnel and third parties.
  • Providing straightforward instructions on how to navigate the Anti-Fraud process.
  • Outlining the steps for reporting concerns or suspicions.
  • Specifying the kinds of matters that can be raised, such as fraud.
  • Offering clear guidance on the Anti-Fraud process.
  • Defining the types of issues that can be reported.

This Policy applies to all personnel and, where relevant, to external stakeholders, including but not limited to clients and investors.

This Policy shall also apply to reporting persons where they report or publicly disclose information on breaches acquired in a work-based relationship which has since ended.

This Policy shall also apply to reporting persons whose work-based relationship is yet to begin in cases where information on breaches has been acquired during the recruitment process or other pre-contractual negotiations.

All such individuals are required to comply fully with this Policy, regardless of their seniority, role, or form of engagement. The obligations set forth herein are binding insofar as their activities may impact the Company's operations, risk profile, or regulatory standing.

Non-compliance with this Policy may result in disciplinary action and/or contractual consequences, in accordance with internal procedures and applicable law.

3. Terms and Definitions

AEXchanger Service: It is an online Platform providing a Service for the exchange of Crypto-assets for funds, as well as for other Crypto-assets, and enables the transfer of Crypto-assets on behalf of Clients. The service is owned by the Company.

Bribe: offering, giving, requesting or accepting (directly or indirectly) in the public or private sector, an unauthorised benefit consisting in a direct material enrichment or other advantage which is obtained or is intended to be obtained by the bribed person or another person with his / her agreement, and to which she / he has no right.

Fraud: according to the Czech Criminal Code, means the intentional enrichment of oneself or another person by inducing an error in another, by taking advantage of another’s error, or by concealing material facts, thereby causing damage that is not insignificant to another person’s property.

Attempted Fraud: means any action that demonstrates a clear intent to commit fraud, even if unsuccessful or partially prevented by internal controls. Such attempts must be recorded and reported.

Internal Fraud: means fraudulent actions committed by personnel, management, or contractors of the Company, including embezzlement, manipulation of records, unauthorised use of assets, or concealment of material information.

External Fraud: means fraud committed by third parties intending to unlawfully gain access to the Company’s resources, services, or information systems.

Theft: means unlawful taking of property belonging to the Company or its clients.

Abuse of Position: means exploitation of a role of trust or authority within the Company for personal gain or to cause harm.

Fraud Report (hereinafter referred to as the “Report”): means any communication alleging or indicating potential fraud, submitted through approved reporting channels.

Fraud Risk: means the possibility of loss or damage to the Company’s assets, operations, reputation, or Clients resulting from fraudulent acts or attempts. It includes risks related to digital fraud, identity misuse, and unauthorised transactions.

Fraud Response: means a set of internal procedures for fraud investigation, documentation, evidence collection, disciplinary measures, restitution, escalation to competent authorities, and system improvements.

Client: means any individual or legal person who wishes to use the Company's Services and accepts the terms of the Client Agreement.

Reporting Person: means a person who reports the fraud orally or in writing.

Company: EX Rock s.r.o., commercial company, ID number 193 14 850, with a registered office at Roháčova 145/14, Žižkov, 130 00 Prague 3, Czech Republic, registered by the Municipal Court in Prague, Section C, Insert 384567.

Account: means the Client account available after the registration process, through which the Client can request our Services.

Anti-Money Laundering Law: on certain measures against money laundering and terrorist financing, as amended.

GDPR: on the protection of individuals concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as formulated in subsequent regulations.

Crypto-asset: a digital representation of value or rights that can be transferred and stored electronically using distributed ledger technology or similar technology.

Website: the Company’s official Website, accessible at, which serves as the primary source for publishing information about the Services, legal documentation, public communications, contact information, and any official Offers.

Personnel: means a general umbrella term used to refer to all natural persons who perform functions within or on behalf of the Company, regardless of the type of their engagement (including permanent, temporary, fixed-term, or contractual arrangements). The term also includes natural persons who perform such functions through third-party service providers (outsourcing), to the extent that they are involved in the Company’s governance, operations, internal control, or critical activities. Specifically, the term encompasses, without limitation:

Members of the Management Body;

Employees and other staff, including heads and members of structural units, individuals acting independently as structural or functional units (i.e., where a single person constitutes a standalone unit);

As members or heads of structural or functional units,

Persons performing key functions or holding key function responsibilities, as defined in applicable legislation and guidelines;

Individuals entrusted with critical or important functions, including those engaged via outsourcing;

Persons responsible for internal control functions, such as compliance, risk management, and internal audit.

Confidentiality: means the core principle that ensures the data of a person submitting information about a violation and any information that allows for direct or indirect identification of this person are processed solely for the purposes of performing work or service functions. This information shall not be disclosed to third parties, except as specified in this Policy or required by law.

4. General Principles

The Company is firmly committed to the prevention, detection, and mitigation of fraud risks across all its Crypto-asset Services. This commitment is embedded within the Company’s internal control system and corporate culture, in full compliance with applicable legislation, and national laws and regulations.

The Company establishes the following structured measures for the prevention of fraud:

Personnel Screening:

Prior to employment, all candidates undergo a comprehensive background verification process.

Personnel screening procedures are designed to prevent individuals with a known history of dishonest, fraudulent, or unethical behavior from assuming sensitive roles within the Company.

Know Your Customer (hereinafter referred to as the “KYC”):

The Company implements a robust KYC program as part of its client onboarding and ongoing monitoring obligations.

All Clients are subject to identity verification, beneficial ownership checks, and assessment of the purpose and intended nature of the business relationship.

Enhanced due diligence (hereinafter referred to as the “EDD”) measures are applied to Clients deemed high-risk, including but not limited to verifying the source of funds and scrutinizing the purpose of transactions.

Internal Controls:

The Company maintains a comprehensive internal control framework to mitigate fraud risks. Key elements include:

  • Segregation of duties and clear assignment of roles and responsibilities;
  • Restricted access to critical systems, premises, and confidential information;
  • Automated and manual data analysis for anomaly detection and fraud indicators;
  • Performance and behavior reviews for early identification of risk factors;
  • Documented approval workflows for financial transactions and operational activities.

Internal controls are periodically reviewed, tested, and enhanced through internal audits and compliance assessments.

Third-Party Due Diligence:

All partners and third-party service providers undergo initial and ongoing due diligence to assess integrity, financial soundness, operational capacity, and regulatory compliance.

Transaction Monitoring:

The Company utilizes advanced transaction monitoring tools to track and verify Crypto-asset transfers in real-time.

AML Oversight:

The Company's Anti-Money Laundering Officer (hereinafter referred to as the “AML Officer”) is responsible for overseeing the AML/CTF framework and ensuring compliance with anti-fraud obligations.

The AML Officer:

  • Investigates suspicious activities or transactions flagged through monitoring tools or internal reports;
  • Coordinates with competent authorities as required;
  • Prepares periodic reports to the Management Body on fraud and AML/CTF risks.

Reporting Mechanisms:

The Company maintains confidential internal channels for the reporting of suspected or confirmed fraud cases. Personnel, contractors, and third parties may report concerns anonymously via the Company’s internal channels. All reports are promptly assessed and, where warranted, escalated to law enforcement, regulatory bodies, or other competent authorities.

The Company ensures protection against retaliation for individuals reporting in good faith.

5. Anti-Fraud Procedure

5.1. Reporting of Fraud

All personnel and third parties acting on behalf of the Company are required to report any suspected or confirmed fraudulent activity without delay. Failure to report known or suspected fraud may be considered a breach of this Policy and subject to disciplinary measures.

Reports may be submitted by the following communication channels:

E-mail: Reports may be submitted electronically via the designated E-mail address:.

Postal Mail: Reports may be delivered by post to the following address: Roháčova 145/14, Žižkov, 130 00 Praha 3, Czech Republic.

In-person Reporting: On request, reports may also be made verbally during a scheduled confidential meeting with the Chief Compliance Officer (hereinafter referred to as the “CCO”) or the Human Resources Officer (hereinafter referred to as the “HRO”, “HR Officer”), which must be arranged within 14 days of the request. The oral notification shall be audio-recorded or recorded in a manner that faithfully captures the substance of the oral notification. An audio recording of an oral communication may be made only with the consent of the Reporting Person. The CCO or the HRO shall give the Reporting Person the opportunity to comment on the recording or transcript of the audio recording, if made. The Reporting Person's comments shall be attached to the recording or transcript.

The reporting channels are designed to facilitate both confidential and anonymous reporting, ensuring that individuals can raise concerns without fear of retaliation or breach of confidentiality.

The possibility of applying directly to the competent authority is not excluded by these provisions. In addition to the internal channels, Reporting Persons retain the right to report externally to the relevant competent authority, particularly in cases where internal reporting may be ineffective, compromised, or inappropriate.

The Company ensures equal treatment, confidentiality, and protection for all reports, whether submitted anonymously or not, in accordance with and national legislation.

Reporting Persons submitting Reports should include as many specific details as possible to help facilitate a thorough investigation. To help ensure concerns are addressed as soon as possible, Reporting Persons should provide as much information as possible, as missing or inaccurate information can lead to a delay.

The Fraud Report should provide clear details, helpful information, and relevant supporting documents.

Reports should, where possible, contain:

  • A clear description of the suspected fraud.
  • Names or roles of involved individuals or entities.
  • Reference to relevant transactions, documents, or internal processes.
  • Any available supporting evidence.

All reports, regardless of format, are logged by the HRO, who performs an initial screening to verify scope and completeness. Substantiated reports are escalated to the CCO for investigation. If the report concerns the CCO or any member of the Management Body, it must be redirected to the independent Non-Executive Director. In such cases, the CCO is excluded from all related proceedings.

The CCO shall acknowledge receipt of all non-anonymous reports within five business days and confirm whether the matter falls within the scope of investigation. Reports received informally (e.g. via audits, informal conversations, or incidental findings) are subject to the same protections and follow-up as formally submitted cases.

Reports made by individuals qualifying as whistleblowers under Czech or EU law are handled in accordance with the Whistleblowing Policy and applicable legal standards.

All reports are documented in a secure log with date, nature of the concern, and summary of evidence, subject to the confidentiality standards set out in this Policy. The Company prohibits retaliation against any individual who reports suspected fraud in good faith.

5.2. Investigation of Fraud

All fraud-related reports are subject to structured, confidential, and impartial investigation. The objective is to establish facts, determine responsibility, and apply appropriate corrective or disciplinary measures.

Upon receiving a report, the CCO assesses its relevance, completeness, and risk level to determine whether a formal investigation is warranted. Reports falling outside this Policy may be redirected to the appropriate function or authority. Where applicable, the CCO ensures timely escalation to law enforcement, supervisory bodies, or external experts.

Upon receiving the Fraud Report, the CCO will notify the individual who made the Fraud Report within two (2) working days of receipt.

Investigations are led by the CCO or, where a conflict exists (e.g., if the CCO or the Director is involved), by the independent Non-Executive Director, ensuring procedural independence. The CCO coordinates fact-finding activities, including the review of systems, internal records, communications, and transaction data, and conducts interviews with relevant parties. Where needed, external specialists (e.g., forensic auditors, legal counsel) may be engaged to ensure objectivity and expertise.

Investigations are conducted promptly, with a target resolution period of 30 days for standard cases, extendable for complex matters with documented justification. All investigation steps are logged in a dedicated file, including evidence collected, interviews conducted, and decisions reached. Confidentiality is maintained throughout, with access limited to authorised personnel.

Upon completion, the CCO prepares a final investigation report, including findings, evidence summary, root cause analysis, and recommended actions, including disciplinary steps, procedural enhancements, or legal escalation. If applicable, a summary may also be shared with the reporting person.

If the Report is assessed as unsubstantiated, the CCO shall inform the Reporting Person in writing without undue delay that, based on the facts stated in the report and circumstances known at the time of review, no suspected offence was found, or the report appears to be based on false information. The CCO shall also inform the Reporting Person of their right to escalate the matter to a competent authority.

If the Report is deemed substantiated, the CCO shall propose appropriate measures to prevent or remedy the unlawful situation. If such measures are not adopted by the Company, alternative appropriate steps shall be implemented and the Reporting Person shall be informed without undue delay.

Where justified, particularly in cases where fraud is confirmed, the Company may escalate the matter to the appropriate competent authorities, in line with applicable legal obligations.

In instances where allegations of suspected fraud are communicated via informal or non-designated channels (e.g., verbal reports, findings from audits), the Company shall nevertheless treat such information with equal procedural rigour. All standard safeguards, such as confidentiality, limited access to sensitive case details, and protection of the reporting individual against unauthorized retaliation, shall be applied in the same manner as for formal Fraud Reports.

5.3. Fraud Response

Following the confirmation or reasonable substantiation of a fraudulent act, the Company undertakes immediate, proportionate, and risk-adjusted actions to limit adverse effects, restore operational integrity, and prevent recurrence.

All confirmed fraud cases are logged in the Fraud Register, and affected Clients are informed without undue delay, in accordance with applicable law and the principle of transparency. Communication includes a description of the incident, its implications, and the corrective steps taken. Notifications comply with GDPR obligations and applicable supervisory guidance.

Persons found culpable, whether personnel, contractors, or third parties, are subject to disciplinary or contractual consequences, including possible dismissal or contract termination, in accordance with labour laws, internal rules, and the severity of the misconduct. Relevant authorities are notified where required, and the Company cooperates fully with investigations or proceedings.

Where gaps in controls are identified, the Company shall update internal procedures, enhance cybersecurity safeguards, refine fraud-detection parameters, and strengthen employee training. Post-incident reviews are conducted by the Management Body or its delegated committee to evaluate root causes and initiate remedial policy or process changes.

Where material weaknesses in governance, culture, or personnel awareness are identified, the Company may initiate broader structural reforms, including targeted training refreshers, process re-engineering, or reassignment of duties.

Where financial recovery is feasible, the Company may pursue restitution from responsible parties and, where lawfully permitted, initiate refunds to affected Clients pursuant to a valid legal basis. The Internal Auditor evaluates the adequacy and independence of each investigation and recommends systemic improvements where applicable.

In cases involving multiple entities or cross-border activities, the Company shall coordinate its response in accordance with applicable supervisory cooperation mechanisms and, where necessary, submit fraud-related notifications via the central reporting systems mandated by EU or Czech financial authorities.

6. Fraud Prevention

The Company implements a structured fraud prevention system integrated into its internal control and compliance frameworks.

All prospective employees undergo pre-employment screening, including verification of criminal records, references, and, where applicable, credit and sanction databases. Candidates with known integrity or fraud-related risks are excluded from sensitive roles.

Clients are subject to a robust KYC process, including identity and beneficial ownership verification, business purpose analysis, and ongoing monitoring. EDD is applied to high-risk Clients such as PEPs, entities using privacy-enhancing technologies, or those from high-risk jurisdictions, with scrutiny of the source of funds and transaction rationale.

The Company maintains clear segregation of duties, dual-approval workflows for crypto transactions, and restricted access to critical systems and assets. Automated anomaly detection tools and real-time blockchain analytics are used to flag obfuscated transactions, mixing services, irregular patterns, and behavioural red flags. Transactions triggering risk-based thresholds are escalated to the AML Officer.

To support prevention and detection efforts, the Company maintains an updated classification of relevant fraud typologies. These include:

  • Internal fraud: asset misappropriation, manipulation of internal records, abuse of access rights and conflicts of interest.
  • Client-driven and third-party fraud: forged KYC documentation, identity theft, phishing and chargeback fraud.
  • Transactional and payment fraud: account takeovers.
  • Hybrid and emerging schemes: insider collaboration with external actors, AI-generated impersonation and abusive refund schemes.

These typologies are reviewed at least annually or upon identification of new patterns, and integrated into employee training, transaction monitoring, and post-incident analysis.

Third-party vendors and partners undergo risk-based due diligence prior to engagement and periodically thereafter. Contracts include anti-fraud and audit clauses, and high-risk third parties are subject to enhanced monitoring and control.

All internal and external stakeholders can report suspected fraud confidentially or anonymously via secure internal channels. All reports are assessed by the CCO, recorded in the Fraud Register, and handled in accordance with protection laws. Retaliation against good-faith reporters is strictly prohibited.

All personnel complete mandatory training on fraud typologies, crypto-specific risks, phishing, and social engineering, with role-specific modules for onboarding, operations, and vendor management. Training completion is tracked by the HRO and reported to the CCO. The Internal Auditor independently reviews fraud controls, response procedures, and training effectiveness at least annually, ensuring that failures are addressed through corrective action and that the overall framework remains aligned with regulatory expectations and evolving threat patterns.

7. False and Malicious Allegations

The Company maintains the highest standards of integrity. As such, it is committed to dedicating significant resources to thoroughly investigate any Report it receives. However, it is equally important to understand that the Company will treat any allegations that are found to be unsubstantiated or made maliciously, or with knowledge of their falsity, very seriously.

Making deliberately false or malicious allegations will be considered a serious disciplinary offense by the Company. Any personnel found to have made such allegations may face disciplinary action, which could include termination for cause.

8. Risk Assessment

The Company conducts regular and structured assessments of fraud-related risks across all business lines, processes, and control functions. The risk assessment process is designed to identify, evaluate, and prioritise potential internal and external fraud threats that may impact the Company’s operations, Clients, digital infrastructure, or compliance obligations. This includes risks related to employee misconduct, collusion, fraudulent transactions, impersonation, supplier fraud, data breaches, and attempted scams targeting the Company or its Clients.

Fraud risk assessments are performed:

  • Annually, as part of the Company's general risk management cycle.
  • Ad hoc, following major incidents, process changes, product launches, or regulatory developments.

Identified fraud risks are recorded in the Company's Fraud Risk Register, which is regularly reviewed and updated. Mitigation measures are incorporated into the Company’s internal control framework, transaction monitoring parameters, and employee training programmes. High-risk areas are subject to enhanced controls, more frequent reviews, and targeted awareness campaigns.

The outcome of each risk assessment is reported to the Management Body and informs strategic decision-making, resource allocation, and regulatory disclosures where applicable.

Failure to conduct or document a fraud risk assessment may constitute a breach of internal policies and trigger remedial actions, including external audit recommendations or supervisory scrutiny.

9. Confidentiality

The Company treats all fraud-related reports and investigations with strict confidentiality. The identity of the reporting person shall not be disclosed to anyone beyond authorised personnel responsible for handling reports, unless the reporting person provides explicit consent. This also applies to any information from which their identity may be directly or indirectly inferred.

Reports are handled on a need-to-know basis and stored in secure, access-restricted systems. Employees must not investigate or discuss suspected fraud internally but report concerns through the designated channels. Investigation outcomes are disclosed only to those with a legitimate compliance, legal, or supervisory function.

All materials and evidence related to fraud cases, including transaction records, communications, personal data, and interview notes, shall be handled with enhanced confidentiality safeguards. Special categories of personal data, if processed, shall be treated strictly in line with applicable legal bases and subject to proportionality and data minimisation principles. Secure digital storage, access logging, encryption, and retention controls shall apply to all such data. Disclosure to third parties, including competent authorities, is only permitted where legally required and subject to prior data protection assessment.

Any unauthorised disclosure, duplication, or mishandling of fraud-related data or personal information will result in disciplinary measures and, where applicable, legal consequences.

10. Notification

All personnel and other relevant individuals are personally responsible for:

  • Remaining vigilant to potential fraud, bribery, corruption, and unethical conduct;
  • Immediately reporting any suspected or confirmed incidents to the Management Body, the CCO, or through the designated reporting channels;
  • Providing available evidence or supporting information where possible;
  • Cooperating fully and in good faith with any subsequent investigation.

Reports can be submitted anonymously where desired. Retaliation against individuals making reports in good faith is strictly prohibited and will be subject to disciplinary action.

11. Register, Monitoring, and Annual Reporting

The Company maintains a centralized Fraud Register, which documents all reports of potential, suspected, or actual misconduct submitted via internal or external channels.

The Register is maintained and updated by the HRO with oversight from the CCO.

The Register shall be reviewed:

  • Quarterly, by the HRO and the CCO, to monitor trends, emerging risks, and the effectiveness of the internal controls;
  • Annually, in the context of the preparation of the Annual Fraud Report, submitted to the Management Body;
  • Ad hoc, in the event of significant regulatory updates or material organisational changes.

Access to the Register is strictly limited to designated compliance and audit personnel to ensure the confidentiality and protection of Reporting Persons.

The CCO is responsible for preparing and submitting the Annual Fraud Report to the Management Body. The CCO shall ensure that the report includes a detailed summary of all Reports, the nature of the allegations, the actions taken in response, the outcomes of any investigations, and any recommendations for improvements in procedures or policies.

The HRO shall provide any necessary data or reports regarding Reports submitted through the Human Resources channels, including any personnel-related investigations or outcomes.

The Internal Auditor shall review the Annual Fraud Reports to ensure that proper procedures were followed in handling the reports and that any corrective actions have been implemented.

The Annual Fraud Report shall be presented to the Management Body no later than Q1 of the following financial year.

12. Personnel Training and Awareness

The Company ensures that all personnel receive role-specific and risk-sensitive training aimed at preventing, identifying, and reporting fraud.

Training is mandatory upon onboarding and is renewed on a periodic basis, at least annually, or upon any significant update to this Policy or applicable fraud-related regulations. The training programme covers:

  • Identification of fraud indicators, including cyber-enabled fraud, scams, and internal misconduct.
  • Internal fraud reporting procedures, including use of secure and anonymous reporting channels.
  • Rights and protections under Directive (EU) 2019/1937, including safeguards against retaliation.
  • Interaction between fraud risks and AML/CTF, market abuse, and ICT/cybersecurity frameworks.
  • Personal accountability in recognising and escalating suspicious activity.

Training materials are developed and delivered under the supervision of the HRO, in cooperation with the CCO and Risk Manager Officer, and are tailored to the personnel's functions, access rights, and exposure to fraud risks.

Heads of Structural Units are responsible for ensuring that their teams complete all required training and are familiar with the Company’s internal fraud prevention mechanisms. Employees are required to confirm their understanding of the Policy and demonstrate knowledge through assessments, quizzes, or other knowledge checks.

The Company keeps records of completed training sessions, including participant names, dates, content covered, and assessment results. These records are reviewed by Internal Audit during periodic evaluations to assess training effectiveness and alignment with the overall internal control framework.

Non-compliance with training requirements may result in disciplinary action, and failure to complete mandatory modules may restrict access to certain roles, systems, or Client-facing functions.

13. Record-Keeping

The Company is responsible for maintaining centralized, secure storage of all internal policy and procedure documents.

The HRO and the CCO are responsible for maintaining these records and ensuring their timely accessibility to relevant stakeholders or competent authorities upon formal request.

The storage system must ensure confidentiality, security, and accessibility, providing personnel with easy access to current versions while maintaining an archive of previous versions to facilitate traceability of changes. Potential storage solutions include the use of a dedicated internal portal, secure cloud storage, or a comprehensive document management system.

Regardless of the chosen solution, the Company must ensure robust data protection measures are in place to safeguard both personnel and sensitive Company information.

The Company undertakes to comply with the GDPR and applicable Czech legislation, ensuring the protection of personal data of personnel and external stakeholders, including clients, investors, regulators, and business partners. Personal data that is clearly not related to the specific information about the breach or the processing of the report shall not be collected.

The Company shall retain for a minimum period of five (5) years all versions of this Internal Policy, including all historical amendments, annexes, appendices, and any documents developed in implementation or furtherance thereof, such as:

  • Fraud Reports;
  • Annual Fraud Report;
  • Reports and notifications submitted to competent authorities, as required;
  • Fraud Register;
  • Training Protocols and attendance records;
  • And any other related documentation.

Upon request, and where appropriate under applicable law, relevant records may be made available to Clients.

Where requested by the competent authority before the expiry of the five-year period, the retention period shall be extended to up to seven (7) years.

14. Final Provisions

The Company is dedicated to keeping this Policy continuously updated and aligned with its operational requirements, regulatory obligations, prevailing industry standards, and regulatory changes. To ensure its relevance and effectiveness, the Policy is subject to regular assessments, conducted at least once annually. These reviews allow the Company to implement necessary modifications in response to evolving legal frameworks, advancements in industry best practices, and adjustments to internal operational procedures.

By implementing these ongoing updates and transparent communication measures, the Company reinforces its commitment to compliance.