The purpose of these Guidance Principles on combating money laundering (AML), countering financing of terrorism (CFT), and sanctions measures is to ensure that BITEXPERT POLAND LTD (the Company) has internal guiding principles to prevent the misuse of its business for money laundering and terrorist financing, as well as internal guiding principles for implementing international sanctions. These Guidance Principles have been adopted to ensure that the Company complies with the rules and regulations set forth in the Law of the Republic of Poland on the prevention of money laundering and terrorist financing (Law) and other applicable legislative acts. These Guidance Principles shall be reviewed by the Board at least once a year. Proposals for revision and the revision of these Guidance Principles may be scheduled more frequently at the discretion of the Company's Money Laundering Reporting Officer (MLRO) or Internal Control Officer. All definitions in these Guidance Principles are used in the meaning of the Law of the Republic of Poland on the prevention of money laundering and terrorist financing and other applicable legislation.

• Company Name: BITEXPERT POLAND LTD.
• Country of Registration: Poland.
• Registration Number: 0001069617.
• Address: Konduktorska Street 18 office 7 (00-775) Warsaw.
• Email: info@bitexpert.pro

1. Basic principles

   CDD measures are taken and executed to the required extent considering the Client's risk profile and other circumstances in the following cases:

   • Upon establishment of business relationships and during ongoing monitoring of business relationships.
   • Within 24 hours - upon execution or mediation of Occasional Transaction(s) outside business relationships if the transaction(s) value is 700 euros or more (or equivalent amount in another asset).
   • Upon review of information collected when applying due diligence measures or in case of doubts regarding the sufficiency or reliability of previously collected documents or data when updating relevant data.
   • Upon suspicion of money laundering or terrorist financing, regardless of any deviations, exceptions, or limitations provided in these Guidance Principles and applicable legislation.

   The Company shall not establish or maintain business relationships and shall not engage in transactions if:

   • The Company is unable to undertake and perform any required CDD measures.
   • The Company has any suspicion that its services or transactions will be used for money laundering or terrorist financing.
   • The Client's or transaction's risk level does not correspond to the Company's risk appetite.

   In cases of information received in foreign languages in the implementation of CDD, the Company may request translation of documents into another language applicable to the Company. The use of translations should be avoided in situations where the original documents are prepared in a language applicable to the Company.

   Achieving CDD is a process that starts with the implementation of CDD measures. Upon completion of this process, the Client is assigned a documented individual risk level, which forms the basis for subsequent measures and is monitored and updated as necessary.

   The Company has applied CDD measures adequately if the Company has an internal conviction that it has fulfilled its obligation to apply due diligence measures. The principle of reasonableness is observed in considering internal conviction. This means that the Company, when applying CDD measures, must acquire knowledge, understanding, and confirmation that it has collected sufficient information about the Client, the Client's activities, the purpose of the business relationship and transactions conducted within such measures, the origin of funds, etc., to understand the Client and its business activities, thereby taking into account the Client's risk level, the risk associated with the business relationship, and the nature of such relationships. Such a level of affirmation should allow for the identification of complex, costly, and unusual transactions and transaction patterns that lack a reasonable or obvious economic or legal purpose or are not characteristic of the specific features of the business under consideration.

2. Application of Simplified Comprehensive Verification Measures (Level 1)

   Simplified comprehensive verification measures (SDD) are applied in cases where the Client's risk profile indicates a low risk of ML/TF.

   When applying SDD measures, the Company shall obtain only the following data for a Client who is a natural person:

   • Name(s) and surname(s).
   • Personal number; or

   For a Client who is a legal entity, the following data:

   • Company name or name.
   • Legal form.
   • Registration number, if such number has been assigned.
   • Head office (address) and actual business address.
   • Name(s) and surname(s) of the Client's representative and personal number or date of birth; and

   Ensure that the first payment is made through an account in a credit institution if the credit institution is registered in the EEA or in a third country that imposes requirements equivalent to those set forth in the relevant legislation and is supervised by competent authorities for compliance with these requirements.

   SDD measures may only be applied where ongoing monitoring of the Client's business relationships is conducted in accordance with the Guidance and there is the ability to detect suspicious cash transactions and transactions.

   SDD measures should not be applied in circumstances where enhanced comprehensive verification measures (described below) are required.

   If, during ongoing monitoring of the Client's business relationships, it is determined that the ML/TF risk is no longer low, the Company shall apply the appropriate level of CDD measures.

3. Application of Standard Comprehensive Verification Measures (Level 2)

   Standard due diligence measures apply to all Clients subject to CDD measures in accordance with the Guidance Principles. The following standard due diligence measures shall be applied:

   • Identification of the Client and verification of the information provided based on information obtained from a reliable and independent source;
   • Identification and verification of the Client's representative and their authority to represent;
   • Identification of the Beneficial Owner and, for the purpose of verifying their identity, taking measures to the extent that enable the Company to ascertain who the Beneficial Owner is and understand the ownership and control structure of the Client;
   • Understanding of business relationships, transactions, or operations and, where necessary, gathering information about them;
   • Collection of information regarding whether the Client is a politically exposed person, a member of their family, or a person known as a close associate;
   • Monitoring of business relationships.

   CDD measures as outlined above must be applied before establishing business relationships or executing transactions. Detailed instructions on the application of standard due diligence measures are provided in the Guidance Principles.

4. Application of Enhanced Comprehensive Verification Measures (Level 3)

   In addition to standard comprehensive verification measures, the Company applies enhanced comprehensive verification measures (EDD) to manage and mitigate established risks of money laundering and terrorist financing when the risk is higher than normal.

   The Company always applies EDD measures when:

   • The Client's risk profile indicates a high risk of ML/TF;
   • There are doubts about the accuracy of the information provided, authenticity of documents, or identification of the Beneficial Owner;
   • Cross-border correspondent relationships commence with a Client that is a financial institution of a Third Country;
   • Transactions or business relationships are conducted with PEPs, family members of PEPs, or known close associates;
   • Individuals or legal entities resident or established in Third Countries with a high risk level as identified by the European Commission;
   • The Client is a citizen of such a country or territory, or their residence or the location of the payment service provider receiving the payment is in a country or territory that, according to credible sources such as mutual evaluations, reports, or subsequent published reports, has not established effective AML/CFT systems in line with FATF recommendations.

   Prior to applying EDD measures, the Company ensures that the business relationship or transaction poses a high risk and that such business relationships or transactions can be categorized as high risk. Specifically, the employee evaluates before applying EDD measures whether the above criteria are present and applies them as independent grounds (i.e., each identified factor allows the application of EDD measures regarding the Client).

   Upon applying EDD measures, the Company is obliged to notify the MLRO within 2 working days from the start of applying EDD measures by sending the relevant notification.

   In the case of applying EDD measures, the Company conducts a reassessment of the Client's risk profile no later than every six months.

1. Identification of a Client – Natural Person

   The Company identifies a Client who is a natural person and, where appropriate, their representative and retains the following data about the Client:

   • Name(s) and surname(s);
   • Personal number;
   • Nationality;
   • Photograph;
   • Signature.

   The following valid identity documents containing the above data may serve as a basis for identifying a natural person:

   • Document certifying identity in the Republic of Poland;
   • Document certifying identity of a foreign state;
   • Passport issued in the Republic of Poland;
   • Driver's license issued in a state of the European Economic Area in accordance with the requirements set out in Appendix I to Directiv 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences (recast).

   A Client who is a natural person may not use a representative during business relationships or occasional transactions with the Company.

2. Identification of a Customer – Legal Entity

   The Company identifies a Client who is a legal entity and its representative and retains the following data about the Client:

   • Company name or name;
   • Legal form;
   • Registration number, if such number has been assigned;
   • Name(s) and surname(s), personal number (in the case of a foreigner - date of birth or, if available, personal number or any other unique sequence of characters provided to this person for identification purposes) and nationality of the director(s) or member(s) of the Management Board or member(s) of another equivalent body, as well as their authority to represent the Client;
   • Extract or registration certificate and its issuance date;
   • Head office (address) and actual business address.

   The following documents issued by a competent authority or authority not earlier than six months before their use may be used for Client identification:

   • Registration card of the relevant register;
   • Certificate of registration of the relevant register;
   • Document equivalent to the above-mentioned documents or corresponding documents confirming the establishment of the Client.

   The Company verifies the accuracy of the Client's data mentioned above using information obtained from a reliable and independent source. If the Company has access to the relevant registry of legal entities, it is not required to request the above documents from the Client.

   The identity of the legal entity and the authority to represent the legal entity may be verified based on the above-mentioned document, notarized or officially certified, or based on other information from a reliable and independent source, including electronic identification means and trust services for electronic transactions, thereby using at least two different sources to verify the data in such a case.

3. Identification of the Beneficial Owner of the Client

   The Company must identify the Beneficial Owner of the Client and take measures to verify the identity of the Beneficial Owner to the extent that allows the Company to ensure they know who the Beneficial Owner is. The Company collects the following data regarding the Beneficial Owner(s) of the Client:

   • Name(s) and surname(s);
   • Personal number;
   • Nationality.

   The Company requests information from the Client about the Beneficial Owner of the Client (for example, providing the Client with the opportunity to specify their Beneficial Owner when collecting data about the Client).

   The Company does not establish business relationships if the Client who is a natural person has a Beneficial Owner who is not the same person as the Client.

   The Beneficial Owner of a legal entity is identified step-by-step, with the obligated subject moving to each subsequent stage if the Beneficial Owner of the legal entity cannot be identified at the previous stage. The stages are as follows:

   • It can be identified regarding the Client, a legal entity, or a party to the transaction, a natural person or persons who actually ultimately control the legal entity or exercise influence or control over it in another way, regardless of the size of the shares, voting rights, or ownership rights or their direct or indirect nature;
   • Whether the Client, who is a legal entity or party to the transaction, is a natural person or persons who own or control the legal entity through direct or indirect ownership of shares. Family relationships and contractual relationships should also be considered here;
   • Who is a natural person in the senior management that should be identified as the Beneficial Owner, if the obligated person has not identified the Beneficial Owner in the previous two stages.

   In documents used for the identification of a legal entity, or in other submitted documents, the direct identification of the beneficial owner of the legal entity is not specified. Corresponding data (including information about group membership, ownership structure, and group management) is recorded based on a statement from the legal entity's representative or a document written by them personally.

4. Identification of a Politically Exposed Person

   The Company takes measures to ascertain whether the Client, the Beneficial Owner of the Client, or a representative of this Client is a politically exposed person, a member of their family, or a close associate, or whether the Client has become such a person.

   The Company requests information from the Client to determine whether the Client is a politically exposed person, a member of their family, or a close associate (for example, providing the Client with the opportunity to specify such information when collecting data about the Client).

   The Company verifies the data obtained from the Client by sending requests to relevant databases or publicly accessible databases or by querying or verifying data on websites of relevant supervisory authorities or institutions of the country in which the Client resides or is located. PEPs must be additionally checked using an international search engine (for example, Google) and the local search engine of the Client's country of origin, if available, by entering the Client's name in both Latin and local alphabets with the Client's date of birth.

   The Company must identify close associates and family members of PEPs only if their connection with the PEP is known to the public or if the Company has reason to believe that such a connection exists.

   If a Client who is a PEP no longer performs important public functions entrusted to them, the Company must consider the risks associated with the Client for at least 12 months and apply appropriate measures based on risk sensitivity until it is established that the risks associated with the PEP no longer exist in the case of the Client.

5. Determination of the Purpose and Nature of Business Relationships or Transactions

   The Company must understand the purpose and nature of establishing business relationships or conducting transactions. Regarding the services provided, the Company may request the following information from the Client to understand the purpose and nature of business relationships or transactions:

   • Whether the Client will use the Company's services for their own needs or will represent the interests of another person;
   • Contact information;
   • Information about the Client's registration address and actual residential address;
   • Estimated turnover of operations with the Company for the calendar year;
   • Estimated source of funds to be used in business relationships or transactions;
   • Whether the business relationships or transaction are related to the Client's economic or professional activities, and which specific types of activities these are;
   • Information about the source of funds related to business relationships or transactions if the transaction amount (including the expected amount) exceeds the established limit.

   The Company applies additional measures and collects additional information to determine the purpose and nature of business relationships or occasional transactions in cases where:

   • There is a situation that involves high value or is unusual and/or
   • When the risk and/or risk profile associated with the Client and the nature of the business relationships warrant additional actions to ensure the possibility of proper monitoring of business relationships in the future.

   If the Client is a legal entity, in addition to the above, the Company must determine the Client's field of activity in which the Company should understand what the Client is engaged in and intends to engage in during the Business Relationship and how this corresponds to the purpose and nature of the Business Relationship overall, as well as whether they are reasonable, understandable, and credible.

   The field of activity must correspond to the experience of the Client's representative (or key personnel) and/or Beneficial Owner. Thus, the Company must determine where the abilities, skills, and knowledge (overall experience) of the representative and/or Beneficial Owner come from to work in this field of activity, with these business volumes, and with these key business partners.

6. Business Relationship Monitoring

   The Company shall monitor established business relationships, implementing the following measures of ongoing comprehensive due diligence (ODD):

   • Ensuring regular updating of documents, data, or information collected during the application of due diligence measures, as well as in case events occur necessitating their conduct, primarily data concerning the Client, their representative (including authority to represent), and Beneficial Owner, as well as the purpose and nature of the Business Relationship;
   • Continuous monitoring of business relationships, encompassing transactions conducted within the business relationship, to ensure transactions align with the Company’s knowledge of the Client, their activities, and risk profile;
   • Identification of the source and origin of funds used in the transaction(s).

   The Company shall regularly review and update documents, data, and information collected during the implementation of CDD measures, as well as update the Client’s risk profile. The frequency of checks and updates should be based on the Client’s risk profile, and checks should be conducted no less than:

   • Once every six months for High-Risk Clients;
   • Once annually for Medium-Risk Clients;
   • Once every two years for Low-Risk Clients.

   Collected documents, data, and information must also be reviewed if an event occurs indicating the need to update the collected documents, data, and information.

   During ongoing monitoring of Business Relationships, the Company conducts monitoring of transactions concluded within Business Relationships to determine whether the transactions correspond to previously known information about the Client (i.e., what the Client stated at the establishment of the Business Relationship or what became known during the Business Relationship). The Company also monitors Business Relationships to ascertain Client activities or facts indicating criminal activity, money laundering, or terrorist financing or their connection with money laundering or terrorist financing is probable, including complex, costly, and unusual operations and transaction schemes lacking any reasonable or apparent economic or lawful purpose. During Business Relationships, the Company continually assesses changes in Client activity and evaluates whether these changes may increase the level of risk associated with the Client and Business Relationships, necessitating the application of EDD measures.

   During ongoing monitoring of Business Relationships, the Company implements the following measures:

   • Screening, i.e., real-time transaction monitoring;
   • Monitoring, i.e., transaction analysis thereafter.

   The purpose of screening is to identify:

   • Suspicious and unusual transactions and transaction patterns;
   • Transactions exceeding specified thresholds;
   • Politically Exposed Persons and circumstances relating to sanctions.

   Transaction checks are conducted automatically and include the following measures:

   • Established threshold values for Client transactions based on the Client’s risk profile and stated transaction turnover;
   • Assessment of virtual currency wallets to which virtual currency will be sent according to the Client’s order;
   • Assessment of virtual currency wallets from which virtual currency is received.

   If a Client requests a transaction exceeding the established threshold or a transaction to a high-risk virtual currency wallet (e.g., wallets associated with fraud, crimes, etc.), the transaction must be manually approved by an Employee who must assess, before approval, the necessity of applying additional AML measures (e.g., AML measures, source and origin of funds inquiry, or request for additional transaction information).

   During transaction monitoring, Employees are required to evaluate transactions to identify actions and transactions that:

   • Deviate from what could be expected based on accepted CDD measures, services provided, information provided by the Client, and other circumstances (e.g., exceeding expected transaction turnover, sending Virtual Currency to a new Virtual Currency wallet each time, transaction volume exceeding limits);
   • Without deviation from the above, may be considered part of money laundering or terrorist financing;
   • May affect the assessment of the Client’s risk profile.

   If any of the above is identified, the Employee must notify the MLRO and suspend any Client transaction until the MLRO makes a decision on the matter.

   In addition to the above, the MLRO must regularly review Company transactions (at least once a week) to ensure that:

   • Company Employees properly fulfill the aforementioned obligations;
   • There are no transactions or transaction schemes that are complex, costly, and unusual and lack a reasonable or apparent economic or lawful purpose or are not characteristic of specific business characteristics.

   The Company identifies the source and origin of funds used in the transaction(s) if necessary. The necessity of identifying the source and origin of funds depends on the Client’s previous activities as well as other known information. Thus, identification of the source and origin of funds used in the transaction is carried out in the following cases:

   • Operations exceed limits established by the Company;
   • Transactions do not correspond to previously known Client information;
   • The Company wishes or reasonably believes it is necessary to assess whether transactions correspond to previously known Client information;
   • The Company suspects that transactions indicate criminal activity, money laundering, or terrorist financing or that there is a probable connection of transactions with money laundering or terrorist financing, including complex, costly, and unusual transactions and transaction schemes that lack any reasonable or apparent economic or lawful purpose or are not characteristic of specific business characteristics.

The Company is prohibited from establishing Business Relationships, and established Business Relationships or transactions shall be terminated (except when objectively impossible) in the following cases:

• The Company suspects money laundering or terrorist financing;
• The Company cannot apply AML measures because the Client does not provide the required data or refuses to provide it, or the provided data does not provide sufficient grounds to believe that the collected data is adequate;
• A Client whose capital consists of bearer shares or other bearer securities wishes to establish Business Relationships;
• A Client, who is a natural person, has a beneficial owner who actually benefits from the relationship, wishes to establish Business Relationships (suspicion of the use of a front person);
• The Client's risk profile becomes unsuitable for the Company's risk appetite (i.e., the Client's risk profile is "prohibited").

In the event of terminating Business Relationships under this chapter, the Company shall transfer the Client's assets within a reasonable time but preferably no later than 10 (ten) business days after termination to an open account in a credit institution registered or with its place of business in a contracting state of the European Economic Area or in a country where requirements equivalent to those set out in relevant directives of the European Parliament and Council are applied. In exceptional cases, assets may be transferred to an account other than the Client's account or disbursed in cash. Regardless of the recipient of funds, the minimum information provided in English in the payment details of the transfer of Client assets is that the transfer is related to the termination of relations with the Client.

1. Unacceptable Clients

   The following list predetermines the types of Clients who are not acceptable for establishing Business Relationships or conducting One-off Transactions with the Company:

   • Clients who do not provide or refuse to provide requested data and information for identity verification without sufficient grounds;
   • Clients from jurisdictions prohibited by the Company's internal policy or international sanctions
   • Clients identified as individuals subject to the International Sanctions Law;
   • Clients identified as individuals subject to UN sanctions; EU sanctions; sanctions administered by the Office of Foreign Assets Control; sanctions administered by the Office of Financial Sanctions Implementation;
   • The Company suspects money laundering or terrorist financing;
   • Any other actions that the Company considers risky for its business or suspicious in terms of money laundering and terrorist financing.

   The Company will not accept individuals or entities from Afghanistan, Barbados, Belarus, Burkina Faso, Burma (Myanmar), Cambodia, Cayman Islands, Crimea (region of Ukraine), Cuba, Democratic People's Republic of Korea, Donetsk region (region of Ukraine), Haiti, Iran, Jamaica, Jordan, Luhansk region (region of Ukraine), Mali, Morocco, Nicaragua, Pakistan, Panama, Philippines, People's Republic of China, Russia, Senegal, Sudan, Syria, Trinidad and Tobago, Uganda, Vanuatu, Yemen, Zimbabwe. Individuals or legal entities from jurisdictions requiring a specific license or permit will not be accepted as Clients unless the Company has obtained such permission or license.

1. PROCEDURE FOR IDENTIFYING SANCTIONED INDIVIDUALS AND TRANSACTIONS VIOLATING SANCTIONS

   The Company undertakes to use at least the following sources (databases) to verify the Client's relationship to sanctions:

   • https://finance.ec.europa.eu/financial-crime/anti-money-laundering-and-countering-financing-terrorism-international-level_en
   • https://www.fatf-gafi.org/

   In addition to the above sources, the Company may use any other sources at the discretion of the Employee applying AML measures.

   To verify the match of names of individuals obtained from the query with persons listed in a notification containing Sanctions, their personal data shall be used, the primary characteristics of which for a legal entity are its name or trademark, registration code or date of registration, and for a natural person – their name and identification data or date of birth.

   For the purpose of establishing the identity of persons listed in the relevant legal act or notification matching individuals identified from the database query, the Company is obliged to analyze the names of persons identified from the query based on potential factors affecting personal data distortion (e.g., transliteration of foreign names, different word order, substitution of diacritical marks or double letters, etc.).

   The Company shall conduct the above verification on a regular basis during established business relationships. The frequency of ongoing checks depends on the Client's risk profile:

   • Once a week for Clients with a high-risk profile;
   • Once a month for Clients with a medium-risk profile;
   • Once a quarter for Clients with a low-risk profile.
2. ACTIONS UPON IDENTIFICATION OF SANCTIONED INDIVIDUALS OR TRANSACTIONS VIOLATING SANCTIONS

   If an Employee of the Company becomes aware that a Client engaged in Business Relationships or conducting a transaction with the Company, as well as a person intending to establish Business Relationships or conduct a transaction with the Company, is subject to Sanctions, the Employee is obligated to immediately notify the MLRO or a member of the Management Board about the identification of the Sanctioned individual, doubts arising in connection with this, and measures taken.

   The MLRO or a member of the Management Board is obligated to refrain from concluding the transaction or proceeding further, take measures provided for by the act imposing or applying Sanctions, and immediately notify the KNF about their doubts and measures taken.

   Upon identifying a Sanctioned individual, it is necessary to determine the measures applied for Sanctions against that person. These measures are described in the legal act implementing Sanctions, hence it is necessary to determine the exact sanction applied to the person to ensure lawful and proper application of measures.