Know Your Customer (KYC) Policy

Firebit

1. Introduction

The Know Your Customer (KYC) Policy establishes the principles, rules, and guidelines adopted by Firebit ("Firebit") for the identification, verification, and validation of the identity of its clients (users), with the objective of ensuring compliance with applicable legislation and preventing the use of the Platform for illicit activities, including, but not limited to, money laundering, terrorism financing, and proliferation of weapons of mass destruction.

Firebit conducts its KYC processes in strict compliance with national and international regulatory standards for the prevention of money laundering (AML/CFT), as well as the provisions of Law No. 13,709/2018 - the Brazilian General Data Protection Law (LGPD), ensuring that the processing of clients' personal data is carried out in an ethical, secure, and transparent manner.

2. Objective

The main objective of this Know Your Customer (KYC) Policy is to prevent the Firebit Platform from being used for illicit activities, ensuring that all operations carried out are in compliance with the legal, regulatory, and ethical requirements applicable to the virtual assets sector. This Policy is guided by the following principles:

Regulatory Compliance: to ensure that all client identification, verification, and monitoring procedures are aligned with national and international Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) standards, in particular:

  1. Law No. 9,613/1998 (Anti-Money Laundering and Counter-Terrorism Financing Law);
  2. Law No. 14,478/2022 (Virtual Assets Legal Framework);
  3. COAF Normative Instruction No. 5/2020, which regulates the registration and updating of obligated entities in SISCOAF;
  4. BCB Resolution No. 80/2021, applicable to institutions regulated by the Central Bank of Brazil;
  5. CVM Resolution No. 50/2021, applicable to participants in the securities market;
  6. Recommendations of the FATF - Financial Action Task Force.

Integrity and Ethics: to ensure that Firebit maintains an honest, transparent business environment committed to ethics and regulatory compliance.

Prevention of Illicit Activities: to adopt effective controls to detect, mitigate, and report risks of money laundering, terrorism financing, and other financial crimes, preserving the trust of clients, partners, and authorities.

3. Scope

This Policy applies to all employees, administrators, service providers, and departments of Firebit that, directly or indirectly, are involved in processes of interaction, registration, verification, monitoring, or relationship with clients.

The scope covers, but is not limited to:

  1. Commercial, operational, and customer service areas;
  2. Administrative, integrity, legal, compliance, and finance departments;
  3. Service providers and strategic partners that support Firebit in activities related to client identification, validation, and monitoring.

All parties involved have the responsibility to strictly comply with the guidelines of this Policy, ensuring that the KYC process is conducted in a uniform, transparent manner and in compliance with applicable legal and regulatory standards.

4. Definitions

Know Your Customer (KYC): a process used to identify, verify, and validate the identity of clients, aiming to prevent fraud, money laundering, terrorism financing, proliferation of weapons of mass destruction, and other illicit activities.

Client or User: a natural person who uses or intends to use Firebit's services.

Ultimate Beneficial Owner (UBO): a natural person who ultimately owns, controls, or benefits from a company, contract, or transaction, even through third parties.

Politically Exposed Person (PEP): a natural person who holds or has held, in the last five years, prominent public functions in Brazil or in other countries, as well as their representatives, family members, and close associates, as defined by COAF.

Due Diligence: a set of analysis and assessment procedures for clients, partners, and third parties, which allows the identification of risks related to financial, reputational, or regulatory illicit activities.

Enhanced Due Diligence (EDD): additional verification measures applied to clients classified as high risk, including requests for additional information and supplementary documents.

Ongoing Monitoring: regular monitoring of transactions carried out by clients, in order to detect movements that are atypical, suspicious, or inconsistent with the declared profile.

5. KYC Process Guidelines

5.1 Client Registration

Every client registration must undergo an identification, verification, and validation process, through the collection of the following information and documents:

  1. Full name;
  2. CPF number (Brazilian taxpayer ID);
  3. Date of birth;
  4. Official photo identification document (ID card, driver's license, passport, or valid equivalent);
  5. Complete residential address, accompanied by an updated proof of address;
  6. Nationality and marital status;
  7. Phone number and contact email address;
  8. Proof of bank account ownership at a financial institution authorized to operate in Brazil;
  9. Proof of life (liveness check) or biometric authentication, when applicable;
  10. Politically Exposed Person (PEP) declaration, when relevant;
  11. AML/CFT risk assessment and classification, according to Firebit's internal parameters, with the possibility of applying Enhanced Due Diligence for high-risk clients.

For additional validation purposes, geolocation information and banking data linked to the client's CPF/CNPJ may be collected, including PIX key when applicable, aiming to ensure greater security in legal and contractual transactions.

Firebit reserves the right to request additional information or supplementary documents whenever it deems necessary to confirm the client's identity, clarify inconsistencies, or meet legal and regulatory requirements.

5.2 Due Diligence

Every client must undergo an Integrity Due Diligence process, aimed at assessing risks related to the prevention of financial, reputational, or regulatory illicit activities. This process will include, at a minimum, the following analyses:

  1. Document verification: checking the authenticity and validity of documents submitted during the registration process;
  2. Restrictive and sanctions list screening: checking national and international databases, including lists from the UN, OFAC, European Union, Central Bank, COAF, and other competent authorities;
  3. Adverse media analysis: research in public and private sources to identify any links with illicit activities, fraud, or investigations;
  4. PEP (Politically Exposed Persons) verification: identification of the client as a PEP, their family members, or close associates, in accordance with COAF regulations;
  5. Profile and reputational history assessment: analysis of the compatibility between the declared occupation/profession, presumed income, and expected transaction patterns.

Firebit may also cross-reference data with national and international external databases, such as COAF, OFAC, Interpol, Federal Revenue Service, courts, and public records, with the client's consent, to verify judicial history, corporate ties, political or reputational exposure, and other factors relevant to the integrity of the contractual relationship.

Whenever indications of elevated risk are identified, Firebit may apply Enhanced Due Diligence (EDD), requiring additional information, such as proof of the origin of funds, supplementary declarations, or formal interviews.

5.3 Risk Classification

Based on the information collected during the registration, verification, and Integrity Due Diligence process, all Firebit clients will be classified according to the level of risk they represent.

The risk classification aims to allow Firebit to apply control and monitoring measures proportional to the identified risk profile, in compliance with legislation and AML/CFT best practices (Anti-Money Laundering, Counter-Terrorism Financing, and Proliferation of Weapons).

The assessment criteria include, among others:

  1. Socioeconomic profile and client occupation;
  2. Transaction history and compatibility with declared income;
  3. Geographic location, considering countries or regions of high risk identified by international organizations (FATF, UN, OFAC);
  4. Links to PEPs (Politically Exposed Persons);
  5. Indications of adverse media, legal proceedings, or prior sanctions.

Based on these parameters, clients will be classified into low, medium, or high risk categories, subject to different levels of monitoring and internal controls.

5.4 Ongoing Monitoring

Firebit will carry out ongoing monitoring of all clients, with the objective of identifying changes in risk profiles and detecting movements that are atypical or inconsistent with the previously declared pattern.

This monitoring includes, among others:

  1. Periodic updating of registration information (personal documents, address, occupation, and proof of income);
  2. Recurring screening against restrictive lists, sanctions, and political exposure lists, including PEP (Politically Exposed Persons) checks, adverse media, and national and international databases (e.g., COAF, UN, OFAC, FATF);
  3. Analysis of financial transactions carried out on the Platform to verify compatibility with the client's declared profile and financial capacity;
  4. Periodic compliance and internal audit reports, documenting monitoring procedures and the effectiveness of AML/CFT controls;
  5. Application of enhanced monitoring measures whenever indications of irregularities, incompatible movements, or relevant changes in the client's profile are detected.

Firebit reserves the right to request additional information and documents at any time, especially in cases of elevated risk or legal/regulatory requirements.

5.5 Non-Accepted Profiles

Firebit may restrict or refuse the registration of clients who present elevated risk, are involved in relevant legal proceedings, appear on restrictive lists, or are prohibited by judicial or administrative decision from contracting legal services.

Specific cases will be evaluated by the Integrity and Compliance department.

5.6 Data Storage

Firebit will maintain records, information, and documents related to compliance with this Policy and KYC and AML/CFT obligations for a minimum period of 5 (five) years, counted from the termination of the relationship with the client or from the last transaction, as provided for in applicable legislation, without prejudice to longer periods required by competent authorities or specific regulations.

All personal data and collected documents will be stored in a secure, integral, and confidential manner, in compliance with Law No. 13,709/2018 (LGPD), the European Union General Data Protection Regulation (GDPR), and other applicable regulations.

Access to information is restricted exclusively to authorized employees and is granted on a need-to-use basis for the performance of their duties, in observance of the principles of security and least privilege.

Firebit also adopts technical and administrative protection measures, including access controls, encryption, log records, and ongoing monitoring, in order to prevent unauthorized access, leaks, losses, or any form of inadequate or illicit processing.

6. Responsibilities

The implementation and effectiveness of this Know Your Customer (KYC) Policy depend on the fulfillment of the following responsibilities, assigned to each area:

a. Integrity and Compliance

  1. Prepare, review, and periodically update this Policy, ensuring its adequacy with legal and regulatory standards;
  2. Submit the Policy for approval by Senior Management/Board of Directors;
  3. Conduct client risk analysis, considering AML/CFT criteria and other regulatory parameters;
  4. Develop and implement periodic training and education programs for employees and partners, to ensure full knowledge of their legal and regulatory obligations;
  5. Supervise the effective application of the Policy across all areas of Firebit;
  6. Act as the official communication channel with regulatory bodies and competent authorities.

b. Commercial Area

  1. Ensure that no client is formalized without full compliance with KYC requirements;
  2. Implement internal controls that assist the Compliance area in client monitoring;
  3. Ensure that employees and third parties under its management receive annual training in KYC and AML/CFT.

c. Senior Management

  1. Promote and support a compliance culture, ensuring that Firebit operates in compliance with applicable legislation and regulations;
  2. Monitor the effectiveness of procedures, policies, and internal controls related to KYC;
  3. Analyze reports and communications from regulators, auditors, and supervisory bodies, determining the necessary measures to meet their recommendations or requirements.

d. Internal Audit

  1. Conduct periodic reviews of the application of this Policy;
  2. Evaluate the effectiveness of controls, procedures, and evidence related to KYC;
  3. Issue improvement recommendations to strengthen regulatory compliance and risk mitigation.

7. Audit and Policy Review

Firebit will carry out periodic internal audits, defined in the Internal Audit Plan, with the objective of:

  1. Verifying the compliance of this KYC Policy with applicable legal and regulatory standards;
  2. Evaluating the effectiveness of internal controls, procedures, and monitoring tools used for the prevention of financial illicit activities;
  3. Identifying failures, vulnerabilities, or deviations from AML/CFT best practices (Anti-Money Laundering and Counter-Terrorism Financing);
  4. Issuing recommendations for immediate correction of non-conformities and for the continuous improvement of internal practices;
  5. Documenting compliance evidence, in order to support potential inspection by regulatory authorities or independent external audits.

Audit results will be formalized in specific reports, submitted to Senior Management, which must evaluate the findings and adopt the necessary measures to ensure full adherence to regulations and Firebit's Integrity Program.

8. Training and Education

Firebit will promote regular training programs, defined in the Training Plan, which are mandatory for all employees, especially those directly involved in the processes of registration, verification, storage, and monitoring of clients in the virtual assets market.

Training will include simulations and examples of good integrity and compliance practices, in order to reinforce the practical application of Firebit's guidelines.

Completion of training will be monitored and recorded as an integral part of Firebit's Integrity and Compliance Program, and is considered an essential requirement for employees to continue performing their functions.

9. Penalties for Non-Compliance

Any violation of this Know Your Customer (KYC) Policy will be treated with the utmost seriousness by Firebit, considering the severity of the infraction, the risk involved, and the impacts on the company and the market. Applicable penalties may include, individually or cumulatively:

  1. Formal warnings, recorded in employee files;
  2. Mandatory corrective training, aimed at refreshing knowledge and reinforcing good compliance practices;
  3. Disciplinary actions, which may range from temporary suspension of activities to dismissal of the employee, in cases of recurrence or serious infractions.

Non-compliance with the obligations of this Policy may also result in civil, administrative, or criminal liability, under applicable legislation.

Firebit reaffirms that all employees, partners, and third parties involved in KYC processes are subject to this Policy, and the Compliance/Integrity department is responsible for monitoring, investigating, and recommending appropriate measures in cases of non-compliance.

10. Final Provisions

This Know Your Customer (KYC) Policy takes effect on the date of its approval by Firebit's Board of Directors and will remain valid for an indefinite period, until it is formally revoked or replaced by an updated version.

Firebit may review and update this Policy at any time and whenever necessary, due to:

  1. legislative or regulatory changes;
  2. guidance issued by competent authorities, including COAF, ANPD, the Central Bank of Brazil, and other regulatory bodies;
  3. evolution of compliance and AML/CFT best practices;
  4. adjustments resulting from internal or external audits.

Any relevant changes will be duly communicated to employees, partners, and interested parties through Firebit's official channels.

11. Contact

For any questions about this policy, please contact the Integrity department.