Anti-Money Laundering and Counter-Terrorism Financing and Proliferation of Weapons of Mass Destruction Policy (AML/CTF)

Firebit

Objective

This Anti-Money Laundering and Counter-Terrorism Financing and Proliferation of Weapons of Mass Destruction Policy ("Policy") aims to establish the guidelines, principles and procedures adopted by Firebit Digital Assets Ltda. ("Firebit") for the identification, verification, monitoring and prevention of illicit activities, in particular those related to money laundering, terrorism financing and proliferation of weapons of mass destruction.

To this end, this Policy establishes a set of rules, controls and internal measures designed to ensure that operations conducted through Firebit are not used, directly or indirectly, to conceal, disguise, convert, transfer or integrate proceeds from illicit activities into the economy and financial markets.

The measures described herein have been structured in compliance with Law No. 9,613/1998 and Law No. 14,478/2022 – the Virtual Assets Legal Framework, to which Firebit, as a virtual asset service provider in Brazil, is subject. The rules and procedures of this Policy observe, as applicable, the recommendations of the Financial Action Task Force (FATF), as well as the guidelines of the Financial Activities Control Council (COAF), and other applicable regulatory standards.

Scope

This Anti-Money Laundering and Counter-Terrorism Financing and Proliferation of Weapons of Mass Destruction Policy (AML/CTF) applies in full to all employees, users, administrators, departments, service providers, business partners and any third parties that, directly or indirectly, maintain a relationship with Firebit.

It equally covers the control, recording and continuous monitoring of all financial transactions, including, among others, deposits, withdrawals, transfers and virtual asset operations, with the objective of ensuring the timely identification of atypical movements, the prevention of illicit practices and full compliance with applicable AML/CTF rules and regulations.

Definitions

For the purposes of this Policy, the following terms, when capitalized, shall have the following meaning:

Employees: any persons acting on behalf of or for the benefit of Firebit, including employees (CLT), individual service providers, administrators, directors, representatives, interns and other professionals with access to systems, information, clients, operations or processes relevant for the purposes of this Policy.

COAF (Financial Activities Control Council): the body responsible for producing financial intelligence and for receiving, examining and identifying suspected occurrences of illicit activities, including reports of suspicious operations and operations carried out above applicable thresholds, in accordance with current legislation.

Compliance Department: the area responsible for the implementation, maintenance, monitoring and updating of this Policy and related procedures, as well as for guiding Employees, handling alerts/indicators and conducting and recording analyses and communications as required.

Standard Due Diligence (CDD): identification, verification and registration procedures for Clients (Know Your Client – KYC) or Suppliers (Know Your Partner – KYP), as applicable, consistent with the risk and nature of the relationship, designed to enable knowledge of the Client or Supplier and the maintenance of updated records, including, where applicable, the identification of representatives and ultimate beneficial owners and the understanding of the purpose of the relationship.

Enhanced Due Diligence (EDD): a set of additional measures beyond Standard Due Diligence for Clients and/or Suppliers, applied when the risk is elevated or when there are indicators justifying further investigation, which may include requests for additional information and documents, expanded verification of the origin of funds/assets, additional validations, higher-level approval and enhanced monitoring.

Suppliers: external third parties that provide goods or services to Firebit, including external service providers, business partners, consultancies, intermediaries, technology suppliers, agents and other contractors, regardless of the contractual model.

Suspicious Operations: operations, attempted or completed, that, due to their characteristics, amounts, frequency, method of execution, complexity, parties involved, incompatibility with the client's profile or lack of apparent economic justification, may indicate signs of money laundering, terrorism financing or other illicit activities, and must be subject to attention, analysis and, where applicable, reporting to COAF, in accordance with current legislation.

Politically Exposed Person (PEP): a person who holds or has held, pursuant to applicable legislation and regulations, relevant public positions, jobs or functions, in Brazil or abroad, as well as their representatives, family members and close associates, when so defined by applicable regulations, for the purposes of applying due diligence and treatment consistent with the risk.

AML/CTF: the set of policies, procedures, internal controls and practices adopted by Firebit to identify, monitor, analyze, record and report situations that may indicate money laundering, terrorism financing or financing of the proliferation of weapons of mass destruction, in accordance with current and applicable legislation.

Virtual Asset Regulation: the set of laws and regulations in force and effectively applicable to Firebit's activities involving virtual assets, including rules related to the prevention of money laundering and terrorism financing.

Suspicious Operation Report (SOR): a communication prepared by Firebit to COAF containing the record and description of elements, analyses and information pertaining to an operation or proposed operation considered suspicious, pursuant to current legislation, observing confidentiality and internal procedures.

User or Client: a natural person (individual) or legal entity (company) that uses, contracts, accesses or requests products, services, functionalities or operations offered by Firebit, including registered users, active clients, occasional clients and prospective clients in the registration/onboarding phase, as applicable.

Responsibilities

Firebit's Board of Directors shall be responsible for:

  • Approving this Policy and its relevant updates.
  • Ensuring institutional support for compliance with Law No. 9,613/1998 and this Policy.
  • Deciding, when escalated, on structural risk-related measures (e.g., refusal or termination of relationships in sensitive cases).

Firebit's CFO shall be responsible for:

  • Overseeing the governance of the AML Program, ensuring the implementation and operation of internal controls consistent with the size and nature of Firebit's operations.
  • Ensuring minimum resources (people, processes and means) for the execution of routines provided for in this Policy.
  • Approving, where applicable, the decision to report to COAF (including SORs) and ensuring compliance with legal deadlines.
  • Designating a substitute for periods of absence and ensuring the continuity of AML routines.

The Compliance Department shall be responsible for:

  • Implementing, maintaining and updating this Policy and related procedures.
  • Conducting and/or supervising the identification and registration update of Users/Clients and, where applicable, of representatives and beneficial owners.
  • Performing required checks and verifications (including, where applicable, PEP checks), recording results and addressing inconsistencies.
  • Receiving internal reports of indicators and conducting analyses, with recording of rationale, evidence and conclusions.
  • Preparing communications to COAF (including Suspicious Operation Reports – SORs and required communications), maintaining supporting documentation and observing applicable confidentiality.
  • Handling and coordinating responses to COAF requests, with control of deadlines, evidence and audit trail.
  • Providing training and guidance to Employees, maintaining attendance records.

The Legal Department shall be responsible for:

  • Providing technical-legal support in the interpretation and application of Law No. 9,613/1998 and other regulations applicable to Firebit.
  • Reviewing and supporting the drafting and updating of relevant instruments (policies, procedures, terms and contracts), when requested.
  • Supporting Firebit in responding to authorities and preserving confidentiality, including with respect to the prohibition of improper disclosure to third parties regarding analyses and communications to COAF.

The Technology Department shall be responsible for:

  • Ensuring that Firebit's systems support the collection, integrity, traceability and availability of information necessary for compliance with this Policy.
  • Ensuring access controls, log recording and audit trails for registrations, relevant changes, operations and applicable queries.
  • Implementing and maintaining technical mechanisms for the retention and preservation of records for the applicable legal period, as well as for responding to data requests when demanded by Compliance and/or Legal.
  • Providing technical support for internal investigations and analyses, when necessary, preserving digital evidence.

The HR Department shall be responsible for:

  • Ensuring that Employees receive notice of this Policy and complete mandatory training applicable to their roles.
  • Maintaining records of Employee acknowledgment and training.
  • Supporting the application of internal disciplinary measures in case of non-compliance with this Policy, in conjunction with Firebit's Board of Directors and the Compliance Department.

All Employees shall be responsible for:

  • Complying with this Policy and related procedures, observing applicable confidentiality and secrecy requirements.
  • Immediately reporting to the Compliance Department any indicators, registration inconsistencies, atypical behaviors or situations that may constitute Suspicious Operations.
  • Cooperating with requests from the Compliance and Legal Departments for analysis, investigation, recording and responding to authority requests.
  • Not disclosing to third parties, including to the User/Client, the existence of internal analysis, reports to COAF or any related measures.

AML/CTF Process Guidelines

Client Registration

All User registrations at Firebit must undergo an identification and verification process (KYC), with the objective of ensuring the legitimacy of the business relationship and preventing the use of the Platform for illicit purposes.

The KYC procedure shall include the collection, analysis and validation of the following information and documents:

  • Full name;
  • CPF number (Brazilian tax ID);
  • Date of birth;
  • Official photo identification document (ID card, driver's license, passport or valid equivalent);
  • Full residential address, accompanied by an updated proof of address;
  • Nationality and marital status;
  • Phone number and contact email address;
  • Proof of bank account ownership;
  • Liveness check and/or biometric authentication, when applicable;
  • Politically Exposed Person (PEP) declaration, when applicable;
  • AML/CTF risk assessment and classification, according to Firebit's internal parameters, with the possibility of applying Enhanced Due Diligence for high-risk clients.

Firebit may, at its discretion, request additional information or documents whenever it deems necessary to confirm the User's identity, clarify any inconsistencies or meet legal and regulatory requirements.

Standard Due Diligence

Firebit shall conduct a Standard Due Diligence process with the objective of assessing the risks associated with each User, ensuring compliance with AML/CTF standards and mitigating potential misuse of the Platform.

The risk analysis shall consider, among other aspects:

  • Profile and nature of activities declared by the User (e.g., profession, occupation or primary source of income);
  • Geographic location of the User, including possible residence in countries or regions classified as high-risk by FATF, COAF or other competent authorities;
  • Reputational history, including checks against public and private databases, national and international sanctions lists, presence on Politically Exposed Persons (PEP) lists and any references in negative media;
  • Compatibility between declared income and transactional behavior, including deposits, withdrawals and financial movements made through the Platform;
  • Previous relationship with Firebit, if any, and any history of alerts, blocks or incidents on their account.

Whenever necessary, Firebit may adopt Enhanced Due Diligence measures, requiring additional information or documents, including proof of origin of funds, in order to mitigate elevated risks identified in the assessment process.

All procedures performed for client registration, Standard Due Diligence and Enhanced Due Diligence shall be conducted in compliance with the guidelines, procedures and criteria contained in applicable internal documentation.

Supplier Identification and Verification (KYP – Know Your Partner)

All registrations of partners and third parties that maintain a business relationship with Firebit must undergo an identification, verification and validation process (KYP), with the objective of ensuring the legitimacy of the contractual relationship and preventing risks of improper use of the relationship for illicit purposes.

The KYP procedure shall cover the collection, analysis and validation of supporting information and documents related to:

  • Company name and CNPJ registration number (when applicable);
  • Head office address and any branch offices;
  • Corporate structure, including the identification of ultimate beneficial owners (UBOs);
  • Incorporation documents and proof of legal existence (articles of association/bylaws and latest amendments);
  • Proof of tax, labor and regulatory compliance;
  • Relevant internal policies and compliance practices (Code of Conduct, Anti-Corruption and AML/CTF Policies, when available);
  • Reputational history, including checks against national and international sanctions lists, as well as any negative occurrences in public sources;
  • Nature of activities performed and their compatibility with the intended contractual relationship with Firebit.

Whenever necessary, Firebit may also adopt Enhanced Due Diligence measures with respect to partners and third parties, requiring additional information or supplementary documentation, according to the level of risk identified in the assessment process.

User Acceptance Policy

Firebit adopts objective and rigorous criteria for the acceptance of Users, in order to ensure the mitigation of risks related to money laundering, terrorism financing and proliferation of weapons of mass destruction (AML/CTF).

In particular, Firebit may:

  • Restrict or refuse the opening of accounts and the maintenance of relationships with Users classified as high-risk, according to internal assessment parameters, including reputational history, financial risk profile and behavioral patterns incompatible with declared income;
  • Not accept Users located in jurisdictions that appear on high-risk or non-cooperative lists published by FATF, COAF or other competent authorities, or in countries subject to international sanctions;
  • Impose additional transaction limits or require enhanced verification measures (Enhanced Due Diligence – EDD) before authorizing the continuation of relationships with Users that present intermediate risk;
  • Reserve the right to unilaterally terminate relationships with Users whose risk classification is elevated or who, in the course of operations, reveal practices, indicators or conduct incompatible with this Policy and current legislation.

This policy aims to ensure that Firebit maintains a business environment of integrity, security and regulatory compliance, preserving the trust of Users, partners, authorities and the market.

Suspicious Operation Report (SOR)

Monitoring

Firebit shall maintain mechanisms consistent with its size and the nature of its operations to monitor and record transactions carried out by Users, with the objective of:

  • identifying operations that, due to their amounts, frequency, method of execution, complexity, parties involved or incompatibility with the User/Client's profile, require analysis from an AML/CTF perspective; and
  • fulfilling the legal duties of record maintenance provided for in Law No. 9,613/1998.

Transaction Records

Records shall be maintained in an integral and traceable manner, containing, where applicable, sufficient information to identify the parties involved, amounts, dates, means of execution and other relevant elements of the operation, and shall be kept for the minimum legal period of 5 (five) years, counted from the termination of the relationship with the User/Client or the conclusion of the transaction, as applicable.

Suspicious Operations

Whenever Firebit identifies suspicious, atypical or unusual activities carried out by Users, partners or third parties, it may prepare a Suspicious Operation Report (SOR) through the Integrity and Compliance Department, in compliance with applicable Brazilian legislation. The SOR shall be reported promptly to COAF (Financial Activities Control Council), observing the deadlines and procedures defined by current regulations.

Situations that may give rise to the preparation and submission of an SOR include, but are not limited to:

  • Transactions involving elevated or disproportionate amounts relative to the User's economic profile or declared occupation;
  • Operations without apparent economic cause or justification, or whose purpose is unclear or unrelated to the User's profile;
  • Structured or repetitive movements indicating an attempt to conceal the origin or destination of funds;
  • Transactions with natural or legal persons linked to illicit activities, or who appear on national or international sanctions lists;
  • Frequent transfers to high-risk jurisdictions, non-cooperative countries or those subject to international sanctions.

Confidentiality

Firebit is committed to maintaining absolute confidentiality regarding the preparation and submission of SORs, in compliance with applicable legislation, ensuring that Users are not notified of such communications.

Data Storage and Processing

Personal data and documents provided by Users, suppliers, employees, partners and service providers shall be stored in a secure operational environment, managed by Firebit, with access controlled and restricted to duly authorized employees and agents responsible for their processing and analysis.

The processing and retention of such data shall comply with Firebit's internal Data Protection and Information Security policies, as well as the provisions of the General Data Protection Law (Law No. 13,709/2018 – LGPD), other sectoral legislation and regulations applicable to Firebit's activities, as described in the Privacy Policy.

Employee Training

Firebit shall ensure that all its employees, especially those directly involved in registration, analysis, monitoring and financial operations processes, receive specific and ongoing training in Anti-Money Laundering, Counter-Terrorism Financing and Proliferation of Weapons of Mass Destruction (AML/CTF).

The training program shall aim to:

  • Raise employee awareness of their legal and internal responsibilities related to AML/CTF;
  • Train employees to identify indicators of suspicious or atypical activities;
  • Provide guidance on internal reporting procedures to the Integrity Department and obligations for reporting to COAF;
  • Provide updates on market best practices, new regulatory standards and relevant cases that may serve as practical examples.

The minimum guidelines to be observed are:

  • Mandatory initial training for all newly hired employees who perform functions sensitive to AML/CTF risk;
  • Periodic refresher sessions every 12 (twelve) months, covering applicable regulatory, technological and jurisprudential updates;
  • Specific training plans, defined based on the risk profile of the functions performed by employees, in order to calibrate the depth and frequency of training;
  • Formal records of training participation, for purposes of control, audit and proof of regulatory compliance.

Penalties for Non-Compliance

Firebit shall treat with the utmost seriousness any violation of the provisions set forth in this AML/CTF Policy. Non-compliance with its rules and guidelines may compromise the integrity of the Platform, expose the institution to legal and regulatory risks and affect the trust of clients, partners and authorities.

Penalties applicable to any employee or third party that fails to comply with this Policy shall be graduated according to the severity of the infraction, the recurrence of the conduct and the potential impact on Firebit, and may include, but are not limited to:

  • Formal warnings, recorded in internal files;
  • Mandatory corrective training, aimed at raising awareness and preventing further occurrences;
  • Proportional disciplinary actions, which may range from temporary suspension to dismissal, without prejudice to the adoption of applicable legal measures.

In the case of suppliers, partners or service providers, Firebit may apply contractual sanctions, including immediate termination of the relationship, as well as reporting to competent authorities, when necessary.

Non-compliance that constitutes a legal or regulatory infraction shall be immediately reported to competent authorities, pursuant to applicable legislation, without prejudice to applicable internal sanctions.

Final Provisions

This Anti-Money Laundering, Counter-Terrorism Financing and Proliferation of Weapons of Mass Destruction Policy (AML/CTF) shall enter into force on the date of its approval by Firebit's Board of Directors and shall remain valid for an indefinite period, until expressly revoked or replaced. Firebit commits to:

  • Periodically reviewing and updating this Policy, in order to ensure its compliance with legislative and regulatory changes and with market best practices;
  • Promptly communicating to employees, partners and third parties any updates that may impact their responsibilities and obligations;
  • Integrating this Policy with Firebit's other internal standards, in particular the Privacy, Information Security, Anti-Corruption and Compliance Policies, which shall be interpreted harmoniously and in a complementary manner.

Omitted cases or exceptional situations not covered by this Policy shall be evaluated by the Integrity and Compliance Department, and may be submitted to the Board of Directors when necessary.

Contact

For any questions about this policy, please contact the Compliance Department.