Anti-Money Laundering, Counter-Terrorist Financing, and Know Your Client (AML/CTF & KYC) Policy
CAMBIUMWAY SP. Z.O.O.
1. INTRODUCTION
1.1 Purpose
This Anti-Money Laundering, Counter-Terrorist Financing, and Know Your Client (AML/CTF & KYC) Policy outlines the principles, procedures, and obligations adopted by Cambiumway sp. z.o.o. ("the Company") to prevent the use of its services for money laundering, terrorist financing, fraud, or other financial crimes.
The Company is committed to operating in full compliance with all applicable laws and regulations, including but not limited to Polish AML legislation, European Union Directives, and international standards set by the Financial Action Task Force (FATF).
1.2 Regulatory Scope
Cambiumway sp. z.o.o. is registered in the Republic of Poland and operates as a virtual asset service provider (VASP). The Company is subject to:
- The Polish Act on Anti-Money Laundering and Counter-Terrorist Financing (Ustawa z dnia 1 marca 2018 r. o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu);
- Directive (EU) 2015/849 of the European Parliament and of the Council (4th Anti-Money Laundering Directive, "4AMLD"), as amended by Directive (EU) 2018/843 (5th Anti-Money Laundering Directive, "5AMLD");
- Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets ("Travel Rule");
- Recommendations of the Financial Action Task Force (FATF), including the FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers;
- Regulation (EU) 2023/1114 on Markets in Crypto-Assets ("MiCA"), to the extent applicable;
- Other applicable national and EU-level regulations related to financial crime prevention.
1.3 AML/CTF Principles
The Company adheres to the following core principles:
- Zero tolerance for money laundering and terrorist financing activities;
- Comprehensive client identification and verification (KYC) before establishing a business relationship;
- Ongoing monitoring of transactions and client activity;
- Risk-based approach to customer due diligence;
- Timely reporting of suspicious transactions to the relevant authorities;
- Continuous staff training and awareness programs;
- Regular internal and external audits of AML/CTF compliance procedures.
2. CLIENT IDENTIFICATION & KYC PROCEDURES
2.1 KYC Policy
The Company shall verify the identity of every client before establishing a business relationship or executing any transaction. The KYC process aims to:
- Confirm the true identity of each client;
- Understand the nature and purpose of the business relationship;
- Assess the risk profile of the client;
- Ensure that the client is not listed on any sanctions lists or associated with prohibited jurisdictions.
No transaction shall be processed until the client has been fully identified and verified in accordance with this policy. The Company reserves the right to refuse service to any individual or entity that fails to provide adequate identification.
2.2 Required Documentation
For individual clients, the following documents are required:
- A valid government-issued photo identification document (passport, national ID card, or driving license);
- Proof of residential address (utility bill, bank statement, or government correspondence, dated within the last three months);
- A selfie or live photo for biometric verification;
- Source of funds documentation (bank statements, employment contracts, tax returns, or other relevant documents).
For corporate clients, the following additional documents are required:
- Certificate of incorporation or registration;
- Memorandum and Articles of Association;
- Register of directors and shareholders (including beneficial owners holding 25% or more);
- Proof of registered address;
- Board resolution or power of attorney authorizing the representative to act on behalf of the company;
- Identification documents of all directors, beneficial owners, and authorized representatives.
2.3 Enhanced Due Diligence (EDD)
Enhanced due diligence measures shall be applied in the following circumstances:
- The client is a Politically Exposed Person (PEP) or a close associate or family member of a PEP;
- The client is from a high-risk jurisdiction identified by the FATF, EU, or the Company's internal risk assessment;
- The transaction involves unusually large amounts or complex structures with no apparent economic purpose;
- There are grounds for suspicion of money laundering or terrorist financing;
- The client's source of funds or wealth cannot be easily verified;
- Any other factor that increases the risk of money laundering or terrorist financing.
EDD measures may include, but are not limited to: obtaining additional identification documents, requesting independent verification of source of funds, conducting enhanced monitoring of the business relationship, and obtaining senior management approval before establishing or continuing the relationship.
3. TRANSACTION MONITORING & REPORTING
3.1 Monitoring Process
The Company implements ongoing transaction monitoring to detect and prevent suspicious activities. The monitoring process includes:
- Automated screening of all transactions against predefined risk parameters and thresholds;
- Blockchain analytics tools to trace the origin and destination of virtual assets;
- Real-time screening against international sanctions lists, PEP databases, and adverse media;
- Periodic review of client profiles and transaction patterns to identify anomalies;
- Manual review of flagged transactions by the compliance team.
The Company uses a combination of automated systems and manual oversight to ensure comprehensive monitoring coverage. All alerts generated by the monitoring system are reviewed and resolved by qualified compliance personnel.
3.2 Suspicious Activity Reporting (SAR/STR)
Where the Company identifies or suspects that a transaction or activity may be related to money laundering, terrorist financing, or other financial crime, it shall:
- Immediately escalate the matter to the designated Compliance Officer;
- File a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) with the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF) in Poland;
- Refrain from informing the client that a report has been filed (tipping-off prohibition);
- Freeze the relevant funds or suspend the transaction pending investigation, where legally required or deemed necessary;
- Cooperate fully with law enforcement and regulatory authorities.
3.3 Prohibited Transactions
The Company shall not process any transaction that:
- Involves parties listed on international sanctions lists (UN, EU, OFAC, or other relevant lists);
- Originates from or is destined for jurisdictions subject to comprehensive sanctions or embargoes;
- Is associated with illegal activities, including but not limited to drug trafficking, human trafficking, arms dealing, fraud, tax evasion, or terrorism;
- Involves virtual assets that have been identified as proceeds of crime or associated with darknet marketplaces, ransomware, or other illicit activities;
- Involves anonymity-enhanced cryptocurrencies (privacy coins) or mixing/tumbling services, unless otherwise permitted by applicable law and subject to enhanced due diligence.
4. RISK MANAGEMENT & GOVERNANCE
4.1 Risk-Based Approach
The Company applies a risk-based approach (RBA) to AML/CTF compliance, allocating resources proportionally to the level of risk identified. The risk assessment considers:
- Client risk: The nature and profile of the client, including their country of residence, occupation, source of funds, and PEP status;
- Product/service risk: The type of virtual assets and services offered, including their susceptibility to misuse;
- Geographic risk: The jurisdictions involved in the transaction, including countries with weak AML/CTF frameworks;
- Transaction risk: The size, frequency, and pattern of transactions;
- Delivery channel risk: The manner in which services are provided (e.g., remote onboarding, face-to-face interaction).
Clients are classified into low, medium, and high-risk categories based on the outcome of the risk assessment. The level of due diligence and monitoring applied is commensurate with the assessed risk level.
4.2 Compliance Officer Role
The Company has appointed a designated Compliance Officer who is responsible for:
- Overseeing the implementation and effectiveness of the AML/CTF compliance program;
- Ensuring that the Company's policies and procedures are up to date and compliant with applicable laws;
- Receiving and investigating internal reports of suspicious activities;
- Filing SARs/STRs with the relevant authorities;
- Conducting or coordinating staff training on AML/CTF matters;
- Liaising with regulatory and law enforcement authorities;
- Reporting to the management board on AML/CTF compliance matters.
5. DATA RETENTION & PRIVACY PROTECTION
5.1 Record Keeping
The Company shall retain all records related to client identification, due diligence, and transactions for a minimum period of five (5) years from the date of the end of the business relationship or the date of the transaction, whichever is later, in accordance with applicable legal requirements.
5.2 Data Protection
All personal data collected for AML/CTF purposes shall be processed in accordance with the General Data Protection Regulation (GDPR) and applicable Polish data protection laws. Personal data shall be:
- Collected only for specified, explicit, and legitimate purposes;
- Adequate, relevant, and limited to what is necessary;
- Accurate and kept up to date;
- Stored securely with appropriate technical and organizational measures;
- Retained only for as long as necessary to fulfill legal obligations.
5.3 Confidentiality
All information obtained during the KYC and AML/CTF process shall be treated as strictly confidential. Access to such information shall be limited to authorized personnel on a need-to-know basis. The Company shall not disclose client information to third parties except as required by law or in response to valid requests from competent authorities.
5.4 Data Subject Rights
Clients have the right to access, rectify, or request deletion of their personal data, subject to the Company's legal obligations to retain certain records for AML/CTF purposes. Requests should be directed to the Compliance Officer at compliance@cambiumway.com.
6. SANCTIONS, RESTRICTED COUNTRIES & PROHIBITED ACTIVITIES
6.1 Sanctions Compliance
The Company screens all clients and transactions against applicable sanctions lists, including but not limited to:
- United Nations Security Council (UNSC) Consolidated List;
- European Union Consolidated List of Sanctions;
- Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List (SDN List);
- Her Majesty's Treasury (HMT) Financial Sanctions Targets;
- Polish national sanctions lists.
The Company shall not establish or maintain any business relationship with individuals, entities, or countries subject to comprehensive sanctions or embargoes.
6.2 Restricted Countries
The Company does not provide services to clients residing in or operating from the following jurisdictions (non-exhaustive list, subject to periodic review):
- Countries subject to comprehensive UN or EU sanctions (e.g., North Korea, Iran, Syria);
- Countries identified by FATF as high-risk or non-cooperative jurisdictions;
- Countries designated by the EU as having strategic deficiencies in their AML/CTF regime;
- Any other country that the Company determines presents an unacceptable level of risk.
6.3 Prohibited Activities
The Company strictly prohibits the use of its services for:
- Money laundering or the concealment of proceeds of crime;
- Terrorist financing or support for terrorist organizations;
- Tax evasion or avoidance through illegal means;
- Sanctions evasion;
- Fraud, identity theft, or other forms of financial crime;
- Purchasing or dealing in illegal goods or services;
- Any other activity that is illegal under applicable law.
7. COMPLIANCE GOVERNANCE & AUDIT FRAMEWORK
7.1 Internal Controls
The Company maintains a robust system of internal controls designed to prevent and detect money laundering and terrorist financing. These controls include:
- Documented policies and procedures for all AML/CTF-related processes;
- Segregation of duties between operational and compliance functions;
- Automated transaction monitoring and screening systems;
- Regular review and updating of risk assessments;
- Whistleblower protection mechanisms for internal reporting.
7.2 Internal Audit
The Company shall conduct regular internal audits of its AML/CTF compliance program to assess its effectiveness and identify areas for improvement. Internal audits shall be conducted at least annually, or more frequently if warranted by changes in the regulatory environment or the Company's risk profile.
7.3 External Audit
The Company may engage external auditors or consultants to conduct independent reviews of its AML/CTF compliance program. The findings and recommendations of external audits shall be reviewed by the management board and implemented as appropriate.
8. REPORTING, TRAINING & POLICY UPDATES
8.1 Reporting Obligations
The Company shall comply with all reporting obligations under applicable law, including:
- Filing Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) with the General Inspector of Financial Information (GIIF);
- Reporting threshold transactions as required by law;
- Responding to information requests from regulatory and law enforcement authorities;
- Maintaining records of all reports filed and regulatory communications.
8.2 Staff Training
All employees of the Company shall receive regular training on AML/CTF compliance, including:
- Overview of money laundering and terrorist financing risks;
- The Company's AML/CTF policies and procedures;
- Identification of suspicious activities and red flags;
- Internal reporting procedures;
- Legal obligations and penalties for non-compliance;
- Updates on regulatory changes and emerging risks.
Training shall be provided upon onboarding and at least annually thereafter. Additional training shall be provided when significant changes occur in the regulatory environment or the Company's operations.
8.3 Policy Updates
This policy shall be reviewed and updated at least annually, or more frequently as required by changes in applicable laws, regulations, or the Company's risk profile. All updates shall be approved by the management board and communicated to all relevant personnel.
9. FINAL PROVISIONS
9.1 Governing Law
This policy is governed by the laws of the Republic of Poland and applicable European Union regulations.
9.2 Severability
If any provision of this policy is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
9.3 Contact Information
For questions or concerns regarding this policy, please contact:
Compliance Officer
Cambiumway sp. z.o.o.
Hoza 86/210, 00-682 Warsaw, Poland
Email: compliance@cambiumway.com