AML & CFT Policy - First Crypto

STATEMENT ON COMPLIANCE WITH AML/CFT/CPF REGULATIONS AND ON ZERO-TOLERANCE TO BRIBERY AND CORRUPTION

First Crypto ("the Company") maintains a robust and comprehensive compliance framework on Anti-Money Laundering (AML), Counter-Terrorism Financing (CFT), and Counter-Proliferation Financing (CPF) regulations, in accordance with national laws, international standards, and industry best practices on safeguarding virtual assets ecosystem against illicit activities and financial crime.

1. Compliance with the UAE Legislation and International Regulatory Frameworks

As a licensed Virtual Asset Service Provider (VASP) regulated by the Virtual Assets Regulatory Authority of the Emirate of Dubai (VARA), First Crypto acts in strict compliance with all local and international AML/CFT/CPF regulations, including compliance with the Financial Action Task Force (FATF) Recommendations and all applicable local and federal legislation of the UAE, including:

• Federal Decree-Law No. (10) of 2025 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations
• Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of the AML Law
• Guidance and directives from the UAE Executive Office for Control and Non-Proliferation (EOCN)
• VARA Compliance and Risk Management Rulebook of 2025
• FATF Travel Rules as implemented by the CB UAE and VARA for Virtual Assets and VASPs
• Applicable United Nations Security Council Resolutions
• Sanctions screening obligations in line with UAE's Targeted Financial Sanctions regime and international sanctions lists (UN, EU, OFAC)

The Company's AML/CFT Policy undergoes periodic review and attestation by an accredited independent third party and is submitted to VARA in accordance with regulatory requirements. All updates are implemented promptly and systematically across operations.

2. Sanctions, Proliferation Financing and FATF Travel Rule Compliance

The Company maintains a proactive compliance stance toward international sanctions regimes and CPF obligations. This includes:

• Ongoing screening against UN, EU, OFAC, and UAE local terrorist lists
• Client Risk Assessments and Business Risk Assessments before establishing business relationship and no less frequently than every three months thereafter or following material changes in business operations or client profiles
• Freezing of assets and reporting obligations when dealing with sanctioned individuals or entities
• Full compliance on the FATF Travel Rule in the UAE, ensuring the collection, retention, and sharing of originator and beneficiary information for transfer of Virtual Assets with an equivalent value exceeding AED 3,500
• Assessment and mitigation of proliferation financing risks through enhanced screening, due diligence, and escalation protocols designed in line with international industry best practices
• Continuous reporting to regulatory authorities including VARA and the UAE FIU as applicable

3. Anti-Bribery and Anti-Corruption Protocols

First Crypto upholds a zero-tolerance approach towards bribery and corruption. The Company:

• Prohibits offering, giving, soliciting, or accepting any bribes or illicit advantages, whether directly or indirectly
• Incorporates Anti-Bribery and Corruption (ABC) training into its mandatory compliance programs
• Ensures all employees, directors, and third-party representatives understand their responsibilities under applicable anti-corruption laws
• Investigates all allegations of misconduct and takes appropriate disciplinary and legal action where violations are found
• Promotes a culture of ethical conduct, transparency, and accountability in all business dealings and business relationships

4. AML/CFT/CPF Risk-Based Framework of Internal Controls, Governance and Accountability

First Crypto adopts a robust risk-based approach to proactively identify, assess and mitigate AML/CFT/CPF threats and other risks associated with financial crime. This risk-based framework includes:

• Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures commensurate with client risk levels
• Risk-based framework on screening and continuous monitoring of virtual asset transactions
• Appointment of a qualified Money Laundering Reporting Officer (MLRO) with appropriate authority and experience
• The Three Lines of Defence framework for AML/CFT risk management, which includes compliance oversight, operational responsibility and independent auditing
• Implementation of transaction monitoring systems, including blockchain surveillance providers such as Sumsub Verification Monitoring, to proactively detect and escalate suspicious transactions
• Timely and accurate submission of Suspicious Transaction Reports (STRs) via the goAML platform in line with UAE FIU regulations
• Safekeeping of detailed records of all AML/CFT/CPF activities, decisions, and risk assessments for a minimum of 8 years, in line with the UAE regulations

The Company provides ongoing AML/CFT/CPF/ABC training for all staff, management, and directors, initially within 30 days of appointment and then annually, and also ensures that the training is updated regularly to reflect new typologies of risks, regulatory changes and lessons learned from internal and external reviews.

5. Statement of Compliance

First Crypto operates in accordance with the comprehensive and up-to-date AML/CFT/CPF compliance program aligned with UAE Government, Central Bank of the UAE, and Virtual Assets Regulatory Authority of Dubai requirements. The organization remains committed to detecting and preventing illicit activities while maintaining ethical operations.

First Crypto. Dubai, United Arab Emirates. August 2025