AML/KYC POLICY
Effective Date: 22 January 2026
I. GENERAL PROVISIONS
This Anti-Money Laundering and Know Your Customer Policy (hereinafter – “the Policy”) establishes the procedures of PELOTON SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (hereinafter – “the Company”) as an obliged entity, for implementation and daily compliance with legal requirements on prevention of money laundering and terrorist financing (hereinafter – “ML/TF”).
The Policy is prepared according to the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing (Ustawa o przeciwdziałaniu praniu pieniędzy oraz finansowaniu terroryzmu) (hereinafter – “the AML Act”), relevant secondary legislation adopted thereunder, applicable European Union (hereinafter – “EU”) AML and CFT legislation, as well as internationally recognised standards and recommendations issued by the Financial Action Task Force (hereinafter – “FATF”).
The main activity of the Company is the provision of virtual currency exchange and virtual currency deposit wallet services (hereinafter – “the Services”) in the Republic of Poland. According to Article 2 Paragraph 10 Points 10 and 11 of the AML Act, the Company as a virtual asset service provider is obliged to provide services in accordance with the AML Act in order to prevent ML/TF.
The Company assesses the risks of ML/TF using a risk-based approach and evaluates the following types of risks:
- Risk related to the Client’s attributes;
- Risk associated with the channel for the supply of a product, service, transaction, or service delivery;
- Risk related to the area (country and/or geographical).
The Policy is prepared considering that the Company provides services electronically through the platform operated by the Company. At least annually or in the case of significant events, the Company will carry out a risk assessment, monitor the adequacy of the measures set out in the Policy for the implementation of ML/TF prevention, and where necessary, new or adequate preventive measures shall be amended or introduced.
This Policy must be followed by all employees of the Company.
II. RISK ASSESSMENT AND MANAGEMENT
The Company applies a risk-based approach when implementing measures to mitigate the risk of ML/TF.
The Company continually assesses and manages the ML/TF risks associated with the Company’s business relationships or incidental transactions. The Company’s risk assessment consists of:
- Enterprise-wide risk assessment, which covers all activities of the Company, helps identify areas in which the Company has to implement priority risk management measures commensurate with the risks and the business specificities of the Company;
- Client risk assessment, which includes identification, other KYC procedures and ongoing monitoring;
- Continuous monitoring of the level of risk arising from the ongoing monitoring of Client transactions, monetary operations and status to match the Company’s Client profile, ensuring that the information available to the Company is relevant.
Clients of the Company are divided into the following three risk groups:
- Low-risk: Clients who carry low risk of ML/TF;
- Medium-risk: Clients rated as being at moderate risk for ML/TF by one or more attributes;
- High-risk: Clients who have one or more attributes of increased risk of ML/TF.
Clients are assigned to one of the identified risk groups when establishing business relationships. Subsequently, the risk profile of the Client may be changed in light of the results of the monitoring of business relationships.
The establishment of a business relationship with high-risk Clients must be approved by the Money Laundering Reporting Officer (hereinafter – “MLRO”).
III. CLIENT TRANSACTIONS AND OPERATIONS MONITORING
After establishing a relationship with the Client, the Client’s business relationships, including transactions and operations, are monitored on an ongoing basis—ongoing Client due diligence (ODD) is applied.
The Company operates an automated transaction monitoring system as a core component of its AML/CFT control framework, designed to support the timely detection, analysis, and escalation of potentially unusual or suspicious transactions.
When monitoring the Client’s activities, transactions and operations, particular attention is paid to:
- Complex or unusually large transactions and any unusual transactional structures that have no apparent economic or visible legitimate purpose;
- Business relationships or operations with Clients from high-risk third countries;
- Any threat of ML/TF that may arise from the use of the services provided or transactions carried out in order to conceal the identity of the Client or the beneficial owner;
- Whether the Client or beneficial owner is included in the consolidated list of the United Nations of persons, groups and entities subject to EU financial sanctions;
- Whether the Client or beneficial owner has links with countries that are classified as higher risk countries.
The Company has ongoing control over its operations for possible violations of international sanctions through integrated third-party monitoring tools.
In case the Company has established a business relationship with a Client determined as high-risk, the Company applies enhanced ongoing due diligence (EDD).
IV. IMPLEMENTATION OF SANCTIONS
The Company applies a comprehensive and risk-based approach to the implementation of international restrictive measures and sanctions regimes.
The Company screens Clients and related parties against the following lists and sources:
- EU Sanctions according to the EU Sanctions Map;
- United Nations Security Council Consolidated List;
- OFAC Sanctions List (United States);
- UK Sanctions List;
- Polish national sanctions lists.
Company employees and Clients are prohibited:
- To carry out actions which are prohibited by international sanctions implemented in the Republic of Poland;
- To enter into transactions which would be contrary to international sanctions;
- To assume new obligations, the fulfillment whereof would be contrary to international sanctions.
V. CLIENT AND BENEFICIAL OWNER IDENTIFICATION
The Company shall take steps to identify and verify the identity of the Client, its representative and the beneficial owner in the following cases:
- Before starting a business relationship;
- Before performing occasional virtual currency operations equal to or exceeding EUR 500;
- When there are doubts about the accuracy or authenticity of previously obtained Client identities;
- In any other case where there is a suspicion that ML/TF activities are, have been, or will be carried out by the Client.
The Company applies three verification levels based on transaction thresholds. The Company may apply a higher level based on risk assessment.
Tier uplift: Where a Client’s activity reaches, or is reasonably expected to reach, a higher tier, the Company may temporarily suspend new activity and shall obtain and verify the required additional information prior to resuming such activity.
The Client and/or its representative shall perform identity verification remotely via tools provided by the Company.
VI. KYC AND CLIENT DUE DILIGENCE
Client due diligence (CDD) is a key responsibility of the Company in the implementation of the prevention of ML/TF and includes:
- Client identification and verification based on provided documents, data and information obtained from an independent and reliable source;
- Identification of the beneficial owner and taking reasonable steps to verify that the named person is in fact the final beneficial owner.
The data provided by the Client must be verified on the basis of documents, data or information obtained from a reliable and independent source.
The information must be verified by various means and sources available, including:
- Checking the consistency of the information received;
- Comparing the information provided by the Client with official documents and public registers;
- Using targeted web search and open-source intelligence;
- Using other reliable sources depending on the information to be verified.
Data Update Requirements
| Risk Level | Update Frequency |
|---|---|
| High-risk | At least annually |
| Medium-risk | At least every 2 years |
| Low-risk | At least every 3 years |
If the Client did not update their data when required according to their risk level during a period of 3 months, services provided by the Company to the Client may be limited.
VII. STORAGE OF INFORMATION
The Company shall maintain the following databases:
- Database for registration of Clients with whom business relationships have been terminated;
- Database of virtual currency operations amounting to or above EUR 15,000;
- Database of reports submitted to the General Inspector of Financial Information (GIIF) on suspicious operations and transactions.
Retention periods:
- Copies of the Client’s identity documents and beneficial owner’s identity data: 8 years from the date of termination of business relationships;
- Business correspondence with the Client: 5 years from the end of business relationship;
- Documents supporting operations or transactions: 8 years from the date of operation or transaction;
- Documents analyzing results of transaction investigations: 5 years.
Retention periods may be further extended by up to 2 years upon instruction of the competent authority.
VIII. TRAINING OF THE COMPANY’S EMPLOYEES
All employees of the Company shall be introduced to the Policy upon their appointment. The Company ensures that all newly recruited employees are made aware of this Policy in writing and receive training depending on the functions performed.
The Company must review and, where necessary, update its internal control procedures:
- Upon receipt of an order from the GIIF;
- Upon significant events or changes in the Company’s management and operations;
- Through periodic monitoring of the implementation and adequacy of internal control procedures.
IX. FINAL PROVISIONS
The implementation of measures for prevention of ML/TF is organized by the MLRO in liaison with the GIIF.
The CEO of the Company must ensure that the MLRO has access to all information necessary to perform their functions, including information relating to the identity of the Client, the beneficial owner, and business relationships.
This Policy is approved by the CEO and the MLRO of the Company. This Policy shall take effect from the date of its approval unless otherwise specified. The Policy may be withdrawn, amended and/or supplemented only by a decision of the CEO and the MLRO. All employees are familiarized with changes immediately.
CONTACT INFORMATION AND LEGAL DETAILS
VASP Services Provider:
PELOTON SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
Company Number (KRS): 0001132722
NIP: 5170443729
REGON: 527552404
Legal Address: ul. Jana III Sobieskiego 17, 35-002 Rzeszów, Poland
PELOTON SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ is a registered Virtual Asset Service Provider in Poland (VASP License: RDWW-1567), entered in the Register of Virtual Currency Activities maintained by the General Inspector of Financial Information.
The Company operates as an obligated institution under the Polish Act on Counteracting Money Laundering and Terrorist Financing and applies internal AML/CFT procedures, including customer due diligence, transaction monitoring and reporting obligations.
This document is for informational purposes and represents a summary of the Company’s AML/KYC framework. The full internal AML/CFT Policy, together with all operational procedures, is maintained separately and governs the Company’s day-to-day compliance activities.
Investing in cryptoassets involves significant risk. You should not invest more than you can afford to lose, and you should ensure that you fully understand the risks involved. We are not regulated by the Financial Conduct Authority and investments in cryptoassets are not covered by the Financial Ombudsman Service or subject to protection under the Financial Services Compensation Scheme.
Regulatory Status in Poland
Peloton sp. z o.o. is registered in Poland and operates as a virtual asset service provider (VASP) / crypto-asset service provider (CASP) in accordance with applicable Polish and EU law.
Registered office: JANA III SOBIESKIEGO, house no 17 RZESZÓW, post code 35-002, POLAND
KRS: 0001132722
REGON: 529920461
NIP: 8133922725
Entry in the Register of Virtual Currency Activities (RDWW) / CASP authorisation: RDWW-1567 / 24.10.2024
Peloton is an “obligated institution” under the Polish Act on Counteracting Money Laundering and Terrorist Financing and applies internal AML / CFT procedures, including customer due diligence, transaction monitoring and reporting obligations.
Peloton sp. z o.o. is not supervised by the Polish Financial Supervision Authority (KNF).
Our operations fall under:
- The Polish AML/CFT Act
- EU Regulation standards (including MiCA transition rules)
- Registration in the Polish Register of Virtual Currency Activities (RDWW)
We do not provide payment services or investment services in the meaning of Polish or EU financial regulations.
Compliance with Polish AML/CFT Regulations
We operate under a robust AML / CFT framework:
- Customer identification and verification (KYC) for natural and legal persons
- Ongoing monitoring of business relationships and transactions
- Screening against sanctions lists and PEP databases
- Suspicious activity reporting to competent authorities
Our policies are regularly reviewed and updated in line with Polish legislation and EU regulation (including MiCA and the Travel Rule, where applicable).
Certain transactions may be delayed, restricted, or declined due to legal or internal AML/CFT procedures.
High-risk crypto-asset warning
Transactions involving crypto-assets carry a high risk of financial loss, including the possible loss of the entire amount invested. The value of crypto-assets is highly volatile and may change rapidly over short periods of time. Past performance of a crypto-asset is not a reliable indicator of future results.
Before using our services or engaging in any transaction involving crypto-assets, users should:
- carefully review information about the specific crypto-asset, including its technology, purpose and risk profile;
- assess their own financial situation and ability to bear potential losses; and
- consider obtaining independent legal, tax or investment advice.
Peloton does not provide investment, tax or legal advice and does not guarantee any profit or capital protection.
Supervision disclaimer
Unless explicitly stated otherwise, Peloton is not a bank, payment institution or investment firm and does not provide payment services or investment services within the meaning of applicable EU and Polish financial regulations.
The provision of services in the field of virtual currencies may not be subject to prudential supervision in the same way as traditional financial institutions. Please consult our legal documentation for detailed information.