1. Objective
The objective of this Policy is to prevent PangeaPay from being used, intentionally or unintentionally, by malicious agents for money laundering or terrorist financing activities. The Policy requires reasonable efforts to verify the real identity and final beneficiary of accounts, the origin of resources, the nature of the client's business and the coherence between operations and the declared profile, which allows us to manage risks prudently.
We seek to protect our customers from fraud and scams in the cryptoasset ecosystem. PangeaPay adopts a firm stance in implementing the most recent FATF recommendations, the guidelines of Law 14,478/22 (legal framework for cryptocurrencies in Brazil) and the applicable resolutions of BACEN, CVM and COAF.
Our KYC/AML Policy, procedures and internal controls have been designed to comply with all applicable regulations and are periodically reviewed and updated to reflect regulatory and operational changes.
2. Glossary
- AML: Anti-Money Laundering.
- KYC: Know Your Customer.
- CIP: Customer Identification Program.
- PEP: Politically Exposed Person.
- STR: Suspicious Transaction Reporting.
- SAR: Suspicious Activity Reporting.
- COAF: Financial Activities Control Council.
- GAFI: Financial Action Group against Money Laundering and Terrorist Financing.
3. Customer Identification Procedure (CIP)
The CIP is applied to operations flagged by our risk system as suspicious, as well as to all long-term commercial relationships. We collect identifying information from customers, use risk-based methods to verify it, record the results, and inform customers in advance that this information may be requested.
a. Identification. When a transaction is flagged by the risk system, it is placed under review and we may request from the client, as applicable: full name; date of birth (individual); residential and commercial address (individual) or main headquarters and operational addresses (legal entity); valid identification document issued by a government authority, with photo (CNH, ID or passport); for a legal entity, social contract or statute, active CNPJ and identification of legal representatives.
The customer has the obligation to keep the data updated.
b. Incorrect or outdated information. If we identify that any information provided is incorrect, false, outdated or incomplete, we may send a notification requesting correction and, if applicable, suspend or partially or completely terminate services to the customer.
c. Verification of information. We carry out verification proportional to the risk of the operation, using risk-based procedures to confirm the veracity of the information. We may hire specialized third-party providers, under a confidentiality agreement and in compliance with the Privacy Policy, to assist with document analysis, facial biometrics and checking restrictive lists (OFAC, UN, EU).
We verify the information within a reasonable time depending on the risk of the operation. We may refuse or pause the operation until the verification is complete. If we identify signs of money laundering, terrorist financing or other suspicious activity, we inform COAF in accordance with applicable legislation, after internal analysis by the Compliance Officer.
d. Lack of verification. When we are unable to form a reasonable belief about the customer's identity, we may: request additional information; not authorize the relationship; block the account after failed verification attempts; and assess the need for communication to COAF.
e. Notice to customers. Customers are advised that their operations may be subject to KYC/AML checks. This information is contained in the Terms of Use, and each customer must be aware of these Terms before starting operations.
f. Enhanced due diligence. We apply enhanced due diligence on clients or accounts classified as high risk. We refuse or terminate relationships when we are unable to complete due diligence or when the information obtained has a significant reputational impact. Non-exhaustive indicators of high risk: customers requesting the exchange of cryptoassets with enhanced privacy (no traceability); client under ongoing investigation; activity originating in risky jurisdictions; transfers above thresholds defined by FATF guidelines; Politically Exposed Persons (PEPs).
Enhanced due diligence includes close account monitoring for risk reclassification and document updates, as well as verification of the origin of funds. Accepted evidence includes exchange statements with transaction history, proof of sale of crypto assets and proof of mining.
4. Record keeping
We document the entire verification process, including information provided by customers, verification methods and results, and the resolution of any inconsistencies.
Personal data collected during the KYC procedure is encrypted and stored in accordance with the LGPD (Law No. 13,709/2018). We use server infrastructure with recognized security certifications (Tier III, ISO 27001 and PCI DSS when applicable), with access restricted by the principle of least privilege and recorded in an audit log.
We maintain identification records for at least 5 (five) years after the end of the commercial relationship, as required by Law 9,613/98 and other applicable regulations.
Records may be made available to competent authorities upon request on a legal basis.
5. Compliance Officer
The Compliance Officer is the person formally designated by PangeaPay to implement the KYC/AML Policy described in this document and to monitor its application and compliance with it. The Compliance Officer is responsible for supervising all aspects of the money laundering and terrorist financing prevention program. Suspicious behavior or activities must be reported to the Compliance Officer.
Communication with the Compliance Officer, with regard to this Policy, is made by email at compliance@pangeapay.org.
6. Transaction Monitoring
Continuous monitoring is an essential element of an effective KYC program. We maintain an understanding of each client's normal and reasonable activity, ensuring the ability to identify operations outside the usual pattern. The intensity of monitoring varies depending on the risk of the account — high-risk accounts are subject to intensified monitoring. Operations of significant value can be flagged by the risk system as low, medium or high risk.
We have implemented an automated Know-Your-Transaction solution for real-time analysis of cryptoasset transactions. This approach allows the compliance team to accelerate the detection of operations with signs of illicit origin.
7. Risk management
We have implemented procedures to ensure the effective application of KYC guidelines, including executive supervision, systems and controls, segregation of duties, periodic training and other related measures. Periodically, the compliance team performs quality controls and internal process audits to ensure adherence to policies and procedures. The compliance team reports to PangeaPay leadership on issues arising in the acquisition process and customer relationships.
8. Cooperation with competent authorities
We maintain the information required about the originator and beneficiary in cryptoasset transfers and make it available to the competent authorities upon official request, in accordance with the travel rule and other applicable regulatory obligations.
We cooperate with bodies such as the Central Bank of Brazil, CVM, COAF, Federal Revenue, Federal Police and Public Ministry when requested under the terms of the law.