
AML / KYC / CFT Policy and Practice for Black Forest Digital Assets.

Last Updated: February 4, 2026

Black Forest Digital Assets ("we," "us," or "our"), a registered Virtual Asset Service Provider (VASP) supervised by the National Bank of Georgia (NBG), is fully committed to preventing money laundering (ML), terrorist financing (TF), proliferation financing, and other financial crimes. These guidelines outline our Anti-Money Laundering (AML), Know Your Customer (KYC), and Countering the Financing of Terrorism (CFT) program, in strict compliance with:

• The Law of Georgia on Facilitating the Prevention of Money Laundering and the Financing of Terrorism (as amended, the "AML/CFT Law").
• The Organic Law of Georgia on the National Bank of Georgia.
• NBG regulations, including the Rule for the Virtual Asset Service Provider’s (VASP’s) Registration at the National Bank of Georgia, Registration Cancellation, and Regulation (Order No. 94/04, as amended).
• Relevant NBG decrees and supervisory requirements for VASPs.
• International standards, particularly FATF Recommendations (including Recommendation 15 on new technologies and Recommendation 16 on the Travel Rule).

We adopt a risk-based approach to AML/CFT, ensuring that preventive measures are proportionate to identified risks.

  1. Risk Assessment and Management

We conduct and regularly update an enterprise-wide ML/TF risk assessment that considers:

• Customer types (individuals, legal entities, PEPs, high-risk jurisdictions).
• Nature of products/services (e.g., exchange, custody, transfers involving convertible virtual assets).
• Delivery channels (online, mobile, API).
• Geographic exposure.
• Transaction patterns and volumes.

Based on this assessment, we apply enhanced due diligence (EDD) to high-risk scenarios and simplified due diligence (SDD) only where low risk is clearly established and permitted by law.

  2. Customer Due Diligence (CDD) / Know Your Customer (KYC)

We apply CDD before establishing a business relationship or carrying out occasional transactions above applicable thresholds.

Basic Customer Due Diligence (CDD)

For all customers, we collect and verify:

• Full legal name.
• Date and place of birth (individuals) or registration details (legal entities).
• Nationality / jurisdiction of residence / incorporation.
• Government-issued identification document (passport, ID card, etc.).
• Proof of residential address (utility bill, bank statement, etc., not older than 3 months).
• For legal entities: beneficial ownership information (natural persons owning or controlling ≥25%), including identity verification of beneficial owners.
• Purpose and intended nature of the business relationship.
• Source of funds / source of wealth (where risk justifies).

We use trained and regularly tested staff for the majority of cases and independent sources for verification and may, depending on the nature of each individual transaction, engage third-party KYC/verification providers compliant with Georgian law.

Enhanced Due Diligence (EDD)

EDD is mandatory for high-risk customers, including:

• Politically Exposed Persons (PEPs), their family members, and close associates.
• Customers from high-risk jurisdictions (FATF grey/black lists or NBG-identified).
• Complex or unusually large transactions.
• Customers using privacy-enhancing technologies or anonymity features (where permitted).
• Transactions involving high-risk virtual assets or unhosted wallets.

EDD measures include:

• Additional identity/source of funds verification.
• Senior management approval for account opening/continuing relationship.
• Enhanced ongoing monitoring.
• Obtaining senior approval for high-risk relationships.

Simplified Due Diligence (SDD)

SDD may be applied only in low-risk cases explicitly permitted under the AML/CFT Law and NBG guidance.

  3. Ongoing Monitoring and Transaction Monitoring

We continuously monitor business relationships and transactions to detect suspicious activity, including:

• Unusual patterns inconsistent with customer profile.
• Large or frequent transfers without apparent economic purpose.
• Use of structuring/smurfing techniques.
• Transactions linked to high-risk jurisdictions, sanctioned entities, or red-flag indicators.

We employ automated transaction monitoring systems supplemented by manual review.

  4. Travel Rule Compliance (Information Accompanying Virtual Asset Transfers)

For convertible virtual asset transfers above the threshold (typically GEL equivalent of USD 1,000 or as specified in current NBG rules), we comply with the Travel Rule:

• Collect and retain originator and beneficiary information (full name, wallet/account address, address, identification number, etc.).
• Securely transmit required data to the counterparty VASP.
• Verify receipt of information on incoming transfers and take action if missing (e.g., reject, EDD, report).
• For transfers involving unhosted/cold/self-hosted wallets exceeding the threshold, verify the real person behind the wallet through proof-of-ownership mechanisms, additional KYC, or blockchain analytics.

Data sharing complies with Georgian personal data protection law.

  5. Suspicious Activity Reporting

We report suspicious transactions/activities promptly to the Financial Monitoring Service of Georgia (FMS) via the established channels.

• Internal suspicion triggers mandatory reporting (no tipping-off).
• We maintain records of internal investigations and decisions.

  6. Record-Keeping

We retain all CDD documents, transaction records, correspondence, and AML-related files for at least 5 years after the end of the business relationship or the date of the transaction (or longer if required by law or NBG instruction).

  7. Internal Controls, Policies, and Training

• We maintain a comprehensive, written AML/CFT Policy approved by senior management.
• A dedicated Compliance Officer (Money Laundering Reporting Officer) oversees the program and reports directly to senior management/the board.
• All staff undergo mandatory AML/CFT training upon hiring and annually (or more frequently for high-risk roles).
• Independent audits/review of the AML/CFT program are conducted regularly.

  8. Sanctions Screening

We screen customers, beneficial owners, transactions, and counterparties against:

• Georgian sanctions lists.
• UN, EU, US (OFAC), and other relevant international sanctions lists.

Updates are applied in real-time or near real-time.

We freeze assets and report matches to authorities as required.

  9. Prohibited Activities

We do not provide services to:

• Customers from jurisdictions subject to NBG or international sanctions.
• Persons on sanctions lists.
• Activities linked to illegal purposes (e.g., darknet markets, unlicensed gambling).
• Anonymity-enhanced cryptocurrencies where prohibited or high-risk.

  10. Cooperation with Authorities

We fully cooperate with the NBG, FMS, law enforcement, and other competent authorities, providing information as required under the AML/CFT Law.

These guidelines form an integral part of our Terms of Use and Privacy Policy. We reserve the right to update them to reflect changes in Georgian law, NBG requirements, or our risk assessment.

Continued use of our Services constitutes acceptance of the current AML/KYC/CFT framework.

For questions regarding these guidelines or to report concerns, contact our Compliance Officer at compliance@bfda.io.

We are proud to operate transparently and in full compliance with NBG supervision to promote a safe and legitimate virtual asset ecosystem in Georgia.