Anti-Money Laundering (AML) Policy

Last updated: February 2026

1. Introduction and Commitment

Immutable Vault LLC ("Immutable," "we," "us," or "our") is a crypto-to-fiat platform committed to the highest standards of anti-money laundering ("AML") and counter-terrorist financing ("CTF") compliance. We operate in strict accordance with applicable laws and regulations, including but not limited to the Bank Secrecy Act ("BSA"), the USA PATRIOT Act, and the regulations and guidance issued by the Financial Crimes Enforcement Network ("FinCEN") of the United States Department of the Treasury. Where applicable, we also adhere to the regulatory requirements of the Australian Transaction Reports and Analysis Centre ("AUSTRAC").

This AML Policy outlines the procedures, controls, and internal practices that Immutable maintains to detect, prevent, and report money laundering, terrorist financing, and other illicit financial activities. Our commitment extends to fostering a culture of compliance across all levels of the organization, ensuring that every employee, contractor, and agent understands their obligations under this policy.

We recognize that the cryptocurrency industry presents unique risks related to the pseudonymous nature of blockchain transactions, the speed of cross-border transfers, and the evolving regulatory landscape. To address these risks, Immutable has implemented a comprehensive compliance program that is regularly reviewed and updated to reflect changes in law, regulation, and industry best practices.

2. Know Your Customer (KYC) Procedures

Immutable maintains a robust Know Your Customer ("KYC") program designed to verify the identity of every customer before they are permitted to conduct transactions on our platform. Our KYC procedures are a critical component of our AML compliance framework and are designed to ensure that we understand who our customers are, the nature of their activities, and the risks they may present.

2.1 Customer Identification Program (CIP)

In accordance with Section 326 of the USA PATRIOT Act and FinCEN's implementing regulations, Immutable has established a Customer Identification Program ("CIP") that requires the collection and verification of identifying information from each customer at the time of account opening. At a minimum, we collect the following information from individual customers:

• Full legal name
• Date of birth
• Residential address
• Government-issued identification number (e.g., Social Security Number, passport number, or national ID number)
• A copy of a valid, unexpired government-issued photo identification document

We verify the information provided by customers using reliable, independent sources, which may include documentary verification (e.g., reviewing government-issued identification documents) and non-documentary verification (e.g., cross-referencing information against third-party databases and public records).

2.2 Individual Verification via Bridge API

Immutable utilizes the Bridge API to facilitate and streamline the identity verification process for individual customers. Through this integration, customer-submitted identification documents and personal information are verified against authoritative data sources in real time. The Bridge API enables us to perform document authentication, facial recognition matching, and database cross-checks to confirm the identity of each customer with a high degree of confidence. Customers who cannot be adequately verified through the Bridge API may be subject to additional manual review or may be denied access to the platform.

2.3 Business Verification (KYB)

For business customers, Immutable conducts Know Your Business ("KYB") procedures that include, but are not limited to:

• Verification of the legal existence and status of the business entity through official corporate registries and formation documents (e.g., articles of incorporation, certificates of formation, or equivalent documents)
• Identification and verification of the beneficial owners who own or control 25% or more of the equity interests of the entity, as well as any individual who exercises significant managerial control
• Collection and verification of the business's Employer Identification Number (EIN) or equivalent tax identification number
• Understanding the nature and purpose of the business relationship, including the expected volume and types of transactions
• Verification of the authority of the individual acting on behalf of the business entity

2.4 Enhanced Due Diligence (EDD)

Immutable applies Enhanced Due Diligence ("EDD") measures to customers and transactions that present a higher risk of money laundering or terrorist financing. EDD may be triggered by factors including, but not limited to:

• Customers who are Politically Exposed Persons ("PEPs") or who have close associations with PEPs
• Customers located in or conducting transactions involving jurisdictions identified as high-risk by FATF, OFAC, or other relevant authorities
• Customers whose transaction patterns are unusual, inconsistent with their stated purpose, or otherwise raise suspicion
• Business relationships that involve complex ownership structures or nominee arrangements
• Customers who have been the subject of prior suspicious activity reports or law enforcement inquiries

EDD measures may include obtaining additional identification documents, conducting more frequent reviews of account activity, requiring senior management approval for the continuation of the business relationship, and gathering information about the source of funds and source of wealth.

3. Transaction Monitoring

Immutable employs a comprehensive transaction monitoring program designed to detect and investigate potentially suspicious activity in a timely manner. Our monitoring systems are calibrated to identify transactions and patterns of behavior that may indicate money laundering, terrorist financing, fraud, or other illicit activity.

3.1 Automated Monitoring

We utilize automated transaction monitoring systems that analyze customer transactions in real time and on a retrospective basis. These systems apply rule-based and behavior-based detection methodologies to flag transactions that meet predefined risk criteria. Monitoring parameters are regularly reviewed and updated to reflect emerging typologies, regulatory guidance, and changes in our customer base and product offerings.

3.2 Suspicious Activity Identification

Our monitoring systems are designed to identify, among other things, the following types of potentially suspicious activity:

• Transactions that are unusually large or complex relative to the customer's profile or stated purpose
• Rapid movement of funds through the platform with no apparent economic or lawful purpose
• Structuring or splitting of transactions to avoid reporting thresholds or identification requirements
• Transactions involving jurisdictions, entities, or individuals associated with heightened money laundering or terrorist financing risk
• Patterns of activity that are inconsistent with the customer's known business or personal profile
• Attempts to use the platform to convert cryptocurrency derived from known illicit sources, including darknet markets, ransomware, or sanctioned entities
• Frequent changes to customer identification information or the use of multiple accounts

3.3 Transaction Limits

Immutable imposes transaction limits based on the customer's verification level, risk profile, and applicable regulatory requirements. These limits are designed to mitigate risk and ensure that higher-value transactions are subject to appropriate scrutiny. Customers seeking to increase their transaction limits may be required to undergo additional verification and due diligence procedures. All transactions at or above applicable Currency Transaction Report ("CTR") thresholds are reported to FinCEN as required by law.

4. Suspicious Activity Reporting

Immutable is committed to the timely identification and reporting of suspicious activity in accordance with the BSA and FinCEN regulations. When our monitoring systems or personnel identify activity that is known or suspected to involve funds derived from illegal activity, or that is designed to evade BSA reporting requirements, we take the following steps:

• The flagged activity is escalated to the Compliance team for review and investigation. The Compliance team conducts a thorough analysis of the transaction(s), the customer's account history, and any other relevant information.
• If, after investigation, the Compliance team determines that the activity is suspicious and meets the applicable reporting thresholds, a Suspicious Activity Report ("SAR") is prepared and filed with FinCEN through the BSA E-Filing System within 30 calendar days of the initial detection of the suspicious activity, or within 60 calendar days if no suspect is identified at the time of initial detection.
• All SAR filings are reviewed and approved by the designated Compliance Officer or their delegate prior to submission.
• Immutable maintains the strict confidentiality of SAR filings. No employee, officer, or agent of Immutable shall disclose the existence or contents of a SAR to the subject of the report or to any person other than as authorized by law or regulation.
• Supporting documentation for each SAR filing is retained in accordance with our record-keeping obligations and is made available to law enforcement and regulatory authorities upon request.

In cases where the suspicious activity involves an imminent threat to national security or an ongoing violation of federal criminal law, Immutable will notify the appropriate law enforcement authorities immediately, in addition to filing a SAR.

5. Sanctions Screening

Immutable maintains a sanctions compliance program to ensure that we do not engage in transactions with, or provide services to, individuals, entities, or jurisdictions that are subject to economic sanctions administered by the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") or other applicable sanctions authorities.

Our sanctions screening procedures include the following measures:

• All customers are screened against the OFAC Specially Designated Nationals and Blocked Persons List ("SDN List"), the Consolidated Sanctions List, and other relevant sanctions lists at the time of account opening and on an ongoing basis.
• Transactions are screened in real time to identify any involvement of sanctioned individuals, entities, or jurisdictions.
• We utilize automated screening tools that are regularly updated to reflect changes to applicable sanctions lists.
• Any potential sanctions match is escalated to the Compliance team for review. If a true match is confirmed, the transaction is blocked, the account is frozen, and a report is filed with OFAC within 10 business days, as required.
• Immutable prohibits transactions involving comprehensively sanctioned jurisdictions, including but not limited to Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine, as designated by OFAC.

Our sanctions compliance program is reviewed and updated regularly to reflect changes in OFAC guidance, executive orders, and applicable international sanctions regimes.

6. Record Keeping

Immutable maintains comprehensive records in accordance with the BSA and other applicable regulations. Our record-keeping practices are designed to ensure that all relevant information is preserved and readily accessible for regulatory examination, law enforcement inquiries, and internal audit purposes.

We retain the following records for a minimum period of five (5) years from the date of the transaction or the date the account is closed, whichever is later:

• Customer identification and verification records, including copies of identification documents, CIP and KYB documentation, and the results of any due diligence or enhanced due diligence reviews
• Transaction records, including the date, amount, currency, and parties involved in each transaction processed through the platform
• Records of all SARs filed, including supporting documentation and the results of any related investigations
• Records of all CTRs and other regulatory reports filed
• Sanctions screening results and records of any blocked or rejected transactions
• Correspondence with regulatory authorities and law enforcement agencies
• AML training records, including the dates of training sessions, the content covered, and the names of attendees
• Internal audit reports and compliance review findings

Records are stored securely using encryption and access controls to protect the confidentiality and integrity of customer information. Access to compliance records is restricted to authorized personnel on a need-to-know basis.

7. Risk Assessment

Immutable conducts periodic risk assessments to identify, evaluate, and mitigate the money laundering and terrorist financing risks associated with our products, services, customers, and geographic exposure. The risk assessment forms the foundation of our AML compliance program and informs the design and calibration of our controls.

7.1 Customer Risk Classification

Each customer is assigned a risk rating based on an evaluation of relevant risk factors, including but not limited to:

• The customer's geographic location and the jurisdictions involved in their transactions
• The nature and purpose of the customer's account and expected transaction activity
• The customer's occupation, business type, or source of funds
• Whether the customer is a PEP or has associations with PEPs
• The customer's transaction history and any prior suspicious activity indicators
• The results of sanctions screening and adverse media checks

Customers are classified into risk tiers (e.g., low, medium, high), and the level of ongoing monitoring and due diligence applied to each customer is commensurate with their assigned risk level. Risk ratings are reviewed and updated periodically and whenever there is a material change in the customer's activity or profile.

7.2 Geographic Risk

Immutable evaluates the geographic risk associated with the jurisdictions in which our customers are located and to which they direct transactions. We consider factors such as:

• Whether the jurisdiction is identified by FATF as having strategic AML/CTF deficiencies
• Whether the jurisdiction is subject to comprehensive or targeted sanctions by OFAC or other authorities
• The jurisdiction's level of corruption, as assessed by Transparency International's Corruption Perceptions Index and similar indices
• The jurisdiction's regulatory framework for virtual assets and virtual asset service providers
• Whether the jurisdiction is known to be associated with heightened levels of drug trafficking, fraud, or other predicate offenses for money laundering

Transactions involving high-risk jurisdictions are subject to enhanced scrutiny, and Immutable reserves the right to restrict or prohibit transactions involving certain jurisdictions at its sole discretion.

8. Training and Compliance

Immutable is committed to ensuring that all employees, officers, and relevant contractors receive adequate training on AML and CTF obligations. Our training program is designed to equip personnel with the knowledge and skills necessary to identify and report suspicious activity and to comply with all applicable laws and regulations.

Our training and compliance program includes the following elements:

• All new employees receive AML/CTF training as part of their onboarding process, covering the fundamentals of money laundering and terrorist financing, the requirements of the BSA and USA PATRIOT Act, and Immutable's internal policies and procedures.
• All employees receive annual refresher training that addresses updates to laws and regulations, emerging money laundering typologies, and lessons learned from internal and external case studies.
• Employees in compliance, customer-facing, and risk management roles receive specialized, role-specific training on topics such as SAR preparation, sanctions screening, and enhanced due diligence.
• Training records are maintained for a minimum of five (5) years and are available for review by regulators and auditors.
• Immutable has designated a qualified Compliance Officer who is responsible for the overall administration of the AML compliance program, including the development and implementation of policies and procedures, the oversight of transaction monitoring and SAR filing, and the coordination of regulatory examinations and audits.
• The Compliance Officer reports directly to senior management and has the authority and resources necessary to carry out their responsibilities effectively.

Immutable also engages independent third-party auditors to conduct periodic reviews of our AML compliance program to assess its effectiveness and identify areas for improvement. The findings of these audits are reported to senior management and are used to enhance our policies, procedures, and controls.

9. Contact Us

If you have any questions about this Anti-Money Laundering Policy, or if you wish to report suspicious activity, please contact us using the information below:

Immutable Vault LLC
30 N Gould St Sheridan, 82801 United States
Email: contact@immutable.top

We take all reports of suspicious activity seriously and will investigate any concerns raised in a timely and confidential manner.