Procedure for Registration of Digital Asset Service Providers

A. Procedure for Registration of Digital Asset Service Providers

Interested parties wishing to operate as Digital Asset Service Providers must apply for registration with the Comisión Nacional de Activos Digitales (CNAD), in accordance with the provisions of Article 9(d), Articles 18, 20, and 21 of the Digital Asset Issuance Law, and Articles 7, 17 through 35 of the Regulation on Digital Asset Service Providers. For this purpose, the interested party must complete two stages: the first stage, called "pre-registration," and the second stage, called "definitive registration."

The interested party must follow the following steps:

Complete the definitive registration form for Digital Asset Service Providers.

In said form, the following information must be completed:

1. Business Plan to be developed in El Salvador for the next 3 years: • Executive Summary • Business Description • Market Strategy • Financial Projections • Expense Budget • Key Performance Indicators (KPIs) • Risks and Mitigations • Implementation and Monitoring • Summary and Conclusions

2. Documentation regarding the implementation of the "User Assistance System/Communication with the Customer," according to Article 7(f) and Article 22 of the Regulation on Digital Asset Service Providers, which must contain the minimum requirements: • A general explanation of each digital asset, which must include its most relevant characteristics, such as its interchangeability with other digital assets, its current price, its price history over the last twelve months, and the trading volume it currently has on the platform or digital wallet. The update of this information must be regular and reasonable according to the product. • The manner in which digital assets can be sold and purchased on the platform or digital wallet administered or promoted by the digital asset service provider. • Applicable transaction fees. • List and explanation of the rest of the complementary products offered, such as custody, loans, and deposit methods. The update of this information must be regular and reasonable according to the product. • Customer service policy, which must include the channels and protocols of its user assistance system in a coherent and efficient manner according to the nature of the services to be provided.

NOTE: At all times, Digital Asset Service Providers must have all relevant information regarding the services and digital assets they commercialize or manage available at their LRU (Legal Representative) address. The update of this information must be regular and reasonable according to the product.

3. Documentation regarding the implementation of "Anti-Money Laundering, Counter-Terrorist Financing, and Counter-Proliferation of Weapons of Mass Destruction," according to Articles 17, 19, 23, and 24 of the Regulation on Digital Asset Service Providers: • Registration with the Financial Investigation Unit of the Principal and Alternate Compliance Officers; • Appointment by the board of directors of the Principal and Alternate Compliance Officers; • Certification of the Principal and Alternate Compliance Officers in AML/CFT/FPADM matters as established in Article 64 of the Financial Investigation Unit's instruction for the Prevention of Money and Asset Laundering; • Organizational chart including the Compliance Office; • Planning and administration with a risk-based approach; • Documentation, archiving, and conservation of documents; • AML/CFT/FPADM Prevention Policy; • AML/CFT/FPADM Risk Management Procedures; • Policy on limits for transactions with Digital Assets; • Customer Due Diligence (standard and enhanced) and Politically Exposed Persons Policy; • Policy on Monitoring of Customer and Counterparty operations; • Policies to prevent the theft of assets; • Institutional Code of Ethics:

• Which must include the section "Good Faith and Impartiality in Digital Asset Markets" according to Article 17 of the Regulation on Digital Asset Service Providers; and the section "Prohibitions on the Use of Insider Information" according to Articles 23 and 24 of the Regulation on Digital Asset Service Providers. • Procedures for the detection of Unusual and Suspicious Operations (Include procedure with flowchart for the implementation of unusual operation monitoring and the preparation of suspicious operation reports);

• Regulated Operations Reporting Procedure according to Article 52(b) of the Financial Investigation Unit's Instruction for the Prevention of Money and Asset Laundering:

• Reports of operations required by the UIF;
• Customer registration to identify the origin and destination of funds;
• Registration of assets, liabilities, and equity;
• Account registration with transaction data;
• Complaint registration;
• Training plan.

4. Documentation regarding the implementation of "Risk Factors," according to Article 21 of the Regulation on Digital Asset Service Providers: • Description of the risks to which the entity is exposed given its business model (Include financial and operational risks, not only AML/CFT/FPADM and cybersecurity). • Responsibilities of corporate governance areas within the framework of comprehensive risk management. • Description of the activities or tools that constitute each stage of the risk management cycle (Identification, measurement, monitoring, mitigation, and risk communication). • The measures that will be adopted to prevent possible non-compliance with regulatory requirements and those that will be adopted in the event of having incurred them, defining in both situations the parameters that will guide the action and the responsible parties for implementing them.

5. Documentation regarding the implementation of "Digital Asset Operations," according to Articles 27 through 35 of the Regulation on Digital Asset Service Providers: • Spot operations (Article 28 of the Regulation) • Forward operations (Article 29 of the Regulation) • Optional purchase or sale operations (Article 30 of the Regulation) • Settlement of operations (Article 31 of the Regulation) • Seizure (Article 32 of the Regulation) • Arbitrage (Article 33 of the Regulation) • Protection of acquirer assets (Article 34 of the Regulation) • Investments (Article 35 of the Regulation)

6. Security and Custody Policies and Procedures: • Digital Asset and FIAT Custody Policy: Detailed description of policies and procedures for the secure custody of digital assets and fiat currencies. • Information Security and Cybersecurity Policies: This consolidated document establishes comprehensive policies and procedures to protect information and technological assets, covering access control, vulnerability management, incident response, and security training. Its objective is to ensure the confidentiality, integrity, and availability of information, aligning with data protection regulations.

7. Comprehensive Compliance and Customer/Company Knowledge Framework: • KYC (Know Your Customer) and KYB (Know Your Business) Protocol: Description of customer/company identification and verification procedures to prevent fraud and money laundering. • KYT (Know Your Transaction) Protocol: Systems and processes for monitoring and analyzing transactions for suspicious activities.

8. Risk Management and Continuity Planning: • Risk Management Policies: Establishes the framework and processes to identify, evaluate, manage, and monitor operational, financial, and technological risks. Provides a methodology for risk-based decision-making and risk mitigation to acceptable levels. • Business Continuity Plan: Describes the procedures and measures that must be taken to ensure operational continuity in the event of a significant interruption. Includes the identification of critical functions, resource allocation for recovery, and strategies to maintain operations during and after an incident. • Contingency Plan: Provides a structured approach to responding to unexpected incidents that could severely affect operations. Focuses on the rapid restoration of critical services, minimizing the impact on the business and its clients.

9. Audits and Control Technologies: • Internal/External Audits: Information on internal and external audit processes, including frequency, scope, and auditing entities. • Implementation of Geofencing: Details on the geofencing technologies and policies used to restrict transactions in specific jurisdictions.

After completing the form and sending it, a copy of the same signed by the person authorized to process it, along with its annexed documentation, must be presented in physical format at the Commission's offices. Once received, the Registration Department will issue a receipt confirmation for the form, in accordance with Article 8, first and second paragraphs, of the Regulation on Digital Asset Service Providers (RPSAD).