Central Bank of Ireland Pre-Authorisation Risk Evaluation Questionnaire for Crypto-Asset Service Providers

Anti-Money Laundering, Countering the Financing of Terrorism (AML/CFT) and Financial Sanctions Pre-Authorisation Risk Evaluation Questionnaire For Crypto-Asset Service Providers (CASPs) February 2025

Anti-Money Laundering, Countering the Financing of Terrorism (AML/CFT) and Financial Sanctions (FS) Risk Evaluation Questionnaire (REQ) Framework The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (“CJA 2010”), as amended, requires firms to have AML/CFT preventative measures in place, including policies, procedures, and processes to ensure compliance with the CJA 2010. There is also an obligation to comply with EU Council Regulations that set out Financial Sanctions (FS)

[1] measures. The Pre-Authorisation REQ seeks to consider: Information on the way in which a firm has assessed the AML/CFT/FS risks posed by its proposed business model (based on high level information provided by the firm); and Information on the proposed AML/CFT/FS framework put in place by the firm. The Pre-Authorisation REQ does not seek to make an assessment as to the effectiveness of the firm’s AML/CFT/FS policies, procedures and processes. This assessment is the responsibility of the firm’s principals and may be tested by the Central Bank as part of its supervisory process. The completion of this Pre-Authorisation REQ is required for firms that are not registered as a Virtual Asset Service Provider by the Central Bank of Ireland. Completing the Questionnaire The firm must complete ALL sections of this form and all responses must be typed, except where a signature is required. Please note that hand written forms will not be accepted. All references to “the firm” mean the applicant CASP firm. Where the term “customer” is used, this also refers to “client”, “consumer” and other comparable terms. Where instructed, all tables must be populated. References to the ‘Board’ can be construed as references to the Management Body or Principals of the firm in instances where the firm does not have a Board. The firm MUST NOT overwrite / delete any input sections that contain drop-downs. Data should be entered by making a selection from the available drop-down options and in the format specified. Note the drop-down boxes provide a number of options and these are not an indication of the expectations of the Central Bank. Where data in relation to the number of products, employees, agents, branches etc. is sought, this information should be projected (unless actuals available) and as at the date of authorisation. If insufficient space has been provided for a response, please provide any additional information on a separate sheet. Please ensure the separate sheet(s) are clearly marked with your firm name and referenced to the appropriate question. This sheet should be submitted with this form. Please do not include copies of your policies and procedures when submitting this form, unless requested to do so. Please submit the completed form (and any separate sheets, if relevant) with the firm’s application for authorisation/registration. The ‘Completion Notes’ section of this form (which can be found at pages 16 and 17 of the form) should be referred to when completing this form. The Central Bank may process personal data provided by you in order to fulfil its statutory functions or to facilitate its business operations. Any personal data will be processed in accordance with the requirements of data protection legislation. Any queries concerning the processing of personal data by the Central Bank may be directed to dataprotection@centralbank.ie . A copy of the Central Bank’s Data Protection Notice is available at www.centralbank.ie/fns/privacy-statement . Firm Details Firm Name: Firm Address: Type of Business: Please state the authorisation sought from the Central Bank: Does the firm currently hold any other registrations and/or authorisations from the Central Bank at this time? Date first established in Ireland: Click here to enter a date. Name of the MLRO (or other relevant person) and evidence of his or her expertise; And, if different from the above, name of the contact person to whom all AML/CFT/FS queries and/or communications may be directed. Position Held: Direct Phone Number: Direct E-mail Address: Establish Governance Risk Assessment Risk Assessment Frequency Has the firm conducted a comprehensive ML/TF and FS risk assessment for its Crypto-Asset services? What is the proposed frequency of review and update of the risk assessment? Please Select Please Select If no risk assessment or risk assessment is incomplete, please populate the table below: Brief rationale for not carrying out the risk assessment Proposed Business line(s) NOT included in the firm’s risk assessment Proposed completion Date Click here to enter a date. Click here to enter a date. Click here to enter a date. Based on the firm’s risk assessment, what ML/TF risk rating would apply? Inherent Risk Risk Rating Product and Services Please select Customer Please select Geography Please select Distribution Please select Overall Firm Please select Please describe the internal control mechanisms that the firm has established to assess the ML/TF risks associated with its proposed business to include the firm’s: Customer base; The products and services provided; The distribution channels used; and The geographic areas of operation. Please provide a copy of the firm’s assessment of the ML/TF risks associated with its business, including the risks associated with the firm’s customer base, the products and services provided, the distribution channels used and the geographical areas of operation. Policies and Procedures Note: where a CASP has not previously been registered as a VASP, the policies and procedures outlined below will be reviewed in detail as part of the CASP application. Policies Procedures Date to be implemented (if applicable) Does the firm have or will the firm have AML/CFT/FS policies and procedures that reflect the requirements of Irish AML/CFT legislation and EU FS regulations? (including but not limited to the following…) Customer Due Diligence (CDD); Suspicious Transaction Reporting (STR); Transaction Monitoring;(including Blockchain Analytics) Financial Sanctions Screening Record Keeping; Training; Assurance Testing; and Travel Rule. If the answer is ‘No’, for either policies or procedures, please confirm the date by which these will be put in place. Please Select Please Select Click here to enter a date. Do the proposed policies and procedures reflect a risk-based approach to on-going monitoring [2] aligned to the ML/TF risks presented by its proposed business? If the answer is ‘No’, for either policies or procedures, please confirm the date by which these will be put in place. Please Select Please Select Click here to enter a date. Do the proposed policies and procedures reflect the requirement to update CDD on existing customers as prescribed by legislation e.g. section 54(3)(i) of the CJA 2010? If the answer is ‘No’, for either policies or procedures, please confirm the date by which these will be put in place. Please Select Please Select Click here to enter a date. In relation to STRs, do the proposed policies and procedures include the process for investigation, documentation and escalation of suspicious transactions? If the answer is ‘No’, please confirm the date by which these policies and procedures will be put in place. Please Select Please Select Click here to enter a date. In respect to record keeping, do the proposed policies and procedures document the records to be retained and the period of retention for each record, as set out in legislation? If the answer is ‘No’, please confirm the date by which these will be put in place. Please Select Please Select Click here to enter a date. If applicable, does the firm have policies and procedures in place in relation to any proposed correspondent banking relationships [3] ? Where applicable and ‘No’ is selected for either policies or procedures, please confirm the date by which these will be put in place. Please Select Please Select Click here to enter a date. Does the firm comply with the Travel Rule Guidelines issued by the EBA under Regulation (EU) Regulation (EU) 2023/1113 [4]

Where applicable and ‘No’ is selected, please confirm the date by which compliance will occur. Please Select Please Select Click here to enter a date. AML/CFT Manual Does the firm have an AML/CFT manual for staff? If the answer is ‘Yes’, please provide a copy of this. If the answer is ‘No’, please confirm the date by which these will be put in place and provide a copy of same to the Central Bank within 5 days of that date. Please Select Click here to enter a date. Please provide a description of the systems and controls the firm has or will put in place to ensure that AML/CFT/FS policies and procedures remain up to date, effective and comply with AML/CFT requirements. Please include details of the proposed frequency that the firm’s AML/CFT/FS policy(ies) and procedures will be reviewed and updated. Please provide a description of the measures the firm has or will put in place to mitigate the risks and comply with applicable AML/CFT obligations, including the firm’s: Risk assessment process; Policies and procedures to comply with CDD requirements; and Policies and procedures to detect and report suspicious transactions or activities. Training Please confirm that all members of the Board, all senior management and other staff of the firm have received training in respect of their AML/CFT obligations, as required by law and state the frequency of this training. Board/ Principals Senior Management Other Staff Has the firm provided training? Please Select Please Select Please Select Where training has been provided , please confirm the date on which the training was provided. Click here to enter a date. Click here to enter a date. Click here to enter a date. What is the proposed frequency of training? Please Select Please Select Please Select Where training has not yet

been provided, please confirm the date on which this training will be provided. Click here to enter a date. Click here to enter a date. Click here to enter a date. Training Date Training to be provided Will specialist training be provided to personnel in key compliance roles for example the Money Laundering Reporting Officer (MLRO), compliance staff etc.? Please Select Has the firm put in place a plan for on-going training to ensure that relevant management and staff (both new and existing) are aware of the firm’s AML/CFT/FS obligations and its processes and procedures for the fulfilment of same? If the answer is ‘No’, please confirm the date on which such training will be put in place. Please Select Click here to enter a date. Do the firm’s proposed training materials reflect local AML/CFT requirements and EU FS regulations, as appropriate? Please Select Will appropriate records of AML/CFT/FS training be retained? Please Select Please confirm who will facilitate the on-going training and the proposed format of such training. Training Provider Training Format Internal – In-house training Please Select Online Please Select Internal – Parent/group training Please Select Presentations/seminars Please Select External – Unrelated party Please Select Other (please state below) Please Select External – Related party Please Select If ‘Other’ is selected, please provide additional information: Firm Risk Profile Products and Services Risk Rating No. of Products No. of Services Please complete the table to provide a breakdown of the following: Approximately how many (i) products; and (ii) services, as defined in the firm’s ML/TF risk assessment, will be offered by the firm? Ultra High High Medium High Medium Low Low Total No. Yr. 1 Yr. 2 Yr. 3 What is the estimated annual transaction value? Please provide a brief description of each of the proposed products and/or services to be offered by the firm. Customer Exposure Risk Rating No. of Customers Of which are Specified Customers Of which are PEPs Please complete the table based on the firm’s total estimated size (i.e. numbers) of the firm’s proposed customer base at the end of the firm’s first year of authorisation (t o the extent that this information is available). Ultra High High Medium High Medium Low Low Total No. Customer Types No. of Customers Please complete the table, providing a breakdown of the firm’s proposed customer type(s) and the approximate number of customers (t o the extent that this information is available). PEPs and Financial Sanctions Financial Sanctions PEPs Will the firm conduct financial sanction and PEP screening? Please Select Please Select Will this screening be automated or manual? Please Select Please Select How frequently will the screening be conducted? Please Select Please Select If ‘Other’ is selected as the proposed frequency of screening, please provide more information: ‘Other’ frequency for Financial Sanctions ‘Other’ frequency for PEP screening Geography/Country The firm’s proposed operations and customer base are: Restricted to Ireland only Restricted to EU, EEA only. Not restricted to EU, EEA. Please Select Please Select Please Select If the firm does not propose to restrict its proposed operations and customer base to Ireland, please list the top 5 countries (1 being the largest) by size of customer base. Top 5 Ranking Country Projected % of Customer Base 1 2 3 4 5 Distribution Channels Proposed Distribution Channel(s) Rank in order of priority Please select and rank the most relevant distribution channel(s) to be utilised in relation to the firm's proposed products and/or services. The relevant distribution channels should be ranked 1-5, with 1 inferring the proposed main distribution channel. Select N/A where appropriate. (A) Customer take-on and transactions will be completed through in-person face-to-face engagement by the firm’s own sales personnel (e.g. head office, branches, regional sales teams, specialist relationship managers). Please Select (B) Customer take-on will be completed through in-person face-to-face engagement by firm’s own sales personnel (e.g. branches, regional sales teams, specialist relationship managers) but subsequent transactions are performed through non-face-to-face media (website, mobile app etc.). Please Select (C) Customer take-on and transactions will be completed through non-face-to-face channels (website, mobile app etc.). Please Select (D) Outsourcing - Customer take-on and transactions will predominantly be completed by external providers or related group entities in accordance with the firm’s policies and procedures. Please Select (E) Other (e.g. where the provision of a service is through a network of agents - please detail below) Please Select If ‘Other’ is selected, please provide additional information: Freedom of Services & Freedom of Establishment Does the firm intend to provide products/services on a Freedom of Services (FOS) and/or a Freedom of Establishment (FOE) basis? Please Select If the answer is ‘Yes’, please provide details of the total proposed number of agents to be appointed and/or branches to be established (if applicable and t o the extent that this information is available). Total No. of Agents Total No. of Branches Please list the countries where the proposed products/services will be provided and the proposed number of agents and/or branches that will operate in each of the countries listed. Please state if FOS, FOE or FOS & FOE Country No. of Agents No. of Branches 3.7 Agents & Branches Please detail the systems and controls the firm has or will put in place to ensure that all branches and/or agents in all jurisdictions (including Ireland) comply with applicable AML/CFT requirements. Note that where this includes agents and/or branches located in another Member State, the AML/CFT requirements of that Member State apply and the systems and controls in respect of those should be detailed. Please detail the arrangements the firm has or will put in place to ensure that agents are appropriately trained in AML/CFT matters. Please detail: the due diligence the firm has or will put in place in respect of appointing new agents to minimise the risks of having ‘bad agents’; and the systems and controls the firm has or will put in place to ensure that the agents do not expose the firm to increased AML/CFT risks Adopt a Risk-Based Approach to On-going Monitoring Assurance Testing Assurance Testing Date to be implemented (if applicable) Please confirm that the firm has an assurance testing programme in place to ensure that all relevant AML/CFT/FS processes and procedures are fit for purpose and adhered to in practice (and not just at customer take on). If the answer is ‘No’, please confirm the date by which this assurance-testing programme will be put in place. Please Select Click here to enter a date. Please detail the systems and controls the firm has or will put in place to ensure AML/CFT policies and procedures remain up-to-date, effective and relevant. Third Party Reliance - Customer Due Diligence Third Party Reliance Date Does the firm propose to place reliance on third parties for customer due diligence, as defined in Irish legislation (e.g. a “relevant third party” as defined in section 40 of the CJA 2010)? Please Select If the answer is ‘No’, does the firm envisage any such third party reliance arrangements being put in place in the first 12 months of authorisation (to the extent this information is known)? Please Select If the firm proposes to place reliance on third parties, please confirm the proposed number of firms that reliance will be placed on Does the firm have letters of reliance/assurance with all these firms in accordance with Irish legislation (e.g. section 40(4) of the CJA 2010)? If the answer is ‘No’, please confirm date by which such letters of reliance/assurance will be put in place. Please Select Click here to enter a date. Does the firm have a proposed programme in place for the regular testing and verification of AML/CFT documentation sourced through these third parties to ensure: AML/CFT/FS procedures applied reflect those of the firm; AML/CFT/FS information can be retrieved quickly without undue delay; and The quality of underlying documents is sufficient and that there are no gaps in any records kept that cannot be readily explained? If the answer is ‘No’, please confirm date by which such a proposed testing programme will be put in place. Please Select Click here to enter a date. What is the proposed frequency of testing of third party reliance/arrangements, which will be put in place? Please Select If ‘Other’ is selected at (f) above, please provide additional information: Outsourcing Outsourcing Date Does the firm outsource or propose to outsource any AML/CFT/FS related functions? Please Select If the firm outsources AML/CFT related functions, please list the outsourced functions. If the firm outsources or proposes to outsource AML/CFT functions, please confirm the number of outsourcing arrangements in place. N.B. For the avoidance of doubt, this includes inter/group-company outsourcing arrangements. If the firm outsources or proposes to outsource AML/CFT/FS related functions, are the outsourced service providers: Group related parties; or Non-group related parties. Please Select Does the firm have operating agreements/service level agreements in place with all proposed AML/CFT/FS outsourced service providers? If the answer is ‘No’, please confirm date by which such operating agreements/service level agreements will be put in place. Please Select Click here to enter a date. Does the firm have a programme in place for appropriate regular assurance testing and verification of AML/CFT/FS documentation gathered through outsourced service providers to show that AML/CFT/FS procedures applied reflect those of the firm? If the answer is ‘No’, please confirm the date by which such a proposed testing programme will be put in place. Please Select Click here to enter a date. What is the proposed frequency of testing of AML/CFT/FS outsourcing arrangements, which are currently in place? Please Select If no AML/CFT/FS outsourcing arrangements are currently in place, does the firm envisage that any such outsourcing arrangements will be put in place in the 12 months following authorisation (to the extent this information is available)? Please Select If ‘Other’ is selected at (g) above, please provide additional information: Report Management Information Please confirm that an annual report that analyses and informs on the operation and effectiveness of the firm’s AML/CFT and FS systems and controls will be prepared by the MLRO and such a report will be presented to the Board to comply with EU law e.g. CJA 2010? Please Select Pre-Authorisation REQ Completed By What is the name of the person completing the Pre-Authorisation REQ on behalf of the firm? What position does this person hold? Does this person hold a PCF role or are they proposed to hold a PCF role? Please Select On what date was the Pre-Authorisation REQ completed? Click here to enter a date. Completion Notes [Please note that this Guidance does not amount to legal advice and each applicant should take appropriate advice to ensure compliance with all AML/CFT/FS obligations] Question Guidance for completion 2.1 (a) For a Head Office entity, “ Business lines ” includes all proposed branches, subsidiaries and other relevant agents wherever located. 2.2 (a) Procedures should at the very least consider below sections, (please note this is not an exhaustive list and it is the responsibility of the firm to ensure its proposed AML/CFT/FS procedures are adequate). Customer Due Diligence (CDD) Risk-based approach to customers for example high risk, politically exposed persons (PEPs), non-face-to-face etc.; Approach taken to identifying and verifying new and existing customers; Mechanisms to identify linked transactions and the subsequent requirement; to apply CDD requirements where warranted; List of acceptable documents to identify and verify customers; Beneficial ownership; and Third party reliance arrangements. Suspicious Transaction Reporting (STR) The process to raise and escalate STRs to the firm’s MLRO; Timeframe within which reports should be made to the authorities; The offences and penalties for failure to report; The definition of ‘tipping off’ and penalties associated with this offence; and Measures to be taken to avoid tipping off. Transaction monitoring (TM) Monitoring thresholds and rationale for setting. Description of TM and Blockchain Monitoring rules. Financial Sanctions Frequency of screening; and Investigation and escalation procedures. Record Keeping Duration retained, format and location of retained documents. Training Format, frequency, testing, completion log etc. Assurance Testing Internal/external, frequency and format. 2.2 (b) At a minimum, a firm’s procedures must be sufficiently clear and detailed to enable its front-line staff (or equivalent) to readily distinguish those customers in respect of which enhanced CDD requirements must be applied. 2.2 (c) For example, but not limited to, PEPs, correspondent banking other higher risk rated customers etc. 2.2(e) Section 55 of the CJA 2010 prescribes the obligations in respect of records including, but not limited to the following types of record): CDD documentation; STRs; Correspondent banking records; and History of services and transactions carried out in relation to each customer. 2.2 (f) Section 38 of CJA 2010 prevents the establishment or continuation of relationships where (but not limited to) (see the CJA 2010 for the full listing): The respondent does not have adequate controls against criminal activities; or The respondent is not effectively supervised; or The respondent is considered to be a shell bank. 2.3 (d) Where ‘N/A’ has been selected for question 2.3 (a), a date is not required to be populated. 2.3 (i) ‘In-house training’ refers to training provided by the firm ‘Parent/group training’ refers to training designed by the parent/group and cascaded to the firm. ‘Unrelated training’ refers to training provided by external parties for example third party consultants. 3.1 (d) A description of the proposed products and/or services should include: The characteristics of the proposed product(s)/service(s) to be offered; and Whether certain products/services will be restricted to specific geographies and/or distribution channels. 3.2 (b) Examples of customer types include (but are not limited to): Natural Persons (non-business); Non-cash businesses & professionals; Cash intensive businesses (e.g. pubs, restaurants, petrol stations gambling firms etc.); Legal structures (e.g. trusts, company structures etc.); Charities; and/or Off-shore corporations. 3.6 (a) This includes the provision of services in other jurisdictions i.e. passporting out. www.centralbank.ie CASPauthorisations@centralbank.ie Version 20171018REQ https://www.centralbank.ie/regulation/how-we-regulate/international-financial-sanctions ↑ “monitoring” in accordance with the definition in section 24(1) of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 ↑ In accordance with the definition of “correspondent relationship” in section 24(1) of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 ↑ https://www.eba.europa.eu/sites/default/files/2024-07/6de6e9b9-0ed9-49cd-985d-c0834b5b4356/Travel%20Rule%20Guidelines.pdf ↑