Skip to main content
Updated Version – 2026

1. Policy Objective

This Policy aims to establish internal procedures and controls intended to prevent crimes related to Money Laundering and Terrorism Financing (AML/CFT), in accordance with the applicable laws and regulations, as well as international best practices, through the adoption—via Compliance—of foreign standards and rules that may progressively enhance the robustness of the control, monitoring, and oversight of transactions carried out through CRIPTO HOST.

2. Guidelines

CRIPTO HOST adopts the following guidelines:
  • Independence and autonomy of those responsible for Compliance, as well as the integrity and transparency of the process by which operations are verified for AML/CFT conformity.
  • A clear definition of responsibilities and obligations regarding the implementation and observance of the measures and procedures set forth in this Policy.
  • Commitment to continuously updating knowledge about new technologies, with the purpose of preventing the use of unconventional means to launder money and/or finance terrorism.
  • Implementation of a Risk-Based Approach, considering the nature, complexity, and exposure inherent to operations involving virtual assets, ensuring that the risks related to the Company’s activity are properly managed.
  • Classification of clients and cryptoasset transactions according to risk levels (low, medium, high), applying proportional and appropriate due diligence measures.
  • Compliance with the Brazilian General Data Protection Law (LGPD).
  • Requirement that Virtual Asset Service Providers (VASPs) interacting with CRIPTO HOST services are duly licensed, registered, or regulated by a competent authority and adopt best AML/CFT practices.
  • All cryptoasset operations must consider the public and traceable nature of blockchain transactions as an instrument to strengthen compliance measures, including those related to foreign exchange regulations and AML prevention.
  • Implementation and/or consultation of compliance scoring systems that indicate the likelihood that a given wallet is associated with illegal operations. Such scoring must be used especially at contact points with the banking system (off-ramps) as a preventive measure against the entry of illicit funds.
  • Ensuring that Know Your Customer (KYC) procedures, when applicable, are performed for clients, intermediaries, and counterparties whose risk level requires such measures.
  • Requiring documented justifications regarding the source of funds and any virtual assets used in transactions, when fraud is suspected.
  • Developing and implementing continuous training and updating programs for all employees involved with compliance and digital assets, including but not limited to certifications, courses, trainings, workshops, etc.
  • Establishing internal procedures for investigation, internal communication, and reporting of suspicious transactions to COAF and the Federal Public Prosecutor’s Office (MPF), pursuant to Article 1, §1, of Law No. 9,613/1998.
  • Appointing a technical officer responsible for operational compliance, with authority and autonomy to act preventively.
  • Ensuring that policies and procedures are reviewed periodically, preferably once per year, in light of national and international regulatory updates as well as technological developments.
  • Identifying operational deficiencies in the adopted measures through this Policy, aiming to correct them as soon as they are identified.
  • Promoting and fostering an organizational culture that elevates AML/CFT prevention as an institutional commitment.

3. Scope

This AML/CFT Policy establishes principles and rules applicable to all employees, administrators, service providers, partners, shareholders, clients, related parties, and any other individual or legal entity, resident or non-resident in Brazil, who conducts—or wishes to conduct—business with CRIPTO HOST or contract the services provided by it. This Policy reflects CRIPTO HOST’s commitment to ensuring that all stakeholders are fully aware of its determination to keep its business free from activities involving money laundering and terrorism financing, enabling alignment of expectations among all parties involved in its operations and services. The rules set forth herein also serve to inform authorities and/or regulators who may wish to oversee, when necessary, CRIPTO HOST’s compliance with legal obligations. The Director of Compliance – Chief Compliance Officer (CCO) shall be responsible for monitoring and supervising compliance with this Policy, as well as compliance with applicable legislation and related guidance, and for training employees, shareholders, and other persons involved in CRIPTO HOST operations.

4. Applicable Legislation

4.1 Brazil

In Brazil, the legal framework for preventing and controlling illicit activities involving money laundering and terrorism financing was established with the enactment of Law No. 9,613/1998, which instituted measures, procedures, obligations, and responsibilities related to such offenses, as well as sanctions and the supervisory authority known as the Council for Financial Activities Control (COAF). This Law was later refined through specific regulatory instruments, including normative instructions and resolutions, such as:
  • CVM Resolution 50/2021, concerning AML rules in the capital markets;
  • SUSEP Circular No. 612/2020, related to AML controls in the insurance market;
  • BCB Circular No. 3,978/2020, applicable to institutions authorized to operate by the Central Bank of Brazil;
  • COAF Resolution No. 36/2021, which provides for the adoption of AML/CFT (and proliferation financing) policies, procedures, and internal controls by entities subject to COAF supervision under Article 14, §1, of Law No. 9,613/1998.
With the regulation of Virtual Asset Service Providers (VASPs), Law No. 14,478/2022 (Brazil’s crypto legal framework) established mandatory AML/CFT policies for such providers, as provided in Article 4, VII. This mandate is reinforced throughout BCB Public Consultation No. 109/2024, which served as the regulatory draft that led to the new specific regulation for the digital asset market, currently BCB Resolution 519.

4.2 International Standards

International standards issued by the Financial Action Task Force (FATF/GAFI)—an intergovernmental entity combating money laundering and terrorism financing—are recommended as best practices to ensure international cooperation in addressing these crimes. Additionally, Bank for International Settlements (BIS) Bulletin No. 108 proposes a new approach that leverages blockchain characteristics to improve regulatory effectiveness, especially at contact points between crypto and the traditional financial system.

4.3 Other Relevant Laws and Regulations

  • Law No. 9,613 (03/03/1998)
  • Law No. 10,467 (11/06/2002)
  • Law No. 12,683 (09/07/2012)
  • Law No. 12,846 (01/08/2013)
  • Law No. 13,260 (16/03/2016)
  • Law No. 13,810 (08/03/2019)
  • Law No. 14,286 (31/12/2021)
  • CMN Resolution No. 3,426 (22/12/2006)
  • COAF Resolution No. 31 (07/06/2019)
  • CMN Resolution No. 4,595 (28/08/2017)
  • BCB Circular No. 3,978 (23/01/2020)
  • BCB Resolution No. 44 (23/11/2020)
  • BCB Resolutions Nos. 277, 278, 279, 280, 281 and 282 (31/12/2022)
  • BCB Circular Letter No. 4,001 (29/01/2020)
Finally, CRIPTO HOST notes the possibility of incorporating rules provided under foreign legal frameworks through regulated self-regulation, in order to enhance the robustness of AML/CFT procedures.

5. Definitions and Concepts of the Offenses Addressed

5.1 Money Laundering

Money laundering consists of a set of commercial or financial operations intended to introduce into the economy assets, rights, or values originating from any criminal offense, including but not limited to drug trafficking, arms trafficking, corruption, etc. Through “laundering,” “dirty money” (originating from unlawful activities) is transformed into “clean money” (with an appearance of legitimacy). Typically, such offenses are committed:
  1. To conceal or disguise the nature, origin, location, disposition, movement, or ownership of assets, rights, or values derived directly or indirectly from criminal offenses.
  2. To conceal or disguise the use of assets derived from criminal offenses, converting them into lawful assets; or acquiring, receiving, exchanging, negotiating, giving or receiving as collateral, holding, depositing, moving, transferring; or importing/exporting goods at values that do not correspond to their true value.
  3. By using, in economic or financial activity, assets derived from criminal offenses; or participating in a group, association, or office knowing that its primary or secondary activity is directed toward money laundering or terrorism financing.
In summary, to disguise illicit profits without compromising those involved, money laundering occurs through a dynamic process with the following objectives (which may occur without being simultaneous):
  • Placement: distancing funds from their origin and avoiding direct association with the crime;
  • Layering/Concealment: disguising movements to hinder tracing;
  • Integration: making the money available again to criminals after sufficient movement through the laundering cycle, so it may be considered “clean” (lawful).

5.2 Terrorism Financing

Terrorism financing aims to provide funds for terrorist activities. Funding may occur through multiple means, including licit sources such as personal donations, undue payments, and resources for non-profit organizations, as well as illicit sources such as drug trafficking, arms smuggling, illicit appropriation of goods and services through force, fraud, kidnapping, extortion, and others.

6. Parties Involved in AML/CFT Prevention and Enforcement

  • International Organization for Standardization (ISO): an independent international entity that develops globally recognized technical and management standards, promoting standardization, safety, quality, and efficiency. Within AML and compliance, ISO is relevant for establishing risk management and internal controls frameworks such as ISO 37301 (Compliance Management Systems) and ISO 31000 (Risk Management).
  • Financial Action Task Force (FATF/GAFI): an intergovernmental body responsible for setting global standards and promoting effective implementation of legal, regulatory, and operational measures to combat money laundering, terrorism financing, and proliferation financing.
  • Bank for International Settlements (BIS): contributes indirectly through dissemination of regulatory best practices among central banks and financial authorities, including through the Basel Committee.
  • Central Bank of Brazil (BCB): responsible for establishing basic AML/CFT policy guidelines and ensuring supervised institutions communicate suspicious transactions to COAF.
  • COAF: Brazil’s Financial Intelligence Unit, linked to the Ministry of Finance, responsible for receiving, examining, and identifying suspicious occurrences and issuing Financial Intelligence Reports (RIFs).
  • Regulated/Supervised Institutions: institutions supervised by the BCB and required to follow regulator requirements, including VASPs (PSAVs) under Law No. 14,478/2022.
  • Federal Public Prosecutor’s Office (MPF): responsible for investigating suspicious cases, opening inquiries, and filing criminal charges.
  • Police Authorities: perform investigation, evidence gathering, tracing illicit funds, and cooperation with COAF, Receita Federal, BCB, etc.
  • Judiciary: responsible for conviction/acquittal and may determine freezing and confiscation of assets.
Illustration of the functioning of agents (Brazil level):
(Insert illustration here)

7. Temporal Dynamics of Illicit Activity in Cryptoassets: Evidence of the Inability to Conceal Funds Given On-Chain Traceability

The narrative that cryptoassets constitute an “Eldorado” for money laundering and financial crime does not withstand empirical analysis. Annual reports by Chainalysis, a globally recognized on-chain tracing source, indicate a clear trend: while the absolute volume moved by illicit addresses remains significant in billions of dollars, the proportion of such flows relative to total global blockchain transactions has systematically declined. These data show a trajectory opposite to claims of uncontrolled expansion. In practice, the combination of improved blockchain intelligence tools and strengthened prevention measures adopted by market participants has reduced the attractiveness of cryptoassets as vehicles for concealment and laundering. The key point is inherent to public blockchains: every transaction leaves a permanent, open, auditable trail. Unlike traditional finance—where information is fragmented across institutions and jurisdictions—the distributed ledger provides unprecedented transparency. This is why major law enforcement operations and international sanctions increasingly rely on on-chain analysis as an intelligence and evidentiary tool. Moreover, contrary to the belief that blockchain provides absolute anonymity, it offers pseudonymity. Transactions are recorded immutably in a public ledger and linked to cryptographic addresses that may be correlated with external data, transactional patterns, and information from exchanges and fiat conversion points. Through specialized forensic analysis and regulatory cooperation, it is possible to reconstruct flows and ultimately identify agents involved in illicit operations. Therefore, blockchain not only fails to provide full anonymity, but also offers a more transparent and durable evidentiary base than most traditional financial infrastructures. The stability of absolute figures contrasted with the declining percentages suggests crime has not disappeared, but has become proportionally marginal given legitimate market growth—especially due to increasing professionalization of market participants. Regulatory and legal implications:
  1. Reputational risk is more related to misunderstanding traceability than to statistical reality.
  2. Blockchain is an ally in fighting financial crime.
On-chain compliance mechanisms—risk scoring, blocklists, and international cooperation—tend to become central prevention tools. This Policy is drafted under this perspective.

8. Allocation of Responsibilities

CRIPTO HOST responsibilities under this Policy are divided among:
  1. Employees
  2. Directors
  3. Service providers/partners
CRIPTO HOST provides and encourages annual training for employees and administrators and expects similar standards from service providers. It also promotes a fair professional environment with equal opportunities and without discrimination (regardless of age, gender, race, social class, religion, or belief). CRIPTO HOST preserves independence and autonomy for reporting incidents, ensuring no sanctions will be applied to any person who reports an incident—even if the report is later archived for lack of material evidence—provided there were reasonable suspicious elements.

Compliance Agents

a) Chief Compliance Officer (CCO)

Independent and autonomous; responsible for:
  • Creating AML/CFT compliance policy and guidelines
  • Managing, applying, maintaining, and updating governance, rules, controls, and procedures
  • Preparing the dossier to be submitted to the deliberative meeting
  • Proposing whether a transaction should be deemed illicit
  • Coordinating penalties when applicable
  • Conducting annual training (at least once per year)

b) Compliance Analyst (CA)

Provides support to the CCO to ensure policy effectiveness.

c) Senior Management

Responsible for:
  • Approving this Policy and updates
  • Ensuring access to AML/CFT materials
  • Ensuring annual registry tests
  • Responding to external audit findings
  • Ensuring implementation alongside the CCO
  • Approving budget for training/certifications
  • Assuming responsibility to third parties for the practical effectiveness of AML/CFT compliance

d) Compliance Committee

Temporary body formed by:
  • CCO
  • Compliance Analyst
  • 1 Senior Management representative
  • 1 accountant
  • 1 outsourced legal consultant
  • 1 outsourced on-chain investigator
Responsible for investigating suspected AML/CFT violations and compliance breaches. Supports analysis of formal regulatory requests relating to AML/CFT.

f) Employees

Must support monitoring within their competencies and report suspicious cases immediately to the CCO via:
fale@cripto.host
Employees must maintain strict confidentiality and avoid alerting the alleged violator, client, partner, or related individuals.

9. AML/CFT Procedure

CRIPTO HOST’s AML/CFT procedure includes multiple stages. When possible, CRIPTO HOST will rely on regulated partners (VASPs) to require compliance practices, including but not limited to KYC and KYT. The procedure requires sufficient information to build a customer profile, including expected transaction type and volume and risk evaluation. By understanding customer nature, purpose, and expected behavior—combined with continuous KYT monitoring—CRIPTO HOST can establish a baseline of expected activity to detect suspicious deviations. When CRIPTO HOST identifies a suspicious transaction during its retail operation, it will initiate the procedure described in this Policy. Example: if a single customer contracts services in volumes outside what is reasonably expected (number of nodes, ASICs, etc.), the transaction must be treated as suspicious and a Compliance Committee must be formed.

9.1 Customer Registration

Customer registration is a key tool for monitoring, as it enables evaluation of consistency between customer financial movement, economic activity, and financial capacity. Under BCB regulations and best compliance practices, CRIPTO HOST’s regulated partner—when participating in the transaction—must conduct this registration and will be responsible for it. When the partner does not participate, and in cases involving suspicious transactions, CRIPTO HOST will, when possible, collect necessary data regarding the person behind the operation: Individuals
  • Original ID document or certified copy
  • Proof of address
  • Income tax return statement
  • PEP declaration
Legal Entities
  • Corporate structure (Ultimate Beneficial Owners)
  • Corporate documents (Articles/Bylaws)
  • Accounting documents
  • Documents of shareholders and administrators (as above)
CRIPTO HOST reserves the right to use public and private databases to strengthen verification.

9.2 Atypical Operations

Atypical operations are any transaction or set of transactions that:
  • Deviate from expected customer behavior
  • Lack compatible economic or legal justification
  • Present characteristics suggesting concealment of origin, nature, location, disposition, or ownership of resources

9.3 Monitoring

Transactions conducted through CRIPTO HOST services are monitored to identify suspicious activity and apply appropriate measures when suspicion is confirmed. Monitoring includes analysis of legal, regulatory, and public/private sources, following due diligence practices aimed at identifying operational failures, measuring risks, and determining compliance levels.

9.4 Analysis of Atypical Operations

Once identified—or upon receipt of a report—if a transaction is classified as “suspicious” according to business practice, it must be treated as suspicious for all purposes, and the verification procedure must begin. CRIPTO HOST may suspend services for the time required to conclude verification and conformity analysis, without liability to the Customer.

Compliance Committee Formation

Upon identifying an atypical operation, the CCO shall convene the Compliance Committee consisting of:
  1. CCO
  2. Compliance Analyst
  3. 1 outsourced lawyer (pre-designated by Senior Management)
  4. 1 Senior Management representative
  5. 1 outsourced specialized accountant (pre-designated)
  6. 1 on-chain investigator (pre-designated)
The CCO must also convene the members when establishing the Committee. At the time of convening, the CCO will provide a brief report describing the incident and a preliminary deadline for the dossier presentation.

Timeline

The investigation must be concluded within 10 business days, extendable once for an equal period, with justification by the CCO and communication to interested parties (Customer and Committee members). The Committee will assess transaction legality using the dossier prepared by the CCO. If additional documentation is required, the Customer will be notified by any communication means and must provide documentation within 24 hours, extendable depending on the case.

Deliberation and Voting

The CCO will prepare a Dossier for Committee deliberation. By simple majority vote, the Committee will decide the measures to apply. The CCO’s conclusion will be included in the Dossier; the Committee may adopt or reject it by majority vote. The CCO’s vote is consultative only. The CCO will convene the deliberative meeting by any means, and the Dossier must be provided at the time of convening. The meeting must be scheduled no earlier than five days from dossier availability to allow proper review.

Neutral Role of the CCO

The CCO does not act as an accuser nor seek punishment. The role is technical, neutral, and aimed at verifying legality and conformity in accordance with internal rules, applicable law, equity, and good faith. All documents and reports are technical and descriptive, intended solely to support CRIPTO HOST decision-making bodies. The CCO must avoid bias, pre-judgment, or punitive orientation.

Minutes and Confidentiality

Meeting minutes must be drafted containing each member’s reasoned vote, vote counting, and final decision. The Dossier must not be shared with third parties, except regulators, Committee members, regulated partners, and/or law enforcement authorities if requested. After minutes are signed, the Committee is dissolved and determined measures executed by the CCO.

Record Retention

CRIPTO HOST will store all documents for at least 10 years, including customer records, Dossiers, deliberation minutes, etc.

9.5 Measures That May Be Applied

If the transaction is deemed irregular, CRIPTO HOST will:
  • Tag the wallet involved and commit not to contract services with it or related wallets (based on on-chain analysis).
  • When possible, file a report to COAF through the official portal, submitting the Dossier supporting the report.
  • Inform regulated partners (financial institutions, exchange houses, regulated VASPs) which may report through Siscoaf.
  • When possible, file a report to the MPF requesting investigation, through the MPF portal.

10. Reporting Channel (Whistleblowing)

Internal reports must be made only when the reporter identifies justified indicators of illegality based on CCO training. Reports must be sent to:
  • fale@cripto.host
    or submitted via a website form accessible to clients, service providers, and the public.
CRIPTO HOST guarantees whistleblower anonymity to third parties. Only the CCO may identify the whistleblower, to assess legitimacy. Non-anonymity to the CCO exists to prevent bad-faith reporting and maintain procedural efficiency. No penalty will be imposed on whistleblowers even if the suspicious signs prove to be only indicators after investigation.

11. Publication and Unrestricted Access

This Policy is accessible to any interested party through CRIPTO HOST’s website under:
“Anti-Money Laundering Policy – AML/CFT” https://cripto.host/ Employees and partners will receive a copy by email upon execution of the contract.

12. Responsibility Toward Regulated Partners and/or Regulators

CRIPTO HOST’s activity does not constitute a regulated activity, as it does not fall under the SPSAV concept under Law No. 14,478/2022 nor the new BCB regulation (Resolutions 519/2025 and 520/2025). However, CRIPTO HOST recognizes its obligation—under regulated self-regulation—toward regulators, clients, and regulated partners to maintain effective AML/CFT controls. CRIPTO HOST appoints Senior Director Tiago Hintz as the responsible officer toward partners regarding adherence to the measures provided in the current regulation, partner policies, and this AML/CFT Policy. The designated Director is expressly prohibited from assuming activities that conflict with the responsibility undertaken.

13. Board Approval

This 2026 version of the Policy has been duly approved by CRIPTO HOST’s Management, as evidenced by the signature at the end of this document.