Crypto Assets Transfer Services Disclosure

1. Purpose

CoinJar Europe Limited (“CoinJar Europe”, “CEL”, “the Firm”, “we”, “our” or “the Company”) is committed to the secure, transparent, and compliant transfer of crypto-assets on behalf of our customers. The Company recognises that trust in our transfer operations is critical to upholding our regulatory obligations, protecting customer assets, and maintaining the integrity of the financial ecosystem.

This Disclosure reflects our commitment to safe and compliant crypto-asset transfers, supported by effective customer communication, pre- and post-transfer transparency, data security, and a risk-based control environment.

The Disclosure applies to all crypto-asset transfer services offered by the Company and is designed to ensure alignment with applicable regulatory frameworks, supervisory guidelines, and internal governance standards. It is part of the Company’s broader financial crime compliance and operational risk framework.

2. Key definitions

• AML - anti-money laundering, referring to the legal and regulatory measures implemented to detect and prevent money laundering activities;
• AMLD4 - Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing;
• AMLD5 - Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018, amending Directive (EU) 2015/849 on AML/CFT and other related directives;
• Applicable Laws - all EU and domestic legal instruments applicable to the Company, including MiCAR, the Travel Rule Regulation, GDPR, ESMA Guidelines, and national laws;
• Beneficiary - the natural or legal person who is the intended recipient of a crypto-asset transfer;
• Board - the Board of Directors of CoinJar Europe Limited;
• Business Relationship - a business, professional, or commercial relationship between the Company and a Customer that is expected to have some duration at the time it is established;
• CASP (Crypto Asset Service Provider) - a legal entity authorised under MiCAR to offer crypto-asset services, including the transfer of crypto-assets on behalf of customers;
• Head of Compliance - the Head of Compliance of the Company, responsible for overseeing compliance with regulatory requirements and internal policies;
• CEO - the Chief Executive Officer of the Company;
• CFT - combating the financing of terrorism, referring to efforts and controls designed to prevent, detect, and report financial support of terrorist activities;
• CISO - the Chief Information Security Officer of the Company, responsible for overseeing IT security risks and ensuring the secure transmission of data related to crypto-asset transfers;
• Customer - any natural or legal person with whom the Company has entered into or is negotiating a Business Relationship for crypto-asset services;
• DLA (Distributed Ledger Address) - an alphanumeric identifier that designates a specific address on a blockchain or other distributed ledger for sending or receiving crypto-assets;
• DLT (Distributed Ledger Technology) - technology that allows data to be recorded and stored across a distributed network of computers or nodes, including public and permissioned blockchains;
• Employee - any individual working for the Company, whether on a permanent or temporary basis, whose duties relate to crypto-asset transfers or related controls;
• ESMA - the European Securities and Markets Authority, the EU supervisory authority responsible for overseeing compliance with MiCAR;
• ESMA Guidelines - regulatory guidelines issued by ESMA to support the implementation of MiCAR and provide additional clarity on supervisory expectations;
• EU - the European Union and/or European Economic Area, depending on the applicable legal context;
• EWRA (Enterprise-Wide Risk Assessment) - the Company’s formal assessment of the risks of money laundering and terrorist financing it is exposed to across its business activities;
• FATF - the Financial Action Task Force, the global standard-setting body for anti-money laundering and counter-terrorist financing;
• GDPR - Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
• ICT - information and communication technologies used in the provision, management, and security of crypto-asset transfers;
• International Sanctions - restrictive measures including financial sanctions, asset freezes, or embargoes imposed by the EU, United Nations, or other international organisations, and applicable within the EU;
• KYC (Know Your Customer) - the process of verifying the identity of Customers and assessing associated risks, including the collection of personal and transactional information;
• Management - for the purposes of this Disclosure, the Board of Directors and the CEO of the Company; MiCAR - Regulation (EU) 2023/1114 on Markets in Crypto-assets, which establishes a harmonised EU regulatory framework for crypto-assets and service providers;
• ML (Money Laundering) - the process of concealing the origins of illegally obtained funds by passing them through legitimate channels;
• MLRO (Money Laundering Reporting Officer) - the person appointed by the Company to oversee AML/CFT compliance and report suspicious activities to relevant authorities;
• Originator - the natural or legal person who initiates a crypto-asset transfer or on whose behalf the transfer is made;
• PEP (Politically Exposed Person) - a natural person who is or has been entrusted with prominent public functions, including heads of state, ministers, parliamentarians, judges, military officers, and leaders of state-owned enterprises;
• Personal Data - any information relating to an identified or identifiable natural person, including transaction metadata, wallet addresses, and customer identification data;
• Disclosure - this Crypto Assets Transfer Services Disclosure, as adopted by the Board of Directors of the Company, including all future revisions approved in accordance with the governance provisions herein;
• Prominent Public Functions - roles associated with political, judicial, military, or administrative authority in national or international organisations, as defined under AML/CFT regulations;
• RTS - the regulatory technical standards developed by ESMA to supplement MiCAR, specifying certain requirements for CASPs and competent authorities;
• SAR (Suspicious Activity Report) - a formal report submitted to a competent authority, when the Company suspects or has reasonable grounds to suspect money laundering or terrorist financing activity;
• SCA (Strong Customer Authentication) - an authentication method based on the use of two or more independent elements (e.g., knowledge, possession, inherence) to ensure secure access and consent;
• Supervisory Authority - the competent regulatory authority with oversight responsibility for crypto-asset services under MiCAR and other applicable frameworks. For CoinJar Europe, this includes the Central Bank of Ireland;
• TF (Terrorist Financing) - the act of providing financial support to individuals, groups, or organisations engaged in terrorism;
• Third-Party Service Provider - any external party contracted by the Company to support the execution, monitoring, or compliance aspects of crypto-asset transfers, including custodians, blockchain analytics providers, and sanctions screening tools;
• Transfer of Crypto-Assets - the transmission of crypto-assets between Originator and Beneficiary, either directly or through intermediary CASPs, and subject to the regulatory obligations of MiCAR and the Travel Rule Regulation;
• Travel Rule - the obligation under Regulation (EU) 2023/1113 requiring the transmission of Originator and Beneficiary information alongside crypto-asset transfers to ensure traceability and compliance with AML/CFT requirements;
• Travel Rule Guidelines - the EBA/GL/2024/11 Guidelines on information requirements for crypto-asset transfers issued under the Travel Rule Regulation;
• Travel Rule Regulation - Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets, which mandates data transmission and transparency obligations for CASPs and other obliged entities.

Other terms that are not defined in this section shall have the meanings ascribed to them by MiCAR and ESMA Guidelines.

3. Guiding Principles

The Company’s approach to crypto-asset transfers is grounded in the following guiding principles, which ensure the integrity of the process and compliance with applicable regulatory standards:

• Compliance-first execution – All crypto-asset transfers are subject to regulatory obligations under MiCAR, the Travel Rule Regulation, GDPR, and applicable AML/CFT laws. No transfer is executed unless all legal, compliance, and risk-based requirements are satisfied.
• Transparency and customer awareness – Customers are informed clearly and in advance of the rights, obligations, risks, and timing parameters associated with crypto-asset transfers. Pre-execution and post-execution information is provided in plain language through secure, accessible channels.
• Security by design – The Company ensures the secure transmission and processing of Originator and Beneficiary information through robust ICT infrastructure, multi-layered authentication, encryption, and regular security testing.
• Risk-based decision-making – Transfer instructions are evaluated using automated and manual controls aligned with the Customer’s risk profile, jurisdictional exposure, and transaction characteristics. Transfers may be rejected, suspended, or escalated based on defined risk triggers.
• Data integrity and privacy – All personal and transactional data processed during a crypto-asset transfer is handled in accordance with GDPR and relevant privacy laws. Data is stored, accessed, and transmitted only on a need-to-know basis with appropriate safeguards in place.
• Responsiveness and accountability – The Company notifies Customers promptly in cases of failed, rejected, or delayed transfers. Decisions are documented, auditable, and communicated within regulatory timeframes.
• Customer-centric delivery – The Company provides tools, disclosures, and support to empower Customers to understand and manage their crypto-asset transfers effectively. Educational content is made available to explain processes, risks, and rights.
• Continual improvement and oversight – The crypto-asset transfer framework is reviewed periodically to reflect evolving technologies, risk trends, regulatory updates, and audit findings. Feedback loops from internal monitoring and customer interactions inform control enhancements.

These principles support the Company’s broader commitment to regulatory integrity, operational excellence, and customer protection in the fast-evolving digital asset ecosystem.

4. Application

This Disclosure applies to all crypto-asset transfers, regardless of:

• The type of crypto-asset being transferred (e.g., utility tokens, stablecoins, e-money tokens);
• The nature of the receiving wallet (e.g., hosted, self-hosted, or third-party wallet);
• The Customer type (e.g., individual, corporate, institutional); and
• The jurisdiction or DLT network involved in the transfer.

The Disclosure is effective from the date of its approval by the Board of Directors and remains in force until formally amended or replaced. All Employees and relevant third parties are required to be familiar with the Disclosure and to act in accordance with its provisions. Failure to comply may result in disciplinary action or termination of contractual relationships, where applicable.

5. Customers Rights in the Context of Transfer Services

Customers engaging CoinJar Europe to transfer crypto assets on their behalf are entitled to:

• Right to Timely Execution: Customers have the right to expect that valid transfer instructions will be executed promptly, subject to applicable compliance and risk checks.
• Right to Accuracy and Finality: Customers can expect accurate processing of the transfer in accordance with the terms presented at the point of instruction, with confirmation of completion or failure provided promptly.
• Right to Transparency: Customers will receive clear information regarding any fees, network charges, timing expectations, and the applicable blockchain network prior to confirming the transfer.
• Right to Withdraw Consent Prior to Execution: Where technically possible and prior to execution, customers may cancel or amend a transfer instruction.
• Right to Complain and Seek Redress: Customers have the right to lodge complaints regarding failed, delayed, or incorrect transfers, and to escalate unresolved matters to the Financial Services and Pensions Ombudsman (FSPO).
• Right to Protection of Funds and Assets: Customers’ crypto assets are safeguarded in segregated wallets and are not commingled with proprietary assets, ensuring that their ownership is preserved in the event of operational disruption or insolvency.
• Right to Information on Transfers: Customers have the right to obtain details of their transfer requests and historical transaction data in a durable medium at no additional cost.
• Right to Data Privacy: Customers’ personal and transactional data are processed in accordance with GDPR and only shared with third parties (e.g. for Travel Rule compliance) where legally required and transparently disclosed.

6. Information Collection, Disclosure, Customer Communication Requirements

The Company establishes, implements, and maintains internal policies and procedures to ensure that, prior to entering into an agreement for the provision of transfer services for crypto assets, each Customer receives, in a durable medium and in electronic format, the full scope of information and conditions related to the transfer services.

The Company ensures that the information is provided in a clear, fair, and non-misleading manner, enabling the Customer to make an informed decision. The Company ensures that the policies and procedures governing the provision of this information are consistent with MiCAR, ESMA Guidelines, and other Applicable Laws.

7. Information and Conditions to be Provided Prior to Agreement

Prior to entering into an agreement for the provision of crypto-asset transfer services, the Company ensures that each Customer is provided with clear and comprehensive information, in a durable and electronic format, as required under MiCAR and related regulations. This includes the following:

• Identification of the Company, including its legal name, registered office address, and available communication channels such as official email and any additional methods agreed with the Customer.
• Identification of the Supervisory Authority, including confirmation that the Company is regulated by the Central Bank of Ireland.
• Description of Crypto-Asset Transfer Services, including the characteristics of the services offered (e.g., supported asset types, DLT networks used, and general service flow), as well as an explanation of the types of DLT networks supported per crypto-asset, including their type (e.g., public or permissioned blockchain), consensus mechanism (e.g., Proof-of-Work, Proof-of-Stake), and typical behaviour (e.g., latency, finality conditions).
• Procedure for Transfer Initiation, Consent and Withdrawal, including:
  • The method for initiating a transfer through the Company’s app or platform;
  • The requirement for SCA prior to submission;
  • The process for withdrawal of consent before a transfer is broadcast to the DLT network;
  • The information required from the Customer to initiate a valid transfer (e.g., recipient DLA, asset type, amount, reference details);
  • Conditions under which the Company may reject a transfer, including missing or invalid information, AML/CFT or sanctions concerns, or transaction monitoring red flags.
• Transfer Instruction Receipt and Cut-Off Times, including confirmation that receipt times are determined via system timestamps and that no cut-off times are applied.
• Execution Time, including the maximum time required to execute a transfer based on the relevant DLT network, block confirmation thresholds, and information that actual execution time may vary due to external conditions such as network congestion.
• Disclosure of Fees, including a breakdown of all applicable charges (e.g., Company service fees, network gas fees, compliance-related fees) made available to the Customer prior to execution.
• Communication Channels, including:
  • The option to select preferred channels during onboarding;
  • Use of the in-app message centre for operational and security notices;
  • Use of email for confirmations and formal notices;
  • Use of the dashboard for transaction history and downloadable records;
  • Assurance that all channels meet GDPR and MiCAR security standards.
• Technical Requirements, including the need for a stable internet connection, a compatible and updated operating system (e.g., Android, iOS, Windows), a modern web browser (e.g., Chrome, Firefox), and access through secure login credentials and multi-factor authentication where applicable.
• Information Delivery Methods and Timing, including:
  • Provision of information prior to agreement via electronic channels;
  • On-demand availability via the Customer dashboard;
  • Advance notification of material changes to terms or conditions, allowing Customers to review and respond as necessary.
• Language of Communication, with English as the default communication language unless otherwise agreed with the Customer.
• Fraud and Security Notifications, including:
  • Immediate notification in the event of suspected or actual fraud or system breach;
  • Description of the types of incidents that trigger notification;
  • Expected Customer response and escalation procedures;
  • Reminders of Customer responsibilities to monitor communication channels and report suspicious activity.
• Customer Notifications for Incorrect or Unauthorised Transfers, including:
  • The Customer’s obligation to report such incidents within three business days;
  • A summary of the Company’s liability framework, including conditions for redress in accordance with applicable laws
• Termination Rights, including:
  • The Customer’s right to terminate the crypto-asset transfer service at any time without penalty, subject to prior notice;
  • The obligation to settle outstanding transfers or fees prior to termination;
  • The Company’s responsibility to disable access following successful termination and confirm the outcome via a durable medium;
  • The obligation to retain transfer-related data in line with AML/CFT and recordkeeping requirements. The Company ensures that the above information remains continuously available to the Customer throughout the duration of the Business Relationship. The Customer may request a copy of the agreement or any related information at any time in electronic format.

8. Information Availability, Updates, And Delivery Format

The Customer retains the right to access the agreement and all information described in Section 8 during the term of the Business Relationship. Such access is provided electronically, free of charge.

The Company ensures that all such information is communicated in plain, clear, and comprehensible language, enabling Customers to fully understand the nature and terms of the crypto assets transfer service.

The Company ensures that the Customer is notified in advance of any material changes to the information specified in Section 8, using durable communication channels such as email or in-app notifications. The notification provides a clear summary of the proposed changes, the rationale behind the update, and the effective date of the changes.

The Company submits notifications with sufficient lead time, no less than 14 calendar days, unless regulatory obligations require immediate implementation. The Customer is given the opportunity to review, request clarification, or raise concerns before the effective date. A record of each notification and any subsequent Customer interactions is retained by the Company in accordance with internal compliance procedures.

9. Pre-Execution Disclosures

Before executing any crypto asset transfer, the Company ensures full compliance with the requirements set out in the Travel Rule Regulation, These steps include:

• Verifying the presence and completeness of all required Originator and Beneficiary information;
• Conducting necessary screening (e.g., sanctions, PEP, adverse media) on the Customer and transfer counterparties;
• Ensuring the legitimacy of the crypto asset transfer’s purpose and reviewing the context where risk indicators are triggered;
• Confirming that the crypto asset transfer does not involve prohibited jurisdictions, self-hosted wallets lacking verification, or other restricted channels.
• In line with the Travel Rule Regulations.

The Company ensures that crypto asset transfer is not proceeded unless all compliance checks and data integrity requirements are satisfied. Any transaction that fails these checks is either rejected, suspended for further review, or escalated to the MLRO. The Company retains documented evidence of the compliance steps taken prior to execution in accordance with its internal audit and record keeping policy.

Prior to executing a transfer, the Company provides the Customer with:

• A standardised warning, displayed in a clear and prominent manner, informing the Customer that the crypto asset transfer, once executed, may be irreversible or only probabilistically reversible depending on the characteristics of the underlying DLT network;
• A comprehensive breakdown of estimated charges associated with the transfer, including but not limited to:
  • Gas or network fees, reflecting real-time estimates based on the selected DLT network’s current conditions;
  • Service fees charged by the Company for facilitating the crypto asset transfer, expressed as either a flat rate or a percentage of the crypto asset transfer’s amount; and
  • Any additional applicable charges, where applicable. The Company presents the above information to the Customer in a standardised, comprehensible format before the transfer is initiated. The Customer is required to acknowledge and explicitly consent to the crypto asset transfer based on this information prior to execution.

The Company executes the crypto asset transfer only after the Customer explicitly confirms acceptance.

Transfer Restrictions

CoinJar will not provide transfer services in respect of e-money tokens (i.e. stablecoins that reference a single official currency). A CoinJar customer cannot transfer e-money tokens off platform but can hold them, use them to purchase other crypto-assets, sell them for fiat currency, or purchase them directly from CoinJar. We reserve the right to change this permission at any time.

10. Post-Execution Information

Following the execution of each crypto asset transfer, the Company ensures that the Customer is provided, without undue delay and in electronic format, with at least the following information:

• Name of the Originator and Beneficiary;
• Originator’s DLA or crypto asset account number;
• Beneficiary’s DLA or crypto asset account number;
• A reference number enabling the Customer to identify the specific crypto asset transfer;
• The amount and type of crypto asset transferred or received;
• The debit or credit value date associated with the transfer;
• The amount of any charges, fees, or commissions applied, including a breakdown by component.

The Company ensures that information described above is made available to the Customer via the agreed electronic channel. Where such post-execution information is not provided more frequently than once per month, it is provided free of charge.

The Company’s internal procedures define how this information is compiled, verified, and distributed. The Company ensures accuracy, completeness, and auditability of all post-execution data, and retains appropriate records in accordance with applicable laws.

11. Customer Notification in Case of Rejected, Returned, or Suspended Crypto Assets Transfers

The Company maintains a process to ensure that, in the event a crypto asset transfer is rejected, returned, or suspended, the Customer is informed promptly and in a clear and secure manner.

The Company provides to the Customer, in electronic format and via agreed means of communication, at least the following information:

• The reason for the rejection, return, or suspension (e.g., invalid DLA, network disruption, or technical failure).
• Where applicable, instructions on how to resolve the issue that caused the rejection or suspension (e.g., submitting missing documentation or correcting input errors).
• The amount of any charges or fees incurred as a result of the failed crypto asset transfer, including whether these may be reimbursed under the circumstances.

The Company sends the notifications on the failed crypto asset transfer without undue delay, but no later than 4 business hours from the time the issue has been detected. The Company sends the notification with the information specified in the above points within 12 hours from the time the issue has been detected.

The Company ensures the message is conveyed in a format that is comprehensible to the Customer and consistent with MiCAR and ESMA expectations. The Company recognises the business hours as 09:00 to 18:00 EET on business days, excluding weekends and national holidays. If the issue is detected outside of these hours, the 4-hour window begins at the start of the next business day. All notifications include a time stamp of issuance and are logged for compliance tracking purposes.

All such events are recorded in internal systems and monitored to identify potential operational or compliance risks. The procedures also ensure appropriate escalation to the Compliance and Risk functions when repeated failures or suspicious patterns are detected.

12. Crypto Assets Transfer Timing and Finality Parameters

The Company defines and communicates timing and finality parameters applicable to crypto asset transfers. These parameters are disclosed to the Customer prior to initiating the crypto asset transfer and include the following:

• Maximum execution times:
  • The maximum time for executing a crypto asset transfer is set based on the asset type, selected DLT network, and current network conditions.
  • The Company monitors network performance and updates execution estimates periodically, at least every calendar quarter.
• Finality estimations:
  • For each supported DLT network, the Company defines a reasonable estimate of the time or number of block confirmations needed for the crypto asset transfer to be considered irreversible or sufficiently irreversible in case of probabilistic settlement.
  • These parameters are reviewed regularly, at least every calendar quarter, to reflect network behaviour, including risk of chain reorganisations or rollback events.
• Customer communication:
  • All timing expectations and finality indicators are presented to the Customer prior to confirming the crypto asset transfer.
  • Any deviations from standard processing (e.g., due to congestion or outages) are promptly communicated through agreed channels.

To support operational transparency and regulatory compliance, the Company maintains a centralised log of timing estimates and network finality assumptions. The Head of Compliance reviews this log periodically, at least every 6 months, to ensure alignment with technical developments, risk assessments, and ESMA guidance.

13. Risk-Based Decision Process for Transfer Outcomes

The Company establishes, implements, and maintains risk-based internal policies and procedures for determining whether and how to execute, reject, return, or suspend the crypto asset transfer. This decision process is supported by a risk assessment framework that considers multiple factors, including:

• The Customer’s risk profile and KYC classification.
• The nature, purpose, and counterparties involved in the crypto asset transfer.
• Results of sanctions screening, PEP status, and adverse media checks.
• Compliance with applicable AML/CFT regulations and the Travel Rule Regulation.
• The presence of incomplete or inconsistent information.
• Association with jurisdictions or sectors posing elevated ML/TF risks.

These procedures include automated and manual controls embedded into the Company’s transaction monitoring systems. Crypto asset transfers flagged for risk are either rejected or paused pending review and may be escalated to the MLRO for final determination.

Decisions and underlying rationales are documented and retained in accordance with the Company’s audit and regulatory reporting obligations.

The Disclosure ensures alignment with the provisions of the Regulation on Travel Rule Regulation and relevant EBA Guidelines on preventing the abuse of crypto asset transfers for money laundering or terrorist financing purposes.

14. Liability Framework for Unauthorised or Incorrectly Executed Transfers

The Company defines the conditions of its liability to the Customers in the event of unauthorised or incorrectly initiated or executed crypto asset transfers. This includes direct references in the Customer agreement to the relevant legal obligations under MiCAR and other applicable regulations.

Key elements of the liability framework include:

• Definition of liability conditions:
  • The Company clearly defines in the Customer agreement the circumstances under which it accepts liability for an unauthorised or incorrect transfer.
  • These include transfers executed without proper Customer authentication or those executed to a different DLA due to a processing error by the Company.
• Limitations and exclusions:
  • Liability may be limited in cases where the Customer fails to notify the Company within the specified time window (e.g., 3 business days) or where the Customer has acted with gross negligence.
  • The Company disclaims liability in instances involving force majeure, external DLT network failures, or if incorrect information was provided by the Customer.
• Remediation process:
  • Upon receiving a valid notification, the Company investigates the incident and determines the appropriate remediation, including reversal (if technically feasible) or reimbursement.
  • The outcome of the investigation is shared with the Customer.
• Communication and transparency:
  • The liability terms are disclosed in the service agreement and summarised in onboarding materials.
  • Customers are advised of their responsibilities in protecting access credentials and promptly reporting irregularities.

All liability claims, investigations, and outcomes are documented and retained in line with the Comp audit recordkeeping obligations.

15. Disclosure Review and Waivers

This Disclosure is reviewed at least annually.