VFTChain Compliance Framework

Effective Date: January 1, 2026 Last Updated: October 29, 2025 Version: 1.0

1. Executive Summary

This Compliance Framework establishes VFTChain's comprehensive approach to regulatory compliance across multiple jurisdictions. The framework addresses:

Sanctions Compliance: OFAC and international sanctions screening
AML/KYC: Anti-money laundering and know-your-customer procedures
Securities Regulations: Token classification and securities law compliance
Data Protection: GDPR, CCPA, and privacy regulations
Tax Compliance: Reporting and withholding obligations
Licensing: Money transmitter and exchange license analysis

Core Compliance Principles:

Non-custodial architecture minimizes regulatory burden
Utility token classification avoids securities regulations
Sanctions screening is mandatory and automated
Risk-based approach to AML/KYC
Continuous regulatory monitoring and adaptation

2. Regulatory Landscape Overview

2.1 United States

Federal Agencies

Securities and Exchange Commission (SEC):

Jurisdiction: Securities regulation
Relevance: VFTC token classification
Status: VFTC qualifies as utility token (NOT a security)
Monitoring: Ongoing SEC crypto guidance and enforcement actions

Commodity Futures Trading Commission (CFTC):

Jurisdiction: Commodities and derivatives
Relevance: VFTC may be classified as commodity (acceptable)
Status: No futures/derivatives offered (outside CFTC jurisdiction)
Monitoring: CFTC interpretive guidance on digital assets

Financial Crimes Enforcement Network (FinCEN):

Jurisdiction: Anti-money laundering, money services businesses
Relevance: MSB registration requirements
Status: Non-custodial = NOT MSB (no registration required)
Monitoring: FinCEN guidance on convertible virtual currencies

Office of Foreign Assets Control (OFAC):

Jurisdiction: Sanctions and embargoes
Relevance: MANDATORY compliance
Status: Automated wallet and geolocation screening implemented
Monitoring: Daily SDN list updates

Internal Revenue Service (IRS):

Jurisdiction: Tax reporting and withholding
Relevance: Information reporting (Form 1099)
Status: Monitoring developments, preparing reporting systems
Monitoring: IRS guidance on digital asset taxation

State Level

State Money Transmitter Licenses:

Requirement: 48+ state licenses typically required for custodial services
VFTChain Status: NOT REQUIRED (non-custodial architecture)
Exception: New York BitLicense (under review)

New York Department of Financial Services (NYDFS):

BitLicense Requirement: May be required for NY residents
Current Status: NY residents excluded pending legal analysis
Timeline: Application preparation for Q1 2026

2.2 European Union

Markets in Crypto-Assets Regulation (MiCA):

Effective: 2024-2025 (phased implementation)
Scope: Comprehensive crypto regulation across EU
Classification: VFTC likely qualifies as "utility token"
Requirements: Possible white paper publication, registration as CASP
Status: Monitoring implementation, preparing for compliance

General Data Protection Regulation (GDPR):

Scope: Personal data processing for EU residents
Requirements: Consent, data minimization, user rights, DPO appointment
Status: FULL COMPLIANCE (see Privacy Policy)
DPO: Appointed, contactable at Thomas@vftchain.com

5th Anti-Money Laundering Directive (5AMLD):

Scope: AML obligations for crypto service providers
Requirements: Risk assessment, transaction monitoring, suspicious activity reporting
Status: Risk-based approach implemented
Registration: May require CASP registration (under evaluation)

Payment Services Directive 2 (PSD2):

Scope: Payment services and electronic money
Relevance: Limited (no fiat payment processing)
Status: Monitoring for applicability

2.3 United Kingdom

Financial Conduct Authority (FCA):

Cryptoasset Regulations: Exchange tokens not currently regulated as financial instruments
Financial Promotions: Strict rules on marketing and advertising
Requirements: Possible FCA registration required
Status: Evaluating registration necessity

UK GDPR and Data Protection Act 2018:

Scope: Post-Brexit data protection framework
Requirements: Similar to EU GDPR
Status: Full compliance (separate from EU)

2.4 Asia-Pacific

Singapore Monetary Authority (MAS):

Payment Services Act: Licensing for digital payment token services
DPT Exemption: Application filed for standard payment institution license
Status: Favorable regulatory environment, active compliance

Japan Financial Services Agency (FSA):

Crypto Exchange Registration: May be required
Status: Monitoring regulatory developments, evaluating market entry

Hong Kong Securities and Futures Commission (SFC):

Virtual Asset Service Provider (VASP) License: May be required
Status: Evaluating Hong Kong market entry

2.5 Other Jurisdictions

Canada:

Regulatory Body: Canadian Securities Administrators (CSA)
Status: Monitoring provincial requirements

Australia:

Regulatory Body: Australian Securities and Investments Commission (ASIC)
Status: Monitoring AML/CTF obligations

Switzerland:

Regulatory Body: Swiss Financial Market Supervisory Authority (FINMA)
Status: Crypto-friendly jurisdiction, monitoring

3. OFAC Sanctions Compliance

3.1 Sanctions Overview

Mandatory Compliance: OFAC compliance is NON-NEGOTIABLE and MANDATORY for:

U.S. persons and entities
Platforms accessible from the United States
Any entity using U.S. financial infrastructure

Penalties for Violation:

Civil penalties: Up to $330,000 per violation or 2x transaction value
Criminal penalties: Up to $20 million and 30 years imprisonment
Reputational damage and business shutdown

3.2 Prohibited Jurisdictions

VFTChain COMPLETELY BLOCKS access from:

Tier 3 - Prohibited Jurisdictions:

North Korea (DPRK)
Iran
Syria
Cuba
Crimea region
Donetsk People's Republic (DNR)
Luhansk People's Republic (LNR)
Any other OFAC-sanctioned territories

Blocking Mechanisms:

Geolocation Screening: IP address-based blocking
VPN Detection: Advanced techniques to identify proxy usage
Wallet Screening: Comparison against OFAC SDN list
Transaction Monitoring: Real-time scanning for sanctioned addresses

3.3 Specially Designated Nationals (SDN) List

Daily Updates:

Automated download of OFAC SDN list every 24 hours
Immediate blocking of newly sanctioned wallet addresses
Retroactive screening of historical interactions

SDN List Sources:

OFAC SDN list (primary)
EU sanctions lists
UK sanctions lists
UN sanctions lists

Screening Process:

User connects wallet → Wallet address checked against SDN list
Match found → Connection blocked, transaction rejected
User attempts transaction → Real-time screening before execution
Periodic re-screening of existing users

3.4 Transaction Monitoring

Real-Time Monitoring:

All transactions screened before blockchain submission
Sanctioned wallet addresses rejected
Indirect transactions (through sanctioned intermediaries) flagged

Chainalysis Integration:

Blockchain analytics for sanctions compliance
Risk scoring of wallet addresses
Identification of sanctioned entity exposure

Monitoring Scope:

Direct transactions with sanctioned addresses (blocked)
Indirect transactions (1-2 hops from sanctioned addresses) (flagged, reviewed)
High-risk jurisdiction transactions (enhanced monitoring)

3.5 Record Keeping

Retention Period: 5 years Records Maintained:

All blocked transactions with reasons
SDN list matches and resolution
Geolocation blocks and circumvention attempts
Suspicious activity reports filed

Access: Records available to OFAC, law enforcement, and auditors upon request

3.6 Reporting

Blocked Property Reports:

If VFTChain "blocks" property of sanctioned person → Report to OFAC within 10 days
Note: Due to non-custodial architecture, we typically do not "block" property in the legal sense

Voluntary Self-Disclosure:

If sanctions violation discovered → Voluntary disclosure to OFAC considered
Mitigation of penalties through cooperation

4. Anti-Money Laundering (AML) Compliance

4.1 Risk-Based Approach

VFTChain employs a RISK-BASED AML APPROACH appropriate for a non-custodial platform:

Low-Risk Activities (No KYC):

Connecting a wallet to view interface
Browsing platform
Checking eligibility for airdrops
Claiming airdrop tokens (below threshold)

Medium-Risk Activities (Enhanced Monitoring):

Large airdrop claims (>$10,000 value)
High-frequency trading patterns
Unusual transaction patterns

High-Risk Activities (KYC Required):

Enterprise service agreements
Fiat on-ramp integration (if added in future)
Large-value transactions (>$50,000)

4.2 Customer Due Diligence (CDD)

Standard CDD (when applicable):

Full legal name
Date of birth
Residential address
Government-issued ID verification

Enhanced Due Diligence (EDD):

Source of funds verification
Proof of address
Enhanced background checks
Ongoing monitoring

Simplified Due Diligence:

Not applicable (risks too high for crypto)

4.3 Know Your Customer (KYC)

Current KYC Policy:

Basic Platform Use: NO KYC required (non-custodial, decentralized)
Airdrop Claims: NO KYC for claims under $10,000 value
Enterprise Accounts: KYC REQUIRED
High-Value Users: KYC at VFTChain's discretion

KYC Provider: Sumsub, Jumio, or similar (to be implemented) KYC Verification Process:

User submits ID and selfie
Automated document verification
Liveness detection (prevents photo spoofing)
Manual review for flagged cases
Approval or rejection within 24-48 hours

4.4 Transaction Monitoring

Automated Monitoring:

Large transactions (>$10,000 value)
Rapid transaction sequences
Structuring patterns (multiple transactions just below threshold)
Geographic risk patterns
Unusual compute usage patterns

Red Flags:

Transactions involving high-risk jurisdictions
Wallet addresses flagged by Chainalysis
Inconsistent activity patterns
Attempted circumvention of controls

Actions on Red Flags:

Flagged for Review: Compliance team investigates
Request for Information: User asked to provide additional details
Enhanced Monitoring: Increased scrutiny of future transactions
Account Suspension: If serious risk identified
SAR Filing: If suspicious activity confirmed

4.5 Suspicious Activity Reporting (SAR)

SAR Threshold: Transactions or patterns meeting FinCEN SAR criteria SAR Process:

Suspicious activity identified
Compliance officer review
SAR filed with FinCEN within 30 days of detection
Records maintained for 5 years
NO notification to user (prohibited by law)

SAR Criteria:

Money laundering indicators
Terrorist financing red flags
Fraud or scam patterns
Sanctions evasion attempts
Structuring or smurfing

4.6 Record Keeping

AML Records Retention: 5 years Records Maintained:

Customer identification information
Transaction records (amounts, dates, addresses)
Risk assessments and due diligence
Suspicious activity reports
Training records

5. Know Your Business (KYB)

5.1 Business Entity Verification

For enterprise accounts and GPU providers operating as businesses:

Required Information:

Legal business name
Business registration number
Tax identification number (EIN, VAT, etc.)
Business address
Beneficial ownership (>25% ownership)
Nature of business
Source of funds

Verification:

Corporate registry checks
UBO (Ultimate Beneficial Owner) identification
Business licenses verification
Sanctions screening of entity and UBOs

5.2 Politically Exposed Persons (PEPs)

PEP Definition: Government officials, senior executives of state-owned enterprises, family members PEP Screening:

Automated screening against PEP databases
Enhanced due diligence for identified PEPs
Source of wealth verification
Ongoing monitoring

PEP Policy:

PEPs NOT prohibited from using VFTChain
Enhanced due diligence REQUIRED
Senior management approval for high-risk PEPs

6. Securities Law Compliance

6.1 VFTC Token Classification

Legal Classification: UTILITY TOKEN (NOT a security) Howey Test Analysis:

❌ Investment of Money: Users acquire VFTC for utility, not investment
❌ Common Enterprise: No pooling of funds or collective investment
❌ Expectation of Profits: Token provides immediate utility value
❌ Efforts of Others: Decentralized network, no promoter dependency

Result: VFTC DOES NOT constitute a security under the Howey Test.

6.2 Legal Opinion

External Counsel Opinion: Obtained from [Law Firm Name]

Date: [To be obtained before launch]
Conclusion: VFTC is a utility token, not a security
Scope: U.S. federal securities law analysis
Updates: Annual review and update

6.3 Token Distribution

No Token Sale: VFTChain has NOT conducted a public token sale or ICO. Distribution Methods:

Airdrop (free distribution to eligible users)
Mining rewards (payment for compute services)
DEX purchases (secondary market, not primary sale)

Key Distinctions:

No "investment contract" offered
No promises of profit
No pre-sale or pre-mine to insiders
Immediate utility upon acquisition

6.4 Marketing and Promotions

Prohibited Statements:

"VFTC is an investment"
"Buy VFTC to profit from our efforts"
"Guaranteed returns on VFTC holdings"
"VFTC will increase in value"

Permitted Statements:

"VFTC is used to access compute services"
"Earn VFTC by providing GPU resources"
"VFTC is required for platform features"

Financial Promotions Compliance (UK):

All marketing materials reviewed for FCA compliance
Risk warnings included
No misleading claims about returns

6.5 Ongoing Monitoring

Regulatory Monitoring:

SEC crypto enforcement actions
SEC guidance and interpretive releases
Court precedents (SEC v. Ripple, etc.)
Congressional legislation (stablecoin bills, etc.)

Compliance Updates:

Quarterly review of token classification
Annual legal opinion update
Immediate response to adverse regulatory changes

7. Money Transmitter Licensing

7.1 FinCEN Analysis

Money Services Business (MSB) Definition:

Transfers funds on behalf of customers
Custodies customer funds
Exchanges currencies

VFTChain Analysis:

❌ No Fund Custody: Users retain full control of private keys
❌ No Fund Transfer: Transactions occur on-chain via user signatures
❌ No Currency Exchange: No fiat-to-crypto exchange service

Result: VFTChain is NOT an MSB under FinCEN regulations. Legal Basis:

FinCEN Guidance FIN-2019-G001
Non-custodial wallet providers NOT MSBs
Platforms facilitating peer-to-peer transactions NOT MSBs

7.2 State Money Transmitter Licenses

General Rule: 48+ states require money transmitter licenses for custodial services. VFTChain Analysis:

Non-custodial architecture = NO pooled funds
No transmission of "monetary value" on behalf of customers
Users transact directly on blockchain

Result: State money transmitter licenses NOT required. State-by-State Review:

Ongoing monitoring of state guidance
Legal opinions obtained for high-priority states
New York BitLicense under separate review

7.3 New York BitLicense

NYDFS BitLicense: Required for virtual currency business activity in New York VFTChain Status:

Currently: NY residents EXCLUDED from platform
Future: BitLicense application in progress
Timeline: Q1 2026 application filing target

Application Requirements:

Detailed compliance program
AML/KYC procedures
Cybersecurity program
Consumer protection measures
Financial statements and capitalization

8. Tax Compliance

8.1 U.S. Tax Reporting

Form 1099 Reporting:

Requirement: Report payments to service providers (GPU miners)
Threshold: >$600 per year
Information: Name, address, TIN, total payments
Deadline: January 31 following tax year

Current Status:

Monitoring IRS guidance on digital asset reporting
Preparing systems for 1099 reporting
TIN collection procedures for providers

Challenges:

Decentralized nature limits reporting capability
Wallet addresses not linked to identities
Compliance on best-efforts basis

8.2 User Tax Obligations

User Responsibility:

Users responsible for ALL tax obligations
Airdrop claims may be taxable income
Mining rewards may be taxable income
Token sales subject to capital gains tax

Disclaimers:

Platform provides NO tax advice
Users should consult tax professionals
VFTChain not responsible for user tax compliance

Tax Reporting Tools (Future):

Transaction history export for tax filing
Integration with crypto tax software (CoinTracker, Koinly)
Educational resources on crypto taxation

8.3 International Tax

Withholding Obligations:

Monitoring for FATCA/CRS obligations
No current withholding requirements
Preparing for future international reporting

9. Data Protection Compliance

9.1 GDPR Compliance

Full Compliance: See Privacy Policy (Document #2) Key Measures:

Data Protection Officer appointed
Privacy by design and default
Data processing agreements with vendors
User rights mechanisms (access, deletion, portability)
Data breach notification procedures

9.2 CCPA Compliance

California Consumer Privacy Act: Full compliance Key Measures:

Privacy policy disclosures
Right to know, delete, and opt-out
"Do Not Sell" (we don't sell data)
Authorized agent procedures

10. Compliance Governance

10.1 Compliance Officer

Chief Compliance Officer (CCO): [To be appointed]

Email: Thomas@vftchain.com
Responsibilities: Oversee all compliance functions
Reports to: Board of Directors

10.2 Compliance Committee

Members:

Chief Compliance Officer (Chair)
General Counsel
Chief Technology Officer
Chief Financial Officer

Meetings: Quarterly (or as needed) Responsibilities:

Review compliance risks
Approve policy updates
Oversee regulatory filings
Review SAR and OFAC reports

10.3 Training and Awareness

Employee Training:

Annual AML/sanctions training for all employees
Role-specific training (e.g., customer support)
Ongoing updates on regulatory changes

Compliance Culture:

Top-down commitment to compliance
Whistleblower protection
No retaliation for compliance concerns

10.4 Audits and Testing

Internal Audits:

Quarterly compliance audits
Testing of OFAC screening systems
Review of transaction monitoring

External Audits:

Annual third-party compliance audit
Penetration testing for security controls
Legal opinions on classification

11. Incident Response

11.1 Compliance Breach Protocol

Discovery:

Immediate notification to CCO
Preliminary investigation within 24 hours
Board notification if material

Investigation:

Fact-gathering and evidence preservation
Root cause analysis
Impact assessment

Remediation:

Immediate corrective action
Enhanced controls to prevent recurrence
User notification (if required)

Reporting:

Regulatory reporting (if required)
Law enforcement (if criminal activity)
Internal documentation

11.2 Sanctions Violation

If Sanctions Violation Discovered:

Immediate action: Block further transactions
Preservation: Preserve all records and evidence
Legal counsel: Engage sanctions counsel immediately
OFAC notification: Consider voluntary self-disclosure
Cooperation: Full cooperation with OFAC investigation

12. Monitoring and Updates

12.1 Daily Monitoring

OFAC SDN list updates
Sanctioned wallet address updates
Transaction monitoring alerts
Security incident monitoring

12.2 Weekly Monitoring

Regulatory news and developments
Enforcement actions in crypto industry
Court decisions affecting classification

12.3 Monthly Review

Compliance metrics dashboard
Risk assessment updates
Policy and procedure review
Training completion tracking

12.4 Quarterly Review

Full regulatory environment scan
Compliance committee meeting
External counsel consultation
Board compliance report

12.5 Annual Review

Comprehensive compliance audit
Legal opinion updates
Policy overhaul (as needed)
Strategic compliance planning

13. Compliance Checklist

13.1 Pre-Launch Checklist

[x] OFAC screening system deployed
[x] Geolocation blocking implemented
[x] Privacy Policy published (GDPR/CCPA)
[x] Terms of Service published
[x] Utility token legal opinion obtained
[x] AML risk assessment completed
[ ] Compliance officer appointed
[ ] Employee training program launched
[ ] Incident response plan finalized

13.2 Ongoing Compliance

[ ] Daily OFAC list updates
[ ] Weekly regulatory monitoring
[ ] Monthly compliance review
[ ] Quarterly committee meetings
[ ] Annual external audit

14. Contact Information

Compliance Officer: Email: Thomas@vftchain.com Legal Counsel: Email: Thomas@vftchain.com Data Protection Officer: Email: Thomas@vftchain.com Regulatory Inquiries: Email: Thomas@vftchain.com

Compliance Framework Version: 1.0 Last Updated: October 29, 2025 Effective Date: January 1, 2026 Next Review: January 31, 2026

This Compliance Framework establishes VFTChain's commitment to operating within all applicable legal and regulatory requirements while maintaining decentralization and user privacy.