NY DFS Consent Order to Paxos Trust Company

NEW YORK STATE DEPARTMENT OF F I NANCIAL SER VICES ONE STATE STREET NEW YORK, NEW YO RK 10004 --------------------------------------------------------------------------------- x In the Mat ter of PAXOS TRUS T COMPANY, LLC --------------------------------------------------------------------------------- x CONSENT O RDER The New Yo rk St ate Dep artment of Finan cial S ervi ces (the “ Depart ment” or “DFS”) and Paxos Trust Company, LLC (“Paxos” or the “Company”) are willing to resolve the matters described herein without further proceedings. WHEREAS, in 2015, the Depar tment became the first financ ial regulato r to establish a licensing and regulatory regime for virtua l currency businesses a nd Paxos became the fi rst company to secure a Limited Purpose Trust Charter for Digital Assets in New York; WHEREAS, the Dep artm ent’s l icensin g regim e and feder al and New Yo rk l aws requir e entities seeking to conduct virtual curre ncy business in New York to, among other things, maintain effective controls for the purpose of guarding against money laundering and certain other illic it activities;

3 WHEREAS, in 2015, Paxos, formerly known as itB it Trust Company LLC, was granted a charter by the Depar tment to operate as a limited pur pose trust company, pursuant to Article III of the New Yo rk St ate Ban kin g Law; WHEREAS, in 2020, Paxos signed a letter a greement (the “2020 Letter Agreement”) with the Department setting forth the terms and conditions that Paxos was expe cted to adopt and observe with respect to its ongoing relationship with B inance Holdings Limite d (“Bina nce”) and its administration of the Binance USD stablecoin; WHEREAS, through an enforcement investigation, the Department found that Paxos failed to conduct proper due diligence of Binance as required by the 2020 Letter Agree ment and that Paxos failed to maintain ef fective and compliant anti - money laundering a nd tr ansactio n monitoring programs; and WHEREAS, Paxos has cooperat ed with the Department’ s investigation, has ended its relationship with Binance, and has undertaken comprehensive enhancements to its complianc e function to prevent similar failures in the future. NOW THEREFORE, in connection with an agreeme nt to resolve this matter without further proceedings, pursuant to the Superintendent’s authority under S ections 39 and 44 of the New York Banking Law, the Department finds as follows: THE DEPART MENT’S FINDI NGS I. Parti es and Reg ulatory Fram ework A. The Par ties 1. Paxos is a virtual currency company that of fers various products and services, including stablecoins, asset tokenization services, settlement services, and cryptocurrency brokerage services. Paxos operates as a limited purpose trust company in New Y ork und er a charter granted by the Department in 2015.

4 2. The Depa rtment is th e finan cial serv ices r egul ator i n the S tate of N ew Y ork, and its head, the Superintendent of Financial Services (the “Superintendent”), bears the responsibility of ensuring the safety and soundness of New Y ork’ s financial services industry and promoting the reduction and elimination of fraud, abuse, and unethical conduct with respect to financial institutions lic ensed to opera te in the sta te. 3. The Depa rtment develop ed and overs ees a fi rst -of- its -kind regulatory framework pertaining to virtual currency businesses. Companies that conduct virtual currency business activity in the State of New Y ork must be authorized to do so by the Department — eit her through the Department’ s Limited Purpose Trust Cha rter or through a BitLicense — and are subject to the Department’ s ongoing supervision. 4. Paxos, as a cha rtere d lim ited purpose trust company authorized to conduct virtual currency business in New Y ork State, is obligated to abide by the Department’ s laws and regulations. These regulations include establishing, implementing, and maintaining an ef fective anti -money laundering (“AML”) program in addition to transaction monitoring and filtering programs. 5. The Superintendent has the power to conduct investigations, bring enforcement proceedings, levy monetary penalties, and order injunctive relief a gainst parties who have violated relevant laws and regulations. B. Anti -Money Laundering Regulations 6. Pursuant to 3 NYCRR § 1 16.2, Paxos is required to establish and maintain an ef f ective and compliant AML program, including a robust customer due diligence program. T his AML program should, at a minimum: (1) provide f or a system of internal controls, policies, and procedures designed to ensure ongoing compliance with all applicable AM L rules and

5 regulations; (2) provide for independent testing for compliance conducted by qualified internal personn el of the Depa rtment ’ s licens ee or a qu alifi ed ext ernal p arty; (3) des ignat e a quali fied individual or individuals responsible for coordinating and monitoring day- to -day compliance; and (4) provide ongoing training for appropriate personnel. C. T ransaction Monitoring and Filtering Pr ogram Regulations 7. For bank and non-bank institutions, including Paxos, Part 504 of the Superintendent’ s Regulations establishes cer tain minimum requirements governing financial institutions’ monitoring of customer transactions and compliance with United States T reasury Depa rtment’ s Office of Foreign Assets Control (“OF AC ”) screening requir ements. 8. Specifically, Part 504.3(a) requires that each regulated instituti on shall maintain a transaction monitoring program reasonably designed for the purpose of monitoring transactions after their execution for potential Money Laundering/T errorist Financing (“M L/TF”) violatio ns and suspicious activity reporting. The transaction monitoring program must be based on the risk assessment of the institution and be reviewed and periodically updated at risk- based interv als to take int o account and r eflect changes to app l icable ML/TF laws, regulations, and regulatory warnings, as well as any other relevant information; appropriately match ML/TF risks to the institution’ s businesses; have ML/TF dete ction scenarios with threshold values and amounts designed to detect potential money laundering or other suspicious or illegal activities; have end- to -end, pre- and post- imple mentation te sting; have docume ntation that a rticulates the institution’ s current detection scenarios and the underlying assumptions, parameters, and thresholds; have protocols setting forth how alerts generated by the T ransaction Monitoring Program will be investigated, the process for deciding which alerts will result in a filing or other actions, the operating areas and individuals responsible for making such a decision, and how the

6 investigative and decision-making process will be documented; and be subject to an on-going analysis to assess the continued relevancy of the detection scenarios, the underlying rules, threshold values, parameters, and assumptions. II. Events at Issue A. Paxos’ s Compliance Failur es Relating to Binance i. Initial Due Diligence and Business Relationship with Binance 9. In September 2018, Paxos partnered with Binance, the world’ s lar gest digita l asset exchange, to list its Paxos Standard (“P AX”) stablecoin. 10. The following year, Paxos again partnered with Binance to market and distribute the Binance USD (“BUSD”) stablecoin, with the intent to expand Paxos’ s market share and customer base beyond what it had previously achieved with P AX. In connection with thi s partnership, Paxos revie wed Bin ance ’ s existing compliance program, including its AML policies and procedures and its geofencing controls. In July and August 2019, Paxos asked Binance to provide assurances that it had imposed geofencing controls to ensure th at U. S. cust omers were not accessing an unregulated trading platform. Binance’ s C hief Compliance Of ficer responded, “[w]ith co nfid ence, I can say the p olici es and pro ced ures are al ready in effe ct” and lat er re - iterated that B inance. com was “comp letely rest rict ing US persons.” Paxos acc epted Bi nance at its word and did not undertake an independent review of Binance’ s assertions or request supporting documentation beyond the initial review it had conducted on Binance for the listin g o f PA X. 11. Thereafter, the Department asked Paxos for information about Binance’ s compliance program. In response, Paxos collaborated with Binance and the n drafted a lett er for Binance to send to the Department, which it did in August 2019, stating: “Binance u ses sof tware

7 to detect user IP addresses and blocks those it determines are based in the U.S. In the event that a customer ’ s IP is masked or a customer attempts to circumvent these IP restri ctions (e.g., customer is using a V irtu al Private Network), Binance employs a secondary manual control during the KYC process to check for U.S. persons and prevent onboarding.” Binance’ s C CO approved the language in the letter, which was subsequently signed by Binance and submitted to the Department in Augus t 2019. Paxos did not test or oth erwise v erify B ina nce’ s claim s. 12. On July 24, 2020, Paxos signed the 2020 Letter Agreement with the Department that set forth the terms and conditions that Paxos was required to adopt and fulfill with respect to its ongoing relationship with Binance and the continued administration of BUSD. 13. Pursuant to the 2020 Letter Ag reement, Paxos was obligated to review Binance’ s AML, sanctions, KYC, and related policies and procedures, and to maintain, administer, monitor, and revise ef f ective controls to detect, prevent, and respond to any potential or actual wrongful use of BUSD. Paxos was further obligated to ensure that Binance timely informed Paxos of any material changes to those policies and procedures. The 2020 Letter Agr eement further required Paxos to conduct periodic due diligence refreshes of Binance. ii. Article About Binance’ s Geofencing Failur es and Paxos ’s Response and Findings 14. In October 2020, a press outlet reported that Binance wa s accepting U.S. customers through the use of V irtual Private Networks (“VPN s ”) as a mean s to evade U.S. regulatory scrutiny. It further report ed th at Bin ance sought to undermine the ability of U.S. AML and sanc tions enf orcement to detect illic it activity occurring at or through Binan ce. 15. In response to the press r eport, the Department requested that Paxos provide information it had about the allegations. Paxos, in tu rn, requested information from Binance and

8 Binance confirmed that its U.S. restriction protocols remain unchanged. This time, however, Paxos requested that Binance support its assertion by, among other things, providing Paxos with Binance’ s independe nt AML audit and an audit focused specifically on Bin ance ’ s geofencing controls. Binance provided its most recent KYC review report to Paxos and its CCO reiterated what Binance had told Paxos in the past, “as for our geo-fencing controls, you cannot even pass KYC if you are a U.S. person.” 16. In fact, B inanc e’ s geofencing was d efici ent and ci rcum ventabl e by U.S. persons – a fact that Binan ce itself hinted at publicly. At least as early a s April 2019, Binance published a guide on the “Binance A cademy” section of its website, titled, “A Beginner ’ s Guide to V PNs.” The guide explained to customers that, “[i]f you want to be private about the websites you visit — and your location — you should use a VPN.” Binance’ s VP N guide also stated: “you might want to use a VPN to unl ock s ites t hat are restrict e d in your country.” 17. After the publication of the press report, Paxos began conducting monthly due diligence refreshes of Paxos transfers to Binance. In its first due diligenc e refre sh, Paxos identified 99 U.S.- based Paxos retail a nd institutio nal clie nts who dire ctly transfe rred BUSD from Paxos to Binance.com, including several lar ge institutional trading firms and market makers based in the U.S. In addition, two of Paxos’ s employees with lega cy Binance.com accounts tested Binance’ s supposed geographic restrictions. Both employees were able to access the exchan ge and make t rades from N ew Y o rk IP addres ses. Going forward, Paxos’ s monthly refresh routinely returned new and existing U.S. users transacting on Binance.com. Throughout the period of monthly refreshes, the number of U.S.-based Paxos users interacting with Binan ce.com gen erally decl ined e ach mont h and n ever ex ceeded t he init ial 99 accoun ts

9 identifie d. Paxos’ s r efreshes and sim ple tes ting made cle ar, however, th at e ven after the publication of the press report, Binance’ s suppose d geofencing restrictions were, in fact, illusory. iii. Binance’ s Exposur e to Illicit Activity 18. Pursuant to the 2020 Letter Ag reement, Paxos was required to conduct periodic risk assessments and due diligence refreshes of Binance and inform the Department immediately if there was a material increase in any risk involving or with respect to Binance. 19. Additionally, as a limited pur pose trust company, Paxos is subject to supervisory examinations by the Department. Among other thi ngs, such examinations provide an opportunity for the Dep artm ent to rev iew a co mpany’ s risk ma nagem ent and i ts Ban k Secre cy Act (“BS A”) /AML compliance program. In 2022, the Department concluded an examination of Paxos (“2022 Examination”) and determined that Paxos failed to demonstrate that it had the appropriate controls in p lace to ef fectively mon itor for sig nifican t illicit ac tivity occurring at or through Binan ce and also fail ed to escalate red fl ags to Paxos’ s senior manageme nt and its Board. 20. The Department further noted in its October 2022 examination closing letter that, contrary to Paxos’ s pos ition that, “Binance ha[d] a reasonable AM L and Sanctions program in place,” Binance had been significantly exposed to potentially illicit high- risk ac tivity since shortly after Paxos entered into the 2020 Letter Ag reement. Th e Department found that Paxos’ s knowledge of Binance’ s controls was based solely on a review of Binance’ s AML, sa nctions, KYC, and related policies and procedures and the findings o f Bi nance ’s e xternal auditor ’ s limited review of those same policies and procedures. Paxos did not have third- party ass uranc es that attested to Binance’ s degree of compliance with its own policies and procedures. 21. As a result of the Department’ s 2022 Examination, which required Paxos to provide a report documenting Binance’ s exposure to sanctions, terror ist financing, darknet

10 marketp laces, and other illicit ac tivity, Paxos requested that a third party blockchain analytics firm perform an enhanced due diligence (“EDD”) investigation of Binance. The firm reviewed all historical Binance transactions from its founding in July 2017 to November 2022, across a select set of virtual currency assets. It identified $1.6 billion in transactions flowing to or from the Binance platform involving illicit actors including sanctioned individuals in darknet marketp laces an d cardi ng m arketpl aces and throug h Ponzi schemes. Additio nally, the firm found that Binance had processed transactions to and from entities after OF AC h ad sanctioned them, including Chatex, Hydra Market, and T o rn ado Cash. For example, it found that Binance processed more than $32 million to or from Chatex, which had displayed Russian ransomware red flags, approximately $800,000 of which came after OF AC designated Chatex for facilitating financi al trans actio ns for ransom ware acto rs. 22. Notwithstanding Paxos’ s repr esentation to the Department that Binance had a reasonable AM L and Sanctions program in place, in January 2023, Paxos’ s then Chief Compliance Of fic er wrote to the Company’ s Head of Corporate Strate gy: “ B inance app ears t o maintain a reasonable Compliance program, but Binance does not have an independent external audit report of their AML /Sanctions program which attests to the degree of compliance with its own policies and procedures, and the quality assurance reviews that were provided are incomplete and absent remediation plans.” 23. On February 13, 2023, the Department announced that it had ordered Paxos to cease min ting P axos -issued BUSD as a result of unresolved issues related to the Com pany’ s oversight of its relationship with Binance. Paxos thereafter notified its customers of its intent to end its relationship with Binance for BUSD.

11 24. Paxos’ s failure to conduct proper due diligence of Binance with respect to its geofencing controls as well as its failure to conduct due diligence of Binance’ s deficient BSA/AML programs and policies constituted a breach of the 2020 Letter Agreement. B. Paxos ’s Compliance Failur es Unr elated to Binance 25. The BSA requires fina ncial institutions to e stablish, implement, and mainta in an effective AML program. New Y o rk law im poses t hes e same r equirem ents on regul ated fin ancial institutions such as Paxos. 26. The Department’ s investigation revea led that, prior to 2023, Paxos’ s BSA/AML compliance function was deficient. Notwithstanding the Department’ s guidance in 2022 to all virtual cur rency businesses highlighting the need to augment Know-your- Customer (“KYC ”) - related controls, Paxos onboarded customers with limited insigh t into the ir tr ue identitie s, the legitimacy of their businesses, or the sources of their funds. As a result, cust omers who shared certain b ehavi oral ch arac terist ics in dicativ e of coo rdinat ed activi ty we re abl e to open m ulti ple accounts with Paxos. Thi s prog ram weak ness w as exac erbated by Paxos ’ s lack of stand ardized investigation guidelines. In addition, though Paxos had written BSA/AML policies and procedures, they did not address certain trade - bas ed money laundering risks; nor did Paxos specifi cally train its compliance sta ff to identif y those risks. These failures creat ed an environment vulnerable to exploitation by criminal actors. i. Paxos's Know-your -Cus tomer Failur es 27. A core compone nt of an effective BSA/AML program is an institution’ s KYC program. A successful KYC program enables financial institut ions to establish the identity of a person or entity, assign a risk rating to t he customer, and then eff ectively manage the risk. This first line o f defe nse is critical to c ombating f inancial cr ime.

12 28. T o m anage it s KYC pro gram, Paxos ’ s compl iance s taff used a cent rali zed software tool to review its customers’ information, including KYC and transactional activity, and to take action, including processing user onboardings and assigning customer risk ratings. Paxos’ s software, however, did not include automated alerts to indicate potentially risky shared customer attributes or provide frontline search capabilities during the onboarding process. This weakness enabled customers who shared addresses, corporate documents, beneficial owners, and certa in behaviora l characteristic s indicativ e of pote ntial illicit c oordinate d activ ity to open multiple accounts and remain undetected. 29. For example, Paxos onboarded 1 1 businesses located in the same single-story strip mall in South Florida without identifying the ir shared att ribut es and Paxos’ s deficient compli ance use r inter face d id not generat e an al ert. Com pliance staf f at Paxos acknowledged that the system did not adequately address the “linking” of individuals and entities. Three of these businesses were associated with an individual who had transacted approximately $260 million on the exchange during a period of fourteen months. This individual was listed as the a ccountant for a company that prepared the corporate books for at least four other customers onboarded to the platform. 30. Financial institutions can guard aga inst money laundering by requiring verification of a prospective customer ’ s source of funds. Although P axos’ s written policies required that customers provide information on their source of funds, occupation, and a stated purpose for the account and business relationship, Paxos failed to take reas onab le steps to investigate account holders who submitted suspicious account opening or EDD materials. Paxos employees, instead, relied on prospective customers’ written responses during the EDD process and did not obtain adequate supporting documentation. Wh en questioned by Paxos employees

13 about their businesses, customers were able to submit unverified photographs and provide other generalized answers to pass Paxos’ s EDD requirements. Customers were also able to onboard with false or insuf fi cient documentation (e.g., invoices and bank statements) that did not align with the entity’ s stated business activity or purpose. 31. In 2023, Paxos’ s employees commented on Paxos’ s l ax approach toward customer due diligence. For example, one Paxos compliance employee wrote, “I feel like every export or trading company we have on platform is fake[.]” Another compliance employee noted, “so they told us they are an unlicensed [money services business] . . . and we onboarde d [laughing out loud] . . . also they are an [over -the-c ounter] desk . . . zero trades.” A third complianc e employ ee’ s comment is illus trative o f Pax os’ s signif icant ED D failings: “Y ea, going through this newer one I found, we never received anything from them showing that they should be conducting this volume of activity. Just a bunch of likely fake policies and or g docs and then just let them go becaus e th ey are an [o ver -the- counter] d esk[.]” 32. In 2023, a third -party auditor, engaged to audit the company from July 2021 through June 2022, identified deficiencies in the company’ s custom er due diligence process at onboarding and thereafter cautioned that such gaps could result in inaccurate identification and inaccur ate asses sment of the cust omers’ money lau nderi ng ris k. ii. Paxos’ s T ransaction Monitoring Failur es 33. As discussed above, maintaining an ef f ective transaction monitoring and filtering program is an important component of a financial institution’ s BSA/AML framework. The Departmen t’ s inv estig ation rev ealed P axos’ s failu res in t his area as well. 34. T o avoid raising alerts within banking and money transmitter systems, money launderers often break up lar ge transactions into smaller transactions. T o anonymize the

14 transactions, money launderers often use multiple real or fabricated identities on either side of the tran saction. A compliant AML program will includ e contro l scenarios to dete ct attempts to struct ure trans actio ns. 35. In 2019, 2020, and 2021, Paxos’ s risk assessments rated the Company’ s transaction monitoring capabilities as “fair” due to the retrospective nature of the systems. As the Company’ s then BSA Of ficer explained in March of 2020, “. . . [F]or AML i f there were a potential pattern of transactions indicative of money laundering or [Bitcoin] sourced from a darknet marketplace, we would not know until 2- 4 weeks l ater. ” Paxos’ s manually intensive and technolog ically limite d processes to monitor withdrawals in real-t ime prevented it from detec ting obvious and easily detectable patterns of money laundering. Paxos’ s q ualit y assuran ce team found as much, noting that Paxos failed to identify certain alerts as potentially suspicious and thus warranting an investigation. 36. Such was the case with a network of customers who engaged in a trade-based money laundering scheme (the “TBML network”) on Paxos’ s exchange for approximately five years. Their transactions followed one of two patterns: (l) a rapid movement of funds from fiat to cryptocurrency or (2) a rapid movement of funds from cryptocurrency deposit to fiat (specifically U.S. dollar wire withdrawal of all funds of f the pl atform to U. S. - based finan cial institutions). Some transactions occurred within minutes of eac h other, many deposits were in round-dollar amounts, and the customers rarely, if ever, maintained a balance on the Paxos platform. Based on the rapid movement of high-volume transactions, the use of multi ple accounts, and small to zero end-of- day bal ances, i t i s likel y that the accoun ts w ere used to layer funds, a means of money launderers to avoid detection of the actual source of the funds. Although many of these customers onboarded to the Paxos platform with the stated intention of

15 buying and selling cryptocurrency, their transactions on the platform indicated otherwise and these suspicious transactions went undetected. 37. By 2022, although Paxos had made improvements to its transaction monitoring systems, it wa s still failin g to appropriately tune these syste ms to the re lev ant AML risks by performing assessments on the business rules and scenarios employed by the systems. T hat same year, the Department issued industry guidance regarding Blockchain analytics and emphasized the importance of appropriately tailoring monitoring programs. iii. Paxos's Investigations Failur es 38. While transaction monitoring and the detection of suspicious patterns are vital components of an ef f ective AML program, the obligations of Department licensees do not end there. Licensees must maintain protocols that set forth how alerts generated by their transacti on monitoring programs will be investigated, the process for deciding which alerts will result in a filing or other action, the operating areas and individuals responsible for making such a decision, and how the investigative and the decision- mak ing process will be documented. 39. Prior to 2022, Paxos’ s formal in vestigation s policy did not require an investigation upon receipt of a law enforcement request, and instead left the decision of whether to perform an investigation to the discretion of the investigator. Thus, even if the pattern of transactions described in connection with the TBML network had resulted in alerts, it i s unclear what, if any, investigation would have followed. Paxos was on notice of this failing. A 2021 audit of its BSA/AML program included a finding that for SAR filing procedures, there were insuf ficient details f or minimum due diligence required for case investigations. In 2022, Paxos’ s internal audit also identified this as an outstanding issue, noting that the Company lacked defined case investigation procedures to comprehensively describe the minimum requirements for

16 investigative research and due diligence. After the TBML network had been discovered, this finding was repeated in a 2023 audit covering 2022 activity. Tha t audit noted that Paxos’ s case investigation procedures did not include minimum requirements for performing and documenting invest igati ve resea rch an d due di ligen ce. An external consulting firm hired by Paxos after the discovery of the TBML network found that the Company failed to investigat e 79 of 188 informatio n reque sts it receive d in a two -year period. In early 2023, the relevant policy was updated to require investigation following receipt of a law en forcem ent r eques t. 40. An example of the failure of Paxos to conduct thorough investigations was the TBML network. Of this network of customers, 32 accounts had previously been brought to Paxos’ s attention through law enforcement subpoenas or informa tion requests from other fina ncial institutions. Notwithstanding these inquiries, Paxos’ s compliance staf f failed to identify the lar ge r network. Paxos ’ s quali ty ass urance te am rep orted th at te am memb ers indi cated th at they did not want or did not have the time to investigate alerts. The qu alit y assuran ce team also found that there was a lack of accountability for poor quality work by Paxos employees. 41. In light of these compliance and due diligence failures, enforcement action is warranted, including a monetary penalty. Cooperation 42. Paxos complied with the De partme nt ’ s order that it cease mi nting Paxos-issued BUSD and cooperated in connection with the termination of its relationship with Binance. 43. The Department has given substantial weight to the cooperation of Paxos both in the course of the enforcement investigation and in connection with the Department’ s oversight of Paxos’ s termination of its rela tionship with Bina nce.

17 44. Additionally, the Depa rtment recognizes Paxos’ s ef forts to improve and strengthen its compliance function, including by growing its compliance team, expanding the scope of its vendor support and expertise, and dedicating personnel from outside of its compliance division to develop compliance tooling. Paxos also engaged an outside consultant upon learning of AML program deficiencies in January 2023. As part of that engagement, the consulting company conducted a broad multi-year lookback and root cause analy sis, the re sults of which Paxos shared with the Department in periodic updates and a final report. Paxos worked with the co nsultant to im plemen t recomme nded remedia tion steps in r eal -time during the engagemen t. V i olations of Law and Regulations 45. Paxos failed to maintain an ef fective and compliant AML program, in violation of 3 NYCRR § 1 16.2. 46. Paxos conducted business in an unsafe and unsound manner, in violation of New Y ork Banking Law § 44. 47. Paxos breached the 2020 Letter Ag reement, in violation of New Y ork Banking Law § 44. 48. Paxos faile d to comply with its obligations to main tain an e ff ective transaction monitoring program, in violation of 23 NYCRR § 504.3. NOW THEREFORE, to resolve this matter without further proceedings, the Department and the Company stipulate and agree to the following terms and conditions: SETTLEMEN T PROV ISIONS Monetary Penalt y 49. No later than ten (10) days after the Ef f ective Date (as defined below) of this Consent Order, Paxos shall pay a total civil monetary penalty pursuant to Banking Law §§ 39

18 and 44 to the Department in the amount of twenty-six million and five hundred thousand dollars and 00/100 Cents ($26,500,000.00). The payment shall be in the form of a wire transfer in accordance with instructions provided by the Department. 50. The Company shall not claim, assert, or apply for a tax deduction or tax credit with regard to any U.S. federal, state, or local tax, directly or indirectly, for any portion of the civil monetary penalty paid pursuant to this Consent Order. 51. The Company shall neither seek nor accept, directly or indirectly, reimbursement or indemnification with respect to payment of the penalty amount, including but not limited to, payment made pursuant to any insurance policy. Remediatio n and Compliance 52. In addition to the civil monetary penalty set forth above, Paxos sha ll commit, at a minimum, twenty - two million dollars and 00/100 Cents ($22,000,000.00) to continue to improve and strengthen its comp liance f unction over the years 2025 through 2027. As of the date of this Consent Order, Paxos has already spent $3,100,000 for the year 2025 in connection with improving and operating its compliance program. 53. Paxos shall s et asid e $3,150,000 in connection with its compliance program to be spent over the remainder of the year 2025. No later than Januar y 1, 2026, Paxos shall specifically set asi de $7,250,000 to be spent in 2026 in connection with its compliance program. No later than January 1, 2027, Paxos shall specifically set aside $8,500,000 to be spent in 2027 in connection with its compliance program. 54. W ithin thirty (30) days of Paxos’ s commitment of the dollar amounts listed above in paragraph 53 to be set aside in connection with Paxos’ s expenditure to improving and

19 operating its complianc e progra m, Paxos sha ll submit to the Depa rtment writte n confir mation that it has set aside such funds. Status Report 55. W ithin ninety (90) days of the execution of this Consent Order, the Company shall submi t a Stat us Report (herein after th e “St atus Report ”) accept able t o t he Departm ent on the following: Customer Due Diligence 56. Regarding customer due diligence, the Status Report shall include updates on, at a minimum, the Company’ s: a. policies, procedures, and controls to ensure that the Company collects, analyzes, and ret ain s com plete an d accurat e cust om er inform ation fo r all account holders; b. methodology and plans for subsequent enhancements for assigning risk ratings to account holders that considers additional factors such as type of customer, type of products and services, geographic location(s), and transaction volume; c. methodology to evaluate customers whose transactional activity requires additional enhanced due diligence and procedures to: i. determine the additional documentation necessary to verify the identity and business activities of the customer; ii. evaluate anti cipated a ctiv ity vers us actual trans acti on acti vity of the customer; d. enhancements to the periodic review process for the entire customer base to ensure that all necessary customer and account information is up to date; e. the customer risk rating system, including the Company’s policies and procedures governing the system; and f. the status of any vendor integration in connection with the customer due diligence process.

20 BSA/AML Compliance Pr ogram 57. Regarding BSA/AML compliance, the Status Report shall include updates on, at a minimum: a. Paxos’ s current system of internal controls reasonably designed to ensure compli ance wit h BSA/ AML req uirem ents an d rel evant st ate laws and regulations; b. Paxos’ s most recent annu al compr ehensiv e BS A/AML risk ass essmen t that identifies and considers all of the Company’ s products and services, customer types, geographic locations, and transaction volumes, as appropriate, in determining inherent and residual risks; c. the m anagement of the Company’ s BSA/AML compliance program by a qualified compliance of fi cer, who is given autonomy, independence, and responsib ility for imple menting an d maintaining an ef fective BSA/AML compliance program that is commensurate with the Company’ s size and risk profile, and is supported by adequate staff ing levels and resources; d. the case manag ement s yst ems on which Paxos can reasonably rely to ensure com plian ce wit h BS A/AML requirements and rel evant state l aws and regulations, and a timeline to review key systems to ensure that the case man agement systems are c onfigured to mitigate BSA/AM L risks; e. the c omprehensive and tim ely independent testing of the Company’ s complianc e with a pplicable BSA/AML requirements and r eleva nt state laws and regulations; f. the e ffective training of all appropriate personnel at the Company who perform BSA/AML compliance- relat ed fun ctions in all aspects o f BSA/ AML req uirement s, relevant s tate la ws and regul ation s, and rel evant internal policies and procedures; and g. enhancements to Paxos’ s case managem ent sys tem, including comprehensive metric reporting, ability to include key risk indicators, and product and customer segmentation. Suspicious Ac tivity Monitoring and Reporting 58. Regarding suspicious activity monitoring and reporting, the Status Report shall include updates on, at a minimum, the Company’ s improvement and ope ration of: a. a system of internal controls reasonably designed to conduct ongoing transaction monitoring to ensure compliance with suspicious activity

21 regulatory reporting requirements, including the ef fective monitoring of custom er accou nts and the m ainten ance of a ccurat e and co mpr ehensiv e transact ional d ata; b. a well -documented methodol ogy for establishing monitoring rules and thresholds appropriate for Paxos, considering factors such as type of customer, type of product or service, and geographic location; c. policies and procedures for analyzing, testing, and documenting change s to the Company’ s monitoring rules and thre sholds; and d. enhanced investigation and reporting criteria and procedures to ensure the timely detection, investigation, and reporting of all known or suspected violations of law and suspicious transactions, including, but not limited to: i. the appropriate allocation of resources to manage suspicious activi ty alert and cas e inv entory; ii. policies and/or procedures of the Company’ s investigation and analysis of potentially suspicious activity, includi ng its escalation and review of concerns through appropriate levels of management. Corporate Governance, Management Oversight and Reporting 59. Regarding corporate governance, management oversight, and reporting, the Status Report shall include updates on, at a minimum: a. actions that the Company has taken and will take to maintain ef fective control over and oversight of compliance with BSA/AML requirements and relev ant s tate laws and reg ulati ons; b. actions that the Company has taken and will take to improve its reporting to senior management about the Company’ s compliance with BSA/AML requirements and state laws and regulations; c. the current status of clearly defined roles, responsibilities, and accountability for the Company’ s respec tive management, compliance personnel, and independent audit staf f regarding compliance with BSA/AML requirements and state laws and regulations; d. measures t hat Pax os has t aken an d will take to ensure that the Company’ s senior m anagem ent app ropri ately t rack, es calat e, and review BS A/AML compli ance con cerns; e. measures that the Company has taken and will take to ensure that the person or groups at the Company char g ed with the responsibility of overseeing the Company’ s compliance with BSA/AML requirements and

22 relevant state laws and regulations possess appropriate subject matter expertise and are actively involved in carrying out such responsibilities; the Company’ s expenditure of a dequate resources to ensure its compliance with this Order, BSA/AML requirements, and state laws and regulations; and f. actions that the Company has taken and will take to establish an appropriate and ef fective reporting structure that permits the Company’ s BSA/AML complianc e of ficer to report inf ormation in a time ly and complete manner to relevant Company personnel, including the Company’ s senior management. Case and Rules Management 60. Regarding case and rules management, the Status Report shall include updates on, at a minimum, the Compa ny’ s: a. f urther enh anc ements t o its current c ase man agem ent sy stem; b. integration of advanced analytics into Paxos’s administration platform; c. centralized process, and enhancements thereto, for managing rule logic and system configurations used in case and rules management, ensuring alignment with documented policy requirements and model governance standards; and d. structured framework, and enhancements thereto, for rule ch ange management controls and maintenance of comprehensive audit trail capab ilities. T echnical Pr ogram Supp ort 61. Regarding technical program support, the Status Report shall include updates on, at a minimum: a. the development and maintenance of platform operations in connection with incident response processes; b. updates on the Company’ s t echnical support capabilities; and c. updates on enhancements to ensure continuous compliance effectiveness and system s tability. 62. Every six months from the Ef f ective Date of this Consent Order (as defined below), for a period of three years from the Ef fective Date, Paxos shall submit to the Department

23 written progress reports detailing the form, manner, and anticipated completion date of all actions taken to secure compliance with the provisions of this Order and the results thereof, including, but not limited to, the steps enumerated in paragraphs 56 to 61 above. This reporting obligation may be extended by the Department, in its sole regulatory discretion, by providing written notice to the Company. Full and Complete Cooperation 63. Paxos commits a nd agre es that it will fu lly cooper ate with the Depar tment regarding all terms of this Consent Order. Further A ction by the Department 64. No further action will be taken by the Department against the Company or its successors for the conduct set forth in this Consent Order, provided that the Company fully complies with the terms of the Consent Order. 65. Notwithstanding any other provision in this Consent Order, however, the Department may undertake additional action against the Company for transactions or conduct that were not disclosed in the wr itten mate rials submitted to the Depa rtment in conne ction with this matter. W aiver of Ri ghts 66. The Company submits to the authority of the Superintendent to ef f ectuate this Consent Order. 67. The parties understand and agree that no provision of this Consent Order is subject to review in any court, tribunal, or agency outside of the Department.

24 Parties Bound by the Consent Order 68. This Consent Order is binding on the Department and the Company, as well as any successors and assigns. This Consent Orde r does not bind any federal or other state agency or any law enforcement authority. Breach of Consent Order 69. In the even t that the D epartm ent bel ieves th e Co mpany t o be in m aterial breach o f the Consent Order, the Department will provide written notice to the Company, and the Company must, within ten (10) days of receiving such notice, or on a later date if so determined in the Departmen t’ s sol e discr etion, appear b efore t he Dep artment to demo nstrat e that no mat erial breach has occurred or, to the extent pertinent, that the breach is not material or has been cured. 70. The Company understands and agrees that its failure to make the require d showing within the designated time period shall be presumptive evidence of the Company’ s breach. Upon a finding that a breach of this Consent Order has occurred, the Department has all the remedies available to it under New Y ork Banking Law and New Y o rk Fi nancial Servic es Law, and any other applicable laws, and may use any evidence available to the Department in any ensuing hearings, notices, or orders. Notices 71. All notices or communications regarding this Consent Order shall be sent to: For th e Departmen t: Joseph C. Mineo Assistant Deputy Superintendent Consumer Protection and Financial Enforcement New York S tate Depart ment of Fi nanci al Serv ices One Com merce Pl aza Albany, New York 12257

25 For Paxos T rust Company LLC: Leighton Dellinger Head of L egal Paxos Trust Company, LLC 450 Lexington Ave, New York, New York 10163 Laure l Loomis Rimon Jenner & Block LLP 1099 New York Ave., NW Washington, DC 20001 Miscel laneous 72. This Consent Order and any dispute thereunder shall be governed by the laws of the State of New Y ork without regard to any conflicts of laws principles. 73. This Consent Order may not be altered, modified, or changed unless in writing and signed by the parties hereto. 74. This Consent Order constitutes the entire agreement between the Department and the Company and supersedes any prior communication, understanding, or agreement, whether written or oral, concerning the subject matter of this Consent Order. 75. Each provision of this Consent Order shall remain ef f ective and enforceable against the Company, it s succe ssors, and assigns, until stayed, modified, suspended, or termin ated by t he Dep artm ent. 76. In the event that one or more provisions contained in this Consent Order shall for any reason be held to be invalid, illegal, or unenforceable in any respect, such invalidity, illegality, or unenfor ceability shall not aff ect any other provision of this Con sent Ord er. 77. No promise, assurance, representation, or understanding other than those contained in this Consent Order has been made to induce any party to agree to the provisions of this Consent Order.

26 78. Nothing in this Consent Order shall be construed to prevent any consumer or any other third party from pursuing any right or remedy at law. 79. This Consent Order may be executed in one or more counterparts and shall become ef f ective when such counterparts have been signed by each of the parties hereto (the “Effective D ate”). [remainder of this page intentionally left blank]

27 IN WITNE SS WHER EOF, the parti es h ave caused this Consent Order to be signed on the dates set forth below. NEW YORK STA TE DEP ARTMEN T OF FINANCIAL SE RVICES PAXOS TRUS T COMPANY, LLC By: /s/ Kathryn A. Taylor By: /s/ Charles G. Cascarilla KATHRYN A. TAYLO R Deputy Director of Enforcement for Consumer Protection and Financial Enforcem ent CHARLES G. C ASCARILLA Chief E xecutiv e Office r August 1, 2025 August 4, 2025 By: /s/ Christopher B. Mulvihill CHRISTOPHER B. MULVIHILL Deputy Superintendent for Consumer Protect ion and Finan cial Enforcem ent Aug ust 4, 2025 By: /s/ R. Gabriel D. O ’ Malley R. GABRIEL D. O’MALLEY Executive Deputy Superintendent for Consumer Protection and Financial Enforcem ent August 4, 2025 THE FORE GOING IS HEREB Y APPROVED. IT IS SO ORDERE D. /s/ Adrienne A. Harris ADRIENNE A. HAR RIS Superintendent of Financial Services August 7, 2025