Kestrel AML Program

**AML Compliance Officer (AMLCO):** [Registered Principal — on file with FINRA via Form BD Schedule A] **Approved by:** Board of Directors, September 24, 2025. **Annual independent testing:** Performed by an external firm each calendar year.

1. Purpose and authority

This program is Kestrel Securities' written Anti-Money Laundering program, adopted pursuant to 31 CFR 1023.210 and implementing the Bank Secrecy Act as applied to broker-dealers. It is also designed to satisfy FINRA Rule 3310, which incorporates the federal AML program requirement as an SRO rule.

Covered regulatory references:

- 31 CFR Part 1023 — the broker-dealer BSA rulebook; - 31 CFR 1010 — the general BSA framework (definitions, OFAC, CTR); - FINRA Rule 3310 — AML program rule (SRO implementation); - FinCEN's customer due diligence ("CDD") rule at 31 CFR 1023.230 (beneficial ownership for legal entity customers); and - The Corporate Transparency Act beneficial-ownership reporting framework at 31 CFR 1010.380 (monitored for impact on CDD-rule operations).

2. Risk assessment

Kestrel conducts an annual AML risk assessment covering:

- **Customer risk**: the customer mix (retail natural-person accounts, trust and corporate cash-management, no prime-brokerage, no non-U.S. customers outside Canada); - **Product risk**: retail brokerage, wealth-management advisory, principal market-making in a limited OTC set; - **Geographic risk**: U.S. customers only (excluding a de minimis Canadian retail subset); - **Channel risk**: fully online account opening with documentary and non-documentary identity verification.

The risk assessment drives the calibration of the transaction- monitoring thresholds and the allocation of AML compliance resources. It is refreshed annually and documented in the AML Risk Assessment file maintained by the AMLCO.

3. Customer Identification Program (CIP)

The Kestrel CIP is adopted pursuant to 31 CFR 1023.220 as a component of this AML program.

3.1 Required information

Before opening an account, Kestrel obtains:

- Name; - Date of birth (for natural persons); - Address (residential or business street address, AFO/FPO, or next- of-kin address as permitted by 31 CFR 1023.220(a)(2)(i)(B)); - Identification number (SSN, TIN, or EIN for U.S. persons; passport, alien ID, or other qualifying government-issued document with country of issuance for non-U.S. persons).

3.2 Verification

Verification is performed within a reasonable time after account opening via a combination of documentary and non-documentary methods:

- **Documentary**: driver's license or passport for natural persons; articles of incorporation, partnership agreement, or trust instrument for legal entity customers; - **Non-documentary**: electronic identity-verification services cross-checking the customer-provided information against consumer reporting agency data, public databases, and industry-standard KYC sources.

3.3 Failure to verify

Where Kestrel cannot form a reasonable belief that it knows the true identity of a customer, the CIP specifies:

- The account may not be opened (for a new account with unresolved verification issues); - The account may be opened on a restricted basis while verification issues are resolved (no withdrawals, no margin, no wire transfers permitted) — such restrictions time out after 30 days absent resolution; - The account is closed, and a SAR-SF is filed where the facts warrant.

3.4 OFAC / government list comparison

At account opening, customer information is compared against the OFAC Specially Designated Nationals (SDN) list and against other Treasury- designated lists per 31 CFR 1023.220(a)(6). Ongoing screening occurs nightly against updated OFAC lists.

3.5 Customer notice

At account opening, each customer is provided a written notice that Kestrel is requesting the information to verify identity, delivered as part of the account-opening disclosure package.

3.6 CIP Recordkeeping

CIP records are retained for the lifetime of the account plus five years pursuant to 31 CFR 1023.220(a)(5).

4. Customer Due Diligence — beneficial ownership

For each legal entity customer that opens a new account after May 11, 2018, Kestrel identifies and verifies the beneficial owners under 31 CFR 1023.230. Beneficial owner means:

- Each individual who directly or indirectly owns 25% or more of the equity interests of the legal entity (ownership prong); and - A single individual with significant responsibility to control, manage, or direct the legal entity (control prong).

A Beneficial Ownership Certification is obtained at account opening and refreshed every three years or upon material change.

5. Transaction monitoring

5.1 Alert system

Kestrel's Transaction Monitoring System (TMS) is a vendor-hosted platform that ingests daily journal data, trade data, and money- movement data. The TMS applies rules calibrated against the Kestrel risk assessment, including (non-exhaustive):

- Cash-equivalent deposits exceeding $10,000 (currency is not accepted; this rule covers wires and cashiers' checks); - Rapid movement of funds in and out of an account with minimal trading; - Pattern-of-life anomalies (logins from atypical geographies, transaction bursts); - Aggregate journal activity inconsistent with the customer's stated investment objectives; - Trading in micro-cap, thinly traded, or high-risk names disproportionate to the customer's profile; - Known structuring patterns against the CTR threshold.

5.2 Alert disposition

Each alert is dispositioned by an AML analyst within three business days. Dispositions are either:

- **Close — false positive**; - **Close — explained** (with documented customer-provided or firm-verified explanation); - **Escalate** (for SAR review).

5.3 SAR-SF filing

Escalated alerts are reviewed by the AMLCO. SAR-SF decisions are made by the AMLCO. Filing criteria follow 31 CFR 1023.320(b). SAR-SFs are filed with FinCEN within 30 days of initial detection of facts constituting a basis for filing (or within 60 days if the firm is still identifying a suspect). SAR-SF confidentiality is maintained in accordance with 31 CFR 1023.320(d); disclosure is limited to FinCEN, the SEC, FINRA, NFA, and law enforcement.

6. Independent testing

Independent AML testing is performed annually by an external firm and reported to the Board's Audit Committee. Findings are tracked to remediation in an AML Audit Remediation log.

7. Training

All Kestrel employees complete AML training upon hire and annually thereafter. Role-based enhanced training is required for the AML analyst team, the AMLCO, registered representatives, and Operations money-movement personnel. Training completion is recorded in the LMS.

8. Designated AMLCO and reporting

The AMLCO is a FINRA-registered principal and a member of the Compliance organization. The AMLCO reports directly to the CCO and, on AML matters, has a reporting line to the Board's Audit Committee. The AMLCO meets with the Audit Committee at least annually and on an ad hoc basis for material matters.

9. Recordkeeping

- SAR-SF filings and supporting documentation: 5 years from filing (31 CFR 1023.320(e)); - CIP records: lifetime of the account + 5 years (31 CFR 1023.220(a)(5)); - CDD / beneficial ownership records: 5 years from the date the record is made; - AML program, training, and testing records: 5 years under 17 CFR 240.17a-4.

10. References

- 31 CFR Part 1023 (`31 CFR Part 1023`) - 17 CFR 240.17a-4 (`17 CFR 240.17a-3, 240.17a-4, 240.15c3-5`) - FINRA Rule 3110 (`FINRA-Rule-3110-3130`) - Kestrel-Information-Barriers - Kestrel-Code-of-Ethics - Kestrel-Trade-Surveillance-Alert-Summary