INTRODUCTION

The purpose of this policy for Anti-Money Laundering (AML), Combating Terrorist Financing (CFT) and Sanctions measures is to ensure that UAB Stormbenda (Company), which is a virtual currency exchange operator, has internal guidelines to prevent the use of its business for money laundering and terrorist financing and internal guidelines for implementation of international sanctions.

This policy has been adopted to ensure that the Company complies with the rules and regulations set out in Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing (Law). Where applicable, the following applicable legislation should be considered by the Company:

  • Order No. V-314 of November 30 of 2016 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “For the Technical Requirements for the Customer Identification Process for Remote Identification Authentication via Electronic Devices for Direct Video Transmission” (hereinafter – Technical Requirements).
  • Order No. V-240 of December 5 of 2014 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of the List of Criteria for Money Laundering and Suspicious or Unusual Monetary Operations or Transactions Identification” (as amended and supplemented from time to time) (hereinafter – Order on List of Criteria)
  • Order No. V-5 of 5 January 10 of 2020 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of Guidelines for the Depositary virtual currency wallet operators and virtual currency exchange operators to prevent money laundering and/ or terrorist financing.” (as amended and supplemented from time to time)
  • Order No. V-273 of October 20 of 2016 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the approval of the Instructions for the supervision of the proper implementation of international financial sanctions by the Financial Crimes Investigation Service under the Ministry of the Interior of the Republic of Lithuania” (as amended and supplemented from time to time) (hereinafter – Order on Sanctions)
  • Order No. 1V-701 of October 16 of 2017 of the Director of the Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the approval of the description of the procedure for the suspension of suspicious monetary operations or transactions and the submission of information on suspicious 
    • monetary operations or transactions to the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania, and the description of the procedure for the submission of information on cash operations and transactions, the amount of which is equal to or exceeds 15,000 euros or the equivalent amount in foreign currency, to the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania” (as amended and supplemented from time to time) (hereinafter – Order on Suspicious and Other Transactions
    • Order No. V-129 of September 4 of 2017 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of the Rules for Keeping the Register of Suspicious or Unusual Monetary Operations and Transactions of the Customer and Identification of the Criteria that Characterizes Large-Scale Permanent and Regular Monetary Operations “ (as amended and supplemented from time to time) (hereinafter – Order on Logbooks)
    • Order No. V-129 of May 21 of 2015 of the Director of the Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Forms of Submission of Information Pursuant to the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania on the approval of the Guidelines for the submission of the forms, the scheme of submission and the guidelines for the completion of the submission forms” (as amended and supplemented from time to time) (hereinafter – Order on Forms).

This policy is the subject of a review by the CEO at least annually. The proposal for a review and the review of this policy may be scheduled more often by the decision of the Company’s AML Officer. The Company must review and, where necessary, update this policy and its annexes (incl. the risk assessment policy and risk assessment made thereof) in the each of the following cases:

    • publication by the European Commission of the results of a European Union-wide risk assessment on money laundering and terrorist financing;
    • publication of the results of the National Money Laundering and Terrorist Financing Risk Assessment;
    • strengthen the applicable internal control procedures upon receipt of an order from the FCIS;
    • upon significant events or changes in the Company’s management and operations;
    • such necessity arises in the course of periodic monitoring of the implementation and adequacy of the Company’s internal policies.

This policy shall be accepted and approved by the resolution of the CEO and the AML Officer.

This policy must be followed by all Employees of the Company. The obligations of the Company as defined in this policy must be understood as the duties of all Employees of the Company unless it is provided that certain duties must be performed by a specially designated Employee of the Company (e.g. the AML Officer, Internal Control Officer, etc.).

All Employees of the Company, depending on the functions performed by them, shall be introduced to this policy upon their appointment by their signature. The Manager of the Company must ensure that all newly recruited relevant Employees are made aware of this policy in writing.

DEFINITIONS

AML Officer means a person, who is appointed to the Company as a senior employee for liaising with the Financial Crime investigation Service (FCIS) whose functions are set out in section “Organizational structure”.

Business Relationship means a relationship that is established upon conclusion of a long-term contract by the Company in economic or professional activities for the purpose of provision of a service or distribution thereof in another manner or that is not based on a long-term contract, but whereby a certain duration could be reasonably expected at the time of establishment of the contact and during which the Company repeatedly makes separate transactions in the course of economic or professional activities while providing a service.

Company means legal entity with following details:

  • company name: UAB Stormbenda
  • registration country: Lithuania;
  • registration number: 305990228;
  • address: Vilnius, Eišiškių Sodų 18-oji g. 11;
  • email: operations@genesisxchange.com.

Customer means a natural person which has the Business Relationship with the Company, as well as a natural person which intends to have the Business Relationship with the Company.

Employee means each Company´s employee, including Chief Executive Officer (CEO), the Internal Control Officer and the AML Officer.

FCIS means Lithuanian Financial Crime Investigation Service under The Ministry of the Interior of the Republic of Lithuania (Lithuanian Financial Intelligence Unit), which performs supervision of the Company’s activities of virtual currency services related to the prevention of money laundering and/or terrorist financing and which has the following details:

  • state institution;
  • registration number: 188608786;
  • address: Šermukšnių g. 3, LT-01106 Vilnius;

Monetary Operation means any payment, transfer or receipt of money.

Money Laundering (ML) means:

1) the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s action;

2) the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity

3) the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity;

4) Participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in points 1, 2 and 3.

Monitoring Specialist means the Employee, who is responsible for performing of the ODD/EDD measures in the course of the already established Business Relationship with the Customer. This Employee is responsible for making transactions in the course of services provision by the Company.

Occasional Transaction means the transaction performed by the Company in the course of economic or professional activities for the purpose of provision of a service or sale of goods or distribution thereof in another manner to the Customer outside the course of an established Business Relationship.

Onboarding Specialist means the Employee, who is responsible for performing of the Customer’s onboarding procedure (as described below) and application of CDD/EDD measures before the establishment of the Business Relationship with the Customer. This Employee is responsible for establishment of the Business Relationship with the Customer and has the right to perform actions for establishing the Business Relationship with the Customer on behalf of the Company.

PEP means the natural persons who are or have been entrusted with Prominent Public Functions and Close Family Members or Close Associates of such persons.

  1. Prominent Public Functions means:
    1. The head of the state, the head of the government, a minister, a vice- minister or a deputy minister, a secretary of the state, a chancellor of the parliament, government or a ministry; 
    2. A member of the parliament;
    3. A member of the Supreme Court, the Constitutional Court or any other supreme judicial authorities whose decisions are not subject to appeal; 
    4. A mayor of the municipality, a head of the municipal administration; 
    5. A member of the management body of the supreme institution of state audit or control, or a chair, deputy chair or a member of the board of the central bank; 
    6. Ambassadors of foreign states, a chargé d’affaires ad interim, the head of the Lithuanian armed forces, commander of the armed forces and units, chief of defence staff or senior officer of foreign armed forces;
    7. A member of the management or supervisory body of a public undertaking, a public limited company or a private limited company, whose shares or part of shares, carrying more than 1/2 of the total votes at the general meeting of shareholders of such companies, are owned by the state;
    8. A member of the management or supervisory body of a municipal undertaking, a public limited company or a private limited company whose shares or part of shares, carrying more than 1/2 of the total votes at the general meeting of shareholders of such companies, are owned by the state, and which are considered as large enterprises in terms of the Law on Financial Statements of Entities of the Republic of Lithuania;
    9. A director, a deputy director or a member of the management or supervisory body of an international intergovernmental organisation;
    10. A leader, a deputy leader or a member of the management body of a political party.
  2. Close Family Member means the spouse, the person with whom partnership has been registered (i.e., the cohabitant), parents, brothers, sisters, children and children’s spouses, children’s cohabitants.
  3. Close Associate means:
    1. A natural person who, together with the Politically Exposed Person, is a member of the same legal entity or of a body without legal personality or maintains other business relationship;

Sanctions mean the measures taken by the European Union, United Nations and the United States. These measures include a list of individuals and entities who/which are subject to sanctions. The Company shall use at least the following sources (databases) to verify the Customer´s relation to Sanctions:

Terrorist Financing (TF) means a provision or collection of funds, by any means, directly or indirectly, with the intention that they be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the offences within the meaning of Article 2 of the International Convention for the Suppression of the Financing of Terrorism of 9 December 1999.

Third Country means a state that is not a member state of the European Economic Area (EEA).

Virtual currency means a digital sentation of value that does not possess a legal status of currency or money, that is not issued or guaranteed by a central bank or any other public authority, is not necessarily attached to a currency, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored, traded, exchanged, invested and used for settlement electronically.

Virtual Currency Address means address/account generated from letters, numbers and/or symbols in the blockchain, by which the blockchain allocates the Virtual Currency to the owner or recipient.

Organizational structure

The Company consists of structural units with various functions, which together provide the Company with the opportunity to conduct business and provide services. The needs of the Company’s business unit may be covered by the Employees(s) or external service providers (third parties) which provide services to the Company under an appropriate contract. The Company’s organizational structure may be changed by the decision of the CEO.

Governing Principles

The Employees and the service providers (third parties) involved in the activities are obliged to act in accordance with the agreements concluded and internal policies established (incl. this policy). They should be aware of their subordination to other structural units of the Company. If the Company has more than 1 Employee in a structural unit, the CEO shall appoint a responsible employee whose task is, among other things, to perform daily supervision over the performance of the tasks of the structural unit (or part of it). The Company shall establish and regularly maintain contact details of external service provider’ designated person(s) responsible for providing the service (customer manager, project manager, etc.) and such persons shall be competent to represent the external service provider before the Company.

The day-to-day management of the Company takes place through the CEO. The CEO is responsible for assigning tasks to other structural units and controlling the performance of tasks. In case when the relevant Employee or third party is not appointed for performing of structural unit’s functions, the CEO shall be responsible for this structural unit’s functions. In addition to day-to-day management, the CEO organizes meetings and, if necessary, discusses decision-making with experts (mainly Employees, advisors and external service providers).

Chief Executive Officer

Chief Execution Officer (CEO) is higher executive body of the Company. This person is appointed by the General Meeting of Shareholders as the Company’s manager in accordance with Law of Companies. The CEO is responsible for day-to-day management of the Company.

The CEO has a critical oversight role – as the senior-most management of the company, they should approve and oversee policies for risk, risk management and compliance. The CEO also should have a clear understanding of the ML risks, including timely, complete, and accurate information related to the risk assessment to make informed decisions. The CEO shall appoint a qualified AML Officer with overall responsibility for the AML function and provide this senior-level officer with sufficient authority that when issues are raised they get the appropriate attention from the CEO and the business lines.

The CEO is responsible for the overall AML/CTF compliance policy of the Company and ensuring adequate resources are provided for the proper training of staff and the implementing of risk systems. The CEO will receive and consider quarterly compliance reports presented by the AML Officer. The CEO has the following functions and responsibilities:

  • organize implementation of the Company’s business strategy and tasks, establish related action plans, determine priorities of the Company’s activities;
  • organize implementation of internal controls relevant to the Company’s business and risk appetite, including but not limited to appointment of the Internal Control Officer and assessment of reports provided;
  • determine the Company’s risk appetite;
  • approve the corporate governance strategy and structure of the Company;
  • make decisions on the Company’s governance and activities;
  • make decisions on the Company’s products, services and pricing;
  • establish plans and objectives for the Company’s budget and finances;
  • evaluate and assess the Company’s compliance, AML and other activity reports;
  • evaluate and assess the Company’s financial position and statements;
  • evaluate and assess processes and systems relevant to the Company’s operations;
  • make decisions, within its competence, on the Company’s financial and legal liabilities, high value transactions and assets;
  • submit regular reports to the Company’s shareholder(s);
  • conduct the overall management of the Company’s business activities, expansion, marketing and sales;
  • plan, execute and supervise the day-to-day operations of the Company, and deal with current operational problems;
  • organize development, improvement, implementation and maintenance of the Company’s internal business processes, procedures and systems;
  • oversee the Company’s financial management and budget;
  • approve the Company’s transactions and financial operations;
  • approve significant decisions and proposals made by subordinate departments;
  • plan, organize and oversee the Company’s ongoing projects and issues and allocate relevant tasks within the Company;
  • organize and implement business transactions necessary for the performance of the Company’s activities;
  • coordinate marketing and sales processes of the Company, formulate goals for implementation of these processes;
  • take actions to eliminate deficiencies and risks of the Company’s activities, as well as organize implementation of preventive measures;
  • organize compilation of annual financial statements and prepare the Company’s annual report;
  • select the Company’s suppliers and partners, negotiate and sign contracts with them;
  • oversee, manage and evaluate performance of subordinate units;
  • promote risk-based approach and regulatory compliance culture within the Company;
  • organize implementation of requirements for the Company;
  • oversee and evaluate effectiveness of the Company’s services and their quality;
  • supervise execution of outsourced functions and their quality;
  • provide information and communicate with the state authorities (except FCIS);
  • perform other functions which are assigned to the Company’s manager (CEO) under the applicable law, internal policies, job description.

AML Officer

This unit consist of one Employee, and it is responsible for risk management and compliance functions in relation to ML, TF and Sanctions. Among other things, this unit performs supervision under the Customer Support unit and the Company’s activities. The following functions shall be performed by the AML Officer:

  • ensure that the AML/CFT, Sanctions policies, procedures and internal control measures are adequate and proportionate, taking into account the characteristics of the Company and the ML/TF, Sanctions risks to which it is exposed;
  • develop and, when necessary, update the Company’s internal policies related to AML/CTF and Sanctions;
  • ensure that there is periodical reporting to the CEO on the activities carried out by the AML officer and that the CEO is provided with sufficiently comprehensive and timely information and data on ML/TF, Sanctions risks and AML/CFT, Sanctions compliance, which is necessary to allow the CEO to carry out the role and functions entrusted to it. Such information should also cover the Company’s engagements with the national competent authority and communications with the FCIS, without prejudice to the confidentiality of suspicious transactions reporting, and any ML/TF-related findings of the competent authority against the Company including measures or sanctions imposed;
  • informing the CEO of any serious or significant AML/CFT, Sanctions issues and breaches and recommending actions to remedy them;
  • monitor and verify on an ongoing basis that the Company is fulfilling the requirements prescribed by internal policies established and according to applicable laws and regulations;
  • provide the Employees with advice and support regarding the rules related to AML/CTF and Sanctions;
  • inform and train the Employees about the rules relating to AML/CTF and Sanctions;
  • investigate and register sufficient data on received internal notifications and decide whether the activity can be justified or whether it is suspicious;
  • file the relevant reports (e. g. SAR, CTR) with the appropriate regulatory authorities in accordance with applicable legislation;
  • check and regularly assess whether the Company’s internal policies related to AML/CTF and Sanctions are fit for purpose and effective;
  • develop and maintain an ML/TF risk assessment for business-wide and individual ML/TF risk assessments;
  • cooperate and communicate with FCIS;
  • bring to the attention of the CEO the areas where the operation of AML/CFT, Sanctions controls should be implemented or improved and the appropriate suggestions of improvements;
  • provide information the CEO about the level of exposure to the ML/TF and Sanctions risks, and the measures taken or recommended to reduce and effectively manage these risks;
  • inform the CEO whether the human and technical resources allocated to the AML/CFT and Sanctions compliance function are insufficient and should be reinforced;
  • provide quarterly reports to the CEO regarding implementation of his/her duties;
  • act as a senior manager providing approval for establishing, or continuing the Business relationship with a PEP, correspondents relationship, another high-risk Customers;
  • perform other functions which are assigned to the AML Officer under the applicable law, internal policies, job description.

The AML Officer shall report to the CEO quarterly within report form approved (annex 2).

Internal Control Officer

This unit function and responsibility is to perform internal control in accordance this policy.

This structural unit must have the required competency, tools, and access to the relevant information in all structural units of the Company. The internal control methods must comply with the size of the Company, the nature, scope, and level of complexity of the activities and provided services, incl. the risk appetite and risks arising from activities of the Company.

The Internal Control Officer shall be appointed by the CEO and shall provide internal control report to the CEO quarterly.

Customer Support Department

This unit’s main function is ensuring the provision of the services to the Customers. For this reason, this unit is responsible for applying the CDD measures upon the Business Relationship and applying CDD measures during the Business Relationship. This unit consists of Onboarding Specialists and Monitoring Specialists.

For the aforementioned reasons, the Employees of this structural unit are required to:

  • adhere to all requirements outlined in this policy and other related documents;
  • report information, situations, activities, transactions or attempted transactions that are unusual for any type of service or customer relationship, regardless of the amount, whether or not the transaction was completed without delay to the AML Officer;
  • not inform or otherwise make Customers aware if the Customer or any other Customers are or may be the subject of a report or if a report has been or may be filed;
  • complete the appropriate AML training required for the Employees position(s).

The Onboarding Specialist is responsible for performing of the Customer’s onboarding procedure (as defined below) and application of CDD/EDD measures before the establishment of the Business Relationship with the Customer, including:

  • collecting the information and documents required for the onboarding procedure;
  • verification of the Customer’s identity;
  • verifying and analyzing the Customer’s information and documents gathered during the onboarding procedure (incl. making requests in relevant databases);
  • determining the risk level of the Customer;
  • requesting additional information and documents from the Customer in the case of a trigger event (e. g. sanctions watchlists match, unusual activity etc.) verifying and analyzing the information and documents (incl. making additional requests from relevant databases, public sources, etc.);
  • reporting to the AML Officer any suspicious and unusual circumstances identified when performing the CDD/EDD measures during the onboarding of the Customer;
  • communicating with the Customer in the course of the Customer’s onboarding procedure;
  • performing actions necessary to establish the Business Relationship with the Customer.

The Monitoring Specialist is responsible for performing of the ODD/EDD measures in the course of the established Business Relationship with the Customer (as defined below and in the relevant annex of this policy), including:

  • conducting the ongoing monitoring of the established Business Relationship with the Customer (incl. the monitoring of transactions and periodically updating the Customer’s information);
  • updating the Customer’s risk level, when necessary;
  • verifying and analyzing the Customer’s activity and transactions to identify any unusual or suspicious circumstances;
  • requesting additional information and documents from the Customer in the case of a trigger event (e. g. exceeding limits, unusual activity, watchlists match, change in the Customer’s risk profile etc.) and verifying and analyzing the information and documents (incl. making additional requests from relevant databases, public sources, etc.);
  • reporting to the AML Officer any suspicious and unusual circumstances identified when performing the ODD/EDD measures in the course of the established Business Relationship with the Customer;
  • communicating with the Customer in the course of the Business Relationship established;
  • performing transactions with the Customer on behalf of the Company in the course of services provision.

BASIC PRINCIPLES OF CUSTOMER DUE DILIGENCE MEASURES

Customer due diligence (CDD) measures are required for verifying the identity of a new or existing Customer as a well-performing risk-based ongoing monitoring of the Business Relationship with the Customer. The CDD measures consist of 3 levels, including the simplified and enhanced due diligence measures, as specified below.

Main Principles

The CDD measures are taken and performed to the extent necessary considering the Customer’s risk profile and other circumstances in the following cases:

  • upon establishment of the Business Relationship and ongoing monitoring of the Business Relationship;
  • upon verification of information gathered while applying CDD measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered earlier while updating the relevant data;
  • upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided for in this policy and applicable legislation.

The Company does not establish or maintain the Business Relationship and not perform transaction if:

  • the Company is not able to take and perform any of required CDD measures. In such case Company will carry out the money laundering and/or terrorist financing threat assessment. After detecting the risk of money laundering and/or terrorist financing (ML/TF), the Company will report the suspicious monetary operation or transaction to the FCIS;
  • the Company has any suspicions that the Company’s services or transaction will be used for ML, TF or violation of Sanctions;
  • the risk level of the Customer does not comply with the Company’s risk appetite.

In the case of receiving information in foreign languages within the framework of CDD measures implementation, the Company may request to demand translation of the documents to another language appliable for the Company. The use of translations may be avoided in situations when the original documents are prepared in a language appliable for the Company.

Achieving CDD is a process that starts with the CDD measures implementation. When that process is complete, documented individual risk level is assigned to the Customer which shall form the basis for follow-up measures, and which is followed up and updated when necessary.

The Company has applied CDD measures adequately if the Company has the inner conviction that they have complied with the obligation to apply due diligence measures. The principle of reasonability is observed in the consideration of inner conviction. This means that the Company must, upon the application of CDD measures, acquire the knowledge, understanding and assertation that they have collected enough information about the Customer, the Customer’s activities, the purpose of the Business Relationship and of the transactions carried out within the scope of the Business Relationship, the origin of the funds, etc., so that they understand the Customer and the Customer’s (business) activities, thereby taking into account the Customer’s risk level, the risk associated with the Business Relationship and the nature of such relationship. Such a level of assertation must make it possible to identify complicated, high-value and unusual transactions and transaction patterns that have no reasonable or obvious economic or legitimate purpose or are uncharacteristic of the specific features of the business in question.

The Services Provided by the Company

The Company’s main economic activity is services of virtual currency exchange operator and custodian virtual currency wallet operator. In the course of this activity, the Company offers to the Customers the transaction types specified in the Program of Operations (annex 3).

The Company provides aforementioned services only for the following virtual currencies: ADA, AVAX, BTC, DOGE, DOT, ETH, MATIC, SHIB, SOL, UNI, USDC, USDT, XRP  and the following fiat currencies: EUR, GPB. Before using of new virtual currency or any changes in way of the services provision, the Company shall assess risks related to such changes, including, but not limited to, risks which may affect the virtual currency users’ anonymity. In regards of new virtual currency at least the virtual currency transactions flow and blockchain structure shall be assessed, as well as other important circumstances.

This Policy is prepared considering that the Company does not provide the aforementioned services in the course of Occasional Transactions with the Customers.

The Policy is prepared considering that the Company does not provide financial services and cash services. All of the Company’s services of virtual currency exchange operator are provided electronically through the website operated by the Company.

The Verification of Information used for the Customer’s Identification

Verification of the information for the Customer’s identification means using data from a reliable and independent source to confirm that the data is true and correct, also confirming, if necessary, that the data directly related to the Customer is true and correct. This inter alia means that the purpose of verification of information is to obtain reassurance that the Customer who wants to establish the Business Relationship is the person they claim to be.

The face-to-face identification (personal meeting with the Customer) is deemed to be the reliable and independent verification of the information obtained in the course of identification. In all other cases the reliable and independent source (must exist cumulatively) is verification of the information obtained in the course of identification:

  • which originates from two different sources;
  • where the Customer’s facial image and the original of the identification document provided by the Customer are captured by way of video streaming in accordance with the Technical Requirements;
  • which has been issued by (identity documents) or received from a third party or a place that has no interest in or connections with the Customer or the Company, i.e. that is neutral (e.g. information obtained from the Internet is not such information, as it often originates from the Customer themselves or its reliability and independence cannot be verified);
  • the reliability and independence of which can be determined without objective obstacles and reliability and independence are also understandable to a third party not involved in the Business Relationship; and
  • the data included in which or obtained via which are up to date and relevant and the Company can obtain reassurance about this (and reassurance can in certain cases also be obtained on the basis of the two previous clauses).

Application of Simplified Due Diligence Measures

Simplified due diligence (SDD) is the minimum level of due diligence that must be applied for a Customer. SDD may be carried out when Company assesses Customer’s risk as low and Customer meets at least one of the criteria under Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing (e.g., Customer is a listed company (EU or equivalent), Customer is a government and municipality institution). Considering the Company services provided and the Company’s risk assessment, the Company will not apply SDD measures to their Customers. Thus, to all Customers at least standard due diligence measures shall be applied as specified below.

Application of Standard Due Diligence Measures

Standard due diligence measures are applied to all Customers, if CDD measures must be applied in accordance with this policy. The following standard due diligence measures are applied to the Customers.

Identification of the Customer and verification of the submitted information based on information obtained from a reliable and independent source – this measure is performed in the course of the Customer’s onboarding procedure as specified below. The Company collects acceptable identity document and selfie. After documents are collected, software solution and the Onboarding Specialist perform checks related to authenticity of the document (whether the document has the appropriate security measures, whether the correct font has been used, if graphic editing software has been used for making document, etc.). The exact list of data and documents to be collected is provided in requirements for data collecting and verification (annex 5).

Understanding of the Business Relationships, transaction or operation and, where relevant, gathering information thereon – this measure is applied when:

  • the Customer confirms that the Company’s terms of services provision are accepted;
  • the Customer provides additional information in regards of transaction(s) performed (e. g. in the course of EDD measures or monitoring of the business relationship as specified below).

Gathering information on whether the Customer is PEP, their family member or a person known to be close associate – this measure is applied when the Customer confirms (by answering to questionnaire), that the Customer or person related to the Customer is not PEP, their family member or a person known to be close associate. Each Customer is verified against PEP watchlists through ShuftiPro software. In addition, this status may be verified manually by the Onboarding Specialist, if necessary (e. g. in the course of EDD measures).

PEP status itself does not incriminate individuals or entities. It does, however, put the Customer into a high-risk category and makes it subject to EDD measures. Such Customers remain high-risk for at least 12 moths officially ceases to be a PEP, unless it is established that that person still poses a risk specific to PEPs. PEP screening is an ongoing process for all Customers for the length of the Business relationship.

Monitoring of the Business Relationship – this measure is applied in the course of the Business Relationship established with the Customer. This measure includes the following actions:

  • regular update of information received in the course of CDD measures (incl. screening against updated watchlists) and re-assessment of the Customer’s risk profile;
  • ongoing monitoring of the Customer’s transactions and behaviour in the course of the Business Relationship, including real-time monitoring (screening) and transactions monitoring on regularly basis;
  • identification of the source and origin of the assets used in transaction(s).

The CDD measures specified above must be applied in the relevant cases before establishing the Business Relationship (except monitoring of the Business Relationship). The exact instructions and requirements for application standard due diligence measures is provided in this policy and its annexes.

Application of Enhanced Due Diligence Measures 

In addition to CDD measures, the Company applies enhanced due diligence (EDD) measures in order to manage and mitigate an established risk of money laundering and terrorist financing that is higher than usual. EDD involves objective, rigorous, and thorough research that provides a greater view of the Customer’s profile and the actions required to mitigate higher risks.

The Company always applies EDD measures, when the Customer’s risk profile indicates high risk level (considering risk factors established, incl. PEP status, the Customer’s place of residence, etc.) in the course of the Customer’s onboarding.

During the Business Relationship the Company assess whether the Customer’s risk profile is changed and if the relevant EDD measures shall be applied to the Customer.

When EDD measures must be applied, the amount of EDD measures and the scope of such measures shall be determined by the Employee responsible for EDD measures application  (e. g. the Onboarding Specialist or Monitoring Specialist) considering requirements established by the List of EDD measures (annex 6). The Employee shall notify the AML Officer about EDD measures before their application.

After application of EDD measures, an approval from the AML Officer to establish or continue the Business Relationship with such Customer(s) must be obtained.

In the case of application of EDD measures, the Company monitors the Business Relationship more often than usual and reassesses the Customer’s risk profile no later than every six months.

THE CUSTOMER’S ONBOARDING PROCEDURE

If the Company has obligation to apply CDD measures to the Customer, the latest shall pass onboarding (identification) procedure as specified below before the start of provision any of virtual currency services (as specified in annex 3).

The Customer must be identified by the methods described below. The Customer’s identification shall be performed remotely as a combination of automatic and manual onboarding by the Onboarding Specialist, except in case when EDD measures shall be applied. The data received in the course of the Customer’s onboarding procedure shall be verified according to requirements established (annex 5).

In case when information received during the onboarding procedure is mismatch or suspicious, the Onboarding Specialist must immediately notify AML officer and postpone the onboarding procedure until the relevant instructions from the AML Officer have been received.

The Customer’s remote identification via ShuftiPro software (natural person)

When using this identification method, the Customer shall go through the onboarding procedure with software provided by ShuftiPro. In the course of this procedure the following actions shall be performed.

  1. The Customer shall start the onboarding process on the Company’s website by choosing the personal account option. The Customer must also choose whether they want to open a Virtual Currency wallet with the company (internal account) or only use an external Virtual Currency wallet when using the Company’s services (external account). The Customer who chooses the latter option may only use the on-ramp service as described in annex 3.
  2. The Customer shall then:
    1. provide their email;
      1. email must be verified via sending a verification code and entering it to the website functional;
    2. choose and confirm their password;
    3. confirming the acceptance with the Company’s T&C and Privacy Policy:
    4. confirming that the Customer is not a PEP, relative of PEP or close associate of PEP;
  3. The Customer may further log into their internal account on the Company’s website using their email and password. The Customer may further log into their external account on the Company’s website using their email and entering the 2FA verification code to the Company’s website.
    1. The Customer shall verify their email every time they log into the website using a new device.
  4. The Customer shall pass verification by clicking to the button “create account”, in the course of which:
    1. The Customer provides their details;
    2. Pass verification through ShuftiPro widget with the following steps: 
      1. to take the photo of their identification document (ID);
      2. to make liveness selfie.
    3. to upload the documents which prove their address.
  5. After performing of aforementioned steps ShuftiPro software shall perform the Customer’s data check in accordance with requirements established (annex 5), assess the Customer’s risk level and to send result of checks performed to the Company’s internal system.
  6. After the data from ShuftiPro software is received notify the Onboarding Specialist if any actions needed (e. g. to apply EDD measures or if onboarding was unsuccessful).
  7. If there’s no additional actions needed – the Company shall notify the Customer (through website), that onboarding procedure is passed successfully, and the Customer may perform transactions with the Company.
  8. If any of additional actions needed – the Onboarding Specialist shall contact the Customer and perform actions needed. After this, the Onboarding Specialist shall manually confirm in the Company’s internal system, that the Customer has passed onboarding procedure. After this confirmation the Company shall notify the Customer (through website), that onboarding procedure is passed successfully, and the Customer may perform transactions with the Company.

MONITORING OF THE BUSINESS RELATIONSHIP

The Customer’s data updating

The  relevant KYC service provider’s software and the Monitoring Specialist shall check the relevance of the data collected in the course of CDD measures implementation (hereinafter in this chapter – the Customer´s Data). This check is performed with the following measures:

  • asking the Customer for confirmation, that the Customer´s Data used for the Customer´s identification is up to date;
  • the Customer´s Data verification in accordance with the requirements established for data collection and verification (annex 5).

The aforementioned check shall be performed in the following cases:

  • check shall be performed due to the time passed from the moment of the Customer´s Data collection (if 6 months has passed from the high-risk Customer´s onboarding and 1 year has passed from middle- or low-risk Customer’s onboarding);
  • the Customer notifies about changes in the Customer´s Data;
  • when the Customer´s behaviour (e. g. amount or number of transactions, payment institution(s) used, etc.) changes and it affects the Customer´s Data or the Customer’s risk score.

In addition to aforementioned, the Customers are continuously (when perform transactions or when any of watchlists is updated) screened against watchlists (incl. PEP, Sanctions and Adverse Media) through the relevant KYC service provider’s solution. In case of match – the Monitoring Specialist is notified and shall reassign the Customer’s risk level accordingly.

When the Customer´s Data is not relevant and shall be updated, the collection and verification of the data shall be performed in accordance with re4quirements established by this policy.

Requirements for ongoing monitoring of the Business Relationship

When providing the service(s) to the Customer, the Company through the Monitoring Specialists shall pay attention to the Customer behavior to identify circumstances which may affect the Customer’s risk profile, also ensure that the transactions executed correspond to the information held by the Company about the Customer, his business, risk nature and source of funds. If such circumstances arise, the Monitoring Specialist shall reassign the Customer’s risk level and apply relevant CDD/EDD measures (if any) or terminate the Business Relationship (if the Customer’s risk score is not acceptable by the Company).

The Customer’s transactions with the Company shall be monitored by the Chainalysis software and the Monitoring Specialist in accordance with requirements established for transactions monitoring (annex. 6) automatically and by the Monitoring Specialist.

In case of suspicion of Money Laundering or Terrorist Financing in the course of interactions with the Customer, the Monitoring Specialist shall immediately notify AML Officer.

Identification of source of funds used in the transactions

The Monitoring Specialist shall establish the Customer’s source of funds used for making transactions with the Company in case when the total transactions’ amount exceeds 15 000 € or its equivalent in other assets. The requirements for establishing source of funds are provided in the list of EDD measures (annex 7).

IMPLEMENTATION OF SANCTIONS

The Company shall follow the Order on Sanctions.

Procedure for identifying the subject of Sanctions and a transaction violating Sanctions

The Company verifies whether the Customer is a subject of Sanctions. A check against Sanctions lists shall be carried out during the Customer’s onboarding procedure.

The Company performs continuous screening of all Customers against Sanctions watchlists by using the relevant KYC service proivider solution. The check for all Customers is performed for the length of the Business Relationship (when any of watchlists is updated) and at the time of transaction(s). If Sanctions subject is identified – the relevant notice will be sent to the AML Officer.

If the Onboarding Specialist and/or Monitoring Specialist has doubts that a person is a subject of Sanctions, the Onboarding Specialist and/or Monitoring Specialist shall immediately notify the AML Officer. In this case the AML Officer shall decide on whether to ask or acquire additional data from the person or notify the FCIS immediately of their suspicion.

Actions when identifying the Sanctions subject or a transaction violating Sanctions

If the Onboarding Specialist and/or the Monitoring Specialist becomes aware that the Customer which is in the Business Relationship with the Company, as well as a potential Customer intending to establish the Business Relationship or to perform a transaction with the Company, is the subject of Sanctions, the Onboarding Specialist and/or Monitoring Specialist shall immediately notify the AML Officer about the identification of the subject of Sanctions, or the doubt thereof.

The Company will not establish business relationship with potential Customers subject to Sanctions.

If identified that the Customer is as being on a particular Sanction list, the following actions must be taken by the AML Officer:

  • Freeze Customer’s wallet and stop the transaction(s);
  • Within 2 working days inform the FCIS and the Ministry of Foreign Affairs;
  • Wait for further instructions from the FCIS and/ or the Ministry of Foreign Affairs.

When identifying the subject of the Sanctions, it is necessary to identify the measures that are taken to sanction this person. These measures are described in the legal act implementing the Sanctions, therefore it is necessary to identify the exact sanction what is implemented against the person to ensure legal and proper application of measures.

REFUSAL TO THE TRANSACTION OR THE BUSINESS RELATIONSHIP AND THEIR TERMINATION

The Company is prohibited to establish the Business Relationship and the established Business Relationship or transaction shall be terminated in cases when:

  • the Company suspects money laundering or terrorist financing;
  • it is impossible for the Company to apply the CDD/EDD measures, because the Customer does not submit the relevant data or refuses, avoids submitting it or the submitted data gives no grounds for reassurance that the collected data are adequate;
  • the Customer submits incomplete data or if the data is incorrect;
  • the Customer which capital consists of bearer shares or other bearer securities wants to establish the Business Relationship;
  • the Customer who is a natural person behind whom is another, actually benefiting person, wants to establish the Business Relationship (suspicion that a person acting as a front is used);
  • the Customer´s risk profile has become inappropriate with the Company´s risk appetite (i. e. the Customer´s risk profile level is “prohibited”).

In cases above, the AML Officer shall, upon assessment of the threat posed by money laundering and/or terrorist financing, decide on the appropriateness of forwarding a report on a suspicious monetary operation or transaction to the FCIS.

If the Business Relationship in accordance with this chapter is terminated and if the AML Officer reasonably decides that the risk of money laundering and/or terrorist financing does not arise in the cases set out above, the Company shall transfer the Customer’s assets within reasonable time, but preferably not later than within one month after the termination and as a whole to an account opened in a Virtual Asset Service Provider which is registered or whose place of business is in a contracting state of the European Economic Area. In exceptional cases, assets may be transferred to an account other than the Customer’s account by informing the FCIS about this with all the relevant and sufficient information at least 7 working days in advance and on the condition that the FCIS does not give a different order. Irrespective of the recipient of the funds, the minimum information given in English in the transaction details of the transfer of the Customer’s assets is that the transfer is related to the extraordinary termination of the Customer relationship (if such a transfer allows to specify transactions details).

REPORTING OBLIGATION

Internal reporting

There is a statutory and regulatory obligation on the CEO and the Employees to disclose information to the AML Officer in circumstances where they:

  • know or suspect, or
  • have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering or terrorist financing.

The Employees must disclose not only when they have actual knowledge or suspicion of money laundering or terrorist financing but also if, in the circumstances, they should have reached that conclusion and failed to do so. Any knowledge or suspicion must be reported to the AML officer as soon as possible as provided below. Employees must not delay any disclosures unnecessarily. Possible features of suspicious monetary operations or transactions are provided below in chapter “External reporting”.

In case when necessity to notify the AML Officer arise, such notification shall be performed by filling internal report in the form approved (annex 8). Internal report shall be prepared and signed by the Employee. Signed internal report shall be sent to the AML Officer’s email as soon as possible but not later than 24 hours after necessity to send report has arisen.

It should be note that if the necessity of internal report arises, the Employee must immediately postpone the transaction (if possible) and immediately notify the AML Officer about this.

The AML Officer shall immediately analyze the report received and take necessary actions (e. g. sending external report, terminate transaction, perform further investigation, etc.).

External reporting

The Company must suspend the transaction disregarding the amount of the transaction (except for the cases where this is objectively impossible due to the nature of the Monetary Operation or transaction, the manner of execution thereof or other circumstances) and the AML Officer must report to the FCIS on the activity or the circumstances that they identify in the course of economic activities and whereby:

  • the Company has established that the Customer is carrying out a suspicious transaction;
  • the Company knows or suspects that assets of any value are obtained directly or indirectly from criminal activity or participation in such activity.

Suspicious monetary operations or transactions shall be identified:

  • in accordance with Order of the List of Criteria;
  • by noting the activities of Customers which, by their nature, may be related to money laundering and/or terrorist financing;
  • when conducting Customer’s identification;
  • when conducting ongoing monitoring of the Customer’s Business relationship, including the investigation of transactions that have occurred during that relationship.
  • in accordance with the minimal characteristics of suspicious transactions are provided in the guidelines made by the FCIS (annex 9);

The reports specified above must be made before the completion of the transaction if the Company suspects or knows that Money Laundering or Terrorist Financing or related crimes are being committed and if said circumstances are identified before the completion of the transaction.

AML Officer is responsible to submit the external reports to FCIS. AML Officer keeps a track of all internal investigations and escalations performed.

When suspicious monetary operation or transaction is detected, a documented investigation must be completed, that operation or transaction must be suspended, and a report made to the FCIS within three business hours after suspicious activity determination. There is no minimal threshold or limit for such a report.

Report to the FCIS shall be made in accordance with:

  • Order on Suspicious and Other Transactions;
  • Order on Forms.

It is a criminal offence for anyone, following a disclosure to a nominated officer or to the appropriate institution, to do or say anything that might either “tip off” another person that a disclosure has been made or prejudice an investigation. When the Customer is the subject of an external reporting, there must be taken careful steps while communicating with the Customer and additional advice should be taken from the AML Officer in order not to accidentally disclose investigative actions to the Customer.

Reporting obligation regarding specific types of transactions

The Company through its AML Officer must send information on the Customer’s identity data and information on performed virtual currency operations (virtual currency purchase, sale, deposit or withdrawal) to the FCIS not later than within 7 working days after the identification of Virtual Currency exchange transactions or transactions in Virtual Currency, if the daily value of such transaction(s) is equal to or exceeds EUR 15,000 or the equivalent amount in foreign or Virtual Currency, regardless of whether the transaction is concluded in one or more related transactions within 24 hours period. The value of the virtual currency is determined at the time of the transaction performed.

In case specified above information submitted to the FCIS shall include:

  • the data confirming the Customer’s identity;
  • the amount of the transaction;
  • the currency in which the transaction was executed;
  • the date of execution of the transaction;
  • the manner of execution of the Monetary Operation;
  • the entity for whose benefit the Monetary Operation was executed (if it’s possible);
  • other data specified in the relevant FCIS instructions.

The reports mentioned in this chapter shall be sent in accordance with:

  • Order on Suspicious and Other Transactions;
  • Order on Forms.

The Company, the Employees are prohibited to inform a person, its representative or third party about a report submitted on them to the FCIS, a plan to submit such a report or the occurrence of reporting as well as about a precept made by the FCIS or about the commencement of criminal proceedings.

DATA RETENTION

The requirements for data retention and access management to the retained data are lined out in the requirements for data retention and access management (annex 11).

The CEO is responsible for access management to the retained data, including determination of which data shall be accessible by the Company’s structural units, certain Employees or third parties.

Documents and data must be retained in a manner that allows for exhaustive and immediate response to the request from the AML Officer, queries made by the FCIS or, pursuant to legislation, other supervisory authorities, investigation authorities or the court.

The Company shall implement all rules of protection of personal data upon application of the requirements arising from the applicable legislation. The Company is allowed to process personal data gathered upon CDD measures implementation only for the purpose of preventing money laundering and terrorist financing and the data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.

Registration logbooks keeping

The Company shall keep (complete) the following registration logbooks reflecting Monetary Operations and transactions (hereinafter – logbooks):

  • logbook of virtual currency exchange transactions or transactions in virtual currency, if such Monetary Operation or value of transaction is equal or greater than EUR 15 000 or currency/virtual currency equivalent, it is not important if transaction is executed through one or more related Monetary Operations;
  • logbook of reports of suspicious Monetary Operation and transactions;
  • logbook of the Customers with whom transactions or Business Relationships were refused or terminated under the circumstances related to violations of the procedure for the prevention of Money Laundering and/or Terrorist Financing.

The data specified above which shall be entered in the logbook (as described above) in chronological order on the basis of documents confirming a Monetary Operation or transaction or other legally valid documents related to the execution of Monetary Operations or transactions, immediately, but not later than within 3 business days after the execution of a Monetary Operation or transaction.

The storage of logbooks data shall be completed and kept in an electronic medium (in the Company’s internal system) automatically and the CEO is responsible for ensuring logbooks keeping. The list of information shall be stored in each logbook kept is provided in logbooks template file (annex 12).

The logbooks’ data is be stored using software allowing for export of details stored to Microsoft Office Excel, Word, or equivalent open-code software, without damaging integrity of the details.

The registration logs are kept in accordance with the Order on Logbooks .

Data retention terms

The following data shall be retained for 8 years after the termination of the relevant Business Relationship:

  • Copies of the identity documents of the Customer, direct video streaming/direct video broadcasting recordings, other data received at the time of establishing the identity of the Customer and wallet and/or agreement documentation (originals of the documents or documents in electronic form);
  • The logbooks (stored in paper or electronic form);
  • Information that allows the wallet of the virtual currency to be linked to the identity of the owner of the virtual currency.

The following data shall be retained for 8 years after completing transaction:

  • The documents confirming an operation or transaction and data or other legally binding documents and data related to the execution of Monetary Operations or conclusion of transactions.

The following data shall be retained for 5 years after the termination of the Business Relationship:

  • Correspondence with Customer during Business Relationship (stored in paper or electronic form).

The following data shall be retained for 5 years:

  • Internal investigation records of suspicious transactions (stored in paper or electronic form).

The time limits for record keeping may be extended additionally for no longer than two years upon a reasoned instruction of a competent authority.

The Company deletes the retained data after the expiry of the time period, unless the legislation regulating the relevant field establishes a different procedure or receives the instruction from competent authority to extent the retention periods. The deletion of data is responsibility of the CEO.

TRAINING

The Company ensures that its Employees have the relevant qualifications for their work tasks. When the Employee is recruited or engaged, the Employee’s qualifications are checked as part of the recruitment/appointment process.

In accordance with the requirements applicable to the Company on ensuring the suitability of the Employees, the Company makes sure that such Employees receive appropriate training and information on an ongoing basis to be able to fulfil the Company’s obligations in compliance with the applicable legislation. It shall be ensured through training that the Employees are knowledgeable within the area of AML/CFT to an appropriate extent considering the Employee’s tasks and functions. The training must provide, first and foremost, information on all the most contemporary money laundering and terrorist financing methods and risks arising therefrom.

This training refers to relevant parts of the content of the applicable rules and regulations, the Company’s risk assessment, the Company’s internal procedures and information that should facilitate such Employees detecting suspected money laundering and terrorist financing. The training is structured on the basis of the risks identified through the risk assessment policy (annex 1).

The content and frequency of the training is adapted to the Employee’s tasks and function on issues relating to AML/CFT measures. If this policy if its annexes are updated or amended in some way, the content and frequency of the training is adjusted appropriately.

For new Employees, the training comprises a review of the content of the applicable rules and regulations, the Company’s internal policies (incl. this policy) and other relevant procedures.

The Employees receive training on an ongoing basis under the auspices of the AML Officer in accordance with the following training plan:

  • periodicity: at least once a year for the CEO and the Employees;
  • scope: review of applicable rules and regulations, this policy and other relevant procedures. Specific information relating to new/updated features in the applicable rules and regulations. Report and exchange of experience relating to transactions reviewed since the previous training.

In addition to the above, the Employees are kept informed on an ongoing basis about new trends, patterns and methods and are provided with other information relevant to the prevention of money laundering and terrorist financing.

The training held is to be documented electronically and confirmed with the Employee’s signature on the training protocol (annex 13). This protocol should include the content of the training, names of participants and date of the training.

AVOIDING CONFLICT OF INTERESTS

The Employees must avoid the conflict of interests and when this happens, immediately notify the CEO.

The conflict of interests is understood as all the circumstances known to the Company or its Employees that may affect the decisions of making a transaction or establishing Business Relationship and which do not correspond to the interests of the Company or its Customer.

To achieve the goal of avoiding the conflict of interests, the Company shall collect and regularly update its Employee’s data in order to identify their interests in the context of preventing money laundering and terrorist financing. The Company collects the following data about each Employee:

  • the birthplace and place of residence;
  • other job positions and contracts of the Employee that they have in the context of the economic field;
  • the data regarding the close relatives of the Employee (spouse, parents, children, siblings, and their children): for each, their place of residence and place of work.
  • other data known to the Employee which may indicate to the interests in the context of preventing money laundering and terrorist financing.

The failure of the Employee to provide the data specified above is considered to be a significant violation of the employment contract and may result in the extraordinary cancellation of the employment contract for reason arising from the Employee.

The Company identifies and analyses, inter alia, whether the persons directing customers to the Company (e.g., agents, resellers, etc.) have any interests regarding the Customer (e.g., provide them with legal services, accounting services, services providing the establishment of companies and other legal structures, etc.) which cause the conflict of interests between the person directing Customers to the Company and the Company.

In case of identifying a conflict of interests or circumstances indicating a conflict of interests, the Company shall apply all necessary measures to prevent it. If it is impossible to prevent the conflict of interests, the Company must not conclude any transactions or establish the Business Relationship. The measures for preventing conflict of interests may include:

  • the Employee change when the Employee who usually performing task causes conflict of interest;
  • excluding persons directing the Customers to the Company (e.g. agents, resellers, etc.) from communication between the Company and the Customer;
  • excluding Employee from the decision-making process which may result conflict of interest;
  • prohibiting the activity of the Employee which may result the conflict of interest.

The CEO is responsible for avoiding conflict of interests in the Company and determination of measures related thereof.

INTERNAL CONTROL OF EXECUTION OF THE POLICY

The performance of this policy shall be internally controlled by the Internal Control Officer appointed by the CEO for performing relevant functions (hereinafter in this chapter – Internal Control Officer). The Internal Control Officer must have the required competency, tools, and access to the relevant information in all structural units of the Company.

The Internal Control Officer shall perform internal control functions at least in the following fields:

  • the Company´s compliance with established risk assessment policy and risk appetite;
  • CDD/EDD measures implementation;
  • implementation of Sanctions;
  • the Company´s obligation to refusal to the transaction or business relationship and their termination;
  • the Company´s reporting obligation;
  • the Company´s training obligation regarding the AML/CFT requirements;
  • the Company´s data retention obligation.

The exact measures for performing internal control shall be determined by the Internal Control Officer and must correspond to the Company’s size and their nature, scope and level of complexity of the activities and services provided. The Internal Control Officer must consider at least examination fields specified above. The internal control measures shall be performed at the time determined by the Internal Control Officer with the frequency set by him or her, at least once per quarter, if the nature of measure does not expressly provide otherwise.

The results of internal control measures implementation (hereinafter in this chapter – the Internal Control Data) shall be saved separately from other data and retained within 8 years. Only the CEO and the Internal Control Officer may have access to the Internal Control Data. Internal Control Officer may provide access to the Internal Control Data to other Employees or third parties (e. g. advisors, other auditors, etc.) only with prior consent of the CEO. The persons have access to the Internal Control Data must not disclose it to anyone without prior consent of the CEO.

The Internal Control Data shall be saved in chronological order with format, which allows to analyze this and understandable connect this to other relevant data.

The Internal Control Officer shall provide the internal control report (annex 14) to the CEO at least quarterly and to the general meeting of the Company’s shareholders at least annually. The provided internal control report shall include at least the following:

  • period of exercising the internal control;
  • name of the person executing the internal control;
  • description of the internal control measures that has been performed;
  • results of the internal control;
  • general conclusions from the exercised internal control;
  • determined deficiencies, which were eliminated in the period of exercising the internal control;
  • determined deficiencies, which were not eliminated at the end of period of exercising the internal control;
  • measures that are required to implement for elimination of determined deficiencies.

The CEO shall review the internal control report provided and make resolution regarding it. The Internal Control Officer shall be notified about the essence of such resolution in format which can be reproduced in writing. For this reason, the CEO is obliged to:

  • analyze the results of performed internal control;
  • implement actions to eliminate deficiencies occurred.

Risk assessment and risk appetite

The target of the implementation of internal control measures for Company’s compliance with established risk assessment policy (incl. established risk appetite) is examination of the following circumstances:

  • the Company establishes and uses risk-based approach when providing services to the Customers (e.g., CDD measures implemented in accordance with risk level);
  • the Company determined factors which affecting the arise of ML/TF risks and determined factors are relevant;
  • the Company determined and assessed ML/TF of all services which Company provides;
  • the Company composed the risk profile of the Customer prior the performing transactions or creating business relationship;
  • the Company updates risk profile of the Customer on regular basis;
  • the Company follows established risk appetite;
  • Company keeps records of all incidents in accordance with established risk assessment policy;
  • risk assessment policy was reviewed during the last year.

Customer due diligence measures implementation

The target of the implementation of internal control measures for Company’s compliance with CDD measures implementation is an examination of the following circumstances:

  • the Company apply CDD measures prescribed by this policy to all relevant Customers;
  • the Company collects proper documents and information when applying CDD measures;
  • the Company properly verifies data and documents collected when applying CDD measures;
  • the Company applies the relevant level of CDD measures (e. g. EDD measures, etc.);
  • the Company applies proper EDD measures to specific Customers (e. g. PEP, high-risk country, etc.);
  • the Company performs Customers´ onboarding in accordance with established procedure;
  • the Company properly identifies Customers´ PEP status;
  • the Company understands purpose and nature of business relationship or transaction;
  • the Company properly monitors business relationships with Customers.

Implementation of Sanctions

The target of the implementation of internal control measures for Company’s compliance with implementation of Sanctions is an examination of the following circumstances:

  • the Company applies procedure for identification of a subject of Sanctions or transaction violating Sanctions;
  • the Company performs actions if identifies a subject of Sanctions or transaction violating Sanctions.

Obligation to refusal of transaction or business relationship and their termination

The target of the implementation of internal control measures for Company’s compliance with obligation to refuse the transaction or business relationship and their termination is an examination of the following circumstances:

  • the Company refuses or terminates transaction or business relationship if it´s obligatory in accordance with this policy.

Reporting obligation

The target of the implementation of internal control measures for Company’s compliance with reporting obligation is an examination of the following circumstances:

  • the Company sends reports and information to the competent authorities (incl. relevant guidelines);
  • the reports sent to competent authorities are filled in accordance with the relevant guidelines and are sent in time.

Training obligation

The target of the implementation of internal control measures for Company’s compliance with training obligation in AML/CTF field is an examination of the following circumstances:

  • all Employees (incl. the AML Officer and the CEO) have relevant training;
  • each Employee (incl. the AML Officer and the CEO) has been training for the last 360 days.

Obligation of data retention

The target of the implementation of internal control measures for Company’s compliance with obligation of collection and preservation of data is an examination of the following circumstances:

  • all data which shall be saved in accordance with this policy (hereinafter in this chapter – the Saved Data) have been properly saved in chronological order with format, which allows to analyze this and understandable connect the Saved Data to other relevant data;
  • only Employees (incl. the AML Officer and the CEO) or authorized third parties have access to the Saved Data;
  • all relevant logbooks are kept in accordance with this policy;
  • the Saved Data in electronic format has backup;
  • the Saved Data in other formats (e. g. on paper) has backup in electronic format;
  • the Saved Data is irrevocably deleted if it’s obligatory.