INTRODUCTION
This risk assessment policy establishes grounds for the Company’s risk management of money laundering (ML), terrorist financing (TF) and violation of Sanctions risks, and documents risk appetite and risk assessment performed in accordance with this policy. This policy is the subject of a review by the Management Board at least annually. The proposal for a review and the review of this policy may be scheduled more often by the decision of the Head of Compliance or Internal Control Officer. The definitions used in this policy shall be interpreted in accordance with definitions and wordings provided for in the AML Policy, which annex this policy is.
RISK ASSESSMENT PROCEDURE
The Company shall prepare and regularly update the risk assessment in order to identify, assess, analyse and manage the risks of ML, TF or violation of Sanctions within the course of services provision. The process of risk assessment, executed by the Company shall include at least the following stages:
- risk factors identification;
- risks factors analysis;
- risks factors evaluation.
The risk assessment and the establishment of the risk appetite shall be documented, and the documents shall be updated when it is required. In the course of the Companies risk assessment at least the following relevant sources shall be used:
- national risk assessment;
- supra-national risk assessment;
- guidelines of authorities (incl. international organizations);
- the knowledge previously obtained when performing activities similar to the Company.
THE RISK CATEGORIES & RISK FACTORS
The Company identifies the risks/threats related to its activities, as well as the risks/threats that may arise in the near future, that is foreseeable risks/threats, and assess and analyse their significance and impact. The risks/threats are identified and assessed on a case-by-case basis as of the moment of the risk assessment and separately considering the situation where the Company should take the risks to the maximum extent permitted by the risk appetite. The Company identifies, assesses, and analyses risks of money laundering, terrorist financing and violation of Sanctions taking into account the following risk categories:
- risks relating to customers;
- risks relating to countries, geographic areas or jurisdictions:
- risks relating to products, services, or transactions, including risks relating to new and/or future products, services or transactions;
- risks relating to communication, mediation or products, services, transactions or delivery channels between the Company and customers.
The Company shall identify risk factors for the risk categories specified above that may affect the risk of ML, TF or violation of Sanctions within the course of services provision when the presence of the relevant risk factor in relation the Customer was established.
THE RISK ASSESMENT SCALES
The Company shall identify residual risk for each risk factor identified by using the following method:
When calculating the residual risk score, the following scoring scales shall be applied. The specific calculations are shown in the table of this policy below. A risk assessment starts with determining the inherent risks/risk factors, i.e. the risks that exist if there are no control measures in place to mitigate them. Inherent risks consist of threats and vulnerabilities. Threats and vulnerabilities are caused by external factors such as clients (incl. their location), products or delivery channels.
Impact
Impact is the negative influence on the continuity of the Company’s business when a risk factor occurs. The risk factor’s impact should be assessed with considering the consequences that may occur when the risk of ML, TF or violation of Sanction has taken place within the services provision when the relevant risk factor presence was established. The risk factor’s impacts shall be assessed with the use of the following scale:
| Impact score | Description |
|---|---|
|
Low - 1 point |
Short term or low costs consequences – warning or instructions of the regulatory body.
|
|
Medium - 2 points |
Medium term consequences with some costs and/or some non-financial damages (e.g., reputational) - the regulatory action in the form of public reprimand or fine may be imposed.
|
|
High – 3 points |
Long term, high costs consequences and/or high non-financial damages (e.g., reputational) - regulatory action in the form of revocation of the license(s) or regulatory fine in the amount of more than 100 000€ may be imposed.
|
|
Unacceptable - 4 points |
Punishment as for the criminal offence for the Company or Senior Management, as well as fine for the Company in the amount more than 200 000 € may be imposed. |
Likelihood
Likelihood is the chance that an impact occurs. The risk factor’s impact occurrence likelihood should be assessed in the context of involvement of the Company in ML or TF within the course of the services provision when the relevant risk factor presence was established in relation to the Customer. For the assessment of likelihood’s impact, the following scale shall be used.
| Likelihood score | Description |
|---|---|
|
Rare - 1 point |
May happen only in exceptional circumstances. |
|
Unlikely - 2 points |
May occur infrequently. |
|
Possible – 3 points |
May occur frequently. |
|
Almost certain - 4 points |
May occur in most cases. |
Controls
The scope of controls used for risk’s mitigation shall be assessed by using the following scale.
| Control score | Description |
|---|---|
|
Negligible- 1 point |
There are no mitigation measures established for or measures established cannot decrease the risk factor’s likelihood and/or impact
|
|
Weak - 2 points |
There is a number of mitigation measures which can insignificantly decrease the risk factor’s of likelihood and/or impact. |
|
Medium – 3 points |
There is a number of mitigation measures which can decrease the risk factor’s likelihood and/or impact. |
|
Strong - 4 points |
There is a number of mitigation measures which can significantly decrease the risk factor’s likelihood and/or impact. |
Residual Risk Score
The residual risk is the level of risk that remains after applicability of controls related to the risk factors identified (mitigation). The risk factor’s residual score shall be used for the further determination of the Customer’s risk profile. The following scale (points regarding circumstances) for the each identified risk factor’s residual risk shall be used.
| Residual risk score | Description |
|---|---|
|
Low – 0-1 point |
After mitigation risk factor has insignificant or it does not affect the occurrence of risks of ML or TF or violation of Sanctions and
does not increase or does increase insignificantly the occurrence of such risks |
|
Medium – from 1,1 up to 2,9 points |
After mitigation risk factor has medium affect to the occurrence of risks of ML or TF or violation of Sanctions and to the increase of the occurrence of such risks |
|
High – from 3 up to 7,9 points |
After mitigation risk factor has significant affect to the occurrence of risks of ML or TF or violation of Sanctions and to the increase of the occurrence of such risks. |
|
Prohibited – more than 7,9 points |
Risk factor does not meet the Company’s risk appetite. |
MODEL TO IDENTIFY THE CUSTOMER´S RISK PROFILE
The Company shall analyze the data obtained during implementation of CDD/EDD measures, compare the aforementioned data with risk factors identified in the risk assessment for each ML/TF risk category and determine the Customer’s risk profile in accordance with the following. For the Customer´s risk assessment the Company uses the following risk categories:
- risks relating to customers;
- risks relating to countries, geographic areas or jurisdictions:
- risks relating to products, services or transactions;
- risks relating to communication, mediation or products, services, transactions or delivery channels between the Companies and the Customers;
For the each of aforementioned risk categories following risk score may be identified:
Each risk category shall be assessed in accordance with risk factors identified for the Customer. The score for risk category shall be determined in accordance with higher identified risk factor´s residual score in the risk category. The Customer’s risk profile shall be determined as higher risk score of the any of risk categories. The Customer’s risk profile may be determined as “low” only in case when all risk categories have low residual risk score determined. In case when no risk factors established in a category – the medium risk shall be established for the risk category. The Customer’s risk score shall be saved in the Company’s internal system.
INCIDENTS´ MANAGEMENT
The Company shall manage incidents, which related to the occurrence or potential occurrence of risks of money laundering and terrorist financing and shall establish the risks which were not considered during the latest risk assessment. The Company shall keep a register of such incidents, which shall contain at least the following data:
- time of detection;
- the time of the event;
- the source of the incident information;
- the Employee and the structural unit that identified the incident;
- description of the incident;
- the Employee and the structural unit involved in the incident;
- the consequences of the incident and their extent;
- the cause of the incident;
- the actions taken.
THE UPDATE OF RISK ASSESSMENT
The Company shall update or renew the risk assessment when necessary, but not less than once per year. The Company's is obligated to update risk assessment in the each of the following cases:
- any sources (e. g. national or supra-national risk assessment, FATF guidelines) used for risk assessment were updated;
- in cases specified in the Company’s AML policy;
- there are violations of restrictions set by the Companies risk appetite;
- the financial performance (for example, profit or turnover) of the Companies has increased significantly over a short period;
- the number of Customers significantly increased;
- the number of Customers with high risk level significantly increased;
- number of claims from the Customers increased significantly;
- number of refusals for the Business Relationships with the Customers increased significantly.;
- number of notifications sent to the authorized bodies increased significantly;
- more than 20% of the employees were replaced or removed within 6 months;
- the number of orders from supervisory authorities has increased significantly;
- it systems used by the company were changed significantly;
- main service providers of the Companies were changed;
- new national risk assessment occurred;
- in the other cases if it’s required on the opinion of the AML Officer or Management Board.
The Company shall update risk assessment and the related documents before:
- starting of use new or emerging technologies;
- starting of providing new products or services;
- starting of using non-traditional sales channels;
- starting of using new channels for providing services or products.
THE COMPANY´S RISK APPETITE STATEMENT
Introduction
This Company’s risk appetite statement, together with the risk assessment, establishes the approach through which risk appetite is established, communicated, and monitored, including risk appetite statement, risk thresholds and limits for the material risks, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the risk appetite of the Company. The risk appetite is basis for risk management principles and risk-taking activities and establishing vision and strategy of risks that Company is prepared to accept and manage in pursuit of its business objectives. The objective of the risk appetite is to establish an appropriate and consistent links between the Company’s business strategy, the risk strategy, and the risk mitigation measures. The risk appetite is based on the Company’s strategy and business plans. The Company’s risk appetite statement should be approved by the Senior Management. The risk appetite statement will thereafter be reviewed at least once a year, taking into account changes in applicable laws and regulations and the Companies’ strategic plans. In the event of changes in applicable laws and regulations, the risk appetite statement will be revised as soon as possible or within the timeframe for applicability of the new requirements.
The Companies’ vision
The Companies focus on the services as defined in the Company’s program of operations (annex 3). The Company’s risk appetite is limited to providing aforementioned services. The Companies determined that the Business Relationships will be established with the Customers from a country outside the European Economic Area.
The Companies’ vision
The Company does not enter into the Business Relationship with Customers with the following characteristics:
- the Customer is less than 18 years old or doesn’t have legal capacity in their country of residence;
- the Customer is PEP, their family member or a person known to be close associate;
- the Customer’s place of residence or location is in high-risk third country;
- the Customer’s place of residence or location is in a country or jurisdiction which, based on the trustworthy sources in the country like mutual assessments, detailed assessment reports or published follow-up reports, has no valid and efficient systems of the prevention of money laundering and terrorist financing;
- the Customer’s place of residence or location is in a country or jurisdiction, which is subject to sanctions, embargos or similar measures issued by the European Union or the United Nations;
- the customer, person participating in a transaction or the transaction itself is related to a country, which in the FATF blacklist or which is included in the list of the State Sponsors of Terrorism;
- the Customer’s place of residence or location is in a country which doesn´t correspond with the Company’s risk appetite, the Customer is subject of Sanctions or become the subject of Sanctions;
- the Beneficial Owner of the Customer (who is a natural person) is some third person;
- the Customer is a legal entity;
- the Customer is subject to negative news related to ML , TF, violation of Sanctions and/or other offences (Adverse Media);
- the Customer has provided forged or edited KYC documents (e.g., identity documents, source of funds, etc.);
- the Customer is lacking knowledge or providing inaccurate information about the transaction, the source of funds, or the relationship with the counterparty (incl. providing information indicating that the transaction is in support of illicit activities);
- the Customer is refusing to provide sufficient information or documentation to demonstrate that factors specified above doesn’t apply to them;
- the Customer intends to use representative in transactions with the Company;
- the Customer’s IP address is related to a country or jurisdiction which is in a FATF black or grey list, which is subject of sanctions or other country which is not in line with the Company’s risk appetite;
- The Customer links several credit cards to their VA wallet to withdraw funds or deposit funds from ATM’s VA deposits to the credit cards or bank account
- The Customer's transactions or business activity is abnormal and/or seemingly unnecessary and does not have logical business explanation
- The Customer's activity suggests that the customer might favor anonymity (e.g. transactions with VAs that provide higher anonymity, use of VA ATM's)
All other Customers may be accepted by the Company, if the relevant CDD/EDD measures have been applied.
THE RISK ASSESSMENT
Risks related to customers
| Description of risk factor | Considerations (incl. quantitative data) | Impact | Likelihood | Mitigation Actions | Score of Controls | Residual risk (score) | Way for risk factor’s identification and continuous monitoring |
|---|---|---|---|---|---|---|---|
|
The customer is a company which securities are admitted to trading on a regulated market in one or more Member States of the EEA or other foreign company which securities are traded on regulated markets and which are subject to disclosure requirements consistent with the European Union legislation |
This risk factor is considered as being risk decreasing by applicable legislation and guidelines of competent authorities.
|
2 |
1 |
May apply CDD measures in relation to the Customer in accordance with AML policy and document “Requirements for data collection and verification”.
|
3 |
Low
(0,6) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution.
|
|
The customer is state or municipal institution or agency or the Bank of Lithuania |
This risk factor is considered as being risk decreasing by applicable legislation and guidelines of competent authorities. |
2 |
1 |
May apply CDD measures in relation to the Customer in accordance with AML policy and document “Requirements for data collection and verification”. |
3 |
Low
(0,6) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The customer is a financial institution covered by Lithuanian Law, or a financial institution registered in another Member State of the EEA or in a third country which imposes requirements equivalent to those laid down in Lithuanian Law and is supervised by competent authorities for compliance with those requirements and international organisations have identified a low level of corruption in that country (CPI < 59) |
This risk factor is considered as being risk decreasing by applicable legislation and guidelines of competent authorities. |
2 |
1 |
May apply CDD measures in relation to the Customer in accordance with AML policy and document “Requirements for data collection and verification”. |
3 |
Low
(0,6) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The customer is a natural person |
N/A |
2 |
2 |
Shall be applied CDD measures in relation to the Customer in accordance with AML policy and document “Requirements for data collection and verification”.
|
3 |
Medium
(1,3) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The customer is a legal entity with a firm and transparent structure and data of management bodies and beneficial owners that are not listed on regulated market |
N/A |
3 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
3 |
Medium
(1,3) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The customer is a legal entity of any form whose structure of the management bodies and/or beneficial owners is confusing and the relevant data is verified on the basis of the statement of the customer’s representative and/or internal or non-public documents provided by the customer |
This risk factor is considered as being risk decreasing by applicable legislation and guidelines of competent authorities.
|
3 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
2 |
High
(6) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The ownership structure of the customer seems, when considering the activities of the company, unusual or too complicated |
This risk factor is considered as creating increasing risk by applicable legislation and guidelines of competent authorities.
Risk factor is applicable when the Customer’s representative has no adequate explanations regarding ownership structure.
|
3 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
|
2 |
High
(4,5) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the S ShuftiPro solution. |
|
The customer has provided incomplete or insufficient KYC information |
This activity may point to the Customer’s plans being involved in ML, TF or violation of Sanctions. |
3 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”. |
2 |
High
(4,5) |
Shall be identified and verified by the relevant KYC service provider’s solution. |
|
The customer is significantly old (age over 70) |
Due to nature of the Company’s services, they are usually used by younger Customers: old people are less involved in activities related to virtual currencies and such people are more vulnerable for fraud and other crimes. |
3 |
2 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
|
2 |
High
(3) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The Customer’s appearance and behavior is not in line with the nature of the transaction performed by the Customer, |
This activity may point to the Customer’s plans being involved in ML, TF or violation of Sanctions. |
3 |
2 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
|
2 |
High
(3) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the the relevant KYC service provider’s solution and the Chainalysis’s solution. |
|
The customer’s activity includes one of the following activities: • Illegal drugs, substances designed to mimic illegal drugs, and equipment designed for making or using drugs • Products and services that are unfair, predatory, or deceptive Pyramid schemes • ‘Fast Money’ schemes • Negative reviews marketing and telemarketing • Predatory investment opportunities with no or low money down • Pornography and other mature audience content (including literature, imagery and other media) depicting nudity or explicit sexual acts • Adult services including prostitution, escorts, pay-per view, sexual massages, online cameras and adult live chat features • Firearms, explosives and dangerous materials • Guns, gunpowders, ammunitions, weapons, fireworks and other explosives Peptides, research chemicals, and other toxic, flammable and radioactive materials Gambling, Games of chance, Lotteries, Betting, Sports betting. • Unregulated Marijuana products • Unregulated Securities brokers, Assets managements, Trust funds • Multi-Level Marketing schemes |
Mentioned fields of activities are more vulnerable for ML/TF and violation of Sanctions. |
3 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
1 |
Prohibited
(12) |
verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The customer is less than 18 years old or doesn’t have legal capacity in their country of residence |
There’s no opportunity to perform CDD/EDD measures in the necessary amount and such Customers are not in line with the Company’s risk appetite. |
3 |
4 |
Refusal to on board the Customer and engage in business relationship. |
1 |
Prohibited
(12) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The Customer who is a legal entity is an NGO |
This risk factor is considered as increasing risk by guidelines of competent authorities and such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
2 |
Prohibited
(8) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The Customer who is a legal entity is an association of persons that does not have the status of a legal entity |
This risk factor is considered as increasing risk by guidelines of competent authorities and such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
Prohibited
(8) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The Customer is subject to negative news related to ML , TF, violation of Sanctions and/or other offences (Adverse Media) |
The Customer’s involved in such activities may seek for opportunities to continue these activities by using the Company’s services. For this reason, such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
rohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the the relevant KYC service provider’s solution. |
|
The customer is PEP, the family member of the PEP or a person known to be the close associate of the PEP |
This factor is considered as risk heightening by the relevant regulations and authorities’ guidelines.
There’s no opportunity to perform CDD/EDD measures in the necessary amount and such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
Prohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the relevant KYC service provider’s solution. |
|
The beneficial owner of the Customer (who is a natural person) is some third person |
This activity may point to the Customer’s plans being involved in ML, TF or violation of Sanctions.
There’s no opportunity to perform CDD/EDD measures in the necessary amount and such Customers are not in line with the Company’s risk appetite.
|
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
Prohibited
(8) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution and the Chainalysis ’s solution. |
|
The customer is a subject of European Union or UN sanctions |
In some cases subjects of Sanctions can’t be involved in transactions with the Company. For this reason, such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
1 |
Prohibited
(16) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the relevant KYC service provider’s solution.
|
|
The Customer has provided forged or edited KYC documents (e.g., identity documents, source of funds, etc.) |
This activity may point to the Customer’s plans being involved in ML, TF or violation of Sanctions. For this reason, such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
1 |
Prohibited
(16) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the relevant KYC service provider’s solution.
|
|
The Customer is a legal entity that has nominee shareholders or bearer shares or its affiliate has nominee shareholders or bearer shares |
This activity may point to the Customer’s plans being involved in ML, TF or violation of Sanctions. For this reason, such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
2 |
Prohibited
(8) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution.
|
|
The Customer is a legal entity or another association of persons that does not have the status of a legal entity, if their economic activity does not have a reasonable and clear economic or lawful objective or it is not characteristic of a specific business field; |
This activity may point to the Customer’s plans being involved in ML, TF or violation of Sanctions. For this reason, such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
Prohibited
(8) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
|
The Customer is legal entity or entity that not having legal personality and is personal asset-holding vehicle. |
This activity may point to the Customer’s plans being involved in ML, TF or violation of Sanctions. For this reason, such Customers are not in line with the Company’s risk appetite. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
Prohibited
(8) |
Shall be identified and verified by ShuftiPro solution.
Shall be monitored in the course of ODD measures by the ShuftiPro solution. |
Risks related to countries, geographic areas or jurisdictions
| Description of risk factor | Considerations (incl. quantitative data) | Impact | Likelihood | Mitigation Actions | Score of Controls | Residual risk (score) | Way for risk factor’s identification |
|---|---|---|---|---|---|---|---|
|
The Customer’s place of residence and location is in the European Economic Area |
It includes the following countries:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, Norway, Switzerland.
This risk factor is considered as lowering risk by applicable legislation and guidelines of competent authorities.
|
2 |
1 |
Shall be applied CDD measures in relation to the Customer in accordance with AML policy and document “Requirements for data collection and verification”. |
3 |
Low
(0,6) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform.
|
|
The Customer’s place of residence or location is not in the European Economic Area |
This factor is considered as risk heightening by the relevant regulations and authorities’ guidelines |
3 |
2 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
|
2 |
High
(3) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform. |
|
The Customer’s place of residence or location is in high-risk third country. |
It includes the following countries:1 Afghanistan, Barbados, Burkina Faso, Cambodia, Cayman Islands, Haiti, Jamaica, Jordan, Mali, Morocco, Myanmar, Nicaragua, Pakistan, Panama, the Philippines, Senegal, South Sudan, Syria, Trinidad and Tobago, Uganda, Vanuatu, Yemen, Zimbabwe.
Iran and North Korea and some other countries are prohibited countries as provided below. |
4 |
4 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
|
2 |
Prohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform.
|
|
The Customer’s place of residence or location is in a country or jurisdiction which, based on the trustworthy sources in the country like mutual assessments, detailed assessment reports or published follow-up reports, has no valid and efficient systems of the prevention of money laundering and terrorist financing |
It includes the following countries (according FATF):2
Albania, Barbados, Burkina Faso, Cambodia, Cayman Islands, Gibraltar, Haiti, Jamaica, Jordan, Mali, Morocco, Myanmar, Nicaragua, Pakistan, Panama, Philippines, Senegal, South Sudan, Syria, Turkey, Uganda, United Arab Emirates, Yemen.
This risk factor is considered as increasing risk by applicable legislation and guidelines of competent authorities.
Some of these countries are not in line with the Company’s risk appetite. |
4 |
4 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”. |
2 |
Prohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform.
|
|
The Customer’s place of residence or location is in a country or jurisdiction, which is subject to sanctions, embargos or similar measures issued by the European Union or the United Nations. |
It includes the following countries:3
Afghanistan, Belarus, Bosnia & Herzegovina, Burundi, Central African Republic, China, Democratic Republic of the Congo, Guinea, Guinea-Bissau, Haiti, Iraq, Lebanon, Libya, Mali, Moldova, Montenegro, Myanmar (Burma), Nicaragua, Russia, Serbia, Somalia, South, Sudan, Sudan, Syria, Tunisia, Turkey, Ukraine, United States, Venezuela, Yemen, Zimbabwe. This risk factor is considered as increasing risk by applicable legislation and guidelines of competent authorities.
Iran and North Korea and some other countries are prohibited countries as provided below. |
4 |
4 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”. |
2 |
Prohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform. |
|
The customer, person participating in a transaction or the transaction itself is related to a country, which in the FATF blacklist or which is included in the list of the State Sponsors of Terrorism |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
2 |
Prohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform.
|
|
|
The Customer’s place of residence or location is in a country which doesn´t correspond with the Company’s risk appetite. |
It includes the following countries:
Afghanistan, Albania, Barbados, Belarus, Bosnia and Herzegovina, Burkina Faso, Burundi, Cambodia, Cayman Islands, Central African Republic, China, Congo, The Democratic Republic of the Congo, Guinea- Bissau, Gibraltar, Haiti, Iran,
Iraq, Jamaica, Japan, Jordan, Lebanon, Libya, Mali, Morocco, Mozambique, Myanmar, Nicaragua, North Korea, Panama, Philippines, Russia, Senegal, Somalia, South Sudan, Sudan, Syria, Tanzania, United Republic of Tanzania, Turkey, Uganda, Ukraine, USA, Venezuela, Yemen, Zimbabwe. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
2 |
Prohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform. |
|
The wallet used by the Customer in transaction has high-risk score (incl. use of tumbler/mixer, etc.). |
The Customer’s behavior may be linked to ML/TF or violation of Sanctions. |
3 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
Purpose of transaction shall be clarified. |
2 |
High
(4,5) |
Shall be monitored in the course of ODD measures by the relevant Chainalysis solution. |
|
The Customer's transactions originate from or are destined to online gambling services |
Such services are more vulnerable for ML/TF and violation of Sanctions. |
3 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
Purpose of transaction shall be clarified. |
2 |
High
(4,5) |
Shall be monitored in the course of ODD measures by the Chainalysis solution. |
|
The Customer’s business activity or transactions are inconsistent with the customer profile (e.g. avaliable wealth, historical financial profile) |
The Customer’s behavior may be linked to ML/TF or violation of Sanctions. |
3 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
Purpose of transaction shall be clarified. |
2 |
High
(4,5) |
Shall be monitored in the course of ODD measures by the Chainalysis solution. |
|
The Customer repeatedly uses in transactions wallet(s) with high-risk score (incl. use of tumbler/mixer, etc.) and explanation about such transactions is insufficient. |
The Customer’s behavior may be linked to ML/TF or violation of Sanctions.
|
4 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
2 |
Prohibited
(8) |
Shall be monitored in the course of ODD measures by the Chainalysis solution. |
|
The Customer is providing fraudulent documents in the course of service provision (incl. SoF documents, etc.). |
Such behavior is not acceptable by the Company and may rely to the Customer’s intend to participate in ML, TF or violation of Sanctions. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
2 |
Prohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the relevant KYC service provider’s solution.
|
|
The Customer links several credit cards to their VA wallet to withdraw funds or deposit funds from ATM’s VA deposits to the credit cards or bank account |
The Customer’s behavior may be linked to ML/TF or violation of Sanctions. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
Prohibited
(8) |
Shall be monitored in the course of ODD measures by Chainalysis solution. |
|
The Customer's transactions or business activity is abnormal and/or seemingly unnecessary and does not have logical business explanation |
The Customer’s behavior may be linked to ML/TF or violation of Sanctions.
|
4 |
4 |
Refusal to onboard the Customer and engage in business relationship. |
2 |
Prohibited
(8) |
Shall be monitored in the course of ODD measures by the Chainalysis solution. |
|
The Customer's activity suggests that the customer might favour anonymity (e.g. transactions with VAs that provide higher anonymity, use of VA ATM's) |
The Customer’s behavior may be linked to ML/TF or violation of Sanctions.
|
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
Prohibited
(8) |
Shall be monitored in the course of ODD measures by the Chainalysis solution. |
|
1) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R1675-20220313&qid=1661262065027
2) http://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/increased-monitoring-june-2022.html 3) https://www.sanctionsmap.eu/#/main , https://www.un.org/securitycouncil/sanctions/information 4) https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/call-for-action-june-2022.html 5) https://www.state.gov/state-sponsors-of-terrorism/ |
|||||||
Risks relating to delivery channels
| Description of risk factor | Considerations (incl. quantitative data) | Impact | Likelihood | Mitigation Actions | Score of Controls | Residual risk (score) | Way for risk factor’s identification |
|---|---|---|---|---|---|---|---|
|
The Customer makes payments within the scope of the business relationship only via an account located in a credit institution whose place of business is in a contracting state of the European Economic Area. |
Credit institutions located in EEA apply strict AML/CTF and Sanctions regimes and therefore their Customer’s risk may be considered as lower than usual. |
1 |
1 |
Shall be applied CDD measures in relation to the Customer in accordance with AML policy and document “Requirements for data collection and verification”.
|
3 |
Low
(0,3) |
Shall be monitored in the course of ODD measures by the Company’s platform |
|
The Customer’s IP address or location differs from used in the course of onboarding and there’s no logical explanation |
Such transaction pattern may link to ML. |
3 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”. |
2 |
High
(4,5) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform |
|
The Customer uses an IP address associated with a darknet or other similar software that allows anonymous communication, including encrypted emails and VPNs. |
Such activity is considered as red flag indicator by FATF |
3 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”.
|
2 |
High
(4,5) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform
|
|
The Customer uses credit institution, financial institution, paying institution or tax system that promotes anonymity (incl. shell banks) or that is located in a high-risk third country |
Relationships with such customers may be more vulnerable to ML, TF or Sanctions risks.
|
3 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”. |
2 |
High
(4,5) |
Shall be monitored in the course of ODD measures by the Company’s platform
|
|
The Customer wishes to use settlement channels and accounts belonging to unknown or unrelated third persons |
It includes use of third parties not related to the Customer for performing payments for services on behalf of the Customer (incl. virtual currency wallets and credit cards) |
2 |
3 |
In addition to CDD measures shall be applied EDD measures in relation to such Customer in accordance with the document “List of enhanced due diligence measures”. |
2 |
High
(3) |
Shall be monitored in the course of ODD measures by the Company’s platform
|
|
The Customer’s IP address is related to a country or jurisdiction which is in a FATF black or grey list, which is subject of sanctions or other country which is not in line with the Company’s risk appetite |
It may indicate that the Customer is from this country. |
4 |
4 |
Refusal to onboard the Customer and engage in business relationship.
|
2 |
Prohibited
(8) |
Shall be identified and verified by the relevant KYC service provider’s solution.
Shall be monitored in the course of ODD measures by the Company’s platform.
|