ANTI-MONEY LAUNDERING AND COUNTER TERRORIST FINANCING COMPLIANCE POLICY
DEFINITION OF KEY TERMS AND CONCEPTS
LIST OF ABBREVIATIONS
AML/CFT - Anti-Money Laundering and Combating Financing of Terrorism
CDD - Customer Due Diligence
CTR - Cash Transaction Report
EDD - Enhanced Due Diligence
FATF - Financial Action Task Force
FIU - Financial Intelligence Unit
KYC - Know Your Customer
ML - Money Laundering
MLRO - Money Laundering Reporting Officer
PF - Proliferation Financing
STR - Suspicious Transaction Report
TF - Terrorist Financing
INTRODUCTION
Foreword
This Policy provides guidelines and procedures ("AML/CFT Policy”) applicable to Software C Sp. z o.o. or” Company”. The increasing incidents of financial crimes have highlighted the serious threat to the integrity of financial systems, and the further requirement to take measures to prevent and combat such crimes.
Policy Statement
The Company is strongly committed to preventing the use of its systems, products and services for money laundering and financing of (collectively termed AML/CFT).
Accordingly, the Company will comply with all applicable laws and regulations designed to combat money laundering, terrorist financing and proliferation financing and is committed to cooperate with the appropriate local authorities and uphold the highest and best international standards in that regard given the multi-jurisdiction operations and the global reach of its products and services.
Legal Framework Governing AML/CFT Obligations
The AML/CTF Policy is guided by the principal requirements and obligations contained in AML/CFT Act.
Under the guidelines from the Republic of Poland, the minimum provisions of the internal AML/CFT procedure (AML policy) shall include a determination of:
The activities or actions taken with the aim of mitigating the risk of money laundering and terrorist financing as well as appropriate management of the identified risk of money laundering and terrorist financing.
The rules for recognizing and assessment of the risk of money laundering and terrorist financing associated with the given business relationships or an occasional transaction, including the rules for verification and updating of the assessment of the risk of money laundering and terrorist financing made previously.
The measures applied for the purpose of appropriate management of the recognized risk of money laundering or terrorist financing associated with the given business relationships or an occasional transaction.
The rules for the application of financial security measures; the rules for storing documents and information.
The rules for the fulfillment of the obligations include providing the General Inspector of information on transactions and notifications.
The rules for reporting by employees of actual or potential breaches of the provisions on combating money laundering and terrorist financing.
The rules for internal control or supervision of compliance of activity of an obliged institution with the provisions on combating money laundering and terrorist financing as well as the rules of conduct determined in the internal procedure.
The rules for noting discrepancies between the information gathered in the Central Register of Beneficial Owners and the information on beneficial owners of the customer in connection with the application of the Act.
The rules for documenting impediments determined in connection with verification of the identity of the beneficial owner as well as activities undertaken in connection with identification, as the beneficial owner, a natural person occupying a post in senior management.
To meet the various AML/CFT obligations imposed by the relevant frameworks, Company has put in place an AML/CFT Compliance Program comprising the following key components:
Board Approved Policies and Procedures
Designated Money Laundering Reporting Officer (MLRO)
Annual AML/CFT Risk Assessment
Risk-based controls
AML/CFT Training Program for all Staff
Independent testing (internal / external audits;)
Conformance activities (compliance monitoring/quality assurance)
Ongoing reporting to Senior Management and the Board; and
Compliance with local AML/CFT laws and regulations
[THE COMPANY] undertakes to ensure compliance with the Federal AML-CFT Laws including,
refrain from opening or conducting any financial or commercial transaction under an anonymous or fictitious name or by pseudonym or number, and maintaining a relationship or providing any services to it
ensure prompt application of the directives when issued by the Competent authorities in the Republic of Vanuatu for implementing United Nations Security Council Resolutions relating to the suppression and combating of terrorism, terrorist financing and proliferation of weapons of mass destruction and its financing, and other related directives, as well as compliance with all other applicable laws, regulatory requirements and guidelines in relation to economic sanctions
notwithstanding all relevant requirements in this Compliance and Risk Management Rulebook, maintain all records, documents, and data for all transactions, whether local or international, and make this information available to Regulators upon request; and
ensure full compliance with any other AML/CFT requirements and applicable laws, regulatory requirements and guidelines as may be promulgated by REPUBLIC OF VANUATU federal government bodies or FATF.
Purpose of the Policy
The AML/CFT Policy forms an integral part of the AML/CFT Compliance Program and seeks to:
Prevent the use of Company platforms/products/services for money laundering, terrorist financing and financing of proliferation of weapons of mass destruction.
Prevent damage to the Company’s name and reputation by association with money launderers, terrorist financiers and proliferators.
Ensure that the Company complies with AML/CFT jurisdiction specific legislation/regulations.
Specify basic expectations of all employees as regards their statutory obligations for the detection and prevention of ML and TF risks.
Scope of the Policy
The Policy shall apply to:
Board of Directors
Shareholders
Service Providers/Suppliers
All employees (permanent or temporary) including staff of agencies, consultants and contractors, irrespective of their location, function, grade or standing.
Policy Review
The Policy shall be reviewed on an annual basis or whenever there are new material developments.
GOVERNANCE FRAMEWORK
Every Director and Employee of the Company is individually responsible i.e. bear a personal legal liability, for observing and complying with applicable AML/CFT laws and regulations, this Policy and all related internal procedures and processes regarding the same.
To enhance this governance framework, the above-mentioned responsibility is included in all Job description (JD) for employees to understand and acknowledge full responsibilities with regards to AML/CFT and the contents of this Policy
Board of Directors
The ultimate responsibility for the AML/CFT Compliance Program rests with the Board of Directors. The Board of Directors shall be responsible for the:
Appointment of a qualified individual at management level, designated as the Money Laundering Reporting Officer (MLRO), with overall responsibility for the AML/CFT function.
Setting the tone from the top by openly voicing their commitment to the AML/CFT program, ensuring that their commitment flows through all service areas and lines of business, and holding responsible parties accountable for compliance.
Providing the MLRO with sufficient authority such that when AML/CFT issues are raised they get the appropriate attention from the Board, senior management, and the business lines.
Reviewing and approving the AML/CFT Policy and adopting appropriate AML/CFT Programs as well as ensuring that they are adequately implemented and maintained by staff.
Providing adequate resources to the Compliance function, including appropriate staff and technology to apply AML/CFT measures.
Approving or declining high-risk customers, including politically exposed persons.
AMLO Officer (MLRO)
The scope of AMLO (MLRO) activities can be divided into three groups:
(statutory obligation) ensuring compliance of the activities of the obliged institution and its employees and other persons performing activities for the benefit of this obliged institution with the provisions on anti-money laundering and terrorist financing (performance of tasks of a security guarantor),
performing other tasks related to AML/CFT, e.g. supervising and verifying risk-based ML/CFT assessment, preparing internal AML procedure, organizing external trainings for designated employees, self-education, participation in courses, trainings, symposia meetings etc. related to AML/CFT, cooperation with prosecutor’s office and services which are cooperating units (Police, ABW, CBA, KAS) – the above in accordance with the internal system of the obliged institution.
Money Laundering Reporting Officer (MLRO)
The Compliance Officer is the Company’s appointed MLRO who reports administratively to the Chief Executive Officer and functionally to the Board Risk Management and Compliance Committee.
The MLRO appointment shall be reviewed annually to ensure ongoing suitability for the discharging of the responsibilities.
The overall ownership and day-to-day management of the AML/CFT Policy rests with the MLRO. The MLRO shall:
Have full responsibility for overseeing, developing, updating and enforcing the AML/CFT Policy and the Compliance Program.
Conduct risk Institutional ML/TF risk assessments
Have sufficient authority to oversee, develop, update and enforce AML/CFT policies and procedures throughout the Company.
Be competent and knowledgeable regarding money laundering, terrorist financing and proliferation financing risks and the AML/CFT legal framework.
Serve as the contact person with regulators other Competent authorities in case of enquiries related to AML/CFT.
Respond within stipulated timeframes to information requests made by the regulator or other Competent authorities including FIU.
Receive suspicious or unusual transaction reports from staff and submitting the same to the responsible authorities.
Communicate all relevant AML/CFT issues throughout the Company.
Ensure that AML/CFT obligations are embedded into the day-to-day activities of the Company’s operations and that business has established appropriate internal controls and procedures to comply with applicable legislation and regulations.
Coordinate the training of employees on AML/CFT issues.
Inform the Board and Executive Management about AML/CFT compliance efforts, compliance failures and the status of corrective.
Regulators is obliged to refuse to grant approval if an individual fails to satisfy Regulator that the individual is a Fit and Proper Person. If an individual does not meet any individual elements set out in the Regulators Company Rulebook, Competent Authorities may nonetheless be satisfied that such an individual is a Fit and Proper Person considering all relevant factors.
Competent Authorities has the sole discretion to request a Company to provide such evidence as Competent Authorities may require which shows that the above requirements are satisfied. In addition, Competent Authorities shall take into consideration any failures by an individual to comply with the Compliance and Risk Management Rulebook when assessing whether an individual is a Fit and Proper Person.
AML/CFT activities may be delegated to appropriate Entities, provided that the MLRO shall continue to be held accountable for all responsibilities and obligations in relation to the implementation of the relevant policies and procedures; and all applicable requirements in the Company Rulebook, including Outsourcing management requirements, are complied with.
Heads of Departments / Line Managers
Heads of Departments or Line Managers are accountable for implementation of this Policy in their respective businesses. They shall be responsible for:
Establishing internal controls and procedures to comply with this Policy and ensuring that they adhered to and monitored for compliance.
Ensuring that all staff under their charge are aware of and understand both their own individual responsibilities and the obligations of the Company in terms of fulfilling and meeting the requirements of legislation/regulations for AML/CFT.
Incorporating AML/CFT obligations in the job description of every employee under their supervision.
Cooperating fully with any AML/CFT inspection or audit.
Recording and providing the MLRO with prompt advice of unusual/suspicious transactions and other matters of significance.
Internal Audit
The Internal Audit function shall independently review the adequacy of AML/CFT controls and effectiveness of the Company’s AML/CFT Program.
The Internal Audit Team is expected to have the required qualifications and expertise in AML coupled with a thorough understanding of the operations of the Company to be able to understand the regulatory obligations, best practices, as well as the latest money laundering typologies.
Employee Obligations
Anti-money laundering, countering the financing of terrorism and countering proliferation financing is the responsibility of every employee. At a minimum, every employee is expected to:
Know and understand the Company’s Policies and procedures which detail the processes to guide staff on the implementation of the various key AML/CFT obligations.
Participate actively in AML/CFT training and awareness programs.
Report suspected ML and TF activities to the Compliance function.
Fully cooperate with the Compliance function and/or Law Enforcement Agencies whenever required.
GENERAL PRINCIPALS
The goal of criminal operations is to generate a profit for the individuals or group that carries out the activity. Money laundering is the processing of these criminals’ disguise the illegal origin. This process is of critical importance as it enables the criminal to enjoy these earnings without jeopardizing their other activities.
Institutions involved in financial activities and related activities are required by law to identify, monitor, investigate and report transactions of a suspicious nature to the Financial Intelligence Units in respective jurisdictions. All these institutions must verify a customer’s identity (due diligence) by obtaining the required documents for further understanding of the kind of transactions in which the customer is likely to engage, and to make sure that funds do not involve money laundering.
Company shall implement several anti-money launderings and combating the financing of terrorism measures as required under applicable international standards and recommendations. Company has policies designed and procedures implemented to identify any suspicious activities and ensure that any transaction routed through is not used by criminals or terrorists.
With more emphasis to have a transparent business environment in both services to customers and compliance, it is considered sufficient to meet the requirements of the regulations, as in force within the Republic of Vanuatu laws and to ensure compliance with FATF Recommendations, UN, and other international regulatory bodies (where applicable).
This Policy will be reviewed annually and updated (when required) and will be approved by the Chief Executive Officer & Head of Legal and Managing Director.
ENFORCEMENT
Any Company employee found to have violated this Policy will receive a warning letter. Multiple (two or more) violations of this Policy will result in the termination of employment of the violating employee.
Employees will go through the AML compliance training arranged by the Company be aware of the consequences of their failure to comply with the Policy, including reporting potential fraudulent/suspicious activities that may lead to the employee’s voluntary or involuntary involvement into criminal activities.
Any third-party partner found to have violated this Policy will be subject to contract termination as well as any other remedial measures available under applicable law.
KEY AML/CFT CONCEPTS
Money laundering
Money laundering refers to any transaction aimed at concealing and/or changing the identity of illegally obtained money so that it appears to have originated from legitimate sources, where in fact it has not”.
Any person, having the knowledge that the funds are the proceeds of a felony or a misdemeanour, and who wilfully commits any of the following acts, shall be considered a perpetrator of the crime of Money Laundering:
Transferring or moving proceeds or conducting any transaction with the aim of concealing or disguising their Illegal source
Concealing or disguising the true nature, source or location of the proceeds as well as the method involving their disposition, movement, ownership of or rights with respect to said proceeds.
Acquiring, possessing or using proceeds upon receipt
Assisting the perpetrator of the predicate offense to escape punishment
For Money laundering to happen there should be always a predicate offence and these are as follows:
Organized criminal activity & racketeering.
Human Trafficking & migrant smuggling
Dealing in Narcotics & Psychotropic substances
Counterfeiting currency & piracy of products
Insider trading & market manipulation.
Sexual exploitation, including children
Kidnapping, piracy & terrorism
Offences committed in violation of environmental laws
Illicit dealing in firearms & ammunition
Bribery, embezzlement, damage to public property
Corruption, fraud, breach of trust & related offences
Stages of Money Laundering
Placement- The introduction or placement of illegal proceeds into the financial system is termed ‘Placement’. Often, this is accomplished by placing the funds into circulation through financial institutions.
Layering- The separation of illicit proceeds from their source by the layering of financial transactions intended to conceal the origin of the proceeds is called ‘Layering’. This second stage involves converting the proceeds of the crime into another form and creating complex layers of financial transactions to disguise the audit trail, source, and ownership of funds.
Integration- This stage entails using laundered proceeds in seemingly normal transactions to create the perception of legitimacy. The launderer, for instance, might choose to invest the funds in real estate, financial ventures, or luxury assets. By the integration stage, it is difficult to distinguish between legal and illegal wealth. This stage provides a launderer the opportunity to increase his wealth with the proceeds of crime. Integration is generally difficult to spot unless there are great disparities between a person’s or company’s legitimate sources of legitimate employment, business or investment ventures and a person’s wealth or a company’s income or assets.
Terrorist Financing
Terrorist Financing is a facility for providing financial support to terrorist groups or individual terrorists. Terrorist Financing may include both legitimate funds and proceeds of criminal conduct. The most common legitimate funds sources are charitable donations and legitimate sources include foreign government sponsors, business ownership, and personal employment.
This includes providing, collecting, preparing, or obtaining Proceeds or facilitating their obtainment by others with intent to use them, or while knowing that such proceeds will be used in whole or in part for the commitment of a terrorist offense, or if he has committed such acts on behalf of a terrorist organisation or a terrorist person while aware of their true background or purpose.
Any person who has engaged in the above activity being aware that the proceeds are wholly or partly owned by a terrorist organisation or terrorist person or intended to finance a terrorist organisation, a terrorist person or a terrorism crime, even if it without the intention to conceal or disguise their illicit origin would have committed a terrorist financing crime.
Difference between Money Laundering and Terrorist Financing
The main difference between money laundering and financing of terrorism is the origin of funds, in the case of financing of terrorism funds can be from legitimate sources as well.
The motivation differs between traditional money launderers and terrorist financiers. The actual methods used to fund terrorist operations can be the same as, or like, methods used by other criminals to launder funds. Funding for terrorist attacks does not always require large sums of money and the associated transactions may not be complex.
Risk of Money Laundering and the Financing of Terrorism
Money Laundering and Financing of Terrorism carries several risks which includes but are not limited to:
A breach of legislation and regulation for AML/CFT may show a weak compliance control of the Company and may cause civil and criminal penalties including jail terms against the members of the Company.
Reputational risk of the Company.
Liquidity risk in the Company capital cashflow in case compliance/legal risks and reputation risks are realized due to the involvement in money laundering, Company may suffer from getting funding from markets to realize the bearing costs.
Solvency risk in the worst case the solvency of the company may be threatened.
Operating licenses may be withdrawn or denied.
Controls
Compliance Programme
Company firmly conducts its business in compliance with applicable regulatory requirements and provides a secure and legitimate environment and service to customers.
A strong, properly designed, documented AML/CFT Compliance program ensures that the Company works within the regulatory ambit where any non-compliance issues are timely identified, reported, and actioned upon. Minimum requirements for a comprehensive compliance program include, but are not limited to:
Compliance Framework
Independent Compliance Officer
ML/FT Risk Assessment
AML/CFT Policies and Procedures
KYC/CDD/EDD Framework
Transaction Monitoring
Sanctions Compliance Program
Reporting
Training
Record Retention
RISK ASSESMENT METHODOLOGY
Money Laundering and Terrorist Financing (ML/TF) Risk Assessment
Money laundering/Financing terrorism (“ML/FT”) risk assessment provides reasonable assurance that essential ML/FT risks that may impact the well-being of an organization have been identified and appropriate mitigating controls have been implemented.
Company bases its AML/CFT controls on annual assessments of money laundering, terrorist financing and proliferation financing risks. The MLRO shall maintain a methodology for making this assessment. The methodology shall consider the following risk factors including, at a minimum:
Nature, scale, and complexity of the business, including its processes and operations, as well as volume and size of transactions.
Diversity of operations, including geographical diversity and the risks that arise from exposure to different geographies.
Customer risk.
Counterparty risk
Products and services; and
Delivery channels or Interface Risk.
Technology risk
The risk assessment to evaluate ML/TF/ risks shall also consider all the relevant inherent and residual risk factors at the country, sectoral, company specific and business relationship level, among others, to determine the risk profile of the organisation and the appropriate level of mitigation to be applied.
The Compliance Department shall have primary responsibility for the initiation and delivery aspects of the ML/TF Risk Assessment. This would include tasks such as methodology development, maintenance, periodic refresh process/activity initiation and record keeping of completed assessments.
Business line heads, as well as other departments, such as Information Technology, and Operational Risk, may also be required to contribute.
The MLRO shall obtain the agreement of Executive Management and acknowledgement from the Board Risk Management and Compliance Committee of the completed ML/TF risk assessments.
Where a risk assessment identifies gaps within controls or a requirement for new controls, an Action Plan to address any gaps must be devised by the MLRO and tracked to completion keeping the CEO and Board Risk Management and Compliance Committee updated.
New Products / Services
Prior to launching any new product, service or business practice, and before the use of any new technological innovation, for both new and existing products, the MLRO shall assess and document the money laundering, terrorist financing and proliferation financing risks posed by such product, service, business practice or technology and recommend measures to mitigate the risk. The Compliance functions shall be representation in the new product and business development team to ensure AML/CFT concerns are raised.
Risk Rating Matrix
The following Risk Rating Matrix will be applied while assessing regulatory requirement risk and its impact:
Gylor
Determination of inherent risk
Inherent risk implies that the potential for money laundering and terrorist financing is always present due to the nature of financial transactions and the sophistication of criminals and terrorist groups. This is the level of risk before application of risk mitigants.
Inherent risk (risk before treatment) = Risk likelihood * risk impact
Risk likelihood
ML/TF risk likelihood is the probability that an organization or entity will be exposed to money laundering or terrorist financing activities. It assesses the likelihood that such illicit activities will occur within the operations, transactions, and customer relationships of an organization. This assessment considers various factors, such as the nature of the business, the type of customers served, the geographic locations involved, the complexity of transactions, and the effectiveness of internal controls and anti-money laundering (AML) measures.
This is rated as below:
Risk Impact
ML/TF (Money Laundering/Terrorist Financing) risk impact refers to the potential consequences or harm that can result from the occurrence of money laundering or terrorist financing activities within an organization. It assesses the severity of the negative outcomes that may arise if illicit funds are successfully introduced and or placed into the [The Company] by MLs and TFs.
Control Effectiveness
The Risk assessment model also calculates the effectiveness of the control measures to determine whether additional controls are required, or de-risking is required.
Know Your Customer (KYC)
Company carry out the KYC process to identify who the real customer is and ensure the legitimacy of the funds involved in their transactions. The KYC process has been divided into 3 categories,
Customer Identification (CID)
Customer Due Diligence (CDD)
Enhanced Due Diligence (EDD)
Company relies on third parties to perform CDD and therefore shall remain liable for ensuring such third parties perform CDD in accordance with all relevant Rules and Directives.
Companyshall implement adequate measures in keeping with the nature and size of the businesses [including VA Activities] to ensure that such third parties’ performance of CDD is in accordance with all relevant Rules and Directives. This includes ongoing monitoring and testing and independent audits to identify any risk exposure.
The Company shall maintain record of the details of oversight of any outsourced third parties used for AML activities and provide periodic and or upon request by the regulators and or independent auditors.
According to Article 33 of the Polish AML Law, basic financial security measures include:
customer identification and verification of customer identity.
identification of the beneficial owner and taking reasonable steps to:
verification of his identity,
evaluation of the business relationship and, as appropriate, obtain information on its purpose and intended nature,
ongoing monitoring of client business relationships, including:
analysis of transactions conducted during a business relationship to ensure that the transactions are consistent with the obligated institution’s
knowledge of the customer, the nature and scope of the customer’s business, and consistent with the money laundering and terrorist financing risks
associated with that customer,
examination of the source of origin of property values being at the disposal of the client – in cases justified by the circumstances,
ensuring that documents, data or information held on business relationships are kept up to date.
Natural Persons (Individual)
Customer Identification
The customer identification process involves collection of the original identification documents for the customer and ensuring the below information is accurately captured in the system:
Customer’s full name,
Mobile Number
Nationality
Date of Birth
ID Type
ID Number
Address Proof
Legal Entities/Companies
If a customer is a body corporate, the [The Company] must obtain and verify:
the full name of the body corporate and any trading name.
the address of its registered office and, if different, its principal place of business.
the date and place of incorporation or registration.
a copy of the certificate of incorporation or registration.
the articles of association or other equivalent governing documents of
the body corporate.
the full names of its senior management and UBOs.
Copies of valid passports for UBOs and senior management
Proof of residence for UBOs and senior management
If a customer is a foundation, the firm must obtain and verify.
a certified copy of the charter and by-laws of the foundation or any other
documents constituting the foundation.
documentary evidence of the appointment of the guardian or any other
person who may exercise powers in respect of the foundation.
If a customer is an express trust or other similar legal arrangement, the
The firm must obtain and verify:
a certified copy of the trust deed or other documents that set out the
nature, purpose and terms of the trust or arrangement.
documentary evidence of the appointment of the trustee or any other
person exercising powers under the trust or arrangement.
the full names of its senior management and UBOs.
Copies of valid passports, Emirates IDs (where applicable) for the trustees / beneficiaries and senior management
Proof of residence for UBOs and senior management for the trustees / beneficiaries and senior management
Ultimate Beneficial Owners
Where the customer is an entity, the Company must identify and verify the Beneficial Owners (natural persons) who:
Own or control (directly or indirectly) 25% or more of the shares or voting rights.
control the Body Corporate by holding directly or indirectly 25% or more of the Body Corporate’s shares or voting rights or having the right to appoint or remove most of the board of directors of the Body Corporate.
Have the right to exercise, or exercises, significant influence, or control over the Body Corporate
Where the customer is under a partnership structure, the Firm must identify and verify the Beneficial Owners (natural persons) who:
Ultimately are entitled to or control (in each case whether directly or indirectly) a 25% or more share of the capital or profits of the partnership or 25% or more of the voting rights in the partnership; or
Exercise ultimate control over the management of the partnership
Where the customer is a trustee of a trust or similar legal arrangement, the Firm must identify and verify the Beneficial Owners (natural persons) including the settlor of the trust, any other trustee(s) aside from the customer, each beneficiary of the trust.
Customer Due Diligence
The CDD measures that must be carried out involve:
identifying the customer and verifying their identity including any individuals purporting to act on behalf of the customer.
identifying Beneficial Owner and verifying their identity through documentation.
obtaining information on the purpose and intended nature of the relationship.
conducting on-going due diligence of the relationship.
understanding the ownership and control structure in the case of legal entities.
Timing of customer due diligence
The [The Company] undertake customer due diligence when it:
establishes a business relationship with a customer.
suspects a customer of, or a transaction to be for the purposes of money laundering.
doubts the veracity or adequacy of documents, data or information obtained for the purposes of customer due diligence.
there is a change in risk-rating of the customer, or it is otherwise warranted by a change in circumstances of the customer.
Whenever there is an instruction from the customer and or any material change in the customer profile
Business relationship prior to verification of identification
There are instances where a business relationship with a customer may be established before completing the verification of the identification, care should be taken in this regard. This route may be taken if the following conditions are met:
approval from senior management is obtained on a case-by-case basis.
non-deferral of the verification of the customer or beneficial owner would interrupt or delay the normal conduct of business in respect of effecting a transaction.
there is little risk of money laundering occurring and any such risks identified can be effectively managed by the Firm.
the relevant verification is completed as soon as reasonably practicable.
Where timely verification of identification is not completed after establishing a business relationship, the following process should be followed:
document the reason for its non-compliance.
complete the verification as soon as possible.
consider whether there is a requirement to file a SAR or STR.
Consider terminating the relationship.
Customer Onboarding Process
To use the Company’s services, a customer must provide consent to the Company to retain and process the customer’s personal information and share it with third parties on a needed basis to provide the services to the customer. The Company is responsible for safeguarding the customer’s data from unauthorized disclosure.
A customer must register on the Company platform via the website and or application to be able to use Company’s services. The customer will have to enter the following personal information in addition to the details recorded in the system for the CDD process.
Email, if available
Country of birth
ID expiry details
Profession
Expected annual income
Source of funds
Purpose of transactions
Method of payments
Customer KYC verification is done via an onboarding solution to check the authenticity of the uploaded documents and to conduct name screening against the sanctions list, PEP list, Adverse media screening.
In case of potential match to the above lists, hits are created for Compliance review and investigation to determine if there are false or true positives. A decision is thereby taken to proceed with the onboarding if the alerted hits are False positive and if there are True Positives relevant procedures shall apply.
The solution shall carryout liveness checks since the onboarding is not face to face and this is to verify the and be assured that the passport photo, selfie photo and liveness photo are the same otherwise the onboarding will be rejected.
Intermediary Check are enhanced. Accounts open with fake names or nicknames will be blocked, and the customer will be requested to correct the account information by providing it within three days of the request of the Company.
Generally, the system doesn’t allow the registration of accounts with incomplete information. However, if such an account has been registered (for instance, using two letters as a street name), it will be checked and closed if the fake information provision is confirmed.
Risk Based Approach
Company shall implement its due diligence processes as guided by the RBA which requires application of controls which are commensurate to the level of risk. Three due diligence levels shall be instituted on all business processes and customers including:
Simplified Due Diligence
Standard Due Diligence
Enhanced Due Diligence
Simplified Due Diligence
Simplified due diligence shall be applied for low-risk customers. The company shall require basic KYC for customers in this category. This includes collection of identification documents, verify the documents, selfie, liveness test, name screening and sanctions screening. The company shall also obtain the intended purpose for establishing the relationship in a way to establish the customer profile.
In terms of KYC reviews, low risk customers shall have their KYC/CDD reviewed after every three (3) years.
Standard Due Diligence
This is applied for medium risk customers. The company shall collect identification documents for these customers and take considerable measures to verify them. In addition, the company shall obtain the source of funds, intended purpose of the relationship.
In terms of KYC reviews, low risk customers shall have their KYC/CDD reviewed after every two (2) years.
Enhanced Due Diligence
EDD shall be applied on high-risk customers to mitigate the heightened level of risk. Enhanced measures shall include the following:
Collection of identification documents and verifying them.
Verify the authenticity of the provided documents using government agencies.
Obtaining the source of funds and source of wealth.
Obtaining supporting documents for the SOF and SOW including requesting bank statements and other supporting documents.
Reducing UBO ownership and control from 25% to 10% thus the company shall obtain KYC and verify for UBOs owning at least 10% of the company or business.
Obtaining senior management approval prior establishing the relationship.
Enhanced monitoring instituted to have a hawk view of high-risk customers transactions.
KYC/CDD reviews to be done yearly.
Politically Exposed Persons
A PEP is or has been entrusted with prominent public functions in the Republic of Vanuatu or any other foreign country such as head of state or governments, senior politician, senior government official, judicial or military official, senior executive manager of state-owned corporations, and senior official of political parties and a person who is, or has previously been, entrusted with the management of an international organisation or any prominent function within such an organisation:
is an immediate family member or a known close associate of a person referred to in the immediately preceding paragraph.
Individuals having joint ownership rights in a legal person or arrangement or any other close business relationship with the PEP; and
Individuals having individual ownership rights in a legal person or arrangement established in Favor of the PEP.
If a customer claims to be a PEP and or if it is determined that the customer falls into a PEP category, the customer will be requested to pass both stages of the EDD process provided in this Policy. Additionally, senior management approval will be sought before entering a business relationship with the PEP. Senior management will be notified if an existing customer becomes a PEP.
To de-classify a PEP related individual, the MLRO’s approval shall be required to ensure that enough consideration is given to any publicly available information relating to the individual.
Ongoing monitoring shall be conducted for PEPs accounts on a risk sensitive basis. As a minimum measure, the Compliance Function shall facilitate screening of all customer relationships on at least a half yearly basis to identify any individual who may have subsequently become a PEP or closely related to a PEP.
Employee Screening
Employee screening is an integral part of the Compliance program which requires all employees of the Company to undergo screening at onboarding stage, periodic and event triggered.
Employee onboarding screening
All employees regardless of their grades, location, department must be screened manually against the Sanctions, PEP, Blacklist and adverse media to determine if the level of risk that the employee pose to the Company in relation to money laundering and terrorist financing and other related financial crimes.
The screening process shall be done prior to the offer letter signing ceremony and if the prospective employee carries a level of risk that is outside the Company’s risk appetite, then the onboarding process shall be terminated documenting the decision and the assessments thereof.
Periodic Screening
The company shall implement periodic screening on all employees as guided by the risk-based approach. For all Board members, Executives and Senior Management the screening shall be done once every 2 (two)years. For the rest of the teams, screening shall be done once every year.
Events triggered screening.
In some cases, there are events which warrants employee screening outside of the periodic screening which includes but not limited to the following:
Promotions or demotions
Suspicious activity or behaviour
Negative news on employees
Ongoing investigation on employee internal or external
All employee screening reports, and related documents shall be kept as per the Company document retention policy and should therefore be part of the employee’s profile.
Unacceptable Business relationships
Company will not establish a business relationship with a prospective customer that is a Legal Person or Legal Arrangement if the ownership or control arrangements of the customer prevent the Company from identifying one or more of the customer’s beneficial owners. Ownership arrangements which may prevent the Company from identifying one or more of the beneficial owners include bearer shares and other negotiable instruments in which ownership is determined by possession.
The Company does not establish business relationships with Shell Companies. A Shell Company is defined as a Company that has no physical presence in the country in which is it was incorporated or licensed and is not affiliated with a regulator that is subject to effective consolidated supervision.
The Company does not maintain anonymous accounts, accounts in a fictitious name, or nominee accounts which are held in the name of one person, but which are controlled by or held for the benefit of another person whose identity has not been disclosed to the company.
The Company shall not engage in cash transactions in Company with virtual assets either buying or selling virtual assets.
The Company shall not onboard any customer who is resident or located outside the Republic of Vanuatu jurisdiction.
The Company shall not establish any relationship with any sanctioned individual or entity despite the sanctioning regime.
The Company shall not operate from a sanctioned jurisdiction and or offer services to customers residing in sanctioned jurisdictions.
Company shall not establish a relationship with customers who are dealing in prohibited business including the below not exhaustive list:
Shell Company
Shell Bank
Alcohol Trading (if not licensed)
Arms and Weapons dealerships
Individuals / Entities in the Sanctions List or Internal Blacklist
Transaction Monitoring and ongoing monitoring of business relationships
The Company shall ensure monitoring of business relationship to ensure that they are in line with the expected and to determine if the customer is operating as per the purported cause of establishing the relationship.
Monitoring measures shall act to identify any deviations of actual account conduct from the expected and therefore pointing on to suspicious transactions or activity.
Ongoing monitoring helps the company to adjust the customer risk rating as guided by the actual business conduct thus a low-risk customer might engage in activities regarded as high risk therefore need to re rate the customer risk and adjust the risk profiles of the customer.
Transaction monitoring is ensuring that Company does not become a tool to launder money or finance terrorism, and only genuine transactions are processed through the Company.
Transaction monitoring involves scrutinizing the transaction to ensure that transactions are consistent with the customer, business, risk profile, sources of funds, annual transaction activity, etc
Company has implemented system and relying on most trusted transaction monitoring system “Chainalysis” being monitor and identify suspicious transactions and generate alerts for abnormal / suspicious transactions.
Transaction monitoring shall be in real time and ongoing to ensure detection of suspicious transactions.
The solution provides on chain and off chain alerts on suspicious transactions based on pre-set rules and thresholds for further investigation by the Compliance function.
The Company maintains a comprehensive alerts and case management procedures for the disposition of alerts and handing.
If the Compliance officer has determined that there are reasonable grounds to suspect any illicit behaviour, a suspicious transaction shall be filed.
Considerations for customer risk rerating shall be done and de-risking procedures shall be applied in the event the level of risk exposure is unacceptable.
The Compliance function shall review and document the solution capabilities and any identified weakness and establish controls for the identified weakness. Ongoing monitoring and testing for efficient functioning of the solution shall be established and documented.
Distributed ledger analytics
Company has evaluated the blockchain analytic tools available in the market and have considered Chainalysis based on the following:
Chainalysis has extensive coverage of multiple blockchains, including major cryptocurrencies like Bitcoin, Ethereum, Bitcoin Cash, and more. This broad coverage allows for a comprehensive analysis of transactions across different blockchain networks
Chainalysis uses sophisticated algorithms to trace and link transactions across the blockchain. This advanced transaction tracking helps in identifying patterns, relationships, and potential illicit activities on the blockchain
Chainalysis provides a user-friendly interface that allows investigators, compliance professionals, and other users to easily navigate and interpret blockchain data. The platform offers graphical representations and reports to enhance understanding.
Chainalysis employs address clustering techniques to group addresses that are likely controlled by the same entity. This helps in creating a more accurate picture of the flow of funds and the activities of specific users
Risk Assessment: The platform provides risk scoring for addresses and transactions, enabling users to assess the potential risk associated with specific cryptocurrency activities, such as money laundering or fraud.
Chainalysis allows for real-time monitoring of blockchain transactions, providing timely insights into potentially fraudulent or suspicious activities. This proactive approach helps organizations take prompt action to mitigate risks.
Compliance and Regulatory Support: Chainalysis helps organizations comply with anti-money laundering (AML) and Know Your Customer (KYC) regulations by providing tools to monitor and report suspicious transactions to regulatory authorities.
Investigation Support: Law enforcement agencies use Chainalysis to investigate and trace cryptocurrency transactions related to criminal activities, which can assist in solving cybercrimes and tracking illicit funds.
Chainalysis offers educational resources, training, and webinars to help users understand how to effectively use the platform. This support is valuable for ensuring that users can maximize the benefits of the tool
The tool allows users to analyze historical blockchain data, enabling them to trace the origin and evolution of transactions over time. This feature is essential for comprehensive investigations.
Chainalysis operates globally, providing services to a wide range of clients, including law enforcement agencies, financial institutions, and cryptocurrency businesses. This global reach enhances its ability to track and analyze transactions across borders.
The following limitations have been identified
False positives are expected to be high at the initial stage of implementation and get reduced after a certain period of data collection and analysis which will aid in better fine tuning of rules
Chainalysis primarily focuses on transactional data and may not provide a full contextual understanding of the reasons behind transactions. Without additional information, it may be challenging to distinguish between legitimate and illicit activities
As blockchain technology evolves, new cryptographic techniques and privacy-enhancing technologies may emerge. Chainalysis may not immediately adapt to these innovations, leading to potential blind spots in tracking transactions
Transactions conducted on a decentralized Company can be harder to track compared to those on centralized Company.
While blockchain addresses are pseudonymous, linking them to real-world identities can be challenging. Chainalysis may not always accurately attribute transactions to specific individuals, especially if users take measures to obfuscate their identity
Chainalysis relies on the available data on public blockchains. If certain transactions or addresses are not recorded on the blockchain, or if users employ privacy-focused cryptocurrencies, the tool may not capture a comprehensive view of financial activities.
Controls in place to mitigate the identified Chainalysis gaps
Implementation of robust user authentication and authorization mechanisms to ensure that only authorized personnel have access to the Chainalysis tool.
Conduct regular training sessions (annually at minimum) for users to enhance their understanding of the tool's capabilities and limitations. This helps in more accurate interpretation of results.
Company shall conduct periodic audits and reviews of the tool's outputs to identify any discrepancies or anomalies. This ensures that the tool is functioning as expected and that users are interpreting results correctly.
Implement controls that align with privacy regulations to protect sensitive information. This may include redacting or anonymizing certain data to meet privacy expectations.
Company shall set up a continuous monitoring processes to detect and respond to any unusual activities or deviations from expected patterns in the use of the Chainalysis tool.
Establish a feedback mechanism for users to report any concerns or issues related to the tool's performance. This fosters a culture of continuous improvement.
Reporting Requirements
The Company recognizes that reporting any wrongdoing is among the government’s primary weapons in the battle against money laundering and other financial crimes. The Company will report all necessary details of its activity in accordance with the requirements prescribed in the applicable laws.
Suspicious Transaction Report (STR)
A Suspicious Transaction Report (“STR”) is a report on the detected suspicious activity of the Company’s customers. STRs are among the government’s main weapons in the battle against money laundering and other money services crimes. Such reports are also a key component of an effective compliance program in this Policy.
Suspicious transaction indicators shall be regularly updated basing on new typologies and regulatory guidance and or past identified suspicious transactions/ activities and training shall be offered to the relevant employees to ensure that they are aware of the new indicators.
Suspicious transactions must be reported if the Company knows, suspects, or has a reason to suspect that the transaction or linked transactions:
Structuring VA transactions in small amounts, or in amounts under record-keeping or reporting thresholds, like structuring cash transactions.
Making multiple high-value transactions in short succession, such as within a 24-hour period and in a staggered and regular pattern, with no further transactions recorded during a long period afterwards.
Transactions which have no apparent purpose, which make no obvious economic sense, or which are designed or structured to avoid detection.
Accepting funds suspected as stolen or fraudulent including depositing funds from VA addresses that have been identified as holding stolen funds, or VA addresses linked to the holders of stolen funds.
Conducting a large initial deposit to open a new relationship with a VASP,
while the amount funded is inconsistent with the customer profile
Transactions requested by a Person without reasonable explanation, which are out of the ordinary range of services normally requested or are outside the experience.
A new user attempts to trade the entire balance of VAs or withdraws the VAs and attempts to send the entire balance off the platform.
Making frequent transfers in a certain period (e.g. a day, a week, a month, etc.) to the same VA account by more than one person or from the same IP address by one or more persons or concerning large amounts.
Where the size or pattern of Transactions, without reasonable explanation, is out of line with any pattern that has previously emerged or may have been deliberately structured to avoid detection.
Incoming transactions from many unrelated wallets in relatively small amounts (accumulation of funds) with subsequent transfer to another wallet or full Company for fiat currency. Such transactions by several related accumulating accounts may initially use VAs instead of fiat currency.
An extensive use of offshore accounts, companies, or structures in circumstances where the customer's economic needs do not support such requirements.
Transactions by a customer involving more than one type of VA, despite additional transaction fees, and especially those VAs that provide higher anonymity, such as anonymity-enhanced cryptocurrency (AEC) or privacy coins.
customers that operate as an unregistered/unlicensed VASP on peer-to-peer (P2P) Company websites, particularly when there are concerns that the customers handle huge amounts of VA transfers on its customer’s behalf and charge higher fees to its customer than transmission services offered by other companies. Use of bank accounts to facilitate these P2P transaction Unusual Transactions without an apparently profitable motive.
Internal reporting
Any employee who knows, suspects or has reasonable grounds for knowing or suspecting that a person is engaged in or attempting money laundering or terrorist financing, must promptly notify the MLRO and provide the MLRO with all relevant details. The use of the Internal Suspicious Activity Report Form (“Internal SAR”) is mandatory.
All employees must read and understand the Internal Suspicious Transaction Reporting or Internal Suspicious Activity Reporting Procedure Manual and have easy access to the iSTR template for the reporting of any suspicious activity or transaction to the Compliance Function.
The Company shall provide all necessary training and guidance to ensure that the employees are aware of:
Their obligations and responsibilities.
Possible liabilities and penalties for not disclosing or reporting any suspicious activity.
Any internal disciplinary sanctions that may apply for not reporting.
Procedures to be followed when reporting STRs.
Description of all the red flag indicators.
Documentation to be used to make reports.
Tipping off offense and
Employee protection.
Failure to report a suspicion may constitute a criminal offence that is punishable under the laws. It will also constitute a breach of internal procedures and gross misconduct, which may result in disciplinary action.
An employee who considers that a person is engaged in or engaging in an activity that he/she knows or suspects to be suspicious would not be expected to know the exact nature of the criminal offence or that the funds were definitely those arising from the crime of money laundering or terrorist financing, but they must report their suspicions to the MLRO.
External Reporting
Where the MLRO receives an Internal SAR, the MLRO does the following without delay:
Investigates and documents the circumstances in relation to which the Internal SAR was made.
Determines whether in accordance with Federal AML Legislation, an external SAR must be made to the FIU and documents such determination.
If required, makes an external SAR to the FIU as soon as practicable; and
Notifies the applicable regulators of the making of such SAR immediately following its submission to the FIU. Where the MLRO does not file an external SAR, the MLRO should record the reasons for not doing so.
If the MLRO decides to make an external SAR, the decision is made independently and is not subject to the consent or approval of the Company or any other person within the Company.
External SARs are submitted to the FIU and Competent Authorities.
If the Company has reported a suspicion to the FIU, the FIU may instruct the Company on how to continue its business relationship, including effecting any transaction with a person.
The MLRO shall respond to all additional information requests from the FIU and/or Competent Authorities promptly and in any event within forty-eight (48) hours.
Tipping off
Employees must ensure they do not disclose, directly or indirectly, to the customer or any other person that they have reported or are intending to report, a suspicious transaction. They must not disclose any information in the SAR, disclose that a SAR is being filed or has been filed or disclose that they are being investigated.
If an employee reasonably believes that performing customer due diligence measures will tip-off a customer or potential customer, he/she may choose not to pursue that process and should file a SAR. The Company and its staff will always be aware of and sensitive to these issues when considering customer due diligence measures.
It is a criminal offence, punishable for anyone to take any action likely to prejudice an investigation by informing (i.e. tipping off) the person who is the subject of a SAR, or anybody else, that they are being scrutinised for possible involvement in money laundering or being investigated by a competent authority.
Employee Protection
The Company strongly commits to the principle that it does not prejudice a staff member who discloses any information regarding money laundering to the regulator or to any relevant body involved in the prevention of money laundering. It is important that staff disclose any information regarding money laundering with no hesitation and the Company fully supports this protocol.
Travel Rule
As per the FATF recommendation 16 on Wire Transfers which establishes that ordering institutions, whether a virtual asset service provider (VASP) or other obliged entity such as a Financial Institution, involved in a virtual asset (VA) transfer, obtain and hold required and accurate originator information and required beneficiary information and submit them to beneficiary institutions.
To meet the requirements of the Travel rule the Company shall ensure that all sources of assets and its beneficiary will have to “travel” with the transaction and have it retained and stored before permitting any client access to virtual assets received from a transfer for.
As per Competent Authorities’ requirement the travel rule shall apply to incoming and outgoing transactions. The following information shall be mandatory for all transactions which fall within the Travel rule scope:
Originator information
Originator name
Originator distributed ledger address
Originator Crypto -asset Account Number
Originator address
Originator LEI (where applicable, or an equivalent official identifier)
Beneficiary information
Beneficiary name
Beneficiary distributed ledger address
Beneficiary Crypto -asset Account Number
Originator LEI (where applicable, or an equivalent official identifier)
Travel Rule Implementation
Risk Based Approach on Sunrise issue
The company shall fully comply with the travel rule requirements when sending or receiving funds with all obliged entities. Deposit and withdrawals with Travel rule non-compliant VASPs shall be considered as guided by the perceived risk of the transaction including the jurisdiction laws and regulations, the counterparty AML/KYC Program, the counterparty risk exposure and the value of the transaction.
The Company might enhance its due diligence measure on the verified part of the transaction who is the customer of the Company and obtain RFIs to shape the understanding of the underlying transaction.
Counterparty due diligence - The company shall carry out counterparty due diligence to assess the counterparties risk exposure and its ability to safeguard personal identifiable information before engaging in the Company of customer information.
If the transaction is initiated from a Travel rule non-compliant Company for our Company then we shall take enhanced measure to determine the risk exposure of the transaction including:
The risk profile of the receiving customer
The transaction history of the recipient to determine if there is economic sense for the underlying transaction.
Obtain unverified information about the sender from our verified customer.
Consider the value of the underlying transaction and determine the purpose of the transaction.
Have an enhanced transaction monitoring on the account activity to determine any suspicious behaviour or transaction.
Anonymity enhanced transactions
Anonymity-enhanced transactions are often associated with privacy coins or mixing services that aim to obscure the origin and destination of funds. The Company shall implement enhanced measures to mitigate the risk exposure from such services and transactions.
The company shall take considerable measures to determine the risk profile for a particular transaction or customer interacting with anonymity enhanced services including:
Customers interacting with anonymity enhanced services shall be classified as high-risk customers and therefore they will be subject to strict KYC and AMl procedures.
Customers interacting with anonymity enhanced services shall have their KYC /CDD reviewed every six (6) months a guided by the RBA.
The company has a zero appetite and tolerance to privacy tokens.
The company shall have a zero-thump rule for direct exposure to mixers and tumblers.
For indirect exposure the Company shall consider the number of hopes from or to the anonymity enhanced service and implement a post facto review instead of a stop and review approach.
A stop and review approach shall be implemented if the sending cluster has been identified as an anonymity enhanced service.
Enhanced transaction monitoring through alerting for investigation any transaction associated with privacy coins or mixing services.
De-risking customers who are frequently associating with anonymity-enhanced transactions with no apparent reasonable grounds.
If the company cannot mitigate the ML/TF risks associated with a given customer or products and services involving anonymity- enhanced transactions, then de-risking procedures shall be considered.
Sanctions Risk Management
Company is strongly committed to the adherence and enforcement of sanctions requirements that are relevant to its jurisdiction of operations. It shall take enhanced measures to identify and report any sanctioned party or transactions and any attempts for sanctions evasions.
Legal Framework Governing Sanctions Obligations
The Company is governed by the relevant federal law and executive regulations for the purpose of implementing local and UN sanctions in the Republic of Vanuatu including AML/CFT Act of Republic of Vanuatu.
Sanctions Risk Management
The Company applies the Risk Based Approach in its Sanctions Risk Management Framework. This mainly focuses on carrying out Sanctions Risk assessments, identifying and understanding the sanctions risks and applying controls that are commensurate with the level of risk. The company has categorised the Sanctions risk controls in 4 categories including,
Jurisdiction sanctions risk management
Customer onboarding/ Business relationship Establishment
Ongoing sanctions risk management
New products/ services sanctions risk management
To meet regulatory expectation and effectively mitigate sanctions risk, the Company commits to the development, implementation of the Sanctions Compliance Program. The Sanctions Compliance Program includes the following components,
Management Commitment
Risk Assessment
Internal controls
Testing and auditing
Training
Applicable Sanctions lists
The company shall adhere to the following sanctions regimes as guided by the licencing jurisdiction and regulatory authorities:
United Nations Security Council Resolution (Mandatory)
Local terrorist list (Mandatory)
OFAC sanctions list
European Union
UK Her Majesty
Sanctions Risk Assessment
Risk assessment is the Company’s foundation in ensuring effective sanctions risk management. As guided by the Risk based Approach, the Company takes on a well-planned and formulated risk assessment to understand its risk exposure and clearly draw the line for acceptable risk and unwanted risk (risk appetite) and ensure commensurate risk mitigants and controls are applied.
The risk assessment to evaluate Sanctions risks shall also consider all the relevant inherent and residual risk factors at the country, sectoral, company specific and business relationship level, among others, to determine the risk profile of the organisation and the appropriate level of mitigation to be applied.
The Compliance Department shall have primary responsibility for the initiation and delivery aspects of the sanctions risk assessment. This would include tasks such as methodology development, maintenance, periodic refresh process/activity initiation and record keeping of completed assessments.
Business line heads, as well as other departments, such as Information Technology, and Operational Risk, may also be required to contribute.
The MLRO shall obtain the agreement of Executive Management and acknowledgement from the Board Risk Management and Compliance Committee of the completed sanctions risk assessments.
Where a risk assessment identifies gaps within controls or a requirement for new controls, an Action Plan to address any gaps must be devised by the MLRO and tracked to completion keeping the CEO and Board Risk Management and Compliance Committee updated.
Company bases its sanctions controls on annual assessments of sanctions violation exposure. The MLRO shall maintain a methodology for making this assessment. The methodology shall consider the following risk factors including, at a minimum:
Nature, scale, and complexity of the business, including its processes and operations, as well as volume and size of transactions.
Diversity of operations, including geographical diversity and the risks that arise from exposure to different geographies.
Customer risk.
Counterparty risk
Products and services; and
Delivery channels or Interface Risk
New Products / Services
Prior to launching any new product, service, or business practice, and before the use of any new technological innovation, for both new and existing products, the MLRO shall assess and document the sanctions risk exposure by offering such product, service, business practice or technology and recommend measures to mitigate the identified risk. The Compliance function shall be representation in the new product and business development team to ensure sanctions concerns are raised.
Sanctions Due Diligence
Know your customer / know your customer business
Company carry out the KYC process to identify who the real customer is and ensure the legitimacy of the funds involved in their transactions. The KYC process has been divided into 3 categories,
a) Customer Identification (CID)
b) Customer Due Diligence (CDD)
c) Enhanced Due Diligence (EDD
Natural Persons (Individual)
Customer Identification
The customer identification process involves collection of the original identification documents for the customer and ensuring the below information is accurately captured in the system:
Customer’s full name,
Aliases
Mobile Number
Nationality
Date of Birth
ID Type
ID Number
Address Proof and last known address
Legal Entities/Companies
If a customer is a body corporate, the Company must obtain and verify:
the full name of the body corporate and any trading name.
aliases
the address of its registered office and, if different, its principal place of business.
Addresses of branches
the date and place of incorporation or registration.
a copy of the certificate of incorporation or registration.
the articles of association or other equivalent governing documents of
the body corporate.
the full names of its senior management and UBOs.
Copies of valid passports, Emirates IDs (where applicable) for UBOs and senior management
Proof of residence for UBOs and senior management
Ultimate Beneficial Owners
Where the customer is an entity, the Company must identify and verify the Beneficial Owners (natural persons) who:
Own or control (directly or indirectly) 25% or more of the shares or voting rights.
control the Body Corporate by holding directly or indirectly 25% or more of the Body Corporate’s shares or voting rights or having the right to appoint or remove a majority of the board of directors of the Body Corporate.
Have the right to exercise, or exercises, significant influence, or control over the Body Corporate
Where the customer is under a partnership structure, the Firm must identify and verify the Beneficial Owners (natural persons) who:
Ultimately are entitled to or control (in each case whether directly or indirectly) a 25% or more share of the capital or profits of the partnership or 25% or more of the voting rights in the partnership; or
Exercise ultimate control over the management of the partnership
Where the customer is a trustee of a trust or similar legal arrangement, the Firm must identify and verify the Beneficial Owners (natural persons) including the settlor of the trust, any other trustee(s) aside from the customer, each beneficiary of the trust.
Customer Due Diligence
The CDD measures that must be carried out involve:
identifying the customer and verifying their identity including any individuals purporting to act on behalf of the customer.
identifying Beneficial Owner and verifying their identity through documentation.
obtaining information on the purpose and intended nature of the relationship.
conducting on-going due diligence of the relationship.
understanding the ownership and control structure in the case of legal entities.
Timing of customer due diligence
The Company undertake customer due diligence when it:
establishes a business relationship with a customer.
suspects a customer of, or a transaction to be for the purposes of money laundering.
doubts the veracity or adequacy of documents, data or information obtained for the purposes of customer due diligence.
there is a change in risk-rating of the customer, or it is otherwise warranted by a change in circumstances of the customer.
Request for additional services or products of the customer
Business relationship prior to verification of identification
There are instances where a business relationship with a customer may be established before completing the verification of the identification, care should be taken in this regard. This route may be taken if the following conditions are met:
approval from senior management is obtained on a case-by-case basis.
non-deferral of the verification of the customer or beneficial owner would interrupt or delay the normal conduct of business in respect of effecting a transaction.
there is little risk of sanctions violation occurring and any such risks identified can be effectively managed by the Firm.
the relevant verification is completed as soon as reasonably practicable.
Where timely verification of identification is not completed after establishing a business relationship, the following process should be followed:
document the reason for its non-compliance.
complete the verification as soon as possible.
consider whether there is a requirement to file a SAR or STR.
Consider terminating the relationship.
Geographic restriction
The company has clear demarcations on jurisdiction that it does not want to serve based on the sanctions risk posed by serving such jurisdictions. This is shaped by the sanctions risk appetite of the company.
As guided by the sanctions risk appetite of the company the following jurisdictions have been determined to fall into the unacceptable level of risk with regards to sanction,
Democratic People’s Republic of Korea (DPRK)
Islamic Republic of Iran
Somalia
Iraq
Congo
Libya
Central African Republic
Yemen
South Sudan
Mali
This implies that no customer located in the above listed jurisdictions shall have access to the company’s products/services or platforms. The restriction is location based instead of nationality basis.
To enhance the restriction the restricted countries shall not be available on the list of countries during the interaction of the potential customer and the onboarding platform. In addition, the, the onboarding solution shall screen the IP address for the prospective customer and decline any application from the restricted jurisdiction. To enhance the restriction, any application using VPN shall be declined to mitigate the risk of onboarding customers from restricted jurisdictions.
The company’s Compliance function shall current on sanctions to effect any changes to the sanctions climate and ensure that the solution providers have implemented the changes in the system.
In an event of any changes regarding the geographic sanctions that poses a risk to the company, the company shall ensure that the changes are affected immediately after the receipt of the updates. Post implementations check of the changes shall be done to ensure that the system configurations are effective to minimise sanctions violation exposure.
Name Screening
Name screening is a control to mitigate sanctions risk prior establishing any relationship with customers, suppliers, employees, agencies and or 3rd parties.
Customer name screening- Onboarding
Prior to onboarding customers to our platform, name screening shall be performed against the sanctions lists.
Customer name screening- Periodic and ongoing
Due to the dynamics of the sanctions, the screening solution will screen all the customers daily and report if there are any possible or true matches identified which are alerted to the Compliance function for further review and investigation to determine whether it is false positive or true match. Below are the instances where periodic and ongoing portfolio screening applies:
When there are changes to the sanctions lists (name additions or removal)
Where there are material changes to customer information
When there is a suspicious activity or transaction or an underlying investigation on the customer
When the customer is applying for additional services or products
When terminating the customer relationship
Before processing any transaction
Employee name screening
All employed are screened against the sanctions list at different stages of their lifecycle at the company as following:
Prior onboarding
Periodic
Events triggered.
Suppliers, Agencies, 3rd Parties
The company shall screen all suppliers, buyers, sellers, freight forwarder, agencies and or 3rd parties against the sanctions lists before engaging in any relationship or agreement. This therefore implies that no relationship shall be established with a sanctioned supplier, agency or 3rd parties.
Parties to any transaction
Ultimate beneficial owners and ultimate controllers
Directors and or agencies acting on behalf of customers (including individuals with power of attorney)
In the event of a true match, the Compliance function shall report to the relevant regulatory board and consider freezing of the assets if the applicable sanctions have freezing requirements.
The company applies customer de-risking procedures in the event of true match and as guided by the regulatory authorities.
Transaction screening/ transaction diligence
As part of the ongoing due diligence, all transactions (incoming and outgoing) for all asserts undergo screening despite of the values. Transaction screening shall be anchored on the use of solutions to ensure the effective treatment of heightened risks associated with virtual assets and new technologies.
The company uses Chainalysis KYT and Reactor solutions for transaction diligence. The chainalysis KYT is a real-time transaction monitoring solution for crypto transactions. The solution provides alerts based on the preset rules for incoming and outgoing transactions for links to potential sanctioned addresses or nodes.
The Compliance function shall investigate on the alerted transactions from KYT to determine the sanctions exposure and take decisions based on the level of risk, regulatory requirements and the provisions from the relevant sanction’s regime.
Automated Screening tools
The Company shall highly prioritise ASTs which designed to screen against sanctions lists. ASTs generate hits against sanctions lists that may be consolidated into alerts based for review and investigation. The Company shall consider the following as per the RBA,
The sophistication and configurability of the matching software
Availability of screening rules to optimize alert creation/suppression
Support for the screening or transformation of data in non-Latin characters
Ad hoc, one-off, or manual screening functionality
Workflow configurability
Availability of metrics reporting
Testing and Auditing
The company shall engage in pre and post implementation testing for the acquired solutions for screening and monitoring purposes. This is to ensure that the systems are functioning as purported and therefore guaranteeing effective sanctions risk management.
Pre implementation testing shall be done and reported prior going life, and the user acceptance shall be signed off by the technical team and Compliance team as to certify that the implementation testing was successful, and the solution is performing as required or as per configurations.
Post implementation testing shall be done at several stages. The first post implementation testing shall be carried within the 1st month of going life to ensure that any glitches are quicky identified and remediated before they are carried forward for a longer period which warrants a heightened sanctions risk exposure.
Perioding testing shall be done after every 6 months and reports shall be shared with senior management as part of Compliance reporting. Considerations to report serious system glitches to the relevant regulatory authorities shall be made as part of disclosures obligations.
Events triggered testing shall be carried out in the event that the Compliance or Technical team have suspected a system glitch of example an unexpected high volume of alerts (false positive) or a low to non-volume of alerts for a given period. External parties or stakeholders might act as informers for the need for solutions testing for example request for more information from law enforcement for a suspicious transaction that the system could not detect.
It is the Technical and Compliance responsibilities to ensure that pre and post implications testing and reporting are done as per the company policies. Any mis- functionalities or glitches shall be reported to senior management and an assessment of the risk exposure shall be carried out and reported. Furthermore, remediation exercise shall be carried out to ensure that the system is put up to speed as soon as possible to ensure 24/7 compliance.
The testing report shall at minimum include the following information:
Date of testing and last testing date
Reason for testing (periodic or events triggered)
In case of events triggered, a description of the event shall be given
Documentation of the testing methodology and justification
Testing findings
Technical and Compliance signoffs if the solution is working as per expectation.
In case of solution mis functionalities, detailed description of the findings shall be given
Risk assessment of the findings
Remediation plan
Next testing date
Operationalisation of Sanctions Controls
Updating Sanctions list
The company shall register to receive automated email notifications on any updates to the Sanctions lists.
The registration shall ensure that the company receives updated and timely information about the designation and de-listing of individuals, entities or groups in the sanctions lists.
The Company shall ensure that any changes in the applicable sanctions list shall be affected in real time and portfolio screening to be carried out once updated to determine if there are existing customers matching with the sanctioned individuals or entities.
Upon any updates to the sanctions lists screening is done immediately and without delay to ensure compliance with implementing freezing measures without delay (within 24 hours)
In cases of additions to the sanctions list manual name search in the database is carried out to form a second layer on top of the automated screening thus ensuring effective sanctions risk management.
Freezing and blocking requirements
In the case of suspicion that a specific transaction or assets may be related to money laundering or financing of terrorism, the Financial Institution (obliged institution) is obliged to notify the General Inspector of Financial Information (GIFI).
Within 24 hours of confirmation of receipt of the notification, the FIs shall not carry out the transaction on which a reasonable suspicion has been raised, nor shall it carry out transactions debiting the account on which the assets have been accumulated.
The GIFI may submit to the FIs a request to block the account for a period not longer than 96 hours, counting from the date and time indicated in the notification acceptance confirmation. The GIFI shall notify a competent prosecutor about a suspicion of money laundering or terrorist financing crime.
The public prosecutor may by decision suspend the transaction or block the account for a specified period, not longer than 6 months.
The blocking of the account shall expire if, within the six-month period, the public prosecutor fails to issue another order – in this case: (i) a decision on securing property or (ii) a decision on material evidence.
So far, practice has shown that law enforcement has extended the blocking of accounts beyond the initial 6-month period by issuing a decision on material evidence, which appeared to be inconsistent with both the law and the guidelines of the General Prosecutor’s Office, which led to changes in the law:
the Supreme Court has held that funds (existing as entries in bank accounts) cannot be considered physical evidence,
in response to the Supreme Court’s resolution, the Polish legislator introduced Article 236b of the Code of Criminal Procedure, which, contrary to the position of the Supreme Court, explicitly allows for the funds in a bank account to be considered an item,
the newly introduced Article 86(11a) of the UAML allows the blockade to be extended 1 time for an additional 6 months, i.e. for a total of 12 months,
the law in this respect is retroactive – i.e. if the prosecutor issued the first decision to block the account before the above provision came into force, e.g. on November 20, 2021, then the prosecutor may extend it for another 6 months. If the Act did not contain Article 18, then the Prosecutor would be obliged to issue an order on property security or an order on material evidence, and otherwise the account blockade would fall.
Dealing in funds
The company shall ensure that all frozen assets are segregated thereby reducing the risk of dealing in funds. Dealing in funds include moving, transferring, alerting, using, or accessing frozen funds.
Segregated funds shall not be found to be changing in terms of volume, amount, location, ownership, possession, character, destination, or other change that would enable funds to be used, including portfolio management.
The obligation to freeze without delay shall not prevent additions to frozen accounts of:
Interest, profits, or other earnings due on the account
Payments due under contracts, agreements or obligations agreed upon prior to the date on which the account has become subject to freezing, provided such additions are immediately frozen.
For international sanctions the company shall ensure to follow the instructions from relevant Supervisory Authority on how to deal with matches to international sanctions lists.
Disclosure to target party
The Company shall consider disclosing the sanctions restriction or freeze to the customer if it does not jeopardise an underlying investigation.
Under normal circumstance, customers might enquire about their account status and the Company is not prohibited from disclosing to the customer that the assets have been frozen.
Compliance monitoring and testing
Compliance monitoring and testing shall be guided by the risk-based approach. This implies that the greater scrutiny shall be instituted on high-risk business process or activities which poses the business and its customers to a heightened level of risk.
Frequency of monitoring and testing shall also be determined by the risk Metrix of a particular event or business process.
High risk activities and business process flows include the following:
Security and safety of client and organisation funds
Compliance solutions including onboarding solutions, screening solutions and transaction monitoring solutions.
High risk customers including PEPs
High risk business relationships including 3rd parties, partners
High risk transactions including anonymity enhanced transactions
Compliance laws and regulations including local laws and international standards
Sanctions obligations since they carry strict liability
Transactions involving cross border and high-risk jurisdictions
Monitoring and testing for high-risk business activities and process shall be done within 6 months. The Compliance Officer shall document the findings and the risk level for any violations or deficiencies which shall be reported to the Board and senior management.
The CO shall provide recommendations to close the identified gaps and obtain regularization commitment from the responsible staff and or departments which must be within a reasonable time frames considering the level of risk exposure.
In the event of material deficiencies, the CO shall notify Competent Authorities and other relevant regulatory authorities of the findings and the remediation plan and timelines.
Independent Auditing
The internal Audit function shall independently review the adequacy of Sanctions risk management controls and effectiveness of the company’s Sanctions Compliance program.
The Internal Audit Team is expected to have the required qualifications and expertise in Sanctions compliance testing coupled with a thorough understanding of the operations of the Sanctions Compliance program to be able to understand the regulatory obligations and best practices.
If the internal Audit is not capacitated to engage in independent Sanctions compliance reviews, investment on capacitation shall be prioritised. The Company shall also consider engaging external auditors to conduct the reviews.
Outsourcing of 3rd parties for AML activities
For outsourcing of AML services and on an ongoing basis, Company established and maintained a comprehensive Outsourcing policy, contingency plan and Outsourcing risk management program.
Company shall be ultimately responsible for compliance with their legal and regulatory obligations and shall be accountable to Competent Authorities for all Functions that have been Outsourced to a Service Provider to the same extent as if the Function was performed in-house.
To ensure an oversight of the outsourced AML activities and Compliance with the regulatory requirements, Company shall
Ensure that the service to be outsourced is with the scope of functions and services that can be outsourced.
Conduct risk assessment to identify the associated risks and institute controls that are commensurate to the level of risk as guided by the risk-based approach.
Prior to selecting a Service Provider, Company must perform detailed due diligence in relation to the Service Provider to ensure that the Service Provider has the ability and capacity to undertake the provision of the Outsourcing effectively, reliably and to a high standard and on an ongoing basis.
The outsourcing arrangement will be undertaken in the form of a legally binding written agreement which clearly sets out the relevant rights, liabilities, and obligations of the Service Provider and the VASP.
Testing and monitoring shall be implemented in all stages of the lifecycle of the relationship including pre-implementation, post implementation and ongoing as guided by the risk-based approach.
Suspicious transaction reporting/ Suspicious activity reporting
STRs/SARs shall be filled if the Company has identified suspicious transactions or activities which might be related to sanctions evasion. These are reported to the FIU.
Below is a non-comprehensive list of TFS related RFRs when raising STRs/SARs:
Customer is engaging in complex commercial deals and arrangements that seem to be aiming to hide the final destiny of the transaction/good or the beneficial owner, which could be a designated individual, entity, or group.
Customer is carrying out multiple offramp withdrawals in short succession across various locations in territories where sanctioned people have influence or around the border of sanctioned countries linked to terrorist financing.
Customer is suspected to be working or acting on behalf of, or is controlled by, a sanctioned individual, entity, or group.
Customer or transaction is suspected of being linked (directly or indirectly) to DPRK’s nuclear related, WMD-related, or ballistic missiles weapons program.
Customer or transaction is suspected of being linked (directly or indirectly) to IRAN’s nuclear weapons program.
Customer or transaction is suspiciously involved in the supply, sale, delivery, export, or purchase of dual use, controlled, or military goods to countries of proliferation concerns or related to illegal armed groups.
Transaction involves sale, shipment, or export of dual use goods incompatible with the technical level of the country to which it is being shipped.
Inclusion of the individual/entity in the international sanctions list e.g. OFAC, UKHMT, EU
Employee Training
The Company will ensure that its employees are familiar with the key compliance requirements applicable to the Company’s activities. Further, the Company will develop an ongoing employee compliance training program quarterly. Training will be included with,
the Policy’s requirements, and principles and procedures related to compliance.
the requirements of compliance under the applicable law.
the Company’s record-keeping and reporting obligations.
guidance in identifying suspicious activity or transactions conducted.
guidance in identifying money laundering operations.
the procedure to be followed once the risks provided in this policy are identified (including how, when, and to whom to escalate red flags for analysis).
what the employees' roles are in the Company's compliance efforts and how to perform them.
the disciplinary consequences (including civil and criminal penalties) for non-compliance; and
the key business risks and the results of the risk analyses to enable the employees to take them into account in the course of their work routine.
And the training is based on following levels of procedures.
MLRO must provide Anti-Money Laundering training to all relevant employees at appropriate and regular intervals. (Company is conducting quarterly employee training programme followed by the mandatory assessment)
The regulator considers it appropriate that all new relevant employees of a relevant person be given appropriate Anti-Money Laundering training as soon as reasonably practicable after commencing employment.
Training is appropriately tailored to the relevant person's activities, including its products, services, customers, distribution channels, business partners and the level and complexity of its transactions and is appropriately tailored to the relevant person's activities, including its products, services, customers, distribution channels, business partners and the level and complexity of its transactions.
Appropriately tailored to the relevant person's activities, including its products, services, customers, distribution channels, business partners and the level and complexity of its transactions.
All relevant details of the relevant person's Anti-Money Laundering training must be recorded, dates when the training was given, the nature of the training and the names of the employees who received the training. (These records must be kept for at least 10 years from the date on which the training was given).
Record Retention
Company responsibility is to retain the records as per regulatory requirements under the applicable local laws. Records include electronic communication and documentation as well as physical, hard copy communication and documentation. As per the company policy required to retain data for not less than 5 years.
The electronic copies of the documents will be stored on the Company’s server at a secure location with limited access granted to certain employees on an as-needed basis. Paper documents will be kept in safe boxes by the responsible employees.
Records to be retained shall include the following:
A copy of all documents and information obtained in undertaking initial and ongoing CDD or due diligence for individuals and entities.
Records, consisting of the original documents or certified copies, in respect of the customer business relationship.
Business correspondence and other information relating to a customer’s account.
Sufficient records of transactions to enable individual transactions to be reconstructed.
Internal findings and analysis relating to a transaction or any business, if the transaction or business appears unusual or suspicious, whether it results in a Suspicious Activity Report
Suspicious Activity Reports and any relevant supporting documents and information, including internal findings and analysis.
Compliance Monitoring reports
Any relevant communications with the FIU.