KYC/AML Policy
ANTI-MONEY LAUNDERING AND COUNTER-TERRORIST FINANCING POLICY
VERSION 4.0
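DISCLAIMER: The information contained in this document is confidential and is intended for internal use only and only by the intended recipient. Any information contained in this document cannot be used, published, or redistributed without the prior written consent of the Director of Zynta.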
1. GLOSSARY AND INTERPRETATION
AML: Anti-Money Laundering.
Applicable laws: Any laws, regulations, requirements, and orders applicable to the Company, including but not limited to the laws specified in the Chapter Overview of legal framework on AML/CTF of the Policy.
Beneficial owner:
- For a legal entity:
(a) A natural person who owns or controls, directly or indirectly, a legal entity through a sufficient proportion of that legal entity’s shares or voting rights, including bearer shares, other than public limited liability companies listed on regulated markets that are subject to requirements of the European Union legal acts for disclosure of information about own business or equal international standards, or who controls it otherwise. A natural person who owns 25 per cent + 1 share of the entity, or a proportion of assets exceeding 25 per cent of the overall assets of the entity, is deemed a direct owner. The natural person(s) controlling the company or several companies which own 25 per cent + one share, or a proportion of assets exceeding 25 per cent of the overall assets of the Customers, is (are) the indirect owner(s).
(b) A natural person in a senior management position, if the persons referred to in the point above have not been identified or if there is any doubt that the identified person is the Beneficial owner.
- For a trust structure – all the following natural persons: the trustor(s); the trustee(s); the custodian(s), if any; natural persons deriving benefit from a legal entity or a subject without the status of legal entity or, if that person is still unknown, a group of persons whose interests that legal entity or a subject without the status of legal entity is supposed to represent or is representing at the moment; and any other natural person who controls the trust structure by having direct or indirect property, or by other means.
- For a legal entity that administrates and allocates funds as a trust-like subject: a natural person who holds a position equivalent to the position specified in the item above.
Business relationship: Business, professional or commercial relationships between the Company and Customer which are connected with professional activities of the Company and which are expected, at the time when the contact is established, to have an element of duration.
CDD: Customer Due Diligence.
Custodial Wallet: Public key-generated Virtual currency addresses for the storage and management of Virtual currencies entrusted to but remaining in the possession of other natural or legal persons (third parties).
Close associate:
- Natural person who participates in the same legal person or an organisation not having legal personality, or maintains any other business relationships, with the person who performs or performed the Prominent Public Functions.
- A natural person who has sole beneficial ownership of the legal person or an organisation not having legal personality which has been set up or is operating for the de facto financial or any other private benefit of the person who performs or performed Prominent Public Functions.
Company: Zynta ltd, as a trading partner of Globachain CZ s.r.o.
CTF: Counter-Terrorist Financing.
Customer: Person with whom the Company enters into a Business relationship which enables the Customer to use the Company’s services.
Director: Director of the Company.
EDD or Enhanced due diligence: Enhanced due diligence.
European Union or EU: European Union and/or European Economic Area.
FATF: Financial Action Task Force.
FCIS: Financial Crime Investigation Service.
Currency: Currency which is legal tender in accordance with Applicable laws.
Immediate family members: Spouse, the person with whom partnership has been registered, parents, brothers, sisters, children, children’s spouses and persons with whom children have registered partnership.
KYC: Know your customer.
Law: Law on Prevention of Money Laundering and Terrorist Financing of the U.K.
Management Board: Management Board of the Company.
MLRO: Money Laundering Reporting Officer.
Monetary operation: Any payment, transfer or receipt of money.
Money laundering or ML:
- Conversion or transfer of Property, knowing that such Property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the Property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s action.
- Concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such Property is derived from criminal activity or from an act of participation in such an activity.
- Acquisition, possession or use of property, knowing, at the time of receipt, that such Property was derived from criminal activity or from an act of participation in such an activity.
- Participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred in Points above.
NRA: National Risk Assessment.
Policy: This Policy on AML/CTF.
Politically Exposed Person or PEP: Natural person who is (or has been) entrusted with Prominent public functions, and his/her Immediate family members or Close associates.
Prominent public functions: The following positions in the U.K., the European Union, international or foreign institutions:
- Head of state, head of the government, minister, vice-minister or a deputy minister, state secretary, chancellor of the parliament, government, or ministry.
- Members of the parliament.
- Member of Supreme Courts, of Constitutional Courts or of any other high-level judicial bodies whose decisions are not subject to appeal.
- Mayor of the municipality, municipality administration director.
- Member of the management body of the supreme state audit and control office or a chairperson, his/her deputy or a member of the board of the central bank.
- Ambassador, chargé d’affaires ad interim, Commander of Armed Forces, commanders of army forces and units, Chief of the Defence Staff, or a high-ranking officer in the armed forces of foreign states.
- A member of the management or supervisory body of a state-owned enterprise, public limited company or private limited company in which the shares, or part of the shares, carrying more than 1/2 of all votes at the general meeting of shareholders of these companies are owned by the state.
- Member of the management or supervisory body of a municipal undertaking, public limited liability company or private limited liability company in which the shares, or part of the shares, carrying more than 1/2 of the total votes at the general meeting of their shareholders are owned by the municipality and which are classified as large undertakings under the Law on Financial Reporting by Undertakings of the U.K.
- Head, deputy head, member of the management or supervisory body of an international intergovernmental organization.
- Head, deputy head, member of the management body of a political party.
Property: Items, money, securities, other financial instruments, other assets and property rights, results of intellectual activities, information, actions and results of the actions, other material and non-material goods, as well as any other assets of any kind, whether corporeal or incorporeal, movable or immovable, tangible or intangible, and legal documents or instruments in any form including electronic or digital, evidencing title to or an interest in such assets.
Sanctions: Restrictions on the rights of entities, with respect to which international sanctions are implemented to manage, use and dispose of cash, securities, goods, other assets and property rights; payment restrictions for entities with respect to which international sanctions are implemented; other restrictions on financial activities.
SAR: Suspicious Activity Report.
SDD or Simplified Due Diligence: Simplified due diligence.
STR: Suspicious Transaction Report.
Suspicious activity: Monetary operation or transaction related to the Property which is suspected to be directly or indirectly derived from criminal activity and/or from an act of participation in such an activity, and/or is suspected to be related to TF.
Target territory: Foreign country or area enrolled in the List of Target Territories by the Minister of Finance of the U.K, where taxes are very low or non-applicable at all, and where persons registered therein seek minimum tax obligations or avoidance thereof.
Terrorist financing or TF: Any act which constitutes an offence within the scope of Article 2 of the International Convention for the Suppression of the Financing of Terrorism of 9 December 1999, i.e.:
- Any person commits an offence within the meaning of this Convention if that person by any means, directly or indirectly, unlawfully and wilfully, provides or collects funds with the intention that they should be used or in the knowledge that they are to be used, in full or in part, in order to carry out:
(a) An act which constitutes an offence within the scope of and as defined in one of these treaties:
- Convention for the Suppression of Unlawful Seizure of Aircraft, done at The Hague on 16 December 1970.
- Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation, done at Montreal on 23 September 1971.
- Convention on the Prevention and Punishment of Crimes against Internationally Protected Persons, including Diplomatic Agents, adopted by the General Assembly of the United Nations on 14 December 1973.
- International Convention against the Taking of Hostages, adopted by the General Assembly of the United Nations on 17 December 1979.
- Convention on the Physical Protection of Nuclear Material, adopted at Vienna on 3 March 1980.
- Protocol for the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation, supplementary to the Convention for the Suppression of Unlawful Acts against the Safety of Civil Aviation, done at Montreal on 24 February 1988.
- Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation, done at Rome on 10 March 1988.
- Protocol for the Suppression of Unlawful Acts against the Safety of Fixed Platforms located on the Continental Shelf, done at Rome on 10 March 1988.
- International Convention for the Suppression of Terrorist Bombings, adopted by the General Assembly of the United Nations on 15 December 1997.
(b) Any other act intended to cause death or serious bodily injury to a civilian, or to any other person not taking an active part in the hostilities in a situation of armed conflict, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organization to do or to abstain from doing any act.
NB: For an act to constitute terrorist financing, it shall not be necessary that the funds were used to carry out an offence referred to above.
Third country: Any country other than a member state of the European Union.
Third party: A financial institution supervised by competent authorities, other obliged entity or a financial institution or other obliged entity registered in Third country that meet the following requirements:
- Are subject to mandatory professional registration established by laws.
- Are registered in a member state of the European Union or in a Third country which imposes requirements for the identification of Customers and Beneficial owners and protection of information equivalent to those laid down by the European Union and the compliance with those requirements is supervised by competent authorities.
Virtual currency exchange operator: A legal person who is established in the U.K or who is a branch, established in the U.K, of a legal person of a member state of the European Union or a foreign state and who provides services of virtual currency exchange, purchase and/or sale for remuneration.
Other terms which are not defined in this Policy shall have the meanings ascribed to them by the Law.
Where, in this Policy, values are expressed in any FIAT currency or specific Virtual currency, this shall, in all cases, include the equivalent of that value in any other FIAT currency or Virtual currency.
2. INTRODUCTION
2.1 OVERVIEW
The Policy sets out the procedure for the implementation of requirements of legal acts regulating the AML/CTF applicable to the activities of the Company. This Policy has been drawn up in accordance with Applicable laws and regulations in order to implement the requirements set forth in Article 29(1) of the Law.
In the event of discrepancies between the Policy and other applicable regulations, policies and internal procedures, the more comprehensive and restrictive provisions will prevail.
The Company is committed to conduct business operations in a transparent and open manner consistent with its regulatory obligations.
The Company is committed to prohibit and actively prevent ML and any activity that facilitates ML, the funding of terrorism, avoiding of applicable Sanctions and other criminal activities by complying with all applicable regulations.
The Company applies the risk-based approach. Application of the risk-based approach enables the Company to devote additional resources to higher risk areas and to apply risk management measures accordingly. The implementation of the risk-based approach is established in different parts of the Policy.
This Policy applies to employees of the Company, members of management bodies of the Company and other persons performing operational functions for the Company under outsourcing agreements and otherwise.
2.2 POLICY STATEMENT AND POLICY OVERVIEW
The Company is operating as Virtual currency exchange operator and Custodial wallet operator, therefore it is obliged to apply AML/CTF in its activities.
The Policy has been drawn up considering that Customers are natural persons and legal persons, with whom the Company enters into the Business relationships and who will use Company’s products and services to conclude various transactions with Virtual currency.
This Policy has been drawn up taking into account the fact that the Company provides its services via the internet and therefore identifies its Customers only remotely. The Company never identifies a Customer in the physical presence of the person.
Company’s business has unique risks and threats to ML/TF related to Virtual currencies that need to be identified and addressed. At the same time, activities of Virtual currency exchange operators and Custodial Wallet Operators are still weakly regulated, and the Company faces regulatory uncertainty while conducting its activities. These risks and threats are considered in this Policy.
The Company designed the Policy based on the Company’s individual risks, in order to provide a framework for effective compliance with AML/CTF regulations, and to communicate its clear commitment to a strong compliance and control culture. In particular, the Policy is designed to:
- Specify applicable regulations and key provisions.
- Confirm the appointment and responsibilities of the Management Board, the appointed member of the Management Board, the Director, MLRO and other staff members.
- Outline the potential risks and consequences for non-compliance.
- Outline the Company’s AML/CTF internal control.
- Specify remote identification procedure, due diligence, enhanced due diligence regulatory obligations.
- Outline risk assessment procedure and maintenance.
- Determine Sanctions compliance measures.
- Ensure appropriate transaction monitoring and knowledge of Suspicious Activity criteria.
- Ensure AML/CTF compliance training is provided to all staff members, as appropriate.
- Ensure periodic compliance quality assurance and review.
- Ensure regular reporting to the management of the Company and FCIS on the Company’s AML/CTF operations.
- Determine retention of logs and data.
2.3 RISK APPETITE
The Management Board is ultimately responsible for determining the Company’s ML/TF risk appetite and overseeing adequate and effective internal controls for the management of such risks.
Company acknowledges that criminals embrace the use of Virtual currencies because of their anonymity and security vulnerabilities, which allow them to cover themselves and move funds easily without geographic, transaction size restrictions, or legal ground. Additionally, Virtual currency exchange operators also may serve criminals as easy access to Fiat Currency.
To avoid any situations of Money laundering or Terrorist financing, the Company pays thorough attention to any activities that may be considered as Money laundering or Terrorist financing during Business relationships with Customers.
Company has no tolerance for financial crime, regulatory breaches, and any attempt to circumvent Company’s internal documents governing AML/CTF. To do so, the Company adheres to the following principles:
- To show zero tolerance for facilitation of financial crime, Money Laundering, Terrorism Financing, evasion of the Sanctions regime, and fraud.
- To show zero tolerance to any criminal activities that constitute predicate offences:
| PREDICATE OFFENCE | |
| --- | --- |
| Terrorism, including any offence set out in Directive (EU) 2017/541 of the European Parliament and of the Council | Trafficking in human beings and migrant smuggling, including any offence set out in Directive 2011/36/EU of the European Parliament and of the Council and Council Framework Decision 2002/946/JHA |
| Sexual exploitation, including any offence set out in Directive 2011/93/EU of the European Parliament and of the Council | Participation in an organised criminal group and racketeering |
| Illicit trafficking in narcotic drugs and psychotropic substances, including any offence set out in Council Framework Decision 2004/757/JHA | Corruption, including any offence set out in the Convention on the fight against corruption involving officials of the European Communities or officials of Member States of the European Union and in Council Framework Decision 2003/568/JHA |
| Counterfeiting and piracy of products | Murder, grievous bodily injury |
| Illicit arms trafficking | Illicit trafficking in stolen goods and other goods |
| Fraud, including any offence set out in Council Framework Decision 2001/413/JHA | Counterfeiting of currency, including any offence set out in Directive 2014/62/EU of the European Parliament and of the Council |
| Piracy | Forgery |
| Environmental crime, including any offence set out in Directive 2008/99/EC of the European Parliament and of the Council or in Directive 2009/123/EC of the European Parliament and of the Council | Cybercrime, including any offence set out in Directive 2013/40/EU of the European Parliament and of the Council |
| Kidnapping, illegal restraint and hostage-taking | Robbery or theft |
| Smuggling | Tax crimes relating to direct and indirect taxes, as laid down in national law |
| Extortion | |
Director of the Company approves the following lists:
- Prohibited (blacklisted) countries list.
- Prohibited persons list.
- Prohibited activities list.
Company will not engage in a Business Relationship with Customers meeting any criteria established in the lists above, as the Company takes the position that the ML/TF risk related to these persons cannot be effectively mitigated. In particular, the Company does not:
- Accept assets that are known or suspected to be the proceeds of criminal activity.
- Enter into/maintain Business Relationships with individuals or entities known or suspected to be a terrorist or a criminal organization or member of such or subject to Sanctions.
- Maintain anonymous relationships or relationships with shell banks.
- Enter into Business Relationships with Customers from prohibited countries.
- Enter into Business Relationships with persons operating in prohibited industries.
- Enter into Business Relationships with persons included in the prohibited persons list.
Company must refuse to provide services, or terminate an existing relationship, if the Company cannot form a reasonable belief that it knows the true identity of the Customer and/or Beneficial owner and/or the nature of business, or if formal requirements concerning the identification of the Customer and/or Beneficial owner are not met.
3. GOVERNANCE
The Company has not appointed a Supervisory Board.
The key bodies and employees of the Company in AML/CTF field are the Management Board, an appointed member of the Management Board, Director and MLRO.
3.1 MANAGEMENT BOARD FUNCTIONS AND RESPONSIBILITIES
The Management Board is responsible for setting, approving and overseeing the implementation of an adequate and effective internal governance and internal control framework to ensure compliance with applicable requirements in the context of the prevention of ML/TF.
The Management Board in its supervisory function performs the following AML/CTF tasks:
- overseeing the implementation of the AML/CTF policies and procedures and the extent to which these are adequate and effective in light of the ML/TF risks to which the Company is exposed and taking appropriate steps to ensure remedial measures are taken where necessary;
- review of periodic compliance reports, business-wide risk assessment, testing, monitoring reports and independent testing reports within the area of AML/CTF;
- assessing the effective functioning of the AML/CTF-related structural unit, at least once a year, by assessing, in particular, the adequacy of the human and technical resources allocated to the MLRO;
- overseeing the risk strategy, risk appetite and risk management framework of the Company;
- actively discussing compliance matters with the MLRO, and ensuring that any discussions, including plans, resolutions and/or updates are properly documented in the Management Board meeting minutes.
The Management Board in its supervisory function should possess adequate collective knowledge, skills and experience to be able to understand the ML/TF risks related to the Company’s activities and business model, including the knowledge of the national legal and regulatory framework relating to the prevention of ML/TF.
The Management Board has entrusted supervision of AML/CTF and compliance to the appointed member of the Management Board, to be responsible for organizing the implementation of AML/CTF measures in the Company.
The Management Board in its supervisory function ensures that the appointed member of the Management Board, responsible for organizing the implementation of ML/TF prevention measures:
- has adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks, and the implementation of AML/CTF policies, controls and procedures;
- has a good understanding of the Company’s business model and the sector in which the Company is operating, and the extent to which this business model exposes the Company to ML/TF risks;
- is informed in a timely manner of decisions that may affect the risks to which the Company is exposed.
The Management Board in its supervisory function has access to and takes into account data and information of sufficient detail and quality to enable it to discharge its AML/CTF functions effectively.
At a minimum, the Management Board in its supervisory function has timely and direct access to the activity report of the MLRO, the report of the internal audit function, the findings and observations of external auditors, where applicable, as well as the findings of the competent authority, relevant communications with the FCIS and supervisory measures or sanctions imposed.
The Company’s Management Board in its management function performs the following specific AML/CTF tasks:
- implements the organisational and operational structure necessary to discharge the AML/CTF strategy defined by the Management Board, paying particular attention to the adequacy of the human and technical resources allocated to the MLRO function, the need for a dedicated AML/CTF structural unit to assist the MLRO:
- ensuring that the position of MLRO is independent from business lines;
- establishing of committees when the need is identified and approving their work regulations;
- providing an appropriate level of human and technological resources to effectively maintain and enforce this Policy.
- Implements the internal AML/CTF policies and procedures:
- considering and approving AML/CTF Policies and Procedures, including policies and strategies on management of activities of the Company and risks related to its activities, as well as review of the said policies and strategies on a regular basis;
- oversight and effectiveness of the AML/CTF Policy;
- approves the MLRO’s activity report and ensures its completeness, seriousness, and accuracy including the annual independent testing of the AML/CTF framework, reports of special committees regarding internal controls (when such tasks are assigned to committees), and any AML/CTF issues escalated to the Management Board, including plans for corrective actions;
- approves Business-Wide Risk Assessment of AML/CTF, and AML/CTF risk strategy (risk appetite) including risk assessment factor guidelines;
- approving Annual MLRO Monitoring Plan;
- ensures adequate, timely and sufficiently detailed AML/CTF reporting to the competent authority (FCIS, etc.);
- approving the service providers to which the functions of AML/CTF systems and process are outsourced in line with the outsourcing written agreements and, if any, with Company’s outsourcing policy, and receiving regular reporting from the service providers;
- all members of the Management Board have clearly established areas of responsibilities within the Company. In addition to other areas, the Management Board selects one of its members as a controller of ML and TF risks management related to the Company and its activities (appointed member of the Management Board), who will also be responsible for management of matters related to possible conflicts of interest (e.g., for whistle-blowing procedure).
Both this Policy and its implementing documents may set out other specific functions and responsibilities for the Management Board.
3.2 THE FUNCTIONS AND RESPONSIBILITIES OF APPOINTED MEMBER OF THE MANAGEMENT BOARD
The appointed member of the Management Board performs the following AML/CTF tasks:
- organization of the implementation of AML/CTF measures specified in the Law;
- oversight and effectiveness of the AML/CTF Program – ensuring that the AML/CTF policies, procedures and internal control measures are adequate and proportionate, taking into account the characteristics of the Company and the ML/TF risks to which the Company is exposed;
- ensuring that the Management Board has taken the responsibility to implement the AML/CTF policies, procedures and internal control measures;
- ensuring MLRO position is independent of business lines;
- supporting the Management Board in assessing the need for a dedicated AML/CTF structural unit to assist the MLRO in carrying out his/her functions, taking into account the scale and complexity of the Company’s operations and exposure to the ML/TF risks;
- ensuring that the Management Board is provided with sufficiently comprehensive and timely information and data on ML/TF risks and AML/CTF compliance, which is necessary to allow the Management Board, be it in its supervisory function or in its management function, to carry out the role and functions entrusted to it;
- ensuring that there is periodical reporting to the Management Board on the activities carried out by the MLRO and that the Management Board receives information on the most relevant or significant communications and engagements between the Company and FCIS, without prejudice to the confidentiality of STRs/SARs, and any actions taken by the competent authority against the Company as well as with the competent authority when such engagement is related to ML/TF;
- making recommendations to the Management Board and, where these recommendations are approved by the Management Board, ensuring that adequate and necessary action is taken to remedy any AML/CTF issues or breaches identified and to report to the Management Board of the progress made in implementing the remedial action;
- ensuring that the MLRO (i) has direct access to all the information necessary to perform his tasks, (ii) has sufficient human and technical resources and tools to be able to adequately perform the tasks assigned to him/her, and (iii) is well-informed of the AML/CTF-related incidents brought to light by the internal control systems and of the shortcomings in implementing the AML/CTF provisions found by the national and foreign competent authorities.
The appointed member of the Management Board acts as main contact point for the MLRO within the Management Board. In addition, the appointed member of the Management Board must ensure that any AML/CTF concerns that the MLRO has raised are duly addressed and, where this is not possible, are duly considered by the management body. If senior management decides not to follow the advice of the MLRO, it should duly motivate and record its decision in the light of the risks raised by the MLRO.
In addition, the responsibilities of the appointed member of the Management Board will include the following:
- creating a culture of compliance within the organization to reaffirm that compliance is the responsibility of the Company employees;
- providing proposals regarding AML/CTF risk management measures, internal control measures, etc.;
- reviewing AML/CTF compliance reports and any AML/CTF issues escalated to the Management Board, including plans for corrective actions;
- reviewing the scope and results of regulatory examinations or correspondence relating to the Company’s AML/CTF Program and addressing any key issues resulting from such examinations or letters; and
- actively discussing compliance matters with the MLRO, and ensuring that any discussions, including plans, resolutions and/or updates are properly documented in the Management Board meeting minutes.
Both this Policy and its implementing documents may set out other specific functions and responsibilities for the appointed member of the Management Board.
3.3 DIRECTOR’S FUNCTIONS AND RESPONSIBILITIES
Director performs the following AML/CTF tasks:
- formation and implementation of a strong culture of AML/CTF compliance within the Company’s culture and values;
- review of periodic compliance reports, business-wide risk assessment, testing, monitoring reports and independent testing reports within the area of AML/CTF;
- monitoring corrective action on AML/CTF and resolving escalated issues;
- reviewing Business-wide AML/CTF compliance remediation plan;
- implement an overall risk management strategy and framework to ensure that AML/CTF compliance functions have sufficient authority and resources to perform their functions;
- ensuring that the Company has adequate resources (including human resources) for managing ML/TF risks, provide (or approve, where applicable) necessary access rights to internal control staff members that are needed to perform their duties (e.g., AML/CTF staff members must have all necessary access rights to systems, data and information);
- overseeing annual, or more frequent as necessary, independent control testing and review of the Policy and reporting results to the Management Board;
- ensuring that AML compliance goals are included in the performance objectives of key managers;
- issuing approvals to enter into or continue Business relationships in EDD cases.
Director is responsible for appointing the MLRO.
Both this Policy and its implementing documents may set out other specific functions and responsibilities for the Director.
3.4 MLRO’S FUNCTIONS AND RESPONSIBILITIES
MLRO is responsible for cooperation with FCIS, daily implementation of the Company’s AML/CTF Policy as well as control of systems which support and facilitate them and monitoring compliance of the Company’s activities with the legal requirements and standards of AML/CTF prevention. MLRO shall be responsible for the following tasks:
- development of risk assessment framework;
- drafting, implementation and maintenance of the Policy and its implementing documents;
- AML/CTF compliance monitoring;
- reporting to the Director and the Management Board, including the appointed member of the Management Board;
- reporting to the FCIS;
- AML/CTF trainings;
- ensuring that relevant staff-members of the Company and service providers receive AML/CTF training and that the Company maintains training and attendance records;
- reviewing any changes to AML/CTF-related laws, regulations, guidance, or regulatory expectations and ensuring that the Company implements processes to remain in full compliance with its AML/CTF obligations and regulatory expectations;
- providing guidance and direction to the Company’s Management Board and Director about the steps they need to take to execute the Policy in their areas of responsibility;
- provision of relevant independent information, analyses, and expert judgement on AML/CTF risk exposures, and advice on proposals and risk decisions made by business lines or internal units of the Company and informing the management of the Company as to whether they are consistent with the Company’s risk appetite and strategy;
- reviewing the AML/CTF implications of any new or changed products, services, initiatives, or distribution channels and advising the Management Board and Director on necessary steps to mitigate AML/CTF risk;
- recommendation of improvements to the AML/CTF risk management framework and corrective measures to remedy breaches of AML/CTF and risk policies, procedures, and limits;
- promptly alerting the Management Board and the Director about any material issues of AML/CTF non-compliance and instituting and monitoring corrective actions;
- managing regulatory relationships and the examination process in relation to AML/CTF;
- seeking outside legal counsel in relation to AML/CTF compliance issues, as appropriate;
- providing input into the performance of key staff in meeting AML/CTF compliance risk management goals;
- providing suspicious transaction reports (“STRs”) and suspicious activity reports (“SARs”) to FCIS and cooperating with the said institution.
All Company employees must cooperate and work with the MLRO and provide him/her with unrestricted access to any business records, IT systems, or locations to which he/she requests access for purposes of executing his/her duties. The Company will also provide the MLRO with advance notice of any new products or changes to existing products that may affect (or broaden) potential Company exposure to AML/CTF risk.
Both this Policy and its implementing documents may set out other specific functions and responsibilities for the MLRO.
3.5 OTHER STAFF MEMBERS’ FUNCTIONS AND RESPONSIBILITIES
The Company shall prepare specific instructions to other staff members of the Company who perform some of the functions referred to in the Policy and its implementing documents. These instructions shall be approved by the Director.
The Company’s employees must understand and be aware of this Policy and its implementing documents.
3.6 REMUNERATION
The remuneration system applied in the Company shall aim to attract, maintain and motivate staff members possessing the required skills and competences, promote solid performance results, trustworthy conduct, and effective risk management, including ML/TF risk management.
Remuneration system shall also encourage staff members to consistently adhere to the Company’s ethical principles and values in their work, and to act in line with the Company’s business and risk management strategy.
The remuneration system applied in the Company is in line with the long-term interests of the Company’s continuous operation, business strategy, goals and values, promotes reliable and effective risk management, including ML/TF risk management, helps prevent conflicts of interests, and makes sure that the remuneration paid does not provide any incentive to the staff members for excessive risk-taking.
Remuneration of the staff members consists of fixed remuneration and variable remuneration (if applicable). Fixed remuneration forms the main part of the remuneration of staff members; it is the specific base salary paid per month for work in a specific position and is set in the employment contract. Where variable remuneration is paid to the staff members, the Company should allocate the components of the remuneration to either fixed or variable remuneration. Where the clear allocation of a component to fixed remuneration is not possible, it should be considered as variable remuneration.
The Company pays its staff members fair remuneration in compliance with non-discrimination principles. The Company ensures that for the purposes of remuneration no employee is discriminated against on the grounds of gender, race, nationality, language, background, social status, age, sexual orientation, disability, ethnicity, membership in a political party or association, religion, faith, beliefs or opinions, intention to have a child (children), circumstances not related to the staff member’s professional characteristics and on other grounds established by Applicable laws.
3.7 COMMUNICATION. INTERNAL REPORTING
MLRO shall inform Director and the Management Board about communication with FCIS. Such information must be provided to the Director and the Management Board periodically but at least once a quarter. If communication with the FCIS has not been carried out during the relevant reporting period, appropriate confirmation shall be provided to the Director and the Management Board as well.
MLRO shall prepare in writing a report on the implementation of AML/CTF controls and submit it to the Director and the Management Board at least on an annual basis.
MLRO shall in writing prepare reports on ML/TF risk level of Customer’s portfolio and the monitoring of the Business relationships, including investigations of Monetary transactions and/or transactions carried out during the Business relationships and submit them to the Director at least once per three months.
MLRO shall also inform the Director and the Management Board on performance of its functions by submitting the report at least once per year. The report shall indicate at least the following:
- Statistical information about existing Customers’ portfolios (incl. amount of legal, natural persons, distribution by risk levels, number of new Customers, quantity of PEPs, etc.).
- Statistical information about executed Monetary operations or transactions.
- Description, analysis, efficiency and adequacy assessment of AML/CTF measures applied within the Company.
- Weaknesses of ML/TF prevention measures applied in the Company, suggestions for reduction of deficiencies.
- Proposals for the application of additional measures to reduce the ML/TF risk in the Company.
- Any other relevant information, including expected regulatory changes, related to the implementation of AML/CTF within the Company.
4. RISK MANAGEMENT
4.1 BUSINESS-WIDE RISK ASSESSMENT
The Company maintains a business-wide risk assessment addressing its vulnerability and exposure to ML/TF risk. The risk assessment is reviewed in the event of any material changes in the risk of the business or on an annual basis.
The business-wide risk assessment articulates the ML/TF risk appetite and sets out an assessment of the vulnerability to ML/TF risk, having regard to its organisational structure, Customers, jurisdiction with which Customers are connected, products and services and how those products and services are delivered.
In evaluating the level of risk, the Company weighs several factors, including the inherent and mitigated risks of the following:
- Customers.
- Products, services, transactional and delivery channels.
- Geographic locations.
Using the results of the business-wide risk assessment, the MLRO:
- Identifies the Company’s current overall ML/TF risk profile.
- Determines the adequacy and effectiveness of AML/CTF controls.
- Evaluates the adequacy and application of AML/CTF resources.
- Identifies the existence of any unmitigated and/or unacceptable ML/TF risk.
- Provides risk assessment factors for individual Customer risk assessment.
- Recommends and implements modifications to the Company’s activities, the AML/CTF compliance program (or the underlying procedures and processes).
The business-wide risk assessment will be reviewed, at least annually and in conjunction with changes to the business and the management information provided to the Management Board.
Any internal or external sources of data used when conducting business-wide risk assessment will be clearly referenced.
The Company shall evaluate the ML/TF risks related to the introduction of new services and products, application of new (developing) technologies in business. Such risk assessment shall be carried out before starting the provision of new services, offering of new products, planning to apply new (developing) technologies, and based on the conclusions of such an assessment, certain measures shall be chosen to mitigate and control the mentioned risks.
MLRO reports the results of the business-wide risk assessment to Director and the Management Board, including proposed enhancements to the Policy to mitigate any levels of excessive risk or control weaknesses identified, for review and approval.
4.2 INDIVIDUAL RISK ASSESSMENT
As required by the Applicable law, the Company shall consider the risk posed by each of its Customers by assessing risk with regard to various factors, such as products, delivery channels, activity of the Customer, etc. The information obtained from this assessment will be used to determine a risk rating for the Customer, which will be used to determine the level of CDD required.
Individual risk assessment is further detailed in this Policy.
5. IDENTIFICATION AND CDD
5.1 INTRODUCTION
The KYC principle is essential in AML/CTF. Knowing the Customers the Company is dealing with is an essential element for the Company to mitigate risks related to ML/TF. By obtaining and verifying information with relation to the Customers, the Company can protect itself from being used to conceal illegally-obtained funds or being used as a vehicle for TF purposes.
The Company needs to collect certain information in relation to Customers and verify that information against primary and/or secondary documents and/or sources. At all times when the identities of Customers and Beneficial owners are being established, the Company verifies the identity of the persons against documents, data, and information obtained from a reliable and independent source.
By these means the Company aims to form a reasonable belief as to the true identity of the Customer and retain some record of the process by which the Company sought to verify the identity. The Company must understand the business of the Customer to make sure that the Customer does not launder illicit funds through the Company and/or these funds will not be used for TF purposes.
If, during identification of the Customer, the Company has reason to believe that an ML/TF offence is taking place, and the further process of identification of the Customer or the Beneficial owner may raise the Customer’s suspicions that information about him may be transmitted to competent law enforcement authorities, the Company may discontinue the process of identifying the Customer or the Beneficial owner and may not provide its services to the Customer.
5.2 APPLICATION OF IDENTIFICATION AND CDD
The table below provides for specific circumstances when the CDD must be conducted.
| CUSTOMER TYPE | THRESHOLD | DETAILS |
| SITUATION: Business Relationship | ||
| Individual | N/A | • CDD must be applied regardless of the nature of the Business Relationship • Different levels of CDD may apply depending on the declared volume of the Business Relationship |
| Corporate | N/A | • CDD must be applied regardless of the nature of the Business Relationship • Different levels of CDD may apply depending on the declared volume of the Business Relationship |
| SITUATION: occasional transaction (exchange of Virtual currency or transaction with Virtual currency) | ||
| Individual | N/A | Company does not provide occasional transactions as a service for persons with whom Business Relationship is not established. |
| Corporate | N/A | Company does not provide occasional transactions as a service for persons with whom Business Relationship is not established. |
| SITUATION: doubts about the accuracy or authenticity of the identity data | ||
| Individual | N/A | Company shall in all cases carry out a CDD where there are doubts as to the correctness or authenticity of the Customer’s and UBO’s identity data previously obtained. |
| Corporate | N/A | Company shall in all cases carry out a CDD where there are doubts as to the correctness or authenticity of the Customer’s and UBO’s identity data previously obtained. |
| SITUATION: doubts about the accuracy or authenticity of the identity data | ||
| Individual | N/A | Company shall carry out a CDD in any other case where it suspects that ML/TF offences have been, are being or will be committed. |
| Corporate | N/A | Company shall carry out a CDD in any other case where it suspects that ML/TF offences have been, are being or will be committed. |
Whenever the Customer’s identity is established, the Company shall take appropriate, targeted, and proportionate measures to determine whether the Customer acts on his/her own behalf or is controlled, and to identify the Beneficial owner and, where the Customer acts through a representative, also identify that person.
The Company shall, at the time of the identification of the Customer and Beneficial owner, require them to provide documents and other data on the basis of which the Company would understand the ownership, control structure and the nature of activities of the Customer which is a legal person.
The Company shall obtain from the Customer information about the purpose and intended nature of the Customer’s Business relationships.
During the identification of the Customer, Company’s responsible employee shall check whether there are circumstances for the application of the EDD.
Where required under the applicable laws, the Customer is obliged to provide the Company with notarized scanned copies of the above-mentioned documents and, where necessary, with the mark “Apostille” or legalised in other ways that confirm the authenticity thereof. Where required, translations of the documents into English shall be provided.
5.3 IDENTITY INFORMATION
When conducting CDD, in the case of natural persons, an identity document of the U.K or a foreign state or a residence permit must be collected, and it must contain the following data confirming the person’s identity:
- Name/names.
- Surname/surnames.
- Personal number (in the case of a foreigner – date of birth (where available – personal number or any other unique sequence of symbols granted to that person, intended for personal identification), the number and period of validity of the residence permit and the place and date of its issuance (applicable to foreigners)).
- Photograph.
- Signature (except for the cases where it is optional in the identity document).
- Citizenship (in the case of a stateless person – the state which issued the identity document).
When conducting CDD, in case of legal person, the Company shall require the Customer to provide the identity documents or copies thereof with a notarial certificate, confirming the authenticity of the copy of the document, which contain the following data:
- Name.
- Legal form, registered office/address, address of actual operation.
- Registration number (if such number has been issued).
- An extract of registration and its date of issuance.
The identity of the representative of the legal person shall be established in the same manner as the identity of the Customer that is a natural person. The Customer must provide information about the director of the legal person: his name, surname, personal number (in the case of an alien – date of birth (where available – personal number or any other unique sequence of symbols granted to that person, intended for personal identification)), his citizenship (in the case of a stateless person – the state which issued the identity document).
5.4 REMOTE IDENTIFICATION
The Company identifies the Customers and Beneficial owner(s) only without the physical presence of the Customer. The identification is performed using electronic means allowing direct image or direct video streaming, whereby the facial image of the Customer and the original of the identity document of the U.K or a foreign state or a residence permit shown by the Customer are recorded at the time of direct image or video streaming.
The data submitted by the Customer shall be validated using electronic identification means issued in the European Union which operate under the electronic identification schemes with the assurance levels high or substantial, or with a qualified electronic signature supported by a qualified certificate for electronic signature which conforms to the requirements of Regulation (EU) No 910/2014, or using electronic means allowing direct video streaming, or with a signature in a written document.
5.5 IDENTIFICATION OF THE CUSTOMER (NATURAL PERSON)
When establishing the identity of the Customer (natural person), the Company requires the Customer to fill in the Natural Person’s Questionnaire and perform the remote identification procedure as described in the Policy.
When the Customer (natural person) is represented by another natural person, the identity of this representative shall be established in the same way as the Customer.
5.6 IDENTIFICATION OF THE CUSTOMER (LEGAL PERSON)
The Company, when establishing the identity of the Customer (legal person), requires the following:
- To identify representative of the Customer (legal person) and perform the remote identification procedure as described in the same manner as the identification of the Customer (natural person).
- To fill in the Legal Person’s Questionnaire, including:
(a) Where the representative (natural person) is not the director of the Customer, the representative (natural person) of the Customer (legal person) shall:
- Provide information about the director of the Customer (legal person), i.e., name, surname, personal number (in the case of a foreigner – date of birth (where available – personal number or any other unique sequence of symbols granted to that person, intended for personal identification), the number and period of validity of the residence permit in the U.K and the place and date of its issuance (applicable to aliens)), citizenship (in the case of a stateless person – the state which issued the identity document).
- Submit a power of attorney which allows him/her to represent the Customer (legal person). The Company shall check the validity of the submitted power of attorney (i.e., the right of the issuer to issue such a power of attorney, expiry date of the power of attorney, powers granted under such a power of attorney). The power of attorney must meet the requirements laid down in the Civil Code of the U.K.
- Provide Beneficial owners’ information as per this Policy.
- Provide the identity documents or copies thereof with a notarial certificate, confirming the authenticity of the copy of the document, which contain the following data: (i) name; (ii) legal form, registered office/address, address of actual operation; (iii) registration number (if such number has been issued); (iv) an extract of registration and its date of issuance.
When identifying the Customers that are trusts or entities similar to trusts, the Company shall establish and verify the identity of the Beneficial owners, obtaining information concerning the settlor, trustee/trustees, protector/protectors, Beneficial owner(s) and other natural persons exercising control over the management of the trust or the entities similar to the trust (holding a certain ownership interest or controlling in any other way).
5.7 IDENTIFICATION OF THE BENEFICIAL OWNER
When identifying the Customer, in all cases it is obligatory to establish the identity of the Beneficial owner(s). In all cases the identification of the Beneficial owner shall mean the identification of a natural person or group of natural persons.
Company shall ask the Customer to provide the following identification data of the Beneficial owner(s):
- Name/names.
- Surname/surnames.
- Personal number (in the case of foreigner – date of birth (where available – personal number or any other unique sequence of symbols granted to that person, intended for personal identification), the number and period of validity of the residence permit in the U.K and the place and date of its issuance).
- Citizenship (in the case of a stateless person – the state which issued the identity document).
Where the Beneficial owner is senior manager of the Customer, Company must verify the identity of the senior manager and keep records of the difficulties encountered in the process, if any.
In all cases when the Customer and Beneficial owner must be identified, the Company must verify the identity of the Customer and Beneficial owner based on the documents, data or information obtained from a reliable and independent source. Such actions of the Company shall include a request for the Customer himself to indicate public sources which could validate the information about the Beneficial owner.
Reliable and independent sources may be official documents with a personal photograph and/or relevant registration number, which cannot be copied or forged easily (such as a passport, personal ID card, registration certificate of a legal person, extract from the Register of Legal Entities, notarized copies of documents, etc.), indicating the Customer’s name(s), surname(s), personal number (in the case of a foreigner – date of birth), personal photograph and/or signature, citizenship (in the case of a stateless person – the state which issued the identity document) (with respect to natural persons) or name, legal form, registered office, address of actual operations, registration number, number of the registration certificate, extract from the registration certificate and its date of issuance (with respect to legal persons), publicly available information and data bases.
Company has a right to use public information systems and registers, which store data on participants in legal entities, in order to establish the identity of the Beneficial owner.
5.8 INDIVIDUAL RISK ASSESSMENT
Assessment of risk of the Customer both before entering into Business relationships and when updating the Customer’s data will be carried out by the MLRO. A decision on acceptability of the Customer to the Company will be taken only after assessment of the Customer’s risk.
The Company evaluates the individual Customer’s risk based on the business-wide risk assessment results to determine to what Money laundering, Terrorist financing, or Sanction risk the Company is exposed.
When identifying ML/TF and Sanction risks, the Company assesses the following risk factors:
- Customer risk.
- Product, service and delivery channel risk.
- Transaction risk.
- Geography risk.
MLRO uses the information about the Customer or information provided by the Customer or his representative or any other information system used by the Company and verifies such information. After information, data and document assessment and verification, the MLRO will carry out the individual assessment of risk of the Customer and attribute the Customer to low, medium, high or prohibited risk.
The Customer’s risk profile shall be regularly reviewed when updating information about the Customer and Beneficial owner and conducting the monitoring of the Business relationships. Where the information submitted by the Customer or significant circumstances concerning the changes of Customer data or any new information about the Customer is obtained, the MLRO shall assess the risks repeatedly in the light of the new occurring circumstances.
5.9 IDENTIFICATION OF POLITICALLY EXPOSED PERSONS
PEP status itself does not incriminate the Customer. It does however put the Customer, or a Beneficial owner, into a higher risk category. They present a higher risk of financial crime, such as bribery and corruption, due to their access to and/or influence over public decision making processes (including funding and procurement of contracts).
The risk of handling the proceeds of corruption, or becoming involved in an arrangement that is designed to facilitate corruption, is generally increased where a PEP is involved. Where the PEP also has connections to countries or business sectors where corruption is widespread, the risk is further increased. Corrupt persons also tend to abuse third party connections to shield the proceeds of corrupt activities from enquiry. Close family members and Close associates are most vulnerable to influence in this context and may be used to assist, knowingly or otherwise.
Due to their inherent risk exposure, entities and arrangements that have a PEP or PEPs associations must always be researched thoroughly prior to on-boarding, have EDD applied to them and then continually monitored and scrutinised with enhanced monitoring, such as source of wealth (SOW) and source of funds (SOF) information being obtained and substantiated on an ongoing basis.
When conducting CDD, the Company must determine whether a Customer relationship involves a Politically Exposed Person.
If the Customer itself, his representative, a director, or a Beneficial owner is a PEP, the Customer will be subject to EDD, which means application of more extensive CDD measures.
To determine if the Customer is a PEP, questions with relation to the status of a PEP are included in the CDD questionnaires. The Company verifies information provided by the Customer by screening all names indicated in the KYC forms through credible sources of commercially or publicly available information.
PEPs do not automatically lose “high risk” status if they are no longer holding Prominent Public Functions. They remain “high risk”, requiring EDD, for at least one year; after that, the Company shall apply a risk-based approach to determine whether a former PEP should still be classified as high risk.
When deciding whether a person is a Close Associate of a PEP, the Company need only have regard to any information which is in their possession, or which is publicly known.
5.10 ENHANCED DUE DILIGENCE
Where the ML/TF risks are higher, the Customer will be subject to Enhanced Due Diligence measures, consistent with the risks identified. Enhanced Due Diligence shall be conducted through application of additional Customer and Beneficial Owner identification measures.
The Company shall pay particular attention to any ML/TF risk that may arise from any type of products, other results of human work, use of services rendered or transactions carried out where it is sought to conceal the identity of the Customer or the Beneficial owner (there is a tendency to favour anonymity), as well as from any Business relationship or transactions with the Customer whose identity has not been established in his physical presence and, if needed, immediately take measures to prevent the use of Property for the purpose of ML/TF.
Enhanced due diligence shall be carried out under the following circumstances:
- Where cross-border corresponding relationships are started with Third-country financial institutions.
- In the case of performance of transactions or Business relationships with PEP.
- Where transactions or Business relationships are carried out with natural persons residing or legal persons established in high-risk Third countries as identified by the European Commission.
- Where transactions or Business relationships are carried out with natural persons residing or legal persons established in high-risk Third countries determined according to the lists of jurisdictions with strategic deficiencies in their frameworks to combat ML/TF published by the FATF.
- Where higher ML/TF risk is identified based on the risk assessment and management procedures established by the Company.
EDD measures shall not be obligatory in respect of branches or majority-owned subsidiaries of financial institutions or other obliged entities established in the European Union which are located in high-risk Third countries as identified by the European Commission, where those branches or majority-owned subsidiaries comply with the group-wide requirements equivalent to those established by the Law if the Company upon the assessment of risk establishes and may prove that the risk is mitigated and is not considered as high.
EDD measures may include, but are not limited to:
- Verifying source of funds and source of wealth of the Customer.
- Screening all high risk Customers and their associated parties for adverse media.
- Obtaining and assessing additional information on the purpose and intended nature of the relationship to understand why the Customer is establishing relationship with the Company.
- Requiring additional documents for verification of identity.
- Obtaining and assessing information for unusually high/frequent transactions.
- Reviewing funding sources used for conducting transactions.
The following Chapters of the Policy outline specific EDD measures applicable under specific circumstances.
5.10.1 Application of EDD to PEPs
The Company applies at least the following EDD measures to PEPs:
- Identify and have in place internal procedures to determine whether the Customer and the Beneficial owner are PEPs.
- Obtain approval from the Director for establishing Business relationships with such Customers or continuing the Business relationships with the Customers when they become PEPs.
- Take adequate measures to establish the source of wealth and source of funds that are involved in the Business relationships or transaction.
- Perform enhanced ongoing monitoring of the Business relationships with PEPs.
Where a PEP is no longer entrusted with a Prominent public function, Company must, within at least 12 months, take into account the continuing risk posed by that person and apply enhanced Customer due diligence until such time as that person is deemed to pose no further risk specific to PEPs.
5.10.2 Application of EDD for persons from high-risk Third countries as identified by the EC
Where transactions or Business relationships are carried out with natural persons residing or legal persons established in high-risk Third countries as identified by the European Commission, the Company applies at least the following EDD measures:
- Obtaining additional information on the Customer and on the Beneficial owner.
- Obtaining additional information on the intended nature of the Business relationship.
- Obtaining information on the source of funds and source of wealth of the Customer and of the Beneficial owner.
- Obtaining information on the reasons for the intended or performed transactions.
- Obtaining the approval of the Director for establishing Business relationships with these Customers or continuing Business relationships with them.
- Conducting enhanced monitoring of the Business relationship with these Customers by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.
- Ensuring that the first payment be carried out through an account in the Customer’s name with a credit institution, payment or electronic money institution, where the credit institution, payment or electronic money institution is registered in a Member State of the European Union or in a Third country which imposes requirements equivalent to those laid down in the Law and is supervised by competent authorities for compliance with those requirements.
5.10.3 Application of EDD for persons from high-risk Third countries as identified by FATF
Where transactions or Business relationships are carried out with natural persons residing or legal persons established in high-risk Third countries determined according to the lists of jurisdictions with strategic deficiencies in their frameworks to combat ML/TF published by the FATF, the Company applies at least the following EDD measures:
- Obtain approval from the Director for establishing Business relationships with such Customers or continuing Business relationships with these Customers.
- Take adequate measures to establish the Source of Wealth and Source of Funds that are involved in the Business relationship or transaction.
- Perform enhanced ongoing monitoring of the Business relationship with such Customers.
5.10.4 Application of EDD in higher risk situations
Where higher ML/TF risk is identified based on the risk assessment and management procedures established by the Company, the Company applies at least the following EDD measures:
- Obtain approval from the Director for establishing Business relationships with such Customers or continuing Business relationships with these Customers.
- Take adequate measures to establish the source of wealth and source of funds that are involved in the Business relationship or transaction.
- Perform enhanced ongoing monitoring of the Business relationship with such Customers.
5.11 SIMPLIFIED DUE DILIGENCE
The Company chose not to apply simplified CDD in its activities due to the higher-risk nature of its activities.
5.12 UPDATE OF CDD INFORMATION
The records and data on the identity of the Customer and the Beneficial Owner must be regularly reviewed and kept up-to-date. The Company makes sure that it relies only on up-to-date CDD information.
The Company needs to update the CDD information once in a while as the CDD information obtained by the Company may expire or become outdated. Also, certain other circumstances may trigger doubts whether information currently possessed by the Company is valid. Finally, the Company may become aware that the CDD information has changed (e.g. the new director of the corporate entity contacts the Company).
The Company shall apply the measures of the Customer and Beneficial owner(s) identification not only in respect of new, but also in respect of the existing Customers, considering the level of risk, upon the emergence of new circumstances or appearance of new information related to the setting of the level of risk posed by the Customer or Beneficial owner(s), their identity information, activities and other relevant circumstances.
Reasonable measures will be taken to keep Customer identification information, including beneficial ownership and business relationship information, up to date. The update requirements are established on a risk-sensitive basis. CDD information of the riskier Customers is updated more often than that of Customers exposing the Company to lower risk.
Information about the Customer must be updated as follows:
- Information about the Customers from the high risk group must be updated periodically and no less than once every 6 months.
- Information about the Customers from the medium risk group must be updated periodically and no less than once every 12 months.
- Information about the Customers from the low risk group must be updated periodically and no less than once every 24 months.
When triggers including, but not limited to, the following occur, the MLRO shall also take actions to review and update information on the Customer and Beneficial owner(s):
- Customer acts unusually or performs Suspicious Activity.
- Customer or his Immediate family members or Close associates are newly identified as PEPs.
- Requests from the competent authorities are received.
- When there is a concern arising from the outcome of the internal investigation.
When the identity of the Customer has to be re-established, the Company has a right to obtain documents, data or information required for the identification of the Customer or Customer’s Beneficial owner(s) directly from the state informational systems or registers. The Customer has to confirm such data with his signature according to the Law.
Measures to keep Customer identification information up to date include asking the Customer to provide information to confirm or update CDD information and verifying a paper or electronic record.
6. SANCTIONS POLICY
The MLRO will be responsible for regular updating of the list of entities concerning whom Sanctions are applied or for the selection of the appropriate third party suppliers who provide services of updating the lists of consolidated international financial sanctions and for the control over the quality of their services, for the submission of reports to the FCIS and other authorities responsible for the supervision of the implementation of Sanctions.
The Company, both before entering a Business relationship with a Customer and in the course of ongoing Business relationships, checks whether the Customer, representative and the Beneficial owner are not persons subject to Sanctions and restrictive measures. Automated and/or manual verification of Customer data against Sanctions will be carried out prior to establishing the Business relationship with a potential Customer, and on an ongoing basis (ongoing screening):
- During the identification procedure of the Customer, representative and Beneficial owner.
- Every time a Customer performs transactions through the Company.
- Upon changes in Customer’s data.
- When the Customer orders additional/new services.
- Periodically and on the defined screening time sets.
The Company, in the course of Business relationships with a Customer, checks whether the Customer does not execute transactions with persons subject to Sanctions and restrictive measures.
The Company must:
- Enforce Sanctions and carry out the actions established by resolutions of the Government of the U.K on the implementation of international Sanctions and regulations of the European Union on international sanctions and exemptions from their implementation.
- Check whether the Company’s Customer, representative or the Beneficial owner are not included in the following lists:
  - List of entities and their groups subject to sanctions established by resolutions of the United Nations Security Council against terrorism (United Nations Security Council’s Resolution 1267(1999) as amended).
  - List of financial sanctions of the European Union (the updated consolidated list is also published on the official websites of the United Nations Organization and of the European Commission).
  - Lists of financial sanctions published by the Office of Foreign Assets Control of the U.S. Treasury Department and/or of the U.K and shall apply measures provided in this Policy to such entities (including entities of the European Union indicated in the Common Position 2001/931/CFSP, as amended).
- Pay special attention to the entities from countries included in the lists of non-cooperative countries and territories compiled by the FATF and the European Commission, as well as monetary operations or transactions carried out by them or for their benefit; the MLRO will periodically update the list of non-cooperative countries and notify the Responsible Employees of the updated list.
- Restrict the right of entities included in the aforementioned lists of international financial sanctions to manage, use and dispose of the funds held by the Company, except for the implementation of derogations (for humanitarian purposes, provisioning of peacekeeping missions and other special cases) provided for in the decisions of international organizations establishing financial sanctions and/or legal acts of the European Union.
- Immediately terminate or suspend the fulfilment of obligations arising before the establishment of implementation of Sanctions in the U.K for the period of implementation of Sanctions.
- Immediately unilaterally or on agreement of the parties terminate transactions concluded before the establishment of implementation of Sanctions in the U.K or suspend their execution for the period of implementation of Sanctions.
- In the case of suspension of the disposal of accounts of entities in respect of which Sanctions are implemented, report this within two (2) business days to the FCIS and to the Ministry of Foreign Affairs U.K („Foreign Affairs“); the reporting in the Company’s name will be carried out by the MLRO.
- Provide to the FCIS the information on the implementation of financial sanctions and all data required for supervision purposes; communication with the FCIS on these matters will be carried out by the MLRO.
The Company’s staff members and Customers will be prohibited from:
- Carrying out any actions which are prohibited by the Sanctions being implemented in the U.K.
- Concluding transactions, the execution of which would be in conflict with the Sanctions being implemented in the U.K.
- Assuming new obligations the discharge of which would be in conflict with the Sanctions being implemented in the U.K.
Where decisions of international organizations that have established Sanctions and/or European Union legislation, except for regulations, provide for derogations regarding their implementation for humanitarian purposes, provisioning of peacekeeping missions and other special cases, the Company will have the right to carry out the actions specified in them in observance of resolutions of the Government of the U.K regulating the implementation of derogations from sanctions in the U.K. In any case, prior to carrying out such actions, a written conclusion of the MLRO should be obtained regarding the compliance of such actions with the derogations and with the regime of Sanctions.
7. TRANSACTION MONITORING
After entry into Business relationship with the Customer, in all cases the ongoing monitoring of Business relationships of the Customer must be carried out, including the investigation of transactions and monetary operations in order to ensure that transactions and monetary operations being carried out correspond to the information available to the Company about the Customer, his business, risk type and source of funds and are free from any indications of suspiciousness.
The Company carries out the real-time (ex-ante) and retrospective monitoring (ex-post) of Business relationships and monetary operations using information systems, selecting monitoring scenarios according to the monitoring type, the Customer’s risk, and the Company’s risk assessment results.
Ex-ante and ex-post transaction monitoring addresses aspects of ML, TF and Sanctions scenarios.
The Company’s staff members must continuously monitor the Customer’s transactions in order to identify unusual operations or activities. Unusual indications may be related to the transaction amount which is incompatible with the Customer’s financial position or former known activities, the Customer’s knowledge or experience, unusual type of the transaction which is different from other types of activities or similar usual activities of the Customer, the complex structure of the transaction compared to the same transactions carried out by Customers of the same profile or in the market; the main indication of suspiciousness will be the absence of an obvious logical legal or economic explanation for such unusual transactions.
The Company will also control monetary operations as regards possible breaches of international sanctions. Those controls will be carried out by automatically checking the details of the parties to the incoming and outgoing operations (details of the payer, payer’s bank, payee) in consolidated lists or databases of persons subject to sanctions. The compliance with sanctions will also be monitored when the MLRO, who investigates the unusual transaction or monetary operation, verifies it in the consolidated database of persons subject to sanctions to verify the parties to the transaction or monetary operation.
The Company will regularly review and back-test (“back testing”) measures in order to evaluate their efficiency.
Each alert or flagged situation, irrespective of ex ante and ex post monitoring measures and situation, which matches suspicious activity and transaction criteria, will be reviewed by the MLRO and documented accordingly. Documented reviews and analysis will be stored securely and provided to FCIS and/or other authorities upon their request.
When the Company identifies that due to the activity of the Customer an internal investigation must be carried out, the results of the internal investigation must be documented, indicating the trail of investigation, information, and basis on which the decision was taken. The following decisions might be taken:
- Decision to terminate internal investigation.
- Decision to extend the internal investigation.
- Decision to submit a SAR and report to FCIS.
The MLRO is responsible for organizing and implementing monitoring measures and the internal investigation process.
The Company maintains transaction limits on certain services in order to mitigate ML/TF risks. The MLRO will review the various transaction limits periodically to determine if adjustments are needed to address risk exposure. The MLRO may, at his discretion, recommend changes to transaction limits at any time, and inform the Director and the Management Board about the changes.
8. EXIT POLICY
If the Customer avoids or refuses to provide additional information to the Company at its request and within the requested time limits, the Company shall refuse performing Monetary operations or transactions, terminate transactions or Business relationships with the Customer and/or report the Customer to FCIS. It is prohibited for the Company to perform transactions through the bank accounts, establish or continue Business relationships, perform transactions when it has no possibilities to meet the requirements set forth in this chapter: if the Customer fails to submit data that verify his identity in the cases referred to in the Procedure, if the Customer fails to submit all data or such data is false, if the Customer or his representative avoids providing information necessary to identify him, conceals the identity of the Beneficial owner or avoids submitting information necessary to establish the identity of the Beneficial owner or the submitted documents are not sufficient for that purpose. In these cases the Company shall assess the ML/TF risk posed and decide on the necessity to report about a Suspicious Activity to FCIS.
If during the identification procedure of the Customer the Company suspects the existence of ML/TF activities and further identification procedure of the Customer and of the Beneficial owner may raise suspicion to the Customer that information about him might be transmitted to the competent law enforcement authorities, the Company may refuse continuing the identification procedure of the Customer and Beneficial owner and starting Business relationships with the Customer. In these cases information shall be submitted to FCIS.
9. TRAINING
The Company is required to ensure continuous training of staff members whose functions are related to AML/CTF to ensure their adequate knowledge considering the activities of the Company and the ML/TF risks the Company is exposed to.
In line with the Applicable law, the Company trains its staff members.
The training will take into account the expected skills of the staff concerned, the nature of the transactions and their means of delivery.
The Company shall take appropriate measures that its relevant staff members know the applicable provisions of the Policy. These measures shall cover the participation of the Director, MLRO and other relevant staff members in the special continuous training programmes that aim to teach them how to identify the actions that might be related to ML/TF and instruct them how to act in such cases.
Training shall be conducted by means of internal trainings, external trainings and publicly available courses and materials.
Training will be delivered via appropriate media to relevant staff, broadly comprising the following elements:
• Requirements for the identification procedures, reporting to FCIS, keeping of registers and sanctions for the non-compliance with such requirements.
• Procedures for making the staff members familiar with their responsibilities for the implementation of the Policy and its implementing documents.
• Procedures for making the staff members, who have a contact with the Customers, deal with the execution of Monetary operations or transactions, identification procedure, reporting to FCIS, keeping of registers.
• Procedures for making the staff members familiar with tipping-off restrictions.
The MLRO will keep up-to-date with legislative changes and industry standards, and guidance, in order to guide and develop appropriate training for relevant staff.
The MLRO receives external training and is required to evidence his further professional development.
The frequency of the training will be determined on a risk-based approach, with those who may be at greatest risk from handling Suspicious Activity, or who need to be kept up-to-date with changing vulnerabilities and trends, receiving training at more frequent intervals. The Company ensures that all relevant staff members receive training on at least an annual basis or within 30 days of joining the Company. The frequency of training provided to each staff member is determined by the MLRO with reference to the staff member’s role. Refresher training is repeated at appropriate intervals.
The Company ensures that its new staff members who will have to apply the Policy in the course of the performance of their job functions get familiar with the requirements set forth in the Policy and its implementing documents prior to starting the performance of their job functions (at least to the extent it is necessary for the proper performance of the specific job functions of the staff member).
MLRO shall review and update the training materials on a regular basis in order to ensure the relevance of information and requirements. After the update, it shall be decided whether or not to inform the staff members thereof, including the manner of such information (in some cases it might be enough to inform the staff members by general email, but after greater/more significant updates, it might be necessary to organize a separate training programme).
Where applicable, provision for training should be made in the contractual arrangements between the Company, the service provider and other relevant third-parties.
The Company shall compile information about all trainings carried out with regards to AML/CTF, including the date, materials of such trainings, staff members who participated in the trainings, tests (if applicable). A training log will be maintained to record the attendance of each staff member. Records relating to training are kept in accordance with retention of records policy.
10. REPORTING TO FCIS
The Company is obliged to take steps to detect Suspicious Activity and submit SARs to the FCIS. This Chapter outlines the Company’s policy on the processes that the Company must conduct in order to implement the AML/CTF reporting obligations.
10.1 REPORTABLE ACTIVITY
The Company is required to report to the FCIS the following:
| EVENT | NOTES | DEADLINE |
|---|---|---|
| Virtual currency exchange operations or transactions in Virtual currency, if value amounts to EUR 15 000 or more | To report Customer identity data and information concerning transaction. One-off or several linked transactions to be reported. Several linked transactions shall mean several daily Virtual currency exchange operations or transactions in Virtual currency when the total value of operations and transactions in funds amounts to EUR 15 000 or more. | Immediately, not later than within 7 business days from the day the transaction was carried out |
| Knowledge or suspicion of suspicious Property | To report if the Company knows or suspects that Property of any value is, directly or indirectly, derived from a criminal act or from involvement in such an act. To report if the Company knows or suspects that Property of any value is used to support one or several terrorists or a terrorist organisation. | Immediately, not later than within 1 business day from emergence of knowledge or suspicion |
| Foreseen Suspicious Activity | Having obtained information that the Customer is planning or will attempt to carry out a Suspicious Activity, the Company shall report this to FCIS immediately. If the aforementioned actions are carried out, a Suspicious Activity must be suspended. | Immediately |
| Suspicious Activity | Having found out that its Customer carries out a Suspicious Activity, the Company shall suspend that Monetary operation or transaction. Suspension may not be applied in cases where it is objectively impossible to suspend it due to the nature of the Monetary operation or transaction, the manner of execution thereof or other circumstances. The obligation is to be valid regardless of the value of the Monetary operation or transaction. | Not later than within three business hours from the suspension of the Monetary operation or transaction |
10.2 FCIS INSTRUCTION TO SUSPEND SUSPICIOUS ACTIVITY
If the Company receives a written or oral instruction from FCIS to suspend the Suspicious Activity carried out by the Customer, the Company shall suspend these operations or transactions from the time specified therein or emergence of specific circumstances for 10 business days.
FCIS actions upon the receipt of a report of a Suspicious operation or transaction:
• If the suspension of a Monetary operation or transaction might impede the investigation into the legalization of money or Property derived from criminal activities, TF and other criminal acts related to ML/TF, FCIS shall inform the Company thereof.
• Having received a written or oral report from FCIS that the suspension of a Monetary operation or transaction might impede the investigation into the legalization of money or Property derived from criminal activities, TF and other criminal acts related to ML/TF, the Company should not suspend the Customer’s Suspicious Activity and it shall resume the suspended Suspicious Activity as of the moment of receiving a written report or as of the moment stated therein.
• FCIS shall carry out the actions necessary to substantiate or deny the suspicion of the alleged criminal acts which the Customer is carrying out or carried out within ten business days as of the receipt of information.
• FCIS shall carry out the actions necessary to substantiate or deny the suspicion of the alleged criminal acts which the Customer is carrying out or carried out.
• The Company shall submit to FCIS the requested information within one business day as of the receipt of a request from the FCIS in writing.
• If at the moment of reporting Suspicious Activity the Company does not submit all data required by the Policy to FCIS or the data submitted is incomplete, FCIS may request to submit information again. These requests of FCIS must be carried out immediately.
• If FCIS substantiates the legal nature of the funds or Property or denies the suspicion of the possible links with TF, it shall immediately report to the Company that Monetary operations or transactions may be resumed.
• If the Company is not obliged to restrict the right of ownership on a temporary basis in accordance with the procedure set forth by the Code of Criminal Procedure of the U.K within ten business days as of the submission of a report or receipt of instructions, a Monetary operation or transaction shall be resumed.
10.3 REPORTING TO FCIS
The reports referred to in this Chapter of the Policy shall be provided via the FCIS information system by completing a relevant reporting form, considering the recommendations for completing such reporting forms.
If there is no possibility to submit the SAR by way of connecting to the information system, or where this is impossible due to technical reasons, as well as in emergency cases, the SAR may be submitted via phone, fax or e-mail.
10.4 RECORDS
All SARs/STRs, notifications regarding sanctions submitted to the FCIS shall be recorded in the logs maintained by the Company. The Company shall also record internal SARs, Investigations regardless of whether the internal SAR was later converted to the external SAR (i.e. submitted to the FCIS). Should after the internal investigation the MLRO decide to complete the investigation without making the external SAR, the decision must be substantiated and recorded accordingly.
All internal and external SARs must be recorded with the supporting information to evidence the investigation process.
11. TIPPING OFF
Tipping off is letting the Customer know that they are, or might be, the subject of a suspicion. It is forbidden to tip off the Customer who is the subject of a suspicion, to ensure that nothing is done which might hamper an investigation. If a criminal is tipped off, they are often able to hide their tracks and disappear before the appropriate investigations can be conducted. The AML/CTF would be undermined if criminals were alerted by the staff members of the Company as soon as a suspicion arose.
Tipping off could occur at the stage of initial contact with the Customer, during the processing of transactions or obtaining information, when investigations are being conducted on a suspicion or even after reporting to the FCIS.
Persons entrusted with investigating and reporting duties must essentially conduct Customer enquiries in a tactful manner regarding the background to a transaction or activity, and carry out required CDD measures in a way which does not give rise to the Customer being aware that they are under suspicion.
Should any of the staff members fail to comply with these requirements, the liability established in the laws could be imposed on them accordingly.
The information which is or must be submitted to the FCIS must not be published or made available to any other authorities or persons, except for cases established in the Law and Applicable laws or if FCIS specifically requests so.
Unless otherwise instructed by the FCIS, this restriction shall not prevent the Company from exchanging information among financial institutions in the cases connected with the same Customer and with the same transaction covering two or more financial institutions, if they are registered within the territory of the EU Member State or the territory of a Third Country which has established requirements equivalent to those laid down by the Law, and if they are subject to equivalent obligations as regards professional secrecy and personal data protection. Such exchange of information is permitted exclusively for the purposes of the AML/CTF. This exception does not apply if there is an individual decision of the European Commission on this issue. Where information is disclosed to the subjects registered in Third countries, these subjects shall be given personal data, but such a disclosure shall meet the requirements laid down in the Section V of the Regulation (EU) 2016/679.
Should any of the staff members fail to comply with these requirements, the liability established in the laws could be imposed on them accordingly.
If during the investigation collection of additional information is required, any approach to the Customer should be made sensitively, and by someone other than the MLRO, to minimise the risk of alerting the Customer that a disclosure to the FCIS may be being considered.
The Company is not liable to the Customer for failure to perform contractual obligations or damage caused due to fulfilment of reporting obligations.
The provision of information referred to in the Policy to FCIS shall not be considered as the disclosure of industrial, commercial or bank secret.
12. RETENTION OF RECORDS AND INFORMATION
12.1 MAINTENANCE OF LOGS AND RECORDS
The Company shall maintain at least the following logs:
- Log of STRs and Suspicious Activity.
- Log of the Customer’s Monetary operations and transactions.
- Log of the Customer’s Monetary operations and transactions exceeding EUR 15 000 (carried out as occasional transaction or linked transactions).
- Log of Customers with whom transactions or business relationships were refused or terminated due to the circumstances related to violations of procedure on AML/CTF and/or avoidance of Sanctions.
The Company will also retain trainings-related data (employees who participated in trainings, results of knowledge checks, content of trainings material, etc.).
12.2 CONTENT OF LOGS
All logs maintained by the Company shall contain the following information:
• Identity data of the Customer, his representative (where a Monetary operation or transaction is carried out through a representative): natural person’s name, surname, personal number (foreigner’s date of birth), citizenship, legal person’s name, legal form, registered office address, registration number (if any).
• Data of a Monetary operation or transaction: date of execution of the transaction, description of the Property in respect of which the transaction is carried out (money, real estate, etc.) and value thereof (amount of money, currency in which the Monetary operation or transaction is carried out, market value of the Property, etc.).
• Data of the person who is the payee: natural person’s name, surname, date of birth, legal person’s name, legal form, registered office address, reg. number (if any), except the cases where money transfers are executed and accepted in accordance with Regulation (EU) No 847/2015 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006. In such case data of the payee indicated in Regulation (EU) No 847/2015 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 shall be entered.
• When it is not objectively possible to identify the identity of the payee, the Company shall enter into the register other information enabling the Virtual currency address to be linked to the Virtual currency owner identity (e.g., IP address, e-mail address, etc.).
In addition to the general content requirements, the log of STRs and Suspicious Activity shall also include additional data about the UBO (name and surname, personal number (foreigner’s date of birth), citizenship), and the Suspicious Activity criteria which are met shall be indicated.
In addition to the general content requirements, the log of Customers with whom transactions or business relationships were refused or terminated shall contain data required for the log of STRs and Suspicious Activity, also data about the UBO(s) (name and surname, personal ID number (foreigner’s date of birth), citizenship), and the reasons for the termination of transactions or Business relationships.
Data shall be entered into the log in a chronological order based on the documents confirming a Monetary operation or transaction or any other legally binding documents that are related to the execution of Monetary operations or conclusion of transactions immediately and no later than within three business days as of the execution of the Monetary operation or conclusion of the transaction.
12.3 RETENTION OF INFORMATION RELATING TO BENEFICIAL OWNERS
The Company will also retain and provide, upon FCIS request, the following data about the Beneficial owners: (a) identity data of Beneficial owner; (b) evidence of verification of information provided by the Customer against reliable and independent sources; (c) data about the structure of the Customer (legal entity’s) ownership and control.
12.4 FORM AND TIME LIMITS OF THE STORAGE OF INFORMATION
The data in the logs maintained by the Company shall be stored in paper or electronic form for eight years as of the date of termination of transactions or Business relationships with the Customer.
Copies of the identity documents of the Customer, the identity data of the Beneficial owner, direct video streaming recordings, other data received at the time of establishing the identity of the Customer and account and/or agreement documentation (originals of the documents or electronic form documents, saved in the electronic form in accordance with the Applicable laws) shall be stored for eight years as of the date of termination of transactions or Business relationships with the Customer.
Business correspondence with the Customer shall be stored in paper or electronic form for five years as of the date of termination of transactions or Business relationships with the Customer.
The documents confirming a Monetary operation or transaction and data or other legally binding documents and data related to the execution of Monetary operations or conclusion of transactions shall be stored for eight years as of the date of termination of the Monetary operation or conclusion of the transaction.
Records of the results of the review of complex transactions, unusually large transactions, transactions carried out in unusual manner, unusual transactional structures that do not have obvious economic or visible legitimate purpose, Business relationships or Monetary transactions with Customers from third countries, where AML/CTF measures are insufficient or do not meet international standards according to the information officially published by international intergovernmental organizations shall be retained for 5 years.
Trainings-related data is stored for five years after completion of the trainings (in hard copy or electronic form).
Time limits for storage may be additionally extended for up to two years upon a substantiated instruction of a competent authority.
The documents and information based on which entries were made in the Company’s registers will be stored in a way allowing:
• Recovery of certain monetary operations or transactions.
• When necessary, the submission of them and the information contained therein to FCIS or other competent authorities.
12.5 PROTECTION OF RECORDS AND INFORMATION
Depending on the circumstances and the nature of information, documents in tangible form will be kept in locked rooms, while documents in electronic form will be stored on restricted access servers selected by the Company and access to such documents will be made available only to MLRO, Director and other persons specifically authorized by the Director.
The Company’s local network for processing information obtained under the Policy will be protected from the impact of external networks.
The Company will implement at least the following measures to ensure prevention of unauthorized destruction, alteration and use of the records and information:
- Access to the registers and the right to complete, keep and manage the registers will be granted solely to authorized personnel.
- Access to the computer and/or computer network on which the registers are stored must be password-protected.
- The password must be changed every 3 months.
- The number of failed attempts of accessing the information will be set.
- Security of the premises on which the computer and/or server from which the registers may be accessed must be ensured. Access to respective premises by unauthorized persons will be restricted.
Data entered in the Company’s logs shall not be disclosed publicly or otherwise. MLRO will be entitled to provide the data entered in the logs solely to the Director or his/her authorized person, FCIS or other institutions stipulated by the Applicable laws.
13. STAFF SUITABILITY POLICY
The Company ensures that the competence, working experience and qualification of the candidate to take the position of MLRO and Senior Management is assessed before these persons are appointed.
The suitability assessment must include assessment of the level and nature of education, professional development, nature and duration of professional activity or work experience, other factors that may affect the person’s competence, experience and qualifications, as well as whether the person to be appointed as responsible for the implementation of AML/CTF measures has knowledge of risk management related to the implementation of AML/CTF measures.
14. COMPLIANCE MONITORING. QUALITY ASSURANCE
Company must ensure ongoing monitoring of the compliance, adequacy and sufficiency of AML/CTF controls. To this end, the Company shall implement the measures specified in this Section.
Compliance monitoring is conducted by way of executing these three processes:
- Annual compliance monitoring plan,
- Policy administration, and
- Independent testing.
14.1 ANNUAL COMPLIANCE MONITORING PLAN
The Compliance Officer shall, at the beginning of each year and no later than the end of the first quarter, draw up a compliance monitoring plan for the following year, based on a risk-based approach, which shall include AML/CTF compliance activities for the following year.
The annual compliance monitoring plan must be submitted to the appointed member of the Management Board for approval. MLRO must report to the appointed member of the Management Board on the progress of implementation of actions specified in the compliance monitoring plan.
14.2 POLICY ADMINISTRATION
The MLRO is responsible for review of the Policy and internal documents implementing the Policy. The MLRO will recommend appropriate changes for approval by the Management Board. The review includes consideration of applicable law, feedback on the effectiveness of the Policy, annual business-wide risk assessment, internal documents implementing the Policy, and any supervisory examination or audit input.
The Policy and internal documents implementing the Policy will be reviewed at least on an annual basis. The Policy must also be reviewed upon completion of the annual business-wide risk assessment, in the event of changes in ML/TF risks associated with the activities of the Company, regulatory changes and/or other significant events. The Policy also needs to be reviewed prior to changes in business model, introduction of new projects, products and technologies.
14.3 INDEPENDENT AUDIT
Policy and other internal documents implementing the Policy must be regularly assessed by an independent auditor.
The independent audit may be carried out by the internal audit function, if one is established within the Company. If the independent audit is carried out by the internal audit function, an independent evaluation must also be carried out periodically by an external auditor. In all cases where an internal audit function is not established, the independent audit must be performed by an external auditor.
The purpose of the independent audit is to ensure the ongoing and regular review of the adequacy and sufficiency of all AML/CTF requirements and the tools for their implementation. Independent audit may include assessment and testing of (the list is not exhaustive):
- Policy and internal documents implementing the Policy.
- Review of business-wide risk assessment.
- Testing of the effectiveness of CDD procedures.
- Sanctions program testing.
- Review of the effectiveness of transaction monitoring and assessment of the process for identifying and reporting Suspicious Activity.
- Transaction testing to confirm compliance with recordkeeping and reporting requirements.
- Review of training of staff members for adequacy.
- Assessment of the integrity and accuracy of management information systems used in the AML/CTF and/or avoidance of Sanctions.
- Testing of tools (software, third-party services, outsourcing arrangements etc.) used in implementation of AML/CTF controls.
The review scope, procedures, operations testing, and findings must be documented and available for review, along with other documentation.
Auditor will report its findings directly to the Management Board, Director and the MLRO in a timely manner. The Management Board will evaluate deficiencies highlighted by the report, document corrective actions to be taken and oversee a corrective program of work.
15. FINAL PROVISIONS
The Policy will be amended and/or supplemented by the Management Board resolution of the Company.
MLRO is responsible for communicating the amendments and/or supplements of the Policy to the staff members of the Company. MLRO will be responsible for obtaining written acknowledgement of obligations under the Policy from staff members. The staff members that acknowledged obligations under this Policy will be held liable for violations of the Policy in accordance with the procedure established by law.
No part of this Policy or other internal documents implementing the Policy should be interpreted as contravening or superseding any other legal and regulatory requirements imposed upon the Company. Any conflicts between the Policy and other legal obligations applicable to the Company must be submitted immediately to the MLRO for further evaluation who will, if necessary, consult outside legal counsel.