Policy on prevention of money laundering and terrorist financing

 i. GENERAL PROVISIONS

  1. Policy on prevention of money laundering and terrorist financing (hereinafter – the Policy) estab E-Pocket Europe, UAB (hereinafter – the Company) as obliged entity, for implementation and daily compliance of the legal requirements on prevention of money laundering and terrorist financing (hereinafter – ML/TF).
  1. The Policy is prepared according to the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by Part 2 of the Criminal Justice Act 2013 and by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 (“the CJA 2010”) (hereinafter – the Law), reflecting the recommendations made by the Financial Action Task Force (FATF), at both European and Irish level.
  1. The main activity of the Company is the facilitating digital money transfers via deposit wallet services (hereinafter – the Services) and related services in the Republic of Ireland and across the European Union (EU). The Company, as a virtual currency deposit wallet and exchange operator, is obliged to provide services according to the Law in order to prevent ML/TF.
  1. The Company assesses the risks of ML/TF using a risk-based approach and evaluates the following types of risks:

4.1. Risk related to the Customer’s attributes;

4.2. Risk associated with the channel for the supply of a product, service, transaction, or service delivery;

4.3. Risk related to the area (country and/or geographical).

  1. The Policy is prepared considering that the Company does not provide physical financial services and cash services. All of the Company’s services are provided electronically through a service platform (website) operated by the Company.
  1. At least annually or in the case of significant events, the Company will carry out a risk assessment, monitor the adequacy of the measures set out in the Policy for the implementation of the ML/TF, where necessary, new or adequate preventive measures shall be amended or introduced.
  1. This Policy must be followed by all employees of the Company. The obligations of the Company as defined in the Policy must be understood as the duties of all employees of the Company unless it is provided that certain duties of the Company must be performed by a specially designated employee of the Company.
  1. The Company shall notify the Financial Intelligence Unit (hereinafter – the FIU) in writing of the appointment or change of the employees responsible for implementation of prevention of ML/TF measures in the Company no later than 7 business days after their appointment or change.

ii. RISK ASSESSMENT AND MANAGEMENT

  1. The Company shall apply a risk-based approach when implementing measures to mitigate the risk of ML/TF.
  1. The Company continually assesses and manages the ML/TF risks associated with the Company’s business relationship or incidental transactions. The Company’s risk assessment consists of:

10.1. Risk assessment at the Company level, which covers all activities of the Company, helps identify areas in which the Company has to implement priority risk management measures commensurate with the risks and the business specificities of the Company, the scope of its activities;

10.2. Risk assessment of relationships and transactions with customers and transaction validation, which includes identification, other Know Your Customer (KYC) procedures and ongoing monitoring;

10.3. Continuous monitoring of the level of risk arising from the ongoing monitoring of customer transactions, monetary operations and status to match the Company’s customer profile and be not suspicious, ensuring that the information available to the Company is relevant, allowing an assessment of whether the level of risk has remained unchanged.

  1. Comprehensive measures are applied by the Company to determine the risk of ML/TF both before and after establishing a business relationship with the customer, by analysing the customer’s behaviour and monetary operations, transactions carried out and information provided (documents) by him/her.
  2. Customers of the Company are divided into the following three risk groups:

12.1. Low-risk, customers who carry extremely low risk of ML/TF, including low risk to the Company’s reputation. Low risk group customers include all those who fulfil one or more of the low-risk attributes listed in Annex 1 of this Policy.

12.2. Medium-risk, customers rated as being at risk for some ML/TF by one or more attributes, but their status or operations carried out by them would not have the same impact on the Company’s reputation as high-risk customers or activities thereof. Medium-risk group customers include all those who do not fall under low or high risk customer categories as indicated in Annex 1 of this Policy.

12.3. High-risk customers who have one or more of the attributes of increased risk of ML/TF and in respect of whom the Company has a reasonable suspicion that they may significantly adversely affect the Company’s reputation. Higher risk group customers include all those who meet one or more of the high-risk attributes listed in Annex 1 of this Policy.

  1. Customers are assigned to one of the identified risk groups when establishing business relationships. Subsequently, the risk profile of the customer may be changed in light of the results of the monitoring of business relationships.
  1. The customer risk assessment is built on the principle that higher risk is given a bigger risk score.
  1. The establishment of the business relationship with high-risk customers must be approved by the Company’s director.
  1. The customer risk assessment, both prior to establishing a business relationship and updating the customer’s data is performed by Responsible employees. Only after the customer’s risk assessment is completed, a decision is made on establishing a business relationship.
  1. When assessing the risk of the customers, the primary aim is to evaluate all information available about the customers.
  1. During assessment of customer’s risk and establishment of business relationship, the Company shall collect duly filled-in and executed Company’s customers and/or ultimate beneficial owner questionnaire(s) in accordance with section V of this policy.

iii. CUSTOMER’S TRANSACTIONS AND OPERATIONS MONITORING

  1. After establishing a relationship with the customer, the customer’s business relationships, including transaction and operations, are monitored on an ongoing basis- ongoing customer due diligence (ODD) is applied. This shall ensure that transactions and operations are consistent with the Company’s information of the Customer, its business, risk profile and source of funds. The Company maintains real–time and retrospective monitoring of business relationships and operations.
  1. Responsible employees of the Company must monitor customer’s transactions on an ongoing basis for any unusual operations or activities. Unusual features may be related to the size of the transaction, which is inconsistent with the customer’s financial position or past known business, the customer’s knowledge or experience, the unusual nature of the transaction as distinguished from other customer’s methods of operation or similar usual business practices, the complex structure of the transaction as compared to similar transactions in a similar profile of the customer or the market. ODD also means that the Company periodically updates customer information.
  1. In the event of any employee of the Company having any doubts about the legality, economic or legal validity of the customer’s activities or of any particular operation or transaction, its inconsistency with the customer’s personal or business profile, sources of funds or financial capacity, the employee must immediately notify the Company’s director, who must then investigate further and determine the necessity of reporting to the FCIS of the customer’s activity or transaction.
  1. When monitoring the customer’s activities, transactions and operations, particular attention must be paid to:

22.1. Complex or unusually large transactions and any unusual transactional structures that have no apparent economic or visible legitimate purpose, and business relationships or operations with customers from third countries, where, in accordance with official information published by international intergovernmental organisations, measures to prevent ML/TF are insufficient or do not meet international standards.

22.2. Any threat of ML/TF that may arise from the use of the services provided or the transactions carried out in order to conceal the identity of the Customer or the beneficial owner, as well as in respect of any business relationship or transaction with the customer who has not been identified through direct presence and, where necessary, immediate measures are taken to prevent the use of money for ML/TF.

22.3. Whether the customer or a beneficial owner is included in the consolidated list of the United Nations of persons, groups and entities and bodies subject to EU financial sanctions.

22.4. Whether the customer or the beneficial owner has no links with countries that are classified in the category of higher risk countries: they are subject to European Union sanctions or other restrictive measures, as well as to the countries identified by the Financial Action Task Force as high risk or non-cooperative countries.

  1. The Company has ongoing control over its operations for possible violations of international sanctions. Depending on the nature of the Company’s activities – provision of virtual currency services – the Company implements this obligation through a third – party monitoring tool.
  1. The results and conclusions of unusual customer activities, transactions and operations investigations must be recorded in writing.
  1. All communications to the FIU are provided by the Company’s director or the Responsible employee who is assigned to perform this function.
  1. In case the Company has established a business relationship with the customer, determined as a high risk customer, the Company applies enhanced ongoing customers due diligence (EODD). In addition to the measures applied for ODD, the Company shall monitor and analyse the following actions of high risk customer:

26.1. Transaction types (e. g. series of high-value transactions in a short period of time, instant withdrawal of funds with no transaction activity);

26.2. Transaction patterns (e. g. frequent transfers of large amounts funds within a set period of time, to the same account from more than one person);

26.3. Anonymity (e. g. multiple e-Pocket wallets controlled from the same IP address, IP associated with suspicious sources);

26.4. Senders and recipients (e. g. elderly or financially vulnerable customers engaging in high volume transactions);

26.5 Source of funds (e. g. transactions involving accounts with known links to illegal activities, such as fraud, extortion, etc.).

  1. If the Responsible employee becomes aware or otherwise suspects that a transaction, operation, or customer activity is suspicious, or for any other reason listed in this Policy would be reported to FIU, he/she will promptly record it, re-examine, carry out further examination of the information available in order to assess whether there is a basis for providing such information to the FIU and, where available, submit the information in the format, procedures and timelines set by the FIU.
  1. All employees of the Company, without exception, must be prohibited from informing the customer or any other person that information about the customer’s operations or transactions, or any other information, has been provided to the FIU or other supervisory authority.
  1. The Company or its employees are not liable to the customer for failure to perform their contractual obligations or for damage if this occurs as a result of suspending an operation or transaction and reporting the allegations to the FIU or because of failure by the customer to provide data to confirm his identity, or providing incomplete or incorrect information, or if customer or his representative avoids providing the information necessary to identify him/her.
  1. No liability must be imposed on Company’s directors or other employees who, in good faith, report information on suspected ML/TF or suspicious operations or transactions to the FIU. Likewise, they may not be subject to any disciplinary action by the Company.
  1. The Company must notify the FIU immediately, no later than within 1 business day after the occurrence of such information or suspicion, if the Company is aware or suspects that assets of any value are directly or indirectly derived from a criminal offence or by participating in a criminal offence.
  1. Where it is determined that the customer carries out a suspicious operation or transaction, regardless of the amount of the operation or transaction, it is mandatory to suspend the operation or transaction (unless due to the nature of the operation or transaction, the manner in which it is performed or other circumstances it is objectively impossible) and no later than 3 business hours from the time of the transaction or the suspension of the monetary operation to report this operation or transaction to the FIU. If, due to the nature of the operation or transaction, the manner in which they are performed, or other circumstances, the operation or transaction has not been suspended, the FIU must be notified no later than 3 business hours after such operation or transaction is identified. Immediate reporting is also required when the Company employees receive information that the Customer intends or will attempt to execute a suspicious operation or transaction.
  1. The Company is required to unilaterally suspend a suspicious operation/transaction and upon receipt of a written order from the FIU must suspend any suspicious operation or transaction performed by the customer for a period of up to 10 business days from the time or circumstances specified in the order. During this period, the Company’s suspended transaction/operation may be renewed only with the permission of the FIU.
  1. If the Company is not obligated to execute the temporary restriction of the ownership rights within 10 business days after the notification or FIU order has been received, the operation or trans action shall be resumed.
  1. Notification of suspicious operations or suspicious transactions to the FIU must be submitted by logging in to the FIU information system and filling in the approved electronic form for the provision of information on suspicious operations or suspicious transactions.
  1. Only in exceptional cases, should the Company not be able to access the FIU information system and complete the information submission form, or would not be able to do so for other technical reasons, it may also, in emergency cases, submit the information to the FIU by phone, fax or email.
  1. The suspicious transaction report form must include:

37.1. Identity information of the customer, his representative (for natural persons – full name, date of birth, personal code; for legal entities – name, legal form of legal entity, registered address, legal code, if any).

37.2. To what kind of criteria approved by the FIU, to recognise that the operation or transaction is considered to be suspicious, the operation or transaction is in conformity.

37.3. Method for performing a suspicious operation or suspicious transaction.

37.4. The date of the suspicious operation or suspicious transaction, a description of the property to which the transaction relates to and its value.

37.5. Deposit wallet management methods.

37.6. Contact information of the customer, his representative (phone numbers, email addresses, contact persons).

37.7. A beneficiary in whose favour a suspicious operation or suspicious transaction is performed (for natural persons – full name, date of birth, personal code; for legal entities – name, legal form of legal entity, registered address, legal code, if any).

37.8. Date and time of suspension of the suspicious operation or suspicious transaction.

37.9. If the suspicious operation or transaction has not been stopped: the reasons for not stopping it.

37.10. Other information that the Company considers relevant.

  1. The Company will report to the FIU the customer identifying data and information on executed virtual currency exchange operations or transactions in the virtual currency where the value of such monetary operation or transaction equals or exceeds EUR 15 000 in Fiat currency or virtual currency, regardless of whether the transaction is made in one or several related monetary transactions.
  1. Multiple related transactions mean multiple virtual currency exchange operations or transactions in virtual currency during the day, where the total amount of operations and transactions equals or exceeds EUR 15 000 or the equivalent in Fiat currency or virtual currency.
  1. Notification of operations or transactions of EUR 15 000 or more must be submitted to the FIU without delay and no later than 7 business days after the date of the execution of the monetary operation or transaction.

iv. IMPLEMENTATION OF SANCTIONS

  1. The Responsible employee is an employee appointed by the Company who arranges the implementation of financial sanctions, is responsible for suspending the disposal of the deposit wallets, regular updating of the list of entities subject to financial sanctions or the selection of eligible third party suppliers to provide consolidated updates of international lists of financial sanctions and quality control of their services, reporting to FIU and other authorities responsible for overseeing the implementation of international sanctions.
  2. The Company must:

42.1. Implement financial sanctions.

42.2. Check in the consolidated databases used by the Company, and in their absence or if they are inoperative, in direct sources, whether the Company’s customer and its beneficial owner are not included in the list of entities and their groups, which are subject to United Nations Security Council resolutions against terrorism, a consolidated list of the European Union’s financial sanctions, as well as the lists of financial sanctions issued by the Republic of Ireland.

42.3. Pay particular attention to customers from countries on the lists of non-cooperating states and territories drawn up by the FATF and the European Commission, and operations or transactions carried out on their own or on their behalf.

42.4. Restrict the right of customers included in the abovementioned international financial sanctions lists to operate, use and dispose of the Fiat currency held in the Company, subject to the implementation exemptions provided for in international organisations decisions and/or European Union legislation.

42.5. Immediately terminate or suspend the obligations incurred prior to the imposition of the international financial sanctions in the Republic of Ireland for the period of the implementation of the international financial sanctions.

42.6. To terminate immediately – unilaterally or by agreement of the parties – transactions concluded prior to the imposition of financial sanctions in the Republic of Ireland, or to suspend their execution for the period of implementation of financial sanctions.

42.7. Inform the FIU of the suspension of the accounts of the customers subject to financial sanctions.

42.8. Provide information on the implementation of financial sanctions and all data necessary for supervision to the FIU.

  1. Company employees and customers are prohibited:

43.1. To carry out actions which are prohibited by international sanctions implemented in the Republic of Ireland.

43.2. To enter into transactions which would be contrary to international sanctions implemented in the Republic of Ireland.

43.3. To assume new obligations, the fulfilment whereof would be contrary to international sanctions implemented in the Republic of Ireland.

v. CUSTOMER AND BENEFICIAL OWNER IDENTIFICATION

  1. The Company’s employees whose functions include performing prevention of ML/TF (hereinafter – the Responsible employees) are responsible for the identification of the customer, its representative and the beneficial owner, collection and initial verification of customer’s, its representative and beneficial owner data and documents.
  1. The Company shall take steps to identify and verify the identity of the customer, its representative and the beneficial owner in the following cases:

45.1. Before starting a business relationship.

45.2. When there are doubts about the accuracy or authenticity of previously obtained customer and beneficial owner identities.

45.3. In any other case where there is a suspicion that ML/TF activities are, have been or will be carried out by the customer.

  1. The Company’s Responsible employees shall be responsible for reviewing the quality of the customer’s file, verifying the data in independent reliable sources available to the Company (lists of politically exposed persons, international sanctions, etc.). These responsible employees shall also perform risk assessment and assignment of the customer to the risk category and other compliance procedures as provided in the Policy.
  1. After gathering all the necessary information about the customer (duly filled-in and executed customer questionnaires), the Responsible employees first identifies the customer’s risk group.
  1. Upon making a decision to establish a business relationship with the customer, the Responsible employees, while providing the services to the customer, shall continue to monitor the customer on a regular basis.
  1. Customer and beneficial owner has to provide the following documents and information for identification purposes:

49.1. Passport or ID copy if the customer, its representative, beneficial owner is a natural person.

49.2. Utility bill indicating residence address of natural person.

49.3. Legalised commercial excerpt of the company if the customer is a legal entity.

49.4. Legalised Articles of Association of the company if the customer is a legal entity.

  1. The Company only considers provided documentation form the customer suitable if scanned copies and/or good quality photos are provided to the Company.
  1. In cases that a Responsible employee determines a customer as a low-risk customer, the Company might not apply rules indicated in point 48 of this Policy. The Company then:

51.1. Collects correctly filled-in and duly filled-in and executed customers questionnaires.

51.2. Ensures that the first payment of the customer would be carried out through an account with a credit institution, registered in a Member State of the European Union.

  1. If the Responsible employee determines a customer’s category as a high-risk, in addition to the documents listed in point 48 of this Policy, the Company shall:

52.1. Obtain additional information on the customer and on the beneficial owner;

52.2. Obtain additional information on the intended nature of the business relationship;

52.3. Obtain information on the source of funds and source of wealth of the customer and of the beneficial owner;

52.4. Obtain information on the reasons for the intended or performed transactions;

52.5. Obtain the approval upon point 15 of this Policy;

52.6. Conduct EODD of the ongoing business relationship with these by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination;

52.7. Ensures that the first payment of the customer would be carried out through an account with a credit institution, registered in a Member State of the European Union.

  1. It is forbidden to enter into transactions, to establish or continue business relationships, provide Services when customer identification is not possible in accordance with this Policy:

53.1. If the customer does not provide data proving his identity;

53.2. If the customer does not provide all data or data is incorrect;

53.3. If the customer or his representative avoids providing the information necessary for his identification or avoids providing the information necessary to identify the beneficial owner, or the data provided is not sufficient.

  1. If the customer avoids or refuses to provide additional information to the Company at its request and within the time limits, the Company shall take measures to mitigate the ML/TF risk in accordance with this Policy. The Company may also refuse to execute transactions or operations, suspend transactions or terminate business relationships with the customer. Upon termination of the business relationship, the Responsible employees must report such customer and other related information into the registration journal of customers with whom transactions or business relationships are terminated (Annex 5) in accordance with the procedure set forth in this Policy.
  1. If proper identification, verification, or follow-up is not possible, Responsible employees of the Company who notice such a case must immediately notify the Company’s director. The director shall decide on the advisability of reporting a suspicious operation or transaction report to the FIU.
  1. The customer and/or its representative shall perform identity verification remotely via tools presented by the Company.
  1. The documents, data or information submitted to the Company during the identification of the customer and the beneficial owner must remain true, accurate and up-to-date throughout the business relationship with the Company.
  1. The data of customers, both existing and new, is updated as the circumstances surrounding the customer change, as new circumstances become evident, and periodically, depending on the customer’s level of risk.
  1. High-risk customer data must be updated at least once a year, medium-risk customer data is updated at least every 2 years, low-risk customer data is updated upon learning of any changes, but at least every 3 years.
  1. If the customer has initiated updates in his account information, the changes must be evaluated, and risk should be reassessed accordingly.
  1. If the changes in the customer’s information resulted in a change of the customer’s risk level, the date from which the customer’s data must be updated is renewed according to his risk level.
  1. If the customer did not update his/her data when required according to his/her risk level during the period of 3 months, services provided by the Company to the customer will be limited.
  1. Updating the data means that it is obligatory to check that the Company has up-to-date information about the customer, its representatives and beneficial owners. It is necessary to ensure that the transactions and/or operations executed by the customer so far comply with the information available to the Company on the customer, its activities and the source of funds.
  1. During the review, it is always mandatory for customers to be screened for being included in the sanctions lists, changes in their status of politically exposed persons or existence of any negative information. If the functionality of the systems used by the Company allows, such verification must not be periodic, but is performed on a continuous basis through consolidated databases, whereby once entered, the customer’s information is constantly verified and any changes in customer status are reported to the Company’s director who periodically reviews system alerts for potential new results related to changes in the customer status and takes appropriate action.
  1. Evidence of the review is stored in the customer’s electronic file in the Company’s database.

vi. KYC AND CUSTOMER DUE DILIGENCE

  1. Customer due diligence (CDD) is a key responsibility of the Company in the implementation of the prevention of ML/TF and includes:

66.1. Customer identification and verification based on provided documents, data and information obtained from an independent and reliable source.

66.2. Identification of the beneficial owner and taking reasonable steps to verify that the named person is in fact the final beneficial owner and to verify his identity.

  1. The data provided by the customer must be verified on the basis of documents, data or information obtained from a reliable and independent source.
  1. The information must be verified by various means and sources available, including:

68.1 Checking the consistency of the information received (whether there are illogical or unexplained facts, inconsistencies);

68.2. Comparing the information provided by the customer with the content of official documents provided by the customer or received at the initiative of the Company, information contained in public registers;

68.3. Using targeted web search: for example, by typing in the customer’s name and certain keywords, depending on the search context, using information available on social networks to identify the customer’s relations, etc;

68.4. Using other reliable sources depending on the information to be verified.

vii. STORAGE OF INFORMATION

  1. The Company shall maintain the following journals and database:

69.1. Database for registration of customers with whom transactions or business relationships have been terminated in the cases provided for in the Policy or in other circumstances related to the prevention of ML/TF (Annex 5).

69.2. Database of reports submitted to FIU on suspicious operations and transactions (Annex 7).

  1. The information in the listed registration databases shall be maintained and stored in the Company’s information systems. Data may be entered in the databases no later than within 3 business days after the date of the transaction or suspension of transaction/termination of a business relationship, either manually or automatically.
  1. Copies of the customer’s identity documents, beneficial owner’s identity data, other data received during the customer’s identification, documentation shall be retained for 8 years from the date of termination of transactions or business relationships with the customer.
  1. Business correspondence with the customer must be stored for 5 years from the end of transactions or business relationship with the customer in paper or electronic form.
  1. Documents or information supporting operation or transaction or other legal instruments relating to the performance of operations or transactions must be stored for 8 years from the date of operation or transaction.
  1. Documents analysing the results of the transaction investigation are stored in an electronic database for 5 years.
  1. Retention periods may be further extended additionally for a period not exceeding 2 years, upon motivated instruction of the competent authority.

viii. TRAINING OF THE COMPANY’S EMPLOYEES

  1. All employees of the Company shall be introduced to the Policy upon their appointment by their signature. The director of the Company must ensure that all newly recruited employees are made aware of this Policy in writing and receive training, depending on the functions performed by the employee.
  2. The Company must review and, where necessary, update its internal control procedures:

77.1. Strengthen the applicable internal control procedures upon receipt of an order from the FIU;

77.2. Upon significant events or changes in the Company’s management and operations;

77.3. Periodic monitoring of the implementation and adequacy of internal control procedures.

  1. The director of the Company must ensure that the relevant employees of the Company are aware of the legal acts and requirements applicable to them and the provisions of this implementing Policy. These measures shall include participation of their relevant employees in special ongoing training programs to help them recognise the actions which may be related to ML/TF and to instruct them as to how to proceed in such cases.
  1. Responsible employees must continually upgrade their skills, following the Republic of Ireland, European Union legislation updates, recommendations of FATF and other organisations, to seek to participate in the training on ML/TF prevention and enforcement of international sanctions (courses, seminars, internships, etc.).
  1. The director of the Company also identifies the need for internal training of the Company’s employees. Any other member of the compliance department may also indicate such need.
  1. The director of the Company must ensure that Company’s employees are informed in a timely manner of material events occurring inside or outside the Company, incidents affecting the effectiveness of prevention of ML/TF or sanctions.

ix. FINAL PROVISIONS

  1. The implementation of measures for prevention of ML/TF is organised by the director of the Company in liaison with the FIU.
  1. The director of the Company must ensure that the Responsible employees have access to all information necessary to perform their functions, including information relating to the identity of the customer and the beneficial owner customer’s business relationship, cash operations and transactions, and other information.
  1. This Policy is approved by the director of the Company. This Policy and appendices to the Policy shall take effect from the date of its approval unless otherwise specified. The Policy may be withdrawn, amended and/or supplemented only by a decision of the director of the Company and shall enter into force on the day following the date of adoption of such amendments and/or additions. All employees of the Company are familiarised with the changes immediately.