1. General provisions

The Policy is developed and periodically updated by the Company’s compliance officer based on the general principles set up by the Company’s management with respect to prevention of money laundering and terrorist financing. The Policy shall be communicated to all employees of the Company that establish business relationships, manage and monitor transactions of customers. The obligation to observe the Policy rests with the Company’s management, the compliance officer, employees and any other outsourced professional staff who initiate or establish Business Relationship and monitor further transactions.

2. Definitions

“Money Laundering” means a set of activities with the property derived from criminal activity or property obtained instead of such property with the purpose to: (1) conceal or disguise the true nature, source, location, disposition, movement, right of ownership or other rights related to such property; (2) convert, transfer, acquire, possess or use such property for the purpose of concealing or disguising the illicit origin of property or of assisting a person who is involved in criminal activity to evade the legal consequences of his or her action; (3) participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counseling the commission of any of the actions referred to pp. (1) and (2) above.

“Terrorist Financing” means tools and methods used by terrorist organizations to finance their activities.

“International Sanctions” means a list of non-military measures decided by the European Union, the United Nations, another international organization, and aimed to maintain or restore peace, prevent conflicts and restore international security, support and reinforce democracy, follow the rule of law, human rights and international law and achieve other objectives of the common foreign and security policy of the European Union.

“Compliance Officer” means a representative appointed by the Company responsible for the effectiveness of the Policy, conducting compliance over the adherence to the Policy and serving as contact person of the FIU.

“Business Relationship” means a relationship of the Company established in its economic and professional activities with the Customer.

“Customer” means a natural person who has a business relationship with the Company.

“Politically Exposed Person or PEP” means a natural person who is or who has been entrusted with prominent public functions including a head of state, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d’affaires and a-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a state-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organization, except middle-ranking or more junior officials. The provisions set out above also include positions in the EU and in other international organizations. A family member of a person performing prominent public functions is the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person; a child and their spouse, or a person considered to be equivalent to a spouse, of a politically exposed person; a parent of a politically exposed person. A close associate of a person performing prominent public functions is a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a politically exposed person; and a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.

“Representatives” means the management, the Compliance Officer, employees and any other outsourced professional staff who initiate or establish Business Relationship and monitor further transactions.

“Virtual currency” means a value represented in the digital form, which is digitally transferable, preservable or tradable and which natural persons or legal persons accept as a payment instrument, but that is not the legal tender of any country.

3. Compliance officer

The Company shall appoint a Compliance Officer whose principal duties are:

• acting as a contact person;
• monitoring compliance with the other regulatory acts and procedures established by the Policy;
• keeping updated information regarding countries with high and low risk of Money Laundering and Terrorist Financing and economical activities with great exposure to Money Laundering and Terrorist Financing;
• obtaining the competence, means and access to relevant Company’s information, education, professional suitability, abilities, personal qualities, experience and good reputation;
• managing the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the obliged entity;
• reporting in the event of suspicion of money laundering or terrorist financing;
• performing any other duties and obligations related to compliance with the requirements of the legislation.

4. Due diligence measures

Customer due diligence is one of the main tools for ensuring the implementation of mandatory regulations aimed at preventing money laundering and terrorist financing and at applying sound business practices. Customer due diligence ensures the application of adequate risk management measures in order to ensure permanent monitoring of customers and their transactions, gathering and analyzing relevant information. Upon application of customer due diligence measures, the Company will follow principles compatible with its business strategy and, based on prior risk analysis and depending on the nature of the Customer’s Business Relationship.

For the purpose of identification, assessment and analysis of risks of money laundering and terrorist financing related to its activities, the Company prepares a risk assessment, taking into account geographical, customer and product risks.

No new Business Relationship can be formed if the Customer has failed to present documents and appropriate information required to conduct due diligence, or if based on the presented documents, the Representative suspects Money Laundering or Terrorist Financing.

Customer due diligence is applied on a risk-based approach, depending on the status of the Business Relationship or transactions. Depending on the risk level arising from the Customer and the fact whether the Business Relationship is an existing one or it is about to be established, the Company shall apply either normal due diligence measures or enhanced due diligence measures.

If the risk level of the Business Relationship or transaction is normal, the Company may apply normal due diligence measures but is not allowed to skip Customer due diligence entirely. If the risk level arising from the Customer is greater than normal, enhanced due diligence measures will be applicable.

To comply with due diligence principles and obligations, the Representatives shall have the following rights and obligations:

• to request appropriate documents in order to identify the Customer;
• to request documents and information regarding the activities of the Customer and source of funds;
• to screen the risk profile of the Customer, select the appropriate due diligence measures, assess the risk whether the Customer is or may become involved in Money Laundering or Terrorist Financing activities;
• to re-identify the Customer if there are any doubts regarding the correctness of the information received during initial identification.

Even though the Company may not send any special notifications or alerts as regards due diligence measures, it is required to follow mandatory procedures to comply with AML/KYC regulations. Any requests of documents to identify the Customer or information regarding the activities of the Customer and source of funds may not be viewed as attempt to abuse customer data or misappropriate their funds.

5. Risk assessment

The Company applies the following risk categories:

• Low risk (normal, expected activity);
• Normal risk (the risk level is normal, there are no high-risk characteristics present);
• Greater than normal risk (the risk level requires application of enhanced due diligence measures, further requests and document submission).
• Prohibited (the institution will not tolerate any dealings of any kind given the risk)

For every Customer who does not fall into the “normal risk” category, the Compliance officer shall make assessment of the Customer’s profile and estimate applicable risk category. Only the Compliance Officer shall have the right to change the risk category recorded for a Customer. When establishing the risk category of a Customer being a natural person, the country of residence of the Customer, the region where the Customer operates, and status of PEP shall be taken into account. The existence of Customer’s good business reputation is presumed where circumstances calling into doubt are absent. Proof of good business reputation needs only be provided if the person wishes to provide additional proof of this.

Before offering a new financial service or product, new or non-traditional sales channels to customers, or the introduction of new or emerging technologies, management of the Company, assesses the risks of money laundering and terrorist financing involved, shall map the risks associated with each new product, service, technology or sales channel. In assessing risks, both actual and potential risks are assessed and, if necessary, additional information on risks and their hedging measures is collected.

Based on the FATF 2020 Report “Money Laundering and Terrorist Financing Red Flag Indicators Associated with Virtual Assets”, the Company takes into account the following red flags depending on transactions, users, source of funds (wealth) and geography:

• Structuring transactions in small amounts, or in amounts under record-keeping or reporting thresholds, similar to structuring cash transactions;
• Operating funds suspected as stolen or fraudulent (e.g darknet market);
• Conducting a large initial transaction right after establishing a Business Relationship with the Company;
• Transactions involving the use of multiple virtual currencies, or multiple accounts, with no logical business explanation;
• Incoming transactions from many unrelated wallets in relatively small amounts (accumulation of funds) with subsequent transfer to another wallet or full exchange for fiat currency;
• Conducting transactions with fiat currency at a potential loss (e.g. when the value of virtual currencies is fluctuating, or regardless of abnormally high commission fees as compared to industry standards, and especially when the transactions have no logical business explanation);
• Converting a large amount of fiat currency into virtual currencies, or a large amount of one type of virtual currencies into other types of virtual currencies, with no logical business explanation;
• Virtual currencies transferred to or from wallets that show previous patterns of activity associated with the use of virtual currencies service providers that operate mixing or tumbling services or P2P platforms;
• Transactions making use of mixing and tumbling services, suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces;
• A large number of seemingly unrelated virtual currencies wallets controlled from the same IP-address (or MAC-address), which may involve the use of shell wallets registered to different users to conceal their relation to each other;
• Creating separate accounts under different names to circumvent restrictions on trading or withdrawal limits;
• Transactions initiated from non-trusted IP addresses, IP addresses from sanctioned jurisdictions, or IP addresses previously flagged as suspicious;
• Trying to open an account frequently from the same IP address;
• Incomplete or insufficient KYC information, or a customer declines requests for KYC documents or inquiries regarding source of funds;
• Sender/recipient lacking knowledge or providing inaccurate information about the transaction, the source of funds, or the relationship with the counterparty;
• Customer has provided forged documents or has edited photographs and/or identification documents as part of the on-boarding process;
• A customer provides identification or account credentials (e.g. a non-standard IP address, or flash cookies) shared by another account;
• Discrepancies arise between IP addresses associated with the customer’s profile and the IP addresses from which transactions are being initiated.
• A customer is known via publicly available information to law enforcement due to previous criminal association.
• Customer sends funds to virtual currencies service providers operating in jurisdictions that have no regulation, or have not implemented AML/CFT controls.

After mapping the risks, management of the Company shall assess the likelihood of the realization of risks and the level of risk, with particular emphasis on risk-enhancing and mitigating circumstances. the Company assesses which of the most appropriate countermeasures to hedge the specific risks to the level of risk of the company and, if necessary, arranges the implementation of countermeasures, e.g.:

• application of enhanced due diligence measures;
• rejection to establish a Business Relationship;
• refund (in the same virtual currency and to the initial address);
• terrorist financing reporting requirements.

6. Data processing

The respective data is stored in a written format and/or in a format reproducible in writing and, if required, it shall be accessible by all appropriate staff of the Company (management, Representatives, Compliance officer, etc). Copies of the documents, which serve as the basis for identification of a person, and of the documents serving as the basis for establishing a Business Relationship, shall be stored for at least five (5) years following the termination of the Business Relationship. Personal data is processed pursuant to the GDPR requirements. The data of the document prescribed for the digital identification of a Customer, information on making an electronic query to the identity documents database, and the audio and video recording of the procedure of identifying the person and verifying the person’s identity shall be stored at least five (5) years following the termination of the Business Relationship. The following documents shall also be stored: (1) manner, time and place of submitting or updating of data and documents; (2) name and position of Representative who has established the identity, checked or updated the data.

7. Implementation of International Sanctions

The Company shall comply with regulations of the EU and the UN. The Company is also intended to comply also with partner countries sanction acts (sanctions administered by the UK Office of Financial Sanctions Implementation and sanctions administered by the US Office of Foreign Assets Control).

Representatives shall draw special attention to all its Customers (present and new), to the activities of the Customers and to the facts which refer to the possibility that the Customer is a subject to International Sanctions. Control and verification of possibly imposed International Sanctions shall be conducted by the Representatives as part of due diligence measures applied to the Customers in accordance with these Rules.

The Representatives who have doubts or who know that a Customer is subject to International Sanctions, shall immediately notify the Compliance Officer. The Compliance Officer shall be responsible for the implementation of International Sanctions. In case of doubt, if the Compliance Officer finds it appropriate, the Representative shall ask the Customer to provide additional information that may help to identify whether he/she is subject to International Sanctions or not.

If in the course of the check, it shall be detected that a Customer or a person who used to be a Customer is subject to International Sanctions, the Compliance Officer shall notify the Representatives who dealt with this Customer as well as management of the Company. The notification shall be submitted at least in the way that allows its reproduction in writing. The Customer who is subject to International Sanctions and about whom the notification is made, shall not be informed of the notification. When making checks of Customer, the possible distorting factors in personal information (i.e. way of written reproduction of name, etc.) must be kept in mind.

8. Training

The Company shall ensure that all Representatives who have contacts with Customers or matters involving Money Laundering are provided with regular training and information about the nature of the Money Laundering and Terrorist Financing risks, as well as any new trends within the field. The Compliance Officer shall arrange regular training concerning prevention of Money Laundering and Terrorist Financing to explain the respective requirements and obligations.

Initial training is provided at the start of Representatives employment. The Representatives who are communicating with the Customers directly may not start working before they have reviewed and committed to the adherence of this Policy or participated in the Money Laundering and Terrorist Financing prevention training.

Training is provided regularly, at least once a year, to all Representatives and other relevant designated staff of the Company. Training may be provided also using electronic means (conference calls, continuous email updates provided confirmation on receipt and acceptance is returned and similar means). Training materials and information shall be stored for at least 3 (three) years.

9. Internal audit and amendment of the Policy

Compliance with the Policy shall be inspected at least once a year by the Compliance Officer. If the inspection reveals any deficiencies in the Policy or their implementation, the report shall set out the measures to be applied to remedy the deficiencies, as well as the respective time schedule and the time of a follow-up inspection.

If a follow-up inspection is carried out, the results of the follow-up inspection shall be added to the inspection report, which shall state the list of measures to remedy any deficiencies discovered in the course of the follow-up inspection, and the time actually spent on remedying the same. The inspection report shall be presented to the management which shall decide on taking measures to remedy any deficiencies discovered.

10. List of prohibited countries

You confirm that you are not a national or resident of the following prohibited jurisdictions: Afghanistan, Algeria, Bahrain, Bangladesh, Bolivia, Cambodia, Central African Republic, Iran, Iraq, Jordan, Kuwait, Lebanon, Libya, Mali, Mauritania, Nepal, North Korea, Oman, Pakistan, Palestinian Territory, Somalia, Sri Lanka, Sudan, Syria, Yemen.