1. General Framework
We have no tolerance for money laundering, the financing of terrorism or any other form of illicit activity, and are committed to implementing appropriate policies, procedures and controls to prevent those activities. Our policies are shaped by industry best practices, a risk-based approach and the effective anti-money laundering standards applied in the European Union and worldwide. These policies apply, without exception, to all employees of the Company, its Board Members and Directors, as well as to its subsidiaries.
The purpose of this text is to provide to the Company’s Clients, Providers, Partners, Vendors, Contractors, Employees, Law enforcement and other concerned stakeholders a high-level and summarized overview of the Company’s main AML/CTF policies and procedures. By no means is this content to be considered as the whole set of all policies, procedures and controls that are implemented and in place by the Company for prevention of money laundering, financing of terrorism and other forms of illicit activity.
This document and all underlying policies, processes and procedures are prepared in line with provisions, requirements and recommendations of:
- Money Laundering and Terrorist Financing Prevention Act, as amended from time to time;
- FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Assets Service Providers.
The Company operates from, and under the laws of Estonia. This was among the first countries in the world who introduced Anti-money laundering (“AML“) and countering the financing of terrorism (“CTF“) requirements for businesses engaged in exchange of virtual currency for fiat currency and virtual currency custody in 2017. As a result, each entity rendering named services from or within the territory must apply for authorization to its Financial Intelligence Unit (“FIU“).
The Company is authorized to provide services of exchanging virtual currency against fiat currency and virtual currency wallet service (under license number FVT000333). The license can be validated on the official website of the Ministry of Economic Affairs and Communications.
As a regulated business, the company is required to comply with the Money Laundering and Terrorist Financing Prevention Act and International Sanctions Act, which require the company to identify and verify its clients’ identities appropriately, conduct ongoing monitoring of their activity (including transaction monitoring), maintain records of clients’ activity and related documents for at least six years and report suspicious transactions to authorities.
The Company understands Money Laundering as:
- The conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s action;
- The concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity;
- the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity;
- Participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in points above.
The company understands Terrorist financing as:
- Provides funds for terrorist activity, meaning as the provision or collection of funds, by any means, directly or indirectly, with the intention that they be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the offences within the meaning of the law.. This activity is done by intentionally killing, seriously harming or endangering a person, causing substantial property damage that is likely to seriously harm people or by seriously interfering with or disrupting essential services, facilities or systems.
2. Risk-Based Approach
The company takes a risk-based approach (“RBA”) towards assessing and containing the money laundering and terrorist financing risks arising from any transactions it has with clients and uses all available data when reviewing client activity.
The company performs a risk-based due diligence and collects necessary information and documentation on each prospective client in order to assess the risk profile. Before entering into a client relationship, necessary checks are conducted in line with the RBA so as to ensure that the identity of the clients does not match with an entity with a known criminal background or with banned entities, such as terrorist organizations. Enhanced due diligence is required for clients who are deemed to be of high risk, especially those for whom the business activity (sources of funds) are not clear, or for transactions of higher value and frequency, which can be determined by the company at its sole and absolute discretion.
The Company’s employees exercise care, due diligence and good judgement in determining the overall profile and business nature of its clients. The company conducts its business in accordance with the highest ethical standards and may decide not to enter into a client relationship that can adversely affect the company’s reputation.
For the purpose of identification, assessment and analysis of risks related to its activities, the company has established a risk assessment, taking account of the following factors:
- Client risk;
- Geographical risk;
- Product risk;
- Delivery channel risk.
After the risk assessed and attributed to a particular client. Depending on the assigned degree of risk, it will be revised periodically upon knowledge of the client and its activities.
3. Client Due Diligence
We require all business clients to undergo proper due diligence or Know Your Business (KYB) checks before using our services. This includes, without limitation:
- A high-resolution, clearly readable, non-expired, detailed and verifiable copy of the company incorporation document. This must include details on the ownership of the company, its address, tax number, website, purpose and activities;
- A description of the sector and business activities and corresponding online website. The website must be registered under the same entity name as the certificate of incorporation provided;
- Details of the bank account of the Client.
Additionally, for any clients deem to be of high risk, the Identity Verification may include:
- A high-resolution, clearly readable, non-expired copy of the business beneficial owners’ government-issued ID or IDs (passport, national identity card and/or a driver’s license);
- A high-resolution, clearly readable, non-expired proof of address document not older than 3 months old. The document must carry the Client’s business name and address (recent utility bill or bank statement);
- A video conference with the account holder/business contact person and/or company Director(s), if deemed necessary.
Further documentation may be required for businesses operating in certain regulated, restricted or high-risk sectors of activity.
Care must be taken that all documents provided are true copies of the original. Providing false, forged, modified or documents meant to deceive will be considered fraud and treated as such. All assets derived from fraudulent transactions and/or suspicious activity may be seized and forfeited. Such activity may also be reported to the relevant authorities.
The company may use recognized and specialized electronic providers for the technical acquisition of the identity data. The company may also decide to use the following non-documentary methods of verifying identity:
- Independently verifying the Client’s identity through the comparison of information provided by the Client with information obtained from a consumer reporting agency, public database or other source;
- Checking references with other institutions;
- Analyzing whether there is logical consistency between the identifying information provided, such as the Client’s name, street address, postal code, and date of birth;
- Utilizing complex device identification (such as “digital fingerprints” or IP geolocation checks); and
- Obtaining a notarized or certified true copy of an owner, manager, shareholder or UBO’s government-issued ID for valid identification.
When there shall be any suspicion of illicit activity including money laundering or terrorism financing activities, or where there shall be any doubt about the adequacy or veracity of previously obtained Clients’ identification data, further due diligence measures shall be undertaken, including verifying the identity of the Client again and obtaining information regarding the purpose and intended nature of the relationship with the company.
4. Compliance Officer
The management board of the company appointed a Compliance Officer, who acts as a contact person of the FIU and performs the AML/CTF duties and obligations of the Company. A Compliance Officer reports directly to the management board and has the competence, means and access to relevant information across all the structural units of the Company.
Only a person who has the education, professional suitability, the abilities, personal qualities, experience and impeccable reputation required for performance of the duties listed below may be appointed as a Compliance Officer. The appointment of a Compliance Officer is coordinated with the FIU.
The duties of a Compliance Officer include, among others:
- Organisation of the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the Company;
- Reporting to the FIU in the event of suspicion of money laundering or terrorist financing;
- Periodic submission of written statements on compliance with the requirements arising from the Act to the management board of the Company;
- Performance of other duties and obligations related to compliance with the requirements of the Company;
- Updating internal policy document, business and client risk assessment regularly.
5. Rules of Procedure & Internal Controls
The Company has developed and implemented rules of procedure that allow for effective mitigation and management of risks relating to money laundering and terrorist financing, which are identified in the risk assessment performed in accordance with the Company’s risk-based approach. Each employee of the Company must strictly adhere to rules of procedure set forth herein.
The rules of procedure consist of the following:
- a procedure for the application of due diligence measures regarding a client, including a procedure for the application of simplified and enhanced due diligence measures;
- a model for identification and management of risks relating to a client and its activities and the determination of the client’s risk profile;
- the methodology and instructions where the Company has a suspicion of money laundering and terrorist financing or an unusual transaction or circumstance is involved as well as for instructions for performing the reporting obligation;
- the procedure for data retention and making data available;
- instructions for effectively identifying whether a person is a politically exposed person or a local politically exposed person subject to international sanctions.
The Company applies at least the following due diligence measures:
- Requests identification of the company based on documentation submitted by the Client;
- Requests identification of the company’s sector of activity, place of incorporation and public profile (where applicable);
- Verifies the company-related information and documentation submitted by the Client;
- Requests identification of the beneficial owner(s) at the proper tier level, for the purpose of verifying their identity, taking measures to the extent that allows the Company to make certain that it knows who the beneficial owner is, and understands the ownership and control structure of the client;
- Performing additional due diligence for the Client and its transactions, as necessary per established risk assessment policies and procedures;
- Maintains ongoing monitoring of the business relationship and transactions.
6. Simplified Due Diligence
The Company may apply simplified due diligence (“SDD“) measures where a risk assessment prepared on the basis of these rules of procedure identifies that, in the case of the jurisdiction, economic sector of activity or amounts transacted the risk of money laundering or terrorist financing is lower than usual.
Before the application of SDD measures to a client, an employee of the Company establishes that the business relationship, transaction or act is of a lower risk and the Company attributes to the transaction, act or client a lower degree of risk.
The application of SDD measures is permitted to the extent that the Company ensures sufficient monitoring of transactions, acts and business relationships, so that it would be possible to identify unusual transactions and allow for notifying of suspicious transactions in accordance with these rules of procedure.
7. Enhanced Due Diligence
The Company applies enhanced due diligence (“EDD“) measures in order to adequately manage and mitigate a higher-than-usual risk of money laundering and terrorist financing.
EDD measures are applied always when:
Prior to client onboarding:
- Upon analysis of submitted client information and documents, there are reasonable doubts as to the truthfulness of the submitted data, authenticity of the documents or the true purpose of its business activities;
- The client is engaged in a sector or activity classified as high risk;
- The client is incorporated in a jurisdiction classified as high risk (eg: in jurisdictions that have not established effective AML/CTF systems that are in accordance with the recommendations of the Financial Action Task Force).
After client onboarding:
- When the client processed transactional volume exceed the assigned risk threshold for the client;
- If unusual or suspicious patterns of activity are detected;
- If a transaction request is not consistent with a client’s stated business activity.
The Company also applies EDD measures whereas the assessment of risk is assessed as higher, in accordance to its internal policies and procedures.
8. Sector and Jurisdiction Restrictions
We do not serve Clients from certain jurisdictions that are deemed too high-risk and/or unwelcoming from a legal or regulatory perspective.
While it’s beyond our scope to set policies for the client’s own business dealings, we reserve the right to not serve Clients who themselves have business activities, clients or otherwise accept purchases originating from certain jurisdictions.
It goes without saying that we can’t provide services to any client that isn’t legally established, or is offering illegal goods or services in their operating jurisdiction(s). Besides this base consideration we also cannot serve Clients who operate in certain restricted sectors.
We update and review those lists periodically, taking into account a range of international policies and recommendations.
Clients incorporated in non-serviced jurisdictions and from restricted sectors cannot access or be onboarded to use our services. Attempts to circumvent this policy, by providing false, forged or modified documents meant to deceive or mislead will be considered fraud and treated as such with law enforcement.
9. Politically Exposed Persons
Politically Exposed Persons (“PEP“) (as well as their families and persons known to be close associates, as described below) are required to be subject to enhanced scrutiny by reporting entities. This is because international standards issued by the Financial Action Task Force recognize that a PEP may be in a position to abuse their public office for private gain and a PEP may use the financial system to launder the proceeds of this abuse of office.
PEP means a natural person who is or who has been entrusted with prominent public functions including:
- head of State;
- head of government;
- minister and deputy or assistant minister;
- a member of parliament or of a similar legislative body;
- a member of a governing body of a political party;
- a member of a supreme court;
- a member of a court of auditors or of the board of a central bank;
- an ambassador, a chargé d’affaires and a high-ranking officer in the armed forces;
- a member of an administrative, management or supervisory body of a State-owned enterprise;
- a director, deputy director and member of the board or equivalent function of an international organisation.
PEPs do not include middle-ranking or more junior officials.
Family member of a PEP means the spouse, or a person considered to be equivalent to a spouse, of a PEP or local PEP; a child and their spouse, or a person considered to be equivalent to a spouse, of a PEP or local PEP; a parent of a PEP or local PEP.
A person known to be a close associate of a PEP means a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a PEP or a local PEP; and a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a PEP or local PEP.
While the company does not accept natural persons as clients, the PEP definition and classification still applies to the beneficial owners of the business and may constitute an additional factor of risk.
Dealing with persons against which imposed international sanctions poses a great risk to the Company, its directors, officers and owners. The Company may employ automated screening software to identify and block known virtual asset addresses associated with sanctions and numerous illegal and high-risk activity. Per its established policy, the company does not do business with companies under sanctions. Sanction lists considered include, among others:
- EU Sanctions;
- UN Sanctions;
- Sanctions administered by the Office of Foreign Assets Control (“OFAC-US”).
All verified matches are automatically blocked and the matter escalated to a Compliance Officer for further analysis and appropriate actions.
11. Suspicious Activity Monitoring and Reporting
An investigation into suspicious activity will try to establish the true motivation behind the activity in question. This may result in confirmation of the suspicious activity or removal of reasonable doubt. If suspicious activity is confirmed, the issue will be escalated accordingly both internally and externally. When such suspicious activity is detected, the Compliance Officer will determine whether a filing with any law enforcement authority is necessary.
Where the Company identifies an activity or facts whose characteristics refer to the use of criminal proceeds or terrorist financing or other criminal offences or an attempt thereof or with regard to which the Company suspects or knows that it constitutes money laundering or terrorist financing or the commission of another criminal offence, a Compliance Officer of the Company must report it to the FIU diligently.
When such suspicious activity is detected, the Compliance Officer will determine whether a filing with any law enforcement authority is necessary. The Company and all its employees, officers and directors are prohibited to inform a person, its beneficial owner, representative or third party about a report submitted on them to the FIU, an intention to submit such a report as well as about the commencement of criminal proceedings.
12. Termination of Services
The company reserves the right to deny or terminate servicing a client or account at any time in line with the terms stipulated in the User Agreement if suspicion arises that a Client is involved with or connected with money laundering, criminal activity, terrorist financing or any other predicate offense to money laundering or terrorist financing.
13. Data Retention
The company is obligated to retain all documents and information which served for identification and verification of the client, for a period of no less than 8 (eight) years after termination of the business relationship.
The Company implements necessary rules for the protection of personal data upon application of the requirements arising from its obligations hereunder.
The Company is allowed to process personal data gathered upon implementation of these rules only for the purpose of preventing money laundering and terrorist financing and the data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.
The Compliance Officer shall ensure that Company’s employees are fully aware of their legal obligations under the AML/CTF regime, by introducing a complete employees’ education and training program.
The timing and content of the training provided is determined according to the needs of the Company. The frequency of the training can vary depending on the amendments of legal and/or regulatory requirements, employees’ duties as well as any other changes in the business model. The training program aims at educating the Company’s employees on the latest developments in the prevention of money laundering and terrorist financing, including the practical methods and trends used for this purpose.
15. Cooperation and Information Requests
The Company is required to cooperate with supervisory and law enforcement authorities in preventing money laundering and terrorist financing, thereby communicating information available to the Company and replying to queries within a reasonable time, following the duties, obligations and restrictions arising from legislation. As part of its duties, as per applicable law and company policy, we are required to assist enforcement agencies’ requests. We comply with Law Enforcement requests for information where it pertains to specific preservation orders and fund freezing.
We will not and do not voluntarily disclose non-public information to a requesting party. In accordance with European Union privacy laws, the company will only disclose non-public user information if it has received consent of the user and in response to a legitimate and an enforceable subpoena, court order or search warrant from a body that has jurisdiction to compel the company to disclose that information. Please note that in case you represent the law enforcement agency outside of the European Union, procedure under the Mutual Legal Assistance Treaty (“MLAT”) may apply.
We take data protection and security seriously, and encourage you to consult our Terms of Service for more information.
General Guidelines for Requests:
- When law enforcement agencies request non-public information (such as a client personal or financial information), we will not share this information unless an enforceable court order, subpoena or search warrant has been issued, received and validated as legitimate;
- We will notify affected clients if we believe we are legally required to provide their personal or financial information to a law enforcement agency, unless we are prohibited by law from doing so;
- When law enforcement agencies request information about a client, we cannot and will not provide information about such client’s clients who are not our clients or platform users. We consider this information to be in the possession, control and custody of the client, who is the controller and processor of such information. If law enforcement agencies request this information, such requests for information should be directed to the relevant client and not us;
- Only information specifically requested and clearly outlined in an enforceable court order, subpoena or search warrant will be disclosed.
This policy does not constitute legal advice or a promise or guarantee that we will respond to any requests for information in a specific way, timeframe or at all. All legal requests for information are evaluated on a case-by-case basis. We reserve the right to change this policy or these guidelines in our sole discretion at any time.
When requesting the confirmation of the existence of data on our platform the law enforcement agency must be very specific about what information it is looking to obtain as we may not be able to respond to vague, ambiguous or blanket requests. Certain identifiers may be helpful in determining whether we currently retain the requested information.
Submitting a Request:
All legal requests must be submitted by email to the official compliance email, originating from an email address domain of a recognized government or enforcement authority.
To aid the expeditious review of information requests received, law enforcement officers must include at least the following information in their request:
- Name of the law enforcement authority;
- Proof that the officer is authorized to request the information (proof of authority) and current position within the law enforcement organization;
- Proof of identification of the requesting officer within the law enforcement organization (e.g. photo or other official ID which includes badge number, internal ID number);
- Email address from a government domain;
- Contact information (email address, phone number) from the governmental organization;
- The name of the legal entity that the request is addressed to;
- Details of the request, including:
- The subpoena / court order identification number in the subject line;
- Instructions on how we should authenticate the subpoena as valid (eg: call-back procedure);
- Any public address or transaction IDs in either plain, excel or comma-separated file formats (images or PDFs are not accepted);
- A reasonable deadline for the request;
- An official and enforceable court order, subpoena or search warrant;
- The reason for the requested information (eg:. possible crimes in question);
- MLAT request for cross-border law enforcement (if applicable).
Please do note that failure to include all the mandatory information stated above may result in delayed response times and/or no response.