UAB “AB Exchange”

ANTI-MONEY LAUNDERING AND COUNTER TERRORIST FINANCING COMPLIANCE GUIDELINES

Date: 26.07.2022

TABLE OF CONTENTS:

1. Introduction
2. Definitions
3. Principles of Customer Due Diligence Measures Implementation
   1. Main Principles
   2. The Verification of Information used for the Customer’s Identification
   3. Application of Simplified Due Diligence Measures (level 1)
   4. Application of Standard Due Diligence Measures (level 2)
   5. Application of Enhanced Due Diligence Measures (level 3)
   6. Not Acceptable Customers
4. Enterprise-Wide Risk Assessment:
   1. The Risk-Based Approach
   2. Risk Tolerance
   3. High-Risk Countries
5. Customer Due Diligence Measures
   1. Identification of the Customer – natural person
   2. Identification of the Customer – legal entity
   3. The identification of the Customer’s representative and their right of representation
   4. The identification of the Customer’s Beneficial Owner
   5. Political Exposed Person’s identification
   6. Identification of the purpose and nature of the business relationship or a transaction
   7. Monitoring of the business relationship
6. Refusal to the Transaction or Business Relationship and their termination
7. Internal Control of Execution of the Guidelines 

1. INTRODUCTION

The purpose of these Guidelines for Anti-Money Laundering (“AML”), Combating Terrorist Financing (“CFT”) and Sanctions measures is to ensure that UAB AB Exchange (“Company”) has internal guidelines to prevent the use of its business for Money Laundering and Terrorist Financing and internal guidelines for implementation of international sanctions.

These Guidelines have been adopted to ensure that the Company complies with the rules and regulations set out in the Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing (“Law”) and other applicable legislation.

These Guidelines are subject to a review by the Management Board at least annually. Proposal for a review and the review of these Guidelines may be scheduled more frequently by the decision of the Company’s Money Laundering Reporting Officer (“MLRO”) or the Internal Control Officer.

2. DEFINITIONS

• “Applicant for Business Relationship” means a person seeking to form a Business Relationship, or carry out an Occasional Transaction, with the Company; 
• “Beneficial Owner” means a natural person who, taking advantage of their influence, makes a transaction, act, action, operation or step or exercises control in another manner over a transaction, act, action, operation or step or over another person and in whose interests or for whose benefit or on whose account a transaction or act, action, operation or step is made. In the case of a legal entity, a Beneficial Owner is a natural person whose direct or indirect holding, or the sum of all direct and indirect holdings in the legal entity, exceeds 25 percent, including holdings in the form of shares or other forms of the bearer shares.
• “Business Relationship” means a relationship that is established upon conclusion of a long-term contract by the Company in economic or professional activities for the purpose of provision of a service or distribution thereof in another manner or that is not based on a long-term contract, but whereby a certain duration could be reasonably expected at the time of the establishment of the contact and during which the Company repeatedly makes separate transactions in the course of economic or professional activities while providing a service.
• “Company” means the legal entity with the following data:
  • name: UAB AB Exchange;
  • registration country: Lithuania;
  • registration number: 305937695; 
  • address: Vilnius, Eišiškių Sodų 18-oji g. 11; 
  • email: [email protected]. 
• “Custodian Virtual Currency Wallet” means Virtual Currency Address(es) generated with the public key for storing and managing Virtual Currencies entrusted to the Company but remaining their property.
• “Customer” or “Client” – means a person (whether a natural person, legal person or legal arrangement) who is in a Business Relationship, or is carrying out an Occasional Transaction, with the Company. These two terms can be used interchangeably.
• “Employee” means the Company’s employee and any other person who is involved in the application of these Guidelines in the Company.
• “Monetary Operation” means any payment, transfer or receipt of money. 
• “Management Board” means the management board of the Company. If the Company has no management board – the manager of the Company shall be considered as the Management Board member and he or she shall be responsible for the Management Board duties in the context of the Guidelines.
• “Occasional Transaction” means the transaction performed by the Company in the course of economic or professional activities for the purpose of provision of a service or sale of goods or distribution thereof in another manner to the Customer outside the course of an established Business Relationship.
• “PEP” means a natural person who performs or has performed prominent public functions and with regard to whom related risks remain.
• “Third Country” means a state that is not a member state of the European Economic Area (“EEA”).
• “Trust or company service provider” means any natural or legal person that, by way of its business, provides any of the following services to third parties:
  • the formation of companies or other legal persons;
  • acting as, or arranging for another person to act as, the director of a company or holding another senior position, a partner of a partnership or, based on the competence, a similar position in relation to another legal person (natural person);
  • providing a registered office, business address, correspondence or administrative address or other related services for a company, a partnership or any other legal person;
  • acting as, or arranging for another person to act as, a trustee of an express trust or a similar legal arrangement;
  • acting as, or arranging for another person to act as, a nominee shareholder for another person other than a company listed on a regulated market that is subject to disclosure requirements in conformity with the European Union legislation or subject to equivalent international standards.
• “Virtual Currency” means a value represented in the digital form, which is digitally transferable, preservable or tradable and which natural persons or legal persons accept as a payment instrument, but that is not the legal tender of any country or funds for the purposes of Article 4(25) of Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, pp 35–127) or a payment transaction for the purposes of points (k) and (l) of Article 3 of the same Directive.
• “Virtual Currency Address” means address/account generated from letters, numbers and/or symbols in the blockchain, by which the blockchain allocates the Virtual Currency to the owner or recipient.

Other definitions are used within the meaning of the Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing.

3. PRINCIPLES OF CUSTOMER DUE DILIGENCE MEASURES IMPLEMENTATION

Customer due diligence (“CDD”) measures are required for verifying the identity of a new or existing Customer as a well-performing risk-based ongoing monitoring of the Business Relationship with the Customer. The CDD measures consist of 3 levels, including simplified and enhanced due diligence measures, as specified below.

3.1. Main Principles

The CDD measures are taken and performed to the extent necessary considering the Customer’s risk profile and other circumstances in the following cases:

• upon establishment of the Business Relationship and during the ongoing monitoring of the Business Relationship;
• upon executing or mediating of Occasional Transaction(s) outside the Business Relationship, where the value of the transaction(s) amounts to 1 000 euros or more (or an equal amount in other assets) within 24 hours;
• upon verification of information gathered while applying due diligence measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered earlier while updating the relevant data;
• upon suspicion of Money Laundering or Terrorist Financing, regardless of any derogations, exceptions or limits provided for in these Guidelines and applicable legislation.

The Company does not establish or maintain the Business Relationship and does not perform the transaction if:

• the Company is not able to take and perform any of the required CDD measures;
• the Company has any suspicions that the Company’s services or transactions will be used for Money Laundering or Terrorist Financing;
• the risk level of the Customer or of the transaction does not comply with the Company’s risk appetite.

In the case of receiving information in foreign languages within the framework of CDD implementation, the Company may request to demand translation of the documents to English or Lithuanian. The use of translations should be avoided in situations where the original documents are prepared in the aforementioned languages.

Achieving CDD is a process that starts with the implementation of CDD measures. When that process is complete, the Customer is assigned a documented individual risk level which shall form the basis for follow-up measures, and which is followed up and updated when necessary.

The Company has applied CDD measures adequately if the Company has the inner conviction that they have complied with the obligation to apply due diligence measures. The principle of reasonability is observed in the consideration of inner conviction. This means that the Company must, upon the application of CDD measures, acquire the knowledge, understanding and assertion that they have collected enough information about the Customer, the Customer’s activities, the purpose of the Business Relationship and of the transactions carried out within the scope of the Business Relationship, the origin of the funds, etc., so that they understand the Customer and the Customer’s (business) activities, thereby taking into account the Customer’s risk level, the risk associated with the Business Relationship and the nature of such relationship. Such a level of assertion must make it possible to identify complicated, high-value and unusual transactions and transaction patterns that have no reasonable or obvious economic or legitimate purpose or are uncharacteristic of the specific features of the business in question.

       3.2. The Verification of Information used for the Customer’s Identification

Verification of the information for the Customer’s identification means using data from a reliable and independent source to confirm that the data is true and correct, also confirming, if necessary, that the data directly related to the Customer is true and correct. This, inter alia, means that the purpose of verification of information is to obtain reassurance that the Customer, who wants to establish the Business Relationship is the person they claim to be.

The reliable and independent source (must exist cumulatively) is verification of the information obtained in the course of identification:

• which originates from two different sources;
• which has been issued by (identity documents) or received from a third party or a place that has no interest in or connections with the Customer or the Company, i.e. that is neutral (e.g. information obtained from the Internet is not such information, as it often originates from the Customer themselves or its reliability and independence cannot be verified);
• the reliability and independence of which can be determined without objective obstacles and reliability and independence are also understandable to a third party not involved in the Business Relationship; and
• the data included in which or obtained via which are up to date and relevant and the Company can obtain reassurance about this (and reassurance can in certain cases also be obtained on the basis of the two previous clauses).

3.3. Application of Simplified Due Diligence Measures (level 1)

Simplified due diligence (“SDD”) measures are applied where the Customer’s risk profile indicates a low risk level of ML/TF.

When applying SDD measures, the Company must only obtain the following data of the Customer who is a natural person:

• name(s) and surname(s);
• personal number; or

In the case of the Customer, which is a legal entity, the following data:

• business name or name;
• legal form;
• registration number, if such number has been issued;
• head office (address) and address of actual operation;
• the Customer´s representative name(s), surname(s) and personal number or date of birth; and 
• ensure that the first payment is carried out through an account with a credit institution, where the credit institution is registered in EEA or in a Third Country which imposes requirements equivalent to those laid down in the relevant law and is supervised by competent authorities for compliance with those requirements.

SDD measures may be carried out only where the ongoing monitoring of the Customer’s Business Relationship is performed in accordance with the Guidelines and there is a possibility to identify suspicious Monetary Operations and transactions.

SDD measures must not be carried out in the circumstances where enhanced due diligence measures (as described below) must be carried out.

Where, in the course of performing ongoing monitoring of the Customer’s Business Relationships, it is established that the risk of ML and/or TF is no longer low, the Company must apply the relevant level of CDD measures.

3.4. Application of Standard Due Diligence Measures (level 2)

Standard due diligence measures are applied to all Customers where CDD measures must be applied in accordance with the Guidelines. The following standard due diligence measures should be applied:

• identification of the Customer and verification of the submitted information based on information obtained from a reliable and independent source;
• identification and verification of a representative of the Customer and their right of representation;
• identification of the Beneficial Owner and, for the purpose of verifying their identity, taking measures to the extent that allows the Company to make certain that it knows who the Beneficial Owner is, and understands the ownership and control structure of the Customer;
• understanding of Business Relationship, transactions or operations and, where relevant, gathering information thereon;
• gathering information on whether the Customer is a PEP, their family member or a person known to be a close associate;
• monitoring of the Business Relationship.

The CDD measures specified above must be applied before establishing the Business Relationship or performing a transaction. The exact instruction for the application of standard due diligence measures is provided in the Guidelines.

3.5. Application of Enhanced Due Diligence Measures (level 3)

In addition to standard due diligence measures, the Company applies enhanced due diligence (“EDD”) measures in order to manage and mitigate an established risk of Money Laundering and Terrorist Financing in the case where the risk is established to be higher than usual.

The Company always applies EDD measures, when:

• the Customer’s risk profile indicates a high risk level of ML / TF;
• upon identification of the Customer or verification of submitted information, there are doubts as to the truthfulness of the submitted data, authenticity of the documents or identification of the Beneficial Owner;
• where cross-border correspondent relationships are commenced with the Customer, which is a financial institution of the Third Country;
• in the case of performance of transaction or Business Relationship with the PEP, the family member of the PEP or a person known to be the close associate of the PEP;
• where transaction or Business Relationship are carried out with natural persons residing or legal persons established in high-risk Third Countries as identified by the European Commission;
• the Customer is from such country or territory or their place of residence or seat or the seat of the payment service provider of the payee is in a country or territory that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the FATF.

Prior to applying EDD measures, the Company’s Employee ensures that the Business Relationship or transaction has a high risk and that a high-risk rate can be attributed to such Business Relationship or transaction. Above all, the Employee assesses prior to applying the EDD measures whether the features described above are present and applies them as independent grounds (that is, each of the factors identified allows the application of EDD measures with respect to the Customer).

When applying EDD measures where a cross-border correspondent relationship is commenced with the Customer, which is a financial institution of the Third Country, the Company must apply the following measures:

• gather sufficient information about the Customer to fully understand the nature of its business and to determine from publicly available information the reputation of the Customer and the quality of supervision;
• assess control mechanisms for AML of the Customer and the entity receiving funds;
• obtain approval from the Management Board member before establishing new correspondent relationships;
• document the respective responsibilities of the Customer;
• be satisfied that the Employee has carried out proper Customer due diligence (including verification of the Customer’s identity who has direct access to the Customer’s accounts and other verification activities of the Customer) and that he is able to provide the Company at its request with the relevant identification data of the Customer.

When applying EDD measures, where transactions or Business Relationships are carried out with the PEP, the family member of the PEP or a person known to be a close associate of the PEP, the Company must apply the following measures:

• obtain approval from the Management Board member before establishing Business Relationship with such Customer or continuing the Business Relationship with the Customer when he or she becomes a PEP;
• take adequate measures to establish the source of wealth and source of funds that are involved in the Business Relationship or transaction;
• perform ongoing monitoring of the Business Relationship with the Customer by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.

When applying EDD measures where transaction or Business Relationship are carried out with natural persons residing or legal persons established in high-risk Third Countries as identified by the European Commission, the Company must apply the following measures:

• obtaining additional information on the Customer and on their Beneficial Owner;
• obtaining additional information on the intended nature of the Business Relationship;
• obtaining information on the source of funds and source of wealth of the Customer and their Beneficial Owner;
• obtaining information on the reasons for the intended or performed transactions;
• obtaining the approval of the Management Board member for establishing Business Relationships with the Customer or continuing Business Relationships with them;
• perform ongoing monitoring of the Business Relationship with the Customer by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination;
• ensuring that the first payment is carried out through an account in the Customer’s name with a credit institution, where the credit institution is registered in EEA or in a Third Country which imposes requirements equivalent to those laid down in the applicable law and is supervised by competent authorities for compliance with those requirements.

When applying EDD measures where the Customer is from such country or territory or their place of residence or seat or the seat of the payment service provider of the payee is in a country or territory that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the FATF, the Company must apply the following measures:

• obtaining the approval of the Management Board member for establishing Business Relationships with the Customer or continuing Business Relationships with them;
• obtaining information on the source of funds and source of wealth of the Customer and their Beneficial Owner;
• perform ongoing monitoring of the Business Relationship with the Customer by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.

In any other cases when EDD measures must be applied, the amount of EDD measures and the scope shall be determined by the Employee, who is applying such measures. The following additional and relevant due diligence measures may be followed:

• verification of information additionally submitted upon identification of the Customer based on additional documents, data or information originating from a credible and independent source;
• gathering additional information on the purpose and nature of the Business Relationship or transaction and verifying the submitted information based on additional documents, data or information that originates from a reliable and independent source;
• gathering additional information and documents regarding the actual execution of transactions made in the Business Relationship in order to rule out the ostensibility of the transactions;
• gathering additional information and documents for the purpose of identifying the source and origin of the funds used in a transaction made in the Business Relationship in order to rule out the ostensibility of the transactions;
• the making of the first payment related to a transaction via an account that has been opened in the name of the Customer participating in the transaction in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force;
• the application of CDD measures regarding the Customer or their representative while being at the same place as the Customer or their representative;
• gathering additional information about the Customer and its Beneficial Owner, including identification of all owners of the Customer, incl. those whose shareholding is below 25%;
• gathering information on the origin of the funds and wealth of the Customer and its Beneficial Owner;
• improving the monitoring of the Business Relationship by increasing the number and frequency of the applied control measures and by choosing transaction indicators or transaction patterns that are additionally verified;
• obtaining the approval of the Management Board member for performing transactions or establishing business relationships with new and existing Customers.

The Employee shall notify about EDD measures applied within 2 working days after the start of applying the EDD measures by sending a relevant notification to the MLRO.

In the case of the application of EDD measures, the Company reassesses the Customer’s risk profile no later than every six months.

3.6. Not-Acceptable Customers

The following list predetermines the type of Customers who are not acceptable for establishing a Business Relationship or execution of an Occasional Transaction with the Company:

• Customers who fail or refuse to submit, the requested data and information for the verification of their identity, without adequate justification;
• Shell Banks;
• Customers from the jurisdictions which are being banned by internal policies from the company or international sanctions;
• Customers who were identified as the persons subject to International Sanction Act;
• Customers who were identified as the persons subject to the UN Sanctions; EU Sanctions; Sanctions administered by the Office of Financial Sanctions Implementation; Sanctions administered by the Office of Foreign Assets Control;
• the Company suspects money laundering or terrorist financing;
• any other that the Company considers risky to its business or suspicious in regards to Money Laundering and Terrorist Financing.

The Company will not accept as Сustomers, persons or entitled from Afghanistan, Angola, Algeria,  Bahamas, Bangladesh, Bolivia, Botswana, Burma (Myanmar), Burundi, Cambodia, Chad,  Guinea, Côte d’Ivoire, Crimea (Ukraine region), Cuba, Democratic People’s Republic of Korea, Egypt, Equatorial Guinea, Eritrea, Ghana, Guinea Bissau, Guyana, Iceland, Iran, Iraq, Haiti, Lao PDR, Lebanon, Libya, Mali, Mongolia, Morocco, Myanmar, Nepal, Nicaragua, North Macedonia, Pakistan, Panama, Qatar, Saudi Arabia, Somalia, South Sudan, Sudan, Syria, Trinidad and Tobago, Uganda, United States, Vanuatu, Venezuela, Yemen, Zimbabwe and other countries and jurisdictions, where these services cannot be provided by legislation countries.

The Company also does not accept any clients from disputed territories as they do not produce recognised official documents, these include: Donetsk People’s Republic (DPR)/Luhansk People’s Republic (LPR), Pridnestrovian Moldavian Republic, Nagorno-Karabakh Republic, Republic of Abkhazia, Republic of Somaliland, Republic of South Ossetia, Turkish Republic of Northern Cyprus, Republic of China (Taiwan), Passports issued by the Russian Federation in Crimea and passports issued to residents of Donetsk, Luhansk and other regions of Ukraine do not qualify for verification, Republic of Kosovo, Sahrawi Arab Democratic Republic, Republic of Artsakh.

Persons or entities from jurisdictions where a particular license or permit is required will not be accepted as Customers if the Company has not received such a permit or license.

4. ENTERPRISE-WIDE RISK ASSESSMENT

4.1. The Risk-Based Approach

The Company identifies the risks/threats related to its activities, as well as the risks/threats that may arise in the near future, that is foreseeable risks/threats, and assesses and analyses their significance and impact. The risks/threats are identified and assessed on a case-by-case basis as of the moment of the risk assessment and separately considering the situation where the Company should take the risks to the maximum extent permitted by the risk appetite. The Company identifies, assesses and analyses risks of money laundering or terrorist financing taking into account the following risk categories:

• risks relating to Customers;
• risks relating to countries, geographic areas or jurisdictions;
• risks relating to products, services or transactions, including risks relating to new and/or future products, services or transactions;
• risks relating to communication, mediation or products, services, transactions or delivery channels between the Company and Customers.

The Company shall identify risk factors for the risk categories specified above that increase or decrease the risk of money laundering and terrorist financing. 

4.2. Risk Tolerance

The following information establishes the Company’s risk appetite:

• the Company Management Board decided on the establishment of business relationships with Customers from non-EEA countries.
• the Company will provide only services, specified in the Guidelines;
• risks which correspond to the Company’s risk appetite (the risks assessed from low to high) and their assessment are specified in the Customers’ profiles (annex of these Guidelines);
• risks which Company intends to avoid (the risks assessed as prohibited) are specified in the Customers’ profiles (annex of these Guidelines).

4.3. High-Risk Countries

Certain countries are associated with crimes such as drug trafficking, fraud and corruption, and consequently pose a higher potential risk to the Company. Conducting a business relationship with an applicant/customer from such a country exposes the Company to reputational risk and legal risk. 

The Company should exercise additional caution and conduct EDD on individuals and/or entities based in high-risk countries. 

The Company exercises caution in respect of the acceptance of certified documentation from individuals/entities based in high-risk countries/territories and appropriate verification checks undertaken on such individuals/entities to ensure their legitimacy and reliability. 

While assessing the risk of a country, the Company considers: sanctions lists of the UN and UK, high risk and non-cooperative jurisdictions identified by the FATF, the FATF Recommendations as well as FATF-Style Regional Bodies (FSRBs) such as MONEYVAL, and also a study of the anti-corruption network Transparency International – Corruption Perceptions Index (CPI).

Websites which the Company uses include:

• FATF website at www.fatf-gafi.org; 
• the Financial Crimes Enforcement Network (FinCEN) at https://www.fincen.gov/; 
• the Office of Foreign Assets Control (OFAC) www.treas.gov/ofac; and 
• Transparency International, www.transparency.org.

5. CUSTOMER DUE DILIGENCE MEASURES

5.1. Identification of the Customer – natural person

The Company identifies the Customer who is a natural person and, where relevant, their representative and retains the following data on the Customer:

• name(s) and surname(s);
• personal number;
• citizenship;
• photograph;
• signature.

The following valid identity documents which contain the data specified above may be used as the basis for the identification of a natural person:

• an identity document of the Republic of Lithuania;
• an identity document of a foreign state;
• a residence permit in the Republic of Lithuania;
• a driving license issued in a state of the European Economic Area in accordance with the requirements laid down in Annex I to Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licenses (recast).

The Customer, who is a natural person, cannot use a representative in the course of the Business Relationship or Occasional Transaction with the Company.

5.2. Identification of the Customer – legal entity

The Company identifies the Customer which is a legal entity and its representative and retains the following data on the Customer:

• business name or name;
• legal form;
• registration number, if such number has been issued;
• name(s) and surname(s), personal number (in the case of a foreigner – date of birth or where available – personal number or any other unique sequence of symbols granted to that person, intended for personal identification) and citizenship of the director(s) or member(s) of the Management Board or member(s) of another equivalent body, and their authorities in representing the Customer;
• an extract of registration and its date of issuance;
• head office (address) and address of actual operation.

The following documents issued by a competent authority or body not earlier than six months before their use may be implied for identification of the Customer:

• registry card of the relevant register; or
• registration certificate of the relevant register; or
• a document equivalent with the aforementioned documents or relevant documents of the establishment of the Customer.

The Company verifies the correctness of the Customer’s data specified above, using information originating from a credible and independent source for that purpose. Where the Company has access to the relevant register of legal entities, the submission of the documents specified above does not need to be demanded from the Customer.

The identity of the legal entity and the right of the legal entity’s representation can be verified on the basis of a document specified above, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event.

5.3. The identification of the Customer’s representative and his right of representation

The representative of the Customer shall be identified as the Customer, who is a natural person in accordance with these Guidelines. The Company must also identify and verify the nature and scope of the right of representation of the Customer. The name, date of issue and name of issuer of the document that serves as a basis for the right of representation must be ascertained and retained, except in case, when the right of representation was verified using information originating from the relevant register.

The Company must observe the conditions of the right of representation granted to the legal entity’s representatives and provide services only within the scope of the right of representation.

The document confirming the authority has to be in line with the requirements of the Lithuanian Civil Code. The document confirming the authority issued abroad has to be legalized or bear an Apostille. In case the right of representation of the Customer (legal person) is evident from the registry extract, Articles of Association or equivalent documents evidencing the identity of the Customer (legal person), a separate document confirming the authority (e.g., a Power of Attorney) should not be required.

5.4. The identification of the Customer’s Beneficial Owner

The Company must identify the Beneficial Owner of the Customer and take measures to verify the identity of the Beneficial Owner to the extent that allows the Company to make sure that they know who the Beneficial Owner is. The Company collects the following data regarding the Customer’s Beneficial Owner(s):

• name(s) and surname(s);
• personal number;
• citizenship.

The Company shall request from the Customer information to the Customer’s Beneficial Owner (e. g. providing the Customer with an opportunity to specify their Beneficial Owner when collecting data about the Customer).

The Company does not establish a Business Relationship, if the Customer, who is a natural person has a Beneficial Owner who is not the same person as the Customer.

The Beneficial Owner of a legal entity is identified in stages, herewith the Company proceeds to each subsequent stage if the Beneficial Owner of the legal entity cannot be determined in the previous stage. At each stage it is necessary to establish the following:

• is it possible to identify, in respect of the Customer that is a legal entity or a person participating in the transaction, the natural person or persons who actually ultimately control the legal entity or exercise influence or control over it in any other manner, irrespective of the size of the shares, voting rights or ownership rights or its direct or indirect nature;
• whether the Customer that is a legal entity or the person participating in the transaction has a natural person or persons who own or control the legal entity via direct or indirect shareholding. Family connections and contractual connections must also be taken into account here;
• who is the member of senior management. Such person must be defined as the Beneficial Owner, since the result of execution of the previous two stages have not made it possible for the Company to identify the Beneficial Owner.

If the documents used for the legal entity´s identification or the other submitted documents do not indicate directly who the Beneficial Owner of the legal entity is, the relevant data (incl. data about being a member of a group and the ownership and management structure of the group) are registered on the basis of the statement of the representative of the legal entity or the document written by hand by the representative of the legal entity.

The Company shall apply reasonable measures to verify the accuracy of the information established on the basis of statements or a handwritten document (e.g., by making inquiries in the relevant registers), requiring the submission of the legal entity’s annual report or other relevant document. If the Company has doubts about the accuracy or completeness of the relevant information, the Company shall verify the information provided from publicly available sources and, if necessary, request additional information from the Customer.

Where the Company establishes the Business Relationship with the Customer whose information on Beneficial Owners must, in accordance with the legislation of EEA´s state, be submitted to the state or be registered there, the Company shall obtain a relevant registration certificate or registry extract upon identification of the Customer´s Beneficial Owner.

5.5. Political Exposed Person’s identification

The Company shall take measures to ascertain whether the Customer, the Beneficial Owner of the Customer or the representative of this Customer is a PEP, their family member or close associate or if the Customer has become such a person.

The Company shall request from the Customer information to identify if the Customer is a PEP, their family member or close associate (e.g., providing the Customer with an opportunity to specify the relevant information when collecting data about the Customer).

The Company shall verify the data received from the Customer by making inquiries in relevant databases or public databases or making inquiries or verifying data on the websites of the relevant supervisory authorities or institutions of the country in which the Customer has a place of residence or seat. PEP must be additionally verified using an international search engine (e.g., Google) and the local search engine of the Customer’s country of origin, if any, by entering the Customer’s name in both Latin and local alphabet with the Customer’s date of birth.

At least the following persons are deemed to be PEPs:

• the head of the state, the head of the government, a minister, a vice-minister or a deputy minister, a secretary of the state, a chancellor of the parliament, government or a ministry;
• a member of the parliament;
• a member of the Supreme Court, the Constitutional Court or any other supreme judicial authorities whose decisions are not subject to appeal;
• a mayor of the municipality, a head of the municipal administration; 
• a member of the management body of the supreme institution of state audit or control, or a chair, deputy chair or a member of the board of the central bank;
• ambassadors of foreign states, a chargé d’affaires ad interim, the head of the Lithuanian armed forces, commander of the armed forces and units, chief of defence staff or senior officer of foreign armed forces; 
• a member of the management or supervisory body of a public undertaking, a public limited company or a private limited company, whose shares or part of shares, carrying more than 1/2 of the total votes at the general meeting of shareholders of such companies, are owned by the state; 
• a member of the management or supervisory body of a municipal undertaking, a public limited company or a private limited company whose shares or part of shares, carrying more than 1/2 of the total votes at the general meeting of shareholders of such companies, are owned by the state, and which are considered as large enterprises in terms of the Law on Financial Statements of Entities of the Republic of Lithuania; 
• a director, a deputy director or a member of the management or supervisory body of an international intergovernmental organization; 
• a leader, a deputy leader or a member of the management body of a political party.

The Company shall identify close associates and family members of PEPs only if their connection with PEP is known to the public or if the Company has reason to believe that such a connection exists.

Where the Customer who is a PEP no longer performs important public functions placed upon them, the Company shall at least within 12 months take into account the risks that remain related to the Customer and apply relevant and risk sensitivity-based measures as long as it is certain that the risks characteristic of PEPs no longer exist in the case of the Customer.

5.6. Identification of the purpose and nature of the business relationship or a transaction

The Company shall understand the purpose and nature of establishing a Business Relationship or performing a transaction. Regarding the services provided, the Company may request from the Customer the following information for understanding the purpose and nature of the Business Relationship or transaction:

• whether the Customer will use the services of the Company for their own needs or will represent the interests of another person;
• contact information;
• information on the registered address and actual living address of the Customer;
• the estimated transactions turnover with the Company per calendar year;
• the estimated source of funds used in the Business Relationship or transaction;
• if the Business Relationship or transaction is related to the Customer´s performance of economic or professional activities and which activities they are;
• information on the source of funds related to the Business Relationship or transaction, if the number of transactions (incl. expected amount) exceeds the established limit.

The Company shall apply additional measures and collect additional information to identify the purpose and nature of the Business Relationship or an Occasional Transaction in cases where:

• there is a situation that refers to high turnover or is unusual and/or
• where the risk and/or risk profile associated with the Customer and the nature of the Business Relationship gives reason for the performance of additional actions in order to be able to appropriately monitor the Business Relationship later.

If the Customer is a legal entity, in addition to the aforementioned the Company shall identify the Customer´s area of activity, where the Company shall understand what the Customer deals with and intends to deal with in the course of the Business Relationship and how this corresponds to the purpose and nature of the Business Relationship in general and whether it is reasonable, understandable and plausible.

The area of activity must fit into the experience profile of the Customer’s representative (or key persons) and/or the Beneficial Owner. Thus, the Company has to identify where the representative’s and/or Beneficial Owner’s capacity, capability, skills and knowledge (experience in general) comes from in order to operate in this area of activity, with these business volumes and with these main business partners.

5.7. Monitoring of the business relationship

The Company shall monitor established Business Relationships where the following ongoing due diligence (“ODD”) measures are implemented:

• ensuring that the documents, data, or information collected in the course of the application of due diligence measures are updated regularly and in the case of trigger events, i.e., primarily the data concerning the Customer, their representative (incl. the right of representation) and Beneficial Owner as well as the purpose and nature of the Business Relationship;
• ongoing monitoring of the Business Relationship, which covers transactions carried out in the business relationship to ensure that the transactions correspond to the Company’s knowledge of the Customer, their activities and risk profile; 
• identification of the source and origin of funds used in the transaction(s).

The Company shall regularly check and update the documents, data and information collected within the course of the implementation of CDD measures and update the Customer’s risk profile. The regularity of the checks and update must be based on the risk profile of the Customer and the checks must take place at least:

• once semi-annually for the high-risk profile Customer;
• once annually for the medium-risk profile Customer;
• once every two years for the low-risk profile Customer.

The collected documents, data and information must also be checked if an event has occurred which indicates the need to update the collected documents, data and information.

In the course of the ongoing monitoring of the Business Relationship, the Company shall monitor the transactions performed during the Business Relationship in such a manner that it can determine whether the transactions to be performed correspond to the information previously known about the Customer (i.e., what the Customer declared upon the establishment of the Business Relationship or what has become known in the course of the Business Relationship).

The Company shall also monitor the Business Relationship to ascertain the Customer’s activities or facts that indicate criminal activities, Money Laundering or Terrorist Financing or the relation of which to Money Laundering or Terrorist Financing is probable, incl. complicated, high-value and unusual transactions and transaction patterns that do not have any reasonable or obvious economic or legitimate purpose or that are uncharacteristic of the specific features of the business in question. In the course of the Business Relationship, the Company shall constantly assess the changes in the Customer’s activities and assess whether these changes may increase the risk level associated with the Customer and the Business Relationship, giving rise to the need to apply EDD measures.

In the course of the ongoing monitoring of the Business Relationship, the Company applies the following measures: 

• screening i.e., monitoring transactions in real-time;
• monitoring i.e., analyzing transactions later.

The objective of screening is to identify: 

• suspicious and unusual transactions and transaction patterns;
• transactions exceeding the provided thresholds;
• politically exposed persons and circumstances regarding Sanctions.

The screening of the transactions is performed automatically and includes the following measures:

• establishing thresholds for the Customer´s transactions, depending on the Customer’s risk profile and the estimated transactions turnover declared by the Customer;
• the scoring of Virtual Currency wallets where the Virtual Currency shall be sent in accordance with the Customer’s order;
• the scoring of Virtual Currency wallets from which the Virtual Currency is received.

If the Customer gives an order for a transaction which exceeds the threshold established or for a transaction to the Virtual Currency wallet with high-risk score (e.g., wallets related to fraud, crime, etc.), the transaction shall be manually approved by the Employee, who shall assess, before the approval, the necessity to apply any additional CDD measures (e.g., applying EDD measures, asking source and origin of funds or asking additional information regarding the transaction).

When monitoring transactions, the Employee shall assess transactions to detect activities and transactions that:

• deviate from what there is reason to expect based on the CDD measures performed, the services provided, the information provided by the Customer and other circumstances (e.g., exceeding estimated transactions turnover, Virtual Currency sending each time to new Virtual Currency wallet, volume of transactions exceeding the limit);
• without deviating according to the previous clause, may be assumed to be part of a Money Laundering or Terrorist Financing;
• may affect the Customer’s risk profile score.

In the case, where the aforementioned fact is detected, the Employee shall notify MLRO and postpone any transaction of the Customer until MLRO´s decision regarding this.

In addition to the aforementioned, the MLRO shall review the Company´s transactions regularly (at least once per week) to ensure that:

• the Company’s Employees properly performed the aforementioned obligations;
• there are no transactions and transaction patterns that are complicated, high-value and unusual and that have no reasonable or obvious economic or legitimate purpose or are uncharacteristic of the specific features.

The Company identifies the source and origin of the funds used in the transaction(s) if necessary. The need to identify the source and origin of funds depends on the Customer’s previous activities as well as other known information. Thereby the identification of the source and origin of the funds used in the transaction shall be performed in the following cases:

• the transactions exceed the limits established by the Company;
• the transactions do not correspond to the information previously known about the Customer;
• the Company wants to or should reasonably consider it necessary to assess whether the transactions correspond to the information previously known about the Customer;
• the Company suspects that the transactions indicate criminal activities, Money Laundering or Terrorist Financing or that the relation of transactions to Money Laundering or Terrorist Financing is probable, incl. complicated, high-value and unusual transactions and transaction patterns that do not have any reasonable or obvious economic or legitimate purpose or are uncharacteristic of the specific features of the business in question.

5. REFUSAL TO THE TRANSACTION OR BUSINESS RELATIONSHIP AND THEIR TERMINATION

The Company is prohibited to establish a Business Relationship and the established Business Relationship or transaction shall be terminated (unless it is objectively impossible to do) in the case when:

• the Company suspects Money Laundering or Terrorist Financing;
• it is impossible for the Company to apply the CDD measures because the Customer does not submit the relevant data or refuses to submit them or the submitted data gives no grounds for reassurance that the collected data are adequate;
• the Customer whose capital consists of bearer shares or other bearer securities wants to establish the Business Relationship;
• the Customer who is a natural person behind whom is another, actually benefiting person, wants to establish the Business Relationship (a suspicion that the fictitious person is used);
• the Customer’s risk profile has become inappropriate with the Company’s risk appetite (i.e., the Customer’s risk profile level is “prohibited”).

In the event of a termination of the Business Relationship in accordance with this chapter, the Company shall transfer the Customer’s assets within a reasonable time, but preferably not later than within one month after the termination to an account opened in a credit institution which is registered or whose place of business is in a contracting state of the European Economic Area or in a country where requirements equal to those established in the relevant directives of the European Parliament and of the Council are applied. In exceptional cases, assets may be transferred to an account other than the Customer’s account or issued in cash. Regardless of the funds’ recipient, the minimum information specified in English in the payment details during the transfer of the Customer’s assets is that the transfer is related to the early termination of the relationship with the Customer.

7. INTERNAL CONTROL OF EXECUTION OF THE GUIDELINES

The performance of the Guidelines shall be internally controlled by the Management Board member, or the Employee appointed by the Management Board for performing relevant functions (hereinafter in this chapter – Internal Control Officer). The Internal Control Officer must have the required competency, tools, and access to the relevant information in all structural units of the Company.

The Internal Control Officer shall perform internal control functions at least in the following fields:

• the Company’s compliance with established risk assessment policy and risk appetite;
• CDD measures implementation;
• implementation of Sanctions;
• the Company’s obligation to refuse the transaction or to establish the Business Relationship and their termination;
• the Company’s reporting obligation to the FCIS;
• the Company’s training obligation regarding the AML/CFT requirements;
• the Company’s obligation for collection and preservation of data.

The exact measures for performing internal control shall be determined by the Internal Control Officer and must correspond to the Company’s size and the nature, scope and level of complexity of the activities and services provided. The Internal Control Offices must consider at least the examination fields specified above. The internal control measures shall be performed at the time determined by the Internal Control Officer with the frequency set by him or her, at least once per month, if the nature of the measure does not expressly provide otherwise.

The results of internal control measures implementation (hereinafter in this chapter – the Internal Control Data) shall be saved separately from other data and retained within 5 years. Only Management Board members and Internal Control Officer may have access to the Internal Control Data. Internal Control Officer may provide access to the Internal Control Data to other Employees or third parties (e.g., advisors, auditors, etc.) only with the prior consent of the Management Board. The persons who have access to the Internal Control Data must not disclose it to anyone without the prior consent of the Management Board.

The Internal Control Data shall be saved in chronological order with the format, which allows to analyze this and understandably connect this to other relevant data.

The Internal Control Officer shall provide the internal control report to the Management Board at least quarterly and to the general meeting of the Company’s shareholders at least annually. The provided internal control report shall include at least the following:

• period of exercising internal control;
• name and position of the person executing the internal control;
• description of the internal control measures that have been performed;
• results of the internal control;
• general conclusions from the exercised internal control;
• determined deficiencies, which were eliminated in the period of exercising the internal control;
• determined deficiencies, which were not eliminated at the end of the period of exercising the internal control;
• measures that are required to implement for the elimination of determined deficiencies.

The Management Board shall review the internal control report provided and make a resolution regarding it. The Internal Control Officer shall be notified about the essence of such resolution in a format which can be reproduced in writing. For this reason, the Management Board is obliged to:

• analyze the results of performed internal control;
• implement actions to eliminate deficiencies.

The Company must review and, if necessary, update internal control procedure at least annually and in the following cases:

• following the publication by the European Commission of the results of an EU-wide money laundering and terrorist financing risk assessment (available on the European Commission’s website http://ec.europa.eu);
• after the publication of the results of the National Money Laundering and Terrorist Financing Risk Assessment (published in the section “National Money Laundering and Terrorist Financing Risk Assessment” of the section “Prevention of Money Laundering” of the website www.fntt.lt);
• upon receipt of an instruction from the FCIS to strengthen the applicable internal control procedures;
• in the event of significant events or changes in the management and operations of the depository Virtual Currency money operator and the Virtual Currency exchange operator.

In case of any doubts or concerns, please contact us at: [email protected]