1. Introduction

AlphaPays (hereinafter referred to as ‘the Company’) [1] carries out a business activity related to virtual assets, having permission to such activity in the Czech Republic.

The Company operates in accordance with Law 253/2008 on certain measures against the laundering of proceeds of crime and the financing of terrorism (‘AML act), by which it identifies and screens clients with whom it enters into business relationships, monitors the nature, volume and other parameters of the business they conduct and thereby effectively seeks to prevent the laundering of proceeds from crime and the financing of terrorism (‘money laundering’) through a publisher small-scale electronic money.

The company provides several services to its Clients. The crypto exchange and crypto wallet service allows money to be sent and received worldwide in more than 20 currencies, a money transfer or e-money service within the EU and globally.

The main tool used by the Company to prevent money laundering is transactions monitoring and monitor the frequency and extent of deviations from normal transactions as well as the evolving Client Entry and Conduct System. This document is also created for the purposes of a risk control system to ensure full due diligence, identification, mitigation and risk management of money laundering. In the framework of the supervision, monitoring and evaluation of measures on anti-money laundering regulatory requirements (hereinafter referred to as AML/CFT), the Company shall comply with the applicable legislation of the Czech Republic, the European Union/EEC and shall also comply with the assessments, decisions and recommendations of international bodies such as the European Banking Association (EBA), the Financial Action Task Force (FATF) , the Moneyval Commission of the European Council and others.

Measures of Company have the following objectives:

• identifying and evaluating any ML/FT risks the Company may encounter;
• reporting mandatory information, identified restrictions and corrective actions taken by Company management;
• setting up processes for due diligence of clients as well as Company employees;
• regular training for staff who may encounter suspicious trades in the course of their work;
• appointment of the person responsible for compliance with AML regulations (MRL);
• the establishment of a system of internal policies, customer due diligence procedures and processes based on the accepted risk assessment and in accordance with the relevant legislation;
• identifying suspicious trades and taking appropriate steps to detect, investigate internally and notify early;
• provision and updating of appropriate control and monitoring systems for the early detection, investigation and notification of suspicious activities.

2. Terms

For the purposes of this document, the Terms below have the following meaning:

AML act	Act No 253/2008 Coll., on certain measures against the legalisation of proceeds from crime and the financing of terrorism, as amended
AML order	Order No 67/2018 Coll., on certain requirements for a system of internal principles, procedures and control measures against money laundering and terrorist financing, as amended
AML/CFT prevention	Measures to prevent money laundering and terrorist financing (Anti-Money Laundering / Countering the Financing of Terrorism)
KYC	Know Your Customer, or identifying Client and verifying Client information for the duration of the business relationship
CDD	Client Due Diligence, or customer due diligence, which builds on KYC and works with elements of verification of acquired client information
EDD	Enhanced Due Diligence that builds upon CDD
RBA	Risk Based Approach, risk management process based on their prior evaluation
FATF	The Financial Action Task Force, or Financial Action Committee, is an NGO dedicated to developing and promoting policy principles to protect the global financial system against money laundering, terrorist financing and proliferation of weapons of mass destruction
GDPR	General Data Protection Regulation, or General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC
MLRO	Contact person for communication with the FAO, responsible for maintaining compliance processes (position Head of Compliance and Risk Department)
ML/FT	Legalisation of illicit funds / terrorist financing (Money Laundering / Financing of Terrorism)
SAR	Suspicious activity report, addressed to MLRO for possible STR submission
EEA	European Economic Area
EU	European Union
FAO	Financial Analytical Office
STR	Suspicious Transaction Report
PEP	Politically Exposed Person
UBO	Ultimate Beneficial Owner
SIP	Special Interest Person, or a natural person with a potential risk of criminal activity for which a person has been detained, charged, indicted or convicted
SIE	Special Interest Entity, or a legal person with a potential risk of criminal activity for which a person has been detained, charged, indicted or convicted
Sanction Act	Act No 69/2006 Coll., on the implementation of international sanctions, as amended
Company	IGBFA s.r.o., company ID 08009783, hereinafter referred to as „obliged entity“
Internal Principles	System of Internal Principles, procedures and control measures to fulfill the obligations of the AML by law, also as "Principles"

3. Definitions

Financing Terrorism	Collecting or providing funds or other property, knowing that it will be used, even in part, to commit an act of terror, a terrorist attack or an offence intended to enable or assist the commission of such an offence, or to support a person or group of persons preparing to commit such an offence. Actions to reward or compensate the perpetrator of an offence of terror, terrorist attack or criminal act intended to enable or assist the commission of such an offence, or a loved one within the meaning of the Criminal Code, or to collect funds for such reward or compensation. For the purposes of the AML Act, as well as the financing of the proliferation of weapons of mass destruction, which means the collection or provision of funds or other property in the knowledge that it will, even partially, be used by a proliferator of weapons of mass destruction or used to support the proliferation of such weapons in violation of the requirements of international law. It is not decisive whether the abovementioned act took place or is intended to take place, in whole or in part, in the territory of the Czech Republic or abroad.
Legalization of proceeds of criminal activity	Actions to conceal the unlawful origin of any economic advantage derived from criminal activity in order to give the appearance of a financial benefit acquired in accordance with the law; such acts consist, for example: in the conversion or transfer of property knowing that it is derived from criminal activity, in order to conceal it or to disguise its origin, or to assist a person who is engaged in such an activity in order to escape the legal consequences of his or her actions; concealing or disguising the true nature, source, location, movement or disposal of property, or changing rights relating to property, knowing that such property is derived from criminal activity; in the acquisition, possession, use or disposal of property knowing that it is derived from criminal activity; in a criminal organisation of persons or any other form of cooperation for the purpose of the conduct referred to above. It is not decisive whether the abovementioned act took place or is intended to take place, in whole or in part, in the territory of the Czech Republic or abroad.
MLRO	The person responsible for maintaining the Company's compliance with legal regulations as well as internal compliance, the management of the KYC department and the Risk Management department, as well as the reporting of suspicious transactions by the Company, as well as being the FAO's contact person (also the "Head of Compliance and Risk Department").
Concealment of Beneficial Ownership
Transaction	Any act of the Company with another person where such act is intended to dispose of that other person's property or to provide a service to that other person. Where a payment is split into several separate transactions, the value of the transaction or payment shall be the sum thereof if these transactions are linked. By definition, the obliged entity enters into business with the client on a one-off basis, i.e. when a business relationship is established (where the focus is mainly on identifying the client) as well as during the course of the business relationship with the client, it enters into sub-transactions (where the emphasis is on comparing, verifying and subsequently checking information already obtained).
Business Relationship	A contractual relationship between the Company and another person, the purpose of which is to dispose of that other person's property or to provide services to that other person, where, when the contractual relationship arises, it is clear, having regard to all the circumstances, that it will contain a recurring supply. The company concludes a framework contract with the client for the provision of payment services, stating that the contract contains, as per the client's request – the creation of an electronic wallet, the attachment of a prepaid card to an account, the creation of a special IBAN account under the Client profile, and the execution of electronic money or funds transfers under the company name or the Client's personal name with the collection of more than 20 international currencies.
KYC department	Department responsible for identification, setup, functionality and KYC process modifications, including client follow-up due diligence
Sales department	Department responsible for communicating with Client and for business development
Risk Department	Department responsible for monitoring client activities, conduct and transactions
Customer Support	Department responsible for providing support to clients
Suspicious Transaction	Transaction done in circumstances giving rise to suspicion of trying on the laundering of proceeds of crime, or the suspicion that funds used in trade are intended to finance terrorism, or that the transaction is otherwise related or connected to the financing of terrorism, or any other fact that might suggest such a suspicion.
Politically Exposed Person	a) a natural person who is or has been in an important public office of national or regional importance, such as, in particular, the head of state, the prime minister, the head of the central government department or his deputy (deputy, secretary of state), a member of parliament, a member of the governing body of a political party, a leader of a territorial government, a judge of the supreme court, the constitutional court or any other supreme judicial body whose decisions in general (with exceptions) are not subject to appeal, member - a central bank bank's bank board, a senior officer in the armed forces or corps, a member or representative of a member (if it is a legal person) of the statutory body of a trade corporation controlled by a state, an ambassador or the head of a diplomatic mission, or a natural person who performs or has performed a similar function in another state, an EU institution or an international organisation, b) a natural person, who is: 1) a person known to be a close associate to a person under letter a), 2) a business partner or beneficial owner of the same legal person, trust or other legal arrangement without legal personality as a person under letter a) or is known to the obliged entity as a person in a close business relationship with the person under letter a), or 3) a beneficial owner of a legal person, trust or other legal arrangement without legal personality known to the obliged entity to be created in favour of a person under letter a).
Identity Card	Document issued by a public administration authority stating first name and surname, date of birth together with image and potentially other identification features enabling identification of its bearer as the true holder.
Risk Country	Country at risk in terms of money laundering, terrorist financing or proliferation of weapons of mass destruction. The list of these countries is established by Commission Regulation (EU) 2016/1675 of 14 July 2016 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council on the identification of high risk third countries with strategic deficiencies, as amended. Other high-risk countries are listed in Annex 2.
SIE	Legal person with a potential increased risk of being involved in criminal activity for which a person has been detained, charged, indicted or convicted in connection with: property offences, terrorism or terrorist financing, trafficking in prohibited goods and services (narcotics, arms, trafficking in human beings), corruption, bribery or extortion, crimes committed by organised groups, war crimes.
SIP	Natural person with a potential increased risk of being involved in criminal activity for which a person has been detained, charged, indicted or convicted in connection with: property offences, terrorism or terrorist financing, trafficking in prohibited goods and services (narcotics, arms, trafficking in human beings), corruption, bribery or extortion, crimes committed by organised groups, war crimes.
Beneficial owner	Beneficial owner shall mean a natural person having factual or legal possibility to realize directly or indirectly decisive influence in a legal person, trust or other legal arrangement without legal personality. It shall be deemed that under the conditions given in the first sentence the beneficial owner is: a) for a business corporation a natural person, who: 1. alone or in connection with other persons acting in concert with that person handles more than 25 % of voting rights of the business corporation, or has more than 25 % share in ordinary stock, 2. alone or in connection with other persons acting in concert with the natural person controls the person under point 1, 3. should be the recipient of at least 25 % of profit of the business corporation, or 4. is a member of a statutory body, representative of a legal person in such body and/or in position similar to a member of a statutory body if there is no beneficial owner or it is not possible to determine it in accordance with points 1 to 3, b) for an association, public service company, owners association, church, religious society or other legal person under the Act regulating position of churches and religious societies a natural person, who: 1. handles more than 25 % of its voting rights, 2. should be a recipient of at least 25 % of distributed funds, or 3. is a member of a statutory body, representative of a legal person in such body and/or in position similar to a member of statutory body if there is no beneficial owner or it is not possible to determine it in accordance with points 1 and 2, c) for a foundation, institute, trust or other legal arrangement without legal personality a natural person or beneficial owner of a legal person, who is in a position of: 1. a founder, 2. a trustee, 3. a beneficiary, 4. a person in whose interests was the foundation, institute, trust or other legal arrangement without legal personality established or is functioning, if a beneficiary is not determined, and 5. a persons allowed to maintain supervision on administration of the foundation, institute, trust or other legal arrangement without legal personality. AML Act determines the Actual Owner threshold of more than 25%, Company, even with respect to the FATCA, has decided to apply a limit of Beneficial owner of more than 10%.
Country of origin	for a client - a natural person each state of which that person is a national, and at the same time all other states in which he or she is registered to reside for more than 1 year, or for permanent residence if known to the Company, for client - a legal person who is also a obliged entity within the meaning of Section 2 of the AML Act is the country of origin of the State in which it has its registered office,

4. Customer Identification

The first identification of a client who is a natural person and of any natural person acting on behalf of a client who is a legal person shall be carried out by the Company either in the physical presence of the identified person or in a manner pursuant to Section 11 of the AML of the Act and specified in paragraph 4.2.

Each Client goes through registration via the website alphapays.com. The e-mail address entered in the registration form is the first step of checking the applicant - they receive an e-mail sent by the Company system with a link directing it to their profile. Subsequently, access to his profile is verified using a phone number.

This procedure is common to all services offered by the Company. In parallel, the Client Check phase is started with the use of automated screening to assess whether the Client is a PEP or not on one of the sanctions lists (EU, UN, OFAC).

The next stage involves a manual check by an employee of the KYC Department, namely a check of the background information received from the Client (including a check of the ID card supplied and a certificate of residency), an IP address check to determine the true location of the client and the verification carried out by it, a check of the Client's jurisdiction (whether it is in the country according to Annex 2), a categorisation of the Client according to the Risk Assessment and the decision to approve the Client or to add further information.

1. Performing of Customer Identification

The company will identify the client each time a business relationship is established:

- always regardless of the limit set above when it comes to suspicious trade;

- where a transaction is divided into several distinct transactions, the value of the transaction shall be the sum of those transactions if the transaction is connected. The obviously related services must therefore be aggregated and treated as a single transaction. The identification of such a link shall consist of the ratio of the frequency, the amount of each transaction and the sum of the total value of those transactions over time. A typical example for the Company is the transfer of funds from the Client account to counterparty accounts that do not exceed the EUR 1000 limit, are carried out with a frequency that prevents a monthly aggregated check on the amount of transactions executed, while the recipient or sender is the same counterparty, not specified in the KYC questionnaire. The Compliance and Risk Department uses transaction monitoring implemented in the Company's system to detect such suspicious activities, which automatically generates compliance reports (frequency of transactions over time, individual and aggregate amounts).

- these conditions take into account the type of Client (natural person v. legal entity), whether the transaction(s) is risky according to the amount transferred or in case of higher frequency over time (cumulative) and the client's risk assessment obtained. Details of the risk factors are given in Annex 1, which includes a client risk assessment.

Submit of identification data

Company as a part of performing identification of client, who is:

• Natural person: the obliged entity shall record identification data and verify them from an identity card, if the identity card includes them, and then record the type and number of the identity card, issuing country or issuing authority and the validity; simultaneously, it verifies if the holder matches the photo on the identity card,
• Legal entity: the obliged entity shall record identification data and verify them from a document on legal person’s existence and identify a natural person acting on behalf of such legal person in a transaction under letter a), if a statutory body, its member or controlling person of such legal person is another legal person, the obliged entity shall record its identification data as well. Individuals who are members of the legal entity's statutory body but do not act in the transaction in question are surveyed and recorded for identification and verification of identity. These data are those that can be identified from available sources, typically from the Commercial Register, i.e. in particular name, surname, date of birth and address. Where the client's statutory body (or its member or controlling person) is another legal person, the obliged entity shall also record its identifying data.

Identification data:

• Birth number: an indication compulsory for Czech citizens, foreigners with permission to stay in the territory of the Czech Republic, asylum seekers and other persons to whom the birth number is assigned according to Section 16 of Act No 133/2000 Coll., on the registration of residents as amended, or substitute thereof.
• ID number: For non-Czech citizens and residents a government issued Identification Number
• Date of Birth: data mandatory for persons not assigned a birth number according to Czech regulations.
• Sex: in significant cases (for foreigners with names whose gender is not obvious - they do not contain the suffix -ová;
• Place of birth: municipality, state
• Permanent or other residence: relevant residence in format house/apartment number, street, municipality, state
• Authority that issued the identity card: This data is to be recorded especially in a situation where the client is a Czech national, In which case it is not useful to record only the State that issued the ID card, as this card could not have been issued by anyone other than the Czech Republic (except when the client has dual citizenship and presents an ID card issued by a State other than the Czech Republic for identification purposes)

General requirements of all client’s Identification document:

• must be valid and unaltered by any software;
• All parts of the documents must be clearly visible, while all four corners must be visible;
• Visibly undamaged (detached, broken and glued, unreadable or deleted information, etc.);
• must not be in handwriting or with an expiration date within 24 hours after submission

Required types of Identification document:

• Identity card or other valid identity card of the applicant's country, passport, driving licence, foreign residence card
• The following types of identity cards can only be accepted if they comply with the following: it is a valid document issued by the state:
• not a card damaged beyond normal wear (e.g. missing sheets, glued, transcribed, illegible, etc.);
• holder's likeness on the licence must correspond to the real form of the holder and must be clear or undamaged enough to identify the holder with a sufficient degree of probability;
• document from which it can be determined which authority of which State issued it;
• the date of birth must correspond to the date stated when the applicant is registered;
• if the identity card contains the date of issue and expiry, then the expiry period must correspond to the type of documents and must not be less than 24 hours from the time of identification. The date of issue must not precede the date of identification;
• must contain visible safety features: watermark, holograms, etc.;
• this is a document which, for whatever reason, does not raise doubts about its authenticity.

Required typed of Proof of Residence:

• Accounts (telephone, gas, electricity, hydro, storable, interest);
• Bank account statement/bank account confirmation;
• Listings from non-bank institutions;
• Confirmation of stay from local administrative authorities;
• Confirmation of payment of rent no more than 3 months after the date of confirmation (The Company does not accept the submission of the lease itself);
• Confirmation of mortgage loan repayments, no more than 3 months after the date of the confirmation (The Company does not accept the submission of the mortgage contract itself);
• Real estate insurance tax document (no more than 3 months old);
• another official identity card showing a valid address;
• Payslip/pension slip;
• credit card statement with noticeable transactions.

• The aforementioned types of confirmation of the applicant's permanent or other residence can only be accepted if they meet the following requirements:
• They were issued no later than 3 months ago from the time of the Company's receipt
• Copies are color, in good and readable condition, free of additional editing

If some identifying information (e.g. sex, address of stay) is not included on the ID card, the Client is asked to provide a supporting document containing the missing identification information.

The company may make copies or extracts of the documents submitted and process the information thus obtained for the purposes of the AML Act. The making of copies of personal documents under personal identification is only possible with the consent of the holder. The company shall only copy those parts of the ID which are necessary for identification, in accordance with FAO Methodological Guideline No.8 of 9.10.2020.

If, when entering into a transaction (or business relationship), the Company suspects that the client is not acting on its own behalf, or that it is disguising that it is acting on behalf of a third party, it shall invite the client to provide evidence of the original or a certified copy of the power of attorney. Everyone is obliged to comply with this request, otherwise it is a suspicious transaction.

If the applicant provides a false or modified identity card, such a document will not be accepted and information about such an attempt will be given to law enforcement authorities by notification.

In accordance with the RBA, the company will request additional information in addition to the documents required for identification and verification, such as an account management certificate, marriage certificate, other identity card, etc.

During verification, the Company has the right to suspend receipt of funds for the Client account or temporarily shut down the Client account if deficiencies in the submitted information are identified as part of the client identification.

2. Legal Entity client identification:

Company shall identify the client's organisational and ownership structure and ensure that it understands the client's legal form, as well as the reasons for which the Client requests the Company's services, all before the business relationship is established.

Identification of the ownership structure of the Client and its Beneficial Owners is necessary to assess the Client in terms of AML risks. Therefore, the Company identifies any natural person acting in or on behalf of a legal person for the first transaction, as well as all the legal person's directors, the legal person's shareholders, the legal person's beneficial owners, the domain owners.

The Company is required to request the following documents as part of the Client identification (or it’s substtitude):

• Identification of any directors, shareholders, domain owners and persons acting on behalf of the Client following the above procedure for natural persons
• If the application is from a different domain, proof of domain ownership;
• Certificate of Establishment (Excerpt from Commercial Register);
• the charter/contract;
• For high-risk merchants, Declaration of the beneficial owner with a percentage interest in the legal person;
• Service billing/statement of account for the legal entity;
• a copy of the licence (if necessary for the business of the legal person);
• If relevant The Company may request a Legal opinion stating that a legal person may provide regulated services in the relevant jurisdiction (if related to the business activity of the legal person);
• Identification of all directors, relevant shareholders and beneficial owners;
• The Company may request a Business plan if the activity of the legal person is:

• unclear or,
• The client provided details of a legal person not listed in the Company Register or,
• if a legal person's website is too simple or missing altogether.

The business plan shall include sufficient details of the business activity planned by the applicant, its planned budget, strategic objectives and other relevant dates, including background of activities, sources of funding, target markets and marketing plan.

If the KYC Department is unable to complete the identification of the Client and its verification due to the absence of Client information, such an applicant will not be accepted.

As part of the identification of legal entities, the Company shall record and verify the following mandatory information:

• company name and business name (if different from the registration form);
• Company address and head office address (if different from the registration form);
• ID/registration number;
• the company's website;
• the name of the holding company (if holding);
• Holding company address (if holding);
• the name of the supervisory authority (if the company is supervised);
• type of regulated trading activity (where the company is regulated);
• Number of licence/authorisation from supervising body (if activity requires licence or other authorisation);
• description of business activities (end-users) and suggested volumes.

The above mentioned information must be verified according to business registers or other sources, and copies must be verified by the competent authorities for that purpose (if not a register with a constructive notice). All documents must be officially translated into Czech or English and duly authenticated.

Further documentation will be required if:

• a new company will appear in the applicant's company structure;
• the applicant's website is owned by another company.

On the basis of the information supplied, the Company shall identify relevant relationships with other legal entities for the identification of specific individuals or multiple individuals having a significant impact on Client's activities.

After identifying the beneficial owners, the Company shall verify that the beneficial owners are listed as sanctioned persons in the appropriate sanctions lists. If the applicant's beneficial owner matches the sanctions list, it is not possible to establish a business relationship with the applicant or to continue a business relationship with the client.

3. PEP identification

As part of customer identification, the Company detects through a check of www.complyadvantage.com implemented in the Company's internal system, which automatically searches and records whether or not the person entered is a politically exposed person at the time of registration of the application and subsequently every 3 months after the establishment of the business relationship and the first PEP check.

In this way, the Company verifies the client and all persons who are the beneficial owner of the client, if this is discovered, or are acting for the Client.

Complyadvantage.com evaluates the applicant/client name, surname, date of birth, country of origin against its own database. In case there is a match on the alert according to the criteria:

(a) above 75%, the applicant/client is suspended from making changes to the profile as well as access to the services provided, so there will be no establishment of a business relationship/there will be verification of the client's existing data and a possible determination of whether the match between the alert and the client is a suspicious transaction (The client submitted false information or did not inform about the change in PEP status).

(b) below 75%, the client is temporarily suspended from making changes to the profile, but has access to the services provided, The KYC Department will conduct an investigation into additional client information to exclude client and PEP matches.

Along with this, the existence of PEP is targeted by the question in Annex 1 “Is a member of the body of the company or the owner of the company a person who has the status of PEP?”, which makes it possible to refine the information obtained from Complyadvantage, as well as the client's statement about the status of PEP, which the client fills in as part of the initial questionnaire.

If a client is found to be a PEP, until MLRO approval is given for the continuation of the business relationship with the client (or approval for the establishment of such a relationship), there is a suspension of the use of the Company's services for the transfer of funds outside of the Client's electronic wallets on the instructions of a KYC employee, for reasons of high risk of the client.

Subsequently, the consent of the MRL is required to continue or establish a business relationship. There shall be no business relationship/continuation/execution of budding business until it has issued or decided on a course of action.

Obligations and restrictions relating to politically exposed persons shall be applied by the Company for a period of 24 months from the date on which the Company has received information or has established, as a matter of periodic review, that the Client has lost its PEP status (has ceased to perform the relevant function); in which case, based on a risk assessment, it is first necessary to exclude the client-specific risk for politically exposed persons. During that period, it shall also apply, to the same extent, to a client whose beneficial owner is a politically exposed person and to a person known to the Company to be acting for the benefit of a politically exposed person.

The KYC department uses the procedures of the FAO Guideline No. 7 from 9th October 2020, which defines PEPs according to the functions listed in Annex 1, when assessing whether or not a Client is a PEP. It follows the same line for foreign PEPs.

4. Identification of subjects under International sanctions

As part of customer identification, the Company ascertains and records whether the client is a person to whom the Czech Republic applies international sanctions of a financial nature (the ‘sanctioned entity’). In this way, it is necessary to verify the client, the persons who are authorised to act on behalf of the client in the context of the business (or business relationship) in question, and in the case of the client - the legal person, all persons who are members of the client's statutory body, all established beneficial owners of the client and all persons identified on the basis of the information obtained by the investigation of the client's management and ownership structure.

The company detects, similarly to the PEP survey, www.complyadvantage.com, implemented in the Company's internal system, which automatically searches and records whether a given person is kept on one of the sanctions lists (OFAC sanctions list, EU sanctions list, UN sanctions list or not, both when the application is registered and then automatically every 3 months after the business relationship is established.

In the same way, finding out if the Client is listed on the sanctions list is activated whenever the Client information is modified, when the request for payment (trade) is entered, irrespective of the amount of the transaction being executed. Thus, the company is effective in limiting the risk of financing individuals, on sanctions lists both before and during the commercial relationship.

In this way, the Company verifies the client and all persons who are the beneficial owner of the client, if this is discovered, or are acting for the Client.

In case there is a match on the record by evaluation of name, surname, company name (if the subject of sanctions is a legal person) date of birth, country of origin versus own database.

In case that match is under specified details:

(a) above 75%, the applicant/client has been suspended from making changes to the profile as well as from accessing the services provided, so there will be no business relationship/The KYC department will immediately verify the client's existing data and forward the MLRO within 24 hours so that it can decide on the STR, while stopping access to the services provided, the changes made to the client's profile.

(b) less than 75%, the client is temporarily suspended from making changes to the profile, but has access to the services provided, The KYC Department conducts an investigation of additional client information to exclude client compliance with the sanctions list and either allows the client to continue or requests additional information from the Client that clearly excludes the possibility that he is a Client/Applicant of a person subject to sanctions, or whether this is a situation for which an STR is necessary.

5. SIP and SIE identification

The aim of the SIP and SIE checks is to exclude the possibility that the Client has been convicted, arrested or charged in connection with criminal activity according to available information, has a criminal record or, according to available information, maintains a connection with persons associated with criminal groups or is directly involved in the illegal activity of these groups.

Similar to PEP and Sanctions Lists, for SIP and SIE detection, the Company relies on automated client screening for negative SIP information, SIE.

If the applicant is a SIP or SIE, the business relationship or any trade in it is subject to due diligence (EDD) and the approval of the applicant by SIP or SIE, or the duration of the business relationship with the client that has been zipped to be a SIP or SIE is decided by MLRO. The specifications and criteria that apply to the PEP survey apply mutatis mutandis to SIPs and SIEs.

6. Additional Identification

In addition to the identification performed in the physical presence of the client, the Company makes use of the following additional options when performing client identification:

Mediated Identification

At the request of the Client or the Company, the identification of the Client, or a natural person acting on behalf of the Client, may be made by a notary or a public administration contact point, in the physical presence of the identified natural person. The notary or the public administration contact point shall draw up the instrument of identification, which shall be a public document, containing the particulars and annexes referred to in Section 10(a). 2 and 3 AML of the Act, namely:

Information:

1) who, at whose request and for what purpose made the identification

2) client identification data

3) the certification of the statement of the identified natural person, the person acting on behalf of the identified legal person or the representative of the identified person on the purpose of the identification made and on the confirmation of the accuracy of the identification, and, where applicable, the reservations on the identification made

4) the place and date of drawing up the document, where applicable, the place and date where and when the identification took place, if different from the place or date of drafting

5) the signature of the person who made the identification, the imprint of his official stamp and the serial number of the identification document

6) the annex to the identification document shall be copies of those parts of the documents, used for identification, from which identification details can be ascertained, as well as the type and number of the identity card, the State or, where applicable, the authority which issued it and its period of validity, and a copy of the application, if submitted in writing. As regards ifentification of the agent, the original of the power of attorney or a certified copy thereof is also annexed.

This public document, including its attachments, must be deposited with the obliged entity prior to the establishment of the business relationship or the execution of the transaction.

7. Third Party Identification

The company usually performs client identification remotely. Personal verification can only be performed if the Actual Owner(s), Director(s) or authorized employees of the potential Client meet with a Company representative (e.g. for conference, business meetings, social activities, etc.). In such a case, the Company accepts personal identification if the meeting is supported by a written confirmation of such fact by an authorized Company employee and accompanied by KYC documentation by the Client. The identification details shall be transmitted by the authorised employee to the Department of KYC without undue delay for the transfer of information to the Company's internal system.

The Company will perform Client identification without physical presence after Client:

1) Concludes with the Company a contract for the provision of financial services in written or electronic form

2) The client will provide information using the process described in point 4

3) The client provides an additional ID card, namely driving licence, passport, employee card, birth or marriage certificate

4) The first payment from the contract will be made through an account held in the name of a client with a credit institution (including in the territory of another EU/EEA Member State).

5) Demonstrates the existence of an account held in the name of the Client (The Company also accepts the existence of a joint account held specifically for both spouses or even just one spouse). The company considers the account agreement or a copy of the current statement from such account (no more than 3 months old) to be a sufficient document.

Only after all the above conditions have been fulfilled, following an inspection by the Department of KYC, which is responsible for checking the information entered in the Company's internal system, will the decision on sufficient identification, simple doubts about the Client's real identity, shift to the management of the company and the possibility of carrying out transactions.

The company is aware that the use of surrogate identification under the relevant provisions of Section 11 of the AML Act does not relieve it of its responsibility for the proper and complete fulfilment of the identification and, where applicable, the client control acts taken. The risk factor of distance identification is then taken into account in the client's risk assessment.

5. Due Diligence

The Company shall carry out a client inspection, in order to obtain information on the purpose and intended nature of the transaction or business relationship, to establish the ownership and management structure of the Client and its beneficial owner, to monitor the business relationship with an overview of the purpose and to assess the conformity of the transactions carried out with the information provided, to examine the sources of funds or other assets, in the trade or business relationship and to check the origin of the property with PEP, as well as to check the Client against the received and appropriate sanctions to comply with legal requirements and the Company can effectively identify and combat risks.

Company shall perform customer Due diligence:

• prior establishing the business relationship,
  1. with PEP;
  2. with a person established in the country to be considered at risk by designation in Annex 2

• when the business relationship is established (at the latest before the first transaction);
• for the duration of the business relationship, at least once every 6 months each Client is inspected and once in 3 months for High Risk clients, based on risk assessment. Referring to the risk assessment in Annex 1, the client control is carried out in a similar way as in the case of its identification.

• The specificity of the business relationship with Clients in the Company's case is the high risk resulting from the predominant identification of clients so-called remotely is balanced by the type of services the Company provides to Clients. This allows checking individual client trades, when activating any of the checkpoints below.

Due Diligence contain:

1. Obtaining information on the purpose and intended nature of the transaction;
2. Identifying the ownership and management structure of a client and its beneficial owner when the client is a legal person, trust or other legal arrangement without legal personality, and taking measures to identify and verify the identity of the beneficial owner;
3. Monitoring of the business relationship, including reviewing transactions conducted during the course of the relationship to determine whether trades are consistent with what the obliged entity is aware of the client and its business and risk profile;
4. Reviewing the sources of funds or other assets involved in the transaction (or business relationship);
5. In the context of the commercial relationship with PEP, adequate measures are also taken to establish the origin of its assets.
   
   

5.1 Obtaining information on the purpose and intended nature of the transaction

The purpose of obtaining this information is to create the conditions for a future evaluation of whether sub-transactions show signs of suspicious trade. Clients Companies may use crypto payment services. The Cash Transfer Service allows Client to receive or send transactions in several ways – The KYC and Risk Management Department evaluates the rationality of the transactions carried out, which corresponds to the information received when the client enters into a business relationship, as well as transaction models which show a consistent pattern of similar amounts over time, towards or from the 3rd person, where both the amount and the frequency of the transactions executed correspond to the type of business. The KYC and Risk Department will request information on the purpose in a situation where:

1. The client's business is performed with a non-Company known counterparty
2. The deal value exceeds the Client's usual transaction
3. The store has no apparent connection to the business object of the Client/Counterparty was not listed in the KYC for

5.2 Identifying the ownership and management structure of a client

Obtaining information about the client's ownership structure and identifying the client's beneficial owner is essential for assessing the client for the potential risk of ML/FT. The Company shall identify relevant relationships up to a specific natural person or multiple natural persons who have significant influence over the activities of that client, including indirectly (through other natural or legal persons).

When conduct Due diligence of Legal entity, Company shall detect and record:

• In the case of the beneficial owner, and the data to verify his identity and the procedure for establishing it, the identification of the legal person shall follow that recorded in point 4
• Legal entities are limited by the Company to commercial corporations in the relevant Czech or foreign regulation (European company, joint stock company, limited liability company, public commercial company, limited partnership). Funds and other legal entities other than those listed are not accepted by the Company for the establishment of a business relationship.
• If the beneficial owner and ownership structure is established, the Company is examining whether the persons thus identified are included in the list of sanctioned entities, as well as the possible existence of SIP/SIE or PEP.
• The KYC shall invite a person acting on behalf of a client to produce documents proving the ownership structure (founder's deeds, shareholder inventories or declarations, minutes of general meetings, etc.);
• In the absence of such documents, the sales team shall invite the Client to complete the information in the form of a solemn declaration, in which case this fact, entailing a higher degree of risk, shall be reflected in the Risk Assessment and Client Categorisation.
• if the client does not cooperate, or there are doubts about the veracity or credibility of the information provided, the KYC team will refuse to make the transaction or establish a business relationship, or inform the sales team of the need to terminate it.

 

5.3 Ongoing monitoring of the business relationship and transactions monitoring

In addition to the justification for CDD and EDD authentication, the other basic rule of effective ML and TF prevention is continuous monitoring of the trades and activities of the Client. For the Company, this activity is a prerequisite for sustaining an RBA where high-risk clients are subject to appropriate regular due diligence.

The KYC team, together with the Risk team, performs ongoing monitoring of clients and their business, with an emphasis on the frequency and extent of deviations from the client's normal business activities. In the case of the identification of a suspicious transaction, the Risk team conducts an individual assessment of the characteristics of the transaction (in terms of the nature, volume, beneficiary. It will then make a comparison with previous transactions recorded under the Company's internal system for the client, taking into account the client type, purpose of account creation and client's pre-existing risk profile.

If the Client changes the nature of the transactions, if it increases the number or value of transactions compared to its past behaviour or with the estimates originally provided, the Risk team shall determine the reason for such developments. In case of doubt, the Risk team shall be entitled to request additional information and appropriate supporting documents from the Client to justify the changes, in particular.

These measures shall be taken by the Company at the latest before the execution of the business and for the duration of the business relationship.

If a particular business relationship fulfils at least one of the following headings, the responsible staff of the Risk team shall report the fact to the head of the Head of Risk and Compliance Department, who shall decide the course of action. The list includes, but is not limited to:

- unusual requirements for the execution of a transaction (e.g. a client requires the execution of a transaction that is unusual in its volume or is executed in an unusual manner);

- client resources do not clearly match the nature or scope of the client's business activities;

- transactions are directed to areas where the Client does not normally have or is not expected to have business interests;

the transaction lacks an economic, factual or legal basis;

- the description of the transaction makes no sense or is not transparent from an economic perspective;

- the transaction is carried out with a potential PEP;

- The Company is aware that the transaction goes to/from a country categorised as high risk or if it exceeds EUR 10,000.00;

- the transaction goes to/from a country categorised as risky or if it exceeds EUR 20,000.00;

- the quantity transferred is just below the mandatory identification or due diligence (EDD) limit;

- transactions to/from countries subject to international sanctions;

- group of clients makes similar transactions.

The Company shall refuse to undertake any transaction in the following cases:

- The client will not provide the necessary assistance, will refuse to undergo a check or will refuse to submit the identification details of the person he is dealing with;

- The client or its beneficial owner is a person (natural or legal) to whom the Czech Republic applies international sanctions under the relevant law;

Continuous monitoring (monitoring) is intended to monitor the background of the Client's business and update its risk profile, taking into account any changes that have occurred since the Client's hiring, in order to reduce financial and reputational risks. 

The reputation monitoring consists of checking the validity of the client's license (if the Client is subject to supervision), warnings issued by supervisory authorities, negative reports, complaints and online ratings on the web.

Other measures to be taken into account are continuous checks of the Client website to ensure that the products and services offered comply with all relevant regulations.

If the Company determines that the type of business does not correspond to the described activities and documentation when it receives the Client, or if the Client reports false information in the context of identifying or providing the assistance, the employee shall report that fact using an internal compliance report.

Subsequent monitoring (post-transaction) checks that current transactions match the Client profile, taking into account relevant amounts, transaction frequency and total volume.

If the Risk team, in cooperation with the KYC team, discovers during the process of receiving a Client in the Company's internal system that the Client is suspected of supporting terrorism, such information will be transmitted using an internal Compliance report for the purpose of the STR

5.4 Reviewing the sources of funds or other assets involved in the transaction

As part of the Client Control Process, the Company may request information regarding the origin of the funds involved in the transaction or business relationship, other than the identification itself.
Besides KYC team, the origin of money may also be required from the Risk team when a particular transaction achieves a higher level of risk. To review the client's cash resources, the Company accepts:

• account statements proving the origin of incoming payments;
• issuance of a secured or unsecured loan certificate;
• Payslip or employer contract;
• annual income (e.g. employer's certificate or tax return);
• profit and loss statement, audited financial statements;
• invoices;
• contracts;
• transport documents.

Below are additional options for determining the origin of Client's money through an independent source:

• reports from private credit rating agencies;
• publicly available information;
• financial statements or annual reports issued by Client;
• independent search through EDD services companies;
• references from another obliged entity/bank.

The aim of the check is to establish the source of the funds used in the transaction or business relationship. In the case of a business relationship, this part of the client's control is carried out in particular at the time of its creation, so that the benchmarks for future control can be used. If there is any doubt as to the declared origin of the funds, the Sales team is asked, in agreement with the KYC team, how to secure information from the Client (in the form of an additional questionnaire on the origin of the funds, the Client's current business activity, or certain private events associated with accepting a gift or acquiring an inheritance).

If the Risk team determines that the origin of the Client's money is clearly from legitimate sources and the transaction corresponds to the purpose and identified Client information at identification or control, further Client investment may be waived in a specific transaction.

Conversely, if the Client poses a high risk in terms of MLs and information on the origin of the money indicates an increase in risk compared to the risk profile identified so far, the KYC team is required to consider further investing the business or Client.

5.5 Adequate measures for Source of Funds where Client is PEP

In the case of PEP, which is separately categorised as a high-risk Client under Annex 1, the Company finds information on the source of the Client's assets used in the transaction, as well as the determination of the volume of such assets, the frequency of the acquisition/generation of such assets or funds over time. If the Compliance and Risk Department may not allow such business to take place, even in the context of an existing business relationship with Client. The procedure of PEP clinet identification should be applied.

5.6 Additional information to perform and check client identification

Client shall provide the obliged entity with the information necessary to make the identification. Also in the context of control, active cooperation of the client is foreseen, which may consist, for example, in the presentation of relevant documents and declarations. The client must be informed that the information being obtained is required under the AML law (the confidentiality obligation extends to any STR filing and FAU investigation).

The company may make copies or extracts of the documents submitted and process the information obtained to fulfil the purpose of the AML Act. However, making copies is subject to obtaining the consent of the client.

In case of doubt, the obliged entity may request further supporting or clarifying information from the client and, in the absence of such information or lack of clarity, the Company will not undertake the transaction, or may submit it to the STR. If the client refuses to cooperate, the obliged entity will not conduct the transaction. If doubts about possible misuse persist after the inspection, this justifies the submission of an STR.

When carrying out individual transactions, when establishing a business relationship with a client, as well as during the course of that relationship Company shall:

• ensures and maintains such information about the Client as will allow it to evaluate whether it is a risky client;
• Checks the validity and completeness of client details and updates them;
• gives increased attention to business:
  • where any of the risk factors determined on the basis of the risk assessment carried out occurs;
  • with PEP;
  • for which the Company is known that the client's beneficial owner is PEP, or that PEP will participate otherwise;
  • large volume or high level of complexity, in particular with regard to the type of client, the subject matter, the amount and method of settlement of the transaction, the purpose of the transaction and the subject matter of the client.

6. Risk Assesment

Risk assessment involves identifying and evaluating the attendant risks that the Company may face by the nature of its business and developing appropriate strategies to manage those risks.

During its operations, the Company may be exposed to the following risks:

• Country or relevant jurisdiction ML or TF risk exposure: concerns about insufficient measures against terrorist financing
• Risk in relation to Clients: identification of the Beneficial Owners/PEPs
• Client identification in relation to risk profile: client-business relationship, long-term and active business relationship with the Company
• Preventing tax non-compliance
• Risks associated with receiving Clients without personal identification (non face to face): making sure that appropriate checks are applied to prevent the possibility of confusion between Clients and another person
• Risks associated with the geographical area: an assessment of the area in which the business is operated. For risk areas with a higher risk of ML/TF, the possibility of ML/TF is logically increasing.
• Risks associated with virtual currencies: the ability to understand the risks associated with trades using virtual currencies
• Cyberattack risk: implementation of technical requirements, hacker attacks, viruses, malware or data leaks
• Excluding the creation of a business relationship with a person on the client's list of sanctioned entities.
• Not -clear ownership structure
• Unable to get information about Client's Beneficial Owners
• Unclear origin of client's money
• Client's economic "inactivity"
• Unusual combination of transaction factors relating to Client, value and method of settlement, purpose of business relationship and business activities of Client
• Facts giving rise to suspicion that Client is making suspicious transactions

Due to the nature of the Company's business activity, an appropriate process was created to identify the Client before entering into a business relationship with him. This RBA approach The Company applies prior to completion of verification in the context of client identification or before entering into a business relationship.

In order to evaluate and manage the risks of ML/TF, the Company has developed a detailed acceptance form for Clients, including Client Risk Assessment and Compliance under Recruitment. This form serves as a basis for determining the risk category and for any due diligence of the Client.

For acceptance purposes, the client shall undergo an overall risk assessment based on an evaluation of the following sub-risks:

• types, actions and behaviors of the Client and its customers
• complexity and Volume of Client Stores
  • facts giving rise to suspicion that Client is making suspicious trades
  • unusual grouping of transactions with respect to the type of Client, the value and manner of execution of trades, the purpose of the business relationship and the business activities of the Client and its customers
• Client's geographic business area, e.g. location of business spaces, Client's region of origin, or receiving Client's transferred funds

Below is a summary, listing the client's own risks and their assessment, with guidance provided to employees of the Company for Client Categorization:

• prohibited
• high-risk
• medium risk
• low risk.

Risk Assesment – Client Typology

Risk category	Examples of Clients
Very low/low risk	Public authorities, ministries and national companies; Simple ownership and corporate structures; The identification of the Client was made in the physical presence (face-to-face). The origin of the client's funds can be easily identified and corresponds to the information received
Medium risk	Any client that does not fall under the previous category of "low risk" clients or the following category of "high risk clients" will be categorised as a medium risk Client.
High/Very high risk	Client identification could not be made in person; There is an increased risk of ML or TF due to Client's CDD-based business activity; Negative records in any medium in relation to the company or individuals involved in the management of Client or its ownership structure; Anonymous accounts, so-called shell accounts or exclusively pay-through accounts, through which the Client plans to make or clear payments within the Company; Unclear source of client funds; The names of the management or directors on the website do not correspond to the names provided in the context of client control; The client's ownership structure includes PEP, a person close to PEP, SIP or SIE; Transactions planned for execution through the Company do not have a clear meaning and purpose from a financial point of view; The client is owned by appointed shareholders (‘nominee shareholders’). Telephone contact is provided from a country which was not mentioned in the pre-contract negotiations and does not correspond to the CDD provided; Repeated address changes when accepting a Client or in the course of a business relationship; The address or other relevant Client information provided when identifying a natural or legal person appears vague or unusual; The client is a charitable or other non-profit organisation; Non-transparent client ownership structure; The address provided is undetectable by normal publicly available means (web). The main business activity involves one or more of the following: - Pharmacy - Dating services - VoIP or telemarketing - investment in diamonds or precious metals - occult services
Prohibited	Client does not provide assistance in identification or checking There is a discrepancy in the information provided that the Client is unable to credibly explain. The client will not provide the necessary synergy in controlling the origin of the money. The client is not economically active, with no plans to be economically active The client issued/issues bearer shares. The client is PEP and the Company is not known about the origin of the funds; Client or beneficial owner of the client is listed in the list of persons or organisations subject to international sanctions under the relevant legislation; The client acts in the name of another person, is accompanied or followed by other persons who appear to wish to remain anonymous; The Client's business area includes prohibited activities under these Measures. The client has, according to available information, been convicted, arrested or charged in connection with criminal activity, has a criminal record or, according to available information, maintains a connection with persons associated with criminal groups or is directly involved in their illegal activities. Client has country of origin in high-risk country according to Annex 2.1

Company shall not accept a person who carries on as his main business:

• purchase/sale of collector's items
• Help with loan adjustment or consolidation or advice in relation to these activities
• investment in alcohol
• e-cigarettes and tobacco, tobacco aids
• supply of arms and accessories for military purposes
• small-scale bonds
• providing multi-level marketing
• Unregulated agents, offering investment services to the public in relation to trading in binary options, contracts for difference, derivatives or indices

Based on information gathered during client identification and due diligence, the Company will perform a client categorization, taking into account the risks listed above. This evaluation enables the Company to establish and update risk assessments and to establish rules for commencing a business relationship or refusing to establish a business relationship.

If the average AML compliance score of a new or pre-existing Client is evaluated on the basis of the criteria above, the final risk score is calculated to determine the required level of control (due diligence) with the possibility of necessary management approval according to the criteria below. In this way, the Company can justify to the oversight body performing the compliance check the appropriateness of the scope of the Client inspection.

Risk Assesment – Client’s Typology
Risk Category	Low Risk	Medium and High Risk
Level of Due Diligence	CDD CDD and client screening must meet the RBA's request and justify requesting further information.	EDD EDD and client screening must meet the RBA's request and justify requesting further information.
Approval Level	KYC Department	MLRO/ MLRO assistant

In order to effectively implement the measures set out above, the Sales team (as the first level of ML/FT risk protection, responsible for communicating with clients) is required to cooperate with the Compliance and Risk Department, responsible for further verification and monitoring of Clients and their activities.

The Company Client identification process is normally performed remotely. Personal verification can only be performed if the Actual Owner(s), Director(s) or authorized employees of the potential Client meet with a Company representative (conferences, business meetings, social activities, etc.). In such a case, the KYC Department may also accept personal identification if the face-to-face meeting is supported by written confirmation of such fact by the relevant Company representative, accompanied by the KYC documentation by the Client.

The following facts are given special attention in the process of identifying the Client in the form of the EDD if the Company detects any of the following:

• If the applicant for the account is from a country at risk as listed in Annex 2 or a country with low documentation quality and low documentation standards;
• If the applicant provides a telephone number from another country and the address provided is marked as "non-existent" by the search engine;
• Where an unexplained address mismatch is found when checking all documents provided;
• If the applicant submits documents on behalf of another person;
• If the applicant is identified and flagged by one of the Company's fraud detection systems: as a result of a negative record, shared accounts;
• If the data provided by the applicant is linked to other fraudulent customers;
• If the applicant uses a VPN or software to mask the IP address;
• If the applicant informs the Commercial Department that he is not aware of the opening of an account or the execution of a transaction/transactions on his account;
• If the applicant carries out a suspicious transaction;
• Client or Beneficial Owner's country of origin is risk according to Annex 2;
• The funds are to be transferred to or from a country designated as a risk country under Annex 2;
• The client has contacts or connections to areas susceptible to ML/FT or where international sanctions are regularly imposed.

The KYC team is responsible for the escalation of high-risk cases to the final MRL opinion.

In the following cases, the Company will refuse to open an account/enter into a business relationship or will be required to terminate an existing account/business relationship and refuse any further transaction:

• If Client's business activities are linked to the prohibited sectors in this chapter above;
• It is not possible to detect or remain distrustful in establishing the true identity of the Client or UBO, or the formal requirements for identification of the Client or UBO are not met.
• If the nature of the Client's activities is not clear or does not match the information provided at identification;
• If suspicion arises that the Client has been, is or may be involved in illegal gaming activities/transactions;
• If there is suspicion that Client is involved in corrupt conduct, bribery or tax evasion;
• When suspicion is raised or the Client's property is found to be criminal;
• When suspicion or discovery arises that the Client is involved in a terrorist organisation, drug distribution or trafficking, a member of a criminal group, listed on a sanctions list or coming from a sanctioned country;
• When it is suspected that Client has been convicted, arrested or charged in connection with criminal activity according to the information available, has a criminal record or maintains a connection with persons associated with criminal groups or is directly involved in the illegal activities of such groups.
• When suspicion has arisen that Client maintains anonymous accounts, shell accounts or only pay through accounts.

The risk assessment methodology is as follows:

• Creating a profile of the Client and targeted acquisition of data about him
• An efficient system for filtering received information
• Automated screening of the client in the internal system, targeting sanctions lists, PEPs, SIPs, SIEs or other risky activity (e.g. Implementation of OFAC blacklist crypto wallet address checks)
• Maintaining appropriate records of both client checks and identification
• Guiding client-related questions and clear risk escalation processes

The risk assessment shall be made in writing and kept up to date. The risk assessment check, including documentation of changes, shall be carried out by the Company at least once a year.

 

6.1 Risk categorisation of products and related services that may be misused for ML/FT

By the nature of its activities, the company performs a limited range of risk identification of individual sub-products (for which the Client requests either at the beginning of the business relationship or during the course of the business relationship over the amendments to the Framework Agreement) less disaggregated.

The crypto wallet service allows the Client to send and receive money around the world (i.e. both within and outside the SEPA area) in different currencies, a money transfer or e-money service within the EU and globally.

These are risks associated with standard transfers to an account under a special scheme, whereby the Company accepts the funds of its clients and credits them to an electronic wallet without appropriate transfer fees.

Additional risks compared to crypto transfers (in addition to customer identification and the reason for payment between banks) that may arise in the context of the transfer of funds between clients' wallets, the funds of which have already been received on a special mode account, where there is no real movement in the bank account, but clients can move cryptocurrencies between themselves. Thus, a chain of payments may occur without their being reflected in a separate scheme account, unless any client requests a transfer from an electronic wallet to a recipient who is not a Company client.

Outside SEPA transfers, the Company gives the possibility of international crypto transfers where there is an additional risk of taking into account the country to which the payment is sent in connection with the reason for the payment and customer identification.

During those transfers, there is a conversion of funds where the Company relies in this respect on the bank's conversion rate, which accepts its client funds for a separate mode account. Society accepts the exchange rate of a given currency pair, offered by a bank. This applies to both standard transfers and electronic wallets.

All of these services The Company understands as a whole for the time being, with this in mind, is conducting a Risk Assessment including a categorisation of products more generally than a larger institution, e.g. a bank with dozens of products for clients, has a range of services.

6.2 Detailed non-exhaustive list of suspicious transaction

Facultative signs of suspicious transaction

Transaction is considered suspicious if, for example any of the following are discovered by the Company:

• the client acts as if he is acting for or for someone else, is accompanied or followed by another person or persons who appear to want to remain anonymous;
• the client performs activities which may assist in disguising its identity or disguising the identity of the beneficial owner;
• the client or beneficial owner is a person from a risky country;
• the company has doubts about the veracity or completeness of the client data obtained. For example, the context suggests that the client is intent on giving inaccurate or incomplete information about himself;
• ID documents have a questionable appearance;
• the client behaves nervously, refuses identification or undergoes it only reluctantly, or gives false details for his identification or control (e.g. origin of money or business line);
• is known to have criminal history of a client or connections or links to persons connected to criminal groups or directly committing crimes;
• the client has business relationships with counterparties in risky countries as listed in Annex 2, or attempts to trade with these counterparties and these counterparties have not been
• the client has unusual requirements to execute the transaction, is more in a hurry to execute the transaction than is usual for similar transactions;
• the client carries out asset transfers that clearly have no economic justification or conducts complex or unusually large transactions;
• in one day or the days immediately following, a client shall carry out significantly more monetary operations than is usual for its business or a comparable type of client;
• the funds handled by the client are clearly not commensurate with the nature or scale of his business or his financial circumstances;
• the client is active in a field related to the risk of association with criminal groups (e.g. erotic services, discos and other night enterprises, trade in military material and especially weapons, etc.);
• the client knowingly conducts loss-making trades or trades at a disproportionate level of contractual penalty;
• transactions are made by large quantities of lower value currency, possibly by the unusual transfer of a larger volume of cash (e.g. plastic bags, pockets of clothing, etc.);
• transactions are directed to or from areas where the client does not normally have, or cannot be assumed to have, business interests;
• transactions are carried out at just below the threshold of mandatory client identification or control;
• the transaction lacks an economic, factual or legal basis;
• the transaction is carried out with a potential PEP;
• the transaction goes to/from a country categorised as high risk or if it exceeds EUR 10,000.00;
• the transaction goes to/from a country categorised as risky or if it exceeds EUR 20,000.00.

Obligatory signs of suspicious

In the situations listed below, transaction is considered as a suspicious and is reasonable to report a such a transactions as suspicious

• the client or beneficial owner is the person against whom the Czech Republic applies international sanctions under the Sanctions Act;
• the client refuses to submit to an inspection or refuses to give the identification details of the person for whom he is acting;
• the situation described in 9.1.

7. Rejection of Transaction

A company shall reject a transction (or refuse to establish a business relationship or terminate a business relationship with Client) in the event that an identification obligation is given pursuant to Section 7(a) 1 or 2 of AML Act:

• Client refuses to submit to identification;
• The client will refuse to provide evidence of power of attorney if represented by an agent;
• Client will not provide the necessary interaction when checking Client;
• For another reason, client identification or checking cannot be performed;
• If a Company employee has doubts about the veracity of the information provided by the client or the authenticity of the documents submitted (in which case an STR must be filed at the same time);
• A client, the beneficial owner of a client or a person acting on behalf of a client or a member of the client's statutory body is a person who is on the list of sanctioned entities (in which case an STR must be filed at the same time);
• It is a PEP business and the Company is not aware of the origin of the assets used in the business (or business relationship);
• internal system Company reports conformity of Client's record in sanctions list;
• MLRO does not approve to establish a business relationship with PEP.

8. Procedure for disclosure of data retained to competent authorities

Record Keeping

The Company shall, in accordance with Section 16 of the AML Act, keep the following information for 5 years from the last single transaction or the termination of the client business relationship:

• Identifying information, other information concerning the identity card of a client who is a natural person or a person acting on behalf of a client who is a legal person;
• Records of whether the Client is a PEP or a person against whom the Czech Republic applies international sanctions under the Sanctions Act;
• Copies of documents submitted for identification, if any;
• An indication of who and when made the Client's first identification;
• Information and copies of documents obtained in the Client inspection;
• Documents justifying an exemption from client identification and control;
• In the case of representation, the original or a certified copy of the power of attorney or the number of the court decision appointing the guardian.

The Company receives, stores and maintains copies of these data in accordance with the Record Retention Requirements of the Personal Data Processing Act (GDPR).

The retention period shall begin on the first day of the calendar year following the year in which the last transaction known to the obliged entity was made or in which the business relationship was terminated.

As part of its compliance with the AML policy, the Company also maintains the following documents:

• A copy of the evidence obtained to fulfil client identification and control obligations;
• Contracts between Client and Company;
• Transaction details, stored in the Company's internal system;
• A register of outsourced service providers, relevant licences and audits carried out;
• Reports by internal and external auditors in relation to the Company;
• Written records of implementation of risk assessments;
• Written records of internal regulations, including AML principles;
• Details of STRs submitted by MRLs (including no STR submission information) together with related documentation;
• Written records of staff training (internal and external).

The record-keeping period shall begin on the first day of the calendar year following the year in which the last known transaction known to the Company was made or in which the business relationship was terminated.

The assessment report, together with an appropriate statement, shall be kept by the Company under Section 21 of the AML Order for a period of 5 years.

The company can retroactively reconstruct all approval and decision-making processes and control activities under the measures, including associated responsibilities, powers, background and assessment of the assessment report. Information on findings made in the course of customer inspection, the review of trades and correspondence relating to trades and business relationships is also retrospective reconstructive. It must also be retrospectively reconstructive to such a process that results in the conclusion that there are no grounds for changing the client's risk profile or for submitting/not submitting an STR. All of this data is stored in the Company's internal system, is not publicly available and is made available for use by each employee at initial training.

Responsibility for the retention and transmission of Client data lies with the Compliance and Risk Department.

The assessment report, together with an appropriate statement, shall be kept by the Company under Section 21 of the AML Order for a period of 5 years.

The entire data retention process is retroactively reconstructable including historical versions of the evaluation report as well as PIEs and other internal company regulations. The data is stored electronically by dedicated servers. Similarly, data on all client transactions executed are retained, based on the relevant internal regulation governing the handling of data in the internal system. Documents delivered in electronic form shall be stored in principle electronically, in accordance with the requirements of Section 16 of the AML Act.

Review of trades, correspondence relating to trades and business relations with Client, information obtained from Client identification, as well as internal reporting of suspect activity from the employee who referred the report to the MLRO to the STR itself performed by the MLR are also stored in the Company's internal system, communications between the employee and the MLRO are traceable in retrospect, while information on their handling is extremely sensitive, subject to confidentiality.

All employees of the Company are aware of the fact that informing the person against whom an internal report submitted to the MLRO has been made, or against whom an ML or TF investigation is being conducted, is prohibited, as is taking any action that may entail forwarding internal reporting information to that person (so-called "tip off"). Falsifying, concealing or destroying documents essential to the reporting of a suspicious transaction from the perspective of ML or TF is also an unlawful act.

The Compliance and Risk Department is responsible for the retention of data pursuant to Section 16 of the AML Act, with special arrangements for the reporting of the STR (as well as the submission of a route notification) for which the FAO (police authority) is responsible, obtaining the requested information and communicating with the authorities, including the breach of confidentiality pursuant to Section 39 of the AML Act, is liable to the MLRO.

All Company employees are required to provide the MRL without delay with the necessary on-demand assistance by the corporate email client, no later than 1 working day from the dispatch of such request.

9. Reporting Suspicious Activity

9.1 Internal reporting of suspicious activity

If the Risk team has assessed the transaction as suspicious, and if he has confirmed the reasons for doing so, or if the KYC team has confirmed the activity of the Client (Behaviour) as suspicious, they are required to promptly inform the MLRO via the Company's internal system or to the MRL's service address, but no later than 2 days from the date of discovery of such fact.

An internal suspicious activity report shall contain all information for a full evaluation of potentially suspicious activity, including a description of the facts and material circumstances of the transaction, the transaction date or the detection of the Client's suspicious activity.

The MLRO has access to the relevant documentation underlying the submission of the internal report, including the identification or check performed on such Client (before or after the unusual activity), taking into account the Client's behavioural patterns and transaction volumes.

Normally, an internal report will be filed by members of the KYC or Risk team, involved in client identification and follow-up. The sales team can report changes to the Client's structure, business and business (non)successes.

Notwithstanding the above, all Company employees must be aware that they may be present with unusual client behaviour which may be the cause of the fact or circumstance on the basis of which the internal report will be submitted to the MLRO.

 

Each staff member is required to:

• Providing a correct, truthful and accurate internal report, containing the full and undistorted fact, without delay;
• Keeping confidential the nature of the internal report vis-à-vis any natural or legal person who is the subject of the report;
• Notification of any concerns, findings or findings in relation to internal MLRO reporting.

All employees of the Company are aware of the fact that informing the person against whom an internal report submitted to the MLRO has been made, or against whom an ML or TF investigation is being conducted, is prohibited, as is taking actions that may entail transmitting information about an internal report to the person under investigation (so-called "tip off"). Falsifying, concealing or destroying documents essential to the reporting of a suspicious transaction from the perspective of ML or TF is also an unlawful act.

9.2 The situation where an STR is administered at FAU

The company shall report suspicious trade on the basis of the above, but in particular if:

• doubts remain about possible misuse of ML/FT even after the client check;
• the client refuses to identify himself prior to the transaction (business relationship) and the Company has partial information to the client (in these cases all information from the representatives of the obliged entity relating to the description, conduct, conduct of negotiations with the unidentified trader, his arrival and departure is included in the STR); the essential identification details of the Company personnel who negotiated with the unidentified trader and could, if appropriate, further supplement or perform his description subsequent identification;
• the client does not cooperate in obtaining data and information in the context of customer identification and control (in this case, the Company will consider, depending on the current situation, whether the presumption of obtaining the relevant explanation from a client, for example, is only temporarily unavailable. In such cases, the client may be given a reasonable time to comply with the co-operation and the STR may be delayed until it expires);
• the origins of the assets used in the PEP trade are not known to the company from public sources and the person refuses to explain the origins of the assets;
• if there are obligatory grounds for doing so under § 6(1)) 2 AML law;
• it is not a specific suspicious transaction, but "other facts" that could indicate the laundering of proceeds of crime and terrorism-related transactions. If the Company identifies a suspicious transaction in connection with its activities, it shall notify the FAO without undue delay, at the latest within 5 calendar days from the date the suspicious transaction was identified. If the end of the period falls on a Saturday, a Sunday, or a public holiday, the last day of the time limit is the first following working day.
  
  If the circumstances of the suspected case so require, in particular if there is a risk of delay, the Company shall report the suspected transaction as soon as it has been identified. This is necessary in a situation where there is a risk that funds used in trade could escape the reach of law enforcement. In this case, the Company must notify the suspicious transaction immediately after its discovery, even if the notification does not contain all relevant information (the notification will be added subsequently).
  
  In cases where there is a risk that complying promptly with the client's order could frustrate or make it significantly more difficult to secure the proceeds of crime or funds intended to finance terrorism, the obliged entity may comply with the client's suspicious trade order no earlier than 24 hours after the STR is filed, see 10.
  
  The STR shall be filed with the FAO, by registered letter in writing or verbally on the record at the place designated after prior agreement. A notification made electronically by technical means ensuring the special protection of the transmitted data, i.e. the Encrypted Electronic Connection System with the Financial Analysis Bureau ‘MoneyWeb Lite’, which the Company prefers as a method of filing STR, shall also be considered a written notification.

 

FAU contact detail

Phone connection (7:45 AM – 4:15 PM): +420 257 044 501; (4:15 PM – 7:45 AM): +420 603 587 663

Fax: +420 257 044 502

Personal Delivery Address: Washingtonova 1621/11, 110 00 Praha 1

Mail Delivery Address: P. O. BOX 675, Jindřišská 14, 111 21 Praha 1

E-mail: [email protected] (cannot be used for administering STR)

Data box: egi8zyh (cannot be used for administering STR)

9.3  STR Properties

The STR shall contain all information available to the notifier about the transaction, its context and its participants, namely:

1. Identifying information of the whistleblower: business name (name and surname or name including distinguishing appendix) or other designation, registered office (address for service, if applicable), identification number, subject of business according to the Commercial Register entry or the Business or Other Business Card (only the business object to which the notification relates shall be specified) and type of obliged entity with reference to the relevant provision of the AML Act (indicate the relevant paragraph, letter and point (a) corresponding to the type of obliged entity;

2. The identification details of the person concerned by the notification as follows with regard to:
   1. Physical non-entrepreneurial person: forenames and surnames, including any other names and surnames used (in contentious cases, make a clear distinction between forenames and surnames), address of the place of residence in the Czech Republic and, where applicable, outside the Czech Republic and other addresses it uses, birth or date of birth, place of birth, type and number of identity card, when and by whom it was issued and details of its validity, nationality, sex (if not clear from further information), and any other identifying information provided in the identity card
   2. legal person: business name or name including distinguishing appendix or other designation, registered office, identification number or similar number assigned abroad, forename, surname, birth or date of birth and place of residence of persons who are its statutory body or its member, if the statutory body or its member is a legal person, its business name or name, including its distinguishing appendix or other designation, registered office, place of business or place of business, identification number and name shall also be provided. (a) the identification of persons who are its statutory body or its members, the identification of the majority shareholder or the controlling person;
   3. in the case of the representation of a natural person and always in the case of a legal person, the identification details of the person acting on behalf of the person concerned by the notification shall be provided;
3. The identification details of all other traders held by the obliged entity at the time of notification;
4. A detailed description of the object and material circumstances of the suspicious transaction, in particular:

• the reason for the transaction stated by the trade participant;
• a description of the crypto currency or cash used and other circumstances of the cash payment;
• time data;
• the numbers of the accounts on which the funds are concentrated, in respect of which the notification is made, and the numbers of all the accounts to or from which the money has been or is to be transferred, including the identification of their owners and holders, where this information is accessible to the notifier;
• currency;
• what the trade is suspected of;
• related transactions data;
• a description of the conduct of the trade participant and any associates;
• where appropriate, telephone and fax numbers identified, description and registration numbers of means of transport;
• other information that could be of informative interest to the persons involved or the transaction in question, as well as, where appropriate, other data that may be related to the suspicious transaction and is relevant to its assessment in terms of AML/CFT prevention;
• the notification shall include copies of all documents in the possession of the notifier, referred to in this notification and subject to a related notification;

5. Warning when the notification also covers property subject to international sanctions issued to maintain or restore international peace and security, human rights protection or the fight against terrorism. A brief description of the property, its location and owner shall be included with the warning, if known to the whistleblower. It shall also include information as to whether there is an imminent risk of damage, impairment or unlawful use of such property;
6. The notifier shall always indicate if and when the transaction was executed or postponed or the reason why the transaction was or was not executed. Where compliance with the order has been deferred, the obliged entity may not do so (except in relation to the seizure of property subject to international sanctions and subject to the provisions of Section 40(2)). 3 AML of the law) to inform the client;
7. Contact information

• The STR contains the name, surname and job title of the contact person who, on behalf of the obliged entity, submits this notification and the links to receive instructions from the FAO, including the possibility to connect even outside normal working hours (phone, fax, e-mail).
• further, the STR contains the date, time and place of the notification and the signature of the person fulfilling the notification obligation;

The STR shall not include details of the employee of the obliged entity or a person in a similar employment relationship who has identified the suspicious transaction;About filing of the STR the Company maintains confidentiality towards the Client, except for § 40(2)) 3 AML of the law.

10. Measures to prevent the thwarting or substantial impediment of securing the proceeds of crime by promptly complying with the client's order

Compliance with a client order here includes the completion of any transaction in which ML/FT is suspected.

Where there is a risk that complying promptly with the client's order could frustrate or make it significantly more difficult to secure proceeds of crime or funds intended to finance terrorism, the obliged entity may comply with the client's suspicious trade order no earlier than 24 hours after the STR has been served on the FAO. Property to which the client order relates shall be secured in an appropriate manner against manipulation that would be contrary to the purpose of the AML Act.

Compliance with the client's order shall not be delayed where such postponement is not possible or where it is known to the obliged entity that such postponement could frustrate or otherwise jeopardise the investigation of a suspicious transaction; the obliged entity shall immediately inform the FAO of compliance with the client's order. Where the transaction has taken place by the time the STR is filed, the obliged entity shall communicate the information about the transaction directly in that notification if the transaction takes place at a later date, the obliged entity shall file the information with reference to the notification lodged and in it shall communicate the exact timing of the transaction.

If there is a risk that immediate compliance with the client's order could frustrate or make it significantly more difficult to secure the proceeds of crime or the means of financing terrorism, and the investigation of suspicious trade requires a longer period of time for complexity, the FAO may decide:

• to extend the period for which compliance with the client's order is deferred, but not longer than an additional 2 working days; or
• to postpone the fulfilment of the client's order or to secure the assets to be subject to suspicious trade from the obliged entity where those assets are located for up to 3 working days.

The abovementioned time limits do not apply to the seizure of property if the property is to be seized in accordance with the relevant legislation issued to implement international sanctions. Detention takes place on the basis of the relevant sanctioning regulation, so there is no need (or possibility) to implement precautionary measures under the AML Act. At the same time, however, there is always suspicious trade within the meaning of Paragraph 6(2) of the Sixth Directive. 2 AML of the Act and is therefore required to file an STR. Silence under Paragraph 38(1)) 1 The AML of the Act applies only to the STR in such a case, not to the fact of being secured under the relevant sanction code. The person concerned by the seizure may be informed of it and may also seek the lifting of the restriction through the courts. It may also claim that it is not against whom sanctions are to be applied (match or form of names, misidentification, etc.). Such detention is not limited in time as a precautionary measure under Section 20 of the AML Act, but lasts for the entire duration of the sanction.

11. Technical and personnel measures to defer the customer order under Section 20 of AML act

Contact person: See Annex 5

Fulfilment of the information obligation

MLRO at the request of the FAO within the deadline set by it, in the form customary for collecting information on Clients (data information, files and/or scans of paper backings:

• disclose details of transactions related to the identification obligation or for which the FAO is investigating;
• provide documentary evidence of such transactions or give access to them to authorised FAO staff when examining STRs and exercising administrative supervision;
• provide information on persons involved in any way in the transactions in question.

The obliged entity shall provide clients with the information required under the provisions of Section 11 of Act No 101/2000 Coll., on the protection of personal data, before establishing a business relationship or conducting a business outside a business relationship. This information shall in particular contain a general warning regarding the obligation of the obliged entity to process personal data for the purpose of preventing ML/FT.

Measures to implement deferral of client order

A proclamation of an FAO decision to defer compliance with a client order may be made orally, by telephone, by fax or by electronic means, but a copy of the written copy of the decision is always subsequently served.

Where the obliged entity has notified the FAO of a suspicious transaction, the basic deferral period of the client order, including its extension, shall be calculated from the time the FAO received the notification.

If the obliged entity has not notified the FAO of the suspicious transaction and the FAO decides to postpone the fulfilment of the client order or the seizure of the property, the beginning of the period is determined by the declaration of the FAO decision.

The obliged entity shall in turn certify to the FAO that the deferral of the client's compliance has been deferred, that the extension has been applied, or that the security of the property has been realised, and confirm the time from which the period is calculated.

In addition, the obliged entity shall keep the FAO informed of all material facts concerning the assets identified in the decision (e.g. attempts to break collateral).

If the FAO has not informed the obliged entity by the end of the period specified by it that it has made a complaint or has revoked the detention order by decision before the end of the period, the obliged entity may carry out the client's order.

If the FAO notifies the law enforcement agency within the deadline, the suspension of compliance with the client's order or seizure of the property shall be extended by 3 working days from the date of the complaint in question. The FAO informs the person liable of making the complaint. The obliged entity therefore carries out the client's order at the earliest after the expiry of a period of 3 working days from the date of the complaint, but only if the law enforcement agency has not decided by the end of that period to withdraw or secure the object of the suspicious transaction. The period of 3 working days shall end either at the end of the period or earlier, provided that the law enforcement authorities implement the appropriate precautionary measures before the expiry of that period. (The time limit of 3 working days is calculated from the beginning of the day following the date on which the FAO filed the complaint.)

Where the Company has executed a client's order because postponing the order could frustrate or otherwise jeopardize the investigation of a suspicious transaction, it will always inform the FAO of the client's MLRO compliance.

12. Non-disclosure clause

Company and all employees Companies are required by Section 38 of the AML Act to maintain confidentiality and thereby ensure in particular:

• Undisturbed conduct of inquiries into suspicious trade;
• protection of processed and stored information for as long as the results of the investigation are transmitted to another authority pursuant to Section 32 of the AML Act;
• maintaining the possibility of applying protective measures against property in any subsequent criminal proceedings;
• Protect those reporting suspicious transactions from threats or hostile acts.

The confidentiality obligation applies to:

• the submission of an STR and its investigation under § 18 of the AML Act;
• property collateral under section 20 of the AML Act;
• fulfilment of the information obligation under § 24(2)) 1 AML of the law.

The confidentiality obligation shall not be waived by the transfer of the Company's employees to another job, the termination of their employment relationship or the cessation of the Company's activities referred to in Section 2 of the AML Act.

Any facts that are subject to confidentiality are bound to be kept confidential by anyone who learns about them.

13. Provisions for providing staff training

All employees of the Company are required to give informed consent to having read and understood these Measures and to give their consent in writing within 30 days from the date of commencement of their employment. Regardless of job position, each Company employee shall undergo an Inter AML/CFT training organised and approved by MLRO. Staff in the KYC and Risk Department will also receive specialised training from respected training providers to further develop and reflect new trends in suspicious transactions, identification and control of individuals, while reflecting in the form of updated training material to other staff.

Internal AML/CFT training for all staff is designed to provide information to all staff and their understanding of the following:

• AML Company policies and processes, incl. legislation in relation to AML/CTF;
• typologies and characteristics of suspicious transactions;
• processes for detecting and evaluating suspicious transactions;
• client reception and risk assessment processes;
• determining client risk profile;
• procedures for establishing a business relationship, correct application of CDD and EDD;
• penalty monitoring and PEP identification;
• cases where a business relationship is not established or is dissolved;
• changes to AML or internal regulations contain internal AML principles;
• processes for internal STR submission;
• regulatory changes;
• record retention requirements;
• the consequences of non-compliance with both the Company's Measures and the AML/CFT Regulations.

Company employees will confirm their presence at the training sessions by signing attendance. The company archives attendance together with personnel training records and a list of topics discussed.

By way of management, the Company will carry out an ongoing compliance check within the Company among its employees. This includes also the action taken by MLRO:

• Investigation, testing and evaluation of the effectiveness and functionality of the system of measures to prevent MLs and legalise proceeds of crime and TFs;
• verifying the compliance of these internal rules with the relevant legislation;
• Performing random checks on staff to prevent so-called "insiders".

14. Provisions on drafting assessment reports of obliged entities

MLRO shall produce an annual report evaluating the Company's ML prevention activities (hereinafter referred to as the ‘Evaluation Report’) no later than the end of the fourth calendar month following the end of the period for which they are processed, and submit it to the director. The company keeps the evaluation reports for 5 years.

The evaluation report shall consist of the following:

• Evaluation of the effectiveness of processes and measures applied to ML prevention;
• Evaluation of deficiencies in internal regulations, processes and arrangements with subsequent risk assessment; if deficiencies are detected, suggesting steps to eliminate them;
• An assessment of the compliance of internal regulations with relevant legislation;

Statutory body The company, shall discuss the evaluation report no later than 4 months after the end of the period for which it is being prepared and shall comment on the shortcomings identified and the proposals contained therein.

15. Binding and Effectiveness

The Company constantly monitors developments and changes in the fight against ML/FT (i.e. laws, decrees, government regulations, etc.) and trends in the development of risks associated with the area of business. For legislative changes, the Company will bring the content of the Measure into line with legislative changes and ensure that all employees affected by such changes are trained. Similarly, the Company is proceeding with the detection of new risks and taking necessary complementary measures to mitigate them.

These measures are binding on all Company employees and effective with them from 23rd of October 2020.

Annex 1 KYC and Client Risk Assesment

This form is only for accepting new Clients. It must be completed by a member of the KYC or Risk team and signed by the MLRO and management (if necessary for high-risk clients) prior to activation of the Client Account. The AML policies and risk profile of the client that the Company accepts must be taken into account in the process of defining the risks associated with the new Client. Some questions may not be relevant to a particular Client, not filling them out does not automatically imply higher risks. For non-relevant questions, the filling employee is required to explain the reason and provide supplementary information to the Company's internal system.

The purpose of the form is to provide Client Assessment for the KYC and Risk team so that the Client can be evaluated and accepted, taking into account the associated risks and the Company's services used by the Client. Complete completion of KYC and Customer risk and onboarding will determine whether and how to perform the Client check as well as what additional measures the Company will accept if the Client is accepted.

Filling employee

Name of the person filling out the report/ department
Date

 

Client identification

Name
Form of business activity (Plc, LP, Ltd., other)
Business Name
Company Address
TIN/Company Registration Number
Registration Date
Regulated activity (if Yes what type + licence number)
Name of regulator (if relevant)
Client website
Other places of conduct business (country)
Contact point of operation (address, contact details)

 

Company Structure/Identification of Beneficial Owners

Specify the nature of the client's ownership structure, e.g. sole trader, Ltd., LP, holding.
Provide the names of all directors/shareholders/partners and their shares in %.
Are there nominees in the company?
Was the company founded with bearer shares or similar instruments? (Yes – What type/No)
Have Beneficial Owners been identified?
List of all beneficial owners (all)
Is the person who has PEP status a member of the body of the company or the owner of the company?
Is a member of an organ of a company or the owner of a company a person who, according to the information available, has been convicted, indicted or charged in connection with a crime, has a criminal record?
Has the Beneficial Owner been identified personally? If so, please state his name.
Has the Beneficial Owner been identified electronically/remotely? If so, please state his name.
Was Client the subject of searchable negative media reports? State the nature and source of such negative reports.
List the steps taken to verify the veracity of negative information in the media.

 

Client Services

Client Business Sector
Description of the client's services or goods offered.
Please list Client's supplier (existing, planned, incl. country of business).
Specify Client customer (existing, planned, incl. country of business).
Indicate the likely area from which Client customers originate/will originate.

Estimated volumes - Year 1

Estimated monthly amount of transactions (QUANTITY/CURRENCY)
Estimated amount of trades in one transaction (QUANTITY/CURRENCY)

 

Rating your own risks

What rating was assigned to Client (high/medium/low).
Reasons behind the decision (In accordance with the Measures and established under JMSLG[2].

 

The assessment of own risks is based on the JMSLG methodology table below

The company uses the JMSLG methodology as the industry standard along with meeting the relevant legislative requirements.

Additional/Residual RISK

Other, or residual, risks remain after self-risk controls are applied. They are determined by the difference between the level of own risks and the overall level of risk management/control. The residual risk rating is used to assess if ML risks are adequately managed within a financial institution.

OWN RISKS	LEVEL OF CONTROL	RESIDENTIAL RISKS
LOW	90-100%	LOW
	80-90%	LOW
	under 80%	MEDIUM
MEDIUM	90-100%	LOW
	80-90%	MEDIUM
	UNDER 80%	HIGH
HIGH	90-100%	MEDIUM
	80-90%	HIGH
	UNDER 80%	HIGH

 

Initial recommendation of the risk management employee and KYC in relation to client acceptance

Does the employee recommend accepting such a client?	If Yes, state the reasons for such a decision, taking into account the JMLSG guidelines.	If No, give reasons for such a decision, taking into account the JMLSG Directives.
Yes/No
If the employee recommends the acceptance of the client, does the necessity of applying the client due diligence measures or client monitoring take into account the client in relation to the Client or its customers?	If so, give reasons for such a decision, taking into account the client's risk rating, the EDD measure and the increased monitoring required.	If not, give reasons for such a decision taking into account the client's risk rating as well as other parts of the Measures.
Yes/No

 

Management oversight

Date the report was first produced
Date of approval by Head Compliance and Risk Department
Date of management approval (for accepting high-risk clients)

NAME RISK FACTORS IN RELATION TO THE CLIENT STATE

1. RISK FACTORS CLIENT

1. Business or professional activity

Risk factors that may be determinative of the risks associated with the commercial or professional activities of the Client or the Beneficial Owner include:

• Do Client or Beneficial Owner have links to sectors associated with high risks of corruption, such as construction, pharmaceuticals or healthcare, arms trade, mining and public procurement?
• Do Client or Beneficial Owner have links to high-risk ML or TF-related industries, such as money exchange business, casinos, rare metal distributors?
• Do Client or Beneficial Owner have links to an industry where there is a significant amount of cash?
• If the Client is a legal person, what is the purpose of its establishment? For example, what is the nature of its business?
• Does the Client have political connections, such as being a politically exposed person (PEP) or is he the Beneficial Owner of PEP? Does Client or Beneficial Owner have a significant connection to PEP, e.g. is one of the directors of Client PEP? And if so, does PEP exercise significant control over the person of the Client or the Beneficial Owner? What jurisdiction is PEP, its business or the business it is connected to?
• Does the Client or the Beneficial Owner hold any other public office that allows him to abuse such an office for personal gain? Do they, for example, hold a senior position or a regional function in the public administration with the possibility of influencing the award of contracts, decisive members of senior sports bodies or natural persons known to influence government or other senior decision-makers?
• Is the Client a legal person subject to enforceable disclosure requirements, ensuring that responsible information about the Client's beneficial owner is publicly available, e.g. exchange-traded companies, which allow such disclosure under the terms of reference?
• Is the client a credit or financial institution from a jurisdiction with an effective AML/CFT regime and is supervised for compliance with AML/CTF obligations? Is there any evidence that Client has already been subject to sanctions by the oversight body or enforcement for non-compliance with AML/CTF obligations or extended obligations during recent years?
• Is the Client a public body or a national enterprise from a jurisdiction with low levels of corruption?
• Is the background of the Client or Actual Owner consistent with the information the Company has on the original, current or planned business, turnover, origin of money or source of the Client's or Actual Owner's assets?

2. Reputation

The following risk factors may be significant when considering the risks associated with the Client's or Beneficial Owners' reputation:

• Have any negative media reports or other substantial information sources about Client been published? For example, have there been any criminal or terrorism charges against Client or its Beneficial Owners? And are they trustworthy? The company will determine the credibility of allegations based on the quality and independence of data sources and, among other things, the frequency of reporting such allegations. The lack of a criminal record may be insufficient to stop a charge of any illegal activity.
• Have Client, the Beneficial Owner or a person publicly known and close to Client had their assets frozen because of administrative or criminal proceedings, or a terrorism or terrorist financing claim? Does the Company have reason to suspect the Client or the Beneficial Owner, or a person publicly known and close to the Client, that they have previously had their assets frozen?
• Does the Company have information that the Client or the Beneficial Owner would be the subject of a suspicious past activity report?
• Does the Company have its own information on the integrity of the Client or the Beneficial Owner, obtained for example in a long-term business relationship?

3. Nature and behaviour

The following risk factors may be significant when taking into account the risks associated with the nature and behaviour of the Client or the True Owners (all of the following risks will initially be unrecognisable, however they may occur within a pre-existing business relationship):

• Did the Client give legitimate reasons for his inability to provide sufficient evidence of his identity, presumably because he is an asylum seeker?
• Does the Company have doubts about the authenticity or accuracy of the Client's or Beneficial Owner's identity information?
• Are there indications that Client might seek to avoid creating a business relationship? For example, that it expects to carry out one or several one-off transactions when creating a business relationship would be of greater economic importance?
• Is Client's ownership and management structure transparent and makes sense? If the client's ownership and management structure is complex or patchy, is there an obvious economic or legal reason behind it?
• Does Client issue bearer shares or have nominee shareholders?
• Is the Client a legal person or arrangement that can be used as an asset holding tool?
• Is there a clear case for changes to the client ownership and management structure?
• Does the Client require transactions that are complex, unusually large or have unusual or unexpected patterns without a clear economic or legal reason or a reasonable business reason? Are there reasons to suspect Client of trying to avoid certain levels?
• Does Client Require Unusual or Inadequate Privacy Levels? Does the Client, for example, refuse to share CDD information or provide it in such a way as to conceal the true nature of its activities?
• Is it possible to explain the origin of the Client's or Beneficial Owner's assets simply, for example, by his employment, inheritance or investment?
• Does the Client use its products or services as expected only from the time the business relationship was established?
• If the Client is non-resident, could its services be better provided elsewhere?
• Is there a reasonable economic or legal reason for a client to require this type of financial service?
• Is the Client a non-profit organisation whose activities expose it to a high risk of abuse for terrorist financing purposes?

2. RISK FACTORS OF COUNTRIES AND GEOGRAPHICAL AREAS

In identifying the risks associated with countries and geographical areas, the Company shall take into account the risks associated with the following:

1. the jurisdiction where the client or the beneficial owner has its country of origin or domicile;
2. the jurisdictions in which the Client's main operations are located;

If a Client-Legal Person has its registered office or principal place of business in a country included in the list of high-risk countries in Annex 2, such a circumstance is automatically a reason not to establish a business relationship, because of the disproportionate risk to the Company.

If a Client-Legal Person has its registered office or principal place of business in a country included in the list of risk countries in Annex 2, such a circumstance is automatically a reason not to establish a business relationship, because of the disproportionate risk to the Company.

If a Client – a natural person, has a country of origin in a country included in the list of high-risk countries in Annex 2, such a circumstance is automatically a reason not to establish a business relationship.

If a Client – a natural person, has a country of origin in a country listed on the list of risk countries in Annex 2, a business relationship can only be established if the Client was identified in the physical presence and the Client was subject to due diligence.

3. RISK FACTORS CONNECTED WITH PRODUCTS, SERVICES AND TRANSACTIONS

In identifying the risks associated with its products, services or transactions, the Company must take into account the risks associated with:

1. the level of transparency or opacity of products, services or transactions;
2. the complexity of a product, service or transaction;
3. the value or range of products, services or transactions.

The risk factors that may be relevant when considering the risks associated with the transparency of products, services or transactions include:

• To what extent do products or services allow anonymity or lack of clarity in relation to Client, ownership structure or Beneficial Owners, e.g. pool accounts, bearer shares, deposits via splitting, offshore or trust funds, legal entities such as foundations structured in a way that promotes the possibility of anonymity and dealing with shell companies or companies with so-called nominee shareholders that may be exploited for abusive purposes?
• To what extent is it possible for a third party not part of a business relationship to give instructions e.g. in a correspondent banking relationship?

Risk factors that may be relevant when taking into account risks associated with the complexity of products, services or transactions include:

• To what extent are transactions complex and involve multiple parties or multiple jurisdictions, e.g. certain commercial financial transactions? Are the transactions direct, e.g. regular payments to the pension fund?
• To what extent do products or services allow them to accept payments from third parties or to accept excessive payments that were not expected? If the expected payments are from third parties, does the Company know the identity of such a party? Or are products and services paid exclusively by transfers from the Client's own account held with a financial institution subject to AML/CFT standards and supervision comparable to that in the EU?
• Is the Company aware of the risks associated with new or innovative products or services, especially if this involves the use of new technologies or payment methods?

Risk factors that may be relevant to account for risks associated with the value or range of products, services or transactions include:

• To what extent is cash used for products or services such as payment services but also for certain current accounts?
• To what extent do products or services allow high-value transactions? Are there restrictions on transaction volumes that would limit the use of products or services for ML or TF purposes?

4. RISK FACTORS OF TRANSACTION CANALS

In identifying the risks associated with how a Client acquires products or services, the Company must consider the risks in relation to the following:

1. The extent to which a business relationship is conducted on an impersonal basis;

As part of the assessment of the risks associated with the way Client acquires products or services, the Company must take into account a number of factors, as set out below:

• is the Client physically present for authentication purposes? If not present, has the Company used a reliable form of impersonal identification? Has it taken steps to prevent AML risks regarding client identity?
• Has the Client been introduced from a non-financial segment to what extent can the Company rely on this performance as an assurance that the Client does not pose an excessive ML/TF risk to the Company? What has the Company done to make sure that the group from which Client originates applies CDD measures at EU standards level?

2. If the Client has been introduced by a third party, e.g. a bank that is not part of the same group, is it necessary to ask if the third party is a financial institution or is its main business activity other than providing financial services? Has the Company verified any of the following:
   • A third party applies CDD measures and maintains records according to EU standards and is supervised on AML/CFT obligations comparable to those of the EU?
   • Did the third party immediately upon request provide relevant copies of identification and verification data, including in accordance with the requirements of EU standards?
   • Can reliance be placed on the quality of third party CDD measures?

• Does Client use a broker, is it due?

3. Regulated person, subject to AML obligations, equivalent to those within the EU regime?
4. Person subject to effective AML supervision? Are there indications that the level of compliance of the intermediary with the relevant AML legislation is insufficient, e.g. because the intermediary has been sanctioned for breaching obligations under the AML/CFT regulations? Or is it based in jurisdictions where there is a high risk of ML/TF?

Annex 2 List of risky and high-risk countries from the perspective of preventing money laundering and terrorist financing

Risk countries according to the categorisation of high-risk jurisdictions of FATF (2021) with strategic deficiencies in AML/CFT as divided by the following list of countries published according to FATF (FATF list) and list of countries according to the European Commission standard (Commission Regulation (2016/1675), Directive (EU) 2015/849).

2.1 List of high-risk countries according to AML/CFT measures that are sanctioned and prohibited to onboard:

Iran

North Korea

Russia

If the Client has the nationality, residence (permanent or temporary), registered office, branch or organisational entity mentioned in the list of risk countries above, this circumstance is reinforced when assessing the risks as high risk and can’t be accepted.

If a Client has a country of origin listed in the above-mentioned list of high-risk countries, that circumstance automatically justifies not establishing a business relationship because of the disproportionate risk to the Company.

In the case of a country matching at multiple levels, the risk assessment takes into account the category of high risk country, ahead of the risk country.

Any changes made to the risk country lists (FATF and EU list) are taken into account in turn (thanks to automatic monitoring of new reports from the relevant sources below) and applied from the moment the content of this Annex changes and refells in the Company's internal system.

Overview of existing restrictive measures in the Czech Republic

http://www.financnianalytickyurad.cz/mezinarodni-sankce/aktualne-o-sankcich.html
FATF list:

http://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/call-for-action-february-2021.html

European Union restrictive measures in force (sanctions):

https://www.sanctionsmap.eu/#/main

OFAC restrictive measures in force (sanctions):

https://sanctionssearch.ofac.treas.gov

Further information on AML/CFT can be found here:

https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx 

http://eur-lex.europa.eu/homepage.html

Annex 3 STR

SUSPICIOUS TRANSACTION REPORT / OZNÁMENÍ PODEZŘELÉHO OBCHODU

Finanční analytický úřad Poštovní přihrádka 675, Jindřišská 14 111 21 Praha _______________________________________________________________________

In /v Prague, on / dne ………

Věc: Suspicious transaction report / Oznámení o podezřelém obchodu

Povinná osoba/obligated entity - § 2 odst. 1 písm. b) bodu 5 ZAML:

IGBFA s.r.o., se sídlem Jelinkova 982/26, 616 00 Brno-Žabovřesky, IČO 08009783

zapsaná v Obchodním rejstříku MS v Praze, oddíl C, vložka 281813
Identifikační údaje/Identification:

Jméno a příjmení, název obchodní společnosti/Name:

RČ (datum narození), I/date of birth, ID number:

Místo narození/Place of birth:

Pohlaví/Sex:

Trvalý nebo jiný pobyt/Residence:

Státní občanství/Citizenship: 

Jednající (u PO)/Representing:

Identifikační údaje všech dalších účastníků obchodu / Identification of all other business participants: Typ obchodu/type of transaction:

Informace o podstatných okolnostech obchodu/ Information on transaction circumstances:

Safe Payments Solutions s.r.o.

MLRO………

INTERNÍ HLÁŠENÍ O PODEZŘELÉM OBCHODU/INTERNAL SUSPICIOUS ACTIVITY REPORT

Identifikace pracovníka/identification of employee jméno a příjmení/ name:

Útvar/Unit: …………………………………… 

Identifikační údaje toho, koho se oznámení týká/Indetification of subject of report:

Jméno a příjmení, název obchodní společnosti /name:

RČ (datum narození),identifikační číslo/date of birth, ID number:

Místo narození/Place of birth:

Pohlaví/Sex:

Trvalý nebo jiný pobyt/Residence:

Státní občanství/Citizenship: 

Jednající (u PO)/Representing:

Identifikační údaje všech dalších účastníků obchodu /Identification of all other business participants: 

Informace o podstatných okolnostech podezřelé činnosti/Information on suspicious circumstances:

Informace o dosavadních postupech/provedení či odložení obchodu/Information about current process or about realization or postpone of transaction

Čas a datum oznámení /Time and date of report:

………………………………

Jméno,příjmení/Name
Útvar/Unit

Podpis /Signature

Annex 4 Record of staff training

Employee /Department	Training type	Training type	Training type	Training type
Employee name	Training Date	Training Date	Training Date	Training Date
Example
Employee /Department	Introductory AML Training	Internal policies and processes	AML/CFT	Updating internal policies
Jan Novák, KYC	1.3.2020	15.3.2020	15.3.2020	20.8.2020

---

[1] IGBFA s.r.o. – legalt entity estabilished under Civil Code and Business Corporation Act, based in Jelinkova 982/26, 616 00 Brno-Žabovřesky, reg. number 08009783.

[2] JMSLG - Joint Money Laundering Steering Group 

---

IGBFA s.r.o., trading as AlphaPays, is a company registered in Czech Republic under the registration number 08009783 with permission to provide services related to virtual assets