Anti-Money Laundering Policy
Anti-Money Laundering and Counter-Terrorist Financing Policy of UAB Amonra Limited
I. Introduction
Overview
UAB Amonra Limited (hereinafter referred to as “UAB Amonra” or “the Company”) is an financial institution established and licensed by the Bank of Lithuania under the laws of the Republic of Lithuania. Registered at Vilnius, Architektų g. 56-101, LT-04111, with Reg.No.306133544.
As a financial institution, UAB Amonra must comply with the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania. Money laundering is a criminal activity that involves disguising the proceeds of illegal activities as legitimate funds, while terrorist financing involves providing financial support to terrorist groups. These activities pose a significant threat to the global financial system and the stability of the economy. UAB Amonra is committed to preventing money laundering and the financing of terrorism in all its operations. The Company has established an anti-money laundering and counter-terrorism financing policy (also, “AML policy” or “The Policy”) which sets out rules of procedures the Company has put in place to meet obligations under AML laws and regulations. The policy adopts a risk-based approach that takes into account the nature, size, complexity, and diversity of the Company`s business, as well as the jurisdictions and countries in which the Company operates.
The Company regularly reviews its AML policy to ensure that it remains up-to-date and effective. All employees of UAB Amonra are required to comply with the AML policy as part of their job responsibilities.
Anti-Money Laundering Policy
What are the AML requirements for Cwallet?
Risk assessment. Conducting a risk assessment is essential to identify and mitigate potential AML risks. Implementing risk-based AML measures allows companies to allocate resources effectively and address high-risk areas.
Know Your Customer (KYC) and Customer Due Diligence (CDD). KYC procedures involve verifying the identities of customers and collecting relevant information to establish their legitimacy. This typically includes collecting personal information such as government-issued ID, proof of address, and, in some cases, conducting enhanced due diligence for high-risk customers. CDD involves assessing the risk associated with each customer and implementing appropriate measures to mitigate those risks. This may include ongoing monitoring of customer accounts and transactions, as well as periodic reviews of customer information.
Cryptocurrency transaction monitoring. VASPs are required to monitor transactions on their platforms for suspicious activity, such as large or unusual transactions, transactions involving high-risk jurisdictions, or patterns indicative of money laundering or other illicit activities. Reporting suspicious activity. VASPs are obligated to report any suspicious transactions or activities to the relevant authorities, such as financial intelligence units (FIUs), to aid in the investigation and prevention of money laundering and other financial crimes.
Compliance programs. VASPs are required to establish and maintain comprehensive AML compliance programs that outline their policies, procedures, and controls for preventing money laundering and complying with regulatory requirements.
This Anti-Money Laundering Policy (“Policy”) is a part of our voluntarily applied regime to prevent money laundering, terrorist financing, fraud, or other financial crime. References in these Terms to “we”, “our” or “us”, are to UAB Amonra, and references to “you”, “your” are to the person, including both individuals and entities, accessing or using our software, applications or services.
Upon accessing or using our software, applications or services, you agree to be legally bound by and to comply with this Policy that can be amended from time to time at our sole discretion.
Definitions The definition “entity” shall include any business, partnership, joint venture, agency, association, firm, corporation, limited liability company or other entity of any kind.
Identification and Verification The performance of identity verification is an essential part of our anti-money laundering regime. We require all our users to pass identity verification upon registration at our software and/or applications and at any moment thereafter.
For the purposes of this Policy we may require you to provide us with the following information: first name, last name, address, telephone number, e-mail address, date of birth, taxpayer identification number, a government identification, and, if applicable, information regarding your bank account (such as the name of the bank, the account type, SWIFT code, and account number). Also, we may request from you your driving license or any other national ID, internal or international passport, bank statement, utility bill, tax document and/or other documents that we consider necessary for your identification. We may request from you video identification or your selfie with a specified ID or passport.
When you act on behalf of an entity, in addition, we may require such entity to pass entity verification prior it starts using our services and at any moment thereafter. In this case, we may require you to provide us with the following information: business name of the entity, registry code or registration number and the date of registration; ID of the shareholders (same as for the natural person identification), ID of the director(s) and/or members of the management board (same as for the natural person identification), ID’s of the representatives (same as for the natural person identification), proof of the registered office/seat of the entity, ID’s of the beneficial owners (same as for the natural person identification), bank statements, proof of representation and powers; articles of association and/or other information and documents that we consider necessary.
The submitted documents (other than driving license, national ID, internal or international passport, articles of association or entity’s by-laws) should be issued no more than three months prior to the date of identification and should list your name and your current address. In providing us with this or any other information that may be required, you confirm that the information is accurate and authentic. You agree to keep us updated if any of the information or document you provide changes.
You acknowledge and agree that we may additionally investigate certain of our users who have been determined by us to be of the higher risk or suspicious.
You acknowledge and agree that we may use subcontractors for the purpose of your identity verification. In this case processing of the requested information and documents would be governed by such subcontractor’s privacy policy and you would be able to read such privacy policy before you submit any information.
You hereby agree to provide us or our subcontractors with the information we or our subcontractors request and you hereby permit us and our subcontractors to keep a record of such information.
You authorize us and our subcontractors to make inquiries, whether directly or through third parties, that we and our subcontractors consider necessary to verify your identity, prove your address, prove a source of your funds or protect you and/or us against fraud or other financial crime, and to take action we reasonably deem necessary based on the results of such inquiries.
We shall have the right to verify your identity, request you to prove your address, request you to prove a source of your funds on an on-going basis, including cases when your identification information has been changed or your activity seemed to be suspicious (unusual for you). We reserve the right to request up-to-date documents from you and/or represented entity, even though you have passed identity verification in the past.
Restricted and High-Risk Regions We may refuse your use of our software, applications or services if you are:
a. A citizen, a permanent resident or located at any state, country, territory or other jurisdiction that is embargoed by the United Nations or Lithuania;
a citizen, a permanent resident or located at any state, country, territory or other jurisdiction where your purchase, ownership and/or use of crypto assets would be illegal or otherwise violate any applicable law;
an entity established at or carrying day-to-day management from any state, country, territory or other jurisdiction, specified in subsections (i)-(ii) of this Section;
you are restricted or barred from conducting banking or financial transactions, in any jurisdiction or under any applicable laws;
you are placed on any list of suspicious persons banned from traveling or conducting business or financial transactions in any jurisdiction;
you are a politically exposed person (“PEP”) or a person connected with the PEP;
a representative of any of such persons specified in subsections (i)-(vi) of this Section.
b. Also, we may refuse your use of our software, applications or services if you are a citizen, permanent resident or located in the country which based on various criteria selected by our anti-money laundering team as imposing anti-money laundering or counter-terrorist financing high risk (for example Corruption Perceptions Index by Transparency International, FATF warnings, countries with weak anti-money laundering and terrorist financing regimes determined by authorities) or you are an entity established at or carrying day-to-day management from such country.
Refusal a. You hereby acknowledge and agree that we shall have the right at any moment to terminate your use of our software, applications or services without the obligation of any refunds to you in the following cases:
you provided us with false or incomplete information, you are reluctant to provide complete information or you refused to provide us with any requested information;
you are or become a citizen of, a permanent resident of, or your entity’s day- to-day management is transferred to any of country, territory or jurisdiction specified in subsections (i)-(ii) of Section 3(a) or in the Section 3(b);
you are or become restricted or barred from conducting banking or financial transactions, in any jurisdiction or under any applicable laws;
you are or were placed on any list of suspicious persons banned from travelling or conducting business or financial transactions in any jurisdiction;
you are or become a PEP or a person connected with the PEP;
we have the suspicion that you are engaged in illegal activity or you using funds that come from illicit sources.
b. We shall have no liability to you for any damage caused by such termination of your use of our software, applications or services.
Monitoring Transactions, Reporting We may monitor and analyze your transactions. We may perform compliance-related tasks, including capturing data, filtering, record-keeping, investigation management and reporting. We may place you on watch and service denial lists, open cases for investigation where needed, send internal communications and fill out statutory reports, if applicable.
We may check addresses of your cryptocurrency or crypto assets wallets against common blacklists and known security discrepancies, to ensure that the funds do not come from illicit sources, and there are no signs of money laundering (location, layers, integration), either manually or using a third party service.
We shall have the right to report your transactions of suspicious nature to the proper law enforcement, request you to provide any additional information and documents in case of suspicious transactions.
Purpose
The purpose of the Policy is: • To ensure that UAB Amonra conducts commercial business practices that comply with industry standards and are in line with the laws and regulations set forth by the governing authorities of the country, it is imperative to implement measures to combat money laundering and counteract terrorist financing activities.
• To achieve this, UAB Amonra must adhere to internationally accepted Know Your Customer (KYC) compliance standards and report suspicious activity involving money laundering promptly and in accordance with the directives of the Bank of Lithuania or any other applicable laws.
• To maintain a high level of awareness within the organization, it is crucial to train staff on identifying and processing ML/TF transactions, AML Policies, and Procedures, as well as to educate employees and customers on the seriousness of the impact of ML/TF activities.
• UAB Amonra must establish effective administrative processes to implement and adhere to the AML standards accepted internationally and Lithuanian laws, while also avoiding the opening of accounts for anonymous, sanctioned, or fictitious entities.
• Finally, staff must be provided with proper training and knowledge to verify the identity of prospective customers before establishing a relationship, ensuring that UAB Amonra complies with all relevant regulations and standards regarding ML/TF.
The Policy is based on following legislations and regulatory requirements: • Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing;
• Republic of Lithuania Law on Electronic money and electronic money institutions;
• Republic of Lithuania Law on Payment Institutions;
• Republic of Lithuania Law on Financial Institutions;
• Republic of Lithuania Law on Payments;
• FATF Recommendations;
• The United Nations Security Council Sanctions List (UN);
• The Consolidated List of European Union Financial Sanctions (EU);
• Sanction lists administered by the United States Office of Foreign Assets Control (OFAC); including the List of Specially Designated Nationals and Blocked Persons;
• Directive (EU) 2018/843 of the European parliament and of the council (5AMLD);
• Directive (EU) 2018/1673 of the European parliament and of the council (6AMLD);
• Other governmental sanctions lists.
Principles
Customers establishing business relationships with UAB Amonra must comply with the legal procedures and implement the ML/TF prevention measures. Employees depending on their position and functions within UAB Amonra must comply with the following principles covered in this AML Policy:
Risk assessment;
Customer due diligence;
Ongoing monitoring;
Transaction monitoring (including identification of suspicious transactions and reporting to FCIS);
II. Governance of AML
The governance structure of UAB Amonra assigns responsibilities for the effective implementation of the organization`s AML policies, monitoring structure, and overall accountability. To align with our business requirements, this structure incorporates guidance from the Bank of Lithuania and relevant EU directives, along with elements consistent with evolving best practices in the industry.
III. Business wide risk assessment
The Company uses a risk-based approach for identifying and assessing money laundering and terrorist financing risks that may appear in the Company`s business. The Company constantly assesses and manages the risks of Money Laundering and Terrorist Financing related to its activities and business relationships. To identify the risks, the Company applies comprehensive customer due diligence, business relationship and transaction monitoring measures, including periodic reassessment of the risks at both business wide and customer level.
The business wide ML/TF risk assessment serves as a means of establishing the level of risk to which the company is exposed, while also identifying its areas of vulnerability in terms of AML/CTF. The assessment additionally assists in tracking the evolution of relevant risk criteria and levels over time, thereby making it possible to determine whether the changes identified necessitate the implementation of additional measures or re-evaluation of currently-established risk tolerance levels. Furthermore, such risk assessment enables the identification of specific activity areas that may require additional resources. The Board of the Company should understand the nature and level of the risks that the Company is exposed to and ensure that systems and processes are in place to identify, assess, monitor, manage and mitigate ML/TF risks.
To assist the Board of the Company, the MLRO will prepare an ML/TF risk assessment report for the Company that assesses the inherent risks facing the Company, outlines the controls in place to mitigate the inherent risks and produces a residual risk rating for the Company. The ML/TF risk assessment report incorporates the findings of the Lithuanian National Risk Assessment of Money Laundering and Terrorist Financing Report into its business wide ML/TF risk assessment process.
The business wide ML/TF risk assessment framework includes a consolidated assessment of ML/TF risks that at least include the following types of risk: • Customer risk;
• Product or service risk and/or operational risk;
• Country-based risk and/or geographical.
Business wide ML/TF risks are rated on two levels: the vulnerability or likelihood of the Company to the risk occurring, and the threat or impact of the risk occurring. The results of those two ratings form the basis for the calculation of the risk level. The same approach is used to assess both inherent and residual ratings.
The business wide ML/TF risk assessment of all activities would be carried out, reviewed and updated regularly, but at least once a year and/or upon the occurrence of significant changes. The business wide ML/TF risk assessment process is described in “Money Laundering and Terrorist Financing Risk Assessment Procedure”. After conducting business wide ML/TF risk assessment, the MLRO should write the business wide AML risk assessment report and provide it to the Company`s Board for approval. If identifying that existing risk management measures are inadequate, the MLRO or AML Board Member shall establish a risk management / mitigation plan to be approved by the Board.
The Companys Board receives the risk assessment report and the action plan for managing (mitigating) money laundering and/or terrorist financing risks. Subsequently the Companys Board obliges the responsible division(s) to inform the Board about its implementation on a regular basis. The Company shall keep risk assessments up to date. All risk assessments shall be documented and kept in a written form with a maintenance control register.
IV. Customer due diligence
For the Company, Customer due diligence (CDD) is one of the main AML/CFT measures and is crucial in the process of identification, assessment and mitigation of ML/TF risks. CDD helps the Company understand whether Customers are who they say they are and enables them to assist FCIS and other competent authorities by providing information about suspicious activity which are being investigated. CDD process includes below:
• Identify the customer and verify the customers identity on the basis of documents, data or information obtained from a reliable and independent source;
• Identify the BO and take reasonable measures to verify that persons identity so that the Company is satisfied that they know who the BO is;
• Assess and, as appropriate, obtain information on the purpose and intended nature of the business relationship; and
• Conduct ongoing monitoring of the Business Relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the Company`s knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.
The timing of CDD
The Company performs due diligence in following situations:
• Prior to establishing a business relationship;
• Prior to executing one-off or several linked transactions or concluding transactions amounting to EUR 15 000 or more, or an equivalent amount in foreign currency, whether the transaction is carried out in a single operation or in several operations which appear to be linked, except for the cases where the customer and the beneficial owner have already been identified;
• When there are doubts about the veracity or authenticity of the previously obtained identification data of the customer and beneficial owner;
• In any other case, when there are suspicions that an act of money laundering and/or terrorist financing is, was or will be carried out. When identification or verification process (including EDD measures) cannot be completed within the requested time frame, the Company should:
• Terminate the business relationship after 60 business days;
• Assess whether the circumstances surrounding the failure to identify or verify identity provide grounds for suspicion of ML/TF/PF; and in such circumstances, the person concerned must consider making an Internal SAR/ATR to the MLRO based on the information in their possession (remaining aware of the tipping off obligations - see Suspicious Activity section below).
The business relationship can only commence after the Company has duly performed at least the following actions:
• Identified the customer and verified its identity;
• Identified the BO and verified its identity;
• Determined the purpose and intended nature of the business relationship;
• Assessed the ML/TF risk of the customer and allocated the customer to an appropriate risk category;
• Screened the relevant persons against the relevant financial sanctions list;
• Made sure there are no grounds to apply EDD (including screening the relevant persons against PEP lists), and applied EDD in case necessary.
Customer identification and verification
The Compliance Analyst (the CA) is responsible for customer identification, data collection and verification. All customers of the UAB Amonra must be identified appropriately. The Company will not enter into a new relationship or continue existing relationships:
• If the customer provides false or fraudulent information and/or documents;
• If the customer avoids to provide information and/or documentation to identify the customer and/or beneficial owner;
• If the customer fails to provide information and/or documentation within a reasonable time frame;
• If the customer is hesitant or fails to provide the required information and/or documentation;
• If there is suspicion that the business may be criminal in intent or origin;
• If the approval is not provided to accept the customer.
Declined business relationships should be recorded in the system and consideration should be given to making an SAR/STR to the MLRO if necessary. Customer identification methods The Company uses face-to-face and non-face-to-face (when the customer is not physically present) identification methods.
Face-to-face • When the customer or its representative is physically present. Non-face-to-face (remote)
• When the customer or its representative is without physical presence, the Company establishes the identity of the customer and/or BO by using electronic identification means allowing video streaming: the customers facial image and the original of the identification document or the equivalent residence permit in Lithuania produced by the customer are captured by way of video streaming, during the video streaming - The Company collects direct transmission of a picture of the customers face and of the displayed original identification document: the customers facial image is photographed from the front (face and shoulders of the customer need to be visible, the image must be clearly visible and distinguishable from other objects in the background); A direct picture transmission of the presented original identification document is conducted. The Company applies a self-developed program to ensure that the process of taking pictures is uninterrupted and that it is impossible to transfer images not in real-time, ensuring to record high quality pictures, allowing the records to be easy to reproduce and save, ensuring that the data received by using such program cannot be altered or used for other purposes incompatible with customer identification.When Customer, representative and the BO(s) identification using the above mentioned video streaming tool is be performed, at least the following requirements are fulfilled:
1.It is performed in real time;
2.The presented document images and/or the Customers face must be clearly visible;
3.The continuity of the streaming process is ensured. If the process is discontinued, the identification has to be repeated;
4.The quality of directly transmitted pictures must be of such quality that allows to easily scan the information from the provided identification documents and to clearly see facial features of the person pictured in the identification document.
Information and documentation collection
The compliance analyst must collect information and documentation in order to verify the identity of the customer and related parties (such as beneficial owners, representatives and others). In identifying the customer (legal person) the Company has to obtain the following data on the customer: • name;
• legal form;
• registered office address;
• actual business address;
• legal code (if any);
• extract from the register and the date of its issuance.
The Company must request from the customer the following identity data on the BO(s):
• name;
• surname;
• personal code. For a foreign national - date of birth (if available - personal code or any other unique sequence of symbols intended for the identification of a person); number of residence permit in Lithuania and its term of validity, place and date of its issuance;
• citizenship. If the person is stateless - the country which has issued the identification document. Also, the Company has to obtain information about the manager of the customer (legal person):
• name(s);
• surname(s);
• personal code. If the manager is a foreign national – date of birth (if available – personal code or any other unique sequence of symbols intended for the identification of a person);
• citizenship (if the person is stateless – the country which has issued the identification document). The Company may obtain data or information on the manager of the customer (legal person) directly from the state information systems or registries and not to require such data or information from the customer (legal person).
For a customer (legal person) that is in the process of incorporation but is not yet incorporated, the Company should require at least original copies of an incorporation act or memorandum of incorporation and, if deemed necessary, a document evidencing the authority of the Customers representative. The customer (legal persons) representative also has to provide a document evidencing the authorization and the Company has to verify:
• the validity of the document (i.e. the right of the issuing person to issue such authorization);
• the date of expiry of the authorization;
• the actions to be performed under the authorization.
Where the customer (legal person) is represented by a natural person, the identity of such representative has to be established in the same manner as applied to the customer (natural person). In identifying the Customer (natural person), the Company has to obtain the following data:
• name(s);
• surname(s);
• personal identification number (in the case of foreigners – the date of birth (if any – personal identification number or other unique sequence of symbols assigned to the person for identification purposes, the number and validity term of the residence permit in the Republic of Lithuania, place and date of its issue (applicable to foreigners));
• photo;
• signature (unless it is not necessary in the identification document);
• citizenship (in the case of a stateless person – the country where the personal identity document was issued).
In order to verify the above information the Company must obtain the appropriate documents. Normally the data referred to the Customer (legal person) above is provided for in the extract from the Register of Legal Entities of the Republic of Lithuania or equivalent registers abroad. In case the aforementioned documents are obtained from the Customer itself, they have to be either in an original form or copies certified by a notary public.
Verification The identification Information and documentation provided by the customer must be verified based on data obtained from reliable and independent sources. The compliance analyst has discretion to choose sources to be considered as reliable and independent. Some of sources that company considers as reliable:
• Consolidated lists of persons, groups and entities subject to the Lithuanian, EU, OFAC or United Nations financial sanctions: www.urm.lt http://eeas.europa.eu/cfsp/sanctions/consol-list/index_en.htm https://sanctionssearch.ofac.treas.gov/ https://www.un.org/sc/suborg/en/sanctions/un-sc-consolidated-list
• Register of the Legal Persons of the Republic of Lithuania: http://www.registrucentras.lt/jar/
• Worldwide database of the registers of legal persons: https://www.gov.uk/government/publications/overseas-registries
Additionally, the compliance analyst uses a web-based tool – Sumsub, which performs searches for following:
• Watch list (Sanctions, PEPs, etc.): a comprehensive database of sanctioned persons from OFAC, EU, UN, and worldwide governmental Sanctions lists, as well as PEPs.
• State Owned Entities: worldwide SOE data that help identifying and monitoring corruption risk.
• Adverse Media: identification of persons/companies that may have had negative media coverage. During verification process, the compliance analyst must:
• Check consistency of all information provided, and diligently scrutinize any observed disparities between accompanying documentation and the disclosed information;
• Compare all information that is provided by the customer with information that was obtained by the Company from reliable and independent sources;
• Use provided Sumsub tool to screen against sanctions and adverse media (the customer and all related entities/individuals must be screened) while checking the customer, beneficial owner/-s and other related parties;
• Use search engines (i.e., google.com) to search customers names with certain keywords related to ML/TF (i.e., “fraud”, “drug trafficking”, or “terrorism”). Detailed process of information collection and verification is described in the Companys KYC Procedure. In case of any suspicion, the designated employee must consult with the MLRO on further actions.
Customer risk assessment
Customer risk assessment is critical to maintain the integrity of the companys business operations and protecting against financial losses or reputational damage. The Company must put in place internal procedures to carry out a risk-based approach to evaluate potential ML/TF risk associated with each customer, subsequently dividing customers into risk groups, thereby determining the requisite level of due diligence measures that are to be implemented. The customer risk assessment must take into account at least the following risks: • Jurisdiction of the customer (e.g., the countries in which the customer (and its beneficial owner(s)) reside or from which they operate); • Customers characteristics, including nature and purpose of the relationship or nature of the transaction;
• Product, service, transaction and delivery channel risks, including volume, sizes, and counterparties.
To evaluate each customers overall risk the Company uses Customer Risk Assessment Model which is provided in the Companys Money Laundering and Terrorist Financing Risk Assessment Procedure. The Risk Model serves as a valuable tool for assessing the level of ML/TF risk associated with incoming customers while also facilitating continuous monitoring and reassessment of such risks. Once the Customer Risk Assessment Model automatically generates a customer risk level, compliance analysts will review it and ensure it is appropriate and in alignment with the customer profile. When necessary, a customer risk level can be also adjusted manually. When compliance analysts discover a customers risk level is inappropriate he/she may escalate to the board of directors for final decision. Each UAB Amonra customer has only one risk level assigned: low, medium, high, prohibited. The Company does not establish new or continue existing relationships with customers that are of prohibited risk level. During the customer onboarding process, a customer will be carried out a risk assessment and assigned a risk level by evaluating the customers profile.
During business relationships, periodic risk assessment for existing customers rated high shall be reviewed and updated on at least an annual basis, customers rated medium shall be reviewed and updated every two years, and customers, who are rated low risk, shall be reviewed and updated every three years. Trigger events for risk reassessment are events that warrant a review of the existing customers accounts and applicable CDD outside of the periodic review time frames. 23The Company will not solicit, open or maintain the type of accounts listed below:
• Accounts where the Company is unable to identify the Customer and beneficiary;
• Payable through Accounts;
• Foreign accounts for individuals or entities from countries designated by FATF-GAFI as high-risk jurisdictions subject to a Call for Action (i.e. "black list");
• Foreign accounts for individuals or entities that are currently sanctioned by UN, EU, OFAC, and other governmental sanctions;
• Accounts for Political Campaigns;
• Accounts for Shell Banks;
• Accounts for engaging in business activities that are prohibited under this Policy;
• Other prohibited types of customers/accounts, i.e. those identified based on the results of the Risk Assessment Model used to assess each customers potential risk, as well as those are out of the Companys risk appetite. The detailed list of risk appetite is outlined in the Companys Money Laundering and Terrorist Financing Risk Assessment Procedure.
The Company is accountable for ensuring that the process for performing the risk assessment of money laundering and terrorist financing is properly regulated, subject to regular reviews, and periodically updated as needed. At a minimum, the Company should define criteria for determining risks, outline risk factors, and define the detailed process for assessing the money laundering and terrorist financing risk of the customer.
Enhanced due diligence
The Company applies stricter customer due diligence measures in order to better understand potential risks with high risk customers, activities or transactions. Enhanced due diligence (EDD) measures cannot be substituted for regular CDD measures but must be applied in addition to regular CDD measures. EDD is conducted if the customer involves the following cases:
• Dealing with politically exposed persons (PEPs) or their immediate family members or close associates (currently the Company does not open accounts for PEPs);
• Dealing with financial institutions (Requests for such accounts will not be accepted unless preliminarily investigated by the Compliance Officer or MLRO on a case-by-case basis and final approved by the Board of Directors. In such instances the Board of Directors, if the circumstances warrant, may grant the opening of the account, and must document the reasoning for the decision accordingly);
• Dealing with customers that are of a high risk level/ located in high-risk jurisdictions;
• Dealing with customers who conduct high-value transactions that are unusual for the customers profile;
• Dealing with customers in industries that are particularly susceptible to money laundering, such as money service businesses. Measures:
• Obtain additional information about the client and beneficial owner;
• Obtain information on source of funds and source of wealth of the customer and beneficial owners with supporting documents;
• Obtain information on customers business partners, clients and supporting documents;
• Conduct more detailed background checks on the customer and any associated parties;
• Obtain clarification on purpose of transactions with supporting documents;
• Receive approval from MLRO (and Board of Directors when necessary) for on boarding or continuing existing relationship with such customers;
• Ensure that after the account is opened, the customers first payment is made from the customers account held at a credit, payment or electronic money institution, when the credit, payment or electronic money institution is registered in a member state of the European Union or in a third country established for the requirements of this law equivalent requirements, and the competent authorities supervise its compliance with these requirements;
• Conduct periodic reviews of the customer relationship to ensure ongoing compliance. High-risk customers and their transactions are reviewed more closely at account opening and more frequently throughout the term of their relationship with the Company. Normally, the EDD for High-risk customers will be executed on an annual basis.
In case of business relationships or transactions with PEPs, when applying the EDD measures the Company must: • Determine and introduce internal procedures which allow determining whether the customer, its representative, its senior managers (as indicated below) and/or BO are PEPs;
• Receive an approval/refusal of the Board of Director to conclude business relationship with such customers or to continue/terminate business relationship with the customers after they become PEPs;
• Take appropriate measures to establish the source of wealth and source of funds related to the business relationship or transaction of the customer and BO who is a PEP;
• Perform enhanced ongoing monitoring of the business relationship of PEPs.
Sanctions, PEP and adverse media screening
The Company uses the professional screening service provided by the third-party supplier, Sumsub. The lists include Sanctions lists, PEP lists and adverse media lists. Sanction profiles contain information from the most important sanctions lists worldwide, including but not limited to the United Nations, the European Union, OFAC and some important business-related countries. Also, the customer's actual business address, incorporation address, and mailing address, as well as the locations of any connected parties are screened against the sanctioned, targeted and high risk countries lists that are prepared and constantly updated by UAB Amonra.
The Company must effectively carry out sanctions, PEP, adverse media screening, and do not provide services to customers whose comprehensive risk is determined to be unacceptable for the Company. Before establishing a business relationship, the Company must screen the customer, the customers representative, the persons that make up the customers ownership structure and its BO against the relevant sanctions, PEP and adverse media lists. When the customer performs a monetary operation or transaction as a part of the business relationship, the Company must screen both parties of the monetary operation or transaction, as well as screen the other payment details (in case a payment is made), against the sanctions, PEP and adverse media lists.
In order to comply with the latest sanctions list requirements, the Company also conducts continuous daily scanning for existing customers and its connected parties (representative, the persons that make up the customer`s ownership structure and the BO) as well as the most recent one year transactions, against the relevant sanctions list.
Sanctions: If a transaction, transaction party, a new customer and/or an established customer matches against any sanction lists, it must be escalated to and reviewed by the MLRO. Whenever a search results in a positive match, the compliance analyst who conducted the search must bring the results to the MLRO to conduct enhanced due diligence to determine whether the match is valid. The MLRO will take further action as applicable to reject, block, report, apply for a license, or otherwise contact the FCIS and relevant
regulatory body whenever further information or clarification is necessary.
If a transaction, transaction party, a new customer and/or an established customer is found to be a valid match against EU, UN, and/or OFAC lists, any funds for transactions requested or in process will be held, and the customer/account will be temporarily restricted and prevented from accessing any services.
The MLRO will have the responsibility of verifying the accuracy of the Sanction hit and determine if it`s positive. In order to avoid instances of mistaken identity, the following pieces of information concerning a person will be verified against that which is provided on the list: (a) date of birth; (b) known addresses; (c) current address; and (d) nationality (e) criminal record declaration.
If, after additional verification, it concludes that the match is indeed a positive match on Sanction lists, then the MLRO will report to the Board of Director and decline the Customer registration or permanently suspend all further activity, and any transaction request or in process will be frozen and reported. All files must contain complete documentation evidencing due diligence measures taken to Sanctions verification. The CO or MLRO should also prepare Memorandum with respect to any consultations or other contact with regulatory authority. The Memorandum must clearly describe the events and conclusion as to whether a Sanction violation has occurred. The Company does not provide services to sanctioned entities, entities located in or related to sanctioned countries.
PEPs: The compliance analysts should, during onboarding and ongoing due diligence, determine if the customer is or has become PEP. Such actions should include asking the relevant information from the customers as well as screening the customer base against the relevant databases (verifying information in the reliable and independent source). Additionally, the Company is required at least once a year to screen the customer base against the relevant PEP databases to determine whether they have not become PEPs, and if an ad-hoc ongoing due diligence is not required.
When determining whether the customer is a PEP, the Company must obtain written customers declaration on whether the customer, its representative or the BO is a PEP, and check the relevant reliable and independent databases, e.g. data on private interest declarations could be checked at the Chief Official Ethics Commission of the Republic of Lithuania. It is recommended that such information also include information on the customers senior manager (e.g. CEO, managing director, head of administration) (for customers legal persons).
Where a PEP is no longer entrusted with a Prominent Public Function, the Company has to:
• For at least 12 months take further into account the continuing risk posed by that person;
• Apply appropriate and risk-sensitive measures until such time as that person is deemed to pose no further risk specific to PEPs.
Adverse media: An Adverse Media Screening result may indicate potential AML risk if it identifies negative news or potentially illegal activities related to the customer or their transactions. The organization will apply a risk- based approach to determine if the Adverse Media Screening result is associated with AML risk. The risk assessment will consider factors such as the customer's profile, transaction history, and geographic location.
If the Adverse Media Screening result generates a high-risk alert, it will be reviewed by the MLRO who will conduct further checks on the customer and their transactions. The MLRO will analyze the alert in the context of the customers risk profile and available information to determine if it is associated with AML risk. If the assessment verifies the existence of the unfavorable information and that there is a potential for money laundering, the AML compliance department will take appropriate actions, such as enhanced due diligence, filing a suspicious activity report, or terminating the business relationship. It is essential to have a clear understanding of the Companys risk-based approach and the criteria for assessing adverse media screening results associated with AML risk. Adequate training, resources, and policies will enable the compliance analysts and MLRO to make informed decisions and mitigate any potential threats associated with AML risks.
Simplified due diligence
Simplified due diligence (SDD) is not an exemption from any of the CDD measures, however, the Company may adjust the amount, timing or type of each or all of the CDD measures in a way that is commensurate to the low risk they identified. This notwithstanding, the information the Company obtains when applying SDD measures must enable it to be reasonably satisfied that the risk associated with the Business Relationship is low. It must also be sufficient to give the Company enough information about the nature of the Business Relationship to identify any suspicious transactions.
The Company may apply SDD in following cases: • The customer is a company whose securities are admitted trading on a regulated market in one or more EEA Member States, and other companies from third countries whose securities are traded in regulated markets and which are subject to disclosure requirements consistent with EU legislation; • Where the customer is a Lithuanian or EU public authority or public body and it complies with all of the following criteria:
Such public functions have been established in accordance with the Treaty on European Union, Community treaties or Community secondary legislation;
Information on a customers identity is publicly accessible, and the Company has no reservations as regards its transparency; The activities and accounting methods of the customer are clear and comprehensible to the Company; The customer is accountable to the EU institution or to the public authorities of the EU Member State. • In case of electronic money, where a limit of EUR 1,000 or an equivalent amount in foreign currency is imposed on the total amount transacted in a calendar year, except the cases when an amount of EUR 500 or an equivalent amount in foreign currency, or more is redeemed in that same calendar year upon the electronic money holders request;
• in case of electronic money, if all the below listed risk-mitigation conditions are met: a) The electronic money payment instrument may be used only in the Republic of Lithuania; b) The electronic money payment instrument is not reloadable, or – if loadable – has a maximum monthly payment transactions limit of EUR 150; c) The maximum amount stored in the electronic money payment instrument does not exceed EUR 150; d) The electronic money payment instrument is used exclusively to purchase goods or services; e) The electronic money stored in the payment instrument cannot be funded with anonymous electronic money; f) The electronic money stored in the payment instrument cannot be redeemed by cash.
When applying the SDD measures, the Company has to comply with the following requirements:
• Perform the ongoing monitoring of the business relationship and transactions, except in cases of the accumulation of a portion of contributions of the state social insurance pension fund. In case of SDD, the extent of the ongoing monitoring may be adjusted to reflect its determination of the low degree of ML/ TF risk;
• Keep the information obtained during the identification and verification of the Customers identity up to date;
• Report knowledge or suspicion of money ML/TF in case of suspicious monetary operations or transactions. Simplified due diligence cannot apply, if a separate decision of the European Commission has been adopted on this issue. Simplified due diligence cannot apply, if there exist circumstances when the conduction of the enhanced customer identification is required. If the regular monitoring of the customers business relationship reveals that the risk of money laundering and / or terrorist financing is no longer low, additional due diligence measures must be applied.
V. Ongoing monitoring
Ongoing monitoring of business relations is a fundamental feature of an effective AML/CFT risk management system. Ongoing monitoring should be conducted in relation to all business relations, but the Company may adjust the extent and depth of monitoring of a customer according to the customers ML/TF risk profile. The adequacy of monitoring systems and the factors leading the Company to adjust the level of monitoring should be reviewed regularly for effectiveness in mitigating the Companys ML/TF risks.
The Company must put in place and implement adequate systems and processesto conduct the following ongoing monitoring:
• Monitor its business relationships with all customers, including maintaining relevant and up-to date CDD data, documents and information so that the the Company can identify changes to the customers risk profile;
• Detect and report suspicious, complex, unusually large or unusual patterns of transactions undertaken throughout the course of business relationships, to ensure that the transactions being conducted are consistent with the Companys knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.
VI. Transaction monitoring
The Company utilizes an internally developed Automated Transaction Monitoring System and the pre-established rules to monitor real time and retrospective transactions that are abnormal. These rules have been designed tailoring to the nature of different products and services. The system is designed to detect unusual/suspicious patterns or trends that may indicate money laundering or terrorist financing. The process of transaction monitoring depends on the customers risk level (the higher level, the stricter rules apply). Transaction monitoring involves following:
• Automatic alert generation (any transaction that meets the predetermined threshold or criteria is flagged as a potentially suspicious activity and generates an alert. The alert includes all relevant transaction details).
• Manual alert creation (when transactions meet certain suspicion criteria, but did not trigger any automatic alert. Examples when manual alerts are created: information from police, the FCIS or any other institution is received informing about customers fraudulent activity; during customers risk evaluation, the compliance analyst notices suspicious transactions that are not investigated and additional review is needed).
• Data collection (information and/or documentation is collected from various sources such as open sources, registries, the customer).
• Investigation and filtering (once data is collected, transaction(s) is investigated and filtered to determine if suspicious or not).
• Reporting (any unusual/suspicious transaction/activity/the customer is reported to relevant authorities).
The compliance analyst is responsible for handling automatic/manual transaction monitoring alerts, data collection and reporting suspicious transactions to the MLRO. The compliance analyst has the right to contact the customer for supporting information and documentation if he/she considers the transaction or activity is suspicious or unusual. If the customer refuses to provide, or provided information is inconsistent, or forged, the compliance analyst will reject such transactions and escalate the customer to the MLRO for termination of the relationship. All transaction monitoring steps and results are documented in written form and saved in the Companys transaction monitoring system (in customers profile). Detailed procedures on how to handle transaction monitoring and screening alerts are described in “Transaction Monitoring Procedure” and “Screening Procedure”.
Identification of suspicious transactions
A transaction which appears unusual is not necessarily suspicious. Therefore, the unusual is, in the first instance, only a basis for further investigation. The compliance analyst must check for at least following points in order to determine if a transaction is suspicious:
• The fields of activity specified in the registered identification document of the customer (legal persons) such as business registration, do not correspond to the usual business relationship between the Company and the customer;
• The nature of the monetary operations or transactions conducted by the customer raises suspicion and when requested by the company the customer does not provide the reasonable explanations and information regarding the performed transaction;
• The customer makes such monetary operations (acquisition of E-money and/or payments) which exceed the paying capacity of the customer known to the Company; the payment capacity of the customer is established based on the information obtained during the due diligence procedure as well as the results of the ongoing monitoring of the customer;
• The customer asks to pay the amount due to the customer to persons who are obviously unrelated to the usual field of activity of the customer; and when requested by the Company the customer cannot provide the reasonable explanations and information regarding such monetary operations;
• The full amount of advance payment or other contribution (or a major part of the latter) is paid by persons that obviously have no relation to the usual activity of the customer; and when requested by the Company the customer cannot provide the reasonable explanations and information regarding such monetary operations;
• The customer performs monetary operations or concludes transactions for which it is difficult or impossible to identify the beneficial owner (where applicable) and when requested by the Company the customer cannot provide the reasonable explanations and information regarding such monetary operations or transactions as well as refuses to identify the beneficial owner (where applicable);
• The customer conducts monetary operations or concludes transactions for which there is no clear economic grounds or which do not corresponds to the usual Business relationship with such customer; this criterion is considered fulfilled if requested by the Company the customer cannot provide or refuses to provide the reasonable explanations and information regarding such monetary operations or transaction;
• The customer consistently performs monetary operations or concludes transactions with legal persons or other organizations which are registered in the Target territories, when there are no clear economic grounds for this activity; and when requested by the Company the customer cannot provide the reasonable explanations and information regarding such monetary operations;
• The customer consistently conducts monetary operations or concludes transactions with the legal or natural persons from the territories other than FATF countries as provided in the list available under the following link: http://www.fatf-gafi.org/countries/#high-risk;
• The customer, its representative, the beneficial owner (where relevant), the payer of the funds received by the customer or the payee of the funds to be transferred upon the instruction of the customer are subject to financial sanctions in accordance with the Law on the Implementation of Economic and other International Sanctions of the Republic of Lithuania; this criterion is considered fulfilled where the said persons or entities are included into the consolidated lists of persons and entities subject to EU, OFAC and/or United Nations financial sanctions;
• The transfers in small amounts from different payers to the customer or the transfers in small amounts by the customer to numerous unrelated payees which become extraordinarily frequent without obvious reasons and does not correspond to the usual business relationship with the customer; this criterion is fulfilled if requested by the Company, the customer does not provide or refuses to provide the reasonable explanations and information regarding such monetary operations.
Special attention must be given to the complex or unusually large transactions and all unusual patterns of transactions which have no apparent economic or visible lawful purpose, and business relationship or monetary operations with the end customers from the countries outside the EU and the third countries with the equivalent regime.
If any suspicious activity/transaction listed above or other types of suspicious activity are noticed, such activity should be immediately reported to the MLRO. If necessary, an investigation of the matter may include gathering additional information internally or from third parties or other sources, suspending the monetary operation or transaction, as well as filling a Suspicious Activity/Transaction Report to the FCIS.
The suspiciousness of transaction or customers activity is analyzed and evaluated by the compliance analyst, who must escalate to the MLRO about the transaction or activity in written form prior executing customers transactions.
The Company has engaged the MLRO to perform the following:
• Receive all risk notifications from the various services providers/partners concerning suspicious customers or suspicious activity;
• Investigate and determine whether the SAR/STR received constitutes a suspicion or knowledge of ML/TF and, if so, whether it should be reported to the FCIS;
• Where it is determined that a report constitutes suspicion or knowledge of ML/TF, to file a SAR/STR with the FCIS within the required business days of detection;
• Maintain a register of all SARs/STRs received including: documents detailing the investigation/review of the SARs/STRs; details of the determination made as to whether the SARs/STRs should be submitted to the FCIS and the basis of the determination;
• Documentation of SARs/STRs made to the FCIS and any communications or instructions received from the FCIS ;
• Ensure that no communications of ML/TF suspicions are given by the MLRO to the subject of the SAR/STR, in order to avoid a risk of committing the offence of "Tipping Off";
• Disclose to the FCIS any potential business that is reported to the MLRO as declined due to a suspicion that it might be criminal in intent or origin or where a customer is hesitant or fails to provide adequate documentation.
An Internal SAR/STR should not be discussed with anyone apart from the MLRO or a person designated by the MLRO. The Internal SAR/STR (or a copy thereof) should not be disclosed in any circumstances, other than those disclosures which have been sanctioned by the MLRO and are in accordance with Lithuania legislation.
Reporting to the FCIS and communication
The MLRO is responsible for suspicious activity/transaction report submission to the FCIS and further communication. Due to a strict time frame for submitting external reports to the FCIS, the compliance analyst must submit all internal reports to the MLRO in a timely manners.
Reporting timeline: • The Company, having established that their customer is conducting a suspicious monetary transaction, regardless of the monetary transaction amount, must suspend that transaction and report it no later than within 3 (three) business hoursto FCIS starting from the suspension of the transaction;
• The company must notify the FCIS immediately, no later than within 1 (one) working day of the occurrence of such knowledge or suspicion, if it knows or suspects that assets of any value are directly derived from criminal activity or participation in such act, and if it knows or suspects, that these assets are linked to terrorist financing.
The FCIS may instruct the company to suspend a particular operation or transaction. In the latter event the Company must suspend such Monetary operation or Transaction for up to 10 (ten) business days. The FICS must verify the reported Monetary operation or Transaction within 10 (ten) business days of the receipt of the respective report or as of the submission of the respective instructions to the Company. If within 10 business days of the suspension of the Suspicious Monetary operation or Transaction the Company is not required to perform temporary restriction of ownership rights according to the procedure established by the Code of Criminal Procedure of the Republic of Lithuania, the Monetary operation or Transaction has to be resumed.
The FCIS may request the Company to provide all necessary information which is needed for the FIU to carry out the verification of the Suspicious Monetary operation or Transaction. In the latter event the Company must provide the requested information within 1 (one) business day after the receipt of the respective request of the FCIS.
The MLRO is responsible for reporting to the FCIS, handling further communication and taking further actions.
Last updated