The purpose of this policy for Anti-Money Laundering (AML), Combating Terrorist Financing (CFT) and Sanctions measures is to ensure that UAB Superb Payments (Company), which is a virtual currency exchange and virtual currency wallet operator, has internal guidelines to prevent the use of its business for money laundering and terrorist financing and internal guidelines for implementation of international sanctions.
This policy has been adopted to ensure that the Company complies with the rules and regulations set out in Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing (Law). Where applicable, the following applicable legislation should be considered by the Company:
- Order No. V-314 of November 30 of 2016 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “For the Technical Requirements for the Customer Identification Process for Remote Identification Authentication via Electronic Devices for Direct Video Transmission”.
- Order No. V-240 of December 5 of 2014 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of the List of Criteria for Money Laundering and Suspicious or Unusual Monetary Operations or Transactions Identification”.
- Order No. V-5 of 5 January 10 of 2020 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of Guidelines for the Depositary virtual currency wallet operators and virtual currency exchange operators to prevent money laundering and/ or terrorist financing.”
- Order No. V-273 of October 20 of 2016 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the approval of the Instructions for the supervision of the proper implementation of international financial sanctions by the Financial Crimes Investigation Service under the Ministry of the Interior of the Republic of Lithuania”.
- Order No. 1V-701 of October 16 of 2017 of the Director of the Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the approval of the description of the procedure for the suspension of suspicious monetary operations or transactions and the submission of information on suspicious monetary operations or transactions to the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania, and the description of the procedure for the submission of information on cash operations and transactions, the amount of which is equal to or exceeds 15,000 euros or the equivalent amount in foreign currency, to the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania”.
- Order No. V-129 of September 4 of 2017 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of the Rules for Keeping the Register of Suspicious or Unusual Monetary Operations and Transactions of the Customer and Identification of the Criteria that Characterizes Large-Scale Permanent and Regular Monetary Operations“.
- Order No. V-129 of May 21 of 2015 of the Director of the Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Forms of Submission of Information Pursuant to the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania on the approval of the Guidelines for the submission of the forms, the scheme of submission and the guidelines for the completion of the submission forms”.
This policy is the subject of a review by the CEO at least annually. The proposal for a review and the review of this policy may be scheduled more often by the decision of the Company’s AML Officer.
AML Officer means a person, who is appointed to the Company as a senior employee for liaising with the Financial Crime investigation Service (FCIS) whose functions are set out in section “Organizational structure”.
Head of Risk, Compliance and AML/CTF Department means that this unit consist of is responsible for risk management and compliance functions in relation to ML, TF and Sanctions (can be outsourced).
Beneficial Owner means any the natural person who owns or controls the Customer (legal entity) and/or the natural person on the natural person on whose behalf a transaction or activity is carried out. The beneficial owner shall include:
1) in the case of a legal person:
- a) the natural person who owns or manages the legal person through direct or indirect ownership of a sufficient percentage of the shares or voting rights in that legal person, including management through bearer shareholdings, or through control via other means, other than public limited liability companies or undertakings for collective investment whose securities are traded on regulated markets that are subject to disclosure requirements consistent with the European Union legislation or subject to equivalent international standards. A shareholding of 25 % plus one share or an ownership interest of more than 25 % in the client held by a natural person shall be an indication of direct ownership. A shareholding of 25 % plus one share or an ownership interest of more than 25 % in the client held by an undertaking, which is under the control of a natural person(s), or by multiple undertakings, which are under the control of the same natural person(s), shall be an indication of indirect ownership;
- b) if no person under sub-point (a) of point 1 is identified, or if there is any doubt that the person identified is the beneficial owner, the natural person who holds the position of senior managing official in the legal person who has been identified;
2) in the case of a trust, all following persons:
- a) the settlor/settlors;
- b) the trustee/trustees;
- c) the protector/protectors, if any;
- d) the natural persons benefiting from the legal person or entity not having legal personality, or where such persons have yet to be determined, persons in whose main interest that legal person or entity not having legal personality is set up or operates;
- e) any other natural person exercising ultimate control over the trust by means of direct or indirect ownership or by other means;
3) in the case of a legal person which administers and distributes funds, an entity similar to a trust – the natural person holding an equivalent position to that referred to in point 2.
Business Relationship means a relationship that is established upon conclusion of a long-term contract by the Company in economic or professional activities for the purpose of provision of a service or distribution thereof in another manner or that is not based on a long-term contract, but whereby a certain duration could be reasonably expected at the time of establishment of the contact and during which the Company repeatedly makes separate transactions in the course of economic or professional activities while providing a service.
Company means legal entity with following details:
- company name: UAB Superb Payments;
- registration country: Lithuania;
- registration number: 306102584;
- address: Vilnius, Eišiškių Sodų 18-oji g. 11;
- email: firstname.lastname@example.org.
Customer means a natural person or a legal entity (incl. collective investment undertaking) which has the Business Relationship with the Company, as well as a natural person or a legal entity (incl. collective investment undertaking) which intends to have the Business Relationship with the Company.
Employee means each Company´s employee, including Chief Executive Officer (CEO), the Internal Control Officer and the AML Officer.
FCIS means Lithuanian Financial Crime Investigation Service under The Ministry of the Interior of the Republic of Lithuania (Lithuanian Financial Intelligence Unit), which performs supervision of the Company’s activities of virtual currency services related to the prevention of money laundering and/or terrorist financing and which has the following details:
- state institution;
- registration number: 188608786;
- address: Šermukšnių g. 3, LT-01106 Vilnius;
- email: email@example.com.
Monetary Operation means any payment, transfer or receipt of money.
Money Laundering (ML) means:
1) the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s action;
2) the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity
3) the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity;
4) Participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in points 1, 2 and 3.
Monitoring Specialist means the Employee, who is responsible for performing of the ODD/EDD measures in the course of the already established Business Relationship with the Customer. This Employee is responsible for making transactions in the course of services provision by the Company.
Occasional Transaction means the transaction performed by the Company in the course of economic or professional activities for the purpose of provision of a service or sale of goods or distribution thereof in another manner to the Customer outside the course of an established Business Relationship.
Onboarding Specialist means the Employee, who is responsible for performing of the Customer’s onboarding procedure (as described below) and application of CDD/EDD measures before the establishment of the Business Relationship with the Customer. This Employee is responsible for establishment of the Business Relationship with the Customer and has the right to perform actions for establishing the Business Relationship with the Customer on behalf of the Company.
PEP means the natural persons who are or have been entrusted with Prominent Public Functions and Close Family Members or Close Associates of such persons.
Sanctions mean the measures taken by the European Union, United Nations and the United States. These measures include a list of individuals and entities who/which are subject to sanctions. The Company shall use at least the following sources (databases) to verify the Customer´s relation to Sanctions:
Terrorist Financing (TF) means a provision or collection of funds, by any means, directly or indirectly, with the intention that they be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the offences within the meaning of Article 2 of the International Convention for the Suppression of the Financing of Terrorism of 9 December 1999.
Third Country means a state that is not a member state of the European Economic Area (EEA).
Virtual currency means a digital representation of value that does not possess a legal status of currency or money, that is not issued or guaranteed by a central bank or any other public authority, is not necessarily attached to a currency, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored, traded, exchanged, invested and used for settlement electronically.
Virtual Currency Address means address/account generated from letters, numbers and/or symbols in the blockchain, by which the blockchain allocates the Virtual Currency to the owner or recipient.
The Company consists of structural units with various functions, which together provide the Company with the opportunity to conduct business and provide services. The needs of the Company’s business unit may be covered by the Employees(s) or external service providers (third parties) which provide services to the Company under an appropriate contract. The Company’s organizational structure may be changed by the decision of the CEO.
The Employees and the service providers (third parties) involved in the activities are obliged to act in accordance with the agreements concluded and internal policies established (incl. this policy). They should be aware of their subordination to other structural units of the Company. If the Company has more than 1 Employee in a structural unit, the CEO shall appoint a responsible employee whose task is, among other things, to perform daily supervision over the performance of the tasks of the structural unit (or part of it). The Company shall establish and regularly maintain contact details of external service provider’ designated person(s) responsible for providing the service (customer manager, project manager, etc.) and such persons shall be competent to represent the external service provider before the Company.
The day-to-day management of the Company takes place through the CEO. The CEO is responsible for assigning tasks to other structural units and controlling the performance of tasks. In case when the relevant Employee or third party is not appointed for performing of structural unit’s functions, the CEO shall be responsible for this structural unit’s functions. In addition to day-to-day management, the CEO organizes meetings and, if necessary, discusses decision-making with experts (mainly Employees, advisors and external service providers).
Chief Execution Officer (CEO) is higher executive body of the Company. This person is appointed by the General Meeting of Shareholders as the Company’s manager in accordance with Law of Companies. The CEO is responsible for day-to-day management of the Company.
The CEO has a critical oversight role – as the senior-most management of the company, they should approve and oversee policies for risk, risk management and compliance. The CEO also should have a clear understanding of the ML risks, including timely, complete, and accurate information related to the risk assessment to make informed decisions. The CEO shall appoint a qualified AML Officer with overall responsibility for the AML function and provide this senior-level officer with sufficient authority that when issues are raised they get the appropriate attention from the CEO and the business lines.
The CEO is responsible for the overall AML/CTF compliance policy of the Company and ensuring adequate resources are provided for the proper training of staff and the implementing of risk systems. The CEO will receive and consider quarterly compliance reports presented by the AML Officer.
A person, who is appointed to the Company as a senior employee for liaising with the Financial Crime investigation Service (FCIS).
Head of Risk, Compliance and AML/CTF Department
This unit consist of is responsible for risk management and compliance functions in relation to ML, TF and Sanctions. Among other things, this unit performs supervision under the Customer Support unit and the Company’s activities.
Internal Control Officer
This unit function and responsibility is to perform internal control in accordance this policy (can be outsourced).
This structural unit must have the required competency, tools, and access to the relevant information in all structural units of the Company. The internal control methods must comply with the size of the Company, the nature, scope, and level of complexity of the activities and provided services, incl. the risk appetite and risks arising from activities of the Company.
The Internal Control Officer shall be appointed by the CEO and shall provide internal control report to the CEO quarterly.
Customer Support Department
This unit’s main function is ensuring the provision of the services to the Customers (can be outsourced). For this reason, this unit is responsible for applying the CDD measures upon the Business Relationship and applying CDD measures during the Business Relationship. This unit consists of Onboarding Specialists and Monitoring Specialists.
The Onboarding Specialist is responsible for performing of the Customer’s onboarding procedure (as defined below) and application of CDD/EDD measures before the establishment of the Business Relationship with the Customer.
The Monitoring Specialist is responsible for performing of the ODD/EDD measures in the course of the established Business Relationship with the Customer.
BASIC PRINCIPLES OF CUSTOMER DUE DILIGENCE MEASURES
Customer due diligence (CDD) measures are required for verifying the identity of a new or existing Customer as a well-performing risk-based ongoing monitoring of the Business Relationship with the Customer. The CDD measures consist of 3 levels, including the simplified and enhanced due diligence measures.
The CDD measures are taken and performed to the extent necessary considering the Customer’s risk profile and other circumstances in the following cases:
- upon establishment of the Business Relationship and ongoing monitoring of the Business Relationship;
- upon verification of information gathered while applying CDD measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered earlier while updating the relevant data;
- upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided for in this policy and applicable legislation.
The Company does not establish or maintain the Business Relationship and not perform transaction if:
- the Company is not able to take and perform any of required CDD measures. In such case Company will carry out the money laundering and/or terrorist financing threat assessment. After detecting the risk of money laundering and/or terrorist financing (ML/TF), the Company will report the suspicious monetary operation or transaction to the FCIS;
- the Company has any suspicions that the Company’s services or transaction will be used for ML, TF or violation of Sanctions;
- the risk level of the Customer does not comply with the Company’s risk appetite.
Achieving CDD is a process that starts with the CDD measures implementation. When that process is complete, documented individual risk level is assigned to the Customer which shall form the basis for follow-up measures, and which is followed up and updated when necessary.
Application of Simplified Due Diligence Measures
Simplified due diligence (SDD) is the minimum level of due diligence that must be applied for a Customer. SDD may be carried out when Company assesses Customer’s risk as low and Customer meets at least one of the criteria under Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing (e.g., Customer is a listed company (EU or equivalent), Customer is a government and municipality institution). Considering the Company services provided and the Company’s risk assessment, the Company will not apply SDD measures to their Customers. Thus, to all Customers at least standard due diligence measures shall be applied as specified below.
Application of Standard Due Diligence Measures
Standard due diligence measures are applied to all Customers, if CDD measures must be applied in accordance with this policy. The following standard due diligence measures are applied to the Customers:
- Identification of the Customer and verification of the submitted information based on information obtained from a reliable and independent source.
- Identification and verification of a representative of the Customer and their right of representation.
- Identification of the Beneficial Owner and, for the purpose of verifying their identity, taking measures to the extent that allows the Company to make certain that it knows who the Beneficial Owner is, and understands the ownership and control structure of the Customer.
- Understanding of the Business Relationships, transaction or operation and, where relevant, gathering information thereon.
- Gathering information on whether the Customer is PEP, their family member or a person known to be close associate.
- Monitoring of the Business Relationship – this measure is applied in the course of the Business Relationship established with the Customer. This measure includes the following actions:
- regular update of information received in the course of CDD measures (incl. screening against updated watchlists) and re-assessment of the Customer’s risk profile;
- ongoing monitoring of the Customer’s transactions and behaviour in the course of the Business Relationship, including real-time monitoring (screening) and transactions monitoring on regularly basis;
- identification of the source and origin of the assets used in transaction(s).
The CDD measures specified above must be applied in the relevant cases before establishing the Business Relationship (except monitoring of the Business Relationship). The exact instructions and requirements for application standard due diligence measures is provided in this policy.
Application of Enhanced Due Diligence Measures
In addition to CDD measures, the Company applies enhanced due diligence (EDD) measures in order to manage and mitigate an established risk of money laundering and terrorist financing that is higher than usual. EDD involves objective, rigorous, and thorough research that provides a greater view of the Customer’s profile and the actions required to mitigate higher risks.
The Company always applies EDD measures, when the Customer’s risk profile indicates high risk level (considering risk factors established, incl. PEP status, the Customer’s place of residence, etc.).
During the Business Relationship the Company assess whether the Customer’s risk profile is changed and if the relevant EDD measures shall be applied to the Customer.
In the case of application of EDD measures, the Company monitors the Business Relationship more often than usual and reassesses the Customer’s risk profile no later than every six months.
MONITORING OF THE BUSINESS RELATIONSHIP
The Company’s internal system and the Monitoring Specialist shall check the relevance of the data collected in the course of CDD measures implementation. This check is performed with the following measures:
- asking the Customer for confirmation, that the Customer´s Data used for the Customer´s identification is up to date;
- the Customer´s Data verification;
The aforementioned check shall be performed in the following cases:
- check shall be performed due to the time passed from the moment of the Customer´s Data collection (if 6 months has passed from the high-risk Customer´s onboarding and 1 year has passed from middle- or low-risk Customer’s onboarding);
- the Customer notifies about changes in the Customer´s Data;
- when the Customer´s behaviour (e. g. amount or number of transactions, payment institution(s) used, etc.) changes and it affects the Customer´s Data or the Customer’s risk score.
In addition to aforementioned, the Customers are continuously screened against watchlists (incl. PEP, Sanctions and Adverse Media). In case of match – the Monitoring Specialist is notified and shall reassign the Customer’s risk level accordingly.
When the Customer´s Data is not relevant and shall be updated, the collection and verification of the data shall be performed in accordance with requirements established by this policy.
Requirements for ongoing monitoring of the Business Relationship
When providing the service(s) to the Customer, the Company through the Monitoring Specialists shall pay attention to the Customer behavior to identify circumstances which may affect the Customer’s risk profile, also ensure that the transactions executed correspond to the information held by the Company about the Customer, his business, risk nature and source of funds. If such circumstances arise, the Monitoring Specialist shall reassign the Customer’s risk level and apply relevant CDD/EDD measures (if any) or terminate the Business Relationship (if the Customer’s risk score is not acceptable by the Company).
In case of suspicion of Money Laundering or Terrorist Financing in the course of interactions with the Customer or their representative, the Monitoring Specialist shall immediately notify AML Officer.
IMPLEMENTATION OF SANCTIONS
The Company verifies whether the Customer is a subject of Sanctions. A check against Sanctions lists shall be carried out during the Customer’s onboarding procedure as well as performs continuous screening of all Customers against Sanctions watchlists. The check for all Customers is performed for the length of the Business Relationship (when any of the watchlists is updated) and at the time of transaction(s). If the Sanction subject is identified – the relevant notice will be sent to the AML Officer.
The Company will not establish business relationships with potential Customers subject to Sanctions.
REFUSAL TO THE TRANSACTION OR THE BUSINESS RELATIONSHIP AND THEIR TERMINATION
The Company is prohibited to establish the Business Relationship and the established Business Relationship or transaction shall be terminated in cases when:
- the Company suspects money laundering or terrorist financing;
- it is impossible for the Company to apply the CDD/EDD measures, because the Customer does not submit the relevant data or refuses, avoids submitting it or the submitted data gives no grounds for reassurance that the collected data are adequate;
- the Customer submits incomplete data or if the data is incorrect;
- the Customer which capital consists of bearer shares or other bearer securities wants to establish the Business Relationship;
- the Customer who is a natural person behind whom is another, actually benefiting person, wants to establish the Business Relationship (suspicion that a person acting as a front is used);
- the Customer´s risk profile has become inappropriate with the Company´s risk appetite (i. e. the Customer´s risk profile level is “prohibited”).
In cases above, the AML Officer shall, upon assessment of the threat posed by money laundering and/or terrorist financing, decide on the appropriateness of continuing the relationship with the client and/or forwarding a report on a suspicious monetary operation or transaction to the FCIS.
There is a statutory and regulatory obligation on the CEO and the Employees to disclose information to the AML Officer in circumstances where they:
- know or suspect, or
- have reasonable grounds for knowing or suspecting, that another person is engaged in money laundering or terrorist financing.
The Employees must disclose not only when they have actual knowledge or suspicion of money laundering or terrorist financing but also if, in the circumstances, they should have reached that conclusion and failed to do so. Any knowledge or suspicion must be reported to the AML officer as soon as possible.
The AML Officer shall immediately analyze the report received and take necessary actions (e. g. sending external report, terminate transaction, perform further investigation, etc.).
The Company must suspend the transaction disregarding the amount of the transaction (except for the cases where this is objectively impossible due to the nature of the Monetary Operation or transaction, the manner of execution thereof or other circumstances) and the AML Officer must report to the FCIS on the activity or the circumstances that they identify in the course of economic activities and whereby:
- the Company has established that the Customer is carrying out a suspicious transaction;
- the Company knows or suspects that assets of any value are obtained directly or indirectly from criminal activity or participation in such activity.
When suspicious monetary operation or transaction is detected, a documented investigation must be completed, that operation or transaction must be suspended, and a report made to the FCIS within three business hours after suspicious activity determination. There is no minimal threshold or limit for such a report.
Documents and data must be retained in a manner that allows for exhaustive and immediate response to the request from the AML Officer, queries made by the FCIS or, pursuant to legislation, other supervisory authorities, investigation authorities or the court.
The Company shall implement all rules of protection of personal data upon application of the requirements arising from the applicable legislation. The Company is allowed to process personal data gathered upon CDD measures implementation only for the purpose of preventing money laundering and terrorist financing and the data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.
The following data shall be retained for 8 years after the termination of the relevant Business Relationship:
- Copies of the identity documents of the Customer (originals of the documents or documents in electronic form);
- The logbooks (stored in paper or electronic form);
- Information that allows the wallet of the virtual currency to be linked to the identity of the owner of the virtual currency.
The following data shall be retained for 8 years after completing transaction:
- The documents confirming an operation or transaction and data or other legally binding documents and data related to the execution of Monetary Operations or conclusion of transactions.
The following data shall be retained for 5 years after the termination of the Business Relationship:
- Correspondence with Customer during Business Relationship (stored in paper or electronic form).
The following data shall be retained for 5 years:
- Internal investigation records of suspicious transactions (stored in paper or electronic form).
The time limits for record keeping may be extended additionally for no longer than two years upon a reasoned instruction of a competent authority.
The Company deletes the retained data after the expiry of the time period, unless the legislation regulating the relevant field establishes a different procedure or receives the instruction from competent authority to extent the retention periods.
The Company ensures that its Employees have the relevant qualifications for their work tasks. When the Employee is recruited or engaged, the Employee’s qualifications are checked as part of the recruitment/appointment process.
In accordance with the requirements applicable to the Company on ensuring the suitability of the Employees, the Company makes sure that such Employees receive appropriate training and information on an ongoing basis to be able to fulfil the Company’s obligations in compliance with the applicable legislation. It shall be ensured through training that the Employees are knowledgeable within the area of AML/CFT to an appropriate extent considering the Employee’s tasks and functions.
The content and frequency of the training is adapted to the Employee’s tasks and function on issues relating to AML/CFT measures.
For new Employees, the training comprises a review of the content of the applicable rules and regulations, the Company’s internal policies (incl. this policy) and other relevant procedures.
The Employees receive training on an ongoing basis under the auspices of the AML Officer in accordance with the following training plan:
- periodicity: at least once a year for the CEO and the Employees;
- scope: review of applicable rules and regulations, this policy and other relevant procedures. Specific information relating to new/updated features in the applicable rules and regulations. Report and exchange of experience relating to transactions reviewed since the previous training.
In addition to the above, the Employees are kept informed on an ongoing basis about new trends, patterns and methods and are provided with other information relevant to the prevention of money laundering and terrorist financing.
The training held is to be documented electronically and confirmed with the Employee’s signature on the training protocol (annex 12). This protocol should include the content of the training, names of participants and date of the training.
AVOIDING CONFLICT OF INTERESTS
The Employees must avoid the conflict of interests and when this happens, immediately notify the CEO.
The conflict of interests is understood as all the circumstances known to the Company or its Employees that may affect the decisions of making a transaction or establishing Business Relationship and which do not correspond to the interests of the Company or its Customer.
To achieve the goal of avoiding the conflict of interests, the Company shall collect and regularly update its Employee’s data in order to identify their interests in the context of preventing money laundering and terrorist financing.
The Company identifies and analyses, inter alia, whether the persons directing customers to the Company (e.g., agents, resellers, etc.) have any interests regarding the Customer (e.g., provide them with legal services, accounting services, services providing the establishment of companies and other legal structures, etc.) which cause the conflict of interests between the person directing Customers to the Company and the Company. The CEO is responsible for avoiding conflict of interests in the Company and determination of measures related thereof.
INTERNAL CONTROL OF EXECUTION OF THE POLICY
The performance of this policy shall be internally controlled by the Internal Control Officer appointed by the CEO for performing relevant functions (hereinafter in this chapter – Internal Control Officer). The Internal Control Officer must have the required competency, tools, and access to the relevant information in all structural units of the Company.
The Internal Control Officer shall perform internal control functions at least in the following fields:
- the Company´s compliance with established risk assessment policy and risk appetite;
- CDD/EDD measures implementation;
- implementation of Sanctions;
- the Company´s obligation to refusal to the transaction or business relationship and their termination;
- the Company´s reporting obligation;
- the Company´s training obligation regarding the AML/CFT requirements;
- the Company´s data retention obligation.
The exact measures for performing internal control shall be determined by the Internal Control Officer and must correspond to the Company’s size and their nature, scope and level of complexity of the activities and services provided. The internal control measures shall be performed at the time determined by the Internal Control Officer with the frequency set by him or her, at least once per quarter, if the nature of measure does not expressly provide otherwise.
The results of internal control measures implementation shall be saved separately from other data and retained within 8 years. Only the CEO and the Internal Control Officer may have access to the Internal Control Data. Internal Control Officer may provide access to the Internal Control Data to other Employees or third parties (e. g. advisors, other auditors, etc.) only with prior consent of the CEO. The persons have access to the Internal Control Data must not disclose it to anyone without prior consent of the CEO.
The Internal Control Data shall be saved in chronological order with format, which allows to analyze this and understandable connect this to other relevant data.