KYC / AML / CTF POLICY

INTRODUCTION

This is a short version of our Anti-money laundering (hereinafter referred to as: “AML”) and Counter-terrorist financing (hereinafter referred to as: “CTF”) Policy, which Kriptomat applies to its service. Kriptomat OÜ is an Estonian company and must follow European and Estonian rules for detecting and managing financial crime. Our two main internal bylaws include:

  • AML/CTF procedure for providers of a service of exchanging a virtual currency against a fiat currency;
  • AML/CTF procedure for providers of a service of storing a virtual currency (wallet).

The procedures are monitored by the compliance officer and his team. The compliance team monitors the compliance of the internal rules and procedures with the relevant laws and compliance of the activity of the Representatives with the procedures established by the Rules.

As per definition from our AML policy we do not work with offshore banks and shell banks or with any country listed as “High risk”.

AML/CTF FRAMEWORK

Estonian Cryptocurrency Exchanges are defined in the Estonian law as Providers of Alternative Means of Payment, licensed as an Estonian Financial Institution by holding a Financial Activity License from the Estonian Financial Intelligence Unit (hereinafter referred to as: “FIU”), which is the Anti Money Laundering authority in Estonia with the ability to grant, revoke and supervise financial activity licenses. The AML requirements and Know your customer (hereinafter referred to as: “KYC”) due diligence measures for the service providers are set forth in the Estonian Money Laundering and Terrorist Financing Act and other legal guidelines given by the Estonian Minister of Finance.

A cardinal part of the licensing procedure, and a significant FIU consideration for granting licenses is the quality of the Rules of Procedures which according to the Act, must be meticulously drafted by the license applicant. These Rules of Procedure must comply with the Estonian law’s various requirements, which require them, among other things, to include specification of user due diligence measures the company intends to take, assessment of money laundering risk, the manner of the collection and keeping of records, internal control rules, etc.

Kriptomat OÜ has been issued operating licenses by the Financial Intelligence Unit for:

  • Providing services of exchanging a virtual currency against a fiat currency (License No. FVR000079 – https://mtr.mkm.ee/taotluse_tulemus/481714).
  • Providing a virtual currency wallet service (License No. FRK000060 – https://mtr.mkm.ee/taotluse_tulemus/481745).

Given the above, Kriptomat aims to be fully compliant and transparent especially when it comes to detecting and monitoring financial crimes.

Kriptomat has implemented measures, which protect Kriptomat from involvement in money laundering or terrorist financing activities (hereinafter: “suspicious transactions”), by:

  • performing a compliant due diligence procedure (the KYC) for every user who registers on the platform,
  • making a risk assessment for every user who has successfully passed the KYC,
  • detecting suspicious transactions by risk categories and risk levels,
  • monitoring suspicious transactions,
  • reporting suspicious transactions to the authorities.

In order to protect us and our users from possible financial crimes, Kriptomat shall:

  • Perform Know Your Customer procedures on all users and clients (natural and legal persons) on a regular basis.
  • Perform an enterprise-wide risk assessment to determine the risk profile of the Company.
  • Implement internal controls throughout its operations that are designed to mitigate risks of money laundering and terrorism financing.
  • Conduct a periodic AML audit.
  • Provide AML training to its employees.

 

THE KYC AND RISK ASSESSMENT

In the user due diligence process, Kriptomat shall perform a KYC for every:

  • User – a natural or legal person;
  • Representative of the User – an individual who is authorized to act on behalf of the User;
  • Beneficial Owner of the User;
  • Politically exposed person (“PEP”) or a person connected with the PEP.

During the registration procedure, every user must provide Kriptomat with several items of personal information and documents, which Kriptomat needs in order to establish a portfolio of the user and assess the risk connected to it.

NATURAL PERSON NEEDS TO PROVIDE AT LEAST:

  • First name, last name;
  • Date of birth, place of birth;
  • Home address;
  • Phone number and email;
  • Government issued ID document (both sides);
  • Selfie with ID document;
  • Proof of residence (utility bill or similar);
  • Bank account details;
  • Video conference;
  • Other information and documents on the request of Kriptomat.

LEGAL PERSON NEEDS TO PROVIDE AT LEAST:

  • Business name of the legal person;
  • Registry code or registration number and the date of registration;
  • ID of the shareholders (same as for the natural person identification), ID of the director(s) and/or members of the management board (same as for the natural person identification), IDs of the representatives (same as for the natural person identification);
  • Proof of the registered office/seat;
  • IDs of the beneficial owners (same as for the natural person identification);
  • Bank statement;
  • Proof of representation;
  • Articles of association;
  • Other information and documents on the request of Kriptomat.

Kriptomat makes sure to protect users' personal data in accordance with the relevant laws and the Privacy policy.

RISK LEVELS

The risk is divided into 3 levels:

NORMAL
The risk level is normal, there are no high risk characteristics present.

HIGH 1
1. User is from a high risk country.
2. User is a local PEP or a person associated with a PEP.
3. The legal person’s area of activity is associated with enhanced money-laundering risk.
4. The legal person is situated in a country, which is listed in the list of risk countries.
5. The legal person's activities and liability are insufficiently regulated by law, and the legality of financing of which is not easy to screen.
6. The representative or the Beneficial Owner / Shareholder of a legal person is a local PEP or his / her family member.

HIGH 2
1. User is suspected to be or to have been linked with a financial offence or other suspicious activities.
2. User is a non-resident individual, whose place of residence or activities is in a country, which is listed in the list of risk countries.
3. The representative or the Beneficial Owner / Shareholders of a legal person is a PEP or his or her family member.
4. There is information that the legal person is suspected to be or to have been linked with a financial offence or other suspicious activities.
6. A legal person registered outside the European Economic Area, whose field of business is associated with a high risk of Money Laundering, or registered in a low tax rate country.

RISK CATEGORIES

RISK BY USERS:

Suspicious facts such as but not limited to: discrepancies in provided ID documents, fictitious person, stolen identity, counterfeited ID document, post box home address, previous financial crime record, terrorist record, wanted person, no contact phone number, invalid documents, discrepancies in provided documents for the legal person, etc.

Politically exposed persons, such as but not limited to persons holding prominent public functions: head of state, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d’affaires and a high-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a state-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organisation, except middle-ranking or more junior officials.

RISK BY COUNTRIES:

Country of residence / nationality is a country with prohibition/restriction on cryptocurrencies such as but not limited to: Afghanistan, Algeria, American Samoa, Bangladesh, Bolivia, China, Democratic Republic Of Congo, Democratic People’s Republic Of Korea (DPRK), Ecuador, Egypt, Ethiopia, FYR Macedonia, India, Iran, Iraq, Kyrgyzstan, Pakistan, Palestine, Qatar, Saudi Arabia, Syria, Morocco, Nepal, United States Of America, Vanuatu, Vietnam, Zambia.

Resident / Citizen Of The High Risk Countries such as but not limited to: Bahrain, Yemen, Jordan, Kuwait, Lebanon, Libya, Malaysia, Mali, Mauritania, Nigeria, Oman, Somalia, Serbia, Sri Lanka, Sudan, Tunisia, Turkey, Ethnic Groups Of Caucasus Belonging To Russian Federation (Chechens, Etc.), Trinidad & Tobago.

Low Tax Or Tax-free Countries such as but not limited to: United Arab Emirates, Oman, Bahrain, Qatar, Saudi Arabia, Kuwait, Bermuda, Cayman Islands, The Bahamas, Brunei, Vanuatu, Anguilla, Belize, Costa Rica, Guatemala, Panamá, Nicaragua.

RISK BY TRANSACTIONS

Kriptomat shall inspect any outstanding transaction, which includes but is not limited to: large transactions that do not correspond to the user’s source of funds and/or source of wealth, transactions to an offshore or shell bank (a financial institution that does not have a physical presence in any country), executing payment via a non-licensed payment institution, large daily movements of fiat or virtual money, etc.

DETECTION OF SUSPICIOUS TRANSACTIONS

Kriptomat shall diligently monitor transactions for suspicious activity. Transactions that are unusual will be carefully reviewed to determine if it appears that they make no apparent sense or appear to be for an unlawful purpose.

Implemented internal controls will serve as an ongoing monitoring system in order to detect suspicious activity or transactions. When such suspicious activity is detected, Kriptomat shall determine whether a filing with any law enforcement authority is necessary. Suspicious activity can include more than just suspected money laundering attempts. Activity may be suspicious, and Kriptomat may wish to make a filing with a law enforcement authority, even if no money is lost as a result of the transaction.

Kriptomat shall initially make the decision of whether a transaction is potentially suspicious. Once Kriptomat has finished the review of the transaction details, it will consult with its management to decide whether the transaction meets the definition of a suspicious transaction or activity and whether any filing with law enforcement authorities should be made. Kriptomat shall maintain a copy of the filing as well as all backup documentation. The fact that a filing has been made is confidential. No one, other than those involved in the investigation and reporting, should be told of its existence. In no event should the parties involved in the suspicious activity be told of the filing.

REPORTING REQUIREMENTS

Reasonable procedures for maintaining records of the information used to verify a person’s name, address and other identifying information are required under this Policy. The following are required steps in the record keeping process:

● Kriptomat shall maintain a record of identifying information provided by the user.
● Where Kriptomat relies upon a document to verify identity, Kriptomat shall maintain a copy of the document that the Company relied on that clearly evidences the type of document and any identifying information it may contain.
● Kriptomat shall also record the methods and result of any additional measures undertaken to verify the identity of the user.
● Kriptomat shall record the resolution of any discrepancy in the identifying information obtained.
● All transaction and identification records will be maintained for a minimum period of five years.

If you have more questions, please contact us at: [email protected]

 

INTRODUCTION

This is a short version of our AML Policy and procedure, which Kriptomat applies to its services. Kriptomat OÜ is a company established under the laws of Estonia, and we follow two internal procedures:

  • AML procedure for providers of a service of exchanging a virtual currency against a fiat currency;
  • AML procedure for providers of a service of storing a virtual currency (wallet).

The procedures are monitored by the compliance officer and his team. They monitor the compliance of the Rules with the relevant laws and compliance of the activity of the Representatives with the procedures established by the Rules.

Kriptomat is available primarily to customers based in EU member states, but will also be enabled for the rest of the world, taking into account prohibitions and restrictions in certain areas across the world (see: Terms of Service). As per definition from our AML policy we do not work with offshore banks and shell banks or with any country listed as “High risk”.

 

FRAMEWORK

Estonian Cryptocurrency Exchanges are defined in the Estonian law as Providers of Alternative Means of Payment, licensed as an Estonian Financial Institution by holding a Financial Activity License from the Estonian Financial Intelligence Unit (FIU), which is the Anti Money Laundering (AML) authority in Estonia with the ability to grant, revoke and supervise financial activity licenses. The AML and KYC requirements that the service providers are subject to are set forth in the Estonian Money Laundering and Terrorist Financing Act and other legal guidelines given by the Estonian Minister of Finance.

A cardinal part of the licensing procedure, and a significant FIU consideration for granting licenses is the quality of the Rules of Procedures which according to the Act, must be meticulously drafted by the license applicant. These Rules of Procedure must comply with the Estonian law’s various requirements, which require them, among other things, to include specification of customer due diligence measures the company intends to take, assessment of money laundering risk, the manner of the collection and keeping of records, internal control rules, etc.

Kriptomat OÜ has been issued operating licenses by the Financial Intelligence Unit for:

Given the above, Kriptomat aims to be fully compliant and transparent especially when it comes to AML / CTF (Counter-Terrorist Financing).

 

KRIPTOMAT has implemented protection measures, which protect KRIPTOMAT from involvement in money laundering or suspicious activity by the following:

  • Performing an enterprise-wide risk assessment to determine the risk profile of the Company.
  • Establishing AML / CTF policies and procedures.
  • Implementing internal controls throughout its operations that are designed to mitigate risks of money laundering and terrorism financing.
  • Performing know your customer (“KYC”) procedures on all users and clients.
  • Designating a Compliance Officer with full responsibility for the AML / CTF Program.
  • Conducting a periodic AML audit.
  • Providing AML training to its employees.

 

DUE DILIGENCE MEASURES

  1. Identifying the Client and verifying its identity using reliable, independent sources, documents or data, including e-identifying;
  2. Obtaining proof of address, such as a copy of a utility bill or bank statement from the account holder;
  3. Identifying and verifying the representative of the Client and the right of representation;
  4. Identifying the Client’s Beneficial Owner / Shareholders;
  5. Assessing and, as appropriate, obtaining information on the purpose of the Business Relationship;
  6. Conducting ongoing Due Diligence on the Client’s business (legal persons) to ensure the Provider of service’s knowledge of the Client and its source of funds is correct;
  7. Obtaining information whether the Client is a PEP or PEP’s family member or PEP’s close associate;
  8. The Provider of service shall establish the source of wealth of the Client, where appropriate;
  9. Risk assessment according to Risk categories and a List of risk countries* and application of additional due diligence measures.

Documents used in opening an account relationship must be verified prior to establishing the account. KRIPTOMAT shall:

  1. Request appropriate identity documents to identify the Client or its representatives;
  2. Request documents and information regarding the activities of the Client and legal origin of funds;
  3. Request information about Beneficial Owners / shareholders of a legal person;
  4. Screen the risk profile of the Client, select the appropriate Due Diligence measures, assess the risk whether the Client is or may become involved in Money Laundering or Terrorist Financing;
  5. Re-identify the Client or the representative of the Client, if there are any doubts regarding the correctness of the information received in the course of initial identification;
  6. Carry out a review of a Client that is a legal entity regularly, once a year;
  7. Not enter into Business Relationships with anonymous Clients.

 

RISK CATEGORIES AND RISK ASSESSMENT

The risk is divided into 3 categories:

NORMAL
The risk level is normal, there are no high risk characteristics present.

HIGHER (High 1)
1. The place of residence or employment or business of a Client is in a country, which is included in the list of risk countries.
2. The Client is a local PEP or a person associated with a PEP.
3. The legal person registered in the European Economic Area or in Switzerland, whose area of activity is associated with enhanced money-laundering risk.
4. The legal person is situated in a country, which is listed in the list of risk countries.
5. The legal person is a non-profit association, trust, civil law partnership or another contractual legal arrangement, whose activities and liability are insufficiently regulated by law, and the legality of financing of which is not easy to screen.
6. The representative or the Beneficial Owner / Shareholder of a legal person is a local PEP or his / her family member.

THE HIGHEST (High 2)
1. The Client is suspected to be or to have been linked with a financial offence or other suspicious activities.
2. The Client is a non-resident individual, whose place of residence or activities is in a country, which is listed in the list of risk countries.
3. The representative or the Beneficial Owner / Shareholders of a legal person is a PEP or his or her family member.
4. There is information that the legal person is suspected to be or to have been linked with a financial offence or other suspicious activities.
6. A legal person registered outside the European Economic Area, whose field of business is associated with a high risk of Money Laundering, or registered in a low tax rate country**.

 

WHEN

SIMPLIFIED due diligence (Section 8):
– a company listed on a regulated market that is subject to disclosure requirements consistent with European Union law;
– a legal person governed by public law founded in Estonia;
– a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
– an authority of the European Union;
– a credit institution or a financial institution, acting on behalf of itself, located in a contracting state of the European Economic Area or in a third country (see Exhibit 1), which in the country of location is subject to equal requirements and the performance of which is subject to state supervision.

NORMAL due diligence (Section 6):
– Upon establishing a new Business Relationship;
– In the event of insufficiency or suspected incorrectness of the documents or information gathered previously in the course of carrying out DD measures;
– Upon suspicion of Money Laundering or Terrorist Financing.

ENHANCED due diligence (Section 9):
The risk level of the Client is higher:
– The Client is a person associated with a PEP
– The Client is PEP or local PEP
– The actual place of residence or employment or business of a Client is in a country, which is included in the list of risk countries
– the Client is suspected to be or to have been linked with a financial offence or other suspicious activities
– The Client is a non-resident individual, whose place of residence or activities is in a country, which is listed in the list of risk countries
– when suspicion arises regarding truthfulness of the provided data and/or of authenticity of the identification documents regarding the Client or its Beneficial Owners
– in a situation with higher risk of Money Laundering and terrorists financing
– in case of companies that have nominee shareholders or shares in bearer form

 

 


 

 

MEASURES

SIMPLIFIED due diligence. Include:
– the Client can be identified on the basis of publicly available information;
– the ownership and control structure of the Client is transparent and constant;
– the operations of the Client and their accounting or payment policies are transparent;
– Client reports to and is controlled by an authority of executive power of Estonia or a contracting state of the European Economic Area, another agency performing public duties, or an authority of the European Union.

NORMAL due diligence. Include:
– Identification of a natural person (Identification details and copy of ID documents), video call in case of deposit of more than 15.000 EUR
– Identification of a legal person (Corporate details, Certificate of incorporation, Articles of association, ID of representatives and shareholders)
– the Client can be identified on the basis of publicly available information;
– the ownership and control structure of the Client is transparent and constant;
– the operations of the Client and their accounting or payment policies are transparent;

ENHANCED due diligence. In addition to normal due diligence the measures include:
– Identification and verification of a Client on the basis of additional documents, data or information, which originates from a reliable and independent source
– Identification and verification of a Client while being present at the same place
– Asking the identification or verification documents to be notarised or officially authenticated
– Obtaining additional information on the purpose and nature of the Business Relationship and verification from a reliable and independent source
– Reassessment of a risk profile of a Client not later than 6 months after establishment of Business Relationship

The above listed DD measures can be combined, as appropriate, in respect to other listed or non-listed risks.

 

* List Of Risk Countries

We distinguish two different types of risk countries:

  1. Countries which, according to FATF, do not follow the requirements for the prevention of Money Laundering and Terrorism Financing. You can find the list here: http://www.fatf-gafi.org/countries/#high-risk
  2. Countries which, according to the FIU, are under a big threat of terrorism:

Afghanistan, Algeria, United Arab Emirates, Bahrain, Bangladesh, Egypt, Indonesia, Iraq, Iran, Yemen, Jordan, Qatar, Kuwait, Lebanon, Libya, Malaysia, Mali, Morocco, Mauritania, Nigeria, Oman, Pakistan, Palestine, Saudi Arabia, Somalia, Sri Lanka, Sudan, Syria, Tunisia, Turkey, Ethnic groups of Caucasus belonging to Russian Federation (Chechens, Lezgins, Ossetians, Ingushes etc.)

 

Kriptomat has sole discretion to enter into a business relationship with any legal or natural person from such a country up front.

 

** List Of Non-low Tax Countries

The list of countries that are NOT regarded as low tax rate countries (established by the Estonian Financial Ministry) can be found here:

 

DETECTION OF SUSPICIOUS TRANSACTIONS

KRIPTOMAT shall diligently monitor transactions for suspicious activity. Transactions that are unusual will be carefully reviewed to determine if it appears that they make no apparent sense or appear to be for an unlawful purpose.

 

Implemented internal controls will serve as an ongoing monitoring system in order to detect suspicious activity or transactions. When such suspicious activity is detected, KRIPTOMAT shall determine whether a filing with any law enforcement authority is necessary. Suspicious activity can include more than just suspected money laundering attempts. Activity may be suspicious, and KRIPTOMAT may wish to make a filing with a law enforcement authority, even if no money is lost as a result of the transaction.

 

KRIPTOMAT shall initially make the decision of whether a transaction is potentially suspicious. Once KRIPTOMAT has finished the review of the transaction details, it will consult with its management to decide whether the transaction meets the definition of a suspicious transaction or activity and whether any filing with law enforcement authorities should be made. KRIPTOMAT shall maintain a copy of the filing as well as all backup documentation. The fact that a filing has been made is confidential. No one, other than those involved in the investigation and reporting, should be told of its existence. In no event should the parties involved in the suspicious activity be told of the filing.

 

REPORTING REQUIREMENTS

Reasonable procedures for maintaining records of the information used to verify a person’s name, address and other identifying information are required under this Policy. The following are required steps in the record keeping process:

 

  • KRIPTOMAT shall maintain a record of identifying information provided by the customer.
  • Where KRIPTOMAT relies upon a document to verify identity, KRIPTOMAT shall maintain a copy of the document that the Company relied on that clearly evidences the type of document and any identifying information it may contain.
  • KRIPTOMAT shall also record the methods and result of any additional measures undertaken to verify the identity of the customer.
  • KRIPTOMAT shall record the resolution of any discrepancy in the identifying information obtained.
  • All transaction and identification records will be maintained for a minimum period of five years.