Elitium Limited

Anti Money Laundering &
Countering the Financing of Terrorism Policy
AML & CFT Policy

1. INTRODUCTION

Money laundering and the financing of terrorism have been identified as risks to Elitium Limited (the “Company”), given the Company’s sale of EUM tokens.
Legislation derives from the European Union Anti Money Laundering Directives. Individual guidance is provided by each jurisdiction where the Company operates, hence we are obliged to adhere to this guidance. Gibraltar, as well as many other countries around the world, have passed legislation designed to prevent money laundering and to combat terrorism. This legislation, together with regulations, rules and industry guidance/codes, forms the cornerstone of Anti-Money Laundering (AML)/Countering the Financing of Terrorism (CFT) obligations for licence holders and outlines the offences and penalties for failing to comply. In particular, the Proceeds of Crime Act was amended on 16
th March 2018 to bring within scope of AML “undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of distributed ledger technology or a similar means of recording a digital representation of an asset.” The requirements of the different legislations apply to the Company globally. The Company may have additional local policies and procedures designed to comply with their local legislation, regulations and any government approved guidance in the jurisdiction(s) in which they operate.

2. POLICY STATEMENT

The Company and its directors are committed to full compliance with all applicable laws and regulations regarding money laundering and the financing of terrorism.
Every officer, director, employee and associated person of the Company is responsible for assisting in the Company’s efforts to detect, deter and prevent money laundering and other activities intended to facilitate the funding of terrorism or criminal activities through its business.

3. SCOPE

This Policy applies to all customers of the Company. This Policy also applies to all staff and any third party the Company might do business with.

4. LEGAL AND REGULATORY FRAMEWORK

The principal requirements, obligations and penalties, on which the Company’s Systems and Controls are based, are contained in:
● The Fourth Anti Money Laundering Directive;
● Gibraltar Proceeds of Crime Act 2017;
● Gibraltar Counter Terrorism Act 2010;
● Gibraltar Terrorism Act 2005; and
● Gibraltar Crimes Act 2011.
5. WHAT IS MONEY LAUNDERING
Money laundering is the generic term used to describe the process by which criminals disguise the original ownership and control of the proceeds of criminal conduct by making such proceeds appear to have derived from a legitimate source.

6. MONEY LAUNDERING OFFENCES & PENALTIES
TYPE: CRIMINAL

6.1 Arrangements
A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person.
The maximum penalty for this offence on conviction on indictment is fourteen years in prison or a fine or both.
6.2 Acquisition, possession or use of criminal property
A person commits an offence if he-
(a) acquires criminal property;
(b) uses criminal property; or
(c) has possession of criminal property.
The maximum penalty for this offence on conviction on indictment is fourteen years in prison or a fine or both.
6.3 Concealing, transferring etc. proceeds of criminal conduct.
A person commits an offence if he-
(a) conceals criminal property;
(b) disguises criminal property;
(c) converts criminal property;
(d) transfers criminal property; or
(e) removes criminal property from Gibraltar.
The maximum penalty for this offence on conviction on indictment is fourteen years in prison or a fine or both.
6.4 Tipping-off
A person is guilty of an offence if–
(a) he discloses that a money laundering suspicion report has been made or is being contemplated or is being carried out; and
(b) the information on which the disclosure is based came to him in the course of a business or activity in the regulated sector
The maximum penalty for this offence on conviction on indictment is five years in prison or a fine or both.
6.5 Failure to disclose: relevant financial business
A person is guilty of an offence if–
(a) he knows, suspects or has reasonable grounds to suspect that another person is engaged in money laundering, or is attempting to launder money;
(b) the information or other matter, on which that knowledge or suspicion is based came to his attention in the course of his trade, profession, business or employment; and (c) he does not disclose the information or other matter to the Gibraltar Financial Intelligence Unit (‘GFIU’) as soon as is reasonably practicable after it comes to his attention.
The maximum penalty for this offence on conviction on indictment is fourteen years in prison or a fine or both.
TYPE: REGULATORY
In addition to the criminal offences and consequences described above, there are also regulatory consequences the Company can face, such as:
● Warning;
● Licence suspension and/or revocation;
● Personal management licence review and/or suspension/revocation; and ● Financial penalties i.e. fines.

7. WHAT IS TERRORISM FINANCING

Terrorist financing means (in accordance with Part 2(1) of the Gibraltar Counter-Terrorism Act 2010, similar definition applies in the UK):
(a) the use of funds or other assets, or the making available of funds or assets, by any means, directly or indirectly for the purposes of terrorism; or
(b) the acquisition, possession, concealment, conversion or transfer of funds that are (directly or indirectly) to be used or made available for those purposes.
Compared with money laundering (which involves the proceeds of all crimes), the amount of money that could be used as terrorism financing is quite small and can also come from legitimate sources.
However, the social, political and economic consequences of allowing terrorist organisations to function and prosper are devastating and it is for this reason that Company staff must be on the alert for terrorist financing as well as for the proceeds of crime.

8. TERRORISM FINANCING OFFENCES & PENALTIES

A person commits an offence if he-
(a) Raises funds for terrorism
(b) Uses and possesses money or other property for terrorism (c) Arranges funds for terrorism
(d) Arranges the retention or control of terrorism property The penalty for these offences is fourteen years in prison or a fine or both.

9. COMPLIANCE DIRECTOR AND MONEY LAUNDERING REPORTING
OFFICER (MLRO)

It is a requirement for a director of the Company to have overall responsibility and oversight of all compliance matters by the Company and its officers and staff. The holder of this position, in the Company, would be a member of the board of directors. This position is known as the Compliance Officer.
It is a requirement for the Company to appoint an MLRO. The holder of this position, in the Company, would be a member of the Compliance & Regulatory Team (if any, and failing that, an independent officer of the Company nominated by the Company’s board of directors). This position is also known as the Nominated Officer.
The MLRO is responsible for:
● Developing, implementing and overseeing all AML matters within the Company’s business; ● Undertaking a risk assessment for the business;
● Creating relevant policies, processes and procedures to prevent the Company from falling foul of applicable anti money laundering regulations and legislation; ● Providing training to staff in order for them to be able to identify red flags; ● Receiving and considering any internal suspicious activity reports; ● Liaising with the relevant Commissioner, the appropriate Financial Intelligence Unit (‘FIU’) and any other relevant government authority;
● Submitting regulatory reports; and
● Presenting an MLRO report to the Board, at least, annually whereby the operation and effectiveness of the Company’s systems and controls is evaluated.

10. REPORTING: SUSPICIOUS ACTIVITY REPORTS (SAR)

The Company is required to report all circumstances where it has knowledge, suspicion or reasonable grounds to suspect that money laundering or the financing of terrorism is being or has taken place or attempted through its facilities.
Employees are trained in order to recognise suspicious activities and therefore submit SARs where relevant. An internal SAR form is available on the Intranet for employees to use (please refer to Annex 1). The MLRO will also make the SAR form available to any employee upon request.
The MLRO is responsible for investigating any internal SAR received and/or any suspicion of money laundering/ terrorist finance. The MLRO will acknowledge receipt of any internal SAR received.
When considering a SAR, the MLRO will determine whether or not it needs to be disclosed to the authorities. This includes events in Gibraltar that may also be reported to other regulators and agencies.
In making a decision, the MLRO will consider, amongst others: ● the information available regarding the case, i.e. customer information, documentation, media news; ● transactions involved;
● account activity inconsistent with the customer’s risk profile; ● correspondence with the customer;
● the reasons for suspicion, etc.
Based on the above consideration, if the MLRO knows or suspect or has reasonable grounds to know or suspect that money laundering or terrorist financing has taken place, then a disclosure will be made accordingly. In the case the MLRO decides not to make a disclosure, this will be thoroughly documented with the reasons why.
Any disclosure is made to the appropriate country Fraud Investigation Unit.

10.1. SAR’s Log

The MLRO will record all internal SARs received by employees in the SAR’s Log. This Log will be kept up to date with any new information that might arise on any given case.

11. AML/CFT RISK ASSESMENT

The Company shall perform a risk assessment, at least, on an annual basis. There will be triggers and thresholds in place as part of the assessment.
The risk assessment will be conducted on all customers. The customer’s risk profile will be reviewed at least annually and/or where there is a trigger event which prompts the review.
If and when necessary, the Company will implement remediation projects in order to deal with any deficiencies which might be identified as part of the Know Your Customer/Customer Due Diligence process.
Based on this risk assessment, the level of due diligence will vary, as set out in section 12 below, taking into consideration the following type of risks:

11.1. Customer Risk

This is the identification of the risk posed by the type of customer of the Company: ● politically exposed persons;
● customers whose spend is not consistent with their wealth or income; and ● customers located/residing in a high risk jurisdiction.
Customer profile
Each customer of the Company will have a risk profile based on factors such as: ● payment method, i.e. deposit via one method and withdrawal via another; ● using high risk payment methods, i.e. prepaid cards, cryptocurrencies, etc.; ● account activity, i.e. significant changes in customer account activity; ● products used, i.e. tokens, Elitium platform etc.;
● balance, i.e. amount of deposits and value, withdrawal practices, etc.; ● Any other risk factor identified as part of the onboarding risk assessment process and/or ongoing business relationship, i.e. money laundering and/or terrorist financing risks.

11.2. Product Risk

The type of products the Company offers are cryptographic tokens and access to the Elitium platform.

11.3. Interface Risk

The Company recognises that, as a seller of tokens, it may not meet its customers face to face. Therefore, the interface risk may be considered high.

11.4. Country Risk

Country risk is used to describe the risk posed to the Company by the geographic origin of the economic activity of the business relationship. This is wider than just the country of residence of the customer and will, for example, include where the customer’s money is coming from.
The Company will determine which countries are high risk based on the high-risk and non-cooperative jurisdictions list produced by the Financial Action Task Force as well as the Corruption Perception Index from Transparency International.

12. CUSTOMER IDENTIFICATION (KNOW YOUR CUSTOMER) AND
CUSTOMER DUE DILIGENCE

The Proceeds of Crime Act 2015 (“Act”) transposes the EU Anti-Money Laundering Directive into Gibraltar law.
The Act sets out that a ‘relevant financial business’ must apply different levels of due diligence measures based on a risk based approach, and these are either:
(a) Customer due diligence (“CDD”);
(b) Simplified due diligence (“SDD”); or
(c) Enhanced due diligence (“EDD”).
Customer Due Diligence
Section 11 of the Act states that a ‘relevant financial business’ must apply customer due diligence measures where it does any of the following:
(a) establishes a business relationship;
(b) carries out an occasional transaction amounting to €15,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked; (c) in the case of persons trading in goods, when carrying out occasional transactions in cash amounting to €10,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
(d) suspects money laundering or terrorist financing, regardless of any derogation, exemption or threshold; (e) doubts the veracity or adequacy of documents, data or information previously obtained for the purposes of identification or verification;
(f) constitutes a transfer of funds, as defined in Article 3(9) of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (1), exceeding €1,000.
It is a requirement under section 12 of the Act that a ‘relevant financial business’ must conduct an ongoing monitoring of the business relationship, which means that the entity must scrutinize transactions undertaken throughout the course of the business relationship in order to ensure that such transactions are consistent with: (a) the relevant financial business’s or person’s knowledge of the customer; (b) his business and risk profile.
Where an entity seeks to establish a business relationship or carry out a transaction amounting to €15,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked and is carrying out due diligence measures, the entity must verify the identity of the customer before the establishment of a business relationship or the carrying out of an occasional transaction.
Customer Due Diligence (“CDD”) is required by law since you can better identify suspicious transactions if you know your customer and understand the reasoning behind their dealings with you. CDD involves a combination of Basic Customer Due Diligence and Enhanced Customer Due Diligence as further explained below.
Know Your Customer (“KYC”) is the process used by the Company to verify the identity of our customers.
There are different levels of due diligence we need to perform. This will be determined on a risk based approach.
The Company will apply CDD when:
➢ it establishes a business relationship;
➢ it suspects money laundering or terrorist financing;
➢ it doubts the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification; and
➢ it receives any amounts from the sale of tokens.
Moreover, the Company will also apply CDD:
➢ in relation to any transaction that amounts to €150 or more, whether the transaction is executed in a 1 single operation or in several operations which appear to be linked; ➢ at other appropriate times to existing customers on a risk-based approach; or ➢ when the Company becomes aware that the circumstances of an existing customer relevant to its risk assessment for that customer have changed.
12.1.1. Enhanced Customer Due Diligence (EDD)
The Act also prescribes that a ‘relevant financial business’ must apply EDD measures to appropriately manage and mitigate risks:
(a) in the cases referred to in Articles 19 to 24 of the European Union Fourth Anti-Money Laundering Directive (the “Directive”);
(b) when dealing with natural persons or legal entities established in third countries identified by the European Commission as high risk third countries; and
(c) in other cases of higher risk identified:
(i) by the relevant financial business; or
(ii) by the Minister by notice in the Gazette.
EDD measures need not be invoked automatically with respect to branches or majority-owned subsidiaries of obliged entities established in the European Union which are located in high-risk third countries, where those branches or majority-owned subsidiaries fully comply with the group-wide policies and procedures in accordance with Article 45 of the Directive, and such cases must be handled on a risk sensitive basis.
Where the customer is not physically present for identification purposes, the relevant entity must take specific and adequate measures for the higher risk, such as:
(a) ensuring that the customer’s identity is established by additional documents, data or information; (b) supplementary measures to verify or certify the documents supplied, or requiring confirmatory certification by a credit or financial institution which is subject to the Directive; and (c) ensuring that the first payment is carried out through an account opened in the customer’s name with a credit institution.
The Company will apply enhanced customer due diligence measures and enhanced ongoing monitoring in order to manage and mitigate the money laundering or terrorist financing risks arising in the following cases: ● where there is a high risk of money laundering or terrorist financing; ● where the customer is situated in a high-risk third country identified by the European Commission or by the FATF (whichever has the lower threshold);
● where a customer or potential customer is a PEP, or a family member or known close associate of a PEP; ● in any case where a transaction is complex or unusually large, or there is an unusual pattern of transactions, and the transaction or transactions have no apparent economic or legal purpose; ● for VIP customers; and
● in any other case which, by its nature, can present a higher risk of money laundering or terrorist financing.
Before a customer is considered a VIP, additional checks will be performed in order to be satisfied with the information we hold for the customer, i.e. level of expending in line with income, etc.
Where the Company discovers that a customer has provided false or stolen identification documentation or information, and/or where the information held by the Company differs from that of the customer’s transaction patterns, the relationship will be terminated. Any customer account closed on these circumstances, will be added 1 ‘Transaction’ consists of:
● The sale of EUM tokens.
to an internal blacklist.
The enhanced measures will include, but not be limited to: ● examining the background and purpose of the transaction, as far as reasonably possible; ● increasing the degree and nature of monitoring of the business relationship in which the transaction is made, to determine whether the transaction or the relationship appear to be suspicious; ● depending on the requirements of the case, may also include, among other things: ✓ seeking additional independent, reliable sources to verify information provided or made available to the Company;
✓ taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction, i.e. payslips, savings, inheritance, bank statements, etc.;
✓ taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
✓ increasing the monitoring of the business relationship, including greater scrutiny of the transactions.
Therefore, applying CDD measures involves several steps:
1. The Company is required to identify customers;
● identification of a customer means being told or coming to know of the customer’s identifying details, such as their name and address. The Company identifies the customer by obtaining a range of information about the customer.
2. The Company must then verify the customers identities, upon registration; ● verification means obtaining some evidence which supports this claim of identity. The verification of the identity consists of the Company verifying the information received against documents, data or information obtained from a reliable and independent source.
3. The Company must also verify and whitelist the wallets from which customers remit any cryptocurrencies; ● verification means obtaining some evidence which confirms the wallet: (i) is not related to terrorist financing; (ii) is not related to the darknet market; (iii) does not belong to mixers; or (iv) does not relate to a sanctioned country. The verification of the wallet consists of the Company verifying the information received against documents, data or information obtained from a reliable and independent source.
● The company shall also collect IP addresses and to the extent applicable MAC addresses from its customers during the identification and verification process.
Simplified Due Diligence
The Act states that where a ‘relevant financial business’: (a) identifies areas of lower risk; and
(b) has ascertained that the business relationship or the transaction presents a lower degree of risk; it may, in accordance with section 16 of the Act apply simplified customer due diligence measures.
Section 16 of the Act should not be construed as derogating from the need to undertake sufficient monitoring of  the transactions and business relationships to enable the detection of unusual or suspicious transactions or from the provisions of section 12 of the Act.
When assessing the risks of money laundering and terrorist financing relating to types of customers, geographic areas, and particular products, services, transactions or delivery channels, a relevant financial entity must take into account at least the factors of potentially lower risk situations set out in Schedule 6 of the Act.
12.2. Gibraltar specifics
12.2.1. Basic Customer Due Diligence (BDD)
Basic Customer Due Diligence is a two stage process which will always be undertaken upon registration. It consists of:
1. first, the operator must obtain the required personal identification details through an effective and reliable customer registration process; and
2. thereafter verify that identity using reliable and independent means, including databases, documents or other supplementary methods of confirming/assuring identity.
12.2.2. Enhanced Due Diligence (EDD)
All customers that make a deposit will be subject to EDD. This will consist of basic due diligence plus an additional third stage that includes:
1. undertaking additional information checks; or
2. supplementary measures to verify or certify documents; or 3. ensuring that payments from or to the customer are from/to a bank account or cryptocurrency wallet in his name.
The above measures would be in addition to the arrangements to establish identity or age and will be recorded.
EDD will be performed as soon as practicable:
● where a customer makes the first deposit in fiat currency or cryptocurrency; ● where a customer’s deposits reach the equivalent of €150 (or equivalent); and ● where a customer seeks to withdraw fiat currency or cryptocurrency; In any case, where EDD is necessary, additional information and/or documentation will be requested, i.e. source of wealth, source of funds, payment method ownership, etc. Additional verification is also performed.
If the EDD process is not concluded in a reasonable timeframe (generally within 28 days), the account will be subject to additional and proportionate supervision, consistent with the value and risk profile of the account and the deposits.
Where the verification process fails then no further transactions will be allowed, including transfers or withdrawals in fiat currency or cryptocurrency. Where necessary, deposits in fiat currency or cryptocurrency will be retained until identification is resolved.
Therefore, CDD is a three stage process:
1. obtaining sufficient information on customer identity;
2. verification of that identity against reliable and independent means; and 3. further identity verification by way of additional database checks, “supplementary means” or a bank process or cryptocurrency wallet whitelisting process in the name of the customer.
Policy
Section 2(1) of the Act states:
“A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person.”
Section 8 of the Act states that “business relationship” means: “a business, professional or commercial relationship which is connected with the professional activities of a relevant financial business and which is expected, at the time when contact is established, to have an element of duration.” Section 9(1)(p) of the Act brings companies which carry out token sales within the definition of “relevant financial business” as follows:
“(p) undertakings that receive, whether on their own account or on behalf of another person, proceeds in any form from the sale of tokenised digital assets involving the use of distributed ledger technology or a similar means of recording a digital representation of an asset.”
By virtue of the fact that it will carry out its sale of tokens from Gibraltar, the Company will need to ensure compliance with the Act and apply appropriate customer due diligence measures to all the participants in the token sale.
The directors and officers of the Company are notified of the overarching responsibility imposed by Section 2(1) of the Act which creates an offence if a person enters into or becomes concerned in an arrangement which he/she knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person.
In light of this, the following KYC procedures have been adopted by the Company: (a) Information to be received from any participant in the token sale who pays an amount less than €150: (i) name;
(ii) address;
(iii) date of birth;
(iv) email;
(v) wallet address; and
(vi) IP address and to the extent applicable a MAC address.
(b) In addition to the information set out in (a) above, documentation to be received from each participant in the token sale who pays between €150 and €10,000:
(i) passport copy; and
(ii) a second recognised form of photographic identification.
(c) In addition to the information set out in (a) above, documentation to be received from each participant in the token sale who pays between €10,000 and €50,000 and is considered a low risk participant: (i) passport copy;
(ii) a second recognised form of photographic identification; and (iii) plausible and verifiable source of wealth.
(d) In addition to the information set out in (a) above, documentation to be received from each participant in the token sale who pays over €150 and is considered a high risk participant: AML & CFT Policy Page 11 of 18
(i) passport copy;
(ii) a second recognised form of photographic identification; and (iii) documentary and verifiable source of wealth.
(e) In addition to the information set out in (a) above, documentation to be received from each participant in the token sale who pays more than €50,000:
(i) passport copy;
(ii) a second recognised form of photographic identification; and (iii) documentary and verifiable source of wealth.
12.2.3. Due Diligence for corporate participants
For any corporate participant the following information is captured: • Company name;
• Cryptocurrency addresses (addresses that will be used to make a payment); • Company’s address (address from where the company operates from); • Tax registration number;
• Email for contact person (person who is a responsibility to contact us); • Company website address (if applicable);
• Extract from the official company register (the legal status of a public registered company, company data from commercial registers);
• List of directors/shareholders visible in company register extract/ annual return (or equivalent) confirming the directors and shareholders;
• Economic Activity of company;
• Proof of income (e.g. tax declaration, extract from business bank account, financial statements); • Beneficial owner’s details including:
(i) Full name;
(ii) Nationality;
(iii) Date of birth;
(iv) Address;
(v) Percentage of shares;
(vi) Whether is a PEP;
(vii) ID/Passport Number; and
(viii) Source of wealth.
The principal requirement is to look behind a corporate entity to identify the individuals who control the entity and its assets, with particular attention being paid to any shareholders or others who exercise a significant influence over the affairs of the company.
The risk assessment of the customer will determine what information we should obtain from corporate customers and this may include the following:
• Copy of the latest report and accounts (audited where applicable); • Copy of the company’s Memorandum & Articles of Association; • Copy of the board resolution to open the relationship and the empowering authority for those who will operate any accounts;
• Copy of the certificate of incorporation/certificate of trade or equivalent; and • Original certificate of good-standing.
The following persons (i.e. individuals or legal entities) will also be identified: • All directors;
• All authorized signatories for the account/transaction; AML & CFT Policy Page 12 of 18
• All holders of powers of attorney to operate the account/transaction; • The beneficial owner(s) of the company. The natural person(s) who ultimately own or control a legal entity through direct or indirect ownership or control over a sufficient percentage of the shares or voting rights in that legal entity, including through bearer share holdings, other than a company listed on a regulated market that is subject to disclosure requirements consistent with Community legislation or subject to equivalent international standards; a percentage of 10% plus one share shall be deemed to meet this criterion; and
• Majority shareholders of the company (if different from the beneficial owners).
Only the UBOs (Ultimate Beneficial Owners) need be verified. (Unless the UBO is a company, at such time the company Director(s) (or Management Control) information should be sought). Documentation would follow the same lines as for individuals.
As indicated, the corporate and all individuals will be screened for Sanctions/PEPs and a period of review of the corporate and all documents will be established after on-boarding.
For companies with multi-layered ownership structures, the company is required to document their understanding of the ownership and control structure of the natural and legal persons at each stage in the structure. This does not require for director and shareholder information to be obtained at every level, but documentation should be obtained from reliable and verifiable sources that confirm the company’s existence, its registered shareholdings and management.
Confirmation of identity is required for any individuals who own more than a 10% share in the company with whom the business relationship is being established.
13. ANONYMOUS AND/OR DUPLICATE/MULTIPLE ACCOUNTS
The Company does not permit the use of anonymous and/or duplicate/multiple accounts.
The Company has the necessary systems and controls in place to detect and deter these occurrences. If a customer is found to have opened more than one account, the accounts will be closed.
The Company will use a software (or procure the services of a third-party service provider) to be able to identify this type of account. Daily reports will then be analysed by the Risk and Payment Team, who will then take actions (i.e. close accounts) accordingly.
14. ONGOING MONITORING
The Company performs ongoing monitoring of its customers. The Company uses a software provider who analyses customers’ historical information and account profile. This is the way a “whole picture” is produced which analysis customer’s profile, risk levels, and predicted future activity.
The software also generates reports and create alerts to suspicious activity which are further analysed by the Company in order to take actions accordingly.
There will also be instances whereby the analysis of transactions, information and/or documentation needs to be done manually. The responsibility for this analysis will depend on various factors, but generally will be performed by fraud, risk and/or compliance.
14.1. Type of Monitoring
Based on a variety of internal reports, including exception reports, the following monitoring will be performed: 14.1.1 Product monitoring
Monitoring of products used by customers, in order to identify changes/irregular patterns/behaviour.
14.1.2. Transaction and activity monitoring
This will include but not be limited to:
● change of payment methods;
● whether the transactions or activity are inconsistent (unusual) with the customer’s risk profile; ● whether the transactions or activity are complex or unusually large; ● whether the transactions or activity form part of an unusual pattern; ● whether the transactions present a higher risk of money laundering or financing of terrorism; or ● change in customer behaviour.
14.1.4. Media monitoring
This will monitor news media on specific countries, languages and publications. The Company will use a software provider to monitor media. The information will be analysed by Compliance (if any, and failing that, by the board of directors).
15. RECORD KEEPING
The Company keeps records of the procedures applied to establish the identity of its customers, and records of the value of their transactions, for at least 5 years after the relationship ends. This is consistent with data protection legislation and AML/CFT requirements.
16. POLITICALLY EXPOSED PERSONS (‘PEPs’)
A PEP generally presents a higher risk for potential involvement in bribery and corruption by virtue of their position and the influence that they may hold.
16.1. Definition
The Fourth Money Laundering Directive defines a ‘politically exposed person’ as a natural person who is or who has been entrusted with prominent public functions and includes the following: (a) heads of State, heads of government, ministers and deputy or assistant ministers; (b) members of parliament or of similar legislative bodies; (c) members of the governing bodies of political parties;
(d) members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances; (e) members of courts of auditors or of the boards of central banks; (f) ambassadors, chargés d’affaires and high-ranking officers in the armed forces; (g) members of the administrative, management or supervisory bodies of State-owned enterprises; (h) directors, deputy directors and members of the board or equivalent function of an international organisation.
No public function referred to in points (a) to (h) shall be understood as covering middle-ranking or more junior officials;
‘family members’ includes the following:
(a) the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person; (b) the children and their spouses, or persons considered to be equivalent to a spouse, of a politically exposed person;
(c) the parents of a politically exposed person;
‘persons known to be close associates’ means:
(a) natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person; (b) natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.
16.2. PEPs LOG
All identified PEPs will be assessed by senior management and a decision will be made on whether to continue with the relationship or terminate it. This will then be recorded in the PEPs Log. PEPs are monitored on a daily basis, using a data software, in order to identify any new information which might change their risk profile.
17. SANCTION LISTS
All new customers are screened against sanction lists. If a potential or current customer is identified as being in a sanction list, the relationship will be terminated immediately.
Under no circumstances the Company will, knowingly, engage in a relationship with a person and/or organisation appearing in a Sanctions List.
Screening of customers against PEPs databases and Sanctions Lists is performed on a daily basis.
18. COOPERATION WITH GOVERNMENT BODIES
The Company is committed to the fight against money laundering and the financing of terrorism. As such, the Company will cooperate with any and all law enforcement requests and/or investigations, the GFIU, the Royal Gibraltar Police and any other relevant government authority.
18.1. External Data Request
Any external request received by the Company will be dealt with by the Compliance Department (if any, and failing that, by the board of directors) or other officer and escalated to a director where appropriate. All staff is made aware of this process, both, through this Policy and via internal email communications.
19. COMMUNICATION
This policy will be placed on the Intranet page and also communicated to staff by email. When the Company engages in business with third parties, this Policy will be provided.
Any changes or amendments to this Policy, will also be communicated to relevant stakeholders (i.e. employees, third parties, etc.) accordingly.
20. REVIEW
The Company will review this policy, at least, every year. The review will involve all relevant stakeholders. The Company will make such changes as are reasonably necessary to comply with this Policy and any on-going licence obligations.
21. NON-COMPLIANCE
All Company’s employees are required to read and comply with this policy. Failure to comply with this policy would be considered gross misconduct and might result in termination of employment.