1. General provisions
These rules of procedure for prevention of money laundering and terrorist financing and compliance with international sanctions (hereinafter the “Rules”) are prepared by AlfaCash OÜ, incorporated and registered in Estonia with the company number 14692639, whose registered office is at Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 3 // 5 // 7, 10145 (hereinafter the “Company”).
AlfaCash OÜ is authorized to provide (1) services of exchanging a virtual currency against a fiat currency, (2) virtual currency wallet services and (3) services of exchanging a virtual currency against a virtual currency under an operating license issued by the Estonian Financial Intelligence Unit, Police and Border Guard Board (hereinafter the “FIU”). The operating license (No. FVT000402) can be validated on the official website of the Ministry of Economic Affairs and Communications of Estonia.
The Rules are based on the Estonian Money Laundering and Terrorist Financing Prevention Act (hereinafter the “MLTFPA”), the Estonian International Sanctions Act (hereinafter the “ISA”), Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (hereinafter the “AMLD5”), the Financial Action Task Force (hereinafter “FATF”) Guidance for a risk-based approach to virtual assets and virtual assets service providers, and other regulatory acts of Estonia.
The Rules regulate and establish:
- the procedure for applying customer due diligence measures with respect to customers, including application of normal or enhanced customer due diligence measures;
- basic principles of assessment, management and reduction of risks associated with money laundering and terrorist financing;
- guidance on proper determination of politically exposed persons, customers subject to international sanctions or persons whose place of residence or location is in the prohibited country;
- data collection and cyber security measures;
- methodology and guidance for determining if an obliged entity is suspected in connection with money laundering and terrorist financing, or the case is with a suspicious transaction or circumstances, as well as guidance on compliance with notification requirements and procedures of reporting to the management;
- management and assessment of related risks in connection with the available new technologies, services and products, including new or unconventional sales channels or in connection with developing technologies.
The Rules are developed and periodically updated by the Company’s compliance officer based on the general principles set up by the Company’s management board with respect to prevention of money laundering and terrorist financing. The Rules shall be communicated to all employees of the Company who establish business relationships or manage and monitor transactions of customers. The obligation to observe the Rules rests with the management board, the compliance officer, employees and any other outsourced professional staff who initiate or establish a Business Relationship and monitor further transactions.
2. Description of activities
The Company is engaged in B2C e-commerce business and provides to natural persons (1) services of exchanging a virtual currency against a fiat currency that allow Customers to trade different virtual currencies for fiat currencies and vice versa based on terms and conditions adopted by the Company (2) virtual currency wallet services that are aimed at safeguarding private cryptographic keys on behalf of Customers, to hold, store and transfer virtual currencies.
3. Compliance officer
The Management Board shall appoint a Compliance Officer whose principal duties are:
- acting as a contact person of the FIU;
- monitoring compliance with the MLTFPA, ISA, AMLD5 and other regulatory acts of Estonia and procedures established by the Rules;
- keeping updated information regarding countries with high and low risk of Money Laundering and Terrorist Financing and economic activities with great exposure to Money Laundering and Terrorist Financing;
- obtaining the competence, means and access to relevant Company’s information, education, professional suitability, abilities, personal qualities, experience and good reputation;
- managing the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the obliged entity;
- reporting to the FIU in the event of suspicion of money laundering or terrorist financing;
- reporting directly to the Management Board on money laundering and terrorist financing matters and submitting written statements on compliance with the requirements arising from the MLTFPA;
- performing any other duties and obligations related to compliance with the requirements of the MLTFPA.
The Compliance Officer must meet all the requirements, prescribed by the MLTFPA, and appointment of the Compliance Officer shall be coordinated with the FIU. If, as a result of a background check carried out by the FIU, it becomes evident that the Compliance Officer’s credibility is under suspicion due to their previous acts or omissions, the Company may extraordinarily terminate the Compliance Officer’s contract due to the loss of credibility.
4. Due diligence measures
Customer due diligence is one of the main tools for ensuring the implementation of mandatory regulations aimed at preventing money laundering and terrorist financing and at applying sound business practices. Customer due diligence ensures the application of adequate risk management measures in order to ensure permanent monitoring of customers and their transactions, gathering and analyzing relevant information. Upon application of customer due diligence measures, the Company will follow principles compatible with its business strategy and, based on prior risk analysis and depending on the nature of the Customer’s Business Relationship.
For the purpose of identification, assessment and analysis of risks of money laundering and terrorist financing related to its activities, the Company prepares a risk assessment, taking into account geographical, customer and product risks.
In order to grant access to the Standard Account, the Company requests the following information including, but not limited to:
- name proven with a photocopy of official government ID document or digital ID document, e.g. (1) personal ID card, e-resident card, residence permit card, (2) national passport or (3) driving license that meets requirements of the Identity Documents Act;
- email address;
Access to the Premium Account could be granted to the following categories of Customers:
- Estonian citizens or E-residents of Estonia (without need to submit any other documents and information as described below);
- EU/EEA nationals or residents whose total sum of outgoing payments exceeds 15,000 EUR per month regardless of whether such amount is reached in a lump sum or in several linked payments;
- Non-EEA nationals or residents.
In order to verify a Premium Personal Account of the Customer, the Company in addition to documents and information required for the standard personal account requests:
- residential address proven with a photocopy of the following documents, e.g. (1) bank statement, (2) utility bill, (3) tax bill, (4) other government issued residential statements or certificates;
- identification with the use of information technology means in accordance with applicable Estonian regulations, including real-time video interview, identification questionnaire, a working camera, microphone, the hardware and software required for digital identification and an Internet connection of adequate quality.
The Company does not accept and process any of the following documents (1) checks, (2) envelopes with the address as a confirmation of your address of residence, (3) stickers with the address on the parcels as a confirmation of your address of residence, (4) mobile phone bills, (5) insurance documents, (6) medical prescriptions, recipes, invoices and other documents, (7) prepaid card invoices, (8) mobile SIM cards.
The Company shall make verification of submitted documents against additional information sources or databases. For a real-time video interview, the Company follows specific requirements and instructions as described in Estonian Minister of Finance Regulation dated 23.05.2018 No. 25 “Requirements and procedure for identification of persons and verification of person’s identity data with information technology means”.
After completing document verification, the Customer might be asked to confirm the payment method (the ownership of the bank card/online wallet). The Customer will be asked to take a picture of a bank card or a picture of a crypto wallet or online bank account (with the name visible on it). In some cases, instead of the picture, the Customer may be asked to enter the details of their payment method or pass liveness verification. In order to access SEPA bank transfer funding (deposits and withdrawals), the Customer’s bank account needs to meet the following requirements: (1) it must be under the same name as the personal account, (2) it must be located in the SEPA zone, and (3) it must be able to send and receive SEPA transfers.
Customer verification procedures shall be performed with the use of technology means required under Regulations adopted by the Estonian Ministry of Finance (“Requirements and procedure for identification of persons and verification of person’s identity data with information technology means” as of 23.05.2018 No. 25) as well as automated tools provided to the Company under the service contract with Sum & Substance Ltd (UK). The Management Board of the Company hereby confirms that the materiality and risks from the existing outsourcing agreement are remote, and that due diligence results indicate that the Company is capable of employing a high standard of care in the performance of the outsourcing arrangement.
The Company shall conduct simplified due diligence measures upon assessment of factors referring to a lower risk:
- where the customer is from, or the customer’s place of residence or seat is in, one of the following, which may be deemed a factor reducing geographic risks: (1) a contracting state of the European Economic Area; (2) a third country that has effective AML/CFT systems; (3) a third country where, according to credible sources, the level of corruption and other criminal activity is low; or (4) a third country that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force (FATF), and where the requirements are effectively implemented;
- where the customer’s total sum of outgoing payments does not exceed 1,000 EUR per calendar month, regardless of whether such amount is reached in a lump sum or in several linked payments (de minimis rule).
The simplified measures should be commensurate with the lower risk factors (e.g. the simplified measures could relate only to customer acceptance measures or to aspects of ongoing monitoring). Examples of possible measures are:
- verifying the identity of the customer and the beneficial owner after the establishment of the business relationship (e.g. if account transactions rise above a defined monetary threshold of EUR 1,000).
- reducing the frequency of customer identification updates.
- reducing the degree of on-going monitoring and scrutinizing transactions, based on a reasonable monetary threshold.
- not collecting specific information or carrying out specific measures to understand the purpose and intended nature of the business relationship, but inferring the purpose and nature from the type of transactions or business relationship established.
No new Business Relationship can be formed, if the Customer has failed to present documents and appropriate information required to conduct due diligence, or if based on the presented documents, the Representative suspects Money Laundering or Terrorist Financing.
5. Risk assessment
The Company applies the following risk categories:
- Low risk (normal, expected activity);
- Normal risk (the risk level is normal, there are no high-risk characteristics present);
- Greater than normal risk (the risk level requires application of enhanced due diligence measures, further requests and document submission);
- Prohibited (the institution will not tolerate any dealings of any kind given the risk).
For every Customer who does not fall into the “normal risk” category, the Compliance officer shall make assessment of the Customer’s profile and estimate applicable risk category. Only the Compliance Officer shall have the right to change the risk category recorded for a Customer. When establishing the risk category of a Customer being a natural person, the country of residence of the Customer, the region where the Customer operates, and status of PEP shall be taken into account. The existence of Customer’s good business reputation is presumed where circumstances calling into doubt are absent. Proof of good business reputation need only be provided if the person wishes to provide additional proof of this.
For every Customer the Compliance officer shall make assessment of the Customer’s profile and estimate applicable risk category.
Before offering a new financial service or product, or new or non-traditional sales channels, to customers, or introducing new or emerging technologies, the management board of the Company assesses the risks of money laundering and terrorist financing involved and shall map the risks associated with each new product, service, technology or sales channel. In assessing risks, both actual and potential risks are assessed and, if necessary, additional information on risks and their hedging measures is collected.
After mapping the risks, the management board of the company shall assess the likelihood of the realization of risks and the level of risk, with particular emphasis on risk-enhancing and mitigating circumstances.
After assessing the risks and their effects, the Company assesses which countermeasures are the most appropriate to hedge the specific risks to the level of risk of the Company and, if necessary, arranges the implementation of countermeasures.
6. Data processing
The respective data is stored in a written format and/or in a format reproducible in writing and, if required, it shall be accessible by all appropriate staff of the Company (Management Board, Representatives, Compliance officer etc.). Copies of the documents, which serve as the basis for identification of a person, and of the documents serving as the basis for establishing a Business Relationship, shall be stored for at least five (5) years following the termination of the Business Relationship. Personal data is processed pursuant to the GDPR requirements. The data of the document prescribed for the digital identification of a Customer, information on making an electronic query to the identity documents database, and the audio and video recording of the procedure of identifying the person and verifying the person’s identity shall be stored at least five (5) years following the termination of the Business Relationship. The following documents shall also be stored: (1) manner, time and place of submitting or updating of data and documents; (2) name and position of Representative who has established the identity, checked or updated the data.
7. Implementation of International Sanctions
The Company shall comply with the Estonian International Sanctions Act as well as other sanction regulations of the EU and the UN. The Company also intends to comply with partner countries’ sanction acts (sanctions administered by the UK Office of Financial Sanctions Implementation and sanctions administered by the US Office of Foreign Assets Control).
The Company shall ensure that all Representatives who have contacts with Customers or matters involving Money Laundering are provided with regular training and information about the nature of the Money Laundering and Terrorist Financing risks, as well as any new trends within the field. The Compliance Officer shall arrange regular training concerning prevention of Money Laundering and Terrorist Financing to explain the respective requirements and obligations.
Initial training is provided at the start of a Representative’s employment. The Representatives who are communicating with the Customers directly may not start working before they have reviewed and committed to the adherence of these Rules or participated in the Money Laundering and Terrorist Financing prevention training.
Training is provided regularly, at least once a year, to all Representatives and other relevant designated staff of the Company. Training may also be provided using electronic means (conference calls, continuous email updates, provided confirmation of receipt and acceptance is returned, and similar means). Training materials and information shall be stored for at least 3 (three) years.
9. Internal audit and amendment of the Rules
Compliance with the Rules shall be inspected at least once a year by the Compliance Officer, whose job duties are set out in Section 4. If the inspection reveals any deficiencies in the Rules or their implementation, the report shall set out the measures to be applied to remedy the deficiencies, as well as the respective time schedule and the time of a follow-up inspection.
If a follow-up inspection is carried out, the results of the follow-up inspection shall be added to the inspection report, which shall state the list of measures to remedy any deficiencies discovered in the course of the follow-up inspection, and the time actually spent on remedying the same. The inspection report shall be presented to the Management Board which shall decide on taking measures to remedy any deficiencies discovered.
List of SEPA countries
Andorra, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, San Marino, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom.
List of prohibited countries
Afghanistan, Algeria, Bahrain, Bangladesh, Bolivia, Cambodia, Central African Republic, Egypt, Indonesia, Iran, Iraq, Jordan, Kuwait, Lebanon, Libya, Malaysia, Mali, Mauritania, Morocco, Nepal, Nigeria, North Korea, Oman, Pakistan, Palestinian Territory, Qatar, Saudi Arabia, Somalia, Sri Lanka, Sudan, Syria, Tunisia, Turkey, United Arab Emirates, Yemen.
List of low-risk countries
Argentina, Australia, Brazil, Canada, Chile, Hong Kong, Israel, Japan, Mexico, New Zealand, Russia, Singapore, South Africa, South Korea, Uruguay.