1. General provisions

The purpose of the rules is to contribute to the capacity to resist money laundering and terrorist financing and to mitigate risks. The purpose of establishing and enforcing the rules is to reduce the likelihood of the financial sector being exploited for criminal purposes by reducing risks and increasing the stability, reliability, and transparency of the Company.

The Rules regulate and establish:

• procedure for appointment of the responsible member of the management board, rights and obligations of the contact person

• the procedure for applying customer due diligence measures with respect to customers, including the application of normal or enhanced customer due diligence measures;

• basic principles of assessment, management, and reduction of risks associated with money laundering and terrorist financing;

• guidance on proper determination of politically exposed persons, customers subject to international sanctions or persons whose place of residence or location is in a high-risk country;

• data collection and cyber security measures;

• methodology and guidance for determining if an obliged entity is suspected in connection with money laundering and terrorist financing, or the case is with a suspicious transaction or circumstances, as well as guidance on compliance with notification requirements and procedures of reporting to the management;

• management and assessment of related risks in connection with the available new technologies, services and products, including new or unconventional sales channels or in connection with developing technologies.

The Rules are developed and periodically updated by the Company's compliance officer based on the general principles set up by the Company's management board with respect to the prevention of money laundering and terrorist financing. The Rules shall be communicated to all employees of the Company that establish Business Relationships, manage and monitor transactions of customers. The obligation to observe the Rules rests with the management board, the compliance officer, employees, and any other outsourced professional staff who initiate or establish business relationships and monitor further transactions.

2. Definitions

"Money Laundering" means 1) the conversion or transfer of property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person's actions; 2) the acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein; 3) the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such an activity.

"Terrorist financing'" means the financing and supporting of an act of terrorism and commissioning thereof within the meaning of § 237^3^ and 237^6^ of the Penal Code.

"International Sanctions" means a list of non-military measures decided by the European Union, the United Nations, another international organization, or the government of the Republic of Estonia and aimed to maintain or restore peace, prevent conflicts and restore international security, support and reinforce democracy, follow the rule of law, human rights and international law and achieve other objectives of the common foreign and security policy of the European Union. In Estonia, this area is primarily regulated by the International Sanctions Act.

"Compliance Officer" means a representative appointed by the Management Board responsible for the effectiveness of the Rules, conducting compliance over the adherence to the Rules and serving as a contact person of the FIU.

"FIU" means a Financial Intelligence Unit

"Business Relationship" means a relationship of the Company established in its economic and professional activities with the Customer.

"Customer" means a natural person who has a business relationship with the Company.

"Politically Exposed Person or PEP" means a natural person (within the meaning of the MLTFPA) who is or who has been entrusted with prominent public functions including a head of state, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d'affaires and a-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a state-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organization, except middle-ranking or more junior officials. The provisions set out above also include positions in the EU and in other international organizations. A family member of a person performing prominent public functions is the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person; a child and their spouse, or a person considered to be equivalent to a spouse, of a politically exposed person; a parent of a politically exposed person. A close associate of a person performing prominent public functions is a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a politically exposed person; and a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.

"Local Politically Exposed Person or local PEP" means a natural person falling under a PEP definition above, who performs or has performed prominent public functions in Estonia, a contracting state of the European Economic Area or in an institution of the European Union.

"Management Board" means a management board of the Company.

"Representatives" means the Management Board, the Compliance Officer, employees and any other outsourced professional staff who initiate or establish Business Relationship and monitor further transactions.

"Virtual currency" means a value represented in the digital form, which is digitally transferable, preservable, or tradable and which natural persons or legal persons accept as a payment instrument, but that is not the legal tender of any country or funds for the purposes of Article 4(25) of Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, pp. 35--127) or a payment transaction for the purposes of points (k) and (l) of Article 3 of the same Directive.

"Virtual currency exchange service or VCES" means service with the help of which a person exchanges a virtual currency against a fiat currency or a fiat currency against a virtual currency or a virtual currency against another virtual currency.

3. Description of activities

The Company is engaged in B2C e-commerce business and provides individuals with services of exchanging a virtual currency against a fiat currency that allows Customers to trade different virtual currencies for fiat currencies and vice versa based on terms and conditions adopted by the Company.

4. Appointment of the management board member in charge and Compliance Officer

The Management Board of the Company appoints a Management Board member responsible for the effectiveness of the Rules in accordance with MLTFPA, conducting compliance over the adherence to the Rules, and serving as a contact person of the FIU (hereinafter the "Compliance Officer"). The Compliance Officer reports directly to the Management Board of the Company and has the necessary competence, resources, and access to relevant information about the Company to comply with the requirements of the FIU. The Compliance Officer of the virtual currency service provider may not be the contact person of another virtual currency service provider or the head of a structural unit.

The Management Board shall appoint a Compliance Officer whose principal duties are:

• acting as a contact person of the FIU;

• monitoring compliance with the MLTFPA, ISA, AMLD5 and other regulatory acts of Estonia and procedures established by the Rules;

• keeping updated information regarding countries with high and low risk of Money Laundering and Terrorist Financing and economical activities with great exposure to Money Laundering and Terrorist Financing;

• obtaining the competence, means and access to relevant the Company's information, education, professional suitability, abilities, personal qualities, experience and good reputation;

• managing the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the obliged entity;

• reporting to the FIU in the event of suspicion of money laundering or terrorist financing;

• reporting directly to the Management Board on money laundering and terrorist financing matters and submitting written statements on compliance with the requirements arising from the MLTFPA; 

• performing any other duties and obligations related to compliance with the requirements of the MLTFPA.

The Compliance Officer must meet all the requirements, prescribed by the MLTFPA, and the appointment of the Compliance Officer shall be coordinated with the FIU. If, as a result of a background check carried out by the FIU, it becomes evident that the Compliance Officer's credibility is under suspicion due to their previous acts or omissions, the Company may extraordinarily terminate the Compliance Officer's contract due to the loss of credibility.

The Compliance Officer has the right to:

• to make proposals to the Management Board of the Company for amending and supplementing the rules of procedure containing the requirements for the prevention of money laundering and terrorist financing and for organizing the training specified in subsection 14 (6) of the MLTFPA;

• to require the Management Board of the Company to eliminate the deficiencies identified in the compliance with the requirements for the prevention of money laundering and terrorist financing within a reasonable time;

• to obtain the data and information necessary for the performance of the duties of the contact person, i.e. in particular access to the information which is the basis or prerequisite for the establishment of business relations, including information, data, or documents reflecting the identity of the client and his business activities;

• make proposals for the process of submitting suspicious and unusual notifications;

• receive training in the field.

Only a person who works permanently in Estonia and who has the necessary education, professional suitability, necessary abilities, personal qualities and experience and an impeccable reputation to perform the duties of a contact person may be appointed as a Compliance Officer.

5. Due diligence measures

Customer due diligence is one of the main tools for ensuring the implementation of mandatory regulations aimed at preventing money laundering and terrorist financing and at applying sound business practices. Customer due diligence ensures the application of adequate risk management measures in order to ensure permanent monitoring of customers and their transactions, gathering and analyzing relevant information. Upon application of customer due diligence measures, the Company will follow principles compatible with its business strategy and, based on prior risk analysis and depending on the nature of the Customer's Business Relationship. The purpose of applying due diligence measures is to prevent the concealment, conversion, etc. of criminal assets of money laundering in various phases. The purpose of the due diligence measures is to comply with the "know your customer" principle.

For the purpose of identification, assessment and analysis of risks of money laundering and terrorist financing related to its activities, the Company prepares a risk assessment, taking into account geographical, customer and product risks. The Company is prohibited from providing services outside the business relationship.

The Company applies the following due diligence measures:

• identifying the Customer and verifying its identity using reliable, independent sources, documents or data, including verification of identity data with information technology means; 

• identifying and verifying of the representative of the Customer and the right of representation; 

• assessing and, as appropriate, obtaining information on the purpose of the Business Relationship;

• conducting ongoing due diligence on the Customer's business to ensure the Company's knowledge of the Customer and its source of funds is correct;

• obtaining information whether the Customer is a PEP or PEP's family member or PEP's close associate.

Due diligence measures for business relationship monitoring:

• control of transactions to ensure that they are done in accordance with the Company's knowledge of the client, his or her activities, and risk profile;

• regular update of relevant documents, data, or information as a part of due diligence measure;

• identification of the source and origin of funds considering the client, his or her activities, and risk profile.

Customer due diligence is applied on a risk-based approach, depending on the status of the Business Relationship or transactions. Depending on the risk level arising from the Customer and the fact whether the Business Relationship is an existing one or it is about to be established, the Company shall apply either normal due diligence measures or enhanced due diligence measures.

If the risk level of the Business Relationship or transaction is normal, the Company may apply normal due diligence measures but is not allowed to skip Customer due diligence entirely. If the risk level arising from the Customer is greater than normal, enhanced due diligence measures will be applicable.

The Company is not allowed to cooperate or open an account in a so-called shell bank.

To comply with due diligence principles and obligations, the Representatives shall have the following rights and obligations:

• to request appropriate documents in order to identify the Customer;

• to request documents and information regarding the activities of the Customer and source of funds;

• to screen the risk profile of the Customer, select the appropriate due diligence measures, assess the risk whether the Customer is or may become involved in Money Laundering or Terrorist Financing activities;

• to re-identify the Customer if there are any doubts regarding the correctness of the information received during initial identification.

6. Customer identification

The Company does not establish Business Relationships with anonymous, unidentified persons as well as legal entities. The Company relies on MLTFPA provisions for non-face-to-face identification of persons and verification of data using information technology means.

Access to the Standard Account could be granted to the following categories of Customers:

• Estonian citizens;

• EU/EEA nationals or residents.

The use of the services is subject to a limit on the volume, stated in EUR or other fiat currency or virtual currency, the Customer may transact or transfer in a given period (e.g. monthly). The maximum limit for transactions (outgoing payments) with a Personal Account is 15,000 EUR per calendar month. Transaction limits may vary depending on your payment method, verification steps you have completed, and other factors. The Company reserves the right to change applicable limits as it deems necessary.

In order to grant access to the Standard Account, the Company requests the following information including, but not limited to:

• name proved with a photocopy of an official government ID document or digital ID document, e.g. (1) personal ID card, e-resident card, residence permit card, (2) national passport or (3) driving license that meets requirements of the Identity Documents Act;

• place of birth

• mobile phone number;

• email address;

• residential address, proved by a copy of the following documents, e.g. (1) bank statement (2) utility bill (3) tax declaration (4) other extracts or certificates of residence issued by a public authority;

• liveliness selfie.

The Company shall make verification of submitted documents against additional information sources or databases. The Company may also require the Customer to provide or verify additional information or to wait some amount of time after completion of a transaction, before permitting use of any services. 

The Company does not accept and process any of the following documents (1) checks, (2) envelopes with the address as a confirmation of your address of residence, (3) stickers with the address on the parcels as a confirmation of your address of residence, (4) mobile phone bills, (5) insurance documents, (6) medical prescriptions, recipes, invoices and other documents, (7) prepaid card invoices, (8) mobile SIM cards.

The identity of the Customer can be verified on the basis of documents, which has been authenticated by a notary public, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event.

The Company shall not enter into any business relationship with Politically Exposed Person or PEP. If a business relationship is established with the Customer that will become later on or later it will become known that he or she has become a Politically Exposed Person, then the Compliance Officer has an obligation to inform the Management Board immediately.

Access to the Premium Account could be granted to the following categories of Customers:

• Estonian citizens (without the need to submit any other documents and information as described below);

• EU/EEA nationals or residents whose total sum of outgoing payments exceeds 15,000 EUR per year;

• Non-EEA nationals or residents.

In order to verify a Premium Personal Account of the Customer, the Company in addition to documents and information required for the standard personal account requests a real-time video interview with a working camera, microphone, the hardware and software required for digital identification and an Internet connection of adequate quality.

The Company shall make verification of submitted documents against additional information sources or databases. For a real-time video interview, the Company follows specific requirements and instructions as described in the Estonian Minister of Finance Regulation dated 23.05.2018 No. 25 "Requirements and procedure for identification of persons and verification of person's identity data with information technology means".

After completing document verification, the Customer might be asked to confirm the payment method (the ownership of the bank card/online wallet). The Customer will be asked to take a picture of a bank card or a picture of a crypto wallet or online bank account (with the name visible on it). In some cases, instead of the picture, the Customer may be asked to enter the details of your payment method or pass liveness verification. In order to access SEPA bank transfer funding (deposits and withdrawals), the Customer's bank account needs to meet the following requirements: (1) must be under the same name as the personal account, (2) located in the SEPA zone (3) be able to send and receive SEPA transfers.

Customer verification procedures shall be performed by the Representatives with the use of technology means required under Regulations adopted by the Estonian Ministry of Finance ("Requirements and procedure for identification of persons and verification of person's identity data with information technology means" as of 23.05.2018 No. 25) as well as automated tools outsourced by the Company under the service contract with Sum & Substance Ltd (UK). Management Board of the Company hereby confirms that the materiality and risks from the existing outsourcing agreement are remote, due diligence results indicate that the Company is capable to employ a high standard of care in the performance of the outsourcing arrangement.

AML Screening: International Sanctions, PEPs, Watchlists and Adverse Media	A solution for checking whether the Customer is on any of the global sanctions lists, PEP lists, watchlists, blacklists or adverse media (OFAC, UN, HMT, EU, DFT etc.). Ongoing monitoring is included by default for one year once the check is completed. Ongoing monitoring means regular (daily) review of the data collected during the AML Screening.
Identity Verification	A platform equipped with tools for completely automatic verification as well as for checks based upon human review that is compliant to current European legislation to non-face-to-face customer identification, i.e. expert knowledge enhanced with AI and machine learning. The system is built on a risk-based approach and follows global and local regulatory norms (including FATF, FINMA, FCA, CySEC, MAS). Identity verification platform is globally applicable, as its approach and methodology are carefully designed according to FATF recommendations regarding AML and CTF requirements (specifically, Article 10), which served the international basis for local AML laws. Sum & Substance is responsible for accurate personal data protection under European, U.S., Asian and CIS legal regulations (GDPR, PDPA or FZ-152). Identity verification software enables to collect the personal information with the following means: ID Document verification (integrity, authenticity checks, and database checks) Biometric checks (matching an ID with a selfie, liveness checks) Screening (scammer blacklists and third-party databases, automated monitoring of unfavorable information in the media) These three layers of customer verification process are aimed at preventing account takeovers, online frauds and compliance with regulatory requirements.
Face Match and Liveness Check	A solution comparing faces on the submitted images and analyzing the movements of the person, confirming that the documents belong to a particular person and that person is real.
Proof of Address Check	Checks the address and residency by analyzing additional documents

The Company continually assesses changes in the customer's activities in the course of the business relationship and identifies whether the level of risk associated with the customer and the business relationship may increase and, if necessary, enhanced due diligence measures should be applied.

7. Normal due diligence measures

The Company shall conduct normal due diligence measures each time upon establishing a new Business Relationship with Customers and focus on proper Customer identification procedures as provided for in the Section 6.

No new Business Relationship can be formed, if the Customer has failed to present documents and appropriate information required to conduct due diligence, or if based on the presented documents, the Representatives suspects Money Laundering or Terrorist Financing. In all such cases the Representatives shall perform enhanced due diligence measures as provided for in the Section 9.

8. Enhanced due diligence measures

Enhanced due diligence measures must be taken in cases where the risk level of the Customer is greater than normal. The Representative shall establish the Customer's risk profile and determine the risk category in accordance with the Rules. The risk category may be altered during the course of the Business Relationship, taking into consideration the changes in data gathered.

The Representative, who upon entering into a Business Relationship with a new Customer, detects that there is at least one of the following high-risk characteristics present with respect to the Customer, shall consult with and report to the Compliance Officer, and shall take the due diligence measures set out in the Rules. The Representative shall apply enhanced due diligence measures in the following situations:

• The Customer is suspected in forgery and or submission of falsified documents;

• the Customer is located in a third country, which is included in the list of high-risk countries;

• The Customer or his close relative was previously known for being suspected of money laundering; 

• the Customer is suspected to be under the control of a third party;

• the Customer is suspected to use services of intermediaries that make it difficult to identify him;

• the Customer is suspected to be subject to International Sanctions.

• the wallet that the Customer used for a transaction with the Company has been reported by Chainalysis KYT as a suspicious wallet during the ongoing monitoring;

• the wallet that the Customer used for a transaction with the Company has been reported by Chainalysis KYT as a suspicious wallet during the ongoing monitoring

• other cases when the Compliance officer has a suspicion over the Customer or his transactions.

Enhanced due diligence measures shall include one of the following measures in addition to normal due diligence measures:

• obtaining additional information regarding the proof of sources of funds;

• request of additional information and commentaries as regards publicly available derogatory information;

• request of the bank statement;

• asking to complete a written questionnaire;

• asking the identification or verification documents to be notarized or officially authenticated;

• reassessment of a risk profile of a Customer not later than 6 months after the establishment of Business Relationship.

After taking enhanced due diligence measures, the Management Board shall decide whether to establish or continue the Business Relationship with the Customer with respect to whom enhanced due diligence measures were taken.

In addition to the application of enhanced due diligence measures, the Company examines the background of an individual transaction to the extent reasonably necessary, including recording the details of the transaction and analyzing the circumstances that have arisen, in order to identify the most common features of the most common transactions. The main factors to consider when analyzing such transactions are:

• whether there are any suspicious circumstances in the operations, transactions or other circumstances;

• whether the Company is satisfied that it knows the customer to the required extent and whether the customer's activities correspond to previously known information about it or whether it is necessary to collect additional information about it and use reasonable and sufficient measures to understand the background and purpose of the transaction;

• whether there have been repeated manifestations of suspicious operations and transactions (incl. in relation to similar situations or circumstances);

• whether it is necessary to pay more attention to the client's activities and business relationship in general in the future, including details;

• whether it is necessary to comply with the obligation to notify the FIU.

9. Data processing, collection and storage

The Company registers and maintains:

• information on the establishment of a business relationship or the circumstances of the refusal to establish a business relationship;

• information where due diligence cannot be applied by means of information technology;

• the circumstances of the waiver of the establishment of a business relationship or the conclusion of the transaction at the initiative of the person participating in the transaction or the client, if the waiver is related to the application of the Company's due diligence measures;

• the documents on which the identification and verification of the information provided are based

• a description of the date or period of the transaction and the content of the transaction;

Also the following information related to transactions:

• upon deposit of the property, the deposit number and the market price of the property on the day of deposit, or an exact description of the property if the market price of the specified property cannot be determined;

• in the case of another transaction, the amount, currency and account number of the transaction;

• data and documents collected during the monitoring of the business relationship;

• All correspondence related to the instructions of the FIU and the fulfillment of the obligations of the MLTFA;

• Information on which the FIU is required to notify;

• information on suspicious or unusual transactions or circumstances that were not reported to the FIU;

• information on the circumstances of the termination of the business relationship.

The respective data is stored in a written format and/or in a format reproducible in writing and, if required, it shall be accessible by all appropriate staff of the Company (Management Board, Representatives, Compliance officer etc). Copies of the documents, which serve as the basis for identification of a person, and of the documents serving as the basis for establishing a Business Relationship, shall be stored for at least five (5) years following the termination of the Business Relationship. Personal data is processed pursuant to the GDPR requirements. The data of the document prescribed for the digital identification of a Customer, information on making an electronic query to the identity documents database, and the audio and video recording of the procedure of identifying the person and verifying the person's identity shall be stored at least five (5) years following the termination of the Business Relationship. The following documents shall also be stored: (1) manner, time and place of submitting or updating of data and documents; (2) name and position of Representative who has established the identity, checked or updated the data.

10. Mandatory reporting

Any circumstances identified in the Business Relationship are unusual or suspicious or there are characteristics which point to Money Laundering, Terrorist Financing, or an attempt of the same according to the official "Guidelines on the characteristics of suspicious transactions" issued by the FIU, the Representative shall promptly notify the Compliance Officer. The Compliance Officer shall analyze and forward the respective information to the Management Board. Before reporting any transaction connected with suspected Money Laundering or Terrorist Financing to the FIU, the Compliance Officer shall analyze the content of the information received, considering the Customer's current area of activity and other known information.

The Compliance Officer shall decide whether to forward the information to the FIU.The Compliance Officer shall make a notation "AML" behind the name of the Customer in the Company's database or on the documents, and shall notify the FIU promptly, but not later than within 2 business days after discovering any activities or circumstances or arising of suspicion, using the respective web-form for notifying the FIU. Copies of the documents as set forth by guidelines of FIU or further requested by FIU shall be appended to the notice. The FIU shall be notified of any suspicious and unusual transactions considering mandatory forms and guidelines issued by the FIU. The Compliance Officer shall store in a format reproducible in writing any reports received from the Representatives about suspicious circumstances, as well as all information gathered to analyze such notices, as well as other linked documents and notices to be forwarded to the FIU, along with the time of forwarding the notice, and the information about the Representatives who forwarded the same.

The Customer who is reported to the FIU as being suspicious, may not be informed of the same. It is also prohibited to inform any third persons, including other Representatives, of the fact that information has been reported to the FIU, and the content of the reported information, except for the Management Board/Compliance Officer.

The decision on terminating the Business Relationship shall be taken by the Management Board, considering also the proposal of the Compliance Officer. The Customer shall be notified of the termination of Business Relationship in writing. Notation about the cancellation of the Business Relationship shall be made in the Company's database or documentation, and an "AML" note shall be added to the Customer's data.

The Company and its Representatives shall not, upon the performance of the obligations arising from the Rules, be liable for damage arising from failure to carry out any transactions (by the due date) if the damage was caused to the persons in connection with notification of the FIU of the suspicion of Money Laundering or Terrorist Financing in good faith, or for damage caused to a Customer or in connection with the cancellation of a Business Relationship. Fulfilment of the notification obligation by the Representative acting in good faith, and reporting the appropriate information shall not be deemed a breach of the confidentiality obligation imposed by the law or the contract, and no liability stemming from the legislation or the contract shall be imposed upon the person who has performed the notification obligation.

11. Implementation of International Sanctions

The Company shall comply with Estonian International Sanctions Act as well as other sanction regulations of the EU and the UN. The Company is also intended to comply also with partner countries' sanction acts (Sanctions administered by the UK Office of Financial Sanctions Implementation and sanctions administered by the US Office of Foreign Assets Control).

Representatives shall draw special attention to all its Customers (present and new), to the activities of the Customers and to the facts which refer to the possibility that the Customer is subject to International Sanctions. Control and verification of possibly imposed International Sanctions shall be conducted by the Representatives as part of due diligence measures applied to the Customers in accordance with these Rules.

The Representatives who have doubts or who know that a Customer is subject to International Sanctions shall immediately notify the Compliance Officer. The Compliance Officer shall be responsible for the implementation of International Sanctions. In case of doubt, if the Compliance Officer finds it appropriate, the Representative shall ask the Customer to provide additional information that may help to identify whether he/she is subject to International Sanctions or not.

If in the course of the check, it shall be detected that a Customer or a person who used to be a Customer is subject to International Sanctions, the Compliance Officer shall notify the Representatives who dealt with this Customer, the Management Board and FIU. The notification shall be submitted at least in the way that allows its reproduction in writing. The Customer who is subject to International Sanctions and about whom the notification is made, shall not be informed of the notification. Application of special measures and sanctions on the Customer who is detected to be subject to International Sanctions should be authorized by FIU. When making checks of Customer, the possible distorting factors in personal information (i.e. way of written reproduction of name etc.) must be kept in mind.

12. Training

The Company shall ensure that all Representatives who have contacts with Customers or matters involving Money Laundering are provided with regular training and information about the nature of the Money Laundering and Terrorist Financing risks, as well as any new trends within the field. The Compliance Officer shall arrange regular training concerning prevention of Money Laundering and Terrorist Financing to explain the respective requirements and obligations.

Initial training is provided at the start of Representatives employment. The Representatives who are communicating with the Customers directly may not start working before they have reviewed and committed to the adherence of these Rules or participated in the Money Laundering and Terrorist Financing prevention training.

Training is provided regularly, at least once a year, to all Representatives and other relevant designated staff of the Company. Training may be provided also using electronic means (conference calls, continuous email updates provided confirmation on receipt and acceptance is returned and similar means). Training materials and information shall be stored for at least 3 (three) years.

The Compliance Officer is required to pass Chainalysis KYT certification and training in order to (1) interpret indirect exposure with a risk-based approach (2) formulate policies and procedures based on the information provided by Chainalysis KYT and Reactor user interfaces (3) investigate greater than normal risk cases and users and communicate findings with Management Board through KYT user management tool.

13. Internal audit and conflict of interest

Compliance with the Rules shall be inspected at least once a year by the certified Internal auditor. If the inspection reveals any deficiencies in the Rules or their implementation, the report shall set out the measures to be applied to remedy the deficiencies, as well as the respective time schedule and the time of a follow-up inspection.

The requirements and legal bases for the activities of a certified internal auditor are set out in the Auditors Activities Act. The internal auditor shall not perform any duties which give rise to or may give rise to a conflict of interests.

The duties of the internal auditor are to check the compliance of the activities of the Company and its managers and employees with the legislation, precepts of the FIU, decisions of the management board, internal rules, agreements entered into by the Company and good practice.

The Сompany guarantees the internal auditor all the rights and working conditions necessary for the performance of his duties, including the right to receive explanations and information from the Сompany's managers and employees, and to monitor the elimination of identified deficiencies and compliance with the proposals made.

The internal auditor is obliged to immediately forward in writing to the Management Board and the FIU any information that has become known to the Company that indicates violations or damage to the interests of clients.

If a follow-up inspection is carried out, the results of the follow-up inspection shall be added to the inspection report, which shall state the list of measures to remedy any deficiencies discovered in the course of the follow-up inspection, and the time actually spent on remedying the same. The inspection report shall be presented to the Management Board which shall decide on taking measures to remedy any deficiencies discovered.

The rules have been prepared taking into account the principles of separation of functions and prevention of conflicts of interest, and procedures for the management and prevention of conflicts of interest have been established.

The Compliance Officer warrants that it is authorized to enter into the relationship with the Company and that its performance thereof will not conflict with any other agreement. The Company acknowledges and agrees that the services may only be used for lawful purposes. Transmission of any material in violation of any laws is prohibited. This includes, but is not limited to copyrighted material, material legally judged to be threatening or obscene, or material protected by trade secrets.

Signed: Alina Komarova

Job Title: Compliance officer

Date: 30 May 2022

ANNEX 1

List of SEPA countries

Andorra, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, San Marino, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom.

List of prohibited countries

Afghanistan, Albania, American Samoa, Anguilla, Antigua and Barbuda, Aruba, Algeria, Bahamas, Barbados, Bahrain, Bangladesh, Belarus, Bermuda, Bolivia (Plurinational State of), Burkina Faso, Burundi, Cambodia, Cayman Islands, Central African Republic, Congo (Democratic Republic of the), Cook Islands, Cuba, Egypt, Dominica, Fiji, Guam, Guinea, Guinea-Bissau, Haiti, Indonesia, Iran, Iraq, Jamaica, Jordan, Kuwait, Lebanon, Libya, Malaysia, Mali, Marshall Islands, Mauritania, Morocco, Myanmar, Nepal, Nigeria, Nicaragua, North Korea, Oman, Qatar, Saudi Arabia, Pakistan, State of Palestine, Panama, Philippines, Russia, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Samoa, Senegal, Somalia, Sri Lanka, South Sudan, Syrian Arab Republic, Trinidad and Tobago, Tunisia, Turks and Caicos Islands, Uganda, Vanuatu, Venezuela, Virgin Islands (British), Virgin Islands (U.S.), Yemen, Zimbabwe, Eritrea, Ethiopia, Madagascar, Mongolia, Mozambique, Niger, Sierra Leone, United Republic of Tanzania, Ukraine.