Anti-Money Laundering Policy

Applies to: All employees, officers, contractors, agents, and business Clients of Paykassma (hereinafter, the "Service Provider")

1. General Provisions

1.1. This Anti-Money Laundering and Security Policy (hereinafter, the "Policy") has been adopted by the Service Provider in order to establish a clear and effective framework for the detection, prevention, deterrence, and reporting of money laundering, terrorist financing, the financing of proliferation of weapons of mass destruction, and other illicit financial activities, as well as for the implementation of reasonable, proportionate, and effective information security safeguards.

1.2. This Policy outlines the internal rules, procedures, and control mechanisms adopted by the Service Provider to ensure full compliance with applicable legal, regulatory, and technical requirements, including but not limited to:

  • (a) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing ("4th AMLD"), as amended by Directive (EU) 2018/843 ("5th AMLD");
  • (b) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR");
  • (c) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market ("PSD2");
  • (d) Regulation (EU) 2015/847 on information accompanying transfers of funds;
  • (e) Relevant implementing legislation of EU Member States, as applicable to the Service Provider’s activities;
  • (f) Guidelines and recommendations of the European Banking Authority ("EBA"), the Financial Action Task Force ("FATF"), and national financial supervisory authorities;
  • (g) All applicable international sanctions regimes, including but not limited to those administered by the United Nations Security Council, the European Union, the United States Department of the Treasury's Office of Foreign Assets Control (OFAC), and the UK Office of Financial Sanctions Implementation (OFSI).

1.3. The provisions of this Policy are binding upon all employees, managers, executive officers, board members, agents, contractors, consultants, and any other individuals or entities performing services for or on behalf of the Service Provider (collectively referred to as "Representatives").

1.4. Each Representative must acknowledge in writing their understanding of, and commitment to adhere to, the requirements of this Policy. This acknowledgement shall be obtained during the onboarding process and shall be renewed on an annual basis or upon material updates to the Policy.

1.5. The objectives of this Policy are to: 

  • (a) Establish effective, risk-based systems and controls to prevent the Service Provider from being used, intentionally or unintentionally, for money laundering, terrorist financing, or the circumvention of international sanctions; 
  • (b) Set forth minimum standards for Client due diligence (CDD), ongoing monitoring, record-keeping, suspicious activity reporting, and cooperation with competent authorities; 
  • (c) Ensure that a culture of compliance, transparency, and accountability is embedded throughout the Service Provider’s operations; 
  • (d) Maintain and enforce high standards of cybersecurity, data integrity, and the confidentiality of all information processed by or stored within the Service Provider’s infrastructure.

1.6. This Policy is to be read in conjunction with the Service Provider’s Terms of Use, Privacy Policy, Cookie Policy, and any other internal or public-facing policies, guidelines, or operational procedures that may apply.

1.7. The Management Board of the Service Provider has adopted this Policy and retains overall responsibility for its implementation and effectiveness. The Compliance Officer ("CO") is designated as the individual responsible for the operational management, enforcement, and continuous improvement of the Policy.

1.8. This Policy may be updated or amended at the sole discretion of the Service Provider in accordance with changes in applicable laws, supervisory expectations, risk assessment results, or operational requirements. All Representatives will be notified of such updates, and the current version will be published on the Service Provider’s official website.

1.9. Failure to comply with the obligations set forth in this Policy may result in disciplinary measures, including termination of employment or engagement, and may lead to criminal or administrative liability, as provided under applicable law.

2. Definitions

2.1. "Money Laundering" refers to the conversion or transfer of property, knowing that such property is derived from criminal activity, for the purpose of concealing or disguising the illicit origin of the property or assisting any person involved in such activity to evade the legal consequences of their actions; the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of property; and the acquisition, possession, or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such activity.

2.2. "Terrorist Financing" means the provision or collection of funds, by any means, directly or indirectly, with the intention that they be used or in the knowledge that they are to be used, in whole or in part, for the purpose of carrying out terrorist acts within the meaning of Article 1 of Council Framework Decision 2002/475/JHA and subsequent amendments.

2.3. "Client" means any natural person or legal entity who enters into a business relationship with the Service Provider or who uses, or intends to use, the services of the Service Provider.

2.4. "Business Relationship" means a professional or commercial relationship which is connected with the professional activities of the Service Provider and which is expected, at the time when the contact is established, to have an element of duration.

2.5. "Transaction" refers to any act involving the movement of funds or value, including but not limited to a payment instruction, credit or debit transfer, cash movement, cryptocurrency transaction, or any other value exchange facilitated or monitored by the Service Provider.

2.6. "Beneficial Owner" refers to any natural person(s) who ultimately owns or controls the Client and/or the natural person(s) on whose behalf a transaction or activity is being conducted, in accordance with Article 3(6) of Directive (EU) 2015/849.

2.7. "Politically Exposed Person (PEP)" means a natural person who is or who has been entrusted with prominent public functions and includes immediate family members or persons known to be close associates of such persons, as defined in Article 3(9) of Directive (EU) 2015/849.

2.8. "Compliance Officer (CO)" refers to the individual appointed by the Management Board of the Service Provider and designated as responsible for AML/CTF compliance and coordination with competent authorities, including the relevant Financial Intelligence Unit (FIU).

2.9. "Sanctioned Person or Entity" means any natural or legal person who is subject to restrictive measures under any applicable sanctions regime, including but not limited to those imposed by the EU, UN, OFAC, or OFSI.

2.10. "High-Risk Jurisdiction" means a third country identified by the European Commission or FATF as having strategic deficiencies in its national AML/CTF regime that pose significant threats to the financial system.

2.11. "Suspicious Activity Report (SAR)" means a formal report made to the FIU concerning known or suspected instances of money laundering, terrorist financing, or other criminal conduct as observed or suspected by the Service Provider or its Representatives.

2.12. "Risk-Based Approach (RBA)" refers to the methodology by which the Service Provider assesses and mitigates the risk of money laundering, terrorist financing, and other financial crimes in proportion to the nature and scale of its operations.

2.13. "Data Subject" means a natural person whose personal data is processed by the Service Provider in the context of CDD, transaction monitoring, or regulatory compliance, as defined under GDPR Article 4.

2.14. "International Sanctions" means non-military measures imposed by international bodies such as the United Nations, European Union, or national governments, aimed at maintaining international peace and security, preventing terrorism, and upholding international law and human rights.

3. Description of Activities of the Service Provider

3.1. The Service Provider is a technology-based platform that provides business Clients (merchants, developers, platforms, aggregators, and other corporate users) with access to software solutions that facilitate integration with payment service providers (PSPs), acquiring banks, and local or global financial networks. The Service Provider enables merchants to route and manage online payment processing through a unified technological interface.

3.2. The Service Provider operates exclusively in a business-to-business (B2B) model and does not offer services to consumers or retail users directly. Its Clients are verified legal entities who are themselves subject to financial, regulatory, or licensing oversight in their own jurisdictions, or who engage in lawful commercial activities requiring digital payment services.

3.3. The Service Provider’s core services include, but are not limited to: 

  • (a) API-based integration of merchant websites or platforms with third-party payment processing infrastructure; 
  • (b) Technical support and maintenance for the hosted environment used by merchants to process financial transactions; 
  • (c) Configuration and automation of routing, payment flow optimization, and transaction tracking for settlement or reconciliation purposes; 
  • (d) Real-time analytics and reporting dashboards for transactional data insights; 
  • (e) Custom security configurations for Clients, including fraud prevention modules.

3.4. The Service Provider does not itself provide financial services, issue payment instruments, acquire funds, operate accounts, engage in money or value transfer services, or transmit fiat or virtual currency on behalf of end-users. The Service Provider is not a licensed payment institution or e-money institution under Directive (EU) 2015/2366 unless and until it obtains the necessary regulatory authorisation in the relevant Member State.

3.5. The Service Provider does not hold Client funds or customer balances and does not participate in the flow of monetary value between the Client and its end-user or counterparty. The Service Provider’s function is strictly limited to software enablement and back-end integration for digital payment flows.

3.6. As a matter of operational policy, the Service Provider maintains technological neutrality and does not interfere with or control the commercial terms between the Client and any third-party provider (e.g. PSP, acquirer, or bank).

3.7. The Service Provider shall, however, implement strict internal controls, monitoring procedures, and audit trails to detect and report any misuse of its platform for purposes contrary to applicable AML, CTF, or sanctions obligations.

3.8. Where applicable, the Service Provider shall cooperate with payment institutions, regulators, and law enforcement agencies in the prevention, investigation, and prosecution of financial crimes, subject to applicable data protection rules and legal privilege limitations.

3.9. The Service Provider may, in the future, expand its service scope to include additional compliance modules, transaction verification protocols, and KYB (Know Your Business) automation services, which shall be subject to separate risk assessments and, where applicable, additional licensing or registration obligations.

4. Compliance Officer

4.1. The Management Board (MB) of the Service Provider shall designate a qualified and competent individual to serve as the Compliance Officer ("CO"). The CO shall be responsible for the operational management and continuous improvement of the AML/CTF framework, including ensuring compliance with this Policy and all applicable legal and regulatory obligations.

4.2. The CO shall be appointed based on criteria that include professional integrity, relevant education, demonstrable experience in compliance, and sound understanding of applicable AML/CTF legislation, data protection rules (including GDPR), and financial crime typologies. The CO must not have any conflicts of interest in the performance of their duties and must be granted sufficient independence and authority to carry out their responsibilities effectively.

4.3. The principal duties and responsibilities of the CO shall include, but not be limited to: 

  • (a) Monitoring compliance by all Representatives with the provisions of this Policy, applicable laws, and regulatory guidelines; 
  • (b) Establishing, maintaining, and updating the Service Provider’s internal AML/CTF systems, policies, and procedures; 
  • (c) Acting as the principal point of contact between the Service Provider and relevant regulatory, supervisory, and law enforcement authorities, including the Financial Intelligence Unit (FIU); 
  • (d) Investigating and assessing reports of unusual, suspicious, or high-risk transactions and ensuring timely filing of Suspicious Activity Reports (SARs) in accordance with applicable law; 
  • (e) Reviewing and approving the onboarding of Clients falling within higher risk categories, including politically exposed persons (PEPs) and Clients from high-risk jurisdictions; 
  • (f) Maintaining an up-to-date understanding of the evolving AML/CTF landscape, and ensuring timely integration of applicable guidance or best practices into the Service Provider’s control environment; 
  • (g) Coordinating the periodic AML risk assessments of the Service Provider’s activities, clients, and service lines; 
  • (h) Organizing regular AML/CTF training sessions and awareness campaigns for Representatives; 
  • (i) Maintaining comprehensive and secure records of AML compliance activities, training logs, internal investigations, regulatory correspondence, and policy updates; 
  • (j) Reporting directly to the MB on a regular basis and immediately in case of material AML/CTF breaches or regulatory findings.

4.4. The CO shall have full and unrestricted access to all data, personnel, and systems required to fulfil their duties and shall be granted the necessary support, tools, and resources from the MB to ensure effective execution of their mandate.

4.5. In jurisdictions where regulatory notification or pre-approval is required for the appointment of a CO, such requirements shall be fully complied with prior to the CO formally assuming the role.

4.6. The CO may be supported by a compliance team or department whose members shall operate under the CO’s direction. In such cases, appropriate delegation protocols shall be established and documented.

4.7. In the event of a temporary or permanent vacancy in the CO position, the MB shall designate an interim officer with equivalent competencies to assume the responsibilities of the CO without delay.

4.8. The CO shall be evaluated at least annually by the MB based on objective performance criteria, including but not limited to the effectiveness of the AML program, regulatory inspection outcomes, responsiveness to emerging risks, and internal audit findings.

5. Application of Due Diligence Measures

5.1. The Service Provider shall establish, document, and maintain robust Client due diligence (CDD) procedures in line with the principles of a risk-based approach (RBA), as mandated by Directive (EU) 2015/849 (AMLD4), as amended, and other applicable regulations. CDD measures shall be proportionate to the nature, size, complexity, and risk profile of the Client, Transaction, and geographic exposure.

5.2. The objectives of applying CDD measures include: 

  • (a) Identifying and verifying the identity of the Client and any natural person purporting to act on their behalf; 
  • (b) Identifying and verifying the identity of the ultimate beneficial owner (UBO) where the Client is a legal entity; 
  • (c) Obtaining information on the purpose and intended nature of the business relationship; 
  • (d) Conducting ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship to ensure consistency with the Service Provider’s knowledge of the Client, its business and risk profile, and, where necessary, the source of funds.

5.3. The Service Provider shall apply CDD measures in the following instances: 

  • (a) When establishing a business relationship; 
  • (b) When carrying out occasional transactions that amount to EUR 15,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked; 
  • (c) When there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold; 
  • (d) When there are doubts about the veracity or adequacy of previously obtained Client identification data.

5.4. CDD shall comprise the following actions: 

  • (a) Identification of the Client and verification of the Client’s identity on the basis of documents, data or information obtained from a reliable and independent source; 
  • (b) Identification and verification of any person acting on behalf of the Client and verification of that person’s authority to act on behalf of the Client; 
  • (c) Identification and verification of the beneficial owner(s) of the Client, including clarification of the ownership and control structure of legal entities; 
  • (d) Obtaining information on the purpose and intended nature of the business relationship; 
  • (e) Conducting ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship.

5.5. Enhanced due diligence (EDD) measures shall be applied in situations that present a higher risk of money laundering or terrorist financing. These include but are not limited to: 

  • (a) Where the Client is a politically exposed person (PEP), a close associate, or a family member of a PEP; 
  • (b) Where the Client is established in or conducts significant business with a high-risk third country as identified by the European Commission or the FATF; 
  • (c) Where complex or unusually large transactions are observed, or transactions that have no apparent economic or lawful purpose; 
  • (d) Where the Client’s business or ownership structure is unusually complex or lacks transparency.

5.6. EDD measures may include, inter alia: 

  • (a) Obtaining additional information on the Client and beneficial owner(s); 
  • (b) Obtaining additional information on the intended nature of the business relationship; 
  • (c) Obtaining information on the source of funds and source of wealth of the Client and beneficial owner(s); 
  • (d) Obtaining the approval of senior management for establishing or continuing the business relationship; 
  • (e) Conducting enhanced ongoing monitoring of the business relationship.

5.7. The Service Provider shall apply simplified due diligence (SDD) measures only in strictly limited and justified circumstances as permitted under applicable EU law and where a lower risk of money laundering or terrorist financing has been clearly identified and documented. The decision to apply SDD must be approved by the CO and justified by a documented risk assessment.

5.8. The Service Provider shall take all reasonable steps to ensure that the documents, data, or information collected under this Section are kept up to date. CDD information shall be reviewed and, where necessary, updated: 

  • (a) At least annually for Clients assessed as high risk; 
  • (b) Upon material change in the Client’s business, ownership, or activities; 
  • (c) When new risk factors are identified; 
  • (d) At any time upon the CO’s request.

5.9. The Service Provider shall not establish or maintain a business relationship, nor carry out any transaction, where it is unable to comply with CDD requirements. In such cases, the matter shall be escalated to the CO for evaluation, and a decision will be made regarding the termination of the relationship and/or the filing of a SAR.

5.10. The Service Provider may rely on third parties to meet CDD requirements only to the extent permitted by Article 25 of Directive (EU) 2015/849 and subject to the conditions set forth therein, including obtaining immediately all relevant documentation, ensuring that the third party is subject to equivalent CDD and record-keeping obligations, and that the third party is supervised in accordance with applicable AML law.

5.11. All CDD procedures and decisions shall be documented in a manner that ensures a clear audit trail and accountability. Records shall be maintained in accordance with the requirements of Section 10 of this Policy.

6. Identification of a Person

6.1. The Service Provider shall ensure that identification and verification of natural persons and legal entities are conducted in accordance with Articles 13 to 15 of Directive (EU) 2015/849 and relevant national legislation, using a risk-based approach and reliable, independent source documentation.

6.2. The identification and verification process shall apply to: 

  • (a) Natural persons (individual Clients); 
  • (b) Legal entities (corporate Clients); 
  • (c) Representatives acting on behalf of a Client; 
  • (d) Ultimate Beneficial Owners (UBOs); 
  • (e) Politically Exposed Persons (PEPs) and their associates.

6.3. For natural persons, the following minimum information shall be obtained and recorded: 

  • (a) Full legal name, date of birth, nationality, and residential address; 
  • (b) Official personal identification number, or in the absence thereof, a unique identifier from a government-issued document; 
  • (c) Valid and current identification document issued by a competent authority, such as a passport, national ID card, or residence permit; 
  • (d) Details of occupation or business activity; 
  • (e) Purpose and intended nature of the business relationship.

6.4. For legal persons, the following information shall be obtained and recorded: 

  • (a) Full legal name, legal form, registration number, date of incorporation, registered office, and principal place of business; 
  • (b) Valid extract from a national company registry, or other reliable and independent documentation establishing legal existence; 
  • (c) Details of directors, senior managers, or legal representatives with authority to act on behalf of the entity; 
  • (d) Identification of all UBOs in accordance with the definition and thresholds under Article 3(6) of AMLD4; 
  • (e) Ownership and control structure, supported by organizational charts and declarations of beneficial ownership; 
  • (f) Information regarding the purpose and intended nature of the business relationship.

6.5. The identity of all UBOs must be verified using appropriate documentation and reasonable measures must be taken to understand the Client’s ownership and control structure. If, after having exhausted all possible means, no natural person is identified, the senior managing official(s) shall be recorded as UBOs.

6.6. Identification of a person acting on behalf of the Client shall include: 

  • (a) Verification of the representative’s identity using official documentation; 
  • (b) Verification of the representative’s authority to act on behalf of the Client, including notarized power of attorney or corporate resolution; 
  • (c) Confirmation that the representative is not subject to applicable sanctions or restrictions.

6.7. Identification of PEPs, their family members, and known close associates shall include: 

  • (a) Screening against relevant databases and public sources; 
  • (b) Obtaining the source of funds and source of wealth information; 
  • (c) Enhanced due diligence measures, including senior management approval for onboarding; 
  • (d) Ongoing enhanced monitoring of the business relationship.

6.8. Where electronic means of identification are used, they shall conform to Regulation (EU) No 910/2014 (eIDAS Regulation) and relevant national standards. Digital identification systems must be secure, independently verified, and recognized within the EU.

6.9. Where documentary evidence cannot be obtained in original form, copies must be certified by a competent authority (e.g. notary public) or verified via electronic authentication tools approved by national regulators. Any certifications must include the certifier’s full name, title, and date of certification.

6.10. Identification and verification procedures must be completed before any business relationship is formally established. Exceptionally, verification may be completed during the establishment phase only where: 

  • (a) It is necessary not to interrupt the normal conduct of business; 
  • (b) There is little risk of money laundering or terrorist financing; 
  • (c) Verification is completed as soon as reasonably practicable thereafter.

6.11. In the event of failure to complete identification or verification, the Service Provider shall refrain from establishing a business relationship or carrying out the transaction, and shall consider submitting a Suspicious Activity Report (SAR) to the competent FIU.

6.12. All identification data and documents collected shall be securely stored in accordance with Section 10 of this Policy, with restricted access granted only to authorized Representatives and in compliance with applicable data protection legislation.

7. Establishing the Purpose and Actual Substance of a Transaction

7.1. In order to mitigate the risk of the Service Provider being misused for illicit financial activity, it is essential that the purpose and actual substance of each transaction and business relationship be adequately understood and documented. This obligation extends to the initial onboarding phase and throughout the duration of the Client relationship.

7.2. At the outset of each business relationship, the Service Provider shall assess and record the economic rationale and legal justification for the Client’s use of the Service Provider’s infrastructure, taking into account: 

  • (a) The Client’s sector, nature of business, and usual transaction patterns; 
  • (b) The volume and frequency of anticipated transactions; 
  • (c) The geographic distribution of the Client’s counterparties and clients; 
  • (d) Any declared third-party relationships relevant to the expected transactions; 
  • (e) The source of funds and, where applicable, source of wealth of the Client.

7.3. The Service Provider shall ensure that any transaction conducted through its systems has a legitimate economic or lawful purpose. In case of doubt or if a transaction appears inconsistent with the stated purpose of the business relationship, the matter shall be escalated to the Compliance Officer (CO) for further investigation.

7.4. The Representative assigned to a Client shall, at a minimum: 

  • (a) Record the Client’s stated purpose for using the Service Provider’s services; 
  • (b) Verify that the proposed use case corresponds to the Client’s known line of business; 
  • (c) Assess whether the transaction profile is proportionate and reasonable given the Client’s financial capacity and business model; 
  • (d) Request supporting documentation or clarifications from the Client if necessary.

7.5. Particular scrutiny shall be applied to: 

  • (a) Clients with opaque or complex ownership structures without clear economic justification; 
  • (b) Clients from or dealing extensively with high-risk jurisdictions or offshore financial centres; 
  • (c) Transactions involving unusual routing patterns, inconsistent transaction volumes, or uncharacteristic spikes in activity; 
  • (d) Transactions involving large cash components or where the declared counterparties cannot be adequately identified.

7.6. Where the declared purpose or business model appears inconsistent with observed behavior, or where the Client fails or refuses to provide adequate clarification or documentation, the Service Provider shall: 

  • (a) Decline to process the transaction; 
  • (b) Suspend or terminate the business relationship, if necessary; 
  • (c) Submit a Suspicious Activity Report (SAR) to the relevant Financial Intelligence Unit (FIU) in accordance with Section 11 of this Policy.

7.7. The Service Provider shall maintain a clear record of the declared purpose and business profile of each Client, including the economic logic of their transactions, which shall be reviewed and updated: 

  • (a) Annually for high-risk Clients; 
  • (b) Upon material changes in business structure, geography, or operations; 
  • (c) Following any alert or event triggering enhanced due diligence.

7.8. Information collected and recorded in accordance with this Section shall form part of the Client’s profile and shall be subject to all applicable recordkeeping and data protection requirements under this Policy and relevant law.

7.9. The Service Provider may, at its discretion, adopt and implement automated transaction monitoring systems that utilize predefined rules and machine learning algorithms to detect discrepancies between a Client’s expected activity and actual behavior. Alerts generated by such systems shall be reviewed by the CO or a delegated compliance analyst.

8. Enhanced Due Diligence Measures

8.1. Enhanced Due Diligence (EDD) shall be applied in cases where a business relationship or transaction is determined to present a higher risk of money laundering, terrorist financing, or circumvention of international sanctions. The Service Provider shall document and justify each instance where EDD measures are applied, consistent with the requirements under Article 18 of Directive (EU) 2015/849.

8.2. EDD measures must be applied in the following circumstances, among others:

  • (a) Where the Client or beneficial owner is a Politically Exposed Person (PEP), a family member of a PEP, or a known close associate of a PEP; 
  • (b) Where the Client resides in, or is incorporated in, a high-risk third country identified by the European Commission or FATF; 
  • (c) Where transactions are unusually large or complex, or inconsistent with the Client’s known legitimate business activities; 
  • (d) Where the Client's ownership or control structure is opaque, unnecessarily complex, or appears to serve the purpose of concealing the true nature or ownership of assets; 
  • (e) Where the Client is a cash-intensive business or deals frequently in high-value goods; 
  • (f) Where there is reason to believe that the Client or related transactions may be associated with tax evasion, cybercrime, corruption, or other predicate offences.

8.3. EDD measures shall include, as appropriate: 

  • (a) Obtaining additional information on the Client and on the ultimate beneficial owner(s); 
  • (b) Obtaining additional information on the intended nature and purpose of the business relationship; 
  • (c) Obtaining additional information on the source of funds and source of wealth of the Client and beneficial owner(s); 
  • (d) Obtaining senior management approval for establishing or continuing the business relationship; 
  • (e) Conducting enhanced monitoring of the business relationship, including more frequent updates of CDD data and scrutiny of transactions.

8.4. Where the Client is determined to be a PEP, the Service Provider must: 

  • (a) Obtain approval from senior management before establishing or continuing the relationship; 
  • (b) Take reasonable measures to establish the source of wealth and source of funds; 
  • (c) Apply enhanced and continuous monitoring to the relationship, including review of media reports, legal filings, and public disclosures.

8.5. In cases involving cross-border correspondent relationships or similar arrangements with institutions located in high-risk jurisdictions, the Service Provider shall: 

  • (a) Gather sufficient information about the respondent institution to understand fully the nature of its business and to determine, from publicly available information, its reputation and the quality of its supervision; 
  • (b) Assess the respondent’s AML/CTF controls and whether they are adequate and effective; 
  • (c) Document the respective responsibilities of each institution and obtain approval from senior management before establishing such relationships.

8.6. The Service Provider may adopt technological tools for enhanced monitoring, including pattern recognition, anomaly detection, and advanced risk scoring algorithms, provided such tools are subject to validation and periodic review by the Compliance Officer or a qualified designee.

8.7. Where EDD is required, no business relationship shall commence, and no transaction shall be processed, until all EDD requirements have been fulfilled, unless the Compliance Officer determines that risk mitigation measures are adequate and has documented such justification.

8.8. The Service Provider shall maintain detailed records of all EDD actions taken, including the rationale for classification as high-risk, all additional information obtained, decisions of senior management, and results of enhanced monitoring. These records shall be made available to competent authorities upon request and retained for at least five (5) years after the termination of the business relationship.

8.9. The Service Provider shall regularly review and update its list of high-risk indicators and typologies in light of emerging threats, regulatory guidance, and internal case experience.

9. Risk Assessment

9.1. The Service Provider shall adopt a comprehensive risk-based approach (RBA) to assess and manage the risks of money laundering, terrorist financing, and related financial crimes. This approach shall be consistent with Articles 7 and 8 of Directive (EU) 2015/849 and relevant guidance issued by the European Banking Authority (EBA), the Financial Action Task Force (FATF), and competent national authorities.

9.2. The purpose of risk assessment is to enable the Service Provider to: 

  • (a) Identify and assess the specific risks inherent in its business activities, Clients, delivery channels, and geographic exposure; 
  • (b) Apply proportionate risk mitigation measures, including appropriate levels of due diligence, monitoring, and oversight; 
  • (c) Allocate resources effectively, ensuring higher scrutiny is applied where risks are elevated.

9.3. The Service Provider shall conduct and document an enterprise-wide risk assessment (EWRA) at least annually, or more frequently if material changes occur in the Service Provider’s operations, regulatory framework, or risk profile. The EWRA shall cover: 

  • (a) Product and service risks; 
  • (b) Client and customer-type risks; 
  • (c) Geographic and jurisdictional risks; 
  • (d) Distribution channel risks; 
  • (e) Transactional and behavioral risks; 
  • (f) Emerging threats (e.g., cybercrime, virtual assets, sanctions evasion).

9.4. A risk classification framework shall be developed to categorize Clients into risk levels (e.g., low, medium, high). This classification shall be based on: 

  • (a) Nature and purpose of the business relationship; 
  • (b) Client’s industry and business model; 
  • (c) Transparency of ownership structure; 
  • (d) PEP or sanctions status; 
  • (e) Jurisdiction of incorporation or operation; 
  • (f) Historical transaction behavior.

9.5. Risk ratings assigned to Clients shall be subject to periodic review. Clients classified as high-risk shall be reviewed at least annually and be subject to enhanced due diligence and transaction monitoring. Medium- and low-risk Clients shall be reviewed periodically in accordance with documented procedures.

9.6. The Compliance Officer shall be responsible for maintaining and updating the risk assessment methodology, validating its consistency with regulatory expectations, and reporting findings and recommendations to the Management Board.

9.7. All identified risks must be documented, and controls to mitigate each risk must be specified and implemented. These controls shall be proportionate, tested periodically, and revised as necessary to ensure ongoing effectiveness.

9.8. In addition to the EWRA, individual Client risk assessments shall be performed during onboarding and updated throughout the life of the relationship based on transactional activity, alerts, or changes in the Client’s risk indicators.

9.9. The Service Provider shall maintain a documented risk appetite statement approved by the Management Board, defining the level and types of risk the Service Provider is willing to accept in the course of business.

9.10. Where third-party providers or business partners introduce Clients or participate in operational processes, their associated risks shall be evaluated and integrated into the overall risk management framework.

9.11. Risk assessments, control strategies, and all related documentation shall be retained for at least five (5) years and made available to competent authorities upon request.

10. Registration and Storage of Data

10.1. The Service Provider shall ensure that all Client identification data, transactional records, due diligence documentation, and compliance-related data are properly recorded, secured, and retained in accordance with applicable legal requirements under Directive (EU) 2015/849, Regulation (EU) 2016/679 (GDPR), and national implementing legislation.

10.2. Data shall be recorded in a durable medium and stored in a format that allows timely retrieval and use by authorized personnel, including the Compliance Officer (CO), internal auditors, and regulators.

10.3. The following categories of data shall be recorded: 

  • (a) Identification and verification documents collected as part of Client due diligence (e.g., passports, corporate registry extracts, proof of address); 
  • (b) Ultimate Beneficial Ownership declarations and documentation; 
  • (c) Risk assessment results and scoring, including changes to risk categorization; 
  • (d) Internal approvals for onboarding, including high-risk Client approvals by senior management; 
  • (e) Records of transactions, including transaction values, timestamps, counterparty data, and any associated metadata; 
  • (f) Details of any alerts triggered through transaction monitoring systems, and records of the investigation and disposition of such alerts; 
  • (g) Any Suspicious Activity Reports (SARs) submitted to the Financial Intelligence Unit (FIU), including supporting documentation and internal analysis.

10.4. The following minimum retention periods shall apply: 

  • (a) Five (5) years following the termination of a business relationship for all CDD documentation, transactional data, and risk assessments; 
  • (b) Five (5) years from the date of a transaction for all one-off transaction data not associated with a business relationship; 
  • (c) Five (5) years for internal communications, approvals, and compliance logs related to AML/CTF obligations; 
  • (d) Five (5) years for any submitted SARs and associated files, beginning from the date of submission.

10.5. All data subject to retention requirements shall be securely protected against unauthorized access, loss, alteration, or destruction. The Service Provider shall implement: 

  • (a) Encryption of sensitive personal and transactional data in storage and in transit; 
  • (b) Access controls with role-based permissions and audit logging; 
  • (c) Redundancy and secure backup procedures; 
  • (d) Physical security controls for on-premises or third-party storage environments; 
  • (e) Periodic testing of the integrity and retrievability of stored records.

10.6. Data relating to Clients that are flagged for suspicious or prohibited activity shall be marked accordingly in internal systems and retained in a manner that ensures compliance with ongoing monitoring and reporting obligations. Records relating to such Clients must not be deleted from systems prior to the expiration of the relevant retention period.

10.7. Where applicable, pseudonymisation or anonymisation techniques may be employed, provided that the data remain retrievable and usable for AML/CTF, sanctions screening, or regulatory compliance purposes during the retention period.

10.8. Upon expiration of the mandatory retention period, the data shall be securely destroyed unless required to be retained under other legal or regulatory obligations (e.g., tax laws, contractual claims, court orders).

10.9. The Compliance Officer shall oversee data governance for AML/CTF purposes, including ensuring: 

  • (a) That retention policies are documented and applied consistently; 
  • (b) That periodic reviews are conducted to ensure records are complete and up-to-date; 
  • (c) That data minimization principles are respected to the extent possible without compromising AML/CTF objectives; 
  • (d) That all data handling practices comply with applicable data protection laws, including rights of data subjects under the GDPR.

10.10. All Representatives handling Client data must undergo training on data handling, recordkeeping obligations, and confidentiality requirements. Breaches of these obligations shall be subject to disciplinary measures and may be escalated to the Management Board.

10.11. The Service Provider shall cooperate fully with requests from competent supervisory authorities for access to AML-related records and shall ensure such data are made available without undue delay upon lawful request.

11. Reporting of Suspicious Transactions

11.1. The Service Provider is committed to the timely identification, escalation, and reporting of any suspicious activity that may indicate actual or attempted money laundering, terrorist financing, or other financial crimes.

11.2. All Representatives are under a continuing obligation to be alert to any circumstances that may give rise to suspicion and must promptly report any such observations to the Compliance Officer (CO). Failure to do so may constitute a breach of both internal policies and applicable law.

11.3. Suspicious Activity Reports (SARs) shall be submitted to the competent Financial Intelligence Unit (FIU) of the relevant EU Member State, in accordance with applicable AML legislation.

11.4. A transaction or attempted transaction may be considered suspicious if it involves: 

  • (a) Anomalous patterns or behavior that do not conform to the Client's known business model; 
  • (b) Unusually large or complex transactions without a clear lawful purpose; 
  • (c) Structuring or layering of transactions to evade detection or thresholds; 
  • (d) Clients from high-risk jurisdictions or those with sanctions exposure; 
  • (e) Unwillingness or failure by the Client to provide required information or documents; 
  • (f) Use of third parties or shell entities without legitimate justification; 
  • (g) Use of virtual assets in ways that obscure the origin or destination of funds.

11.5. The CO shall assess all internal reports of suspicious activity and, where deemed appropriate, prepare and submit a SAR. The CO must also: 

  • (a) Ensure timely and secure submission using the prescribed channels (e.g., goAML); 
  • (b) Retain a copy of the SAR, supporting documents, and internal correspondence; 
  • (c) Document the rationale for filing or not filing a SAR, even if no external report is made;
  • (d) Notify senior management when a SAR is submitted, without disclosing this fact to the Client or unauthorized persons.

11.6. No business relationship may be established, and no transaction may be executed, once suspicion arises, unless there is a compelling reason (e.g., preventing tipping-off, or safety concerns). In such cases, the CO shall assess the necessity of proceeding and submit the SAR immediately thereafter.

11.7. It is strictly prohibited to disclose to the Client or any third party that a SAR has been submitted or that an investigation is ongoing. This prohibition on “tipping-off” is enshrined in AMLD4 and national law and applies to all Representatives.

11.8. If a Client or transaction has previously been the subject of a SAR, any further activity shall be scrutinized with heightened vigilance and reported if new suspicious indicators arise. Access to such Client files shall be restricted to designated personnel.

11.9. The CO shall maintain a secure SAR register, documenting: 

  • (a) The internal report reference; 
  • (b) The date and time of receipt; 
  • (c) Actions taken, including external reporting; 
  • (d) Persons involved in the review and decision process; 
  • (e) Whether a response or further inquiry was received from the FIU.

11.10. All SAR-related records must be retained for at least five (5) years from the date of submission or from the conclusion of any related investigation or proceedings, whichever is later. Access to these records shall be strictly limited to authorized personnel only.

11.11. The Management Board shall support the CO in ensuring that reporting obligations are fulfilled without delay, resources are allocated, and independence is preserved to handle all AML/CTF alerts impartially and effectively.

12. Implementation of International Sanctions

12.1. The Service Provider shall ensure full compliance with international, regional, and national sanctions regimes, including but not limited to sanctions adopted by the European Union, the United Nations Security Council, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), and other applicable authorities.

12.2. All Representatives shall be trained and required to identify, report, and respond appropriately to any actual or potential sanctions risks encountered in the course of their duties.

12.3. Sanctions screening shall be conducted: 

  • (a) During the onboarding process for all Clients and beneficial owners; 
  • (b) On a periodic basis throughout the business relationship; 
  • (c) Prior to the execution of any transaction where sanctions risk is identified; 
  • (d) Immediately upon notification of any updates to sanctions lists.

12.4. The Compliance Officer (CO) shall be responsible for: 

  • (a) Maintaining access to up-to-date sanctions lists from all relevant authorities; 
  • (b) Ensuring automated and manual sanctions screening tools are in place and effective; 
  • (c) Performing secondary verification of any matches or potential matches flagged by screening systems; 
  • (d) Notifying competent authorities immediately upon detection of a confirmed or suspected match; 
  • (e) Ensuring that no funds, goods, or services are made available, directly or indirectly, to or for the benefit of any designated party.

12.5. In the event of a positive match or suspicion that a Client, counterparty, or transaction may be subject to international sanctions: 

  • (a) The transaction shall be immediately suspended pending further investigation; 
  • (b) The CO shall escalate the case to the Management Board and appropriate authorities; 
  • (c) A report shall be filed with the competent sanctions enforcement body as required by law;
  • (d) The Client shall not be informed of the investigation or reporting (in accordance with anti-tipping-off provisions).

12.6. The Service Provider shall implement internal controls to mitigate sanctions risk, including: 

  • (a) Real-time and batch screening systems integrated into Client onboarding and payment processing platforms; 
  • (b) Mandatory pre-transaction screening for all outbound and inbound payments; 
  • (c) Alert resolution procedures and workflow documentation; 
  • (d) Escalation pathways to the CO and the Management Board.

12.7. The CO shall maintain comprehensive records of: 

  • (a) All sanctions screening activity and matches (confirmed or false positive); 
  • (b) All communications with enforcement authorities and regulators; 
  • (c) All decisions taken by the Service Provider concerning sanctions exposure and related Client actions.

12.8. The CO shall conduct periodic testing of the sanctions compliance program and screening tools, including validation of the accuracy, completeness, and timeliness of sanctions list updates.

12.9. Sanctions compliance shall be incorporated into the enterprise-wide risk assessment and updated at least annually. Risk appetite with respect to sanctioned jurisdictions, sectors, or persons shall be clearly documented.

12.10. Training on sanctions compliance shall be mandatory for all employees and tailored for high-risk roles. Such training must be delivered at least annually and upon material changes to applicable laws or policies.

12.11. Any breach or potential breach of sanctions obligations shall be treated as a serious compliance incident and shall be subject to internal investigation, possible disciplinary action, and reporting to the competent authorities.

12.12. The Management Board shall provide adequate resources and authority to ensure the effectiveness and independence of the sanctions compliance function and shall review the sanctions program at least annually.

13. Training

13.1. The Service Provider shall ensure that all Representatives involved in the development, delivery, oversight, or support of any service, including those with Client-facing, compliance, IT security, or transactional roles, receive mandatory training on Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), sanctions compliance, and information security.

13.2. The training program shall be approved by the Compliance Officer (CO) and reviewed periodically for relevance, regulatory alignment, and practical application. Training shall reflect the latest legislative and regulatory changes, typologies, and emerging risks, including developments in virtual assets and cyber-enabled crime.

13.3. Mandatory training sessions shall be conducted: 

  • (a) Upon commencement of employment or engagement; 
  • (b) At least annually for all staff; 
  • (c) Upon promotion or transition into a compliance-sensitive role; 
  • (d) When material changes to applicable legislation, internal procedures, or risk assessments occur.

13.4. The training curriculum shall include, at a minimum: 

  • (a) Understanding of AML/CTF risks, obligations, and regulatory frameworks (e.g., AMLD4, AMLD5, FATF Recommendations); 
  • (b) Identification and reporting of suspicious transactions; 
  • (c) Recognition and handling of Politically Exposed Persons (PEPs), beneficial owners, and high-risk jurisdictions; 
  • (d) Sanctions awareness and avoidance of transactions with designated individuals or entities; 
  • (e) Data protection principles and confidentiality obligations, including GDPR compliance;
  • (f) Proper recordkeeping, document retention, and audit trail requirements; 
  • (g) Internal reporting lines and escalation protocols.

13.5. Tailored training shall be delivered to specific teams based on role sensitivity and risk exposure, including but not limited to: 

  • (a) Senior management and board members; 
  • (b) Customer support and onboarding agents; 
  • (c) Developers of onboarding and transaction systems; 
  • (d) The Compliance Department and Internal Audit.

13.6. Training shall be delivered using a mix of methods including in-person seminars, e-learning modules, written materials, interactive sessions, and compliance briefings. All participants must confirm completion through signed acknowledgment or automated tracking systems.

13.7. The CO shall maintain comprehensive records of all training activities, including: 

  • (a) Dates and duration of training sessions; 
  • (b) Names and roles of participants; 
  • (c) Content covered and version control for materials used; 
  • (d) Completion rates and assessment scores, where applicable.

13.8. Failure to complete required training may result in temporary suspension from sensitive duties or access to restricted systems until such time as training is completed. Repeated non-compliance may be escalated to the Management Board for disciplinary action.

13.9. The CO shall conduct periodic evaluations to assess the effectiveness of the training program, identify knowledge gaps, and implement continuous improvements.

13.10. The Service Provider shall ensure that training content and delivery are capable of withstanding scrutiny by external auditors, regulators, and supervisory authorities, and that all personnel understand their individual accountability within the broader compliance framework.

14. Internal Audit and Amendment of the Rules

14.1. The Service Provider shall conduct periodic internal audits of its AML/CTF and security framework to ensure the effectiveness, integrity, and adequacy of the policies and procedures established under this Policy. Internal audits shall be conducted at least annually, or more frequently if required due to regulatory updates, risk assessment results, or supervisory feedback.

14.2. The Compliance Officer (CO), in coordination with the Internal Audit function (if separate), shall: 

  • (a) Define the scope and methodology of the audit in accordance with the Service Provider’s risk profile; 
  • (b) Evaluate the adequacy of controls, training programs, reporting mechanisms, and monitoring systems; 
  • (c) Review the application and enforcement of Client due diligence (CDD), enhanced due diligence (EDD), and transaction monitoring processes; 
  • (d) Identify control gaps, procedural violations, and emerging compliance risks; 
  • (e) Issue written reports to the Management Board detailing findings, recommendations, corrective measures, and implementation timelines.

14.3. The results of internal audits shall be formally reviewed and discussed by the Management Board. Any deficiencies shall be prioritized for remediation in accordance with the risk level and materiality of the findings.

14.4. The CO shall follow up on the implementation of corrective actions and ensure that appropriate measures are taken within the defined deadlines. The effectiveness of these actions shall be tested in subsequent audits.

14.5. The internal audit report shall include: 

  • (a) Time, location, and scope of the audit; 
  • (b) Names and roles of auditors or reviewers; 
  • (c) Summary of reviewed documentation and systems; 
  • (d) Observations, identified non-compliance issues, and risk implications; 
  • (e) Proposed recommendations and management responses; 
  • (f) Completion status of previous audit findings.

14.6. The Service Provider shall update this Policy and related procedures: 

  • (a) Immediately upon the enactment of relevant changes in applicable EU regulations, directives, or national laws; 
  • (b) Following significant changes in the Service Provider’s business operations, services, or organizational structure; 
  • (c) In response to findings or recommendations made by internal or external audits, or regulatory inspections.

14.7. Amendments to this Policy may be proposed by the CO and must be reviewed and approved by the Management Board. A log of all policy changes, including dates, reasons, and authorizations, shall be maintained by the CO.

14.8. All Representatives shall be notified of material amendments to the Policy. Where applicable, updated training shall be provided to ensure proper understanding and implementation of the changes.

14.9. The latest version of this Policy shall be published internally and, where necessary, externally (e.g., website disclosures), with a clear version history and effective date. Archived versions shall be retained for a minimum of five (5) years.

15. Liability and Legal Protection

15.1. The Service Provider and its employees, contractors, officers, agents, and representatives shall not be held liable for any direct or indirect damages resulting from the good faith execution of duties under this Policy, including but not limited to refusal to carry out a transaction, termination of a business relationship, or reporting a Client to the competent authority.

15.2. No Representative shall suffer any legal, civil, administrative, or disciplinary liability for breach of any restriction on the disclosure of information imposed by contract or legislative, regulatory, or administrative provisions if such disclosure is made in good faith in accordance with this Policy and applicable AML/CTF legislation.

15.3. Where a Representative, in the course of duty, identifies and reports a suspicious transaction or Client, and acts in good faith, the Service Provider shall ensure full support, legal protection, and indemnification against any claims arising from such actions, except where gross negligence or willful misconduct is proven.

15.4. The Service Provider shall maintain adequate professional indemnity insurance coverage or equivalent legal safeguards to protect its employees and operations from liability associated with AML/CTF obligations.

15.5. The Service Provider reserves the right to take immediate action, including termination of business relationships, suspension of services, or refusal of transactions, when there is a reasonable suspicion of criminal activity, regulatory non-compliance, or reputational risk. Such actions may be taken without prior notice where permitted by law.

15.6. In the event of legal disputes arising from AML/CTF controls or enforcement actions: 

  • (a) The Service Provider shall cooperate fully with relevant authorities and regulatory bodies; 
  • (b) All documentation, including due diligence records, internal decisions, and communications related to the case, shall be made available to authorized entities as required by law; 
  • (c) Legal counsel shall be consulted immediately to mitigate legal, financial, or reputational risk.

15.7. Clients are responsible for the accuracy, completeness, and timeliness of the information and documentation provided to the Service Provider. Any misrepresentation, withholding of material facts, or failure to comply with verification requests may result in refusal of service and reporting to authorities.

15.8. By engaging with the Service Provider, Clients acknowledge and agree that all AML/CTF, data processing, and security measures implemented under this Policy are lawful, proportionate, and mandatory under applicable European Union legislation, and do not constitute grounds for legal claims against the Service Provider or its Representatives.

16. Final Provisions

16.1. This Policy shall be read in conjunction with all applicable laws and regulations of the European Union, including but not limited to:

  • Directive (EU) 2015/849 (4th AML Directive) as amended by Directive (EU) 2018/843 (5th AML Directive);
  • Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR);
  • Relevant implementing laws of the EU Member State where the Service Provider operates.

16.2. In the event of any inconsistency between this Policy and applicable legislation, the latter shall prevail. However, where this Policy establishes stricter standards, such provisions shall apply unless contrary to law.

16.3. If any provision of this Policy is found to be invalid, illegal, or unenforceable, such provision shall be deemed severable and shall not affect the validity or enforceability of the remaining provisions.

16.4. This Policy shall be reviewed at least annually and updated as necessary to reflect changes in laws, regulations, business practices, or identified risks. Updates shall be communicated in a timely manner to all affected personnel.

16.5. The Management Board retains final authority over the interpretation, implementation, and enforcement of this Policy.

16.6. Questions or concerns regarding this Policy or its application shall be directed to the Compliance Officer via internal communication channels or through secure email to [email protected] 

16.7. This Policy is issued in English and may be translated into other languages for convenience. In case of discrepancies, the English version shall prevail.