AML — Nibble Finance

AML

INTERNAL RULES AND PROCEDURES FOR THE PREVENTION OF MONEY LAUNDERING AND TERRORISM FINANCING AND FOR THE APPLICATION OF INTERNATIONAL SANCTIONS

These Internal Rules and Procedures for the Prevention of Money Laundering and Terrorism Financing and for the Application of International Sanctions (hereinafter referred to as the “Rules”) were prepared in accordance with the Directive 2018/843 of the EU and the EBA Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions under Articles 17 and 18(4) of Directive (EU) 2015/849 (hereinafter referred to as the “ML/TF Risk Factors Guidelines”), the Money Laundering and Terrorist Financing Prevention Act (hereinafter referred to as “MLTFPA”), the International Sanctions Act (hereinafter referred to as “ISA”), and the Guidelines issued by the Financial Intelligence Unit (hereinafter referred to as “FIU”) and Financial Supervision Authority (hereinafter referred to as “Finantsinspektsioon”).

1. OVERVIEW AND GENERAL PROVISIONS

1.1. The present Rules set out the internal rules and procedures implemented at OÜ Nibble itsf, a private limited company registered pursuant to the laws of Estonia with registration number 14831029 and having its registered address at Harju maakond, Tallinn, Kristiine linnaosa, Kotkapoja tn 2a-10, Estonia 10615 (hereinafter referred to as the “Company”), for the purposes of compliance with the applicable regulatory requirements in the sphere of prevention of money laundering and terrorist financing, and the application of international sanctions.

1.2. The present Rules regulate and establish the following:

1.2.1. the general principles of assessment, management and reduction of risks associated with money laundering and financing of terrorism and the application of international financial sanctions;

1.2.2. the procedure for applying customer due diligence measures in respect of the customer, including the procedure for applying simplified or enhanced customer due diligence measures;

1.2.3. a model for identification and management of risks relating to a customer and its activities and the determination of the customer’s risk profile;

1.2.4. the methodology and instructions where the Company has a suspicion of money laundering and terrorist financing or an unusual transaction or circumstance is involved as well as instructions for performing the reporting obligation;

1.2.5. the procedure for data retention and making data available;

1.2.6. instructions for effectively identifying whether a person is a politically exposed person or a local politically exposed person subject to international sanctions or a person whose place of residence or seat is in a high-risk third country or country that meets the criteria specified in subsection 4 of § 37 of MLTFPA;

1.2.7. the procedure for identification and management of risks relating to new and existing technologies, and services and products, including new or non-traditional sales channels and new or emerging technologies.

1.3. The provisions of these Rules apply to all transactions and business relations with customers, including the transactions concluded through agents, if any.

1.4. The Management Board (hereinafter referred to as the “Board”) of the Company must ensure that sufficient resources are allocated in order to ensure compliance with anti-money laundering (hereinafter referred to as “AML”) and counter-terrorist financing (hereinafter referred to as “CTF”) requirements established by the applicable laws and regulations as well as these Rules.

1.5. Obligations of Members of the Board and Employees to Familiarize Themselves with these Rules: The members of the Board of the Company, as well as all employees of the Company are obliged to fully familiarize themselves with the provisions of these Rules prior to accepting the job with the Company as well as on an annual basis (by way of recap) and when amendments have been introduced thereto.

1.6. Members of the Board and Employees’ AML/CTF Training: Members of the Board and employees of the Company are required to know and strictly adhere to the provisions of the MLTFPA and other applicable laws and regulations in the sphere of AML/CTF, including the guidelines issued by the FIU and Finantsinspektsioon. To this end, the Company shall organize training for all members of the Board and employees on a regular basis (annually) as well as if and when necessary, including where there have been amendments introduced to the applicable AML/CTF rules and regulations and these Rules. Additionally, the members of the Board and employees of the Company should independently familiarize themselves with the laws and regulations published on the official website of Finantsinspektsioon here and FIU’s website here at least once a year.

1.7. Regular review and update of these Rules: The present Rules shall be updated on a regular basis, but in any event not later than once a year, and/or as necessary to ensure compliance with the applicable AML/CTF laws and regulations in case any amendments are introduced thereto.

2. DEFINITIONS

2.1. Money laundering means:

2.1.1. the conversion or transfer of property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions;

2.1.2. the acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein;

2.1.3. the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such an activity;

2.1.4. the participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counseling the commission of any of the activities referred to in clauses 2.1.1.-2.1.3. above.

2.2. Terrorist financing means the provision of funds or any kind of financial support to a terrorist organization, any of its members, or any person whose activities are aimed at committing an act of terrorism (as defined under § 237 of the Estonian Penal Code), collecting funds or making the means for that available.

2.3. Financial Intelligence Unit (hereinafter referred to as “FIU”) means an independent government agency under the jurisdiction of the Ministry of Finance charged with oversight within the area of prevention of money laundering and terrorist financing, as well as implementation of financial sanctions. In particular, FIU analyses and verifies information about suspicions of money laundering or terrorist financing, taking measures for preservation of property where necessary and immediately forwarding materials to the competent authorities upon detection of elements of a criminal offence.

2.4. Business relationship means a relationship that is established between a customer and the Company upon conclusion of a user contract with the Company in the course of its economic or professional activities for the purpose of provision of a service.

2.5. Customer means any natural or legal person who is using or has used the services provided by the Company, regardless of whether such person already has a business relationship established with the Company;

2.6. Beneficial owner means a natural person who, taking advantage of their influence, makes a transaction, act, action, operation or step or otherwise exercises control over a transaction, act, action, operation or step or over another person and in whose interests or favour or on whose account a transaction or act, action, operation or step is made.

In the case of legal persons a beneficial owner is a natural person who ultimately owns or controls such a legal person through direct ownership or indirect ownership of 25% plus one share or ownership interest of more than 25% in a legal person of the shares or voting rights or ownership interest.

Direct ownership is a manner of exercising control whereby a natural person directly holds a shareholding of 25% plus one share or an ownership interest of more than 25% in a company. Indirect ownership is a manner of exercising control whereby a company which is under the control of a natural person holds or multiple companies which are under the control of the same natural person hold a shareholding of 25% plus one share or an ownership interest of more than 25% in a company.

Where, after all possible means of identification have been exhausted, it is not possible to identify a beneficial owner, the natural person who holds the position of a senior managing official is deemed to be the beneficial owner. Where there are several senior managing officials, several senior management bodies or where another legal person holds shares in a company via one or several persons or chains of persons, the person(s) who exercise(s) actual control over the company and make(s) strategic decisions in the company or, upon absence of such persons, perform(s) day-to-day and regular management is (are) considered the beneficial owner(s).

2.7. Politically exposed person (hereinafter referred to as “PEP”) means a natural person who is or who has been entrusted with prominent public functions including a head of State, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d'affaires and a high-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a State-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organisation, except middle-ranking or more junior officials;

2.8. Local politically exposed person (hereinafter referred to as “Local PEP”) means a PEP who is or who has been entrusted with prominent public functions in Estonia, another contracting state of the European Economic Area or an institution of the European Union;

2.9. Family member means the spouse, or a person considered to be equivalent to a spouse, of a PEP or Local PEP; a child and their spouse, or a person considered to be equivalent to a spouse, of a PEP or Local PEP; a parent of a PEP or Local PEP;

2.10. Person known to be close associate means a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a PEP or Local PEP; and a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a PEP or Local PEP;

2.11. Senior management of the Company means an officer or employee with sufficient knowledge of the Company’s money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the Board;

2.12. Group means a group of undertakings which consists of a parent undertaking, its subsidiaries within the meaning of § 6 of the Commercial Code of Estonia, and the entities in which the parent undertaking or its subsidiaries hold a participation, as well as undertakings that constitute a consolidation group for the purposes of subsection 3 of § 27 of the Accounting Act of Estonia;

2.13. High-risk third country means a country or jurisdiction where, according to reliable sources such as mutual evaluations, reports or published follow-up reports, there is no effective system for the prevention of money laundering and terrorist financing as specified by:

  • The Commission Delegated Regulation (EU) 2016/1675 adopted on the basis of Article 9(2) of Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. The list of high-risk third countries is available here.
  • The Financial Action Task Force (hereinafter referred to as “FATF”). The list of countries designated by FATF as high-risk countries is disclosed here.

2.14. Low tax rate territory means the territory on which the tax liability applies at the lowest rate or does not apply at all. There is no official list of countries that are considered low tax rate territories. When determining which jurisdictions constitute low tax rate territories, guidance can be sought from the Decree no. 55 of the Minister of Finance «List of Territories That Are Not Considered Low Tax Rate Territories», adopted on 18.12.2014.

2.15. Reliable source, inter alia, means the data available in the relevant State registries or the documents issued by State institutions. With regards to document assessment, the main criteria of reliability are as follows:

2.15.1. whether or not the document is an original copy;

2.15.2. if a copy of the original — whether or not the document has been certified by the notary;

2.15.3. the time and/or place of the document’s issue or preparation.

In order to identify or to verify a beneficial owner(s) under the transaction, electronic web-based or other public sources may be used.

2.16. Compliance officer means the employee of the Company appointed by the Board to be the responsible person for the purposes of compliance with the prevention of money laundering and terrorist financing rules and regulations as well as the contact person at FIU. The compliance officer of the Company is also in charge of imposing international financial sanctions. If a compliance officer is not appointed by the decision of the Board, the duties of the compliance officer shall be performed by the designated member of the Board.

2.17. International sanctions means measures which are not related to the use of armed forces and the imposition thereof has been decided by the European Union, the United Nations, another international organization or the Government of the Republic of Estonia to achieve the following objectives: to maintain or restore peace, prevent conflicts and restore international security, support and reinforce democracy, follow the rule of law, human rights and international law and achieve other objectives of the common foreign and security policy of the European Union.

2.18. Subject of international sanctions means a state, a territory, a territorial unit, a regime, an organization, an association or a group against whom the measures prescribed by the act on the imposition of international sanctions are introduced and implemented; also a natural or legal person, an agency, a civil law partnership or any other entity which is directly specified in the act on the imposition or implementation of international sanctions and with regard to whom the measures prescribed therein are taken.

3. EXCEPTIONS FROM THE CUSTOMER PROFILE

3.1. The Company shall not establish business relationships and shall refuse to provide services to persons having the following characteristics:

3.1.1. Anonymous and fictitious persons;

3.1.2. Shadow banks and credit and financial institutions that enable shadow banks to use their services;

3.1.3. Partnerships, trusts, and the providers of trust management services.

3.2. The Company does not provide services outside the business relationships established with its customers.

3.3. The Company does not conclude user agreements with anonymous customers nor does it make decisions to open anonymous accounts.

4. DETERMINING THE RISK PROFILE OF CUSTOMERS

4.1. These Rules provide for a different procedure when establishing business relationships or making a transaction in case of different risk profiles. Generally, there are three categories of customers on the basis of their risk profile:

4.1.1. Low risk – an employee may establish a business relationship and make a transaction immediately.

4.1.2. Average risk – an employee must analyse whether or not it is required to apply additional due diligence measures, and if there is no need for that, he or she may establish a business relationship or make a transaction. In the event of the emergence of the need to apply additional due diligence measures, an employee must apply additional due diligence measures and, based on the result thereof, decide whether or not a business relationship may be established, and whether or not a transaction may be concluded.

4.1.3. High risk – if a customer or a transaction has a «high» risk profile, before carrying out a transaction, enhanced due diligence measures should be applied, including obtaining an authorization from the Board of the Company for establishing a business relationship or making a transaction.

4.2. Each customer is assigned a risk category on the basis of the Risk Assessment Policy prepared by the Company and contained in a separate document.

5. PROCEDURE FOR THE APPLICATION OF DUE DILIGENCE MEASURES

5.1. When providing a service to the customers, the employees of the Company shall apply the following due diligence measures:

5.1.1. Identification of a customer or a person participating in a transaction on the basis of the documents and data submitted by him or her based on information obtained from a reliable and independent source, including using means of electronic identification and of trust services for electronic transactions;

5.1.2. Identification and verification of a representative of a natural or a legal person and their right of representation;

5.1.3. Identification of the beneficial owner and, for the purpose of verifying their identity, taking measures to the extent that allows the Company to make certain that it knows who the beneficial owner is, and understands the ownership and control structure of the customer;

5.1.4. Understanding the purpose of the business relationship or the purpose of the transaction, identifying, inter alia, the permanent seat, place of business or place of residence, profession or field of activity, main contracting partners, payment habits, and, in the case of a legal person, also the experience of the customer;

5.1.5. Gathering information on whether a person is a PEP or a Local PEP, their family member or a person known to be a close associate;

5.1.6. Monitoring of a business relationship;

5.1.7. In the relevant case, gathering information about the origin of the wealth of the customer.

5.2. The responsible employee of the Company shall apply due diligence measures listed in clauses 5.1.1-5.1.5 above at least in the following cases:

5.2.1. upon the establishment of business relationships;

5.2.2. upon the occurrence of occasional transactions where a transaction with a value at least equal to 15,000 EUR or an equivalent sum in another currency is made, regardless of whether the financial obligation is performed in the transaction in a lump sum or in several related payments over a period of up to 1 (one) year, unless otherwise provided by law;

5.2.3. upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided for in the MLTFPA;

5.2.4. when there is doubt as to the sufficiency or truthfulness of documents or data previously gathered in the course of identification of a person, verification of submitted information or updating the relevant details.

5.3. The due diligence measures listed in clauses 5.1.1.-5.1.5. above must be applied before the conclusion of the transaction, and prior to the establishment of a business relationship with a customer. The identity of a customer or of the customer’s representative may be verified on the basis of information obtained from a credible and independent source also at the time of establishment of the business relationship, provided that it is necessary for not disturbing the ordinary course of business. In such an event the verification of identity must be carried out as quickly as possible and before the taking of binding measures.

5.4. The Company applies all the due diligence measures specified in clauses 5.1.1. — 5.1.6. above with regard to the customer, but determines the scope and exact manner of their application and the need specified in clause 5.1.7. based on previously assessed risks of money laundering and terrorist financing or those relating to a specific business relationship or to a specific person.

6. THE USE OF INFORMATION TECHNOLOGY MEANS FOR THE PURPOSES OF IDENTIFICATION AND VERIFICATION OF IDENTITY OF CUSTOMERS

6.1. The Company must carry out the requisite identification and verification of identity with the help of information technology means where:

6.1.1. The total amount of payments made by a natural person being the resident of the European Economic Area within one calendar month exceeds 15,000 EUR;

6.1.2. The total amount of payments made by a legal person being the resident of the European Economic Area within one calendar month exceeds 25,000 EUR;

6.1.3. A person that comes from a country outside of the European Economic Area, or whose place of residence or seat is outside of the countries of the European Economic Area;

6.1.4. Due diligence measures are applied in relation to a person or their representative while not being physically present at the same place as such person or representative.

6.2. When carrying out identification by information technology means, the Company shall proceed from the decree «Requirements and Procedure for Identification of Persons and Verification of Person’s Identity Data with Information Technology Means» of the Minister of Finance.

7. DOCUMENTS OBTAINED IN FOREIGN COUNTRIES

7.1. The Company accepts certified copies of documents, whose certifier has been entered into the relevant list of officials from foreign countries accepted by the Republic of Estonia «A List of Officials of Foreign States Whose Power of Attorney Authenticated or Certified by Them is Equal to a Power of Attorney Authenticated by an Estonian Notary».

8. ESTABLISHING THE IDENTITY OF A NATURAL PERSON UPON THE ESTABLISHMENT OF A BUSINESS RELATIONSHIP

8.1. When establishing the identity of a natural person, and, where relevant, their representative the following shall be ascertained:

8.1.1. First name and surname;

8.1.2. Personal identification code or, where none, the date and place of birth;

8.1.3. Place of residence or seat;

8.1.4. Information on the identification and verification of the right of representation and scope thereof and, where the right of representation does not arise from law, the name of the document serving as the basis for the right of representation, the date of issue, and the name of the issuer;

8.1.5. Means of communication, including at least phone number and email;

8.1.6. Activity profile;

8.1.7. Profession and field of activity;

8.1.8. Purpose and nature of establishment of business relationship;

8.1.9. A beneficial owner, if there is a need for such.

8.2. The establishment and verification of identity of a natural person is carried out by a responsible employee on the basis of an identity document. The responsible employee shall put down the data in writing on the basis of a questionnaire, and the person must sign the document in order to confirm the correctness of the data.

8.3. Documents that can be used for identification purposes:

8.3.1. An identity document;

8.3.2. A digital identity document;

8.3.3. A residence permit;

8.3.4. An Estonian passport;

8.3.5. A diplomatic passport;

8.3.6. A seafarer's discharge book;

8.3.7. An alien passport;

8.3.8. A temporary travel document;

8.3.9. A refugee’s travel document;

8.3.10. A certificate of record of service on Estonian ships;

8.3.11. A certificate of return;

8.3.12. A permit for return;

8.3.13. A valid travel document issued in a foreign state;

8.3.14. A driving licence that has a name of the user, his or her photo or face image, signature, or a signature image, and a date of birth or a personal identification number on it.

8.4. If the original document specified in clause 8.3. above cannot be produced by the customer, a notarized copy of the document and also notarized or officially certified copy of the document or the information from other independent and reliable sources, including the means of electronic identification and through electronic transactions can be used in order to verify the identity, thereby using at least two different sources for the purposes of data verification in such cases.

8.5. In order to establish identity of a natural person on the basis of submitted documents, the following shall be assessed:

8.5.1. The validity of a document in accordance with its terms of validity;

8.5.2. Whether or not the person resembles the person depicted on the document photo in terms of appearance and age and the data included in the document;

8.5.3. Whether or not the document has visible signs of forgery or is damaged.

8.6. The employee shall make a copy from the pages with personal information and a photo in the submitted document and register other data collected about a person in the information system of the Company.

PEP

8.7. In addition to identification, the employee of the Company upon the application of due diligence measures shall also ascertain whether or not the customer is a PEP.

8.8. First and foremost, the employee must try to ascertain whether or not the customer is a PEP on the basis of his or her statements or assertions. If the employee suspects that, regardless of the statements of the customer, he or she is a PEP, a family member or a person known to be a close associate of a PEP, the employee must carry out an initial check-up, using online search engines or relevant databases. If suspicions persist, the employee should turn for further instructions to the compliance officer or the Board of the Company.

8.9. The employee of the Company shall also ascertain close associates and family members of a PEP if there is reason to believe that there is a connection.

8.10. Beneficial owner of a natural person: A beneficial owner of a natural person shall be identified if the employee has a suspicion that the natural person has been asked, tempted, threatened, bribed, or in any other manner forced to establish a business relationship or make a transaction. In this case a person that exercises control over a natural person shall be considered a beneficial owner of a natural person.

8.11. When in the course of establishing the identity of a customer a justifiable suspicion arises that the customer does not act on its own behalf or at its own expense, the employee should establish the identity of the person on whose behalf or at whose expense the customer acts. If the identity of a person, on behalf of whom, or at whose expense the other person acts, cannot be established, the employee is prohibited from making a transaction or establishing a business relationship. In such a case, a notification shall be made in writing to FIU.

8.12. Verification of documents and data:

8.12.1. The employee of the Company shall check the data submitted for the purpose of establishing the identity of a natural person as well as relevant references by means of reliable and independent sources, including public registers and official bodies.

8.12.2. The responsible employee of the Company shall be in charge of regular verification of data.

9. ESTABLISHING THE IDENTITY OF A LEGAL PERSON UPON THE ESTABLISHMENT OF A BUSINESS RELATIONSHIP

9.1. When establishing the identity of a legal person, the following shall be ascertained:

9.1.1. Business name;

9.1.2. Registry code, or registration number and date;

9.1.3. Place of seat and field of activity;

9.1.4. Information about the legal form and legal capacity;

9.1.5. Name of the head of the company or the names of the members of the Board or the members of another body acting on behalf of the Board and their authorities upon the representation of the legal entity;

9.1.6. Means of communication, including at least phone number and email;

9.1.7. Existence of PEPs among the persons exercising the management and control;

9.1.8. Data concerning a beneficial owner.

9.2. A legal person is identified on the basis of the data contained in the register. The following documents are allowed to be used as the basis for the legal entity’s identity verification:

9.2.1. extract from the registration card of the relevant register or from the registration certificate or an equivalent document issued by the competent authority or institution not earlier than six months prior to the filing (in the case of a legal entity registered in Estonia and a branch of a foreign commercial enterprise registered in Estonia);

9.2.2. extract from the registration card of the relevant register or from the registration certificate or an equivalent document issued by the competent authority or institution not earlier than six months prior to the filing (in the case of a foreign legal entity).

9.3. Where the original document specified in clause 9.2 above is not available, the identity of a legal entity can be verified on the basis of the relevant document, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using two different sources for the purposes of data verification in such cases.

9.4. If the Company has access to the Commercial Register, a Register of Non-Profit Associations and Foundations, or to the data contained in relevant foreign registers, the customer does not have to submit a register card to the Company. The responsible employee shall register the data concerning a legal person on the basis of the questionnaire, and a representative of a legal entity undertakes to confirm the correctness of data by his or her signature.

9.5. The responsible employee shall make copies of identity documents of the representatives of a person and register the data of a legal person in the information system of the Company.

9.6. Identifying a beneficial owner: If it is not directly obvious from the documents submitted for the purpose of identification or from any other documents who a beneficial owner of a legal person is, the relevant data shall be registered on the basis of written confirmation provided by the representative of a legal person. The correctness of the data contained in the written confirmation shall be verified by applying reasonable measures, including making enquiries into relevant registers, asking for the submission of annual reports of a legal person or for the submission of other relevant documents.

9.7. Establishing and verifying the right of representation: The responsible employee must make sure whether or not a person is acting on his or her own behalf or on behalf of some other natural or legal person. If a person is acting on behalf of some other person, the employee must establish who this person is.

9.8. The responsible employee must ascertain the ground for the right of representation of a representative, its scope, and term of validity. When dealing with a document authorizing the rights of representation, it is necessary to clarify the fact whether the entity who issued the document had the authority to do so. The identity of a natural person who is a representative of a legal person shall be established under the same conditions as of a customer who is a natural person.

9.9. With regard to authorized and legal representatives, the employee should find out whether the representative knows the person he or she is representing. Hereby, among other things, it should be checked whether the representative knows:

  • The essence and purpose of the expressions of will of a person he or she is representing; his or her economic and professional activities;
  • The goal of transactions;
  • The partners of a person;
  • The source and origin of the funds used within the transaction;
  • The circle of owners of a legal person.

9.10. The representative shall confirm with his or her signature that he or she knows and is sure of the source and the legal origin of the funds used within the transaction carried out on behalf of the person he or she is representing.

9.11. Area and profile of activities of a customer who is a legal person: When the Company establishes a business relationship with a customer who is a legal person, a responsible employee should ascertain the area and profile of activities of the customer with a view to distinguishing the circumstances which indicate money laundering or terrorist financing in the conduct of the customer. The responsible employee shall, among other things, ascertain the customer's permanent business establishments in third countries, essential business partners and payment practices, with due consideration of the specifics of operation of the Company.

9.12. If it is not possible to establish the area or profile of activities of a legal person in a convincing manner on the basis of the information provided by the customer or his or her representative, the responsible employee should consult public sources (Register of Commercial Activities, Commercial Register, published annual business reports) and the Internet (search engines, information registers), check the information the customer has submitted, and supplement it whenever required.

10. PROCEDURE FOR UPDATING DATA/DOCUMENTS USED FOR THE PURPOSES OF IDENTIFICATION

10.1. The employee of the Company updates the data obtained in the course of identification and verification at least one (1) time a year, and with regard to high-risk cases, every six (6) months.

10.2. For updating, the employee of the Company uses the following means and measures:

10.2.1. Verifies data in public databases and registries;

10.2.2. When the term of validity of a document is coming to an end, the employee shall get in touch with the customer and ask him or her to submit an updated document.

11. SIMPLIFIED CUSTOMER DUE DILIGENCE

11.1. The employee of the Company may apply simplified due diligence measures listed in these Rules in the event of a low risk of money laundering and terrorist financing, if the risk profile of the customer is low, and if the risk assessment prepared by the Company identifies that, under such circumstances, the risk of money laundering or terrorist financing is lower than usual.

11.2. Before the application of simplified due diligence measures to the customer, the employee of the Company establishes that the business relationship, transaction or act is of a lower risk, and a lower risk level than usual may be attributed to such transaction, act or customer. First and foremost, before applying simplified due diligence measures, the employee of the Company shall assess the likelihood of emergence of circumstances referring to a lower level of risk and implement them as separate grounds (i.e. the existence of every single circumstance allows simplified due diligence measures to be implemented in relation to the customer).

11.3. The Company shall apply simplified due diligence measures only within the scope which guarantees sufficient monitoring of transactions and business relationship, so that it would be possible to identify unusual transactions and notify the competent authorities about suspicious transactions.

11.4. In the event of application of simplified due diligence measures listed in clauses 5.1.1. and 5.1.2. of these Rules, the identity of a customer or the customer’s representative may be verified on the basis of information obtained from a credible and independent source also at the time of establishment of the business relationship, provided that it is necessary for not disturbing the ordinary course of business.

11.5. In the event of application of a due diligence measure specified in clause 5.1.6. of the Rules, it may be applied in accordance with the simplified procedure, provided that a factor characterizing a lower risk has been established and at least the following criteria are met:

11.5.1. A long-term contract has been concluded with the customer in writing, electronically or in a form reproducible in writing;

11.5.2. Payments accrue to the Company in the framework of the business relationship only via an account held in a credit institution or the branch of a foreign credit institution registered in the Estonian commercial register or in a credit institution established or having its place of business in a contracting state of the European Economic Area or in a country that applies requirements equal to the ones listed above;

11.5.3. The total value of incoming and outgoing payments in transactions made in the framework of the business relationship does not exceed 15,000 EUR in any given year.

11.6. No simplified due diligence measures apply if the employee has a suspicion of money laundering and terrorist financing.

12. ENHANCED CUSTOMER DUE DILIGENCE

12.1. The Company applies enhanced due diligence measures in order to adequately manage and mitigate a higher-than-usual risk of money laundering and terrorist financing.

12.2. Enhanced due diligence measures are always applied when:

12.2.1. Upon identification of a person or verification of submitted information by a customer, there are doubts as to the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner(s);

12.2.2. A participant in the transaction is a PEP (except for a Local PEP), his or her family member, or a close associate;

12.2.3. A participant in the transaction is from a high-risk third country, his or her place of residence or seat or the seat of the payment service provider of the payee is in a high-risk third country;

12.2.4. A participant in the transaction is from such country or territory or their place of residence or seat or the seat of the payment service provider of the payee is in a country or territory that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not established effective money laundering and terrorist financing systems that are in accordance with the recommendations of the Financial Action Task Force, or that is considered a low tax rate territory.

12.2.5. It has been identified in the risk appetite document of the Company or in the risk profile of a customer that in the event of such circumstances, we are dealing with a higher-than-usual risk situation of money laundering and terrorist financing.

12.3. Enhanced customer due diligence measures do not need to be applied regarding the branch of an obliged entity established in a contracting state of the European Economic Area or a majority-owned subsidiary seated in a high-risk third country, provided that the branch and the majority-owned subsidiary fully comply with the group-wide procedures and the obliged entity assesses that the waiver to apply enhanced customer due diligence measures does not entail major additional risks of money laundering and terrorist financing.

12.4. Before the application of enhanced due diligence measures to the customer, the employee of the Company establishes that the business relationship, transaction or act is of a higher risk, and a higher risk level than usual may be attributed to such transaction, act or customer. First and foremost, before applying enhanced due diligence measures, the employee of the Company shall, in addition to the grounds listed in clause 12.2. above, also assess the likelihood of emergence of circumstances referring to a higher level of risk listed in the Risk appetite document and implement them as separate grounds (i.e. the existence of every single circumstance allows enhanced due diligence measures to be implemented in relation to the customer).

12.5. At least one of the following additional measures shall be applied as an enhanced due diligence measure:

12.5.1. Establishment of identity and the check-up of submitted data on the basis of additional documents, data and information, which originate from reliable and independent sources or from a credit institution entered into the Commercial Register in Estonia or from a subsidiary of a foreign credit institution, or from a credit institution that has been registered or whose actual place of activity is in the contractual state of the European Economic Area or in a country, where the requirements equivalent to the ones established by the MLTFPA are in place;

12.5.2. Application of additional measures in order to assure oneself of the authenticity of the documents that have been submitted and the data included in them, among others, demanding their notarial or official certification or the verification of the data by the credit institution specified in the first clause, which has issued the document;

12.5.3. Gathering additional information on the purpose and nature of the business relationship or transaction and verifying the submitted information based on additional documents, data or information that originates from a reliable and independent source;

12.5.4. Gathering additional information and documents regarding the actual execution of transactions made in the business relationship in order to rule out the ostensibility of the transactions;

12.5.5. Making of the first payment related to a transaction via an account that has been opened in the name of the person or a customer participating in the transaction in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equal to those of the MLTFPA are in place;

12.5.6. Establishment of business partnership or making a transaction with the permission of the members of the Board of the Company;

12.5.7. Application of due diligence measures regarding a customer or their representative while being at the same place with them.

12.6. Upon the application of enhanced due diligence measures, the Company must apply the monitoring of a business relationship more frequently than usual, including reassessing the customer’s risk profile not later than six months after the establishment of the business relationship.

13. ADDITIONAL CUSTOMER DUE DILIGENCE: CUSTOMERS FROM HIGH RISK COUNTRIES AND PEPs

13.1. Customers coming from high risk countries

13.1.1. Enhanced due diligence measures shall be applied with regard to the persons coming from high-risk third countries. In particular,

13.1.1.1. Additional identity documents shall be asked from the customer and/or his or her beneficial owner and verified using a reliable and independent source;

13.1.1.2. Additional information about the beneficial owner of the customer shall be obtained;

13.1.1.3. Additional information on the planned substance of the business relationship shall be obtained;

13.1.1.4. The origin of the assets used in the transaction shall be established;

13.1.1.5. The origin of the wealth of the customer and/or his or her beneficial owner shall be identified;

13.1.1.6. A permit for establishing a business relationship or carrying out a transaction shall be obtained from the members of the Board of the Company;

13.1.1.7. Improving the monitoring of business relationship by increasing the number and frequency of the applied control measures and by choosing transaction indicators that are additionally verified;

13.1.1.8. Demanding payments only from the account registered in the name of a customer at a credit institution in a contracting state of the European Economic Area or in a third country where requirements equal to those are in place.

13.2. Customers who are PEPs or whose beneficial owner is a PEP

13.2.1. With regard to PEPs, the following due diligence measures are additionally applied:

13.2.1.1. Obtaining the required additional information from a customer in order to ascertain the source of his or her wealth and the origin of the funds that are used within the frames of business partnership or a transaction;

13.2.1.2. Verification of data or submitting enquiries to the databases of state institutions of a relevant country as well as searching for and verifying the data that can be obtained online;

13.2.1.3. Submitting enquiries and verifying the data on relevant web-pages of supervision institutions and other official bodies in the customer’s home country.

13.2.2. The employee verifying the data shall notify the members of the Board of the Company if a customer or its beneficial owner (in case of a legal entity) is or might become a PEP.

13.2.3. The members of the Board of the Company make a decision as to whether or not to establish a business relationship with a customer:

13.2.3.1. Where the customer is a PEP, a family member of a PEP or its close associate;

13.2.3.2. Where the beneficial owner of the customer which is a legal entity is a PEP, a family member or a close associate of a PEP.

13.2.4. Regular enhanced check-ups are implemented with regard to business relationships with PEPs. Regular enhanced check-ups shall also be implemented after a PEP has ceased acting as a PEP if a higher level of risk still accompanies that person, proceeding from the risk-based approach.

13.2.5. Where a PEP no longer performs important public functions placed upon him or her, it is necessary at least within 12 months to take into account the risks that remain related to the person and apply relevant and risk sensitivity-based measures as long as it is certain that the risks characteristic of PEPs no longer exist in the case of the person.

13.2.6. The Company does not need to apply due diligence measures provided for in the present section 13 if a customer is a Local PEP and there are no other factors that refer to a higher-than-usual risk.

14. MONITORING OF BUSINESS RELATIONSHIP AND THE APPLICATION OF THE “KNOW YOUR CLIENT” PRINCIPLE

14.1. «Know Your Client» (KYC) principle

14.1.1. The «Know Your Client» principle (hereinafter referred to as “KYC”) means gathering relevant information and data about a customer, including, in addition to customer identification, also identifying profile of activities of a customer, the purpose of his or her activities, the beneficial owner and, if required, also the sources used within the transaction and their origin, which will enable the Company to assess whether or not the transactions made by a customer conform to his or her main field of activities and/or payment practices and to decide whether or not the transaction is usual or suspicious or unusual.

14.1.2. The employee of the Company shall select a suitable scope of the implementation of KYC in accordance with a risk level attributed to a specific business relationship or a transaction, based on a risk-based approach.

14.1.3. In order to ascertain in a fast and efficient manner whether or not the customer is (i) a PEP, (ii) his/her place of residence or seat is in a high-risk third country or on the low tax rate territory, (iii) a person, with regard to whose activities there is a prior suspicion that he or she might be related to money laundering and terrorist financing, (iv) a person, with regard to whom international sanctions apply, or (v) a person, with whom a transaction is executed by means of communication, the responsible employee shall use relevant web-pages and databases. The member of the Board responsible for AML/CTF in the Company shall ensure the availability of relevant databases and their use (including the provision of access and relevant training).

14.2. In order to implement KYC, the responsible employee of the Company must:

14.2.1. Implement measures in order to ascertain the field of activity and profile of activities of a customer, including:

14.2.1.1. Asking for information from a customer upon the establishment of a business partnership or making a transaction;

14.2.1.2. Making check-ups in public databases and registries;

14.2.1.3. Monitoring, analysing, and distinguishing the transactions executed by the customer in the Company;

14.2.1.4. If the responsible employee has a suspicion of money laundering or terrorist financing related to the transaction with a low level of risk, he or she should apply enhanced due diligence measures, proceeding from the provisions of clause 12 of the Rules.

14.3. The monitoring of a business relationship must include at least the following:

14.3.1. Checking of transactions made within a business relationship in order to ensure that the transactions are in line with the Company’s knowledge of the customer, its activities and risk profile;

14.3.2. Regular updating of relevant documents, data or information gathered in the course of application of due diligence measures;

14.3.3. Identifying the source and origin of the funds used in a transaction;

14.3.4. Paying more attention to transactions made in the business relationship, the activities of a customer and circumstances that refer to criminal activity, money laundering or terrorist financing or that are likely to be linked with money laundering or terrorist financing, including to complex, high-value and unusual transactions and transaction patterns that do not have a reasonable or visible economic or lawful purpose or that are not characteristic of the given business specifics, including ascertaining the nature, reason, and background of such transactions, and also gathering other data in order to understand the nature of transactions;

14.3.5. Paying more attention to business relationship or transaction whereby a representative of a customer or a beneficial owner is from a high-risk third country, or whereby a customer is a citizen of such country, or whereby the customer’s place of residence or seat or the seat of the payment service provider of the payee is in such country or territory.

14.4. When monitoring business relationships, the responsible employees of the Company must:

14.4.1. Monitor and remember the characteristics of suspicious transactions listed in the guideline issued by FIU;

14.4.2. Check the transactions made by a customer with a frequency that conforms to the risk level attributed to the customer, bearing in mind that for customers with a low level of risk, check-ups should be carried out at least once annually, while for customers with a high level of risk, check-ups should be performed once every 6 (six) months;

14.4.3. Notify the compliance officer or the member of the Board performing the duties of a compliance officer about every single transaction that is suspected of money laundering or terrorist financing;

14.4.4. Where necessary, change the risk level of a customer.

14.5. Protection of employees: The Company establishes a system of measures ensuring that the employees and representatives who report a suspicion of money laundering or terrorist financing or any other violation of the MLTFPA or any other applicable laws and regulations in the field of AML, CTF and international financial sanctions either to the compliance officer or to the member of the Board performing the duties of a compliance officer within the Company are protected from being exposed to threats or hostile action by other employees, management body members or customers, in particular from adverse or discriminatory employment actions.

15. REFUSAL TO CONCLUDE A TRANSACTION OR ESTABLISH A BUSINESS RELATIONSHIP, AND TERMINATION OF BUSINESS RELATIONSHIP

15.1. It is prohibited to establish a business relationship or allow for making or closing an occasional transaction if at least one of the following circumstances exists:

15.1.1. It is not possible to apply required due diligence measures;

15.1.2. There is a suspicion of money laundering and terrorist financing;

15.1.3. There is a suspicion that a person is a subject of international sanctions.

15.2. The Company has the right to postpone the execution of a transaction until a customer has submitted the required documents and information for the purpose of implementation of due diligence measures, including proving the origin of assets constituting the object of a transaction or carrying out the monitoring of business relationships.

15.3. The Company does not establish business relationship (it is forbidden to establish business relationship and execute transactions) if a person participating in a transaction or in a professional act or a customer, in spite of a respective request, does not submit documents and relevant information required for the purpose of applying due diligence measures specified in clauses 5.1.1.-5.1.6. of these Rules, or where, based on the submitted documents, the employee comes to suspect money laundering or terrorist financing.

15.4. The Company must extraordinarily withdraw from business relationship if a person or a customer participating in the transaction, in spite of a respective request, does not submit documents and relevant information required for the purpose of identification of the existence of circumstances listed in clauses 5.1.1.-5.1.6. of these Rules, or the documents and relevant information that would prove the legal origin of assets constituting the object of a transaction, or if on the basis of documents and submitted information the Company comes to suspect money laundering or terrorist financing. The business relationship is deemed terminated as of the submission of a termination notice to a customer after which the services are completely unavailable to the customer.

15.5. If a person or a customer participating in the transaction, in spite of a respective request, does not submit documents and relevant information required for the purpose of performing the obligation specified in clauses 5.1.1.-5.1.6. of these Rules, it shall be deemed a fundamental breach of the contract, and the Company has the obligation to terminate the agreement serving as the basis for the business relationship. The business relationship is deemed terminated as of the submission of a termination notice to a customer after which the services are completely unavailable to the customer.

15.6. It is prohibited to establish business relationships or make a transaction with a person whose capital consists of bearer shares or other bearer securities in the scope of over 10 percent.

15.7. In the event of refusal to make a transaction or establish a business partnership as well as in the event of extraordinary withdrawal from the long-term contract serving as the basis for the business relationship, the responsible employee has to register and preserve an explanation concerning detailed circumstances underlying the refusal or withdrawal as well as any other information serving as the basis for the duty to report in accordance with the procedure for gathering and retaining data listed in these Rules.

15.8. If the Company refuses to establish a business partnership or make a transaction or withdraws extraordinarily from the long-term contract serving as the basis for the business relationship on the grounds listed in clause 15 of these Rules, and if a person has transferred some funds to the payment account of the Company, the Company may only transfer such funds back to the account of a customer that was opened in a credit institution or the branch of a foreign credit institution registered in the Estonian commercial register or in a credit institution established or having its place of business in a contracting state of the European Economic Area or in a country that applies similar requirements. Funds/assets may be transferred to an account different from the one specified above only if FIU has been notified about it at least seven days in advance, and unless FIU has ordered otherwise.

16. RETENTION, STORAGE AND DELETION OF DATA

16.1. Preservation of the used data

16.1.1. The responsible employee shall preserve the data and documents used for the purpose of customer identification in such a manner that it would allow their reproduction in writing at least in the following scope:

  • First name and surname of a person;
  • Personal identification number, date and place of birth;
  • Address of the place of residence (actual place of residence of a person, postbox number is not acceptable);
  • Citizenship;
  • Activity profile, professional field of activity;
  • Means of communication (phone number and email address);
  • Whether or not a person is a PEP or a close associate of a PEP;
  • Information about all procedures that have been applied in order to identify a beneficial owner of a person participating in the transaction on behalf of a customer;
  • Name and number of the document used for the purpose of identification and verification, the date of its issue and name of the institution that has issued it;
  • Copy of the document used for identification;
  • The manner, date and place of submission or updating of data or documents;
  • Other data gathered in the course of identification and the reference to the fact whether or not data has been gathered in order to establish business partnership, including in connection with opening an account, or using some other service that does not involve opening an account;
  • Information about establishing business relationships or the circumstances pertaining to refusing to make a transaction or terminating a business relationship;
  • The circumstances of refusing to make a transaction or establish a business partnership at the initiative of a customer if the refusal has been related to the application of due diligence measures;
  • The name and position of the employee that has carried out identification, checked or updated data.

16.1.2. The name and position of the employee that has updated data must also be retained.

16.2. Data registration

16.2.1. For all transactions and proceedings, both the content and the time or time period of the transaction or proceeding shall be registered. In the course of identification and verification of submitted data, the relevant proceeding shall be registered as of the date or time period when it was conducted.

16.2.2. The following data shall be registered about a transaction:

16.2.2.1. When opening an account, the type, number, and currency of the account as well as other significant attributes of securities or other assets;

16.2.2.2. The transaction amount, the currency and the account number;

16.2.2.3. The date of making every single entry and an explanation pertaining to it.

16.2.3. The Company shall also register and preserve the following data:

16.2.3.1. Information about the circumstances of refusal to establish a business relationship or make an occasional transaction;

16.2.3.2. Information about the circumstances of refusal of a business relationship with a customer or refusal to make a transaction if such a refusal has been related to the application of due diligence measures on the part of the Company;

16.2.3.3. The entire scope of information if it is not possible to apply due diligence measures with the help of information technology means;

16.2.3.4. The circumstances of termination of a business relationship in connection with the impossibility of application of the due diligence measures;

16.2.3.5. Information serving as the basis for the duty to report;

16.2.3.6. The entire correspondence and all the data and documents gathered in the course of monitoring the business relationship and data on suspicious or unusual transactions or circumstances which FIU was not notified of.

16.3. Method of preservation of data and terms of preservation

16.3.1. The data listed in clause 16 above shall be preserved in a manner that allows for exhaustively and immediately replying to the enquiries of FIU or, in accordance with legislation, those of other supervisory authorities, investigative bodies or courts, inter alia, regarding whether the Company has or has had in the preceding 5 (five) years a business relationship with the given person and what is or was the nature of the relationship.

16.3.2. The Company and its foreign branches (if established) shall keep the data provided for in clause 16 above unchanged and available to FIU for 5 (five) years as of the end of the business relationship with the customer, unless FIU has established a different term by a precept or a longer term is not provided by law.

16.3.3. Data about business relationships (including the correspondence related to the application of due diligence measures and all the documents gathered in the course of monitoring the business relationship as well as data on suspicious or unusual transactions or circumstances which FIU was not notified of) shall be preserved for 5 (five) years after the termination of the business relationship.

16.3.4. Data about a transaction shall be preserved for 5 (five) years after the transaction has been made.

16.3.5. Data about the performance of the duty to report to FIU shall be preserved for 5 (five) years after the relevant obligation has been performed.

16.3.6. The Company shall guarantee the deletion of gathered data after the expiry of the term of its preservation, except for the cases when a longer term of preservation arises from legislation, another legal act, or a precept.

16.4. Protection of personal data

16.4.1. The data gathered upon the establishment of business relationship and within its duration shall be only used for the purpose of money laundering and terrorist financing prevention as well as for the purpose of performance of obligations listed in the MLTFPA, and that data must not be used in any other ways or for any other purposes not specified in the present procedure, except for the cases when a customer has given his or her consent to the usage of data for other purposes.

16.4.2. Before establishing a business relationship, the information pertaining to the processing of personal data shall be sent to a potential customer by the Company. The scope of such information also includes general information about the obligations of the Company upon the processing of personal data for the purpose of money laundering and terrorist financing prevention.

16.4.3. The Company, upon the implementation of the requirements arising from the present procedure, shall apply all of the rules of personal data protection that are listed in the Personal Data Protection Act.

17. OUTSOURCING ACTIVITIES

17.1. The Company may outsource an activity related to identification to a third party that is:

17.1.1. An obliged entity within the context of the MLTFPA;

17.1.2. An organization, association or union whose members are obliged entities under the MLTFPA; or

17.1.3. Another person who applies due diligence measures equivalent to those established in the MLTFPA and complies with the data retention requirements equivalent to those prescribed under the Estonian legislation, and who is subject to or is prepared to be subjected to AML supervision or financial supervision in a contracting state of the European Economic Area regarding compliance with requirements.

17.2. The Company shall not outsource relevant activities to a person that has been founded in a high-risk third country.

17.3. Relevant activities may only be outsourced to third parties that hold required knowledge and skills or have prerequisites for their acquisition, and that are capable of fulfilling the obligations provided for in the MLTFPA and these Rules. Upon outsourcing of relevant activities, the Company shall notify a third party about all laws, other legal acts issued on the basis of such laws, relevant requirements arising from the guidelines issued by Finantsinspektsioon and FIU and the present Rules, and reserve the right to check the compliance with those requirements. The Company reserves the right to withdraw from the contract entered into with a third party if there are shortcomings in the way the third party is performing its duties.

17.4. Whenever the need arises, the Company shall offer relevant training in the field of AML and CTF to a third party (and its employees), which will be held by the responsible employee or another expert in the field assigned by the Company. The Company may enable a third party (and its employees) to take part in the training arranged by the Company for its own employees if the parties agree accordingly. If the need for training a third party in the field of AML and CTF is minor, the Company must explain to a third party at least the requirements listed in the Rules and notify the third party about amendments made in the Rules, global best practices, or the applicable laws and regulations.

17.5. Upon the assessment of both the suitability of a third party and his or her need for training, the parties shall proceed from his or her usual professional and economic activities and the main job duties of the third party and his or her employees as well as their education and other circumstances that may refer to insufficient knowledge or capacity for dealing with the activities to be outsourced.

17.6. The Company may outsource relevant activities only in the manner that does not affect its own interests or the interests of its customers, its own activities or the performance of its obligations listed in the MLTFPA and the present Rules and does not interfere with state supervision exercised over it. Upon outsourcing its duties the Company shall proceed under the following conditions:

17.6.1. The members of the Board of the Company must not delegate their liabilities upon outsourcing;

17.6.2. Outsourcing must not damage the interests of the customers of the Company or the relations with the customers, and the commitments of the Company to the customers must not change due to outsourcing;

17.6.3. Outsourcing must not contradict the conditions that the Company must conform to in order to receive an authorisation and remain in compliance with it.

17.7. In order to outsource relevant activities, the Company shall enter into a written contract with a third party, which shall provide:

17.7.1. That outsourcing shall not hinder the activities of the Company or the performance of obligations listed in the MLTFPA or the present Rules;

17.7.2. That a third party shall perform all of the obligations of the Company related to outsourcing;

17.7.3. That outsourcing shall not interfere with supervision exercised over the Company, if any;

17.7.4. That the FIU will be able to exercise supervision over the person performing the outsourced activities via the Company, including by means of on-site check-ups and other supervision measures;

17.7.5. The existence of required knowledge and skills on the part of the person carrying out relevant activities and his or her capacity to conform to the requirements listed in the MLTFPA and these Rules;

17.7.6. The Company has the right to check on the compliance with requirements listed in the MLTFPA and these Rules without any limitations;

17.7.7. Documents and data gathered for the purpose of compliance with the requirements arising from MLTFPA are preserved and, at the request of the Company, copies of documents relating to the identification of a customer and its beneficial owner or copies of other relevant documents are handed over or submitted to the competent authority immediately.

17.8. Upon identification, a third person shall immediately notify the compliance officer of any suspicion of money laundering and terrorist financing, and the compliance officer will then notify FIU in accordance with the provisions of these Rules.

17.9. While performing the obligations delegated to him or her, a third person must apply due diligence measures listed in these Rules and comply with the requirements pertaining to gathering data and preserving it that are applied by the responsible employee of the Company.

17.10. A third person to whom the activities have been outsourced shall apply the present Rules on the same grounds as the responsible employee of the Company.

17.11. The Company shall notify FIU about entering into a contract for outsourcing relevant activities no later than within 2 working days before entering into the contract. In the notification, the Company, among other things, shall also note down the scope of outsourced activities. At the request of FIU, the Company shall forward to FIU the contract entered into for the purpose of outsourcing activities.

18. INTERNATIONAL FINANCIAL SANCTIONS

18.1. Upon entry into force of an act on the imposition or implementation of international financial sanctions, the responsible employees of the Company shall take measures to fulfill the obligations arising therefrom, shall demonstrate due diligence to ensure that the objective of the international financial sanction is achieved, and shall avoid any breach of such sanctions.

18.2. The responsible employee shall pay special attention to the person who is in a business relationship with the Company or is making a transaction or carrying out a proceeding with him or her, as well as to the activities of the person intending to establish a business relationship, make a transaction or carry out a proceeding with him or her, and to the facts which refer to the possibility that the person is a subject of international financial sanction.

18.3. If the responsible employee has doubts or knows that a person who is in a business relationship with the Company or is making a transaction or carrying out a proceeding with him or her, or a person intending to establish a business relationship, make a transaction or carry out a proceeding, is a subject of international financial sanction, the responsible employee shall immediately notify FIU of the identification of the subject of international financial sanction, of the doubt thereof and of the measures taken.

18.4. If a person who is in a business relationship with the Company or is making transactions or is carrying out a proceeding, as well as a person who intends to establish business relationship, make a transaction or carry out a proceeding, refuses to provide additional information or it is impossible to identify by means thereof if the person is a subject of international financial sanction, a responsible person shall refuse to make a transaction or carry out a proceeding and shall notify the compliance officer or the member of the Board of the Company performing the duties of the compliance officer immediately, who shall take measures provided for in the act on the imposition or implementation of international financial sanction and shall notify immediately FIU of his or her doubts and of the measures taken.

18.5. A compliance officer or the member of the Board of the Company performing the duties of the compliance officer shall regularly check the webpage of FIU at https://fiu.ee/rahvusvahelised-sanktsioonid/rahvusvahelised-finantssanktsioonid in order to monitor the changes made in the list of subjects of a financial sanction and in the acts on the imposition or implementation of international financial sanctions and shall immediately take measures provided for in the act on the imposition or implementation of the international financial sanction in order to ensure the achievement of the objective of the international financial sanction and prevent breach of the international financial sanctions.

18.6. Upon entry into force of an act on the imposition or implementation of international financial sanction, the amendment, repeal or expiry thereof, the compliance officer or the member of the Board of the Company performing the duties of the compliance officer or another authorized person shall immediately check whether a person with whom the Company is in business relationship or is making a transaction or carrying out a proceeding, as well as a person intending to establish business relationship, make a transaction or carry out a proceeding is a subject of international financial sanction with regard to whom the financial sanction is imposed, amended or terminated.

18.7. The responsible employee shall pay attention to the factors distorting personal data. The following errors or differences that may occur upon translating, handling, or processing of personal data and names are the factors distorting personal data:

18.7.1. Transcription of foreign names, including differences arising in the course of latinization of Russian and Scandinavian names;

18.7.2. Different order of words in personal or company names consisting of several words, e.g. AS TOOMAS RAMM or RAMM TOOMAS AS;

18.7.3. Replacing letters with diacritical marks (points or letters with diacritical markings denoting stressed vowels) with other letters or leaving them out (partially);

18.7.4. Replacing double letters with single ones (and the other way round), e.g. METALL or METAL;

18.7.5. Replacing letters F, Š, Z, Ž, C… with other letters or letter combinations, e.g. FARMA or PHARMA, CRISTAL or KRISTAL;

18.7.6. Replacing foreign letters W, Q, X, Y… with other letters, e.g. WOX QYIT or VOKS KÜIT;

18.7.7. Replacing double letters and foreign letters with other letters or leaving them out (partially);

18.7.8. Using abbreviations;

18.7.9. Writing numbers out as text, e.g. 2 FAST 4 YOU or TWO FAST FOUR/FOR YOU;

18.7.10. Using/not using subordinate compounds and prepositions (letters, conjunctions);

18.7.11. Other factors, including but not limited to faults arising from human error; replacing hard consonants with soft consonants and the other way round, e.g. AS GAASI KÜTE or AS KAASI GÜTE; and inclusion of a name or its part into another name or its part.

18.8. The compliance officer or the member of the Board of the Company performing the duties of the compliance officer shall gather and preserve the following information for 5 (five) years:

18.8.1. Time of check-up;

18.8.2. Name of a person that has done check-up;

18.8.3. Results of check-up;

18.8.4. Measures taken.

19. PROCEDURE PERTAINING TO THE DUTY TO REPORT

19.1. Where, in the course of relations with a customer, unusual circumstances arise, or circumstances arise that lead an employee of the Company to suspect money laundering or terrorist financing, the compliance officer or the member of the Board of the Company performing the duties of the compliance officer should be notified about it immediately and will in turn make a decision as to whether or not to forward the information immediately to FIU. The compliance officer or the member of the Board of the Company performing the duties of the compliance officer shall notify FIU without delay, but no later than within 2 (two) working days after coming to a suspicion of money laundering. Among other things, FIU must be notified if the responsible person has refused to establish a business relationship or to make a transaction, or has terminated a business relationship extraordinarily, because of the refusal to provide the information required for the implementation of due diligence measures, or if such information has not been provided in spite of a respective request.

19.2. FIU must be notified about the following circumstances in accordance with the procedure described in clause 19.1 of the Rules:

19.2.1. Business relationship has not been established, a transaction or a proceeding has not been made, or a service has not been provided;

19.2.2. The parties refuse to establish business relationships or make a transaction due to the impossibility of application of due diligence measures;

19.2.3. The parties refuse to establish business relationships or make a transaction because the capital of a person consists of bearer shares or other bearer securities;

19.2.4. In spite of a respective request, the customer has not submitted documents or relevant information or data or documents proving the origin of assets serving as an object of a transaction, or on the basis of data and documents that have been submitted the suspicion of money laundering and terrorist financing occurs;

19.2.5. Each transaction that the Company learns of whereby a pecuniary obligation of over 32,000 EUR or an equal sum in another currency is performed in cash, regardless of whether the transaction is made in a single payment or in several linked payments over a period of up to 1 (one) year.

19.3. The main conditions that parties should proceed from when analyzing suspicious and unusual transactions are the following:

19.3.1. Is there a suspicious circumstance pertaining to a proceeding, a transaction, or some other situation?

19.3.2. Has the Company made sure that it knows a customer to a required extent, or should additional data be gathered about the customer?

19.3.3. When identifying a customer or his or her representative while making a transaction or carrying out a proceeding, the Company must make sure that they have completed the relevant procedure accordingly. Was any information or data insufficient? Did the Company have to ask for additional data or demand that a customer would provide rectification in any other way?

19.3.4. To find out whether or not there have been recurrent manifestations of suspicious proceedings and transactions.

19.4. Collecting the data means the process of gathering information about suspicious or unusual transactions from the employees, agents (if there are any), and contractual partners of the Company, as well as the systematization and analysis of the accumulated information.

19.5. The Board of the Company shall retain in a form that can be reproduced in writing all of the notices about suspicious or unusual transactions received from its employees, and also the information collected for the purpose of analyzing those notices as well as other related documents and the notices that have been forwarded to FIU, together with the data concerning the time when each notice was forwarded and the name of the employee that has forwarded it.

19.6. Where the Company suspects or knows that terrorist financing or money laundering or related criminal offences are being committed, the making of the transaction or professional act or the provision of the official service must be postponed until the submission of a report or notice to FIU. Where the postponement of the transaction may cause considerable harm, it is not possible to omit the transaction or it may impede catching the person who committed possible money laundering or terrorist financing, the transaction or professional act will be carried out or the official service will be provided and a report or notice shall be submitted to FIU thereafter.

19.7. It is prohibited to notify a customer or any other party that has participated in the transaction (including his or her representatives and other related parties), in whose regard a notice has been sent to FIU, about sending such notice.

19.8. The compliance officer or the member of the Board of the Company performing the duties of the compliance officer must submit the notice together with the required data to FIU via its web form. The data used for identification and verification of submitted data as well as copies of documents should be attached to the notice.

20. COMPLIANCE OFFICER

20.1. The duties of the compliance officer responsible for the implementation of these Rules shall be performed by the designated member of the Board of the Company unless another person is appointed as the compliance officer by the Board.

20.2. An employee of the Company that conforms to the requirements established by the MLTFPA and all other applicable laws and regulations in the field of AML and CTF may be appointed by the Board as a compliance officer. The appointed compliance officer shall, inter alia, have the education, professional suitability, abilities, personal qualities, experience and impeccable reputation required for the performance of the duties of a compliance officer. The appointed compliance officer shall be directly responsible to the Board of the Company. FIU and Finantsinspektsioon shall be informed of the appointment of a compliance officer.

20.3. The compliance officer shall have the following duties and responsibilities:

20.3.1. Arranging the gathering of information about unusual data or the data referring to money laundering or terrorist financing within the activities of the Company and its analysis;

20.3.2. Forwarding the relevant data to FIU if there is a suspicion of money laundering and terrorist financing;

20.3.3. Quarterly submitting a written overview to the Board of the Company about the implementation of the Rules;

20.3.4. Performance of other obligations imposed under these Rules or any applicable laws and regulations in the field of AML, CTF and international financial sanctions.

20.4. For the purpose of appropriate performance of his or her obligations, the compliance officer shall have access to the information serving as the basis and a prerequisite for establishing business relationships, including the information, data, and documents describing a customer and his or her commercial activities.

20.5. The compliance officer has the right:

20.5.1. To make suggestions to the Board of the Company about making amendments in and supplementing the rules of procedure containing the requirements pertaining to money laundering and terrorist financing as well as organizing training courses;

20.5.2. To demand from a structural unit that the shortcomings that have been revealed in the course of adhering to the requirements pertaining to money laundering and terrorist financing prevention would be eliminated within a reasonable time period;

20.5.3. To receive information and documents that they need in order to fulfill their tasks;

20.5.4. To make suggestions concerning the facilitation of the process of forwarding notices about suspicious or unusual transactions;

20.5.5. To take part in training courses in the relevant field.

20.6. The compliance officer of the Company or the member of the Board of the Company performing the duties of the compliance officer shall receive training in the area of AML and CTF compliance. Such training shall occur on a regular basis (annually) as well as if and when necessary, including where there have been amendments introduced to the applicable AML/CTF rules and regulations. In the course of training, information should be provided, inter alia, on the following matters:

20.6.1. the envisaged amendments to the existing legal requirements to the internal AML/CTF rules and procedures;

20.6.2. the modern methods of money laundering and terrorist financing and the risks that may arise out of the business operations of the Company;

20.6.3. the requirements for the protection of personal data obtained in the course of business operations;

20.6.4. the methods of recognizing transactions that may be related to money laundering and terrorist financing, and the course of action in such situations.

21. PROCEDURE FOR THE PERFORMANCE OF INTERNAL COMPLIANCE CHECKS AND UPDATING OF THE RULES

21.1. The purpose of an internal check-up is to ensure compliance with the applicable laws and regulations in the sphere of money laundering and terrorist financing prevention and the introduction and successful implementation of all relevant internal rules and procedures within the Company. The checks are performed by the Board of the Company.

21.2. The Board of the Company shall be responsible for compliance with the applicable laws, regulations and instructions received from the competent supervisory bodies, as well as for updating the internal AML and CTF rules and procedures of the Company. The Board shall revise these Rules and any other internal documents at least once a year and update them where necessary.

21.3. At least once a year the compliance officer or the member of the Board of the Company performing the duties of the compliance officer shall check the work of responsible employees upon the performance of obligations arising from the procedure in the field of AML and CTF and the implementation of international financial sanctions:

21.3.1. In the course of identification and verification (including by information technology means);

21.3.2. When conducting video interviews;

21.3.3. In the course of establishment and verification of the right of representation;

21.3.4. In the course of establishment of beneficial owners;

21.3.5. In the course of establishment of PEPs;

21.3.6. In the course of establishment of subjects of international financial sanctions;

21.3.7. While registering data;

21.3.8. In the course of establishment of the origin of assets;

21.3.9. In the course of establishment of suspicious and unusual transactions and performing the duty to report;

21.3.10. While gathering and retaining information and documents;

21.3.11. In the course of monitoring business relationships.

21.4. The inspection report drawn up by the compliance officer or the member of the Board of the Company performing the duties of the compliance officer pursuant to clause 20.3 of the Rules must include at least the following information:

21.4.1. Purpose of inspection;

21.4.2. Time and date when the inspection took place;

21.4.3. Name and position of a person that has carried out an inspection;

21.4.4. Description of the inspection that has taken place;

21.4.5. Analysis of the results of the inspection or general conclusions made.

21.5. If any shortcomings in the Rules or their practical implementation have been detected in the course of inspection, the description of such shortcomings should be added into the report together with the analysis of related threats. The report should also include the time provided for the elimination of shortcomings, the measures that can be used for the elimination of shortcomings, and the time of follow-up control.

21.6. While carrying out a follow-up control, the analysis of the results of the follow-up control should be added into the report as well as the list of measures for eliminating shortcomings with the indication of the time that has actually been spent on the elimination of shortcomings.

21.7. In order to provide due performance of the guidelines, the Board of the Company undertakes to provide sufficient resources for the purpose of carrying out internal inspections, to carry out inspections regularly, to assess the training needs of the employees, to assess the reports drawn up after a relevant inspection has been completed and submitted to the Board of the Company, and where necessary to take measures in order to eliminate shortcomings.

22. TRAINING

22.1. The Board of the Company must provide the employees whose job tasks include the establishment of business relationships with the customers and making transactions with training courses in the relevant field, required for the purpose of performing the obligations arising from the MLTFPA and any other applicable laws and regulations. Such training should take place as soon as the employee in question sets out to perform his or her job tasks and thereafter regularly or where necessary. Among other things, a training course should provide its participants with the information about the obligations established in these Rules, modern methods of money laundering and terrorist financing prevention and accompanying risks, the requirements in the field of personal data protection, the ways to distinguish the proceedings related to possible money laundering and terrorist financing, and the instructions on how to act in such situations.

22.2. Any new employee that has to undergo training is required to familiarize themselves with the Rules after the employment contract has been entered into, but in any event no later than within one week after the new employee has started working. The employee confirms that he or she has familiarized themselves with the Rules by signing the document.

22.3. The task of the Board of the Company is to provide annual training of employees. The Board of the Company determines the exact time and place of the training. The time period between two training sessions should in any event not be longer than 12 months. The training may be conducted either by the compliance officer or the member of the Board of the Company performing the duties of the compliance officer, or by any other person invited to conduct the training that holds sufficient knowledge and competence in the field of AML and CTF compliance.

22.4. The Board of the Company, at the suggestion of the compliance officer or the member of the Board of the Company performing the duties of the compliance officer, may organize training more frequently, including but not limited to the circumstances where the employees need to be informed of the updates and upgrades arising from the introduction of amendments in the MLTFPA and any other applicable laws and regulations in the field of AML/CTF or any other changes introduced to these Rules.

23. AUDIT

23.1. The Company is not required to conduct an internal audit, except when required by the Board or by a general meeting of shareholders, or when the conduct of internal audit is required by law.