1. GENERAL

This Policy on Anti-Money Laundering and combating the Financing of Criminal or Terrorist Acts (“AML Policy” or this “Policy”) is adopted by BITPAPA IC FZC LLC, a company incorporated under the laws of Ajman Media City Free Economic Zone of United Arab Emirates, company number 5069, with a registered office at A-0059-652 - Flamingo Villas, Ajman, UAE (the “Company” or “BITPAPA”), as of the date written above, to be executed and observed by the Company, its employees, affiliates and service providers in order to achieve full compliance with the relevant anti-money laundering legislation.

The Company is a provider of digital asset exchange services, including, but not limited to, custodian wallet services for crypto assets.

The Company has obtained all necessary licenses under local legislation. Best practice and legislation require us to be subject to AML and KYC (Know Your Client) requirements, set forth in the Federal Decree-law No. (20) of 2018 ON ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM AND FINANCING OF ILLEGAL ORGANISATIONS (the “Regulation”) and other legal guidelines given by the UAE Ministry of Economy and the Central Bank of the UAE (the “Instruments”). This Policy should be read in conjunction with these Instruments; in the event of any conflict between the contents of this Policy and said Instruments, the latter shall prevail.

All amounts denominated in this Policy in United Arab Emirates Dirham (AED) shall be read to include the equivalent amounts in any other currency or digital currency, as traded at the date of the relevant transaction.

This Policy aims to provide specific instructions on how personnel of the Company should perform actions, mandate internal procedures, and provide general guidelines for the instruction, control and training within the Company and its affiliates, in connection with the mitigation and handling of ML/TF risks.

This Policy shall act as binding guidelines to all relevant Company personnel, and all such personnel must be aware of, and adhere to, this Policy.

  1. THE OFFENCE OF MONEY LAUNDERING

The crime of money laundering is not restricted to operations connected with money obtained from drug trafficking but includes many types of criminal activity that can yield proceeds. These include, among others, terrorism, fraud, robbery or theft, forgery, smuggling, counterfeiting, and extortion.

The definition of money laundering is set forth in Articles 1 and 2 of the Regulation as follows:

  • Transferring or moving proceeds or conducting any transaction with the aim of concealing or disguising their illegal source.
  • Concealing or disguising the true nature, source or location of the proceeds as well as the method involving their disposition, movement, ownership of or rights with respect to said proceeds.
  • Acquiring, possessing or using proceeds upon receipt.
  • Assisting the perpetrator of the predicate offense to escape punishment.
  • Any financial or banking transaction aimed at concealing or changing the source of illegally obtained funds, by passing it through the financial and banking system in order to make it appear as originating from legitimate sources, and then re-pumping and investing it illegally.
  • “Illegal Organisations” means organisations whose establishment is criminalized or which exercise a criminalized activity.
  • “Financing Illegal Organisations” means any physical or legal action aiming at providing funding to an illegal organisation, or any of its activities or its members.
  • “Funds” means assets in whatever form, tangible or intangible, movable or immovable, including national currency, foreign currencies, documents or notes evidencing the ownership of those assets or associated rights in any form, including electronic or digital forms, or any interests, profits or income originating or earned from these assets.
  • “Proceeds” means funds generated directly or indirectly from the commitment of any crime or felony including profits, privileges, and economic interests, or any similar funds converted wholly or partly into other funds.
  • “Means” means any means used or intended to be used to commit an offence or felony.
  • “Terrorism financing” means any acts mentioned in Articles (29, 30) of Federal Law no. (7) of 2014, including acquisition, collection, obtainment or facilitation of obtainment of funds for the purpose of using same although aware that they will be used, in part or in whole, in the commission of a terrorist offence, along with acquisition, possession, use, managing, keeping, investment, replacement or dealing in the funds for the purpose of concealing or camouflaging their truth, origin or illegal purpose.

The definition of money laundering covers those operations where a person knows, or should have reason to believe, that the money with which they are concerned is derived, obtained or realized, directly or indirectly, from an unlawful activity as described above. It is only necessary that the person should have knowledge or reasonable grounds for knowledge of the unlawful source of the funds to be guilty of the offence. Positive knowledge is not the test; knowledge may be inferred from objective factual circumstances. Concerning companies, it is sufficient that a director, officer, employee or agent of the body corporate acting in the course of his employment or agency had that state of mind. Guilty knowledge of any employee can result in an offence being committed by the employer (as well as by the employee).

  1. REPORTING ENTITIES AND THEIR OBLIGATIONS

Under Articles 1 and 15 of the Regulation, the Reporting Entities are defined as follows:

  • Financial institutions: Anyone who conducts one or several of the activities or operations defined in the Implementing Regulation of the present Decree Law for the account of, or on behalf of, a client.
  • Designated Nonfinancial Businesses and Professions, which include: lawyers, notaries, other legal professionals and independent legal auditors, except when the information related to these operations has been obtained subject to professional confidentiality; company incorporation, management, mergers, acquisitions and company sale or purchase businesses, etc.

The Reporting Entities are obliged to conduct KYC procedures and ongoing monitoring, and to report suspicious activities to the Financial Intelligence Unit of the Central Bank of the UAE as well as to other relevant authorities.

  1. INTERNAL CONTROLS, POLICIES AND PROCEDURES

All Company employees must undergo AML training in a manner, scope and frequency appropriate to their role in the Company. The Company must set forth internal policies, controls and procedures, including the employee AML training, so that it can effectively manage and mitigate the risks identified; it must review and update them continuously, and apply them to all subsidiaries and affiliates in which the Company holds a majority stake.

  1. IDENTIFICATION REQUIREMENTS AND KYC PROCEDURES

Each person who applies to become a user of the Company’s services (“Client”) shall undergo an onboarding process comprised of a questionnaire, which shall include the Client’s identification as well as certain additional information about the Client and its planned business relationship with the Company (the “KYC Questionnaire”), of an external review, flagging possible reputational ML/TF risks associated with the Client (the “Screening”) and of an identification through documentation submitted by the Client (the “Identification”) (together the “KYC Process”).

The Company shall document and preserve any information and documents gathered in the KYC process, in a manner making it possible to respond fully and without unreasonable delay to relevant inquiries from competent authorities.

The KYC Process shall be accomplished following the KYC principle, according to which the operating profile, purpose of operation, beneficial owner of the Client and, if necessary, the source and origin of the funds used in the transaction and other similar information essential for the establishment of a business relationship shall be identified in addition to the identity of the Client itself. The KYC shall provide the necessary information for determining the Client’s initial risk profile.

The Company may use third party service providers during the KYC process and/or ongoing monitoring.

KYC Questionnaire

Any person applying to become a Client shall complete a short questionnaire to provide the Company with the basic information about itself, as the Company shall determine required considering the client’s circumstances (the “KYC Questionnaire”), including regarding:

a. General Information

– Client’s purpose and intent in the establishment of the business relationship;

– Client’s anticipated size of transactions;

– Client’s sources of income, fortune and assets;

– Client’s occupation or field of activity;

– Client’s permanent seat (place of residence/place of business);

– Client’s main contracting partners (if relevant);

– Identity of the beneficial owner (if necessary);

– Client’s telecommunication contact details;

– Any additional information which seems relevant in connection to a specific Client or group of Clients;

– Full name;

– Personal identification code, or, if none, the date and place of birth;

– Whether the Client is himself a politically exposed person or related to one (“PEP”);

Screening

The details of the Client, as provided in the KYC Questionnaire, shall be screened against updated ‘watchlists’ (the “Screening”). The specific watchlists to be used for the Screening shall be determined by the Compliance Officer, and shall include, inter alia, sanction lists published by national and international authorities, lists of ML/TF suspicious persons published or held by third parties, and lists of identified PEPs.

Identification

Prior to entering into a business relationship, the Client must be identified by providing the Company with the information detailed in the KYC Questionnaire, backed with a copy of the following documents (the “Identifying Documents”):

Any individual who must be identified under this Policy shall present one of the following identifying documents:

i. A document issued for digital identification of a person;

ii. Valid travel document issued in a foreign country; or

iii. Valid driver’s license.

Establishing the Identity of Relevant Persons

Where the Client is a legal entity, the identities of the following persons (the “Relevant Persons”) must be established, through the measures prescribed above, in addition to the identity of the Client itself:

a. Beneficial Owners

The Client shall provide the Company with the information required to identify its beneficial owner. The following persons shall be considered as “beneficial owners”, whose identity must be established in addition to the identity of the Client itself, for the purposes of this Policy:

i. A natural person who, taking advantage of their influence, makes a transaction, act, action, operation or step or otherwise exercises control over a transaction, act, action, operation or step or over another person and in whose interests or favor or on whose account a transaction or act, action, operation or step is made;

ii. If any Controlling Person is not a natural person, any natural person who is to be regarded as controlling (in the sense given in paragraph (ii) above) is such a Controlling Person;

iii. If no Controlling Persons can be determined in accordance with paragraphs (ii) and (iii) above, the highest managing director or officer of the Client.

b. Representative

Where a person who is not the Client (e.g. signatory or representative) establishes the business relationship, the Client shall provide the Company with the following:

i. The identity of the natural person(s) who establish the business relationship (the “Representative”), in addition to that of the Client;

ii. Documents setting the Representative’s authority (e.g. Power of Attorney) must be obtained and documented.

c. Where the business relationship is established by a trustee, nominee, protector, receiver, etc., all relevant documents establishing or confirming such person carrying out such a position must also be obtained and documented.

d. If there is any doubt regarding the authenticity or the legal force of a relationship referred to under this Section, further information, documents and/or proof should be obtained, and the business relationship shall not commence prior to such relationship being clarified.

Based on the information gathered via the KYC Process, the Company shall assemble an individual profile of the Client upon entry into a business relationship (the “Client Profile”). The Client Profile shall allow the Company to understand the Client’s financial background, the origin of the Assets, and the purpose of the business relationship, as well as to check their plausibility in terms of legitimacy, or to identify circumstances that require particular clarification. Based on the Client Profile the Company shall perform a risk assessment, to determine the Client’s risk profile and the necessary corresponding mitigating due diligence measures to be taken (the “Risk Profile”).

ONGOING AML REQUIREMENTS

Ongoing Monitoring

a. Ongoing Monitoring of Transactions

Every transaction which is undertaken by a Client with the Company shall be electronically monitored and reviewed to ensure that it is in concert with the Client’s initial declared scope and purpose for the establishment of the business relationship and coherent with the Client’s Risk Profile and transaction history (the “IT Monitoring”). Said monitoring shall identify transactions which should be more thoroughly examined, based, among others, on frequency of transactions, forming or breaking of any pattern of behavior, size of transaction, etc., taking into account the profile of the specific Client, and the observed characteristics of relevant groups of Clients.

Where a transaction is flagged as unusual or suspicious of ML/TF, the Compliance Function shall manually review the findings, assess the risks and operate according to its findings. After the aforementioned review is undertaken, the Risk Function shall document the transaction and the results of its review in the Client’s AML File.

If the Risk Function determines that a transaction is suspicious of ML/TF, it shall provide a Report of Suspicion as detailed below.

b. Ongoing Monitoring of Business Relationships

i. All Business Relationships

A. Screening

The details of Clients (as well as those of their Relevant Persons) shall undergo a Screening, at least:

i) Where the Client’s Risk Profile is Low – every 3 months;

ii) Where the Client’s Risk Profile is Medium – every 2 months;

iii) Where the Client’s Risk Profile is High – every month;

B. The IT Monitoring procedures shall be conducted on an ongoing basis, identifying not only suspicious transactions, but also other issues related to the Clients and the business relationships which should raise awareness. Once such an issue is flagged by the IT Monitoring, the Compliance Function shall immediately review it manually.

C. The Compliance Function shall periodically review all existing business relationships to identify any changes which seem to have occurred in connection with the Clients, conduct a more overarching review of the different transactions made with them over the entire business relationship, and identify any unusual or suspicious details which might have been missed in the review of specific transactions as described above.

Such reviews shall take place at least:

– For Low Risk Profile Clients – once every 18 months;

– For Medium Risk Profile Clients – once every 12 months;

– For High Risk Profile Clients – once every 6 months;

D. The Compliance Officer shall perform routine sampling of the AML Files, reviewing the appropriateness and completeness of such Files and the processes documented therein.

ii. Medium Risk Profile Business Relationships

In addition to the reviews undertaken in accordance with paragraph (i) above, the Compliance Officer shall review, at least once per year, each business relationship of Medium Risk Profile Clients.

iii. High Risk Profile Business Relationships

In addition to the reviews undertaken in accordance with paragraphs (i) and (ii) above, the AML Board Member shall annually review and decide on the continuation of any High Risk Profile business relationship.

c. Identifying ‘Suspicious’ Business Relationships/Transactions

The reviews described above shall aim at detecting:

i. any discrepancies between the information previously gathered (as documented in the Client’s AML File) and any information which is currently known or is available to the Company (e.g. any updates or changes which have occurred in the Client’s details);

ii. any discrepancies between the Client Profile and the transactions undertaken by it (e.g. transactions which do not seem to match the Client’s financial status or expected scope of business); and

iii. any other suspicious behaviour or pattern (e.g. transactions with no visible business logic, frequent purchase/sell/transfer of funds).

If any of the above is detected by an employee, whether as part of a routine review by the Compliance Function, or by any other means, it shall immediately be reported to the Compliance Officer.

An employee does not need to have evidence that money laundering is taking place in order to have a suspicion of such money laundering. All employees will be encouraged to seek advice from their manager and/or the Compliance Officer if they have any queries.

d. Change in Risk Levels

If, at any time after the establishment of the business relationship, there is a reason to alter the Client’s Risk Level, this issue shall be brought before the Compliance Officer, who may decide on this issue and alter such Risk Level, or bring it before the Board to do the same.

Such reasons may include, inter alia:

– New information regarding the Client that has come up during Screening;

– Suspicion regarding the Client has been raised by one of the Company’s employees;

– The Company becomes aware of any new and relevant information.

e. Inactive Business Relationship

Where a Client does not perform any transaction with the Company for a period exceeding 6 months, such Client will become an ‘inactive client’ and the Company will cease performing all ongoing measures described above. Where an inactive Client wishes to perform another transaction, the Company shall perform the necessary reviews to revalidate its status before completing such transaction.

Registration and Storage of Data

a. The Company shall register all the Client’s information obtained in the KYC Process and DD procedures in the Company’s Clients database, including all data regarding Company decisions on approval or refusal of establishment of business relationship or a transaction.

b. The respective data shall be stored in a format reproducible in writing and, if required, shall be made accessible by all appropriate staff of the Company.

c. Documents which serve as the basis for the identification of a Client or Client representative, and documents serving for the establishment of a business relationship shall be kept and stored by the Company for at least five (5) years following the termination of the business relationship, or as otherwise required by applicable law.

REPORTING SUSPICIOUS BUSINESS RELATIONSHIPS/TRANSACTIONS

Report to the Compliance Officer

Internal reporting of any suspicious matters in connection with this Policy shall be made immediately by the individual having such suspicions (regardless of whether or not such individual is part of the Compliance Function) to the Compliance Officer.

The Compliance Officer shall analyze the content of the information received and forward the respective information to the AML Board Member.

a. Evaluation of Suspicion

The Compliance Officer, upon receiving a report (or in any other manner becoming aware of any suspicion of ML/TF), shall immediately review such suspicion, evaluate its merits, and conclude what actions shall be taken in connection therewith. In doing so, the Compliance Officer may consult the Compliance Function, the employee who reported the suspicion, the Board, or any other person within the Company.

The actions which the Compliance Officer may decide to be taken may vary depending on the circumstances, and include any action mentioned in this Policy. These include, but are not limited to:

i. no-action;

ii. instructing the Compliance Function to conduct further review;

iii. reclassification of the Risk Level of the business relationship;

iv. immediate termination of negotiations aimed at establishing the business relationship;

v. reporting to the AML Board Member; and

vi. reporting to authorities, as further described below.

Report to the relevant authority

The Compliance Officer is responsible for determining when a report to the relevant authority is to be made, and for making the report.

The relevant authority shall be notified of any suspicious and unusual transactions, regardless of whether the transaction is made in a single payment or several related payments over the course of a year.

A Client who is reported to the relevant authority as being suspicious may not be informed of the same. It is also prohibited to inform any third persons, including other employees, of the fact that information has been reported to the relevant authority, and of the content of the reported information, except for the AML Board Member/Compliance Officer.

a. Duty to Report

A report to the relevant authority must be filed, not later than twenty-four (24) hours after discovering any activities or circumstances or the arising of suspicion, if the Company knows or has reasonable grounds to suspect that assets involved (or which are expected to be involved) in the business relationship:

i. Are the proceeds of a felony or of an aggravated tax misdemeanor;

ii. Are connected to money laundering or to a criminal organisation which pursues the objective of committing crimes of violence or which aims at financial gain by criminal means;

iii. Serve the financing of terrorism;

iv. Are subject to the power of disposal of a criminal organisation; or

v. Are related to persons contained on sanction lists.

The abovementioned duty to report to the relevant authority arises whether such knowledge or suspicion arises before or after a business relationship is established (i.e. whether the Company refuses to establish the relationship or establishes it and gains such knowledge or suspicion at a later date).

A report to the relevant authority must also be made immediately if any other competent authority forwards to the Company in any manner the details of a person which they consider to be involved in unlawful activities of any kind, and the Company finds that the information regarding such person matches or is very similar to that of a Client, its controlling person, beneficial owner of the assets or authorized signatory of a business relationship or transaction. In any such event, the Company must immediately freeze the assets entrusted to it which relate to the report, until it receives an order from the competent prosecution authority, but at the most five (5) working days from the time at which the relevant report was filed with the relevant authority.

  1. DUE DILIGENCE

The Company is committed to recognizing, assessing and understanding ML/TF risks it may face in connection with its Clients and their transactions, and to taking appropriate measures to mitigate these risks using a risk-based approach.

The Company shall apply Client due diligence measures, to ensure the proper identification and verification of the Client or Client representatives participating in the transaction, as well as ongoing monitoring of business relationships, including transactions carried out during business relationships, regular verification of data used for identification, update of relevant documents, data or information and, when necessary, identification of the source and origins of funds used in transactions (the “Due-Diligence” or “DD” process).

Depending on the Client Risk Profile level and depending on whether the business relationship is an existing one or about to be established, the Company shall apply varying DD measures. For this reason, not all the procedures contained in this Part III shall be applicable to all Clients. Whenever the Company is unable to complete a DD measure, or doubt arises during the application of a DD measure, the Company shall automatically raise the Client’s Risk Profile Level, and apply a more stringent DD measure.

When determining the risk profile and the corresponding due diligence mitigating measures, the Company shall take into account, when relevant, the information detailed in subsection (a) and the risk assessment detailed in subsection (b):

a. Information affecting the risk profile

– Provisions of the National Risk Assessment, as published on the website of the Ministry of Economy;

– Information regarding the nature of the business relationship and/or occasional transaction, as gathered in the KYC Process;

– The volume of the property deposited by the customer or the proprietary volume of the transaction or of transactions made during a professional act;

– The estimated duration of the business relationship;

b. Risk assessment

The risk assessment shall take into account the following risk categories, the probability and consequences of their realization and the probability of an increase in the risk:

i. Client associated risks, whose factors arise from the person or client participating in a transaction. These factors may include:

– The legal form, management structure and field of activity of the client, including whether it is a trust fund, civil law partnership or another similar contractual legal entity or a legal person with bearer shares;

– Whether the client is a PEP;

– Whether a third party (individual) is the beneficial owner;

– Whether the identity of the beneficial owner is impeded by complex and non-transparent relations;

– The residency of the client, including whether the client is registered in a low tax rate jurisdiction;

– Whether the client is included in international sanctions lists;

– Circumstances (including those identified in the course of a prior business relationship) resulting from the experience of communicating with the client, its business partners, owners, representatives and any other such persons;

– Whether the origin of the client’s assets or the source and origin of the funds used for a transaction can be easily identified;

– The type and characteristics of the client’s business;

– The possibility of classifying the client as a “typical client”; and

– Problems during the client’s identification procedures.

ii. Transaction associated risks, whose factors result from the Client’s economic activities or the exposure of a specific product or service to potential money laundering risks. These factors may include:

– The transaction involves currency exchange or purchase of precious metals;

– The transaction involves a private bank;

– The transaction involves alternative payment methods;

– The transaction involves gambling;

– The transaction involves rarities or exclusive goods;

– The transaction involves innovations;

– The transaction involves commercials; and

– The transaction involves company establishment or management.

iii. Country or geographical associated risks, whose factors arise from differences in the legal environment of various countries. These factors may include:

– Whether the transaction involves low tax rate jurisdictions, entailing a company registered to such jurisdiction or services provided at such jurisdictions;

– Whether the jurisdictions involved apply legal provisions that are in compliance with the international standards of AML/CFT;

– Whether the transaction involves a jurisdiction with a high crime rate (including drug-related crime rate);

– Whether the transaction involves a jurisdiction that is included in international sanction lists; and

– Whether the transaction involves a jurisdiction with high levels of corruption according to the Corruption Perceptions Index (“CPI”) published by Transparency International.

iv. Interface associated risks, whose factors arise from the channels (mainly the Internet) through which the business relationship is established and the transactions are carried out. These factors may include:

– Whether the client is identified face-to-face;

– Whether the channel facilitates anonymity; and

– Whether the channel facilitates third party funding.

Risk profile

The conducted risk assessment shall result in a risk profile, identified through the risk factors mentioned above, and according to the following scale:

a. Low Risk Profile: risk is considered low when there are no influential risk factors in any category. The client and the transaction can be described as “typical” and transparent, and there is no suspicion that the combination of risk factors may lead to the risk of ML/TF.

b. Medium Risk Profile: risk is considered medium when there are one or more risk factors that differ from the sphere of the “typical” client, but the transaction itself is clear (i.e. there are no risk factors in the transaction associated risks category). At the same time, there is no suspicion that a combination of the risk factors may indicate ML/TF.

c. High Risk Profile: risk is considered high when there are multiple risk factors and the transaction itself is not clear. The combination of these factors casts doubt on the transparency of the client’s identity and transactions, indicating ML/TF.

– Any Client identified as a PEP shall be classified as High Risk Profile;

Examples of risk indicators applicable to the above categorization are attached hereto as Annex 1.

The Company shall document the determination of the risk profile, update it and make the data available to competent authorities, if necessary.

Verification

The Company shall verify the identity of the Client and, in the case of legal entities, the Client’s representatives and beneficial owners, as provided through the KYC Questionnaire and Identification Documents, applying the following measures:

a. Individuals

i. Where the Client’s Risk Profile is low – A document submitted to the Company for identification shall be assessed by the Compliance Function as follows:

– Validity of the document based on the expiry date;

– The outward likeness and age of the person match the appearance of the person represented on the document;

– When relevant, the personal identification code matches the gender and age of the submitter;

ii. Where the Client’s Risk Profile is medium – in addition to the measures described above, the Compliance Officer shall describe and apply additional verification measures, which may include:

– Additional documents, data or information originating from a reliable and independent source; or

– Verification on the basis of trust services;

iii. Where the Client’s Risk Profile is high – in addition to the measures described above, the Compliance Officer shall obtain the further verification measures, which shall be approved by the AML Board Member. These may include:

– Additional documents, data or information originating from a reliable and independent source;

– A notarized or officially authenticated copy of the Identification Documents;

b. Legal Entities

i. Where the Client’s Risk Profile is low – A document submitted to the Company for identification shall be assessed by the Compliance Function by accessing the relevant register electronic database;

ii. Where the Client’s Risk Profile is medium – in addition to the measures described above, the Compliance Officer shall describe and apply additional verification measures, which may include:

– Obtaining additional documents, data or information originating from a reliable and independent source;

– Verification on the basis of trust services;

iii. Where the Client’s Risk Profile is high – in addition to the measures described above, the Compliance Officer shall obtain further verification measures, which shall be approved by the AML Board Member; these may include:

– Additional documents, data or information originating from a reliable and independent source;

– Obtaining corporate documents certified by a notary or officially authenticated;

c. Verification of the Identity of Beneficial Owners

The Company shall verify the identity of the Beneficial Owner, applying the following measures:

i. Where the Client is a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner – no additional verification measures shall be required;

ii. Where the Client’s Risk Profile is low – a written statement must be obtained, confirming that such persons are all of the Controlling Persons (or highest managing director or officer, in the case of 10(iv) above) of the Client (the “Controlling Persons Statement”). The Controlling Persons Statement must be dated and signed by the person authorized by the Client to do so on behalf of the Client, and approved by the Compliance Function;

iii. Where the Client’s Risk Profile is Medium – in addition to the measure detailed in subsection (b), enquiries to the respective registers shall be made and additional documentation identifying the Controlling Persons must be obtained. The additional documentation may include company records or annual reports clearly identifying the Controlling Persons, as approved by the Compliance Officer;

iv. Where the Client’s Risk Profile is High – in addition to the measures detailed in subsection (b)-(c) above, the Company shall obtain additional verification from credible sources. This verification may include information received in a format reproducible in writing from a credit institution (“CI”) registered in the United Arab Emirates or in an equivalent third country or a branch thereof. The additional verification shall be brought before and approved by the AML Board Member.

Whenever the Company establishes that the identification of a Client is insufficient, enhanced verification measures shall be applied.

Clarifications and Collection of Additional Information

For any risk indicator identified by the Company during the performance of the procedures described above, additional details and information shall be collected for the purpose of understanding and mitigating such risks. As prescribed by the competent Company function (determined in accordance with the Client’s risk level), the following measures shall be applied in connection with each risk factor identified:

a. Where the Client’s Risk Profile is Low – Compliance Function shall contact the Client for further clarifications, provision of documentation and/or proof;

b. Where the Client’s Risk Profile is Medium – in addition to the measure described above, the Compliance Function shall conduct a verification of the further information received from the Client through a reliable and independent source of information;

c. Where the Client’s Risk Profile is High – in addition to the measures described above, the Compliance Function shall conduct a thorough review of each Risk Factor and additional information received regarding it, which may include its verification through an additional second reliable and independent source of information as well as requiring further documentation from the Client, and submit the same for the review and approval of the Compliance Officer.

– For example: in the case of a Client’s High Risk Profile due to doubts regarding its source of funds, the Compliance Function may require the Client to submit bank confirmations and tax reports, conduct a verification of the documents filed, and review the plausibility of the Client’s funds in light of the additional information gathered. If the Compliance Function is convinced that the documents provided are complete and accurate, and provide sufficient comfort regarding the legitimacy of the Client’s funds, a report of the same shall be submitted for the approval of the Compliance Officer.

d. Where the Client is a PEP – in addition to the measures described above, a thorough review into the Client’s source of funds (regardless of any additional risk indicator applicable), and gathering of relevant documentation shall be conducted by the Compliance Officer, the results of which shall be brought for the final approval of the AML Board Member.

Approval of Client Business Relationship

Upon the completion of the DD measures described above, the business relationship may be approved by the corresponding authority within the Company and established, as follows:

a. Where the Client’s Risk Profile is Low – The Compliance Function shall review the information gathered in the DD process and approve the establishment of a business relationship;

b. Where the Client’s Risk Profile is Medium – The Compliance Officer shall review the information gathered in the DD process and approve the establishment of a business relationship;

c. Where the Client’s Risk Profile is High – The AML Board Member shall review the information gathered in the DD process and approve the establishment of a business relationship.
