AML POLICY

1. Introduction

The Managing Director of Tapins Company S.R.O., registration number 047 93 391 ('the Company') has established these rules in accordance with the Czech Law on measures against money laundering and the financing of terrorism ("AML") as well as European regulations and general guidelines on measures against money laundering and the financing of terrorism ("AML regulations").

2. Definitions

Customer: Users of the Company's services from whom the Company receives funds, to whom it distributes or pays out funds, or with whom it has otherwise established a business relationship.

Customer relationship: A Customer with whom the Company has a contractual relationship.

3. Instructions, routines and responsibilities

The M.D. is responsible for ensuring that these internal rules are appropriate at the time based on the nature, scope and complexity of the business.

The Company has also developed procedures for how employees in the Company must act to minimize the risk of money laundering and terrorist financing. The Company's Head of Compliance (CCO), and of the Board of Directors has appointed a Money Laundering Reporting Officer (MLRO) in accordance with AML regulations. The MLRO's "functional responsibilities" are to decide on risk assessment, procedures, control systems, order reports, training programs and guidelines on measures against money laundering and the financing of terrorism within the framework of these rules.

4. Procedures to evaluate and update the Company's risk assessment.

To prevent the Company's activities and services from being used for money laundering and terrorist financing, the Company shall take action on the basis of a risk-based approach and deploy risk-based procedures, involving the ongoing analysis of the Company's business based on its nature, scope and complexity. The Company will take measures based on established procedures in conjunction with the results of such a risk assessment. The risk assessment and related measures will be reviewed, at least annually, to ensure that they fulfil their function and that they are considered in those areas of the business where existing risks have been identified. The risk assessment will be reviewed at least yearly to:

  1. Assess risk associated with new
  2. New geographical areas of
  3. New or revised regulations from regulatory

The risk assessment shall always be evaluated at the Company's introduction of new services or entering new markets. The M.D. is responsible for ensuring that the risk assessment is developed and updated, but practical work on the risk assessment shall be led by the MLRO. The risk assessment takes into account factors such as the Company's customers, their behavior patterns and geographical location as well as the Company's products/services and other relevant factors such as distribution channels and markets.

5. Customer due diligence procedures

The Company must take basic measures to achieve customer insight in the following cases:

  1. When a new Customer relationship is established.
  2. If the Company believes that it is uncertain whether the information provided is reliable enough.
  3. If, for some reason, the Company suspects that the transaction is related to money laundering or terrorist financing.

5.1. Measures taken to achieve customer due diligence

The Company takes the following measures to obtain customer information. Verification of the identity of the Customer is implemented as shown below.

a. Natural person remotely

(i) collection of data concerning the customer's name, address and personal data (or equivalent identification basis) together with a copy of the customer's identity; verification of any information on available public records or certificate or equivalent documentation, or

(ii) When applicable, information retrieval based on due diligence measures carried out by third parties pursuant to Chapter 2, provided, first, that such third party is resident in the EEA and that the Company, without delay, receives the information about the Customer that the third party has obtained and the documentation that forms the basis of the data.

b. Legal person-physically or remotely

(i) Through the acquisition of the certificate of incorporation or equivalent authorisation documents, or by an equivalent check against an external control registry, as well as checks of the representative of the legal entity; for an identity check at a distance, the information obtained from the representative is also checked against the certificate of incorporation or equivalent authorisation documents or data from other external repositories.

5.2. Control of the real identity of the beneficial owner

Control of the beneficial owner's identity is implemented as shown below.

a. Natural person remotely

The Company collects relevant data from the Customer on whether the Customer is acting on behalf of another natural person. If the answer is 'Yes', the Customer shall provide information on the beneficial owner together with the document proving the Customer's authority to act on behalf of the beneficial owner.

b. Legal person-physically or remotely

The Company collects identity information in a questionnaire declaring the details of the natural person's direct or indirect ownership of more than 25% of the customer, or the natural person who otherwise has control over the customer (beneficial owner).

5.2.1. Verification against EU, UN and OFAC sanctions lists

The Company deploys controls against the EU, UN and OFAC sanctions lists to verify that the Customer is not sanctioned.

5.2.2. Obtaining information on the purpose and nature of the business relationship

All Customers are requested in a questionnaire to declare the purpose and nature of the business relationship.

5.2.3. Politically exposed person

All Customers are requested in a questionnaire to declare if the customer, the customer's next of kin or the customer's beneficial owner is a politically exposed person ("PEP") under Chapter 3, section 10 AML. The Company makes a search for relevant records to determine whether the customer or the customer's actual beneficial owner is a PEP. If the Customer or the Customer's beneficial owner is a PEP, the client will be denied access to the Company's services.

5.3 Simplified customer due diligence

Simplified customer due diligence will only be applied if the Customer or transaction is identified as having a lower degree of risk, as set out in the Company's policy for a risk-based approach, taking into consideration the risk profile assigned to the Customer as well as geographical risk. Simplified customer due diligence will only be applied if the risk is considered lower based on factors such as the country of residence, incorporation or operations, the nature and the size of the transaction or transactions, the product and the delivery channel.

Simplified customer due diligence will only be applied if a transaction with a Customer has a value that does not exceed EUR 50 during one rolling twelve-month period, whether that transaction is carried out in a single operation or in several operations which appear to be linked.

Simplified customer due diligence will still, at minimum, require the collection of the name, surname, address, phone number and e-mail of the Customer. The phone number and e-mail must be verified with, respectively, an SMS verification code and a verification link sent to the customer.

The Company will also use technology to determine if there are other indicators that potentially could mean the risk would not be lower, when determining if a simplified customer due diligence can be sufficient.

5.4 Enhanced customer due diligence measures

The Customer will in a questionnaire declare the origin of the funds that are managed within the framework of the business relationship or the single transaction. If the declared information by the Customer is not considered enough to achieve satisfactory due diligence, the Company will request additional information from the Customer.

6. Mechanisms for ongoing monitoring of the business relationship

The company applies an electronic CRM system to continuously follow up the Company's business relationships with Customers to ensure that transactions are consistent with the historical data about the customer. The Company has its risk and business profile and, if knowledge about the origin of managed funds originate and otherwise in the manner described in section 8 the CRM system will be updated for new business transactions between the Customer and the Company.

6.1 Screening of EU, UN and OFAC Sanction lists

The Company deploys monthly screening of our customers against the EU, UN and OFAC sanctions lists to verify that the Customer is not sanctioned.

Screening will be deployed regardless of the customer's risk category registered in our CRM system.

7. Procedures to preserve documents

The CRM system described above is designed to provide a searchable way to preserve all documents and information about the measures taken to achieve customer insight, for at least five years after the business relationship ends, at which point the measures expire.

8. The audit obligation

The Company has, through the CRM system, implemented procedures to review the transactions in order to detect whether these constitute suspicious transactions in the manner provided in AML regulations.

The review aims primarily to draw attention to transactions involving particular risk, in particular complex or extensive transactions and unusual patterns of transactions. In addition, it considers geography and the customer's country of residence or birth.

The review takes the above into consideration along with deviating transactions identified in an audit and conducts a risk assessment. These are measured by assigned risk scores in a CDD process taking geographical areas into account, mentioned in Appendix 1 pp. 11-21. These scores are divided into three risk ratings classified as Low, Medium and High. These risk ranges are defined in a matrix as:

  • 0 – 500, Low
  • 501 – 800, Medium
  • 801 – upwards, High

The CRM system will apply a methodology to detect deviations in the historical data and, with the assigned risk score, to classify customers into appropriate risk profiles. A due diligence and risk assessment is then conducted based on the Customer's transaction patterns (such as critical transaction volumes in terms of amount and number of changes within a given time span, in crediting method for execution of transactions, changing IP addresses when carrying out transactions, etc.). These CRM system routines are set to constantly monitor all transactions and CRM system activity to raise "red flags" in case of abnormal behavior or deviations from set rules.

Depending on the assigned risk level, customers are reviewed at different intervals.

  • Low risk customers are re-evaluated every 1 month
  • Medium risk customers are re-evaluated every 2 weeks (bi-weekly)
  • High risk customers are re-evaluated every 1 day (if transactions recorded)

At the "red flags", the Company shall update its risk assessment in accordance with AML Regulations, and otherwise ensure that the Customer provides sufficient information about the purpose and nature of the business relationship and the origin of the funds that are managed within the framework of the ongoing business relationship, in accordance with AML Regulations. In the event that the Company believes that the transaction is suspicious, or the Company has reasonable grounds to suspect that the transaction is part of money laundering or terrorist financing, qualified staff shall ensure that the transaction is investigated by the MLRO. See further section 9.

The Company's audit routine will lead to one of four outcomes.

  1. The transaction is accepted without action (no abnormalities detected),
  2. The transaction is accepted but marked as suspicious ('red flag'); additional information from the Customer to be obtained (CDD),
  3. The transaction is denied and marked as suspicious ('red flag'); additional information from the Customer to be obtained to satisfy an enhanced due diligence (EDD),
  4. The transaction is denied, or
  5. The entry is denied, and the Customer's account will be

9. Obligation to report to the authorities

In a case in which the Company has acted in accordance with section 8 (b)-(d), and still suspects that the transaction is part of money laundering or terrorist financing, information on the circumstances that indicate such activities shall, without delay, be submitted to the authorities in the manner prescribed by the current laws, rules and regulations valid in Czechia.

10. Retention of data on measures taken

The Company shall preserve information concerning the measures taken by the review of transactions in the manner described in section 7.

11. Training programs

The employees involved in the monitoring of transactions are trained continuously in matters related to money laundering and terrorist financing. Programs, workshops, and training efforts shall be put forth by the MLRO. Training activities will include ongoing information about changes in the regulatory environment and about trends, patterns, and methods that are used, or can be used, in money laundering and terrorist financing. Appropriate training measures must be taken without delay if the responsible function, or anyone else, discovers flaws in the Company's organizational or IT-related procedures which are likely to lead to an increased risk of the Company's operations being used for money laundering or terrorist financing. Please see Appendix 2 for additional information.

12. Procedures to protect employees

The Company has noted that situations may arise where the Company's employees may be exposed to threats or hostile action as a result of reviewing and reporting suspicions of money laundering or terrorist financing. In cases where such situations arise, they should inform the MLRO about the incident. The MLRO considers what action to take and is responsible for the investigation of the incident and for ensuring that the knowledge thus obtained is used to update the procedures that protect employees.

13. Guidelines on internal control, compliance and internal information

The Company shall, by means of internal control and control of regulatory compliance, ensure that the internal rules are compliant with money laundering regulations and the Company's procedures, in particular with regard to the Company's procedures for auditing and disclosure as described above. The MLRO is responsible for this control. Checks shall be carried out by sampling, interviews with relevant staff and through continuous review and assessment of the Company's processes and procedures and how they are documented. It is of particular importance that enforcement is carried out when implementing operational changes or changes in the relevant regulations, or when the Company has learned of new designs or methods which are or could be used for money laundering or terrorist financing.

The responsible MLRO shall also propose to the Board and the M.D. measures to correct any abnormalities after the review has been established in the business. The MLRO is also responsible for evaluating the measures taken to remedy any deviations.

In the CRM system, effective procedures for the Company's internal information management should be implemented to ensure that all relevant information generated in the CRM system is conveyed to the MLRO.

14. Independent audit of risk and control framework

The Company deploys a risk and control system with two lines of defense:

  • The first line consists of the Company's business operations, in particular Customer facing business units, such as and including the MD and the board of directors. They should know and carry out the policies and procedures and be allotted sufficient resources to do this.
  • The second line consists of an independent in-house Compliance Officer and an independent in-house Risk Officer, or teams with the same functions, that utilize full data and systems access to manage risks in accordance with the business objectives and regulatory requirements. These function independently, and assess the AML and CFT risks, together with the effectiveness of controls, regularly reporting findings and compliance planning strategies to the Board of

The Company does not at present have an internal audit function, which would have constituted a third line of defence. The internal audit function has not been instituted because the Company does not hold the opinion that it is required to have such a function under AML regulations. If an internal audit function were to be implemented, it would have an advisory role to improve processes.

1) Appendix

Appendix 1 Geographical areas

Geographical area Risk category
Afghanistan High
Albania High
Algeria High
American Samoa Medium
Andorra High
Angola High
Anguilla High
Antarctica Low
Antigua and Barbuda High
Argentina Medium
Armenia High
Aruba High
Australia Low
Austria Low
Azerbaijan Medium
Bahamas High
Bahrain High
Bangladesh High
Barbados Medium
Belarus High
Belgium Low
Belize High
Benin High
Bermuda High
Bhutan High
Bolivia High
Bonaire, Sint Eustatius and High
Bosnia and Herzegovina High
Botswana High
Bouvet Islands High
Brazil Medium
British Indian Ocean Territory High
British Virgin Islands High
Brunei Darussalam High
Bulgaria Medium
Burkina Faso High
Burundi High
Cambodia High
Cameroon High
Canada Low
Cape Verde High
Cayman Islands High
Central African Republic High
Chad High
Chile Low
China High
Christmas Islands High
Cocos Islands High
Colombia Medium
Comoros High
Congo Democratic Republic High
Cook Islands High
Costa Rica Medium
Côte d'Ivoire High
Croatia Medium
Cuba High
Curacao High
Cyprus Medium
Czech Republic Low
Denmark Low
Djibouti High
Dominica High
Dominican Republic High
Ecuador High
Egypt High
El Salvador High
Equatorial Guinea High
Eritrea High
Estonia Low
Ethiopia High
Falkland Islands Medium
Faroe Islands Low
Fiji High
Finland Low
France Low
French Guiana Medium
French Polynesia Medium
French Southern Territories Medium
FYR of Macedonia Medium
Gabon High
Gambia High
Georgia Medium
Germany Low
Ghana Medium
Gibraltar Medium
Greece Low
Greenland Low
Grenada High
Guadeloupe Medium
Guam Medium
Guatemala High
Guernsey High
Guinea High
Guinea-Bissau High
Guyana High
Haiti High
Heard Island and McDonald Islands Medium
Holy See (Vatican City) High
Honduras High
Hong Kong Medium
Hungary Low
Iceland Low
India Medium
Indonesia High
Iran High
Iraq High
Ireland Low
Isle of Man High
Israel Medium
Italy Low
Jamaica High
Japan Low
Jersey High
Jordan Medium
Kazakhstan High
Kenya High
Kiribati High
Kosovo High
Kuwait Medium
Kyrgyzstan High
Laos High
Latvia Medium
Lebanon High
Lesotho High
Liberia High
Libya High
Liechtenstein Medium
Lithuania Low
Luxembourg Low
Macau High
Madagascar High
Malawi High
Malaysia High
Maldives High
Mali High
Malta Medium
Marshall Islands High
Martinique Medium
Mauritania High
Mauritius Medium
Mayotte Medium
Mexico Medium
Micronesia High
Moldova High
Monaco High
Mongolia High
Montserrat High
Montenegro Medium
Morocco High
Mozambique High
Myanmar High
Namibia High
Nauru High
Nepal High
Netherlands Low
Netherlands Antilles Medium
New Caledonia Medium
New Zealand Low
Nicaragua High
Niger High
Nigeria High
Niue High
Norfolk Island High
North Korea High
Northern Mariana Islands High
Norway Low
Oman High
Pakistan High
Palau High
Palestinian Territory Occupied High
Panama High
Papua New Guinea High
Paraguay Medium
Peru High
Philippines High
Pitcairn Medium
Poland Low
Portugal Low
Puerto Rico Medium
Qatar Medium
Republic of Congo High
Réunion Island Medium
Romania Medium
Russia High
Rwanda High
Saba High
Saint Barthelemy Medium
Saint Helena Medium
Saint Kitts And Nevis High
Saint Lucia High
Saint Martin Medium
Saint Pierre and Miquelon Medium
Saint Vincent and the Grenadines High
Samoa High
San Marino High
Sao Tome And Principe High
Saudi Arabia Medium
Senegal High
Serbia Medium
Seychelles High
Sierra Leone High
Singapore Low
Sint Maarten High
Slovakia Low
Slovenia Low
Solomon Islands High
Somalia High
South Africa Low
South Georgia and the South Sandwich Islands Medium
South Korea Low
South Sudan High
Spain Low
Sri Lanka High
State) High
Sudan High
Suriname High
Svalbard and Jan Mayen Low
Swaziland High
Sweden Low
Switzerland Medium
Syria High
Taiwan Medium
Tajikistan High
Tanzania High
Thailand High
Timor-Leste High
Togo High
Tokelau High
Tonga Islands High
Trinidad and Tobago High
Tunisia High
Turkey Medium
Turkmenistan High
Turks and Caicos Islands Medium
Tuvalu High
Uganda High
Ukraine High
United Arab Emirates Medium
United Kingdom Low
United States Low
United States Minor Outlying Islands Medium
Uruguay Medium
US Virgin Islands High
Uzbekistan High
Wallis and Futuna Medium
Vanuatu High
Venezuela High
Western Sahara High
Vietnam High
Yemen High
Zambia High
Zimbabwe High
Åland Islands Low

2) Training programs and education of personnel

Roles in the Company have AML education annually in accordance with area of responsibility. Areas of responsibility and contents are:

  • Board and management
    • Governing bodies
    • Overview of rules
    • Responsibilities
  • Developers
    • Governing bodies
    • Overview of rules
    • Security by SW design
    • Suspicious activity reporting
  • Office personnel and consultants
    • Governing bodies
    • Overview of rules
    • Suspicious activity reporting
    • Relevant case examples
  • Compliance and Customer Service
    • Governing bodies
    • Deep insight in the rules
    • Suspicious activity reporting
    • Relevant case examples
  • MLRO
    • Full knowledge and insight