AML POLICY
1. Introduction
The Managing Director of Tapins Company S.R.O., registration number 047 93 391 ('the Company') has established these rules in accordance with the Czech Law on measures against money laundering and the financing of terrorism ("AML") as well as European regulations and general guidelines on measures against money laundering and the financing of terrorism ("AML regulations").
2. Definitions
Customer: A user of the Company's services from whom the Company receives funds, to whom it distributes or pays out funds, or with whom it has otherwise established a business relationship.
Customer relationship: A Customer with whom the Company has a contractual relationship.
3. Instructions, routines and responsibilities
The M.D. is responsible for ensuring that these internal rules are appropriate at the time based on the nature, scope and complexity of the business.
The Company has also developed procedures for how employees in the Company must act to minimize the risk of money laundering and terrorist financing. The Company's Head of Compliance (CCO), and of the Board of Directors has appointed a Money Laundering Reporting Officer (MLRO) in accordance with AML regulations. The MLRO's "functional responsibilities" are to decide on risk assessment, procedures, control systems, order reports, training programs and guidelines on measures against money laundering and the financing of terrorism within the framework of these rules.
4. Procedures to evaluate and update the Company's risk assessment.
To prevent the Company's activities and services being used for money laundering and terrorist financing, the Company shall take action on the basis of a risk-based approach and deploy risk-based procedures, involving both the ongoing analysis of the Company's business based on its nature, scope and complexity. The Company will take measures based on established procedures in conjunction with the results of such a risk assessment. The risk assessment and related measures will be reviewed, at least annually, to ensure that they fulfil their function and that they are considered in those areas of the business where existing risks have been identified. The risk assessment will be reviewed at least yearly to:
- Assess risk associated with new
- New geographical areas of
- New or revised regulations from regulatory
The risk assessment shall always be evaluated at the Company's introduction of new services or entering new markets. The M.D. is responsible for ensuring that the risk assessment is developed and updated, but practical work on the risk assessment shall be led by the MLRO. The risk assessment takes into account factors such as the Company's customers, their behavior patterns and geographical location as well as the Company's products/services and other relevant factors such as distribution channels and markets.
5. Customer due diligence procedures
The Company must take basic measures to achieve customer insight in the following cases:
- When a new Customer relationship is established.
- If the Company believes that it is uncertain whether the information provided is reliable enough.
- If, for some reason, the Company suspects that the transaction is related to money laundering or terrorist financing.
5.1. Measures taken to achieve customer due diligence
The Company takes the following measures to achieve customer information. Verification of the identity of the Customer is implemented as shown below.
a. Natural person remotely
(i) collection of data concerning the customer's name, address and personal data (or equivalent identification basis) together with a copy of the customer's identity; verification of any information on available public records or certificate or equivalent documentation, or
(ii) When applicable: information retrieval based on measures for due diligence carried out by third parties pursuant to Chapter 2, provided, first, that such third party is resident in the EEA and that the Company, without delay, receives the information about the Customer that the third party has obtained and the documentation that forms the basis of the data.
b. Legal person-physically or remotely
(i) Through the acquisition of the certificate of incorporation or equivalent authorisation documents, or by an equivalent check against an external control registry, as well as checks of the representative of the legal entity; for an identity check at a distance, the information obtained from the representative is also checked against the certificate of incorporation or equivalent authorisation documents or data from other external repositories.
5.2. Control of the real identity of the beneficial owner
Control of the beneficial owner's identity is implemented as shown below.
a. Natural person remotely
The Company collects relevant data from the Customer on whether the Customer is acting on behalf of another natural person; if the answer is 'Yes', the Customer shall provide information on the beneficial owner together with the document proving the Customer's authority to act on behalf of the beneficial owner, for real.
b. Legal person-physically or remotely
The Company collects identity information in a questionnaire declaring the details of the natural person's direct or indirect ownership of more than 25% of the customer, or the natural person who otherwise has control over the customer (beneficial owner).
5.2.1. Verification against EU, UN and OFAC sanctions lists
The Company deploys controls against the EU, UN and OFAC sanctions lists to verify that the Customer is not sanctioned.
5.2.2. Obtaining information on the purpose and nature of the business relationship
All Customers are requested in a questionnaire to declare the purpose and nature of the business relationship.
5.2.3. Politically exposed person
All Customers are requested in a questionnaire to declare if the customer, the customer's next of kin or the customer's beneficial owner is a politically exposed person ("PEP") under Chapter 3, section 10 AML. The Company makes a search for relevant records to determine whether the customer or the customer's actual beneficial owner is a PEP. If the Customer or the Customer's beneficial owner is a PEP, the client will be denied access to the Company's services.
5.3 Simplified customer due diligence
Simplified customer due diligence will only be applied if the Customer or transaction is identified as having a lower degree of risk, as set out in the Company's policy for a risk-based approach, taking into consideration the risk profile assigned to the Customer as well as geographical risk. Simplified customer due diligence will only be applied if the risk is considered lower based on factors such as the country of residence, incorporation or operations, the nature and the size of the transaction or transactions, the product and the delivery channel.
Simplified customer due diligence will only be applied if a transaction with a Customer has a value that does not exceed EUR 50 during one rolling twelve-month period, whether that transaction is carried out in a single operation or in several operations which appear to be linked.
Simplified customer due diligence will still, at minimum, require the collection of the name, surname, address, phone number and email of the Customer. The phone number and e-mail must be verified with, respectively, an SMS verification code and a verification link sent to the customer.
The Company will also use technology to determine if there are other indicators that potentially could mean the risk would not be lower, when determining if a simplified customer due diligence can be sufficient.
5.4 Enhanced customer due diligence measures
The Customer will in a questionnaire declare the origin of the funds that are managed within the framework of the business relationship or the single transaction. If the declared information by the Customer is not considered enough to achieve satisfactory due diligence, the Company will request additional information from the Customer.
6. Mechanisms for ongoing monitoring of the business relationship
The company applies an electronic CRM system to continuously follow up the Company's business relationships with Customers to ensure that transactions are consistent with the historical data about the customer. The Company has its risk and business profile and, if knowledge about the origin of managed funds originate and otherwise in the manner described in section 8 the CRM system will be updated for new business transactions between the Customer and the Company.
6.1 Screening of EU, UN and OFAC Sanction lists
The Company deploys monthly screening of our customers against the EU, UN and OFAC sanctions lists to verify that the Customer is not sanctioned.
Screening will be deployed regardless of the customer's risk category registered in our CRM system.
7. Procedures to preserve documents
The CRM system described above is designed to provide a searchable way to preserve all documents and information about the measures taken to achieve customer insight, for at least five years after the business relationship ends, at which point the measures expire.
8. The audit obligation
The Company has, through the CRM system, implemented procedures to review the transactions in order to detect whether these constitute suspicious transactions in the manner provided in AML regulations.
The review aims primarily to draw attention to transactions involving particular risk, in particular complex or extensive transactions and unusual patterns of transactions. In addition, it considers geography and the country of residence or birth of the customer.
The review takes the above into consideration along with deviating transactions identified in an audit and conducts a risk assessment. These are measured by assigned risk scores in a CDD process taking geographical areas into account, mentioned in Appendix 1 pp. 11-21. These scores are divided into three risk ratings classified as Low, Medium and High. These risk ranges are defined in a matrix as:
- 0 – 500, Low
- 501 – 800, Medium
- 801 – upwards, High
The CRM system will apply a methodology to detect deviations in the historical data and with assigned risk score to classify customer in appropriate risk profiles. A due diligence and risk assessment is then conducted based on the Customer's transaction patterns (such as critical transaction volumes in terms of amount and number of changes within a given time span, in crediting method for execution of transactions, changing IP addresses when carrying out transactions, etc.). These CRM system routines are set to constantly monitor all transactions and CRM system activity to raise "red flags" in case of abnormal behavior or deviations from set rules.
Depending on assigned risk level the customers are reviewed at different intervals.
- Low risk customers are re-evaluated every 1 month
- Medium risk customers are re-evaluated every 2 weeks (biweekly)
- High risk customers are re-evaluated every 1 day (if transactions recorded)
At the "red flags", the Company shall update its risk assessment in accordance with AML Regulations, and otherwise ensure that the Customer provides sufficient information about the purpose and nature of the business relationship and the origin of the funds that are managed within the framework of the ongoing business relationship, in accordance with AML Regulations. In the event that the Company believes that the transaction is suspicious, or the Company has reasonable grounds to suspect that the transaction is part of money laundering or terrorist financing, qualified staff shall ensure that the transaction is investigated by the MLRO. See further section 9.
The Company's audit routine will lead to one of four outcomes.
- The transaction is accepted without action (no abnormalities detected),
- The transaction is accepted but marked as suspicious ('red flag'); additional information from the Customer to be obtained (CDD),
- The transaction is denied and marked as suspicious ('red flag'); additional information from the Customer to be obtained to satisfy an enhanced due diligence (EDD),
- The transaction is denied, or
- The entry is denied, and the Customer's account will be
9. Obligation to report to the authorities
In a case in which the Company has acted in accordance with section 8 (b)-(d) and still suspects that the transaction is part of money laundering or terrorist financing, information on the circumstances that indicate such activities shall, without delay, be submitted to the authorities in the manner prescribed by the current laws, rules and regulations valid in Czechia.
10. Retention of data on measures taken
The Company shall preserve information concerning the measures taken by the review of transactions in the manner described in section 7.
11. Training programs
The employees involved in the monitoring of transactions are trained continuously in matters related to money laundering and terrorist financing. Programs, workshops, and training efforts shall be put forth by the MLRO. Training activities will include ongoing information about changes in the regulatory environment and about trends, patterns, and methods that are used, or can be used, in money laundering and terrorist financing. Appropriate training measures must be taken without delay if the responsible function or anyone else discovers flaws in the Company's organizational or IT-related procedures which are likely to lead to an increased risk of the Company's operations being used for money laundering or terrorist financing. Please see Appendix 2 for additional information.
12. Procedures to protect employees
The Company has noted that situations may arise where the Company's employees may be exposed to threats or hostile action as a result of reviewing and reporting suspicions of money laundering or terrorist financing. In cases where such situations arise, they should inform the MLRO about the incident. The MLRO considers what action to take and is responsible for the investigation of the incident and for ensuring that the knowledge thus obtained is used to update the procedures that protect employees.
13. Guidelines on internal control, compliance and internal information
The Company shall, by means of internal control and control of regulatory compliance, ensure that the internal rules are compliant with money laundering regulations and the Company's procedures, in particular with regard to the Company's procedures for auditing and disclosure as described above. The MLRO is responsible for this control. Checks shall be carried out by sampling, interviews with relevant staff and through continuous review and assessment of the Company's processes and procedures and how they are documented. Of particular importance is that enforcement must be taken when implementing operational changes or changes in the relevant regulations, or when the Company learns of new designs or methods which are or could be used for money laundering or terrorist financing.
The MLRO shall also propose to the Board and the M.D. measures to correct any abnormalities after the review has been established in the business. The MLRO is also responsible for evaluating the measures taken to remedy any deviations.
In the CRM system, effective procedures for Company's internal information management should be implemented to ensure that all relevant information generated in the CRM system is conveyed to the MLRO.
14. Independent audit of risk and control framework
The Company deploys a risk and control system with two lines of defense:
- The first line consists of the Company's business operations, in particular Customer facing business units, such as and including the MD and the board of directors. They should know and carry out the policies and procedures and be allotted sufficient resources to do this
- The second line consists of an independent in-house Compliance Officer and an independent in-house Risk Officer, or teams with the same functions, that utilize full data and systems access to manage risks in accordance with the business objectives and regulatory requirements. These function independently, and assess the AML and CFT risks, together with the effectiveness of controls, regularly reporting findings and compliance planning strategies to the Board of
The Company does not at present have an internal audit, which would have constituted a third line of defence. The internal audit function has not been instituted, because the Company does not hold the opinion that it is required to have such a function under AML regulations. If an internal audit were to be implemented, it would have an advisory role to improve processes.
1) Appendix
Appendix 1 Geographical areas
Geographical area | Risk category |
---|---|
Afghanistan | High |
Albania | High |
Algeria | High |
American Samoa | Medium |
Andorra | High |
Angola | High |
Anguilla | High |
Antarctica | Low |
Antigua and Barbuda | High |
Argentina | Medium |
Armenia | High |
Aruba | High |
Australia | Low |
Austria | Low |
Azerbaijan | Medium |
Bahamas | High |
Bahrain | High |
Bangladesh | High |
Barbados | Medium |
Belarus | High |
Belgium | Low |
Belize | High |
Benin | High |
Bermuda | High |
Bhutan | High |
Bolivia | High |
Bonaire, Sint Eustatius and | High |
Bosnia and Herzegovina | High |
Botswana | High |
Bouvet Islands | High |
Brazil | Medium |
British Indian Ocean Territory | High |
British Virgin Islands | High |
Brunei Darussalam | High |
Bulgaria | Medium |
Burkina Faso | High |
Burundi | High |
Cambodia | High |
Cameroon | High |
Canada | Low |
Cape Verde | High |
Cayman Islands | High |
Central African Republic | High |
Chad | High |
Chile | Low |
China | High |
Christmas Islands | High |
Cocos Islands | High |
Colombia | Medium |
Comoros | High |
Congo Democratic Republic | High |
Cook Islands | High |
Costa Rica | Medium |
Côte d'Ivoire | High |
Croatia | Medium |
Cuba | High |
Curacao | High |
Cyprus | Medium |
Czech Republic | Low |
Denmark | Low |
Djibouti | High |
Dominica | High |
Dominican Republic | High |
Ecuador | High |
Egypt | High |
El Salvador | High |
Equatorial Guinea | High |
Eritrea | High |
Estonia | Low |
Ethiopia | High |
Falkland Islands | Medium |
Faroe Islands | Low |
Fiji | High |
Finland | Low |
France | Low |
French Guiana | Medium |
French Polynesia | Medium |
French Southern Territories | Medium |
FYR of Macedonia | Medium |
Gabon | High |
Gambia | High |
Georgia | Medium |
Germany | Low |
Ghana | Medium |
Gibraltar | Medium |
Greece | Low |
Greenland | Low |
Grenada | High |
Guadeloupe | Medium |
Guam | Medium |
Guatemala | High |
Guernsey | High |
Guinea | High |
Guinea-Bissau | High |
Guyana | High |
Haiti | High |
Heard Island and McDonald Islands | Medium |
Holy See (Vatican City) | High |
Honduras | High |
Hong Kong | Medium |
Hungary | Low |
Iceland | Low |
India | Medium |
Indonesia | High |
Iran | High |
Iraq | High |
Ireland | Low |
Isle of Man | High |
Israel | Medium |
Italy | Low |
Jamaica | High |
Japan | Low |
Jersey | High |
Jordan | Medium |
Kazakhstan | High |
Kenya | High |
Kiribati | High |
Kosovo | High |
Kuwait | Medium |
Kyrgyzstan | High |
Laos | High |
Latvia | Medium |
Lebanon | High |
Lesotho | High |
Liberia | High |
Libya | High |
Liechtenstein | Medium |
Lithuania | Low |
Luxembourg | Low |
Macau | High |
Madagascar | High |
Malawi | High |
Malaysia | High |
Maldives | High |
Mali | High |
Malta | Medium |
Marshall Islands | High |
Martinique | Medium |
Mauritania | High |
Mauritius | Medium |
Mayotte | Medium |
Mexico | Medium |
Micronesia | High |
Moldova | High |
Monaco | High |
Mongolia | High |
Montserrat | High |
Montenegro | Medium |
Morocco | High |
Mozambique | High |
Myanmar | High |
Namibia | High |
Nauru | High |
Nepal | High |
Netherlands | Low |
Netherlands Antilles | Medium |
New Caledonia | Medium |
New Zealand | Low |
Nicaragua | High |
Niger | High |
Nigeria | High |
Niue | High |
Norfolk Island | High |
North Korea | High |
Northern Mariana Islands | High |
Norway | Low |
Oman | High |
Pakistan | High |
Palau | High |
Palestinian Territory Occupied | High |
Panama | High |
Papua New Guinea | High |
Paraguay | Medium |
Peru | High |
Philippines | High |
Pitcairn | Medium |
Poland | Low |
Portugal | Low |
Puerto Rico | Medium |
Qatar | Medium |
Republic of Congo | High |
Réunion Island | Medium |
Romania | Medium |
Russia | High |
Rwanda | High |
Saba | High |
Saint Barthelemy | Medium |
Saint Helena | Medium |
Saint Kitts And Nevis | High |
Saint Lucia | High |
Saint Martin | Medium |
Saint Pierre and Miquelon | Medium |
Saint Vincent and the Grenadines | High |
Samoa | High |
San Marino | High |
Sao Tome And Principe | High |
Saudi Arabia | Medium |
Senegal | High |
Serbia | Medium |
Seychelles | High |
Sierra Leone | High |
Singapore | Low |
Sint Maarten | High |
Slovakia | Low |
Slovenia | Low |
Solomon Islands | High |
Somalia | High |
South Africa | Low |
South Georgia and the South Sandwich Islands | Medium |
South Korea | Low |
South Sudan | High |
Spain | Low |
Sri Lanka | High |
State) | High |
Sudan | High |
Suriname | High |
Svalbard and Jan Mayen | Low |
Swaziland | High |
Sweden | Low |
Switzerland | Medium |
Syria | High |
Taiwan | Medium |
Tajikistan | High |
Tanzania | High |
Thailand | High |
Timor-Leste | High |
Togo | High |
Tokelau | High |
Tonga Islands | High |
Trinidad and Tobago | High |
Tunisia | High |
Turkey | Medium |
Turkmenistan | High |
Turks and Caicos Islands | Medium |
Tuvalu | High |
Uganda | High |
Ukraine | High |
United Arab Emirates | Medium |
United Kingdom | Low |
United States | Low |
United States Minor Outlying Islands | Medium |
Uruguay | Medium |
US Virgin Islands | High |
Uzbekistan | High |
Wallis and Futuna | Medium |
Vanuatu | High |
Venezuela | High |
Western Sahara | High |
Vietnam | High |
Yemen | High |
Zambia | High |
Zimbabwe | High |
Åland Islands | Low |
2) Training programs and education of personnel
Roles in the Company have AML education annually in accordance with area of responsibility. Areas of responsibility and contents are:
- Board and management
  - Governing bodies
  - Overview of rules
  - Responsibilities
- Developers
  - Governing bodies
  - Overview of rules
  - Security by SW design
  - Suspicious activity reporting
- Office personnel and consultants
  - Governing bodies
  - Overview of rules
  - Suspicious activity reporting
  - Relevant case examples
- Compliance and Customer Service
  - Governing bodies
  - Deep insight in the rules
  - Suspicious activity reporting
  - Relevant case examples
- MLRO
  - Full knowledge and insight