I. GENERAL PROVISIONS

Policy on prevention of money laundering and terrorist financing (hereinafter – “the Policy”) establishes the procedures of the company UAB Sapion Solution (hereinafter – “the Company”) as obliged entity, for implementation and daily compliance of the legal requirements on prevention of money laundering and terrorist financing (hereinafter – “ML/TF”).

The Policy is prepared according to the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania No. VIII-275 (hereinafter – ”the Law”), Order of the director of the Financial Crime Investigation Service Under the Ministry of Interior of the Republic of Lithuania “On instructions to deposit virtual currency wallet operators and virtual currency exchange operators to prevent money laundering and / or terrorist financing” (hereinafter – “the Order”), and other EU and national legal acts.

The main activity of the Company is the provision of virtual currency exchange and virtual currency deposit wallet services (hereinafter -

“the Services”) and related services in the Republic of Lithuania. According to the Article 2 Paragraph 10 Points 10 an 11 of the Law, the Company as a virtual currency deposit wallet and exchange operator is obliged to provide services according to the Law in order to prevent ML/TF.

The Company assesses the risks of ML/TF using a risk-based approach and evaluates the following types of risks:

• risk related to the Customer’s attributes;
• risk associated with the channel for the supply of a product, service, transaction, or service delivery
• risk related to the area (country and/or geographical).

The Policy is prepared considering that the Company does not provide financial services and cash services. All of the Company’s services are provided electronically through a service platform (website) operated by the Company.

At least annually or in the case of significant events, the Company will carry out a risk assessment, monitor the adequacy of the measures set out in the Policy for the implementation of the ML/TF, where necessary, new or adequate preventive measures shall be amended or introduced.

This Policy must be followed by all employees of the Company. The obligations of the Company as defined in the Policy must be understood as the duties of all employees of the Company unless it is provided that certain duties of the Company must be performed by a specially designated employee of the Company.

The Company shall notify the Financial Crime Investigation Service (hereinafter – “the FCIS”) in writing of the appointment or change of the employee (hereinafter – “the AML Officer”) responsible for implementation of prevention of ML/TF measures in the Company no later than 7 business days after their appointment or change.

This policy shall be accepted and approved by the resolution of the CEO and the AML Officer.

 

II. RISK ASSESSMENT AND MANAGEMENT

The Company shall apply a risk-based approach when implementing measures to mitigate the risk of ML/TF.

The Company continually assesses and manages the ML/TF risks associated with the Company’s business relationship or incidental transactions. The Company’s risk assessment consists of:

• Risk assessment at the Company level, which covers all activities of the Company, helps identify areas in which the Company has to implement priority risk management measures commensurate with the risks and the business specificities of the Company, the scope of its activities;
• Risk assessment of relationships and transactions with customers and transaction validation, which includes identification, other KYC procedures and ongoing monitoring;
• Continuous monitoring of the level of risk arising from the ongoing monitoring of customer transactions, monetary operations and status to match the Company’s customer profile and be not suspicious, ensuring that the information available to the Company is relevant, allowing an assessment of whether the level of risk has remained unchanged.

Comprehensive measures are applied by the Company to determine the risk of ML/TF both before and after establishing a business relationship with the customer, by analyzing the customer’s behavior and monetary operations, transactions carried out and information provided (documents) by him/her.

Customers of the Company are divided into following three risk groups:

• Low-risk, customers who carry extremely low risk of ML/TF, including low risk to the Company’s reputation. Low risk group customers include all those who fulfil one or more of the low-risk attributes listed in Annex 1 of this Policy.
• Medium-risk, customers rated as being at risk for some ML/TF by one or more attributes, but their status or operations carried out by them would not have the same impact on the Company’s reputation as high-risk customers or activities thereof. Medium-risk group customers include all those who do not fall under low or high risk customer categories as indicated in Annex 1 of this Policy.
• High-risk, customers who have one or more of the attributes of increased risk of ML/TF and in respect of whom the Company has a reasonable suspicion that they may significantly adversely affect the Company’s reputation. Higher risk group customers include all those who meet one or more of the high-risk attributes listed in Annex 1 of this Policy.

Customers are assigned to one of the identified risk groups when establishing business relationships. Subsequently, the risk profile of the customer may be changed in the light of the results of the monitoring of business relationships.

The customer risk assessment is built on the principle that higher risk is given a bigger risk score.

The establishment of the business relationship with high-risk customers must be approved by the AML Officer.

The customer risk assessment, both prior to establishing a business relationship and updating the customer’s data, is performed by employees responsible for the customer’s onboarding. Only after the customer’s risk assessment is completed, a decision is made on establishing a business relationship.

When assessing the risk of the customers, the primary aim is to evaluate all information available about the customers.

During assessment of customer's risk and establishment of business relationship the Company shall collect duly filled-in and executed Company's customers and/or ultimate beneficial owner questionnaire(-s) in accordance to section V of this policy. The Company's customers and ultimate beneficial owner questionnaire are presented in annexes of this Policy, accordingly Annex 2 and Annex 4.

 

III. CUSTOMER’S TRANSACTIONS AND OPERATIONS MONITORING

After establishing a relationship with the customer, the customer’s business relationships, including transaction and operations, are monitored on an ongoing basis- ongoing customer due diligence (ODD) is applied. This shall ensure that transactions and operations are consistent with the Company’s information of the Customer, its business, risk profile and source of funds. The Company maintains real–time and retrospective monitoring of business relationships and operations.

Employees of the Company (incl. the CEO and the AML Officer) must monitor customer’s transactions on an ongoing basis for any unusual operations or activities. Unusual features may be related to the size of the transaction, which is inconsistent with the customer’s financial position or past known business, the customer’s knowledge or experience, the unusual nature of the transaction as distinguished from other customer’s methods of operation or similar usual business practices, the complex structure of the transaction as compared to similar transactions in a similar profile of the customer or the market. ODD also means that the Company periodically updates of customer’s information.

In the event of any employee of the Company having any doubts about the legality, economic or legal validity of the customer’s activities or of any particular operation or transaction, its non-consistence with customer’s personal or business profile, sources of funds or financial capacity, the employee must immediately notify the AML Officer, who must then investigate further and determine decide on the necessity of reporting to the FCIS of the customer’s activity or transaction.

When monitoring the customer’s activities, transactions and operations, particular attention must be paid to:

• complex or unusually large transactions and any unusual transactional structures that have no apparent economic or visible legitimate purpose, and business relationships or operations with customers from third countries, where, in accordance with official information published by international intergovernmental organizations, measures to prevent ML/TF are insufficient or do not meet international standards.
• any threat of ML/TF that may arise from the use of the services provided or the transactions carried out in order to conceal the identity of the Customer or the beneficial owner, as well as in respect of any business relationship or transaction with the customer who has not been identified through direct presence and, where necessary, immediate measures are taken to prevent the use of money for ML/TF.
• whether the customer or a beneficial owner is included in the consolidated list of the United Nations of persons, groups and entities and bodies subject to EU financial sanctions.
• whether the customer or the beneficial owner has no links with countries that are classified in the category of higher risk countries: they are subject to European Union sanctions or other restrictive measures, as well as to the countries identified by the Financial Action Task Force as high risk or non-cooperative countries.

The Company has ongoing control over its operations for possible violations of international sanctions. Depending on the nature of the Company’s activities – provision of virtual currency services – the Company implements this obligation through a third-party monitoring tool.

The results and conclusions of unusual customer activities, transactions and operations investigations must be recorded in writing.

All communications to the FCIS are provided by the Company’s CEO or the AML Officer who is assigned to perform this function.

In case the Company has established a business relationship with the customer, determined as a high-risk customer, the Company applies enhanced ongoing customers due diligence (EODD). In addition to the measures applied for ODD, the Company shall monitor and analyze the following actions of high-risk customer:

• Transaction types (e. g. series of high-value cryptocurrency transactions in a short period of time, instant withdraw of cryptocurrency deposits with no transaction activity);
• Transaction patterns (e. g. frequent transfers of large amounts of crypto within a set period of time, to the same account from more than one person);
• Anonymity (e. g. multiple cryptocurrency wallets controlled from the same IP address, IP associated with suspicious sources);
• Senders and recipients (e. g. elderly or financially vulnerable customers engaging in high-volume cryptocurrency transactions);
• Source of funds (e. g. transactions involving cryptocurrency accounts with known links to illegal activities, such as fraud, extortion, etc.).

If the employee (incl. the CEO and the AML Officer) becomes aware or otherwise suspects that a transaction, operation, or customer activity is suspicious, or for any other reason listed in this Policy would be reported to FCIS, he/she will promptly record it, re-examine, carry out further examination of the information available in order to assess whether there is a basis for providing such information to the FCIS and, where available, submit the information in the format, procedures and timelines set by the FCIS.

All employees of the Company, without exception, must be prohibited from informing the customer or any other person that information about the customer’s operations or transactions, or any other information, has been provided to the FCIS or other supervisory authority.

The Company or its employees are not liable to the customer for failure to perform their contractual obligations or for damage if this occurs as a result of suspending an operation or transaction and reporting the allegations to the FCIS or because of failure by the customer to provide data to confirm his identity, or providing incomplete or incorrect information, or if customer or his representative avoids providing the information necessary to identify him/her.

No liability must be imposed on Company’s CEO, the AML Officer or other employees who, in good faith, report information on suspected ML/TF or suspicious operations or transactions to the FCIS. Likewise, they may not be subject to any disciplinary action by the Company.

The Company must notify the FCIS immediately, no later than within 1 (one) business day after the occurrence of such information or suspicion, if the Company is aware or suspects that assets of any value are directly or indirectly derived from a criminal offence or by participating in a criminal offence.

Where it is determined that the customer carries out a suspicious operation or transaction, regardless of the amount of the operation or transaction, it is mandatory to suspend the operation or transaction (unless due to the nature of the operation or transaction, the manner in which it is performed or other circumstances it is objectively impossible) and no later than 3 business hours from the time of the transaction or the suspension of the monetary operation to report this operation or transaction to the FCIS. If, due to the nature of the operation or transaction, the manner in which they are performed, or other circumstances, the operation or transaction has not been suspended, the FCIS must be notified no later than 3 business hours after such operation or transaction is identified. Immediate reporting is also required when the Company employees receive information that the Customer intends or will attempt to execute a suspicious operation or transaction.

The Company is required to unilaterally suspend a suspicious operations/transaction and upon receipt of a written order from the FCIS must suspend any suspicious operation or transaction performed by the customer for a period of up to 10 business days from the time or circumstances specified in the order. During this period, the Company’s suspended transaction/operation may be renewed only with the permission of the FCIS.

If the Company is not obligated to execute the temporary restriction of the ownership rights within 10 business days after the notification or FCIS order has been received, the operation or transaction shall be resumed.

Notification of suspicious operations or suspicious transactions to the FCIS must be submitted by logging in to the FCIS information system and filling in the approved electronic form for the provision of information on suspicious operations or suspicious transactions.

Only in exceptional cases, should the Company not be able to access the FCIS information system and complete the information submission form, or would not be able to do so for other technical reasons, it may also, in emergency cases, submit the information to the FCIS by phone, fax or email.

The suspicious transaction report form must include:

• identity information of the customer, his representative (for natural persons – full name, date of birth, personal code; for legal entities – name, legal form of legal entity, registered address, legal code, if any).
• to what kind of criteria approved by the FCIS, to recognize that the operation or transaction is considered to be suspicious, the operation or transaction is in conformity.
• method for performing a suspicious operation or suspicious transaction.
• the date of the suspicious operation or suspicious transaction, a description of the property to which the transaction relates and its value.
• Deposit wallet management methods.
• contact information of the customer, his representative (phone numbers, e-mail addresses, contact persons).
• A beneficiary in whose favor a suspicious operation or suspicious transaction is performed (for natural persons – full name, date of birth, personal code; for legal entities – name, legal form of legal entity, registered address, legal code, if any).
• date and time of suspension of the suspicious operation or suspicious transaction.
• if the suspicious operation or transaction has not been stopped, – the reasons for not stopping it.
• other information that the Company considers relevant.

The Company will report to the FCIS the customer identifying data and information on executed virtual currency exchange operations or transactions in the virtual currency where the value of such monetary operation or transaction equals or exceeds EUR 15 000 in Fiat currency or virtual currency, regardless of whether the transaction is made in one or several related monetary transactions.

Multiple related transactions mean multiple virtual currency exchange operations or transactions in virtual currency during the day, where the total amount of operations and transactions equals or exceeds EUR 15 000 or the equivalent in fiat currency or virtual currency.

Notification of operations or transactions of EUR 15 000 or more must be submitted to the FCIS without delay and no later than 7 business days after the date of the execution of the monetary operation or transaction.

 

IV. IMPLEMENTATION OF SANCTIONS

The AML Officer is an employee appointed by the Company who arranges the implementation of financial sanctions, is responsible for suspending the disposal of the deposit wallets, regular updating of the list of entities subject to financial sanctions or the selection of eligible third party suppliers to provide consolidated updates of international lists of financial sanctions and quality control of their services, reporting to FCIS and other authorities responsible for overseeing the implementation of international sanctions.

The Company must:

• implement financial sanctions.
• Check in the consolidated databases used by the Company, and in their absence or if they are inoperative, in direct sources, whether the Company’s customer and its beneficial owner are not included in the list of entities and their groups, which are subject to United Nations Security Council resolutions against terrorism, a consolidated list of the European Union's financial sanctions, as well as the lists of financial sanctions issued by the United States Treasury Department's Office of Foreign Control and/or the Republic of Lithuania.
• pay particular attention to customers from countries on the lists of non-cooperating states and territories drawn up by the FATF and the European Commission, and operations or transactions carried out on their own or on their behalf.
• restrict the right of customers included in the abovementioned international financial sanctions lists to operate, use and dispose of the virtual currency and the Fiat currency held in the Company, subject to the implementation exemptions provided for in international organizations decisions and/or European Union legislation.
• immediately terminate or suspend the obligations incurred prior to the imposition of the international financial sanctions in the Republic of Lithuania for the period of the implementation of the international financial sanctions.
• to terminate immediately – unilaterally or by agreement of the parties – transactions concluded prior to the imposition of financial sanctions in the Republic of Lithuania, or to suspend their execution for the period of implementation of financial sanctions.
• inform the FCIS of the suspension of the accounts of the customers subject to financial sanctions.
• provide information on the implementation of financial sanctions and all data necessary for supervision to the FCIS.

 

Company employees and customers are prohibited:

• to carry out actions which are prohibited by international sanctions implemented in the Republic of Lithuania.
• to enter into transactions which would be contrary to international sanctions implemented in the Republic of Lithuania.
• to assume new obligations, the fulfillment whereof would be contrary to international sanctions implemented in the Republic of Lithuania.

 

V. CUSTOMER AND BENEFICIAL OWNER IDENTIFICATION

The Company’s employees whose functions include performing prevention of ML/TF (hereinafter – “the Responsible employees”) are responsible for the identification of the customer, its representative and the beneficial owner, collection and initial verification of customer’s, its representative and beneficial owner data and documents.

The Company shall take steps to identify and verify the identity of the customer, its representative and the beneficial owner in the following cases:

• Before starting a business relationship.
• Before performing occasional virtual currency exchange operations or occasional transactions in virtual currency equal to or exceeding EUR 700 or the equivalent in foreign or virtual currency, or by making an occasional deposit or withdrawal of virtual currency in the amount of or exceeding EUR 700 or the equivalent in a foreign or virtual currency, whether the transaction is concluded in one or more related transactions (the value of the virtual currency is determined at the time of the monetary transaction or transaction), unless the identity of the customer and the beneficial owner has already been established.
• When there are doubts about the accuracy or authenticity of previously obtained customer and beneficial owner identities.
• In any other case where there is a suspicion that ML/TF activities are, have been or will be carried out by the customer.

The Company’s Responsible employees shall be responsible for reviewing the quality of the customer’s file, verifying the data in independent reliable sources available to the Company (lists of politically exposed persons, international sanctions, etc.). These responsible employees shall also perform risk assessment and assignment of the customer to the risk category and other compliance procedures as provided in the Policy.

After gathering all the necessary information about the customer (duly filled-in and executed customer questionnaires), the Responsible employees first identifies the customer’s risk group.

Upon making a decision to establish a business relationship with the customer, the Responsible employees, while providing the services to the customer, shall continue to monitor the customer on a regular basis.

Customer and beneficial owner has to provide the following documents and information for identification purposes:

• Passport or ID copy if the customer, its representative, beneficial owner is a natural person.
• Utility bill indicating residence address of natural person.
• Apostilled or legalized commercial excerpt of the company if customer is legal entity (translated to English language).
• Apostilled or legalized Articles of Association of the company if the customer is a legal entity (translated to English language).

The Company only considers provided documentation form the customer suitable if scanned copies and/or good quality photos are provided to the Company.

In case the Responsible employee determines a customer as a low-risk customer, the Company might not apply rules indicated above in Section V of this Policy. The Company then:

• collects correctly filled-in and duly filled-in and executed customers questionnaires.
• ensures that the first payment of the customer would be carried out through an account with a credit institution, registered in a Member State of the European Union.

If the Responsible employee determines customers category as a high-risk, in addition to the documents listed above in Section V of this Policy, the Company shall:

• obtain additional information on the customer and on the beneficial owner;
• obtain additional information on the intended nature of the business relationship;
• obtain information on the source of funds and source of wealth of the customer and of the beneficial owner;
• obtain information on the reasons for the intended or performed transactions;
• obtaining the approval upon paragraph 6 Section II of this Policy;
• conduct EODD of the ongoing business relationship with these by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination;
• ensures that the first payment of the customer would be carried out through an account with a credit institution, registered in a Member State of the European Union.

It is forbidden to enter into transactions, to establish or continue business relationships, provide Services when customer identification is not possible in accordance with this Policy:

• if the customer does not provide data proving his identity.
• if the customer does not provide all data or data is incorrect.
• if the customer or his representative avoids providing the information necessary for his identification or avoids providing the information necessary to identify the beneficial owner, or the data provided is not sufficient.

If the customer avoids or refuses to provide additional information to the Company at its request and within the time limits, the Company shall take measures to mitigate the ML/TF risk in accordance with this Policy. The Company may also refuse to execute transactions or operations, suspend transactions or terminate business relationships with the customer. Upon termination of the business relationship, the Responsible employees must report such customer and other related information into the registration journal of customers with whom transactions or business relationships are terminated (Annex 5) in accordance with the procedure set forth in this Policy.

If proper identification, verification, or follow-up is not possible, Responsible employees of the Company who notices such a case must immediately notify the Company’s AML Officer. The AML Officer shall decide on the advisability of reporting a suspicious operation or transaction report to the FCIS.

The customer and/or its representative shall perform identity verification remotely via tools presented by the Company.

The documents, data or information submitted to the Company during the identification of the customer and the beneficial owner must remain true, accurate and up-to-date throughout the business relationship with the Company.

The data of customers, both existing and new, is updated as the circumstances surrounding the customer change, as new circumstances become evident, and periodically, depending on the customer’s level of risk.

High-risk customer data must be updated at least once a year, medium-risk customer data is updated at least every 2 years, low-risk customer data is updated upon learning of any changes, but at least every 3 years.

If the customer has initiated updates in his account information, the changes must be evaluated, and risk should be reassessed accordingly.

If the changes in the customer’s information resulted in a change of the customer’s risk level, the date from which the customer’s data must be updated is renewed according to their risk level.

If the customer did not update his/her data when required according to his/her risk level during the period of 3 months, services provided by the Company to the customer will be limited.

Updating the data means that it is obligatory to check that the Company has up-to-date information about the customer, its representatives and beneficial owners. It is necessary to ensure that the transactions and/or operations executed by the customer so far comply with the information available to the Company on the customer, its activities and the source of funds.

During the review, it is always mandatory for customers to be screened for being included in the sanctions lists, changes in their status of politically exposed persons or existence of any negative information. If the functionality of the systems used by the Company allows, such verification must not be periodic, but is performed on a continuous basis through consolidated databases, whereby once entered, the customer's information is constantly verified and any changes in customer status are reported to the Company’s CEO who periodically reviews system alerts for potential new results related to changes in the customer status and takes appropriate action.

Evidence of the review is stored in the customer’s electronic file in the Company’s database.

 

VI. KYC AND CUSTOMER DUE DILIGENCE

Customer due diligence (CDD) is a key responsibility of the Company in the implementation of the prevention of ML/TF and includes:

• Customer identification and verification based on provided documents, data and information obtained from an independent and reliable source.
• Identification of the beneficial owner and taking reasonable steps to verify that the named person is in fact the final beneficial owner and to verify his identity.

The data provided by the customer must be verified on the basis of documents, data or information obtained from a reliable and independent source.

The information must be verified by various means and sources available, including:

• checking the consistency of the information received (whether there are illogical or unexplained facts, inconsistencies).
• comparing the information provided by the customer with the content of official documents provided by the customer or received at the initiative of the Company, information contained in public registers.
• using targeted web search: for example, by typing in the customer’s name and certain keywords, depending on the search context, using information available on social networks to identify the customer’s relations, etc.
• using other reliable sources depending on the information to be verified.

 

VII. STORAGE OF INFORMATION

The Company shall maintain the following journals and database:

• Database/ journal for registration of customers with whom transactions or business relationships have been terminated in the cases provided for in the Policy or in other circumstances related to the prevention of ML/TF (Annex 5).
• Database/journal of virtual currency exchange operations or transactions in virtual currency amounting to or above EUR 15 000 or equivalent in Fiat currency or virtual currency (Annex 6).
• Database/journal of reports submitted to FCIS on suspicious operations and transactions (Annex 7).

The information in the listed registration databases shall be maintained and stored in the Company’s information systems. Data may be entered in the databases no later than within 3 business days after the date of the transaction or suspension of transaction/termination of a business relationship, either manually or automatically.

Copies of the customer’s identity documents, beneficial owner’s identity data, other data received during the customer’s identification, documentation shall be retained for 8 years from the date of termination of transactions or business relationships with the customer.

Business correspondence with the customer must be stored for 5 years from the end of transactions or business relationship with the customer in paper or electronic form.

Documents or information supporting operation or transaction or other legal instruments relating to the performance of operations or transactions must be stored for 8 years from the date of operation or transaction.

Documents analyzing the results of the transaction investigation are stored in an electronic database for 5 years.

Retention periods may be further extended additionally for a period not exceeding 2 years, upon motivated instruction of the competent authority.

 

VIII. TRAINING OF THE COMPANY’S EMPLOYEES

All employees of the Company shall be introduced to the Policy upon their appointment by their signature. The CEO of the Company must ensure that all newly recruited employees are made aware of this Policy in writing and receive training, depending on the functions performed by the employee.

The Company must review and, where necessary, update its internal control procedures:

• strengthen the applicable internal control procedures upon receipt of an order from the FCIS.
• upon significant events or changes in the Company’s management and operations.
• periodic monitoring of the implementation and adequacy of internal control procedures.

The CEO of the Company must ensure that the relevant employees of the Company are aware of the legal acts and requirements applicable to them and the provisions of this implementing Policy. These measures shall include participation of their relevant employees in special ongoing training programs to help them recognize the actions which may be related to ML/TF and to instruct them as to how to proceed in such cases.

Responsible employees must continually upgrade their skills, following the Republic of Lithuania, European Union legislation updates, recommendations of FATF and other organizations, to seek to participate in the training on ML/TF prevention and enforcement of international sanctions (courses, seminars, internships, etc.).

The CEO of the Company also identifies the need for internal training of the Company’s employees. Any other member of the compliance department may also indicate such need.

The CEO of the Company must ensure that Company’s employees are informed in a timely manner of material events occurring inside or outside the Company, incidents affecting the effectiveness of prevention of ML/TF or sanctions.

 

IX. FINAL PROVISIONS

The implementation of measures for prevention of ML/TF is organized by the AML Officer in liaison with the FCIS.

The CEO of the Company must ensure that the AML Officer has access to all information necessary to perform their functions, including information relating to the identity of the customer and the beneficial owner customer’s business relationship and other information.

This Policy is approved by the CEO and the AML Officer of the Company. This Policy and appendices to the Policy shall take effect from the date of its approval unless otherwise specified. The Policy may be withdrawn, amended and/or supplemented only by a decision of the CEO and the AML Officer of the Company and shall enter into force on the day following the date of adoption of such amendments and/or additions. All employees of the Company are familiarized with the changes immediately.

 

X. Legal information

 

Company   Name:       Sapion Solution UAB

Company   Number:   306182986

Legal   Address:           Kriviy g. 5, LT-01204 Vilnius, Lithuania

Email:                            [email protected]