Compliance & Risk Manual Coinbuy
Version 1.1 Date 20.6.2019
HashFort OÜ (Company Registry 14648319)
Peterburi tee 47, Lasnamäe linnaosa,
Tallinn, Harju maakond,
11415 Estonia
Compliance & Risk Management
KYC / AML POLICY
This is our Anti-money laundering (hereinafter referred to as: “AML”) and Counter-terrorist financing (hereinafter referred to as: “CTF”) Policy, which Hashfort applies to its service. Hashfort OÜ is an Estonian company and must follow European and Estonian rules for detecting and managing financial crime. Our two main internal bylaws are:
AML/CTF procedure for providers of a service of exchanging a virtual currency against a fiat currency;
AML/CTF procedure for providers of a service of storing a virtual currency (wallet).
The procedures are monitored by the compliance officer and his team. The compliance team monitors the compliance of the internal rules and procedures with the relevant laws and compliance of the activity of the Representatives with the procedures established by the Rules.
As defined in our AML policy, we do not work with:
Offshore banks and shell banks, or with any country listed as “High risk”;
Any money transfer from any third party. Clients can transfer money only from and to their own bank account, which has already been approved by another licensed financial institution.
Our obligations as an Estonian cryptocurrency-fiat exchange are defined in Estonian law as those of a Provider of Alternative Means of Payment, licensed as an Estonian financial institution by holding a Financial Activity License from the Estonian Financial Intelligence Unit (hereinafter referred to as: “FIU”), which is the anti-money laundering authority in Estonia with the ability to grant, revoke and supervise financial activity licenses. The AML requirements and Know Your Customer (hereinafter referred to as: “KYC”) due diligence measures for service providers are set forth in the Estonian Money Laundering and Terrorist Financing Act and other legal guidelines given by the Estonian Minister of Finance.
The wider framework is the EU's AMLD5 (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018L0843), which is an integral part of this AML/KYC Procedure.
A cardinal part of the licensing procedure, and a significant FIU consideration for granting licenses, is the quality of the Rules of Procedure, which, according to the Act, must be meticulously drafted by the license applicant. These Rules of Procedure must comply with the various requirements of Estonian law, which require them, among other things, to include a specification of the user due diligence measures the company intends to take, an assessment of money laundering risk, the manner of collecting and keeping records, internal control rules, etc.
Hashfort OÜ has been issued operating licenses by the Financial Intelligence Unit for:
Providing services of exchanging a virtual currency against a fiat currency (License No. FVR000672).
Providing a virtual currency wallet service (License No. FRK0000579).
Given the above, Hashfort aims to be fully compliant and transparent especially when it comes to detecting and monitoring financial crimes.
Hashfort has implemented measures, which protect Hashfort from involvement in money laundering or terrorist financing activities (hereinafter: “suspicious transactions”), by:
performing a compliant due diligence procedure (the KYC) for every user who registers on the platform,
making a risk assessment for every user who has successfully passed the KYC,
detecting suspicious transactions by risk categories and risk levels,
monitoring suspicious transactions,
reporting suspicious transactions to the authorities.
In order to protect us and our users from possible financial crimes, Hashfort shall:
Perform Know Your Customer procedures on all users and clients (natural and legal persons) on a regular basis.
Perform an enterprise-wide risk assessment to determine the risk profile of the Company.
Implement internal controls throughout its operations that are designed to mitigate risks of money laundering and terrorism financing.
Conduct a periodic AML audit.
Provide AML training to its employees.
THE KYC AND RISK ASSESSMENT
In the user due diligence process, Hashfort shall perform a KYC for every:
User – a natural or legal person;
Representative of the User – an individual who is authorized to act on behalf of the User;
Beneficial Owner of the User;
Politically exposed person (“PEP”) or a person connected with the PEP.
During the registration procedure, every user must provide Hashfort with several items of personal information and documents, which Hashfort needs to establish a portfolio of the user and assess the risk connected to it.
Verifying Customer’s Identity
Customer identification is a major part of every AML compliance program. In this section we account for all the procedures and measures we take to identify and verify the customer’s identity, so as to form a reasonable belief that we know the true identity of each customer.
In this part, our anti-money laundering policy outlines measures put in place to identify and verify beneficial owners, politically exposed persons (PEP), and senior management of an organization. Under customer due diligence, the AML policy describes the procedure for establishing a customer’s risk rating and when enhanced due diligence procedures will be appropriate. The policy also outlines when adverse media checks, sanctions list screenings and ongoing AML monitoring will be appropriately applied for certain customers.
The first step is outlining which information should be obtained for the purpose of identification and from whom. Here the anti-money laundering policy describes which information will be collected when opening a new account for a customer or their beneficial owners. The information the company obtains depends on the type of account and the risks associated with it.
Let’s go through the steps of customer identification in our AML policy.
NATURAL PERSON NEEDS TO PROVIDE AT LEAST:
First name, Last name;
Date of birth, place of birth;
Phone number and email;
Government issued ID document (both sides);
Selfie with ID document;
Proof of residence (utility bill or similar);
Bank account details;
Customer occupation, magnitude and origins of salary and annual incomes;
Being a PEP or not;
Other information and documents on the request of Hashfort.
LEGAL PERSON NEEDS TO PROVIDE AT LEAST:
Business name of the legal person;
Registry code or registration number and the date of registration;
ID of the shareholders (same as for the natural person identification);
ID of the director(s) and/or members of the management board (same as for the natural person identification);
IDs of the representatives (same as for the natural person identification);
Proof of the registered office/seat;
IDs of the beneficial owners (same as for the natural person identification);
Proof of representation;
Articles of association;
Other information and documents on the request of Hashfort.
Under customer identification procedures, Hashfort adequately notifies customers by e-mail when requesting information for identity verification purposes.
Information verification is based on a “four eyes” principle, with a double layer of human control: pre-approval by the employees and confirmation by the manager.
Hashfort will verify, through non-documentary means, the customer’s email and the mobile number provided, via an OTP procedure automatically embedded in our verification software. Once this has been properly checked, Hashfort verifies, through documentary means, the consistency between the data entered and the data in the scanned documents. In particular, the passport will be checked by the MRZ system included in our verification software.
Inability to Verify Customer’s Identity
Where a customer’s identity cannot be verified, the response procedures include Hashfort’s refusal to open an account for that customer. In the case of an existing customer, Hashfort may temporarily block or close the account if further attempts at verification fail.
When the Customer declines to provide information or provides false information
In case of a discrepancy in the information, or if the customer declines to provide information, Hashfort will refuse to open the account and will notify the customer. If the customer intentionally provides false information, Hashfort may, depending on the nature of the false information, inform the competent authorities. In any case, the account will not be opened and the customer will be blacklisted by mobile number and email.
Limits and Threshold of Financial Transactions
Hashfort’s policy is to prohibit any transaction larger than 10.000 euro.
When the annual volume exceeds 10.000 euro, Hashfort will request further due diligence on a case-by-case basis, including but not limited to:
Review of KYC
Contacting client and asking for evidence or additional documentation
Phone call or Video Conference to client
Require client to send an updated bank statement
Require client to send employment contract or History of funds
Place IP address on watch list
Place account on watch list
CUSTOMER RISK LEVELS
The risk is divided into 3 levels:
The risk level is normal, there are no high risk characteristics present.
1. User is from high risk country.
2. User is a local PEP or a person associated with a PEP.
3. The legal person’s area of activity is associated with enhanced money-laundering risk.
4. The legal person is situated in a country, which is listed in the list of risk countries.
5. The legal person’s activities and liability are insufficiently regulated by law, and the legality of its financing is not easy to screen.
6. The representative or the Beneficial Owner / Shareholder of a legal person is a local PEP or his / her family member.
User is suspected to be or to have been linked with a financial offence or other suspicious activities.
User is a non-resident individual, whose place of residence or activities is in a country, which is listed in the list of risk countries.
The representative or the Beneficial Owner / Shareholder of a legal person is a PEP or his or her family member.
There is information that the legal person is suspected to be or to have been linked with a financial offence or other suspicious activities.
A legal person registered outside the European Economic Area, whose field of business is associated with a high risk of Money Laundering, or registered in a low tax rate country.
RISK BY USERS:
Suspicious facts such as, but not limited to: discrepancies in provided ID documents, fictitious person, stolen identity, counterfeited ID document, post box home address, previous financial crime record, terrorist record, wanted person, no contact phone number, invalid documents, discrepancies in provided documents for the legal person, etc.
Politically exposed persons, such as but not limited to holders of the following prominent public functions: head of state, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d’affaires and a high-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a state-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organisation, except middle-ranking or more junior officials.
RISK BY COUNTRIES:
Country of residence / nationality is a country with a prohibition/restriction on cryptocurrencies, such as but not limited to: Afghanistan, Algeria, American Samoa, Bangladesh, Bolivia, China, Democratic Republic of Congo, Democratic People’s Republic of Korea (DPRK), Ecuador, Egypt, Ethiopia, FYR Macedonia, India, Iran, Iraq, Kyrgyzstan, Pakistan, Palestine, Qatar, Saudi Arabia, Syria, Morocco, Nepal, United States of America, Vanuatu, Vietnam, Zambia.
Resident / citizen of high-risk countries, such as but not limited to: Yemen, Jordan, Kuwait, Lebanon, Libya, Malaysia, Mali, Mauritania, Nigeria, Oman, Somalia, Serbia, Sri Lanka, Sudan, Tunisia, Turkey, ethnic groups of the Caucasus belonging to the Russian Federation (Chechens, etc.), Trinidad & Tobago.
Low-tax or tax-free countries, such as but not limited to: United Arab Emirates, Oman, Bahrain, Qatar, Saudi Arabia, Kuwait, Bermuda, Cayman Islands, The Bahamas, Brunei, Vanuatu, Anguilla, Belize, Costa Rica, Guatemala, Panamá, Nicaragua.
RISK BY TRANSACTIONS
Hashfort shall inspect any outstanding transaction, which includes but is not limited to: large transactions that do not correspond to the user’s source of funds and/or source of wealth, transactions to an offshore or shell bank (a financial institution that does not have a physical presence in any country), executing payment via a non-licensed payment institution, large daily movements of fiat or virtual money, etc.
DETECTION OF SUSPICIOUS TRANSACTIONS
Hashfort shall diligently monitor transactions for suspicious activity. Transactions that are unusual will be automatically detected by the system, suspended and carefully reviewed by a human to determine whether they make no apparent sense or appear to be for an unlawful purpose, or whether they can be unblocked.
The implemented internal controls will serve as an ongoing monitoring system in order to detect suspicious activity or transactions. When such suspicious activity is detected, Hashfort shall determine whether a filing with any law enforcement authority is necessary. Suspicious activity can include more than just suspected money laundering attempts. Activity may be suspicious, and Hashfort may wish to make a filing with a law enforcement authority, even if no money is lost as a result of the transaction.
Hashfort shall initially make the decision of whether a transaction is potentially suspicious. Once Hashfort has finished the review of the transaction details, it will consult with its management to decide whether the transaction meets the definition of a suspicious transaction or activity and whether any filings with law enforcement authorities should be made. Hashfort shall maintain a copy of the filing as well as all backup documentation. The fact that a filing has been made is confidential. No one other than those involved in the investigation and reporting should be told of its existence. In no event should the parties involved in the suspicious activity be told of the filing. If the AML officer deems it necessary, Hashfort will file the Suspicious Activity Report (SAR).
Keeping AML-Related Data and Transaction Records
Hashfort will record transactions in accordance with AMLD5.
The following are required steps in the record keeping process:
Hashfort shall maintain a record of identifying information provided by the user.
Where Hashfort relies upon a document to verify identity, Hashfort shall maintain a copy of the document that the Company relied on that clearly evidences the type of document and any identifying information it may contain.
Hashfort shall also record the methods and result of any additional measures undertaken to verify the identity of the user.
Hashfort shall record the resolution of any discrepancy in the identifying information obtained.
All transaction and identification records will be maintained for a minimum period of five years.