AML policy

INTRODUCTION

TRASTRA EU UAB (referred to as “TRASTRA” “the Firm”, “the Company”, “we” or “us”) is committed to the highest standards in the prevention of Money Laundering (AML), Bribery and Corruption (ABAC), Counter Terrorism Financing (CTF), Fraud and other punishable criminal acts.

This Anti-Money Laundering, Countering Terrorist Financing and Financial Crime Policy (“the Policy”) provides guidelines and procedures applicable to daily activities of the Company, which are intended to prohibit and actively prevent using the Company’s services for money laundering, funding of terrorist or criminal activities, or facilitation of any such activity.

The Company has developed and implemented this Policy using a risk-based approach to address the risk of money laundering specific to the Company’s services, customers and business partners in order to comply with the Requirements and combat money laundering, terrorist financing, and other financial crimes.

Scope

The Policy outlines the minimum general standards of AML and CTF controls which should be followed by the Company’s management and employees in order to mitigate any legal, regulatory, reputational and as consequence financial risks. Detailed procedures will be produced for each AML/CTF measure in order to match local and international standards and best practices. The company adopts the following procedures:

Customer due diligence;
Risk-based approach;
Record keeping;
Internal reporting;
External reporting;
Training

Definitions

MLRO – The Firm’s Money Laundering Reporting Officer (also known as the “MLRO”), whose responsibility is to supervise, implement and report any activity which could be related to Money Laundering or Terrorism Financing.

AML – Anti-Money Laundering is a set of procedures, laws or regulations designed to stop the practice of generating income through illegal actions.

ML – Money Laundering means the concealment of the origins of illegally obtained money, typically by means of transfers involving banks or legitimate businesses. In most cases money launderers hide their actions through a series of steps that disguise money coming from illegal or unethical sources to appear as if it were legitimate funds.

TF – Terrorism Financing refers to the processing of funds to sponsor or facilitate terrorist activity. A terrorist group, like any other criminal organisation, builds and maintains an infrastructure to facilitate the development of sources of funding, to channel those funds to the providers of materials and or services to the organisation, and, possibly, to launder the funds used in financing the terrorist activity, or resulting from that same activity. Terrorist organizations derive income from a variety of sources, often combining both lawful and unlawful funding, and where the agents involved do not always know the illegitimate portion of that income.

KYC – Know your customer (“KYC”) is the process used by businesses to verify the identity of their customers. KYC policies are becoming increasingly important globally to prevent identity theft, financial fraud, money laundering and terrorism financing.

CDD – Customer Due Diligence means:

identifying the customer and verifying the customers’ identity based on documents, data or information;
identifying where there is a beneficial owner who is not the customer;
obtaining information on the purpose and intended nature of the business relationship.

EDD – Enhanced Due Diligence designates additional steps of examination and caution to identify the customers and confirm that their activities and funds are legitimate.

SDD – Simplified Due Diligence – means that it is not required for a business to apply the standard customer due diligence measures, where the business has reasonable grounds for believing that a customer falls into the relevant categories representing low risk for money laundering or terrorism financing.

PEP – Politically Exposed Persons (“PEPs”) are individuals who are or have been entrusted with prominent governmental / public functions.

FATF – Financial Action Task Force (www.fatf-gafi.org) is an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, terrorist financing and proliferation of weapons of mass destruction.

OFAC – Office of Foreign Assets Control – Is part of the U.S. Department of the Treasury. It is responsible for administering and enforcing trade and economic sanctions.

FCIS – Financial Crime Investigation Service – Financial Intelligence Unit (LT). The FCIS is the national central agency in UK that is responsible for the collection, collation, processing, analysis and dissemination of information with a view to combating money laundering and the funding of terrorism.

MFSA – Malta Financial Services Authority. The authority is the single regulator for financial services in Malta.

MONEYVAL – The Council of Europe Select Committee of Experts on the Evaluation of anti-Money Laundering Measures and the Financing of Terrorism

Tipping Off – Improper or illegal act of notifying a suspect that they are the subject of a Suspicious Activity / Transaction Report or is otherwise being investigated or pursued by the authorities.

Monitoring – An element of an institution’s anti-money laundering program in which customer activity is reviewed for unusual or suspicious patterns, trends or outlying transactions that do not fit a normal pattern. Transactions are often monitored using software that weighs the activity against a threshold of what is deemed “normal and expected” for the customer.

Risk-Based Approach – The assessment of the varying risks associated with different types of businesses, customers, accounts and transactions in order to maximise the effectiveness of an anti-money laundering program.

UBO – ‘Ultimate Beneficial owner’ means any natural person(s) who ultimately owns and consequently controls or directs the customer and/or the natural person(s) on whose behalf a transaction or activity is being conducted and includes at least.

SAR – A Suspicious Activity Report made by the MLRO to the FCIS regarding suspicious activity.

RBA – Risk-Based approach.

Regulatory framework

The Company must comply with the following regulatory framework (“the Requirements”):

Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market;
5th AML Directive: Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018;
The General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016;
Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds;
Transparency International’s corruption perception index;
Technical Requirements for the Customer Identification Process for Remote Identification Authentication via Electronic Devices for Direct Video Transmission approved by the Director of the Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania on November 30th 2016 by Resolution No. V-314 “For the Technical Requirements for the Customer Identification Process for Remote Identification Authentication via Electronic Devices for Direct Video Transmission” (hereinafter – Technical Requirements);^[1]
Resolution No. V-240 of December 5th of 2014 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of the List of Criteria for Money Laundering and Suspicious or Unusual Monetary Operations or Transactions Identification”;^[2]
Resolution No. V-5 of 5 January 10th of 2020 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of Guidelines for the Depositary virtual currency wallet operators and virtual currency exchange operators to prevent money laundering and/ or terrorist financing.”;^[3]
Resolution No. V-273 of October 20^th of 2016 of the Director of Financial Crime Investigation Service under the Ministry of Internal Affairs of the Republic of Lithuania “On the Approval of Guidelines for the Supervision of Financial Crimes for the Implementation of International Financial Sanctions in the Field of Regulations of the Ministry of Internal Affairs of the Republic of Lithuania.”;^[4]
the Minister of the Interior of the Republic of Lithuania 2017 October 16 by order no. 1V-701 “On Suspension of Suspicious Monetary Transactions or Transactions and Submission of Information on Suspicious Monetary Transactions or Transactions to the Financial Crime Investigation Service under the Description of Procedure of the Ministry of the Interior of the Republic of Lithuania and Information on Cash Transactions or Transactions equal to or exceeding 15,000 euros or submission of the corresponding amount in foreign currency to the Financial Crime Investigation Service under the approval of the description of the procedure of the Ministry of the Interior of the Republic of Lithuania ”;^[5]
Director of the Financial Crime Investigation Service 2015 May 21 by order no. V-129 “On Approval of Information Forms, Submission Schemes and Recommendations for Completion of Information Provided in Accordance with the Requirements of the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania”;^[6]
Lithuanian Law on the Prevention of Money Laundering and Terrorist Financing.

RESPONSIBILITIES

Compliance

The Compliance Officer and thus the Compliance Department monitor compliance with the relevant requirements and standards of the regulatory system for the activities of the Company. The compliance functions must not be involved in the performance of the services or activities they monitor.

The department also realizes day to day non-exhaustive list of functions including:

Assisting with the development, implementation, and maintenance of anti-money laundering and other regulatory compliance programs within the company.
Ensuring compliance with current AML/CFT regulations, and other relevant legislation.
Developing and maintaining a risk assessment framework for products and services, customers and customers, and other issues relating to money laundering and other financial crimes the company may be exposed to.
Compliance reporting to the authorities.
Arranging and implementing inspections and audits from third-party organizations and making compliance recommendations based on their findings.
Briefing and reporting to senior management on matters relating to adequacy of the internal policies and procedures and compliance with internal policies and procedures.
Overseeing and implementing an ongoing training program for other employees.

Money Laundering Reporting Officer

The Money Laundering Reporting Officer is responsible for the oversight of all aspects of the Company’s AML activities

MLRO is responsible for reporting ML/FT activity or transaction by fulfilling the following steps:

receiving reports of knowledge or suspicion of ML/FT;
considering such reports to determine whether a suspicion of ML/FT is valid;
reporting knowledge or suspicion of ML/FT to the FCIS;
responding promptly to any request for information made by the FCIS.

The MLRO is also responsible for reporting regarding specific transactions without ML/TF activity (e.g. for daily transactions with ≤ €15,000 value).

The Company may appoint a nominated officer to carry out information disclosure tasks. The Compliance officer may execute functions of the MLRO.

The Board of Directors

In its task of directing the company, the board has the following responsibilities:

To designate an individual as the MLRO.

To be informed about the management of the Compliance Program executed by the MLRO.

To assign the required budget and resources to the MLRO for appropriately performing and running the AML CTF Compliance Function and its Program.

To review and approve the AML CFT Policy and its updates proposed by the MLRO.

Senior Management

The Company’s senior management is responsible for establishing and communicating the Compliance policy and maintaining the Compliance function.

In its responsibility, the AML CTF Lithuanian Law has assigned the role to review and approve establishing relationships with High Risk Customers (HRC), when those are being proposed as prospective clients by the MLRO, before entering into a business relationship with, or when a customer from the stock becomes a HRC.

Senior management accepts their Compliance responsibilities and understands the key elements of the regulatory regime and how it impacts the activities and aspirations of the company.

Senior management is kept fully informed of Compliance activities and priorities. Senior management lends their full support to the Compliance Department.

Middle Management and Employees

Middle management and all staff of the company should be fully aware and understand their legal and regulatory responsibilities and obligations with regards to money laundering and terrorist financing activities.

Employees AML training programs will be organised with respect of operational tasks and responsibilities.

Enforcement and Disciplinary Consequences

Any employee found to have violated this Policy will receive a verbal warning. The second incident of the same nature will result in a warning letter to the employee. A third such violation will result in termination of employment of the employee. Deliberate breach of this Policy might result in dismissal for gross misconduct and external report to authorities.

Employees have to pass mandatory AML compliance training arranged by the Company and be aware about the consequences of their failure to comply with the Policy, including reporting potential fraudulent/suspicious activities that may lead to the employee’s voluntary or involuntary involvement into criminal activities. (See more in Training)

Any third-party partner found to have violated this Policy will be subject to contract termination as well as any other remedial measures available under applicable law including reporting to FCIS.

The company will never ignore AML concerns or information from its partners: Financial Institutions, Merchants, Customers and/or law enforcement agencies. Each such concern, information, request will be carefully considered and investigated by the MLRO, and relevant necessary measures will be taken by the Company.

CUSTOMER AND PARTNER DUE DILIGENCE

This Policy also applies to certain engagements of third parties intermediaries or agents (“partners”) who are retained to act on behalf of the Company to solicit new customers, support efforts to retain existing customers or supply services to fulfill a legal, regulatory or practical business operational need. The Company expects all business partners to act with integrity and in accordance with the highest business standards.

Prior to the conclusion of business relationship with a customer or partner the company obtains a range of information from the customer/partner and verifies this information using reliable, independent source documents, data or information. Satisfactory identification of the customer takes place on the onboarding stage. Satisfactory identification of the partner is done prior to signing the agreement or making a payment (whichever occurs first).

As a starting point for the partners, the Company’s employee is required to get information on the nature and purpose of the proposed business cooperation. This includes understanding what the partners business is, cooperation of what sort is expected, and what value for the Company it might bring.

Due Diligence measures are to be designed but not limited to:

be satisfied that its customers are who they say they are;
understand whether its customers are acting on behalf of others;
the identity of any ultimate beneficial owner(s);
understand its customers’ circumstances to guard against them being used for fraud, money laundering or other criminal activity;
prognose the expected amount of referrals from the partner and assess their quality;
prognose the expected level of customers’ activity in terms of volume, velocity or geography;
regularly review and update if necessary, the information about a customer/partner.

Identification and Verification of Natural Persons

The Customer registers in the system and uploads identification documents into his profile.

Identification Information and contact details.

Name;
Surname;
Place and date of birth;
ID number, issue date, expiry date, issuing authority;
Citizenship;
Residence, permanent residential address;
Email;
Telephone number;
Selfie and likeness check;
Documents for verification of identification information.

The information required for the partners, at a minimum, consists for natural persons of:

Name;
Surname;
Date of birth;
ID number, issue date, expiry date, issuing authority;
Citizenship;
Residence, permanent residential address;
Email;
Telephone number;
Documents for verification, including valid photographic identification document and utility bill (not older than 90 days).

The verification of the details provided by the person on his identity shall be carried out by referring to a government-issued document containing photographic evidence of identity such as:

a valid unexpired passport;
a valid unexpired national or other government-issued identity card;
a valid unexpired residence card; or
a valid unexpired driving license.

Documents containing photographic evidence of identity that are not government-issued but which are nonetheless recognized as a legal means of identification by the national law of an EU or a reputable jurisdiction may also be used to verify the identity of the applicant for business, provided that such documents are valid and unexpired.

Residential address accuracy is checked by a third-party provider and by card delivery.

Identification and Verification of Legal Entities

The Company shall verify the details of the legal entity by viewing and downloading the relevant entity constitution documents from the official website of the registrar of companies of the country. When this is not possible (e.g., when the legal entity or its parent entity is registered in a country in which such information is not available online), the documentation listed below must be provided by the customer/partner:

Certificate of Incorporation;
Constitutional document (e.g. Memorandum and Articles of Association);
Certificate of Incumbency/extract from the companies register or similar document displaying directors and shareholders (not older than 60 days);
Register of Directors;
Register of Shareholders;
Most recent bank statement (not older than 6 months) or opening letter confirming settlement account details.

Where applicable:

Copy of license for regulated industries;
Latest audited financial statements;
Other additional documents required by Compliance.

These documents will be also required for corporate shareholders ultimately holding 25%+ or in default otherwise exercising control over the management of the company. For natural persons directors, shareholders and the UBO, the Company must request documents and conduct check in accordance with Section Identification and Verification of Natural Persons.

Requirements to digital and hard copy documentation

All document copies and/or photos should be of good quality, with clear imaging and clear, legible text;
The identity and company documents only from EEA jurisdictions, but not covering natural entities in the international format are accepted (only for customers);
The documents of a local format can be accepted if it contains the information in Western format;
Non-English language documentation requires translation. A full, official translation is not necessary but, each piece of documentation should be translated by an accredited translator or a company’s employee. The following information must be translated: the type and nature of the document; and the main points contained within the document. The Company reserves the right to have any such translations certified.

Enhanced Due Diligence

Enhanced Due Diligence procedures imply additional documents or measures to the standard CDD documentation. The company will adhere to EDD measure in any situation, which by its nature presents a higher risk of money laundering or terrorism financing.

The following procedures can be part of EDD:

verify or certify the documentation supplied using supplementary measures; these measures include certification for verification purposes to identity by legal professional, accountancy profession, a notary, a person undertaking relevant financial business within EEA;
request to receive hard copies of all certified documents;
transactions should be carried out through an account in the customer’s name;
request for documented evidence regarding source of funds or source of wealth (employment confirmations, payslips, tax declaration, loan confirmation or any other documentation that serves the purpose);
interview with representative of the company (via telephone or video call);
personal visit to the office/meeting;
request to provide a proof of address.

The verification of the residential address shall be carried out by making reference to any one of the following documents, provided that the residential address and the full name of the applicant for business are referred to in a clear and unequivocal manner in the document itself:

a recent statement or reference letter issued by a recognized credit institution;
a recent utility bill;
correspondence from a central or local government authority, department or agency;
a record of a visit to the address by a senior official of the subject person;
any identification document listed in paragraph (1) above, where a clear indication of residential address is provided;
an official conduct certificate;
any other government-issued document not mentioned above;
mobile bills are unacceptable for this purpose due to their transient nature.

Business relations with PEPs

Due to high risk of bribery and corruption, PEPs are always considered a higher risk that warrants taking EDD measures.

100% of customers are scanned against PEPs and sanction lists within the integrated software of the system. This scan takes place at the registration stage, identification and verification in order to catch the match at the earliest stage before account application is complete.

The lists in the software are updated regularly. If there is a new match, the system will catch it even if the customer is already active in the system and the event will trigger the alert and pushes the transactions of this customer into a high-risk category. This transaction will appear in the Compliance module. (See more in the Ongoing Monitoring section)

In addition, business relationships with domestic PEPs and international organisation PEPs that are determined to be higher risk should be subject to such measures. In both circumstances, the following EDD measures apply:

Manager’s approval;
reasonable measures to establish the source of wealth and the source of funds, and
enhanced ongoing monitoring of the business relationship.

Manager’s approval should be in writing and filed in the customer’s file. In addition, all confirmed matches must be submitted to UAB “Finansinės paslaugos „Contis“ via the appropriate email: [email protected] for sanctions and [email protected] for PEPs.

Establish the Source of Wealth and Source of Funds

The source of wealth refers to the origin of the PEP’s entire body of wealth (i.e., total assets). This information will usually give an indication as to the volume of wealth the customer would be expected to have, and a picture of how the PEP acquired such wealth. Although the company may not have specific information about assets not deposited or processed by them, it may be possible to gather general information from commercial databases or other open sources.

The source of funds refers to the origin of the particular funds or other assets which are the subject of the business relationship between the PEP and the company (e.g., the amounts being invested, deposited, or wired as part of the business relationship). Normally it will be easier to obtain this information, but it should not simply be limited to knowing from which financial institution the money has been transferred. The information obtained should be substantive and establish a provenance or reason for having been acquired.

The following sources of information are useful for verifying the accuracy of the customer’s declaration regarding their source of wealth and source of funds: publicly available property registers, land registers, asset disclosure registers, company registers, past transactions (in the case of existing customers), and other sources of information about legal and beneficial ownership, where available.

In the case of particularly high-profile PEPs, an internet search (including social media) may also reveal useful information about the PEP’s wealth and lifestyle and about their official income. Discrepancies between customer declarations and information from other sources could be indicators of ML suspicion and should never be disregarded.

Regardless all the EDD measures, the transaction involving a PEP will always fall into high-risk category before processing in the course on ongoing monitoring.

Reliance on third-parties in CDD

The company may rely on the CDD measures carried out by other subject persons or third parties, providing their activities falling under the definition of ‘relevant financial business’ or relevant activity if the third-party is compliant with the Company’s regulatory framework.

Company may rely on the third party in relation to:

the identification and verification of an applicant for business;
the identification and verification of an ultimate beneficial owner, where applicable;
information on the purpose and intended nature of the business relationship.

In all cases the Company must have unlimited access to copies of the identification and verification data and other relevant documentation. If additional documentation is required, it must be forwarded immediately upon request.

The business agreement with such a third-party must include a specific arrangement in relations to cooperation in AML/AFC area.

The following entities can qualify as third-parties:

carrying out activities which are equivalent to ‘relevant financial business’ or ‘relevant activity’ in a in a reputable jurisdiction;
and a subject to authorisation or to mandatory professional registration recognized by law;

e.g., banks, licensed financial institutions, payment systems, other regulated entities, auditors, external accountants, tax advisors, notaries, independent legal professionals, trustees and other fiduciaries etc. located in UK, EU, EEA and other reputable jurisdictions according to current list approved by the Manager. (See Annex Prohibited and Reputable Jurisdictions).

Due Diligence Updates

The Company will request an update or confirmation of the CDD information and documents, kept in the Company’s files:

as frequently as needed (i.e. for transactions executed by the customer which are unusual for its profile or KYC data; changes in its inherent attributes which may impact on the customer’s risk index, like change of jurisdiction, business activity, product portfolio offered) for the purpose to fulfill this policy.
At least yearly to High Risk Customers (HRC)
Each 3 years to Normal Risk Customers.

The customer/partner will be requested to confirm that their personal details are unchanged. Unless otherwise instructed, the customer/partner will be requested to provide a new photo ID upon the expiration date of the Customer’s identification document stored in his file.

Requests for updating documents and/or information will be generated automatically by the Company’s software. Compliance may initiate the CDD update anytime. The request will be made via email.

A customer whose Identification Documents (IDs) have expired in the Company’s system, will not be able to use the service as the account is automatically deactivated.

All customers and partners will be screened against sanctions lists automatically upon any change introduced to such lists. Any positive match will automatically generate a high-risk alert in the Compliance module and block the customer account/stop cooperation with the partner.

In case of a proven positive match, customer access to the Company’s services will be immediately terminated, assets frozen and reported.

CUSTOMER ACCEPTANCE

Distant Verification of Identity

The Company uses an electronic copy of the identification document and photograph provided by the customer, uploaded from within the customer’s secured cabinet. The time and date of when such documents were received are recorded. The documents uploaded by the customer can only be accessed in read-only mode.

After the system completes the process of distant verification, the profile of the customer is set to ‘Verified’.

Prohibited businesses

There are business activities if practiced by a customer which are unacceptable by the Company in any circumstances. These prescribed activities, which are described below, will result in the immediate decline of any transaction:

Companies offering environmentally destructive products and services;
Any person/corporation involved in any form of trade in protected species (contrary to the CITES convention), or trading in ivory or similar activities;
Traders in counterfeit, spoofed or fake products or services of any nature;
Persons/corporations involved in promoting, controlling or operating religious denominations or organizations of any nature;
“Migrants associations”, peculiar ‘religious’ organizations that come with questionable introductions (especially from countries connected with terrorism);
‘Hawala’ or similar unlicensed money transfer activities that defeat common sense explanations;
Bearer Share companies;
Unregulated or unlicensed businesses which require to hold regulatory licenses but cannot produce such a license;
Businesses involved in pyramid or Ponzi schemes, high yield investments, conflict diamonds, counterfeit products, boiler room frauds, land banking, carbon trading or share tipping and other illegal activity of any nature;
Political Parties;
Businesses dealing in adult entertainment, pornography, or any other unethical activities;
Offshore banks;
Businesses involved in illegal drug paraphernalia; and
Shell banks.

Prohibited jurisdictions

The Company does not seek to target any customers with residence outside of the EEA. This does not prevent the Company from establishing business cooperation with companies outside of the EEA for the purpose of promoting its services within the EEA.

The list of prohibited jurisdictions is to be reviewed monthly, consulting the following guidance, and considering current global political and economical situations. The changes in the list are to be approved by Head of Compliance department. The list is included in the system for automatic screening of customers. (See Annex Prohibited Jurisdiction)

Customer approval procedures

The customer completes the online form on the Company’s portal, providing personal details, and agreeing to the Firm’s Terms of Business and Privacy policy and any other terms appearing on the Company’s site relating to any other of the Firm’s products and services. The customer must register providing their email address, full name, mobile phone number and the country of residence;
Following the registration process the customer must provide Proof of Identity and if needed a Proof of address (See Identification and Verification of Natural Persons). Scanned documents must be uploaded to the system for verification by the customer;
After the application for verification has been submitted, all provided information will be processed by software to complete distant verification;
If all criteria are met and accepted, the application will be checked through PEP and Sanctions lists (OFSI UK, EU, UN, OFAC);
The software provides electronic verification of the identity by reference to scanned documents, as well as the selfie check (See more in Distant Verification);
If the software check was unsuccessful an EDD must be performed;
If EDD fails, the application will be declined, if passed the application will be forwarded for further checks through the PEP and Sanctions lists;
The next step will be to assign a risk category depending on the customer risk profile;
Once the risk category has been assigned, the low and middle risk customer account will be set up and activated;
The high-risk customer must be subject to EDD;
If EDD allows to decrease customer risk to ‘Acceptable’, then the account is confirmed and activated;
The confirmation of the activation will be sent to the customer’s email and since that ongoing monitoring of the account commences.

Rejection of a Customer Application

Applications are rejected from the following persons:

Natural persons whose name(s) appear on sanction or boycott lists issued by the OFSI, United Nations, the European Union, and similar organizations (such as OFAC, FATF, Bank of Lithuania, UN, EU);
Natural persons who are known or suspected money launderers or terrorist financiers no matter how their business or occupation is described;
Natural persons determined to have used photoshop, fake documents or otherwise tampered documents;
Natural persons unwilling to provide additional information or documentation upon Compliance request;
Natural Persons and Legal Entities which performs the business activities which falls out of the risk appetite of Trastra, due to its High Risk of money laundering, terrorism financing and fraud.

Shell banks prohibition of cooperation

Shell banks are banks that have no physical presence (i.e., meaningful mind and management) in the country where they are incorporated and licensed and are not affiliated to any financial services group that is subject to effective consolidated supervision.

Cooperation, which means usage of the financial services provided by Shell banks or providing these types of organizations with our services, is prohibited.

RISK-BASED APPROACH: AML RISK ASSESSMENT

General risk assessment AML

The Company maintain comprehensive and continuous risk assessment of its services, proactive and holistic approach to monitoring, and the Company’s resources are directed proportionately in accordance with the extent of the financial crime risks posed, so that the business, products and customers posing the highest risks receive the highest attention.

The extent of the CDD requirements will be determined on a risk-sensitive basis, depending on the customer and its activity.

The RBA of the company involves the identification, recognition, assessment, categorization and ranking of financial crime risks and the establishment of reasonable controls for the prevention and management of such risks. The RBA entails the implementation of a framework which consists of several steps:

identifying and assessing risks;
managing and controlling risks;
monitoring controls; and
recording the actions taken.

The identification and assessment of risks is an ongoing procedure, since risks change over time, depending on how circumstances develop and how threats evolve.

Risk level and Due Diligence

The risk profiling is performed by the Company based on the information collected by it. The risk profiling depends on type of relationship:

potential customer/partner;
one off customer/partner;
occasional customer/partner;
permanent customer/partner.

The risk score is assigned based on the type of product/service offered and the type of business the customer/partner is operating. High risk customers/partners, included in the following borderline industries, will be subject to enhanced Compliance due diligence and monitoring:

gambling;
funds remittance;
forex;
other risks.

The Company assigns its own risk score for partners.

The risk assessment for customers is dynamic and continuously performed The risk profiling is based on the Asset Vulnerability Threat Analysis and aims to divide customers of the Company into low, medium, high risk customers category.

Each risk level is assigned to a particular depth of Due Diligence and approval.

Transactions or customers which are in a high risk category need approval of the senior management, when the MLRO will propose them as potential customers after the previous review of the latter .

Risk assessment of new products from AML CTF perspective

A new product implies an extension of business activities that will have an impact on the work process as well as the risk or profit situation of the Company. This is particularly the case if in comparison to the products traded so far, the new product leads a new type of risk, new markets or a change in the risk profile, or if not, empirical information is available on the inherent risk.

We also speak of a new product if a planned transaction cannot be properly mapped by means of existing systems and methods. The introduction of a new parameter for an existing product is to be treated in the same manner as when launching a new product to enable the measurement and analysis of the additional risk involved, such as risks created by correlations or new time series.

When the parameters of an existing product are modified, and the modification is not increasing the Company’s risk, this change is not regarded as a new product.

All the specialised units concerned must be informed and must be involved in the product launch. This applies particularly to Compliance.

The AML risks associated with a new product will be assessed mainly by the following categories:

Transparency: e.g., possibility for the beneficial owner to remain anonymous or hide the identity;
Complexity: e.g., multiple third parties and multiple jurisdictions are involved;
Value and size: e.g., cash intensive, possibility of high value transactions;
Delivery channel: e.g., directly face to face, directly non-face to face, through intermediaries; and
Customer base risk: e.g., target audience profile.

Dynamic customer risk

The company realizes that the initial Customer Risk Profile is a starting point in assessing risks of a business relationship. In the course of time and customer activity, there are new factors that should be considered in order to effectively mitigate financial crime risks and develop KYC program.

The following factors could be considered during business relationship with a customer. These factors can either decrease or increase the customer risk profile score.

New customer vs. old customer;
Expected activity vs actual activity;
Expected volume and frequency of transactions vs. actual volume and frequency of transactions;
Level of verification/trust achieved (satisfactory EDD outcome);
Expected turnover vs. actual turnover;
Adverse media discoveries;
History of red flags for suspicious activity (regardless of the fact how it was resolved);
PEP status (updates in lists);
Sanction status (updates in lists);
Updates in geographic location/residency;
Customer behavior (non-cooperative, abusive to employees);
Change in financial behavior.

The Company realizes that it is quite complex to quantify the customer risk profile taking into consideration all circumstances surrounding the customer and the customer activity to decrease the risk of financial crime; however, the Company has implemented monitoring procedures that are able to alert of many unusual patterns and scenarios of high risk, in order to mitigate them.

ONGOING MONITORING PROCESS

The company recognizes the risks relevant to its business model and operations and uses internal solutions for monitoring. One of the vital processes for this task is an ongoing monitoring of customer activity.

Suspicious Activity: Characteristics and Red Flags

Suspicious activity is any activity that might involve or relate to illegal actions and can vary from one transaction to another based on the circumstances around the transaction or group of transactions. Suspicious activity might have the following characteristics

involves funds derived from illicit activity with the intent to hide or disguise the illicit funds;
designed to pass by the AML requirements, whether through structuring or other means;
does not bear an evident business purpose.

Examples of suspicious activity include, but not limited to:

Patterns of repetitive transactions that do not appear to have a reasonable explanation / lawful purpose;
High rates of unauthorised returns/chargebacks;
Other transactions that are unusual or non-typical for a particular customer;
Unexpected increase in the turnover per user or per a specific service;
Transactions involving money from criminal activity;
Transactions intended to use the Company’s services to facilitate criminal activity;
Altering a transaction to avoid technical thresholds;
Structured transactions (transaction that has been modified- split into series of smaller transactions).

In addition, some red flags of suspicious activity may include, but not limited to:

Customer uses a fake ID;
Two or more customers use similar IDs;
Customer alters a transaction upon learning that they must show ID;
Customer alters spelling or order of their full name;
Awareness or suspicion that a customer is conducting multiple bill payment transactions just below relevant thresholds;
Two or more customers work together to break one transaction into two or more smaller transactions;
Customer refuses to provide customer-identifying information when required by the Company;
Split transfers – one transfer is split into few smaller ones;
Services are being used by an organised interconnected group of people – a group of people which may have connection via one sender or receiver;
Customer is having difficulties to explain the source of the funds;
Customer is trying to avoid being questioned — non-cooperative;
The customer is too interested in the AML regime, and the threshold for inspections;
The customer offers a great commission for obvious business reason.

Automated systems - The AML filters for real life monitoring

The Company uses an automatic internal monitoring system which allows Real-time alerts, for monitoring of transactions against sanctions lists and Post Monitoring alerts, for monitoring transactions triggered by a given frequency and amounts outlined as an unusual transaction scenario. The AML filters are designed by the Compliance department and can be updated/changed/added when required to the transaction flow.

When a Real-time alert is generated, the transaction is blocked and it is sent for review to the Compliance Specialist which will review if there is or not a true match. If it is false positive, the transaction is allowed to continue its flow. If the Real-time alert results a true positive, the transaction is rejected and the case is escalated to the MLRO to proceed to report it as a suspicious activity report (SAR) to the Financial Intelligence Unit (FNTT from Lithuania) and proceed with the account termination.

When a Post Monitoring Alert is triggered, an investigation case will be opened for the review of the Compliance Specialist, which will review the alerted transaction, review and consider its rationale with the available information from customer’s KYC and evaluate if such information is sufficient to explain the unusual transaction activity.

If after the evaluation the Compliance Specialist reviewing the Post Monitoring case, estimates that the available information is insufficient to explain the rationale behind the transaction, it will require the customer for further information/documentation/evidence which are necessary to understand or ascertain the suitability of it given the customer’s profile. If after such a request of information is completed, the Compliance Specialist estimates that information provided or available is insufficient to explain the rationale behind the alerted transaction, the case will be escalated to the MLRO for decision taking which can involve a report of suspicious activity report (SAR) to the FYU (FNTT) and or proceed with the customer’s account termination.

Even with the availability of Real Time and Post Monitoring Alerts, each employee dealing with transactions and customers (e.g., Finance, Customer Support, IT, Compliance) has been given awareness through training sessions about its responsibility for detecting and reporting suspicious activities to the MLRO or the Compliance Team through available whistleblower channels. If employees recognise any of the red flags during a transaction, they should:

report any detected suspicious activity (along with supporting documents) to the Compliance department or MLRO;
not advise a customer that the employee suspects suspicious activity or that a SAR will probably be filed (for instance, if a customer is attempting to structure a transaction when the initial one was rejected by the system). This is known as ‘Tipping Off’ and carries severe penalties;
be alert for suspicious activity in their daily activities;
not tell customers about the regulatory reporting and identification requirements;
not suggest that a customer break a transaction into separate transactions to circumvent controls/alerts;
If a Customer or potential Customer inquiries about the STR filing process or the reasons for his transaction having been rejected (if the reason is a potential suspicious activity), the employee must reply that the customer shall refer himself to the terms and conditions of the Service Agreement without giving more details;
If the individual persists, the employee must report this event to the MLRO, who will determine further actions to be taken.

Post Monitoring Alerts Analysis by Compliance

The Compliance department analyses all detections which were generated by the automatic AML filters daily;
Based on the analysis of detections, decisions about the EDD of customers can be made;
The Compliance department analyses the onboarding statistics to determine inconsistencies (e.g., Multiple registrations from the same country, almost duplicated profiles);
Compliance may request IT to generate various reports with selected data profiles for analysis;
Compliance analyses the amount of alerts and unblocked transaction to understand the efficiency of a certain AML filter;
Compliance will analyse the automated monitoring process to identify if any changes to filters are needed;
Based on historical data, Compliance generates the necessary requirements for changes in the system, , new alerting scenarios, procedures or features.

Protocol of actions upon detecting Suspicious activity

Upon detection of suspicious activity or suspicious transaction during automatic or manual monitoring or at any other moment of operations, the following actions are taken:

A transaction is blocked in the Compliance module if it is the result of automatic monitoring;
The customer account is temporarily deactivated if necessary;
Hold on funds is realized if necessary;
A relevant mitigating measure is applied in order to decrease the transaction risk level (e.g., EDD, re-confirmation of identity);
Investigation is conducted if necessary, especially based on the change in financial behaviour of a customer (reconfirm identity);
Customer is blacklisted if EDD is not satisfactory and account stays deactivated;
Internal SAR is submitted if EDD is not satisfactory;
External SAR is submitted subject to the MLRO’s final decision;
If EDD is satisfactory, the transaction is unblocked, funds released, account is activated.

The Company will not carry out a transaction that is suspected or known to be related to ML/FT until they report it to the FYU (FNTT) and this entity responds that it is possible to continue or not with the transaction.

After acknowledging the receipt of the information, the FNTT will determine whether the execution of the transaction should be delayed or blocked/rejected.

REPORTING

Internal Reporting and SAR Procedure

Identification of Suspicious activity by employees: Internal Reporting

All employees are provided with AML training which educates on the red flags which should be reported to Compliance department;
The relevant information should be provided to Compliance department with the comments of the employee who identified the suspicious activity;
A comment can be included in the customer communication ticket or subtask is created;
The ticket is then assigned to Compliance department for investigation;
The Head of Compliance department assigns an investigator to the case;
Upon carrying out an initial investigation, the investigator decides whether to proceed to create an internal SAR;
If the Suspicious Activity involves an employee, the internal SAR should be immediately made available to the MLRO in any format.

Identification and investigation of Suspicious Activity by Compliance: Internal SAR Procedure

Compliance employees are provided with AML training so that they may identify suspicious activity at the onboarding stage or during monitoring;
A ticket is created in the internal ticketing system by the Compliance employee;
The Suspicious activity is investigated;
The relevant documentation and communication should be included in the internal report if necessary;
If the investigation is not satisfactory, the investigator presents a SAR to the MLRO.

The internal SAR should contain:

a documented outline of the research that has been undertaken into the transaction and the information that is held in relation to the customer;
a list of any documents examined during the enquiry (which should also be retained with this record);
what conclusions have been drawn from their findings;
what decisions have been reached as regards whether to disclose;
how conclusions have led to that decision;
the date and time of the final completion of the record.

If the MLRO decides not to file an external SAR, the reason should be kept on record together with the internal SAR.

External SAR (report to FNTT) Procedure

When all the applicable information gathered is analysed and documented by the MLRO and they decide that a SAR is required, the information should be described in the SAR.

It is the MLRO’s responsibility to file a SAR. Therefore, they must ensure that all relevant information is verified, disclosed with the SAR and compliant with the legal requirement. The information generated is crucial and plays an important basis for identifying a potential illegal activity such as money laundering and terrorist financing hence, it should be as accurate and complete as possible. It assists the responsible authority in detecting and preventing the flow of illicit funds through the financial systems.

SAR’s Content

The SAR should include all the related information and information obtained through the account opening process and through the ongoing monitoring process. The SAR should identify six elements of information which are the following:

Who is conducting the suspicious activity? – Describe the suspect/s, including occupation and nature of the suspect’s business(es). As much information about the suspect must be included, for example primary and secondary or other known addresses including post office box numbers, identification such as a passport, driver’s license number.
What instrument or methods are being used to facilitate the suspicious transaction? This requires a description of what was used to facilitate the suspicious activity, for example, wire transfer, debit cards, internal transfer etc. In some cases, different methods may have been used and will need to be disclosed. The flow of funds must include the original source of funds. In describing the movement of funds, identify all account numbers at financial institutions affected by the suspicious activity.
When did the suspicious activity take place? – If activity took place over a period, indicate the date when the suspicious activity was first noticed and describe the duration of the activity. Describe the flow of funds by stating the individual dates and amounts of transactions in the narrative.
Where did the suspicious activity take place? – Use the narrative to indicate whether multiple financial institutions or a single financial institution were involved in the suspicious activity providing addresses of those locations.
Why does the reporting officer think the activity is suspicious? – Describe as fully as possible, why the activity or transaction is unusual for the customer, considering the product or service used normally by the customer.
How did the suspicious activity occur? – Use the narrative section to describe the method of operation of the subject conducting the suspicious activity, in a concise, accurate and logical manner, describe how the suspect transaction or pattern of transactions was committed.

A SAR should provide a full complete picture of the suspicious activity involved, for example is there suspicion of structuring of wire transfers. Information should include: dates, destinations, amounts, accounts, frequency and beneficiaries or originators of funds. A SAR is filed according to the procedure provided by the FCIS.

The record of a SAR is kept in the customer Profile in the digital form and/or in the hard copy format.

Obligatory reports

The Firm’s MLRO also shall be notified in case when daily value of the Customer’s transaction(s) is equal to or exceeds €15,000 or the equivalent amount in foreign or Virtual Currency, regardless of whether the transaction is concluded in one or more related transactions. After receiving this type of notification the Firm’s MLRO within 7 working days shall send report to the FCIS. Such report shall include at least the following information:

the data confirming the Customer’s identity, and where the transaction is carried out through a representative – also the data confirming the identity of the representative;
the amount of the transaction(s);
the currency in which the transaction was executed;
the date of execution of the transaction;
the manner of execution of the transaction;
the entity for whose benefit the transaction was executed (if it’s possible);
other data specified in the relevant FCIS instructions.

Tipping off

All the company’s employees are given the awareness of what constitutes a Tipping Off activity in the Training Activities deployed.

The employees are told that they will commit an offence which may incur a sanction up to termination of contract and or a lawsuit, if they disclose any information that is likely to prejudice any actual or contemplated investigation following a report to our customers or another third party.

INFORMATION SHARING

Cooperation with state agencies

Any request from a governmental authority / enforcement agency will be addressed to the MLRO who is responsible for the proper and timely response to such requests. Generally, such requests relate to a transaction/transactions or a particular customer’s activities. The MLRO or delegated senior Compliance employee will prepare the Company’s answer to the request within three [3] business days, unless a shorter term is specified in the request.

The requests must contain the following attributes in order to be considered as precedent to be answered:

The third party requesting the info has a special agreement signed with the company and has signed NDAs or it is faculted to do such requests according to the regulation or law.
The third party discloses in the request the laws which grants them the right to do such information requests.
The third party discloses in the request the reason under which they are requiring such information (i.e. Investigation for Fraud, ML TF or other crime)
The third party indicates that this information request shall be maintained in strict confidence, without divulging the Data Subject (the Customer from whom the information has been requested) about the information request.

Sharing information with other Financial Institutions

The Company will share transactional information with other licensed financial institutions regarding individuals, entities, organizations and countries for purposes of identifying and, where appropriate, reporting activities that the Company suspects may involve possible terrorist activity or money laundering, provided that:

It is a licensed financial institution;
The licensed financial institution has legally binding confidentiality obligations before this Company, with respect to the shared information; and
The licensed financial institution is subject to the confidentiality obligations imposed by applicable law.

No other information sharing with any third-party financial institution will be done by the Company.

The Company and each of its employees will ensure that any information received from another financial institution will not be used for any purpose other than:

identifying and, where appropriate, reporting on money laundering, terrorism financing or fraudulent activities;
determining whether to engage in a transaction; or
assisting the Company in complying with this Policy.

EMPLOYEES

The company is required to ensure that all employees are aware of their legal obligations and internal policies related to Anti-Money Laundering. Therefore, training and education are considered as the most important priorities in The Company AML program. The aim of such training is to ensure that employees can recognise, and handle transactions carried out by, or on behalf of, any person who may have been, is, or appears to be engaged in money laundering.

Training is provided to the employees whose duties include the handling of either relevant financial business irrespective of their level of seniority, in view of the fact that such employees will be in a position to detect transactions which may be related to ML/FT. This includes directors, senior management, the MLRO him/herself, compliance staff and generally all members of staff involved in the activities of the company which fall within the definition of relevant financial business and relevant activity.

The Institution also ensures that appropriate procedures are in place when hiring new employees as Know your Employee (KYE), where sanction screening and adverse media checks are conducted previously to be recruited.

Employee checking and vetting

During the hiring process the following might be requested from a potential employee:

professional references;
employment history;
confirmation of qualifications.

A Non-Disclosure Agreement is signed separately with each employee as part of their Contract of Employment.

Training program

The Company will ensure that its employees are familiar with key Compliance requirements applicable to the Company’s activities. Training will be arranged by the Head of Compliance department on an annual basis, unless extraordinary training is required. Training can be conducted by the Head of Compliance department or another delegated senior Compliance employee.

Training is conducted face to face or via conference call.

The Head of Compliance department will develop an ongoing employee Compliance training program, that will explain:

the requirements of the policy, and principles and procedures related to Compliance;
record-keeping and reporting obligations;
guidance in identifying suspicious activity or transactions conducted with an intention to avoid record-keeping or reporting requirements;
guidance in identifying money laundering operations;
the procedure to be followed once a suspicious activity is identified (including how, when and to whom to escalate AML red flags for analysis);
what the employees’ roles are in the Company’s Compliance effort and how to perform them;
the disciplinary consequences (including civil and criminal penalties) for non-Compliance.

There are 3 levels of standard training programs targeting various employees/departments depending on their responsibility and the level of access to data (Access Rights) in the Company.

Level 1: Mandatory annual training for all employees and for all newcomers.

Level 2: Specialized AML CTF training activities for the Compliance Department, provided by the MLRO

Level 3: Specialized AML CTF training activities for the Compliance Department, provided by third parties (Seminars from ACAMS, FNTT, LT Fintech Hub and other related entities).

The Head of Compliance department will maintain records of staff training, the dates, and the subject matter of their training.

RECORD RETENTION

List of documents

The Company will keep the following documents and records for eight (8) according to the Lithuanian regulation:

Copies of, or references to, the evidence obtained of a customer’s identity for eight years after the end of the customer relationship;
Details of customer transactions for eight years from the date of the relevant transaction;
Records of all AML/CTF training delivered;
Details of actions taken in respect of internal and external suspicion reports;
Details of information considered by the MLRO or his nominee in respect of an internal report where no external report is made.

SAR storage

All internal and external SAR filings and copies of supporting documentation are segregated by the Head of Compliance department from other Company books and records to avoid unauthorised disclosure of those documents.

Records and reports are stored separately from all other Company confidential information and documentation, including SARs.

Disposal Procedures

Documents no longer required to be retained will be disposed of in accordance with the Company’s Information Security Policy, including:

electronic documents will be deleted without a recovery option, and
the paper documents will be shredded.

Disposition will be made and recorded by the Head of Compliance department, and the records of disposal will be maintained for eight [8] years.

AUDIT OF THE CURRENT AML CTF Program

The Head of Compliance department is responsible for annually reviewing and assessing this policy. The Head of Compliance department will keep a record of this procedure and protocol the results. Based on the results of this audit, the Head of Compliance department will suggest the necessary amendments for internal procedures and controls which will be presented at the next Board meeting for the approval of necessary policy amendments and operational changes.
Using statistical data, records and testing, the audit will include, but not be limited to, the evaluation of the following:
- Customer types;
- Duration of business relations;
- Number and nature of new accounts;
- Number of closed and blocked accounts;
- Analysis of international activity: customer locations and transaction jurisdictions;
- Review the strength of screening systems;
- List of approved PEPs;
- Transactions data: amount, velocity for each product/service;
- High value transactions;
- Review of initial risk profile score;
- Assessment of random customer accounts and their activity;
- Assessment of random transactions and their AML Compliance;
- Review of internal and external SARs;
- Review amount of external Compliance requests (from authorities and other FIs);
- AML employee’s expertise and coverage;
- Reviews of training records and scheduling training program for the next calendar year;
- Review AML audits from previous years to assess the progress and efficiency of changes.