PAYBILLA Estonia OÜ
RULES OF PROCEDURE AND INTERNAL CONTROL RULES OF VIRTUAL CURRENCY WALLET SERVICE PROVIDER
For implementation of Money Laundering and Terrorist Financing Prevention Act and implementation of International Sanctions Act
Tallinn 2019
GENERAL PROVISIONS AND DEFINITIONS
These rules of procedure (hereinafter the Rules of Procedure) regulate the activities of PAYBILLA Estonia OÜ for the implementation of the Money Laundering and Terrorist Financing Prevention Act (hereinafter the MLTFPA) and the implementation of the International Sanctions Act (hereinafter the ISA). The Rules of Procedure have been established by a resolution of shareholders of PAYBILLA Estonia OÜ.
In these Rules of Procedure, the following definitions have the following meaning:
Money laundering means:
- the conversion or transfer of property derived from criminal activity or property obtained instead of such property, knowing that such property was derived from criminal activity or from an act of participation therein, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions;
- the acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein;
- the concealment or disguise of the true nature, origin, location, disposition, movement or right of ownership or other rights with respect to property derived from criminal activity or property obtained instead of such property, knowing that such property was derived from criminal activity or from an act of participation therein.
Terrorist financing means the financing and supporting of an act of terrorism and commissioning thereof within the meaning of § 2373 of the Penal Code.
Beneficial owner means a natural person who, taking advantage of their influence, makes a transaction, act, action, operation or step or otherwise exercises control over a transaction, act, action, operation or step or over another person and in whose interests or favour or on whose account a transaction or act, action, operation or step is made.
Private limited company means the virtual currency wallet service provider, which is an obliged entity for the purposes of the MLTFPA.
Business relationship means a relationship that is established upon entry into a long-term contract by an obliged entity in economic or professional activities for the purpose of provision of a service or sale of goods or distribution thereof in another manner or that is not based on a long-term contract, but whereby a certain duration of the relationship could be reasonably expected at the time of establishment of the contact and during which the obliged entity repeatedly makes separate transactions in the course of economic or professional activities while providing a service or professional service, performing professional acts or offering goods.
Customer means a person who has a business relationship with an obliged entity.
Staff means an employee of the Private Limited Company, head of the Private Limited Company, members of the management board, members of the supervisory board.
Compliance officer means a person appointed by the management board to act as a contact person of the Financial Intelligence Unit. A member of the management board or another Staff member of the Private Limited Company may act as a compliance officer.
Person means a natural or legal person who wants to enter into a contract with the Private Limited Company for using the Services provided by the Private Limited Company, but who has not yet been identified by an Employee of the Private Limited Company.
Financial Intelligence Unit means an independent structural unit of the Police and Border Guard Board (an up-to-date definition in accordance with § 53 of the MLTFPA).
Politically exposed person means a natural person who is or who has been entrusted with prominent public functions, including a head of State, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d'affaires and a high-ranking officer in the armed forces; a member of the management board and an administrative or supervisory body of a State-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organisation, except middle-ranking or more junior officials.
Risk appetite means the total of the exposure level and types of the Private Limited Company, which the Private Limited Company is prepared to assume for the purpose of its economic activities and attainment of its strategic goals and which is established by the management board of the Private Limited Company in writing.
- MANDATORY NATURE OF IMPLEMENTATION OF MLTFPA
The Private Limited Company as a virtual currency wallet service provider agrees to follow these rules of procedure as provided by clause 2 (1) 11) of the Money Laundering and Terrorist Financing Prevention Act and clause 6 5) of the International Sanctions Act.
The management board of the Private Limited Company agrees to ensure that each Staff member comply with the requirements provided by these Guidelines, the MLTFPA and legal acts issued on the basis thereof. Staff members of the Private Limited Company must know and comply with legal acts and relevant guidelines of authorities and independently examine amendments to legal acts and guidelines.
A Staff member is personally responsible for the compliance with the requirements arising from the MLTFPA and these Guidelines. Failure to comply with the requirements may result in the termination of the employment contract as well as punishment pursuant to misdemeanour or criminal procedure.
- Management of risks relating to money laundering and terrorist financing
- The Private Limited Company has clearly defined areas of responsibility and functions for ensuring the obligations provided by the MLTFPA and ISA at the level of both the management and the Employee.
- The management board of the Private Limited Company verifies that the Rules of Procedure are up to date regularly once a year and, if necessary, supplements them or establishes new rules of procedure, taking into account the written overview prepared by the Compliance Officer on the compliance with the Rules of Procedure.
- It is prohibited to establish a Business Relationship or make a Transaction if:
- the Person wants to pay in cash or the object of the Transaction is more than 10,000 euros or an equivalent amount in another currency, regardless of whether the pecuniary obligation is performed in the Transaction as a single payment or as several interrelated payments within a period of up to one year and the Person does not submit documents and relevant information required for the implementation of due diligence measures;
- the submitted documents or other information make an Employee suspect money laundering or terrorist financing. An Employee immediately notifies of the suspicion the Compliance Officer who is being guided in their further activities by the provisions of clause 20 of the Rules of Procedure.
- An Employee has the right to refuse to execute a Transaction if the Person, regardless of a corresponding request, does not submit the documents that certify the legal origin of the money or other property being the object of the Transaction.
- A Business Relationship may be cancelled on an extraordinary basis without following the term for advance notice if the Customer does not submit, regardless of a corresponding request, documents and relevant information or if the submitted documents and data do not dispel the suspicion that the purpose of the Transaction or Business Relationship may be money laundering or terrorist financing.
- Information about the refusal to establish a Business Relationship or make a Transaction and the circumstances of the termination of the Business Relationship and/or information about the suspicion of money laundering or terrorist financing is registered and retained pursuant to the procedure provided by the Rules of Procedure.
- Once a year the Compliance Officer prepares for the management board a written overview of the compliance with the Rules of Procedure that includes:
- a list of the notices submitted to the Financial Intelligence Unit;
- precepts issued by the Financial Intelligence Unit in respect of the Private Limited Company or its Customers;
- completed or pending proceedings conducted in respect of the Private Limited Company and regarding the prevention of money laundering and terrorist financing and complying with an international sanction;
- proposals for amending the Rules of Procedure;
- other observations and proposals for improving the work organisation of the Private Limited Company in order to ensure that the obligations arising from legal acts are met.
- Assessment of risks relating to money laundering and terrorist financing and determining level of applicable due diligence measures upon providing virtual currency wallet service
- Upon establishing a Business Relationship, during it as well as upon making Transactions, risks must be assessed as follows:
Upon assessing the nature of the Business Relationship or Transaction: - the purpose of establishing the Business Relationship or the Transaction and the understandability thereof;
- the Transaction value;
- the sensitivity of the Service to be provided;
- the connection of the Business Relationship or Transaction with the countries or territories in respect of which an international sanction has been imposed, where the measures for the prevention of money laundering and terrorist financing are not sufficient or which, according to reliable resources, are connected with supporting terrorist activities, or where the corruption level is high;
- the circle of people participating in the Transaction and the possibility and reliability of identifying that;
- the division of Transaction-related costs between different people;
- the transparency of the Transaction (including the identifiability of the origin of the funds serving as a basis for the transaction);
- the possibility and reliability of identifying the owner of the Transaction object;
- the expected duration of the Business Relationship.
Upon assessing the Customer participating in the Business Relationship or Transaction: - the connection of the Customer with the countries or territories in respect of which an international sanction has been imposed, where the measures for the prevention of money laundering and terrorist financing are not sufficient or which, according to reliable resources, are connected with supporting terrorist activities, or where the crime or corruption level is high;
- in the case of a legal person, the complexity of its structure;
- the possibility and reliability of identifying the circle of beneficial owners of the Customer;
- the proportion of bearer shares;
- the tax system and amount of taxes of the Customer’s location or area of operation;
- the Customer’s political background and connection with politically exposed persons;
- the financial sanctions imposed on the Customer;
- earlier suspicions about the Customer’s connections with money laundering or terrorist financing;
- the type and turnover of the Services provided by the Private Limited Company to the Customer;
- the expected duration of the Business Relationship.
- Four risk categories must be considered in assessing the level of the risk of money laundering and terrorist financing:
- geographic risk;
- Customer risk;
- Transaction-related risk;
- risk related to communication or mediation channels or transmission channels of Transactions.
- As a result of the risk assessment, the Private Limited Company establishes:
- the fields of a lower and higher risk of money laundering and terrorist financing;
- the Risk Appetite, including the volume and scope of the services provided in the course of business activities;
- the risk management model, including simplified and enhanced due diligence measures, in order to mitigate identified risks.
- Applicable due diligence measures are chosen as follows:
- tlow risk level – simplified due diligence measures;
- tusual risk level – usual due diligence measures;
- thigh risk level – enhanced due diligence measures.
- The risk of money laundering or terrorist financing is considered high if a suspicion arises, for any reason, that the Person, Customer or the Transaction to be made by the Customer may have a connection with money laundering or terrorist financing.
- If any such circumstances become evident in the case of the Person, Customer or Transaction that refer to a higher risk, the enhanced due diligence measures specified in clause 8 of the Rules of Procedure must be implemented.
- The situations that refer to a higher risk with regard to a Person and Customer are, above all, such where:
- the Business Relationship is based on unusual factors, including in the event of complex and unusually large Transactions and unusual transaction patterns that do not have a reasonable, clear economic or lawful purpose or that are not characteristic of the given business specifics;
- the Person or Customer is a resident of a higher-risk geographic area listed in clause 4.9 of the Rules of Procedure;
- the Person or Customer is a legal person or another association of persons that does not have the status of a legal person, which is engaged in holding personal assets;
- the Person or Customer is a legal person registered in a low tax rate area;
- the Person or Customer is a cash-intensive business;
- the Person or Customer is a company that has nominee shareholders or bearer shares or a company whose affiliate has nominee shareholders or bearer shares;
- the Person or Customer has been entered in the list kept by the UN or the European Union of persons against whom international financial sanctions are applied;
- the ownership structure of the company who is the Person or Customer appears unusual or excessively complex, given the nature of the company’s business;
- it is known beforehand in respect of the Person or Customer that they may be involved in money laundering or terrorist financing.
- The situations that refer to a higher risk with regard to a Transaction or transmission channel are, above all, such that constitute:
- the execution or mediation of a Transaction that may favour anonymity or the purpose of which is the concealment of the actual parties to the transaction or the actual owner of the object of the transaction;
- a Transaction that involves the exchange of funds received from unknown or unassociated third parties;
- payment for a Transaction in cash by a person who is not a Customer;
- a Transaction that does not have any understandable reasonable business, economic, tax-related or legal purpose;
- a Business Relationship or Transaction that is established or initiated in a manner where the Customer, the Customer’s representative or a party to the Transaction is not met physically in the same place and their identity is not verified using information technology means;
- new business practices, including the use of a new transmission mechanism or new or developing technology for both new and pre-existing services.
- A factor increasing the geographic risk is deemed to be a situation where the Person, Customer or the Transaction itself is connected with a following country or jurisdiction:
- that, according to reliable sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective AML/CFT (anti-money laundering and countering the financing of terrorism) systems;
- that, according to reliable sources, has significant levels of corruption or other criminal activity;
- that is subject to sanctions, embargoes or similar measures established by, for example, the European Union or the United Nations;
- that provides funding for or supports terrorist activities, or that has terrorist organisations operating within their territory, as identified by the European Union or the United Nations.
- A risk related to a Person or Customer is considered low if the Customer or Person is:
- a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
- a legal person governed by public law and established in Estonia;
- a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
- an institution of the European Union;
- a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area or a third country, which in its country of location is subject to requirements equivalent to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
- a person who is a resident of a country or geographic area having the characteristics specified in clause 4.11.
- A Transaction-related risk is considered low if:
- The funds serving as a basis for the Transaction have been transferred to the bank account of the Private Limited Company via an account that has been opened in the name of the Customer in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equivalent to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in effect.
- A geographic risk is considered low if the Person or Customer is from or their place of residence or seat is in a following country:
- a contracting state of the European Economic Area;
- a third country that has effective AML/CFT systems;
- a third country where, according to reliable sources, the level of corruption and other criminal activity is low;
- a third country where, according to reliable sources such as mutual evaluations, reports or published follow-up reports, AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force have been established and where the requirements are effectively implemented.
- A risk related to communication channels and transmission channels of services is considered low if the Person or Customer uses the solutions that are generally known and approved by the Private Limited Company for communicating with the Private Limited Company and the Transactions are only made via the software of the Private Limited Company.
- Assessment of risks relating to money laundering and terrorist financing and determining level of applicable due diligence measures upon providing Service
- Upon establishing a Business Relationship, during it as well as upon providing the Service, risks must be assessed as follows:
Upon assessing the nature of the Business Relationship: - the purpose of establishing the Business Relationship and the understandability thereof;
- the connection of the Business Relationship with the countries or territories in respect of which an international sanction has been imposed, where the measures for the prevention of money laundering and terrorist financing are not sufficient or which, according to reliable resources, are connected with terrorist financing, or where the corruption level is high;
- the circle of people using the Service and the possibility and reliability of identifying that;
- the division of Service-related costs between different people;
- the transparency of using the Transaction (including the identifiability of the origin of the funds used);
- the possibility and reliability of identifying the user of the Service;
- the expected duration of the Business Relationship.
Upon assessing the Customer participating in the Business Relationship or using the Service: - the connection of the Customer with the countries or territories in respect of which an international sanction has been imposed, where the measures for the prevention of money laundering and terrorist financing are not sufficient or which, according to reliable resources, are connected with supporting terrorist activities, or where the crime or corruption level is high;
- in the case of a legal person, the complexity of its structure;
- the possibility and reliability of identifying the circle of beneficial owners of the Customer;
- the proportion of bearer shares;
- the tax system and amount of taxes of the Customer’s location or area of operation;
- the Customer’s political background and connection with politically exposed persons;
- the financial sanctions imposed on the Customer;
- earlier suspicions about the Customer’s connections with money laundering or terrorist financing;
- the turnover of the Service provided by the Private Limited Company to the Customer;
- the expected duration of the Business Relationship.
- Four risk categories must be considered in assessing the level of the risk of money laundering and terrorist financing:
- geographic risk;
- Customer risk;
- Service-related risk;
- risk related to communication or mediation channels or transmission channels of the Service.
- As a result of the risk assessment, the Private Limited Company establishes:
- the fields of a lower and higher risk of money laundering and terrorist financing;
- the Risk Appetite, including the volume and scope of the services provided in the course of business activities;
- the risk management model, including simplified and enhanced due diligence measures, in order to mitigate identified risks.
- Applicable due diligence measures are chosen as follows:
- low risk level – simplified due diligence measures;
- usual risk level – usual due diligence measures;
- high risk level – enhanced due diligence measures.
- The risk of money laundering or terrorist financing is considered high if a suspicion arises, for any reason, that the Person, Customer or the Service to be used by the Customer may have a connection with money laundering or terrorist financing.
- If any such circumstances become evident in the case of the Person, Customer or use of the Service that refer to a higher risk, the enhanced due diligence measures specified in clause 8 of the Rules of Procedure must be implemented.
- The situations that refer to a higher risk with regard to a Person and Customer are, above all, such where:
- the Business Relationship is based on unusual factors, including making complex and unusually large transfers when using the Service and in the event of unusual transaction patterns that do not have a reasonable, clear economic or lawful purpose or that are not characteristic of the given business specifics;
- the Person or Customer is a resident of a higher-risk geographic area listed in clause 5.9 of the Rules of Procedure;
- the Person or Customer is a legal person or another association of persons that does not have the status of a legal person, which is engaged in holding personal assets;
- the Person or Customer is a legal person registered in a low tax rate area;
- the Person or Customer is a cash-intensive business;
- the Person or Customer is a company that has nominee shareholders or bearer shares or a company whose affiliate has nominee shareholders or bearer shares;
- the Person or Customer has been entered in the list kept by the UN or the European Union of persons against whom international financial sanctions are applied;
- the ownership structure of the company who is the Person or Customer appears unusual or excessively complex, given the nature of the company’s business;
- it is known beforehand in respect of the Person or Customer that they may be involved in money laundering or terrorist financing.
- The situations that refer to a higher risk with regard to the Service or transmission channel are, above all, such that constitute:
- a Transaction that is made via the Service and that may favour anonymity or the purpose of which is the concealment of the actual parties to the transaction or the actual owner of the object of the Service;
- payments received from unknown or unassociated third parties to the Customer’s virtual wallet;
- the use of the Service for transactions that do not have any understandable reasonable business, economic, tax-related or legal purpose;
- a Business Relationship or transaction, which is made via the Service, that is established or initiated in a manner where the Customer or the Customer’s representative is not met physically in the same place and their identity is not verified using information technology means;
- new business practices, including the use of a new transmission mechanism or new or developing technology.
- A factor increasing the geographic risk is deemed to be a situation where the Person, Customer or the Transaction itself is connected with a following country or jurisdiction:
- that, according to reliable sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective AML/CFT systems;
- that, according to reliable sources, has significant levels of corruption or other criminal activity;
- that is subject to sanctions, embargoes or similar measures established by, for example, the European Union or the United Nations;
- that provides funding for or supports terrorist activities, or that has terrorist organisations operating within their territory, as identified by the European Union or the United Nations.
- A risk related to a Person or Customer is considered low if the Customer or Person is:
- a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
- a legal person governed by public law and established in Estonia;
- a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
- an institution of the European Union;
- a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area or a third country, which in its country of location is subject to requirements equivalent to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
- a person who is a resident of a country or geographic area having the characteristics specified in clause 5.11.
- A geographic risk is considered low if the Person or Customer is from or their place of residence or seat is in a following country:
- a contracting state of the European Economic Area;
- a third country that has effective AML/CFT systems;
- a third country where, according to reliable sources, the level of corruption and other criminal activity is low;
- a third country where, according to reliable sources such as mutual evaluations, reports or published follow-up reports, AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force have been established and where the requirements are effectively implemented.
- A risk related to communication channels and transmission channels of the Service is considered low if the Person or Customer uses the solutions that are generally known and approved by the Private Limited Company for communicating with the Private Limited Company and the Service is only used by implementing the software of the Private Limited Company.
- General grounds for application of due diligence measures
- The Private Limited Company applies due diligence measures:
- upon the establishment of a Business Relationship;
- upon making Transactions where the value of the Transaction exceeds 15,000 euros or an equivalent amount in another currency, regardless of whether the pecuniary obligation is performed in the Transaction in a single payment or in several linked payments over a period of up to one year;
- if the Private Limited Company is paid or pays in cash more than 10,000 euros or an equivalent amount in another currency, regardless of whether the pecuniary obligation is performed in a single payment or in several linked payments over a period of up to one year;
- upon verification of information collected while applying due diligence measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data collected earlier while updating the relevant data;
- upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided by the Rules of Procedure or the MLTFPA.
- Heightened attention must be paid to the activities of the Person or Customer and to circumstances that refer to money laundering or terrorist financing or that are likely to be associated with money laundering or terrorist financing, including complicated, high-value and unusual Transactions of no reasonable economic purpose.
- The Private Limited Company does not provide the Service to a Person with whom the Private Limited Company has not established a Business Relationship.
- In order to enter into a customer agreement, the Person completes a customer questionnaire with main compulsory data for the establishment and verification of their identity as set out in legal acts. The Person confirms the accuracy of the data set out in the customer questionnaire with their signature under the questionnaire. An Employee saves a completed and signed questionnaire in an electronic folder kept in respect of the Customer.
- An Employee verifies whether the Person is acting on their own behalf or that of another (natural or legal) person. If the Person acts on behalf of another person, an Employee must also identify the person on whose behalf the Transactions are made. If the Person on whose behalf or account the other person is acting cannot be identified, it is prohibited for an Employee to execute the Transaction. An Employee is also required to immediately inform the Compliance Officer.
- The Private Limited Company has appointed a customer manager for each Customer, who supplements, systematises, arranges and updates the folder kept in respect of the Customer as well as the data in electronic databases of the Private Limited Company.
- Applicable due diligence measures are:
- establishment of the Customer’s identity and verification of the submitted information based on information obtained from a reliable and independent source;
- establishment and verification of the identity of the Customer’s representative and their right of representation;
- identification of the beneficial owner and, for the purpose of verifying their identity, taking measures to the extent that allows an Employee to make certain that they know who the beneficial owner is, and understands the ownership and control structure of the Customer;
- understanding of the Business Relationship and, where relevant, collecting additional information thereon, including identifying the permanent seat, place of business or place of residence, profession or field of activity, main transaction partners, payment habits and, in the case of a legal person, also the experience of the Customer;
- gathering information on whether the Customer is a politically exposed person, their family member or a person known to be a close associate;
- gathering information on the reliability of providers of the Service related to a Transaction;
- constant monitoring of the Customer’s Business Relationship, including monitoring Transactions executed during the Business Relationship, regular verification of the data used upon the establishment of identity, updating relevant documents, data and information and, where necessary, identification of the source and origin of the funds used in a Transaction;
- in the case of implementation of simplified due diligence measures – identification of the circumstances serving as a basis for the application of simplified procedure;
- verification of the information submitted upon implementation of enhanced due diligence measures based on information obtained from a reliable and independent source.
- Upon the application of due diligence measures, the circumstances subject to identification are generally determined on the basis of the original documents submitted electronically by the Customer. If an original document cannot be obtained, documents authenticated by a notary or certified by a notary or officially, including by an attorney, may be used. If this is practical in consideration of the risk level, the copy of an original document must be certified with the relevant seal and/or the issuer’s signature and it may be sent electronically (in a format that can be reproduced in writing). A copy may not be relied on if there are suspicions about its correspondence to the original.
- Upon the application of the due diligence measures specified in clause 6.7, the information obtained in a format that can be reproduced in writing from a credit institution entered in the Commercial Register in Estonia or a branch of a foreign credit institution or a credit institution that is registered or whose place of business is in a contracting state of the European Economic Area or a third country where requirements equivalent to those provided by the MLTFPA are in effect may also be relied on (the list of the countries is set out in Annex 3).
- The due diligence measures specified in sub-clauses 1) to 6) of clause 6.7 must be applied before the establishment of a Business Relationship or execution of a Transaction. If a pecuniary obligation associated with a Transaction is performed by making interrelated payments and the general amount of the payments is not known, the identity of the person participating in the Transaction must be established and the submitted information must be verified as soon as the amount in cash exceeds 10,000 euros.
- The identity of the Customer and beneficial owner may be established and the submitted information may be verified during the establishment of the Business Relationship or execution of the Transaction if this is necessary in order not to interrupt the ordinary course of economic activities and if the risk of money laundering and terrorist financing is low. In such a case the application of due diligence measures must be terminated as soon as possible after the establishment of the first contact and before the performance of binding acts.
- The application of due diligence measures results in creating a Customer’s risk profile that specifies the scope of the Customer’s declarations of intention, actual needs and possibilities, risk tolerance and capability for executing respective Transactions. Before establishing a Business Relationship and making Transactions with the Customer, an Employee makes sure that the Service offered is in compliance with the Customer’s actual objectives and that the interests of the Private Limited Company or other Customers are not damaged.
- Before establishing a Business Relationship with a politically exposed person of a contracting state of the European Economic Area or a third country, an Employee must obtain permission for that from the management who decides whether it is practical to establish the Business Relationship and gives instructions for monitoring further Business Relationship with the politically exposed person.
- Before establishing a Business Relationship with a legal person the beneficial owner of which is a politically exposed person of a contracting state of the European Economic Area or a third country, an Employee must obtain permission for that from the management who decides whether it is practical to establish the Business Relationship and gives instructions for monitoring further Business Relationship with the politically exposed person.
- Before establishing a Business Relationship with a legal person the seat of which is in a third country, where no sufficient AML/CFT measures have been taken, or which does not engage in international AML/CFT cooperation, an Employee must obtain permission for that from the management who decides whether it is practical to establish the Business Relationship and gives instructions for monitoring further Business Relationship with the person.
- Before establishing a Business Relationship with a legal person whose activities, persons with the right of representation or beneficial owners are subject to a prior suspicion that the aforementioned persons may be involved in money laundering or terrorist financing, an Employee must obtain permission for that from the management who decides whether it is practical to establish the Business Relationship and gives the Employee instructions for monitoring further customer relationship with the person.
- It is advisable to establish the Customer’s identity in the case of a cash transaction of less than 10,000 euros if:
- the documents or data, which have been collected earlier in the course of establishing identity and verifying the submitted information or updating corresponding data, are insufficient or a suspicion arises that they are not true;
- a reasonable suspicion arises that the money or property used in the Transaction have/has been derived from crime.
- An Employee is required to ask for additional data if not all the Customer’s personal data can be identified on the basis of the submitted documents and, if possible, verify the data through third parties or databases.
- Lists of the persons suspected of terrorist financing can be verified on the website of the Financial Intelligence Unit at https://www2.politsei.ee/et/organisatsioon/rahapesu/finantssanktsiooni-subjekti-otsing-ja-muudatused-sanktsioonide-nimekirjas/ in the ‘International financial sanctions’ subsection.
- Implementation of simplified due diligence measures
- An Employee of the Private Limited Company applies simplified due diligence measures if the risk of money laundering or terrorist financing related to the Customer or Transaction is low.
- A condition for applying simplified due diligence measures is that the Transaction does not allow for anonymity and in the course of it an Employee of the Private Limited Company can immediately apply the due diligence measures specified in the Rules of Procedure (establishment of identity and identification of beneficial owners, identification of the purpose and nature of the Business Relationship and Transaction, constant monitoring of the Business Relationship) if a suspicion of money laundering or terrorist financing arises.
- Simplified due diligence measures are not applied if:
- any suspicion of money laundering or terrorist financing has arisen in any stage of communicating with the Customer;
- it appears from the publicly available information that the risk of money laundering or terrorist financing related to the Customer or Transaction is not low.
- The Customer’s identity may be established pursuant to simplified procedure if the risk assessment has identified that this constitutes a situation of a lower-than-usual risk of money laundering or terrorist financing.
- A factor reducing risks relating to the Customer type can be deemed to be a situation where the Customer is:
- a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
- a legal person governed by public law and established in Estonia;
- a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
- an institution of the European Union;
- a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area or a third country, which in its country of location is subject to requirements equivalent to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
- a company of a contracting state of the European Economic Area or a third country, in respect of which AML/CFT systems are efficiently implemented and the securities issued by which are traded on a regulated securities market in one or several contracting state(s) of the European Economic Area;
- a person who is a resident of a country or geographic area having the characteristics specified in clause 7.6.
- A factor reducing geographic risks is deemed to be a situation where the Customer is from or their place of residence or seat is in a following country:
- a contracting state of the European Economic Area;
- a third country that has effective AML/CFT systems;
- a third country where, according to reliable sources, the level of corruption and other criminal activity is low;
- a third country where, according to reliable sources such as mutual evaluations, reports or published follow-up reports, AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force have been established and where the requirements are effectively implemented.
- Upon implementing simplified procedure when establishing the identity of the Customer or the Customer’s representative and their right of representation as well as verifying the submitted information, the identity of the Customer or their representative may also be verified on the basis of information obtained from a reliable and independent source at the time of establishing a Business Relationship if this is necessary in order not to disturb the ordinary course of business activities. In such a case the verification of identity must be completed as soon as possible and before the performance of binding acts.
- Upon identifying the beneficial owner, establishing their identity, collecting information about the Business Relationship and gathering information on whether the person is a politically exposed person, their family member or a person known to be a close associate, an Employee may, when implementing simplified procedure, choose the scope of performing their obligation and the need to verify the source of information and the data used for that purpose from a reliable and independent source.
- Simplified procedure may be implemented upon monitoring a Business Relationship if a factor characterising a lower risk has been identified and at least the following conditions are met:
- a long-term contract has been entered into with the Customer in writing, electronically or in a format that can be reproduced in writing;
- the Private Limited Company receives payments in the framework of the Business Relationship only via an account held in a credit institution entered in the Commercial Register in Estonia or in a branch of a foreign credit institution or in a credit institution established or having its place of business in a contracting state of the European Economic Area or in a country that applies requirements equivalent to those of Directive (EU) 2015/849 of the European Parliament and of the Council;
- the total value of incoming or outgoing payments of Transactions made in the Business Relationship does not exceed 15,000 euros per year.
- Simplified due diligence measures may not be applied if a suspicion of money laundering or terrorist financing has arisen.
- Implementation of enhanced due diligence measures
- An Employee of the Private Limited Company applies enhanced due diligence measures if such factors exist that refer to a higher-than-usual risk of money laundering or terrorist financing related to the Customer or Transaction.
- Enhanced due diligence measures are implemented always when:
- an Employee suspects money laundering or terrorist financing;
- a suspicion has arisen, upon the establishment of identity or verification of submitted information, regarding the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner;
- the Customer is a politically exposed person, except for a local politically exposed person, their family member or a close associate;
- the Customer is from a high-risk third country or their place of residence or seat is in a high-risk third country;
- the Customer is from such a country or territory or their place of residence or seat is in a country or territory that, according to reliable sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the Financial Action Task Force, or that is considered a low tax rate territory.
- In the case specified in clause 8.2, an Employee must apply at least one of the following enhanced due diligence measures:
- verification of information additionally submitted upon the establishment of identity based on additional documents, data or information originating from a reliable and independent source;
- collecting additional information on the purpose and nature of the Business Relationship or Transaction and verifying the submitted information based on additional documents, data or information originating from a reliable and independent source, including requesting notarial or official certification of the submitted documents;
- collecting additional information and documents regarding the actual execution of Transactions to be made in the Business Relationship, among other things regarding the beneficial owner, in order to rule out the ostensibility of the Transactions;
- collecting additional information and documents for the purpose of identifying the source and origin of the funds used in a Transaction made in the Business Relationship, in order to rule out the ostensibility of the Transactions;
- the application of due diligence measures regarding the Person or their representative while being at the same place as the Person or their representative.
- If such circumstances exist that provide a basis for the implementation of enhanced due diligence measures, the Business Relationship will be monitored at least once within six months. If enhanced due diligence measures have been implemented upon the establishment of a Business Relationship, the Customer’s risk profile will be reassessed no later than six months after the establishment of the Business Relationship.
- If the Customer operates in a high-risk third country, the following due diligence measures will be implemented:
- gathering additional information on the Customer and their beneficial owner;
- gathering additional information on the planned substance of the Business Relationship;
- gathering information on the origin of the funds and wealth of the Customer and their beneficial owner;
- gathering information on the underlying reasons of planned or executed Transactions;
- receiving permission from the senior management to establish or continue a Business Relationship;
- improving the monitoring of a Business Relationship by increasing the number and frequency of the applicable control measures and by choosing Transaction indicators that are additionally verified;
- making a payment by the Customer from an account held in the Customer’s name in a credit institution of a contracting state of the European Economic Area or of a third country that implements requirements equivalent to those of Directive (EU) 2015/849 of the European Parliament and of the Council.
- Establishment of identity and verification of data using information technology means
- Identity may be established and data may be verified with the help of information technology means if:
- a Business Relationship is established with an e-resident or a Person from a country outside of the European Economic Area or whose place of residence or seat is in such a country and if the due diligence measures are not applied while being physically in the same place as the person or their representative.
- a Business Relationship is established with a person from a contracting state of the European Economic Area or whose place of residence or seat is in such a country and whose total sum of outgoing payments relating to a Transaction exceeds in the case of a Customer who is a natural person 15,000 euros per calendar month or, in the case of a Customer who is a legal person, 25,000 euros per calendar month, and if the due diligence measures are not applied while being physically in the same place as the person or their representative.
- A document issued by the Republic of Estonia for digital identification of a person or another e-identification system with assurance level ‘high’ is used for the establishment of identity and verification of data with the help of information technology means. Where a person is a foreign national, the identity document issued by the competent authority of the foreign country must also be used for the establishment of identity and verification of data in addition to the aforementioned means.
- Additionally, information originating from a reliable and independent source is used for the establishment of identity and verification of data. To establish the identity of an e-resident and verify data, an Employee has the right to use the personal identification data entered in the database of identity documents.
- In addition, personal identification systems provided by third independent parties (Shufti Pro – https://shuftipro.com/ /) are also used.
- Establishment of identity of natural person
- The documents used for the establishment and verification of the identity of a natural person must be in compliance with the following requirements:
- it must be an original document, a copy authenticated by a notary or certified by a notary or officially or other information originating from a reliable and independent source, including information obtained via e-identification and trust services of e-transactions, using at least two different sources to verify the data in such a case. Upon transmitting an electronic copy, the file must be in .jpg, .png or .pdf format;
- the document must set out the following data of the natural person unless otherwise provided by law:
- first names and surnames;
- personal identification code or, if none, the date and place of birth;
- the name and number of the document, the date of issue of the document and the name of the authority that issued the document, the term of validity of the document;
- a photograph, facial image;
- signature or image of signature;
- the document must be valid.
- The following valid documents may be used for the establishment of the identity of a natural person:
- an identity card (ID card) issued by state authorities of Estonia;
- an ID card of a citizen of the European Union;
- an Estonian citizen’s passport;
- a passport of a citizen of a foreign country (internal passports of the Ukraine and the Russian Federation are not acceptable);
- a diplomatic passport;
- a seafarer’s discharge book;
- an alien’s passport;
- a certificate of record of service on ships;
- a certificate of return;
- a permit of return;
- a driving licence issued in the Republic of Estonia;
- a driving licence issued in a foreign country if the user’s name, photograph or facial image, signature or image of signature and date of birth or personal identification code have been indicated on the document;
- a valid travel document issued in a foreign country;
- a photograph that is submitted with the identity document and has been taken of the Person holding in their hand the identity document that is open on the photograph page of the document.
- Upon the establishment of identity, an Employee must assess the authenticity of the submitted document according to the following circumstances:
- the validity of the document and its compliance with the requirements of the Identity Documents Act;
- the person’s appearance and age match the person depicted in the document photograph and the data included in the document.
- For retention purposes, a copy is made of the pages of the identity document submitted for the establishment of identity and containing personal data or entries and a photograph. In addition, based on the information obtained from the person, an Employee registers the following personal data in writing:
- the name, actual place of residence or seat and the profession or field of activity of the natural person;
- personal identification code or, if none, the date and place of birth;
- the name, number and date of issue of the document used upon the establishment and verification of identity, and the name of the authority that issued the document;
- information on the identification and verification of the right of representation and scope thereof, and the name and date of issue of the document serving as a basis for the right of representation, and the name of the issuer of the document
- If the Customer participating in a Transaction is a natural person of another contracting state of the European Economic Area or a third country, an Employee registers information about whether the person is a politically exposed person for the purposes of clauses 3 11) to 14) of the MLTFPA.
- The aforementioned requirements for the establishment of identity are also in effect upon the identification of a person with restricted active legal capacity or a minor person, a representative of a natural person, (a) member(s) of a civil law partnership and representatives thereof and a non-resident natural person as well as upon the identification and specification of a representative of a person without active legal capacity. A representative of a Person must also submit a document certifying the right of representation that sets out the basis for as well as the scope and term of validity of the right of representation.
- The aforementioned requirements for the establishment of identity are also in effect upon the identification of the natural persons acting on behalf or on the account of a legal person and having the right to dispose of the funds of the legal person as well as upon the establishment of the identity and specification of members of a civil law partnership or representatives thereof. A representative must be able to provide exhaustive responses to questions concerning the activities of the legal person and the origin of the property.
- Upon making Transactions with a politically exposed person of another Member State and a third country, an Employee follows the provisions of § 41 of the MLTFPA.
- Establishment of identity of legal person
- The identity of a legal person is established and verified on the basis of the following documents:
- the registry card of the relevant register;
- the registration certificate of the relevant register; or
- another equivalent document.
- If it is not possible to submit the original document specified in clause 11.1, the identity can be verified on the basis of a document, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a reliable and independent source, including means of e-identification and trust services of e-transactions, using at least two different sources for the verification of data in such a case. Upon transmitting an electronic copy, the file must be in .jpg, .png or .pdf format.
- The document specified in clause 11.1 may not be older than 30 days.
- In order to identify the right of representation of a representative of a legal person, the power of attorney issued to the representative by the legal person is submitted if the right of representation is not set out in the documents specified in clause 11.1.
- If a legal person has been established or operates in a country that is not a contracting state of the European Economic Area or where no requirements equivalent to those provided by the MLTFPA have been established, the document certifying the right of representation of the representative of the legal person must be in compliance with the following requirements:
- the document must set out the basis for the right of representation (for example, reference to a resolution of a competent body of the person, reference to a specific provision of a legal act);
- the document must set out the scope of the right of representation (e.g. whether it has been issued for making a single Transaction or repeated Transactions during a certain period, the amount to the extent of which the person may make Transactions, etc.);
- the document must set out its term of validity;
- if it is a written document, it must have been signed by hand by the principal or their representative.
- An Employee registers the following data on the basis of the documents specified in clause 11.1 or, if the documents do not set out the relevant data, on the basis of the information obtained from the representative of the legal person participating in the Transaction:
- the existence of passive legal capacity;
- the name or business name, area of activity, seat and address of the legal person;
- the registry code or registration number of the legal person, date of the register entry, and name and location of the register;
- the date of issue of the document and the name of the authority that issued the document;
- the names, places of residence and personal identification codes (if any) of the director or members of the management board or other body replacing it, and their authorisation in representing the legal person;
- the names of the beneficial owners of the legal person;
- the legal form, field of activity and operation profile of the legal person;
- members of managing bodies and representatives of the legal person;
- in the case of a representative of the legal person, the basis for as well as the scope and term of validity of their authorisation, while the authorisation must be authenticated by a notary, legalised or apostilled;
- permanent business establishments in a third country, major business partners and payment patterns;
- the details of the means of communication of the legal person.
- In order to ascertain the Customer’s field of activity and operation profile, the following circumstances are established:
- the purpose of entry into a Business Relationship or Transaction;
- the legal form and field of activity of the person;
- whether the Customer is a politically exposed person;
- whether activities take place via a representative of the legal person;
- permanent business establishments of the legal person in a third country, major business partners and payment patterns;
- the person’s residency, including whether the person is registered in a low tax rate area;
- circumstances arising from previous communication with the Customer, their partners, owners, representatives and other similar persons (for example, suspicious Transactions identified in the course of an earlier Business Relationship);
- the duration of activities, nature of business relationships.
- To find out the operation profile and purposes of a legal person, other credible data may also be relied on in addition to public databases or information published by state and supervisory authorities.
- If the documents submitted by the representative of the legal person or the other submitted documents do not set out the data specified in clause 11.7, the relevant data (including data about being a member of a group and the ownership and management structure of the group) are registered on the basis of the statements of the representative of the legal person or the document written or signed by hand by the representative of the legal person.
- If an Employee has a suspicion that the person’s activities indicate money laundering or terrorist financing, they will ask the Customer additional information about the origin of the money or property used in the Transaction.
- Upon the identification of a legal person, additional information must be requested about the other shareholders, partners and other persons who exercise control or other significant influence over the activities of the legal person.
- If there is information that a politically exposed person from another contracting state of the European Economic Area or a third country may be related to the Customer participating in the Transaction, information about whether the person is a politically exposed person for the purposes of clauses 3 11) to 14) of the MLTFPA must also be registered on the basis of the information obtained from the representative of the legal person in addition to the data specified in clause 10.7.
- The requirements for the establishment of identity as specified above are also in effect upon the identification and specification of a legal person whose seat is in another contracting state of the European Economic Area or a third country where requirements equivalent to the MLTFPA are in effect. Upon the identification of non-resident legal persons, an Employee must fulfil requirements similar to the establishment of the identity of resident Customers within as large a scope as possible, taking into account the specificities arising from the country of location and legal form of the non-resident Customer.
- A representative of a legal person of a foreign country must submit, at the request of an Employee of the Private Limited Company, a document that proves their authorisation and has been certified by a notary or in an equivalent manner and that has been legalised or certified with a certificate that replaces legalisation (Apostille), unless otherwise provided by an international agreement.
- An Employee of the Private Limited Company may request the submission of a legalised or certified document provided with a certificate that replaces legalisation if:
- it is not possible to use the publicly available information sources specified in clause 13.3 of the Rules of Procedure for verifying the authorisation and competence of a person;
- an Employee of the Private Limited Company suspects that the authorisation of the representative of a legal person of a foreign country may not be true or valid;
- the activities of a legal person or their representative refer to money laundering or terrorist financing;
- the person is a legal person of a foreign country or their representative that does not take sufficient measures for the prevention of money laundering and terrorist financing or this country does not cooperate internationally in the field of preventing money laundering and terrorist financing or if the territory is a low tax rate area.
- Identification of beneficial owner
- The beneficial owner is identified using the information obtained from the representative of a legal person.
- An Employee analyses the documents submitted by the representative of the legal person and, if necessary, asks for additional documents and data for the purpose of establishing the beneficial owner(s) of the legal person.
- If the Employee has a suspicion as to whether the relevant information is correct or complete, they verify the submitted information against publicly available sources and request additional information from the Customer, if necessary.
- If the documents establishing the identity of the legal person or the other submitted documents do not indicate directly who the beneficial owner of the legal person is, the relevant data (including data about being a member of a group and the ownership and management structure of the group) are registered on the basis of the statements of the representative of the legal person or the document written by hand by the representative of the legal person.
- Upon the identification of the beneficial owner, attention must be paid, above all, to companies established in low tax rate areas, because it is not always abundantly clear whether they have passive legal capacity.
- If another legal person has control over the legal person complying with the definition of a beneficial owner, the Employee must assess the person’s or Customer’s risk and, based on that, collect data about other legal persons related to the person in order to identify the beneficial owner.
- In the cases where the beneficial owners of a legal person, civil law partnership or another contractual legal arrangement, such as a fund or trust fund, must already be defined and therefore it is not possible to establish the persons of the beneficial owner, it is sufficient to identify the circle of persons who may benefit from the fund or trust fund. This requirement does not include the identification of private individuals within this circle of persons.
- Gathering information on the purpose and nature of the business relationship and transaction
- Gathering information on the nature of the Customer’s activities as well as the purpose and nature of the Transactions involves the establishment of the following circumstances:
- the legal form and field of activity of the person;
- whether the Customer is a politically exposed person;
- whether activities take place via a representative of the legal person;
- the person’s residency, including whether the person is registered in a low tax rate area;
- the possibility to qualify the Customer as a typical customer of a certain customer category;
- circumstances arising from previous communication with the Customer, their partners, owners, representatives and other similar persons
- (for example, suspicious Transactions identified in the course of an earlier Business Relationship);
- the origin of the virtual currency used in the Transaction;
- the duration of activities, nature of Business Relationships, justification for the need for cash.
- If the documents submitted by the representative of the legal person or the other submitted documents do not set out the circumstances specified in clause 13.1, the relevant data (including data about being a member of a group and the ownership and management structure of the group) are registered on the basis of the statements of the representative of the legal person or the document written by hand by the representative of the legal person.
- An Employee gathers information from the following publicly available sources:
- documents of the Customer or their representative, including documents prepared by them or completed by them in the presence of a representative of the Private Limited Company;
- identity documents of the Customer or their representative and documents certifying the right of representation;
- documents submitted by the Customer or their representative;
- state registers and other similar public databases (Commercial Register, non-profit associations and foundations register, population register, criminal records database, Ametlikud Teadaanded publication, land register, register of economic activities, etc.);
- reliable and independent private databases (Krediidiinfo, WorldCheck, GBG, databases of credit institutions, etc.);
- the European Union and other recognised international organisations and the data available on their website;
- state authorities and foreign missions of the Republic of Estonia and missions of foreign countries in the Republic of Estonia;
- data available on the website of state and local government, on the condition that requirements equivalent to those provided by MLTFPA are valid in this country;
- information published by state and supervisory authorities;
- data available on the website of a publicly traded company;
- search engines (for example, google.com, etc.).
- An Employee may also rely on other data, but these must be reliable and verifiable. If this may reasonably contribute to making sure of the reliability of the data, the Employee contacts the source of the data either by e-mail or telephone and asks about the details of the origin, collection method, time at which the data were created and other material information that could help the Employee of the Private Limited Company fulfil their obligations upon establishing identity. The Employee must thereby make every effort to keep the fact of collecting data about the Customer confidential.
- In the event of foreign-language documents, the Employee has the right to demand the documents to be translated into Estonian, English or Russian, certified by a sworn translator or a notary. The Private Limited Company does not compensate the costs, including translation costs, notary fees, etc., incurred by the Customer for certifying identity and the right of representation.
- Making Transactions
- Upon making a Transaction with the personal presence of the Customer in the office of the Private Limited Company, the Customer must, at the request of the Employee, confirm the submitted orders by their signature.
- Upon making a Transaction using means of communication (telephone, Skype, Customer Environment), the Customer’s identity must be established on the basis of an oral or electronic code given to the Customer upon the establishment of a Business Relationship. Upon making a Transaction:
- via the Customer Environment on the basis of the user name and password that the Customer uses for secure logging in to the Customer Environment;
- by Skype or telephone on the basis of the password that the Customer uses for confirming the orders given to the Private Limited Company by Skype or telephone.
- An Employee registers the following data about each Transaction:
- the date or period of making the Transaction;
- the description of the substance of the Transaction;
- the amount of the Transaction;
- the currency of the Transaction;
- the bank account numbers.
- An Employee registers the following data about each Transaction:
- the date or period of making the Transaction;
- the description of the substance of the Transaction;
- the amount of the Transaction;
- the currency of the Transaction;
- the bank account numbers.
- Constant monitoring of Customer’s Business Relationship
- An Employee must constantly assess the Transactions executed in the course of a Business Relationship in order to understand the purposes of the Customer’s Transactions and the Customer’s business and risk profile. If the Customer executes a Transaction that is unusual compared to the previous known Transactions or a Transaction in the case of which the source and origin of the funds used in the Transaction are not known, the Employee requests information from the Customer about the source and origin of the funds used in the Transaction.
- An Employee must verify the data collected upon establishing identity and in the course of applying due diligence measures. If information about changes in the personal data of the Customer becomes known or if more than one year has passed from the last Transaction, the Employee will establish the Customer’s identity again.
- An employee must assess and pay more attention to Transactions made in the Business Relationship, the activities of the Customer and the circumstances that refer to a criminal activity, money laundering or terrorist financing or that are likely to be linked with money laundering or terrorist financing, including to complex, high-value and unusual Transactions and transaction patterns that have no reasonable or visible economic or lawful purpose or that are not characteristic of the given business specifics. The Employee finds out the nature, reason and background of the Transactions described before.
- Registration, verification and retention of data
- Upon the registration of data, an Employee notifies the Customer of processing personal data for AML/CFT purposes. The data are processed applying all the personal data protection rules.
- The Employee or the software used by the Private Limited company registers in respect of the Customer the number as well as the date and place of issue of the document used upon establishing the Customer’s identity.
- The Employee or the software used by the Private Limited Company registers the following data in respect of the Transaction to be executed:
- the person that submitted the order;
- the description of the substance of the Transaction;
- upon the establishment of a customer relationship, the object of the customer agreement;
- the date or period of making the Transaction.
- If an Employee has a suspicion that the Customer’s activities indicate money laundering or terrorist financing, they will ask the Customer additional information about the origin of the money or property used in the Transaction.
- If necessary and in the case of a suspicion, the accuracy of the documents or data submitted for the establishment of identity may be verified using the databases of third parties or the accuracy of the data may be verified via third parties (for example, state registers, supervisory authorities, credit institutions, foreign missions of the Republic of Estonia, missions of foreign countries in the Republic of Estonia, etc.).
- All the data to be collected about Customers are systematised into folders located on data media in such a manner as they have initially been saved, i.e. a separate electronic folder has been prepared for each Customer. The backup of electronic data media takes place in accordance with the internal procedure for movement of information and documents. In order to retain the original documents submitted on paper, an Employee of the Private Limited Company prepares a separate physical file about each Customer. All the documents in respect of which an Employee of the Private Limited Company is required to make a copy are included in the electronic folder. A copy is made of original documents, which is retained in the electronic folder, and the original is added to the physical file prepared in respect of the Customer if the retention of the original is required in accordance with the requirements arising from the Rules of Procedure and legal acts.
- The Private Limited Company must retain, either in the physical file kept in respect of the Customer or in a folder on an electronic data media, for at least five years the following data:
- information on a suspicion or knowledge of money laundering or terrorist financing;
- a detailed description of suspicious or unusual Transactions, related parties, date and place of the Transaction;
- information on refusing to establish a Business Relationship or make a Transaction or on continuing or terminating the execution thereof;
- information according to which it is not possible, by using information technology means, to establish or verify the identity of the Customer, the identity of the Customer’s representative, the beneficial owner or their identity, or the fact of whether the person is a politically exposed person, their family member or a person known to be a close associate, or to perform monitoring the Business Relationship;
- information on refusing to establish a Business Relationship or execute a Transaction at the person’s initiative if this arose from the submission of the data or documents requested by an Employee of the Private Limited Company;
- information on the circumstances of termination of a Business Relationship in connection with the impossibility of application of the due diligence measures;
- upon making Transactions with a representative of a civil law partnership, community or another association of persons that does not have the status of a legal person, trust fund or trustee, the fact that the person has such a status, and an extract of the registry card from the register or a certificate from the registrar of the register where the association of persons that does not have the status of a legal person has been registered.
- The Private Limited Company is required to retain copies and, if necessary, also originals, of identity documents and other documents serving as a basis for the establishment of the identity of a natural or legal person, documents serving as a basis for the establishment of a Business Relationship, and other data on any data medium that allows for exhaustively and immediately replying to enquiries made by the Financial Intelligence Unit or, in accordance with legal acts, by other investigative bodies or courts for at least five years after the end of the Business Relationship.
- The Private Limited Company retains, for at least five years after the end of the business relationship, all the correspondence related to the performance of the obligations arising from the Rules of Procedure and the MLTFPA as well as all the data and documents collected in the course of monitoring the Business Relationship, and data of suspicious or unusual Transactions or circumstances of which the Financial Intelligence Unit was not notified.
- If the Customer’s identity has been established on the basis of an enquiry made to a database belonging to the state information system or using other information technology means, the Private Limited Company retains information about making the electronic enquiry and the audio and video recording of the procedure for the establishment and verification of identity for five years after the end of the Business Relationship or execution of the Transaction.
- The data and documents collected by the Private Limited Company must allow for immediate written reproduction of the following:
- a copy made of the personal data and photograph page of the identity document presented for the establishment of identity;
- the data registered in respect of a Customer who is a natural or legal person upon establishing a Business Relationship or making a Transaction;
- other data collected upon the establishment of identity with a reference to whether the data were collected for establishing a Business Relationship or using another service;
- the name and position of the Employee, who established identity, or verified or updated the data;
- - data on the Transaction:
- the person that submitted the order;
- the date of submitting the order;
- the person who transferred the funds for executing the order;
- the method of receipt of funds (by transfer, in cash, etc.).
- After the expiry of the term specified in this clause, the Private Limited Company will delete the retained data unless otherwise provided by the legal acts in effect.
- Updating Customer data and documents
- An Employee is required to update the data used upon the establishment of identity at least once a year.
- An Employee must immediately update the data related to the Customer if the data concerning the Customer’s Transactions reveal that significant changes have taken place in the Customer’s risk profile, field of activity or volumes of activity.
- Upon updating the data, the following must be registered in a format that can later be reproduced in writing:
- the manner, time and place of updating the data and documents;
- the name and position of the Employee, who updated the data.
- The same sources may be used for updating the data that are generally used for the establishment of identity upon establishing a Business Relationship or making Transactions.
- Updated data must have been made available to all the structural units providing services to Customers no later than on the next working day after updating the data.
- An Employee may, in order to perform their obligations, request necessary documents and data directly from the Customer and, if necessary, verify the data via third parties or their databases (for example, state registers, supervisory authorities, credit institutions, foreign missions of the Republic of Estonia, missions of foreign countries in the Republic of Estonia, etc.).
- Data may be updated using the data obtained from the Customer, public databases, a credit institution entered in the Commercial Register of Estonia or a branch of a foreign credit institution or a credit institution that is registered or whose place of business is in a contracting state of the European Economic Area or a third country where requirements equivalent to those provided by the MLTFPA are in effect.
- If the data used for the establishment of a Customer’s identity could not be verified within a reasonable period of time or if a reasonable suspicion has arisen that the activities of the person have been terminated, the Business Relationship with such a Customer may be terminated.
- Refusal to establish business relationship and termination of business relationship
- The Private Limited Company has the right to refuse to establish a Business Relationship if:
- it is not possible to establish the identity of the Person;
- it is not possible to verify the submitted information based on information obtained from a reliable and independent source;
- it is not possible to establish the identity of the representative of the Person;
- it is not possible to identify or verify the right of representation of the representative of the Person;
- it is not possible to identify the beneficial owner and establish their identity;
- the capital of the Person consists of bearer shares or other bearer securities;
- the Person does not submit documents and relevant information or data or documents proving the origin of the property constituting the object of the Transaction or if, based on the submitted data and documents, a suspicion of money laundering or terrorist financing or the commission of related criminal offences or an attempt of such activity arises;
- there is no permission from the management to establish the Business Relationship or make a Transaction;
- a party to a Transaction has been entered in the list of persons suspected of terrorist financing that has been published on the website of the Financial Intelligence Unit;
- a party to a Transaction has been entered in the ‘black’ list of the Financial Action Task Force (FATF);
- a suspicion of money laundering or terrorist financing has arisen.
- In the cases listed in the Rules of Procedure, the Private Limited Company has the right to extraordinary termination of a Business Relationship, by submitting to this end the Customer a declaration of cancellation of the Business Relationship at least in a format that can be reproduced in writing within seven days of learning of the respective circumstances.
- The Compliance Officer must immediately be notified of the refusal to establish a Business Relationship and of the extraordinary cancellation of the Business Relationship.
- Postponement of Transaction
- If an Employee suspects or knows that money laundering or terrorist financing or related criminal offences are being committed or if a Transaction is related to a subject of an international financial sanction, the execution of the Transaction must be postponed until a notice has been submitted to the Financial Intelligence Unit. If the postponement of the Transaction may cause considerable harm, it is not possible to omit the transaction or it may impede capture of the person who committed possible money laundering or terrorist financing, the Transaction will be made and a notice will be submitted the Financial Intelligence Unit thereafter.
- An Employee postpones the execution of a Transaction if the permission of the management board of the Private Limited Company is needed for the execution of the Transaction.
- To decide on the postponement of a Transaction, the Employee engaged with a respective Transaction consults the Compliance Officer, if possible. If the Compliance Officer finds that the Transaction must be postponed, the Employee may not continue the execution of the Transaction.
- Transactions with politically exposed person
- If the Customer or beneficial owner is a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person, the following due diligence measures are implemented in addition to the usual due diligence measures:
- prior approval from the senior management is needed to establish or continue a Business Relationship with the Person;
- the origin of the wealth of the Person and the sources of the funds that are used in the Business Relationship are established;
- the Business Relationship is monitored in an enhanced manner.
- Where a politically exposed person no longer performs important public functions placed upon them, such risks must be taken into account at least within 12 months that remain related to the person and relevant and risk sensitivity-based measures are implemented as long as it is certain that the risks characteristic of politically exposed persons no longer exist in the case of the Customer.
- The application of the due diligence measures specified in this cause in respect of a local politically exposed person, their family member or a person known to be their close associate is not necessary if there are no other factors that refer to a higher-than-usual risk.
- Notification obligation in case of suspicion of money laundering and terrorist financing and informing management
- The Financial Intelligence Unit must be notified of each Transaction whereby a pecuniary obligation of over 32,000 euros or an equivalent amount in another currency is performed in cash, regardless of whether the Transaction is made in a single payment or in several linked payments over a period of up to one year. In respect of the characteristics of Transactions suspected of money laundering, an Employee may notify the Compliance Officer already in the case of a cash transaction exceeding 20,000 euros.
- Where an Employee identifies in the course of economic activities an activity or facts whose characteristics refer to the use of profit derived from criminal activity, to terrorist financing or to the commission of related criminal offences or to an attempt thereof or with regard to which the Employee suspects or knows that it constitutes money laundering or terrorist financing or the commission of related criminal offences, the Employee is required to immediately notify the Compliance Officer thereof, who will notify immediately, but not later than within two working days after identifying the activity or facts or after the arousal of the suspicion, the management board of the Private Limited Company and the Financial Intelligence Unit. In such a case, the amount of the sum of money and its payment method are not important.
- The Financial Intelligence Unit must also be notified of an extraordinary termination of a Business Relationship or if the Private Limited Company refuses to make a Transaction on the grounds for refusal provided by the Rules of Procedure.
- A notice is submitted to the Financial Intelligence Unit on a web-based electronic form that can be found on the website of the Financial Intelligence Unit (https://www2.politsei.ee/et/organisatsioon/rahapesu/saada-teade.dot). If this is not possible, the notice is transmitted in any format or form that can be reproduced (including orally). The data used for establishing the identity of the Customer and verifying the submitted information and, if available, copies of the documents are appended to the notice.
- The contact details of the Financial Intelligence Unit are as follows:
postal address: Tööstuse 51, 10416 Tallinn
e-mail: rahapesu@politsei.ee
telephone: +372 612 3840 - The Person in respect of whom a notice has been sent to the Financial Intelligence Unit may not be informed thereof. Such an action is punishable pursuant to misdemeanour procedure.
- The notification obligation is performed on behalf of the Private Limited Company by the Compliance Officer. The Compliance Officer is appointed by the management board of the Private Limited Company.
- Compliance with precept issued by Financial Intelligence Unit
- In the case of a precept issued by the Financial Intelligence Unit, the Private Limited Company is required, in accordance with the content of the precept, to:
- suspend a Transaction, i.e. not execute the Customer’s order or, if the order has been accepted for execution, suspend its execution until the expiry of the term specified in the precept or until receiving additional instructions from the Financial Intelligence Unit;
- ensure that the restriction established by the Financial Intelligence Unit on the disposal of the property constituting the object of the Transaction is complied with for up to 90 calendar days as of the delivery the precept, including, if necessary, keep the respective property in a bank account of the Private Limited Company separately prescribed to this end and make sure that the property is not seized or transferred in enforcement or bankruptcy proceedings;
- apply, if necessary, for a written permission from the Financial Intelligence Unit for derogating from the restriction on disposal in order to make a Transaction within the term specified in previous clause;
- submit information, including information subject to banking or business secrecy, within the time limit set in the precept in writing or in a format that can be reproduced in writing.
- Implementation of international sanction
- The Private Limited Company is a person having specific obligations for the purposes of the ISA.
- Upon entry into force of a legal act on the imposition or implementation of an international financial sanction, Employees of the Private Limited Company take measures to perform the obligations arising therefrom and demonstrate due diligence to ensure that the purpose of the international financial sanction is achieved and the breach of a sanction is avoided.
- Upon entry into a Business Relationship, an Employee agrees to identify whether the Customer is a subject of an international financial sanction, using to this end public databases and the website of the Financial Intelligence Unit (https://www2.politsei.ee/et/organisatsioon/rahapesu/finantssanktsiooni-subjekti-otsing-ja-muudatused-sanktsioonide-nimekirjas/).
- If an Employee suspects or knows that a person who is in a Business Relationship or makes a Transaction with the Private Limited Company as well as a person intending to establish a Business Relationship or make a Transaction with the Private Limited Company is a subject of an international financial sanction, the Employee will immediately notify the Compliance Officer of the identification of a subject of an international financial sanction, of a respective suspicion, and of the measures taken and the Compliance Officer will immediately notify the Financial Intelligence Unit and the management board of the Private Limited Company thereof.
- Upon providing the Service, an Employee pays special attention to the activities of a person who is in a Business Relationship or makes a Transaction with the Private Limited Company and to the activities of a Person who intends to establish a Business Relationship or make a Transaction with the Private Limited Company as well as to the circumstances that refer the possibility that the Person is a subject of an international financial sanction.
- An Employee establishing a Business Relationship must regularly monitor the website of the Financial Intelligence Unit and immediately take the measures provided by a legal act imposing or implementing an international financial sanction to ensure that the purpose of the international financial sanction is achieved and to avoid breaches of the international financial sanction.
- Upon entry into force, amendment, repeal or expiry of a legal act imposing or implementing an international financial sanction, an Employee verifies whether the Customer or the Person is a subject of an international financial sanction in respect of whom the financial sanction is imposed, amended or terminated. The Employee collects and retains the following data when performing this obligation:
- the time of the verification;
- the name of the person who performed the verification;
- the results of the verification;
- the measures taken.
- If the Employee doubts whether the Customer or Person is a subject of an international financial sanction, they will notify the Compliance Officer and ask for additional information from the aforementioned person in order to make it sure.
- If the Customer or Person refuses to provide additional information or it is impossible to identify by means thereof whether the person is a subject of an international financial sanction, the Employee will refuse to establish a Business Relationship or make a Transaction, take the measures provided by the legal act imposing or implementing the international financial sanction and immediately notify the Compliance Officer of their doubt and of taking measures and the latter will, in turn, notify the management board of the Private Limited Company and the Financial Intelligence Unit.
- If the legal act imposing or implementing an international financial sanction is repealed, expires or is amended in such a manner that the implementation of the international financial sanction in respect of the subject of the international financial sanction is terminated fully or partially, the Private Limited Company will immediately terminate the implementation of the measure to the extent provided by the legal act amending the legal act that imposes or implements the international financial sanction.
- Compliance Officer
- The Compliance Officer is appointed by the management board of the Private Limited Company with its resolution. If no compliance officer has been appointed, the obligations of the Compliance Officer are performed by the management board.
- The duties of the Compliance Officer include:
- organising the collection and analysis of information referring to unusual Transactions or Transactions or circumstances suspected of money laundering or terrorist financing, which become evident in the activities of the Private Limited Company;
- verifying compliance with the requirements for the prevention of money laundering and requirements of international financial sanctions;
- transmitting information to the Financial Intelligence Unit in the case of a suspicion of money laundering or terrorist financing or a suspicion of a subject of an international financial sanction;
- replying to enquiries made and complying with the precepts issued by the Financial Intelligence Unit;
- informing the management board in writing of shortcomings in complying with the internal control rules, Rules of Procedure and other legal acts;
- providing Employees of the Private Limited Company with (including organising) training in the prevention of money laundering and terrorist financing;
- instructing new Employees and introducing the Rules of Procedure to them within at least one week after entry into the employment contract.
- The Compliance Officer has the right to:
- verify Transactions and the execution thereof in accordance with the legal acts of the Republic of Estonia and the Rules of Procedure;
- verify the activities of the Private Limited Company in following the AML/CFT activities and application of international financial sanctions;
- make proposals to the management board of the Private Limited Company for amending and modifying the Rules of Procedure and organising regular training in the performance of the obligations arising from the MLTFPA for the Employees of the Private Limited Company whose official duties include establishing Business Relationships or making Transactions;
- request that the requirements set out in the Rules of Procedure be fulfilled and the breach thereof be immediately terminated if the circumstances of the breach of the requirements have become clear;
- obtain the data and information necessary for the performance of the duties of the Compliance Officer;
- organise, from time to time, tests the purpose of which is to check the knowledge of an Employee of the Private Limited Company in connection with that set out in the Rules of Procedure;
- receive training in the field.
- Upon performing their duties, the Compliance Officer is required to:
- respect the privacy of Employees;
- disturb the work of the Private Limited Company as little as possible;
- carry out tests the purpose of which is to check the knowledge of Employees in connection with that set out in the Rules of Procedure only within a reasonable scope.
- The Compliance Officer may transmit information or data that have come to their knowledge in connection with a suspicion of money laundering or a subject of an international financial sanction only to:
- the management board and an Employee appointed by the management board;
- the Financial Intelligence Unit;
- a preliminary investigation authority in connection with criminal proceedings;
- a court on the basis of a court order or judgment.
- In the case of a reasonable suspicion of money laundering or terrorist financing, the Compliance Officer informs the management board thereof and immediately transmits a notice to the Financial Intelligence Unit.
- The notice is transmitted to the Financial Intelligence Unit orally, in writing or via electronic means of communication. If a notice is transmitted orally, the Compliance Officer will repeat it in writing within no later than the next working day.
- Copies of the documents that serve as a basis for the Transaction as well as the data or a copy of the document used as a basis for the establishment of the identity of the person are appended to the completed notice form.
- The Compliance Officer transmits a notice to the Financial Intelligence Unit being guided by Regulation No. 42 of the Minister of the Interior of 27 November 2017 that provides the form of the notice to be submitted to the Financial Intelligence Unit and guidelines for completing thereof.
- The notices prepared by the Compliance Officer are kept, used and retained similarly to other information in accordance with the provisions of the Rules of Procedure.
- Obligations of Employee
- An Employee must notify the Compliance Officer of all the cases of refusing to establish a Business Relationship, Transactions suspected of money laundering or unusual Transactions as well as cases of extraordinary cancellation of a Business Relationship.
- Where an Employee identifies activities or facts whose characteristics refer to money laundering or terrorist financing or with regard to which the Employee suspects or knows that it constitutes money laundering or terrorist financing, the Employee notifies the Compliance Officer thereof immediately. Upon identifying suspicious Transactions, the Employee relies, among other things, on the guidelines regarding the characteristics of Transactions suspected of money laundering as specified in § 56 of the MLTFPA and the guidelines regarding the transactions suspected of terrorist financing as issued by the Financial Intelligence Unit.
- In order to identify whether, in the light of the Customer’s behaviour thus far, the circumstance is a different yet explicable or rather a Transaction suspected of money laundering or terrorist financing, an Employee:
- analyses the circumstances that have become evident in respect of the Transaction(s), being guided by the advisory guidelines developed by the Financial Intelligence Unit and regarding the characteristics of Transactions suspected of money laundering and terrorist financing;
- verifies the origin of the property before a Transaction is executed at least if, in the light of the Business Relationship thus far, the Transaction is unusual and not explicable or refers to money laundering or terrorist financing;
- analyses, before notifying the Compliance Officer of the Transaction suspected of money laundering or terrorist financing, the content of the received information, taking into account the Customer’s current field of activity, payment habits and other known information.
- An Employee must notify the Compliance Officer, who must, in turn, notify the Financial Intelligence Unit and the management board of the Private Limited Company of each Transaction whereby a pecuniary obligation of over 32,000 euros or an equivalent amount in another currency is performed in cash, regardless of whether the Transaction is made in a single payment or in several linked payments over a period of up to one year. This notification obligation is amount-based and does not depend on whether the Employee had a suspicion of money laundering or not.
ANNEX 1 – Guidelines Regarding Characteristics of Transactions Suspected of Money Laundering
Suspicious transactions in the case of a suspicion of money laundering are the Customer’s transactions and operations that have no clear economic or legal reason and that cannot be regarded as the Customer’s ordinary economic activities.
Indicators of suspicious transactions in the case of transactions of more than 10,000 euros in cash:
- the person cannot be identified or tries not to submit their identification data;
- the person’s representative tries to conceal the actual party to the transaction or does not know their personal data;
- the person tries to enter into a fictitious or another unlawful transaction;
- upon the establishment of a more long-term customer relationship, the person only wants to settle in cash;
- a suspicion arises that the person does not make the transaction on their own behalf;
- the person has been suspected of money laundering earlier;
- the person wants to settle in cash in an amount of more than 10,000 euros;
- the person repeatedly settles in cash in amounts of more than 10,000 euros;
- the person makes a payment in cash that remains only slightly below the limit established in respect of the obligation to identify a person (10,000 euros);
- the payment is made via a missing trader or a bank of a tax-free territory;
- the payment is preceded by a cash payment exceeding 10,000 euros into the account of a third party.
Arousal of suspicion upon entry into customer agreement:
Unusual documents:
- the person’s authorisation or identity documents do not comply with formal requirements;
- the person’s authorisation or identity documents are not valid;
- the documents submitted give rise to a suspicion that they may be forged.
ANNEX 2 – Guidelines Regarding Characteristics of Transactions Suspected of Terrorist Financing
Suspicious transactions in the case of a suspicion of terrorist financing are the Customer’s transactions and operations that have no clear economic or legal reason and that cannot be regarded as the Customer’s ordinary economic activities.
General indicators:
- The natural person was born in a risk country;
- The natural person has a citizenship of a risk country;
- The natural person has a place of residence in a risk country;
- The natural person is related to a legal person or another association registered in a risk country;
- The legal person or another association has been registered in a risk country;
- The parent company of a legal person or a branch of another association has been registered in a risk country.
Indicators of suspicious transactions in the case of transactions of more than 10,000 euros in cash:
- It may be presumed, based on the appearance of a person, that the person is from a risk country and the person tries not to submit their identification data;
- A person from a risk country wants to settle in cash in an amount of more than 10,000 euros;
- A suspicion arises that the person does not act on their own behalf and may represent a person related to a risk country;
- The payment is made via a bank registered in the territory of a risk country;
- The person wants to pay in a currency used in a risk country;
- A person from a risk country makes a payment in cash that remains only slightly below the limit established in respect of the obligation to identify a person (10,000 euros) or tries to pay in several parts in order to avoid the identification obligation;
- A person from a risk country wants to use the virtual currency wallet service to the value exceeding 10,000 euros.
ANNEX 3 – List of Equivalent Third Countries in Accordance with Anti-Money Laundering Directive (Directive 2005/60/EC)
At the moment the Rules of Procedure are adopted, the following third countries are regarded as countries having AML/CFT systems equivalent to those of the European Union:
Australia
Brazil
Canada
Hong Kong
India
Japan
South Korea
Mexico
Russian Federation
Singapore
Switzerland
Republic of South Africa
USA
The Rules of Procedure have been approved by a resolution of the management board of PAYBILLA Estonia OÜ, in accordance with which Robert Günter Knapp is appointed compliance officer.