Terms of Use

1. How to read this Agreement
   1. The headings are for reference only. Some capitalised terms have specific definitions in section 4. Underlined words in this Agreement contain hyperlinks to further information.
   2. The Agreement sets out different types of Users and User accounts. Make sure you read the correct terms which apply to your type of user account.
2. Why you should read this Agreement
   1. What this Agreement covers. These are the terms and conditions on which we provide our Services to you.
   2. Why you should read them. Please read this Agreement carefully before you start to use our Services. This Agreement (always together with the documents referred to in it) tells you who we are, how we will provide the Services to you, how this Agreement may be changed or ended, what to do if there is a problem and other important information. If you think that there is a mistake in this Agreement or require any changes, please contact us to discuss.
   3. Other additional documents which apply to you. This Agreement refers to the following additional documents, which also apply to your use of our Services:
      (a) Our Privacy Policy, which sets out the terms on which we process any personal data we collect about you, or that you provide to us. By using our Services, you consent to such processing and you promise that all data provided by you is accurate.
      (b) Our Reseller Agreement, which sets out the terms for Merchants using Paybilla Reseller Services.
      (c) Our Frequently Asked Questions ("FAQ") which provides answers to common customer questions.
      (d) In order to receive some of our Services, you may be asked to agree to additional terms and conditions, which we will notify you about at the relevant time.
      
3. Introduction
   1. Your use of the Site (https://home.paybilla.com) and/or Services is subject to your acceptance without modification of these Terms of Use and all other operating rules, guidelines, instructions, policies (including the Privacy Policy) and any future modifications thereto (collectively ​Terms​). When accepted by you, the Terms form a legally binding agreement (Agreement​) between Paybilla Estonia OÜ and you, the person who uses the Services and/or the Site (hereinafter also “the Client”, “you”, “your” or “yourself”. If you do not agree to be bound by the Terms, then please do not access, browse or otherwise use the Site.
   2. Paybilla Estonia OÜ has a registered office at Roosikrantsi 2, Tallinn, Estonia.
   3. Paybilla Estonia OÜ has activity licenses for providing service of exchanging a virtual currency against a fiat currency and providing virtual currency wallet service issued by the Estonian Financial Intelligence Unit.
   4. By using the Site and/or the Services and agreeing to Terms you warrant that you are at least 18 (eighteen) years old; You must have authority to bind your business. If you are not a consumer, you confirm that you have authority to bind any business or entity on whose behalf you use our Services, and that business or entity accepts these terms.
   5. The Company may suspend, modify, remove or add terms to the Services at any time.
   6. Paybilla is not a Payment Institution under the Payment Services Directive 2 (PSD2), nor does Paybilla process payments. Paybilla provides software solutions which are connected to third parties via Application Programming Interface (API ). In short, APIs allow applications to communicate with one another.
   7. Following any updates to the Terms of Use, the Company has no obligation to check whether users are using the Services and/or the Site in accordance with the Terms. The Company may terminate or suspend the usage of the Service at any time if the User is not using the Service as set forth in the Terms.
4. Definitions
   1. Affiliate Management Module – Part of the Paybilla Services enabling to manage affiliates and affiliate data, affiliate payments, etc.
   2. Account – User account of the person who has been registered at Paybilla Site.
   3. Analytics Module – Part of the Paybilla Services enabling Merchant to analyse its sales data.
   4. Agreement – present agreement between you and Paybilla;
   5. Billing Module – Part of the Paybilla Services enabling to manage billing related matters, such as issuing invoices, viewing past billing information, etc.
   6. Customer – end-user of the Services and/or Site (online shopper).
   7. Digital Currency – a value represented in the digital form, which is digitally transferable, preservable or tradable on Paybilla Services (i.e. cryptocurrency);
   8. Digital Wallet – a service in the framework of which keys are generated for customers or customers’ encrypted keys are kept, which can be used for the purpose of keeping, storing and transferring virtual/digital currencies (cryptocurrencies);
   9. Exchange Module – Part of the Paybilla Services enabling exchanging Digital Currency against Fiat Money.
   10. Fiat Money – government issued money;
   11. The Company/Paybilla/us/our/we – Paybilla Estonia OÜ (14690942) a company incorporated under the laws of Estonia;
   12. Merchant – a Company using Paybilla Services to sell its products/services and/or to exchange Digital Currency against Fiat Money.
   13. Modification – changes (including amendments, updates) in the Terms;
   14. Privacy policy – a policy available at: ​ describing how the Company gathers, uses and discloses personal data, and the steps the Company takes to protect such personal data;
   15. Site – website of Paybilla (https://home.paybilla.com)
   16. Services – the services provided by Paybilla;
   17. Terms – these Terms of Use, Privacy Policy and all other rules and terms that a Client shall accept to use the Services and/or the Site;
   18. User – person who is using Paybilla Services.
   19. Registered User – person who has a registered account on Paybilla Site.
   20. Unregistered User – person using Paybilla Services without a registered account.
   21. Wallet Module – A part of the Paybilla Services enabling the usage of the Digital Wallet, i.e. keeping, storing and transferring virtual/digital currencies
5. Changes
   1. The Company may update the Site and the Services and may change the content at any time.
   2. The Company may amend, update or modify the Terms (“Modification”), at any time. Unless otherwise expressly stated in the Terms, we will notify you of Modification by posting a new version of the Terms on the Site. The new version of the Terms will take effect after its publication on the Site. Your use of the Services or and/or Site after any such Modification represents your acceptance of new version of the Terms.
   3. If you do not agree with any Modification to the Terms, you shall terminate your use of the Services and/or Site and close your Account (as defined in the Terms).
6. The Services
   1. The following services offered by Paybilla may be available for only certain types of registered Users, as explained in this Terms of Use. The services are:
      1. Software as a Service (SaaS) for Merchants;
      2. Reseller services for Merchants – the use of Reseller Services is regulated and described under the Reseller Agreement;
      3. Services of exchanging Digital Currency (to Fiat Money or to other Digital Currencies) for Merchants and Users with a trading account;
7. Software As A Service (SaaS) Description
   1. Paybilla provides Digital Wallet Service to hold Digital Currencies and the Fiat Money of the Merchant.
   2. Paybilla provides services of exchanging the Digital Currencies against the Fiat Money on the behalf of the Merchant.
   3. While using the Paybilla SaaS platform, the Merchant directs all Customers during the checkout process to Paybilla, where the Customers have the option of making the payment in Digital Currencies.
   4. The Customers can deposit the Digital Currency directly to the Digital Wallet owned by the Merchant and hosted by Paybilla. The list of accepted Digital Currencies will be listed on the Site. Upon receiving the payment, the Merchant will issue and send an invoice to the Customer’s e-mail address using the Paybilla Billing Module.
   5. Paybilla does not process any Fiat Money payments. Payments are processed by third parties via API. Paybilla merely provides user interface and services of exchanging Digital Currencies against Fiat Money, and the Digital Wallet Service to store Digital Currencies.
   6. The Merchant can choose how much of the received Digital Currencies will be exchanged to Fiat Money or to any other Digital Currencies. The following samples are optional and are not binding in any way:
      1. The Merchant can choose to exchange all received Digital Currencies to Fiat Money.
      2. The Merchant can choose to exchange all received Digital Currencies against another Digital Currency like Bitcoin, Ethereum, any stable coin or any other preferred Digital Currency.
      3. The Merchant can choose to exchange all received Digital Currencies to a predefined mix of Fiat Money and Digital Currencies.
   7. The Merchant may request Paybilla to pay-out the received Digital Currencies on a regular basis.
   8. Paybilla invoices the exchange fees for the performed exchanges from the Merchant once a month. The exchange fee is seen in the fee schedule in the clause 12.4. of this agreement.
   9. Paybilla has no commercial relationship with the Customers in case The Merchant opens and uses the Paybilla SaaS account.
8. Services of exchanging Digital Currency
   1. Services which allow you to exchange Digital Currency against Fiat Money (EUR, USD, CAD, etc) or against other Digital Currency using the Paybilla Exchange Module, or where Paybilla exchanges Digital Currency against Fiat Money (or Digital Currency against another Digital Currency) on behalf of the Client.
9. User types and access to modules
   1. Merchants using Paybilla SaaS Services. Merchant Account required.
      Main functions and access to modules under Paybilla SaaS:
      a. Exchange Module – No access, the exchanging of Digital Currencies is performed by Paybilla;
      b. Wallet Module (Crypto, Fiat) – Yes
      c. Affiliate Management Module – Yes
      d. Billing Module - Yes
      e. Analytics Module – Yes
      
   2. Merchants using Paybilla Reseller Services. Merchant Account required.
      a. Exchange Module - No access, the exchanging of Digital Currencies is performed by Paybilla.
      b. Wallet Module (Crypto, Fiat) – No access, the funds are held by Paybilla.
      c. Affiliate Management Module – Yes
      d. Billing Module – Yes
      e. Analytics Module – Yes
      
   3. Registered User using registered Paybilla account for purchases and/or exchanging cryptocurrencies.
      a. Exchange Module - Yes
      b. Wallet Module (Crypto, Fiat) – Yes
      c. Affiliate Management Module – No access
      d. Billing Module – Yes
      e. Analytics Module – No
      
   4. Unregistered User of the Services using Paybilla payment interface to purchase products/services of the Merchants.
      Unregistered users have access to the following modules:
      a. Exchange Module – No access
      b. Wallet Module (Crypto, Fiat) – No access
      c. Affiliate Management Module – No access
      d. Billing Module – Yes
      e. Analytics Module – No access
      
10. Registration
    1. In order to use the Services, which require the Account, you must register the Account.
    2. To register the Account, you shall provide the requested information such as your name, ID number, date of birth, address, telephone number, email address, address, in case of a Merchant Account, also the information relating to the ultimate beneficial owner of the organization, and other relevant data asked by Paybilla upon registration.
    3. To identify you, the Company may require a copy of your passport, ID, use third-party sources for a background check, proof of address, your digital signature or use any other information technology means pursuant to laws of Estonia.
    4. The Company may ask and you will be obligated to provide additional information after the registration process.
    5. You warrant that all information provided to us is true, accurate, and complete, and that you shall immediately update this information to keep it up to date. Your name shall match the name on the credit/debit card(s) or other payment accounts (e.g. personal virtual wallet) which you provide to us.
    6. If the Company should become aware that information provided by you is inaccurate, incomplete, or not satisfactory, has a suspicion about inaccuracy of the information, it has a right to ask for accurate information. If you do not provide the correct information, the Company has a right to suspend your right of using the Services and/or Site.
    7. We may also ask you for information on your business, including your business’s legal name, address of the business, your company's website and other relevant information. The information that you provide at the time of account opening must be accurate and complete and you must inform us immediately, but not later than within ten business (10) days of any changes to such information. We may also obtain information about you from third parties. We have the right to reject your account registration or to later close your account, if you do not provide us with accurate, complete, and satisfactory information.
    8. To identify you, the Company may require a copy of your passport, ID, third-party sources for a background check, proof of address, your digital signature or use any other information technology means pursuant to laws of Estonia.
    9. We reserve the right to verify your data at any time, by requesting documents. If deemed necessary, we may request apostilled, legalised (meaning that an authority certifies the signature on the document and the authenticity of the impression of a seal or stamp or the competence of the undersigned person) or notarized copies of the documents, meaning that the documents are stamped and attested by a certified notary. In the event our requests for documents are not completed to our satisfaction, the Company may at its sole discretion terminate the Account. Should the documents fail our internal security checks we shall not accept such documents, and we are under no obligation to provide feedback on the exact nature of our findings with regards to these documents.
    10. To Register the Account and use the Services you shall warrant us the following:
        1. you are at least 18-years old;
        2. you are not be barred from receiving the Services under the laws of Estonia or any other countries including the country in which you are resident or from which you use the Services;
        3. you provide accurate and complete information;
        4. you have read, understood and accepted the Terms.
11. Account
    1. You acknowledge and warrant the following:
       1. the Account is for your own personal use, unless it is a Merchant Account;
       2. you shall only open one Account;
       3. you shall not assist others in obtaining unauthorized access to Services and/or to your Account;
       4. you shall not access the Account of any other person with the Site;
       5. you shall be fully responsible for any activities undertaken on your Account;
       6. you will not do anything deceptive or fraudulent;
       7. you will not engage in activities that affect the functioning and security of the Site and/or Services;
       8. you will not reveal your Account username or password or your private digital wallet address to any person and you shall take all steps to ensure that such details are not revealed to any person.
    2. You are responsible for maintaining the confidentiality of your Account’s information, including username, password and other sensitive, confidential details, the safeguarding of your own Digital Currency in case of direct access to the Wallet provided by Paybilla, as well as the transactional activity posted to your Account. You understand that any compromise of your Account information may expose your Account to unauthorized access by a third party which may result in loss or theft of Digital Currency, as well as any linked accounts, such as your linked bank accounts and credit cards.
    3. You are responsible for the security of your username and password as well as your digital wallet address on your own personal computer or internet access location. We are not liable, if someone gains unauthorized access to data in your computer and receives your username and password combination.
    4. You shall inform the Company immediately of any hacking or any attempt to gain unauthorized access to data from your computer. Nonetheless, acknowledge that it is your responsibility to secure your data.
    5. If you should attempt or gain unauthorized access to the Services without the Company’s permission, the Company has the right to suspend or terminate your use of the Services (including pending purchase/sale offers) immediately.
    6. The Company has a sole discretion whether to provide the Service or not.
12. Payment Processing and fees charged by Paybilla
    1. You give permission to Paybilla to provide your data and/or documentation about you to third party service providers, including payment processors, as shall be required to complete a transaction or pursuant to an inquiry or investigation for KYC/AML purposes.
    2. With regard to any payments in Fiat Money to Paybilla, you further agree not to make or attempt to initiate chargebacks, and/or deny or reverse any payment or deposit that you have made. In any such event, we reserve the right to cease to provide the Services, terminate the Terms of Use, and take any further action we may deem appropriate, including the right to adjust the Account records accordingly to reflect any Company deduction from the deposit section to set-off any loss suffered due to your chargeback or reversal of transactions.
    3. You must provide us with a written notice at least three (3) business days prior to closing or changing your bank account, which is connected to the Account. If you wish to continue to receive direct deposits, you must provide us with information for a substitute bank account. You are solely liable for all fees and costs associated with your bank account and for all overdrafts. You are also liable to us for any fees that we may incur based on your provision of inaccurate information or instructions. You authorize us to initiate electronic credits to your bank account at any time, as necessary to process your transactions. We will not be liable for any delays in receipt of funds or errors in bank account entries caused by third parties.
    4. ou can see our fee structure on the "Pricing" page. For clarity, the fees applicable to you as set out on the "Pricing" page forms part of this Agreement which may be subject to change.
    5. We can make deductions from your Paybilla Account. You agree that we are authorised to deduct our fees, any applicable reversal amounts, and/or any amounts you owe us from your Paybilla Account. If you don’t have enough money in your Paybilla Account to cover these amounts, we may refuse to execute the relevant transaction or provide any Services to you.
13. Intellectual property rights
    1. All contents of this Site, including but not limited to works, images, archives, information, materials, information on Site, Site layout, design of the Site, are owned by the Company in accordance with the law, including but not limited to trademark rights, patents, copyrights, trade secrets and etc.
    2. No person shall use, copy, download, modify, reproduce, publicly transmit, alter, distribute or publish the contents of this Site without the written consent of the Company.
    3. Respect for intellectual property rights is your duty, and if there is any breach, you shall bear the full liability for damages. You agree to respect all copyright, property rights and other legal notices and information Paybilla Site or Services accessed through the Site or the Services. You agree not to change, translate, or otherwise create derivative works of the Services.
    4. You are not allowed to use Paybilla trademark, logo, domain name, etc. without prior written consent from Paybilla.
    5. You undertake not to:
       1. Copy, redistribute, publish, reverse engineer, decompile, disassemble, modify, translate or make any attempt to access the source code to create derivative works of the source code, or otherwise;
       2. sell, assign, sublicense, transfer, distribute or lease the Software;
       3. make the Software available to any third party through a computer network or otherwise;
       4. export the Software to any country (whether by physical or electronic means); or use the Software in a manner prohibited by any laws or regulations which apply to the use of the Software.
    6. By using the Site and/or the Services and agreeing to these Terms you also agree to be bound by the Company’s Privacy Policy. The Company may change Privacy Policy on the same conditions as it may change these Terms. Privacy Policy of the Company is available at: ...... ..
14. Client Content
    1. You warrant that with respect to any content you may upload and/or post to the Site, including without limitation, any text, photo, or other material (“Client Content”): (a) you own or have the right to post such Client Content, and (b) such Client Content, or its use by the Company as contemplated by the Terms of Use, does not violate any agreement or any other rights set forth in the Terms of Use, applicable law, or the intellectual property, publicity, personality, or other rights of others.
    2. In addition, you undertake that any such Client Content will not consist of:
       1. false, misleading information and/or misappropriation of any information;
       2. obscene, offensive, profane, unlawful content or any content which, subject to Company’s sole discretion, may harm or risk the Company’s good name and reputation;
       3. infringe the rights of others;
       4. anything that is otherwise prohibited by any applicable laws, regulations or directives; and/or
       5. statements about the Company or the Site or any other Internet site connected to the Company that are untrue and/or malicious and/or damaging to the Company.
    3. The Company assumes no responsibility in connection with any Client Content, nor does it endorse or claim authenticity of any Client Content that may be uploaded and/or posted on the Site. The Company, in its sole discretion, has the right to remove any Client Content and take any further action which the Company deems necessary. This does not relieve you of your responsibility of adhering to the rules above.
15. Your Compliance with Applicable Regulations
    1. You confirm that:
       1. your use of the Site and/or Services is compliant with applicable laws and regulations;
       2. You don’t use the Services and/or Site for any unlawful, criminal or fraudulent activity or any prohibited transaction pursuant to the applicable laws and regulations;
       3. the Digital Currency and Fiat Money that you’re using for our Services is not derived from any illegal activity or any prohibited transaction under the laws that apply to you.
16. Account Termination
    1. The Company may update the content at the Site and the Site itself any time. You understand that the Company may terminate the provision of the Services without prior notice and suspend or close all or part of your Account and all relevant information and files in the Account. The Company may deny or restrict access to the Site including its content or tools, delay or remove hosted content, and take technical and legal measures; deny processing any transaction; cancel or reverse any transaction or pending transaction, even if funds have been debited from your payment method. These actions are all subject to the Company’s sole discretion, including without limitation, as a result of the Company reasonably suspecting or if you should do any of the following:
       1. you have breached Terms;
       2. your failure to make required payments of Fiat Money and/or transfer of Digital Currency;
       3. you have not logged in to the Site or used the Services for 36 consecutive months;
       4. another person is using your Account;
       5. you attempt to gain unauthorized access to the Site or another Client’s Account or to provide assistance to others’ attempt to do so;
       6. your transaction involves money laundering, terrorist financing, fraud, or any other crime, or non-compliance with any applicable laws;
       7. due to court order, law enforcement and/or other government or regulatory inquiry or order;
       8. you are abusing any and/or all of the Services, including without limitation by opening multiple accounts;
       9. any of the Company’s third-party providers refuses to provide you with any services which the Company requires for Company’s fulfillment of some of the Services;
       10. you are creating problems on the Site and/or to the Company, you adversely affect the Company’s reputation in any way whatsoever, or pose as any other liability to the Company;
       11. force majeure events, including operational and technical errors;
       12. your Account is associated with any suspended or terminated account for breach of the Terms or suspended/terminated for any other reason; or
       13. you fail internal or external compliance/KYC/AML checks.
    2. The Company reserves the right to suspend or terminate your access to your Account and/or Services for any other reason that may not be listed hereunder.
    3. Should the Company suspend or terminate your access to your Account and/or the Services, you shall not use your Account nor use any or all of the Services. In case of termination or suspension of your Account by us, we may: cancel pending orders to exchange Digital Currency.
    4. If you wish to stop using the Services and terminate the Agreement between you and the Company you should send an email to ______ or navigate in your Account to section “Terminate Account”.
    5. The termination of the Agreement takes effect upon closing your Account. It shall occur within 10 business days after an email about your wish to terminate the Agreement and necessary information to do so is received by us. You will remain responsible for any activity on your Account between sending us such email and the closing of your Account.
    6. Following termination or suspension of your Account by us, or our receipt of an email from you terminating your Account we reserve the right to cancel pending orders to exchange Digital Currency.
    7. On termination of the Account or suspension of your Account for any reason whatsoever, you shall: stop using the Site, Software and the Services. In addition, you will be responsible for fulfilling any outstanding payment obligations (whether in Digital Currency or Fiat Money) to the Company existing as of the effective date of termination and to settle any pending transactions.
    8. The Company is not obligated to disclose the results of the Company’s security and risk management procedures. In the event your Account is suspended or terminated by the Company, the Company may provide you with notice of such suspension or termination.
    9. The right to terminate the Terms, given by this clause shall not prejudice any other right or remedy of either party in respect of the breach concerned (if any) or any other breach.
17. No Warranty
    1. You understand and agree that you use the Services, the Site and/or software at your own risk.
    2. We provide the services on an “as is” and “as available” basis, and your use of the services is at your own risk. To the maximum extent permitted by applicable law, we provide the Services without warranties of any kind, whether express or implied (including, without limitation, warranties of merchantability, fitness for a particular purpose, or non-infringement). Without limiting the foregoing, we do not warrant that the Services (and our website): will operate error-free or that defects or errors will be corrected; will meet your requirements or will be available, uninterrupted or secure at any particular time or location; are free from viruses or other harmful content. We do not endorse, warrant, guarantee or assume responsibility for any product or service offered or advertised by a third party through the Services or through Site, and we will not be a party to nor monitor any interactions between you and third-party providers of products or services.
    3. We do not make any warranties about the validity, authenticity, quality, suitability, or otherwise, about any Digital Currency you receive through the Site.
18. Liability
    1. We are responsible to you for foreseeable loss and damage caused by us. If we do not reasonably meet our commitments to you, we are responsible for loss or damage you suffer that is a foreseeable result of our breaking this contract or our failing to use reasonable care and skill. We are not responsible for any loss or damage that is not foreseeable. Loss or damage is foreseeable if either it is obvious that it will happen or if, at the time the contract was made, both we and you knew it might happen, for example, if you discussed it with us during your account sign up process.
    2. We do not exclude or limit in any way our liability to you where it would be unlawful to do so. This includes liability for death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors; for fraud or fraudulent misrepresentation.
    3. You are liable for breaking this Agreement or applicable laws. In the unlikely event of loss or claims or costs and expenses arising out of your breach of this Agreement, any applicable law or regulation and/or your use of our Services, you agree to compensate us and our affiliates and hold us harmless. This provision will continue after our relationship ends.
    4. You shall be held liable for any loss, including direct and indirect damages, costs or expenses, we may suffer as a result of your prohibited deeds. You agree to immediately notify us if you commit any prohibited deeds or if you have the knowledge of any third party committing any prohibited deeds. You agree to provide us with reasonable assistance with any inquiry investigation we may conduct as a result of the information provided by you in this respect.
    5. You should use a reputable and available virus screening and prevention software at all times. The Company shall not bear any liability, whatsoever, for any damage or interruptions caused by computer viruses, spyware, Trojan horses, worms or other malware that may affect your systems, computer or other equipment, or any phishing, spoofing or other virus attacks. The Company cautions you to carefully review any electronic messages purporting to originate from the Company, and to beware that electronic devices are vulnerable to phishing and spoofing scams and additional viruses. The Company maintains that you should always log into your Account through the Site only and avoid using unauthentic communication advising you options to log in.
    6. Once you have an Account you become responsible for your account and content you create and upload and/or post to the Site. The Company may remove any content from the Site that is in conflict with the Terms. You warrant that you will:
       1. not post information you know is false, misleading, or inaccurate;
       2. not do anything deceptive or fraudulent;
       3. respect rights of the others and will not threat, abuse, harass, defame, or engage in behavior that is libelous, tortious, obscene, profane, or invasive of another person’s privacy;
       4. avoid spam and unsolicited communications and will not distribute unsolicited or unauthorized advertising or promotional material, or any junk mail, spam, or chain letters;
       5. respect the property of others and will not distribute software viruses, or anything else designed to interfere with the proper function of any software, hardware, or equipment on the Site or the use of the Site by any other User;
       6. not access the Site if the Company has prohibited you from using it;
       7. not engage in activities that affect the functioning and security of the Site;
       8. respect the privacy of other users and will not disclose information which has become known to you while using the Services;
       9. you own or have the right to post Client Content if you should post such content;
       10. not promote illegal activities.
    7. The Company assumes no responsibility in connection with any Client Content, nor does it endorse or claim authenticity of any Client Content that may be uploaded and/or posted on the Site.
19. Limitation of Liability
    1. To the maximum event permitted by applicable law, in no event will the Company be liable to you or any third party for any direct, indirect, special, incidental, consequential, exemplary or punitive damages or any loss, theft, disappearance, or damages for lost profits, lost revenues, lost data or other intangible losses that result from the use of, inability to use, or unavailability of the services, regardless of the form of action and whether or not we knew that such damage may have been incurred. In no event will we be liable to you or any third party for any damage, loss or injury resulting from hacking, tampering, virus transmission or other unauthorized access or use of the services, your Account, or any information contained therein. In no event will our liability for any damages arising in connection with the services exceed the fees earned by us in connection with your use of the Services during the 6-month period immediately preceding the event giving rise to the claim for liability. The foregoing limitations of liability shall apply to the fullest extent permitted by law in the applicable jurisdiction.
    2. We are not liable for things which are outside of our control. We (and our affiliates) cannot be liable for our inability to deliver or delay as a result of things which are outside our control.
    3. We are not liable for any acts made by any user or Registered user of the Site and/or Services.
    4. We have no control over websites linked to and from our Website. We assume no responsibility for their content or any loss or damage that may arise from your use of them.
    5. We are not liable for business losses. If you use our Services for any commercial or business purpose we will have no liability to you for any loss of profit, loss of business, business interruption, or loss of business opportunity.
    6. We are not liable for technological attacks. We will not be liable for any loss or damage caused by a virus, or other technological attacks or harmful material that may infect your computer equipment, computer programmes, data or other proprietary material related to your use of our Services or Site..
20. Indemnification
    1. You agree to indemnify the Company, its related entities, its officers, employees and other Registered Users from any claims, costs, losses, liabilities, damages, expenses and judgments of any and every kind (costs, fines, expenses and attorneys’ fees) suffered by any of them that may arise in connection with:
       1. any breach of the Terms by you;
       2. your breach of representation;
       3. your wrongful use of the Services;
       4. a third party using your Account, whether or not with your authorization;
       5. any violation by you of any law, rule, regulation and/or directive; and/or
       6. the rights of any third party.
21. Third Parties
    1. While using the Site and/or Services you may be offered services, products, special offers of other events that are not owned or controlled by the Company.
    2. If you decide to use these third-party services, you do so at your own risk and are solely responsible for reviewing, understanding and complying with the associated terms and conditions. We expressly disclaim any liability for the third-party services. We are not responsible for the performance of the third-party services.
    3. These third-party websites may have their own terms and conditions of use and your use of them will be governed by and subject to such terms. As they may be different from our Terms, you must ensure that you have read, understood and agreed to all of the terms and conditions.
    4. If you use third-party services or websites, we cannot guarantee that unauthorized persons will never gain access to your information, therefore, you shall acknowledge that you provide your information at your own risk, except as otherwise provided by applicable law.
    5. The Company shall not be liable for any third-party services, statements, or any other content of that third-party website.
    6. The Company is not responsible for content posted on the Site by third parties. If you have a reason to believe that the content on the Site infringes your intellectual property rights or other rights, please inform the Company immediately. We will review your notice and take appropriate actions.
22. Linking to our site

    You may link to our Website provided you follow certain rules. You may link to our Website, provided:

    a) you do so in a way that is fair and legal and does not damage our reputation or take advantage of it;
    b) you do not suggest any form of association, approval or endorsement on our part where none exists;
    c) you do not frame our Website on any other site; and
    d) the website complies with our Terms of Use.
    

    We reserve the right to withdraw linking permission without notice.

23. Disclaimer
    1. You understand and agree that the Company does not provide any investment advice, recommendation, or guidance. We may provide information on the price, range, volatility of Digital Currency, but this is not considered investment advice and should not be construed as such. If there should be communication between the Company and you, it should not be considered as investment advice. Before you invest in the Digital Currency, you have to remember that it involves risks. If you do not have a lot of experience in Digital Currency, we recommend you to consult with an expert.
24. Risk Factors related to buying and trading Digital Currencies
    1. Consider and evaluate all risks before you buy, sell or trade anything on the crypto-currency market. Remember that it involves a considerable risk. An inherent risk exists that you will lose all or part of value in your assets.
    2. You understand that value and market liquidity of Digital Currency may change and drop and the Company cannot guarantee that Digital Currency will maintain a certain value or market liquidity.
    3. The theft, loss or destructions of a private key required to access Digital Currency is irreversible, and because the Company does not have access to those private keys, such private keys cannot be restored by the Company, and the Company will not be responsible for Client’s loss of access to its personal virtual wallet.
    4. You understand that all risks of trading, buying or selling Digital Currency may have not been set forth in the Terms. You shall assess the risks responsibly. It is your responsibility to assess all risks. If you do not have prior experience with crypto-currency we recommend seeking professional advice before using the Services and the Site.
    5. It is your own responsibility to ensure compliance of your activities with applicable laws as in some jurisdictions Digital Currency may be classified as security.
    6. Liquidity of Digital Currency markets is highly variable. Therefore, the exchange of Digital Currency is considered a risky transaction with speculative outcomes.
25. Other important terms
    1. Nobody else has any rights under this Agreement. This Agreement is between you and us. No other person shall have any rights to enforce any of its terms. Neither of us will need to get the agreement of any other person in order to end or make any changes to this Agreement.
    2. We may transfer this Agreement to someone else. You may not transfer, assign, mortgage, charge, subcontract, declare a trust over or deal in any other manner with any or all of your rights and obligations under this Agreement without our prior written consent. We reserve the right to transfer, assign or novate this Agreement or any right or obligation under this Agreement at any time without your consent. This does not affect your rights to close your Paybilla account.
    3. If a court finds part of this Agreement illegal, the rest will continue in force. Each of the paragraphs of this Agreement operates separately. If any court or relevant authority decides that any of them are unlawful, the remaining paragraphs will remain in full force and effect.
    4. Even if we delay in enforcing this Agreement, we can still enforce it later. If we delay in asking you to do certain things or in taking action, it will not prevent us taking steps against you at a later date.
    5. This Agreement supersedes any other previous agreements. This Agreement supersedes and extinguishes all previous agreements between you and Paybilla, whether written or oral, relating to its subject matter.
    6. This Agreement is governed by the Estonian law. Any dispute between you and us in connection with your Paybilla Account and/or this Agreement may be brought in the courts of Estonia.

PAYBILLA Estonia OÜ

RULES OF PROCEDURE AND INTERNAL CONTROL RULES OF VIRTUAL CURRENCY WALLET SERVICE PROVIDER

For implementation of Money Laundering and Terrorist Financing Prevention Act and implementation of International Sanctions Act

Tallinn 2019

GENERAL PROVISIONS AND DEFINITIONS

These rules of procedure (hereinafter the Rules of Procedure) regulate the activities of PAYBILLA Estonia OÜ for the implementation of the Money Laundering and Terrorist Financing Prevention Act (hereinafter the MLTFPA) and the implementation of the International Sanctions Act (hereinafter the ISA). The Rules of Procedure have been established by a resolution of shareholders of PAYBILLA Estonia OÜ.

In these Rules of Procedure, the following definitions have the following meaning:

Money laundering means:

1. the conversion or transfer of property derived from criminal activity or property obtained instead of such property, knowing that such property was derived from criminal activity or from an act of participation therein, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions;
2. the acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein;
3. the concealment or disguise of the true nature, origin, location, disposition, movement or right of ownership or other rights with respect to property derived from criminal activity or property obtained instead of such property, knowing that such property was derived from criminal activity or from an act of participation therein.

Terrorist financing means the financing and supporting of an act of terrorism and commissioning thereof within the meaning of § 2373 of the Penal Code.

Beneficial owner means a natural person who, taking advantage of their influence, makes a transaction, act, action, operation or step or otherwise exercises control over a transaction, act, action, operation or step or over another person and in whose interests or favour or on whose account a transaction or act, action, operation or step is made.

Private limited company means the virtual currency wallet service provider, which is an obliged entity for the purposes of the MLTFPA.

Business relationship means a relationship that is established upon entry into a long-term contract by an obliged entity in economic or professional activities for the purpose of provision of a service or sale of goods or distribution thereof in another manner or that is not based on a long-term contract, but whereby a certain duration of the relationship could be reasonably expected at the time of establishment of the contact and during which the obliged entity repeatedly makes separate transactions in the course of economic or professional activities while providing a service or professional service, performing professional acts or offering goods.

Customer means a person who has a business relationship with an obliged entity.

Staff means an employee of the Private Limited Company, head of the Private Limited Company, members of the management board, members of the supervisory board.

Compliance officer means a person appointed by the management board to act as a contact person of the Financial Intelligence Unit. A member of the management board or another Staff member of the Private Limited Company may act as a compliance officer.

Person means a natural or legal person who wants to enter into a contract with the Private Limited Company for using the Services provided by the Private Limited Company, but who has not yet been identified by an Employee of the Private Limited Company.

Financial Intelligence Unit means an independent structural unit of the Police and Border Guard Board (an up-to-date definition in accordance with § 53 of the MLTFPA).

Politically exposed person means a natural person who is or who has been entrusted with prominent public functions, including a head of State, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d'affaires and a high-ranking officer in the armed forces; a member of the management board and an administrative or supervisory body of a State-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organisation, except middle-ranking or more junior officials.

Risk appetite means the total of the exposure level and types of the Private Limited Company, which the Private Limited Company is prepared to assume for the purpose of its economic activities and attainment of its strategic goals and which is established by the management board of the Private Limited Company in writing.

1. MANDATORY NATURE OF IMPLEMENTATION OF MLTFPA

   The Private Limited Company as a virtual currency wallet service provider agrees to follow these rules of procedure as provided by clause 2 (1) 11) of the Money Laundering and Terrorist Financing Prevention Act and clause 6 5) of the International Sanctions Act.

   The management board of the Private Limited Company agrees to ensure that each Staff member comply with the requirements provided by these Guidelines, the MLTFPA and legal acts issued on the basis thereof. Staff members of the Private Limited Company must know and comply with legal acts and relevant guidelines of authorities and independently examine amendments to legal acts and guidelines.

   A Staff member is personally responsible for the compliance with the requirements arising from the MLTFPA and these Guidelines. Failure to comply with the requirements may result in the termination of the employment contract as well as punishment pursuant to misdemeanour or criminal procedure.

2. Management of risks relating to money laundering and terrorist financing
   1. The Private Limited Company has clearly defined areas of responsibility and functions for ensuring the obligations provided by the MLTFPA and ISA at the level of both the management and the Employee.
   2. The management board of the Private Limited Company verifies that the Rules of Procedure are up to date regularly once a year and, if necessary, supplements them or establishes new rules of procedure, taking into account the written overview prepared by the Compliance Officer on the compliance with the Rules of Procedure.
   3. It is prohibited to establish a Business Relationship or make a Transaction if:
      1. the Person wants to pay in cash or the object of the Transaction is more than 10,000 euros or an equivalent amount in another currency, regardless of whether the pecuniary obligation is performed in the Transaction as a single payment or as several interrelated payments within a period of up to one year and the Person does not submit documents and relevant information required for the implementation of due diligence measures;
      2. the submitted documents or other information make an Employee suspect money laundering or terrorist financing. An Employee immediately notifies of the suspicion the Compliance Officer who is being guided in their further activities by the provisions of clause 20 of the Rules of Procedure.
   4. An Employee has the right to refuse to execute a Transaction if the Person, regardless of a corresponding request, does not submit the documents that certify the legal origin of the money or other property being the object of the Transaction.
   5. A Business Relationship may be cancelled on an extraordinary basis without following the term for advance notice if the Customer does not submit, regardless of a corresponding request, documents and relevant information or if the submitted documents and data do not dispel the suspicion that the purpose of the Transaction or Business Relationship may be money laundering or terrorist financing.
   6. Information about the refusal to establish a Business Relationship or make a Transaction and the circumstances of the termination of the Business Relationship and/or information about the suspicion of money laundering or terrorist financing is registered and retained pursuant to the procedure provided by the Rules of Procedure.
   7. Once a year the Compliance Officer prepares for the management board a written overview of the compliance with the Rules of Procedure that includes:
      1. a list of the notices submitted to the Financial Intelligence Unit;
      2. precepts issued by the Financial Intelligence Unit in respect of the Private Limited Company or its Customers;
      3. completed or pending proceedings conducted in respect of the Private Limited Company and regarding the prevention of money laundering and terrorist financing and complying with an international sanction;
      4. proposals for amending the Rules of Procedure;
      5. other observations and proposals for improving the work organisation of the Private Limited Company in order to ensure that the obligations arising from legal acts are met.
3. Assessment of risks relating to money laundering and terrorist financing and determining level of applicable due diligence measures upon providing virtual currency wallet service
   1. Upon establishing a Business Relationship, during it as well as upon making Transactions, risks must be assessed as follows:
      
      Upon assessing the nature of the Business Relationship or Transaction:
      1. the purpose of establishing the Business Relationship or the Transaction and the understandability thereof;
      2. the Transaction value;
      3. the sensitivity of the Service to be provided;
      4. the connection of the Business Relationship or Transaction with the countries or territories in respect of which an international sanction has been imposed, where the measures for the prevention of money laundering and terrorist financing are not sufficient or which, according to reliable resources, are connected with supporting terrorist activities, or where the corruption level is high;
      5. the circle of people participating in the Transaction and the possibility and reliability of identifying that;
      6. the division of Transaction-related costs between different people;
      7. the transparency of the Transaction (including the identifiability of the origin of the funds serving as a basis for the transaction);
      8. the possibility and reliability of identifying the owner of the Transaction object;
      9. the expected duration of the Business Relationship.
      
      Upon assessing the Customer participating in the Business Relationship or Transaction:
      1. the connection of the Customer with the countries or territories in respect of which an international sanction has been imposed, where the measures for the prevention of money laundering and terrorist financing are not sufficient or which, according to reliable resources, are connected with supporting terrorist activities, or where the crime or corruption level is high;
      2. in the case of a legal person, the complexity of its structure;
      3. the possibility and reliability of identifying the circle of beneficial owners of the Customer;
      4. the proportion of bearer shares;
      5. the tax system and amount of taxes of the Customer’s location or area of operation;
      6. the Customer’s political background and connection with politically exposed persons;
      7. the financial sanctions imposed on the Customer;
      8. earlier suspicions about the Customer’s connections with money laundering or terrorist financing;
      9. the type and turnover of the Services provided by the Private Limited Company to the Customer;
      10. the expected duration of the Business Relationship.
   2. Four risk categories must be considered in assessing the level of the risk of money laundering and terrorist financing:
      1. geographic risk;
      2. Customer risk;
      3. Transaction-related risk;
      4. risk related to communication or mediation channels or transmission channels of Transactions.
   3. As a result of the risk assessment, the Private Limited Company establishes:
      1. the fields of a lower and higher risk of money laundering and terrorist financing;
      2. the Risk Appetite, including the volume and scope of the services provided in the course of business activities;
      3. the risk management model, including simplified and enhanced due diligence measures, in order to mitigate identified risks.
   4. Applicable due diligence measures are chosen as follows:
      1. tlow risk level – simplified due diligence measures;
      2. tusual risk level – usual due diligence measures;
      3. thigh risk level – enhanced due diligence measures.
   5. The risk of money laundering or terrorist financing is considered high if a suspicion arises, for any reason, that the Person, Customer or the Transaction to be made by the Customer may have a connection with money laundering or terrorist financing.
   6. If any such circumstances become evident in the case of the Person, Customer or Transaction that refer to a higher risk, the enhanced due diligence measures specified in clause 8 of the Rules of Procedure must be implemented.
   7. The situations that refer to a higher risk with regard to a Person and Customer are, above all, such where:
      1. the Business Relationship is based on unusual factors, including in the event of complex and unusually large Transactions and unusual transaction patterns that do not have a reasonable, clear economic or lawful purpose or that are not characteristic of the given business specifics;
      2. the Person or Customer is a resident of a higher-risk geographic area listed in clause 4.9 of the Rules of Procedure;
      3. the Person or Customer is a legal person or another association of persons that does not have the status of a legal person, which is engaged in holding personal assets;
      4. the Person or Customer is a legal person registered in a low tax rate area;
      5. the Person or Customer is a cash-intensive business;
      6. the Person or Customer is a company that has nominee shareholders or bearer shares or a company whose affiliate has nominee shareholders or bearer shares;
      7. the Person or Customer has been entered in the list kept by the UN or the European Union of persons against whom international financial sanctions are applied;
      8. the ownership structure of the company who is the Person or Customer appears unusual or excessively complex, given the nature of the company’s business;
      9. it is known beforehand in respect of the Person or Customer that they may be involved in money laundering or terrorist financing.
   8. The situations that refer to a higher risk with regard to a Transaction or transmission channel are, above all, such that constitute:
      1. the execution or mediation of a Transaction that may favour anonymity or the purpose of which is the concealment of the actual parties to the transaction or the actual owner of the object of the transaction;
      2. a Transaction that involves the exchange of funds received from unknown or unassociated third parties;
      3. payment for a Transaction in cash by a person who is not a Customer;
      4. a Transaction that does not have any understandable reasonable business, economic, tax-related or legal purpose;
      5. a Business Relationship or Transaction that is established or initiated in a manner where the Customer, the Customer’s representative or a party to the Transaction is not met physically in the same place and their identity is not verified using information technology means;
      6. new business practices, including the use of a new transmission mechanism or new or developing technology for both new and pre-existing services.
   9. A factor increasing the geographic risk is deemed to be a situation where the Person, Customer or the Transaction itself is connected with a following country or jurisdiction:
      1. that, according to reliable sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective AML/CFT (anti-money laundering and countering the financing of terrorism) systems;
      2. that, according to reliable sources, has significant levels of corruption or other criminal activity;
      3. that is subject to sanctions, embargoes or similar measures established by, for example, the European Union or the United Nations;
      4. that provides funding for or supports terrorist activities, or that has terrorist organisations operating within their territory, as identified by the European Union or the United Nations.
   10. A risk related to a Person or Customer is considered low if the Customer or Person is:
       1. a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
       2. a legal person governed by public law and established in Estonia;
       3. a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
       4. an institution of the European Union;
       5. a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area or a third country, which in its country of location is subject to requirements equivalent to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
       6. a person who is a resident of a country or geographic area having the characteristics specified in clause 4.11.
   11. A Transaction-related risk is considered low if:
       1. The funds serving as a basis for the Transaction have been transferred to the bank account of the Private Limited Company via an account that has been opened in the name of the Customer in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equivalent to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in effect.
   12. A geographic risk is considered low if the Person or Customer is from or their place of residence or seat is in a following country:
       1. a contracting state of the European Economic Area;
       2. a third country that has effective AML/CFT systems;
       3. a third country where, according to reliable sources, the level of corruption and other criminal activity is low;
       4. a third country where, according to reliable sources such as mutual evaluations, reports or published follow-up reports, AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force have been established and where the requirements are effectively implemented.
   13. A risk related to communication channels and transmission channels of services is considered low if the Person or Customer uses the solutions that are generally known and approved by the Private Limited Company for communicating with the Private Limited Company and the Transactions are only made via the software of the Private Limited Company.
4. Assessment of risks relating to money laundering and terrorist financing and determining level of applicable due diligence measures upon providing Service
   1. Upon establishing a Business Relationship, during it as well as upon providing the Service, risks must be assessed as follows:
      Upon assessing the nature of the Business Relationship:
      1. the purpose of establishing the Business Relationship and the understandability thereof;
      2. the connection of the Business Relationship with the countries or territories in respect of which an international sanction has been imposed, where the measures for the prevention of money laundering and terrorist financing are not sufficient or which, according to reliable resources, are connected with terrorist financing, or where the corruption level is high;
      3. the circle of people using the Service and the possibility and reliability of identifying that;
      4. the division of Service-related costs between different people;
      5. the transparency of using the Transaction (including the identifiability of the origin of the funds used);
      6. the possibility and reliability of identifying the user of the Service;
      7. the expected duration of the Business Relationship.
      Upon assessing the Customer participating in the Business Relationship or using the Service:
      1. the connection of the Customer with the countries or territories in respect of which an international sanction has been imposed, where the measures for the prevention of money laundering and terrorist financing are not sufficient or which, according to reliable resources, are connected with supporting terrorist activities, or where the crime or corruption level is high;
      2. in the case of a legal person, the complexity of its structure;
      3. the possibility and reliability of identifying the circle of beneficial owners of the Customer;
      4. the proportion of bearer shares;
      5. the tax system and amount of taxes of the Customer’s location or area of operation;
      6. the Customer’s political background and connection with politically exposed persons;
      7. the financial sanctions imposed on the Customer;
      8. earlier suspicions about the Customer’s connections with money laundering or terrorist financing;
      9. the turnover of the Service provided by the Private Limited Company to the Customer;
      10. the expected duration of the Business Relationship.
   2. Four risk categories must be considered in assessing the level of the risk of money laundering and terrorist financing:
      1. geographic risk;
      2. Customer risk;
      3. Service-related risk;
      4. risk related to communication or mediation channels or transmission channels of the Service.
   3. As a result of the risk assessment, the Private Limited Company establishes:
      1. the fields of a lower and higher risk of money laundering and terrorist financing;
      2. the Risk Appetite, including the volume and scope of the services provided in the course of business activities;
      3. the risk management model, including simplified and enhanced due diligence measures, in order to mitigate identified risks.
   4. Applicable due diligence measures are chosen as follows:
      1. low risk level – simplified due diligence measures;
      2. usual risk level – usual due diligence measures;
      3. high risk level – enhanced due diligence measures.
   5. The risk of money laundering or terrorist financing is considered high if a suspicion arises, for any reason, that the Person, Customer or the Service to be used by the Customer may have a connection with money laundering or terrorist financing.
   6. If any such circumstances become evident in the case of the Person, Customer or use of the Service that refer to a higher risk, the enhanced due diligence measures specified in clause 8 of the Rules of Procedure must be implemented.
   7. The situations that refer to a higher risk with regard to a Person and Customer are, above all, such where:
      1. the Business Relationship is based on unusual factors, including making complex and unusually large transfers when using the Service and in the event of unusual transaction patterns that do not have a reasonable, clear economic or lawful purpose or that are not characteristic of the given business specifics;
      2. the Person or Customer is a resident of a higher-risk geographic area listed in clause 5.9 of the Rules of Procedure;
      3. the Person or Customer is a legal person or another association of persons that does not have the status of a legal person, which is engaged in holding personal assets;
      4. the Person or Customer is a legal person registered in a low tax rate area;
      5. the Person or Customer is a cash-intensive business;
      6. the Person or Customer is a company that has nominee shareholders or bearer shares or a company whose affiliate has nominee shareholders or bearer shares;
      7. the Person or Customer has been entered in the list kept by the UN or the European Union of persons against whom international financial sanctions are applied;
      8. the ownership structure of the company who is the Person or Customer appears unusual or excessively complex, given the nature of the company’s business;
      9. it is known beforehand in respect of the Person or Customer that they may be involved in money laundering or terrorist financing.
   8. The situations that refer to a higher risk with regard to the Service or transmission channel are, above all, such that constitute:
      1. a Transaction that is made via the Service and that may favour anonymity or the purpose of which is the concealment of the actual parties to the transaction or the actual owner of the object of the Service;
      2. payments received from unknown or unassociated third parties to the Customer’s virtual wallet;
      3. the use of the Service for transactions that do not have any understandable reasonable business, economic, tax-related or legal purpose;
      4. a Business Relationship or transaction, which is made via the Service, that is established or initiated in a manner where the Customer or the Customer’s representative is not met physically in the same place and their identity is not verified using information technology means;
      5. new business practices, including the use of a new transmission mechanism or new or developing technology.
   9. A factor increasing the geographic risk is deemed to be a situation where the Person, Customer or the Transaction itself is connected with a following country or jurisdiction:
      1. that, according to reliable sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective AML/CFT systems;
      2. that, according to reliable sources, has significant levels of corruption or other criminal activity;
      3. that is subject to sanctions, embargoes or similar measures established by, for example, the European Union or the United Nations;
      4. that provides funding for or supports terrorist activities, or that has terrorist organisations operating within their territory, as identified by the European Union or the United Nations.
   10. A risk related to a Person or Customer is considered low if the Customer or Person is:
       1. a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
       2. a legal person governed by public law and established in Estonia;
       3. a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
       4. an institution of the European Union;
       5. a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area or a third country, which in its country of location is subject to requirements equivalent to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
       6. a person who is a resident of a country or geographic area having the characteristics specified in clause 5.11.
   11. A geographic risk is considered low if the Person or Customer is from or their place of residence or seat is in a following country:
       1. a contracting state of the European Economic Area;
       2. a third country that has effective AML/CFT systems;
       3. a third country where, according to reliable sources, the level of corruption and other criminal activity is low;
       4. a third country where, according to reliable sources such as mutual evaluations, reports or published follow-up reports, AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force have been established and where the requirements are effectively implemented.
   12. A risk related to communication channels and transmission channels of the Service is considered low if the Person or Customer uses the solutions that are generally known and approved by the Private Limited Company for communicating with the Private Limited Company and the Service is only used by implementing the software of the Private Limited Company.
5. General grounds for application of due diligence measures
   1. The Private Limited Company applies due diligence measures:
      1. upon the establishment of a Business Relationship;
      2. upon making Transactions where the value of the Transaction exceeds 15,000 euros or an equivalent amount in another currency, regardless of whether the pecuniary obligation is performed in the Transaction in a single payment or in several linked payments over a period of up to one year;
      3. if the Private Limited Company is paid or pays in cash more than 10,000 euros or an equivalent amount in another currency, regardless of whether the pecuniary obligation is performed in a single payment or in several linked payments over a period of up to one year;
      4. upon verification of information collected while applying due diligence measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data collected earlier while updating the relevant data;
      5. upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided by the Rules of Procedure or the MLTFPA.
   2. Heightened attention must be paid to the activities of the Person or Customer and to circumstances that refer to money laundering or terrorist financing or that are likely to be associated with money laundering or terrorist financing, including complicated, high-value and unusual Transactions of no reasonable economic purpose.
   3. The Private Limited Company does not provide the Service to a Person with whom the Private Limited Company has not established a Business Relationship.
   4. In order to enter into a customer agreement, the Person completes a customer questionnaire with main compulsory data for the establishment and verification of their identity as set out in legal acts. The Person confirms the accuracy of the data set out in the customer questionnaire with their signature under the questionnaire. An Employee saves a completed and signed questionnaire in an electronic folder kept in respect of the Customer.
   5. An Employee verifies whether the Person is acting on their own behalf or that of another (natural or legal) person. If the Person acts on behalf of another person, an Employee must also identify the person on whose behalf the Transactions are made. If the Person on whose behalf or account the other person is acting cannot be identified, it is prohibited for an Employee to execute the Transaction. An Employee is also required to immediately inform the Compliance Officer.
   6. The Private Limited Company has appointed a customer manager for each Customer, who supplements, systematises, arranges and updates the folder kept in respect of the Customer as well as the data in electronic databases of the Private Limited Company.
   7. Applicable due diligence measures are:
      1. establishment of the Customer’s identity and verification of the submitted information based on information obtained from a reliable and independent source;
      2. establishment and verification of the identity of the Customer’s representative and their right of representation;
      3. identification of the beneficial owner and, for the purpose of verifying their identity, taking measures to the extent that allows an Employee to make certain that they know who the beneficial owner is, and understands the ownership and control structure of the Customer;
      4. understanding of the Business Relationship and, where relevant, collecting additional information thereon, including identifying the permanent seat, place of business or place of residence, profession or field of activity, main transaction partners, payment habits and, in the case of a legal person, also the experience of the Customer;
      5. gathering information on whether the Customer is a politically exposed person, their family member or a person known to be a close associate;
      6. gathering information on the reliability of providers of the Service related to a Transaction;
      7. constant monitoring of the Customer’s Business Relationship, including monitoring Transactions executed during the Business Relationship, regular verification of the data used upon the establishment of identity, updating relevant documents, data and information and, where necessary, identification of the source and origin of the funds used in a Transaction;
      8. in the case of implementation of simplified due diligence measures – identification of the circumstances serving as a basis for the application of simplified procedure;
      9. verification of the information submitted upon implementation of enhanced due diligence measures based on information obtained from a reliable and independent source.
   8. Upon the application of due diligence measures, the circumstances subject to identification are generally determined on the basis of the original documents submitted electronically by the Customer. If an original document cannot be obtained, documents authenticated by a notary or certified by a notary or officially, including by an attorney, may be used. If this is practical in consideration of the risk level, the copy of an original document must be certified with the relevant seal and/or the issuer’s signature and it may be sent electronically (in a format that can be reproduced in writing). A copy may not be relied on if there are suspicions about its correspondence to the original.
   9. Upon the application of the due diligence measures specified in clause 6.7, the information obtained in a format that can be reproduced in writing from a credit institution entered in the Commercial Register in Estonia or a branch of a foreign credit institution or a credit institution that is registered or whose place of business is in a contracting state of the European Economic Area or a third country where requirements equivalent to those provided by the MLTFPA are in effect may also be relied on (the list of the countries is set out in Annex 3).
   10. The due diligence measures specified in sub-clauses 1) to 6) of clause 6.7 must be applied before the establishment of a Business Relationship or execution of a Transaction. If a pecuniary obligation associated with a Transaction is performed by making interrelated payments and the general amount of the payments is not known, the identity of the person participating in the Transaction must be established and the submitted information must be verified as soon as the amount in cash exceeds 10,000 euros.
   11. The identity of the Customer and beneficial owner may be established and the submitted information may be verified during the establishment of the Business Relationship or execution of the Transaction if this is necessary in order not to interrupt the ordinary course of economic activities and if the risk of money laundering and terrorist financing is low. In such a case the application of due diligence measures must be terminated as soon as possible after the establishment of the first contact and before the performance of binding acts.
   12. The application of due diligence measures results in creating a Customer’s risk profile that specifies the scope of the Customer’s declarations of intention, actual needs and possibilities, risk tolerance and capability for executing respective Transactions. Before establishing a Business Relationship and making Transactions with the Customer, an Employee makes sure that the Service offered is in compliance with the Customer’s actual objectives and that the interests of the Private Limited Company or other Customers are not damaged.
   13. Before establishing a Business Relationship with a politically exposed person of a contracting state of the European Economic Area or a third country, an Employee must obtain permission for that from the management who decides whether it is practical to establish the Business Relationship and gives instructions for monitoring further Business Relationship with the politically exposed person.
   14. Before establishing a Business Relationship with a legal person the beneficial owner of which is a politically exposed person of a contracting state of the European Economic Area or a third country, an Employee must obtain permission for that from the management who decides whether it is practical to establish the Business Relationship and gives instructions for monitoring further Business Relationship with the politically exposed person.
   15. Before establishing a Business Relationship with a legal person the seat of which is in a third country, where no sufficient AML/CFT measures have been taken, or which does not engage in international AML/CFT cooperation, an Employee must obtain permission for that from the management who decides whether it is practical to establish the Business Relationship and gives instructions for monitoring further Business Relationship with the person.
   16. Before establishing a Business Relationship with a legal person whose activities, persons with the right of representation or beneficial owners are subject to a prior suspicion that the aforementioned persons may be involved in money laundering or terrorist financing, an Employee must obtain permission for that from the management who decides whether it is practical to establish the Business Relationship and gives the Employee instructions for monitoring further customer relationship with the person.
   17. It is advisable to establish the Customer’s identity in the case of a cash transaction of less than 10,000 euros if:
       1. the documents or data, which have been collected earlier in the course of establishing identity and verifying the submitted information or updating corresponding data, are insufficient or a suspicion arises that they are not true;
       2. a reasonable suspicion arises that the money or property used in the Transaction have/has been derived from crime.
   18. An Employee is required to ask for additional data if not all the Customer’s personal data can be identified on the basis of the submitted documents and, if possible, verify the data through third parties or databases.
   19. Lists of the persons suspected of terrorist financing can be verified on the website of the Financial Intelligence Unit at https://www2.politsei.ee/et/organisatsioon/rahapesu/finantssanktsiooni-subjekti-otsing-ja-muudatused-sanktsioonide-nimekirjas/ in the ‘International financial sanctions’ subsection.
6. Implementation of simplified due diligence measures
   1. An Employee of the Private Limited Company applies simplified due diligence measures if the risk of money laundering or terrorist financing related to the Customer or Transaction is low.
   2. A condition for applying simplified due diligence measures is that the Transaction does not allow for anonymity and in the course of it an Employee of the Private Limited Company can immediately apply the due diligence measures specified in the Rules of Procedure (establishment of identity and identification of beneficial owners, identification of the purpose and nature of the Business Relationship and Transaction, constant monitoring of the Business Relationship) if a suspicion of money laundering or terrorist financing arises.
   3. Simplified due diligence measures are not applied if:
      1. any suspicion of money laundering or terrorist financing has arisen in any stage of communicating with the Customer;
      2. it appears from the publicly available information that the risk of money laundering or terrorist financing related to the Customer or Transaction is not low.
   4. The Customer’s identity may be established pursuant to simplified procedure if the risk assessment has identified that this constitutes a situation of a lower-than-usual risk of money laundering or terrorist financing.
   5. A factor reducing risks relating to the Customer type can be deemed to be a situation where the Customer is:
      1. a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
      2. a legal person governed by public law and established in Estonia;
      3. a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
      4. an institution of the European Union;
      5. a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area or a third country, which in its country of location is subject to requirements equivalent to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
      6. a company of a contracting state of the European Economic Area or a third country, in respect of which AML/CFT systems are efficiently implemented and the securities issued by which are traded on a regulated securities market in one or several contracting state(s) of the European Economic Area;
      7. a person who is a resident of a country or geographic area having the characteristics specified in clause 7.6.
   6. A factor reducing geographic risks is deemed to be a situation where the Customer is from or their place of residence or seat is in a following country:
      1. a contracting state of the European Economic Area;
      2. a third country that has effective AML/CFT systems;
      3. a third country where, according to reliable sources, the level of corruption and other criminal activity is low;
      4. a third country where, according to reliable sources such as mutual evaluations, reports or published follow-up reports, AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force have been established and where the requirements are effectively implemented.
   7. Upon implementing simplified procedure when establishing the identity of the Customer or the Customer’s representative and their right of representation as well as verifying the submitted information, the identity of the Customer or their representative may also be verified on the basis of information obtained from a reliable and independent source at the time of establishing a Business Relationship if this is necessary in order not to disturb the ordinary course of business activities. In such a case the verification of identity must be completed as soon as possible and before the performance of binding acts.
   8. Upon identifying the beneficial owner, establishing their identity, collecting information about the Business Relationship and gathering information on whether the person is a politically exposed person, their family member or a person known to be a close associate, an Employee may, when implementing simplified procedure, choose the scope of performing their obligation and the need to verify the source of information and the data used for that purpose from a reliable and independent source.
   9. Simplified procedure may be implemented upon monitoring a Business Relationship if a factor characterising a lower risk has been identified and at least the following conditions are met:
      1. a long-term contract has been entered into with the Customer in writing, electronically or in a format that can be reproduced in writing;
      2. the Private Limited Company receives payments in the framework of the Business Relationship only via an account held in a credit institution entered in the Commercial Register in Estonia or in a branch of a foreign credit institution or in a credit institution established or having its place of business in a contracting state of the European Economic Area or in a country that applies requirements equivalent to those of Directive (EU) 2015/849 of the European Parliament and of the Council;
      3. the total value of incoming or outgoing payments of Transactions made in the Business Relationship does not exceed 15,000 euros per year.
   10. Simplified due diligence measures may not be applied if a suspicion of money laundering or terrorist financing has arisen.
7. Implementation of enhanced due diligence measures
   1. An Employee of the Private Limited Company applies enhanced due diligence measures if such factors exist that refer to a higher-than-usual risk of money laundering or terrorist financing related to the Customer or Transaction.
   2. Enhanced due diligence measures are implemented always when:
      1. an Employee suspects money laundering or terrorist financing;
      2. a suspicion has arisen, upon the establishment of identity or verification of submitted information, regarding the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner;
      3. the Customer is a politically exposed person, except for a local politically exposed person, their family member or a close associate;
      4. the Customer is from a high-risk third country or their place of residence or seat is in a high-risk third country;
      5. the Customer is from such a country or territory or their place of residence or seat is in a country or territory that, according to reliable sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the Financial Action Task Force, or that is considered a low tax rate territory.
   3. In the case specified in clause 8.2, an Employee must apply at least one of the following enhanced due diligence measures:
      1. verification of information additionally submitted upon the establishment of identity based on additional documents, data or information originating from a reliable and independent source;
      2. collecting additional information on the purpose and nature of the Business Relationship or Transaction and verifying the submitted information based on additional documents, data or information originating from a reliable and independent source, including requesting notarial or official certification of the submitted documents;
      3. collecting additional information and documents regarding the actual execution of Transactions to be made in the Business Relationship, among other things regarding the beneficial owner, in order to rule out the ostensibility of the Transactions;
      4. collecting additional information and documents for the purpose of identifying the source and origin of the funds used in a Transaction made in the Business Relationship, in order to rule out the ostensibility of the Transactions;
      5. the application of due diligence measures regarding the Person or their representative while being at the same place as the Person or their representative.
   4. If such circumstances exist that provide a basis for the implementation of enhanced due diligence measures, the Business Relationship will be monitored at least once within six months. If enhanced due diligence measures have been implemented upon the establishment of a Business Relationship, the Customer’s risk profile will be reassessed no later than six months after the establishment of the Business Relationship.
   5. If the Customer operates in a high-risk third country, the following due diligence measures will be implemented:
      1. gathering additional information on the Customer and their beneficial owner;
      2. gathering additional information on the planned substance of the Business Relationship;
      3. gathering information on the origin of the funds and wealth of the Customer and their beneficial owner;
      4. gathering information on the underlying reasons of planned or executed Transactions;
      5. receiving permission from the senior management to establish or continue a Business Relationship;
      6. improving the monitoring of a Business Relationship by increasing the number and frequency of the applicable control measures and by choosing Transaction indicators that are additionally verified;
      7. making a payment by the Customer from an account held in the Customer’s name in a credit institution of a contracting state of the European Economic Area or of a third country that implements requirements equivalent to those of Directive (EU) 2015/849 of the European Parliament and of the Council.
8. Establishment of identity and verification of data using information technology means
   1. Identity may be established and data may be verified with the help of information technology means if:
      1. a Business Relationship is established with an e-resident or a Person from a country outside of the European Economic Area or whose place of residence or seat is in such a country and if the due diligence measures are not applied while being physically in the same place as the person or their representative.
      2. a Business Relationship is established with a person from a contracting state of the European Economic Area or whose place of residence or seat is in such a country and whose total sum of outgoing payments relating to a Transaction exceeds in the case of a Customer who is a natural person 15,000 euros per calendar month or, in the case of a Customer who is a legal person, 25,000 euros per calendar month, and if the due diligence measures are not applied while being physically in the same place as the person or their representative.
   2. A document issued by the Republic of Estonia for digital identification of a person or another e-identification system with assurance level ‘high’ is used for the establishment of identity and verification of data with the help of information technology means. Where a person is a foreign national, the identity document issued by the competent authority of the foreign country must also be used for the establishment of identity and verification of data in addition to the aforementioned means.
   3. Additionally, information originating from a reliable and independent source is used for the establishment of identity and verification of data. To establish the identity of an e-resident and verify data, an Employee has the right to use the personal identification data entered in the database of identity documents.
   4. In addition, personal identification systems provided by third independent parties (Shufti Pro – https://shuftipro.com/ /) are also used.
9. Establishment of identity of natural person
   1. The documents used for the establishment and verification of the identity of a natural person must be in compliance with the following requirements:
      1. it must be an original document, a copy authenticated by a notary or certified by a notary or officially or other information originating from a reliable and independent source, including information obtained via e-identification and trust services of e-transactions, using at least two different sources to verify the data in such a case. Upon transmitting an electronic copy, the file must be in .jpg, .png or .pdf format;
      2. the document must set out the following data of the natural person unless otherwise provided by law:
         - first names and surnames;
         - personal identification code or, if none, the date and place of birth;
         - the name and number of the document, the date of issue of the document and the name of the authority that issued the document, the term of validity of the document;
         - a photograph, facial image;
         - signature or image of signature;
         - the document must be valid.
         
   2. The following valid documents may be used for the establishment of the identity of a natural person:
      1. an identity card (ID card) issued by state authorities of Estonia;
      2. an ID card of a citizen of the European Union;
      3. an Estonian citizen’s passport;
      4. a passport of a citizen of a foreign country (internal passports of the Ukraine and the Russian Federation are not acceptable);
      5. a diplomatic passport;
      6. a seafarer’s discharge book;
      7. an alien’s passport;
      8. a certificate of record of service on ships;
      9. a certificate of return;
      10. a permit of return;
      11. a driving licence issued in the Republic of Estonia;
      12. a driving licence issued in a foreign country if the user’s name, photograph or facial image, signature or image of signature and date of birth or personal identification code have been indicated on the document;
      13. a valid travel document issued in a foreign country;
      14. a photograph that is submitted with the identity document and has been taken of the Person holding in their hand the identity document that is open on the photograph page of the document.
   3. Upon the establishment of identity, an Employee must assess the authenticity of the submitted document according to the following circumstances:
      1. the validity of the document and its compliance with the requirements of the Identity Documents Act;
      2. the person’s appearance and age match the person depicted in the document photograph and the data included in the document.
   4. For retention purposes, a copy is made of the pages of the identity document submitted for the establishment of identity and containing personal data or entries and a photograph. In addition, based on the information obtained from the person, an Employee registers the following personal data in writing:
      1. the name, actual place of residence or seat and the profession or field of activity of the natural person;
      2. personal identification code or, if none, the date and place of birth;
      3. the name, number and date of issue of the document used upon the establishment and verification of identity, and the name of the authority that issued the document;
      4. information on the identification and verification of the right of representation and scope thereof, and the name and date of issue of the document serving as a basis for the right of representation, and the name of the issuer of the document
   5. If the Customer participating in a Transaction is a natural person of another contracting state of the European Economic Area or a third country, an Employee registers information about whether the person is a politically exposed person for the purposes of clauses 3 11) to 14) of the MLTFPA.
   6. The aforementioned requirements for the establishment of identity are also in effect upon the identification of a person with restricted active legal capacity or a minor person, a representative of a natural person, (a) member(s) of a civil law partnership and representatives thereof and a non-resident natural person as well as upon the identification and specification of a representative of a person without active legal capacity. A representative of a Person must also submit a document certifying the right of representation that sets out the basis for as well as the scope and term of validity of the right of representation.
   7. The aforementioned requirements for the establishment of identity are also in effect upon the identification of the natural persons acting on behalf or on the account of a legal person and having the right to dispose of the funds of the legal person as well as upon the establishment of the identity and specification of members of a civil law partnership or representatives thereof. A representative must be able to provide exhaustive responses to questions concerning the activities of the legal person and the origin of the property.
   8. Upon making Transactions with a politically exposed person of another Member State and a third country, an Employee follows the provisions of § 41 of the MLTFPA.
10. Establishment of identity of legal person
    1. The identity of a legal person is established and verified on the basis of the following documents:
       1. the registry card of the relevant register;
       2. the registration certificate of the relevant register; or
       3. another equivalent document.
    2. If it is not possible to submit the original document specified in clause 11.1, the identity can be verified on the basis of a document, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a reliable and independent source, including means of e-identification and trust services of e-transactions, using at least two different sources for the verification of data in such a case. Upon transmitting an electronic copy, the file must be in .jpg, .png or .pdf format.
    3. The document specified in clause 11.1 may not be older than 30 days.
    4. In order to identify the right of representation of a representative of a legal person, the power of attorney issued to the representative by the legal person is submitted if the right of representation is not set out in the documents specified in clause 11.1.
    5. If a legal person has been established or operates in a country that is not a contracting state of the European Economic Area or where no requirements equivalent to those provided by the MLTFPA have been established, the document certifying the right of representation of the representative of the legal person must be in compliance with the following requirements:
       1. the document must set out the basis for the right of representation (for example, reference to a resolution of a competent body of the person, reference to a specific provision of a legal act);
       2. the document must set out the scope of the right of representation (e.g. whether it has been issued for making a single Transaction or repeated Transactions during a certain period, the amount to the extent of which the person may make Transactions, etc.);
       3. the document must set out its term of validity;
       4. if it is a written document, it must have been signed by hand by the principal or their representative.
    6. An Employee registers the following data on the basis of the documents specified in clause 11.1 or, if the documents do not set out the relevant data, on the basis of the information obtained from the representative of the legal person participating in the Transaction:
       1. the existence of passive legal capacity;
       2. the name or business name, area of activity, seat and address of the legal person;
       3. the registry code or registration number of the legal person, date of the register entry, and name and location of the register;
       4. the date of issue of the document and the name of the authority that issued the document;
       5. the names, places of residence and personal identification codes (if any) of the director or members of the management board or other body replacing it, and their authorisation in representing the legal person;
       6. the names of the beneficial owners of the legal person;
       7. the legal form, field of activity and operation profile of the legal person;
       8. members of managing bodies and representatives of the legal person;
       9. in the case of a representative of the legal person, the basis for as well as the scope and term of validity of their authorisation, while the authorisation must be authenticated by a notary, legalised or apostilled;
       10. permanent business establishments in a third country, major business partners and payment patterns;
       11. the details of the means of communication of the legal person.
    7. In order to ascertain the Customer’s field of activity and operation profile, the following circumstances are established:
       1. the purpose of entry into a Business Relationship or Transaction;
       2. the legal form and field of activity of the person;
       3. whether the Customer is a politically exposed person;
       4. whether activities take place via a representative of the legal person;
       5. permanent business establishments of the legal person in a third country, major business partners and payment patterns;
       6. the person’s residency, including whether the person is registered in a low tax rate area;
       7. circumstances arising from previous communication with the Customer, their partners, owners, representatives and other similar persons (for example, suspicious Transactions identified in the course of an earlier Business Relationship);
       8. the duration of activities, nature of business relationships.
       9. To find out the operation profile and purposes of a legal person, other credible data may also be relied on in addition to public databases or information published by state and supervisory authorities.
       10. If the documents submitted by the representative of the legal person or the other submitted documents do not set out the data specified in clause 11.7, the relevant data (including data about being a member of a group and the ownership and management structure of the group) are registered on the basis of the statements of the representative of the legal person or the document written or signed by hand by the representative of the legal person.
       11. If an Employee has a suspicion that the person’s activities indicate money laundering or terrorist financing, they will ask the Customer additional information about the origin of the money or property used in the Transaction.
    8. Upon the identification of a legal person, additional information must be requested about the other shareholders, partners and other persons who exercise control or other significant influence over the activities of the legal person.
    9. If there is information that a politically exposed person from another contracting state of the European Economic Area or a third country may be related to the Customer participating in the Transaction, information about whether the person is a politically exposed person for the purposes of clauses 3 11) to 14) of the MLTFPA must also be registered on the basis of the information obtained from the representative of the legal person in addition to the data specified in clause 10.7.
    10. The requirements for the establishment of identity as specified above are also in effect upon the identification and specification of a legal person whose seat is in another contracting state of the European Economic Area or a third country where requirements equivalent to the MLTFPA are in effect. Upon the identification of non-resident legal persons, an Employee must fulfil requirements similar to the establishment of the identity of resident Customers within as large a scope as possible, taking into account the specificities arising from the country of location and legal form of the non-resident Customer.
    11. A representative of a legal person of a foreign country must submit, at the request of an Employee of the Private Limited Company, a document that proves their authorisation and has been certified by a notary or in an equivalent manner and that has been legalised or certified with a certificate that replaces legalisation (Apostille), unless otherwise provided by an international agreement.
    12. An Employee of the Private Limited Company may request the submission of a legalised or certified document provided with a certificate that replaces legalisation if:
        1. it is not possible to use the publicly available information sources specified in clause 13.3 of the Rules of Procedure for verifying the authorisation and competence of a person;
        2. an Employee of the Private Limited Company suspects that the authorisation of the representative of a legal person of a foreign country may not be true or valid;
        3. the activities of a legal person or their representative refer to money laundering or terrorist financing;
        4. the person is a legal person of a foreign country or their representative that does not take sufficient measures for the prevention of money laundering and terrorist financing or this country does not cooperate internationally in the field of preventing money laundering and terrorist financing or if the territory is a low tax rate area.
11. Identification of beneficial owner
    1. The beneficial owner is identified using the information obtained from the representative of a legal person.
    2. An Employee analyses the documents submitted by the representative of the legal person and, if necessary, asks for additional documents and data for the purpose of establishing the beneficial owner(s) of the legal person.
    3. If the Employee has a suspicion as to whether the relevant information is correct or complete, they verify the submitted information against publicly available sources and request additional information from the Customer, if necessary.
    4. If the documents establishing the identity of the legal person or the other submitted documents do not indicate directly who the beneficial owner of the legal person is, the relevant data (including data about being a member of a group and the ownership and management structure of the group) are registered on the basis of the statements of the representative of the legal person or the document written by hand by the representative of the legal person.
    5. Upon the identification of the beneficial owner, attention must be paid, above all, to companies established in low tax rate areas, because it is not always abundantly clear whether they have passive legal capacity.
    6. If another legal person has control over the legal person complying with the definition of a beneficial owner, the Employee must assess the person’s or Customer’s risk and, based on that, collect data about other legal persons related to the person in order to identify the beneficial owner.
    7. In the cases where the beneficial owners of a legal person, civil law partnership or another contractual legal arrangement, such as a fund or trust fund, must already be defined and therefore it is not possible to establish the persons of the beneficial owner, it is sufficient to identify the circle of persons who may benefit from the fund or trust fund. This requirement does not include the identification of private individuals within this circle of persons.
12. Gathering information on the purpose and nature of the business relationship and transaction
    1. Gathering information on the nature of the Customer’s activities as well as the purpose and nature of the Transactions involves the establishment of the following circumstances:
       1. the legal form and field of activity of the person;
       2. whether the Customer is a politically exposed person;
       3. whether activities take place via a representative of the legal person;
       4. the person’s residency, including whether the person is registered in a low tax rate area;
       5. the possibility to qualify the Customer as a typical customer of a certain customer category;
       6. circumstances arising from previous communication with the Customer, their partners, owners, representatives and other similar persons
       7. (for example, suspicious Transactions identified in the course of an earlier Business Relationship);
       8. the origin of the virtual currency used in the Transaction;
       9. the duration of activities, nature of Business Relationships, justification for the need for cash.
    2. If the documents submitted by the representative of the legal person or the other submitted documents do not set out the circumstances specified in clause 13.1, the relevant data (including data about being a member of a group and the ownership and management structure of the group) are registered on the basis of the statements of the representative of the legal person or the document written by hand by the representative of the legal person.
    3. An Employee gathers information from the following publicly available sources:
       1. documents of the Customer or their representative, including documents prepared by them or completed by them in the presence of a representative of the Private Limited Company;
       2. identity documents of the Customer or their representative and documents certifying the right of representation;
       3. documents submitted by the Customer or their representative;
       4. state registers and other similar public databases (Commercial Register, non-profit associations and foundations register, population register, criminal records database, Ametlikud Teadaanded publication, land register, register of economic activities, etc.);
       5. reliable and independent private databases (Krediidiinfo, WorldCheck, GBG, databases of credit institutions, etc.);
       6. the European Union and other recognised international organisations and the data available on their website;
       7. state authorities and foreign missions of the Republic of Estonia and missions of foreign countries in the Republic of Estonia;
       8. data available on the website of state and local government, on the condition that requirements equivalent to those provided by MLTFPA are valid in this country;
       9. information published by state and supervisory authorities;
       10. data available on the website of a publicly traded company;
       11. search engines (for example, google.com, etc.).
    4. An Employee may also rely on other data, but these must be reliable and verifiable. If this may reasonably contribute to making sure of the reliability of the data, the Employee contacts the source of the data either by e-mail or telephone and asks about the details of the origin, collection method, time at which the data were created and other material information that could help the Employee of the Private Limited Company fulfil their obligations upon establishing identity. The Employee must thereby make every effort to keep the fact of collecting data about the Customer confidential.
    5. In the event of foreign-language documents, the Employee has the right to demand the documents to be translated into Estonian, English or Russian, certified by a sworn translator or a notary. The Private Limited Company does not compensate the costs, including translation costs, notary fees, etc., incurred by the Customer for certifying identity and the right of representation.
13. Making Transactions
    1. Upon making a Transaction with the personal presence of the Customer in the office of the Private Limited Company, the Customer must, at the request of the Employee, confirm the submitted orders by their signature.
    2. Upon making a Transaction using means of communication (telephone, Skype, Customer Environment), the Customer’s identity must be established on the basis of an oral or electronic code given to the Customer upon the establishment of a Business Relationship. Upon making a Transaction:
       1. via the Customer Environment on the basis of the user name and password that the Customer uses for secure logging in to the Customer Environment;
       2. by Skype or telephone on the basis of the password that the Customer uses for confirming the orders given to the Private Limited Company by Skype or telephone.
       3. An Employee registers the following data about each Transaction:
       4. the date or period of making the Transaction;
       5. the description of the substance of the Transaction;
       6. the amount of the Transaction;
       7. the currency of the Transaction;
       8. the bank account numbers.
    3. An Employee registers the following data about each Transaction:
       1. the date or period of making the Transaction;
       2. the description of the substance of the Transaction;
       3. the amount of the Transaction;
       4. the currency of the Transaction;
       5. the bank account numbers.
14. Constant monitoring of Customer’s Business Relationship
    1. An Employee must constantly assess the Transactions executed in the course of a Business Relationship in order to understand the purposes of the Customer’s Transactions and the Customer’s business and risk profile. If the Customer executes a Transaction that is unusual compared to the previous known Transactions or a Transaction in the case of which the source and origin of the funds used in the Transaction are not known, the Employee requests information from the Customer about the source and origin of the funds used in the Transaction.
    2. An Employee must verify the data collected upon establishing identity and in the course of applying due diligence measures. If information about changes in the personal data of the Customer becomes known or if more than one year has passed from the last Transaction, the Employee will establish the Customer’s identity again.
    3. An employee must assess and pay more attention to Transactions made in the Business Relationship, the activities of the Customer and the circumstances that refer to a criminal activity, money laundering or terrorist financing or that are likely to be linked with money laundering or terrorist financing, including to complex, high-value and unusual Transactions and transaction patterns that have no reasonable or visible economic or lawful purpose or that are not characteristic of the given business specifics. The Employee finds out the nature, reason and background of the Transactions described before.
15. Registration, verification and retention of data
    1. Upon the registration of data, an Employee notifies the Customer of processing personal data for AML/CFT purposes. The data are processed applying all the personal data protection rules.
    2. The Employee or the software used by the Private Limited company registers in respect of the Customer the number as well as the date and place of issue of the document used upon establishing the Customer’s identity.
    3. The Employee or the software used by the Private Limited Company registers the following data in respect of the Transaction to be executed:
       1. the person that submitted the order;
       2. the description of the substance of the Transaction;
       3. upon the establishment of a customer relationship, the object of the customer agreement;
       4. the date or period of making the Transaction.
    4. If an Employee has a suspicion that the Customer’s activities indicate money laundering or terrorist financing, they will ask the Customer additional information about the origin of the money or property used in the Transaction.
    5. If necessary and in the case of a suspicion, the accuracy of the documents or data submitted for the establishment of identity may be verified using the databases of third parties or the accuracy of the data may be verified via third parties (for example, state registers, supervisory authorities, credit institutions, foreign missions of the Republic of Estonia, missions of foreign countries in the Republic of Estonia, etc.).
    6. All the data to be collected about Customers are systematised into folders located on data media in such a manner as they have initially been saved, i.e. a separate electronic folder has been prepared for each Customer. The backup of electronic data media takes place in accordance with the internal procedure for movement of information and documents. In order to retain the original documents submitted on paper, an Employee of the Private Limited Company prepares a separate physical file about each Customer. All the documents in respect of which an Employee of the Private Limited Company is required to make a copy are included in the electronic folder. A copy is made of original documents, which is retained in the electronic folder, and the original is added to the physical file prepared in respect of the Customer if the retention of the original is required in accordance with the requirements arising from the Rules of Procedure and legal acts.
    7. The Private Limited Company must retain, either in the physical file kept in respect of the Customer or in a folder on an electronic data media, for at least five years the following data:
       1. information on a suspicion or knowledge of money laundering or terrorist financing;
       2. a detailed description of suspicious or unusual Transactions, related parties, date and place of the Transaction;
       3. information on refusing to establish a Business Relationship or make a Transaction or on continuing or terminating the execution thereof;
       4. information according to which it is not possible, by using information technology means, to establish or verify the identity of the Customer, the identity of the Customer’s representative, the beneficial owner or their identity, or the fact of whether the person is a politically exposed person, their family member or a person known to be a close associate, or to perform monitoring the Business Relationship;
       5. information on refusing to establish a Business Relationship or execute a Transaction at the person’s initiative if this arose from the submission of the data or documents requested by an Employee of the Private Limited Company;
       6. information on the circumstances of termination of a Business Relationship in connection with the impossibility of application of the due diligence measures;
       7. upon making Transactions with a representative of a civil law partnership, community or another association of persons that does not have the status of a legal person, trust fund or trustee, the fact that the person has such a status, and an extract of the registry card from the register or a certificate from the registrar of the register where the association of persons that does not have the status of a legal person has been registered.
    8. The Private Limited Company is required to retain copies and, if necessary, also originals, of identity documents and other documents serving as a basis for the establishment of the identity of a natural or legal person, documents serving as a basis for the establishment of a Business Relationship, and other data on any data medium that allows for exhaustively and immediately replying to enquiries made by the Financial Intelligence Unit or, in accordance with legal acts, by other investigative bodies or courts for at least five years after the end of the Business Relationship.
    9. The Private Limited Company retains, for at least five years after the end of the business relationship, all the correspondence related to the performance of the obligations arising from the Rules of Procedure and the MLTFPA as well as all the data and documents collected in the course of monitoring the Business Relationship, and data of suspicious or unusual Transactions or circumstances of which the Financial Intelligence Unit was not notified.
    10. If the Customer’s identity has been established on the basis of an enquiry made to a database belonging to the state information system or using other information technology means, the Private Limited Company retains information about making the electronic enquiry and the audio and video recording of the procedure for the establishment and verification of identity for five years after the end of the Business Relationship or execution of the Transaction.
    11. The data and documents collected by the Private Limited Company must allow for immediate written reproduction of the following:
        1. a copy made of the personal data and photograph page of the identity document presented for the establishment of identity;
        2. the data registered in respect of a Customer who is a natural or legal person upon establishing a Business Relationship or making a Transaction;
        3. other data collected upon the establishment of identity with a reference to whether the data were collected for establishing a Business Relationship or using another service;
        4. the name and position of the Employee, who established identity, or verified or updated the data;
        5. - data on the Transaction:
           - the person that submitted the order;
           - the date of submitting the order;
           - the person who transferred the funds for executing the order;
           - the method of receipt of funds (by transfer, in cash, etc.).
    12. After the expiry of the term specified in this clause, the Private Limited Company will delete the retained data unless otherwise provided by the legal acts in effect.
16. Updating Customer data and documents
    1. An Employee is required to update the data used upon the establishment of identity at least once a year.
    2. An Employee must immediately update the data related to the Customer if the data concerning the Customer’s Transactions reveal that significant changes have taken place in the Customer’s risk profile, field of activity or volumes of activity.
    3. Upon updating the data, the following must be registered in a format that can later be reproduced in writing:
       1. the manner, time and place of updating the data and documents;
       2. the name and position of the Employee, who updated the data.
    4. The same sources may be used for updating the data that are generally used for the establishment of identity upon establishing a Business Relationship or making Transactions.
    5. Updated data must have been made available to all the structural units providing services to Customers no later than on the next working day after updating the data.
    6. An Employee may, in order to perform their obligations, request necessary documents and data directly from the Customer and, if necessary, verify the data via third parties or their databases (for example, state registers, supervisory authorities, credit institutions, foreign missions of the Republic of Estonia, missions of foreign countries in the Republic of Estonia, etc.).
    7. Data may be updated using the data obtained from the Customer, public databases, a credit institution entered in the Commercial Register of Estonia or a branch of a foreign credit institution or a credit institution that is registered or whose place of business is in a contracting state of the European Economic Area or a third country where requirements equivalent to those provided by the MLTFPA are in effect.
    8. If the data used for the establishment of a Customer’s identity could not be verified within a reasonable period of time or if a reasonable suspicion has arisen that the activities of the person have been terminated, the Business Relationship with such a Customer may be terminated.
17. Refusal to establish business relationship and termination of business relationship
    1. The Private Limited Company has the right to refuse to establish a Business Relationship if:
       1. it is not possible to establish the identity of the Person;
       2. it is not possible to verify the submitted information based on information obtained from a reliable and independent source;
       3. it is not possible to establish the identity of the representative of the Person;
       4. it is not possible to identify or verify the right of representation of the representative of the Person;
       5. it is not possible to identify the beneficial owner and establish their identity;
       6. the capital of the Person consists of bearer shares or other bearer securities;
       7. the Person does not submit documents and relevant information or data or documents proving the origin of the property constituting the object of the Transaction or if, based on the submitted data and documents, a suspicion of money laundering or terrorist financing or the commission of related criminal offences or an attempt of such activity arises;
       8. there is no permission from the management to establish the Business Relationship or make a Transaction;
       9. a party to a Transaction has been entered in the list of persons suspected of terrorist financing that has been published on the website of the Financial Intelligence Unit;
       10. a party to a Transaction has been entered in the ‘black’ list of the Financial Action Task Force (FATF);
       11. a suspicion of money laundering or terrorist financing has arisen.
    2. In the cases listed in the Rules of Procedure, the Private Limited Company has the right to extraordinary termination of a Business Relationship, by submitting to this end the Customer a declaration of cancellation of the Business Relationship at least in a format that can be reproduced in writing within seven days of learning of the respective circumstances.
    3. The Compliance Officer must immediately be notified of the refusal to establish a Business Relationship and of the extraordinary cancellation of the Business Relationship.
18. Postponement of Transaction
    1. If an Employee suspects or knows that money laundering or terrorist financing or related criminal offences are being committed or if a Transaction is related to a subject of an international financial sanction, the execution of the Transaction must be postponed until a notice has been submitted to the Financial Intelligence Unit. If the postponement of the Transaction may cause considerable harm, it is not possible to omit the transaction or it may impede capture of the person who committed possible money laundering or terrorist financing, the Transaction will be made and a notice will be submitted the Financial Intelligence Unit thereafter.
    2. An Employee postpones the execution of a Transaction if the permission of the management board of the Private Limited Company is needed for the execution of the Transaction.
    3. To decide on the postponement of a Transaction, the Employee engaged with a respective Transaction consults the Compliance Officer, if possible. If the Compliance Officer finds that the Transaction must be postponed, the Employee may not continue the execution of the Transaction.
19. Transactions with politically exposed person
    1. If the Customer or beneficial owner is a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person, the following due diligence measures are implemented in addition to the usual due diligence measures:
       1. prior approval from the senior management is needed to establish or continue a Business Relationship with the Person;
       2. the origin of the wealth of the Person and the sources of the funds that are used in the Business Relationship are established;
       3. the Business Relationship is monitored in an enhanced manner.
    2. Where a politically exposed person no longer performs important public functions placed upon them, such risks must be taken into account at least within 12 months that remain related to the person and relevant and risk sensitivity-based measures are implemented as long as it is certain that the risks characteristic of politically exposed persons no longer exist in the case of the Customer.
    3. The application of the due diligence measures specified in this cause in respect of a local politically exposed person, their family member or a person known to be their close associate is not necessary if there are no other factors that refer to a higher-than-usual risk.
20. Notification obligation in case of suspicion of money laundering and terrorist financing and informing management
    1. The Financial Intelligence Unit must be notified of each Transaction whereby a pecuniary obligation of over 32,000 euros or an equivalent amount in another currency is performed in cash, regardless of whether the Transaction is made in a single payment or in several linked payments over a period of up to one year. In respect of the characteristics of Transactions suspected of money laundering, an Employee may notify the Compliance Officer already in the case of a cash transaction exceeding 20,000 euros.
    2. Where an Employee identifies in the course of economic activities an activity or facts whose characteristics refer to the use of profit derived from criminal activity, to terrorist financing or to the commission of related criminal offences or to an attempt thereof or with regard to which the Employee suspects or knows that it constitutes money laundering or terrorist financing or the commission of related criminal offences, the Employee is required to immediately notify the Compliance Officer thereof, who will notify immediately, but not later than within two working days after identifying the activity or facts or after the arousal of the suspicion, the management board of the Private Limited Company and the Financial Intelligence Unit. In such a case, the amount of the sum of money and its payment method are not important.
    3. The Financial Intelligence Unit must also be notified of an extraordinary termination of a Business Relationship or if the Private Limited Company refuses to make a Transaction on the grounds for refusal provided by the Rules of Procedure.
    4. A notice is submitted to the Financial Intelligence Unit on a web-based electronic form that can be found on the website of the Financial Intelligence Unit (https://www2.politsei.ee/et/organisatsioon/rahapesu/saada-teade.dot). If this is not possible, the notice is transmitted in any format or form that can be reproduced (including orally). The data used for establishing the identity of the Customer and verifying the submitted information and, if available, copies of the documents are appended to the notice.
    5. The contact details of the Financial Intelligence Unit are as follows:
       postal address: Tööstuse 51, 10416 Tallinn
       e-mail: rahapesu@politsei.ee
       telephone: +372 612 3840
    6. The Person in respect of whom a notice has been sent to the Financial Intelligence Unit may not be informed thereof. Such an action is punishable pursuant to misdemeanour procedure.
    7. The notification obligation is performed on behalf of the Private Limited Company by the Compliance Officer. The Compliance Officer is appointed by the management board of the Private Limited Company.
21. Compliance with precept issued by Financial Intelligence Unit
    1. In the case of a precept issued by the Financial Intelligence Unit, the Private Limited Company is required, in accordance with the content of the precept, to:
       1. suspend a Transaction, i.e. not execute the Customer’s order or, if the order has been accepted for execution, suspend its execution until the expiry of the term specified in the precept or until receiving additional instructions from the Financial Intelligence Unit;
       2. ensure that the restriction established by the Financial Intelligence Unit on the disposal of the property constituting the object of the Transaction is complied with for up to 90 calendar days as of the delivery the precept, including, if necessary, keep the respective property in a bank account of the Private Limited Company separately prescribed to this end and make sure that the property is not seized or transferred in enforcement or bankruptcy proceedings;
       3. apply, if necessary, for a written permission from the Financial Intelligence Unit for derogating from the restriction on disposal in order to make a Transaction within the term specified in previous clause;
       4. submit information, including information subject to banking or business secrecy, within the time limit set in the precept in writing or in a format that can be reproduced in writing.
22. Implementation of international sanction
    1. The Private Limited Company is a person having specific obligations for the purposes of the ISA.
    2. Upon entry into force of a legal act on the imposition or implementation of an international financial sanction, Employees of the Private Limited Company take measures to perform the obligations arising therefrom and demonstrate due diligence to ensure that the purpose of the international financial sanction is achieved and the breach of a sanction is avoided.
    3. Upon entry into a Business Relationship, an Employee agrees to identify whether the Customer is a subject of an international financial sanction, using to this end public databases and the website of the Financial Intelligence Unit (https://www2.politsei.ee/et/organisatsioon/rahapesu/finantssanktsiooni-subjekti-otsing-ja-muudatused-sanktsioonide-nimekirjas/).
    4. If an Employee suspects or knows that a person who is in a Business Relationship or makes a Transaction with the Private Limited Company as well as a person intending to establish a Business Relationship or make a Transaction with the Private Limited Company is a subject of an international financial sanction, the Employee will immediately notify the Compliance Officer of the identification of a subject of an international financial sanction, of a respective suspicion, and of the measures taken and the Compliance Officer will immediately notify the Financial Intelligence Unit and the management board of the Private Limited Company thereof.
    5. Upon providing the Service, an Employee pays special attention to the activities of a person who is in a Business Relationship or makes a Transaction with the Private Limited Company and to the activities of a Person who intends to establish a Business Relationship or make a Transaction with the Private Limited Company as well as to the circumstances that refer the possibility that the Person is a subject of an international financial sanction.
    6. An Employee establishing a Business Relationship must regularly monitor the website of the Financial Intelligence Unit and immediately take the measures provided by a legal act imposing or implementing an international financial sanction to ensure that the purpose of the international financial sanction is achieved and to avoid breaches of the international financial sanction.
    7. Upon entry into force, amendment, repeal or expiry of a legal act imposing or implementing an international financial sanction, an Employee verifies whether the Customer or the Person is a subject of an international financial sanction in respect of whom the financial sanction is imposed, amended or terminated. The Employee collects and retains the following data when performing this obligation:
       1. the time of the verification;
       2. the name of the person who performed the verification;
       3. the results of the verification;
       4. the measures taken.
    8. If the Employee doubts whether the Customer or Person is a subject of an international financial sanction, they will notify the Compliance Officer and ask for additional information from the aforementioned person in order to make it sure.
    9. If the Customer or Person refuses to provide additional information or it is impossible to identify by means thereof whether the person is a subject of an international financial sanction, the Employee will refuse to establish a Business Relationship or make a Transaction, take the measures provided by the legal act imposing or implementing the international financial sanction and immediately notify the Compliance Officer of their doubt and of taking measures and the latter will, in turn, notify the management board of the Private Limited Company and the Financial Intelligence Unit.
    10. If the legal act imposing or implementing an international financial sanction is repealed, expires or is amended in such a manner that the implementation of the international financial sanction in respect of the subject of the international financial sanction is terminated fully or partially, the Private Limited Company will immediately terminate the implementation of the measure to the extent provided by the legal act amending the legal act that imposes or implements the international financial sanction.
23. Compliance Officer
    1. The Compliance Officer is appointed by the management board of the Private Limited Company with its resolution. If no compliance officer has been appointed, the obligations of the Compliance Officer are performed by the management board.
    2. The duties of the Compliance Officer include:
       1. organising the collection and analysis of information referring to unusual Transactions or Transactions or circumstances suspected of money laundering or terrorist financing, which become evident in the activities of the Private Limited Company;
       2. verifying compliance with the requirements for the prevention of money laundering and requirements of international financial sanctions;
       3. transmitting information to the Financial Intelligence Unit in the case of a suspicion of money laundering or terrorist financing or a suspicion of a subject of an international financial sanction;
       4. replying to enquiries made and complying with the precepts issued by the Financial Intelligence Unit;
       5. informing the management board in writing of shortcomings in complying with the internal control rules, Rules of Procedure and other legal acts;
       6. providing Employees of the Private Limited Company with (including organising) training in the prevention of money laundering and terrorist financing;
       7. instructing new Employees and introducing the Rules of Procedure to them within at least one week after entry into the employment contract.
    3. The Compliance Officer has the right to:
       1. verify Transactions and the execution thereof in accordance with the legal acts of the Republic of Estonia and the Rules of Procedure;
       2. verify the activities of the Private Limited Company in following the AML/CFT activities and application of international financial sanctions;
       3. make proposals to the management board of the Private Limited Company for amending and modifying the Rules of Procedure and organising regular training in the performance of the obligations arising from the MLTFPA for the Employees of the Private Limited Company whose official duties include establishing Business Relationships or making Transactions;
       4. request that the requirements set out in the Rules of Procedure be fulfilled and the breach thereof be immediately terminated if the circumstances of the breach of the requirements have become clear;
       5. obtain the data and information necessary for the performance of the duties of the Compliance Officer;
       6. organise, from time to time, tests the purpose of which is to check the knowledge of an Employee of the Private Limited Company in connection with that set out in the Rules of Procedure;
       7. receive training in the field.
    4. Upon performing their duties, the Compliance Officer is required to:
       1. respect the privacy of Employees;
       2. disturb the work of the Private Limited Company as little as possible;
       3. carry out tests the purpose of which is to check the knowledge of Employees in connection with that set out in the Rules of Procedure only within a reasonable scope.
    5. The Compliance Officer may transmit information or data that have come to their knowledge in connection with a suspicion of money laundering or a subject of an international financial sanction only to:
       1. the management board and an Employee appointed by the management board;
       2. the Financial Intelligence Unit;
       3. a preliminary investigation authority in connection with criminal proceedings;
       4. a court on the basis of a court order or judgment.
    6. In the case of a reasonable suspicion of money laundering or terrorist financing, the Compliance Officer informs the management board thereof and immediately transmits a notice to the Financial Intelligence Unit.
    7. The notice is transmitted to the Financial Intelligence Unit orally, in writing or via electronic means of communication. If a notice is transmitted orally, the Compliance Officer will repeat it in writing within no later than the next working day.
    8. Copies of the documents that serve as a basis for the Transaction as well as the data or a copy of the document used as a basis for the establishment of the identity of the person are appended to the completed notice form.
    9. The Compliance Officer transmits a notice to the Financial Intelligence Unit being guided by Regulation No. 42 of the Minister of the Interior of 27 November 2017 that provides the form of the notice to be submitted to the Financial Intelligence Unit and guidelines for completing thereof.
    10. The notices prepared by the Compliance Officer are kept, used and retained similarly to other information in accordance with the provisions of the Rules of Procedure.
24. Obligations of Employee
    1. An Employee must notify the Compliance Officer of all the cases of refusing to establish a Business Relationship, Transactions suspected of money laundering or unusual Transactions as well as cases of extraordinary cancellation of a Business Relationship.
    2. Where an Employee identifies activities or facts whose characteristics refer to money laundering or terrorist financing or with regard to which the Employee suspects or knows that it constitutes money laundering or terrorist financing, the Employee notifies the Compliance Officer thereof immediately. Upon identifying suspicious Transactions, the Employee relies, among other things, on the guidelines regarding the characteristics of Transactions suspected of money laundering as specified in § 56 of the MLTFPA and the guidelines regarding the transactions suspected of terrorist financing as issued by the Financial Intelligence Unit.
    3. In order to identify whether, in the light of the Customer’s behaviour thus far, the circumstance is a different yet explicable or rather a Transaction suspected of money laundering or terrorist financing, an Employee:
       1. analyses the circumstances that have become evident in respect of the Transaction(s), being guided by the advisory guidelines developed by the Financial Intelligence Unit and regarding the characteristics of Transactions suspected of money laundering and terrorist financing;
       2. verifies the origin of the property before a Transaction is executed at least if, in the light of the Business Relationship thus far, the Transaction is unusual and not explicable or refers to money laundering or terrorist financing;
       3. analyses, before notifying the Compliance Officer of the Transaction suspected of money laundering or terrorist financing, the content of the received information, taking into account the Customer’s current field of activity, payment habits and other known information.
    4. An Employee must notify the Compliance Officer, who must, in turn, notify the Financial Intelligence Unit and the management board of the Private Limited Company of each Transaction whereby a pecuniary obligation of over 32,000 euros or an equivalent amount in another currency is performed in cash, regardless of whether the Transaction is made in a single payment or in several linked payments over a period of up to one year. This notification obligation is amount-based and does not depend on whether the Employee had a suspicion of money laundering or not.

ANNEX 1 – Guidelines Regarding Characteristics of Transactions Suspected of Money Laundering
Suspicious transactions in the case of a suspicion of money laundering are the Customer’s transactions and operations that have no clear economic or legal reason and that cannot be regarded as the Customer’s ordinary economic activities.

Indicators of suspicious transactions in the case of transactions of more than 10,000 euros in cash:

1. the person cannot be identified or tries not to submit their identification data;
2. the person’s representative tries to conceal the actual party to the transaction or does not know their personal data;
3. the person tries to enter into a fictitious or another unlawful transaction;
4. upon the establishment of a more long-term customer relationship, the person only wants to settle in cash;
5. a suspicion arises that the person does not make the transaction on their own behalf;
6. the person has been suspected of money laundering earlier;
7. the person wants to settle in cash in an amount of more than 10,000 euros;
8. the person repeatedly settles in cash in amounts of more than 10,000 euros;
9. the person makes a payment in cash that remains only slightly below the limit established in respect of the obligation to identify a person (10,000 euros);
10. the payment is made via a missing trader or a bank of a tax-free territory;
11. the payment is preceded by a cash payment exceeding 10,000 euros into the account of a third party.

Arousal of suspicion upon entry into customer agreement:
Unusual documents:

1. the person’s authorisation or identity documents do not comply with formal requirements;
2. the person’s authorisation or identity documents are not valid;
3. the documents submitted give rise to a suspicion that they may be forged.

ANNEX 2 – Guidelines Regarding Characteristics of Transactions Suspected of Terrorist Financing
Suspicious transactions in the case of a suspicion of terrorist financing are the Customer’s transactions and operations that have no clear economic or legal reason and that cannot be regarded as the Customer’s ordinary economic activities.

General indicators:

1. The natural person was born in a risk country;
2. The natural person has a citizenship of a risk country;
3. The natural person has a place of residence in a risk country;
4. The natural person is related to a legal person or another association registered in a risk country;
5. The legal person or another association has been registered in a risk country;
6. The parent company of a legal person or a branch of another association has been registered in a risk country.

Indicators of suspicious transactions in the case of transactions of more than 10,000 euros in cash:

1. It may be presumed, based on the appearance of a person, that the person is from a risk country and the person tries not to submit their identification data;
2. A person from a risk country wants to settle in cash in an amount of more than 10,000 euros;
3. A suspicion arises that the person does not act on their own behalf and may represent a person related to a risk country;
4. The payment is made via a bank registered in the territory of a risk country;
5. The person wants to pay in a currency used in a risk country;
6. A person from a risk country makes a payment in cash that remains only slightly below the limit established in respect of the obligation to identify a person (10,000 euros) or tries to pay in several parts in order to avoid the identification obligation;
7. A person from a risk country wants to use the virtual currency wallet service to the value exceeding 10,000 euros.

ANNEX 3 – List of Equivalent Third Countries in Accordance with Anti-Money Laundering Directive (Directive 2005/60/EC)
At the moment the Rules of Procedure are adopted, the following third countries are regarded as countries having AML/CFT systems equivalent to those of the European Union:
Australia
Brazil
Canada
Hong Kong
India
Japan
South Korea
Mexico
Russian Federation
Singapore
Switzerland
Republic of South Africa
USA

The Rules of Procedure have been approved by a resolution of the management board of PAYBILLA Estonia OÜ, in accordance with which Robert Günter Knapp is appointed compliance officer.

Privacy Policy

This Privacy Policy applies to you if you use, have used or have expressed an intention to use Paybilla Site and/or Services. This Privacy Policy describes how Paybilla Processes your Personal Data and applies solely to Personal Data collected by Paybilla. Paybilla is responsible for processing your Personal Data. Paybilla is processing data pursuant to General Data Protection Regulation (GDPR). Please read this Privacy Policy before using the Site and/or Services or submitting your Personal Data.

Definitions

GDPR means regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Personal Data means any information which Paybilla directly relates to you (a legal or natural person or an organization legally engaged in business activities or any other business). In particular by reference to an identifier such as a name, date of birth, contact information, location data, an online identifier etc;

Processing means any operation carried out with Personal Data (collection, recording, storing etc.).

By agreeing to this Agreement or using the Services and/or the Site, you agree that the Paybilla will use, disclose and process your personal information in accordance with this Privacy Policy:

1. Paybilla Terms of Service and present Privacy Policy applies to communication between you and Paybilla (incl. emails, phone calls, etc.) and to your use of the Site and Services and establishes the policy on which Personal Data will be processed by Paybilla.
2. Paybilla may process any information submitted, shared or exchanged to provide the Services. Paybilla collects information by email, phone calls or by questionnaire or any other means. Some information may also be collected via automatic means, e.g. cookies. Paybilla may also collect information from third parties. Paybilla shall do all that is reasonably possible to ensure the confidentiality of the Personal Data that Paybilla has collected.
3. Paybilla processes Personal Data only if it has your consent to do so, or if it is necessary for providing you the Services, or Paybilla has the legitimate interest to do so, or if it is required by applicable legislation.
4. Paybilla mainly processes data to comply with applicable laws, regulations and instructions, to manage the relationship between Paybilla and you, to provide additional services, to prevent illegal activities and misuse of the Service and Site, to ensure to quality of the Service and Site, etc.
5. You are required to provide your real name, address, nationality, telephone number, e-mail address, as well as other information as required by applicable laws and regulations. You can also choose to fill in additional information. By providing the previously mentioned information you understand and agree to that Paybilla, will access your Personal Data (including but not limited to mobile phones, electronic mail, etc.) to send you relevant notices and other commercial electronic information to provide you with new services and opportunities. Paybilla will not share your Personal Data without your previous consent unless, we are legally obliged to.
6. Paybilla collects some of the information automatically. Information that is collected automatically is associated with your use of the Services and/or the Site. Paybilla may collect information (incl. IP address, operating system, browser ID, location, language settings, demographic information, Personal information, and other information about the interaction of you and the Site) about your usage or the Service and/or the Site. Paybilla may use authorised processors and services provided by third parties to collect and process data.
7. In order to ensure the safety of your use of the Services and the Site and to continuously improve the quality of service, Paybilla will record and keep information about your login and use of the Service and the Site, but Paybilla undertakes not to provide such information to any third party (unless otherwise agreed upon by both parties, or other laws and regulations).
8. Paybilla will keep tight security of all the complete comprehensive statistics regarding identity data of Paybilla users and will not use and/or disclose them for sale and reward. Paybilla reserves the right to transmit the Personal Data to law enforcement institutions, state authorities and financial institutions if it should be required to comply with valid laws.
9. Paybilla only processes your Personal Data on your consent, if there is a legitimate interest to process data or if it is required by valid legislation. In order to provide you with a more efficient service, you agree that Paybilla shall have the right to provide your registered information which you have furnished to Paybilla in the course of your registration and use of the Service. At the same time, Paybilla reserves the right to require you to submit identity information (including but not limited to identity card, bank account book, passports, and other certificates or other documents). Except as otherwise provided in Terms of Service or present Privacy Policy, Paybilla does not disclose or provide your information to third parties except in the following cases:
   1. with your explicit authorization;
   2. only to disclose your Personal Data in order to provide you with required products and/or services;
   3. disclosure in accordance with the requirements of this Privacy Policy;
   4. according to the provisions of applicable laws and regulations;
   5. in accordance with the instruction and requirements of applicable laws
   6. and Authorities etc;
   7. for the maintenance of Paybilla legitimate rights and interests;
   8. to verify the authenticity of the identity of you or your representative company.
10. Your Personal Data will be processed no longer than necessary. The retention period of your Personal Data may be based on the applicable law (e.g. Money Laundering and Terrorist Financing Prevention Act, etc.) or legitimate interest of Paybilla or agreements signed between you and Paybilla.
11. Paybilla ensures that all employees and other representatives accessing the Data are (i) aware of the terms of this Agreement and (ii) have received comprehensive training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);
    1. The Client and the Processor have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, complying with Article 32 of GDPR, details of those measures are set out under Part A of the Annex to this Agreement (Article 28, para 3(c) GDPR);
    2. the Processor shall not involve any third party in the processing of the Data without the consent of The Client. Such consent may be withheld without reason.
    3. taking into account the nature of the processing, assist The Client by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of The Client’ obligation to respond to requests from individuals exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc (Article 28, para 3(e) GDPR);
    4. assist, if possible, The Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to individuals;
    5. at The Client’ choice safely delete or return the Data at any time. [It has been agreed that the Processor will in any event securely delete the Data at the end of the Services]. Where the Processor is to delete the Data, deletion shall include destruction of all existing copies unless otherwise a legal requirement to retain the Data. Where there is a legal requirement the Processor will prior to entering into this Agreement confirm such an obligation in writing to The Client. Upon request by The Client the Processor shall provide certification of destruction of all Data (Article 28, para 3(g) GDPR);
    6. make immediately available to The Client all information necessary to demonstrate compliance with the obligations laid down under this Agreement (Article 28, para 3(h) GDPR);
    7. arrangements relating to the secure transfer of the Data from The Client to the Processor and the safe keeping of the Data by the Processor are detailed under Part A of the Annex.
    8. maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created; and
    9. immediately contact The Client if there is any personal data breach or incident where the Data may have been compromised.
    Compliance with Article 32 of GDPR
12. Consideration of anonymisation, pseudonymisation and encryption.
    Paybilla is obliged to make an effort to encrypt all the data from the third parties, if possible.
13. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and related services.
    
    Paybilla will use qualified and proven software solutions to facilitate the data and to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and related services.
14. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
    
    Paybilla will use qualified and proven software solutions which allow to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
15. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to data transmitted, stored or otherwise processed.
    
    All documents are securely uploaded by the Client directly to our Client Portal.
16. The Processor to ensure that anyone acting on their behalf does not process any of the Data unless following instructions from The Client unless they are required to do so under Estonian law.