Procedure for the Prevention of Money Laundering and Terrorism Financing

1. INTRODUCTION

1.1. This Procedure sets out the procedure to be followed by LABELRAILS SOLUTIONS SP. Z O.O. (hereinafter the “Company”) in the prevention of money laundering and terrorism financing.

1.2. The obligation to establish and implement this Procedure arises from S. 50 of the Polish Act of Parliament of 1 March 2018 on the prevention of money laundering and terrorism financing.

1.3. The Procedure includes, in particular, the following:

a) actions or measures taken to limit the risk of money laundering and terrorism financing and to manage the identified risks properly;

b) principles for recognizing and assessing the risk of money laundering and terrorism financing associated with specific business relationships or occasional transactions, including principles for verifying and updating the previously conducted risk assessment of money laundering and terrorism financing;

c) measures employed to properly manage the identified risk of money laundering or terrorism financing associated with specific business relationships or occasional transactions;

d) principles for the application of financial security measures;

e) principles for the retention of documents and information;

f) principles for providing information to the General Inspector for Financial Information and other authorities;

g) principles for disseminating knowledge among employees regarding the regulations on the prevention of money laundering and terrorism financing;

h) principles for the reporting by employees of actual or potential violations of regulations on the prevention of money laundering and terrorism financing;

i) principles of internal control or compliance supervision of the activities of the obliged institution in accordance with the regulations on the prevention of money laundering and terrorism financing and the procedures outlined in this internal procedure;

j) principles for recording discrepancies between information collected in the Central Register of Beneficial Owners and information about the beneficial owners of the customer determined in connection with the application of the Act;

k) principles for documenting difficulties encountered in verifying the identity of the beneficial owner and actions taken in connection with the identification of an individual holding a senior management position.

2. DEFINITIONS

Beneficial Owner, this refers to:

  • natural person(s) who, directly or indirectly, exercise(s) control over a customer through authorized powers resulting from legal or factual circumstances, enabling them to exert decisive influence over actions taken by the customer, or (a) natural persons on whose behalf business relationships are established or occasional transactions are conducted;
  • in the case of a customer that is a legal person other than a company whose securities are admitted to trading on a regulated market subject to disclosure requirements under the law of the European Union or corresponding laws of a third country;
  • a natural person who is a shareholder or shareholder entitled to ownership of more than 25% of the total number of shares in that legal entity;
  • a natural person who holds more than 25% of the total voting rights in the governing body of the customer, also as a pledgee or usufructuary, or based on agreements with other persons entitled to vote;
  • a natural person who exercises control over a legal person or legal persons which, in total, have the right to ownership of more than 25% of the total number of shares in the customer or in total hold more than 25% of the total voting rights in the customer’s governing body, also as a pledgee or usufructuary, or based on agreements with other persons entitled to vote;
  • a natural person holding a senior management position in case of documented inability to determine or doubts about the identity of natural persons specified in the preceding sub-items and in case of no suspicion of money laundering or terrorism financing.

Virtual assets service provider (VASP), this refers to an entity conducting a business as defined in the Polish Business Persons Act of 6 March 2018 [Prawo przedsiebiorców] (Journal of Laws of 2021, item 162), whose core business is to provide services related to the exchange of funds into cryptocurrencies.

PEP – this refers to natural persons, which is:

  • heads of state, heads of government, ministers, deputy ministers, state secretaries, including the President of the Republic of Poland, the Prime Minister, and Deputy Prime Ministers;
  • members of parliament or similar legislative bodies, including members of then Seim [the lower house of Polish Parliament] and the Senate [the upper house of Polish Parliament];
  • members of the governing bodies of political parties;
  • members of the highest courts, constitutional tribunals, and other top-level judicial bodies, whose decisions are not subject to appeal, except in extraordinary circumstances, including judges of the Supreme Court, the Constitutional Tribunal, the Supreme Administrative Court, voivodeship administrative courts, and judges of appellate courts;
  • members of audit courts or boards of central banks, including the President and members of the National Bank of Poland;
  • ambassadors, charges d’affaires, and senior officers of the armed forces;
  • members of administrative, management, or supervisory bodies of state-owned enterprises, including directors of state-owned enterprises and members of the management boards and supervisory boards of joint-stock companies.

Persons Known as Close Associates of PEPs, this refers to natural persons:

  • who are beneficial owners of legal persons, unincorporated organizations, or trusts together with a person holding an exposed political position or maintain other close relationships connected with their economic activity;
  • who are the sole beneficial owners of legal persons, unincorporated organizations, or trusts, known to have been established for the purpose of obtaining a real benefit by a person holding an exposed political position.

Transaction – legal or factual act that results in the transfer of ownership or possession of property values, or a legal or factual act carried out to transfer ownership or possession of property values.

Transaction Execution – implementation of orders or Procedures issued by the customer or a person acting on their behalf.

Money Laundering – this refers to the act as defined in s.299 of the Polish Penal Code Act of 6 June 1997.

Terrorist Financing – this refers to the act as defined in Article 165a of the Act of June 6, 1997 – the Penal Code.

Customer – a natural person, legal person, or unincorporated organization that the obliged institution provides services to or with whom they engage in economic relations within the scope of their professional activity, including those with whom the obliged institution establishes economic relations, or on whose behalf the obliged institution conducts occasional transactions. In the case of an insurance contract by the customer of the obliged institution, the term “customer” shall be understood as the policyholder, and in the case of an agreement to maintain a register of shareholders referred to in s.30032 and s.3282 of the Commercial Companies Code Act of 16 September 2000 Kodeks spótek handlowych] (Journal of Laws of 2020, item 1526), the term “customer” shall be understood exclusively as a shareholder, pledgee, or holder of shares subject to entry in that register in connection with the transaction forming the basis for entry.

3. SUMMARY

3.1. Virtual assets service provider shall identify and assess the risk associated with money laundering and terrorist financing related to its activities, taking into account:

  • risk factors related to customers,
  • risk factors related to countries or geographic areas,
  • risk factors related to products, services, transactions,
  • the level of assets deposited by the customer or the value of transactions conducted,
  • channels of delivery.

3.2. Virtual assets service provider shall conduct business activities in the following areas:

  • exchange between virtual currencies and fiat funds;
  • exchange between virtual currencies;
  • intermediation in exchanges;
  • conducting, in electronic form, a collection of identification data providing authorized persons with the possibility of using units of virtual currencies, including conducting transactions of their exchange.

3.3. VASP is required to record transactions where the circumstances of the transaction indicate that it may be related to money laundering or terrorist financing, regardless of its value and nature.

3.4. The obligation shall apply in cases where the cryptocurrency exchange office knows or, with due diligence, should know about such a transaction in connection with the execution of an agreement with the customer.

3.5. VASP shall introduce this internal procedure to limit the risk of money laundering and terrorist financing.

3.6. VASP shall prepare a risk assessment in paper form, which is updated no less frequently than every 2 years.

3.7. VASP shall apply financial security measures.

3.8. VASP shall update its knowledge in the field of combating money laundering and terrorist financing.

3.9. VASP shall develop and implement an anonymous reporting procedure.

4. FINANCIAL SECURITY MEASURES

4.1. VASP is required to implement financial security measures (FSMs).

4.2. Financial security measures include:

a) identifying the customer and verifying their identity;

b) identifying the ultimate beneficial owner (UBO) and taking reasonable steps to:

  • verify their identity,
  • determine the ownership and control structure (in the case of a legal entity, unincorporated entity, or trust);

c) assessing business relationships and, as applicable, obtaining information about their purpose and intended nature;

d) monitoring, on an ongoing basis, its business relationships with customers, including:

  • analyzing transactions conducted within the business relationship to ensure they align with the institution’s knowledge of the customer, the type and scope of thèi business activity, and the AML/CFT risk associated with the customer;
  • investigating the source of wealth under circumstances justified by the facts, ensuring that documents, data, or information concerning business relationships are continuously updated.

4.3. Financial security measures must be applied, in particular:

  • when a new business relationship is established;
  • when there is suspicion of money laundering or terrorist financing, regardless of the value of the transaction, the customer’s organizational form, or the customer type;
  • when doubt arises regarding the truthfulness or completeness of previously obtained customer identification data;
  • when there is a change in the previously established nature or circumstances of business relationships;
  • when there is a change in the previously established data concerning the customer or the ultimate beneficial owner;
  • when the obliged institution was required by law during a given calendar year to contact the customer to verify information about ultimate beneficial owners, particularly when such an obligation arose from the provisions of the law of 9 March 2017 regarding the exchange of tax information with other countries (Journal of Laws of 2021, item 626).

4.4. Financial security measures shall be applied to all VASP customers.

5. CUSTOMER IDENTIFICATION

5.1. The Company requires a good working knowledge of the Client’s activities in order to provide an effective service, including evidence of their identity. The Company needs to identify the Clients, their 5.2. Beneficial owners (where applicable) and the representatives (where applicable) in the following circumstances:

  • prior to establishing a business relationship.

and before:

  • executing occasional virtual currency exchange transactions or operations in virtual currency with funds equal to or above EUR 1000 or currency/virtual currency equivalent;
  • occasional depositing or withdrawing of virtual currency amounting to or above EUR 1000 or currency/virtual currency equivalent;
  • transaction is carried out in one or more interrelated transactions (the value of the virtual currency being determined at the time of the monetary transaction or operation) unless the customer and beneficial owner have already been identified.
  • when there are doubts about the veracity or adequacy of previously obtained identification data of the Client and/or the Beneficial owner and/or the representative of the Client (where applicable);
  • in any other case when there are suspicions that the act of ML or TF is, was or will be performed.

5.3. The identification evidence must be obtained before the provision of any services to a prospective Client or an established Client – if sufficient evidence cannot be obtained the Company must not proceed with the business. 

5.4. CDD measures for individual customers involve a number of discrete steps:

  • identifying the customer, and verifying their identity;
  • understanding and, if necessary, obtaining information on, the purpose and intended nature of the business relationship;
  • taking adequate measures to establish and, where necessary, verify source of funds (SoF);
  • in higher risk situations, taking adequate measures to establish and if necessary, verify source of wealth (SoW);
  • obtaining other additional customer information which is deemed necessary for identification purposes i.e. email address/mobile phone number.

5.5. The identity of a customer has a number of principal aspects:

  • full name, which may change;
  • residential address, which may change;
  • nationality, of which there may be more than one and which may also change; and
  • date of birth.

5.6. Identifying a customer involves obtaining principal aspects of identity as noted above. The verification of identity consists of verifying some or all of this information, using independent and reliable sources.

5.7. The amount of information or evidence to request from a customer, in order to be reasonably satisfied that a customer is who they say they are, will depend on the risk assessment of a customer. Identity verification must be based on a selfie photo taken by an individual and submission of a government issued document which incorporates the customer’s full name, date of birth and photograph.

5.8. In verifying customer identity by means of a biometric liveness technology selfie and documentation, controls must be established to confirm that:

  • where documents include a photograph, that the individual appearing in the document is the individual appearing in the selfie;
  • the documents relied upon are not forged, altered or stolen; and
  • foreign language documents do in fact provide evidence of a customer’s identity.

5.9. Relationships must not be established where:

  • they are prohibited under this Procedure;
  • the individual appearing in the selfie may not be the individual whose photograph appears in identity documentation;
  • identification documents are assessed as being forged, altered, stolen or are insufficient to evidence identity;
  • where customers are identified as appearing to be acting under duress or under the influence of alcohol or drugs.

5.10. Once the identity of a customer has been satisfactorily verified, there is no obligation to re-verify identity, unless doubts arise as to the veracity or adequacy of the evidence previously obtained.

5.11. Establishing and Verifying Customer’s Address. Customer’s address must be identified prior performing transactions involving fiat currency. However, in higher risk situations, or where there is a suspicion that the country of the customer’s IP differs from their actual country of residence, further address verification might be required at the stage of onboarding or during periodic review. In instances where further verification is required, documents used for the purpose of individual’s identification cannot be also used for address verification and a separate document needs to be obtained to verify the address.

5.12. A list of documents acceptable for address verification must be documented in CDD/EDD Procedures.

5.13. Purpose and intended nature of relationships. Understanding the nature of the relationship with the customer is essential to understand risks of potential misuse of products offered by the Company. In instances where necessary obtaining information on the purpose and intended nature of the business relationship may be in the form of addressing the following:

  • purpose of the account and the nature of activity to be undertaken;
  • amount of the initial deposit and expected monthly credits/deposits on account.

5.14 Source of Funds and Source of Wealth. Source of Funds refers to the initial or ongoing funds that will be deposited on a customer’s account. Source of funds usually refers to the activity that generates funds, for example:

  • employment income;
  • inherited family wealth;
  • insurance compensation pay-out;
  • sale of assets.

6. CORPORATE CUSTOMER DUE DILIGENCE

6.1. CDD measures for corporate customers must involve:

  • identifying and verifying the entity, which is separate and distinct from the people who own and manage it;
  • identifying and verifying beneficial owners and controllers;
  • identifying and verifying the names of directors;
  • know your customer business (KYB), which includes establishing the nature of the
  • entity’s business and other operational details;
  • understanding and, if necessary, obtaining information on, the purpose and intended nature of the business relationship;
  • taking adequate measures to establish and, where necessary verify source of funds (SoF);
  • in higher risk situations, taking adequate measures to establish and verify source of wealth (SoW) for the beneficial owners and controllers.

6.2. The following information must be established and recorded for the purpose of identifying corporate customers:

  • company name;
  • previous company names (if any);
  • registered number;
  • date of incorporation;
  • registered address;
  • principal place of business (if different from registered office);
  • tax identification number(s).

6.3. Corporate customer identity information must be verified by way of the relevant Company Registry.

6.4. Applications to open Corporate Accounts may only be accepted from individuals who are confirmed by the relevant Companies Registry to be current directors of applicant companies.

6.5. Applicant directors must confirm that they are properly authorized by Corporate Customers to open accounts on their behalf. 

6.6. Corporate customers must be subject to 25% UBO threshold with all relevant UBOs and/or individuals with significant control identified and verified. 

6.7. The following information must be established and recorded for the purpose of identifying persons of significant control:

  • forenames – where an individual has more than one forename, all forenames must be established and recorded;
  • surnames – where an individual has more than one surname, all surnames must be established and recorded;
  • residential address;
  • date of birth;
  • nationality(ies).

6.8. The following information on company directors must be established and verified by way of the Relevant Companies Registry:

  • name;
  • month and year of birth
  • country of residence;
  • nationality.

6.9. The following information must, as a minimum, be established and recorded for the purpose of understanding the nature of the business conducted by customers:

  • nature of activities;
  • annual turnover;
  • whether the customer has a presence in, connections to or is conducting business with or through high-risk countries, or high risk third countries or those subject to sanctions or embargo measures;
  • contact email address;
  • contact telephone number;
  • customer Website (if available).

7. IDENTIFICATION OF THE ULTIMATE BENEFICIAL OWNER (UBO)

7.1. The Company is obligated to:

a) verify the identity of the customer, the person authorized to act on their behalf, and the ultimate beneficial owner. This verification must involve confirming the established identification data based on a document confirming the individual’s identity, a document containing current data from the relevant register excerpt, or other documents, data, or information from a reliable and independent source. This may also include, where available, data from electronic identification means or from relevant trust services as specified in Regulation 910/2014.

b) In the case of identifying the ultimate beneficial owner, VASP shall document:

  • all obstacles leading to an inability to establish or doubts regarding the identity of individuals.
  • all obstacles related to reasonable actions taken to verify the identity of the ultimate beneficial owner.

c) When applying a financial security measure, as mentioned in s.34(1)(2), information from the Central Register of Beneficial Owners or a register, as specified in Article 30 or Article 31 of Directive 2015/849, maintained in the relevant Member State, should not be the only source of information that is relied on.

8. CUSTOMER RISK ASSESSMENT AND RISK CLASSIFICATION

8.1. Customer risk assessment (CRA) must be conducted prior to the establishment of a relationship and reassessed where appropriate on an ongoing basis. CRA assists the Company in identifying those customers that are outside of risk appetite and those who require enhanced due diligence and enhanced ongoing monitoring measures.

8.2. The Company is responsible for establishing and maintaining systems and controls for the purpose of assessing financial crime risk arising from customers relationships. The customer risk assessment control framework and risk assessment methodologies including risk factor weightings applied in assessing customer risk, must be defined, documented and maintained by the Company.

8.3. Customer risk assessment system, controls and methodologies must be approved by the AML Officer, who must conduct ongoing assurance of such systems, controls and methodologies.

8.4. All proposals to change customer risk assessment methodologies must be approved by the AML Officer prior to changes being affected. Approval to effect changes must be submitted in writing and include justification for change.

8.5. Change proposals and associated approvals must be retained in accordance with the Record Keeping section of this Procedure.

8.6. The Company must ensure that where customer risk assessments are undertaken by central or specialized functions, or by means of automated systems, that such functions and systems are operating in compliance with requirements set out in this Procedure.

8.7. The Company must ensure that staff conducting manual risk assessments and those authorized to make changes to customer risk ratings, have sufficient levels of experience, training and skills to effect such changes.

8.8. All customers must be subject to risk assessment prior to on-boarding. 

8.9. On completion of CRA, customer relationships must be classified as Low risk, Medium risk, High risk or Out of Appetite.

8.10. In assessing the financial crime risk arising from Individual Customers the following factors must as a minimum, be applied: 

a) Customer risk factors:

  • customer residency;
  • type of customer – natural or legal person; non-profit or religious organization, etc
  • customer occupation – whether occupation is associated with sectors that give rise to high risk of financial crime, including cash intensive businesses and those more susceptible to bribery and corruption;
  • customer tax residency – whether an individual qualifies as a tax resident under the tax residence rules of more than one jurisdiction, and therefore is a tax resident in more than one jurisdiction;
  • the intended nature of the business relationship i.e. the size of the initial and ongoing deposits and activity turnover on account;
  • whether the customer is subject of sanctions measures, fraud reports, adverse media or is a politically exposed person (PEP);
  • whether the customer uses VPN, TOR, encrypted, anonymous or randomly generated email or a temporary email service;
  • whether the customer is involved in digital asset mining operations (either directly or indirectly through relationships with third parties);
  • weather any complex structure (for example, trusts) of UBO’s is present (for client legal entity);
  • corporate risk rating where the customer is a proprietor or director or ultimate beneficial owner/controller of a Corporate Customer.

b) Geographical risk factors:

  • a jurisdiction of the financial institution used by customers to deposit funds;
  • whether the customer has an association with countries that are assessed as anything other than ‘Low’ risk i.e. a tax resident or a national of such countries.

c) Product and delivery channel risk:

  • the assessed risk arising from the product;
  • the assessed risk arising from the delivery channel, to include additional data points gathered by the Company during the establishment or ongoing maintenance of a relationship, which may indicate increased financial crime risks.
  • the assessed risk arising from the movement of funds to/from darknet markets or other illegal/high-risk sources, such as an unregulated exchange, or is associated with market abuse, ransomware, hacking, fraud, Ponzi schemes, sanctioned crypto addresses or gambling sites;
  • the assessed risk from the analyses of wallets to identify where deposits come from and withdrawals go to.

8.11. In assessing the financial crime risk arising from Corporate customers the following factors must as a minimum, be applied:

a) Customer risk factors:

  • customer type – whether it involves complex business ownership structures, which can facilitate concealment of underlying beneficiaries and controllers;
  • customer status – whether listed on a recognised stock exchange, a regulated financial institution subject to the requirements of AML legislation, subject of any sanctions measures, or adverse publicity from an financial crime or reputational risk perspective;
  • customer business – whether activities have been assessed as giving rise to higher risk of financial crime, including cash intensive businesses and those more susceptible to bribery and corruption;
  • customer ownership and control – whether the proprietor or for corporate customers, the directors and ultimate beneficial owners/controllers are subject of sanctions measures, fraud reports, adverse media or are politically exposed persons;
  • customer tax residency – whether an entity qualifies as a tax resident under the tax
  • residence rules of more than one jurisdiction, and therefore is a tax resident in more than one jurisdiction;
  • the intended nature of the business relationship i.e. the size of the initial and ongoing deposits and activity turnover on account;
  • individual risk ratings of associated proprietors or directors, ultimate beneficial owners/controllers;
  • corporate risk ratings of other customers where there are common proprietors, directors, beneficial owners or controllers.

b) Geographical risk factors:

  • the jurisdiction of company incorporation and if different, the countries in which its registered office address and principal place of business are located;
  • whether the customer has a presence in, connections to or is conducting business with or through high-risk countries or those subject to sanctions or embargo measures;
  • whether directors or persons of significant control have connections to countries assessed as anything other than ‘Low’ risk i.e. resident in, tax resident of, or a national of.

c) Product and delivery channel risk:

  • the assessed risk arising from the product;
  • the assessed risk arising from the delivery channel, country of product channel to include additional data points gathered by the Company during the establishment or ongoing maintenance of a relationship, which may indicate increased financial crime risks for example, jurisdictions from which the App has been accessed, and known ‘risky user’ device data etc.;
  • the assessed risk arising from the movement of funds to/from darknet markets or other illegal/high-risk sources, such as an unregulated exchange, or is associated with market abuse, ransomware, hacking, fraud, Ponzi schemes, sanctioned crypto addresses or gambling sites;
  • the assessed risk from the analyses of wallets to identify where deposits come from and withdrawals go to.

8.12. Customer risk classification is one of the drivers for the appropriate level of CDD to be conducted. Risk classifications must be reviewed and updated as appropriate in accordance with periodic reviews requirements referred to below. The trigger for a customer to be rated as high risk is related to the overall assessment of the customer taking into account:

  • PEP links;
  • adverse media findings;
  • high risk occupation or nature of business;
  • high risk jurisdiction of residence and/or occupation for personal customers. High risk jurisdiction of registration and operations for corporate customers;
  • source of funds (SoF) is being generated in high-risk jurisdiction;
  • results of a blockchain analysis indicate a higher risk.

8.13. Prohibited relations. The Company must ensure that it does not accept (or continue) any relationship categorized as Prohibited within the scope of this Procedure. This includes, for example, the instances where:

  • the crypto asset comes from, or is associated with, a darknet or other illegal/high-risk sources, such as an unregulated exchange, or is associated with market abuse, ransomware, hacking, fraud, Ponzi schemes, sanctioned bitcoin addresses or gambling sites;
  • the results of a blockchain analysis indicate risks outside of the Company’s risk appetite. For example, a customer exploits technological glitches or failures to his advantage for obtaining crypto assets;
  • a customer is a money transmitter who is unable to produce the required KYC information and documentation;
  • a customer persistently avoids KYC thresholds through smaller transactions which in the course of monitoring appear to be above the permitted threshold values;
  • a customer requests an exchange to or from a state-sponsored virtual currency that may be used to avoid sanctions;
  • a customer is closely associated with jurisdiction where crypto currency is prohibited.

8.14. The use of the following high-risk activities, which may not necessarily be illegal on their own, should serve as a risk factor for ongoing monitoring in order to identify, report, and if necessary due to high risk of financial crime, block customer’s account prohibiting further transactions:

  • mixers or tumblers;
  • Internet Protocol (IP) anonymizers;

9. ONGOING MONITORING

9.1. VASP is obligated to continuously monitor business relationships in order to identify events or circumstances that may indicate money laundering activities. This includes:

  • analyzing transactions conducted within business relationships to ensure they are consistent with the knowledge of the customer, the nature and scope of their business, and the associated money laundering and terrorist financing risks;
  • investigating the source of the wealth or assets under the customer’s control when circumstances warrant it;
  • ensuring that documents, data, or information related to business relationships are regularly updated.

9.2. The monitoring shall consider the following factors:

  • Economic factor: examining customer behaviors related to the scope and scale of their business activities concerning transactions, considering connections, transaction prices compared to market rates, and investigating the source of assets where reasonable.
  • Geographic factor: considering the company’s registered location, branches, place of residence, nationality, the direction of asset flows, with particular attention to entities indicating locations or territories.
  • Taking into account the type of business activities, especially in cases particularly susceptible to money laundering, such as trading in scrap and fuels, transactions conducted by non-residents, share trading, gambling.

9.3. Additionally, attention should be paid to other circumstances, such as:

  • scrap and fuel trade,
  • trade conducted by non-residents,
  • share trading in a company’s capital,
  • gambling,
  • furthermore, other circumstances should also be noted, such as:
    • imposition of sanctions on the customer in connection with suspicion of money laundering or terrorism financing,
    • opening an account for the purpose of executing one or several transactions in short intervals for relatively high amounts, often using fictitious documents, transfers of small amounts to one account, from which they are immediately withdrawn in cash – which are often subsequently deposited into another account.

10. TRANSACTION MONITORING

10.1. In the course of its operations, VASP is obliged to pay attention to transactions that may be related to money laundering or terrorist financing.

10.2. VASP is required to monitor transactions that may be linked to money laundering or terrorist financing.

10.3. The identification of transactions can result from VASP’s knowledge or due diligence-related actions in connection with the execution of a customer agreement.

10.4. As part of due diligence, VASP must take actions to ensure that it has done everything possible to carry out its tasks as effectively as possible, especially in preventing money laundering or terrorist financing. Individuals who may come into contact with money laundering or terrorist financing should be trained in preventing money laundering or terrorist financing and should be required to pay attention to situations or events related to the customer that may be linked to money laundering or terrorist financing.

11. TRANSACTIONS RECORDING

11.1. The identified transactions must be recorded in a transaction register.

11.2. The transaction register must be maintained by VASP in hard-copy or electronic form.

11.3. Information about each registered transaction shall include, in particular, the following:

  • the date of the transaction;
  • information identifying the parties to the transaction;
  • the amount, currency and type of transaction;
  • account numbers used for the transaction, in the case of transactions involving such accounts;
  • justification of and the place, date and method of placing the order.

11.4. Information about each transaction shall be entered in the register without delay, but no later than the next working day after identifying a transaction whose circumstances indicate that it may be related to money laundering or terrorist financing.

11.5. The register is maintained in the form of bound and sequentially numbered transaction cards, prepared and filled out separately for each registered transaction.

11.6. Transaction cards should be completed manually or mechanically, in a careful, legible, and durable manner, and any errors found should be corrected by:

  • striking out the previous content and entering new content while maintaining the legibility of the erroneous entry
  • adding the date and a clear signature of the person making the correction

12. AUTHORITIES

12.1. In the event of suspicion of money laundering or terrorist financing, the responsible person shall provide the General Inspector for Financial Information with information about these circumstances.

12.2. The notification is to be provided promptly, no later than within 2 business days from the date VASP confirms the suspicion of money laundering or terrorist financing.

12.3. The notification shall include:

  • information identifying VASP’s customers,
  • available identifying information, of natural persons, legal entities, and organizational units without legal personality, who are not customers of the institution obligated to submit the notification,
  • the type and amount of assets, as well as their storage location.
  • the account number held for the customer of the institution obligated to submit the notification, marked with the IBAN identifier or a country code and account number in the case of accounts not marked with IBAN,
  • available information regarding the transactions or attempted transactions,
  • indication of the European Economic Area country with which the transaction is associated if it was carried out in the course of a cross-border activity,
  • available information about recognized money laundering or terrorist financing risk anc about the prohibited act from which the assets may originate, justification for submitting the notification.

12.4. For the initial fulfillment of its reporting obligations, VASP must submit a form with information identifying the obliged institution to the Inspector General.

13. REPORTING TO GIIF

13.1. Upon a written request from the General ​​Inspector for Financial Information, the Company is obliged to promptly provide information regarding customer transactions.

13.2 The report shall include, in particular, the transfer of information about transaction parties, document contents, providing their verified copies, of making relevant documents available for inspection by authorized employees of the Department of Financial Information at the Ministry of Finance for the purpose of making notes or copies.

13.3. The request may also be submitted electronically.

13.4. VASP is also obligated, upon request by authorized authorities, to demonstrate the financial security measures applied in relation to the risk of money laundering and terrorist financing.

13.5 It is prohibited to disclose to unauthorized persons the fact of informing the Inspector General for Financial Information about a transaction.

14. RECORD KEEPING

14.1. VASP shall retain, for a period of 5 years from the date of the termination of economic relations with the customer or from the date of conducting an occasional transaction:

a) copies of documents and information obtained as a result of implementing financial security measures, including information obtained through electronic identification means and trust services enabling electronic identification as defined in Regulation 910/2014;

b) evidence confirming the conducted transactions and transaction records, including original documents or copies of documents necessary to identify transactions.

14.2. VASP shall retain the results of the analyses as mentioned in Article 34 paragraph 3 of the Act for a period of 5 years from the date of their completion.

14.3. The collected documents should be kept in an office folder marked with the symbol GIIF.

15. RESPONSIBLE PERSONS

15.1. The person responsible at VASP for performing the duties specified in the Act is Viktoriia Mykhalchuk.

15.2. The person responsible for performing the duties arising from this Procedure is Viktoriia Mykhalchuk.

15.3. The person responsible for supervising the performance of duties arising from this Procedure is Viktoriia Mykhalchuk.

15.4. The supervision mentioned in this Article shall be carried out continuously. At least every six months, a report illustrating such supervisions shall be prepared by the person named in this Article.

16. TRAINING

16.1. VASP shall disseminate knowledge about anti-money laundering and terrorist financing regulations among employees and individuals responsible for the institution’s knowledge of anti-money laundering and terrorist financing issues through training on the subject of anti-money laundering and terrorist financing.

16.2. Training shall be conducted not less frequently than once a year.

16.3. After completing the training, the employee shall be issued a training certificate.

16.4. The training shall be conducted by external institutions with knowledge of anti-money laundering and terrorist financing issues.

17. INTERNAL CONTROL

17.1. A designated person shall exercise internal control in the scope of anti-money laundering and terrorist financing.

17.2. Not less frequently than every 2 years, VASP shall convene an audit committee to verify VASP’s compliance with anti-money laundering and terrorist financing regulations.

18. REPORTING VIOLATIONS

18.1. VASP shall implement the principles of the reporting, by its employees, of actual or potential violations of anti-money laundering and terrorist financing regulations, which have been developed in a separate document called the Procedure for Anonymous Reporting of Violations.

18.2. Regardless of the provisions of that procedure, employees have the right to report actual or potential violations by sending reports by email to: sygnalisci.GIIF@mf.gov.pl