RULES OF PROCEDURE FOR PREVENTION OF MONEY LAUNDERING AND TERRORIST FINANCING AND COMPLIANCE WITH INTERNATIONAL SANCTIONS
1. General provisions
1.1.These rules of procedure for prevention of money laundering and terrorist financing, and compliance with international sanctions (hereinafter Rules) lay down requirements for screening the Clients (as defined in section 2.7) in order to prevent entering into deals involving suspected Money Laundering and Terrorist Financing, and to ensure identification and reporting of such.
2.1.Money Laundering – is a set of activities with the property derived from criminal activity or property obtained instead of such property with the purpose to:
- conceal or disguise the true nature, source, location, disposition, movement, right of ownership or other rights related to such property;
- convert, transfer, acquire, possess or use such property for the purpose of concealing or disguising the illicit origin of property or of assisting a person who is involved in criminal activity to evade the legal consequences of his or her action;
- participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to subsections 2.1.i and 2.1.ii.
2.2.Terrorist Financing – acts of financing of terrorism as defined in § 2373 of the Penal Code of Estonia.
2.3.International Sanctions – list of non-military measures decided by the European Union, the United Nations, another international organisation or the government of the Republic of Estonia and aimed to maintain or restore peace, prevent conflicts and restore international security, support and reinforce democracy, follow the rule of law, human rights and international law and achieve other objectives of the
common foreign and security policy of the European Union.
2.4.Compliance Officer or CO – representative appointed by the Management Board responsible for the effectiveness of the Rules, conducting compliance over the adherence to the Rules and serving as contact person of the FIU.
2.5.FIU – Financial Intelligence Unit of the Police and Border Guard Board of Estonia.
2.6.Business Relationship – a relationship of the Provider of service established in its economic and professional activities with the Client.
2.7.Client – a natural or legal person, who uses services of the Provider of service.
2.8.Beneficial Owner – is a natural person, who:
- Taking advantage of his influence, exercises control over a transaction, operation or another person and in whose interests or favour or on whose account a transaction or operation is performed taking advantage of his influence, makes a transaction, act, action, operation or step or otherwise exercises control over a transaction, act, action, operation or step or over another person and in whose interests or favour or on whose account a transaction or act, action, operation or step is made.
- Ultimately owns or controls a legal person through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that person, including through bearer shareholdings, or through control via other means. Direct ownership is a manner of exercising control whereby a natural person holds a shareholding of 25 per cent plus one share or an ownership interest of more than 25 per cent in a company. Indirect ownership is a manner of exercising control whereby a company which is under the control of a natural person holds or multiple companies which are under the control of the same natural person hold a shareholding of 25 per cent plus one share
or an ownership interest of more than 25 per cent in a company.
- Holds the position of a senior managing official, if, after all possible means of identification have been exhausted, the person specified in clause ii cannot be identified and there is no doubt that such person exists or where there are doubts as to whether the identified person is a beneficial owner.
- In the case of a trust, civil law partnership, community or legal arrangement, the beneficial owner is the natural person who ultimately controls the association via direct or indirect ownership or otherwise and is such associations’: settlor or person who has handed over property to the asset pool, trustee or manager or possessor of the property, person ensuring and controlling the preservation of property, where such person has been appointed, or the beneficiary, or where the beneficiary or beneficiaries have yet to be determined, the class of persons in whose main interest such association is set up or operates.
2.9.Politically Exposed Person or PEP – is a natural person who is or who has been entrusted with prominent public functions including a head of state, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d’affaires and a high-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a state-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organisation, except middle-ranking or more junior officials.
2.11.Provider of service – PayRCurrencyOÜ, registry code 14529885, address Roosikrantsi 2-487K, Tallinn 10119, Estonia.
2.12.Management Board or MB – management board of the Provider of service. Member of the MB, as appointed by relevant MB decision, is responsible for implementation of the Rules.
2.13.Equivalent Third Country – means a country not a Member State of European Economic Area but applying an equivalent regime to the European Union corresponding (AML) framework (see also Exhibit 1).
2.14.Virtual currency – a value represented in the digital form, which is digitally transferable, preservable or tradable and which persons accept as a payment instrument, but that is not the legal tender of any country or funds for the purposes of Article 4(25) of Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market or a payment transaction for the purposes of points (k) and (l) of Article 3 of the same directive.
3. Description of activities of the Provider of service
4. Compliance Officer
5. Application of due diligence measures
- Identifying the Client and verifying its identity using reliable, independent sources, documents or data, including e-identifying;
- Identifying and verifying of the representative of the Client and the right of representation;
- Identifying the Client’s Beneficial Owner;
- Assessing and, as appropriate, obtaining information on the purpose of the Business Relationship;
- Conducting ongoing DD on the Client’s business to ensure the Provider of service’s knowledge of the Client and its source of funds is correct;
- Obtaining information whether the Client is a PEP or PEP’s family member or PEP’s close associate.
- request appropriate identity documents to identify the Client and its representatives;
- request documents and information regarding the activities of the Client and legal origin of funds;
- request information about Beneficial Owners of a legal person;
- screen the risk profile of the Client, select the appropriate DD measures, assess the risk whether the Client is or may become involved in Money Laundering or Terrorist Financing;
- re-identify the Client or the representative of the Client, if there are any doubts regarding the correctness of the information received in the course of initial identification;
- Keeping up-to-date the documents, data or information, obtained during taking DD measures;
- Paying particular attention Client’s conduction, leading to criminal activity or Money Laundering or Terrorist Financing;
- Paying particular attention to the Business Relationship, if the Client is from or the seat of a Client being a legal person is located in a third country, which is included in the list of risk countries (see Exhibit 1).
- the Client addresses the Provider of service with the request to amend a long-term contract during the term of its validity;
- upon identification and verification of the information there is reason to suspect that the documents or data gathered earlier are insufficient, have changed or are incorrect. In this case, the Representative may conduct a face-to-face meeting with the Client;
- the Provider of service has learned through third persons or the media that the activities or data of the Client have changed significantly.
6. Normal due diligence measures
- Upon establishing a new Business Relationship;
- In the event of insufficiency or suspected incorrectness of the documents or information gathered previously in the course of carrying out DD measures;
- Upon suspicion of Money Laundering or Terrorist Financing.
6.2. In the course of conducting normal DD measures, the Representative shall apply the measures of DD as provided for in section 5.4.
7. Identification of a person
- Client – a natural or legal person;
- Representative of the Client – an individual who is authorized to act on behalf of the Client;
- Beneficial Owner of the Client;
- PEP – if the PEP is the Client or a person connected with the Client (see Section 2.9).
7.3.For identification of a Client and verification of the identity of a Client by using information technology means, the Provider of service shall use:
7.5.Identification of a Client being a natural person and a representative of a Client who is a legal person
7.6.Identification of a Client being a legal person
- Check the information concerning a legal person by accessing the relevant electronic databases (e-commercial register/ e-äriregister and European Business Register);
- If it is not possible to obtain an original extract from the register or the respective data, request documents (extract from the relevant registry, certificate of registration or equivalent document) certified or authenticated by a notary public or authenticated officially for verification of the identity of the legal person, or use data obtained from other reliable and independent sources (including electronical identification) on condition that information is obtained from at least two different sources;
- Ask the representative of a foreign legal person to present an identity documents and a document evidencing of his/her power of attorney, which has been notarised or authenticated pursuant to an equal procedure and legalised or authenticated by a certificate substituting for legalisation (apostille), unless otherwise prescribed by an international agreement;
- On the basis of the information received from the representative of the foreign legal person, control whether or not the legal person could be linked with a PEP (see Section 7.9);
- If the seat of a Client being a legal person is located in a third country, which is included in the list of risk countries (see Exhibit 1), report this to the CO, who shall decide the additional measures to be applied to identifying and background checking of the person.
- business name, registry code (number), date of registration, seat and address;
- names and authorisations of members of the Management Board or the head of branch or the other relevant body.
7.7.Consequences of insufficient identification of a Client
- Promptly apply the enhanced DD measures pursuant to the Rules;
- Notify the CO of the failure to implement normal DD in a timely manner;
- Assess the risk profile of the Client and notify CO and/or MB for the purposes of the provisions in Section 12.3.
7.8.Identification of the Beneficial Owner of the Client
- Gather information about the ownership and control structure of the Client on the basis of information provided in pre-contractual negotiations or obtained from another reliable and independent source;
- In situations, where no single person holds the interest or ascertained level of control to the extent of no less than 25 per cent (see Section 2.9), apply the principle of proportionality to establishing the circle of beneficiaries, which means asking information about persons, who control the operations of the legal person, or otherwise exercise dominant influence over the same;
- If the documents used to identify a legal person, or other submitted documents do not clearly identify the Beneficial Owners, record the respective information (i.e. whether the legal person is a part of a group, and the identifiable ownership and management structure
of the group) on the basis of the statements made by the representative of the legal person, or a written document under the hand of the representative;
- To verify the presented information, make enquiries to the respective registers, and request an annual report or another appropriate document to be presented.
- If no natural person is identifiable who ultimately owns or exerts control over a Client and all other means of identification are exhausted, the senior managing official(s) might be considered to be the Beneficial Owner(s).
- Pay attention to companies established in low tax rate regions (see Exhibit 1).
7.9.Identification of Politically Exposed Person
- asking the Client to provide necessary information;
- making an enquiry or checking the data on websites of the respective supervisory authorities or institutions of the country of location of the Client.
- take enhanced DD measures (see Section 9);
- establish the source of wealth of this person;
- monitor the Business Relationship on a continual basis.
7.10.Documents that can be used for identification
- Personal ID card (whether ID card, e-resident card or residence permit card);
- Passport or diplomatic passport;
- Travel document issued in a foreign country;
- Driving licence (if it has name, facial image, signature and personal code or date of birth of holder on it).
7.10.3.In addition to an identity document, the representative of a Client shall submit a document
in the required format certifying the right of representation.
7.10.4.Legal person and its passive legal capacity shall be identified and verified on the basis of the following documents:
- in case of legal persons registered in Estonia and branches of foreign companies registered in Estonia, the identification shall be conducted on the basis of an extract of a registry card of commercial register;
- foreign legal persons shall be identified on the basis of an extract of the relevant register or a transcript of the registration certificate or an equal document, which has been issued by competent authority or body not earlier that six months before submission thereof.
- Name of the Client;
- Personal identification code (in case of absence the date and place of birth and place of residence);
- Information regarding identification and verification of the right of representation. If the right of representation does not arise from law, name of the document used for establishing and verification of the right of representation, the date of issue and the name or name of the issuing party.
- Name of the Client;
- Registry code (or registration number and registration date) of the Client;
- Names and authorisations of members of the Management Board or the head of branch or the other relevant body;
- Telecommunications numbers.
8. Simplified due diligence measures
- A company listed on a regulated market that is subject to disclosure requirements consistent with European Union law;
- a legal person governed by public law founded in Estonia;
- a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
- an authority of the European Union;
- a credit institution or a financial institution, acting on behalf of itself, located in a contracting state of the European Economic Area or in a third country (see Exhibit 1), which in the country of location is subject to equal requirements and the performance of which is subject to state supervision.
- the Client can be identified on the basis of publicly available information;
- the ownership and control structure of the Client is transparent and constant;
- the operations of the Client and their accounting or payment policies are transparent;
- Client reports to and is controlled by an authority of executive power of Estonia or a contracting state of the European Economic Area, another agency performing public duties, or an authority of the European Union.
9. Enhanced due diligence measures
10. Risk assessment
- Normal risk (the risk level is normal, there are no high risk characteristics present);
- High risk, which is subcategorized as High risk I and High risk II.
10.4.Assessment of risk profile of natural persons
10.4.1.When establishing the risk category of a Client being a natural person, the country of residence of the Client, the region where the Client operates, and status of PEP shall be taken into account.
High risk category I
High risk category II
10.5.Assessment of risk profile of legal persons
10.5.2.If there are several characteristics of the category “High risk I”, or if, in addition to the characteristics of “High risk I”, at least one of the “High risk II” characteristics is present, the Client shall be determined to be falling into the category “High risk II”.
High risk category I
High risk category II
10.7.Identification and management of risks of technology and services
10.7.1.The above listed DD measures can be combined, as appropriate, in respect to other listed or nonlisted risks.
- Client’s accounts/wallets will be protected by Secure Sockets Layer (hereinafter SSL) certificate, answering security question or 2FA verification: either to use Google Authenticator or secure passcode.
- In case of hacking, the Provider of service’s employees will act according to the incident response plan: backing up the system, define the losses that occurred, inform the person or entity who’s account was affected by the hack, report to the relevant authorities.
11. Registration and storage of data
- Name, personal ID code or, in the absence of the latter, date of birth and the address of the person’s permanent place of residence and other places of residence;
- the name and number of the document used for identification and verification of the identity of the person, its date of issue and the name of the issuing authority;
- occupation, profession or area of activity – establish the area of activity (occupation) and the status of the person (trader, employee, student, pensioner);
- If the Client is a natural person, the Representative shall record information about whether the person is performing or has performed prominent public functions, or is a close associate or family member of the person performing prominent public functions;
- Citizenship and the country of tax residency;
- the origin of assets.
11.2.2.In case of a representative, the following info shall be recorded:
- same as provided for in pints i-ii of Section 11.2.1;
- the name of the document used for establishing and verification of the right of representation, the date of issue and the name or name of the issuing party.
11.2.3.If the Business Relationship is established by the Client or the representative with the use of the ID card or other e-identification system, the data of the document used for identification is saved automatically in the digital signature. If identification takes place at a face-to-face meeting with the Client, the data of the document used for identification is recorded on the copy of the identification document.
11.3.Registration of data of a Client who is a legal personent.
- Name, legal form, registry code, address, date of registration and activity locations;
- information concerning means of communication and contact person(s);
- names of the members of the management board or an equivalent governing body, and their powers to represent the Client, and whether any of them is a PEP;
- information about the Beneficial Owners;
- Field(s) of activity (i.e. the NACE codes);
- name and number of the document used for identification and verification of the identity, its date of issue and the name of the issuing authority;
- country of tax residency of the legal person (VAT number);
- origin of assets (normal business operations/other);
- date of registration of the legal person in the Provider of service’s database;
- purpose of the Business Relationship;
- Name, personal ID code or, in the absence of the latter, date of birth and place of residence;
- type of control over the enterprise (e.g. shareholder);
- is the person a PEP;
- information about the representative as set forth under 11.2.2.
11.5.Storage of Data
- manner, time and place of submitting or updating of data and documents;
- name and position of Representative who has established the identity, checked or updated the data.
12.1.Notification of the CO
12.1.1.Any circumstances identified in the Business Relationship are unusual or suspicious or there
are characteristics which point to Money Laundering, Terrorist Financing, or an attempt of the
same the Representative shall promptly notify the CO.
12.2.Notification of FIU
12.3.Termination of the Business Relationship with a Client in the event of suspected Money Laundering , and Terrorist Financing
- The Client fails to present upon identification or upon updating the previously gathered data or the taking of DD measures, true, full and accurate information, or
- The Client or a person associated with the Client does not present data and documents
evidencing of the lawfulness of the economic activities of the Client, or
- the Provider of service suspects for any other reasons that the Client or the person associated with the Client is involved in Money Laundering or Terrorist Financing, or
- the documents and data submitted by the Client do not dispel the Provider of service’s suspicions about the Client’s possible links with Money Laundering or Terrorist Financing.
12.4.Indemnification of the Representatives
13. Implementation of International Sanctions
- regularly follow the webpage of FIU (https://www.politsei.ee/et/organisatsioon/rahapesu/finantssanktsiooni-subjekti-otsingja-muudatused-sanktsioonide-nimekirjas/) and immediately take measures provided for in the act on the imposition or implementation of International Sanctions;
- upon entry into force of an act on the imposition or implementation of International Sanctions, the amendment, repeal or expiry thereof, immediately check whether any of the Clients is subject to International Sanctions with regard to whom the financial sanction is imposed, amended or terminated;
- if an act on the imposition or implementation of International Sanctions is repealed, expires or is amended in such a manner that the implementation of International Sanctions with regard to the subject of International Sanctions is terminated wholly or partially, terminate the implementation of the measure to the extent provided for in the act on the imposition or application of International Sanctions;
- keep an updated record of subjects of International Sanctions and submit this information to the Representatives in the form that allows to use this information in the course of their activity;
- provide training to the Representatives that allows them to establish independently the subjects of International Sanctions;
- assist the Representatives if they have doubt or knowledge that a Client is a subject to International Sanctions;
- supervise the application of the Rules regarding the implementation of International Sanctions by the Representatives;
- review and keep updated the Rules regarding the implementation of International Sanctions
- notify FIU of Clients who are subject to International Sanctions or in part of whom the CO, the Representatives have doubts;
- keep record of made checks, notifications submitted to FIU and applied measures in part of detected subjects to International Sanctions.
- Time of inspection;
- Name of person who carried out inspection;
- Results of inspection;
- Measures taken.
15. Internal audit and amendment of the Rules
- time of the inspection;
- name and position of the person conducting the inspection;
- purpose and description of the inspection;
- analysis of the inspection results, or the conclusions drawn on the basis of the inspection.
Exhibit 1a. Contracting states of the European Economic Area
Exhibit 1b. Countries who have established Anti-Money Laundering requirements equivalent to theEuropean Union AML framework
Exhibit 1c. List of risk countries (countries which according to FATF does not follow requirements of prevention of
Money Laundering and Terrorism Financing)
Exhibit 1d. List of countries that are NOT regarded as low tax rate countries