Políticas

GRUPO TRANSFI
POLÍTICA DE PRIVACIDAD GLOBAL

Última actualización: octubre de 2024

CONTACTA CON NOSOTROS
Si tiene alguna pregunta sobre esta Política de privacidad, puede ponerse en contacto con nosotros:
Por correo electrónico: compliance@transfi.com

1. ¿Cuál es el objetivo de la política de privacidad de TransFi?

«TransFi» se refiere a Trans-Fi Inc. y sus filiales y subsidiarias en todo el mundo, incluidas Trans-Fi UAB y NEOMONEY INC. (en conjunto, «TransFi Group», «TransFi», «nosotros», «nos» o «nuestro»).

TransFi puede compartir sus datos personales con sus otras entidades (subsidiarias y afiliadas) y usarlos de acuerdo con esta Política de privacidad.

El objetivo de la política de privacidad de TransFi (todas las subsidiarias y afiliadas) (la «Política de privacidad») es comprometerse a proteger su privacidad. Lea esto detenidamente, ya que esta política es legalmente vinculante cuando decide utilizar nuestros Servicios. A los efectos de las normas de protección de datos pertinentes, TransFi puede actuar como «controlador de datos», «procesador de datos» o ambas cosas sobre su información.

Esta Política de privacidad describe cómo recopilamos, usamos, manejamos y, bajo ciertas condiciones, divulgamos sus datos personales cuando accede a nuestros Servicios, que incluyen nuestro contenido en el sitio web ubicado en www.transfi.com o cualquier otro sitio web, página, función o contenido que poseamos u operemos, incluida la plataforma de transacciones de pagos de TransFi (en conjunto, los «sitios web») o cualquier widget, interfaz de programación de aplicaciones («API») de TransFi o aplicaciones de terceros que dependan de dicha API, productos (Payouts, Collections y Ramp) y servicios relacionados (denominados colectivamente «Servicios»).

Esta Política de privacidad también explica las medidas que hemos tomado para proteger su información personal. Por último, esta Política de privacidad explica sus opciones con respecto a la recopilación, el uso y la divulgación de su información personal. Al visitar el sitio web, usted acepta las prácticas descritas en esta Política de privacidad para el sitio web. Si no reconoce ni acepta esta Política de privacidad, no podrá utilizar los Servicios.

Si tiene alguna pregunta sobre esta política, envíela a compliance@transfi.com.

2. ¿Qué información personal recopilamos de usted?

Por información personal se entiende cualquier dato relacionado con una persona viva que pueda identificarse a partir de esos datos, o a partir de esos datos y otra información, que esté en posesión de TransFi (o sus representantes o proveedores de servicios) o que pueda llegar a estar en posesión de TransFi (o de sus representantes o proveedores de servicios). Además de la información, incluye cualquier expresión de opinión sobre una persona y cualquier indicación de las intenciones de TransFi o de cualquier otra persona con respecto a una persona. La definición de información personal depende de la ley pertinente aplicable a su ubicación física. Los datos que TransFi puede recopilar y utilizar sobre usted se describen a continuación en las secciones 2.1-2.3 de esta Política de privacidad.

TransFi obtiene información sobre usted de varias fuentes. «Usted» puede ser una persona física o jurídica que celebre un acuerdo de servicios empresariales con TransFi y/o cree una cuenta de usuario con TransFi y utilice los Servicios prestados o a través de nuestro sitio web o API («Usuario»), una entidad legal o empresa identificada según los requisitos de identificación contra el lavado de dinero («AML») o la financiación del terrorismo («CTF») según la normativa local, verificada por TransFi, que utiliza nuestros Servicios para cobrar pagos y realizar pagos o facilita transferencias transfronterizas («Cliente»), una entidad legal que tiene una relación contractual con un Es cliente de TransFi y puede estar sujeto a requisitos de identificación de AML/CTF, verificados por TransFi o por el Cliente («Comerciante»), una entidad legal que es cliente de un comerciante y puede estar sujeta a requisitos de identificación de AML/CTF, verificados por TransFi o el comerciante («subcomerciante»), o personas físicas o jurídicas que son los usuarios finales de los comerciantes que interactúan con los Servicios prestados («Usuario final»). También puede ser un destinatario/beneficiario de uno de nuestros Servicios o un visitante de nuestro sitio web u otro servicio que enlace a nuestra API y nuestros Servicios. Si usted es un comerciante, un subcomerciante o un usuario final, el uso que haga de los Servicios se regirá por el acuerdo aplicable entre TransFi y el cliente correspondiente.

2.1 Información que nos proporciona

Esto incluye la información que nos proporciona para establecer una cuenta y acceder a nuestros Servicios. Esta información es exigida por ley (por ejemplo, para verificar tu identidad), necesaria para prestar los Servicios solicitados (por ejemplo, tendrás que proporcionar tu número de cuenta bancaria si quieres vincular esa cuenta a TransFi) o es relevante para nuestros intereses legítimos, que se describen con más detalle a continuación.

La naturaleza de los Servicios que utilice o con los que interactúe determinará el tipo de información personal que podríamos solicitar, pero puede incluir:

• Información de identificación personal: nombre completo, fecha de nacimiento, edad, nacionalidad/ciudadanía, país de residencia, detalles de identificación emitidos por el gobierno (incluidos el número de identificación, el tipo de identificación, las fechas de emisión y caducidad), número de seguro social, número de identificación fiscal, credenciales de cuenta, geolocalización, detalles únicos del dispositivo, información de red o dirección de protocolo de Internet, dirección de billetera, sexo, firma, facturas de servicios públicos, fotografías, número de teléfono, domicilio, correo electrónico y/o cualquier otra información que se considere necesaria para cumplir con nuestras obligaciones legales en virtud de las leyes y reglamentos aplicables;
• Documentos de identidad oficiales: documentos de identidad emitidos por el gobierno, como un pasaporte, una visa o un documento de identidad nacional, una tarjeta de identificación estatal, una licencia de conducir y/o cualquier otra información que se considere necesaria para cumplir con nuestras obligaciones legales en virtud de las leyes y reglamentos aplicables;
• Información financiera: información de la cuenta bancaria, información de la tarjeta de pago, número de identificación fiscal («TIN»), historial de transacciones, datos comerciales. Para los detalles de la transacción, almacenamos los detalles del pedido, el número de cuenta bancaria del usuario, el nombre de la cuenta bancaria y la información de la tarjeta, incluidos el nombre del titular de la tarjeta, el número de tarjeta, el CVV y la fecha de caducidad. Como contamos con la certificación del estándar de seguridad de datos del sector de las tarjetas de pago («PCI DSS»), podemos almacenar esta información de forma segura para cumplir con nuestras obligaciones de cumplimiento y garantizar la seguridad de los datos. Si bien no almacenamos las credenciales de inicio de sesión de su cuenta de usuario de TransFi, gestionamos y almacenamos de forma segura los datos de las tarjetas de acuerdo con las normas PCI DSS. La información de las tarjetas de pago también puede procesarse a través de nuestro sistema durante las transacciones realizadas a través de proveedores de servicios externos seguros.
• Información de transacciones: información sobre las transacciones que realiza en relación con nuestros Servicios, como el nombre del destinatario, su nombre, el importe y/o la marca de tiempo, el propósito de la transacción y la jurisdicción de la transacción;
• Información de verificación: para verificar su identidad, incluida la información para las comprobaciones de fraude y otra información que proporcione, incluidas imágenes suyas y un control de calidad;
• Información de empleo: ubicación de la oficina, cargo y/o descripción del puesto; o
• Correspondencia: respuestas a la encuesta, información proporcionada a nuestro equipo de soporte o equipo de investigación de usuarios.

Si es una empresa, podemos solicitar información como el número de identificación de su empleador (o un número comparable emitido por un gobierno), un comprobante de formación jurídica (por ejemplo, escritura de constitución) e información de identificación personal para todos los beneficiarios reales importantes a los efectos de Conozca su negocio («KYB»).

Si no nos proporciona la siguiente información, es posible que no podamos proporcionarle los Servicios o que su uso de los Servicios esté restringido.

Además de la información que nos proporciona en relación con su uso de los Servicios, también puede optar por enviarnos información a través de otros canales, incluso en relación con una relación comercial real o potencial con TransFi.

2.2 Información que recopilamos automáticamente o generamos sobre usted

Esto incluye la información que recopilamos automáticamente, por ejemplo, cada vez que interactúa con nuestro sitio web o utiliza nuestros servicios. Con respecto al uso de nuestros Servicios, podemos recopilar automáticamente la siguiente información:

• Detalles de las transacciones que realiza al utilizar nuestros Servicios, incluida la ubicación geográfica desde la que se origina la transacción;
• Información técnica, incluida la dirección de protocolo de Internet («IP») utilizada para conectar su computadora a Internet, su información de inicio de sesión, el nombre, el tipo y la versión del navegador, la configuración de la zona horaria, los tipos y versiones de los complementos del navegador, el sistema operativo, los detalles y la plataforma de geolocalización y seguimiento y los detalles del dispositivo;
• Información sobre su visita, incluidos los datos de autenticación, las preguntas de seguridad, el flujo de clics de los localizadores uniformes de recursos («URL») completos hacia, desde y desde nuestro sitio web o aplicación móvil (incluidas la fecha y la hora); los productos que ha visto o buscado; los tiempos de respuesta de las páginas, los errores de descarga, la duración de las visitas a ciertas páginas, la información de interacción con la página (como el desplazamiento, los clics y el paso del ratón) y los métodos utilizados para salir de la página y cualquier correo electrónico utilizado para contactar nosotros.
• Cookies y otras tecnologías. Al igual que muchos sitios web, nuestro sitio web emplea cookies, servicios basados en la ubicación y balizas web (también conocidas como tecnología GIF transparente o «etiquetas de acción») para acelerar su navegación por nuestro sitio web, reconocerle a usted y sus privilegios de acceso y realizar un seguimiento de su uso. Por favor, lea nuestro Política de cookies para obtener más información.

2.3 Información recopilada de terceros

Podemos recibir información sobre usted si visita o utiliza nuestro sitio web o utiliza nuestros servicios. Esto incluye la información que podemos obtener sobre usted de fuentes de terceros. Los principales tipos de terceros de los que recibimos su información personal son:

• Bases de datos públicas, socios de verificación de identidad para verificar su identidad de acuerdo con la ley aplicable. Los socios de verificación de identidad utilizan una combinación de registros gubernamentales e información disponible públicamente sobre ti para verificar tu identidad. Dicha información puede incluir su nombre, dirección, puesto laboral, perfil de empleo público, situación en las listas de sanciones mantenidas por las autoridades públicas y otros datos relevantes;
• Datos de blockchain para garantizar que las partes que utilizan nuestros Servicios no participen en actividades ilegales o prohibidas, jurisdicciones sancionadas, redes oscuras, abuso infantil, etc., y para analizar las tendencias de las transacciones con fines de investigación y desarrollo comprobando la dirección de la billetera para determinar la fuente de los fondos;
• Socios de marketing y revendedores para que podamos entender mejor cuáles de nuestros Servicios pueden interesarle;
• Los bancos o proveedores de servicios financieros que utilices para transferirnos dinero nos proporcionarán tu información personal básica, como tu nombre y dirección, así como tu información financiera, como los detalles de tu cuenta bancaria;
• Los socios comerciales pueden proporcionarnos su nombre y dirección, así como información financiera, como la información de pago con tarjeta; y
• Las redes publicitarias, los proveedores de análisis y los proveedores de información de búsqueda pueden proporcionarnos información seudonimizada sobre usted, como confirmar cómo encontró nuestro sitio web.

3. ¿Cómo utilizamos su información personal?

Podemos usar su información de las siguientes maneras y para los siguientes fines:

(a) Uso interno: utilizamos su información personal para proporcionarle nuestros Servicios. Podemos utilizar su información personal para mejorar el contenido y el diseño de nuestro sitio web y mejorar nuestras iniciativas de marketing. Además, utilizamos su información para garantizar la seguridad y la integridad de nuestros Servicios mediante la protección contra las actividades fraudulentas, no autorizadas o ilegales, la supervisión de la identidad y el acceso a los servicios y la gestión de los riesgos de seguridad.

(b) Comunicaciones con usted: de acuerdo con sus preferencias y de conformidad con la ley aplicable, podemos enviarle comunicaciones de marketing para informarle sobre eventos, ofrecer marketing dirigido y compartir ofertas promocionales. Esto puede implicar enviarle comunicaciones por correo electrónico o notificaciones desde aplicaciones móviles sobre nuestros Servicios, funciones, promociones, encuestas, noticias, actualizaciones y eventos, gestionar su participación en promociones y eventos, ofrecer marketing dirigido y determinar información general sobre el comportamiento de uso de los visitantes en el sitio web. Nuestra comercialización se llevará a cabo de acuerdo con sus preferencias de publicidad y marketing y según lo permita la ley aplicable. Necesitamos cierta información, como su identificación, detalles de contacto y pago, para proporcionar y mantener nuestros Servicios. Si es un nuevo usuario o cliente, nos pondremos en contacto con usted por medios electrónicos con fines de marketing únicamente si ha dado su consentimiento a dicha comunicación. Si no desea que le enviemos comunicaciones de marketing, vaya a la configuración de su cuenta para excluirse o envíe una solicitud a través de Correo electrónico: compliance@transfi.com.

Es posible que le enviemos actualizaciones del servicio sobre información administrativa o relacionada con la cuenta, problemas de seguridad u otra información relacionada con las transacciones. Estas comunicaciones son importantes para compartir las novedades relacionadas con su cuenta que pueden afectar a la forma en que puede utilizar nuestros Servicios. No puede optar por dejar de recibir comunicaciones de servicio críticas.

También procesamos su información personal cuando se pone en contacto con nosotros para resolver cualquier pregunta, disputa, cobrar tarifas o solucionar problemas. Sin procesar su información personal para tales fines, no podemos responder a sus solicitudes y garantizar su uso ininterrumpido de los Servicios.

(c) Cumplimiento legal y reglamentario: TransFi debe procesar su información personal de conformidad con las leyes de AML/CTF y de seguridad, que pueden incluir la recopilación, el uso y el almacenamiento de su información de ciertas maneras. Por ejemplo, debemos identificar y verificar a los clientes que utilizan nuestros Servicios, lo que incluye recopilar una identificación con fotografía y utilizar proveedores de servicios externos para comparar su información personal con la de las bases de datos y los registros públicos. Cuando intentes vincular una cuenta bancaria a tu cuenta de TransFi, podemos solicitar información adicional para verificar tu identidad o dirección y gestionar el riesgo, según lo exige la ley aplicable. Además, podemos divulgar información personal en respuesta a solicitudes de las fuerzas del orden, citaciones, órdenes judiciales o según lo exija la ley, y cuando sea necesario para proteger nuestros derechos legales, hacer cumplir los acuerdos o prevenir el fraude y el abuso de nuestros Servicios. Esto incluye los esfuerzos para reducir el riesgo de comprometer la cuenta o la pérdida de fondos, investigar las quejas, reclamaciones o disputas y cumplir con las solicitudes o consultas reglamentarias o legales.

(d) Uso externo: divulgamos información a nuestros proveedores de servicios para que puedan prestar los Servicios en su nombre. Por ejemplo, para facilitar la compra y custodia de activos digitales, compartimos cierta información con terceros, como su nombre, dirección de correo electrónico, dirección física, número de seguro social, fecha de nacimiento, identificación emitida por el gobierno y la cantidad de activos digitales que se están comprando. Además, los tipos de datos que recopilamos y compartimos con terceros se describen anteriormente en la información que nos proporciona, que incluye su fecha de nacimiento, país de residencia, nombre y apellidos, número de identificación, tipo de identificación, fecha de emisión y fecha de caducidad de la identificación, su cuenta bancaria número, nombre de la cuenta bancaria e información de la tarjeta, incluido el nombre de la tarjeta, el número de la tarjeta, el CVV y la fecha de caducidad.

Podemos compartir información no personal (como la cantidad de visitantes diarios a nuestro sitio web o el tamaño de un pedido realizado en una fecha determinada) con terceros. Esta información no lo identifica personalmente ni directamente a usted ni a ningún usuario. Para evitar cualquier duda, cualquier dirección IP, dispositivo u otro identificador que recopilemos puede compartirse con uno o más terceros.

(e) Nuestros intereses comerciales legítimos: en ocasiones, el procesamiento de su información personal es necesario para nuestros intereses comerciales legítimos, como:

• control de calidad y formación del personal;
• para mejorar la seguridad, supervisar y verificar la identidad o el acceso a los servicios y combatir el spam u otro malware o riesgos de seguridad;
• fines de investigación y desarrollo;
• para mejorar su experiencia con nuestros Servicios y Sitio web;
• para facilitar las adquisiciones, fusiones o transacciones corporativas;

para llevar a cabo las operaciones internas necesarias para prestar nuestros Servicios, incluida la resolución de errores de software y problemas operativos.

4. ¿Qué información personal divulgamos a terceros?

Permitimos que accedan a su información personal solo aquellos que requieren acceso para realizar su trabajo y la compartimos solo con terceros que tengan un propósito legítimo para acceder a ella. TransFi nunca venderá ni alquilará su información personal a terceros sin su consentimiento explícito. Solo compartiremos su información personal con terceros seleccionados, entre los que se incluyen:

• Servicios de verificación de identidad para prevenir el fraude. Esto permite a TransFi confirmar su identidad comparando la información que nos proporciona con los registros públicos y otras bases de datos de terceros;
• Instituciones financieras con las que nos asociamos para procesar los pagos que ha autorizado;
• Filiales, socios comerciales, proveedores y subcontratistas para el cumplimiento y la ejecución de cualquier contrato que celebremos con ellos o con usted;
• proveedores de análisis y motores de búsqueda que nos ayudan a mejorar y optimizar nuestro sitio web;
• Empresas u otros terceros en relación con transferencias comerciales o procedimientos de quiebra;
• Empresas u otras entidades que compren activos de TransFi;
• Las fuerzas del orden, los reguladores o cualquier otro tercero cuando la ley aplicable nos obligue a hacerlo o si creemos de buena fe que dicho uso es razonablemente necesario, incluso para proteger los derechos, la propiedad o la seguridad de TransFi, los clientes de TransFi, terceros o el público; cumplir con las obligaciones o solicitudes legales; hacer cumplir nuestros términos y otros acuerdos; o detectar o abordar de otro modo problemas de seguridad, fraude o técnicos; y
• Si autoriza a una o más aplicaciones de terceros a acceder a nuestros Servicios, la información que ha proporcionado a TransFi puede compartirse con esos terceros. Una conexión que autorices o habilites entre tu cuenta de TransFi y una cuenta, instrumento de pago o plataforma que no sea de TransFi se considera una «conexión de cuenta». A menos que otorgue más permisos, TransFi no autorizará a estos terceros a usar esta información para ningún otro propósito que no sea facilitar sus transacciones utilizando nuestros Servicios. Tenga en cuenta que los terceros con los que interactúa deben tener sus propias políticas de privacidad y TransFi no es responsable de sus operaciones ni del uso de los datos que recopilan.

Entre los ejemplos de conexiones de cuentas se incluyen:

• Comerciantes: Si utiliza su cuenta TransFi para realizar una transacción con un comerciante externo, el comerciante puede proporcionarnos datos sobre usted y su transacción.
• Sus proveedores de servicios financieros: por ejemplo, si nos envía fondos desde su cuenta bancaria, su banco nos proporcionará información de identificación además de información sobre su cuenta para completar la transacción.

Usted reconoce y acepta que TransFi puede continuar usando y divulgando sus datos personales durante un período razonable después de la finalización de la relación entre usted y TransFi para uno o más de los siguientes propósitos:

• para permitir a TransFi cumplir con sus obligaciones pendientes con usted en virtud de cualquier acuerdo, si corresponde;
• para permitir a TransFi hacer valer sus derechos en virtud de cualquier acuerdo, si corresponde;
• para cualquier propósito para el que haya otorgado su consentimiento por escrito;
• según lo exija la ley aplicable; y según lo exija una orden de un tribunal de jurisdicción competente.

5. Enlaces a otros sitios

Nuestro sitio web puede contener enlaces a otros sitios web para su comodidad o información. Estos sitios web son operados por entidades no afiliadas a TransFi, y no controlamos, respaldamos ni nos hacemos responsables de su contenido o prácticas de privacidad. Cada sitio web enlazado puede tener sus propias condiciones de uso y políticas de privacidad, que pueden diferir de las nuestras. Le recomendamos que revise estas políticas cada vez que visite sitios web de terceros, ya que TransFi no es responsable de las prácticas o políticas de estos sitios externos.

6. ¿Cómo protegemos y almacenamos la información personal?

TransFi implementa y mantiene medidas razonables para proteger su información personal. Sus archivos están protegidos con medidas de seguridad de acuerdo con la sensibilidad de la información relevante. Nuestros sistemas informáticos están sujetos a controles razonables (como el acceso restringido).

TransFi es una empresa internacional con operaciones en varios países. Esto significa que podemos transferirnos a ubicaciones fuera de su país. Cuando transfiramos su información personal a otro país, nos aseguraremos de que cualquier transferencia de su información personal cumpla con la ley de protección de datos aplicable.

Podemos almacenar y procesar toda o parte de su información personal y transaccional, incluida cierta información de pago, como su cuenta bancaria cifrada o sus números de ruta. Protegemos su información personal mediante el mantenimiento de medidas de seguridad físicas, electrónicas y procedimentales de conformidad con las leyes y reglamentos aplicables.

Como condición de empleo, los empleados de TransFi deben cumplir con todas las leyes y reglamentos aplicables, incluso en relación con la ley de protección de datos. El acceso a la información personal confidencial está limitado a los empleados que la necesitan para desempeñar sus funciones. El uso o la divulgación no autorizados de la información confidencial de los clientes por parte de un empleado de TransFi están prohibidos y pueden dar lugar a medidas disciplinarias.

Por último, confiamos en proveedores de servicios externos para la seguridad física de algunos de nuestros equipos informáticos. Exigimos a esos proveedores de servicios externos que cumplan con las prácticas y medidas de seguridad razonables desde el punto de vista comercial. Por ejemplo, cuando visita nuestro sitio web, accede a servidores que se mantienen en un entorno seguro. Si bien tomamos las precauciones estándar del sector para proteger su información personal y su cuenta, ningún sistema puede ser completamente seguro. Como tal, asumes el riesgo de posibles infracciones y sus consecuencias. Para proteger tu cuenta, protege tus credenciales, elige una contraseña compleja al registrarte, habilita funciones de seguridad avanzadas como la autenticación de dos factores y nunca compartas las credenciales de tu cuenta con terceros.

Si anonimizamos su información personal para que ya no pueda asociarse con usted, ya no se considerará información personal y podremos usarla sin previo aviso.

No solicitamos a sabiendas recopilar información personal de ninguna persona menor de 18 años. Si se sospecha que un usuario que envía información personal es menor de 18 años, TransFi requerirá que el usuario cierre su cuenta y no permitirá que el usuario siga utilizando nuestros Servicios. También tomaremos medidas para eliminar la información lo antes posible.

Conservamos la información personal durante el tiempo que sea razonablemente necesario para cumplir con los fines previstos y cumplir con nuestras obligaciones contractuales y legales. Las direcciones de correo electrónico y los números de teléfono se almacenan hasta que el usuario utilice los servicios de TransFi, y los datos se conservan durante cinco años una vez que el usuario se da de baja o se da de baja. La información se eliminará o se anonimizará cuando ya no sea necesaria, a menos que la ley exija una retención más prolongada. TransFi conserva cierta información en virtud de las regulaciones AML/CTF y conserva los datos durante un período de cinco años. Si no podemos eliminar por completo o anonimizar la información, tomaremos las medidas razonables para evitar su procesamiento posterior.

7. ¿Elaboramos perfiles y tomamos decisiones de forma automatizada?

Es posible que usemos algunos casos de sus datos para personalizar nuestros Servicios y la información que le proporcionamos, y para satisfacer sus necesidades, como su país de dirección y el historial de transacciones. Por ejemplo, si envías fondos con frecuencia de una divisa concreta a otra, podemos utilizar esta información para informarte sobre nuevas actualizaciones de productos o funciones que puedan resultarte útiles. Al hacerlo, tomamos todas las medidas necesarias para garantizar la protección de tu privacidad y seguridad, y solo utilizamos datos seudonimizados siempre que sea posible. Esta actividad no tiene ningún efecto legal sobre usted.

8. ¿Cuáles son sus derechos de privacidad y acceso a la información?

Según la ley aplicable de su lugar de residencia, es posible que pueda hacer valer ciertos derechos relacionados con su información personal. Estos derechos incluyen:

• el derecho a obtener información sobre el procesamiento de su información personal y el acceso a la información personal que tenemos sobre usted;
• el derecho a retirar su consentimiento para el procesamiento de su información personal en cualquier momento. Sin embargo, tenga en cuenta que es posible que sigamos teniendo derecho a procesar su información personal si tenemos otro motivo legítimo para hacerlo (por ejemplo, es posible que necesitemos conservar la información personal para cumplir con una obligación legal);
• en algunas circunstancias, el derecho a recibir cierta información personal en un formato estructurado, de uso común y legible por máquina y/o solicitar que transmitamos esos datos a un tercero cuando sea técnicamente posible. Tenga en cuenta que este derecho solo se aplica a la información personal que haya proporcionado directamente a TransFi;
• el derecho a solicitar que rectifiquemos su información personal si es inexacta o está incompleta;
• el derecho a solicitar que eliminemos su información personal en determinadas circunstancias. Tenga en cuenta que puede haber circunstancias en las que nos pida que eliminemos su información personal, pero tenemos el derecho legal de conservarla;
• el derecho a objetar o solicitar que restrinjamos nuestro procesamiento de su información personal en determinadas circunstancias. Una vez más, puede haber circunstancias en las que se oponga a nuestro procesamiento de su información personal o nos pida que restrinjamos, pero tenemos el derecho legal de rechazar esa solicitud;
• el derecho a presentar una reclamación ante el regulador de protección de datos correspondiente si cree que hemos infringido alguno de sus derechos; y
• el derecho a transferir sus datos personales entre controladores de datos, por ejemplo, para mover los detalles de su cuenta de una plataforma en línea a otra.

Nuestros Servicios pueden, de vez en cuando, contener enlaces hacia y desde los sitios web de nuestros socios, anunciantes y afiliados. Si sigue un enlace a cualquiera de estos sitios web, tenga en cuenta que estos sitios web tienen sus propias políticas de privacidad y que no asumimos ninguna responsabilidad por ellas. Consulte estas políticas antes de enviar cualquier dato personal a estos sitios web. Puede obtener más información sobre sus derechos poniéndose en contacto con la autoridad supervisora de protección de datos ubicada en su jurisdicción.

Sujeto a las leyes aplicables, es posible que tenga derecho a acceder a la información que tenemos sobre usted. Su derecho de acceso puede ejercerse de acuerdo con la legislación de protección de datos pertinente.

9. ¿Con qué frecuencia se actualiza la Política de privacidad?

Podemos actualizar esta Política de privacidad de vez en cuando y sin previo aviso para reflejar los cambios en nuestras prácticas de información, y cualquier modificación de este tipo se aplicará a la información ya recopilada y que se recopilará. El uso continuado de nuestro sitio web o de cualquiera de nuestros servicios después de cualquier cambio en esta Política de privacidad indica que acepta los términos de la Política de privacidad revisada.

Revise esta Política de privacidad periódicamente y especialmente antes de proporcionarnos datos personales. Si realizamos cambios importantes en esta Política de privacidad, se lo notificaremos aquí, por correo electrónico o mediante un aviso en la página de inicio de nuestro sitio web. La fecha de la última actualización de la Política de privacidad se indica en la parte superior de este documento.

10. ¿Cómo puede ponerse en contacto con nosotros en relación con cualquier pregunta sobre privacidad?

Si tiene alguna pregunta sobre esta Política de privacidad, póngase en contacto con nosotros en compliance@transfi.com o envíe un correo físico a la entidad correspondiente que se indica a continuación:

Trans-Fi UAB

calle Lvivo 21A, Vilna LT-09313, Lituania

NEOMONEY INC.

325 Front Street West, segundo piso

Toronto, ON M5V2Y1

Canadá

Política de KYC de TransFi AML

Última actualización: abril de 2025February 2025

‍

‍

1. INTRODUCTION 
   
   1. The purpose of this Policy is to define the ML / TF prevention measures and the enforcement thereof in the process of the Company’s operations.
   2. The Company shall carry out its business aiming to ensure effective prevention of ML / TF as required by the Law and other applicable legal requirements and good practice. Taking this into account, all employees of the Company shall adhere to the procedure and requirements for the implementation of the ML / TF prevention measures as outlined herein.
   3. Managing ML/TF risks shall be an integral part of the Company’s overall risk management system. Considering the scope and nature of its business, the Company shall implement ML / TF risk identification, assessment, and management procedures, as well as effective tools to mitigate such risks.
   4. In managing its ML / TF risks, the Company shall at all times ensure compliance with the requirements outlined in the present Policy to the maximum extent possible. 
   5. In case the Company performs certain functions related to the ML/TF field (for instance, Customer identification, and monitoring) through third parties, the Company shall ensure that such third parties also comply with requirements established under the Policy and the Law. 
2. RISK APPETITE STATEMENT

‍

1. The Company has zero tolerance for financial crime, regulatory breaches, and any attempt to circumvent the Company’s financial crime policies and controls. However, being engaged in the provision of Services, the Company cannot completely avoid ML / TF risks, and aiming to minimize them to the lowest extent possible, the Company applies relevant control measures which are described in this Policy and which are technically ensured in real activities. 
2. While engaging in provision of Services, the Company adheres to the following core principles (list not exhaustive):
   
   1. To show zero tolerance for the facilitation of financial crime, money laundering, financing of terrorism, and fraud;
   2. To avoid knowingly conducting business with individuals or entities believed to be engaged in inappropriate and unlawful behavior;
   3. To avoid risks that could jeopardize the Company’s strategic plans, including activities that could make the Company vulnerable to any type of public or private litigation or enforcement that could be damaging to the Company’s reputation and cause deterioration of relationship with regulators;
   4. To avoid or seize any activity/service towards which the Company’s management believes that the Company’s control mechanisms cannot protect the Company from risks that exceed the tolerance threshold;
   5. To regularly perform enterprise-wide risk assessment aiming to identify changes within the Customers’, products’, geographics’ and distribution channels’ base and verify whether existing control measures are sufficient to make the residual risk low;
   6. The Company aims to have strong and sufficient control measures mitigating ML / TF risks so that the residual risk would always be low; etc.;
3. Company managers at all levels are particularly responsible for evaluating their risk environment, implementing appropriate controls, and monitoring the effectiveness of those controls. The risk management culture emphasizes careful analysis and management of risk in all business processes.

3. CRYPTOCURRENCIES ACCEPTED. DEALING WITH ANONYMITY 
   
   1. The Company services the following cryptocurrencies: USDC, EUROC, SOL, TON, and BNB. In time, the Company may start servicing other cryptocurrencies as well. 
   2. The Company does not provide any Services involving cryptocurrencies that prioritize anonymity. The Company will apply a wallet screening function, both in deposit and withdrawal cases,  which will allow identification of risky wallets and any exposure to tainted funds in the wallet (e.g. related to sanctioned jurisdictions, dark market, child abuse tumblers, mixers, etc.).
   3. This means that the Company will not process any transactions that cannot be traced back to a specific individual or entity.
4. ACCEPTABLE CLIENTS’ SEGMENT 
   
   1. The Company shall offer and provide Services for both individual and corporate Clients. 
   2. In the case of individuals, any user over 18 years of age is an acceptable Client (below 18 years – not accepted). The upper age limit is 60 years of age for Europe and 70 years of age for other countries we work in (older natural persons are not accepted).
   3. In the case of legal entities, we engage with trusted Customers who are identified and verified thoroughly through the KYB process where we not only verify the documents but also do a thorough internet profiling to know about any online footprint. Additionally, the business relationship is established after several rounds of conversations, which establishes trust. 
5. SERVICE PROVIDERS AND TOOLS
   
   1. The Company leverages certain third-party tools for our Compliance framework:
      
      1. KYC / KYB verification (identity verification) – SumSub (www.sumsub.com);
      2. Crypto transaction monitoring – Chainalysis (https://app.chainalysis.com/); 
      3. Wallet monitoring – Chainalysis (https://app.chainalysis.com/);
      4. Sanctions screening – SumSub (www.sumsub.com);
      5. Internet profiling – With Accend (withaccend.com);
      6. Email risks check – At data (https://instantdata.atdata.com/);
      7. Device and behavior biometrics – Sardine (www.sardine.ai)
6. RESPONSIBLE PERSONS
   
   1. The following bodies and officers are involved in the AML / CTF implementation functions within the Company:
      
      1. the Board;
      2. Responsible AML Board member;
      3. MLRO (2^nd line officer);
      4. CEO (to a certain extent);
      5. Compliance Officer ( 2nd line officer).
   2. The Board shall have the following responsibilities in the AML / CTF area:
      
      1. Approve the AML / CTF Policy and other Policy level documents;
      2. Review quarterly compliance reports submitted by the MLRO. Provide feedback and recommendations; 
      3. Reviewing, giving comments, and approving annual Enterprise-Wide Risk Assessment and its methodology;
      4. Overview the entire AML / CTF framework, decide on the provision of the required budget for AML / CTF measures implementation;
      5. Hear out the Responsible AML Board member and the MLRO, when necessary;
      6. Discuss AML / CTF matters during the Board meetings (based on the prepared agenda), decide on the required actions and measures;
      7. Perform other duties and functions assigned to the Board by this Policy as well as other internal documents of the Company and laws.
   3. The Responsible AML Board member shall have the following responsibilities in the AML / CTF area:
      
      1. Supervise activities of the MLRO, advise and/or give assistance when required by the MLRO; 
      2. Organize the implementation of the AML / CTF framework within the Company. This involved being the first point (with the MLRO) in addressing and highlighting the main AML / CTF aspects that require improvement, change, etc. Such highlighting should be made to the Senior Management; 
      3. If requested by the MLRO, review quarterly compliance reports prepared by the MLRO (prior to the review of the Board as a body);
      4. Perform other duties and functions assigned to the Responsible AML Board member by this Policy as well as other internal documents of the Company and laws.
   4. The MLRO shall have the following responsibilities in the AML / CTF area:
      
      1. Implementing the AML / CTF framework within the Company;
      2. Ensuring timely and proper communication with and timely reporting to FCIS; 
      3. Reporting every quarter to the Senior Management of the Company regarding the Company’s activity data, including the number of Customers onboarded by the Company during the relevant quarter, profiles of such Customers (i.e. how many natural persons and how many legal entities were onboarded during the relevant quarter, from what jurisdictions they are, to which risk groups they were assigned, number of Customers with whom Business Relationship was terminated, etc.). Template of such Quarterly Report is provided as Annex No. 8 to this Policy;
      4. Approving/rejecting high-risk customers; 
      5. Organizing and ensuring ongoing Company employee education in the ML/TF area, including organization of training for employees related to identifying suspicious activity, understanding customer identification, and record-keeping requirements;
      6. Ensuring that all employees working with the Customers and their onboarding, risk assessment, monitoring, etc. are familiarized with this Policy and annexes thereof, and all related Company’s internal documentation;
      7. Ensuring the proper implementation of Know Your Customer requirements in the Company’s activities, including proper assessment of Customer’s identification documents, collection of their copies, record keeping, etc.; 
      8. Ensuring implementation of transaction monitoring procedures;
      9. Ensuring that the Policy and annexes thereof are revised and updated (if needed) regularly (at least once per year);
      10. Ensuring that the Company keeps and maintains all the required records and logs; 
      11. Ensuring that ML/TF prevention measures applied by the Company are properly integrated in the Company’s internal control system; 
      12. Be responsible for writing, updating, and maintaining the Company’s procedures and other documents related to ML/TF prevention area;  
      13. Preparing the annual Enterprise-Wide Risk Assessment and presenting it to the Senior Management; 
      14. Perform other duties and functions assigned to the MLRO by this Policy as well as other internal documents of the Company and laws.
   5. The CEO’s responsibilities shall include, but shall not be limited, to:
      
      1. Ensuring that the Company’s UBOs data are provided to the JANGIS (Centre of Register of Lithuania) in time;
      2. Getting familiar with all documents, reports, and information submitted by the MLRO and/or the Board of Directors; 
      3. Approving the Procedure, Rules, Methodology, and Description level documents (the Board shall also have a right to approve such level documents);
      4. Implement Board of Directors decisions to the extent requiring the CEO’s involvement; 
      5. Perform other duties and functions assigned to the CEO by this Policy as well as other internal documents of the Company and laws.
   6. The Compliance Officer shall have the following responsibilities in the AML / CTF area:
      
      1. Ensure that the risk of non-compliance with Applicable Laws is properly managed, that ongoing monitoring of non-compliance risk is performed, non-compliance risks are identified and assessed and measures of managing such risks are planned and implemented;
      2. Identify the need for changes in the regulation of the Company’s activities, identify regulation gaps, including gaps arising from amendments to Applicable Laws, inform the Management Bodies of these gaps and required changes, draft compliance-related documentation, and participate in the development of internal rules and procedures of the Company related to the compliance risks;
      3. Prepare, on the basis of elements provided in Annex no. 1 to this Policy, an annual Compliance Monitoring Programme and implement supervision of compliance based on this programme;
      4. Oversee compliance monitoring activities across the Company, ensure that identified gaps are corrected, implement relevant recommendations, and provide updates to the Management Bodies. Analyze proposed amendments to legal acts, inform the Management Bodies and employees of upcoming requirements, and ensure the Company is prepared for these changes;
      5. Organize and direct investigations in situations where non-compliance with Applicable Laws is suspected, examine all cases of non-compliance, determine the level of risk in each case, and implement urgent measures to ensure compliance in the future;
      6. Participate in the decision-making process to ensure compliance requirements are met, provide advice on risks related to new services, and substantial changes in existing services, and offer input on legal requirements related to business decisions, license updates, or renewals;
      7. Set compliance principles, rules, and procedures, monitor the efficiency of risk management measures related to compliance with Applicable Laws, and make proposals for the regulation of the Company’s compliance processes;
      8. Provide information and assist in organizing training for employees on compliance-related areas and changes in compliance-related Applicable Laws, participate in the process of conducting compliance training for new employees, and inform the team leads of Functions about changes in legal provisions on a regular or ad hoc basis. The team leads of structural units must pass the information to their subordinates;
      9. Inform the Management Bodies of any breaches of Applicable Laws, prepare and submit reports on their activities, record situations where deviations from the Compliance Officer’s recommendations are observed, and take part in the meeting of the Management Bodies at which the compliance risk assessment reports and/or the reports on the implementation of compliance function are considered;
      10. Liaise with the Supervisory Body, Financial Crime Investigation Service of the Republic of Lithuania (FCIS), perform the function of a contact person or coordinate the relationships with them, and provide information to the Supervisory Body and other competent institutions about incidents and other significant circumstances, take part in the investigations, checks, inspections, and other actions taken by supervisory authorities to the extent not covered by the Money Laundering Reporting Officer;
      11. Receive information about important customers’ complaints, take part in the complaints handling process, where required, and supervise complaints’ handling process in case of need;
      12. Undertake any other duties as assigned by the Board or derived from internal documentation.
   7. Rights, functions, responsibilities, duties, etc. of the above-listed bodies and officers, as well as other positions formed within the Company, may be established in other internal documents as well. The above lists shall be read as initial (general) ones.
7. Customer IDENTIFICATION The Company’s Customers are legal entities and natural persons.
   
   1. The Company performs Customers’ identification procedures remotely. Physical identification measures are not applied by the Company.
   2. Detailed instructions on Customer identification procedures and applicable requirements are established under Annex No. 1 to this Policy.
8. RISK ASSESSMENT 

Risk groups 

1. To assess the ML/TF risks, the Company shall deploy a risk-based approach.
2. The Company recognizes the following types of risks relevant to its activities:

1. According to the nature:
   
   1. Customer risk;
   2. Country / geographical area risk;
   3. Product/services risk; 
   4. Delivery channel risk.
2. According to the risk level:
   
   1. Low;
   2. Medium;
   3. High.
   4. Unacceptable

Individual risk assessment

3. The Company shall perform an individual risk assessment of each Customer:

1. Before entering into the Business Relationship with the Customer; or

Client

2. In case the Company becomes aware of certain circumstances indicating the possible change in Customer’s risk group;
3. In case of concerns regarding the correctness of previously collected Customer’s KYB / KYC data or when there are concerns that possible ML / TF activity may be taking place. 

4. Each Customer of the Company shall always be assigned to the relevant risk group. The Company must maintain a tool for Customer risk segmentation which allows, after assessing relevant individual circumstances of the Customer, to assign the Customer to a relevant risk group as listed under Section 8.2 above.

Enterprise-wide risk assessment

5. The Company shall at least once a year perform Enterprise-Wide Risk Assessment of all risks relevant to its activities (Clause 8.2(i) of this Policy). The purpose of such assessment is to establish the risk level to which the Company is exposed to be able to assess how relevant risk criteria and risk levels evolved over time and to decide whether identified changes require putting in place additional measures or to re-consider set risk tolerance levels. 
6. Enterprise-Wide Risk Assessment shall be performed in a written format. The MLRO is responsible for the performance of the Enterprise-Wide Risk Assessment which shall be prepared and submitted to the Senior Management of the Company. The Enterprise-Wide Risk Assessment shall be performed by the MLRO of the Company following the risk assessment methodology to be approved by the Board.

9. MONITORING OF BUSINESS RELATIONSHIP 

1. The Company shall carry out ongoing monitoring of the Business Relationship and wallets. This includes transaction monitoring and keeping the underlying Customer’s information up to date.
2. The Company shall ensure and apply both the instant and retrospective monitoring procedures. The difference between them is that:

1. Instant monitoring – following criteria and scenarios set by the Company, the system „catches” potentially suspicious transactions or operations and does not release them until the MLRO or other authorized compliance employee looks into it and ascertains that the transaction/operation is not suspicious and may be released. Such an assessment shall be started by the MLRO or other authorized compliance employee within 1 (one) business day as of the day when the alert is generated. The alert assessment time should be reasonable, and the MLRO or other authorized compliance employee should take appropriate and timely measures to ascertain whether the transaction/operation is suspicious or not. If the Customer is requested to provide additional information needed for the assessment, the overall alert assessment term may be extended, however, in such a case the Customer needs to be informed that the Customer’s transaction/operation will not be executed until the Customer provides sufficient information. The term shall not be extended for more than 4 days in total (except for very specific situations when there is a reasonable ground to extend the term more). If the Customer fails to provide requested information and/or if the assessment shows that the transaction or operation is suspicious, the MLRO of the Company shall submit a Suspicious Operation Report to FCIS as specified under Section 13 of this Policy. 

‍

2. Retrospective monitoring – there are two types of retrospective monitoring to be applied by the Company:

‍

1. Following criteria and scenarios set by the Company, the system „catches” activities that are not standard for the particular Customer, but which are executed and not blocked on a real-time basis. Such „caught” transactions or operations shall be assessed by MLRO or other authorized compliance employee no later than within 30 calendar days period from the moment the relevant transaction or operation was flagged in the retrospective monitoring system. If the assessment shows that the transaction or operation is suspicious, the MLRO of the Company shall submit a Report to FCIS;
2. On a regular basis but not less frequently than once per half a year the MLRO may decide to check historical transactions of a relevant type of Customer which would serve as a secondary measure in addition to the main retrospective monitoring procedure described in item (a) above. The aim of such additional checks is to ascertain that all potentially suspicious or non-standard transactions were found and assessed by the Company. MLRO shall be responsible and shall decide what type of Customers should be checked (e.g. 10 biggest Customers according to the amount of their payments; Customers whose payments are related to high-risk geographical regions, etc.).

3. The Company shall monitor transactions to ensure that they are in line with the Customer’s risk, and examine the source of funds when required (Annex No. 7 to this Policy) to detect possible ML / TF. The Company shall also keep the documents, data, or information it holds up to date, with a view to understanding whether the risk associated with the Business Relationship has changed.
4.            The Company collects source of funds documents under the following circumstances: 
   
   1. All types of Customers: when they are high risk are subjected to EDD;
   2. All types of Customers: when they reach daily / monthly transaction thresholds;
   3. All types of Customers: when the Client’s transaction behavior shows major changes (e.g. order size is significantly bigger than the average order size of previous transactions);
   4. Only legal entity Customers: All businesses that fall under our requirements of EDD are required to submit these documents. EDD kicks in when the business falls under the following criteria:

• Provide crypto / digital assets services 

• Provide other crypto / digital assets services 

• Provide money services/payments / other financial services 

• Are regulated gambling services 

• Any Customer with a politically exposed beneficial owner 

5. Individuals: All individuals that are PEP are required to submit these documents 

‍

5. Monitoring (instant and/or retrospective) might be carried out by using the services of third parties. In such a case the Company shall ensure that third parties would follow requirements specified in this Policy and the Law and would align their IT systems and platforms so that all monitoring criteria and scenarios set by the Company would be properly covered.
6. The Company will use a risk-based matrix that will define various risk levels, namely, high, medium, and low. All the risk categories will be subjected to transaction thresholds which are based on various qualifiers in the case of an individual or a legal entity:
   
   1. Individual: the Company will categorise the Client in various risk categories and impose transaction thresholds based on the selection of payment methods and jurisdictions along with user behaviour.
   2. Legal entity: The Company will categorise the Client into various risk categories and impose transaction thresholds based on various risk factors like the pedigree of the company, Internet risk profiling score, onboarding tenure, and geographical risks.
7. The Company will use a comprehensive approach to transaction monitoring including, but not limited to screening i.e., monitoring transactions in real-time, and monitoring i.e., analyzing transactions later. The objective of screening is to identify: 
   
   1. Suspicious and unusual transactions and transaction patterns; 
   2. transactions exceeding the provided thresholds.
8. The screening of the transactions is performed automatically and includes the following measures: 
   
   1. Established thresholds for transactions, depending on the user/Client's risk profile and the estimated transaction turnover declared by the user/Client; 
   2. The scoring of virtual currency wallets where the virtual currency shall be sent in accordance with the user / Client’s order; 
   3. The scoring of virtual currency wallets from which the virtual currency is received.
9. General requirements applicable to monitoring procedures are established under Annex No. 3 to this Policy.

10. SCREENING AGAINST PEP, INTERNATIONAL SANCTIONS AND ADVERSE MEDIA

1. The Company deploys automatic solutions for political exposure, international sanctions, and adverse media screening.
2. Such screening is performed: 
   
   1. Prior to entering into a Business Relationship;
   2. Daily during Business Relationship;
   3. In addition, crypto wallet screening is performed both prior to entering into a Business Relationship as well as prior to each transaction and on an ongoing basis.     
3. Screening against international sanctions is performed for the following persons: 
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
4. Screening against PEP exposure is performed for the following persons: 
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
5. Screening against adverse media is performed for the following persons:
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
6. At least the following data shall be screened: 
   
   1. For natural persons: full name and surname, date of birth (or personal code), citizenship, residence country. 
   2. For legal entities: full title,      registration country, legal entity code, country of actual address or address (if relevant). 
7. If the screening indicates: 
   
   1. That the Client is a PEP – Business Relationship may be started, however, prior to this the Client must undergo enhanced due diligence procedure as specified under Annex No. 1 to this Policy.

‍

2. That the Client is subject to international sanctions – the Client cannot be onboarded, transaction cannot be executed, Services cannot be provided to the Client. The MLRO must notify the FCIS as specified under Section 13 of this Policy. 

‍

3. That the Client is subject to adverse media: 

‍

1. If adverse media indicates that the Client is involved in financial crime, ML/TF cases – the Client must be rejected, Services cannot be provided;
2. If adverse media indicates that the Client is sanctioned –an  assessment regarding the  relevance of international sanctions must be performed and if it is confirmed, then measures listed above under point (ii) must be followed;
3. If adverse media indicates other criteria – the MLRO shall be informed and shall take a decision on whether the Client can be onboarded and if “yes”, which risk group shall be assigned to the Client. 

8. Screening data (evidence proving data screening is/was performed) must be available to the Company. The Company should be able to prove when and how screening was performed, if required (e.g. if requested by the regulator). Such data may be available in the IT systems and tools. 

11. IMPLEMENTATION OF TRAVEL RULE

1. The Travel Rule, as implemented by EU Regulation 2023/1113 and EBA Travel Rule Guidelines, requires that all crypto-asset transfers be accompanied by information on the originator and beneficiary of the crypto-transfer transaction.
2. Crypto-asset transfers conducted by the Company include the following information: 

About the originator of the transfer: 

1. The name of the originator;
2. the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;
3. the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology (if not available – the transfer of crypto-assets is accompanied by a unique transaction identifier);
4. the originator’s address, including the name of the country, official personal document number, and customer identification number, or, alternatively, the originator’s date and place of birth; 
5. subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI, or, in its absence, any other available equivalent official identifier of the originator.

About the beneficiary of the transfer:

1. The name of the beneficiary;
2. the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction;
3. the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology (if not available – the transfer of crypto-assets is accompanied by a unique transaction identifier);
4. subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI, or, in its absence, any other available equivalent official identifier of the beneficiary.

2. The Company shall not allow for the initiation, or execute any outgoing transfer, of crypto-assets before ensuring that all the originator’s information is available and verified. 
3. For the incoming transfers, the Company shall check prior to the acceptance of the transfer whether it maintains all the necessary information and verify whether the beneficiary data accompanying the transfer is verified based on the information maintained by the Company about the beneficiary. If not (e.g. the data is inaccurate, incomplete, etc.), the transaction shall be suspended, until the verified information is received after was requested by the Company, or rejected.

1. RENEWAL OF INFORMATION ABOUT THE Customer (ODD)

1. Information collected about the Customer shall be renewed by the Company within the below timeframes:

‍

2. Review and renewal of information shall cover:
   
   1. Information about the Customer collected during the onboarding process (all KYC information); 
   2. Review of Customer’s identity document – it should be checked whether the ID document is still valid and if valid – additional documents are not required, however, if the ID document is no longer valid – a valid ID document should be required in addition;
   3. Check historical transactions with an aim to determine whether they indicate additional risks or a need to update the Customer’s risk profile. 
3. All data reviewed, updated, collected, and assessed must be stored in the Customer’s file with dates evidencing when the document was collected/assessed.

13. REPORTING TO FCIS (AML / CTF MATTERS)

List of reports:

1. The Company is required to report to FCIS in case of:

1. Suspicious Operations or Transactions (SARs submission).
2. Knowledge or suspicion that the transaction is directly or indirectly related to criminal activity or is intended to be used for such a purpose.
3. Knowledge or suspicion that the Customer will try to perform a suspicious operation/transaction.
4. Report on virtual currency exchange transactions or transactions with virtual currency only if the transaction is suspicious and the MLRO has reasons to believe and the value of such transaction is equal or exceeds 15.000 Eur (or equivalent in another currency, including virtual currency),     Annual report on Company’s activity.

1. Details of each report are the following:

‍

Key communication with FCIS timelines and requirements

1. FCIS shall within 10 business days of the receipt of the report's performance assessment take necessary actions if a basis for this is established (e.g. notify the Police and initiate a pre-trial investigation). FCIS must notify the Company accordingly. 
2. If the Company does not receive a response from the FCIS within 10 business days of the submission of reports listed under Clause 13.2 of this Policy or where the Company is not obligated by FCIS to temporarily restrict the ownership rights in accordance with the procedure established by the Code of Criminal Procedure of Lithuania, this is the basis for the Company to consider that FCIS did not determine any illegal activity and restrictions should be eliminated. However, if the MLRO has doubts regarding the renewal of the suspended transaction/activity of the Customer, the MLRO shall contact the FCIS in addition, and ask for their guidance with respect to the renewal and/or possible institutional actions.
3. The Company shall not be responsible to the Customer for the non-fulfillment of contractual obligations and for the damage caused in the course of performing the duties and actions specified in this Section (as long as they are performed in line with legal requirements). Immunity from legal proceedings shall also apply to the directors or other employees of the Company who report, in good faith, information about suspected ML / TF or Suspicious Operations or transactions carried out by the Customer to the MLRO; they also may not be subject to disciplinary sanctions because of such actions.
4. The Company must ensure that it maintains internal systems enabling MLRO to respond rapidly, through secure channels and in a manner that ensures full confidentiality of inquiries, to the inquiries from the FCIS concerning the submission of the information related to AML / CTF and ensure the submission of this information within 14 working days from the receipt of the inquiry, unless a shorter period is set by the FCIS, this Policy or the Law.
5. All information submitted to the FCIS and/or received from the FCIS shall be considered confidential and not subject to disclosure to third persons, including employees of the Company who are not involved in handling the particular case reported to the FCIS or informed by the FCIS. The MLRO shall be the key contact point for communication with the FCIS and the MLRO shall ensure the confidentiality of FCIS-related information, the email of the MLRO shall be used for communication with FCIS. In addition, information to the FCIS shall be always submitted via a dedicated FCIS information system while email dokumentas@fntt.lt should be used only in exceptional cases (e.g. where the FCIS information system is now available due to technical reasons). Tipping-off prohibition shall be ensured in all cases meaning that information about suspicious Client’s transactions or behaviour and/or a fact that SAR was submitted to the FCIS as well as what exact information led to suspicious cannot be disclosed to the Customer, the Company’s employees who do not have a right to possess such data (i.e. who are not working with the Customer’s case, investigation, etc.) and to third parties, unless exemptions are allowed following legal requirements, including exemptions under Article 23 of Lithuanian AML Law.

Report on 15.000 EUR virtual currency transactions

6. The MLRO is responsible for the submission of information to FCIS regarding virtual currency exchange or other virtual currency transactions if the amount of such transaction is equal to or above EUR “15,000” (irrespective of whether the transaction was carried out as a single or multiple transaction) and considered suspicious by the MLRO. Information about such transactions shall be submitted to FCIS within 7 business days of their performance day. 

Report on suspicious activity/transaction

7. Suspicious Operations or Transactions are those that, by virtue of their nature, in the opinion of the Company, may be related to ML/TF or fraud cases. If it is determined that the relevant transaction or operation is a Suspicious Operation or Transaction, the MLRO of the Company shall report it to FCIS as specified below in this Section.
8. The Company welcomes all applicants unless they are citizens or were born in or reside within the countries under the prohibited countries or are otherwise prohibited persons under applicable AML/CFT legislation. If born in prohibited countries, they may still register if they provide evidence of renouncing their original nationality and taking citizenship of a non-prohibited country.
9. High-risk jurisdictions and other jurisdictions monitored by the FATF, as described in Annex No. 6 to this Policy.
10. The Company shall also screen each applicant/user and, where applicable, associated persons, authorized persons, and BOs of the applicant/user for compliance with sanctions as described in Annex No. 6 to this Policy.
11. The Company engages third-party service providers who provide tools/databases to screen for compliance with the aforementioned sanctions, PEP lists, and money laundering databases.
12. In all cases, the company must complete the verification before accepting the applicant as a user. Any Applicant (or their Related Persons, Authorized Persons, and BOs) who has/have a positive match to the verification list (which after investigation and assessment by Compliance cannot be rejected) and is on a prohibited list (e.g. Applicant in a prohibited country or business) cannot be accepted as a User of the Company and will be rejected from becoming a User.
13. For Applicants (or their Related Persons, Authorized Persons, and BOs) who have/had a positive result (which after investigation and assessment by Compliance cannot be rejected) and are not on the Prohibited List, but have received adverse information as a result of the review, the Company will consider whether the Applicant falls into a high-risk group where ECDD is required before the Applicant can be accepted as a User.
14. The Compliance Service shall keep a record of the results of the screening and the carried-out assessment.
15. A suspicion may be caused by various objective and subjective circumstances, for example, the Customer performs transactions or operations that are not typical to its activities, provides incorrect data on themselves or the operation, is reluctant to provide additional information (documents) about the Customer, the operation being assessed by the Company, etc.
16. When assessing relevant transaction or operation from the suspicious Customer’s activity perspective, the MLRO of the Company shall obtain sufficient information on the ground and purposes of the Suspicious Operation or Transaction, as well as the origin of funds, in order to properly examine the activities and/or operations and transactions carried out by the Customer and must provide their conclusions on that in writing. 
17. The Company is not obliged to find out whether the activity of the Customer contains a composition of crime. If the Company knows or suspects that the transaction or operation is a Suspicious Operation or Transaction, it must:
    
    1. Suspend the transaction/operation (if possible); and 
    2. Notify the FCIS within 3 business hours of the suspension moment.

18. The list of criteria applied when recognizing Suspicious Operations or Transactions is presented in Annex No. 2 to this Policy.
19. Where the transaction/operation fails to meet any criteria specified in Annex No. 2 to this Policy and yet a suspicion arises to an employee of the Company with regard to the operation or transaction and/or the Customer’s activity, such transaction or operations must be regarded as Suspicious Operations or Transactions and shall be reported to FCIS within 3 business hours.
20. The Company is subject to “tipping off” prohibition. This means that the Company is prohibited by law from disclosing (“tipping-off”) to the Customer or other persons (except for the responsible internal team members and relevant authorities) a fact that a suspicious transaction report or related information is being filed or was filled with the FCIS.

12. TERMINATION OF TRANSACTIONS OR BUSINESS RELATIONSHIP 

General requirements

2. If the Customer is reluctant or refuses to provide additional information at the request of the Company, the Company, depending on the nature and importance of such information as well as on the reasons why such information is not provided, may refuse to carry out operations or transactions, terminate their execution or Business Relationship with the Customer.
3. The Company shall not be liable to the Customer for failure to fulfill contractual obligations or damage incurred due to failure to carry out the Customer’s operations or transactions provided that the Company did not carry out the Customer’s operations or transactions on the basis of reasons laid down in below Clause 14.4 of the Policy.
4. The Company shall be prohibited from executing transactions, establishing or maintaining Business Relationships if the Customer:
   
   1. Fails to provide information verifying their identity or is reluctant to provide information necessary to establish his identity or the provided information is insufficient;
   2. Provides incomplete data or it is incorrect;
   3. Are subject to international sanctions;
   4. Do not meet the risk tolerance limits set by the Company;
   5. Requests to provide anonymous services. 
5. In cases specified in Clause 14.4 and after identifying that the relevant operation, transaction, or behavior of the Customer is suspicious (irrespective of whether such operation or transaction was performed or not), the Company shall report the Suspicious Operation or Transaction to FCIS.
6. If during the identification of the Customer the Company has a reason to believe that the ML/TF offense is taking place, and the further process of identification of the Customer may raise suspicions to the Customer that information about him/her may be transmitted to competent law enforcement authorities, the Company may discontinue the process of identifying the Customer and may not establish Business Relationship with the Customer. In these cases, the information shall be transmitted to FCIS as soon as possible but not later than within 1 business day.  

Termination of Business Relationship based on Customer’s initiative

7. The Customer has a right to terminate the Business Relationship with the Company without specifying any reason and unilaterally without applying to court. Particular terms for implementation of such right may be applied based on the Company’s T&Cs.  

Termination of the Business Relationship with the Customer on the Company’s initiative or where so required under legal acts

8. The Company has the right to terminate the Business Relationship with the Customer without any notification in advance and without applying to court, where the legal basis agreed between the Parties via the BSA agreement is met, or where other legal grounds exist. 
9. The Client must immediately (the same business day) be notified via e-mail about the termination of the Business Relationship unless notification is prohibited under the legal acts. If there is a suspicion of ML/TF, the Company shall notify FCIS and until the assessment on suspicious activity is performed by FCIS, termination may be postponed, and the Client cannot be informed about ongoing investigation or application to the FCIS.

13. LOGS. RECORD KEEPING. DATA STORAGE

1. The Company shall keep at least the following logs:

1. Log of Suspicious Operations or Transactions and reports submitted to FCIS; 
2. Log of virtual currency exchange or other virtual currency transactions if the amount of such transaction is equal to or above EUR 15.000, only when considered suspicious by the MLRO (irrespective of whether the transaction was carried out as single or multiple transactions), including data about such transaction reporting to FCIS;
3. Log of Clients with whom transactions or Business Relationships have been terminated due to circumstances related to infringements of the procedure for the prevention of ML / TF, including cases when Business Relationships were terminated because Clients or their representative(s) tried to conceal information about themselves or Beneficial Owners, did not provide all required information, etc.;

‍

2. The templates of the above-mentioned logs to be kept by the Company are provided in Annex No. 4 of this Policy. 
3. Data shall be entered in the logs in chronological order, on the basis of the documents supporting the operation or transaction or other documents with legal effect related to the performance of the operations or conclusion (or termination) of transactions, or termination of Business Relationship, immediately but no later than within three business days as of the performance of the operation or conclusion of the transaction, or the date when the specified circumstances occurred or were established.
4. The following data storage requirements shall be ensured:

‍

1. The time limits for record keeping may be additionally extended for no longer than two (2) years upon a reasoned instruction of a competent authority.
2. The Company shall ensure that the documents and information referred to in Clause 15.4 of the Policy would be stored irrespective of whether: (i) transactions are local or international; and/or (ii) the Business Relationship with the Client continues or has ended.
3. The Company shall ensure that the documents referred to in Clause 15.4 of the Policy would be stored so that it would be possible: (i) to restore information about the specific transaction; and (ii) upon necessity, to provide them and information set out therein to FCIS.

12. EMPLOYEE TRAINING 

4. Ongoing employee training programs related to ML/TF prevention requirements shall be prepared and conducted in the Company under the leadership of the MLRO. The training log shall be prepared by the MLRO each year and shall contain information about training (to be) performed, participants, training dates, titles of the training, organizer, certificates issued, and other relevant information, if any. A training log is provided as Annex No. 9 to this Policy. 

‍

1. The training shall be performed at least annually (on a calendar year basis). It shall be based on the Company’s business activity and shall be updated as necessary to reflect any new developments in the laws and risks faced by the Company in accordance with the annual risk assessment.
2. Employees’ training program shall ensure that all Company employees who face ML/TF prevention measures in dealing with their functions would be properly educated to identify the Client, notice Suspicious Operations or Transactions, perform an assessment of alerts received during the monitoring procedure, etc. 
3. All new employees shall be trained for the prevention of ML/TF risks purposes prior to engaging in any Client-facing activity as part of the boarding and reimbursement process. The MLRO of the Company shall be responsible for ensuring training for new employees. The MLRO himself shall undergo annual AML/CTF training. 

13. FINAL PROVISIONS

Annual audit

1. The Company shall at least once per year perform an audit over AML / CTF measures and their implementation within the Company. The Senior Management is responsible for ensuring that the audit takes place while the MLRO is responsible for organizing the audit. 

Approval, review

2. This Policy (and annexes thereof) shall enter into force from the day of their approval and may be abolished, amended, and/or supplemented only by a decision of the Board.
3. Amendments and/or supplements to the Policy shall enter into force on the following day after its approval. 
4. The MLRO shall periodically (at least once a year) or upon the occurrence of important events or changes (for instance, in case of changes in legal acts or in case of new risk relevant to the Company arises) revise the Policy and update it, if needed. A review of the Policy shall be also ensured in the following cases:
   
   1. When the European Commission published a supranational risk assessment (published on https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022DC0554);
   2. When the National Risk Assessment is published by FCIS (published on www.fntt.lt); 
   3. When the FCIS issues an order to the Company to make the internal controls stronger and stricter; 
   4. When important changes are made within the Company’s management and activity organization; 
   5. When audit results or other activity indicators dictate a need to change internal controls. 

Employee acquaintance 

5. The MLRO is responsible for the acquaintance of the Company’s employees with the Policy (and annexes thereof) and its later versions, if any. Such acquaintance shall be made by providing the Company’s employees with the Policy (and annexes thereof) and after that by requiring each employee to confirm his / her acquaintance with the Policy (and annexes thereof) by signing in the table provided in Annex No. 5 of the Policy.

Assessment of knowledge and experience of the responsible personnel 

6. The Company shall ensure that, prior to the appointment of the MLRO, CEO, Board members, Senior Officer, and other employees responsible for the AML/CTF framework within the Company, a thorough assessment of their competence, work experience, and qualifications is conducted. This assessment shall take into account their education, professional development, relevant work experience (including its duration and nature), and other criteria that may impact their suitability and qualifications. Such assessments shall be completed in writing before their appointment or hiring.

Requirements for Senior Management members and UBOs of the Company

7. A person cannot be a member of Senior Management or Ultimate Beneficial Owner of the Company if at least one of the following criteria exist: 
   
   1. A person is found guilty of having committed a serious or very serious crime provided for in the Criminal Code of the Republic of Lithuania or a criminal act corresponding to any of these crimes according to the criminal laws of other states, regardless of whether the person's criminal record has disappeared or been annulled; 
   2. A person is found guilty of having committed a minor or aggravated crime against property, property rights and property interests, economy and business order, financial system, public service and public interests, public safety, or a criminal act corresponding to any of these crimes under the criminal laws of other countries, provided for in the Criminal Code and 5 years have not passed since the disappearance or annulment of the person's criminal record; 
   3. A person is found guilty of having committed a criminal act other than that specified in points 1 and 2 of this part, provided for in the Criminal Code or in the criminal laws of other states, and 3 years have not passed since the date of execution of the sentence, postponement of the execution of the sentence or release from the execution of the sentence.
8. If the circumstances listed in above Clause 16.7 are determined, the Company must take measures to notify the FCIS accordingly and ensure the fulfillment of the requirement (e.g. to change manager, etc.).

14. ANNEXES  

1. The following is the list of documents which are an integral part of the Policy: 

Annex No 1 – Client Identification Procedure

Annex No 2 – Criteria for Identifying Suspicious Operations or Transactions

Annex No 3 – Relationship Monitoring Policy

Annex No 4 – The Forms of Logs

Annex No 5 – The Form of Employees’ Acquaintance with the Policy

Annex No 6 – Prohibited Countries List

Annex No 7 – Acceptable Evidence of Sources of Wealth and Sources of Funds

Annex No 8 – Template of the MLRO quarterly report

Annex No 9 – Training Log

‍

‍

2. Annex No. 1 

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

3.      CUSTOMER IDENTIFICATION PROCEDURE

‍

1. INTRODUCTION

1. The Company is a B2B2C business and shall provide Services to Business. The end users can be both natural persons and legal entities. The Company provides services primarily to the business who are Customers-Clients, Merchants, and end users. Both the Merchants and the End Users receive Services and both these subjects are considered as Customers of the Company, who shall be identified accordingly.

Trans-Fi UAB’s current product suite is described below. All of these products are available as both a solution and as a single Application Programming Interface (“API”) and provide a dashboard or other solution for monitoring transactions and orders:

• Payins: Enabling our Clients/their Merchants to collect payments in fiat currency (e.g. the US Dollar or Euro) or stablecoins from their counterparties (both businesses or individuals) by sending a payment link and settling in stablecoins or fiat, as desired, with ease from anywhere across the world. Stablecoins used in our products are reserve-backed crypto-assets pegged to a fiat currency, notably the EUR and USD stablecoins issued by Circle:  EURC and USDC. Within this product, the following MiCA services will be used: 
  
  1. Transfer services for crypto-assets on behalf of clients 
  2. Custody and administration of crypto-assets on behalf of clients 
  3. Exchange of crypto-assets for funds 

‍

• Payouts: Enabling our Clients/their Merchants to pay their employees, vendors, freelancers, and trade partners globally in fiat or stablecoins across the world by exchanging crypto-assets for fiat (stablecoin-to-fiat) or exchanging fiat for crypto-assets (fiat-to-stablecoin) or crypto-assets for crypto-assets (crypto-to-stablecoin). Within this product, the following MiCA services will be used: 
  
  1. Transfer services for crypto-assets on behalf of clients 
  2. Custody and administration of crypto-assets on behalf of clients 
  3. Exchange of crypto-assets for funds 
  4. Exchange of crypto-assets for other crypto-assets 

‍

• Ramp: Enabling our Clients to offer the exchange of fiat to crypto-assets (fiat-to-crypto “onramp”) and the exchange of crypto-assets to fiat (crypto-to-fiat “offramp”) to their Merchants and/or End Users. Within this product, the following MiCA services will be used: 
  
  1. Exchange of crypto-assets for funds 

‍

• Wallet issuance as a service (“WIaaS”): Enables our Clients to issue custodial wallets (using Circle as a provider) for themselves, their Merchants, or their End Users to pre-fund transactions for seamless payouts, or to collect payins from their counterparties, or to offer top-ups and refunds to the wallets & gaming accounts of their End Users, by offering the fiat-to-stablecoin and stablecoin-to-fiat transfers, and subsequent settlements with gaming Customers. TransFi will be enabling an “earn feature” on these wallets shortly, leveraging third-party providers, so that wallet owners earn returns (using staking). Within this product, the following MiCA services will be used: 
  
  1. Custody and administration of crypto-assets on behalf of clients 

2. The Company applies remote Customer identification methods following requirements of Article 11(1)(4)(b) of Lithuanian AML Law.
3. The Company shall ensure that identification is performed for the Customer in the following cases:

1. Prior to establishing a Business Relationship with the Customer;
2. When doubts about the Customer’s identification data and documents, collected earlier, occur;
3. When there are doubts that ML / TF activity may take place. 
4. When there is a change in the transaction patterns of the Customer

4. In cases listed under Clause 1.3 above, the Company shall at least:

1. Identify the Customer (its representative, UBOs, determine directors and ownership structure);
2. Collect KYC / KYB data about the Customer;
3. Check PEP status;
4. Check international sanctions application status;
5. Check adverse media status;
6. Check if there are any circumstances requiring applying enhanced due diligence;
7. Re-assess the information collected with data received from official sources.

8. Collect information about the purpose and nature of the Business Relationship.
9. Collect information about Customer’s sources and funds (for high-risk Customers);

9. Receive MLRO’s approval (for high-risk Customers).

‍

1.5 As described in Clause 1, all our Customers are subjected to KYC and KYB in the case of individuals and legal entities respectively 

1.6  Having such information, the Company shall assess it and, following the assessment, assign the Customer to the relevant risk group. All this shall be done until the moment when Business Relationships are started 

2. TYPES OF CUSTOMER DUE DILIGENCE 
   
   1. The Company shall recognize the following types of Customer’s risk: 

1. Low;
2. Medium;
3. High;
4. Unacceptable/Prohibited. 

2. The Company applies two types of Customer due diligence:
   
   1. Standard Due Diligence (SDD), also known as Ordinary Due Diligence: SDD is applied where the Customer’s risk profile indicates low or medium risk and where, in accordance with the risk assessment of the Company, it has been identified that in such circumstances the risk of ML / TF is low or medium.
   2. Enhanced Due Diligence (EDD): EDD is applied for Customers that are flagged as high-risk Customers. EDD requires the application of additional Customer due diligence measures in comparison to SDD.

‍

3. In case of unacceptable/prohibited risk Customer – no due diligence can be applied as the applicant shall be rejected. 
4. In order to determine to which risk group each Customer is exposed, the Company shall perform an individual risk assessment of each Customer before entering them into a Business Relationship.   
5. SDD procedure is established in Section 4 (for individual Customers) and Section 5 (for Business Customers) of this Annex. 
6. EDD procedure is established in Section 6 of this Annex. 
7. The Company will have the below as prohibited Customer types:

1. Known beneficiaries of corruption or illegal activities; 
2. Shell companies/shell banks; 
3. Unregulated casinos or unlicensed gambling companies; 
4. Incomplete or failed KYB (Know your business); 
5. Unlicensed money transmitters/payments/financial services companies; and 
6. Customers with bearer shares in the ownership structure. 
7. Marijuana/cannabis; 
8. Guns, Arms and ammunition, and Military; 
9. Precious metals; 
10. Adult content or Pornography. 

3. GENERAL REQUIREMENTS FOR THE REAL-TIME PHOTO (VIDEO) TRANSMISSION 
   
   1. Real-time photo (video) transmission is a method for Customer (natural person) or representative (legal entity) identification and identity verification.
   2. The following principles shall be applied and ensured during the remote Customer identification procedure via real-time photo (video) transmission:
      
      1. Only one person (Customer or its representative) can participate in the remote Customer identification process;
      2. The quality of the internet connection shall be sufficient, no interruptions should occur;
      3. The Company shall be entitled and have the technical possibility to provide the Customer with additional instructions if it is needed for identification;
      4. Quality of photos/video taken during the Customer’s identification procedure shall allow the Company to identify the person in the photos easily;
      5. The remote Customer identification process shall be carried out uninterruptedly and must be a part of a single Customer identification process;
      6. The screen used by the Customer shall be big enough to ensure that the Customer’s face is visible and identifiable throughout the session;
      7. All recordings and photos have to contain a mark with the Customer’s name, surname, personal code, and IP address (in the event the latter is applicable) and the date of recording;
      8. The Company shall use special programs, applications, or other means which shall ensure that the process of photo recording is continuous and the transmission of photos otherwise than in real-time would be impossible;
      9. Upon completion of actions referred to above, the Customer shall be informed that by providing data the Customer also confirms the authenticity of that data;
      10. Photos/video transmitted shall be of a quality allowing to read the information easily from the ID documents provided and to clearly see the features of the particular person and the person captured in the photo of the identity document.
   3. The Company shall ensure that its IT systems are capable and adapted to remote Customer identification as per the above requirements. 
   4. The Customer’s identification process shall be considered failed if any of the below occur:
      
      1. The Customer has deliberately submitted data that does not match the identification data of the ID document received from the official database or does not match information or data collected through other procedures;
      2. The session expires during verification, and the Customer does not initiate the identification process from the beginning;
      3. Image (video) of the ID document or the Customer is not clearly visible; 
      4. The Customer did not provide the required information and data;
      5. The Customer refuses to follow instructions to comply with the requirements set for framing the Customer’s face and ID document;
      6. The Customer uses the assistance of another person during verification without permission from the Company (permission might be issued only in exclusive cases);
      7. Circumstances arise that indicate suspected ML / TF. The Company shall immediately submit a notification of suspicion to FCIS;
      8. The Company received information that the Customer is subject to financial sanctions which shall be immediately notified to FCIS;
      9. The Customer has not completed any activities in the Customer identification module for more than 15 minutes in a row;
      10. The real-time photo (video) transmission is terminated or problems regarding the real-time photo (video) transmission arise;
      11. The quality of the real-time photo (video) transmission does not allow clearly the face of the Customer or Customer/s representative (if any) and (or) to establish the identity of the Customer or representative (if any) from the photo (video) of the face image in the identity document;
      12. The quality of the real-time photo (video) transmission is poor;
      13. The Customer’s identity document is being captured without adhering to the requirements laid down in this annex;
      14. The Customer does not perform the actions required for their identification appropriately and on time;
      15. It is established that the document provided by the Customer is impaired, fake or there are other circumstances that raise doubts due to the authenticity of such an identity document (for example, the copy of the document is being shown). In such case, the identification process may be continued, and the information necessary to establish the identity of the Customer or the representative (if any) may be collected only with the purpose, having assessed the ML / TF threat, to immediately notify the FCIS as suspicious activity no later than within 3 business hours;  
      16. It is established that the identity document provided by the Customer does not correspond to the requirements of information content applicable to such document;
      17. The Company has reasonable doubts that the Customer, the identity of which is being established, and the owner of the provided identity document, proving the Customer’s identity, are not the same person. This should be immediately reported to FCIS;
      18. If more than one person participates in the process of Customer identification;
      19. The Customer disagrees with remote Customer identification.
   5. Having assessed the ML / TF threat, the Company has the right to suspend or terminate the process of the identification due to any other reasons.
4.      IDENTIFICATION OF A CUSTOMER ( NATURAL PERSON )
   
   1. The Customer (natural person) identification and ID document validity verification shall be performed following these steps:
      
      1. Registration: The Customer shall enter First name, Last name, Date of Birth, Email, the country of citizenship on the web page      dedicated to onboarding;
      2. Identification: The Company applies remote identification – via real-time selfie and ID document photo (video) transmission. Namely:

In case of a photo transmission: 

1. The Customer shall take a photo of his / her ID document. 

Only the following ID documents can be accepted for Customer due diligence purposes. The Company shall accept only those ID documents that are valid and only if there are no circumstances showing possible forgery of the ID document:

• Passports,
•  ID cards, 
• Lithuanian Residence permits 
• Any other acceptable ID allowed by regulation

The collected ID document shall contain the following information about the Customer:

• Name(s);
• Surname(s);
• Personal code (for foreigners – date of birth or personal code or any other personal number);
• Photo;
• Signature (unless it is not required to be placed in the driver’s license based on the country’s requirements);
• Citizenship (unless it is not required to be recorded in the driver’s license based on the country’s requirements).

If the collected ID document does not contain citizenship data, the Company must collect additional ID documents of the Customer maintaining citizenship data.

Taking a photo of the ID document shall proceed by holding the ID document up in front of the mobile phone/computer camera in the area specified on the screen in a manner that the image of the ID document fits into the frame displayed on the screen. 

If the Customer uses a passport, a photo must be taken of the page with the Customer’s facial image and the back of the image.

If the Customer uses an ID card Lithuanian Residence Permit, or any other acceptable ID allowed by the regulation, a photo must first be taken of the front of the document and then of the back. 

The Customer shall click the relevant button for capture displayed on the screen and the device will capture a photo of the ID document. If the photo is not of the best resolution, the Customer shall be asked again to capture a picture. The Company shall use the photo with the best resolution. If the photo is suitable, the relevant message shall appear on the screen and the Customer shall click on the button which allows proceeding. If the photo is not suitable for identification purposes, the Customer shall be requested to take a new photo;

2. After the ID document photo has been confirmed (it takes a few seconds), the Customer shall be re-directed to and shall take a Live selfie of himself/herself. When taking the photo, the Customer shall look straight into the camera, with the head visible and in the frame. The Customer shall remove any head or face covering and not wear glasses with dark or darkening lenses. The Customer’s facial expression shall be easily recognizable, there cannot be any shadows around the Customer’s eyes, and background lighting cannot disturb reading the Customer’s facial expression. The Customer shall click on the capture button displayed on the mobile phone/computer screen, and the device shall automatically take a live photo of the Customer. If the live photo is suitable, the Customer shall click the continue button; if the portrait photo is unsuitable, the Customer will be required to click on the try again button and take a new photo. Both photos shall be saved by the Company. The Company shall conduct a visual verification of the portrait photos taken by the Customer. The Customer’s live photo shall permit the Company to verify the person depicted in the portrait photo. After the live photo has been confirmed by the Customer, the Customer shall be directed to the module, where the Company will be able to collect additional information about the Customer.

NOTE: the order of capturing of Customer’s ID document and facial image may differ depending on the platform used (i.e. firstly the photo of the ID document may be taken and only then the facial image or otherwise).

The live selfie session should be uninterrupted and of good quality.

3. Collection of additional KYC data: The Customer is required to provide a few information The customer is required to provide a few additional details, including but not limited to the following:

1. Nature and purpose of Business Relationship;
2. Country of residence;
3. Sources of funds (Annex No 7); only in case of EDD (Enhanced due diligence)
4. When the Customer is KYC-ed he is screened for adverse media, sanctions, and PEP screenings through an automated solution, if flagged for PEP, the Customer needs to confirm if he is a PEP or not. In case of a PEP, he is subjected to EDD, In case of false hits, the Customer is required to share a declaration over email that he is not a PEP.

4. Informing the Customer: After the Customer provides all the above-requested information, he/she is asked to confirm it and submit it. After the submission, the customer is informed in some time (ranging from a few seconds to a few minutes) that the KYC is approved, rejected, or in manual review with Compliance. Basis the results of the manual review, the Compliance team clears the onboarding of the Customer in no later than 2 business days. 
5. Verification of data by the Company: All the data submitted by the Customer is assessed through an automated system and the KYC is approved, rejected, or goes in manual review with the Compliance team.

• Application data (name, surname, personal code, citizenship of the Customer, application date, etc.);
• Validity and authenticity of ID document. – whether the ID document’s validity date is still valid (not expired), etc.). 

NOTE: data should be stored as evidence in the Customer’s file (with a clearly visible date when and based on what data the check was performed).

• Proof of Address, data extraction, and data verification. For Proof of Address purposes, the Company shall request the Customer to provide a utility bill or rent agreement, rent registration extract, or employment agreement with a clear reference to the residence address, etc. 
• Live photo of the Customer. The Company shall conduct an automatic check on the Customer’s portrait photo against the facial image contained in the ID document. This is done automatically using a service provider;
• Customer’s device data (for instance, IP address, etc.);  
• Identity verification – The company shall check whether the Customer’s live photo matches the facial image on the ID document photo in conjunction with algorithms. This is done automatically by the selected service provider;
• ID document data. The Company shall check the following data of ID document in external official databases: surname, first name, personal identification code, sex, date and place of birth, ID document number, document date of issue and expiry, citizenship;
• The Company shall also check the Customer’s background, including, but not limited to political exposure, possible application of financial sanctions, 
• Verification of Customer data shall be made by making a search in reliable external databases,      which allows checking whether the person is PEP, whether financial sanctions are applied with respect to the Customer, etc. The Company in addition might also conduct research on official websites, like Google, etc.
• In case of manual reviews, the Company shall review the results of the review and verification of the Customer’s data; 
• The Company, based on risk segmentation criteria, shall decide whether the Customer may be accepted or not; 

5. IDENTIFICATION OF A CUSTOMER- LEGAL ENTITY
   
   1. Real-time photo (video) transmission, as Customer’s identification method for the legal entity, shall be applied in the following manner: 
      
      1. The Customer is requested to provide information about the legal entity (potential Customer), including but not limited to the following:

1. Legal entity’s details, including the following: full name, legal form, legal code, establishment country, registered and actual business address;
2. Details of UBOs, including the following: full name, personal code (if not available – date of birth), citizenship, percentage of shares held in the legal entity of each Beneficial Owner, residing address;
3. Details of Key Directors, including the following: full name, personal code (if not available – date of birth), citizenship;
4. Nature and purpose of Business Relationship;
5. Sources of funds of the legal entity, only in case of EDD (Enhanced due diligence);
6. Whether the UBO Owner and/or a Representative is PEP;
7. Expected amount (in EUR) of monthly and yearly operations and countries to which/ from which operations will be initiated/received.
8. Whether the customer is a PEP

‍

2. The identity of Customer’s representative/UBO shall be established by applying all measures that are listed in clauses 4.1(i)-(ii) above in this Annex and that are applicable to the identification of a Customer – a natural person using real-time photo (video) transmission;
3. After the representative of the legal entity (potential Customer) provides all the above-requested information, he/she is asked to confirm it and submit it. After this session is over, the Customer by automatic message is informed that his / her information will be assessed, and the Customer will be informed about the decision of the Company to onboard the Customer as soon as possible but in any case no later than within 2 business days. 
4. After actions above are performed, the Company shall check the correctness and validity of the information provided by the representative of the Customer by performing actions indicated in clause 4.1(v) above.
5. The Company shall collect documents about the Customer that confirm the existence of the Customer, as a legal entity, and other Customer’s KYC information provided by its representative in the course of a real-time photo transmission session. The Company shall collect such documents itself from public registries, available online.
6. The Company shall collect at least the following official documents:

1. Power of Attorney, if a representative of the Customer is not the UBO; 
2. Memorandum of Associations or Articles of Association of the Customer;  
3. Self-certified shareholders’ registry (not older than 6 months);
4. A document that sets out how the prospective Customer is operated, governed, and owned and the extent of Authority/ powers key executives hold in the due diligence form (SDD form for low-risk customers and EDD form for high-risk customers)
5. Proof of official address; 
6. EIN / TIN number; 
7. Additional documents that may be required considering the specifics of certain Customers and/or in case a need to apply enhanced due diligence is determined (e.g. financial statements or key agreements in order to ascertain sources of funds, etc.).

7. All Customer’s UBOs are required to perform identification measures (the same as are applied for an individual Customer as per clause 4.1(ii) of this Annex. 
8. The Company, based on risk segmentation criteria, shall decide whether the Customer may be accepted or not; 
9. The Company, after completing the Customer’s verification, shall make a decision to “approve” the Customer or “decline” the Customer. In both cases, the Customer should be informed about the final decision. The decision of the Company shall be made within 4 business days as of the moment when the Customer performs identification actions. 

6. ENHANCED DUE DILIGENCE (EDD)
   
   1. EDD shall be conducted for the Customers who are:
      
      1. PEPs (incl. when the Customer himself, Customer’s representative, and/or director, and/or UBO are PEPs);
      2. Assigned to a high-risk category based on risk segmentation criteria established by the Company (see a separate internal document, Customer risk matrix);
      3. When the activity of the Customer hits established daily/monthly thresholds;

‍

4. Only for Customers legal entities – when the main activity of the Customer in one of the following business areas:

• Custodial crypto / digital assets services;
• Other crypto / digital assets services (non-custodial);
• Money services, payments, and other financial services;
• Licensed Gambling services. 

2. In situations described under clause 6.1 above, the Company shall:

1. Perform all identification measures established for ordinary due diligence; and 
2. Obtain written consent of the MLRO of the Company to enter into or continue Business Relationships with such Customers; and 
3. Ask for additional documents from the Customer that would help to identify the source of the property and funds relating to the Business Relationship or a transaction, in accordance with Annex No. 7; and
4. Ask for additional information regarding reasons for the transactions and Services; and
5. Ask for additional information regarding expected volumes of transactions within the Company; and
6. Ask for additional information, if any documents that are indicated by the MLRO in his/her consent  to enter into a Business Relationship with such a Customer (if any); and
7. Perform enhanced ongoing monitoring of the Business Relationship with such Customers, inter alia by establishing more sensitive operations thresholds and monitoring rules; and
8. In case when the Customer is subject to EDD due to the fact that its business area is the one as per the list under clause 6.1 (iv) – in addition to the above EDD measures, the Company shall collect and assess:

• Customer’s AML Policy; 
• Relevant license
• Financial statement or source of funds 
• any other document that may be necessary to further assess.
• This may also include other details like the below if needed: the customer’s latest ML and TF risks assessment (EWRA); the customer’s latest audit report, covering ML and TF risks;
• Details about the main person responsible for AML / CTF matters within the Customer (e.g. Customer’s MLRO, etc.);

(ix)  In case the Customer is established in countries like Bulgaria, Cameroon, Croatia, Kenya, Nigeria,Philippines, South Africa, Tanzania, Uganda, United Arab Emirates and Vietnam are the countries, that are not subject to enhanced due diligence, but subject to differential scrutiny are treated in this manner because

• Bulgaria and Croatia are part of the European Union
• The remaining jurisdictions are fast growing developing economies and house many global financial institutions such as HSBC, Standard Chartered, Wells Fargo and Citibank. 

‍

All users in these jurisdictions are subject to robust checks including sanctions & adverse media screening, ID verification, liveness test, PEP screening, transaction monitoring, browser & behaviour checks, email risks related checks, social media profiling, name matching and crypto monitoring.  EDD (Enhanced due diligence) checks will be triggered in the event of:

• Regulated business activities
• Transaction thresholds being exceeded
• Suspicious events;
• High risk customers.

‍

In addition to the above, transaction limits post KYC and KYB limits in these jurisdictions are lower than those for TransFi users from non-high risk countries.

‍

(x) In case the Customer is established in countries like Barbados, Burkina Faso, Gibraltar,Jamaica, Monaco, Mozambique, Namibia, Panama, Senegal and Trinidad and Tobago, we ask for additional information, if required 

• To apply increased timelines for transaction monitoring; 
• To apply increased number of internal control measures;
• To assess and decide on types of transactions which require more deep internal investigation and performing such investigations;

‍

3. The Company shall not provide Services to Customers from Lithuania state sanction list,  European Union Sanctions Lists, United Nations Sanctions lists (UN), United Nations Security Council resolution 1373 (2001) Sanctions List, Office of Foreign Assets Control (OFAC) (as described in Annex No 6 of the Policy).

‍

4. Annex No. 2

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

5. CRITERIA FOR IDENTIFYING SUSPICIOUS OPERATIONS OR TRANSACTIONS

‍

1. Suspicious operations or transaction criteria are established by FCIS Resolution No V-240. The list constantly changes and the MLRO’s duty is to check such changes and implement them in the activity of the Company. 
2. The below reflects some criteria from the mentioned FCIS Resolution. However, the MLRO must consider additional relevant criteria to the Company and adapt the below list accordingly. 
3. The Company does not engage in cash-related services. Therefore, cash-related criteria are not listed below. 
4. The criteria for recognizing Suspicious Operations or Transactions related to the behavior of the Customer are as follows: 

1. At the time of entering into a Business Relationship or during the Business Relationship, the Customer is reluctant to provide information necessary to identify the Customer, providing documents that raise doubts as to their genuineness, authenticity, etc.
2. It is difficult to obtain from the Customer information or documents necessary for the monitoring of the Business Relationship: it is difficult to contact the Customer, their place of residence/registration as well as contact details often change; nobody answers the phone number provided by the Customer is always disconnected; the Customer fails to respond when addressed via e-mail.
3. The Customer is unable to answer questions regarding ongoing/planned financial activity and the nature thereof, cannot provide relevant documents, and is excessively nervous.
4. The Customer cannot explain the sources of funds used for the transactions. 
5. The Customer connects to the Customer’s custodian virtual currency wallet, using services of the TOR network and the IP address is constantly different.
6. The Customer does not have sufficient knowledge about virtual currency, and cannot explain why certain transactions are performed (although the activity of the Customer in virtual asset transactions is high).
7. Several companies are registered at the address of the Customer.
8. The same person is the manager of several unconnected companies. 

5. The criteria for recognizing Suspicious Operations or Transactions related to operations or transactions carried out by the Customer are as follows:
   
   1. The operations or transactions of the Customer are not in line with the types of activities indicated by the Customer during the Customer’s identification process or reflected in the publicly available information. 
   2. The nature of the operations or transactions that are being conducted by the Customer raises a suspicion that the Customer is seeking to avoid entering the operations and transactions into the registration logs maintained by the Company.
   3. The Customer carries out a transaction (transactions) which is (are) beyond the Customer’s possibilities known to the Company.
   4. The Customer or the owner of the Property requests to pay the amount belonging to them to persons who are clearly unrelated to the Customer’s normal activity.
   5. The Customer is continuously engaged in transactions in property where the value is clearly not in line with the average market value.
   6. The Customer carries out operations or concludes transactions without any apparent economic justification.
   7. The age, current position, and financial status of the Client are objectively not in line with the activity conducted by this Customer (e.g. the Customer’s income is small compared to the scope of his / her activity in relation to Services).
   8. The Customer uses mixer/tumbler services. 
   9. The Customer executes operations in the dark net using virtual currency addresses that are connected to illegal activity.
   10. Virtual currency exchange to fiat currency (and vice versa) is not consistent with the Customer profile, or previous activity.
   11. The performance of virtual currency-related transactions is connected to IP addresses that are related to the countries where ML / TF activity is high. 
   12. Loss-making exchange of virtual currency into fiat currency.
   13. The Customer’s operations may potentially be related to fraud.
6. The criteria for recognizing Suspicious Operations or Transactions related to the geographical aspect of the operations or transactions carried out by the Customer are as follows:

‍

1. Operations or transactions are carried out with natural and legal persons located in sanctioned jurisdictions as stated in Annex 6 of the policy.

‍

2. The Customer permanently resides in a country that is not a member of the FATF or does not have observer status with the FATF and is not a member of the international organization combating the ML/TF, whereas the economic justification of the operations or transactions carried out by the Client is unclear.

‍

3. The Client's operations with virtual currency are initiated from Internet Protocol (IP) addresses located in sanctioned countries as stated in Annex 6 of the policy.

7. The e criteria for recognizing Suspicious Operations or Transactions related to the possible corrupt activities of the Client are as follows:
   
   1. An individual participating in politics, their close associate, or family member receives an unusually high compensation that does not align with market value for participation in seminars, conferences, or as a consultant on projects.

‍

2. Operations are conducted for an individual participating in politics, their close associate, or family member from a foreign country with a corruption perception index (CPI) score below 50.

‍

3. A legal entity conducting business in a foreign country with a CPI score below 50 performs business-related financial operations of excessive value for individuals under consultancy, legal, or similar service agreements.

‍

4. International financial operations are conducted for an individual participating in politics, their close associate, or family member without a clear economic basis.

‍

5. A physical or legal entity grants a loan to an individual participating in politics, their close associate, or family member under unusually favorable conditions (no repayment term specified, favorable repayment conditions, low interest rates, etc.) or without a contract or other documentation.

‍

6. A physical or legal entity pays for travel and accommodation services for an individual participating in politics both in Lithuania and abroad if such payments are not typical for the financial activities of the paying entities.

‍

7. An individual participating in politics transfers funds to countries where they do not conduct professional activities.

‍

8. Funds are transferred to targeted territories when the transaction is related to government contracts.

‍

9. The beneficiary, founder, authorized person, or otherwise related person of a preferential tax company is an individual participating in politics in Lithuania or abroad, their close associate, or family member.

8. In the assessment of the alleged connection of the property with the TF, the following aspects must be taken into consideration: 
   
   1. Funds shall mean any type of intangible virtual currency or tangible fiat currency
   2. The funds may be of either legal or illegal origin – it is important that it is being collected, accumulated, or provided for purposes of the TF.

‍

3. Both direct and indirect collection, accumulation, or provision of the property (funds) shall be treated as the TF activity.

‍

4. Collection, accumulation, or provision of the property (funds) shall be regarded as an intentional deliberate activity where it is seeking or knowing that this property (funds) or only a part thereof will be aimed at the TF, i.e. mere perception of a person that the property might be aimed at the TF is sufficient, even if he/she does not have an intentional pursuit thereof.

‍

5. TF includes collection, accumulation, provision of the property (funds) for committing particular terrorist crimes (e.g. to perform a terrorist attack), training of terrorists (e.g. inciting crimes of terrorism, recruiting, training terrorists, creating terrorist groups, etc.), and also supporting individual or several terrorists or terrorist groups even if this property will not be aimed at committing particular terrorist crimes (e.g. for the rent of premises, material support, healthcare, relief, etc.). It is not necessary to establish a connection between the collected, accumulated, the provided property (funds) with a particular terrorist crime. 

9. Final Provisions
   
   1. The above-listed criteria shall not be assessed as exhaustive and the Company shall take into consideration other criteria that may be implicating suspicion with respect to operations and transactions of the Client, including but not limited to criteria established by FCIS. 

‍

2. The above-listed criteria indicating Suspicious Operations or Transactions should be assessed in each case separately and should not be applied in a formal way, i.e. the Company should always assess whether concrete criteria (even though listed above) could be justified or not in a concrete case and to consider it as suspicious only if any circumstance that could justify it cannot be found.  

‍

6. Annex No. 3

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB  

‍

7. RELATIONSHIP MONITORING POLICY

‍

1. INTRODUCTION

1. All transactions conducted by the Customer shall be constantly monitored by the Company. 
2. The Company shall perform and ensure instant and retrospective monitoring. 
3. Monitoring shall cover:
   
   1. Transactions;
   2. Wallet; 
   3. Customer-individual;
   4. Customer-legal entity;
4. Monitoring procedures will be performed both manually and by using automatic means. Regardless of the method selected by the Company, the Company shall ensure that the selected method allows to properly monitor all transactions and to identify Suspicious Operations or Transactions in due time. 
5. The purpose of monitoring is to ensure proper and timely identification of unusual transactions, patterns, and activity as well as to ensure the relevance of the information of the Client, its representative (if any), and the relevance of the assigned risk level to the Client. It also involved the monitoring of Client profiles (both the Individual and Businesses), whether they are exposed to any adverse media, or sanctions hit. 
6. The monitoring shall be performed by assessing the factual transactions made by each Customer, information received by the Company during the Customer’s identification procedure as well as other information received/collected by the Company, if any.

2. CUSTOMER’S FILE
   
   1. Monitoring procedures shall cover the assessment of information about the Customer. All information about a particular Customer shall be kept in the Customer’s file.
   2. The Customer’s file shall consist, as a minimum, of the following documents:

1. Proof of Customer’s identification and collection of relevant information about the Customer(i.e. sources of funds in case of EDD, the purpose of Business Relationship, services intended to be used by the Customer, etc.);
2. Proof of verification of the identity of the Customer, the Customer’s representative (if any), Beneficial Owners (if any) in public and independent sources of data;
3. Proof of verification of the political exposure of the Customer, the Customer’s representative, and Beneficial Owners (if applicable) in public and independent sources of data;
4. A description of the Customer's risk profile;
5. A description of the Customer’s assignment to a risk group;
6. Information about the Services provided to the Customer;
7. Information about cases when the Customer made Suspicious Operations or Transactions;
8. PEP and sanctions check data and evidence;
9. In the case of high-risk Customers – approval for entering/continuing Business Relationships alongside issued by the Company’s MLRO;
10. Corporate documents of the Customer;
11. Other documents and information indicated in this Policy and/or that the Company considers as important for the Client’s file. 

‍

3. The Customer’s file shall be stored in an electronic form.

‍

4. Information obtained in the process of identifying the Client and Client’s representative (if any) shall be continuously documented and shall be kept in written or electronic form.

3. MONITORING OF BUSINESS RELATIONSHIP / OPERATIONS 
   
   1. The Company shall exercise an ongoing monitoring of operations and ongoing monitoring of the Business Relationship of the Customer, including:

‍

1. Investigation of transactions to make sure that transactions that are being carried out are in line with information available to the Company about the Customer, his / her / its activities (types and nature of activities, nature of transactions, business partners, and so on), risk nature, and knowledge about the source of funds in case of EDD;
2. Principles of assigning the Customer to the relevant risk group, establishing the procedures of Collecting and storing information about the operations performed by the higher-risk Clients.

‍

2. During the monitoring, particular emphasis shall be placed on the following:

1. Operations that, by virtue of their nature, may be related to ML / TF, and complicated and unusually large transactions; 
2. Any unusual transaction structures that do not have an evident economic or visible legal goal;
3. Every ML / TF threat that may arise due to the usage of products of any nature, other results of usage of the services provided, or transactions being carried out, when efforts are made to conceal the identity of the Customer or Customer’s representative (if any) (leaning towards anonymity), as well as due to Business Relationship or transactions with the Customer who was not identified being present in person, and, where applicable, shall immediately take measures in order to prevent the property from being used for ML / TF purposes;
4. Operations when efforts are made to conceal the identity of the Customer or Customer’s representative (if any), as well as the Business Relationship or transactions with the Customer whose identity was not established with being him/her/its representative in person;
5. Whether the Customer is not included on the general list of persons or groups of persons or companies and institutions that are subject to financial sanctions by the EU, UN, OFAC;

‍

3. If the monitoring of the Business Relationship indicates that the Business Relationship entails a higher risk, then the Company shall assign a particular Customer to the higher-risk group (if he/she/it was not assigned to a high-risk group before).

‍

4. The Company shall document the results of the investigation in writing (electronically or in paper form).

4. ENHANCED MONITORING OF BUSINESS RELATIONSHIP
   
   1. In the course of the enhanced monitoring of Business Relationships, the Company shall maintain a risk matrix that monitors the operations by keeping transaction thresholds at different KYC levels. 
5. FINAL PROVISIONS
   
   1. The MLRO of the Company shall prepare and present to the Senior Management a monitoring summary in his quarterly report (Annex No. 8 to the Policy), which would include the main findings that were identified during the relevant quarter. Such a summary should include information about transactions that were identified as suspicious and submitted to the FCIS. 

‍

2. The monitoring of Business Relationships shall be exercised on a regular basis, keeping information on measures applied in the process of monitoring and information collected in the process of taking such actions, keeping information on the purpose and nature of Business Relationships, and making reviews and updates of such information on a regular basis.

8. Annex No. 4

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

9. FORM OF LOGS

‍

/Attached as a separate Excel file/

10. Annex No. 5

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

11. THE FORM OF EMPLOYEES’ ACQUAINTANCE WITH THE POLICY

‍

Employees of the Company who sign the below table confirm that they are acquainted with the Policy of the Implementation of Prevention Measures on Money Laundering and Terrorist Financing of the Company (including annexes thereof). 

In case the Policy (and annexes thereof) are amended, employees of the Company shall be properly acquainted with the amendments. Employees shall confirm their acquaintance with all amendments by providing information indicated in the table below and by signing it each time.

6. Annex No. 6

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

7. PROHIBITED COUNTRIES LIST ALONG WITH HIGH RISK COUNTRY LISTS WITH TREATMENT

‍

All below countries are considered as prohibited by the Company: 

‍

1. Prohibited by the Company;
2. Sanctioned countries by EU and UNO
3. Sanctioned countries by OFAC except for Hong Kong.

‍

Prohibited by the Company:: Abkhazia, Angola, Bosnia and Herzegovina, Burundi, China, Croatia, Guinea-Bissau, Kosovo, Macedonia (North), Mali, Montenegro, Nagorno-Karabakh, Nicaragua, Northern Cyprus, Sahrawi Arab Democratic Republic, Serbia, Slovenia, Somaliland, South Ossetia

‍

Countries prohibited for transactions by Tran

sFi include the following: (Sanctioned countries by EU and UNO, including TransFi)

‍

‍

TransFi identifies high-risk jurisdictions based on the following lists

• The Financial Action Task Force (FATF)
• EU High Risk Countries

‍

EU and FATF high-risk countries:

‍

The identified countries, excluding those already prohibited as above, are :

Amongst the list of high risk countries, any customers from the countries listed below, are subject to enhanced due diligence before onboarding.

The enhanced due diligence process requires the below process:
Individual:The Customer is required to share proof of address and source of funds which gets reviewed by the team and the customer is approved for further transactions if there are no suspicious flags.

Legal Entity : The customer is required to share source of funds, relevant license, AML policy (attached as Annex 3.4.2) and any other document which is deemed to be required for further investigation. It is reviewed by the team and the customer is approved for further transactions if there are no suspicious flags.

‍

The following countries are an exception from the Enhanced due diligence requirement where we do not do EDD but apply differential scrutiny.

‍

These countries, that are not subject to enhanced due diligence, but subject to differential scrutiny are treated in this manner because

• Bulgaria and Croatia are part of the European Union
• The remaining jurisdictions are fast growing developing economies and house many global financial institutions such as HSBC, Standard Chartered, Wells Fargo and Citibank. 

‍

All users in these jurisdictions are subject to robust checks including sanctions & adverse media screening, ID verification, liveness test, PEP screening, transaction monitoring, browser & behaviour checks, email risks related checks, social media profiling, name matching and crypto monitoring.  EDD (Enhanced due diligence) checks will be triggered in the event of:

• Regulated business activities
• Transaction thresholds being exceeded
• Suspicious events;
• High risk customers.

‍

In addition to the above, transaction limits post KYC and KYB limits in these jurisdictions are lower than those for TransFi users from non-high risk countries.

‍

6. Annex No. 7

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

1. ACCEPTABLE EVIDENCE OF SOURCES OF WEALTH AND SOURCES OF FUNDS

‍

6. Annex No. 8

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

7. TEMPLATE OF THE MLRO QUARTERLY REPORT

‍

MLRO REPORT FOR [Q1 2025]

‍

TRANS-FI UAB (the “Company“) is committed to conducting business operations in a transparent, open manner, consistent with its regulatory obligations. As per the Company’s Policy for the Implementation of the Prevention Measures on Money Laundering and Terrorist Financing (the AML Policy), the aim of this report is to review the AML/CTF program and inform the Company’s Board of the situation and standing of AML / CTF program as well as update on changes and key indicators that are relevant for the reporting quarter. 

‍

1. SUMMARY OF KEY LEGISLATIVE CHANGES 

‍

The following key legislative changes took place during the Reporting Quarter: [Provide a list with a brief summary. If none – add “None”].

‍

2. TYPE OF CRYPTOCURRENCY SERVICED 

‍

The following cryptocurrency is being serviced by the Company: [INSERT].

‍

[Describe differences: newly involved cryptocurrency, expected to be included soon, etc.]

‍

3. NUMBER OF CLIENTS

‍

The following reflects the Company’s Clients’ number and risk scores relevant for the Reporting Quarter:

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. big high-risk customers increase, etc.]

‍

1. CLIENTS’ GEOGRAPHIES

‍

The following reflects the geographies of the Clients (for natural persons – citizenships) relevant for the Reporting Quarter: 

‍

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. high increase of Clients from relevant jurisdiction, etc.]

‍

1. TERMINATED BUSINESS RELATIONSHIP 

‍

The following reflects the number of terminated business relationships with the Client during the Reporting Quarter:

‍

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. termination due to the same occurring reason, etc.]

‍

1. TOTAL NUMBER OF PEPS 

‍

The following reflects the number of PEPs identified in the Clients’ base during the Reporting Quarter:  [number of PEPs], which forms a [percentage]% of the overall Clients’ base equal to [number]. 

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. high and unexpected increase of PEPs, etc.]

‍

2. INFORMATION ON INTERNATIONAL SANCTIONS 

‍

The following reflects the number of international sanctions alerts generated during the Reporting Quarter:

‍

‍

In case of true positive, describe actions that were taken: [FREE TEXT; IF NO SUCH CASES – ADD N/A]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. it was determined that the relevant sanction rule was generating too many false positive Policies and was suspended/eliminated.]

‍

1. TOTAL NUMBER OF INTERNAL INVESTIGATIONS AND SARS

‍

The following is data reflecting the number of Suspicious Activity Reports (“SARs”) submitted to the FCIS during the Reporting Quarter: 

‍

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. enormous increase of SARs and determined reasons for this, etc.]

‍

1. TRAINING 

‍

The following is data about training held for employees of the Company during the Reporting Quarter:

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. scheduled training, conferences, etc.]

‍

1. REPORTING TO AUTHORITIES

‍

The following is information about requests/reports submitted to the relevant regulator during the Reporting Quarter (note: this covers not only submission of the mandatory reports but also all communication with the relevant authority which was initiated on behalf of the institution itself or the Company):

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen]

‍

1. MONITORING AND INVESTIGATION 

‍

Total number of monitoring alerts generated during the Reporting Period: [number] 

‍

Total number of monitoring alerts that are currently being assessed by the Company: [number]

‍

The average term of alert handling: [days]

‍

Other important information: [FREE TEXT FORM]

‍

2. MAJOR INTERNAL PROCEDURE CHANGES 

‍

The following internal procedures were updated, prepared are in a review/preparation stage during the Reporting Period:

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. internal audit is pending which may indicate additional changes]

‍

1. MAJOR SYSTEM CHANGES 

‍

The following systems were installed, updated, and reviewed during the Reporting Period:

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. internal audit is pending which may indicate additional changes]

‍

1. AML / CTF STAFF

‍

During the Reporting Quarter, the Company had in total [number] of employees working in AML / CTF and international sanctions area, from them:

‍

1. [number] – responsible for monitoring;
2. [number] – responsible for FCIS reporting;
3. [number] – reporting for Client identification;
4. [number] – [FREE TEXT].  

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. new positions to be employed in the upcoming quarter, etc.]

‍

2. OTHER INFORMATION 

‍

[FREE TEXT – to add descriptions about other relevant information/cases for the Reporting Quarter. For instance, when an internal audit will be launched/finalized; when EWRA will be performed/launched/finalized; maybe there will be any other changes in organizational structure, etc.]

‍

FREE TEXT – to add descriptions about identified shortcomings in AML / CTF and international sanctions area which, in the opinion of the MLRO, should be addressed to the Senior Management and should be rectified]

‍

3. ACTIONS OF THE MLRO FOR THE UPCOMING QUARTER

‍

Considering the information provided in this Quarterly Report, the MLRO will ensure the following actions during the next quarter:

‍

1. [Ensure that XXX internal procedures are finalized and approved by the Board]. 
2. [Finalize EWRA and submit to the Board]
3. […]
4. […]
5. […]

‍

Name Surname

MLRO     Signature

6. Annex No. 9

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

1. TRAINING LOG TEMPLATE

‍