ポリシー

トランスフィグループ
グローバルプライバシーポリシー

最終更新日: 2024年10月

お問い合わせ
このプライバシーポリシーについてご質問がある場合は、以下にお問い合わせください。
メールで: compliance@transfi.com

1。TransFiのプライバシーポリシーの目的は何ですか？

「TransFi」とは、Trans-Fi Inc. およびその関連会社および世界中の子会社（Trans-Fi UABおよびNEOMONEY INCを含む）を指します。（総称して「TransFiグループ」、「TransFi」、「当社」、「当社」）。

TransFiは、お客様の個人データを他の法人（子会社および関連会社）と共有し、このプライバシーポリシーに従って使用することがあります。

TransFi（すべての子会社および関連会社）のプライバシーポリシー（「プライバシーポリシー」）の目的は、お客様のプライバシーを保護することを約束することです。本ポリシーは、お客様が当社のサービスの利用を選択する際に法的拘束力を持つため、本ポリシーをよくお読みください。関連するデータ保護規則の目的上、TransFiはお客様の情報の「データ管理者」、「データ処理者」、あるいはその両方の役割を果たす場合があります。

このプライバシーポリシーは、お客様が当社のサービスにアクセスする際に、当社がお客様の個人データを収集、使用、取り扱い、および特定の条件下で開示する方法について説明しています。これらのサービスには、次の場所にあるウェブサイト上のコンテンツが含まれます。 www.transfi.com または、TransFi決済取引プラットフォーム（総称して「ウェブサイト」）、またはTransFiウィジェット、アプリケーションプログラミングインターフェイス（「API」）、またはそのようなAPIに依存するサードパーティのアプリケーション、製品（支払い、コレクション、ランプ）および関連サービス（以下、総称して「サービス」）を含む、当社が所有または運営するその他のWebサイト、ページ、機能、またはコンテンツ（総称して「サービス」）。

このプライバシーポリシーでは、お客様の個人情報を保護するために当社が講じた措置についても説明しています。最後に、このプライバシーポリシーでは、個人情報の収集、使用、開示に関するお客様の選択肢について説明しています。本ウェブサイトにアクセスすることにより、本ウェブサイトのプライバシーポリシーに記載されている慣行に同意したものとみなされます。本プライバシーポリシーを承諾せず、同意しない場合、本サービスを利用することはできません。

本ポリシーについてご不明な点がございましたら、下記までお送りください。 compliance@transfi.com。

2。弊社はお客様からどのような個人情報を収集しますか？

個人情報とは、TransFi（またはその代表者またはサービスプロバイダー）が所有している、またはTransFi（またはその代表者またはサービスプロバイダー）が所有している、または所有する可能性のある、そのデータ、およびその他の情報から識別できる、生きている個人に関連するすべてのデータを意味します。情報に加えて、個人情報には、個人に関する意見の表明、および個人に関するTransFiまたはその他の人物の意図を示すものが含まれます。個人情報の定義は、お客様の所在地に適用される関連法によって異なります。TransFiが収集し使用するお客様に関するデータは、本プライバシーポリシーの第2.1条から第2.3条に記載されています。

TransFiは、さまざまな情報源からお客様に関する情報を取得します。「お客様」とは、TransFiとビジネスサービス契約を締結し、またはTransFiとユーザーアカウントを設定し、当社のウェブサイトまたはAPIを通じて提供されるサービスを利用する個人または法人（「ユーザー」）、マネーロンダリング防止（「AML」）またはテロ資金供与対策（「CTF」）の防止要件に基づいて特定され、TransFiによって検証され、現地の規制に従って本サービスを使用して支払いを回収し、支払いを行う法人/企業（「ユーザー」）である場合があります。支払いまたは国境を越えた送金の促進（「クライアント」）（「クライアント」）と契約関係にある法人TransFiクライアントは、TransFiまたはクライアント（「マーチャント」）のいずれかによって検証されたAML/CTF識別要件の対象となる場合があります。マーチャントのクライアントである法人、TransFiまたはマーチャント（「サブマーチャント」）のいずれかによって検証されたAML/CTF識別要件の対象となる可能性のある法人、または提供されるサービスとやり取りするマーチャントのエンドユーザーである個人または法人（「エンドユーザー」）。また、当社のサービスのいずれかの受領者/受益者、または当社のAPIおよびサービスにリンクする当社のWebサイトまたはその他のサービスの訪問者である場合もあります。お客様がマーチャント、サブマーチャント、またはエンドユーザーである場合、お客様による本サービスの利用には、TransFiと当該クライアントとの間の該当する契約が適用されます。

2.1 お客様が当社に提供する情報

これには、アカウントを開設して当社のサービスにアクセスするためにお客様が当社に提供する情報が含まれます。この情報は、法律で義務付けられているもの（本人確認など）、要求されたサービスを提供するために必要なもの（たとえば、アカウントをTransFiにリンクしたい場合は銀行口座番号を提供する必要がある）、または以下に詳しく説明する当社の正当な利益に関連するものです。

お客様が使用またはやり取りしているサービスの性質によって、当社が求める個人情報の種類が決まりますが、以下が含まれる場合があります。

• 個人識別情報：氏名、生年月日、年齢、国籍/市民権、居住国、政府発行のID情報（ID番号、IDタイプ、発行日および有効期限を含む）、社会保障番号、納税者ID番号、アカウント認証情報、位置情報、固有のデバイスの詳細、ネットワーク情報またはインターネットプロトコルアドレス、ウォレットアドレス、性別、署名、公共料金請求書、写真、電話番号、自宅住所、電子メール、その他の情報適用法および規制に基づく当社の法的義務を遵守するために必要であるとみなされる。
• 公的身分証明書：パスポート、ビザ、国民IDカード、州IDカード、運転免許証などの政府発行の身分証明書、および/または適用法および規制に基づく当社の法的義務を遵守するために必要と思われるその他の情報。
• 財務情報：銀行口座情報、支払いカード情報、納税者番号（「TIN」）、取引履歴、取引データ。取引情報については、注文の詳細、ユーザーの銀行口座番号、銀行口座名、およびカード所有者の名前、カード番号、CVV、有効期限などのカード情報を保存します。当社はペイメントカード業界データセキュリティ基準（「PCI DSS」）の認定を受けているため、この情報を安全に保管してコンプライアンス義務を果たし、データセキュリティを確保することができます。TransFi ユーザーアカウントのログイン認証情報は保存しませんが、PCI DSS 標準に準拠してカードの詳細を安全に取り扱い、保管します。支払いカード情報は、安全な第三者サービスプロバイダーによる取引中に、当社のシステムを通じて処理されることもあります。
• 取引情報：受取人の名前、名前、金額および/またはタイムスタンプ、取引の目的、取引の管轄区域など、当社のサービスに関連して行う取引に関する情報。
• 認証情報：本人確認のため。これには、詐欺調査のための情報や、お客様が提供したその他の情報（ご自分の画像や活気確認など）が含まれます。
• 雇用情報:オフィスの所在地、役職、および/または役割の説明、または
• 通信：アンケートの回答、サポートチームまたはユーザー調査チームに提供された情報。

お客様が企業の場合、Know Your Business（「KYB」）の目的で、すべての重要な受益者について、雇用者識別番号（または政府によって発行された同等の番号）、法的成立証明（定款など）、個人識別情報などの情報を求める場合があります。

お客様が以下の情報を当社に提供しない場合、当社はお客様にサービスを提供できないか、またはお客様による本サービスの利用が制限される場合があります。

お客様は、本サービスの利用に関連して当社に提供する情報に加えて、TransFiとの実際のまたは潜在的なビジネス関係に関連する情報を含め、他のチャネルを通じて当社に情報を送信することを選択することもできます。

2.2 当社がお客様について自動的に収集または生成する情報

これには、お客様が当社のウェブサイトを操作したり、当社のサービスを利用したりするたびに、自動的に収集される情報が含まれます。お客様による本サービスの利用に関して、当社は以下の情報を自動的に収集することがあります。

• 取引が行われた地理的位置を含む、当社のサービスを利用する際にお客様が行った取引の詳細
• コンピュータをインターネットに接続するために使用されるインターネットプロトコル（「IP」）アドレス、ログイン情報、ブラウザ名、種類とバージョン、タイムゾーン設定、ブラウザプラグインの種類とバージョン、オペレーティングシステム、位置情報/追跡情報、プラットフォーム、デバイスの詳細を含む技術情報。
• お客様の訪問に関する情報。これには、認証データ、セキュリティに関する質問、当社のウェブサイトまたはモバイルアプリケーションへ、または経由する完全なUniform Resource Locators（「URL」）のクリックストリーム（日時を含む）、お客様が閲覧または検索した製品、ページの応答時間、ダウンロードエラー、特定のページへの訪問時間、ページインタラクション情報（スクロール、クリック、マウスオーバーなど）、ページや使用した電子メールから別のページに移動するために使用された方法が含まれます私達に連絡してください。
• クッキーおよびその他のテクノロジー。多くのウェブサイトと同様に、当社ウェブサイトでは、クッキー、ロケーションベースのサービス、およびウェブビーコン（クリアGIFテクノロジーまたは「アクションタグ」とも呼ばれる）を採用して、お客様による当社ウェブサイトのナビゲーションを迅速化し、お客様とそのアクセス権限を認識し、お客様の利用状況を追跡しています。当社をお読みください。 クッキーポリシー 詳細については。

2.3 第三者から収集された情報

お客様が当社のウェブサイトにアクセスまたは使用したり、当社のサービスを使用したりする場合、お客様に関する情報を受け取る場合があります。これには、第三者の情報源からお客様について入手する情報が含まれます。当社がお客様の個人情報を受け取る主な第三者は、以下のとおりです。

• 適用法に従ってお客様の本人確認を行うための公開データベース、本人確認パートナーID 検証パートナーは、政府記録と公開されているお客様情報を組み合わせて本人確認を行います。このような情報には、お客様の氏名、住所、職務、公的雇用プロフィール、公的機関が管理する制裁措置リストへの掲載状況、その他の関連データが含まれる場合があります。
• ブロックチェーンデータにより、本サービスを利用する当事者が違法または禁止行為、制裁対象地域、ダークネット、児童虐待などに関与していないことを確認し、資金源となるウォレットアドレスをスクリーニングすることにより、研究開発目的で取引の傾向を分析することができます。
• マーケティングパートナーおよび再販業者。これにより、どのサービスがお客様にとって関心があるかをより正確に把握できます。
• お客様が当社への送金に使用する銀行/金融サービスプロバイダーは、お客様の名前や住所などの基本的な個人情報と、銀行口座の詳細などの財務情報を当社に提供します。
• ビジネスパートナーは、お客様の名前と住所、およびカード支払い情報などの財務情報を当社に提供する場合があります。そして
• 広告ネットワーク、分析プロバイダー、検索情報プロバイダーは、お客様が当社ウェブサイトをどのように見つけたかを確認するなど、お客様に関する仮名化された情報を当社に提供する場合があります。

3。お客様の個人情報はどのように使用されますか？

当社は、お客様の情報を以下の方法および目的で使用することがあります。

(a) 内部利用：当社は、お客様に当社のサービスを提供するためにお客様の個人情報を使用します。当社は、ウェブサイトのコンテンツやレイアウトを改善し、マーケティング活動を改善するために、お客様の個人情報を使用する場合があります。さらに、お客様の情報を使用して、詐欺、不正または違法行為からの保護、身元とサービスへのアクセスを監視し、セキュリティリスクに対処することにより、サービスの安全性、セキュリティ、および完全性を確保します。

(b) お客様とのコミュニケーション：お客様の希望に応じて、適用法に従い、イベントに関する通知、ターゲットを絞ったマーケティングの提供、およびプロモーションオファーの共有を目的として、マーケティングコミュニケーションを送信する場合があります。これには、当社のサービス、機能、プロモーション、アンケート、ニュース、アップデート、イベントに関するメールまたはモバイルアプリケーション通知の送信、プロモーションやイベントへのお客様の参加の管理、ターゲットを絞ったマーケティングの提供、ウェブサイトでの訪問者の利用行動に関する一般情報の確認などが含まれます。当社のマーケティングは、お客様の広告およびマーケティングに関する好みに従い、適用法で許可されている範囲で実施されます。当社は、本サービスを提供および維持するために、お客様の身分証明書、連絡先、支払情報などの特定の情報が必要です。お客様が新規ユーザーまたはクライアントである場合は、お客様がかかる通信に同意した場合に限り、マーケティング目的で電子的手段でお客様に連絡します。当社によるマーケティングコミュニケーションの送信を希望しない場合は、アカウント設定に移動してオプトアウトするか、以下の方法でリクエストを送信してください。 compliance@transfi.com。

管理情報またはアカウント関連情報、セキュリティ問題、またはその他の取引関連情報に関するサービスの最新情報をお送りする場合があります。これらの連絡は、お客様による本サービスの利用方法に影響する可能性のある、お客様のアカウントに関する進展を共有するために重要です。重要なサービス通信の受信をオプトアウトすることはできません。

また、お客様が質問、紛争の解決、料金の徴収、または問題のトラブルシューティングのために当社に連絡したときも、お客様の個人情報を処理します。このような目的でお客様の個人情報を処理しない限り、お客様の要求に応えることはできず、サービスの利用が中断されないことを保証することもできません。

(c) 法律および規制の遵守：TransFiは、AML/CTF、およびセキュリティ法に従ってお客様の個人情報を処理する必要があります。セキュリティ法には、特定の方法によるお客様の情報の収集、使用、保存が含まれる場合があります。たとえば、写真付き身分証明書の収集や、第三者のサービスプロバイダーを利用してお客様の個人情報をデータベースや公的記録と比較するなど、本サービスを利用しているお客様を特定して確認する必要があります。お客様が銀行口座をTransFi口座にリンクしようとする場合、適用法で義務付けられているとおり、お客様の身元または住所の確認およびリスク管理のための追加情報を求める場合があります。さらに、法執行機関からの要請、召喚状、裁判所命令に応じて、または法律で義務付けられている場合、および当社の法的権利の保護、契約の執行、または当社サービスの詐欺や悪用の防止に必要な場合には、個人情報を開示することがあります。これには、アカウントの不正利用や資金の損失の軽減、苦情、請求、紛争の調査、規制上または法律上の要求/問い合わせへの対応などが含まれます。

(d) 外部利用：当社は、サービスプロバイダーがお客様に代わってサービスを実施できるようにするために、情報を開示します。たとえば、デジタル資産の購入と保管を円滑に進めるために、お客様の名前、メールアドレス、住所、社会保障番号、生年月日、政府発行の身分証明書、購入されたデジタル資産の金額などの特定の情報を第三者と共有します。さらに、当社が収集して第三者と共有するデータの種類は、生年月日、居住国、名、姓など、お客様が当社に提供する情報の上に記載されています。名前、ID番号、IDタイプ、ID発行日、ID有効期限、銀行口座番号、銀行口座名、およびカード情報（カードに記載されている名前、カード番号、CVV、有効期限など）。

当社は、非個人情報（当社のウェブサイトへの毎日の訪問者数や特定の日に行われた注文の量など）を第三者と共有する場合があります。この情報は、お客様やユーザーを直接特定するものではありません。誤解を避けるために説明すると、当社が収集したIPアドレス、デバイス、その他の識別子は、1つまたは複数の第三者と共有される場合があります。

(e) 当社の正当な事業上の利益：以下のような当社の正当な事業上の利益のために、お客様の個人情報の処理が必要な場合があります。

• 品質管理とスタッフトレーニング。
• セキュリティを強化し、身元またはサービスへのアクセスを監視および検証し、スパムやその他のマルウェアまたはセキュリティリスクに対抗するため。
• 研究開発の目的;
• 当社のサービスおよびウェブサイトをより快適にご利用いただくため。
• 企業買収、合併、または取引を促進するため。

ソフトウェアのバグや運用上の問題のトラブルシューティングなど、サービスの提供に必要な内部業務を実施するため。

4。どのような個人情報を第三者に開示しますか？

当社は、業務を遂行するためにアクセスを必要とする者のみがお客様の個人情報にアクセスし、アクセスする正当な目的を持つ第三者にのみ個人情報を共有することを許可しています。TransFiは、お客様の明示的な同意なしに、お客様の個人情報を第三者に販売または貸与することはありません。当社は、お客様の個人情報を、以下を含む特定の第三者にのみ共有します。

• 詐欺を防止するための本人確認サービス。これにより、TransFiは、お客様から提供された情報を公の記録やその他の第三者のデータベースと比較することにより、お客様の身元を確認することができます。
• お客様が承認した支払いを処理するために当社が提携している金融機関
• 関連会社、ビジネスパートナー、サプライヤー、および下請け業者が、それらまたはお客様と締結した契約の履行および履行のため。
• 当社ウェブサイトの改善と最適化を支援する分析および検索エンジンプロバイダー。
• 事業譲渡または破産手続きに関連する企業またはその他の第三者。
• TransFi資産を購入する企業またはその他の団体
• 法執行機関、規制当局、またはその他の第三者（TransFi、TransFiの顧客、第三者、または公衆の権利、財産、安全の保護、法的義務または要求の遵守、当社の条件およびその他の契約の執行、またはセキュリティ、詐欺、または技術的な問題の検出または対処を含む）が合理的に必要であると当社が誠実に判断した場合。
• お客様が1つまたは複数の第三者アプリケーションに当社のサービスへのアクセスを許可した場合、お客様がTransFiに提供した情報はそれらの第三者と共有される場合があります。お客様がTransFiアカウントとTransfi以外のアカウント、支払い手段、またはプラットフォームとの間で許可または有効にした接続は、「アカウント接続」とみなされます。お客様が追加の許可を与えない限り、TransFiは、これらの第三者に対し、本サービスを利用したお客様の取引を促進する以外の目的で当該情報を使用することを許可しません。お客様がやり取りする第三者には独自のプライバシーポリシーが必要であり、TransFiはその運営や収集したデータの使用について責任を負わないことにご注意ください。

アカウント接続の例には以下が含まれます。

• マーチャント：お客様がTransFiアカウントを使用して第三者のマーチャントと取引を行う場合、マーチャントはお客様とお客様の取引に関するデータを当社に提供することがあります。
• お客様の金融サービスプロバイダー:たとえば、お客様が銀行口座から当社に送金する場合、お客様の銀行は、取引を完了するために、お客様の口座に関する情報に加えて識別情報を当社に提供します。

お客様は、お客様とTransFiとの関係が終了した後も、TransFiが以下の1つまたは複数の目的でお客様の個人データを妥当な期間使用および開示し続ける場合があることを認め、同意します。

• TransFiが契約に基づくお客様に対する未払いの義務を履行できるようにするため（該当する場合）。
• 該当する場合、TransFiが任意の契約に基づく権利を行使できるようにすること。
• お客様が書面による同意を得たあらゆる目的のため
• 適用法で義務付けられている場合、および管轄裁判所からの命令により義務付けられているとおり。

5。他のサイトへのリンク

当社のウェブサイトには、お客様の利便性または情報提供を目的として、他のウェブサイトへのリンクが含まれている場合があります。これらのウェブサイトはTransFiとは関係のない団体によって運営されており、当社はそのコンテンツやプライバシー慣行を管理、推奨、または責任を負いません。リンク先のウェブサイトには、それぞれ独自の利用規約およびプライバシーポリシーが定められている場合があり、それらは当社のものとは異なる場合があります。TransFiは、これらの外部サイトの慣行やポリシーについて責任を負わないため、第三者のウェブサイトにアクセスするたびにこれらのポリシーを確認することをお勧めします。

6。個人情報をどのように保護し、保存するか？

TransFiは、お客様の個人情報を保護するための合理的な対策を実施し、維持しています。お客様のファイルは、関連情報の機密性に応じた保護手段で保護されています。当社のコンピューターシステムには、合理的な管理 (アクセス制限など) が設けられています。

TransFiは、複数の国で事業を展開する国際企業です。つまり、お客様の国以外の場所に移転する可能性があります。当社がお客様の個人情報を他の国に移転する場合、当社はお客様の個人情報の移転が適用されるデータ保護法に準拠していることを確認します。

暗号化された銀行口座やルーティング番号などの特定の支払い情報を含む、お客様の個人情報および取引情報の全部または一部を保存および処理する場合があります。当社は、適用法および規制に従い、物理的、電子的、および手続き上の保護手段を維持することにより、お客様の個人情報を保護します。

雇用条件として、TransFiの従業員は、データ保護法に関連するものを含め、適用されるすべての法律および規制に従う必要があります。機密性の高い個人情報へのアクセスは、職務を遂行するためにそれを必要とする従業員に限定されます。TransFiの従業員による顧客の機密情報の不正使用または開示は禁止されており、懲戒処分の対象となる可能性があります。

最後に、一部のコンピューターハードウェアの物理的なセキュリティについては、サードパーティのサービスプロバイダーに頼っています。当社は、これらの第三者サービスプロバイダーに対し、商業的に合理的なセキュリティ慣行および対策を遵守するよう求めています。たとえば、お客様が当社のウェブサイトにアクセスすると、安全な環境に置かれたサーバーにアクセスすることになります。当社はお客様の個人情報を保護し、お客様のアカウントを保護するために業界標準の予防措置を講じていますが、完全に安全なシステムはありません。そのため、お客様は潜在的な侵害とその結果のリスクを負うことになります。アカウントを保護するために、認証情報を保護し、登録時に複雑なパスワードを選択し、二要素認証などの高度なセキュリティ機能を有効にし、アカウントの認証情報を第三者と共有しないようにしてください。

当社がお客様の個人情報を匿名化してお客様と関連付けられないようにした場合、その情報はもはや個人情報とは見なされず、お客様への通知なしに使用することができます。

18歳未満の人から個人情報を収集するよう意図的に要求することはありません。個人情報を送信したユーザーが18歳未満であると疑われる場合、TransFiはユーザーにアカウントの閉鎖を要求し、ユーザーが当社のサービスを継続して使用することを許可しません。また、できるだけ早く情報を削除するための措置を講じます。

当社は、意図された目的を達成し、契約上および法的義務を果たすために合理的に必要な限り、個人情報を保持します。メールアドレスと電話番号は、ユーザーがTransFiサービスを使用するまで保存され、ユーザーが登録を解除するか削除した後も、データは5年間保持されます。法律により長期間の保存が義務付けられている場合を除き、情報は不要になった時点で削除または匿名化されます。TransFiは、AML/CTF規制に基づいて特定の情報を保持し、5年間データを保持します。情報を完全に削除または匿名化できない場合、さらなる処理が行われないように合理的な措置を講じます。

7。プロファイリングや自動意思決定は行っていますか？

当社は、当社のサービスおよびお客様に提供する情報をカスタマイズするため、およびお客様のニーズ（お客様の住所の国や取引履歴など）に対応するために、お客様のデータの一部を使用する場合があります。たとえば、お客様がある特定の通貨から別の通貨に頻繁に送金する場合、当社はこの情報を使用して、お客様にとって有用と思われる新製品のアップデートや機能についてお知らせすることがあります。その際、お客様のプライバシーとセキュリティを確実に保護するために必要なすべての措置を講じ、可能な限り仮名化されたデータのみを使用します。この行為はお客様に法的効力を持ちません。

8。あなたのプライバシーと情報へのアクセス権はどのようになっていますか？

お住まいの地域の適用法によっては、個人情報に関する特定の権利を主張できる場合があります。これらの権利には以下が含まれます。

• お客様の個人情報の処理に関する情報を取得する権利、および当社がお客様について保持している個人情報にアクセスする権利。
• 個人情報の処理に対する同意をいつでも撤回する権利。ただし、別の正当な理由がある場合（たとえば、法的義務を遵守するために個人情報を保持する必要がある場合など）には、引き続きお客様の個人情報を処理する権利がある場合があることに注意してください。
• 状況によっては、構造化され、一般的に使用され、機械で読み取り可能な形式で個人情報を受け取る権利、および/または技術的に可能な場合にそのデータを第三者に送信するよう要求する権利。この権利は、お客様がTransFiに直接提供した個人情報にのみ適用されることにご注意ください。
• お客様の個人情報が不正確または不完全である場合に、その修正を当社に要求する権利
• 特定の状況において、お客様の個人情報を消去するよう当社に要求する権利。お客様が当社に個人情報の消去を求める場合がありますが、当社にはそれを保持する法的権利があることにご注意ください。
• 特定の状況におけるお客様の個人情報の処理に異議を唱える権利、または当社がお客様の個人情報を処理することを制限するよう要求する権利繰り返しになりますが、お客様が当社によるお客様の個人情報の処理に異議を唱えたり、制限を求めたりする場合もありますが、当社にはその要求を拒否する法的権利があります。
• お客様の権利のいずれかが当社によって侵害されたと思われる場合に、関連するデータ保護規制当局に苦情を申し立てる権利、および
• データ管理者間で個人データを転送する権利。たとえば、アカウントの詳細をあるオンラインプラットフォームから別のオンラインプラットフォームに移動する権利。

当社のサービスには、当社のパートナー、広告主、および関連会社のウェブサイトとの間のリンクが含まれている場合があります。これらのウェブサイトへのリンクをたどる場合、これらのウェブサイトには独自のプライバシーポリシーがあり、弊社はそれらについて一切の責任を負わないことにご注意ください。これらのウェブサイトに個人データを送信する前に、これらのポリシーを確認してください。お客様の権利に関する詳細情報は、お客様の管轄区域に所在するデータ保護監督当局に問い合わせることで入手できる場合があります。

適用法に従い、お客様は当社が保有するお客様に関する情報にアクセスする権利を有する場合があります。お客様のアクセス権は、関連するデータ保護法に従って行使できます。

9。プライバシーポリシーはどのくらいの頻度で更新されますか？

当社は、当社の情報慣行の変更を反映するために、お客様への事前の通知なしに本プライバシーポリシーを随時更新することがあります。そのような修正は、すでに収集され、収集される予定の情報に適用されるものとします。本プライバシーポリシーが変更された後も、お客様が当社のウェブサイトまたはいずれかのサービスを継続して使用することは、改訂されたプライバシーポリシーの条件に同意したものとみなされます。

このプライバシーポリシーを定期的に、特に個人データを当社に提供する前に、確認してください。このプライバシーポリシーに重大な変更を加える場合は、ここ、電子メール、または当社ウェブサイトのホームページの通知によってお客様に通知します。プライバシーポリシーの最終更新日は、本文書の上部に記載されています。

10。プライバシーに関する質問については、どのように当社に連絡すればよいですか？

このプライバシーポリシーについてご質問がある場合は、compliance@transfi.com までお問い合わせいただくか、以下の関連団体に郵送してください。

トランスファイ UAB

リトアニア、ビリニュスLT-09313、リヴィボ通り 21A

株式会社ネオマネー

325 フロントストリートウエスト 2階

オンタリオ州トロント M5V2Y1

カナダ

トランスフィー AML KYC ポリシー

最後にアップデートされたのは：2025年4月February 2025

‍

‍

1. INTRODUCTION 
   
   1. The purpose of this Policy is to define the ML / TF prevention measures and the enforcement thereof in the process of the Company’s operations.
   2. The Company shall carry out its business aiming to ensure effective prevention of ML / TF as required by the Law and other applicable legal requirements and good practice. Taking this into account, all employees of the Company shall adhere to the procedure and requirements for the implementation of the ML / TF prevention measures as outlined herein.
   3. Managing ML/TF risks shall be an integral part of the Company’s overall risk management system. Considering the scope and nature of its business, the Company shall implement ML / TF risk identification, assessment, and management procedures, as well as effective tools to mitigate such risks.
   4. In managing its ML / TF risks, the Company shall at all times ensure compliance with the requirements outlined in the present Policy to the maximum extent possible. 
   5. In case the Company performs certain functions related to the ML/TF field (for instance, Customer identification, and monitoring) through third parties, the Company shall ensure that such third parties also comply with requirements established under the Policy and the Law. 
2. RISK APPETITE STATEMENT

‍

1. The Company has zero tolerance for financial crime, regulatory breaches, and any attempt to circumvent the Company’s financial crime policies and controls. However, being engaged in the provision of Services, the Company cannot completely avoid ML / TF risks, and aiming to minimize them to the lowest extent possible, the Company applies relevant control measures which are described in this Policy and which are technically ensured in real activities. 
2. While engaging in provision of Services, the Company adheres to the following core principles (list not exhaustive):
   
   1. To show zero tolerance for the facilitation of financial crime, money laundering, financing of terrorism, and fraud;
   2. To avoid knowingly conducting business with individuals or entities believed to be engaged in inappropriate and unlawful behavior;
   3. To avoid risks that could jeopardize the Company’s strategic plans, including activities that could make the Company vulnerable to any type of public or private litigation or enforcement that could be damaging to the Company’s reputation and cause deterioration of relationship with regulators;
   4. To avoid or seize any activity/service towards which the Company’s management believes that the Company’s control mechanisms cannot protect the Company from risks that exceed the tolerance threshold;
   5. To regularly perform enterprise-wide risk assessment aiming to identify changes within the Customers’, products’, geographics’ and distribution channels’ base and verify whether existing control measures are sufficient to make the residual risk low;
   6. The Company aims to have strong and sufficient control measures mitigating ML / TF risks so that the residual risk would always be low; etc.;
3. Company managers at all levels are particularly responsible for evaluating their risk environment, implementing appropriate controls, and monitoring the effectiveness of those controls. The risk management culture emphasizes careful analysis and management of risk in all business processes.

3. CRYPTOCURRENCIES ACCEPTED. DEALING WITH ANONYMITY 
   
   1. The Company services the following cryptocurrencies: USDC, EUROC, SOL, TON, and BNB. In time, the Company may start servicing other cryptocurrencies as well. 
   2. The Company does not provide any Services involving cryptocurrencies that prioritize anonymity. The Company will apply a wallet screening function, both in deposit and withdrawal cases,  which will allow identification of risky wallets and any exposure to tainted funds in the wallet (e.g. related to sanctioned jurisdictions, dark market, child abuse tumblers, mixers, etc.).
   3. This means that the Company will not process any transactions that cannot be traced back to a specific individual or entity.
4. ACCEPTABLE CLIENTS’ SEGMENT 
   
   1. The Company shall offer and provide Services for both individual and corporate Clients. 
   2. In the case of individuals, any user over 18 years of age is an acceptable Client (below 18 years – not accepted). The upper age limit is 60 years of age for Europe and 70 years of age for other countries we work in (older natural persons are not accepted).
   3. In the case of legal entities, we engage with trusted Customers who are identified and verified thoroughly through the KYB process where we not only verify the documents but also do a thorough internet profiling to know about any online footprint. Additionally, the business relationship is established after several rounds of conversations, which establishes trust. 
5. SERVICE PROVIDERS AND TOOLS
   
   1. The Company leverages certain third-party tools for our Compliance framework:
      
      1. KYC / KYB verification (identity verification) – SumSub (www.sumsub.com);
      2. Crypto transaction monitoring – Chainalysis (https://app.chainalysis.com/); 
      3. Wallet monitoring – Chainalysis (https://app.chainalysis.com/);
      4. Sanctions screening – SumSub (www.sumsub.com);
      5. Internet profiling – With Accend (withaccend.com);
      6. Email risks check – At data (https://instantdata.atdata.com/);
      7. Device and behavior biometrics – Sardine (www.sardine.ai)
6. RESPONSIBLE PERSONS
   
   1. The following bodies and officers are involved in the AML / CTF implementation functions within the Company:
      
      1. the Board;
      2. Responsible AML Board member;
      3. MLRO (2^nd line officer);
      4. CEO (to a certain extent);
      5. Compliance Officer ( 2nd line officer).
   2. The Board shall have the following responsibilities in the AML / CTF area:
      
      1. Approve the AML / CTF Policy and other Policy level documents;
      2. Review quarterly compliance reports submitted by the MLRO. Provide feedback and recommendations; 
      3. Reviewing, giving comments, and approving annual Enterprise-Wide Risk Assessment and its methodology;
      4. Overview the entire AML / CTF framework, decide on the provision of the required budget for AML / CTF measures implementation;
      5. Hear out the Responsible AML Board member and the MLRO, when necessary;
      6. Discuss AML / CTF matters during the Board meetings (based on the prepared agenda), decide on the required actions and measures;
      7. Perform other duties and functions assigned to the Board by this Policy as well as other internal documents of the Company and laws.
   3. The Responsible AML Board member shall have the following responsibilities in the AML / CTF area:
      
      1. Supervise activities of the MLRO, advise and/or give assistance when required by the MLRO; 
      2. Organize the implementation of the AML / CTF framework within the Company. This involved being the first point (with the MLRO) in addressing and highlighting the main AML / CTF aspects that require improvement, change, etc. Such highlighting should be made to the Senior Management; 
      3. If requested by the MLRO, review quarterly compliance reports prepared by the MLRO (prior to the review of the Board as a body);
      4. Perform other duties and functions assigned to the Responsible AML Board member by this Policy as well as other internal documents of the Company and laws.
   4. The MLRO shall have the following responsibilities in the AML / CTF area:
      
      1. Implementing the AML / CTF framework within the Company;
      2. Ensuring timely and proper communication with and timely reporting to FCIS; 
      3. Reporting every quarter to the Senior Management of the Company regarding the Company’s activity data, including the number of Customers onboarded by the Company during the relevant quarter, profiles of such Customers (i.e. how many natural persons and how many legal entities were onboarded during the relevant quarter, from what jurisdictions they are, to which risk groups they were assigned, number of Customers with whom Business Relationship was terminated, etc.). Template of such Quarterly Report is provided as Annex No. 8 to this Policy;
      4. Approving/rejecting high-risk customers; 
      5. Organizing and ensuring ongoing Company employee education in the ML/TF area, including organization of training for employees related to identifying suspicious activity, understanding customer identification, and record-keeping requirements;
      6. Ensuring that all employees working with the Customers and their onboarding, risk assessment, monitoring, etc. are familiarized with this Policy and annexes thereof, and all related Company’s internal documentation;
      7. Ensuring the proper implementation of Know Your Customer requirements in the Company’s activities, including proper assessment of Customer’s identification documents, collection of their copies, record keeping, etc.; 
      8. Ensuring implementation of transaction monitoring procedures;
      9. Ensuring that the Policy and annexes thereof are revised and updated (if needed) regularly (at least once per year);
      10. Ensuring that the Company keeps and maintains all the required records and logs; 
      11. Ensuring that ML/TF prevention measures applied by the Company are properly integrated in the Company’s internal control system; 
      12. Be responsible for writing, updating, and maintaining the Company’s procedures and other documents related to ML/TF prevention area;  
      13. Preparing the annual Enterprise-Wide Risk Assessment and presenting it to the Senior Management; 
      14. Perform other duties and functions assigned to the MLRO by this Policy as well as other internal documents of the Company and laws.
   5. The CEO’s responsibilities shall include, but shall not be limited, to:
      
      1. Ensuring that the Company’s UBOs data are provided to the JANGIS (Centre of Register of Lithuania) in time;
      2. Getting familiar with all documents, reports, and information submitted by the MLRO and/or the Board of Directors; 
      3. Approving the Procedure, Rules, Methodology, and Description level documents (the Board shall also have a right to approve such level documents);
      4. Implement Board of Directors decisions to the extent requiring the CEO’s involvement; 
      5. Perform other duties and functions assigned to the CEO by this Policy as well as other internal documents of the Company and laws.
   6. The Compliance Officer shall have the following responsibilities in the AML / CTF area:
      
      1. Ensure that the risk of non-compliance with Applicable Laws is properly managed, that ongoing monitoring of non-compliance risk is performed, non-compliance risks are identified and assessed and measures of managing such risks are planned and implemented;
      2. Identify the need for changes in the regulation of the Company’s activities, identify regulation gaps, including gaps arising from amendments to Applicable Laws, inform the Management Bodies of these gaps and required changes, draft compliance-related documentation, and participate in the development of internal rules and procedures of the Company related to the compliance risks;
      3. Prepare, on the basis of elements provided in Annex no. 1 to this Policy, an annual Compliance Monitoring Programme and implement supervision of compliance based on this programme;
      4. Oversee compliance monitoring activities across the Company, ensure that identified gaps are corrected, implement relevant recommendations, and provide updates to the Management Bodies. Analyze proposed amendments to legal acts, inform the Management Bodies and employees of upcoming requirements, and ensure the Company is prepared for these changes;
      5. Organize and direct investigations in situations where non-compliance with Applicable Laws is suspected, examine all cases of non-compliance, determine the level of risk in each case, and implement urgent measures to ensure compliance in the future;
      6. Participate in the decision-making process to ensure compliance requirements are met, provide advice on risks related to new services, and substantial changes in existing services, and offer input on legal requirements related to business decisions, license updates, or renewals;
      7. Set compliance principles, rules, and procedures, monitor the efficiency of risk management measures related to compliance with Applicable Laws, and make proposals for the regulation of the Company’s compliance processes;
      8. Provide information and assist in organizing training for employees on compliance-related areas and changes in compliance-related Applicable Laws, participate in the process of conducting compliance training for new employees, and inform the team leads of Functions about changes in legal provisions on a regular or ad hoc basis. The team leads of structural units must pass the information to their subordinates;
      9. Inform the Management Bodies of any breaches of Applicable Laws, prepare and submit reports on their activities, record situations where deviations from the Compliance Officer’s recommendations are observed, and take part in the meeting of the Management Bodies at which the compliance risk assessment reports and/or the reports on the implementation of compliance function are considered;
      10. Liaise with the Supervisory Body, Financial Crime Investigation Service of the Republic of Lithuania (FCIS), perform the function of a contact person or coordinate the relationships with them, and provide information to the Supervisory Body and other competent institutions about incidents and other significant circumstances, take part in the investigations, checks, inspections, and other actions taken by supervisory authorities to the extent not covered by the Money Laundering Reporting Officer;
      11. Receive information about important customers’ complaints, take part in the complaints handling process, where required, and supervise complaints’ handling process in case of need;
      12. Undertake any other duties as assigned by the Board or derived from internal documentation.
   7. Rights, functions, responsibilities, duties, etc. of the above-listed bodies and officers, as well as other positions formed within the Company, may be established in other internal documents as well. The above lists shall be read as initial (general) ones.
7. Customer IDENTIFICATION The Company’s Customers are legal entities and natural persons.
   
   1. The Company performs Customers’ identification procedures remotely. Physical identification measures are not applied by the Company.
   2. Detailed instructions on Customer identification procedures and applicable requirements are established under Annex No. 1 to this Policy.
8. RISK ASSESSMENT 

Risk groups 

1. To assess the ML/TF risks, the Company shall deploy a risk-based approach.
2. The Company recognizes the following types of risks relevant to its activities:

1. According to the nature:
   
   1. Customer risk;
   2. Country / geographical area risk;
   3. Product/services risk; 
   4. Delivery channel risk.
2. According to the risk level:
   
   1. Low;
   2. Medium;
   3. High.
   4. Unacceptable

Individual risk assessment

3. The Company shall perform an individual risk assessment of each Customer:

1. Before entering into the Business Relationship with the Customer; or

Client

2. In case the Company becomes aware of certain circumstances indicating the possible change in Customer’s risk group;
3. In case of concerns regarding the correctness of previously collected Customer’s KYB / KYC data or when there are concerns that possible ML / TF activity may be taking place. 

4. Each Customer of the Company shall always be assigned to the relevant risk group. The Company must maintain a tool for Customer risk segmentation which allows, after assessing relevant individual circumstances of the Customer, to assign the Customer to a relevant risk group as listed under Section 8.2 above.

Enterprise-wide risk assessment

5. The Company shall at least once a year perform Enterprise-Wide Risk Assessment of all risks relevant to its activities (Clause 8.2(i) of this Policy). The purpose of such assessment is to establish the risk level to which the Company is exposed to be able to assess how relevant risk criteria and risk levels evolved over time and to decide whether identified changes require putting in place additional measures or to re-consider set risk tolerance levels. 
6. Enterprise-Wide Risk Assessment shall be performed in a written format. The MLRO is responsible for the performance of the Enterprise-Wide Risk Assessment which shall be prepared and submitted to the Senior Management of the Company. The Enterprise-Wide Risk Assessment shall be performed by the MLRO of the Company following the risk assessment methodology to be approved by the Board.

9. MONITORING OF BUSINESS RELATIONSHIP 

1. The Company shall carry out ongoing monitoring of the Business Relationship and wallets. This includes transaction monitoring and keeping the underlying Customer’s information up to date.
2. The Company shall ensure and apply both the instant and retrospective monitoring procedures. The difference between them is that:

1. Instant monitoring – following criteria and scenarios set by the Company, the system „catches” potentially suspicious transactions or operations and does not release them until the MLRO or other authorized compliance employee looks into it and ascertains that the transaction/operation is not suspicious and may be released. Such an assessment shall be started by the MLRO or other authorized compliance employee within 1 (one) business day as of the day when the alert is generated. The alert assessment time should be reasonable, and the MLRO or other authorized compliance employee should take appropriate and timely measures to ascertain whether the transaction/operation is suspicious or not. If the Customer is requested to provide additional information needed for the assessment, the overall alert assessment term may be extended, however, in such a case the Customer needs to be informed that the Customer’s transaction/operation will not be executed until the Customer provides sufficient information. The term shall not be extended for more than 4 days in total (except for very specific situations when there is a reasonable ground to extend the term more). If the Customer fails to provide requested information and/or if the assessment shows that the transaction or operation is suspicious, the MLRO of the Company shall submit a Suspicious Operation Report to FCIS as specified under Section 13 of this Policy. 

‍

2. Retrospective monitoring – there are two types of retrospective monitoring to be applied by the Company:

‍

1. Following criteria and scenarios set by the Company, the system „catches” activities that are not standard for the particular Customer, but which are executed and not blocked on a real-time basis. Such „caught” transactions or operations shall be assessed by MLRO or other authorized compliance employee no later than within 30 calendar days period from the moment the relevant transaction or operation was flagged in the retrospective monitoring system. If the assessment shows that the transaction or operation is suspicious, the MLRO of the Company shall submit a Report to FCIS;
2. On a regular basis but not less frequently than once per half a year the MLRO may decide to check historical transactions of a relevant type of Customer which would serve as a secondary measure in addition to the main retrospective monitoring procedure described in item (a) above. The aim of such additional checks is to ascertain that all potentially suspicious or non-standard transactions were found and assessed by the Company. MLRO shall be responsible and shall decide what type of Customers should be checked (e.g. 10 biggest Customers according to the amount of their payments; Customers whose payments are related to high-risk geographical regions, etc.).

3. The Company shall monitor transactions to ensure that they are in line with the Customer’s risk, and examine the source of funds when required (Annex No. 7 to this Policy) to detect possible ML / TF. The Company shall also keep the documents, data, or information it holds up to date, with a view to understanding whether the risk associated with the Business Relationship has changed.
4.            The Company collects source of funds documents under the following circumstances: 
   
   1. All types of Customers: when they are high risk are subjected to EDD;
   2. All types of Customers: when they reach daily / monthly transaction thresholds;
   3. All types of Customers: when the Client’s transaction behavior shows major changes (e.g. order size is significantly bigger than the average order size of previous transactions);
   4. Only legal entity Customers: All businesses that fall under our requirements of EDD are required to submit these documents. EDD kicks in when the business falls under the following criteria:

• Provide crypto / digital assets services 

• Provide other crypto / digital assets services 

• Provide money services/payments / other financial services 

• Are regulated gambling services 

• Any Customer with a politically exposed beneficial owner 

5. Individuals: All individuals that are PEP are required to submit these documents 

‍

5. Monitoring (instant and/or retrospective) might be carried out by using the services of third parties. In such a case the Company shall ensure that third parties would follow requirements specified in this Policy and the Law and would align their IT systems and platforms so that all monitoring criteria and scenarios set by the Company would be properly covered.
6. The Company will use a risk-based matrix that will define various risk levels, namely, high, medium, and low. All the risk categories will be subjected to transaction thresholds which are based on various qualifiers in the case of an individual or a legal entity:
   
   1. Individual: the Company will categorise the Client in various risk categories and impose transaction thresholds based on the selection of payment methods and jurisdictions along with user behaviour.
   2. Legal entity: The Company will categorise the Client into various risk categories and impose transaction thresholds based on various risk factors like the pedigree of the company, Internet risk profiling score, onboarding tenure, and geographical risks.
7. The Company will use a comprehensive approach to transaction monitoring including, but not limited to screening i.e., monitoring transactions in real-time, and monitoring i.e., analyzing transactions later. The objective of screening is to identify: 
   
   1. Suspicious and unusual transactions and transaction patterns; 
   2. transactions exceeding the provided thresholds.
8. The screening of the transactions is performed automatically and includes the following measures: 
   
   1. Established thresholds for transactions, depending on the user/Client's risk profile and the estimated transaction turnover declared by the user/Client; 
   2. The scoring of virtual currency wallets where the virtual currency shall be sent in accordance with the user / Client’s order; 
   3. The scoring of virtual currency wallets from which the virtual currency is received.
9. General requirements applicable to monitoring procedures are established under Annex No. 3 to this Policy.

10. SCREENING AGAINST PEP, INTERNATIONAL SANCTIONS AND ADVERSE MEDIA

1. The Company deploys automatic solutions for political exposure, international sanctions, and adverse media screening.
2. Such screening is performed: 
   
   1. Prior to entering into a Business Relationship;
   2. Daily during Business Relationship;
   3. In addition, crypto wallet screening is performed both prior to entering into a Business Relationship as well as prior to each transaction and on an ongoing basis.     
3. Screening against international sanctions is performed for the following persons: 
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
4. Screening against PEP exposure is performed for the following persons: 
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
5. Screening against adverse media is performed for the following persons:
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
6. At least the following data shall be screened: 
   
   1. For natural persons: full name and surname, date of birth (or personal code), citizenship, residence country. 
   2. For legal entities: full title,      registration country, legal entity code, country of actual address or address (if relevant). 
7. If the screening indicates: 
   
   1. That the Client is a PEP – Business Relationship may be started, however, prior to this the Client must undergo enhanced due diligence procedure as specified under Annex No. 1 to this Policy.

‍

2. That the Client is subject to international sanctions – the Client cannot be onboarded, transaction cannot be executed, Services cannot be provided to the Client. The MLRO must notify the FCIS as specified under Section 13 of this Policy. 

‍

3. That the Client is subject to adverse media: 

‍

1. If adverse media indicates that the Client is involved in financial crime, ML/TF cases – the Client must be rejected, Services cannot be provided;
2. If adverse media indicates that the Client is sanctioned –an  assessment regarding the  relevance of international sanctions must be performed and if it is confirmed, then measures listed above under point (ii) must be followed;
3. If adverse media indicates other criteria – the MLRO shall be informed and shall take a decision on whether the Client can be onboarded and if “yes”, which risk group shall be assigned to the Client. 

8. Screening data (evidence proving data screening is/was performed) must be available to the Company. The Company should be able to prove when and how screening was performed, if required (e.g. if requested by the regulator). Such data may be available in the IT systems and tools. 

11. IMPLEMENTATION OF TRAVEL RULE

1. The Travel Rule, as implemented by EU Regulation 2023/1113 and EBA Travel Rule Guidelines, requires that all crypto-asset transfers be accompanied by information on the originator and beneficiary of the crypto-transfer transaction.
2. Crypto-asset transfers conducted by the Company include the following information: 

About the originator of the transfer: 

1. The name of the originator;
2. the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;
3. the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology (if not available – the transfer of crypto-assets is accompanied by a unique transaction identifier);
4. the originator’s address, including the name of the country, official personal document number, and customer identification number, or, alternatively, the originator’s date and place of birth; 
5. subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI, or, in its absence, any other available equivalent official identifier of the originator.

About the beneficiary of the transfer:

1. The name of the beneficiary;
2. the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction;
3. the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology (if not available – the transfer of crypto-assets is accompanied by a unique transaction identifier);
4. subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI, or, in its absence, any other available equivalent official identifier of the beneficiary.

2. The Company shall not allow for the initiation, or execute any outgoing transfer, of crypto-assets before ensuring that all the originator’s information is available and verified. 
3. For the incoming transfers, the Company shall check prior to the acceptance of the transfer whether it maintains all the necessary information and verify whether the beneficiary data accompanying the transfer is verified based on the information maintained by the Company about the beneficiary. If not (e.g. the data is inaccurate, incomplete, etc.), the transaction shall be suspended, until the verified information is received after was requested by the Company, or rejected.

1. RENEWAL OF INFORMATION ABOUT THE Customer (ODD)

1. Information collected about the Customer shall be renewed by the Company within the below timeframes:

‍

2. Review and renewal of information shall cover:
   
   1. Information about the Customer collected during the onboarding process (all KYC information); 
   2. Review of Customer’s identity document – it should be checked whether the ID document is still valid and if valid – additional documents are not required, however, if the ID document is no longer valid – a valid ID document should be required in addition;
   3. Check historical transactions with an aim to determine whether they indicate additional risks or a need to update the Customer’s risk profile. 
3. All data reviewed, updated, collected, and assessed must be stored in the Customer’s file with dates evidencing when the document was collected/assessed.

13. REPORTING TO FCIS (AML / CTF MATTERS)

List of reports:

1. The Company is required to report to FCIS in case of:

1. Suspicious Operations or Transactions (SARs submission).
2. Knowledge or suspicion that the transaction is directly or indirectly related to criminal activity or is intended to be used for such a purpose.
3. Knowledge or suspicion that the Customer will try to perform a suspicious operation/transaction.
4. Report on virtual currency exchange transactions or transactions with virtual currency only if the transaction is suspicious and the MLRO has reasons to believe and the value of such transaction is equal or exceeds 15.000 Eur (or equivalent in another currency, including virtual currency),     Annual report on Company’s activity.

1. Details of each report are the following:

‍

Key communication with FCIS timelines and requirements

1. FCIS shall within 10 business days of the receipt of the report's performance assessment take necessary actions if a basis for this is established (e.g. notify the Police and initiate a pre-trial investigation). FCIS must notify the Company accordingly. 
2. If the Company does not receive a response from the FCIS within 10 business days of the submission of reports listed under Clause 13.2 of this Policy or where the Company is not obligated by FCIS to temporarily restrict the ownership rights in accordance with the procedure established by the Code of Criminal Procedure of Lithuania, this is the basis for the Company to consider that FCIS did not determine any illegal activity and restrictions should be eliminated. However, if the MLRO has doubts regarding the renewal of the suspended transaction/activity of the Customer, the MLRO shall contact the FCIS in addition, and ask for their guidance with respect to the renewal and/or possible institutional actions.
3. The Company shall not be responsible to the Customer for the non-fulfillment of contractual obligations and for the damage caused in the course of performing the duties and actions specified in this Section (as long as they are performed in line with legal requirements). Immunity from legal proceedings shall also apply to the directors or other employees of the Company who report, in good faith, information about suspected ML / TF or Suspicious Operations or transactions carried out by the Customer to the MLRO; they also may not be subject to disciplinary sanctions because of such actions.
4. The Company must ensure that it maintains internal systems enabling MLRO to respond rapidly, through secure channels and in a manner that ensures full confidentiality of inquiries, to the inquiries from the FCIS concerning the submission of the information related to AML / CTF and ensure the submission of this information within 14 working days from the receipt of the inquiry, unless a shorter period is set by the FCIS, this Policy or the Law.
5. All information submitted to the FCIS and/or received from the FCIS shall be considered confidential and not subject to disclosure to third persons, including employees of the Company who are not involved in handling the particular case reported to the FCIS or informed by the FCIS. The MLRO shall be the key contact point for communication with the FCIS and the MLRO shall ensure the confidentiality of FCIS-related information, the email of the MLRO shall be used for communication with FCIS. In addition, information to the FCIS shall be always submitted via a dedicated FCIS information system while email dokumentas@fntt.lt should be used only in exceptional cases (e.g. where the FCIS information system is now available due to technical reasons). Tipping-off prohibition shall be ensured in all cases meaning that information about suspicious Client’s transactions or behaviour and/or a fact that SAR was submitted to the FCIS as well as what exact information led to suspicious cannot be disclosed to the Customer, the Company’s employees who do not have a right to possess such data (i.e. who are not working with the Customer’s case, investigation, etc.) and to third parties, unless exemptions are allowed following legal requirements, including exemptions under Article 23 of Lithuanian AML Law.

Report on 15.000 EUR virtual currency transactions

6. The MLRO is responsible for the submission of information to FCIS regarding virtual currency exchange or other virtual currency transactions if the amount of such transaction is equal to or above EUR “15,000” (irrespective of whether the transaction was carried out as a single or multiple transaction) and considered suspicious by the MLRO. Information about such transactions shall be submitted to FCIS within 7 business days of their performance day. 

Report on suspicious activity/transaction

7. Suspicious Operations or Transactions are those that, by virtue of their nature, in the opinion of the Company, may be related to ML/TF or fraud cases. If it is determined that the relevant transaction or operation is a Suspicious Operation or Transaction, the MLRO of the Company shall report it to FCIS as specified below in this Section.
8. The Company welcomes all applicants unless they are citizens or were born in or reside within the countries under the prohibited countries or are otherwise prohibited persons under applicable AML/CFT legislation. If born in prohibited countries, they may still register if they provide evidence of renouncing their original nationality and taking citizenship of a non-prohibited country.
9. High-risk jurisdictions and other jurisdictions monitored by the FATF, as described in Annex No. 6 to this Policy.
10. The Company shall also screen each applicant/user and, where applicable, associated persons, authorized persons, and BOs of the applicant/user for compliance with sanctions as described in Annex No. 6 to this Policy.
11. The Company engages third-party service providers who provide tools/databases to screen for compliance with the aforementioned sanctions, PEP lists, and money laundering databases.
12. In all cases, the company must complete the verification before accepting the applicant as a user. Any Applicant (or their Related Persons, Authorized Persons, and BOs) who has/have a positive match to the verification list (which after investigation and assessment by Compliance cannot be rejected) and is on a prohibited list (e.g. Applicant in a prohibited country or business) cannot be accepted as a User of the Company and will be rejected from becoming a User.
13. For Applicants (or their Related Persons, Authorized Persons, and BOs) who have/had a positive result (which after investigation and assessment by Compliance cannot be rejected) and are not on the Prohibited List, but have received adverse information as a result of the review, the Company will consider whether the Applicant falls into a high-risk group where ECDD is required before the Applicant can be accepted as a User.
14. The Compliance Service shall keep a record of the results of the screening and the carried-out assessment.
15. A suspicion may be caused by various objective and subjective circumstances, for example, the Customer performs transactions or operations that are not typical to its activities, provides incorrect data on themselves or the operation, is reluctant to provide additional information (documents) about the Customer, the operation being assessed by the Company, etc.
16. When assessing relevant transaction or operation from the suspicious Customer’s activity perspective, the MLRO of the Company shall obtain sufficient information on the ground and purposes of the Suspicious Operation or Transaction, as well as the origin of funds, in order to properly examine the activities and/or operations and transactions carried out by the Customer and must provide their conclusions on that in writing. 
17. The Company is not obliged to find out whether the activity of the Customer contains a composition of crime. If the Company knows or suspects that the transaction or operation is a Suspicious Operation or Transaction, it must:
    
    1. Suspend the transaction/operation (if possible); and 
    2. Notify the FCIS within 3 business hours of the suspension moment.

18. The list of criteria applied when recognizing Suspicious Operations or Transactions is presented in Annex No. 2 to this Policy.
19. Where the transaction/operation fails to meet any criteria specified in Annex No. 2 to this Policy and yet a suspicion arises to an employee of the Company with regard to the operation or transaction and/or the Customer’s activity, such transaction or operations must be regarded as Suspicious Operations or Transactions and shall be reported to FCIS within 3 business hours.
20. The Company is subject to “tipping off” prohibition. This means that the Company is prohibited by law from disclosing (“tipping-off”) to the Customer or other persons (except for the responsible internal team members and relevant authorities) a fact that a suspicious transaction report or related information is being filed or was filled with the FCIS.

12. TERMINATION OF TRANSACTIONS OR BUSINESS RELATIONSHIP 

General requirements

2. If the Customer is reluctant or refuses to provide additional information at the request of the Company, the Company, depending on the nature and importance of such information as well as on the reasons why such information is not provided, may refuse to carry out operations or transactions, terminate their execution or Business Relationship with the Customer.
3. The Company shall not be liable to the Customer for failure to fulfill contractual obligations or damage incurred due to failure to carry out the Customer’s operations or transactions provided that the Company did not carry out the Customer’s operations or transactions on the basis of reasons laid down in below Clause 14.4 of the Policy.
4. The Company shall be prohibited from executing transactions, establishing or maintaining Business Relationships if the Customer:
   
   1. Fails to provide information verifying their identity or is reluctant to provide information necessary to establish his identity or the provided information is insufficient;
   2. Provides incomplete data or it is incorrect;
   3. Are subject to international sanctions;
   4. Do not meet the risk tolerance limits set by the Company;
   5. Requests to provide anonymous services. 
5. In cases specified in Clause 14.4 and after identifying that the relevant operation, transaction, or behavior of the Customer is suspicious (irrespective of whether such operation or transaction was performed or not), the Company shall report the Suspicious Operation or Transaction to FCIS.
6. If during the identification of the Customer the Company has a reason to believe that the ML/TF offense is taking place, and the further process of identification of the Customer may raise suspicions to the Customer that information about him/her may be transmitted to competent law enforcement authorities, the Company may discontinue the process of identifying the Customer and may not establish Business Relationship with the Customer. In these cases, the information shall be transmitted to FCIS as soon as possible but not later than within 1 business day.  

Termination of Business Relationship based on Customer’s initiative

7. The Customer has a right to terminate the Business Relationship with the Company without specifying any reason and unilaterally without applying to court. Particular terms for implementation of such right may be applied based on the Company’s T&Cs.  

Termination of the Business Relationship with the Customer on the Company’s initiative or where so required under legal acts

8. The Company has the right to terminate the Business Relationship with the Customer without any notification in advance and without applying to court, where the legal basis agreed between the Parties via the BSA agreement is met, or where other legal grounds exist. 
9. The Client must immediately (the same business day) be notified via e-mail about the termination of the Business Relationship unless notification is prohibited under the legal acts. If there is a suspicion of ML/TF, the Company shall notify FCIS and until the assessment on suspicious activity is performed by FCIS, termination may be postponed, and the Client cannot be informed about ongoing investigation or application to the FCIS.

13. LOGS. RECORD KEEPING. DATA STORAGE

1. The Company shall keep at least the following logs:

1. Log of Suspicious Operations or Transactions and reports submitted to FCIS; 
2. Log of virtual currency exchange or other virtual currency transactions if the amount of such transaction is equal to or above EUR 15.000, only when considered suspicious by the MLRO (irrespective of whether the transaction was carried out as single or multiple transactions), including data about such transaction reporting to FCIS;
3. Log of Clients with whom transactions or Business Relationships have been terminated due to circumstances related to infringements of the procedure for the prevention of ML / TF, including cases when Business Relationships were terminated because Clients or their representative(s) tried to conceal information about themselves or Beneficial Owners, did not provide all required information, etc.;

‍

2. The templates of the above-mentioned logs to be kept by the Company are provided in Annex No. 4 of this Policy. 
3. Data shall be entered in the logs in chronological order, on the basis of the documents supporting the operation or transaction or other documents with legal effect related to the performance of the operations or conclusion (or termination) of transactions, or termination of Business Relationship, immediately but no later than within three business days as of the performance of the operation or conclusion of the transaction, or the date when the specified circumstances occurred or were established.
4. The following data storage requirements shall be ensured:

‍

1. The time limits for record keeping may be additionally extended for no longer than two (2) years upon a reasoned instruction of a competent authority.
2. The Company shall ensure that the documents and information referred to in Clause 15.4 of the Policy would be stored irrespective of whether: (i) transactions are local or international; and/or (ii) the Business Relationship with the Client continues or has ended.
3. The Company shall ensure that the documents referred to in Clause 15.4 of the Policy would be stored so that it would be possible: (i) to restore information about the specific transaction; and (ii) upon necessity, to provide them and information set out therein to FCIS.

12. EMPLOYEE TRAINING 

4. Ongoing employee training programs related to ML/TF prevention requirements shall be prepared and conducted in the Company under the leadership of the MLRO. The training log shall be prepared by the MLRO each year and shall contain information about training (to be) performed, participants, training dates, titles of the training, organizer, certificates issued, and other relevant information, if any. A training log is provided as Annex No. 9 to this Policy. 

‍

1. The training shall be performed at least annually (on a calendar year basis). It shall be based on the Company’s business activity and shall be updated as necessary to reflect any new developments in the laws and risks faced by the Company in accordance with the annual risk assessment.
2. Employees’ training program shall ensure that all Company employees who face ML/TF prevention measures in dealing with their functions would be properly educated to identify the Client, notice Suspicious Operations or Transactions, perform an assessment of alerts received during the monitoring procedure, etc. 
3. All new employees shall be trained for the prevention of ML/TF risks purposes prior to engaging in any Client-facing activity as part of the boarding and reimbursement process. The MLRO of the Company shall be responsible for ensuring training for new employees. The MLRO himself shall undergo annual AML/CTF training. 

13. FINAL PROVISIONS

Annual audit

1. The Company shall at least once per year perform an audit over AML / CTF measures and their implementation within the Company. The Senior Management is responsible for ensuring that the audit takes place while the MLRO is responsible for organizing the audit. 

Approval, review

2. This Policy (and annexes thereof) shall enter into force from the day of their approval and may be abolished, amended, and/or supplemented only by a decision of the Board.
3. Amendments and/or supplements to the Policy shall enter into force on the following day after its approval. 
4. The MLRO shall periodically (at least once a year) or upon the occurrence of important events or changes (for instance, in case of changes in legal acts or in case of new risk relevant to the Company arises) revise the Policy and update it, if needed. A review of the Policy shall be also ensured in the following cases:
   
   1. When the European Commission published a supranational risk assessment (published on https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022DC0554);
   2. When the National Risk Assessment is published by FCIS (published on www.fntt.lt); 
   3. When the FCIS issues an order to the Company to make the internal controls stronger and stricter; 
   4. When important changes are made within the Company’s management and activity organization; 
   5. When audit results or other activity indicators dictate a need to change internal controls. 

Employee acquaintance 

5. The MLRO is responsible for the acquaintance of the Company’s employees with the Policy (and annexes thereof) and its later versions, if any. Such acquaintance shall be made by providing the Company’s employees with the Policy (and annexes thereof) and after that by requiring each employee to confirm his / her acquaintance with the Policy (and annexes thereof) by signing in the table provided in Annex No. 5 of the Policy.

Assessment of knowledge and experience of the responsible personnel 

6. The Company shall ensure that, prior to the appointment of the MLRO, CEO, Board members, Senior Officer, and other employees responsible for the AML/CTF framework within the Company, a thorough assessment of their competence, work experience, and qualifications is conducted. This assessment shall take into account their education, professional development, relevant work experience (including its duration and nature), and other criteria that may impact their suitability and qualifications. Such assessments shall be completed in writing before their appointment or hiring.

Requirements for Senior Management members and UBOs of the Company

7. A person cannot be a member of Senior Management or Ultimate Beneficial Owner of the Company if at least one of the following criteria exist: 
   
   1. A person is found guilty of having committed a serious or very serious crime provided for in the Criminal Code of the Republic of Lithuania or a criminal act corresponding to any of these crimes according to the criminal laws of other states, regardless of whether the person's criminal record has disappeared or been annulled; 
   2. A person is found guilty of having committed a minor or aggravated crime against property, property rights and property interests, economy and business order, financial system, public service and public interests, public safety, or a criminal act corresponding to any of these crimes under the criminal laws of other countries, provided for in the Criminal Code and 5 years have not passed since the disappearance or annulment of the person's criminal record; 
   3. A person is found guilty of having committed a criminal act other than that specified in points 1 and 2 of this part, provided for in the Criminal Code or in the criminal laws of other states, and 3 years have not passed since the date of execution of the sentence, postponement of the execution of the sentence or release from the execution of the sentence.
8. If the circumstances listed in above Clause 16.7 are determined, the Company must take measures to notify the FCIS accordingly and ensure the fulfillment of the requirement (e.g. to change manager, etc.).

14. ANNEXES  

1. The following is the list of documents which are an integral part of the Policy: 

Annex No 1 – Client Identification Procedure

Annex No 2 – Criteria for Identifying Suspicious Operations or Transactions

Annex No 3 – Relationship Monitoring Policy

Annex No 4 – The Forms of Logs

Annex No 5 – The Form of Employees’ Acquaintance with the Policy

Annex No 6 – Prohibited Countries List

Annex No 7 – Acceptable Evidence of Sources of Wealth and Sources of Funds

Annex No 8 – Template of the MLRO quarterly report

Annex No 9 – Training Log

‍

‍

2. Annex No. 1 

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

3.      CUSTOMER IDENTIFICATION PROCEDURE

‍

1. INTRODUCTION

1. The Company is a B2B2C business and shall provide Services to Business. The end users can be both natural persons and legal entities. The Company provides services primarily to the business who are Customers-Clients, Merchants, and end users. Both the Merchants and the End Users receive Services and both these subjects are considered as Customers of the Company, who shall be identified accordingly.

Trans-Fi UAB’s current product suite is described below. All of these products are available as both a solution and as a single Application Programming Interface (“API”) and provide a dashboard or other solution for monitoring transactions and orders:

• Payins: Enabling our Clients/their Merchants to collect payments in fiat currency (e.g. the US Dollar or Euro) or stablecoins from their counterparties (both businesses or individuals) by sending a payment link and settling in stablecoins or fiat, as desired, with ease from anywhere across the world. Stablecoins used in our products are reserve-backed crypto-assets pegged to a fiat currency, notably the EUR and USD stablecoins issued by Circle:  EURC and USDC. Within this product, the following MiCA services will be used: 
  
  1. Transfer services for crypto-assets on behalf of clients 
  2. Custody and administration of crypto-assets on behalf of clients 
  3. Exchange of crypto-assets for funds 

‍

• Payouts: Enabling our Clients/their Merchants to pay their employees, vendors, freelancers, and trade partners globally in fiat or stablecoins across the world by exchanging crypto-assets for fiat (stablecoin-to-fiat) or exchanging fiat for crypto-assets (fiat-to-stablecoin) or crypto-assets for crypto-assets (crypto-to-stablecoin). Within this product, the following MiCA services will be used: 
  
  1. Transfer services for crypto-assets on behalf of clients 
  2. Custody and administration of crypto-assets on behalf of clients 
  3. Exchange of crypto-assets for funds 
  4. Exchange of crypto-assets for other crypto-assets 

‍

• Ramp: Enabling our Clients to offer the exchange of fiat to crypto-assets (fiat-to-crypto “onramp”) and the exchange of crypto-assets to fiat (crypto-to-fiat “offramp”) to their Merchants and/or End Users. Within this product, the following MiCA services will be used: 
  
  1. Exchange of crypto-assets for funds 

‍

• Wallet issuance as a service (“WIaaS”): Enables our Clients to issue custodial wallets (using Circle as a provider) for themselves, their Merchants, or their End Users to pre-fund transactions for seamless payouts, or to collect payins from their counterparties, or to offer top-ups and refunds to the wallets & gaming accounts of their End Users, by offering the fiat-to-stablecoin and stablecoin-to-fiat transfers, and subsequent settlements with gaming Customers. TransFi will be enabling an “earn feature” on these wallets shortly, leveraging third-party providers, so that wallet owners earn returns (using staking). Within this product, the following MiCA services will be used: 
  
  1. Custody and administration of crypto-assets on behalf of clients 

2. The Company applies remote Customer identification methods following requirements of Article 11(1)(4)(b) of Lithuanian AML Law.
3. The Company shall ensure that identification is performed for the Customer in the following cases:

1. Prior to establishing a Business Relationship with the Customer;
2. When doubts about the Customer’s identification data and documents, collected earlier, occur;
3. When there are doubts that ML / TF activity may take place. 
4. When there is a change in the transaction patterns of the Customer

4. In cases listed under Clause 1.3 above, the Company shall at least:

1. Identify the Customer (its representative, UBOs, determine directors and ownership structure);
2. Collect KYC / KYB data about the Customer;
3. Check PEP status;
4. Check international sanctions application status;
5. Check adverse media status;
6. Check if there are any circumstances requiring applying enhanced due diligence;
7. Re-assess the information collected with data received from official sources.

8. Collect information about the purpose and nature of the Business Relationship.
9. Collect information about Customer’s sources and funds (for high-risk Customers);

9. Receive MLRO’s approval (for high-risk Customers).

‍

1.5 As described in Clause 1, all our Customers are subjected to KYC and KYB in the case of individuals and legal entities respectively 

1.6  Having such information, the Company shall assess it and, following the assessment, assign the Customer to the relevant risk group. All this shall be done until the moment when Business Relationships are started 

2. TYPES OF CUSTOMER DUE DILIGENCE 
   
   1. The Company shall recognize the following types of Customer’s risk: 

1. Low;
2. Medium;
3. High;
4. Unacceptable/Prohibited. 

2. The Company applies two types of Customer due diligence:
   
   1. Standard Due Diligence (SDD), also known as Ordinary Due Diligence: SDD is applied where the Customer’s risk profile indicates low or medium risk and where, in accordance with the risk assessment of the Company, it has been identified that in such circumstances the risk of ML / TF is low or medium.
   2. Enhanced Due Diligence (EDD): EDD is applied for Customers that are flagged as high-risk Customers. EDD requires the application of additional Customer due diligence measures in comparison to SDD.

‍

3. In case of unacceptable/prohibited risk Customer – no due diligence can be applied as the applicant shall be rejected. 
4. In order to determine to which risk group each Customer is exposed, the Company shall perform an individual risk assessment of each Customer before entering them into a Business Relationship.   
5. SDD procedure is established in Section 4 (for individual Customers) and Section 5 (for Business Customers) of this Annex. 
6. EDD procedure is established in Section 6 of this Annex. 
7. The Company will have the below as prohibited Customer types:

1. Known beneficiaries of corruption or illegal activities; 
2. Shell companies/shell banks; 
3. Unregulated casinos or unlicensed gambling companies; 
4. Incomplete or failed KYB (Know your business); 
5. Unlicensed money transmitters/payments/financial services companies; and 
6. Customers with bearer shares in the ownership structure. 
7. Marijuana/cannabis; 
8. Guns, Arms and ammunition, and Military; 
9. Precious metals; 
10. Adult content or Pornography. 

3. GENERAL REQUIREMENTS FOR THE REAL-TIME PHOTO (VIDEO) TRANSMISSION 
   
   1. Real-time photo (video) transmission is a method for Customer (natural person) or representative (legal entity) identification and identity verification.
   2. The following principles shall be applied and ensured during the remote Customer identification procedure via real-time photo (video) transmission:
      
      1. Only one person (Customer or its representative) can participate in the remote Customer identification process;
      2. The quality of the internet connection shall be sufficient, no interruptions should occur;
      3. The Company shall be entitled and have the technical possibility to provide the Customer with additional instructions if it is needed for identification;
      4. Quality of photos/video taken during the Customer’s identification procedure shall allow the Company to identify the person in the photos easily;
      5. The remote Customer identification process shall be carried out uninterruptedly and must be a part of a single Customer identification process;
      6. The screen used by the Customer shall be big enough to ensure that the Customer’s face is visible and identifiable throughout the session;
      7. All recordings and photos have to contain a mark with the Customer’s name, surname, personal code, and IP address (in the event the latter is applicable) and the date of recording;
      8. The Company shall use special programs, applications, or other means which shall ensure that the process of photo recording is continuous and the transmission of photos otherwise than in real-time would be impossible;
      9. Upon completion of actions referred to above, the Customer shall be informed that by providing data the Customer also confirms the authenticity of that data;
      10. Photos/video transmitted shall be of a quality allowing to read the information easily from the ID documents provided and to clearly see the features of the particular person and the person captured in the photo of the identity document.
   3. The Company shall ensure that its IT systems are capable and adapted to remote Customer identification as per the above requirements. 
   4. The Customer’s identification process shall be considered failed if any of the below occur:
      
      1. The Customer has deliberately submitted data that does not match the identification data of the ID document received from the official database or does not match information or data collected through other procedures;
      2. The session expires during verification, and the Customer does not initiate the identification process from the beginning;
      3. Image (video) of the ID document or the Customer is not clearly visible; 
      4. The Customer did not provide the required information and data;
      5. The Customer refuses to follow instructions to comply with the requirements set for framing the Customer’s face and ID document;
      6. The Customer uses the assistance of another person during verification without permission from the Company (permission might be issued only in exclusive cases);
      7. Circumstances arise that indicate suspected ML / TF. The Company shall immediately submit a notification of suspicion to FCIS;
      8. The Company received information that the Customer is subject to financial sanctions which shall be immediately notified to FCIS;
      9. The Customer has not completed any activities in the Customer identification module for more than 15 minutes in a row;
      10. The real-time photo (video) transmission is terminated or problems regarding the real-time photo (video) transmission arise;
      11. The quality of the real-time photo (video) transmission does not allow clearly the face of the Customer or Customer/s representative (if any) and (or) to establish the identity of the Customer or representative (if any) from the photo (video) of the face image in the identity document;
      12. The quality of the real-time photo (video) transmission is poor;
      13. The Customer’s identity document is being captured without adhering to the requirements laid down in this annex;
      14. The Customer does not perform the actions required for their identification appropriately and on time;
      15. It is established that the document provided by the Customer is impaired, fake or there are other circumstances that raise doubts due to the authenticity of such an identity document (for example, the copy of the document is being shown). In such case, the identification process may be continued, and the information necessary to establish the identity of the Customer or the representative (if any) may be collected only with the purpose, having assessed the ML / TF threat, to immediately notify the FCIS as suspicious activity no later than within 3 business hours;  
      16. It is established that the identity document provided by the Customer does not correspond to the requirements of information content applicable to such document;
      17. The Company has reasonable doubts that the Customer, the identity of which is being established, and the owner of the provided identity document, proving the Customer’s identity, are not the same person. This should be immediately reported to FCIS;
      18. If more than one person participates in the process of Customer identification;
      19. The Customer disagrees with remote Customer identification.
   5. Having assessed the ML / TF threat, the Company has the right to suspend or terminate the process of the identification due to any other reasons.
4.      IDENTIFICATION OF A CUSTOMER ( NATURAL PERSON )
   
   1. The Customer (natural person) identification and ID document validity verification shall be performed following these steps:
      
      1. Registration: The Customer shall enter First name, Last name, Date of Birth, Email, the country of citizenship on the web page      dedicated to onboarding;
      2. Identification: The Company applies remote identification – via real-time selfie and ID document photo (video) transmission. Namely:

In case of a photo transmission: 

1. The Customer shall take a photo of his / her ID document. 

Only the following ID documents can be accepted for Customer due diligence purposes. The Company shall accept only those ID documents that are valid and only if there are no circumstances showing possible forgery of the ID document:

• Passports,
•  ID cards, 
• Lithuanian Residence permits 
• Any other acceptable ID allowed by regulation

The collected ID document shall contain the following information about the Customer:

• Name(s);
• Surname(s);
• Personal code (for foreigners – date of birth or personal code or any other personal number);
• Photo;
• Signature (unless it is not required to be placed in the driver’s license based on the country’s requirements);
• Citizenship (unless it is not required to be recorded in the driver’s license based on the country’s requirements).

If the collected ID document does not contain citizenship data, the Company must collect additional ID documents of the Customer maintaining citizenship data.

Taking a photo of the ID document shall proceed by holding the ID document up in front of the mobile phone/computer camera in the area specified on the screen in a manner that the image of the ID document fits into the frame displayed on the screen. 

If the Customer uses a passport, a photo must be taken of the page with the Customer’s facial image and the back of the image.

If the Customer uses an ID card Lithuanian Residence Permit, or any other acceptable ID allowed by the regulation, a photo must first be taken of the front of the document and then of the back. 

The Customer shall click the relevant button for capture displayed on the screen and the device will capture a photo of the ID document. If the photo is not of the best resolution, the Customer shall be asked again to capture a picture. The Company shall use the photo with the best resolution. If the photo is suitable, the relevant message shall appear on the screen and the Customer shall click on the button which allows proceeding. If the photo is not suitable for identification purposes, the Customer shall be requested to take a new photo;

2. After the ID document photo has been confirmed (it takes a few seconds), the Customer shall be re-directed to and shall take a Live selfie of himself/herself. When taking the photo, the Customer shall look straight into the camera, with the head visible and in the frame. The Customer shall remove any head or face covering and not wear glasses with dark or darkening lenses. The Customer’s facial expression shall be easily recognizable, there cannot be any shadows around the Customer’s eyes, and background lighting cannot disturb reading the Customer’s facial expression. The Customer shall click on the capture button displayed on the mobile phone/computer screen, and the device shall automatically take a live photo of the Customer. If the live photo is suitable, the Customer shall click the continue button; if the portrait photo is unsuitable, the Customer will be required to click on the try again button and take a new photo. Both photos shall be saved by the Company. The Company shall conduct a visual verification of the portrait photos taken by the Customer. The Customer’s live photo shall permit the Company to verify the person depicted in the portrait photo. After the live photo has been confirmed by the Customer, the Customer shall be directed to the module, where the Company will be able to collect additional information about the Customer.

NOTE: the order of capturing of Customer’s ID document and facial image may differ depending on the platform used (i.e. firstly the photo of the ID document may be taken and only then the facial image or otherwise).

The live selfie session should be uninterrupted and of good quality.

3. Collection of additional KYC data: The Customer is required to provide a few information The customer is required to provide a few additional details, including but not limited to the following:

1. Nature and purpose of Business Relationship;
2. Country of residence;
3. Sources of funds (Annex No 7); only in case of EDD (Enhanced due diligence)
4. When the Customer is KYC-ed he is screened for adverse media, sanctions, and PEP screenings through an automated solution, if flagged for PEP, the Customer needs to confirm if he is a PEP or not. In case of a PEP, he is subjected to EDD, In case of false hits, the Customer is required to share a declaration over email that he is not a PEP.

4. Informing the Customer: After the Customer provides all the above-requested information, he/she is asked to confirm it and submit it. After the submission, the customer is informed in some time (ranging from a few seconds to a few minutes) that the KYC is approved, rejected, or in manual review with Compliance. Basis the results of the manual review, the Compliance team clears the onboarding of the Customer in no later than 2 business days. 
5. Verification of data by the Company: All the data submitted by the Customer is assessed through an automated system and the KYC is approved, rejected, or goes in manual review with the Compliance team.

• Application data (name, surname, personal code, citizenship of the Customer, application date, etc.);
• Validity and authenticity of ID document. – whether the ID document’s validity date is still valid (not expired), etc.). 

NOTE: data should be stored as evidence in the Customer’s file (with a clearly visible date when and based on what data the check was performed).

• Proof of Address, data extraction, and data verification. For Proof of Address purposes, the Company shall request the Customer to provide a utility bill or rent agreement, rent registration extract, or employment agreement with a clear reference to the residence address, etc. 
• Live photo of the Customer. The Company shall conduct an automatic check on the Customer’s portrait photo against the facial image contained in the ID document. This is done automatically using a service provider;
• Customer’s device data (for instance, IP address, etc.);  
• Identity verification – The company shall check whether the Customer’s live photo matches the facial image on the ID document photo in conjunction with algorithms. This is done automatically by the selected service provider;
• ID document data. The Company shall check the following data of ID document in external official databases: surname, first name, personal identification code, sex, date and place of birth, ID document number, document date of issue and expiry, citizenship;
• The Company shall also check the Customer’s background, including, but not limited to political exposure, possible application of financial sanctions, 
• Verification of Customer data shall be made by making a search in reliable external databases,      which allows checking whether the person is PEP, whether financial sanctions are applied with respect to the Customer, etc. The Company in addition might also conduct research on official websites, like Google, etc.
• In case of manual reviews, the Company shall review the results of the review and verification of the Customer’s data; 
• The Company, based on risk segmentation criteria, shall decide whether the Customer may be accepted or not; 

5. IDENTIFICATION OF A CUSTOMER- LEGAL ENTITY
   
   1. Real-time photo (video) transmission, as Customer’s identification method for the legal entity, shall be applied in the following manner: 
      
      1. The Customer is requested to provide information about the legal entity (potential Customer), including but not limited to the following:

1. Legal entity’s details, including the following: full name, legal form, legal code, establishment country, registered and actual business address;
2. Details of UBOs, including the following: full name, personal code (if not available – date of birth), citizenship, percentage of shares held in the legal entity of each Beneficial Owner, residing address;
3. Details of Key Directors, including the following: full name, personal code (if not available – date of birth), citizenship;
4. Nature and purpose of Business Relationship;
5. Sources of funds of the legal entity, only in case of EDD (Enhanced due diligence);
6. Whether the UBO Owner and/or a Representative is PEP;
7. Expected amount (in EUR) of monthly and yearly operations and countries to which/ from which operations will be initiated/received.
8. Whether the customer is a PEP

‍

2. The identity of Customer’s representative/UBO shall be established by applying all measures that are listed in clauses 4.1(i)-(ii) above in this Annex and that are applicable to the identification of a Customer – a natural person using real-time photo (video) transmission;
3. After the representative of the legal entity (potential Customer) provides all the above-requested information, he/she is asked to confirm it and submit it. After this session is over, the Customer by automatic message is informed that his / her information will be assessed, and the Customer will be informed about the decision of the Company to onboard the Customer as soon as possible but in any case no later than within 2 business days. 
4. After actions above are performed, the Company shall check the correctness and validity of the information provided by the representative of the Customer by performing actions indicated in clause 4.1(v) above.
5. The Company shall collect documents about the Customer that confirm the existence of the Customer, as a legal entity, and other Customer’s KYC information provided by its representative in the course of a real-time photo transmission session. The Company shall collect such documents itself from public registries, available online.
6. The Company shall collect at least the following official documents:

1. Power of Attorney, if a representative of the Customer is not the UBO; 
2. Memorandum of Associations or Articles of Association of the Customer;  
3. Self-certified shareholders’ registry (not older than 6 months);
4. A document that sets out how the prospective Customer is operated, governed, and owned and the extent of Authority/ powers key executives hold in the due diligence form (SDD form for low-risk customers and EDD form for high-risk customers)
5. Proof of official address; 
6. EIN / TIN number; 
7. Additional documents that may be required considering the specifics of certain Customers and/or in case a need to apply enhanced due diligence is determined (e.g. financial statements or key agreements in order to ascertain sources of funds, etc.).

7. All Customer’s UBOs are required to perform identification measures (the same as are applied for an individual Customer as per clause 4.1(ii) of this Annex. 
8. The Company, based on risk segmentation criteria, shall decide whether the Customer may be accepted or not; 
9. The Company, after completing the Customer’s verification, shall make a decision to “approve” the Customer or “decline” the Customer. In both cases, the Customer should be informed about the final decision. The decision of the Company shall be made within 4 business days as of the moment when the Customer performs identification actions. 

6. ENHANCED DUE DILIGENCE (EDD)
   
   1. EDD shall be conducted for the Customers who are:
      
      1. PEPs (incl. when the Customer himself, Customer’s representative, and/or director, and/or UBO are PEPs);
      2. Assigned to a high-risk category based on risk segmentation criteria established by the Company (see a separate internal document, Customer risk matrix);
      3. When the activity of the Customer hits established daily/monthly thresholds;

‍

4. Only for Customers legal entities – when the main activity of the Customer in one of the following business areas:

• Custodial crypto / digital assets services;
• Other crypto / digital assets services (non-custodial);
• Money services, payments, and other financial services;
• Licensed Gambling services. 

2. In situations described under clause 6.1 above, the Company shall:

1. Perform all identification measures established for ordinary due diligence; and 
2. Obtain written consent of the MLRO of the Company to enter into or continue Business Relationships with such Customers; and 
3. Ask for additional documents from the Customer that would help to identify the source of the property and funds relating to the Business Relationship or a transaction, in accordance with Annex No. 7; and
4. Ask for additional information regarding reasons for the transactions and Services; and
5. Ask for additional information regarding expected volumes of transactions within the Company; and
6. Ask for additional information, if any documents that are indicated by the MLRO in his/her consent  to enter into a Business Relationship with such a Customer (if any); and
7. Perform enhanced ongoing monitoring of the Business Relationship with such Customers, inter alia by establishing more sensitive operations thresholds and monitoring rules; and
8. In case when the Customer is subject to EDD due to the fact that its business area is the one as per the list under clause 6.1 (iv) – in addition to the above EDD measures, the Company shall collect and assess:

• Customer’s AML Policy; 
• Relevant license
• Financial statement or source of funds 
• any other document that may be necessary to further assess.
• This may also include other details like the below if needed: the customer’s latest ML and TF risks assessment (EWRA); the customer’s latest audit report, covering ML and TF risks;
• Details about the main person responsible for AML / CTF matters within the Customer (e.g. Customer’s MLRO, etc.);

(ix)  In case the Customer is established in countries like Bulgaria, Cameroon, Croatia, Kenya, Nigeria,Philippines, South Africa, Tanzania, Uganda, United Arab Emirates and Vietnam are the countries, that are not subject to enhanced due diligence, but subject to differential scrutiny are treated in this manner because

• Bulgaria and Croatia are part of the European Union
• The remaining jurisdictions are fast growing developing economies and house many global financial institutions such as HSBC, Standard Chartered, Wells Fargo and Citibank. 

‍

All users in these jurisdictions are subject to robust checks including sanctions & adverse media screening, ID verification, liveness test, PEP screening, transaction monitoring, browser & behaviour checks, email risks related checks, social media profiling, name matching and crypto monitoring.  EDD (Enhanced due diligence) checks will be triggered in the event of:

• Regulated business activities
• Transaction thresholds being exceeded
• Suspicious events;
• High risk customers.

‍

In addition to the above, transaction limits post KYC and KYB limits in these jurisdictions are lower than those for TransFi users from non-high risk countries.

‍

(x) In case the Customer is established in countries like Barbados, Burkina Faso, Gibraltar,Jamaica, Monaco, Mozambique, Namibia, Panama, Senegal and Trinidad and Tobago, we ask for additional information, if required 

• To apply increased timelines for transaction monitoring; 
• To apply increased number of internal control measures;
• To assess and decide on types of transactions which require more deep internal investigation and performing such investigations;

‍

3. The Company shall not provide Services to Customers from Lithuania state sanction list,  European Union Sanctions Lists, United Nations Sanctions lists (UN), United Nations Security Council resolution 1373 (2001) Sanctions List, Office of Foreign Assets Control (OFAC) (as described in Annex No 6 of the Policy).

‍

4. Annex No. 2

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

5. CRITERIA FOR IDENTIFYING SUSPICIOUS OPERATIONS OR TRANSACTIONS

‍

1. Suspicious operations or transaction criteria are established by FCIS Resolution No V-240. The list constantly changes and the MLRO’s duty is to check such changes and implement them in the activity of the Company. 
2. The below reflects some criteria from the mentioned FCIS Resolution. However, the MLRO must consider additional relevant criteria to the Company and adapt the below list accordingly. 
3. The Company does not engage in cash-related services. Therefore, cash-related criteria are not listed below. 
4. The criteria for recognizing Suspicious Operations or Transactions related to the behavior of the Customer are as follows: 

1. At the time of entering into a Business Relationship or during the Business Relationship, the Customer is reluctant to provide information necessary to identify the Customer, providing documents that raise doubts as to their genuineness, authenticity, etc.
2. It is difficult to obtain from the Customer information or documents necessary for the monitoring of the Business Relationship: it is difficult to contact the Customer, their place of residence/registration as well as contact details often change; nobody answers the phone number provided by the Customer is always disconnected; the Customer fails to respond when addressed via e-mail.
3. The Customer is unable to answer questions regarding ongoing/planned financial activity and the nature thereof, cannot provide relevant documents, and is excessively nervous.
4. The Customer cannot explain the sources of funds used for the transactions. 
5. The Customer connects to the Customer’s custodian virtual currency wallet, using services of the TOR network and the IP address is constantly different.
6. The Customer does not have sufficient knowledge about virtual currency, and cannot explain why certain transactions are performed (although the activity of the Customer in virtual asset transactions is high).
7. Several companies are registered at the address of the Customer.
8. The same person is the manager of several unconnected companies. 

5. The criteria for recognizing Suspicious Operations or Transactions related to operations or transactions carried out by the Customer are as follows:
   
   1. The operations or transactions of the Customer are not in line with the types of activities indicated by the Customer during the Customer’s identification process or reflected in the publicly available information. 
   2. The nature of the operations or transactions that are being conducted by the Customer raises a suspicion that the Customer is seeking to avoid entering the operations and transactions into the registration logs maintained by the Company.
   3. The Customer carries out a transaction (transactions) which is (are) beyond the Customer’s possibilities known to the Company.
   4. The Customer or the owner of the Property requests to pay the amount belonging to them to persons who are clearly unrelated to the Customer’s normal activity.
   5. The Customer is continuously engaged in transactions in property where the value is clearly not in line with the average market value.
   6. The Customer carries out operations or concludes transactions without any apparent economic justification.
   7. The age, current position, and financial status of the Client are objectively not in line with the activity conducted by this Customer (e.g. the Customer’s income is small compared to the scope of his / her activity in relation to Services).
   8. The Customer uses mixer/tumbler services. 
   9. The Customer executes operations in the dark net using virtual currency addresses that are connected to illegal activity.
   10. Virtual currency exchange to fiat currency (and vice versa) is not consistent with the Customer profile, or previous activity.
   11. The performance of virtual currency-related transactions is connected to IP addresses that are related to the countries where ML / TF activity is high. 
   12. Loss-making exchange of virtual currency into fiat currency.
   13. The Customer’s operations may potentially be related to fraud.
6. The criteria for recognizing Suspicious Operations or Transactions related to the geographical aspect of the operations or transactions carried out by the Customer are as follows:

‍

1. Operations or transactions are carried out with natural and legal persons located in sanctioned jurisdictions as stated in Annex 6 of the policy.

‍

2. The Customer permanently resides in a country that is not a member of the FATF or does not have observer status with the FATF and is not a member of the international organization combating the ML/TF, whereas the economic justification of the operations or transactions carried out by the Client is unclear.

‍

3. The Client's operations with virtual currency are initiated from Internet Protocol (IP) addresses located in sanctioned countries as stated in Annex 6 of the policy.

7. The e criteria for recognizing Suspicious Operations or Transactions related to the possible corrupt activities of the Client are as follows:
   
   1. An individual participating in politics, their close associate, or family member receives an unusually high compensation that does not align with market value for participation in seminars, conferences, or as a consultant on projects.

‍

2. Operations are conducted for an individual participating in politics, their close associate, or family member from a foreign country with a corruption perception index (CPI) score below 50.

‍

3. A legal entity conducting business in a foreign country with a CPI score below 50 performs business-related financial operations of excessive value for individuals under consultancy, legal, or similar service agreements.

‍

4. International financial operations are conducted for an individual participating in politics, their close associate, or family member without a clear economic basis.

‍

5. A physical or legal entity grants a loan to an individual participating in politics, their close associate, or family member under unusually favorable conditions (no repayment term specified, favorable repayment conditions, low interest rates, etc.) or without a contract or other documentation.

‍

6. A physical or legal entity pays for travel and accommodation services for an individual participating in politics both in Lithuania and abroad if such payments are not typical for the financial activities of the paying entities.

‍

7. An individual participating in politics transfers funds to countries where they do not conduct professional activities.

‍

8. Funds are transferred to targeted territories when the transaction is related to government contracts.

‍

9. The beneficiary, founder, authorized person, or otherwise related person of a preferential tax company is an individual participating in politics in Lithuania or abroad, their close associate, or family member.

8. In the assessment of the alleged connection of the property with the TF, the following aspects must be taken into consideration: 
   
   1. Funds shall mean any type of intangible virtual currency or tangible fiat currency
   2. The funds may be of either legal or illegal origin – it is important that it is being collected, accumulated, or provided for purposes of the TF.

‍

3. Both direct and indirect collection, accumulation, or provision of the property (funds) shall be treated as the TF activity.

‍

4. Collection, accumulation, or provision of the property (funds) shall be regarded as an intentional deliberate activity where it is seeking or knowing that this property (funds) or only a part thereof will be aimed at the TF, i.e. mere perception of a person that the property might be aimed at the TF is sufficient, even if he/she does not have an intentional pursuit thereof.

‍

5. TF includes collection, accumulation, provision of the property (funds) for committing particular terrorist crimes (e.g. to perform a terrorist attack), training of terrorists (e.g. inciting crimes of terrorism, recruiting, training terrorists, creating terrorist groups, etc.), and also supporting individual or several terrorists or terrorist groups even if this property will not be aimed at committing particular terrorist crimes (e.g. for the rent of premises, material support, healthcare, relief, etc.). It is not necessary to establish a connection between the collected, accumulated, the provided property (funds) with a particular terrorist crime. 

9. Final Provisions
   
   1. The above-listed criteria shall not be assessed as exhaustive and the Company shall take into consideration other criteria that may be implicating suspicion with respect to operations and transactions of the Client, including but not limited to criteria established by FCIS. 

‍

2. The above-listed criteria indicating Suspicious Operations or Transactions should be assessed in each case separately and should not be applied in a formal way, i.e. the Company should always assess whether concrete criteria (even though listed above) could be justified or not in a concrete case and to consider it as suspicious only if any circumstance that could justify it cannot be found.  

‍

6. Annex No. 3

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB  

‍

7. RELATIONSHIP MONITORING POLICY

‍

1. INTRODUCTION

1. All transactions conducted by the Customer shall be constantly monitored by the Company. 
2. The Company shall perform and ensure instant and retrospective monitoring. 
3. Monitoring shall cover:
   
   1. Transactions;
   2. Wallet; 
   3. Customer-individual;
   4. Customer-legal entity;
4. Monitoring procedures will be performed both manually and by using automatic means. Regardless of the method selected by the Company, the Company shall ensure that the selected method allows to properly monitor all transactions and to identify Suspicious Operations or Transactions in due time. 
5. The purpose of monitoring is to ensure proper and timely identification of unusual transactions, patterns, and activity as well as to ensure the relevance of the information of the Client, its representative (if any), and the relevance of the assigned risk level to the Client. It also involved the monitoring of Client profiles (both the Individual and Businesses), whether they are exposed to any adverse media, or sanctions hit. 
6. The monitoring shall be performed by assessing the factual transactions made by each Customer, information received by the Company during the Customer’s identification procedure as well as other information received/collected by the Company, if any.

2. CUSTOMER’S FILE
   
   1. Monitoring procedures shall cover the assessment of information about the Customer. All information about a particular Customer shall be kept in the Customer’s file.
   2. The Customer’s file shall consist, as a minimum, of the following documents:

1. Proof of Customer’s identification and collection of relevant information about the Customer(i.e. sources of funds in case of EDD, the purpose of Business Relationship, services intended to be used by the Customer, etc.);
2. Proof of verification of the identity of the Customer, the Customer’s representative (if any), Beneficial Owners (if any) in public and independent sources of data;
3. Proof of verification of the political exposure of the Customer, the Customer’s representative, and Beneficial Owners (if applicable) in public and independent sources of data;
4. A description of the Customer's risk profile;
5. A description of the Customer’s assignment to a risk group;
6. Information about the Services provided to the Customer;
7. Information about cases when the Customer made Suspicious Operations or Transactions;
8. PEP and sanctions check data and evidence;
9. In the case of high-risk Customers – approval for entering/continuing Business Relationships alongside issued by the Company’s MLRO;
10. Corporate documents of the Customer;
11. Other documents and information indicated in this Policy and/or that the Company considers as important for the Client’s file. 

‍

3. The Customer’s file shall be stored in an electronic form.

‍

4. Information obtained in the process of identifying the Client and Client’s representative (if any) shall be continuously documented and shall be kept in written or electronic form.

3. MONITORING OF BUSINESS RELATIONSHIP / OPERATIONS 
   
   1. The Company shall exercise an ongoing monitoring of operations and ongoing monitoring of the Business Relationship of the Customer, including:

‍

1. Investigation of transactions to make sure that transactions that are being carried out are in line with information available to the Company about the Customer, his / her / its activities (types and nature of activities, nature of transactions, business partners, and so on), risk nature, and knowledge about the source of funds in case of EDD;
2. Principles of assigning the Customer to the relevant risk group, establishing the procedures of Collecting and storing information about the operations performed by the higher-risk Clients.

‍

2. During the monitoring, particular emphasis shall be placed on the following:

1. Operations that, by virtue of their nature, may be related to ML / TF, and complicated and unusually large transactions; 
2. Any unusual transaction structures that do not have an evident economic or visible legal goal;
3. Every ML / TF threat that may arise due to the usage of products of any nature, other results of usage of the services provided, or transactions being carried out, when efforts are made to conceal the identity of the Customer or Customer’s representative (if any) (leaning towards anonymity), as well as due to Business Relationship or transactions with the Customer who was not identified being present in person, and, where applicable, shall immediately take measures in order to prevent the property from being used for ML / TF purposes;
4. Operations when efforts are made to conceal the identity of the Customer or Customer’s representative (if any), as well as the Business Relationship or transactions with the Customer whose identity was not established with being him/her/its representative in person;
5. Whether the Customer is not included on the general list of persons or groups of persons or companies and institutions that are subject to financial sanctions by the EU, UN, OFAC;

‍

3. If the monitoring of the Business Relationship indicates that the Business Relationship entails a higher risk, then the Company shall assign a particular Customer to the higher-risk group (if he/she/it was not assigned to a high-risk group before).

‍

4. The Company shall document the results of the investigation in writing (electronically or in paper form).

4. ENHANCED MONITORING OF BUSINESS RELATIONSHIP
   
   1. In the course of the enhanced monitoring of Business Relationships, the Company shall maintain a risk matrix that monitors the operations by keeping transaction thresholds at different KYC levels. 
5. FINAL PROVISIONS
   
   1. The MLRO of the Company shall prepare and present to the Senior Management a monitoring summary in his quarterly report (Annex No. 8 to the Policy), which would include the main findings that were identified during the relevant quarter. Such a summary should include information about transactions that were identified as suspicious and submitted to the FCIS. 

‍

2. The monitoring of Business Relationships shall be exercised on a regular basis, keeping information on measures applied in the process of monitoring and information collected in the process of taking such actions, keeping information on the purpose and nature of Business Relationships, and making reviews and updates of such information on a regular basis.

8. Annex No. 4

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

9. FORM OF LOGS

‍

/Attached as a separate Excel file/

10. Annex No. 5

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

11. THE FORM OF EMPLOYEES’ ACQUAINTANCE WITH THE POLICY

‍

Employees of the Company who sign the below table confirm that they are acquainted with the Policy of the Implementation of Prevention Measures on Money Laundering and Terrorist Financing of the Company (including annexes thereof). 

In case the Policy (and annexes thereof) are amended, employees of the Company shall be properly acquainted with the amendments. Employees shall confirm their acquaintance with all amendments by providing information indicated in the table below and by signing it each time.

6. Annex No. 6

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

7. PROHIBITED COUNTRIES LIST ALONG WITH HIGH RISK COUNTRY LISTS WITH TREATMENT

‍

All below countries are considered as prohibited by the Company: 

‍

1. Prohibited by the Company;
2. Sanctioned countries by EU and UNO
3. Sanctioned countries by OFAC except for Hong Kong.

‍

Prohibited by the Company:: Abkhazia, Angola, Bosnia and Herzegovina, Burundi, China, Croatia, Guinea-Bissau, Kosovo, Macedonia (North), Mali, Montenegro, Nagorno-Karabakh, Nicaragua, Northern Cyprus, Sahrawi Arab Democratic Republic, Serbia, Slovenia, Somaliland, South Ossetia

‍

Countries prohibited for transactions by Tran

sFi include the following: (Sanctioned countries by EU and UNO, including TransFi)

‍

‍

TransFi identifies high-risk jurisdictions based on the following lists

• The Financial Action Task Force (FATF)
• EU High Risk Countries

‍

EU and FATF high-risk countries:

‍

The identified countries, excluding those already prohibited as above, are :

Amongst the list of high risk countries, any customers from the countries listed below, are subject to enhanced due diligence before onboarding.

The enhanced due diligence process requires the below process:
Individual:The Customer is required to share proof of address and source of funds which gets reviewed by the team and the customer is approved for further transactions if there are no suspicious flags.

Legal Entity : The customer is required to share source of funds, relevant license, AML policy (attached as Annex 3.4.2) and any other document which is deemed to be required for further investigation. It is reviewed by the team and the customer is approved for further transactions if there are no suspicious flags.

‍

The following countries are an exception from the Enhanced due diligence requirement where we do not do EDD but apply differential scrutiny.

‍

These countries, that are not subject to enhanced due diligence, but subject to differential scrutiny are treated in this manner because

• Bulgaria and Croatia are part of the European Union
• The remaining jurisdictions are fast growing developing economies and house many global financial institutions such as HSBC, Standard Chartered, Wells Fargo and Citibank. 

‍

All users in these jurisdictions are subject to robust checks including sanctions & adverse media screening, ID verification, liveness test, PEP screening, transaction monitoring, browser & behaviour checks, email risks related checks, social media profiling, name matching and crypto monitoring.  EDD (Enhanced due diligence) checks will be triggered in the event of:

• Regulated business activities
• Transaction thresholds being exceeded
• Suspicious events;
• High risk customers.

‍

In addition to the above, transaction limits post KYC and KYB limits in these jurisdictions are lower than those for TransFi users from non-high risk countries.

‍

6. Annex No. 7

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

1. ACCEPTABLE EVIDENCE OF SOURCES OF WEALTH AND SOURCES OF FUNDS

‍

6. Annex No. 8

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

7. TEMPLATE OF THE MLRO QUARTERLY REPORT

‍

MLRO REPORT FOR [Q1 2025]

‍

TRANS-FI UAB (the “Company“) is committed to conducting business operations in a transparent, open manner, consistent with its regulatory obligations. As per the Company’s Policy for the Implementation of the Prevention Measures on Money Laundering and Terrorist Financing (the AML Policy), the aim of this report is to review the AML/CTF program and inform the Company’s Board of the situation and standing of AML / CTF program as well as update on changes and key indicators that are relevant for the reporting quarter. 

‍

1. SUMMARY OF KEY LEGISLATIVE CHANGES 

‍

The following key legislative changes took place during the Reporting Quarter: [Provide a list with a brief summary. If none – add “None”].

‍

2. TYPE OF CRYPTOCURRENCY SERVICED 

‍

The following cryptocurrency is being serviced by the Company: [INSERT].

‍

[Describe differences: newly involved cryptocurrency, expected to be included soon, etc.]

‍

3. NUMBER OF CLIENTS

‍

The following reflects the Company’s Clients’ number and risk scores relevant for the Reporting Quarter:

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. big high-risk customers increase, etc.]

‍

1. CLIENTS’ GEOGRAPHIES

‍

The following reflects the geographies of the Clients (for natural persons – citizenships) relevant for the Reporting Quarter: 

‍

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. high increase of Clients from relevant jurisdiction, etc.]

‍

1. TERMINATED BUSINESS RELATIONSHIP 

‍

The following reflects the number of terminated business relationships with the Client during the Reporting Quarter:

‍

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. termination due to the same occurring reason, etc.]

‍

1. TOTAL NUMBER OF PEPS 

‍

The following reflects the number of PEPs identified in the Clients’ base during the Reporting Quarter:  [number of PEPs], which forms a [percentage]% of the overall Clients’ base equal to [number]. 

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. high and unexpected increase of PEPs, etc.]

‍

2. INFORMATION ON INTERNATIONAL SANCTIONS 

‍

The following reflects the number of international sanctions alerts generated during the Reporting Quarter:

‍

‍

In case of true positive, describe actions that were taken: [FREE TEXT; IF NO SUCH CASES – ADD N/A]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. it was determined that the relevant sanction rule was generating too many false positive Policies and was suspended/eliminated.]

‍

1. TOTAL NUMBER OF INTERNAL INVESTIGATIONS AND SARS

‍

The following is data reflecting the number of Suspicious Activity Reports (“SARs”) submitted to the FCIS during the Reporting Quarter: 

‍

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. enormous increase of SARs and determined reasons for this, etc.]

‍

1. TRAINING 

‍

The following is data about training held for employees of the Company during the Reporting Quarter:

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. scheduled training, conferences, etc.]

‍

1. REPORTING TO AUTHORITIES

‍

The following is information about requests/reports submitted to the relevant regulator during the Reporting Quarter (note: this covers not only submission of the mandatory reports but also all communication with the relevant authority which was initiated on behalf of the institution itself or the Company):

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen]

‍

1. MONITORING AND INVESTIGATION 

‍

Total number of monitoring alerts generated during the Reporting Period: [number] 

‍

Total number of monitoring alerts that are currently being assessed by the Company: [number]

‍

The average term of alert handling: [days]

‍

Other important information: [FREE TEXT FORM]

‍

2. MAJOR INTERNAL PROCEDURE CHANGES 

‍

The following internal procedures were updated, prepared are in a review/preparation stage during the Reporting Period:

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. internal audit is pending which may indicate additional changes]

‍

1. MAJOR SYSTEM CHANGES 

‍

The following systems were installed, updated, and reviewed during the Reporting Period:

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. internal audit is pending which may indicate additional changes]

‍

1. AML / CTF STAFF

‍

During the Reporting Quarter, the Company had in total [number] of employees working in AML / CTF and international sanctions area, from them:

‍

1. [number] – responsible for monitoring;
2. [number] – responsible for FCIS reporting;
3. [number] – reporting for Client identification;
4. [number] – [FREE TEXT].  

‍

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. new positions to be employed in the upcoming quarter, etc.]

‍

2. OTHER INFORMATION 

‍

[FREE TEXT – to add descriptions about other relevant information/cases for the Reporting Quarter. For instance, when an internal audit will be launched/finalized; when EWRA will be performed/launched/finalized; maybe there will be any other changes in organizational structure, etc.]

‍

FREE TEXT – to add descriptions about identified shortcomings in AML / CTF and international sanctions area which, in the opinion of the MLRO, should be addressed to the Senior Management and should be rectified]

‍

3. ACTIONS OF THE MLRO FOR THE UPCOMING QUARTER

‍

Considering the information provided in this Quarterly Report, the MLRO will ensure the following actions during the next quarter:

‍

1. [Ensure that XXX internal procedures are finalized and approved by the Board]. 
2. [Finalize EWRA and submit to the Board]
3. […]
4. […]
5. […]

‍

Name Surname

MLRO     Signature

6. Annex No. 9

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

1. TRAINING LOG TEMPLATE

‍