Policies

TRANSFI GROUP
GLOBAL PRIVACY POLICY

Last updated: October 2024

CONTACT US
If you have any questions about this Privacy Policy, you can contact us:
By email: compliance@transfi.com

1. What is the purpose of TransFi's Privacy Policy?

“TransFi” refers to Trans-Fi Inc. and its affiliates and subsidiaries worldwide, including Trans-Fi UAB and NEOMONEY INC. (collectively “TransFi Group”, “TransFi”, “we”, “us” or “our”).

TransFi may share your personal data with its other entities (subsidiaries and affiliates) and use it in accordance with this Privacy Policy.

The purpose of the privacy policy of TransFi (all subsidiaries and affiliates) (the “Privacy Policy”) is to demonstrate that we protect your privacy. Please read it carefully because this policy is legally binding when you choose to use our Services. For the purposes of the relevant data protection regulations, TransFi may act as either a “data controller”, a “data processor”, or both, of your information.

This Privacy Policy describes how we collect, use, handle and, under certain conditions, disclose your personal data when you access our Services, which include our content on the Website located at www.transfi.com or any other websites, pages, features, or content we own or operate, including the TransFi payment trading platform (collectively, the “Website(s)”), or any TransFi widget, application programming interface (“API”) or third-party applications that rely on such an API, products (Payouts, Collections and Ramp) and related services (collectively referred to as the “Services”).

This Privacy Policy also explains the steps we have taken to secure your personal information. Finally, this Privacy Policy explains your choices regarding the collection, use and disclosure of your personal information. By visiting the Website, you accept the practices described in this Privacy Policy for the Website. If you do not acknowledge and accept this Privacy Policy, you may not use the Services.

If you have any questions about this policy, please send them to compliance@transfi.com.

2. What personal information do we collect from you?

Personal information means any data relating to a living individual who can be identified from that data, or from that data and other information, which is in the possession of, or is likely to come into the possession of, TransFi (or its representatives or service providers). In addition to information, this includes any expression of opinion about an individual and any indication of the intentions of TransFi or any other person in respect of an individual. The definition of personal information depends on the relevant law applicable to your physical location. The data that TransFi may collect and use about you is described below in sections 2.1-2.3 of this Privacy Policy.

TransFi obtains information about you from a variety of sources. “You” may be an individual or legal entity that has entered into a business service agreement with TransFi and/or uses services provided on or through our Website or API (“User”), a legal entity/business recognized under anti-money laundering (“AML”) or payment regulations as per local regulation, verified by TransFi, that uses our Services to collect payments, make payouts, or facilitate cross-border transfers (“Client”), a legal entity that has a contractual relationship with a TransFi Client and may be subject to AML/CTF identification requirements, verified either by TransFi or by the Client (“Merchant”), a legal entity that is a client of a Merchant and may be subject to AML/CTF identification requirements, verified either by TransFi or the Merchant (“Sub-Merchant”), or individual or legal users of the Merchant who interact with the Services provided (“End User”). You may also be a recipient/beneficiary of one of our Services, or a visitor to our Website or to another service that links to our API and Services. If you are a Merchant, a Sub-Merchant, or End User, your use of the Services will be governed by the applicable agreement between TransFi and the relevant Client.

2.1 Information you provide to us

This includes information you provide to us to establish an account and access our Services. This information is either required by law (for example, to verify your identity), necessary to provide the requested Services (for example, you will need to provide your bank account number if you wish to link that account to TransFi), or relevant to our legitimate interests described in more detail below.

The nature of the Services you use or interact with will determine the type of personal information we may request, but it may include:

  • Personal Identification Information: full name, date of birth, age, nationality/citizenship, country of residence, government-issued ID details (including ID number, ID type, expiry dates), tax ID number, account credentials, geolocation, unique device, network information or internet protocol address, wallet address, gender, utility bill, photograph, phone address, email and/or any other information relating to our legal obligations under applicable law and regulation;
  • Official Identification Documents: a government-issued identity document such as a passport, visa or national identity card, state ID card, driver's license, and/or any other information deemed necessary to comply with our legal obligations under
  • Financial Information: bank account information, payment card information, tax identification number (“TIN”), transaction history, trading data. For transaction details, we store order details, the User's bank account number, bank account name, and card information, including cardholder name, card number, CVV, and expiry date. Because we are certified under the Payment Card Industry Data Security Standard (“PCI DSS”), we can securely store this information to meet our compliance obligations and ensure data security. Although we do not store your TransFi User account login credentials, we securely handle and store card details in compliance with PCI DSS standards. Payment card information may also be processed through our system during transactions via secure third-party service providers
  • Transaction Information: information about the transactions you carry out in connection with our Services, such as the recipient's name, your name, the amount and/or timestamp, the purpose of the transaction, the jurisdiction of the transaction;
  • Verification Information: to verify your identity, including information for fraud checks and other information you provide, including images of yourself and a
  • Employment Information: office location, job title, and/or description of role; or
  • Correspondence: survey responses, information provided to our support team or User research team.

If you are a company, we may request information such as your employer identification number (or a comparable number issued by a government), proof of legal formation (e.g. Articles of Incorporation) and personal information for all material beneficial owners for Know Your Business (“KYB”) purposes.

If you do not provide us with the information below, we may not be able to provide the Services to you, or your use of the Services may be restricted.

In addition to the information you provide to us in connection with your use of the Services, you may also choose to submit information to us through other channels, including in connection with an actual or potential business relationship with TransFi.

2.2 Information we automatically collect or generate about you

This includes information we collect automatically, such as whenever you interact with our Website or use our Services. With regard to your use of our Services, we may automatically collect the following information:

  • Details of the transactions you carry out when using our Services, including the geographic location from which the transaction originated;
  • Technical information, including the Internet protocol (“IP”) address used to connect your computer to the Internet, your login information, browser name, type and version, time zone setting, browser plug-in types and versions, operating system, geolocation/tracking and platform details, device details;
  • Information about your visit, including authentication data, security questions, the full Uniform Resource Locators (“URL”) clickstream to, through and from our Website or mobile application (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs). to contact us.
  • Cookies and other Technologies. Like many websites, our Website uses cookies, location-based Services and web beacons (also known as clear GIF technology or “action tags”) to speed up your navigation of our Website, recognize you and your access privileges, and track your usage. Please read our Cookie Policy for more information.

2.3 Information collected from third parties

We may receive information about you if you visit or use our Website or use our Services. This includes information we may obtain about you from third-party sources. The main types of third parties from which we receive your personal information are:

  • Public databases, ID verification partners to verify your identity in accordance with applicable law. ID verification partners use a combination of government records and available information about you to verify your Such information may include your name, address, job role, public employment profile, status on any sanctions lists maintained by public authorities, and other relevant data
  • Blockchain data to ensure that parties using our Services are not engaged in illegal or prohibited activity, permitted jurisdictions, dark net, child abuse, etc. and to analyze transaction trends for research and development purposes by scanning the wallet address for
  • Marketing partners and resellers so that we can better understand which of our Services may be of interest to you;
  • The banks/financial service providers you use to transfer money to us will provide us with your basic personal information, such as your name and address, as well as your financial information such as your bank account details;
  • Business partners may provide us with your name and address, as well as financial information, such as card payment information; and
  • Advertising networks, analytics providers and search information providers may provide us with pseudonymized information about you, such as confirmation of how you found our Website.

3. How will we use your personal information?

We may use your information in the following ways and for the following purposes:

(a) Internal Use: We use your personal information to provide you with our Services. We may use your personal information to improve the content and layout of our Website, and to improve our marketing efforts. In addition, we use your information to ensure the safety, security, and integrity of our Services by protecting against fraudulent, unauthorized, or illegal activity; monitoring identity and service access; and responding to

(b) Communication with You: According to your preferences and in accordance with applicable law, we may send you marketing communications to inform you about events, to deliver targeted marketing and to share promotional offers. This may involve sending you communications by email or mobile application notifications about our Services, features, promotions, surveys, news, updates, and events, managing your participation in promotions and events, delivering targeted marketing, and determining general information about the behavior of visitors to the Website. Our marketing will be conducted in accordance with your advertising and marketing preferences and as permitted by applicable law. We need certain information, such as your identity, contact, and payment details, to provide and maintain our Services. If you are a new User or Client, we will contact you by electronic means for marketing purposes only if you have consented to such communication. If you do not want us to send you marketing communications, please go to your account settings to opt out or submit a request via compliance@transfi.com.

We may send you service updates regarding administrative or account-related information, security issues, or other transaction-related information. These communications are important for sharing developments relating to your account that may affect how you can use our Services. You cannot opt out of receiving critical service communications.

We also process your personal information when you contact us to resolve any questions or disputes, collect fees, or troubleshoot problems. Without processing your personal information for such purposes, we cannot respond to your requests and ensure your uninterrupted use of the Services.

(c) Legal and Regulatory Compliance: TransFi is required to process your personal information in compliance with AML/CTF and security laws, which may include the collection, use, and storage of your information in certain ways. For example, we must identify and verify customers who use our Services, including collecting photo identification and using third-party service providers to compare your personal information against When you seek to link a bank account to your TransFi account, we may request additional information to verify your identity or address and manage risk, as required by applicable law. In addition, we may disclose personal information in response to requests from law enforcement, subpoenas, court orders, or as required by law, and as necessary to protect our legal rights, enforce agreements, or prevent fraud and abuse of our Services. This includes efforts to mitigate account compromise or loss of funds, investigate complaints, claims and/or disputes, and comply with regulatory or legal requests

(d) External Use: We disclose information to our service providers to help them perform Services on your behalf. For example, to facilitate the purchase and custody of digital assets, we share certain information with third parties, such as your name, email address, social security number, date of birth, government-issued identification and the amount of digital assets purchased. In addition, the types of data we collect and share with third parties from the information you provided to us include your date of birth, country of residence, name, ID number, ID type, ID issue date, and ID expiry date, your bank account number, bank account name, and card information, including name on card, card number, CVV, and expiry date.

We may share non-personal information (such as the number of daily visitors to our Website or the size of an order placed on a certain date) with third parties. This information does not directly identify you or any User. For the avoidance of doubt, any IP addresses or a device or other identifier we collect may be shared with one or more third parties.

(e) Our Legitimate Business Interests: Sometimes the processing of your personal information is necessary for our legitimate business interests, such as:

  • quality control and staff training;
  • to enhance security, monitor and verify identity or service access, and to combat spam or other malware or security risks;
  • research and development purposes;
  • to enhance your experience of our Services and Website;
  • to facilitate corporate acquisitions, mergers, or transactions;
  • to perform internal operations necessary to deliver our Services, including fixing software bugs and

4. What personal information do we disclose to third parties?

We allow your personal information to be accessed only by those who need access to perform their work, and we share it only with third parties that have a legitimate purpose for accessing it. TransFi will never sell or rent your personal information to third parties without your explicit consent. We will only share your personal information with selected third parties, including:

  • Identity verification services to This allows TransFi to confirm your identity by comparing the information you provide to us against public records and other databases
  • Financial institutions we partner with to process the payments authorized
  • Affiliates, business partners, suppliers and sub-contractors for the performance and execution of any contract we enter into with them or you;
  • Analytics and search engine providers that assist us in improving and optimizing our Website;
  • Companies or other third parties in connection with business transfers or transfers in bankruptcy;
  • Companies or other entities that purchase TransFi assets;
  • Law enforcement, regulators, or any other third parties when we are compelled to do so by applicable we believe such use is reasonably necessary, including to protect the rights, property, or safety of TransFi, TransFi customers, third parties, or the public; to comply with legal obligations or requests; to enforce our terms and other agreements; or to address or any other security, fraud, or technical issues;
  • If you authorize one or more third-party applications to access our Services, the information you have provided to TransFi may be shared with those third parties. A connection that you authorize or enable between your TransFi account and a non-TransFi account, payment instrument, or platform is considered an “account connection.” Unless you provide additional permissions, TransFi will not authorize the third parties to use this information for any purpose other than to facilitate your transactions using our Services. Please note that the third parties you interact with should have their own privacy policies, and TransFi is not responsible for their operations or for their use of the data they collect.

Examples of account connections include:

  • Merchants: If you use your TransFi account to conduct a transaction with a third-party merchant, the merchant may provide data about you and your transaction to us.
  • Your financial services providers: For example, if you send us funds from your bank account, your bank will provide us with identifying information in addition to information about your account in order to complete the transaction.

You acknowledge and agree that TransFi may continue to use and disclose your personal data for a reasonable period following the termination of the relationship between you and TransFi for one or more of the following purposes:

  • to allow TransFi to fulfil its remaining obligations to you under any agreement, if applicable;
  • to allow TransFi to enforce its rights under any agreement, if applicable;
  • for any purpose for which you have given your written consent;
  • as required under applicable law; and as directed by an order from a court of competent jurisdiction.

5. Links to other sites

Our Website may contain links to other websites for your convenience or information. These websites are operated by entities not affiliated with TransFi, and we do not control, endorse, or take responsibility for their content or privacy practices. Each linked website may have its own terms of use and privacy policies, which may differ from ours. We encourage you to review these policies whenever you visit third-party websites, as TransFi is not responsible for the practices or policies of these external sites.

6. How do we protect and store personal information?

TransFi implements and maintains reasonable measures to protect your Your files are protected by safeguards according to the sensitivity of the relevant information. Reasonable controls (such as restricted access) are placed on our computer systems.

TransFi is an international business with operations in many countries. This means that we may transfer your information to locations outside your country. When we transfer your personal information to another country, we will ensure that any transfer of your personal information complies with applicable data protection law.

We may store and process all or part of your personal and transactional information, including certain payment information, such as your encrypted bank account and/or routing numbers. We protect your personal information by maintaining physical, electronic, and procedural safeguards in accordance with applicable laws and regulations.

As a condition of employment, TransFi employees are required to follow all applicable laws and regulations, including those relating to data protection law. Access to sensitive personal information is limited to employees who need it to perform their duties. Unauthorized use or disclosure of confidential customer information by a TransFi employee is prohibited and may result in measures

Finally, we rely on third-party service providers for the physical security of some of our computer hardware. We require third-party service providers to adhere to commercially reasonable practices and measures For example, when you visit our Website, you access servers that are maintained in a secure environment. While we take industry-standard precautions to protect your personal information and secure your account, no system can be completely secure. As a result, you assume the risk of potential breaches and their consequences. To protect your account, please safeguard your credentials, choose a complex password when registering, enable advanced security features such as two-factor authentication, and never share your credentials

If we de-identify your personal information so that it can no longer be associated with you, it will no longer be treated as personal information, and we may use it without further notice to you.

We do not knowingly seek to collect personal information from any person under 18 years of age. If a User submitting personal information is suspected of being younger than 18 years of age, TransFi will require the User to close his or her account and will not allow the User to continue using our Services. We will also take steps to delete the information as soon as possible.

We retain personal information for as long as reasonably necessary to fulfil its purposes and to meet our contractual and legal obligations. Email addresses and phone numbers are stored for as long as the User uses TransFi's Services, and the data is retained for five years once the User unsubscribes or removes themselves. Information will be deleted or removed when it is no longer required, unless longer retention is required by law. TransFi retains certain information under AML/CTF regulations and keeps data for five years. If we cannot completely delete or remove the information, we will take reasonable steps to prevent further processing.

7. Do we carry out any profiling and automated decision-making?

We may use certain instances of your data to customize our Services and the information we provide to you, and to address your needs - such as your country of address and transaction history. For example, if you frequently send funds from one particular currency to another, we may use this information to inform you of new product updates or features that may be useful to you. When we do this, we take all necessary steps to ensure that your privacy and security are protected - and we only use pseudonymised data where possible. This activity has no legal effect on you.

8. What are your privacy and information access rights?

Depending on the applicable law where you live, you may be able to assert certain rights relating to your personal information. These rights include:

  • the right to obtain information about the processing of your personal information and to access the personal information we hold about you;
  • the right to withdraw your consent to the processing of your personal information at any time. Please note, however, that we may still be entitled to process your personal information if we have another legitimate reason for doing so (for example, we may need to retain personal information to comply with a legal obligation);
  • in some situations, the right to receive certain personal information in a structured, commonly used and machine-readable format and/or to request that we transmit that data to a third party where this is technically feasible. Please note that this right applies only to personal information that you have provided directly to TransFi;
  • the right to request that we rectify your personal information if it is inaccurate or incomplete;
  • the right to request that we erase your personal information in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal information, but we are legally entitled to retain it;
  • the right to object to, or request that we restrict, our processing of your personal information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal information but we are legally entitled to refuse that request;
  • the right to lodge a complaint with the relevant data protection regulator if you think that any of your rights have been infringed by us; and
  • the right to transfer your personal data between data controllers, for example, to move your account details from one online platform to another.

Our Services may, from time to time, contain links to and from the websites of our partners, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility for them. Please check these policies before you submit any personal data to these websites. Further information about your rights can be obtained by contacting the data protection supervisory authority located

Subject to applicable laws, you may have the right to access the information we hold about you. Your right of access may be exercised in accordance with the relevant data protection law.

9. How often is the Privacy Policy updated?

We may update this Privacy Policy from time to time and without prior notice to you to reflect changes in our information practices, and any such changes will apply to information already collected and to be collected. Your continued use of our Website or any of our Services after any changes to this Privacy Policy indicates your agreement to the terms of the revised Policy

Please review this Privacy Policy periodically and especially before you provide personal data to us. If we make material changes to this Privacy Policy, we will notify you here, by email or by means of a notice on the home page of our Website. The date of the last update of the Privacy Policy is indicated at the top of this document.

10. How can you contact us about any privacy questions?

If you have any questions about this Privacy Policy, please contact us at compliance@transfi.com or send physical mail to the relevant entity below:

Trans-Fi UAB

Lvivo str. 21A, Vilnius LT-09313, Lithuania

NEOMONEY INC.

325 Front Street West, 2nd Floor

Toronto, ON M5V2Y1

Canada

TransFi AML KYC Policy

Last updated: April 2025February 2025

Revision No.: 2
Drafted by: MLRO
Approved by: The Board
Approved on: 17 February 2025
Effective from: 17 February 2025
Responsible for implementation: MLRO

Document Changes

| Revision history | Date | Author | Description of change |
|---|---|---|---|
| 1. | 17 February 2025 | MLRO | The new version of the document, replacing the previous AML KYC Policy of the Company |
| 2. | 10 November 2025 | MLRO | The new version of the document, replacing the previous AML KYC Policy of the Company |

Table of contents

1.  INTRODUCTION
2.  RISK APPETITE STATEMENT
3.  CRYPTOCURRENCIES ACCEPTED. DEALING WITH ANONYMITY
4.  ACCEPTABLE Customers’ SEGMENT
5.  SERVICE PROVIDERS AND TOOLS
6.  RESPONSIBLE PERSONS
7.  Customer IDENTIFICATION
8.  RISK ASSESSMENT
9.  MONITORING OF BUSINESS RELATIONSHIP
10.  SCREENING AGAINST PEP, INTERNATIONAL SANCTIONS AND ADVERSE MEDIA
11.  IMPLEMENTATION OF TRAVEL RULE
12.  RENEWAL OF INFORMATION ABOUT THE Customer (ODD)
13.  REPORTING TO FCIS (AML / CTF MATTERS)
14.  TERMINATION OF TRANSACTIONS OR BUSINESS RELATIONSHIP
15.  LOGS. RECORD KEEPING. DATA STORAGE
16.  EMPLOYEE TRAINING
17.  FINAL PROVISIONS
18.  ANNEXES
Annex No. 1 – Customer IDENTIFICATION PROCEDURE
Annex No. 2 – CRITERIA FOR IDENTIFYING SUSPICIOUS OPERATIONS OR TRANSACTIONS
Annex No. 3 – RELATIONSHIP MONITORING POLICY
Annex No. 4 – FORM OF LOGS
Annex No. 5 – THE FORM OF EMPLOYEES’ ACQUAINTANCE WITH THE POLICY
Annex No. 6 – PROHIBITED COUNTRIES LIST
Annex No. 7 – ACCEPTABLE EVIDENCE OF SOURCES OF WEALTH AND SOURCES OF FUNDS
Annex No. 8 – TEMPLATE OF THE MLRO QUARTERLY REPORT
Annex No. 9 – TRAINING LOG TEMPLATE

  1. INTRODUCTION 
    1. The purpose of this Policy is to define the ML / TF prevention measures and the enforcement thereof in the process of the Company’s operations.
    2. The Company shall carry out its business aiming to ensure effective prevention of ML / TF as required by the Law and other applicable legal requirements and good practice. Taking this into account, all employees of the Company shall adhere to the procedure and requirements for the implementation of the ML / TF prevention measures as outlined herein.
    3. Managing ML/TF risks shall be an integral part of the Company’s overall risk management system. Considering the scope and nature of its business, the Company shall implement ML / TF risk identification, assessment, and management procedures, as well as effective tools to mitigate such risks.
    4. In managing its ML / TF risks, the Company shall at all times ensure compliance with the requirements outlined in the present Policy to the maximum extent possible. 
    5. In case the Company performs certain functions related to the ML/TF field (for instance, Customer identification, and monitoring) through third parties, the Company shall ensure that such third parties also comply with requirements established under the Policy and the Law. 
  2. RISK APPETITE STATEMENT

    1. The Company has zero tolerance for financial crime, regulatory breaches, and any attempt to circumvent the Company’s financial crime policies and controls. However, being engaged in the provision of Services, the Company cannot completely avoid ML / TF risks and, aiming to minimize them to the lowest extent possible, applies relevant control measures, which are described in this Policy and technically enforced in practice.
    2. While engaging in the provision of Services, the Company adheres to the following core principles (list not exhaustive):
      1. To show zero tolerance for the facilitation of financial crime, money laundering, financing of terrorism, and fraud;
      2. To avoid knowingly conducting business with individuals or entities believed to be engaged in inappropriate and unlawful behavior;
      3. To avoid risks that could jeopardize the Company’s strategic plans, including activities that could make the Company vulnerable to any type of public or private litigation or enforcement that could be damaging to the Company’s reputation and cause deterioration of its relationship with regulators;
      4. To avoid or cease any activity/service for which the Company’s management believes that the Company’s control mechanisms cannot protect the Company from risks that exceed the tolerance threshold;
      5. To regularly perform an enterprise-wide risk assessment aiming to identify changes within the Customer, product, geographic and distribution channel base and verify whether existing control measures are sufficient to make the residual risk low;
      6. The Company aims to have strong and sufficient control measures mitigating ML / TF risks so that the residual risk would always be low; etc.
    3. Company managers at all levels are particularly responsible for evaluating their risk environment, implementing appropriate controls, and monitoring the effectiveness of those controls. The risk management culture emphasizes careful analysis and management of risk in all business processes.
  3. CRYPTOCURRENCIES ACCEPTED. DEALING WITH ANONYMITY
    1. The Company services the following cryptocurrencies: USDC, EUROC, SOL, TON, and BNB. In time, the Company may start servicing other cryptocurrencies as well. 
    2. The Company does not provide any Services involving cryptocurrencies that prioritize anonymity. The Company will apply a wallet screening function, in both deposit and withdrawal cases, which will allow identification of risky wallets and any exposure to tainted funds in the wallet (e.g. related to sanctioned jurisdictions, dark market, child abuse, tumblers, mixers, etc.).
    3. This means that the Company will not process any transactions that cannot be traced back to a specific individual or entity.
  4. ACCEPTABLE CLIENTS’ SEGMENT
    1. The Company shall offer and provide Services for both individual and corporate Clients. 
    2. In the case of individuals, any user over 18 years of age is an acceptable Client (below 18 years – not accepted). The upper age limit is 60 years of age for Europe and 70 years of age for other countries we work in (older natural persons are not accepted).
    3. In the case of legal entities, we engage with trusted Customers who are identified and verified thoroughly through the KYB process where we not only verify the documents but also do a thorough internet profiling to know about any online footprint. Additionally, the business relationship is established after several rounds of conversations, which establishes trust. 
  5. SERVICE PROVIDERS AND TOOLS
    1. The Company leverages certain third-party tools for our Compliance framework:
      1. KYC / KYB verification (identity verification) – SumSub (www.sumsub.com);
      2. Crypto transaction monitoring – Chainalysis (https://app.chainalysis.com/); 
      3. Wallet monitoring – Chainalysis (https://app.chainalysis.com/);
      4. Sanctions screening – SumSub (www.sumsub.com);
      5. Internet profiling – With Accend (withaccend.com);
      6. Email risks check – At data (https://instantdata.atdata.com/);
      7. Device and behavior biometrics – Sardine (www.sardine.ai)
  6. RESPONSIBLE PERSONS
    1. The following bodies and officers are involved in the AML / CTF implementation functions within the Company:
      1. the Board;
      2. Responsible AML Board member;
      3. MLRO (2nd line officer);
      4. CEO (to a certain extent);
      5. Compliance Officer (2nd line officer).
    2. The Board shall have the following responsibilities in the AML / CTF area:
      1. Approve the AML / CTF Policy and other Policy level documents;
      2. Review quarterly compliance reports submitted by the MLRO. Provide feedback and recommendations; 
      3. Reviewing, giving comments, and approving annual Enterprise-Wide Risk Assessment and its methodology;
      4. Oversee the entire AML / CTF framework and decide on the provision of the required budget for AML / CTF measures implementation;
      5. Hear out the Responsible AML Board member and the MLRO, when necessary;
      6. Discuss AML / CTF matters during the Board meetings (based on the prepared agenda), decide on the required actions and measures;
      7. Perform other duties and functions assigned to the Board by this Policy as well as other internal documents of the Company and laws.
    3. The Responsible AML Board member shall have the following responsibilities in the AML / CTF area:
      1. Supervise activities of the MLRO, advise and/or give assistance when required by the MLRO; 
      2. Organize the implementation of the AML / CTF framework within the Company. This involves being the first point of contact (with the MLRO) in addressing and highlighting the main AML / CTF aspects that require improvement, change, etc. Such aspects should be highlighted to the Senior Management;
      3. If requested by the MLRO, review quarterly compliance reports prepared by the MLRO (prior to the review of the Board as a body);
      4. Perform other duties and functions assigned to the Responsible AML Board member by this Policy as well as other internal documents of the Company and laws.
    4. The MLRO shall have the following responsibilities in the AML / CTF area:
      1. Implementing the AML / CTF framework within the Company;
      2. Ensuring timely and proper communication with and timely reporting to FCIS; 
      3. Reporting every quarter to the Senior Management of the Company regarding the Company’s activity data, including the number of Customers onboarded by the Company during the relevant quarter, profiles of such Customers (i.e. how many natural persons and how many legal entities were onboarded during the relevant quarter, from what jurisdictions they are, to which risk groups they were assigned, number of Customers with whom Business Relationship was terminated, etc.). Template of such Quarterly Report is provided as Annex No. 8 to this Policy;
      4. Approving/rejecting high-risk customers; 
      5. Organizing and ensuring ongoing Company employee education in the ML/TF area, including organization of training for employees related to identifying suspicious activity, understanding customer identification, and record-keeping requirements;
      6. Ensuring that all employees working with the Customers and their onboarding, risk assessment, monitoring, etc. are familiarized with this Policy and annexes thereof, and all related Company’s internal documentation;
      7. Ensuring the proper implementation of Know Your Customer requirements in the Company’s activities, including proper assessment of Customer’s identification documents, collection of their copies, record keeping, etc.; 
      8. Ensuring implementation of transaction monitoring procedures;
      9. Ensuring that the Policy and annexes thereof are revised and updated (if needed) regularly (at least once per year);
      10. Ensuring that the Company keeps and maintains all the required records and logs; 
      11. Ensuring that ML/TF prevention measures applied by the Company are properly integrated in the Company’s internal control system; 
      12. Be responsible for writing, updating, and maintaining the Company’s procedures and other documents related to ML/TF prevention area;  
      13. Preparing the annual Enterprise-Wide Risk Assessment and presenting it to the Senior Management; 
      14. Perform other duties and functions assigned to the MLRO by this Policy as well as other internal documents of the Company and laws.
    5. The CEO’s responsibilities shall include, but shall not be limited to:
      1. Ensuring that the Company’s UBOs data are provided to the JANGIS (Centre of Register of Lithuania) in time;
      2. Getting familiar with all documents, reports, and information submitted by the MLRO and/or the Board of Directors; 
      3. Approving the Procedure, Rules, Methodology, and Description level documents (the Board shall also have a right to approve such level documents);
      4. Implement Board of Directors decisions to the extent requiring the CEO’s involvement; 
      5. Perform other duties and functions assigned to the CEO by this Policy as well as other internal documents of the Company and laws.
    6. The Compliance Officer shall have the following responsibilities in the AML / CTF area:
      1. Ensure that the risk of non-compliance with Applicable Laws is properly managed, that ongoing monitoring of non-compliance risk is performed, non-compliance risks are identified and assessed and measures of managing such risks are planned and implemented;
      2. Identify the need for changes in the regulation of the Company’s activities, identify regulation gaps, including gaps arising from amendments to Applicable Laws, inform the Management Bodies of these gaps and required changes, draft compliance-related documentation, and participate in the development of internal rules and procedures of the Company related to the compliance risks;
      3. Prepare, on the basis of elements provided in Annex no. 1 to this Policy, an annual Compliance Monitoring Programme and implement supervision of compliance based on this programme;
      4. Oversee compliance monitoring activities across the Company, ensure that identified gaps are corrected, implement relevant recommendations, and provide updates to the Management Bodies. Analyze proposed amendments to legal acts, inform the Management Bodies and employees of upcoming requirements, and ensure the Company is prepared for these changes;
      5. Organize and direct investigations in situations where non-compliance with Applicable Laws is suspected, examine all cases of non-compliance, determine the level of risk in each case, and implement urgent measures to ensure compliance in the future;
      6. Participate in the decision-making process to ensure compliance requirements are met, provide advice on risks related to new services, and substantial changes in existing services, and offer input on legal requirements related to business decisions, license updates, or renewals;
      7. Set compliance principles, rules, and procedures, monitor the efficiency of risk management measures related to compliance with Applicable Laws, and make proposals for the regulation of the Company’s compliance processes;
      8. Provide information and assist in organizing training for employees on compliance-related areas and changes in compliance-related Applicable Laws, participate in the process of conducting compliance training for new employees, and inform the team leads of Functions about changes in legal provisions on a regular or ad hoc basis. The team leads of structural units must pass the information to their subordinates;
      9. Inform the Management Bodies of any breaches of Applicable Laws, prepare and submit reports on their activities, record situations where deviations from the Compliance Officer’s recommendations are observed, and take part in the meeting of the Management Bodies at which the compliance risk assessment reports and/or the reports on the implementation of compliance function are considered;
      10. Liaise with the Supervisory Body, Financial Crime Investigation Service of the Republic of Lithuania (FCIS), perform the function of a contact person or coordinate the relationships with them, and provide information to the Supervisory Body and other competent institutions about incidents and other significant circumstances, take part in the investigations, checks, inspections, and other actions taken by supervisory authorities to the extent not covered by the Money Laundering Reporting Officer;
      11. Receive information about important customers’ complaints, take part in the complaints handling process, where required, and supervise complaints’ handling process in case of need;
      12. Undertake any other duties as assigned by the Board or derived from internal documentation.
    7. Rights, functions, responsibilities, duties, etc. of the above-listed bodies and officers, as well as other positions formed within the Company, may be established in other internal documents as well. The above lists shall be read as initial (general) ones.
  7. Customer IDENTIFICATION
    The Company’s Customers are legal entities and natural persons.
    1. The Company performs Customers’ identification procedures remotely. Physical identification measures are not applied by the Company.
    2. Detailed instructions on Customer identification procedures and applicable requirements are established under Annex No. 1 to this Policy.
  8. RISK ASSESSMENT

Risk groups 

  1. To assess the ML/TF risks, the Company shall deploy a risk-based approach.
  2. The Company recognizes the following types of risks relevant to its activities:
    1. According to the nature:
      1. Customer risk;
      2. Country / geographical area risk;
      3. Product/services risk;
      4. Delivery channel risk.
    2. According to the risk level:
      1. Low;
      2. Medium;
      3. High;
      4. Unacceptable.

Individual risk assessment

  3. The Company shall perform an individual risk assessment of each Customer:
    1. Before entering into the Business Relationship with the Customer; or
    2. In case the Company becomes aware of certain circumstances indicating the possible change in Customer’s risk group;
    3. In case of concerns regarding the correctness of previously collected Customer’s KYB / KYC data or when there are concerns that possible ML / TF activity may be taking place.
  4. Each Customer of the Company shall always be assigned to the relevant risk group. The Company must maintain a tool for Customer risk segmentation which allows, after assessing relevant individual circumstances of the Customer, to assign the Customer to a relevant risk group as listed under Section 8.2 above.

Enterprise-wide risk assessment

  5. The Company shall, at least once a year, perform an Enterprise-Wide Risk Assessment of all risks relevant to its activities (Clause 8.2(i) of this Policy). The purpose of such assessment is to establish the risk level to which the Company is exposed, so as to be able to assess how relevant risk criteria and risk levels have evolved over time and to decide whether identified changes require putting in place additional measures or reconsidering the set risk tolerance levels.
  6. The Enterprise-Wide Risk Assessment shall be performed in a written format. The MLRO is responsible for the performance of the Enterprise-Wide Risk Assessment, which shall be prepared and submitted to the Senior Management of the Company. The Enterprise-Wide Risk Assessment shall be performed by the MLRO of the Company following the risk assessment methodology to be approved by the Board.
  9. MONITORING OF BUSINESS RELATIONSHIP
  1. The Company shall carry out ongoing monitoring of the Business Relationship and wallets. This includes transaction monitoring and keeping the underlying Customer’s information up to date.
  2. The Company shall ensure and apply both the instant and retrospective monitoring procedures. The difference between them is that:
    1. Instant monitoring – following criteria and scenarios set by the Company, the system “catches” potentially suspicious transactions or operations and does not release them until the MLRO or other authorized compliance employee looks into them and ascertains that the transaction/operation is not suspicious and may be released. Such an assessment shall be started by the MLRO or other authorized compliance employee within 1 (one) business day as of the day when the alert is generated. The alert assessment time should be reasonable, and the MLRO or other authorized compliance employee should take appropriate and timely measures to ascertain whether the transaction/operation is suspicious or not. If the Customer is requested to provide additional information needed for the assessment, the overall alert assessment term may be extended; however, in such a case the Customer needs to be informed that the Customer’s transaction/operation will not be executed until the Customer provides sufficient information. The term shall not be extended for more than 4 days in total (except for very specific situations when there is a reasonable ground to extend the term more). If the Customer fails to provide the requested information and/or if the assessment shows that the transaction or operation is suspicious, the MLRO of the Company shall submit a Suspicious Operation Report to FCIS as specified under Section 13 of this Policy.
    2. Retrospective monitoring – there are two types of retrospective monitoring to be applied by the Company:
      1. Following criteria and scenarios set by the Company, the system “catches” activities that are not standard for the particular Customer, but which are executed and not blocked on a real-time basis. Such “caught” transactions or operations shall be assessed by the MLRO or other authorized compliance employee no later than within 30 calendar days from the moment the relevant transaction or operation was flagged in the retrospective monitoring system. If the assessment shows that the transaction or operation is suspicious, the MLRO of the Company shall submit a Report to FCIS;
      2. On a regular basis, but not less frequently than once per half a year, the MLRO may decide to check historical transactions of a relevant type of Customer, which would serve as a secondary measure in addition to the main retrospective monitoring procedure described in item (a) above. The aim of such additional checks is to ascertain that all potentially suspicious or non-standard transactions were found and assessed by the Company. The MLRO shall be responsible and shall decide what type of Customers should be checked (e.g. 10 biggest Customers according to the amount of their payments; Customers whose payments are related to high-risk geographical regions, etc.).
  3. The Company shall monitor transactions to ensure that they are in line with the Customer’s risk, and examine the source of funds when required (Annex No. 7 to this Policy) to detect possible ML / TF. The Company shall also keep the documents, data, or information it holds up to date, with a view to understanding whether the risk associated with the Business Relationship has changed.
  4. The Company collects source of funds documents under the following circumstances:
    1. All types of Customers: when they are high risk and are subjected to EDD;
    2. All types of Customers: when they reach daily / monthly transaction thresholds;
    3. All types of Customers: when the Client’s transaction behavior shows major changes (e.g. order size is significantly bigger than the average order size of previous transactions);
    4. Only legal entity Customers: all businesses that fall under our requirements of EDD are required to submit these documents. EDD kicks in when the business falls under the following criteria:
      • Provide crypto / digital assets services
      • Provide other crypto / digital assets services
      • Provide money services/payments / other financial services
      • Are regulated gambling services
      • Any Customer with a politically exposed beneficial owner
    5. Individuals: all individuals that are PEP are required to submit these documents.

  5. Monitoring (instant and/or retrospective) might be carried out by using the services of third parties. In such a case the Company shall ensure that third parties follow the requirements specified in this Policy and the Law and align their IT systems and platforms so that all monitoring criteria and scenarios set by the Company are properly covered.
  6. The Company will use a risk-based matrix that will define various risk levels, namely, high, medium, and low. All the risk categories will be subjected to transaction thresholds which are based on various qualifiers in the case of an individual or a legal entity:
    1. Individual: the Company will categorise the Client into various risk categories and impose transaction thresholds based on the selection of payment methods and jurisdictions along with user behaviour.
    2. Legal entity: the Company will categorise the Client into various risk categories and impose transaction thresholds based on various risk factors like the pedigree of the company, Internet risk profiling score, onboarding tenure, and geographical risks.
  7. The Company will use a comprehensive approach to transaction monitoring including, but not limited to, screening (i.e., monitoring transactions in real time) and monitoring (i.e., analyzing transactions later). The objective of screening is to identify:
    1. Suspicious and unusual transactions and transaction patterns;
    2. Transactions exceeding the provided thresholds.
  8. The screening of the transactions is performed automatically and includes the following measures:
    1. Established thresholds for transactions, depending on the user/Client's risk profile and the estimated transaction turnover declared by the user/Client;
    2. The scoring of virtual currency wallets where the virtual currency shall be sent in accordance with the user / Client’s order;
    3. The scoring of virtual currency wallets from which the virtual currency is received.
  9. General requirements applicable to monitoring procedures are established under Annex No. 3 to this Policy.
  10. SCREENING AGAINST PEP, INTERNATIONAL SANCTIONS AND ADVERSE MEDIA
  1. The Company deploys automatic solutions for political exposure, international sanctions, and adverse media screening.
  2. Such screening is performed: 
    1. Prior to entering into a Business Relationship;
    2. Daily during Business Relationship;
    3. In addition, crypto wallet screening is performed both prior to entering into a Business Relationship as well as prior to each transaction and on an ongoing basis.     
  3. Screening against international sanctions is performed for the following persons: 
    1. Customer itself;
    2. Representative of the Customer;
    3. UBOs of the Customer;
    4. Customer
  4. Screening against PEP exposure is performed for the following persons: 
    1. Customer itself;
    2. Representative of the Customer;
    3. UBOs of the Customer;
    4. Customer
  5. Screening against adverse media is performed for the following persons:
    1. Customer itself;
    2. Representative of the Customer;
    3. UBOs of the Customer;
    4. Customer
  6. At least the following data shall be screened: 
    1. For natural persons: full name and surname, date of birth (or personal code), citizenship, residence country. 
    2. For legal entities: full title, registration country, legal entity code, country of actual address or address (if relevant).
  7. If the screening indicates: 
    1. That the Client is a PEP – Business Relationship may be started; however, prior to this the Client must undergo the enhanced due diligence procedure as specified under Annex No. 1 to this Policy.
    2. That the Client is subject to international sanctions – the Client cannot be onboarded, the transaction cannot be executed, and Services cannot be provided to the Client. The MLRO must notify the FCIS as specified under Section 13 of this Policy.
    3. That the Client is subject to adverse media:
      1. If adverse media indicates that the Client is involved in financial crime, ML/TF cases – the Client must be rejected, Services cannot be provided;
      2. If adverse media indicates that the Client is sanctioned – an assessment regarding the relevance of international sanctions must be performed and, if it is confirmed, the measures listed above under point (ii) must be followed;
      3. If adverse media indicates other criteria – the MLRO shall be informed and shall take a decision on whether the Client can be onboarded and, if “yes”, which risk group shall be assigned to the Client.
  8. Screening data (evidence proving data screening is/was performed) must be available to the Company. The Company should be able to prove when and how screening was performed, if required (e.g. if requested by the regulator). Such data may be available in the IT systems and tools.
  11. IMPLEMENTATION OF TRAVEL RULE
  1. The Travel Rule, as implemented by EU Regulation 2023/1113 and EBA Travel Rule Guidelines, requires that all crypto-asset transfers be accompanied by information on the originator and beneficiary of the crypto-transfer transaction.
  2. Crypto-asset transfers conducted by the Company include the following information: 

About the originator of the transfer: 

  1. The name of the originator;
  2. the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;
  3. the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology (if not available – the transfer of crypto-assets is accompanied by a unique transaction identifier);
  4. the originator’s address, including the name of the country, official personal document number, and customer identification number, or, alternatively, the originator’s date and place of birth; 
  5. subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI, or, in its absence, any other available equivalent official identifier of the originator.

About the beneficiary of the transfer:

  1. The name of the beneficiary;
  2. the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction;
  3. the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology (if not available – the transfer of crypto-assets is accompanied by a unique transaction identifier);
  4. subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI, or, in its absence, any other available equivalent official identifier of the beneficiary.
  1. The Company shall not allow for the initiation, or execute any outgoing transfer, of crypto-assets before ensuring that all the originator’s information is available and verified. 
  2. For incoming transfers, the Company shall check, prior to accepting the transfer, whether it maintains all the necessary information, and shall verify the beneficiary data accompanying the transfer against the information maintained by the Company about the beneficiary. If not (e.g. the data is inaccurate, incomplete, etc.), the transaction shall be either suspended until the verified information requested by the Company is received, or rejected.
  1. RENEWAL OF INFORMATION ABOUT THE Customer (ODD)
  1. Information collected about the Customer shall be renewed by the Company within the below timeframes:
| Customer risk | Information renewal timeframe (once per) |
|---|---|
| Low | 3 years |
| Medium | 2 years |
| High | 1 year |

  1. Review and renewal of information shall cover:
    1. Information about the Customer collected during the onboarding process (all KYC information); 
    2. Review of Customer’s identity document – it should be checked whether the ID document is still valid and if valid – additional documents are not required, however, if the ID document is no longer valid – a valid ID document should be required in addition;
    3. Check historical transactions with an aim to determine whether they indicate additional risks or a need to update the Customer’s risk profile. 
  2. All data reviewed, updated, collected, and assessed must be stored in the Customer’s file with dates evidencing when the document was collected/assessed.
  1. REPORTING TO FCIS (AML / CTF MATTERS)

List of reports:

  1. The Company is required to report to FCIS in case of:
  1. Suspicious Operations or Transactions (SARs submission).
  2. Knowledge or suspicion that the transaction is directly or indirectly related to criminal activity or is intended to be used for such a purpose.
  3. Knowledge or suspicion that the Customer will try to perform a suspicious operation/transaction.
  4. Report on virtual currency exchange transactions or transactions with virtual currency only if the transaction is suspicious and the MLRO has reasons to believe and the value of such transaction is equal to or exceeds 15.000 EUR (or equivalent in another currency, including virtual currency).
  5. Annual report on Company’s activity.
  1. Details of each report are the following:
| Report type | Submission timeline | Submission method | Report template | Responsible reporting employee | Actions to be taken |
|---|---|---|---|---|---|
| Suspicious Activity Report | Within 3 business hours of suspension / identification of suspicion | Via FCIS information system, or in urgent cases via email: dokumentas@fntt.lt | Report template provided as annex of FCIS Order No V-129 (see annexes) | MLRO | No actions can be performed (no operations/transactions executed) until the response from the FCIS is received or, in case of no response from the FCIS, until the 10 business days term is finished. |
| Knowledge or suspicion that the transaction is directly or indirectly related to criminal activity or is intended to be used for such a purpose (both ML and TF purposes) | Within 1 business day as of knowledge of such information | Via FCIS information system, or in urgent cases via email: dokumentas@fntt.lt | Report template provided as annex of FCIS Order No V-129 (see annexes) | MLRO | No actions can be performed (no operations/transactions executed) until the response from the FCIS is received. |
| Knowledge or suspicion that the Customer will try to perform a suspicious operation / transaction | Immediately, no later than within 3 business hours | Via FCIS information system, or in urgent cases via email: dokumentas@fntt.lt | Report template provided as annex of FCIS Order No V-129 (see annexes) | MLRO | Suspend the Customer and its transactions until the response from the FCIS is received or, in case of no response, until the 10 business days term is finished. |
| Report on virtual currency exchange transactions or transactions with virtual currency if the value of such transaction is equal to or exceeds EUR 15,000 and is considered suspicious by the MLRO | Within 7 business days of the transaction | Via FCIS information system, or in urgent cases via email: dokumentas@fntt.lt | The report template is not provided in legal acts, but the scope of information is available in FCIS Order No 1V-701. | MLRO | Transactions may be performed unless suspicion arises, in which case SAR should be submitted in addition. Also, see more information below in this Section. |
| Annual report on the Company’s activity | Annually until 31 March | Via FCIS information system, or in urgent cases via email: dokumentas@fntt.lt | Report template provided as an annex of FCIS Order No V-16. | MLRO | N/A |

Key communication with FCIS timelines and requirements

  1. FCIS shall within 10 business days of the receipt of the report's performance assessment take necessary actions if a basis for this is established (e.g. notify the Police and initiate a pre-trial investigation). FCIS must notify the Company accordingly. 
  2. If the Company does not receive a response from the FCIS within 10 business days of the submission of reports listed under Clause 13.2 of this Policy or where the Company is not obligated by FCIS to temporarily restrict the ownership rights in accordance with the procedure established by the Code of Criminal Procedure of Lithuania, this is the basis for the Company to consider that FCIS did not determine any illegal activity and restrictions should be eliminated. However, if the MLRO has doubts regarding the renewal of the suspended transaction/activity of the Customer, the MLRO shall contact the FCIS in addition, and ask for their guidance with respect to the renewal and/or possible institutional actions.
  3. The Company shall not be responsible to the Customer for the non-fulfillment of contractual obligations and for the damage caused in the course of performing the duties and actions specified in this Section (as long as they are performed in line with legal requirements). Immunity from legal proceedings shall also apply to the directors or other employees of the Company who report, in good faith, information about suspected ML / TF or Suspicious Operations or transactions carried out by the Customer to the MLRO; they also may not be subject to disciplinary sanctions because of such actions.
  4. The Company must ensure that it maintains internal systems enabling MLRO to respond rapidly, through secure channels and in a manner that ensures full confidentiality of inquiries, to the inquiries from the FCIS concerning the submission of the information related to AML / CTF and ensure the submission of this information within 14 working days from the receipt of the inquiry, unless a shorter period is set by the FCIS, this Policy or the Law.
  5. All information submitted to the FCIS and/or received from the FCIS shall be considered confidential and not subject to disclosure to third persons, including employees of the Company who are not involved in handling the particular case reported to the FCIS or informed by the FCIS. The MLRO shall be the key contact point for communication with the FCIS and shall ensure the confidentiality of FCIS-related information; the email of the MLRO shall be used for communication with FCIS. In addition, information to the FCIS shall always be submitted via a dedicated FCIS information system, while email dokumentas@fntt.lt should be used only in exceptional cases (e.g. where the FCIS information system is not available due to technical reasons). Tipping-off prohibition shall be ensured in all cases, meaning that information about the Client’s suspicious transactions or behaviour and/or the fact that a SAR was submitted to the FCIS, as well as what exact information led to the suspicion, cannot be disclosed to the Customer, to the Company’s employees who do not have a right to possess such data (i.e. who are not working with the Customer’s case, investigation, etc.) or to third parties, unless exemptions are allowed following legal requirements, including exemptions under Article 23 of Lithuanian AML Law.

Report on 15.000 EUR virtual currency transactions

  1. The MLRO is responsible for the submission of information to FCIS regarding virtual currency exchange or other virtual currency transactions if the amount of such transaction is equal to or above EUR 15,000 (irrespective of whether the transaction was carried out as a single or multiple transaction) and considered suspicious by the MLRO. Information about such transactions shall be submitted to FCIS within 7 business days of their performance day.

Report on suspicious activity/transaction

  1. Suspicious Operations or Transactions are those that, by virtue of their nature, in the opinion of the Company, may be related to ML/TF or fraud cases. If it is determined that the relevant transaction or operation is a Suspicious Operation or Transaction, the MLRO of the Company shall report it to FCIS as specified below in this Section.
  2. The Company welcomes all applicants unless they are citizens or were born in or reside within the countries under the prohibited countries or are otherwise prohibited persons under applicable AML/CFT legislation. If born in prohibited countries, they may still register if they provide evidence of renouncing their original nationality and taking citizenship of a non-prohibited country.
  3. High-risk jurisdictions and other jurisdictions monitored by the FATF, as described in Annex No. 6 to this Policy.
  4. The Company shall also screen each applicant/user and, where applicable, associated persons, authorized persons, and BOs of the applicant/user for compliance with sanctions as described in Annex No. 6 to this Policy.
  5. The Company engages third-party service providers who provide tools/databases to screen for compliance with the aforementioned sanctions, PEP lists, and money laundering databases.
  6. In all cases, the company must complete the verification before accepting the applicant as a user. Any Applicant (or their Related Persons, Authorized Persons, and BOs) who has/have a positive match to the verification list (which after investigation and assessment by Compliance cannot be rejected) and is on a prohibited list (e.g. Applicant in a prohibited country or business) cannot be accepted as a User of the Company and will be rejected from becoming a User.
  7. For Applicants (or their Related Persons, Authorized Persons, and BOs) who have/had a positive result (which after investigation and assessment by Compliance cannot be rejected) and are not on the Prohibited List, but have received adverse information as a result of the review, the Company will consider whether the Applicant falls into a high-risk group where ECDD is required before the Applicant can be accepted as a User.
  8. The Compliance Service shall keep a record of the results of the screening and the carried-out assessment.
  9. A suspicion may be caused by various objective and subjective circumstances, for example, the Customer performs transactions or operations that are not typical to its activities, provides incorrect data on themselves or the operation, is reluctant to provide additional information (documents) about the Customer, the operation being assessed by the Company, etc.
  10. When assessing relevant transaction or operation from the suspicious Customer’s activity perspective, the MLRO of the Company shall obtain sufficient information on the ground and purposes of the Suspicious Operation or Transaction, as well as the origin of funds, in order to properly examine the activities and/or operations and transactions carried out by the Customer and must provide their conclusions on that in writing. 
  11. The Company is not obliged to find out whether the activity of the Customer contains a composition of crime. If the Company knows or suspects that the transaction or operation is a Suspicious Operation or Transaction, it must:
    1. Suspend the transaction/operation (if possible); and 
    2. Notify the FCIS within 3 business hours of the suspension moment.

 

  1. The list of criteria applied when recognizing Suspicious Operations or Transactions is presented in Annex No. 2 to this Policy.
  2. Where the transaction/operation fails to meet any criteria specified in Annex No. 2 to this Policy and yet a suspicion arises to an employee of the Company with regard to the operation or transaction and/or the Customer’s activity, such transaction or operations must be regarded as Suspicious Operations or Transactions and shall be reported to FCIS within 3 business hours.
  3. The Company is subject to a “tipping-off” prohibition. This means that the Company is prohibited by law from disclosing (“tipping-off”) to the Customer or other persons (except for the responsible internal team members and relevant authorities) the fact that a suspicious transaction report or related information is being filed or was filed with the FCIS.
  1. TERMINATION OF TRANSACTIONS OR BUSINESS RELATIONSHIP 

General requirements

  1. If the Customer is reluctant or refuses to provide additional information at the request of the Company, the Company, depending on the nature and importance of such information as well as on the reasons why such information is not provided, may refuse to carry out operations or transactions, terminate their execution or Business Relationship with the Customer.
  2. The Company shall not be liable to the Customer for failure to fulfill contractual obligations or damage incurred due to failure to carry out the Customer’s operations or transactions provided that the Company did not carry out the Customer’s operations or transactions on the basis of reasons laid down in below Clause 14.4 of the Policy.
  3. The Company shall be prohibited from executing transactions, establishing or maintaining Business Relationships if the Customer:
    1. Fails to provide information verifying their identity, is reluctant to provide information necessary to establish their identity, or the provided information is insufficient;
    2. Provides incomplete or incorrect data;
    3. Is subject to international sanctions;
    4. Does not meet the risk tolerance limits set by the Company;
    5. Requests to provide anonymous services.
  4. In cases specified in Clause 14.4 and after identifying that the relevant operation, transaction, or behavior of the Customer is suspicious (irrespective of whether such operation or transaction was performed or not), the Company shall report the Suspicious Operation or Transaction to FCIS.
  5. If during the identification of the Customer the Company has a reason to believe that the ML/TF offense is taking place, and the further process of identification of the Customer may raise suspicions to the Customer that information about him/her may be transmitted to competent law enforcement authorities, the Company may discontinue the process of identifying the Customer and may not establish Business Relationship with the Customer. In these cases, the information shall be transmitted to FCIS as soon as possible but not later than within 1 business day.  

Termination of Business Relationship based on Customer’s initiative

  1. The Customer has a right to terminate the Business Relationship with the Company without specifying any reason and unilaterally without applying to court. Particular terms for implementation of such right may be applied based on the Company’s T&Cs.  

Termination of the Business Relationship with the Customer on the Company’s initiative or where so required under legal acts

  1. The Company has the right to terminate the Business Relationship with the Customer without any notification in advance and without applying to court, where the legal basis agreed between the Parties via the BSA agreement is met, or where other legal grounds exist. 
  2. The Client must immediately (the same business day) be notified via e-mail about the termination of the Business Relationship unless notification is prohibited under the legal acts. If there is a suspicion of ML/TF, the Company shall notify FCIS and until the assessment on suspicious activity is performed by FCIS, termination may be postponed, and the Client cannot be informed about ongoing investigation or application to the FCIS.
  1. LOGS. RECORD KEEPING. DATA STORAGE
  1. The Company shall keep at least the following logs:
  1. Log of Suspicious Operations or Transactions and reports submitted to FCIS; 
  2. Log of virtual currency exchange or other virtual currency transactions if the amount of such transaction is equal to or above EUR 15.000, only when considered suspicious by the MLRO (irrespective of whether the transaction was carried out as single or multiple transactions), including data about such transaction reporting to FCIS;
  3. Log of Clients with whom transactions or Business Relationships have been terminated due to circumstances related to infringements of the procedure for the prevention of ML / TF, including cases when Business Relationships were terminated because Clients or their representative(s) tried to conceal information about themselves or Beneficial Owners, did not provide all required information, etc.;

  1. The templates of the above-mentioned logs to be kept by the Company are provided in Annex No. 4 of this Policy. 
  2. Data shall be entered in the logs in chronological order, on the basis of the documents supporting the operation or transaction or other documents with legal effect related to the performance of the operations or conclusion (or termination) of transactions, or termination of Business Relationship, immediately but no later than within three business days as of the performance of the operation or conclusion of the transaction, or the date when the specified circumstances occurred or were established.
  3. The following data storage requirements shall be ensured:
| Type of data | Timeframe |
|---|---|
| Data of the logs indicated in Clause 15.1 of the Policy. Copies of Client’s ID documents, identity data of Beneficial Owners, identity data of funds beneficiary, records of real-time video identification or real-time photo transmission made during remote identification, other data received during the Client’s identification, agreements, and invoices collected in relation to the Business Relationship with the Client. (In cases of several products despite the fact that one product was terminated, all the information must be stored related to the Client 8 years from the day of the last product termination.) | 8 years as of the day of the end of the Business Relationship with the Customer |
| Documents and data confirming the performance of the Operation or Transaction | 8 years as of the date of performance of the operation/transaction |
| Correspondence with the Client related to the Business Relationship and AML / CTF matters (both official correspondence with the Client and also correspondence by emails, via internet banking tools, and correspondence by other electronic means) | 5 years as of the day of the end of the Business Relationship with the Client |
| Letters and documents by which findings of the investigation of complicated or unusually large transactions and unusual structures of transactions are documented | 5 years |
| Information according to which address of the virtual currency may be connected with the owner of such virtual currency | 8 years as of the day of the end of the Business Relationship with the Client |
| AML training material | 5 years |

  1. The time limits for record keeping may be additionally extended for no longer than two (2) years upon a reasoned instruction of a competent authority.
  2. The Company shall ensure that the documents and information referred to in Clause 15.4 of the Policy would be stored irrespective of whether: (i) transactions are local or international; and/or (ii) the Business Relationship with the Client continues or has ended.
  3. The Company shall ensure that the documents referred to in Clause 15.4 of the Policy would be stored so that it would be possible: (i) to restore information about the specific transaction; and (ii) upon necessity, to provide them and information set out therein to FCIS.
  1. EMPLOYEE TRAINING 
  1. Ongoing employee training programs related to ML/TF prevention requirements shall be prepared and conducted in the Company under the leadership of the MLRO. The training log shall be prepared by the MLRO each year and shall contain information about training (to be) performed, participants, training dates, titles of the training, organizer, certificates issued, and other relevant information, if any. A training log is provided as Annex No. 9 to this Policy. 

  1. The training shall be performed at least annually (on a calendar year basis). It shall be based on the Company’s business activity and shall be updated as necessary to reflect any new developments in the laws and risks faced by the Company in accordance with the annual risk assessment.
  2. Employees’ training program shall ensure that all Company employees who face ML/TF prevention measures in dealing with their functions would be properly educated to identify the Client, notice Suspicious Operations or Transactions, perform an assessment of alerts received during the monitoring procedure, etc. 
  3. All new employees shall be trained for the prevention of ML/TF risks purposes prior to engaging in any Client-facing activity as part of the boarding and reimbursement process. The MLRO of the Company shall be responsible for ensuring training for new employees. The MLRO himself shall undergo annual AML/CTF training. 
  1. FINAL PROVISIONS

Annual audit

  1. The Company shall at least once per year perform an audit over AML / CTF measures and their implementation within the Company. The Senior Management is responsible for ensuring that the audit takes place while the MLRO is responsible for organizing the audit. 

Approval, review

  1. This Policy (and annexes thereof) shall enter into force from the day of their approval and may be abolished, amended, and/or supplemented only by a decision of the Board.
  2. Amendments and/or supplements to the Policy shall enter into force on the following day after its approval. 
  3. The MLRO shall periodically (at least once a year) or upon the occurrence of important events or changes (for instance, in case of changes in legal acts or in case of new risk relevant to the Company arises) revise the Policy and update it, if needed. A review of the Policy shall be also ensured in the following cases:
    1. When the European Commission publishes a supranational risk assessment (published on https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022DC0554);
    2. When the National Risk Assessment is published by FCIS (published on www.fntt.lt); 
    3. When the FCIS issues an order to the Company to make the internal controls stronger and stricter; 
    4. When important changes are made within the Company’s management and activity organization; 
    5. When audit results or other activity indicators dictate a need to change internal controls. 

Employee acquaintance 

  1. The MLRO is responsible for the acquaintance of the Company’s employees with the Policy (and annexes thereof) and its later versions, if any. Such acquaintance shall be made by providing the Company’s employees with the Policy (and annexes thereof) and after that by requiring each employee to confirm his / her acquaintance with the Policy (and annexes thereof) by signing in the table provided in Annex No. 5 of the Policy.

Assessment of knowledge and experience of the responsible personnel 

  1. The Company shall ensure that, prior to the appointment of the MLRO, CEO, Board members, Senior Officer, and other employees responsible for the AML/CTF framework within the Company, a thorough assessment of their competence, work experience, and qualifications is conducted. This assessment shall take into account their education, professional development, relevant work experience (including its duration and nature), and other criteria that may impact their suitability and qualifications. Such assessments shall be completed in writing before their appointment or hiring.

Requirements for Senior Management members and UBOs of the Company

  1. A person cannot be a member of Senior Management or Ultimate Beneficial Owner of the Company if at least one of the following criteria exist: 
    1. A person is found guilty of having committed a serious or very serious crime provided for in the Criminal Code of the Republic of Lithuania or a criminal act corresponding to any of these crimes according to the criminal laws of other states, regardless of whether the person's criminal record has disappeared or been annulled; 
    2. A person is found guilty of having committed a minor or aggravated crime against property, property rights and property interests, economy and business order, financial system, public service and public interests, public safety, or a criminal act corresponding to any of these crimes under the criminal laws of other countries, provided for in the Criminal Code and 5 years have not passed since the disappearance or annulment of the person's criminal record; 
    3. A person is found guilty of having committed a criminal act other than that specified in points 1 and 2 of this part, provided for in the Criminal Code or in the criminal laws of other states, and 3 years have not passed since the date of execution of the sentence, postponement of the execution of the sentence or release from the execution of the sentence.
  2. If the circumstances listed in above Clause 16.7 are determined, the Company must take measures to notify the FCIS accordingly and ensure the fulfillment of the requirement (e.g. to change manager, etc.).
  1. ANNEXES  
  1. The following is the list of documents which are an integral part of the Policy: 

Annex No 1 – Client Identification Procedure

Annex No 2 – Criteria for Identifying Suspicious Operations or Transactions

Annex No 3 – Relationship Monitoring Policy

Annex No 4 – The Forms of Logs

Annex No 5 – The Form of Employees’ Acquaintance with the Policy

Annex No 6 – Prohibited Countries List

Annex No 7 – Acceptable Evidence of Sources of Wealth and Sources of Funds

Annex No 8 – Template of the MLRO quarterly report

Annex No 9 – Training Log

Annex No. 1

to the Policy for the Implementation of the Prevention Measures on Money Laundering and Terrorist Financing of TRANS-FI UAB

CUSTOMER IDENTIFICATION PROCEDURE

  1. INTRODUCTION
  1. The Company is a B2B2C business and shall provide Services to Business. The end users can be both natural persons and legal entities. The Company provides services primarily to the business who are Customers-Clients, Merchants, and end users. Both the Merchants and the End Users receive Services and both these subjects are considered as Customers of the Company, who shall be identified accordingly.

Trans-Fi UAB’s current product suite is described below. All of these products are available as both a solution and as a single Application Programming Interface (“API”) and provide a dashboard or other solution for monitoring transactions and orders:

  • Payins: Enabling our Clients/their Merchants to collect payments in fiat currency (e.g. the US Dollar or Euro) or stablecoins from their counterparties (both businesses or individuals) by sending a payment link and settling in stablecoins or fiat, as desired, with ease from anywhere across the world. Stablecoins used in our products are reserve-backed crypto-assets pegged to a fiat currency, notably the EUR and USD stablecoins issued by Circle:  EURC and USDC. Within this product, the following MiCA services will be used: 
    1. Transfer services for crypto-assets on behalf of clients 
    2. Custody and administration of crypto-assets on behalf of clients 
    3. Exchange of crypto-assets for funds 

  • Payouts: Enabling our Clients/their Merchants to pay their employees, vendors, freelancers, and trade partners globally in fiat or stablecoins across the world by exchanging crypto-assets for fiat (stablecoin-to-fiat) or exchanging fiat for crypto-assets (fiat-to-stablecoin) or crypto-assets for crypto-assets (crypto-to-stablecoin). Within this product, the following MiCA services will be used: 
    1. Transfer services for crypto-assets on behalf of clients 
    2. Custody and administration of crypto-assets on behalf of clients 
    3. Exchange of crypto-assets for funds 
    4. Exchange of crypto-assets for other crypto-assets 

  • Ramp: Enabling our Clients to offer the exchange of fiat to crypto-assets (fiat-to-crypto “onramp”) and the exchange of crypto-assets to fiat (crypto-to-fiat “offramp”) to their Merchants and/or End Users. Within this product, the following MiCA services will be used: 
    1. Exchange of crypto-assets for funds 

  • Wallet issuance as a service (“WIaaS”): Enables our Clients to issue custodial wallets (using Circle as a provider) for themselves, their Merchants, or their End Users to pre-fund transactions for seamless payouts, or to collect payins from their counterparties, or to offer top-ups and refunds to the wallets & gaming accounts of their End Users, by offering the fiat-to-stablecoin and stablecoin-to-fiat transfers, and subsequent settlements with gaming Customers. TransFi will be enabling an “earn feature” on these wallets shortly, leveraging third-party providers, so that wallet owners earn returns (using staking). Within this product, the following MiCA services will be used: 
    1. Custody and administration of crypto-assets on behalf of clients 
  1. The Company applies remote Customer identification methods following requirements of Article 11(1)(4)(b) of Lithuanian AML Law.
  2. The Company shall ensure that identification is performed for the Customer in the following cases:
  1. Prior to establishing a Business Relationship with the Customer;
  2. When doubts about the Customer’s identification data and documents, collected earlier, occur;
  3. When there are doubts that ML / TF activity may take place;
  4. When there is a change in the transaction patterns of the Customer.
  1. In cases listed under Clause 1.3 above, the Company shall at least:
  1. Identify the Customer (its representative, UBOs, determine directors and ownership structure);
  2. Collect KYC / KYB data about the Customer;
  3. Check PEP status;
  4. Check international sanctions application status;
  5. Check adverse media status;
  6. Check if there are any circumstances requiring applying enhanced due diligence;
  7. Re-assess the information collected with data received from official sources.
  1. Collect information about the purpose and nature of the Business Relationship.
  2. Collect information about Customer’s sources and funds (for high-risk Customers);
  1. Receive MLRO’s approval (for high-risk Customers).

1.5 As described in Clause 1, all our Customers are subjected to KYC and KYB in the case of individuals and legal entities respectively.

1.6 Having such information, the Company shall assess it and, following the assessment, assign the Customer to the relevant risk group. All this shall be done before the Business Relationship is started.

  1. TYPES OF CUSTOMER DUE DILIGENCE 
    1. The Company shall recognize the following types of Customer’s risk: 
  1. Low;
  2. Medium;
  3. High;
  4. Unacceptable/Prohibited. 
  1. The Company applies two types of Customer due diligence:
    1. Standard Due Diligence (SDD), also known as Ordinary Due Diligence: SDD is applied where the Customer’s risk profile indicates low or medium risk and where, in accordance with the risk assessment of the Company, it has been identified that in such circumstances the risk of ML / TF is low or medium.
    2. Enhanced Due Diligence (EDD): EDD is applied for Customers that are flagged as high-risk Customers. EDD requires the application of additional Customer due diligence measures in comparison to SDD.

  1. In case of unacceptable/prohibited risk Customer – no due diligence can be applied as the applicant shall be rejected. 
  2. In order to determine to which risk group each Customer is exposed, the Company shall perform an individual risk assessment of each Customer before entering them into a Business Relationship.   
  3. SDD procedure is established in Section 4 (for individual Customers) and Section 5 (for Business Customers) of this Annex. 
  4. EDD procedure is established in Section 6 of this Annex. 
  5. The Company will have the below as prohibited Customer types:
  1. Known beneficiaries of corruption or illegal activities; 
  2. Shell companies/shell banks; 
  3. Unregulated casinos or unlicensed gambling companies; 
  4. Incomplete or failed KYB (Know your business); 
  5. Unlicensed money transmitters/payments/financial services companies; and 
  6. Customers with bearer shares in the ownership structure. 
  7. Marijuana/cannabis; 
  8. Guns, Arms and ammunition, and Military; 
  9. Precious metals; 
  10. Adult content or Pornography. 
  1. GENERAL REQUIREMENTS FOR THE REAL-TIME PHOTO (VIDEO) TRANSMISSION 
    1. Real-time photo (video) transmission is a method for Customer (natural person) or representative (legal entity) identification and identity verification.
    2. The following principles shall be applied and ensured during the remote Customer identification procedure via real-time photo (video) transmission:
      1. Only one person (Customer or its representative) can participate in the remote Customer identification process;
      2. The quality of the internet connection shall be sufficient, no interruptions should occur;
      3. The Company shall be entitled and have the technical possibility to provide the Customer with additional instructions if it is needed for identification;
      4. Quality of photos/video taken during the Customer’s identification procedure shall allow the Company to identify the person in the photos easily;
      5. The remote Customer identification process shall be carried out uninterruptedly and must be a part of a single Customer identification process;
      6. The screen used by the Customer shall be big enough to ensure that the Customer’s face is visible and identifiable throughout the session;
      7. All recordings and photos have to contain a mark with the Customer’s name, surname, personal code, and IP address (in the event the latter is applicable) and the date of recording;
      8. The Company shall use special programs, applications, or other means which shall ensure that the process of photo recording is continuous and the transmission of photos otherwise than in real-time would be impossible;
      9. Upon completion of actions referred to above, the Customer shall be informed that by providing data the Customer also confirms the authenticity of that data;
      10. Photos/video transmitted shall be of a quality allowing to read the information easily from the ID documents provided and to clearly see the features of the particular person and the person captured in the photo of the identity document.
    3. The Company shall ensure that its IT systems are capable and adapted to remote Customer identification as per the above requirements. 
    4. The Customer’s identification process shall be considered failed if any of the below occur:
      1. The Customer has deliberately submitted data that does not match the identification data of the ID document received from the official database or does not match information or data collected through other procedures;
      2. The session expires during verification, and the Customer does not initiate the identification process from the beginning;
      3. Image (video) of the ID document or the Customer is not clearly visible; 
      4. The Customer did not provide the required information and data;
      5. The Customer refuses to follow instructions to comply with the requirements set for framing the Customer’s face and ID document;
      6. The Customer uses the assistance of another person during verification without permission from the Company (permission might be issued only in exclusive cases);
      7. Circumstances arise that indicate suspected ML / TF. The Company shall immediately submit a notification of suspicion to FCIS;
      8. The Company received information that the Customer is subject to financial sanctions which shall be immediately notified to FCIS;
      9. The Customer has not completed any activities in the Customer identification module for more than 15 minutes in a row;
      10. The real-time photo (video) transmission is terminated or problems regarding the real-time photo (video) transmission arise;
      11. The quality of the real-time photo (video) transmission does not allow to clearly see the face of the Customer or Customer’s representative (if any) and (or) to establish the identity of the Customer or representative (if any) from the photo (video) of the face image in the identity document;
      12. The quality of the real-time photo (video) transmission is poor;
      13. The Customer’s identity document is being captured without adhering to the requirements laid down in this annex;
      14. The Customer does not perform the actions required for their identification appropriately and on time;
      15. It is established that the document provided by the Customer is impaired or fake, or there are other circumstances that raise doubts as to the authenticity of such an identity document (for example, a copy of the document is being shown). In such case, the identification process may be continued, and the information necessary to establish the identity of the Customer or the representative (if any) may be collected only with the purpose, having assessed the ML / TF threat, to immediately notify the FCIS as suspicious activity no later than within 3 business hours;
      16. It is established that the identity document provided by the Customer does not correspond to the requirements of information content applicable to such document;
      17. The Company has reasonable doubts that the Customer, the identity of which is being established, and the owner of the provided identity document, proving the Customer’s identity, are not the same person. This should be immediately reported to FCIS;
      18. If more than one person participates in the process of Customer identification;
      19. The Customer disagrees with remote Customer identification.
    5. Having assessed the ML / TF threat, the Company has the right to suspend or terminate the process of the identification due to any other reasons.
  2. IDENTIFICATION OF A CUSTOMER (NATURAL PERSON)
    1. The Customer (natural person) identification and ID document validity verification shall be performed following these steps:
      1. Registration: The Customer shall enter First name, Last name, Date of Birth, Email, the country of citizenship on the web page dedicated to onboarding;
      2. Identification: The Company applies remote identification – via real-time selfie and ID document photo (video) transmission. Namely:

In case of a photo transmission: 

  1. The Customer shall take a photo of his / her ID document. 

Only the following ID documents can be accepted for Customer due diligence purposes. The Company shall accept only those ID documents that are valid and only if there are no circumstances showing possible forgery of the ID document:

  • Passports,
  •  ID cards, 
  • Lithuanian Residence permits 
  • Any other acceptable ID allowed by regulation

The collected ID document shall contain the following information about the Customer:

  • Name(s);
  • Surname(s);
  • Personal code (for foreigners – date of birth or personal code or any other personal number);
  • Photo;
  • Signature (unless it is not required to be placed in the driver’s license based on the country’s requirements);
  • Citizenship (unless it is not required to be recorded in the driver’s license based on the country’s requirements).

If the collected ID document does not contain citizenship data, the Company must collect additional ID documents of the Customer containing citizenship data.

Taking a photo of the ID document shall proceed by holding the ID document up in front of the mobile phone/computer camera in the area specified on the screen in a manner that the image of the ID document fits into the frame displayed on the screen. 

If the Customer uses a passport, a photo must be taken of the page with the Customer’s facial image and the back of the image.

If the Customer uses an ID card, Lithuanian Residence Permit, or any other acceptable ID allowed by the regulation, a photo must first be taken of the front of the document and then of the back. 

The Customer shall click the relevant button for capture displayed on the screen and the device will capture a photo of the ID document. If the photo is not of the best resolution, the Customer shall be asked again to capture a picture. The Company shall use the photo with the best resolution. If the photo is suitable, the relevant message shall appear on the screen and the Customer shall click on the button which allows proceeding. If the photo is not suitable for identification purposes, the Customer shall be requested to take a new photo;

  1. After the ID document photo has been confirmed (it takes a few seconds), the Customer shall be re-directed to and shall take a Live selfie of himself/herself. When taking the photo, the Customer shall look straight into the camera, with the head visible and in the frame. The Customer shall remove any head or face covering and not wear glasses with dark or darkening lenses. The Customer’s facial expression shall be easily recognizable, there cannot be any shadows around the Customer’s eyes, and background lighting cannot disturb reading the Customer’s facial expression. The Customer shall click on the capture button displayed on the mobile phone/computer screen, and the device shall automatically take a live photo of the Customer. If the live photo is suitable, the Customer shall click the continue button; if the portrait photo is unsuitable, the Customer will be required to click on the try again button and take a new photo. Both photos shall be saved by the Company. The Company shall conduct a visual verification of the portrait photos taken by the Customer. The Customer’s live photo shall permit the Company to verify the person depicted in the portrait photo. After the live photo has been confirmed by the Customer, the Customer shall be directed to the module, where the Company will be able to collect additional information about the Customer.

NOTE: the order of capturing of Customer’s ID document and facial image may differ depending on the platform used (i.e. firstly the photo of the ID document may be taken and only then the facial image or otherwise).

The live selfie session should be uninterrupted and of good quality.

  1. Collection of additional KYC data: The Customer is required to provide a few additional details, including but not limited to the following:
  1. Nature and purpose of Business Relationship;
  2. Country of residence;
  3. Sources of funds (Annex No 7); only in case of EDD (Enhanced due diligence)
  4. When the Customer is KYC-ed, he is screened for adverse media, sanctions, and PEP status through an automated solution. If flagged for PEP, the Customer needs to confirm whether he is a PEP or not. In case of a PEP, he is subjected to EDD. In case of false hits, the Customer is required to share a declaration over email that he is not a PEP.
  1. Informing the Customer: After the Customer provides all the above-requested information, he/she is asked to confirm it and submit it. After the submission, the Customer is informed within some time (ranging from a few seconds to a few minutes) that the KYC is approved, rejected, or in manual review with Compliance. Based on the results of the manual review, the Compliance team clears the onboarding of the Customer no later than within 2 business days.
  2. Verification of data by the Company: All the data submitted by the Customer is assessed through an automated system and the KYC is approved, rejected, or goes in manual review with the Compliance team.
  • Application data (name, surname, personal code, citizenship of the Customer, application date, etc.);
  • Validity and authenticity of the ID document: whether the ID document is still valid (not expired), etc.

NOTE: data should be stored as evidence in the Customer’s file (with a clearly visible date when and based on what data the check was performed).

  • Proof of Address, data extraction, and data verification. For Proof of Address purposes, the Company shall request the Customer to provide a utility bill or rent agreement, rent registration extract, or employment agreement with a clear reference to the residence address, etc. 
  • Live photo of the Customer. The Company shall conduct an automatic check on the Customer’s portrait photo against the facial image contained in the ID document. This is done automatically using a service provider;
  • Customer’s device data (for instance, IP address, etc.);  
  • Identity verification – The company shall check whether the Customer’s live photo matches the facial image on the ID document photo in conjunction with algorithms. This is done automatically by the selected service provider;
  • ID document data. The Company shall check the following data of ID document in external official databases: surname, first name, personal identification code, sex, date and place of birth, ID document number, document date of issue and expiry, citizenship;
  • The Company shall also check the Customer’s background, including, but not limited to political exposure, possible application of financial sanctions, 
  • Verification of Customer data shall be made by searching reliable external databases, which allows checking whether the person is a PEP, whether financial sanctions are applied with respect to the Customer, etc. The Company in addition might also conduct research on official websites, like Google, etc.
  • In case of manual reviews, the Company shall review the results of the review and verification of the Customer’s data; 
  • The Company, based on risk segmentation criteria, shall decide whether the Customer may be accepted or not; 
  1. IDENTIFICATION OF A CUSTOMER- LEGAL ENTITY
    1. Real-time photo (video) transmission, as Customer’s identification method for the legal entity, shall be applied in the following manner: 
      1. The Customer is requested to provide information about the legal entity (potential Customer), including but not limited to the following:
  1. Legal entity’s details, including the following: full name, legal form, legal code, establishment country, registered and actual business address;
  2. Details of UBOs, including the following: full name, personal code (if not available – date of birth), citizenship, percentage of shares held in the legal entity of each Beneficial Owner, residing address;
  3. Details of Key Directors, including the following: full name, personal code (if not available – date of birth), citizenship;
  4. Nature and purpose of Business Relationship;
  5. Sources of funds of the legal entity, only in case of EDD (Enhanced due diligence);
  6. Whether the UBO Owner and/or a Representative is PEP;
  7. Expected amount (in EUR) of monthly and yearly operations and countries to which/ from which operations will be initiated/received.
  8. Whether the customer is a PEP

  1. The identity of Customer’s representative/UBO shall be established by applying all measures that are listed in clauses 4.1(i)-(ii) above in this Annex and that are applicable to the identification of a Customer – a natural person using real-time photo (video) transmission;
  2. After the representative of the legal entity (potential Customer) provides all the above-requested information, he/she is asked to confirm it and submit it. After this session is over, the Customer by automatic message is informed that his / her information will be assessed, and the Customer will be informed about the decision of the Company to onboard the Customer as soon as possible but in any case no later than within 2 business days. 
  3. After actions above are performed, the Company shall check the correctness and validity of the information provided by the representative of the Customer by performing actions indicated in clause 4.1(v) above.
  4. The Company shall collect documents about the Customer that confirm the existence of the Customer, as a legal entity, and other Customer’s KYC information provided by its representative in the course of a real-time photo transmission session. The Company shall collect such documents itself from public registries, available online.
  5. The Company shall collect at least the following official documents:
  1. Power of Attorney, if a representative of the Customer is not the UBO; 
  2. Memorandum of Associations or Articles of Association of the Customer;  
  3. Self-certified shareholders’ registry (not older than 6 months);
  4. A document that sets out how the prospective Customer is operated, governed, and owned and the extent of Authority/ powers key executives hold in the due diligence form (SDD form for low-risk customers and EDD form for high-risk customers)
  5. Proof of official address; 
  6. EIN / TIN number; 
  7. Additional documents that may be required considering the specifics of certain Customers and/or in case a need to apply enhanced due diligence is determined (e.g. financial statements or key agreements in order to ascertain sources of funds, etc.).
  1. All Customer’s UBOs are required to perform identification measures (the same as are applied for an individual Customer as per clause 4.1(ii) of this Annex).
  2. The Company, based on risk segmentation criteria, shall decide whether the Customer may be accepted or not; 
  3. The Company, after completing the Customer’s verification, shall make a decision to “approve” the Customer or “decline” the Customer. In both cases, the Customer should be informed about the final decision. The decision of the Company shall be made within 4 business days as of the moment when the Customer performs identification actions. 
  1. ENHANCED DUE DILIGENCE (EDD)
    1. EDD shall be conducted for the Customers who are:
      1. PEPs (incl. when the Customer himself, Customer’s representative, and/or director, and/or UBO are PEPs);
      2. Assigned to a high-risk category based on risk segmentation criteria established by the Company (see a separate internal document, Customer risk matrix);
      3. When the activity of the Customer hits established daily/monthly thresholds;

  1. Only for Customers that are legal entities – when the main activity of the Customer is in one of the following business areas:
  • Custodial crypto / digital assets services;
  • Other crypto / digital assets services (non-custodial);
  • Money services, payments, and other financial services;
  • Licensed Gambling services. 
  1. In situations described under clause 6.1 above, the Company shall:
  1. Perform all identification measures established for ordinary due diligence; and 
  2. Obtain written consent of the MLRO of the Company to enter into or continue Business Relationships with such Customers; and 
  3. Ask for additional documents from the Customer that would help to identify the source of the property and funds relating to the Business Relationship or a transaction, in accordance with Annex No. 7; and
  4. Ask for additional information regarding reasons for the transactions and Services; and
  5. Ask for additional information regarding expected volumes of transactions within the Company; and
  6. Ask for any additional information or documents that are indicated by the MLRO in his/her consent to enter into a Business Relationship with such a Customer (if any); and
  7. Perform enhanced ongoing monitoring of the Business Relationship with such Customers, inter alia by establishing more sensitive operations thresholds and monitoring rules; and
  8. In case when the Customer is subject to EDD due to the fact that its business area is the one as per the list under clause 6.1 (iv) – in addition to the above EDD measures, the Company shall collect and assess:
  • Customer’s AML Policy; 
  • Relevant license
  • Financial statement or source of funds 
  • any other document that may be necessary to further assess.
  • This may also include other details like the below if needed: the customer’s latest ML and TF risks assessment (EWRA); the customer’s latest audit report, covering ML and TF risks;
  • Details about the main person responsible for AML / CTF matters within the Customer (e.g. Customer’s MLRO, etc.);

(ix)  In case the Customer is established in countries like Bulgaria, Cameroon, Croatia, Kenya, Nigeria, Philippines, South Africa, Tanzania, Uganda, United Arab Emirates and Vietnam: these are countries that are not subject to enhanced due diligence but are subject to differential scrutiny. They are treated in this manner because:

  • Bulgaria and Croatia are part of the European Union
  • The remaining jurisdictions are fast growing developing economies and house many global financial institutions such as HSBC, Standard Chartered, Wells Fargo and Citibank. 

All users in these jurisdictions are subject to robust checks including sanctions & adverse media screening, ID verification, liveness test, PEP screening, transaction monitoring, browser & behaviour checks, email risks related checks, social media profiling, name matching and crypto monitoring.  EDD (Enhanced due diligence) checks will be triggered in the event of:

  • Regulated business activities
  • Transaction thresholds being exceeded
  • Suspicious events;
  • High risk customers.

In addition to the above, transaction limits post KYC and KYB in these jurisdictions are lower than those for TransFi users from non-high risk countries.

(x) In case the Customer is established in countries like Barbados, Burkina Faso, Gibraltar, Jamaica, Monaco, Mozambique, Namibia, Panama, Senegal and Trinidad and Tobago, we ask for additional information, if required 

  • To apply increased timelines for transaction monitoring; 
  • To apply increased number of internal control measures;
  • To assess and decide on types of transactions which require more deep internal investigation and performing such investigations;

  1. The Company shall not provide Services to Customers from Lithuania state sanction list,  European Union Sanctions Lists, United Nations Sanctions lists (UN), United Nations Security Council resolution 1373 (2001) Sanctions List, Office of Foreign Assets Control (OFAC) (as described in Annex No 6 of the Policy).


  1. Annex No. 2

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

  1. CRITERIA FOR IDENTIFYING SUSPICIOUS OPERATIONS OR TRANSACTIONS

  1. Suspicious operations or transaction criteria are established by FCIS Resolution No V-240. The list constantly changes and the MLRO’s duty is to check such changes and implement them in the activity of the Company. 
  2. The below reflects some criteria from the mentioned FCIS Resolution. However, the MLRO must consider additional relevant criteria to the Company and adapt the below list accordingly. 
  3. The Company does not engage in cash-related services. Therefore, cash-related criteria are not listed below. 
  4. The criteria for recognizing Suspicious Operations or Transactions related to the behavior of the Customer are as follows: 
  1. At the time of entering into a Business Relationship or during the Business Relationship, the Customer is reluctant to provide information necessary to identify the Customer, providing documents that raise doubts as to their genuineness, authenticity, etc.
  2. It is difficult to obtain from the Customer information or documents necessary for the monitoring of the Business Relationship: it is difficult to contact the Customer; their place of residence/registration as well as contact details often change; nobody answers the phone or the phone number provided by the Customer is always disconnected; the Customer fails to respond when addressed via e-mail.
  3. The Customer is unable to answer questions regarding ongoing/planned financial activity and the nature thereof, cannot provide relevant documents, and is excessively nervous.
  4. The Customer cannot explain the sources of funds used for the transactions. 
  5. The Customer connects to the Customer’s custodian virtual currency wallet, using services of the TOR network and the IP address is constantly different.
  6. The Customer does not have sufficient knowledge about virtual currency, and cannot explain why certain transactions are performed (although the activity of the Customer in virtual asset transactions is high).
  7. Several companies are registered at the address of the Customer.
  8. The same person is the manager of several unconnected companies. 
  1. The criteria for recognizing Suspicious Operations or Transactions related to operations or transactions carried out by the Customer are as follows:
    1. The operations or transactions of the Customer are not in line with the types of activities indicated by the Customer during the Customer’s identification process or reflected in the publicly available information. 
    2. The nature of the operations or transactions that are being conducted by the Customer raises a suspicion that the Customer is seeking to avoid entering the operations and transactions into the registration logs maintained by the Company.
    3. The Customer carries out a transaction (transactions) which is (are) beyond the Customer’s possibilities known to the Company.
    4. The Customer or the owner of the Property requests to pay the amount belonging to them to persons who are clearly unrelated to the Customer’s normal activity.
    5. The Customer is continuously engaged in transactions in property where the value is clearly not in line with the average market value.
    6. The Customer carries out operations or concludes transactions without any apparent economic justification.
    7. The age, current position, and financial status of the Client are objectively not in line with the activity conducted by this Customer (e.g. the Customer’s income is small compared to the scope of his / her activity in relation to Services).
    8. The Customer uses mixer/tumbler services. 
    9. The Customer executes operations in the dark net using virtual currency addresses that are connected to illegal activity.
    10. Virtual currency exchange to fiat currency (and vice versa) is not consistent with the Customer profile, or previous activity.
    11. The performance of virtual currency-related transactions is connected to IP addresses that are related to the countries where ML / TF activity is high. 
    12. Loss-making exchange of virtual currency into fiat currency.
    13. The Customer’s operations may potentially be related to fraud.
  2. The criteria for recognizing Suspicious Operations or Transactions related to the geographical aspect of the operations or transactions carried out by the Customer are as follows:

  1. Operations or transactions are carried out with natural and legal persons located in sanctioned jurisdictions as stated in Annex 6 of the policy.

  1. The Customer permanently resides in a country that is not a member of the FATF or does not have observer status with the FATF and is not a member of the international organization combating the ML/TF, whereas the economic justification of the operations or transactions carried out by the Client is unclear.

  1. The Client's operations with virtual currency are initiated from Internet Protocol (IP) addresses located in sanctioned countries as stated in Annex 6 of the policy.
  1. The criteria for recognizing Suspicious Operations or Transactions related to the possible corrupt activities of the Client are as follows:
    1. An individual participating in politics, their close associate, or family member receives an unusually high compensation that does not align with market value for participation in seminars, conferences, or as a consultant on projects.

  1. Operations are conducted for an individual participating in politics, their close associate, or family member from a foreign country with a corruption perception index (CPI) score below 50.

  1. A legal entity conducting business in a foreign country with a CPI score below 50 performs business-related financial operations of excessive value for individuals under consultancy, legal, or similar service agreements.

  1. International financial operations are conducted for an individual participating in politics, their close associate, or family member without a clear economic basis.

  1. A physical or legal entity grants a loan to an individual participating in politics, their close associate, or family member under unusually favorable conditions (no repayment term specified, favorable repayment conditions, low interest rates, etc.) or without a contract or other documentation.

  1. A physical or legal entity pays for travel and accommodation services for an individual participating in politics both in Lithuania and abroad if such payments are not typical for the financial activities of the paying entities.

  1. An individual participating in politics transfers funds to countries where they do not conduct professional activities.

  1. Funds are transferred to targeted territories when the transaction is related to government contracts.

  1. The beneficiary, founder, authorized person, or otherwise related person of a preferential tax company is an individual participating in politics in Lithuania or abroad, their close associate, or family member.
  1. In the assessment of the alleged connection of the property with the TF, the following aspects must be taken into consideration: 
    1. Funds shall mean any type of intangible virtual currency or tangible fiat currency
    2. The funds may be of either legal or illegal origin – it is important that it is being collected, accumulated, or provided for purposes of the TF.

  1. Both direct and indirect collection, accumulation, or provision of the property (funds) shall be treated as the TF activity.

  1. Collection, accumulation, or provision of the property (funds) shall be regarded as an intentional deliberate activity where it is seeking or knowing that this property (funds) or only a part thereof will be aimed at the TF, i.e. mere perception of a person that the property might be aimed at the TF is sufficient, even if he/she does not have an intentional pursuit thereof.

  1. TF includes collection, accumulation, provision of the property (funds) for committing particular terrorist crimes (e.g. to perform a terrorist attack), training of terrorists (e.g. inciting crimes of terrorism, recruiting, training terrorists, creating terrorist groups, etc.), and also supporting individual or several terrorists or terrorist groups even if this property will not be aimed at committing particular terrorist crimes (e.g. for the rent of premises, material support, healthcare, relief, etc.). It is not necessary to establish a connection between the collected, accumulated, the provided property (funds) with a particular terrorist crime. 
  1. Final Provisions
    1. The above-listed criteria shall not be assessed as exhaustive and the Company shall take into consideration other criteria that may be implicating suspicion with respect to operations and transactions of the Client, including but not limited to criteria established by FCIS. 

  1. The above-listed criteria indicating Suspicious Operations or Transactions should be assessed in each case separately and should not be applied in a formal way, i.e. the Company should always assess whether concrete criteria (even though listed above) could be justified or not in a concrete case and to consider it as suspicious only if any circumstance that could justify it cannot be found.  


  1. Annex No. 3

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB  

  1. RELATIONSHIP MONITORING POLICY

  1. INTRODUCTION
  1. All transactions conducted by the Customer shall be constantly monitored by the Company. 
  2. The Company shall perform and ensure instant and retrospective monitoring. 
  3. Monitoring shall cover:
    1. Transactions;
    2. Wallet; 
    3. Customer-individual;
    4. Customer-legal entity;
  4. Monitoring procedures will be performed both manually and by using automatic means. Regardless of the method selected by the Company, the Company shall ensure that the selected method allows to properly monitor all transactions and to identify Suspicious Operations or Transactions in due time. 
  5. The purpose of monitoring is to ensure proper and timely identification of unusual transactions, patterns, and activity as well as to ensure the relevance of the information of the Client, its representative (if any), and the relevance of the assigned risk level to the Client. It also involves the monitoring of Client profiles (both Individuals and Businesses) to determine whether they are exposed to any adverse media or sanctions hits. 
  6. The monitoring shall be performed by assessing the factual transactions made by each Customer, information received by the Company during the Customer’s identification procedure as well as other information received/collected by the Company, if any.
  1. CUSTOMER’S FILE
    1. Monitoring procedures shall cover the assessment of information about the Customer. All information about a particular Customer shall be kept in the Customer’s file.
    2. The Customer’s file shall consist, as a minimum, of the following documents:
  1. Proof of Customer’s identification and collection of relevant information about the Customer (i.e. sources of funds in case of EDD, the purpose of Business Relationship, services intended to be used by the Customer, etc.);
  2. Proof of verification of the identity of the Customer, the Customer’s representative (if any), Beneficial Owners (if any) in public and independent sources of data;
  3. Proof of verification of the political exposure of the Customer, the Customer’s representative, and Beneficial Owners (if applicable) in public and independent sources of data;
  4. A description of the Customer's risk profile;
  5. A description of the Customer’s assignment to a risk group;
  6. Information about the Services provided to the Customer;
  7. Information about cases when the Customer made Suspicious Operations or Transactions;
  8. PEP and sanctions check data and evidence;
  9. In the case of high-risk Customers – approval for entering/continuing Business Relationships alongside issued by the Company’s MLRO;
  10. Corporate documents of the Customer;
  11. Other documents and information indicated in this Policy and/or that the Company considers as important for the Client’s file. 

  1. The Customer’s file shall be stored in an electronic form.

  1. Information obtained in the process of identifying the Client and Client’s representative (if any) shall be continuously documented and shall be kept in written or electronic form.
  1. MONITORING OF BUSINESS RELATIONSHIP / OPERATIONS 
    1. The Company shall exercise an ongoing monitoring of operations and ongoing monitoring of the Business Relationship of the Customer, including:

  1. Investigation of transactions to make sure that transactions that are being carried out are in line with information available to the Company about the Customer, his / her / its activities (types and nature of activities, nature of transactions, business partners, and so on), risk nature, and knowledge about the source of funds in case of EDD;
  2. Principles of assigning the Customer to the relevant risk group, establishing the procedures of collecting and storing information about the operations performed by the higher-risk Clients.

  1. During the monitoring, particular emphasis shall be placed on the following:
  1. Operations that, by virtue of their nature, may be related to ML / TF, and complicated and unusually large transactions; 
  2. Any unusual transaction structures that do not have an evident economic or visible legal goal;
  3. Every ML / TF threat that may arise due to the usage of products of any nature, other results of usage of the services provided, or transactions being carried out, when efforts are made to conceal the identity of the Customer or Customer’s representative (if any) (leaning towards anonymity), as well as due to Business Relationship or transactions with the Customer who was not identified being present in person, and, where applicable, shall immediately take measures in order to prevent the property from being used for ML / TF purposes;
  4. Operations when efforts are made to conceal the identity of the Customer or Customer’s representative (if any), as well as the Business Relationship or transactions with the Customer whose identity was not established with being him/her/its representative in person;
  5. Whether the Customer is not included on the general list of persons or groups of persons or companies and institutions that are subject to financial sanctions by the EU, UN, OFAC;

  1. If the monitoring of the Business Relationship indicates that the Business Relationship entails a higher risk, then the Company shall assign a particular Customer to the higher-risk group (if he/she/it was not assigned to a high-risk group before).

  1. The Company shall document the results of the investigation in writing (electronically or in paper form).
  1. ENHANCED MONITORING OF BUSINESS RELATIONSHIP
    1. In the course of the enhanced monitoring of Business Relationships, the Company shall maintain a risk matrix that monitors the operations by keeping transaction thresholds at different KYC levels. 
  2. FINAL PROVISIONS
    1. The MLRO of the Company shall prepare and present to the Senior Management a monitoring summary in his quarterly report (Annex No. 8 to the Policy), which would include the main findings that were identified during the relevant quarter. Such a summary should include information about transactions that were identified as suspicious and submitted to the FCIS. 

  1. The monitoring of Business Relationships shall be exercised on a regular basis, keeping information on measures applied in the process of monitoring and information collected in the process of taking such actions, keeping information on the purpose and nature of Business Relationships, and making reviews and updates of such information on a regular basis.


  1. Annex No. 4

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

  1. FORM OF LOGS

/Attached as a separate Excel file/

  1. Annex No. 5

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

  1. THE FORM OF EMPLOYEES’ ACQUAINTANCE WITH THE POLICY

Employees of the Company who sign the below table confirm that they are acquainted with the Policy of the Implementation of Prevention Measures on Money Laundering and Terrorist Financing of the Company (including annexes thereof). 

In case the Policy (and annexes thereof) are amended, employees of the Company shall be properly acquainted with the amendments. Employees shall confirm their acquaintance with all amendments by providing information indicated in the table below and by signing it each time.

No | Name and surname of employee | Employee’s position | Date of acquaintance | Employee’s signature
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
  1. Annex No. 6

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

  1. PROHIBITED COUNTRIES LIST ALONG WITH HIGH RISK COUNTRY LISTS WITH TREATMENT

All below countries are considered as prohibited by the Company: 

  1. Prohibited by the Company;
  2. Sanctioned countries by EU and UNO
  3. Sanctioned countries by OFAC except for Hong Kong.

Prohibited by the Company: Abkhazia, Angola, Bosnia and Herzegovina, Burundi, China, Croatia, Guinea-Bissau, Kosovo, Macedonia (North), Mali, Montenegro, Nagorno-Karabakh, Nicaragua, Northern Cyprus, Sahrawi Arab Democratic Republic, Serbia, Slovenia, Somaliland, South Ossetia

Countries prohibited for transactions by TransFi include the following: (Sanctioned countries by EU and UNO, including TransFi)

Country / Region | Sanction / Restriction
Abkhazia | Prohibited by TransFi
Afghanistan | EU consolidated sanctions; OFAC
Angola | Prohibited by TransFi
Balkans | OFAC
Belarus | EU consolidated sanctions; OFAC
Bosnia & Herzegovina | EU consolidated sanctions
Bosnia and Herzegovina | Prohibited by TransFi; EU consolidated sanctions
Burundi | Prohibited by TransFi; EU consolidated sanctions
Central African Republic | EU consolidated sanctions; OFAC
Congo | OFAC
Cuba | OFAC
Democratic People’s Republic of North Korea | EU consolidated sanctions
Democratic Republic of the Congo | EU consolidated sanctions
Donetsk, Crimea and Luhansk | OFAC
Eritrea | OFAC
Ethiopia | OFAC
Guatemala | EU consolidated sanctions
Guinea | EU consolidated sanctions
Guinea-Bissau | Prohibited by TransFi; EU consolidated sanctions
Haiti | OFAC
Iran | EU consolidated sanctions; OFAC
Iraq | EU consolidated sanctions; OFAC
Kosovo | Prohibited by TransFi
Lebanon | EU consolidated sanctions; OFAC
Liberia | OFAC
Libya | EU consolidated sanctions; OFAC
Macedonia (North) | Prohibited by TransFi; EU consolidated sanctions
Mali | Prohibited by TransFi; EU consolidated sanctions
Moldova | EU consolidated sanctions
Montenegro | Prohibited by TransFi; EU consolidated sanctions
Myanmar (Burma) | OFAC; EU consolidated sanctions
Nagorno-Karabakh | Prohibited by TransFi; EU consolidated sanctions
Nicaragua | Prohibited by TransFi; EU consolidated sanctions
Niger | EU consolidated sanctions
North Korea | OFAC
Northern Cyprus | Prohibited by TransFi
Russia | EU consolidated sanctions; OFAC
Sahrawi Arab Democratic Republic | Prohibited by TransFi
Serbia | EU consolidated sanctions
Slovenia | Prohibited by TransFi
Somalia | OFAC
Somaliland | Prohibited by TransFi
South Ossetia | Prohibited by TransFi
South Sudan | EU consolidated sanctions; OFAC
Sudan | EU consolidated sanctions; OFAC
Syria | EU consolidated sanctions; OFAC
Tunisia | EU consolidated sanctions
Türkiye | EU consolidated sanctions
Ukraine | EU consolidated sanctions
Venezuela | OFAC
Vanuatu | Prohibited by TransFi
Yemen | EU consolidated sanctions; OFAC
Zimbabwe | EU consolidated sanctions; OFAC

TransFi identifies high-risk jurisdictions based on the following lists:

  • The Financial Action Task Force (FATF)
  • EU High Risk Countries

EU and FATF high-risk countries:

EU high-risk countries: Afghanistan, Barbados, Burkina Faso, Cameroon, Democratic Republic of the Congo, Gibraltar, Haiti, Jamaica, Mali, Mozambique, Myanmar, Nigeria, Panama, Philippines, Senegal, South Africa, South Sudan, Syria, Tanzania, Trinidad and Tobago, Uganda, United Arab Emirates, Vanuatu, Vietnam, Yemen

FATF high-risk countries (both grey-listed and black-listed): Bulgaria, Burkina Faso, Cameroon, Croatia, Democratic Republic of the Congo, Democratic People’s Republic of North Korea (FATF Blacklist), Haiti, Iran (FATF Blacklist), Kenya, Mali, Monaco, Mozambique, Myanmar (FATF Blacklist), Namibia, Nigeria, Philippines, Senegal, South Africa, South Sudan, Syria, Tanzania, Venezuela, Vietnam, Yemen

The identified countries, excluding those already prohibited as above, are:

Country | Risk Category
Barbados | EU High Risk
Bulgaria | FATF grey list
Burkina Faso | EU High Risk; FATF grey list
Cameroon | EU High Risk; FATF grey list
Croatia | FATF grey list
Gibraltar | EU High Risk
Jamaica | EU High Risk
Kenya | FATF grey list
Monaco | FATF grey list
Mozambique | EU High Risk; FATF grey list
Namibia | FATF grey list
Nigeria | EU High Risk; FATF grey list
Panama | EU High Risk; FATF grey list
Philippines | EU High Risk; FATF grey list
Senegal | EU High Risk; FATF grey list
South Africa | EU High Risk; FATF grey list
Tanzania | EU High Risk
Trinidad and Tobago | EU High Risk
Uganda | EU High Risk
United Arab Emirates | EU High Risk
Vietnam | EU High Risk; FATF grey list

Amongst the list of high risk countries, any customers from the countries listed below are subject to enhanced due diligence before onboarding.

Country | Risk Category
Barbados | EU High Risk
Burkina Faso | EU High Risk; FATF grey list
Gibraltar | EU High Risk
Jamaica | EU High Risk
Monaco | FATF grey list
Mozambique | EU High Risk; FATF grey list
Namibia | FATF grey list
Panama | EU High Risk
Senegal | EU High Risk; FATF grey list
Trinidad and Tobago | EU High Risk

The enhanced due diligence process requires the below process:
Individual: The Customer is required to share proof of address and source of funds which gets reviewed by the team and the customer is approved for further transactions if there are no suspicious flags.

Legal Entity: The customer is required to share source of funds, relevant license, AML policy (attached as Annex 3.4.2) and any other document which is deemed to be required for further investigation. It is reviewed by the team and the customer is approved for further transactions if there are no suspicious flags.

The following countries are an exception from the Enhanced due diligence requirement where we do not do EDD but apply differential scrutiny.

Country | Risk Category
Bulgaria | FATF grey list
Cameroon | EU High Risk; FATF grey list
Croatia | FATF grey list
Kenya | FATF grey list
Nigeria | EU High Risk; FATF grey list
Philippines | EU High Risk; FATF grey list
South Africa | EU High Risk; FATF grey list
Tanzania | EU High Risk
Uganda | EU High Risk
United Arab Emirates | EU High Risk
Vietnam | EU High Risk; FATF grey list

These countries, which are not subject to enhanced due diligence but are subject to differential scrutiny, are treated in this manner because:

  • Bulgaria and Croatia are part of the European Union
  • The remaining jurisdictions are fast growing developing economies and house many global financial institutions such as HSBC, Standard Chartered, Wells Fargo and Citibank. 

All users in these jurisdictions are subject to robust checks including sanctions & adverse media screening, ID verification, liveness test, PEP screening, transaction monitoring, browser & behaviour checks, email risks related checks, social media profiling, name matching and crypto monitoring. EDD (Enhanced due diligence) checks will be triggered in the event of:

  • Regulated business activities
  • Transaction thresholds being exceeded
  • Suspicious events;
  • High risk customers.

In addition to the above, transaction limits post KYC and KYB limits in these jurisdictions are lower than those for TransFi users from non-high risk countries.

  1. Annex No. 7

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

  1. ACCEPTABLE EVIDENCE OF SOURCES OF WEALTH AND SOURCES OF FUNDS
Type of funds | Details required | Documentary Evidence required (original or fully certified copy)
1. Income - savings from salary (basic and/or bonus) - if self-employed or company share owner refer to 4 below | All of the following: Salary per annum; Employer’s name; Address of business; Nature of business | One of the following: Payslip (or bonus payment) from the last three months; Letter from employer confirming salary on letter-headed paper; Bank statement clearly showing receipt of most recent regular salary payments from named employer
2. Sale of investment/liquidation of investment portfolio | All of the following: Description of shares/units/deposits; Name of seller; How long-held; Sale Amount; Date funds received | One of the following: Investment/savings certificates, contract notes, or surrender statements; Bank statements clearly showing receipt of funds and investment company name; A signed letter detailing funds from a regulated accountant on letter-headed paper
3. Sale of Property | All of the following: Sold property address; Date of Sale; Total sale amount | One of the following: Letter from a licensed solicitor or regulated accountant stating property address, date of sale, proceeds received, and name of purchaser; Copy of Sale contract
4. Company Sale | All of the following: Name and nature of the company; Date of Sale; Total sale amount; Client’s share | Letter detailing company sale signed by a licensed solicitor or regulated accountant on letter-headed paper; Copy of contract of sale, plus bank statement showing proceeds, copies of media coverage (if applicable) supporting evidence
5. Inheritance | All of the following: Name of deceased; Date of death; Relationship to Client; Date received; Total amount; Solicitor’s details | One of the following: Grant of probate (with a copy of the will); Copy of will; Letter from lawyer or trustee confirming value of the estate
6. Company profits | All of the following: Name and address of the company; Nature of the Company; Amount of annual profit | One of the following: Copy of the latest audited company accounts; Confirmation of business activity and turnover in a letter from a regulated accountant
7. Retirement income | All of the following: Retirement date; Details of previous occupation/profession; Name and address of the employer; Details of pension income source | One of the following: Pension statement; Letter from a regulated accountant; Bank statement showing receipt of latest pension income and name of provider; Savings account statement
8. Fixed Deposits/Savings | All of the following: Name and institution where savings account is held; Date the account was established; Details of how the savings were acquired | All of the following: Savings statement; Evidence of account start (letter from account provider); Additional evidential information can be requested regarding origin of savings held
9. Dividend payments | All of the following: Date of receipt of dividend; Total amount received; Name of company paying dividend; Length of time shares have been held in the company | One of the following: Dividend contract note; Bank statement showing dividend funds received; Letter from a regulated accountant on letter-headed paper; Set of company accounts showing dividend details
10. Gift | All of the following: Date and amount of gift; Details of person making the gift – ID and occupation details for PEP/Sanctions screening; Reason for gift and nature of relationship | Letter from donor confirming gift; If PEP, documented evidence of donor’s source of wealth as per this table
11. Loan | All of the following: Name of loan provider; Date and amount of loan | One of the following: Copy of the Loan Agreement; Details of any security; Copy of loan statements
12. Lottery/Gambling Win | All of the following: Name of source; Details of Windfall | One of the following: Evidence from the lottery company; Cheque winnings receipt
13. Compensation Payout | Details of events leading to the claim | One of the following: Letter or court order from compensating body; Solicitor’s letter
14. Life Insurance / General Insurance Payout | All of the following: Amount Received; Policy Provider; Policy Number/reference; Date of payout | One of the following: Payout statement; Letter from insurance provider confirming payout
15. Crypto transactions | Transaction hash and amount details | Details of the blockchain explorer showing the transaction hash confirming the funds

  1. Annex No. 8

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

  1. TEMPLATE OF THE MLRO QUARTERLY REPORT

MLRO REPORT FOR [Q1 2025]

Creation date: [Day-Month-Year]
Created by: MLRO
Reviewed by, date: Board, [Day-Month-Year]
Approved by, date: Board, [Day-Month-Year]
Confidentiality level: Confidential
Frequency: Quarterly
Reporting Quarter: Q1 2025

TRANS-FI UAB (the “Company”) is committed to conducting business operations in a transparent, open manner, consistent with its regulatory obligations. As per the Company’s Policy for the Implementation of the Prevention Measures on Money Laundering and Terrorist Financing (the AML Policy), the aim of this report is to review the AML/CTF program and inform the Company’s Board of the situation and standing of AML / CTF program as well as update on changes and key indicators that are relevant for the reporting quarter. 

  1. SUMMARY OF KEY LEGISLATIVE CHANGES 

The following key legislative changes took place during the Reporting Quarter: [Provide a list with a brief summary. If none – add “None”].

  1. TYPE OF CRYPTOCURRENCY SERVICED 

The following cryptocurrency is being serviced by the Company: [INSERT].

[Describe differences: newly involved cryptocurrency, expected to be included soon, etc.]

  1. NUMBER OF CLIENTS

The following reflects the Company’s Clients’ number and risk scores relevant for the Reporting Quarter:

Client | Total number (+ onboarded during the Reporting Quarter): High risk | Total number: Medium risk | Total number: Low risk | Onboarded during the Reporting Quarter: High risk | Onboarded: Medium risk | Onboarded: Low risk
Natural persons | […] | […] | […] | […] | […] | […]
Legal entities | […] | […] | […] | […] | […] | […]
Total | […] | […] | […] | […] | […] | […]
TOTAL | […]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. big high-risk customers increase, etc.]

  1. CLIENTS’ GEOGRAPHIES

The following reflects the geographies of the Clients (for natural persons – citizenships) relevant for the Reporting Quarter: 

Geography | Risk group of the country | Number of Clients: Natural persons | Number of Clients: Legal entities
Lithuania | […] | [number] | [number]
[…] | […] | [number] | [number]
[…] | […] | [number] | [number]
[…] | […] | [number] | [number]
[…] | […] | [number] | [number]
[…] | […] | [number] | [number]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. high increase of Clients from relevant jurisdiction, etc.]

  1. TERMINATED BUSINESS RELATIONSHIP 

The following reflects the number of terminated business relationships with the Client during the Reporting Quarter:

Client type Total number of business relationship terminations during the Reporting Quarter How many terminations related to AML / CTF basis
[…] […]
Natural person [number] [number] [number]
Legal entity [number] [number] [number]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. termination due to the same occurring reason, etc.]

  1. TOTAL NUMBER OF PEPS 

The following reflects the number of PEPs identified in the Clients’ base during the Reporting Quarter:  [number of PEPs], which forms a [percentage]% of the overall Clients’ base equal to [number]. 

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. high and unexpected increase of PEPs, etc.]

  1. INFORMATION ON INTERNATIONAL SANCTIONS 

The following reflects the number of international sanctions alerts generated during the Reporting Quarter:

Client type | Number of international sanctions alerts generated | From them – FALSE POSITIVE | From them – TRUE POSITIVE
Natural persons | [number] | [number] | [number]
Legal entity | [number] | [number] | [number]

In case of true positive, describe actions that were taken: [FREE TEXT; IF NO SUCH CASES – ADD N/A]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. it was determined that the relevant sanction rule was generating too many false positive Policies and was suspended/eliminated.]

  1. TOTAL NUMBER OF INTERNAL INVESTIGATIONS AND SARS

The following is data reflecting the number of Suspicious Activity Reports (“SARs”) submitted to the FCIS during the Reporting Quarter: 

Client type | Number of SARs | Number of internal investigations
Natural person | [number] | [number]
Legal entity | [number] | [number]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. enormous increase of SARs and determined reasons for this, etc.]

  1. TRAINING 

The following is data about training held for employees of the Company during the Reporting Quarter:

Date of the training | Title of the training | Organizer/Speaker | Names of participants
[date] | [title] | [title] | [full list]
[date] | [title] | [title] | [full list]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. scheduled training, conferences, etc.]

  1. REPORTING TO AUTHORITIES

The following is information about requests/reports submitted to the relevant regulator during the Reporting Quarter (note: this covers not only submission of the mandatory reports but also all communication with the relevant authority which was initiated on behalf of the institution itself or the Company):

Date of response/report | Regulator to which the report was submitted | Type of the report/request (description) | Area of the report | Who is responsible for the Company | Current status
[date] | [FCIS, etc.] | [Report on …] | [AML / CTF Compliance] | [MLRO] | [Covered; Response]
[date] | […] | […] | [Etc.] | […] | [From the regulator pending; in the process of preparing the response, etc.]

NOTE: [FREE TEXT – comments may be added in case some factors are seen]

  1. MONITORING AND INVESTIGATION 

Total number of monitoring alerts generated during the Reporting Period: [number] 

Total number of monitoring alerts that are currently being assessed by the Company: [number]

The average term of alert handling: [days]

Other important information: [FREE TEXT FORM]

  1. MAJOR INTERNAL PROCEDURE CHANGES 

The following internal procedures were updated, prepared, or are in a review/preparation stage during the Reporting Period:

Title of the internal procedure | Status of the internal procedure | Type of changes/updates | Description of main changes | Responsible person | Expected finalization date
[AML Policy] | [Existing procedure] | [Update of the existing procedure] | [Additional provisions added regarding sanctions screening, reporting to FCIS on sanctions] | MLRO | [date]
[Sanctions Policy] | [Newly prepared] | [Preparation of a new procedure] | […] | […] | […]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. internal audit is pending which may indicate additional changes]

  1. MAJOR SYSTEM CHANGES 

The following systems were installed, updated, and reviewed during the Reporting Period:

Title of the system | Status of the system | Description of main changes | Responsible person | Expected finalization date
[LexisNexis database] | [New system to be integrated] | [Lexis Nexis solution was bought for sanctions and PEP screening] | MLRO | [Expected launch date – [date]]
[…] | […] | [Currently integrated] | […] | […]

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. internal audit is pending which may indicate additional changes]

  1. AML / CTF STAFF

During the Reporting Quarter, the Company had in total [number] of employees working in AML / CTF and international sanctions area, from them:

  1. [number] – responsible for monitoring;
  2. [number] – responsible for FCIS reporting;
  3. [number] – reporting for Client identification;
  4. [number] – [FREE TEXT].  

NOTE: [FREE TEXT – comments may be added in case some factors are seen, e.g. new positions to be employed in the upcoming quarter, etc.]

  1. OTHER INFORMATION 

[FREE TEXT – to add descriptions about other relevant information/cases for the Reporting Quarter. For instance, when an internal audit will be launched/finalized; when EWRA will be performed/launched/finalized; maybe there will be any other changes in organizational structure, etc.]

[FREE TEXT – to add descriptions about identified shortcomings in AML / CTF and international sanctions area which, in the opinion of the MLRO, should be addressed to the Senior Management and should be rectified]

  1. ACTIONS OF THE MLRO FOR THE UPCOMING QUARTER

Considering the information provided in this Quarterly Report, the MLRO will ensure the following actions during the next quarter:

  1. [Ensure that XXX internal procedures are finalized and approved by the Board]. 
  2. [Finalize EWRA and submit to the Board]
  3. […]
  4. […]
  5. […]

Name Surname

MLRO     Signature


  1. Annex No. 9

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

  1. TRAINING LOG TEMPLATE
No | Training date | Training topic | Organizer of the training | Type of the training (online, conference, private, public, etc.) | Participants from the Company (position, name, surname) | Certificate issued? (Yes / No) | Reference to the source, if any (e.g. link to the YouTube channel where the training video is placed) | Other relevant information (if any)
1
2
3
4
5
6
7