TRANSFI GROUP
GLOBAL PRIVACY POLICY

Last Updated: October 2024

CONTACT US
If you have any questions about this Privacy Policy, You can contact us:
By email: compliance@transfi.com

1. What is the objective of TransFi’s Privacy Policy?

“TransFi” refers to Trans-Fi Inc. and its affiliates and subsidiaries worldwide, including Trans-Fi UAB and NEOMONEY INC. (collectively “TransFi Group”, “TransFi”, “we”, “us” or “our”). 

TransFi may share your personal data with its other entities (subsidiaries and affiliates) and use it in accordance with this Privacy Policy.

The objective of TransFi’s (all subsidiaries and affiliates) privacy policy (the “Privacy Policy”) is to commit to protecting your privacy. Please read this carefully as this policy is legally binding when you choose to use our Services. For the purpose of the relevant data protection regulations, TransFi may act as either the “data controller”, “data processor” or both of your information.

This Privacy Policy describes how we collect, use, handle and, under certain conditions, disclose your personal data, when you access our Services, which include our content on the Website located at www.transfi.com or any other websites, pages, features, or content we own or operate, including the TransFi payments transaction platform (collectively, the “Website(s)”), or any TransFi widget, application programming interface (“API”) or third party applications relying on such an API, products (Payouts, Collections and Ramp) and related services (referred to collectively hereinafter as “Services”).

This Privacy Policy also explains the steps we have taken to secure your personal information. Finally, this Privacy Policy explains your options regarding the collection, use and disclosure of your personal information. By visiting the Website, you accept the practices described in this Privacy Policy for the Website. If you do not acknowledge and accept this Privacy Policy, you may not use the Services.  

If you have any questions about this policy, please send them to compliance@transfi.com.

2. What personal information do we collect from you?

Personal information means any data which relates to a living individual who can be identified from that data, or from that data and other information, which is in the possession of, or is likely to come into the possession of, TransFi (or its representatives or service providers). In addition to information, it includes any expression of opinion about an individual and any indication of the intentions of TransFi or any other person in respect of an individual. The definition of personal information depends on the relevant law applicable for your physical location. The data TransFi may collect and use about you is described below in sections 2.1-2.3 of this Privacy Policy. 

TransFi obtains information about you from various sources. “You” may be an individual or legal entity entering into a business services agreement with TransFi and/or setting up a user account with TransFi and using the Services provided or through our Website or API (“User”), a legal entity/business identified under anti money laundering (“AML”) or counter terrorist financing (“CTF”) identification requirements as per local regulations, verified by TransFi, that uses our Services to collect payments, make payouts, or facilitate cross-border transfers (“Client”), a legal entity that has a contractual relationship with a TransFi Client and may be subject to AML/CTF identification requirements, verified either by TransFi or the Client (“Merchant”), a legal entity that is a client of a Merchant and may be subject to AML/CTF identification requirements, verified either by TransFi or the Merchant (“Sub-Merchant”), or individuals or legal entities that are the end users of Merchants who interact with the Services provided (“End User”). You may also be a recipient/beneficiary of one of our Services, or a visitor to our Website or other service that links to our API and Services. If You are a Merchant, a Sub-Merchant, or End User, your use of the Services will be governed by the applicable agreement between TransFi and the relevant Client.

2.1 Information you provide to us

This includes information you provide to us in order to establish an account and access our Services. This information is either required by law (e.g. to verify your identity), necessary to provide the requested Services (e.g. you will need to provide your bank account number if you would like to link that account to TransFi), or is relevant for our legitimate interests described in greater detail below.

The nature of the Services you are using or interacting with will determine the kind of personal information we might ask for, but may include:

• Personal Identification Information: full name, date of birth, age, nationality/citizenship, country of residence, government-issued ID details (including ID number, ID type, issuance and expiry dates), social security number, tax ID number, account credentials, geolocation, unique device details, network information or internet protocol address, wallet address,  gender, signature, utility bills, photographs, phone number, home address, email and/or any other information deemed necessary to comply with our legal obligations under applicable law and regulations;
• Official Identity Documents: government-issued identity document such as a passport, visa or national identity card, state ID card, driver’s licence,  and/or any other information deemed necessary to comply with our legal obligations under applicable law and regulations;
• Financial Information: bank account information, payment card information, tax identification number (“TIN”), transaction history, trading data. For transaction details, we store order details, the User’s bank account number, bank account name, and card information, including the cardholder’s name, card number, CVV, and expiration date. As we are Payment Card Industry Data Security Standard (“PCI DSS”) certified, we are able to securely store this information to meet our compliance obligations and ensure data security. While we do not store your TransFi User account login credentials, we securely handle and store card details in compliance with PCI DSS standards. Payment card information may also be processed through our system during transactions via secure third-party service providers. 
• Transaction Information: information about the transactions you undertake in connection with our Services, such as the name of the recipient, your name, the amount and/or timestamp, purpose of transaction, jurisdiction of transaction; 
• Verification Information: to verify your identify, including information for fraud checks and other information you provide, including images of yourself and a liveliness check;
• Employment Information: Office location, job title, and/or description of role; or
• Correspondence: Survey responses, information provided to our support team or User research team.

If you are a company, we may request information such as your employer Identification number (or comparable number issued by a government), proof of legal formation (e.g. Articles of Incorporation) and personal identification information for all material beneficial owners for Know Your Business (“KYB”) purposes.

If you do not provide us with the information below, we may not be able to provide the Services to you, or your use of the Services may be restricted. 

In addition to the information you provide to us in connection with your use of the Services, you may also choose to submit information to us via other channels, including in connection with an actual or potential business relationship with TransFi.

2.2 Information we collect automatically or generate about you

This includes information we collect automatically, such as whenever you interact with our Website or use our Services. With regard to your use of our Services we may automatically collect the following information:

• Details of the transactions you carry out when using our Services, including geographic location from which the transaction originates;
• Technical information, including the Internet protocol (“IP”) address used to connect your computer to the Internet, your login information, browser name, type and version, time zone setting, browser plug-in types and versions, operating system, geolocation/tracking details and platform, device details;
• Information about your visit, including the authentication data, security questions, full Uniform Resource Locators (“URL”) clickstream to, through and from our Website or mobile application (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any email used to contact us.
• Cookies and other Technology. Like many websites, our Website employs cookies, location-based Services and web beacons (also known as clear GIF technology or “action tags”) to speed your navigation of our Website, recognize you and your access privileges, and track your usage. Please read our Cookie Policy for more information.

2.3 Information collected from third parties

We may receive information about you if you visit or use our Website or use our Services. This includes information we may obtain about you from third-party sources. The main types of third parties we receive your personal information from are:

• Public databases, ID verification partners in order to verify your identity in accordance with applicable law. ID verification partners use a combination of government records and publicly available information about you to verify your identity. Such information may include your name, address, job role, public employment profile, status on any sanction’s lists maintained by public authorities, and other relevant data;
• Blockchain data to ensure parties using our Services are not engaged in illegal or prohibited activity, sanctioned jurisdiction, dark net, child abuse, etc. and to analyze transaction trends for research and development purposes by screening wallet address for the source of funds;
• Marketing partners & resellers so that we can better understand which of our Services may be of interest to you;
• The banks/financial service providers you use to transfer money to us will provide us with your basic personal information, such as your name and address, as well as your financial information such as your bank account details;
• Business partners may provide us with your name and address, as well as financial information, such as card payment information; and
• Advertising networks, analytics providers and search information providers may provide us with pseudonymised information about you, such as confirming how you found our Website.

3. How do we use your personal information?

We may use your information in the following ways and for the following purposes:

(a) Internal Use: We use your personal information to provide you with our Services. We may  use your personal information to improve our Website’s content and layout, and improve our marketing efforts. . Additionally, we use your information to ensure the safety, security, and integrity of our Services by protecting against fraudulent, unauthorised, or illegal activity; monitoring identity and service access; and addressing security risks. .

(b) Communications with You: According to your preferences and in compliance with applicable law, we may send you marketing communications to inform you about events, to deliver targeted marketing and to share promotional offers. This may involve sending you communications via emails or mobile application notifications about our Services, features, promotions, surveys, news, updates, and events, managing your participation in promotions and events, delivering targeted marketing, and determining general information about visitors’ usage behaviour on the Website. Our marketing will be conducted in accordance with your advertising and marketing preferences and as permitted by applicable law. We require certain information, such as your identification, contact, and payment details, to provide and maintain our Services. If you are a new User or Client, we will contact you by electronic means for marketing purposes only if you have consented to such communication. If you do not want us to send you marketing communications, please go to your account settings to opt out or submit a request via compliance@transfi.com.

We may send you service updates regarding administrative or account-related information, security issues, or other transaction-related information. These communications are important to share developments relating to your account that may affect how you can use our Services. You cannot opt out of receiving critical service communications.

We also process your personal information when you contact us to resolve any questions, disputes, collect fees, or to troubleshoot problems. Without processing your personal information for such purposes, we cannot respond to your requests and ensure your uninterrupted use of the Services.

(c) Legal and Regulatory Compliance:  TransFi is required to process your personal information in compliance with AML/CTF, and security laws, which may include the collection, use, and storage of your information in certain ways. For example, we must identify and verify customers using our Services, including collecting photo identification and using third-party service providers to compare your personal information against databases and public records. When you seek to link a bank account to your TransFi account, we may request additional information to verify your identity or address and manage risk, as required by applicable law. Additionally, we may disclose personal information in response to requests from law enforcement, subpoenas, court orders, or as otherwise required by law, and where necessary to protect our legal rights, enforce agreements, or prevent fraud and abuse of our Services. This includes efforts to mitigate account compromise or loss of funds, investigate complaints, claims and/or disputes, and comply with regulatory or legal requests/inquiries.

(d) External Use: We disclose information to our service providers to help enable them to perform Services on your behalf. For example, to facilitate the purchase and custody of digital assets, we share certain information with third parties, such as your name, email address, physical address, social security number, date of birth, government-issued identification and the amount of digital assets being purchased.Further, the types of data we collect and share with third parties are described above in the information you provide to us, which includes your date of birth, country of residence, first name, last name, ID number, ID type, ID issue date, and ID expiry date, your bank account number, bank account name, and card information, including the name on the card, card number, CVV, and expiration date.

We may share non-personal information (such as the number of daily visitors to our Website or the size of an order placed on a certain date) with third parties. This information does not directly personally identify you or any User. For the avoidance of doubt, any IP addresses or a device or other identifier we collect may be shared with one or more third parties.

(e) Our Legitimate Business Interests: Sometimes the processing of your personal information is necessary for our legitimate business interests, such as:

• quality control and staff training;
• to enhance security, monitor and verify identity or service access, and to combat spam or other malware or security risks;
• research and development purposes;
• to enhance your experience of our Services and Website; 
• to facilitate corporate acquisitions, mergers, or transactions;

to conduct internal operations needed to deliver our Services, including troubleshooting software bugs and operational issues.

4. What personal information do we  disclose to third parties?

We allow your personal information to be accessed only by those who require access to perform their work and share it only with third parties who have a legitimate purpose for accessing it. TransFi will never sell or rent your personal information to third parties without your explicit consent. We will only share your personal information with selected third parties including:

• Identity verification services to prevent fraud. This allows TransFi to confirm your identity by comparing the information you provide us to public records and other third-party databases;
• Financial institutions which we partner with to process payments you have authorised;
• Affiliates, business partners, suppliers and sub-contractors for the performance and execution of any contract we enter into with them or you;
• Analytics and search engine providers that assist us in the improvement and optimisation of our Website;
• Companies or other third parties in connection with business transfers or bankruptcy proceedings;
• Companies or other entities that purchase TransFi assets;
• Law enforcement, regulators, or any other third parties when we are compelled to do so by applicable law or if we have a good faith belief that such use is reasonably necessary, including to protect the rights, property, or safety of TransFi, TransFi customers, third party, or the public; comply with legal obligations or requests; enforce our terms and other agreements; or detect or otherwise address security, fraud, or technical issues; and
• If you authorise one or more third-party applications to access our Services, then the information you have provided to TransFi may be shared with those third parties. A connection you authorise or enable between your TransFi account and a non-TransFi account, payment instrument, or platform is considered an “account connection.” Unless you provide further permissions, TransFi will not authorise these third parties to use this information for any purpose other than to facilitate your transactions using our Services. Please note that third parties you interact with, should have their own privacy policies and TransFi is not responsible for their operations or their use of data they collect.

Examples of account connections include:

• Merchants: If you use your TransFi account to conduct a transaction with a third-party merchant, the merchant may provide data about you and your transaction to us.
• Your financial services providers: For example, if you send us funds from your bank account, your bank will provide us with identifying information in addition to information about your account in order to complete the transaction.

You acknowledge and agree that TransFi may continue to use and disclose your personal data for a reasonable period following the termination of the relationship between you and TransFi for one or more of the following purposes: 

• to enable TransFi to fulfil its outstanding obligations to you under any agreement, if applicable; 
• to allow TransFi to enforce its rights under any agreement, if applicable; 
• for any purposes to which you have provided your written consent; 
• as required under applicable law; and as mandated by an order from a court of competent jurisdiction.

5. Links to other sites

Our Website may contain links to other websites for your convenience or information. These websites are operated by entities unaffiliated with TransFi, and we do not control, endorse, or take responsibility for their content or privacy practices. Each linked website may have its own terms of use and privacy policies, which may differ from ours. We encourage you to review these policies whenever you visit third-party websites, as TransFi is not responsible for the practices or policies of these external sites.

6. How do we protect and store personal information?

TransFi implements and maintains reasonable measures to protect your personal information. Your files are protected with safeguards according to the sensitivity of the relevant information. Reasonable controls (such as restricted access) are placed on our computer systems.

TransFi is an international business with operations in multiple countries. This means we may transfer to locations outside of your country. When we transfer your personal information to another country, we will ensure that any transfer of your personal information is compliant with applicable data protection law.

We may store and process all or part of your personal and transactional information, including certain payment information, such as your encrypted bank account and/or routing numbers. We protect your personal information by maintaining physical, electronic, and procedural safeguards in compliance with the applicable laws and regulations.

As a condition of employment, TransFi’s employees are required to follow all applicable laws and regulations, including in relation to data protection law. Access to sensitive personal information is limited to those employees who need it to perform their roles. Unauthorized use or disclosure of confidential customer information by a TransFi employee is prohibited and may result in disciplinary measures.

Finally, we rely on third-party service providers for the physical security of some of our computer hardware. We require those third-party service providers to comply with commercially reasonable security practices and measures. For example, when you visit our Website, you access servers that are kept in a secure environment. While we take industry-standard precautions to safeguard your personal information and secure your account, no system can be completely secure. As such, you assume the risk of potential breaches and their consequences. To protect your account, please safeguard your credentials, choose a complex password when registering, enable advanced security features like two-factor authentication, and never share your account credentials with third parties.

If we anonymize your personal information so that it can no longer be associated with you, it will no longer be considered personal information, and we can use it without further notice to you.

We do not knowingly request to collect personal information from any person under the age of 18. If a User submitting personal information is suspected of being younger than 18 years of age, TransFi will require the User to close his or her account and will not allow the User to continue using our Services. We will also take steps to delete the information as soon as possible. 

 We retain personal information as long as reasonably necessary to fulfil its intended purposes and meet our contractual and legal obligations. Email addresses and phone numbers are stored until the User uses the TransFi Services, and data is retained for five years once the User unsubscribes or removes themselves. Information will be deleted or de-identified when no longer needed, unless longer retention is required by law. TransFi retains certain information under AML/CTF regulations and holds data for a period of five years. If we cannot fully delete or de-identify information, we will take reasonable measures to prevent further processing.

7. Do we do any profiling and automated decision making?

We may use some instances of your data in order to customise our Services and the information we provide to you, and to address your needs - such as your country of address and transaction history. For example, if you frequently send funds from one particular currency to another, we may use this information to inform you of new product updates or features that may be useful for you. When we do this, we take all necessary measures to ensure that your privacy and security are protected - and we only use pseudonymised data wherever possible. This activity has no legal effect on you.  

8. What are your privacy and information access rights?

Depending on applicable law of where you reside, you may be able to assert certain rights related to your personal information. These rights include:

• the right to obtain information regarding the processing of your personal information and access to the personal information which we hold about you;
• the right to withdraw your consent to the processing of your personal information at any time. Please note, however, that we may still be entitled to process your personal information if we have another legitimate reason for doing so (for example, we may need to retain personal information to comply with a legal obligation);
• in some circumstances, the right to receive some personal information in a structured, commonly-used and machine-readable format and/or request that we transmit that data to a third party where this is technically feasible. Please note that this right only applies to personal information which you have provided directly to TransFi;
• the right to request that we rectify your personal information if it is inaccurate or incomplete;
• the right to request that we erase your personal information in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal information, but we are legally entitled to retain it;
• the right to object to, or request that we restrict, our processing of your personal information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal information but we are legally entitled to refuse that request;
• the right to lodge a complaint with the relevant data protection regulator if you think that any of your rights have been infringed by us; and
• the right to transfer your personal data between data controllers, for example, to move your account details from one online platform to another.

Our Services may, from time to time, contain links to and from the websites of our partners, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility for them. Please check these policies before you submit any personal data to these websites. Further information about your rights may be obtained by contacting the supervisory data protection authority located in your jurisdiction.

Subject to applicable laws, you may have the right to access information we hold about you. Your right of access can be exercised in accordance with the relevant data protection legislation.

9. How often is the Privacy Policy updated?

We may update this Privacy Policy from time to time and without prior notice to you to reflect changes in our information practices, and any such amendments shall apply to information already collected and to be collected. Your continued use of our Website or any of our Services after any changes to this Privacy Policy indicates your agreement with the terms of the revised Privacy Policy. 

Please review this Privacy Policy periodically and especially before you provide personal data to us. If we make material changes to this Privacy Policy, we will notify you here, by email or by means of a notice on the home page of our Website. The date of the last update of the Privacy Policy is indicated at the top of this document.

10. How can you contact us regarding any privacy questions?

If you have any questions about this Privacy Policy, please contact us at compliance@transfi.com or send physical mail to the relevant entity below:

Trans-Fi UAB

Lvivo str. 21A, Vilnius LT-09313, Lithuania

NEOMONEY INC. 

325 Front Street West 2nd floor 

Toronto, ON M5V2Y1

Canada

TransFi AML KYC Policy

Last updated: April 2025

‍

1. INTRODUCTION 
   
   1. The purpose of this Policy is to define the ML / TF prevention measures and the enforcement thereof in the process of the Company’s operations.
   2. The Company shall carry out its business aiming to ensure effective prevention of ML / TF as required by the Law and other applicable legal requirements and good practice. Taking this into account, all employees of the Company shall adhere to the procedure and requirements for the implementation of the ML / TF prevention measures as outlined herein.
   3. Managing ML/TF risks shall be an integral part of the Company’s overall risk management system. Considering the scope and nature of its business, the Company shall implement ML / TF risk identification, assessment, and management procedures, as well as effective tools to mitigate such risks.
   4. In managing its ML / TF risks, the Company shall at all times ensure compliance with the requirements outlined in the present Policy to the maximum extent possible. 
   5. In case the Company performs certain functions related to the ML/TF field (for instance, Customer identification, and monitoring) through third parties, the Company shall ensure that such third parties also comply with requirements established under the Policy and the Law. 
2. RISK APPETITE STATEMENT

1. The Company has zero tolerance for financial crime, regulatory breaches, and any attempt to circumvent the Company’s financial crime policies and controls. However, being engaged in the provision of Services, the Company cannot completely avoid ML / TF risks, and aiming to minimize them to the lowest extent possible, the Company applies relevant control measures which are described in this Policy and which are technically ensured in real activities. 
2. While engaging in provision of Services, the Company adheres to the following core principles (list not exhaustive):
   
   1. To show zero tolerance for the facilitation of financial crime, money laundering, financing of terrorism, and fraud;
   2. To avoid knowingly conducting business with individuals or entities believed to be engaged in inappropriate and unlawful behavior;
   3. To avoid risks that could jeopardize the Company’s strategic plans, including activities that could make the Company vulnerable to any type of public or private litigation or enforcement that could be damaging to the Company’s reputation and cause deterioration of relationship with regulators;
   4. To avoid or seize any activity/service towards which the Company’s management believes that the Company’s control mechanisms cannot protect the Company from risks that exceed the tolerance threshold;
   5. To regularly perform enterprise-wide risk assessment aiming to identify changes within the Customers’, products’, geographics’ and distribution channels’ base and verify whether existing control measures are sufficient to make the residual risk low;
   6. The Company aims to have strong and sufficient control measures mitigating ML / TF risks so that the residual risk would always be low; etc.;
3. Company managers at all levels are particularly responsible for evaluating their risk environment, implementing appropriate controls, and monitoring the effectiveness of those controls. The risk management culture emphasizes careful analysis and management of risk in all business processes.

3. CRYPTOCURRENCIES ACCEPTED. DEALING WITH ANONYMITY 
   
   1. The Company services the following cryptocurrencies: USDC, EUROC, SOL, TON, and BNB. In time, the Company may start servicing other cryptocurrencies as well. 
   2. The Company does not provide any Services involving cryptocurrencies that prioritize anonymity. The Company will apply a wallet screening function, both in deposit and withdrawal cases,  which will allow identification of risky wallets and any exposure to tainted funds in the wallet (e.g. related to sanctioned jurisdictions, dark market, child abuse tumblers, mixers, etc.).
   3. The Company will not accept transactions or send transactions involving self-hosted addresses. 
   4. This means that the Company will not process any transactions that cannot be traced back to a specific individual or entity.
4. ACCEPTABLE CLIENTS’ SEGMENT 
   
   1. The Company shall offer and provide Services for both individual and corporate Clients. 
   2. In the case of individuals, any user over 18 years of age is an acceptable Client (below 18 years – not accepted). The upper age limit is 60 years of age for Europe and 70 years of age for other countries we work in (older natural persons are not accepted).
   3. In the case of legal entities, we engage with trusted Customers who are identified and verified thoroughly through the KYB process where we not only verify the documents but also do a thorough internet profiling to know about any online footprint. Additionally, the business relationship is established after several rounds of conversations, which establishes trust. 
5. SERVICE PROVIDERS AND TOOLS
   
   1. The Company leverages certain third-party tools for our Compliance framework:
      
      1. KYC / KYB verification (identity verification) – SumSub (www.sumsub.com);
      2. Crypto transaction monitoring – Chainalysis (https://app.chainalysis.com/); 
      3. Wallet monitoring – Chainalysis (https://app.chainalysis.com/);
      4. Sanctions screening – SumSub (www.sumsub.com);
      5. Internet profiling – With Accend (withaccend.com);
      6. Email risks check – At data (https://instantdata.atdata.com/);
      7. Device and behavior biometrics – Sardine (www.sardine.ai)
6. RESPONSIBLE PERSONS
   
   1. The following bodies and officers are involved in the AML / CTF implementation functions within the Company:
      
      1. the Board;
      2. Responsible AML Board member;
      3. MLRO (2^nd line officer);
      4. CEO (to a certain extent);
      5. Compliance Officer ( 2nd line officer).
   2. The Board shall have the following responsibilities in the AML / CTF area:
      
      1. Approve the AML / CTF Policy and other Policy level documents;
      2. Review quarterly compliance reports submitted by the MLRO. Provide feedback and recommendations; 
      3. Reviewing, giving comments, and approving annual Enterprise-Wide Risk Assessment and its methodology;
      4. Overview the entire AML / CTF framework, decide on the provision of the required budget for AML / CTF measures implementation;
      5. Hear out the Responsible AML Board member and the MLRO, when necessary;
      6. Discuss AML / CTF matters during the Board meetings (based on the prepared agenda), decide on the required actions and measures;
      7. Perform other duties and functions assigned to the Board by this Policy as well as other internal documents of the Company and laws.
   3. The Responsible AML Board member shall have the following responsibilities in the AML / CTF area:
      
      1. Supervise activities of the MLRO, advise and/or give assistance when required by the MLRO; 
      2. Organize the implementation of the AML / CTF framework within the Company. This involved being the first point (with the MLRO) in addressing and highlighting the main AML / CTF aspects that require improvement, change, etc. Such highlighting should be made to the Senior Management; 
      3. If requested by the MLRO, review quarterly compliance reports prepared by the MLRO (prior to the review of the Board as a body);
      4. Perform other duties and functions assigned to the Responsible AML Board member by this Policy as well as other internal documents of the Company and laws.
   4. The MLRO shall have the following responsibilities in the AML / CTF area:
      
      1. Implementing the AML / CTF framework within the Company;
      2. Ensuring timely and proper communication with and timely reporting to FCIS; 
      3. Reporting every quarter to the Senior Management of the Company regarding the Company’s activity data, including the number of Customers onboarded by the Company during the relevant quarter, profiles of such Customers (i.e. how many natural persons and how many legal entities were onboarded during the relevant quarter, from what jurisdictions they are, to which risk groups they were assigned, number of Customers with whom Business Relationship was terminated, etc.). Template of such Quarterly Report is provided as Annex No. 8 to this Policy;
      4. Approving/rejecting high-risk customers; 
      5. Organizing and ensuring ongoing Company employee education in the ML/TF area, including organization of training for employees related to identifying suspicious activity, understanding customer identification, and record-keeping requirements;
      6. Ensuring that all employees working with the Customers and their onboarding, risk assessment, monitoring, etc. are familiarized with this Policy and annexes thereof, and all related Company’s internal documentation;
      7. Ensuring the proper implementation of Know Your Customer requirements in the Company’s activities, including proper assessment of Customer’s identification documents, collection of their copies, record keeping, etc.; 
      8. Ensuring implementation of transaction monitoring procedures;
      9. Ensuring that the Policy and annexes thereof are revised and updated (if needed) regularly (at least once per year);
      10. Ensuring that the Company keeps and maintains all the required records and logs; 
      11. Ensuring that ML/TF prevention measures applied by the Company are properly integrated in the Company’s internal control system; 
      12. Be responsible for writing, updating, and maintaining the Company’s procedures and other documents related to ML/TF prevention area;  
      13. Preparing the annual Enterprise-Wide Risk Assessment and presenting it to the Senior Management; 
      14. Perform other duties and functions assigned to the MLRO by this Policy as well as other internal documents of the Company and laws.
   5. The CEO’s responsibilities shall include, but shall not be limited, to:
      
      1. Ensuring that the Company’s UBOs data are provided to the JANGIS (Centre of Register of Lithuania) in time;
      2. Getting familiar with all documents, reports, and information submitted by the MLRO and/or the Board of Directors; 
      3. Approving the Procedure, Rules, Methodology, and Description level documents (the Board shall also have a right to approve such level documents);
      4. Implement Board of Directors decisions to the extent requiring the CEO’s involvement; 
      5. Perform other duties and functions assigned to the CEO by this Policy as well as other internal documents of the Company and laws.
   6. The Compliance Officer shall have the following responsibilities in the AML / CTF area:
      
      1. Ensure that the risk of non-compliance with Applicable Laws is properly managed, that ongoing monitoring of non-compliance risk is performed, non-compliance risks are identified and assessed and measures of managing such risks are planned and implemented;
      2. Identify the need for changes in the regulation of the Company’s activities, identify regulation gaps, including gaps arising from amendments to Applicable Laws, inform the Management Bodies of these gaps and required changes, draft compliance-related documentation, and participate in the development of internal rules and procedures of the Company related to the compliance risks;
      3. Prepare, on the basis of elements provided in Annex no. 1 to this Policy, an annual Compliance Monitoring Programme and implement supervision of compliance based on this programme;
      4. Oversee compliance monitoring activities across the Company, ensure that identified gaps are corrected, implement relevant recommendations, and provide updates to the Management Bodies. Analyze proposed amendments to legal acts, inform the Management Bodies and employees of upcoming requirements, and ensure the Company is prepared for these changes;
      5. Organize and direct investigations in situations where non-compliance with Applicable Laws is suspected, examine all cases of non-compliance, determine the level of risk in each case, and implement urgent measures to ensure compliance in the future;
      6. Participate in the decision-making process to ensure compliance requirements are met, provide advice on risks related to new services, and substantial changes in existing services, and offer input on legal requirements related to business decisions, license updates, or renewals;
      7. Set compliance principles, rules, and procedures, monitor the efficiency of risk management measures related to compliance with Applicable Laws, and make proposals for the regulation of the Company’s compliance processes;
      8. Provide information and assist in organizing training for employees on compliance-related areas and changes in compliance-related Applicable Laws, participate in the process of conducting compliance training for new employees, and inform the team leads of Functions about changes in legal provisions on a regular or ad hoc basis. The team leads of structural units must pass the information to their subordinates;
      9. Inform the Management Bodies of any breaches of Applicable Laws, prepare and submit reports on their activities, record situations where deviations from the Compliance Officer’s recommendations are observed, and take part in the meeting of the Management Bodies at which the compliance risk assessment reports and/or the reports on the implementation of compliance function are considered;
      10. Liaise with the Supervisory Body, Financial Crime Investigation Service of the Republic of Lithuania (FCIS), perform the function of a contact person or coordinate the relationships with them, and provide information to the Supervisory Body and other competent institutions about incidents and other significant circumstances, take part in the investigations, checks, inspections, and other actions taken by supervisory authorities to the extent not covered by the Money Laundering Reporting Officer;
      11. Receive information about important customers’ complaints, take part in the complaints handling process, where required, and supervise complaints’ handling process in case of need;
      12. Undertake any other duties as assigned by the Board or derived from internal documentation.
   7. Rights, functions, responsibilities, duties, etc. of the above-listed bodies and officers, as well as other positions formed within the Company, may be established in other internal documents as well. The above lists shall be read as initial (general) ones.
7. Customer IDENTIFICATION The Company’s Customers are legal entities and natural persons.
   
   1. The Company performs Customers’ identification procedures remotely. Physical identification measures are not applied by the Company.
   2. Detailed instructions on Customer identification procedures and applicable requirements are established under Annex No. 1 to this Policy.
8. RISK ASSESSMENT 

Risk groups 

1. To assess the ML/TF risks, the Company shall deploy a risk-based approach.
2. The Company recognizes the following types of risks relevant to its activities:

1. According to the nature:
   
   1. Customer risk;
   2. Country / geographical area risk;
   3. Product/services risk; 
   4. Delivery channel risk.
2. According to the risk level:
   
   1. Low;
   2. Medium;
   3. High.
   4. Unacceptable

Individual risk assessment

3. The Company shall perform an individual risk assessment of each Customer:

1. Before entering into the Business Relationship with the Customer; or

Client

2. In case the Company becomes aware of certain circumstances indicating the possible change in Customer’s risk group;
3. In case of concerns regarding the correctness of previously collected Customer’s KYB / KYC data or when there are concerns that possible ML / TF activity may be taking place. 

4. Each Customer of the Company shall always be assigned to the relevant risk group. The Company must maintain a tool for Customer risk segmentation which allows, after assessing relevant individual circumstances of the Customer, to assign the Customer to a relevant risk group as listed under Section 8.2 above.

5. The Company shall at least once a year perform Enterprise-Wide Risk Assessment of all risks relevant to its activities (Clause 8.2(i) of this Policy). The purpose of such assessment is to establish the risk level to which the Company is exposed to be able to assess how relevant risk criteria and risk levels evolved over time and to decide whether identified changes require putting in place additional measures or to re-consider set risk tolerance levels. 
6. Enterprise-Wide Risk Assessment shall be performed in a written format. The MLRO is responsible for the performance of the Enterprise-Wide Risk Assessment which shall be prepared and submitted to the Senior Management of the Company. The Enterprise-Wide Risk Assessment shall be performed by the MLRO of the Company following the risk assessment methodology to be approved by the Board.

9. MONITORING OF BUSINESS RELATIONSHIP 

1. The Company shall carry out ongoing monitoring of the Business Relationship and wallets. This includes transaction monitoring and keeping the underlying Customer’s information up to date.
2. The Company shall ensure and apply both the instant and retrospective monitoring procedures. The difference between them is that:

1. Instant monitoring – following criteria and scenarios set by the Company, the system „catches” potentially suspicious transactions or operations and does not release them until the MLRO or other authorized compliance employee looks into it and ascertains that the transaction/operation is not suspicious and may be released. Such an assessment shall be started by the MLRO or other authorized compliance employee within 1 (one) business day as of the day when the alert is generated. The alert assessment time should be reasonable, and the MLRO or other authorized compliance employee should take appropriate and timely measures to ascertain whether the transaction/operation is suspicious or not. If the Customer is requested to provide additional information needed for the assessment, the overall alert assessment term may be extended, however, in such a case the Customer needs to be informed that the Customer’s transaction/operation will not be executed until the Customer provides sufficient information. The term shall not be extended for more than 4 days in total (except for very specific situations when there is a reasonable ground to extend the term more). If the Customer fails to provide requested information and/or if the assessment shows that the transaction or operation is suspicious, the MLRO of the Company shall submit a Suspicious Operation Report to FCIS as specified under Section 13 of this Policy. 

‍

2. Retrospective monitoring – there are two types of retrospective monitoring to be applied by the Company:

‍

1. Following criteria and scenarios set by the Company, the system „catches” activities that are not standard for the particular Customer, but which are executed and not blocked on a real-time basis. Such „caught” transactions or operations shall be assessed by MLRO or other authorized compliance employee no later than within 30 calendar days period from the moment the relevant transaction or operation was flagged in the retrospective monitoring system. If the assessment shows that the transaction or operation is suspicious, the MLRO of the Company shall submit a Report to FCIS;
2. On a regular basis but not less frequently than once per half a year the MLRO may decide to check historical transactions of a relevant type of Customer which would serve as a secondary measure in addition to the main retrospective monitoring procedure described in item (a) above. The aim of such additional checks is to ascertain that all potentially suspicious or non-standard transactions were found and assessed by the Company. MLRO shall be responsible and shall decide what type of Customers should be checked (e.g. 10 biggest Customers according to the amount of their payments; Customers whose payments are related to high-risk geographical regions, etc.).

3. The Company shall monitor transactions to ensure that they are in line with the Customer’s risk, and examine the source of funds when required (Annex No. 7 to this Policy) to detect possible ML / TF. The Company shall also keep the documents, data, or information it holds up to date, with a view to understanding whether the risk associated with the Business Relationship has changed.
4.            The Company collects source of funds documents under the following circumstances: 
   
   1. All types of Customers: when they are high risk are subjected to EDD;
   2. All types of Customers: when they reach daily / monthly transaction thresholds;
   3. All types of Customers: when the Client’s transaction behavior shows major changes (e.g. order size is significantly bigger than the average order size of previous transactions);
   4. Only legal entity Customers: All businesses that fall under our requirements of EDD are required to submit these documents. EDD kicks in when the business falls under the following criteria:

• Provide custodial crypto / digital assets services 

• Provide other crypto / digital assets services that are not non-custodial 

• Provide money services/payments / other financial services 

• Are regulated gambling services 

• Any Customer with a politically exposed beneficial owner 

5. Individuals: All individuals that are PEP are required to submit these documents 

‍

5. Monitoring (instant and/or retrospective) might be carried out by using the services of third parties. In such a case the Company shall ensure that third parties would follow requirements specified in this Policy and the Law and would align their IT systems and platforms so that all monitoring criteria and scenarios set by the Company would be properly covered.
6. The Company will use a risk-based matrix that will define various risk levels, namely, high, medium, and low. All the risk categories will be subjected to transaction thresholds which are based on various qualifiers in the case of an individual or a legal entity:
   
   1. Individual: the Company will categorise the Client in various risk categories and impose transaction thresholds based on the selection of payment methods and jurisdictions along with user behaviour.
   2. Legal entity: The Company will categorise the Client into various risk categories and impose transaction thresholds based on various risk factors like the pedigree of the company, Internet risk profiling score, onboarding tenure, and geographical risks.
7. The Company will use a comprehensive approach to transaction monitoring including, but not limited to screening i.e., monitoring transactions in real-time, and monitoring i.e., analyzing transactions later. The objective of screening is to identify: 
   
   1. Suspicious and unusual transactions and transaction patterns; 
   2. transactions exceeding the provided thresholds.
8. The screening of the transactions is performed automatically and includes the following measures: 
   
   1. Established thresholds for transactions, depending on the user/Client's risk profile and the estimated transaction turnover declared by the user/Client; 
   2. The scoring of virtual currency wallets where the virtual currency shall be sent in accordance with the user / Client’s order; 
   3. The scoring of virtual currency wallets from which the virtual currency is received.
9. General requirements applicable to monitoring procedures are established under Annex No. 3 to this Policy.

10. SCREENING AGAINST PEP, INTERNATIONAL SANCTIONS AND ADVERSE MEDIA

1. The Company deploys automatic solutions for political exposure, international sanctions, and adverse media screening.
2. Such screening is performed: 
   
   1. Prior to entering into a Business Relationship;
   2. Daily during Business Relationship;
   3. In addition, crypto wallet screening is performed both prior to entering into a Business Relationship as well as prior to each transaction and on an ongoing basis.     
3. Screening against international sanctions is performed for the following persons: 
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
4. Screening against PEP exposure is performed for the following persons: 
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
5. Screening against adverse media is performed for the following persons:
   
   1. Customer itself;
   2. Representative of the Customer;
   3. UBOs of the Customer;
   4. Customer
6. At least the following data shall be screened: 
   
   1. For natural persons: full name and surname, date of birth (or personal code), citizenship, residence country. 
   2. For legal entities: full title,      registration country, legal entity code, country of actual address or address (if relevant). 
7. If the screening indicates: 
   
   1. That the Client is a PEP – Business Relationship may be started, however, prior to this the Client must undergo enhanced due diligence procedure as specified under Annex No. 1 to this Policy.

2. That the Client is subject to international sanctions – the Client cannot be onboarded, transaction cannot be executed, Services cannot be provided to the Client. The MLRO must notify the FCIS as specified under Section 13 of this Policy. 

3. That the Client is subject to adverse media: 

1. If adverse media indicates that the Client is involved in financial crime, ML/TF cases – the Client must be rejected, Services cannot be provided;
2. If adverse media indicates that the Client is sanctioned –an  assessment regarding the  relevance of international sanctions must be performed and if it is confirmed, then measures listed above under point (ii) must be followed;
3. If adverse media indicates other criteria – the MLRO shall be informed and shall take a decision on whether the Client can be onboarded and if “yes”, which risk group shall be assigned to the Client. 

8. Screening data (evidence proving data screening is/was performed) must be available to the Company. The Company should be able to prove when and how screening was performed, if required (e.g. if requested by the regulator). Such data may be available in the IT systems and tools. 

11. IMPLEMENTATION OF TRAVEL RULE

1. The Travel Rule, as implemented by EU Regulation 2023/1113 and EBA Travel Rule Guidelines, requires that all crypto-asset transfers be accompanied by information on the originator and beneficiary of the crypto-transfer transaction.
2. Crypto-asset transfers conducted by the Company include the following information: 

About the originator of the transfer: 

1. The name of the originator;
2. the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;
3. the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology (if not available – the transfer of crypto-assets is accompanied by a unique transaction identifier);
4. the originator’s address, including the name of the country, official personal document number, and customer identification number, or, alternatively, the originator’s date and place of birth; 
5. subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI, or, in its absence, any other available equivalent official identifier of the originator.

About the beneficiary of the transfer:

1. The name of the beneficiary;
2. the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction;
3. the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology (if not available – the transfer of crypto-assets is accompanied by a unique transaction identifier);
4. subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI, or, in its absence, any other available equivalent official identifier of the beneficiary.

3. The Company shall not allow for the initiation, or execute any outgoing transfer, of crypto-assets before ensuring that all the originator’s information is available and verified. 
4. For the incoming transfers, the Company shall check prior to the acceptance of the transfer whether it maintains all the necessary information and verify whether the beneficiary data accompanying the transfer is verified based on the information maintained by the Company about the beneficiary. If not (e.g. the data is inaccurate, incomplete, etc.), the transaction shall be suspended, until the verified information is received after was requested by the Company, or rejected.

12. RENEWAL OF INFORMATION ABOUT THE Customer (ODD)

1. Information collected about the Customer shall be renewed by the Company within the below timeframes:

‍

2. Review and renewal of information shall cover:
   
   1. Information about the Customer collected during the onboarding process (all KYC information); 
   2. Review of Customer’s identity document – it should be checked whether the ID document is still valid and if valid – additional documents are not required, however, if the ID document is no longer valid – a valid ID document should be required in addition;
   3. Check historical transactions with an aim to determine whether they indicate additional risks or a need to update the Customer’s risk profile. 
3. All data reviewed, updated, collected, and assessed must be stored in the Customer’s file with dates evidencing when the document was collected/assessed.

13. REPORTING TO FCIS (AML / CTF MATTERS)

List of reports:

1. The Company is required to report to FCIS in case of:

1. Suspicious Operations or Transactions (SARs submission).
2. Knowledge or suspicion that the transaction is directly or indirectly related to criminal activity or is intended to be used for such a purpose.
3. Knowledge or suspicion that the Customer will try to perform a suspicious operation/transaction.
4.      Report on virtual currency exchange transactions or transactions with virtual currency only if the transaction is suspicious and the MLRO has reasons to believe and the value of such transaction is equal or exceeds 15.000 Eur (or equivalent in another currency, including virtual currency),     Annual report on Company’s activity.

2. Details of each report are the following:

‍

Key communication with FCIS timelines and requirements

1. FCIS shall within 10 business days of the receipt of the report's performance assessment take necessary actions if a basis for this is established (e.g. notify the Police and initiate a pre-trial investigation). FCIS must notify the Company accordingly. 
2. If the Company does not receive a response from the FCIS within 10 business days of the submission of reports listed under Clause 13.2 of this Policy or where the Company is not obligated by FCIS to temporarily restrict the ownership rights in accordance with the procedure established by the Code of Criminal Procedure of Lithuania, this is the basis for the Company to consider that FCIS did not determine any illegal activity and restrictions should be eliminated. However, if the MLRO has doubts regarding the renewal of the suspended transaction/activity of the Customer, the MLRO shall contact the FCIS in addition, and ask for their guidance with respect to the renewal and/or possible institutional actions.
3. The Company shall not be responsible to the Customer for the non-fulfillment of contractual obligations and for the damage caused in the course of performing the duties and actions specified in this Section (as long as they are performed in line with legal requirements). Immunity from legal proceedings shall also apply to the directors or other employees of the Company who report, in good faith, information about suspected ML / TF or Suspicious Operations or transactions carried out by the Customer to the MLRO; they also may not be subject to disciplinary sanctions because of such actions.
4. The Company must ensure that it maintains internal systems enabling MLRO to respond rapidly, through secure channels and in a manner that ensures full confidentiality of inquiries, to the inquiries from the FCIS concerning the submission of the information related to AML / CTF and ensure the submission of this information within 14 working days from the receipt of the inquiry, unless a shorter period is set by the FCIS, this Policy or the Law.
5. All information submitted to the FCIS and/or received from the FCIS shall be considered confidential and not subject to disclosure to third persons, including employees of the Company who are not involved in handling the particular case reported to the FCIS or informed by the FCIS. The MLRO shall be the key contact point for communication with the FCIS and the MLRO shall ensure the confidentiality of FCIS-related information, the email of the MLRO shall be used for communication with FCIS. In addition, information to the FCIS shall be always submitted via a dedicated FCIS information system while email dokumentas@fntt.lt should be used only in exceptional cases (e.g. where the FCIS information system is now available due to technical reasons). Tipping-off prohibition shall be ensured in all cases meaning that information about suspicious Client’s transactions or behaviour and/or a fact that SAR was submitted to the FCIS as well as what exact information led to suspicious cannot be disclosed to the Customer, the Company’s employees who do not have a right to possess such data (i.e. who are not working with the Customer’s case, investigation, etc.) and to third parties, unless exemptions are allowed following legal requirements, including exemptions under Article 23 of Lithuanian AML Law.

Report on 15.000 EUR virtual currency transactions

6. The MLRO is responsible for the submission of information to FCIS regarding virtual currency exchange or other virtual currency transactions if the amount of such transaction is equal to or above EUR “15,000” (irrespective of whether the transaction was carried out as a single or multiple transaction) and considered suspicious by the MLRO. Information about such transactions shall be submitted to FCIS within 7 business days of their performance day. 

Report on suspicious activity/transaction

7. Suspicious Operations or Transactions are those that, by virtue of their nature, in the opinion of the Company, may be related to ML/TF or fraud cases. If it is determined that the relevant transaction or operation is a Suspicious Operation or Transaction, the MLRO of the Company shall report it to FCIS as specified below in this Section.
8. The Company welcomes all applicants unless they are citizens or were born in or reside within the countries under the prohibited countries or are otherwise prohibited persons under applicable AML/CFT legislation. If born in prohibited countries, they may still register if they provide evidence of renouncing their original nationality and taking citizenship of a non-prohibited country.
9. High-risk jurisdictions and other jurisdictions monitored by the FATF, as described in Annex No. 6 to this Policy.
10. The Company shall also screen each applicant/user and, where applicable, associated persons, authorized persons, and BOs of the applicant/user for compliance with sanctions as described in Annex No. 6 to this Policy.
11. The Company engages third-party service providers who provide tools/databases to screen for compliance with the aforementioned sanctions, PEP lists, and money laundering databases.
12. In all cases, the company must complete the verification before accepting the applicant as a user. Any Applicant (or their Related Persons, Authorized Persons, and BOs) who has/have a positive match to the verification list (which after investigation and assessment by Compliance cannot be rejected) and is on a prohibited list (e.g. Applicant in a prohibited country or business) cannot be accepted as a User of the Company and will be rejected from becoming a User.
13. For Applicants (or their Related Persons, Authorized Persons, and BOs) who have/had a positive result (which after investigation and assessment by Compliance cannot be rejected) and are not on the Prohibited List, but have received adverse information as a result of the review, the Company will consider whether the Applicant falls into a high-risk group where ECDD is required before the Applicant can be accepted as a User.
14. The Compliance Service shall keep a record of the results of the screening and the carried-out assessment.
15. A suspicion may be caused by various objective and subjective circumstances, for example, the Customer performs transactions or operations that are not typical to its activities, provides incorrect data on themselves or the operation, is reluctant to provide additional information (documents) about the Customer, the operation being assessed by the Company, etc.
16. When assessing relevant transaction or operation from the suspicious Customer’s activity perspective, the MLRO of the Company shall obtain sufficient information on the ground and purposes of the Suspicious Operation or Transaction, as well as the origin of funds, in order to properly examine the activities and/or operations and transactions carried out by the Customer and must provide their conclusions on that in writing. 
17. The Company is not obliged to find out whether the activity of the Customer contains a composition of crime. If the Company knows or suspects that the transaction or operation is a Suspicious Operation or Transaction, it must:
    
    1. Suspend the transaction/operation (if possible); and 
    2. Notify the FCIS within 3 business hours of the suspension moment.

18. The list of criteria applied when recognizing Suspicious Operations or Transactions is presented in Annex No. 2 to this Policy.
19. Where the transaction/operation fails to meet any criteria specified in Annex No. 2 to this Policy and yet a suspicion arises to an employee of the Company with regard to the operation or transaction and/or the Customer’s activity, such transaction or operations must be regarded as Suspicious Operations or Transactions and shall be reported to FCIS within 3 business hours.
20. The Company is subject to “tipping off” prohibition. This means that the Company is prohibited by law from disclosing (“tipping-off”) to the Customer or other persons (except for the responsible internal team members and relevant authorities) a fact that a suspicious transaction report or related information is being filed or was filled with the FCIS.

14. TERMINATION OF TRANSACTIONS OR BUSINESS RELATIONSHIP 

General requirements

2. If the Customer is reluctant or refuses to provide additional information at the request of the Company, the Company, depending on the nature and importance of such information as well as on the reasons why such information is not provided, may refuse to carry out operations or transactions, terminate their execution or Business Relationship with the Customer.
3. The Company shall not be liable to the Customer for failure to fulfill contractual obligations or damage incurred due to failure to carry out the Customer’s operations or transactions provided that the Company did not carry out the Customer’s operations or transactions on the basis of reasons laid down in below Clause 14.4 of the Policy.
4. The Company shall be prohibited from executing transactions, establishing or maintaining Business Relationships if the Customer:
   
   1. Fails to provide information verifying their identity or is reluctant to provide information necessary to establish his identity or the provided information is insufficient;
   2. Provides incomplete data or it is incorrect;
   3. Are subject to international sanctions;
   4. Do not meet the risk tolerance limits set by the Company;
   5. Requests to provide anonymous services. 
5. In cases specified in Clause 14.4 and after identifying that the relevant operation, transaction, or behavior of the Customer is suspicious (irrespective of whether such operation or transaction was performed or not), the Company shall report the Suspicious Operation or Transaction to FCIS.
6. If during the identification of the Customer the Company has a reason to believe that the ML/TF offense is taking place, and the further process of identification of the Customer may raise suspicions to the Customer that information about him/her may be transmitted to competent law enforcement authorities, the Company may discontinue the process of identifying the Customer and may not establish Business Relationship with the Customer. In these cases, the information shall be transmitted to FCIS as soon as possible but not later than within 1 business day.  

Termination of Business Relationship based on Customer’s initiative

7. The Customer has a right to terminate the Business Relationship with the Company without specifying any reason and unilaterally without applying to court. Particular terms for implementation of such right may be applied based on the Company’s T&Cs.  

Termination of the Business Relationship with the Customer on the Company’s initiative or where so required under legal acts

8. The Company has the right to terminate the Business Relationship with the Customer without any notification in advance and without applying to court, where the legal basis agreed between the Parties via the BSA agreement is met, or where other legal grounds exist. 
9. The Client must immediately (the same business day) be notified via e-mail about the termination of the Business Relationship unless notification is prohibited under the legal acts. If there is a suspicion of ML/TF, the Company shall notify FCIS and until the assessment on suspicious activity is performed by FCIS, termination may be postponed, and the Client cannot be informed about ongoing investigation or application to the FCIS.‍

15. LOGS. RECORD KEEPING. DATA STORAGE

1. The Company shall keep at least the following logs:

1. Log of Suspicious Operations or Transactions and reports submitted to FCIS; 
2. Log of virtual currency exchange or other virtual currency transactions if the amount of such transaction is equal to or above EUR 15.000, only when considered suspicious by the MLRO (irrespective of whether the transaction was carried out as single or multiple transactions), including data about such transaction reporting to FCIS;
3. Log of Clients with whom transactions or Business Relationships have been terminated due to circumstances related to infringements of the procedure for the prevention of ML / TF, including cases when Business Relationships were terminated because Clients or their representative(s) tried to conceal information about themselves or Beneficial Owners, did not provide all required information, etc.;

‍

2. The templates of the above-mentioned logs to be kept by the Company are provided in Annex No. 4 of this Policy. 
3. Data shall be entered in the logs in chronological order, on the basis of the documents supporting the operation or transaction or other documents with legal effect related to the performance of the operations or conclusion (or termination) of transactions, or termination of Business Relationship, immediately but no later than within three business days as of the performance of the operation or conclusion of the transaction, or the date when the specified circumstances occurred or were established.
4. The following data storage requirements shall be ensured:

The time limits for record keeping may be additionally extended for no longer than two (2) years upon a reasoned instruction of a competent authority.

1. The Company shall ensure that the documents and information referred to in Clause 15.4 of the Policy would be stored irrespective of whether: (i) transactions are local or international; and/or (ii) the Business Relationship with the Client continues or has ended.
2. The Company shall ensure that the documents referred to in Clause 15.4 of the Policy would be stored so that it would be possible: (i) to restore information about the specific transaction; and (ii) upon necessity, to provide them and information set out therein to FCIS.

16. EMPLOYEE TRAINING 

4. Ongoing employee training programs related to ML/TF prevention requirements shall be prepared and conducted in the Company under the leadership of the MLRO. The training log shall be prepared by the MLRO each year and shall contain information about training (to be) performed, participants, training dates, titles of the training, organizer, certificates issued, and other relevant information, if any. A training log is provided as Annex No. 9 to this Policy. 

‍

1. The training shall be performed at least annually (on a calendar year basis). It shall be based on the Company’s business activity and shall be updated as necessary to reflect any new developments in the laws and risks faced by the Company in accordance with the annual risk assessment.
2. Employees’ training program shall ensure that all Company employees who face ML/TF prevention measures in dealing with their functions would be properly educated to identify the Client, notice Suspicious Operations or Transactions, perform an assessment of alerts received during the monitoring procedure, etc. 
3. All new employees shall be trained for the prevention of ML/TF risks purposes prior to engaging in any Client-facing activity as part of the boarding and reimbursement process. The MLRO of the Company shall be responsible for ensuring training for new employees. The MLRO himself shall undergo annual AML/CTF training. 

17. FINAL PROVISIONS

Annual audit

1. The Company shall at least once per year perform an audit over AML / CTF measures and their implementation within the Company. The Senior Management is responsible for ensuring that the audit takes place while the MLRO is responsible for organizing the audit. 

Approval, review

2. This Policy (and annexes thereof) shall enter into force from the day of their approval and may be abolished, amended, and/or supplemented only by a decision of the Board.
3. Amendments and/or supplements to the Policy shall enter into force on the following day after its approval. 
4. The MLRO shall periodically (at least once a year) or upon the occurrence of important events or changes (for instance, in case of changes in legal acts or in case of new risk relevant to the Company arises) revise the Policy and update it, if needed. A review of the Policy shall be also ensured in the following cases:
   
   1. When the European Commission published a supranational risk assessment (published on https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022DC0554);
   2. When the National Risk Assessment is published by FCIS (published on www.fntt.lt); 
   3. When the FCIS issues an order to the Company to make the internal controls stronger and stricter; 
   4. When important changes are made within the Company’s management and activity organization; 
   5. When audit results or other activity indicators dictate a need to change internal controls. 

Employee acquaintance 

5. The MLRO is responsible for the acquaintance of the Company’s employees with the Policy (and annexes thereof) and its later versions, if any. Such acquaintance shall be made by providing the Company’s employees with the Policy (and annexes thereof) and after that by requiring each employee to confirm his / her acquaintance with the Policy (and annexes thereof) by signing in the table provided in Annex No. 5 of the Policy.

Assessment of knowledge and experience of the responsible personnel 

6. The Company shall ensure that, prior to the appointment of the MLRO, CEO, Board members, Senior Officer, and other employees responsible for the AML/CTF framework within the Company, a thorough assessment of their competence, work experience, and qualifications is conducted. This assessment shall take into account their education, professional development, relevant work experience (including its duration and nature), and other criteria that may impact their suitability and qualifications. Such assessments shall be completed in writing before their appointment or hiring.

Requirements for Senior Management members and UBOs of the Company

7. A person cannot be a member of Senior Management or Ultimate Beneficial Owner of the Company if at least one of the following criteria exist: 
   
   1. A person is found guilty of having committed a serious or very serious crime provided for in the Criminal Code of the Republic of Lithuania or a criminal act corresponding to any of these crimes according to the criminal laws of other states, regardless of whether the person's criminal record has disappeared or been annulled; 
   2. A person is found guilty of having committed a minor or aggravated crime against property, property rights and property interests, economy and business order, financial system, public service and public interests, public safety, or a criminal act corresponding to any of these crimes under the criminal laws of other countries, provided for in the Criminal Code and 5 years have not passed since the disappearance or annulment of the person's criminal record; 
   3. A person is found guilty of having committed a criminal act other than that specified in points 1 and 2 of this part, provided for in the Criminal Code or in the criminal laws of other states, and 3 years have not passed since the date of execution of the sentence, postponement of the execution of the sentence or release from the execution of the sentence.
8. If the circumstances listed in above Clause 16.7 are determined, the Company must take measures to notify the FCIS accordingly and ensure the fulfillment of the requirement (e.g. to change manager, etc.).

18. ANNEXES  

1. The following is the list of documents which are an integral part of the Policy: 

Annex No 1 – Client Identification Procedure

Annex No 2 – Criteria for Identifying Suspicious Operations or Transactions

Annex No 3 – Relationship Monitoring Policy

Annex No 4 – The Forms of Logs

Annex No 5 – The Form of Employees’ Acquaintance with the Policy

Annex No 6 – Prohibited Countries List

Annex No 7 – Acceptable Evidence of Sources of Wealth and Sources of Funds

Annex No 8 – Template of the MLRO quarterly report

Annex No 9 – Training Log

‍

2. Annex No. 1 

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

3.      CUSTOMER IDENTIFICATION PROCEDURE

‍

1. INTRODUCTION

1. The Company is a B2B2C business and shall provide Services to Business. The end users can be both natural persons and legal entities. The Company provides services primarily to the business who are Customers-Clients, Merchants, and end users. Both the Merchants and the End Users receive Services and both these subjects are considered as Customers of the Company, who shall be identified accordingly.

Trans-Fi UAB’s current product suite is described below. All of these products are available as both a solution and as a single Application Programming Interface (“API”) and provide a dashboard or other solution for monitoring transactions and orders:

• Payins: Enabling our Clients/their Merchants to collect payments in fiat currency (e.g. the US Dollar or Euro) or stablecoins from their counterparties (both businesses or individuals) by sending a payment link and settling in stablecoins or fiat, as desired, with ease from anywhere across the world. Stablecoins used in our products are reserve-backed crypto-assets pegged to a fiat currency, notably the EUR and USD stablecoins issued by Circle:  EURC and USDC. Within this product, the following MiCA services will be used: 
  
  1. Transfer services for crypto-assets on behalf of clients 
  2. Custody and administration of crypto-assets on behalf of clients 
  3. Exchange of crypto-assets for funds 

‍

• Payouts: Enabling our Clients/their Merchants to pay their employees, vendors, freelancers, and trade partners globally in fiat or stablecoins across the world by exchanging crypto-assets for fiat (stablecoin-to-fiat) or exchanging fiat for crypto-assets (fiat-to-stablecoin) or crypto-assets for crypto-assets (crypto-to-stablecoin). Within this product, the following MiCA services will be used: 
  
  1. Transfer services for crypto-assets on behalf of clients 
  2. Custody and administration of crypto-assets on behalf of clients 
  3. Exchange of crypto-assets for funds 
  4. Exchange of crypto-assets for other crypto-assets 

‍

• Ramp: Enabling our Clients to offer the exchange of fiat to crypto-assets (fiat-to-crypto “onramp”) and the exchange of crypto-assets to fiat (crypto-to-fiat “offramp”) to their Merchants and/or End Users. Within this product, the following MiCA services will be used: 
  
  1. Exchange of crypto-assets for funds 

‍

• Wallet issuance as a service (“WIaaS”): Enables our Clients to issue custodial wallets (using Circle as a provider) for themselves, their Merchants, or their End Users to pre-fund transactions for seamless payouts, or to collect payins from their counterparties, or to offer top-ups and refunds to the wallets & gaming accounts of their End Users, by offering the fiat-to-stablecoin and stablecoin-to-fiat transfers, and subsequent settlements with gaming Customers. TransFi will be enabling an “earn feature” on these wallets shortly, leveraging third-party providers, so that wallet owners earn returns (using staking). Within this product, the following MiCA services will be used: 
  
  1. Custody and administration of crypto-assets on behalf of clients 

2. The Company applies remote Customer identification methods following requirements of Article 11(1)(4)(b) of Lithuanian AML Law.
3. The Company shall ensure that identification is performed for the Customer in the following cases:

1. Prior to establishing a Business Relationship with the Customer;
2. When doubts about the Customer’s identification data and documents, collected earlier, occur;
3. When there are doubts that ML / TF activity may take place. 
4. When there is a change in the transaction patterns of the Customer

4. In cases listed under Clause 1.3 above, the Company shall at least:

1. Identify the Customer (its representative, UBOs, determine directors and ownership structure);
2. Collect KYC / KYB data about the Customer;
3. Check PEP status;
4. Check international sanctions application status;
5. Check adverse media status;
6. Check if there are any circumstances requiring applying enhanced due diligence;
7. Re-assess the information collected with data received from official sources.

8. Collect information about the purpose and nature of the Business Relationship.
9. Collect information about Customer’s sources and funds (for high-risk Customers);

9. Receive MLRO’s approval (for high-risk Customers).

‍

1.5 As described in Clause 1, all our Customers are subjected to KYC and KYB in the case of individuals and legal entities respectively 

1.6  Having such information, the Company shall assess it and, following the assessment, assign the Customer to the relevant risk group. All this shall be done until the moment when Business Relationships are started 

2. TYPES OF CUSTOMER DUE DILIGENCE 
   
   1. The Company shall recognize the following types of Customer’s risk: 

1. Low;
2. Medium;
3. High;
4. Unacceptable/Prohibited. 

2. The Company applies two types of Customer due diligence:
   
   1. Standard Due Diligence (SDD), also known as Ordinary Due Diligence: SDD is applied where the Customer’s risk profile indicates low or medium risk and where, in accordance with the risk assessment of the Company, it has been identified that in such circumstances the risk of ML / TF is low or medium.
   2. Enhanced Due Diligence (EDD): EDD is applied for Customers that are flagged as high-risk Customers. EDD requires the application of additional Customer due diligence measures in comparison to SDD.

‍

3. In case of unacceptable/prohibited risk Customer – no due diligence can be applied as the applicant shall be rejected. 
4. In order to determine to which risk group each Customer is exposed, the Company shall perform an individual risk assessment of each Customer before entering them into a Business Relationship.   
5. SDD procedure is established in Section 4 (for individual Customers) and Section 5 (for Business Customers) of this Annex. 
6. EDD procedure is established in Section 6 of this Annex. 
7. The Company will have the below as prohibited Customer types:

1. Known beneficiaries of corruption or illegal activities; 
2. Shell companies/shell banks; 
3. Unregulated casinos or unlicensed gambling companies; 
4. Incomplete or failed KYB (Know your business); 
5. Unlicensed money transmitters/payments/financial services companies; and 
6. Customers with bearer shares in the ownership structure. 
7. Marijuana/cannabis; 
8. Guns, Arms and ammunition, and Military; 
9. Precious metals; 
10. Adult content or Pornography. 

3. GENERAL REQUIREMENTS FOR THE REAL-TIME PHOTO (VIDEO) TRANSMISSION 
   
   1. Real-time photo (video) transmission is a method for Customer (natural person) or representative (legal entity) identification and identity verification.
   2. The following principles shall be applied and ensured during the remote Customer identification procedure via real-time photo (video) transmission:
      
      1. Only one person (Customer or its representative) can participate in the remote Customer identification process;
      2. The quality of the internet connection shall be sufficient, no interruptions should occur;
      3. The Company shall be entitled and have the technical possibility to provide the Customer with additional instructions if it is needed for identification;
      4. Quality of photos/video taken during the Customer’s identification procedure shall allow the Company to identify the person in the photos easily;
      5. The remote Customer identification process shall be carried out uninterruptedly and must be a part of a single Customer identification process;
      6. The screen used by the Customer shall be big enough to ensure that the Customer’s face is visible and identifiable throughout the session;
      7. All recordings and photos have to contain a mark with the Customer’s name, surname, personal code, and IP address (in the event the latter is applicable) and the date of recording;
      8. The Company shall use special programs, applications, or other means which shall ensure that the process of photo recording is continuous and the transmission of photos otherwise than in real-time would be impossible;
      9. Upon completion of actions referred to above, the Customer shall be informed that by providing data the Customer also confirms the authenticity of that data;
      10. Photos/video transmitted shall be of a quality allowing to read the information easily from the ID documents provided and to clearly see the features of the particular person and the person captured in the photo of the identity document.
   3. The Company shall ensure that its IT systems are capable and adapted to remote Customer identification as per the above requirements. 
   4. The Customer’s identification process shall be considered failed if any of the below occur:
      
      1. The Customer has deliberately submitted data that does not match the identification data of the ID document received from the official database or does not match information or data collected through other procedures;
      2. The session expires during verification, and the Customer does not initiate the identification process from the beginning;
      3. Image (video) of the ID document or the Customer is not clearly visible; 
      4. The Customer did not provide the required information and data;
      5. The Customer refuses to follow instructions to comply with the requirements set for framing the Customer’s face and ID document;
      6. The Customer uses the assistance of another person during verification without permission from the Company (permission might be issued only in exclusive cases);
      7. Circumstances arise that indicate suspected ML / TF. The Company shall immediately submit a notification of suspicion to FCIS;
      8. The Company received information that the Customer is subject to financial sanctions which shall be immediately notified to FCIS;
      9. The Customer has not completed any activities in the Customer identification module for more than 15 minutes in a row;
      10. The real-time photo (video) transmission is terminated or problems regarding the real-time photo (video) transmission arise;
      11. The quality of the real-time photo (video) transmission does not allow clearly the face of the Customer or Customer/s representative (if any) and (or) to establish the identity of the Customer or representative (if any) from the photo (video) of the face image in the identity document;
      12. The quality of the real-time photo (video) transmission is poor;
      13. The Customer’s identity document is being captured without adhering to the requirements laid down in this annex;
      14. The Customer does not perform the actions required for their identification appropriately and on time;
      15. It is established that the document provided by the Customer is impaired, fake or there are other circumstances that raise doubts due to the authenticity of such an identity document (for example, the copy of the document is being shown). In such case, the identification process may be continued, and the information necessary to establish the identity of the Customer or the representative (if any) may be collected only with the purpose, having assessed the ML / TF threat, to immediately notify the FCIS as suspicious activity no later than within 3 business hours;  
      16. It is established that the identity document provided by the Customer does not correspond to the requirements of information content applicable to such document;
      17. The Company has reasonable doubts that the Customer, the identity of which is being established, and the owner of the provided identity document, proving the Customer’s identity, are not the same person. This should be immediately reported to FCIS;
      18. If more than one person participates in the process of Customer identification;
      19. The Customer disagrees with remote Customer identification.
   5. Having assessed the ML / TF threat, the Company has the right to suspend or terminate the process of the identification due to any other reasons.
4.      IDENTIFICATION OF A CUSTOMER ( NATURAL PERSON )
   
   1. The Customer (natural person) identification and ID document validity verification shall be performed following these steps:
      
      1. Registration: The Customer shall enter First name, Last name, Date of Birth, Email, the country of citizenship on the web page      dedicated to onboarding;
      2. Identification: The Company applies remote identification – via real-time selfie and ID document photo (video) transmission. Namely:

In case of a photo transmission: 

1. The Customer shall take a photo of his / her ID document. 

Only the following ID documents can be accepted for Customer due diligence purposes. The Company shall accept only those ID documents that are valid and only if there are no circumstances showing possible forgery of the ID document:

• Passports,
•  ID cards, 
• Lithuanian Residence permits 
• Any other acceptable ID allowed by regulation

The collected ID document shall contain the following information about the Customer:

• Name(s);
• Surname(s);
• Personal code (for foreigners – date of birth or personal code or any other personal number);
• Photo;
• Signature (unless it is not required to be placed in the driver’s license based on the country’s requirements);
• Citizenship (unless it is not required to be recorded in the driver’s license based on the country’s requirements).

If the collected ID document does not contain citizenship data, the Company must collect additional ID documents of the Customer maintaining citizenship data.

Taking a photo of the ID document shall proceed by holding the ID document up in front of the mobile phone/computer camera in the area specified on the screen in a manner that the image of the ID document fits into the frame displayed on the screen. 

If the Customer uses a passport, a photo must be taken of the page with the Customer’s facial image and the back of the image.

If the Customer uses an ID card Lithuanian Residence Permit, or any other acceptable ID allowed by the regulation, a photo must first be taken of the front of the document and then of the back. 

The Customer shall click the relevant button for capture displayed on the screen and the device will capture a photo of the ID document. If the photo is not of the best resolution, the Customer shall be asked again to capture a picture. The Company shall use the photo with the best resolution. If the photo is suitable, the relevant message shall appear on the screen and the Customer shall click on the button which allows proceeding. If the photo is not suitable for identification purposes, the Customer shall be requested to take a new photo;

2. After the ID document photo has been confirmed (it takes a few seconds), the Customer shall be re-directed to and shall take a Live selfie of himself/herself. When taking the photo, the Customer shall look straight into the camera, with the head visible and in the frame. The Customer shall remove any head or face covering and not wear glasses with dark or darkening lenses. The Customer’s facial expression shall be easily recognizable, there cannot be any shadows around the Customer’s eyes, and background lighting cannot disturb reading the Customer’s facial expression. The Customer shall click on the capture button displayed on the mobile phone/computer screen, and the device shall automatically take a live photo of the Customer. If the live photo is suitable, the Customer shall click the continue button; if the portrait photo is unsuitable, the Customer will be required to click on the try again button and take a new photo. Both photos shall be saved by the Company. The Company shall conduct a visual verification of the portrait photos taken by the Customer. The Customer’s live photo shall permit the Company to verify the person depicted in the portrait photo. After the live photo has been confirmed by the Customer, the Customer shall be directed to the module, where the Company will be able to collect additional information about the Customer.

NOTE: the order of capturing of Customer’s ID document and facial image may differ depending on the platform used (i.e. firstly the photo of the ID document may be taken and only then the facial image or otherwise).

The live selfie session should be uninterrupted and of good quality.

3. Collection of additional KYC data: The Customer is required to provide a few information The customer is required to provide a few additional details, including but not limited to the following:

1. Nature and purpose of Business Relationship;
2. Country of residence;
3. Sources of funds (Annex No 7); only in case of EDD (Enhanced due diligence)
4. When the Customer is KYC-ed he is screened for adverse media, sanctions, and PEP screenings through an automated solution, if flagged for PEP, the Customer needs to confirm if he is a PEP or not. In case of a PEP, he is subjected to EDD, In case of false hits, the Customer is required to share a declaration over email that he is not a PEP.

4. Informing the Customer: After the Customer provides all the above-requested information, he/she is asked to confirm it and submit it. After the submission, the customer is informed in some time (ranging from a few seconds to a few minutes) that the KYC is approved, rejected, or in manual review with Compliance. Basis the results of the manual review, the Compliance team clears the onboarding of the Customer in no later than 2 business days. 
5. Verification of data by the Company: All the data submitted by the Customer is assessed through an automated system and the KYC is approved, rejected, or goes in manual review with the Compliance team.

• Application data (name, surname, personal code, citizenship of the Customer, application date, etc.);
• Validity and authenticity of ID document. – whether the ID document’s validity date is still valid (not expired), etc.). 

NOTE: data should be stored as evidence in the Customer’s file (with a clearly visible date when and based on what data the check was performed).

• Proof of Address, data extraction, and data verification. For Proof of Address purposes, the Company shall request the Customer to provide a utility bill or rent agreement, rent registration extract, or employment agreement with a clear reference to the residence address, etc. 
• Live photo of the Customer. The Company shall conduct an automatic check on the Customer’s portrait photo against the facial image contained in the ID document. This is done automatically using a service provider;
• Customer’s device data (for instance, IP address, etc.);  
• Identity verification – The company shall check whether the Customer’s live photo matches the facial image on the ID document photo in conjunction with algorithms. This is done automatically by the selected service provider;
• ID document data. The Company shall check the following data of ID document in external official databases: surname, first name, personal identification code, sex, date and place of birth, ID document number, document date of issue and expiry, citizenship;
• The Company shall also check the Customer’s background, including, but not limited to political exposure, possible application of financial sanctions, 
• Verification of Customer data shall be made by making a search in reliable external databases,      which allows checking whether the person is PEP, whether financial sanctions are applied with respect to the Customer, etc. The Company in addition might also conduct research on official websites, like Google, etc.
• In case of manual reviews, the Company shall review the results of the review and verification of the Customer’s data; 
• The Company, based on risk segmentation criteria, shall decide whether the Customer may be accepted or not; 

5. IDENTIFICATION OF A CUSTOMER- LEGAL ENTITY
   
   1. Real-time photo (video) transmission, as Customer’s identification method for the legal entity, shall be applied in the following manner: 
      
      1. The Customer is requested to provide information about the legal entity (potential Customer), including but not limited to the following:

1. Legal entity’s details, including the following: full name, legal form, legal code, establishment country, registered and actual business address;
2. Details of UBOs, including the following: full name, personal code (if not available – date of birth), citizenship, percentage of shares held in the legal entity of each Beneficial Owner, residing address;
3. Details of Key Directors, including the following: full name, personal code (if not available – date of birth), citizenship;
4. Nature and purpose of Business Relationship;
5. Sources of funds of the legal entity, only in case of EDD (Enhanced due diligence);
6. Whether the UBO Owner and/or a Representative is PEP;
7. Expected amount (in EUR) of monthly and yearly operations and countries to which/ from which operations will be initiated/received.
8. Whether the customer is a PEP

‍

2. The identity of Customer’s representative/UBO shall be established by applying all measures that are listed in clauses 4.1(i)-(ii) above in this Annex and that are applicable to the identification of a Customer – a natural person using real-time photo (video) transmission;
3. After the representative of the legal entity (potential Customer) provides all the above-requested information, he/she is asked to confirm it and submit it. After this session is over, the Customer by automatic message is informed that his / her information will be assessed, and the Customer will be informed about the decision of the Company to onboard the Customer as soon as possible but in any case no later than within 2 business days. 
4. After actions above are performed, the Company shall check the correctness and validity of the information provided by the representative of the Customer by performing actions indicated in clause 4.1(v) above.
5. The Company shall collect documents about the Customer that confirm the existence of the Customer, as a legal entity, and other Customer’s KYC information provided by its representative in the course of a real-time photo transmission session. The Company shall collect such documents itself from public registries, available online.
6. The Company shall collect at least the following official documents:

1. Power of Attorney, if a representative of the Customer is not the UBO; 
2. Memorandum of Associations or Articles of Association of the Customer;  
3. Self-certified shareholders’ registry (not older than 6 months);
4. A document that sets out how the prospective Customer is operated, governed, and owned and the extent of Authority/ powers key executives hold in the due diligence form (SDD form for low-risk customers and EDD form for high-risk customers)
5. Proof of official address; 
6. EIN / TIN number; 
7. Additional documents that may be required considering the specifics of certain Customers and/or in case a need to apply enhanced due diligence is determined (e.g. financial statements or key agreements in order to ascertain sources of funds, etc.).

7. All Customer’s UBOs are required to perform identification measures (the same as are applied for an individual Customer as per clause 4.1(ii) of this Annex. 
8. The Company, based on risk segmentation criteria, shall decide whether the Customer may be accepted or not; 
9. The Company, after completing the Customer’s verification, shall make a decision to “approve” the Customer or “decline” the Customer. In both cases, the Customer should be informed about the final decision. The decision of the Company shall be made within 4 business days as of the moment when the Customer performs identification actions. 

6. ENHANCED DUE DILIGENCE (EDD)
   
   1. EDD shall be conducted for the Customers who are:
      
      1. PEPs (incl. when the Customer himself, Customer’s representative, and/or director, and/or UBO are PEPs);
      2. Assigned to a high-risk category based on risk segmentation criteria established by the Company (see a separate internal document, Customer risk matrix);
      3. When the activity of the Customer hits established daily/monthly thresholds;

‍

4. Only for Customers legal entities – when the main activity of the Customer in one of the following business areas:

• Custodial crypto / digital assets services;
• Other crypto / digital assets services (non-custodial);
• Money services, payments, and other financial services;
• Licensed Gambling services. 

2. In situations described under clause 6.1 above, the Company shall:

1. Perform all identification measures established for ordinary due diligence; and 
2. Obtain written consent of the MLRO of the Company to enter into or continue Business Relationships with such Customers; and 
3. Ask for additional documents from the Customer that would help to identify the source of the property and funds relating to the Business Relationship or a transaction, in accordance with Annex No. 7; and
4. Ask for additional information regarding reasons for the transactions and Services; and
5. Ask for additional information regarding expected volumes of transactions within the Company; and
6. Ask for additional information, if any documents that are indicated by the MLRO in his/her consent  to enter into a Business Relationship with such a Customer (if any); and
7. Perform enhanced ongoing monitoring of the Business Relationship with such Customers, inter alia by establishing more sensitive operations thresholds and monitoring rules; and
8. In case when the Customer is subject to EDD due to the fact that its business area is the one as per the list under clause 6.1 (iv) – in addition to the above EDD measures, the Company shall collect and assess:

• Customer’s AML Policy; 
• Relevant license
• Financial statement or source of funds 
• any other document that may be necessary to further assess.
• This may also include other details like the below if needed: the customer’s latest ML and TF risks assessment (EWRA); the customer’s latest audit report, covering ML and TF risks;
• Details about the main person responsible for AML / CTF matters within the Customer (e.g. Customer’s MLRO, etc.);

(ix)  In case the Customer is established in countries like Bulgaria, Cameroon, Croatia, Kenya, Nigeria,Philippines, South Africa, Tanzania, Uganda, United Arab Emirates and Vietnam are the countries, that are not subject to enhanced due diligence, but subject to differential scrutiny are treated in this manner because

• Bulgaria and Croatia are part of the European Union
• The remaining jurisdictions are fast growing developing economies and house many global financial institutions such as HSBC, Standard Chartered, Wells Fargo and Citibank. 

‍

All users in these jurisdictions are subject to robust checks including sanctions & adverse media screening, ID verification, liveness test, PEP screening, transaction monitoring, browser & behaviour checks, email risks related checks, social media profiling, name matching and crypto monitoring.  EDD (Enhanced due diligence) checks will be triggered in the event of:

• Regulated business activities
• Transaction thresholds being exceeded
• Suspicious events;
• High risk customers.

‍

In addition to the above, transaction limits post KYC and KYB limits in these jurisdictions are lower than those for TransFi users from non-high risk countries.

‍

(x) In case the Customer is established in countries like Barbados, Burkina Faso, Gibraltar,Jamaica, Monaco, Mozambique, Namibia, Panama, Senegal and Trinidad and Tobago, we ask for additional information, if required 

• To apply increased timelines for transaction monitoring; 
• To apply increased number of internal control measures;
• To assess and decide on types of transactions which require more deep internal investigation and performing such investigations;

‍

3. The Company shall not provide Services to Customers from Lithuania state sanction list,  European Union Sanctions Lists, United Nations Sanctions lists (UN), United Nations Security Council resolution 1373 (2001) Sanctions List, Office of Foreign Assets Control (OFAC) (as described in Annex No 6 of the Policy).

‍

4. Annex No. 2

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍

5. CRITERIA FOR IDENTIFYING SUSPICIOUS OPERATIONS OR TRANSACTIONS

1. Suspicious operations or transaction criteria are established by FCIS Resolution No V-240. The list constantly changes and the MLRO’s duty is to check such changes and implement them in the activity of the Company. 
2. The below reflects some criteria from the mentioned FCIS Resolution. However, the MLRO must consider additional relevant criteria to the Company and adapt the below list accordingly. 
3. The Company does not engage in cash-related services. Therefore, cash-related criteria are not listed below. 
4. The criteria for recognizing Suspicious Operations or Transactions related to the behavior of the Customer are as follows: 

1. At the time of entering into a Business Relationship or during the Business Relationship, the Customer is reluctant to provide information necessary to identify the Customer, providing documents that raise doubts as to their genuineness, authenticity, etc.
2. It is difficult to obtain from the Customer information or documents necessary for the monitoring of the Business Relationship: it is difficult to contact the Customer, their place of residence/registration as well as contact details often change; nobody answers the phone number provided by the Customer is always disconnected; the Customer fails to respond when addressed via e-mail.
3. The Customer is unable to answer questions regarding ongoing/planned financial activity and the nature thereof, cannot provide relevant documents, and is excessively nervous.
4. The Customer cannot explain the sources of funds used for the transactions. 
5. The Customer connects to the Customer’s custodian virtual currency wallet, using services of the TOR network and the IP address is constantly different.
6. The Customer does not have sufficient knowledge about virtual currency, and cannot explain why certain transactions are performed (although the activity of the Customer in virtual asset transactions is high).
7. Several companies are registered at the address of the Customer.
8. The same person is the manager of several unconnected companies. 

5. The criteria for recognizing Suspicious Operations or Transactions related to operations or transactions carried out by the Customer are as follows:
   
   1. The operations or transactions of the Customer are not in line with the types of activities indicated by the Customer during the Customer’s identification process or reflected in the publicly available information. 
   2. The nature of the operations or transactions that are being conducted by the Customer raises a suspicion that the Customer is seeking to avoid entering the operations and transactions into the registration logs maintained by the Company.
   3. The Customer carries out a transaction (transactions) which is (are) beyond the Customer’s possibilities known to the Company.
   4. The Customer or the owner of the Property requests to pay the amount belonging to them to persons who are clearly unrelated to the Customer’s normal activity.
   5. The Customer is continuously engaged in transactions in property where the value is clearly not in line with the average market value.
   6. The Customer carries out operations or concludes transactions without any apparent economic justification.
   7. The age, current position, and financial status of the Client are objectively not in line with the activity conducted by this Customer (e.g. the Customer’s income is small compared to the scope of his / her activity in relation to Services).
   8. The Customer uses mixer/tumbler services. 
   9. The Customer executes operations in the dark net using virtual currency addresses that are connected to illegal activity.
   10. Virtual currency exchange to fiat currency (and vice versa) is not consistent with the Customer profile, or previous activity.
   11. The performance of virtual currency-related transactions is connected to IP addresses that are related to the countries where ML / TF activity is high. 
   12. Loss-making exchange of virtual currency into fiat currency.
   13. The Customer’s operations may potentially be related to fraud.
6. The criteria for recognizing Suspicious Operations or Transactions related to the geographical aspect of the operations or transactions carried out by the Customer are as follows:

1. Operations or transactions are carried out with natural and legal persons located in sanctioned jurisdictions as stated in Annex 6 of the policy.

2. The Customer permanently resides in a country that is not a member of the FATF or does not have observer status with the FATF and is not a member of the international organization combating the ML/TF, whereas the economic justification of the operations or transactions carried out by the Client is unclear.

3. The Client's operations with virtual currency are initiated from Internet Protocol (IP) addresses located in sanctioned countries as stated in Annex 6 of the policy.

7. The e criteria for recognizing Suspicious Operations or Transactions related to the possible corrupt activities of the Client are as follows:
   
   1. An individual participating in politics, their close associate, or family member receives an unusually high compensation that does not align with market value for participation in seminars, conferences, or as a consultant on projects.

‍

2. Operations are conducted for an individual participating in politics, their close associate, or family member from a foreign country with a corruption perception index (CPI) score below 50.

3. A legal entity conducting business in a foreign country with a CPI score below 50 performs business-related financial operations of excessive value for individuals under consultancy, legal, or similar service agreements.

4. International financial operations are conducted for an individual participating in politics, their close associate, or family member without a clear economic basis.

5. A physical or legal entity grants a loan to an individual participating in politics, their close associate, or family member under unusually favorable conditions (no repayment term specified, favorable repayment conditions, low interest rates, etc.) or without a contract or other documentation.

6. A physical or legal entity pays for travel and accommodation services for an individual participating in politics both in Lithuania and abroad if such payments are not typical for the financial activities of the paying entities.

7. An individual participating in politics transfers funds to countries where they do not conduct professional activities.

8. Funds are transferred to targeted territories when the transaction is related to government contracts.

‍

9. The beneficiary, founder, authorized person, or otherwise related person of a preferential tax company is an individual participating in politics in Lithuania or abroad, their close associate, or family member.

8. In the assessment of the alleged connection of the property with the TF, the following aspects must be taken into consideration: 
   
   1. Funds shall mean any type of intangible virtual currency or tangible fiat currency
   2. The funds may be of either legal or illegal origin – it is important that it is being collected, accumulated, or provided for purposes of the TF.

‍

3. Both direct and indirect collection, accumulation, or provision of the property (funds) shall be treated as the TF activity.

4. Collection, accumulation, or provision of the property (funds) shall be regarded as an intentional deliberate activity where it is seeking or knowing that this property (funds) or only a part thereof will be aimed at the TF, i.e. mere perception of a person that the property might be aimed at the TF is sufficient, even if he/she does not have an intentional pursuit thereof.

5. TF includes collection, accumulation, provision of the property (funds) for committing particular terrorist crimes (e.g. to perform a terrorist attack), training of terrorists (e.g. inciting crimes of terrorism, recruiting, training terrorists, creating terrorist groups, etc.), and also supporting individual or several terrorists or terrorist groups even if this property will not be aimed at committing particular terrorist crimes (e.g. for the rent of premises, material support, healthcare, relief, etc.). It is not necessary to establish a connection between the collected, accumulated, the provided property (funds) with a particular terrorist crime. 

9. Final Provisions
   
   1. The above-listed criteria shall not be assessed as exhaustive and the Company shall take into consideration other criteria that may be implicating suspicion with respect to operations and transactions of the Client, including but not limited to criteria established by FCIS. 

‍

2. The above-listed criteria indicating Suspicious Operations or Transactions should be assessed in each case separately and should not be applied in a formal way, i.e. the Company should always assess whether concrete criteria (even though listed above) could be justified or not in a concrete case and to consider it as suspicious only if any circumstance that could justify it cannot be found.  

‍

7. Annex No. 3

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB  

‍

8. RELATIONSHIP MONITORING POLICY

‍

1. INTRODUCTION

1. All transactions conducted by the Customer shall be constantly monitored by the Company. 
2. The Company shall perform and ensure instant and retrospective monitoring. 
3. Monitoring shall cover:
   
   1. Transactions;
   2. Wallet; 
   3. Customer-individual;
   4. Customer-legal entity;
4. Monitoring procedures will be performed both manually and by using automatic means. Regardless of the method selected by the Company, the Company shall ensure that the selected method allows to properly monitor all transactions and to identify Suspicious Operations or Transactions in due time. 
5. The purpose of monitoring is to ensure proper and timely identification of unusual transactions, patterns, and activity as well as to ensure the relevance of the information of the Client, its representative (if any), and the relevance of the assigned risk level to the Client. It also involved the monitoring of Client profiles (both the Individual and Businesses), whether they are exposed to any adverse media, or sanctions hit. 
6. The monitoring shall be performed by assessing the factual transactions made by each Customer, information received by the Company during the Customer’s identification procedure as well as other information received/collected by the Company, if any.

2. CUSTOMER’S FILE
   
   1. Monitoring procedures shall cover the assessment of information about the Customer. All information about a particular Customer shall be kept in the Customer’s file.
   2. The Customer’s file shall consist, as a minimum, of the following documents:

1. Proof of Customer’s identification and collection of relevant information about the Customer(i.e. sources of funds in case of EDD, the purpose of Business Relationship, services intended to be used by the Customer, etc.);
2. Proof of verification of the identity of the Customer, the Customer’s representative (if any), Beneficial Owners (if any) in public and independent sources of data;
3. Proof of verification of the political exposure of the Customer, the Customer’s representative, and Beneficial Owners (if applicable) in public and independent sources of data;
4. A description of the Customer's risk profile;
5. A description of the Customer’s assignment to a risk group;
6. Information about the Services provided to the Customer;
7. Information about cases when the Customer made Suspicious Operations or Transactions;
8. PEP and sanctions check data and evidence;
9. In the case of high-risk Customers – approval for entering/continuing Business Relationships alongside issued by the Company’s MLRO;
10. Corporate documents of the Customer;
11. Other documents and information indicated in this Policy and/or that the Company considers as important for the Client’s file. 

‍

3. The Customer’s file shall be stored in an electronic form.

‍

4. Information obtained in the process of identifying the Client and Client’s representative (if any) shall be continuously documented and shall be kept in written or electronic form.

3. MONITORING OF BUSINESS RELATIONSHIP / OPERATIONS 
   
   1. The Company shall exercise an ongoing monitoring of operations and ongoing monitoring of the Business Relationship of the Customer, including:

1. Investigation of transactions to make sure that transactions that are being carried out are in line with information available to the Company about the Customer, his / her / its activities (types and nature of activities, nature of transactions, business partners, and so on), risk nature, and knowledge about the source of funds in case of EDD;
2. Principles of assigning the Customer to the relevant risk group, establishing the procedures of Collecting and storing information about the operations performed by the higher-risk Clients.

‍

2. During the monitoring, particular emphasis shall be placed on the following:

1. Operations that, by virtue of their nature, may be related to ML / TF, and complicated and unusually large transactions; 
2. Any unusual transaction structures that do not have an evident economic or visible legal goal;
3. Every ML / TF threat that may arise due to the usage of products of any nature, other results of usage of the services provided, or transactions being carried out, when efforts are made to conceal the identity of the Customer or Customer’s representative (if any) (leaning towards anonymity), as well as due to Business Relationship or transactions with the Customer who was not identified being present in person, and, where applicable, shall immediately take measures in order to prevent the property from being used for ML / TF purposes;
4. Operations when efforts are made to conceal the identity of the Customer or Customer’s representative (if any), as well as the Business Relationship or transactions with the Customer whose identity was not established with being him/her/its representative in person;
5. Whether the Customer is not included on the general list of persons or groups of persons or companies and institutions that are subject to financial sanctions by the EU, UN, OFAC;

‍

3. If the monitoring of the Business Relationship indicates that the Business Relationship entails a higher risk, then the Company shall assign a particular Customer to the higher-risk group (if he/she/it was not assigned to a high-risk group before).

4. The Company shall document the results of the investigation in writing (electronically or in paper form).

‍

4. ENHANCED MONITORING OF BUSINESS RELATIONSHIP
   
   1. In the course of the enhanced monitoring of Business Relationships, the Company shall maintain a risk matrix that monitors the operations by keeping transaction thresholds at different KYC levels. 
5. FINAL PROVISIONS
   
   1. The MLRO of the Company shall prepare and present to the Senior Management a monitoring summary in his quarterly report (Annex No. 8 to the Policy), which would include the main findings that were identified during the relevant quarter. Such a summary should include information about transactions that were identified as suspicious and submitted to the FCIS. 

‍

2. The monitoring of Business Relationships shall be exercised on a regular basis, keeping information on measures applied in the process of monitoring and information collected in the process of taking such actions, keeping information on the purpose and nature of Business Relationships, and making reviews and updates of such information on a regular basis.

9. Annex No. 4

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB

‍‍

10. FORM OF LOGS

/Attached as a separate Excel file/

‍

12. THE FORM OF EMPLOYEES’ ACQUAINTANCE WITH THE POLICY

Employees of the Company who sign the below table confirm that they are acquainted with the Policy of the Implementation of Prevention Measures on Money Laundering and Terrorist Financing of the Company (including annexes thereof). 

In case the Policy (and annexes thereof) are amended, employees of the Company shall be properly acquainted with the amendments. Employees shall confirm their acquaintance with all amendments by providing information indicated in the table below and by signing it each time.

‍

13. Annex No. 6

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

14. PROHIBITED COUNTRIES LIST ALONG WITH HIGH RISK COUNTRY LISTS WITH TREATMENT

All below countries are considered as prohibited by the Company: 

1. Prohibited by the Company;
2. Sanctioned countries by EU and UNO, except for China
3. Sanctioned countries by OFAC except for China and Hong Kong.

‍

Countries prohibited for transactions by TransFi include the following: (Sanctioned countries by EU and UNO, including TransFi)

‍

15. Annex No. 7

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

16. ACCEPTABLE EVIDENCE OF SOURCES OF WEALTH AND SOURCES OF FUNDS

‍

Annex No. 8

to the Policy for the Implementation of the Prevention Measures 

on Money Laundering and Terrorist Financing of 

TRANS-FI UAB 

‍

22. TEMPLATE OF THE MLRO QUARTERLY REPORT

‍

MLRO REPORT FOR [Q1 2025]