Rules of Procedure for prevention of money laundering and terrorist financing
Approved by a resolution of the management board on 22.02.2020
- These rules of procedure lay down internal security measures for conducting due diligence and detecting suspicious and unusual transactions in all areas of activity of our company.
- All relevant employees should know and strictly follow the requirements set out in the Money Laundering and Terrorist Financing Prevention Act, the guidelines on the characteristics of suspicious transactions possibly involving money laundering and terrorist financing, other guidelines on compliance with the Money Laundering and Terrorist Financing Prevention Act (MLTFPA) pertaining to the activities of the company as well as these Rules of Procedure.
- All relevant employees must keep themselves up to date with any amendments to the legislation and with other legal acts published on the website of the Financial Intelligence Unit at http://www.politsei.ee/et/organisatsioon/rahapesu/.
- A copy of these Rules of Procedure shall be available to all relevant employees.
What is money laundering?
- The conversion or transfer of property derived from criminal activity, or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property, or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions.
- The acquisition, possession or use of property derived from criminal activity, or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein.
- The concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such an activity.
What is terrorist financing?
- The allocation or raising of funds to plan or perform acts which are deemed to be acts of terrorism or to finance operations of terrorist organisations, or in the knowledge that the funds allocated or raised will be used for the aforementioned purposes.
What is a risk country?
- Countries or regions of interest where the risk of money laundering or terrorism is high. A risk country is a country or jurisdiction that:
- According to credible sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective AML/CFT systems.
- According to credible sources has significant levels of corruption or other criminal activity.
- Is subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations.
- Provides funding or support for terrorist activities, or that has designated terrorist organisations operating within their country, as identified by the European Union or the United Nations.
What is a high-risk country?
A country specified in a delegated act adopted on the basis of Article 9(2) of Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. The current list is available here:
Who is a politically exposed person (PEP)?
- A natural person who performs or performed prominent public functions as well as their family members and close associates. Persons who, by the date of entry into a transaction, have not performed any prominent public functions for at least one year, as well as their family members or close associates shall not be considered politically exposed persons.
- For the purposes of these Rules of Procedure, the following persons shall be persons performing prominent public functions:
- a head of State, head of government, minister and deputy or assistant minister;
- a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors, or of the board of a central bank;
- an ambassador, a chargé d’affaires or a high-ranking officer in armed forces;
- a member of an administrative, management or supervisory body of a State-owned enterprise;
- a director, deputy director or member of the board, or equivalent function, of an international organisation, except middle-ranking or more junior officials.
- The following persons are considered family members of a person performing prominent public functions:
- the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or a local politically exposed person;
- a child and their spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or local politically exposed person;
- a parent of a politically exposed person or local politically exposed person.
- The following persons are considered close associates of a person performing prominent public functions:
- a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a politically exposed person or a local politically exposed person;
- a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person or local politically exposed person.
- The following persons shall be local politically exposed persons:
- a person who is or who has been entrusted with prominent public functions in Estonia, another contracting state of the European Economic Area, or in an institution of the European Union.
What is the MLTFPA?
- The legal act that regulates the activities of credit and financial institutions, other undertakings and institutions specified in the Money Laundering and Terrorist Financing Prevention Act and the Financial Intelligence Unit which involve the prevention of money laundering and terrorist financing. In Estonian: Rahapesu ja terrorismi rahastamise tõkestamise seadus (RT I, 17.11.2017, 2)
Who is a Contact Person (Compliance Officer)?
- A person who acts as the contact person for the Financial Intelligence Unit ensuring the compliance with the measures put in place to prevent money laundering and terrorist financing at our company. The contact person (compliance officer) appointed in our company is: Boaz Amir, tel. +40774079740, email email@example.com
Who is a customer?
- A person or a legal entity who uses, or has used, one or several services offered by our company.
Who is a relevant employee?
- A person who is conducting KYC/AML measures about the customer in our company.
What is a business relationship?
- For the purposes of these rules of procedure, a business relationship is a continued contractual relationship with a customer.
What is transaction monitoring?
- Every single investigation conducted by an employee about a customer.
Who is an ultimate beneficial owner of a legal entity (UBO)?
- Ultimate beneficial owner refers to the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal entity or arrangement. References to “ultimately owns or controls” and “ultimate effective control” refer to situations in which ownership/control is exercised through a chain of ownership or by means of control other than direct control. This definition should also apply to a beneficial owner or a beneficiary under a life or other investment-linked insurance policy. A UBO is a private individual owning or controlling more than 25% of a legal entity.
What is the Financial Intelligence Unit?
- A separate structural unit of the Estonian Police and Border Guard Board that exercises supervision and uses enforcement powers of the state on the grounds and pursuant to the procedure prescribed by law.
- Postal address: Rahapesu andmebüroo (RAB), Tööstuse 52, 10416 Tallinn; e-mail: firstname.lastname@example.org
- Web-based reporting form: https://www.politsei.ee/et/organisatsioon/rahapesu/saada-teade.dot
Standard procedure for customer identification and verification (on-boarding customers)
- The relevant employee must identify all customers who want to use our company’s services on the basis of an identity document and shall record the identification and transaction data regardless of whether the customer is a regular customer or not.
- A person must be identified:
- prior to establishing a business relationship;
- upon suspicious customer behaviour;
- upon verification of information or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered beforehand while updating relevant data.
- If the customer is a private individual, he or she must provide:
- their full name;
- their personal identification code or, if none, the date and place of birth and the place of residence;
- if the customer is in fact representing another private individual being the real customer (under a power of attorney, or in the case of inheritance, or any other way) information on the identification and verification of the right of representation and scope thereof and, where the right of representation does not arise from law, the name of the document serving as the basis for the right of representation, the date of issue, and the name of the issuer;
- whether the customer is a politically exposed person (PEP), a family member of a PEP or a person known to be a close associate of a PEP.
- The following valid documents serve as basis for identification:
- an identity card;
- an Estonian citizen’s passport;
- a diplomatic passport;
- a seafarer’s discharge book;
- an alien’s passport;
- a temporary travel document;
- a travel document for a refugee;
- a certificate of record of service on ships;
- a certificate of return;
- a permit of return;
- a foreign citizen’s passport;
- an ID card of a citizen of the European Union;
- a driving licence if the document shows the name, photo or face image, signature or signature image and date of birth or personal identification code of its holder.
- In identifying a person, the relevant employee is obliged to check the validity of the identity document, make sure the person matches the information on the document and check the age of the person. If in doubt about the identity of the person, the relevant employee is obliged to request additional information about the person. If the customer sends a document that does not match the person or is invalid, the relevant employee must refuse the customer registration and notify the Compliance Officer.
- The relevant employee verifies the correctness of the customer data, using information originating from a credible and independent source for that purpose. Where the identified person has a valid document specified in 3.3 or an equivalent document, the person is identified and the person’s identity is verified on the basis of the document or using means of electronic identification and trust services for electronic transactions, and the validity of the document appears from the document, or can be identified using means of electronic identification and trust services for electronic transactions, no additional details on the document need to be retained.
- If the customer is an Estonian legal entity (for example a company), it must provide:
- the name or business name of the legal person;
- the registry code or registration number and the date of registration;
- the names of the director, members of the management board or other body replacing the management board, and their authorization in representing the legal person;
- the details of contact information to the legal person.
- The relevant employee identifies a legal person based on a registry card of a relevant register, a registration certificate of a relevant register, or another document equal to such card or certificate.
- The relevant employee must identify the beneficial owners (UBOs) and, for the purpose of verifying their identities, take measures to the extent that allows the relevant employee to make certain that he/she knows who the beneficial owners are, and understands the ownership and control structure of the customer, or of the person participating in the transaction.
- The relevant employee verifies the correctness of the information of a legal entity, using the information originating from a credible and independent source for that purpose. When the relevant employee is able to verify the information through such direct access, the submission of the documents specified in 3.7 does not need to be demanded from the customer.
- If the customer is a foreign legal entity (for example a company), it must provide, in addition to the information in section 3.6, a Commercial Registry (or Company House or similar, depending on the country of origin) extract for the legal entity authenticated by a public notary and/or legalised and/or certified with an Apostille, unless otherwise provided for in an international agreement, also showing the rights of representation for that legal entity.
- A representative of a legal person of a foreign country must, at the request of the relevant employee, for example when the right of representation does not appear in the submitted document/s, submit a document certifying his or her powers (a power of attorney), which has been authenticated by a public notary and/or legalised and/or certified with an Apostille, unless otherwise provided for in an international agreement.
- The relevant employee may ask for additional information about the customer in case of any suspicion about the customer’s identity information or the customer’s behaviour. Such additional information should be relevant to the raised risks and, when obtained, may prove that the risks are in fact explainable.
- The relevant employee shall also collect information about the devices the customer uses and their location and add this to the customer KYC file.
Simplified and Enhanced Due Diligence Procedure
- The company does not apply a simplified due diligence procedure in its activity.
- The relevant employee shall undertake enhanced due diligence (EDD) if there is a higher risk of money laundering or terrorist financing such as:
- there are doubts as to the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner;
- the customer is a politically exposed person (except for a local politically exposed person, their family members or close associates);
- the customer is from a high-risk third country or their place of residence or seat or the seat of the payment service provider of the payee is in a high-risk third country;
- the customer is from a risk country, or from a territory that is considered a low tax rate territory.
- Other factors indicating a higher risk pertaining to the customer:
- When there are unusual factors in the customer onboarding, or when there are unusual transaction patterns without clear economic or lawful purpose;
- Customer is a legal person or a legal arrangement, which is engaged in holding personal assets;
- Customer is a cash-intensive business;
- The customer is a company that has nominee shareholders or bearer shares or a company whose affiliate has nominee shareholders or bearer shares;
- The ownership structure of the customer company appears unusual or excessively complex, given the nature of the company’s business.
- Other factors indicating a higher risk pertaining to the product, service, transaction or delivery channel:
- Products/services that favour anonymity;
- Payments received from unknown or unassociated third parties;
- A business relationship is established without the customer or the customer’s representative being physically met in the same place, except when a document issued by the Republic of Estonia for digital identification of a person or another electronic identification system with assurance level ‘high’ is used;
- New products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.
- The relevant employee must identify what the risks are in every particular case and undertake all appropriate measures to mitigate those risks. Depending on the case, the relevant employee may apply one or several of the following due diligence measures:
- verification of information additionally submitted upon identification of the person based on additional documents, data or information originating from a credible and independent source;
- gathering additional information on the purpose and nature of the business relationship, transaction or operation and verifying the submitted information based on additional documents, data or information that originates from a reliable and independent source;
- gathering additional information and documents regarding the actual execution of transactions made in the business relationship in order to rule out the ostensibility of the transactions;
- gathering additional information and documents for the purpose of identifying the source and origin of the funds used in a transaction made in the business relationship in order to rule out the ostensibility of the transactions;
- making of the first payment related to a transaction via an account that has been opened in the name of the customer participating in the transaction in a credit institution registered or having its place of business in the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force.
Collecting data and record-keeping
- Our company is obliged to keep all records about our customer and our customers’ behaviour in such a way that it can always be presented to inspectors checking the recorded transactions.
- The relevant employee shall put his or her name and, if the document is in a paper format, his or her signature at the end of each entry.
- The Compliance Officer is responsible for keeping all relevant data.
- The personal data of a customer, a customer’s transaction and other relevant information must be stored for no less than 5 years after termination of the business relationship.
- If a customer fails to submit all necessary documents and relevant information, or, if on the basis of the documents provided the relevant employee has a suspicion that money laundering or terrorist financing might be involved, the relevant employee shall not make a transaction with that customer and shall immediately inform the Compliance Officer and record as many customer details as possible that will later help to identify the customer.
Risk based approach
- The relevant employee analysing the customer and his/her behaviour should undertake investigative efforts that are proportional to the risk and complexity of the case and collect evidence using observations gathered in the case.
- If the relevant employee identifies any additional risks, they will need to conduct investigative research to understand these risks in the context of the case.
- Additional evidence will be needed to support the review and understanding if additional risks are identified.
- The following questions may help to determine whether a transaction is suspicious or whether there is a risk of money laundering or terrorist financing:
- Is it inconsistent with the customer’s known activities?
- Is the size of the transaction inconsistent with the normal activities of the customer as determined at the initial identification stage?
- Are there any other transactions linked to the transaction in question of which our company is aware and which could be designed to disguise money and divert it into other forms or other destinations or beneficiaries?
- Is the transaction rational for the customer?
- Has the customer’s pattern of the transactions changed?
- Is the customer’s proposed method of payment unusual?
Interaction with the customer
- The relevant employee may always contact the customer to clarify the information given or ask for additional information which is needed for the customer identification, or to address the risks of the case.
- The relevant employee should not request unnecessary or irrelevant information. A request for additional information must be related to the risks of the case, so that after the customer’s response the relevant employee may close the case or report it to the Compliance Officer. If the risk of money laundering or terrorist financing is very high, the relevant employee shall report the case to the Compliance Officer without asking for additional information from the customer.
- The relevant employee shall never express themselves using words that give a reason for the customer to understand that his/her activity is suspicious and may be a subject for further report to the Compliance Officer.
Monitoring the business relationship
- A transaction monitoring case shall be initiated based on a behaviour trigger of the customer or manually by the relevant employee or by the Compliance Officer. A relevant employee must investigate every initiated case.
- The relevant employee cannot be working on a case if the customer in question is a close person to that relevant employee, or a customer that is in any other way connected with that relevant employee.
- The relevant employee should determine what the risks of the case are. Each risk should be addressed and documented.
- The relevant employee must conduct pre-research and check whether the customer was checked previously and what the earlier concerns were.
- The relevant employee must conduct customer research to determine the customer’s profile and identify the source and origin of the funds used in a transaction.
- The relevant employee must conduct activity research on the customer and determine whether the activity is in line with the customer profile or whether the behaviour seems suspicious. Activity research includes all observations about the customer’s behaviour and any red flags in the activity.
- The relevant employee must conduct research on all the counterparties if it is applicable in the case.
- Case reviews may vary in the evidence that needs to be collected about the customer and his/her activity. The relevant employee should use a risk-based approach to address the risks proportionally.
- The relevant employee must document all the findings about the customer and customer’s behaviour which support the decision of the relevant employee about closing or reporting the case to the Compliance Officer.
Understanding the customer, the customer’s activity and the customer’s counterparties
- During the transaction monitoring case review, the relevant employee must collect enough evidence to mitigate the risks alerted. For this reason, the relevant employee should research and use the following information:
- Source of wealth or the source of funds of the transaction (employment status, role or title in a company, employer, approximate salary, additional source of income, industry type etc.);
- The customer’s age;
- Location of the customer and the customer’s counterparties;
- The history of the customer’s transactions;
- The type of transactions;
- Any negative information associated with the customer;
- Any factors that cause the customer to be considered a high risk;
- The relationship between the customer and the customer’s counterparties;
- The relationship between the customer and the customer’s place of residence;
- Other information which helps to understand the customer, the customer’s activity and its counterparties.
- After each case review, the relevant employee will make a final decision about whether to report the case to the Compliance Officer or close the case, based on the evidence collected for the case, and provide a final conclusion that supports the decision made.
- While making a final decision, the relevant employee should:
- Finish the research about the customer, the customer’s behaviour and the customer’s counterparties;
- Understand the evidence collected and look for indications of unusual activities;
- Consider each piece of evidence on its own and consider all evidence at the same time;
- If two pieces of evidence contradict each other, look at them together;
- Identify which pieces of evidence have the greatest impact on your analysis;
- Identify each piece of evidence that has the least impact on your analysis;
- Determine which theory is most strongly supported by the evidence.
Risk appetite and PEP requirements
- In order to allow a PEP to be a customer of ours, the following must be fulfilled:
- Approval from our company’s management board for establishing a business relationship with that person.
- Take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship.
- Where a business relationship is entered into, conduct enhanced ongoing monitoring of the relationship.
- The relevant employee shall refuse to onboard the customer or, if an account is already opened, block the account and report to the Compliance Officer in case the relevant employee finds out that:
- a) the customer is accessing the service from a high-risk country;
- b) the customer is under sanctions in the European Union or USA;
- c) the customer is known to be accused of money laundering or terrorist financing.
Reporting procedure of suspicious and unusual transactions
- If the relevant employee has a suspicion that he or she may be dealing with a suspicious or unusual transaction, the employee shall promptly report this to the Compliance Officer. In addition to the above-mentioned transaction and customer data, the Compliance Officer should also receive the reason for reporting and identification information about the customer.
- The relevant employee is not allowed to notify the customer about the fact that the customer has been reported to the Compliance Officer.
- In case of any suspicion, the relevant employee must notify the Compliance Officer by filling out the special notification form. The Compliance Officer must consider each report to determine whether it gives rise to grounds for knowledge or suspicion. Where such suspicion is determined, a suspicious transaction report made by the Compliance Officer shall be sent to the Financial Intelligence Unit.
- The relevant employee must report to the Compliance Officer when he or she discovers any suspicious customer’s behaviour related to money laundering, including, but not limited to:
- The customer makes transfers to other persons in different countries that do not conform to the person’s usual activities;
- The customer informs that the funds will be withdrawn by a third party acting on his/her behalf and on his/her account;
- The customer’s profile does not conform to the nature of the transaction being executed by him/her.
- In case of suspicion of terrorist financing, the relevant employee must identify the risk customer and report to the Compliance Officer if the risks belonging to a customer cannot be reasonably mitigated or explained.
- The risks of terrorist financing include, but are not limited to:
- The individual was born in a high-risk country;
- The individual is a citizen of a high-risk country;
- The individual has a place of residence in a risk country or the legal entity is incorporated in a high-risk country;
- The natural person is associated with a legal person or another entity registered in a high-risk country.
- The Compliance Officer shall have the following duties:
- Checking compliance with the money laundering prevention requirements in our company and carrying out training for the employees.
- Carrying out preliminary analysis of submitted reports about suspicious transactions and deciding whether or not to refer a report to the Financial Intelligence Unit.
- Sending information to the Financial Intelligence Unit in the case of suspected money laundering and responding to queries and precepts made by the Financial Intelligence Unit.
- Gathering information received from employees about suspicious and/or unusual actions, processing such information and keeping records pursuant to the prescribed procedure.
- Notifying the management board in writing of any problems with compliance with these internal Rules of Procedure, guidelines and other legal acts and making periodic submission of written statements on compliance with the requirements arising from the MLTFPA.
- The rights of the Compliance Officer:
- Making proposals for amending these Rules of Procedure, AML policy, and any other policies of our company that are related to anti-money laundering and the prevention of terrorist financing;
- Monitoring the activities of the employees in pursuing the measures to prevent money laundering and terrorist financing.
- Receiving data and information required for performance of the duties of the Compliance Officer.
- Making proposals for re-organising the process of submission of notifications of suspicious and unusual transactions.
- Receiving training in the field.
- The Compliance Officer may send the information or data that have become known to him or her in connection with suspected money laundering only to:
- The management board of the company or to an employee especially appointed by the management board.
- The Financial Intelligence Unit.
- A preliminary investigating authority in connection with criminal proceedings.
- The court on the basis of a court ruling or judgement.
- In the event of a well-founded suspicion concerning money laundering or terrorist financing, the Compliance Officer shall promptly report it to the Financial Intelligence Unit.
- A report shall be sent to the Financial Intelligence Unit using the web-based reporting form at https://www.politsei.ee/et/organisatsioon/rahapesu/saada-teade.dot, in writing, orally or through electronic means of communication. If a report is communicated orally, the Compliance Officer shall duplicate it in writing during the next day at the latest. Copies of the documents that serve as the basis for a transaction, as well as the data or copies of the documents used as the basis for identifying a person, shall be enclosed with the filled-in reporting form.
- The customer shall never be notified about any report sent about him or her to the Financial Intelligence Unit.
- If the activities of a customer are not, in accordance with these Rules of Procedure, fully classifiable as activities which are to be reported to the Financial Intelligence Unit, any future activities of such customer shall be under increased scrutiny. The Financial Intelligence Unit shall be notified immediately if there is a well-founded suspicion about the behaviour of the customer.
- No company, employee, compliance officer or any other person acting on behalf of our company shall be liable for any damage which may arise from non-completion or late completion of a transaction that is incurred by the customer because of suspicions about terrorist financing or money laundering that have been reported in good faith to the Financial Intelligence Unit.
- Reporting to the Financial Intelligence Unit and sending relevant information shall not be deemed to be a violation of the duty of confidentiality laid down by law or a contract and no liability prescribed by legislation or a contract shall be attributed to those persons for disclosure of such relevant information.
Internal control rules of the relevant employees
- The Compliance Officer is responsible for checking the work done by the relevant employee.
- The Compliance Officer shall check the work of the relevant employee in accordance with the following criteria:
- the work of the relevant employee does not breach these Rules of Procedure;
- the relevant employee has done sufficient research on the customer;
- the relevant employee has documented all the evidence about the customer;
- the relevant employee has made a decision relying on the evidence collected and documented.
- The relevant employee may get a low-quality notification from the Compliance Officer if the relevant employee constantly breaches the criteria set forth in 14.2. In case the quality of the employee’s work has not been improved after the first notification, this may lead to extraordinary termination.
Training for employees
- The Compliance Officer or other expert in the field of anti-money laundering shall carry out the money laundering and terrorist financing prevention training for the employees of our company.
- The Compliance Officer is responsible for carrying out regular training. Each employee shall confirm their participation with their signature. It is recommended to organize trainings when necessary, but not less than once per year.
- The Compliance Officer is obligated to provide instructions and introductory training to all new relevant employees pursuant to the prescribed procedure following the signing of the employment contract, no later than within one week after the commencement of employment by the relevant employee, and to make the new relevant employee familiar with these Rules of Procedure against signature.
- The Compliance Officer has the right to submit proposals to the management board concerning what training should be carried out.
Violation of duty to register information and keep records
Any violation of the duty to register information and to keep records as prescribed by these Rules of Procedure and in the Money Laundering and Terrorist Financing Prevention Act shall be disciplined in accordance with the law.
Requests from the Financial Intelligence Unit
Upon the request of a supervision officer of the Financial Intelligence Unit all necessary documents and information shall be provided to the inspectors immediately.