Purpose of this Document

This document is a general guide defining Anti-Money Laundering (AML), Counter Terrorist Finance (CTF), Counter Fraud Procedures, regulations and our Risk-Based approach in light of the above LAWS. It further gives you an idea of what XPESA does and how we protect ourselves and our customers from Money Laundering and Terrorist Financing threats, through thorough due diligence.

Why do I need to read this guide?

This guide is for all staff members of XPESA (employees and senior management). Our Staff is contractually bound to familiarise themselves and comply with the content of this policy. Failure to comply with the requirements of this policy would be considered a serious offence and disciplinary action may be taken including dismissal.

Why is AML and CTF important to Xpesa Limited?

The anti-money laundering (AML) and counter-terrorist financing (CTF) regime is designed to prevent our services from being used by criminals. Our obligations under the AML/CTF regime are to spot and report money laundering and terrorist financing. Failure to meet these obligations can lead to criminal penalties, substantial fines and damage to our reputation.

Will this guide help me?

The law does not specify the measures you must take to comply with its requirements, but rather sets rules within which organisations must operate. This document therefore offers information and guidance on the ways that you can perform your duties effectively and fulfil your legal obligations.

Very simply, it will help you follow the law!

(Note: Also see Annex 2, and familiarise yourself with the Bribery Act and offences)

What is Money Laundering (ML) and Terrorist Financing (TF)?

Money laundering is the process through which proceeds of crime and their true origin and ownership are changed so that the proceeds appear legitimate.

Terrorist financing is providing or collecting funds, from either legitimate or illegitimate sources, to be used to carry out acts of terrorism.

Before starting at XPESA, it is important you have a basic understanding on what Money Laundering is, why it is important to prevent it, and how we go about doing that on a daily basis.

Money laundering

Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origin of criminally derived proceeds so that the unlawful proceeds appear to have been derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages:

• Placement: The process of placing criminal property into the financial system. Cash generated from criminal activities is converted into monetary instruments, such as money orders or traveller’s checks, or deposited into accounts at financial institutions.
• Layering: Multiple transactions are undertaken designed to hide the source and ownership of the funds. Funds are transferred or moved into other accounts or other financial institutions to further separate the money from its criminal origin. This is sometimes achieved through multiple complex transactions often involving complicated offshore company structures and trusts.
• Integration: Laundered Funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or legitimate businesses.

What is criminal property?

Criminal property is the proceeds of criminal conduct. This includes any type of conduct, wherever it takes place, which would constitute a criminal offence. It includes drug trafficking, terrorist activity, tax evasion, corruption, fraud, forgery, theft, counterfeiting, black mail and extortion. It also includes any other offence that is committed for profit.

Money Laundering Offenses

The principal money laundering offences detailed in the Proceeds of Crime Act 2002 (POCA) are:

1. Concealing – a person commits an offence if they conceal, disguise, convert, transfer or remove the proceeds of crime which the person knows, or suspects, represents the proceeds of crime. (concealing or disguising its: Nature, Source, Location, Disposition, Movement, Ownership)
2. Arranging – a person commits an offence if they enter into or becomes concerned in an arrangement which they know, or suspect, facilitates (by whatever means) the acquisition, retention, use or control of criminal property

3. Acquisition – a person commits an offence if they acquire, use or has possession of criminal property which they know, or suspect, represents the proceeds of crime.

There are also secondary offences:

1. Failure to disclose – is committed when a person, knows or suspects, or has reasonable grounds to know or suspect, that another individual is participating in money laundering yet does not make a disclosure to the MLRO.
2. Tipping off – when a person knows or suspects that a disclosure has been made or that an investigation is being contemplated and yet still discloses such information to any other person which is likely to prejudice any investigation which may take place following the disclosure..

The principal and secondary money laundering offences carry a penalty of imprisonment, a fine or both. You will have a defence to a principal money laundering offence if you submit a Suspicious Activity Report (SAR) to the MLRO.

Tipping off and prejudicing an Investigation

It is an offence for someone to tip off (inform) a person suspected of money laundering that a Suspicious Activity Report has been made or there is a money laundering investigation taking place. In general a tipping off offence would occur when the action is likely to

prejudice an investigation that’s taking place.

Further, you will commit an offence if you know or suspect that an investigation is being or is about to be conducted and you interfere with documents which are relevant to the investigation.

The existence of these offences does not prevent you from making normal enquiries about your clients’ instructions. You are able to make enquiries in order to:

• Obtain further information to help you decide whether you have a suspicion, and/or
• Remove any concerns that you have

Your enquiries will only constitute an offence if you disclose that SAR has been made or that an investigation is being carried out or contemplated. It is also not tipping-off to warn your clients of your duties under the AML/CTF regime by providing them with our terms of business or our standard client care letter.

. Note:

• A tipping off offence cannot be committed if a report has not been submitted and you liaise with clients or colleagues as part of your enquiries into an unusual activity. However, you cannot mention the word suspicious.
• Tipping-off can only be committed after a SAR (including an internal SAR to the MLRO) has been made. You will not commit tipping-off by discussing your concerns with or submitting a SAR to the MLRO.

Terrorist Financing 

Terrorist Financing is Funds, however acquired, which are used to fund terrorism. Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal the origin and/or intended use of the funds.

Terrorists need funds to plan and carry out attacks. The law criminalises both participation in terrorist activities and terrorist financing.

In general terms, terrorist financing is:

• The provision or collection of funds
• From legitimate or illegitimate sources
• With the intention or in the knowledge
• That they should be used in order to carry out any act of terrorism
• Whether or not those funds are in fact used for that purpose

Terrorist Financing Offences establishes a similar pattern of offences to those contained in Money Laundering offenses, i.e:

1. Principal offences:
   • Fundraising
   • Use or possession
   • Arrangements
   • Money laundering
2. Secondary offences:
   • Failure to disclose
   • Tipping-off

All offences carry heavy criminal penalties. While the terrorist financing and money laundering regimes are different, they share similar aims and structures and run together in EU legislation. Many of the provisions mirror one another and the definitions are deliberately matched.

The Money Laundering Reporting Officer (MLRO) / Nominated Officer

A Nominated Officer is the person within an organisation (part of senior management team) who is responsible for overseeing all activity related to anti-money laundering matters.

• The MLRO has overall responsibility in ensuring compliance with the applicable AML/CTF laws and
• The MLRO will compile a report to the Board and Senior Management, which assesses the operation and effectiveness of the firm’s systems and controls in relation to managing money laundering risk. This report will be compiled
• It is the responsibility of the MLRO to maintain, update, and redistribute this document on a regular basis and following any significant regulatory changes. Responsibility for final approval of new editions lies with the

XPESA’s Nominated Officer (MLRO) is Mr. Aditya Oberoi.

XPESA’s Deputy Nominated Officer is Mr. Mohammed Sarfraz Khan.

In the absence of the Nominated Officer, the Deputy Nominated Officers will take his/her place.

The Nominated Officer’s responsibilities include:

• Deciding if disclosures should be passed on to the
• Reviewing all new laws and deciding how they impact on the operational process of the
• Preparing a written procedures manual and making it available to all staff and other stakeholders, including regularly updating this policy as and when
• Making sure appropriate due diligence is carried out on customers and business partners.
• Receiving internal Suspicious Activity Reports (SARs) from staff and
• Deciding which internal SAR’s need to be reported on to FIAU. (Also, if applicable, making a judgement call as to whether if delaying a transaction while ‘seeking consent’ from the FIAU, the customer would inadvertently be Tipped-off).
• Recording all decisions relating to SAR’s
• Ensuring staff receive anti-financial crime training when they join and that they receive regular refresher training.
• Monitoring business relationships and recording reviews and decisions
• Making decisions about continuing or terminating trading activity with particular customers.
• Making sure that all business records are kept for at least five years from the date of the last customer transaction as per
• The Nominated Officer should also keep senior management updated about SAR’s.

The nominated officer is a person who has sufficient authority and autonomy in order to make the decisions required above. The Deputy Nominated Officer shall replace the Nominated Officer when he/she is unavailable.

SAR (Suspicious Activity Report) or STR (Suspicious Transaction Report)

This is a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) which institutions must make if they suspect that a certain customer activity might indicate money laundering or terrorist financing. Institutions are required to register with their relevant authority and submit the STR when they suspect suspicious activity. Law enforcement will make a decision after an STR has been submitted. Note: Once a suspicious activity has been reported to the FIAU, until ‘consent’ is given, the transaction cannot proceed – it is frozen.

Only the MLRO can file an STR with the FIAU (Financial Intelligence Analysis Unit) via their online process. For information on the responsibilities and procedures for filing an STR with the FIAU, see http://www.fiumalta.org. An STR can be submitted online at any time of the day and an email confirmation will be received for each submission.

Employees must fill and complete the Internal STR and email it to the MLRO. Employees will have the protection of the law as soon as an STR has been submitted to the MLRO.

(see Annex 5 for the format and requirements of the Internal STR)

Once the MLRO receives the STR from a staff member, the MLRO has two options:

• Report the STR on to the FIAU
• File an internal note indicating reasons, on the basis of review of the circumstances around the transaction, it is judged not necessary to make a report to the FIAU

Note: Information that an STR has been made should never be placed on a client file

The Financial Intelligence Analysis Unit (FIAU) is a government agency established under the Prevention of Money Laundering Act (Cap 373 of the Laws of Malta). It is the entity responsible for the collection, collation, processing, analysis and dissemination of information with a view to combating money laundering and the funding of terrorism. The Unit is also responsible for monitoring compliance with the relevant legislative provisions. Financial intelligence agencies are required to treat any SARs confidentially. Where information from a SAR is disclosed for the purposes of law enforcement, care is taken to ensure that the identity of the reporter and their firm is not disclosed to other persons.

What is Suspicious Activity?

Any client activity outside the normal or expected activity should be considered unusual and must be investigated. Understanding the business or client profile is crucial. Unusual activity or transactions outside the established profile should be considered as a potential indicator of suspicious activity. Investigations should establish the reasons for the unusual activity or transaction. This may either remove or confirm your suspicion.

Identifying Suspicious Activity

Look out for any suspicious actions or activity at every dealing stage with the customer. For example, this can be an unusual remittance or a transaction amount that is not in normal line of activity.

The following list provides several types of behaviour or activity that may be suspicious and are typical signs of ML/TF. The list is not exhaustive and not conclusive. Rather employees who have contact with customers, intermediaries or counterparties should use the list as a guide for inquiry and follow up:

• Obstructive or secretive clients. The customer exhibits unusual concern for secrecy, particularly with respect to his identity, type of business or dealings with companies.
• Upon request, the customer refuses to identify or fails to indicate a legitimate source for his
• The customer exhibits an unusual lack of concern regarding risks, commissions, or other transaction costs.
• Loss-making transactions where the loss is avoidable
• The customer wishes to engage in transactions that lack business sense, or are

inconsistent with the client’s stated business/strategy.

• Transactions with no apparent logical, economic or legal purpose
• The customer appears to operate as an agent for an undisclosed principal, but is reluctant to provide information regarding the
• The customer has difficulty describing the nature of his business. The customer lacks general knowledge of his
• For no apparent reason the customer has multiple accounts under a single name or multiple names, with a large number of inter-account or third-party
• The customer is from, or has accounts in, a country identified as a haven for money
• Movement of funds between accounts, institutions or jurisdictions without reason
• Money transfers where there is a variation between the account holder and signatory (or details mismatch)
• The customer, or a person publicly or known to be associated with the customer, has a questionable background including prior criminal
• The customer account has unexplained or sudden extensive activity, especially in accounts that had little or no previous
• The customer    account    shows  numerous   currency                                  or cash transactions aggregating to significant
• The customer account has a large number of wire transfers to unrelated third parties where there is no logical connection to the client
• Complex or unusually large transactions
• The customer account has wire transfers to or from a bank-secrecy haven country or country identified as a money laundering
• Involving high risk jurisdictions
• The customer account has unusual transactions or transactions that are

disproportionate to the customer’s known business.

• Cases or instructions that change unexpectedly or at the last moment or for no logical reason, especially where:
  • The client has deposited funds with us
  • The source of funds changes at the last moment
  • You are asked to return funds or send funds to a third party Criminals are always developing new techniques so this list can never be exhaustive

Role of the Employee

If you have “reasonable grounds for knowing or suspecting money laundering”, you must report this to your Nominated Officer “as soon as is practicable”. By failing to report a suspicion an employee may be committing an offence. Do not carry out the transaction or proceed unless you have consent from the MLRO. The MLRO will review the suspicion and, if required, submit a Suspicious Activity Report (SAR) to the relevant authority. Only the MLRO or deputy may submit an external SAR. Once you have reported your suspicion to the MLRO, they will send you an acknowledgement within 24 hours. If more information is required, the MLRO will request it from you.

Note: DO NOT raise any concerns with the customer or use words to suggest you are not happy with anything as that may tip them off.

Please familiarise yourself with the below personnel as you should be working closely with them:

Nominated Officer (MLRO) is Mr. Aditya Oberoi.

In the absence of the Nominated Officer, the Deputy Nominated Officers will take his/her place.

Deputy Nominated Officer is Mr. Mohammed Sarfraz Khan.

Under what circumstances could I commit an Offence?

You could commit an offence if, when your suspicions are aroused, you:

• Wilfully turn a blind eye to the obvious, or Fail to adequately ascertain the facts, or Fail to make adequate enquiries to assure yourself of the legitimacy of the transaction.
• Fail to report your suspicions to the MLRO
• Tip-off any

What do you mean by ‘Suspicion’?

Suspicion can occur in circumstances that suggest to a reasonable individual that a person might be laundering money. Suspicion must be more than a mere hunch. Any activity that does not fit with the normal course of business, or is not normal for a particular client should be regarded as suspicious.

What do you mean by a Transaction?

A transaction is anything you carry out by way of business. Suspicion indicators for new customers can include:

• Checking their identity is proving difficult,
• The customer is reluctant to provide details of his/her identity,
• There is no genuine reason for the customer to use the services of a merchant, and
• Where transactions involve international transfers or foreign currency, the explanation for the business and the amount involved is

Suspicion indicators for regular and established customers include the:

• Transaction is different from the normal business of the customer,
• Size and frequency of the transaction is not consistent with the normal activities of the customer, and
• Pattern of transactions has changed since the business relationship was

How do I report my suspicion to the Nominated Officer?

You should report the grounds for your suspicion to your Nominated Officer by filling out the internal SAR form. You should include full details of the identification you have and any other customer information you have.

When should I report my knowledge or suspicion to the Nominated Officer?

You must do this as soon as is practicable after you have reasonable grounds for suspicion.  If you do not do this you may be committing an offence. This may mean either before the transaction takes place or immediately afterwards

What does “as soon as is practicable” mean?

This means as soon as you reasonably can. Internal reporting lines to your Nominated Officer should be short in order to avoid delay.

What if I become suspicious before I complete the transaction?

You should make an internal report before the transaction is completed and wait for consent from your Nominated Officer before you complete the transaction.

What should I say to delay the transaction without “tipping off” the customer?

Give the customer an excuse that fits the circumstances. In difficult cases speak to your Nominated Officer or manager.

If I think delaying the transaction would “tip-off” the customer, can I go ahead?

Ask your Nominated Officer. They may let you proceed with the transaction, but this should not be done routinely. The reason why you think delaying the transaction would “tip off” the customer must be included in your report. If the MLRO gives you consent to proceed with a transaction, then that consent only applies to that specific transaction. If the client requests further activities or transactions, further consent is required from the MLRO even if you do not have a suspicion.

What should I do if the customer asks for his money back before I get consent from the Nominated Officer?

Seek advice from the Nominated Officer urgently.

What if I become suspicious after the transaction has taken place?

Make an internal report to your Nominated Officer as soon as you can.

What if I refuse the business?

If you refuse the business because you are suspicious, you must still make a disclosure to the Nominated Officer. You must obtain evidence and keep records of the customer’s identification as soon as you become suspicious.

Seeking ‘Consent’

‘Consent’ means either that the staff member has sought approval from the MLRO, or that the company has sought and obtained approval from the Financial Intelligence Analysis Unit to process the transaction.

NOTE: If in doubt about whether to proceed with a transaction, the employee should contact the MLRO for advice. All staff members will have fully discharged their duties, and will have the full protection of the law, once a report of their suspicions has been made to the company MLRO or to the FIAU.

Where can I find more information?

Industry guidance aimed at combating money laundering and terrorist financing places various obligations on firms and individuals. These include, but are not limited to, all or parts of the following:

Check out the following website that contain the details of different issues discussed in this document and is likely to be useful during your time with us:

1. Joint Money Laundering Steering Group Guidance Notes: jmlsg.org
2. Financial Action Task Force (“FATF”): http://www.fatf-gafi.org/
3. Office of Foreign Assets Control (OFAC):treasury.gov/ofac
4. Financial Conduct Authority(FCA) issued guidance and FCA Senior Management Systems and Controls (SYSC) Handbook: fca.org.uk
5. HM Revenue & Customs (HMRC): hmrc.gov.uk which has detailed information on anti-money laundering regulations.
6. HM Treasury: hm-treasury.gov.uk
7. FinCEN advisory list: https://www.fincen.gov/
8. MFSA: https://www.mfsa.com.mt/pages/viewcontent.aspx?id=488
9. FIAU: http://www.fiumalta.org/report-suspicious-transaction for Suspicious Transaction Reporting (STR)

See also:

• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
• The Terrorism Act 2000 (as amended by the Anti-Terrorism Crime and Security Act 2001)
• Proceeds of Crime Act 2002 (as amended by the Serious Organised Crime and Police Act 2005 and the Criminal Finances Act 2017)
• The Serious Crime Act 2007

Due Diligence

Satisfactory Client Due Diligence (CDD) must be completed prior to the establishment of a business relationship. Such CDD measures include:

• Identifying the customer and verifying that customer’s identity
• Identifying the beneficial owner and taking reasonable measures to verify the identity of the beneficial owner. For legal persons and arrangements this includes understanding the ownership and control structure of the customer
• Understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship
• Obtaining information on the source of funds/wealth to be used in the business relationship

Enhanced Due Diligence (EDD) means applying additional due diligence measures to customers that pose a higher risk of ML/TF and monitoring the customer’s transactions more frequently.

EDD must be applied during the following situations:

• Where there is a high risk of money laundering/terrorist financing
• In any business relationship with a client established in a high risk country
• If the client is a Politically Exposed Person (PEP), or a family member or known close associate of a PEP
• In relation to a correspondent relationship with a credit or financial institution from a third country
• In cases where the client has entered into transactions that are complex and unusually large, or there is an unusual pattern of transactions, or transactions have no apparent economic or legal purpose

All applications deemed high risk must be referred to the Compliance department for approval

‘KYC’ – What does ‘Know Your Customer’ mean?

KYC means obtaining information about a customer over and above the required ID.

The purpose of this is to reduce the risk of your business being used for money laundering. Asking your customers questions such as their reason for establishing business with you, the source of their funds and the anticipated level and nature of the activity to be undertaken can increase the likelihood that you will detect suspicious activity.

Under the MLR 2017, due diligence must be conducted not only on all new customers but also at appropriate times to existing customers on a risk sensitive basis, or when relevant customer change, or when the obliged entity has any legal duty. Moreover, Simplified DD will no longer be applicable in the vast majority of cases – all transactions/clients require a degree of risk assessment to demonstrate that it presents a lower risk and requires sufficient on-going monitoring. CDD represents the base level of due diligence that must be taken under the MLR. EDD must be undertaken for a complete and verified onboarding process.

‘UBO’ – Ultimate Beneficial Owner

Is the person or entity that is the ultimate beneficiary of the company.

The beneficial ownership term is used to help recognise situations where the person in whose name an account is opened is not necessarily the person who ultimately controls the account. Therefore, one of the focal points of XPESA’s AML processes is to focus on identifying people who have beneficial ownership of a XPESA account.

For natural person applicants, applying for an account in their own name, it is reasonable to presume that he or she is the beneficial owner. There are circumstances when this presumption may become inconsistent with the original information provided and activity anticipated on the account. In these circumstances closer investigation into the mechanics of the accounts operation will be carried out.

For corporate applicants it is very important to establish who the beneficial owners are. A beneficial owner is any natural person either owning or controlling 25% or more of the shares or voting rights in the legal person; or any natural person who exerts ultimate control over the legal person through its management or otherwise.

In relation to a legal arrangement that is a trust, a beneficial owner is the settlor, trustees, beneficiaries (or class of beneficiaries if no named beneficiaries) and any individual who has control over the trust.

Nominee Director(s) & Nominee Shareholder(s)

A person or entity that holds the position or shares on behalf of the UBO

Generally, XPESA should not accept any clients where it is evident from the structure, or when the client discloses, that they have a nominee director(s) and/or nominee shareholder(s).

Any exceptions must be approved by the MLRO/Compliance team who will review each request on a case by case basis. Factors taken into consideration will include country of incorporation, nature of business, ability to identify the nominator(s), whether the nominee is licensed and whether the relevant company registry has been notified of the nominee structure.

Customer Due Diligence (CDD) Process:

CDD is the process identifying and verifying customers. It is designed to make it more difficult for the financial service industry to be used for money laundering or terrorist financing. Having sufficient information about your customer and making use of that information is one of the most effective defences against being used to launder the proceeds of crime.

XPESA needs to carry out CDD in order to satisfy themselves that customers are who they say they are and know if they are acting on behalf of another. It will then assist in determining that there are no legal barriers to providing the customer with the product or service requested, and to enable XPESA to assist law enforcement by providing available information on customers or activities being investigated.

For Business clients, we also check their details against the Registered Companies database in the country of incorporation. For example ‘Registry of Companies’ in Malta and ‘Companies House’ in the UK.

The following procedures will be helpful in identifying prospective customers who may present money-laundering risks. While not all of these procedures are necessary in every instance, they should be considered and documented as part of standard account opening procedures.

In all cases, prior to taking on a new customer or engaging in a transaction with a customer with whom you do not have well-established relationship, you need to complete sufficient due diligence to have confidence in the integrity of the customers and the lawfulness of the proposed transaction.

1. Make reasonable efforts to determine the true identity of all customers and the legal and beneficial ownership of all accounts
2. Determine the customer’s citizenship, home and business addresses, occupation or

type of business. Where appropriate, obtain supporting documentation

3. Inquire whether the customer will have the sole interest in the account or whether there will be other persons who will have access to it. Verify the identity of all such persons and engage in any necessary due diligence regarding such other persons
4. If the customer is not an individual;
   1. Determine the legal status (e.g., corporation, partnership or other form of entity)
   2. Determine whether the customer is regulated, either in the UK or a foreign country
   3. Determine all principal persons of the customer, such as officers and directors, or persons who have a substantial beneficial interest (i.e. own more than 25% share in the company). As per the MLR, XPESA shall ensure that for corporate and other legal entities, we obtain and hold adequate, accurate and current information on their beneficial ownership. This includes details of beneficial interests held
   4. Obtain copies of all relevant organisational documents
5. Identify the source of the customer’s funds
6. Screen the customer for; (Persons holding over 25% equity are subject to screening)
   1. Matches under the OFAC list, FinCEN advisory list, HM Treasury list
   2. The FATF or OECD black/grey list which has been issued by the Financial Action Task Force since 2000 and lists countries which it judges to be non- cooperative in the global fight against money laundering and terrorist financing, calling them “Non-Cooperative Countries or Territories” (NCCT)
7. Where appropriate, obtain information regarding the frequency with which the customer expects to transact funds, i.e. weekly, monthly, quarterly
8. Where appropriate, obtain and contact reputable references, such as professionals and other members of the financial industry, banks, securities companies,
9. Government Officials and Foreign Bank Accounts;

Special procedures apply for accounts for the benefit of senior government and political figures (Politically Exposed Persons or PEP), particularly from certain

countries, and for accounts opened by or through foreign banks. You must consult the Compliance Officer if a customer is a possible PEP.

Under the 2017 MLR, the definition of PEP has now been widened to include domestic individuals occupying prominent public positions. Firms need to assess the risks posed by PEPs, their family members and their known close associates on a case-by-case basis and tailor the extent of enhanced measures accordingly (please see below). EDD is a sliding scale and it is right that low-risk PEPs should be treated at the lowest level, just as it is right for high-risk customers to face more stringent measures. A full risk assessment should be undertaken as usual. Currently XPESA is not opening accounts for high-risk PEP’s. (See Annex 3)

10. Accounts through an Intermediary;

Where accounts come through an intermediary, XPESA must either perform due diligence with respect to the account or satisfy itself that the intermediary has performed the type of due diligence with respect to the account that would satisfy the XPESA’s “Know Your Customer” policy.

1. The scope of this due diligence will vary depending upon XPESA’s historical relationship with the intermediary, whether the intermediary is itself a regulated entity and the jurisdiction in which the intermediary is located. The Compliance Officer should be consulted as to the type of due diligence necessary for a specific
2. At a minimum, due diligence of an intermediary should include a review of the intermediary’s anti-money laundering procedures. Where appropriate, representations from the intermediary as to its compliance with its procedures may be
3. Generally speaking, except for intermediaries who are regulated in an appropriate jurisdiction or are well-known by XPESA to have proper anti- money laundering procedures in place, you should perform reference checks through published sources and

11. Counterparties;

The same rules set out in item 10 above also apply to transactions with counterparties on behalf of our customers. For this purpose, counterparties include private transaction counterparties and banks and other dealers, agents and intermediaries. While a relatively low level of due diligence will be required for counterparties who are regulated within a country known to have appropriate and well-enforced anti-money laundering regulations, other counterparties will require the same level of due diligence as clients.

Enhanced Due Diligence (EDD) Process:

EDD refers to the additional measures to be taken on top of, and in addition to, CDD measures as explained above. XPESA must apply EDD measures on a risk-sensitive basis in any situation which may present a higher risk of money laundering or terrorist financing.

As part of this, you may conclude, under the risk-based approach (RBA), that the standard evidence of identity is insufficient in relation to the money laundering and terrorist  financing risk, and that you must obtain additional information about a particular customer. The extent of additional measure taken and information sought, will depend on the money laundering or terrorist financing risk that the customer, or category of customer, present to the business.

Examples of when EDD need to be applied:

• Any transaction where there is a high risk of money laundering or terrorist financing
• Any transaction with a person established in a high-risk third country
• Transactions involving PEPs,
• Where a product or transaction is considered by its nature to be higher risk
• in any case where the relevant person discovers that a customer may have provided false or stolen identification documentation or information and the relevant person proposes to continue to deal with that customer
• in any other case which by its nature can present a higher risk of money laundering or terrorist financing

Additional measure under EDD may also include, among other things:

• seeking additional independent, reliable sources to verify information provided or made available to the relevant person;
• obtaining and verifying proof of the customers or beneficiaries source of funds
• taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;
• taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
• increasing the monitoring of the business relationship, including greater scrutiny of transactions.

Transaction Thresholds (Tier System)

XPESA implements financial transaction thresholds and specifies the level of DD which must be applied. For HNWI and Corporates, the thresholds will be decided on a risk-based approach and therefore will vary depending on the client. But as a default, we all must adhere to the thresholds stipulated within this policy.

DD               (level of Due Diligence applied) M         (Account Monitoring)

+  (Supplemented/Enhanced)

Note:

• CDD is the minimum requirement for an Account to be activated.
• The above table only takes into account the ‘Transaction size’. There are many other factors which determine the level of DD and Monitoring that will be applied to an account. (Risk Based Approach)

Note: For Information on Monitoring, please refer to the separate section within this document.

Account Opening Process

There are two ways to open an account with XPESA.

1. The Xpesa App. This is for Individuals; the app is available for download on The App Store and the Google Play
2. Contacting us through our website (Xpesa.io). This method is for corporate clients.

Individual Account

Tier 0 (Account Sign up)

A Customer can sign up via our app by entering the following information:

• Email
• Mobile number

Both are verified by sending a link to the email address and an SMS to the mobile number. An account number is assigned, login credentials are created, however Customers can only browse the app – no funding (fiat or crypto) or trading is permitted.

Tier 1 (Basic Account)

After browsing the app, a customer can proceed with the on-boarding process by submitting the following:

• Screen 1: Personal ID
  • Citizenship
  • Full name
  • DOB
  • Proof of ID –valid, in colour, with photo (document is uploaded via app)
• Screen 2: Address
  • Country of Residence
  • Complete Address
  • Proof of Address -dated within last 3 months (document is uploaded via app)
• Screen 3: Bank Account information
  • Account details
  • Bank Account Statement (document is uploaded via app)

All individual account holders would have to provide the above. Once all fields have been filled and documents uploaded, our back office will carry out all relevant DD checks mentioned throughout this document and approve successful customers- only then will the accounts to be activated and operational.

Note:

• Sanctioned, blacklisted and other countries that XPESA has chosen not to operate in due to high ML/TF and other risks will not be available from the drop- down list of countries and hence customers will not be able to open
• Customers may be asked for more information via email before approval, due to insufficiency of proofs submitted and/or other risk factors, geographic location etc.

Tier 2 (Higher Limits)

Due to increased limits, customers are subjected to:

• Additional CDD
• Verification of information provided through independent, reliable sources
• AML/CTF screening
• Enhanced monitoring

Additional information may be requested with supporting documentation (proof) regarding the following (but not limited to):

• Occupation, CV/Resume
• Source of Funds (proof or declaration)
• Professional References
• Certified documents (or certification of documents already provided)
• Sending post to customer address and verifying contents in letter
• details regarding the nature of certain transactions

Note: Customers can request to increase their tier by contacting to us on Support@xpesa.io

Tier 3 (HNWI)

Full measures of EDD will be applied, including all available tools to monitor all transactions. In addition to the above, the following may be required (but not limited to):

• second proof of ID (or certification of first ID)
• additional proof of address (or certification of first PoA)
• Greater scrutiny of transactions
• Blockchain activity monitoring Limits will be based on a risk analysis

Note: Requests to increase limits can be made by contacting the customers’ account manager or by writing to us on Compliance@xpesa.io

Refer to Annex 4 for types of acceptable verification evidence.

Payments: We only accept funds from the verified bank details in the customers’ name provided by the customer. Similarly we only transfer out to the same verified bank account. We do not make or receive any 3^rd party fiat transfers. If a customer changes his bank details, the new account is verified beforehand and/or a deposit from the new account is required prior to a withdrawal. (currently XPESA does not accept cards)

Corporate Account

Customers wishing to open a corporate account with us will need to download our ‘Registration Form’ from our website. After filling it in, they will need to email it to us at Compliance@xpesa.io, and within 48 hours of submitting it they will be contacted by telephone or email by a member of our team who will provide further information on what details need to be submitted before the account can be approved.

Details will include:

• A completed XPESA Corporate Account Application Form with signed T&Cs

• Certificate of Incorporation (Registered name, number, date, registered address)
• Any other DBA / Trading
• Memorandum and Articles of Association or equivalent
• Certificate of Good Standing and Certificate of Incumbency (where applicable)
• Proof of registered address and business address (if different) – recent utility bill, rental agreement, bank statement or similar dated within the last three months
• Extract from appropriate company register (showing Directors and Shareholders)
• Details of all relevant persons (i) Shareholders/Beneficial Owners structure (those persons or entities which hold 25% or more shares), (ii) Directors and (iii) personnel who will be operating the account on behalf of the business, including proof of Identity and proof of address for all relevant individuals. (Note: full KYC must be carried out on all individuals listed)
• Letter or sign off from the directors confirming which named individuals have authority to act on behalf of the company
• Where a Power of Attorney exists, KYC must be carried out on that individual/entity.
• Where immediate beneficial ownership of a company is another corporate entity, further documentation will be required for that entity (and any further entities) in order to establish ultimate control and/or beneficial ownership (i.e. identifying natural persons)
• Information regarding the nature of their business; including the amounts of money involved and the expected frequency of transactions. During this stage, the reason for using the services, the nature and level of the activity to be undertaken and the origin and destination of the funds should be clarified and noted.
• Any business related certification
• Length of establishment
• Turnover of the business, its size and number of employees
• Organisational Structure Chart
• Company bank statement
• Latest Annual Return (where available)
• If necessary, history of any changes to company structure (Directors, UBO)
• AML Policy if relevant
• Any other relevant information regarding the business operations relating to use of our interface/platform,
• If necessary additional information may be requested by XPESA depending on

clients’ risk rating.

• If deemed necessary, it may be requested that all or select KYB/KYC information to be certified as a true copy of the original by, especially if they are required to be translated into

Please note, Individual and Business account limits can be negotiated and tailored to the customers’ requirements. A risk based assessment will be made to determine the level of DD and monitoring that should be applied.

Note: Sanction and PEP checks must be carried out on all individuals / company and all key controllers/owners of company. Also refer to XPESA’s restricted country / client type list.

Note: If it is proving difficult to identify a new customer or questionable ID is provided, be on guard and refer the case to the Nominated Officer for guidance, who will either advise you on how to proceed or decide to generate an STR.

Note: All hard and soft copies of documentation from Individual/corporate customers will be retained for a minimum period of five years after account closure. All verified documents should be reviewed annually, (as well as random and systematic checks throughout the year) to ensure that they are:

1. still relevant to the activity being carried out by the customer and
2. still valid (i.e. the ID/company documents provided have not expired, the company registered details and key company personnel details are still the same).

Documentation requiring Certification

In Certain cases, certified copies of the original may be required, for example:

• Corporates incorporated in a high risk jurisdiction must provide certified copies of their corporate
• High Risk individuals who are unable to provide TWO proofs of identity must also provide certified copies of their KYC documentation as detailed
• Certification of documentation must also be requested when there is doubt on the client’s reliability or the veracity of the information supplied
• If a document is translated into English (original must also be provided)

NOTE:

1. Where copies of documentation require certification, the person giving certification must be either:
   • An authorised representative of an EU regulated financial institution (at least level of director, or equivalent), or;
   • A notary public, lawyer, attorney, accountant or a bank which is subject to anti money laundering regulation or;
   • An official of an embassy, consulate or high commission of the country of

1. Documents must be signed and dated by the person who sighted the original, and accompanied by the following statement:

”Having seen the original I certify that this is a true copy”.

The name and contact details of the individual undertaking the certification must be provided as well as a company stamp. Where a company stamp is not available (e.g. independent professionals), evidence that the individual certifying the documentation is authorised to do so must be requested. Such evidence may include, for example, a practising certificate.

1. Where documents have been translated into English, translated transcripts must be signed, stamped, and dated by an official independent translation service provider and accompanied by a copy of the original foreign language document. The name and contact details of the person/company translating the documents must be clear and in

Compliance Approval

Once all relevant documentation has been obtained, all applicants that are deemed high risk must be referred to the compliance department. All high risk applications must be approved by the compliance department with the MLRO having oversight, before an account can be opened.

The compliance department may request certain applicants or existing clients provide additional documentation and information in order to satisfy (or continue to satisfy) both internal procedures and/or regulatory requirements. The compliance department reserves the right both to refuse an application at any point in the account opening process, and to suspend or close the account of an existing client.

Where a member of the compliance department provides discretionary approval for an application that does not satisfy the relevant requirements in KYC documentation, a written explanation of the rationale used for the approval must be saved in the client file.

Reliance on Third Parties

XPESA is able to place reliance on the CDD conducted by a third party where the third party is;

• A person who carries on business in the UK who is subject to the requirements of the ML Regulations
• A person who carries on business in another EEA State who is subject to, and supervised for compliance with, the requirements of 4MLD
• A person who carries on business in a third country who is subject to, and supervised for compliance with, CDD and record keeping requirements equivalent to those laid down in 4MLD

There must be a written agreement that confirms that the firm being relied on will provide the relevant CDD documentation immediately on request. The firm being relied upon must also retain copies of the CDD conducted for at least 5 years.

Where XPESA relies on a third party to carry out CDD measures, XPESA must immediately obtain from the third party all the information needed to identify the customer or beneficial owner

Compliance and Monitoring Software/Tools

AML Screening:

XPESA uses a combination of leading electronic identity verification & financial sanctions and adverse media screening service providers, which help companies meet their AML compliance obligations to the standards outlined by the Joint Money Laundering Steering Group (JMLSG) guidance.

They ensure that we are fully AML compliant and keep a paperless audit trail (for 5 years) of our compliance checks as evidence.

They assist us in managing and mitigating AML risks and allow us to perform enhanced due diligence checks by cross referencing hundreds of global databases that help us:

• Verify customers ID and address
• Verify corporate details
• screen potential and existing customers against global and domestic PEPs and Sanctions databases
• screen against adverse media and other sources
• Enable on-going monitoring of existing clients

Their software incorporates screening of names against a full array of lists published by financial sanction authorities such as OFAC, HM Treasury etc. and relevant watch lists, as well as capturing adverse media information.

Their databases are maintained and updated whenever there is a change in circumstances regarding an individual, entity, country or changes in regulations and laws

An Existing client list (individuals and corporations) can be provided to them, and through their on-going monitoring feature, instantly alert us to any change in circumstances regarding our clientele. Where an existing client is highlighted, the MLRO will be informed immediately, and where the name match is confirmed the account will be closed and funds in the account treated as per regulatory guidance.

We also keep an eye on general information and news available on broadcasting media and the internet. If there is a reference to a client, or a country is added or removed from a sanctions list, appropriate action is immediately taken.

Note: More information on checks and compliance can be found in Annex 1 & 3.

Blockchain Monitoring:

XPESA understands the inherent risks posed by cryptocurrencies and how they can be used to facilitate financial crime. In order to mitigate some of those risks, XPESA will be using a monitoring tool software provided by a leading company in this arena, which analyses and reports activity on the blockchain, and helps us comply with AML and compliance regulations.

Ongoing Monitoring

Once a business relationship is established XPESA must conduct ongoing due diligence on the business relationship and scrutinise the transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with our knowledge of the customer, their business and risk profile, including, where necessary, the source of funds. This includes:

• Transaction Monitoring
• KYC/KYB refresh – ensuring client information is up to date

Transaction Monitoring

All clients will be subject to monitoring in order to detect suspicious activity relating to ML and TF. At all times, relevant staff members should be alert to questionable activities, such as large transactions, as well as to high volume and seemingly inconsistent transactions

• The daily deposits and withdrawals reports are used to identify ML or KYC anomalies. Daily deposits and withdrawals over a certain threshold are compared to the KYC and appropriateness information supplied at account registration. Where an anomaly is identified, further investigation is undertaken by the Compliance department.
• Similarly, deposits followed by withdrawals with minimal trading activity will be looked at in more

If required, appropriate measures will be taken:

• Where appropriate, enhanced monitoring of particular accounts is undertaken
• Where the activities are considered potentially suspicious, they will be referred to the MLRO / Deputy MLRO for account

KYC/KYB Update and Review

To ensure customer information is kept up to date, XPESA undertakes periodic review of client information. The frequency in which client information is reviewed is dependent on client risk rating. High risks clients are reviewed every 12 months, Medium risk clients every 24 months and Low risk clients every 36 months.

A review of the account involves clients confirming their registration details and the compliance department reviewing the account activity to determine whether the client has funded and traded in line with our expectations.

All High risk clients are to be reviewed on a yearly basis to determine whether the account is be retained or exited. The review takes into account a range of factors including the risk profile, KYC refresh, transaction patterns and screening results.

Existing accounts will be screened against negative media, new notices, bulletins or additions to the list of countries, entities or individuals on the OFAC and other relevant web sites (such as HM Treasury, FATF and FinCEN) to determine if any current customer appears on those lists and to take appropriate action if a match occurs.

Further to this and in addition to monitoring of accounts as outlined above, certain clients may be required to provide additional information and documentation on a more frequent basis. Such clients will include, but not be limited to, certain higher risk clients, and those who may give cause for concern as to their activities. Where requests for documentation and information are refused, the Compliance department / MLRO reserve the right to suspend or close any account.

In the event an active client alters their address details, a documentation request for proof of the new residence will be made. Similarly, if the customer wishes to amend, update his status or change any other details, proof will need to be obtained and verified.

All customers should be made aware that information is held for 5 years as per MLR guidelines – random checks may be made on information supplied and if any details are incorrect, customers will be suspended from the system until the customer supplies the updated personal information. Staff should particularly take care to make sure that customer ID information previously supplied is still valid (and that ID documents have not expired).

KYC refresh will also be required if:

1. Account is dormant (inactive for six months)
2. Account is closed (inactive for 12 months and has zero balance)

Staff Training and Reporting

The effectiveness of the AML Procedures is dependent on all employees following the basic rules. XPESA and its MLRO are required to take appropriate measures so that all relevant employees are made aware of the law relating to money laundering and terrorist financing (and their obligations), and that they are given regular training on how to recognize and deal with transactions and other activities which may be related to money laundering or terrorist financing.

The MLRO has full responsibility for oversight of the firm’s AML systems and controls, which

include appropriate training for the firm’s employees in relation to money laundering.

All new employees must be made aware of their own responsibilities at the start of their employment during induction. Frequency of training will be undertaken on a risk sensitive basis. Higher risk and higher responsibility employees i.e. those dealing with customer applications authorisation and transactions will receive role specific refresher training regularly. Others will be given basic training and will be repeated every 12 months as a refresher. We will also carry out training where there has been a substantial change in the law, and there will be monthly training sessions on various other relevant topics.

Training will also be provided by an AML specialist and/or an external training course provided by money laundering training specialists to relevant staff. These types of training will be for staff directly dealing with KYC/AML such as client on-boarding, compliance and payments team.

All awareness training activity shall be recorded and filed by the Nominated Officer. The Nominated Officer will provide a monthly review of business activity with the staff, to ensure all procedures and processes have been adhered to with all customer registrations and ensuring that business transactions have been completed correctly.

Employee Screening

All staff are screened prior to commencement of their employment. Screening includes undertaking criminal and credit checks as well as verifying a prospective employees’ employment history, academic and professional qualifications. These checks are to ensure that the employee has the skills, knowledge and expertise to carry out their functions effectively. All staff are also assessed for competence, conduct and integrity on a regular basis during their employment.

Internal Controls and Communication

The MLR require businesses to have appropriate systems of internal control and communication in order to prevent activities related to money laundering and terrorist financing. In simple terms this means that businesses must ensure that management controls are put in place that will alert the relevant people in the business to the possibility that criminals may be attempting to use the business to launder money or fund terrorism, so as to enable them to take appropriate action to prevent or report it.

Systems of internal control and communication must be capable of identifying unusual or suspicious transactions or customer activity, and enabling prompt reporting of the details to the Nominated Officer/Money Laundering Reporting Officer (MLRO), who is responsible for making a disclosure to the Financial Intelligence Agency

The nature and extent of systems and controls that the business needs to put in place will depend on a variety of factors, including the:

• Degree of risk associated with each area of its operation
• Nature, scale and complexity of the business
• Type of products, customers, and activities involved
• Diversity of operations, including geographical diversity
• Volume and size of transactions
• Distribution channels

XPESA periodically carries out and records checks to ensure their systems are working in practice. Where systems are found not to meet with the needs of the business or at worst they are not working in practice, we will record the action we are going to take to rectify the problem. We will also look at ways to ensure that we review the systems and processes to ensure that they are fit for purpose.

AML Assurance Testing

To ensure that the CDD and KYC procedures are being adhered to, each month a random sample of all new accounts are checked by the compliance department. Any deficiencies in the KYC documentation will be highlighted to the relevant staff with further training provided if required. Senior management are informed of this monitoring through the monthly Management Information reports.

Record Keeping

XPESA will retain all records of Individuals and business customers for at least five years

from the date that the business relationship ends.

Why do we have to keep records for five years from the end of a business relationship? It’s the law. The purpose of keeping records is to enable law enforcement to reconstruct business transactions; often well after the original business has been concluded. In making and retaining records you should have in mind the need to provide a clear audit trail of the business you have conducted.

The records that must be kept are:

• A copy of, or the references to, the evidence (documents) of the customer’s identity

obtained and verification evidence (checks) obtained.

• The supporting records in respect of the business relationships or occasional transactions that are the subject of customer due diligence measures or on-going monitoring.

Transaction and business relationship records (KYC, account files, relevant business correspondence etc.) should be maintained in a form from which a satisfactory audit trail may be compiled, and which may establish a financial profile of any suspect account or customer.

What is an audit trail?

An audit trail is a step by step record by which financial data can be traced to its source. In the case of money laundering the aim of establishing an audit trail is to trace the funds through to the first transaction (the placement) to identify the launderer.

What records do I have to keep?

The records that we keep must be sufficient enough to form a complete audit trail for law enforcement to follow from the start of the transaction to the end; this is particularly important should the transaction later become part of an on-going investigation.

There are several different types of records we should keep:

• A copy of the evidence of identification presented. Photographic evidence is particularly
• Details of where the copies of identification can be found, which should be filed and easily recoverable. You must keep these records for at least five years from the date when the relationship with your customer
• Business records. You must keep a record of all transactions, regardless of whether the ID of the customer or client needed to be verified, for five
• All records of disclosures. Letters received from NCIS or any other correspondence with a law enforcement agency should be retained for at least five

Why is it important to document everything?

Supporting documentation is a cornerstone of our anti-money laundering procedures. Unrecorded steps are soon forgotten. Records assist in tracking relevant information and in demonstrating that the company/individual has conducted our business responsibly and with integrity. All interviews, searches and activities undertaken to verify integrity of transactions and persons must be documented and stored for reference by XPESA in the event that there is an internal audit or if they are required to be provided to law enforcement.

Note: It is the sole responsibility of the Compliance department to approve of and manage the disposal of client identification records. Under no circumstances is any other department or individual permitted to dispose of client identification documentation.

Data Protection

XPESA ensures that all personal data is kept safe and secure, and is only used for the purpose for which it was obtained and is not used for other purposes without prior consent. Note: If an employee receives a request to provide information regarding a current, previous or prospective client from any law enforcement agency, regulatory authority or financial institution, the request must be forwarded to the Compliance team. For further information please refer to the Privacy Policy.

Annex 1: Risk Based Assessment

MLR require that all businesses must adopt a ‘Risk Based Approach’ to its customers, products and business practices. Risk may be established both on the basis of objective criteria and subjective criteria. A ‘risk rating’ is given to each criterion.

XPESA uses the following grading system:

XPESA adopts a risk based approach to AML. In practical terms this means assessing the ML/TF risks associated with a customer and applying DD measures on a risk-sensitive basis. Risk factors pertaining to each client need to be assessed as part of the DD process and a risk rating given to each client.

The risk rating determines the level of due diligence to undertake for each prospective client. A client that is deemed high risk will need to undergo enhanced due diligence (EDD) and, if accepted as a client, enhanced monitoring.

Risk Rating Clients.

During the customer onboarding stage various risk factors must be considered to determine the overall risk rating of the client.

• Geographic risk – i.e. country of residence and/or country of incorporation and/or country of operation
• Country of residence of the beneficial owners and the directors
• Nature of business (e.g. a cash intensive business will be regarded as higher risk)
• Type of corporate structure (e.g. unduly complex structures would be higher risk)
• Any adverse information gleaned from name screening
• Occupation of the customer
• Source of funds/ wealth (are funds derived from third parties? Are we reasonably satisfied that the source of funds/wealth are legitimate?)

1.  General Risk Factors

The below indicators are provided to help clarify what level of money laundering/terrorist financing risk an applicant may present. These indicators should not be considered either exclusive or exhaustive and should be read in conjunction with CDD and the Country Risk Matrix.

Low Risk:

• Customers subject to a regime with a high standard of regulatory oversight (i.e. EU/ EEA)
• Customers who are employment-based with a regular source of income which supports the activity being undertaken

• Publicly quoted company on a regulated market
• Products with restricted ability to make or receive payments to or from third parties
• Customers that are resident in geographical areas of lower risk (as per the country risk matrix)

Medium / Higher Risk:

• Unnecessary breadth, complexity and/or geographical spread of ownership structure
• Complex ownership structures, which can make it easier to conceal underlying beneficiaries, where there is no legitimate commercial rationale
• An individual in a public position and/or location which carries a higher exposure to the possibility of corruption
• Customers based in the Medium and High category in the Country Risk Matrix
• Requests to associate undue levels of secrecy with a transaction
• Situations where the origin of wealth and source of funds cannot easily be verified or where the audit trail has been deliberately broken and/or unnecessarily layered
• Customers with a known criminal history
• Customers with a history of opaque transactions
• Requesting electronic funds transfer to third parties
• Customers who are unwilling to give names of real owners or controllers
• Particularly high value transactions
• Sectors considered high risk for ML/TF such as: certain money service businesses, casinos or dealers in precious metals
• Sectors considered high risk for corruption such as: construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement

2.  Reputational Risk

All applicants for business must also be exposed to a reputational risk assessment. For individuals, this risk assessment consists of a check against a PEP list, sanctions list and adverse media searches as mentioned above. For corporate applications not flagged on a sanctions list, the check is more subjective. Guidance is given below and where this guidance is insufficient, referral should be made to the MLRO/ Compliance department. Companies that are involved with the following would be examples of where a reputational risk exists:

• Weapons or arms manufacture or supply
• Production or supply of material of an explicitly sexual nature
• Environmental damage
• Production of atomic energy
• Extreme religious or ethnic groups
• Political groups
• High profile individuals

For the purposes of ‘a risk-based approach’, individuals or entities that are (or appear to be) involved with any of the above would represent a ‘higher risk’.

NOTE: All High Risk cases must be referred to and approved by the MLRO and compliance department.

Country Risk

Country risk measures the risk of ML & TF of countries based on publicly available sources. Country Risk Matrix provides an analysis of jurisdictions based on various risk factors, such as:

• EU/EEA countries who are subject to the 4th Money Laundering Directive
• High risk third countries identified by the European Commission
• FATF uncooperative nations / AML deficient nations list
• Compliance with the FATF Recommendations
• Countries with significant levels of corruption or other criminal activity
• Countries subject to sanctions or embargoes issued by the UN, EU, UK or US
• Countries with Offshore Financial Centres
• US Dept. of State Money Laundering assessment (INCSR)
• US Sec of State list of jurisdictions – supporters/safe havens of International Terrorism

Countries are rated according to our ‘Grading’ (L to H), based on their overall score taking account the above risk factors. Countries that have material ML/TF deficiencies have a serious negative weighting. Where customers come from jurisdictions deemed high risk, additional measures, including EDD, are required.

The assessments are used as an indicator – they enable us to determine when we should place closer scrutiny. This does not mean that customers who send to these locations are transacting illegally or are suspected of illegal activity, only that enhanced scrutiny and monitoring are required. XPESA does not conduct any business with customers from Sanctioned countries.

Information and data used in the risk ranking matrix is gathered from a subscription based risk rating tool which uses governmental and institutional agency websites, such as:

• CIA Factbook
• FATF
• Federal Bureau of Investigation
• FinCEN
• OECD
• HM Treasury
• The Egmont Group of Financial Intelligence Units
• Transparency International
• US Department of State
• US State Treasury
• United Nations
• World Bank Group

The list is updated throughout the year with the view to update any changes as and when they occur.

Restricted Countries

The ‘Country Risk Matrix’ also includes a restricted countries list. XPESA DOES NOT open accounts for residents from, or companies incorporated in and/or operating in, the countries on this list which is based on the following sources:

• OFAC Sanctions List
• EU Sanctions List
• HM Treasury Sanctions List
• HM Treasury Advisory Notices
• FATF Public Statement which lists jurisdictions of concern
• Subscription based risk rating tool

Restricted Clients / Business Relationships

• Shell banks
• Unlicensed Banks
• Unlicensed Money Service Business
• Individuals who are known (or suspected) to have derived their wealth from such businesses
• Sanctioned entities
• Businesses involved in weapons or arms manufacture or supply

Sanctioned Country/Customer:

Sanctions can take the form of any of a range of restrictive/coercive measures. They can include arms embargoes, travel bans, asset freezes, reduced diplomatic links, reductions/cessation of any military relationship, flight bans, suspension from international organisations, withdrawal of aid, trade embargoes, restriction on cultural /sporting links and other.

It is an offence to directly or indirectly provide financial services or any provision of funds to sanctioned entities. Failure to comply with the sanctions regime can result in criminal penalties being sought against the firm and, in certain circumstances, against the management of the firm. XPESA is committed to compliance with the financial sanctions regime and does not conduct business with, nor maintain relationships with, entities listed on the UN, EU, UK and US sanctions lists.

All New clients will be screened. Existing clients will also be screened regularly against updated lists.

‘Higher Risk’ Requirements:

Where a company is deemed higher risk or where any shareholders or directors are located (or appear to be located) in a high risk country, as per the Country Risk Matrix, the following additional documentation will be required:

• Last 3 months company bank statements
• Declaration of Source of Funds

All high risk corporates are required to complete the KYB questionnaire before their accounts can be opened. A declaration of sources of funds will also be required to complement the KYB questionnaire to expand our knowledge of the clients. This gathering of information on the entity’s business operation, trading links and clientele etc. as well as their sources of funds and wealth will allow us to monitor and assess whether the activities of the account are in line with our expectation.

For individuals deemed high risk, their source of funds AND source of wealth must be fully documented. On a risk based approach source of funds/wealth may need to be evidenced and verified.

Risk Matrix – MLRO to Focus on high risk customers

It is the responsibility of the Money Laundering Reporting Officer (MLRO) to oversee all transactions which are processed. They will focus attention on high risk transactions/ customers (with risk rating of H).

Examples:

1. Offences of bribing another person:
   • A person (“P”) is guilty of an offence if either of the following cases
   • Case 1 is where—
     • P offers, promises or gives a financial or other advantage to another person, and
     • P intends the advantage—
       • To induce a person to perform improperly a relevant function or activity, or
       • To reward a person for the improper performance of such a function or
     • Case 2 is where—
       • P offers, promises or gives a financial or other advantage to another person, and
       • P knows or believes that the acceptance of the advantage would itself constitute the improper performance of a relevant function or
     • In case 1 it does not matter whether the person to whom the advantage is offered, promised or given is the same person as the person who is to perform, or has performed, the function or activity
     • In cases 1 and 2 it does not matter whether the advantage is offered, promised or given by P directly or through a third

2.           Offences relating to being bribed

3. Function or activity to which bribe relates
4. Improper performance to which bribe relates
5. Expectation test
6. Bribery of foreign public officials
7. Failure of commercial organisations to prevent bribery:
   • A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C bribes another person intending—
     • To obtain or retain business for C, or
     • To obtain or retain an advantage in the conduct of business for
   • But it is a defence for C to prove that C had in place adequate procedures designed to prevent persons associated with C from undertaking such
   • For the purposes of this section, A bribes another person if, and only if, A—
     • Is, or would be, guilty of an offence under section 1 or 6 (whether or not A has been prosecuted for such an offence), or
     • Would be guilty of such an offence if section 12(2)(c) and (4) were omitted.
   • See section 8 for the meaning of a person associated with C and see section 9 for

a duty on the Secretary of State to publish guidance.

• In this section—

“Partnership” means—

• A partnership within the Partnership Act 1890, or
• A limited partnership registered under the Limited Partnerships Act 1907, or a firm or entity of a similar character formed under the law of a country or territory outside the United Kingdom,

“Relevant commercial organisation” means—

• A body which is incorporated under the law of any part of the United Kingdom and which carries on a business (whether there or elsewhere),
• Any other body corporate (wherever incorporated) which carries on a business, or part of a business, in any part of the United Kingdom,
• A partnership which is formed under the law of any part of the United Kingdom and which carries on a business (whether there or elsewhere), or
• Any other partnership (wherever formed) which carries on a business, or part of a business, in any part of the United Kingdom, and, for the purposes of this section, a trade or profession is a business.

Penalties

• An individual guilty of an offence under section 1, 2 or 6 is liable—
  • on summary conviction, to imprisonment for a term not exceeding 12 months, or to a fine not exceeding the statutory maximum, or to both,
  • On conviction on indictment, to imprisonment for a term not exceeding 10 years, or to a fine, or to
• Any other person guilty of an offence under section 1, 2 or 6 is liable—
  • On summary conviction, to a fine not exceeding the statutory maximum,
  • On conviction on indictment, to a
• A person guilty of an offence under section 7 is liable on conviction on Indictment to a

[For details:

http://www.legislation.gov.uk/ukpga/2010/23/pdfs/ukpga_20100023_en.pdf

Annex 2: Bribery Offences as per Bribery Act 2010 and Penalties

1. Offences of bribing another person:
   • A person (“P”) is guilty of an offence if either of the following cases
   • Case 1 is where—
     • P offers, promises or gives a financial or other advantage to another person, and
     • P intends the advantage—
       • To induce a person to perform improperly a relevant function or activity, or
       • To reward a person for the improper performance of such a function or
     • Case 2 is where—
       • P offers, promises or gives a financial or other advantage to another person, and
       • P knows or believes that the acceptance of the advantage would itself constitute the improper performance of a relevant function or
     • In case 1 it does not matter whether the person to whom the advantage is offered, promised or given is the same person as the person who is to perform, or has performed, the function or activity
     • In cases 1 and 2 it does not matter whether the advantage is offered, promised or given by P directly or through a third

2.           Offences relating to being bribed

3. Function or activity to which bribe relates
4. Improper performance to which bribe relates
5. Expectation test
6. Bribery of foreign public officials
7. Failure of commercial organisations to prevent bribery:
   • A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C bribes another person intending—
     • To obtain or retain business for C, or
     • To obtain or retain an advantage in the conduct of business for
   • But it is a defence for C to prove that C had in place adequate procedures designed to prevent persons associated with C from undertaking such
   • For the purposes of this section, A bribes another person if, and only if, A—
     • Is, or would be, guilty of an offence under section 1 or 6 (whether or not A has been prosecuted for such an offence), or
     • Would be guilty of such an offence if section 12(2)(c) and (4) were omitted.
   • See section 8 for the meaning of a person associated with C and see section 9 for

a duty on the Secretary of State to publish guidance.

• In this section—

“Partnership” means—

• A partnership within the Partnership Act 1890, or
• A limited partnership registered under the Limited Partnerships Act 1907, or a firm or entity of a similar character formed under the law of a country or territory outside the United Kingdom,

“Relevant commercial organisation” means—

• A body which is incorporated under the law of any part of the United Kingdom and which carries on a business (whether there or elsewhere),
• Any other body corporate (wherever incorporated) which carries on a business, or part of a business, in any part of the United Kingdom,
• A partnership which is formed under the law of any part of the United Kingdom and which carries on a business (whether there or elsewhere), or
• Any other partnership (wherever formed) which carries on a business, or part of a business, in any part of the United Kingdom, and, for the purposes of this section, a trade or profession is a business.

Penalties

• An individual guilty of an offence under section 1, 2 or 6 is liable—
  • on summary conviction, to imprisonment for a term not exceeding 12 months, or to a fine not exceeding the statutory maximum, or to both,
  • On conviction on indictment, to imprisonment for a term not exceeding 10 years, or to a fine, or to
• Any other person guilty of an offence under section 1, 2 or 6 is liable—
  • On summary conviction, to a fine not exceeding the statutory maximum,
  • On conviction on indictment, to a
• A person guilty of an offence under section 7 is liable on conviction on Indictment to a

[For details:

http://www.legislation.gov.uk/ukpga/2010/23/pdfs/ukpga_20100023_en.pdf

Annex 3: Politically Exposed Persons Check

The definition of ’PEP’ is set out below:

• Is or has, at any time in the preceding year, been entrusted with a prominent public function by –
  • Any state; or
  • The European Community; or
  • An international body
• Is an immediate family member of such a person
• Is a known associate of such a person

Please note: An immediate family member or a known close associate of a person referred to in the paragraph immediately above does not necessarily qualify as a PEP without the appropriate risk assessment.

In cases where a PEP is identified:

• Senior management approval should always be sought before establishing a business relationship with a PEP
• The source of funds should be established
• The business relationship should be subject to enhanced and constant monitoring.

A Politically Exposed Person (PEP) is an individual entrusted with a prominent public function. This does not include middle-ranking or more junior officials. Individuals entrusted with prominent public functions include:

• Heads of state, heads of government, ministers and deputy or assistant ministers;
• Members of parliament or of similar legislative bodies;
• Members of the governing bodies of political parties;
• Members of supreme courts, of constitutional courts or of any judicial body the decisions of which are not subject to further appeal except in exceptional circumstances;
• Members of courts of auditors or of the boards of central banks;
• Ambassadors, charges d’affaires and high-ranking officers in the armed forces;
• Members of the administrative, management or supervisory bodies of State- owned enterprises
• Directors, deputy directors and members of the board or equivalent function of an international organisation;

PEPs pose a heightened bribery and corruption risk due to their position. There is the risk that a PEP may abuse their public office for private gain and use the financial system to launder the proceeds of this abuse of office. Similarly, a PEP’s family or close associate may help facilitate, or may also benefit from, the PEP’s abuse of public funds. For this reason, XPESA is required to undertake EDD when transacting with a PEP or family member or known close associate of a PEP.

It is XPESA’s policy to screen all prospective clients against various PEP databases using compliance software tools. Where an applicant is highlighted as being a politically exposed person, the application must be referred immediately to the MLRO/ Head of Compliance Oversight. All such applicants will be considered higher risk and therefore exposed to a

higher level of due diligence and the decision to open the account will be made on a case by case basis. This decision will involve Senior Management approval.

Existing clients will also be screened regularly against updated lists, senior management approval must also be sought when deciding to continue a relationship with a PEP, or family member or known close associate of a PEP when undertaking a periodic review of the account

Establishing the source of funds

It is important that before a business relationship is entered into with a PEP their source of funds is established and XPESA is satisfied that there are no indications that funds that will be used for transactions to be carried out are derived from corruption (i.e. receipt of bribes), fraud or an attempt by the PEP to remove/hide assets from their home country.

The source of the PEP’s funds may be established by asking the individual concerned a series of questions to determine from where they receive their money. These questions could include confirmation of the main source of income; salary, any business interest or investments from which funds are/will be received.

Making a decision to transact with the PEP

In order to be satisfied, below are areas on which questions can be asked of the PEP to determine whether a business relationship should be established- information from this can be presented to Senior Management of XPESA for them to make an informed decision:

• What is the position and the duties of the PEP- (please note that a less ‘senior’ PEP is

less of a risk than heads of states, MP’s, members of the Judiciary, Ambassadors)

• Are there any family members/close associates that are PEP’s also?
• Identify the customer and the beneficial owner of the
• Know the customer’s country of
• Know the objective of opening the account and the volume and nature of the activity expected for the
• Obtain information on the occupation and the other income
• Obtain information about the direct family members or associates who have the power to conduct transactions on the

Note: XPESA’s policy is to not open an account for any High Risk PEPs.

Annex 4: KYC/KYB Checklist

Overview

For every prospective customer, XPESA must:

• Determine if the customer is from the list of excluded jurisdictions where XPESA deemed that it would not undertake to provide services to persons resident in that jurisdiction because of the existence of imposed sanctions, unacceptable AML/CFT risks or other regulatory reasons which may restrict the services that XPESA can provide or willing to provide;
• Screen the customer and connected parties for higher risk indicator, such as those that can be categorised as Politically Exposed Persons (PEPs), or whether they are subject to any Sanctions/Prohibitions/adverse media
• Assess and allocate a risk rating for the customer in line with the risk assessment carried out
• Collect the sources of funds/wealth information and where appropriate and applicable, supporting documents and information
• Apply appropriate CDD verification requirements for different type of customers such as individuals, corporates, partnerships

This section covers:

• Acceptable Identification Documents (ID)
• Acceptable Proof of Address (PoA)
• Country Specific acceptable proofs

Acceptable proof of ID

• Passport
• Driving Licence
• Other Government issued ID (National ID card )
• Certified copies of above (where applicable)

Note: ID must be: valid, have a photo, be in colour, front & back where applicable.

Acceptable Proof of Address

• Bank statement
• Credit card statement
• Mortgage statement from a recognised lender
• Utility Bill (water, gas, electric, TV, cable, landline, internet service provider)
• Driving Licence showing address
• Government issued document (tax credit, pension, other benefits, property tax )
• Certification by an XPESA employee that they have visited and met the client at their address

Note: proof must contain full name matching the ID provided, and be dated within last 3 months.

Unacceptable Proof of Address

• Provisional Driving Licence
• Mobile bill

• Insurance bill
• Screenshot of Bank statement (only a scanned copy or photo image of a statement received by post is acceptable. If customer receives paperless statements, it must be provided in PDF format which was either emailed to customer or downloaded from the internet)
• Second proof cannot be from the same source (example a Bank statement and a credit card statement from the same bank. If a second proof is not available, then a certified copy of the first proof can be accepted)

In situations where an individual is unable to provide an acceptable proof of address listed within this section, compliance approval must be requested in order to make an exemption. (example, home/car insurance, mobile bill, letter from a University that states student is residing on campus, lease or rental agreement, if they live with or share accommodation with someone else (parents, house mate) then an affidavit and valid proof of address from that person will be required etc.). Exemptions will only be given in cases of low risk situations. More so, request approval when dealing with unfamiliar foreign proofs.

PO Box Address

Where an individual resides in a country where they are unable to provide proof of residential address and all mail goes to a P.O. Box, the individual must provide:

• A proof of postal address showing PO BOX number (bank statement / utility bill) And
• A letter from the bank stating their physical address or
• A tenancy contract or similar agreement showing the address where they actually reside or
• Letter from employer detailing address

Country Specific Proof / Checks

Dubai

EJARI is a system for landlords and tenants to register their tenancy agreements / ID / passport / Visa details / mobile numbers in case of dispute. EJARI is operated by the Real Estate Regulatory Agency (RERA) which is a government agency in Dubai.

For Dubai residents, the ‘Tenancy Contract Registration Certificate’ must be cross referenced against EJARI: http://ejari.ae/PublicPages/TenancyCertificate/PrintTC.aspx

Nigeria

• Electronic ID card (MasterCard-integrated e-ID)
• BVN (Bank Verification Number) – A biometric identification system implemented by the Central Bank of

South Africa

• National Identity Book