Under the Fifth EU Anti-Money Laundering Directive (AMLD 5), which entered into force on 9 July 2018 and extends the scope of the EU AML regime to virtual currency exchange platforms and custodian wallet providers, Xpesa Limited is required to put in place effective systems and controls to detect, prevent and deter financial crime (money laundering and terrorist financing). This policy contains the procedures we have developed in order to comply with these obligations.
Xpesa Limited (hereinafter referred to as XPESA) has notified the MFSA (Malta Financial Services Authority) of its business (Exchange, Products and Services) through its Memorandum & Articles of Association as well as through an official Notification process (25th Oct 2018), and is seeking to be licensed and regulated in Malta under the new VFAA (Virtual Financial Assets Act), which came into effect on 1st November 2018 and regulates the field of Virtual Financial Assets. This Notification allows XPESA to continue to operate its business for a period of time (the “Transitional Period”) until it obtains its Licence. During this transitional period, XPESA is expected to comply voluntarily with all the rules and regulations set forth by the MFSA and the VFAA (in respect of VFAs) until it is licensed, after which point full compliance will be mandatory. Voluntary compliance will assist XPESA in achieving its goal of being approved by the MFSA and acquiring its Licence; XPESA is therefore committed to being compliant during the transitional period. In order to continue operations in Malta after 1st November 2019, all Exchanges must be licensed by the MFSA.
This voluntary compliance concerns only some aspects of the MFSA/VFAA rules in respect of VFAs and DLT; however, as an EU entity, XPESA must comply with AMLD 5 in respect of ML/TF. Compliance is also necessary for XPESA in order to conduct business with regulated international financial institutions and other regulated entities.
XPESA is a Maltese entity and primarily operates under the laws, rules, regulations, policies & procedures (collectively “LAWS”) of Malta, which in turn is primarily subject to EU LAWS. However, XPESA conducts its business internationally and is therefore, to a certain extent, also subject to international LAWS as well as the local LAWS of the countries in which it does business. For the purpose of this document (AML/CTF/Compliance), XPESA holds itself to very high standards and has opted to use the United Kingdom as the baseline. The UK is considered to have the necessary LAWS in place to make most companies/FIs compliant with the internationally recognised LAWS for mitigating ML/TF, and these are on a par with (if not above) most European and North American standards (including the LAWS set out in EU AMLD 4). We have therefore heavily relied on, referred to and adopted the LAWS of the UK in this policy, in particular the MLR 2017 and the TA 2000 as highlighted below. If additional LAWS are eventually imposed by the MFSA, XPESA will adopt and adhere to them once the licence is received.
MLR 2017 refers to the “Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017”. These came into force on 26 June 2017, implementing the 4th Money Laundering Directive (4MLD), which aims to give effect to the updated Financial Action Task Force Standards. The overall objective of transposition is to ensure that the UK’s anti-money laundering and counter-terrorist financing (AML/CTF) regime is kept up to date, is effective and is proportionate. This enables the UK to have a comprehensive AML/CTF regime and ensures that the UK’s financial system is an increasingly hostile environment for ML/TF.
The MLR require relevant businesses to have:
It also requires relevant businesses to establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified. In particular, these policies, controls and procedures must include:
These policies and procedures must be proportionate with regard to the size and nature of the relevant person’s business and approved by its senior management. They must also include:
The Money Laundering and Terrorist Financing Regulations require that an organisation has a Nominated Officer (MLRO – Money Laundering Reporting Officer) to ensure that there is up-to-date knowledge of issues relating to Anti-Money Laundering and Counter-Terrorist Financing throughout the organisation, implement appropriate policies and procedures and disclose any suspicious activity to the relevant authority.
The main principles encompassed by the MLR 2017 can be described as the Risk Based Approach (RBA). The RBA requires a number of steps to be taken to determine the most cost-effective and proportionate way to manage and mitigate the money laundering and terrorist financing risks faced by the business. The steps are to:
Under the Terrorism Act 2000 it is a criminal offence in the UK to finance or facilitate the financing of terrorism. In general terms, terrorist financing (TF) is the provision or collection of funds, from legitimate or illegitimate sources, with the intention, or in the knowledge, that they should be used to carry out any act of terrorism, whether or not those funds are in fact used for that purpose. A key difference between money laundering and terrorist financing is that the source of funds for terrorist financing need not be the proceeds of crime.
The rest of the document will give you further details, and an overview of our compliance procedures that are applied to meet the above criteria.
This document is a general guide defining Anti-Money Laundering (AML), Counter Terrorist Finance (CTF), Counter Fraud Procedures, regulations and our Risk-Based approach in light of the above LAWS. It further gives you an idea of what XPESA does and how we protect ourselves and our customers from Money Laundering and Terrorist Financing threats, through thorough due diligence.
This guide is for all staff members of XPESA (employees and senior management). All staff are contractually bound to familiarise themselves with, and comply with, the content of this policy. Failure to comply with the requirements of this policy will be considered a serious offence and disciplinary action may be taken, including dismissal.
The anti-money laundering (AML) and counter-terrorist financing (CTF) regime is designed to prevent our services from being used by criminals. Our obligations under the AML/CTF regime are to spot and report money laundering and terrorist financing. Failure to meet these obligations can lead to criminal penalties, substantial fines and damage to our reputation.
The law does not specify the measures you must take to comply with its requirements, but rather sets rules within which organisations must operate. This document therefore offers information and guidance on the ways that you can perform your duties effectively and fulfil your legal obligations.
Very simply, it will help you follow the law!
(Note: Also see Annex 2, and familiarise yourself with the Bribery Act and offences)
Money laundering is the process through which proceeds of crime and their true origin and ownership are changed so that the proceeds appear legitimate.
Terrorist financing is providing or collecting funds, from either legitimate or illegitimate sources, to be used to carry out acts of terrorism.
Before starting at XPESA, it is important you have a basic understanding on what Money Laundering is, why it is important to prevent it, and how we go about doing that on a daily basis.
Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origin of criminally derived proceeds so that the unlawful proceeds appear to have been derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages:
Criminal property is the proceeds of criminal conduct. This includes any type of conduct, wherever it takes place, which would constitute a criminal offence. It includes drug trafficking, terrorist activity, tax evasion, corruption, fraud, forgery, theft, counterfeiting, blackmail and extortion. It also includes any other offence that is committed for profit.
The principal money laundering offences detailed in the Proceeds of Crime Act 2002 (POCA) are:
There are also secondary offences:
The principal and secondary money laundering offences carry a penalty of imprisonment, a fine or both. You will have a defence to a principal money laundering offence if you submit a Suspicious Activity Report (SAR) to the MLRO.
Tipping off and prejudicing an Investigation
It is an offence for someone to tip off (inform) a person suspected of money laundering that a Suspicious Activity Report has been made or that a money laundering investigation is taking place. In general, a tipping off offence occurs when the action is likely to prejudice an investigation that is taking place.
Further, you will commit an offence if you know or suspect that an investigation is being or is about to be conducted and you interfere with documents which are relevant to the investigation.
The existence of these offences does not prevent you from making normal enquiries about your clients’ instructions. You are able to make enquiries in order to:
Your enquiries will only constitute an offence if you disclose that a SAR has been made or that an investigation is being carried out or contemplated. It is also not tipping-off to warn your clients of your duties under the AML/CTF regime by providing them with our terms of business or our standard client care letter.
Terrorist financing is the use of funds, however acquired, to fund terrorism. It need not involve the proceeds of criminal conduct; what is concealed is typically the origin and/or the intended use of the funds rather than their criminal source.
Terrorists need funds to plan and carry out attacks. The law criminalises both participation in terrorist activities and terrorist financing.
In general terms, terrorist financing is:
The terrorist financing offences follow a similar pattern to the money laundering offences, i.e.:
All offences carry heavy criminal penalties. While the terrorist financing and money laundering regimes are different, they share similar aims and structures and run together in EU legislation. Many of the provisions mirror one another and the definitions are deliberately matched.
A Nominated Officer is the person within an organisation (part of senior management team) who is responsible for overseeing all activity related to anti-money laundering matters.
XPESA’s Nominated Officer (MLRO) is Mr. Aditya Oberoi.
XPESA’s Deputy Nominated Officer is Mr. Mohammed Sarfraz Khan.
In the absence of the Nominated Officer, the Deputy Nominated Officer will take his/her place.
The Nominated Officer’s responsibilities include:
The nominated officer is a person who has sufficient authority and autonomy in order to make the decisions required above. The Deputy Nominated Officer shall replace the Nominated Officer when he/she is unavailable.
A Suspicious Activity Report (SAR), also referred to as a Suspicious Transaction Report (STR), is the report that institutions must make when they suspect that a customer’s activity might indicate money laundering or terrorist financing. Institutions are required to register with their relevant authority and submit an STR whenever they suspect such activity. Law enforcement will decide how to proceed once an STR has been submitted. Note: once suspicious activity has been reported to the FIAU, the transaction cannot proceed until ‘consent’ is given; it is frozen.
Only the MLRO can file an STR with the FIAU (Financial Intelligence Analysis Unit) via their online process. For information on the responsibilities and procedures for filing an STR with the FIAU, see http://www.fiumalta.org. An STR can be submitted online at any time of the day and an email confirmation will be received for each submission.
Employees must complete the Internal STR and email it to the MLRO. Employees have the protection of the law as soon as an STR has been submitted to the MLRO.
(see Annex 5 for the format and requirements of the Internal STR)
Once the MLRO receives the STR from a staff member, the MLRO has two options:
Note: Information that an STR has been made should never be placed on a client file
The Financial Intelligence Analysis Unit (FIAU) is a government agency established under the Prevention of Money Laundering Act (Cap 373 of the Laws of Malta). It is the entity responsible for the collection, collation, processing, analysis and dissemination of information with a view to combating money laundering and the funding of terrorism. The Unit is also responsible for monitoring compliance with the relevant legislative provisions. Financial intelligence agencies are required to treat any SARs confidentially. Where information from a SAR is disclosed for the purposes of law enforcement, care is taken to ensure that the identity of the reporter and their firm is not disclosed to other persons.
Any client activity outside the normal or expected activity should be considered unusual and must be investigated. Understanding the business or client profile is crucial. Unusual activity or transactions outside the established profile should be considered as a potential indicator of suspicious activity. Investigations should establish the reasons for the unusual activity or transaction. This may either remove or confirm your suspicion.
Look out for any suspicious actions or activity at every dealing stage with the customer. For example, this can be an unusual remittance or a transaction amount that is not in normal line of activity.
The following list provides several types of behaviour or activity that may be suspicious and are typical signs of ML/TF. The list is not exhaustive and not conclusive. Rather employees who have contact with customers, intermediaries or counterparties should use the list as a guide for inquiry and follow up:
inconsistent with the client’s stated business/strategy.
disproportionate to the customer’s known business.
If you have “reasonable grounds for knowing or suspecting money laundering”, you must report this to your Nominated Officer “as soon as is practicable”. By failing to report a suspicion an employee may be committing an offence. Do not carry out the transaction or proceed unless you have consent from the MLRO. The MLRO will review the suspicion and, if required, submit a Suspicious Activity Report (SAR) to the relevant authority. Only the MLRO or deputy may submit an external SAR. Once you have reported your suspicion to the MLRO, they will send you an acknowledgement within 24 hours. If more information is required, the MLRO will request it from you.
Note: DO NOT raise any concerns with the customer or use words to suggest you are not happy with anything as that may tip them off.
Please familiarise yourself with the below personnel as you should be working closely with them:
Nominated Officer (MLRO) is Mr. Aditya Oberoi.
Deputy Nominated Officer is Mr. Mohammed Sarfraz Khan.
In the absence of the Nominated Officer, the Deputy Nominated Officer will take his/her place.
You could commit an offence if, when your suspicions are aroused, you:
Suspicion can occur in circumstances that suggest to a reasonable individual that a person might be laundering money. Suspicion must be more than a mere hunch. Any activity that does not fit with the normal course of business, or is not normal for a particular client should be regarded as suspicious.
A transaction is anything you carry out by way of business. Suspicion indicators for new customers can include:
Suspicion indicators for regular and established customers include the:
You should report the grounds for your suspicion to your Nominated Officer by filling out the internal SAR form. You should include full details of the identification you have and any other customer information you have.
You must do this as soon as is practicable after you have reasonable grounds for suspicion. If you do not do this you may be committing an offence. This may mean either before the transaction takes place or immediately afterwards.
This means as soon as you reasonably can. Internal reporting lines to your Nominated Officer should be short in order to avoid delay.
You should make an internal report before the transaction is completed and wait for consent from your Nominated Officer before you complete the transaction.
Give the customer an excuse that fits the circumstances. In difficult cases speak to your Nominated Officer or manager.
Ask your Nominated Officer. They may let you proceed with the transaction, but this should not be done routinely. The reason why you think delaying the transaction would “tip off” the customer must be included in your report. If the MLRO gives you consent to proceed with a transaction, then that consent only applies to that specific transaction. If the client requests further activities or transactions, further consent is required from the MLRO even if you do not have a suspicion.
Seek advice from the Nominated Officer urgently.
Make an internal report to your Nominated Officer as soon as you can.
If you refuse the business because you are suspicious, you must still make a disclosure to the Nominated Officer. You must obtain evidence and keep records of the customer’s identification as soon as you become suspicious.
‘Consent’ means either that the staff member has sought approval from the MLRO, or that the company has sought and obtained approval from the Financial Intelligence Analysis Unit to process the transaction.
NOTE: If in doubt about whether to proceed with a transaction, the employee should contact the MLRO for advice. All staff members will have fully discharged their duties, and will have the full protection of the law, once a report of their suspicions has been made to the company MLRO or to the FIAU.
Where can I find more information?
Industry guidance aimed at combating money laundering and terrorist financing places various obligations on firms and individuals. These include, but are not limited to, all or parts of the following:
Check out the following websites, which contain the details of the different issues discussed in this document and are likely to be useful during your time with us:
Satisfactory Client Due Diligence (CDD) must be completed prior to the establishment of a business relationship. Such CDD measures include:
Enhanced Due Diligence (EDD) means applying additional due diligence measures to customers that pose a higher risk of ML/TF and monitoring the customer’s transactions more frequently.
EDD must be applied during the following situations:
All applications deemed high risk must be referred to the Compliance department for approval
KYC means obtaining information about a customer over and above the required ID.
The purpose of this is to reduce the risk of your business being used for money laundering. Asking your customers questions such as their reason for establishing business with you, the source of their funds and the anticipated level and nature of the activity to be undertaken can increase the likelihood that you will detect suspicious activity.
Under the MLR 2017, due diligence must be conducted not only on all new customers but also, on a risk-sensitive basis, at appropriate times on existing customers, when the relevant circumstances of a customer change, or when the obliged entity has any legal duty to do so. Moreover, Simplified DD will no longer be applicable in the vast majority of cases: every transaction/client requires a degree of risk assessment to demonstrate that it presents a lower risk, together with sufficient on-going monitoring. CDD represents the base level of due diligence that must be undertaken under the MLR. EDD must be undertaken for a complete and verified onboarding process.
The Ultimate Beneficial Owner (UBO) is the natural person who ultimately owns or controls the company or benefits from the account.
The beneficial ownership term is used to help recognise situations where the person in whose name an account is opened is not necessarily the person who ultimately controls the account. Therefore, one of the focal points of XPESA’s AML processes is to focus on identifying people who have beneficial ownership of a XPESA account.
For natural person applicants, applying for an account in their own name, it is reasonable to presume that he or she is the beneficial owner. There are circumstances when this presumption may become inconsistent with the original information provided and activity anticipated on the account. In these circumstances closer investigation into the mechanics of the accounts operation will be carried out.
For corporate applicants it is very important to establish who the beneficial owners are. A beneficial owner is any natural person either owning or controlling 25% or more of the shares or voting rights in the legal person; or any natural person who exerts ultimate control over the legal person through its management or otherwise.
In relation to a legal arrangement that is a trust, a beneficial owner is the settlor, trustees, beneficiaries (or class of beneficiaries if no named beneficiaries) and any individual who has control over the trust.
A nominee is a person or entity that holds a position (e.g. a directorship) or shares on behalf of the UBO.
Generally, XPESA should not accept any clients where it is evident from the structure, or when the client discloses, that they have a nominee director(s) and/or nominee shareholder(s).
Any exceptions must be approved by the MLRO/Compliance team who will review each request on a case by case basis. Factors taken into consideration will include country of incorporation, nature of business, ability to identify the nominator(s), whether the nominee is licensed and whether the relevant company registry has been notified of the nominee structure.
CDD is the process of identifying and verifying customers. It is designed to make it more difficult for the financial services industry to be used for money laundering or terrorist financing. Having sufficient information about your customer, and making use of that information, is one of the most effective defences against being used to launder the proceeds of crime.
XPESA needs to carry out CDD in order to satisfy itself that customers are who they say they are and to know whether they are acting on behalf of another. CDD then assists in determining that there are no legal barriers to providing the customer with the product or service requested, and enables XPESA to assist law enforcement by providing available information on customers or activities being investigated.
For Business clients, we also check their details against the Registered Companies database in the country of incorporation. For example ‘Registry of Companies’ in Malta and ‘Companies House’ in the UK.
The following procedures will be helpful in identifying prospective customers who may present money-laundering risks. While not all of these procedures are necessary in every instance, they should be considered and documented as part of standard account opening procedures.
In all cases, prior to taking on a new customer or engaging in a transaction with a customer with whom you do not have well-established relationship, you need to complete sufficient due diligence to have confidence in the integrity of the customers and the lawfulness of the proposed transaction.
type of business. Where appropriate, obtain supporting documentation
Special procedures apply for accounts for the benefit of senior government and political figures (Politically Exposed Persons or PEPs), particularly from certain countries, and for accounts opened by or through foreign banks. You must consult the Compliance Officer if a customer is a possible PEP.
Under the MLR 2017, the definition of PEP has been widened to include domestic individuals occupying prominent public positions. Firms need to assess the risks posed by PEPs, their family members and their known close associates on a case-by-case basis and tailor the extent of enhanced measures accordingly (please see below). EDD is a sliding scale: low-risk PEPs should be treated at the lowest level, just as high-risk customers should face more stringent measures. A full risk assessment should be undertaken as usual. Currently XPESA is not opening accounts for high-risk PEPs. (See Annex 3)
Where accounts come through an intermediary, XPESA must either perform due diligence with respect to the account or satisfy itself that the intermediary has performed the type of due diligence with respect to the account that would satisfy the XPESA’s “Know Your Customer” policy.
The same rules set out in item 10 above also apply to transactions with counterparties on behalf of our customers. For this purpose, counterparties include private transaction counterparties and banks and other dealers, agents and intermediaries. While a relatively low level of due diligence will be required for counterparties who are regulated within a country known to have appropriate and well-enforced anti-money laundering regulations, other counterparties will require the same level of due diligence as clients.
EDD refers to the additional measures to be taken on top of, and in addition to, CDD measures as explained above. XPESA must apply EDD measures on a risk-sensitive basis in any situation which may present a higher risk of money laundering or terrorist financing.
As part of this, you may conclude, under the risk-based approach (RBA), that the standard evidence of identity is insufficient in relation to the money laundering and terrorist financing risk, and that you must obtain additional information about a particular customer. The extent of the additional measures taken and information sought will depend on the money laundering or terrorist financing risk that the customer, or category of customer, presents to the business.
Examples of when EDD need to be applied:
Additional measure under EDD may also include, among other things:
XPESA implements financial transaction thresholds and specifies the level of DD which must be applied. For HNWI and Corporates, the thresholds will be decided on a risk-based approach and therefore will vary depending on the client. But as a default, we all must adhere to the thresholds stipulated within this policy.
Key to the threshold table: DD = level of Due Diligence applied; M = Account Monitoring.
Note: For Information on Monitoring, please refer to the separate section within this document.
There are two ways to open an account with XPESA.
Tier 0 (Account Sign up)
A Customer can sign up via our app by entering the following information:
Both are verified by sending a link to the email address and an SMS to the mobile number. An account number is assigned, login credentials are created, however Customers can only browse the app – no funding (fiat or crypto) or trading is permitted.
Tier 1 (Basic Account)
After browsing the app, a customer can proceed with the on-boarding process by submitting the following:
All individual account holders must provide the above. Once all fields have been filled in and documents uploaded, our back office will carry out all the relevant DD checks mentioned throughout this document and approve successful customers; only then will the account be activated and operational.
Tier 2 (Higher Limits)
Due to increased limits, customers are subjected to:
Additional information may be requested with supporting documentation (proof) regarding the following (but not limited to):
Note: Customers can request to increase their tier by contacting us at Support@xpesa.io
Tier 3 (HNWI)
Full measures of EDD will be applied, including all available tools to monitor all transactions. In addition to the above, the following may be required (but not limited to):
Note: Requests to increase limits can be made by contacting the customers’ account manager or by writing to us on Compliance@xpesa.io
Payments: We only accept funds from the verified bank account in the customer’s name provided by the customer. Similarly, we only transfer out to the same verified bank account. We do not make or receive any third-party fiat transfers. If a customer changes his bank details, the new account is verified beforehand and/or a deposit from the new account is required prior to a withdrawal. (Currently XPESA does not accept cards.)
Customers wishing to open a corporate account with us will need to download our ‘Registration Form’ from our website. After filling it in, they will need to email it to us at Compliance@xpesa.io, and within 48 hours of submitting it they will be contacted by telephone or email by a member of our team who will provide further information on what details need to be submitted before the account can be approved.
Details will include:
clients’ risk rating.
Please note, Individual and Business account limits can be negotiated and tailored to the customers’ requirements. A risk based assessment will be made to determine the level of DD and monitoring that should be applied.
Note: Sanction and PEP checks must be carried out on all individuals / company and all key controllers/owners of company. Also refer to XPESA’s restricted country / client type list.
Note: If it is proving difficult to identify a new customer or questionable ID is provided, be on guard and refer the case to the Nominated Officer for guidance, who will either advise you on how to proceed or decide to generate an STR.
Note: All hard and soft copies of documentation from Individual/corporate customers will be retained for a minimum period of five years after account closure. All verified documents should be reviewed annually, (as well as random and systematic checks throughout the year) to ensure that they are:
In Certain cases, certified copies of the original may be required, for example:
”Having seen the original I certify that this is a true copy”.
The name and contact details of the individual undertaking the certification must be provided as well as a company stamp. Where a company stamp is not available (e.g. independent professionals), evidence that the individual certifying the documentation is authorised to do so must be requested. Such evidence may include, for example, a practising certificate.
Once all relevant documentation has been obtained, all applicants that are deemed high risk must be referred to the compliance department. All high risk applications must be approved by the compliance department with the MLRO having oversight, before an account can be opened.
The compliance department may request certain applicants or existing clients provide additional documentation and information in order to satisfy (or continue to satisfy) both internal procedures and/or regulatory requirements. The compliance department reserves the right both to refuse an application at any point in the account opening process, and to suspend or close the account of an existing client.
Where a member of the compliance department provides discretionary approval for an application that does not satisfy the relevant requirements in KYC documentation, a written explanation of the rationale used for the approval must be saved in the client file.
XPESA is able to place reliance on the CDD conducted by a third party where the third party is:
There must be a written agreement that confirms that the firm being relied on will provide the relevant CDD documentation immediately on request. The firm being relied upon must also retain copies of the CDD conducted for at least 5 years.
Where XPESA relies on a third party to carry out CDD measures, XPESA must immediately obtain from the third party all the information needed to identify the customer or beneficial owner
XPESA uses a combination of leading electronic identity verification & financial sanctions and adverse media screening service providers, which help companies meet their AML compliance obligations to the standards outlined by the Joint Money Laundering Steering Group (JMLSG) guidance.
These providers support our AML compliance and keep a paperless audit trail (for 5 years) of our compliance checks as evidence.
They assist us in managing and mitigating AML risks and allow us to perform enhanced due diligence checks by cross referencing hundreds of global databases that help us:
Their software incorporates screening of names against a full array of lists published by financial sanction authorities such as OFAC, HM Treasury etc. and relevant watch lists, as well as capturing adverse media information.
Their databases are maintained and updated whenever there is a change in circumstances regarding an individual, entity or country, or a change in regulations and laws.
Our existing client list (individuals and corporations) is provided to them, and their ongoing monitoring feature alerts us immediately to any change in circumstances regarding our clientele. Where an existing client is highlighted, the MLRO will be informed immediately. Where the name match is confirmed, all activity on the account will be frozen and the account and any funds in it dealt with as per regulatory guidance; a sanctioned party's funds must not simply be returned to them.
We also monitor general information and news available in the broadcast media and on the internet. If there is a reference to a client, or a country is added to or removed from a sanctions list, appropriate action is taken immediately.
Note: More information on checks and compliance can be found in Annex 1 & 3.
XPESA understands the inherent risks posed by cryptocurrencies and how they can be used to facilitate financial crime. In order to mitigate some of those risks, XPESA will use blockchain analytics software provided by a leading company in this field, which analyses and reports on activity on the blockchain and helps us comply with AML and compliance regulations.
Once a business relationship is established XPESA must conduct ongoing due diligence on the business relationship and scrutinise the transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with our knowledge of the customer, their business and risk profile, including, where necessary, the source of funds. This includes:
All clients will be subject to monitoring in order to detect suspicious activity relating to ML and TF. At all times, relevant staff members should be alert to questionable activity, such as large transactions, as well as to high volume and seemingly inconsistent transactions.
If required, appropriate measures will be taken:
To ensure customer information is kept up to date, XPESA undertakes periodic reviews of client information. The frequency with which client information is reviewed depends on the client's risk rating: High risk clients are reviewed every 12 months, Medium risk clients every 24 months and Low risk clients every 36 months.
A review of the account involves clients confirming their registration details and the compliance department reviewing the account activity to determine whether the client has funded and traded in line with our expectations.
All High risk clients are to be reviewed on a yearly basis to determine whether the account is to be retained or exited. The review takes into account a range of factors including the risk profile, KYC refresh, transaction patterns and screening results.
Existing accounts will be screened against negative media, new notices, bulletins or additions to the list of countries, entities or individuals on the OFAC and other relevant web sites (such as HM Treasury, FATF and FinCEN) to determine if any current customer appears on those lists and to take appropriate action if a match occurs.
Further to this and in addition to monitoring of accounts as outlined above, certain clients may be required to provide additional information and documentation on a more frequent basis. Such clients will include, but not be limited to, certain higher risk clients, and those who may give cause for concern as to their activities. Where requests for documentation and information are refused, the Compliance department / MLRO reserve the right to suspend or close any account.
In the event that an active client changes their address details, a documentation request for proof of the new residence will be made. Similarly, if the customer wishes to amend or update their status or change any other details, proof will need to be obtained and verified.
All customers should be made aware that information is held for 5 years as required by the MLR 2017. Random checks may be made on information supplied and, if any details are incorrect, customers will be suspended from the system until they supply updated personal information. Staff should take particular care to make sure that customer ID information previously supplied is still valid (and that ID documents have not expired).
KYC refresh will also be required if:
The effectiveness of the AML Procedures is dependent on all employees following the basic rules. XPESA and its MLRO are required to take appropriate measures so that all relevant employees are made aware of the law relating to money laundering and terrorist financing (and their obligations), and that they are given regular training on how to recognize and deal with transactions and other activities which may be related to money laundering or terrorist financing.
The MLRO has full responsibility for oversight of the firm’s AML systems and controls, which include appropriate training for the firm’s employees in relation to money laundering.
All new employees must be made aware of their own responsibilities at the start of their employment, during induction. Training frequency is determined on a risk-sensitive basis. Higher risk and higher responsibility employees, i.e. those dealing with customer application authorisation and transactions, will receive role-specific refresher training regularly. Other staff will be given basic training, repeated every 12 months as a refresher. We will also carry out training where there has been a substantial change in the law, and there will be monthly training sessions on various other relevant topics.
Training will also be provided by an AML specialist and/or an external training course provided by money laundering training specialists to relevant staff. These types of training will be for staff directly dealing with KYC/AML such as client on-boarding, compliance and payments team.
All awareness training activity shall be recorded and filed by the Nominated Officer. The Nominated Officer will provide a monthly review of business activity with the staff, to ensure all procedures and processes have been adhered to with all customer registrations and ensuring that business transactions have been completed correctly.
All staff are screened prior to commencement of their employment. Screening includes criminal and credit checks as well as verification of a prospective employee’s employment history and academic and professional qualifications. These checks are intended to confirm the employee's integrity and that they have the skills, knowledge and expertise to carry out their functions effectively. All staff are also assessed for competence, conduct and integrity on a regular basis during their employment.
The MLR require businesses to have appropriate systems of internal control and communication in order to prevent activities related to money laundering and terrorist financing. In simple terms this means that businesses must ensure that management controls are put in place that will alert the relevant people in the business to the possibility that criminals may be attempting to use the business to launder money or fund terrorism, so as to enable them to take appropriate action to prevent or report it.
Systems of internal control and communication must be capable of identifying unusual or suspicious transactions or customer activity, and of enabling prompt reporting of the details to the Nominated Officer/Money Laundering Reporting Officer (MLRO), who is responsible for making a disclosure to the relevant financial intelligence agency (the Financial Intelligence Analysis Unit, FIAU, in Malta).
The nature and extent of systems and controls that the business needs to put in place will depend on a variety of factors, including the:
XPESA periodically carries out and records checks to ensure that its systems are working in practice. Where systems are found not to meet the needs of the business or, at worst, not to be working in practice, we record the action we are going to take to rectify the problem. We also review the systems and processes themselves to ensure that they remain fit for purpose.
To ensure that the CDD and KYC procedures are being adhered to, each month a random sample of new accounts is checked by the compliance department. Any deficiencies in the KYC documentation will be highlighted to the relevant staff, with further training provided if required. Senior management are informed of this monitoring through the monthly Management Information reports.
XPESA will retain all records of individual and business customers for at least five years from the date that the business relationship ends.
Why do we have to keep records for five years from the end of a business relationship? It is the law. The purpose of keeping records is to enable law enforcement to reconstruct business transactions, often well after the original business has been concluded. In making and retaining records, staff should have in mind the need to provide a clear audit trail of the business we have conducted.
The records that must be kept are:
obtained and verification evidence (checks) obtained.
Transaction and business relationship records (KYC, account files, relevant business correspondence etc.) should be maintained in a form from which a satisfactory audit trail may be compiled, and which may establish a financial profile of any suspect account or customer.
An audit trail is a step-by-step record by which financial data can be traced to its source. In the case of money laundering, the aim of establishing an audit trail is to trace the funds back to the first transaction (the placement) in order to identify the launderer.
The records that we keep must be sufficient to form a complete audit trail that law enforcement can follow from the start of a transaction to its end; this is particularly important should the transaction later become part of an ongoing investigation.
There are several different types of records we should keep:
Supporting documentation is a cornerstone of our anti-money laundering procedures. Unrecorded steps are soon forgotten. Records assist in tracking relevant information and in demonstrating that XPESA has conducted its business responsibly and with integrity. All interviews, searches and activities undertaken to verify the integrity of transactions and persons must be documented and stored by XPESA for reference in the event of an internal audit, or in case they are required to be provided to law enforcement.
Note: It is the sole responsibility of the Compliance department to approve of and manage the disposal of client identification records. Under no circumstances is any other department or individual permitted to dispose of client identification documentation.
The MLR require all businesses to adopt a ‘Risk Based Approach’ to their customers, products and business practices. Risk may be established on the basis of both objective and subjective criteria. A ‘risk rating’ is given to each criterion.
XPESA uses the following grading system:
| Medium – High Risk | M+ |
XPESA adopts a risk-based approach to AML. In practical terms this means assessing the ML/TF risks associated with a customer and applying DD measures on a risk-sensitive basis. The risk factors pertaining to each client must be assessed as part of the DD process and a risk rating given to each client.
The risk rating determines the level of due diligence to undertake for each prospective client. A client that is deemed high risk will need to undergo enhanced due diligence (EDD) and, if accepted as a client, enhanced monitoring.
During the customer onboarding stage various risk factors must be considered to determine the overall risk rating of the client.
The below indicators are provided to help clarify what level of money laundering/terrorist financing risk an applicant may present. These indicators should not be considered either exclusive or exhaustive and should be read in conjunction with CDD and the Country Risk Matrix.
All applicants for business must also be subjected to a reputational risk assessment. For individuals, this assessment consists of a check against PEP lists, sanctions lists and adverse media searches, as mentioned above. For corporate applicants not flagged on a sanctions list, the check is more subjective. Guidance is given below and, where this guidance is insufficient, referral should be made to the MLRO/Compliance department. Companies involved with the following are examples of where a reputational risk exists:
For the purposes of ‘a risk-based approach’, individuals or entities that are (or appear to be) involved with any of the above would represent a ‘higher risk’.
Country risk measures the risk of ML & TF of countries based on publicly available sources. Country Risk Matrix provides an analysis of jurisdictions based on various risk factors, such as:
Countries are rated according to our ‘Grading’ (L to H), based on their overall score taking into account the above risk factors. Countries that have material ML/TF deficiencies receive a serious negative weighting. Where customers come from jurisdictions deemed high risk, additional measures, including EDD, are required.
The assessments are used as an indicator: they enable us to determine when we should apply closer scrutiny. This does not mean that customers who transact with these locations are transacting illegally or are suspected of illegal activity, only that enhanced scrutiny and monitoring are required. XPESA does not conduct any business with customers from sanctioned countries.
Information and data used in the risk ranking matrix is gathered from a subscription based risk rating tool which uses governmental and institutional agency websites, such as:
The list is updated throughout the year so that changes are reflected as and when they occur.
The ‘Country Risk Matrix’ also includes a restricted countries list. XPESA DOES NOT open accounts for residents from, or companies incorporated in and/or operating in, the countries on this list which is based on the following sources:
Sanctions can take the form of any of a range of restrictive or coercive measures. They can include arms embargoes, travel bans, asset freezes, reduced diplomatic links, reduction or cessation of military relationships, flight bans, suspension from international organisations, withdrawal of aid, trade embargoes, restrictions on cultural and sporting links, and others.
It is an offence to directly or indirectly provide financial services to, or make funds available to, sanctioned entities. Failure to comply with the sanctions regime can result in criminal penalties being sought against the firm and, in certain circumstances, against its management. XPESA is committed to compliance with the financial sanctions regime and does not conduct business with, nor maintain relationships with, entities listed on the UN, EU, UK and US sanctions lists.
All new clients will be screened before onboarding. Existing clients will also be screened regularly against updated lists.
Where a company is deemed higher risk or where any shareholders or directors are located (or appear to be located) in a high risk country, as per the Country Risk Matrix, the following additional documentation will be required:
All high risk corporates are required to complete the KYB questionnaire before their accounts can be opened. A declaration of source of funds will also be required to complement the KYB questionnaire and expand our knowledge of the client. Gathering information on the entity’s business operations, trading links and clientele, as well as its sources of funds and wealth, allows us to monitor and assess whether the activity on the account is in line with our expectations.
For individuals deemed high risk, both their source of funds AND their source of wealth must be fully documented. On a risk-based approach, source of funds and source of wealth may also need to be evidenced and verified.
It is the responsibility of the Money Laundering Reporting Officer (MLRO) to oversee all transactions that are processed. The MLRO will focus attention on high risk transactions and customers (risk rating H).
| Risk Ranking | Summary of red flags | Action of MLRO |
|---|---|---|
| H | Sanctions list match | Freeze all activity on account and report to FIAU |
| H | Customer was previously reported to a Financial Intelligence Agency (like FIAU or NCA) and consent was withheld | Freeze all activity on account and report to FIAU |
| H | Customer provides fake ID | Freeze all activity on account pending EDD check |
| H | Customer uses unusual ID to identify | |
| H | Customer previously reported to an Agency and consent given | EDD required |
| H | Customer is a PEP | EDD required |
| H | High volume transactions | EDD required |
| H | Customer is processing a level of transactions incompatible with work status or information previously provided | EDD required |
| H | Customer is demonstrating unusual behaviour (which may be suspicious) | |
| M+ or less | | No immediate action required |
a duty on the Secretary of State to publish guidance.
“Relevant commercial organisation” means—
A Politically Exposed Person (PEP) is an individual entrusted with a prominent public function. This does not include middle-ranking or more junior officials. Individuals entrusted with prominent public functions include:
Please note: An immediate family member or a known close associate of a person referred to in the paragraph immediately above does not necessarily qualify as a PEP without the appropriate risk assessment.
PEPs pose a heightened bribery and corruption risk due to their position. There is the risk that a PEP may abuse their public office for private gain and use the financial system to launder the proceeds of this abuse of office. Similarly, a PEP’s family or close associate may help facilitate, or may also benefit from, the PEP’s abuse of public funds. For this reason, XPESA is required to undertake EDD when transacting with a PEP or family member or known close associate of a PEP.
It is XPESA’s policy to screen all prospective clients against various PEP databases using compliance software tools. Where an applicant is highlighted as a politically exposed person, the application must be referred immediately to the MLRO/Head of Compliance Oversight. All such applicants will be considered higher risk and therefore subject to a higher level of due diligence, and the decision to open the account will be made on a case-by-case basis. This decision requires Senior Management approval.
Existing clients will also be screened regularly against updated lists. Senior management approval must also be sought when deciding, during a periodic review of the account, to continue a relationship with a PEP or with a family member or known close associate of a PEP.
It is important that, before a business relationship is entered into with a PEP, their source of funds is established and XPESA is satisfied that there are no indications that the funds to be used for transactions are derived from corruption (e.g. receipt of bribes) or fraud, or represent an attempt by the PEP to remove or hide assets from their home country.
The source of the PEP’s funds may be established by asking the individual concerned a series of questions to determine where they receive their money from. These questions could include confirmation of the main source of income: salary, business interests or investments from which funds are or will be received.
In order to be satisfied, the areas below are those on which questions can be put to the PEP to determine whether a business relationship should be established. The information gathered can then be presented to XPESA's Senior Management so that they can make an informed decision:
less of a risk than heads of state, MPs, members of the judiciary and ambassadors)
Note: XPESA’s policy is to not open an account for any High Risk PEPs.
For every prospective customer, XPESA must:
This section covers:
Note: ID must be valid, bear a photo, be in colour, and show front and back where applicable.
Note: proof of address must show the full name matching the ID provided, and be dated within the last 3 months.
In situations where an individual is unable to provide an acceptable proof of address from those listed in this section, compliance approval must be requested in order to make an exemption (examples: home or car insurance, mobile phone bill, letter from a university stating that the student is residing on campus, lease or rental agreement; where the applicant lives with or shares accommodation with someone else, such as parents or a housemate, an affidavit and a valid proof of address from that person will be required). Exemptions will only be given in low risk situations. Compliance approval must also be requested when dealing with unfamiliar foreign proofs.
Where an individual resides in a country where they are unable to provide proof of residential address and all mail goes to a P.O. Box, the individual must provide:
Country Specific Proof / Checks
EJARI is a system in which landlords and tenants register their tenancy agreements together with ID, passport and visa details and mobile numbers, so that the record is available in case of dispute. EJARI is operated by the Real Estate Regulatory Agency (RERA), a government agency in Dubai.
For Dubai residents, the ‘Tenancy Contract Registration Certificate’ must be cross referenced against EJARI: http://ejari.ae/PublicPages/TenancyCertificate/PrintTC.aspx
© Xpesa Limited 2019 to 2021