AML CTF Policy

1. UAB Multi Asset Solutions Digital (hereinafter – the Company) is a virtual currency exchange operator established in Lithuania which is subject to the requirements of the Republic of Lithuania for the prevention of money laundering and terrorist financing.
2. This Money Laundering and Terrorist Financing Prevention Policy (hereinafter – the Policy) applies to all employees of the Company.
3. The definitions used in this Policy correspond to the terms defined in the Money Laundering and Terrorist Financing Prevention Law of the Republic of Lithuania.

4. The company, while implementing money laundering and/or terrorist financing prevention measures, follows:
   • the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania (hereinafter – the AML Law)
   • Director of the Financial Crimes Investigation Service (hereinafter – the FCIS) order no. V-131 “On the approval of the description of the procedure for approval and presentation of a copy of a personal identity document”
   • Director of the FCIS order no. V-314 “On the approval of the Technical Requirements for the customer identification process, when identification is established remotely using electronic means that allow live video transmission” (hereinafter – the Technical Requirements)
   • Director of the FCIS order no. V-273 “On the approval of the supervision instructions in the field of regulation of the proper implementation of international financial sanctions by the FCIS”
   • the FCIS Director’s order no. V-5 “On Approval of Instructions for Custodian Virtual Currency Wallet Operators and Virtual Currency Exchange Operators, Aimed at Preventing Money Laundering and/or Terrorist Financing”
   • Industry best practice, such as The Financial Action Task Force (FATF) Recommendations.
5. The company must establish internal control procedures which would ensure that the activities and/or services provided in another country are not of such a scale that only functions or services that are not essential according to the nature of their activity remain in the Republic of Lithuania and services are not provided exclusively to customers of another country.

DEFINITIONS

6. Business relations – business, professional or commercial relations between the customer and financial institutions or other obliged entities, related to their professional activities, which were intended to continue for a certain period of time at the time of establishing the relations.
7. Custodian virtual currency wallet shall mean virtual currency addresses generated with the public key for storing and managing virtual currencies entrusted to other natural or legal persons (third parties) but remaining their property.
8. Custodian virtual currency wallet operator shall mean a legal person who is established in the Republic of Lithuania or a branch, established in the Republic of Lithuania, of a legal person of a Member State of the European Union or a foreign state and who provides services of management of custodian virtual currency wallets on behalf of the customers.
9. Suspicious transaction – a transaction related to assets that are suspected to be directly or indirectly obtained from a criminal act or through participation in such an act and/or are suspected to be related to terrorist financing.
10. The customer – a natural or legal person or a collective investment entity performing transactions with a financial institution or other obligated entity.
11. Beneficial owner – a natural person who owns or controls the customer (a legal entity or a foreign state company) and/or a natural person on whose behalf the transaction or activity is carried out. The beneficial owner is considered to be:
    • in a legal entity:
      1. a natural person who owns a legal entity or controls it directly or indirectly, having a sufficient percentage of the shares or voting rights of that legal entity, including management through bearer shares, except for joint-stock companies or collective investment entities whose securities are traded on regulated markets, which apply requirements to disclose information about their activities in accordance with European Union legislation, or equivalent international standards, or by controlling it in other ways. A natural person who owns 25% and one share or more than 25% of the customer’s ownership is considered a direct owner. A natural person controlling a company or several companies that has 25% and one share or more than 25% of the customer’s ownership is considered an indirect owner;
      2. a senior manager in a legal entity, if the person referred to in sub-paragraph a has not been identified or if there is doubt that the identified person is a beneficial owner;
    • in trust funds – all the following persons:

(a) settlor(s); (b) trustee(s);

1. protector(s), if any;
2. natural persons receiving benefits from a legal person or entity without legal person status, or, if these persons have not yet been identified, persons whose interests are represented by that legal person or entity without legal personality status;

(e) any other natural person effectively controlling the trust by direct or indirect ownership or other means;

• in a legal entity that administers and distributes funds, in an entity similar to a trust – a natural person holding positions equivalent to the positions specified in point 11.2.

12. Monetary transaction – any payment, transfer or receipt of money.
13. Money laundering:
    • the conversion or transfer of property, in the knowledge that such property is derived from a criminal act or from involvement in such an act, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such a criminal act to evade the legal consequences of this act;
    • the concealment or disguise of the true nature, origin, source, location, disposition, movement, rights with respect to, or ownership of property, in the knowledge that such property is derived from a criminal act or from involvement in such an act;
    • the acquisition, possession or use of property, in the knowledge, at the time of acquisition/transfer, that such property was derived from a criminal act or from involvement in such an act;
    • preparation, attempts to commit and association to commit any of the acts referred to in points 1, 2 and 3 of this paragraph.
14. Politically vulnerable (affected) persons – natural persons who are or have been entrusted with important public duties (such as Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials) and their close family members or close assistants (hereinafter – PEP).
15. Terrorist financing – any act which constitutes an offence within the meaning of Article 2 of the International Convention for the Suppression of the Financing of Terrorism of 9 December 1999.
16. Public key – a code of letters, numbers and/or symbols to identify the customer and generate the address of the customer’s virtual currency.
17. Virtual currency – a digital representation of value that does not possess a legal status of currency or money, that is not issued or guaranteed by a central bank or any other public authority, is not necessarily attached to a currency, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically.
18. Virtual currency address – an address/account generated from letters, numbers and/or symbols in the blockchain, by which the blockchain allocates the virtual currency to the owner or recipient.
19. Virtual currency exchange operator – a legal person who is established in the Republic of Lithuania or who is a branch, established in the Republic of Lithuania, of a legal person of a Member State of the European Union or a foreign state and who provides services of virtual currency exchange, purchase and/or sale for remuneration.
20. Senior Manager – an officer or employee with sufficient seniority, possessing sufficient knowledge of the institution’s or undertaking’s money laundering and/or terrorist financing risk exposure and responsible for taking decisions affecting its risk exposure.

21. MAS Digital implements the following measures to prevent money laundering and/or terrorist financing:

21.1. Identification of the customer and beneficiary:

21.1.1. determining whether the customer is acting on its own behalf or under control;

21.1.2. if the customer acts through a representative, identification of the customer’s representative;

21.1.3. identification of the customer – natural person;

21.1.4. identification of the customer – a legal entity;

21.1.5. identification of the beneficial owner of the customer – legal entity;

21.1.6. collection of information about the director of the customer – legal entity;

21.1.7. collection of information about the ownership and control structure and nature of activities of the customer – a legal entity;

21.1.8. collection of information about the purpose and expected nature of business relations with the customer – a natural or legal person;

21.1.9. customer and beneficial owner identity verification based on documents, data or information obtained from a reliable and independent source;

21.1.10. continuous monitoring of the customer’s business relations;

21.1.11. continuous review and updating of documents, data or information provided during customer and beneficiary identification;

21.2. when it is not possible to fulfil the requirements for the identification and verification of the customer and the beneficial owner – non-execution of transactions, refusal to establish or continue business relations;

21.3. application of customer and beneficial owner identification measures not only to new but also to existing customers;

21.4. suspension of a suspicious monetary transaction or transaction;

21.5. notification of suspicious transactions;

21.6. notification of virtual currency exchange transactions or transactions in virtual currency, if the value of such transaction is equal to or exceeds 15,000 euros or an equivalent amount in foreign or virtual currency, regardless of whether the transaction is concluded by performing one or several interconnected operations;

21.7. investigation of complex or unusually large transactions and unusual transaction structure;

21.8. storage of information for a specified period of time;

21.9. appointment of employees responsible for the implementation of money laundering and/or terrorist financing prevention measures;

21.10. employee training;

21.11. implementation of internal systems that allow prompt response to the FCIS through secure channels and ensuring complete confidentiality of requests;

21.12. confidentiality of information provided to the FCIS;

21.13. establishing internal policies and internal control procedures;

21.14. submission of information about the Company’s beneficial owners to the administrator of the Legal Entities Participants Information System (JADIS).

IDENTIFICATION AND VERIFICATION OF CUSTOMER AND BENEFICIAL OWNER

22. The company must take measures to establish and verify the identity of the customer and the beneficial owner:
    • before starting a business relationship;
    • before performing one-time virtual currency exchange operations or transactions in virtual currency for the amount which is equal to or exceeds 700 euros or the equivalent amount in foreign or virtual currency, or making a one-time deposit of virtual currencies or one-time withdrawal of virtual currency, the amount of which is equal to or exceeds 700 euros or the equivalent amount in a foreign or virtual currency, regardless of whether the transaction is concluded by performing one or several interrelated operations (the value of the virtual currency is determined at the time of execution of the transaction), except in cases where the identity of the customer and beneficial owner has already been established.
    • when there are doubts about the veracity or authenticity of previously received customer and beneficial owner identity data;
    • in any other case where there are suspicions that money laundering and/or terrorist financing is, has been or will be carried out.
23. The company carries out the identification of the customer and the beneficial owner in accordance with the provisions of Articles 9-15 of the AML Law, applying risk-based approach, and using:
    • standard customer due diligence;
    • enhanced customer due diligence.
24. In such cases when the Company does not have the ability to fulfil the requirements set out in clauses 20.1.1-20.1.10 of this Policy, it is prohibited to establish or continue business relations, to carry out transactions, and it is mandatory to carry out money laundering and/or terrorist financing risk assessment. After carrying out money laundering and/or terrorist financing risk assessment, the Company might consider reporting suspicious activity to the FCIS.
25. It is forbidden to open anonymous accounts or accounts under fictitious names, as well as to open accounts or otherwise start business relations without requesting data confirming the identity of the customer or if there is a reasonable suspicion that the data recorded in these documents are fake or falsified.
26. The company verifies the documents and information provided by the customer based on documents, data or information obtained from a reliable and independent source. Such actions of the Company may include the request to the customer himself to indicate public sources where the information could be confirmed.
27. The company identifies and verifies the customer by using third-party information about the customer or beneficial owner in the manner established in Article 13 of the AML Law.
28. The company, applying remote customer identification, complies with the FCIS Technical Requirements.

STANDARD CUSTOMER DUE DILIGENCE

THE CUSTOMER IS A NATURAL PERSON

29. When establishing the identity of a customer – a natural person, the company may accept the following type of identity document from the customer:
    • Passport;
    • Identity Card;
    • residence permit issued in the Republic of Lithuania;
    • A driver’s license that corresponds to the 2006 December 20 requirements set out in Annex I of Directive 2006/126/EC of the European Parliament and of the Council on driving licenses (new version) and is issued in a country of the European Economic Area.
30. The personal identity document must contain the following data confirming the customer’s identity:
    • name(s);
    • surname (surnames);
    • personal code (for a foreigner – date of birth (if available – personal code or other unique sequence of characters given to this person, intended to identify the person), number and validity period of the residence permit in the Republic of Lithuania, place and date of its issuance (applies to foreigners);
    • photo;
    • signature (unless it is optional in the identity document);
    • citizenship (unless it is optional in the identity document), if the person is stateless, the state that issued the document confirming the identity of the person.
31. If the identity document does not indicate the customer’s citizenship data, the Company must request the customer’s citizenship data.
32. If the customer – a natural person is represented by another natural person, the Company must request a power of attorney from him and verify its validity (that is, the right of the person who issued it to issue such a power of attorney), the validity period of the power of attorney, what actions to perform are specified in the power of attorney (the power of attorney must meet the requirements of the Civil Code of the Republic of Lithuania). A power of attorney issued abroad must be legalized or confirmed by a document approval certificate (apostille). The representative’s identity is determined in the same way as the customer – a natural person.

THE CUSTOMER IS A LEGAL ENTITY

33. When establishing the identity of a customer – a legal entity, the company requires documents confirming its identity or copies of these documents with a notary’s certificate confirming the authenticity of the copy of the document, which contains the following data:
    • name;
    • legal form, registered office (address), address of actual activity;
    • code (if such a code is provided);
    • certificate of registration and its date of issue.
34. When the customer is a legal entity represented by a natural person, the identity of this representative is determined in the same way as for a natural person.
35. The customer must provide information about the director of the legal entity:
    • manager’s name, surname;
    • personal code (for a foreigner – date of birth (if available, – personal code or other unique sequence of characters given to this person for personal identification);
    • citizenship (if a person is stateless, the country that issued the document confirming the identity of the person).
36. When establishing the identity of the customer – a legal entity, it is mandatory to identify the beneficial owner (owners) in all cases. Beneficial owner identification in all cases means identification of a natural person or group of natural persons.
37. When establishing the identity of the beneficial owner, the company must request the identity data of the beneficial owner:
    • name(s);
    • surname (surnames);
    • personal code (for a foreigner – date of birth (if available, – personal code or other unique sequence of characters given to this person, intended for identifying the person, number and validity period of the residence permit in the Republic of Lithuania, place and date of its issuance);
    • citizenship (if a person is stateless, the country that issued the document confirming the identity of the person).
38. The data provided by the customer is confirmed using electronic identification means issued by the European Union, operating according to electronic identification schemes with a high or sufficient level of security assurance, or with a qualified electronic signature, using a qualified electronic signature certificate that complies with Regulation (EU) No. 910/2014, either using electronic means that allow direct video transmission, or by signing a written document.
39. The company must collect and submit the following data on the beneficial owner at the request of the FCIS:
    • beneficial owner identity data;
    • evidence of verification of the information provided by the customer in reliable and independent sources;
    • data on the ownership and control structure of the customer (legal entity).

GENERAL REQUIREMENTS

40. Before establishing a business relationship, the company follows a risk-based approach and conducts a risk assessment for all customers by assessing at least the following criteria:
    • customer risk;
    • product, service risk and/or transaction risk;
    • country and/or geographic region risk.
41. When determining the identity of the customer and the beneficial owner remotely, the Company must use additional data, documents or additional information to establish the identity of the customer and the beneficial owner, which would allow the Company to verify the authenticity of the customer’s identity, to check whether there are circumstances to apply enhanced due diligence.
42. If a higher risk of money laundering and/or terrorist financing is identified, the Company applies enhanced due diligence.

ENHANCED DUE DILIGENCE

43. Enhanced due diligence (EDD) is performed by applying additional customer and beneficial owner identification measures when:
    • transactions or business relations are conducted with PEP;
    • when transactions or business relations are conducted with natural persons living legal entities established in high-risk third countries identified by the European Commission (hereinafter – EC);
    • transactions or business relations are carried out with natural persons living or legal persons established in high-risk third countries identified by the Financial Action Task Force on Combating Money Laundering and Terrorist Financing (hereinafter referred to as FATF) there;
    • If the Company assesses the customer’s money laundering/ terrorist financing (hereinafter – ML/TF) risk as high.

PEP

44. When the customer – a natural person or the beneficial owner of the a legal person is a PEP (Politically Exposed Person), the Company must:
    • establish and implement internal PEP procedure;
    • obtain the approval of a senior manager to establish or continue business relations with PEP;
    • identify the source of wealth and funds of a PEP;
    • carry out enhanced continuous monitoring of business relations.
45. In order to check whether the customer is a PEP, the Company searches the customer’s name and surname and the name and surname of the beneficial owner of the legal entity in the PEP lists using third-party solutions.
46. When a PEP ceases to hold a prominent public position, the Company must within a period of at least 12 months continue to take into account the risk still posed by that person and apply appropriate measures adapted to the level of risk until it is determined that that person no longer poses a threat specific to a PEP.

EC HIGH-RISK THIRD COUNTRIES

47. When the customer – a natural person or the beneficial owner of a legal entity lives in an EC high-risk third country or when the customer – a legal person is established in an EC high-risk third country, the Company must:
    • obtain additional information about the customer and the beneficial owner;
    • obtain additional information about the intended nature of the business relationship;
    • obtain information about the source of funds and wealth of the customer and beneficial owner;
    • to receive information about the reasons for expected or completed transactions;
    • obtain senior management approval to establish or continue a business relationship;
    • carry out enhanced continuous monitoring of business relationships by increasing the number and timing of controls and selecting the typologies of transactions that will require further investigation;
    • to ensure that the customer’s first payment is made from the customer’s account held at a credit, payment or electronic money institution, when the credit, payment or electronic money institution is registered in a member state of the European Union or in a third country established equivalent to AML Law requirements, and the competent authorities supervise its compliance with these requirements.
48. If the Company applies exceptions established in Article 14, Paragraph 1, Point 3 of the AML Law to branches or subsidiaries of financial institutions or other obligated entities established in the European Union, the Company must perform a risk assessment and have evidence that the identified risk is not high. Risk assessment data is stored in the same manner as other data obtained during customer identification.

FATF HIGH-RISK THIRD COUNTRIES

49. When the customer – a natural person or a beneficial owner of a legal entity lives in a FATF high-risk third country or when the customer – a legal person is established in a FATF high-risk third country, the Company takes one or more additional customer and beneficial owner identification measures to reduce the ML/TF risk and must:
    • obtain the approval of a senior manager to establish or continue a business relationship;
    • take appropriate measures to identify the source of wealth and funds related to the business relationship or transaction;
    • to carry out enhanced continuous monitoring of business relations.

INCREASED RISK OF MONEY LAUNDERING AND/OR TERRORIST FINANCING

50. When the Company determines a higher risk of ML/TF in accordance with customer risk assessment procedure, the Company takes one or more additional customer and beneficial owner identification measures to reduce the emerging ML/TF risk and must:
    • obtain the approval of a senior manager to establish or continue a business relationship;
    • take appropriate measures to identify the source of wealth and funds related to the business relationship or transaction;
    • to carry out enhanced continuous monitoring of business relations.
51. The company determines in its internal policy and internal control procedures what one or more additional customer and beneficial owner identification measures to use while performing enhanced due diligence, for example:
    • obtain additional information about the customer and the beneficial owner;
    • obtain additional information about the intended nature of the business relationship;
    • obtain information about the source of funds and wealth of the customer and beneficial owner;
    • to obtain information about the reasons for expected or completed transactions.
52. Customer risk assessment data is stored in the same manner as other data obtained during customer identification.

UPDATE OF CUSTOMER IDENTIFICATION INFORMATION

53. In order to ensure that the documents, data or information provided during the identification of the customer and beneficial owner are appropriate and relevant, the Company must review and update them.
54. When determining the periodicity of data updates, it is necessary to rely on a risk-based approach, i.e. data for higher risk customers needs to be reviewed and updated more frequently.

TERMINATION OF BUSINESS RELATIONSHIPS

55. The company may refuse to carry out transactions or terminate business relations with the customer, if the customer:
    • does not provide data confirming his/her identity;
    • provides incomplete or incorrect data;
    • avoids providing information necessary to identify him/her;
    • hides the identity of the beneficial owner or avoids providing the information necessary to determine the identity of the beneficial owner, or the data provided is insufficient for this.

TRANSACTION MONITORING

56. When a business relationship is started with a customer, the Company monitors the business relationship in order to ensure that the executed transactions correspond to the Company’s information about the customer, its business, the nature of the ML/TF risk and the source of funds/wealth.
57. The company must pay attention to such activities, which in its opinion and due to their nature may be related to money laundering and/or terrorist financing, and in particular to:
    • complex transaction;
    • unusually large transactions;
    • transactions that are conducted in an unusual manner;
    • any unusual transaction structures that have no apparent economic or visible legitimate purpose;
    • business relations or transactions with customers from third countries, where, according to information officially published by international intergovernmental organizations, the measures to prevent money laundering and/or terrorist financing are insufficient or do not meet international standards.
58. The Company uses third-party solutions for transaction monitoring.\
59. While performing transaction monitoring, the Company must notify the FCIS:
    • about suspended suspicious transactions carried out by the customer (within 3 working hours);
    • data confirming the identity of the customer and information about the completed virtual currency exchange transaction (buying or selling virtual currency in fiat) or transaction in virtual currency (payments in virtual currency for assets), if the value of such monetary transaction is equal to or exceeds 15,000 euros or an amount corresponding to it foreign or virtual currency, regardless of whether the transaction is concluded in one or several interconnected operations. The value of the virtual currency is determined at the time of the execution of the transaction;
    • if it is known or suspected that property of any value is directly or indirectly obtained from a criminal act or participation in such an act, as well as if it is known or suspected that this property is intended to support one, several terrorists or a terrorist organization (within 1 working day)
    • upon receiving information that the customer intends or will attempt to perform a suspicious monetary transaction (immediately);
60. Suspicious monetary transactions are identified by:
    • taking into account the criteria for identifying suspicious monetary transactions approved by the Director of the FCIS by order no. V-240 “On Approval of the List of Criteria for Identifying Money Laundering and Suspicious Transactions”;
    • drawing attention to such customer activities which by their nature may be related to money laundering and/or terrorist financing;
    • during customer and beneficial owner identification;
    • continuous monitoring of the customer’s business relationship, including the investigation of transactions that were concluded during this relationship.
61. The company, after suspending the customer’s transaction, must conduct an internal investigation and determine that the customer’s activity is potentially suspicious, and must then submit a suspicious activity report (SAR) to the FCIS no later than within 3 working hours.
62. SAR is submitted regardless of the value of the transaction.

SUBMITTING INFORMATION AND SAR TO THE FCIS

63. In the event that the customer’s transaction complies with both Policy 59.1. and 59.2. points, the Company must submit both reports to the FCIS – a SAR and a notification on a virtual currency exchange transaction or transaction in virtual currency, if the value of such transaction is equal to or exceeds 15,000 euros or the equivalent amount in foreign or virtual currency, regardless of whether the transaction was concluded through one or several interconnected operations.
64. Notifications to the FCIS are submitted in accordance with the order no. 1V-701 “Regarding the suspension of suspicious monetary transactions and the submission of SAR to the the FCIS, the description of the procedure and Information on cash transactions in the amount of equal to or exceeding 15,000 euros or an amount corresponding to it in foreign currency, approval”.
65. Notifications are provided by logging into the FCIS information system.
66. The data for connecting to the the FCIS information system is provided by authorized employees of the the FCIS after receiving the Company’s notification about the appointed employees and board member who would organize the implementation of the money laundering and/or terrorist financing prevention measures established by the AML Law, or after receiving a separate request by e-mail dokumentas@the FCIS.lt and ppps@the FCIS.lt.
67. Company’s employees are prohibited from informing the customer that a suspicious activity report has been submitted to the FCIS about his/her operations or transactions (tipping-off).

STORAGE OF INFORMATION AND DOCUMENTS, TERMS

68. The company must maintain the following information logs:
    • SAR;
    • transactions performed by the customer;
    • the registration log of virtual currency exchange transactions or transactions in virtual currency, if the value of such transaction is equal to or exceeds 15,000 euros or an amount equivalent to it in foreign or virtual currency, regardless of whether the transaction is concluded by performing one or several interconnected operations;
    • customers with whom transactions or business relations were terminated due to ML/TF reasons;
    • Employee training.

69. Data is recorded in chronological order immediately, but no later than within 3 working days from the completion of the transaction.
70. The company gives priority to the storage of logbook data in electronic format.
71. Information logs are managed under the guidance of the FCIS Director order no. V-129 “On Approval of the Rules for Managing Cash Transactions, Transactions and Information Logs”.
72. Information stored by the company about customers:
    • ID document
    • beneficial owner identity data
    • remote identification record
    • KYC data
    • contract documents
    • correspondence
    • documents and data confirming a transaction or other legally valid documents and data related to the execution of transactions
    • internal investigations
    • information according to which the virtual currency (hereinafter – VC) address can be associated with the identity of the VC owner.
73. The information specified in clauses 68 and 72 of the Policy is stored under the following terms:

EMPLOYEES

74. The company appoints MLRO who will organize the implementation of money laundering and terrorist financing prevention (hereinafter – AML) measures and maintain relations with the FCIS.
75. The Company must notify by e-mail (dokumentas@the FCIS.lt) the FCIS about MLRO appointment and share full name, e-mail and phone number number.
76. The company must ensure that for the AML measures implementation responsible employee has access to all information necessary to perform their functions, including access to information related to customer and beneficial owner identification, monitoring transactions and business relationships.
77. The MLRO who implements the AML measures can be considered a senior manager, if he/she meets the definition specified in Article 2, paragraph 23 of the AML Law.
78. The Company must appoint a senior manager (MLRO) who is a permanent resident of Lithuania, as defined by the Personal Income Tax Law of the Republic of Lithuania.
79. The Company must ensure that the competence, work experience and qualification of the company’s director, Board Members (if applicable) and the senior manager (MLRO) are assessed before their appointment.
80. When assessing the competence, experience and qualification of these persons, it is necessary to take into account the level and nature of the person’s education, qualification, the nature and duration of professional activity or work experience, other factors that may affect the competence, experience and qualification of the person, as well as whether the person who is to be appointed as a director, Board Member (if applicable) or senior manager (MLRO) has knowledge of risk management related to the implementation of measures to prevent money laundering and terrorist financing.
81. The company must organize specialized training on money laundering and/or terrorist financing prevention measures for its employees, especially those who work directly with customers and their transactions.

EMPLOYEE TRAINING

82. The company’s internal procedures must outline the training process for employees and must at least specify:
    • organization of training for employees whose work functions are related to AML;
    • organization of trainings for managers responsible for making decisions related to AML;
    • adaptation of the training content to different employees, taking into account the functions they perform and regularly reviewing the training content;
    • periodicity of the training, control of training organization and knowledge testing;
    • data storage – registration of the employees who participated in the training, the results of the knowledge check, the content of the training materials.
83. The company must store data about the organized training and the employees who participated in them, the results of the knowledge check, the content of the training materials, etc. no less than five years after the end of training.

INTERNAL CONTROL PROCEDURES

84. The company must have the following control procedures:
    • identification and verification of customers and beneficial owners;
    • risk assessment and risk management (hereinafter – EWRA);
    • monitoring of business relations and transactions;
    • implementation of international financial sanctions, restrictive measures;
    • submitting information and SAR to the FCIS;
    • managing information logs;
    • storage of information;
    • updating customer and beneficial owner identification information;
    • organization of training for employees in order to properly acquaint them with the AML requirements..
85. The Company’s internal control procedures are approved by the senior manager or a management body that approves internal control procedures (the Board, head of department, etc.).
86. The company must establish compliance and/or audit procedures for internal policy and internal control procedures to ensure the provisions of AML requirements and conduct an assessment of compliance and/or audit of internal control procedures at least once a year.
87. The Company must provide AML reports to the FCIS until March 31 of each year.

EWRA

88. In order to effectively manage the risk of money laundering and terrorist financing, the Company must perform a money laundering and terrorist financing enterprise-wide risk assessment (hereinafter – EWRA) at least once a year.
89. All EWRA assessments performed by the Company and subsequent changes related to this document must be formalized in writing.
90. EWRA shall be carried out taking into account at least the following risk factors:
    • customers;
    • country and/or geographic region;
    • services and products provided, operations performed;
    • delivery channels.
91. The company, taking into account the scale and nature of its activities, can also distinguish other risk factors.

UPDATE OF INTERNAL CONTROL PROCEDURES

92. The company must review and, if necessary, update its internal control procedures:
    • After the European Commission published the results of the money laundering and terrorist financing risk assessment carried out at the level of the European Union (SNRA) (published on the website of the European Commission http://ec.europa.eu);
    • after the results of the National Money Laundering and Terrorist Financing Risk Assessment (NRA) (published on the website the FCIS.lt in the subsection “Prevention of Money Laundering” under “National Risk Assessment of Money Laundering and Terrorist Financing”);
    • upon receipt of an instruction from the FCIS to tighten the applied internal control procedures;
    • upon the occurrence of important events or changes in the Company’s management and operations;
    • periodically while monitoring the implementation and adequacy of internal control procedures.

93. In each case before establishing a relationship with a customer or executing a transaction, the Company must make sure that the customer, beneficial owner and/or customer’s representative is not on the lists of persons subject to international financial sanctions (hereinafter – Sanctions Check).
94. Sanctions checks also apply to customer transactions.
95. For sanctions checks the Company uses third-party solutions.
96. When carrying out the Sanctions check, the Company uses at least the following sanctions lists:
    • European Union;
    • United Nations.
97. The company also checks the FCIS public list of legal entities which are owned or controlled by the sanctioned person/entity.
98. If the company determines that international sanctions are applied to its customer, the Company must freeze the customer’s account and inform the FCIS about within 2 working days by the email sankcijos@fntt.lt.
99. The Company must comply with the Law of the Republic of Lithuania on International Sanctions, the resolutions of the Government of the Republic of Lithuania on the implementation of the Law on International Sanctions, the regulations of the European Union on international sanctions and exceptions to their implementation, and the FCIS Director’s order no. V-273 “Regarding the approval of supervision instructions in the field of regulation for the Proper Implementation of International Financial Sanctions”.

100. It is necessary to follow the provisions of the changed laws of the Republic of Lithuania, Government resolutions and other legal acts immediately.
101. Violations of the AML Law may be subject to sanctions from the regulator – a warning, a fine (for both the Company and its managers), removal of managers, restriction of disposal of funds, cancellation of permission to operate, temporary ban on providing one or more services might be applied.