1. Policy on Anti-Money Laundering and Countering the Financing of Terrorism
I .GENERAL PROVISIONS
1. Speedy AG sp z o.o. (the Company) as a national payment institution within the meaning of the Payment Services Act, being an obliged institution within the meaning of the Anti-Money Laundering and Counteracting the Financing of Terrorism Act (AML Act), is obliged to establish an internal procedure in the area of anti-money laundering and counteracting the financing of terrorism, concerning, in particular, the principles for the application of financial security measures, including, among other things, the identification and verification of the customer's identity, as well as the ongoing monitoring of the customer's business relationship, including the analysis of transactions carried out within the framework of the business relationship. This Policy is established in fulfilment of the above statutory obligation.
2. The Company provides payment services in the European Economic Area. The services are directed in particular to micro, small and medium-sized entrepreneurs - although the Company does not exclude servicing consumers as well as large entrepreneurs. The key services provided by the Company are:
2.1. payment account (enabling payment transactions, e.g. receiving payments to customers and business partners, paying obligations to counterparties, currency exchange),
2.2. payment instruments (payment card and application, used to dispose of/manage funds held on a payment account),
2.3. money transfer service (which allows the transfer of payments without the need for a payment account),
2.4. the user's payment account information service (AIS) enabling access to data on the user and the payment account held with another payment service provider.
3. Definitions
3.1. AML - Anti-Money Laundering and Countering the Financing of Terrorism.
3.2. AML Policy - this Policy.
3.3. AML Act - Act of 1 March 2018 on the prevention of money laundering and the financing of terrorism (i.e. Journal of Laws 2022, item 593 as amended).
3.4. Ultimate beneficial owner - any natural person as defined in Article 2(2)(1) of the AML Act
3.5. Money laundering - Money laundering (ML) is a method used by criminals to give illegal economic gains the appearance of legitimacy. The Fifth EU Anti-Money Laundering Directive contains a definition of money laundering which refers, inter alia, to the transfer, concealment or possession of property (or participation in such activities) in the knowledge that the property is derived from the activities of the criminal activity. The characteristics of money laundering therefore include (i) activities related to the laundering of property, namely assets or funds, and (ii) knowledge (or suspicion) of the origin of the property. In practice, money laundering can therefore be carried out, for example, by a drug trafficker depositing cash into a bank account, a cybercrimina receiving a wire transfer into an account as a result of online fraud or hacking, and a individual or legal entity carrying out a tax avoidance scheme.
3.6.Terrorist financing - Terrorist financing (TF) refers to the accumulation or possession of funds (directly or indirectly) with the intention that these funds will be used (or aresuspected to be used) to carry out activities defined as acts of terrorism. There may also be evidence of terrorist financing where a person is involved in an arrangement where property rather than cash is used. The funds or property involved in terrorist financing may come from a legitimate source, such as remuneration paid to an individual's account from their employment or the sale of an asset, such as a vehicle. This makes terrorist financing potentially difficult to detect and the Company is committed to implementing appropriate procedures and measures to identify, prevent and eliminate possible terrorist financing.
3.7.Financial sanctions - Financial sanctions are measures imposed by national governments and multinational bodies to change the behaviour and decisions of other national governments or non-state actors that may threaten the security of the global community or violate international norms of behaviour (e.g. human rights violations). In short, financial sanctions are a form of inter-state intervention and are generally seen as a cheaper and less risky alternative to military action.
3.8.Proliferation financing - Proliferation financing is the provision of funds or financial services used for the production, acquisition, possession, development, export, transhipment, brokering, transportation, transfer, stockpiling or use of nuclear, chemical or biological weapons and their means of delivery and related materials (including both technology and dual-use goods used for illicit purposes), in violation of national laws or, where applicable, international obligations.
4. The implementation of this AML Policy involves:
4.1. Board of Directors and the Designated Member of the Board of Directors (designated in accordance with Article 7 of the AML Act),
4.1.1. The Board is responsible for:
●approving this Policy and other internal regulations of the Company in AML,
●Implementing an appropriate organisational and operational structure and providing adequate resources necessary to ensure compliance with the AML Policy and the AML Act,
●regular review of the MLRO activity report,
●timely and appropriate periodic reporting as required by the AML Policy, the AML Act and other laws,
●supervision of outsourcers entrusted with AML tasks,
●to assess whether the candidate for the MLRO position meets the criteria of reputation, integrity and ethics to warrant the proper performance of this function, knowledge and skills in the AML area, including knowledge of the law, also in the implementation of AML policies (strategies), controls and procedures, sufficient knowledge and understanding of the risks associated with the Company's business model and experience in identifying, assessing and managing risks, adequate seniority and responsibilities to perform the assigned functions in an effective and independent manner.
4.1.2.The designated Board Member is responsible for:
●Ensure that the Board is aware of the impact of AML risks on the risk profile across the Company's operations, ●Ensure the adequacy and proportionality of the AML policies (strategy), procedures and internal control system, taking into account the specific nature of the Company's activities and risks, ●Ensure that the MLRO provides the Board with regular and timely comprehensive reports and information on AML compliance risks necessary for the Board's decision-making process,
●Ensure that the MLRO has direct access to the information necessary to carry out its tasks, including information on Company-wide AML/CFT incidents and irregularities and deficiencies identified by the internal control system and by national supervisory authorities, and has sufficient human and technical resources and tools to adequately perform its tasks,
●the appropriate response of the Company's bodies to the MLRO's requests, including on the Board,
●Liaise with the Head of Compliance and AML, the Head of Risk Management and the first pillar in the drafting and implementation of the obligations set out in the AML Act, procedures, as well as standards of behaviour in respect of anti money laundering and terrorist financing,
●performs the duties of the MLRO and the Director of the Compliance and AML Unit in his/her absence.
4.2. MLRO - Director of the Compliance and AML Department (designated employee in accordance with Article 8 of the AML Act), who is responsible for:
● develop and implement a framework for assessing the risks of money laundering and terrorist financing, covering the Company's entire operations, and presents the results of this assessment, together with risk mitigation mechanisms, to the Board of Directors,
● Introduce appropriate AML policies (strategies) and procedures (including for the process of establishing business relationships with customers without their physical presence), keep them up-to-date and effectively implemented with appropriate controls, and ensure that they are regularly reviewed and amended or updated as necessary,
● making proposals to adapt policies and procedures to regulatory changes or changes in AML risks,
● monitoring whether the policies, controls and procedures implemented by the Company comply with its AML obligations,
● overseeing the effective application of controls by the first line of defence,
● recommending to the Board of Directors appropriate corrective actions to address deficiencies in the AML process, including those identified by financial information and supervisory authorities and audits,
● informing the Board of Directors what measures should be taken to ensure the Company's compliance with laws, rules, regulations and standards,
● identifying areas that require the implementation of new controls or the improvement of existing controls, monitoring and reporting on the progress of significant remediation programmes at least annually as part of the annual activity report and on an ad hoc or periodic basis, the adequacy of human and technical resources allocated to the Compliance and AML Department. ,
● for preparing a comprehensive report on its activities at least once a year by 31 January of the year in question for the preceding calendar year in addition to periodic and ad hoc management reports,
●informing the Company's employees about the AML risks to which the Company is exposed, including the methods, trends and typologies of money laundering and terrorist financing,
●the preparation and implementation of the training programme and its documentation (in this respect, it liaises with the HR Department to ensure that confirmation of the individual employee's completed training is submitted to the employee's personal file),
●Ensure that training is differentiated and tailored to the profile and level of AML risk for a given group of Employees,
●accepting or refusing to accept the Company's establishment or continuation of a business relationship with a customer in accordance with the internal regulations in force in this respect,
●the transmission on behalf of the Company of the notifications referred to in Articles 74()1, 86(1), 89(1) and 90 of the AML Act,
●ensuring correct external reporting as required by law in accordance with the Reporting Procedure in force,
●Ensuring that the Company's activities and those of its Employees and others performing activities for it comply with AML laws and regulations,
●drawing up (at least every 2 years) and presenting to the Board of Directors for approval a risk assessment of the Company,
●analysis of legislative changes (this includes recommendations, standards and guidelines from international and national bodies (GIIF, FSC, EU) and organisations (FATF, Transparency International, EBA)) and communication of these changes to the Company,
●supervision and management of the Compliance and AML Unit,
●keeping an internal register of identified impediments and, once a year or whenever necessary, updating the standards of communication with the customer in order to minimise the occurrence of impediments to the verification of the identity of the Beneficiary.
4.3.Compliance and AML Department, responsible for:
●Supporting the MLRO in fulfilling its AML/CFT obligations,
●Carrying out the MLRO's instructions related to the implementation of the AML Policy and tasks in this area.
4.3.2 The Risk Management Department, responsible for the ongoing monitoring of the level of the Company's exposure to money laundering and terrorist financing, including the adequacy and effectiveness of the implementation of the risk-based approach and the AML Policy, taking into account the specific nature of the Company's risks, and oversees the degree of implementation of the corrective actions and measures appropriate to the deficiencies identified.
4.4.Each employee of the Company, is responsible for:
●Carrying out the MLRO's instructions related to the implementation of the AML Policy and tasks in the AML area,
●to be familiar with the AML Policy and other internal regulations in the AML area and to participate in all mandatory training in this area organised in the Company,
●keep confidential all information relating to AML activities undertaken by the MLRO and the Company,
●Compliance with and performance of obligations under the AML Policy and other internal regulations in the AML area.
4.5.Internal Control Department, responsible for internal audit in the area of anti-money laundering and terrorist financing.
5.In the event of the MLRO's temporary absence or unavailability (including, in particular, those related to annual leave, illness, emergencies), the MLRO's duties may be temporarily taken over by a deputy MLRO appointed in advance by resolution of the Board of Directors.
6.The Management Board must inform the nominee without delay of
6.1.the fact that the resolution of the Management Board referred to above has been adopted and any amendment thereto,
6.2.the occurrence of a situation of temporary absence or unavailability of the MLRO respectively.
7.In the event of the temporary absence or unavailability of a Designated Member of the Management Board (including, in particular, those related to holidays, illness, emergencies), his/her duties shall be temporarily taken over by a person appointed from the composition of the Management Board by a resolution of the Management Board. In the absence of a relevant resolution of the Management Board or in the absence of such persons in the composition of the Management Board, the President of the Management Board shall assume the duties. In the event of the temporary absence or unavailability of the President of the Management Board, another available member of the Management Board shall take over the duties.
8.The Company's organisation within the internal AML system is based on 3 lines of defence: 8.1.The first line is made up of the employees directly responsible for contact with the customer (in particular the Customer Service Department). They implement the Company's policies and procedures with due diligence and in accordance with the risk-based approach. In the Company, the first line is additionally formed by other operational employees and their Directors (from the IT, HR, Business Development and Operations, Liquidity and Finance, Planning and Analysis Departments). Any issues that affect the risk of money laundering and terrorist financing and breaches of sanctioning obligations are communicated directly to the MLRO (in particular, reports indicated in the Company's AML/CFT Policy are sent to it, as well as issues that are outside the knowledge, skills or responsibilities of the First Line Employees). The Directors of the First Line Departments participate in the development of the Company's procedures and ensure their effective enforcement;
8.2.The second line of defence is the Compliance and AML Department (including the MLRO), as well as the Risk Management Department and the Responsible Person. The Compliance and AML Department assists the MLRO in ensuring that the Company's activities comply with the applicable regulations and guidelines of the supervisory authorities, in particular with regard to AML. The Compliance and AML Department performs tasks strictly related to AML and terrorist financing, including, in particular, assessing the risks of the Client, monitoring the Business Relationship with the Client on an ongoing basis, preparing documentation, verifying the Client for sanctioning restrictions and cooperating with the MLRO in the case of identifying Suspicious Transactions. The MLRO shares information on policy and regulatory requirements, advises other departments in this regard and answers questions related to AML/CFT and sanctions. The Risk Management Department monitors the level of the Company's AML/CFT exposure risk on an ongoing basis, including the adequacy and effectiveness of the implementation of the risk-based approach and this Policy taking into account the specificity of the Company's ML/FT risks, and oversees the degree of implementation of corrective actions and measures appropriate to the identified irregularities;
8.3.the third line of defence is the Internal Audit Department, which is responsible for internal audit - i.e. independently checks and monitors all policies and procedures. The main task of the third line is to ensure that the first two lines are operating effectively and in accordance with applicable regulations and good practices. The Internal Audit Department assesses whether the actions taken by the Company to date are reasonable, justified and appropriate to the circumstances, i.e. it examines whether the Company properly implements the risk- based approach (independently of the Risk Management Department). It forwards any recommendations and recommendations to the Board of Directors and the units subject to the audit. The audit is carried out once a year or whenever there are significant legislative changes, interpretation of regulations by supervisory authorities, changes in the Company's operations (introduction of new products) and on the occasion of updating the Company's risk assessment.
9.The Company applies the financial security measures set out in the AML Act to its Clients.
10.The Company identifies the money laundering and terrorist financing risks associated with its business relationships and assesses the level of risk identified.
11.The Company applies financial security measures to an extent and intensity that takes into account the identified risks of money laundering and terrorist financing related to the business relationship and its assessment.
12.Financial security measures include in any case:
12.1.identifying the customer, its representatives and persons acting on its behalf and verifying their identity, as well as identifying the beneficial owner and taking reasonable steps to verify its identity and establish ownership and control, in the case of a customer other than a natural person,
12.2.to assess t h e business relationship and, as appropriate, obtain information on its purpose and intended nature,
12.3.ongoing monitoring of the client's business relationships, including:
1.1.1.analysing transactions carried out within the business relationship to ensure that such transactions are consistent with the Company's knowledge of the customer, the nature and extent of the customer's business and consistent with the money laundering and terrorist financing risks associated with that customer,
1.1.2.investigation of the source of assets at the client's disposal, where justified by the circumstances,
1.1.3.ensuring that the documents, data or information in their possession regarding the business relationship are kept up to date.
13.The entirety of the Company's internal regulations in the area of AML includes:
13.1.Updated at least annually (or as required by a change in legal or factual circumstances) and approved by resolution of the Board of Directors:
13.1.1.AML policy,
13.1.2.The Company's statement on risk appetite,
13.2.Updated at least once every 2 years (or as required by a change in legal or factual circumstances) and approved by a resolution of the Board of Directors, the Company's General Risk Assessment,
13.3.Updated at least once every 2 years (or as required by a change in legal or factual circumstances) and approved by the MLRO:
13.3.1.List of countries with assigned risk values and countries considered unacceptable
13.3.2.List of industries with assigned risk values and industries deemed unacceptable
13.3.3.Procedure for the Individual Assessment of a Client
13.3.4.Customer identification procedure (KYC)
13.3.5.A procedure for monitoring transactions and customers
13.3.6.Periodic review procedure
13.3.7.Procedure for notifications to authorities
13.3.8.Reporting procedure
II. RISK ASSESSMENT OF THE INSTITUTION AND RISK ASSESSMENT OF THE CUSTOMER
1.The Company assesses money laundering and terrorist financing risks relating to:
1.1.the general activities of the obligated institution - in isolation from the specific and individual economic relationship and the specific and individual occasional transaction (General Assessment of the Company), and
1.2.related to a specific and individual business relationship of the obliged institution with the customer or to a specific and individual occasional transaction (Individual Customer Assessment).
2.In carrying out the Company's Overall Assessment, consideration is given, in particular, to:
2.1.Assessments made by FIUs or other bodies authorised to make risk assessments under generally applicable legislation, where such assessments may be applicable to the scope and focus of the Company's activities,
2.2.the scope and object of the Company's activities,
2.3.statistical data on customers and their transactions,
2.4.statistical data in the area of anti-money laundering and terrorist financing relating to the Company's activities, including data contained in reports and statements produced in this area,
2.5.the technical and organisational solutions applied in the area of AML.
3.The Individual Customer Assessment is carried out:
3.1.prior to the establishment of a business relationship,
3.2.when establishing a business relationship, if a prior risk assessment is not possible,
3.3.in the event of a change in customer data,
3.4.in the event of a change in the previously established nature or circumstances of the business relationship with the client,
3.5.in the event that the client is entered/removed from the sanction lists (monitoring in this respect is carried out on an ongoing basis, each time the sanction lists are updated),
3.6.upon verification of the information referred to in Article 35(2)(3) of the AML Act,
3.7.periodically, as part of the ongoing monitoring of the business relationship with the client.
4.The Company carries out an Individual Client Assessment taking into account, in particular, factors relating to:
4.1.type of client,
4.2.geographical area (country of residence or domicile, country of residence),
4.3.the products requested by the customer
4.4.purpose of the account,
4.5.distribution channels,
4.6.value of transactions carried out,
4.7.purpose, regularity or duration of the Business Relationship,
4.8.sector of activity,
4.9.unusual customer behaviour for a given situation,
4.10.presence of the client on sanction lists,
4.11.status as a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person,
4.12.other unusual customer characteristics.
5.A lower risk of money laundering and terrorist financing may be evidenced in particular by the fact that the client is:
5.1.individual client (natural person, freelancer), fully identified and does not carry out transactions of a suspicious nature,
5.2.a unit of the public finance sector referred to in Article 9 of the Act of 27 August 2009 on public finance (i.e. Journal of Laws of 2021, item 305, as amended),
5.3.a state-owned enterprise or a company with a majority shareholding of the State Treasury, local government units or their associations,
5.4.a resident of a Member State [of the European Union, a Member State of the European Free Trade Association (EFTA) - a party to the Agreement on the European Economic Area (the Company enters into business relations exclusively with natural persons residing in Poland)],
5.5.a resident of a third country described by reliable sources as having a low level of corruption or other criminal activity,
5.6.a resident of a third country where, according to reliable sources, AML and CFT legislation complies with the requirements of European Union AML and CFT law,
6.A higher risk of money laundering and terrorist financing may be evidenced in particular:
6.1.establishing business relationships in unusual circumstances,
6.2.the subject of the client's business involving the carrying out of a significant number or high volume of cash transactions,
7.Assessment is carried out at four levels:
7.1.Unacceptable
7.2.High
7.3.Standard
7.4.Low
III CUSTOMER IDENTIFICATION PRINCIPLES
1.The Company applies financial security measures when establishing business relationships. Customer identification includes the identification of the customer itself, the persons representing the customer and, where applicable, the beneficial owner of the customer.
2.Identifying the customer involves identifying and recording the following data:
1.1.for individuals:
1.1.1.NAME,
1.1.2.nationality,
1.1.3.the Universal Electronic System for Population Registration (PESEL) number or, if no PESEL number has been assigned, then both the date of birth and the country of birth,
1.1.4.the series and number of the person's identity document,
1.1.5.residential address,
1.1.6.name (business name), tax identification number (TIN) and address of the main place of business - in the case of a natural person running a business,
1.1.7.the purpose and intended nature of the economic relationship;
1.2.for institutional clients (legal persons and organisational units without legal personality):
1.2.1.name (company),
1.2.2.organisational form,
1.2.3.registered office or business address,
1.2.4.TIN, or in the absence of such a number, the country of registration, the name of the relevant register and the number and date of registration,
1.2.5.first name, surname and PESEL number (or, if no PESEL number is assigned, then both the date of birth and country of birth of the person representing that legal person or unincorporated entity),
1.2.6.purpose and intended nature of the Economic Relationship;
1.3.for the actual beneficiaries:
1.3.1.NAME,
1.3.2.nationality,
1.3.3.the Universal Electronic System for Population Registration (PESEL) number, or if no PESEL number has been assigned, then both the date of birth and the country of birth,
1.3.4.residential address.
1.4.for authorised persons (i.e. persons entering into an agreement on behalf of the client and giving instructions regarding client funds) to act on behalf of the client:
1.4.1.NAME,
1.4.2.nationality,
1.4.3.the Universal Electronic System for Population Registration (PESEL) number or, if no PESEL number has been assigned, then both the date of birth and the country of birth, series and number of the person's identification document,
1.4.4.the series and number of the person's identity document.
1.5.for client representatives (a person other than the one authorised to act on behalf of the client):
1.5.1.NAME,
1.5.2.the Universal Electronic System for Population Registration (PESEL) number or, if no PESEL number has been assigned, then both the date of birth and the country of birth.
2.Verification of a customer's identity (or that of another person, e.g. a representative or a beneficial owner) involves confirmation of established identification data on the basis of a document confirming the identity of the natural person, a document containing up-to-date data from an extract from the relevant register or other documents, data or information from a reliable and independent source (including: the Register of Entrepreneurs KRS, CEiDG, PESEL register), as well as (where available) from electronic identification means, or trust services (as defined in Regulation 910/2014), i.e. electronic signatures, seals and certificates.
3.When verifying the identity of a client (beneficial owner/representative), the Company uses remote verification software (which allows identification of the person and verification of the identity document) or accepts copies of original documents (including identity cards, passports, certificates, account statements, utility bills, register extracts).
4.In addition, the software used allows the use of biometrics to verify the identity of the customer, the Company shall ensure that the biometrics are unique enough to be uniquely associated with a single individual. The Company shall use strong and reliable algorithms to verify that the biometric data provided in the submitted identity document matches the Customer being deployed.
5.To the extent that the Company uses remote verification software, the Company:
5.1.ensures that any photographs or films are taken under appropriate lighting conditions and that the required characteristics are recorded with the necessary clarity to allow proper verification of the customer's identity (photographs and films are verified by a company employee);
5.2.ensures that any photos or videos are taken while the client is carrying out the verification process;
5.3.performs activity detection verification, which may include procedures that require a specific action on the part of the customer to verify that he or she is present in a communication session, or which may be based on an analysis of the data received and do not require a specific action on the part of the customer.
6.In addition to the data and information indicated above, the Company collects other documents and information, the detailed scope of which (depending, inter alia, on the customer's risk assessment) is governed by the Customer Identification Procedure (KYC), but may include in particular:
6.1.for all clients:
6.1.1.financial documents, e.g. financial statements or tax declarations,
6.1.2.invoices from suppliers or invoices issued to customers,
6.1.3.contracts concluded with suppliers or customers,
6.1.4.internal regulations, including those on AML,
6.1.5.legal opinions, reports and reports prepared by the auditors,
6.1.6.business documents (licences, concessions, etc.),
6.1.7.statements and agreements relating to payment accounts,
6.1.8.statement of PEP status.
6.2.in the case of clients who are not natural persons:
6.2.1.articles of association or statutes,
6.2.2.shareholder registers, information on the ownership structure,
6.2.3.extracts from the commercial register, extract from the register of beneficial owners,
6.2.4.resolutions of the bodies, minutes of their meetings.
6.3.in the case of natural persons (clients, representatives, beneficial owners):
6.3.1.statement of PEP status,
6.3.2.documents such as driving licences, ID cards, etc,
6.3.3.utility bills,
6.3.4.contracts, tax declarations, statements of payment accounts.
7.In addition, as part of customer identification and verification, the Company may verify databases providing information on customer reputation (so-called adverse media), verifying customer reliability and financial standing (business intelligence agencies, business information bureaus,scoring agencies), verifying PEP status, verifying economic, personal and organisational relationships.
8.The Company shall ensure that (i) all images, video, audio and data are captured in a readable format and of sufficient quality so that the Customer is unambiguously identifiable, and (ii) the identification process does not continue if technical faults or unexpected interruptions in the connection are detected.
9.The Company shall ensure that documents and information collected during the remote identification process, which must be retained, should be time-stamped and securely stored by the Company. The content of the stored records, including images, video, audio and data, should be available in a readable format and allow for ex-post verification.
10.All functions and activities related to remotely establishing business relations with customers are performed by the company and its employees - this means that the company does not use outsourcing in this regard. The company uses technology solutions provided by external providers to carry out identification and identity verification of customers.
11.An employee who has encountered difficulties in the course of verifying the identity of the Beneficiary of the real customer shall draw up an official note in electronic form. The note shall include in particular:
11.1.the name of the client,
11.2.the date on which verification of the identity of the customer's beneficial owners was carried out,
11.3.a brief description of the difficulties identified in connection with the identity verification,
including in particular:
11.4.to indicate deficiencies with regard to an individual's identity documents, documents containing up-to-date data from an extract from the competent register or means of electronic identification,
11.5.inability to establish or doubt as to the identity of individuals,
11.6.the suspicion that a document submitted to the employee for verification is not genuine,
11.7.ticking the absence of the information specified in Article 38(1) of the AML Act,
11.8.a description of the steps the employee took to overcome the difficulties mentioned, including, inter alia, details and results of the contact with the client.
12.The service note, together with a scan of the documents and explanations received from the customer, is sent by the verifying employee to the MLRO's e-mail address.
IV RULES CURRENT MONITORING RELATIONS ECONOMIC RELATIONS (CUSTOMER AND TRANSACTION MONITORING)
1.The ongoing monitoring of the client's business relationship is divided into three core processes:
1.1.Ongoing monitoring of transactions (so-called transactional monitoring):
1.1.1.Ongoing monitoring of transactions is performed automatically using a dedicated IT solution. In addition, the MLRO's designated Employee performs an ongoing analysis of the Client's transactions and activity to identify suspicious transactions or suspicious activity. Ongoing Transaction monitoring is carried out for all Transactions ordered, regardless of their actual execution.
1.1.2.Ongoing monitoring includes verification of the circumstances of the transaction, the amount, as well as other factors, in particular whether:
1.1.2.1.The transaction is for a significantly higher amount than the client has made to date,
1.1.2.2.Transactions take place at an unusual frequency with regard to the specifics of the client in question,
1.1.2.3.Transactions take place with a different average Transaction value than before during the period of the Business Relationship with the respective Client,
1.1.2.4.There are trading 'peaks' that are unnaturally deviated from the client's average, which the client is unable or unwilling to justify,
1.1.2.5.The transaction in the title contains words that may indicate a risk of money laundering or terrorist financing;
1.1.2.6.The transaction is carried out in the currency of a high-risk third country;
1.1.2.7.The transaction originates from an entity other than the one indicated in the contract;
1.1.2.8.The Transaction is unnaturally complex - made up of several smaller Transactions from different people;
1.1.2.9.There is no business case for the transaction;
1.1.2.10.Transactions taking place at high frequency taking into account the declared needs of the client;
1.1.2.11.The transactions amount to very large sums;
1.1.2.12.The transaction sets are for very small amounts from one person;
1.1.3.Details of the transaction monitoring rules are set out in the Transaction and Customer Monitoring Procedure.
1.1.4.In the event of the disclosure of transactions that are unusual, abnormally complex and involving large amounts of money that do not appear to have legal or economic justification, the Company:
1.1.4.1.takes steps to clarify the circumstances under which these transactions were carried out,
1.1.4.2.intensifies the application of the financial security measure referred to in Article 34(1)(4) of the AML Act with respect to the business relationships under which these transactions were carried out,
1.1.4.3.make appropriate notifications as necessary and take other actions as provided for in the AML Policy and the AML Act.
2.Ongoing customer monitoring ("screening") involves the ongoing continuous analysis of customers through verification:
2.1.Presence on sanctions lists - i.e. sanctions imposed on a customer or person in direct or indirect control of a customer in connection with suspected money laundering or terrorist financing or economic sanctions as defined in EU or national legislation, including, but not limited to, Regulation 765/2006, Regulation 269/2014, Regulation 833/2014j; sanctions list databases used to assess customer risk; databases are automatically updated by their provider,
2.2.the presence in databases of media reports (so-called adverse media) - i.e. media information about a client's actions or the actions of others towards the client which may affect the business relationship with the client or the client's risk assessment.
2.3.Details of the customer monitoring rules are set out in the Transaction and Customer Monitoring Procedure.
3.The periodic review of customers (so-called periodic review) consists of a repetition of the customer risk assessment activities, customer identification and business relationship analysis in accordance with the established Periodic Review Procedure, which should include, inter alia, an in-depth analysis of the customer's transaction activity and an analysis of the interaction with the customer, in particular complaints made, enquiries received (including enquiries from other obliged institutions or authorities).
4.A periodic review shall be carried out:
4.1.on a cyclical basis, according to a schedule set out in the procedure, taking into account the client's risk assessment,
4.2.at the request of the MLRO or a Designated Board Member,
4.3.due to suspicion of money laundering or terrorist financing, suspicion of obtaining incomplete or false information from the customer, change in the previously established nature or circumstances of the business relationship; change in previously established customer or beneficial owner details.
V PRINCIPLES FOR ESTABLISHING CUSTOMER RELATIONSHIPS
1.Where the Company is unable to apply one of the financial security measures referred to in Article 34(1) of the AML Act:
1.1.does not establish a business relationship,
1.2.does not carry out transactions, including the occasional transaction,
1.3.dissolves economic relations.
2.The Company shall assess whether the inability to apply financial security measures constitutes grounds for providing the GIIF with the notification referred to in Article 74 or Article 86 of the AML
Act or the obligation to promptly provide the information required under Art. 4(2) or 5 of Regulation 765/2006 or pursuant to Article 7(1) or 8 of Regulation 269/2014.
3.The Company has the following controls in place to ensure that the first transaction with a new customer is only completed after all necessary security measures have been applied to the customer:
3.1.upon completion of the remote onboarding procedure, the responsible employee (or MLRO if necessary) approves the risk assessment and client profile,
3.2.Once the customer profile is approved, the Company signs a payment services agreement with the customer and activates the customer's payment account.
3.3.upon signing the contract, the customer gains access to the full functionality of the payment instrument (application) provided by the Company, including the possibility of ordering transactions.
.Details of the controls are described in the relevant internal procedures, in particular the Procedure for the Application of Financial Security Measures (KYC).
VI PRINCIPLES FOR ESTABLISHING RELATIONSHIPS WITH PEP
5.In the case of a Business Relationship with a Politically Exposed Person, a family member of a Politically Exposed Person or a close associate of a Politically Exposed Person (PEP) within the meaning of the AML Act, the Company shall apply financial security measures to such persons and take the following actions:
5.1.obtains the approval of the Designated Member of the Management Board for the establishment or continuation of a business relationship with the client, failing which the business relationship is not established or the existing business relationship is terminated accordingly,
195.2.applies appropriate measures to establish the source of the client's assets and the source of the assets at the client's disposal in the course of the business relationship or transaction,
5.3.intensifies the application of the financial security measure referred to in Article 34(1)(4) of the AML Act, which includes, inter alia, analysis of transactions, which is carried out on an ongoing basis, in accordance with the Policy, examination of the source of the client's assets and updating documents and information on business relations with the client, with these activities being carried out by the Company on an ongoing basis, immediately and each time it identifies a factor qualifying the application of intensified financial security measures.
6.During the period between the date on which the client ceases to hold PEP status and the date on which it is determined that there is no higher risk associated with that person, but for no less than 12 months, the Company shall apply measures to such person to address that risk.
VII PRINCIPLES FOR CLARIFYING CONCERNS WITH CUSTOMERS
1.If the Company becomes aware at any time of possible irregularities in the identification, verification or activity of a customer in the course of using the Company's services, and if a discrepancy is noted between the information collected in the Central Register of Beneficial Owners and the information on the beneficial owner established by the Company, an employee shall request the customer to clarify the irregularity or discrepancy.
2.In the absence of receipt of an explanation within a set period (not exceeding 30 working days - the set period should take into account the nature of the case and the doubts and the provisions of the contract concluded with the client), the client's execution of the transaction shall be suspended, informing the client accordingly.
3.In the absence of clarification of the irregularities / discrepancies or suspicion of the possibility of money laundering or terrorist financing, the Company shall not execute the transaction ordered by such Client or shall not establish a business relationship with such entity or shall terminate the business relationship with such Client.
4.If the non-performance of a transaction, the failure to establish a Business Relationship with a customer or the termination of a Business Relationship with a customer has occurred for reasons that may be related to money laundering or terrorist financing, the Company shall notify the GIIF.
VIII RULES ON NOTIFICATIONS TO AUTHORITIES
1.The Company, its Employees and other persons acting for and on behalf of the Company shall keep confidential the fact that they have provided the GIIF or other competent authorities with the information set out in this Chapter with the information set out in Chapters 7 and 8 of the AML Act; information about the planning of the initiation and the conduct of the analysis of money laundering or terrorist financing.
2.The obligation to keep the information referred to above confidential does not apply to the transmission of information between:
2.1.obliged institutions and their branches and subsidiaries which a r e part of a group and which apply the rules of conduct set out in the group procedure, including branches and subsidiaries established in a third country;
2.2.mandatory institutions referred to in Article 2(1)(13) to (15a) and (17) of the AML Law, and third-country persons who are subject to the requirements of Directive 2015/849 or equivalent and perform their professional activities within the same legal entity or within a structure with common ownership, common management or common control of AML and terrorist financing compliance, which includes the legal entity within which that mandatory institution performs its professional activities;
2.3.obliged institutions referred to in Article 2(1)(13)-(15a) and Article 2(1)(17) of the AML Act and their clients with regard to the information provided in order to stop the client from engaging in illegal activities or to prevent the client from engaging in such activities;
2.4.mandatory institutions referred to in points 1 to 5, 7 to 11, 13 to 15a, 17 of Article 2(1), 24 and 25 of the AML Act, and between those obliged institutions and their counterparts established in a Member State or in a third country that are subject to the requirements set out in Directive 2015/849 or equivalent and apply the relevant rules on professional secrecy and personal data protection, in cases involving the same client and the same transaction.
3.The GIIF may, in justified cases, require the obliged institutions referred to above to keep secret the fact that they have provided the GIIF or other competent authorities with information, in accordance with the principles set out in chapter 9 of the AML Act (art. 96-116 of the AML Act).
4.In order to perform for the first time the obligations referred to in Article 72, Article 74, Article 76, Article 86, Article 89(8) and Article 90 of the AML Act, the Company shall submit to the GIIF a form identifying the Company containing the following information:
4.1.the name (business name) together with an indication of the organisational form of the Company,
4.2.Company TIN,
4.3.identification of the type of business carried out by the Company,
4.4.registered or business address,
4.5.name, position, telephone number and electronic mailbox address of the MLRO,
4.6.names, surnames, positions, telephone numbers and electronic mailbox addresses of other Employees responsible for the implementation of the provisions of the AML Act whom the Company wishes to designate to contact the GIIF,
4.7.the name and Tax Identification Number (NIP) or the first name, surname and Personal Identification Number (PESEL) of the intermediary entity referred to in Article 73(1) of the AML Act, if the intermediary entity is used.
5.If the data referred to above changes, the Company shall update them without delay.
6.The information referred to above shall be transmitted to the GIIF by means of electronic communication, using a model form made available by the minister in charge of public finance.
7.The company provides the GIIF with information on:
7.1.the receipt or withdrawal of funds with an equivalent value of more than €15,000,
7.2.the executed transfer of funds with an equivalent value of more than €15,000, with the exception of:
7.2.1.domestic transfer of funds from another obliged institution,
7.2.2.a transaction relating to the Company's own management, which was carried out by the Company in its own name and on its own behalf,
7.2.3.a transaction carried out in the name or on behalf of entities of the public finance sector referred to in Article 9 of the Public Finance Act of 27 August 2009,
7.2.4.transfer for security of assets executed for the duration of the transfer agreement concluded by the customer with the Company,
7.3.a purchase or sale of foreign exchange, the equivalent of which exceeds EUR 15,000, or to act as an intermediary in such a transaction.
7.4.The obligation to provide information referred to above also applies to the transfer of funds from outside the territory of the Republic of Poland.
7.5.Conversion of amounts expressed in euro shall be made at the average exchange rate of the currency announced by the National Bank of Poland (NBP) in force on the day the transaction is carried out or on the day the transaction is ordered.
8.The company shall provide information within 7 days of:
8.1.accept a deposit or make a withdrawal of funds, or
8.2.to execute a payment transaction for the transfer of funds, or
8.3.make the means of payment available to the payee, or,
8.4.carrying out or intermediating in the carrying out of transactions for the purchase or sale of foreign exchange.
9.The information provided includes:
9.1.Unique transaction identifier in the Company's records,
9.2.the date or date and time of the transaction,
9.3.the identity of the customer giving the instruction or order to execute the transaction:
9.4.name,
9.5.nationality,
9.6.the Universal Electronic System for Population Registration (PESEL) number or, if no PESEL number has been assigned, then the date of birth and country of birth, series and number of the person's identification document,
9.7.residential address,
9.8.name (business name), tax identification number (NIP) and address of the main place of
business - in the case of a natural person running a business,
9.9.analogous identification data held, of the other parties to the transaction,
9.10.the amount and currency of the transaction,
9.11.type of transaction,
9.12.Title of the Transaction,
9.13.the manner in which the instruction or order to execute the Transaction is given,
9.14.the account numbers used to carry out the transaction identified by the International Bank Account Number (IBAN) identifier or an identifier containing the country code and the account number in the case of accounts not identified by IBAN.
10.The information shall be transmitted to the GIIF by means of electronic communication, using a model information provided by the minister responsible for public finance.
11.The Company shall notify the GIIF, by means of electronic communication, of circumstances that may indicate a suspicion that a money laundering or terrorist financing offence has been committed.
12.The notice shall be given immediately, but no later than 2 working days after the Company confirms the suspicion.
13.The notice shall state:
13.1.Customer identification data:
13.2.name,
13.3.nationality,
13.4.the Universal Electronic System for Population Registration (PESEL) number or, if no PESEL number has been assigned, then the date of birth and country of birth, series and number of the person's identification document,
13.5.residential address,
13.6.name (business name), tax identification number (NIP) and address of the main place of business - in the case of a natural person running a business,
13.7.the identification data referred to above held by natural persons, legal persons and unincorporated organisational entities that are not customers of the Company,
13.8.the type and size of Property Values and where they are stored,
13.9.the number of the account held for the customer, indicated by the IBAN identifier or an identifier containing the country code and the account number in the case of accounts not marked with IBAN,
13.10.information in their possession as referred to above in respect of transactions or attempts to do so,
13.11.indication of the country of the European Economic Area to which the transaction relates, if carried out in the context of cross-border activity,
13.12.information in their possession about an identified risk of money laundering or terrorist financing and about a criminal act from which assets may be derived,
13.13.rationale for giving notice.
14.Notifications shall be submitted to the GIIF by electronic means of communication, using a model notification provided by the minister responsible for public finance.
15.The Company shall immediately notify the GIIF, by means of electronic communication, if it has a reasonable suspicion that a specific transaction or specific assets may be related to money laundering or terrorist financing.
16.In the notification, the Company shall provide the information in its possession relating to the suspicion and information on the expected timing of the transaction referred to above.
17.The notice shall state:
17.1.Customer identification data:
17.1.1.name,
17.1.2.nationality,
17.1.3.the Universal Electronic System for Population Registration (PESEL) number or, if no PESEL number has been assigned, then the date of birth and country of birth, series and number of the person's identification document,
17.1.4.residential address,
17.1.5.the name (business name), tax identification number (TIN) and address of the main place of business - in the case of a natural person running a business,
17.2.the identification data referred to above held by natural persons, legal persons and unincorporated organisational entities that are not customers of the Company,
17.3.the type and size of the assets and where they are stored,
17.4.the number of the account held for the customer, indicated by the IBAN identifier or an identifier containing the country code and the account number in the case of accounts not marked with IBAN,
17.5.information in their possession as referred to above in respect of transactions or attempts to do so,
17.6.indication of the country of the European Economic Area to which the transaction relates, if carried out in the context of cross-border activity,
17.7.information in their possession about an identified risk of money laundering or terrorist financing and about a criminal act from which assets may be derived,
17.8.rationale for giving notice. 18.The Company shall promptly notify the GIIF, by means of electronic communication, of the execution of the transaction, where the transmission of the notification was impossible before the execution of the transaction. In the notification, the Company shall justify the reasons for the earlier failure to provide the notification and shall provide the information in its possession confirming the suspicion.
19.Upon receipt of a notice, the GIIF shall immediately acknowledge its receipt, in the form of an official acknowledgement of receipt, containing in particular the date and time of receipt of the notice.
20.Until the Company receives any request from the GIIF, but no longer than for 24 hours, counting from the moment of confirmation of acceptance of the notification referred to above, the Company shall not carry out the transaction referred to in the notification or other transactions debiting the account in which the assets referred to in the notification have been accumulated. Saturdays and public holidays shall not be included in the period referred to in this paragraph.
21.The GIIF, in the event that it considers that a Transaction, may be related to money laundering or terrorist financing, shall forward to the Company a request to stop the Transaction or to block the account for a period not exceeding 96 hours, counting from the date and time indicated in the confirmation of receipt of the request. Immediately upon receipt of this request, the Company shall stop the transaction or block the account. In the request, the GIIF shall specify the asset values covered by the request. Saturdays and public holidays shall not be included in the period referred to in this paragraph.
22.The GIIF may exempt the Company from the obligation referred to above where the information in its possession does not provide grounds for notifying the public prosecutor of a suspicion that a money laundering or terrorist financing offence has been committed, or where it considers that the suspension of transactions or the blocking of the account could hinder the performance of the tasks of law enforcement authorities and services or institutions responsible for the protection of public order, the security of citizens or the prosecution of perpetrators of crimes or fiscal offences.
23.The Company, at the request of a client issuing an instruction or order to carry out a transaction or who is the holder or owner of the property values referred to above, may inform that client that it has received an appropriate request from the GIIF concerning that transaction or property values.
24.The Company shall immediately notify the competent public prosecutor if it has a reasonable suspicion that the assets traded or held in the account are the proceeds of, or are connected to, a criminal offence other than money laundering or terrorist financing or a fiscal offence.
25.In the notification, the Company shall provide the information in its possession relating to the suspicion and information on the expected timing of the transaction.
26.Until the receipt of the public prosecutor's order, and for no longer than 96 hours from the time of transmission of the notification, the Company shall not carry out transactions or other transactions debiting the account in which the assets referred to in the notification have been accumulated. Saturdays and public holidays shall not be included in the period referred to in this paragraph.
27.Within the time limit specified above, the public prosecutor shall issue a decision to initiate or refuse to initiate proceedings, of which he shall immediately notify the Company. In the event that proceedings are initiated, the public prosecutor shall, by order, suspend the transaction or block the account for a period of no more than 6 months from the date of receipt of the notification.
28.An order to stop a transaction or block an account may also be issued despite the Company's failure to notify.
29.The order shall specify the extent, manner and timing of the suspension of the transaction or blocking of the account. The order may be appealed to the court having jurisdiction to hear the case.
30.Immediately upon receipt of the public prosecutor's order, the Company shall provide the GIIF, by means of electronic communication, with information on the notifications filed and copies of such orders.
31.The Company shall notify the competent public prosecutor without delay of a transaction where notification of that transaction could not have been given before the transaction took place. In the notification, the Company shall justify the reasons for the early non-transmission of the notification and shall provide the information in its possession confirming the suspicion.
32.At the request of the GIIF, the Company shall immediately provide or make available the information or documents in its possession, necessary for the performance of the tasks of the GIIF specified in the AML Act, including those relating to:
32.1.customers,
32.2.transactions carried out,
32.3.the type and size of assets and where they are stored,
32.4.application of a financial security measure,
32.5.IP addresses from which connections were made to the Company's ICT system, and the
connection times to that system.
33.The GIIF may indicate in the request:
33.1.the time limit and the form in which the information or documents are to be provided or made available,
33.2.the scope of the information and the timeframe for obtaining it by the Company in connection with the application of the financial security measure referred to in Article 34(1)(4) of the AML Act or in connection with certain occasional transactions.
34.The GIIF, in the event that the GIIF considers that a specific transaction or specific Asset Values may be related to money laundering or terrorist financing, shall transmit to the Company, by means of electronic communication, a request to stop the transaction or block the account. In the request to block the account, the GIIF shall specify the Asset Values covered by the request.
35.The Company shall suspend the transaction or block the account for a period not e x c e e d i n g 96 hours from the receipt of the request referred to above. Saturdays and public holidays shall not be included in the period referred to in this paragraph.
36.In the event that discrepancies are identified and noted between the information collected in the Central Register of Beneficial Owners and the information on the customer's beneficial owner established by the Company, the Company shall provide the Minister responsible for public finance with verified information on such discrepancies, together with justification and documentation of the discrepancies noted.
37.The details of making notifications to authorities are governed by the Procedure for making notifications to authorities.
X RULES ON THE APPLICATION OF ECONOMIC SANCTIONS
1.The Company applies the specific restrictive measures set out in the sanctioning regulations issued by the European Union (Regulation 765/2006, Regulation 269/2014, Regulation 833/2014, Regulation 881/2002 Regulation 753/2011 Regulation 2580/2001, among others) to persons and entities placed on the lists established under these regulations and to persons and entities placed on:
1.1.lists promulgated by the GIIF on the basis of United Nations Security Council resolutions issued under Chapter VII of the Charter of the United Nations concerning threats to international peace and security caused by terrorist acts, in particular the lists referred to in para. 3 of United Nations Security Council resolution 2253 (2015) or in para. 1 of United Nations Security Council resolution 1988 (2011),
1.2.list maintained by the GIIF in accordance with Article 120(1) of the AML Act- published in the Public Information Bulletin on the subject website of the minister responsible for public finance,
1.3.list maintained by the Minister of the Interior and Administration in accordance with the Act of 13 April 2022 on special solutions to prevent support for aggression against Ukraine and to protect national security,
1.4.and all other lists that the Company may be obliged to apply by generally applicable laws. consisting of:
1.5.freezing of funds/financial resources owned, held or controlled, directly or indirectly, by persons or entities included in the list of persons and entities on the Polish Sanctions List and in the lists annexed to the Sanctions Regulations. Freezing of funds means preventing any move, transfer, alteration, use of, access to, or dealing with funds in any way that would result in any change in their volume, value, location, ownership, possession, character, destination or other change that would enable the use of the funds, including portfolio management,
1.6.freezing of economic resources owned, held or controlled, directly or indirectly, by persons and entities listed in the Polish sanctions list or included in lists attached to sanctions regulations. Freezing of economic resources means preventing the use of economic resources to obtain funds, goods or services in any way, including, but not limited to, by selling, renting or encumbering them.
1.7.Failure to make any funds / financial resources / economic resources available directly or indirectly.
2.The company freezes assets and does not make them available without prior information to the persons and entities affected.
3.All information in its possession relating to the freezing or withholding of assets shall be provided by the Company to the GIIF immediately, but no later than within 2 working days of the freezing or withholding of assets.
4.Deliberate and conscious participation in activities the object or effect of which is directly or indirectly to circumvent the measures referred to above shall be prohibited.
5.In addition to the sanction letters referred to above, the Company may use by MLRO decision other sanction letters, in particular:
5.1.United Nations Security Council sanctions list,
5.2.OFAC list of Specially Designated Nationals and Blocked Persons (SDN list),
5.3.list of entities subject to financial sanctions in the UK,
5.4.lists maintained by individual EU member states,
to verify the actual ownership structures and corporate affiliations of clients.
6.The detailed rules for verifying the presence of clients on sanction lists and the list of sanction lists used are set out in the Transaction and Client Monitoring Procedure.
XI RULES ON INFORMATION ACCOMPANYING FUND TRANSFERS
1.In the situations set out in Regulation 2015/847, the Company shall ensure that the Transfer of Funds is accompanied by the following customer information:
1.1.surname or name,
1.2.payment account number,
1.3.address,
1.4.the number of the official personal document,
1.5.identification number or date and place of birth.
2.In the situations set out in Regulation 2015/847, the Company shall ensure that transfers of funds are accompanied by the following information about the recipient (whereby, as defined in Article 3(4) of Regulation 2015/847, recipient means the person who is the intended recipient of the relevant transfer of funds):
2.1.surname or name,
2.2.payment account number,
3.In the case of a transfer that is not made from or to a payment account, the Company shall ensure that the transfer of funds in question is accompanied - instead of the payment account number or numbers - by a unique transaction identifier.
4.Prior to the transfer of funds, the Company verifies the veracity of the information referred to above, on the basis of documents, data or information obtained from a reliable and independent source.
5.The verification referred to above shall be deemed to have been carried out w h e r e :
5.1.the Client's identity was verified in accordance with Article 13 of Directive (EU) 2015/849 implemented into the Polish legal order in Article 34 and Article 37 of the AML Act, and the information obtained as part of the verification of the Client's identity was retained in accordance with Article 40 of Directive (EU) 2015/849 , or
5.2.Article 14(5) of Directive (EU) 2015/849 applies to the client.
6.In the case of a batch transfer carried out by a single customer where the PSPs of the payees are located outside the Union, the requirements set out above shall not apply to individual transfers bundled together in a batch transfer, provided that the batch transfer contains the required information, which has been verified, and the individual transfers carry the customer's payment account number or, where no payment account is used for the transaction, a unique transaction identifier.
7.The Company may not make any transfer of funds until it has complied with the requirements of this Chapter.
8.Where all PSPs involved in the payment chain are established in the European Union, transfers of funds shall be accompanied by at least the payment account number of both the customer and the payee or, where the transaction is carried out without payment accounts, a unique transaction identifier, without prejudice, where applicable, to the information requirements set out in Regulation (EU) No 260/2012.
9.Independently, the Company shall make the information available within 3 working days of receiving a request for information from the payee's PSP or intermediary PSP:
9.1.in the case of transfers of funds the amount of which exceeds EUR 1,000, regardless of whether the transfers are carried out as one or several Transactions which appear to be linked, information on the Client or the Recipient in accordance with the scope set out above,
9.2.in the case of Cash Transfers that do not exceed EUR 1,000 and that do not appear to be linked to other Cash Transfers that together with the transfer in question amount to more than EUR 1,000, at least:
9.2.1.the name or business name of the customer, the name or business name of the recipient, and
9.2.2.the payment account numbers of the customer and the payee or, where applicable, the unique identifier of the transaction.
9.3.In the case of money transfers where all payment service providers involved in the payment chain are located in the European Union, the Company does not need to verify the Customer's information unless the Company:
9.3.1.has received the funds to be transferred, either in cash or in the form of anonymous e- money, or
9.3.2.has reasonable grounds to suspect money laundering or terrorist financing.
9.4.By way of derogation, where applicable, for the information required under Regulation (EU) No 260/2012, where the payment service provider of the payee is located outside the Union, transfers of funds the amount of which does not exceed EUR 1,000 and which do not appear to be linked to other transfers of funds which together with the transfer in question exceed EUR 1,000 shall be accompanied by at least the following information:
9.4.1.the name of the customer, the name of the recipient, and
9.4.2.the payment account numbers of the customer and the payee or, where applicable, the unique identifier of the transaction.
And in that case, the Company does not need to verify the information about the Customer referred to in this paragraph unless the Company:
9.4.3.has received the funds to be transferred, either in cash or in the form of anonymous e- money, or
9.4.4.has reasonable grounds to suspect Money Laundering or Terrorist Financing.
XII PRINCIPLES OF INTERNAL CONTROL
1.Internal audit, i.e. an independent examination of the Company's compliance with the AML Act, other laws and internal regulations in the AML area, including in in particular with the AML Policy is carried out by the Internal Control Department (under the third line of defence).
2.The study referred to above takes the form of:
2.1.constant control in all areas of the Company's activities,
2.2.annual report presented to the Board,
2.3.where necessary, additional reports, guidelines, resolutions or orders to subordinate units of the Company.
3.Control audits of the Company's activities as a payment institution are carried out by the Internal Control Department. The Head of the Internal Control Department may designate one or more employees from among its staff to carry out the audit or specific activities thereof. The Internal Control Department may outsource part or all of the audit to an external entity that has the appropriate experience and qualifications to conduct such an audit.
4.The Board of Directors or the Shareholders' Meeting of the Company by resolution may instruct the Internal Control Department to carry out audits in the area of AML.
5.The Internal Control Department prepares a report on its audit, indicating in particular whether the Company's activities are conducted in accordance with the provisions of the law and internal regulations. If the auditors find any irregularities or inconsistencies, the report should include:
5.1.a list of suggested corrective actions to remedy the deficiencies or non-conformities identified,
5.2.a list of suggested preventive actions and remedial measures to eliminate or minimise the future occurrence of the deficiencies or non-conformities identified in the report,
5.3.suggest the persons or units of the Company responsible for carrying out the various activities.
6.Approval of the suggestions of the Internal Control Department as set out above falls within the competence of the Board of Directors and should take the legal form of a resolution of the Board of Directors. If the recommendations concern the Board of Directors, the approval of the suggestions is the competence of the Shareholders' Meeting and should take the legal form of a resolution of the Shareholders' Meeting.
7.Auditees (including members of the Company's bodies) are obliged to make available to the members of the Internal Audit Department all documents and instruments as well as to provide explanations necessary for the audit.
8.The audit carried out by the Internal Audit Department includes, in particular:
8.1.the Company's performance of the obligations set out in Articles 6 to 8 of the AML Act,
8.2.making and updating risk assessments in a timely manner,
8.3.the correct application of financial security measures,
8.4.the correctness of the classification of customers into different risk groups,
8.5.The degree of compliance with the AML Policy and its compliance with the law,
8.6.the correctness of the Company's storage of documents and information,
8.7.implementation of the obligation to ensure that Employees participate in training programmes,
8.8.ensuring that an anonymous whistleblowing procedure is in place,
8.9.Timeliness of notifications and notifications to the GIIF,
8.10.examination of the quality, timeliness, completeness, accuracy and relevance of the data collected in the course of remotely establishing business relations with clients,
8.11.an examination of whether the MLRO carried out and documented performance audits of how business relationships were established in a timely manner,
8.12.to investigate whether circumstances had arisen during the audit period that would require an ad hoc review of the provisions of the AML Policy on remote client relationships and, if so, whether such ad hoc reviews had been carried out and what the outcome had been.
9.Internal Audit also undertakes any other activities aimed at determining whether the Company is properly applying the applicable laws and internal regulations.
XIII PRINCIPLES FOR THE DISSEMINATION OF KNOWLEDGE IN THE AML
1.The Company is committed to an adequate level of AML/CFT awareness and therefore:
1.1.Each employee of the Company is required to familiarise himself/herself with the AML Policy and other internal regulations in this respect within the first week of his/her employment.
1.2.Every employee of the Company is required to receive basic AML/CFT training within the first week of their employment.
1.3.Each employee of the Company is required to undergo periodic AML/CFT training organised by the MLRO if he/she is referred to it by the MLRO or his/her supervisor.
2.The AML Policy and other internal regulations in the area of AML are subject to regular review and update - any update should be communicated to the Company's employees, e.g. by circulating an e-mail so that all employees are aware of the changes.
3.The MLRO and the employees of the Compliance and AML Department, as well as all other employees involved in the performance of tasks under the AML Act and the AML Policy, are obliged to regularly improve their qualifications and update their knowledge, in particular by participating in the following w training courses specialised training organised by Company or specialised training courses to which the Company refers them.
4.Any employee has the right to address questions or concerns in the area of AML directly to the MLRO or the Board.
XIV DOCUMENT AND DATA RETENTION RULES
1.The company shall keep the necessary documents and information in a manner:
1.1.so that their content cannot be consulted by unauthorised persons:
1.1.1.traditional documents are stored securely (e.g. locked room, locked filing cabinet); in addition, the documents are scanned and stored electronically,
1.1.2.electronic documents and information are stored securely, the Company backs up each original electronic document and electronic information at an appropriate frequency.
1.2.to be made available without delay to the supervisory authorities in accordance with their respective competences, with a view to their use as evidence in criminal, civil or administrative proceedings.
1.3.The details of the storage, security and backup rules may be governed by other internal Company regulations in the area of data protection and information security.
2.The company documents in particular:
2.1.identified risk of money laundering,
2.2.financial security measures applied,
2.3.the results of the ongoing analysis of the transactions carried out,
2.4.any difficulties in establishing and verifying the customer's identity,
2.5.all impediments related to reasonable steps taken to verify the identity of the Ultimate Beneficiary.
3.The company retains documents and information for a period of time:
3.1.5 years, counting from the date of termination of the business relationship with the client or from the date of the occasional transaction, whereby this period applies:
3.1.1.copies of documents and information obtained as a result of financial security measures,
3.1.2.evidence of the transactions carried out and the records of the transactions, including original documents or copies of documents necessary to identify the transactions,
3.2.5 years, counting from the date of the transaction, and this period applies to the results of the ongoing analysis of the transaction as referred to in Article 34(3) of the AML Act. 4.The retention periods for documents and information indicated above may be extended upon the GIIF's request formulated pursuant to Article 49(3) of the AML Act. 5.In the event of liquidation, merger, demerger or transformation of the Company, the provisions of Article 76 (1) of the Accounting Act of 29 September 1994 shall apply to the retention of records.
XV RULES ON WHISTLEBLOWING
1.Every employee has the right to report actual or potential violations of laws, internal procedures and ethical standards, including, in particular, AML laws. Reports may be made by name or anonymously.
2.The informant has the right to:
2.1.free access to Board Members and the MLRO,
2.2.keep their identity confidential.
3.The Company encourages the Whistleblower to report an identified or potential breach directly to the Board Member or, if the matter involves a Board Member, to the MLRO.
4.Wherever in the following reference is made to a Responsible Person, it shall be understood to mean the Designated Board Member or alternatively the MLRO, if the application relates to a Board Member, unless the wording of the relevant provision indicates otherwise.
5.If the whistleblower fears retaliation or there are other reasonable grounds then The whistleblower may use the channel of anonymous reporting of an identified or potential breach.
6.Whistleblowers are encouraged to disclose their identity when reporting violations, although they may remain anonymous in all cases.
7.The identity of the informer - if disclosed by the informer - is known only to the Responsible Person except in the following cases:
7.1.it is necessary for one or more authorised persons, in particular the MLRO, to be aware of the case and to take action in the notified area,
7.2.The Company is legally obliged to disclose the identity of the Informer, including at the request of a court, law enforcement or other public administration authority.
8.A whistleblower involved in a breach does not have automatic immunity excluding participation in the investigation or liability (disciplinary, administrative, civil or criminal) for the breach. In the case of disciplinary liability, the Company will take into account the fact of reporting the breach as a relevant mitigating circumstance.
9.The informant shall:
9.1.Consider contacting the Responsible Person directly before u s i n g the anonymous
channel to report an identified or potential breach,
9.2.make the notification only in good faith,
9.3.include in the notification all relevant information on the identified or potential breach,
9.4.provide the necessary explanations to the Responsible Person during the investigation.
10.The informant should include in the notification in particular (if applicable):
10.1.a detailed description of the identified or potential breach,
10.2.date of infringement,
10.3.data of persons involved in the infringement,
10.4.data of witnesses to the infringement,
10.5.evidence of infringement.
11.At the request of the Responsible Person, the informer should provide additional explanations or evidence where possible.
12.Informants or persons participating in the investigation are prohibited from discussing reported violations in public, unless otherwise required by common law or the Informant has been instructed to do so by the Responsible Person.
13.The company provides:
13.1.to any potential whistleblower: simple and anonymous access to the person responsible for receiving reports and reporting violations of applicable laws and Company regulations,
13.2.any Employee or other person performing activities for the Company making the notification:
13.3.protection against retaliation by the Informant and others providing evidence or information for the investigation,
13.4.protection against actions of a repressive nature or affecting the deterioration of their legal or factual situation, or involving the directing of threats,
13.5.to any potential informant: protection against actions taken against him/her that are repressive or that worsen his/her legal or factual situation or that involve the use of threats.
13.6.to any potential whistleblower: to ensure that, in the circumstances of reporting violations of applicable laws and Company regulations, they do not face threats, deterioration of working or employment conditions from either the Company or its employees,
13.7.to any employee or other person performing activities for the Company making the notification and to the person alleged to have committed the breach: the protection of their personal data, in accordance with data protection legislation,
13.8.confidentiality as to the identity of the informer and the information about the information made notification.
14.The Company shall ensure that the identity of the Informer and of the person alleged to have committed the breach is protected against retaliation in particular by:
14.1.an absolute prohibition on providing unauthorised persons with information about the identity of the Informer and the person alleged to have committed the infringement, as well as the fact that a report has been made,
14.2.enabling a report to be made through the anonymous reporting channel of an identified or potential breach,
14.3.absolute prohibition of retaliation and reprisals - these actions are prohibited even if the violation was reported in good faith and if the investigation carried out shows that the violation did not occur,
14.4.An absolute prohibition on threatening or taking, or refraining from taking, actions that have the direct or indirect effect of worsening working conditions or conditions of employment, including, in particular, remuneration, the workplace, the technical resources made available for use by Informants, the limitation of development paths, discrimination or unfair treatment,
14.5.to make the Company's employees aware of the applicable prohibition on retaliation, reprisals, threats or conduct/abandonment resulting in the deterioration of the working or employment conditions of the Informers or the persons alleged to have committed the violation
14.6.instituting disciplinary, civil or criminal proceedings, as appropriate, against any person who attempts or solicits retaliatory action against the whistleblower or anyone who provides information about the breach, contributes to the information to be provided or who otherwise assists in the investigation and the person alleged to have committed the breach.
15.Any whistleblower who has been subjected to certain retaliatory actions or suspects that he/she may be the target of such actions should report this fact to the Responsible Person.
16.Any whistleblower who has been exposed to the actions referred to in the previous point is entitled to report instances of such actions to the GIIF. The notification shall be made in accordance with the procedure provided for by the Regulation of the Minister of Finance, Funds and Regional Policy on the receipt of reports on actions of a repressive nature against employees and persons acting on behalf of the obliged institution. The notification may be made electronically or on paper. In the event of transmission by of the notifier's contact address, the Inspector General shall forward information on the follow-up to that address within no more than 30 working days of receipt of the notification.
17.Eligible persons must protect the identity of Informants and other details of violations, as well as details of the investigation, by sharing information about violations only with other eligible persons and only to the strict extent relevant to the case.
18.An exception to the principle of confidentiality is where the Company's obligation to disclose the relevant information arises from a law, decision or ruling of a competent court or public administration authority.
19.A person found to have violated any law or regulation applicable to the Company, including a member of the Company's governing body, an employee, who is found to have violated any provision of the AML Policy or applicable law, may be subject to disciplinary, criminal, administrative or civil liability.
20.A Whistleblower who has acted in bad faith in reporting an alleged violation of applicable laws and Company regulations and a Whistleblower who intentionally fails to maintain confidentiality may lose the rights and protections provided in the AML Policy and may be subject to disciplinary, criminal, administrative or civil liability.
21.The Responsible Person shall, where possible:
21.1.acknowledge receipt of the notification of violation to the informer,
21.2.inform the Informer of the extent of his/her rights and obligations under this Policy and of the subsequent steps of the procedure initiated as a result of the notification made. This information shall include, in particular, provisions on the confidentiality and anonymity of the notification received.
22.The Responsible Person shall inform the MLRO of the receipt of a report of a breach without disclosing the identity of the Informer. The MLRO shall not be informed if the MLRO may be directly affected by the matter.
23.The Responsible Person may instruct the MLRO to investigate the case.
24.If the reported breach concerns an MLRO, then the Responsible Person shall take the action himself. The Responsible Person may authorise another person to take all or part of the action, and in particular may use external independent experts with relevant experience and competence in this area.
25.Upon being informed of an identified breach, the Responsible Person is required to conduct a preliminary investigation.
26.The preliminary investigation should, as far as possible, be conducted jointly with the MLRO. The purpose of the preliminary investigation is to verify the accuracy of the notification received, including the basis for action in a full investigation.
27.The acceptance of a breach by the Responsible Person shall, where possible, result in the Informer being informed that a preliminary investigation has been initiated.
28.The preliminary investigation must be carried out within a period not exceeding 14 working days of informing the Informer of the acceptance of the report.
29.The Responsible Person should, unless it conflicts with the reported breach, consult with the Board as part of the initial investigation.
30.If the preliminary investigation has shown that further action is warranted, the Responsible Person shall carry out a full investigation consisting of a detailed review of the breach of the law and the Company's regulations by the person named in the report.
31.As part of a full investigation, the Responsible Person interviews persons who are suspected of violating laws or regulations applicable to the Company, witnesses to violations and Informants.
32.A full investigation may not take more than one month after the conclusion of the preliminary investigation, unless the complexity of the identified breach requires it.
33.Once a full investigation has been carried out, the Responsible Person shall inform the Board of Directors of the results. If the investigation concerned the conduct of a Board Member, the results shall be presented by the MLRO.
34.The Board of Directors, on the basis of the results of a full investigation received, shall draw consequences against those who have committed violations of laws or regulations applicable to the Company.
35.Any Whistleblower who sees obstacles to making a direct report of a breach to the Responsible Person should and may use the anonymous channel.
36.The anonymous channel consists of two e-mail boxes, which can be used by entering the following e-mail address: plwhistleblowing@speedy.io or plmlro@speedy.io (in cases where the application should go directly to the MLRO).
37.Access to the email box plwhistleblowing@speedy.io is exclusively held by the Board of Directors. Theplmlro@speedy.io email box can only be accessed by the MLRO.
38.The Company shall keep a register of all actions, reports and information received pursuant to the provisions of this Chapter. The register shall include, in particular: the content of reports received, reports, transcripts of meetings and minutes of oral discussions of alleged or committed violations.
39.All documents received from whistleblowers must be classified and treated as confidential, in accordance with the applicable information security policy and security standards.
XVI RULES ON THE PROTECTION OF AML STAFF
1.The Company shall ensure that employees and other persons performing activities related to the performance of the duties referred to in Articles 74, 86, 89 and 90 of the AML Act (hereinafter - the "Notifiers") are protected against actions taken against such persons of a repressive nature or affecting the deterioration of their legal or factual situation, or involving the directing of threats. This protection is implemented by:
1.1.Absolute prohibition to provide unauthorised persons (in particular customers, counterparties or other entities outside or within the Company) with information on the identity of the Submitters, as well as on the fact of submitting a notification pursuant to Articles 74, 86, 89, 90 of the AML Act. An exception to the principle of confidentiality is when the Company's obligation to disclose the relevant information arises from the provisions of law, a decision or ruling of a competent court or public administration authority,
1.2.To make Company employees aware of the applicable prohibition of repressive actions, threats or behaviour/abandonment resulting in the deterioration of working conditions or employment conditions of the Submitters,
1.3.An absolute prohibition on threatening or taking, or refraining from taking, any action resulting directly or indirectly in the deterioration of the working or employment conditions of the Submitters, including, in particular, remuneration, workplace, technical resources made available for the use of the Submitters, restriction of the path of advancement, discrimination or unfair treatment,
1.4.instituting disciplinary, civil or criminal proceedings, as appropriate, against any person who attempts to do or solicits the acts set out above against the Submitters,
1.5.internally restricting access to documentation relating to reports filed under Articles 74, 86, 89, 90 of the AML Act only to a circle of persons to whom such access is necessary for the performance of their official duties or those arising directly from the law.
2.The Company, its managers, employees of the Company and other persons performing activities for the Company are prohibited from taking any actions towards the Notifying Parties of a repressive nature or affecting the worsening of their legal or factual situation, or involving threats against them, in particular actions adversely affecting their working or employment conditions. The prohibition in force is communicated to the above-mentioned persons before they start working / undertaking activities for the Company as part of the communication of organisational information and, in addition, as part of the need for the above-mentioned persons to familiarise themselves with this Policy and to sign a declaration that they have familiarised themselves with its contents. The prohibition is also communicated to the persons covered by it as part of training on the Policy and A M L / C F T issues.
A breach of this prohibition will result in disciplinary action by the Company against the person who has breached the prohibition covered by this section.
1.Notifiers who have been exposed to the activities referred to above (respectively, Article 53a(1) and (2) of the AML Act) are entitled to report instances of such activities to the GIIF. The notification shall be made in accordance with the procedure provided for by the Regulation of the Minister of Finance, Funds and Regional Policy on receiving reports of violations of AML and terrorist financing regulations of 16 May 2018. Notifications may be made in the form of: –by e-mail to: sygnalisci.GIIF@mf.gov.pl, –or on paper to the correspondence address: General Inspector of Financial Information, Money Laundering and Terrorist Financing Signals Team, 12 Świętokrzyska St., 00-916 Warsaw with an annotation: "in the chancellery do not open".
2.As part of the notification to the GIIF, the Submitter indicates a correspondence address or an e-mail address for contact. The GIIF may request clarification from the notifier on the information provided, which may be held by the Notifier, using the contact address. The GIIF shall provide the Submitter with information on actions that may be taken after the receipt of the notification, using the contact address, within a period not longer than 30 working days from the date of receipt of the notification.
3.Notwithstanding the right to report a breach to the GIIF, the Reporting Party may use the Company's anonymous breach reporting channel or report the breach directly to the Company's Board of Directors. This policy shall enter into force on the date of its adoption by the Board of Directors in the form of a resolution.
Annex 1 - Risk appetite
Statement on risk appetite in the area of money laundering and terrorist financing
- Speedy AG sp. z o.o. (Speedy).
Speedy's risk appetite identifies the risks in the area of money laundering and terrorist financing (ML/TF) that Speedy, as a licensed domestic payment institution, is willing to tolerate. It applies to all areas of the Company's business and plays a key role in decision-making as it helps Speedy not to take unacceptable risks.
Speedy will not enter into relationships with clients subject to international sanctions or embargoes, in particular those imposed by the Polish Ministry of the Interior and Administration, the European Union, the United Nations or the US Office of Foreign Assets Control (OFAC). Speedy will not establish relationships with customers who:
●engage in illegal activities (e.g. drug trafficking, human trafficking, slavery),
●carry out activities without proper registration, concession or licence,
●function as so-called shell banks, i.e. banks based in countries where they do not have a physical presence, which are not linked to wider regulated financial groups,
●operate as so-called shell companies, i.e. companies with no physical presence at the place of registration, no real activities and no assets other than cash or cash equivalents,
●function as companies with bearer shares. Speedy does not establish a customer relationship if:
●The customer will not provide data or documents to establish and confirm identity,
●The customer has deliberately provided incomplete or false data or submits false documents,
●it appears from the data provided by the Client that the Client is not acting on his own behalf or is controlled by undisclosed persons,
●The client conceals the identity of the beneficial owner or avoids providing the data or documents required to establish the identity of the beneficial owner or the data provided is insufficient for this purpose,
●Speedy cannot ensure that the requirements of its AML Policy are adequately implemented in terms of establishing the identity of the customer and monitoring the business relationship on an ongoing basis,
●it is not possible to verify the identity of the customer and the beneficial owner on the basis of documents, data or information obtained from a reliable and independent source,
●The client fails to provide data confirming the purpose and intended nature of the business relationship with Speedy, as well as confirming the source of the funds, or there is a reasonable suspicion that the information provided is false, or it is not possible to verify the legality of the actions taken, or the actions may raise doubts as to their legality,
●it is not possible to understand the management structure and nature of the client's business,
●if there are reasonable grounds, knowledge or suspicion of money laundering or terrorist financing.
Speedy will not enter into or maintain business relationships with clients whose business exceeds Speedy's defined ML/TF risk appetite. Industries that are considered prohibited and unacceptable are indicated in the List of Industries with assigned risk values and industries considered unacceptable. Speedy is interested in establishing relationships with clients within the European Union and the European Economic Area, in particular sole traders and entrepreneurs operating in industries considered to be low or standard risk industries. It is acceptable to establish relationships with clients operating in high-risk industries, but their share of Speedy's client portfolio should not exceed 20%.
Speedy will not establish or maintain business relationships with clients domiciled or registered in jurisdictions that have been deemed unacceptable by an internal risk assessment. Speedy will also not establish or maintain business relationships with clients domiciled or registered in high-risk countries, but allows relationships to be established with nationals of these countries if they are residents of low- risk or standard-risk countries. Speedy also permits the establishment of relationships with businesses whose representatives, persons authorised to act on behalf of the client or beneficial owners are nationals or residents of high-risk countries. Countries that 43are considered high-risk or prohibited and unacceptable are indicated in the List of Countries with Assigned Risk Values and Countries Deemed Unacceptable.
Speedy takes steps to eliminate the risk of fraud and therefore implements procedures to both protect Speedy's customers from fraud and takes steps to actively eliminate attempts to use Speedy's activities in committing fraud. In this area, Speedy's Management Board has adopted a zero-tolerance approach to fraudulent activities both against Speedy's customers and those carried out by those customers or Speedy employees.