Anti-money laundering and Counter-terrorist financing control framework

1. General Framework
We have no tolerance for money laundering, the financing of terrorism and other illicit activity. Our policies, procedures and controls have been developed to prevent the product from being used to facilitate these crimes.

The company understands Money Laundering (ML) and Terrorist Financing (TF) as:

the process by which one integrates funds generated from criminal activities into the financial system and Terrorist Financing describes the processes by which terrorist organizations fund their activities. ML and TF are serious crimes that inflict harm on many areas of society, being used by illicit organisations and organised crime groups.

The firm operates from the entity UAB Belela and under the laws of Lithuania. It is authorised to provide digital currency to fiat exchange, or vice versa and to provide wallets to store cryptocurrency (UAB Belela, registry number 305982313) For the purposes of this document, certain words may be interchangeable, such as where firm is used for the purposes of UAB Belela, ‘our’ or ‘we’ refers to UAB Belela.

The purpose of this AML and CTF framework Policy is to provide to the token.com customers, providers, partners, vendors and other relevant stakeholders a high-level and summarised overview of token.com’s main AML & CTF Policies and Procedures. It illustrates our broader Policy set forming Anti-Money laundering and Counter-terrorist financing program aimed at compliance with the Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing. It also channels learnings from the regulatory guidelines which include FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Assets Service Providers.

2. Approach to AML and CTF
To meaningfully combat ML and TF, we have adopted a risk-based approach. Our policies are informed by the Enterprise-Wide Risk Assessment which guides our strategy, resourcing and consequently policies and procedures. It factors recognised typologies found in the EU risk assessment of Money Laundering and Terrorist Financing as well as the Lithuanian National Risk Assessment of Money Laundering and Terrorist Financing.

AML & CTF sits within the larger set of financial crime risks any financial firm faces. Where possible we have sought to identify our financial crime risks through the recognised typology in the EU risk assessment of Money Laundering and Terrorist Financing as well as the Lithuanian National Risk Assessment of Money Laundering and Terrorist Financing and as identified by FCIS.

As we operate in a fast-paced cryptocurrency industry where new products, technologies and risks emerge on a daily basis our policies and procedures are constantly reviewed and influenced by industry reports, FATF recommendations and guidelines. The compliance and comprehensive approach to risk are integral to our business to achieve desired credibility and growth.  Our approach is conscious of risks presented by: new products, services, instruments, jurisdiction or customer types, the tools and controls we have to mitigate the risks.

WIth regards to our overall AML and CTF approach, the desired outcomes are to:
1. Prevent where possible the firm from being used for ML and TF so as to comply with all applicable legal and regulatory requirements;
2. Ensure that the most appropriate action is taken by the firm to manage the risks associated with AML and CTF;
3. Establish and maintain effective and appropriate policies, procedures ensuring that its business is conducted in compliance with legal and regulatory requirements.
4. Ensure we adhere to the target risk as set out in the risk tolerance
5. We have carried out due diligence on 3rd party providers to ensure parity with our procedures and compliance with relevant regulations

Our overall AML approach is constantly measured and risk assessed. Our Policies, including this Policy, are reviewed on an annual basis or sooner if relevant changes are made to our framework.

3. Simplified Due Diligence
The firm may conduct simplified due diligence (SDD) where a risk assessment determines that, in the case of related jurisdictions, activity or transaction amounts the risk of money laundering or terrorist financing is not higher than usual.

Before the application of these measures to a customer, an employee of the Company assesses that the business relationship, transaction or activity does not meet high risk indicators.

The application of SDD is in conjunction with ensuring sufficient transaction and overall business relationship monitoring, in order to allow the identification of unusual transactions and notification of suspicious transactions in line with this procedure.4.

4. Customer Due Diligence
For the purpose of Customer Due Diligence (CDD), we may require during the application process, but is not limited to:
1. Proof of identity (selfie, credible ID (which matches selfie) and liveness checks)
2. Proof of address (bank statement, utility bill or government issued document within 3 months of issuing)
3. Screening using provided details

Care must be taken that all documents provided are true copies of the original. Providing false, forged, modified or documents meant to deceive will be considered fraud and treated as such.

The company may use recognised and specialised electronic providers for the technical acquisition of the identity data. The company may also decide to use the following non-documentary methods of verifying identity

Periodical updating of KYC records will take place every 3 years after a customer is onboarded or sooner if change of circumstances present themselves

5. Enhanced Due Diligence
We apply enhanced due diligence (EDD) in order to mitigate higher risk activity or customers based on their assigned risk.

In situations where customers present a higher risk, additional information may be collected to give us a more detailed understanding of the particular customer’s profile.

This may be where but is not limited to:
• The customer is engaged in a high risk occupation
• The customer is involved with a high risk jurisdiction (as designated by FATF, EU, HMT, UN, OFAC)
• The customer’s transactional value exceeds an assigned threshold
• The pattern of behaviour is suspicious or not consistent with the customer’s intended use of our product

Source of funds and wealth checks
If we ask for a source of funds we ask for a source of wealth be that crypto appreciation, salary, sale of securities, inheritance. We seek to substantiate any salary claims through professional and social media presence in the first instance or a payslip bank statement should the risk be higher. We seek to validate claims of crypto wealth through evidence of coin purchases and timing and sale of securities or inheritance by notarised or official accountant’s documents

6. Sanctions
We have no risk tolerance for on-boarding any sanctioned individual so this is a critical part of our controls. If an existing customer becomes sanctioned the relationship must cease immediately. We would prevent the customer from carrying out prohibited activities and contact OFAC.

Through our active relationship and contract management we ensure our lists are fit for purpose.  We ensure they check against EU Consolidated List, HMT (OFSI) Consolidated List, OFAC Consolidated Lists and United Nations Security Council Committee.

7. Politically Exposed Persons (PEP)
PEP means a natural person who is or who has been entrusted with prominent public functions including:
• head of State;
• head of government;
• minister and deputy or assistant minister;
• a member of parliament or of a similar legislative body;
• a member of a governing body of a political party;
• a member of a supreme court;
• a member of a court of auditors or of the board of a central bank;
• an ambassador, a chargé d’affaires and a high-ranking officer in the armed forces;
• a member of an administrative, management or supervisory body of a State-owned enterprise;
• a director, deputy director and member of the board or equivalent function of an international organisation.

This applies to those who:
• they are themselves a PEP
• they are a close family member
• they are a known associate

8. On-going Due Diligence and Transaction Monitoring
Our understanding of our customers is kept sufficiently up to date, including checking:
1. Whether they are subject to sanctions
2. Their PEP status
3. Customer identification information - We update our records based on any new information on the customer provided OR where we proactively seek updated information
4. Transaction monitoring

Transaction monitoring allows us to understand how customers are using our product. This in turn allows us to understand whether or not customers are behaving as expected and allows us to identify suspicious activity.

When purchasing and selling assets a customer must confirm the transaction with 3DS to ensure the payment method belongs to them, reducing the risk of transactions involved in fraud and muling.

Where transaction monitoring flags a particular transaction or pattern of behaviour, as high risk it will be investigated to understand it further. This may entail contacting the customer and/or requesting additional documentation for enhanced due diligence.

An investigation into suspicious activity assesses the intended nature of transactions and origin of funds. This suspicion may be confirmed or remain cogent. If suspicious activity is confirmed, this will be subject to internal and external escalation where necessary. When such suspicious activity is detected, the Compliance Officer will evaluate whether it is necessary to report to law enforcement and FCIS

When a report is filed the firm and all its employees, officers and directors are restrained from  informing the customer, including any intention to submit a report or the commencement of criminal proceedings.

9. Use of third-parties
We use external suppliers to support our CDD and on-going monitoring processes. Ultimately, the judgement about whether to on-board or not is ours and they can only provide certain information to feed our decisions.  

Where we use third parties to fulfil some aspect of our AML and CTF approach we do the following:
1. Perform due diligence to ensure they adhere to their compliance obligations and meet best industry standards
2. Review their performance against our expectations and the contract. We take action if we are concerned about their performance.
3. Document the relationship, including:
a. What role they perform
b. How they perform it

10. Staff Training
Appropriate staff training is an essential component of our ML and TF approach. Training ensures that relevant staff understand their roles and responsibilities and are equipped to recognise ML and TF.

Its purpose is to ensure:
1. employees understand the requirements of this framework
2. employees are able to carry out their duties under the financial crime policy
3. employees are able to recognise ML and TF

All new employees, including contractors are expected to complete their training modules within 3 months of joining. Thereafter, training is carried out and reviewed annually. Training is kept up-to-date and relevant and the training results are properly recorded.

Role specific training
• Senior Management are expected to complete additional modules on all areas of financial crime which is renewed annually
• Compliance staff are expected to complete additional modules on all areas of financial crime.

11. Suspicious Activity Report  
Where we know, suspect, or have reason to know or suspect a customer is involved in money laundering or terrorist financing, we will submit a Suspicious Activity Report (SAR) to the relevant authority.

12. Nominated Officer / MLRO
The Nominated Officer is responsible for the overall establishment and management of our AML and CTF approach. These responsibilities include:
1. Identify, assess and manage the AML and CTF risks in conjunction with senior management
2. Maintain an appropriate risk-based approach towards assessing and managing money laundering and terrorist financing risks;
3. Keeping the Senior Management team informed on the effectiveness of the controls (annual report, quarterly updates and monthly MI)
4. Ensure relevant employees possess adequate skills, are aware of their obligations and receive appropriate AML and CTF training is on a recurring basis;
5. Maintain risk-based and effective customer due-diligence, identification, verification and know your customer (KYC) procedures, including enhanced due diligence for those customers presenting higher risk, such as Politically Exposed Persons (PEPs);
6. Assess and assign customer risk ratings to approve onboarding and continuing a business relationship
7. Maintain risk-based and effective systems to monitor ongoing customer activity (where applicable);
8. Produce an annual report detailing the firm’s AML framework and compliance with, or not, of AML and CTF requirements and risk tolerance;
9. Monitor compliance with, and testing the effectiveness of the above systems and controls;
10. Serve as a point of escalation in high risk situations or cases where appropriate action isn’t clear;
11. Stay abreast of relevant industry and regulatory developments;
12. Ensure adequate resources are being deployed to implement the program; and
13. Receive internal reports and raising of SARs.

13. Changes to the Business
One of Senior Management’s core responsibilities is to ensure that as the business evolves, it does so in a way that remains in compliance with the principles of a Risk Based Approach. This regards, for example, the introduction of new products, the servicing of new markets or other developments that alter the nature of the business.

We ensure that any new technology adopted by the firm is assessed and, if necessary, steps are taken to mitigate any ML or terrorist financing risk.

In practice, this ultimately means we continually satisfy ourselves that under a risk based approach we have:
1. Adequately identified and assessed the ML and TF risks our business faces and to any new products
2. Appropriate policies for addressing and mitigating those risks in a proportionate manner
3. Appropriate procedures inline with stated policies

14. Termination of the Business Relationship
The business relationship may be terminated at our discretion should activity be deemed outside our risk tolerance or if suspicious activity mandates a SAR or sanctions have been implemented. The customer may also request to close their account for any reason. In all cases, the account will be assessed for any suspicious activity and the account closed in all systems. We retain customer data as specified below in the Record Keeping section

15. Record Keeping
We retain all documentation pertaining to the customer for AML / Financial crime checks for a period of 8 years after the cessation of the business relationship or the last transaction whichever is the latest. The communication with the client is stored for 5 years after the end of the business relationship or the last contact whichever is the latest. It aligns with the requirement in Article 19 of Lithuanian law on the prevention of Money Laundering and Terrorist Financing. The only exception to the retention period is where a law enforcement agency, regulator or court order instructs the firm to hold for an additional period – maximum additional period of five years – total period must not exceed ten 10 years.

16. Cooperation and Information Requests
The firm is committed to cooperate with law enforcement agencies in preventing money laundering and terrorist financing. We are open to hear questions about this Policy or queries from enforcement agencies addressed to compliance@token.com

AML Website Policy version 1.0

Last updated: 17 November 2022