Anti-Money Laundering and Counter-Terrorist Financing Policy

1. Introduction

This policy details how MinitePay will manage the risks posed by Money Laundering and Terrorist Financing to ensure a consistent approach within the company. MinitePay is authorised by the Estonian Financial Intelligence Unit (FIU) and, as such, will act in accordance with the Anti-Money Laundering and Counter Terrorist Financing rules as defined in the following legislation and guidance:

2. Risk Appetite Statement

MinitePay considers money laundering and terrorist financing to be both unacceptable and unethical. MinitePay has no appetite for such criminal activity and will take timely, proper and proportionate actions to minimise, manage and control the associated risks.

In promoting the company's risk appetite, the following statements apply:

  • MinitePay will not tolerate Money Laundering or Terrorist Financing and we will not knowingly conduct business with individuals believed to be engaged in any type of criminal behavior
  • MinitePay will not deal with parties in breach of financial sanctions
  • MinitePay will subject identified PEPs to Enhanced Due Diligence
  • MinitePay will not do business with any customer(s) who pose an elevated Money Laundering or Terrorist Financing risk (as mandated by our customer risk assessment) which cannot be mitigated by our current systems and controls
  • MinitePay will not enter into a business relationship with anyone who has links to illicit activity
  • MinitePay will not enter into a business relationship with any person who does not pass our CDD checks
  • MinitePay will not provide services to unknown third parties
  • MinitePay will not provide services for anything other than the purchase of products

MinitePay will apply this risk appetite across all business areas.

2.1 Statement of Intent

Through this statement the Board instructs management and staff to avoid risks that could interfere with the firm’s strategic plans, including activities that could involve MinitePay in any type of enforcement action. The Board also acknowledges the damage that an enforcement action would cause to MinitePay’s reputation and regulatory relationship.

3. Responsibilities

3.1 Senior Management Responsibilities

The senior management of MinitePay are responsible for implementing an effective AML/CTF framework. They are also responsible for assessing Money Laundering and Terrorist Financing risk, ensuring the implementation of this policy to minimise the risk and providing the appropriate employee training. Senior management has appointed a Money Laundering Reporting Officer (MLRO) to ensure an effective implementation of this framework.

They will ensure that the MLRO has a sufficient level of authority and independence within the company and that they have access to sufficient resources and information to carry out their responsibilities. The MLRO will be subject to MinitePay’s performance management process to ensure ongoing competence in the role of MLRO.

Senior management will review the management information on Money Laundering and Terrorist Financing provided to them to enable them to appropriately manage the Money Laundering and Terrorist Financing risks and will take any necessary actions.

Senior management commits to provide the necessary authorities with the required access or information in the case of a Money Laundering and Terrorist Financing investigation.

Mustansar Iqbal is the Senior Manager ultimately responsible for MinitePay’s adherence to MLR2017.

3.2 Money Laundering Reporting Officer (MLRO)

The MLRO has responsibility for oversight of MinitePay’s AML/CTF framework. The MLRO will act as a focal point within MinitePay for all activity relating to AML/CTF.

The Compliance Officer and MLRO are responsible for keeping up to date with changes in laws and regulations in relation to Money Laundering and Terrorist Financing and making use of findings from national and international bodies tasked with combating Money Laundering and Terrorist Financing in order to update MinitePay’s systems and controls where necessary.

The MLRO is responsible for oversight of the company’s compliance with its requirements in respect of staff training.

The MLRO is the point of contact for all employees to raise any reports or concerns relating to any suspected or actual Money Laundering and Terrorist Financing and is responsible for recording, investigating and reporting this to the authorities as necessary. Where reporting to the authorities is not deemed necessary, the MLRO will document the reason for this course of action.

The MLRO is responsible for liaison with the law enforcement authorities as required.

The MLRO will provide management information to senior management regarding compliance with the policy, operation and effectiveness of the systems and controls in place to combat money laundering, and recommendations or enhancements required on at least an annual basis. The MLRO will also escalate Money Laundering and Terrorist Financing issues to senior management as considered necessary.

3.3 Employee Responsibilities

All employees are expected to attend and complete the appropriate Money Laundering and Terrorist Financing training.

Employees are expected to be alert to Money Laundering and Terrorist Financing, and they are responsible for reporting any actual or suspected Money Laundering and Terrorist Financing to the MLRO in a timely manner.

If suspicious signals of Money Laundering or Terrorist Financing are identified, the transaction should be frozen and should not proceed without the authorization of the MLRO. All suspicious signals of Money Laundering and Terrorist Financing are reportable, even if they come to the employees’ attention after the trade has been undertaken or the account is closed, or the trade has been conducted by another person.

Employees are expected to co-operate fully with any reviews or investigations into Money Laundering and Terrorist Financing.

Failure to notify an appropriate person about criminal actions of which employees are aware, in breach of this policy, may be considered to be a contractual breach leading to disciplinary actions.

4. Definition of Money Laundering and Terrorist Financing

Money laundering is the process by which criminals attempt to conceal the true origin and ownership of the proceeds of their criminal activities. If undertaken successfully, it also allows them to maintain control over those proceeds and, ultimately, to provide a legitimate cover for their source of income. The risks to the financial sector primarily involve being used to facilitate this process, whether knowingly or unwittingly.

Terrorist Financing is all dealings with funds or property which are, or are likely to be, used for the purposes of terrorism, even if the funds are “clean” in origin.

For the purpose of this policy, money laundering also includes any activities relating to terrorist financing.

4.1 Key stages of money laundering

Money laundering is generally broken down into three distinct stages:

  • Placement – this is the first stage in the money laundering operation and involves the physical disposal of the initial proceeds derived from illegal activity, e.g. placing cash in the conventional financial system
  • Layering – this second stage involves separating the illicit proceeds from their source by creating complex layers of financial transactions designed to disguise the audit trail and provide anonymity
  • Integration – the final stage involves providing an apparent legitimacy to the criminally derived wealth. If the layering process has succeeded, integration schemes place the laundered proceeds back into the economy in such a way that they re-enter the financial system appearing as normal business funds.

4.2 Money Laundering and Terrorist Financing Offences

A money laundering offence may be committed if a person:

  • Conceals, disguises or transfers criminal property
  • Enters into or becomes involved in an arrangement which he knows or suspects facilitates the acquisition, retention, use or control of criminal property on behalf of another person
  • Acquires, uses or has possession of criminal property

A person may commit Terrorist Financing if they are involved in the following:

  • Fund raising, which covers inviting other people to provide money or other property to support terrorism
  • Use and possession, which covers using money or other property for the purpose of terrorism
  • Funding arrangements, if a person knowingly enters into an arrangement whereby they provide funding for terrorists

The definition of 'terrorist property' means that any dealing with funds or property that are likely to be used for the purposes of terrorism is a terrorist financing offence, even if the funds are 'clean' in origin.

Failure to disclose

Employees working for a regulated firm such as MinitePay would commit an offence if they fail to make a disclosure to the authorities, or in the form of an internal report to the MLRO, in cases where they have knowledge or suspicion that money laundering or terrorist financing is occurring.

Tipping Off

An offence of “Tipping off” is committed when anyone discloses to a person who is the subject of a suspicious report, or a third party, that a disclosure has been made to the MLRO or the authorities or that an investigation is being carried out, as this could prejudice the investigation.

Making enquiries to a client to verify identity or to ascertain the source of funds for a particular transaction will not trigger a tipping off offence before a suspicious activity report has been submitted in respect of that client. If a suspicious activity report has been made, great care should be taken to ensure the client does not become aware of that fact.

Consequences of non-compliance

Non-compliance with the money laundering obligations by employees is considered a serious offence and disciplinary actions may be taken by MinitePay, including immediate dismissal.

Failure to comply with the money laundering obligations may also result in a criminal penalty (including imprisonment).

The penalties for those found guilty of assisting or failing to report money laundering are severe:

  • Up to 14 years in prison, a fine, or both for knowingly assisting in money-laundering
  • Up to 5 years in prison, a fine, or both for failing to report any knowledge or suspicions of money-laundering
  • Up to 5 years in prison, a fine, or both for alerting a suspected money launderer that a report has been made to the MLRO or the authorities, or that the authorities are investigating or proposing to investigate

In addition to these criminal penalties, a breach of these rules could cause significant damage to the reputation of MinitePay and its employees. Failure to comply by an employee may also expose MinitePay to penalties, censure and enforcement action (including the imposition of fines) by the FCA.

5. Risk Management Controls

MinitePay has implemented the following controls to manage the risks posed by Money Laundering and Terrorist Financing:

5.1 Risk Assessment

MinitePay has conducted the following risk assessments to ensure adequate controls are in place:

Business Wide Financial Crime Risk Assessment (BWRA)

The Business Wide Risk Assessment focuses on the following risks:

  • Customer Risk: The customer risk relates to the risk that is posed by the company’s customer base. It identifies the risk that they may present and the necessary controls.
  • Products Risk: The characteristics of the product offering and the specific risks they pose are considered
  • Transaction Risk: The specific types of transaction processed by the firm, and the risks they pose, are considered
  • Geographical Risk: The geographical risk relates to the risks posed by external jurisdictions (outside the UK) and any customers who have business dealings there. This increases the risk of exposure to global sanctions, as well as other global aspects of financial crime.
  • Distribution Channel: This relates to the internal factors that may increase the risk of money laundering and terrorist financing. This can include bad management or employees being unaware of their obligations. The way the services are sold is also considered

When considering the Business Wide Risk Assessment, several risk items are identified under the above areas, with each individual item having its risk determined in two ways:

  • Inherent risk: The risk that would exist if no controls were in place
  • Residual risk: The risk that remains after controls are implemented

Inherent Risk

Inherent risk focuses on the natural risk that is present before any sort of control is implemented. To understand the inherent risk, a series of questions have been asked which will determine if there is an underlying risk to the business. This is followed by an explanation of what the inherent risk is and whether the rating is high, medium or low.

The rating has been achieved by considering the probability of that risk occurring and the impact the risk would have if it were to be realised.

Both probability and impact are scored from 1 (low probability/impact) to 3 (high probability/impact).

These scores can then be multiplied together to get an overall risk rating score. The higher the overall score, the higher the risk rating. The risk score can be broken down into the following:

  • 1-2 = Low Risk
  • 3-4 = Medium Risk
  • 6-9 = High Risk

This is highlighted by colour in the tables below:

Residual Risk

The residual risk is used to assess the risk that is left after all controls have been implemented.

MinitePay has carried out a business wide financial crime risk assessment and established the controls required to reduce the residual risk to low.

5.2 Procedures

MinitePay has deployed a number of procedures which implement the controls identified in the business wide risk assessment:

Know Your Customer (KYC) Procedure

MinitePay has defined 2 separate procedures, for private individual and corporate customers, which have been documented in the CDD Know Your Customer Process.

KYC for private customers entails:

  • Identification and Verification
  • PEP and Sanctions Screening
  • Understanding the nature of the relationship
  • Customer Risk Assessment
  • Enhanced Due Diligence for high risk customers

All corporate customers are subjected to enhanced due diligence.

Ongoing Monitoring Process and Procedures

This procedure outlines the Customer Due Diligence process for continually monitoring business relationships. It details controls for the following:

  • Transaction Monitoring
  • KYC Renewals

Suspicious Activity Reporting

MinitePay has documented its approach to reporting suspicious activity. The procedure focuses on the following:

  • Responsibilities of employees and the MLRO
  • The reporting process and response programme

Valid Merchants (Partners)

The firm will only advertise and allow customers to purchase products from genuine merchants that it has vetted to ensure no fake transactions occur. To that end, customers cannot use MinitePay services to purchase any product from a merchant it does not know.

5.3 Governance

MinitePay has the following governance controls in place:

Management Information

Management information will be provided to senior management regarding compliance with the policy, operation and effectiveness of the systems and controls in place to combat money laundering and terrorist financing, and recommendations or enhancements required. It will include information on clients, transactions, suspicious transaction reports, training and breaches. Issues will be escalated to senior management as considered necessary. Senior management will use this information to review the provisions for preventing money laundering and terrorist financing and will plan to enhance the systems and controls where considered necessary.

Monitoring of Systems and Controls

MinitePay will regularly monitor the systems and controls in place to combat money laundering and terrorist financing to ensure that they manage the risks effectively. Policies and procedures will be updated to reflect the current legal and regulatory developments. MinitePay will ensure that enough resources are allocated to combat the risks.

Monitoring of Controls

MinitePay will ensure that a monitoring function will be in place that will be structured as follows:

An independent audit function designed to do the following:

  • To examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the company in relation to Anti-money Laundering and Counter Terrorist Financing
  • To make recommendations in relation to those policies, controls and procedures
  • Monitor compliance with those recommendations

A Compliance Monitoring Plan will be in place to monitor the company’s compliance with existing policies and procedures.

Monitoring of Systems

It is vital that the AML software screening system is reviewed to ensure that it is fit for purpose. All reviews are to be conducted periodically by the MLRO and the following should be reviewed:

  • Is the logic applied to the systems still valid and does it continue to generate appropriate alerts?
  • What databases does the system screen against and how up to date are they?
  • How often is the data refreshed and when was it last refreshed?
  • Who is responsible for updating the data (is it done internally or externally)?
  • How are updates recorded and what reports are produced on this?
  • If there is a sudden global sanction alert how is this uploaded into the system?
  • Who is responsible for ensuring this happens?

This is monitored via the Compliance Monitoring Plan with the results reported back to Senior Management.

Training

MinitePay understands the importance of training: ensuring that appropriate training is delivered to all relevant employees is vital to delivering this policy effectively.

Training is provided to all relevant staff, including senior management, to enable them to understand and recognise the risks. The training will include:

  • How to recognise and deal with potential money laundering or terrorist financing transactions or activity
  • Red flags
  • Details of relevant legislation and employee obligations under that legislation
  • How to report suspicious activity
  • Details of the MLRO’s identity and responsibilities
  • Case studies, practical examples of the risks and how to comply with MinitePay’s policies
  • A test of employees’ understanding

The content of the training will be updated as changes in regulation, risks or procedures occur.

Training records are maintained, and form part of the management information produced for the company’s senior management. This training will be refreshed on an annual basis, or more frequently as required, over the duration of an employee’s contract with the company.

Escalation and Exit

The two controls of escalation, reporting an issue to senior management for review and approval, and decisions to exit a relationship or a transaction, are key controls within the financial crime prevention framework.

In circumstances where a customer is deemed to be outside the company’s risk appetite it may be necessary to exit that particular business relationship. Given the particularly sensitive nature of such an event, it is essential that an effective exit strategy be put in place.

This process highlights the principles that MinitePay will adhere to when escalating issues relating to financial crime.

Escalating issues to senior management

When to escalate

MinitePay has defined the following circumstances where it will be necessary to escalate issues to senior management:

  • An existing customer has been identified as being on a Financial Sanctions list
  • A new/existing customer has been identified as being a Politically Exposed Person
  • New legislation or financial crime typologies have been identified that may impact on the firm’s risk appetite
  • An event has occurred in which an existing customer has been found to be linked to money laundering or terrorist financing

Escalation Process

MinitePay has defined the following as being key to an effective escalation process:

  • Where necessary, the MLRO will conduct independent due diligence on the issue at hand to ensure all aspects are fully understood and that they are in possession of the full facts to allow senior management to make an informed decision
  • Each step that must be taken is clearly defined and there is a requirement to document each step taken in each case
  • Roles and responsibilities are clearly identified so that decisions made by the escalation process are implemented smoothly, minimising reputational and legal risk
  • Where escalation processes are initiated internally via email or voicemail, there are processes in place to ensure that multiple people have access to these to avoid messages being missed owing to staff absences
  • The information that is provided to senior management adequately covers the possible risks
  • The decisions made are clearly documented, including the reasons for them
  • Where the decision involves the application of specific controls to mitigate the high risks being accepted, there is a follow-through process to ensure that the controls are instigated and maintained
  • Periodic reports about the trigger events that have been escalated and their resolution are lodged with senior risk managers

Exiting Customer Relationships

Requirement for an exit strategy

MinitePay needs processes for exiting relationships with customers where:

  • Laws and regulations prohibit the provision of financial or other regulated services to a customer because of some characteristic of that customer, e.g. they may be the subject of a general or specific domestic, UN or relevant foreign sanction
  • An existing customer has developed characteristics where they are deemed to be not acceptable or outside MinitePay’s risk appetite

Objectives of an exit strategy

The exit process will have the following objectives:

  • Ensuring that relationships with customers who are subsequently deemed not acceptable are terminated lawfully while managing business risk and reputational and legal impacts
  • Ensuring that relationships with customers that exceed the firm’s risk appetite are terminated lawfully while managing business risk and reputational and legal impact

Exiting Process

MinitePay has defined the following as being key to an effective exiting strategy:

  • The MLRO will escalate the matter to senior management for them to decide on whether a relationship needs to be exited
  • Staff know when a potential customer, a proposed transaction or other circumstance (a ‘trigger event’) meets criteria that require exiting
  • Each step that must be taken is clearly defined and there is a requirement to document each step taken in each case
  • Roles and responsibilities are clearly identified so that exit decisions are implemented smoothly, minimising reputational and legal risk
  • Where exit processes are initiated internally via email or voicemail, there are processes in place to ensure that multiple people have access to these in order to avoid messages being missed owing to staff absences
  • An internal communications plan is prepared where the customer has a high profile or is a significant revenue generator to assist staff in managing any communications that they may have with third parties about the relationship or the decision
  • The exit decision that is communicated to the customer provides a period of time for the customer to find an alternative financial services provider, at the end of which the account will be closed and funds forwarded to the last known address of the customer (unless prohibited by law from doing so)
  • The exiting and risk management decisions made are clearly documented, including the reasons for the decisions.
  • Legal and regulatory issues encountered with exiting decisions are addressed systemically for the future, to avoid repetition of these problems with other customers who must be exited in the future

Record Keeping

Records relating to the verification of a client’s identity required for the due diligence process will be retained for a period of 5 years after the relationship has ended, after which the personal data will be destroyed in order to uphold the client’s data protection rights. A further period of retention, not exceeding 5 years, will be permitted if, after a thorough assessment, MinitePay believes this is justified for the prevention, detection or investigation of money laundering or terrorism financing.

MinitePay will keep the following records for a period of at least 5 years:

  • Transaction records (carried out with or for a client)
  • Records of any internal reports made to the MLRO and of any external reports made by the MLRO
  • Where the MLRO has considered information or other matter concerning knowledge or suspicion that another person has engaged in money laundering, but has not made a report to the National Crime Agency, a record of that information or other matter
  • Training records
  • Monitoring records
  • Records of actions taken to identify and verify beneficial owners of body corporates

All records stated above are kept at MinitePay’s offices and the MLRO is responsible for ensuring that these records are complete and up to date.

Regulations on Record Keeping for Virtual Asset Service Providers (VASPs)

The firm has assessed the legal requirement to record the following:

  • The originating customer’s name
  • The originating customer’s wallet number
  • The originating customer’s address and identifying information
  • The beneficiary customer’s name
  • The beneficiary’s wallet number

It should be noted that this only applies where an originating VASP’s customer is sending funds to a counterpart at another VASP or regulated business.

This does not apply to MinitePay as the firm is not sending funds on to another VASP or regulated business. Therefore, the firm will not maintain such records.

6. Internal Controls

The following internal controls have been applied in relation to this process and procedure:

  • Senior manager review and approval
  • Annual review
  • Second-line oversight via the compliance monitoring plan
  • Independent audit to ensure controls remain appropriate