EASYEX OÜ

RULES OF PROCEDURE ON PREVENTION OF MONEY LAUNDERING AND TERRORIST FINANCING

APPLICATION OF INTERNATIONAL SANCTIONS INTERNAL CONTROL RULES

Approved by the Management Board of EasyEX OÜ on April 30th, 2022.

Present Rules of Procedures on Prevention of Money Laundering and Terrorist Financing and Application of International Sanctions (hereinafter Instruction) have been prepared in accordance with:

  • Money Laundering and Terrorist Financing Prevention Act (RahaPTS);

  • The common guidelines, on the basis of Articles 17 and 18 (4) of the EU Directives 018/843 and

    2015/849;

  • International Sanctions Act (RsanS);

  • The Estonian National Risk Assessment 2020 of Money Laundering and Terrorist Financing and the

    Financial Intelligence Unit Guidelines;

  • Guidance on Determining Countries with a higher risk of terrorist financing (risk countries) issued by

    Financial Intelligence Unit;

  • Guidance on the characteristics of suspicious transactions issued by Financial Intelligence Unit;

  • Risk management of money laundering and terrorist financing and application of due diligence

    measures to the supervised entities of the Financial Intelligence Unit ant other sources listed in this document.

    DEFINITIONS

    The following terms are used in this Instruction with the following meanings:
    The Company–EasyEX OÜ, a company duly incorporated under the laws of the Republic of Estonia.

    Money laundering–the property obtained from criminal activity or property obtained in its place in one of the below meaning:

  • conversion or transfer for the aim of concealing the illegal source of the property or supporting a person who has conducted criminal activity so that person can avoid the legal consequences of the taken actions;

  • obtaining, possession or use of the property, if upon receipt it is determined that it has been obtained from criminal activity directly or participation therein;

  • concealing of the true nature, origin, location, method of disposal, transfer or right of ownership or hiding of other rights related to property.

    Money laundering is also participation in the mentioned before activities, relation to them, potential attempts to perform the acts mentioned, supporting directly or with the indirect facilitating or advising on the matters above.

    It also occurs if the illegal activity resulting into property used for money laundering was obtained took place in the territory and legal field of another jurisdiction. Money laundering occurs even if the information of the illegal activity which resulted in the acquisition or use of the property used for money laundering have not been determined.

    A suspicion of money laundering–any circumstance or knowledge, which assumes that a transaction or activity is aimed at money laundering or concealment of criminal assets and the application of due diligence measures has not removed the initial doubt.

    Unusual financial transactions or activities–economically unusual or illogical circumstances and activities or non-viable circumstances or activities that indicate on possible links to money laundering, illegal concealment of incomes or other criminal activities (such as terrorism, financing of weapons of mass destruction, supporting war actions etc.).

    Terrorist financing–financing in any form of material support, the activity of a terrorist organization, its members or persons whose activities aimed at the commission of a terrorist offense.

    Financial Intelligence Unit (FIU)–is an independent government body under the administration of the Ministry of Finance, the key task of which is prevention of money laundering and terrorist financing in

the Republic of Estonia. Main tasks of the FIU are:

  • analyzing data and information received from the supervised (obliged) entities and other persons regarding cases of money laundering and terrorist financing or suspicion regarding them;

  • verification of data and information received from the supervised (obliged) entities and other persons regarding cases of money laundering and terrorist financing or suspicion regarding them;

  • implementing measures to preserve the assets and consumers commercial interests;

  • escalation and forwarding information and materials upon detection of criminal offenses to the

    competent authorities of the Republic of Estonia.

    AML compliance officer (the Contact person)is the Contact person of FIU appointed by the Management Board of the Company. The Company can appoint only a person complying with the below criteria:

•working and residing permanently in Estonia;

  • dedicated to the Company and able to spend reasonable amount of time for the Company’s operational activities;

  • having the necessary education, professional suitability, necessary abilities, personal qualities and experience;

  • having an impeccable reputation to perform the duties of a Contact person.
    The Contact person appointed by the Management Board of EasyEX OÜ is also the person responsible

    for the implementation of the international financial sanction.

    A beneficial owneris a natural person who has the ultimate control over a natural or legal person through ownership or otherwise, or on whose behalf, for whose benefit a transaction or act is made. In cases the beneficial owner cannot be identified according to the description above, the beneficial owner of the company shall be considered the natural person whose direct or indirect holding of all direct and indirect assets in the company exceeds 25 per cent (taking into account bearer shares or otherwise).

    A politically exposed person–is a natural person who performs or has performed important functions of public authority and who is still exposed to the risks associated with it, as well as family members and close associates of such a person. Officials of middle and lower level are not considered as politically exposed persons. Politically exposed person include:

  • the head of state or government, minister, deputy or assistant minister;

  • member of the legislature;

  • member of the party’s governing body;

  • judge of the Supreme Court;

  • auditor general or member of the supervisory board or board of the central bank;

  • the Chancellor of Justice;

  • ambassador, envoy or chargé d’affaires;

  • a member of the administrative, management or supervisory body of an affected company;

  • a head of an international organization, a deputy director and a member of the management body;

  • a person who, according to a list published by the European Commission, is considered to perform

    essential public authority functions by a Member State of the European Union, the European Commission or an international organization accredited in the territory of the European Union.

    A family member of a politically exposed person is:

  • the person's spouse;

  • a partner equivalent to a spouse in accordance with the law of the person's country of residence or a

    person who has used a common household with that person for at least one year from the date of the

    transaction;

  • the person's children and children's spouses or partners within the meaning of the express clause;

  • the person's parent

    A local politically exposed person–is a person who performs or has performed important functions of public authority in Estonia, another Contracting State of the European Economic Area or an institution of the European Union.

A low-tax territoryis a territory in which the tax liability of persons registered there is minimal or non- existent. There is no official list of countries considered to be low-tax territories. When defining low-tax areas,the Regulation No. 55 of the Minister of Finance of 18 December 2014 “List of Territories Not Considered Low-Tax Territories”is applicable.

EEA–European Economic Area.
Third country–a country that is not a member state of the European Union or the European Economic

Area.

High risk third countrymeans a high risk third country as defined in a delegated act adopted pursuant to Article 9 (2) of Directive (EU) 2015/849 of the European Parliament and of the Council. A list of high- risk third countries adopted in accordance with the Guidelines of FIU is the following:

Country

Basis

Afghanistan
Algeria
United Arab Emirates
Burkina Faso
Egypt
Iraq
Iran
Yemen
Jordan
Democratic Republic of Kongo
Lebanon
Libya
South Sudan
Mali
Morocco
Mozambique
Nigeria
Niger
Pakistan
Palestinian Authority
Democratic People’s Republic of Korea(DPRK)
Saudi Arabia
Russian Federation, the Northern Caucasus regionUN, national competent authorities

EU, UN, national competent authorities national competent authorities
FATF
national competent authorities

national competent authorities
EU, UN, national competent authorities
EU, UN, national competent authorities
EU, UN, FATF, national competent authorities FATF, national competent authorities
UN, national competent authorities
UN, national competent authorities
UN, national competent authorities
UN, national competent authorities
UN, FATF, national competent authorities FATF, national competent authorities
national competent authorities
national competent authorities
national competent authorities
EU, FATF, national competent authorities National competent authorities
EU, UN, national competent authorities national competent authorities

Somalia Sudan Syria Tunisia Turkey Uzbekistan

UN, national competent authorities
UN, national competent authorities
EU, UN, FATF, national competent authorities UN, national competent authorities
UN, FATF, national competent authorities national competent authorities

The Company also monitors the below sources for change is the high-risk countries:

  • EU–EU policy on high-risk third countries;

  • UN–Restrictive measures, UN Security Council resolution;

  • FATF–Jurisdictions under Increased Monitoring.

    Equivalent third countrymeans a country which is not a Member State of the European Economic Area, but which maintains an equivalent and sufficient regime and legislation to the corresponding European Union (AML) framework.

    A reliable source–is the data retrieved from the governmental registers and their equivalent of the respective country or documentation issued by state authorities. The main criterion for the reliability of a document is its originality or notarization of a copy of the original, and the time and / or place of its issue or preparation may be an indicator of the reliability of the document. Electronic online or other public sources may be used to identify or verify the beneficial owner (s) of the transaction, as well to confirm the structure, signature rights, good standing etc.

    A cryptocurrency walletcan be considered as a device, physical medium, program, or service that stores public and / or private keys that can be used to track ownership, receive, or spend of virtual currencies (cryptocurrencies). The cryptocurrency itself cannot be considered a wallet. The cryptocurrency is held and stored in a decentralized general ledger called a block chain.

    Risk assessment–the risk assessment of money laundering and terrorist financing prepared annually by the Management Board on the basis of a risk analysis–documented procedure of defining the risks of money laundering and terrorist financing, their mitigation measures and risk appetite. Risk assessment is aimed to solve several key tasks: identifying, assessing and analyzing the money laundering, terrorist financing and risks associated with weapons of mass destruction separately and identify and clearly define what products and services are used and how they can be exploited in money laundering, terrorist financing or the financing of weapons of mass destruction (i.e., risks). It also includes strategic analysis to understand what vulnerabilities the Company has.

    A business relationshipthat arises between EasyEX OÜ and the Customer upon concluding an agreement (in the reproducible form, acknowledged both by the Company and Customer and updated in a timely manner) for the provision of services by the Company.

    A customeris a person in a business relationship with EasyEX OÜ.

    Virtual currency–a digitally presented value which is digitally transferable, stored or traded and which is accepted by natural or legal persons as a means of payment, but which is not a legal tender or a financial instrument according to the Directive 2015/2366 of the European Parliament and of the Council on the internal market.

    Services–in accordance withCompany’s business plan and operation, the below are services provided by the Company: Virtual currency exchange services–a service within the framework of which a customer exchanges a virtual currency for money or money for a virtual currency or one virtual currency for another.

1.PRINCIPLES OF BUSINESS CONDUCT AND BASIS OF THE INTRNAL RULES

  1. 1.1. The organizational structure of the Company must comply with the terms of risk management, its size and the nature, scale and complexity of its activities and services, including risk appetite and associated risks. The risk management approach of the Company person must comply with the principle of

    proportionality.

  2. 1.2. The organizational structure of the Company must correspond to the understanding of what is claimed

    in regard to risks and their management. Risk management must be comprehensive and cover the

    entire Company’s activity.

1.3.The Company’s board shall ensure that all employees and related outsourced third parties operate in

an environment of anti-money laundering and fully aware of the requirements and obligations involved in anti-money laundering andpreventing the financing of terrorism and the Company’s decision- making processes take due account of relevant risk considerations degree.

1.4.TheCompany’s board, directly involved in the implementation of the RahaPTS and the Guidelines, and the employees involved into Company’s of anti-money laundering work, must have the knowledge, skills and experience to be comprehensive and expected comply with legislation and instructions with precision according to the scope of the task. In addition, they must pass the appropriate training or have otherwise received the necessary experience and practical knowledge from the other obligated persons.

1.5.The separation of functions and principles of avoiding conflicts of interest must be observed while establishing risk management approach (including risk matrix, risk appetite etc.).

2.LINES OF DEFENCE AND STRUCTURAL ORGANIZATION OF THE ANTI-MONEY LAUNDERING ACTIVITY IN THE COMPANY
2.1.The organizational structure of the Company for the purposes of the risk management is built by the

three lines of defense principle.
2.2.Each line of defense has a separate task (based on the principle of avoiding conflict of interests) with

the goal to prevent money laundering and terrorist financing and each line of defense has certain

independence and adequate resources for an effective operation.
2.3.The first line of defense has the function of applying due diligence measures upon business

relationship establishing between the Company and Customer.
2.3.1.This line as well is applying due diligence measures during the business relationship and

conducts ongoing monitoring. First line of defense on a daily basis works with risks related to customers and geographical risk factors and must identify and assess the risks, their specific features and scope and that mitigate these risks by way of their ordinary activities, primarily by way of application of due diligence measures. The risks arising from the activities of and provision of services by the obliged entity belong to the first line of defense. They are the managers (owners) of these risks and responsible for them.

2.3.2.The first line of defense must have good knowledge of the Customers, services provided by the Company, ways of these services distribution (understanding technical features of the solutions used by the Company) and the specific features of their activities and business activities. The aim of this line is to identify transactions in the customer’s activities that are suspicious or unusual or transactions that refer to such circumstances, so they can be referred to the second line of defense for analysis.

2.3.3.First line of defense can include outsourced employees and solution providers, which are aimed to conduct initial identification, verification, screening and onboarding of the Customer. When explaining work tasks to the employee, the Company notifies the person whether he or she is part of the first line of defense.

2.3.4.Activities of first lines are tightly connected to the use of technical tools and IT and specific software solutions, therefore management of the Company must ensure employees have a complex understanding of the tools used, standards of work with data and its collection and storing, ensure that implemented IT and software solutions are compliant, reliable, reduce human error to minimum and provide first line will all the required features for performing expected from them duties.

2.4.The second line of defense consists of the risk management and compliance functions.
2.4.1.The objective of the compliance function is to ensure that the Company complies with effective legislation and its changes and amendments, issued guidelines and other documents and to assess the possible effect of any changes in the legal or regulative environment on theCompany’s

business activity and on the compliance framework.
2.4.2.The task of second line is to help the first line of defense as the owners of risk, to define the

places where risks manifest themselves (e.g., analysis of suspicious and unusual transactions, for which compliance employees have the required professional skills, personal qualities, etc.) and to help the first line of defense manage these risks efficiently. The second line of defense does not engage in taking risks.

  1. 2.4.3. Second line of defense is considered as a contact person for FIU in the Company.

  2. 2.4.4. Company ensures that the contact person complies with the below criteria:

  • Person with relevant education, professional attitude, abilities, personal qualities and experience required to perform compliance and risk management functions;

  • An impeccable professional and business reputation and reputation;

  • Person with the permanent place of work in Estonia;

  • Person that is provided with the freedom of case management and risk assessment conducted

    independently from the other structural units of the Company;

  • Person having the necessary competence, resources and access to relevant information in all

    structural units of the Company with the possibility to receive further training and education in accordance to changes in Company’s business operations or related to the changes of economic environment, implementation of new products and services, channels of sales or other involved technological solutions and developments.

2.4.5.Contact person in the Company has the following areas of activity:

  • organizes the collection and analysis of information or circumstances that indicate unusual or

    suspected money laundering or terrorist financing. To that end, it shall keep, in a form that can be reproduced in writing, all reports of suspicious and unusual transactions received from employees, as well as information and other related documents collected for the purpose of analyzing those reports;

  • provides information to the FIU in case of suspicion of money laundering or terrorist financing. This includes the obligation to keep notices to the RAB in a form that can be reproduced in writing, together with the time of transmission of the notice and the details of the employee who transmitted it;

  • provides the Board with written reviews of compliance with the requirements for the prevention of money laundering and terrorist financing.

2.4.6.The appointment of a contact person shall be coordinated with the FIU in accordance with recommendations and requirements of FIU regarding notifications about intended changes.

2.4.7.Risk policy is implemented, and the risk management framework is controlled via the risk management function. The performer of the risk management function ensures that all risks are identified, assessed, measured, monitored and managed, and informs the appropriate units of the obliged entity about them. The performer of the risk management function for the purposes of money laundering and terrorist financing prevention primarily performs the supervision over adherence to risk appetite, supervision over risk tolerance, supervision over identification of changes in risks, performs the overview of associated risks, and performs other duties related to risk management.

2.4.8.The compliance and risk control employees involved in the prevention of money laundering and terrorist financing (if they are not parts of the function of the compliance officer of the Financial Intelligence Unit) must also comply with the same requirements set for the compliance officer of the Financial Intelligence Unit.

2.5.The third line of defense is comprised by the independent and effective internal audit function. The internal audit function may be performed by one or several employees and/or a structural unit with the relevant functions. In the case of a structural unit, the entire unit must comply with the requirements set out below and the head of the structural unit is responsible for the performance of the functions.

2.6.The Company can address the third-party service provider in order to ensure internal audit function in the Company (outsource the internal auditor).
2.6.1.Either person or legal entity involved to the internal audit function must:

  • have the required competency;

  • have access and knowledge of use of the tools for performing duties;

  • have full access to the relevant information in all structural units of the Company;

  • be aware of the size of the Company and the nature, scope and level of complexity of the

    activities and services provided, (including among others the risk appetite and risks arising

    from activities of the obliged entity);

  • be informed by the Company’s board about changes in the Company’s business activities;

  • have the required education, suitability, necessary capabilities, personal qualities, knowledge

    and experience, and impeccable professional and business reputation have the relevant

    professional standard (attestation) for the performance of their duties;

  • always be informed about the risks and trends of money laundering and terrorist financing both

    at the general level and in the context of the Company in particular.

2.6.2.The internal audit methods must comply with the size of the Company and the nature, scope

and level of complexity of the activities and services provided, incl. the risk appetite and risks

arising from activities of the obliged entity.
2.6.3.The internal audit proceeds from the risk-based and proportionality principle and Company

sets minimum requirement for the internal audit reports as once per twelve months.
2.7.The decision to conduct an internal audit is made by a resolution of the management board of the Company. The management board must regularly assess the need to conduct an internal audit as well evaluate whether ongoing functions of internal audit comply with the changes in Company’s business

operations scale in a quantitative or quality estimation.
2.8.The Board of the Company must update the internal auditor about changes in Company’s business

strategies, adding new products or services, new sales channels or other new IT and software solutions to ensure that internal audit functionis compliant with the Company’s scale and specific operations.

3.CUSTOMER PROFILE EXCLUSIONS
3.1.Despite basing on the principle of non-discrimination of the customers and treating them with the same

good conduct, EasyEX OÜ does not establish business relationship and refuses to provide services to persons who meet the following characteristics:
3.1.1.persons for whom due diligence measures cannot be performed or after performing of due

diligence the suspicion about customer’s relation to the money laundering andterrorist financing

is not eliminated;
3.1.2.persons with whom money laundering and/or terrorist financing is known or suspected in the

course of the application of due diligence measures;
3.1.3.anonymous and/or fictitious persons and straw men and other cases that may leg to anonymity

in case of operations with the virtual currencies;
3.1.4.shell banks and credit or financial institutions that are known to allow shell banks to use their

accounts (no correspondent relationship is established);
3.1.5.subjects of sanctions–persons who are included in the UN, OFAC and EU or other lists of

sanctions that are revised regularly,
3.1.6.natural or legal persons who are from high-risk countries determined by the FIU in accordance

with FATF, UN and other international organizations (with insufficient measures for prevention

of money laundering and terrorist financing);
3.1.7.providers of tumbler/mixer services in relation to virtual currencies–services that provide

specific technical and financial tools that can lead to concealment of the source legitimacy of

virtual currencies;
3.1.8.persons whose bearer shares or other bearer securities represent more than 10 per cent of the

capital;
3.1.9.partnerships, trusts, trust service providers;
3.1.10.customersforwhomitisnotpossibletoidentitytheultimatebeneficialownerwiththereliable

sources and with help of open registers or their equivalent;
3.1.11.customers who fail to provide requested documentation and data and/or unable to conduct

remote verification procedure established by the Company with the technological means and

according to Company’s onboarding requirements;
3.1.12.customersforwhomfactsofmisconductornegativebusinessreputationweredeterminedfrom

the reliable sources, including adverse media;
3.1.13.customers without establishing business relations (no occasional transactions are accepted by

the Company).
3.2.EasyEX OÜ does not create correspondent relationships, including not offering the possibility to open

a correspondent account.
3.3.The Company adopts the below list of prohibited jurisdictions with Customers residing there, that

can’t be entitled of Company’s services:

  • Afghanistan;

  • Algeria;

  • American Samoa;

  • Barbados;

  • Cambodia;

  • Guam;

  • Guatemala;

  • Tuvalu;

  • Uzbekistan;

  • Russia;

  • Singapore;

  • Saudi Arabia;

  • Ecuador;

  • China;

  • Indonesia;

  • Taiwan;

  • Philippines;

  • The Central African Republic;

  • The Democratic People's Republic of Korea;

  • The Democratic Republic of the Congo;

  • The Republic of the Congo;

  • The Republic of Guinea-Bissau;

  • The Republic of Iraq;

  • The Federal Republic of Somalia;

  • The Republic of Mali;

  • The State of Libya;

  • The Republic of South Sudan;

  • The Republic of the Sudan;

  • The Republic of Yemen;

  • The Republic of Belarus;

  • The Republic of Burundi;

  • The Republic of Cuba;

  • The Islamic Republic of Iran;

  • The Lebanese Republic;

  • The Republic of Nicaragua;

  • The Syrian Arab Republic;

  • Ukraine;

  • The Bolivarian Republic of Venezuela;

  • The Republic of Zimbabwe.

4.CUSTOMER VIDEO IDENTIFICATION
4.1.The Company implemented mandatory video identification for all the Customers, willing to use

services of the Company.
4.2.Video identification is conducted within due diligence measures while establishing business relations

between the Company and customer.
4.3.Video identification is conducted with the technological means of the IT solutions implemented by

the company.
4.4.Video identification requires check of identification documents provided by customer for validity,

check of the true likeness of customer with the provided by him/her identification documents and identification whether the customer is performing actions in the scope of his/her business relations in the real time.

4.5.In case the Company offers services to legal person, the authorized representative (member of the board, director etc.) and the ultimate beneficial owner of the customer will be requested to conduct

video identification.
4.6.The Company set the same requirements for video identification of customers from the EEA and from

the third countries.
4.7.In addition, video identification should be implemented by the Company for cases where:

  • the total amount of payments made by a natural person who resides in the EEA exceeds EUR 15,000 per calendar month;

  • the total amount of payments made by a legal person who resides in the EEA exceeds EUR 25,000 per calendar month.

    4.8.EasyEX OÜ follows the regulation“Technical requirements and procedures for identification and verification of data by means of information technology”of the Minister of Finance of the Republic of Estonia when performing video identification.

    4.9.The Company is constantly monitoring the results of video identification and controls that used technical and software solutions comply with the current requirements of the Estonian guidance and regulations. The Company must ensure the compliance of third parties and technological providers involved into video identification of customers at all times.

    5.ESTABLISHING BUSINESS RELATIONSHIP WITH PERSONS FROM HIGH-RISK THIRD COUNTRIES
    5.1.In course of business activity, the Company is not accepting clients or transactions from / to high-risk

    third countries. The Company establishes the below rules for cases where it was found out during the

    ongoing due diligence, customer’s relation to thehigh-risk third countries.
    5.2.The Company determines persons from high-risk countries in the risk appetite as the least favorable

    for operations and their part in the overall customers pool should not exceed the set limits.
    5.3.The Company always applied enhanced due diligence measures while establishing business

    relationship with customers from high-risk third countries.
    5.4.The Company must request additional identity proof documents from the customer and / or his / her

    beneficial owner, legal representatives and must verify the data from reliable and independent sources. 5.4.1.The Company must obtain additional information on the beneficial owner, including

    identification of the origin of assets used in the transaction.

5.4.2.Each case of establishing business relationship with the customers from high-risk countries

must be approved by the management board before entering into a transaction.
5.4.3.The Company is required to identify the origin of wealth of the customer and/or beneficial

owner at all times.
5.4.4.Each customer from high-risk countries is subject to frequent and detailed ongoing monitoring

to the business relationship.

6.CUSTOMER RISK PROFILE DETERMINATION
6.1.The Company sets separate risk assessment in the documented form to ensure that customers entering

into business relationship are compliant with the Company’s risk appetite.
6.2.Guidelines for establishing a business relationship or entering into a transaction with different risk

profilesare based on the Company’s approved risk categories (risk related tocustomer, risk related to Company’s servicesetc.) and criteria determining risk profile.

6.2.1.Low risk customer–an employee can establish a business relationship and execute the transaction immediately after conducting required due diligence;

6.2.2.Medium risk customer–an employee undertakes to analyze whether it is necessary to apply additional due diligence measures, if there is no need to so, the business relationship can be entered, or the transaction can be executed. If the need for additional due diligence measures arises, the employee must apply additional measures and based on their results, decide whether to establish a business relationship, execute the transaction or not.

6.2.3.High risk customer–if the risk profile of the customer or transactions is high, enhanced due diligence measures must be applied before executing the transaction, including, if necessary, obtaining the permission of the management board to establish a business relationship or enter into a transaction.

7.GENERAL IDENTITY VERIFICATION REQUIREMENTS

  1. 7.1. IdentityverificationisthepartofduediligenceoftheCompanyandappliestoeachpotentialcustomer

    interested in entering into business relationship with the Company.

  2. 7.2. The following details must be assessed when an identity document is presented for verification by

    Customer:

    • the validity of the document according to the expiry dates;

    • the person ́s external resemblance and age suitability to the person depicted on the photograph;

    • no visible signs of forgery or damage on the document;

    • the full size of the document, including all needed pages;

    • signature of the customer;

    • details about date of birth, place of birth, personal identification number and document number are

      present.
      7.3.The Company cannot accept for identity verification purposes documents the are expired, have

      indication of forgery, damaged documents, documents without photo of the applicant customer,

      documents without proper translation or transliteration to Latin letters.
      7.4.The Company is reporting regarding each case of unsanctioned use of identity documents of another

      person, presented by customer for the identification to the FIU and prohibits these cases for

      establishing business relationship.

  1. 7.5. The identity of natural person who is a representative to a legal person must be verified under the same

    conditions as the natural person.

  2. 7.6. EasyEX OÜ accepts notarized documents authenticated by persons who are entered in the respective

    list of foreign officials accepted by the Republic of Estonia.

8.PROCEDURES FOR APPLYING DUE DILIGENCE MEASURES
8.1.When providing financial services, the employees of EasyEX OÜ apply the following due diligence

measures:
8.1.1.Identification of the customer or person participating in the transaction based on the provided

documents and data and verification of the provided information from a reliable and independent

source;
8.1.2.Video identification with help of technical and software solutions;

8.1.3.Identification and verification of the identity and right of representation of the representative of a natural or legal person;

8.1.4.Identification of the beneficial owner and verification his/her identity to an extent that enables EasyEX OÜ to ensure that it is known who the beneficial owner is, and the ownership and control structure of the customer are clear and understandable;

8.1.5.Understanding the business relationship or transaction and confirming its economical reasonability to ensure that the transaction is not suspicious;

8.1.6.Obtaining additional information (the customer’s permanent location, activity, residence, professional activity, field of activity, major transaction partners, payables and, in case of a legal person, experience and other details the Company can consider reasonable for each particular case);

8.1.7.Checking each customer for being a politically exposed person, a member of the family or a person considered to be their close associate;

8.1.8.Checking each customerwithin the sanctions lists and ensuring that person or legal person’s representatives are not subjects to international or local sanctions;

8.1.9.Checking each customer within screening programs to determine whether customer has any adverse media associated with him/her;

  1. 8.1.10. Business relationship monitoring;

  2. 8.1.11. When applicable, the collection of information on the origin of the Customer ́s wealth;

  3. 8.1.12. The Company shall apply the due diligence measures specified above at least when:

  • establishing a business relationship;

  • executing transactions;

  • in case of suspicion of money laundering or terrorist financing, notwithstanding any

    concession , exemption or limit specified in the RahaPTS;

  • in case of suspicion of inadequacy or inaccuracy of documents or data previously collected in

    the course of identity verification or in the course of updating of the relevant data;

  • in case of detection of suspicious transactions.

8.2.EasyEX OÜ applies all due diligence measures to the Customer that are provided above but determines the scope and exact manner of their application and the need to apply them based on the money laundering and terrorist financing risks previously assessed or related to a specific business relationship or person.

8.3.The Company identifies a person and verifies the data by means of information technology, if a business relationship has been established with a person is a) personal meeting and on-site verification in the same place and time is not possible b) customers originates from, or is domiciled in, a country outside the European Economic Area, or c) originates from or is domiciled in a Contracting State of the European Economic Area and whose total outgoing payments related to a transaction or a service contract exceeds EUR 15,000 per calendar month or, in case of a legal person, EUR 25 000 per calendar month.

9.IDENTIFICATION OF A NATRUAL PERSON WHILE ESTABLISHING A BUSINESS RELATIONSHIP

9.1.EasyEX OÜ identifies the customer and, where applicable, its representative and retains the following information about the person and, if applicable, the person ́s representative:
9.1.1.first name and surname;

  1. 9.1.2. personal identification code, in the absence thereof, date and place of birth;

  2. 9.1.3. residence or location;

  3. 9.1.4. identification and validation of information on the right of representation and its scope, and if

the right of representation does not arise from law, the name of the document on which the right

of representation is based, the date of issue and the name or title of the issuer;

  1. 9.1.5. activity profile (for customers of Medium and High risk);

  2. 9.1.6. profession and field of activity (for customers of Medium and High risk);

  3. 9.1.7. the purpose and nature of the business relationship (for customers of Medium and High risk);

  4. 9.1.8. the beneficial owner, if necessary, in accordance with clause 8.9 of the Instruction.

9.2.The identification and verification of a natural person is carried out based on the identity document. The identification and verification of identity is performed by the employees of EasyEX OÜ who are in direct contact with the customer with the help of technology means.

9.3.The Company records the data based on information and documents provided by the customer and stores them for future ongoing monitoring.

9.4.Documents accepted for identification:

  1. 9.4.1. identity card;

  2. 9.4.2. digital identity card;

  3. 9.4.3. residence permit card;

  4. 9.4.4. Estonian citizen passport;

  5. 9.4.5. alien ́s passport;

  6. 9.4.6. a valid travel document issued abroad;

  7. 9.4.7. driver ́s license bearing the user ́s name, photograph or facial image, signature or signature

image and date of birth or personal identification number;
9.4.8.The Company has the right to request from the customer more than one identification

document in case of any suspicion arising during the due diligence or in case provided by customer identification document does not comply with the Company’s requirements and it is not possible to validate and verify in with the technological means Company implemented.

9.5.The responsible employee of EasyEX OU evaluates the submitted documents:

  1. 9.5.1. validity by expiration dates;

  2. 9.5.2. the external similarity of the person and the age suitability of the person depicted in the

document;

  1. 9.5.3. validity of the personal identification code with gender and age;

  2. 9.5.4. no visible signs of forgery or damage on the document;

  3. 9.5.5. the full size of the document, including all needed pages;

  4. 9.5.6. signature of the customer;

  5. 9.5.7. details about date of birth, place of birth, personal identification number and document number

are present.
9.6.In case of doubt as to the authenticity or identity of the document regarding the information contained

in the codes given to foreign natural persons, a foreign embassy or other competent authority shall be

consulted
9.7.The Company makes a copy of the personal data and photo pages of the submitted document and

registers other data received about the person in the information system of EasyEX OÜ with help of technological and software solutions implemented and in case of such need, requesting the data in the recordable and official form of e-mails or support tickets inside of the Company’s platform environment.

9.8.No other communication channels except mentioned in point 8.7 are considered official

communication between Company and customers.
9.9.An employee shall not make a copy of the document if EasyEX OÜ has entered into a data exchange

agreement with the Police and Border Guard Board, on the basis of which EasyEX OÜ can make

inquiries to the identity documents database.
9.10.Politically exposed person, sanctioned person and person exposed in the adverse media

9.10.1.In addition to verifying the identity, the Company also finds out when applying due diligence measures whether or not the person is a politically exposed person.

9.10.2.In order to verify and confirm if the person is a politically exposed, a member of the family or a person considered to be their close associate the Company uses technological and software solutions and can address to other reliable open sources.

9.10.3.If the ethe Company suspects that, despite the customer ́s claims for not being a politically exposed, a member of the family or a person considered to be their close associate, the customer is a politically exposed person, then the employee performs an initial check using Internet search engines or relevant databases.

9.10.4.If the suspicion continues, the Company will contact the supervisor for further instructions, who will consult the Contact person or the Management Board of EasyEX OÜ if necessary.

9.10.5.EasyEX OÜ also identifies close associates of the politically exposed person, and family members if there is a reason to believe that such connection exists.

9.10.6.The Company considers a politically exposed persons, a member of the family or a person considered to be their close associate high-risk customers, therefore takes decision to refuse to provide any services to them.

9.10.7.The Company conducts ongoing monitoring of all registered customers to ensure that none of the customers entered into business relationship in time becomes a politically exposed persons, a member of the family or a person considered to be their close associate.

9.10.8.The Company must ensure that the external providers and technical and software solutions used for identifying politically exposed persons, a member of the family or a person considered to be their close associate is compliant with the Company’s Internal Rules and updates its sources and technologies to that extent, that data about all new politically exposed persons, a member of the family or a person considered to be their close associate is added to the data bases in a timely manner.

9.10.9.The Company checks each customer for being not related to the international sanctions imposed by the EU, UN or other international organizations with the technological and software solutions together with checking open sources.

9.10.10.The Company is not providing services to the customers that are subject to sanctions of any level and does not enter into business relationship with then.

9.10.11.The Company checks each customer for adverse (negative) media associated with the customer.

9.10.12.In case of confirmed fact of customer being exposed in adverse media, the Company has the right to refuse to establish business relationship with the customer.

9.10.13.Cases of customers being confirmed as politically exposed persons, a member of the family or a person considered to be their close associate, subject to international sanctions or exposed in the adverse media should be treated with the high attention involving reporting to the FIU and are reasonable ground to not enter into business relationship with the potential customer or stop the established business relationship in case the mentioned facts were determined within ongoing monitoring measures.

9.10.14.In case of doubt if the employee feels that the natural person has been asked, lured, threatened,

bribed or otherwise inclined to enter into a business relationship or enter into a transaction, the

beneficial owner of a natural person must be identified.
9.10.15.In this case, the person who exercises control over a natural person is considered to be the

actual beneficiary of the natural person and also a straw man with whom the establishment of the

business relationship is not permitted. 9.11.Verification of documents and data

9.11.1.The employees of EasyEX OÜ checks the data and references submitted for identification through reliable and independent information sources, including public registers and public authorities.

9.11.2.The responsible employees of EasyEX OÜ are responsible for the regular verification of the data.

9.11.3.The Company relays on the technical tools and software for verification of submitted documents and data.

9.11.4.As part of verification, for each customer the Company is collecting contact and communication details, with the minimum extend of e-mail address.

9.11.5.E-mail addresses provided by the customers must be verified and checked according to the Company’s technical and software solutions capabilities.

9.11.6.It is prohibited to enter into business relationship with the customer who did not verify his/her e-mail address.

10.IDENTIFICATION OF LEGAL PERSONS WHILE ESTABLISHING A BUSINESS RELATIONSHIP

10.1.The Company does not consider legal persons as significant part of the potential customers, however in case of changes in the business strategy the Company is required to conduct relevant identification measures for legal persons on the stage of establishing business relationship.

10.2.Upon identification of a legal person, the following must be ascertained:

  1. 10.2.1. full business name;

  2. 10.2.2. registry code, or registration number and time;

  3. 10.2.3. country of registration;

  4. 10.2.4. location and actual place of business;

  5. 10.2.5. information on the legal form and legal capacity of the person;

  6. 10.2.6. the name of the director or the names of the members of the management board or other bodies

and their powers to represent the legal person;
10.2.7.the names of shareholders, secretaries, treasurers, presidents and other bodies of the legal

entity that have influence on business operations of the legal entity;

  1. 10.2.8. data on means of communication;

  2. 10.2.9. existence of politically exposed persons;

10.2.10.open debts, tax obligations and other obligations that can be determined for the legal entity

from the open reliable sources;
10.2.11.legal entity’s legal structure, including holding companies, subsidiaries, foreign branches,

representative offices etc.;
10.2.12.information about business activity conducted by legal entity as primary activity and

additional if applicable;
10.2.13.information about the licenses or other governmental permissions from the country of

registration of the legal entity, in case such permissions are applicable to the legal entity’s business

activity;
10.2.14.details of the beneficial owners, subject to the provisions of Section 9.6 below.

  1. 10.3. The identity of a legal person is established based on the information from data registries.

  2. 10.4. If EasyEX OÜ has access to the data of commercial register, register of non-profit organizations

or register of foundations or relevant registries of a foreign country via the Internet, then the customer does not have to submit the registry card to EasyEX OÜ. The responsible employee records the data of the legal person based on the questionnaire survey, the data of which the representative of the legal

person confirms with a signature.
10.5.In case the customer is a legal entity registered in the jurisdiction where open-source registry is

not available, the Company must request the governmentally issued documentation in order to verify

the details and data mentioned above.
10.6.The responsible employee shall make copies of the identity documents of the person ́s

representative and registers the data of the legal person in the information system of EasyEX OÜ. The employee also must store copies of the registry extracts (cards) and other documentation submitted by customer for the purposes of onboarding and establishing business relationship.

10.7.Identification of the beneficial owner 10.7.1.A beneficial owner is a natural person:

  • who, through ownership or other type of control, has ultimate control over a natural or a legal person; or

  • in whose interest, benefit or on whose behalf the transaction or act is made;

  • where such person cannot be identified, the beneficial owner of the company shall be the natural person whose direct or indirect holding or the sum of all the direct or indirect holdings in the company exceed 25 per cent, including holdings in the form of bearer shares or other

    forms of bearer securities;

  • where the shareholding or identifiable level of control of any natural person does not exceed

    25 per cent, information on shareholders who have control or other significant influence over

    the activities of the legal person shall be required.

10.7.2.If the documents and information submitted for identification do not allow to determine

directly who the actual beneficiary of the legal person is, this shall be registered on the basis of the

handwritten confirmation of the authorized representative of the legal person.
10.7.3.For cases of the handwritten confirmation, the accuracy of the provided shall be verified by

putting reasonable measures:

  • inquiries to the relevant registers;

  • the submission of the legal person ́s annual report or other relevant documents.

    10.7.4.If discrepancies are found in the data provided by the registry and in the data submitted by the customer, the customer shall be asked for written explanations and the registry shall be notified of the actual beneficiary of the company.

10.8.Identification and verification of the right of representation
10.8.1.The Company determines whether the person is acting on his or her behalf or on behalf of

another person (natural or legal). If a person acts on behalf of another person, the employee must

also identify the person on whose behalf the transactions are made.
10.8.2.The Company identifies the basis, scope and period of validity of the representative’s right of

representation.
10.8.3.In the case of authorized and legal representatives, it must be made clear whether the

representative knows the person being represented. The below must be checked regarding

representative’s knowledge:

  • the content and purpose of the declarations of intent of the person he or she represents; the

    economic and professional activities of the represented person;

  • the purpose of the transactions;

  • business partners;

  • the source and origin of the funds used in the transaction;

  • the ownership circle of the legal person.

10.8.4.The representative confirms with own signature that he /she is aware of the source of funds of the represented person and is convinced that the funds used by the represented person in the transaction are of legal origin.

10.8.5.Procedure for updating data / documents used for identification
10.8.6.The Company shall update the data obtained during the identification and verification of

identity at least once a year, every six months in case of an increased level of risk.

11.APPLICATION OF DUE DILIGENCE MEASURES
11.1.The Company shall apply the simplified due diligence measures in case of low risk of money

laundering or terrorist financing, if the customer’srisk profile is low and the risk assessment prepared

by EasyEX OÜ indicates that such circumstances are lower than usual.
11.2.Before applying the simplified due diligence measures the Company must ensure that the business

relationship, transaction or operation is of lower risk. In this case to such transaction, operation or

customer a lower level of risk than usual can be assigned.
11.3.EasyEX OÜ applies simplified due diligence only to the extent that sufficient monitoring of

transactions and business relationships is ensured in order to be able to identify unusual transactions

and enable the reporting of suspicious transaction.
11.4.When applying the due diligence measures, the identity of the customer and the customer ́s

representative may be verified on the information obtained from a reliable and independent source during the business relationship establishment, if it is necessary in order not to disturb the normal course of business.

11.5.When applying the simplified procedure in clauses, the Company chooses the extent of the fulfillment of the obligation and the need to verify the source of information and the data used for this purpose from a reliable and independent source.

11.6.The due diligence measure set may be applied in a simplified manner if a lower risk characteristic is identified and at least the following conditions are met:

11.7.A long-term agreement in written, electronic or in a form that can be reproduced in writing has been entered into with the customer.

11.8.Payments made to EasyEX OÜ during a business relationship have to come only from an account located in a credit institution that is entered into the Estonian Commercial Registry or from a branch of a foreign credit institution established or having its place of business in a Contracting State or country where equivalent requirements apply; a limit has been established on the total value of incoming or outgoing transaction payments;

11.9.The simplified due diligence shall not be applied if the Company has any suspicion of money laundering or terrorist financing on any grounds or a suspicion that the customer ́s activities are in any way illegal.

12.APPLYCATION OF ENHANCED DUE DILIGENCE
12.1.EasyEX OÜ applies enhanced due diligence measures in order to properly manage and mitigate

the higher than usual risk of money laundering and terrorist financing. 12.2.Enhanced due diligence must be applied be applied when:

12.2.1.during establishing the identity or verification the information submitted by the customer, there is a doubt as to the truthfulness of the submitted data;

12.2.2.during establishing the identity or verification the information submitted by the customer, there is a doubt to the authenticity of the document or the identification of the actual beneficiary or beneficiaries;

12.2.3.during video identification customer is not able submit the data and documents in accordance withCompany’s requirements;

12.2.4.during video identification customer has significant technical problems and not able to conduct video identification in a manner requested by the Company;

12.2.5.during the establishing of business relationship, it is determined that the participant in the transition is a politically exposed person (except a local Estonian politically exposed person) a member of the person ́s family or a close associate;

12.2.6.during the establishing of business relationship, it is determined that the participant in the transition is subject to international sanctions;

12.2.7.during the establishing of business relationship, it is determined that the participant in the transition is exposed with the adverse media;

12.2.8.the participant in the transaction is from a high-risk country, its place of residence or domicile or the location of the payee ́s payment service provider is in a high-risk third country;

12.2.9.the participant in the transaction originates from or is domiciled in such a country or the payee ́s payment service provider is from such a country where, according to reliable sources such as peer reviews, reports or published follow-up reports, effective anti-money laundering and anti- terrorist financing systems that are in line with the recommendations of the Anti- Money Laundering Council are not in place or are considered a low-tax territory;

12.2.10.according to EasyEX OÜ ́s risk appetite or risk profile assigned to the Customer, it is established that in such circumstances there is a higher than usual risk of money laundering or terrorist financing;

12.2.11.the participant in the transaction cannot subject economical reasonability, intents to exceed stated normal transactions thresholds, is not able to provide sufficient evidence of the legitimacy of the assets intended to participate in the transaction.

12.3.Before applying enhanced due diligence measures to the customer, the Company determines that the business relationship, transaction or operation is subject to a higher risk, and such a transaction or the Customer must be assigned a higher than usual risk level.

12.4.Before applying the enhanced due diligence measures, the Company must assess the existence of circumstances referring to the higher risk specified in the Risk Assessment documentation.

12.5.At least one of the following additional due diligence measures, shall apply as enhanced due diligence on identification and verification of submitted information on the basis of additional documents, data or information from:

  • a reliable and independent source;

  • a credit institution registered in Estonia;

  • a branch of a foreign credit institution registered or having its place of business in a Contracting

State of the EEA or a country where the requirements equivalent to those set out in the RahaPTS

apply.
12.6.Taking additional measures to verify the authenticity of the submitted documents and the accuracy

of the information contained therein:
12.6.1.requesting their notarial or official certification of the submitted documents;
12.6.2.confirmation of the informational accuracy by the credit institution specified in the previous

clause;
12.6.3.obtaining additional details about the purpose and nature of the business relationship or

transaction and verifying the information provided on the basis of additional documents, data or

information acquired from a reliable and independent source;
12.6.4.collecting additional information and documents on the actual execution of transactions and

identification of the source and origin of the funds used in transactions in order to exclude the

ostensibility of transactions;
12.6.5.makingthefirstpaymentrelatedtoatransactionthroughanaccountinthenameoftheperson

participating in the transaction or the Customer, which is opened with a credit institution registered or having its place of business in a Contracting State of the EEA or in a country equivalent to that specified in the RahaPTS;

12.6.6.establishing a business relationship or conducting a transaction with the permission of the Management Board;

12.6.7.applying enhanced due diligence to the customer or its representative while physically being in the same place as the customer or its representative;

12.7.If enhanced due diligence measures are applied, EasyEX OÜ shall monitor the business relationship more frequently than usual and re-evaluate the Customer ́s risk profile no later than six (6) months after the establishment of the business relationship.

13.ADDITIONAL DUE DILIGENCE MEASURES FOR TRANSACTIONS WITH CUSTOMERS ACTING FROM HIGH-RISK THIRD COUNTRIES

13.1.EasyEX OÜ prohibits transactions and provision of its services to individuals or legal entities from high-risk third countries.

13.2.If EasyEX OÜ, in course of its business or professional activities, comes into contact with a high- risk third country through its transactions or through the customer, then the following due diligence measures must be applied:
13.2.1.collecting additional information about the customer ́s actual beneficiary (including source of

wealth, occupation, screening for being politically exposed persons, a member of the family or a person considered to be their close associate, subject to international sanctions or exposed in the adverse media and other measures respectively);

13.2.2.obtaining additional information about the planned content of the business relationship, its continuity, understanding economic reasonability of it;

13.2.3.obtaining additional information on the funds of the actual beneficiary of the customer and the origin of the wealth,

13.2.4.obtaining information on the reasons for planned or performed transactions;
13.2.5.obtaining permission from the Management Board to establish or continue a business

relationship with the customer in question;
13.2.6.enhancing the ongoing business relationship monitoring by increasing the number and

frequency of controls applied and selecting transaction indicators to be further monitored;
13.2.7.requesting payments only from an account in the name of the Customer with a credit institution of Contracting State of the EEA or a third country that applies equivalent requirements. 13.3.Company applies all measures to prevent contact with customers from the high-risk third countries.

14.ESTABLISHING A BUSIENSS RELATIONSHIP WITH A POLITICALLY EXPOSED PERSON

14.1.If in course of simplified, normal or enhanced due diligence it was determined by the Company that the customer is a politically exposed persons, a member of the family or a person considered to be their close associate or subject to international sanctions business relationship cannot be established with such customer.

14.2.The Company’s employees must inform the Management Board about the cases described above and store the data about attempts of politically exposed persons, a member of the family or a person considered to be their close associate or subject to international sanctions to establish business relationship with the Company.

14.3.The employee controlling the data shall inform the Management Board if the customer or the actual beneficiary turns out or, later, during the business relationship, becomes a politically exposed person. 14.4.In case the existing customer during the business relationship, becomes a politically exposed person, a member of the family or a person considered to be their close associate or subject to international sanctions business relationship with a politically exposed person shall be subject to

regular and enhanced due diligence.
14.5.Regular enhanced inspections shall be applied even after the termination of the activities of a

politically exposed person if, due to the principle of a risk-based approach, there is still an increased

risk associated with said person.
14.6.In this case Company should apply at least below measures:

14.6.1.askingthecustomerforadditionalinformationnecessarytodeterminethesourceofwealthand the origin of funds used in the business relationship or transaction;

14.6.2.checking data or making queries to the databases of state agencies of the respective country and researching and checking the information obtained from the open sources;

14.6.3.makinginquiriesorcheckingdataonthewebsitesofthesupervisoryauthoritiesorinstitutions of the respective country where the Customer or the person is located.

14.7.If a politically exposed person no longer performs important public functions, the monitoring of the business relationship shall, for a period of at least twelve (12) months, take into account the risks that remain with that person and take appropriate and risk-sensitive measures until it is certain that the risks inherent in politically exposed person no longer exist for that person.

15.PURPOSE AND NATURE OF THE BUSINESS RELATIONSHIP AND THE TRANSACTION, BUSINESS RELATIONSHIP MONITORING

15.1.When EasyEX OÜ is establishing a business relationship with a customer who is a legal person, then the responsible employee must identify the field of activity and activity profile of the customer, which would allow assessing the circumstances indicating money laundering or terrorist financing in the Customer ́s activities.

15.2.The Company, among other things, identifies the customer ́s permanent establishments in a third country, most important business partners and payees, taking into account the specificity of EasyEX OÜ ́s activities.

15.3.The responsible employee shall determine the nature and the purpose of the business relationship and transaction based on the following information:
15.3.1.confirmations given by the Customer upon establishing a business relationship or executing

a transaction;
15.3.2.data obtained from public sources (registry of economic activity, commercial registry,

published annual reports, Internet search engines, information registries etc.) regarding the customer`s activity profile and field of activity.

16.THE PRINCIPLE OF“KNOW YOUR CUSTOMER”OR KYC
16.1.The“Know Your Customer”principle means collecting relevant information and data about the

customer:

  1. 16.1.1. identifying the customer ́s business profile;

  2. 16.1.2. the purpose of its activities;

  3. 16.1.3. the actual beneficiary;

  4. 16.1.4. identification of the sources and origin of wealth, used int the transactions, which enable the

Company to assess whether the transactions performed by the customer correspond to its core business and / or payment practices and to decide whether it is a normal, suspicious or an unusual transaction.

16.2.The Company selects, according to the principle of risk-based approach, the appropriate scope of KYC application based on the risk assigned to a particular business relationship or a transaction.

16.3.The Company shall use appropriate technical and software solutions, websites and databases in order to determine effectively and expeditiously whether it is:

  1. 16.3.1. a politically exposed person;

  2. 16.3.2. a person who is domiciled in a high-risk third country or a low-tax territory;

16.3.3.a person whose activities are priorly known to be associated with money laundering or terrorist financing;

16.3.4.a person subject to international sanctions or (v) a person with whom a transaction is made by means of communication;

16.3.5.a person exposed with the adverse media.
16.4.The Management Board Member who is responsible for the prevention of money laundering and

terrorist financing must ensure the availability and use of the necessary databases (incl. ensuring access

and necessary training).
16.5.In order to apply the KYC principle, the Company must:

16.5.1.implement measures to determine the customer ́s field of activity and activity profile;
16.5.2.requesting data from the customer upon establishing a business relationship or concluding a

transaction;

  1. 16.5.3. inspection of public databases and registries, special technical and software solutions;

  2. 16.5.4. monitor, analyze and differentiate made by the customer in EasyEX OÜ;

  3. 16.5.5. if necessary, enhanced due diligence measures shall be applied to the customer or the

transaction in accordance with the provisions.
16.6.Monitoring of the business relationship shall include at least the following:

16.6.1.checking the transaction made during the business relationship between Company and customer to ensure that the transactions are in accordance with EasyEX OÜ ́s knowledge of the customer, its activities and risk profile;

16.6.2.regular updating of relevant documentation, data and information retained in the course of the due diligence measures application;

16.6.3.identification of the source and origin of funds used in the transaction;
16.6.4.paying more attention to transactions made in a business relationship, the customer activities and circumstances that indicate or are likely to be involved in criminal activity, money laundering or terrorist financing, including complex, high-value and unusual transactions and transaction patterns which do not have a reasonable or apparent economic or legitimate purpose or which are not specific to a particular business, including identifying the nature, cause and background of those transactions, as well as gathering other information to understand the content of the

transactions;
16.6.5.pay more attention to the business relationship or transaction if the customer ́s representative

or beneficial owner is from a high-risk country or has the citizenship or residence of that country

or the payee ́s payment service provider is located in that country or territory. 16.7.When monitoring the business relationship, Company must:

16.7.1.monitor and take into account the signs of suspicious transactions specified in the instructions of the Financial Intelligence Unit;

16.7.2.checkthetransactionsmadebytheCustomerwithafrequencythatcorrespondthecustomer ́s risk level;

  1. 16.7.3. conduct inspections for the low-risk customers at least every two years;

  2. 16.7.4. conduct inspections for medium-risk customers once a year;

  3. 16.7.5. conduct inspections of hirh0risk customers every six months;

  4. 16.7.6. notify the management Board and the FIU of any transactions suspected of money laundering

or terrorist financing;
16.7.7.changethecustomer ́srisklevel,ifnecessary,withthechangesofhis/herbusinessrelationship

with the Company.

17.TRANSACTIONS MONITORING AND PRINCIPLES OF DETERMINING SUSPICIOUS TRANSACTIONS

17.1.The Company in accordance with the guidance of the FIU in required to report to the FIU about the suspicious transactions in the form determined by the FIU.

17.2.Company’s AML officer (contact person) is required to file the relevant reports to theFIU and keep Management Board of the Company always updated regarding any suspicious transaction detected.

17.3.The Company sets the following indicators of the suspicious transactions:
17.3.1.The customer requests to buy virtual currencies in one transaction worth more than EUR

32,000;
17.3.2.A single large purchase or sale of virtual currencies using a service that makes it difficult to

identify one or more transactions in virtual currencies, such as a drum or mixing service (tumbler,

mixer).
17.3.3.A person with a politically exposed background has bought or sold virtual currencies worth

more than EUR 10,000.

17.3.4.A virtual currency transaction uses the services of intermediaries that guarantee / complicate the impossibility or difficulty of identifying a person (for example, service providers who allow personal data not to be passed on to law enforcement authorities).

17.3.5.Assets worth more than EUR 32,000 are purchased for virtual currency.
17.4.The Company as a virtual assets service provider (VASP) is aware of the below indicators of the

suspicious and unusual transactions:
17.4.1.The IP address of the customer's communication device indicates the country of risk (when

making payments, logging in to the account) or unusual use of the VPN connection, other

concealment of location or identity, or changes unusually often;
17.4.2.The transfer party is a credit or financial institution registered in the country of risk or entitled

to provide services there (e.g., payment institution, paying agent) or is known to be a user of a

virtual IBAN account;
17.4.3.The establishment of a customer relationship and / or the first transaction indicates an

association with the country of risk (e.g., place of birth, address, telephone number, e-mail address,

IP address);

  1. 17.4.4. Purchase or sale of virtual currency in cash, regardless of amount;

  2. 17.4.5. In a transaction in virtual currency, the asset is sent to or received from the high-risk country;

  3. 17.4.6. Use of dark web or mixer transactions for virtual currencies;

  4. 17.4.7. During due diligence measures, the customer refuses to provide additional documents, data or

information (incl. On the origin of funds);
17.4.8.When establishing a customer relationship, there is doubt as to the accuracy of the identity

document or the identity document is not legible in the Latin alphabet;
17.4.9.Virtualcurrencymonitoringsoftware(blockchainanalyticaltool)referstothepriormovement

of assets through a platform registered or operating in a high-risk country;
17.4.10.Virtual currency monitoring software (block chain analytical tool) refers to the intended

transfer of assets through platform registered or operating in a high-risk country; 17.4.11.Forwarding of funds derived from virtual currencies to a non-profit association, foundation or other association / organization operating in a country at risk or providing assistance or services to

persons related to the country at risk;
17.4.12.A non-profit association, foundation or other association uses a combination of complex10

chains of transactions (cash, payment institutions, virtual currencies, etc.) to conduct transactions; 17.4.13.Sending funds in virtual currency to a non-profit association, foundation or other association / organization operating in a country at risk or providing assistance to persons related to the country

at risk.

18.REFUSAL OF TRANSACTION AND EXTRAORDINARY TERMINATION OF A BUSINESS RELATIONSHIP

18.1.It is prohibited to establish a business relationship or to allow the conclusion or completion of an occasional transaction or during the business relationship if at least one of the following circumstances occur:

  1. 18.1.1. it is not possible to apply the required due diligence measures;

  2. 18.1.2. there is a suspicion of money laundering or terrorist financing;

  3. 18.1.3. there is a suspicion that the person is the subject of an international sanction.

18.2.EasyEX OÜ does not establish a business relationship (establishing a business relationship and

concluding a transaction is prohibited) if the person participating in the transaction or official activity, despite the relevant request, fails to submit the documents and relevant information required for compliance, on the basis of the provided documents, the employee suspects acts of money laundering or terrorist financing.

18.3.EasyEX OÜ is obliged to terminate the business relationship in an extraordinary manner without prior notice if the person participating in the transaction or the customer, despite relevant requests, fails to submit the documents and relevant information required or fails to present data and documents proving the legal origin of the funds used in the transaction, or if the Company suspects money laundering or terrorist financing.

18.4.It is prohibited to enter into a business relationship or enter into a transaction with a person whose bearer shares or other bearer securities represent more than ten (10) per cent of the capital.

18.5.In case of refusal to enter into a transaction or to establish a business relationship and in the event of an extraordinary termination of the long-term agreement underlying the business relationship, the responsible employee must record and retain an explanation of the more specific circumstances of the refusal or cancellation and other information on which the notification obligation is based in accordance with procedure of collection and storage of data.

18.6.If EasyEX OÜ refuses to establish a business relationship or enter into a transaction or extraordinarily terminates the long-term agreement on which the business relationship is based on the grounds above, instruction and the person has transferred funds to EasyEX OÜ ́s account then the Customer ́s assets may only be transferred to the Customer ́s own account which is opened in a credit institution registered or domiciled in a Contracting State of EEA or in a country whit requirements equivalent to those of Directive 2015/849 of the European Parliament and Council.

18.7.In exceptional cases, the property may be transferred to an account other than the Customer ́s own account. In such cases the FIU must be notified at least seven (7) workdays in advance and provided that the FIU does not give different orders.

19.APPLICATION OF INTERNATIONAL FINANCIAL SANCTIONS
19.1.The Company defines the subject of an international sanction as a natural or a legal person,

institution or any other form of entity that is directly named in the law establishing or enforcing the international sanction and in respect of which the measures provided for in the law imposing the international sanction are taken.

19.2.The Contact person appointed by the Management Board of EasyEX OÜ is the person responsible for the implementation of the international financial sanctions and observe their implementation.

19.3.The management of EasyEX OÜ or another person authorized for this purpose shall forward the contact details of the Contact person to the FIU with the reasonable time of notification.

19.4.Upon adopting guidance in the Company regarding international financial sanction, all involved employees shall take measures to comply with the obligations arising therefrom and shall exercise due diligence to ensure that the objective of the international financial sanction is achieved and to prevent any breach of the sanction.

19.5.The Contact person shall pay special attention to the activities and circumstances of a person who has a business relationship with EasyEX OÜ or is performing a transaction or act, as well as a person who intends to establish a business relationship or perform a transaction or act.

19.6.If the responsible employee has a suspicion or knows that a person in a business relationship with EasyEX OÜ or performing a transaction or act, as well as a person planning to establish a business

relationship or a transaction or act, is subject to international financial sanction, the employee shall

immediately inform the Financial Intelligence Unit of the measures taken.
19.7.If a person with the established relationship with EasyEX OÜ or performing a transaction or act,

as well as a person planning to establish a business relationship or a transaction or act refuses to provide requested additional information or it is not possible to identify whether the person is the subject of an international financial sanction, the person responsible shall notify the Contact person, who shall take the measures provided for in the legislation establishing or implementing the international financial sanction and shall immediately notify the Financial Intelligence Unit of the suspicion and the taken measures.

19.8.The Contact person is required to regularly monitor the official portal of the Financial Intelligence Unit at https://www.politsei.ee/en/organisatsioon/rahapesu/finantssanksioon- subjekti-otsing-ja- muudatused-sankcijuide-nimekirjas/ to monitor for changes in the list of subjects of financial sanctions and legislations imposing financial sanctions. The Contact person shall immediately take the measures provided for in the law establishing or implementing the international financial sanctions in order to ensure the achievement of the objective of international financial sanctions and to prevent violations of international financial sanctions.

19.9.Upon entry into force, amendment, revocation or expiry of legal acts establishing or implementing an international financial sanction, the Contact person or a person authorized by the Contact person shall immediately check whether a person in a business relationship with EasyEX OÜ or performing a transaction or act, as well as a person planning to establish a business relationship or perform a transaction or act, is the subject of an international financial sanction against which the financial sanction is established, amended or terminated.

19.10.The responsible employee shall pay attention to the factors that possibly could distort personal data. The following errors or differences in the translation or processing of personal data and names may lead to personal data being distorted:
19.10.1.transcription of foreign names, including differences in the Latinization of Slavic and

Scandinavian names;
19.10.2.a different order of words in a name or title consisting of several words, e.g., AS TOOMAS

RAMM or RAMM TOOMAS AS;
19.10.3.replacement of letters with accents (letters with dots or accents) with other letters or their

(partial) omission;
19.10.4.replacing double letters with one (and vice versa) e.g., METAL or METAL; 19.10.5.replacement of the letters F, Š, Z, Ž, C ... with other letters or letter compounds,e.g., FARMA

or PHAR-MA, CRISTAL or KRISTAL;
19.10.6.Replacement of foreign letters W, Q, X, Y ... with other letters, e.g., WOX QYIT or VOKS

KÜIT.
19.11.Replacement of double letters and foreign letters with other letters or their (partial) omission:

19.11.1.use of abbreviations;
19.11.2.spelling numbers in the text, e.g., 2 FAST 4 YOU or TWO FAST FOUR / FOR / YOU; 19.11.3.use / non-use of adjectives and prepositions (letters, appendixes);
19.11.4.other factors:
19.11.5.errors due to human error;
19.11.6.switching between loud and soft sounds, e.g., AS GAASI KÜTE or AS KAASI GÜTE; 19.11.7.the presence of a name or part of it within or as part of another name.

19.12.The Contact person appointed by the Management Board shall collect and store the following data for a period of five years:

19.12.1.time of inspection;
19.12.2.the name of the person who inspected; 19.12.3.the results of the inspection; 19.12.4.measures taken.

19.13.The Company determines imposing sanctions and reporting in regard to them in Annex 3 of this document.

20.OUTSOURCING OF ACTIVITY
20.1.EasyEX OÜ may outsource the obligation of identity establishment to a third party who is:

20.1.1.an obliged entity within the meaning of the RahaPTS;
20.1.2.an organization, association or a union of which the obliged entity within the meaning of

RahaPTS are members; or
20.1.3.another person who applies the due diligence measures and data retention requirements

provided for in the RahaPTS and who is or is prepared to be subject to anti-money laundering or financial supervision in a Contracting State of the European Economic Area with regard to compliance with the requirements.

20.2.The Company does not outsource activities to a person established in a third country with a high risk.

20.3.Activities shall be outsourced only from third parties:

  1. 20.3.1. who have the necessary knowledge and skills;

  2. 20.3.2. have prerequisites for the acquisition of such knowledge;

  3. 20.3.3. skills and who are able to perform the obligations prescribed in the RahaPTS and the

Guidelines.
20.4.Upon outsourcing, EasyEX OÜ notifies the third party of all laws, other legislation issued on the

basis of law, the relevant instructions of the Financial Inspection and the Financial Intelligence Unit and the requirements arising from the Instructions and reserves the right to check for compliance with the above-mentioned. EasyEX OÜ reserves the right to cancel the contract entered into with the third party in the event of deficiencies in the performance of its duties.

20.5.If necessary, EasyEX OÜ shall provide third party (and its employees) training in the prevention of money laundering and terrorist financing, which shall be conducted by the responsible employee or another expert in the relevant field appointed by EasyEX OÜ. EasyEX OÜ may allow a third party (and its employees) to participate in the training organized for the employees of EasyEX OÜ if the parties agree on it. If the need to train a third party in the field of prevention of money laundering and terrorist financing is small, EasyEX OÜ must explain to the third party at least the requirements set out in the Instruction and notify the third party if the Instruction are amended, international practice or legislation changes.

20.6.The assessment of both the suitability of the third party and the need for training shall be based on its normal professional and economic activities and the main duties, education and other circumstances of the third party or its staff that may indicate a person's lack of knowledge or ability to perform outsourced activities.

20.7.EasyEX OÜ shall outsource its activities only in a manner that does not harm the legitimate interests of itself or its customers, its own activities or the performance of its obligations under the RahaPTS and these Instructions, as well as the exercise of State supervision over it. The outsourcing of EasyEX OÜ tasks shall be guided by at least the following conditions:

20.7.1.The managers of EasyEX OÜ cannot delegate their responsibilities upon outsourcing to any party;

20.7.2.The outsourcing must not harm the interests of EasyEX OÜ customers and the relations with the customers and the obligations to the customers may not change due to the outsourcing;

20.7.3.The outsourcing must not be in conflict with the conditions that EasyEX OÜ must meet in order to obtain an activity license and remain in compliance with the activity license;

20.7.4.The outsourcing may not revoke or change any other conditions on the basis of which the license of EasyEX OÜ was granted.

20.8.In order to outsource the activities, EasyEX OÜ enters into a written agreement with a third party, which ensures:

20.8.1.thattheoutsourcingofactivitiesdoesnothindertheactivitiesofEasyEXOÜorthefulfillment of the obligations provided in the RahaPTS or the Guidelines;

  1. 20.8.2. thatthethirdpartyfulfillsallobligationsofEasyEXOÜrelatedtotheoutsourcingofactivities;

  2. 20.8.3. that the outsourcing of activities does not prevent the supervision of EasyEX OÜ;

  3. 20.8.4. thattheFIUisabletosupervisethepersonperformingtheoutsourcedactivitythroughEasyEX

OÜ, including through an on-site inspection or other supervision measure;
20.8.5.the existence of the necessary knowledge and skills of the person performing the activity and

the ability to meet the requirements provided for in the RahaPTS and the Guidelines;
20.8.6.therightofEasyEXOÜtocheckcompliancewiththerequirementsprovidedinRahaPTSand

the Guidelines without restrictions.
20.9.Preservation of documents and data collected for the fulfillment of the requirements arising from

the RahaPTS and the Guidelines and, upon request of EasyEX OÜ, immediate transfer or submission to the competent authority of copies of documents or other relevant documents related to the identification of the Customer and its beneficial owner.

20.10.Upon identification, the third party shall immediately notify the Contact person of the suspicion of money laundering and terrorist financing, who shall notify the Financial Intelligence Unit accordingly. 20.11.In performing the duties delegated to it, the third party is obliged to apply the due diligence measures set out in the Instructions and the data collection and storage requirements, which are also

applied by the responsible employee of EasyEX OÜ.
20.12.These Instructions shall be applied by the third party to whom the activity has been delegated on

the same basis as the responsible employee. The third party (or its employees) confirms the reading of

the Instruction with a signature.
20.13.Information on the conclusion and cancellation of a contract for the outsourcing of activities must

be made available to the Financial Intelligence Unit in advance. When transmitting information, the obliged entity shall, inter alia, indicate the extent of the outsourced activity. At the request of the Financial Intelligence Unit, the obliged entity shall submit a contract for the outsourcing of activities.

21.PROCEDURES ON DATA COLLECTION AND RETENTION 21.1.Retention of Collected Data

21.1.1.The responsible employee shall store the data and documents used to establish the identity of the Customer in such a way that they can be reproduced in writing at least to the following extent:

  • first and last name of the person;

  • personal identification code or date and place of birth;

  • residential address (actual residence of the person, mailbox number is not acceptable);

  • citizenship;

  • activity profile, profession or field of activity;

  • means of communication (telephone number and e-mail address);

  • whether the person is a politically exposed person or a person close to him or her;

  • information on all actions taken to identify the beneficial owner of the transaction or customer;

  • the name and number of the document used to establish and verify the identity, the date of

    issue and the name of the issuing authority;

  • a copy of the document used to establish identity;

  • the manner, time and place of submission or updating of data and documents;

  • other personally identifiable information collected and an indication of whether the

    information was collected for the purpose of establishing a business relationship, including in connection with the opening of an account, or for the use of another service that does not require account opening;

  • information about the circumstances of refusal to establish a business relationship or a transaction or termination of a business relationship;

  • circumstances of refusal to enter into a transaction or establish a business relationship at the initiative of the customer, if the waiver has been related to the application of due diligence measures;

  • the name and job title of the employee who identified, verified or updated the information.

21.2.Registration of data

21.2.1.The content of the transaction or operation as well as the time or period of the transaction or operation shall be recorded for all transactions or operations. Upon identification and verification of the information provided, the relevant action shall be recorded as of the date or period of verification

21.2.2.The following shall be registered for the transaction:

  • when opening a virtual currency wallet, its type, number and essential features of the currency;

  • the date of the transaction and a description of the content of the transaction (amount of the

    transaction, currency, basis / explanation).

21.2.3.EasyEX OÜ registers and stores the following additional information:

  • all identity verification data and documents collected in the course of establishing a business relationship, including questionnaires and e-mail correspondence, including information on all operations performed to identify the actual beneficiary of the customer;

  • information on cases where it was not possible to apply due diligence measures by means of information technology;

  • the results of checks carried out to identify politically exposed persons;

  • the results of inspections of the subjects of international financial sanctions;

  • data and documents collected in the course of business relationship monitoring and transaction

    monitoring, including e-mail correspondence;

  • documents and explanations proving the source of funds used in the transaction;

  • the date of the transaction and a description of the content of the transaction;

  • the circumstances in which the person withdrew from the transaction because he or she was

    subject to due diligence measures;

  • the circumstances due to which the transaction was refused;

  • information and circumstances regarding cases where the transaction was refused because due

    diligence measures could not be applied;

  • information and circumstances regarding cases when the business relationship was terminated

in an extraordinary manner without observing the notice period;

  • when opening a virtual currency account, the essential characteristics of the account type,

    account number and currency;

  • information on making an electronic request to the database of identity documents and an audio

    and video recording of the procedure for identification and verification of identity;

  • information on suspicious or unusual transactions or circumstances of which the FIU was not

    notified.

21.3.Method and duration of data retention

21.3.1.The data listed above shall be stored electronically in a manner that allows for an exhaustive and immediate response to inquiries from the FIU or other supervisory authorities, investigative bodies or courts in accordance with legislation, including whether EasyEX OÜ has or has had the business relationship with the person named in the request during the previous five years and what the nature of that relationship is or was.

21.3.2.Data on the business relationship (incl. correspondence related to the application of due diligence, documents collected during the monitoring of the business relationship, and data on suspicious or unusual transactions or circumstances that were not reported to the FIU) shall be kept for five years from the end of the business relationship.

21.3.3.Data on a transaction shall be kept for five years as of the conclusion of the transaction. 21.3.4.The documents and data on which the notification obligation is based shall be stored for at least five years after the fulfillment of the notification obligation, the proper registration of the respective information and documents shall be ensured and the Contact person of EasyEX OÜ

shall be responsible for the storage.
21.3.5.The time of the inspection of the subjects of the international financial sanction, the name of

the person performing the inspection and the results of the inspection shall be recorded and kept

for five years as of the performance of the inspection.
21.3.6.EasyEX OÜ shall ensure the deletion of the collected data after the expiry of the term of their

storage, unless a longer term of storage arises from law, other legislation or a precept of supervision. Data relevant to the prevention, detection or investigation of money laundering or terrorist financing may be kept for a longer period, but not more than five years after the expiry of the initial period, by order of the competent supervisory authority.

21.4.Protection of personal data
21.4.1.The data collected during the establishment of a business relationship and during it shall be

used only for the purpose of preventing money laundering and terrorist financing and for fulfilling the obligations provided by RahaPTS and shall not be used in any other way or for purposes not provided for in this Procedure.

21.4.2.Beforeestablishingabusinessrelationship,informationconcerningtheprocessingofpersonal data by EasyEX OÜ shall be provided to the potential Customer. This information includes general information on the obligations of EasyEX OÜ in the processing of personal data for the purpose of preventing money laundering and terrorist financing.

21.4.3.EasyEX OÜ shall apply all personal data protection rules provided in the General Data Protection Act when applying the requirements arising from this Procedure.

22.REPORTING OBLIGATION PROCEDURES
22.1.In a situation where circumstances appear in the relationship with the Customer that are unusual or

in which the employee of EasyEX OÜ has a suspicion of money laundering or terrorist financing, the Contact person appointed by the Management Board of EasyEX OÜ shall be notified immediately. The Contact person must report the FIU immediately, but not later than within two working days as of the detection of the suspicion of money laundering.

22.2.Among other things, the FIU must be notified if the establishment of a business relationship or the conclusion of a transaction has been refused or has been terminated due to a refusal or failure to provide information necessary for the application of business due diligence measures, regardless of the relevant requirement.

22.3.The FIU shall also be notified in accordance with the procedure if the following circumstances occur:

22.3.1.the establishment of a business relationship, transaction or act or provision of a service is cancelled because of the suspicion of money laundering or terrorist financing or not sufficient application of the due diligence measures;

22.3.2.theestablishmentofabusinessrelationshiportheconclusionofatransactionisrefuseddueto the impossibility of applying due diligence measures;

22.3.3.the establishment of a business relationship or the conclusion of a transaction is refused because the person's capital consists of the bearer's shares or other bearer securities;

22.3.4.thecustomerdoesnotsubmit,despitetherelevantrequest,documentsandrelevantinformation or data or documents proving the source of funds that is the object of the transaction, or on the basis of the submitted data and documents there is a suspicion of money laundering or terrorist financing.

22.4.The main conditions to be followed in analyzing suspicious and unusual transactions are following:

  1. 22.4.1. Is there a suspicious circumstance in the acts, transactions or other circumstances?

  2. 22.4.2. Is EasyEX OÜ convinced that it knows the Customer to the necessary extent or is it necessary

to collect additional information about him?
22.4.3.EasyEX OÜ must make sure that it has complied with the prescribed procedure when

performing a transaction or operation to establish the identity of the Customer or its representative. Was all the necessary information provided or was the data incomplete, did the data need to be requested or otherwise specified?

22.4.4.Find out if there have been repeated occurrences of suspicious transactions.
22.5.The collection of information means the collection of all suspicious or unusual messages received from EasyEX OÜ employees, agents (if any) and contractual partners and the systematization and

analysis of the information contained therein.
22.6.The main factors to consider when analyzing suspicious and unusual transactions are:

22.6.1.what is the suspicious circumstance in the transactions or other circumstances;
22.6.2.whether the employee of EasyEX OÜ is convinced that the knowledge about the Customer meets the necessary extent, or it is necessary to collect additional information about the Customer; 22.6.3.the responsible employee must make sure that the prescribed procedure has been complied with when performing the act of establishing the identity of the Customer or his/her representative. It must be ascertained whether all the necessary information was provided or whether additional information had to be requested or otherwise specified and to clarify whether there have been

repeated occurrences of suspicious activities.
22.7.The Management Board of EasyEX OÜ shall have a form that can be reproduced in writing all

notices received from employees about suspicious and unusual transactions, as well as information

and other related documents collected for analysis of these notices and reports sent to the FIU.
22.8.It is not allowed by any means notify the customer or a person participating in the transaction (incl. customer ́s representative and other related persons) about whom the Financial Intelligence Unit is

informed of the suspicion.

23.FIU CONTACT PERSON (AML COMPLIANCE OFFICER)
23.1.An employee of EasyEX OÜ who meets the requirements for a Contact person according to

RahaPTS shall be appointed as a Contact person.

  1. 23.2. The Contact person reports directly to the Management Board of EasyEX OÜ.

  2. 23.3. The tasks of the Contact person are:

23.3.1.organizingandanalyzingthecollectionofinformationreferringtounusualorsuspectedmoney laundering transactions or terrorist financing in the activities of EasyEX OÜ;

23.3.2.forwarding information to the Financial Intelligence Unit in case of suspicion of money laundering or terrorist financing;

23.3.3.once in 6 months submission of written reviews to the Management Board of EasyEX OÜ on compliance with the Instructions;

23.3.4.performance of other obligations assigned to the Contact person by the Instructions or by any law.

23.4.The Contact person is guaranteed access to the information that is the basis or prerequisite for establishing a business relationship, including information, data or documents reflecting the identity of the Customer and Customer ́s economic activities.

23.5.The Contact person has the right to:
23.5.1.makeproposalstotheManagementBoardfortheamendmentandsupplementationoftherules

of procedure containing the requirements for the prevention of money laundering and terrorist

financing and for the organization of training;
23.5.2.require the structural units to eliminate the deficiencies identified in the compliance with the

requirements for the prevention of money laundering and terrorist financing within a reasonable

time;
23.5.3.receive the data and information necessary for the performance of the duties of the Contact

person;
23.5.4.make proposals for the organization of the process of submission of suspicious and unusual

notifications;
23.5.5.receive training in the field.

24.TRAINING OBLIGATION
24.1.The Management Board shall provide training on the performance of the obligations arising from

RahaPTS to employees whose duties include the establishment of business relationships or the conclusion of transactions, which shall take place when the employee starts performing these duties and thereafter on a regular basis or as required.

24.2.The training shall provide, inter alia, information on the responsibilities set out in this Instruction, state-of-the-art methods and risks of committing money laundering and terrorist financing, personal data protection requirements, how to identify possible money laundering or terrorist financing

activities, and instructions on how to deal with such situations.
24.3.As per outsourcing policies, the Company can involve specialized third parties with the relevant

knowledge, experience and official acknowledgment (in form of certification etc.) into training

process to provide employees with the extensive knowledge.
24.4.The Contact person shall introduce the Instructions to the new employee who must be trained

within at least one week as of the commencement of employment. The employee confirms the reading

of the instructions with his/her signature.
24.5.The task of the Management Board is to ensure the annual training of employees. The exact time

and place of the training is determined by the board. The time between two trainings shall not exceed

12 months.
24.6.The Management Board may ask the Contact person to conduct the training. The board may also

invite another person who has sufficient knowledge to conduct the training as a trainer. The Contact

person has the right to submit proposals to the Management Board regarding the training providers. 24.7.Upon the proposal of the Contact person, the Management Board may organize trainings more frequently, in particular to introduce and explain the innovations arising from the change in RahaPTS,

changes in technological and software solutions, international sanctions etc.
24.8.The Management boardshould arrange additional trainings in case of change in the Company’s IT systems, implementation of new products and services, in case of involving new third-parties whose involvement can create any changes in the ordinary workflow and process related to anti-money

laundering and terrorist financing.

25.EMPLOYEE PROTECTION
25.1.EasyEX OÜ shall establish an appropriate system of measures to ensure that employees and

representatives who report suspected money laundering or terrorist financing or a breach of RahaPTS to EASYEX OÜ can do so anonymously and are protected from threats by other employees, members of the management body or customers. or hostile acts and unfavorable or discriminatory treatment at work.

26.PROCEDURES FOR INTERNAL CONTROL
26.1.Internal control is aimed to ensure the control of compliance with the instructions and procedures

regulating the prevention of money laundering and terrorist financing approved by the Management

Board of EasyEX OÜ.
26.2.The Management Board of EasyEX OÜ is responsible for compliance and updating of instructions

and procedures with legislation and supervision instructions. The Management Board shall review the

instructions and procedures at least annually and update them as necessary.
26.3.At least once a year, the Contact person shall check the work of the responsible employees in complying with the requirements arising from the procedures related to money laundering and terrorist

financing:

  1. 26.3.1. identification and verification of identity (incl. by means of information technology);

  2. 26.3.2. conducting video interviews and using online verification tools;

  3. 26.3.3. identifying and verifying the right of representation;

  4. 26.3.4. identifying the actual beneficiaries;

  1. 26.3.5. identifying politically exposed person;

  2. 26.3.6. identifying the subjects of sanctions;

  3. 26.3.7. when registering data;

  4. 26.3.8. identifying the source of funds;

  5. 26.3.9. identifying suspicious and unusual transactions and complying with the reporting obligation;

26.3.10.collecting and storing information and documents; 26.3.11.monitoring the business relationship.

26.4.The internal control report prepared by the Contact person shall contain at least the following information:

  1. 26.4.1. the purpose of the internal control;

  2. 26.4.2. the time of the internal control;

  3. 26.4.3. the name and official title of the internal control body;

  4. 26.4.4. a description of the inspection performed;

  5. 26.4.5. an analysis of the internal control results or the general conclusions of the inspection carried

out.
26.5.If the internal control reveals deficiencies in the Instructions or its practical application, the internal

control report shall be accompanied by descriptions of the deficiencies together with an analysis of the possible risks associated with it. It also sets out the time to rectify the deficiencies, the measures to be taken to remedy the deficiencies and the time to carry out the follow-up.

26.6.When performing an ex-post internal control, the internal control report shall be accompanied by an analysis of the results of the ex-post internal control and a list of the measures used to eliminate the deficiencies, indicating the time actually spent to eliminate the deficiencies.

26.7.In order to ensure proper compliance with the Instructions, the Management Board of EasyEX OÜ undertakes to ensure sufficient resources for the implementation of internal control procedures, to ensure the regularity of these activities, to assess the training needs of employees, to assess inspection reports submitted to the Management Board and to take measures to eliminate deficiencies.

ANNEX 1
CHARACTERISTICS OF SUSPICIOUS AND UNUSUAL TRANSACTIONS

The Company in the course of setting up internal rules, determines the below STR and UTR characteristics as valuable for assessing during Company’s business activity, and focus only on those which directly or indirectly can influence business relationship with customers. The Company does not deal with loans and credits, cash withdrawals, bank services, issuing debit or credit cards, actions with movable and immovable property, lotteries and other betting activities, insurance services and pension funds.

However, Company finds it reasonable to make the responsible employees acquainted with some of the STR and UTR characteristics that may directly or indirectly influence business relationship of Company with customers.

The Company’s responsible employees can meet the described indicators not related to virtual currencies in course of conducting due diligence in the following cases:

  • When analyzing legal entities in case of decision to establish business relationship with those;

  • When analyzing in course of enhanced due diligence source of wealth and financial background of the customer;

•When analyzing economical reasonability of the requested transactions with virtual currency from the customers to understand customer’s request and justification of transactions etc.

A. STR or suspected money laundering or other money laundering-related criminal offense (reasonable suspicion) - it is prohibited to enter into a transaction or establish a business relationship.

STR INDICATORS

1. Suspicion of money laundering during the establishment of a business relationship / conclusion of a customer agreement.

1.1. A person is previously known or has a suspicion of money laundering during implementing the due diligence:

- It has been known in the past or by checking his or her background in establishing a business relationship that the person has engaged in money laundering or other criminal offenses and other indications of a negative background that significantly increase the risk of purposes.

- During the due diligence, suspected that a business relationship is being established for the purpose of committing criminal activities, money laundering or other criminal offenses.

- Prior information received from law enforcement about suspicious transactions.

1.2. Doubt as to the veracity of the information provided by the person:

- There are grounds for suspecting that the person has provided forged documents about himself or herself or the principal, incorrect or incomplete material information or concealed the actual beneficiaries of the principal.

- The person unreasonably uses assistance in answering simple questions.

- The person is not acting in his or her own name or is under the control of a third party.

- The person's behavior is monitored or otherwise controlled remotely.

- There is a suspicion that the person is acting on behalf of someone else.

- There is a suspicion that a person is trying to establish a business relationship with an invalid power of attorney or identification document.

- Suspected forgery of documents submitted.

- The business model presented by the person is not understandable and justified, and as a result there is a suspicion that the purpose of establishing a business relationship or occasionally a transaction is to commit money laundering or other criminal activities.

1.3. Impossibility of performing due diligence measures:

- It is not possible to identify or verify identity or right of representation.
- The person refuses to provide additional information or requested documents. - It is not possible to identify the actual beneficiary.
- Bearer securities representing the person, or the capital represented.
2. When performing transactions
2.1. Suspected money laundering in a cash transaction:

- A case in which a person with whom no business relationship has been established pays in cash in the amount of more than EUR 10,000 into another person's account or sends cash through a payment institution abroad to another person's account without a credible explanation or tries to remain anonymous.

- Rapid cash withdrawals on a large scale, compared to normal activities that are not in line with economic interests or the normal activities of a particular person. It is possible to use several bank cards at an ATM or payment institution.

- As a result of monitoring the transactions, there is a suspicion that the person provides a so-called money defrost service for at least EUR 100,000.

- The person refuses to answer the question about the origin of the property and the purpose of the transaction.

2.2. A person is previously known or has a suspicion of money during due diligence:

- It is known that a natural person has engaged in money laundering or related criminal offenses or there are other indications of a criminal background, and the transaction also raises suspicions of money laundering.

- A person with a suspected criminal offense sells real estate, movable property or securities (including company shares).

- Suspicion has arisen during the implementation of due diligence measures and the transaction indicates money laundering.

2.3. Suspicion of money laundering during due diligence against a transaction partner of a person in a business relationship or occasionally wishing to enter into a transaction:

- A transaction partner of a person in a business relationship or a person who occasionally wishes to make a transaction is a person who is known to be involved in criminal groups or on the person's website or other public data referring to the provision of criminal services.

- The other party to the transaction or its bank is a shell bank.

- In the case of an unusual transaction, it is not possible to apply due diligence measures to the business partner's business partner.

- The transaction with real estate is anonymous - the transaction is performed by lawyers - the participating account is a lawyer's deposit account, the buyer is a non-resident legal entity.

2.4. Suspicion of money laundering in connection with transactions in accounts:

- In the case of an incoming payment of more than EUR 1,000, the name of the payee does not correspond to the name of the account holder and the transaction is suspected of money laundering.

- It is known in advance or there is reason to believe that the money in the account was obtained because of a criminal offense.

- Doubts about a network of accounts aimed at obscuring the origin of assets.
- The incoming payment was revoked due to a suspected criminal offense.
- Incoming payment of more than EUR 32,000 for a natural person and more than EUR 100,000 for a

legal person, there is no explanation of the payment, or the nature of the transaction and the person does not provide sufficient explanations or documents.

- Payments are made repeatedly between legal entities with the same explanation, for example referring to the same contract, which is not viable, and the nature of the transaction is not clear from the explanation, or the person does not provide sufficient explanations or documents.

- The account of the person in the business relationship has the characteristics of a so-called transit account.

- The company's transactions have the characteristics of providing financial services, but there is no necessary activity license and the place of provision of the service is Estonia.

- The service provided is used by an unauthorized person (the service is used with a false identity or the user IDs, passwords issued to the person are misused).

- There are signs of a money laundering scheme.

2.5. The person does not submit explanations or documents regarding the transaction to the extent necessary for the performance of due diligence measures or the submitted information is not viable:

- The person's transaction is in doubt or the transaction is sufficiently unusual to request additional information and documents about the transaction and the origin of the property. The person refuses to provide explanations or documents, or his / her explanations are not viable, or the documents show a suspicion of forgery.

- The decision of the foreign civil court or arbitral tribunal under which the transfers are made is not viable or is likely to be fictitious.

2.6. Assessing the circumstances of a person's transaction, having a suspicion that the property which is the object of the transaction is the object of money laundering:

- A person with suspected limited legal capacity sells his or her valuable movable or immovable property significantly cheaper than the market price.

- The full price of the property is paid by the offshore company.

- A company whose beneficial owners cannot be unambiguously identified purchases shares in an existing company to the extent that it ensures control over that company.

2.7 Suspicion that the object of the transaction is fraudulent or used for money laundering (misleading transactions):

- A person's explanations of the content of his or her unusual transaction indicate participation in a known fraudulent scheme (fake lottery, pyramid scheme, huge inheritance, social scams, high-income investors, takeover of e-mail traffic, etc.).

- A person donates / transfers / transfers his or her property to an NGO or foundation whose activities are known to the public to be fraudulent.

- The person refuses to return the money withdrawn due to the suspicion of a crime.

2.8 Suspicion that the property or service that is the object of the transaction (e.g., provision of technical assistance) is related to strategic goods:

- Transactions in strategic goods without a license or the provision of services (including intermediation, technical assistance) to support such transactions. Also, other transactions prohibited by the Strategic Goods Act, except for weapons of mass destruction.

B. UTR–Unusual Transaction Notification - The transaction may be completed, but a notification may be submitted to the FIU

UTR INDICATORS

1. When identifying a customer, product or service contract

- Unusual circumstances in identifying a customer or service / product contract that indicate possible criminal intent or misrepresentation.

1.1 The person is previously known, or circumstances have become known during the due diligence that allow to doubt the person's reliability:

- The identity of the person is known in advance or arises during the implementation of due diligence measures.

- The legal entity is registered in a jurisdiction where are serious shortcomings in the implementation of national anti-money laundering and anti-terrorist financing measures.

- The number of employees of the legal entity is clearly economically unjustified in view of this activity.

- The person does not want correspondence sent to the home address or the address of the legal entity is a mailbox.

- Documentation to identify the customer and verify the profession or activity is provided by an intermediary who has no clear reason to participate in the transaction.

- The ownership structure of a legal entity is not transparent.

1.2 A person behaves abnormally:

- The person's appearance and behavior are not in accordance with the customer's desired business

relationship and / or ordered services.
- The person uses outside assistance to complete the documents or is unable to complete them.

- The person does not know the nature of the activity of the represented person, cannot justify the necessity of the ordered services, contradictions appear in the explanations.

- The person does not know or tries to hide information about the represented person.

- The person is not able to describe his / her potential partners and / or areas of activity.

- The person has an unusually high interest in implementing anti-money laundering measures.

- The person is proposing or trying to avoid due diligence.

1.3 Unusual documents submitted by a person:

- The person provides incorrect or non-existent contact ;

- Legal entity does not have a contact telephone.

- The documents certifying the person's right of representation are invalid.

- The person is using a non-existent address in the documents.

- There are inconsistencies in the documentation of the legal entity or other association.

- The size or date format of the paper in the submitted documents does not meet the standards of the place where the document was made.

- A person applies for unusually high limits that are not commensurate with the person's appearance, ability and experience to operate in the field, the expected turnover or, in the case of a legal entity, the volume of economic activity.

- At the time of concluding the contract, the person has an unusually high interest in the termination of the contract, the amount and probability of payment of the insurance indemnity, if an event of loss occurs soon after the conclusion of the contract.

- The seller requests that the amount received from the sale of the real estate be credited to a third party, unless it involves the performance of a debt obligation of the seller, or a person related to the seller or performance of another obligation specified or agreed in the contract.

- Documentation to identify the customer or to verify the profession / location is provided by an intermediary who has no clear reason to participate in the operation.

- At least one of the parties is in suspicion.

- The person turns to a lawyer or another person providing counseling with a proposal that is money laundering in nature.

- The person asks a lawyer or other person providing advice to introduce himself or herself to financial institution.

- The person wishes to use the account of a lawyer or other legal person for the purpose of depositing or settling money, thereby ensuring his or her anonymity.

- A foreign resident who has no connections with Estonia or who comes from a country or territory with a higher risk of money laundering wishes to use the service of trust funds or companies.

2. Execution of transactions:

- A company with a clear risk of bankruptcy sells its assets for the purpose of defaulting on its obligations to creditors.

2.1. Unusual cash transaction:

- Unusually large depending on the risk-based approach and context, compared to normal operation) cash transaction compared to normal turnover.

- Purchase of financial products with a cash value of more than EUR 10,000 if it does not correspond to the customer's profile or if there is no logical explanation or if the customer is unable to explain / prove the origin of the cash.

- A person wants as much money as possible when exchanging currency (banknotes worth more than EUR 200).

- Exchanging small banknotes worth more than EUR 10,000 for larger ones.

- Exchanging cash worth more than EUR 10,000 from one or more currencies to another without reasonable justification.

- After exchanging more than EUR 10,000 in cash, you will be asked to transfer money to another person or to an account in another country.

- Exchange of damaged banknotes with a value of more than EUR 10,000.
- Purchase of assets worth more than EUR 10,000 in cash without a clear economic justification.
- A person makes a payment in cash below the identification threshold in order to avoid identification. 2.2. Unusual account transaction:
- A single payment of an unusually large amount not corresponding to normal turnover and not sufficiently

substantiated.
- Transaction with an offshore location of more than EUR 10,000 without economic justification.

- The legal entity pays for the various consultancy services that are not economically justified and / or unrelated to the person registered in the offshore area.

- Payment is made through a front company or a bank established in an offshore area.

- The person is paid for the virtual currency in a third-party account (except for a payment service provider or a provider of services related to the exchange and brokering of virtual currencies whose business is to broker such payments).

- There are indications of an unusual transaction in the account that are not mentioned in the instructions, which may indicate illegal activity.

2.3. An unusual transaction in virtual currency:

- The customer buys virtual currencies in one transaction worth more than EUR 32,000.

- A single large purchase or sale of virtual currencies using a service that makes it difficult to identify one or more transactions involving virtual currencies, such as a drum or mixing service (tumbler, mixer).

- A person with a national background (PEP) has bought or sold virtual currencies worth more than EUR 10,000.

- A virtual currency transaction uses the services of intermediaries that guarantee / complicate the impossibility or difficulty of identifying a person (for example, service providers who allow personal data not to be passed on to law enforcement authorities).

- Assets worth more than EUR 32,000 are purchased for virtual currency.

2.4. An unusual transaction in securities:

- The customer pays for the securities in cash, virtual currency or through an offshore account.

- The customer transfers, pledges or lends the purchased securities to a third party.

- Participant securities participating in the transaction.

- Securities transactions where the payment is not made against the person who sold the securities or a person unrelated to that person and there is no logical economic or other viable justification for this.

- Making more and more transactions in securities without a clear economic rationale.
- An unusual transaction in securities, the transaction is not in line with the general practice of transactions

in securities and there is not economically or viable justification for this.

2.5. Unusual transaction:

- The customer authorizes a person unrelated to the legal entity (suspicion of an undercover agent) to enter into a transaction that is different from the usual economic activity, unusual or large-scale.

- The customer provides confusing information about the transaction or changes the explanations or does not know the details about the purpose of this and the origin of the funds used in it.

- The customer is in an unreasonable hurry to complete the transaction.

- The customer changes or wishes to change the transaction after asking for additional documents or additional explanations.

- The person pays for personal consumption needs with a credit and debit card of a legal entity or a government agency or an institution managed by a government agency, or a card that does not have personal data.

- The person declares that the funds must be issued to a third party acting in his name and on his behalf. - The person is trying to make a fictitious transaction.
2.6. Unusual real estate transaction

- Real estate is paid for through a financial institution located in an offshore area or in an area where, according to reliable sources such as peer reviews, reports or published follow-up, effective anti-money laundering and anti-terrorist financing systems are not in place or systems are not implemented.

- A person unrelated to the transaction pays for the real estate or pays a commission. - Real estate is paid to a person not involved in the transaction.

- In a short period of time, a new transaction with the same real estate is made at a significantly different price from the previous transaction, unless it is related to a change in the general real estate price.

- Acquisition of real estate by persons with a national background (PEP) with funds not related to known legal sources of property.

C. UAR–Unusual Activity Message - Customer relationship may continue UAR INDICATORS

Unusual activity–a longer-term activity where the recurrence of circumstances raises suspicion, which under certain conditions may indicate a criminal offense - the act / transaction is completed but reported to the FIU. If there is a reasonable suspicion of a criminal offense, the STR will be notified of the last or ongoing transaction and, if possible, the transaction will be suspended and feedback from the FIU is awaited.

1. Unusual behavior of a person:

- Creating an unreasonably large number of accounts.

- Significant increase in unexpected and unreasonable account limits.

- The customer's lifestyle and expenses do not correspond to his legal income.

2. Unusual cash transactions not related to a person's ordinary course of business:

- The customer often makes cash deposits in excess of EUR 10,000.

- The customer repeatedly makes transfers in cash worth more than EUR 10,000 to a foreign account.

- The customer often makes transfers in cash of more than EUR 10,000 to the account of another person unrelated to him.

- Cash deposits of more than EUR 10,000 by a customer who may be involved in criminal activities.

- The customer visits the safe deposit box immediately before cash deposits of more than EUR 10,000 or after cash withdrawal.

- Frequent deposits to the customer's account are withdrawn via ATM abroad.

- The customer regularly withdraws more than EUR 10,000 in cash from the company's account, which behavior cannot be explained by this person and the general business activities in this field.

- Withdrawal of amounts received in installments at different points of issue (ATMs, offices).

- The customer often buys investment gold for cash.

- A person wants to transfer money to many different parties.

- Cash contributions to a person's account from which loan and lease payments and other property obligations are paid, with or without the usual activity in that account.

3. Characteristics of the provision of unlicensed financial services:

- The person's transactions have the characteristics of providing a financial service, but do not have the necessary activity license.

- The Customer provides a virtual currency service that requires an activity license without holding an activity license.

- An initial coin offering (ICO) essentially meets the definition of a security, but there is no corresponding activity license.

- Transactions with securities without a corresponding activity license / registration.

4. Unusual transactions in virtual currencies:

- The customer purchases virtual currencies in the value of more than EUR 32,000 in several related transactions.

- The customer sells virtual currencies worth more than EUR 32,000 in several consecutive transactions, the origin of the virtual currencies is unknown.

- Regular buying and selling of virtual currencies through intermediaries guaranteeing / making it impossible or difficult to identify a person (for example, service providers who allow personal data not to be passed on to law enforcement).

- Regular buying and selling of virtual currencies using a service that makes it difficult to identify the person making one or more transactions in virtual currencies, such as a drum or mixing service (tumbler, mixer).

5. Unusual transactions on the account:

- The customer often makes large transactions that do not correspond to his legal income.

- A number of unrelated persons make payments to a single account within a short period of time, followed by cash withdrawals or transfers of assets or other activities that do not meet the intended purpose for which the assets were collected.

- There are frequent and unjustified transactions between natural and legal person accounts. - A debit or credit card is used by someone unrelated to the cardholder.
- Frequent purchase or sale of checks that do not match the customer's profile.
- Funds are placed in several accounts, then pooled and transferred abroad.

- An inactive account receives a transfer or series of transfers, followed by frequent cash withdrawals until the funds transferred have been withdrawn.

- Large-scale financial transactions in a company's account are not in a logical business relationship (for example, incoming funds for one group of goods and outgoing funds for another group of goods that are not economically logical or not economically / viable).

- Account activity is contrary to general business practices.

- Frequent expenses of a legal entity for food, accommodation, transport, tourism companies, hotels that are not in line with the company's normal economic activities.

- Payments and receipts made frequently by a person in an amount immediately below the amount involved in the application of due diligence or notification to the FIU.

- The person wishes to divide the transaction into several cash transactions in order not to exceed the threshold for the amount-based notification obligation.

6. Unusual transactions in securities:

- Securities are often used as a means of payment for goods or services. - Transactions in bearer shares are made.

- Acquisition of securities by persons with a national background (PEP) with funds not related to known legal sources of assets.

- The customer directs the funds received from securities transactions to a person unrelated to the person.

7. Unusual currency exchange transactions:

- A non-resident repeatedly exchanges large amounts of the currency of the host country for euros or dollars.

8. Unusual business practices:

- The provision of an accounting service or the auditing of accounts reveals indications of misappropriation of assets.

- A person often turns to different accounting service providers, either for reasons that are unclear or to avoid correct and fair reporting.

- Loans between the company and shareholders are not in line with business. - Examination of the underlying documents reveals business misstatements.

- The company pays invoices to legal entities located in a country where there are no adequate anti-money laundering measures or in the offshore area.

- An enterprise acquires large items of personal consumption if such transactions are incompatible with the enterprise's ordinary course of business or its particular industry.

- Persons with a national background (PEP) or persons associated with them who receive or receive

unusually large amounts by transfer or cash.

- The company is an obligated person within the meaning of RahaPTS but does not perform sufficient due diligence obligations.

- The company is an obligated person within the meaning of RahaPTS but does not comply with the notification obligation.

- The person, with the assistance of or on behalf of a lawyer, wishes to carry out transactions for which there is no economic justification.

ANNEX 2

CASES WHEN TFR MUST BE SUBMITTED

TFR–Terrorist Finance Suspicion Alert

The Terrorist Financing Risk Statement (TFR-1) must be provided when the counterparty (natural person, legal entity or other entity) is associated with the country of risk and there is a risk indicator. The transaction or operation may continue if enhanced due diligence measures are applied. All known risk indicators must be provided as an additional incentive.

  • The execution of a transaction and / or operation shall be supervised by an unauthorized person.

  • Insufficient or viable explanation of the origin of the money.

  • First transaction with a natural / legal person or other entity in a country at risk.

  • Insufficient awareness of the customer about the transaction partner.

  • Unusual transaction with a natural / legal person or other entity in a country at risk.

  • Receipt shall be followed by the systematic withdrawal and / or forwarding of cash.

  • Frequent cash deposit to current account.

  • The transaction contains indications of possible money laundering or other illegal activities.

  • The amount of cash withdrawal or deposit is not in accordance with the previous pattern of behavior

    of a natural or legal person and person cannot provide an exhaustive explanation during the due

    diligence.

  • The nature of the transaction is incompatible with the economic activity of the legal person or other

    entity.

  • The disclosure of the transaction is inconsistent with the economic activities or customary practices of

    the legal entity or other entity.

  • The transaction has an explanation that may refer to the ideology of violent extremism or support for

    or donation of terrorism, or not translatable or comprehensible.

  • The nature of international transactions refers to the pooling and transfer of funds from different

    sources when it is not related to the sale of goods or the rendering of services.

  • Simultaneous or close-to-use of bank cards (additional card) linked to the account in different

    countries or regions, if it is not realistic to physically cover the distance during this period.

  • The customer's bank card / account is linked to the service of another payment service provider (e.g.,

    connection to an international financial services platform).

  • The pattern and volume of transactions of a non-profit association, foundation or other association is

    not in accordance with the field of activity of the non-profit association or the number of its employees

    and / or members.

  • Use of a paying agency or paying agent to send funds to a non-profit association, foundation or other

    entity, an association / organization operating in a country at risk or providing assistance or services

    to persons involved in a country at risk.

  • The IP address of the customer's communication device refers to the country of risk (when making

payments, logging in to the account) or unusual use of the VPN connection, other concealment of

location or identity, or changes unusually often.

  • The transfer party is a credit or financial institution registered in the country of risk or entitled to

    provide services there (for example, a payment institution, a paying agent) or is known to be a user of

    a virtual IBAN account.

  • Establishing a customer relationship and / or a first-time transaction indicates an association with the

    country of risk (e.g., place of birth, address, telephone number, e-mail address, address, IP address).

  • Purchase or sale of virtual currency in cash, regardless of amount.

  • In a transaction in virtual currency, the asset is sent to or received from the country at risk.

  • Use of dark web or mixer transactions for virtual currencies.

  • In the course of applying due diligence measures, the customer refuses to provide additional

    documents, data or information (incl. On the origin of the assets).

  • When establishing a customer relationship, there is doubt as to the accuracy of the identity document

    or the identity document is not legible in the Latin alphabet.

  • Virtual currency monitoring software (block chain analytical tool) refers to the previous movement of

    assets registered or through the platform operating there.

  • Virtual currency monitoring software (block chain analytical tool) refers to the intended transfer of

    assets in a country at risk through a VVTP (platform) registered or operating there.

  • Forwarding of funds derived from virtual currencies to a non-profit association, foundation or other association / organization operating in a country at risk or providing assistance or services to persons

    related to the country at risk.

  • A non-profit association, foundation or other association uses a combination of complex10 chains of

    transactions to conduct transactions (cash, payment institutions, virtual currencies, etc.).

  • Sending funds in virtual currency to a non-profit association, foundation or other association / organization operating in a country at risk or providing assistance to persons related to the country at

    risk.

  • Other cases.

    A suspected terrorist financing alert (TFR-2) must be issued when a suspected indicator is present. The transaction must be suspended until further instructions from the competent authority and the obligated person is prohibited from making any funds available to the customer.

  • The collection, transmission or receipt of funds or virtual currencies by an extremist natural person or by a legal person or organization that supports or conducts violent extremism and / or terrorism. The information comes from the competent authority or is in doubt on the basis of public sources.

  • The collection and / or transfer of funds or virtual currencies to a natural person or an organization that supports or carries out violent extremism and / or terrorism. The information comes from a competent authority or is based on suspicion from public sources.

  • The name of a natural or legal person or other organization passes a criminal case initiated on the grounds of a terrorist offense. The information comes from the competent authority or from public sources.

  • Any other indication of terrorism or terrorist financing. For example, a reference to violence in the explanation of the transaction.

All known risk indicators (listed under TFR-1) must be provided as an additional incentive.

Factors requiring higher attention in relation to TFR are the relations of the customer to the risk countries (stated in the Rules previously).

Relation of the counterparty to the risk country (at least one of the lists):

  • the natural person was born in the country at risk;

  • the natural person has the citizenship of the country at risk;

  • the natural person has a residence in the country at risk or the data on the means of communication

    used (telephone number, e-mail address) indicate a stay in the country at risk;

  • the natural or legal person enters into the transaction through a financial institution of the country of

    risk;

  • the legal person or other association is registered in the country at risk or holds an activity license of

    the country at risk;

  • the enterprise belonging to the same group as the legal person is registered in the country of risk;

  • the member of the management body of the legal person or other association and / or the beneficial

    owner is related to the country of risk.

ANNEX 3

INTERNATIONAL FINANCIAL SANCTION NOTICE

The ISR–International Financial Sanctions Notice–transaction may not be completed without the permission of the FIU.

The role of the indicator is to further subdivide the type of message by specifying the reason for the notification.

ISR INDICATORS:

1. Application of an international financial sanction:

- The subject of the sanction has been identified and the transaction violates the financial sanction, the restriction or prohibition provided by the sanction has been applied.

2. Suspicion of an international financial sanction:

- The person or entity is suspected of being the subject of a financial sanction and the transaction may violate the financial sanction (the restriction or prohibition provided by the sanction has been applied) if it has not been possible to determine whether it is a sanctioned person.

3. Application of activity-based sanction and suspicion of application of activity-based sanction:

- Activity-based financial sanctions - financing of goods, services or financial services, granting of loan and credit, opening and use of deposit, payment, securities or other account, securities transactions, conclusion of insurance contract, investment or activities listed above prohibition of territories, persons and entities, including financing of weapons of mass destruction, etc.

- Restrictions on deposits and cash, including cryptographic wallet, account or custody services - acceptance of deposits up to a certain amount, sale, delivery, transfer or export of cash related to a ban on certain territories, persons and entities, etc.

4. Application of a non-binding international sanction”

- If a person is the subject of a sanction that is not binding on Estonia and the transaction violates a sanction that is not mandatory in Estonia. Estonia is obliged to comply with the sanctions of the United Nations,

the EU and the Government of the Republic. The notifier has applied sanctioning measures, such as refusing a transaction.

5. Application of other types of sanctions (other than financial sanctions) or suspicion of the application of another type of sanction:

- Transport of strategic goods and a service or transaction related to strategic goods, if the prohibition is provided by legislation establishing an international or Government of the Republic sanction or the provision of services (incl. Brokerage, technical assistance) supporting the performance of such transactions.

- Purchase, sale, transport, (re) export, (re) import or service of goods prohibited by international or Government of the Republic sanctioning legislation.

6. Circumvention of an international sanction:

- It is the intentional avoidance or circumvention of a sanction in order to conceal a prohibited activity that makes it impossible or significantly more difficult to detect. There are indications (typologies and signs) of a person's possible evasion of financial sanctions or concealment of a person, but there is no direct link to the application of sanctions. In most cases, this involves attempts to remove or conceal the participation of prohibited locations, entities or persons in a transaction or group of transactions. Circumvention of a sanction can be legal or illegal. Legal circumvention is when the transaction appears to be legally correct and permissible, but there are indications of circumvention, such as a recent change in ownership and control. Illegal circumvention is the deliberate use of undercover agents, altered data, the origin of a disguised person or good, and the end use of a good or service.

In the case of ISR indicators 1–3, the notifier has the right to inform the person about the submission of the notification. This is not allowed for ISR indicators 4-6.

Situation description

Obligation to apply due diligence

Obligation to impose a sanction

Duty to notify

Transaction or operation found to be in breach of the financial sanction

No

Yes, apply the financial sanction

Immediately inform the FIU thereof

Doubt as to the identificatio n of the subject of a financial sanction or a transaction or act in

Yes:

1) collect additional information or the person proposing it is the subject of a financial sanction or the proposed or performed transaction or activity violates the financial sanction and controls it on the basis of additional documents, data or information from a reliable and

Yes, apply the financial sanction

If, as a result of application of due diligence measures, the Company identifies a subject of the financial sanction or that the transaction or act which is planned or carried out by them violates financial

breach of a financial sanction related to him or her

independent source;

2) collect additional information concerning the purpose and nature of the business relationship, transaction or act and verifies it on the basis of additional documents, data or information which comes from a reliable and independent source.

sanctions, or if additional information obtained upon application of due diligence measures does not enable to identify it, as well as in the case of the suspicion of violation of financial sanction, Company shall inform the Financial Intelligence Unit thereof and of the financial sanction applied.

Risk of a transaction or operation violating a financial sanction

Yes:

1) collect additional information or the person proposing it is the subject of a financial sanction or the proposed or performed transaction or activity violates the financial sanction and controls it on the basis of additional documents, data or information from a reliable and independent source;

2) collect additional information concerning the purpose and nature of the business relationship, transaction or act and verifies it on the basis of additional documents, data or information which comes from a reliable and independent source.

Once the risk has materialized into suspicion, the suspicion cannot be ruled out, Company shall inform the Financial Intelligence Unit thereof and of the financial sanction applied.

If the risk has materialized into a suspicion that remains, Company shall inform the Financial Intelligence Unit thereof and of the financial sanction applied.

Suspicion of a transaction or operation violating a financial sanction

Yes:

1) collect additional information or the person proposing it is the subject of a financial sanction or the proposed or performed transaction or activity violates the financial sanction and controls it on the basis of additional documents, data or information from a reliable and independent source;

2) collect additional information concerning the purpose and nature of the business relationship, transaction or act and verifies it on the basis of additional documents, data or information which comes from a reliable and independent source.

If the doubt cannot be ruled out, Company shall inform the Financial Intelligence Unit thereof and of the financial sanction applied.

If the suspicion cannot be ruled out, Company shall inform the Financial Intelligence Unit thereof and of the financial sanction applied.

ANNEX 4

LIST OF SOURCES AND LEGISTATIVE ACTS FOR THE PURPOSES OF THIS RULES OF PROCEDURE ON PREVENTION OF MONEY LAUNDERING AND TERRORIST FINANCING

  • Money Laundering and Terrorist Financing Prevention Act (RahaPTS);International Sanctions Act (RsanS);

  • The common guidelines, on the basis of Articles 17 and 18 (4) of the EU Directives 018/843 and 2015/849;

  • The Estonian National Risk Assessment 2020 of Money Laundering and Terrorism Financing and the Financial Intelligence Unit Guidelines;

  • Guidance on Determining Countries with a higher risk of terrorist financing (risk countries) issued by Financial Intelligence Unit;

  • Guidance on the characteristics of suspicious transactions issued by Financial Intelligence Unit;

  • Risk management of money laundering and terrorist financing and application of due diligence

    measures to the supervised entities of the Financial Intelligence Unit;

  • The Regulation No. 55 of the Minister of Finance of 18 December 2014 “List of Territories Not

    Considered Low-Tax Territories;

  • Directive 2015/849 of the European Parliament and Council;

  • Technical requirements and procedures for identification and verification of data by means of

    information technology of the Minister of Finance of the Republic of Estonia;

  • EU–EU policy on high-risk third countries (https://ec.europa.eu/info/business-economy- euro/banking-and-finance / financial-supervision-and-risk-management / anti-money-laundering-and-

    countering-financing-terrorism / eu-policy-high-risk-third countries_en);

  • UN–Restrictive measures, UN Security Council resolution (https://www.sanctionsmap.eu/#/main);

  • FATF–Jurisdictions under Increased Monitoring (https://www.fatf-gafi.org/publications/high-risk-

    and-other-monitored-jurisdictions),