Anti-Money Laundering and Anti-Terrorism Financing Policy (Lithuania)

System Services are provided, where applicable, by PAYEAN UAB (hereinafter — the Company), company number 306061130, registered at Gedimino Ave., 44A-201, Vilnius, Lithuania, is a registered as Depository virtual currency wallet operator and Virtual currency exchange operator, regulated by the Financial Crime Investigation Service under the Ministry of the Interior of the Republic of Lithuania.

The Company shall comply with the requirements contained in the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania and associated Regulations, as well as the requirements of other laws and regulations to the extent in which they relate to the Company’s operations.

The Company adheres to the policies and procedures outlined in this document (hereinafter – the AML Policy (LT)).

The Company develops this AML Policy, introduces amendments and additions to it at its own discretion, and oversees compliance with its provisions and requirements. The Company also adopts internal policies and procedures to ensure compliance with anti-money laundering and terrorist financing laws.

The current version of the AML Policy is always available on the website at: https://rocken.com/en/aml.

The Customer shall read the AML Policy before accepting the Rocken System Terms and Conditions (hereinafter – Terms and Conditions), published at: https://rocken.com/en/agreement. Acceptance by the Customer of the Terms and Conditions, as well as the performance by the Customer, who previously accepted the Agreement, of transactions in the Rocken System, means the Customer's consent to all the provisions of the current version of this AML Policy (LT).

The Company appoints a designated Compliance Officer (MLRO) to implement and monitor performance of the procedures reflected in the AML Policy. The Compliance Officer is responsible for the direction of the AML Policy, and for ensuring that all existing and future employees and business affiliates of the Company adhere to the policy and procedural standards outlined in this document.

The Compliance Officer is responsible for the collection, analysis, and investigation of information on any suspicious activities and the training of the Company’s employees pertaining to the relevant procedures; the Compliance Officer shall determine the procedures and rules for carrying out Customers’ identification, reviewing and monitoring unusual transactions and technical features of the Company’s implementation of this AML Policy; assessing the adequacy of system resources, including those required to identify and report suspicious and attempted suspicious transactions; ensuring that customer due diligence (“CDD”) and enhanced due diligence (“EDD”) is conducted.

The Company uses specific procedures for identification and verification of Customers.

From Customers who request demo access to Rocken (financial transactions are not available), the Company requests only the name and email address.

In order to get full access to Rocken services, Customers are subject to identification procedure. For the purposes of Customers’ identification, the Company requests the following:

• proof of identity document (passport, driving license, national identity card, etc.);
• proof of address (bank statement, utility bill, etc.);
• phone number verification by receiving a code via SMS;
• requires to undergo a liveness check via KYC service provider.

The Company places transaction limits on all individual transactions. For customers with higher limits, the Company requires that customers provide the additional information and documents to fulfill the enhanced KYC requirements, including, but not limited to, confirmation of source of funds (i.e.: income statement, tax receipt, inheritance proof form, bank statement, etc.). All requests for higher limits are reviewed on a case-by-case basis with a focus on validating source of wealth.

When the Company is required to verify the identity of an individual, the government photo identification document method must be used. The Company relies on valid, current, and authentic photo identification documents (“ID”), issued by a federal, provincial, or territorial government to verify the identity of an individual. An ID issued by a municipal government (either Canadian or foreign) is not acceptable.

The Company does not accept an ID when:

• it does not indicate the individual’s name, or the name that the individual provided does not match the name appearing on the ID;
• it does not have a photo, or the photo on the ID provided does not match the likeness of the individual presenting it;
• the ID does not have a unique identifier; or
• the ID is expired.

When verifying the identity of an individual remotely, the Company relies on a third-party provider that verifies the authenticity of the ID, conducts “liveness testing”, and confirms that the ID belongs to the individual whose identity is being verified.

The Company conducts CDD and EDD procedures to avoid the risk of being held liable and to protect Customers and itself from a Customer’s attempts to use the services for carrying out illegal activities.

As part of the CDD procedures, the Company evaluates Customers’ transactions, as well as collects and stores information on the essential facts pertaining to Customers, potential Customers, and their transactions.

After carrying out the identification procedures pertaining to a Customer, the Company stores the information obtained in this Customer’s file. The Company retains information on potential Customers to whom access to the services was denied due to AML policy and procedures.

The Company is committed to protecting Customers’ privacy rights and the confidentiality of their personal data. The Company collects personal data from Customers only to the extent necessary to ensure the Company is properly providing services to Customers and to comply with the applicable laws. Such personal data of Customers and former Customers may be disclosed to third parties only in a limited number of circumstances, in accordance with the applicable laws and agreements between the Company and the Customer. Privacy Notice is available here: https://rocken.com/en/privacy-notice.

The Company shall carefully maintain at head office Customers’ files, including statements, transaction reports, receipts, notes, internal correspondence, and any other documents related to the Customer in a machine-readable or electronic form for a period of 8 (eight) years as of the end of the Transaction or Business relationship with the Client.

The Company will review the information, data and documents obtained from the Customer together with the risk assessment periodically to ensure that the information and the assessment are up-to-date and remain relevant. The frequency of such reviews shall be determined by the level of risk the Customer poses or at trigger events.

Information about the Customer must be updated according to the following frequency:

• information about the High Risk Clients must be updated periodically and no less than once every 12 months;
• information about the Averager Risk Clients must be updated periodically and no less than once every 24 months.
• information about the Low Risk Clients must be updated periodically and no less than once every 36 months.

When the following, but not limited triggers occurs, AML officer shall also take actions to review and update information on the Customer:

• Client acts unusually or performs Suspicious Activity;
• Client or his Close family members or Close associates are newly identified as PEPs;
• requests from the competent authorities are received;
• when there is a concern arising from the outcome of the internal investigation;
• when there are doubts about the veracity or adequacy of previously obtained identification data of the Client and/or the Beneficial owner and/or the representative of the Client (where applicable);
• in any other case when there are suspicions that the act of ML or TF is, was or will be performed.

The Company conducts and documents a risk assessment of the relationship with the Customer and conducts due diligence measures consistent with the Company’s risk assessment to ensure that enhanced measures are put in place for high-risk relationships.

The Company uses an industry recognized software provider to assist in the risk assessment process. Risk ratings are applied in a manner that is consistent with the Company’s risk assessment.

The Company assigns a risk rating to each customer. A classification of high risk is determined by several factors including transaction type, certain patterns of transaction activity, and customer specific characteristics. Customers are assessed as low risk if they are not assessed as high risk.

All information collected as part of the customer risk assessment, including if a Customer is rated high risk, becomes part of the customer profile.

Excessive risk occurs in situations where the risk of dealing with a certain individual, entity, or customer type is too high for the Company to accept the relationship with the Customer.

Risk ratings are updated on an ongoing and periodic basis and are based on factors that include, but are not limited to:

• transaction activity; and
• characteristics, including PEP and sanctions status.

A reassessment of customer risk may also be triggered by:

• becoming aware of illegal or illicit activities;
• a change in characteristics, including PIN or other risk factors for assessing customer risk; and
• submitting a report to intelligence or enforcement agencies with respect to suspicious transactions or terrorist property.

Company’s monitoring software assists in its ongoing assessment of relationship-based risk by adjusting a customer’s numerical risk score whenever there is a change to the customer information, or as a result of transaction activity. The numeric score is updated for a variety of attributes and related formulas which are associated with higher ML/TF risk in publications issued by FINTRAC and FATF and Company’s risk assessment.

The Company applies various checking and monitoring algorithms to make sure all required CDD procedures are executed in a timely manner, persons with limitations (sanctions list and politically exposed persons screening) are detected, and comprehensive automated online monitoring is carried out.

Financial data analysis includes several major components:

• Monitoring of sanctions lists;
• Monitoring of user activity and user system environment;
• Transaction monitoring;
• Analysis of remaining balances, exchange rate fluctuations and other aspects;
• Tools enhancing manual data analysis possibilities.

The Company applies risk-based approach to define account and transaction risk level. The Company has implemented automated risk assessment system (RAS) to analyse the risk profile of the users and ongoing transactions to prevent illegal and fraudulent activities. However, any significant decisions that may impact the Customer are subject to a manual review.

Transaction monitoring is conducted systematically by the Company’s third-party systems both in real-time and historically by generating alerts for transactions and transaction patterns that meet a series of rules within the system.

The Company understands the importance of identifying and detecting suspicious activity through monitoring and reviewing the activity of customer transactions. The Company has a process for reviewing transactions to identify potentially suspicious activity and takes reasonable measures to identify individuals and entities who conduct or attempt to conduct a suspicious transaction. The Company monitors the transactions for evidence of certain patterns of activity that could be indicative of suspicious activity, such as whether the transactions are consistent with the information known about the Customer or the transactions are demonstrative of known suspicious indicators. Monitoring is also conducted to determine whether a customer’s current risk rating needs to be adjusted. Any financial transaction that may be related to money laundering activities shall be considered to be suspicious activities.

Grounds for determining that a specific transaction is suspicious may be personal observations and experience of the Company’s employees, as well as information received or identified. Suspicious activity includes a transaction that any employee knows or suspects to: involve proceeds from an illegal activity; evade currency transaction reporting requirements; vary significantly from the customer’s normal transactions; a third party gained access to the customer's account or the activities are performed under instructions of a third party; or has no business or apparent lawful purpose and the Company knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

The Company will apply enhanced scrutiny to manually monitor customer transactions, in a manner reasonably designed to detect money laundering and suspicious activity. To identify suspicious transactions, the Company is entitled to perform enhanced due diligence measures and request additional information from the Customer confirming the economic purpose of the transaction and the origin of funds. Any potentially suspicious activity is escalated to the MLRO for investigation. In conducting their assessment as to whether there are reasonable grounds to suspect, the MLRO must consider additional information sources such as the customer’s transaction history, as well as customer characteristics and information that are contained in the customer’s file. If required, the MLRO may elect to contact the customer or employee to obtain additional information about the transaction.

In accordance with the applicable laws of Lithuania and the requirements of international organizations, the Company may, where appropriate and without the obligation of obtaining the Customer’s approval or notifying the Customer, notify regulating and/or law enforcement agencies of any suspicious transactions.

Different requirements for reporting suspicious transactions may depend on the nature and amount of a transaction.

The Company shall continuously conduct due diligence procedures pertaining to its Customers and scrutinize transactions carried out by them to ensure these transactions’ compatibility with the Company’s knowledge of its Customers, their business and, when necessary, their source of funds.

The Company shall comply with the requirements contained in the Lithuania’s legislative measure against terrorists, terrorist groups, and other listed and sanctioned individuals and entities Specific measures vary depending on the relevant legislation, but broadly include:

• prohibitions in dealing with property owned or controlled by any person or entity listed on a government created list, or one created by a relevant regulatory body, of those individuals or entities associated with or suspected of being associated with terrorism (“Designated Persons”);
• prohibitions on providing any financial or related services in respect of property owned or controlled by Designated Persons; and
• prohibitions on entering or facilitating transactions with, or making available property or financial services to, Designated Persons.

The Company does not knowingly enter into transactions with, or provide or assist transfers to, or for the benefit of, governments, entities, charities, organizations, and individuals targeted by required sanctions, including, but not limited to, Canadian anti-terrorism measures and Canadian economic sanctions. To that end, the Company screens its customer database and payments records for the names of Designated Persons.

The Company is required to determine if a customer is a politically exposed person (“PEP”). Reasonable measures to make a PEP determination include:

• asking the Customer if they are a PEP and documenting their response; and/or
• independently confirming the customer’s PEP status by using an industry-recognized database.

The Company does not knowingly enter into transactions with, or provide or assist transfers to, or for the benefit of the Politically Exposed Persons.

The Company uses an external industry recognized software provider for PEPand Sanctions screening, which automatically scans names in the system to find potential name matches.

Scans are conducted at onboarding and every transaction for all names collected as part of that transaction, including counterparties and any known third parties.

The Company shall periodically refer to and consult the lists published by the authorities of the Republic of Lithuania, other countries and international organizations that contain lists of known terrorists or persons suspected of terrorist activities, terrorist organizations, high-risk countries, a limited list of countries subject to the OFAC sanctions, jurisdictions that do not provide sufficient level of anti-money laundering procedures, as well as countries subject to sanctions to determine whether the Company’s Customer or potential Customer, and/or such Customer’s country of jurisdiction is included in the above lists.

The Company continuously conducts check against the Sanctions lists and the lists promulgated pursuant to the laws listed below:

• Criminal Code;
• United Nations Act;
• Justice for Victims of Corrupt Foreign Officials Act;
• Freezing the Assets of Corrupt Foreign Officials Act;
• UN Sanctions;
• Interpol Red List;
• HM Treasury;
• US OFAC Sanctions;
• UK Sanctions;
• EU Consolidated list of Sanctions.

To adjudicate a potential name match, common differentiators such as date of birth or country of origin are compared to identification information collected to determine the veracity of the match. If the match is a true match, any customer funds in possession are held and no transactions are processed (regardless of the status of the transactions) without an evidence-based discount of the match, or written judicial, law enforcement, or ministerial direction.

To perform some services and conduct business activities, the Company uses third-party service providers. The company shall try to determine, during the initial and ongoing due diligence process, to the extent possible whether there are any initiated investigations and filed lawsuits against any such third-party service providers. The company shall also determine whether a third-party provider has obtained all the necessary licenses, permits, and approvals before establishing a business relationship with such third-party service provider.

Regarding its own staff, the Company shall carefully review all candidates for employment and determine whether the activities of a new employee fall in the category that is susceptible to money laundering activities. In addition, the Company has prepared and implements a number of personnel training programs on customer identification procedures and prevention of money laundering activities.

The Customer certifies that he/she has read and understood this AML Policy, and that they shall operate in full compliance with the requirements and standards outlined in the AML Policy and comply with all applicable laws and other regulations and requirements governing its activities as a customer.

The Customer acknowledges that he/she is responsible for his/her actions in accordance with the effective laws in the field discussed in this AML Policy and shall bear responsibility pertaining to failure to comply with such laws.