KYC and AML policy

1. General Framework

This Policy establishes the principles, standards and procedures applied by the Company for the prevention and combating of money laundering ("ML"), terrorist financing ("TF"), and the implementation of international sanctions, in connection with the Company`s activities as a Virtual Asset Service Provider ("VASP").

1.1. Objectives

  • Presentation of the legal and regulatory framework applicable to the Company in matters of AML/CFT/PF.
  • Definition of the Know Your Customer (KYC) measures applied to individual and legal entity customers.
  • Establishment of the rules for ongoing monitoring of business relationships and transactions.
  • Definition of the roles and responsibilities of persons involved in the compliance process.
  • Ensuring a level of transparency toward the Company`s customers, particularly those resident in the European Union, regarding the manner in which their data and documents are processed during the identity verification process.

1.2. Legal Framework

This Policy has been prepared in accordance with the following legal and regulatory framework:

  • Law No. 23 of April 27, 2015 of the Republic of Panama on the prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction;
  • Executive Decree No. 35 of May 5, 2022, approving the implementing regulations of Law No. 23/2015;
  • UAF Resolution No. 02-2019 of the Unidad de Análisis Financiero (Panama Financial Analysis Unit) on suspicious transaction reporting and record keeping for designated non-financial businesses and professions (DNFBPs);
  • Law No. 14/2010 of the Republic of Panama on the criminalization of terrorist financing;
  • The Recommendations of the Financial Action Task Force (FATF), as adopted and applied in Panama;
  • United Nations Security Council Resolutions, including those concerning applicable sanctions regimes;
  • European Union sanctions regulations, applicable to the extent that the Company maintains business relationships with counterparties in the European Union;
  • Regulation (EU) 2016/679 (GDPR), applicable to the processing of personal data of customers resident in the European Union, to the extent that the Company offers them services or monitors their behavior, pursuant to Article 3(2) GDPR.

1.3. Scope

This Policy applies to all activities of the Company and covers:

  • the governing bodies of the Company and its employees, regardless of position, role, or seniority;
  • contractors, subcontractors, consultants, and suppliers involved in the Company`s activities, including Globe Monnaie SRL in its capacity as technical support provider;
  • all customers of the Company, whether natural persons or legal entities, regardless of jurisdiction of residence, subject to the Company`s list of accepted and non-accepted jurisdictions;
  • business partners and other persons through whom the Company conducts business.

1.4. Definitions

  • "Money Laundering" (ML) — any act or omission by which proceeds derived from criminal activity are processed, converted, transferred, or concealed with the intent of disguising their illicit origin and making them appear as legitimate assets, including the three classic stages: placement, layering, and integration;
  • "Terrorist Financing" (TF) — the provision or collection, by any means, directly or indirectly, of funds or other assets, knowing that they are to be used, in whole or in part, to finance a terrorist act, a terrorist organization, or an individual terrorist;
  • "Proliferation Financing" (PF) — the provision of financial support to any person or entity involved in the development, manufacture, acquisition, possession, transport, transfer, or use of nuclear, chemical, biological, or radiological weapons capable of mass destruction;
  • "Customer" — any natural person or legal entity with whom the Company establishes or contemplates establishing a business relationship, or with whom it carries out occasional transactions, including the beneficial owner, the representative, and any person acting on behalf of the customer;
  • "Business Relationship" — the professional, commercial, or financial relationship between the Company and a customer, established with the expectation of duration and recurrence, initiated upon acceptance of the customer following completion of the onboarding process;
  • "Virtual Asset" (VA) — a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes, excluding digital representations of fiat currencies or financial instruments already regulated elsewhere;
  • "Virtual Asset Service Provider" (VASP) — any natural or legal person who, as a business, carries out one or more of the following activities: exchange between virtual assets and fiat currencies; exchange between different forms of virtual assets; transfer of virtual assets; safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
  • "Beneficial Owner" (BO) — the natural person(s) who ultimately own or control the customer and/or the natural person on whose behalf a transaction or activity is being conducted, directly or indirectly. For legal entities, the 25% threshold of share capital or voting rights applies; where no natural person is identified at this threshold, the person(s) exercising effective control through management functions shall be identified;
  • "Politically Exposed Person" (PEP) — a natural person who holds or has held prominent public functions, members of their family, and known close associates. PEP status is maintained for at least 18 months following the cessation of the prominent public function;
  • "Source of Funds" (SoF) — the origin of the specific funds or other assets used in the course of the business relationship or a particular transaction;
  • "Source of Wealth" (SoW) — the origin of the customer`s total net worth and all assets accumulated over time;
  • "Suspicious Transaction Report" (STR) — a report submitted to the Panama Financial Analysis Unit (UAF) whenever the Company knows, suspects, or has reasonable grounds to suspect that a transaction or activity is related to ML/TF/PF;
  • "KYC" (Know Your Customer) — the process of identifying and verifying the identity of the customer;
  • "KYB" (Know Your Business) — the process of identifying and verifying the identity of legal entity customers, their ownership structure, and beneficial owners;
  • "CDD" (Customer Due Diligence) — standard due diligence measures applied to all customers;
  • "EDD" (Enhanced Due Diligence) — enhanced due diligence measures applied to high-risk customers;
  • "SDD" (Simplified Due Diligence) — simplified due diligence measures applied exclusively to low-risk customers, evidenced by a formal risk assessment;
  • "UAF" — Unidad de Análisis Financiero, the Panama Financial Analysis Unit, the competent authority for the prevention and combating of money laundering and terrorist financing;
  • "FATF" — Financial Action Task Force, the international body that sets global standards in AML/CFT/PF;
  • "Compliance Officer" or "MLRO" (Money Laundering Reporting Officer) — the person designated by the Company with supervisory and reporting responsibilities in AML/CFT matters.

2. Governance and Responsibilities

2.1. Compliance Officer (MLRO)

The Company has designated a Compliance Officer (MLRO) with exclusive responsibilities for the implementation of this Policy and the AML/CFT/PF legislation applicable in Panama. The Compliance Officer reports directly to the Company`s executive management and has full authority to block, suspend, or terminate any business relationship or suspicious transaction.

2.2. Role of Globe Monnaie SRL

Globe Monnaie SRL acts exclusively as a technical support provider and holder of intellectual property rights over the Platform. Globe Monnaie SRL does not participate in decisions to accept or reject customers, does not process customers` identification documents except to the extent strictly necessary for maintaining the technical infrastructure, and acts, in this regard, exclusively as a data processor on behalf of the Company.

2.3. Know Your Customer (KYC) Measures

The customer due diligence measures, applied prior to establishing any business relationship, include:

  • identification of the customer and verification of their identity on the basis of reliable and independent documentary, electronic, or other sources;
  • identification of the beneficial owner and, where applicable, verification of their identity using a risk-based approach;
  • understanding the nature and purpose of the intended business relationship and, where necessary, obtaining additional information thereon;
  • ongoing monitoring of the business relationship, including scrutiny of transactions to ensure consistency with the customer`s profile, and updating documents, data, and information on a risk-proportionate basis.

TOKERO performs real-time identity verification of all customers through an automated process that includes identity document verification and liveness detection. This process ensures that the customer`s identity is valid and that the documents provided are authentic. Without completion of this process through the remote identification provider, the Company does not accept any customer.

The customer onboarding process for natural persons and legal entities, including the remote verification process, can be consulted on the website www.tokero.com or directly via the following links:

https://tokero.com/ro/kb/pasii-pentru-deschiderea-unui-cont-tokero-8/ — natural persons and https://tokero.com/ro/corporate/ — legal entities.

TOKERO screens international databases for PEP status, including membership on international sanctions lists, through dedicated third-party providers.

PEP classification also applies to:

  • first-degree relatives of PEPs, the spouse/partner of the PEP, and the spouse/partner of the PEP`s children;
  • legal entities whose de facto beneficial owners are PEPs or first-degree relatives of PEPs, the spouse/partner of the PEP, or the spouse/partner of the PEP`s children;
  • persons known as associates of PEPs, whether acting as intermediary natural persons or as beneficial owners of a legal entity.

For the purpose of opening a customer account on the TOKERO platform, the identity documents accepted for individual customers are:

  • a) national identity card issued in the countries accepted by the Company;
  • b) passport issued in the countries accepted by the Company;
  • c) residence document (residence permit) issued in the countries accepted by the Company;
  • d) bank statement in the name of the natural person.

For the purpose of opening a customer account on the TOKERO platform, the documents accepted for legal entity customers are:

  • a) constitutional documents (e.g. articles of incorporation, statutes, as applicable);
  • b) tax registration certificate (VAT/tax ID number) or equivalent for sole traders and foreign legal entities;
  • c) certificate of incorporation / extract from the commercial register / extract from the register of associations and foundations / extract issued by the competent authority in the country where the legal entity was registered or authorized, subject to a maximum age of 90 days from issuance for documents issued in Romania and 6 months from issuance for documents issued by another member state;
  • d) bank statement in the name of the legal entity;
  • e) power of attorney or shareholders` resolution for the legal representative;
  • f) identity document of the legal representative / authorized legal representative and of the identified beneficial owner(s).

The Company screens all customers, beneficial owners, authorized representatives, and counterparties against applicable international sanctions lists, including at minimum: the UN Security Council consolidated sanctions list, the OFAC SDN list, the EU consolidated sanctions list, HM Treasury (UK) sanctions lists, Panama`s national designated persons list, and the FATF list of high-risk jurisdictions. Screening is performed both at the time of onboarding and on an ongoing basis throughout the business relationship.

2.4. Monitoring and Control

For the prevention of money laundering and terrorist financing, TOKERO conducts a monitoring and control process covering at minimum: high-risk customers and transactions, transactions with high-risk countries, and complex or unusual transactions.

A key element of the customer transaction monitoring process is the verification of source of funds. When a transaction is identified as requiring additional scrutiny, the customer is requested to provide relevant documents and information evidencing the source of funds or source of wealth.

Proof of Source of Funds (POSOF) is any document or collection of documents that explains the origin of the funds used for a fiat deposit and the origin of the crypto assets used for a fiat withdrawal. Any POSOF document presented must cover all deposits or withdrawals made through the respective funding method.

Acceptable individual POSOF:

  • Tax return (last two taxable years);
  • Letter from a bank or accountant attesting to the assets;
  • Bank statement and/or brokerage account statement;
  • Pay slips showing income from the last two years;
  • A letter from an accountant attesting to real estate holdings and inheritance is sufficient for net worth purposes.

Acceptable corporate POSOF:

  • Audited financials;
  • Tax return (last two taxable years);
  • Letter from a bank or brokerage firm referencing assets;
  • Standardized statement from a digital asset exchange;
  • Proof of balance at a cryptocurrency exchange(s);
  • Message signed on the cryptographic wallet.

Customer documents, data, and information are updated periodically, in proportion to the risk profile of the customer, and whenever deemed necessary. Regardless of the reason for initiating the update process, it mandatorily requires the customer or legal representative to undergo a new identification process, including both a new verification through the remote identification provider (KYC/PEP screening) and the updating of all documents, data, and information required by the Company in the identification flow. Until the data update process is completed, the customer may not carry out transactions in or from their account.

2.5. Suspicious Transaction Reporting

Any employee of the Company who identifies a transaction, activity, or circumstance giving rise to knowledge or suspicion — or reasonable grounds for suspicion — that ML/TF/PF may be involved is obligated to immediately report this to the Compliance Officer through the internal reporting channel.

The Compliance Officer assesses the internal report and, where the suspicion is not dispelled following analysis, files a Suspicious Transaction Report (STR) with the UAF within the timeframe specified by Law No. 23/2015 and UAF regulations. STRs are filed without prior notification to the customer or any third party (tipping-off prohibition).

The Company will not carry out a transaction it considers suspicious until the STR has been filed and, where required, clearance has been obtained from the UAF. Where delaying the transaction would alert the customer, the Compliance Officer determines the course of action, documents the reasoning, and files the STR as soon as possible.

2.6. Record Keeping

The Company retains, in a form admissible in judicial proceedings, all records obtained through the application of customer due diligence measures (copies of identification documents, monitoring and verification results, customer files, related correspondence) and all documents necessary for the reconstruction of transactions, for a minimum period of five (5) years from the date of the transaction or the date of termination of the business relationship, as applicable.

Upon request from the UAF or competent law enforcement authorities, the Company promptly transmits the relevant information and records, in accordance with applicable legal timeframes.

For customers resident in the European Union, the processing and retention of personal data collected during the KYC process is carried out in compliance with GDPR principles, including the principle of storage limitation, with data deleted upon expiry of the legal retention period, except where other legal provisions require continued retention. The transfer of personal data from the European Union to the Company, as a controller established in Panama, is carried out on the basis of appropriate safeguards, in particular through the use of Standard Contractual Clauses approved by the European Commission, in accordance with Article 46 GDPR, Panama not being subject to an adequacy decision.

2.7. Final Provisions

All documents related to AML/CFT/PF and international sanctions are confidential and constitute the property of the Company. This Policy enters into force on the date of approval by the Company`s executive management and supersedes any prior policy on the matter. The Policy shall be reviewed at least annually or whenever material changes occur in applicable legislation, regulatory guidance, or the Company`s activities.

For any questions regarding this Policy, customers may contact the Company at the dedicated compliance email address: [email protected].