SharkPay OÜ is a legal entity incorporated under the laws of Estonia, with registry code 14897034 and registered at Vaike-Paala, 2, Tallinn, Estonia, 11415 (hereinafter “SharkPay” or “Company”). SharkPay has obtained an operating license (License No. FVT000364) from the Financial Intelligence Unit of Estonia (“FIU”) with the following types of activities: providing services of exchanging virtual currency against a virtual currency or fiat currency, and providing a virtual currency wallet service.
As a provider of virtual currency service SharkPay is required to comply with Money Laundering and Terrorist Financial Prevention Act of Estonia and International Sanctions Act and provide due diligence obligations to its Customers, register and retain Customer’s data and comply with reporting obligations to authorities.
SharkPay is committed to implement best practices and procedures that have been worked out for the detection and prevention of illicit activities in the course of conducting its business, and to comply in full with all legal, regulatory and other requirements applied in the Republic of Estonia and worldwide.
These rules of procedure for prevention of money-laundering and financial terrorism (“Rules”) provide guidelines for the Company and its employees to perform due diligence obligations pursuant to Money Laundering and Terrorist Financial Prevention Act of Estonia and International Sanction Act.
The basis of these Rules comprises International Sanctions Act, Money Laundering and Terrorist Financing Prevention Act (“Act”) and Directive (EU) 2015/849 of the European Parliament and of the Council.
The purpose of these Rules is, by increasing the trustworthiness and transparency of the business environment, to prevent the use of the financial system and economic space of the Republic of Estonia for money laundering and terrorist financing (“ML/TF”).
These Rules regulate and provide:
a procedure for the application of due diligence measures regarding a customer, including a procedure for the application of simplified due diligence measures specified;
a model for identification and management of risks relating to a customer and its activities and the determination of the customer’s risk profile;
the methodology and instructions where the Company has a suspicion of ML/TF or an unusual transaction or circumstance is involved as well as instructions for performing the reporting obligation;
the procedure for data retention and making data available;
instructions for effectively identifying whether a person is a politically exposed person or a person subject to international sanctions or a person whose place of residence or seat is in a high-risk third country or country that, according to credible sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, (i) has not established effective AML/CFT systems; or (ii)has significant levels of corruption or other criminal activity; or (iii) that is subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations; or (iii) that provides funding or support for terrorist activities, or that has designated terrorist organisations operating within their country, as identified by the European Union or the United Nations;
the procedure for identification and management of risks relating to new and existing technologies, and services and products, including new or non-traditional sales channels and new or emerging technologies;
The provisions of these Rules apply to all business relationships and transactions related to customers pursuant to the procedure provided by Act.
The employees of the company must be familiar with and strictly follow the requirements provided for in the Act, the instructions for identifying the characteristics of a transaction suspected of ML/TF issued by the FIU and these Rules.
A regular review is performed whether the Rules are up to date and they will be supplemented and updated as necessary, but not less frequently than once per year.
To follow the rules of procedures, the Company has developed and implemented internal rules and procedures pursuant to the Act.
The Company cooperates with other obliged entities and with state supervisory and law enforcement authorities in preventing ML/TF, including communicating information available to them and replying to queries within a reasonable time, following the duties, obligations and restrictions arising from legislation.
Money laundering means:
Money laundering also means participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the activities referred to in section 2.1.
Money laundering is regarded as such also where a criminal activity which generated the property to be laundered was carried out in the territory of another country.
Money laundering is regarded as such also where the details of a criminal activity which generated the property to be laundered have not been identified.
Terrorist financing means the financing and supporting of an act of terrorism and commissioning thereof as well as the financing and supporting of travel for the purpose of terrorism within the meaning of §§ 2373 and 2376 of the Penal Code.
The beneficial owner (UBO) means a natural person who, via ownership or other type of control, has the final dominant influence over a natural or legal person, or in whose interests, for the benefit of whom or in whose name a transaction or operation is made. In the case of companies, the beneficial owner of a company is a natural person whose direct or indirect shareholding or the total shareholding of all of the direct and indirect shareholdings in the company exceeds 25 per cent, including shareholdings in the form of bearer shares or otherwise
Politically exposed person (“PEP”) means a natural person who performs or has performed prominent public functions and with regard to whom related risks remain, incl. a head of State or head of government; minister, deputy minister or assistant minister; member of a legislative body; member of a governing body of a political party; judge of the highest court of a country; auditor general or a member of the supervisory board or executive board of a central bank; ambassador, envoy or chargé d’affaires; high-ranking officer in the armed forces; member of an administrative, management or supervisory body of a state-owned enterprise; director, deputy director and member of a management body of an international organisation, and other persons as prescribed by the Act (except middle-ranking or more junior officials).
Family member of PEP means the spouse, or a person considered to be equivalent to a spouse; a child and their spouse, or a person considered to be equivalent to a spouse; a parent.
A person known to be close associate of PEP means a natural person who is known to have joint beneficial ownership of a legal person or trust with a PEP; known to have close business relations with a PEP; the beneficial owner of a legal person or trust set up in the interests of a PEP;
Virtual currency means a value represented in the digital form, which is digitally transferable, preservable or tradable and which natural persons or legal persons accept as a payment instrument, but that is not the legal tender of any country or funds for the purposes of Article 4(25) of Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, pp. 35–127) or a payment transaction for the purposes of points (k) and (l) of Article 3 of the same Directive;
Virtual currency exchange service means a service with the help of which a person exchanges a virtual currency against a fiat currency or a fiat currency against a virtual currency or a virtual currency against another virtual currency;
Virtual currency wallet service means a service in the framework of which keys are generated for customers or customers’ encrypted keys are kept, which can be used for the purpose of keeping, storing and transferring virtual currencies;
High-risk third country means a country specified in a delegated act adopted on the basis of Article 9(2) of Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of ML/TF, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141/73, 05.06.2015, pp 73–117).
Compliance officer means an employee appointed by the resolution of the management board of the company who shall act as the compliance officer for the Financial Intelligence Unit and who regulates and supervises the fulfilment of measures for the prevention of ML/TF. If no specific compliance officer has been appointed by the resolution of the management board, the obligations of the compliance officer shall be fulfilled by the member of the management board of the legal entity.
International sanctions means an essential tool of foreign policy aimed at supporting the maintenance or restoration of peace, international security, democracy and the rule of law, following human rights and international law or achieving other objectives of the United Nations Charter or the Common Foreign and Security Policy of the European Union.
The Company shall regularly prepare and update the risk assessment in order to identify, assess and analyse the risks of ML/TF related to its activities.
The Company identifies the risks associated with its activities, as well as the risks that may arise in the near future, that is foreseeable risks, and assesses and analyses their significance and impact. The risks are identified and assessed on a case-by-case basis as of the moment of the risk assessment and separately considering the situation where the Company should take the risks to the maximum extent permitted by the risk appetite. The Company identifies, assesses and analyses at least the following risks:
risks relating to customers;
risks relating to products, services or transactions, including risks relating to new and/or future products, services or transactions;
risks relating to communication, mediation or products, services, transactions or delivery channels between the Company and customers including if the above mentioned is new and/or provided in the future;
risks relating to countries, geographic areas or jurisdictions.
The Company identifies risk factors for the risks specified in clauses 3.2.1-3.2.4 that increase or decrease the risk of ML/TF.
As a result of the risk assessment, the Company establishes:
the risk factors which may affect the risk;
the risk appetite, including the volume and scope of products and services provided in the course of business activities;
the risk management model, including simplified and enhanced due diligence measures, in order to mitigate identified risks.
The risk assessment and the establishment of the risk appetite is documented, the documents are updated where necessary and based on the published results of the national risk assessment.
The Company shall update or renew the risk assessment and the related documents on an annual basis.
The economic activity of the Company as the provider of a virtual currency service is primarily related to the handling and storage of currencies presented in a digital form. The provision of a service of exchanging a virtual currency against a fiat currency and a virtual currency wallet service primarily requires the use of new and evolving technologies, which may involve the implementation of new or non-traditional sales channels in the economic activities of the Company.
The Company should identify and assess the ML/TF risks that may arise in relation to
The management board of the Company appoints a person who acts as the compliance officer of the FIU. The compliance officer reports directly to the management board of the Company and has the competence, means and access to relevant information across all the structural units of the Company.
The duties of a compliance officer include, inter alia:
organisation of the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of ML/TF, which have become evident in the activities of the Company;
reporting to the FIU in the event of suspicion of ML/TF;
periodic submission of written statements on compliance with the requirements arising from this Act to the management board of the Company;
performance of other duties and obligations related to compliance with the requirements of the Act.
The compliance officer may deliver information or data which has become known to him or her in connection with a suspicion of money laundering only to FIU, a pre-trial investigation authority in connection with criminal proceedings and to the court on the basis of a court order or decision.
Each employee of the Company must inform the compliance officer of all cases of refusal to establish a business relationship on the basis of Act, suspicious or unusual transactions, cases of extraordinary termination of the long-term contract and other circumstances that may affect the performance of the obligations of the Company under Act.
The Company applies the following due diligence measures:
identification of the customer (it’s representative) and verification of submitted information;
identification of the beneficial owner and, for the purpose of verifying their identity, taking measures to the extent that allows the Company to make certain that they know who the beneficial owner is, and understands the ownership and control structure of the customer;
understanding of business relationship or conducting a financial transaction;
gathering information on whether a person is a PEP, their family member or a person known to be a close associate;
business relationship monitoring.
The due diligence measures mentioned above must be applied before establishing the business relationship or, if not in business relationship, before the transaction.
The Company may apply simplified due diligence (SDD) measures when it is identified according to the risk assessment prepared that in the case of the economic or professional activity, field or factors, the risk of ML/TF is lower than usual.
Before the application of SDD measures to a customer, the Company establishes that the business relationship, transaction or act is of a lower risk.
The application of SDD measures is permitted to the extent that the Company ensures sufficient monitoring of transactions, acts and business relationships, so that it would be possible to identify unusual transactions and allow for notifying of suspicious transactions in accordance with the procedure established in the Act.
The Company applies enhanced due diligence (EDD) measures in order to adequately manage and mitigate a higher-than-usual risk of ML/TF.
Enhanced due diligence measures are applied always when:
upon identification of a person or verification of submitted information, there are doubts as to the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner;
the customer is a PEP, their family member or a close associate;
the customer is from a high-risk third country or their place of residence or seat or the seat of the payment service provider of the payee is in a high-risk third country;
the customer is from such country or territory or their place of residence or seat or the seat of the payment service provider of the payee is in a country or territory, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the Financial Action Task Force, or that is considered a low tax rate territory;
a complex, high-value or unusual transaction or transaction pattern takes place that does not have a reasonable or apparent economic or legitimate purpose or is not characteristic to a particular business field;
in other cases provided by the Act.
The Company applies EDD measures also where a risk assessment prepared by the Company identifies that, in the case of the economic or professional activity, field or factors, the risk of ML/TF is higher than usual.
The Company may apply additional due diligence measures in order to manage and mitigate an established risk of ML/TF that is higher than usual, by choosing at their own discretion one or several due diligence measures.
If the data are insufficient or untrue or if there are suspicions of ML/TF, the Company must apply due diligence measures for as long as they have collected sufficient data, they are convinced that the data are true or until the suspicions of ML/TF, are eliminated.
The Company documents and, upon the demand of the supervisory authority, demonstrates why, in respect of what and which type of due diligence measures the Company has applied to the customer upon the establishment of the business relationship or in respect of transactions during the business relationship.
Upon the establishment of a business relationship and as in the course of a business relationship or if a certain trigger event occurs, the Company will take measures to ascertain whether the customer or the person who wants to conclude an occasional transaction and the beneficial owner or representative of these persons is a politically exposed person, their family member or close associate, or if the customer has become such a person.
In a situation where the person participating in a transaction made in economic or professional activities is a PEP, their family member or close associate, in addition to the relevant due diligence measures the Company applies the following additional due diligence measures:
obtains approval from the Company’s management board to establish or continue a business relationship with the person;
requests necessary information from the customer, including applying measures to establish the sources of the wealth and financial means of the person that are used in the business relationship or upon executing transactions;
verifies data or making inquiries in relevant databases or public databases or making inquiries or verifying data on the websites of the relevant supervisory authorities or institutions of the country in which the customer or person is located.
monitors the business relationship in an enhanced manner.
Where a PEP no longer performs important public functions placed upon them, the Company must at least within 12 months take into account the risks that remain related to the person and apply relevant and risk sensitivity-based measures as long as it is certain that the risks characteristic of PEP no longer exist in the case of the person.
Where the Company comes in contact with a high-risk third country via a person participating in a transaction made in the Company’s economic or professional activities, via a person participating in a professional act, via a person using a professional service or via a customer, the Company applies the following due diligence measures:
gathering additional information about the customer and its beneficial owner;
gathering additional information on the planned substance of the business relationship;
gathering information on the origin of the funds and wealth of the customer and its beneficial owner;
gathering information on the underlying reasons of planned or executed transactions;
receiving permission from the Company’s management board to establish or continue a business relationship;
improving the monitoring of a business relationship by increasing the number and frequency of the applied control measures and by choosing transaction indicators that are additionally verified.
In addition to the aforementioned, the Company may demand that a customer make a payment from an account held in the customer’s name in a credit institution of a contracting state of the European Economic Area or in a third country that implements requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council.
The Company must observe the business relationship with the customer established in the course of economic or professional, i.e. perform the monitoring of the business relationship.
The objective of monitoring is to identify suspicious and unusual transactions and transaction patterns; transactions exceeding the provided thresholds; PEP and circumstances regarding international sanctions.
The Company must regularly check and update the documents, data and information collected in the course of the application of due diligence measures. The regularity of the checks must be based on the risk profile of the customer.
The relevant employee must document all the findings about the customer and it’s behaviour which support the decision of the relevant employee about closing or reporting the case to the Compliance Officer.
The monitoring of business relationships must include at least the measures envisaged by the Act.
The Company is prohibited to establish a business relationship or allow to execute an occasional transaction or conclude it if:
the Company suspects ML/TF or it is impossible for the Company to apply the due diligence measures taken upon the establishment of business relationships, because the customer does not submit the relevant data or refuses to submit them or the submitted data give no grounds for reassurance that the collected data are adequate;
a person whose capital consists of bearer shares or other bearer securities wants to establish a business relationship or conclude an occasional transaction;
a person who does not have the authorisation to operate as a credit or financial institution, but whose main and permanent economic activities via the Company are similar or correspond to the provision of financial services subject to authorisation, wants to establish a business relationship or conclude an occasional transaction;
this would require the opening of an anonymous account or savings book, as well as the opening of an account clearly in the name of the wrong person;
a natural person behind whom is another, actually benefiting person, wants to establish a business relationship or conclude an occasional transaction (suspicion that a person acting as a front is used).
the Company is not allowed to establish or continue correspondent relationships with shell banks and such credit institutions or financial institutions that knowingly allow shell banks use their accounts.
In respect of the circumstances of refusal to establish a business relationship or conclude an occasional transaction, the Company performs the reporting obligation, registers and retains the data of the refusal to establish a business relationship or conclude an occasional transaction as well as of the performance of the reporting obligation.
The Company has the right to refuse to make a transaction within the scope of a business relationship where a person participating in a transaction or a customer, in spite of a respective request, does not submit documents and relevant information or data or documents proving the origin of the assets constituting the object of the transaction or the purpose of the transaction or where the data and documents submitted make the Company suspect ML/TF or the commission of related crimes or an attempt at such activity. 11.4. If the data are insufficient or untrue or if there are suspicions of ML/TF , the Company must apply due diligence measures for as long as they have collected sufficient data, they are convinced that the data are true or until the suspicions of ML/TF are eliminated.
Upon the entry into force of an act establishing or implementing an international financial sanction, the Company shall take measures to fulfill the obligations arising therefrom and shall show the necessary diligence to ensure the achievement of the objective of the international financial sanction and to prevent violation of the sanction.
The subject of international sanctions is any natural or legal person, entity or body, designated in the legal act imposing or implementing international sanctions, with regard to which the international sanctions apply.
The duties of the person liable for applying the international sanctions are performed by the compliance officer of the Company, or if not available, the management board of the Company.
The Company must report to the FIU on the activity or the circumstances that they identify in the course of economic activities and whereby:
the characteristics indicate the use of criminal proceeds or the commission of crimes related to this (this is primarily a report on a suspicious and unusual transaction or activity);
in the case of which they suspect or know or the characteristics of which indicate the commission of money laundering or related crimes (this is primarily a report on a transaction or activity whereby money laundering is suspected);
in the case of which they suspect or know or the characteristics of which indicate the commission of terrorist financing or related crimes (this is primarily a report on a transaction or activity whereby terrorist financing is suspected);
in the case of which an attempt of the activity or circumstances specified in clause 13.1.1 to 10.1.3 is present.
The FIU must be notified:
by the Company also about the circumstances of refusal of establishment of a business relationship or completing an occasional transaction;
by the Company, also about each transaction that has become known whereby a pecuniary obligation of over 32 000 euros or an equal sum in another currency is performed in cash, regardless of whether the transaction is made in a single payment or in several linked payments over a period of up to one year.
In any case (i.e. also in the situation where an activity or circumstance is identified after the completion of the transaction), the reporting obligation must be performed immediately, but not later than two working days after the identification of the activity or circumstance or the emergence of the actual suspicion (i.e. the situation where the suspicion cannot be dispelled).
The Company, a structural unit of the Company, a member of a management body and an employee is prohibited to inform a person, its beneficial owner, representative or third party about a report submitted to them to the FIU, a plan to submit such a report or the occurrence of reporting.
The reporting obligations should be made in terms and in compliance with the procedure established by the Act.
The Company must register all the Сustomer’s information and documents obtained during due diligence process, including information about the circumstances of refusal of the establishment of a business relationship or to conclude a transaction, data and documents collected in the course of monitoring the business relationship, data related to the performance of the reporting obligation. This information must be retained for at least 5 (five) years after the expiry of the business relationship or the completion of an occasional transaction or after the performance of the reporting obligation.
Documents and data must be retained in a manner that allows for exhaustive and immediate response to the queries made by the FIU or, pursuant to legislation, other supervisory authorities, investigation authorities or the court.
The Company deletes the retained data after the expiry of the time period, unless the legislation regulating the relevant field establishes a different procedure. On the basis of a precept of the competent supervisory authority, data of importance for prevention, detection or investigation of ML/TF may be retained for a longer period, but not for more than five years after the expiry of the first time period.
The Company is allowed to process personal data gathered upon implementation of the Act only for the purpose of preventing ML/TF and the data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.
The Company ensures the training of the employees involved in the prevention of ML/TF as well as of the senior management, incl. the management board.
Training must take place when the employee commences the performance of said duties and thereafter regularly or as necessary. The Company combines explanatory and informational parts with possible assessments of knowledge during training if necessary.
The regularity of training depends on the size of the Company and the nature, scope and level of complexity of the activities and services provided, incl. the risk appetite and risks arising from activities of the Company, but it usually takes place at least once a year. If necessary, employees are trained or informed more frequently, incl. when the rules of procedure change, there are significant changes in the risks arising from activities, new trends and methods of ML/TF are detected, etc.
The Company retains the details of the person that carried out the training in a format that can be reproduced in writing for at least two years after the training took place.
The Company is obligated to prepare a risk assessment in order to identify, assess and analyse the risks related to their activity in regard to ML/FT and financial sanctions. The steps taken to identify, assess and analyse risks must be proportionate to the nature, size and level of complexity of the economic and professional activities of the Company.
The Company use the following risk scale:
A - low risk
No influential risk factors exist in any risk category, the customer itself and the customer’s activities are transparent and do not deviate from the usual activities, i.e. the activities of a reasonable and average person, in that field of activity, and there is no suspicion that the risk factors as a whole could lead to the realisation of the risk of ML/FT.
B - usual risk
One or several risk factors exist in the risk category that deviate from the usual activities of a person acting in that field of activity, but the activity is still transparent and there is no suspicion that the risk factors as a whole could lead to the realisation of the risk of ML/FT.
C - high risk
One or several risk factors exist in the risk category that as a whole grows suspicion of the transparency of the person and their activities, which causes the person to deviate from persons usually acting in that field of activity and it is at least possible that ML/FT is taking place.
Taking into account the above risk categories, the Company must determine the risk level of the person involved in the transaction or the customer, for example whether the customer's ML/FT risk is low, normal or high or corresponds to other risk levels specified and used by the Company.
In order to determine the impact of each risk category, the Company must assess the probability of the occurrence of risk factors in that risk category. To determine the impact of a particular risk category, a qualifying amount of the presence of risk factors that characterise it can be used to consider a particular risk factor as having “impact” or “no impact” for a given person when a certain threshold is exceeded.