ANTI-MONEY LAUNDERING AND COUNTER FINANCING TERRORISM POLICY

1. INTRODUCTION

1.1. The Anti-Money Laundering and Combating the Financing of Terrorism Policy (hereinafter referred to as the «Policy») of Cronex OÜ (hereinafter referred to as the «Company»), registered at Maakri tn 19/1, Kesklinna Linnaosa, Tallinn, Harju Maakond, 10145, Estonia under the company number 16298148, outlines the measures implemented by the Company for the prevention of money laundering and terrorist financing (hereinafter referred to as «ML/CTF»).

1.2. Despite the absence of a legal mandate requiring the Company to comply with AML/CTF regulations, we acknowledge the critical importance of establishing robust measures to avert any potential involvement in money laundering and terrorist financing activities. This proactive stance underscores our dedication to upholding international best practices and fortifying the integrity of our operations. Cronex OÜ is committed to the highest standards of ML/CTF compliance and requires management and employees to adhere to these standards to prevent the use of our services for money laundering and terrorist financing. This policy outlines the Company's commitment to detecting, preventing, and reporting any suspicious activities.

1.3. Cronex OÜ understands the concept of money laundering in accordance with the Estonian Money Laundering and Terrorist Financing Prevention Act. In accordance with this Act, money laundering is defined as intentional conduct involving:

1.3.1. The conversion or transfer of property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions;

1.3.2. The acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein;

1.3.3. The concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such an activity.

1.3.4. Participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counseling the commission of any of the activities referred to in subsection 1 of this section.

1.3.5. Money laundering is regarded as such also where a criminal activity which generated the property to be laundered was carried out in the territory of another country.

1.3.6. Money laundering is regarded as such also where the details of a criminal activity which generated the property to be laundered have not been identified.

1.4. This policy applies to all employees, officers, and directors of the Company. It delineates our approach to identifying, mitigating, and managing the risks associated with money laundering and terrorist financing, thereby ensuring that our operations remain compliant with ethical standards and resilient against financial crimes. Cronex OÜ is committed to ensuring that its employees are well-versed in these regulations and that their compliance is regularly monitored and enforced. This comprehensive approach ensures that the company not only meets legal obligations but also upholds the highest standards of financial integrity and transparency.

2. PURPOSE

2.1. The purpose of this Policy is to establish a comprehensive framework for Cronex OÜ to prevent and detect activities related to money laundering and terrorist financing. This policy outlines the procedures, controls, and responsibilities that the Company will implement to ensure that its operations are conducted with the highest standards of integrity and compliance. Key objectives of this policy include:

2.1.1. Prevention:

• Implement robust risk management practices to safeguard the Company against exploitation for money laundering or terrorist financing.
• Develop and maintain procedures that identify and mitigate potential risks associated with financial crimes.
• Ensure that the Company's services and products are not used for illicit activities.

2.1.2. Compliance:

• Adhere to international best practices and standards in AML and CFT, even in the absence of a legal mandate.
• Maintain updated knowledge of relevant laws and regulations to ensure ongoing compliance.
• Document and regularly update the Company's AML and CFT policies and procedures.

2.1.3. Education and Training:

• Provide comprehensive training programs for employees, officers, and directors on AML and CFT responsibilities.
• Ensure that all staff are aware of the latest trends, techniques, and regulatory changes related to money laundering and terrorist financing.
• Foster a culture of vigilance and responsibility throughout the organization.

2.2. Protection Against Illicit Use: Cronex OÜ will take all necessary measures to protect the Company from being used by criminal elements for illicit purposes. This involves:

• Conducting thorough risk assessments of customers.
• Implementing internal controls to prevent money laundering and terrorist financing.
• Training employees to recognize and respond to potential AML and CFT risks.
• Ensuring that all employees understand and comply with the Company's AML and CFT policies and procedures.

2.3. Cronex OÜ is committed to conducting its business with integrity and in an ethical manner. This policy reinforces the Company's commitment to preventing financial crime and ensuring that its services are not used to facilitate illegal activities. Cronex OÜ's management and employees are expected to uphold these values and act in accordance with the highest standards of professional conduct.

2.4. Cronex OÜ will fully cooperate with regulatory and law enforcement authorities in their efforts to combat money laundering and terrorist financing. This includes providing timely and accurate information when requested and assisting in investigations as required by law.

3. DUE DILIGENCE MEASURES

3.1. Given that Cronex OÜ is not obligated to adhere to regulatory requirements for Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT), the company voluntarily implements the following due diligence measures to proactively mitigate potential risks associated with financial crime:

3.2. Diligence measures that employees must apply include:

• Establishing a business relationship: Employees must conduct thorough checks and assessments when establishing a business relationship to ensure compliance with regulations. This includes verifying the identity of the parties involved and assessing the nature of the relationship to determine any potential risks of money laundering or terrorist financing.
• Verification of collected information: Employees must verify the information collected during the application of due diligence measures or when there is suspicion regarding the adequacy or truth of previously collected documents or data during the updating of relevant data.

3.3. Employee Training and Awareness:

a. Regular Training Sessions:

• Conduct training sessions at least annually to ensure all employees are up-to-date with the latest AML/CFT regulations, emerging trends, and typologies in money laundering and terrorist financing.
• Utilize a mix of training methods such as workshops, e-learning modules, and scenario-based training to cater to different learning preferences and to simulate real-life situations.
• Include case studies of recent money laundering incidents to help employees recognize and understand potential red flags.

b. Roles and Responsibilities:

• Clearly outline the specific roles and responsibilities of each employee in detecting and reporting suspicious activities.
• Provide detailed guidelines on the procedures for identifying and reporting unusual or suspicious transactions, including the use of internal reporting systems.
• Emphasize the importance of timely and accurate reporting to the designated compliance officer or relevant authorities.

3.4. Record Keeping:

a. Comprehensive Transaction Records:

• Maintain detailed records of all customer transactions, including the date, amount, currency, and purpose of each transaction.
• Ensure all account opening documents, such as identification documents, proof of address, and KYC forms, are accurately recorded and securely stored.
• Use digital record-keeping systems with robust security measures to protect sensitive customer information from unauthorized access.

b. Retention Period:

• Adhere to internal policies and legal requirements regarding the retention period of records, typically at least five years from the date of the transaction or the end of the customer relationship.
• Regularly review and update record-keeping policies to ensure compliance with any changes in legal requirements or industry standards.
• Implement procedures for the secure disposal of records that are no longer required to be retained, ensuring they cannot be reconstructed or misused.

3.5. Compliance Oversight:

a. Dedicated Compliance Oversight:

• Assign a dedicated compliance officer or establish a compliance committee responsible for overseeing the implementation and adherence to AML/CFT measures.
• Ensure the compliance officer or committee has direct access to the board of directors and sufficient authority to enforce compliance policies across the organization.
• Provide regular training and resources to the compliance team to keep them informed of the latest regulatory developments and best practices.

b. Periodic Reviews and Audits:

• Conduct internal audits and independent reviews of AML/CFT controls and procedures at least annually to assess their effectiveness and identify areas for improvement.
• Implement a risk-based approach to auditing, focusing on high-risk areas and transactions that warrant closer scrutiny.
• Document the findings of audits and reviews, and develop action plans to address any identified deficiencies or gaps in the AML/CFT framework.

3.6. Enhanced Due Diligence (EDD):

a. Enhanced Due Diligence Procedures:

• Apply EDD measures to customers or transactions identified as higher risk, such as politically exposed persons (PEPs), high-value transactions, or transactions from high-risk jurisdictions.
• Perform in-depth background checks and obtain additional information on the customer's business activities, ownership structure, and source of funds.
• Use external databases and third-party services to verify customer information and identify any potential red flags or adverse media.

b. Additional Information and Documentation:

• Require customers to provide additional documentation, such as financial statements, business plans, and contracts, to support their claimed source of funds.
• Conduct regular monitoring and reviews of high-risk customer accounts and transactions to detect any unusual or suspicious activity.
• Document all findings from the EDD process and ensure they are readily accessible for review by regulatory authorities or during internal audits.

4. IDENTIFICATION

4.1. When identifying clients, whether natural persons or legal entities, employees must collect specific information to ensure compliance with regulations and to establish the identity of the client or their representative. For natural persons, this includes:

• Name: Employees must record the client's full name.
• Personal identification code: If available, the client's personal identification code should be collected.
• Information on the right of representation: Employees must gather information on the client's right to establish and control the right of representation. If the right of representation is not provided by law, employees should record the name, date of issue, and the name or title of the issuer of the document on which the right of representation is based.

4.2. For legal entities registered in Estonia or branches of foreign companies registered in Estonia, as well as foreign legal entities, the following information should be collected and stored:

• Business name or name of the legal entity.
• Registry code or registration number and the date and time of registration.
• Name of the manager or members of the management board or another body replacing it, along with their powers in representing the legal person.
• Data of legal means of communication, such as contact details.
• Right for representation: This should be provided through, for example, a power of attorney. This should include the name, date of issue, and details of the issuer of the representation document.
• Beneficial owner: The beneficial owner of the company must be established and recorded. Employees should gather details on the beneficial owner’s identity, including their full name, date of birth, nationality, and the extent of their ownership or control.

By collecting and storing this information, employees can ensure compliance with regulations and help prevent money laundering and terrorist financing activities.

5. ENHANCED DUE DILIGENCE MEASURES UNDER HIGH-RISK CIRCUMSTANCES

5.1. When a worker encounters a person involved in an economic or professional transaction or a professional act with a third party that poses a high risk in the service of the client, they must apply specific due diligence measures to mitigate these risks. These measures include:

• Obtaining additional information about the client and their beneficial owner: This helps in understanding the nature of the transaction and identifying any potential risks associated with it.
• Obtaining additional information about the planned actions of the business: Understanding the planned actions helps in assessing the potential risks and determining the appropriate due diligence measures to be applied.
• Obtaining information about the financial resources of the client and their beneficial owner and the source of wealth: This helps in assessing the legitimacy of the financial resources and identifying any potential money laundering or terrorist financing activities.
• Obtaining information about the reasons for any planned or executed transactions: Understanding the reasons for the transactions helps in assessing their legitimacy and identifying any potential risks associated with them.
• Obtaining senior management permission to create a business relationship or continue to do so: Senior management approval ensures that the decision to establish or continue a business relationship in high-risk circumstances is made at an appropriate level within the organization.

5.2. In addition to the above measures, the employee must also apply one or more of the following precautionary measures:

• Termination of activities in a high-risk country: If the branch or agency of the company is operating in a high-risk country, the activities should be terminated to mitigate the associated risks.
• Conducting an extraordinary audit: An extraordinary audit should be conducted in a subsidiary or branch of a credit institution or financial institution in a high-risk third country to assess and mitigate any potential risks.
• Assessment and, if necessary, termination of correspondent relationships: Correspondent relationships with persons in high-risk third countries should be assessed, and if necessary, terminated to mitigate the associated risks.

By applying these enhanced due diligence measures, companies can effectively manage and mitigate risks associated with high-risk transactions and clients, ensuring compliance with regulations and preventing money laundering and terrorist financing activities.

6. RISKS RELATED TO MONEY LAUNDERING AND TERRORIST FINANCING

6.1. To mitigate risks associated with money laundering and terrorist financing, certain prohibitions and obligations are imposed on employees and the company as a whole:

6.1.1. Prohibited Actions:

• It is prohibited to establish a business relationship or allow an occasional transaction if there is a suspicion of money laundering or terrorist financing.
• Transactions cannot proceed if it is impossible to confirm the identity of a person participating in a client or occasional transaction, or if the information provided for identification cannot be verified from a reliable or independent source.

6.2. Understanding Business Relationships: Employees must understand the purpose of the business relationship or occasional transaction, identify the customer's place of business or residence, professional or trade activity, major trading partners, and payment methods.

6.3. Business Relationship Monitoring:

• Transactions must be monitored to ensure they align with the client's activities and risk profile.
• Relevant documents and information collected during due diligence must be regularly updated.
• The source of funds used in transactions must be identified.
• Special attention must be paid to transactions that may indicate criminal activities, money laundering, or terrorist financing, including complex, high-value, and unusual transactions.
• Extra scrutiny is required for transactions involving clients from high-risk third countries or territories.

6.4. Diligence Measures: The purpose of diligence measures is to identify the customer, the origin of funds used in transactions, and the actual beneficiary. This involves gathering information about the client to understand their background and financial activities.

6.5. Obligation to Notify: Employees must fulfill their obligation to notify authorities about suspicions of money laundering or terrorist financing. This obligation does not breach confidentiality laws or contracts, and the notifier is not held liable for disclosing information.

6.6. Protection of Reporting Employees: The company must establish measures to protect employees and representatives who report suspicions of money laundering or terrorist financing from threats, hostile acts, or unfavorable treatment.

These measures are crucial for ensuring compliance with regulations and preventing money laundering and terrorist financing activities. Compliance is regularly monitored through state supervision to ensure diligence measures are effectively implemented.

7. RECORD KEEPING

7.1. Cronex OÜ is committed to maintaining accurate and up-to-date records, such as:

• Customer Identification Records: The Company shall keep copies of identification documents of its customers, including passports or other government-issued identification documents. These records shall be kept for a period of at least five years from the date of the transaction or the end of the business relationship with the customer.
• Internal Checks and Reviews: If the Company conducts internal checks on customers or monitors transactions for suspicious activity, it shall maintain records of these actions and their outcomes. These records shall include details of the checks conducted, the reasons for conducting them, and any actions taken as a result.
• Retention Period: All records shall be retained for a minimum of five years from the date of the transaction or the end of the business relationship with the customer, whichever is later. Records shall be kept in a secure and accessible manner, and shall be made available to regulatory authorities upon request.
• Training Records: The Company shall maintain records of AML/CFT training provided to its employees. These records shall include details such as the date of the training, the topics covered, and the names of the employees who attended.
• Compliance Reports: The Company shall maintain records of any reports submitted to regulatory authorities regarding its compliance with AML/CFT regulations. These records shall include details such as the date of the report, the nature of the report, and any actions taken as a result.
• Audit Trails: The Company shall maintain audit trails of its AML/CFT compliance activities, including details of any audits conducted and the findings of those audits.

8. REVIEW AND UPDATES

8.1. This policy will be reviewed annually. The review will be conducted by the Compliance officer to assess the policy's suitability, adequacy, and effectiveness in preventing money laundering and terrorist financing activities.

8.2. Updates to this policy may be made as required to reflect changes in regulations, business practices, or other relevant factors. Updates will be implemented promptly after approval by the management board and communicated to all employees. Any changes in AML/CFT regulations or guidelines issued by regulatory authorities will be promptly reviewed, and this policy will be updated accordingly to ensure compliance with the latest requirements.

8.3. Changes in business practices that may impact the effectiveness of this policy in preventing money laundering and terrorist financing activities will be assessed, and updates to the policy will be made as necessary.

9. TRAINING AND EMPLOYEE EDUCATION

9.1. Mandatory Training Programs: All employees of Cronex OÜ will undergo mandatory AML/CFT training upon hiring and annually thereafter. This training will cover the identification, prevention, and reporting of money laundering and terrorist financing activities. Employees in key roles, such as those handling high-value transactions or in compliance positions, will receive additional, specialized training tailored to their responsibilities.

9.2. Regular Updates: The Company will provide regular updates and refresher courses to employees to ensure they are aware of the latest developments in AML/CFT regulations and best practices. Training records will be maintained, documenting the dates, content, and participants of all training sessions.

10. MONITORING

10.1. Cronex OÜ will implement manual systems to monitor transactions for unusual or suspicious activity.

10.2. The Compliance Department will conduct detailed reviews of flagged transactions to determine if further investigation is needed, ensuring that any potential risks are promptly addressed and mitigated. Regular audits will be performed to ensure the effectiveness of the manual monitoring process, to capture any anomalies, and to continuously improve the monitoring framework based on the latest regulatory requirements and industry best practices.

11. DATA PRIVACY AND RECORD RETENTION

11.1. Data Security:

11.1.1. Cronex OÜ is committed to implementing robust data security measures to protect customer information and transaction records from unauthorized access, alteration, or destruction.

11.1.2. Access to sensitive data will be restricted to authorized personnel only, who will undergo regular training on data protection and security practices.

11.1.3. Employees with access to sensitive data will be required to sign confidentiality agreements, outlining their responsibilities and obligations regarding data protection.

11.1.4. The Company will conduct periodic background checks on employees with access to sensitive data to ensure their continued trustworthiness and reliability.

11.1.5. Regular security audits and assessments will be conducted to identify and address potential vulnerabilities in the data protection system.

11.2. Record Retention:

11.2.1. All transaction records and customer identification documents will be retained for a minimum of five years from the date of the transaction or the termination of the business relationship, whichever is later.

11.2.2. Records will be stored securely in electronic format, with access restricted to authorized personnel through secure authentication methods.

11.2.3. Physical records, if maintained, will be stored in locked and secure locations, accessible only to authorized personnel.

11.2.4. Records will be regularly backed up to prevent loss due to hardware failure or other unforeseen events.

11.2.3. In the event of a data breach or security incident, Cronex OÜ will promptly notify affected parties and regulatory authorities in accordance with applicable laws and regulations.

11.2.4. Records will be made available to regulatory authorities upon request, with proper authorization and in compliance with relevant data protection laws.

11.3. Data Retention Policy:

11.3.1. Cronex OÜ will establish and maintain a data retention policy that outlines the procedures for retaining and disposing of customer information and transaction records.

11.3.2. The policy will specify the types of data that must be retained, the retention period for each type of data, and the procedures for securely disposing of data that is no longer required.

11.3.4. The policy will be regularly reviewed and updated to ensure compliance with applicable laws and regulations and to reflect changes in business practices.

11.4. Data Access Controls:

11.4.1. Access to customer information and transaction records will be restricted to authorized personnel only, based on the principle of least privilege.

11.4.2. Access permissions will be regularly reviewed and updated to ensure that only authorized personnel have access to sensitive data.

11.4.3. Strong authentication measures, such as multi-factor authentication, will be implemented to prevent unauthorized access to sensitive data.

11.4.4. All access to sensitive data will be logged and monitored to detect and prevent unauthorized access attempts.

11.5. Data Encryption:

11.5.1. Cronex OÜ will encrypt all sensitive data, both in transit and at rest, to protect it from unauthorized access or interception.

11.5.2. Strong encryption algorithms will be used to ensure the confidentiality and integrity of the data.

11.6. Data Disposal:

11.6.1. When customer information or transaction records are no longer required, Cronex OÜ will ensure that they are securely disposed of to prevent unauthorized access or disclosure.

11.6.2. Secure data disposal methods, such as shredding or secure erasure, will be used to permanently delete data from storage devices.

11.6.3. Records of data disposal activities will be maintained to demonstrate compliance with data protection laws and regulations.

12. CONFIDENTIALITY

12.1. Cronex OÜ recognizes the critical importance of confidentiality in safeguarding client information and transactional data as part of its Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) Policy. This section outlines the measures and principles Cronex OÜ adheres to in maintaining the confidentiality of sensitive information.

12.2. Cronex OÜ implements robust data protection measures to ensure the confidentiality and integrity of client information and transactional data:

12.3. Access to sensitive information is restricted to authorized personnel only, based on the principle of least privilege. Employees are granted access only to the extent necessary for their roles, and access permissions are regularly reviewed and updated.

12.4. All sensitive data, both in transit and at rest, is encrypted using strong encryption algorithms. This ensures that data remains secure and unreadable to unauthorized parties, mitigating the risk of data breaches.

12.5. Cronex OÜ collects and retains only the necessary amount of client information required for legitimate business purposes. Unnecessary or excessive collection of personal data is avoided to minimize privacy risks.

12.6. Client information and transaction records are stored in secure, access-controlled environments. Physical records, if maintained, are stored in locked and secure locations to prevent unauthorized access.

12.7. All employees undergo regular training on data protection principles and practices. Training includes awareness of the importance of confidentiality, handling of sensitive information, and adherence to company policies and legal requirements.

12.8. Access to Cronex OÜ's systems and databases containing sensitive information is protected by strong authentication mechanisms, such as passwords and multi-factor authentication (MFA). Access permissions are assigned based on job responsibilities and the principle of least privilege.

12.9. Cronex OÜ employs industry-standard encryption protocols for data transmission (in transit) and data storage (at rest). This ensures that client information and transactional data are protected from unauthorized access or interception.

12.10. Cronex OÜ complies with all applicable legal and regulatory requirements concerning the confidentiality and protection of client information. This includes adherence to data protection laws, regulations governing financial institutions, and guidelines set forth by regulatory authorities.

12.11. Cronex OÜ is committed to maintaining the highest standards of confidentiality in handling client information and transactional data. This commitment extends to ensuring that client trust and privacy are prioritized in all business operations and interactions.