THIS POLICY COVERS: 

• GOVERNING LEGISLATION
• CUSTOMER DUE DILLIGENCE (CDD) / ENHANCED DUE DILLIGENCE (EDD) PROCESS
• ONBOARDING AND KNOW YOUR CLIENT/ BUSINESS (KYC, KYB)

Last review: March 3, 2025

 

1. POLICY AFFIRMATION AND UPDATES:

1.1 This following policy is reviewed by the company’s board on a quarterly basis at which point it is either re-affirmed or modified as required.

 

1.2 The policy is also reviewed and modified based upon:

• changes in regulatory requirements in Switzerland or in any other jurisdictions at which the company provides its services.
• changes in the company’s risk classification methodology or targeted client jurisdictions.

2. INTRODUCTION & AML OBLIGATIONS

2.1 FUNDFLEX  operates under the regulatory supervision of d’Organisme de Surveillance pour Intermédiaires Financiers & Trustees (“SOFIT”), holding membership number 1268, a supervisory body officially recognized and authorized by the Swiss Financial Market Supervisory Authority (“FINMA”). Registration and licensing scope, provisions and responsibilities as relating to financial intermediaries as listed on Article 3, Paragraph 3:

 

2.2 “Financial intermediaries are also persons who on a professional basis accept or hold on deposit assets belonging to others or who assist in the investment or transfer of such assets; they include persons who:

• Carry out credit transactions (in relation to consumer loans or mortgages, factoring, commercial financing or financial leasing).
• Provide services related to payment transactions, by carrying out electronic transfers on behalf of other persons, or who issue or manage means of payment such as credit cards and travelers’ cheques.
• Trade for their own account or for the account of others in banknotes and coins, money market instruments, foreign exchange, precious metals, commodities and securities (stocks and shares and value rights) as well as their derivatives.
• Make investments as investment advisers.
• Hold securities on deposit or manage securities.
  • Reference: https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en

2.3 When carrying out activities which constitute “relevant activity” FUNDFLEX  is required to comply with the requirements of the Prevention of Money Laundering Act, 1994 (Chapter 373 of the laws of Switzerland) (the “Act”) and the Regulations which require FUNDFLEX  to adhere to the provisions contained in the Act, the Regulations and the Swiss Financial Market Supervisory Authority (“FINMA”) Implementing Procedures.

 

2.4 FUNDFLEX  compliance personnel and others using these procedures should also refer, where relevant, to the Act, the Regulations, the provisions of the Sub-Title, Of Acts of Terrorism, Funding of Terrorism and Ancillary Offences of Title IV A of Part II of Book First of the Criminal Code and any relevant measures/ guidelines which may be issued from time to time by the Swiss Financial Market Supervisory Authority (“FINMA”) and/or any relevant authority or agency.

 

2.5 The procedures set forth herein are intended to assist FUNDFLEX  in compliance with its obligations at law by taking all reasonable steps and exercising all due diligence to avoid the commission of an offence of money laundering or funding of terrorism.

 

2.6 FUNDFLEX  supports Switzerland’s commitment within the Financial Action Task Force (“FATF”) to achieve greater harmonization of national regulations to combat money laundering and terrorist financing and is committed to the highest standards of Anti-Money Laundering (AML) compliance. As such, FUNDFLEX  has put in place the AML Manual to identify, assess, and mitigate possible risks of FUNDFLEX  being involved in any kind of illegal activity.

 

2.7 The measures applied by the Company are proportionate to the degree of identified risk. In the course of a risk-based approach, FUNDFLEX  assesses the probability of the risks becoming real and the consequences of such an event. When assessing the probability, the possibility the occurrence of the relevant circumstances must be taken into account, including the possibility of potential risks that may affect the activities of both the customer and FUNDFLEX , and the possibility that the probability of the occurrence of this risk increases.

 

3. GOVERNING LEGISLATION, DIRECTIVES & RELEVANT REGULATROY/ CIVIC BODIES

 

 This policy was constructed in accordance with the regulatory frameworks set out firstly by Swiss law, however, adheres to requirements set forth by other regulatory bodies and frameworks as relating to the jurisdiction at which the onboarded customer resides, registered in or conduct its activities from.

 

In case of conflicting guidance by either regulatory framework, the company will firstly obey the Swiss regulatory frameworks. In cases where prevailing regulation at the client’s jurisdiction warrants further elements which are absent under Swiss law, the company will supplement such elements especially relating to:

• Appointment of MLRO, compliance staff, training and certification of such employees or service providers.
• Implementation of controls policies and procedures as relating to KYC and AML screening, customer onboarding, client monitoring, transaction monitoring, CDD and EDD, identification flagging and reporting thresholds, SAR definition and reporting.
• Adherence and clarity of the risk classification of prospective and current clients.
• Independent, internal, external, regulatory audit scope and functions, time frames etc.

 

• SWITZERLAND

3.1.1 Acts, Directives and Legislation:

 

Federal Act on Combating Money Laundering and Terrorist Financing (Anti Money Laundering Act, AMLA) specifically:

• Articles 95 and 98 of the Federal Constitution
• Prevention of Money Laundering Act, 1994 (Chapter 373 of the laws of Switzerland) (the “Act”) and the Regulations which require the company to adhere to the provisions contained in the Act, the Regulations and the Swiss Financial Market Supervisory Authority (“FINMA”) Implementing Procedures.
• The Act its regulations, provisions and sub sections, of the “Acts of Terrorism, Funding of Terrorism and Ancillary Offences” Title IV A of Part II of Book First of the Criminal Code and any relevant measures/ guidelines which may be issued from time to time by the Swiss Financial Market Supervisory Authority (“FINMA”) and/or any relevant authority or agency.
• Article 305 of the Swiss Criminal Code (SCC), the combating of terrorist financing as defined in Article 260 paragraph 1 SCC, and the due diligence required in financial transactions.

3.1.2 Supervising and reportable entities, civic regulatory and external agencies:

• FINMA – Swiss Financial Market Supervisory Authority (http://finma.ch/)
• SO-FIT – Organisme de Surveillance pour Intermédiaires Financiers & Trustees (https://so-fit.ch/)
• The Financial Action Task Force (FATF) , information sharing, publications and recommendations
• (https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html)

3.2 EUROPEAN UNION ECONOMIC AREA MEMBER STATES SUBJECTED TO MiFiiD DIRECTIVES

 

3.2.1 Acts, Directives and Legislation:

 

• Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU
• https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L0843
• MiFiD || Money Laundering and Terrorist Financing Prevention Act, the International Sanctions Act, and the Directive (EU) 2015/849 of the European Parliament and of the Council and includes:
• the model for the identification and management of the risks arising from the customer and their activities and the determination of the risk profile of the customer, the model for the identification and management of the risks arising from the activities of the company, including the procedure of identification and management of the risks related to new and available technologies and services and products, including new or nontraditional sale channels and new or developing technologies.
• REGULATION (EU) 2024/1620 of the European Parliament and of the council; establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
• The Financial Action Task Force (FATF) and information sharing publications.
• https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html
• Regarding Virtual Asset activity:
• MiCAR (Regulation (EU) 2023/1114), the regulation on markets in crypto-assets.
• https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica

 

 

3.3 THE UNITED KINGDOM

 

3.3.1 Acts, Directives and Legislation:

·       The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017(MLR 2017); https://www.legislation.gov.uk/uksi/2017/692/contents

·       Proceeds Of Crime Act (POCA) 2002 mainly Section 7 which includes UK anti-money laundering and counter-terrorism financing laws;  https://www.legislation.gov.uk/ukpga/2002/29/contents

·       Financial Services and Markets Act 2000 (FSMA 2000): https://www.legislation.gov.uk/ukpga/2023/29/contents

·       Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023)

·       Terrorism Act 2000 (TACT) – https://www.legislation.gov.uk/ukpga/2000/11/contents

·       The Fifth & Sixth Anti-Money Laundering Directive (5AMLD, 6AMLD) in the United Kingdom and the European Union.

§  https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/945411/NRA_2020_v1.2_FOR_PUBLICATION.pdf

 

3.3.2 Supervising and reportable entities, civic regulatory and external agencies:

·       Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) (https://www.handbook.fca.org.uk/handbook/FCG/3/2.pdf)

·       HM Revenue & Customs agency

§   (https://www.gov.uk/government/collections/anti-money-laundering-supervision-detailed-information)

·       National Crime Agency (NCA);

https://www.nationalcrimeagency.gov.uk/who-we-are/publications/499-guidance-for-aml-supervisors-v1-0/file

 

3.4 CANADA 

3.4.1 Acts, Directives and Legislation:

• Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
  • https://lois-laws.justice.gc.ca/eng/acts/p-24.501/
• Fintrac AML gudance;
  • https://fintrac-canafe.canada.ca/guidance-directives/guidance-directives-eng
• The Financial Action Task Force (FATF) and information sharing publications.
  • https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html

 

3.4.2 Supervising and reportable entities, civic regulatory and external agencies:

• FINTRAC Canada.

https://fintrac-canafe.canada.ca/intro-eng

 

4. CUSTOMER DUE DILLIGENCE (CDD) PROCESS:

 

4.1 ONBOARDING PROCESS & KYC/B (KNOW YOUR CUSTOMER)

 

4.1.1 CUSTOMER IDENTIFICATION & ADDRESS VERIFICATION

 

• Scope of Policy:

Retail customers: As a part of the Customer Due Diligence (“CDD”) conducted (for retail customers), FUNDFLEX will verify the prospective customer’s identity and residential address.

Corporates and other legal entities seeking onboarding will be required to provide information, documents and to verify the identity and address for all the following individuals connected directly or indirectly to the legal entity:

• Shareholders holding 10% or more of the issued share capital of the corporation.
• Ultimate Beneficial Owners (UBOs) regardless of their direct holding of company shares or equity.
• All directors
• All authorized signatories.

 

• Proof of Identification (POI) document:

The prospective customer will be requested to show their POI and face during a liveness test. SUM&SUB will compare the biometric signature or the customer’s face and the picture in the presented POI document. FUNDFLEX reserves the right to request a second piece of ID at its own discretion as a pre-condition to onboarding and/or account standing.

POI documents must adhere to the following guidelines:

• POI Document must be government issued, valid, and must not expire in the next 3 months.
• All the data must be presented and transmitted in a way that is legible, in high quality.
• The presented POI must be the ORIGINAL document and in color. Images of the original document will not be accepted upon the live video identification.
• For Canada, the European Economic Area (EEA), Switzerland or the United Kingdom the following may be used as a POI: Passport or Driver’s License or Identity Card.
• For all other countries/jurisdictions, the only acceptable POI document is a valid Passport.

In case of POI rejection by SUM& SUB and/or mismatched biometric features, FUNDFLEX ’s compliance team will manually check the document’s validity and will either reject the customer for onboarding, request another POI /further documents, or approve the customer’s POI.

 

The provided customer name on the application must be identical to the name presented in the POI and POA provided by the customer. FUNDFLEX will allow an 85% accuracy “fuzzy match” between the two as well as to known abbreviations. E.g. accepting POI under first name “William Scott” despite the customer application spells “William Scot” (missing T).

 

• Proof of Address (POA) Document:

To verify the customer’s account, FUNDFLEX will also collect a Proof of Identification (POA document) from all of its prospective customers and /or affiliated individuals to a legal entity seeking onboarding as described above.

POA may include the following documents:

• Rent/lease/ownership agreement
• Utility bills that are address fixed: such as gas, electricity, LAND LINE telephone, or internet bill that was paid, bank account statement sent directly to the verified address (no electronic copies).
• Governmental/Municipality MAIL correspondence such as municipality fees/taxes payment or invoice, pension, social welfare etc.
• ***Mobile phone bills will not be accepted as a Proof of Address***
• POA must have been issued in the last 90 days from the time it is first used to verify your account with FUNDFLEX.
• The provided customer name on the application must be identical to the name presented in the POA provided by the customer. FUNDFLEX will allow an 85% accuracy “fuzzy match” between the two as well as to known abbreviations. E.g. Accepting POA under “Bill Scott” while the application is submitted under “William Scott”

• Know Your Business (KYB) – Documents collected Onboarding of legal entities:
• Certificate of incorporation
• Proof of Operational Business Address
• Articles of association
• Business license or proper registration with authorities when applicable
• Certified register of directors
• Certified register of shareholders (with percentage ownership)
• Ultimate Beneficial Ownership (UBO) declaration
• Organizational structure chart
• Latest audited financial statements
• Provisional Balance Sheet and Income Statement for the current fiscal year, showing the company’s revenue generating clients.
• Most recent internal AML audit / External AML Audit / Regulator Audit *When applicable.
• Swiss Form A
• Swiss Form K
• United States Form W-8BEN-E
• Information regarding counterparties currently transacting or expected to transact with the customer.
• Supporting documents for business relationships such as past invoices, service agreements, ownership structure etc.
• UBO and Shareholder declaration detailing direct or indirect holdings of 25% or more in any other legal entity locally or abroad.

• POI, POA Update Requirements:
• The company will require its onboarded retail customers to update their KYC POI and POA documents on a scheduled, yearly basis.
• The company reserves the right to request updated documents at its discretion alone and as it sees fit, not limited by specific time frames.
• The company’s CRM will automatically issue a sequence of emails, time triggered, to the customers requesting the renewal of KYC documents. The company’s CRM will then place it in queue to be completed by a compliance agent.
• Corporate clients are required to update the KYC documents of all directors, shareholders, signatories and UBOs in 6 months intervals from the time of successful onboarding.

 

• Use of Automatic / AI Driven Compliance and AML tools:

 

SUM & SUB:

• Identity Verification with SUM & SUB video verification verifies the customer’s Identification and validity of POI. Uses liveliness test.
• Verification of POA and validity of POA document.
• Technologically related mismatches such as Customer IP screening for VPN connections and/or VPN IPs that have appeared or access the company’s website and/or platform in the past.
• Customer Screening against sanctions lists, PEP, criminal record, adverse media etc.
• LSGE WorldCheck One:
• Customer Screening against sanctions lists, PEP, criminal record, adverse media etc.
• The company’s CRM platform which collects information regarding the customer and account activity to flag suspicious transactions and/or customer accounts. Mainly used during Ongoing Transaction Monitoring.

 

4.1.2 INFORMATION & DOCUMENTS RE PROSPECTIVE ACCOUNT ACTIVITY & SOURCE OF FUNDS (SOF)

 

4.1.2.1 Upon each customer application, they will have to fill in a questionnaire regarding anticipated account activity and provide proof for their declarations. Questionnaire content includes but not limited to:

anticipated account monthly total volumes incoming and outgoing.

• monthly transactions count incoming and outgoing, average transaction amount.
• anticipated top 3 senders and top 3 beneficiaries to which funds will be received/sent to and their country of residence.
• country at which the counterparty financial institution is incorporated/operates from.

4.1.2.2 Depending on the answers provided by the customer re account activity, FUNDFLEX may require the customer to provide evidence to the above for example by a bank statement showing similar activity in an external account. For corporate customers it may include financial statements showing counterparties or related invoices/ service agreements etc.

 

4.2.1.3 Source of Funds (SOF) / Source of Wealth (SOW):

Depending on the answers provided by the customer re account activity, FUNDFLEX may require the customer to provide explanation and proof as to the Source of Funds that are expected to transact with the customer’s prospective account with FUNDFLEX.

Acceptable SOF/SOW documentation may include:

• Inheritance
• Salary
• Pension redemption
• Savings
• Retained earnings
• Salary Bonuses
• Dividends
• Selling of different assets such as real estate etc.

*The company reserves the right to seek further evidence at its own discretion relating to the prospective customer’s SOF/SOW. Rejection of SOF/SOW documentation or failure to provide such documentation upon request may be regarded as sufficient grounds for rejecting customer onboarding.

 

 

4.1.3 AML RELATED CUSTOMER SCREENING PRIOR TO ONBOARDING

 

4.1.3.1 SCREENING PRIOR TO ONBOARDING:

 

Upon onboarding and following a successful POI and POA verification, the company will screen each prospective customer and their related information for PEP, sanctions and adverse media using the following tools and lists:

 

• SUM&SUB will screen against lists and online findings as described below. The process is completed via an API call that is automatically sent to SUM&SUB. The screening results in SUM&SUB are fed back to FUNDFLEX’ CRM and is later used to determine the customer’s risk score and classification (among many other factors).
• LSGE WorldCheck One – Screen against more than 57’000 active sanction records; https://www.lseg.com/en/risk-intelligence/financial-crime-risk-management/sanctions-screening
• Independent screening against EEA, UK, SWISS and Canadian regulator updates, PEP and sanction lists.
• Independent screening against Financial Action Task Force (FATF) publications, FATA blacklist, FATA Grey List and UN Sanctioned list: http://www.fatf-gafi.org/countries/# High-Risk
• https://www.un.org/sc/suborg/en/sanctions/un-sc-consolidated-list;

• International organization of securities commissions:
• https://www.iosco.org/i-scan/
• Independent screening against warnings issued by the following financial regulators: Financial Conduct Authority (FCA), FINMA and SO-FIT (d’Organisme de Surveillance pour Intermédiaires Financiers & Trustees), FINTRAC Canada, EEA financial regulators.
• g.: https://www.fca.org.uk/consumers/warning-list-unauthorised-firms
• For corporates: Screening against local company register to verify proper corporate governance (no owed taxes, unfiled reports, collection actions etc.)
• For corporates: Screening all of the relevant individuals associated with the legal entity: Directors, Shareholders, UBOs and Authorized Signatories.
• If the client declares any Virtual Assets activity, FUNDFLEX will collect, analyze and flag the client’s existing wallets address as well as counterparty addresses related to the client’s wallet in the past. FUNDFLEX uses BitFury (Crystal) blockchain monitoring platform to flag relation to criminal activity, “coin mixers”, involvement in anonymous coins, high risk address, addresses known to be related to illegal or forbidden industries (based on FUNDFLEX’ customer acceptance policy)

4.1.3.2 FUNDFLEX’ customer acceptance policy rejects onboarding for prospective customers flagged for, or matched with PEP, sanctions, regulator warnings, Virtual Asset addresses or counterparty addresses which relate to individuals or entities under sanctions, PEP etc.

 

4.1.3.3 Adverse media matches will be considered on a case-by-case basis by the company’s MLRO.

*More information regarding customer approval/rejection can be found in in The Company’s customer acceptance policy.

 

4.2 ENHANCED DUE DILIGENCE (EDD)

 

In certain cases, retail customers will go through an additional screening process of Enhanced Due Dilligence (EDD) either upon onboarding or during the duration of the account activity. During the EDD process, customers be required to provide further information and/or documentation to successfully complete the onboarding process, or to keep the account in good standings and active if the EDD process triggers post onboarding.

 

Prospective corporate customers will be subjected to Enhanced Due Dilligence requirements upon onboarding regardless, although the company may trigger an additional EDD process following a successful onboarding by a legal entity, while the account is already active.

 

*More information regarding EDD post onboarding can be found in CYBERBLCOKS’ “Client & Transaction Monitoring Policy”

 

4.2.1 Triggers for Enhanced Due Diligence:

 

The company’s CRM will flag specific transaction/s, clients, senders or beneficiaries that exceeds the determined threshold for EDD set out by the company and/or exceed the calculated “medium risk” classification.

 

*For further information regarding FUNDFLEX’ client risk classification and risk appetite refer to the company’s “Risk Classification Methodology” section and FUNDFLEX’ customer acceptance policy.

 

• EDD triggers for prospective customers prior to onboarding:

• Prospective customer declares an anticipated monthly transaction volume of 15,000 EUR or more.
• Prospective customer declares an average anticipated single transaction amount of 9’001 EUR or more.
• Prospective customer provides conflicting or mismatched information on their application.
• Documentation provided by customer are suspected as not genuine or altered.
• Refusal/ failure to provide reasonable explanations and documentation upon request and in a reasonable time frame.
• Any true match during the AML screening process for PEP, Sanctions, adverse media, financial background etc.
• Prospective customer declares that anticipated activity largely involves cryptocurrency.
• Screening of Virtual Asset declared addresses reveals “High Risk” activity / counterparties not consistent with the information provided by the customer.

• EDD triggers for prospective customers prior to onboarding:

• Change in the customer’s calculated risk classification provided by the CRM.
• Significant deviation in total and/or single transaction amounts.
• Significant deviation in transaction count within a given time frame.
• Deviation in percentage of amount or count payments allocated to new beneficiaries.
• Introduction to new counterparties at High-Risk and/or engaging in activity related to High-Risk counterparties/business sectors. *See more regarding risk classification methodology herein.
• Transaction monitoring and/or customer monitoring resulting in a positive match for any AML element such as Sanctions, PEP, Adverse Media, Known Criminal Record etc.)
• Transaction monitoring and/or customer monitoring resulting in a positive match for any AML element such as Sanctions, PEP, Adverse Media, Known Criminal Record etc.) for any known counterparties that have transacted with the customer.
• New online footprint information such as mismatched IPs to country or inconsistent out of range IP use, frequent VPN use.

 

 

• CDD to EDD Escalation Process:

 Identification:

• The company’s CRM re-calculates the customers risk score based on activity taking place on the account. Such activity includes incoming / outgoing transactions, exchange transactions, screening events etc. which relate to the triggers mentioned above.
• Manual identification of qualifying events by the company’s compliance staff.

Flagging:

• The CRM will flag the customer/transaction/counterparty for evaluation and place it in queue for evaluation.
• The Compliance agent receiving the CRM notification will review the qualifying events and collect any required documentation if applicable.

Escalation:

• The responsible Compliance agent passes the case in the CRM for the evaluation of the MLRO. Considering the evidence at hand, the MLRO will either:
• request more information.
• Reject EDD process.
• Approve EDD process and instruct the responsible compliance agent to collect any the relevant information or documents for EDD.

• EDD review and Decision:
• MLRO will evaluate the information collected during the EDD process and will either request for further information or will end the EDD process.
• When applicable: Submission of a Suspicious Activity Report (SAR) by the MLRO to the relevant authorities.
• More information regarding SAR can be found in FUNDFLEX Suspicious Activity Report (SAR) Policy.
• Failure to provide the requested EDD info may result, amongst others in suspension of a certain transaction/counterparty/account and up to account termination.

 

 

 

4.3 ACTIONS AND DOCUMENTS COLLECTED DURING THE EDD PROCESS

 

Collection of further documentation related to the client and its activities. The requests may include (but are not limited to) the following:

 

4.3.1 For legal entities:

• Audited annual financial reports and most current balance sheet of the client or its counterparties.
• Audited Income (P&L) Statement
• Absence of criminal record, absence and history of legal proceedings that were filed against the legal entity and/or its shareholders, directors or executives which hold signatory rights.
• Second piece of Identification and Proof of Address for the legal entity’s shareholders, diretors and executives who hold signatory rights.
• Source of Wealth (SOW) of the onboarded legal entity and of its shareholders and/or investors.
• Most recent bank statement showing
• Submitting a Suspecious Activity Report by the MLRO to the appropriate authorities.
• FUNDFLEX’s MLRO may, at its own discretion, submit a suspicious transaction report in the client’s domiciled jurisdiction.
• Proof of control over external Cryptocurrency wallets that the client had engaged with. (Travel Rule)
• Second Video Identification for the legal entity’s shareholders, directors and executives who hold signatory rights and a detailed information interview regarding the background of the suspicious transaction/new findings.
• History of legal proceedings that were filed against the legal entity and/or its shareholders, directors or executives which hold signatory rights.
• MLRO live video interview with the one or more of the legal entity’s senior executives.

 

4.3.2 For individual retail clients or individuals associated with the onboarding of a legal entity:

• Second POI document.
• Absence of criminal record, history of legal proceedings that were filed against shareholders, directors or executives which hold signatory rights.
• Individual tax returns
• Individual tax audits when applicable
• Proof of Source of Funds covering at least the projected account volume or account activity up to the commencement of the EDD process.
• Additional Video Identification and interview verification of any reasoning behind the suspicious or flagged transactions.
• Client video confirming account activity in question
• Proof of control over external Cryptocurrency wallets that the client had engaged with. (Travel Rule)
• Proof of a Tax identification number (TIN) or Social Security Number (SSN)

4.4 SUSPECIOUS ACTIVITY REPORT (SAR) POLICY- IDENTIFICATION, FLAGGING & REPORTING                         PROCEDURES

Last reviewed/ updated: 20 MAR 2025

4.4.1 This Suspicious Activity Reports (SAR) Flagging and Reporting Policy outlines the responsibilities, procedures, and controls established by FUNDFLEX  (HEREIN: “the Company” or “FUNDFLEX”), as a Swiss-regulated money remitter and Virtual Asset exchange platform. The policy outlines the identification, escalation, documentation, and reporting of activities suspected to be linked with money laundering, terrorist financing, fraud, or other criminal conduct.

The policy reflects the legal requirements of the Swiss Anti-Money Laundering Act (AMLA), the guidelines and directives of the Swiss Financial Market Supervisory Authority (FINMA), and other relevant local and international standards, including the recommendations of the Financial Action Task Force (FATF).

• Purpose and Objectives:
• Ensure full legal and regulatory compliance with applicable Swiss AML/CFT obligations.
• Ensure a robust internal framework for detecting and reporting suspicious activity and foster a culture of compliance and due diligence among employees.
• Define the process of internal escalation and external reporting to the MLRO.
• Protect the Company, its clients, and the financial system from exploitation by illicit actors.

• Legal and Regulatory Framework – This policy is designed in alignment with, and must be read in conjunction with:
• The Swiss Anti-Money Laundering Act (AMLA; SR 955.0)
• The Swiss Anti-Money Laundering Ordinance (AMLO-FINMA)
• FINMA Circular 2016/7 (Video and online identification)
• FINMA Risk-Based AML/CFT Supervision Requirements
• Financial Action Task Force (FATF) Recommendations
• Federal Act on the Implementation of Recommendations of the Global Forum on Transparency and Exchange of Information for Tax Purposes

• Scope of Application – This policy applies and relates to:
• Executive management and Board of Directors.
• Compliance and risk management departments.
• Customer onboarding and transaction monitoring teams.
• Technology platforms and tools used to facilitate ongoing company activity.
• External vendors or outsourced compliance services where applicable.

• Definitions:

• Suspicious Activity: Any transaction or pattern of behavior that raises reasonable grounds for suspecting that assets involved are linked to criminal conduct, terrorist financing, or attempts to hide or disguise the nature, source, location, ownership, or control of such assets.
• SAR: A Suspicious Activity Report is a formal submission made by the MLRO detailing suspicions related to criminal financial conduct.
• MLRO: The Money Laundering Reporting Officer is the designated individual responsible for handling all AML/CFT-related investigations and reporting obligations.

• Identification of Suspicious Activity:

The company will identify an event that requires SAR evaluation either by:

• CRM platform which continuously gathers data based on client behavior and use of the account. Much of the data gathered is used to identify an event which needs to be evaluated for SAR process and will be used to flag the event for the company’s compliance staff and MLRO’s evaluation.
• Manual review of a SAR event which is escalated internally.

• Flagging:
• The CRM will flag the SAR event and place it in queue for evaluation by the company’s compliance staff.
• The Compliance agent receiving the CRM SAR notification will review the qualifying events and collect any required documentation if applicable, for the use of the MLRO.

 

4.4.2 Automatically generated SAR notification triggers

 

4.4.2.1 The following events will be identified and flagged by the company’s CRM for compliance evaluation and possible SAR submission:

 

• Activity volume of over 15,000 EUR per month for an individual retail customer.
• Single transaction for 10,000 EUR or more.
• Attempts to evade transaction monitoring thresholds e.g. multiple transactions for 9,001 EUR each attempting to evade the 10,000EUR EDD and/or SAR thresholds
• Behavior that is meant to conceal certain activities such as compliance documents deemed as not genuine or altered, activity explanations contradicting account activity, failure to provide requested compliance documents within a specified time frame.
• Customer or transaction screening resulting in a positive match for PEP, Sanctions, adverse media, criminal history etc.
• Elevated risk classification calculated by the CRM.
• Significant deviation in total and/or single transaction amounts.
• Significant deviation in transaction count within a given time frame.
• Deviation in percentage of amount or count payments allocated to new beneficiaries.
• Introduction to new counterparties at High-Risk and/or engaging in activity related to High-Risk counterparties/business sectors.
• Positive screening match by the customers, its counterparties, its associated individuals (e.g. directors, shareholders in corporate accounts)
• Transaction monitoring and/or customer monitoring resulting in a positive match for any AML element such as Sanctions, PEP, Adverse Media, Known Criminal Record etc.)
• Transaction monitoring and/or customer monitoring resulting in a positive match for any AML element such as Sanctions, PEP, Adverse Media, Known Criminal Record etc.) for any known counterparties that have transacted with the customer.
• FUNDFLEX doesn’t handle cash activity without exceptions. Therefore, the SAR policy omits a process for Cash transactions and handling of Cash.
• Blockchain monitoring tools (BitFury) returns a “High-Risk” result for the customer’s address as well as for any external addresses associated with the customer’s account.
• Positive blockchain screening result flagging external address which have transacted
• Use of crypto mixers or tumblers to obscure transaction trails.
• Use of privacy-enhancing coins (e.g., Monero, ZCash).
• Transfer requests to or from high-risk or sanctioned jurisdictions.
• Use of multiple accounts or wallets without legitimate reason.
• Source of funds that cannot be clearly established or verified.
• Travel rule for Virtual Assets cannot be satisfied – i.e. Customer can’t or won’t prove ownership over a Virtual Asset address associated with their activity.

• Escalation:

 The responsible Compliance agent reviews the SAR notification, collects any required documents required for an evaluation and escalated the case to the MLRO.

Considering the evidence at hand, the MLRO will either:

• Request more information internally or from the customer.
• Reject the SAR notification as one that does not require reporting with a detailed explanation regarding the reasoning behind their decision.
• Submit a Suspicious Activity Report (SAR) with the information at hand to the relevant authorities.

• SAR submission:

Once a SAR event was confirmed, the MLRO will compile a report (generated automatically by the company’s CRM based on So-FIT’s reporting standards and submit it electronically to (i) SO-FIT’s online SAR Reporting Platform. (ii) By email to both SO-FIT (Swiss Regulator) and to relevant regulator email address at the customer’s residential jurisdiction.

 

 

 

4.5 ONGOING TRANSACTION AND CUSTOMER MONITORING

 

4.5.1 Ongoing Customer /Account monitoring:

 

The company’s monitoring policy relies on the customer’s ongoing risk score calculation and classification.

FUNDFLEX’ CRM will continuously calculate each customer’s risk score and classification. The CRM will trigger a screening request to all 3 automated tools used by the company – LSGE WorldCheck One, SUM&SUB and Crystal (Blockchain monitoring system) upon occurrence of one or more of the events listed below:

 

• Periodic customer screening, based on pre-scheduled intervals.
• Customer request to send out fiat funds and/or Virtual Assets.
• Incoming transactions of fiat funds or Virtual Assets.
• Screening match of counterparties previously transacted with the customer.
• Detection of digital anomalies such as IP geolocation account access missmatch, Frequent or unusual VPN use, meaningful changes in user agent data.

4.5.2 Ongoing Transaction Monitoring Policy and Customer Screening

The company conducts continuous transaction monitoring to detect, prevent, and report potentially suspicious activities involving fiat currency and virtual assets. All customers are required to provide documentation substantiating the nature, purpose, and legitimacy of both incoming and outgoing transactions. Enhanced due diligence (EDD) may be applied to transactions deemed high risk.

• Fiat Transactions: Consumer-to-Consumer (C2C) Transactions:
• Sender/Beneficiary Name Match:
  C2C incoming transactions are restricted to first party only; the name on the sending bank account must closely match (up to 15% deviation when compared to the account holder’s name on file.
• Transfers will be rejected by the compliance engine (FUNDFLEX) if the name mismatch exceeds 15% between the bank account and the customer’s profile.

• Required Documentation:
  • Proof of ownership of the sending bank account (e.g., recent bank statement).
  • Proof of virtual asset wallet ownership (if converting from Virtual Assets).
  • Proof of source of funds (e.g., payslip, sale agreement, loan documents, inheritance letter, etc.).

4.5.2.3. Consumer-to-Business (C2B) Transactions- Required Documentation:

• Proof of ownership of the sending account and the geographic location of the financial institution.
• Commercial invoice, service contract, or price quotation referencing specific goods or services.
• Digitally signed “Declaration of Deposit” (DoD) specifying the purpose and nature of the transaction.
• Evidence of source of funds.

4.5.2.4 Business-to-Business (B2B) Transactions- Required Documentation:

• Invoice, tax receipt, or formal payment request.
• Dated and signed service agreement or contract outlining the commercial relationship, expected deliverables, and payment terms.
• Proof of source of funds (e.g., audited financials, bank statements, corporate income proof).
• Additional scrutiny may be applied to cross-border transactions, high-risk jurisdictions, and politically exposed persons (PEPs).

4.5.2.5 Virtual Asset Transactions

The company implements specialized blockchain intelligence tools to assess and monitor all crypto-related transactions, leveraging tools such as SUM&SUB and Crystal Blockchain (Bitfury).

4.5.2.6 Escalation and Reporting

• Suspicious Activity Reports (SARs) will be filed with relevant Financial Intelligence Units (FIUs) in accordance with jurisdictional AML laws.
• Repeated high-risk activity or refusal to provide documentation may result in:
• Account suspension or closure.
• Regulatory reporting and law enforcement liaison.

4.5.2.6 Review and Recordkeeping

• All transaction monitoring records, including documentation and review logs, will be retained for a minimum of 5 years in accordance with regulatory obligations.
• Monitoring rules and thresholds are reviewed quarterly and updated to reflect evolving typologies and risk profiles.

4.6 Ongoing Transaction Monitoring

 The company will request all customers to substantiate and provide supporting documentation for all incoming and outgoing transactions in fiat currency or in Virtual Assets.

 

4.6.1 Fiat Transactions: C2C incoming transactions are restricted to 1st party only.

 

Eligible supporting documents: 

• Proof of account ownership over the sending bank account.
• C2C transfers will be rejected by FUNDFLEX if sending account name and beneficiary name in FUNDFLEX are mismatched at a level of more than 15%.
• Proof of Virtual Asset wallet ownership.
• Proof of source of funds.

4.6.2 C2B transactions:

• Proof of ownership of the sending account and confirmation of the location of the sending financial institution.
• Invoice / request for payment / services price quote.
• “Declaration of Deposit” (DOD) signed digitally confirming specific account activity.
• Proof of source of funds.

4.6.3 B2B Transactions:

• Invoice / Tax Receipt / Request for payment.
• Service Agreement signed and dated, detailing the business relationship between the parties and the scheduled consideration for which the payment is submitted.
• Proof of source of funds for the sending party.

4.6.4 Virtual Assets transactions:

• Incoming transactions are screened and whitelisted prior to crediting the coins to the customer’s account. The company uses using SUM& SUB as well as Crytal (BITFURY) – a dedicated blockchain monitoring platform.
• Sending addresses categorized by the company’s monitoring systems as “High Risk” will be transferred to a manual review by a compliance agent prior to crediting the customer’s account.
• Similarly, outgoing transactions in Virtual Assets will trigger an automatic screening for both sending and receiving addresses.
• Address flagged as high risk will be reviewed manually by a compliance agent and will be either credited to the customer’s account or will be escalated to the MLRO for a final decision.

5. Training

The Compliance Training Program ensures that all employees handling compliance responsibilities are equipped with the necessary knowledge, skills, and regulatory understanding to effectively uphold the company’s compliance obligations.

 The program was developed internally and overseen by the appointed Money Laundering Reporting Officer (MLRO), and it also includes mandatory certification by the So-FIT.

5.1 Objectives

• To ensure all compliance staff understand and adhere to applicable regulatory requirements and the company’s internal processes regarding AML activity.
• Evaluate the company’s internal AML procedures and processes.
• To stay up to date with emerging regulatory changes, evolving compliance risks especially as relating to Sanctions or PEP risks.
• AML Accreditation of compliance staff by the regulator.

5.2 The training program will apply to the following:

• The training will be delivered by the company’s MLRO through In-person sessions and online modules.
• All personnel working in the Compliance Department including the MLRO.
• When relevant: Risk, Legal, tech teams interacting with compliance matters.
• Materials: Internal compliance manual, regulatory guidelines, industry case studies

5.3 Training Timeline

Training Type	When Conducted
Onboarding Compliance Training	Upon hiring of compliance staff
Annual Refresher Training	Annually for all compliance staff
Event-Driven Training	Upon changes in laws, regulations, or internal policies
	As determined by the MLRO based on risk assessment or incidents
Regulatory Certification Training	After internal training and before taking regulator’s certification

5.4 During training the following core content modules are taught and rehearsed:

• Overview of Regulatory Environment (FATF, local regulator, etc.).
• AML/CFT obligations and reporting requirements.
• KYC and Customer Due Diligence, Recordkeeping and audit trails.
• Transaction monitoring and suspicious activity reporting (SARs).
• Sanctions, PEP and High Risk compliance and screening methodology.
• Technical use of the company’s Compliance tools
• Case studies and red flags

5.5 Program Review

• Review Frequency: Annually or after major regulatory changes
• Responsibility: MLRO conducts an effectiveness review and updates content as necessary
• Feedback Collection: Post-training evaluations are conducted to improve program quality

5.6 Introduction to Compliance and Regulatory Framework

• Role and importance of compliance in financial services and crypto industries
• Overview of global regulatory bodies (e.g., FATF, FinCEN, SEC, ESMA, FCA)
• Overview of national regulatory requirements (e.g., registration, licensing)
• Responsibilities of the Compliance Department and the MLR

5.7 Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF)

• Definitions and stages of money laundering
• CTF: Understanding terrorism financing methods and typologies
• AML/CTF lifecycle: Identification, verification, monitoring, reporting
• Overview of risk-based approach to AML
• Enhanced Due Diligence (EDD)
• Red flag indicators and suspicious behavior pattern.

 

5.8 Know Your Customer (KYC), Customer Due Diligence (CDD) and EDD Escalation

• Customer identification requirements (CIP)
• Verification methods for individuals and legal entities
• Ongoing due diligence: monitoring for behavioral changes and anomalies
• Ultimate Beneficial Ownership (UBO) and corporate structures
• Remote onboarding and biometric verification in digital platforms
• Case examples of identity fraud and document forgery.

5.9 Sanctions and PEP Screening

• Understanding global and local sanctions regimes (OFAC, UN, EU)
• Politically Exposed Persons (PEPs): Identification and monitoring
• Sanctions list screening tools and escalation protocols
• Handling false positives and adverse media checks
• Real-world case studies on sanctions violations

5.10 Transaction Monitoring and Reporting

• Monitoring tools: automated vs. manual
• Identifying unusual patterns in fiat and crypto transactions
• SARs/STRs: When and how to file
• Geo-location risks, high-risk jurisdictions, cross-border transactions
• Chain analysis and blockchain forensics in crypto transactions

5.11 Regulatory Reporting and Interaction

• Timelines and procedures for mandatory regulatory reporting
• Recordkeeping standards
• Liaising with regulators: audits, investigations, and inspections
• Responding to information requests

5.12 Data Protection, Privacy & Cybersecurity

• Compliance with GDPR, CCPA, and other data protection laws
• Confidentiality obligations of compliance staff
• Cybersecurity threats and internal access controls
• Handling data breaches and reporting obligations

5.13 Internal Policies and Procedures

• Review of the company’s Compliance Manual
• Internal escalation procedures and exception handling
• Interaction with other departments: Legal, Risk, Operations, Tech

5.14 Case Studies and Real-World Scenarios

 

5.15 Testing and Certification

Following training, the compliance agent will be certified internally by the MLRO and will then (within 4 months of hiring) need to complete their accreditation with the regulator.

 

6. AUDITING

 

6.1 Internal auditing: Internal review and evaluation of the following policies:

• The internal policy review is completed by the MLRO and any relevant legal advisors to the company.
• Regular policy reviews are held on a quarterly basis.
• The company’s board will reaffirm the policy or instruct to implement any required modifications proposed. The company’s CEO and MLRO will then sign off on the policies following each affirmation cycle.
• Reviews and changes to internal policies are also triggered independently by the company’s MLRO based on regulatory changes pertaining to the company’s activities and require a change in policy or internal processes within the company.

6.2 External auditing and certification: AML and risk audit:

• The company is evaluated and audited for AML and risk assessment purposes.
• The audit is done by an external auditor, authorized by the Swiss regulator (FINMA / SO-FIT) and on a yearly basis.
• Upon hire of AML and/or Compliance staff each employee will be formally accredited by the Swiss regulator (SO-FIT) within 6 months from the commencement of their employment with the company.

6.3 Financial Audit:

• The company is audited on a yearly basis for its report submission and bookkeeping.
• Audit is completed prior to submitting yearly fiscal reports to relevant authorities.

 

7. CALCULATION OF THE OVERALL CUSTOMER RISK SCORE AND CLASSIFICATION

 

FUNDFLEX will assess and classify its customers to one of the following risk levels at any given time:

 

A – Low risk

B – Medium risk

C – Banned/High risk

 

As part of its on-going monitoring activities, FUNDFLEX performs all due diligence measures as required by law. The extent of the implementation of the measures depends on the nature of the specific business relationship/transaction or the level of risk of the person or customer participating in the transaction or act, i.e., the “know your customer” principle must be followed.

 

When determining and defining the risk levels of the customer or a person participating in the transaction, the FUNDFLEX shall take into account, inter alia, the following risk categories:

 

 

7.1 CUSTOMER RELATED RISK

 

7.1.1 RISK RELATED TO LEGAL NATURE OF CUSTOMER AND IDENTIFICATION OF BENEFICIAL OWNERS

 

Below are examples of FUNDFLEX ’s risk levels assessments as relating to customer-related risk:

7.1.1.1 Low risk:

• a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner.
• a legal person as governed by Swiss Public Law.
• a governmental authority or another authority performing public functions in Switzerland or a contracting state of the European Economic Area or the United Kingdom
• an institution of the European Union.
• a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area, Canada or the United Kingdom, or a third country, which in its country of location is subject to requirements equal to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;

7.1.1.2 Medium risk:

• a natural person.
• a company with a firm and transparent structure and data of management bodies and beneficial owners.

     7.1.1.3 High risk:

• the beneficial owner of the natural person is some third party.
• the customer is a legal entity of any form whose structure of the management bodies and/or beneficial owners are segregated and nestled. The relevant data is verified on the basis of the statement of the customer’s representative and/or internal or non-public documents provided by the customer.
• the customer is a company, or the company related to the customer, has shareholders acting as a front or bearer shares.
• the ownership structure of the customer company seems, when considering the activities of the company, unusual or too complicated.
• the customer is a foundation, civil law partnership, trust, or common fund.
• the customer is a person registered in a low tax territory.
• the customer is a subject of European Union or UN sanctions.

 7.1.2. RISK RELATED TO COUNTRIES, TERRITORIES & JURISDICTIONS

 

A full list of FUNDFLEX ’s customer acceptance policy and acceptable jurisdictions by risk levels can be found in the following link and is updated regularly:  https://FUNDFLEX.IO/acceptance-policy/

 

Below are examples of FUNDFLEX ’s risk levels assessments as relating to jurisdiction risk:

 

7.1.2.1 Low risk:

• The customer is from, or their place of residence or location (hereinafter location) is in Canada.
• the location of the customer is in another country of the European Union or the European Economic Area.
• the location of the customer is included within the list of jurisdictions a third equivalent country which is provided by the common position adopted by the European Union (Appendix 16), which including Australia, Canada, Japan, South Korea, Singapore, Switzerland.

7.1.2.2 Medium risk:

• The location of the customer is in a third country not listed above, excluding a third High-Risk country.

7.1.2.3  High risk: 

• The risk is primarily increased in such an event where the customer, person participating in a transaction, or the transaction itself is related to a country or jurisdiction which, based on the trustworthy sources in the country like mutual assessments, detailed assessment reports or published follow-up reports, has no valid and efficient systems of the prevention of money laundering and terrorist financing.
• The list of countries deemed as High-Risk – Black or Grey List – or under sanctions are determined by the Financial Action Task Force (FATF). The updated list appears on and updated on the following webpage:
  • http://www.fatf-gafi.org/countries/# High-Risk.
  • https://www.un.org/sc/suborg/en/sanctions/un-sc-consolidated-list;

7.1.2.4 Additionally, the following clients may also be considered High-Risk or Banned:

• Client is subjected to sanctions, embargo or similar measures issued by, for example, the European Union or the United Nations.
• The list of EU sanctions for countries is available online: https://sanctionsmap.eu; the list of UN sanctions is available online: https://www.un.org/sc/suborg/en/sanctions/un-sc-consolidated-list;
• This is cross-referenced against tools such as Refinitiv WorldCheck ONE and other screening systems employed by FUNDFLEX such as Sum&Sub.
• That provide funding or support for terrorist activities. These countries include DPR Korea, Syria, Sudan and Iran and they are primarily defined by the data of the United States State Department. This is cross-referenced against tools such as Refinitiv WorldCheck ONE.
• That have designated terrorist organizations operating within their territory, as identified by Canada, United States, The European Union or the United Nations. These countries primarily include Syria, Iraq, Libya, Sudan, Somalia, Nigeria, Pakistan, India, Lebanon, Palestine, Sri Lanka, Philippines, Tajikistan, Uzbekistan, Yemen.

7.1.3 RISK RELATED TO CLIENT ACTIVITY OR BUSINESS SECTOR

 

A full list of FUNDFLEX ’s customer acceptance policy and acceptable jurisdictions by risk levels can be found in the following link and is updated regularly: https://FUNDFLEX.IO/acceptance-policy/

 

Below are examples of FUNDFLEX ’s risk levels assessments as relating to activity or business sectors risk:

 

7.1.3.1 Low risk:

• Client is a person performing usual and normal economic and professional activities and the turnover of the financial instruments of the customer, or the planned turnover of the financial instruments, is significantly small and does not exceed 40,000 EUR per one year.

7.1.3.2 Medium risk:

• Client is a person performing usual and normal economic and professional activities and the turnover of the financial instruments of the customer, or the planned turnover of the financial instruments, exceeds 40 000 EUR per one month.

7.1.3.3 High risk: 

• The business relationship takes place under unusual circumstances, including when the transactions are complicated and have unusually large scale, when the transaction patterns are unusual.
• The client is a legal entity or another association of persons that does not have the status of a legal entity.
• Client’s economic activity does not have a reasonable and clear economic or lawful objective or it is not characteristic of a specific business field or if the customer’s activity includes any of the following, regardless of the amount of the turnover:
• private or personal banking.
• providing or intermediating a product or service which may promote anonymity.
• personal asset holding.
• undertaking handling large amounts of cash.
• currency exchange, conversion transactions.
• providing a service of exchanging a virtual currency against a fiat currency or a virtual currency wallet service.
• providing gambling services (in a casino, on the internet or at sports events).
• purchasing and selling gold (incl. scrap gold), other precious metals or gemstones.
• purchasing and selling luxury goods.
• providing internet advertising.
• providing innovative services.
• establishing, selling, and managing companies.
• other activities with a higher than medium risk of money laundering or terrorist financing.
• customer is providing services via untraditional sales channels.
• there is a constant change of customers.
• the person’s customer base has grown rapidly.

 

 

7.1.4. RISK RELATED TO BILLING & ONGOING TRANSACTIONS

 

7.1.4.1 Low risk:

• A long-term contract is entered into with the customer that is in a written or electronic format or in a format that can be reproduced in writing.

• the client receives payments within the scope of the business relationship only via an account located in a credit institution entered in the Commercial Register in Canada or in a branch of a foreign credit institution or in a credit institution that has been established or whose place of business is in Canada, the European Economic Area (EEA) or in a state where requirements equal to those established in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations.
• the total value of the incoming or outgoing payments of transactions made in the business relationship does not exceed $15,000 EUR per year and less than 20 transactions per month.

7.1.4.1 Medium risk: 

• the customer uses the following during transactions with the Company:
• a limited amount of cash that does not exceed $50,000 EUR or the equal amount in another currency, regardless of whether the transaction is made as one payment or as several connected payments within a period of up to one year.

7.1.4.2 High risk: 

• the customer uses the following during transactions with the Company:
• credit institution, financial institution, paying institution or tax system that promotes anonymity.
• credit institution, financial institution, paying institution or tax system that is located in a High-Risk third country.
• settlement channels and accounts belonging to unknown or unrelated third persons.
• settlement channels and accounts belonging to third persons who are unknown or unrelated.
• large amounts of cash that exceeds 50,000 EUR or the equivalent sum in another currency, regardless of whether the transaction is made as one payment or as several connected payments within a period of up to one year.
• a credit institution, financial institution, payment institution or a payment system that is not located in a High-Risk third country or promoting anonymity and that is, according to its own experience or independent sources, reliable, and performs controls against money laundering and terrorist financing.

7.1.5 RISK ARISING FROM POLITICALLY EXPOSED PERSONS (PEP) 

 

7.1.5.1 Low risk:

• the customer is not a politically exposed person, the family member of the politically exposed person or a person known to be the close associate of the customer who is a politically exposed person.

7.1.5.2 Medium risk (Refused onboarding under the current risk appetite policy):

• The customer is not a politically exposed person or the family member of the politically exposed person, however the client is personally familiar with a low-level PEP.

7.1.5.2 High Risk (Refused onboarding under the current risk appetite policy):

• The customer is a politically exposed person and/or the family member of the politically exposed person and/or a person known to be the close associate/has close familiarity with a politically exposed person. In such a case, as per the company’s risk appetite, the client will be denied of service.

7.1.5.3 The background of the customer is verified primarily by:

• The information, documents and statements received from the customer.
• Using the Refinitiv WorldCheckOne database scan for PEP, negative media, known criminal record, sanctions lists etc.
• Using Sum&Sub screening tool for PEP.
• Using Google and the local search engine of the customer’s country of origin, if any, by entering the customer’s name in both Latin and local alphabet with the customer’s date of birth.

7.1.6. RISK RELATED TO CLIENT IDENTIFICATION

 

7.1.6.1 Low risk:

• the natural person who is the resident of Canada, the European Economic Area (EEA), Switzerland and the United Kingdom who is identified face to face or by a video identification service.
• the customer who is a legal entity entered in the commercial register of Canada, or the register of non-profit associations and foundations, is identified on the basis of original documents provided.

7.1.6.2 Medium risk:

• a foreign natural person customer is identified face-to-face or through a video identification service.
• the foreign customer who is a legal entity is identified on the basis of original documents provided and on the basis of the public information of the commercial register, or the register of non-profit associations and foundations face-to-face with the customer or the representative of the customer by identifying the representative on the basis of documents provided on the basis of a notarized or equivalent document certifying their authority, which has been legalized or certified by a certificate (apostille) replacing legalization, unless otherwise determined.
• The identity of a natural person or legal entity is verified by a notary or officially certified copy of the documents provided.

7.1.6.3 High Risk:

• during establishing the identity or verifying the information provided, suspicion has arisen as to the truthfulness, accuracy, integrity or completeness of the information provided or the authenticity of the documents or the identification of the natural person or beneficial owner / Director/ legal entity executive especially relating to AML reporting Know your customer (KYC) and Know Your Business (KYB) screening.
• the person is identified on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event.
• the representative of the customer is a legal entity.

 

7.1.7. RISK RELATED TO CHANNELS OF COMMUNICATION OR TRANSMISSION BETWEEN THE COMPANY AND THE CUSTOMER

 

7.1.7.1 Low risk:

• the customer is communicated through a communication or mediation channel that is agreed upon at the start of the business relationship or transaction or reliably changed during the course of the business relationship.
• products or services are delivered to the customer through a reliably modified delivery channel during the business relationship or at the initiative of the transaction.

7.1.7.2 Medium risk:

• at the start of the business relationship or transaction, the customer is communicated with through a temporary communication or mediation channel.
• the products or services are delivered to the customer through another temporary product or service delivery channel transmitted through an agreed communication or intermediation channel initiated by the business relationship or transaction.

7.1.7.3 High risk:

• the customer is communicated through an accidental, unreliable, or unusual communication or mediation channel.
• products or services are delivered to the customer through an accidental, unreliable, or unusual delivery channel.
• the existence and nature of a risk factor associated with the service provider used to deliver the service or product being sold.
• the distance between the location of the customer and the service provided or product offered is significantly high.

7.1.7.4 Taking into account the above risk categories, FUNDFLEX determines the risk level of the person involved in the transaction or the customer, for example whether the customer’s money laundering or terrorist financing risk is low, normal, or high or corresponds to other risk levels specified and used by the Company.

In order to determine the impact of each risk category, FUNDFLEX assesses the probability of the occurrence of risk factors in that risk category. To determine the impact of a particular risk category, a qualifying amount of the presence of risk factors that characterize it can be used to consider a particular risk factor as having “impact” or “no impact” for a given person when a certain threshold is exceeded.

 

7.1.7.5 Instructions for defining low/medium level of risk:

Generally, the customer’s level of risk is low if there is no influential risk factor in any of the risk categories so it can be concluded that the customer and their activities do not have different characteristics from normal and transparent activities, and there is no reason to suspect that the customer’s activities may bear an increased risk of money laundering or terrorism financing.

In the situations where due diligence is required by legal acts, and the information about the customer and its beneficial owner is publicly available, where the person’s activities and transactions are consistent with their usual economic activity and do not differ from other similar customers’ payments practices and behavior, or where there are quantitative or other absolute restrictions, the Company may consider the customer‘s expected risk of money laundering or terrorist financing to be low.

In the situation where at least one risk category qualifies as high, the risk of money laundering or terrorist financing cannot generally be low. On the contrary, low risk does not necessarily mean that the customer’s activities cannot be linked to money laundering or terrorist financing.

If the risk arising from the business relationship, the customer or the party to the transaction or the transaction is low, based on the risk levels assigned to the party or customer and other conditions provided for are met, the Company may apply simplified due diligence measures.

 

7.1.7.6 Instructions for defining high level of risk:

Generally, the customer’s risk level can be considered high if, when assessing the risk categories as a whole, there is a suspicion that the customer’s activities are not usual or transparent, incl. there are influential risk factors, and it can be assumed the risk of money laundering or terrorist financing is high or significantly increased. The customer’s risk level is also high if it is indicated by some separate feature of the risk factor. However, High-Risk does not necessarily mean that the customer is engaged in money laundering or terrorist financing.

 

If the Company considers the risk of the customer or the person involved in the transaction to be high, the Company must apply enhanced due diligence measures in order to properly manage the respective risks. The due diligence measures must be applied in accordance with the provisions warranted.

FUNDFLEX shall document, update, and disclose the determination of the level of risk to the competent authorities if necessary.

 

The services of FUNDFLEX are primarily related to the handling and storage of currencies presented in a digital form. The provision of a service of exchanging a virtual currency against a fiat currency and a virtual currency wallet service primarily requires the use of new and evolving technologies, which may involve the implementation of new or non-traditional sales channels within the economic activities of the Company. The vast majority of virtual currencies are comprised of different cryptocurrencies and related tokens, built on a new and rapidly evolving blockchain technology and a distributed database that is updated through a mathematical consensus algorithm.

 

7.1.7.7 This assessment is mainly the result of the following factors:

 

• Blockchain technology is new and evolving, so the mechanisms and algorithms for its occurrence, existence, transfer, and trading are not constant and may be too complex to understand. This encourages the involvement and use of virtual currencies, including cryptocurrency, in various fraudulent schemes and scams.
• Blockchain technology promotes anonymity (cryptocurrency wallet addresses are not personalized and exist usually in large quantities), which may involve the use of virtual currencies, including cryptocurrency, in money laundering, tax evasion, terrorist financing or criminal schemes.
• Blockchain technology is based on a P2P network and is not governed by any central organizations, which may facilitate the manipulation of the value of virtual currencies, including cryptocurrency.
• This risk analysis, risk mitigation method and the definition of risk appetite defined by FUNDFLEX as a provider of service of exchanging a virtual currency against a fiat currency and a virtual currency wallet service have been prepared in order to fulfil the obligation arising from the in view of the general risk associated with the Company’s activities.

18.8 FUNDFLEX is obliged to inform the employees of the company on an ongoing basis about changes in the risk assessment arisen from the Company’s activities and changes in the company’s long-term and short-term doctrine and separate viewpoints and instructions (according to the market situation, the political and economic situation, the arrangements of the supervisory authorities, etc.) in order to comply with the provisions of the PCMLTFA. This information and these notices do not necessarily have to be in the form of appendices to these guidelines and may be provided at meetings, through the heads of structural units, via e-mail or orally, but regardless of the method of transmission, it is mandatory to comply with and follow this information and these notices.

 

 

 

 

 

 

 

 

 

7.1.8 . RISK RELATED TO ACTIVITIES OF THE COMPANY & NATURE OF SERVICES PROVIDED

 

The following lists the risk factors and circumstances related to the customer’s degree of risk arising from the nature and volume of services provided by FUNDFLEX to the customer.

 

7.1.8.1 Low risk:

• FUNDFLEX sells any virtual currency to the customer and the customer pays for it through a payment account located in a credit institution, electronic money institution or payment institution established in Canada or within the European Economic Area (EEA), The United Kingdom or Switzerland.
• FUNDFLEX provides the customer with a virtual currency wallet service and the customer keeps in FUNDFLEX ’s virtual currency wallet his/her own virtual currency, which was purchased from the Company does not transfer these virtual currencies to third parties or receive virtual currency transfers from third parties; the total value of incoming or outgoing payments for business transactions does not exceed 15 000 EUR per year.

 

7.1.8.2  Medium risk:

• FUNDFLEX sells any virtual currency to the customer and the customer pays for it through a payment account located in a credit institution, electronic money institution or payment institution established in Canada or in a contractual state of the European Economic Area.
• FUNDFLEX provides the customer with a virtual currency wallet service and the customer keeps their virtual currency in the virtual currency wallet and makes virtual currency transfers to virtual currency wallets opened in an institution subject to requirements equivalent to.
• the total amount of incoming or outgoing payments related to business transactions or service contract in one calendar month does not exceed 15 000 EUR for a natural person and 25 000 EUR for a legal entity.

7.1.8.3 High risk:

• FUNDFLEX sells any virtual currency to the customer and the customer pays for it through a payment account located in a credit institution, electronic money institution or payment institution established outside of a contractual state of the European Economic Area.
• the customer sells virtual currency for money which promotes anonymity.
• FUNDFLEX provides the customer with a virtual currency wallet service and the customer keeps their virtual currency in the virtual currency wallet and transfers virtual currencies to virtual currency wallets opened in an institution for which no requirements equivalent to have been established.
• FUNDFLEX provides the customer with a virtual currency wallet service and the customer keeps the virtual currency of third parties in the virtual currency wallet.
• the total amount of incoming or outgoing payments related to business transactions or service contract in one calendar month exceeds 15 000 EUR for a natural person and 25 000 EUR for a legal entity.

 

 

7.1.9. RISK RELATED TO IDENTITY THEFT AND ANONYMOUS VERIFICATION ATTEMPTS

 

As a part of its AML obligations, FUNDFLEX will verify the identity of any prospective client.

Due to breaches in security of numerous websites (unrelated to FUNDFLEX in any way) a wide variety of personal, sensitive information can be obtained through the “Dark Net” and may be used to steal individual identities. It may also be used by criminals to attempt and onboard with FUNDFLEX to commit other crimes, amongst others related to Money Laundering and terrorist financing, all the while acting anonymously and maintaining the criminal’s true identity hidden.

 

7.1.9.1 Examples for client documents and information that is susceptible to identity theft and misuse:

• Compromised images of Proof of Identity (POI) documents. E.g. Passport, Driver’s License, National ID
• Compromised images of Proof of Address (POA) documents. E.g. Utility bills, tax returns, bank statements etc.
• Credit Score information
• Credit/Debit card images and information such as numbers, expiry dates and CVV codes
• Social Insurance numbers
• National ID or Driver’s License numbers
• Full and/or maiden names
• Dates of birth etc.
• Residential address information
• Compromised email addresses

 

 

7.1.10. RISK OF HACKS IN ONLINE SERVICES, END DEVICES AND GENERAL ONLINE SCAMS

 

FUNDFLEX is aware that online scams frequently make use of Cryptocurrency exchanges with lax security measures to accept payments from their victims in Cryptocurrencies.

7.1.10.1   The scammers will try and persuade the victim to either:

• Voluntarily purchase Cryptocurrency and send it to an externally controlled wallet.
• Take control over the victim’s end device and payment information (for example Credit Card) to purchase Cryptocurrency without the victim’s full knowledge or agreement and send the coins to an external wallet.

Due to the technological nature of all Blockchain protocols, once a transfer transaction was finalized it cannot be cancelled, rejected or refunded. Furthermore, no regulatory body exists that can technically govern the movement of Cryptocurrencies within the Blockchain, thus leaving the victim without any recourse to re-claim their stolen funds.

 

7.1.10.2 The scammers will often try:

• To persuade their victims to hand over usernames and passwords for existing accounts including for Cryptocurrency Exchanges, Banks, Email accounts etc.
• To directly obtain authentication codes to complete money related activities such as account withdrawals.
• Take control over the victim’s end device (phone, tablet, or computer) via means of brute force, malware and malicious links.
• “Spoof” E-mails asking the victim for their login information pretending and impersonating to a body that the client is well familiar with like a bank or email provider.
• Take control over the victim’s end device (phone, tablet, or computer) via means of remote controlling software such as AnyDesk, Team Viewer and others.

 

7.1.11. RISK APPETITE

 

FUNDFLEX shall not enter into business relations with natural persons and/or legal entities who are Categorized by one or more factors as “High Risk” or “Banned” or prohibited by these guidelines and its appendices or laws, directives or policies that FUNDFLEX is obliged by.

FUNDFLEX shall avoid business relations in particular with the following categories of customers:

• It is not possible to identify the customer (legal or natural entity).
• The end risk level upon onboarding is determined as “High Risk” or “Banned” by FUNDFLEX ’s compliance team and AMLRO for any of the risk assessment categories mentioned above. For example:
• Customer is located in a High-Risk third country, subjected to sanctions.
• The customer is a subject of the European Union or UN sanctions.
• The customer has previously been convicted of money laundering, tax evasion, terrorist financing or any criminal activities, or is under criminal proceedings.

 

8. 8. MITIGATION OF RISKS

The following describes FUNDFLEX’s risk mitigation practices in place:

 

8. 1 Identification and KYC procedures upon onboarding:

• Upon onboarding, the prospective client must be identified by a video identification call rather than relying on static files uploaded online and containing the required KYC documentation. Currently FUNDFLEX uses Sum&Sub platform to perform its video verification.
• In order to mitigate the risk for identity theft or anonymous registration, Sum&Sub will also compare the biometric information on the submitted Proof of Identification (the client’s photo in their Proof of Identity) against the biometric information gathered during the video identification and will detect and reject mismatches.
• Client Screening: Client assessment with at least two database aggregators to screen for PEP, negative media, criminal activity, pending or past legal cases against a legal entity (and its shareholders, directors, and company executives which hold signatory rights in the account or with the client as a whole), or an individual.
• Currently FUNDFLEX uses (i) Sum&Sub (ii) LGSE Worldcheck One to screen its prospective clients and monitor their ongoing activity. The search or the legal entity/individual names within the databases is set to 85% deviation sensitivity for the name collected upon onboarding or during transaction monitoring.
• Upon registration FUNDFLEX will verify the client’s email and phone details by a 2-FA (Two Factor Authentication) code.

 

8.2 Collection of the client’s online footprint:

FUNDFLEX screens and collected clients’ IP, user agent information as well as last known web address visited upon onboarding, registration and login.

• Attempts to register or access the platform via VPN will be blocked.
• Mismatched Client country / phone number country and IP will flag the client for further review.
• Web referrals from known online scams, for example unlicensed trading, will also suspend the account pending further review.

 

8.3 Ongoing transaction monitoring:

Upon each incoming or outgoing fiat transactions:

• Proper documentation justifying the transaction will be collected (invoice, agreements etc.) prior to finally crediting or debiting the transaction. The documents will then be approved, lead to a request for more information, or be rejected by FUNDFLEX’s compliance team.
• Sender and beneficiary screening. The process is automatic via API, and FUNDFLEX platform will suspend transactions that exceed its defined thresholds and place it in line for a manual review and release.
• All client deposits MUST originate from a bank account under the name of FUNDFLEX’s registered client ONLY. Funds sent from accounts under other names will be rejected unless a Power of Attorney can be provided.

8.3.1 For transactions involving deposits or withdrawals of cryptocurrency:

Prior to withdrawing outgoing or credit incoming coins, a blockchain monitoring system will screen the sending and/or receiving Cryptocurrency address and its associated risk. The risk measured by the Blockchain monitoring system will also be factored into FUNDFLEX’s overall client risk assessment and determined levels. The process is automatic via API and FUNDFLEX platform will simply suspend transactions that exceed its defined thresholds pending a manual review.

 

8.3.2  Collection of client waivers – Declaration of Deposit & Release of Claims (DOD) for transactions:

Suspicious transactions by amount, count, deviation from client usual activity, suspicious web referrals or IPs will require the client to sign an online form “Declaration of Deposit and Release of Claims” (DOD). The DOD will include the following waiver clauses:

• Risk warning by FUNDFLEX as to the dealing in Cryptocurrency as well as caution from online scams.
• Client approval that the purchase of cryptocurrency is not being used as a form of payment for any unlicensed activity such as online trading.
• Confirmation of both the fiat deposits and conversions to Cryptocurrency that were done on the client’s account.
• Confirmation by the client that they have purchased the cryptocurrency out of their own free will and were not coerced in any way by a third party, nor were solicited to purchased cryptocurrency by FUNDFLEX or by any third party.

8.4 Ongoing Client monitoring and screening:

• Collection of updated, recent Proof of Address (POA) and Proof of Identification or an additional Video Identification.
• LSEG WorldCheck and Sum&Sub client Screening for every incoming and outgoing transactions via API.

 

8.5 Activity Verification by a 2 Factor Authentication tools:

To ensure that clients themselves are the only ones that access and use the account, FUNDFLEX will require TWO  2-FA (2 Factor Authentication) for all sensitive activity on FUNDFLEX’s platform. FUNDFLEX will send 2 authentication codes to the client (to their original registration email and phone number) prior to executing any of the following activity:

• Upon login
• Change of personal details
• Change of registered bank account
• Withdrawals of both Fiat and Cryptocurrency

8.6 Account restrictions:

• Upon flagging of a suspicious transaction based on the criteria introduced above, account restrictions may be applied to the account:
• Restrictions on deposit amount or deposit count in fiat or cryptocurrency within a specific time frame.
• Restrictions on / disable permitted activity in terms of jurisdictions, business sectors or specific beneficiaries or senders.