The purpose of these Guidelines for Anti-Money Laundering (AML), Combating Terrorist Financing (CFT) and Sanctions measures is to ensure that ICB TRANSFER LTD (Company) has internal guidelines to prevent the use of its business for Money Laundering and Terrorist Financing and internal guidelines for implementation of international sanctions.
These Guidelines have been adopted to ensure that the Company complies with the rules and regulations set out in the Criminal Code and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) (Law) and other applicable legislation.
These Guidelines are subject to a review by the Management Board at least annually. Proposal for a review and the review of these Guidelines may be scheduled more frequently by the decision of the Company’s Money Laundering Reporting Officer (MLRO).
These Guidelines shall be accepted and approved by the resolution of the Company’s Management Board.
Beneficial Owner means a natural person who, taking advantage of their influence, makes a transaction, act, action, operation or step or exercises control in another manner over a transaction, act, action, operation or step or over another person and in whose interests or for whose benefit or on whose account a transaction or act, action, operation or step is made. In the case of a legal entity, the Beneficial Owner is a natural person whose direct or indirect holding, or the sum of all direct and indirect holdings in the legal person, exceeds 25 percent, including holdings in the form of shares or other forms of bearer.
Business relationship shall mean a business, professional or commercial relationship between a customer and financial institutions or other obliged entities which are connected with their professional activities and which is expected, at the time when the contact is established, to have an element of duration.
Company means legal entity with following data:
Custodian Virtual Currency Wallet means Virtual Currency Address(es) generated with the public key for storing and managing Virtual Currencies entrusted to the Company but remaining their property.
Customer means a natural person or a legal entity which has the Business Relationship with the Company or a natural person or legal entity with which the Company enters into the Occasional Transaction.
Employee means the Company’s employee and any other person who is involved in application of these Guidelines in the Company.
Guidelines – this document including all annexes as provided above. The Guidelines include inter alia the Company’s internal control procedure regarding the Guidelines and the Company’s risk assessment policy regarding risk-based approach for ML/TF risks.
Management Board means management board of the Company. If the Company has no management board – the manager of the Company shall be considered as the Management Board member and he or she shall be responsible for the Management Board duties in the context of the Guidelines.
MLRO means Money Laundering Reporting Officer, who is appointed to the Company as a person responsible for receiving internal disclosures and making reports to the FINTRAC and other duties as described above.
Monetary Operation means any payment, transfer or receipt of money.
Money Laundering (ML) means the concealment of the origins of illicit funds through their introduction into the legal economic system and transactions that appear to be legitimate. There are three recognized stages in the Money Laundering process:
Occasional Transaction means the transaction performed by the Company in the course of economic or professional activities for the purpose of provision of a service or sale of goods or distribution thereof in another manner to the Customer outside the course of an established Business Relationship.
PEP means a natural person who performs or has performed prominent public functions and with regard to whom related risks remain.
Sanctions mean an essential tool of foreign policy aimed at supporting the maintenance or restoration of peace, international security, democracy and the rule of law, following human rights and international law or achieving other objectives of the United Nations Charter or the common foreign and security Policy of the European Union. Sanctions include:
Terrorist Financing (TF) means the financing and supporting of an act of terrorism and commissioning thereof as well as the financing and supporting of travel for the purpose of terrorism in the meaning of applicable legislation.
Equivalent Third Country – a country which is not a Member State of the European Economic Area but applies a regime equivalent to the corresponding EU and UK AML framework and is consistent with FINTRAC.
Virtual Currency means a value represented in the digital form, which is digitally transferable, preservable or tradable and which natural persons or legal persons accept as a payment instrument, but that is not the legal tender of any country or funds for the purposes of Proceeds of Crime (Money Laundering) and Terrorist Financing Act of Canada (S.C. 2000, c. 17); Article 4(25) of Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, pp 35–127) or a payment transaction for the purposes of points (k) and (l) of Article 3 of the same Directive.
Virtual Currency Address means address/account generated from letters, numbers and/or symbols in the blockchain, by which the blockchain allocates the Virtual Currency to the owner or recipient.
FINTRAC – Financial Transactions and Reports Analysis Centre of Canada.
Customer due diligence (CDD) measures are required for verifying the identity of a new or existing Customer as well as performing risk-based ongoing monitoring of the Business Relationship with the Customer. The CDD measures consist of 2 levels, including standard and enhanced due diligence measures, as specified below.
Main Principles
The CDD measures are taken and performed to the extent necessary considering the Customer’s risk profile and other circumstances in the following cases:
In the case of receiving information in foreign languages within the framework of CDD implementation, the Company may request translation of the documents into another language applicable for the Company. The use of translations should be avoided in situations where the original documents are prepared in a language applicable for the Company.
Achieving CDD is a process that starts with the implementation of CDD measures. When that process is complete, the Customer is assigned documented individual risk level which shall form the basis for follow-up measures, and which is followed up and updated when necessary.
The Company has applied CDD measures adequately if the Company has the inner conviction that they have complied with the obligation to apply due diligence measures. The principle of reasonability is observed in the consideration of inner conviction.
This means that the Company must, upon the application of CDD measures, acquire the knowledge, understanding and assertation that they have collected enough information about the Customer, the Customer’s activities, the purpose of the Business Relationship and of the transactions carried out within the scope of the Business Relationship, the origin of the funds, etc., so that they understand the Customer and the Customer’s (business) activities, thereby taking into account the Customer’s risk level, the risk associated with the Business Relationship and the nature of such relationship. Such a level of assertation must make it possible to identify complicated, high-value and unusual transactions and transaction patterns that have no reasonable or obvious economic or legitimate purpose or are uncharacteristic of the specific features of the business in question.
The Services Provided
The Company’s main economic activity is the provision of exchange services. For this reason, the Company offers to their Customers the following transaction types:
The Company provides the aforementioned services including but not limited to virtual currencies: BTC; USDT (ERC20); USDT (TRC20); TRX; ETH; DOGE; LTC.
The Verification of Information used for the Customer’s Identification
Verification of the information for the Customer’s identification means using data from a reliable and independent source to confirm that the data is true and correct, also confirming, if necessary, that the data directly related to the Customer is true and correct. This, inter alia, means that the purpose of verification of information is to obtain reassurance that the Customer, who wants to establish the Business Relationship is the person they claim to be.
The reliable and independent source (must exist cumulatively) is verification of the information obtained in the course of identification:
Application of Standard Due Diligence Measures (level 1)
Standard due diligence (SDD) measures are applied to all Customers where CDD measures must be applied in accordance with the Guidelines.
SDD measures must not be carried out in the circumstances where enhanced due diligence measures (as described below) must be carried out.
Where, in the course of performing ongoing monitoring of the Customer’s Business Relationships, it is established that the risk of ML and/or TF is no longer low, the Company must apply the relevant level of CDD measures.
When applying SDD measures, the Company must obtain the following data of the Customer who is a natural person:
Standard due diligence measures are mandatory for legal person verification entities regardless of the amount of the transaction for which the Company must obtain the following data of the Customer:
The Customer is also required to upload to the system:
The following standard due diligence measures should be applied:
The CDD measures specified above must be applied before establishing the Business Relationship or performing transaction. The exact instruction for application standard due diligence measures is provided in the Guidelines.
Application of Enhanced Due Diligence Measures (level 2)
In addition to standard due diligence measures, the Company applies enhanced due diligence (EDD) measures in order to manage and mitigate an established risk of Money Laundering and Terrorist Financing in the case where the risk is established to be higher than usual.
The Company always applies EDD measures, when:
Prior to applying EDD measures, the Company’s Employee ensures that the Business Relationship or transaction has a high risk and that a high-risk rate can be attributed to such Business Relationship or transaction. Above all, the Employee assesses prior to applying the EDD measures whether the features described above are present and applies them as independent grounds (that is, each of the factors identified allows application of EDD measures with respect to the Customer).
When applying EDD measures to a single transaction of a natural person, or several transactions, in an amount equal to or exceeding EUR 10,000, the Company must apply the following measures:
When applying EDD measures where the Customer is from such country or territory or their place of residence or seat or the seat of the payment service provider of the payee is in a country or territory that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the FINTRAC, the Company must apply the following measures:
In any other cases when EDD measures must be applied, the amount of EDD measures and the scope shall be determined by the Employee, who is applying such measures. The following additional and relevant due diligence measures may be followed:
In the case of application of EDD measures, the Company reassesses the Customer’s risk profile no later than every six months.
The identification of the Customer’s representative and their right of representation
The representative of the Customer shall be identified as the Customer, who is a natural person in accordance with these Guidelines. The Company must also identify and verify the nature and scope of the right of representation of the Customer. The name, date of issue and name of issuer of the document that serves as a basis for the right of representation must be ascertained and retained, except where the right of representation was verified using information originating from the relevant register.
The Company must observe the conditions of the right of representation granted to the legal entity’s representatives and provide services only within the scope of the right of representation.
In case the right of representation of the Customer (legal person) is evident from the registry extract, Articles of Association or equivalent documents evidencing the identity of the Customer (legal person), a separate document of authorisation (e.g. a Power of Attorney) should not be required.
Requirements for documents to be submitted by the Customer
All documents provided by the Customer must be checked for compliance with the following criteria:
By uploading a selfie with an identity document, the Customer must ensure that the photo of the uploaded document and the document on the selfie match; the photo is not blurred; the user's face on the photo and on the document is clearly visible and matches; all characters of the identity document on the selfie are legible; the document is fully visible on the photo and the edges are not cropped.
The Company shall regularly check and update the documents, data and information collected within the course of the implementation of CDD measures and update the Customer’s risk profile. The regularity of the checks and update must be based on the risk profile of the Customer and the checks must take place at least:
The collected documents, data and information must also be checked if an event has occurred which indicates the need to update the collected documents, data and information.
The Company shall monitor the Customer’s Activity to ascertain the activities or facts that indicate criminal activities, Money Laundering or Terrorist Financing or the relation of which to Money Laundering or Terrorist Financing is probable, incl. complicated, high-value and unusual transactions and transaction patterns that do not have any reasonable or obvious economic or legitimate purpose or that are uncharacteristic of the specific features of the business in question. In the course of monitoring the Customer's activities the Company shall constantly assess the changes in the Customer’s activities and assess whether these changes may increase the risk level associated with the Customer, giving rise to the need to apply EDD measures.
In the course of the ongoing monitoring of the Suspicious Transactions, the Company applies the following measures:
The objective of screening is to identify suspicious and unusual transactions and transaction patterns.
The screening of the transactions is performed automatically and includes the following measures (including but not limited):
If the Customer requests a transaction to a Virtual Currency wallet with a high-risk score (e.g. wallets related to fraud, crime, etc.), the transaction shall be manually approved by the Employee, who shall assess, before the approval, the necessity to apply any additional CDD measures (e.g. applying EDD measures, asking source and origin of funds or asking additional information regarding the transaction).
When monitoring transactions, the Employee shall assess transactions with a view to detecting activities and transactions that:
Where the aforementioned fact is detected, the AML Officer shall postpone any transaction of the Customer until further review and decision regarding this.
In addition to aforementioned, the Employee shall review the Company's transactions regularly (at least once per week) to ensure that there are no transactions and transaction patterns that are complicated, high-value and unusual and that have no reasonable or obvious economic or legitimate purpose or are uncharacteristic of the specific features.
The Company identifies the source and origin of the funds used in transaction(s) if necessary. The need to identify the source and origin of funds depends on the Customer’s previous activities as well as other known information. Thereby the identification of the source and origin of the funds used in transaction shall be performed in the following cases:
Red Flags
The Company shall monitor the Customer’s Activity for unusual size, volume, pattern or type of transactions, taking into account risk factors and red flags that are appropriate to our business. Red flags that signal possible money laundering or terrorist financing include, but are not limited to:
Potential Red Flags in Customer Due Diligence and Interactions with Customers
The Customer provides the firm with unusual or suspicious identification documents that cannot be readily verified or are inconsistent with other statements or documents that the Customer has provided. Or, the Customer provides information that is inconsistent with other available information about the Customer. This indicator may apply to account openings and to interaction subsequent to account opening.
Potential Red Flags in Money Movements
The Customer “structures” deposits or purchases of monetary instruments below a certain amount to avoid reporting or recordkeeping requirements, and may state directly that they are trying to avoid triggering a reporting obligation or to evade taxing authorities.
Other Potential Red Flags
The Customer is reluctant to provide information needed to file reports to proceed with the transaction.
Upon detection of any red flag, or other activity that may be suspicious, AML Officer shall determine whether or not and how to further investigate the matter. This may include gathering additional information internally or from third-party sources, contacting the government, freezing the account and/or filing an appropriate report to FINTRAC.
Upon the entry into force, amendment or termination of Sanctions, the Company shall verify whether the Customer, their Beneficial Owner or a person who is planning to have the Business Relationship or transaction with them is a subject of Sanctions. If the Company identifies a person who is a subject of Sanctions or that the transaction intended or carried out by them is in breach of Sanctions, the Company shall apply Sanctions and inform the FINTRAC.
Procedure for identifying the subject of Sanctions and a transaction violating Sanctions
The Company shall use at least the following sources (databases) to verify the Customer’s relation to Sanctions:
In addition to aforementioned sources, the Company may use any other sources by the decision of the Employee who is applying CDD measures.
To verify that the persons’ names resulting from the inquiry are the same as the persons listed in a notification containing Sanction(s), their personal data shall be used, the main characteristics of which are, for a legal entity, its name or trademark, registry code or registration date, and for a natural person, their name and personal identification or date of birth.
In order to establish the identity of the persons specified in the relevant legal act or notice being the same as those identified as a result of the inquiry from databases, the Company must analyze the names of the persons found as a result of the inquiry based on the possible effect of factors distorting personal data (e.g. transcribing foreign names, different order of words, substitution of diacritics or double letters etc.).
The Company shall perform the abovementioned verification on an ongoing basis in the course of an established Business Relationship. The frequency of the ongoing verifications depends on the Customer’s risk profile:
If the Employee has doubts that a person is a subject of Sanctions, the Employee shall immediately notify the Management Board member. In this case the Management Board member shall decide whether to ask or acquire additional data from the person or notify the FINTRAC immediately of their suspicion.
The Company shall primarily acquire additional information on their own about the person who is in Business Relationship or is performing a transaction with them, as well as the person intending to establish the Business Relationship, perform a transaction or an act with them, preferring information from a credible and independent source. If, for some reason, such information is not available, the Company shall ask the person who is in the Business Relationship or is performing a transaction or an act with them, as well as the person intending to establish a Business Relationship, perform a transaction or an act with them, whether the information is from a credible and independent source and assess the answer.
Actions when identifying the Sanctions subject or a transaction violating Sanctions
If the Employee of the Company becomes aware that the Customer which is in Business Relationship or is performing a transaction with the Company, as well as a person intending to establish the Business Relationship or to perform a transaction with the Company, is the subject of Sanctions, the Employee shall immediately notify the Management Board member, about the identification of the subject of Sanctions, of the doubt thereof and of the measures taken.
The Management Board member shall refuse to conclude a transaction or proceeding, shall take measures provided for in the act on the imposition or implementation of the Sanctions and shall notify immediately the FINTRAC of their doubts and of the measures taken.
When identifying the subject of the Sanctions, it is necessary to identify the measures that are taken to Sanction this person. These measures are described in the legal act implementing the Sanctions, therefore it is necessary to identify the exact sanction that is implemented against the person to ensure legal and proper application of measures.
The Company is prohibited from establishing a Business Relationship, and the established Business Relationship or transaction shall be terminated (unless it is objectively impossible to do), in the case when:
Prohibited business activities
Prohibited countries
The unsupported countries or territories are Afghanistan, Albania, Angola, The Bahamas, Barbados, Belarus, Botswana, Burundi, Cambodia, Central African Republic, the Democratic Republic of Congo, Cote D'Ivoire, Crimea (Ukrainian Territory, Occupied), Cuba, Democratic People's Republic of Korea (DPRK), Donetsk region (Ukrainian Territory, Occupied), Eritrea, Gaza Strip, Ghana, Guinea Bissau, Jamaica, The Islamic Republic of Iran, Iraq, Lebanon, Liberia, Libya, Luhansk region (Ukrainian Territory, Occupied), Mali, Mauritius, Mongolia, Myanmar, Nicaragua, North Korea, Pakistan, Panama, Russian Federation, Sierra Leone, Somalia, South Sudan, Sudan, Syria, Trinidad and Tobago, Uganda, Vanuatu, Venezuela, West Bank (Palestinian Territory, Occupied), Yemen and Zimbabwe.
Prohibited Transactions
The Transaction may be carried out only with the consent of the MB if:
The Customer does not have sufficient authorizations to carry out the Transaction, or the authorizations are unclear,
The Customer’s need to carry out the Transaction has not been reasonably justified,
The management, ownership and control structure of the Customer being a legal person is unclear and/or it is structured in an unreasonably complicated way from the economic point of view, or it has changed frequently without justification,
Economic activities of a legal person or its accounting or payment practices are not transparent, the Customer may be a fictitious company or a fictitious person,
The Beneficial Owner of the Customer being legal person cannot be established,
The Customer being a legal person uses an agent or another legal person as its representative without clear authorizations (i.e. during pre-contract negotiations),
The Customer or the representative of the Customer refuses to provide information for the purposes of establishing the substance of the Transactions and assessment of the risks,
The Customer has not presented sufficient data or documents to prove legal origin of the assets and funds, after having been asked to do so,
The Customer, the Beneficial Owner of a Customer being a legal person, or another person associated with the Customer is or has been linked with organized crime, ML or TF,
The Customer, the Beneficial Owner of a Customer being a legal person, or another person associated with the Customer is or has been linked with traditional sources of income of organized crime,
International Sanctions are being applied against the Customer, the Beneficial Owner of a Customer being a legal person, or another person associated with the Customer,
The Customer has nominee shareholders or shares in bearer form.
The Company must suspend the transaction disregarding the amount of the transaction (except for the cases where this is objectively impossible due to the nature of the Monetary Operation or transaction, the manner of execution thereof or other circumstances) and through its MLRO must report to the FINTRAC on the activity or the circumstances that they identify in the course of economic activities and whereby:
The minimal characteristics of suspicious transactions are provided in the guidelines made by the FINTRAC.
The reports specified above must be made before the completion of the transaction if the Company suspects or knows that Money Laundering or Terrorist Financing or related crimes are being committed and if said circumstances are identified before the completion of the transaction.
If the necessity of the abovementioned report arises, the Employee to whom such necessity became known must immediately notify the Management Board and the MLRO about this.
Suspicious Transaction Report
The MLRO is required to submit Suspicious Transaction Reports (STR) when he/she has reasonable grounds to suspect that a transaction is related to the commission or the attempted commission of an ML/TF offence.
Pursuant to subsection 9(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations, the MLRO "shall send the report to the Centre as soon as practicable after they have taken measures that enable them to establish that there are reasonable grounds to suspect that the transaction or attempted transaction is related to the commission of a money laundering offence or a terrorist activity financing offence."
The measures mentioned in point 9.2. include:
“As soon as practicable” is interpreted to mean that the MLRO has completed the measures that have allowed him/her to determine that the RGS threshold has been reached and, as such, the development and submission of that STR must be treated as a priority.
A STR paper form is sent to FINTRAC in two ways:
All the reports described in this chapter shall be sent in accordance with the Company’s reporting guidelines through a secure channel ensuring full confidentiality.
The Company, a structural unit of the Company, a Management Board member, the MLRO and the Employee are prohibited from informing a person, its Beneficial Owner, representative or third party about a report submitted on them to the FINTRAC, a plan to submit such a report or the occurrence of reporting as well as about a precept made by the FINTRAC or about the commencement of criminal proceedings.
Large Virtual Currency Transaction Reporting
Large virtual currency transaction reporting requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations are applicable to all reporting entity sectors. The MLRO is responsible for meeting the Large Virtual Currency Transaction Reporting requirements.
The Company sends an LVCTR to FINTRAC when receiving virtual currency equivalent to 10,000 CAD or more per transaction.
In the case of multiple transactions conducted within 24 consecutive hours that total 10,000 CAD or more and meet one of the following conditions (conducted by the same individual or legal entity; conducted on behalf of the same individual or legal entity; intended for the same beneficiary), the Company sends an LVCTR to FINTRAC within the next 24 hours.
To determine if a transaction is reportable, MLRO must first determine when the Company is in receipt of virtual currency, and then determine if the amount of virtual currency received meets the reporting threshold of 10,000 CAD.
As the Bank of Canada does not publish exchange rates for virtual currency, the Company must use the rate established in the normal course of business to determine whether the reporting threshold amount has been reached.
The LVCTR report shall be sent to FINTRAC within five working days after the date of receipt of the amount. A copy of the LVCTR sent shall be retained by the Company.
The LVCTR paper form is sent to FINTRAC in two ways:
The Company ensures that its MLRO and Employee(s) have the relevant qualifications for their work tasks. When an Employee is recruited or engaged, his/her qualifications are checked as part of the recruitment/appointment process by carrying out background checks.
In accordance with the requirements applicable to the Company on ensuring the suitability of Employees, the Company makes sure that such persons receive appropriate training and information on an ongoing basis to be able to fulfil the Company’s obligations in compliance with the applicable legislation. It is ensured through training that such persons are knowledgeable within the area of AML/CFT to an appropriate extent considering the person’s tasks and function. For new Employees, the training comprises a review of the content of the applicable rules and regulations, the Company’s risk assessment policy, these Guidelines and other relevant procedures.
The training for the MLRO and Employee(s) must provide, first and foremost, information on all the most contemporary money laundering and terrorist financing methods and risks arising therefrom. It refers to relevant parts of the content of the applicable rules and regulations, the Company’s risk assessment, the Company’s Guidelines and procedures and information that should facilitate such MLRO and Employee(s) detecting suspected Money Laundering and Terrorist Financing. The training is structured on the basis of the risks identified through the risk assessment policy.
This training programme should therefore include, at a minimum:
(1) how to identify red flags and signs of money laundering that arise during the course of the employees’ duties;
(2) what to do once the risk is identified (including how, when and to whom to escalate unusual customer activity or other red flags for analysis and, where appropriate, the filing of FINTRAC);
(3) what employees' roles are in the firm's compliance efforts and how to perform them;
(4) the firm's record retention policy; and
(5) the disciplinary consequences (including civil and criminal penalties) for non-compliance with applicable law.
Training will occur on at least an annual basis. The content and frequency of the training is adapted to the person’s tasks and function on issues relating to AML/CFT measures. If the Guidelines are updated or amended in some way, the content and frequency of the training is adjusted appropriately.
The Company develops training in-house or contracts for it. Delivery of the training may include educational pamphlets, videos, intranet systems, in-person lectures and explanatory memos.
The training held is to be documented electronically and confirmed with the signature. This documentation should include the content of the training, names of participants and date of the training.
The Company automatically or through the person (incl. Employees, Management Board members and MLRO) who firstly receives the relevant information or documents shall register and retain the following data:
The data specified above shall be retained for 5 years.
Documents and data must be retained in a manner that allows for an exhaustive and immediate response to queries made by FINTRAC or, pursuant to legislation, other supervisory authorities, investigation authorities or the court.
The Company implements all rules of protection of personal data upon application of the requirements arising from the applicable law. The Company is allowed to process personal data gathered upon CDD implementation only for the purpose of preventing Money Laundering and Terrorist Financing and the data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.
The Company deletes the retained data after the expiry of the time period, unless the legislation regulating the relevant field establishes a different procedure. On the basis of a precept of the competent supervisory authority, data of importance for prevention, detection or investigation of Money Laundering or Terrorist Financing may be retained for a longer period, but not for more than two years after the expiry of the first time period.
The storage of log data shall be completed and kept on an electronic medium by the Management Board member or, if he/she is on a business trip or is otherwise unavailable for other valid reasons, by another Employee, as indicated in the special order of the director setting out the scope of duties and responsibilities assigned to an individual acting as a substitute.
The Employees of the Company shall be prohibited from informing, or otherwise letting know, any Customer or other individuals that information on the Monetary Operations taking place, transactions conducted by a Customer, or a resulting investigation is communicated to FINTRAC.
The performance of the Guidelines shall be internally controlled by the Management Board member, the MLRO or the Employee appointed by the MLRO or the Management Board for performing relevant functions (hereinafter in this chapter – Internal Control Officer). The Internal Control Officer must have the required competency, tools, and access to the relevant information in all structural units of the Company.
The Internal Control Officer shall perform internal control functions at least in the following fields:
The exact measures for performing internal control shall be determined by the Internal Control Officer and must correspond to the Company’s size and the nature, scope and level of complexity of its activities and the services provided. The Internal Control Officer must consider at least the examination fields specified above. The internal control measures shall be performed at the time determined by the Internal Control Officer, with the frequency set by him or her, at least once per year, if the nature of the measure does not expressly provide otherwise.
The results of the implementation of internal control measures (hereinafter in this chapter – the Internal Control Data) shall be saved separately from other data and retained for 3 years. Only Management Board members and the Internal Control Officer may have access to the Internal Control Data. The Internal Control Officer may provide access to the Internal Control Data to other Employees or third parties (e.g. advisors, auditors, etc.) only with the prior consent of the Management Board. Persons who have access to the Internal Control Data must not disclose it to anyone without the prior consent of the Management Board.
The Management Board and the MLRO shall review the internal control report provided and adopt a resolution regarding it. The Internal Control Officer shall be notified about the essence of such resolution in a format that can be reproduced in writing. For this reason, the Management Board and the MLRO are obliged to:
The Company must review and, if necessary, update the internal control procedure at least annually and in the following cases: