Anti Money Laundering standards
Note:
“PRYPCO Mint” is hereby referred to as “PRYPCO FZE”
To submit suspicious activity:
This Anti-Money Laundering (“AML”) and Combating the Financing of Terrorism (“CFT”) Policy outlines the framework that PRYPCO FZE (“the Firm” or “PRYPCO Mint”) follows to prevent money laundering and terrorist financing activities. This policy is designed to ensure compliance with applicable regulations and guidelines, including those issued by the Dubai Virtual Assets Regulatory Authority (VARA). The primary objective is to protect the integrity and reputation of PRYPCO FZE while fostering a secure and compliant operating environment.
The Company and all its employees are subject to anti-money laundering and counter-terrorism finance laws. This policy is designed to ensure that every aspect of the Company's operations is conducted in compliance with AML/CFT regulations. The AML/CFT policy and procedures are reviewed and audited regularly to ensure their effectiveness and compliance with applicable regulations. The MLRO is responsible for maintaining and updating this policy as needed.
The purpose of this policy is to establish the procedures that PRYPCO FZE follows to detect, prevent, and report money laundering and terrorist financing activities. This Policy is provided to all employees of PRYPCO FZE as well as any third parties acting on behalf of PRYPCO FZE. All employees are required to acknowledge receipt and confirm understanding by signing the Confirmation Statement (refer to Appendix 3). The AML/CFT policy and procedures are reviewed and audited regularly to ensure their effectiveness and compliance with regulations. Updated versions of this Policy shall be issued following any amendments, and staff members will be required to provide renewed acknowledgement through a subsequent Confirmation Statement. The Compliance Officer is responsible for maintaining and updating this Policy as necessary. Any revisions to the AML Manual shall require approval by the Board of Directors.
This policy is grounded in the regulatory requirements set forth by the Virtual Assets Regulatory Authority (VARA), including the guidelines and mandates outlined in VARA's Compliance and Risk Management Rulebook, the laws of the UAE, and other relevant international AML & CFT and sanctions laws, rules, and regulations. It ensures that we have robust systems and controls in place to mitigate risks to the Company and its clients, including stringent verification and due diligence checks on customers, transactions, and third parties with whom we conduct business.
This Policy offers clear guidance and a structured approach for our Company to ensure that all personnel maintain exemplary knowledge and understanding of financial crime regulations. It defines our expectations and their responsibilities under these regulations, aligned with our internal objectives. We provide a comprehensive and effective training program focused on money laundering regulations and associated regulatory requirements, accompanied by regular reviews and monitoring to assess and demonstrate employee understanding and adherence to these standards.
The Company is fully committed to safeguarding itself, its employees, and its clients from the risks associated with money laundering and terrorist financing, by implementing a company-wide risk-based approach to prevent financial crime.
SECTION 1:
Policy Objectives
This policy ensures that:
Every staff member shall meet their personal obligations as appropriate to their role and responsibilities;
Commercial considerations cannot take precedence over PRYPCO FZE’s AML commitment;
PRYPCO FZE will strictly comply with all applicable AML rules and regulations with specific emphasis on:
A culture of compliance is to be adopted and promulgated throughout the Company towards the prevention of financial crime;
A commitment to ensuring that clients' identities will be satisfactorily verified before the firm accepts them;
A commitment to “knowing its client” appropriately - both at acceptance and throughout the business relationship - through taking appropriate steps to verify the client’s identity and business, and the reasons and purpose of their business relationship with PRYPCO FZE
A commitment to ensuring that staff are adequately trained and made aware of the law and their obligations under it, and to establishing procedures to implement these requirements; and
Recognition of the importance of staff promptly reporting their suspicions internally.
Refrains from opening or conducting any financial or commercial transaction under an anonymous or fictitious name or by pseudonym or number, and from maintaining a relationship or providing any services under such conditions;
Ensures prompt application of directives issued by the competent authorities in the UAE for implementing United Nations Security Council Resolutions related to the suppression and combating of terrorism, terrorist financing, and the proliferation of weapons of mass destruction and its financing, along with compliance with all other applicable laws, regulatory requirements, and guidelines related to economic sanctions;
Maintains all records, documents, and data for all transactions, whether local or international, and makes this information available to VARA upon request; and
Ensures full compliance with any other AML/CFT requirements and applicable laws, regulatory requirements, and guidelines as may be promulgated by VARA, UAE federal government bodies or FATF.
SECTION 2:
This policy is based on the regulatory stipulations of the Virtual Assets Regulatory Authority (“VARA”), the laws of the UAE, and other relevant international AML & CFT and sanctions laws, rules, and regulations.
Applicable Laws & Regulations
The Federal AML-CFT Laws;
The Financial Action Task Force’s (FATF) 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers (June 2020);
FATF’s Second 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers (July 2021);
FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (October 2021);
The International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, The FATF Recommendations (March 2022);
Cabinet Resolution No. 74 of 2020 regarding the Terrorist List System and the Implementation of Security Council Resolutions Related to Preventing and Suppressing Terrorism and its Financing, Counter of Proliferation and its Financing, and the Relevant Resolutions;
The UAE Executive Office for Control & Non-Proliferation (EOCN) Guidance on Counter Proliferation Financing for FIs, DNFBPs, and PRYPCO FZE’s (March 2022);
The EOCN’s Local Terrorist List, as may be amended from time to time.
Any other applicable laws and regulations.
To ensure compliance with the Federal AML-CFT Laws, PRYPCO FZE employs a risk-based approach (RBA) to allocate resources efficiently by focusing on higher-risk areas. To ensure that, PRYPCO FZE:
Refrains from opening or conducting any financial or commercial transaction under an anonymous or fictitious name or number, and from maintaining a relationship or providing any services under such conditions.
Ensures prompt application of directives issued by the competent authorities in the UAE for implementing United Nations Security Council Resolutions related to the suppression and combating of terrorism, terrorist financing, and the proliferation of weapons of mass destruction and its financing, along with compliance with all other applicable laws, regulatory requirements, and guidelines related to economic sanctions.
Maintains all records and data for all transactions, and makes this information available to VARA upon request; and
Ensures full compliance with AML/CFT applicable laws, regulatory requirements, and guidelines as may be promulgated by VARA, UAE federal government bodies, FATF, or the Middle East and North Africa Financial Action Task Force from time to time.
PRYPCO FZE employs screening rules and procedures in order to screen clients as required. This is with the aim to:
Identify potential illicit activities, potentially adverse information in higher-risk situations (e.g., criminal history), and the applicability of targeted or other international financial sanctions; and
Alert operation and compliance teams to impose relevant restrictions and conduct further investigations.
All policies and procedures established and implemented regarding AML/CFT will be attested by a competent third party and submitted to VARA during the licensing process.
SECTION 3:
Effective governance and oversight are fundamental to the successful implementation of this Policy. The roles and responsibilities outlined below have been established to ensure clear accountability in managing and mitigating the risks associated with money laundering and the financing of terrorism.
Senior Management
holds critical responsibilities in the development, implementation, and oversight of the organisation's AML and CFT policy. Their leadership role ensures a strong compliance culture and the alignment of business activities with regulatory expectations.
MLRO Responsibilities
The Money Laundering Reporting Officer (“MLRO”) is responsible for developing and implementing Anti-Money Laundering (“AML”) and Counter Financing of Terrorism (“CFT”) policies and procedures. This includes ensuring that the Board and staff receive appropriate training to understand and comply with all relevant AML/CFT laws. The MLRO also conducts regular AML/CFT risk assessments, monitors and reports suspicious transactions, and ensures the timely submission of reports, as well as providing reports to the Dubai Virtual Assets Regulatory Authority (VARA) upon request.
Furthermore, the MLRO is responsible for ensuring that appropriate corrective actions are taken in response to any non-compliance with Federal AML-CFT Laws. Accordingly, PRYPCO FZE has implemented clear reporting mechanisms to ensure the timely identification and remediation of any compliance failures.
To strengthen oversight, PRYPCO FZE ensures that AML/CFT reporting obligations go beyond regulatory submissions, requiring the MLRO to report directly to the Board on the effectiveness of the VASP’s AML/CFT policies and procedures. This includes:
Quarterly reports to the Board, detailing the performance of AML/CFT controls, risk exposure, and any identified compliance deficiencies.
Immediate escalation of any non-compliance issues, ensuring prompt remedial action is taken.
Comprehensive analysis of AML/CFT policy effectiveness, identifying gaps, failures, or weaknesses that require corrective measures.
Board-level oversight and accountability, ensuring that AML/CFT policies remain aligned with Federal AML-CFT Laws and VARA directives.
In the event PRYPCO FZE delegates AML/CFT activities to appropriately considered third-party entity, this will be only be done provided that:
The MLRO remains fully accountable for all AML/CFT responsibilities and obligations related to the implementation, oversight, and enforcement of AML/CFT policies and procedures.
All applicable requirements outlined in the Company Rulebook, including those related to Outsourcing Management, are strictly adhered to.
Delegated entities must comply with all relevant AML/CFT laws, regulations, and directives, ensuring that due diligence, transaction monitoring, and reporting obligations are met.
PRYPCO FZE shall conduct ongoing assessments of outsourced AML/CFT functions to ensure that delegation does not compromise compliance, risk management, or regulatory obligations.
The MLRO shall maintain direct oversight of all outsourced AML/CFT activities, ensuring that PRYPCO FZE retains full control and accountability over its regulatory compliance framework.
Compliance Team Responsibilities
The Compliance Team supports the Money Laundering Reporting Officer (MLRO) in the implementation and maintenance of the AML/CFT framework. Their key responsibilities include:
Continuously monitoring transactions and investigating alerts.
Conducting regular risk assessments and ensuring adherence to regulatory requirements.
Providing training and support to employees on AML/CFT policies and procedures.
Assisting in the development and regular updating of AML/CFT policies and procedures.
Collaborating with other departments to ensure comprehensive AML/CFT compliance across the organisation.
Actively participating in internal and external AML/CFT audits and examinations.
Employees Responsibilities
All employees are required to comply with the AML/CFT policies and procedures and play a crucial role in identifying and reporting suspicious activities. Employees are expected to:
Participate in AML/CFT training programs.
Report any suspicious activities to the MLRO or the Compliance Team.
Ensure that all customer interactions meet the requirements of Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD).
Maintain the confidentiality of information related to AML/CFT activities.
Stay informed about the latest developments in AML/CFT regulations and best practices.
Company employees must not, without the consent of the MLRO:
put him or herself, or the Company, at risk of committing one of the money laundering offences set out above;
handle or deal with any property that is “criminal property”, including:
accepting or making payments of funds suspected to be “criminal property”;
agreeing to enter into transactions or other arrangements that are known or suspected to involve “criminal property”;
attempt to handle “criminal property”;
agree with anyone to handle “criminal property”;
encourage or assist someone else to handle “criminal property”;
disclose to anyone else the fact that they have approached the MLRO about a potential money laundering issue;
disclose to anyone else the fact that a Suspicious Activity Report (“SAR”) has been made to the MLRO or to the authorities (tipping-off);
disclose to anyone else the fact that a money laundering investigation is being contemplated or carried out (tipping-off);
make any disclosure that might prejudice a money laundering investigation; or
falsify, conceal, destroy or otherwise dispose of (or cause the falsification, concealment, destruction or disposal of) documents likely to be relevant to a money laundering investigation.
Doing any of the above could constitute a criminal offence by the Company employee and potentially by the Company.
Any Company employee who knows or suspects that anyone (in any capacity, including an employee of the Company, an individual customer, a corporate customer or an employee of a corporate customer) is or may be involved in using the Company’s business for money laundering must:
Contact the MLRO immediately to seek advice and, if appropriate, report the matter. Do not delay, as to do so may make it impossible for the individual concerned and the Company to obtain a defence to a money laundering offence;
Keep good records of the information that has caused them to become concerned, e.g. any notes made during a meeting or call where relevant information is discussed; and
Obey any instructions given by the MLRO with respect to the matter, including any instruction not to proceed with the relevant activity or transaction that may involve money laundering until consent has been granted by the authorities.
Procedures for dealing with suspicions of money laundering
From time to time:
The Company’s KYC processes may identify suspicious behaviours or transactions.
The Company’s customer service representatives may develop suspicions from dealings with a customer; or
A company employee may, through the course of assisting with an account or transaction, develop his or her own knowledge or a suspicion of money laundering.
In such circumstances:
the general requirements for AML risk management set out in this Policy continue to apply, in particular the Company employee(s) concerned must contact the MLRO immediately to make a report and must not to disclose to others (including other parties to the transaction) the fact that a report has been made unless the MLRO authorises this; and
it may be necessary for the MLRO to obtain the authorities’ consent for the transaction to proceed, without informing any other party to the transaction (or allowing others to do so). Company employees must obey instructions from the MLRO in that regard.
SECTION 4:
Given the specific nature of the services provided and the assets transacted, PRYPCO FZE utilises a variety of onboarding tools to identify, mitigate, and prevent financial crime. These tools include and other investigative capabilities to monitor and screen transactions. The tools utilised can be found in the outsourcing register:
The performance and capabilities of technical solutions service providers are reviewed at least once annually or on an ad hoc basis, such as when significant changes occur, like the introduction of new privacy features in the native blockchain of a specific virtual asset or updates to the regulatory framework. During these reviews, PRYPCO FZE evaluates the service provider’s technological advancements, system stability, and the effectiveness of their monitoring and surveillance tools to ensure they remain aligned with PRYPCO FZE’s compliance requirements.
PRYPCO FZE also performs a detailed evaluation and documentation of any tools used for ongoing monitoring. This assessment includes verifying the accuracy and granularity of data captured, evaluating the effectiveness of risk-based alerts generated, and ensuring that the tools can seamlessly adapt to any emerging threats or regulatory changes. By conducting these periodic and event-driven reviews, PRYPCO FZE ensures that its technical solutions are not only effective and reliable but also continuously evolving to meet industry standards and regulatory expectations. Review results can be shared with VARA upon request.
The Company and its employees are subject to specific AML reporting obligations.
SECTION 5:
To address financial crime (FC) risks, PRYPCO FZE has adopted a risk-based approach (RBA) that considers its business activities, client types, geographies, and engagement methods. PRYPCO FZE is committed to setting clear client acceptance standards, applying Enhanced Due Diligence (EDD) as needed, implementing client identification, screening, and profiling procedures, and providing guidance on reliance upon AML/KYC processes by affiliates or third parties. It also establishes controlled procedures for existing client relationships and appoints a Money Laundering Reporting Officer (MLRO) to oversee FC activities. The RBA includes two key elements:
Business AML Risks
The initial step in evaluating PRYPCO FZE’s financial crime (FC) risk involves conducting a comprehensive review of its business practices in relation to AML/CFT risks and documenting the findings annually. This analysis culminates in the creation of a Business Risk Assessment, prepared by the MLRO and approved by senior management. The assessment is based on specific criteria, which include:
types of clients and their activities.
Geographical areas in which it conducts business.
distribution channels and business partners.
complexity and volume of transactions.
development of new products and new business practices, including new delivery mechanisms, channels and partners.
tax crime risk.
use of new or developing technologies for both new and pre-existing products.
The UAE Executive Office for Control & Non-Proliferation (“EOCN”) has issued Guidance on Combating Proliferation Financing (“CPF”), requiring financial institutions to assess and document their PF risks based on the nature, size, and exposure of their business. The guidance emphasizes evaluating threats and vulnerabilities in geographic, customer, and product/service risks. The Firm’s AML business risk assessment incorporates these factors, assigning risk weightings proportional to their significance for money laundering and terrorism financing risks. Higher weightings are given to customer, jurisdiction, and product/service risks compared to others, like tax crime risks. Each business area is rated as low, medium, or high risk, and these findings are integrated into the Firm’s AML framework, including policies, procedures, and controls. The results are also recorded in each Customer Due Diligence (“CDD”) form to ensure identified risks are effectively mitigated.
Customer risk assessment
During the onboarding process, every customer—defined as a buyer, seller, or business partner on the platform—undergoes a risk-based assessment. Using the Customer Risk Rating Matrix, customers are classified as low, medium, or high risk based on predefined criteria. This assessment is conducted through the Focal system, a third-party compliance software integrated into PRYPCO FZE platform.
Risk Scoring
The risk rating considers multiple factors, weighted according to their relevance to money laundering risks. The MLRO regularly reviews these weightings to ensure the scoring system effectively allocates compliance resources to higher-risk cases.
Scoring Process
The Focal system calculates, generates, and records final risk scores. During onboarding, the compliance team reviews each rating to determine the appropriate level of due diligence and its frequency of updates. High-risk scores require MLRO review and approval. The risk factor weighting system in Focal is demonstrated in the picture below:
If a higher or lower risk rating is assigned due to additional KYC findings, the rationale is documented, including the MLRO’s conclusion before final approval.
Politically Exposed Persons (PEPs)
PEP risk must be assessed for every customer during onboarding. Individuals with significant political positions or who have held public office may present higher AML risks due to potential corruption or bribery. However, holding PEP status alone does not automatically classify someone as high risk, and each case must be evaluated individually.
Jurisdictional risk
The location of customers can impact their risk rating. PRYPCO FZE considers risks from countries with inadequate AML measures, those relying on cash transactions, politically unstable regimes, drug-related issues, or illicit weapons programs. The Firm mitigates these risks by gathering additional documentation or extending review periods as needed, with all actions documented during onboarding. The Firm uses the KnowYourCountry database, which aggregates global AML, financial crime, and corruption data, to assess country risk.
The Company relies on the database, ISO 9001:2015 for evaluating jurisdictional risk. The Firm also reviews FATF Public Statements to assess risks from high-risk jurisdictions.
Prohibited Customers
The Firm is prohibited from:
Establishing correspondent banking relationships with shell banks.
Opening or maintaining anonymous accounts or accounts under false names.
Keeping nominee accounts where the actual controller is not disclosed.
SECTION 5:
Customer Due Diligence (“CDD”) is the process of identifying and verifying the identity of customers to ensure they are who they claim to be. This process is essential to prevent PRYPCO FZE from being used for money laundering or terrorist financing. PRYPCO FZE is required to adopt a risk-based approach when conducting Client Due Diligence (CDD) procedures prior to establishing a business relationship or executing transactions.
CDD involves collecting information and documentation regarding the client's existence, business or occupation, ownership and control structure, expected activity, and purpose of the account. The aim is to identify the client, their Ultimate Beneficial Owners (UBOs), and any other related persons, as well as to understand the nature of the client's activities and the intended purpose of the business relationship. This information also helps identify any risk factors that inform the risk assessment scoring, creating a comprehensive client profile that serves as the foundation for an effective monitoring plan. CDD is not simply a documentation process but is a crucial step in managing financial crime risks and ensuring that the client's profile aligns with PRYPCO FZE’s risk appetite. The extent of documentation and information required varies depending on the client's risk rating and is determined by the level of ML, TF, and PF risks that the client may pose. PRYPCO FZE acknowledges that while it may rely on third parties for CDD, it remains fully liable for ensuring compliance with all relevant VARA Rules.
To meet these obligations, PRYPCO FZE has implemented robust oversight measures to ensure that any third-party CDD providers adhere to AML/CFT requirements. These measures include:
Strict vendor due diligence before onboarding any third-party CDD providers to assess their regulatory compliance, policies, and controls.
Ongoing monitoring and periodic audits of third-party CDD processes to verify adherence to AML/CFT standards and risk-based assessment frameworks.
Clear contractual obligations requiring third parties to comply with VARA’s AML/CFT Rules, including provisions for reporting, record-keeping, and regulatory cooperation.
Internal escalation and oversight mechanisms, ensuring that PRYPCO FZE’s Compliance team retains full control over the due diligence process and can intervene if deficiencies are identified.
PRYPCO FZE ensures that third-party reliance does not compromise its regulatory obligations, and ultimate responsibility for AML/CFT compliance remains with PRYPCO FZE.
Components of CDD:
Client Identification and Verification (ID&V): Gather and verify the client’s identity using reliable sources such as government IDs, passports, or electronic methods. Identify and verify the beneficial owners to understand the client’s ownership and control structure.
Know Your Client (KYC): Collect information on the client’s business activities, ownership, country of residence or operation, and the sources of wealth (SoW) and funds (SoF). Confirm the account's intended purpose aligns with the client’s declared intentions.
Enhanced Due Diligence (EDD): Apply EDD for high-risk clients, including thorough verification and frequent reviews. Conduct ongoing monitoring and update their profiles and due diligence information every six months.
Ongoing Review (Periodic and Event-Driven): Regularly monitor transactions to ensure they align with the client’s profile. Update CDD records when there are significant changes or events that affect the client’s risk level.
Client Exit Process: Establish procedures for ending relationships if CDD is incomplete or risks cannot be mitigated, including maintaining an internal blacklist to prevent re-onboarding of rejected clients.
This process is not limited to new clients only; existing clients are also subject to CDD measures when deemed necessary, particularly when there are changes in their circumstances or when specific events occur that may impact their risk level.
PRYPCO FZE is legally required to review client and UBO information at a predefined frequency based on risk classification throughout the year. These reviews apply to transactions of AED 3,500 or more, suspected suspicious transactions, doubts about the adequacy of previously collected identification, or transactions involving high-risk clients as defined by Federal AML-CFT laws. PRYPCO FZE must also monitor ongoing business relationships, auditing transactions to ensure they align with the client’s profile and associated risks, including verifying the source of funds when necessary. Additionally, PRYPCO FZE is responsible for keeping CDD records up to date, especially for high-risk clients.
PRYPCO FZE assesses each client using a risk-based approach, assigning a risk score of low, medium, high, or non-acceptable. This score is determined during onboarding based on the client and their associated parties, using the risk factors from ID&V and KYC. The score may change over time as the client relationship evolves. PRYPCO FZE applies appropriate measures to manage and mitigate risk, including verifying identity, gathering economic profile information, and monitoring transactions. Higher-risk clients undergo more frequent reviews, with the extent of checks varying based on the perceived risk level.
For potential high-risk clients, Enhanced Due Diligence (EDD) is conducted before establishing a business relationship, with approval from the CO and senior management. The same process applies when reviewing existing high-risk clients, with the CO approving any reclassification to a lower risk level. PRYPCO FZE may also reassess the risk status of low or medium-risk clients suspected of money laundering or terrorist financing, leading to stricter due diligence and identification procedures.
PRYPCO FZE does not:
Establish or maintain relationships with shell banks or anonymous accounts.
Engage with clients whose ownership or control prevents identification of beneficial owners.
PRYPCO FZE will not engage with clients outside its risk appetite, including:
Known criminals, those convicted or suspected of money laundering, terrorism financing, or other illegal activities.
Clients listed on UN, UAE, US and UK sanctions lists or involved with sanctioned entities.
Clients transacting in Darknet markets or those posing reputational risk to PRYPCO FZE.
Clients from countries listed as unacceptable or those refusing to submit required identity verification data.
Financial institutions without a physical presence in their country of incorporation or those not part of a regulated financial group.
Entities with complex or opaque structures, trusts, unlicensed counterparts, or clients insisting on anonymity.
Clients involved in controversial activities like arms dealing, non-medical drugs, or morally unacceptable industries.
It is the Company’s policy not to enter into any transaction or arrangement with links to certain countries which are identified as ‘high risk third countries’ under the AML/CFT Regulations, without prior written permission from the MLRO.
Identification & Verification (ID&V)
ID&V aims to identify and verify clients by collecting and confirming their identity using reliable, independent sources. Proper client and beneficial owner information is essential for preventing money laundering and terrorism financing. This data is used to assess and verify the client's economic profile, enabling the early detection of suspicious transactions. PRYPCO FZE verifies client identities through documents, data, or information from trusted sources, such as:
PRYPCO FZE verifies whether any entity acting on behalf of a client is authorised and confirms its identity. It also understands the nature and purpose of the business relationship with the client, collecting relevant information when necessary. If the client is a business or serves other clients, PRYPCO FZE assesses the client’s operations, ownership, and control structure, including identifying UBO(s), determining if DAOs are involved and their purpose, and reviewing the type and nature of the client's clientele. Due diligence is carried out to ensure compliance with AML-CFT laws.
For all clients, PRYPCO FZE ensures:
Sanctions compliance by screening against domestic and international lists (UAE, UN, OFAC SDN).
Collection of information to assess politically exposed persons (PEPs) and related parties.
Completion of a Client Risk Assessment (CRA).
If mandatory documents are not provided by the customer, the MLRO will assess whether this constitutes suspicious behaviour, potentially leading to a SAR. If not deemed suspicious, it will be considered a breach of VARA AML requirements. The non-compliance must be recorded in the Firm’s Breaches Register and reported to VARA’s regulations as a material breach.
Furthermore, PRYPCO FZE shall verify the constitutional documents of all entity clients as part of its CDD procedures. This includes obtaining and validating the following:
Memorandum and Articles of Association, duly attested by the relevant UAE authorities.
Trade license and commercial registration documents, confirming the entity’s legal standing and authorisation to operate.
Proof of ownership and control structure, ensuring transparency regarding Ultimate Beneficial Owners (UBOs) and key stakeholders.
Additional supporting documents, as required, to verify the authenticity and legitimacy of the entity.
PRYPCO FZE shall ensure that these documents are reviewed, authenticated, and retained in accordance with AML/CFT regulatory requirements. Ongoing monitoring shall be conducted to identify any changes in corporate structure or governance that may impact risk assessment and compliance obligations.
SECTION 7:
EDD measures are applied to high-risk customers, including politically exposed persons (PEPs), customers from high-risk jurisdictions, and those involved in complex or unusually large transactions. EDD procedures include:
Obtaining additional information on the customer and beneficial owners.
Conducting more frequent and in-depth monitoring of transactions.
Implementing additional controls to mitigate risks.
Verification of the client's source of wealth through additional documentary evidence.
Verification of the client's source of funds with further documentary evidence.
Verification of the client's address and source of funds with further documentary evidence.
Internet searches to corroborate activity information that aligns with the client's transaction profile.
Adverse media checks and online research regarding the customer's business operations.
Enhanced verification of an individual's identity by obtaining extra documents from a reliable and independent source (e.g., both a passport and a national identity card, along with proof of address for an individual).
Adverse media checks and online research on individuals exercising control over the institution.
SECTION 8:
A Politically Exposed Person (“PEP”) is defined as “an individual who is or has, at any time in the preceding year, been entrusted with prominent public functions and an immediate family member, or a known close associate, of such a person”.
The AML/CFT Regulations have provided lists of those legal persons which fall within this definition:
heads of state, heads of government, ministers and deputy or assistant ministers;
members of parliament or of similar legislative bodies;.
members of the governing bodies of political parties;
members of supreme courts, of constitutional courts or of any judicial body the decisions of which are not subject to further appeal except in exceptional circumstances;
members of courts of auditors or of the boards of central banks;
ambassadors, charges d’affaires and high-ranking officers in the armed forces;
members of the administrative, management or supervisory bodies of State-owned enterprises; and
directors, deputy directors and members of the board or equivalent function of an international organisation.
In addition to this, the following also class as PEPs:
family members, meaning:
a spouse or civil partner of the PEP;
children of the PEP and the spouses or civil partners of the PEP’s children; or
parents of the PEP.
known close associates, meaning:
an individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relations with a PEP; or
an individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP.
PEP status itself does not incriminate an individual or entity. It does however, put the applicant or an existing customer, or a beneficial owner, into a higher risk category. They present a higher risk of financial crime, such as bribery and corruption, due to their access to and/or influence over public decision-making processes (including funding and procurement of contracts).
The risk of handling the proceeds of corruption or becoming involved in an arrangement that is designed to facilitate corruption is generally increased where a PEP is involved. Where the PEP also has connections to countries or business sectors where corruption is widespread, the risk is further increased. Corrupt persons also tend to abuse third-party connections to shield the proceeds of corrupt activities from enquiry, and close family members and business associates are most vulnerable to influence in this context and may be used to assist, knowingly or otherwise.
Due to their inherent risk exposure, entities and arrangements that have a PEP or PEP associations (no matter how minor or major) must always be researched thoroughly prior to on-boarding on a risk based approach, have EDD applied to them and then continually monitored and scrutinised with enhanced monitoring, such as source of wealth (SOW) and source of funds (SOF) information being obtained and substantiated on an ongoing basis.
Financial Action Task Force Context
The FATF defines a PEP as an individual who is or has been entrusted in a prominent public function. This includes:
Foreign PEPs: individuals who are or have been entrusted with prominent public functions by a foreign country, for example, Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials.
Domestic PEPs: individuals who are or have been entrusted domestically with prominent public functions, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials.
International organisation PEPs: persons who are or have been entrusted with a prominent function by an international organisation, refers to members of senior management or individuals who have been entrusted with equivalent functions, i.e. directors, deputy directors and members of the board or equivalent functions.
Family members are individuals who are related to a PEP either directly (consanguinity) or through marriage or similar (civil) forms of partnership.
Close associates are individuals who are closely connected to a PEP, either socially or professionally (and for the purpose of deciding whether a person is a close associate of a person, a relevant person need only have regard to information which is in that person’s possession or is publicly known).
A PEP is an individual who is or has been entrusted with a prominent function and as such could potentially abuse such a position or function for the purposes of laundering or other predicate offences, such as corruption or bribery. Owing to the high risks associated with PEPs, FATF recommends that additional AML and due diligence controls and measures are put into place when entering into a business relationship with a PEP.
Policy on PEPs
Currently the Company applies EDD to PEPs and seeks approval from the MLRO and CEO prior to onboarding a PEP. Our KYC provider matches all customer names against the PEP list and any customer classified as a PEP will have its application reviewed accordingly.
Every relationship with PEP shall be approved by the Board after prior consultation with the MLRO. In addition, yearly senior management approval for continuing relationships with PEPs is obligatory.
SECTION 9:
PRYPCO FZE regularly reviews client information to ensure that the client's KYC profile is accurate and up to date. This involves scrutinising various documents, data, and information at different frequencies, including reviewing transactions, business risk profiles, and sources of funds (SoF). The objective is to ensure that transactions align with what is known about the client, their business, and their risk profile, and to identify any suspicious transactions.
Special attention is given to activities involving complex transactions, unusually large transactions, transactions conducted in an unusual pattern, those without an apparent economic or lawful purpose, and transactions to or from high-risk jurisdictions. The frequency of periodic reviews depends on the client's risk level:
Low Risk: Every 3 years.
Medium Risk: Every 2 years.
High Risk: Annually.
PRYPCO FZE facilitates periodic reviews of client information by requesting confirmation from clients through relevant communication channels (including email or via the company’s website) as per the specified frequency to ensure that the details held in the system are accurate and up to date. Any changes to a client's information, such as their name or address, are reflected in their CDD profile and records. If there are material changes, such as a new country of residence or a change of nationality, the client's risk assessment is refreshed, and screening is re-run. If a client's risk rating increases and they are classified as high risk, Enhanced Due Diligence (EDD) is conducted in accordance with their risk rating.
PRYPCO FZE continuously monitors client fiat and VA transactions to detect unusual transactions or patterns and to ensure that any unusual or suspicious activities are identified and investigated immediately. While doing so, PRYPCO FZE ensures that no “tipping-off” or similar offence occurs. These methods also ensure that all suspicious transactions are immediately reported to the MLRO. PRYPCO FZE documents these methods, obtains Senior Management approval, and periodically reviews and updates them to ensure their effectiveness.
Based on PRYPCO FZE’s knowledge of the client and the implementation of internal controls to address the FATF Report Virtual Assets Red Flags Indicators of Money Laundering and Terrorist Financing (September 2020), the monitoring system is designed with specific scenarios and thresholds to monitor clients’ interactions with their VA activities.
The monitoring system typically looks for the following:
Unusual behaviour in terms of the frequency and value of fiat and VA deposits, transfers, and withdrawals.
VA transactions attempted to high-risk wallet addresses or service clusters.
VA transactions that deviate from the client's normal transactional behaviour.
Multiple high-value transactions in short succession (e.g., within a 24-hour period), in a staggered and regular pattern with no further transactions for a long period (common in ransomware-related cases), or to a newly created or previously inactive account.
Acceptance of funds suspected as stolen or fraudulent.
Depositing funds from VA addresses identified as holding stolen funds or linked to holders of stolen funds.
Large initial deposits to open a new relationship when the amount funded is inconsistent with the client's profile.
A new user attempting to trade or withdraw the entire balance of VAs.
Frequent transfers in a certain period (e.g., a day, a week, a month) to the same VA account by more than one person, from the same IP address, or concerning large amounts.
Incoming transactions from many unrelated wallets in relatively small amounts (accumulation of funds), followed by a transfer to another wallet or full exchange for fiat currency. Such transactions may initially use VAs instead of fiat currency.
Moving a VA from a public, transparent blockchain (e.g., Bitcoin) to a centralised exchange and then immediately trading it for an anonymous or privacy coin.
Transactions using mixing and tumbling services suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces.
Funds deposited or withdrawn from a VA address or wallet with direct and indirect exposure links to known suspicious sources, including darknet marketplaces, mixing/tumbling services, questionable gambling sites, illegal activities (e.g., ransomware), and theft reports.
Receiving funds from or sending funds to PRYPCO FZE with demonstrably weak or non-existent CDD or KYC processes.
Significant increases in activity or consistently high levels of activity with higher-risk geographies and/or entities.
Indications of possible money laundering, such as structuring transactions under reporting thresholds, transactions in round amounts, overly complex transactions, round trips, or transactions without a commercial basis.
Dormant accounts that become active after a full year without any activity. Monitoring processes and alerts are set up to identify new activity breaking the dormant status of the account.
These typologies are incorporated into PRYPCO FZE’s customer review arrangements, and these indicators are regularly reviewed and updated to identify possible suspicious transactions.
SECTION 10:
International terrorism is one of the most serious contemporary threats to security in the global dimension. Countries and regions struggling with the problems of respecting democracy and human rights as well as free market economy are particularly at risk of terrorism. Often the scale of the phenomenon goes beyond the borders of individual countries or regions, becoming a global threat. Terrorism, due to the complexity of the problem, becomes a permanent element of international politics in the foreseeable future perspective.
Terrorist organisations vary widely, ranging from large, state-like organisations to small, decentralised and self-directed networks. Terrorists financing requirements reflect this diversity, varying greatly between organisations. Financing is required not just to fund specific terrorist operations, but to meet the broader organisational costs of developing and maintaining a terrorist organisation and to create an enabling environment necessary to sustain their planned activities.
Any crime which results in a profit can be used to finance terrorism. This means that a country may face terrorism financing risks even if the risk of a terrorist attack is low.
There can be considerable similarities between the movement of terrorist property and the laundering of criminal property- some terrorist groups are known to have well-established links with organised criminal activity. However, there are two major differences between terrorist property and criminal property. More generally:
often only small amounts are required to commit individual terrorist acts, thus increasing the difficulty of tracking the terrorist property;
terrorists can be funded from legitimately obtained income, including charitable donations, and it is extremely difficult to identify the stage at which legitimate funds become terrorist property; and
Terrorist financing presents a threat to a person or group of people with the potential to cause harm by raising, moving, storing or using funds and other assets (whether from legitimate or illegitimate sources) for terrorist purposes.
The Company’s Risk Assessment assesses its exposure to terrorist financing as low. Company staff members must note the following key points:
Federal Law No. 7 of 2014 on Combating Terrorism Offences contains a series of criminal offences which make it illegal to fund terrorism and to use or possess “terrorist property”. These apply in addition to the money laundering offences set out above;
“terrorist offences” is defined widely to include, but not limited to:
Facilitating Transactions: Facilitating or executing financial transactions that are intended to, or have the effect of, supporting terrorism.
Providing Financial Services: Offering financial services, such as banking or insurance, knowing or intending that these services will support terrorist activities.
Possessing or Handling Funds: Possessing, using, or handling funds or assets with the knowledge or intent that they will be used for terrorism.
Failing to Report: Failing to report suspicious financial activities related to potential terrorist financing to the relevant authorities.
The Company and Company employees are obligated to report suspicions of terrorist activity or dealings in “terrorist property”. Failure to do so could lead to serious repercussions in line with the jurisdiction it is operating under.
If any Company employee has any concerns whatsoever that the Company’s activities could in any way be linked to terrorism or the funding of terrorism, that is a matter of utmost seriousness. The individual concerned must approach the MLRO immediately to report the matter and seek further advice. The MLRO may seek specific legal advice as required.
Financial Crime
The Company has certain obligations to its clients, to prevent its services from being used for the purposes of a wider range of financial crimes than just money laundering – for example, the Company should not allow its services to be used to commit fraud on investors. Other financial crimes can be associated with, or exist in parallel with, money laundering, for example, fraud, tax evasion, market abuse, bribery, etc. Furthermore, very often, tax evasion is an underlying crime and is present in most money laundering schemes. Generally, criminals are not paying or underpaying taxes since they are afraid to alert the government.
Where the Company and its services are used as an accessory for a financial crime, in addition to the Company potentially breaching its obligations to its clients, the proceeds from the wider financial crimes are very likely to fall within the definition of ‘criminal property’ for the purposes of the money laundering regime.
Given that the Company is involved in converting crypto assets for fiat and vice versa, there is a risk that the entities receiving the funds via the platform may be misrepresenting their identity, activities and/or financial position, and/or may misappropriate the investment they receive. The Company has an obligation to mitigate this risk as much as possible.
Consequently, the Company has incorporated elements into its Know Your Customer Procedures that will allow it to consider the risk that it may be used for fraudulent purposes by a prospective client. When considering money laundering and terrorist financing issues, PRYPCO FZE considers our procedures against other financial crimes and how these might reinforce each.
SECTION 11:
Reporting obligations
Employees must make reports to the MLRO where they:
know or suspect, or have reasonable grounds to know or suspect, that anyone else is engaged in money laundering; and
can identify the person doing the money laundering or the whereabouts of the laundered property; or
have information which they believe, or it is reasonable to expect them to believe, will or may assist in identifying the other person or the whereabouts of the laundered property.
Where these conditions are met, employees must make a report to the MLRO of:
the identity of the person known or suspected to be engaged in money laundering; or
the whereabouts of the property, as far as they know it; and
the other information they have that may assist in identifying the person or the property.
‘Knowledge’ and ‘Suspicion’ – knowledge generally means actually knowing something to be true, i.e., that an individual, in fact, knew that someone was engaged in money laundering or financial crime. Knowledge can be inferred from surrounding circumstances. The knowledge must, however, have come to the Company during the course of its business. Information that comes to the Company’s knowledge in other circumstances does not come within the obligation to report.
Suspicion is a more subjective test and falls short of proof based on firm evidence but has been defined as being beyond mere speculation and based on some foundation. This can be described as ‘a degree of satisfaction not necessarily amounting to belief but at least extending beyond speculation as to whether an event has occurred or not’; and ‘Although the creation of suspicion requires a lesser factual basis than that of knowledge, it must nonetheless be built upon some foundation.’
Employees in particular must not:
disclose to anyone else the fact that they have approached the MLRO about a potential money laundering issue;
disclose to anyone else the fact that a SAR has been made to the authorities;
disclose to anyone else the fact that a money laundering investigation is being contemplated or carried out; or
make any disclosure likely to prejudice an investigation, as to do so may involve the commission of the criminal offence of ‘tipping off’.
In practice, employees should be able to meet these obligations by complying with this Policy and keeping all communications with the MLRO, or relating to AML or a SAR, strictly confidential.
Separately the firm requires employees to report other instances of breaches of financial crime such as terrorism breaches, organised crime and sanction breaches.
The MLRO receives and investigates information on suspicious transactions that could indicate money laundering (ML), terrorist financing (TF), proliferation financing (PF), or any other illegal activity. These details are compiled into an Unusual Activity Report (UAR) and stored for future reference. The MLRO evaluates the information received, cross-referencing it with other available sources. Consultations with the reporter and their supervisors may occur to determine whether the information should be disclosed to the relevant Reporting Authority. If disclosure is warranted, the MLRO prepares and submits a Suspicious Activity Report (SAR). If disclosure is not warranted, the MLRO provides a detailed explanation in an internal evaluation report.
The MLRO is required to file a SAR with the competent authority if, after careful evaluation, they know, suspect, or have reasonable grounds to suspect that a transaction or activity may be linked to ML, TF, PF, or any other illegal activity. All reports regarding Suspicious Transactions can be made to the UAE FIU and VARA on the GoAML platform or by any other means approved by the UAE FIU and/or VARA. The MLRO is responsible for:
Immediately reporting to the UAE FIU and VARA such Suspicious Transactions,
Responding to all additional information requests from the UAE FIU and/or VARA promptly, within forty-eight [48] hours,
Undertaking any additional actions requested by the UAE FIU and/or VARA within the specified timeframe,
If the MLRO is not the same individual as the CO, immediately reporting to the CO that a Suspicious Transaction report has been made, ensuring this report does not constitute “tipping-off” or a similar offence under any applicable laws or regulations.
Given below is a flowchart that depicts a typical decision-making process when it comes to deciding to file an SAR with the FIU2:
SECTION 12:
PRYPCO FZE is committed to complying with all applicable sanctions laws, rules, and regulations in every jurisdiction where it operates. PRYPCO FZE maintains appropriate controls to detect, investigate, escalate, take necessary actions, and report on any relationships, accounts, and transactions identified as potentially relating, directly or indirectly, to applicable sanctions targets as outlined in this policy.
Both PRYPCO FZE and its employees are required to comply with the UAE’s Targeted Financial Sanctions (TFS) regime, including any communications, guidance documents, and circulars on TFS published by the UAE’s Executive Office of the Committee of Goods Subject to Import and Export Control. Additionally, PRYPCO FZE adhered to the sanction’s programs of the UN Security Council and OFAC. Clients are screened during the onboarding process and are subject to ongoing screening once onboarded onto the platform. World-Check conducts comprehensive name searches on all clients against sanctions, PEP, and adverse media lists on an ongoing basis. These lists are derived from various national and international economic and non-economic sanctions programs, including those of the UAE, HMT, UAE, UN, and US (OFAC, BIS, ISN, etc.).
Required Measures for Compliance
Authorised Firms must implement measures to comply with findings, including but not limited to:
Enhanced Due Diligence (EDD): Conducting specific elements of EDD as required.
Enhanced Reporting: Establishing systematic financial transaction reporting mechanisms.
Restricting Relationships: Limiting business relationships or transactions with specified individuals, entities, or jurisdictions.
Prohibited Reliance: Avoiding reliance on third parties in specified jurisdictions for customer due diligence.
Review of Correspondent Banking: Revisiting or terminating correspondent relationships in designated jurisdictions.
Prohibited Transactions: Restricting specified electronic fund transfers.
Increased Audit Requirements: Implementing stricter external audit measures for financial groups with branches or subsidiaries in specified jurisdictions.
Firms must also adhere to UAE Cabinet Decision No. 74 of 2020 on sanctions compliance.
Screening Processes and Tools
To fulfil obligations, the Firm utilises Onfido, an automated screening tool integrated with its platform. Screening is conducted at the following stages:
Onboarding: Parameters like customer name, trading name, shareholders, UBOs, and directors are assessed for sanctions matches.
Ongoing Monitoring: Customers cleared during onboarding are subject to daily screening to detect sanctions updates.
If a sanctions match is detected, and action on matches: Appropriate freezing or reporting measures must be implemented.
Targeted Financial Sanctions (TFS)
The UAE, as a member of the United Nations, is mandated to implement UNSC Resolutions (UNSCR), including those related to the UN’s sanctions regimes. Consequently, through the Cabinet Resolution No. 74 of 2020, the UAE is implementing relevant UNSCRs on the suppression and combating of terrorism, terrorist financing and countering the financing of proliferation of weapons of mass destruction, in particular relating to targeted financial sanctions (TFS). The UAE Government also applies TFS by publishing a Local Terrorism List in accordance with UNSCR 1373 (2001).
The term ‘targeted sanctions’ means that such sanctions are imposed against specific individuals or groups, or undertakings. The term TFS includes both asset freezing without delay and prohibitions to prevent funds or other assets from being made available, directly or indirectly, for the benefit of individuals, entities, groups, or organisations who are sanctioned.
Financial sanctions could be by way of ‘asset freezing’ or ‘prohibition to offer funds and services. Once implemented, these have no time limit – the freeze must remain until the concerned party is removed from the list or an authority approves freezing cancellation.
The freezing measures, including the prohibition of making funds available, apply to:
Any individual, group, or entity listed in the Local (UAE) Terrorist List or listed by the UNSC.
Any entity, directly or indirectly owned or controlled by an individual or entity listed under A.
Any individual or entity acting on behalf of or at the direction of any individual or Entity listed under A & B.
Required Actions
All UAE Financial Institutions including the Firm must:
Register at the Executive Office for Control and Non-Proliferation (“EOCN”) website to receive automated email notifications https://www.uaeiec.gov.ae
Upon registration, automated emails will be received as and when there are updates to the UN List or the UAE Local Terrorist List. The Firm relies on these updates to check its customer database for matches
When updates are announced, firms are required to review their customer database to see if there are any matches. The emails received from EOCN also require firms to complete a TFS Survey confirming whether a match (full or partial) was found. These surveys are typically completed and submitted by the MLRO, and evidence of the same is retained as part of the Firm’s records
Undertake ongoing and daily checks to the following databases to identify possible matches with names listed in the Sanctions Lists issued by the UN List or the UAE Local Terrorist List:
Existing customer databases.
Names of parties to any transactions.
Potential customers.
Beneficial owners.
Names of individuals or entities with direct or indirect relationships with them.
Customers before conducting any transactions or entering a business relationship with any Person.
Directors and/or agents acting on behalf of customers (including individuals with power of attorney)
Apply TFS (i.e. freezing measures) immediately and without delay (within 24 hours) if a match with the UN List or the Local Terrorist List is identified
Immediately notify VARA as Supervisory Authority about having applied TFS (this requirement is as per Art. 21 of the Cabinet Resolution No. 74 of 2020).
Cooperate with the EOCN and VARA in verifying the accuracy of the submitted information
Implement the freezing cancellation or lifting decision, when appropriate, and/or upon receiving communication from the EOCN via GoAML, without delay (within 24 hours).
Handling Matches
Confirmed Match: When a Confirmed Match to a designated individual, group, or entity to the UAE Local Terrorist List or UNSC Consolidated List is identified, the Firm is required to take the following actions:
Freeze without delay and prohibition of making funds or other assets available or provide services
Report measures via the GoAML platform within five business days by selecting the Fund Freeze Report (FFR).
Ensure all the necessary information and documents regarding the Confirmed Match are submitted along with the FFR, and any requests received for additional information/documents are promptly responded to, within the stipulated timelines
Ensure freezing measures remain in effect until the person is de-listed.
Potential Match: When a Potential Match to a designated individual, group, or entity to the UAE Local Terrorist List or UNSC Consolidated List is identified, the Firm is required to take the following actions:
Suspend without delay any transaction and refrain from offering any funds or services.
Report the Potential Match via GoAML platform by selecting the Partial Name Match Report (PNMR) within five business days
Ensure all the necessary information and documents regarding the name match are submitted, and any requests received for additional information/documents are promptly responded to, within the stipulated timelines
Screening Obligations
The Firm must undertake regular and ongoing screenings of the UAE Local Terrorist List and UN Consolidated List. Screening is conducted in the following scenarios:
When updates are made to the sanctions lists.
Prior to onboarding new customers.
During KYC reviews or when customer information changes.
Before processing any transactions.
Risk-Based Approach
The Firm applies a risk-based approach to screening:
For higher-risk customers or transactions, enhanced screening measures are applied to mitigate risks effectively.
For lower-risk scenarios, appropriate screening measures proportionate to the risks are implemented.
In all cases, the Firm must ensure full compliance with TFS requirements, ensuring immediate and effective actions are taken in response to any matches or potential matches.
SECTION 13:
In addition to the mandatory SAR form, the Company will also use our own internal SAR form to ensure that all information is correctly recorded at the time of the suspicion and to enable us to retain our own record for analysis and pattern tracking (see Annex 1).
All staff will be made aware of their obligation to report any suspicious or suspected inconsistent activities to the MLRO with immediate effect.
Any SAR will always contain detailed, relevant and informed information alongside a summary for the ease of the persons reading the report. Contact details and reasons for suspicions are noted and where applicable, we will also inform any law enforcement or government agency who may be best placed to utilise or act on the information provided.
The MLRO is required to file a SAR with the competent authority if, after careful evaluation, they know, suspect, or have reasonable grounds to suspect that a transaction or activity may be linked to ML, TF, PF, or any other illegal activity. All reports regarding Suspicious Transactions will be made to the UAE FIU and VARA on the GoAML platform or by any other means approved by the UAE FIU and/or VARA. The MLRO is responsible for:
Immediately reporting to the UAE FIU and VARA such Suspicious Transactions,
Responding to all additional information requests from the UAE FIU and/or VARA promptly, within forty-eight [48] hours,
Undertaking any additional actions requested by the UAE FIU and/or VARA within the specified timeframe,
If the MLRO is not the same individual as the CO, immediately report to the CO that a Suspicious Transaction report has been made, ensuring this report does not constitute “tipping-off” or a similar offence under any applicable laws or regulations.
SAR Procedures
All staff are made aware via induction information and ongoing training sessions of the importance of reporting any suspicious activity to the MLRO. All employees must, as soon as practicable report any knowledge of or suspicion of (or where there are reasonable grounds to suspect) suspicious activity to the MLRO in the prescribed form as set out in the Policy document.
Once the matter has been reported to the MLRO, the employee must follow the directions given to them and must not make any further inquiry into the matter.
The employee must not voice any suspicions to the person(s) whom they suspect of money laundering, as this may result in the commission of the offence of ‘tipping off’. They must not discuss the matter with others or note in the file that a report has been made to the MLRO in case this results in the suspect being aware of the situation.
Where the MLRO concludes there are no reasonable grounds to suspect money laundering, then consent will be given for ongoing or imminent transaction(s) to proceed.
Where consent is required from the UAE FIU and/or VARA for a transaction to proceed, then the transaction(s) in question must not be undertaken or completed until the UAE FIU and/or VARA has given specific consent, or there is deemed consent through the expiration of the relevant time limits without objection from the UAE FIU and/or VARA
All disclosure reports referred to the MLRO and reports made to the UAE FIU and/or VARA will be retained by the MLRO in a confidential file kept for those purposes, for a minimum of 8 years.
The MLRO must also consider whether additional notifications and reports to other relevant enforcement agencies should be made.
Procedures and Controls
The AML/CFT Regulations and those supervising money laundering within organisations require that all firms have robust and dedicated policies, procedures and controls in place to combat money laundering.
These controls are detailed in this AML Policy and include:
business risk assessment;
customer due diligence;
customer risk assessment;
monitoring, management and internal communication of policies and controls;
record keeping;
staff awareness and training; and
reporting suspicious activity.
SECTION 14:
PRYPCO FZE maintains all books and records in their original form, including transaction details, client and counterparty information, compliance records, general ledgers, financial statements, board meeting minutes, communication records, and a conflict-of-interest register. These records are retained for a minimum of eight years or indefinitely if they pertain to UAE national security.
Copies of these records must be provided to relevant authorities as required by applicable regulations, rules, or directives. Records of evidence obtained for client identification purposes, or information enabling the retrieval of such evidence, are retained accordingly.
Additionally, all transaction records conducted during business are preserved for a minimum of eight years following the completion of relevant actions. This retention period is calculated from the date of the transaction or the conclusion of the business relationship.
Documents and data, including original documents or their certified true copies in hard copy, may be stored in alternative formats, such as electronic form, provided they can be retrieved without undue delay and presented to relevant authorities upon request.
The following documents and information are retained to support investigations or analysis of potential money laundering or terrorist financing by national authorities:
Copies of documents and information required for compliance with client due diligence requirements, including those obtained via electronic identification methods or other secure, remote, or electronic processes accepted by relevant national authorities.
These records are kept for eight years following the end of the client relationship or the date of an occasional transaction.
Relevant evidence and transaction records necessary for transaction identification.
Correspondence documents with clients and other parties with whom a business relationship is maintained.
Documents and data associated with ongoing investigations are retained until the AML Reporting Authority confirms the investigation is complete and the case is closed.
Documents and data, whether in original or certified copy form, may be stored electronically, provided they can be promptly retrieved and presented to authorities when requested.
SECTION 15:
To maintain an effective financial crime program, it is essential that all staff, Senior Management, and the Board understand this Policy and are trained to identify and report suspicious transactions. To achieve these goals, the organisation provides FC training to all relevant personnel within 30 calendar days of joining and at least annually thereafter.
AML training is mandatory for all employees, including Directors. The MLRO ensures that the training remains up to date with FC trends and techniques and is appropriately tailored to the organisation's various activities, services, clients, and levels of FC risk and vulnerabilities.
The training covers the following topics:
Applicable UAE laws and VARA Rules and Directives relating to FC;
Relevant policies and procedures of the organisation;
Different types of financial crimes;
Anti-Bribery and Corruption;
Understanding the types of activity that may constitute suspicious transactions or activity;
Why and how to make notifications to the MLRO;
Avoiding tipping off;
Prevailing techniques, methods, and trends in financial crime;
Roles and responsibilities in combating financial crime, including the identity and responsibilities of the MLRO and Deputy MLRO;
Potential consequences on the organisation, its employees, and its clients of breaches of laws, Rules, or Directives relating to financial crime;
The organisation's systems and controls, and any changes to these; and
Requirements relating to client identification and ongoing due diligence and scrutiny of transactions.
SECTION 16:
Each quarter the MLRO shall perform an assessment of the performance of PRYPCO FZE against this Policy to ascertain that the company is complying with internal policies and procedures. The MLRO shall document the compliance of the company and specifically assess the following:
Number of applications submitted;
Number of customers onboarded;
Overview of the new applications decline reasons;
Number of terminated customers (together with the reasons for the termination);
Number of ISARs received;
Number of SARs filed;
Statistics on the RFIs received from regulators, banks, payment service providers and other crypto asset firms;
Quarterly scan of all customers against sanctions, prosecutions, negative media, etc;
Number of transactions that were processed;
Number of transactions that were declined for compliance reasons;
Training that was carried out;
Whether there were any changes to the company’s policies and procedures;
New legislation, trends, emerging risks and developments, related to AML.
Subsequently to the performed review, the MLRO shall present his/her findings to the Board.
Annual Compliance Review and MLRO Annual Report
Each year the MLRO shall perform an overall review of the AML/CFT compliance and collate the Annual Report. The Annual Report will be submitted to the Board (or a managing director if only one person is appointed) to VARA. The report shall cover at least the following points:
Overview of the key highlights and concerns from the reporting period;
Key updates on regulatory changes that have occurred over the reporting year;
Summary of key AML/CFT performance metrics and targets;
Details of any changes to AML/CFT policies and procedures in the reporting period together with reasons for changes and their expected impacts;
Risk assessment and management;
Details about AML/CFT training programs, participation rates, and feedback;
Summary of monitoring and testing activities, including scope, frequency, and results;
SARs;
Details of any AML/CFT incidents or breaches, their impact, and remedial actions taken;
Overview of major regulatory developments relevant to AML/CFT;
Details of interactions with regulatory bodies, including audits and their outcomes;
Plans for enhancing the institution's AML/CFT framework in the coming year.
External Audit
At least once every two years, PRYPCO FZE shall engage an accredited external auditor to perform an external company-wide AML/CFT compliance review. The audit shall be carried out as directed by the auditors, however, it should cover at least the following points:
Review of internal systems and controls;
Adherence of the policies and procedures to the relevant legislation;
New legislation, trends, emerging risks and developments related to AML;
AML/CFT risk assessment and appetite;
CDD/EDD measures;
Sanctions, prosecutions, adverse media and black lists;
Staff training and company-wide understanding of the risks;
Interviews of the relevant staff members;
Internal governance and role of senior management;
Role and responsibilities of MLRO;
Review of the statistics on filed SARs;
Review of the company’s liaison with law enforcement agencies;
Review of the reports produced by MLRO;
Ongoing monitoring of customers and their activity;
Documents retention practices.
Subsequently to the performed audit, the MLRO shall correct all of the identified deficiencies (if any).
The MLRO shall ensure that AML/CFT policies, procedures and controls are updated on an ongoing basis. Whenever performing a review of internal controls, the MLRO shall take into account any of the deficiencies identified by the undertaken reviews and shall make sure that PRYPCO FZE implements mitigating measures.
SECTION 17:
The Company is required to comply with the UAE’s FIU’s regime and recognises its responsibility to deny services and products to individuals who pose a significant money laundering and terrorist financing risk to the UAE and the international financial system.
PRYPCO FZE has also developed a further level of screening through an internal blacklist. This blacklist comprises of previous interactions with customers (complaints, information on hacks and so forth).
If the Company freezes a client’s account under the financial sanctions regime, it must make a report to the UAE’s FIU and VARA.
The Company pays close attention to jurisdictions which have been earmarked by international organisations, such as FATF, as having AML/CTF regimes considered to be strategically deficient. FATF frequently publishes documentation available on its websites, which identifies and evaluates such jurisdictions.
FATF uses these publications to signal to its members and other jurisdictions to apply countermeasures to protect the international financial system from the ongoing and substantial money laundering and terrorist financing risks emanating from these countries.
FATF publishes a list of jurisdictions which have strategic AML/CFT deficiencies for which they have developed an action plan with FATF. This list can be found at: Higher Risk Countries | AML-CFT.
Staff are required to discuss any clients that appear on the sanctions list with the MLRO in the first instance. If a prospective client is on the sanctions list and the Company does not hold a relevant licence to proceed, then the Company will halt further account set up and report the matter to the UAE FIU and VARA. The Company has registered with the UAE FIU on the Go-AML Platform for STR Reporting and with the UAE EOCN (Executive Office for Control and Non-Proliferation) for Sanctions Alerts.
The Company will continually monitor its client lists against the sanctions list and any positive matches will be reported to the UAE FIU and VARA immediately.
Additionally, the Company will:
Update its business-wide and customer risk assessments to account for changes in the nature and type of sanctions measures;
Ensure that customer onboarding and due diligence processes identify customers who make use of corporate vehicles to obscure ownership or source of funds;
Ensure that customers are screened against relevant updated sanctions lists and that effective re-screening is in place to identify activity that may indicate sanctions breaches;
Identify activity that is not in line with the customer profile or is otherwise suspicious and ensure that these are reported quickly to the nominated officer for timely consideration;
Engage with public-private partnerships and private-private partnerships to gather insights on the latest typologies and additional controls that might be relevant and share our own best practice examples.
Ongoing Due Diligence
The MLRO will be responsible for the ongoing due diligence checks for the life of the customer account, ensuring that all information is kept up-to-date and that no adverse information has arisen since the last KYC check was performed. Such checks are to be performed on all existing active customers.
Re-verification of identification will be performed as follows:
High Risk Clients – on a yearly basis, all clients who have been classed as high risk will undergo a complete review and re-approval (or otherwise) by the MLRO and the Board.
Medium Risk Clients – medium risk customers will undergo a full review every two years and are subject to MLRO approval.
Low Risk Clients – low risk customers will be reviewed every 36 months by the MLRO or when trigger events occur, such as:
The customer is looking to take out a new product or service, or when a certain transaction threshold is reached;
The Company comes into possession of news or information that brings doubt to the accuracy of the current CDD information held;
When the Company identifies activity deemed to be suspicious.
Trigger events - All customers of the Company must notify the Company when there are changes to their statuses, such as address, name, beneficial owner, directors, bank, offered product, legal form, etc. Customers must then follow up to provide the Company with the relevant/updated documents to update its database. Customers are made aware of this requirement during onboarding and the obligations are included in the terms and conditions. In addition to the scheduled reviews above, if the Company, through the course of its daily activities, obtains information that brings question to the accuracy of the client due diligence information collected, or if a suspicion arises, then the client will be undergo an immediate review by the MLRO, irrespective of their risk status.
SECTION 18:
The key business and financial crime risk in any organisation lies with the people hired to operate the business and promoted into positions of trust and authority. For that reason, PRYPCO FZE needs to know staff members to evaluate their credentials and competence, match skills to the job requirements, check their fitness and probity and be aware of any issues of personal integrity that may impact their suitability for the position. Much can be learned about an individual through the confirmation of work history and education presented on a job application or résumé or in a follow-up with references provided. It is possible to find false or embellished information or undisclosed history and adverse data that may represent increased, and possibly unacceptable, risk.
The nature and extent of information that can be requested from a prospective or existing staff member or obtained independently are governed by applicable laws and regulations. Further or enhanced background checks of a criminal record or personal financial situation may only be possible upon receiving the individual’s consent.
Background checks of staff members are not a one-time exercise and should be carried out throughout the whole duration of the relationship. Specifically, staff members should be rescreened, and their suitability assessed in the following situations:
Change in the status:This could include transfer to another department, change in responsibilities or even return from a leave of absence.
When a staff member is being considered for promotion: Additional checks such as employment and education verification will confirm if the employee has met the criteria for the new position.
As part of a staff member investigation: There are always potential risks when a staff member’s behaviour changes since the time of hire. Negligent retention could make the organisation directly liable for retaining a staff member when it should have known about the staff member’s potentially dangerous behaviour but kept that person employed.
After a merger or acquisition: Companies need to be aware of the risks that could exist in their newly acquired staff since background screening policies vary per industry and company.
Background and DBS checks are carried out as standard along with specific skills screening assessments of:
The skills, knowledge and expertise of the individual to carry out their functions effectively;
The conduct and integrity of the individual;
An understanding of the identification or mitigation of the risks of money laundering and terrorist financing as applicable to our business;
Knowledge and skills to ensure prevention or detection of money laundering and terrorist financing as applicable to our business.
SCHEDULE 1:
Anti-money laundering
Customer due diligence
Enhanced customer due diligence
Simplified customer due diligence
Counter-financing of terrorism
Counter proliferation financing
Financial Action Task Force
Financial Reporting Authority
Financial service provider
Know Your Client
Money laundering
Money Laundering Reporting Officer
Politically exposed person, including (for the purposes of this Manual) a family member or close associate of a politically exposed person
Proliferation financing
Suspicious activity report
Terrorist financing
Targeted financial sanctions
APPENDIX 1:
Money Laundering, Terrorist, and Proliferation Financing Law and Regulation
The Criminality
Money laundering involves processes by which criminals disguise illicit gains to make them appear legitimate. Criminal funds are moved in various ways to integrate them into the financial system discreetly, concealing ownership and origins.
Terrorist financing refers to the provision of funds for acts of terrorism. Unlike money laundering, terrorism can be financed from lawful sources, such as earnings from regular jobs. However, once money is handed over with the intent to fund terrorism, it becomes criminal. These funds support unlawful activities and thus transform into criminal assets.
The Law and Regulations
The Firm operates from the Dubai International Financial Centre (DIFC), a financial free zone in the UAE. All free zones adhere to UAE Federal Law, with violations potentially resulting in custodial or financial penalties for employees and the Firm.
VARA, the supervisory authority of Dubai, UAE, ensures compliance with Federal laws, international AML standards, and the VARA Rulebooks, which include the AML and CTF requirements. The Rulebook outlines specific Federal offences the Firm and employees must avoid, including:
Money laundering
Financing terrorism
Financing illegal organisations
Proliferation financing
‘Tipping off’
Sanctions violations
Failure to declare currency or precious metals upon entry or exit from the UAE
AML Procedures, Systems, and Controls
Management and External/Group Controls
Senior management oversees the effectiveness of AML compliance through regular assessments. Employees are required to contribute to this effort by:
Participating in the Compliance Monitoring Programme
Attending compliance and risk meetings with the MLRO
Escalating red flags to the MLRO
Assisting with internal audits and reviews
Supporting management in annual AML compliance assessments
AML Controls
Customer Onboarding
Prior to engaging with a new customer, the Firm’s AML obligations require collection of sufficient information to satisfy the Know Your Customer (“KYC”) process. This information ensures the Firm has:
Verified customer identity;
Evidenced the business activities of that customer; and
Assessed any potential AML risks to the Firm through engaging with that customer.
The steps in the onboarding process are summarised below:
Sanctioned countries are blocked from signing up on the platform by blocking international dialling prefixes.
Clients that do not verify will not progress.
-
-
-
Prospective Clients may be asked to reupload documents in case of any inconsistencies. Any issues are flagged to Compliance who will review within 1 business day.
-
Prospective Client may be asked to reupload document in case of any inconsistencies. Any issues are flagged to Compliance who will review within 1 business day.
Prospective Client may be asked to redo the liveness scan in case of inconsistency.
-
Compliance Team may ask client to upload another PoA in case address is not consistent with information provided above.
If possible or true match, escalate to the Compliance team who have one business day to review. Genuine matches are reported on GoAML and to VARA.
If true match, approval from MLRO required.
If High Risk scores are escalated to the Compliance Team to co- ordinate the manual EDD process. The Compliance Team will inform the Prospective Client to upload additional documentation (SoF & SoW).
High Risk Rated clients will only be onboarded with approval by MLRO.
Alerts generated in ongoing screening are escalated to Compliance who have 1 business day to review them.
If the ongoing process is not completed within 30 days, the client will lose access to view open investment opportunities.
-
-
Customer Onboarding
If the customer was onboarded successfully and a transactional relationship established, it is The Company should not solely rely on the original on boarding process as the business association progresses. Depending upon the customer risk profile (covered below), employees will be required to revisit this material on a periodic basis (KYC review) to account for any changes and to monitor the relationship for any unusual or suspicious activity. The Onfido tool will be used for ongoing screening purposes as mentioned above.
Effective CDD measures taken both before and during a customer relationship will help to confirm the identity of your customer, but also to establish what their normal pattern of transactional behaviour is. Once benchmarked, the KYC team will be better placed to identify any behaviour which deviates from this and be able to assess whether this constitutes suspicious activity or not. Therefore, effective CDD helps the Company to safeguard its reputation by reducing its risk of being used to launder money and avoiding subsequent regulatory or legal breaches.
Once the CDD Form has been completed, it must be submitted to the MLRO along with relevant supporting documentation. The MLRO will then review the CDD Form and will let the relevant team know if any of the mandatory documents are missing (for e.g. Articles of Association, Certificate of Incorporation) for you to follow up with the customer.
Once all information has been collected, it should be sent to the MLRO who will process the information and onboard the customer. The MLRO will confirm in writing to you either that the process has been completed, in which case you may proceed, or that an issue has been discovered during the processing phase in which case, you may not proceed. The MLRO will then either ask you for additional information from the customer in order to resolve the concern or, if the issue is so serious it cannot be rectified, they will tell you that a relationship must not be established with this customer.
KYC review
The MLRO maintains a KYC tracker document which tracks the validity period of the KYC material for each customer which has been onboarded. This period is calculated by the MLRO based on the risk profile of each customer.
When the KYC material is coming up for review, the MLRO will establish internally whether the customer is still active. If so, the MLRO will obtain up-to-date information for the KYC refresh to be processed.
Annual AML Training
The MLRO will deliver AML training to the Company when a new joiner first starts their employment with the Firm and then annually thereafter with the wider group. The MLRO will also maintain a Training Log and Training Register to note down what trainings have been held and who attended these sessions.
The MLRO will at a minimum cover the following matters:
any relevant legislation relating to money laundering, including Federal AML legislation;
the Firm’s policies, procedures, systems and controls which deal with money
laundering and any changes to these;
how to recognise and handle transactions and other activities which may be related to money laundering;
the types of activity that may constitute suspicious activity in the context of the business in which an employee is engaged and that may warrant a notification to the MLRO;
how to make an internal SAR notification to the MLRO;
the prevailing techniques, methods and trends in money laundering relevant to the business of the Firm, including sanctions evasion typologies;
the roles and responsibilities of the Firm’s employees in combating money laundering, including the identity and responsibility of the MLRO and deputy MLRO;
the Firm’s TFS-related obligations;
any relevant findings, recommendations, guidance, directives, resolutions, sanctions, notices or other regulatory guidance provided by VARA.
basic principles of WMD proliferation and proliferation financing.
As this is a mandatory regulatory requirement, continuous failure to attend this training may be considered grounds for disciplinary action.
APPENDIX 2:
APPENDIX 3:
