KNOW YOUR CLIENT/ BUSINESS & RISK BASED ASSESSMENT POLICY
Last modified: May 15, 2024
INTRODUCTION
As a virtual currency provider, UPAY Finance Ltd (“UPAY”, the “Company”) must identify, assess, and understand the risks related to money laundering and terrorist financing. In addition, the Company reviews and examines each of its activities and applies measures to mitigate these risks.
The measures applied by the Company are proportionate to the degree of identified risk. In the course of a risk-based approach, UPAY assesses the probability of the risks becoming real and the consequences of such an event. When assessing the probability, the possibility of the occurrence of the relevant circumstances must be taken into account, including the possibility of potential risks that may affect the activities of both the customer and UPAY, and the possibility that the probability of the occurrence of this risk increases.
UPAY is a Canadian, FINTRAC-registered MSB (Money Service Business) and as such adheres to the required obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations. The governing framework includes but is not limited to the following procedures as set forth by FINTRAC and updated on FINTRAC’s website:
REF: https://fintrac-canafe.canada.ca/guidance-directives/guidance-directives-eng
UPAY is obligated to prepare a risk assessment in order to identify, assess and analyze the risks related to its client’s activity in regard to money laundering and terrorist financing and financial sanctions.
KYC & RISK BASED ASSESSMENT
Legislation and directives:
This model for the identification and management of risks relating to the customer and its activities was constructed in accordance with the regulatory framework provided by:
FINTRAC under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
MiFID II, Money Laundering and Terrorist Financing Prevention Act, the International Sanctions Act, and the Directive (EU) 2015/849 of the European Parliament and of the Council and includes:
the model for the identification and management of the risks arising from the customer and their activities and the determination of the risk profile of the customer;
the model for the identification and management of the risks arising from the activities of UPAY, including the procedure of identification and management of the risks related to new and available technologies and services and products, including new or nontraditional sale channels and new or developing technologies.
CLIENT IDENTIFICATION SPECIFICATIONS:
UPAY will identify its prospective customers through a live electronic verification system, “SUM&SUB”, and create the initial customer onboarding and screening file.
In order to successfully verify your identity and approve your account with UPAY, all customers must submit:
Proof of Identification (POI) document.
The prospective customer will be requested to show their POI and face during a liveness test. SUM&SUB will compare the biometric signature of the customer’s face and the picture in the presented POI document. UPAY reserves the right to request a second piece of ID at its own discretion.
POI documents must adhere to the following guidelines:
POI Document must be government issued, valid, and must not expire in the next 3 months.
All the data must be presented and transmitted in a way that is legible, in high quality.
The presented POI must be the ORIGINAL document and in color. Images of the original document will not be accepted upon the live video identification.
For Canada, the European Economic Area (EEA), Switzerland or the United Kingdom the following may be used as a POI: Passport or Driver’s License or Identity Card.
For all other countries/jurisdictions, the only acceptable POI document is a valid Passport.
In case of POI rejection by SUM&SUB and/or mismatched biometric features, UPAY’s compliance team will manually check the document’s validity and will either reject the customer for onboarding, request another POI/further documents, or approve the customer’s POI.
Proof of Address (POA) Document:
In order to verify the customer’s account, UPAY will also collect a Proof of Address (POA) document from all of its prospective customers.
POA may include the following documents:
Rent/lease/ownership agreement
Utility bills that are address fixed: such as gas, electricity, LAND LINE telephone, or internet bill that was paid, bank account statement sent directly to the verified address (no electronic copies).
Governmental/Municipality MAIL correspondence such as municipality fees/taxes payment or invoice, pension, social welfare etc.
***Mobile phone bills will not be accepted as a Proof of Address***
POA must have been issued in the last 90 days from the time it is first used to verify your account with UPAY.
The procedures containing additional details for the customer identification based on the information from other reliable and independent sources shall be established in the rules of procedure.
RISK ASSESSMENT METHODOLOGY:
UPAY will assess and classify its customers to one of the following risk levels at any given time:
A – Low risk
B – Medium risk
C – Banned/High risk
As part of its on-going monitoring activities, UPAY performs all due diligence measures as required by law. The extent of the implementation of the measures depends on the nature of the specific business relationship/transaction or the level of risk of the person or customer participating in the transaction or act, i.e., the “know your customer” principle must be followed.
When determining and defining the risk levels of the customer or a person participating in the transaction, UPAY shall take into account, inter alia, the following risk categories:
CUSTOMER RELATED RISK
RISK RELATED TO LEGAL NATURE OF CUSTOMER AND IDENTIFICATION OF BENEFICIAL OWNERS
Below are examples of UPAY’s risk level assessments as relating to customer-related risk:
Low risk:
a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
a legal person as governed by Canadian Public Law;
a governmental authority or another authority performing public functions in Canada or a contracting state of the European Economic Area;
an institution of the European Union;
a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area, Canada or the United Kingdom, or a third country, which in its country of location is subject to requirements equal to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
Medium risk:
a natural person;
a company with a firm and transparent structure and data of management bodies and beneficial owners.
High risk:
the beneficial owner of the natural person is some third party;
the customer is a legal entity of any form whose structure of management bodies and/or beneficial owners is segregated and nested. The relevant data is verified on the basis of the statement of the customer’s representative and/or internal or non-public documents provided by the customer;
the customer is a company, or a company related to the customer, that has shareholders acting as a front or has bearer shares;
the ownership structure of the customer company seems, when considering the activities of the company, unusual or too complicated;
the customer is a foundation, civil law partnership, trust, or common fund;
the customer is a person registered in a low tax territory;
the customer is a subject of European Union or UN sanctions.
RISK RELATED TO COUNTRIES, TERRITORIES & JURISDICTIONS
A full list of UPAY’s customer acceptance policy and acceptable jurisdictions by risk levels can be found at the following link and is updated regularly: https://Whitelabel Exchange Demo.NET/acceptance-policy/
Below are examples of UPAY’s risk level assessments as relating to jurisdiction risk:
Low risk:
The customer is from, or their place of residence or location (hereinafter location) is in Canada;
the location of the customer is in another country of the European Union or the European Economic Area;
the location of the customer is included in the list of equivalent third countries provided by the common position adopted by the European Union (Appendix 16), which includes Australia, Canada, Japan, South Korea, Singapore, Switzerland.
Medium risk:
The location of the customer is in a third country not listed above, excluding a High-Risk third country;
High risk:
The risk is primarily increased in such an event where the customer, person participating in a transaction, or the transaction itself is related to a country or jurisdiction which, based on the trustworthy sources in the country like mutual assessments, detailed assessment reports or published follow-up reports, has no valid and efficient systems of the prevention of money laundering and terrorist financing.
The list of countries deemed as High-Risk – Black or Grey List – or under sanctions is determined by the Financial Action Task Force (FATF). The updated list appears, and is kept up to date, on the following webpage:
http://www.fatf-gafi.org/countries/#High-Risk
Additionally, the following clients may also be considered High-Risk or Banned:
Client is subjected to sanctions, embargo or similar measures issued by, for example, the European Union or the United Nations.
The list of EU sanctions for countries is available online: https://sanctionsmap.eu; the list of UN sanctions is available online: https://www.un.org/sc/suborg/en/sanctions/un-sc-consolidated-list;
This is cross-referenced against tools such as Refinitiv WorldCheck ONE and other screening systems employed by UPAY such as Sum&Sub.
That provide funding or support for terrorist activities. These countries include DPR Korea, Syria, Sudan and Iran and they are primarily defined by the data of the United States State Department. This is cross-referenced against tools such as Refinitiv WorldCheck ONE.
That have designated terrorist organizations operating within their territory, as identified by Canada, United States, The European Union or the United Nations. These countries primarily include Syria, Iraq, Libya, Sudan, Somalia, Nigeria, Pakistan, India, Lebanon, Palestine, Sri Lanka, Philippines, Tajikistan, Uzbekistan, Yemen.
RISK RELATED TO CLIENT ACTIVITY OR BUSINESS SECTOR
A full list of UPAY’s customer acceptance policy and acceptable jurisdictions by risk levels can be found at the following link and is updated regularly: https://Whitelabel Exchange Demo.NET/acceptance-policy/
Below are examples of UPAY’s risk level assessments as relating to activity or business sector risk:
Low risk:
Client is a person performing usual and normal economic and professional activities and the turnover of the financial instruments of the customer, or the planned turnover of the financial instruments, is significantly small and does not exceed 40,000 CAD per one year.
Medium risk:
Client is a person performing usual and normal economic and professional activities and the turnover of the financial instruments of the customer, or the planned turnover of the financial instruments, exceeds 40 000 CAD per one month.
High risk:
The business relationship takes place under unusual circumstances, including when the transactions are complicated and of an unusually large scale, or when the transaction patterns are unusual.
The client is a legal entity or another association of persons that does not have the status of a legal entity.
Client’s economic activity does not have a reasonable and clear economic or lawful objective or it is not characteristic of a specific business field or if the customer’s activity includes any of the following, regardless of the amount of the turnover:
private or personal banking;
providing or intermediating a product or service which may promote anonymity;
personal asset holding;
undertaking handling large amounts of cash;
currency exchange, conversion transactions;
providing a service of exchanging a virtual currency against a fiat currency or a virtual currency wallet service;
providing gambling services (in a casino, on the internet or at sports events);
purchasing and selling gold (incl. scrap gold), other precious metals or gemstones;
purchasing and selling luxury goods;
providing internet advertising;
providing innovative services;
establishing, selling, and managing companies;
other activities with a higher than Medium risk of money laundering or terrorist financing;
customer is providing services via untraditional sales channels;
there is a constant change of customers;
the person’s customer base has grown rapidly;
RISK RELATED TO BILLING & ONGOING TRANSACTIONS
Low risk:
A long-term contract is entered into with the customer that is in a written or electronic format or in a format that can be reproduced in writing;
the client receives payments within the scope of the business relationship only via an account located in a credit institution entered in the Commercial Register in Canada or in a branch of a foreign credit institution or in a credit institution that has been established or whose place of business is in Canada, the European Economic Area (EEA) or in a state where requirements equal to those established in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations.
the total value of the incoming or outgoing payments of transactions made in the business relationship does not exceed $15,000 CAD per year and there are fewer than 20 transactions per month.
Medium risk:
the customer uses the following during transactions with the Company:
a limited amount of cash that does not exceed $50,000 CAD or the equal amount in another currency, regardless of whether the transaction is made as one payment or as several connected payments within a period of up to one year;
High risk:
the customer uses the following during transactions with the Company:
credit institution, financial institution, paying institution or tax system that promotes anonymity;
credit institution, financial institution, paying institution or tax system that is located in a High-Risk third country;
settlement channels and accounts belonging to unknown or unrelated third persons;
settlement channels and accounts belonging to third persons who are unknown or unrelated;
large amounts of cash that exceed 50,000 CAD or the equivalent sum in another currency, regardless of whether the transaction is made as one payment or as several connected payments within a period of up to one year;
a credit institution, financial institution, payment institution or a payment system that is not located in a High-Risk third country or promoting anonymity and that is, according to its own experience or independent sources, reliable, and performs controls against money laundering and terrorist financing;
RISK ARISING FROM POLITICALLY EXPOSED PERSONS (PEP)
Low risk:
the customer is not a politically exposed person, the family member of the politically exposed person or a person known to be the close associate of the customer who is a politically exposed person.
Medium risk (Refused onboarding under the current risk appetite policy):
The customer is not a politically exposed person or the family member of the politically exposed person, however the client is personally familiar with a low-level PEP.
C. High Risk (Refused onboarding under the current risk appetite policy):
The customer is a politically exposed person and/or the family member of the politically exposed person and/or a person known to be the close associate/has close familiarity with a politically exposed person. In such a case, as per the company’s risk appetite, the client will be denied service.
The background of the customer is verified primarily by:
The information, documents and statements received from the customer;
Using the Refinitiv WorldCheckOne database scan for PEP, negative media, known criminal record, sanctions lists etc.;
Using Sum&Sub screening tool for PEP;
Using Google and the local search engine of the customer’s country of origin, if any, by entering the customer’s name in both Latin and local alphabet with the customer’s date of birth.
RISK RELATED TO CLIENT IDENTIFICATION
A. Low risk:
the natural person who is the resident of Canada, the European Economic Area (EEA), Switzerland and the United Kingdom who is identified face to face or by a video identification service.
the customer who is a legal entity entered in the commercial register of Canada, or the register of non-profit associations and foundations, is identified on the basis of original documents provided.
B. Medium risk:
a foreign natural person customer is identified face-to-face or through a video identification service;
the foreign customer who is a legal entity is identified on the basis of original documents provided and on the basis of the public information of the commercial register, or the register of non-profit associations and foundations face-to-face with the customer or the representative of the customer by identifying the representative on the basis of documents provided on the basis of a notarized or equivalent document certifying their authority, which has been legalized or certified by a certificate (apostille) replacing legalization, unless otherwise determined.
The identity of a natural person or legal entity is verified by a notary or officially certified copy of the documents provided.
C. High Risk:
during establishing the identity or verifying the information provided, suspicion has arisen as to the truthfulness, accuracy, integrity or completeness of the information provided or the authenticity of the documents or the identification of the natural person or beneficial owner / Director/ legal entity executive especially relating to AML reporting Know your customer (KYC) and Know Your Business (KYB) screening;
the person is identified on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event;
the representative of the customer is a legal entity.
RISK RELATED TO CHANNELS OF COMMUNICATION OR TRANSMISSION BETWEEN THE COMPANY AND THE CUSTOMER
A. Low risk:
the customer is communicated with through a communication or mediation channel that is agreed upon at the start of the business relationship or transaction or reliably changed during the course of the business relationship;
products or services are delivered to the customer through a reliably modified delivery channel during the business relationship or at the initiative of the transaction.
B. Medium risk:
at the start of the business relationship or transaction, the customer is communicated with through a temporary communication or mediation channel;
the products or services are delivered to the customer through another temporary product or service delivery channel transmitted through an agreed communication or intermediation channel initiated by the business relationship or transaction.
C. High Risk:
the customer is communicated with through an accidental, unreliable, or unusual communication or mediation channel;
products or services are delivered to the customer through an accidental, unreliable, or unusual delivery channel;
the existence and nature of a risk factor associated with the service provider used to deliver the service or product being sold;
the distance between the location of the customer and the service provided or product offered is significantly high.
Taking into account the above risk categories, UPAY determines the risk level of the person involved in the transaction or the customer, for example whether the customer’s money laundering or terrorist financing risk is low, normal, or high or corresponds to other risk levels specified and used by the Company.
In order to determine the impact of each risk category, UPAY assesses the probability of the occurrence of risk factors in that risk category. To determine the impact of a particular risk category, a qualifying amount of the presence of risk factors that characterize it can be used to consider a particular risk factor as having “impact” or “no impact” for a given person when a certain threshold is exceeded.
Instructions for defining low/medium level of risk:
Generally, the customer’s level of risk is low if there is no influential risk factor in any of the risk categories so it can be concluded that the customer and their activities do not have different characteristics from normal and transparent activities, and there is no reason to suspect that the customer’s activities may bear an increased risk of money laundering or terrorism financing.
In the situations where due diligence is required by legal acts, and the information about the customer and its beneficial owner is publicly available, where the person’s activities and transactions are consistent with their usual economic activity and do not differ from other similar customers’ payments practices and behaviour, or where there are quantitative or other absolute restrictions, the Company may consider the customer‘s expected risk of money laundering or terrorist financing to be low.
In the situation where at least one risk category qualifies as high, the risk of money laundering or terrorist financing cannot generally be low. On the contrary, low risk does not necessarily mean that the customer’s activities cannot be linked to money laundering or terrorist financing.
If the risk arising from the business relationship, the customer or the party to the transaction or the transaction is low, based on the risk levels assigned to the party or customer and other conditions provided for are met, the Company may apply simplified due diligence measures.
Instructions for defining high level of risk:
Generally, the customer’s risk level can be considered high if, when assessing the risk categories as a whole, there is a suspicion that the customer’s activities are not usual or transparent, incl. there are influential risk factors, and it can be assumed the risk of money laundering or terrorist financing is high or significantly increased. The customer’s risk level is also high if it is indicated by some separate feature of the risk factor. However, High-Risk does not necessarily mean that the customer is engaged in money laundering or terrorist financing.
If the Company considers the risk of the customer or the person involved in the transaction to be high, the Company must apply enhanced due diligence measures in order to properly manage the respective risks. The due diligence measures must be applied in accordance with the provisions warranted.
UPAY shall document, update, and disclose the determination of the level of risk to the competent authorities if necessary.
The services of UPAY are primarily related to the handling and storage of currencies presented in a digital form. The provision of a service of exchanging a virtual currency against a fiat currency and a virtual currency wallet service primarily requires the use of new and evolving technologies, which may involve the implementation of new or non-traditional sales channels within the economic activities of the Company. The vast majority of virtual currencies are comprised of different cryptocurrencies and related tokens, built on a new and rapidly evolving blockchain technology and a distributed database that is updated through a mathematical consensus algorithm.
This assessment is mainly the result of the following factors:
Blockchain technology is new and evolving, so the mechanisms and algorithms for its occurrence, existence, transfer, and trading are not constant and may be too complex to understand. This encourages the involvement and use of virtual currencies, including cryptocurrency, in various fraudulent schemes and scams;
Blockchain technology promotes anonymity (cryptocurrency wallet addresses are not personalized and exist usually in large quantities), which may involve the use of virtual currencies, including cryptocurrency, in money laundering, tax evasion, terrorist financing or criminal schemes;
Blockchain technology is based on a P2P network and is not governed by any central organizations, which may facilitate the manipulation of the value of virtual currencies, including cryptocurrency.
This risk analysis, risk mitigation method and the definition of risk appetite defined by UPAY as a provider of service of exchanging a virtual currency against a fiat currency and a virtual currency wallet service have been prepared in order to fulfil the obligation arising from the in view of the general risk associated with the Company’s activities.
UPAY is obliged to inform the employees of the company on an ongoing basis about changes in the risk assessment arising from the Company’s activities and changes in the company’s long-term and short-term doctrine and separate viewpoints and instructions (according to the market situation, the political and economic situation, the arrangements of the supervisory authorities, etc.) in order to comply with the provisions of the PCMLTFA. This information and these notices do not necessarily have to be in the form of appendices to these guidelines and may be provided at meetings, through the heads of structural units, via e-mail or orally, but regardless of the method of transmission, it is mandatory to comply with and follow this information and these notices.
RISK RELATED TO ACTIVITIES OF THE COMPANY & NATURE OF SERVICES PROVIDED
The following lists the risk factors and circumstances related to the customer’s degree of risk arising from the nature and volume of services provided by UPAY to the customer.
A. Low risk:
UPAY sells any virtual currency to the customer and the customer pays for it through a payment account located in a credit institution, electronic money institution or payment institution established in Canada or within the European Economic Area (EEA), The United Kingdom or Switzerland.
UPAY provides the customer with a virtual currency wallet service and the customer keeps in UPAY’s virtual currency wallet his/her own virtual currency, which was purchased from the Company, and does not transfer these virtual currencies to third parties or receive virtual currency transfers from third parties; the total value of incoming or outgoing payments for business transactions does not exceed 15 000 CAD per year.
B. Medium risk:
UPAY sells any virtual currency to the customer and the customer pays for it through a payment account located in a credit institution, electronic money institution or payment institution established in Canada or in a contractual state of the European Economic Area.
UPAY provides the customer with a virtual currency wallet service and the customer keeps their virtual currency in the virtual currency wallet and makes virtual currency transfers to virtual currency wallets opened in an institution subject to requirements equivalent to ;
the total amount of incoming or outgoing payments related to business transactions or service contract in one calendar month does not exceed 15 000 CAD for a natural person and 25 000 CAD for a legal entity.
C. High Risk:
UPAY sells any virtual currency to the customer and the customer pays for it through a payment account located in a credit institution, electronic money institution or payment institution established outside of a contractual state of the European Economic Area.
the customer sells virtual currency for money which promotes anonymity;
UPAY provides the customer with a virtual currency wallet service and the customer keeps their virtual currency in the virtual currency wallet and transfers virtual currencies to virtual currency wallets opened in an institution for which no requirements equivalent to have been established;
UPAY provides the customer with a virtual currency wallet service and the customer keeps the virtual currency of third parties in the virtual currency wallet;
the total amount of incoming or outgoing payments related to business transactions or service contract in one calendar month exceeds 15 000 CAD for a natural person and 25 000 CAD for a legal entity.
RISK RELATED TO IDENTITY THEFT AND ANONYMOUS VERIFICATION ATTEMPTS:
As a part of its AML obligations, UPAY will verify the identity of any prospective client.
Due to breaches in the security of numerous websites (unrelated to UPAY in any way), a wide variety of personal, sensitive information can be obtained through the “Dark Net” and may be used to steal individual identities. It may also be used by criminals to attempt to onboard with UPAY to commit other crimes, amongst others related to Money Laundering and terrorist financing, all the while acting anonymously and keeping the criminal’s true identity hidden.
Examples of client documents and information that are susceptible to identity theft and misuse:
Compromised images of Proof of Identity (POI) documents, e.g. Passport, Driver’s License, National ID
Compromised images of Proof of Address (POA) documents, e.g. Utility bills, tax returns, bank statements etc.
Credit Score information
Credit/Debit card images and information such as numbers, expiry dates and CVV codes
Social Insurance numbers
National ID or Driver’s License numbers
Full and/or maiden names
Dates of birth etc.
Residential address information
Compromised email addresses
RISK OF HACKS IN ONLINE SERVICES, END DEVICES AND GENERAL ONLINE SCAMS
UPAY is aware that online scams frequently make use of Cryptocurrency exchanges with lax security measures to accept payments from their victims in Cryptocurrencies.
The scammers will try to persuade the victim to either:
Voluntarily purchase Cryptocurrency and send it to an externally controlled wallet.
Take control over the victim’s end device and payment information (for example Credit Card) to purchase Cryptocurrency without the victim’s full knowledge or agreement, and send the coins to an external wallet.
Due to the technological nature of all Blockchain protocols, once a transfer transaction has been finalized it cannot be cancelled, rejected or refunded. Furthermore, no regulatory body exists that can technically govern the movement of Cryptocurrencies within the Blockchain, thus leaving the victim without any recourse to reclaim their stolen funds.
The scammers will often try:
To persuade their victims to hand over usernames and passwords for existing accounts including for Cryptocurrency Exchanges, Banks, Email accounts etc.
To directly obtain authentication codes to complete money related activities such as account withdrawals.
To take control over the victim’s end device (phone, tablet, or computer) via means of brute force, malware and malicious links.
To send “spoof” e-mails asking the victim for their login information while impersonating a body that the client is well familiar with, like a bank or email provider.
To take control over the victim’s end device (phone, tablet, or computer) via means of remote controlling software such as AnyDesk, TeamViewer and others.
RISK APPETITE
UPAY shall not enter into business relations with natural persons and/or legal entities who are categorized by one or more factors as “High Risk” or “Banned”, or prohibited by these guidelines and its appendices or by the laws, directives or policies by which UPAY is bound. UPAY shall avoid business relations in particular with the following categories of customers:
It is not possible to identify the customer (legal or natural entity);
The end risk level upon onboarding is determined as “High Risk” or “Banned” by UPAY’s compliance team and AMLRO for any of the risk assessment categories mentioned above. For example:
The customer is located in a High-Risk third country, subjected to sanctions.
The customer is subject to European Union or UN sanctions;
The customer has previously been convicted of money laundering, tax evasion, terrorist financing or any criminal activities, or is under criminal proceedings.
MITIGATION OF RISKS
The following describes UPAY’s risk mitigation practices in place:
Identification and KYC procedures upon onboarding:
Upon onboarding, the prospective client must be identified by a video identification call rather than relying on static files uploaded online and containing the required KYC documentation. Currently UPAY uses Sum&Sub platform to perform its video verification.
In order to mitigate the risk of identity theft or anonymous registration, Sum&Sub will also compare the biometric information on the submitted Proof of Identification (the client’s photo in their Proof of Identity) against the biometric information gathered during the video identification and will detect and reject mismatches.
Client Screening: Client assessment with at least two database aggregators to screen for PEP, negative media, criminal activity, pending or past legal cases against a legal entity (and its shareholders, directors, and company executives which hold signatory rights in the account or with the client as a whole), or an individual.
Currently UPAY uses (i) Sum&Sub and (ii) LSEG WorldCheck One to screen its prospective clients and monitor their ongoing activity. The search for the legal entity/individual names within the databases is set to 85% deviation sensitivity for the name collected upon onboarding or during transaction monitoring.
Upon registration UPAY will verify the client’s email and phone details by a 2-FA (Two Factor Authentication) code.
Collection of the client’s online footprint:
UPAY screens and collects clients’ IP and user agent information, as well as the last known web address visited, upon onboarding, registration and login.
Attempts to register or access the platform via VPN will be blocked.
A mismatch between the client country / phone number country and the IP will flag the client for further review.
Web referrals from known online scams, for example unlicensed trading, will also suspend the account pending further review.
Ongoing transaction monitoring:
Upon each incoming or outgoing fiat transaction:
Proper documentation justifying the transaction will be collected (invoice, agreements etc.) prior to finally crediting or debiting the transaction. The documents will then be approved, lead to a request for more information, or be rejected by UPAY’s compliance team.
Sender and beneficiary screening. The process is automatic via API, and the UPAY platform will suspend transactions that exceed its defined thresholds and place them in line for a manual review and release.
All client deposits MUST originate from a bank account under the name of UPAY’s registered client ONLY. Funds sent from accounts under other names will be rejected unless a Power of Attorney can be provided.
For transactions involving deposits or withdrawals of cryptocurrency:
Prior to withdrawing outgoing or crediting incoming coins, a blockchain monitoring system will screen the sending and/or receiving Cryptocurrency address and its associated risk. The risk measured by the Blockchain monitoring system will also be factored into UPAY’s overall client risk assessment and determined levels. The process is automatic via API, and the UPAY platform will simply suspend transactions that exceed its defined thresholds pending a manual review.
Collection of client waivers – Declaration of Deposit & Release of Claims (DOD) for transactions:
Suspicious transactions by amount, count, deviation from client usual activity, suspicious web referrals or IPs will require the client to sign an online form “Declaration of Deposit and Release of Claims” (DOD). The DOD will include the following waiver clauses:
Risk warning by UPAY as to the dealing in Cryptocurrency as well as caution from online scams.
Client approval that the purchase of cryptocurrency is not being used as a form of payment for any unlicensed activity such as online trading.
Confirmation of both the fiat deposits and conversions to Cryptocurrency that were done on the client’s account.
Confirmation by the client that they have purchased the cryptocurrency out of their own free will and were not coerced in any way by a third party, nor were solicited to purchase cryptocurrency by UPAY or by any third party.
Ongoing Client monitoring and screening:
Collection of updated, recent Proof of Address (POA) and Proof of Identification or an additional Video Identification.
LSEG WorldCheck and Sum&Sub client screening for every incoming and outgoing transaction via API.
Activity verification by 2 Factor Authentication tools:
To ensure that clients themselves are the only ones that access and use the account, UPAY will require TWO 2-FA (2 Factor Authentication) codes for all sensitive activity on UPAY’s platform. UPAY will send 2 authentication codes to the client (to their original registration email and phone number) prior to executing any of the following activities:
Login
Change of personal details
Change of registered bank account
Withdrawals of both Fiat and Cryptocurrency
Account restrictions:
Upon flagging of a suspicious transaction based on the criteria introduced above, account restrictions may be applied to the account:
Restrictions on deposit amount or deposit count in fiat or cryptocurrency within a specific time frame.
Restrictions on, or disabling of, permitted activity in terms of jurisdictions, business sectors or specific beneficiaries or senders.
ENHANCED DUE DILIGENCE (EDD) POLICY:
Triggers for Enhanced Due Diligence:
Flagging of a specific transaction, client, sender or beneficiary that exceeds the threshold of Medium Risk scoring set forth by UPAY and its risk assessment policy.
Triggers include (but are not limited to):
Transaction amounts.
Transaction count in a given time frame.
Deviation from usual activity (for example changes in transaction amount, transaction count, new counterparties at High-Risk, new online footprint information such as mismatched IPs to country or inconsistent out of range IP use, VPN use).
Engaging with known High-Risk counterparties/business sectors.
New negative screening results from WorldCheck One or Sum&Sub for the client or its counterparties.
Enhanced Due Diligence Measures:
Collection of relevant information and documentation to better understand the nature of the flagged transactions and/or client.
Collection of further documentation related to the client and its activities. The requests may include (but are not limited to) the following:
For legal entities:
Submitting a suspicious transaction report by UPAY’s MLRO to the appropriate authorities in Canada (FINTRAC).
UPAY’s MLRO may, at its own discretion, submit a suspicious transaction report in the client’s domiciled jurisdiction.
Audited annual financial reports and most current balance sheet of the client or its counterparties.
Absence of criminal record, absence and history of legal proceedings that were filed against the legal entity and/or its shareholders, directors or executives which hold signatory rights.
Proof of control over external Cryptocurrency wallets that the client had engaged with. (Travel Rule)
Second piece of Identification and Proof of Address for the legal entity’s shareholders, directors and executives who hold signatory rights.
Second Video Identification for the legal entity’s shareholders, directors and executives who hold signatory rights and a detailed information interview regarding the background of the suspicious transaction/new findings.
For individuals:
Absence of criminal record, absence and history of legal proceedings that were filed against the legal entity and/or its shareholders, directors or executives which hold signatory rights.
Individual Tax returns.
Proof of control over external Cryptocurrency wallets that the client had engaged with. (Travel Rule)
Additional Video Identification and interview verification of any reasoning behind the suspicious or flagged transactions.