INTERNAL AML AND CTF POLICY
Last updated: March 27th, 2019
In common with many other countries, Estonia has passed legislation designed to prevent money laundering and to combat terrorism. This
legislation, together with regulations, rules and industry guidance, forms the cornerstone of AML/CTF obligations for Estonian companies
and outlines the offences and penalties for failing to comply.
FlashXchanger OÜ is committed to meeting regulatory demands and to keeping its AML/CTF Policy aligned with current legislative requirements.
FlashXchanger OÜ may have additional policies and procedures designed to comply with legislation, regulations and any other policies.
Definition of money laundering and terrorist financing
‘Money laundering’ means:
- the conversion or transfer of property derived from criminal activity or property obtained instead of such property, knowing that such
property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the
illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal
consequences of that person’s actions;
- the acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at
the time of receipt, that such property was derived from criminal activity or from an act of participation therein; and,
- the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of,
property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from
criminal activity or from an act of participation in such an activity.
‘Terrorist financing’ means the financing and supporting of an act of terrorism and commissioning thereof within the meaning of § 2373 of
the Penal Code of Estonia.
‘Politically exposed persons’ (English abbreviation PEP) means a natural person who performs or has performed essential functions of public
authority, including the head of state, the head of government, the minister and the Deputy Minister of Assistance, a Member of Parliament or
a legislator similar to Parliament, a member of a political party, a Supreme Court and a Supreme Court member of the supervisory board and
a central bank supervisor, an ambassador, an attorney general and a senior officer of the armed forces, a member of the management board
and administrative or supervisory body of the state company, an international organisation leader, a deputy leader and a member of the
governing body or an equivalent person who is not an officer of middle or lower level. In addition, a person with a national background is a
person who performs or has performed essential functions of public authority in Estonia, another Contracting State of the European
Economic Area or an institution of the European Union.
‘Beneficial owner’ means a natural person who, by exploiting his or her influence, uses a transaction or transaction, or otherwise controls the
transaction, or other person, and in whose interest, benefit or on account the transaction or operation is performed. In the case of a company,
the beneficial owner is a natural person who ultimately owns or controls a legal entity through a sufficient number of shares, shares, voting
rights or ownership, whether directly or indirectly, including in the form of bearer shares or shares, or by any other means.
‘Direct ownership’ is the way in which a natural person holds a 25% stake in a company, plus one share or more than 25% of ownership.
Indirect ownership is the type of control in which a company owns a 25% stake plus one share or more than 25% ownership of a company
controlled by a natural person or several companies under the control of the same natural person.
means an employee appointed by the decision of the Management Board of FlashXchanger OÜ who is a contact person of
the Financial Intelligence Unit and regulates and controls the implementation of measures for combating money laundering and terrorist
‘Business relationship’ means the relationship between FlashXchanger OÜ and customer resulting from the conclusion of a durability
contract in economic or professional activities or which is based on economic, vocational or professional activities and not on a contract of
‘Customer’ means a person who uses or has used one or more services offered by FlashXchanger OÜ and is identified by FlashXchanger OÜ
employee or service provider.
‘Employee’ means a person who works in FlashXchanger OÜ and is responsible for the execution of a specific transaction.
‘Financial Intelligence Unit’ means an independent structural unit of the Police and Border Guard Board, which supervises and applies
national rules on the basis and pursuant to the procedure prescribed by law. Postal address: Tööstuse 52, 10416 Tallinn; e-mail
Scope and objectives of the policy
This Policy applies to all employees, all functions, all units in FlashXchanger OÜ. The aim of FlashXchanger OÜ is to comply with relevant
laws and regulations, as well as to mitigate and reduce the potential risk of customers using our products and services. The main objectives
of this Policy are:
- to prevent FlashXchanger OÜ from being used for financial crime so as to comply with all applicable legal requirements; and,
- to ensure that the most appropriate action is taken by FlashXchanger OÜ to mitigate the risks associated with financial crime.
FlashXchanger OÜ, all its managers, officers and employees shall comply with the relevant laws and regulations in the market in which
FlashXchanger OÜ operates. Accordingly, the following laws and regulations serve as the basis of this AML Policy:
- European Union Directive on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
as amended from time to time;
- Money Laundering and Terrorist Financing Prevention Act of Estonia as amended from time to time;
- instructions issued by the Financial Intelligence Unit to identify money laundering and terrorist financing suspicious transaction patterns;
- other instructions for compliance with the Money Laundering and Terrorist Financing Prevention Act;
- any other national or international law or regulation applicable to FlashXchanger OÜ operations.
The employees of FlashXchanger OÜ must independently review the amendments to laws and other legal acts that appear on the website of
the Financial Intelligence Unit at https://www.politsei.ee/en/organisatsioon/rahapesu/index.dot.
The CEO of FlashXchanger OÜ, who is responsible for AML and CTF compliance, is required to present this Policy to all employees, who must
read and understand it and confirm their familiarization with this Policy by handwritten signature (Annex 3).
The employees of FlashXchanger OÜ are personally liable for compliance with the requirements of the Money Laundering and Terrorist
Financing Prevention Act pursuant to the procedure provided by law.
Reporting to Financial Intelligence Unit
FlashXchanger OÜ is obliged to report to the Financial Intelligence Unit in the event of suspicion of money laundering or terrorist financing.
If an employee of FlashXchanger OÜ identifies activities or circumstances in the course of an economic or professional activity or an official
transaction whose characteristics indicate money laundering or terrorist financing, or if the employee suspects or knows that money laundering or
terrorist financing is involved, the employee shall immediately inform the FlashXchanger OÜ contact person, who will transmit the information to
the Financial Intelligence Unit, in accordance with the regulations of the Minister for the Interior.
Employees are forbidden from informing the person about whom information is forwarded to the Financial Intelligence Unit.
The contact person will complete the notification form and enclose copies of the underlying documents of the transaction, as well as copies of
the documents on which the identification of the person is based. Copies of other documents characterizing the nature of the transaction
may be attached to the notification.
The form for the notification to the Financial Intelligence Unit is located at: https://www.riigiteataja.ee/tolkelisa/5240/9201/4022/a1.pdf#
Instructions for the compliance of the form for notification is located at:
It is preferred to send the message encrypted by e-mail to: [email protected]
At the first request of the Financial Intelligence Unit, FlashXchanger OÜ contact person will send all necessary documents and information.
FlashXchanger OÜ is committed to identifying and assessing any money laundering or terrorist financing risks as well as to mitigating these risks to
an acceptable level. As part of the risk assessment, we perform the following:
- risks are validated every time before the customer makes a transaction or establishes a business relationship
with FlashXchanger OÜ;
- risk assessment must be performed for existing clients at least once a year, or if the transaction shows signs of money laundering or terrorist financing,
or if the employee has legitimate doubts about the content of the transaction;
- risk assessment shall be conducted if the transaction exceeds EUR10,000 or equal amount in foreign currency or equal amount in
In assessing risks, an employee of FlashXchanger OÜ must fill in risk assessment forms and assess potential risks based on this Policy.
The management board of FlashXchanger OÜ has instructed FlashXchanger OÜ CEO to develop and implement this Policy to prevent money
laundering, terrorist financing and breaches of financial sanctions. The CEO shall be responsible for ensuring that FlashXchanger OÜ, its
employees and officers comply with the measures set forth in this Policy. The CEO is responsible for implementing this Policy and may
delegate these responsibilities, including outsourcing to external suppliers, at the CEO's own discretion.
If the CEO delegates authority for customer verification, the CEO shall ensure that the service provider complies with this Policy.
FlashXchanger OÜ does not accept any breach of this Policy. Any breaches, either material or systematic, should be reported to the CFO.
FlashXchanger OÜ refuses to work with or accept natural persons or legal entities as customers (both existing and new customers) if they are
subject to financial sanctions.
In order to comply with financial sanctions regulations, FlashXchanger OÜ will verify customers’ identities.
There are several other legal regulations which impact upon this area in relation to, for example, data and consumer protection.
FlashXchanger OÜ will examine all legal possibilities to satisfy the legal requirements above and, at the same time, comply with data and
consumer protection regulations.
FlashXchanger OÜ will take all relevant steps to discontinue the provision of products and services to natural persons and/or legal entities
where FlashXchanger OÜ has a reason to believe that the natural person and/or the legal entity is using or will use FlashXchanger OÜ products
and/or services for financial crime.
Customer status can be as follows:
- Politically Exposed Person (PEP)
- Service Intermediary
- Private Person
- Legal Entity
Particular care should be taken if the customer has a political background or is a service intermediary with whom FlashXchanger OÜ has not
previously cooperated. The employee must immediately inform the contact person if the customer is a politically exposed person (PEP) or
Attention must be paid to a customer who is a legal entity and whose registration or establishment has been less than 365 days prior to the
In the case of a legal entity, it is important to check the members of the governing bodies to make sure they are not on the sanctions list.
In the case of individuals, it is necessary to pay attention to non-compliance with the name, appearance and behaviour.
The risk associated with customer countries or geographic areas or jurisdictions.
The risk of customers or geographic areas or jurisdictions is due to the fact that some countries and/or geographic areas or jurisdictions
may be less vulnerable to money laundering and terrorist financing than in the European Union.
As a result, all countries or geographic regions or jurisdictions are divided into low risk, medium risk and high risk groups.
Low risk countries or geographic areas or jurisdictions
- Low risk countries or geographic areas or jurisdictions are countries where, according to the Financial Intelligence Unit, money laundering
and terrorist financing are subject to requirements equivalent to those of the European Union.
- Low risk countries are all Member States of the European Union and the European Economic Area. The countries of the European Union
and the European Economic Area can be verified at: https://europa.eu/european-union/about-eu/countries_en.
- Low risk countries, in addition to this section, include: Argentina, Australia, Brazil, Canada, Hong Kong, Japan, Mexico, New Zealand,
Singapore, Switzerland, South Africa, United States of America.
Medium Risk Countries or Geographic Areas or Jurisdictions
- Medium risk countries or geographic areas or jurisdictions are countries other than those mentioned in list of low risk countries or
geographic areas or jurisdictions mentioned above and which belong to the list published by the Estonian Tax and Customs Board in the
territories that are not considered to be a low-tax territory (https://www.riigiteataja.ee/akt/129122016034).
- An overview of the list published by the Estonian Tax and Customs Board in the territories that are not considered to be low-tax territory is
published on the website of the Estonian Tax and Customs Board at: https://www.emta.ee/et/ariklient/tulud-kulud-kaive-kasum/
High risk countries or geographic areas or jurisdictions
High risk countries or geographic areas or jurisdictions are those countries for which the European Union has initiated sanctions. A detailed
overview of the sanctions launched by the European Union can be obtained at: https://www.sanctionsmap.eu/#/main.
Risk due to customer communication
The risk arising from the communication channel with customers is due to the fact that communication with the customer takes place
through communication channels and FlashXchanger OÜ may not have the opportunity to spot signs of money laundering or terrorist
financing right now.
Risk levels depending on the communication channel
- if the communication takes place personally, at FlashXchanger OÜ office and the customer is identified by the employee, then the risk is
- the employee must make sure that the customer understands the transaction that he wants to make and that the customer will be able
to carry out promises made in the future.
- if the communication takes place through information technology channels, the employee must be attentive, since the communication
with the customer via IT tools allows the customer to conceal his or her real desires.
- in case the customer interacts with the employee through IT tools both orally and in writing, when answers to the questions submitted
are given in a reasonable time, and the customer knows the nature of the activity being represented, and the customer knows the data
about his / her business (e.g. actual beneficiaries, owners, location, contact details, etc.) and the customer is able to describe its potential
partners and / or areas of activity, the given risk is assessed as average.
- in case the customer communicates with the employee only in writing, the answers are delayed over a reasonable period of time, and
there are reasons to believe that this is fraud and / or money laundering, the risk is judged to be high.
- in view of business risks, due diligence may be carried out in the absence of the same person in the transaction if all the following
conditions are met:
a) a written durability agreement has been concluded with the customer;
b) no doubts arose in creating a customer relationship when performing diligence;
c) when making a transaction, it can be verified that it is the same person;
d) transactions are normal and economically justified;
e) if the total value of incoming or outgoing payments in a business-to-business relationship between a customer and FlashXchanger OÜ
does not exceed EUR 3 000 per year.
Customer due diligence
FlashXchanger OÜ (including its responsible external service providers) requests and obtains the following documents and information from
For natural person:
- full name; and
- personal identification code; and
- date and place of birth; and
- place of residence or seat; and
- if the person is not the customer, the person's relationship to the customer.
For legal person:
- name or business name of the legal person; and
- registry code or registration number and the date of registration; and
- names of the director, members of the management board or other body replacing the management board, and their authorisation in
representing the legal person; and
- details of the telecommunications of the legal person.
In order to verify the above mentioned information FlashXchanger OÜ will require submitting the following
For natural person (one of the following documents – as applicable):
- identity card;
- Estonian passport;
- diplomatic passport;
- seafarer’s discharge book;
- alien’s passport;
- temporary travel document;
- travel documents for refugee;
- certificate of record of service on Estonian ships;
- certificate of return;
- permit of return;
- valid travel document issued in a foreign country; or
- driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act of Estonia.
An employee of FlashXchanger OÜ is prohibited from performing a transaction and concluding a contract:
- if the customer refuses to provide the requested information and if the customer is on the blacklist;
- if the customer fails to submit required documents and relevant information, or if, on the basis of the documents submitted,
the employee suspects that such customer is involved in money laundering or terrorist financing.
In the situations mentioned above, the contact person shall promptly inform the Financial Intelligence Unit about such facts.
For legal entity:
- registry card of the relevant register;
- registration certificate of the relevant register, or
- document equal to the document specified in clause 1 or 3 above.
The basis for identifying a legal person is the following documents:
- an extract from the register card of the relevant register issued by the competent authority or body not earlier than six months before it is
submitted (in the case of a legal entity registered in Estonia and a branch of a foreign company registered in Estonia);
- an extract from the relevant foreign registry or a copy of the registration certificate or equivalent, issued by the competent authority or
body not earlier than six months before it is submitted (in the case of a foreign legal person).
An employee of FlashXchanger OÜ registers the following information in relation to the legal entity:
- names of management board members or other body replacing it and their powers in representing a legal person;
- names of beneficial owners of the legal entity;
- field of activity of the legal person;
- telecommunication numbers;
- in the case of a legal person, a member of the management board or any other body replacing it, it is necessary to collect all the
information described in sections 1) and 2).
- the basis of the right of representation as mentioned below.
A representative of the person participating in the transaction shall submit a document certifying his right to act on behalf of a legal person (a
power of attorney).
The power of attorney given to the representative of a legal person must include at least:
- details of the principal (name of the competent body, location and registry code);
- details of the representative (name, surname, personal identification code or date of birth, and place of residence);
- date of issue of the document;
- validity of the mandate;
- scope of the mandate;
- right of sub-delegation, if given to the representative.
A representative of a foreign legal person registered in Estonia submits a notarised power of attorney for the performance of operations.
In case of a non-resident natural person, the following information is fixed:
- first and last name;
- personal identification code and date and place of birth;
- name, number, date of issue of the travel document, name of the issuer;
- residential address;
- location address when creating a contact;
- occupation or field of activity;
- information on whether the person is performing or has fulfilled the essential functions of the public authority or is a close associate or a
family member of the public authority (i.e. a political background in the sense of RTRTS);
- contact phone number.
If necessary, it is also required to request a notarized copy of the travel document with photo as well as a visa or temporary residence permit.
In the case of a non-resident legal person, the following information shall be fixed:
- legal entity name and registry code;
- name of the register and web address;
- all necessary documents from the offshore regions according to the region;
- actual beneficiary information;
- postal address;
- place of business address;
- field of activity;
- details of the bank account(s);
- contact telephone number;
- power of attorney, if applicable;
The power of attorney shall be notarized and apostilled, unless otherwise provided by an international agreement.
Notarised copies of the aforementioned documents must be received by post.
The employee of FlashXchanger OÜ is prohibited from performing the transaction and concluding a contract and shall promptly inform the
Financial Intelligence Unit:
- if the customer refuses to provide the requested information in accordance with this Policy;
- if the customer fails to submit the required documents and relevant information or if, on the basis of the documents submitted, the
employee suspects money laundering or terrorist financing.
The employee of FlashXchanger OÜ shall also search for information on the Internet.
In case of doubt, the customer or representative will be questioned on the basis of the data collected through a contact telephone or Skype
(or equal) video call.
In the case of a durability relationship, the data collected is reviewed and, if necessary, updated, at least twice a year.
In addition, if the person or client involved in the transaction is affiliated with another contracting state of the European Economic Area or is a
national of a third country, information shall also be given on whether the person is performing or has fulfilled the essential functions of the
public authority or is a close associate or a family member of the public authority.
Simplified procedures for diligence measures
In case the employee is convinced that:
- on the basis of the documents obtained from the identification of the customer, it can be verified that there is no suspicion
concerning the person;
- customer's promissory note or other documents certifying the right of representation do not present any serious defects that give rise to
doubt as to their authenticity;
- customer's right of representation or identity documents are valid;
- documents submitted by the customer give no grounds to suspect that they have been falsified;
- customer will provide editorial responses to all questions, including the establishment of a legal person, to the service provider, its actual
beneficiaries, the origin of the capital used or the capital used for business purposes;
- customer has filled out the forms correctly and sent all additional documents.
If customer scoring allows the employee to implement Simplified Due Diligence, then the following due diligence measures shall be carried
- on the basis of the existing documents, the employee verifies that the customer's identity has been identified and is valid.
- the employee makes the necessary copies of the documents.
- the employee monitors this Policy and the applicable recommendations for detecting suspicious transactions.
- the employee checks that the customer is not included in the list of sanctions.
In some situations, FlashXchanger OÜ shall conduct Enhanced Customer Due Diligence.
These situations are:
- upon identification of a person or verification of submitted information, there are doubts as to the truthfulness of the submitted data,
authenticity of the documents or identification of the beneficial owner;
- the customer is a politically exposed person, except for a local politically exposed person, their family member or a close associate;
- the customer is from a high-risk third country or its place of residence or seat or the seat of the payment service provider of the payee is
in a high-risk third country;
- the customer is from such country or territory or its place of residence or seat or the seat of the payment service provider of the payee is
in a country or territory that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not
established effective AML/CFT systems that are in accordance with the recommendations of the Financial Action Task Force, or that is
considered a low tax rate territory;
- any other situation where there is a higher risk of money laundering as defined by applicable laws and regulations.
Currently, in accordance with EU laws and regulation, high-risk third countries are Afghanistan, Guyana, Iraq, Lao PDR, Syria, Uganda, Vanuatu,
Yemen and the Democratic People’s Republic of Korea.
The enhanced due diligence measures for customers in high-risk third country include:
- gathering additional information about the customer and its beneficial owner;
- gathering additional information on the planned substance of the business relationship;
- gathering information on the origin of the funds and wealth of the customer and its beneficial owner;
- gathering information on the underlying reasons of planned or executed transactions;
- receiving permission from the senior management of FlashXchanger OÜ to establish or continue a business relationship;
- improving the monitoring of a business relationship by increasing the number and frequency of the applied control measures and by
choosing transaction indicators that are additionally verified;
- demanding a customer make a payment from an account held in the customer’s name in a credit institution of a contracting state of the
European Economic Area or in a third country that implements requirements equal to those of Directive (EU) 2015/849 of the European
Parliament and of the Council.
The enhanced due diligence measures when FlashXchanger OÜ deals with a politically exposed person are:
- obtaining approval from the management board of FlashXchanger OÜ to establish or continue a business relationship with the person
and making sure that only senior management of FlashXchanger OÜ gives approval for a new business relationship;
- applying measures to establish the origin of the wealth of the person and the sources of the funds that are used in the business
relationship or upon making occasional transactions;
- monitoring the business relationship in an enhanced manner.
FlashXchanger OÜ shall take all necessary steps and request necessary documents in order to clarify and control structure of legal entities.
In cases where control and/or ownership by a given natural person exceeds 25%, the identity of this beneficial owner must be verified.
FlashXchanger OÜ will send a questionnaire on funds source to the customer if such customer wishes to make a transaction in the amount
exceeding EUR10,000 or equal amount in foreign currency or equal amount in virtual currency.
Based on the verification and due diligence of customer’s identity, FlashXchanger OÜ decides on a level of risk and whether the customer
may use services and/or products of FlashXchanger OÜ.
Monitoring customer activity
FlashXchanger OÜ conducts ongoing monitoring of customer activity in order to:
- identify any unusual activity, flagging up transactions/activities for further examination;
- check transactions made in a business relationship in order to ensure that the transactions are in concert with the obliged entity’s
knowledge of the customer, its activities and risk profile;
- regularly update relevant documents, data or information gathered in the course of application of due diligence measures;
- identify the source and origin of the funds used in a transaction;
- pay more attention to high-risk transactions.
FlashXchanger OÜ ongoing monitoring of customer activity comprises:
- “Real-time” monitoring of activities/transactions as they arise or are about to take place;
- “Post-event” monitoring within defined parameters.
With real-time monitoring FlashXchanger OÜ will screen transactions on all cross-border payments, swifts and cheques in relation to relevant
lists of named terrorist and sanctioned entities.
FlashXchanger OÜ will develop and implement internal IT systems and software to comply with this Policy.
FlashXchanger OÜ may also use services of external service providers that have the same approach and compliance with the applicable laws
Anti-Money Laundering (AML) Policy and Principles:
FlashXchanger OÜ sets these minimum standards and principles:
- establishing and maintaining a Risk Based Approach towards assessing and managing the money laundering and terrorist financing risks
to the company;
- establishing and maintaining risk-based customer due diligence, identification, verification and know your customer procedures,
including enhanced due diligence;
- establishing and maintaining risk based systems and procedures to monitor on-going customer activity;
- procedures for reporting suspicious activity internally and to the relevant law enforcement authorities as appropriate;
- maintenance of appropriate records for the minimum prescribed periods;
- training and awareness for all relevant employees.
FlashXchanger OÜ is prohibited from transacting with individuals, companies and countries that are on prescribed Sanctions lists.
FlashXchanger OÜ shall comply with the following sanctions measures:
- the United Nations (UN) Security Council consolidated sanctions list;
- the EU’s consolidated list of persons, groups and entities;
- the US Department of the Treasury, Office of Foreign Assets Control (OFAC) sanctions lists;
- the US Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) list;
- the UK HM Treasury (HMT), Office of Financial Sanctions Implementation, “consolidated list of targets”;
- FlashXchanger OÜ internal list of natural persons and legal entities; and
- other lists as required by applicable law.
The screen of the above mentioned list shall be conducted by FlashXchanger OÜ service provider and relevant restrictive measures shall be
Anti-Money laundering responsible person
The management board of FlashXchanger OÜ appoints the Anti-Money Laundering Responsible Person, who is the CEO of FlashXchanger OÜ, with
the responsibility to ensure that FlashXchanger OÜ complies with the legal requirements.
Training and awareness
FlashXchanger OÜ requires that all employees are familiar with this Policy and possess adequate awareness.
FlashXchanger OÜ will also conduct training through e-learning courses targeted towards the employees not less than once per year.
FlashXchanger OÜ will retain documents related to identification information which serve the basis for identification and verifications of
persons, and the documents serving as the basis for the establishment of a business relationship as well as certain other documents and
information as per AML laws and regulations no less than five years after termination of the business relationship.
Changes to this policy
This Policy shall be reviewed annually or as required by applicable laws and regulations.
FlashXchanger OU Ravals pulesee 5
Tallin Harju Maakend 10143 Estonia
FlashXchanger OU has an operating license issued by Politsei- ja Piirivalveamet for Financial services, Providing services of exchanging a virtual currency against a fiat currency under the Number FVR000830.
FlashXchanger OU has also an operating license for Financial services, Providing a virtual currency wallet service under the number FRK000726 issued by the same Estonian entity.
Copyright © 2019 FLASHXCHANGER