## Law no. 129/2019 for the prevention and combating money laundering and terrorism financing, as well as for amending and completing some legal acts;
## no. 37/2021 regarding the approval of the Norms for the application of the provisions of Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for amending and supplementing some normative acts for the reporting entities supervised and controlled by the National Office for Prevention and Combating Money Laundering.
## Order no. 47/2021 for the approval of the Regulation on the registration of the reporting entity in the records of the National Office for Prevention and Combating Money Laundering.
## Order no. 14/2021 for the approval of the form and content of the reports provided in art. 6 and 7 of Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for modifying and completing some normative acts and the methodology for their transmission.
## Establishing a system of policies, procedures and internal controls designed to combat any attempted use of the Company for illegal or illicit purposes;
## Designating a Compliance Officer/Money Laundering Reporting Officer (MLRO) to be responsible for the implementation and oversight of the Company’s AML Program and complying with the applicable regulations and guidance set forth by the ONPCSB;
## Executing Know Your Customer (“KYC”) procedures on all customers;
## Filing Suspicious Transaction Reports (“STRs”) and Suspicious Activity Reports (“SARs”);
## Following record retention requirements;
## Performing independent audits of the company’s AML Program;
## Implementing a formal and ongoing compliance training program for all employees.
## Training Policy which includes AML training for relevant Employees.
## Asset Management Policy which includes controls to prevent Money Laundering.
## Incident Management and Response Program.
Compliance Officer’s principal duties are:
## acting as a contact person of the ONPCSB;
## monitoring compliance with applicable legislation and procedures established by the AML Program;
## managing the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the customer;
## reporting to the ONPCSB in the event of suspicion of money laundering or terrorist financing;
## reporting and submitting written statements on compliance with the requirements arising from the AML/CFT regulation;
## performing any other duties and obligations related to compliance with the requirements of the AML/CFT regulation.
The contact person can transfer the information or data that has become known to him in connection with the suspicion of money laundering only:
## the ONPCSB;
## authority conducting an investigation in connection with the criminal case;
## the court on the basis of a court order or a court decision.
The company has issued appropriate internal regulations that promote high standards of customer knowledge and has defined the key elements regarding:
1.- Customer acceptance rules.
2.- Due diligence measures with respect to the client.
3.- Customer identification.
4.- Risk-based customer assessment.
5.- Continuous monitoring of high-risk clients.
6.- Supervise the activity in the accounts from the perspective of the fight against money laundering and the financing of terrorism.
7.- Termination of relationships
8.- Training programs on “Know your clientele”
For this purpose, the company will contract the services of a recognized platform in the evaluation of clients apart from the internal system for such action.
The company will enter into correspondent relationships, or continue these relationships, with entities that have implemented appropriate know-your-customer and anti-money laundering policies and practices. The correspondent relationship will not be established with financial institutions or SPAM platforms of which there is any doubt about the possibility that the FI or the platform is fraudulent.
The company will not open or operate in anonymous accounts or with fictitious names for which the identity of the owner is not known and is not adequately declared.
The company’s customer identification process is defined by the internal know-your-customer procedure or guides and includes the following:
1. Identification of the client.
2. Customer identity verification:
a. Establish the commercial profile of the client.
b. Determine the source of the client’s funds
c. Monitoring of customer business activity
The Geo-restriction Measure is applied to the following list of Customers:
## Customers outside Romania; (in some cases, outside the EU region)
## Customers from state jurisdictions that are being banned by internal policies from the company or regulations;
XCAO is actively blocking users from restricted jurisdictions from using its services, by implementing IP-blocking tools to deny access of users from the restricted jurisdictions.
In order to avoid circumvention of this tool with VPN, the company employs certain VPN detection tools which identify IP addresses and block IPs suspected as VPN.
A Individuals:
## Full legal name
## Date of birth
## Email address;
## Mobile phone number;
## Acceptable and valid government-issued identification document (e.g., driver’s license, passport, national identification card)
## Residential address
B. Institutions:
## Institution name
## Address (principal place of business and/or other physical location);
## Employer Identification Number (“EIN”) or any comparable identification number issued by the government;
## Proof of legal existence (e.g., state-certified articles of incorporation or certificate of formation, unexpired government-issued business license, trust instrument, or other comparable legal documents as applicable);
## Proof of identity (e.g., driver’s license, passport, or government-issued ID) for each individual beneficial owner that owns 25% or more, as well as all account signatories;
## All identifying information with respect to each beneficial owner will use risk-based procedures to verify the identity of such beneficial owners (see individual customer information collected above for more details).
When the company is not satisfied with the verification details, they will do the following:
## Not establish any business relationship;
## Impose terms under which a customer may conduct transactions while XCAO attempts to verify the customer’s identity;
## Determine whether it is necessary to file a SAR in accordance with applicable laws and regulations.
XCAO will not open a new business establishment for a potential or existing customer who refuses to provide the information when requested, or provides any misleading information. Hence, the company’s AML Compliance officer will be reviewing the scenario so that they can come to a decision whether they should report the situation to ONPCSB on a SAR.
It is important that the XCAO’s principals and personnel adopt and implement the policies contained in this manual. However, it is recognized that a prescriptive approach in certain circumstances might prevent financial service providers from engaging in some legitimate businesses.
A risk-based approach is one of the most effective ways to protect against money laundering. It is essential to understand that certain risks associated with the various elements of a customer profile may be indicative of potential criminal activity, such as geographic and jurisdictional issues, business and product types, distribution channels and prevailing transaction types and amounts.
Customers will be reviewed, assessed and allocated with an appropriate level of risk of money laundering. Customers will be designated as High, Medium or Low risk.
## High-risk customers will be subject to enhanced levels of due diligence that go beyond the core policies and principles contained in this manual;
## Medium-risk customers will be subject to the core policies and procedures contained within this manual;
## Low-risk customers may be subject to certain flexibility within the policies and procedures contained within this manual, however, great care should be exercised to ensure that the company continues to meet its legal obligations.
All customers are subject to a risk assessment in order that likely future monitoring levels are anticipated and reasonable. Risk ratings will be recorded in the file. Due diligence requirements and future planned monitoring must be commensurate with the risk level associated with the customer and enhanced due diligence will be necessary for all higher-risk customers.
When deciding to enter into any type of correspondent business relationship, you will have enough information to fully understand the nature of the business being conducted by the entity. Information is required on management, main economic activities, level of AMl/ CFT.
The company will establish correspondent relationships only with entities abroad that are effectively supervised by the competent authorities and that have effective customer due diligence programs in place. The Company must refuse to establish correspondent relationships or to continue such relationships with a commercial entity, registered in a jurisdiction in which it does not have a physical presence, that is, the development of the activity and the official documents of the entity are not located in said jurisdiction and pay special attention regarding the knowledge of the clientele or that has been identified as non-cooperative in the fight against money laundering. When establishing correspondent, franchise or other relationships, the company must take into account certain factors, including, but not limited to, the following:
1. Information on the management of the correspondent commercial entity, on the basic activity, where it is located, and its efforts to prevent and detect money laundering.
2. The purpose for which the correspondent point is installed.
3. The identity of any third party that will use the correspondent services.
4. The situation of the regulation and the supervision system in the country of origin of the correspondent commercial entity.
5. Approval of the XCAO SYSTEM GROUP Management regarding the opening of the commercial correspondent relationship.
The company will not enter into a correspondent relationship with commercial institutions, or individuals located in countries under the international sanctions regime and/or that are directly related to or under the control of persons/entities mentioned in the international sanctions lists.
All officers and employees of the company receive AML training as well as position-specific training. XCAO repeats this training at least once every twelve (12) months to ensure employees are knowledgeable and in compliance with all pertinent laws and regulations. New employees receive training within thirty (30) days of their start date. All documentation related to compliance training including materials, tests, results, attendance and date are maintained and tracked. In addition, our compliance training program will be updated as necessary to reflect current laws and regulations.
The training programs will include information on the requirements of the legislation in terms of know your customer (KYC) as well as specific practical aspects, in particular in order to enable staff to recognize suspicious transactions related to money laundering and terrorist financing operations and to take appropriate measures.
All personnel will be trained to ensure they are aware of their responsibilities and will be informed of any news related to compliance. The main objective of the training programs is to develop the skills of the employees of the XCAO SYSTEM GROUP company, promote high ethical and professional standards, and prevent the use of the company to carry out criminal activities or other activities.
Don’t hesitate to subscribe to latest news about ICo markets as well as crucial financial knowledge to become successful investors globally