Procedures to prevent money laundering and terrorist financing

Methodology and common overarching procedures

The risk-based approach and the Group’s risk assessments

As an obliged entity under the AML Act, Exuprio S.r.l., with registration number 12346490969 (hereinafter ”Gainpay”), is required to establish common policies and procedures regarding measures against money laundering and terrorist financing.

The Group applies a risk-based approach in its measures against money laundering and terrorist financing. This means that the extent of measures, procedures, internal controls and resource allocations shall be appropriate and proportionate to the perceived risk of money laundering and terrorist financing. 

Local differences in the type of operations conducted, how operations are conducted, typical customers, etc. can have the effect that the risk exposure is not identical across the Group. On the contrary, regional differences are expected to exist at any given time. Accordingly, the Group carries out several risk assessments, each relating to the operations and circumstances of one or more Gainpay Businesses. These risk assessments constitute the fundamental outset for the measures against money laundering and terrorist financing applied within each Gainpay Business.

Each risk assessment serves to identify and assess the threats against the operations to which the risk assessment relates, and to assess the level of risk of money laundering and terrorist financing in the relevant operations. When carrying out a risk assessment applicable to one or more Gainpay Businesses, four primary risk factors are considered:

1. the products and services offered by the Gainpay Business,

2. the customers of the Gainpay Business,

3. the delivery channels used by the Gainpay Business to distribute its products and services, and

4. the geographical areas in which the Gainpay Business operates.

Each of these risk factors is assessed both individually and together. A risk factor may comprise several parameters to be considered when assessing the risk factor.

When assessing each risk factor individually, each product or service, each category of customers, each delivery channel and each geographical area is attributed an individual risk level based on the perceived risk of money laundering and terrorist financing. Thereafter, information regarding the individual customer is obtained in order to establish the customer’s Risk Profile, taking into account customer-specific information and whether it justifies a different assessment of the risk level than the typical risk level.

In assessing the risk factors together, a holistic perception of the overall risk level in a Gainpay Business’ operations is obtained.

Determining individual customers’ Risk Profiles

Based on its risk assessment, a Gainpay Business is given tools to assess which measures for customer due diligence are required and appropriate in light of the risk that each specific customer is associated with (the customer’s Risk Profile). An individual customer’s Risk Profile is determined on the basis of both risks that have been identified in the Gainpay Business’ risk assessment and information attributable to the individual customer collected in the onboarding process.

For purposes of determining an individual customer’s Risk Profile (as well as for the purpose of carrying out risk assessments) customers are divided into numerous customer categories, each of which reflects a typical customer type.

Each risk assessment comprises a description of the customer categories applicable to the relevant Gainpay Business. Each customer category is assessed and attributed a risk level. After taking into account this individual customer information, each customer is attributed a Risk Profile. As an individual customer’s circumstances may deviate from the typical circumstances of customers belonging to the relevant customer category, it is possible for individual customers within a customer category to be attributed a different Risk Profile than the preliminary typical risk profile of the relevant customer category.

As a cautionary measure, customers who qualify within more than one customer category, or in none of the categories, are treated as belonging to the customer category associated with the highest risk (out of the qualifying categories), in order to ensure that no customer is attributed a lower than accurate risk level.

Determining customer due diligence measures for individual customers

A customer’s Risk Profile determines the extent of customer due diligence measures to be taken in relation to each individual customer and the business relationship with such customer, in order to appropriately manage the risk associated with the customer/business relationship.

Ongoing monitoring

In order to detect and report suspected money laundering or terrorist financing activities within the operations of the Group, all customers and their transactions are subject to ongoing monitoring throughout the duration of the customer relationship.

The tools and procedures applied in, as well as the intensity of, ongoing monitoring of customers and their transactions shall be appropriate and proportionate to the risk in the relevant Gainpay Business (i.e., considering both the level of risk and the type of threats that form the basis of the risk) as well as the risk associated with the individual customer.

Other measures for prevention of money laundering and terrorist financing

Based on the assessed risk exposure of a Gainpay Business across its operations, a Gainpay Business may implement risk mitigation in order forms than customer-specific measures. These may take the form of organisational changes, such as increased staffing in certain areas or employee training regarding money laundering and terrorist financing awareness and prevention.

Procedures for information sharing

In order to promote effective risk management within the Group, Gainpay Businesses strive to share information to the extent permitted by the External Regulatory Framework.

The information to be shared within the Group is information that is relevant to the Group’s, as a whole, ability to identify, manage and mitigate the risk of money laundering and terrorist financing.

In particular, the following information is to be shared, to the extent that it has been collected and subject always to the permissibility of doing such collection and sharing pursuant to the External Regulatory Framework and in particular the GDPR.

• Customer information,

• Beneficial Owner information,

• Transaction information, and

• Information regarding suspicion

To the extent that a Gainpay Business is restricted or prohibited, under local rules in the External Regulatory Framework, from sharing such information as set out above, the Gainpay Business shall consider whether consent from the customers of the Gainpay Business can be obtained and used to legally overcome such restrictions or prohibitions.

Authorities and responsibility

The Compliance Function is responsible for ensuring compliance with the Policy. The Compliance Function’s responsibilities include monitoring and adopting the Policy.

The CEO shall evaluate the Policy regularly, at least once a year and, if necessary, propose updates to the Policy and present these to the Board.

The Board shall, following proposed amendments to the Policy from the CEO, assess such proposals and, if it sees fit, adopt an updated version of the Policy.

Local policies

Local procedures and guidelines are subsumed under the overarching Policy and shall be consistent with the Policy. Local policies shall, however, always comply with the External Regulatory Framework. If local rules under the External Regulatory Framework prevent a Gainpay Business from applying the Policy, partly or fully, the Managing Director (or equivalent) of the Gainpay Business may adopt a local policy with alterations in relevant parts as necessary. Any local policy deviating from the overarching Policy must be drafted in co-operation with the Chief Compliance Officer.

Know your customer (KYC)

Level 1 SDD

• An assurance that the application is only for own use.

• First name and surname

• E-mail address

• Country of domicile

Level 2 CDD

• An assurance that the application is only for own use.

• First name and surname

• E-mail address

• Country of domicile.

• Mobile number

• Date of birth.

• Place of birth.

• Citizenship.

• A copy of a passport or public authority-approved ID card with photo.

• Permanent address.

• A household invoice or similar, in the customer's name, e.g. an utility bill must be uploaded to prove the correctness of the address.

• The customer must declare if the person concerned considers himself/herself to be a PEP.

Level 3 - EDD

• An assurance that the application is only for own use.

• First name and surname

• E-mail address

• Country of domicile.

• Mobile number

• Date of birth.

• Place of birth.

• Citizenship.

• A copy of a passport or public authority-approved ID card with photo.

• Permanent address.

• A household invoice or similar, in the customer's name, e.g. an utility bill must be uploaded to prove the correctness of the address.

• The customer must declare if the person concerned considers himself/herself to be a PEP.

• The customer must state where the money comes from, which is verified through documentation.

• An analysis of the customer's digital imprint on the Internet is carried out.