I. Definitions

I.1. Introduction

Meaning of the document

Within the scope of its business activities, the Company provides services that may be abused by a customer for legalization of revenues from criminal activities or for terrorism financing.
So, as it is possible to efficiently reduce, aggravate or eliminate such illegal activities in full, the valid legal regulations of the Czech Republic impose fulfilment of many obligations on the Company. For that purpose, the Company issues this binding document – the System of Internal regulations, Procedures and Control Measures, transposing the obligatory obligations into the environment of services provided by the company.
In a simplified way: legalization of revenues from criminal activities (in laic terms: „money laundering“) means an activity when a customer uses the services of the Company for covering illegal origin of his property or to make its back tracking difficult. So as to legalize the revenues from criminal activities, the offenders use similar methods like for terrorism financing and that is why abatement of the two illegal activities was joined and it is performed simultaneously, using nearly identical methods. Similar rules as those applied in CRP Unio Limited s.r.o. are binding for similar types of business in the Czech Republic as well as in other countries, because money laundering and terrorism financing is nearly always performed on international level.
More, the Company must also apply sanction measures (similarly to anyone else) applied by the Czech Republic in relation to quite a wide group of natural persons and legal entities. That means permanent checks whether a customer is subject to international sanctions or not, respectively fulfilment of other procedures as described here below.
In practice, it is highly probable that non-fulfilment of procedures as per this document will cause a breach or omission of statutory obligations with all and any consequences.

I.2. General Terms

AML Act

(1) For the purposes of this document, the AML act means Act No. 253/2008 Coll. on some measures against legalization of revenues from criminal activities and terrorism financing, as amended.

Legalization of revenues from criminal activities

(1) According to the AML act, legalization of revenues from criminal activities means activities that are to cover illegal origin of any economic benefit emerging from criminal activities with the aim of establishing an appearance that the property benefits were obtained in compliance with law; the above stated activities include for example:

(a) change or transfer of property while knowing that it originates from criminal activities for the purpose of its secrecy or hiding its origin or with the purpose of helping a person participating in such illegal activities to avoid legal consequences of his behaviour,
(b) keeping secret or hiding the real character, source, movement of property or its handling or change of rights related to property while knowing that it originates from criminal activities,
(c) obtaining, keeping, using the property or its handling while knowing that it originates from criminal activities, or
(d) criminal conspiracy of persons or any other form of unification with the purpose of activities specified in previous points.

Terrorism Financing

(1) According to the AML act, terrorism financing includes:

(a) collection or provision of financial means or other property while knowing that it will be used – even partially – for committing a crime of terror, terrorist attack or a criminal act that should allow or assist in committing of such a criminal act or that should support a person or a group of persons preparing for committing such a criminal act, or
(b) behaviour leading to provision of remuneration or compensation of an offender of a criminal act of terror, terrorist attack or a criminal act that should allow or help in such a criminal act commitment, or persons close to the offender according to penal law, or collection of means for such a remuneration or compensation.

(2) Terrorism financing also means financing of mass destruction weapons distribution, i.e., collection or provision of financial means or any other property while knowing that it will be used – even partially – by the distributor of mass destruction weapons or for such weapons distribution in contradiction with international law requirements.

Obliged person

(1) According to the AML Act, an obliged person means the company CRP Unio Limited s.r.o., with its registered seat in Říční 456/10, Malá Strana, 118 00 Praha 1, company ID: 216 05 688 (the “Company”) for activities of providing of services related to a Virtual assets.

Customer

(1) For the purposes of this document, a customer means any natural person or legal entity:

(a) which the Company established business relation with, or
(b) which started negotiations with CRP Unio Limited s.r.o. on business relation establishment (i.e., it showed interest in a business relation establishment), or
(c) which the Company already finished business relations with
(d) which becomes a virtual assets service user of the Company
(e) a person being an agent of services of another customer (e.g., it is entitled – on the basis of a power of attorney that the company must keep – to issue Virtual assets).

(2) It is not decisive whether it is a natural person or a legal entity carrying business or not. In case of a legal entity, it is supposed that one concrete natural person always acts on behalf of it (e.g., a member of the statutory authority, an employee, etc.).

Virtual Assets Service

(1) For the purpose of this document, the virtual assets service means any handling of customer’s property or provision of a service to a customer as mentioned in §4(8) of AML Act, and contain next services:

(a) Virtual assets wallet service:

(i) means a service in the framework of which keys are generated for customers or customers’ encrypted keys are kept, which can be used for the purpose of keeping, storing and transferring virtual assets;

(b) Virtual assets exchange service:

(i) means a service with the help of which a person exchanges virtual assets against a fiat currency or a fiat currency against virtual assets or virtual assets against another virtual assets;

According to §4(9) of AML Act, virtual asset means an electronically storable or transferable unit that is capable of performing a payment, exchange or investment function, unless it is excluded by specific criteria under the Act on Payments.

(2) A virtual assets service also means any service provided without appropriate authorization, registration or license, even though it would be in contradiction with law.

Business relation

(1) A business relation means a contractual relation by and between the customer and the company CRP Unio Limited s.r.o., based on which the customer is provided with virtual assets service. A business relation is usually established on the basis of a frame contract on provision of virtual assets service. The Company provides virtual assets service on the basis of business relations only, not on the basis of an agreement on a lump-sum payment transaction.

Customer’s instruction

(1) Customer’s instruction means any instruction issued by the customer or by a person authorized to act in this matter on customer’s account, requiring for the Company to provide a virtual assets service or to make another act within the scope of the virtual assets service provided, e.g., a Virtual asset order.

(2) It is not important in which way was the customer’s instruction handed over to CRP Unio Limited s.r.o. (electronically, by phone, personally or in any other way). It is also not important whether the customer’s instruction was accepted or not.

Staff setting

(1) The obligations set out in this document apply to certain groups of employees - in particular the employees, the AML officer and the responsible person. They also apply to any person who may encounter a suspicious transaction (Chapters IV1. – IV.3) or perform any of the activities described in this document, as well as other persons. All of these people may potentially encounter trade suspected of attempting ML-FT.

(2) It is irrelevant whether it is a direct employee or a work performed on the basis of another relationship or without any relationship (even as a free aid).

(3) Unless the Company is capable of ensuring the full and error-free performance of its obligations under this document and the Risk Assessment, it must reduce or even suspend virtual assets service activity until such a defect ceases, unless this is in conflict with the obligations under the legal regulations. This is the case, for example, in the event of a sudden failure of employees and replacement by temporary underexperienced assistance. Thus, ML-FT prevention activities must at all times be adequately staffed (both qualitatively and quantitatively). Responsibility for meeting this obligation lies with the responsible person.

(4) Furthermore, the responsible person is responsible for selecting the persons who are bound by this document. The responsible person shall always verify that the employee is able to fulfil the obligations laid down in this document before recruiting a new employee for the position concerned by this document or before transferring an existing employee to that position. These abilities / skills include:

(a) sufficient language skills of the employee to handle communication with a typical customer
(b) sufficient employee awareness of the management and ownership structures of the customer, which is a legal entity, so that he / she can perform his / her duties perfectly for this type of customer
(c) sufficient computer skills and software that is used to enable the employee to make full use of these resources to fulfil their duties
(d) sufficient and professional ways and integrity in dealing with the customer to be able to correctly communicate the requirements for identification and possible control of the customer (to explain to the customer the reasons for the requested information and insist on it, not to be “persuaded” by the customer)
(e) sufficient knowledge of all procedures set out in this document and the Employee Risk Assessment achieved by the training under Chapter V.3, which must be carried out no later than the first act mentioned in this document or the Risk Assessment

Employee

(1) For the purposes of this document, an employee means any person who is – in the course of fulfilment of its work tasks – in the name of the company CRP Unio Limited s.r.o.:

(a) authorized to negotiate regarding establishment of a business relation with a potential customer, or
(b) authorized to establish business relation with a customer, or
(c) negotiates with the customer on provision of virtual assets service or receives customer’s instructions, or
(d) performs individual acts in provision of virtual assets service to a customer (even partial ones), or
(e) participates in any way in negotiations with a customer or in activities connected with provision of virtual assets service.

(2) An employee is a direct employee as well as a person performing such activities on the basis of another relation than the employment contract, including a negotiator.

(3) An employee is also a person who is not an employee at the present moment, but he/she was authorised (even though just temporarily) to perform an activity, the realisation of which is set to an employee by this document.

Personnel related to the Customer

(1) For the purposes of this document, persons related to customers mean all and any of the following persons (natural persons or legal entities):

(a) statutory authority of the customer or a member of it
(b) beneficial owner or controlling person of the customer
(c) a person authorised to negotiate with the Company on behalf of the customer
(d) a person authorised by the customer to make business (to enter virtual asset orders).

AML officer

(1) A person identified in this document as an AML officer means a person authorised to arrange compliance of business activities of the Company with legal regulations in the field of avoidance of proceeds from criminal activities, terrorism financing and application of international sanctions. It concerns mainly arrangement of compliance with the following regulations:

(a) AML Act
(b) Act No. 69/2006 Coll. on realisation of international sanctions
(c) Regulation No. 67/2018 Coll. on selected requirements towards system of internal regulations, procedures and control measures against legalization of proceeds from crime and financing of terrorism
(d) approved AML standards communicated by the Czech National Bank.

(2) Generally, it is supposed that the AML officer is a person directly governing.

(3) The person appointed in the Company and authorised to execute the position of an AML officer is specified in Annex No. 2.

Responsible person

(1) The responsible person of the obliged person means – for the purposes of this document – any member of the statutory authority of the obliged person.

Virtual assets service value

(1) For the purposes of this document the virtual assets service value means the general value of property being a subject of the virtual assets service. It is the value of the property as made available by the customer to the Company for the purpose of the virtual assets service provision respectively the value that is to be transferred, exchanged or otherwise used. In case of mutually related virtual assets service, the virtual assets service value is the sum of the services.

Conversion of sums

(1) For the purposes of this document, the sum which is set in Euro (EUR) means an equal value in any currency converted based on the exchange rate announced by the Czech National Bank and valid for the day. If the exchange rate is not available that day yet, the exchange rate for the previous day applies. For current Exchange rates list of the Czech National Bank see https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/.

Binding force for third persons

(1) The procedures set forth in this document are also binding on persons acting in the performance of virtual assets service or in establishing business relationships on behalf of or for the account of the Company mainly for authorized representatives (hereinafter referred to as “representative”). The responsible person shall ensure that the representative accepts and / or fully integrates these procedures into his / her own internal procedures. The responsible person shall also ensure compliance with the obligations set out in this document in the representative's environment.

Politically Exposed Person – definition

(1) According to the AML Act, a Politically Exposed Person („PEP“) means a natural person who is or was in an important public function with regional, national or even higher importance, for example:

(a) chief representative of municipal authorities – major of a town or village, chief magistrate, region commissioner,
(b) chief representative of municipal authorities for a foreign country with federative organization – chief representative of country authorities, members of country government and parliament, etc.,
(c) head of state, prime minister, head of central authority of state administration (e.g., a minister) and his/her representative (deputy minister or secretary of state),
(d) member of the Parliament, member of the control authority of a political party,
(e) judge of the supreme court, constitution court or another supreme judicial authority,
(f) member of the banking council of a central bank,
(g) high officer of armed forces,
(h) member of the statutory authority or representative of a member (in case of a legal person to be a member of the statutory authority) of a business corporation controlled by state,
(i) ambassador or head of a diplomatic mission,
(j) or a natural person performing or having performed any similar function in another country, EU authority or in an international organization.

(2) A PEP is also considered to be a person close to the above stated person, mainly:

(a) relatives in direct line – parents, grandparents, etc., children, grandchildren, grand grandchildren, etc.
(b) siblings, wife, husband, partner
(c) relatives of wife, husband, partner – son in law, daughter in law, father in law, mother in law
(d) a person who lives with him/her on a permanent basis
(e) a person in family relation or similar relation to him/her, in case of any detriment suffered by one person to be justifiably considered as own detriment by the other person.

(3) A PEP is also considered to be a person from the "business surroundings", being:

(a) a partner or beneficial owner of the same legal entity or trust fund as the person in the first paragraph,
(b) known by the obligated person to be in close business relation with the person as per the first paragraph; that means material inter-relations within the scope of business activities, when the success or detriment of one person could be justifiably considered to be own benefit or detriment by the other person,
(c) a beneficial owner of a legal entity or trust fund, which is the obligated person aware of the fact that they were developed in favor of the person specified in the first paragraph.

Beneficial owner of a legal entity

(1) A beneficial owner is always related to a legal entity only. According to the AML Act, a beneficial owner means a natural person with factual or legal possibility of direct or indirect application of decisive influence in a legal entity, in a fiduciary fund or in any other legal organisation without legal personality. It is supposed that in case of fulfilment of conditions contained in previous sentence, the following person is a beneficial owner:

(a) In case of a business corporation (usually a limited liability company, a joint stock company, etc.), the beneficial owner is a natural person who:
1. independently or together with persons acting in compliance manages more than 25 % of voting rights of the business corporation or has a share in basic capital above 25 %, or
2. independently or together with persons acting in compliance controls the person specified in the previous point, or
3. is a recipient of at least 25 % of profits of the business corporation, or
4. is a member of the statutory authority, representative of a legal person in the authority or in the position similar to the position of a statutory authority member, if he is not a beneficial owner or if it is not possible to set him according to previous points.
(b) In case of an association, a non-profit organization, association of unit owners, church, religious association or any other legal entity according to the act dealing with the position of churches and religious associations, the beneficial owner is a natural person:
1. who manages more than 25 % of its voting rights, or
2. who is recipient of at least 25 % of the means distributed by it, or
3. who is a member of the statutory authority, representative of a legal person in the authority or in the position similar to the position of a statutory authority member, if he is not a beneficial owner or if it is not possible to set him according to previous points.
(c) In case of foundation, institution, endowment fund, trust fund or any other legal organization without legal personality a natural person or a beneficial owner of a legal entity, the beneficial owner is a person being in position of:
1. a founder, and then
2. trustee, and then
3. beneficiary, and then
4. a person, in the interest of whom there was established or works the foundation, institution, endowment fund, trust fund or any other legal organization without legal personality, unless the fiduciary is appointed, and then
5. persons entitled to perform supervision over the administration of the foundation, institution, endowment fund, trust fund or any other legal organization without legal personality.

Controlling person

(1) According to Section 74 et conseq. Act No. 90/2012 Coll., on Commercial Companies and Cooperatives (Business Corporations Act), a controlling person means a natural person or legal entity who may directly or indirectly apply decisive influence in a business corporation. The indirect corporation means the influence executed through another person or other persons.

(2) The controlling person(s) is/are:

(a) always a person who is a majority owner, unless specified otherwise in the points below, and then
(b) always a person who is a controlling person of the concern (Section 79 Act No. 90/2012 Coll.), and then
(c) a person who may appoint or remove most of the persons being members of the statutory authorities of the business corporation or persons in similar position or members of a control authority of the business corporation, which he/she is a partner of, or he/she may push such an appointment, or
(d) the person who manages the share in voting rights representing at least 40 % of all the votes in the business corporation, unless the same or higher share is managed by another person or persons, acting in conformity, or
(e) persons acting in conformity, who jointly manage a share in voting rights representing at least 40 % of all the votes in the business corporation unless the same or higher share is managed by another person or persons, acting in conformity, or
(f) a person who independently or together with other persons, acting in conformity, obtains a share in voting rights representing at least 30 % of all the votes in the business corporation and the share represented more than one half of voting rights of present persons during 3 recent consequent meetings of the supreme authority of the person.

(3) For better understanding of conditions under which a natural person or a legal entity may be considered a controlling person, we recommend studying relevant stipulations of the Act on business companies and co-operatives (Business Corporations Act).

II. Business Relation Establishment

II.1. Procedure before Business Relation Establishment

Procedure before business relation establishment

In case of a customer to show his interest in establishment of business relations with the company CRP Unio Limited s.r.o., there must always be performed the following procedure. The employee authorized to negotiate the business relation establishment with the customer:
1. establishes a file (as a physical and virtual space) to keep all and any information and documents according to the system of internal rules related to the business relation or customer (unless it has been established earlier), and
2. according to Chapter II.2 he performed the initial identification of the customer (unless it has been performed earlier) – applying the procedure dependent on whether the customer is a natural person or a legal entity, and
3. according to Chapter II.5 performs the first check of the customer
4. according to Chapter II.6 sets up the risk profile of the customer based on risk assessment
5. provides this information to the AML officer, who will assess it and decide whether or not the business relationship will be established; The AML officer shall take into account, in particular, the obligations under Chapter II.8 and the customer's risk profile, in particular if it is of type B, C, D or even E.
Only after full performance of the above stated procedure (and depending on its results) an employee may be entitled to act on behalf of the Company so as to establish a business relation and CRP Unio Limited s.r.o. may start provision of services within the frame of the business relation.
If it is proved that the customer is a PEP, the establishment of the business relation must be approved by the statutory authority of the Company (including the case when the customer is a legal entity, towards which obligations are applied as well as towards the PEP).

Persons authorised to act on customer’s behalf in the matter of business relation establishment

Only a customer is entitled to act in the matter of a business relation establishment (i.e., the customer himself or his statutory authority or member of the statutory authority) or a person authorised by the customer to do so, customer’s statutory representative or guardian.
The authorization is proved by a power of attorney with legalised signature of the donor or by its legalised copy, containing identification data of the donor of power and the deputy and also the extent in which the deputy may act on behalf of the donor of the power. Original copies of the power of attorney or its legalised copy must be maintained. For detailed information on data recording and keeping see Chapter V.5.
Statutory representation is proved by a deed indicating it – for example a certificate of birth of a child, represented by a parent. In case of a different statutory representative or guardian the right to represent a customer is proved by a court resolution. The company does not have to keep such documents – in case of a court resolution it must only record the file number.

Customer’s obligation to provide cooperation

The customer is obliged to submit in full extent to the initial identification and provide information necessary for performance of all and any other acts mentioned in this chapter and to prove them with necessary documents (if required).

Check of information in case of any doubts

Whenever doubts arise as to the information or data (obtained as part of customer identification or control), the employee shall verify this information without undue delay. This is done by verifying the information either from publicly available sources or by contacting the customer to provide him with appropriate explanations and possibly documents.

Assessment of customer’s behaviour

In the course of fulfilment of procedures set in this chapter as well as in the course of any other negotiations with the customer, the employee makes permanent assessment on whether the customer’s behaviour does not indicate features of a suspect business. The employee performs such an assessment in compliance with Chapter IV.1.

When the customer conceals acting on behalf of a third person

In case of an employee to suspect for the customer not to act on his own behalf while negotiating on business relation establishment (i.e., that the purpose of the business relation is to provide services to a different person but the customer) or that he conceals that he acts on behalf of a third person, the employee refuses to establish the business relation.

Simplified identification and check of the customer

The AML act sets a group of persons generally considered to be of a low risk due to supervision executed over them. In relation to such persons, the Company does not have to perform identification and checks using the procedures specified in Chapters II.2 and II.5.
It concerns the following persons:
1. Clients without the national risk factors, and
2. Clients who are not showing the factors for EDD.
National risk factors are as following:
1. Client risk factors:
  1. The business relationship is conducted under unusual circumstances,
  2. The client is located in a geographic area of heightened risk as set out in point 3,
  3. The legal entity or trust is a personal asset holding vehicle,
  4. The client is a business corporation in which there may be authorized shareholders or partners or which issues shares in bearer form,
  5. The client uses cash extensively in its business activities,
  6. The ownership structure of the client appears unusual or overly complex given the nature of its business,
  7. The client is a beneficiary of a life insurance policy,
  8. The client's business involves increased risk.
2. Factors relating to products, services, transactions or distribution channels:
  1. Use of private banking services,
  2. The use of products or transactions that could facilitate anonymity,
  3. Business relationships or transactions without the personal presence of the customer or the natural person acting on his behalf and without certain security measures such as electronic signatures,
  4. Incoming payments from unknown or unrelated third parties; or
  5. New products and new business practices, including new distribution systems, and the use of new or emerging technologies for new or existing products.
3. Geographic risk factors:
  1. Countries that have been identified by European Union authorities or international institutions dealing with measures against money laundering, terrorist financing or proliferation of weapons of mass destruction as lacking effective systems to combat money laundering and terrorist financing or engaging in illicit proliferation of weapons of mass destruction,
  2. Countries that have been identified by credible sources as having significant levels of corruption or other criminal activity,
  3. Countries subject to sanctions, embargoes or similar restrictive measures imposed, for example, by the European Union or the United Nations; or
  4. Countries that provide funding or support for terrorist activities or in which identified terrorist organisations operate.
In case that the employee supposed that the customer belongs to the list of such persons, it is necessary for him to apply the following procedure:
1. He clearly verifies whether the client fulfills the criteria;
2. On the basis of information having available, the employee makes an assessment whether the customer or the intended business relation does not represent an elevated risk of abuse for legalization of proceeds from crimes or financing of terrorism; in the course of assessment, the employee uses all the information that the company has available and it is also allowed for him to arrange other supporting or missing information by himself; in case of any doubts it is not possible to use simplified identification and control;
3. The employee makes an assessment whether – based on information available to CRP Unio Limited s.r.o. - the customer does not fall within a risk group based on risk assessment (i.e., he was assigned the risk profile of B, C, D or E type); if so, it is not possible to use simplified identification and control;
4. The employee finds out whether the customer is a PEP or not; if the customer is a PEP there will not be used the procedure of simplified identification and control;
5. The employee establishes and records in a suitable way the identification data of the customer; it is not necessary to check the customer and set up the risk profile.
It is necessary to write a record about the whole checking procedure, clearly indicating also who, when and on the basis of what performed the checks. The record is maintained and kept as a part of documentation related to the customer or to the business relation.
Moreover, in the course of the business relation duration, the employee must periodically check whether there persist all the conditions for use of simplified verification and check of the customer. In case of any of the conditions to be broken, the customer is considered to be not allowed to be applied the simplified identification and check of customer and the procedures must be immediately performed before provision of any other services to the customer.
Application of the procedure of simplified identification and control / check does not affect other obligations set in this document, mainly the obligation of assessment whether the service provided to the customer does not indicate features of a suspect trade according to Chapter IV.1 List of features and suspect trades and their assessment.
The document Risk Assessment may set for individual types of customers, services and methods of their use that it is prohibited to apply the exception from identification and control. The employee must respect such a limitation.

Enhanced identification and check of the customer

The AML act sets a group of factors that can mean a high risk of a client. In relation to such persons, the Company has to perform stronger identification and checks.
Enhanced identification and check should happen in the following cases:
1. During establishment and during the course of a business relationship with a person established in a high-risk third country (as per FATF and EU lists that can be found in the Annex 5),
2. Prior to the execution of a transaction relating to a high-risk third country (as per FATF and EU lists that can be found in the Annex 5),
3. Prior to or when entering into a business relationship with a politically exposed person.
In enhanced identification and control, CRP Unio Limited s.r.o. shall, to the extent necessary to effectively manage the identified risk, go beyond the measures applied in client identification and control:
1. Obtain additional documents or information about:
  1. The beneficial owner,
  2. The intended nature of the business relationship, and
  3. The source of the client's and beneficial owner's funds and other assets,
2. Verify the documents or information obtained from multiple credible sources,
3. Regularly and intensively monitor the business relationship and the transactions within the business relationship,
4. Obtain the consent of a member of its statutory body or the person authorised by it to manage the measures against money laundering and terrorist financing to enter into or continue the business relationship,
5. Require the first payment under the business relationship or a trade outside the business relationship to be made from an account held in the name of the client with a credit institution or a foreign credit institution which is subject to customer identification and control requirements at least equivalent to those of European Union law, or
6. Implement other measures taking into account the nature of the obliged person, its activities and its own risk assessment.

Initial Identification Procedure

The initial customer identification means the procedure, when the identity card (as specified here below) is used for check and recording of identification and other data of the customer (for specification see below).
The initial identification of a customer is performed by one of the following ways:
1. So called "face to face" – a personal meeting with the customer or with a person representing him/her
2. So called "remote" – the customer sends the documents and the customer is checked by the first payment without necessity of a personal meeting with the customer.
3. So called "technical" – the customer sends the documents and is checked by video verification.
Moreover, the initial identification of a customer always includes:
1. Establishment whether the customer is a PEP or not using the procedure according to Chapter II.3 and also
2. Establishment whether the Czech Republic applies international sanctions towards the customer according to Chapter II.4.
In case of the customer’s initial identification to be performed just earlier, it is not necessary to repeat the process. But it is necessary to check thoroughly whether all and any registered identification data are current and whether the company has all the documents that are to be obtained during the identification (for example the power of attorney) and it is also necessary to check whether the Czech Republic does not apply international sanctions towards the customer.

Identification of a natural person "face to face"

The "face to face" identification is performed in physical presence of the customer or a person that represents the customer in the course of the business relation establishment (in case of a customer – a legal entity). On the basis of the identity card presented, the employee checks "face to face" the compliance of customer’s appearance (or the person representing the customer) with the image in the identity card and more, he/she checks and records identification data from the identity card.
More, in case of a legal entity to be the customer, it is also necessary to perform identification of the legal entity and to find out whether the "face to face" identified natural person is entitled to act on behalf of the customer, respectively let him/her prove it by a power of attorney.

"Remote" identification of a customer

An employee may perform identification even without physical presence of the customer who is a natural person or a natural person acting on behalf of the customer when establishing the business relation in case of the customer to be a legal entity (i.e.,, without presence of the person signing the contract). The procedure replaces identification of only the specific acting natural person and that is why it is necessary to make other steps in identification as usual (to establish PEP, to check sanctions, respectively to identify a legal entity, to check the right to act on behalf of the customer, etc.).
If it is not possible to apply the complete procedure as specified here above or there are any doubts regarding real identity of the customer, the employee will not use the identification procedure and he will use some other method.
The identified natural person will send (by e-mail or by post) to the Company a copy or a scan or photo of two different types of IDs (belonging to the identified person; he follows the list of accepted identity cards), while:
1. If it is an ID of the identification card type, the customer sends copies, scans or photos of the front and rear side of the card;
2. If it is an ID of a plate type (i.e.,, a "booklet"), the customer will send a copy, scan or a photo of the identification spread respectively also of the page with required data (for example address of stay inside of the residence permit);
3. The customer may hide the data that are not required for the identification performance (e.g., wife’s name, etc.);
4. Both of the IDs must clearly indicate not only the identification data, but also the type and number of the identity card, country and possibly the authority issuing it and the term of validity;
5. The copy and the scan may be black-and-white, but there must not emerge any doubts regarding genuineness of the identity cards or the person’s identity.
More, the customer will send to the Company a proof, confirming existence of an account kept at the customer’s name in a bank or in a savings and loan co-operative or in a foreign bank or in a savings and loan co-operative operating in the territory of a member state of the European Economic Area, while:
1. There is accepted a copy, scan, PDF file or a photograph containing the agreement on account keeping or customer’s account statement (that also means a common account of a married couple in case of the customer being a natural person);
2. We do not accept images from Internet banking (so called "Print Screens");
3. The customer may hide the data that we do not require, but it must be always seen that the account is kept to customer’s name (i.e., in case of a legal person not to the name of the acting natural person, but beneficiary person in the name of the legal entity).
More, there must be arranged that the first payment from the contract concluded will be performed through the customer’s account from the previous point:
1. The first payment means a payment from the customer of the company CRP Unio Limited s.r.o.; in such a case the sum of the payment is not significant.
2. A payment to the account is not supposed to be a cash deposit to the account or payment by a postal order.
3. The employee is obliged to supervise for the first payment to be done in compliance with the condition; if it is not done so or if the payment is not successfully performed (e.g., it returns back), it is necessary to immediately terminate services provision and perform the identification in a different way.
Except for the above stated conditions, the employee will assess – based on information available to CRP Unio Limited s.r.o. whether the customer, product or concrete business relation does not represent an elevated risk of abuse for legalization of proceeds from crimes or terrorism financing – otherwise he will not use this way of identification. He will also use risk assessment.

„Technical“ identification of a customer

An employee may perform identification even without physical presence of the customer who is a natural person or a natural person acting on behalf of the customer when establishing the business relation in case of the customer to be a legal entity (i.e., without presence of the person signing the contract). The procedure replaces identification of only the specific acting natural person and that is why it is necessary to make other steps in identification as usual (to establish PEP, to check sanctions, respectively to identify a legal entity, to check the right to act on behalf of the customer, etc.).
If it is not possible to apply the complete procedure as specified here above or there are any doubts regarding real identity of the customer, the employee will not use the identification procedure and he will use some other method.
The identified natural person must use the following:
1. A document according to the §33 is used for identification of a person and verification of data with the help of information technology means;
2. An information technology tool with a working camera, microphone and necessary hardware and software for digital identification, as well as internet connection with adequate speed.
Tools provided for in section 3 (b) must meet the technical specifications, standards and procedures for a high level of assurance laid down by a directly applicable regulation of the European Union governing minimum technical specifications, standards and procedures for levels of assurance for electronic identification devices and which is issued and used within a qualified system under the Electronic Identification Act.
The client sends the KYC questionnaire and any other required papers to the CRP Unio Limited s.r.o..
A third-party firm that provides video identification of clients can be used by the CRP Unio Limited s.r.o..

Accepted identity cards (certificates of identity)

The employee of CRP Unio Limited s.r.o. will accept for identification purposes mainly the following type of identity cards (certificates of identity):
1. passport issued by any country
2. identity card issued by a member state of the European Union and Iceland, Norway, Switzerland and Liechtenstein;
3. driving license issued by a member state of the European Union and Iceland, Norway, Switzerland and Liechtenstein;
4. residence permit proof issued by a member state of the European Union and Iceland, Norway, Switzerland and Liechtenstein.
In addition to the types of identity cards listed here, an employee may also use another identity card issued by a public authority for identification, is valid at the moment of identification, includes images and at least some of the authorized holder's identification data.

Features of an identity card not suitable for identification

In case that the customer presents an identity card that shows any of the below stated features, the employee will refuse to make the identification on its basis and he will ask the customer for a different identity card:
1. identity card not showing any marks of credibility (mainly in case of identity cards issued abroad)
2. identity card, which the employee does not believe to be issued by a public administration authority (mainly in case of identity cards issued abroad)
3. identity card after its validity term expiration (if specified)
4. identity card which is excessively damaged (i.e., unreadable, overwritten, glued, without pages to be fixed, with missing pages or additionally glued)
5. identity card without photograph or with a photograph that was adjusted or changed or that cannot be used for sufficient check of compliance of the photograph and the customer’s appearance
6. identity card in which the appearance on the photograph does not correspond with the customer’s appearance
7. identity card from which it is not possible to clearly set the authority and the state of the card issue
8. identity card which is just a black-and-white or colour copy of the original identity card.
In case of the employee not to be sure whether the identity card presented is valid or authentic, it is possible to check authenticity and protective elements against forgery using the on-line system „PRADO – public registry of valid identity cards and passports“. The system is available for free at http://prado.consilium.europa.eu/. More, the system provides references to national sites of document issuers, where it is possible to check whether the document has not been marked as stolen, missing or otherwise excluded from the evidence.

Identification data of a natural person

On the basis of the identity card presented or delivered, the employee checks and records all of the below stated identification data:
1. all the names and surnames of the customer (if there may appear any doubts – in case of foreigners – which is the name and which is the surname, the surname is written in capital letters)
2. personal number; if it was not assigned, then the date of birth
3. place of birth (including the country in case of the place of birth to be outside the Czech Republic)
4. sex
5. permanent or other residence
6. citizenship
7. type and number of identity card
8. country, respectively authority issuing the identity card
9. term of validity of the identity card.

Absence of identification data of a natural person

In practice, there may occur a situation when some required data are not apparent from the identity card presented or sent, because they are not contained there. In such a situation the employee directly asks the identified person about the missing data and asks the person to communicate the data in written or oral form (unless it has already been done so e.g., in an application for use of services) and to be supported by a supporting document. In case the person does not have the supporting document, there is no other possibility but to rely on the statement. This procedure mainly applies to permanent or other residence which is usually not specified in a passport.
Regarding the individual identification data established only on the basis of oral communication (and possibly verified from some supporting document only), it is necessary to note that they were verified on the basis of an identity card – it is done by writing "not verified" or the abbreviation "not verif." at a specific data.

Initial identification of a natural person - entrepreneur

In case the customer conducts business as a natural person – entrepreneur, it is necessary – together with the above stated process of identification of a natural person – to record and check all the following data:
- trade name, differing amendment or other marking
- place of business
- identification number of the person.
The employee will verify the above stated data on the basis of a document presented by the customer regarding registration of the natural person in the evidence of natural persons – entrepreneurs or the employee may arrange such a document by himself. The document is most frequently an original or a legalised copy of an extract from the trade registry or commercial registry or some similar evidence. The document must contain currently valid data.
Even those identification data are recorded in the contractual documentation.

Procedure for the initial identification of a legal entity

In case the customer is a legal entity, the identification of each person acting on its behalf in business relation establishment must be performed, while the employee also identifies the legal person (i.e., the customer himself). Moreover, it is also necessary to identify every person to act on behalf of the customer in the course of the business relation duration (so called agent / managing clerk).
The employee proceeds as follows: the customer presents a proof on existence of a legal entity or the employee obtains it by himself. The document includes mainly:
- original or certified copy of an extract from the trade register in case of legal entities registered in such a registry (mainly business corporations)
- record from initial session of the municipal council in case of a municipality
- extract from the registry of churches and religious organizations as issued by the Ministry of Culture of the Czech Republic
- similar evidences abroad
- in case there is no such evidence in the country of headquarters of a foreign entity, then an officially legalised Articles of incorporation or some other document establishing the foreign entity and containing all the changes.
The employee must always have available an original copy or certified copy of the proof of existence of the foreign entity. In case of a legal entity registered in the trade register in the Czech Republic, the employee may make an extract from the trade register by himself from the address or.justice.cz, because they are signed by a guaranteed electronic signature and they are considered to be an original.
The document on existence of a legal entity must contain currently valid data and may not be older than 6 months. Using the presented or obtained document, the employee will check and record the below stated identification data of the legal entity.
In case the customer presents a proof of existence of the legal entity issued in another country, it is necessary to pay extra attention to whether it was issued by an entitled authority. A private subject cannot be considered an entitled authority – only the public administration authority of the foreign country. If the document is issued in a language that the employee does not know, the employee will require an official translation to Czech Language. In case of doubts regarding the credibility of the document presented, the employee will refuse performance of the identification and ask the customer for a credible document.

Identification data of a legal entity

Identification data of a legal entity include all of the below stated data:
- trade name or name, including the differing amendment or other marking
- headquarters of the company (address and country)
- identification number of the company or similar number assigned abroad
- data of each natural person being a statutory authority or its member and allowing its clear identification; it concerns the following data as a minimum: all the names and surnames, dates of birth, permanent or other residence, and citizenship.
In case another legal entity is the statutory authority, its member, or controlling person (see the definition in Chapter I.5), their identification data as specified above will also be recorded.
In case the customer is a trust fund or another legal organization without legal personality, the identification data include its marking and the identification data of its administrator, manager, or person in a similar position according to this chapter (these may be natural persons or legal entities).
The document Risk Assessment may (to eliminate ML-FT risks) set additional identification data that must be obtained, recorded, and possibly checked. The treasurer must adhere to the extended list.

Initial identification of a customer on the basis of a power of attorney

In case the customer (a natural person or a legal entity) is represented based on a power of attorney, the employee proceeds as follows:
- The attorney must present or deliver to the employee the power of attorney they act upon always before the establishment of the business relationship. Only the original of the power of attorney or its legalized copy is accepted, not a standard scan or plain copy. The signature of the donor of powers need not be legalized, but it is recommended for higher business safety. The employee will keep the document permanently.
- The employee performs identification of the attorney using the procedure as described in this chapter. The attorney and the donor of powers may be a natural person or a legal entity, and identification may be performed "face to face" or remotely.
- The attorney will prove the identification data of the donor of powers. It is not necessary to identify the donor of powers "face to face"; their clear identification should emerge from the power of attorney.
- The employee states in the record of identification data of the attorney and the donor of powers that it is representation based on the power of attorney. Only then is the identification considered complete.

Initial identification of the represented customer

In case the customer is represented by a legal representative or a custodian, the employee proceeds as follows:
- The statutory representative must prove to the employee an appropriate legal relation on the basis of which they act, always before the realization of the transaction. The statutory representative is responsible for the correct identification of the represented person. Only an original or certified copy of the document is accepted, not a standard scan or ordinary copy. The employee does not need to keep the document; a plain copy is sufficient, or in the case of a court resolution, recording the file number is enough.
- Then, the employee performs identification of the statutory representative. It may be a natural person or a legal entity, and identification may be performed "face to face" or remotely.
- The statutory representative then proves the identification data of the donor of powers. It is not necessary to identify the represented person "face to face". A suitable form of proof could be the fact that identification data of the customer emerge from the document on representation, or a written declaration of the statutory representative on such data is also acceptable.
- The employee states in the record with identification data of the statutory representative and the represented person that the customer is represented by a statutory representative. Only then is the identification considered complete.

Initial identification of the customer on the basis of the deed of identification

The initial identification of the customer (including a customer represented on the basis of the power of attorney or by a legal representative) may also be performed by the notary public or contact point of public administration (so-called CZECH point) by writing a deed on identification. The deed contains – in the form of a non-detachable appendix – the documents on the basis of which the identification was performed and that clearly depict the customer.
In such a case, the employee checks the presented original of the identification deed and its appendices, then verifies completeness and readability of data. The employee then performs the initial identification without physical presence of the customer in such a way as if the original document is presented. The original of the identification deed must be permanently kept. Only then is the initial customer’s identification considered complete.

II.3. Procedure for Establishment of a Politically Exposed Person

Establishment of a politically exposed person

In case of the customer to be a natural person, the fact whether it is a PEP or not is established only at the customer himself (i.e., the natural persons) and not at possible attorney, statutory representative or a guardian.
If the customer is a legal entity, the fact whether it is a PEP or not is established for the following persons:
1. any person acting on behalf of the customer in the matter of trade or business relationship (acting person) and then
2. each statutory representative of the customer - including those who do not act in the matter of business (members of the statutory body and further, if the member of the statutory body of the customer is a legal entity and its representative)
3. any beneficial owner of the customer.
The PEP definition is contained in Chapter I.3.
The customer that has PEP in its structure is subject of EDD.

Establishment procedure

PEP establishment is performed by declaration of the customer or a person acting on customer’s behalf (statutory representative, proxy, attorney, legal representative, guardian, etc.) or by searching of the fact in the commercially distributed system for control and search for „risk“ customers, based on information from public resources and provided in the form of a paid service by some specialised business subjects. It is also allowed for the employee to perform own investigations, e.g., while using open sources of information (Internet, etc.). The employee uses websites such as Facebook, LinkedIn, Instagram, Twitter, Forbes, Google, and others, as well as the national list of PEP functions, to collect information, analyze it, and make a decision. The employee always uses a combination of at least two methods of PEP research.
In case of the explanation or definition of PEP not to be placed directly in the declaration or if the declaration is obtained orally, it is necessary for the customer to have a possibility to get acquainted with definition of the term. That is why it is recommended to publish the PEP term definition visibly, directly in the shop or in the place of negotiations with the customer, so as the customer may get acquainted with it, ideally in a language comprehensible for him/her.
In case of the customer to make the PEP declaration (in written or oral form) in the past, it is advisable to get it repeatedly, due to the fact that it may change. It is also recommended to check the fact with some periodicity in the course of the business relation duration.
In case of the customer to state to be a PEP or in case of the employee to know that from another source, the employee must establish (from the customer or in a different way) the following information:
1. identification of function respectively even other details about it
2. respectively description of relation to a person in leading position (if it is a person from his/her „family“ or „business“ environment, who is not in any leading position
3. respectively at least approximately date of finishing the function (if the function has been terminated).

II.4. Procedure for Verification of International Sanctions

International Sanctions

International sanctions are a set of restrictive measures that the international communities (UN, EU) use as a tool to maintain or restore international peace and security, protect fundamental human rights, and fight terrorism. They are accepted by the competent authorities (UN Security Council, EU Council or European Commission) in the form of resolutions or decisions and regulations. In addition, the Czech Republic has a local individual list of 'intra-European terrorist groups'.
The Czech Republic applies two types of sanctions:
1. sanctions, which it applies towards specific natural and legal persons, listed on the sanction lists (so called sanctioned persons)
2. sanctions, which it applies towards certain types of goods (so called sector sanctions).
The following types of sanction regulations are legally binding (directly applicable) in the Czech Republic:
1. resolutions of the United Nations Security Council
2. resolutions of the EU Council or Commission (see https://sanctionsmap.eu)
3. resolution of the Czech Republic government (see http://www.amlsystems.cz/AML-dokumenty).
Carrying out of international sanctions in the Czech Republic is partially regulated by the AML Act and also by Act No. 69/2006 Coll., on Carrying out of International Sanctions.
For more information on the application of international sanctions, please consult the Financial Analytical Office website at: http://www.financnianalytickyurad.cz/mezinarodni-sankce.html.
The obligation to enforce international sanctions also applies to any other activities of CRP Unio Limited s.r.o., not only to those covered by this document.

Sanction lists

Two groups of sanction lists are legally binding for the Czech Republic:
1. sanction regulations coming out from EU law accessible through EUR-Lex - access to European Union law at http://eur-lex.europa.eu.
2. Government Decree No. 210/2008 Coll., On Implementation of Special Measures to Combat Terrorism, as amended, located eg at http://www.amlsystems.cz/AML-documents.
The responsible person shall give employees access to these lists.

Screened persons

Prior to establishing each business relationship and then with the specified periodicity, the employee must verify whether the Czech Republic does not apply international sanctions against the customer or the persons associated with the customer. The verification periodicity of international sanctions should be set so that no service is ever provided to a customer that is subject to international sanctions - i.e., ideally prior to the provision of each virtual assets service or at least once a day, or possibly whenever the sanction lists are updated.
If the customer is a natural person, the screening includes the customer himself / herself and, if applicable, also all the persons acting on behalf of the customer (proxy, legal representative, guardian).
If the customer is a legal person, this screening includes the following persons (both natural and legal):
1. the customer itself (a legal person in this case); and also
2. all members of the statutory body (these may be natural or legal persons); and
3. all controlling persons (see the definition in the Chapter I.5); and
4. all persons that are the beneficial owners of the legal person (which is identified during the initial check of the customer, according to the Chapter II.5, these may be natural persons only); and
5. possibly also an agent, proxy, legal representative, and guardian
6. with all the persons the identity of which the company established within the scope of identification or control (mainly all the persons from the management and control structure of the customer).
Furthermore, in the duration of the business relationship, it is always necessary to verify the international sanctions against the counterparty of the customer's transaction (if the counterparty of the company is known), especially if CRP Unio Limited s.r.o. ensures the execution of payments, taking into account all the information accompanying these transactions (e.g., the requisites of SWIFT messages, SEPA payments and letters of credit etc.)

II.4. Procedure for Verification of International Sanctions

International Sanctions

International sanctions are a set of restrictive measures that the international communities (UN, EU) use as a tool to maintain or restore international peace and security, protect fundamental human rights, and fight terrorism. They are accepted by the competent authorities (UN Security Council, EU Council or European Commission) in the form of resolutions or decisions and regulations. In addition, the Czech Republic has a local individual list of 'intra-European terrorist groups'.
The Czech Republic applies two types of sanctions:
1. sanctions, which it applies towards specific natural and legal persons, listed on the sanction lists (so called sanctioned persons)
2. sanctions, which it applies towards certain types of goods (so called sector sanctions).
The following types of sanction regulations are legally binding (directly applicable) in the Czech Republic:
1. resolutions of the United Nations Security Council
2. resolutions of the EU Council or Commission (see https://sanctionsmap.eu)
3. resolution of the Czech Republic government (see http://www.amlsystems.cz/AML-dokumenty).
Carrying out of international sanctions in the Czech Republic is partially regulated by the AML Act and also by Act No. 69/2006 Coll., on Carrying out of International Sanctions.
For more information on the application of international sanctions, please consult the Financial Analytical Office website at: http://www.financnianalytickyurad.cz/mezinarodni-sankce.html.
The obligation to enforce international sanctions also applies to any other activities of CRP Unio Limited s.r.o., not only to those covered by this document.

Sanction lists

Two groups of sanction lists are legally binding for the Czech Republic:
1. sanction regulations coming out from EU law accessible through EUR-Lex - access to European Union law at http://eur-lex.europa.eu.
2. Government Decree No. 210/2008 Coll., On Implementation of Special Measures to Combat Terrorism, as amended, located eg at http://www.amlsystems.cz/AML-documents.
The responsible person shall give employees access to these lists.

Screened persons

Prior to establishing each business relationship and then with the specified periodicity, the employee must verify whether the Czech Republic does not apply international sanctions against the customer or the persons associated with the customer. The verification periodicity of international sanctions should be set so that no service is ever provided to a customer that is subject to international sanctions - i.e., ideally prior to the provision of each virtual assets service or at least once a day, or possibly whenever the sanction lists are updated.
If the customer is a natural person, the screening includes the customer himself / herself and, if applicable, also all the persons acting on behalf of the customer (proxy, legal representative, guardian).
If the customer is a legal person, this screening includes the following persons (both natural and legal):
1. the customer itself (a legal person in this case); and also
2. all members of the statutory body (these may be natural or legal persons); and
3. all controlling persons (see the definition in the Chapter I.5); and
4. all persons that are the beneficial owners of the legal person (which is identified during the initial check of the customer, according to the Chapter II.5, these may be natural persons only); and
5. possibly also an agent, proxy, legal representative, and guardian
6. with all the persons the identity of which the company established within the scope of identification or control (mainly all the persons from the management and control structure of the customer).
Furthermore, in the duration of the business relationship, it is always necessary to verify the international sanctions against the counterparty of the customer's transaction (if the counterparty of the company is known), especially if CRP Unio Limited s.r.o. ensures the execution of payments, taking into account all the information accompanying these transactions (e.g., the requisites of SWIFT messages, SEPA payments and letters of credit etc.)

Search for a person in sanction lists

The fact whether the Czech Republic applies international sanctions against the customer or the persons associated with the customer is found out by the employee by looking all the aforementioned persons (both natural and legal) up in the currently valid and available sanction lists.
The contents of these two lists differ. If the person is found in any of these sanction lists, it means that the Czech Republic applies international sanctions against this person. In the case that the person is not in one of the mentioned sanction lists, the Czech Republic is considered not to apply any sanctions against this person.
The employee has the obligation to create a record about the screening and the result, which corresponds to the requirement of reconstructability according to Chapter V.6, i.e., it contains at least the following information:
1. date of verification and name of the person who performed the verification (if performed by a specific employee and not automated)
2. a list of natural and legal persons that have been reviewed in the sanction lists
3. information on the sanction lists under which the verification was carried out
4. result of verification (negative or positive finding).

Sanction programs

In addition to verification of the persons' presence on the sanction lists, the AML officer and the employee must be familiar with the currently effective EU sanction programs. The Czech Republic, as a member country of the EU, does not only apply sanctions to certain persons only, but also to certain types of goods or services. It may happen (even during a business relationship) that the inspection of the customer indicates, based on the customer's communication or based on the submitted documents, that the customer uses the services of the company to trade or transfer (on the customer's own behalf or on another person's behalf) goods or services subject to international sanctions, e.g., the customer states that the payment relates to the movement of the goods and it turns out that it concerns so called dual-use goods that can also be used for military purposes and the expedition of such goods to some countries is forbidden.
The list of currently applicable sanctions is included in the "Consolidated list of sanctions" section: https://eeas.europa.eu/topics/sanctions-policy/8442/consolidated-list-of-sanctions_en.

Procedure in case of a person to which the international sanctions apply

In case the Czech Republic applies international sanctions against the customer or the persons associated with the customer or if the virtual assets service are in any way related to international sanctions, such negotiation regarding establishment of a business relationship or provision of virtual assets service is inevitably a suspicious transaction, and it is necessary to take all the steps listed in the Chapter IV.2.
It is also necessary for the employee to ensure that the company proceeds in accordance with the specific sanction and in accordance with Act No. 69/2006 Coll., on Carrying out of International Sanctions. For this purpose, contact both the AML officer and the statutory body of CRP Unio Limited s.r.o. and coordinate the next step with it.

Procedure in case of a person to which the international sanctions apply

In case the Czech Republic applies international sanctions against the customer or the persons associated with the customer or if the virtual assets service are in any way related to international sanctions, such negotiation regarding establishment of a business relationship or provision of virtual assets service is inevitably a suspicious transaction, and it is necessary to take all the steps listed in the Chapter IV.2.
It is also necessary for the employee to ensure that the company proceeds in accordance with the specific sanction and in accordance with Act No. 69/2006 Coll., on Carrying out of International Sanctions. For this purpose, contact both the AML officer and the statutory body of CRP Unio Limited s.r.o. and coordinate the next step with it.

Procedure during the Initial Customer Check

Initial customer check

The purpose of the initial customer check is to obtain information about the customer, necessary for the assessment, in particular:
- (a) whether the customer does not represent any risk for CRP Unio Limited s.r.o. from the point of view of money laundering and financing of terrorism and in the preparation of its risk profile;
- (b) whether the customer meets the customer's eligibility criteria (i.e., whether CRP Unio Limited s.r.o. will provide any services for the customer at all);
- (c) whether the services provided subsequently during the duration of the business relationship do not show signs of suspicious trade, which would be subject to the notification obligation under according to the Chapter IV.2.

Procedure in case of a person to which the international sanctions apply

In case the Czech Republic applies international sanctions against the customer or the persons associated with the customer or if the virtual assets service are in any way related to international sanctions, such negotiation regarding establishment of a business relationship or provision of virtual assets service is inevitably a suspicious transaction, and it is necessary to take all the steps listed in the Chapter IV.2.
It is also necessary for the employee to ensure that the company proceeds in accordance with the specific sanction and in accordance with Act No. 69/2006 Coll., on Carrying out of International Sanctions. For this purpose, contact both the AML officer and the statutory body of CRP Unio Limited s.r.o. and coordinate the next step with it.

Procedure during the Initial Customer Check

Initial customer check

The purpose of the initial customer check is to obtain information about the customer, necessary for the assessment, in particular:
- (a) whether the customer does not represent any risk for CRP Unio Limited s.r.o. from the point of view of money laundering and financing of terrorism and in the preparation of its risk profile;
- (b) whether the customer meets the customer's eligibility criteria (i.e., whether CRP Unio Limited s.r.o. will provide any services for the customer at all);
- (c) whether the services provided subsequently during the duration of the business relationship do not show signs of suspicious trade, which would be subject to the notification obligation under according to the Chapter IV.2.

Procedure during the Initial Customer Check

The initial customer check is performed by the employee, who will:
- (a) find out and record what is the purpose of the intended business relationship (the purpose for which the customer will use the services); and
- (b) find out, verify, and record the source of funds or other assets that will be the subject of the business relationship; and
- (c) if the customer is a natural person, find out and record the list of all countries where the customer has a nationality and also a permanent or other stay; and
- (d) if the customer is a legal entity, find out and record the list of all countries where the customer has its registered office, branches; and
- (e) if the customer is a legal entity, find out and record information about the customer's ownership and management structure and further identify and record its beneficial owner so that it can be identified and always record the method and source of the findings of the beneficial owner, unless this is clear from the documents or records kept;
- (f) if the customer is a legal entity or a natural person doing business, it also detects and records a detailed description of all the customer's activities (not only those related to virtual assets service) - in order to fully understand his / her activities.
In addition, the employee will also find out whether the customer will act or act solely on his / her own behalf or whether he / she represents or will represent another person (especially the so-called Agency Agreement). If this is the case, the employee will perform a review to identify, understand and document the activities of the represented person, their ownership and management structure, and the beneficial owner as if they were the customer himself. In addition, the employee obtains representation documents.

Procedure for finding and verification of data

The employee finds out the data necessary for the check primarily by the means of his / her own investigation and from the available documents and also from the customer's statement.
The purpose of the business relationship is often understood from the interview with the customer, or the customer declares it.
The source of funds is often implied by the accounting documents entered into the collection of documents of the customer registered in the Commercial Register in the Czech Republic, by the published annual reports, and by the trade licenses that the customer has and through which the customer generates funds. The source means a one-time event (e.g., inheritance, sale of real estate, winnings, sale of other assets, etc.) or continuous activity (funds from the customer's business, from his employment, etc.). The employee must always obtain sufficient information in order to verify the source of funds, i.e., to assess whether such sources are possible and possibly also legal. In the case of one-time sums, the employee must find out more details (such as from whom the inheritance was inherited and in what amount, which property and for what amount was sold, the amount of the winnings and by which game operator it was paid). In the case of repeated income, its source, i.e., denomination of the business or the employer, and the approximate amount of such regular income.
The list of all countries where the customer (natural person) has a nationality and a permanent or other residence, as well as the list of all countries where the customer (legal person) has its registered office, branches, organizational units, or premises, from the customer's website, or from the customer's statement.
Information about the ownership and management structure and about the beneficial owner of the customer, legal persons will be found by the employee, in particular, by his / her own research of publicly available information (information contained in the extract from the Commercial Register, documents from the of the General Meetings based on the collection of documents kept by the registry court, etc.). If this information cannot be found, the employee will ask the customer for his statement and possibly a proof. The method of obtaining the ownership and management structure data and the beneficial owner will also be recorded by the employee (i.e., the source and the procedure by which the employee obtained the information). The management structure is determined by the employee to the second level: the first level is the management structure of the customer itself; the second level is the management structure of the controlling person (the parent company). Identification of the management structure does not apply to "sister" companies, unless it is necessary from the risk assessment point of view.

Verification of the data obtained during the check

If the employee assesses that there are doubts about the truthfulness or completeness of the data that the customer has stated during the check, he / she will ask the customer to prove the data obtained during the check by the relevant documents:
- (a) The source of funds and the purpose of the business relationship can usually be verified from accounting documents, statements from the person managing the customer's accounts, statements from the statutory body (in case of a legal person), confirmation issued by a bank or other third party, etc.
- (b) The beneficial owner of the legal person can be verified, in particular, from the last minutes of the general meeting. Only originals or certified copies of the submitted documents are accepted.
Only originals or certified copies of the submitted documents are accepted. The employees will make regular copies of these documents and he / she will keep them permanently.

Application of risk-based approach

The Risk Assessment document may specify the level of detail of the information that the cashier will require about the management structure for the types of customers, services, or methods of providing them. In addition, it can determine the degree of reliability of the documents that the cashier will require when acquiring them (e.g., a mere statement or declaration from the customer will be insufficient, etc.).

II.6. Creation of Customer’s Risk Profile

Creation of the Customer’s risk profile

(1) Prior to establishing the business relationship, the employee will create a risk profile of the customer. This is a characteristic of the particular customer.

(2) If a business relationship has been established in the past and it lasts (the customer uses other company services), the risk profile will be updated when establishing any further business relationship.

(3) The risk profile is compiled with respect to all the information that CRP Unio Limited s.r.o. has about the customer, i.e., not only the information obtained during the initial identification and check but also other information that the employee acquires and also with regard to the information that the company possibly has from previous business relationships that have been terminated.

Risk profile

(1) The customer's risk profile means the assessment of the customer that represents a potential risk that the services of CRP Unio Limited s.r.o. may be misused by the customer for the purpose of legalizing proceeds of crime or for financing of terrorism. As part of the risk profile, the customers are classified into the following groups according to the risk factor that has occurred in their case:

(a) a customer with the type A risk profile – i.e., a customer without an identified risk factor
(b) a customer with the type B risk profile – i.e., a customer with a low identified risk factor
(c) a customer with the type C risk profile – i.e., a customer with an identified risk factor
(d) a customer with the type D risk profile – i.e., a customer with a high identified risk factor
(e) a customer with the type E risk profile C – i.e., an unacceptable customer.

(2) The risk profile is crucial in two respects:

(a) influences the periodicity and intensity of the actions performed under this document
(b) serves as an essential piece of information when assessing suspicious transactions.

Risk factors

(1) The risk factor means the characteristic of the customer, the product provided to the customer, or the way it is provided to the customer, which increases the risk that the services of CRP Unio Limited s.r.o. may be misused by the customer for the purpose of legalizing proceeds of crime or for financing of terrorism.

(2) Due to the presence or absence of the risk factors, the customer is assigned the type A, B, C, D or E risk profile.

Risk profile - type A

(1) The customer is assigned the risk profile of the type A if there are no known risk factors which would assign the customer the risk profile of type B, C, D or E.

(2) A customer with a risk profile of type A does not represent for the Company no, or only very small (negligible) risk in terms of money laundering and terrorism financing, in case of:

(a) The jurisdiction of the client is low risk (as per Annex 5),
(b) The country of origin of the beneficial owner and representative is low risk (as per Annex 5),
(c) The monthly turnover of the client is less than 5 000 EUR,
(d) The client's business activity is low or medium risk (as per Annex 6).
(e) Where there are no known risk factors to assign a risk profile of type B, C, D or E

Risk profile - type B, C, D

(1) The customer is assigned the risk profile of the type B, C or D if there are no known risk factors which would assign the customer the risk profile of type E and at the same time, any of the risk factors listed in the Risk Assessment document as risk factors of the type B, C or D are found.

(2) A client with a Type B risk profile poses a low risk to the CRP Unio Limited s.r.o. in terms of money laundering and terrorist financing. To obtain this risk profile, the client must meet the following conditions:

(a) The client's jurisdiction is low risk (as defined in Annex 5),
(b) The customer's monthly turnover is less than 10 000 EUR,
(c) The client's business is low or medium risk (as set out in Annex 6),
(d) Where there are no known risk factors to assign a C or D risk profile.

(3) A client with a Type C risk profile poses a money laundering and terrorist financing risk to the Company. To obtain this risk profile, the client must meet the following conditions:

(a) The customer's monthly turnover is less than 15 000 EUR,
(b) There are no known risk factors to be assigned a Type D risk profile.

(4) A customer with a Type D risk profile poses a high risk to the Company in terms of money laundering and terrorist financing. He is always an EDD subject.

(5) A customer with the risk profile of the type B, C or D represents for CRP Unio Limited s.r.o. the potential risk from the point of view of legalization of proceeds from crime and financing of terrorism and therefore all employees, including the AML officer, must:

pay high attention when assessing any suspicious behaviour of this customer according to Chapter IV.1,
to place increased demands on the accuracy of information provided by the customer within the framework of the initial or continuous check, or possibly to substantiate the declared information by means of a specific document;
to carry out a continuous check of the customer at least once in a certain time period specified in the Risk Assessment
check for each transaction that exceeds the amount specified in the Risk Assessment
carry out a continuous check of a certain number of transactions selected at random over a certain amount of time; the time interval, the number of transactions selected at random and the minimum amount are set by the Risk Assessment
obtain AML, KYC and other similar regulations from the Customer if the Customer's activity requires them to be processed and to assess whether they are sufficient.

Risk profile - type E

(1) The customer is assigned the risk profile of the E type in the event that any of the risk factors listed in the Risk Assessment document is found with the customer, making the customer unacceptable.

(2) A customer with the risk profile of the type E represents for CRP Unio Limited s.r.o. extremely high risk from the point of view of the legalization of proceeds from crime and the financing of terrorism. In the event that the customer is assigned the type E risk profile, the business relationship will not be established with the customer, or the business relationship with the customer will be terminated and no other service will be provided for the customer. It is assumed that the customer in this situation no longer meets the customer's eligibility conditions.

(3) In this case, the termination of the business relationship or refusal to provide any service will be ensured by the AML officer. Without unnecessary delays, the AML officer will take all necessary steps to ensure that the business relationship is effectively and legally discontinued. The AML officer will also prevent any new services from being provided to the customer until the business relationship is terminated.

(4) In addition, it is necessary to pay close attention when assessing whether the customer's behaviour does not show signs of suspicious trade under the Chapter IV.1

II.7. Establishing a Business Relation

Establishing a business relationship

(1) A business relationship can only be established with the customer if all three of the following conditions are met:

(a) the operations preceding the establishment of the business relationship under the Chapter II.1 have been fully performed; and
(b) the AML officer has approved the establishment of the business relationship if required by it in the Risk Assessment; and
(c) if the customer is a PEP, a consent to the establishment of the business relationship must be issued by the statutory body of CRP Unio Limited s.r.o. or a person appointed by it; there must be a record written about the consent issued; and
(d) none of the facts mentioned in the Chapter II.8 has occurred.

(2) The business relationship is established by signing the documents on the basis of which the business relationship is established, or when the services are made available for the customer, whichever comes first.

Instructing the customer about the need to report changes of the data

(1) In addition, when establishing the business relationship, the customer will be obliged to notify all changes to the data the customer has provided during the establishment of the business relationship. These include in particular:

(a) the data provided at initial customer identification
(b) changes in the fact that the customer or the customer's beneficial owner is or is not a PEP
(c) changes in the list of people who are considered to be the beneficial owner of the customer
(d) the data provided during the customer control, etc.

(2) The Customer must make the notification of the change of the data or of its completion without any delay, but not later than prior to being provided with the next virtual assets service. The customer will also be informed that failure to notify a change may be a reason for termination of the business relationship.

II.8. Ban to Enter a Business Relationship

Ban to establish a business relationship

(1) The Company rejects to enter into a business relationship with a customer if:

(a) the customer does not provide us with required cooperation within the performance of the verification and initial identification – i.e., does not provide with the information and data required or does not support these with relevant documents (if required), or
(b) if there have emerged any doubts related to the correctness and completeness of the information provided to us by a customer within the initial identification or initial verification, or
(c) if there was established any suspicion that a customer has provided us with untrue, distorted or incomplete information or in the event when a customer submitted false, altered or untrustworthy documents,
(d) due to any other reason is not possible to perform the initial identification or initial verification of a customer, or
(e) it is clear at the customer that the intended business relationship is intended to provide services to a person other than himself (i.e., he acts solely as an intermediary or identity provider) and the customer does not present a power of attorney; or
(f) the customer is subject to EDD and the statutory body CRP Unio Limited s.r.o. or the person authorized by it has not consented to the establishment of a business relationship,
(g) the customer is PEP and CRP Unio Limited s.r.o. does not know the origin of the property that the customer will use for each service,
(h) the customer has been, pursuant to its risk rate, ranked within a group of customers with which the company shall not establish any business relationship.

(2) In the event when the establishment of business relationship is refused, a closer attention of employees shall be focused on the facts, whether the behaviour of a customer, due to which such a situation emerged, is typical of suspicious business characteristics, pursuant to the Chapter IV.1.

(3) The document titled Risk Assessment may determine for individual types of the customers, services or services provision methods even other circumstances, under which the business shall not be performed. Next, it can determine the rules of customer acceptance – i.e., features of a customer who is not allowed to be provided with the services (or certain type of service). Our employee is obliged to respect the extended list.

III. Business Relation with Client

III.1. Obligations in the Course of the Business Relation Duration

List of obligations

(1) Within the duration of the business relationship entered into with a customer, the Company is obliged to perform, in particular, the following:

(a) if the customer appoints a new joint holder, i.e., a person who will newly execute trades on behalf of the customer (e.g., enter virtual asset orders for transfers), he / she will also identify him / her; the joint holder may act on behalf of the customer only after the company receives the power of attorney to represent the customer in the execution of transactions or has the right to represent the customer as a statutory body or its member or is the legal representative of the customer
(b) check the validity and completeness of the data obtained in the framework of the customer's identification (when establishing a business relationship, also continuous, including the status of PEP) and record their changes and additions
(c) continuously verify whether the Czech Republic is applying international sanctions against the customer or a related person, including those who are a counterparty to the trade, if the company becomes aware of them
(d) carry out a continuous check of the customer
(e) continuously update the customer's risk profile (categorize the customer according to risk factors) - if there is a change, the AML officer must be informed and the customer must assess whether the business relationship is terminated; The AML officer shall take into account, in particular, the obligations under Chapter III.2 and the customer's risk profile, in particular if it is of type B, C, D or even E; this must be done by the AML officer no later than before the next transaction (especially before the next virtual assets service is provided)
(f) to continually assess whether the behaviour of the customer or of the persons acting on his / her behalf shows any signs of suspicious trade or whether the services provided to the customer indicate this
(g) refuse to provide a service in certain situations and possibly terminate the business relationship
(h) if the customer is a PEP, all substantial changes to the framework virtual assets service contract that have been triggered by the customer's request (egg request to increase limits, new joint holder, etc.) must be approved by the statutory body of CRP Unio Limited s.r.o. and the approval to create an alert; The risk assessment may be determined by other groups of risk customers for whom the AML officer approves these significant changes in the business relationship.

(2) The Risk Assessment document may determine, for each customer risk group, the frequency or circumstances that trigger the need to meet individual obligations during the business relationship, as well as the intensity with which those ongoing obligations need to be met. It is the fulfilment of a risk-oriented approach to monitoring and managing the business relationship.

Check of information in case of doubts

(1) Whenever doubts arise as to the information or data (obtained as part of customer identification or control), the employee shall verify this information without undue delay. This is done by verifying the information either from publicly available sources or by contacting the customer to provide appropriate explanations and possibly documents.

Assessment of customer's behaviour

(1) Within the duration of the business relationship, all the employees shall assess whether the behaviour of a customer or the persons acting on behalf of a customer is not typical of suspicious business. This kind of behaviour is understood as the behaviour related to the services, as well as the behaviour of a customer towards the company CRP Unio Limited s.r.o., which is not directly related to the provision of services.

(2) This assessment shall be performed by the employee, according to Chapter IV.1.

Updates of customer's risk profile

(1) Throughout the business relationship, all employees continually update the customer's risk profile. This means that if there is a circumstance that causes a worsening of the customer's risk profile, there will be a change, or vice versa - if circumstances worsening the customer's risk profile disappear, it will change in the opposite direction, if permissible. The rules and factors set out in Chapter II.6 and in the Risk Assessment will be used to update the risk profile.

(2) The frequency of updating the customer's risk profile is determined by the Risk Assessment.

(3) The employee always keeps a record of changes in the customer's risk profile, which enables the situation to be reconstructed - i.e., it includes information on the reason for the change, the method of finding, source and eventual verification of the circumstances, date and information on the currently valid risk profile data. The history of changes in the risk profile must show all its changes, i.e., previous information is not deleted, only new one is added.

III.2. Data Updates

Customer's data changes and information added

(1) In the course of the business relation duration, the employee must check the validity and completeness of the customer's data, which is stored in the customer's file. In particular the following ones:

(a) Validity and completeness of the identification data, including changes in the personal composition of Customer's statutory body – a legal person
(b) Information whether any facts have not been changed, whether any of persons is a PEP person or not
(c) Information whether the Czech Republic has not applied international sanctions towards a customer
(d) Validity and completeness of the data sourced within the verification of a customer, in particular the information whether the intended purpose of business relationship still persists, whether the source of financial funds used by a customer is still up to date, whether in case of that customer – a legal person – has not been changed the ownership and management structure or beneficial owners, a list of all countries in which the company has its registered office, branches, business divisions or establishments, and if that customer is a natural person, then information on a list of countries in which that customer is having a citizenship, as well as permanent or other kind of residence
(e) Reasoning why the simplified identification and verification was applied to a customer (where applicable).

(2) In the event, when customer's identity card validity has expired, i.e., the identity card, on the basis of which a customer, a natural person, was verified, there is no need to have the data on new identity card. However, if customer's identification data has been changed, there is necessary to verify the new data from his/her identity card and record even the information on his/her identity card in which the new data is stated. The data on original identity card shall not be deleted.

(3) Every change or data added shall be recorded by the employee. The record shall be entered by the employee who found out such a data change or who found out the information which shall be necessarily added, or who was given such information on change from a customer.

(4) A change or completion shall be performed as follows: the originally recorded information shall be supplemented with the new one. It is necessary to proceed in such a way which allows us to distinguish whether this is the case of a data change or just a data completion (i.e., whether the originally recorded data stays valid or not). Moreover, it shall be apparent who from our employees and when (date) has entered the data change or data completion, or the source of data verification shall be identified.

(5) If this is the case of data change, the originally recorded data cannot be deleted, in spite of the fact such data is not valid anymore; it is necessary to keep it stored as the data which was valid in the past (including the documents which supported the data – if required).

(6) Furthermore, if it is required during the procedure of changed or supplemented data sourcing to support such a new information with any document or verification upon any kind of declaration, power of attorney or other document, then it is necessary to submit such a document or perform its verification within its full scope.

III.3. Verification of a Customer in the Course of the Business Relation Duration

Continuous verification of a customer

(1) The continuous verification of a customer is aimed to trace the services provided to a customer during the business relationship in order to be able to verify whether the transactions and acts were in compliance with the facts known to the Company about the customer.

(a) The services used are consistent with the client's financial circumstances and economic activity
(b) The services used are consistent with the originally intended purpose of the business relationship (product used)
(c) The services are not used by a person other than the client, i.e. whether they serve as an instrument for the transfer or storage of funds to a person other than the client.

(2) This monitoring is essential to assess whether the services provided to the client do not exhibit the characteristics of suspicious business under Chapter IV.1. In particular, the automated system assesses the following information:

(a) The volumes of funds that the client transfers using the services of the company or accumulates with the company
(b) The type of payments made, destinations, recipients, volumes, etc.

(3) Continuous verification shall be understood as an assessment procedure focused on whether a customer was provided with services that correspond with his/her property relations and with the intended purpose of a service (related to a product provided to a customer). If a customer uses the services from company CRP Unio Limited s.r.o. beyond the declared property relations or contrary to the intended purpose of the business relationship (i.e. the product), it warrants further investigation to determine if it constitutes suspicious business.

(4) Customer's risk profile is also a key factor in continuous verification. If a customer has a Type B, C, D risk profile, the assessment increases:

(a) The frequency of continuous verification performance
(b) The intensity under which continuous verification is performed
(c) The requirement for information reliability, where information submitted by the customer's statements or declarations is not sufficient, and third-party verified documents are required (e.g., state administration bodies, auditors, etc.).

(5) Special attention is focused on PEPs active outside the EU or within the EU, where risk factors are identified. Such persons are considered risky due to potential property of corruption origins or other suspicious behaviors. Alerts are preset in the system based on regularly received income for PEPs, including reserves from savings. If such a customer uses services beyond known financial means, documentation of fund sources is required.

(6) If an employee suspects a customer has provided false, distorted, or incomplete information, relevant documents must be requested from the customer for verification (e.g., account statements, accounting records, declarations from responsible accounting personnel, etc.). Only original documents or certified copies are accepted. Once submitted, continuous verification may be considered passed.

Customer’s Business Control

(1) Customer’s business control involves additional monitoring during the business relationship.

(2) In particular, this procedure monitors:

(a) Whether the services provided to a customer comply with the customer's property relations and economic activities
(b) Whether the services sourced by a customer comply with the originally intended purpose of the business relationship (used product)
(c) Whether the services are not used by any person other than the customer, i.e. whether the service is not used as a transfer tool or whether financial funds are not kept for another person other than the customer.

(3) This monitoring is essential to assess whether the services provided to a customer do not exhibit characteristics of suspicious business under Chapter IV.1.

(4) Customer’s Business Control is triggered when a customer exceeds the initially set limit during the initial control. This procedure is performed by the employee monitoring services provided to the customer. The automated system assesses:

(a) The volumes of financial funds transferred using company services, or accumulated with the company
(b) Types of payments made, payment destinations, payees, volumes, etc.

(5) If a customer is assigned a new risk profile during business control, the employee relies on the Risk Assessment document, which outlines processes and intensity of obligations for each customer risk group. In this case, the employee requests:

(a) Information about the customer’s economic activity
(b) Documents confirming the customer’s income

How to proceed in case of suspicion

(1) If suspicion arises, particular attention is given to assessing whether customer behavior exhibits suspicious features, in accordance with Chapter IV.1.

Records of continuous and business control

(1) A record must be made and kept of each continuous check, ensuring all events can be reconstructed (including periodic scans, issued alerts, handling personnel, data obtained, and any other relevant documents).

Customer's obligation to provide us with cooperation

(1) Customers are obligated to undergo continuous verification, providing all required information and supporting declared facts with documents (if required by the employee). Failure to provide sufficient cooperation results in denial of service (i.e., no transfer of financial funds with the Company), termination of the business relationship (per Chapter III.2), and is considered suspicious business per Chapter IV.1, requiring adherence to the procedure outlined in Chapter IV.2, with mandatory reporting of suspicious business.

Applying the risk-oriented approach

(1) The Risk Assessment document determines information details and document reliability levels required for each customer type, service, or method of service provision. These requirements are enforced at the cash counter. The document also specifies the level of document reliability accepted during verification procedures (e.g., excluding simple customer declarations).

III.4. Ban to Provide Service and the Obligation to Terminate a Business Relation

Ban to provide service

(1) A customer will not be provided with the service and the business relationship with a customer will be terminated if any of the following facts emerge:

(a) A customer rejects to undergo identification when its performance becomes obligatory (e.g., due to changes or additions to identification data).
(b) A customer rejects to submit a power of attorney when required (e.g., when an executive's tenure ends but the legal person still requires representation, or if there are suspicions that the funds do not belong to the customer).
(c) A customer rejects cooperation during verification, including refusal to submit or complete requested data or documents.
(d) A customer who was not initially a PEP becomes one during the business relationship, particularly if identified as a risk factor, without clarity on the origin of financial funds or without consent from the statutory body of CRP Unio Limited s.r.o.
(e) Doubts arise whether information provided by the customer is true and remain unrefuted by the customer.
(f) The customer's risk assessment worsens, moving them to the E risk profile group, prohibiting business relations with the company and necessitating termination of existing relationships.
(g) Initial identification was performed remotely, and the first payment fails to match the customer's designated account. Services are halted until a face-to-face identification is completed.
(h) During risk assessment, sanctions are found against the customer without permission from relevant authorities.

(2) When any of these situations arise, the employee must promptly report it to an AML officer and ensure that the customer is denied services by the Company. The AML officer will oversee the termination of the business relationship both de facto and de jure. Additionally, the employee must exercise heightened attention to assess whether the customer's behavior exhibits suspicious business characteristics as per Chapter IV.1.

IV.Suspicious Business

IV.1. List of Suspicious Business Features and Their Assessment

Suspicious business in general

(1) Suspicious business shall be understood as a service provided under circumstances suggesting money laundering or terrorism financing.

(2) It can also refer to customer behavior not directly aimed at receiving a service, but raising suspicion of illegal activity or an attempt to establish a business relationship.

(3) Features and circumstances indicating suspicious business:

(a) Payments credited from accounts not owned by the customer, with no apparent connection.
(b) Customer from a country where the company doesn't typically offer services (refer to Annex No. 5 for list).
(c) Customer using services across multiple countries for virtual asset orders.
(d) Customer's purchase of goods or services inconsistent with financial means or usual behavior.
(e) Customer requesting virtual asset services with cash payments or vice versa.
(f) Reselling goods or services purchased with no economic rationale.
(g) Depositing funds without apparent reason, followed by requests for redemption.
(h) Requesting transfers to accounts not belonging to them.
(i) Fictitious or difficult-to-verify business or fund usage locations.
(j) "Sleeping" customers not using services or suddenly altering usage patterns without justification.
(k) Using services contrary to declared purpose.
(l) Service volumes not commensurate with known financial conditions.
(m) Possible use of company virtual asset services by others.
(n) Multiple transfers just below monitoring thresholds (1,000 EUR or 15,000 EUR).
(o) Offering money for non-standard services or to establish relationships without required particulars.
(p) Claiming funds have illegal origins or are for terrorism financing.
(q) Unreasonably assuring legality of funds or their intended use.
(r) Unusual interest in company policies, procedures, or measures.
(s) Extensive knowledge of money laundering or terrorism financing.
(t) Unusually nervous behavior or being coached during interactions.
(u) Unusual focus on money laundering or terrorism financing topics.
(v) Attempting to build a personal relationship with employees.
(w) Accompanied by someone who monitors their actions.
(x) Using services of multiple companies without clear reason.
(y) Opting for more expensive services without justification.
(z) Introducing non-relevant countries into transfers to obscure financial flows.
(aa) Engaging in activities to conceal identity or that of beneficial owners.
(bb) Providing identity documents with unsuitable features for identification (refer to Chapter II.2).
(cc) Providing only copies or unverified documents.
(dd) Requesting identification with improper documents.
(ee) Circumstances necessitating refusal of service or business relationship termination (Chapter III.4).
(ff) Persuading employees not to request necessary data.
(gg) Asking questions indicating avoidance of identification and control.
(hh) Providing confusing, deceptive, or contradictory information.
(ii) Limited knowledge about business relationship purpose or fund origin.
(jj) Over-explaining fund origin or transaction purpose.
(kk) Large transactions unrelated to business and refusal to disclose details.
(ll) Counterparty activity in countries with weak anti-money laundering measures (refer to Annex 5).
(mm) Publicly known involvement in illegal activities or criminal history.
(nn) Unusually high transaction volumes in a short period.
(oo) Transactions incompatible with customer's usual activity.
(pp) Non-profit or charitable organizations with stated purposes contradicting activities.

(2) This list is non-exhaustive; practical experience may include other circumstances suggesting money laundering or terrorism financing.

(3) Presence of these features does not definitively indicate suspicious business.

Assessment of the features and circumstances

(1) Assessment is conducted by employees:

(a) Individually for each situation and business relationship.
(b) Before, during, and after the business relationship, considering all services provided or negotiated.
(c) Incorporating all customer-related facts known to CRP Unio Limited s.r.o.
(d) Considering customer risk rate and profile.

(2) Factors include information provided during initial or continuous verification; AML officers may consider additional relevant circumstances not directly listed here.

(3) Employees cannot state to customers whether their assessment concludes suspicious business.

Point of view of Customer’s risk profile

(1) When identifying and evaluating a suspicious transaction, the employee also takes into account the customer's risk profile, which has been assigned or updated according to Chapter II.6.

(2) Customers with a risk profile of type B require careful assessment when evaluating potential suspicious transactions. Customers with a risk profile of type E will not receive services, and their business relationship will be terminated.

(3) Customers with a risk profile of type B must provide credible documents to substantiate claimed facts.

Business that is always suspicious

(1) Always suspicious business includes:

(a) Customer refusal or insufficient cooperation during verification (e.g., refusing to discuss or abruptly stopping dialogue).
(b) Customer refusal to submit identification data of a represented person.
(c) Beneficial owner (in case of legal person) subject to international sanctions applied by the Czech Republic.
(d) Business involving goods or services subject to Czech Republic international sanctions.

Procedure in case of suspicious business

(1) Steps in case of suspicious business:

(a) Follow Chapter III.4 if initial customer identification has not been completed.
(b) Follow Chapter IV.1 if initial verification has not been completed.
(c) Follow Chapter III.3 if continuous verification has not been completed.
(d) Follow Chapter IV.2 procedure.

(2) If customer identification or verification cannot be completed due to non-cooperation, report suspicious business per Chapter IV.2, if some customer information is available.

Access to the information necessary for the assessment

(1) Ensure employees have unlimited access to customer information, business relationships, services provided, and related documents and internet sources for assessing suspicious business. Information retrieval must be automated.

IV.2. Suspicious Business Reporting

Procedure in case of suspicious business reporting

If the case has been assessed by the employee as a suspicious business, immediately after the performance the employee contacts an AML officer (see the Annex 2), and
1. Shall report he/she found out a suspicious business,
2. Shall submit all the data and all the printed documents related to a suspicious business (in particular the data and documents obtained during the customer's identification and verification procedure),
3. Shall state the reasons why the business was assessed as suspicious one,
4. Shall inform an AML officer on other facts which the employee considers essential in relation to this business,
5. Next, the employee shall cooperate with an AML officer upon officer's requirements

Activity of an AML officer

An AML officer shall start to be focused immediately on the case when it was reported by the employee, and shall perform all the steps in order to assess the business. In the event when an AML officer has assessed the business as suspicious one, an officer shall decide whether there have arisen the grounds for the postponement of customer's order, in accordance with Chapter IV.3. Next, the suspicious business shall be reported to FAU without undue delay, however, not later than within 5 days from the moment when the suspicious business was found out.

Notification of a suspicious business

A notification on a suspicious business to the FAU may be filed by one of the following ways:
1. On the basis of the information obtained, an AML officer shall draw up a notification on suspicious business. A form titled „OPO“ should be filled in for these purposes, i.e., to announce a suspicious business, the form is stated in the Annex 4 hereto. To notify this kind of business also other form may be used, but all the required legal particulars shall be included (for more information see the Annex 4). This document should include the copies of all the documents there are available in relation to the suspicious business. Such well documented business is to be announced by an AML officer in writing, using a registered letter with a form and shall be sent to the address: Finanční analytický úřad, Poštovní přihrádka 675, Jindřišská 14, 111 21 Praha 1.
2. The notification on a suspicious business may be submitted also orally, which shall be recorded in the protocol in the place determined after previous agreement speaking to a phone number operator: +420 257 044 501.
An AML officer shall complete the notification (if available):
1. Further information found out about a customer,
2. Information whether a customer was in the past provided also with other services and the details should be added,
3. Visual, audio or audio-visual record of a customer, if any of these exists.
If any such document exists, an AML officer shall keep a receipt on filed notification on a suspicious business (advice of delivery of a registered letter, etc.).

Evidence of filed notifications

In addition, the AML officer keeps a record of all reports of suspicious transactions submitted for CRP Unio Limited s.r.o. filed, it is necessary to respect the obligation of confidentiality according to Chapter V.2. This documentation also includes copies of all reports of suspicious transactions submitted.

Obligation to provide the AML officer with cooperation

In the event when an AML officer requires so, all the employees are obliged to provide him/her with a cooperation in the course of fulfilment of the obligations resulting from the present document, as well as from the law. The employees and an AML officer shall act in the matter of filed notification on a suspicious business without unreasonable delays.

Policy on Postponement of Customer's Order Fulfilment

Decision making on postponed of the customer’s order fulfilment

AML officer shall, without delay, when he/she receives a notification on a suspicious business from the employee, and when he makes its own decision whether this is the case of suspicious business or not, decide, whether the customer's order should be postponed or not, i.e., regarding that customer who has been stated in respective notification. In particular, this shall be understood as a blocking of Virtual asset order performance.
AML officer is obliged to make a decision on the postponement of the customer's virtual asset order if, due to its immediate performance could result in a frustration or significant complications in the field of securing of the proceeds of crime or funds designated for terrorism financing.
An AML officer shall decide whether the customer's order shall be fulfilled in such a case when both the following conditions are met:
1. There is no threat that the immediate fulfilment of the customer's order could result in a frustration or significant complication in the field of securing of the proceeds of crime or funds designated for terrorism financing.
2. An AML officer is not aware of the fact that such a postponement could result in a frustration or otherwise jeopardise the investigation of suspicious business.

Procedure in case of order fulfilment postponement

Next, an AML officer shall instruct all the employees, who are authorised to receive and perform the customers' orders, not to fulfil any other orders of that customer. All the employees are obliged to adhere to such an instruction. If the performance of the order is provided by an automatic data-processing system, then it is necessary to implement changes into the system which ensures the customer's order will be postponed.
Furthermore, an AML office shall keep with care:
1. the information on postponed fulfilment of customer's order
2. precise information on the date and time, when the FAU has received the notification on a suspicious business, in accordance with Chapter IV.2.
If the funds, to which is the postponed customer's order related, is being kept by the company CRP Unio Limited s.r.o., then an AML officer shall ensure such funds against any possible transactions.

Postponement period of customer’s order fulfilment

A fulfilment of the order shall be postponed for the period of 24 hours, since the moment when the FAU (the Financial Analytical Office) has received the notification on a suspicious business.
The FAU may then adopt a decision to extend this period even by up the next three working days. The FAU shall inform the Company on such extended period in its notice, which may be performed orally, by phone, via a fax message or electronically. Once the notice is received, an AML officer shall inform the FAU by return, that the Company will extend the period for which is the customer's order postponed, and confirms the time when such a notice was received. The period of three working days starts to be counted from the moment, when the extended period was noticed by the FAU.
If the FAU notifies the company CRP Unio Limited s.r.o., within the period, for which the customer's order is postponed, on the fact that the FAU has filed a notification to the competent law enforcement authority, then CRP Unio Limited s.r.o. may fulfil the customer's order at the earliest after three working days from the date on which the criminal complaint was lodged, unless up to the end of this period the competent law enforcement authority adopts decision on the withdrawal or confiscation of the subject matter of that suspicious business.

Customer’s order fulfilment

If the Company has not received from the FAU, within the period for which is the customer's order postponed, any notice that the FAU has filed a notification to the competent law enforcement authority, then the company shall fulfil the customer's order. The same procedure is applied by the Company in the event, when a criminal complaint was lodged and no decision was made up to the end of the period extended by three working days, i.e., in case of the withdrawal or confiscation of the subject matter of that suspicious business.
In this case, an AML officer shall promptly ensure that the customer's order will be fulfilled.

Confidentiality obligation

All the employees (including an AML officer) are obliged, in the event when the customer's order fulfilment was postponed, follow the confidentiality obligation, i.e., under no circumstances a customer cannot be informed, nor any other unauthorised person, on the fact, the notification on a suspicious business was filed, nor on any detailed information, even not after the moment, when the FAU adopts decision not to lodge a criminal complaint.
For more information on the confidentiality obligation see Chapter V.2

V. Other Obligations

V.1. Information Obligation

(1) The Company shall communicate, at the FAU's request, information on the services or trade relations for which the FAU is investigating within a specified period. The responsible person shall ensure the submission of documents on these transactions or give them access to authorized employees of the FAU.

(2) In case of personal contact, the authorized employees of the FAU shall produce a service card issued pursuant to the Act on Implementation of International Sanctions. The model of this card is a part of Decree No. 53/2017 Coll. FAU employees are not obliged to give their name.

(3) If requested by the AML officer or responsible person, each employee is obliged to provide assistance to him in the performance of this duty.

V.2. Confidentiality Obligation

(1) The employees, a person responsible, and an AML officer are obliged to follow the confidentiality obligation on the facts related to:

(a) Notifications and investigation of a suspicious business
(b) Acts performed by the FAU
(c) Performance of information obligation (see Chapter V.1).

(2) Everyone who becomes aware of these facts is obliged to keep them confidential.

(3) The confidentiality obligation shall not be extinguished upon termination of employment or contractual relationship.

V.3. Obligation to Train Employees

(1) The responsible person is obliged to ensure all employees undergo training, including those who may encounter suspicious business. The training shall cover rules, procedures, risk assessment, the AML Act, and other relevant regulations.

(2) Training must occur at least once every 12 months and before new or transferred employees start their positions.

(3) The responsible person maintains and archives attendance and training content records.

V.4. Obligation to Draw Up the Assessment Report

(1) The responsible person shall prepare a report evaluating CRP Unio Limited s.r.o.'s activity in preventing money laundering and terrorism financing at least once every 12 months.

(2) The report includes:

(a) Assessment of effectiveness of prevention measures
(b) Identification of weaknesses in internal policies and procedures
(c) Statistics on suspicious transactions notifications
(d) Proposals to remedy identified shortcomings

(3) Conclusions and assessments must be justified.

(4) If prepared by someone other than the AML officer, the report must include the officer's view on completeness and correctness.

(5) The report is reviewed by the company statutory body within 4 months after the assessed period.

(6) Evaluation details must be traceable.

(7) The assessment report is archived for 5 years.

Information and Documents Keeping and Archiving

Way of data recording

(1) All the data and documents related to the business relationship shall be archived. In particular, this is the case of filled in forms, original documents or copies of documents submitted by a customer, and other company internal records. All the data and documents related to a specific service shall be archived analogically.

(2) A part of these documents may be also in a digital form. Any other way of data and documents archiving may be decided by a person responsible.

Making copies

(1) The employee shall, pursuant to the AML Act, be authorised to make and keep the copies of identity cards or other documents records, upon which the identification is performed.

(2) In the event when from a copy made and archive is apparent the data which shall be otherwise obligatory recorded applying the way described herein, then it is not necessary to enter the data into the form. It is sufficient when the data is clear from the copy which was made.

Way of data and documents keeping

(1) From each recorded information and archived documents shall be apparent:

(a) To which business relationship they are linked
(b) The employee who entered the data, amended the data or verified the data, and archived the documents
(c) The date on which was the data entered, amended or verified or when the documents were archived.

(2) Next, an AML office shall ensure safe archiving of the copies of filed notifications on a suspicious business, a document on their lodging, eventually an advice on their delivery.

Digital data

(1) If the data or documents are recorded in a digital form, then the back-up shall be performed by a person responsible or by a person authorised to do so.

(2) Archiving some documents in a digital form is not allowed, which results from the provisions of the AML Act that prescribes some documents to be archived only as the original documents or certified copy – this is, in particular, the case of the powers of attorney and identification documents.

Period for which the information and documents shall be archived

(1) Pursuant to the AML Act the Company is obliged to archive the data and documents for the following period:

(a) All the information and documents related to the business relationships and services defined herein shall be archived for the period of 10 years. This period starts to be counted by the first day of a calendar year which follows the year in which specific relationship was terminated.
(b) The employee training report (see Chapter V.3) shall be archived at least for the period of 5 years after the date when the training was performed.
(c) The assessment report (see Chapter V.4) shall be archived for the period of 5 years as a minimum.

V.6. Requirement for Traceability

Traceability

(1) The term of traceability stated herein shall be understood as the state when it is possible, in case of certain procedure, determine retrospectively, why a specific action was performed (what was the reason), in what circumstances, what preceded that action, and eventually what followed that action, what exactly was done, and who and when performed the steps.

(2) What shall be also traceable retrospectively:

(a) All the approval and decision-making procedures (incl. the evaluation procedure of customer's risk profile), in accordance with the present document, and also
(b) All the control and verification activities, in accordance with the present document, including related responsibilities, and also
(c) All the background documents and evaluation of the assessment report, and also
(d) All the findings which resulted from the verification of a customer, pursuant to Chapter II.4, and within the reviewing procedure of the businesses, and eventually a correspondence related to specific business, customer or business relationship, and also
(e) All the assessment procedures of possibly suspicious business, which resulted in the fact that none suspicious business was notified.

(3) Due to this reason is necessary that all the records (digital or documentary), which are made in accordance with the present document and archived, contain at least the following information (if this kind of information is not apparent or cannot be deduced from other documents):

(a) To which business relationship, customer or case these are related
(b) The employee who entered the data, amended the data or completed the data, etc.
(c) Date and eventually time when it was performed
(d) All the other relevant information (reason, background documents supporting the decision, references to external data, etc.).

V.7. Automated Performance of Rules, Procedures and Measures

Activities performed in an automated way

(1) If any of the procedures stated herein or procedures related to the establishment and administration of business relationships are performed in an automated way, especially using computers, then it is necessary to ensure that all the obligations, procedures and measures resulting from the present document and other legal regulations are being adhered to within their full scope. This is the responsibility of a person responsible, an AML office, and the employee who controls, checks, sets and tests the automated system.

(2) Information or other systems that perform the automatic data-processing shall be developed, calibrated and shall have sufficient capacity to be able to react correctly in each situation which may be assumed, however, only with a low probability. This includes, in particular, immediate alerts and reporting, correct hardware setting, regular backups, testing and system maintenance.

V.8. Obligation to Assess Regulations and Update Them

Frequency of assessment of AML rules and updates

(1) The responsible person shall assess, at least every 12 calendar months, whether the provisions set out in this document and in the Risk Assessment document are current, proportionate to the nature, scale and complexity of currency exchange services and related activities. If necessary, it performs or arranges for updates to keep the regulations current and in line with the actual situation.

(2) In addition to this regular 12-month interval, the responsible person shall, without undue delay (ideally in advance), review and update this document and the Risk Assessment if any such need arises:

(a) the conclusion made in the Risk Assessment; or
(b) information provided by CRP Unio Limited s.r.o. obtains and leads to the conclusion that the Risk Assessment or the supporting documents used for it are no longer up-to-date, or
(c) a change in the business or strategy of CRP Unio Limited s.r.o., or
(d) amendments to legal regulations published especially on the website of the Financial Analytical Office http://www.financnianalytickyurad.cz/, on http://www.amlsystems.cz/AML-documents and on the website of the Czech National Bank https://www.cnb.cz/cs/dohled-financni-trh/legislativni-zakladna/legalizace-vynosu-z-trestne-cinnosti/; these pages are informative only and the responsible person is supposed to be active

(3) The responsible person will always create a written record of the assessment result and any further steps (whether the update and other details have been made).

(4) If there is a change in the Risk Assessment, the responsible person shall record the procedures used to draw up or update the Risk Assessment and shall also record the reasons on which it has drawn the conclusions contained therein.

(5) Furthermore, if the procedures set out in this document or in the Risk Assessment are substantially changed, the responsible person will organize training for the staff affected. It will record the content and attendance of the training according to the Chapter V.4.

(6) Changes in this document and in the Risk Assessment are approved by the Company's statutory body.

Customer´s data updates

(1) If the procedures set out in this document or in the Risk Assessment are changed, the responsible person shall verify that the information provided by CRP Unio Limited s.r.o. about customers (information obtained during the identification and control of the customer and any other information used to prevent ML-FT), its content and scope correspond to new obligations. If not, the responsible person will oblige the employees to supplement or update this information. The employee shall always do so at the latest before making another trade with the customer.

VI. Internal verification

VI.1. Monitoring and Sanctions

(1) Monitoring of the compliance with rules and procedures stated herein shall be performed by a person responsible. A person responsible may forward a partial monitoring towards an AML officer or other person. All the employees and an AML officer are obliged to undergo such a monitoring. The monitoring is to be performed in place, analysing the data and documents, or applying other ways of monitoring.

(2) The monitoring shall be performed regularly, ideally once a month. A person performing the monitoring selects a control sample, on which he/she checks whether the procedures stated herein and prescribed by legal regulations were adhered to. The ideal situation is when a control sample is in compliance with all the business relationships or services provided within the monitored period, however, this is not possible due to capacity reasons, thus a random selection is sufficient.

Report on internal monitoring performance

(1) A person that performs the internal monitoring shall, when the monitoring is finished, draw up a report. This report sample is shown in the Annex No. 1.

Infringement’s detection

(1) Each person that has found out any infringement shall report this state immediately to a person responsible, also in the case when the infringement was caused by this person.

Evaluation of infringements and further procedure

(1) In the event when a breach of rules and procedures prescribed herein are found out from the monitoring or notification, such a breach shall be assessed individually, in particular upon the level of seriousness and the extent, up to which these could jeopardize the effectiveness of measures applied against the legalization of the proceeds of crime and terrorism financing. A personal responsibility shall be then inferred on employees within the scope of applicable labour legal regulations. A person responsible shall, within the scope of his/her possibilities, simultaneously adopt the measures to prevent a repeated breach (repeated training of the employees, approval of additional measures, etc.).

Advice of consequences of rules infringement

(1) All the persons to which is the present document shall be aware of the fact that any breach (infringement) of the rules and procedures stated herein would most probably result also in a breach of the provisions stated within the AML Act, and therefore the Company may be subject to a sanction or even the withdrawal of business license may be applied.

VI.2. Amendments to Regulations

Monitoring of Amendments to Regulations

(1) Persons responsible, i.e., an AML officers, are obliged to perform permanent monitoring of the development in the field of measures against legalization of proceeds of crime and financing of terrorism (i.e., the Acts, Decrees, Notices, etc.). Relevant regulations are published by the FAU (Financial Analytical Office) on its websites www.financnianalytickyurad.cz, and also on the websites of the Czech National Bank at: CNB Legalization of Proceeds of Crime. The websites shall be understood as information source only, and a person responsible shall be actively involved in this kind of activity.

Implementation of the Present Document Amendments

(1) In the event when the mentioned regulations are amended, or the new regulations come into force, the person responsible, i.e., an AML officer, shall implement such amendments to the present document to ensure the compliance of the present document with these regulations, a AML officer is also obliged to ensure the training of all the persons who shall be familiarized with such amendments.

This Policy is approved by Senior Management of the company.

Effective from May 2024