Introduction

§1. Meaning of the document

(1) This Risk Assessment identifies and assesses risks arising from the legalization of proceeds of crime and financing of terrorism that may potentially occur in the company CRP Unio Limited s.r.o. within the scope of provision of virtual assets services.

(2) This Risk Assessment forms part of the System of Internal Rules, Procedures and Measures for the fulfilment of obligations arising from Act No. 253/2008 Coll., on selected measures against legalization of proceeds of crime and financing of terrorism, as amended. Definitions and abbreviations used throughout this document are explained in the System of Internal Rules.

§2. Explanation of the Purpose of the Risk Assessment

(1) The norm in the fight against ML-FT has been the application of the so-called risk-based approach (abbreviated as RBA in English). The AML Act prescribes the required minimum of obligations that must be fulfilled; however, it does not prescribe their intensity, frequency of fulfilment or degree of detail (e.g., of client check performance). Section 21(a) of the AML Act imposes on CRP Unio Limited s.r.o. the obligation to identify and assess ML-FT risks that arise in association with the provision of services and, based on that, to clearly determine groups of clients, services and distribution channels that represent elevated risk from the ML-FT point of view. For these elevated-risk groups, CRP Unio Limited s.r.o. must increase the intensity, frequency and degree of detail in fulfilling certain obligations. The purpose is to reduce to a minimum the risk of the services being abused for the purposes of ML-FT.

§3. Basic Obligations

(1) In relation to this Risk Assessment and pursuant to the AML Act, CRP Unio Limited s.r.o.
is obligated to fulfil the following obligations:
(a) to prepare and approve this Risk Assessment
(b) to apply measures to reduce the ML-FT risks listed in this Risk Assessment (Chapter II)
(c) to carry out internal supervision and monitoring of compliance with legal regulations (Chapter II.3)
(d) to check employees (Chapter II.4)
(e) to update this Risk Assessment periodically (Chapter II.5)

Starting points

§4. Information Sources

(1) The following sources were used in the process of ML-FT risk identification and assessment:
(a) Sector analyses from the sphere of ML-FT (especially by FATF-GAFI)
(b) National risk assessment processed in compliance with Section 30a of the Act No. 253/2008 Coll., on Certain Measures Against Money Laundering and Terrorism Financing, as amended
(c) European risk assessment processed by the European Commission
(d) Sources considered by the Czech National Bank to be so-called approved standards
(e) Methodological and explanatory materials and resolutions of the Czech National Bank and FAU
(f) Information provided by the FAU and law enforcement authorities
(g) Information obtained during identification and check of clients

Threats and Vulnerability Identification

§5. Threats

CRP Unio Limited s.r.o. has identified and assessed the following threats (i.e., crimes or other unlawful acts that a client may commit):
- High risk: abuse of the virtual assets services as a technique for the legalization of resources originating from criminal activity, especially resources originating from tax fraud, subsidy fraud, corruption activity, breach of trust in the administration of others' property, etc.
- Medium risk: international sanction evasion (i.e., changing the nature of and transferring property of persons subject to international sanctions)
- Medium risk: financing of terrorism
- Low risk: all other threats.

§6. Vulnerabilities

In connection with the above listed threats, CRP Unio Limited s.r.o.
has identified the following vulnerabilities (i.e., "weak spots" that may facilitate a client's abuse of the services for ML-FT):
- Client identification: a person who does not wish to be associated with the virtual assets service is interested in the services and therefore another person (appearing to be the client), who is only the identity provider, acts on his behalf and conceals that he is acting on behalf of another person who does not actually wish to be associated with the virtual assets service.
- Client check: a client provides false, superficial or incomplete information about the source of the financial resources because the client expects that reviewing the source of the financial resources is a very difficult or impossible process and expects the employee to neglect this obligation or fail to perform it appropriately.
- Persons against whom the Czech Republic applies international sanctions (including persons involved in terrorism) are hidden in complex and non-transparent ownership and management structures of legal entities; such a client expects that to uncover the ownership and management structure of the client-legal entity and expects the company to neglect this obligation or to perform it incompletely.

§7. Risk Factors

A risk factor is a characteristic of the client, of the product provided to him/her, or of the way in which it is provided, which increases the risk that services of the company CRP Unio Limited s.r.o. might be misused by the client for the purpose of money laundering or terrorism financing. Depending on the presence or absence of risk factors, the client is assigned a risk profile of the type A, B, C, D or E.

§8. Risk profile - type A

The client is assigned a type A risk profile (client with no risk or with minimal risk) in the absence of known risk factors that would lead to a type B, C, D or E risk profile.
These are therefore clients with no or only very small and negligible risk that they could use the services of the company CRP Unio Limited s.r.o. for ML-FT purposes. This is a risk the company is willing to accept.

§9. Risk Profile - Type B, C or D

The client is assigned a risk profile of the type B, C or D (an increased risk client) if there is no known risk factor for assigning a type E risk profile and at the same time any of the following risk factors appears with the client. A client with a risk profile of the type B, C or D represents for the company CRP Unio Limited s.r.o. a potential risk from the ML-FT perspective, and therefore all the employees, including the AML Officer, must pay close attention to assessing any suspicious character of this client's behaviour, place increased demands on the accuracy of the information provided by the client during the first or ongoing review and, where appropriate, have the disclosed information substantiated by a specific document.

The following risk factors relate to the type B, C or D risk profile; whether a risk profile of type B, C or D is assigned to the client on the basis of the risk factors described here is decided by the employee in accordance with a special document for the client's risk profile assessment, annexed to this Risk Assessment:
- the client uses services that include a transaction to or from a country or territory that is identified as risky from the ML-FT perspective; a list of these countries is given in Annex 5 of the Internal Rules System;
- the client requires a transaction that is unusually complex or large-volume, or involves an unusual way of trading, or the economic and legal purpose of which is not obvious;
- the client or its beneficial owner engages in a business or other activity that is "cash intensive" - that is, an activity that generates large amounts of cash or other valuable commodities of a purely anonymous nature, including virtual currencies (e.g., currency
exchange, trade in precious metals, virtual currency, etc.);
- the client or its beneficial owner carries on business or other activity in the field of gambling, military industry and services, nuclear energy;
- in the course of business, the client or its beneficial owner handles content accessible only to adults, with the exception of products designed for direct consumption, such as cigarettes, alcohol, etc.;
- the client is a non-entrepreneurial legal entity whose activity is not traceable in trustworthy sources and the client has difficulty proving its activity or proves it in such a way that doubts arise;
- a client who has previously been the subject of a suspicious transaction notification;
- a client whose behaviour has previously shown some signs of a suspicious transaction but ultimately has not been classified as a suspicious transaction, although doubts remain;
- the client or its beneficial owner is a PEP, or the client is a person acting in the interest of such a PEP;
- any country of origin (including the registered office or residence) of the client, its beneficial owner or the person authorized to act on behalf of the client is a risk country from the ML-FT perspective; the list of these countries is given in Annex 5 of the System of Internal Rules;
- the country of origin of the person having direct or indirect participation in the client is a risk country from the ML-FT perspective; the list of these countries is given in Annex 5 of the System of Internal Rules;
- the country of origin of a person who is a member of the statutory body of a client, a representative of a legal entity in that body, or is in a position similar to that of a member of a statutory body or otherwise has the possibility to exercise influence over the client, being a legal entity, is a risk country from the ML-FT perspective; the list of these countries is given in Annex 5 of the System of Internal Rules;
- the client is a trust fund;
- the ownership structure of the client is non-transparent;
- the
behaviour of the client or the person representing it is abnormal in or during the establishment of a business relationship compared to a typical client similar to it (e.g., non-standard requirements, unusual ways of transaction performance, requirements for special or complex types of representation, etc.);
- uncertainties arise as to the origin of the client's property or the beneficial owner's property or the funds held by the client or the beneficial owner of the client;
- open trusted sources (e.g., news media) indicate that the client or related persons have been or are involved in criminal or other unfair activities;
- there is a suspicion that the client is not acting in his/her own name, i.e., the property that is the subject of the service actually belongs to someone else and the client is only an intermediary or identity provider;
- the client or a related person (member of the statutory body, the beneficial owner) is linked to another client (factually or legally) whose risk profile is of the type B;
- another fact owing to which, according to the information available to CRP Unio Limited s.r.o., there is an increased risk of money laundering or terrorist financing associated with the client's business activity and its beneficial owner;
- according to the information available to CRP Unio Limited s.r.o., there is an increased risk of money laundering or terrorist financing related to the client's high turnover;
- the payment or other service used by the client, or its nature or the nature of individual transactions, is non-standard for the given type of client;
- any of the factors listed above, if it occurs in a legal entity in which the client has a direct or indirect participation, or over which the client otherwise has the opportunity to exercise influence.

A risk country in this chapter is a country included in a list of countries where measures against money laundering or terrorist financing are not applied at all or are applied insufficiently.
This list is included in Annex 5 to the System of Internal Rules and it is necessary to keep it up to date.

The country of origin is understood in this chapter as:
- for a natural person, any state of which he or she is a national and, at the same time, all other states in which he/she is registered for a residence of more than 1 year or for permanent residence, if known,
- for a legal entity that is a bank or financial institution, the state in which it has its registered office,
- for a legal entity that is not a bank or financial institution, the state in which it has its registered office and simultaneously all the states in which it has a branch.

The non-transparent ownership structure in this chapter means a situation where the beneficial owner or ownership and management structure of the client cannot be established based on:
- a public register, records of trust funds or records of beneficial owners kept by a public authority of the Czech Republic, or
- a similar register or register of another state, or
- any other source or combination of sources that the company reasonably believes to be trustworthy and which it reasonably believes to provide, in its entirety, complete and up-to-date information on the beneficial owner and ownership and management structure of the client, in particular when issued by a public authority or officially legalized.

The ownership structure is not non-transparent if the client is a company whose securities are admitted to trading on a European regulated market or a foreign market similar to a European regulated market, if it is subject to disclosure requirements equivalent to those of European Union law.

§10. Risk profile - type E

The client is assigned an E-type risk profile (unacceptable client) if any of the risk factors listed below are present. A client with a risk profile of the type E represents for CRP Unio Limited s.r.o. a high risk in terms of money laundering and terrorist financing.
If the client is assigned a risk profile of the type E, the client will not be provided with a virtual assets service or a business relationship, or the existing business relationship with the client will be terminated and no other service will be provided. In this situation, the client is considered to no longer meet the client's acceptability criteria. In this case, termination of the business relationship or failure to provide service will be ensured by the AML officer. The AML officer shall take all necessary steps without undue delay to ensure that the business relationship is effectively and legally terminated. In addition, the AML officer will prevent the client from being provided with any new services until the business relationship is terminated. Furthermore, great care must be taken when assessing whether the client's conduct is showing signs of a suspicious transaction.

The following risk factors relate to the type E risk profile:
- there is a reasonable suspicion that the purpose of the business relationship is to provide services to a person other than the client (i.e., the client acts only as an intermediary or identity provider) and the client does not refute the suspicion;
- the client or a person associated with it (a member of the statutory body, beneficial owner, etc.) or another payment recipient (if known) is a person against whom the Czech Republic applies international sanctions;
- information provided by the client about himself/herself and his/her activities is grossly contrary to reality, as found from credible sources, and the client did not justify the discrepancy;
- there is a reasonable suspicion that the client is providing false, misrepresented or incomplete information in the course of the business relationship or that he is submitting false or altered documents;
- the business relationship with this client has been terminated in the past on the initiative of the company CRP Unio Limited s.r.o.
and the client tries to establish it repeatedly;
- the client or a person associated with it (a member of the statutory body, the beneficial owner, etc.) is connected with another client with whom the business relationship was terminated in the past on the initiative of the company CRP Unio Limited s.r.o.;
- for other reasons, the client represents a significant risk to the company in terms of money laundering or terrorism financing;
- any of the factors listed above, if it occurs with a legal entity in which the client has a direct or indirect participation, or over which the client otherwise has the ability to exercise influence.

II. Measures adopted to mitigate threats

II.1 Measures for Client Identification

§11. Expansion of PEP Risk Status

Certain source crimes listed in the threat identification are unique in that PEPs are often involved in them (acts of corruption, subsidy frauds, etc.). Therefore, CRP Unio Limited s.r.o. extends the period following the termination of the performance of the exposed activity for which the PEP is considered a high-risk PEP from 1 year (prescribed by the AML Act) to double the time, i.e., 2 years following the termination of holding the exposed office.

§12. Exclusion of simplified identification and control

If a client has been assigned a risk profile of the type B, C or D, the employee will not use the simplified identification or control of the client. In addition, if a client with a type A risk profile who underwent simplified identification and control has been assigned a type B, C or D risk profile, the employee must perform, before the next deal is executed, full identification and control as if establishing a new business relationship.

§13. Interval of identification data update, update of PEP status and check of international sanctions

The employee will update the identification data, the information on whether or not the client is a PEP, and the information on whether the Czech Republic applies international sanctions against him or his related persons whenever the company CRP Unio Limited s.r.o. gets to know about any change, and at least once in the following time intervals:
- every 12 calendar months for a client with a risk profile of the type A,
- every 9 calendar months for a client with a risk profile of the type B,
- every 6 calendar months for a client with a risk profile of the type C and D.

The update is done by searching for identification and other data in public trusted sources or by asking the client if the identification and other data (PEP flag) are still current. In the case of a client with a risk profile of type B, C or D, written confirmation that the identification data which CRP Unio Limited s.r.o. keeps about the client are still current is not always sufficient for the update.

The employee is obliged to create a record on the verification of international sanctions and on its result, which always corresponds to the requirement of retrospectibility according to chapter V.6 of the System of Internal Rules, i.e., it contains at least the following information:
- date of verification and name of the person who performed the verification (whether performed by a specific employee or automated);
- a list of natural and legal persons that have been checked in the sanction lists;
- information on the sanction lists under which the verification was carried out;
- result of verification (negative or positive finding).

II.2 Measures during Client's Control/Check

§14. Increase of intensity of the first control/check of the client

If the client is assigned a risk profile of the type B, C or D, at the first check of the client before establishing a business relationship:
- the employee must check the source of the client's financial resources from an independent source, as opposed to only relying on the client's oral or written statement (i.e., from bookkeeping records, third party issued documents, audited documents, etc.); the employee shall obtain and keep a copy of such document (a simple photocopy shall suffice) or shall keep the original document; otherwise the employee will not execute the transaction with all the consequences (the client is obliged to comply with such a request and if he refuses it, it is a suspicious transaction that must be reported);
- if the employee is not able to establish the controlling and ownership structure of the client that is a legal entity (up to the beneficial owner) from public trustworthy sources (e.g., extracts from the register of persons), he will require the client not only to declare, but also to demonstrate the control and ownership structure up to the beneficial owner;
- if the client is a legal entity or a natural person doing business, the employee will find out and record a detailed description of all the client's activities and will verify it from publicly available information (existence of appropriate business licenses, officially available service offerings on the website, publicly available client references, etc.), and if this information is not available, the employee will request the client to evidence the activities.

§15. Approval of a business relation and its changes by an AML officer

If the client is assigned a risk profile of the type B, C or D, the establishment of a business relationship must be approved by the AML officer or the Managing Director of the company CRP Unio Limited s.r.o., and a record of the approval must be created.
Similarly, the AML officer or Managing Director of the company CRP Unio Limited s.r.o. must approve all and any substantial changes in the framework contract for the provision of virtual assets services that have been triggered by the client's request (e.g., request to increase limits, a new joint holder, etc.) and create a record of the approval.

§16. Circumstances causing continuous reviewing of trades and intensity of reviews

In the course of the business relationship, the company CRP Unio Limited s.r.o. must continuously review the trades performed, to determine whether they are in compliance with what is known to the company CRP Unio Limited s.r.o. about the client and his/her business and risk profile, and also review the sources of funds used in trades.

Business control of the client is focused on comparing the real business activity of the client to the one that was declared. It is performed based on the amount of funds transferred through the account during a month. During the onboarding process, a monthly limit of funds is set, with a buffer of 50% for each type of risk profile. If the set limit with buffer is not exceeded, the business control is not performed. If the criteria for the mentioned business control are met, it is necessary to ask the client to submit confirmation of income and business activity (in case of using services for business purposes). Once the business control has taken place, new limits should be set for funds.

Furthermore, the following documents will be checked as part of the business control:
- for a client with a risk profile of the type A – of other 3 randomly selected transactions of any volume. The employee may also request additional proof of economic activity in the form of 2 invoices from the suppliers.
- for a client with a risk profile of the type B – of 5 other randomly selected transactions of any volume.
An employee may also request additional proof of economic activity in the form of 2 invoices from the suppliers.
- for a client with a risk profile of the type C – and of 10 other randomly selected transactions of any volume. An employee may also request additional proof of economic activity in the form of 4 invoices from the suppliers and 4 actual contracts.
- for a client with a risk profile of the type D – of 20 transactions exceeding 15 000 EUR and of other 20 randomly selected transactions of any volume. An employee may also request additional proof of economic activity in the form of 4 invoices from the suppliers and 4 actual contracts.

To verify the validity of the documents provided, an employee may also request proof of payment for the documents received.

If a client has been assigned a risk profile of the type D, the client's source of funds must be verified from an independent source, not simply relying on the client's oral or written statement (i.e., accounting documents, third party documents, audited documents, etc.); the employee shall make and keep a copy of such a document (a standard copy is sufficient) or keep the original of the document; otherwise the employee will not execute the transaction with all the consequences (the client is obliged to comply with such a request and if he refuses, it is a suspicious transaction that must be reported).
Furthermore, in case of a client with a risk profile of the type B, C or D, when:
- the client uses services that include payment to or from a country or territory that is identified as risky from the ML-FT perspective; the list of these countries is given in Annex 5 to the System of Internal Rules;
- the client requires a transaction that is unusually complex or large-volume, or involves an unusual way of trading, or the economic and legal purpose of which is not obvious;
- the client or its beneficial owner engages in a business or other activity that is "cash intensive" - that is, an activity that generates large amounts of cash or other valuable commodities of a purely anonymous nature, including virtual currencies (e.g., currency exchange, trade in precious metals, virtual currency, etc.);
- the client or its beneficial owner carries on business or other activity in the field of gambling, military industry and services, nuclear energy;
- in the course of business, the client or its beneficial owner handles content accessible only to adults, with the exception of products designed for direct consumption, such as cigarettes, alcohol, etc.;

the employee will always ask the client for a wider range of the required information (if the employee does not already have it) and will always investigate the background, purpose and method of performing such transactions.

§17. Interval for update of information on purpose and character of business relation

The employee shall update the information on the purpose and nature of the business relationship whenever the company CRP Unio Limited s.r.o. gets to know about a change of purpose and nature, and at least once in the following time intervals:
- every 12 calendar months for a client with a risk profile of the type A
- every 9 calendar months for a client with a risk profile of the type B
- every 6 calendar months for a client with a risk profile of the type C and D

§18. Interval for update of data on ownership and controlling structure of the client and its beneficial owner

If the client is a legal entity, the employee will update the ownership and controlling structure of the client and its beneficial owner whenever the company CRP Unio Limited s.r.o. gets to know about a change, and at least once in the following time intervals:
- every 12 calendar months for a client with a risk profile of the type A
- every 9 calendar months for a client with a risk profile of the type B
- every 6 calendar months for a client with a risk profile of the type C and D

If the employee is unable to identify a change in the controlling and ownership structure (up to the beneficial owner) from publicly credible sources (such as extracts from the register of persons), he will require a client with a risk profile of the type B, C or D not only to disclose, but also to demonstrate the control and ownership structure up to the beneficial owner.

§19. Interval of client's risk profile update

The employee updates the client's risk profile whenever CRP Unio Limited s.r.o. gets to know about the occurrence of a new risk factor or the removal of an original risk factor for the client, and at least once in the following time intervals:
- every 12 calendar months for a client with a risk profile of the type A
- every 9 calendar months for a client with a risk profile of the type B
- every 6 calendar months for a client with a risk profile of the type C and D

II.3 Measures for Internal Supervision and Monitoring of Compliance with Legal Regulations

These measures are determined by the System of Internal Rules, Procedures and Monitoring (Control) Measures. CRP Unio Limited s.r.o. considers them adequate. The organizational structure and scale of business activities of CRP Unio Limited s.r.o. do not, at the moment, allow for the creation of an independent division for the testing of AML measures, strategies and procedures.

II.4 Measures for Employees Screening

§20. Requirements towards Employees

Increased requirements in terms of having no criminal record are placed on employees and contact persons. An executive staff member shall screen employees and contact persons and permit only an employee or contact person who has no record in the Czech Republic Criminal Register to perform the job.

II.5 Obligation to Periodically Update This Document

§21. Updates and frequency

An executive staff member shall ensure that this Risk Assessment is periodically updated at least once in two years. The Risk Assessment shall also be updated especially in case that:
- a notice about the next round of the national risk assessment process in the sphere of ML-FT is approved
- a significant change occurs in the manner services are provided and new services are introduced, or potentially a new client group is targeted
- new threats are discovered, especially following a notice of a suspicious business transaction related to a situation not covered by this Risk Assessment.

This Policy is approved by Senior Management of the company. Effective from May 2024.