INTERNAL POLICIES AND PROCEDURES, AS WELL AS INTERNAL CONTROLS OF THE VIRTUAL CURRENCY SERVICE PROVIDER

TOKENSPOT

Kyrgyz Republic

Publication date: 10th April, 2024 year

 

1. BASIC PROVISIONS

1.1. These guidelines contain internal rules of procedure and internal control rules for the company's compliance with due diligence obligations under the Law of the Kyrgyz Republic on Combating the Financing of Terrorist Activities and Legalization (Laundering) of Criminal Proceeds (hereinafter - the KR OPFTDILPD Law) and International Sanctions Legislation.

1.2. These guidelines are based on the International Sanctions Legislation, the CR OPFTDILPD Act.

1.3. The underlying purpose of these guidelines is to prevent the use of the financial system and economic space of the Kyrgyz Republic (KR) to counter the financing of terrorist activities and money laundering by enhancing the reliability and transparency of the business environment.

1.4. The real job of the guidelines is to evaluate and regulate:

1.4.1. Principles of assessment in managing and mitigating the risks associated with money laundering and terrorist financing;

1.4.2. The procedure for applying due diligence measures to the client, including the procedure for applying simplified and enhanced due diligence measures;

1.4.3. Procedures for collecting, storing and reporting data;

1.4.5. Instructions on how to effectively determine whether a person is a politically exposed person or a local politically exposed person, or a person subject to international sanctions, or a person whose residence or location is in a high-risk third country;

1.4.6. Procedures for identifying and managing risks associated with new and existing technologies, services and products, including new or non-traditional sales channels and new or emerging technologies.

1.4.7. Methodology and instructions when the "obliged" person has suspicions of money laundering and terrorist financing or when an unusual transaction or circumstance is involved, as well as instructions on how to fulfill the reporting obligation and procedures for informing management.

1.5. The provisions of these guidelines apply to all business relationships and transactions related to customers, including transactions made through agents and transfer of business activities to a third party in accordance with the procedure stipulated by the current legislation of the Kyrgyz Republic.

1.6. The management of the legal entity that is the obligated person, the director or general manager of the affiliate that is the obligated person, or, in their absence, the obligated person, shall ensure that employees whose job responsibilities include establishing business relationships or performing transactions shall be provided with training on the fulfillment of duties and obligations arising from the current legislation of the Kyrgyz Republic and recommended norms of international law, and such training shall be provided when the employee starts to fulfill the specified employment duties, and then regularly or as needed. The training shall provide information, in particular, on the duties and obligations stipulated by the regulation, modern methods of money laundering and terrorist financing and related risks, requirements for the protection of personal data, how to recognize actions related to possible money laundering or terrorist financing, and instructions on the necessary actions in such situations shall be provided.

1.7. The present management of the company is obliged to bring these instructions with appendices to the attention of all employees upon employment and thereafter as necessary, but at least once a year.

1.8. All employees and management are required to acknowledge familiarization with this instruction by their handwritten signature.

1.9. All employees and management of the company or company are personally responsible for compliance with the requirements of the applicable laws of the Kyrgyz Republic.

1.10. The management shall regularly check the relevance of the rules of procedure, which will be supplemented and updated as necessary, but at least once a year.

1.11. Employees of the company must be familiarized with and strictly comply with the requirements stipulated by the current legislation of the Kyrgyz Republic, in particular, the instruction on detecting signs of a transaction suspected of money laundering and terrorist financing issued by the Financial Intelligence Unit and this manual.

1.12. Employees of this company must familiarize themselves with changes in applicable laws and other regulations.

1.13. The obliged persons shall cooperate with each other, as well as with state supervisory and law enforcement authorities in the field of combating money laundering, terrorism financing and financing of proliferation of weapons of mass destruction, including reporting available information to them and responding to requests within a reasonable time, complying with the duties, obligations and restrictions arising from the legislation of the Kyrgyz Republic.

 

2. DEFINITIONS.

2.1. "Company/Platform Operator" - Closed Joint Stock Company "TokenSpot" TIN 01701202410289 Registration number 226197-3301-ZAO having the license for the right to carry out activities of virtual asset service provider of the Kyrgyz Republic № 008 series VA dated February 07, 2024.

2.2. "Platform" means Token Spot's digital platform on the Internet https://tokenspot.com, providing services to Users, which is an aggregate of data, software, websites, mobile applications, domain names, including any sub-domains, digital content, intellectual property objects;

2.3. Legalization (laundering) of proceeds of crime - giving a lawful appearance to possession, use or disposal of money orother property obtained as a result of committing a crime;

2.4. Financing of terrorism is the provision or collection of funds or provision of financial services with the knowledge that they are intended to finance the organization, preparation and commission of at least one of the offences provided for in Section 8 of the Criminal Code of the Kyrgyz Republic, or to finance or otherwise materially support a person for the purpose of committing at least one of these offences, or to support an organized group, illegal armed formation or criminal association (criminal organization).

2.5. Transactions with cash or other property shall mean actions of individuals and legal entities with cash or other property, regardless of the form and manner of their realization, aimed at establishment, change or termination of civil rights and obligations related thereto;

2.6. Authorized Body - an executive authority of the Kyrgyz Republic that takes measures to counteract legalization (laundering) of proceeds of crime, financing of terrorism and financing of proliferation of weapons of mass destruction in accordance with the current legislation;

2.7. Mandatory control is a set of measures taken by the authorized body to control transactions with cash or other property on the basis of information submitted to it by organizations conducting such transactions, as well as to verify this information in accordance with the legislation of the Kyrgyz Republic;

2.8. Internal control means the activity of organizations conducting transactions with cash or other property to detect transactions subject to mandatory control and other transactions with cash or other property related to legalization (laundering) of proceeds of crime and terrorism financing;

2.9. Organization of internal control is a set of measures taken by organizations conducting transactions with cash or other property, including the development of internal control rules and target internal control rules for combating legalization (laundering) of proceeds of crime, financing of terrorism and financing of proliferation of weapons of mass destruction (hereinafter referred to as target internal control rules), as well as the appointment of special officials, in accordance with the legislation in force, for the prevention of money laundering, financing of terrorism and financing of proliferation of weapons of mass destruction (hereinafter referred to as target internal control rules).

2.10. The Financial Intelligence Unit is an independent structural unit of the Militia and Border Guard Service, as well as bodies of the Kyrgyz Republic, which supervises and applies coercive measures against persons who have committed an economic illegal act on the basis and in accordance with the procedure established by the current legislation.

2.11. Cash - the currency of a country in some physical representation with a particular individual or legal entity for payments for goods and services purchased.

2.12. Property - a set of things owned by a natural person, legal entity or public-law entity, as well as their property rights to receive things or property satisfaction from other persons, which are of any utility for the owner.

2.13. Obligated person - a person of the company who is involved in the economic and professional activities of the following persons: credit institutions; financial institutions; gambling operators, except for organizers of commercial lotteries; persons mediating transactions related to the acquisition or granting of the right to use immovable property; traders within the meaning of the current legislation of the Kyrgyz Republic, where a cash payment of at least 10,000 euros or an equal amount in another currency is made to or through a trader, regardless of the amount of money paid to or through the trader.

2.14. Business Relationship - means the relationship that is established by entering into a long- term contract with an obligated person to conduct a business or professional activity for the purpose of providing a service or selling or distributing goods.

2.15. Buyer - means a person who has a business relationship with the obligated entity;

2.16. Financial institution - a provider of foreign currency exchange services; a provider of payment services dealing with electronic money, except for a provider of payment initiation services and an account information service provider; an insurance company in terms of providing services related to life insurance, except for services related to mandatory accumulative pension insurance contracts; an insurance broker (hereinafter referred to as insurance broker) insofar as it is engaged in marketing of life insurance and provides other services; a management company; an insurance company in terms of providing services related to life insurance, except for services related to mandatory accumulative pension insurance contracts; an insurance broker (hereinafter referred to as insurance broker) insofar as it is engaged in marketing of life insurance and provides other services. All defined concepts are incorporated and in terms of meaning do not contradict and comply with the current legislation of the Kyrgyz Republic.

2.17. Virtual currency - means value represented in digital form that is digitally transferable, stored or traded and that is accepted as an instrument of payment by natural or legal persons, but that is not legal tender of any country or fund.

2.18. Virtual currency exchange service - means a service by which a person exchanges virtual currency for fiat currency or fiat currency for virtual currency or virtual currency for another virtual currency;

2.19. Virtual currency wallet service -means a service within which keys generated for customers or stored encrypted customer keys that can be used to store, hold and transfer virtual currencies;

2.20. Virtual Currency Service - means the service specified in clauses 2.18 or 2.19.

2.21. International Sanctions - means an essential instrument of foreign policy aimed at supporting, maintaining or restoring peace, international security, democracy and the rule of law, respect for human rights and international law, or achieving other objectives of the Charter of the United Nations or the Common Foreign and Security Policy of the entire world community.

2.22. High risk third country - means a country specified in a delegated act adopted pursuant to Article 9(2) of Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for money laundering or terrorist financing amending Regulation (EU) No 648 /2012 of the European Parliament and of the Council and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141/73, 05.06.2015, pp. 73- 117). These acts of the European Parliament have been adopted and approved, incorporated and are not contrary to the current legislation of the Kyrgyz Republic.

2.23. Compliance Officer CR OPFTDILPD- means an employee appointed by a resolution of the company's management board to act as a financial intelligence officer who regulates and monitors the implementation of measures to prevent money laundering and terrorist financing. If a specific compliance officer is appointed by a decision of the management board, the duties of the compliance officer shall be performed by a member of the management board of the legal entity.

 

3. PRINCIPLES OF REGULATION AND MANAGEMENT OF RISKS

3.1. The obliged person must regularly prepare and update a risk assessment in order to identify, assess and analyze the money laundering and terrorist financing risks associated with its activities.

3.2. The obliged person identifies and identifies risks/threats related to its activities, as well as risks/threats that may arise in the near future, i.e. foreseeable risks/threats, assesses and analyzes their significance and impact. Risks/threats shall be identified and assessed in each specific case at the time of risk assessment and separately consider the situation when the obliged person shall assume the risks to the maximum extent of risk appetite. The obliged person shall identify, assess and analyze at least the following risks.

3.3. Risks related to products, customers, transactions, services, in particular new and/or future products, services, transactions, or operations, risks, related to communications, intermediation or products, services, transactions or delivery channels between the obligated person and customers, including, if the foregoing is new and/or provided in the future, risks relating to particular countries, geographic areas or jurisdictions.

3.4. As a result of risk assessment activities, the obligated person establishes risk factors that may affect the risk, risk appetite, including the scope and volume of products and services provided in the course of business activities, risk management model, including simplified and enhanced due diligence, measures aimed at mitigating the identified risks.

3.5. Risk assessment and determination of the level to risk are documented, if necessary the documents are updated and based on the published results of the national risk assessment. Upon request of the competent supervisory authority, the obliged person shall submit the prepared documents to the supervisory authority in accordance with the current legislation of the Kyrgyz Republic.

3.6. The obligated person undertakes to update and refresh risk assessments and related documents as necessary, but at least annually.

 

4. THE PRINCIPLES OF OPERATION AND STRUCTURE OF THE OBLIGATED PERSON IN THE ORGANIZATION.

4.1. The obligated person's organizational structure should be appropriate to its size, nature, scope and level of complexity of its activities and services, including risk levels and associated risks, and should be structured according to the so-called three lines of defense. The organizational structure of the obliged person is consistent with a full understanding and management of potential risks. The chains of command and subordination of the obliged person should be ensured in such a way that all employees know their place in the organizational structure and are aware of their employment duties and rights, in accordance with the current legislation of the KR.

4.2. The board of the obliged entity is the bearer of obligations in the field of compliance with the requirements on prevention of money laundering and terrorist financing, ensuring that the managers and employees of the obliged entity work in an environment in which they are fully aware of the requirements on prevention of money laundering and terrorist financing and related obligations, guided by the applicable legislation of the Kyrgyz Republic, relevant risk factors are taken into account to an appropriate extent in the decision-making processes on the prevention of money laundering and terrorist financing of terrorism.

4.3. Employees of the obliged entity shall act with the prudence and competence expected of them and in accordance with the requirements of their positions, based on the interests and objectives of the obliged entity, and shall ensure that the financial system and economic space of the Kyrgyz Republic is not used for money laundering and terrorist financing. The obliged entity shall take measures to assess the suitability of employees prior to their employment duties.

4.4. The entire organizational structure of the obligated person for the purpose of risk management is built on the principle of three lines of defense, where each line of defense has a separate task of preventing money laundering and terrorist financing, and Also, each line of defense has a certain independence and sufficient resources to operate effectively.

4.5. The first line of defense has the function of applying due diligence to business, relationships to one-off transactions and applying due diligence in the course of business relationships. The first line of defense includes the structural units and employees of the obligated person whose activities involve risks, who must identify and assess these risks, their characteristics and magnitude, and manage these risks in the course of their normal activities, primarily through the use of due diligence measures. Risks arising from the activities and services provided by the obligated person fall under the first line of defense. They are the managers (owners) of these risks and are responsible for them.The first line of defense must have a good knowledge of the customer and the specifics of its activities and business operations. Thus, the employees of the first line of defense must be aware of and knowledgeable about the specifics of the various activities of the customers and the associated risks if the obliged person has decided to provide services to such customers. The objective is to identify transactions in the customer's activities that are suspicious or unusual or inconsistent with a reasonable economic purpose, or transactions that relate to such circumstances so that they can be referred to the second line of defense for analysis. The first line of defense primarily includes all employees who are authorized to execute transactions on behalf of the obligated person. When explaining the work tasks to an employee, the obligated entity notifies the individual whether he or she is in the first line of defense.

4.6. The second line of defense consists of risk management functions as well as compliance functions. These functions may also be performed by the same person or structural unit depending on the size of the obligated person and the nature, scope and level of complexity of the work and services provided, including the risk appetite and risks associated with the activities of the obligated person. The main task of the compliance function is to ensure that the obligated person complies with applicable laws, guidelines and other documents, and to assess the possible impact of any changes in the legal or regulatory environment on the activities of the obligated person and on the compliance system. Compliance's task is to help the first line of defense as risk owners to identify where risks manifest themselves (e.g., analyzing suspicious and unusual transactions for which compliance officers have the necessary professional skills, personal qualities, etc. and to help the first line of defense effectively manage these risks. A risk management policy is implemented and the risk management framework is monitored by the risk management function. The performer of the risk management function ensures that all risks are identified, assessed, measured, monitored and managed and communicated to the relevant departments of the obligated person. The executor of the risk management function for the purpose of preventing money laundering and terrorist financing primarily supervises risk appetite, supervises risk tolerance, supervises the identification of changes in risks, reviews associated risks and performs other duties related to risk management.

Compliance and risk control officers involved in the prevention of money laundering and terrorist financing must also meet the same requirements as a compliance officer in the Financial Intelligence Unit.

4.7. The third line of defense consists of an independent and effective internal audit function. The internal audit function may be performed by one or more employees and/or a structural unit with a corresponding function. If a structural unit is formed, then the entire unit must comply with the requirements set out below and the head of the structural unit is responsible for the function.

The person performing the internal audit function must have the necessary competence, tools and access to relevant information in all structural units of the obligated person. The person performing the internal audit function shall also be aware of the size of the obligated person and the nature, scope and level of complexity of the activities and services provided, including the risk appetite and risks associated with the activities of the obligated person. The person performing the internal audit function, or his/her immediate supervisor, if it is a structural unit, must have an appropriate professional standard, i.e. appropriate attestation for the performance of his/her duties and, among other things, the necessary education, professional suitability, necessary abilities, personal qualities, knowledge and experience, impeccable professional and business reputation. The person performing the internal audit function should always be informed about risks and trends and familiar with the practices in the field of money laundering and terrorist financing both at a general level and by obliged entity. The internal audit methodology shall be appropriate to the size of the entity requested and the nature, scope and level of complexity of the activities and services provided, including the risk appetite and risks associated with the activities of the obliged entity. This means that the regularity of the audits and the areas assessed must take into account the circumstances specified in this paragraph. Internal audit also proceeds from the risk-based and proportionality-based principles.
The internal audit function may be outsourced to a third party. The obligated entity shall continuously assess the justification for outsourcing the internal audit function and the effectiveness of the internal audit function.
The decision to conduct an internal audit shall be made by a resolution of the management board of the obligated person. The Company's Management Board shall regularly assess the need for internal audit.

 

5. THE DIRECTION OF THE BOARD'S ACTIVITIES.

5.1. The board of the obliged person should act with the prudence and competence expected of it and in accordance with established requirements, taking into account the interests of the obliged person and its customers, and ensure that the financial system and economic space of the Kyrgyz Republic is not used for the purpose of money laundering and terrorist financing.

5.2. The obligated person's management board determines the risk appetite of the obligated person. For this purpose, the obligated person's management board shall, among other things, ensure that risk appetite and risk assessment documents are prepared and regularly reviewed and updated, and shall ensure that risk management measures are in place to assess compliance with the risk appetite document and identify related risk changes within a reasonable period of time. The management board of the obligated person or the responsible person(s) appointed at the management board level shall take immediate action when a deviation occurs and shall modify accordingly organizational decision and, if necessary, suspend the provision of services in the relevant part. in whole or in part until the organizational decision is changed.

5.3. An organization's board should establish and regularly review policies and procedures related to the acceptance, management, monitoring, and mitigation of money laundering and terrorist financing risks that cover both existing and potential risks. The board of the organization must also continuously identify and assess all money laundering and terrorist financing risks arising from its activities and ensure that their size is monitored and verified, thereby also ensuring that adequate staff and other compensation mechanisms are in place to manage the risks. To this end, the board of the required organization shall take the following measures:

5.3.1. Measures for ongoing awareness of the risks and threats faced by the obligated entity in the course of its business activities. To this end, the board of the obligated entity receives regular reviews of the organization's associated risks and resilience and is self-trained to review new trends in money laundering and terrorist financing, updated legislation or international practices or financial inspection and monitoring guidelines and other documents;

5.3.2. Takes steps to establish rules of procedure for compliance with internal regulations, instructions and legislation directly related to it, and ensures that employees directly involved in meeting the requirements of this document act in an environment where they are fully familiar with the requirements, instructions, regulations and this document.

5.3.3. Takes measures to establish organizational solutions (including those with appropriate IT capacity) and includes sufficient human resources to ensure its compliance with the maximum acceptable risk appetite and its ability to confront and mitigate the risks and threats associated with this maximum risk appetite. The obligated entity may decide to conduct tests to determine the compensation mechanisms to be used to cover the maximum risk appetite. If the management board of the obligated person is not prepared to find an organizational solution that corresponds to the size of the permitted maximum risk appetite and the associated risks and threats, the management board of the obligated entity shall adopt an organizational solution and include sufficient human resources that always correspond to the size of the accepted risks. In such a case, the board of the obligated entity shall also create a solution that assesses the magnitude of the associated risks at short intervals and assesses the adequacy of the organizational solution to the accepted risks, and in the event of a conflict shall immediately react by replenishing the relevant organization and deciding, if necessary, not to take any additional risks or to reduce the existing risks until an appropriate solution is found;

5.3.4. Assures that their designated person or persons ensure or ensure compliance with due diligence measures in accordance with the provisions of the legislation and the recommendations contained in these guidelines and ensure that the measures implemented are appropriate, consistent with the service provider's business profile and appropriate to the client, the nature, size and the volume of the transaction, as well as the associated risks of money laundering or terrorist financing.

 

6. COMPLIANCE- OFFICER

6.1. If the obligated person has more than one member of the management board, the obligated person shall appoint a member of the management board who is responsible for the implementation of measures in the field of combating money laundering and terrorist financing and compliance with the legislation of the Kyrgyz Republic and the guidelines adopted on their basis.

6.2. An obliged person that is not a credit institution or a financial institution may appoint a compliance officer to fulfill the duties and obligations to prevent money laundering and terrorist financing. If a compliance officer is appointed, the duties of the compliance officer shall be performed by management.

6.3. The duties of a compliance officer may be performed by an employee or a structural unit. If a structural unit performs the duties of a compliance officer, the head of the relevant structural unit is responsible for the fulfillment of these obligations. The Financial Intelligence Unit and the competent supervisory authority of the CD are informed about the appointment of the compliance officer.

6.4. A compliance officer may only be appointed as a person who possesses the appropriate education, professional aptitude, abilities, personal qualities, experience and impeccable reputation necessary to fulfill the duties of a compliance officer. The appointment of a compliance officer shall be coordinated with the financial intelligence unit.

6.5. Compliance Officer Responsibilities:

6.5.1. Organizing the collection and analysis of information on unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing manifested in the course of the obliged person's activities; reporting to the financial intelligence unit in case of suspected money laundering or terrorist financing; periodically submitting written statements on compliance with the requirements arising from this Law to the board of the credit or financial institution; performing other duties and responsibilities related to the requirements of this Law; and performing other duties and responsibilities related to the requirements of this Law.

6.6. Compliance Officer's Rights:

6.6.1. To submit proposals to the Management Board of a credit or financial institution on amendments and additions to the regulations containing requirements for prevention of money laundering and terrorism financing and organization of training provided for by the current legislation of the Kyrgyz Republic.

6.6.2. Obtain data and information necessary to fulfill the goals, objectives, and responsibilities of the Compliance Officer.

6.6.3. To make proposals on the organization of the process of filing notifications on suspicious and unusual transactions, to demand from the structural subdivision of the obliged person to eliminate within a reasonable period of time the shortcomings revealed during the execution of the notification on suspicious and unusual transactions requirements to prevent m o n e y laundering, money laundering, money laundering and terrorist financing;

6.7. Each employee of the company is obliged to inform the Compliance Officer about all cases of refusal to establish business relations on the basis of the KR legislation, suspicious or unusual transactions, cases of termination of a long-term contract on an emergency basis and other circumstances that may affect the fulfillment of the obligation of the obliged organization in accordance with the applicable KR legislation.

6.8. If, in the course of economic or professional activities or official business, an employee identifies activities whose characteristics indicate money laundering or terrorist financing, or which the employee suspects or knows are related to money laundering or terrorist financing, he or she shall immediately report them to the compliance officer. In identifying suspicious transactions, the officer relies on, among other things, the Financial Intelligence Unit's guidance on suspected money laundering and the Financial Intelligence Unit's guidance on suspected terrorist financing transactions.

 

7. DUE DILIGENCE MEASURES

7.1. Customer due diligence measures applied:

7.1.1. Measures to identify the customer or person involved in a one-off transaction and verify the information provided against information obtained from a reliable and independent source, including the use of electronic identification tools and trust services for electronic transactions;

7.1.2. Measures to identify and verify a customer representative or person involved in a one-off transaction and their rights of representation;

7.1.3. Measures to identify the beneficial owner and, for the purpose of verifying his or her identity, taking measures to the extent that it enables the obligated person to ensure that it knows who the beneficial owner is and understands the ownership and control structure of the customer or person involved in a one-off transaction;

7.1.4. Measures to understand a business relationship or incidental transaction or action and, if necessary, gather additional information about it;

7.1.5. Measures to collect information on whether a person is a politically exposed person, a member of their family, or a person known to be a close associate;

7.1.6. Measures to monitor business relationships.

7.2. The obliged person has properly applied due diligence if the obliged person has an internal conviction that it has fulfilled the obligation to apply due diligence. The principle of reasonableness is met when considering internal conviction. This means that the obligated entity must, after applying due diligence measures, obtain knowledge, understanding and confirmation that they have gathered sufficient information about the customer, the customer's activities, the purpose of the business relationship and the transactions carried out within the scope of the business relationship, the origin of funds, etc. so that they understand the customer and its (business) activities, thereby taking into account the level of risk of the customer, the risk associated with the business relationships, and the nature of those relationships. This level of approval should allow for the identification of complex and unusual transactions and patterns of transactions that have no reasonable or demonstrable economic reason or legitimate purpose, or that are not characteristic of the particular characteristics of the business under review.

7.3. In applying clause 7.1.4, the obligated entity shall understand the purpose of the business relationship or one-off transaction to determine, among other things, the fixed place of business or residence of the customer or person involved in the one-off transaction, their professional or commercial field, important transaction partners, payment(s) practice.

7.4. Upon the request of the obligated person, the person or client involved in a transaction in the course of business or professional activities shall be obliged to submit documents and provide information required for the purposes of applying due diligence measures provided for in subparagraphs "1-5" of clause 7.1. of this clause. The person or client involved in a transaction carried out in the course of business or professional activities shall, upon request of the requested person, confirm by their signature the authenticity of the information and documents submitted for the application of due diligence measures.

7.5. Due diligence measures stipulated in subparagraphs "1-5" of paragraph 7.1. Shall be applied prior to establishing a business relationship or, if not in a business relationship, prior to the transaction.

7.6. Due diligence measures shall be applied by the obliged person:

7.6.1. Measures in establishing business relationships and ongoing monitoring of business relationships;

7.6.2. Measures when performing or brokering individual transactions outside business relationships, when the value of the transaction exceeds EUR 15,000 or an equivalent amount in another currency, regardless of whether the financial obligation under the transaction is fulfilled in a single lump sum or in several linked payments over a period of up to one year, unless otherwise established by the legislation of the KR. Thus, due diligence measures should be applied as soon as the excess amount becomes known or, if the excess amount depends on the execution of several linked payments, as soon as the amount is exceeded; when verifying the information obtained when applying due diligence measures, or when doubts arise as to the sufficiency or reliability of previously collected documents or data when updating the relevant data;

7.6.3. Upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or thresholds provided for by the KR legislation.

7.7. If necessary, the obligated entity will reapply due diligence measures to existing customers if it finds that due diligence measures have not been adequately applied to existing customers to meet the requirements set out in these guidelines. In assessing the need to apply due diligence, the obligated person will also consider the significance and risk profile of the customer and the time elapsed since the previous application of due diligence measures or the extent of their application.

Responsibility for the application of due diligence measures is imposed on an employee of the obligated person who performs a transaction on behalf of the obligated person. In all other cases, due diligence measures of the obligated person shall be imposed on the highest governing body of the obligated person.

 

8. SIMPLIFIED VERIFICATION MEASURES

8.1. An obliged person may apply simplified due diligence measures if it has determined, in accordance with a risk assessment prepared by the obliged person, that in the case of economic or professional activities, areas or factors, the risk of money laundering or terrorist financing is lower than usual.

8.2. Before applying simplified due diligence measures to a customer, the obligated entity determines that the business relationship, transaction or action has a lower risk.

8.3. The application of simplified due diligence measures is permitted to the extent that the obliged entity provides sufficient control over transactions, actions and business relations to enable identification of unusual transactions and to allow notification of suspicious transactions in accordance with the procedure established by the current legislation of the KR.

8.4. In a simplified due diligence exercise, the identity of the customer or the customer's representative may be verified on the basis of information obtained from a reliable and independent source, also at the time the business relationship is established, provided that this is necessary in order not to disrupt the normal course of business. In such a case, the identity verification shall be carried out as soon as possible and before taking mandatory measures. In a simplified implementation, the obliged entity may choose the scope of the duty and the need to verify information and data with the help of a reliable and independent source.

8.5. Due diligence measures may be applied in a simplified manner, provided that a lower risk factor is established and at least the following criteria are met:

• the long-term contract is entered into with the customer in written, electronic or reproducible form;
• payments accrue to the obliged entity in the business relationship only through an account opened with a credit institution or branch of a foreign credit institution, or with a credit institution established or domiciled in a contracting state of the European Economic Area or in a country that applies requirements equal to those of International Law.
• the total amount of incoming and outgoing payments for transactions made under the business relationship does not exceed €15,000 per year.

8.6. Simplified due diligence measures for business relationships and one-off transactions include, among others;

• Verifying the identity of the customer or the customer's representative on the basis of information obtained from a reliable and independent source, also during the establishment of the business relationship, provided that this is necessary in order not to disrupt the normal course of business.
• Obtaining information from the client when verifying the beneficial owner rather than from an independent source.
• Adjusting the frequency of updating and reviewing the due diligence measures applied to the customer in the business relationship, for example, doing so only when a particular trigger event occurs (but this may not remove the duty to update or monitor data);
• Setting the frequency and intensity of transaction monitoring, tracking transactions that have exceeded a certain threshold (the threshold should be set at a reasonable level, and identification of related transactions should be ensured).

8.7. The obliged person shall document and, if requested by the supervisory authority, demonstrate why, with respect to what and what simplified due diligence measures were applied by the obliged person to the buyer when establishing the business relationship or with respect to transactions in the course of business.

 

9. MEASURES OF IMPROVED VERIFICATION.

9.1. The obliged person shall apply enhanced due diligence measures to adequately manage and mitigate the higher-common risk of money laundering and terrorist financing.

9.2. Enhanced due diligence measures are always applied, in cases:

• when identifying a person or verifying the information provided, doubts arise as to the truthfulness and correctness of the submitted data, authenticity of documents or identification of the beneficial owner;
  -when a person involved in a transaction or professional act performed in a business or professional activity, a person using a professional service, or a customer is a politically exposed person, except for a local politically exposed person, a member of their family, or a close associate;
  -when the customer involved in an economic or professional transaction is located in a high-risk third country, or his residence or location, or the location of the recipient's payment service provider is located in a high-risk third country;
• Where the customer or the person involved in the transaction is from such a country or territory, or their residence or place of business, or the location of the recipient's payment service provider is in a country or territory that, according to credible, trusted sources such as mutual evaluation, reports or published subsequent reports, does not have in place effective systems to combat money laundering, money laundering, terrorist financing that are consistent with the recommendations of the Financial Action Task Force or that are considered to be a terrorist organization.
• complex, high-common risk occurs, an unusual value or unusual transaction or pattern of transactions that has no reasonable or demonstrable economic or legitimate purpose or is not typical of a particular line of business.

9.3. The subject entity shall apply enhanced due diligence measures also when the risk assessment prepared by the subject entity establishes that, in the case of economic or professional activities, the area of risk factors for money laundering or terrorist financing is higher than usual.

9.4. Enhanced due diligence measures in monitoring business relationships include, but are not limited to:

• identification of all beneficial owners of the company, including those whose share is less than 25%;
• Conducting an independent customer assessment and, where appropriate, obtaining senior management approval for new and existing customers based on risk sensitivity;
• Identifying the reasons and circumstances why the customer utilizes complex ownership structures and/or has incorporated a company in a particular country;
• obtaining information on the source and/or origin of the client's funds and their beneficial owner;
• effective control of business relationships by increasing the quantity and quality of verification activities;
• collection of additional information and documents related to the actual execution of transactions in order to exclude sham transactions.

9.5. The obliged person shall document and, at the request of the supervisory authority, demonstrate and provide, within the terms and in accordance with the procedure stipulated by the current legislation of the Kyrgyz Republic, why and in relation to what and what enhanced due diligence measures were applied by the obliged person to the buyer when establishing business relations or in relation to transactions in the course of economic activity.

 

10. OPTIONAL MEASURES VERIFICATION.

10.1. An obliged person shall apply additional due diligence measures to manage and mitigate an identified higher than normal risk of money laundering and terrorist financing by selecting, at its discretion, one or more of the following due diligence measures:

• verification of information additionally provided when identifying a natural person on the basis of additional documents, data or information obtained from a credible and independent source;
• systematizing and collecting additional information about the purpose and nature of the business relationship, transaction or operation and verifying the information provided on the basis of additional documents, data or information from a reliable and independent source;
• collection of additional information and documents on the actual execution of transactions made within the framework of business relations in order to exclude sham transactions;
• collection of additional information and documents in order to establish the source and origin of funds used in a transaction entered into within the framework of a business relationship in order to exclude sham transactions;
• making the first payment related to the transaction through an account opened in the name of the person or customer involved in the transaction with a credit institution registered or domiciled in a contracting state or in a country with requirements equal to those of international law.
• application of due diligence measures with respect to a person or his/her representative when in the same place as the person or his/her representative.

10.1 When applying enhanced due diligence, the obliged person shall apply monitoring of the business relationship more frequently than usual, including reassessing the customer's risk profile no later than six months after the establishment of the business relationship.

10.3 The obligated person shall document and, upon request of the supervisory authority, demonstrate why and what additional due diligence measures the obligated entity has applied to the buyer in establishing the business relationship or in relation to transactions arising in the course of the business relationship.

 

11. IDENTIFICATION: BASIC PRINCIPLES

11.1. If due diligence is not necessary, the obligated entity should obtain at least the following information from the customer:

• customer's name;
• in case of a natural person - his/her personal code, if it is absent, place and date of birth, place of residence or location;
• in case of a legal person and legal entity - the name of its director and information confirming his/her right of representation, registration code or other relevant registration number and the date of registration of the person;
• purpose of the transaction.

11.2. The obliged person shall ensure the reliability of the information provided for in clause 11.1.

11.3. Transactions or business relations with a person who has not disclosed the information provided for in clause 11.1 are prohibited.

11.4. The customer confirms the correctness of the information provided with his/her handwritten signature.

11.5. Simplified identification measures are applied for identification of a natural person permanently residing in the territory of the Kyrgyz Republic.

11.6. Before entering into a client relationship with a politically exposed person, a family member of a politically exposed person, or a person known to be a close associate of a politically exposed person, an employee must obtain authorization from management, which decides on the purposefulness of the client relationship and provides guidance on monitoring further client relationships.

11.7. Before entering into a client relationship with a legal entity of which a politically exposed person is a beneficial owner, a family member of the politically exposed person of a politically exposed person or a person known to be a close associate of a politically exposed person in a contracting state of the European Economic Area or in a third country, the employee must obtain authorization from management, which decides whether it is appropriate to establish a customer relationship and provides guidance on monitoring further customer relationships.

11.8. Before entering into a client relationship with a legal entity, if there is a suspicion that its activities, persons authorized to represent it, or its beneficial owners may be related to money laundering or terrorist financing, the employee must obtain authorization from management, which decides on the appropriateness of establishing a client relationship and provides guidance on monitoring further client relationships.

11.9. If, in identifying a person, there is a reasonable suspicion that he or she is not acting for his or her own account or for his or her own account, the employee must identify the person on whose account or behalf he or she is acting.

11.10. If it is impossible to identify the person on whose behalf or account another person is acting, the employee is prohibited from entering into a transaction with that person. The employee shall also be obliged to inform the financial intelligence unit of the person's declaration of intention to enter into a transaction or of a transaction that has already taken place.

11.11. When using the service provided for the first time or establishing a business relationship, it is recommended that you identify the person by being in the same place as them.

11.12. If the employee has suspicions about the identification of the client, the employee is obliged to request for identification an additional photo document to verify the correctness of identification.

11.13. When a document is suspected to be a forgery, it is strongly recommended:

keep the document, call the police and give them the suspicious document. If possible, enlist the help of a security officer or other citizens.

11.14. An officer of the company determines the purpose and nature of the transaction and business relationship.

11.15. An employee is prohibited from entering into a transaction or contract with a person who refuses to provide the information required by the previous paragraph, or with a person who the employee suspects is acting as a front man; when the customer fails to provide the necessary documents and relevant information or when the employee suspects, based on the documents provided, that there may be a case of money laundering or terrorist financing.

11.16. Information about the events stipulated in paragraph 10.3 of this Regulation shall be immediately reported to the compliance officer of the financial intelligence unit (company board) and as much information about the client as possible shall be recorded, which will later help to identify the client.

11.17. A company employee is required to apply these rules of procedure every time until incidental transactions or a business relationship is established with a customer.

 

12. VERIFICATION OF INFORMATION OBTAINED IN THE COURSE OF IDENTIFICATION OF AN INDIVIDUAL.

12.1. Verification of information obtained during the identification of an individual means using data from a reliable and independent source to confirm the reliability and correctness of data directly related to the person. This means that the purpose of information verification is to obtain assurance that the person who wishes to establish a business relationship or enter into a casual transaction is the person he or she claims to be.

12.2. The accredited organization and financial institution shall identify the person and verify the data using Information Technology (hereinafter referred to as IT), which means that the business relationship is established with an electronic resident or a person from a state that is NOT part of the European Economic Area or whose residence or place of business is in such a country, or with a person from a contracting state of the European Economic Area or whose residence or place of business is in such a country and whose total amount of the business relationship is established with an electronic resident or a person from a contracting state of the European Economic Area or whose residence or place of business is in such a country and whose total amount of the business relationship is established with an electronic resident or a person from a contracting state of the European Economic Area or whose residence or place of business is in such a country.

12.3. The information obtained in identification should be verified against information obtained from a reliable and independent source.

12.4. Personal identification or credentialing using an IT device is considered to be a reliable and independent verification of the information obtained during the identification process, since a valid identity document issued by an independent public authority is visible.

12.4.1. Personal identification means that the customer or his representative and the representative of the required organization are in the same place within a specific meeting. It means that the potential customer or their representative has direct contact with representatives of the obliged person, during which the obliged person verifies with a reliable and independent source by comparing the biometric data of the person (facial image) with the image of the person on the document specified in paragraph 14.3. Direct contact requires direct communication between the representative of the obliged person and the customer or their representative to assess the consistency of the content of their statements of intent and purpose with the actual intent. The experience of obtaining information through direct contact enables the customer's risk level to be detected and more accurately determined. Contact may take place outside the obligated entity's fixed place of business if at least the same due diligence obligations are met as in normal, routine cases.

12.5. In situations not specified in clause 12.4, a reliable and independent source of information is a background check that originates from two different sources, where, if the customer's money laundering and terrorist financing risk and the level of the business relationship is medium or

higher than usual, the customer sends a photograph of the person for a particular financial service immediately prior to sending the data, and the obligated person verifies that the photograph was taken recently and meets the following characteristics, i.e., the information is reliable and independently sourced:

• what, where, by whom, when the document was issued (identity documents) or received from a third person or place that has no interest in or relationship to the customer or obligated person;
• neutral information (e.g., information obtained from the Internet is not such information because it often comes from the customer himself or its reliability and independence cannot be verified);
• reliable and independent information can be determined without objective obstacles, and reliability and independence are also understandable to a third party not involved in the business relationship;
• data included in or obtained through which are current and the obligated entity can obtain confirmation of this (confirmation in certain cases may also be obtained on the basis of the two above-mentioned paragraphs).

12.6. Regardless of the selected reliable and independent source, the obliged person must ensure that the identity document is valid, current and complies with the requirements stipulated by the KR legislation on identity documents and that the person resembles the person depicted in the photograph of the document in terms of appearance and age and the data included in the document.

12.7. The obliged person is ready, if necessary, to explain and explain the choice of identification measure and supervisory measure to the supervisory authority authorized for such activities in accordance with the applicable legislation of the Kyrgyz Republic, including demonstrating why the source is reliable and independent, what two different sources represent (if two sources are used) and justify why one or another chosen measure corresponds to the required risk profile and risk level of the client and the business relationship with the client.

 

13. IDENTIFICATION OF IDENTITY THROUGH THE USE OF INFORMATION TECHNOLOGY.

13.1. When using information technologies for means of identification of a person and verification of the identity of a person who wants to establish business relations or conclude a casual transaction, guided by the current legislation of the Kyrgyz Republic it is necessary to use the following:

• a document issued on the basis of the current legislation of the Kyrgyz Republic in the field of documents, identity documents, for digital identification of a person or other electronic identification system with a high level of guarantee is used for identification of a person and data verification by means of information technologies;
• an information technology tool with a working camera, microphone and the necessary hardware and software for digital identification, as well as an Internet connection with adequate speed.

13.2. The tools stipulated in clause 13.1. shall comply with the following requirements:

13.2.1. the information system should provide digital identification of a person and digital signature;

13.2.2. the obliged person must check the quality of the customer's own and, if possible, the customer's information flow and ensure that the transmission is clear, recordable and reproducible, with guaranteed synchronization of sound and image, sufficient for an unambiguous and reliable understanding of the transmitted content;

13.2.3. The information stream containing image and sound is transmitted in real time;

13.2.4. the information stream containing image and sound shall be recorded with a time stamp, the IP address of the client, the personal code of the identified person, if there is a personal code, the date, place and country of residence, while the time stamp shall be linked to the data concerning it, so that it is possible to identify any subsequent changes to the data, the person who made the changes, as well as the time, manner and reason for making them;

13.2.5. When identifying a person and verifying identity data by IT means, a person's head and shoulders shall be visible and framed. The face shall be clear of shadows and uncovered, clearly stand out against the background and other objects and be recognizable.

13.2.6. the person must be able to change body position and place themselves and the document in a frame to allow for facial identification and verification of identity, including viewing data or images in the document.

13.3. The obliged person shall have the right to request a change of body position and removal of objects covering the head or face and glasses, or fulfill any other instructions of the obliged person given to ensure the identification of the person and to verify the person's identity and obtain the necessary data.

13.4. The obliged person shall be obliged to publish information on technical conditions of identification of identity and identity verification by means of information technologies on its website or in the specified information system. The published information shall present at least the following facts:

13.4.1. Reference to applicable statutory provisions of the CD or International Law;

13.4.2. Information that identification of a person and verification of identity by means of information technologies are carried out in accordance with the proper procedure provided for by the legislation of the Kyrgyz Republic and international legislation.

13.4.3. A warning that identification of a person and verification of identity does not obligate the service provider to establish a business relationship or guarantee the availability of services;

13.4.4. Conditions under which identification of a person and verification of identity by means of information technologies are recognized as failed.

13.5. Before identifying a person and verifying his/her identity by IT means, the obliged person is obliged to notify the person of the provisions set out in paragraph 13.4. and to obtain confirmation that the person has received the notification. Additionally, the person to be identified shall be obliged to agree to the conditions of identification and verification of the person's identity by confirming the following;

• the person carries out the procedure in person, except when the participation of third parties is necessary to resolve technical issues;
• the information provided by him/her during the interview referred to in paragraph 13.14 is correct and complete and he/she is aware of the consequences of providing incorrect, misleading or incomplete information when establishing a business relationship;
• he or she meets the conditions set by the service provider for establishing a business relationship and entering into transactions on an ad hoc basis

13.6. In addition to the obligations set out in paragraph 13.5, a natural person or legal representative of a legal entity using a digital resident ID card or other highly secure electronic identification system shall also be obliged to:

13.6.1. Agree with the application of the legislation of the KR;

13.6.2. Show to the obliged person in front of the camera the personal data page of a valid travel document issued in a foreign country.

13.7. Identification of a person and verification of identity by means of information technology tools in establishing a business relationship shall be deemed to have failed if:

• a natural person or legal representative of a legal entity has intentionally submitted data that do not correspond to the identification data entered in the database of identity documents or do not match the information or data obtained through other procedures;
• the session expires or is interrupted during the identification of a person, identification questionnaire or interview, or the information stream transmitting synchronized sound and image does not meet the requirements set forth in clause 13.2. The session is terminated if a natural person or legal representative of a legal entity has not performed any actions in the information system of the service provider within 15 minutes;
• a natural person or legal representative of a legal entity has not given the confirmations provided for in Articles 13.4 and 13.5;
• natural person or legal representative of a legal entity refuses to comply with the instructions of the obligated person specified in Section 13.3;
• a natural person or legal representative of a legal person uses the assistance of another person without the authorization of the obliged person;
• circumstances exist that give rise to suspicion of money laundering or terrorist financing.

13.8. When the circumstances under paragraphs 13.7 occur, the obliged person shall give notice thereof to the financial intelligence unit.

13.9. Identification of a person and verification of identity through IT tools takes place in the form of passing/completing an identification questionnaire or an interview. On the basis of the collected data, the obliged person prepares a customer profile of the person to be identified and a risk profile as part of it. The client profile and risk profile shall be prepared by the obliged person in a form reproducible in writing.

13.10. Execution of the identification procedure and verification of the identity data and the identity questionnaire shall be carried out by an employee of the authorized body of the obliged person's partner or by the automated system. The obliged person is obliged to take measures to prevent the risks of manipulation of the automated system.

13.11. The Customer Identification Questionnaire serves to establish the following data: Individual:

• last name, first name, middle name;
• residential address;
• Profile of activities;
• field of endeavor;
• the purpose and nature of establishing a business relationship;
• man's connection to the CR;
• expected volume of services;
• whether the person is a politically exposed person;
• other information.
  Legal Entity:
• name of the legal entity;
• registration code;
• legal and actual address;
• availability of branches;
• legal form;
• legal capacity;
• beneficiaries;
• affiliation of the beneficiaries to a group of politically exposed persons;
• belonging to the ROC and links to third countries;
• profile of activity and main directions of the legal entity;
• the purpose and nature of establishing a business relationship;
• other important information.

13.12 An officer of the obliged person should evaluate the answers given in the identifier questionnaire and record his or her opinion and the circumstances underlying it.

13.13. The obligated person may refuse to fill out a separate identification questionnaire if the information specified in paragraphs 13.1. and

13.11. and the requirements specified in Section 13.12. are met.

13.14. In order to collect and verify the information and data necessary to determine the client profile, an employee of the obligated person conducts an interview, during which the employee asks partially structured questions based on the results of the survey. identity card questionnaire. If the interview is conducted by means of a questionnaire, at least the data specified in paragraph

13.11 must be obtained together with the questions.

13.15. An employee of the obligated entity shall conduct the interview required to establish the business relationship in real time. An employee of the obliged entity shall assess the customer's response during the interview, the reliability of the information and data obtained and the consistency of the information and data obtained with other procedures, and record his or her opinion and the circumstances underlying it in the customer profile and risk profile.

13.16. Information obtained through questionnaires and interviews should be verified and stored in accordance with the requirements established for the application of due diligence measures and the procedures established in the rules of procedure related to data recording, verification and storage.

 

14. IDENTIFICATION OF A NATURAL PERSON AND HIS/HER REPRESENTATIVE.

14.1. The obligated person shall identify the customer and, if necessary, his representative and shall store the following data about the person and, if necessary, his representative:

14.1.1. first and last name;

14.1.2. personal identification number or, in its absence, date and place of birth and residence or location;

14.1.3. Information on the identification and verification of the right of representation and its scope and the name of the document serving as the basis for the right of representation, the date of issue and the name of the issuing authority.

14.2. The employee shall make a copy from the personal data and photo page of the identification document for retention, and the copy shall be accompanied by the signature of the person who made the copy, indicating the current date. If the identified person has a valid document as specified in Section 14.4 or an equivalent document, the person is identified and the person's identity is verified against the document or using electronic identification and trust services for electronic transactions, and the validity of the document can be identified using electronic identification and trust services for electronic transactions, no additional information about the document need be retained.

14.3. As a basis for identification of a physical person, the following valid identity documents provided for by the current legislation of the Kyrgyz Republic may be used, which are:

• Passport of a citizen of the Kyrgyz Republic;
• Border passport of a citizen of the Kyrgyz Republic;
• Temporary identity card of a citizen of the Kyrgyz Republic, issued for the period of registration of a passport of a citizen of the Kyrgyz Republic; -Birth certificate of a citizen of the Kyrgyz Republic;
• Another document certifying the identity of a citizen of the KR in accordance with the legislation of the KR;
• Passport of a foreign citizen or other document established by law or recognized in accordance with an international treaty of the Kyrgyz Republic as a document certifying the identity of a foreign citizen;
• A document issued by a foreign state and recognized in accordance with an international treaty of the Kyrgyz Republic as a document certifying the identity of a stateless person;
• Another document recognized as a document certifying the identity of a stateless person in accordance with the legislation of the KR;
• Refugee ID;
• Certificate of an internally displaced person;
• Certificate on granting temporary asylum in the territory of the Kyrgyz Republic;

14.4. If the original document referred to in Section 14.4 is not available, identity may be verified on the basis of a document referred to in Section 14.4. that has been authenticated before a notary public or notarized or formally certified, or on the basis of other information coming from a trusted and independent source, including electronic identification means and trusted services for electronic transactions, thereby using at least two different sources for data verification in such a case.

14.5. The obligated entity shall verify the accuracy of the data referred to in paragraph14.1, subparagraphs 1 to 3, using information obtained from a reliable and independent source for this purpose.

14.6. During the verification of data from a reliable and independent source obtained during the identification of the individual and the representative, in accordance with clause 12.5.

14.6.1. One of the sources is always:

14.6.1.2. an identity document with the photo specified in clause 14.4. or a color and legible copy/image of this document, or

14.6.1.2. Data on a photograph of a person on the same document obtained from reliable and independent sources or the

14.6.1.3. Information (at least name and personal identification code or date and place of birth if no personal identification code is available) obtained through strong authentication carried out with a digital identity identification tool, if the money laundering and terrorist financing risk associated with the customer and business relationship is lower than normal, and an audit trail confirming that this has been done.

14.6.2. The following information from a reliable and independent source can act as a second source:

• other document from clause 14.6.1;
• information obtained (at least name and personal identification code, or date and place of birth if no personal identification code is available) in the course of a strong authentication conducted through a digital means of personal identification and an audit trail confirming that this has been done;
• verification of data directly linked to the individual through the Census Register or a similar register, provided that the source is a reliable and independent source within the meaning of paragraph 12.5 of these guidelines;
• other biometric data (fingerprint, facial image) or other information;
• information to verify data directly related to the person (e.g. place of work, residence or study).

14.7. In the case of representation, the obligated entity shall also determine and verify the nature and extent of the right of representation. Unless the right of representation is derived from law, the name, date of issue and the name of the person who issued the document serving as the basis for the right of representation shall be established and preserved. The obligated person shall comply with the terms and rights of the representation and shall only provide services within the scope of the right of representation.

14.8. A representative of a foreign legal entity shall submit, upon request of the obliged person, a document certifying their powers and certified by a notary or equivalent procedure, legalized or certified by a certificate replacing legalization (apostille), unless otherwise provided for by an international treaty.

14.9. When it comes to the right of representation of authorized and legal representatives, it must be ascertained whether the representative knows his client. To establish the nature of the factual relationship between the representative and the represented person, the representative must know the content and purpose of the wills of the person he or she represents, as well as answer other relevant questions about the represented person's location, field of activity, turnover and transaction partners, other related persons and beneficial owners. The representative should also confirm that he or she is aware of and convinced of the source and legitimate origin of the funds used by the represented person in the transaction.

 

15. IDENTIFICATION OF LEGAL PERSON

15.1. The obligated person shall identify the legal person and store the following data about the legal person:

• company name or name (with the legal form) of the legal entity;
• registration code or registration number and date;
• the name of the director or the names of the members of the board or members of another equivalent body and their authority to represent the legal entity, whereby the representative who wishes to create a customer relationship is identified and the data obtained is verified in accordance with the requirements of these guidelines;

15.1.4. also collection and storage of other data directly related to the organization, such as:

• location of the legal person, and the theory of the country of establishment should be followed;
• location of the legal entity;
• data on the means of communication of the legal entity;
• The following documents shall be used to identify the legal entity:
• the registration card of the relevant registry;
• certificate of registration of the relevant registry;
• a document equivalent to the above document or the relevant document on the establishment of a legal entity.

15.3. The organization shall verify the accuracy of the data referred to in paragraph 15.1, using information from a reliable and independent source for this purpose. If the obligated person has access to a trade register, a register of non-profit associations and foundations, or data from the relevant registers of a foreign country, the submission of the documents specified in section 15.2 is not required.

15.4. In the absence of the original document referred to in Section 15.2, identities may be verified on the basis of the document referred to in Section 15.2, notarized or notarized or officially authenticated, or on the basis of other information originating from a reliable and independent source, including means of electronic identification and trust services for electronic transactions, thus using at least two different sources for data verification in such a case.

15.5. In the course of verification of data from a reliable and independent source obtained when identifying a legal entity in accordance with paragraph 12.5, the source shall be considered reliable and independent when the obligated person:

• sees the original document specified in clause 15.2;
• sees the composition of the document referred to in clause 15.2. notarized, notarized or officially certified;
• has access to data in the register of commercial and non-commercial associations and foundations or relevant registers of foreign countries via a computer network.

15.6. The documents specified in clause 15.2. shall be issued by the competent authority or body not earlier than six months prior to their submission to the authorized person on the basis of international and KR legislation.

15.7. In situations not specified in paragraph 15.5, a reliable and independent source is verification of information obtained during the identification process that comes from two different sources and meets the requirements specified in paragraphs 12.5. The provisions of paragraph 15.5 shall apply in cases where a representative of a legal entity must be personally identified in accordance with paragraph 12.2.

15.8. Within t h e meaning of paragraph 12.5, two different sources in identifying a legal person means that the data medium, method or measure of obtaining the information must be different (i.e. it cannot be the same data medium).

15.9 In addition to the document referred to in paragraph 15.2 (unless the obliged person selects two different customer identification documents for verification), the second source may also be information obtained from a third-party and independent source. to verify data directly related to the individual (such as location, etc.).

15.10 Public documents used to identify a legal entity issued in a foreign state must be legalized or confirmed by a certificate replacing legalization (apostille), unless otherwise provided for by an international treaty and the current legislation of the Kyrgyz Republic.

15.11. In the case of documents in foreign languages, the obligated entity has the right to request that the documents be translated into a language it understands. The use of translations should be avoided in situations where the original documents have been prepared in a language understood by the obligated entity.

 

16. STATUS OF THE BENEFICIAL OWNER AND ITS IDENTIFICATION.

16.1. When establishing a business relationship or engaging in a one-off transaction, the obligated person must identify the beneficial owner of the customer or the person involved in the one-off transaction and take steps to verify the identity of the beneficial owner, to the extent that the organization allows, to ensure that they know who the beneficial owner is.

16.2. A beneficial owner is defined as a natural person who, through the exercise of influence, engages in a transaction, act, deed, transaction or step or otherwise exercises control over a transaction, act, transaction or step or over another person and over whose interests or in whose favor or for whose account a transaction or act, transaction or step is carried out. In the case of companies, a beneficial owner is a natural person who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or interest in that entity, including through bearer shares or through control by other means.

16.3. The obligated person should understand the ownership and control structure of the customer or person involved in a one-off transaction when establishing a business relationship or completing a one-off transaction.

16.4. The beneficial owner should not be identified in the case of a company listed on a regulated market that is subject to disclosure requirements under European Union law or equivalent international standards that ensure sufficient transparency of ownership information.

16.5. The beneficial owner of a legal entity shall be determined in stages, with the obliged person proceeding to each subsequent stage if the beneficial owner of the legal entity cannot be determined in the case of the previous stage.

16.6. Stages:

• whether it is possible to identify, in relation to a customer that is a legal entity or a person involved in a transaction, the individual or individuals who effectively ultimately control, or otherwise exercise influence or control over, the legal entity, irrespective of the size of the shares, voting or ownership rights or their direct or indirect nature;
• whether the customer, which is a legal entity, or the person involved in the transaction is a natural person or persons who own or control the legal entity through direct or indirect shareholding. Family ties and contractual relationships should also be taken into account here; who is the individual in senior management that should be identified as the beneficial owner because the answers to the previous two questions did not allow the responsible person to identify the beneficial owner.

16.7. Direct ownership is a method of control whereby an individual owns 25 percent of the shares plus one share or ownership of more than 25 percent in an entity. Indirect ownership is a method of control whereby 25 percent of the shares plus one share or ownership of more than 25 percent in a company is held by a company controlled by an individual or by several companies controlled by the same individual.

A member of senior management, is a person who: makes strategic decisions that have a significant impact on the business activities and/or practices and/or general (business) direction of the company; or in his/her absence, carries out the day-to-day or full-time management functions of the company under executive authority (chief executive officer, chief financial officer, director or president, etc.).
If, after exhausting all possible means of identification, a person cannot be identified and there is no doubt that such a person exists, or if there is doubt that the identified person is the beneficial owner, the natural person who holds the position of senior manager. The obliged person may consider the beneficial owner to be the natural person of a son who otherwise exercises control over a company without owning a 25 percent interest in that company. This situation also arises when the obliged person suspects that a third person exercises significant control over the company whose connections to the company cannot be legally proven or such proof is difficult to obtain. In such a situation, information on shareholders, associates and other persons exercising control or other significant influence over the legal entity should be requested.

16.10. In the case of a trust, civil partnership, community or other unincorporated association of persons, the beneficial owner is the individual who ultimately controls the association through direct or indirect ownership or otherwise:

• The founder or the person who transferred the property to the property pool;
• trustee, asset manager or owner;
• the person who secures and controls the safeguarding of assets, if such a person has been appointed, or the beneficiary or, if the beneficiary or beneficiaries have not yet been identified, the class of persons for whose benefit the association is formed or acts.

16.11. In the case of a company whose securities are traded on a regulated securities market, it is not necessary to identify the beneficial owners of such a company.

16.12. The obliged person shall take measures to verify the identified beneficial owner and shall do the same to such an extent that the obliged person can conclude that it knows who the beneficial owner is. In the case of legal persons, this is required where the purpose and nature of the business relationship has been established so that it can be concluded that the beneficial owner of the customer, if the latter is actively involved in the business of the company, works in the declared field of activity, with the declared field of activity and with the declared business partners and experience is available and required and that the obliged person:

• sees the original document referred to in paragraph 15.2;
• has access to data from commercial registers and verifies the data of the beneficial owner in the said register;
• acquainted with the composition of the document referred to in paragraph 15.2, notarized or officially certified;
• Uses other publicly available and/or reliable sources sufficient to conclude who is the beneficial owner.

16.13. If the legal entity's identity documents or other submitted documents do not explicitly state who is the actual owner of the legal entity, the relevant data (including data on group membership and the ownership and management structure of the group) shall be recorded on the basis of a statement by the legal entity's representative or a handwritten document by the legal entity's representative. Reasonable steps should be taken to verify the accuracy of information established on the basis of statements or a handwritten document (e.g., by making inquiries to the relevant registries) that require the submission of the legal entity's annual report or other relevant document.

16.14. If the obliged person has doubts about the reliability or completeness of the relevant information, the obliged person shall verify the information provided from publicly available sources and, if necessary, request additional information and data from the person.

16.15. When determining the beneficial owner, special attention should be paid to companies established in low-tax zones whose legal capacity is not always clear.

16.16. In the case of a trust, civil partnership, partnership or other similar legal entity, confirmation of the character of the beneficial owner should be obtained on the basis of a civil partnership agreement, letter of wishes, trust deed and other documents in addition to. publish data and/or trust. The provisions of paragraph 16.14 should apply if the obliged person wishes to use a statement or handwritten document of the beneficial owner.

16.17. If another legal entity controls a legal entity in accordance with the definition of beneficial owner, the obligated person must assess the risk of the person or customer and collect data on other legal entities related to other persons to identify the beneficial owner.

16.18. An authorized person is not obliged to independently verify the ownership and control structure of a customer or a person entering into a one-off transaction and may rely on statements or written explanations of a representative of a legal person or trust, civil partnership, community or other person. similar legal person. This does not apply if the obligated person has information that casts doubt on the specified fact, including that contradicts the data obtained during the identification of the beneficial owner and data verification.

16.19. In identifying the natural person, the obliged person must also identify the beneficial owner of the natural person, that is, the person who controls and benefits from the activities of the natural person. Suspicion of the existence of a beneficial owner may arise primarily if, after exercising due diligence, the obliged person believes that the natural person has been influenced to create a business relationship or to enter into a transaction. In such a case, the person exercising control over the natural person should be considered the beneficial owner of the natural person.

16.20. If the obliged person establishes that the transactions or actions are actually carried out on behalf of a third party and the content of the activity suggests a possible trust activity, the obliged person must take all measures to identify the beneficial owner of the trust and perform all actions to ascertain the actual purpose of the business relationship.

16.21. The obliged person must record and keep information on all transactions carried out to identify the beneficial owner.

16.22. The obliged person is ready, if necessary, to explain the choice of the measure applied to identify the beneficial owner and the ownership and control structure and verification to the financial intelligence and control authorities authorized in accordance with the current legislation of the Kyrgyz Republic.

 

17. STATUS OF POLITICALLY EXPOSED PERSONS AND THEIR IDENTIFICATION.

17.1. When establishing a business relationship, as well as in the course of the business relationship or in the event of a particular "trigger" event, the obligated entity shall take steps to ascertain whether the customer or the person seeking to enter into a one-off transaction and the beneficial owner or representative of those persons is a politically exposed person (including a high-risk politically exposed person), a member of their family or a close associate, or if the customer has become such a person.

17.2. Politically exposed person means at least an individual who is or has been entrusted with prominent public functions, including a head of state, head of government, minister and deputy or assistant minister; a member of parliament or similar legislative body, a member of the governing body of a political party, a member of the supreme court, a member of the audit chamber or the board of a central bank; an ambassador, chargé d'affaires and high-ranking officer of the armed forces; a member of an administrative, managerial or supervisory The obliged person has the right to decide on the renewal of politically sensitive official positions as a result of a risk-based approach and thus also to take additional measures for other official positions.

17.3. In the case of a customer that is a legal entity or a person entering into a casual transaction, such a person should be considered a politically exposed person if its representative or beneficial owner is a politically exposed person, a family member or close associate of the politically exposed person. person. person. In the case of a public customer that is a legal entity or a person entering into a one-time transaction, such person should be considered a politically exposed person if the politically exposed person holds a significant and prominent position in the company and the government owns at least 50% of that company. When assessing such a significant and prominent function, it should also be assessed whether the politically exposed person has any (significant) authority over state assets, funds, policies or activities, whether they have the power to grant licenses or permits, make exceptions, whether they have control or influence over the accounts or funds of the state or the company, etc.

17.4. Local politician - a person referred to in paragraph 17.2 who is or has been entrusted with important public functions in the KR, in another Member State of the European Economic Area or in an institution of the European Union or in other third states.

17.5. Family member means the spouse or person equivalent to a spouse of a politically exposed person or local politically exposed person; child and their spouse or person equivalent to a spouse of a politically exposed person or local politically exposed person; parent of a politically exposed person or local politically exposed person.

17.6. A person known as a close associate means an individual who is known to be a beneficial owner of, or has joint beneficial ownership of, a legal person or legal entity, or any other close business relationship with a politically exposed person or local politically exposed person. exposed person; and an individual who has sole beneficial ownership of a legal person or legal entity that is known to have been established for the actual benefit of the politically exposed person.

17.7. Obliged persons should identify close partners and family members, political exposure of persons only if their connection with the performer of essential functions of public authority is known to the public or if the obliged person has reason to believe that such a connection exists.

17.8. If a politically exposed person is longer performing the important public functions assigned to him or her, the obligated entity shall, for at least 12 months, take into account the risks that remain associated with the person and apply appropriate measures based on risk sensitivity until it is beyond doubt. that the risks specific to politically exposed persons no longer exist in the case of the person.

17.9. An obligated entity is not required to apply the due diligence measures provided for in this section to a local politically exposed person, a member of their family, or a person known to be a close associate of theirs, if there are other factors relating to a higher level of liability than the level of ordinary risk.

17.10. In addition to appropriate due diligence measures, the obligated entity shall apply, among other things, the following additional measures with respect to politically exposed persons:

• requesting necessary information from the client, including the application of measures to identify the sources of wealth and financial means of the person used in business relations or transactions;
• checking data or performing queries in relevant databases or publicly available databases or performing queries or checking data on the websites of the relevant supervisory authorities or institutions of the country in which the client or person is located. Data shall be primarily verified as follows both local and foreign politically exposed persons should be further verified using Google and the local search engine of the client's country of origin, if any, by entering the client's name in both Latin and local alphabet with the client's date of birth.

17.11. In addition to the general due diligence measures specified in paragraph 17.10, the obligated person shall apply the following measures to high-risk politically exposed persons:

• obtains approval from senior management to establish or continue a business relationship with the individual;
• Applies measures to establish the source and/or origin of a person's wealth and the sources of funds that are used in the business in one-off transactions;
• monitoring business relationships in an enhanced manner, as outlined in these recommendations.

17.12. Senior management within the meaning of paragraph 17.11 is a person in a sufficiently senior position, with decision-making authority and in-depth knowledge of the organization and its capabilities to make informed decisions on matters directly affecting the risk profile of the company and who knows whether the tax-obligated entity's compensation arrangements are adequate for that risk.

 

18. IDENTIFYING THE SOURCE OF MONEY FUNDS/INCOME.

18.1. The obliged person collects information on the source and/or origin of the client's funds:

-when establishing a business relationship, determine the purpose and nature of the business relationship, as appropriate;
-when entering into a one-off transaction outside the business relationship, if necessary, to determine the purpose and nature of the business relationship;
-the obligated entity knows or suspects that the customer or the person entering into the casual transaction is a high-risk politically exposed person, a member of their family, or a close associate.

18.2. Establishing the source and/or origin of wealth means that the obligated entity determines the broader and overall picture of the client's wealth, i.e., the source of all assets. Typically, this will indicate how much wealth the customer may hold in general and where the customer obtained that wealth from. In addition to requesting relevant information from the client, it may also be possible to collect such information from publicly available databases and other publicly available or non-public data such as land registries, registers of other assets, declarations of economic interests, company registers, etc. Data on the source and/or origin of wealth shall be verified on the basis of reliable and independent data, documents and information if the risk associated with the client is particularly high, the obliged person shall not settle the client's general answers or make unreasonable assumptions (e.g. that employees with significant functions have higher salaries and more assets, etc...)and the obliged person shall be convinced that it knows the source and/or origin of the client's wealth. If the client refuses to disclose the source and/or origin of their wealth, or gives generic answers, or the data differs from data that is publicly or privately available, this may be a situation that indicates a higher risk that needs to be given increased attention, i.e. for which enhanced measures should be taken.

 

19. DETERMINING THE NATURE AND PURPOSE OF BUSINESS RELATIONSHIPS AND ONE-OFF TRANSACTIONS.

19.1. In the case of a business relationship or a one-off transaction, the obligated entity shall understand the purpose and nature of the business relationship or transaction. If appropriate, the obligated entity shall take additional steps and gather additional information to determine the purpose and nature. This appropriate situation arises primarily when: a situation arises that is of high value or is unusual and/or when the risk and/or risk profile associated with the customer and the nature of the business relationship warrant additional actions to be taken in order to be able to properly monitor the business relationship at a later date.

19.2. The obligated entity shall ensure that the service provided is consistent with the content of the customer's actual statements of intent (why it needs the service), is consistent with the nature and purpose of the specific contract and is appropriate for the level of risk assigned to the customer. The obligated entity shall assess, on the basis of the aforementioned information, what are the expected actions of the customer, on the basis of this information the obliged person will be able to subsequently assess the activities of the customer on the basis of the information already collected (continuous observation/monitoring of transactions concluded within the business relationship, including identifying the source and origin of the funds used in the transaction).

19.3. The additional measure referred to in paragraph 19.1 means, inter alia, making inquiries in publicly available sources and the additional information is to establish the regular line of business, payment practices, principal transaction partners and, in the case of a legal person, the experience of the customer or person involved in the occasional transaction. The above list is not exhaustive and, where necessary, the obliged person shall take additional measures to understand the purpose and nature of the business relationship, including, in the first instance, determining the source and/or origin of wealth where necessary and making site visits prior to establishing the business relationship and applying other necessary measures.

19.4. In order to determine the scope of the business relationship, the obligated entity must understand what the customer deals with and intends to deal with in the course of the business relationship and how it is consistent with the purpose and nature of the business relationship as a whole and whether it is reasonable, understandable and plausible.

19.5. After determining the scope of the business, the obligated entity must also determine whether authorization to provide a financial service is required to provide the service and whether the service is actually provided through the obligated entity to the customers of the customer, i.e., the ultimate beneficial owners to whom the obligated entity must apply due diligence.

19.6. In the case of payment practices, it is important to determine how financial services are consumed (e.g., in the case of a bank account, the approximate number, volume, purpose and frequency of transactions made per month and per year, the countries from which payments are received and to which payments are made, the expected duration of the business relationship, the extent and channels of cash use, payment channels (branch, internet banking, card payments), etc.; the frequency, amount and repayment time associated with a loan taken out as part of the business relationship, which should be used as a means of payment; and the frequency, amount and time of repayment associated with a loan taken out as part of the business relationship, which should be used as a means of payment.

19.6.1. Thus, the obligated entity must determine whether, why and on what terms the customer even intends to enter into such transactions, and whether this is consistent with the customer's knowledge in other respects, as well as with the customer's risk profile and the business relationship as a whole. Fulfilling this obligation often requires a more general identification of the source and/or origin of the customer's wealth.

19.7. In the case of main business partners, the obliged person must determine who are the main partners of the customer with whom transactions will be concluded in the declared field of activity and with the declared scope of activity, i.e. who are the persons for the realization of the purpose of establishing a business relationship.

19.7.1. Core business partners are defined as those who make inbound and outbound transactions possible, i.e. core business partners should be divided into two separate categories.

19.7.2. The obligated person must, where relevant, but above all in the case of a higher risk than usual, also establish how these main business partners are related to the field of activity, i.e. whether information is publicly available that also confirms the activity in the said field of activity. The obliged person must also establish in the relevant case why these main business partners agree or are willing (including on what preconditions) to do business with the customer, and this obligation primarily arises in a situation where the customer is a newly established company or a so-called shell company that was established earlier but starts doing business at a certain point in time.

19.7.3. If the service provided by the customer is the purchase or sale of goods, the inquiry about the main business partners covers, in the appropriate case, but primarily in the case of a risk that is higher than usual, the inquiry about the service providers who transport the goods.

19.7.4. When appropriate, it is important, but higher than usual risk, to look at the locations of these key business partners and ensure that this coincides with the payment practices previously stated by the customer (especially in terms of the countries from which funds are sourced and to which funds are transferred).

19.7.5. The obliged person must ensure, when establishing the business relationship, that the transactions will actually be concluded with the main business partners. The obliged person will verify this fact later in the course of the business relationship.

 

20. A PERSON WORKING IN A COUNTRY WITH A HIGH RISK INDEX.

20.1. The countries with a high risk index are: Afghanistan, Albania, Afghanistan, Cayman Islands, Barbados, Burkina Faso, Cambodia, Cayman Islands, Haiti, Jamaica, Jordan, Mali, Malta, Morocco, Myanmar, Nicaragua, Panama, Philippines, Senegal, Bahamas, Barbados, Botswana, Cambodia, Canada, Ghana, Iraq, Jamaica, Mauritius, Nicaragua, Panama, Trinidad and Tobago, Japan, Mongolia, Taiwan, Vanuatu, Venezuela.

20.2. When an obliged entity comes into contact with a high-risk third country through a person involved in a transaction entered into as part of the obliged entity's economic or professional activities, through a person involved in official acts, through a person using professional services, or through a client, the obliged entity shall apply the following due diligence measures:

• collection of additional information and data on the client and its beneficial owner;
• gathering additional information about the planned business content and business relationships;
• collection of information on the origin of funds and property of the client and its beneficial owner;
• gathering information on the main reasons for planned or implemented transactions;
• obtaining authorization from senior management to establish or continue a business relationship;
• Improving controls over business relationships by increasing the number and frequency of controls applied and selecting indicators of transactions that are additionally audited.
• In addition to the above, the obliged person may require the customer to make the payment from an account opened in the name of the customer in a credit institution of a contracting state of the European Economic Area or third countries, which implements requirements equal to those of the EU Directives and other international regulations.

 

21. MEASURES TO VERIFY BUSINESS RELATIONSHIPS.

21.1. The obliged person must respect the business relationship with the customer established in the course of economic or professional, i.e. monitoring the business relationship.

21.2. The obligated person shall implement the following measures as part of the monitoring of the business relationship:

• Ensuring that documents, data or information collected in the course of due diligence measures are regularly updated and in the event of trigger events, i.e. primarily data relating to the person, their representative (including the right of representation) and beneficial owner, and the purpose and nature of the business relationship;
• Continuous monitoring of the business relationship, which covers transactions carried out within the business relationship to ensure that transactions are consistent with the obliged person's knowledge of the customer, its activities and risk profile; identification of the source and origin of funds used in the transaction.

21.3. The obliged person should regularly review and update the documents, data and information collected in the course of due diligence. The regularity of the checks should be based on the risk profile of the customer, and the checks should not be less than:

• one every six months for high-risk clients;
• once a year for medium-risk clients;
• once every two years for low-risk clients.

21.4. The collected documents, data and information should also be reviewed if an event occurs that indicates the need to update the collected documents, data and information. In the ongoing monitoring of the business relationship, the obligated entity should monitor transactions entered into in the course of the business relationship so that the latter can determine whether the transactions entered into are consistent with previously known information about the customer (i.e., what the customer stated when establishing the business relationship or what became known in the course of the business relationship). The obligated entity shall also monitor the business relationship to identify customer activity or facts that indicate criminal activity, money laundering or terrorist financing, or including

complex, costly and unusual transactions and model transactions that have no reasonable or demonstrable economic or legal purpose or that are not characteristic of the particular features of the business in question. In the course of the business relationship, the obligated entity should continually evaluate changes in the customer's business and assess whether those changes may increase the level of risk associated with the customer and the business relationship, which may result in the need for additional or enhanced due diligence measures.

21.5. In the course of ongoing monitoring of the business relationship, the obligated person shall apply the following measures:

• Screening, i.e. real-time monitoring of transactions;
• Monitoring, i.e., analyzing transactions;

21.6. The purpose of screening is to detect:

21.6.1. suspicious and unusual transactions and transaction patterns;

21.6.2. transactions that exceed the established thresholds;

21.6.3. politically exposed persons and circumstances related to international sanctions.

21.7. Measures taken for screening should be risk-based, i.e., appropriate to the size of the obligated entity and the nature, scope and level of complexity of the work and services provided, including the risk appetite and risks associated with the activities of the obligated entity.

21.8. If obliged entities use automatic systems to detect suspicious and unusual transactions carried out within a specific business relationship, they should ensure that these systems are appropriate, i.e. they should be appropriate to the size of the obliged entity the nature of the scope and level of complexity of the work and services provided, including the risk appetite and risks associated with the obliged entity's activities. Automated system parameters/scenarios should:

21.8.1. Really cover the risks and threats that the obligated person primarily faces in its business to identify suspicious and unusual transactions;

21.8.2. Ensure that it is possible to identify transactions (including card transactions, if possible) that are made, transferred or received from countries or, if possible, from countries neighboring those countries that are associated with a higher risk of terrorism, including conflict areas, or from countries with other important links to the above-mentioned countries;

21.8.3. Also cover transaction descriptions and the information they contain;

21.8.4. In order to identify the subject of international sanctions, covering the possibility of verifying the compliance of data in relation to the client, its representative and beneficial owner;

21.8.5. in order to identify politically exposed persons, provide for the possibility of verifying the correspondence of the data of the client, his representative and beneficial owner;

21.8.6. Guarantee the identification of persons (covering the person itself, its representative and beneficial owner) with respect to whom the obligated person has previously had suspicions or with whom it has refused to establish a business relationship or whose business relationship has been terminated on an emergency basis (including, where technically feasible and not too burdensome for the obligated person, verification of the IP addresses used by those persons). The purpose of this is to allow the obligated entity to take action if the same persons wish to re- establish the business relationship;

21.8.7. Ensure that the obliged person can identify latent or overt (business) connections between different customers (belonging to the same group) of which the obliged person was previously unaware.

21.9. If an automated IT system is selected, the obliged entity shall ensure that such monitoring takes place at least once a week, except for subparagraphs 1 to 3 of paragraph 19.8, which shall take place in real time, also except for subparagraph 4, which shall also take place in real time if the obliged entity does not take action every time international financial sanctions are amended.

21.10. If the requested organization does not select a suitable IT system, its manual monitoring systems shall comply with the principles set out in article 19.

21.11. The purpose of monitoring is to identify transactions and circumstances that could not be identified in real time (could not be intervened in, e.g. ATM transactions) or that, due to the nature of the transaction, did not appear in the real-time transaction monitoring parameters in the case of the IT solution or in the acts in the case of manual monitoring (e.g. larger transactions by amount, currency or customer type).

21.12. Monitoring may be accomplished through parameters determined by the obligated person, a sample list of which is as follows:

21.12.1. Accounts (private and corporate) with large turnovers for the period under review, borrowers, users of investment services, buyers of fund units, etc. in currency (individuals and legal entities);

21.12.2. Larger transactions (individuals and legal entities) in the period under review by currency (individuals and legal entities) and service;

21.12.3. Transactions made through ATMs exceeding a certain threshold during the period under review;

21.12.4. Cash withdrawals and deposits at branches and ATMs exceeding a certain threshold (by individuals and legal entities);

21.12.5. Transactions of a particular customer (type).

21.12.7. The number of accounts the customer uses for transactions;

21.12.8. The number of high-risk customers and their connections to each other;

21.13. The obliged person should pay heightened attention, i.e., apply enhanced due diligence, to transactions and patterns of transactions that are complex, costly and unusual and that are not reasonably or demonstrably economic or legitimate purpose or are not characteristic of the particular features of the business in question.

21.14. In addition to the application of enhanced verification measures, the background of each individual transaction referred to in Article 19 shall be investigated to the extent reasonably necessary, including clarifying the details of the transaction and analyzing the circumstances that arose in order to identify the most characteristic features of the most frequent transactions. These data must be preserved. The main circumstances to which attention should be paid when analyzing such transactions are as follows:

• circumstance - actions, transactions or other circumstances that gave rise to the suspicion;
• Whether the obligated person is satisfied that it knows the customer to the extent necessary and whether the customer's activities are consistent with previously known information about the customer or whether it has become necessary to gather additional data about the customer and the need to take reasonable and appropriate steps to understand the background and purpose of the transaction, for example, by determining the source and destination of funds or seeking additional information about the customer's activities, in order to establish that such a transaction is true;
• Whether there have been repeated indications of suspicious acts and transactions (including in relation to similar situations or circumstances);
• Whether more attention to the customer's activities and the business relationship in general, including details, is needed in the future;
• Whether the obligation to report to the financial intelligence unit must be fulfilled.

21.15. A representative of the obligated organization may make monitoring visits to the client to verify that the client's explanation of their capacity and capability is correct.

21.16. In the course of the business relationship, the obligated entity shall determine the source and origin of funds used in the transaction, if necessary. A request for the source and origin of funds used in a transaction is essentially equivalent to monitoring the business relationship within the meaning and purpose of paragraph 21.2, with the difference that, while monitoring the business relationship covers the customer's entire business relationship and life cycle, the source and origin of funds used in a transaction relate only to incoming transactions. However, the objective is still the same - to get an adequate overview of the customer and to find out whether it corresponds to previously known information about the customer. This is why all explanations under the general principles of paragraph 21.4 refer to the source and origin of funds used in the transaction.

21.16.1. The source of the funds used in the transaction is the reason, explanation and basis (legal relationship and its content) for which the funds were transferred.

21.16.2. The origin of the funds used in the transaction is the activity by which the funds were earned or obtained, and this is closer to determining the source and/or origin of wealth.

21.17. The source and origin of funds used in a transaction should be identified when necessary. The need to identify the source and origin of funds depends on the customer's previous activities and other of known information. Thereby increasing the need to identify the source and origin of funds:

• in proportion to the amount of funds;
• if the transactions do not match previously known information about the customer;
• if the obliged person wishes or should reasonably consider it necessary to assess whether the transactions are consistent with previously known information about the customer;
• if the obligated person suspects that transactions indicate criminal activity, money laundering or terrorist financing or that transactions may be linked to money laundering or terrorist financing, including complex, costly and unusual transactions and transaction patterns that have no reasonable or demonstrable economic or legal purpose or that are not specific to the business in question.

21.18 Provenance is broader and includes the activities through which funds were earned or obtained, and is closer to the definition of the source and/or origin of wealth (see also section 18).

 

22. TRANSFER OF ACTIVITIES TO ANOTHER PERSON.

22.1. The obliged person shall have the right, subject to special requirements and restrictions provided for by the legislation of the Kyrgyz Republic, to use the services of another person on the basis of a contract, the content of which is the continuation of activities and actions necessary for the provision of services provided by the obliged persons to clients and which would normally be provided by the obliged persons themselves. The other person within the meaning of this paragraph is, for example, an agent, subcontractor or other person to whom the obliged entity outsources activities related to the provision of these services that the obliged entity normally performs independently in its economic activity. The obligated entity outsources activities in a situation where another person performs requirements arising from the laws of the ROC and international law and/or these guidelines on behalf of and at the expense of the obligated entity. This obligation is different from relying on another person when the other person implements the requirements arising from the KR Legislation and/or these Guidelines to fulfill its obligations arising from the law, after which the obliged entity uses them in fulfilling its obligations and relies on these data.

22.2. To outsource activities within the meaning of paragraph 22.1, the obligated entity shall implement an outsourcing policy/risk assessment approved by the board of the obligated entity. This document shall, at a minimum, analyze, review and describe the following:

22.2.1. the impact of outsourcing on the taxable entity's business operations and possible risks (e.g., operational risk, including IT and legal risk, reputational risk and concentration risk);

22.2.2. The reporting and oversight procedure carried out from the beginning to the end of the outsourcing contract (including preparation of the outsourcing description, conclusion of the outsourcing contract, execution of the contract before its expiration, situation plans and termination strategies);

22.2.3. in case of outsourcing of internal activities of the consolidation group, the outsourcing procedure, including services provided by a legal entity belonging to the consolidated tax-obligor group and specifics of the consolidation group;

22.2.4. the procedure and methodology for selecting and evaluating another person.

22.3. The obligated entity may outsource all or part of the due diligence measures set out in sections 11-20 (i.e. identification of the customer, beneficial owner, politically exposed person, source and/or origin of wealth, and purpose and nature of the business relationship) only:

• to another obligated person;
• organization, association or union whose members are obliged persons;
• to another person who applies the due diligence measures and data retention requirements provided for in the KR legislation in the field of the KR OPFTDIILPA Law and in these Recommendations, and who is subject or willing to be subject to financial supervision in a contracting state with respect to compliance with the requirements.

22.4. The obligation to apply due diligence measures not specified in paragraph 22.3 cannot be outsourced. This restriction does not apply to outsourcing activities related to the identification and implementation of international sanctions.

22.5. The obliged person shall select another person specified in clause 22.1 with due diligence to ensure the ability of this person to comply with the requirements of the KR legislation in the field of the KR OPFTDILPD Law and these guidelines, as well as to ensure the reliability and necessary qualifications of this person. When outsourcing the activity(s) of the obliged person, the obliged person shall ensure that the other person has the necessary knowledge and skills, primarily to identify suspicious and abnormal situations, as well as its inattention to comply with all money laundering measures and terrorist financing prevention requirements of the legislation. In order to comply with the provisions of this paragraph, the obliged organization shall make sure that the managers of the other organization are informed of the relevant requirements and ensure that the employees are trained on money laundering and terrorist financing prevention to the necessary extent.

22.6. To outsource an activity, the obligated person enters into a written contract with another person. The contract shall provide for:

22.6.1. Compliance with rights and responsibilities associated with outsourcing activities, including data storage, reporting to financial intelligence departments, etc.;

22.6.2. That the outsourcing of activities does not interfere with the activities of the obligated entity or the fulfillment of obligations under the KR legislation in the field of the KR OPFTDIILPD Law and these guidelines;

22.6.3. That the other person performs all of the duties of the authorized person associated with the outsourced activity;

22.6.4. That the outsourcing of activities does not interfere with the supervision of the obligated person;

22.6.5 That the competent authority may supervise a person who performs outsourcing activities through an obliged person, including by means of an on-site inspection or other supervisory measure;

22.6.6. The level of knowledge and skills required, as well as the capacity of the other person and the range of measures taken to achieve this, including regular training;

22.6.7. That the obliged organization has an unlimited right to verify compliance with the requirements stipulated by the KR legislation in the field of the KR OPFTDIILPD Act and these guidelines;

22.6.8. That the documents and data collected for compliance with the requirements arising from the KR legislation in the field of the KR OPFTDILPD Act and these guidelines are retained and, upon request of the obliged person, copies of documents relating to the identification of the client and its beneficial owner or copies of other relevant documents are immediately transferred or submitted to the competent authority. The contract shall guarantee that any information relevant in the course of the application of due diligence measures shall be communicated to the requested person and/or the relevant data and documents shall be archived in the manner prescribed by their regulations;

22.6.9. The right of an obliged person to terminate an outsourcing contract with another person, if necessary, if the latter has failed to fulfill its contractual obligations or has fulfilled them improperly.

22.7. The obliged entity shall immediately inform the competent supervisory authority about the conclusion of an agreement serving as a basis for outsourcing its activity(s). When providing information, the obliged entity shall indicate, inter alia, the scope of the transferred activity. Upon request of the competent supervisory authority, the obliged entity shall provide the contract for outsourcing of activities.

22.8. An obliged legal entity is not allowed to outsource activities to a legal entity that has been established in a high-risk third country.

22.9. All statutory requirements for the prevention of money laundering and terrorist financing apply to another person in relation to the outsourced activity(s) within the meaning of clause

20.10. The obliged person who has outsourced the activity is responsible for compliance and therefore also for any violations.

 

23. RELIANCE ON THIRD PERSONS.

23.1. The obligated entity relies on a third party in a situation where the third party implements the requirements arising from the KR legislation in the field of the KR OPFTDIILPD Law and/or these guidelines to fulfill its obligations arising from the law, after which the obligated entity uses them in fulfilling its obligations. and relies on this data. This obligation is different from outsourcing, where a third party implements the requirements arising from the KR legislation in the field of the KR OPFTDIILPD Act and/or these guidelines on behalf of and at the expense of the obligated entity.

23.2. The obliged person may rely on data and documents collected by another person after partial or full application of due diligence measures, i.e. identification of the customer, beneficial owner and politically exposed person, if the obliged person:

23.2.1. Collects from the third party, at a minimum, information about who the person establishing the business relationship or transaction is, their representative and beneficial owner, and what the purpose and nature of the business relationship or transaction is;

23.2.2. Ensured that all data and documents in which he relied on data collected by another person were immediately available, if necessary;

23.2.3. Established that the other relied upon person is required to comply with, and in fact complies with, requirements equal to those set forth in relevant International Community directives, including due diligence, identification of politically exposed persons, and data retention, and is under, or is willing to be under, governmental supervision with respect to compliance.

23.3. The obligated person shall take appropriate measures to ensure the fulfillment of the obligations under clause 23.2, conclude a contract for this purpose, if necessary, and apply other measures.

23.4. An obliged legal entity is not permitted to rely on a legal entity established in a high-risk third country.

23.5. An obliged person who relies on a third party is liable for compliance and therefore also for any breaches.

 

24. REFUSAL TO TRANSACT AND CONDUCT BUSINESS.

24.1. The obligated person is prohibited from establishing a business relationship or authorizing the performance of a one-time transaction or entering into a one-time transaction if:

24.1.1. the obliged person suspects money laundering or terrorist financing, or the obliged person is unable to apply due diligence measures taken when establishing the business relationship because the customer fails or refuses to provide relevant data, or the data provided does not give no reason to believe that the data collected is adequate;

24.1.2. a person whose capital consists of bearer shares or other bearer securities wants to establish a business relationship or enter into a one-off transaction;

24.1.3. a person who is not authorized to operate as a credit or financial institution, but whose primary and continuing business activity, through an authorized person, is similar to or consistent with the provision of financial services subject to the authorization, wishes to establish a business relationship or enter into a one-time transaction;

24.1.4. it would also require opening an anonymous account or savings book as opening an account clearly in the wrong person's name;

24.1.5. an individual, who is backed by another person of actual benefit, wants to establish a business relationship or enter into a casual transaction (suspicion that a front person is being used).

24.2. The duty under paragraph 24.1 shall not be discharged if the obliged person has informed the Financial Intelligence Unit of the establishment of a business relationship, a one-off transaction or an attempt to enter into a transaction in the manner provided for in Article 26 and/or has received a specific instruction from the Financial Intelligence Unit to proceed with the establishment of a specific business relationship or the conclusion of individual transactions.

24.3. With respect to circumstances of refusal to establish a business relationship or enter into a casual transaction, the obligated person shall comply with the reporting obligation in accordance with the requirements set forth in section 26 and shall record and retain data on the refusal to establish a business relationship or enter into a casual transaction and the fulfillment of the reporting obligation in accordance with the requirements set forth in section 27.

24.4. In a situation where an obliged person continuously refuses to establish a business relationship or enter into a one-off transaction on the basis of paragraph 24.1, or if it is refused before due diligence measures are applied, the obliged person should conduct periodic analyses to determine:

24.4.1. Who are those employees or other contractual partners who primarily solicit customers with whom the breached entity refuses to establish a business relationship or casual transaction;

24.4.2. Who is the agency, representative office, or other person soliciting customers with whom the obligated person refuses to establish a business relationship or enter into a casual transaction.

24.5. The obliged person shall have the right to refuse to execute a transaction within the framework of business relations where the person involved in the transaction or the customer, despite appropriate requests, fails to submit documents and relevant information or data or documents confirming the origin of the assets constituting the subject of the transaction or the purpose of the transaction, or if the data and documents submitted make the obliged person suspect money laundering or terrorist financing or the commission of related offenses or an attempt at such activities.

24.6. If the data are insufficient or inconsistent, or if money laundering or terrorist financing is suspected, the obligated entity should apply due diligence measures as long as they have collected sufficient data, they are satisfied that the data are correct, or the suspicion of money laundering or terrorist financing has been excluded.

24.7. If the obliged person has still failed to apply appropriate due diligence measures within a reasonable time to exhaustively collect data, verify the accuracy of the data, or address suspicions of money laundering or terrorist financing, the obliged person shall terminate the business relationship on an emergency basis. in accordance with the requirements set out in paragraph 24.10.

24.8. The obligated person has the right to terminate the long-term contract that is the basis for the business relationship on an emergency basis and without prior notice if:

24.8.1. the person has not been issued an electronic identity card of an electronic resident, its validity has been suspended or it has been recognized as invalid on the grounds stipulated by the current legislation of the Kyrgyz Republic.

24.8.2. the person is suspected of money laundering, except for the situation referred to in clause 24.7.

24.9. The required organization is required to terminate a long-term contract serving as the basis for a business relationship on an emergency basis without prior notice if the business relationship has been established and due diligence measures cannot be reapplied because the circumstances specified in paragraph 24.7 exist, or because the customer fails or refuses to provide relevant data, or the data provided does not give reason to believe that the data collected is adequate.

24.10. In the event of an emergency termination of the business relationship within the meaning of clauses 24.8 and 24.9, the obliged person shall transfer the customer's assets within a reasonable time, but preferably not later than within one month of the emergency termination of the business relationship and generally to an account opened with a credit institution or branch of a foreign credit institution or credit institution which is incorporated or whose place of business is located in a contracting state of the European Economic Area or in a country where requirements equal to those applicable to the European Economic Area apply. In exceptional cases, assets may be transferred to an account other than the client's account or given in cash, by notifying the financial intelligence unit with all relevant and sufficient information at least 7 working days in advance and provided that the financial intelligence unit does not order otherwise. Regardless of the recipient of the funds, the minimum information provided is in English, the payment details of the transfer of the client's assets indicate that the transfer is related to the extraordinary termination of the client relationship.

24.11. With respect to circumstances of mandatory emergency termination of the business relationship, the obligated person shall fulfill the reporting obligation in accordance with the requirements set out in section 26 and shall record and retain the emergency termination of the business relationship and fulfill the reporting. obligation in accordance with the requirements set out in section 27. obligation.

24.12. The right arising from Clauses 24.5 and 24.8 shall not be exercised and the obligation arising from Clause 24.9 shall not be fulfilled if the obligated person has informed the Financial Intelligence Unit of the establishment of a business relationship, transaction or attempted transaction in accordance with the procedure provided for in Article 26 and a specific instruction is received from the Financial Intelligence Unit to proceed with the business relationship or transaction. The right may also not be exercised,

If the obligated person has received instructions from the financial intelligence unit without first making an appropriate report.

24.13. In a situation where the obligated person permanently terminates the business relationship on an emergency basis under paragraph 24.9, the obligated person should conduct a periodic analysis to identify:

24.13.1. Who are the employees or other counterparties that primarily bring in customers whose business relationships have been terminated on an emergency basis, and whether these individuals have failed or improperly performed their duties;

24.13.2. Who is the agency, representative, or other person soliciting clients whose business relationship has been terminated on an emergency basis, and whether those persons have failed or improperly discharged their duties;

24.13.3. Which employees serve the customers with whom business relationships are most likely to be terminated and for what reason, and whether these individuals have failed or improperly performed their duties;

24.13.4. Whether it would have been possible to identify grounds for terminating the business relationship on an emergency basis at the establishment of the business relationship or at an earlier point in the life cycle of the business relationship and why these circumstances were not then identified.

 

25. INTERNATIONAL SANCTIONS.

25.1. When an act establishing or giving effect to an international financial sanction enters into force, the obliged person shall take measures to comply with the obligations arising therefrom and shall exercise the necessary diligence to ensure that the purpose of the international financial sanction is achieved and to prevent a breach of the sanction.

25.2. Definition of an international sanction:

25.2.1. International sanctions are an essential instrument of foreign policy aimed at maintaining or restoring peace, international security, democracy and the rule of law, following human rights and international law or achieving other objectives of the Charter of the United Nations or the Common Foreign and Security Policy of the European Union.

International sanctions are imposed on a state, territory, territorial unit, regime, organization, association, group or person by a decision of the UN Security Council, a decision of the Council of the European Union or any other legislation imposing obligations on the ROC.
International sanctions may prohibit the entry of the subject of international sanctions into a state, restrict international trade and transactions, and impose other prohibitions or obligations.
The sanctions of the KR government are an instrument of foreign policy that may be imposed in addition to the purposes stated in the previous paragraphs to protect the security or interests of the KR.
The subject of international sanctions is any natural or legal person, organization or body specified in the legal act on the imposition or application of international sanctions, against whom international sanctions are applied.
Within the meaning of these guidelines, financial sanctions are international sanctions that:

• To oblige to freeze the monetary funds and economic resources of the subject of international financial sanctions;
• Prohibit the provision of financial and economic resources to the subject of financial sanctions;
• Prohibit the granting of loans and credits under the terms of international sanctions legislation;
• Prohibit the opening and use of a deposit, payment, depo or other account under the conditions provided for by international sanctions legislation;
• Prohibit securities transactions under the conditions provided for in international sanctions legislation;
• Prohibit the conclusion of an insurance contract under the terms of international sanctions legislation;
• Prohibit investment under the conditions provided for in the international sanctions implementing legislation; or prohibit, under the conditions provided for in the international sanctions implementing legislation, the commencement or continuation of a business relationship, counseling or other financial services related to the activities listed above.
  A person with certain responsibilities is:
• A credit organization within the meaning of the Law on Prevention of Money Laundering and Terrorism Financing;
• Financial Institution;
• A person having the status of an account operator within the meaning of the Securities Register Law and the Central Securities Depository, if the person organizes opening of depo accounts and provides services related to register operations without the intermediation of an account operator;

25.6. In economic or professional activities, the obligated entity shall pay particular attention to such activities and to the circumstances of a person who has a business relationship with, engages in a transaction or act with, or who intends to establish a business relationship with, engage in a transaction or act with, a person that indicates that the person may be subject to international financial sanctions.

25.7. When entering into, modifying or terminating a financial sanction, the person with specific duties has a duty to check whether the person who has or planning to have a business relationship with him or her, the subject of the financial sanctions. If a person with special responsibilities identifies a person subject to financial sanctions, or that a transaction or action planned or carried out by him or her violates financial sanctions, the person with special responsibilities shall impose financial sanctions and immediately report it to the Financial Intelligence Service.

25.8. If a person with specific duties doubts that a person, has or is only planning a business relationship with them and is subject to financial sanctions, or that a transaction or action planned or carried out by them violates financial sanctions, shall apply financial sanctions and due diligence measures as follows:

25.8.1. Gather additional information regarding whether a person who has or intends to have a business relationship with them is subject to financial sanctions, or a transaction or action that is planned or carried out violates financial sanctions, and verify this with supporting documents, data or information from a reliable and independent source;

25.8.2. Gather additional information about the purpose and nature of the business relationship, transaction or action and verify it with additional documents, data or information from a trusted and independent source.

25.8.3. A person with certain duties must also apply due diligence measures when there is a risk or suspicion of a breach of financial sanction.

25.8.4. If, as a result of the application of due diligence measures, the person with specific responsibilities identifies the subject of a financial sanction or that a transaction or action planned or carried out by him or her violates a financial sanction, or if additional information obtained during the application of due diligence measures does not identify him or her, as well as in the case of a suspected violation of a financial sanction referred to in paragraph 25.8..3, the person with specific responsibilities shall inform the financial intelligence unit and the financial intelligence unit of the financial sanction applied.

25.9. The obliged person shall regularly visit the website of the financial intelligence unit and shall promptly take the measures provided for in the legislation establishing or implementing international financial sanctions to ensure that the purpose of the international financial sanctions is achieved and to prevent a violation of the international financial sanctions.

25.10. When a law establishing or giving effect to an international financial sanction enters into force, the employees of the obligated entity shall exercise the necessary diligence to ensure that the purpose of the international financial sanction is achieved and to prevent a breach of the sanction.

25.11. Employees of the obligated person must exercise additional diligence when establishing business relationships and entering into transactions with respect to the buyer and the circumstances of the transaction (including the other party to the transaction).

25.12. The employees, board and compliance officer of the obligated person shall pay particular attention in the course of the obligated person's business activities to such acts and circumstances of a person who has a business relationship with, does a transaction or act with, or who intends to establish a business relationship with, a transaction or act with, or who intends to transactions or acts that indicate that the person may be subject to international financial sanctions.

25.13. Under the International Sanctions Act, a person with specific duties is required to apply additional due diligence measures to verify the events to which international sanctions are to be applied. To do so, designated persons must:

• Notify the financial intelligence unit of the subject matter of the international sanction and the application of the financial sanction based on it;
• If the target of a financial sanction is suspected, gather additional information and, if the suspicion persists, notify the Financial Intelligence Unit;
• Notify the Financial Intelligence Unit of a refusal to establish a business relationship or enter into a transaction if the basis for the refusal was the possibility that the person, country, transaction or goods on which the transaction is based may be involved in an international sanctions regime.

25.14. Procedures for identifying the subject of the financial sanction and the transaction or action that violates the financial sanction:

25.14.1. The obligated person shall verify that a person with whom it has a business relationship or intends to establish a business relationship is not subject to international sanctions. The obligated person shall also verify whether the person with whom it has a business relationship transacts with international sanctions entities.

25.14.2. In order to identify persons designated in international sanctions legislation, the obligated person's internal databases and databases managed by third parties are consulted to determine the existence of or transactions with such persons.

25.14.3. In order to verify that the names of the persons obtained as a result of the request match the names of the persons listed in the international sanction notification, their personal data are mainly used, the main characteristics of which are, for a legal entity, its name or trademark, registration code or date of registration, and for a natural person, its name and identity card or date of birth.

25.14.4. Inquiries should be made primarily on the basis of the personal data specified in the relevant sanction notice of the individual subject to the sanction. When preparing an inquiry, factors that misrepresent personal data should be taken into account when describing the parameters of the investigation.

25.14.5. Factors that distort personal data include circumstances that may alter the written representation of personal data. Depending on the manifestation of factors distorting personal data, the data in databases (mainly names of individuals) may differ from the actual name of the person and/or data (name) of the person, as well as notifications containing an international sanction.

25.14.6. In order to establish the identity of the persons referred to in the relevant legal act or notification as persons identified as a result of a request from databases, the obliged shall the person must analyze the names of the individuals identified as the results of the request based on the possible impact of factors that distort personal data.

25.14.7. Factors that misrepresent personal data include the following errors or discrepancies arising from the translation, processing or handling of personal data and names:

• Transcription of foreign names, including differences arising due to Latinization Russian and Scandinavian names;
• a different word order in a name made up of several words, such as AS JAAN TAMM or TAMM JAAN;
• Replacing diacritical marks (letters with dots or accents) with other letters or omitting them (partially);
• Replacement of double letters and foreign letters with other letters or their (partial) omission:
• Replacing double letters with a single letter (and vice versa), e.g. METAL or METAL;
• Replacing the letters F, S, Z, Z, S. with another letter or letter, e.g. FARMA or PHARM A, CRYSTAL or CRYSTAL;
• Substitution of the foreign letters B, W, H, U ...with other letters. WOX QYIT or WOX QYIT;
• Use of abbreviations;
• Enter numbers as words in text, for example.2 FAST 4 YOU or TWO FAST FOUR/FOR YOU;
• Use/non-use of additional and preceding words (and letters, prefixes);
• Other factors:
• Arising from human error;
• Substitution of hard and soft consonants, e.g. AS GMSI KUTE or AS KAASI GUTE;
• A name or part of a name appearing before or as part of another name.
• If a person with certain responsibilities cannot uniquely identify individuals from a background check, taking into account factors that distort personal data, being the same person as the individuals identified in the notification, the financial institution shall notify the notifying agency and the financial intelligence unit of all identified individuals.

25.15. Actions taken when there is suspicion of identifying the subject of financial sanctions or a transaction or action that violates financial sanctions:

25.15.1. If an employee of the obligated person becomes aware that a person engaged in a business relationship or transaction or act with them, or a person intending to engage in a business relationship, transaction or act with them, is subject to international financial sanctions, the employee must immediately notify the compliance officer or the board of the person with specific duties of the the definition of the object of international financial sanctions, the doubts about it and the measures taken.

25.15.1.1. The Compliance Officer or the board of a person with certain duties refuses to conclude a transaction or proceeding, takes action under the act to impose or implement international financial sanctions, and must immediately notify the financial intelligence unit of their doubts and the action taken.

25.15.1.2. When identifying the subject of an international financial sanction, it is necessary to identify the measures that are taken to penalize that person. These measures are described in the legal act implementing the sanction, so it is necessary to accurately identify the sanction that applies to the person to ensure that the measures are lawfully and appropriately applied.

25.15.2. If an employee of a person with special duties has any doubt that a person who has a business relationship or engages in a transaction or act with the person, or a person intending to establish a business relationship or engage in a transaction or act with the person, is subject to international financial sanctions, the employee shall immediately notify the compliance officer or the board of the person with special duties.

25.15.2.1. The compliance officer or the board of the person with special responsibilities should decide whether to request or obtain additional data from the person or immediately notify the financial intelligence unit of their suspicions.

25.15.2.2. If no suspicion remains after the person has received additional data and/or transmitted the data, the person with certain responsibilities should not create additional obstacles for customers for whom no suspicion exists or remains.

25.15.2.3. If a person who has a business relationship or engages in a transaction or act with a person with specified obligations, or a person who intends to establish a business relationship or engage in a transaction or act with them, refuses to provide additional information or it cannot be used to determine whether the person is subject to international financial sanctions, the person with specified obligations or their representative shall refuse to engage in the transaction or act, take action under the act to impose a sanction, or take measures to prevent the person from doing so.

25.16. Actions taken by a person with specific responsibilities in relation to the identification of a risk of breach of financial sanctions and actions to be taken in the event of such a finding:

25.16.1. In the view of the obliged person, there is a higher risk of a breach of international sanctions if a person who is in a business relationship with the obliged person or who wishes to establish a business relationship with the obliged person, or who transacts with the obliged person during the course of the business relationship:

• From a country subject to European Union and/or UN sanctions;
• Insufficient data are available or the data are presented in abbreviated form;

25.16.1.3. When describing the parameters of the request made during identification, some factors that distort personal data exist.

25.16.2. When these circumstances arise, the obligated person shall conduct additional due diligence by applying enhanced due diligence measures.

25.17. Actions of a person with certain responsibilities in the event that additional information is obtained:

25.17.1. A person with certain duties shall first of all independently obtain additional information about the person who has a business relationship with or is entering into a transaction or action with him or her, as well as about the person intending to establish a business relationship, enter into a transaction or action. with them, preferring information from a reliable and independent source.

25.17.2. If the information referred to in the preceding paragraph is not available for any reason, the person with certain duties shall contact the person who has a business relationship or transaction or act with him or her, or the person who intends to establish a business relationship, transaction or act with them, whether or not the information is obtained from a reliable and independent source, and evaluate the response.

25.18. Actions taken by a person with specific duties in discharging the duty to inform:

25.18.1. A person with certain duties is obliged to immediately report to the financial intelligence unit any person identified as a result of an audit if they have reason to believe, or have a continuing suspicion, that the person identified is the same person identified in the international sanction notice.

25.18.2. A person having certain obligations or a person authorized to represent them shall refuse to conclude a transaction or act with the specified persons and shall take measures provided for in the legal acts establishing or enactinginternational financial sanctions.

25.18.3. The decision to impose sanctions on designated persons shall be made by the compliance officer or the board of the person with specific responsibilities upon receipt of appropriate confirmation or direction from the Financial Intelligence Unit.

25.19. Retention and provision of data by a person with certain obligations.

25.19.1. A person with special responsibilities must collect and retain the following data for five years:

-inspection time;
-name of the person who conducted the inspection;
-results of the inspection;
-taken action.

25.19.2. The person with special responsibilities shall store the data on an electronic data carrier and apply appropriate security measures for the safe storage of the stored data. The management board of the person with special responsibilities is responsible for the storage of the data.

25.19.3. The management board of the person with special responsibilities shall make the stored data available upon receipt of the relevant request within the same working day or, in the case of weekends, within 24 hours at the latest.

25.20. If the act imposing or implementing an international financial sanction is revoked, terminated or modified in such a way that the performance of the international financial sanction with respect to the subject matter of the international financial sanction ceases in whole or in part, the employees of the person with certain responsibilities are obliged to immediately cease the performance of the measure to the extent provided for in the act imposing or implementing the international financial sanction.

25.21. Upon receipt of the notification, the Financial Intelligence Service shall verify the correctness of the determination of the subject of the financial sanction and the legitimacy of the application of measures and shall immediately, but not later than two working days, provide a corresponding response.

25.22. The duties of the person responsible for the application of international sanctions shall be performed by the compliance officer of the obligated person, or in his/her absence, by the board of the obligated person.

25.23 In addition to the provisions of "25.1- 25.22" provided herein, the requirements of the U.S. Office of Foreign Assets Control (OFAC) shall be taken into account and addressed, in particular, special attention shall be paid to the application of Section 311 procedures in order to maximize the adaptation and most effective targeting of specific money laundering and terrorist financing risks. In carrying out the activities of the Compliance Officer in the field of supervision and application of international sanctions, is authorized, within the framework of internal activities, to provide written information to the U.S. Department of the Treasury, upon finding that there are reasonable grounds to conclude that a foreign jurisdiction, institution, class of transaction or type of account is a "major money laundering concern", as well as to inform domestic and international financial institutions and financial institutions to take certain "special measures" against the subject entity.

25.24. Compliance - An officer, in carrying out his or her activities, is authorized under section 311 of OFAC's regulations to take special measures.

These special measures range from requiring additional due diligence and special attention to specific transactions. The following special measures may be imposed individually, jointly, in any combination and in any sequence:
• Record keeping and reporting of certain transactions; (to the extent possible and available)
• Collection of information related to beneficial ownership; (to the extent possible and available)
• Collection of information related to specific payment accounts; (to the extent possible and available)
• Collection of information related to certain correspondent accounts; (to the extent possible and available)
• Prohibition or conditions opening or servicing correspondent or payable accounts. (to the extent possible and available)

25.25. When a situation arises that is contrary to the rules of "Section 311" of the U.S. Office of Foreign Assets Control, the Compliance Officer, accepts and agrees to be guided by sections "25.23", "25.24" of these internal rules.

 

26. REPORTING OBLIGATION ON THE PART OF PERSONS.

26.1. The obligated person must report to the financial intelligence unit activities or circumstances that they identify in the course of business operations and through the following indications:

26.1.1. indications point to the use of the proceeds of crime or the commission of related offenses.

26.1.2. in a case that they suspect or know of, or whose characteristics indicate the commission of money laundering or related offenses.

26.1.3. where they suspect or know or whose characteristics indicate the commission of terrorist financing or related offenses.

26.1.4. in the event that the attempted activity or circumstances specified in 26.1.1 from 1 to

26.1.3 are present.

26.2. the financial intelligence unit must be notified:

26.2.1. to the obligated person also of the circumstances of refusal to establish a business relationship or a one-off transaction pursuant to Clause 24.1 and of termination of the business relationship on an emergency basis pursuant to Clause 24.9.

26.2.2. to an obliged person, other than a credit institution, also about each transaction that becomes known, in which a monetary obligation of more than EUR 32,000 or an equivalent amount in another currency is executed in cash, regardless of whether the transaction is made in a single payment or in several related payments within a period of up to one year.

26.2.3. credit institutions also about each foreign currency cash exchange transaction in an amount exceeding 32,000 euros, if the credit institution does not have a business relationship with the person involved in the transaction.

26.3. The reports referred to in paragraphs 26.1 and 26.2 must be made before the completion of the transaction if the obliged person suspects or knows that money laundering or terrorist financing or related offenses have been committed (see also paragraph 24.12) and, if the circumstances are identified before the completion of the transfer transaction. If delaying the transaction would cause significant harm, it is not possible to skip the transaction, or it would prevent the capture of the perpetrator of possible money laundering or terrorist financing, the transaction will be concluded and the report will then be submitted to the Financial Intelligence Unit. The obligated person shall contact the Financial Intelligence Unit to identify such circumstances.

26.4. In any case, the reporting obligation must be fulfilled immediately, but no later than two business days after the transaction. authentication of the act or circumstance or the occurrence of an actual suspicion (i.e., a situation where the suspicion cannot be dispelled).

26.5. In addition to the situation referred to in paragraph 26.3, the obligated person shall also wait for a response from the Financial Intelligence Unit in other appropriate cases before refusing to establish a business relationship or before terminating the business relationship on an emergency basis.

26.6. In a situation where the need to report arises in connection with the establishment or emergency termination of a business relationship and, in relation to a customer or circumstances related thereto, the obliged person has identified the activities or circumstances referred to in paragraph 26.1, the obligation to report shall also be fulfilled within the meaning of paragraph 26.1, whereby this may also occur within the same report but with reference to different indicators.

26.7. If the basis for compliance with the reporting obligation by the obliged entity is not suspected money laundering or terrorist financing, but-among other things-a suspicious or unusual transaction, and there are many such suspicious and unusual transactions, and based on these or reports continue to be made, the obliged entity should suspect money laundering or terrorist financing, after which other due diligence measures should be applied in addition to the relevant report and refusal to enter into a transaction

26.8. The obliged person shall immediately provide the financial intelligence unit with all information available to the obliged person that the financial intelligence unit has requested in its request.

26.9. Where appropriate, the Financial Intelligence Unit provides feedback to obligated entities on their compliance with the reporting obligation and on the use of the information obtained.

26.10. Place and form of performance of the duty to report:

• The report shall be filed with the Financial Intelligence Unit of the contracting state in the territory of which the obliged person is established, located or provides services.
• The report is filed through the online form of the Financial Intelligence Unit or through a special service

26.10.3 The data used to identify and verify the information provided and, if available, copies of documents shall be added to the report.

26.10.4 Requirements for the content and form of the notice to be submitted to the Finance Department

An intelligence unit and instructions for reporting have been developed. by a decree of the Minister responsible for the sphere, which is added as an annex to these guidelines.

26.11. The duty to report arising under this section shall not apply to a notary public, bailiff, bankruptcy trustee, auditor, attorney or other legal service provider, accounting service provider or accounting or tax advisory service provider where they assess a client's legal position, defend the client's interests in court, intra-departmental or other similar proceedings, including when they advise a client on the initiation or prevention of litigation or other similar proceedings.

26.12. The authorized person, structural subdivision of the obliged legal entity, member of the management body and employee are prohibited to inform the person, his/her beneficial owner, representative or third party about the report submitted about them to the financial authority by the Financial Intelligence Unit, the plan of submission of such report or the fact of reporting, as well as about the prescription made by the Financial Intelligence Unit on the basis of the current legislation of the Kyrgyz Republic in the field of the KR OPFTDIILPD Law or on initiation of criminal proceedings. After complying with an order of the Financial Intelligence Unit, the obliged person may inform the person that the Financial Intelligence Unit has restricted the use of the person's account or that another restriction has been imposed.

26.13. The prohibition under 26.12 does not apply to the submission of information:

• Competent supervisory authorities and law enforcement agencies;
• Credit institutions and financial institutions among themselves if they are part of the same group;
• Institutions and branches belonging to the same group as the person specified in subparagraph 2 of this paragraph, if the group applies group-wide procedural rules and principles in accordance with the regulatory legislation of the Kyrgyz Republic;
• A third person who acts in the same legal entity or structure as the obligated person who is a notary public, bailiff, bankruptcy trustee, auditor, attorney or other legal service provider, accounting service provider or accounting consulting service provider. or taxation, and the legal entity or structure has the same owners and management system where joint compliance is practiced.

26.14. The prohibition provided for in paragraph 26.12 shall not apply to the exchange of information in a situation where it concerns the same person and the same transaction involving two or more obliged persons who are credit institutions, financial institutions, bailiffs, bankruptcy trustees. , auditors, lawyers or other providers of legal services, providers of accounting services or providers of consulting services in the field of accounting or taxation, located in a contracting state of the European Economic Area or in a country where requirements equal to those of international law are in force, operate in the same professional field, and for the preservation of their professional secrecy and protection of personal data the requirements equal to those in force in the CR shall apply.

26.15. If a notary public, bailiff, bankruptcy trustee, auditor, attorney or other provider of legal services, provider of accounting services or provider of consulting, accounting or tax services persuades a customer to refrain from unlawful conduct, it shall not be deemed a violation of the prohibition under this section.

26.16. The exchange of information governed by this section shall be maintained in writing or in a form reproducible in writing for the next five years, and the information shall be provided to the competent supervisory authority upon request.

 

27. CHECKING, STORING AND LOGGING DATA.

27.1. The obligated person must register and retain:

27.1.1. Information on the circumstances of the refusal to establish a business relationship or a one-off transaction by the obliged person;

27.1.2. Information in case of impossibility to take due diligence measures using information technology tools;

27.1.3. Circumstances of refusal to establish a business relationship or conclude a transaction, including a one-off transaction - at the initiative of the person involved in the transaction or the customer, if the refusal is related to the application of due diligence measures by the obliged person;

27.1.4. Originals or copies of documents serving as a basis for identification and verification of the submitted information. If the person is identified digitally, i.e. without being in the same place as the person, the data of the document for digital identification, information on the entry of the electronic request in the database of identification documents and sound and video recordings of the identification and verification procedure, as well as other data (logs, etc.) evidencing the verification of the information obtained during the identification (including the existence of two separate sources) shall be recorded and retained in accordance with the chosen measure. Data shall not be recorded and retained to the extent that the obliged organization cannot reproduce the aforementioned data within the five-year data retention period. The obliged entity shall demonstrate at all times that it has verified the data obtained in the course of the identification and shall indicate a reliable and independent source of the data as well as the origin of the two sources;

27.1.5. Documents that serve as a basis for establishing a business relationship but are not specified in clause 26.1.4, incl. documents collected in the course of due diligence;

27.1.6. The date or period of the transaction and a description of the contents of the transaction;

27.1.7. Also the following transaction data:

27.1.7.1. When making transactions with a representative of a civil partnership, community or other association of persons that does not have the status of a legal entity, trust fund or trustee, the fact that the person has such status, an extract from the registration card or certificate of the registrar of the register in which the association of persons that does not have the status of a legal entity is registered;

27.1.7.2. When opening an account, the type of account, number, currency, and significant characteristics of the securities or other property;

27.1.7.3. When accepting property into escrow, the escrow number and the market value of the property on the date of escrow or a detailed description of the property if the market value of the property cannot be determined;

27.1.7.4. When renting or using a safe deposit box or safe deposit box at a bank - the number of the safe deposit box or safe deposit box;

27.1.7.5. When making a payment on shares, bonds or other securities - type of securities, monetary value of the transaction, currency and account number;

27.1.7.6. At the conclusion of insurance contracts, the debt on the account number in the amount of the amount of the first insurance premium;

27.1.7.7. When making a payment under the insurance contract, the number of the account to which the amount of the payment has been credited;

27.1.7.8. In the case of payment intermediation, information on which is mandatory under international legal norms;

27.1.7.9. In case of another transaction, the transaction amount, currency and account number;

27.1.8. Data and documents collected in the course of monitoring business relationships, including documents collected in the course of applying due diligence measures (covering all analyses related to understanding transactions and measures to identify the background and purpose of complex, costly and unusual transactions and patterns of transactions that have no basis or obvious economic or legitimate purpose or are uncharacteristic of the specific nature of the business in question);

27.1.9. all correspondence related to the fulfillment of obligations arising from these guidelines and the applicable CR OPFTDILPD Act.

27.1.10. Information giving rise to a duty to report to the Financial Intelligence Unit;

27.1.11. Data on suspicious or unusual transactions or circumstances that have not been reported to the financial intelligence unit;

27.1.12. Information on the circumstances in which the business relationship was terminated due to failure to apply due diligence.

27.2. Data arising from clause 24.1 (except for clause 24.1.10) must be kept for 5 years after the expiry of the business relationship or the completion of a one-off transaction. Data relating to the fulfillment of a reporting obligation arising from clause 24.1.10 must be kept for 5 years after the fulfillment of the reporting obligation.

27.3. If the obliged person, in order to apply due diligence measures, makes a request to a database that is part of the state information system, the data retention obligations will be considered fulfilled if the information on the sending of an electronic request to the specified address of the registry can be reproduced within five years after the expiration of the business relationship or the completion of an occasional transaction.

27.4. The obliged person shall delete the stored data upon expiry of the term, unless the legislation governing the relevant field establishes a different procedure. On the basis of a prescription of the competent supervisory authority, data important for the prevention, detection or investigation of money laundering or terrorist financing may be retained for a longer period, but not more than five years after the expiration of the first period.

27.5. Records and data should be maintained in such a way as to provide comprehensive and immediate responses to requests from the Financial Intelligence Unit or, in accordance with the law, other supervisory authorities, investigative bodies or a court. This also includes whether the obligated entity has had a business relationship with the person named in the request within the last five years and the nature of that relationship.

27.5.1. The method of storing documents and data also includes systematically storing the data. This includes, for example, separating documents and data collected during due diligence measures applied in the course of establishing a business relationship into chronological order, among other things, and storing documents and data collected during due diligence. measures applied in the course of monitoring a business relationship in such a way that it is possible to quickly and clearly link them to the transactions entered into (if necessary, naming the documents and storing them in chronological order).

27.6. After the implementation carried out on the basis of the KR legislation in the field of the KR OPFTDIILPD Law, the obliged person shall retain the data of the document provided for the digital identification of the person, information about the electronic inquiry into the database of identity documents, as well as audio and video recordings of the procedure of identification and verification of the person's identity for at least five years after the termination of the business relationship.

27.7. The obliged person implements all rules of personal data protection when applying the requirements arising from the applicable legislation of the KR in the field of the Law of the KR OPFTDIILPD.

27.8. The obligated person is allowed to process personal data collected in the implementation of the applicable legislation of the KR in the field of the KR OPFTDILPD Act. And exclusively only for the purpose of preventing money laundering and terrorist financing, and the data shall not be subjected to additional processing in a manner inconsistent with the purpose, e.g. for marketing purposes.

27.9. The obliged person shall provide information on the processing of personal data before establishing a business relationship or conducting a one-off transaction with them. This information includes general information on the obliged person's duties and obligations when processing personal data for AML/CFT purposes.

 

28. AVOIDING CONFLICTS OF INTEREST.

28.1. The obliged person and the employees of the obliged person shall avoid conflicts of interest and, if they arise, shall immediately notify the superior management body or the compliance officer of the obliged person.

28.2. A conflict of interest means all circumstances known to the obliged person or his/her employees that may influence the decision to commit a transaction or business relationship and that is not in the best interests of the obligated person or its customer.

28.3. In order to achieve the objective of preventing conflicts of interest, the obligated entity shall collect and regularly update data on its employees to identify their interests in the context of preventing money laundering and terrorist financing. The obliged organization shall collect the following data on each employee:

• The place of birth and residence of the employee;
• Other positions and contracts the worker has in the context of the economic sphere;
• Details of the employee's close relatives (spouse, parents, children, siblings and their child) for each person, place of birth, place of residence and place of work.
• Other data known to the employee that may indicate an interest in the context of preventing money laundering and terrorist financing.

28.4. Failure by the employee to provide the information specified in clause 28.3 shall be considered a material breach of the employment contract and may result in the termination of the employment contract on an emergency basis for good cause by the employee.

28.5. The obliged entity shall identify and analyze, in particular, whether persons referring customers to the obliged entity (e.g. agents, resellers, etc...)have any interests in relation to the customer (e.g. to provide them with legal services, accounting services, company formation services and other legal structures, etc...) that give rise to a conflict of interest between the person referring customers to the obliged entity and the customer.

28.6. If a conflict of interest or circumstances indicating a conflict of interest are identified, the obliged person shall take all necessary measures to prevent it. If it is impossible to prevent a conflict of interest, the obliged person shall not enter into any transactions or establish business relations.

 

29. EDUCATION AND TRAINING.

29.1. The authorized organization shall ensure training of employees involved in the prevention of money laundering and terrorist financing, as well as senior management, including the Management Board of the Company. The persons to whom the violated organization has outsourced activities shall also be guaranteed to undergo training, meaning employees of all risk management protection lines.

29.2. First of all, training subjects should be informed about the requirements governing the prevention of money laundering and terrorist financing in terms of due diligence and reporting suspicions of money laundering. The training should provide information on, inter alia, the following:

• Principles specified in the obligated person's risk appetite document;
• Risks arising from the activities and services provided by the obligated person, including risks expected in the future;
• Obligations specified in the rule of procedure;
• Current money laundering and terrorist financing techniques and specific typologies/cases and their associated risks;
• How to recognize activities related to possible money laundering or terrorist financing and advice on how to deal with such situations.

29.3. The training shall take place when the employee starts work and the formation and implementation of the specified duties, and then regularly or as needed. The obliged person shall combine the explanatory and informative parts with a possible assessment of knowledge during the training, if necessary.

The frequency of training depends on the size of the requested entity and the nature, scope and level of complexity of the work and services provided, including the risk appetite and risks arising from the activities of the obliged person, but usually it is at least once a year. If necessary, employees are trained or informed more frequently, incl. when the rules of procedure are changed, significant changes in the risks arising from the activity occur, new trends and methods of money laundering and terrorist financing are identified, etc.

29.4. Training and knowledge testing of employees and other responsible persons shall be conducted at least once a year for each employee or responsible person.

29.5. The obligated person shall retain data on the training provider and participants, the training materials and, if applicable, the results obtained from the training (e.g. test results) in a format that can be reproduced in writing for at least two years after the training.

 

30. MONITORING COMPLIANCE WITH REGULATIONS AND PROCEDURES.

30.1. The Financial Intelligence Unit and/or other competent authorities and institutions designated by the relevant legislation shall supervise the compliance of the obliged person's management board with the Law on Prevention of Money Laundering and Terrorist Financing and legal acts issued on its basis in the territory of the Kyrgyz Republic.

30.2. The Management Board of the company, the responsible member of the Management Board or, if available, the Compliance Officer shall supervise and control the compliance of employees, structural units and the Compliance Officer of the obligated person with the AML requirements and the Law of the KR OPFTDILPD and the legal acts issued on its basis.

30.3. The competence of the employees of the imputed entity to comply with the requirements of the Law on Prevention of Money Laundering and Terrorist Financing and the legal acts issued on its basis:

30.3.1. Only employees who have been authorized by the board or a responsible board member and who have thoroughly reviewed the relevant legislation, information disclosed by the competent authorities, these guidelines and have sufficient knowledge of AML/KYC, engage in and have decisive authority to with respect to actions related to the fulfillment of the requirements of the KR OPFTDILPD Act and the legal acts issued thereunder, including engaging in and having decisive authority over the establishment and continuation of business relationships.

30.3.2. Employees and heads of structural subdivisions of the obligated person communicate, first of all, with the compliance officer, and in his/her absence - with the responsible member of the Management Board on issues related to the fulfillment of the requirements of the KR OPFTDILPD Law and legal acts issued on their basis. The responsible member of the Management Board always has the right to control the activities of employees, heads of structural subdivisions and compliance officer of the entrusted person.

30.4. The essence of due diligence obligations of employees and heads of structural subdivisions of the obliged person arising from the legislation in the field of combating money laundering and terrorist financing in the territory of the Kyrgyz Republic, internal regulations established by the board of the obliged person, and the nature of services provided by the obliged person are as follows:

30.4.1. employees and heads of structural subdivisions of the obliged person shall strictly comply:

• International sanctions legislation;
• Legislation on prevention of money laundering and terrorism financing on the territory of the Kyrgyz Republic;
• International legal norms and customs;
• Relevant instructions and orders of the financial intelligence unit and other competent authorities;
• Internal regulations and internal control rules issued by the governing board of the required organization;
• Appropriate and lawful orders of the board, the responsible board member and the compliance officer of the person in violation;

30.4.2. If an employee (or the head of a business unit) has any doubts regarding the fulfillment of any due diligence criteria or related criteria (or whether it is permissible to conclude a transaction or establish a business relationship) - the employee (or the head of a business unit) shall immediately contact his/her immediate superior (head of a business unit, compliance officer, responsible member of the management board), terminate the transaction or business relationship until a response is received and the procedure

30.5. The obliged person shall apply the following system of internal control over the fulfillment of the requirements of the KR legislation in the field of the KR OPFTDIILPD Law, legal acts issued on their basis, internal regulations and internal control:

30.5.1. The activities of the employees of the obligated organization are monitored and controlled:

• By the head of the employee's structural unit;
• In the absence of the head of the structural subdivision of the employee of the responsible member of the Management Board and/or Compliance Officer;

30.5.1.2.the employee shall be obliged to transfer all relevant data concerning the obliged person's customers and the nature of business relations established with them, including the customer's personal data, data on the customer's transactions, results of due diligence application and other important information to the head of the employee's structural unit, and in his/her absence - to the responsible member of the management board and/or compliance officer not later than the next business day after the data collection and the end of due diligence application;

30.5.2. The activity of the head of the structural subdivision of the obliged person is controlled and monitored by the responsible member of the Management Board and/or compliance officer;

30.5.2.1. The head of the structural unit of the obligated person shall forward all relevant data collected by him or the employees of his structural unit concerning the customers of the obligated person and the nature of the business relations established with them to the Compliance Officer and/or the responsible member of the Management Board with relevant reports at least once a month;

30.5.3. The compliance officer of the obligated person, if any, is supervised and controlled by a responsible member of the board or management board;

30.5.3.1. The Compliance Officer shall verify the relevant information provided by the employees and heads of structural subdivisions of the obliged person about the clients of the obliged person and the nature of business relations established with them, and shall organize the preservation of this information in accordance with the legislation of the KR in the field of the KR OPFTDILPD Law and these recommendations. The Compliance Officer is obliged to submit relevant reports to the responsible member of the Board at least once a quarter;

30.5.4. The obliged person and the responsible member of the management board shall be supervised and monitored by the management board or by a person, structural unit or institution temporarily or permanently appointed by the general meeting of shareholders;

30.6. The Compliance Officer, responsible member of the Management Board or the Management Board of the obligated person shall inform the company's employees on a continuous basis about changes in the legislation of the Kyrgyz Republic, new regulatory provisions of supervisory authorities, the activities of the obligated person, changes in risk assessments and criteria related to customers or certain groups of customers, changes in the short-term and long- term business doctrine of the company and individual points of view and guidelines (which are the result of the market situation, political and economic situation, race, etc.). The above-mentioned information and communications shall not be formalized as an appendix to these instructions and may be communicated at meetings, through the heads of business units, by e-mail or verbally, but regardless of the method of delivery, it is mandatory to follow them. and comply with them;

30.7. Violation of the duty to apply due diligence measures in accordance with the KR legislation in the field of the KR OPFTDILPD Act, failure to comply with the order of the Board or Compliance Officer, failure to notify the responsible member of the Board, In case of suspicion of money laundering or terrorism financing by the Management Board, Compliance Officer, or the Financial Intelligence Service directly or through the head of a structural subdivision, it is sufficient grounds for initiating disciplinary proceedings against the employee and/or the head of the structural subdivision and termination of employment;

30.8. The board of the obligated entity should ensure that the resources allocated to meet the obligations under the KR legislation on combating the financing of terrorist activities and money laundering and these guidelines are adequate, and that the staff directly involved in the performance of duties in such circumstances where the obligations arising from the above KR law and these guidelines are fully known.

30.9. An authorized person is not obliged to conduct an internal audit, except for cases when it is required by a responsible member of the Management Board, the Management Board, the General Meeting of Shareholders or if conducting an internal audit is stipulated by the legislation of the Kyrgyz Republic.

30.10. The internal audit assesses, among other things, the following:

• The governance structure of the obliged organization for the prevention of money laundering and terrorist financing is adequate;

• Existing policies and actions/procedures remain relevant and consistent with requirements arising from legislation and international practice, as well as regulatory requirements and the risk appetite and strategy of the obligated person;

• Activities/procedures are in compliance with the current KR legislation in the field of the KR OPFTDIILPD Law and regulations, decisions of the governing body;

• Actions/procedures are performed correctly and efficiently;

• The activities of the first line of defense and the second line of defense through the compliance and risk management functions that relate to the management of risks arising from the activities and services provided by the obligated person are appropriate, of high quality and effective;

• The obligated person's methods are appropriate and adequate to prevent money laundering and terrorist financing and are consistent with the needs of the organization and the expectations of supervisory authorities.

These internal regulations and guidelines for internal control in the field of anti-money laundering, countering the financing of terrorism and financing the proliferation of weapons of mass destruction have been adopted and approved.

Date: 10.02.2024.

General Director Morev R.V.

 

31. CONTACT INFORMATION.

Legal address: Kyrgyz Republic, Bishkek city, Pervomaisky district, 125/1 Tower B. Toktogul Street, Office 1006

Electronic address/email: [email protected]

Web resource: www.Tokenspot.kg, tokenspot.com

 

32. INSTRUCTION ON DETECTION, MANAGEMENT AND PREVENTION OF RISKS.

The obliged organization must identify, assess and understand the risks associated with money laundering and terrorist financing in its own activities, as well as in the activities of its customers, and apply measures to mitigate those risks.
The measures applied should be commensurate with the degree of risk identified. As part of the risk-based approach, the obligated entity should assess the likelihood of the risks materializing and the consequences of such an event. In assessing the likelihood, consideration should be given to the possibility of occurrence of relevant circumstances, including the possibility of occurrence of potential risks that may affect the activities of both the customer and the service provider, as well as the probability that the probability of occurrence of this risk increases. The obliged person shall be obliged to prepare a risk assessment in order to identify, assess and analyze the risks associated with its activities. on money laundering and terrorist financing, and financial sanctions. Measures taken to identify, assess and analyze risks shall be proportional to the nature, size and level of complexity of the obliged person's economic and professional activities.
This model for the identification and management of risks associated with the client and its activities is prepared to apply the obligations arising from the requirement of applicable international law and applicable KR legislation in the field of the KR OPFTDILPD Law and includes:

1. a model for identifying and managing risks arising from the customer and its activities and determining the customer's risk profile;
2. A model for identifying and managing risks arising from the obligated person's activities, including the identification and management of risks associated with new and available technologies, services and products, including new or non-traditional sales channels and new or emerging technologies.

The following risk scale is used in these instructions:

A-low risk (1 risk score)

There are no influential risk factors in any risk category, the client himself and his activities are transparent and do not deviate from normal activities, i.e. the activities of a reasonable and average person, in this field of activity, and there is no suspicion that the risk factors as a whole could lead to the realization of the risk of money laundering or terrorist financing.

B- normal risk I (2 risk points)
In the risk category, there are one or more risk factors that deviate from the normal activities of a person operating in this field of activity, but the activity is still transparent and there is no suspicion that the risk factors together could lead to the realization of a risk of money laundering or terrorist financing.
C- high risk (Z risk score)
In the risk category, there is one or more risk factors, which generally raises suspicion about the transparency of the person and their activities, which causes the person to deviate from persons normally operating in that area of activity, and it is at least possible that money laundering or terrorist financing is taking place.

Duty-bearers must perform all due diligence measures. The extent of the measures depends on the nature of the specific business relationship or transaction or the risk level of the person or customer involved in the transaction or action, i.e. the "know your customer" principle must be observed. In identifying and determining the risk levels of the customer or person involved in the transaction, the obliged person shall take into account, among other things, the following risk categories:

 

1. RISK ASSOCIATED WITH THE BUYER.

Low risk is when the client:
• a company listed on a regulated market that is subject to disclosure obligations that impose requirements to ensure sufficient transparency with respect to beneficial ownership;
• a legal entity governed by public law established in the KR;
• a government agency or other institution performing public functions in the ROC or a contracting state of the international community
• the establishment of the European Union;

A common risk is when a client:
• individual;
• a company with a solid and transparent structure and data of management bodies and beneficial owners, not listed on the market;
• nonprofit association (MTU);
High risk is when a customer:
• the beneficial owner of an individual is a third party;
• customer - a legal entity of any form, whose structure of management bodies and/or trust management is misleading for all owners, and the relevant data are verified on the basis of the statement of the customer's representative and/or internal or non-public documents provided by the customer;
• the customer company or a company related to the customer has shareholders acting as nominee or bearer shares;
• the ownership structure of the client company appears unusual or overly complex when considering the company's operations;
• the customer is a foundation, civil partnership, trust, or general fund;
• the customer is a person registered in a low-tax territory. A list of countries that are not considered low-tax territories is available at:
• the client is subject to European Union or UN sanctions, a list of which can be found on the Financial Intelligence Unit's homepage at:

 

2. RISK, RELATED WITH COUNTRIES OR GEOGRAPHIC TERRITORIES OR JURISDICTIONS.

Low risk is when the client:

• the client from the KR or his residence or location (hereinafter referred to as the location) is located in the territory of the KR;
• the client's location is in another country of the European Union or the European Economic Area;
• the location of the customer is in a third equivalent country, as provided for by the common position adopted by the European Union, which includes Australia, Hong Kong, India, Japan, South Korea, Singapore, Switzerland, USA;
Ordinary risk - when the client is located in a third country not listed above, except for a high risk third country;
High risk is considered in circumstances where the risk is primarily increased in such a case where the customer, the person involved in the transaction, or the transaction itself is associated with a country or jurisdiction that, based on reliable sources in the country, such as mutual evaluation, detailed evaluation reports, or published follow-up reports, has current and effective systems in place to prevent money laundering and terrorist financing. Third high-risk countries include Afghanistan, Albania, Burkina Faso, Barbados, Cayman Islands, Cambodia, Haiti, Jamaica, Jordan, Mali, Morocco, Myanmar, Nicaragua, Panama, Philippines, Senegal, Syria, Iran, DPRK, Bahamas, Barbados, Botswana, Cambodia, Ghana, Iraq, Jamaica, Mauritius, Nicaragua, Panama, Trinidad and Tobago, Vanuatu, Canada, Japan, Mongolia, Taiwan, Venezuela,. In addition, the following countries or jurisdictions indicate a high-risk customer, a person involved in the transaction or the transaction itself:
We do not provide our services to residents of the following countries: Countries of the European Union, USA, Belarus, Russia.
• that have a significant level of corruption or other criminal activity according to credible sources. The annual Corruption Perceptions Index (CPI) data published by Transparency International (TI) is used to assess this, with high risk indicated by a CPI score of 39 or below.
• subject to sanctions, embargoes or similar measures imposed, for example, by the European Union or the United Nations.
• that provide financing or support for terrorist activities. These countries include the DPRK, Syria, Sudan and Iran.
• that have designated terrorist organizations operating on their territory as designated by the European Union or the United Nations. These countries primarily include Syria, Iraq, Libya, Sudan, Somalia, Somalia, Nigeria, Pakistan, Lebanon, Palestine, Sri Lanka, the Philippines, and Syria.

 

3. THE RISK ASSOCIATED WITH THE CUSTOMER'S ACTIVITIES AND THE PRODUCTS OR SERVICES PROVIDED.

Low risk - when the customer is a person engaged in ordinary and usual business and professional activities and the turnover of the customer's financial instruments or the planned turnover of financial instruments is significantly low and does not exceed EUR 40,000 per year;
Ordinary risk - when the customer is a person engaged in usual and customary business and professional activities and turnover of financial instruments the client, or the planned turnover of financial instruments, exceeds 40,000 euros per year;
High risk - when the business relationship arises under unusual circumstances, including when transactions are complex and of an unusually large scale, when transaction patterns are unusual, or when the customer is a legal entity or other association of persons without legal personality, when their economic activities do not have a reasonable and clear economic or legal purpose or are not characteristic of a particular field of activity, or when the customer's activities include any of the following, regardless of the amount of turnover:
• private or personal banking;
• Providing or brokering a product or service that may contribute to anonymity;
• possession of personal property;
• carrying out transactions with large amounts of cash;
• currency exchange, conversion operations;
• providing a virtual currency exchange service for fiat currency or a virtual currency wallet service;
• Providing gaming services (in casinos, on the Internet or at sporting events);
• purchase and sale of gold (including scrap gold), other precious metals or precious stones;
• buying and selling luxury goods;
• providing online advertising;
• providing innovative services;
• Creation, sale and management of companies;
• other activities with a higher than normal risk of money laundering or terrorist financing;

 

4. THE RISK ASSOCIATED WITH BILLING AND TRANSACTION CALCULATIONS.

Low risk is when:
• a long-term contract with the customer is concluded in written or electronic form or in a form that can be reproduced in writing;
• the total value of incoming or outgoing payments for transactions concluded within the framework of the business relationship does not exceed €15,000 per year.
Ordinary risk - when a customer uses the following during transactions with an obligated person:
• a limited amount of cash not exceeding €32,000 or an equivalent amount in another currency, whether the transaction is made in a single payment or in several linked payments over a period of up to one year;
• a credit institution, financial institution, payment institution or payment system that is not located in a high-risk third country or that does not promote anonymity and that, according to its own experience or independent sources, is reliable and has controls against money laundering and terrorism. funding;
High risk - when a customer uses the following during transactions with an obligated person:
• a credit institution, financial institution, payment institution, or tax system that promotes anonymity;
• settlement channels and accounts belonging to unknown or unrelated third parties;
• settlement channels and accounts belonging to third parties that are unknown or unrelated;
• A large amount of cash exceeding €32,000 or an equivalent amount in another currency, regardless of whether the transaction is made in a single payment or in several linked payments over a period of up to one year;

 

5. RISK ARISING FROM A POLITICALLY EXPOSED PERSON

Low risk - where the client is not a politically exposed person, a family member of a politically exposed person, or a person known to be a close partner of the client who is a politically exposed person;
**Ordinary risk **- when the client is a politically exposed person, a family member of a politically exposed person or a person known to be a close partner of the client. In such a case due diligence measures stipulated by the KR legislation in the area of the KR OPFTDILPD Act are applied in addition to the usual due diligence measures. The client's biography is checked first of all with the help of:
• provision of information by the customer and their presentation;
• using the GOOGLE search engine, searching by the client's Latin name and date of birth;
• using information available on the Financial Intelligence Service web page.
High risk - when the client is a politically exposed person, a family member of a politically exposed person or a person known to be a close partner of the client. In such a case due diligence measures stipulated by the KR legislation in the area of the KR OPFTDILPD Act are applied in addition to the usual due diligence measures. The client's biography is checked first of all with the help of:
• information and statements received from the customer;
• using Google and the local search engine of the client's country of origin, if any, by entering the client's name in both Latin and local alphabet with the client's date of birth.
• using the local database of politically exposed persons, if it exists.

 

6. THE RISK ASSOCIATED WITH CUSTOMER IDENTIFICATION.

Low risk - when:
• a natural person who is a resident of the KR is identified person-to-person on the basis of documents stipulated by the KR OPFTDIILPD Law
A common risk is when:
• the client-foreign natural person is identified in person on the basis of the documents stipulated by the Law of KR OPFTDILPD;
• The identity of a natural or legal person shall be certified by an officially certified set of documents, in accordance with the KR OPFTDILPD Law High risk is when:
• during the identification or verification of the information provided, suspicions have arisen regarding the reality of the information provided or the authenticity of documents or the identity of the beneficial owner;
• A business relationship or transaction that is established or initiated in such a way that the customer, the customer's representative, or a party to the transaction does not physically meet at the same location;
• the person is identified on the basis of other information originating from a reliable and independent source, including electronic identification means and trust services for electronic transactions, thereby using at least two different sources for data verification.
• representative of the customer is a legal entity.

 

7. THE RISK ASSOCIATED WITH THE COMMUNICATION OR TRANSMISSION CHANNELS BETWEEN THE OBLIGATED PERSON AND THE CUSTOMER.

Low risk - when:
• the customer communicates through a communication or intermediary channel agreed upon at the beginning of the business relationship or transaction, or reliably changed over the course of the business relationship;
• products or services are delivered to the customer through a securely modified delivery channel in the course of a business relationship or transaction.
A common risk is when:
• At the beginning of a business relationship or transaction, the customer communicates through a temporary channel of communication or mediation;
• products or services are delivered to the customer through another temporary delivery channel for the products or services, transmitted through an agreed communication channel or intermediary channel initiated by a business relationship or transaction.
High risk is when:

• the client is communicated through a random, unreliable or unusual channel of communication or mediation;
• products or services are delivered to the customer through a random, unreliable or unusual delivery channel;
• the presence and nature of the risk factor associated with the service provider used to provide the service or product being sold;
• the distance between the customer's location and the service or product offered is considerably long;

Taking into account the above risk categories, the obliged person must determine the risk level of the person involved in the transaction or the customer, e.g., whether the customer's money laundering or terrorist financing risk is low, normal or high, or is consistent with other risk levels specified and utilized by the obliged person.
In order to determine the impact of each risk category, the obligated entity must assess the likelihood of the risk factors in that risk category occurring. To determine the impact of a risk category, the qualifying value of the presence of the risk factors that characterize it can be used to consider a particular risk factor as having an impact or 'no impact' on that individual above a certain threshold.

Instructions on how to determine low risk:
• Generally, a customer's risk level is low if there is no influential risk factor in any of the risk categories, so it can be concluded that the customer and its activities do not differ in characteristics from normal and transparent activities and there is no doubt that the customer's activities may facilitate money laundering and terrorist financing.
• In situations where due diligence is required by legal acts and information about the customer and its beneficial owner is publicly available, where the person's activities and transactions are consistent with its usual economic activities and do not differ from other similar methods of customer payment behavior, or where there are quantitative or other absolute limits, the obligated entity may consider the expected risk of money laundering or terrorist financing to the customer to be low.
• In a situation where at least one risk category qualifies as high, the risk of money laundering or terrorist financing generally cannot be low. On the contrary, a low risk level does not necessarily mean that the customer's activities cannot be associated with money laundering or terrorist financing.
• if the risk arising from the business relationship, customer or party to the transaction or transaction is low, based on the risk levels assigned to the party or customer, and other conditions stipulated by the KR OPFTDILPD Law are met, the obligated entity may apply simplified due diligence measures. In the case of simplified due diligence measures, the obligated entity may determine the extent of compliance with the due diligence measures.

Instructions for determining high risk:
• In general, a customer's risk level may be considered high if, when assessing the risk categories as a whole, there is a suspicion that the customer's activities are not usual or transparent, including influential risk factors, and it can be assumed that the risk of money laundering or terrorist financing is high or significantly increased. The customer's risk level is also high if a particular feature of the risk factor indicates this. However, a high risk does not necessarily mean that the customer is engaged in money laundering or terrorist financing.
• If the obligated person believes that the risk of the customer or the person involved in the transaction is high, the obligated person should apply enhanced due diligence.
Measures for proper management of relevant risks. Due diligence measures should be applied in accordance with the provisions of the KR OPFTDILPD Law.
The obligated body should document, update and disclose the determination of the level of risk to the competent authorities, as appropriate. These internal regulations and guidelines for internal control in the field of anti-money laundering, countering the financing of terrorism and financing the proliferation of weapons of mass destruction have been adopted and approved.

Date: 01.02.2024