Policy on prevention of money laundering and terrorist financing (hereinafter – the Policy) establishes the procedures of Qmall (hereinafter – the Company) for implementation and daily compliance of the legal requirements on prevention of money laundering and terrorist financing (hereinafter – ML/TF).

The Company applies a risk-based approach when implementing measures to mitigate the risk of ML/TF.

The Company continually assesses and manages the ML/TF risks. The Company’s risk assessment consists of:

• Risk assessment at the Company level, which covers all activities of the Company, helps identify areas in which the Company has to implement priority risk management measures commensurate with the risks and the business specificities of the Company, the scope of its activities;
• Risk assessment of relationships and transactions with customers and transaction validation, which includes identification, other KYC procedures and ongoing monitoring;
• Continuous monitoring of the level of risk arising from the ongoing monitoring of customer transactions, monetary operations and status to match the Company’s customer profile and be not suspicious, ensuring that the information available to the Company is relevant, allowing an assessment of whether the level of risk has remained unchanged.

Comprehensive measures are to determine the risk of ML/TF both before and after establishing a business relationship with the customer, by analyzing the customer’s behavior and operations, transactions carried out and provided information/documents.

Customers are assigned to one of the identified risk groups: low, medium, high when establishing business relationships. Subsequently, the risk profile of the customer may be changed in the light of the results of the monitoring of business relationship.

The customer risk assessment is built on the principle that higher risk is given a bigger risk score.

Low-risk customers are those who carry extremely low risk of ML/TF, including low risk to the Company’s reputation.

Medium-risk customers rated as being at risk for some ML/TF by one or more attributes, but their status or operations carried out by them would not have the same impact on the Company’s reputation as high-risk customers or activities thereof. Medium-risk group customers include all those who does not fall under either low or high-risk customer categories.

High-risk customers are those in respect of whom the Company has a reasonable suspicion that they may significantly adversely affect the Company’s reputation.

High-risk customer is an individual who resides in a high-risk country or monitored jurisdictions as indicated by European commission and FATF; resides in a country included in a sanction list by European Union, United Nations Security Council, OFAC, HMT (UK); is political exposed person (PEP), family member or close associate of PEP, resides or is a citizen of USA, as well as legal entity that: is registered in a high-risk country or monitored jurisdictions as indicated by European commission and FATF; is registered in country included in a sanction list by European Union, United Nations Security Council, OFAC, HMT (UK); has  shareholder(-s) and/or UBO(-s) that are included in sanction list by United Nations Security Council, OFAC, HMT (UK); are citizens/residents of USA or country included in a sanction list by European Union; has formal shareholders, directors acting on behalf of another person or bearers shares; the ownership structure seems unusual or too complex depending on the nature of the its activities; legal form is association, partnership, trust, foundation or equivalent; business is cash-intensive; a sufficient number of companies have been registered at the Legal entity registered office address.

High-risk customers are outside of the Company`s risk appetite.

The Company does not establish business relationship with high-risk customers.

Customer due diligence (CDD) is a key responsibility of the Company in the implementation of the prevention of ML/TF.

The data provided by the customer must be verified on the basis of documents, data or information obtained from a reliable and independent source.

The information must be verified by various means and sources available by using a special tool.

In case of establishing a relationship with the customer, the customer’s business relationships, including transactions and operations, are monitored on an ongoing basis- ongoing customer due diligence (ODD) is applied. This shall ensure that transactions and operations are consistent with the Company’s information of the Customer, its business, risk profile and source of funds. The Company maintains real–time and retrospective monitoring of business relationships and operations.

Employees of the Company (incl. the CEO and the AML officer) must monitor customer’s transactions on an ongoing basis for any unusual operations or activities. Unusual features may be related to the size of the transaction, which is inconsistent with the customer’s financial position or past known business, the customer’s knowledge or experience, the unusual nature of the transaction as distinguished from other customer’s methods of operation or similar usual business practices, the complex structure of the transaction as compared to similar transactions in a similar profile of the customer or the market. ODD also means that the Company periodic updates of customer’s information.

In the event of any employee of the Company having any doubts about the legality, economic or legal validity of the customer’s activities or of any particular operation or transaction, its non-consistence with customer’s personal or business profile, sources of funds or financial capacity, the employee must immediately notify the AML Officer, who must then investigate further and determine decide on the necessity of reporting to the relevant control authority of the customer’s activity or transaction.

All communications to the relevant control authority are provided by the Company’s CEO or the AML Officer who are assigned to perform this function.

The Company or its employees are not liable to the customer for failure to perform their obligations or for damage if this occurs as a result of suspending an operation or transaction and reporting to the relevant control authority or because of failure by the customer to provide data to confirm his identity, or providing incomplete or incorrect information, or if customer or his representative avoids providing the information necessary to identify him/her.

Copies of the customer’s identity documents, beneficial owner’s identity data, other data received during the customer’s identification, documentation shall be retained for 8 years from the date of termination of transactions or business relationships with the customer.

Business correspondence with the customer must be stored for 5 years from the end of transactions or business relationship with the customer in paper or electronic form.

Documents or information supporting operation or transaction or other legal instruments relating to the performance of operations or transactions must be stored for 8 years from the date of operation or transaction.

Documents analyzing the results of the transaction investigation are stored in electronic database for 5 years.

Retention periods may be further extended additionally for a period not exceeding 2 years, upon motivated instruction of the competent authority.

All employees of the Company shall be introduced to the Policy upon their appointment. The CEO of the Company also identifies the need for internal training of the Company’s employees. In any case the training must be conducted at least once per year.