INTERNAL CONTROL GUIDELINES

INTRODUCTION

These Internal Control Guidelines (hereinafter the Internal Control Guidelines) establish the internal control principles of the Company for compliance with the obligations provided for in the Guidelines and related to the prevention of money laundering and terrorist financing and implementation of international sanctions.

These Internal Control Guidelines have been adopted to ensure that the Company complies with the rules and regulations set out in:

  • the Estonian Money Laundering and Terrorist Financing Prevention Act (MLTFPA);
  • the Estonian International Sanctions Act (ISA);
  • the Estonian Financial Supervision Authority and the Estonian Financial Intelligence Unit’s general guidelines regarding measures against money laundering, terrorist financing and regarding implementation of international sanctions;
  • DIRECTIVE (EU) 2018/843 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (AMLD5).

These Internal Control Guidelines regulate and establish internal control principles in the following fields:

  • the Company's compliance with the established risk assessment policy and risk appetite;
  • implementation of customer due diligence measures;
  • implementation of Sanctions;
  • the Company's obligation to refuse a transaction or business relationship and to terminate them;
  • the Company's reporting obligation to the FIU;
  • the Company's training obligation regarding the AML/CFT requirements;
  • the Company's obligation to collect and preserve data, which arises from the MLTFPA and ISA;
  • the Company's compliance with the established procedure for avoiding conflicts of interests.

The terms used in these Internal Control Guidelines shall be interpreted in accordance with the definitions provided for in the Guidelines, to which these Internal Control Guidelines are an annex.

GENERAL PRINCIPLES OF PERFORMING INTERNAL CONTROL

The internal control obligations provided for in these Internal Control Guidelines shall be performed by the Internal Control Officer appointed by the Management Board to perform internal control (hereinafter – the Internal Control Officer). The Internal Control Officer must have the required competency, tools, and access to the relevant information in all structural units of the Company.

The Internal Control Officer must immediately inform the MLRO and the Management Board about all deficiencies determined when performing the internal control.

The Employees, MLRO and Management Board shall provide to the Internal Control Officer as soon as possible all requested information and data, which is necessary for performance of the internal control.

The internal control specified in the Internal Control Guidelines shall be performed with the following principles:

Professionalism: the persons performing the internal control shall:

  • perform their work ethically, with honesty and responsibility;
  • only undertake the internal control activities if competent to do so;
  • perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings;
  • be sensitive to any influences that may be exerted on their judgement while carrying out the internal control.

Fair presentation: the internal control observations, its conclusions and reports should reflect truthfully and accurately the internal control activities. Significant impediments faced during the internal control and unresolved diverging opinions between the parties should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.

Due professional care: the persons performing the internal control should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the Company. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all internal control situations.

Confidentiality: the persons performing the internal control should exercise discretion in the use and protection of information acquired in the course of their duties. The internal control information should not be used inappropriately for personal gain, or in a manner detrimental to the legitimate interests of the Company. This concept includes the proper handling of sensitive or confidential information.

Independence: the persons performing the internal control should be independent of the controlled activity wherever practicable and should in all cases act in a manner that is free from bias and conflict of interest. The persons performing the internal control should be independent from the function being controlled if practicable. The persons performing the internal control should maintain objectivity throughout the internal control process to ensure that the internal control observations and conclusions are based only on the data obtained when performing the internal control functions. For small organizations, it may not be possible for such persons to be fully independent of the activity being controlled, but every effort should be made to encourage objectivity and to remove bias.

Evidence-based approach: the internal control data should be verifiable. It should in general be based on samples of the information available, since the internal control is conducted during a certain period and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the internal control conclusions.

Risk-based approach: the risk-based approach should substantively influence the planning, conducting and reporting of the internal control in order to ensure that the internal control is focused on matters that are significant for the Company.

INTERNAL CONTROL MEASURES

The internal control measures specified above shall be performed at the time determined by the Internal Control Officer with the frequency set by him or her, at least once per month, if the Internal Control Guidelines do not expressly provide otherwise.

The results of implementation of above-mentioned internal control measures shall be saved by the Internal Control Officer in accordance with the Internal Control Guidelines.

If a number of Customers or transactions must be chosen for implementing internal control measures, that number shall be at least 10 (if the total number of Customers or transactions exceeds 10). Half of the Customers or transactions shall be chosen randomly and the other half shall be chosen by a criteria check (e.g. high risk level, largest transactions, non-EU residents, etc.). The exact criteria shall be determined by the Internal Control Officer.

Where internal control measures have already been implemented regarding certain information (e.g. regarding a Customer or transaction), a repeated review shall be performed only if it is reasonable in the Internal Control Officer’s opinion (e.g. if the data may have changed since the previous review).

The list of internal control measures specified above is non-exhaustive, and any other internal control measure may be performed by the Internal Control Officer with the prior consent of the Management Board.

Risk assessment and risk appetite

The target of the implementation of internal control measures for Company’s compliance with established risk assessment policy (incl. established risk appetite) is examination of the following circumstances:

  • the Company establishes and uses a risk-based approach when providing services to the Customers (e.g. CDD is implemented in accordance with the risk level);
  • the Company has determined the factors that affect the emergence of ML/TF risks, and the determined factors are relevant;
  • the Company has determined and assessed the ML/TF risks of all services which the Company provides;
  • the Company composed the risk profile of the Customer prior to performing transactions or creating a business relationship;
  • the Company updates the risk profile of the Customer on a regular basis;
  • the Company follows the established risk appetite;
  • the Company keeps records of all incidents in accordance with the established risk assessment policy;
  • the risk assessment policy was reviewed during the last year and there is no information that the MLRO had required an earlier review.

To examine the circumstances listed above, the Internal Control Officer shall perform at least the following actions:

  • to examine the Customers' profiles for the presence of the risk levels set for the Customers;
  • to verify compliance with the established risk factors in the risk profiles of a certain number of Customers;
  • to examine data collected by the MLRO which may show changes in the set risk factors (not more often than quarterly);
  • to receive from the Management Board confirmation that the services description (an annex to the risk assessment policy) is relevant (not more often than quarterly);
  • to verify the presence of the established services risks and the mitigation measures for such risks (not more than once per 3 months or in case of updates in the related document);
  • to compare, for a certain number of Customers, the date of the first transaction with the date on which CDD measures were implemented for these Customers;
  • to compare the onboarding date of a certain number of Customers with their risk level to determine the necessity of a risk level update and to check for compliance with the requirements on the risk level update;
  • to compare the transactions and data of a certain number of Customers with the risk appetite and the factors determining the risk appetite of the Company;
  • to control the Company's incidents register and other relevant data;
  • to receive from the Management Board confirmation that the risk assessment policy was reviewed during the last year (not more often than quarterly);
  • to receive from the MLRO confirmation that the MLRO had not required an earlier review of the risk assessment policy (not more often than quarterly).

Customer due diligence measures implementation

The target of the implementation of internal control measures for Company’s compliance with CDD measures implementation is an examination of the following circumstances:

  • the Company applies the CDD measures prescribed by the Guidelines to all relevant Customers;
  • the Company collects proper documents and information when applying CDD measures;
  • the Company properly verifies data and documents collected when applying CDD measures;
  • the Company applies the relevant level of CDD measures (e.g. EDD measures, etc.);
  • the Company applies proper EDD measures to specific Customers (e.g. PEP, high-risk country, etc.);
  • the Company performs Customers' identification in accordance with the established procedure;
  • the Company properly identifies Customers' representative(s);
  • the Company properly identifies Customers' beneficial owners;
  • the Company properly identifies Customers' PEP status;
  • the Company properly identifies the purpose and nature of the business relationship or transaction;
  • the Company properly monitors business relationships with Customers.

To examine the circumstances listed above, the Internal Control Officer shall perform at least the following actions against a certain number of Customers in accordance with the Guidelines:

  • to check the existence of all information and documents required;
  • to check that information and documents are collected;
  • to check the existence of data regarding verification of information and the sources used for verification;
  • to check the application of EDD measures;
  • to ask the MLRO for information regarding the number of Customers with EDD measures applied and to check a certain number of these Customers to verify that EDD measures were applied in accordance with the Guidelines (incl. the chosen measures and their amount);
  • to check the performance of the onboarding procedure;
  • to check the implementation of CDD measures (incl. the Customer's onboarding procedure).

Implementation of Sanctions

The target of the implementation of internal control measures for Company’s compliance with implementation of Sanctions is an examination of the following circumstances:

  • the Company applies a procedure for identification of a subject of Sanctions or a transaction violating Sanctions;
  • the Company performs actions if it identifies a subject of Sanctions or a transaction violating Sanctions.

To examine the circumstances listed above, the Internal Control Officer shall perform at least the following actions:

  • to check the performance of the procedure for identification of a subject of Sanctions or a transaction violating Sanctions regarding a certain number of Customers;
  • to ask the MLRO for information regarding the number of Customers and transactions where a requirement to implement Sanctions was determined and to check these transactions and Customers to verify that Sanctions were implemented in accordance with applicable legislation;
  • to ask the MLRO for information about notifications regarding Sanctions implementation and to check this information to verify that the relevant authorities were notified and Sanctions were applied.

Obligation to refuse a transaction or business relationship and to terminate them

The target of the implementation of internal control measures for Company’s compliance with the obligation to refuse a transaction or business relationship and to terminate them is an examination of the following circumstances:

  • the Company refuses a transaction or business relationship if it is obligatory in accordance with the Guidelines;
  • the Company refuses or terminates a transaction or business relationship if it is obligatory in accordance with the Guidelines.

To examine the circumstances listed above, the Internal Control Officer shall perform at least the following actions:

  • to check the performance of the procedure for refusal or termination of a transaction or business relationship in compliance with the Guidelines regarding a certain number of Customers;
  • to ask the MLRO for information regarding the Customers or transactions which were refused or terminated and to check these transactions or Customers to verify that they were refused or terminated in accordance with the Guidelines.

Reporting obligation

The target of the implementation of internal control measures for Company’s compliance with reporting obligation is an examination of the following circumstances:

  • the Company sends reports to the FIU if it is required by the Guidelines (incl. the relevant FIU guidelines);
  • the reports sent to the FIU are filled in accordance with the FIU’s guidelines.

To examine the circumstances listed above, the Internal Control Officer shall perform at least the following actions:

  • to check the performance of the reporting obligation in compliance with the Guidelines and the applicable legislation regarding a certain number of Customers;
  • to ask the MLRO for information regarding performance of the reporting obligation and to check these transactions or Customers to verify that the reporting obligation was performed in accordance with the Guidelines.

Training obligation

The target of the implementation of internal control measures for Company’s compliance with training obligation in AML/CTF field is an examination of the following circumstances:

  • all Employees (incl. MLRO and Management Board members) have relevant training;
  • each Employee (incl. MLRO and Management Board members) has received training within the last 360 days.

To examine the circumstances listed above, the Internal Control Officer shall perform at least the following actions:

  • to ask the Management Board for the latest version of the list of Employees and their responsibilities and to check this list to verify that they have received training within the last 360 days.

Obligation of collection and preservation of data

The target of the implementation of internal control measures for Company’s compliance with obligation of collection and preservation of data is an examination of the following circumstances:

  • all data which shall be saved in accordance with the Guidelines (hereinafter in this chapter – the Saved Data) have been properly saved in chronological order in a format that allows the Saved Data to be analysed and understandably connected to other relevant data;
  • only Employees (incl. MLRO and Management Board members) or authorized third parties have access to the Saved Data;
  • the Saved Data in electronic format has a backup no older than 2 days;
  • the Saved Data in other formats (e.g. on paper) has a backup in electronic format;
  • the Saved Data is irrevocably deleted in accordance with the Guidelines.

To examine the circumstances listed above, the Internal Control Officer shall perform at least the following actions:

  • to review the Saved Data to verify that it has the relevant structure and format and is in chronological order;
  • to review the persons who have access to the Saved Data to verify that they are only Employees (incl. MLRO and Management Board members) or authorized third parties and, in the case of authorized third parties, to control their authorization for access;
  • to verify the existence of the backup(s) for the Saved Data;
  • to verify that the Saved Data that is to be deleted (e.g. 5 years after termination of the business relationship, etc.) is deleted irrevocably (incl. backups).

Avoiding conflicts of interests

The target of the implementation of internal control measures for Company’s compliance with requirement to avoid conflict of interests is an examination of the following circumstances:

  • all Employees (incl. MLRO and Management Board members) have declared their interests which may potentially conflict with the Company’s interests;
  • the Company and its Management Board take measures to avoid a conflict of interests if it occurs.

To examine the circumstances listed above, the Internal Control Officer shall perform at least the following actions:

  • to verify the existence of Employee questionnaires and to control the data provided by a certain number of Employees (incl. MLRO and Management Board members);
  • to ask the Management Board whether a conflict of interests has arisen and to control the measures implemented to avoid or prevent it.

REGISTRATION AND RETENTION OF DATA

The results of internal control measures implementation (hereinafter in this chapter – the Internal Control Data) shall be saved separately from other data and retained for 5 years.

Only Management Board members and the Internal Control Officer may have access to the Internal Control Data. The Internal Control Officer may provide access to the Internal Control Data to other Employees or third parties (e.g. advisors, auditors, etc.) only with the prior consent of the Management Board. Persons who have access to the Internal Control Data must not disclose it to anyone without the prior consent of the Management Board.

The Internal Control Data shall be saved in chronological order in a format that allows it to be analysed and understandably connected to other relevant data.

REPORTING TO THE MANAGEMENT BOARD

The Internal Control Officer shall provide the internal control report to the Management Board at least quarterly. The provided internal control report shall include at least the following:

  • period of exercising the internal control;
  • name and position of the person executing the internal control;
  • description of the internal control measures that have been performed;
  • results of the internal control;
  • general conclusions from the exercised internal control;
  • determined deficiencies which were eliminated in the period of exercising the internal control;
  • determined deficiencies which were not eliminated at the end of the period of exercising the internal control;
  • measures that are required to be implemented for elimination of the determined deficiencies.

The Management Board shall review the internal control report and adopt a resolution regarding it. The Internal Control Officer shall be notified about the essence of such resolution in a format which can be reproduced in writing.

ANNEXES

Annex title: Internal control report form

Document description: The report form, which the Internal Control Officer shall provide to the Management Board quarterly.