COMPLIANCE POLICY

(Anti-Money Laundering and Combating Financing Terrorism Policy)

1.INTRODUCTION

Money laundering and terrorist financing ultimately impact the wellbeing of every person in the world. The founders, executives and employees of Stablex Bilişim Teknoloji A.Ş. (hereinafter “Stablex” or “The Company”) are committed to joining the efforts of the international community and authorities to prevent and counter such illicit activities.

Stablex will establish and adhere to effective measures, codes of conduct, policies and procedures to ensure that:

All employees are aware of their responsibilities and obligations towards fulfilling the Company’s commitment.

Technology is utilized to the best capability to verify and authenticate the identities of customers and ensure that their transactions are suspicion free.

Suspicious or fraudulent activities or transactions are immediately and swiftly dealt with and reported to the concerned bodies.

This manual will describe the minimal internal policies and procedures that will be adhered to in the running of Stablex business. Compliance with it is mandatory for all Stablex employees and where possible, Stablex will choose suppliers and vendors who adopt similar measures to prevent and combat money laundering and the financing of terrorists.

2.SCOPE

This manual applies to the Stablex head office, branches, country offices, brokers, agents, white labels, and any other arrangement that entails the use of the Stablex platform.

3.RELATED DOCUMENTS/REFERENCES

Our company also observes the effective execution of legal compliance activities in its subsidiaries.

For Turkey, where the company's center is located, the regulatory and supervisory agency is:

Turkey Financial Intelligence Unit (MASAK): It carries out the task of determining the strategy for combating money laundering and the financing of terrorism and establishing the policies and legislation to be implemented.

Regulatory and supervisory authority for our future Estonian affiliate:

Estonia Financial Intelligence Unit: A unit of the Estonian Police & Border Guard Board that exercises supervision and uses enforcement powers of the state on the grounds and pursuant to the procedure prescribed by law.

Please find the details in Table-1.

4.TERMS & DEFINITIONS

a)What is money laundering? 

Conversion or transfer of property derived from criminal activity, or, property obtained instead of such property, knowing that such property is derived from criminal activity, or, from an act of participation in such activity, for the purpose of concealing, or disguising the illicit origin of the property, or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions.

The acquisition, possession or use of property derived from criminal activity, or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein.

The concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property derived from criminal activity or property obtained instead of such property, knowing that such property is derived from criminal activity or from an act of participation in such an activity.

b)What is terrorist financing? 

The allocation or raising of funds to plan or perform acts which are deemed to be acts of terrorism or to finance operations of terrorist organizations, or in the knowledge that the funds allocated or raised will be used for the aforementioned purposes.

c)What is a risk country?

Countries or regions of interest where the risk of money laundering or terrorism is high. A risk country is a country or jurisdiction that:

According to credible sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective anti-money laundering and combating the financing of terrorism (AML/CFT) systems.

According to credible sources has significant levels of corruption or other criminal activity.

Is subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations.

Provides funding or support for terrorist activities, or that has designated terrorist organizations operating within their country, as identified by the European Union or the United Nations.

d)What is a high-risk country? 

A country specified in a delegated act adopted on the basis of Article 9(2) of Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. The current list is available here: 

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.254.01.0001.01.ENG

e)Who is a politically exposed person (PEP)?

A natural person who performs or performed prominent public functions as well as their family members and close associates. Persons who, by the date of entry into a transaction, have not performed any prominent public functions for at least one year, as well as their family members or close associates shall not be considered politically exposed persons.

For the purposes of these Rules of Procedure, the following persons shall be persons performing prominent public functions:

a)Head of State, head of government, minister and deputy or assistant minister;

b)A member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors, or of the board of a central bank; 

c)An ambassador, a chargé d'affaires or a high-ranking officer in armed forces; 

d)A member of an administrative, management or supervisory body of a State-owned enterprise; 

e)A director, deputy director or member of the board, or equivalent function, of an international organization, except middle-ranking or more junior officials.

The following persons are considered family members of a person performing prominent public functions:

a)The spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or a local politically exposed person; 

b)A child and their spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or local politically exposed person; 

c)A parent of a politically exposed person or local politically exposed person.

The following persons are considered close associates of a person performing prominent public functions:

a)A natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a politically exposed person or a local politically exposed person; 

b)A natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person or local politically exposed person.

The following persons shall be local politically exposed persons:

a)Republic of countries’ heads of government, the judiciary and senior government officials, military officials, senior executives of public organizations, people who are in public office and positions, such as political party officials.

f)What is the applicable legislation?

It is the law that regulates the activities of credit and financial institutions and other institutions determined by the Law on Prevention of Money Laundering and Terrorist Financing and the Financial Intelligence Unit and deals with the prevention of money laundering and terrorist financing. (Law No. 5549 on Prevention of Laundering Proceeds of Crime and Law No. 6415 on Prevention of Financing of Terrorism.)

g)What is the International Sanctions Act?

Decisions and regulations issued by international authorities regarding countries, persons, institutions or ships subject to sanctions due to laundering proceeds of crime, terrorist activities or anti-democratic practices.

h)Who is a customer? 

A person or a legal entity who uses, or has used, one or several services offered by the Company.

i)Who is a relevant employee? 

A person who is conducting KYC/AML measures about the customer in the Company. 

j)What is a business relationship?

For the purposes of these Rules of Procedure, a business relationship is a continued contractual relationship with a customer.

k)What is a transaction monitoring? 

Every single investigation conducted by an employee about a customer.

l)Who is an ultimate beneficial owner of a legal entity (UBO)?

Ultimate beneficial owner refers to the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal entity or arrangement. Reference to “ultimately owns or controls” and “ultimate effective control” refer to situations in which ownership/control is exercised through a chain of ownership or by means of control other than direct control. This definition should also apply to beneficial owner or a beneficiary under a life or other investment-linked insurance policy. Without derogating from the above, UBO is a private individual owning or controlling more than 25% of a legal entity.

5.CUSTOMER IDENTIFICATION AND VERIFICATION 

a)Stablex uses best-practice procedures for KYC, compliance and anti-fraud, to ensure that every customer we allow to register has been vetted to the best of our capabilities and that every transaction that is processed on our platform is clear of any suspicious behavior. This is done by using the reputable 4STOP platform that is integrated with our exchange platform. 

b)Customers wishing to use Stablex platform for trading must register online and provide electronic copies of the required documents through the document upload facility, as part of the KYC process.

c)The platform allows Single User accounts and doesn’t allow for Corporate accounts. 

d)Customers are not allowed to open multiple accounts using their name or credentials.

e)Using the system's OCR capability, the uploaded identification documents (passport, ID, etc.) are verified for quality and formatting and are also checked for scrapped data. The verification process is delivered through a reputable 3rd-party provider.

f)The following valid documents serve as basis for identification:

i.Driver’s license;

ii.Identity card;

iii.Passport;

iv.Residence permit;

v.Travel documents;

g)The provided information, such as name, date of birth, address, etc., is verified across 172 countries and is matched to the information on the identification documents.

h)Information is checked in real time across the following compliance watchlists: FATF, OFAC, AML/CTF, PEP, RCA, SIP.

i)The KYC system conducts the following additional verifications:

i.GEO Check: verify the authenticity of customer coordinates and provide ISP details;

ii.Bin check: verify the first 6 digits of credit, debit, or prepaid card if provided;

iii.Email verification: type of email address, age of account, domain intelligence and email reputation standing;

iv.Breached email check;

v.Phone ID check: phone type and carrier and compare to GEO results;

vi.Selfie check against photo in ID documents.

j)The KYC verification engine uses a “waterfall logic” approach when analyzing the customer data. Customers that do not pass an authentication level, continue to the next level and are checked against other parameters.

k)The verification engine assigns a KYC score to each applicant, and based on the score the system either approves or rejects the application.

l)Customers who are approved for account opening will need to login to their account and complete necessary steps. Customers who are rejected by the KYC system regardless of the rejection reason will receive a notification accordingly and will not be allowed to register again. Data of rejected customers will be stored in the database.

m)The internal audit department will conduct random testing of system rejected and approved applications to ensure system reliability.

n)The KYC system is available independent of the online registration process and can be accessed by relevant employees, audit and compliance departments through the internet to manually verify and authenticate registration applications when needed.

o)Affiliates or Brokers (corporate accounts) wishing to use Stablex platform, must contact the Company as indicated in the web site. If initial discussions with the company are favorable, the interested party will need to apply and provide the necessary documents and guarantees to be processed and verified manually. 

p)The Broker must provide the following in English (notarized and Apostilled):

i.the business name of the legal person;

ii.commercial registry showing the registry code or registration number and the date of registration;

iii.the names of the beneficial owners, board of directors or other authorized bodies acting in such capacity, senior executive or general manager or director, and other executives who have authorization to represent the legal person;

iv.the details of contact information to the legal person.

v.Proof of business address.

vi.Corporate bank account.

q)The relevant employee verifies the correctness of the information of a legal entity, using the information originating from a credible and independent source for that purpose.

r)As a general policy, the Company reserves the right to reject any corporate account application that seems risky or suspicious without having to justify to the applicant. However, if any suspicions arise from such applicants, the relevant employee will seek approval to request any additional information that may alleviate any risks or concerns. Possible risk issues are detailed in section 4 below.

6.RISK LEVELS & RISK ASSESSMENT 

FOR CORPORATE ACCOUNTS:

a)Low Risk Level is assigned if the following apply to an applicant:

i.The customer can be identified on the basis of publicly available information,

ii.The ownership and control structure of the customer is transparent and constant,

iii.The operations of the customer and their accounting or payment policies are transparent,

iv.The customer reports to and is controlled by an authority of executive power of Estonia or a contracting state of the European Economic Area, another agency performing public duties, or an authority of the European Union.

b)Enhanced Due Diligence (EDD) is enforced for an applicant if any of the following apply:

i.There are doubts as to the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner,

ii.The applicant is a politically exposed person,

iii.The applicant is from a high-risk third country or their place of residence or seat or the seat of the payment service provider of the payee is in a high-risk third country,

iv.The applicant is from a risk country, or from a territory that is considered a low tax rate territory.

c)High Risk Level is assigned if the following apply to an applicant: 

i.When there are unusual factors in the applicant’s onboarding, or when there are unusual transaction patterns without clear economic or lawful purpose,

ii.Applicant is a legal person or a legal arrangement, which is engaged in holding personal assets,

iii.Applicant is a cash-intensive business,

iv.The applicant is a company that has nominee shareholders or bearer shares or a company whose affiliate has nominee shareholders or bearer shares,

v.The ownership structure of the applicant’s company appears unusual or excessively complex, given the nature of the company’s business.

d)Other factors that indicate a higher risk pertaining to the applicant’s product, service, transaction or delivery channel:

i.Products/services favor anonymity,

ii.Payments received from unknown or unassociated third parties,

iii.New products and new business practices, including new delivery mechanism, and the use of new or developing technologies for both new and pre-existing products.

e)The relevant employee must identify what the risks are in every particular case and undertake all appropriate measures to mitigate those risks. Depending on the case, the relevant employee may apply one or several of the following due diligence measures:

i.Verification of information additionally submitted upon identification of the person based on additional documents, data or information originating from a credible and independent source,

ii.Gathering additional information on the purpose and nature of the business relationship, transaction or operation and verifying the submitted information based on additional documents, data or information that originates from a reliable and independent source,

iii.Gathering additional information and documents regarding the actual execution of transactions made in the business relationship in order to rule out the ostensibility of the transactions,

iv.Gathering additional information and documents for the purpose of identifying the source and origin of the funds used in a transaction made in the business relationship in order to rule out the ostensibility of the transactions, 

v.Making of the first payment related to a transaction via an account that has been opened in the name of the applicant participating in the transaction in a credit institution registered or having its place of business in the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force.

f)Under the Company Zero Tolerance Policy, a Fraud Monitoring Engine is running 24/7 as a background process checking every transaction in real time. Based on the defined rules of this engine, any transaction flagged as suspicious will be immediately frozen and the originating account will be immediately flagged inactive. The account holder will be contacted to initiate the account closing procedure.

g)The following issues, among others, may be considered suspicious:

i.If the size of the transaction is inconsistent with the normal activities of the customer,

ii.If other transactions of which the Company is aware are linked to the transaction in question and could be designed to disguise money and divert it into other forms or to other destinations or beneficiaries,

iii.If the transaction is irrational for the customer,

iv.If the customer’s pattern of the transactions changed suddenly,

v.If the customer deposits funds from accounts that don’t have his name or were not declared by him previously, or wishes to transfer funds to an account which is not in his name or not previously disclosed by him, or to and from accounts opened in high-risk countries,

vi.If the size of deposits or withdrawals differs significantly from his pattern.

General

a)Crypto currencies that are transferred from outside the platform will be checked with the Chainalysis service. If marked by Chainalysis as suspicious, the Company will call the relevant authorities to report the crypto(s) and execute any instructions given by the authorities.

b)Deposits or crypto transfers exceeding $15,000 per transaction will prompt an enhanced due diligence process to validate the source of funds. 

7.DATA AND RECORD-KEEPING

a)The Company is obliged to present personal or transactional data about account holders to official inspectors when conducting site visits or audits or other official procedures. Under such conditions, the Company will not be held liable for disclosing such information otherwise deemed private by regulations or general privacy laws.

b)All customer information, documents and transactions records will be kept electronically and accessed only by authorized company officials. Any forms or documents provided by customers under special conditions will be stored at the Company’s main office and can be accessed by authorized company officials.

c)Electronic data and documents will be stored in the Company’s main servers hosted on the cloud through a 3rd party provider. Under the hosting agreement, backup, maintenance, duplication, retrieval, disaster recovery procedures are conducted by the service provider within agreed service levels.

d)Access to such data is available to inspectors from any company computer that is logged in to the Company secured network, using a correct username and password that belong to the privileged access group.

e)Electronic data will be kept in the server for 8 years beginning with the date of account termination. The company reserves the right to keep the data in a backup server after the end of the 8-year period.

f)Customer data will be used in procedures related to their agreement with us. Customer data will never be provided to third parties without the consent of the customer.

g)The company and its subsidiaries will fully abide by the personal data laws and related regulations of the places where they are operating. For details of laws and regulations please see Table-2.

8.INTERACTION WITH THE CUSTOMER

a)If a relevant employee is to be assigned to a case, he must declare that he is not related to the customer in any way beyond his job responsibilities.

b)The relevant employee may contact the customer to clarify the information given or ask for additional information, which is needed for the customer identification, or to address any identified risks or concerns.

c)The relevant employee should not request unnecessary or irrelevant information. A request for additional information must be related to the risks of the case, and after receiving the customer’s response, the relevant employee may close or report the case to the Compliance Officer. If the risk of money laundering or terrorist financing is very high, the relevant employee shall report the case to the Compliance Officer without asking for additional information from the customer.

d)The relevant employee shall never express themselves using words that give a reason for the customer to understand that his/her activity is suspicious and may be a subject for further report to the Compliance Officer.

9.DECISION-MAKING

a)Where possible, and by using reliable and supporting technologies or services, decisions to approve or reject applications, or to flag a transaction to be fraudulent or suspicious, will be automated to the highest possible degree.

b)In cases where relevant employees are assigned to verify information or analyze any suspicious behavior, the relevant employee will document his findings and recommend proper actions. The report will be forwarded to the Compliance Officer for review and decision.

10.RISK APPETITE 

a)The Company adopts a Zero Tolerance Policy with customers, employees, and service providers.

b)Applications rejected by the KYC system, or transactions that are flagged as suspicious and terminated by the anti-fraud system, will not be reversed unless proven to be due to a technical or system related issue.

c)An automated around-the-clock monitoring system will check for suspicious or fraudulent transactions in real time to ensure maximum compliance.

d)The Company will run security tests and ethical hacks using independent 3rd party providers to detect possible security threats.

11.REPORTING PROCEDURE

a)All transactions flagged for fraudulent or suspicious behavior will be immediately terminated. The Compliance Officer will receive a system-generated email or report on a daily basis of such transactions. Account owners will be notified of the Company decision to terminate their transactions and/or accounts by email.

b)Reports pertaining to fraudulent or suspicious transactions will provide the time of transaction, type of transaction, buyer and/or seller details depending on whether they are registered with the Company and reason for termination.

c)Based on the reason of termination, the Compliance Officer will discuss with the Company Lawyer and Management whether or not the incident needs to be reported to an authority in the country where the Company is licensed or in the country where the customer is residing.

12.DESIGNATED OWNER

a)The designated management board member shall be in charge of the compliance with the applicable legislation and relevant guidelines.

b)The management board may appoint a Compliance Officer for performance of AML/CFT duties and obligations. The management board shall co-ordinate the appointment of the Compliance Officer.

c)Compliance Officer is a person who acts as the contact person for the Financial Intelligence Unit ensuring the compliance with the measures put in place to prevent money laundering and terrorist financing at the Company. 

d)Compliance Officer shall have the following duties:

i.Checking compliance with the money laundering prevention requirements in the Company and carrying out training for the employees.

ii.Carrying out preliminary analysis of submitted reports about suspicious transactions and deciding whether or not to refer a report to the Financial Intelligence Unit.

iii.Sending information to the Financial Intelligence Unit in the case of suspected money laundering and responding to queries and precepts made by the Financial Intelligence Unit.

iv.Gathering information received from employees about suspicious and/or unusual actions, processing such information and keeping records pursuant to the prescribed procedure.

v.Notifying the management board in writing of any problems with compliance with these internal Rules of Procedure, guidelines and other legal acts and making periodic submission of written statements on compliance with the requirements arising from the applicable legislation.

e)Rights of the Compliance Officer: 

i.Making proposals for amending these Rules of Procedure, AML policy, and any other policies of the Company that are related to anti-money laundering and the prevention of terrorist financing, 

ii.Monitoring the activities of the employees in pursuing the measures to prevent money laundering and terrorist financing,

iii.Receiving data and information required for performance of the duties of the Compliance Officer,

iv.Making proposals for re-organizing the process of submission of notifications of suspicious and unusual transactions,

v.Receiving training in the field.

f)The Compliance Officer may send the information or data that have become known to him or her in connection with suspected money laundering only to:

i.The Financial Intelligence Unit.

ii.A preliminary investigating authority in connection with criminal proceedings,

iii.The court on the basis of a court ruling or judgement.

g)In the event of a well-founded suspicion concerning money laundering or terrorist financing, the Compliance Officer shall promptly report it to the Financial Intelligence Unit.

h)A report shall be sent to the Financial Intelligence Unit using the web based platform, in writing, orally or through electronic means of communication. If a report is communicated orally, the Compliance Officer shall duplicate it in writing during the next day at the latest. Copies of the documents that serve as the basis for a transaction, as well as the data or copies of the documents used as the basis for identifying a person, shall be enclosed with the filled-in reporting form.

i)The customer shall never be notified about any report sent about him or her to the Financial Intelligence Unit.

j)If the activities of a customer are not, in accordance with the Company policies, and are fully classifiable as activities to be reported to the Financial Intelligence Unit, any future activities of such customer shall be under increased scrutiny. 

k)No company, employee, the Compliance Officer or any other person acting on behalf of the Company shall be liable for any damage which may arise from non-completion or late completion of a transaction that is incurred by the customer because of suspicions about terrorist financing or money laundering that have been reported in good faith to the Financial Intelligence Unit.

l)Reporting to the Financial Intelligence Unit and sending relevant information shall not be deemed to be a violation of the duty of confidentiality laid down by law or a contract and no liability prescribed by legislation or a contract shall be attributed to those persons for disclosure of such relevant information.

13.INTERNAL CONTROL RULES 

a)The Compliance Officer is responsible for checking the work done by the relevant employee.

b)The Compliance Officer shall check the work of the relevant employee on a quarterly basis in accordance with the following criteria:

i.The work of the relevant employee does not breach these Rules of Procedure,

ii.The relevant employee has done sufficient research on the customer,

iii.The relevant employee has documented all the evidence about the customer,

iv.The relevant employee has made a decision relying on the evidence collected and documented.

c)The relevant employee may get a low-quality notification from the Compliance Officer if the relevant employee constantly breaches the criteria set forth in 14.2. In case the quality of the employee’s work has not been improved after the first notification, this may lead to extraordinary termination. 

14.TRAINING FOR EMPLOYEES

a)The Compliance Officer or other expert in the field of anti-money laundering shall carry out the money laundering and terrorist financing prevention training for the employees of the Company.

b)The Compliance Officer is responsible for carrying out regular training. Each relevant employee shall confirm their participation with their signature. It is recommended to organize trainings when necessary, but not less than once per year.

c)The Compliance Officer is obligated to provide instructions and an introduction training to all new relevant employees pursuant to the prescribed procedure following the signing of the employment contract no later than within one week after the commencement of employment by the relevant employee and to make the new relevant employee familiar with these Rules of Procedure against signature. 

d)The Compliance Officer has the right to submit proposals to the management board concerning what trainings should be made. 

15.VIOLATION OF POLICY

a)Any violation of the duty to register information and to keep records as prescribed by these Rules of Procedure and in the Money Laundering and Terrorist Financing Prevention Act shall be disciplined in accordance with the law.

16.OUTSOURCING

a)Outsourcing of any obligation under these Rules is allowed only upon respective resolution by the management board. Outsourcing is allowed only to a party that applies due diligence measures similar to those stipulated in these Rules and the applicable legislation and provided the respective party is ready to be subject to supervision similar to one exercised over the Company in accordance with the applicable legislation.

17.REQUESTS FROM THE FINANCIAL INTELLIGENCE UNIT 

a)Upon the request of a supervision officer of the Financial Intelligence Unit all necessary documents and information shall be provided to the inspectors immediately.

18.ANNEX

Table 1

| Operating Country | Regulatory and Supervisory Authority | Address of the Relevant Institution and Website Link |
|---|---|---|
| Turkey | Turkey Financial Intelligence Unit (MASAK) | Postal address: Ministry of Finance, N Blok Dikmen Cad. 06100, Turkey; URL: http://www.masak.gov.tr/ |
| Estonia | Estonia Financial Intelligence Unit | Postal address: Rahapesu andmebüroo (RAB), Tööstuse 52, 10416 Tallinn; URL: https://www2.politsei.ee/en/organisatsioon/rahapesu-andmeburoo/ |
| Estonia | European Parliament and the Council of Europe | Postal address: 7 Place Adrien Zeller, Allée du Printemps B.P. 1024, 67070 Strasbourg, France; URL: https://gdpr-info.eu/ |

Table 2

| Operating Country | Regulatory and Supervisory Authority | Related Personal Data Law Name and Number |
|---|---|---|
| Turkey | Turkey Financial Intelligence Unit (MASAK) | Law No. 5549 on Prevention of Laundering Proceeds of Crime |
| Estonia | Estonia Financial Intelligence Unit | Money Laundering and Terrorist Financing Prevention Act (Consolidated text as of 1 January 2014) |
| Estonia | European Parliament and the Council of Europe | GDPR (The General Data Protection Regulation 2016/679) |