SIRIUS FINANCE SP. Z O.O. AML Policy ENG

PROCEDURE FOR COUNTERACTING MONEY LAUNDERING AND TERRORISM FINANCING

(AML/CFT procedure)

1. Activities and actions to mitigate the risk of money laundering and terrorism financing and to properly manage the identified risk of money laundering or terrorism financing:
The purpose of the procedure is to introduce financial security measures and other obligations specified in the regulations in the obligated institution, in accordance with the Act on Counteracting Money Laundering and Terrorist Financing. The procedure contains a set of internal regulations that are undertaken in the obligated institution in cooperation with dedicated state and international bodies to combat and prevent the above crimes. Given that the purpose of the obligated institution is to operate transparently, in accordance with the law and the principles of social coexistence, this procedure is to prevent the use of the services it offers in a manner inconsistent with the law. Therefore, the procedure applies to employees, collaborators as well as contract, temporary or agency workers, interns, volunteers and trainees (hereinafter all jointly referred to as "collaborators"). The basic activities and actions in order to fulfill the statutory obligations are the application of financial security measures and ongoing risk analysis in order to prevent the phenomenon of money laundering or terrorism financing. The internal procedure is subject to ongoing verification and, if necessary, update.

The procedure has been developed and is applied in the entity indicated below, which is also referred to as the OBLIGED INSTITUTION:

Name:	SIRIUS FINANCE SP. Z OO
Address:	ul. Hoża 86/210, 00-682 Warsaw
Tax identification number:	7011192745
Procedure update date:	31/05/2024

This procedure for combating money laundering and terrorism financing is based on applicable legal provisions, recommendations and guidelines of relevant national and international authorities supervising the activities of the Institution and competent for combating money laundering and terrorism financing, including in particular:

Act of 1 March 2018 on Counteracting Money Laundering and Terrorism Financing (hereinafter referred to as the AML/CFT Act);
Act of 19 August 2011 on payment services;
Commission Delegated Regulation (EU) 2023/1219 of 17 May 2023 amending Delegated Regulation (EU) 2016/1675, as regards adding Nigeria and South Africa to the table in point I of the Annex and removing Cambodia and Morocco from that table (Text with EEA relevance);
Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (Text with EEA relevance);
Announcements and guidelines from supervisory authorities – the General Inspector of Financial Information and the Position of the Polish Financial Supervision Authority.

1) Definitions

AML(anti-money laundering) – Anti-Money Laundering – a set of activities, procedures and regulations designed to prevent criminal activities related to money laundering;

Beneficial owner – a natural person who directly or indirectly controls a client through the powers they hold, which result from legal or factual circumstances, enabling them to exert decisive influence on the actions or activities undertaken by the client, or any natural person on whose behalf business relations are established or an occasional transaction is carried out (general part of the definition), including (specific part of the definition):

a) in the case of a legal person other than a company whose securities are admitted to trading on a regulated market subject to disclosure requirements under European Union law or the corresponding law of a third country:
– a natural person who is a shareholder or stockholder who has the right to own more than 25% of the total number of shares or stocks of that legal person,
– a natural person holding more than 25% of the total number of votes in the decision-making body of this legal person, also as a pledgee or user, or on the basis of agreements with other persons entitled to vote,
– a natural person exercising control over a legal person or legal persons who jointly have the right to own more than 25% of the total number of shares or stocks or who jointly hold more than 25% of the total number of votes in the decision-making body of that legal person, also as a pledgee or user, or on the basis of agreements with other persons entitled to vote,
– a natural person exercising control over a legal person by having the powers referred to in Article 3, paragraph 1, point 37 of the Act of 29 September 1994 on Accounting, or
– a natural person holding a senior management position in the event of documented inability to determine or doubts as to the identity of the natural persons referred to in the first to fourth indent and in the event of failure to confirm the suspicions of money laundering or terrorism financing,

b) in the case of a trust:
– founder, including the founder within the meaning of the Act of 26 January 2023 on family foundations,
– a trustee, including a member of the management board within the meaning of the Act of 26 January 2023 on family foundations,
– supervisor, if appointed, including a member of the supervisory board within the meaning of the Act of 26 January 2023 on family foundations,
– beneficiary, including a beneficiary within the meaning of the Act of 26 January 2023 on family foundations or – if the natural persons benefiting from a given trust have not yet been determined – a group of persons in whose main interest the trust was established or operates,
– another person exercising control over the trust, – another natural person with powers or obligations equivalent to those referred to in the first to fifth indent,

c) in the case of a natural person conducting business activity in respect of whom there are no grounds or circumstances that could indicate the fact of exercising control over him or her by another natural person or natural persons, it is assumed that such a natural person is also the beneficial owner.

Close collaborator of PEP – individual being the beneficiary a real beneficiary of a legal person, an organizational unit without legal personality or a trust together with a PEP or maintaining other close relations with it related to the conducted business activity, as well as a natural person who is the sole real beneficiary of legal persons, organizational units without legal personality or a trust that are known to have been established for the purpose of obtaining an actual benefit by the PEP.

Account blocking – temporary blocking of use and disposal from all or part of the property values accumulated in the account (if the obligated institution provides services consisting in maintaining accounts);

PEP family member – spouse or person in common cohabitation, child of PEP or his spouse or person remaining in cohabitation, parents.

CFT (combathing the financing of terrorism) - counteracting financing terrorism - a set of actions, procedures and regulations created to prevent criminal activities related to terrorism;

Financing terrorism - a crime against security general offence of collecting, transferring or offering property values in order to finance a terrorist offence or making property values available to a person or an organised group aimed at committing such an offence (in detail, the act specified in Article 165a of the Act of 6 June 1997 – the Penal Code);

GIFI – General Inspector of Financial Information, government administration body competent in matters of counteracting money laundering and terrorism financing;

Obligated institution – entrepreneurs, companies and institutions that are obligated to analyse transactions and provide information on suspicious transactions to GIIF;

Senior Management - board member, director or employee an obligated institution possessing AML/CFT knowledge related to the organisation’s activities and making decisions affecting the risk and, as such, persons responsible for the implementation of statutory obligations;

Client – a natural person, a legal person or an organizational unit that does not have a legal entity to which the organisation provides services or for which it performs activities falling within the scope of its professional activity (including with which the organisation establishes business relations or on whose behalf it conducts an occasional transaction);

Politically exposed person (PEP) – in particular, excluding groups of middle and lower-level positions, persons holding significant public positions or performing significant public functions, including:

a) heads of state, heads of government, ministers, deputy ministers and secretaries of state,
b) members of parliament or similar legislative bodies,
c) members of the governing bodies of political parties,
d) members of supreme courts, constitutional courts and other high-level judicial bodies whose decisions are not subject to appeal, except in extraordinary procedures,
e) members of courts of auditors or boards of central banks,
f) ambassadors, chargés d'affaires and senior officers of the armed forces,
g) members of administrative, management or supervisory bodies of state-owned enterprises, companies with State Treasury participation, in which more than half of the shares or stocks belong to the State Treasury or other state legal persons,
h) directors, deputy directors and members of bodies of international organisations or persons performing equivalent functions in these organisations,
i) directors general in the offices of the supreme and central state bodies and directors general of voivodship offices,
j) other persons holding public positions or performing public functions in state bodies or central government administration bodies,
as well as persons from the Regulation of the Minister of Finance, Funds and Regional Policy of 27 July 2021 on the list of national public positions and functions that are exposed political positions.

Employee - a natural person performing duties for the institution obligated, regardless of the legal form on the basis of which the cooperation was established (employment contract, contract of mandate, cooperation contract, etc.).

Money laundering - an action aimed at introducing money from illegal sources or used to finance illegal activities into legal circulation (detailed act specified in Article 299 of the Act of 6 June 1997 – the Penal Code);

Information processing – any operation performed on information, in in particular their acquisition, collection, recording, storage, editing, sharing and deletion (the term also includes information stored in an IT system);

Business relations – the relationship between an organization and a customer related to the professional activity of the company, which at the time of establishment demonstrates the characteristic of permanence;

Transaction – a legal or factual act on the basis of which a transaction is made. the transfer of ownership or possession of property values, or a legal or factual act performed for the purpose of transferring ownership or possession of property values;

Occasional transaction – a transaction carried out not within the framework of economic relations;

Act – Act of 1 March 2018 on counteracting money laundering and terrorism financing;

Property values – property rights or other movable property, real estate, means of payment, financial instruments, other securities, foreign exchange values, virtual currencies (including cryptocurrencies)

Transaction hold – temporary restriction of use and disposal property values consisting in preventing the execution of a single transaction or a larger number of transactions;

2) Division of responsibilities of responsible persons referred to in Articles 6, 7 and 8 of the AML/CFT Act

This division of competences defines the tasks and roles of a member of the management body, a member of senior management and an employee holding a managerial position responsible for ensuring compliance of the activities of the obligated institution performing activities on behalf of the obligated institution in the scope of ensuring compliance with the provisions of the law in the field of counteracting money laundering and terrorism financing (AML/CFT).

Tasks and role of the management body in the AML/CFT process:

- approval of the general AML/CFT procedure (policy) applicable in the institution and its implementation;
- implementing an organisational and operational structure ensuring compliance with the AML/CFT procedure, including granting appropriate authorisations and ensuring adequate human and technical resources allocated to individual responsible persons;
- implementation of internal regulations related to the AML/CFT procedure;
- periodic review of the activity report of the AML/CFT department consisting of senior management and designated staff (AMLRO);
- reporting to supervisory authorities;
- evaluation of internal control results;
- ensuring that designated responsible persons have the knowledge, skills and experience necessary to identify, assess and manage risks relevant to the institution and granting access to information on decisions potentially affecting the risks to which the institution is exposed;

Responsibilities and roles of senior management responsible for AML/CFT compliance:

- implementing the obligations set out in the relevant AML/CFT regulations
- supervision and monitoring of the adequacy and effectiveness of the implementation of the AML/CFT strategy and procedure, taking into account the risks to which the institution is exposed,
- taking corrective actions appropriate to identified irregularities;
- supervision and review of reports on AMLRO activities and assessment of the effectiveness of AML/CFT activities, taking into account the conclusions of the internal audit conducted
- management of internal control systems (audit);
- access to information, inspection results and correspondence with authorized state authorities;
- managing access to information for the AMLRO, which is to ensure continuous and unrestricted access to information necessary to perform its tasks, including information on AML/CFT-related incidents and irregularities;
- appointment of a deputy AMLRO;

Tasks and role of an employee holding a managerial position responsible for ensuring compliance of the obligated institution’s activities with AML/CFT regulations (AMLRO):

- ensuring compliance of the activities of the institution and its employees and other persons performing activities for that institution with AML/CFT regulations;
- providing information on behalf of the institution to supervisory authorities (including, in particular, notifications referred to in Article 74 paragraph 1, Article 86 paragraph 1, Article 89 paragraph 1 and Article 90 of the Act);
- delegating and assigning AML/CFT tasks to other employees of the institutions operating under his management;
- developing and implementing an AML/CFT risk assessment framework and communicating the results of that assessment, along with risk mitigation mechanisms, to senior management;
- ensuring that appropriate AML/CFT policies and procedures are in place and updated on an ongoing basis, along with appropriate control mechanisms;
- regulatory monitoring of policies and control mechanisms
- supervising the effectiveness of the application of control mechanisms by the first line of defence
- recommendations to the management body of appropriate remedial actions to eliminate deficiencies in the AML/CFT process identified during internal or external supervision;
- assessing changes in the legal environment affecting the institution’s operations and notifying the management body of appropriate measures taken to ensure compliance;
- preparing activity reports at least once a year, regardless of periodic and ad hoc management reports;
- ensuring that other employees reporting to the AMLRO have the knowledge and experience required to comply with the obligation of confidentiality and protection of personal data;
- knowledge of the internal transaction monitoring system;
- receiving reports from employees, intermediaries, and cooperating entities about questionable transactions, entities, and individuals
- considering the above-mentioned reports, taking into account the established priorities (in terms of the importance of the report);
- keeping a record of all analyses carried out on reports and feedback received from the supervisory authority;
- ensuring immediate reporting of suspicious transactions to the supervisory authority, together with the necessary data and justification;
- responding to questions from the supervisory authority;
- implementation of the training obligation and raising awareness of employees in the field of AML/CFT (informing about risks, supervising and preparing the training program, ensuring the appropriate quality and currency of training and checking the level of knowledge mastery;

3) Collaborators of the obligated institution:

- comply with the AML/CFT rules and procedures implemented within the organisation;
- they actively participate in assessing the client’s risk and apply financial security measures to them;
- ensure that the operations carried out by the company comply with legal regulations and meet AML/CFT security standards;
- inform the person responsible for the compliance of the obligated institution with AML/CFT regulations and provide all data in their possession on the circumstances of the transaction indicating a connection with money laundering or terrorism financing – regardless of the size of the transaction;
- take part in training on counteracting money laundering and terrorism financing.

In connection with the above, when taking up employment/cooperation with an obligated institution, these persons and persons performing AML/CFT-related duties will familiarise themselves with this procedure and receive training on counteracting money laundering and terrorism financing (possibly in the form of an online video).

4) The scope of the internal procedure of the obligated institution

This internal procedure of the obligated institution specifies, taking into account the nature, type and size of the business activity conducted, the rules of procedure applied in the obligated institution and includes in particular the determination of:

a) activities or actions taken to mitigate the risk of money laundering and terrorist financing and to properly manage the identified risk of money laundering or terrorist financing;
b) principles for recognising and assessing the risk of money laundering and terrorism financing related to a given business relationship or occasional transaction, including principles for verifying and updating the previously conducted assessment of the risk of money laundering and terrorism financing;
c) measures applied to appropriately manage identified money laundering or terrorist financing risks associated with a given business relationship or occasional transaction;
d) principles of applying financial security measures;
e) rules for storing documents and information;
f) principles of performing duties including providing the Inspector General with information on transactions and notifications;
g) principles of disseminating knowledge of the provisions on counteracting money laundering and terrorism financing among employees of obligated institutions;
h) rules for reporting by employees of actual or potential breaches of anti-money laundering and counter-terrorism financing regulations;
i) principles of internal control or supervision of compliance of the activities of an obligated institution with the provisions on counteracting money laundering and terrorism financing and the rules of conduct specified in the internal procedure;
j) principles for recording discrepancies between the information collected in the Central Register of Beneficial Owners and the information on the client’s beneficial owners established in connection with the application of the Act;
k) principles for documenting difficulties identified in connection with the verification of the identity of the beneficial owner and actions taken in connection with the identification of a natural person holding a senior management position as the beneficial owner.

2. Principles for recognising and assessing the risk of money laundering and terrorism financing associated with a given business relationship or occasional transaction, including the principles for verifying and updating a previously conducted assessment of the risk of money laundering and terrorism financing.

Turning off cookies via your web browser
Most web browsers will provide you with some general information about cookies, enable you to see what cookies are stored on your device, allow you to delete them all or on an individual basis, and enable you to block or allow cookies for all websites or individually selected websites. You can also normally turn off third party cookies separately. Please note that the settings offered by a browser or device often only apply to that particular browser or device.

1) Recognition

It means gathering information about the client based on own sources, publicly available information and based on information and documents provided by the client, as well as information received from law enforcement agencies, GIIF, PFSA, NBP. Information from other sources should also be used to verify information received from the client. The obligated institution documents the identified risk of money laundering and terrorism financing related to business relations or an occasional transaction and its assessment, taking into account in particular factors related to: type of client; geographical area; purpose of the account; type of products, services and methods of their distribution; level of property values deposited by the client or value of transactions conducted; purpose, regularity or duration of business relations. The level of identified risk affects, among other things, the intensity of application of financial security measures towards the client. The obligated institution identifies the risk at every stage of the business relationship. This means that in connection with the receipt of additional information about a client during the business relationship, the obligated institution should re-identify and assess the risk related to a given client and take appropriate actions to adjust the documents, information and knowledge it holds about the client to the identified risk.

2) Risk assessment and risk documentation

It means classifying the client into the appropriate risk category (low, standard, high acceptable or high unacceptable) based on the methodology developed and applied in the organization. Before entering into an agreement with the client, the collaborator or client service assesses the client's risk by filling in a risk assessment card, the template of which is an appendix to this procedure and assigns the client to one of three groups of client risk assessment related to the possibility of this client participating in money laundering or terrorism financing.
Documentation of the client’s risk along with its assessment in the form of a so-called Client File (may be kept in electronic form), which must include:

a) Type of customer,
b) Geographical area,
c) Purpose of the account,
d) Type of products, services, services provided and their distribution channels,
e) The level of assets held by the client or the value of the transaction,
f) Purpose, regularity or duration of business relations.

During the business relationship, the obligated institution documents each fact of receiving information about the client and assesses whether the information affects the previously made assessment of the risk associated with the given client. If in a given situation a change in the assessment leads to an increase in the risk for the given client, in relation to the previously identified risk, then in accordance with art. 33 sec. 4 of the AML Act, the obligated institution is obliged to apply financial security measures in a new, broader scope resulting from the newly identified risk of money laundering and terrorism financing. The obligated institution documents the fact of receiving any information about the client, and stores the received documents concerning the client (after their analysis) in the Client File.

3) Risk Assessment Verification Principles

In order to determine the client's risk, the following criteria in particular should be taken into account:

a) Economic – assessment of the client in terms of the purpose of his business,
b) Geographic – analysis of the client's transactions, their economic relations with entities from third countries where there is an increased risk of money laundering and terrorism financing. Here, the client's place of residence or place of business should also be assessed.
c) Subject matter – what type of business does the client conduct, is it a high-risk activity from the point of view of AML/CFT regulations?
d) Behavioral – unusual behavior of the client in a given situation.

Risk analysis takes into account:

a) KNF announcements and training,
b) GIIF annual reports,
c) National risk assessment,
d) Report of the European Commission,
e) Corporate memory and experience of the obligated institution,
f) Media reports.

4) Updating a previously performed risk assessment

Customer Risk Assessment Update Frequency :

a) In the case of a low risk client – once every 3 years,
b) In the case of a client with a standard risk level – once every 2 years,
c) In the case of a high-risk client – once every 1 year
d) And also each time the obligated institution learns about a change in significant matters that may affect the client’s risk level.

Risk identification, assessment and updating are performed on the basis of forms completed for each client who meets the conditions for applying financial security measures to them. Based on the established information, the client is assigned points, which are used to assign the client to a specific risk group, including the identification and assessment of the level of the identified risk. This activity is documented by completing the Client Assessment Card. In this Card, by creating a scoring system, the weight assigned to individual risk assessment criteria/factors has been determined, influencing the final result of the analysis, as well as a list of alarm signals, arousing vigilance, which translates into actions towards the client or transactions in order to prevent incidents of money laundering or terrorism financing. The previously performed risk assessment may be updated at any stage of cooperation with the client in connection with the information received about the client, which affects the previously identified level of risk associated with a given client. In particular, the previously performed risk assessment may be updated in the event of receiving letters from public administration bodies (such as GIIF, KNF), banks, law enforcement agencies, border guards, etc.

3. Measures to appropriately manage identified money laundering or terrorist financing risks associated with a business relationship or occasional transaction, including actions or activities undertaken to mitigate the risk of money laundering and terrorist financing

Characteristics of factors related to customer risk analysis (sample calculation):

a) Customer type:
- natural person,
- a natural person running a business activity,
- commercial law company,
- a commercial law company admitted to trading on a regulated market,
- non-profit organization.
b) Scope of activity:
- scrap trade,
- fuel industry,
- car dealerships,
- entities providing virtual currency exchange services,
- pawn shops,
- entities involved in fuel trading,
- entities trading in fuel materials,
- intermediaries trading in luxury goods, e.g. works of art, antiques.
- casino games,
- companies providing financial services,
- real estate agents.
- arms dealers,
- night clubs,
- foreign entities based in tax havens.
c) Client domicile - verification of the country of residence of the registered office in terms of:
- degree of corruption (collision with corruption maps),
- the place of residence or registered office differs from the usual customer,
- headquarters in a tax haven (countries applying harmful tax competition)
- originating from high-risk countries indicated by the European Commission (understood as countries listed in Directive (EU) 2015/849 of the European Parliament and of the Council or other currently applicable legal act) or recognised as such by an obligated institution, where on the day of introducing the procedure this means at least:

1	Afghanistan
2	Barbados
3	Burkina Faso
4	Cayman Islands
5	Democratic Republic of the Congo
6	Gibraltar
7	Haiti
8	Jamaica
9	Jordan
10	Little ones
11	Mozambique
12	Myanmar/Burma
13	Nigeria
14	Panama
15	Philippines
16	Senegal
17	South Africa
18	South Sudan
19	Syria
20	Tanzania
21	Trinidad and Tobago
22	Uganda
23	United Arab Emirates
24	Vanuatu
25	Yemen

d) Customer behavior – behavioral factor
In the case of assessing the risk of a client, the employees of the obligated institution take into account the client's behavior and assess it in terms of deviating from the norm. In such a situation, the employee of the obligated institution should take this factor into account in the risk assessment. A situation that should draw the attention of the employee is the presence of an additional person during the transaction, especially when this person instructs the client on what to do.
e) Customer Transactions (Size and Geography)
Assessing the client in terms of concluded contracts and transactions that are inconsistent with the profile of his business – if his behaviour cannot be rationally explained, this should be taken into account in the risk assessment.
f) Customer presence
The absence of the client at the conclusion of the contract and during the duration of the relationship is considered a high-risk factor.
g) New products, channels, technologies
If the client intends to provide new services, offer new products or distribution channels or technologies, this may lead to increased AML/CFT risk. This risk will not always relate directly to the client, but requires an assessment in terms of the security of the obligated institution.
h) Customer Status
If a client has the status of a politically exposed person, a family member of such a person, or is a person known to be a close associate, or the person is on a warning list or sanctions list, the risk associated with serving that client is recognized at a high level.

Lower risk may be indicated by the fact that the client is:

a) A unit of the public finance sector,
b) A state-owned enterprise or a company with a majority shareholding of the State Treasury, local government units or their associations,
c) A company whose securities are admitted to trading on a regulated market subject to requirements to disclose information about the beneficial owner or a company with a majority shareholding in such a company,
d) A resident of a Member State of the European Union, an EFTA Member State - a party to the EEA Agreement,
e) A resident of a third country defined by credible sources as a country with a low level of corruption or other criminal activity,
f) A resident of a third country where, according to data from reliable sources, anti-money laundering and anti-terrorist financing regulations are in force that meet the requirements of European Union anti-money laundering and anti-terrorist financing regulations.

Lower risk may also be indicated by linking a business relationship or occasional transaction with:

a) A Member State of the European Union, an EFTA Member State – a party to the EEA Agreement,
b) a third country identified by credible sources as having a low level of corruption or other criminal activity,
c) a third country where, according to data from reliable sources, there are regulations in force on counteracting money laundering and terrorism financing that meet the requirements resulting from European Union regulations on counteracting money laundering and terrorism financing.

In particular, higher risk may be indicated by:

a) establishing business relationships in unusual circumstances;
b) unjustified reluctance by the Client to provide the required information or documents;
c) that the client is:
- a legal person or an organizational unit without legal personality whose activities serve to store personal assets,
- a company in which bearer shares have been issued, whose securities are not admitted to organised trading, or a company in which the rights attached to shares are exercised by entities other than shareholders or stockholders,
- a resident of the country referred to in letter k below,
d) the subject of the client’s business activity involves conducting a significant number or high amounts of cash transactions or transactions that are inconsistent with the profile declared by the client,
e) an unusual or overly complex ownership structure of the client, taking into account the type and scope of its business activities,
f) the customer’s use of services or products offered within the framework of private banking;
g) the customer’s use of services or products that promote anonymity or make it difficult to identify him,
h) establishing or maintaining business relations or carrying out an occasional transaction without the physical presence of the client – if the associated higher risk of money laundering or terrorism financing has not been otherwise limited, or the client's use of services or products that promote anonymity or make identification difficult,
i) ordering of transactions by unknown or unrelated third parties, the beneficiary of which is the client;
j) extending business relationships or transactions to new products or services or offering products or services using new distribution channels;
k) linking a business relationship or an occasional transaction with:
- a high-risk third country,
- a country identified by credible sources as a country with a high level of corruption or other types of criminal activity, a country financing or supporting the commission of terrorist acts, or with which the activities of terrorist organisations are linked,
- a country against which the United Nations or the European Union has decided to impose sanctions or specific restrictive measures
i) other circumstances indicating that the Client's actions may be related to money laundering or terrorism financing,
j) The client uses the services of a virtual office,
k) the same person acts as a representative of different entities or as a person with whom the details of transactions concerning different entities are agreed,
l) The Client has a registered office or place of business at an address where there are no signs of conducting business activity,
m) The client does not have the organizational and technical resources appropriate to the type and scale of the business activity conducted.

Absolutely high AML/CFT risk exists especially when the client has PEP status.

The risk is reduced by completing the customer assessment card, including the introduced scoring, which helps to determine the level of recognized risk and, in accordance with the established level of risk, the application of additional financial security measures in order to obtain more information about the customer. Additionally, with the intention of reducing the risk, the obligated institution uses the documentation presented in the Model of general principles functioning in its activity, completing the introduced solutions and applies the procedure for monitoring transactions and reporting suspicious transactions (STR).

Therefore, in order to limit the risk of money laundering and terrorism financing and properly manage the identified risk, the obligated institution shall take the following actions:

1) Identifying risk by collecting information about the client based on public sources as well as information provided by the client; 2) Risk assessment and documentation by completing a client risk assessment card;
3) Analysis of client information from the perspective of possible factors increasing or decreasing the risk associated with the client, including the type of business activity conducted, client’s domicile, etc.;
4) Applying appropriate financial security measures, taking into account the degree of identified risk associated with the client;
5) Ongoing analysis of business relations with the client in order to determine whether the client's previously identified risk level has not changed, and also to ensure that the obligated institution's knowledge of the client's activity and the client is up-to-date.

4. Principles of applying financial security measures

1) Financial security measures are applied in the case of:

a) establishing economic relations (which are durable);
b) carrying out an occasional transaction:
- the equivalent of EUR 15,000 or more, regardless of whether the transaction is carried out as a single operation or as several operations that appear to be linked, or
- which constitutes a transfer of funds exceeding the equivalent of EUR 1,000;
c) suspicions of money laundering or terrorism financing;
d) doubts as to the veracity or completeness of customer identification data obtained so far.

Simplified financial security measures may be used in where the risk assessment confirms a lower risk of money laundering or terrorism financing. Simplified financial security measures shall not be applied in cases referred to in Article 35 paragraph 1 points 5 and 6 of the Act (in the event of) suspicion of money laundering or terrorism financing or in the event of doubts as to the veracity or completeness of the customer identification data obtained so far).

Enhanced security measures are applied in case of higher risk of laundering money or terrorism financing, in particular in the case of clients originating from or having their registered office in a high-risk third country, as well as in the cases referred to in Articles 44-46 of the Act, including in relation to persons with PEP status . Enhanced protection measures may consist in particular in verifying the client with more than one of the required documents.

The obligated institution also applies financial security measures in relation to clients with whom it maintains business relations, taking into account the identified risk of money laundering and terrorism financing, in particular when:

a) there has been a change in the previously established nature or circumstances of the economic relationship;
b) there was a change in the previously established data relating to the customer or beneficial owner;
c) the obligated institution was obliged under the law to contact the client during a given calendar year in order to verify information concerning beneficial owners, in particular when such an obligation resulted from the provisions of the Act of 9 March 2017 on the exchange of tax information with other countries.

2) How to apply financial security measures

Financial security measures include:

a) Identification of the client and verification of his or her identity, in particular whether he or she is a politically exposed person;
b) identifying the beneficial owner and taking reasonable steps to:
- verification of his identity,
- determining the ownership and control structure - in the case of a client who is a legal person, an organizational unit without legal personality or a trust;
c) assessing the business relationship and, where appropriate, obtaining information about its purpose and intended nature;
d) ongoing monitoring of the client’s economic relations, including:
- analysis of transactions carried out within the framework of business relations in order to ensure that these transactions are consistent with the obligated institution’s knowledge of the client, the type and scope of the business activity conducted by the client and the risk of money laundering and terrorism financing associated with the client,
- examination of the source of the property values at the client's disposal - in cases justified by the circumstances,
- ensuring that documents, data or information relating to business relations are kept up to date.

The above financial security measures are implemented manually. The practical method of applying financial security measures is established based on AML/CFT documentation used to fulfill the obligations of the Act, including introduced cards, forms and notes. The above measures are implemented practically using these documents based on the principles established in these documents. Each person acting on behalf of the Obligated Institution in fulfilling the obligations related to counteracting money laundering and terrorism financing should use these forms when serving customers.

The obligated institution, applying the financial security measures referred to in letters a and b above, shall identify the person authorised to act on behalf of the client and verify his or her identity and authorisation to act on behalf of the client if it is identified that this person is acting on behalf of a third party.

institution documents the applied financial security measures and the results of the current analysis of the transactions carried out. At the request of the authorities referred to in Article 130 of the Act, the obligated institution demonstrates that, taking into account the level of the identified risk of money laundering and terrorism financing related to the given business relationship or occasional transaction, it has applied appropriate financial security measures.

Before establishing business relations or carrying out an occasional transaction, the obligated institution shall inform the customer about the processing of his or her personal data, in particular about the obligations of the obligated institution arising from the Act in the scope of processing such data.

3) Customer identification involves acquiring:

a) natural person:
I. name and surname,
II. citizenship,
III. the Universal Electronic System for Registration of the Population (PESEL) number or date of birth - if no PESEL number has been assigned, and the country of birth,
IV. series and number of the document confirming the person’s identity,
V. address of residence - if the obligated institution has this information,
VI. name (company), tax identification number (NIP) and address of the principal place of business activity - in the case of a natural person conducting business activity;
b) a legal person or an organizational unit without legal personality:
I. names (companies),
II. organizational form,
III. registered office address or business address,
IV. Tax Identification Number (NIP), and in the absence of such a number - the country of registration, the name of the relevant register and the number and date of registration,
V. identification data referred to in point 3 letter a subpoints I and III, of the person representing that legal person or organizational unit without legal personality.

The determination of whether the client is a person holding a politically exposed position is made by submitting a declaration before using the service and ongoing verification of the information obtained in order to identify and verify the person. The client submits a declaration that he or she is not a person holding such a position with the clause "I am aware of criminal liability for submitting a false declaration".

4) Identification of the beneficial owner and authorized person:

This includes determining his/her first and last name, and in the case of the data being held by the obligated institution, also the data indicated in point 3 above, letter a, items II-V. For this purpose, the obligated institution uses a form concerning the identification of the beneficial owner.

Identification of the person authorized to act on behalf of the client includes determining the data referred to in point 3 above, letter a, items I-IV.

5) Verification:

Verification of the identity of the client, the person authorised to act on their behalf and the beneficial owner involves confirming the established identification data based on:

a) an identity document of a natural person;
b) driving license (as an auxiliary document);
c) passport;
d) a document containing current data from an extract from the relevant register;
e) or on the basis of another document, data or information from a reliable and independent source , including, where available, electronic identification means or relevant trust services as defined in Regulation 910/2014.

In the case of identification of a beneficial owner who is a person referred to in art. 2 sec. 2 item 1 letter a fifth indent of the Act (beneficiary who is a natural person holding a senior management position), the obligated institutions shall document:

а) all difficulties resulting in the inability to determine or doubts as to the identity of natural persons specified in Article 2, paragraph 2, point 1, letter a, first to fourth indent of the Act;
b) all difficulties related to legitimate actions taken to verify the identity of the beneficial owner.

The principles of conduct in the case of identifying a beneficial owner who is a person referred to in Article 2 section 2 point 1 letter a, fifth indent of the AML Act (a beneficiary who is a natural person holding a senior management position) are described in point 12 of this procedure.

The identity of the customer and the beneficial owner is verified before establishing a business relationship or carrying out an occasional transaction.

Verification of the identity of the customer and the beneficial owner may be completed during the establishment of the business relationship if it is necessary to ensure the continuity of the business activity and when there is a low risk of money laundering and terrorism financing. In such cases, verification is carried out as soon as possible after the establishment of the business relationship.

In the case of establishing business relations or conducting an occasional transaction with a client who is an entity referred to in Art. 58 of the Act (entities obliged to report information on beneficial owners and update it, in particular: general partnerships; limited partnerships; limited joint-stock partnerships; limited liability companies; simple joint-stock companies; joint-stock companies, with the exception of public companies within the meaning of the Act of 29 July 2005 on public offering and conditions for introducing financial instruments to an organised trading system and on public companies; trusts whose trustees or persons holding equivalent positions: a) have their place of residence or registered office in the territory of the Republic of Poland or b) establish business relations or acquire real estate in the territory of the Republic of Poland on behalf of or for the benefit of the trust; professional partnerships; European economic interest groupings; European companies; cooperatives; European cooperatives; associations subject to entry in the National Court Register; foundations ), or an entity subject to the obligation to register information on beneficial owners resulting from the provisions of a Member State issued pursuant to Article 30 or Article 31 of Directive 2015/849, obligated institutions shall obtain confirmation of registration or an extract from the Central Register of Beneficial Owners or a register maintained in the appropriate Member State. These entities, at the request of the obligated institution applying financial security measures towards them, shall provide information or documents allowing the identification of the identity of their beneficial owners.

6) Assessment of economic relations and their ongoing monitoring consists in taking actions leading to the assessment of whether:

a) The transactions made by the person/entity do not demonstrate the characteristics of durability (especially repetition and regularity);
b) Transactions are consistent with original declarations and established customer profile;
c) The transactions carried out by the client do not violate the regulations related to the Money Laundering and Terrorist Financing Act;
d) Funds used for transactions do not come from undisclosed or illegal sources;
e) Identification data and verification documents are updated on an ongoing basis;
f) There are no other irregularities resulting in a possible violation of applicable regulations.

An important role here is played by the declaration submitted by the client to the obligated institution, related to the purpose of establishing a business relationship or carrying out a transaction, the presented model of the client's business activity including the established risk related to this activity, the declaration submitted during the business relationship and the unusual behavior of the client deviating from the originally declared nature and purposes of establishing a business relationship or carrying out a transaction. The purpose of the declarations submitted by the client is to precisely define the subject of the client's business activity and the business relationships concluded in connection with it. The obligated institution documents the use of this financial security measure by completing the "Assessment of the business relationship" form.

When establishing a relationship, as well as during the duration of the relationship with the client, the obligated institution determines (updates) the client’s profile, which consists in particular of the following elements:

• value of transferred funds (the obligated institution ensures that the value of actual transactions does not differ from the client’s declaration or documents submitted by him, and therefore collects a declaration from the client regarding the value of the transactions carried out, e.g. PLN 5,000-10,000),
• frequency of transactions (the obligated institution ensures that the frequency of actual transactions does not differ from the client's declaration or documents submitted by him, and therefore collects a declaration from the client about the frequency of transactions performed, e.g. 3-4 transactions per day),
• type of transaction (the obligated institution ensures that the transactions carried out by the client are consistent with the type of transaction indicated in the client's declaration, and therefore collects a declaration of the type of transaction from the client)
• subject of the transaction (the obligated institution ensures that the transactions carried out by the client are consistent with the business profile declared by him/her, and therefore the obligated institution collects a declaration of the business activity performed),
• direction/country of the transaction (the obligated institution ensures that the direction/country of transactions carried out through the account is consistent with the directions/countries of transactions indicated in the client's declaration, and therefore collects an appropriate declaration from the client, e.g. that the client serves foreign entities and therefore often receives foreign transfers).

In order to fulfil the obligation referred to in Art. 43 sec. 3 of the Act, the obligated institution conducts an ongoing analysis of transactions, which process in practical terms has been included in the procedure for monitoring transactions and reporting suspicious transactions (STR).

The obligated institution documents the results of the current transaction analysis in a note in the form of a table, where it enters the individual transaction amounts, the date of the transaction, with the signature of the person making the entry, analysing whether these transactions significantly differ from the obligated institution's knowledge about the client, the type and scope of the business conducted by him, and whether the transactions are consistent with the risk of money laundering and terrorism financing associated with this client.

In order to conduct analyses, the obligated institution obtains information both from the client and about the client from other sources (public databases, open sources of information).

The assessment of the business relationship is updated on an ongoing basis, and in the event of a departure from the business profile originally declared by the client, the obligated institution updates the information about the client by documenting the application of financial security measures, including the reassessment of the business relationship, as well as the information obtained about their purpose and intended nature.

In the event of a transaction being disclosed:

1) complicated or
2) involving high amounts that are not justified by the circumstances of the transaction, or
3) carried out in an unusual way, or
4) that seem to have no legal or economic justification
- The obligated institution shall take action to clarify the circumstances in which these transactions were carried out and, in the case of transactions carried out within the framework of economic relations, shall intensify the application of the financial security measure referred to in Article 34 paragraph 1 item 4 of the Act (as part of the ongoing monitoring of economic relations), in relation to the economic relations within the framework of which these transactions were carried out.

If the information collected does not allow determining that the transactions correspond to the established client profile, the obligated institution should take steps to limit the risk. If the obligated institution is unable to determine the justification for the transactions carried out by the client, in particular when these are complicated transactions or transactions involving high amounts, or carried out in an unusual manner, or appearing to have no legal or economic justification, this means that it is not possible to apply financial security measures. It is therefore necessary to take the actions indicated in Article 41 of the AML Act (referred to in the next point 7). If the obligated institution obtains information that is insufficient to determine the nature of the transaction, it should take steps due to the impossibility of applying financial security measures.

Customer service cannot continue until the customer provides explanations that demonstrate the economic justification for the customer's transaction. Simply attempting to contact the customer, e.g. sending a letter, is not an application of financial security measures or establishing the justification for the transactions being conducted.

After re-applying financial security measures and updating documents, data and information about the client, as well as providing all necessary explanations by the client, the obligated institution may resume customer service. The obligated institution is guided by the principle that it should know and understand the economic justification for the transactions made by the client.

In order to ensure that the documents, data or information held regarding business relations are updated on an ongoing basis, the person acting on behalf of the obligated institution completes the "Note on updating data and information about the client".

7) What does the obligated institution do if it is not possible to apply one of the financial security measures?

a) does not establish economic relations;
b) does not conduct an occasional transaction;
c) does not conduct transactions through a bank account;
d) dissolves economic relations.

The obligated institution shall assess whether the inability to apply financial security measures constitutes a basis for submitting to the Inspector General the notification referred to in Article 74 or Article 86 of the Act.

8) Business relations or transactions with a politically exposed person and the application of enhanced financial security measures

In order to determine whether a client or beneficial owner is a politically exposed person, the obligated institution shall accept a declaration from the client in writing or in documentary form that he or she is or is not a person holding such a position.

In accordance with applicable regulations, if a risk analysis shows that a business relationship will be established or a transaction will be carried out with a politically exposed person (as a client or beneficial owner) or a family member of such a person or a person known to be a close associate of such a person, the obligated institution MAY carry out such a transaction. In such a case, however, the person carrying out the transaction shall obtain the approval of senior management for such action, and the obligated institution:

1) apply appropriate measures to determine the source of the client’s assets and the source of the assets at the client’s disposal within the framework of the business relationship or transaction;
2) intensify the use of financial security measures;
3) intensifies the application of the financial security measure referred to in Article 34 paragraph 1 point 4 of the Act.

In the period from the date on which a politically exposed person ceases to hold a politically exposed position until the date it is determined that such person is not associated with a higher risk, but for no less than 12 months, the obligated institution shall apply measures towards such a person that take into account that risk.

The above regulations apply accordingly to family members of a politically exposed person and persons known to be close associates of a politically exposed person.

The obligated institution determines whether the beneficial owner is a politically exposed person by receiving a written declaration using the customer identification form.

The obligated institution applies enhanced financial security measures in cases of higher risk of money laundering or terrorism financing, as well as in cases referred to in Art. 44-46 of the Act.

The use of enhanced security measures involves:

a) obtaining additional information about:
- the client and the actual beneficiary,
- the intended nature of the economic relations;
b) obtaining information on the source of the client’s and beneficial owner’s assets and the source of the assets held by the client and beneficial owner within the framework of business relations or transactions;
c) obtaining information about the reasons and circumstances of intended or carried out transactions;
d) obtaining approval from senior management to establish or continue business relationships;
e) intensification of the application of the financial security measure referred to in Article 34 paragraph 1 point 4 of the Act, by increasing the number and frequency of monitoring of business relationships and increasing the number of transactions selected for further analysis.

In the case of a transaction involving a high-risk third country identified by the European Commission, the obligated institution, in addition to applying the financial security measures referred to in Article 44 paragraph 1 of the Act, shall take at least one of the following actions to limit the risk associated with such transaction:

a) takes additional actions as part of the enhanced financial security measures applied;
b) introduces intensified obligations related to the provision of information or reporting of transactions;
c) limits the scope of economic relationships or transactions.

Enhanced customer due diligence measures are applied in situations referred to in paragraph 3 of this procedure if a higher and absolutely high risk associated with a client is identified.

9) Differentiation and intensity of financial security measures according to risk.

The institution applies financial security measures to Clients, to the extent and intensity taking into account the identified ML/FT risk related to business relationships or occasional transactions and their assessment. Depending on the identified and assessed risk of money laundering or terrorism financing, the following types of financial security measures are applied:

Type of risk	Type of financial security measures used
low	simplified (SDD) – only in the case of a low risk assessment of a given transaction or relationship;
Standard	standard (CDD)
high	increased (EDD), without the consent of management
high acceptable	Enhanced (EDD) + management approval
high unacceptable	Rejection of transaction, refusal to cooperate

5. Information accompanying transfers of funds to prevent ML/CT cases

The Institution applies the provisions of Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 in the event of transfers, if such are carried out by the Institution. The principles regarding the application of the aforementioned Regulation apply to transfers of funds in any currency, sent or received by the Institution, which participates in a given transfer as a payment service provider.

The rules set out in this section do not apply to transfers of funds:

- which involve the payer withdrawing cash from his payment account;
- to public authorities as payment of taxes, fines or other levies in a Member State;
- where both the payer and the payee are payment service providers acting on their own account;
- which are made through the exchange of digital images of checks, including checks converted to electronic form.

1) Obligations of the Institution as a provider of payment services to the payer.

The institution, acting as the payer’s payment service provider, executes the transfer of funds using at least the following information about the payer:

- payer's name/surname
- payer's payment account number
- payer's address, official personal document number, customer identification number or date and place of birth

The institution, acting as the recipient's payment service provider, shall carry out a transfer of funds using at least the following information about the recipient:

- name of recipient
- recipient's payment account number

By way of exception, if the transfer was not made from or to a payment account, the Institution shall use the unique transaction identifier in its internal record-keeping system instead of the payment account number.

The verification of the payer's identification data is carried out based on the principles specified in this Procedure, before the transfer of funds. If verification is not possible, the Institution does not carry out the transfer of funds.

Where all payment service providers involved in the payment chain are established in Poland, transfers of funds are accompanied by at least the payment account number (of the payer and the recipient) or a unique transaction identifier, by way of derogation from the rules set out above do not apply.

The institution, as the payer’s payment service provider, shall provide the following information within 3 business days of receiving a request for information from the payee’s payment service provider or intermediary payment service provider:

- for transfers of funds exceeding EUR 1,000, whether made as one or several transactions that appear to be linked, full details of the payer or payee
- for transfers of funds which do not exceed EUR 1 000 and which do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000 – at least: the name of the payer, the name of the payee and the payment account numbers of the payer and the payee, or a unique transaction identifier;

In the case of transfers made within the territory of Poland, not exceeding EUR 1,000, the Institution, by way of derogation, does not have to verify information about the payer, unless:

- he has received the funds to be transferred, either in cash or in the form of anonymous electronic money
- there is reasonable suspicion of money laundering or terrorism financing

3) Obligations of the Institution as a provider of payment services to the recipient

The institution shall implement supporting software and applications to detect whether the payer and payee information fields in the messaging or payment and settlement system used to execute the transfer have been entered using characters and data permitted under the conventions of the system used.

As part of the ongoing analysis of transactions, the institution ensures ex-post monitoring and real-time monitoring in order to detect any possible lack of information about the payer or recipient in the case of transfers exceeding EUR 1,000, i.e.:

- names of the payer and recipient
- payment account numbers or unique transaction identifier

Institution as a provider of payment services to the recipient:

- for transfers of funds exceeding EUR 1 000, irrespective of whether such transfers are made as one or several transactions which appear to be linked, before crediting the payee's payment account or making the funds available to the payee, the payee's payment service provider shall verify the accuracy of the information on the payee referred to above;
- for transfers of funds which do not exceed EUR 1 000 and which do not appear to be linked to other transfers of funds which, taken together with the transfer in question, exceed EUR 1 000, the payment service provider of the payee shall not be required to verify the accuracy of the information on the payee, unless the payment service provider of the payee withdraws the funds in cash or in the form of anonymous electronic money or has reasonable suspicion of money laundering or terrorist financing;

Verification of the payer and the payee is considered to have been carried out when it was carried out in accordance with the assumptions of this Procedure.

4) Funds transfers with missing or incomplete payer or recipient information

In the case of transfers with missing or incomplete information on the payer or recipient, the provisions of this Procedure regarding de-risking will apply, and the determination of whether to execute, reject or suspend a transfer of funds will be based on a risk assessment of the transfer in question, carried out in accordance with the guidelines of this Procedure.

If the payment service provider of the payee, when receiving transfers of funds, finds that the identification data referred to in this point is missing or incomplete, or that this information has not been provided using characters or inputs that are acceptable within the internal messaging or payment and settlement system, the Institution should reject such transfer or request the provision of the required information on the payer and the payee, before or after crediting the payee's payment account or making funds available to it, taking into account the risk.

If a payment service provider repeatedly fails to provide any of the required information on the payer or the payee, the payment service provider of the payee shall take steps, which may initially include issuing warnings and setting time limits, and then either reject any further transfers of funds from that payment service provider or restrict or terminate its business relationship with that payment service provider.

The institution, as a provider of payment services to the recipient, considers missing or incomplete information about the payer or recipient as one of the risk factors of whether a given transfer of funds or any transaction related to it raises suspicions and may be related to money laundering or terrorism financing. In the event of a justified suspicion, the institution notifies GIIF in the manner provided for in this Procedure and the relevant regulations.

5) Information exchange and data protection

The institution shall provide, without delay – also through the central contact point (if such a contact point has been designated) – and in accordance with the requirements set out in this Procedure and the AML/CFT Act, a full response solely to GIIF’s enquiries regarding the information required under Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015.

The collection, processing and sharing of personal data is carried out solely for the purposes of AML/CFT. The processing of such data for other purposes, including in particular commercial purposes, is prohibited.

Before establishing a business relationship or carrying out an occasional transaction, the Institution shall provide new customers with the information required under Article 10 of Directive 95/46/EC. This information shall include, in particular, a general notification of the legal obligations incumbent on the Payment Services Institution under the Regulation when processing personal data for the purposes of preventing money laundering and terrorist financing (the so-called GDPR clause).

Documents are stored in a manner that ensures their security and in accordance with the regulations on personal data protection in accordance with point 7 of this Procedure.

6. Principles of storing documentation and information.

The obligated institution and its employees are required to document the financial security measures applied, e.g. by making copies of documents, screenshots with the date or in any other way. The documentation is kept for a period of 5 years, counted from the date of termination of the business relationship with the client or from the date of conducting an occasional transaction. The documents are kept in a way that ensures their security and in accordance with the regulations on the protection of personal data. These issues are regulated by separate internal procedures. The General Inspector of Financial Information may request that the documentation be kept for another period of no longer than 5 years, counted from the date on which the 5-year period expires, if it is necessary to ensure the correctness of the proceedings conducted in cases concerning counteracting money laundering or terrorism financing or for the purposes of criminal proceedings.

The obligated institution stores for a period of 5 years, counted from the date of termination of the business relationship with the client or from the date of carrying out an occasional transaction:

a) copies of documents and information obtained as a result of the application of financial security measures, including information obtained using electronic identification means and trust services enabling electronic identification;
b) evidence confirming the transactions carried out and transaction records, including original documents or copies of documents necessary to identify the transactions.

The obligated institution stores the results of the current analysis of transactions carried out for a period of 5 years from the date they are carried out.

In the event of liquidation, merger, division or transformation of the institution obliged to store documentation, the provisions of Article 76 section 1 of the Act of 29 September 1994 on Accounting shall apply.

7. Principles for performing duties including providing the General Inspector with information on transactions and notifications and cooperation with the General Inspector of Financial Information

The purpose of the procedure is to determine events and situations that trigger the obligation of the obligated institution to report to GIIF. The reporting obligation of the obligated institution consists of:

a) Reporting of above-threshold transactions,
b) Reporting to GIIF about suspicious circumstances,
c) Notification to GIIF about a suspicion of committing a crime,
d) Providing information and carrying out activities at the request of GIIF.

In the event of a reasonable suspicion that a specific transaction or specific property values may be related to money laundering or terrorism financing, or in the event of a suspicion that these crimes (or other crimes) have been committed, notifications are submitted to the GIIF, fulfilling the obligation under Articles 74, 86, 89 and 90 of the Act on Counteracting Money Laundering and Terrorism Financing.

For example, notification to GIIF is submitted in the following cases:

• Lack of economic purpose to justify numerous transactions performed by the customer;
• Lack of documents confirming the source of the property values at the client’s disposal;
• Frequent and numerous transactions performed by a customer in one day;
• High transaction amounts;
• Splitting transaction amounts within one day;
• The entity's address is the address of the so-called virtual office, where other business entities are also registered;
• Connection of conducting non-registered business activity (without formal entry in the register).

Situations other than those mentioned above may also raise suspicion, in the case of justified circumstances, e.g. the convergence of IP addresses from which transactions are carried out, using an e-mail with the @protonmail.com domain, making transactions with the same user logging in from different accounts.

The notification is submitted electronically via the website https://www.giif.mofnet.gov.pl/#/glowna

The organization also cooperates with authorities in the event of a request for information.

1) Management:

a) accepts reports and assesses the justification for their further reporting to the supervisory authority,
b) is responsible for training employees in the field of information and reporting of necessary events,
c) cooperates with the authorities and provides them with the necessary documents and information.

2) Collaborators:

a) They report events described in the procedure,
b) in the event of obtaining information about the person who made the report, they ensure that their data is not disclosed to other employees and that the reporting person does not suffer any negative consequences related to the report,
c) in the event of obtaining information about a person who has been reported as potentially or actually responsible for a breach of AML/CFT regulations, they ensure that this information is kept confidential.

3) Situations in which the obligated institution provides information to GIIF:

a) a deposit received or a withdrawal made with a value exceeding EUR 15,000,
b) a transfer of funds with a value exceeding EUR 15,000, with exceptions specified by law.

The organization is required to immediately notify GIIF in the event of a reasonable suspicion that a given transaction or property values may be related to money laundering or terrorism financing. An employee, associate, intern and any other person who has a reasonable suspicion of the above shall provide the Management Board with information on this subject by e-mail or verbally. The deadline for providing information is immediate. The Management Board shall make a decision without undue delay on the further fate of the notification. After confirmation of receipt of the notification, the obligated institution shall not carry out the transaction.

4) Notifications to the General Inspector of Financial Information and the obligation to provide or make available documents or information and to perform activities at the request of the General Inspector of Financial Information

a) Notification to the Inspector General about circumstances that may indicate a suspicion of committing a crime of money laundering or terrorism financing (Article 74 of the Act)

In the event of grounds for notifying the General Inspector of circumstances that may indicate a suspicion of committing a crime of money laundering or terrorism financing, the institution shall make a notification. The notification shall be submitted immediately, but no later than within 2 business days from the date of confirmation by the obligated institution of the suspicion referred to in the previous sentence.

The notification shall state:

1) identification data referred to in Article 36 paragraph 1 of the Act of the client of the obligated institution;
2) identification data referred to in Article 36 paragraph 1 of the Act, of natural persons, legal persons and organizational units without legal personality that are not clients of the obligated institution;
3) the number of the account maintained for the client of the obligated institution, marked with the IBAN identifier or an identifier containing the country code and the account number in the case of accounts not marked with IBAN;
4) the type and amount of property values and the place where they are stored;
5) information in its possession, referred to in Article 72 paragraph 6 of the Act, in relation to transactions or attempted transactions;
6) an indication of the European Economic Area country with which the transaction is related, if it was carried out as part of cross-border activity;
7) information on identified risks of money laundering or terrorism financing and on prohibited acts from which property values may be derived;
8) justification for forwarding the notification.

The notification is made via the IT system of the General Inspector of Financial Information.

b) Providing the General Inspector of Financial Information with information on a deposit accepted or a withdrawal made of funds with a value exceeding EUR 15,000 and a transfer of funds with a value exceeding EUR 15,000 (Article 72 of the Act).

The obligated institution shall provide the General Inspector with information on the accepted payment or withdrawal of funds with an equivalent value exceeding EUR 15,000 and the executed transfer of funds with an equivalent value exceeding EUR 15,000. The entity shall provide information within 7 days from the date of acceptance of the payment, withdrawal, executed transfer of funds or making the means of payment available to the recipient.

The information provided includes:

1) a unique transaction identifier in the Entity’s records;
2) the date or date and time of the transaction;
3) identification data, referred to in Article 36 paragraph 1 of the Act, of the client issuing the instruction or order to carry out the transaction;
4) identification data, referred to in Article 36 paragraph 1 of the Act, of the other parties to the transaction;
5) the amount and currency of the transaction that is the subject of the transaction;
6) type of transaction;
7) transaction title;
8) the manner of issuing an instruction or ordering a transaction;
9) account numbers used to carry out the transaction, marked with the International Bank Account Number (IBAN) identifier or an identifier containing the country code and the account number in the case of accounts without IBAN.

The information is transferred in accordance with the Regulation of the Minister of Finance on the transfer of information on transactions and the form identifying the obligated institution of 4 October 2018 (Journal of Laws of 2018, item 1946) via the platform: https://www.giif.mofnet.gov.pl

c) Notification to the GIIF in the event of a reasonable suspicion that a specific transaction or specific property values may be related to money laundering or terrorism financing (Article 86 of the Act).

The obligated institution, in the event of the occurrence of grounds for notifying the General Inspector, by means of electronic communication, of a case of reasonable suspicion that a specific transaction or specific property values may be related to money laundering or terrorism financing, shall immediately notify the General Inspector. In the notification, the Entity shall provide the information in its possession related to the suspicion and information on the expected date of the transaction. The notification shall include:

1) identification data referred to in Article 36 paragraph 1 of the Act (paragraph 4 point 3 of this procedure) of the client of the obligated institution;
2) identification data referred to in Article 36 paragraph 1 of the Act (paragraph 4 point 3 of this procedure), of natural persons, legal persons and organizational units without legal personality that are not clients of the obligated institution;
3) the number of the account maintained for the client of the obligated institution, marked with the IBAN identifier or an identifier containing the country code and the account number in the case of accounts not marked with IBAN;
4) the type and amount of property values and the place where they are stored;
5) information in its possession, referred to in Article 72 paragraph 6 of the Act (paragraph 6 point 4 letter b of this procedure), in relation to transactions or attempted transactions;
6) an indication of the European Economic Area country with which the transaction is related, if it was carried out as part of cross-border activity;
7) information on identified risks of money laundering or terrorism financing and on prohibited acts from which property values may be derived;
8) justification for forwarding the notification.

The General Inspector, in the event of determining that the transaction referred to above may be related to money laundering or terrorism financing, shall forward to the obligated institution a request to suspend the transaction or block the account for a period of no longer than 96 hours, counted from the date and time indicated in the confirmation of receipt of the notification. Immediately upon receipt of this request, the obligated institution shall suspend the transaction or block the account. In the request, the General Inspector shall specify the property values covered by the request. Until receipt of the request referred to in the previous sentence or release from the obligation not to carry out the transaction, but no longer than for 24 hours, counted from the moment of confirmation of receipt of the notification, the obligated institution shall not carry out the above transaction, in respect of which there was a reasonable suspicion, or other transactions debiting the account in which the property values referred to above were collected.

The Inspector General may release the obligated institution from the obligation to suspend a transaction if the information held does not provide grounds for notifying the prosecutor of a suspicion of committing a money laundering or terrorism financing offence or if it is considered that suspending the transaction or blocking the account could make it difficult for the justice authorities and services or institutions responsible for protecting public order, the safety of citizens or prosecuting perpetrators of offences or fiscal offences to perform their tasks.

The Inspector General shall submit requests or exemptions by electronic means of communication.

Immediately after submitting a request to the Institution obliged to suspend a transaction or block an account, the General Inspector shall notify the relevant prosecutor of the suspicion of committing a crime of money laundering or terrorism financing. After receiving this notification, the prosecutor may, by means of a resolution, suspend the transaction or block the account for a specified period, no longer than 6 months, counted from the date of receipt of this notification. The resolution on suspending a transaction or blocking an account, referred to above, may also be issued despite the lack of notification made by the General Inspector. The prosecutor's resolution on suspending a transaction or blocking an account shall specify the scope, manner and deadline for suspending the transaction or blocking the account. The resolution may be appealed to the court competent to hear the case. The prosecutor may extend the suspension of the transaction or blocking of the account for a further specified period, no longer than another 6 months. In this case, the scope, manner and deadline for suspending the transaction or blocking the account shall also be specified, and the resolution may be appealed to the court competent to hear the case.

The obligated institution, at the request of a client issuing an instruction or order to carry out a transaction about which there is a reasonable suspicion, or being the possessor or owner of property values about which there is such a suspicion, may inform such client about the submission by the General Inspector of a request to suspend the transaction or block the account. In this case, the provision of art. 54 of the Act (section 13 of this procedure) shall not apply. The suspension of the transaction or the blocking of the account shall cease if, before the expiry of the period of their application, a decision on property security or a decision on material evidence is not issued.

The obligated institution shall immediately notify the General Inspector, by means of electronic communication, of the transaction in respect of which there is a suspicion, if it was impossible to provide the notification before it was carried out. In the notification, the obligated institution shall justify the reasons for the earlier failure to provide the notification and shall provide the information in its possession confirming the suspicion referred to in par. 1. The provisions of art. 74 par. 3 of the Act (par. 6 item 4 letter a of this procedure) shall apply accordingly.

Persons acting on behalf of and for the benefit of the Obliged Institution should familiarize themselves with the GIIF announcement before making the notification: https://www.gov.pl/web/finanse/komunikat-nr-22-w-sprawie-praktycznych-aspektow-stosowania-srodkow-bezpieczenstwa-finansowego-oraz-przekazywania-zawiadomien-o-ktorych-mowa-w-art-74-i-art-86-ustawy-aml2

d) Request to suspend a transaction or block an account by GIIF (Article 87 of the Act)

The Inspector General, in the event of determining that a specific transaction or specific property values may be related to money laundering or terrorism financing, shall submit to the obligated institution, by means of electronic communication, a request to suspend the transaction or block the account. In the request to block the account, the Inspector General shall specify the property values covered by the request.

The obligated institution shall suspend the transaction or block the account for a period not longer than 96 hours from the moment of receiving the request referred to above.

Immediately after forwarding the request to the obligated institution, the Inspector General notifies the competent prosecutor about the suspicion of committing an offence of money laundering or terrorism financing.

After receiving this notification, the prosecutor may issue a resolution to suspend the transaction or block the account for a specified period of time, no longer than 6 months from the date of receipt of this notification. The resolution to suspend the transaction or block the account referred to above may also be issued despite the lack of notification by the Inspector General. The prosecutor's resolution to suspend the transaction or block the account shall specify the scope, manner and deadline for suspending the transaction or blocking the account. The resolution may be appealed to the court competent to hear the case. The prosecutor may extend the suspension of the transaction or blocking of the account for a further specified period of time, no longer than another 6 months. In this case, the scope, manner and deadline for suspending the transaction or blocking the account shall also be specified, and the resolution may be appealed to the court competent to hear the case.

e) Notification to the prosecutor about the suspicion that property values originate from a crime other than money laundering or terrorism financing (Article 89 of the Act)

1) The obligated institution shall immediately notify the relevant prosecutor in the event of a justified suspicion that the property values that are the subject of the transaction or accumulated in the account originate from a crime other than money laundering or terrorism financing or a fiscal crime or are related to a crime other than money laundering or terrorism financing or a fiscal crime. In the notification, the obligated institution shall provide the information in its possession related to the suspicion and information on the expected date of the transaction.
2) Until receiving a decision to suspend a transaction or block an account, no longer than for 96 hours from the moment of submitting the notification referred to in point 1, the obligated institution shall not carry out the transaction referred to in point 1 or other transactions debiting the account in which the property values referred to in point 1 were accumulated.
3) Immediately after receiving the decisions referred to in art. 89 sec. 4 and 7 of the Act, the obligated institution shall provide the Inspector General, by means of electronic communication, with information on the notifications referred to in point 1, and copies of these decisions.
4) The obligated institution shall immediately notify the relevant prosecutor about the transaction referred to in point 1, if it was not possible to notify about this transaction before it was carried out. In the notification, the obligated institution shall justify the reasons for not notifying earlier and shall provide the information in its possession confirming the suspicion referred to in point 1. The provisions of point 3 shall apply accordingly.
5) When sending the notification, the obligated institution shall use the notification template referred to in paragraph 1. The template may be used in the situation indicated in point 4 after supplementing the notification with the reasons for not sending the notification earlier.

f) Obligation to provide or make available documents or information at the request of the Inspector General (Article 76 of the Act)

1) At the request of the GIFI, the obligated institution shall immediately transfer or make available the information or documents in its possession, necessary to carry out the tasks of the GIFI specified in the Act, including those relating to:
a) customers;
b) transactions carried out, within the scope of data specified in Article 72 paragraph 6 of the Act;
c) the type and size of property values and the place where they are stored;
d) applying the financial security measure referred to in Article 34 paragraph 1 point 4 of the Act;
e) IP addresses from which connections were made to the IT system of the obligated institution, and the times of connections to this system.
2) In the request referred to in point 1, GIIF may indicate:
a) the deadline and form of providing or making available information or documents;
b) the scope of information and the deadline for obtaining it by the obligated institution in connection with the application of the financial security measure referred to in Art. 34 sec. 1 item 4 of the Act, or in connection with specific occasional transactions.
3) The information and documents referred to in point 1 are provided and made available free of charge.

8. Principles of disseminating knowledge of the provisions on counteracting money laundering and terrorism financing among collaborators (employees) of the obligated institution.

Senior management ensures access to knowledge of AML/CFT regulations among their colleagues, including employees. This involves in particular:

a) Sending current guidelines and other directions for action,
b) Providing written, electronic and oral information and explanations,
c) Informing about changes in regulations,
d) Providing, at least at the outset, access to training (possibly in the form of an online video) on counteracting money laundering and terrorism financing.

The obligated institution shall ensure that employees participate in training programs regarding the implementation of AML/CFT obligations, taking into account issues related to personal data protection. The training programs referred to above take into account the nature, type and scale of the activities conducted by the obligated institution and provide up-to-date knowledge regarding the implementation of the obligations of the obligated institution, in particular the obligations referred to in Article 74 paragraph 1, Article 86 paragraph 1 and Article 89 paragraph 1 of the Act.

The completion of training by an employee is documented by the issuance of a certificate by the entity organizing the training and a declaration of completion of training signed by the employee. Each newly hired employee is required to familiarize themselves with this procedure and complete dedicated training before starting to perform their official duties.

9. Rules for reporting actual or potential violations of anti-money laundering and terrorism financing regulations by employees

The obligated institution has implemented a procedure that allows employees and other persons performing activities (hereinafter referred to as "other persons") on behalf of the obligated institution to actually report potential violations of the provisions on counteracting money laundering and terrorism financing. The procedure consists in providing these persons with an e-mail address to which they can submit reports. Reports can therefore also be submitted anonymously. In connection with the above:

a) Notifications are received by reading the email message and taking appropriate action;
b) The data of an employee or other person are subject to special protection, therefore the content of the report is not made available to anyone outside the management. The obligated institution is obliged to ensure such working conditions that the person making the report does not feel negative actions, including discriminatory, repressive, in connection with the report;
c) In the event of disclosure of the identity of the reporting persons or those concerned by the report, as well as the possibility of establishing the identity of these persons, senior management staff shall establish the circle of persons who may have had access to it and instruct them on the obligation to maintain confidentiality and the consequences of failure to comply with it;
d) After receiving the report, senior management staff will verify it and if it is deemed valid, will take appropriate actions, including:
- suspension of transactions,
- notification of suspicion of committing a crime,
- notifications to GIIF.

In the above respect, this procedure also refers to the introduced procedure anonymous reporting violations regulations With range counteracting washing money and financing terrorism.

The obligated institution shall provide employees and other persons performing activities related to the implementation by the obligated institutions of the obligations referred to in Article 74, Article 86, Article 89 and Article 90 of the Act with protection against actions of a repressive nature or actions affecting the deterioration of their legal or factual situation, or consisting in making threats.

The obligated institution, its employees and other persons performing activities for the obligated institution shall not take any actions against employees and other persons referred to above that are of a repressive nature or that contribute to the deterioration of their legal or factual situation, or that consist in directing threats against them, in particular actions that negatively affect their working or employment conditions.

Employees and other persons performing activities for the obligated institution exposed to the activities referred to above are entitled to report to the Inspector General cases of such activities. The provisions of art. 80 sec. 1 and 2 of the Act shall apply accordingly.

10. Principles of internal control or supervision of compliance of the activities of an obligated institution with the provisions on counteracting money laundering and terrorism financing and the rules of conduct specified in the internal procedure.

Senior management:

a) It regularly analyses changes in the regulations on counteracting money laundering and terrorism financing in order to ensure their compliance with the procedure,
b) In the event of changes or the observation of inconsistencies or lack of precision, they take action to correct the procedure,
c) On an ongoing basis, he supervises how the procedure is used in practical terms to ensure its maximum effectiveness.

For this purpose, the obligated institution may prepare a report on internal control and supervision in accordance with the requirements and development of the obligated institution. Also, no less than every 2 years, the obligated institution prepares a risk assessment referred to in Article 27 of the Act, with a detailed analysis of the entity's activities and the application of the provisions on counteracting money laundering and terrorism financing.

When assessing the risk associated with the activities of an obligated institution, the following are taken into account in particular:

a) the national risk assessment prepared by GIIF and the report of the European Commission;
b) results of individual risk assessments related to individual clients.

2. The risk assessment of the obligated institution shall include at least:

a) description of the methodology for assessing the risk of money laundering and terrorism financing,
b) a description of the system for controlling identified money laundering and terrorism financing risks;
c) risk assessment of the obligated institution;
d) implementing mitigations to reduce the risk of money laundering and terrorism financing;
e) an indication of the level of risk of money laundering and terrorism financing and conclusions resulting from the risk assessment.

11. Principles for recording discrepancies between information collected in the Central Register of Beneficial Owners and information on the client's beneficial owners established in connection with the application of the Act.

When applying a financial security measure in the scope of identification and verification of the beneficial owner (Article 34, paragraph 1, point 2 of the Act), the obligated institution shall not rely exclusively on information from the Central Register of Beneficial Owners or a register maintained in the relevant Member State.

In the case of risk analysis, as well as identification and verification of the client, if a discrepancy is noted between the information collected in the Central Register of Beneficial Owners and the information on the client's beneficial owners established in connection with the application of the Act, a note about this is made in the Client Profile.

In the event of discrepancies between the information collected in the CRBR and the established information on the beneficial owner from the client, there is an obligation to record these discrepancies and take steps to explain the reasons for the discrepancies. The obligated institution is obliged to contact the client, explain how the client determined the beneficial owner, explain how the client determined the ownership and control structure, explain whether the method of determining the beneficial owner and the ownership and control structure of the client by the obligated institution was correct, explain why the client recognized a given person as the beneficial owner, collect new information and documents.

The process of recording discrepancies and submitting the notification referred to in Article 61a paragraph 1 of the Act is divided into stages during which the obligated institution should:

• apply the financial security measure specified in Article 34 section 1 point 2 letter a of the Act, consisting in identifying the beneficial owner and taking reasonable steps to verify his identity,
• apply the financial security measure specified in Article 34 section 1 item 2 letter b of the Act, consisting in identifying the beneficial owner and taking justified actions to determine the ownership and control structure – in the case of a client who is a legal person, an organizational unit without legal personality or a trust,
• determine and record discrepancies between the information collected in the CRBR and the established information about the client’s beneficial owner,
• take steps to explain the reasons for the discrepancy (for example, contact the client, explain how the client determined the beneficial owner, explain how the client determined the ownership and control structure, explain whether the method of determining the beneficial owner and the ownership and control structure of the client by the obligated institution was correct, explain why the client recognized a given person as the beneficial owner, collect new information and documents),
• confirm the recorded discrepancies (for example, confirm that the obligated institution did not make an error when determining the beneficial owner and the ownership and control structure of the client, if possible, confirm that the information on beneficial owners in the CRBR is incorrect, confirm the reasons for the discrepancy, determine whether the discrepancy is apparent or actual),
• prepare a justification for the discrepancy (for example, indicate and document what actions the obligated institution took to identify and verify the beneficial owner and the ownership and control structure of the client, what information and documents were the basis for the institution to determine the beneficial owner of the client and the ownership and control structure of the client, what information or documents were the basis for finding the discrepancy, what actions the institution took to confirm the noted discrepancies, what information the institution received in the course of confirming the noted discrepancies, what conclusions result from the analysis of the information and documents collected, for what reasons the obligated institution considered that the discrepancy was factual),
• provide the competent authority with verified information on these discrepancies, together with justification and documentation regarding the noted discrepancies - the institution provides a justification prepared in accordance with the instructions indicated above and sends full documentation related to the identification of the beneficial owner and confirmation of the noted discrepancies.

In the event of confirmation of the noted discrepancies, it is necessary to provide the competent authority in matters of the Register with verified information on these discrepancies, together with justification and documentation concerning the noted discrepancies. The notification is made electronically via the website https://crbr.podatki.gov.pl/adcrbr/#/ in the tab "Report discrepancy".

One type of discrepancy is the failure to report information on beneficial owners in the CRBR . Failure to report information in the CRBR should be interpreted as a declaration by the client that a given natural person is not the beneficial owner of the entity obliged to report information to the CRBR.

Verification of the beneficial owner may take place not only on the basis of a document from the register, but also on the basis of, for example, a company agreement or an agreement transferring ownership of company shares.

The obligated institution shall make every effort not to provide the competent authority with:

• information about any minor clerical errors in the CRBR (for example, an obvious typo in the beneficiary’s name),
• information about any inaccuracies in the client’s KRS extract (for example, an insignificant error in the value of the client’s shares),
• information about the lack of reporting information in the CRBR by entities not obliged to make such reports (for example, an ordinary association),
• information about inaccuracies that do not affect the determination of the beneficial owner (for example, failure to enter the beneficiary's middle name).

The obligated institution, when fulfilling the reporting obligation, assumes that clients approach the issue of determining the beneficial owner in a reliable manner and does not assume in advance that clients have made mistakes when reporting information about beneficial owners to the CRBR. Therefore, the obligated institution will try to remove any ambiguities in connection with the application of financial security measures.

In order to fulfil the obligation under Article 61a of the Act, the obligated institution completes the form "Note regarding the identification of discrepancies under Article 61a of the AML Act". The note is also completed when no discrepancies are revealed, then the note documents the action of the analysis performed and the fulfilment of the obligations of the obligated institution regarding the fulfilment of the requirements under Article 61a of the Act.

12. Principles for documenting difficulties identified in connection with the verification of the identity of the beneficial owner and actions taken in connection with the identification of a natural person holding a senior management position as the beneficial owner.

In the event of difficulties in verifying the identity of the beneficial owner and the actions taken in connection with identifying a natural person holding a senior management position as the beneficial owner, a note is made in the Client Profile. This is an exceptional situation, therefore the principle is to determine the beneficial owner in accordance with the previous provisions of this procedure.

The obligated institution applies this method to determine the beneficial owner in the following situations:

1) where there is a complex and multi-level ownership structure and the analysis of the customer’s ownership structure leads to the conclusion that it is not possible to determine or there are doubts as to the identity of natural persons specified in Article 2 paragraph 2 item 1 letter a, first to fourth indent of the AML Act;
2) in which the ownership structure includes entities located in countries that do not publicly disclose detailed information – for example, on beneficial owners).

The obligated institution documents the following actions taken to verify the identity of the beneficial owner and actions taken in connection with the identification of a natural person holding a senior management position as the beneficial owner:

1) Actions taken to establish the identity of natural persons specified in art. 2 sec. 2 item 1 letter a, indents one to four of the AML Act (for example, obtaining an extract from the client’s National Court Register, the client’s company agreement, the client’s share transfer agreement, the employee writing down a note of a telephone conversation with the client’s representative) ;
2) Circumstances that have been recognized by the obligated institution as causing the inability to determine or doubts as to the identity of natural persons specified in Art. 2 sec. 2 item 1 letter a, indents one to four of the AML Act (for example, determining that each partner of the client - a natural person - holds 20% of the shares);
3) Difficulties related to justified actions taken to verify the identity of the beneficial owner, i.e. a natural person holding a senior management position (for example, failure to report information about the beneficial owner to the Central Register of Beneficial Owners, difficulties related to the lack of physical presence of the beneficiary, difficulties related to video verification) .

In order to meet the above obligation, the obligated institution has introduced a form to fulfill the obligation in question. It contains, among other things, a field to be filled in in connection with the identification of difficulties with the verification of the identity of the beneficial owner.

13. Obligation to maintain secrecy

The entity is obliged to keep confidential the fact of providing the General Inspector or other competent authorities with information specified in Chapters 7 and 8 of the Act and information on planning to initiate and conduct analysis concerning money laundering or terrorism financing. All documents and information related to the performance of obligations resulting from the Act are confidential and should be stored in a safe place ensuring confidentiality of data and access only by authorized persons. The employee is also obliged to keep confidential all information about concluded transactions.

Information on suspicion that specific property values may originate from criminal activity or be related to terrorism financing is transferred between entities in the group. The General Inspector may order an obligated institution in the group to keep the fact of such suspicion confidential.

14. Sanctions policy

In order not to carry out transactions or enter into business relations with persons who are on sanctions lists, as well as to fulfil the obligations under Articles 117-119 of the Act, the obligated institution checks the client's data in sources located at the following websites:

1) https://www.gov.pl/web/finanse/lista-osob-i-podmotywow-wobec-ktorych-stose-sie-szczegolne-srodki-zdrowiejace-na-podstawie-art-118-ustawy-z-dnia-1-marca-2018-ro-powiedzdzialaniu-praniu-pieniedzy-i-finansowania-terroristyczny
2) https://www.gov.pl/web/finanse/sankcje-miedzynarodowe-giif
3) https://www.gov.pl/web/mswia/lista-osob-i-podmotywow-objetych-sankcjimi

The client is checked against sanctions lists using one or more methods:

1) Designation in the electronic system of the obligated institution;
2) Confirmation on the risk assessment card;
3) Note (possible in individual or collective scope).

The obligated institution may keep a screenshot, but this is not required for verification purposes. The obligated institution may document the fulfillment of the obligation in question with a note.

Verification of the client on sanctions lists takes place at the time of establishing a business relationship/conducting a transaction in relation to which financial security measures are carried out. Updating information about the client in the above scope is carried out at the time of updating other information about the client related to the nature and purpose of the business relationship.

In the event of a client being disclosed on the above-mentioned lists (within the scope of specific restrictive measures), the following shall apply:

a) freezing of property values owned, held, controlled directly and indirectly by persons and entities, as well as benefits derived from these property values, which is understood as preventing their transfer, change or use, as well as carrying out any operation involving these values in any way that may result in a change in their size, value, location, ownership, possession, nature, purpose or any other change that may enable obtaining benefits from them;
b) not making property values available directly or indirectly to persons and entities or on their behalf, which means in particular not granting loans, consumer credit or mortgage credit, not making donations, not making payments for goods or services.

The obligated institution may simultaneously use a broader catalogue of sanction lists, especially in the event of the application of enhanced financial security measures or any other need in relation to the determination of such a need, in accordance with the circumstances or the established/established risk. The full catalogue of sanction lists (taking into account the above) includes:

1) Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia's actions destabilising the situation in Ukraine (OJ EU.L.2014.229.1, as amended),
2) Council Regulation (EU) No 269/214 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine (OJ EU.L.2014.78.6, as amended),
3) Regulation (EC) No 765/2006 of the European Parliament and of the Council of 18 May 2006 concerning restrictive measures in view of the situation in Belarus and Belarus's participation in Russia's aggression against Ukraine (OJ EU.L.2006.134.1, as amended),
4) US BIS Denied Persons List - https://www.bis.doc.gov/index.php/the-denied-persons-list
5) Canada Sanctions List - https://www.international.gc.ca/world-monde/international_relations-relations_internationales/sanctions/consolidated-consolide.aspx?lang=eng
6) Australian DFAT Sanctions List - https://www.dfat.gov.au/international-relations/security/sanctions/consolidated-list
7) Polish sanctions list - https://www.gov.pl/web/mswia/lista-osob-i-podmiotow-objetych-sankcjami
8) polish list of restrictive measures - https://www.gov.pl/web/finanse/lista-osob-i-podmiotow-wobec-ktorych-stosuje-sie-szczegolne-srodki-ograniczajace-na-podstawie-art-118-ustawy-z-dnia-marca-2018-ro-przeciwdzialaniu-praniu-pieniedzy-i-finansowaniu-terroryzmu
9) EU Sanctions List - https://www.sanctions-intelligence.com/global-lists/
10) Sanctions Targets UK - https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets/consolidated-list-of-targets
11) French Freezing of Assets - https://www.opensanctions.org/datasets/fr_tresor_gels_avoir/
12) SDN List - https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists
13) UN Sanctions List - https://www.un.org/securitycouncil/content/un-sc-consolidated-list
14) Netherlands Sanctions List - https://www.sanctions-intelligence.com/global-lists/
15) World Bank Sanctions - https://www.sanctions-intelligence.com/global-lists/
16) EU Sanctions on Countries - https://www.sanctionsmap.eu/#/main

The obligated institution may select other lists on an ongoing basis, even if they are not part of the procedure (sanction policy), in accordance with existing risks and information obtained. The databases of sanction lists are updated by the Company, using a re-search for Clients with whom business relations have been established (during their duration).

If the Client appears on one of such lists, the Company:

1) does not establish business relations or conduct Transactions,
2) In the event that the Company is in the process of a Transaction, it applies a hold on funds,
3) Apply restrictive measures specified in the Act,
4) if the Company has relationships, it then terminates such business relationship.