Vallis Payments Ltd

Anti-Money Laundering and Counter Terrorist Financing Policy

Last updated: 01.02.2026 Vallis Payments Ltd (hereinafter referred to as “the Company”) is a Company incorporated in Canada under registration number BC1526121. The Company is registered and supervised by the Financial Transactions and Reports Analysis Centre of Canada (hereinafter referred to as “FINTRAC”) with registration number C10001567 to provide services of foreign exchange dealing, money transferring, dealing in virtual currencies and payment service provider. It is therefore considered as Money Services Business Company under FINTRAC (hereinafter referred to as “MSB”). 

MSBs are required by Law to have systems and controls in place in order to ensure compliance with all applicable anti-money laundering (AML) and counter-terrorist financing (CTF) Laws and Regulations, (together referred to as “AML Laws”). The procedures and policies detailed in this document (hereinafter referred to as “the Manual”) ensure compliance of all of the employees of the Company, and any other relevant persons, with the obligations of the Laws, and specifically compliance with Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations.

 

The Board acknowledges that the implementation, adherence and maintenance of this Manual is key to combat any exposures and/or risk of money laundering and terrorist financing. The Manual will be periodically reviewed (semi – annually) and updated when is deemed to be necessary by the AML Compliance Officer of the Company or following any amendments of the revenant Laws/and Regulations. Overview Objective

The purpose of this Manual is to ensure compliance with all applicable rules and/or regulations for anti-money laundering and terrorist financing so as to eliminate any exposure to money laundering and terrorist financing. In addition, the purpose of this Manual is to:

  • Prevent the Company for being used for the purposes of financial crime, money laundering or terrorist financing.
  • Prevent the Company or its customers from becoming victims of financial crime.
  • Prevent the Company from carrying out business outside of its risk appetite.

The Present Manual should be read in conjunction with the other polices of the Company. 

Document hierarchy

The Company has different compliance and risk documentation, and each document its for a specific role.

 

Type: High level policy documents

Example: AML and CTF Policy

Description: Policy documents give a high-level overview of Compsny’s risk and compliance framework and may include key processes but do not go in to detailed processes and procedures or include specific or confidential information. Policy documents can be shared with third parties.

Type: Process documents

Example: KYB Process map, Transactional Monitoring rule set

Description: Process documents provide guidance to Company’s staff on how to carry out specific

functions and activities. These documents may include sensitive and confidential details (such as screening rules or specifics of fraud controls) and are not suitable for general distribution to third parties.

Type: Supporting documents

Example: Data request templates, Customer IDs,

Description: Supporting documents include specific templates and work products from compliance processes. Any completed documents or templates (e.g., with customer data in) would be confidential.

Blank templates for completion by third parties are, by definition, suitable for sharing externally.

Applicability

Use and adherence to this Manual is required for all employees of the Company and other Company’s group companies as applicable. The Company may decide to share this policy with selected clients and partners and in some instances clients or partners may also be contractually committed to adhering to this policy. In jurisdictions where local laws and regulations are stricter than this policy, the local law prevails.

Legal Framework

Laws/Regulations

MSBs, on the course of their business are required to comply with the provisions of the Proceeds of Crime (Money Laundering) and Terrorist Financing Ac, the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, any Ministerial direction and transactions restrictions that the Ministry of Finance may issue  and any other applicable Laws/and or Regulations as applicable and or Laws or guidance issued by FINTRAC from time to time regarding the prevention of Money Laundering and terrorist financing.  The main purpose of the revenant Laws is to define and criminalize the laundering of proceeds generated from all serious criminal offences, aiming at depriving criminals from the profits of their crimes.   

Regulators/ Supervised Authorities

 

The following regulators are relevant to the Company:

  1. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)

Company is supervised by FINTRAC as an MSB and shall apply its regulations. Company must report MSB related activities to FINTRAC on a periodic basis and must also register the management and beneficial owners and controllers of the business and ensure they meet with the “fit and proper” standards. Company is also registered under the FINTRAC for supervision of Company’s AML controls.

  1. Global Affairs Canada (GAC)

Global Affairs Canada (GAC) is the competent authority for the purposes of administering financial sanctions in force in Canada. This means it administers the Canada, UN and other regimes that require the freezing of funds and economic resources that belong to or which are owned, held or controlled by persons who are subject to asset freezes, and also administers restrictions on transfers of funds and on the provision of certain financial services.

Penalties for Non-Compliance

There are a variety of criminal and civil penalties for non-compliance with AML Laws and Regulations. Corporate penalties include fines, impositions of internal monitors and/ or loss of licence to operate. Individuals may be subject to fines, restrictions on professional employment and/ or imprisonment.   Reputational damage that may occur from incidents of non-compliance can be substantial and irreparable.

Roles and Responsibilities

Governance

In application of the Risk Based Approach, the role and objectives of the Company Compliance Function occurs within the framework of the “three-lines-of-defence model” (3 LoD). The 3 LoD apportions responsibilities within Company’s compliance framework to certain contributors. Responsibilities for compliance sits, in some ways, with all employees.

Compliance function

Compliance & Risk Department performs the following functions:

  • Defining the necessary level of knowledge on existing and emerging regulatory compliance requirements across the firm.
  • Creation, implementation and monitoring of Company’s compliance program.
  • Maintaining company-wide compliance culture.
  • Providing guidance, advice, and/or training and educational programs to improve Company’s understanding of related laws and regulatory requirements.
  • Providing strategic direction to the Management Board on compliance.
  • Preparing and presenting clear and concise compliance reports to the Board.
  • Coordinating efforts related to audits, reviews, and examinations.
  • Developing policies and programs that encourage all staff to report suspected fraud and other improprieties, without fear of retaliation.
  • Developing compliance and AML/CTF policies and procedures.
  • Coordinating internal compliance review and monitoring activities, including periodic reviews of subordinate departments.
  • Investigating and acting on matters related to compliance.
  • Monitoring external audit processes.
  • Applying KYC and Due Diligence measures to new and existing customers.
  • Monitoring business relationships with customers.
  • Monitoring outsourcing functions.
  • Performing vendor due diligence.
  • Performing ongoing transaction monitoring for fraud, ML and TF patterns.
  • STR filing.
  • AML/CTF training program development and actualization.
  • Staff training on AML/CTF matters.

Compliance & Risk Department directly subordinates to the Compliance Director.

Management Board

The Board of Directors of the Company (referred to as the “board”) hereby recognizes its obligations under the AML Laws to prohibit and actively pursue the prevention of money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities. The Board is committed to ensure that the business operates in a compliant manner and maintains a comprehensive and robust risk-based regime to prevent the Company from being used for the purposes of financial crime.

The BoD of the Company has the following responsibilities:

  • The Board is responsible for appointing a Money Laundering Reporting Office (MLRO).
  • The Board delegates the supervision of financial crime risks and monitoring compliance with legal obligations to the       Risk     Committee      and      day-to-day      responsibility  to the MLRO.

The regulation widens this responsibility to “Senior Management” who are defined as an officer or employee with specific knowledge of the institution’s exposure to AML/ CTF risk and sufficient seniority to make decisions affecting its risk exposure. This definition will therefore not be restricted to members of the Board of Directors.

Risk Committee

Membership & Composition

The Risk Committee (RC) is comprised of a Compliance Director and at least one other member of the Management Board. It is supported by the company’s Compliance Department. The Management Board appoints RC Chairman annually at the first Board meeting or prolongs authority of existing Chairman.

Responsibility

The RC assists the Management Board in fulfilling its oversight responsibility over company’s compliance management to make sure that Company complies with legislative provisions in the sphere of AML/CFT as well as in implementation of required control mechanisms to the end that the Company shall not be used as a vehicle to legitimize the proceeds of unlawful activity or to facilitate or finance terrorism.

Coordination

The Chair of the Committee shall coordinate with the chairs of the other committees of the Board with respect to the responsibilities assigned by the Board or the Committee and by applicable regulatory requirements to each of the committees in assisting the Board in its oversight of the AML/CFT risk management.

Authority

The RC has explicit authority to cause the investigation of any matter within its terms of reference, full access to and cooperation by senior management and full discretion to invite any director or officer to attend its meetings, and adequate resources to enable it to effectively discharge its functions.

The Committee shall have available appropriate funding from the Company, as determined by the Committee, for payment of:

  • compensation to any advisers employed by the Committee; and
  • ordinary administrative expenses of the Committee that are necessary or appropriate in carrying out its duties.

Specific Duties and Responsibilities

In line with RC’s duty to assist the Management Board in fulfilling its oversight on Company’s compliance with requirements of applicable laws and regulations:

  • It shall provide oversight on AML policy development and execution such that AML Policies and Procedures established by the Compliance Director, approved by the Board, led by Compliance Department and assisted by RC are adequate to ensure compliance and are kept updated/remain relevant to best react on the changing AML regulatory scenarios and conditions.
  • As designed, updated/revised and recommended by the Compliance Department and RC, it shall review and endorse to the Board for approval the AML/CFT program, documenting the policies and procedures of Company’s compliance with core components of applicable regulations.
  • It shall receive from, review and take action (as necessary) on AML/CFT-related reports coming from the Compliance Department. It may also devise and require new/additional AML/CFT reports to ensure that Company’s compliance with relevant regulations as well as effective management of AML risks are duly monitored.
  • It shall oversee and ensure the effective performance of the AML/CFT functions of the Compliance Department.
  • It shall report to the Board significant developments, issues and concerns in the company’s AML/CFT compliance if necessary.
  • RC shall consider approval of risky business relationships, such as PEPs.
Reporting to the Board

The Committee shall report to the Board periodically. This report shall include a review of AML/CFT provisions, list of filed Suspicious Transaction Reports, problematic areas and any other matters that the Committee deems appropriate or are requested to include by the Board.

Meetings

Participation in RC meetings is mandatory for the Director and the Compliance Director whereas is not mandatory for other members of senior management and company employees. The RC will meet at least on the quarterly basis and as soon as the need arises.

Facilitator

As one of Compliance Department’s Board-level committee reporting line, Compliance Department assists the RC in fulfilling its AML/CFT compliance oversight functions.  The Compliance Director shall also serve as the RC Secretary and shall facilitate its meetings. As such, the Compliance Director or his designated officer shall prepare the agenda for each meeting, send out notices to the committee members at least two (2) working days before the scheduled meeting date and prepare and submit the report after the meeting. The Compliance Director or his designated officer shall likewise draft and distribute the RC’s meeting minutes for review and approval of the members as well as maintain on file such records e.g. minutes or summary of matters reviewed and decisions taken that document RC’s fulfilment of its responsibilities and facilitate the assessment of the effective performance of its functions.

 

The RC shall evaluate/assess its performance at least annually within the first quarter of the year, preferably during the January Board meeting. The results of which shall be submitted/reported to the Board for notation during the following month’s Board Meeting.  The duties of RC are subject to Compliance Department’s review at least annually and as soon as the need arises to ensure its continuous effectiveness, incorporate best practices and reflect relevant AML-related legal or regulatory updates subject to RC’s endorsement to the Management Board for approval.

The Role of Compliance Director (MLRO)

Compliance Director is responsible for managing all aspects of the AML/CFT Compliance Program. This includes but is not limited to designing and implementing the program, making necessary changes and updates, disseminating information about the program’s successes and failures to key staff members and senior management, constructing AML/CFT-related content for staff training programs and managing Company’s adherence to all applicable AML/CFT laws and regulations, including staying current on legal regulatory developments in the field.

Compliance Director is based in the Compliance Department and is also a member of the Anti-Money Laundering Committee (AMLC). Please refer to the relevant section for more information on the AMLC.

Communication and delegation of duties

Company makes sure that Anti Money Laundering Compliance Officer (AMLCO)has the means and ability to communicate at all levels of the organization from front-line staff to the Executive Director and Management Board as it is crucial for the AMLCO to be able to articulate important matters to senior management. For doing so, AMLCO is equipped with direct reporting line to the members of the Board. Such access allows AMLCO to undertake a compliance oversight role in an effective matter. Currently, the role of AMLCO is assigned to an employee of the Company who oversees operations of the Compliance Department and is responsible for development and implementation of company’s AML/CFT strategy.

Delegation of AML duties

Compliance Director is primarily responsible for overseeing the compliance function within the Company, and ensuring compliance with laws, regulatory requirements, policies and procedures. As the compliance leader and expert, the Compliance Director is responsible for establishing standards and implementing procedures to ensure that the compliance programs throughout the firm are effective and efficient in identifying, preventing, detecting and correcting noncompliance with applicable laws and regulations.

The Compliance Director provides reasonable assurance to senior management and other members of the Board that there are effective and efficient policies and procedures in place, which are well understood and respected by all employees, and that the company is compliant with all regulatory requirements.

Compliance Director reports directly to the Executive Director and the Management Board.

Some of the duties of the Compliance Director include the following:

  • Defining the necessary level of knowledge on existing and emerging regulatory compliance requirements across the firm.
  • Guiding in a productive, professional way, the compliance teams.
  • Overseeing and monitoring the implementation of Company’s compliance program.
  • Providing guidance, advice, and/or training and educational programs, to improve Company’s understanding of related laws and regulatory requirements.
  • Providing strategic direction to the Senior Management on compliance matters.
  • Preparing and presenting clear and concise compliance reports to the Board.
  • Coordinating efforts related to audits, reviews, and examinations.
  • Developing policies and programs that encourage all staff to report suspected fraud and other improprieties, without fear of retaliation.
  • Developing compliance and AML/CFT policies and procedures.
  • Preparing STR reports.
  • Coordinating internal compliance review and monitoring activities, including periodic reviews of subordinate departments.
  • Independently investigating and acting on matters related to compliance.
  • Monitoring external audit processes.
  • Authorization of account closure when required by the procedure.
  • on the annual basis reports the performance of the AML/CFT Compliance Program to the Management Board to assess if the monitoring and the business performance are satisfactorily measuring and ensuring compliance.

The Company is subject to an independent assurance regarding the design and operational effectiveness of the control framework and compliance issues through an annual external audit. Company’s regulators can audit/ visit/ engage the company at their will, providing another opportunity for scrutiny and potential improvement of the control framework, albeit on a less frequent and more ad hoc basis.

Risk Assessment

Company applies a Risk Based Approach across the business, this requires identification, assessment, understanding and mitigation of AML/ CTF risk including considering risk factors such as customer, product, geography and channel. There is a requirement to evidence this approach as instructed by the regulation and the evidence is readily available to FINTRAC upon request.

This section outlines the assessment the Company has made of the likelihood the business could be used for financial crime and the steps we take to mitigate risks. The assessment of the risk posed by a client is taken into consideration the following risk categories:

  • Type of client and the nature of the business
  • The services we offer
  • The delivery channels
  • The geographic location of the client and their beneficiary

The nature of our customers’ businesses

Our customers range from long-established corporations who have gone through a face-to-face direct sales process (which are low risk) to newly established businesses who have applied online for the service (which are higher risk). They also have various forms of corporate structure, including limited companies, partnerships and sole traders amongst others.

At the point of onboarding, Company collects all relevant information sufficient to perform full client due diligence and check identities of all associated natural persons. Only verified and fully checked clients are granted with access to financial functionality. For required client information and due diligence measures please refer to the AML Procedures and Controls document.

Onboarded clients with full access to functionality within their profile type receive an initial cumulative, annual top-up limit which goes in line with our strategy of controlling the risks from the very beginning of a business relationship.

Active client may request an increase of his/her annual cumulative limits by providing additional information about him/herself along with documentary evidence, which is subsequently evaluated by the Compliance Department staff. Please refer to AML Procedures and Controls document for detailed information on the procedure “Change Account Limit”.

Company denies access to its services to clients, which reside or are established in “prohibited” countries, as well as restricts certain transactions with:

  • Countries which are identified by a credible source as lacking AML/CTF controls;
  • Countries under sanctions or embargos issued by, for example OFSI, UN, EU or OFAC;
  • Countries which have significant level of corruption, tax evasion, drug production or other relevant criminal activity;
  • Countries which are identified by a credible source as providing funding or support to terrorism;
  • High intensity drug-trafficking areas.

High risk businesses

The following is a list of business activities that we consider to be high risk. The list is not exhaustive and is reviewed by the Risk Committee on a quarterly basis and the Board updated.

  • Financial Services businesses
  • Financial Technology businesses
  • Subsidiary businesses where we need to follow a chain including through businesses registered outside of the Canada to reach beneficial owners.
  • Unregistered charities
  • Defence and aerospace
  • Clients linked with Politically Exposed Persons (PEPs).
  • Clients linked to adverse press
  • Trusts

Applications from such businesses are referred to the manual process for deeper review and a decision from the MLRO as to whether they are acceptable or not on a case-by-case basis. Regarding Financial Services and Financial Technology businesses in particular, the following are examples of sub-sectors which would be of an acceptable risk level (though each business would still be subject to individual review).

Regarding Trusts in particular, these are assumed to be unacceptably high risk (including where a Trust is included in the beneficial ownership structure of a client) unless a clear rationale for the existence of the trust can be obtained, along with acceptable documentation providing complete clarity of the individuals involved in the trust. Such cases are subject to review and acceptance by the MLRO as with all high-risk businesses, as well as being subject to review and acceptance from relevant banking partners where required.

Unacceptable businesses

The following is a list of business activities that we consider to be unacceptably high risk. Company does not offer services to clients in these categories:

  • Online gambling
  • Adult entertainment
  • Unregulated entities conducting activities that require regulations
  • Sanctioned entities appearing in the OFSI, EU, UN or OFAC sanction lists
  • Shell companies and shell banks. Shell company is perceived to be a corporate entity which corresponds to at least one of the below mentioned criteria:
  • No connection to the real business activity;
  • Company is registered in jurisdiction with lack of reporting obligations;
  • The company has no factual business address in the company where it is registered.

In line with Canadian legislation and industry-wide best practices, Company identifies its potential clients and their ultimate beneficial owners (UBOs), verifies their identities and performs standard (CDD) or enhanced (EDD) due diligence measures before the start of a business relationship.

Every single customer is risk-ranked individually and in line with Risk-Based Approach which has been developed by the Company and tailored to its client profiles, products and services as well as delivery channels. Company batch-checks the whole database of its clients against sanction and PEP lists, criminal sources and adverse media on the daily basis.

Every single transaction is routed through the rule-based Transaction Monitoring Module which uses omnichannel paradigm to analyse and crossmatch data obtained through different channels at once. The module evaluates every transaction (including peer to peer transactions) based on AML/CTF and anti-fraud rules. Company keeps track of client information for ongoing monitoring of business relationships.  Some of the measures include, but are not limited to keeping track of identification document, power of attorney and other document expiry dates, sending out due diligence questionnaires, investigating the reason behind unusually large and/or complex transactions etc.

Client behaviour is analysed with the help of an automated, self-learning algorithm, which identifies and reports to compliance staff abnormalities in client behaviour, spending patterns, location and other patterns.

The services we offer

The services we offer (payments and holding funds, plus marketplace of related products and services) could be attractive to criminals. We do not focus on international payments, though we can enable them, nor do we focus heavily on enabling our clients to pull payments from their customers. These factors reduce the risk slightly.

Our delivery channels

Company service is applied for and delivered electronically to the customer, predominantly without face-to-face interaction. This gives rise to greater risk due to the need to remotely verify the business and individual we are dealing with and assess the authenticity of the of the person instructing us. The online nature of this increases the risk of identity fraud. Where we have gone through a face-to-face sales process, this risk is reduced. This is carried out with our larger or high-risk clients.

 

Vallis Payments Ltd. Risk Log

As per the Risk Management Policy, the Risk Committee produces and maintains a Risk Log which will reflect financial crime risk as well as broader business risks.

Customer identification

Corporate entities

At the Company, customer onboarding of corporate clients always involves face-to-face identification (or online identification via a reputable third-party provider of such client. At initial stage, Company requires an authorized person of the corporate entity to provide a predefined set of documents and information on its directors and beneficial owners. Some of the required documents include the following:

  • Full Legal Name, Incorporation number and date of Incorporation – Copy of Certificate of Incorporation and Confirmation from the company registry or the regulator’s website;
  • Registration number;
  • Trading name(s);
  • Date of incorporation;
  • Country of incorporation;
  • Company phone number;
  • Company email address;

It is crucial for the Company to achieve full understanding of applicant’s type business, expected activity, geography, existing and prospective clients, estimated number and value of financial transactions. Such information is gathered by the Compliance & Risk Department staff and entered into CRM client profile along with scans of verified company and identification documents.

Company identifies directors and beneficial owners of the corporate entity before onboarding takes place. Additional documentation required for due diligence purposes includes the following:

  • UBO, Director and Authorised Person’s Passport / ID card;
  • License (if applicable);
  • Registered Office and Business address (if different) – Printout from Commercial register or copy of annual return;
  • List of Directors – Copy of annual return/Register of Directors;
  • Financial Statements – Copy of the Last Audited Accounts/Accounts filed with the company registrar/Management accounts;

Depending on the type of client and his industry, a relevant set of documents will be requested from the client.

Identification of beneficial owners

Company utilises various Central Registers and our own verification checks to identify and record Beneficial Owners.

We seek to obtain and record at least the following: –

  • Names of beneficial owners;
  • Dates of birth;
  • Nationality;
  • Nature and description of the beneficial ownership;
  • Source of funds;
Private individuals

Company identifies natural persons which are related to one of our corporate clients on the basis of a valid, government-issued photo ID with the person’s name, dob and identification number on it. Acceptable forms of ID can include passport and ID card. In cases where EDD is being performed – also driver’s licence (with photograph and only as a second piece of ID), bank statement, utility bill (not older than 3 months depending on the risk level and sophistication of due diligence) and other documents in addition to the initial identification document.

Where a customer has been identified as high risk or for large transactions, where necessary, we carry out enhanced due diligence.

Images of identification documents are passed to KYC vendor for further analysis and validation. Some of the checks include, but are not limited to:

  • MRZ with checks sums;
  • Colour wave;
  • Font tampering;
  • Lost or stolen;
  • Mortality register;
  • Selfie match to the image on the document (with liveness test). Company relies only on the information included in the verified ID.

Customer due diligence

Company adheres to and complies with the principles of KYC and due diligence, established by applicable legislation with aim to prevent money laundering and terrorism financing through client identification and due diligence. We take a risk-based approach and perform strict due diligence checks and ongoing monitoring on all clients and their transactions.

Due diligence checks are obligatory in Canada when forming a new business relationship as well as for a single transaction which exceeds CAD 1 000, foreign currency exchange which exceeds CAD 3 000 or where doubt exists about the identity or reliability of the customer. EDD is being performed on single-standing transactions which exceed CAD 15 000. We always utilise reliable sources for all checks and verifications, independent of the customer.

As per AML/CFT legislation, we utilise 3 levels of due diligence checks, dependent on the risk, transactions and customer and always strive to be one step ahead of requirements:

  • CDD – Customer Due Diligence is the standard due diligence procedure used in most cases for verification and identification.
  • EDD – Enhanced Due Diligence is used for high-risk customers, large transactions or specialised instances such as PEP’s or those from the FATF and other high-risk countries.
  • Additional checks – for certain business relationships on top of standard EDD measures. Mostly applicable to specific industries (i.e., maritime).

In accordance with recommendations, given by Joint Money Laundering Steering Group (JMLSG), we adhere to the below core obligations with regards to due diligence.

By doing so, the Company –

  • Carries out prescribed CDD measures for all customers not covered by exemptions at the very beginning of a business relationship, before providing any financial functionality to the client;
  • Has systems in place to deal with identification issues in relation to those who cannot produce the standard evidence;
  • Applies enhanced due diligence to take account of the greater potential for money laundering in higher risk cases, specifically when the customer is not physically present for identification, and in case of PEPs and foreign correspondent banking;
  • Doesn’t deal with certain persons/entities;
  • Has specific policies in relation to the financially (and socially) excluded;
  • If satisfactory evidence of identity is not obtained, the business relationship is not being proceeded further;
  • Has a CRM system for keeping customer information up to date;
  • Goes extra mile in identifying corporate client’s ownership structure and main partners to mitigate risks associated with clients.

Compliance Director/MLRO is responsible for ensuring that due diligence checks, and anti-money laundering measures are being completed and are fit for purpose. Annual audits are conducted on the procedure of due diligence, company checks and customer identification procedures to ensure that staff are carrying out the due diligence and AML processes in accordance with:

  • This Policy;
  • Other internal policies and procedures;
  • Company risk-based approach;
  • Relevant legal requirements.

Politically exposed persons

Company sees a Politically Exposed Person (PEP) as an individual who is or in the last 12 months has been entrusted with a prominent function and as such could potentially abuse such position or function for the purposes of laundering or other predicate offences, such as corruption or bribery. Due to the high risk associated with PEPs, The Financial Action Task Force (FATF) recommends that additional AML and due diligence controls and measures are put into place when entering into a business relationship with a PEP.

 

Company utilises existing commercial resources and other databases for the identification of PEPs and always ensures that initial KYC and due diligence include reviewing individual names against these resources and databases to identify PEPs immediately. We also keep our own in-house list of PEPs with which to cross-check KYC data.

Company invokes additional due diligence measures for all identified PEPs. Where Company decides to form a business relationship with PEP, we always ensure that: –

  • Risk Committee (RC) approval for establishing the business relationship is obtained and recorded;
  • We take reasonable measures to establish the source of wealth and source of funds;
  • We conduct EDD on prospective client;
  • We conduct enhanced ongoing monitoring of the business relationship;
  • Due diligence is performed on PEPs who are not our clients but are connected to one of our corporate clients by statutes or via notion of control;
  • EDD is performed when dealing with those who are PEPs in a state other than the UK, as well as family members or close associates of those PEPs.

A person who is a PEP shall continue to be treated as such for at least 12 months after the date on which that person ceased to be entrusted with that public function; or for such longer period as Company considers appropriate to address risks of money laundering or terrorist financing in relation to that person. These provisions do not apply to family members who should be treated as ordinary customers, unless other risks are apparent, from the point that the PEP leaves office.

Company considers following persons to be “close associates” of a PEP:

  • An individual known to have joint beneficial ownership of a legal entity or a legal arrangement or any other close business relationship with a politically exposed person;
  • An individual who has sole beneficial ownership of a legal entity or a legal arrangement which is known to have been set up for the benefit of a PEP.

Monitoring

Real Time Monitoring

Vallis Payments Ltd has implemented ‘real time’ velocity alerts per client type & risk rating. The velocity alerts allow channel, fraud and AML& CTF risk to be mitigated. The velocity alerts are parameters set to alert the compliance function to behaviour outside the customers profile e.g. high value, volume or an increased number of pay-ins.

Transaction Monitoring

The Company utilises rules-based transaction monitoring and screening to raise flags for manual review. This monitoring is to enable the detection of potentially suspicious or fraudulent behaviour. Below is a high-level view of the rules, further detail can be found in the Transaction Monitoring Rule Set.

Rules are made up of a combination of:

Generic rules which are applied across all clients, such as those to identify:

  • Structuring, or entering multiple payments just below certain limits
  • Individual high value payments
  • High value of payments over a set period
  • Payments to/ from specific countries
  • High value payments to new beneficiaries
  • Payments where the reference information entered causes suspicion
  • Customer specific rules based on expected volumes and behaviour for different customer groups.
  • Higher than expected value of payments (individual and over a set period)
  • Higher than expected number of payments over a set period

Monitoring applies to both inbound and outbound payment flows.

Monitoring includes a combination of:

  • Retrospective monitoring where the payment is processed but may be subsequently investigated, for example
  • Where the flag is raised due to a pattern over a period of time
  • Where the flag is raised due to data which was not available to the Company at the point when the transaction was authorised, as may be the case on card payments
  • “In flow” screening where the payment is blocked pending investigation or confirmation from the customer, for example
  • High value payments, outside of a customer’s usual profile, to a new beneficiary, instructed through the Company’s platform
  • Payments where the reference information entered causes suspicion

The Company platform retains information on the details of very transaction (i.e., the customer and the beneficiary, including referencing).

Velocity Controls

The Company has implemented Monitoring Alerts, real time warnings that notify the compliance team to investigate. There are 3 types of Alerts; warn, hold and stop. These are built on parameters of velocity, client type and value to mitigate fraud, channel and AML risks.

Sanction Screening

The Company currently offers a service across various schemes. With inbound payments, the sender and with outbound payments the beneficiary will always be an account holder at another financial institution. This means that they will have undergone KYC at said financial institution, this reduces the risk of these individuals being a PEP or a sanctioned individual.

The Company does not have a regulatory obligation to complete KYC on these individuals. Sanction screening is implemented. All monitoring controls are assessed and developed monthly in order to mitigate the varying financial crime risks.

Suspicious Activity Reporting

As soon as any transaction was flagged by the Transaction Monitoring Module, the responsible Compliance & Risk Department employee reviews the flag and acts according to the procedure described in instruction. The staff member has an option to escalate the case to his manager at any time.

Compliance Officer performs an ongoing oversight function in line with established “four eyes” principle and assists Compliance & Risk Department staff in their daily duties.

As an authorized money service business, we are obliged to submit STR reports to FINTRAC in respect of any suspicious or inconsistent actions/information that may come to use or be known to us as part of our usual business. This includes where we suspect or have reasonable grounds to believe or suspect, that a person is engaged in, or is attempting, money laundering or terrorism financing.

MLRO is responsible for STR preparation and submission as soon as an incident or suspicion arises. MLRO candidature was accepted by the Management Board.

All documents relating to ML/TF reporting, business transactions, client identification and customer due diligence are retained for a minimum of five years.

The appointed MLRO ensures that the below minimums are met with regards to the information disclosed on any reports:

  • Full details of persons and entities involved;
  • Full details of the nature of their/our involvement;
  • The types of illicit activity involved;
  • The dates of such activities;
  • Whether the transactions have happened, are ongoing or are imminent;
  • Where they took place;
  • How they were undertaken;
  • The approx. and/or exact amount/s of money/assets involved;
  • What has given rise to the suspicion.

Using all the information available at the time, MLRO makes an informed decision using sound judgement as to whether there are reasonable grounds for knowledge or suspicion of money laundering / terrorism financing and to enable him to prepare the report, where appropriate.

In addition to the Suspicious Transaction Reporting (STR) preparation, Company also uses proprietary Internal Suspicion Report form to ensure that all information is correctly recorded at the time of suspicion and to enable us to retain our own record for analysis and pattern tracking.

All staff members are aware of their obligation to report any suspicious or suspected inconsistent activities to the MLRO with immediate effect.

Our STR always contains detailed, relevant and informed information alongside a summary for the ease of reading the report. Contact details and reasons for suspicions are duly noted and where applicable, we will also inform any law enforcement or government agency who may be best placed to utilise or act on the information provided.

Our dedicated MLRO (and the deputy in the MLRO’s absence) will prepare STR as soon as possible and will record this action in CRM system for audit trail and future analysis.

All Company employees are aware of the notion of “Tipping Off” which is an improper and illegal act of notifying a suspect that he or she is the subject of a Suspicious Transaction Report or is otherwise being investigated or pursued by the authorities.

Cases of fraud shall be reported to the FINTRAC.

Training

The Company has established and maintains ongoing compliance training program. The MLRO has overall responsibility for the establishment, maintenance and recording of training, including attendance. Training is undertaken at least once per annum by all Company’s employees. All employees take basic compliance training, to provide them with an appreciation and understanding of the regulations the Company operates under, including specifically the importance of the AML Manual and related anti-money laundering and counter terrorist financing procedures.

New employees complete their training upon joining the Company and their training is refreshed on an annual refresh basis. The content is provided below:

  • The Company’s obligations under the applicable financial crime laws and regulations,
  • including the MSB regulations and payment services regulations
  • The Company’s compliance and risk framework
  • The Company’s policies and procedures, including specifically the customer due diligence and
  • transaction monitoring procedures and the SAR process
  • reporting suspicious reports

Employees with responsibility for customer due diligence and transaction monitoring undergo additional training and certification where this is deemed necessary by the MLRO and Risk Committee. To ensure that learning is an on-going process, the Company has sessions where individuals present on various topics across the business.

Record Keeping Requirements 

Money service businesses have record keeping requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations.

The Company shall keep the following records|:

  • Copies of, or references to, the evidence obtained of a customer’s identity. Retained for five years after the end of the customer relationship.
  • Details of customer transactions retained for five years from the date of the transaction.
  • CDD documentation is retained for a maximum of 5 years after the business relationship has ended
  • Records of all AML and CTF training delivered includes dates and attendance.
  • Log of all internal and external SARs including dates and details of actions taken in respect of internal and external suspicion reports. Specifically including details of information considered by the MLRO in respect of an internal report where no external report was made.
  • Log of business risks including the likelihood and impact scores and any related mitigating actions taken.
  • Large cash transactions records;
  • Large virtual currency transaction records
  • Records of transactions of $3,000 or more
  • records of remitting and transmitting $1,000 or more in funds by means other than an electronic funds transfer
  • Records of electronic funds transfers of $1,000 or more
  • Records of virtual currency transfers equivalent to $1,000 or more
  • Foreign currency exchange transaction tickets
  • Virtual currency exchange transaction tickets
  • Service Agreement records 

Travel Rule 

The Company has in place procedures for the travel rule according to the relevant Laws.  The Company includes the travel rule information when it initiates an Electronic Funds Transfer (referred to as “EFT”) for which an EFT record must be kept.

The required travel rule information for EFTs is:

  • The name, address and account number or other reference number (if any) of the person or entity who requested the transfer (originator information);
  • the name and address of the beneficiary; and
  • if applicable, the beneficiary’s account number or other reference number.

According to the relevant Laws, the MSBs must also take reasonable measures to ensure that the travel rule information is included when they receive an EFT, either as an intermediary or as the final recipient. When sending an incoming or outgoing EFT (after receiving it as an intermediary). The MSBs must include the travel rule information they received or obtained through reasonable measures.

Third party information requests

The Company may from time to time receive requests for information relating to financial crime concerns from regulators, law enforcement or the compliance or fraud departments of third parties.  All such contact should be directed to the MLRO in the first instance. Any employees who receive such contact should:

  • Take the name and contract details of the person.
  • Not answer any questions or pass on any information.
  • State that the MLRO will contact the person back on an independently verified number.

Note that the Company will only release information with a court order or a request under the Data Protection Act. Where personal information is to be disclosed under a request, we will only disclose information for the stated purpose and only if not releasing it would be likely to significantly harm any attempt by police to prevent crime or catch a suspect.

 

Outsourcing

The Company uses reputable third parties to avoid certain risk in terms of compliance, AML and CTF related activities:

  • Technology and databases related to KYB/ KYC, AML and CTF procedures
  • Customer Due Diligence and on boarding
  • Transaction monitoring
  • Compliance advisors and consultants

Due diligence will be conducted on all providers of outsourced services.  The Risk Committee must approve all providers before to proceed to the establishment of business relationship with them.

Version History

Version 1.0

Date 01.02.2026