Dear Global XXKK Users,
Please carefully read XXKK's Anti-Money Laundering (AML) and Know Your Customer (KYC) policies.
XXKK's AML/KYC Policy and Procedures
This policy outlines XXKK's Anti-Money Laundering and Counter-Terrorism Financing (AML/KYC) policies and procedures. This policy is intended solely to provide general information and does not have any legal binding effect on XXKK and/or any other person (individual or otherwise).
A. Principles and Approaches of XXKK's AML/KYC Operations
XXKK is committed to supporting AML/KYC operations. In principle, we are dedicated to:
● Conducting due diligence when dealing with our customers or individuals acting on behalf of our customers;
● Developing business in accordance with high ethical standards and taking all possible measures to prevent the establishment of any business relationship that is related to or may facilitate money laundering or the financing of terrorism;
● Assisting relevant authorities to the greatest extent possible and cooperating with them to prevent the threat of money laundering and terrorism financing.
B. XXKK's Risk Assessment and Risk Mitigation Approach
a. Risk Assessment
We expect that most of our customers are retail customers. In this regard, we will record and/or collect documents related to the following aspects:
● The identity of our customers;
● The country or jurisdiction from which our customers originate or are located.
In accordance with our knowledge, skills, and capabilities, we ensure that the assessment and screening of our customers, their related parties, individuals appointed to act on behalf of our customers, and the beneficial owners of our customers are conducted with the help of designated individual and entity lists, including but not limited to the following categories:
● Democratic People's Republic of Korea (North Korea);
● Democratic Republic of the Congo;
● Iran;
● Libya;
● Somalia;
● South Sudan;
● Sudan;
● Yemen;
● UN1267/1989 Al-Qaeda List;
● UN1988 Taliban List;
● Individuals identified in Schedule 1 of the Terrorism (Suppression of Financing) Act (Chapter 325).
b. Risk Mitigation
If any individual or entity on the designated lists is identified, we will not engage with them.
C. New Products, Practices, and Technological Approaches
We will provide appropriate advice regarding the identification and assessment of potential money laundering and terrorism financing risks related to:
● The development of new products and business practices, including new delivery mechanisms;
● The use of new or developing technologies for new and existing products.
We will pay special attention to any new products and business practices that may facilitate anonymity, including new delivery mechanisms, as well as new or developing technologies such as digital tokens (whether securities, payment, and/or utility tokens) that facilitate anonymity.
D. Our Customer Due Diligence (CDD) Methodology
We do not open, maintain, or accept anonymous accounts or fictitious accounts.
If we have any reasonable grounds to suspect that the assets or funds of a customer are the proceeds of drug trafficking or criminal activity, we will not establish a business relationship with the customer or conduct transactions for the customer. We will file a Suspicious Transaction Report (STR) for such transactions and provide a copy to the relevant financial intelligence units.
We will perform Customer Due Diligence (CDD) in the following situations:
● When we establish a business relationship with any customer;
● When we conduct transactions for any customer who has not established a business relationship with us;
● When we receive cryptocurrency transfers on behalf of a customer with whom we do not have a business relationship;
● When we suspect money laundering or terrorism financing;
● When we suspect the authenticity or sufficiency of any information.
If we suspect that two or more transactions are related or connected, or that they have been deliberately restructured into smaller transactions to evade anti-money laundering and counter-terrorism financing measures, we should treat the transactions as a single transaction and aggregate their value to comply with anti-money laundering and counter-terrorism financing principles.
a. Customer Certification
We will certify each of our customers.
To certify our customers, we must at least know the following:
● Their full name, including aliases;
● Their unique identification number (e.g., ID card number, birth certificate number, or passport number, or if the customer is not an individual, their business registration number);
● Their registered address, or their registered business address (if applicable), and if the registered address differs from the business address, the primary place of business;
● Their date of birth, formation, or registration;
● Their nationality or place of registration.
If the customer is a legal entity, in addition to obtaining the above information, we must determine its legal form, charter, and the regulations governing and binding the powers of the entity. We will also identify its affiliates by obtaining at least the following information about each affiliate (e.g., directors, partners, and/or individuals with executive authority):
● Full name, including aliases;
● Unique identification number, e.g., affiliate's ID card number, birth certificate number, or passport number.
b. Verifying Customer Identity
We will use reliable, independent source data, documents, or information to verify the identity of our customers. If our customer is a legal entity or legal arrangement, we will use reliable, independent source data, documents, or information to verify its legal form, existence, articles of association, regulations, and powers binding the customer.
c. Identifying and Verifying the Identity of the Individuals Designated to Act
If the customer designates one or more individuals to act on their behalf in establishing a business relationship with us, or if the customer is not an individual, we will:
● Identify each individual acting on behalf of the customer by obtaining the following information:
● Full name;
● Unique identification number;
● Address;
● Date of birth;
● Nationality;
● Verify the identity of the individual using reliable, independent source data or documents.
We will also verify the appropriate authority of each individual acting on behalf of the customer by obtaining the following:
● Written evidence authorizing the customer to designate the individual;
● A sample of the individual’s signature.
If the customer is a government entity, we will only obtain the necessary information to confirm that the customer is the government entity it claims to be.
d. Identifying and Verifying the Beneficial Owner
We will inquire whether there are any beneficial owners associated with the customer.
If the customer has one or more beneficial owners, we will identify the beneficial owners and take reasonable measures using relevant information or data obtained from reliable, independent sources to verify the identity of the beneficial owners. We should:
If the customer is a legal entity:
● Identify the natural person(s) who ultimately own the entity (whether acting alone or jointly);
● If there is uncertainty regarding the natural person(s) who ultimately own the entity, or if there is no natural person who ultimately owns the entity, identify the natural person(s) who ultimately control or exercise effective control over the entity (if applicable);
● If no natural person can be identified, determine the natural person(s) with executive authority within the legal entity.
If the customer is a legal arrangement:
● For trusts, identify the settlor, trustee, protector (if applicable), beneficiary, and any natural person exercising ultimate ownership, control, or effective control over the trust;
● For other types of legal arrangements, identify the equivalent individuals in similar positions.
If our customer is not a natural person, we will determine the nature, ownership, and control structure of the customer’s business.
Beneficial owners will be identified and their identity verified for the following customers:
● Entities listed on a stock exchange;
● Entities listed on a stock exchange that are subject to regulatory disclosure requirements, and sufficient transparency requirements related to their beneficial owners;
● Financial institutions;
● Financial institutions subject to anti-money laundering and counter-financing of terrorism (AML/CFT) requirements in accordance with FATF standards;
● Investment vehicles for financial institutions or those subject to AML/CFT requirements in line with FATF standards.
Unless we suspect the authenticity of the CDD information or suspect that the customer's relationship with us or transactions may be related to money laundering or terrorism financing, we will also record the basis for our determination.
Regarding information and purpose of transactions in business relationships where accounts are not opened:
When processing applications to establish business relationships or conduct transactions without accounts, we will understand and, where appropriate, obtain information from the customer about the purpose and expected nature of the business relationship or transaction.
Reviewing Transactions Without Opened Accounts:
If we conduct one or more transactions for a customer without opening an account (current transaction), we will review the customer’s previous transactions to ensure that the current transaction aligns with our understanding of the customer, their business, risk profile, and source of funds.
When establishing a business relationship with a customer, the payment service provider should review all transactions before establishing the business relationship to ensure the business relationship is consistent with our understanding of the customer, their business, and risk profile, as well as the source of funds.
We will pay special attention to any complex, unusually large, or unusual transaction patterns where accounts are not opened and no obvious economic purpose is evident. We will investigate the background and purpose of such transactions as much as possible and document the findings for potential submission to the relevant authorities when necessary.
To review transactions conducted without opening accounts, we will establish and implement appropriate systems and processes in proportion to the scale and complexity of the payment service provider to:
● Monitor transactions conducted without opening accounts;
● Detect and report suspicious, complex, unusually large, or unusual transaction patterns occurring without accounts.
If there are reasonable grounds to suspect that transactions conducted without an account are related to money laundering or terrorism financing and we believe that the transaction is appropriate, the payment service provider should confirm and document the reasons for proceeding with the transaction.
e. Ongoing Monitoring
We will continuously monitor our business relationships with clients, particularly by reviewing the operation of client accounts and transactions to ensure that all transactions align with our understanding of the client, their business, and risk profile, and that the source of funds is in accordance with expectations.
If transactions involve transferring cryptocurrency to or receiving cryptocurrency from the following entities, we will implement our risk mitigation measures:
● Financial institutions;
● Financial institutions subject to AML/CFT regulations in accordance with FATF standards and under supervision.
We will pay particular attention to any complex, unusually large, or suspicious transactions throughout the business relationship that have no apparent economic or legal purpose. We will investigate the background and purpose of these transactions whenever possible and document the findings to provide to the relevant authorities when needed.
For ongoing monitoring purposes, we will establish and implement appropriate systems and processes proportionate to the scale and complexity of the payment service provider to:
● Monitor the business relationship with the client;
● Detect and report suspicious, complex, unusually large, or abnormal transaction patterns during the course of the business relationship.
We will review existing CDD data, documents, and information, particularly for higher-risk client categories, to ensure the relevance and currency of the CDD data, documents, and information obtained on the client, any appointed individuals acting on behalf of the client, the client’s affiliates, and the client’s beneficial owners.
If there is any reasonable suspicion that the existing business relationship with a client is linked to money laundering or terrorist financing, and we deem it appropriate to retain the client:
● We will confirm and record the reasons for retaining the client;
● The business relationship with the client will implement corresponding risk mitigation measures, including enhanced ongoing monitoring.
When assessing higher-risk clients or business relationships, the payment service provider should take enhanced CDD measures, including obtaining approval from senior management to retain the client.
f. CDD Measures for Non-Face-to-Face Business Relationships or Transactions
We will develop policies and procedures to address any specific risks associated with non-face-to-face business relationships or non-face-to-face transactions where an account has not been opened for the client (non-face-to-face business interactions).
During the establishment of the business relationship and ongoing due diligence, we will implement the policies and procedures.
When there is no face-to-face interaction, the payment service provider must perform CDD measures that are at least as stringent as those required for face-to-face contact.
When the payment service provider engages in the first non-face-to-face business interaction, the provider should hire an external auditor or an independent qualified consultant at its own cost to assess the effectiveness of the policies and procedures, including the effectiveness of any technological solutions used to manage impersonation risks.
We will appoint an external auditor or an independent qualified consultant to evaluate the new policies and procedures and submit the evaluation report to the authorities within one year after the implementation of any changes to the policies and procedures.
g. Reliance on Measures by Acquired Payment Service Providers
When we (the acquiring payment service provider) acquire all or part of another payment service provider’s business, we will review the measures taken by the acquired business on clients obtained through that acquisition unless the acquiring provider:
● Simultaneously obtains all corresponding client records (including CDD information) and has no doubts or concerns regarding the accuracy or adequacy of the information obtained;
● Conducts due diligence and raises no concerns regarding the adequacy of the AML/CFT measures taken by the acquired payment service provider for the business or parts of the business acquired, and records the process.
h. Measures for Non-Account Holders
If we conduct transactions for clients with whom we have no other business relationship, we will:
● Perform CDD measures as if the client has applied for a business relationship with the payment service provider
● Record full details of the relevant transaction to enable transaction reconstruction, including the nature and date of the transaction, the type and amount of currency involved, the value date, and details of the payee or beneficiary.
i. Timing of Verification
We will complete verification of the identity of the client, any designated representatives acting on behalf of the client, and the client’s beneficial owners prior to:
● Establishing a business relationship with the client;
● Conducting any transaction for the client when the client has not established a business relationship with the payment service provider;
● Transferring or receiving digital payment tokens on behalf of the client when the client has not established a business relationship with the payment service provider.
In the following cases, we may establish a business relationship with a client before completing the verification of the client, the designated representatives acting on behalf of the client, and the client’s beneficial owners:
● Delaying verification is essential to avoid disrupting normal business operations;
● The risk of money laundering and terrorist financing can be effectively managed by the payment service provider.
If we establish a business relationship before verifying the identity of the client, designated representatives acting on behalf of the client, and the client’s beneficial owners, we will:
● Develop and implement internal risk management policies and procedures specifying the conditions under which such a business relationship can be established prior to identity verification;
● Complete identity verification as soon as reasonably possible.
j. If Measures Are Not Completed
If we are unable to complete the required measures, we will not start or continue a business relationship with any client or conduct any transaction for any client.
If we are unable to complete these measures, the payment service provider should assess whether the situation is suspicious and whether it is necessary to submit a suspicious transaction report.
k. Definition of Completion of Measures
Completion of measures refers to the point at which the payment service provider has obtained, screened, and verified all necessary customer identification information required under paragraphs 6, 7, and 8 (including delayed verification as described in paragraphs 6.43 and 6.44), and the payment service provider has received satisfactory responses to all queries related to this necessary customer identification information.
l. Joint Accounts
For joint accounts, we will treat each account holder as an individual client of the payment service provider and perform CDD measures for each of them.
m. Screening
We will screen clients, any designated representatives acting on behalf of clients, the client’s affiliates, and the client’s beneficial owners against relevant sources of information related to money laundering and terrorist financing, and against lists and information provided by the regulatory authorities to determine whether any risks related to money laundering or terrorist financing exist.
We will screen in the following circumstances and for the following individuals:
● When we establish a business relationship with a client (or as soon as reasonably possible after establishing the relationship);
● Before conducting any transaction for a client who has not established a business relationship with the payment service provider;
● Before facilitating a transaction or receiving digital assets through value transfer for a client who has not established a business relationship with us;
● Regularly after establishing a business relationship with the client;
● When there are any changes or updates to:
● Lists and information provided by the regulatory authorities to the payment service provider;
● Any designated representatives acting on behalf of the client, the client’s affiliates, or beneficial owners.
We will screen all value transfer senders and recipients against the lists and information provided by the regulatory authorities to assess whether there are any risks related to money laundering or terrorist financing and will record the results of all screenings.
E. Our Enhanced Customer Due Diligence Methods
a. Politically Exposed Persons (PEPs)
We will make all reasonable efforts to determine whether the client, any individual acting on behalf of the client, any affiliates of the client, or any beneficial owners or their family members or close associates are politically exposed persons (PEPs).
If a client, any of the client's beneficial owners, or their family members or close associates are identified as a PEP, in addition to the regular customer due diligence measures, we will implement at least the following enhanced due diligence measures:
● Obtain approval from senior management for establishing and maintaining the business relationship with the client.
● Take reasonable steps to determine the source of wealth and funds for the client and any of its beneficial owners.
● Strengthen oversight of the business relationship with the client throughout the duration of the relationship. Any transactions that appear unusual will be subject to heightened monitoring, with escalated attention to the nature of the monitoring.
b. High-Risk Categories
We recognize that situations where a client may have a higher risk of money laundering or terrorist financing include, but are not limited to, the following:
● If the client or any of the client’s beneficial owners is from or located in a country/region or jurisdiction that the Financial Action Task Force (FATF) requires to implement anti-money laundering and counter-terrorism financing measures, the payment service provider should treat any business relationship or transaction with such clients as having a higher risk of money laundering or terrorist financing.
● If the client or any of the client’s beneficial owners is from or located in a country/region or jurisdiction identified by the payment service provider, or notified to the payment service provider by regulatory authorities or other foreign regulators, as having inadequate anti-money laundering or counter-terrorism financing measures, the payment service provider should assess whether any such client poses a higher money laundering or terrorism financing risk.
We will apply enhanced customer due diligence measures to clients who present a higher risk of money laundering or terrorist financing, or to any client identified by the regulatory authorities as presenting a higher risk in relation to money laundering and terrorism financing.
F. Handling of Bearer Negotiable Instruments and Cash Payment Restrictions
We will not make any payments in the form of bearer negotiable instruments.
We will not make any cash payments in the course of conducting business.
G. Value Transfer Procedures (To be implemented when necessary)
If we are a remittance institution, we must:
● Identify the remitter and take reasonable steps to verify their identity (if this has not already been done).
● Properly document the details of the value transfer, including but not limited to the date of the transfer, the type and value of the digital assets transferred, and the effective date.
If we are a remittance institution, we must include the following details in the memorandum or payment instructions attached to or related to the value transfer:
● The remitter's name.
● The remitter's account number (or unique transaction reference number, if applicable).
● The recipient's name.
● The recipient's account number (or unique transaction reference number, if applicable).
Value Transfers Exceeding a Specific Threshold
If we are a remittance institution, for value transfers exceeding a specified threshold, we must identify and verify the remitter's identity, including the memorandum or payment instructions attached to or related to the value transfer, along with the following:
● The remitter's address;
● The remitter's registered address or business address (if different, the primary business location should also be noted).
● The remitter's unique identification number;
● The remitter's date and place of birth, and the registration or filing of the value transfer.
We must securely submit all information related to the remitter and recipient of the value transfer to the receiving institution immediately and keep a record of all such information. If we, as a remittance institution, cannot fulfill these requirements, we will not proceed with the value transfer.
If we are a receiving institution, we must take reasonable steps to identify any missing information related to the remitter or receiving institution of the value transfer.
If, as a receiving institution, we make a cash or cash-equivalent payment to the recipient of the transferred digital assets, we must identify and verify the recipient's identity (if their identity has not previously been verified).
Before executing any value transfer, we must always review situations where information about the remitter or recipient of the value transfer is missing, and record our follow-up actions.
If we are an intermediary institution, we will retain all information related to the value transfer.
If we, as an intermediary institution, execute a value transfer to another intermediary institution or receiving institution, we must securely provide the information attached to the value transfer to the other intermediary institution or receiving institution immediately.
H. Record Keeping
We will retain appropriate records for at least 5 years as required.
I. Personal Data
We will protect the personal data of our clients in accordance with the regulations.
J. Suspicious Transaction Reports (STR)
We will notify the relevant authorities and submit suspicious transaction reports as required by law. We will also retain all records and transactions related to such transactions and suspicious transaction reports.
K. Our Compliance, Audit, and Training Policies
We will appoint an Anti-Money Laundering (AML) / Counter-Terrorism Financing (CFT) compliance officer at the management level, maintain independent audit capabilities, and take proactive measures to regularly train staff on AML/CFT matters.
Comprehensive Anti-Money Laundering / Counter-Terrorism Financing Risk Assessment for the Organization
We will conduct a comprehensive anti-money laundering / counter-terrorism financing risk assessment for the organization in three phases:
● Phase 1: Inherent Risk Assessment
We will assess the following inherent risks:
1. Clients or entities: We will assess the clients and/or entities we deal with.
2. Products or services: We will take note of those offering over-the-counter cryptocurrency services.
3. Geographical scale: We will not engage with clients listed on designated individual and entity lists.
● Phase 2: Assessment of Risk Control Measures
We will assess the risk control measures related to the above situations. We will monitor any and/or all clients we deem suspicious and conduct enhanced due diligence on them.
● Phase 3: Residual Risk Assessment
After assessing the risk control measures, we will evaluate the residual risk.