Procedures to prevent money laundering and terrorist financing
Methodology and common overarching procedures
The risk-based approach and the Group’s risk assessments
As an obliged entity under the AML Act and the ultimate parent company of a group of companies, Quickbit eu AB (publ) is required to establish common policies and procedures regarding measures against money laundering and terrorist financing within the Group.
The Group applies a risk-based approach in its measures against money laundering and terrorist financing. This means that the extent of measures, procedures, internal controls and resource allocations shall be appropriate and proportionate to the perceived risk of money laundering and terrorist financing.
Local differences in the type of operations conducted, how operations are conducted, typical customers, etc. can have the effect that the risk exposure is not identical across the Group. On the contrary, regional differences are expected to exist at any given time. Accordingly, the Group carries out several risk assessments, each relating to the operations and circumstances of one or more QB Businesses. These risk assessments constitute the fundamental outset for the measures against money laundering and terrorist financing applied within each QB Business.
Each risk assessment serves to identify and assess the threats against the operations to which the risk assessment relates, and to assess the level of risk of money laundering and terrorist financing in the relevant operations. When carrying out a risk assessment applicable to one or more QB Businesses, four primary risk factors are considered:
the products and services offered by the QB Business,
the customers of the QB Business,
the delivery channels used by the QB Business to distribute its products and services, and
the geographical areas in which the QB Business operates.
Each of these risk factors is assessed both individually and together. A risk factor may comprise several parameters to be considered when assessing the risk factor.
When assessing each risk factor individually, each product or service, each category of customers, each delivery channel and each geographical area is attributed an individual risk level based on the perceived risk of money laundering and terrorist financing. Thereafter, information regarding the individual customer is obtained in order to establish the customer’s Risk Profile, taking into account customer-specific information and whether it justifies a different assessment of the risk level than the typical risk level.
In assessing the risk factors together, a holistic perception of the overall risk level in a QB Business’ operations is obtained.
Determining individual customers’ Risk Profiles
Based on its risk assessment, a QB Business is given tools to assess which measures for customer due diligence are required and appropriate in light of the risk that each specific customer is associated with (the customer’s Risk Profile). An individual customer’s Risk Profile is determined on the basis of both risks that have been identified in the QB Business’ risk assessment and information attributable to the individual customer collected in the onboarding process.
For purposes of determining an individual customer’s Risk Profile (as well as for the purpose of carrying out risk assessments) customers are divided into numerous customer categories, each of which reflects a typical customer type.
Each risk assessment comprises a description of the customer categories applicable to the relevant QB Business. Each customer category is assessed and attributed a risk level. After taking into account this individual customer information, each customer is attributed a Risk Profile. As an individual customer’s circumstances may deviate from the typical circumstances of customers belonging to the relevant customer category, it is possible for individual customers within a customer category to be attributed a different Risk Profile than the preliminary typical risk profile of the relevant customer category.
As a cautionary measure, customers who qualify within more than one customer category, or in none of the categories, are treated as belonging to the customer category associated with the highest risk (out of the qualifying categories), in order to ensure that no customer is attributed a lower than accurate risk level.
Determining customer due diligence measures for individual customers
A customer’s Risk Profile determines the extent of customer due diligence measures to be taken in relation to each individual customer and the business relationship with such customer, in order to appropriately manage the risk associated with the customer/business relationship.
In order to detect and report suspected money laundering or terrorist financing activities within the operations of the Group, all customers and their transactions are subject to ongoing monitoring throughout the duration of the customer relationship.
The tools and procedures applied in, as well as the intensity of, ongoing monitoring of customers and their transactions shall be appropriate and proportionate to the risk in the relevant QB Business (i.e., considering both the level of risk and the type of threats that form the basis of the risk) as well as the risk associated with the individual customer.
Other measures for prevention of money laundering and terrorist financing
Based on the assessed risk exposure of a QB Business across its operations, a QB Business may implement risk mitigation in order forms than customer-specific measures. These may take the form of organisational changes, such as increased staffing in certain areas or employee training regarding money laundering and terrorist financing awareness and prevention.
Procedures for information sharing
In order to promote effective risk management within the Group, QB Businesses strive to share information to the extent permitted by the External Regulatory Framework.
The information to be shared within the Group is information that is relevant to the Group’s, as a whole, ability to identify, manage and mitigate the risk of money laundering and terrorist financing.
In particular, the following information is to be shared, to the extent that it has been collected and subject always to the permissibility of doing such collection and sharing pursuant to the External Regulatory Framework and in particular the GDPR.
Beneficial Owner information,
Transaction information, and
Information regarding suspicion
To the extent that a QB Business is restricted or prohibited, under local rules in the External Regulatory Framework, from sharing such information as set out above, the QB Business shall consider whether consent from the customers of the QB Business can be obtained and used to legally overcome such restrictions or prohibitions.
Authorities and responsibility
The Compliance Function is responsible for ensuring compliance with the Policy. The Compliance Function’s responsibilities include monitoring that each QB Business adopts the Policy and that each QB Business informs the Compliance Function thereof.
The CEO shall evaluate the Policy regularly, at least once a year and, if necessary, propose updates to the Policy and present these to the Board.
The Board shall, following proposed amendments to the Policy from the CEO, assess such proposals and, if it sees fit, adopt an updated version of the Policy.
Local procedures and guidelines are subsumed under the overarching Policy and shall be consistent with the Policy. Local policies shall, however, always comply with the External Regulatory Framework. If local rules under the External Regulatory Framework prevent a QB Business from applying the Policy, partly or fully, the Managing Director (or equivalent) of the QB Business may adopt a local policy with alterations in relevant parts as necessary. Any local policy deviating from the overarching Policy must be drafted in co-operation with the Chief Compliance Officer.