Financial Crime Policy and Know Your Customer (KYC) Procedure

1.    Introduction & Background

1.1 Scope & Purpose

The Financial Crime (“FC”) Policy (“Policy”) and the procedures outlined within apply to Bling Tech Ltd (“Bling Tech” or the “Company”) and Trinitydigi Ltd. (“Trinitydigi”) the commercial payment agent acting on behalf of Bling Tech.

The provisions of this Policy aim to reduce the possibility for the business and associated providers to be used for criminal purposes or violate the applicable regulations and therefore adhere to the requirements to obtain and maintain a Tobique gambling license.  The Policy covers the following key FC risk areas:

• Anti-Money Laundering (“AML”);

• Sanctions; and,

• Politically Exposed Persons (“PEPs”).

Defined as a remote gaming entity authorized by the Tobique Gaming Commission (“TGC”), Bling Tech is deemed to be carrying out “relevant financial business” in terms of the Prevention of Money Laundering (“ML”) and Funding of Terrorism and as such, Bling Tech is a subject to said Regulations. Therefore, Bling Tech is required to abide by the applicable legislation and guidance relating to the prevention of Money Laundering (“ML”) and Terrorist Financing (“TF”).

This Policy provides guidance detailing Bling Tech’s responsibility to prevent ML and outlines the compliance framework implemented in order to do so. The framework takes into consideration the relevant applicable regulations, in addition to industry best practice. This Policy includes (but is not limited to):

• Due diligence;

• Monitoring;

• Training;

• Record-keeping; and,

• Roles and responsibilities of the Senior Compliance Officer/Money Laundering Reporting Officer (“MLRO”).

1.2 Regulatory framework

Outlined below is a list of all relevant AML legislation, regulation, and codes that this Policy has been written in accordance with:

• The Regulations Concerning Anti-Money Laundering and Counter Terrorism Financing (the “Regulations”);

• The Tobique Gaming Act 2023 (“Gaming Act”);

• The Tobique General Code of Practice for Remote Gaming License (“General Code”);

• The Tobqiue AML Code of Practice for Remote Gaming License Holders (“AML Code”); and,

• International standards and recommendations as outlined by the Financial Action Task Force (“FATF”).

 1.3  Applicable definitions

1.3.1 Money Laundering

“Money laundering” means:

i)                   The activity whereby a person uses, transfers the possession of, sends or delivers to any person or place, or otherwise deals with, in any manner and by any means, any property or any proceeds of any property with intent to conceal or convert that property or those proceeds, knowing or believing that, or being reckless as to whether, all or a part of that property or of those proceeds was obtained or derived directly or indirectly as a result of criminal activity; or

ii)                 The activity whereby a person enters into, or becomes concerned in, an arrangement which he or she knows, or has reasonable cause to suspect, facilitates the acquisition, retention, use or control of criminal property by or on behalf of another person.

iii)                 the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect of, in or over, or ownership of property, knowing or suspecting that such property is derived directly or indirectly from criminal activity or from an act or acts of participation in criminal activity;

iv)                   the acquisition, possession or use of property knowing or suspecting that the same was derived or originated directly or indirectly from criminal activity or from an act or acts of participation in criminal activity;

v)                     retention without reasonable excuse of property knowing or suspecting that the same was derived or originated directly or indirectly from criminal activity or from an act or acts of participation in criminal activity;

1.3.2 Terrorist financing

“Terrorist financing” or “Financing of Terrorism” means an activity whereby:

i)               A person provides or collects funds, and intends or is negligent or reckless as to whether the funds will be used to facilitate or engage in a terrorist act; or

ii)              A person becomes involved in an arrangement which makes money or other property available to another if he or she knows, or has reasonable cause to suspect, it may be used for terrorist purposes.[1]

1.4  Client and Applicant for Business

The direct client of Bling Tech Ltd. and applicant for business shall be the player who enters into an agreement with the Company - or with a group company which who a service agreement is in place - by virtue of registration, agreeing to the Terms & Conditions, and funding the player account in order to utilize the Bling Tech Ltd. platform to play games remotely.

For the avoidance of doubt, a player who has registered and agreed to the Terms & Conditions but has not yet funded his player account is not considered to be an applicant for business.

In this scenario, an intermediary of Bling Tech Ltd., who shall enter into a business relationship with Bling Tech Ltd. for the purpose of attracting players to Bling Tech Ltd., shall also satisfy the definition of applicant for business.

2.    Document structure

Each section below is divided into the following parts:

a)     The applicable provisions in the AML Regulation, AML Code, and other legislation;

b)     Guidance on implementation (where applicable);

c)     Bling Tech’s policy in relation to the provisions; and,

d)     Procedures and Documentation – the processes by which the policy referred to will be implemented, including reference to other documents as appropriate.

3.    AML Systems and Controls – General

3.1 Provisions from AML Code and AML Regulation

Both the AML Code and the AML Regulation are applicable to entities which are offering the possibility to take part in offshore online interactive gaming in or out of First Nation Tobique, which is the case for Bling Tech Limited.[2] The AML Code stipulates when CDD should be applied:

i)      When establishing business relations

ii)     When carrying out occasional transactions

iii)    Where there is a suspicion of ML or TF

iv)    Where there is doubt about the veracity or adequacy of previously obtained customer identification data

The Company is obliged to apply the above measures and procedures including the cases when entering into or undertaking non-face-to-face relationships or transactions directly or indirectly through its affiliated group Company. [3]

In keeping with the requirements stipulated within the AML Regulations and Codes, the Company must ensure CDD measures are commenced at the point of account opening and must furthermore be completed within 30 days of the first deposit or before the Customer deposits more than an equivalent of EUR 2,000 of their own funds, prior to any money is paid out.

The Company is also obliged to establish policies and procedures on risk management practices, internal controls, record keeping, and the monitoring and management of compliance with the aforesaid policies, controls and procedures to adequately and appropriately mitigate risk and prevent the carrying out of operations that may be related to money laundering or the funding of terrorism.[4]

The Company must ensure that employees are made aware of applicable AML/CFT legislation as well as the subject person’s policies and measures in this regard. Employees of the Company must undergo appropriate due diligence procedures prior to their engagement, when transferred or when promoted. Employes are also expected to be provided with training regarding the recognition and handling of transactions carried out by, or on behalf of, any person who may have been, is, or appears to be engaged in money laundering or the funding of terrorism.[5]

3.2  Policy

Responsibility

The ultimate responsibility for the FC Policy of Bling Tech Ltd. is with the Senior Compliance Officer/MLRO. Day-to-day responsibility for the development and implementation of policies and procedures contained within this Policy is delegated to the Senior Compliance Officer/MLRO.

AML Policies and Procedures

The policies and procedures operated by Bling Tech in order to meet applicable FC regulations, including relevant AML and CFT requirements are documented in this Policy. Policies and procedures will be regularly reviewed to ensure that they continue to meet regulatory requirements and the changing risk environment as per Bling Tech as far as applicable.

AML Risk

The Senior Compliance Officer / MLRO will undertake regular assessments of the FC risks and Bling Tech’s strategy and success in mitigating those risks. Bling Tech will document its risk management policies and risk profile in relation to FC, including its application of such policies and in subsidiary documentation referenced herein.

Bling Tech uses the following guidance as a base for its FC risk model:

i.        A clear statement of the culture and values adopted towards the prevention of financial crime;

ii.       A commitment to ensuring that identity will be satisfactorily verified in all cases and in a risk based manner, before applicants for business are accepted as clients;

iii.      A commitment to ongoing customer due diligence throughout the business relationship;

iv.      A commitment to ensuring that staff are trained and aware of the law, their legal obligations, and how to meet those obligations; and,

v.       A clear allocation of roles, responsibilities and organizational structure, and recognition of the importance of staff promptly reporting their suspicions internally.

3.3  Procedures and documentation

Responsibility

The delegated day-to-day responsibility for the FC policy and operation of effective procedures is documented in the Senior Compliance Officer’s / MLRO’s Job Description in Annex I below.

Responsibility for the review and update of the FC Policy, and applicable sections, additionally rests with the Senior Compliance Officer / MLRO. Each version of the FC Policy will be reviewed and approved by the Board of the Company prior to being issued and will carry a review and approval date.

FC policies and procedures

The FC Policy is subject to Bling Tech Ltd.’s local and group policies and procedures regarding compliance monitoring, record keeping and reporting.

The FC Policy is reviewed periodically and, as necessary, updated in order to reflect changes in legislation, national and international findings, the profile of Bling Tech Ltd.’s customer base, and the services offered.

The procedures detailed within this Policy do not just reflect the AML obligations of the Company, but consider the regulatory requirements imposed by Tobique and suggested within the FATF Recommendations.  This Policy must be adhered to by all Company staff, including companies belonging to Bling Tech.

FC risk factors

An FC business risk assessment overview will be maintained in order to allocate and track the components of the separate risk classifications. Bling Tech Ltd. categorizes overall FC risk into:

·       Customer risk;

·       Product risk, service, and transaction risk;

·       Interface risk; and

·       Geographical risk.

As part of the periodic review of this FC Policy, the Senior Compliance Officer / MLRO will periodically assess the FC risk for each category in order to develop appropriate mitigating controls. See Annex II – Risk Assessment below:

4      Risk Assessment, Management and Risk-Based Approach

4.1 Provisions of the AML Code & AML Regulation

In accordance with Section 8 and 9 of Part 2 of the AML Code and of the AML Regulation, Bling Tech Ltd is required to have P&Ps in place to mitigate specific risks involved with business transactions or non- face-to-face transactions.

Based on the FATF recommendations, Bling Tech is allowed to apply an RBA. By adopting an RBA, it is possible for service providers such as Bling Tech to ensure that measures to prevent or mitigate ML and TF are commensurate with the risk identified. Although all customers are subject to minimum due diligence standards, customers identified as high risk must be subject to EDD, whilst low risk customers may be subject to the standard minimum prescribed customer due diligence.

4.2  Guidance on Implementation of Risk-Assessment Procedures

Risk Assessment

For the implementation of risk-assessment procedures, the AML Code recognizes the FATF Standards and that the Company should prepare a risk-assessment, as well as policies, controls, and procedures curated to manage and mitigate ML/FT risks.

The purpose of the risk-assessment procedures is to enable the Company to be in a position to identify and assess the ML/TF risks that the subject person is or may become exposed to and thereby determine:

a)     Whether the application of enhanced due diligence is necessary;

b)     The point in time when the application of CDD should be applied; and,

c)     Whether a customer presents a low risk of ML/FT for the purposes of delaying the performance of verification proceedings to after the commencement of a business relationship, as has been discussed above.

Monitoring Controls

The AML Code & AML Regulation state that it is essential that the controls to manage and mitigate the identified risks are constantly monitored. This should be done so that in the event of a change in circumstances, which might mitigate or exacerbate a particular risk, the respective control is modified accordingly.

For instance, it is important that the Company has a system in place to identify changes in customer characteristics, as this would obviously have a bearing on the risk profile of the customer. Similarly, the threat posed by a particular product or service may cease to exist, which would lead to a re- consideration of the risk scoring of the business relationship. In view of this, the Company must be in a position to identify such changes.

The Company should also carry out periodic internal audits or assessments to review the adequacy of the risk assessment, the internal controls and the compliance arrangements. Such audits or assessments should also review the effectiveness of liaison between the different departments of the organization, and the effectiveness of the balance between technology-based and people-based systems. The review should also consider the effectiveness and compliance of third parties used by Bling Tech.

4.3  Policy

Risk-Based Approach

Bling Tech operates a Risk-Based Approach (“RBA”) to develop and operate its systems and controls designed to prevent financial crime.

AML risk is analyzed, as applicable, into the following risk categories:

·       Customer risk;

·       Product risk;

·       Transaction risk; and

·       Geographical risk.

The Risk Assessment and Mitigation Matrix in Annex II to this Policy identifies and explains the risks inherent to the particular services provided by Bling Tech, as well as the actions taken by the Company to mitigate these risks.

The Risk Factor table also in Annex II to this Policy identifies risk factors relevant to Bling Tech’s business that indicate a risk of money laundering or terrorist financing.

Risk assessment for the customers (“CRA”) is initiated upon reaching the accumulative deposit sum of EUR 2,000 with accumulative withdrawal threshold and continuously monitored and reassessed within the high-risk category. The procedure for arriving at a risk category is set out in Annex II below.

Financial crime risk assessment

The Senior Compliance Officer / MLRO will perform regular assessments of the financial crime risks and Bling Tech’s strategy and success in mitigating those risks.

Where a new service, customer group or new geography is addressed by Bling Tech., the FC risk assessment will be updated during development/launch (to ensure that AML processes can support the new activities). The results of the FC risk assessment will be used to support the development of appropriate systems and controls (policies and procedures) designed to minimize the risk of Bling Tech, being used for the purposes of FC. All developments will be reported to the Board.

Risk Mitigation

In order to mitigate the risk of financial crime, Bling Tech will ensure that appropriate risk-based systems and controls are in place and operated for, amongst others, the Company as prescribed in Annex II below. Existing systems and controls will be reviewed and where necessary amended to reflect changes in assessed risk and identified vulnerabilities. Additional systems and controls will be implemented by the Senior Compliance Officer / MLRO where required.

Monitoring Controls

The FC Policy will be subject to Bling Tech’s policies and procedures regarding compliance monitoring. The Senior Compliance Officer / MLRO will ensure that the internal controls operated by Bling Tech are reviewed when there are changes to regulations or Bling Tech’s arrangements / products / markets.

When there is a change in Bling Tech’s FC policies or in the AML regulations governed by the TGC, this Policy, and associated materials, will be updated and details of the changes included in the Senior Compliance Officer / MLRO’s Annual Report.

4.4  Procedures & Documentation

Risk-Based Approach

The application of the RBA in the prevention of FC is reflected in Bling Tech’s approach to the operation and development of the systems and controls implemented and are designed to minimize the risk of Bling Tech from being used for the purposes of FC Risk is central to the development of the business, new products, development of product functionality or the operation in new markets. The RBA is referenced in all Bling Tech Ltd’s FC and AML documentation.

Financial Crime Risk Assessment

Financial crime risk assessments are undertaken on an ongoing basis, and in particular, applied when the business environment changes through, for example:

·       Entry into new markets; and

·       Development of new products or product features / functionality.

Risk mitigation activities, i.e. the development of appropriate internal controls, flow from the findings of the risk assessments.

Risk assessments and the development of mitigating actions are documented in Annex II below and are accordingly reported to the Board of the Company.

Risk Mitigation

Bling Tech seeks to minimize the opportunities for carrying out financial crime, i.e. money laundering or funding of terrorism, and to then address and mitigate any risks that remain as further set out in Annexes II and III below.

Internal controls focus on:

·       Due diligence of customers, including levels of enhanced due diligence (“EDD”) based on risk assessments of each customer;

·       Assessing risks and setting out measures to mitigate the said risks;

·       Monitoring key risk factors for reassessing a specific customer’s risk; and

·       Financial crime systems and controls will continue to be developed over time in order to adequately address the changing risk environment.

Monitoring Controls

This Policy is reviewed and, if necessary, updated continuously in order to reflect changes in the FC policies and procedures which affect the operations of Bling Tech Ltd. Consequently, the Senior Compliance Officer / MLRO’s regularly reviews the following areas:

a)     Developments in legislation, including the AML Code; and the AML Policy.

b)     The GA and the FC risk assessments – whose performed as part of the development of new products, services, functionality or addressing new customers / markets.

c)     The operation of periodic internal controls, including monitoring, investigation, and reporting of suspicious activity.

d)     New typologies for fraud or FC, including feedback from regulators or law enforcement.

e)     Feedback received following the provision of training or Compliance reports to the Board by the Senior Compliance Officer / MLRO.

5     Customer Due Diligence

5.1  Provisions from the AML Code

Casinos have the obligation to undertake Customer Due Diligence measures when:[6]

a)     Identification via the registration process and then verification of the Customer’s identity using reliable independent or primary source documents (such as government-issued photo ID documents) or other appropriate electronic ID&V software;

b)    Gathering of supporting information and accompanying proofs (such as date of birth and residential address);

c)     Standard screening checks against industry-standard databases to identify PEPs, sanctions, and other adverse media;

The AML Code states that, CDD measures are to be applied in the following cases:[7]

·       When establishing business relations;

·       When carrying out occasional transactions;

·       When the subject person suspects that a transaction may involve ML/FT; or

·       When the subject person doubts the veracity or adequacy of previously obtained customer identification data, for the purpose of identification or verification.

In accordance with the requirements of the AML Code, Section 18.2 of the AML Code stipulates that CDD can commence within the first thirty (30) days of the first deposit or before the Customer deposits more than the equivalent of EUR 2,000 of their own respective funds, or before the Customer’s first withdrawal.

5.2  Policy

Customers of the Company are subject to risk-based initial and ongoing due diligence procedures according to the risk categories outlined in Annex II below and the Customer due diligence procedures set out in Annex III below.

Initial due diligence seeks to obtain the identity of the customer and verify the identity prior to the establishment of the business relationship. Information on the purpose and intended nature of the business relationship, is also obtained, such that the Company is able to establish the business and risk profile of the customer and to accept or reject a client based on the Client Acceptance Policy set out in Annex IV below. Ongoing procedures ensure that the initial due diligence information remains up to date.

5.3  Procedures and Documentation

The detailed procedures for the performance of risk-based customer due diligence are detailed in section 5.4 and 5.5 and also in Annex III below relating to Customer Due Diligence and Enhanced Due Diligence.

5.4  Customer Due Diligence (CDD) Procedure

CDD standards are designed to protect the Company against fraud, corruption, money laundering and terrorist financing. CDD is a verification check carried out by the Company to:

·       Identify that the customer is who they say they are;

·       Verify that the customer is over 18;

·       Combat and reduce fraud;

·       Prevent money laundering; and

·       Confirm that the funds being used are genuinely the customers.

CDD Requests

The Company operates an automated system whereby a customer playing on one or more of the brands offered by the Company is flagged and sent an automated email when they reach the accumulative deposit threshold of  EUR 2,000 across the licensee brands requesting documentation.

Customer accounts are flagged until documents are received and authenticated. No withdrawals are processed from a customer’s account until the KYC verification is completed.

CDD Documents

To fulfil the company’s CDD obligations, the customer must submit a valid ID and POA document dated within the previous three (3) months.

What documents do we accept as a Proof of Identity?

·       current signed passport

·       current photo card driving license

·       national ID card

·       government-issued ID document with photo

We only list these as authenticity of some documents may be easier to assess/forge than that of others. For example, government-issued identification documents such as identity cards and passports can be checked against standard official templates.

What documents do we accept as Proof of Address?

·       Council tax bill;

·       utility bill (e.g.: water, heat, fixed line telephone, fixed line internet etc)* 

·       bank statement

·       insurance certificate

·       correspondence from government authority, department, or agency

*Note: (not a mobile bill as it is not tied to an address. A utility bill is tied to an address).

We only list these as authenticity of some documents may be easier to assess/forge than that of others.

We have received the documents. What next? What is the minimum quality standard?

The minimum quality standard for Proof of Identity:

·       Face match (where applicable);

·       must show full name (be careful with derivations, update as necessary);

·       date of birth;

·       photo;

·       all 4 corners have to be visible;

·       colored (not black & white);

·       both pages (e.g.: of passport in the UK - so we can see the signature);

·       in date (not expired);

·       signed;

·       clearly legible;

·       in a language that is understood by the Company; and

·       has to be a picture of the original document, no scans or screenshots.

The minimum quality standard for Proof of Address:

·       Must show full name (be careful with derivations);

·       address;

·       be no more than 3 months old;

·       with account/reference/utility number;

·       clearly legible;

·       in a language that is understood by the Company; 

·       has to be a picture of the original document, no scans; and

·       has to be a picture of the original document. (Alternatively, the PDF received by the player is acceptable).

What if players do not have the standard documents?

There are many other documents that can be sent in. The Company only states these ones as they are the most dependable and least risky. However sometimes, players may genuinely not be able to send in the standard documents. If players insist that they do not have the documents which has been listed, please contact the KYC & Risk Team.

Please note this should be a rare occurrence as alternative documents open us up to more risk. These cases will be dealt with on a case-by-case basis in a risk-based manner. It is not a guarantee that we will accept the player’s alternative document.

Acceptable forms of ID if player has no standard ID document:

·       Birth certificate + selfie; and/or

Document capture and verification

The Company partners with an Identification Verification provider to assist in the capture and verification of documents provided by its customers.

Included in the automated KYC email request the Company sends are links for the customer to upload or take pictures of the required documentation.

Document authentication

On receipt of the required documentation, the Company deploys a team of KYC & Risk Agents who are responsible for matching the customer details against those submitted at registration and authenticating the documents supplied.

Where documents are verified, the customer is emailed to confirm, and customer accounts are in a verified status.

Where documents are incomplete, KYC & Risk Agents will follow up with the customer.

Where documents are found to be falsified or a player identified as underage, account(s) are immediately restricted, and details escalated to AML & Risk or Management.

Failure to comply

Where the customer fails to submit documents within thirty (30) days of the initial request the KYC & Risk Agents are alerted and will request them again. In those cases, the account will be disabled (meaning the deposit, gameplay and withdraw options switched off).

5.5 EDD Procedure

The Company wants to ensure that it does not allow customers to launder criminal proceeds through the Company’s casinos and to ensure that customers can afford their gambling spending.

Therefore, at the end of the EDD (SOF/SOW) process, there may be several potential outcomes:

·       Company is either satisfied with the information provided, or otherwise more information is required;

·       Customer account may be suspended or limited;

·       An internal SAR is escalated to the Senior Compliance Officer / MLRO for review - if there is an AML concern;

·       An internal RG escalation has been made to the RG team for review - if there is a responsible gaming concern.

How do we check Source of Wealth?

Source of Wealth can be established through the following means:

·       Enhanced Due Diligence documentation

·       Social media & internet searches (from reputable sources)

·       Adverse media checks

·       Additional checks through player contact

·       Third party Enhanced Due Diligence reports

Methodology when establishing Source of Wealth

1.     Obtain information on net worth of the customer

2.     Obtain information on where that net worth came from

3.     Verify the information on a risk sensitive basis

Obtain information on the net worth of the customer

An indication of customer’s net worth should be obtained through information provided through the EDD form obtained from the customer. Employment details in conjunction with estimated discretionary income should give a sufficient estimate.

Obtain information on the source of the net worth of the customer

Once the customer’s net worth has been established, information should be obtained on where it came from, i.e. inheritance, employment, business, investment.

In general, no single source is likely to account for the total net worth of the customer. The aim is to obtain as much specific information as possible, however whenever this is not possible, the information should cover those aspects that form a major part of the net worth of the customer.

When evaluating the net worth of the customer, publicly disclosed information is used when available. This includes categories as values of income, stock holdings, source of income, positions on boards of companies, etc.

What to look out for when establishing Source of Funds

The source of funds will most often be a bank account or a payment method that can be related directly to the client but even then, this knowledge may not be sufficient to confirm that the funds are from a legitimate source and therefore appropriate due diligence procedures are applied, based on the customer’s risk profile.

Incoming funds / Outgoing Funds

Review the customer’s incoming transactions to assess whether there is a risk that the customer is using the gaming account for layering purposes or that the funds are being spent irresponsibly. Ideally, funds used on the customer’s account need to be shown to be originating from a legitimate activity such as employment or business income.

Other sources of income should be accepted only if they are backed by high quality and reliable documentation which can be documented independently, if possible.

Outgoing transfers from customer accounts as shown in SOF must be assessed to identify whether the customer is moving funds and/or profits to other accounts or third parties. On a risk-based approach, questions may need to be asked to the customer.

Gambling winnings should not be solely relied upon. Customer should be asked to provide origin of funds proof as otherwise; a customer may use several remote gaming companies to create layers to hide funds which originated from illicit activities. Document requests regarding recycled winnings should be assessed on a risk-based approach.

Third Party involvement

When assessing enhanced due diligence documentation, it is important to fully understand if such documentation indicates the potential of a customer using a shared account or the customer account being used by third parties.

A potential risk is that due to the non-face-to-face nature of our business, the customer’s identity might be in use by a third party, or for the customer to be using the facilities of other individual to fund his gaming account

Some examples may include:

·       Fraud;

·       Misappropriation of funds from relatives, spouse, friends, or business accounts;

·       Acting as a mule on behalf of others; and

·       Identity theft.

When do we request Source of Funds?

While source of wealth documentation is requested to establish the overall wealth of a customer, Source of Funds documentation is requested in order to verify the legitimacy of the funds should there be (single and cumulative) transactions within a short timeframe.

When do we request Source of Wealth?

Documentary evidence must be supplied when:

·       Customer reaches the EDD deposit threshold (or another trigger)

·       Customer is detected through the daily AML alerts and is perceived as being higher risk/or there is a divergence between the risk profile and the customer behavior

·       Customer is identified through KYCP as being a high/extreme risk individual

·       Customer is reported by the Payment & Fraud Department or Responsible Gaming Department due to high-risk transactions

·       Customer is identified as being a Politically Exposed Person (PEP)

·       Customer logs in from a non FATF compliant country

In all cases the AML, KYC & Risk Team will do a risk assessment and establish what the source of wealth of the customer is.

6.    Ongoing monitoring

6.1  Provisions from the Regulations

Article 25 of the AML Codes state that the Company must implement ongoing monitoring for the duration of the relationship and not just at the initial onboarding stage. Ongoing monitoring must include (but is not limited to):

·       Regular screening against PEP, sanctions, and adverse media databases.

·       Transaction Monitoring activities in terms of which the frequency, volume and value of bets placed by an individual Customer must be monitored and compared in accordance with Section 23 Part 3, Section 21(2), Section 24 Part 3, Section 21(1) and Section 23 (3)of the AML Code, to the applicable expected customer transactional profiles. Unusual activity must be investigated and, in the case of potentially suspicious activity, will be escalated to the Senior Compliance Officer / MLRO in the form of a Suspicious Activity Report.

·       The identification and monitoring of ‘linked’ accounts owned by the same player.

6.2  Policy

Ongoing monitoring processes will focus on ensuring that due diligence information provided is up to date and that no documentation is expired. On-going monitoring will also ensure that there have been no material changes to the Customer/Player that affects the risk profile of the individual.

On-Going Monitoring Measures

On-Going Monitoring will be conducted on a continual basis for all Customers/Players and applicable Third Parties. On-Going Monitoring will include:

·       Ongoing Screening: Daily/Weekly screening against all relevant sanctions, PEPs, and adverse media lists.

·       Periodic Review: Periodic Reviews will be commensurate to the ML/TF risk associated with the Customer

·       Event Driven Reviews (“EDR”): An EDR will be initiated on the identification of a high-risk factor or red flag during the ongoing monitoring process (including Transaction Monitoring).

Due Diligence information

Due diligence information will be reviewed as follows to ensure that it remains up to date.

Low Risk Customers:              Once every 2 years

Medium Risk Customers:  Annually

High Risk Customers:           Quarterly

6.3  Procedures and Documentation

The Company notes that it offers a single service to its customers whereby the applicant for business is affecting payments for remote gambling services. Therefore, in all cases, the Company understands the nature of the relationship with the customer and all payments received are sourced from this business.

Training will be provided to relevant staff to ensure that they are aware of the requirement to stay alert to the possibility of suspicious activity and what suspicious activity might comprise. Training is addressed in Section 9 below.

Customer initial due diligence information set out in Annex III will be periodically reviewed to ensure that it remains up to date as per the above. This review is recorded by way of assessing whether any due diligence information has expired.

The review will also assess whether any changes have been made to the company structure and/or the people involved. In such an instance, due diligence will be updated accordingly.

7.    Reporting

7.1  Provisions from the Regulations and Codes

7.1.1 External Reporting

The AML Codes (Section 29) provides that the Company:

·       Have an obligation to report to the Commission, or Direct Licensee on behalf of the Commission, on any identified instances of suspicious activity where the License Holder knows of or reasonably suspects that certain behavior on the part of the Customer may be related to money laundering activity or where such activity appears to be unusual or at variance with the usual behavior or transactional activity of the Customer. License Holders must share all Suspicious Activity Reports with the Commission; and/or,

·       May be required to report on request, to the Commission, or Direct Licensee on behalf of the Commission, on additional AML/CFT requirements as deemed appropriate.

7.1.2 Suspicious Activity Reporting:

As per the Regulations (Section 25) the Company must lodge a suspicious matter report if, at a particular time:

·       The Company suspects on reasonable grounds that a customer is not the person the customer claims to be;

·       The Company suspects on reasonable grounds that the provision, or prospective provision, of its services is related to a financing of terrorism offence, or a money laundering offence, or other criminal offence; and/or,

·       A transaction, for whatever reason, does not appear to have a lawful economic purpose.

A suspicious matter report concerning a possible money laundering offence or other criminal offence must be lodged with the Commission within 5 business days after the day on which the reporting entity forms the relevant suspicion.

A suspicious matter report concerning or in relation to possible financing of terrorism, must be lodged with the Commission within 24 hours after the time when the reporting entity forms the relevant suspicion.

A suspicious matter report must contain a statement of the grounds on which the reporting entity holds the relevant suspicion.

A reporting entity shall fully document the reasons for any decision regarding the submission or non-submission of a suspicious matter report

7.1.2.1 Tipping off

If a reporting entity forms:

a)     A reasonable suspicion under Section 25 (1);

b)    Lodges a suspicious matter report with the Commission, or,

c)     provides documents or other information to the Commission,

neither the reporting entity nor any person employed or associated with the entity may disclose to someone other than the Commission that the suspicion has been formed, report lodged, or information has been communicated to the Commission, as applicable.

7.2  Guidance on Implementation

Internal Reporting

If the Senior Compliance Officer / MLRO concludes, for justifiable reasons, that an internal report does not give rise to a suspicion, the Senior Compliance Officer / MLRO need not inform the FIU. In this case, the MLRO shall keep a written record of the internal reports received, the assessment conducted, the outcome and the reasons why the report was not submitted to the FIU. Upon request by the FIU or the relevant supervisory authority acting on behalf of the FIU, or in completing the Annual Compliance Report, the Senior Compliance Officer / MLRO will make such information available.

7.3  Policy

Annual Compliance Report and MLRO Report

The Senior Compliance Officer / MLRO shall also prepare an “MLRO Report” to be presented to the Directors to outline issues pertinent to the management of financial crime, of which the Board should be aware. This MLRO Report is for internal purposes and does not need to be submitted to the Commission.

Internal Reporting

Bling Tech’s reporting policy applies to the ‘relevant staff’ of Bling Tech Ltd., Providers and Distributors. Relevant staff are those that handle or who are managerially responsible for handling, or are otherwise ‘close’, to customer transactions or accounts (Consumers and Merchants).

Bling Tech Ltd. will generate two types of suspicious activity reports:

•      Internal STRs - Internal suspicious activity reports may be generated by all relevant staff. Internal STRs are used to report suspicious activity to the Senior Compliance Officer / MLRO, and

•      External STRs - External suspicious activity reports are produced by the Senior Compliance Officer / MLRO in the event of suspicious activity having been identified and confirmed through investigation. External STRs are submitted to the Commission.

Records relating to both Internal and External STRs are kept in accordance with Bling Tech’s record- keeping policy. External STRs are kept for a minimum period of 5 years.

All relevant staff will receive both initial and ongoing training on anti-money laundering, detection of suspicious activity and the internal reporting process.

Internal Reporting – Bling Tech Ltd. Staff

Where a Bling Tech Ltd. staff member knows or suspects, or has reasonable grounds for knowing or suspecting, that any customer is engaged in money laundering, they must report these suspicions to the Senior Compliance Officer / MLRO using the Internal Suspicious Transaction Reporting Form (please find it in Annex 5)

Any Bling Tech staff member that does not adhere to the internal reporting requirements will be subject to disciplinary process.

Internal Reporting – Providers and Distributors

Where any relevant staff member in a Provider or Distributor, knows or suspects, or has reasonable grounds for knowing or suspecting, that any customer is engaged in money laundering, they should report their suspicion directly to the Bling Tech Ltd.’s Senior Compliance Officer / MLRO.

External Reporting (Senior Compliance Officer / MLRO)

Where a suspicious transaction report has been made to the Senior Compliance Officer / MLRO he/she will conduct investigations and access information on the customer, or the transaction, as necessary.

Where appropriate, an STR/SAR will be made to the Commission by the Senior Compliance Officer / MLRO which will include the mandatory information regarding the player’s account and the transaction(s) involved.

7.4  Procedures and Documentation

Senior Compliance Officer / MLRO Role

The responsibilities associated with the Senior Compliance Officer / MLRO role are documented in the Senior Compliance Officer / MLRO Job description.

To ensure that Bling Tech Ltd. maintains an AML approach that meets regulatory requirements, the Senior Compliance Officer / MLRO will regularly review developments in legislation and their impact on the policies and procedures contained in this Policy, including:

1.     Tobique legislation;

2.     National and International Findings; and

3.     Local legislation in the countries of relevant Providers and Distributors.

If changes in the Tobique anti-money laundering legislation are found to contribute to an increased risk of money laundering, through the periodic performance of a financial crime risk assessment, the policies and procedures in this FC Policy will be updated by the Senior Compliance Officer / MLRO. The Senior Compliance Officer / MLRO communicates changes in policies and procedures to all relevant parties.

In order to ensure that Bling Tech AML approach addresses current AML risk, the Senior Compliance Officer / MLRO undertakes regular financial crime risk assessments and considers the Bling Tech strategy and success in mitigating those risks, using the risk categories detailed in Annex II. The performance of risk assessments is detailed in Section 3 above. The results of these periodic assessments will be regularly reported to the Board of the Company.

Internal Reporting

Relevant staff will receive initial and periodic training to ensure that their reporting obligations, and the method of making an Internal STR, are understood as well as to assist them to recognize suspicious activity. Typologies are maintained and will be used as part of the training provided.

Internal STRs should be sent to the Senior Compliance Officer / MLRO using the ‘Bling Tech Ltd. Internal Suspicious Transaction Reporting Form’. The Senior Compliance Officer / MLRO acknowledges the receipt of all Internal STRs and will provide a reminder regarding tipping off requirements to the person making the report.

The Senior Compliance Officer / MLRO will investigate all reported suspicious transactions in light of all available information and document the findings, regardless of whether or not an external STR/SAR is made. All documented information will be retained with the Suspicious Transaction Reporting Form and retained in order to provide documentary evidence of the investigation process. Any further attempted activity on an account where an internal STR/SAR has been made must be reported to the Senior Compliance Officer / MLRO to ensure that appropriate action is taken in order to avoid tipping off.

External Reporting

An external STR/SAR is triggered when, after investigation by the Senior Compliance Officer / MLRO, a transaction, transaction pattern or account activity is deemed suspicious and suggests potential criminal activity. External STRs/SARs will be sent to the Commission.

8.    Record-Keeping Procedures

8.1 Provisions from the Regulations

The Regulations and AML Codes provides that the following records are to be kept for a period of at least five years:

·       All necessary records on transactions, both domestic and international

·       Records of the originator/payer information, and required beneficiary/payee information, on wire transfers, electronic fund transfers and other electronic payments; and,

·      All records obtained through CDD including copies or records of official identification documents, account files and business correspondence, for at least five years after the business relationship is ended, or after the date of the occasional transaction.

The Company must provide the Commission with a copy of all records as specified by the Commission, whenever a reporting entity relocates the business or ceases business.

8.2  Guidance on Implementation

Records may be kept in any of the following forms:

·       in physical files;

·       in scanned form;

·       in computerized or electronic form.

Subject persons should use a standardized approach to record keeping and must ensure that the approach used enables the quick retrieval of records.

8.3  Policy

The Senior Compliance Officer / MLRO is responsible for specifying which AML records must be retained and for ensuring that all such records are retained in accordance with Bling Tech Ltd.’s record-keeping policy.

Records may be held in paper-based and/or electronic form and may be stored by the Company. The Company will ensure that all AML records are retrievable without undue delay.

Records must be kept for a minimum of 5 years (may be extended to 10 years if required by the Commission). The table below provides guidance on the types of records that must be retained and their respective retention periods.

8.4  Procedures & Documentation

According to the Tobique regulations records are maintained for a period of at least 5 years. These records are the following: Outsourcing, Records of Customer Due Diligence, Internal & external suspicious transaction reports, AML Training, FC Policy.

9.    Awareness and Training

9.1 Provisions from the AML Regulations and Code

In accordance with Article 14 of the AML Code, the Company must ensure that all staff receive adequate AML/CFT training in order that they might understand the risks and their own responsibilities as regards the prevention and mitigation of ML/TF risks. The training provided may include both general and role-specific training.

After the training each attendee must undergo an assessment to evaluate their recently acquired AML/CFT knowledge. If a score of at least 75% is not achieved, attendees will be required to re-sit the test and/or repeat the training.

Every year on the anniversary of their initial training and assessment all staff must attend refresher training. Any changes to relevant regulations, policies or procedures should be covered within the scope of this annual training.

9.2  Guidance on Implementation

The Codes state that all employees should be made aware of:

·       Risks of money laundering and terrorist financing relevant to the business, the applicable legislation and staff obligations and responsibilities under the legislation;

·       The Company’s Risk Assessment methodology and mitigating policies, controls, and procedures.

·       The identification of potentially suspicious transactions or activity; and,

·       Red flags or indicators of money laundering or suspicious activity appropriate to the remote gaming/ gambling sector.

Employees should also be made aware of the following:

·       The provisions of the Applicable Regulations and Codes; and,

·       The offences and penalties in relation to any breach.

All the above-mentioned information should be made readily available to all employees to enable them to refer to such information as and when appropriate throughout the conduct of their duties.

Additionally, training should be of a more practical nature rather than simply theoretical. This means that the training provided should make references to real-life situations such as, for instance, the steps to be followed when accepting customers, the handling of high-risk customers and the behavior to be adopted when faced with a request for a transaction which is suspicious. Typology reports prepared by the FATF, Moneyval or other FSRBs play an important role in preparing training material.

Subject persons need to determine the method in which training is to be delivered, as the most appropriate method may vary from one organization to the other. The method generally depends on the size of the organization. Online learning systems can often provide an adequate solution for general training to all employees who deal with clients, while focused classroom training for higher risk areas can be more effective.

It is vital to maintain comprehensive records of training sessions which, should include:

a)     the date on which the training was delivered;

b)     the nature of the training;

c)     the names of employees receiving the training;

d)    the results of any assessment undertaken by employees; and

e)    a copy of any handouts or slides.

9.3  Policy

Bling Tech’s Senior Compliance Officer / MLRO is responsible for ensuring that all relevant staff received training that effectively communicates Bling Tech’s AML and CFT responsibilities and the policies and procedures that are operated to ensure that those responsibilities are met.

Relevant persons

Relevant staff include the staff of the Company who handle or are managerially responsible for the handling of customer on-boarding and service provision.

 Training

Training will be designed to ensure that all relevant staff are made aware of the risk of the Company being used for the purposes of financial crime, the consequences for the firm (as well as staff personally), the requirement to operate systems and controls to mitigate such risk and the requirement to report suspicious activity / transaction to the Senior Compliance Officer / MLRO.

The frequency of the provision of AML training will be determined using a risk-based approach, with those who may be at greatest risk from handling suspicious transactions, or who need to be kept up- to-date with changing vulnerabilities and trends, receiving training at more frequent intervals; relevant staff who are close to transaction processing activity are prioritized for training which may be more detailed in content than the training provided for other staff.

Where applicable, provision for AML training will be made in the contractual arrangements, or Service Level Agreements, between Bling Tech Ltd. and its partners.

Senior Compliance Officer / MLRO Training

The MLRO will keep up to date with legislative changes in Tobique and on international level and industry standards in order to guide and develop appropriate training for relevant staff.

9.4  Procedures & Documentation

Relevant persons

The Senior Compliance Officer / MLRO will maintain a record of Bling Tech’s staff, and their positions within the company, for use when deciding which individuals are ‘relevant staff’ and, further, which will require more frequent and more detailed training due to the nature of their specific role.

 Training

All relevant staff will be provided with an awareness of Bling Tech’s FC policies and processes through the provision of AML training. Relevant staff will be provided with initial AML training within one month of their taking up relevant activities on behalf of Bling Tech’s. Priority is given to those staff responsible for handling or managing the handling of transactions or customer accounts.

All relevant staff must acknowledge that they have read and understood the training that is provided, to be recorded in the AML Staff Training Log.

The frequency of training provided to each staff member is determined by the Senior Compliance Officer / MLRO with reference to the staff member’s role. Refresher training is repeated at appropriate intervals. Relevant staff are assessed on the AML training received.

Training materials are updated by the Senior Compliance Officer / MLRO when required to reflect new developments. Training materials and records are retained in accordance with the Company’s record-keeping policy.

AML training will be delivered to relevant staff and will include the following elements:

1.     Legal and regulatory obligations under Tobique law;

2.     Practical means of identifying unusual and suspicious transactions; and

3.     Internal processes and advice on how to act when presented with suspicious activity.

 Senior Compliance Officer / MLRO training

The Senior Compliance Officer / MLRO will receive external training as appropriate and is required to evidence, to the Board, their further professional development (using the MLRO Annual Report).

9.5  Anti-Bribery & Corruption Policy

The Company has embedded this Anti-Bribery & Corruption (ABC) Policy within the main AML Policy under this section. It outlines the commitment of Bling Tech Ltd. to conducting its business activities in an ethical and lawful manner. The Company is dedicated to preventing bribery and corruption in all its operations and is committed to fostering a culture of integrity, transparency, and compliance.

The Company prohibits all forms of bribery and corruption, whether direct or indirect, and expects its employees, associates, contractors, and business partners to adhere to the highest standards of integrity and ethical behavior. This part of the policy applies to all employees, contractors, agents, suppliers, partners, and any individual or entity associated with the Company's operations, regardless of their role or position.

Definitions

Bribery: The offering, giving, receiving, or soliciting of any item of value (including but not limited to money, gifts, favors, entertainment, or services) to influence the actions of an individual in a position of trust or authority.

Corruption: The abuse of power or authority for personal gain, often involving bribery, embezzlement, fraud, or other unethical practices.

Associated Persons: Any individual or entity that has a business relationship with the Company, including employees, contractors, agents, suppliers, partners, and third-party intermediaries.

Prohibited Conduct

a)     Bribery and Corruption: No employee or associated person shall engage in any form of bribery, corruption, or unethical behavior. This includes offering, promising, giving, receiving, or soliciting bribes or other improper benefits.

b)     Gifts and Hospitality: Employees and associated persons must not offer or accept gifts, hospitality, or entertainment that could be seen as an attempt to influence business decisions or compromise the recipient's judgment.

c)     Facilitation Payments: Facilitation payments (small unofficial payments to expedite routine processes) are strictly prohibited. Employees and associated persons must not make or accept such payments.

The Company is committed to conducting thorough due diligence on all third parties before entering into business relationships with them. This includes assessing their integrity, reputation, and compliance with anti-bribery laws. Violations of this policy will not be tolerated and may result in disciplinary action, up to and including termination of employment or business relationships. In severe cases, legal action may be pursued. This policy will be reviewed periodically to ensure its effectiveness and relevance. Any necessary updates will be made to reflect changes in laws, regulations, and the Company's operations.

10. The Screening Process

The screening of potential customers against sanctioned persons, against PEPs and against adverse media is conducted by Bling Tech via a 3rd party tool, a holistic and seamless Customer Due Diligence software.

The Company can perform a new search by entering or indicating the:

•       Search Term (Name of individual);

•       Year of birth (optional);

•       Accuracy Level (the ‘fuzzy’ level depending on how broad or exact the search should be) - the accuracy level alters the way the entity is searched for;

•       Broad Match Parameters – will provide a list of possible matches with the searched name and similar names; and

•       Exact Match Parameters – will limit the list to more specific match.

Sanctions and PEP screening result: on each possible match by selecting the entity result, positive hits. Adverse Media screening result: links are provided for the Company to analyze and investigate. All links besides the first ones, are highlighted, implying that these links have not as yet been accessed. By selecting any link, the Company will be directed to the actual article.

To screen customers, the Company selects the screening icon and inserts the customer details requested. Once this is done, the Company will be presented with the possible results together with searches conducted via third party screening as well as targeted google searches. In addition to the identification and verification procedures, external search checks will be performed on the customer through the 3rd part tool’s platform. Selecting the search engine item link shall direct the Company to another screen providing the actual information found within that link. Furthermore, the Company is also able to label the article as adverse media etc. in order to highlight the article as an associated important piece of information alongside the third-party database searches.

The Company is obliged to undertake measures at law aimed at combating terrorism, terrorism financing and the financing of the proliferation of weapons of mass destruction. This includes obligations emanating from the National Interest (Enabling Powers) Act relating to sanctions screening, freezing of assets, and reporting.

11. Sanctions Lists

11.1 Guidance on Implementation

In accordance with Article 23 of the Regulations, the Company must ensure compliance with United Nations (“UN”) Security Council resolutions relating to the prevention and suppression of terrorism and terrorist financing and in particular must freeze without delay the funds or other assets of, and to ensure that no funds or other assets are made available, directly or indirectly, to or for the benefit of, any person or entity either:

(i)        designated by, or under the authority of, the UN Security Council under Chapter VII of the Charter of the UN, including in accordance with resolution 1267 (1999) and its successor resolutions; or,

(ii)       designated by that country pursuant to resolution 1373 (2001).

Further to this, the Company must ensure compliance with UN Security Council resolutions relating to the prevention, suppression and disruption of proliferation of weapons of mass destruction and its financing and, in particular, must freeze without delay the funds or other assets of, and to ensure that no funds and other assets are made available, directly or indirectly, to or for the benefit of, any person or entity designated by, or under the authority of, the UN Security Council under Chapter VII of the Charter of the UN.

The Company must ensure that adequate systems have been implemented in order to satisfy the requirements above, not only at the point of customer/player onboarding, but on an on-going basis.

11.2 Policy

Sanctions list screening is the responsibility of the Senior Compliance Officer / MLRO. The performance of the screening procedures may be delegated or outsourced.

In obtaining, applying, and disseminating government and FATF findings, the Senior Compliance Officer / MLRO ensures that all customers and business partners (e.g. 3rd parties) with whom a business relationship is established, are subject to due diligence procedures that ensure screening against relevant notices published by the OFAC, the UK and FATF.

Sanctions screening will form part of the initial due diligence procedures as well as the ongoing monitoring of customers and business partners as detailed in Annexes III and IV below. ‘False positives’ are investigated, and any true sanction matches reported to the Senior Compliance Officer / MLRO immediately. Staff are required to report where they have knowledge of or a suspicion that financial sanctions measures have been or are being contravened. Senior Compliance Officer / MLRO can be contacted through the following email address: [email protected]                                

11.3 Procedures and Documentation

All customers shall be subject to Sanctions screening once this is actively implemented as part of the initial due diligence procedures, with all customers being rechecked regularly as part of the ongoing monitoring of customers.

Staff responsible for performing Sanctions checks will receive specific training. Matches will be investigated by staff in order to identify true matches from those that are ‘false positive’. All true sanctions matches must be reported to the Senior Compliance Officer / MLRO immediately, using the Internal Suspicious Transaction Reporting Form and followed up by a phone call / email thereafter.

12. Politically Exposed Persons

12.1 Provisions from the Regulations

Article 21 of the Regulations state: ‘In addition to performing normal CDD measures, reporting entities must have appropriate risk-management systems to determine whether the customer or the beneficial owner is a Politically Exposed Person, (“PEP”) or an immediate family member or close associate of the PEP’.

12.2 Guidance on Implementation

As stated above, it is the responsibility of the Company to ensure that appropriate risk measures have been implemented to identify and manage the risk of any PEP relationship. Where a PEP connection has been identified, the Company must make reasonable efforts to ascertain the PEP’s Source of Wealth (“SOW”) and Source of Funds (“SOF”) / income is not from illegal activities and where appropriate review the customer’s credit and character and the type of transactions the customer would typically conduct. The Company must not accept or maintain a business relationship if the Company knows or must assume that the funds are derived from corruption or misuse of public assets.

Where a PEP connection is identified, the Company must ensure it has obtained approval from the Senior Compliance Officer / MLRO. Where a customer has been accepted and the customer or beneficial owner is subsequently found to be, or subsequently becomes a PEP, the Company must further obtain senior management’s approval to continue the business relationship.

Where the Company is in a business relationship with a PEP, it must conduct enhanced ongoing monitoring of that relationship.

12.3 Policy

When conducting risk assessments for new customers, products, or features, Bling Tech must evaluate several factors to identify potential risks associated with their use. One significant consideration is the possibility of these products being exploited for money laundering by PEPs.

New Customers:

·       Background Checks: Conduct thorough due diligence on new customers, particularly to determine if they are PEPs or have any associations with PEPs.

·       Enhanced Due Diligence (EDD): Implement enhanced scrutiny and monitoring for customers identified as PEPs due to their increased risk of involvement in money laundering.

·       Risk Profiling: Develop risk profiles for new customers, considering factors such as their source of wealth, geographical location, and business activities, especially focusing on those who are or may be PEPs.

New Products:

·       Product Vulnerability Assessment: Evaluate the inherent risks associated with new products, particularly how they might be misused for illicit activities, including money laundering by PEPs.

·       Control Measures: Design and implement control measures to mitigate identified risks, such as transaction limits, monitoring mechanisms, and reporting requirements.

·       Regulatory Compliance: Ensure that new products comply with anti-money laundering (AML) regulations and guidelines, including those specifically addressing the risks posed by PEPs.

New Features:

·       Feature Analysis: Analyse new features for potential vulnerabilities that could be exploited by money launderers, particularly PEPs.

·       Usage Monitoring: Develop systems to monitor the usage of new features to detect unusual or suspicious activities indicative of money laundering.

·       User Education: Inform and educate users about the proper use of new features and the importance of complying with AML regulations, especially regarding transactions involving PEPs.

12.4 Procedures and Documentation

All applicants for business shall be required to confirm whether they qualify as PEPs. The declaration shall be recorded upon registration. In addition, a third-party check shall be carried out on each person to assess whether the person in question is a PEP.

13. Persons Connected to Sporting Events

13.1 Provisions from the Regulations

In addition to performing normal CDD measures, the Company must have appropriate risk-management systems to determine whether a customer is a person, or a family member or close associate of such a person, who has a close connection to:

(iii)     A sporting event, team, sporting association or organization; and,

(iv)     The reporting entity accepts bets on that team, sport, or sporting event

13.2 Policy

The Company must therefore:

a)     Obtain senior management approval for establishing (or continuing, for existing customers) such business relationships;

b)     Take reasonable measures to establish the source of wealth and source of funds; and,

c)     Conduct enhanced ongoing monitoring of the business relationship.

13.3 Procedures and documentation

When the Company identifies that individuals connected to sporting events are engaging with their platform, several steps must be taken to ensure compliance with regulations, maintain integrity, and uphold ethical standards. These steps can include:

Reporting and Notification:

·       Notify relevant regulatory bodies, such as the gaming commission or sports governing authorities, about the presence of individuals connected to sporting events on our platform.

·       Inform the sports organization with which the individual(s) are affiliated.

Enhanced Monitoring:

·       Implement enhanced monitoring of the betting activities of these individuals to detect any unusual or suspicious betting patterns.

·       Employ specialized software and algorithms to flag and analyse betting activities that may indicate potential match-fixing or insider betting.

Access Restrictions:

·       Restrict or prohibit access to the betting platform for individuals directly involved in sporting events, such as athletes, coaches, referees, and officials, as they may have insider information that can unfairly influence betting outcomes.

Internal Investigations:

·       Conduct internal investigations to determine if the involvement of these individuals violates any terms of service, regulations, or laws.

·       Collaborate with external investigators if necessary to ensure a thorough examination of the situation.

Policy Enforcement:

·       Enforce policies and terms of service that prohibit betting by individuals with insider knowledge or connections to sporting events.

·       Ensure that all staff are aware of these policies through clear communication and regular updates.

Education and Training:

·       Provide education and training programs for staff to recognize and report suspicious activities.

Transparency and Communication:

·       Maintain transparency with regulators, sports organizations, and the public regarding the actions taken to address the situation.

·       Communicate the steps being taken to ensure the integrity of both the gaming platform and the sporting events.

Legal Compliance:

·       Ensure compliance with all local, national, and international laws and regulations related to sports betting and gaming.

·       Consult with legal experts to navigate complex regulatory environments and to stay updated on legal requirements.

By taking these steps, Bling Tech can help preserve the integrity of sporting events, prevent conflicts of interest, and ensure fair play within its platform.

Annex I – Senior Compliance Officer / MLRO Job Description

Senior Compliance Officer / MLRO

Responsibilities

Bling Tech Ltd. is responsible for appointing a Senior Compliance Officer / MLRO of appropriate seniority with access to the resources required to effectively perform the role. Resources include time, support staff, the freedom and independence to act on authority, and access to relevant data / information.

In summary, the Board of the Company delegates the following high-level responsibilities to the Senior Compliance Officer / MLRO:

●            Establishing and operating appropriate risk-based internal policies, procedures, and controls to prevent money laundering or terrorist financing, consistent with legal and regulatory requirements as set out in Tobique and international provisions.

●            Reviewing, updating, and approving AML and CFT policies based on an assessment of risk and its management, ensuring that such assessments are kept up to date.

●            Ensuring that priority is given to the implementation of AML and CFT policies and take ultimate responsibility for the development and operation of procedures that implement policy.

●            Maintain up-to-date documentation detailing the risk-based AML and CFT arrangements operated by the Company.

Senior Compliance Officer / MLRO Role

The Senior Compliance Officer / MLRO may delegate certain functions, in particular those related to the day-to-day monitoring of procedures and systems to detect suspicious activity, to suitable individuals in Bling Tech Ltd. (where resources are available).

It is the Senior Compliance Officer / MLRO’s ultimate managerial responsibility to ensure that the provisions of this Policy are enforced. Where the MLRO delegates any activities, they will remain accountable for the operation of the delegated functions. The Senior Compliance Officer / MLRO may hold other senior management responsibilities within entities of Bling Tech Ltd., to the extent that they do not interfere with their ability to conduct the Senior Compliance Officer / MLRO duties.

In the absence of the Senior Compliance Officer / MLRO for a period of less than 12 weeks, the Senior Compliance Officer / MLRO duties will be temporarily performed by a suitably experienced and qualified individual from within Bling Tech Ltd. The MLRO will always remain reachable and in close contact with the head office. Should the position of the Senior Compliance Officer / MLRO become vacant (i.e. the MLRO be absent for a period of 12 weeks or more in a consecutive 12-month period), the Board will appoint another suitably qualified individual as its MLRO / Senior Compliance Officer.

POSITION RESPONSIBILITIES

Annex II – Risk Mitigation Matrix and Risk Factors

Risk Assessment and Mitigation Matrix

Risk Factors Table

The following represent risk factors relevant to Bling Tech Ltd.’s current service offerings that could indicate Money Laundering or Funding of Terrorism as per the risks highlighted in the table above.

Process for Determining Customer Risk

The activities of each customer, the product, the interface, and the geographic area are assessed in relation to the risk factors above and the said assessment is recorded in the Registration Form. A proposed risk assessment of Low, Medium or High is recorded whereby a low risk assessment is awarded to a customer with a 0-risk score, a medium risk assessment to a customer with a 1-9 risk score and a high-risk assessment to a customer with a 10 or more-risk score.

Members of staff may take into account any applicable mitigation reasons set out in the table above, in which case the reasons for the mitigation are recorded in the said Client On-Boarding Form. The risk assessment may be revised on the basis of these mitigations subject to the consideration that a risk may never be assessed as low where:

i.       the client is non-face-to-face (save for those instances detailed in the section entitled “Simplified Due Diligence” a) or b))

ii.     the client is a PEP

iii.    the client is from or is active in a high-risk jurisdiction

Annex III – Customer Due Diligence

The Company has established systematic procedures for identifying an applicant for business and ensuring that such identity is verified on the basis of documents, data or information obtained from a reliable and independent source.

Persons subject to Identification and Verification

For the purposes of the gaming services provided the follow legal and/or natural persons shall be subject to identification and verification procedures as stipulated below.

i.       The Player being the natural person who is registered with the Company to which online gambling services are provided by the Company;

ii.     A company or legal entity which is considered to be an intermediary of the Company to which online gambling services are provided by the Company;

iii.    The Ultimate Beneficial Owners of a Company or legal entity which is considered to be an intermediary of the Company;

iv.    The Directors of a Company or legal entity which is considered to be an intermediary of the Company;

For the purposes of the above that the “ultimate beneficial owner” of a body corporate or a body of persons includes all natural persons who ultimately own or control, whether through direct or indirect ownership or control, 25% or more of the shares or voting rights in the Company or legal entity in relation to which services are or will be provided.

Provided that natural persons who ultimately own or control a company that is listed on a regulated market which is subject to disclosure requirements consistent with Community legislation, or equivalent international standards shall be excluded from verification requirements. In such a case Option B should be selected in Annex B on the Client On-boarding Form.

Provided further that in the case of a trust where beneficiaries have not been determined, due diligence will be carried out on any class of persons in whose main interest the trust is set up.

For the purposes of the above that the “beneficial owner” of a body corporate or a body of persons includes all legal persons who own or control, whether through direct or indirect ownership or control, 25% or more of the shares or voting rights in the Company or legal entity in relation to which services are or will be provided,

Provided that companies that are listed on a regulated market or otherwise subject to financial business regulation which are subject to disclosure requirements consistent with Community legislation, or equivalent international standards shall be excluded from verification requirements. In such a case Simplified Due Diligence should be followed for Client On-boarding.

Provided that for Directors, the Company shall only be required to identify such persons and hence, notwithstanding anything to the contrary, no verification shall be required to be collected.

Organogram

In order to be able to identify each of the persons subject to identification and verification as part of the on-boarding process, the applicant for business is to provide an up-to-date organogram to the Company which is to be signed by an authorized official of the applicant, both at on-boarding and each time that there is a significant change in ownership.

Due Diligence for Natural Persons

Where the persons subject to identification and verification are natural persons, the following information shall be obtained in all cases in relation to identification and verification:

OPTION A:

1.     Verification of Details - one of the following:

1.1.   a valid unexpired passport; or

1.2.   a valid unexpired national or other government-issued identity card; or

1.3.   a valid unexpired driving license.

2.     Verification of Residential Address - one of the following not older than six (6) months:

2.1.   a recent statement from a recognized credit institution;

2.2.   a recent utility bill;

2.3.   correspondence from a central or local government authority, department, or agency;

2.4.   any government-issued document where a clear indication of residential address is provided; or

2.5.   any other document as may be specified in sectoral implementing procedures issued by the FIU.

In addition to the above, one of the following Options shall be satisfied for the purposes of Enhanced Due Diligence where the Customer’s risk has been assessed as ‘Medium Risk’ and two of the following Options shall be satisfied for the purposes of Enhanced Due Diligence where the Customer’s risk has been assessed as ‘High Risk’ as follows:

OPTION 1: One of the following

1.     a professional reference (warranted lawyer or auditor)

2.     a bank reference

3.     an additional recent statement from a recognised credit institution;

4.     an additional recent utility bill;

5.     correspondence from a central or local government authority, department, or agency;

6.     any government-issued document where a clear indication of residential address is provided; or

7.     any other document as may be specified in sectoral implementing procedures issued by the FIU.

OPTION 2:

1.     The first payment be made from a bank set up in the EU or of a reputable jurisdiction with similar standards of banking regulation. For the purposes of this option ‘bank’ may also include financial institution, payment institution or electronic money institution.

OPTION 3:

1.     Determination of source of wealth and source of funds signed by a recognized accountant/auditor.

OPTION 4:

1.     Police conduct certificate

OPTION 5:

Require that the documentation provided in OPTION A.2 and A.3 above is certified by a legal professional, accountancy professional, notary, person undertaking relevant financial business or a person undertaking an activity equivalent to relevant financial business carried out in another jurisdiction. Such certification should be evidenced by a written statement stating that:

·       the document is a true copy of the original document;

·       the document has been seen and verified by the certifier; and

·       the photo is a true likeness of the applicant for business or the beneficial owner, as the case may be.

The certifier must sign and date the copy document (indicating his name clearly) and clearly indicate his profession, designation, or capacity on it and provide his contact details.

Provided that in all cases where the applicant, beneficiary owner or the ultimate beneficial owner is a PEP, Bling Tech Ltd. will proceed to end the relative business relationship.

Due Diligence for Legal Persons

Part A

Where the persons subject to identification and verification are legal persons, the following information shall be obtained in all cases in relation to identification and verification:

a)     to identify the following:

i)      the legal person’s official full name;

ii)     the legal person’s registration number (if applicable);

iii)    the legal person’s date of incorporation or registration; and

iv)    the legal person’s registered address or principal place of business.

b)     To verify the information and legal status mentioned under Part A(a), the most recently dated version of any of the following documents must be obtained:

i)      Memorandum and Articles of Association; or

ii)     Certificate of Incorporation; or

iii)    Signed declaration by an authorized official of the applicant for business; or

iv)    Company registry search, which includes confirmation that the private company has not been, and is not in the process of being dissolved, struck off, wound up or terminated; or

v)     Latest annual return; or

vi)    Other statutory document.

In relation to the above, the staff member must view the original document, a certified copy of the original or a downloaded copy from the official registry website. Certification should be carried out by the company secretary, a director or an officer occupying an equivalent position or by the Registrar of Companies or a person occupying an equivalent position in a foreign jurisdiction.

Alternatively, certification may be carried out by a legal professional, accountancy professional, notary, person undertaking relevant financial business or a person undertaking an activity equivalent to relevant financial business carried out in another jurisdiction.

The certifier must sign and date the copy document (indicating his name clearly) and clearly indicate his profession, designation, or capacity on it and provide his contact details.

The certified copy of the original or the copy downloaded from the official registry website shall be retained by Bling Tech Ltd. Where an original document is viewed, Bling Tech Ltd. shall keep a true copy of the document, signed, and dated by an officer of the subject person, on file.

Alternatively, identification and verification may be carried out by obtaining one or more additional (different) documents from amongst the list provided in Part A (b) above which verify the information obtained through the first set of documentation provided.

In addition to the above, one of the following Options shall be satisfied for the purposes of Enhanced Due Diligence where the Customer’s risk has been assessed as ‘Medium Risk’ and two of the following Options shall be satisfied for the purposes of Enhanced Due Diligence where the Customer’s risk has been assessed as ‘High Risk’ as follows:

OPTION I:

1.     The latest audited financial statements; provided that in the case of Enhanced Due Diligence, this shall only be required if allowed by the jurisdiction of the applicant for business.

OPTION II:

1. The first payment be made from a bank set up in the EU or in any other jurisdiction with similar standards of banking regulation. For the purposes of this option ‘bank’ may also include financial institution, payment institution or electronic money institution.

OPTION III:

1.  Certificate of good standing or a certificate of incumbency, not older than six (6) months.

OPTION IV:

1. A professional reference signed and duly dated by a legal professional, accountancy professional or notary.

Part B

Post identification and verification of the Legal Person, the Company shall also identify all the directors. This shall be done by either of the following:

i)            referring to the list of directors contained in the most recent version of the Memorandum and Articles of Association; or

ii)     by performing a company registry search provided that the officers of the company are listed therein; or

iii)   by obtaining a copy of the directors’ register of the company.

Part C

Upon the identification of the shareholders and Ultimate Beneficiary Owners’ details as a result of the Organogram and documentation provided as mentioned above, the staff member shall perform and record the Due Diligence provided for natural persons in respect of such Ultimate Beneficiary Owners with particular regard to non-face-to-face procedures if required:

Provided that should the applicant’s operations be regarded as high risk, shareholders having between 10% but less than 25% of the control in the applicant, may be required to provide for identification details including but not limited to First Name, Last Name and Date of Birth.

In instances where the documentation provided under Part A(b) does not identify the shareholders and the Ultimate Beneficiary Owners, the applicant for business has to supply any of the following documents:

i)      Latest share register; or

ii)     Signed declaration by an authorized representative of the applicant for business, which declaration should include sufficient details to enable the subject person to identify the shareholders and the Ultimate Beneficiary Owners.

For avoidance of doubt, no proof of address will be requested of shareholders holding an interest between 10%, but less than 25%.

Languages

All documents are to be provided in English (or any other language which any official of the Company understands). Certified translations are to be translated of documents in other languages.

Client Terms and Conditions

The Client Terms and Conditions includes a declaration by an authorized representative of the applicant for business as to whether they have:

a)     ever been convicted of an offence (other than a minor traffic offence);

b)     ever been adjudged bankrupt;

c)     ever been the subject of an investigation by a government, professional or other regulatory body;

d)     ever been a director, shareholder, officer or manager of a business entity which has been the subject of an investigation as aforesaid

e)     ever been a director, shareholder, officer, or manager of a business entity which has been adjudged bankrupt compulsorily would up or has made any compromise or arrangement where its creditors or has otherwise ceased trading in circumstances where its creditors did not receive or have not yet received full settlement of their claims; and

f)      unless otherwise disclosed in the terms and conditions, ever had, or currently has any direct or indirect beneficial interest in or whether he ever was or currently is a director of any other company registered in Tobique.

Customer Risk Assessment

Each customer is subject to a risk assessment and subsequently rated as Low Risk, Medium Risk or High Risk as set out in Annex II above.

For the purposes of such assessments additional information may be required from the customer.

Face-To-Face Transactions or Clients

In all instances of face-to-face onboarding, provided that the applicant does not provide certified true hardcopies or the originals of the documentations required as per the abovementioned procedures, the Company representative is to view the original document, make a hard copy of such document (printed scan/photograph etc.) and certify that this is a true copy of the original seen by him, while duly signing the document including the relevant date.

All instances of face-to-face clients will require any one of the following:

a)     Include an email on file confirming that a face-to-face meeting with the applicant for business duly occurred prior to onboarding;

b)     A certified true copy in original by an Bling Tech Ltd.’s representative of an identification document of the applicant for business’ representative, provided that such document was copied (scanned, photographed etc.) by a Company’s representative himself; or

c)     Minutes of the meeting with the applicant for business’ representative, signed and duly dated by the Company representative.

Timing of Due Diligence

Each client shall provide a copy of all documentation in order to assess that all the documentation is in order upon the first withdrawal and/or upon the sum of EUR 2,000 with accumulative withdrawal threshold reached by the player.

In some instances, a corporate client (intermediary) may select to sign the Services Agreement prior to the carrying out of on-boarding to provide a commitment to eventual onboarding. In this case, no services are permitted, and no services shall be provided to the client and no transactions entered into prior to the carrying out of all due diligence procedures and prior to on-boarding.

In the event that due diligence documentation is not provided within thirty (30) days from the initial request by the casino or it otherwise becomes obvious that the client is not able to satisfy due diligence requirements, the Service Agreement or player registration shall be terminated. The MLRO will consider the appropriateness of filing an STR.

Annex IV – Client Acceptance Policy

The Companies or intermediary of the Company policy for acceptance of customers takes into consideration the Risk Assessment and Mitigation measures as well as the Risk Factors indicated in Annex II above.

Client Acceptance

The Company or an intermediary of the Company shall not accept the following clients:

i.       Clients that fail the relevant due diligence identification and verification controls set out in Annex III above;

ii.     Clients who themselves or their ultimate beneficial owners are excluded customers listed below;

iii.    Clients who have in the past been reasonably associated or involved in criminal activities or other illegal activities may result from searches on the clients, beneficial owners and on any other person in relation to whom due diligence is carried out.

Excluded Activities

The Company or its intermediaries shall not accept the following types of business activities for any provision of services:

i.       Trading in Arms

ii.     Supplying Technology or Parts Connected with Defense

iii.    Providing Military Security Services

iv.    Clients resident in jurisdictions where the Company - or its affiliated Group Companies with whom service agreements are in place - are not authorized to provide gaming services.

Excluded Individuals

The Company or its intermediaries shall not accept the following persons:

i.       Sanctioned Individuals and/or entities;

ii.     Entities with bearer shares;

iii.    Entities where UBOs cannot be identified;

iv.    Persons who seek to set up a business relationship or conduct an occasional transaction in the name of third parties under an anonymous name or nickname;

v.     Customers having underlying customers

Risk-Based Approach for Accepting Clients

On the basis of the risk approach highlighted in Section 3 of the FC Policy and Annex II above, risk factors are taken into account to determine the risk of each customer (low, medium, or high). Different levels of Enhanced Due Diligence are applied in the event of Medium or High-risk assessments.

The manner in which the assessment is carried out is highlighted in Annex II above.

Annex V – Internal STR Form

Internal STR Form Template

The Suspicious Transaction Report (STR) should be a prompt report and escalated to the Commission in 5 business days
(Please send the Internal STR to the Senior Compliance Officer / MLRO and cc the Deputy MLRO if exist)

A record of this Suspicious Transaction Report (STR) together with all related documents will be kept by the Nominated Officer for at least five (5) years.

STR description

We are Bling Tech Ltd. We offer remote gaming services.

Player details:

• ID / Passport / Driving license number:

• Phone number(s):

• Payment method details:  

Here is a timeline of events:

·       xx/xx/2024: This player registered an online gaming account. The account lay dormant until xx/xx/2024: They proceeded to deposit and play. Their net deposits (deposits less withdrawals) over the lifetime of the account is £ xx. The account is now blocked. They can no longer deposit, gamble or withdraw.

An STR was considered. The player could not prove his SOW. We are reasonably suspicious that the proceeds of crime may be involved.

The information or other matter which gives the grounds for your knowledge, suspicion, or belief;

• Possible problem gambling signs

• No cooperation with our SoW request

• Etc.

A description of the property that you know, suspect, or believe is criminal property; and

·       His net deposits (deposits less withdrawals) over the lifetime of the account is EUR xx.

Consent request

·       The player has a pending withdrawal / account balance of EUR xx. We are seeking consent to pay this player his withdrawal / account balance. We intend to exit the relationship with this player. The account is currently blocked. They can no longer deposit, gamble or withdraw.

############################################

The date of transaction is the date of this STR. This player registered an online gaming account on xx/xx/xx. He proceeded to deposit and play. His net deposits (deposits less withdrawals) over the lifetime of the account is EUR xx. The account is now blocked. He can no longer deposit, gamble or withdraw. The player has a pending withdrawal of EUR xx. We are seeking consent to pay this player his withdrawal. We intend to exit the relationship with this player. The account is currently blocked. They can no longer deposit, gamble or withdraw.

Annex VI – Internal SAR Form

Internal SAR Form Template

The Suspicious Activity Report (SAR) should be a prompt report and escalated to the Commission in 5 business days.  
(Please send the Internal SAR to the Senior Compliance Officer / MLRO and cc the Deputy MLRO if exist)

A record of this Suspicious Activity Report (SAR) together with all related documents will be kept by the Senior Compliance Officer / MLRO for at least five (5) years.

SAR Description

We are Bling Tech Ltd. We offer remote gaming services.

Player details:

• ID / Passport / Driving license number:

• Phone number(s):

• Payment method details:  

Here is a timeline of events:

·       xx/xx/2024: This player registered an online gaming account. The account lay dormant until xx/xx/2024: They proceeded to deposit and play. Their net deposits (deposits less withdrawals) over the lifetime of the account is £ xx. The account is now blocked. They can no longer deposit, gamble or withdraw.

An SAR was considered. The player could not prove his Due Diligence Documentation / SOW. We are reasonably suspicious that the proceeds of crime may be involved.

The information or other matter which gives the grounds for your knowledge, suspicion, or belief;

• Possible problem gambling signs

• No cooperation with our due diligence documentation / SOW request

• Other factors: [Details]

Description of Attachments:

[Provide a brief description of each attached document and its relevance to the suspicious activity].

A description of the property that you know, suspect, or believe is criminal property; and

·       His net deposits (deposits less withdrawals) over the lifetime of the account is EUR xx.

Consent request (if applicable)

·       The player has a pending withdrawal / account balance of EUR xx. We are seeking consent to pay this player his withdrawal / account balance. We intend to exit the relationship with this player. The account is currently blocked. They can no longer deposit, gamble or withdraw. We are requesting consent to terminate the relationship with this player.

############################################ 

The date of the suspicious activity is reflected as the date of this SAR. This player registered an online gaming account on xx/xx/xx and exhibited unusual activity thereafter. These suspicious activities included [insert description]. Additionally, the player failed to comply with our requests for identity verification and source of funds documentation. The account is currently blocked. They can no longer deposit, gamble or withdraw.

Annex VII – Abbreviations

[1] AML Regulations, Section 4

[2] Section 2, Part 1 of the AML Code & Section 2, Part 1 of the AML Regulation

[3] Section 18, Part 3 of the AML Code, Section 18, Part 3 of the AML Regulation

[4] Section 11, Part 2 of the AML Code, Section 10, Part 2 of the AML Regulation

[5] Section 14/15, Part 2 of the AML Code, Section 14/15, Part 2 of the AML Regulation

[6] Section 20, Part 3 of the AML Code

[7] Section 18, Part 3 of the AML Code