Choose another country or region to see content specific to your location.

Singapore

Legal & Privacy

Part A – AML Program
1. Definitions

The definitions of words and phrases to be in this AML Program are set out in Schedule 1 of Part B.The definitions of words and phrases to be in this AML Program are set out in Schedule 1 of Part B.

2. Introduction

2.1 Business background
Genie Technologies Pte. Ltd Registration No: 201919382H (ZebPay) was established in 2019 to operate a digital payment token exchange business in Singapore. Digital payment token is not issued by or under the authority of a government. Digital payment token is also commonly referred to as cryptocurrency or virtual currency.

It is intended that ZebPay will initially offer the following digital payment tokens for exchange through its platform:

  • (a) Bitcoin
  • (b) Bitcoin cash
  • (c) Ethereum
  • (d) Litecoin
  • (e) Ripple
  • (f) Eos

ZebPay platform will allow for:

  • (g) Buying digital payment tokens;
  • (h) Selling digital payment tokens; and
  • (i) Facilitating the trading of digital payment tokens between our customers.

ZebPay’s model:

  • (j) includes holding digital payment tokens on trust or as custodian;
  • (k) involves ZebPay purchasing or selling digital payment tokens; or
  • (l) involves accepting fiat only through electronic funds transfer;
  • (m) does not involve accepting cash.

2.2 ZebPay’s AML Policy
ZebPay aims to prevent, detect and not knowingly facilitate money-laundering and terrorism financing. ZebPay does this to protect the company's reputation, to comply with relevant laws and to be a good corporate citizen. The purpose of this policy is to:

  • (a) make staff and management aware of the meaning of anti-money laundering and counter-terrorism financing (AML/CTF) and their responsibilites towards the same pursuant to MAS Notice No. PSN02 Notice to Holders of Payment Service License (Digital Payment Token Service) read with section 27B of the Monetary Authority of Singapore Act (Cap. 186) (collectively, the “AML/CTF Regulations”)];
  • (b) state ZebPay’s attitude towards money-laundering and the financing of terrorism;
  • (c) outline the key roles and responsibilities of ZebPay’s staff and management in relation to AML/CTF, and
  • (d) document requirements of anti-money laundering under the AML/CTF Regulations.

ZebPay faces risks of money laundering or terrorism financing if it (or its employees) knowingly facilitate or fail to put in place the appropriate training, processes and systems to prevent the facilitation of money-laundering or terrorism financing. The potential risks that could occur also include the following:

  • (e) reputation risk—customer loss of confidence in being associated with an entity perceived to be assisting criminals or terrorists, or not in compliance with the law. This loss of confidence could lead to a loss of business and revenue.
  • (f) personal risk—employees who facilitate money-laundering or terrorist activities, or fail to take appropriate steps to prevent these activities, could face personal criminal action, civil action or dismissal; and
  • (g) regulatory risk—potential for increased regulatory oversight if perceived to be facilitating money-laundering or terrorist financing, or negligent of legal requirements. This could be from regulators other than the Monetary Authority of Singapore (“MAS”). This could also result in possible fines or regulatory sanctions.

2.3 Regulatory Framework and the AML Program
The AML/CTF Regulations requires a licensee to adopt, maintain and comply with a Risk-Based Anti-Money Laundering and Counter Terrorist Financing program (AML Program).

ZebPay has adopted a AML Program that comprises a Part A (general) and Part B (customer identification) as prescribed by the AML/CTF Regulations..

The primary purpose of Part A is to identify, manage and mitigate any ML/TF risk ZebPay may reasonably face in relation to the provision by ZebPay of digital payment token services in SIngapore. Part A of ZebPay’s AML Program also provides all users with a map of all of the elements of the AML Program (see section 2.4).

Part B of this AML Program sets out the applicable customer identification and verification procedures for customers of ZebPay. ZebPay has different procedures with respect to the identification and verification of different customers depending on the type of customer, the jurisdiction in which the customer resides, the digital payment token services provided to the customer and the delivery method of the digital payment token services (Rule 8.1.4 of the AML Rules).

2.4 How does Part A (General) of the AML Program Work?
Part A is designed to identify, mitigate and manage the risk ZebPay may reasonably face by the provision of digital payment token services in Australia that might (whether inadvertently or otherwise) involve or facilitate:

  • (a) money laundering; or
  • (b) financing of terrorism.

This Part A describes the structure of the AML Program and is intended to:

  • (c) provide all users of this AML Program with a map of all of the elements of our AML Program;
  • (d) provide a brief summary of the legal and regulatory requirements relating to each of the elements of our AML Program; and
  • (e) provide details on ZebPay’s compliance policies which are contained in shaded text boxes.
Element Part A (Introduction and summary of legal requirements)
ML/TF Risk Assessment Section 3
Staff training and awareness Section 4
Board and management oversight policy Section 5
Role of Compliance Officer Section 6
Reporting Section 7
Ongoing customer due diligence including transaction monitoring and enhanced customer due diligence Section 8
Review of AML Program Section 9
MAS Feedback Section 10
Privacy Section 11
Breaches Section 12
Record Keeping Section 13
3. ML/TF Risk Assessment (Schedule 2 of Part B)

3.1 Risk assessment
As a part of Part A of ZebPay’s AML Program, ZebPay is required to prepare an assessment of the areas of money laundering and terrorism financing risk (ML/TF) which it is likely to face in the provision of its digital payment token services (i.e. operating a digital payment token exchange business).

Understanding the ML/TF) risks ZebPay faces is an important step in developing, implementing and maintaining effective and balanced controls, systems and procedures that mitigate and manage these ML/TF risks. In developing a risk assessment, ZebPay will ensure that

  • (a) the risk analysis should be solidly founded on reliable research and provide a true reflection of the inherent risks and the way your business mitigates those risks
  • (b) the risk criteria and categorisations chosen should be proportionate to the complexity of ZebPay’s products and services and be consistent with its risk analysis.

ZebPay Risk Assessment

Following an ML/TF risk assessment, ZebPay considers its overall risk rating to be medium on the basis that:

  • Service and Delivery
  • The digital payment token services provided by ZebPay is the operation of a digital payment token exchange business, as defined in the First Schedule of the Payment Services Act (Cap. ___)
  • ZebPay does not accept physical cash.
  • ZebPay only offers recognised digital payment tokens for exchange..
  • Customers
  • Customers include Individual as well as companies.
  • Customers may be domiciled in a foreign county.
  • Customers are first vetted through KYC & Customer screening checks before being able to utilise the exchange.
  • Customers accounts will be linked to a bank which is in the same name of the customer on the ZebPay exchange and the banks will have undertaken AML/CTF checks in opening the account.
  • On boarding of politically exposed persons is strictly prohibited
  • At the point of on boarding, customers will be required to make a declaration as to their source of funds. Further, when the aggregate funds or digital payment tokens deposited with ZebPay exceeds certain dollar value thresholds, the customers will be expected to provide some additional proof of their stated source of funds.

ZebPay’s risk assessment and risk assessment methodology are detailed in Schedule 2 of Part B.

3.2 Ongoing risk assessments
ZebPay conducts, at least annually, a business-wide ML/TF risk assessment as a part of ZebPay’s annual internal AML/CTF review (section 9.1).

In addition, ZebPay, through its Compliance Officer, also has procedures for identifying, recognising and assessing significant changes to its ML/TF risk (see Rule 8.1.5 of the AML Rules) including.

  • (a) subscribing to industry bulletins, attending industry events;
  • (b) monitoring trends/methods in ZebPay operating environment (e.g. review transaction monitoring triggers and hits);
  • (c) regularly review the MAS website.

Further, the Compliance Officer will conduct a risk assessment prior to the following:

  • (d) the provision of new digital payment token services, prior to introducing them to the market;
  • (e) the adoption of new methods of a digital payment token service delivery; and
  • (f) the adoption of new or developing technologies used for the provision of a digital payment token service.

If ZebPay’s ML/TF risk changes it will ensure that it implements appropriate policies, procedures and systems to reflect the new ML/TF risk.

See paragraph 9.1 for more details on the process for internal review. The annual review may be outsourced to a third party service provider.

4. Staff training and employee due diligence

4.1 Staff training
As is required under the AML Rules, ZebPay has designed a risk awareness training program (Training Program) to ensure that its employees have appropriate training, at appropriate interval, having regard to the ML/TF risk ZebPay faces (Rule 8.2.2 of the AML Rules).

ZebPay’s Training Program has been designed to enable its employees to understand:

  • (a) the obligations of ZebPay under the AML/CTF Regulations and AML Rules including highlighting the ML/TF Risks which are identified by ZebPay’s ML/TF Risk Assessment);
  • (b) the consequences of non-compliance with the AML/CTF Regulations and AML Rules (including legal, reputation and financial ramifications which may arise from non-compliance or ineffective management of ML/TF Risks);
  • (c) the type of ML/TF risk that ZebPay might face and the potential consequences of such risk;
  • (d) the processes and procedures provided for by this AML Program that are relevant to the work carried out by the employee (Rule 8.2.3 of the AML Rules); and
  • (e) the risk associated with “tipping off” a customer or prospective customer in relation to a suspicious matter and how to avoid tipping off offences.

TRAINING PROGRAM

  • 1 The Training Program is applicable to all employees of ZebPay who provide digital payment token services on behalf of ZebPay. The Training Program consists of the following:
    • (a) all employees of ZebPay who are involved in the provisions of digital payment token services must familiarise themselves with the AML/CTF compliance procedures contained in this AML Program;
    • (b) ZebPay’s Compliance Officer will provide at a minimum annual training (or within 1 month of commencement for new or transferred employees) on ZebPay’s AML/CTF requirements to these staff members, including providing information about updates to the AML/CTF Regulations, AML Rules and the AML Program, also updates on jurisdictional risks, AML case studies and other relevant matters. The training may be delivered in person or online.
  • 2 The Compliance Officer will also consider as a part of the annual AML Program to review whether the staff members have adequate AML/CTF training to complete their assigned functions and if any changes are required to be made to the training program
  • 3 The Compliance Officer will also deliver training if new and relevant AML/CTF issues arises during the year.

4.2 Employee due diligence program
ZebPay has established an Employee Due Diligence Program. In accordance with the Employee Due Diligence Program, ZebPay:-

  • (a) screens any prospective employee who, if employed, may be in a position to facilitate the commission of an offence in relation to money laundering or the financing of terrorism in connection with the provision of a digital payment token service that ZebPay provides;
  • (b) screens an employee where the employee is promoted or transferred to a position where they may now be in a position to facilitate the commission of a money laundering or financing of terrorism offence in connection with the provision of a digital payment token service by ZebPay; and
  • (c) incorporates into its employment agreement or induction processes compliance with this AML Program.

The Compliance Officer will monitor employee activity to ensure AML/CTF procedures are being followed properly and mitigate the risk of employees colluding with customers to facilitate ML/TF.

4 EMPLOYEE DUE DILIGENCE PROGRAM

  • 5 For new, transferred or promoted staff members, the screening process involves:
    • (a) step 1: the Compliance Officer verifies the ID of the employee, reference checks and AML/CTF identity in accordance with the standard KYC procedures for individuals as contained in section 4 of Part B of this AML Program; and
    • (b) step 2: Where the nationality of the employee permits, the Compliance Officer conducts a police check on the employee, and a record of the police check is kept on the relevant file of the particular employee and the AML/CTF identify check being kept with ZebPay’s AML/CTF employee identification files.
  • 6 For employees who have failed to comply with the AML/CTF Regulations or the AML Rules, of any system, control or procedure in this AML Program without reasonable excuse, the breach management procedure involves:
    • (a) step 1:the Compliance Officer investigating any alleged breaches or non-compliance and interviewing the relevant staff member to determine whether or not there is a reasonable excuse of the breach;
    • (b) step 2: the results of such an investigation will be raised with and considered by the Compliance Officer, pending the results of the investigation the employee may:
      • receive refresher training;
      • have his/her role reassigned; or
      • have their employment terminated; and
    • (c) step 3: the Compliance Officer, may, if appropriate, determine to communicate the breach to the relevant law enforcement agency.
5. Oversight by the Board and management

5.1 Board
The AML Program must be adopted by the ZebPay Board (Board). The Board will have ongoing oversight of the AML Program, via reports like number of suspicious transaction reported, number of political exposed person on boarded or trading on the ZebPay platform from the Compliance Officer.

5.2 Management
The Compliance Officer must ensure that this AML Program is appropriately designed and that there are adequate resources assigned to fully and continuously implement. ZebPay’s management is responsible for:

  • (a) implementing this AML Program;
  • (b) providing the support necessary for a successful AML Program;
  • (c) making provisions for adequate compliance resources sufficient to run this AML Program effectively having regard to the nature, size and complexity of ZebPay’s business;
  • (d) identifying, articulating, assigning, and communicating specific roles and responsibilities for employees of ZebPay who should have significant responsibility for carrying out and enhancing this AML Program; and
  • (e) ensuring that the Compliance Officer receives appropriate training.

The organisational structure of ZebPay is set out in Schedule 1 of Part A.

5.3 Resources
ZebPay may from time to time appoint individuals to carry out specific duties in respect of digital payment token services and AML/CTF matters. The individuals appointed to carry out specific duties in respect of different matters have the primary responsibility for the performance of those duties. Primary responsibility means that in the ordinary course of business the person with primary responsibility for a task would perform that task. However, if circumstances exist which prevent the person with primary responsibility from performing a particular task, then the task may be performed by a different person for the reporting entity.

Individuals with primary responsibility for AML/CTF duties must report to the Compliance Officer in respect of their duties and, in particular, any system breaches within the operations of the reporting entity which are discovered during the performance of those duties.

6. Compliance Officer

The Board will ensure that at all times a Compliance Officer is appointed, and a secondary person to act in the Compliance Officer’s absence.

In the event that the Compliance Officer is absent or is unable to perform their duties pursuant to this policy, MLRO (Money Laundering reporting officer) will assume the position Compliance Officer as Interim Compliance Officer. For the purposes of this policy, the Interim Compliance Officer is to be held to the same standard and accountability as the Compliance Officer normally performing his or her obligations pursuant to this Policy.

The Compliance Officer is responsible for managing the day-to-day operations of this AML Program. This includes, but is not limited to:

  • (a) conducting regular reviews of this AML Program (see section 8.3);
  • (b) ensuring ZebPay’s compliance with its obligations in respect of risk awareness training. The Compliance Officer is responsible for ensuring that the training is available, that the standards and scope of the training are appropriate, and that appropriate records are kept (see section 4);
  • (c) ensuring the maintenance of a continually high level of staff AML/CTF awareness even between training sessions;
  • (d) ensuring an awareness of countries that do not have adequate AML/CTF frameworks in place;
  • (e) ensuring an awareness of lists of suspects and sanctions issued by law enforcement and regulatory authorities;
  • (f) ensuring an awareness of exemptions and modifications for some reporting entities from AML/CTF obligations;
  • (g) receiving reports about unusual or suspicious activities that may be suspicious matters to determine if they should be reported to MAS and preparing suspicious matter reports for that purpose (see section 7);
  • (h) responding on behalf of ZebPay to requests for information from MAS under the AML/CTF Regulations (see section 10);
  • (i) filing internal disclosures that are not reported to MAS for future analysis in the event that a further internal disclosure is made about the same customer at a later date;
  • (j) documenting the evaluation of the determination process in respect of reports and investigations;
  • (k) maintaining a register of all reports;
  • (l) oversight of Part A, which includes:
    • (i) assessing the effectiveness of this AML Program; and
    • (ii) overseeing the establishment of appropriate risk-based systems and controls within ZebPay to manage its ML/TF risk and ensure compliance with the AML/CTF Regulations and the AML Rules (see section 3);
  • (m) monitoring ZebPay’s business in relation to its provision of digital payment token services;
  • (n) advising management on the AML/CTF Regulations, the AML Rules and relevant industry guidance and keeping them informed on developments in the laws and regulations and recent developments in relation to money laundering and the financing of terrorism;
  • (o) undertaking the ML/TF risk assessments (see section 3 and Schedule 2 of Part B);
  • (p) implementing this AML Program; and
  • (q) undertaking annual reviews of this AML Program which may be outsourced to a third party. Major changes arising from the annual review should be considered and approved by the Board, but other changes can be approved by the Compliance Officer.
7. Reporting

7.1 Suspicious matters
Under the AML/CTF Regulations, ZebPay’s obligation to report suspicious matters to MAS arises in the context of:

  • (a) ZebPay commencing to provide, or proposing to provide, a digital payment token service to a customer;
  • (b) a customer requesting ZebPay to provide a digital payment token service(of a kind ordinarily provided by ZebPay); or
  • (c) a customer inquiring of ZebPay whether it would be willing to provide a digital payment token service (of a kind ordinarily provided by ZebPay).

ZebPay acknowledges that suspicious matters may relate to any crime. ZebPay will treat suspicious matters that extend beyond the scope of money laundering and terrorism financing the same as if that suspicious matter were a money laundering and terrorism financing suspicious matter.

SUSPICIOUS MATTER REPORTING PROCEDURES

Where the suspicious matter relates to terrorism financing, it must be reported by the Compliance Officer to MAS within 24 hours. All other suspicious matters must be reported to MAS within 3 business days. The Compliance Officer will ensure these timeframes are complied with through a daily review of any suspicious matter internal reports.

Any employees of ZebPay must report any of the following suspicious matters to the Compliance Officer. The Compliance Officer upon forming a suspicion on reasonable grounds or confirming that one of the following suspicious matters have occurred, must report the following to MAS:

  • (a) A person is flagged as being a person who appears on the DFAT sanctions list.
  • (d) A person (or their agent) is not the person they claim to be.
  • (e) Information that ZebPay has which may be:
    • (i) relevant to the investigation or prosecution of a person for an evasion (or attempted evasion) of a tax law (including that of a state or territory), or an offence against a Commonwealth, state or territory law, or
    • (ii) of assistance in enforcing the Proceeds of Crime Act 2002 (or regulations under that Act), or
    • (iii) a state or territory law that corresponds to that Act or its regulations.
  • (f) The provision of digital payment token services may be:
    • (i) preparatory to the commission of an offence related to money laundering or the financing of terrorism, or
    • (ii) relevant to the investigation or prosecution of a person for an offence related to money laundering or the financing of terrorism.

In determining whether or not there are reasonable grounds for reporting a suspicious matter, the Compliance Officer should look at all relevant factors, including:

  • (a) whether or not the customer has withheld or provided false or inconsistent information;
  • (g) the behaviour of the person or persons receiving or requesting the digital payment token service (for example, unusual nervousness);
  • (h) whether or not the person is a foreign PEP;
  • (i) the known business background of the person;
  • (j) the use of aliases and a variety of similar addresses; and
  • (k) transactions involving known tax havens, narcotic source or transit countries.

No tipping off

Important: Employees, officers and directors of ZebPay may not disclose to someone other than MAS or a member of staff of MAS that a suspicious matter has been reported, a suspicion has been formed or information has been given under the AML/CTF Regulations. For example, a client or an external service provider must not be told that a report has been made to MAS about a suspicious matter.

7.2 Cash transactions
ZebPay has decided not to accept any cash from customers.

7.3 Compliance Reporting
The Compliance Officer, on behalf of ZebPay, prepares and submits an annual AML/CTF compliance report to MAS within 3 months of the end of the reporting period or as otherwise required by MAS.

The AML/CTF compliance report will cover ZebPay’s compliance with the AML/CTF Regulations and the AML Rules during the reporting period and take the form specified by MAS (if any).

7.4 International fund transfer instructions
ZebPay is not a sender or recipient of international funds transfer instructions (IFTI) within the meaning of the AML/CTF Regulations.

7.5 Changes to enrolment details
The Compliance Officer must also advise MAS of changes to ZebPay’s enrolment and business details, within 14 days of a change occurring (see Chapter 64 of the AML/CTF Rules). The Compliance Officer will work closely with the owners of ZebPay in relation to business ownership and control changes and/or other registration or licensing requirements with other regulators and will also work closely with human resource personnel in relation to staff movements and changes to key personnel details or circumstances.

ZebPay acknowledges that suspicious matters may relate to any crime. ZebPay will treat suspicious matters that extend beyond the scope of money laundering and terrorism financing the same as if that suspicious matter were a money laundering and terrorism financing suspicious matter.

SUSPICIOUS MATTER REPORTING PROCEDURES

Where the suspicious matter relates to terrorism financing, it must be reported by the Compliance Officer to MAS within 24 hours. All other suspicious matters must be reported to MAS within 3 business days. The Compliance Officer will ensure these timeframes are complied with through a daily review of any suspicious matter internal reports.

Any employees of ZebPay must report any of the following suspicious matters to the Compliance Officer. The Compliance Officer upon forming a suspicion on reasonable grounds or confirming that one of the following suspicious matters have occurred, must report the following to MAS:

  • (a) A person is flagged as being a person who appears on the DFAT sanctions list.
  • (d) A person (or their agent) is not the person they claim to be.
  • (e) Information that ZebPay has which may be:
    • (i) relevant to the investigation or prosecution of a person for an evasion (or attempted evasion) of a tax law (including that of a state or territory), or an offence against a Commonwealth, state or territory law, or
    • (ii) of assistance in enforcing the Proceeds of Crime Act 2002 (or regulations under that Act), or
    • (iii) a state or territory law that corresponds to that Act or its regulations.
  • (f) The provision of digital payment token services may be:
    • (i) preparatory to the commission of an offence related to money laundering or the financing of terrorism, or
    • (ii) relevant to the investigation or prosecution of a person for an offence related to money laundering or the financing of terrorism.

In determining whether or not there are reasonable grounds for reporting a suspicious matter, the Compliance Officer should look at all relevant factors, including:

  • (a) whether or not the customer has withheld or provided false or inconsistent information;
  • (g) the behaviour of the person or persons receiving or requesting the digital payment token service (for example, unusual nervousness);
  • (h) whether or not the person is a foreign PEP;
  • (i) the known business background of the person;
  • (j) the use of aliases and a variety of similar addresses; and
  • (k) transactions involving known tax havens, narcotic source or transit countries.

No tipping off

Important: Employees, officers and directors of ZebPay may not disclose to someone other than MAS or a member of staff of MAS that a suspicious matter has been reported, a suspicion has been formed or information has been given under the AML/CTF Regulations. For example, a client or an external service provider must not be told that a report has been made to MAS about a suspicious matter.

7.2 Cash transactions
ZebPay has decided not to accept any cash from customers.

7.3 Compliance Reporting
The Compliance Officer, on behalf of ZebPay, prepares and submits an annual AML/CTF compliance report to MAS within 3 months of the end of the reporting period or as otherwise required by MAS.

The AML/CTF compliance report will cover ZebPay’s compliance with the AML/CTF Regulations and the AML Rules during the reporting period and take the form specified by MAS (if any).

7.4 International fund transfer instructions
ZebPay is not a sender or recipient of international funds transfer instructions (IFTI) within the meaning of the AML/CTF Regulations.

7.5 Changes to enrolment details
The Compliance Officer must also advise MAS of changes to ZebPay’s enrolment and business details, within 14 days of a change occurring (see Chapter 64 of the AML/CTF Rules). The Compliance Officer will work closely with the owners of ZebPay in relation to business ownership and control changes and/or other registration or licensing requirements with other regulators and will also work closely with human resource personnel in relation to staff movements and changes to key personnel details or circumstances.

8. Ongoing customer due diligence

8.1 General
Under the AML/CTF Regulations, ZebPay is required to have an Ongoing Customer Due Diligence Program which covers:

  • (a) procedures for the collection or verification of additional KYC information or Beneficial Owner information;
  • (b) a Transaction Monitoring Program; and
  • (c) Enhanced Customer Due Diligence Program.

8.2 Ongoing Customer Due Diligence
Based on its ML/TF risk level, ZebPay has determined to implement the following ongoing customer due diligence measures. These measures are to be supervised by the Compliance Officer.

ONGOING CUSTOMER DUE DILIGENCE PROCEDURES

MEASURE IS THIS MEASURE TRIGGERED? WHAT IS THE RESPONSE?
Collect additional Customer Information
  • (a) A discrepancy in the KYC information that has been collected and verified becomes apparent in subsequent engagement with the customer compared to the information provided when the customer initially opened an account.
    Excluding changes of information e.g. address which have been previously notified.
  • (b) There are doubts to the customer’s identity, before, during and after any engagement of the customer by ZebPay.
  • (c) Client is identified as a high money laundering risk.
  • Clarify in case of discrepancy in customers information collected and verified then in such circumstances customers account will be on temporary hold till the collection and verification of required information.

    If the customer’s identity cannot be verified, Compliance Officer must consider whether or not the investment must be reported as a suspicious matter.

    Customer database will be checked semi-annually for collection of missing information/ documents if any.

    If any doubts arise, ZebPay will initiate further verification procedures such as: Enhanced due diligence.

    The staff performing the normal due diligence escalates the case to a supervisor for further validation.

    The supervisor/manager reviews the case and validates the high risk status or disapproves.

    If the manager disapproves a high risk status, supporting evidence and reasoning are documented and the client is downgraded to a low, normal, or medium risk status.

    In a situation of a validated, true high risk case, the client case is escalated to the firm’s Compliance Officer/MLRO using an “Escalation Form.” or via email.

    The Escalation form is normally accompanied by supporting client documentation.

    The Compliance Officer/MLRO or his/her designee reviews the Escalation Form and any attached documentation.

    If needed, the Compliance Officer/MLRO Officer or his/her designee will make a request for additional information.

    The Compliance/MLRO or his/her designee then conducts further investigation (i.e., reviews the account’s beneficial owners or conducts external non-documentary investigations).

    Upon completion of the enhanced investigation, the Compliance Officer/MLRO or his/her designee provides a recommendation (to terminate the relationship or accept the client).

    If the recommendation is to accept the client, there is normally an accompanying monitoring plan for the firm to implement in order to reduce its overall money laundering risk.

    8.4 Enhanced Customer Due Diligence
    ZebPay must have an enhanced customer due diligence program in place which sets out its procedures for situations where there is a high ML/TF risk, when a suspicious matter reporting obligation arises. Where a customer is a foreign politically-exposed person (PEP), ZebPay will decline to offer any digital payment token services.

    • (a) Triggers

      ZebPay will apply its customer due diligence program when:

      • (i) ZebPay has determined (under its risk-based systems and controls) that the ML/TF risk is high; or
      • (ii) ZebPay is provided digital payment token exchange services to a customer who is, or who has a beneficial owner who is, a PEP; or
      • (iii) ZebPay has formed a suspicion regarding the transaction; or
      • (iv) a party to the transaction (that its business has entered in or is proposing to enter into) is physically located in a prescribed foreign country.
    • (b) Processes
      • When the enhanced customer due diligence program is triggered, ZebPay will do one or more of the following:

      • (i) Seek further information from the customers or third party sources to:
        • (A) clarify/update the customer’s information;
        • (B) obtain further information about the customer including applying the Non-Standard Procedure;
        • (C) obtain information about the source of wealth or funds the customer is using to invest or transact in digital payment token;
      • (ii) Undertake more detailed analysis of the customer’s information and/or transaction history;
      • (iii) Verify or re-verify KYC information
      • (iv) Seek senior management approval for processing any future transactions; and
      • (v) Any other appropriate steps as determined by the Compliance Officer.

      The Compliance Officer will also determine whether a suspicious matter report needs to be lodged.

    • (c) Limitations on types of customers
    • ZebPay has identified the following customer types it will not engage with:

      Unregistered foreign companies, unincorporated associations, registered co-operatives, foreign government bodies, non-profit organization and politically exposed persons.

    9. AML Program and compliance review

    ZebPay has implemented a procedure for the regular internal and external review and updating of the AML Program.

    9.1 Internal reviews
    Having regard to ZebPay’s level of ML/TF risk, ZebPay has determined that an internal review of Part A of the AML/CTF compliance processes will be carried out:

    • (a) annually; and
    • (b) where there is a change to ZebPay’s ML/TF risk (see section 3.2 for triggers for reviews).

    7 This review process will involve:

    • (a)Step 1:an assessment of ZebPay’s ML/TF risk bearing in mind changes to its business and any new digital payment token services being provided by it during the year. If there are any changes to ZebPay’s ML/TF risk, the Compliance Officer will need to make an assessment as to whether current compliance measures are sufficient and, if not, recommend additional measures;
    • (b)Step 2:an assessment of whether ZebPay has been complying with:
      • (i) the compliance measures set out in this AML Program and the AML/CTF Regulations and the AML Rules (including any changes which may have been made from time to time); and
      • (ii) any feedback from an external review of ZebPay 's AML/CTF compliance;
    • (c)Step 3:making recommendations on additional measures to be incorporated into this AML Program to address any compliance deficiencies which have been detected; and
    • (d)Step 4:the results of the annual internal review will be summarised in an AML/CTF Compliance Report which will be presented to the Board each year. The Board is required to consider the finding and recommendations of the report and resolve to implement appropriate changes to this AML Program.

    8 Steps 1 to 3 of this process may be outsourced to a third party service provider.

    9.2 Independent reviews
    Part A of this AML Program must be regularly reviewed by an independent reviewer (Part 8.6 of the AML Rules).

    INDEPENDENT REVIEW PROCESS

    Having regard to ZebPay's ML/TF risk, ZebPay has determined that an independent review of the AML Program must be undertaken on a bi-annual basis.

    • (a)Step 1: Appointment of independent reviewer
      ZebPay must determine who is "independent" for the purposes of undertaking the review. For the purposes of undertaking the independent review, ZebPay has determined that the "independent" reviewer must have experience at least three out of the past five years of experience in AML/CTF legislation and/or reviewing AML Programs and must not have been involved in the preparation, review, approval, implementation, oversight or amendment of the AML Program.
    • (b)Step 2: Engagement, review and reporting
      ZebPay must enter into a formal engagement with the independent reviewer in respect of the independent review. The independent reviewer is required to provide an engagement letter which sets out the scope of review as follows:
      • (i) assess the effectiveness of Part A having regard to the ML/TF risk of ZebPay;
      • (ii) assess whether Part A complies with the AML Rules;
      • (iii) assess whether Part A has been effectively implemented; and
      • (iv) assess whether ZebPay has complied with Part A.

      The independent reviewer is required to prepare a report outlining the result of the independent review. The independent reviewer is also required to provide any work schedule(s), audit program(s) or compliance procedures prepared as a part of the independent review. The independent reviewer will be provided with requested documents and staff will be made available to undergo any required interviews.

    • (c)Step 3: Consideration by the BoardThe result of the review, including any report prepared, must be tabled at the next meeting of the Board. The Board may provide a written response to the independent reviewer's report, including any recommendations made in the report.
    10. MAS feedback

    ZebPay is required to have appropriate procedures in place with regards to any feedback provided by MAS in respect of ZebPay’s performance on the management of ML/TF risk (Rule 8.7.1 of the AML Rules).

    ZebPay has determined that the following procedures will apply:

    • (a) if MAS provides ZebPay with feedback regarding its performance in relation to the management of its ML/TF risk, the Compliance Officer must assess MAS’s feedback to determine if any changes to this AML Program are required and to implement any such changes as soon as reasonably practicable;
    • (b) the Compliance Officer is responsible for notifying Board and management about any MAS feedback;
    • (c) the Compliance Officer is responsible for collating and responding to MAS feedback if requested by MAS, with the required information and within the stipulated timeframes; and
    • (d) any MAS feedback should also be included in the annual ML/TF risk assessment review detailed in Schedule 2 of Part B.
    11. Privacy

    (a) ZebPay is considered to be a reporting entity for the purposes of the AML/CTF Regulations, and therefore has obligations under the Personal Data Protection Act 2012 (“the Privacy Act”).

    (b) ZebPay applies the Privacy Act to personal information collected or handled in relation to activities undertaken to comply with the AML/CTF Regulations. This personal information must be kept secure and destroyed or de identified when no longer in use.

    (c) ZebPay also takes reasonable steps to keep relevant personal information it holds accurate and up to date. If the personal information is found to be incorrect, ZebPay must take reasonable steps to correct it.

    12. Breaches

    12.1 Breaches
    Any breaches of the AML/CTF Regulations, AML Rules or this AML Program which may have a material adverse effect on ZebPay or its investors must be reported to the Compliance Officer by the individual responsible for the area in which the breach occurred. The officer will in turn report any material breach to the Board.

    The Board, or the Compliance Officer will then consider what action to take in respect of the breach including instigating further training or additional systems to prevent a similar breach occurring.

    12.2 Internal Reporting

    • (a) The standard reporting lines are shown in the flowchart in Schedule 1 of Part A Organisational structure chart—AML/CTF compliance.
    • (b) It is the responsibility of the Compliance Officer to ensure staff responsible for AML/CTF compliance are aware of these reporting lines as well as the process of reporting directly to the Compliance Officer.
    13. Record Keeping

    ZebPay has a number of record keeping obligations under the AML/CTF Regulations. These obligations and how ZebPay intends to comply with these obligations are set out below.

    Obligation Reference Retention
    Record of compliance activoty Section 13(b)(vi) of the Payment Services Regulations ZebPay will keep a written record of the steps taken to monitor compliance with its policies, its accounting and operating procedures, and the limits on discretionary powers;
    MPI
    Records of digital payment token services Sections 14(3) of the Payment Services Act Under sections 14(3), 72 of the Act, and 108 of the AML/CTF Regulations, ZebPay must:
    • books of all of ZebPay’s transactions in relation to digital payment token services provided by ZebPay;
    • make these books available to the relevant authorities for their inspection, but under conditions of secrecy;

    This shall include records received from customers or prospective customers relating to the provision or prospective provision of a digital payment token service, including:

    • (d) application forms;
    • (e) direct debit authority forms;
    • (f) certified copies of identification documents (where applicable); and
    • (g) records of transaction executed at the customers’ behest.

    ZebPay keeps records of its digital payment token services for a period of 5 years. The Compliance Officer ensures records are dated when filed and has established a storage system so that files and their age are tracked.

    Schedule 1 - Organisational Structure and reporting lines of ZebPay

    Awlencan Innovations Australia Pty Ltd.
    Part B – AML Program (Customer Identification)

    General
    The primary purpose of Part B of this Program is to set out ZebPay’s applicable customer identification procedures. This includes the Know Your Customer (KYC) identification and verification requirements and risk based systems and controls for determining whether any additional KYC information should be collected and/or verified for each customer, and how to respond to any discrepancies in the course of verifying KYC information or Beneficial Owner information.

    The different identification and verification requirements in relation to different customer types and scenarios are summarised in the table below.

    14. Our approach to Standard and Non-Standard Identification and Verification Procedures

    The procedures for identifying and verifying customers will ultimately depend on the ML/TF risks associated with a particular type of customer, the jurisdiction in which they are resident, the type of digital payment token service which is provided and the method of delivery of the digital payment token service.

    Broadly, standard identification and verification procedures are used where the ML/TF risk associated with a customer or scenario is assessed to be low or medium. Non-standard identification and verification procedures are used in conjunction with standard identification and verification procedures when the ML/TF risk in relation to a customer or scenario is assessed to be moderate to high. ZebPay’s standard and non-standard identification procedures for different types of entities are set out in sections 4 to 20 of Part B of this AML Program.

    15. Practical issues relating to identification and verification procedures

    1.2 How does ZebPay carry out identification and verification procedures?

    The customer identification and verification process may be performed by one of a number of people, including ZebPay or an agent of ZebPay.

    15.1 Reliance on third parties
    Third party AML service providers engaged by ZebPay (who do not personally know the client)

    ZebPay may also delegate to a third party service provider (e.g. financial planners or registry service provider) certain aspects of the customer identification and verification process, whilst retaining overall control and responsibility. Where a third party is engaged, ZebPay will ensure that the following processes are followed:

    • (i) a written agreement will be entered into between ZebPay and the third party service provider setting out the terms of the engagement and ZebPay seeks an indemnity for any breaches of the AML Regulations from the third party service provider;
    • (ii) the service provider will be provided with a copy of this AML Program and required to comply with the AML Program (or its own similar version) when carrying out customer identification and verification; and
    • (iii) ZebPay will undertake periodic reviews of the service provider’s identification and verification procedures, including reviewing any customer identification and verification records to ensure that these processes have been properly complied with.

    ZebPay appreciates that even where customer identification and verification procedures are delegated to a third party, the primary responsibility for conducting customer identification and verification under the AML Regulations remains with ZebPay.

    15.2 List checking of high risk countries
    An update of the list of high risk countries will be provided to relevant staff annually and whenever the Compliance Officer becomes aware of any change to that list.

    15.3 Electronic verification
    ZebPay has determined that the provision of its digital payment token services is subject to low ML/TF risk (see section 3.1 of Part A of the AML Program), provided always that the digital payment tokens in question are not intrinsically designed to frustrate electronic verification of users’ identity, transaction history etc. With that in mind, ZebPay will always decline to facilitate transactions involving digital payment tokens which features emphasise:-

    • (a) a high degree of anonymity for their users; or
    • (b) the record of transactions on their associated blockchain(s) is not accessible, not transparent and/or non-existent.

    Further, to the extent that ZebPay relies on third party service providers to carry out electronic verification of customers’ identity or transaction history, ZebPay will first determine:-

    • (c) what data will be used for verification;
    • (a) what are ZebPay’s pre-defined tolerance levels for matches and errors;
    • (b) which customer KYC and Beneficial Owner information the service provider will electronically verify, and how this is done.

    In conducting electronic verification, ZebPay will comply at all times with the requirements of the Personal Data Protection Act 2012, where applicable. In particular:-

    • (c) Disclosure of customer’s personal information (including the information of beneficial owners) to the electronic verification service provider will be limited to an individual customer’s name, residential address and date of birth, and information related to their declared source of funds;
    • (d) before undertaking electronic verification of any individual, ZebPay will, in its application forms, inform the customer of the reasons for making the request for personal information;
      • (i) that the personal information about customers may be disclosed to a credit reporting agency;
      • (ii) that ZebPay may request the credit reporting agency to provide an assessment of whether the personal information matches (in whole or part) personal information contained in the credit information file in possession or control of the credit reporting agency;
      • (iii) the credit reporting agency may prepare and provide to ZebPay such an assessment;
      • (iv) the credit reporting agency may use the customer’s personal information or the names, residential addresses and dates of birth contained in credit information files of other individuals, for the purpose of preparing such an assessment;
      • (v) the customer may request that their identity be verified by a different means (section 35A(2) of the AML/CTF Regulations);

    15.4 Records of identification and verification
    Irrespective of the actual customer identification procedure conducted, for each customer ZebPay identifies, ZebPay must make a record of:

    • (a) the document or data;
    • (b) the procedure used to identify the customer; and
    • (c) the information obtained in the course of carrying out the procedure.

    Such records may include a copy of the application form completed by the customer in anticipation of receiving the digital payment token services from ZebPay.

    The customer identification record should include the following details of the sources from which the customer identity was verified:

    • (a) name of the issuer of the document or data;
    • (d) date of issue;
    • (e) date of expiry (where applicable);
    • (f) document number (where applicable); and
    • (g) whether it was verified from an original or certified copy.

    ZebPay must retain this record, or a copy of this record, in respect of the customer being identified, for a minimum of 5 years after concluding the provision of a digital payment token service to that customer.

    15.5 Language
    Where any document relied on as part of the identification procedure is in a language other than English, it must be accompanied by an English translation prepared by an accredited translator.

    15.6 Copies of documents
    ZebPay will accept a copy of a reliable and independent document if the copy of the document has been certified by an appropriately authorised person.

    Identification Procedures
    16. Individuals - Standard procedure

    Care should be taken to differentiate between domestic and foreign customers as different standard customer identification procedures apply. Note, that in respect of individuals from foreign countries, this standard procedure only applies to a FATF Member Country (as listed in Schedule 2)

    16.1 Step 1 - Collection
    The information to be collected for individuals is their:

    • (a) name;
    • (b) residential address;
    • (c) date of birth; and
    • (d) PEP status, in accordance with section 20 of Part B..

    In addition, the following information must also be collected for sole traders:

    • (e) full business name (if any);
    • (f) full address of the principal place of business (if any); and
    • (g) ABN (if any).

    16.2 Step 2 - Verification
    The following information must be verified:

    • (a) the customer’s name; and
    • (b) the customer’s:
      • (i) date of birth; or
      • (ii) residential address; or
      • (iii) for a sole trader, address of principal place of business (only where the customer is investing as a sole trader).

    16.3 Method of verification
    ZebPay staff must verify the identity of the customer using either:

    • (a) 1 x Primary Photographic Identification Documents (see Note B.1) (e.g. a driver’s licence or passport);
    • (b) 1 x Primary Non-Photographic Identification Document (see Note B.1) and 1 x Secondary Identification Document (See Note B.2); or
    • (c) reliable and independent documentation or electronic data.

    Note B.1 Primary identification document

    Primary Photographic Identification Document means any of the following:

    • a licence or permit issued under a law of a State or Territory or equivalent authority of a foreign country for the purpose of driving a vehicle that contains a photograph of the person in whose name the document is issued;
    • a passport issued by the Commonwealth;
    • a passport or a similar document issued for the purpose of international travel, that:
      • contains a photograph and the signature of the person in whose name the document is issued;
      • is issued by a foreign government, the United Nations or an agency of the United Nations; and
      • if it is written in a language that is not understood by the person carrying out the verification - is accompanied by an English translation prepared by an accredited translator.
    • a card issued under a law of a State or Territory for the purpose of proving the person’s age which contains a photograph of the person in whose name the document is issued.
    • a national identity card issued for the purpose of identification, that:
      • contains a photograph and the signature of the person in whose name the document is issued;
      • is issued by a foreign government, the United Nations or an agency of the United Nations; and
      • if it is written in a language that is not understood by the person carrying out the verification - is accompanied by an English translation prepared by an accredited translator.
    • Primary non-photographic identification document means any of the following:

    • a birth certificate or birth extract issued by a State or Territory;
    • a citizenship certificate issued by the Commonwealth;
    • a citizenship certificate issued by a foreign government that, if it is written in a language that is not understood by the person carrying out the verification, is accompanied by an English translation prepared by an accredited translator;
    • a birth certificate issued by a foreign government, the United Nations or an agency of the United Nations that, if it is written in a language that is not understood by the person carrying out the verification, is accompanied by an English translation prepared by an accredited translator;

    Note B.2 Secondary identification document

    Secondary identification document (see Note B.2) means any of the following:

    • a notice that:
      • was issued to an individual by the Commonwealth, a State or Territory within the preceding twelve months;
      • contains the name of the individual and his or her residential address; and
      • records the provision of financial benefits to the individual under a law of the Commonwealth, State or Territory (as the case may be);
    • a notice that:
      • was issued to an individual by the Taxation Office of the relevant nationality within the preceding 12 months;
      • contains the name of the individual and his or her residential address; and
      • records a debt payable to or by the individual by or to (respectively) the Commonwealth under a Commonwealth law relating to taxation;
    • a notice that:
      • was issued to an individual by a local government body or utilities provider within the preceding three months;
      • contains the name of the individual and his or her residential address; and
      • records the provision of services by that local government body or utilities provider to that address or to that person.
    • In relation to a person under the age of 18, a notice that:
      • was issued to a person by a school principal within the preceding three months;
      • contains the name of the person and his or her residential address; and
      • records the period of time that the person attended at the school.

    16.4 Step 3 - Record of identification documents
    ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customer’s identity.

    16.5 Step 4 - Provide the digital payment token service
    If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

    17. Individuals - Non-standard procedure

    17.1 Step 1 - Collection
    Additional information to be collected for individuals as a part of non-standard procedures is:

    • (a) place of birth; and
    • (b) occupation.

    17.2 Step 2 - Verification: domestic individual
    An acceptable ‘non-standard procedure’ for a domestic individual would involve verifying the collected information based on original or certified copies of:

    • (a) a primary identification document (see Note B.1);
    • (b) a secondary identification document (see Note B.2);
    • (c) where appropriate, in the case of information relating to an individual’s occupation, documents issued by the individual’s employer, a professional/industry organisation or a service provider which identifies the individual’s occupation. ZebPay believes that, in light of its ML/TF risk, this information would be “reliable and independent” for the purpose of the AML Rules; or
    • (d) reliable and independent documentation or electronic data.

    17.3 Step 2 - Verification: foreign individual
    In general, ZebPay should be cautious about providing a digital payment token service for a customer that presents foreign based identification that is not a Passport.

    However, in the event the customer has not presented a Passport, acceptable documentation for a ‘non-standard procedure’ for a foreign individual would be:

    • (a) an original or certified copy of either:
      • (i) a foreign national identity card containing a photograph and signature of the person; or
      • (ii) a foreign driver’s licence that contains a photograph of the person in whose name it was issued.
    • (b) where the relevant document presented is in a language that is not understood by the person carrying out the customer ID procedure, it must be accompanied by an English translation prepared by an accredited translator.

    17.4 Other acceptable customer identification related documents
    In the event that a ‘non-standard procedure’ for a domestic or foreign individual is unable to be conducted, or ZebPay is still not reasonably satisfied as to the customers identity, ZebPay should consider whether to commence or continue to provide a digital payment token service to that customer.

    If ZebPay decides to proceed, the following domestic or foreign equivalent documents may be used to supplement available proof of identity to satisfy ZebPay that the person is who they claim to be:

    • (a) adoption or Marriage Certificate;
    • (b) tertiary education records;
    • (c) electoral Roll records;
    • (d) statement of Account from a financial Institution where account has been held for a minimum of 12 months;
    • (e) mortgage/Security documents over property;
    • (f) foreign citizenship certificate; and
    • (g) foreign birth certificate.
    • or, in relation to a person under the age of 18, a notice that:

    • (h) was issued to a person by a school principal within the preceding three months; and
    • (i) contains the name of the person and his or her residential address; and
    • (j) records the period of time that the person attended the school.

    17.5 Steps 3 and 4
    Same as ‘standard procedure’ for an individual.

    18. Companies - Standard Procedure

    18.1 Step 1 - Collection: Domestic company
    In the case of a domestic company, the following information must be collected:

    • (a) the full name of the company as registered by ACRA;
    • (b) the full address of the company’s registered office;
    • (c) the full address of the company’s principal place of business (if any);
    • (d) the company registration number;
    • (e) whether the company is registered as a proprietary company or a public company;
    • (f) if the company is registered as a proprietary company or private company, the name of each director of the company;
    • (g) the details of each Beneficial Owner of the company as required under section 19 of this Part B.
    • (h) if the company is a listed company, the name of the relevant market and details of its listing.

    18.2 Step 1 - Collection: Foreign company

    • (a) In the case of a foreign company registered in Singaporethe following information must be collected:
      • (i) the full name of the company as per its registration with ACRA;
      • (ii) the full address of the company’s registered office;
      • (iii) the full address of the company’s principal place of business in Singapore or the full name and address of the company’s local agent in Singapore;
      • (iv) the company registration number issued to the company;
      • (v) the country in which the company was formed, incorporated or registered;
      • (vi) whether the company is registered by the relevant foreign registration body and if so whether it is registered as a public or private company or some other type of company,
      • (vii) if the company is registered as a private/ or proprietary company, the name of each director of the company;
      • (viii) the details of each Beneficial Owner of the company as required under section 19 of this Part B.
    • (b) in the case of an unregistered foreign company the following information must be collected:
      • (i) the full name of the company;
      • (ii) the country in which the company was formed, incorporated or registered;
      • (iii) whether the company is registered by the relevant foreign registration body and if so:
        • (A) any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration;
        • (B) the full address of the company in its country of formation, incorporation or registration as registered by the relevant foreign registration body; and
        • (C) whether it is registered as a private or public company or some other type of company by the relevant foreign registration body;
      • (iv) if the company is registered as a private/proprietary company,
        • (A) the name of each director of the company; and
        • (B) unless the company is licensed and subject to the regulatory oversight of a Commonwealth, State or Territory statutory regulator in relation to its activities as a company, the name and address of each Beneficial Owner of the company; and
      • if the company is not registered by the relevant foreign registration body, the full address of the principal place of business of the company in its country of formation or incorporation.

    18.3 Step 2 - Verification: Domestic company
    In the case of a domestic, unlisted company, the following information must be verified:

    • (a) the full name of the company as registered by ACRA;
    • (b) whether the company is registered by ASIC as a proprietary or public company; and
    • (c) the company registration number issued to the company.

    18.4 Method of verification

    • (a) Verification of a domestic, unlisted company must be by a search of the ACRA / BizProfile database;
    • (b) In respect of a domestic listed company or its majority owned subsidiary and in respect of a company licensed and subject to the regulatory oversight of a Commonwealth, State or Territory regulator in relation to its activities as a company, verification must be by:
      • (i) a search of the relevant stock exchange;
      • (ii) a public document issued by the customer; or
      • (iii) a search of the licence or other records of the relevant regulator.

    18.5 Simplified Company Verification Procedure
    Where ZebPay can confirm that the company is:

    • (a) a domestic listed public company;
    • (b) a majority owned subsidiary of a domestic listed public company; or
    • (c) licensed and subject to the regulatory oversight of a Commonwealth, State or Territory statutory regulator in relation to its activities as a company.
    • Verification of the details of a company can be undertaken by obtaining one or more of the following:

    • (a) a search of the relevant stock exchange;
    • (d) a public document issued by the relevant company;
    • (e) a search of the relevant ACRA database; or
    • (f) a search of the licence or other records of the relevant regulator.

    18.6 Step 2 - Verification: Foreign company

    • (a) In the case of a foreign company registered in Singapore the following information must be verified:
      • (i) the full name of the company as registered by ACRA;
      • (ii) whether the company is registered by the relevant foreign registration body and if so whether it is registered as a private or public company; and
      • (iii) the company registration number issued to the company;
    • (b) in the case of an unregistered foreign company the following information must be verified:
      • (i) the full name of the company; and
      • (ii) whether the company is registered by the relevant foreign registration body and if so:
        • (A) any identification number issued to the company by the relevant foreign registration body upon the company’s formation, incorporation or registration; and
        • (B) whether the company is registered as a private or public company.

    18.7 Method of verification

    • (a) In the case of a registered foreign company, verification must be by:
      • (i) a search of the relevant ACRA database;
      • (ii) a copy of the Certificate of Registration of a Foreign Company for the company;
      • (iii) reliable independent documentation,
      • (iv) reliable and independent electronic data; or
      • (v) a combination of (i)-(iv).
    • (b) In the case of an unregistered foreign company, verification must be by:
      • (i) reliable independent documentation;
      • (ii) reliable and independent electronic data; or
      • (iii) a combination of both.
    • (c) Where ZebPay assesses the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

    18.8 Step 3 - Record of identification documents
    ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

    18.9 Step 4 - Provide the digital payment token service
    If ZebPay is reasonably satisfied that the customer is the individual that they claim to be, it may provide the digital payment token service to the customer.

    19. Companies - Standard Procedure

    19.1 Step 1 - Collection: Domestic company
    In addition to the information collected under the ‘standard procedure’, the ‘non-standard procedure’ for a domestic company would involve collecting:

    • (a) the date upon which the company was registered by ACRA; and
    • (b) the name of any company secretary.

    19.2 Step 1 - Collection: Foreign company

    • (a) In the case of a registered foreign company:
      • (i) the name of each director of the company;
      • (ii) the full business name (if any) of the company as registered under any State or Territory business names legislation;
      • (iii) the date upon which the company was registered by ACRA;
      • (iv) the name of any company secretary (if any);
    • (b) In the case of an unregistered foreign company:
      • (i) the name of each director of the company; and
      • (ii) the name of any company secretary (if any).

    19.3 Step 2 - Verification: Domestic company
    In addition to the information verified under the ‘standard procedure’, the ‘non-standard procedure’ for a domestic company would involve verifying this information from:

    • (a) a business name search of the relevant State or Territory regulator;
    • (b) a public document issued by the customer;
    • (c) a search of the relevant ASIC database.

    19.4 Step 2 - Verification: Foreign company

    • (a) In the case of a registered foreign company, verify the information from:
      • (i) a business name search of the relevant State or Territory regulator;
      • (ii) a search of the relevant domestic stock exchange;
      • (iii) a public document issued by the customer; or
      • (iv) a search of the relevant ASIC database.
    • (b) In the case of an unregistered foreign company, verify the information from:
      • (i) reliable and independent documentation; or
      • (ii) reliable and independent electronic data; or
      • (iii) a combination of both.

    19.5 Further identification requirements
    In the event that a ‘non-standard procedure’ for a Company is unable to be conducted, or ZebPay is still not reasonably satisfied as to the customers identity, ZebPay should consider whether to commence or continue to provide a digital payment token service to that customer.

    If ZebPay decides to proceed, ZebPay must:

    • (a) collect the name and address of each shareholder of the company;
    • (b) verify:
      • (i) if the company has less than 4 shareholders, the name and address of each shareholder of the company; or
      • (ii) if the company has more than 4 shareholders, only the name and address of the 4 shareholders.
    • (c) from one of or a combination of the following documents:
      • (i) a copy of the Register of Members for the company;
      • (ii) a search of the relevant domestic stock exchange;
      • (iii) a public document issued by the customer; or
      • (iv) a search of the relevant ASIC database.

    19.6 Steps 3 and 4
    Same as ‘standard procedure’ for a company.

    20. Trusts - Standard Procedure

    20.1 Step 1 - Collection

    • (a) In relation to a trust the following information must be collected:
      • (i) the full name of the trust;
      • (ii) the full business name (if any) of the trustee in respect of the trust;
      • (iii) the type of the trust;
      • (iv) the country in which the trust was established;
      • (v) the full name of the settlor of the trust, unless the settlor is deceased;
    • (b) In relation to the trustees of the trust, the full name and address of each trustee must be collected;
    • (c) If any of the trustees is an individual - in respect of any one of those individuals, the information required to be collected from an individual (sections 4 or 5) (Identified Trustee); or
    • (d) If any of the trustees is a company - in respect of any one of those companies, the information required to be collected from a company (section 6 or 7) (Identified Trustee);

    20.2 Step 2: Verification (and method of verification)
    The following information must be verified:

    • (a) the full name of the trust, based on:
      • (i) an original, certified copy or certified extract of the trust deed;
      • (ii) a search of the relevant official database;
      • (iii) an original bank statement in the name of the trust issued within the last 12 months; or
      • (iv) an original letter from an accountant or solicitor confirming the name and existence of the trust dated within the last 12 months;
    • (b) the full name of the settlor of the trust, unless the settlor is deceased;
    • (c) in respect of the Identified Trustee, the applicable verification required for an individual (sections 4 or 5) or company (section 6 or 7).
    • (d) Where ZebPay assesses a the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

    20.3 Step 3 - Record of identification documents
    ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

    20.4 Step 4 - Provide the digital payment token service
    If ZebPay is reasonably satisfied that the customer is the individual that they claim to be, ZebPay may provide the digital payment token service to the customer.

    21. Trusts - Non-standard procedure (Including Superannuation Funds, investor directed portfolio services and wrap platforms)

    21.1 Step 1
    Same as ‘standard procedure’ for a trust.

    21.2 Step 2 - Verification

    • (a) In relation to the beneficiaries the following information must also be verified:
      • (i) the full name of any beneficiary in respect of the trust; or
      • (ii) if the terms of the trust identify the beneficiaries by reference to membership of a class – details of each class of beneficiary, from
    • (b) an original, certified copy or certified extract of the trust deed;
    • (c) reliable independent documentation relating to the trust;
    • (d) reliable and independent electronic data; or
    • (e) a combination of (a)-(c).

    21.3 Steps 3 and 4
    Same as ‘standard procedure’ for a trust.

    22. Partnerships - Standard Procedure

    22.1 Step 1 - Collection
    In relation to a partnership the following information must be collected:

    • (a) the full name of the partnership;
    • (b) the full business name (if any) of the partnership as registered;
    • (c) the country in which the partnership was established;
    • (d) in respect of one of the partners - the information required to be collected from an individual (sections 4 or 5) (Identified Partner); and
    • (e) the full name and residential address of each partner except where the regulated status of the partnership can be confirmed though reference to the current membership directory of the relevant professional association.

    22.2 Step 2 - Verification
    The following information must be verified:

    • (a) the full name of the partnership;
    • (b) if the partnership is regulated by a professional association, membership of that professional association; and
    • (c) in respect of the Identified Partner, the applicable verification required for an individual (sections 4 or 5).

    22.3 Method of Verification
    Verification of information about a partnership may be based on:

    • (a) a partnership agreement, certified copy or certified extract of a partnership agreement;
    • (b) a certified copy or certified extract of minutes of a partnership meeting;
    • (c) an original bank statement in the name of the partnership issued within the last 12 months;
    • (d) an original letter from an accountant or solicitor confirming the name and existence of the partnership dated within the last 12 months;
    • (e) a search of the relevant offocial database; or
    • (f) an original or certified copy of a certificate of registration of business name issued by a government or government agency.

    Where information to be verified is not otherwise reasonably available, ZebPay may determine to accept a disclosure certificate from a partnership which is considered to be a low to medium risk customer. The disclosure certificate must meet the requirements of the AML Rules.

    22.4 Step 3 - Record of identification documents
    ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customer’s identity.

    22.5 Step 4 - Provide the digital payment token service
    If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

    23. Partnerships - Non-standard Procedure

    23.1 Step 1 - Collection
    In addition to the information collected under the ‘standard procedure’, an acceptable ‘non-standard procedure’ for a partnership would involve collecting:

    • (a) each partner’s full name and residential address; and either
    • (b) each partner’s date of birth; or
    • (c) where applicable, documentation demonstrating that each partner has a transaction history within the partnership of at least the past three years.

    23.2 Step 2 - Verification
    Verify the information collected in Step 1 from an original or certified copy of:

    • (a) the partnership agreement or extract of the partnership agreement;
    • (b) reliable and independent documents relating to the partnership;
    • (c) reliable and independent electronic data; or
    • (d) a combination of (a) - (d)

    23.3 Steps 3 and 4
    Same as ‘standard procedure’ for a partnership.

    24. Associations - Standard Procedure

    24.1 Step 1 - Collection
    If the customer notifies ZebPay that it is an incorporated association:

    • (a) the full name of the association;
    • (b) the full address of the association’s principal place of administration or registered office (if any) or the residential address of the association’s public officer or (if there is no such person) the association’s president, secretary or treasurer;
    • (c) any unique identifying number issued to the association upon its incorporation by the Registrar of Societies or overseas body responsible for the incorporation of the association; and
    • (d) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the association.
    • If the person notifies ZebPay that he or she is a customer in his or her capacity as a member of an unincorporated association:

    • (e) the full name of the association;
    • (f) the full address of the association’s principal place of administration (if any);
    • (g) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the association; and
    • (h) in respect of the member – the information required to be collected from an individual under the applicable customer identification procedure with respect to individuals set out in Part B (sections 4 or 5) (Identified Member).

    24.2 Step 2 - Verification
    The following information must be verified:

    • (a) If the customer is an incorporated association:
      • (i) the full name of the incorporated association; and
      • (ii) any unique identifying number issued to the incorporated association upon its incorporation; and
    • (b) if the customer notifies ZebPay that he or she is a customer in his or her capacity as a member of an unincorporated association:
      • (i) verify the full name (if any) of the association; and
      • (ii) verify information about the member in accordance with the applicable customer identification procedure with respect to Identified Member set out in Part B (sections 4 or 5).

    24.3 Method of Verification
    Verification of information about an association may be based on:

    • (i) information provided by Registrar of Societies or other overseas body responsible for the incorporation of the association;
    • (ii) the rules or constitution of the association or from a certified copy or certified extract of the rules or constitution of the association;
    • (iii) reliable and independent documents relating to the association; or
    • (iv) reliable and independent electronic data; and

    Where ZebPay assesses a the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

    24.4 Step 3 - Record of identification documents
    ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

    24.5 Step 4 - Provide the digital payment token service
    If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

    25. Association - Non-standard Procedure

    25.1 Step 1 - Collection
    Collect information about either one of the following individuals in relation to the association in accordance the applicable customer identification procedure with respect to individuals set out in Part B (sections 4 or 5):

    • (a) chairperson;
    • (b) treasurer; or ;
    • (c) secretary.

    25.2 Step 2 - Verification
    Verify information collected under Step 1 in accordance with customer identification procedure with respect to individuals set out in Part B (sections 4 or 5).

    25.3 Steps 3 and 4
    Same as ‘standard procedure’ for an association.

    26. Registered Cooperatives - Standard Procedure

    26.1 Step 1 - Collection
    If the customer notifies ZebPay that it is a registered cooperative:

    • (a) the full name of the cooperative;
    • (b) the full address of the cooperative’s registered office or principal place of operations (if any) or the residential address of the cooperative’s secretary or (if there is no such person) the cooperative’s president or treasurer;
    • (c) any unique identifying number issued to the cooperative upon its registration by the State, Territory or overseas body responsible for the registration of the cooperative; and
    • (d) the full name of the chairman, secretary and treasurer or equivalent officer in each case of the cooperative.

    26.2 Step 2 - Verification
    The following information must be verified:

    • (a) the full name of the cooperative; and
    • (b) any unique identifying number issued to the cooperative upon its registration.

    Where ZebPay assesses a the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

    26.4 Step 3 - Record of identification documents
    ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

    26.5 Step 4 - Provide the digital payment token service
    If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

    27. Registered Cooperative - Non-standard Procedure

    27.1 Step 1 - Collection
    Collect information about either one of the following individuals in relation to the registered cooperative in accordance the applicable customer identification procedure with respect to individuals set out in Part B (sections 4 or 5):

    • (a) president; or
    • (b) secretary.

    27.2 Step 2 - Verification
    Verify information collected under Step 1 in accordance with customer identification procedure with respect to individuals set out in Part B (sections 4 or 5).

    27.3 Steps 3 and 4
    Same as ‘standard procedure’ for a registered cooperative.

    28. Government bodies - Standard Procedure

    28.1 Step 1 - Collection
    If the customer notifies ZebPay that it is a government body:

    • (a) the full name of the government body;
    • (b) the full address of the government body’s principal place of operations;
    • (c) whether the government body is an entity or emanation, or is established under legislation, of the Commonwealth;
    • (d) whether the government body is an entity or emanation, or is established under legislation, of a State, Territory, or a foreign country and the name of that State, Territory or country; and
    • (e) where the government body is a foreign government body, information on who is the ultimate owner or controller of that government body.

    28.2 Step 2 - Verification
    The full name of the relevant government body must be verified.

    28.3 Method of Verification
    Verification of information about a registered cooperative may be based on:

    • (a) a public records search of the legislation under which the government body was established; or
    • (b) from reliable and independent documents relating to the government body or from reliable and independent electronic data.

    28.4 Step 3 - Record of identification documents
    ZebPay must make a record of the information obtained in the course of carrying out the procedure to verify the customers’ identity.

    28.5 Step 4 - Provide the digital payment token service
    If ZebPay is reasonably satisfied that the customer is the individual that they claim to be ZebPay may provide the digital payment token service to the customer.

    29. Government bodies - Non-standard Procedure

    29.1 Step 1 - Collection
    Not applicable.

    29.2 Step 2 - Verification
    Verify information about the full address of the government body’s principal place of operations from reliable and independent documents relating to the government body or from reliable and independent electronic data.

    29.3 Steps 3 and 4
    Same as ‘standard procedure’ for a government body.

    30. Agents of customers e.g. Financial planners

    30.1 Step 1 – collection

    • (a) Where an agent is authorised to act for or on behalf of the customer in relation to a digital payment token services, ZebPay must collect information about:
      • (i) full name of each individual who purports to act for or on behalf of the customer with respect to the provision of a digital payment token service by ZebPay;
      • (ii) evidence (if any) of the customer’s authorisation of any individual referred to in (i).
    • (b) Non-natural customers may appoint an employee, agent or contractor of the customer as verifying officer.
      • (i) the verifying officer may identify an agent of the customer.
      • (ii) the verifying officer will have identified an agent if he or she has collected the following:
        • (A) the full name of the agent;
        • (B) the title of the position or role held by the agent with the customer;
        • (C) a copy of the signature of the agent; and
        • (D) evidence of the agent’s authorisation to act on behalf of the customer.
      • (iii) The verifying officer is to make and for the customer to retain, a record of the information in (ii).
      • (iv) The verifying officer is to provide the following to ZebPay:
        • (A) the full name of the agent; and
        • (B) a copy of the signature of the agent.

    30.2 Step 2 – verification
    Where an agent is to be identified by a verifying officer, the verifying officer is to be identified and verified by ZebPay in accordance with the requirements in chapter 4 of the AML Rules.

    31. Beneficial Owners

    31.1 Step 1 - Collection
    Except for:

    • (a) a customer who is an individual;
    • (b) a customer who is a company verified under the simplified company verification procedure in section 6.5;
    • (c) a customer who is a trust verified under the simplified trustee verification procedure under section 8.3
    • (d) for a customer who is a Government Entity, and
    • (e) a customer who is a foreign listed public company subject to disclosure requirements (whether by stock exchange rules or by law or enforceable means) to ensure transparency of Beneficial Ownership which are, or are comparable to, the requirements in Singapore,
    • collect from the customer the following information in relation to each Beneficial Owner:

    • (f) full name;
    • (g) residential address;
    • (h) date of birth; and
    • (i) PEP status, in accordance with section 20 of Part B.

    31.2 Step 2 – verification
    For all Beneficial Owners, ZebPay must in accordance with the standard identification procedures for individuals in section 4 of Part B carry out verification in respect of each Beneficial Owner.

    However, where ZebPay assesses a the customer to be of medium or low risk, ZebPay may, at its absolute discretion allow the customer to provide a disclosure certificate verifying information relating to the company where such information is not otherwise available. The disclosure certificate must meet the requirements of the AML Rules.

    31.3 Responding to discrepancies
    Where information in relation to Beneficial Owners cannot be verified using standard identification procedures specified in section 4 of Part B, Beneficial Owner information must be verified using non-standard identification procedures specified in section 4 of Part B.

    31.4 Beneficial Owner unknown
    Where ZebPay is unable to ascertain a Beneficial Owner (e.g. if none has been nominated on the ID form), ZebPay must identify and take reasonable steps to verify the following individuals under procedures referred to in section 4 of Part B:

    • (a) for a company (other than a company which is verified under the simplified company verification procedure under section 6.5 of this Part B) or a partnership, any individual who:
      • (i) is entitled (either directly or indirectly) to exercise 25% or more of the voting rights, including a power of veto; or
      • (ii) holds the position of senior managing official (or equivalent);
    • (b) for a trust (other than a trust which is verified under the simplified trustee verification procedure under section 8.3), any individual who holds the power to appoint or remove the trustees of the trust;
    • (c) for an association or a registered co-operative, any individual who:
      • (i) is entitled (either directly or indirectly) to exercise 25% or more of the voting rights including a power of veto; or
      • (ii) would be entitled on dissolution to 25% or more of the property of the association or registered co-operative; or
      • (iii) holds the position of senior managing official (or equivalent).
    32. Politically exposed person

    32.1 Step 1 – identification by self-certification
    ZebPay identifies PEPs by requiring all investors to self-certify whether or not they are a PEP.

    The PEP self-certification may either be completed:

    • (a) via the application form; or
    • (b) where the existing application form does not contain the relevant section for foreign investors to self-certify whether or not they are a PEP, ZebPay staff will send an email or written request to the investor asking them to confirm whether or not they are a PEP before providing a digital payment token service.

    The PEP self-certification section of the application form or the email or written request for PEP self-certification will contain a description of PEPs along the lines of:

    “Please certify whether or not you are a Politically Exposed Person (PEP)

    You are a PEP if you:

    • hold a prominent public position or function in a government body or an international organisation, including:
      • Head of State or head of a country or government; or
      • government minister or equivalent senior politician; or
      • senior government official; or
      • Judge of the High Court of Singapore, or a Judge of a court of equivalent seniority in a foreign country or international organisation; or
      • governor of a central bank or any other position that has comparable influence; or
      • senior foreign representative, ambassador, or high commissioner; or
      • high-ranking member of the armed forces; or
      • board chair, chief executive, or chief financial officer of, or any other position that has comparable influence in, any State enterprise or international organisation; or
    • have an immediate family member of a person referred to in the first bullet point, including:
      • a spouse; or
      • a de facto partner; or
      • a child and a child's spouse or de facto partner; or
      • a parent; or
    • are a close associate of a person referred to in the first bullet point, which means any individual who is known (having regard to information that is public or readily available) to have:
      • joint Beneficial Ownership of a legal entity or legal arrangement with a person referred to in the first bullet point; or
      • sole Beneficial Ownership of a legal entity or legal arrangement that is known to exist for the benefit of a person described in the first bullet point.”

    32.2 Step 2 - Independent verification of PEPs
    ZebPay will independently verify whether a customer or Beneficial Owner is a PEP using a third-party service provider where:

    • (a) the customer or Beneficial Owner has self-certified that he or she is not a PEP (see Part B Section 3.1(b)); and
    • (b) the customer or Beneficial Owner is a foreign investor from a high risk country (see list of high risk countries in Section 3.2(b) of Schedule 2); or
    • (c) a ZebPay staff member suspects that the customer or a Beneficial Owner is a PEP (e.g. where, to the knowledge of the staff member, the investor is a PEP or where it is obvious to ZebPay staff member that the investor uses a government address or email address).

    The independent verification of PEP status will be conducted before any digital payment token service is provided to the customer.

    Before engaging a third party service provider for this purpose, the below must be completed:
    ZebPay will consider service providers, reputation in the market, and procedures and only use an appropriate and reputable organisation to conduct verification taking into account ZebPay’s ML/TF risk.

    ZebPay has determined that this approach is appropriate given ZebPay’s overall low-medium ML/TF risk. In particular, ZebPay notes that:

    • it does not receive cash directly from investors;
    • all funds deposited with ZebPay have been transferred through financial institutions which are required to comply with AML/CTF identification and verification requirements.
    • The Compliance Officer revisits these procedures on a regular basis to determine whether or not they remain appropriate given ZebPay’s reassessed ML/TF risk.

    32.3 Step 3 – Collection of information
    ZebPay will take reasonable steps to establish the Politically Exposed Person’s source of wealth and source of funds.

    32.4 Provision of services to Politically Exposed Persons
    ZebPay shall now establish or continue a business relationship with a foreign PEP or a PEP considered by the Compliance Officer to be high risk and before the provision, or continued provision, of a digital payment token service to the customer.

    Definitions and Interpretation.

    Beneficial Owner means an individual who ultimately owns or controls (directly or indirectly) the customer. In this definition:

    • (a) control includes control as a result of, or by means of, trusts, agreements, arrangements, understandings and practices, whether or not having legal or equitable force and whether or not based on legal or equitable rights, and includes exercising control through the capacity to determine decisions about financial and operating policies; and
    • (b) owns means ownership (either directly or indirectly) of 25% or more of a person.

    Business Day means a day on which banks are open for business in Melbourne, Victoria excluding Saturday and Sunday and public holidays.

    Beneficial Owner information means the information referred to in section 19 of Part B.

    certified copy means a document that has been certified as a true copy of an original document by one of the following persons:

    • (a) a person who, under a law in force in a State or Territory, is currently licensed or registered to practise in an occupation listed in Part 1 of Schedule 2 of the Statutory Declarations Regulations 1993;
    • (b) a person who is enrolled on the roll of the Supreme Court of a State or Territory, or the High Court of Australia, as a legal practitioner (however described);
    • (c) a person listed in Part 2 of Schedule 2 of the Statutory Declarations Regulations 1993. For the purposes of the AML Rules, where Part 2 uses the term ‘5 or more years of continuous service’, this should be read as ‘2 or more years of continuous service’;
    • (d) an officer with, or authorised representative of, a holder of an Australian financial services licence, having 2 or more years of continuous service with one or more licensees; or
    • (e) an officer with, or a credit representative of, a holder of an Australian credit licence, having 2 or more years of continuous service with one or more licensees.

    certified extract means an extract that has been certified as a true copy of some of the information contained in a complete original document, by one of the persons described in paragraphs (a)-(e) of the definition of ‘certified copy’ in paragraph 1.2.1 of the AML Rules.

    Customer refers to ZebPay’s investors or borrowers or both.

    digital payment token service means the operation of a digital payment token exchange and/or provision of facilities for the borrowing of digital payment tokens

    domestic company means a company that is registered with ACRA (other than a registered foreign company).

    domestic listed public company means a domestic company that is a listed public company.

    domestic unlisted public company means a domestic company that is not a listed public company.

    foreign listed public company means a foreign company that is a listed public company.

    high risk country see lists of high risk countries in paragraph 3.2 of Schedule 2.

    KYC information means ‘know your customer information’ and includes information in relation to different customer types as set out in Schedule 2.

    listed public company means:

    • (a) in the case of a domestic company, a public company that is included in an official list of a domestic stock exchange;
    • (b) in the case of a registered foreign company:
      • (i) a public company that is included in an official list of a domestic stock exchange; or
      • (i) a public company whose shares, in whole or in part, are listed for quotation in the official list of any stock or equivalent exchange;
    • (c) in the case of an unregistered foreign company, a public company whose shares, in whole or in part, are listed for quotation in the official list of any stock or equivalent exchange.

    ML/TF risk means the risk that ZebPay may reasonably face by the provision of digital payment token services that might (whether inadvertently or otherwise) involve or facilitate money laundering or the financing of terrorism.

    Part A means Part A of this AML Program.

    Part B means Part B of this AML Program.

    Politically Exposed Persons or PEP means an individual:

    • (a) who holds a prominent public position or function in a government body or an international organisation, including:
      • (i) Head of State or head of a country or government; or
      • (ii) government minister or equivalent senior politician; or
      • (iii) senior government official; or
      • (iv) Judge of the High Court of Australia, the Federal Court of Australia or a Supreme Court of a State or Territory, or a Judge of a court of equivalent seniority in a foreign country or international organisation; or
      • (v) governor of a central bank or any other position that has comparable influence to the Governor of the Reserve Bank of Australia; or
      • (vi) senior foreign representative, ambassador, or high commissioner; or
      • (vii) high-ranking member of the armed forces; or
      • (viii) board chair, chief executive, or chief financial officer of, or any other position that has comparable influence in, any State enterprise or international organisation; and
    • (b) who is an immediate family member of a person referred to in paragraph (a), including:
      • (i) a spouse; or
      • (ii) a de facto partner; or
      • (iii) a child and a child's spouse or de facto partner; or
      • (iv) a parent; and
    • (c) who is a close associate of a person referred to in paragraph (a), which means any individual who is known (having regard to information that is public or readily available) to have:
      1. (i) joint Beneficial Ownership of a legal entity or legal arrangement with a person referred to in paragraph (a); or
      2. (ii) sole Beneficial Ownership of a legal entity or legal arrangement that is known to exist for the benefit of a person described in paragraph (a).
    • primary non-photographic identification document see Note B.1

      Primary Photographic Identification Document see Note B.1.

      Program means the anti-money laundering and counter-terrorism financing program as required by section 83 of the AML/CTF Regulations and as adopted by ZebPay.

      public company means a company other than a proprietary company.

      registered co-operative means a body registered under legislation as a co-operative.

      registered foreign company means a foreign company that is registered under Division 2 of Part 5B.2 of the Corporations Act 2001.

      relevant foreign registration body means, in respect of a registered foreign company or an unregistered foreign company, any government body that was responsible for the formation, incorporation or registration of that company in its country of formation, incorporation or registration.

      reliable and independent documentation is defined in the AML Rules to include, but is not limited to:

    • (d) an original Primary Photographic Identification Document (see Note B.1);
    • (e) an original primary non-photographic identification document (see Note B.1);
    • (f) an original secondary identification document (see Note B.2).

    Reliable independent documentation must be current and not have expired (except in the case of a passport issued by the Commonwealth which may be used within 2 years after its expiration date).

    In determining what is reliable independent electronic data, ZebPay must assess:

    • (a) whether the electronic data is reliable and independent, taking into account the following factors:
      • (i) the accuracy of the data;
      • (ii) how secure the data is;
      • (iii) how the data is kept up-to-date;
      • (iv) how comprehensive the data is (for example, by reference to the range of persons included in the data and the period over which the data has been collected);
      • (v) whether the data has been verified from a reliable and independent source;
      • (vi) whether the data is maintained by a government body or pursuant to legislation; and
      • (vii) whether the electronic data can be additionally authenticated; and
    • (g) what reliable and independent electronic data ZebPay must use for the purpose of verification;
    • (h) ZebPay’s pre-defined tolerance levels for matches and errors (eg. spelling of names etc.); and
    • (i) whether, and how, to confirm KYC information or Beneficial Owner information collected from an customer by independently initiating contact with the person that the customer claims to be.

    Responsible Manager has the meaning given to it in ASIC Regulatory Guide 204.

    secondary identification document see Note B.2.

    senior managing official means an individual who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business of a customer of a reporting entity or who has the capacity to affect significantly the financial standing of a customer of a reporting entity.

    unregistered foreign company means a foreign company that is not a registered foreign company.

    Money Laundering and Terrorist Financing Risk Assessment and Controls

    1. Risk

    1.5 Risk and risk management
    Risk can be defined as the combination of the probability of an event and its consequences. In simple terms risk can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result if it does occur.

    Risk management is the process of recognising risk and developing methods to both minimise and manage the risk. This requires the development of a method to identify, prioritise, treat (deal with), control and monitor risk exposures. In risk management, a process is followed where the risks are assessed against the likelihood (chance) of them occurring and the severity or amount of loss or damage (impact) which may result if they do happen.

    1.6 Which digital payment token services are provided by ZebPay?
    ZebPay intends to operate a digital payment token exchange and a facility for the lending of digital payment tokens, both of which businesses are designated as digital payment token services for the purposes of the Payment Services Act

    2. ML/TF Risk assessment process and methodology

    2.1 Which ML/TF risks have to be identified?
    ZebPay is required to identify and assess its ML/TF risks in the context of:

    • (a) the AML/CTF Regulations and the AML Rules; and
    • (b) the level of ML/TF risk the Board and management is prepared to accept.

    ZebPay has undertaken an assessment of both its Business Risk and its Regulatory Risk.

    Business risk is the risk that ZebPay’s business may be used for ML/TF. ZebPay has assessed the following business risks:

    • (a) customer risks (See 3.1 below);
    • (c) country or jurisdictional risks (See 3.2 below).
    • (d) products and services risks (See 3.3 below);
    • (e) business practices and/or delivery method risks (See 3.4 below); and

    The main regulatory risk is associated with ZebPay not meeting its obligations under the AML/CTF Regulations include:

    • (a) customer verification not done properly;
    • (f) failure to train staff adequately;
    • (g) not having an AML/CTF program;
    • (h) failure to report suspicious matters;
    • (i) not submitting an AML/CTF compliance report; and

    ZebPay regular monitors its obligations of AML Rules and has robust systems in place to ensure compliance. ZebPay’s regulatory risk is therefore low.

    2.2 Procedures for Risk Assessment
    A ML/TF risk assessment has been carried out and is reassessed on a regular basis:

    • (a) at least annually, as a part of the Annual Risk Assessment Review Process (see section 4 for further details); and
    • (b) when there are significant changes to ZebPay’s ML/TF risks (see section 4 for further details).

    All risk assessments are completed by the Compliance Officer with the assistance of other ZebPay staff members.

    The steps for the risk assessment are as follows:

    • (a) Step 1: Perform an analysis of ZebPay’s operations taking into account the nature, size and complexity of its business. The analysis is to be performed by the Compliance Officer with assistance from other staff members of ZebPay including management.
    • (i) Step 2: Identify ZebPay’s relevant ML/TF business risks and ML/TF regulatory risks.
    • (b) Step 3: Assess the ML/TF risks identified with particular regard to:
      • (i) Customer profile including:;
        • (A) likelihood of Politically Exposed Persons;
        • (B) they types of customers and thier sources of funds and wealth;
        • (C) the nature and purpose of the business relationships with its customers, including, as appropriate, the collection of information relevant to that consideration;
      • (ii) the types of digital payment token services it provides and the methods by which it delivers digital payment token services;
      • (iii) the nature and characteristics of foreign jurisdictions with which it deals or in which it has permanent establishment; and
      • (iv) the criminal threat environment and possible vulnerabilities of ZebPay’s business
      • Risk is measured in terms of the chance (likelihood) that they will occur and the severity or the amount of loss or damage (impact) which may result if the event occur. Each risk element is assigned with:

      • (i) A rating based on the likelihood of the risk element occurring (see Table 2.2.1 below)
      • Frequency Likelihood of a ML/TF risk
        Very likely Almost certain: it will probably occur several times a year
        Likely High probability it will happen once a year
        Unlikely Unlikely, but not impossible
      • (ii) A rating based on the impact of the risk element (see Table 2.2.2 below)
      • Consequence Impact – of a ML/TF risk
        Major Huge consequences – Serious terrorist act or large scale money laundering
        Moderate Moderate level of money laundering or terrorism impact
        Minor Minor or negligible consequence or effect

        A risk score is then determined by cross-referencing their likelihood and impact ratings according to the Table 2.2.3 below.

        Very likely Medium 2 High 3 Extreme 4
        Likely Low 1 Medium 2 High 3
        Unlikely Low 1 Low 1 Medium 2
        Minor Moderate Major

        Response: Okay to proceed.
        Rating Impact – of a ML/TF risk
        4 Extreme Risk almost sure to happen and/or to have very dire consequences.
        Response: Do not allow transaction to occur, or reduce the risk to acceptable level.
        3 High Risk likely to happen and/or to have serious consequences.
        Response: Do not allow transaction to occur until risk reduced.
        This will include implementing additional procedures including:
        • before providing services: non standard identification and verification of the customer; and
        • when providing services: conduct Enhanced Customer Due Diligence in respect of the customer.
        2 Medium Possible this could happen and/or have moderate consequences.
        Response: May go ahead but preferably reduce risk
        This may include implementing additional procedures including:
        • before providing services: non standard identification and verification of the customer; and
        • when providing services: conduct Enhanced Customer Due Diligence in respect of the customer.
        Low Unlikely to happen and/or have minor or negligible consequences.
    • (c) Step 4: Consider the effectiveness of currently implemented controls at mitigating the assessed risks.
    • (d) Step 5: Make recommendations, if necessary, in relation to further controls for addressing ZebPay’s ML/TF risks.

    The Compliance Officer must continue to monitor ZebPay’s ML/TF risks and the controls designed to mitigate those risks at all times.

    The Compliance Officer must prepare a report of the results of each risk assessment. The Compliance Officer is responsible for reporting to the Board on at least an annual basis.

    3. Risk Assessment - Business Risks

    ZebPay has performed an analysis of the business operations and identified and assessed its risk elements with respect to:

    • (a) customers;
    • (b) products and services;
    • (c) business practices/delivery methods (channels); and
    • (d) jurisdictions in which it does business.

    Each of these risk assessments are outlined in the tables below.

    3.1 Business Risk – Customer Risk (Table 3.1)

    Risk Group (a)(b) Customers:
    Risk Elements Likelihood Impact Risk Score Treatment/Action
    New Customer Unlikely Minor 1 Standard Identification and Verification Procedure
    Customer that wants to carry out a large transaction Likely Moderate 2 Standard Identification and Verification Procedure
    Consider also:
    1. Non standard identification and verification of the customer; and
    2. Conduct Enhanced Customer Due Diligence in respect of the customer.
    Customer who has a business which involves large amount of cash Unlikely Moderate 1 Standard Identification and Verification Procedure
    Customers whose identity is difficult to determine or suspicious information or information that cannot be verified Likely Major 3 Standard Identification and Verification Procedure
    Non-Standard Identification and Verification Procedure
    Enhanced Customer Due Diligence
    Customers or Beneficial Owners who are Politically Exposed Persons (whether domestic or foreign) Likely Major 3 Standard Identification and Verification Procedure
    Non-Standard Identification and Verification Procedure
    Enhanced Customer Due Diligence
    Customers who deposit cash with ZebPay NA NA NA ZebPay does not accept cash.
    Use of proxies, unverifiable IP address or geographical location, disposable email address or mobile number, ever changing devices used to conduct transactions Likely Major 3 Standard Identification and Verification Procedure
    Non-Standard Identification and Verification Procedure
    Enhanced Customer Due Diligence including for example:
    1. Collect IP addresses and other device identifiers
    2. Require the use of one time PINs sent to (Australian) mobile phone number to conduct digital transactions
    Customers or transactions in high risk locations (e.g. prescribed foreign countries and the application of sanctions laws) Likely Major 3 Screen customers against the DFAT Consolidated List for sanctions monitoring
    Procedures in place to undertake enhanced customer due diligence, in particular, where it determines the ML/TF risk is high or a party is present in a prescribed foreign country
    Procedures in place to identify suspicious matters and submit SMR to MAS
    Employee AML/CTF risk awareness training program implemented
    Unusual patterns of transaction activity (e.g. volumes, velocity, structuring to avoid detection/reporting obligations, source, destination) Likely Major 3 Standard Identification and Verification Procedure
    Non-Standard Identification and Verification Procedure
    Enhanced Customer Due Diligence including for example considering limiting the value of transactions that can be conducted in a day/week/month
    Transactions involving known blacklisted addresses such as ‘darknet’ market place transactions and tumblers Likely Major 3 Standard Identification and Verification Procedure
    Non-Standard Identification and Verification Procedure
    Enhanced Customer Due Diligence
    Ransom-ware Unlikely Moderate 1 Standard Identification and Verification Procedure
    Transactions in higher risk or anonymous digital payment tokens Very likely Major 4 Transaction not to be processed until risk level reduced.
    Employee collusion Unlikely Moderate 1 Standard Identification and Verification Procedure

    3.2 Business Risk – Jurisdiction/Country Risk (Table 3.2)

    Jurisdiction risk, in conjunction with other risk factors, provides useful information as to potential ML/TF risks. There is no universally agreed definition by either governments or institutions that prescribes whether a particular country represents a higher risk. ZebPay has determined the following impact ratings for the following jurisdictions.

    • (a) FATF member countries (Risk Rating Minor): The Financial Action Task Force (FATF) is an international body that evaluates the effectiveness of anti-money laundering controls around the world. FATF members are committed to implementing anti-money laundering measures, reviewing money laundering techniques and counter-measures, and promoting the adoption and implementation of anti-money laundering measures globally. The following is a list of FATF members (current as at January 2020):

      Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Denmark, Finland, France, Germany, Greece, Hong Kong (China), Iceland, India, Ireland, Israel, Italy, Japan, South Korea, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Portugal, Russian Federation, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom, United States

      This list is updated by the Compliance Officer at least annually.

    • (b) High risk and non-cooperative jurisdictions are countries whose citizens and entities, the FATF has identified as having strategic AML/CFT deficiencies. ZebPay has determined, the jurisdictions listed below must receive additional due diligence before receiving a digital payment token service and it is likely that that no digital payment token services will be provided:

    Democratic People’s Rebublic of Korea, Iran, Bahamas, Botswana, Cambodia, Ghana, Iceland, Mongolia, Pakistan, Panama, Syria, Trinidad and Tobago, Yemen, Zimbabwe, Cuba

    This list is updated by the Compliance Officer whenever he/she becomes aware of any change.

    All other countries (Impact Rating Moderate): All other countries have a moderate risk impact rating.

    Table 3.2: Jurisdictional Risk

    Risk Group Jurisdictional Risk
    Risk Elements Likelihood Impact Risk Score Treatment/Action
    Singapore and other FATF member countries Unlikely Minor 1 Standard Identification and Verification Procedure.
    High risk and non-cooperative jurisdictions Likely Moderate 3 Enhanced Identification and Verification Procedure
    All other countries Unlikely Minor 2 Standard Identification and Verification Procedure

    Table 3.5: Employees Risk

    Risk Group Employees
    Risk Elements Likelihood Impact Risk Score Treatment/Action
    Employees of ZebPay are largely responsible for carrying out the functions and processes of this AML Program. Without proper awareness training the employees of ZebPay will be unable to properly identify the ML/TF risks in a timely fashion. Unlikely Moderate 1 This AML Program has a policy in place to ensure employees are appropriately trained. Refer to Employee Risk Awareness Training. (see Part A section 4)
    AML/CTF Regulatory Risk (Table 4.1)
    Risk Group Regulatory Risk
    Risk Elements Likelihood Impact Risk Score Treatment/Action
    Failure to report suspicious matters Unlikely Major 2 This AML Program has a policy in place to facilitate compliance.
    (Please refer to Part A Section 7)
    Failure to report threshold transactions Unlikely Major 2 ZebPay will not be required to report threshold hold transactions as so long as it does not receive cash investments
    Failure to file AML/CTF Compliance Reports Unlikely Moderate 1 This AML Program has a policy in place to facilitate compliance.
    (Please refer to Part A Section 7)
    Failure to provide further Information to MAS Unlikely Moderate 1 This AML Program has a policy in place to facilitate compliance.
    (Please refer to Part A section 10)
    Failure to monitor cross border movements of physical currency and bearer negotiable instruments Unlikely Major NA It is ZebPay’s policy to not accept physical currency or bearer negotiable instruments.
    Failure to monitor electronic funds transfer instructions Unlikely Major NA As ZebPay is not an ‘institution’ for the purposes of Part 5 of the AML/CTF Regulations It has no obligations in respect of Electronic Funds Transfer instructions. 10
    Failure to adopt AML Program Unlikely Major 2 This AML Program has been adopted by the Board and management.
    Failure to monitor Correspondent Banking relationships Unlikely Major NA 11 As ZebPay is not a ‘financial institution’ it has no obligations in respect of Correspondent Banking relationships.
    Failure to comply with record keeping requirements Unlikely Moderate 1 This AML Program has a policy in place in place to facilitate compliance.
    (Please refer to Part A Section 13)
    Failure to comply with Customer Identification Requirements Unlikely Major 2 This AML Program has a policy in place to facilitate compliance.
    (Please refer to Part B Customer Identification Procedures)