Last update: March 2022

1. OBJECTIVE

This document applies to AI MALL LTD,  its subsidiaries or holding companies from time to time and any subsidiary of any holding Company from time to time (hereinafter the “AI Mall”, “AIM” or “We”), in relation to the adopted KYC guidelines.

2. SCOPE

The KYC guideline sets the requirements for determining and verifying the identity of any person who establishes a relationship with AIM. These requirements enable AIM to form a reasonable belief that it knows the true identity of each of its users

The KYC guidelines in this document are aimed at preventing AIM from being used, intentionally or unintentionally, by criminal elements for money laundering activities or terrorist financing activities. KYC procedures shall also enable AIM to know and understand its Users and its financial dealings better which in turn will help it to manage its risks prudently. Thus, the KYC policy has been framed by AIM for the following purposes:

• To prevent criminal elements from using AIM for money laundering activities;
• To enable AIM to know and understand its Users and their financial dealings better which, in turn, would help the AIM to manage risks prudently;
• To put in place appropriate controls for detection and reporting of suspicious activities in accordance with applicable laws/laid down procedures;
• To comply with applicable laws and regulatory guidelines;
• To ensure that the concerned staff are adequately trained in KYC/AML/CFT procedures

The target audience for this guideline is all AIM employees responsible for establishing user and user relationships, opening and maintaining accounts and processing transactions.

3. DEFINITIONS
4. DEFINITION OF USER AND OF ACCOUNT

• User(s): A user is defined as an individual seller or buyer or either business that uses AIM platform and services in accordance with AIM Terms of Use. A person that opens a new account for another person is not considered a user unless the person for whom the account is opened lacks legal capacity, as a minor.
• Account: An account is defined as a business relationship to provide AIM services and transaction in accordance with AIM Terms of Use

2. OTHER DEFINITIONS

• AIM: AI MALL LTD, its subsidiaries or holding companies from time to time and any subsidiary of any holding Company from time to time.
• Money Laundering: Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origins of criminally derived proceeds so that the proceeds appear to have derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages. Cash first enters the financial system at the “placement” stage, where the cash generated from criminal activities is converted into monetary instruments, such as money orders or traveller’s checks, or deposited into accounts at financial institutions. At the “layering” stage, the funds are transferred or moved into other accounts or other financial institutions to further separate the money from its criminal origin. At the “integration” stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or legitimate businesses.
• Terrorist Financing: Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal either the origin of the funds or their intended use, which could be for criminal purposes. Legitimate sources of funds are a key difference between terrorist financiers and traditional criminal organizations. In addition to charitable donations, legitimate sources include foreign government sponsors, business ownership and personal employment. Although the motivation differs between traditional money launderers and terrorist financiers, the actual methods used to fund terrorist operations can be the same as or similar to methods used by other criminals to launder funds. Funding for terrorist attacks does not always require large sums of money and the associated transactions may not be complex.

4. KEY ELEMENTS

AIM is prohibited from transacting business with individuals, companies and countries that are on prescribed sanctions lists. 

AIM will therefore screen against United Nations, European Union, UK Treasury and US Office of Foreign Assets Control (OFAC) sanctions lists in all jurisdictions in which AIM operates. Respective AIM’s AML policies, procedures and internal controls are designed to ensure compliance with all applicable regulations and rules, including, but not limited to FATF, OFAC, EU PSD2 and MLD5 Directives, other internationally accepted regulations, local and national regulations (Regulations),  and will be reviewed and updated on a regular basis to ensure appropriate policies, procedures and internal controls are in place to account for both changes in regulations and changes in our business. 

AIM operates so that it is compliant with ‘anti-money laundering’ (“AML”) and ‘know your user’ (“KYC”) rules and regulations in the jurisdictions it operates in or provides products or services to and has developed this KYC and AML Policy to protect itself from involvement in money laundering or suspicious activity as follows:

• AIM is performing an enterprise-wide risk assessment to determine the risk profile of the Company.
• AIM is implementing internal controls throughout its operations that are designed to reduce risks of money laundering, including designating a person responsible for AML compliance.
• AIM has systems to verify the identification of users.
• AIM has processes where any knowledge or suspicions of money laundering will be reported.
• AIM performing know your user (“KYC”) procedures on all users.

AIMis adopting the following KYC policies in compliance with applicable Regulations:

1. User Acceptance Program (“UAP”)
2. User Identification Program (“UIP”)
3. Monitoring of Transactions
4. Risk Management
5. Training Program
6. Recordkeeping
7. Appointment of principal officer
8. Reporting to Financial Intelligence Unit

Enhanced User review may be carried out periodically at AIM discretion as part of AIM ongoing risk assessment. In addition to this, any attempt to abuse AIM or its platform will result in immediate account suspension and reporting violations to respective authorities.

AIM insists on a comprehensive and thorough KYC and AML compliance framework. This includes monitoring of suspicious transactions and obligatory reporting to local regulators and other compliance bodies, and submitting documents and information to regulators as required and without prior notification to registered users. 

AIM reserves the right to refuse registration to persons from jurisdictions that do not meet international AML standards. AIM may at any time without liability and without disclosing any reason, suspend the operation of the respective user. 

5. USER ACCEPTANCE PROGRAM

AIM ’s User acceptance program (UAP) lays down the criteria for acceptance of Users. The guidelines in respect of user/user relationship in the AIM broadly includes verification in accordance with Annex I hereto.

Unless prohibited by local law, in order to verify the identity of new users, prior to account opening a new user notice should be provided (Refer to Annex 1). This notice must inform new users that to help prevent money laundering and terrorist financing. This notice should also inform new users of the specific information to be collected and any documentation required for verification of user identity.

6. USER IDENTIFICATION PROGRAM

AIM’s User Identification Program (UIP) sets forth the requirements for determining and verifying the identity of any person seeking to establish a relationship with AIM.

The user identification is a critical step. Verification of identity does not replace the requirement to conduct appropriate due diligence for users prior to establishing a user relationship and opening an account.

These requirements, which are consistent with international standards and satisfy AIM’s obligations under regulatory requirements, enable AIM to form a reasonable belief that it knows the true identity of each of its users.

Specific identification information must be obtained and some or all of this information must be verified by documentary and non-documentary methods in accordance with Annex I hereto.

Scope

AIM UIP requirements must be followed by all AIM businesses and legal entities. These requirements apply globally to achieve consistency and uniformity in the verification of identification of all AIM users.

Owner

The UIP is owned by the CEO or the Head of AML Compliance who is responsible for its day-to-day oversight and administration. 

Effective date

The UIP becomes effective to all AIM users.

Testing and quality assurance (QA) control assessment

Periodic testing of the requirement of the UIP and the other relevant implementing procedure are conducted by the Compliance Team.

The business is also responsible for developing a QA process to analyse and identify any control weaknesses with regards to the requirements of the UIP and opportunities for process and performance improvement.

User Identification Program

User Identification means identifying the User and verifying his/her identity by using reliable, independent source documents, data or information. AIM shall obtain sufficient information necessary to verify the identity of each new User along with brief details of its promoters and management, wherever applicable, whether regular or occasional and the purpose of the intended nature of business relationship. The requirement as mentioned herein may be moderated according to the risk perception.

Besides risk perception, the nature of information/documents required would also depend on the type of User (individual, corporate etc). 

For Users that are natural individuals, AIM shall obtain sufficient identification data to verify the identity of the User, his address/location, and also his recent photograph. 

For users that are legal individuals or entities, the AIM shall:

• verify the legal status of the legal person/ entity through proper and relevant documents
• verify that any person purporting to act on behalf of the legal person/entity is so authorized and identify and verify the identity of that person.
• Understand the ownership and control structure of the user and determine who are the natural persons who ultimately control the legal person. 

An indicative list of the nature and type of documents/information that may be relied upon for user identification is given in Annex II. AIM will frame internal guidelines based on its experience of dealing with such individuals/entities, normal prudence and the legal requirements.

The User Identification Program (UIP) must include reasonable and practical risk-based procedures for verifying the User identity. Where required by local law, a country or region may implement procedures that apply to a business or businesses within that specific region or country in accordance with Annex I hereto. 

The UIP procedure can be incorporated into other business-specific AML policies, programs and procedures in accordance for the effective implementation and requirements.

Gathering and verifying required user identification information

The first step in the UIP process is to gather the required user identification information in accordance with Annex I hereto. This information must be obtained prior to opening an account or otherwise establishing a relationship and before any transactions are permitted.

In accordance with the KYC principles, no transactions are permitted until the identification number has been received. 

User identification information that has been obtained from the prospective user has to be verified. A periodic review and client refresh have to be conducted. Depending on a user’s risk profile, activity in an account may be permitted before verification of identification has been completed. In this case approval is required by the AML Committee. If the identity of a user cannot be verified within 30 days of account opening, the account must be closed and the relationship terminated.

Furthermore, a business may rely on a third party to perform some or all of the AIM UIP requirements. In this case, verification has to be conducted whether a third party may be relied upon to perform some or all UIP on AIM’s behalf. In case of uncertainty matter must be referred to the AML Committee. 

Comparison with government list of known or suspected terrorists

An integration of activities for screening against any government issued list of known or suspected terrorists should be considered. This procedure may be integrated with those established to screen user names against government sanctions list.

Record Retention Requirements

All identification information collected must be retained in accordance with the AIM Records Management Policy for a period of five years after the user’s last account is closed unless otherwise required by local law. Procedures for retaining such records must be documented.

Roles and responsibilities

Responsibilities of the business include:

• Collecting and verifying information as set forth in the UIP and maintaining relevant UIP records.
• Screening User against government list of known or suspected terrorists.
• Closing accounts or existing relationships when a reasonable belief that the relevant AIM business knows the true identity of the user cannot be formed.
• Developing and implementing reasonable business/country specific risk-based UIP procedures.
• Escalating to the appropriate AML Committee for appropriate investigation in case of any potential suspicious situations or risk issues discovered during the identification information collection and verification process.
• Establishing and implementing a Quality and Assurance process and Manager Control procedures. 
• Conducting assessment and Periodic Review and Client Refresh cycle controls.
• Providing training to business and operations personnel involved in the UIP process.
• Documenting any local law deviations and peculiarities and monitoring changes to local laws.

Senior management is responsible for providing oversight of the UIP, in particular with regard to: 

• The review and approval of the relevant UIP results and any relevant exception requests.
• Consulting with the business to develop reasonable and practical risk-based procedures for implementing the UIP.
• Advising on policy and procedures requirements and QA reviews prepared by the business.
• Advising on the need to freeze or block accounts and/or exit relationships when identification information cannot be obtained and verified.
• Oversight on the need of training related to the requirements of the CIP and AML compliance roles and responsibilities.
• Evaluating needs of specific investigation activities when necessary.

7. MONITORING OF TRANSACTIONS

AIM will monitor transactions of Users in accordance with applicable laws and regulations. 

8. RISK MANAGEMENT

The Management of AIM shall ensure that an effective KYC program is put in place by establishing appropriate procedures and ensuring their effective implementation. It will cover proper management oversight, systems and controls, segregation of duties, training and other related matters. Responsibility will be explicitly allocated within the AIM  for ensuring that the policies and procedures as applicable to the Company are implemented effectively. AIM shall devise procedures for creating Risk Profiles of their existing and new Users and apply various Anti Money Laundering measures keeping in view the risks involved in a transaction, account or business relationship.

9. TRAINING PROGRAM

AIM will apply Employee Training Programs on a regular basis and as required by applicable international and national law and regulations, respectively.

10. RECORD KEEPING REQUIREMENTS

All identification information collected at account opening and user on-boarding must be retained in accordance with AIM policy for a period of five years after the user’s last account is closed, or for credit card accounts, for a period of five years after the account is closed, unless otherwise required by local law. ANNEXES

ANNEX 1- MODULE NOTICE

For natural and legal individuals 

IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT AT AIM portal

To prevent money laundering and terrorist financing, the laws of many jurisdictions and AIM procedures, require AIM to obtain, verify and record information that identifies each person who opens an account in the AIM portal.

What this means for you:

We will ask your name, address, date of birth and other information that will allow us to identify you. We may also ask to see a photo ID or other identifying documents to proceed with AML regulations.

If the identification information cannot be verified, AIM is not allowed to maintain user relationships which must be terminated as soon as possible in accordance with law and regulations. If, during the course of verifying AIM user’s identification information a suspicion is aroused, the issue can be escalated to our relevant AML Investigative Unit and a suspicious activity report must be filed in accordance with the AIM business’s policy.

We appreciate your understanding and cooperation to support high level of AIM reputational standards.

ANNEX 2 – SELLER IDENTIFICATION REQUIREMENTS (INDICATIVE GUIDELINES) 

1. For natural individual

Identification of individuals who are users or beneficial owners or authorised signatories

AIM should collect the following information for identification purposes from the user or any other available source, subject to GDPR consent, if the user is the resident of EU country:

Table 1: Identification information of natural individual                                                                                                   

At a minimum	Potential additional information (on the basis of risks)
Name (i.e. first and last name)	Any other names used (such as marital name, former legal name or alias)
Complete residential address	Business address, post office box number, e-mail address and landline or mobile telephone numbers
Nationality, an official personal identification number or other unique identifier	Residency status
Date and place of birth	Gender

When the account opening is the start of a user relationship, further information should be collected with a view to developing an initial user risk profile:

Table 2: Identification Information related to the user’s risk profile 

Key attributes	Potential additional information (on the basis of risks)
Occupation, public position held	Name of employer, where applicable;
Income	Sources of user’s wealth
Expected use of the account: amount, number, type, purpose and frequency of the transactions expected
Financial products or services requested by the user.	Destination of funds passing through the account.

Verification of identity of natural individual

The measures to verify the information produced should be proportionate to the risk posed by the user relationship and should enable AIM to satisfy itself that it knows who the user is.

1. Documentary verification procedures:

• confirming the  identity  of  the  user or the  beneficial  owner from an unexpired  official document (eg passport, identification  card, residence permit, social security records, driver’s licence) that bears a photograph of the user, matching this document with live selfie (face rec);
• confirming the date and place of birth from an official document (eg birth certificate, passport, identity card, social security records);
• in specific cases, confirming the validity of official documentation provided through certification by an authorised person (eg embassy official, public notary);
• confirming the residential address (eg utility bill, tax assessment, bank statement, letter from a public authority);
• confirming power of attorney of representative, if any.

2. Non-documentary verification procedures

• contacting the user by telephone, sms or via email to confirm the information supplied, after an account has been opened (e.g. a disconnected phone, returned mail etc should warrant further investigation);
• checking references provided by other institutions;
• utilising an independent information verification process, such as by accessing public registers, private databases or other reliable independent sources (e.g. credit reference agencies).

Further verification of information on the basis of risks

Users with high-risk profiles, such as PEPs, will be rejected by AIM as a rule.

However, if decided by authorized management particular attention needs to  be  focused on those  users assessed  as having  higher-risk profiles.  

Additional sources of information and enhanced verification procedures may include:

• confirming an individual’s residential address on the basis of official papers, a credit reference agency search;
• contact with the bank regarding the  user;
• verification of income sources, funds and wealth identified through appropriate measures; and
• verification  of employment and of public positions held;
• personal reference

2. Legal individual and arrangements and beneficial ownership

The procedures above should also be applied to legal business and arrangements. AIM should identify and verify the identity of the user and understand the nature of its business, and its ownership and control structure, with a view to establishing a user risk profile.

Legal individual includes any entity (e.g. business or non-profit organisation, distinct from its officers and shareholders) that is not a natural person or a legal arrangement.

In considering the user identification guidance for the different types of legal persons, particular attention should be given to the different levels and nature of risk associated with these entities.

Verification of identity of legal individual

For legal individual, the following information should be obtained for identification purposes:

Table 1: Identification information of legal individual                                                                                                   

At a minimum	Potential additional information (on the basis of risks)
Name, legal form, status and proof of incorporation of the legal person
Permanent address of the principal place of the legal person’s activities
Official identification number (company registration number, tax identification number, VAT VIES number, if applicable)	Legal entity identifier (LEI) if eligible
Mailing and registered address of legal person	Contact telephone and fax numbers
Identity of natural persons who are authorised to operate the account. In the absence of an authorised person, the identity of the relevant person who is the senior managing official	Identity of relevant persons holding   senior management positions
Identity of the beneficial owners
Powers that regulate and bind the legal person (such as the articles of incorporation for a corporation)

“Beneficial owner” is the natural person(s) who ultimately owns or controls a user and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.

When the account opening is the start of a user relationship, further information should be collected with a view to developing an initial user risk profile.

Table 2: Identification Information related to the user’s risk profile

At a minimum	Potential additional information (on the basis of risks)
Nature and purpose of the activities of the legal entity and its legitimacy;	Financial situation of the entity;
Expected use of the account: amount, number, type, purpose and frequency of the transactions expected.	Sources  of  funds  paid   into   the   account  and destination of funds passing through the account.

Verification of identity of legal individual

The measures to verify the information produced should be proportionate to the risk posed by the user relationship and should enable AIM to satisfy itself that it knows who the user is.

1. Documentary verification procedures:

• a copy of  the  certificate  of  incorporation  and memorandum and articles  of  association,  or partnership agreement (or any other legal document certifying the existence of the entity, eg abstract of the registry of companies/commerce);
• for established corporate entities – reviewing a copy of the latest financial statements (audited, if available).

2. Non-documentary verification procedures

• undertaking a company search and/or other commercial enquiries to ascertain that the legal person has not  been,  or is  not in  the process of being,  dissolved,  struck off, wound up or terminated;
• utilising an independent information verification process, such as by accessing public corporate registers, private databases or other reliable independent sources (eg lawyers, accountants);
• validating the data in the public access service;
• obtaining prior bank references;
• contacting the corporate entity by telephone, sms, mail or e-mail.

Verification of identity of authorised signatories and of beneficial owners of the users shall be conducted in accordance with the procedure for natural persons above.

Further verification of information on the basis of risks

As part of its broader user due diligence measures, AIM should consider, on a risk-sensitive basis, whether the information regarding financial situation and source of funds and/or destination of funds should be corroborated.