AML Policy

This AML Policy has been compiled to create a core policy document to govern the various developed procedures and principles of the Company’s AML/CTF compliance regime and KYC policy. By no means this document shall not be read as an entire set of all policies, procedures and controls in place implemented by the Company for prevention of money laundering, financing of terrorism and other forms of illicit activity. Terms and definitions used in this AML Policy are explained in Terms of Use.

XGateway operates under the laws of the Republic of Estonia. The Company has set out this anti-money laundering (AML) and counter-terrorism financing (CTF) policy and procedure that is applicable to all staff to help prevent and detect potential ML/FT. The Company takes a zero-tolerance approach to ML/FT and other such financial crimes.

The objective of this document is:

  • To provide a high-level assessment of the operations and services provided by the Company and the risk that they may pose to ML/FT; and
  • To set out the policies, procedures, systems and controls necessary for the Company to meet the obligations in Estonia.


The Company’s approach is based upon:

  • Money Laundering and Terrorist Financing Prevention Act of Estonia, as amended from time to time (“Act”);
  • International Sanctions Act of Estonia as amended from time to time; and
  • FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Assets Service Providers.


The Company is responsible for assessing its ML/FT risks and ensuring appropriate implementation of a risk-sensitive policy and procedure within the business.


It is the Company’s policy that the Estonian statutory and regulatory obligations to prevent ML/FT are to be met in full and the Company is committed to meeting and where possible exceeding such obligations.

The Company will not onboard or continue established relationships with customers whose conduct gives rise to suspicion of involvement with illegal activities. The Company will seek to suspend any customer relationship where the customer’s conduct gives reasonable cause to believe or suspect involvement with illegal activities. Upon identifying that any activity is being suspected to involve criminal/illegal activity, or there is knowledge to believe that the activity involves criminal/illegal activities, a Suspicious Activity Report (SAR) is to be completed and submitted to the Money Laundering Reporting Officer (MLRO). If the MLRO deems that a report needs to be filed with the Financial Intelligence Unit of Estonia (FIUE), the customer account needs to be suspended and no further transactions are to take place until further instructions are received from the FIUE.

The Company’s vigilance, policy and procedures are based upon the legislations and regulations referred to above and associated guidance issued by the Republic of Estonia and the FIUE.


The purpose of these procedures is to assist the officers and employees of the Company in fulfilling their obligations under the Estonian statutory and regulatory obligations, thus ensuring effective implementation of the AML/CFT measures and mitigating risks. These will be maintained to ensure the following:

  • The risk of the Company’s products or services used as a vehicle for ML/FT is minimized;
  • All customers are properly identified and verified when necessary;
  • New customers who do not appear to be legitimate are declined, and where there is suspicion relating to criminal conduct on the part of a declined participant, such suspicion is reported to the MLRO. Established participants’ activities are regularly monitored to ensure that they fit the customer’s profile, especially in respect of large or abnormal transactions;
  • Records are retained to provide an audit trail and adequate evidence to the law enforcement agencies in their investigations;
  • All knowledge and/or suspicions are noted down in an internal SAR and forwarded to the MLRO. In turn, the MLRO will review the report and gathered information and submit a SAR to the FIUE within five (5) days of having received the internal SAR;
  • Information on any SARs is to be kept confidential and all internal SARs and external SARs together with any correspondence with the relevant authorities is to be retained by the company in a confidential manner;
  • Full co-operation is provided to the law enforcement authorities to the extent required by statute/regulation. Furthermore, should a customer of the Company come under investigation by law enforcement, the Company should be able to provide its part of any relevant audit trail, in respect of transactions and/or information about the customer;
  • That the Company’s ongoing monitoring systems are implemented and regularly reviewed; and
  • Appropriate knowledge and awareness are maintained regarding Estonia’s statutory and regulatory obligations.


The Company’s board of directors and senior management are responsible for various matters such as:

  • Setting the principles for the prevention of ML/FT, policies and the supporting procedures;
  • Ensuring that the Company’s policies and procedures are designed and operate effectively to manage the risk of the business from being used for financial crime and to fully meet the requirements of the AML/CFT regime;
  • The appointment of an MLRO who holds a sufficiently senior management role and expertise;
  • Notifying the appointment of an MLRO and a designated employee (if any) to the FIUE and any other supervising authority as applicable;
  • Ensuring that the MLRO is promptly notified of unusual/suspicious transactions and other matters of significance;
  • Ensuring that the MLRO has complete autonomy in the suspicious activity report (SAR) evaluation process and unfettered access to information necessary to carry out the evaluation process; and
  • Ensuring that the MLRO is provided with or has access to the necessary resources (in terms of staff members and appropriate and up to date systems in place to detect suspicious activity and assist with conducting ongoing monitoring);
  • Reviewing any recommendations made by the MLRO concerning the Company’s compliance with the relevant legislative framework and taking any necessary decisions thereon; and
  • Approve the departments documented operational procedures which must be in line with the AML/CFT (among others) and as per requirements of the regulatory and supervisory authorities.


The MLRO is responsible for ensuring compliance to the AML/CFT law with the requirements of the legal framework governing the Company. The MLRO shall be afforded every assistance and cooperation by all members of staff in carrying out the duties to their appointment. The MLRO is responsible for:

  • Receiving reports from the employees of knowledge or suspicion of ML/FT, or that a person may have been, is or may be connected with ML/FT;
  • Considering these reports to determine whether knowledge or suspicion of ML/FT subsists or whether a person may have been, is or may be connected with ML/FT;
  • Reporting knowledge or suspicion of ML/FT or of a person’s connection with ML/FT to the FIUE;
  • Responding promptly to any request for information made by the FIUE; and
  • Reporting any AML/CFT issues and matters to the Board of Directors.

Importance of compliance culture

Detailed and comprehensive policy and procedures are not sufficient to forestall the facilitation of ML/FT. If the compliance culture of the Company is weak, then they will be ineffective.

The board of directors, senior management and MLRO are to encourage a compliance culture by:

  • Demonstrating support for compliance with these policies, procedures and with sound corporate ethics;
  • Providing support for staff in their AML/CTF efforts;
  • Demonstrating support to the MLRO;
  • Demonstrating no tolerance of customers and other external parties who are not transparent or are not cooperative in AML/CTF efforts;
  • Encouraging risk awareness in staff;
  • Encouraging a spirit of compliance;
  • Fostering awareness through training;
  • Taking appropriate action in respect of breaches;
  • Encouraging the raising of concerns by employees at all levels; and
  • Providing the necessary resources for proper application of procedures and to address concerns.

Review of effectiveness

The board of directors, senior management and MLRO are to review and assess the culture within the Company and the effect of human factors on the effectiveness of procedures as part of its risk review.

Risk assessment

Company will perform a risk-based due diligence and collect information and documentation on each prospective client in order to assess the risk profile associated. The Company’s employees will exercise care, due diligence and good judgment in determining the overall character and nature of all clients. Company conducts its business in accordance with the highest ethical standards and will not enter into business relationships with individuals or entities that may adversely affect Company’s reputation and compromise the virtual currency industry.

For the purpose of identification, assessment and analysis of risks of money laundering and terrorist financing related to its activities, the Company prepares a risk assessment, taking account of the following categories:

  • Customer risk;
  • Country and geographical risk;
  • Product risk; and
  • Delivery channel risk.


After the risk is assessed and attributed to a particular customer, depending on the degree of risk, it should be revised periodically upon knowledge of the customer and its activity.

Customer acceptance policy

The Company shall accept only those customers for business whose identity is established by conducting due diligence appropriate to the risk profile of the customer.

Broadly speaking, the Company shall not accept registrations from customers who:

  • Refuse or resist in providing the necessary documentation and/or information;
  • Provide fraudulent information upon registration;
  • Provide forged, invalid and expired verification documents;
  • Pose an extreme risk to the Company.

Country risk assessment

Country factors (amongst others) are identified as being relevant to assessing the financial crime risk of the customer. These factors could include a customer’s place of birth, citizenship, country of residence, country of tax residency and more. Therefore, when assessing a customer’s risk profile, the Company’s employees should not only consider the financial crime risk related to the customer and the customer’s source of funds/wealth, but also the legal frameworks and their effectiveness, as well as the political environment in the countries where the customer resides and his/her country of citizenship and/or nationality.

Hence, the Company shall carry out a country risk assessment.

The risk appetite of the company should also be considered. The company is also to consider who is responsible for completing and updating the country risk assessment (for example the MLRO and Senior Management). It is recommended that amongst the restricted/prohibited jurisdictions the company should take into account (amongst other factors):

1. Sanctions, embargoes or similar measures issued by, for example, the UN and EU

2. Jurisdictions which are non-collaborative, or which have been called to action by the FIUE

PEP definition and screening

Politically Exposed Person (PEP) – a natural person who performs or has performed significant duties of prominent public authority, other than middle ranking or more junior officials. Family members and known close associates of such a person are also considered as PEPs.

Persons carrying out significant duties of public authority are:

  • Heads of State, Heads of Government, Ministers, Deputy or Assistant Ministers and Parliamentary Secretaries;
  • Members of the Parliament or similar legislative bodies;
  • Members of the governing bodies of a political party;
  • Members of superior, supreme and constitutional courts or of other high-level judicial bodies whose decisions are not subject to further appeal, except in exceptional circumstances;
  • Members of courts of auditors, or of the boards of central banks;
  • Ambassadors, chargé d’ affaires or other high-ranking officers in the armed forces;
  • Members of the administrative, management or supervisory boards of state-owned enterprises; and
  • Anyone exercising a function equivalent to those set out above within an institution of the European Union or any other international body.


A ‘family member’ of a PEP means:

  • His/her spouse;
  • A partner equivalent to the spouse, in accordance with the law of the country of residence or a person who has had at least one year’s common household with him/her as at the date of conclusion of the transaction;
  • His/her children and their spouses or partners within the meaning of the preceding paragraph;
  • His/her parents.


A ‘known close associate’ of a PEP means:

  • a natural person who has close business relations with the person performing significant duties of public authority or who together with the person performing significant duties of public authority is the joint beneficial owner of a legal person or contractual legal entity;
  • a person who, as the beneficial owner, fully owns a legal person or contractual legal entity that is known to have been established for the benefit of a person performing significant duties of public authority.


Where a PEP is no longer entrusted with a prominent public function, the continuing risk posed by that person shall be taken into account and s/he is still deemed to be a PEP for at least 12 months from termination of such role.

Sanctions screening

Dealing with persons against which imposed international sanctions poses a great risk to the Company, its directors, officers and owners.

The Company will perform sanction screening of its customers on the same matching rules, as for PEP screening.

The Company will perform screening, at minimum, against the following sanctions lists:

  • UN Sanctions;
  • EU Sanctions;
  • Sanctions administered by the Office of Financial Sanctions Implementation (“OFSI-UK”)
  • Sanctions administered by the Office of Foreign Assets Control (“OFAC-US”);
  • Sanctions imposed under the International Sanction Act.
  • All matches (true hits) will be escalated to a MLRO for further action and processing.

On-going monitoring

On-going monitoring is conducted by the Company in order to ensure that the information collected about the customer at registration stage, is still current and valid and to determine whether there is any suspicious activity that requires further investigation. The on-going monitoring of a business relationship includes, but is not limited to:

  • The scrutiny of transactions undertaken throughout the course of the relationship to ensure that the transactions being undertaken are consistent with the Company’s knowledge of the customer and his/her risk profile, including the source of funds/wealth;
  • The scrutiny of the customer’s account/s; and
  • Ensuring that the documents, data or information held by the Company are kept up to date. Documents should be retained and updated as they expire for the whole duration of the business relationship. Upon termination of the relationship the documents should be retained for a period of five (5) years after the end of a business relationship or an occasional transaction, as per current regulatory requirements.

Timing of CDD/KYC measures

Customer Due Diligence (CDD) and Know Your Customer (KYC) measures are applied to all new customers and to existing customers on a risk-sensitive basis depending on the type of customer, business relationship and product or transaction.

Where, following the application of the CDD measures, in an established business relationship, doubts have arisen about the veracity or adequacy of the previously obtained customer identification information, or changes have occurred in the circumstances surrounding that established business relationship, then the Company shall ensure that the CDD measures be monitored, updated, and that such measures are appropriate to the risk that the customer is presenting.

Simplified due diligence

Several types of relationships in respect of which Simplified Due Diligence (SDD) measures may be applied. It is imperative to point out that the application of SDD does not exempt the Company from carrying out CDD, but merely varies the extent and timing of the application of CDD.

The employees shall still carry out initial and ongoing monitoring in order to ensure that during the existence of the relationship the customer does remain at all times eligible to SDD measures and that no changes necessitate the re-assessment of the customer’s risk profile.

Enhanced due diligence

In certain cases, certain customers may pose a higher risk of ML/FT. In these circumstances, Enhanced Due Diligence (EDD) measures will be applied and further documents will be requested and collected by the Company and ongoing monitoring carried out more frequently. Such circumstances, amongst others, may include:

  • Customers classified as high-risk customers after the completion of the customer risk assessment;
  • Business relationships or occasional transactions with a PEP;
  • Customers whose business/economic activity and/or source of wealth/funds originates from non-reputable jurisdictions;
  • Customers who are defined as High Net Worth Individuals;
  • Customers who are subject to warnings or notices issued by the FIUE
  • Customers who feature in adverse media; or
  • Customers who are reluctant in providing the identification documents.

Staff education and training

The Company is required to ensure that all of its employees are kept aware of the Company’s AML/CFT policies and procedures and the relevant legislation and to provide training in relation thereto, as well as in relation to the recognition and handling of transactions carried out by, or on behalf of, any person who may have been, is, or appears to be engaged in ML/FT.

Awareness of the Company’s AML/CFT procedures and training in relation to identification of unusual activities or suspicious transactions are key elements in the detection and deterrence of ML/FT activities. The Company endeavors to provide training to its employees in order to recognize and handle suspicious transactions carried out by, or on behalf of, any person who may have been, is, or appears to be engaged in ML/FT.

The awareness and training should be an ongoing exercise to ensure that all employees are constantly kept up to date with any developments or changes in the operations of the Company and any changes in the applicable laws. Training will take place at least once a year, although new members of staff must receive training as part of their on-boarding/enrolling program as managed by the Compliance function within 7 days of joining the Company.

Following the training workshop, the MLRO shall test the knowledge of employees, with the aim of ensuring staff members have absorbed all the necessary knowledge and awareness around AML/CFT activities. Any training and test participation together with the results shall be scheduled in advance, documented and kept on file. Amongst other information, training records should include a list of attendees and training material covered.

Cooperation and exchange of information

The Company cooperates with supervisory and law enforcement authorities in preventing money laundering and terrorist financing, thereby communicating information available to the Company and replying to queries within a reasonable time, following the duties, obligations and restrictions arising from legislation. For any relevant requests please contact us at [email protected]. Please note that in case you represent the law enforcement agency outside of the European Union, procedure under the Mutual Legal Assistance Treaty (MLAT) may apply.

Hence, the Company shall carry out a country risk assessment.

The risk appetite of the company should also be considered. The company is also to consider who is responsible for completing and updating the country risk assessment (for example the MLRO and Senior Management). It is recommended that amongst the restricted/prohibited jurisdictions the company should take into account (amongst other factors):

1. Sanctions, embargoes or similar measures issued by, for example, the UN and EU.

2. Jurisdictions which are non-collaborative, or which have been called to action by the FIUE