This document serves as the Risk Assessment for RockEx Limited s.r.o., focusing on the identification and evaluation of risks associated with money laundering (ML) and financing of terrorism (FT) within the provision of virtual asset services. Compliant with Act No. 253/2008 Coll., this assessment is an integral component of our Internal Rules, Procedures, and Measures framework.
Aligned with the risk-based approach mandated by the AML Act, our objective is to identify and evaluate ML-FT risks inherent in our services. By categorizing clients, services, and distribution channels according to risk levels, we aim to enhance due diligence efforts, mitigating the risk of our services being misused for illicit activities.
In adherence to AML regulations, RockEx Limited s.r.o. commits to:
The following sources were used in the process of ML-FT risk identification and assessment:
RockEx Limited s.r.o. recognizes threats such as abuse of services for ML purposes, evasion of international sanctions, and financing of terrorism. Vulnerabilities include challenges in client identification and verification, particularly concerning complex ownership structures and non-transparent activities.
Risk factors encompass the characteristics of the client, the product provided to them, or the manner in which it is provided, heightening the potential for the misuse of RockEx Limited s.r.o.'s services for money laundering or terrorism financing.
Clients are categorized into risk profiles—types A, B, C, D, or E—based on the presence or absence of risk factors.
Clients are assigned a type A risk profile (no or minimal risk) when no known risk factors warrant a type B, C, D, or E classification. These clients pose little to no risk of leveraging RockEx Limited s.r.o.'s services for illicit purposes, a risk the company is prepared to manage.
Clients receive a type B, C, or D risk profile (increased risk) when specific risk factors are present, barring a type E classification. These clients represent a potential risk for money laundering or terrorism financing. Consequently, all employees, including the AML Officer, must meticulously assess any suspicious behavior and rigorously verify provided information during initial or ongoing reviews.
Clients are assigned a type E risk profile (unacceptable) when any of the following risk factors are identified. Such clients pose a high risk of involvement in money laundering or terrorism financing. RockEx Limited s.r.o. will either refuse to establish a business relationship or terminate existing relationships with these clients promptly and prevent the provision of further services until resolution. The AML Officer is responsible for ensuring the swift and lawful termination of such relationships.
Moreover, careful scrutiny is essential in evaluating whether a client's behavior indicates potential involvement in suspicious transactions.
The following risk factors prompt a type E classification:
Any of these factors, when present in a legal entity where the client holds direct or indirect influence, warrants consideration.
RockEx Limited s.r.o. acknowledges that certain source crimes, such as acts of corruption or subsidy frauds, often involve politically exposed persons (PEPs). To address this, the company extends the period following the termination of a PEP's exposed activity—considered high-risk—from the standard 1 year prescribed by the AML Act to a period of 2 years.
Clients assigned a risk profile of type B, C, or D are excluded from simplified identification and control measures. Additionally, if a client initially classified as type A later receives a type B, C, or D risk profile, full identification and control procedures must be conducted before any subsequent transactions.
The frequency of updating client identification data, PEP status, and international sanctions checks varies based on the client's risk profile:
These updates involve searching public trusted sources or directly querying clients to confirm the accuracy of their information.
For clients with risk profiles of type B, C, or D, rigorous measures are implemented during the initial client check:
Establishment of a business relationship for clients with risk profiles of type B, C, or D requires approval from the AML officer or Managing Director. Similarly, any substantial changes to existing relationships must also be approved by these designated officers.
During the business relationship, RockEx Limited s.r.o. continuously monitors and reviews trades to ensure compliance and detect any anomalies. This includes reviewing the sources of funds used in transactions.
Business control procedures are implemented based on the client's risk profile:
Additional scrutiny is applied if clients engage in high-risk activities or transactions involving countries identified as risky from the ML-FT perspective. This includes requesting a wider range of information and investigating the background and purpose of such transactions.
The employee will update information on the purpose and nature of the business relationship whenever RockEx Limited s.r.o. becomes aware of changes and at the following intervals:
For legal entity clients, the employee will update ownership and control structure data whenever RockEx Limited s.r.o. becomes aware of changes and at the following intervals:
If publicly credible sources do not indicate changes in control and ownership structure, clients with risk profiles of type B, C, or D must demonstrate this structure upon request.
The employee will update client risk profiles whenever RockEx Limited s.r.o. becomes aware of new risk factors or the removal of original ones, and at the following intervals:
Internal supervision and compliance monitoring measures are established in the System of Internal Rules, Procedures, and Monitoring (Control) Measures, deemed adequate by CRP Unio Limited s.r.o.
Employees and contact persons must have a clean criminal record. An executive staff member ensures that only individuals with no record in the Czech Republic Criminal Register are permitted to perform relevant duties.
An executive staff member is responsible for periodically updating this Risk Assessment at least once every two years. Updates are also required in case of:
This Risk Assessment is approved by the corporate statutory body.