commit 0e515f4a5a45b9e0aba9725754194e6f0c6e297e
parent 6b606aa79fae08e9f2978a76932f7bc3b4d60b3f
Author: Florian Dold <florian@dold.me>
Date: Wed, 12 Mar 2025 00:45:31 +0100
-more TOPS
Diffstat:
| M | deployments/tops.rst | | | 104 | ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- |
1 file changed, 101 insertions(+), 3 deletions(-)
diff --git a/deployments/tops.rst b/deployments/tops.rst
@@ -19,6 +19,79 @@ Regulatory requirements are set by `VQF <https://www.vqf.ch/indexen.html>`_
and detailed in their SRO-Regulation document. Our AML processes
are based on their forms ("VQF Document Nr. 902.$x").
+High-Level Processes
+--------------------
+
+Establishing a Business Relationship
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1. A business relationship must be established if the thresholds of 15,000 CHF
+ per year or 2,500 CHF per month are exceeded. The GNU Taler transaction
+ system automatically records the transaction volumes and notifies the
+ customer when a business relationship needs to be established. At this
+ point, transactions are then frozen until the business relationship is
+ established.
+
+2. To do this, the customer must complete the corresponding VQF forms online
+ and upload documents. The customer's address is then verified by sending a
+ PIN letter. The customer must also submit a certified copy of their ID by
+ postal mail. This is then digitally and physically filed. Alternatively, an
+ identity check can in principle also be carried out manually by TOPS
+ employees on site (in person) at the customer's premises. In this case, the
+ ID copies must be signed by the TOPS employee.
+
+3. New business relationships are checked against the current sanctions list.
+ An automatic preliminary check takes place first, and suspected cases are
+ then processed manually.
+
+4. When all the required data has been provided, it is in any case checked
+ manually by the AML officer. Finally, the AMLO officer must define
+ risk-based rules for monitoring the business relationship. The money
+ laundering reporting officer makes a recommendation to the management as to
+ whether the business relationship can be opened from the money laundering
+ reporting officer's point of view or not. The management decides on
+ acceptance or rejection."
+
+Monitoring a Business Relationship
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1. For each business relationship, risk-based and customer-specific transaction
+ limits are defined. If these are exceeded, an "alert" is automatically
+ generated. These transactions must then be validated by the responsible
+ AML advisor. All validated alerts are checked by the AML
+ officer and either approved or returned to the advisor for further
+ validation, or escalated to management for final decision-making or
+ appropriate action.
+
+2. Business relationships are periodically reviewed and updated. The following rhythm applies:
+
+ * every 5-7 years for low-risk business relationships
+ * every 2 years for high-risk business relationships
+ * annually for PEP relationships"
+
+ The review includes the verification of identification documents and any
+ supporting documents submitted when the business relationship was
+ established. Likewise, the information in the customer profile and the
+ transaction behavior during the duration of the business relationship are
+ reviewed.
+
+3. All business relationships are continuously and automatically checked
+ against current sanctions lists, especially when a new sanctions list is
+ available, without delay.
+
+4. Regardless of the risk category and the corresponding review frequency, a
+ business relationship must be reviewed if special circumstances arise, such
+ as negative press reports, unusual transactions and activities, etc.
+
+FIXME: Further define AML officer vs AML advisor.
+
+Terminating a Business Relationship
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A business relationship is automatically considered terminated if no
+transactions have been processed with the GNU Taler system for over 12 months.
+
+
Threshold Rules
---------------
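Review bot: stray closing quotation marks at the end of step 4 (`acceptance or rejection."`) and the PEP bullet (`annually for PEP relationships"`) look like leftovers from pasting quoted policy text and should be dropped; in the same step, `the AMLO officer must define` uses a third role name next to "AML officer" and "money laundering reporting officer", so pick one term per role before the FIXME at the end of the monitoring section is resolved, and consider stating in "Terminating a Business Relationship" what happens to a relationship whose 12-month inactivity expiry is reached while an alert or escalation is still open.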
@@ -27,12 +100,28 @@ Initial Threshold Rules
TBD.
+Preset X1
+^^^^^^^^^
+
+TBD: Define the presets for rules that the AML officer has
+available from the AML SPA.
+
+
Measures
---------
-* ``sms-registration``
-* ``postal-registration``
-* ``accept-tos``
+Ask for information:
+
+* ``sms-registration``: Validate phone number of customer.
+* ``postal-registration``: Validate postal address of customer.
+* ``accept-tos``: Ask customer to accept terms of service.
+* ``kyx``: Allow customer to initiate KYC/KYC process via form ``vqf_902_1_customer``.
+* ``form-902.9``: Allow customer fill out form to determine beneficiary owner.
+* ``form-902.11``: Allow customer fill out form to determine controlling person.
+
+Other measures:
+
+* ... TBD ...
AML/KYC Forms
-------------
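Review bot: the new `kyx` bullet reads `initiate KYC/KYC process`, which duplicates the same acronym and is probably a typo for whatever second process was meant; the `form-902.9` and `form-902.11` bullets are missing "to" (`Allow customer to fill out form ...`), and "beneficiary owner" should be the standard AML term "beneficial owner" if that is what form 902.9 establishes. The "Preset X1" heading with only a TBD body is fine as a placeholder, but the text should say whether the presets are global or per-customer, since the later FIXME on classification raises the same question.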
@@ -334,6 +423,15 @@ FIXME: Define our classification. Is the classification global or per-customer?
FIXME: Define how this is technically implemented
+Sanction Lists
+--------------
+
+When a new customer is onboarded, they are checked against a sanction list.
+
+FIXME: How is this refleced in the forms? Or is it a property?
+
+FIXME: Document how we ingest sanction lists.
+
Implementation Gaps
-------------------
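Review bot: "refleced" in the first FIXME should be "reflected". More substantively, `When a new customer is onboarded, they are checked against a sanction list.` describes only an onboarding check, while the high-level process added earlier in this patch states that all business relationships are continuously and automatically re-checked whenever a new sanctions list is available; the two sections should agree, and the second FIXME on ingesting sanction lists is the natural place to document how such a re-check is triggered.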