MIRAGE CORPORATION N.V.
Date created: June 2018
Purpose of Document: To outline the Anti-fraud & AML policies and procedures to be
followed for the detection and limitation of fraud & ML - CFT.
Security Class: Confidential
Being a remote gaming entity authorised under the Remote Gaming Regulations, Mirage Corporation N.V. is deemed to be carrying out “relevant financial business” in terms of the Prevention of Money Laundering and Funding of Terrorism Regulations and thus Mirage Corporation is a subject-person in terms of said Regulations. As such, it is required to abide by the applicable legislation and guidance relating to the prevention of money laundering and funding of terrorism and is subject to the supervision of the competent supervisory authority, the Financial Intelligence Analysis Unit.
The provisions in this Anti-Money Laundering Manual (this “Manual”) aim to reduce the possibility for the business of providing services by Mirage Corporation to be used for criminal purposes or in violation of regulations.
This Manual provides guidance detailing responsibility with regard to the prevention of money laundering and funding of terrorism from the perspective of the legal frame work of Curaçao and international accepted regulations in this area.
3 Law, Regulations and Rules
The Code of Criminal Law (Penal Code) of Curacao lays down the procedures for the prosecution of a money laundering offence as well as the measures for the confiscation of property upon a conviction of money laundering, measures for the freezing of assets when a person is charged with an offence of money laundering and measures for the issuance of an investigation and/or attachment order when a person is suspected of having committed an offence of money laundering.
The policies and procedures in this Manual aim to comply with both the rules and guidance contained in the NOPML, the NORUT and the NOIS which regulations themselves are referring to the Penal Code. In addition to these regulations the Central Bank of Curacao and Sint Maarten has introduced a comprehensive framework with provisions and guidelines to prevent and combat money laundering and terrorist financing (hereinafter: the “Provisions and Guidelines” or “P&G”). Curaçao - as a member of the FATF - has based these Provisions and Guidelines on, among others, the FATF recommendations.
Both the NORUT and the NOIS are applicable on entities which are offering the possibility to take part in offshore hazard games (online gambling) in or out of Curaçao which is the case for the Company. The NOIS prohibits subject persons from forming a business relationship or carrying out an occasional transaction with an applicant for business unless said subject person maintains the following measures and procedures established in relation to that business in accordance with the provisions of the NOIS:
• customer due diligence measures;
• record-keeping procedures; and
• internal reporting procedures.
The Company is obliged to apply the above measures and procedures including the cases when entering into or undertaking non face-to-face relationships or transactions directly or indirectly through its affiliated group Company.
The Company is also obliged to ensure that employees are made aware of applicable AML/CFT legislation as well as the subject person’s policies and measures in this regard. Employees must undergo appropriate due diligence procedures prior to their engagement and are also expected to be provided with training regarding the recognition and handling of transactions carried out by, or on behalf of, any person who may have been, is, or appears to be engaged in money laundering or the funding of terrorism.
The ultimate responsibility for the anti-money laundering policy of Mirage Corporation is with the Director.
AML policies and procedures
The policies and procedures operated by Mirage Corporation in order to meet applicable AML and CFT regulatory requirements are documented in this Manual. Policies and procedures will be regularly reviewed to ensure that they continue to meet regulatory requirements and the changing risk environment as per Mirage Corporation as far as applicable.
Mirage Corporation uses the following guidance as a base for its AML risk model:
• a clear statement of the culture and values adopted towards the prevention of financial crime;
• a commitment to ensuring that identity will be satisfactorily verified in all cases and in a risk-based manner, before applicants for business are accepted as clients;
• a commitment to ongoing customer due diligence throughout the business relationship;
• a commitment to ensuring that staff are trained and aware of the law, their legal obligations, and how to meet those obligations
• a clear allocation of roles, responsibilities and organizational structure, and recognition of the importance of staff promptly reporting their suspicions internally.
The procedures contained in this Manual reflect the Mirage Corporation AML Policy in general must be adhered to by all staff of Mirage Corporation.
AML risk factors
An AML business risk assessment overview will be maintained in order to allocate and track the components of the separate risk classifications. Mirage Corporation categorizes overall AML risk into:
• Customer risk
• Product risk
• Interface risk
• Geographical risk
6 Risk Assessment, Management and Risk-Based Approach
The Implementing Procedures state that the purpose of the risk-assessment procedures is to enable the Company to be in a position to identify and assess the ML/FT risks that the subject person is or may become exposed to and thereby determine:
• Whether the application of enhanced due diligence is necessary;
• The point in time when the application of customer due diligence in accordance with the NOIS to existing customers is to be carried out; and
• Whether a customer presents a low risk of ML/FT for the purposes of delaying the performance of verification proceedings to after the commencement of a business relationship.
Mirage Corporation operates a risk-based approach to developing and operating its systems and controls designed to prevent financial crime.
Risk assessment for the Company is carried out on at on-boarding stage (prior to engagement) and subsequently at periodic monthly intervals.
Customers of the Company are subject to risk-based initial and ongoing due diligence procedures.
Initial due diligence seeks to obtain the identity of the customer and verify the identity prior to the establishment of the business relationship. Information on the purpose and intended nature of the business relationship, is also obtained, such that the Company is able to establish the business and risk profile of the customer and to accept or reject a client. Ongoing procedures ensure that the initial due diligence information remains up-to-date.
The risk-based approach to the prevention of financial crime is reflected in the Mirage Corporation’s approach to the operation and development of the systems and controls designed to minimize the risk of the Mirage Corporation being used for the purposes of financial crime. Risk is central to the development of the business, new products, development of product functionality or the operation in new markets.
Financial crime risk assessment
Where a new service, customer group or new geography is addressed by Mirage Corporation, the financial crime risk assessment will be updated during development/launch (to ensure that AML processes can support the new activities).
Financial crime risk assessments are undertaken on an ongoing basis, and in particular, applied when the business environment changes through, for example:
• Entry into new markets; and
• Development of new products or product features / functionality.
The results of the financial crime risk assessment will be used to support the development of appropriate systems and controls (policies and procedures) designed to minimize the risk of Mirage Corporation, being used for the purposes of financial crime. Developments will be reported to the Board.
Mirage Corporation seeks to minimize the opportunities for carrying out financial crime, i.e. money laundering or funding of terrorism, and to then address and mitigate any risks.
Internal controls focus on:
• Due diligence of clients, including levels of enhanced due diligence based on risk assessments of each customer;
• Assessing risks and setting out measures to mitigate the said risks;
• Monitoring key risk factors for reassessing a specific customer’s risk;
• Financial crime systems and controls will continue to be developed over time in order to adequately address the changing risk environment.
Existing systems and controls will be reviewed and where necessary amended to reflect changes in assessed risk and identified vulnerabilities.
The Provisions and Guidelines state that it is essential that the controls to manage and mitigate the identified risks are constantly monitored. This should be done so that in the event of a change in circumstances, which might mitigate or exacerbate a particular risk, the respective control is modified accordingly.
When there is a change in the Mirage Corporation AML policies, or implementing procedures or AML rules in the National Ordinance on Hazard games of Curacao this Manual, and associated materials, will be updated. Consequently, Mirage Corporation regularly reviews the following areas.
a) Developments in legislation, including the NOIS; and the NORUST.
b) The Implementing Procedures and the Financial crime risk assessments – whose performed as part of the development of new products, services, functionality or addressing new customers / markets.
c) The operation of periodic internal controls, including monitoring, investigation and reporting of suspicious activity.
7 Know Your Customer (KYC)
Persons subject to Identification and Verification
For the purposes of the gaming services provided the layer being the natural person who is registered with the Company to which online gambling services are provided by the Company, shall be subject to identification and verification procedures as stipulated below.
As a general rule, players shall not be allowed to play if they are not registered with Mirage Corporation and if they do not hold a player account with Mirage Corporation. Registration of players shall be carried out in the way mentioned in the online Terms and Conditions.
The following information shall be requested from players who opt to play for real money upon registration:
- Email address;
- Security question;
- Security answer;
- First name;
- Last name;
- Date of birth;
- Mobile number;
Players who are not at least 18 years of age shall automatically not be allowed to register.
Upon providing all the registration details, players are sent a validation link to their email address. Players shall be required to validate their account via this link for registration to be complete. Unless the validation link is accessed, players shall not be able to log in to their account.
Mirage Corporation shall receive deposits from players via one of the means mentioned in the Terms and Conditions. Mirage Corporation does not accept cash deposits and does not process cash withdrawal requests. Remittance of funds shall be made to the same account from which the funds paid into the player’s account originated.
As a general rule no withdrawals shall be paid out in cash to any player.
KYC – Account Screening – All new accounts are visually inspected for integrity of data, with suspicious accounts being suspended.
KYC – Simplified Due Diligence - A Simplified Due Diligence process will be the first stage of a risk based process. Newly opened accounts will not be permitted to withdraw funds until basic identification has been verified by one of the following methods:
- Submission of an identity document (ID card, passport, bank statements, utility bills, etc.); or
- Independent third party verification (if available).
Payment Gateway Stage - The payment gateway that will be used will be integrating, Capture-Delay and Collaborative Anti-fraud functionality from its end that is at deposit stage. These three mechanisms will intertwine and provide the company with the first layer of protection against fraudsters and chargebacks.
KYC- Standard Due Diligence - This is achieved by the following thresholds triggering the Standard Due Diligence process:
- Attempt to add a second card or card that is not in the name of account holder;
- Attempt to make a name change;
Accounts that meet these triggers are verified to
- Submission of documents such as government issued ID/passport proving name and/or date of birth / evidence of address (utility bill or bank statement or similar).
Enhanced due diligence is achieved by the following processes:
- Validation of documents: request copies of documents to validate name, address, date of birth and source of funds;
- Internal corroboration of user identity: this could emanate from a variety of sources from customer monitoring, other databases, gaming activity etc.
8 Ongoing Monitoring
Ongoing monitoring processes will focus on ensuring that due diligence information provided is updated and that any documentation is not expired.
A relevant person must conduct ongoing monitoring of a business relationship. “Ongoing monitoring” of a business relationship includes:
• transactions being undertaken are consistent with the subject person’s knowledge of the customer and of his business and risk profile, including, where necessary, the source of funds; and
• ensuring that the documents, data or information held by the subject person are kept up to date.
Training will be designed to ensure that all relevant staff are made aware of the risk of the Company being used for the purposes of financial crime, the consequences for the firm (as well as staff personally), the requirement to operate systems and controls to mitigate such risk and the requirement to report suspicious activity.
Relevant staff include the staff of the Company who handle or are managerially responsible for the handling of customer on-boarding and service provision.
The frequency of the provision of AML training will be determined using a risk-based approach, with those who may be at greatest risk from handling suspicious transactions, or who need to be kept up- to-date with changing vulnerabilities and trends, receiving training at more frequent intervals; relevant staff who
are close to transaction processing activity are prioritized for training which may be more detailed in content than the training provided for other staff.
All employees are be made aware of the subject person’s:
• customer due diligence measures;
• record-keeping procedures;
• internal reporting procedures;
• policies and procedures on internal control;
• policies and procedures on risk assessment and risk management; and
• policies and procedures on compliance management and communication.
Employees should also be made aware of the following:
• the provisions of the NORUT and the NOIS;
• the provisions in the Criminal Code on ML & TF;
• the provisions of the P&G;
• the offences and penalties in relation to any breach of the NOIS or the NORUT
AML training will be delivered to relevant staff and will include the following elements:
1. Legal and regulatory obligations under Curacao law;
2. Practical means of identifying unusual and suspicious transactions; and
3. Internal processes and advice on how to act when presented with suspicious activity
Relevant staff will receive initial and periodic training to ensure that their reporting obligations, and the method of making an Internal STR, are understood as well as to assist them to recognize suspicious activity. Typologies are maintained and will be used as part of the training provided.
Records relating to both Internal and External STRs are kept in accordance with Mirage Corporation’s record- keeping procedures. External STRs are kept for a minimum period of 5 years in line with article 11a of the NORUT.
As regards external reporting, where a subject person knows, suspects or has reasonable grounds to suspect that a transaction may be related to money laundering or the funding of terrorism, or that a person may have been, is or may be connected with money laundering or the funding of terrorism, or that money laundering or the funding of terrorism has been, is being or may be committed or attempted, that subject person shall, as soon as possible, disclose that information, supported by the relevant identification and other documentation, to the Financial Intelligence Analysis Unit.
Where a Mirage Corporation staff member knows or suspects, or has reasonable grounds for knowing or suspecting, that any customer is engaged in money laundering, they must report these suspicions to the Director.
11 Record-Keeping Procedures
The Implementing Procedures provide that generally, records may be kept in any of the following forms:
• in physical files;
• in scanned form;
• in computerized or electronic form.
Subject persons should use a standardized approach to record keeping and must ensure that the approach used enables the quick retrieval of records.
Records may be held in paper based and/or electronic form and may be stored by the Company. The Company will ensure that all AML records are retrievable without undue delay.
Records must be kept for a minimum of 5 years (may be extended to 10 years).