Anti Money Laundering


1.1. Introduction

Canny Finance Ltd (Canny Finance) hereby certifies and adopts the policies and procedures contained in this document.

The Electronic Money Issuer of the Canny Finance programme is Transact Payments Limited (TPL or Issuer), under their status of an Authorised E-Money Institution, regulated and supervised by the Gibraltar Financial Services Commission (GFSC).

Canny Finance acts as program manager for the product and is responsible for the day to day operation and distribution of the program as agreed to by the Issuer.

Canny Finance has monitoring systems and controls in place to detect fraudulent activity and to help protect customers’ accounts from misuse.

If we detect a questionable transaction on an account, we will take measures to monitor the account and/or we may contact the customer to verify its legitimacy.

There are various pieces of legislation and regulation that cover money laundering and terrorist financing, and these include:

  • EU Directive 2015/849 (the Fourth Money Laundering Directive)
  • EU Directive 2018/843 (the Fifth Money Laundering Directive)
  • Drug Trafficking Offences Act;
  • PROCEEDS OF CRIME ACT 2015 (As amended by the Criminal Justice (Amendment) Act 2007 and the PROCEEDS OF CRIME ACT –Amendment- Act 2018) (“CMLA”)
  • Criminal Finances Act 2017 – Section 3
  • Bribery Act 2010 – Section 7
  • Counter Terrorism Act 2010 and TERRORIST ASSET-FREEZING REGULATIONS 2011
  • The Terrorism (United Nations Measures)(Overseas Territories) Order 2001; and
  • The Al-Qaida and Taliban (United Nations Measures) (Overseas Territories) Order 2012


1.2. Money Laundering: a three-stage process

The money laundering cycle can be broken down into three distinct stages; however, it is important to remember that money laundering is a single process. The stages of money laundering include:


The Placement Stage

The placement stage represents the initial entry of the “dirty” cash or proceeds of crime into the financial system. Generally, this stage serves two purposes: (a) it relieves the criminal of holding and guarding large amounts of bulky cash; and (b) it places the money into the legitimate financial system. It is during the placement stage that money launderers are the most vulnerable to being caught. This is due to the fact that placing large amounts of money (cash) into the legitimate financial system may raise suspicions within financial services organisations.

The placement of the proceeds of crime can be done in a number of ways. For example, cash could be packed into a suitcase and smuggled into a country, or the launderer could use smurfs to defeat reporting threshold laws and avoid suspicion. Some other common methods include:

  • Loan Repayment: Repayment of loans or credit cards with illegal proceeds
  • Gambling: Purchase of gambling chips or placing bets on sporting events
  • Currency Smuggling: The physical movement of illegal currency or monetary instruments over the border
  • Currency Exchanges: Purchasing foreign money with illegal funds through foreign currency exchanges
  • Blending Funds: Using a legitimate cash focused business to co-mingle dirty funds with the day’s legitimate sales receipts

This environment has resulted in a situation where officials in these jurisdictions are either unwilling due to regulations, or refuse to cooperate in requests for assistance during international money laundering investigations.

To combat this and other international impediments to effective money laundering investigations, many like-minded countries have met to develop, coordinate, and share model legislation, multilateral agreements, trends & intelligence, and other information. For example, such international watchdogs as the Financial Action Task Force (FATF) evolved out of these discussions.



The Layering Stage

After placement comes the layering stage (sometimes referred to as structuring). The layering stage is the most complex and often entails the international movement of the funds. The primary purpose of this stage is to separate the illicit money from its source. This is done by the sophisticated layering of financial transactions that obscure the audit trail and sever the link with the original crime.

During this stage, for example, the money launderers may begin by moving funds electronically from one country to another, then divide them into investments placed in advanced financial options or overseas markets; constantly moving them to elude detection; each time, exploiting loopholes or discrepancies in legislation and taking advantage of delays in judicial or police cooperation.




The Integration Stage

The final stage of the money laundering process is termed the integration stage. It is at the integration stage where the money is returned to the criminal from what seem to be legitimate sources. Having been placed initially as cash and layered through a number of financial transactions, the criminal proceeds are now fully integrated into the financial system and can be used for any purpose.

There are many different ways in which the laundered money can be integrated back with the criminal; however, the major objective at this stage is to reunite the money with the criminal in a manner that does not draw attention and appears to result from a legitimate source.

For example, purchases of property, art work, jewelry, or high-end automobiles are common ways for the launderer to enjoy their illegal profits without necessarily drawing attention to themselves.




2.1. Description

Identifying the ML risks and TF risks associated with certain clients or categories of clients, and with certain types of work, makes it possible to determine and implement reasonable and proportionate measures and controls to mitigate these risks.

It is recognised that no control system is able to detect and prevent all cases of money laundering or terrorist financing.

Measures and procedures:

  1. Identifying and assessing the money laundering and terrorist financing risks emanating from particular customers, financial instruments, services, and geographical areas.
  2. Documenting the policies, measures, procedures and controls to ensure their uniform application.
  3. Managing and mitigating the assessed risks by the application of appropriate and effective measures, procedures and controls;
  4. Continuous monitoring and improvements in the effective operation of the policies, procedures and controls.

2.2. Identification, recording and evaluation of risks

The starting point for the application of the risk-based approach system is the identification, recording and evaluation of risk.

For example:

  • Complexity of ownership structure of legal persons,
  • Companies with bearer shares,
  • Companies incorporated in offshore centres,
  • Politically exposed persons,
  • Customers engaged in transactions which involve significant amounts of cash,
  • Customers from high risk countries or from countries known for high levels of corruption or organized crime or drug trafficking,
  • Customer transactions where there is no apparent legal financial/commercial rationale,
  • Situations where the origin of wealth and/or source of funds cannot be easily verified,
  • Unwillingness of customers to provide information on the beneficial owners of a legal person.

Country/Geographic Risk

There is no universally agreed definition that prescribes whether a particular country or geographic area represents a higher risk. Country risk, in conjunction with other risk factors, provides useful information as to potential money laundering and terrorist financing risks, such as the domicile of the client, the location of the transaction and the source of the funding. Countries that pose a higher risk include:

  • Countries subject to sanctions, embargoes or similar measures issued by, for example, the United Nations (UN). In addition, in some circumstances, countries subject to sanctions or measures similar to those issued by bodies such as the UN.
  • Countries identified by credible sources as generally lacking appropriate AML/CTF laws, regulations and other measures.
  • Countries identified by credible sources as being a location from which funds or support are provided to terrorist organizations.
  • Countries identified by credible sources as having significant levels of corruption or other criminal activity.

Client Risk

Categories of clients whose activities may indicate a higher risk include:

  • PEPs
  • Clients conducting their business relationship or requesting services in unusual or unconventional circumstances.
  • Clients where the structure or nature of the entity or relationship makes it difficult to identify in a timely fashion the true beneficial owner or controlling interests, such as the unexplained use of legal persons or legal arrangements, nominee shares or bearer shares.
  • Clients that are cash (and cash equivalent) intensive businesses including:
      1. Money services businesses (e.g. remittance houses, currency exchange houses etc.)
      2. Casinos, betting and other gambling related activities.
      3. Businesses that, while not normally cash intensive, generate substantial amounts of cash.
  • Where clients that are cash intensive businesses are themselves subject to and regulated for a full range of AML/CTF requirements consistent with the FATF Recommendations, this may mitigate the risks.
  • Charities and other “not for profit” organisations that are not subject to monitoring or supervision by designated competent authorities.
  • Clients using financial intermediaries, financial institutions or lawyers that are not subject to adequate AML/CTF laws and measures and that are not adequately supervised by competent authorities.
  • Clients having convictions for proceeds generating crimes who instruct the lawyer to undertake specific activities on their behalf.
  • Clients who have no address, or multiple addresses without legitimate reasons.
  • Clients who change their settlement or execution instructions without appropriate explanation.

Service Risk

An overall risk assessment should also include determining the potential risks presented by the services offered by the company. When determining the risks associated with provision of services related to specified activities, consideration should be given to such factors as:

  • Companies acting as financial intermediaries, handling the receipt and transmission of funds through accounts they control in the act of closing a business transaction.
  • Transfer of real estate between parties in a time period that is unusually short for similar transactions with no apparent legal, tax, business, economic or other legitimate reason.
  • Payments received from unknown third parties and payments for fees in cash where this would not be a typical method of payment.
  • Transactions, when the client does not identify legitimate reasons for the amount of the consideration.
  • Administrative arrangements concerning estates where the deceased was known as being a person who had been convicted of proceeds generated from criminal activities.
  • Clients who offer to pay extraordinary fees for services which would not ordinarily warrant such a premium.
  • The source of funds and the source of wealth – the source of funds is the activity that generates the funds for a client, while the source of wealth describes the activities that have generated the total net worth of a client.
  • Unusually high levels of assets or unusually large transactions compared to what might reasonably be expected of clients with a similar profile may indicate that a client not otherwise seen as higher risk should be treated as such. Conversely, low levels of assets or low value transactions involving a client that would otherwise appear to be higher risk.
  • Services that deliberately have provided or purposely depend upon more anonymity in the client identity or participants than is normal.

Controls for Higher Risk Solutions

  • Targeted training for increased awareness of providing specified activities to higher risk clients or to companies undertaking higher risk work.
  • Periodic review of the services which are offered, determining whether the risk of ML & TF occurring has increased.
  • Reviewing client relationships from time to time to determine whether the risk of ML & TF occurring has increased.
  • Monitoring and improving the effective operation of internal procedures.
  • Appropriate procedures to identify changes in a customer’s profile.
  • Reviewing ways in which new products and services may be used by criminals for money laundering or terrorist financing purposes, and how these ways may change.
  • Procedures for assessing the adequacy of staff training and awareness.
  • Introducing effective compliance monitoring arrangements (such as internal audit inspection and reviews by the compliance unit).


The person appointed as MLRO should be sufficiently senior to command the necessary authority within the company. The role and responsibilities of the Money Laundering Reporting Officer should be clearly specified and documented in appropriate manuals and/or job descriptions. The MLRO should be allowed direct and timely access to all documents, data and information possessed which may assist him/her in carrying out his/her duties. In the case of Canny Finance as a Program Manager of TPL, the official MLRO will be TPL’s MLRO, who has regulatory responsibility for the function; however, Canny Finance may allocate the role internally purely as a reference point for staff.

As a minimum, the responsibilities of an MLRO should include the following:

  • To receive from the firm’s employees information which is considered by the latter to be knowledge of money laundering or terrorist financing activities or which is cause for suspicion connected with money laundering or terrorist financing.
  • To validate and consider the received information and discuss the circumstances of the case with the reporting employee concerned and, where appropriate, with the employee’s superior.
  • The evaluation of the information reported to the MLRO should be recorded and retained on file.
  • If the MLRO decides to notify the GFIU, then he/she should complete a written report and submit it to the relevant authorities as soon as possible.
  • All such reports should be kept on file. The Law stipulates specifically that the obligation for reporting to the relevant authorities extends to any attempt by somebody to carry out suspicious transactions.
  • If the MLRO decides not to file a report then he/she should fully document the reasons for such a decision.
  • The MLRO acts as a first point of contact with the GFIU, upon commencement of and during investigation as a result of filing a report under the aforementioned circumstances.
  • The MLRO responds to requests from the authorities and determines whether such requests are directly connected with the case reported and, if so, provides all the supplementary information requested and fully co-operates with the authorities.
  • The MLRO acquires the knowledge and skills required, which should be used to improve internal procedures for recognising and reporting money laundering and terrorist financing suspicions.
  • The MLRO determines whether the company employees need further training and/or knowledge for the purpose of learning to combat money laundering or terrorist financing.
  • The MLRO is expected to avoid errors and/or omissions in the course of discharging his/her duties and, most importantly, when validating the reports received on money laundering or terrorist financing suspicions, as a result of which a report to the relevant authorities may or may not be filed.
  • The MLRO is also expected to act honestly and reasonably and to make his/her determination in good faith.


4.1. Requirements

All staff, regardless of level, and whether permanent, temporary, contract or consultants, must receive training in their AML obligations under the law, POCA and GFSC guidelines.

Training should include a general appreciation of the background to money laundering or terrorist financing, and of the procedures for reporting any suspicious transactions to the MLRO. Staff should be made aware of the importance placed by the firm on the reporting of suspicious activity, including consequences of non-reporting, and the fact that the obligation to report such activity rests on the appointed individual.

Training should include factors that may give rise to suspicious activities and procedures adopted when a transaction or activity is deemed to be suspicious.

In addition, the need to verify the identity of the client must be understood, and training should be given in the firm’s client verification procedures. Staff should be aware that the offer of suspicious funds or the request to undertake a suspicious transaction or provide a service in connection with a suspicious activity may need to be reported to the MLRO, whether or not the funds are accepted or the transaction proceeded with.

Other subject matter to be included in the training will include:

  • the offences and penalties arising from the legislation for non-reporting and for assisting money launderers or terrorist financers;
  • the recognition of a valid request from the authorities, i.e. the GFIU, requiring information;
  • the circumstances when information should be declined without such an order, based on internal reporting procedures;
  • the requirements for verification of identity and the retention of documents.

4.2. Money Laundering Reporting Officer

In-depth training concerning all aspects of the legislation, the Directive and internal policies will be required for the MLRO. In addition, the MLRO will require extensive initial and on-going instruction on the validation and reporting of suspicious transactions, on the feedback arrangements and on new trends and patterns of criminal activity. The MLRO should have at least the level of knowledge identified above for partners and managers.

4.3. Refresher training

It will also be necessary to make arrangements for refresher training at regular intervals, to ensure that staff do not forget their responsibilities. The company will provide such training on an annual basis, or sooner should regulations and requirements fundamentally change.

4.4. Methods of providing training

There is no standard preferred way to conduct training for money laundering or terrorist financing purposes. The training will be tailored to meet the needs of the firm, when relevant.


5.1. Overview

Financial sanctions generally involve asset-freeze measures affecting the provision of funds and economic resources to certain entities or individuals (‘designated persons’). They may also include restrictions on the use of assets by designated persons, receipt and transfers of funds to particular types of persons, and prohibitions on the provision of financing or financial assistance connected to designated persons and prohibited transactions.

5.2. Sanction Procedure

Compliance with local and international law and obligations in relation to sanctions enforcement supports internal or external regulatory lists, including:

  • Office of Foreign Assets Control (OFAC)
  • HM Treasury Sanctions List
  • EU Sanctions List
  • Consolidated Non-SDN Sanctions List
  • Consolidated SDN Sanctions List

Sanction checks must be done on all customers that contract with Canny Finance, to ensure that both potential and existing customers and other involved parties (such as beneficial owners, directors, guarantors and individuals with power of attorney) are always screened against the most up-to-date lists.

Information leading to “fuzzy matches” will be investigated further, for example where the match was related to a name which can be deemed as popular, and this will be compared against the other information that is collected at point of registration. The full evaluation of the customer’s data will provide a result.

Any confirmed matches to sanctions lists will be declined or closed and the necessary reports will be made to the authorities.

5.3. International Global Organizations

Competent Authorities

Each country has a competent authority for the purpose of administering financial sanctions in force in that jurisdiction. They administer the regimes that require the freezing of funds and economic resources that belong to or which are owned, held or controlled by persons who are subject to asset freezes, and administer restrictions on transfers of funds and on the provision of certain financial services.

They are responsible for:

  • The implementation and administration of domestic and international financial sanctions in effect in that country;
  • Licensing exemptions to financial sanctions; and
  • Issuing authorizations in respect of other financial restrictions.

The European Union applies sanctions in pursuit of the specific objectives of the Common Foreign and Security Policy (CFSP) as set out in the Treaty of the European Union.

Sanctions in the CFSP framework include the interruption or reduction of financial relations with third countries and restrictions against specific individuals or entities. They also include the interruption or reduction of diplomatic relations, restrictions on admission and other measures not affecting financial relations with third countries.

Financial sanctions invariably include an asset freezing regime. Asset freezes comprise the following elements:

  • A prohibition on dealing with the funds or economic resources belonging to or owned, held or controlled by a designated person, and
  • A prohibition on making funds or economic resources available, directly or indirectly, to, or for the benefit of, a designated person.

Certain financial sanctions may also involve:

  • Prohibitions on providing or performing other financial services, or
  • Prohibitions on the provision of payment solutions to certain Governments or public bodies, or those acting on their behalf.



Low, Moderate, High Risk Customers

OFAC administers and enforces economic sanctions against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and persons engaged in activities related to the proliferation of weapons of mass destruction, among others. OFAC acts under Presidential national emergency authorities, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under U.S. jurisdiction.

Low Risk Customers

  • Stable, well-known customer base in a localized environment.
  • No overseas branches and no correspondent accounts with foreign banks.
  • No electronic banking (e-banking) services offered, or products available are purely for local use.
  • Informational or non-transactional.
  • Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers.
  • No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt.
  • No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation.

Moderate Risk Customers

  • Customer base changing due to branching, merger or acquisition in the domestic market.
  • A moderate number of high-risk customers.
  • Overseas branches or correspondent accounts with foreign banks.
  • Limited e-banking products and services.
  • A moderate number of funds transfers, mostly for customers.
  • Possibly, a few international funds transfers from personal or business accounts.
  • Limited types of other international transactions.
  • A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the company addressed the issues and is not at risk of similar violations in the future.

High Risk Customers

  • A large, fluctuating client base in an international environment.
  • A large number of high-risk customers.
  • Overseas branches or multiple correspondent accounts with foreign banks.
  • A wide array of e-banking products and services (i.e. account transfers, e-bill payment, or accounts opened via the Internet).
  • A high number of customer and non-customer domestic funds transfers, including international funds transfers.
  • A high number of other types of international transactions.
  • Multiple recent actions by OFAC, where the company has not addressed the issues, thus leading to an increased risk of the company undertaking similar violations in the future.

Additional Factors

Low Risk

  • Management has fully assessed the level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization.
  • The board of directors has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate and consistent with the OFAC risk profile.
  • Staffing levels appear adequate to properly execute the OFAC compliance program.
  • Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer.
  • Training is appropriate and effective based on the risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance.
  • The institution employs strong quality control methods.
  • Compliance considerations are incorporated into all products and areas of the organization.
  • Effective policies for screening transactions and new accounts for Specially Designated Nationals and Blocked Persons (SDNs) and sanctioned countries are in place. These policies take into account the level of risk of the type of transaction being screened.
  • Compliance systems and controls effectively identify and appropriately report potential OFAC violations. Compliance systems are commensurate with risk. Records are retained that document such reporting.
  • On a periodic basis, determined by the level of risk, all existing accounts are checked to ensure that problem accounts are properly blocked or restricted, depending on the requirements of the relevant sanctions program.
  • Compliance systems and controls quickly adapt to changes in the OFAC SDN list and country programs, regardless of how frequently or infrequently those changes occur.
  • Independent testing of a compliance program’s effectiveness is in place. An independent audit function tests OFAC compliance with regard to systems, training and use.
  • Problems and potential problems are quickly identified and management promptly implements meaningful corrective action.
  • Overall, appropriate compliance controls and systems have been implemented to identify compliance problems and assess performance.

Moderate Risk

  • Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk.
  • The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted.
  • Staffing levels appear generally adequate, but some deficiencies are noted.
  • Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated.
  • Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program.
  • Quality control methods.
  • Compliance considerations were overlooked, but not in high-risk areas, and management promised corrective action when deficiencies were identified.
  • Policies for screening transactions and new accounts exist but are not properly aligned with the level of risk.
  • Compliance systems and controls generally identify potential OFAC violations, but the systems are not comprehensive based on risk or have some weaknesses that allow inaccurate reporting.
  • Accounts are periodically checked to ensure that problem accounts are properly blocked or restricted, but this does not occur often enough based on the level of risk.
  • Compliance systems and controls are generally adequate and adapt to changes in the OFAC SDN list and country programs.
  • Overall, independent testing is in place and effective, but some weaknesses are noted.
  • Problems are generally corrected in the normal course of business without significant investment of money or management attention. Management is reasonably responsive when deficiencies are identified.
  • In general, no significant shortcomings are evident in compliance controls or systems.

High Risk

  • Management does not understand, or has chosen to ignore key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization.
  • The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient.
  • Management has failed to provide appropriate staffing levels to handle workload.
  • Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC officer is unclear.
  • Training is sporadic and does not cover important regulatory and risk areas.
  • Quality control methods.
  • Compliance considerations are not incorporated into numerous areas of the organization, or do not adequately cover high-risk areas.
  • Policies for screening transactions and new accounts do not exist.
  • Compliance systems and controls are ineffective in identifying and reporting OFAC violations and are not commensurate with the level of risk.
  • Existing accounts are not reviewed to ensure that problem accounts are properly blocked or restricted.
  • Compliance systems and controls are not current and are inadequate to comply with and adapt to changes to the OFAC SDN list and country programs.
  • Independent testing is not in place or is ineffective. Testing performed is not considered independent.
  • Errors and weaknesses are not self-identified. Management is dependent on regulatory findings or responds only when violations are cited or penalties assessed.
  • Significant problems are evident. The likelihood of continued compliance violations or non-compliance is high because a corrective action program does not exist, or extended time is needed to implement such a program.

5.4. Legal Bases for the adoption of EU restrictive measures

Within the framework of Common Foreign and Security Policy (CFSP), the EU may decide to impose restrictive measures against third countries, entities or individuals. These measures must be consistent with the EU’s common objectives, as set out in Article 21 of the Treaty on European Union (TEU).

The Council of the EU first adopts a CFSP Decision under Article 29 of the TEU. Measures such as arms embargoes or restrictions on travel bans are implemented directly by all Member States, which are legally bound to act in conformity with CFSP Council Decisions. Other measures interrupting or reducing, in part or completely, economic relations with a third country, including measures pertaining to the freezing of funds and economic resources, are implemented by means of an EU Regulation, adopted by the Council of the EU on a proposal from the European Commission, after a common suggestion by the High Representative of the EU for Foreign Affairs and Security Policy and the European Commission, based on Article 215 of the Treaty establishing the European Community (TEC). The European Parliament is thereafter informed of the adopted legal acts.


Canny Finance and its officers, directors, employees and any agents are committed to complying fully with the PEP Policies.

The Business supports the fight against bribery and corruption; it has adopted this PEP Program to prevent its financial services from being used to promote criminal activity.

The Business will fully comply with both the intent and letter of all laws and regulations relating to PEP regulations.

The Business will train its employees to comply with these laws and regulations.

A copy of this PEP Policy Program will be available to all staff when requested and/or required.

6.1. PEP Description

A politically exposed person (PEP) is defined as an individual who is or has been entrusted with a prominent public function, their families or close friends and associates. Due to their position and influence it is recognized that many PEPs are in positions that can be abused for the purpose of committing money laundering offences including bribery and corruption.

PEPs are individuals who are or have been entrusted with prominent public functions, for example Heads of State, Senior Politicians, Senior Government, Judicial or Military Officials, Senior Executives of state owned businesses, Important Political Party Officials.

Family members are individuals who are related to a PEP either directly or through marriage or similar forms of partnership.

Close associates are individuals who are closely connected to a PEP either socially or professionally.

6.2. Monitoring Guidelines

The MLRO must establish procedures to review and monitor out-of-the-ordinary transactions involving bribery and corruption and identify situations that may require special record keeping or reporting.

Anti-bribery and anti-corruption monitoring should include reviewing of all staff and customer relationships over a given period of time.

Customer monitoring is an ongoing procedure that shall be conducted periodically – every 3 months.

All transactions and activities that appear to be abnormal or suspicious must be reported to the MLRO.

The following guidelines are implemented:

  • Apply Enhanced Due Diligence to all PEPs
  • Request Asset and Income Disclosure Forms
  • Periodic Review of PEP Customers
  • Setting a twelve month limit on when a PEP remains a PEP after they cease to hold their relevant position

6.3. Procedure Requirements for Regulated Firms and Their Partners


In response to the above, this document has been designed to clearly establish and document the internal guidelines, procedures and controls in relation to TPL or their contractual partners dealing with any natural person who could be considered politically exposed.

Accordingly, once the consumer name data has been collected, all consumers applying for a TPL issued e-money product or payment service will be screened to ensure that they do not qualify under the legislation as a PEP. If a consumer is positively identified as being qualified as a PEP, the following procedures should be followed:

  1. A consumer registers for the product and is screened through an approved third party provider to identify whether the potential customer is entrusted with a prominent public position, i.e. a PEP. (please see full definition above)
  2. If flagged, the consumer application should be reviewed by the Program Manager’s (“PM”) nominated officer to confirm the positive PEP identification and that the alert is not a false positive.
  3. If positive, full due diligence should be obtained from the consumer including details of source of wealth and source of funds.
  4. Full details of the PEP should be supplied to the TPL Compliance Department as representatives of the issuer for internal approval prior to the consumer relationship being established.
  5. Upon confirmation of approval, the details of the PEP should be entered into a ‘PEP Log’ that is maintained by the PM documenting all active PEP relationships.
  6. Regular enhanced monitoring of transactional activity on the account to ensure that the nature of the transactions is in keeping with the programme type. For example, the account is to be monitored for load/spend transactions that would suggest the PEP is channelling funds from their publicly entrusted position or using the account to conduct personal activities that may compromise their position given their public standing. Please note: any transactional activity identified that is not in keeping with the programme type should be reported to TPL as soon as practically possible.
  7. An enhanced due diligence file should be established containing the following information:
       • The due diligence collected including all identification documents and evidence of source of funds and source of wealth;
       • The research undertaken as part of the decision making process to submit this account for approval;
       • The approval notice from TPL to enter the business/consumer relationship; and
       • Copies of ongoing enhanced transaction monitoring and reports on findings.


Where Canny Finance enters into a third party contractual relationship either with a co-brander or client of the program, Canny Finance will also take steps to screen all Directors/Controllers and Shareholders of the firm they are contractually engaged with to identify those individuals who may qualify as a PEP.

If an individual of the third party contractual relationship is positively identified as a PEP, the procedure detailed above will be undertaken. Enhanced due diligence should include the monitoring of loads received from a corporate client to identify whether these funds are genuinely being used for consumer loads or are potentially funds being channelled from the individual’s public position.

6.4. Management

The responsibilities of the MLRO and Senior Management include:

  • Ensuring ongoing compliance with PEP regulations
  • Implementing the PEP Program
  • Reviewing and updating the PEP Program as necessary due to changes in laws or regulations and ensuring that all affected employees have been advised of these changes
  • Ensuring regular PEP training is conducted in an effective manner for all appropriate employees
  • Ensuring all training is documented, including the date of the training, name of the trainer/trainee and topics discussed
  • Monitoring day-to-day compliance with the related laws and regulations
  • Ensuring accurate record keeping and reporting as mandated by the GFSC and local specific regulations
  • Ensuring that the PEP Program is subjected to periodic independent reviews

6.5. Training requirements

Training must be provided to all employees who have access to or deal with customers of Canny Finance.

  • Identifying PEPs within the client base
  • How to identify that the funds received from a PEP do not derive from a corrupt source
  • Record keeping and reporting requirements
  • Verifying customer identification

Employees are required to understand and comply with the contents of this PEP Program and sign an acknowledgement declaration form that will be retained in their personnel file or with the PEP files.

Existing employees who have access to customer accounts and/or deal with Canny Finance customers, will receive periodic refresher PEP training that will be documented and retained in their personnel file or with the PEP files.

The MLRO will schedule and ensure that periodic employee PEP training is conducted annually or as needed to comply with newly enforced regulations.

6.6. PEPs Identification

There are many challenges and difficulties associated with identifying a PEP. Money laundering schemes are increasingly complex and opaque which makes the identification of a PEP increasingly difficult.

Those who benefit from corruption create a powerful constituency that discourages identifying or monitoring of PEP accounts and may attempt to discredit or silence anti-corruption organizations and leaders.

PEPs are considered high risk in today’s regulatory environment. Regulation requires enhanced due diligence when conducting business with a PEP.

Comprehensive Know Your Customer Procedures and enhanced due diligence processes are followed when dealing with PEPs. This must be done in conjunction with the AML policies.

Suspicious activity can vary from one transaction to another based on the circumstances. What is considered normal for one PEP may be considered suspicious for another.

Many factors are involved in determining whether transactions are suspicious, including, but not limited to the amount, the reason, comments made by the customer, and the customer’s behaviour.

Employees will report all suspected PEPs to the MLRO, regardless of who the PEP is.

The MLRO will investigate the client to determine if they are a foreign or local PEP.

7. Know Your Customer (KYC)

7.1. Individual Customer Requirements

For the purpose of identifying and ensuring that each Canny Finance cardholder undergoes a thorough KYC process, full procedures have been defined to aid all customer facing staff to carry out proper customer due diligence. An overview of the information collected is provided in the table below; however, further information may be collected on a case by case basis to satisfy Canny Finance that the customer can be serviced.

Each cardholder will be required to produce the necessary documents or information for the purpose of KYC depending on the level and value of transactions he/she wishes to be allowed to transact with or through a Canny Finance card.

  • Full Name
  • Current Residential Address
  • Telephone Number
  • Date of Birth
  • Place of Birth
  • Country of Residence
  • Proof of Identity and Proof of Address – documents will be validated.


7.2. Corporate Customer Requirements

Where Canny Finance deals with corporate customers, the specific type of information captured will depend on the type of organisation, and will be sufficient to fully identify the company and its relevant officers. An overview is provided in the table below.

All documentation supplied by a corporate customer must be certified as a true copy.

All Shareholders and Directors must be reviewed for PEP and Sanctions as per the procedures detailed above.

| Shareholders / UBOs | Corporate Customers |
|---|---|
| Full Name | Full Legal/Business Name |
| Current Residential Address | Registered Number |
| Date of Birth | Registered Office |
| Place of Birth | Business / Commercial Activity |
| Nationality | Country of Registration |
| Country of Residence | Countries of Operation or Entity’s Branches Locations |
| Proof of Identity and Proof of Address – documents will be validated. | Company Organisation Chart (Certified by the Companies’ Auditors) |
| Occupation and Position Held | Date of Registration |
| | Names of all Directors / Key Controllers / Signatories (or equivalent) |
| | Certificate of Incorporation and Memorandum and Articles of Association |


In the case of an “Entity” being the shareholder, holding at least 25% of the contracted party/company, the ‘Corporate Customer’ information above will be collected, up to the point of an individual Ultimate Beneficial Owner (UBO).

7.3. Customer Verification Requirements

The schedule below describes the type of ID or documents which will be acceptable for KYC by Canny Finance for issuing a card, in terms of an individual.

| Proof of Identity | Proof of Address |
|---|---|
| National Identity Card | Utility Bills (e.g. Electricity, Telephone, Water) |
| Driver’s License | Government / Local Authority Bills |
| Passport | Bank, Building Society or Credit Card Statement |
| | Driving licence (if not used as proof of ID) |
| | Title Deed / Right of Occupancy (Home Owner) |
| | Letter from Public Authority or Embassy |
| | Tax Office Correspondence |


Where a customer legitimately cannot provide a combination of the above documents, they will be dealt with on a case by case basis as authorised by the MLRO.

In addition, where Canny Finance services customers from different jurisdictions, the above requirements may be altered to facilitate the local requirements in each country.

The following standards must be adhered to in respect of documents:

  • Address verification documents must clearly reflect the residential address of the customer.
  • Mobile phone bills are not allowed.
  • Utility Bills should be less than three months old.
  • All proofs of address need to be copies of postal documents, not downloaded from the internet.


Canny Finance has monitoring systems and controls in place to detect fraudulent activity and to help protect accounts from misuse.

8.1. Suspicious transactions

Suspicious transactions are financial transactions that you have reasonable grounds to suspect are related to the commission of a money laundering offence. This includes transactions that you have reasonable grounds to suspect are related to the attempted commission of a money laundering offence.

8.2. Completed or attempted transactions

An attempted transaction is one that a client intended to conduct and took some form of action to do so. An attempted transaction is different from a simple request for information, such as an enquiry as to the fee applicable to a certain transaction. An attempted transaction includes entering into negotiations or discussions to conduct the transaction and involves concrete measures to be taken by either you or the client.

8.3. How to identify a suspicious transaction

Transactions, whether completed or attempted, may give rise to reasonable grounds to suspect that they are related to money laundering or terrorist activity financing regardless of the sum of money involved. There is no monetary threshold for making a report on a suspicious transaction. A suspicious transaction may involve several factors that may on their own seem insignificant, but together may raise suspicion that the transaction is related to the commission or attempted commission of a money laundering offence, a terrorist activity financing offence, or both.

As a general guide, a transaction may be connected to money laundering or terrorist activity financing when you feel that it (or a group of transactions) raises questions or gives rise to discomfort, apprehension or mistrust.

The context in which the transaction occurs or is attempted is a significant factor in assessing suspicion. This will vary from business to business, and from one client to another. You should evaluate transactions in terms of what seems appropriate and is within normal practice of our business, and based on your knowledge of the client. The fact that transactions do not appear to be in keeping with normal industry practices may be a relevant factor for determining whether there are reasonable grounds to suspect that the transactions are related to money laundering or terrorist activity financing.

An assessment of suspicion should be based on a reasonable evaluation of relevant factors, including the knowledge of the customer’s business, financial history, background and behaviour. Remember that behaviour is suspicious, not people. Also, it could be the consideration of many factors – not just one factor – that will lead you to conclude that there are reasonable grounds to suspect that a transaction is related to the commission or attempted commission of a money laundering offence, a terrorist activity financing offence, or both. All circumstances surrounding a transaction should be reviewed.

8.4. Indicators of suspicious transactions

The indicators that follow are provided to help assess whether or not transactions might give rise to reasonable grounds for suspicion. They are examples of common and industry-specific indicators that may be helpful when evaluating transactions, whether completed or attempted. They include indicators based on certain characteristics that have been linked to money laundering or terrorist activities in the past.

The indicators are not intended to cover every possible situation and are not to be viewed in isolation. A single indicator is not necessarily indicative of reasonable grounds to suspect money laundering or terrorist financing activity. However, if a number of indicators are present during a transaction or a series of transactions, then you might want to take a closer look at other factors prior to making the determination as to whether the transaction must be reported.

The indicators have to be assessed in the context in which the transaction occurs or is attempted. Each indicator may contribute to a conclusion that there are reasonable grounds to suspect that the transaction is related to the commission or attempted commission of a money laundering offence or a terrorist activity financing offence. However, it may also offer no indication of this in light of factors such as the client’s business, financial history and past transaction pattern. Taken together, the presence of one or more indicators as well as your knowledge of the client’s history may help you identify suspicious transactions.

Some of the indicators provided could result in the transaction being aborted if the client requests a service that is prohibited by our business.

Becoming aware of certain indicators could trigger reasonable grounds to suspect that one or more transactions from the past (that had not previously seemed suspicious) were related to money laundering or terrorist financing. For example, this could happen if it were reported in the media or some other reliable source that one of the clients is suspected of being involved in illegal activity. If this amounts to suspicion regarding a previous transaction with this client, we will report it as required under our reporting process.

Examples of Common Indicators

  • Client admits or makes statements about involvement in criminal activities.
  • Client does not want correspondence sent to home address.
  • Client conducts transactions at different physical locations in an apparent attempt to avoid detection.
  • Client repeatedly uses an address but frequently changes the names involved.
  • Client shows uncommon curiosity about internal systems, controls and policies.
  • Client has only vague knowledge of the amount of a transaction.
  • Client presents confusing details about the transaction or knows few details about its purpose.
  • Client over justifies or explains the transaction.
  • Client is nervous, not in keeping with the transaction.
  • Client is involved in transactions that are suspicious but seems blind to being involved in money laundering activities.
  • Client’s telephone number has been disconnected or there is no such number when an attempt is made to contact the client shortly after opening an account.
  • Normal attempts to verify the background of a new or prospective client are difficult.
  • Client appears to be acting on behalf of a third party, but does not tell you.
  • Client is involved in an activity out-of-keeping for that individual or business.
  • Client insists that a transaction be done quickly.
  • Inconsistencies appear in the client’s presentation of the transaction.
  • The transaction does not appear to make sense or conform to usual or expected activity for that client.
  • Client attempts to develop close rapport with staff.
  • Client uses aliases and a variety of similar but different addresses.
  • Client spells his or her name differently from one transaction to another.
  • Client provides false information or information that you believe is unreliable.
  • Client offers you money, gratuities or unusual favours for the provision of services that may appear unusual or suspicious.
  • Client is the subject of a money laundering or terrorist financing investigation.
  • Client is suspected of being involved in illegal activity.
  • A new or prospective client is known to you as having a questionable legal reputation or criminal background.


Identity documents

  • Client provides doubtful or vague information.
  • Client produces seemingly false identification or identification that appears to be counterfeited, altered or inaccurate.
  • Client refuses to produce personal identification documents.
  • Client wants to establish identity using something other than his or her personal identification documents.
  • Client’s supporting documentation lacks important details such as a phone number.
  • Client inordinately delays presenting documents.
  • All identification presented is foreign or cannot be checked for some reason.
  • All identification documents presented appear new or have recent issue dates.
  • Client presents different identification documents at different times.
  • Client alters the transaction after being asked for identity documents.
  • Client presents different identification documents each time a transaction is conducted.

Economic purpose

  • Transaction seems to be inconsistent with the client’s apparent financial standing or usual pattern of activities.
  • Transaction appears to be out of the normal course for industry practice or does not appear to be economically viable for the client.
  • Transaction is unnecessarily complex for its stated purpose.
  • Activity is inconsistent with what would be expected from declared business.
  • No business explanation for size of transactions.

Transactions involving accounts

  • Opening accounts when the client’s address is outside the local service area.
  • Opening accounts in other people’s names.
  • Opening accounts with names very close to other established business entities.
  • Attempting to open or operating accounts under a false name.
  • Account with a large number of small cash deposits and a small number of large cash withdrawals.
  • Multiple transactions are carried out on the same day at multiple ATMs.
  • Activity far exceeds activity projected at the time of opening of the account.
  • Establishment of multiple accounts, some of which appear to remain dormant for extended periods.
  • Account that was reactivated from inactive or dormant status suddenly sees significant activity.
  • Reactivated dormant account containing a minimal sum suddenly receives a deposit or series of deposits followed by frequent cash withdrawals until the transferred sum has been removed.
  • Unexplained transfers between the client’s products and accounts.
  • Large transfers from one account to other accounts that appear to be pooling money from different sources.
  • Multiple deposits are made to a client’s account by third parties.
  • Deposits or withdrawals of multiple monetary instruments, particularly if the instruments are sequentially numbered.

8.5. Fraud detection Flags

We detect potential fraud by flagging several different kinds of transactions. Among them are large purchases made just after small ones, online purchases and purchases that don’t fit a cardholder’s profile.

Standard behaviours for a criminal with a stolen card are, for example:

  • To make one small purchase to see if the card is still active and then make a major purchase.
  • Multiple attempts to withdraw funds from an ATM or different ATMs with reducing values that are declined.
  • Attempting to commission transactions beyond the KYC level of the account on a repeated basis using the card, after the client has been notified that the KYC limit has been reached.
  • Carrying out multiple, successive online transactions.


9.1. Suspicious Activity Screening

Suspicious activity screening should include the following details:

  • Screen: Screen the account for suspicious indicators and recognise a suspicious activity.
  • Ask: Ask the client appropriate questions regarding the transaction or attempted transaction.
  • Find: Find and review the client’s records. Review all information already known about the client when deciding if the transaction or attempted transaction is suspicious or whether the activity is to be expected.
  • Evaluate: Evaluate all of the above information: Is the transaction or attempted transaction suspicious?

A suspicious transaction report should include the following details:

  • personal particulars (name, identity card or passport number, date of birth, address, telephone number, bank account number) of the person(s) or company involved in the suspicious transaction;
  • details of the suspicious financial activity.

9.2. Reporting of Suspicious Transactions

In terms of financial regulation, an unusual activity report (or UAR) is a report made by a financial institution about suspicious or potentially suspicious activity. The criteria to decide when a report must be made vary from country to country, but generally a report covers any financial transaction that does not make sense to the financial institution, is unusual for that particular client or appears to be done only for the purpose of hiding or obfuscating a transaction. Front line staff in the financial institution have the responsibility to identify transactions that may be suspicious. These are reported to a designated person who is responsible for the reporting of the transaction. The financial institution is not allowed to inform the client or the parties to the transaction that a UAR has been lodged. UARs include detailed information about transactions that are, or appear to be, suspicious.

Under the Law, a person who has any knowledge or suspicion that another person is involved in a money laundering or terrorist financing offence, and who has become aware of the information on which the knowledge or reasonable suspicion is based in the course of his occupation, profession or business, commits an offence in the event he does not promptly disclose such information to the Gibraltar Financial Intelligence Unit (GFIU) as soon as is reasonably practicable.

Internal reporting

The Law requires that firms establish internal reporting procedures and that they identify a person to whom employees should report their knowledge or suspicion of transactions or activities involving money laundering or terrorist financing. In the case of a firm’s employees, the Law recognises that reporting to the MLRO will satisfy the reporting requirement imposed, i.e. once the employee has reported his/her suspicion to the MLRO he/she is considered to have fully satisfied his/her statutory requirements. In the case of Canny Finance, a report would be made to TPL’s MLRO for evaluation and potential external reporting.

External reporting

TPL’s MLRO will then conduct his own evaluation of the information provided within the report and decide whether or not to make a disclosure to the GFIU. The MLRO’s review, evaluation and decision will be recorded. Any internal enquiries made in relation to the report will be documented. If so deciding, the TPL MLRO will make the formal disclosure on behalf of Canny Finance.

The receipt of all disclosures will be acknowledged by GFIU. In the majority of cases, written consent will also be given to continue processing the transaction. However, in exceptional circumstances such as the imminent arrest of a customer and restraint of assets, consent may not be given. The reporting institution concerned will be made aware of the situation and should follow the directions of the Police or Customs Officer in charge of the investigation.

The central reception point for disclosure of suspicions is:

The Gibraltar Financial Intelligence Unit (GFIU)
Suite 832
Tel: 200 70211
Fax: 200 70233


The GFIU is integrated into the Government of Gibraltar Co-ordinating Centre for Criminal Intelligence and Drugs (‘GCID’). It is staffed by officers seconded from HM Customs Gibraltar and the Royal Gibraltar Police and is a member of the Egmont Group of Financial Intelligence Units. The GFIU is manned from 0800hrs to 1600hrs Mondays to Fridays.

An external template forms part of this policy as a separate document.

Tipping off

Following the submission of a disclosure report, Canny Finance is not precluded from subsequently terminating its relationship with a customer, provided it does so for normal commercial reasons. It must not alert the customer to the disclosure as to do so would constitute a “tipping-off” offence.

Personal data is exempt from disclosure under Data Protection Laws in any case where the application of that provision would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. However, even when relying on an exemption, Canny Finance should provide as much information as it can in response to a request.

Where Canny Finance withholds a piece of information in reliance on the exemption, it is not obliged to tell the individual that any information has been withheld. The information in question can simply be omitted and no reference made to it when responding to the individual who has made the request.

In the absence of evidence to the contrary the disclosure of a suspicion report is likely to prejudice an investigation and, consequently, constitute a tipping-off offence. In determining whether the exemption applies, it is legitimate to take account of the fact that although the disclosure does not, in itself, provide clear evidence of criminal conduct when viewed in isolation, it might ultimately form part of a larger jigsaw of evidence in relation to a particular crime. It is also legitimate to take account generally of the confidential nature of suspicious transaction reports when considering whether or not the exemption might apply.


Canny Finance will retain the following records for five years:

  • Copies of, or references to, the evidence obtained of a customer’s identity for five years after the end of the customer relationship;
  • Details of customer transactions for five years from the date of the relevant transaction;
  • Records of all AML/CTF training delivered;
  • Details of actions taken in respect of internal and external suspicion reports;
  • Details of information considered by the MLRO or his nominee in respect of an internal report where no external report is made.

Canny Finance will ensure that the above requirements are adhered to, and that the documents are able to be produced on request.

