22 June 2021

1. Purpose

The purpose of this document is to provide clients, banks and financial institutions, service providers, and other network partners with a description and overview of the core components of our financial crime compliance (FCC) framework in order to better understand how we operate.

2. Company information

3. Financial Crime Compliance organisation, roles, and responsibilities

INSTEX’s Chief Compliance Officer (CCO) is responsible for creating and implementing policies, procedures, and controls designed to ensure compliance with FCC laws, rules, and regulations in keeping with international best practice. The Head of KYC oversees Know your Client processes, including periodic client reviews. Further responsibilities by function are as follows:

• Employees and line management: All INSTEX personnel must comply with applicable FCC-related laws and regulations, adhere to and fully implement the policies laid out in INSTEX’s policies and procedures. This adherence includes a duty to escalate and report concerns and signs of suspicious activity or behaviour by clients and third parties we interact with. The CCO also acts as the Money Laundering Risk Officer (MLRO) for INSTEX.
• Relationship Managers (RMs): RMs and their line management are responsible for understanding the nature of their client’s business and, where appropriate, liaising with the Head of KYC, and escalating concerns to FCC and/or other risk functions, such as KYC. When an RM becomes aware of negative or otherwise adverse information about his/her client, there is a requirement to escalate it to the CCO’s office.
• Audit functions: Having been established in 2019, INSTEX does not currently have an internal audit function, but intends to create an independent Internal Audit function capable of performing risk-based assessments and adherence to process. Internal Audit will, when operational, audit all relevant operations within INSTEX. Our external auditor is Caderas Martin, a leading, French financial audit firm.
• Policies: Our policies are communicated to all INSTEX personnel and can be accessed by staff at any time. At present, INSTEX has the following FCC-related policies:
  • Sanctions and sensitive countries/parties
  • Anti-bribery and anti-corruption
  • Anti-money laundering
  • Anti-Fraud
  • Background check minimum standards
  • Conflict of Interests
  • Politically exposed persons
  • Removal of US nexus
  • Reputational risk
  • Export control compliance
  • Records management

4. Prohibited relationships and activities

INSTEX and its personnel are prohibited from engaging in or facilitating money laundering, terrorist financing or breaching sanctions. This means that INSTEX and its personnel do not:

• Accept funds that are known or suspected to be the proceeds of criminal activity, including tax offences considered predicate offences to money laundering
• Assist clients in activities intending to breach their tax obligations
• Engage in business relationships, directly or indirectly, with terrorists, criminals, or their financiers
• Engage in business relationships with sanctioned entities as defined by the INSTEX Sanctions and sensitive countries/parties policy
• Engage with financial institutions that are not subject to adequate regulatory supervision, including institutions whose AML controls do not meet internationally recognised standards and regulations
• Engage with financial institutions that use their relationships as payable-through accounts
• INSTEX and its personnel do not facilitate or promote business by US persons with or for Iran as this could be a breach of US laws applicable to US persons

5. Sanctions compliance

The key elements of INSTEX’s sanctions compliance programme includes these points:

• INSTEX has a sanctions compliance policy detailed in the Sanctions and sensitive countries/parties policy
• We abide by the these sets of sanctions laws, rules, and regulations: the European Union (EU, including our member states); United Kingdom (HMG); and United Nations (UN)
• We screen all clients’, client counterparties’, and third-party providers’ names, including beneficial owners’ names, against the lists of these three sanctions regimes – EU, HMG, UN
• As an EU-based entity, we are prohibited from implementing or adhering to third-party sanctions regimes and do not apply third-party lists to our business
• We have restrictions on transacting with sensitive parties and sanctioned parties based upon the materiality of the nexus; these restrictions are checked at client on-boarding, during client life-cycle renewal, and on a transactional basis

6. Know Your Client

In line with applicable policies, all new clients and are required to provide identifying information on their beneficial owners, which INSTEX verifies. This process is repeated periodically as part of the client review process (see Section Client reviews, below).

In addition, INSTEX gathers extensive information on its clients and their proposed counterparties. This includes information on the following:

• Nature and purpose of the proposed transaction via INSTEX
• Client and counterparty’s beneficial ownership structures as well controlling parties
• Where appropriate, the source of wealth behind the client and financial records of activity

The collation of this information allows INSTEX to evaluate the client and counterparty in greater detail, performing risk-based assessments on every proposed transaction.

7. Client Risk management Framework

As INSTEX builds its client portfolio, an AML risk rating will be applied to all client relationships. In the meantime, and given the nature of INSTEX’s business model and the jurisdictions of the non-European party of a transaction, INSTEX will consistently apply “Enhanced Due Diligence” to all client acceptances and transactions. Europe-based third-party service providers are typically required to undergo less extensive due diligence.

8. Politically Exposed Persons (PEPs)

Requirements for dealing with PEPs are detailed in the Politically Exposed Persons policy. In short, INSTEX may at times classify people as Lifetime PEPs, while others will be subject to 1-5 year ‘cooling’ periods after leaving office before de-PEPing; this process is at the discretion of the CCO. To date, INSTEX does not accept natural persons as clients, therefore the most prominent PEP-related risks arise when a PEP has material control of a client (company) and/or if the source of funds for the client company originates from a PEP. Beneficial owners, who have been identified as PEPs, are assessed for materiality, sanctions, sensitive party nexus as well as negative media.

9. Client Reviews

INSTEX performs periodic customer and third-party reviews:

• Client life cycle is between 3-6 months based upon size and volume of activity
• Client counterparty data is renewed every 3 months (if intended for reuse)
• Third-party providers are assessed every 12 months

In the coming years, INSTEX will also integrate event driven review to its client and third-party assessments; this review process will use industry best-practice approaches such as data analytics and transaction monitoring to assess the geography of a client’s business, client sector, behavioural analysis, and negative news alerts.

10. Monitoring and escalating client activity

All employees of INSTEX must be vigilant for potential warning signs of financial crime in our potential business activity and operations. All personnel are obligated to escalate and report suspicious activity or red flags by their client to the CCO as soon as they become aware of it. As necessary, the CCO will file a report to the regulator and take other steps as necessary; subject to applicable laws, INSTEX does not disclose the filing of a Suspicious Activity Report (SAR) to clients or third-parties.

11. Banking relationships and financial sector initiatives

With a view to transparency and a constructive working relationship with fellow financial sector entities, INSTEX will be building its FCC capabilities in accordance with Wolfsberg Group principles. INSTEX wishes to normalise its involvement in the European market and will be engaging in a spirit of good faith, transparency, and constructiveness.

INSTEX will, as resource capacity allows, be engaging in as many industry best practice initiatives and reach-outs as possible. Representatives will be actively participating in regional and international industry forums, seminars, and training initiatives.

For reasons of commercial privacy, we do not disclose our financial relationships.

12. Record retention

Records concerning client identification, Know your Client information, SAR filings, employee FCC training, as well as other FCC-related data are retained in accordance with local laws, rules, and regulations. Additionally, the INSTEX record retention policy ensures that records are kept and maintained for 10 years, except where local laws and regulatory requirements require a longer period. INSTEX is located within the European Union and adheres to GDPR as appropriate.

13. Financial Crime Compliance risk assessment and quality assurance

INSTEX will periodically engage external experts to conduct FCC risk analyses, FCC gap assessments, and FCC audits to ensure that we are a best-in-class organisation, outperforming pier European institutions. These exercises assess the adequacy, effectiveness, and implementation of all the FCC risk-mitigating infrastructure in place. Moreover, the results of such independent risk assessments will be learned from, absorbed and implemented in to our FCC framework to improve our policies and procedures in order to comply with applicable laws, rules, regulations, and industry expectations of us.

14. Training and communication

INSTEX personnel are trained on FCC topics upon joining INSTEX, as an annual refresher, and as the regulations or policies change. All personnel are required to complete training. Records of attendance shall be kept ensuring all employees have attended mandatory training sessions and to confirm they understand their obligations. The responsibility for training and communication rests with the CCO, who makes use of specialised external support when appropriate.

15. FCC Point of Contact and contact information

16. Disclaimer

This informational was produced by INSTEX with utmost care and aspirations of accuracy. Nonetheless, INSTEX provides no guarantees with regards to the content and completeness of this document, nor does it accept any liability for losses from use of information found within. This document was produced for informational purposes only and does not constitute legal or tax advice. Use of information from this document does not release the user from exercising their own judgement.