The purpose of this Risk Management Policy ("Policy") is to define the main steps for awareness, assessment, monitoring and management of risks involving Vixi Exchange, its Employees and Third Parties.
Applies to Vixi Exchange Employees, Third Parties and business partners, as of 06/03/2021.
Contributor(s): all employees and officers of Vixi Exchange, as well as all those who have a corporate, employment, commercial, professional, contractual or trust relationship with Vixi Exchange, as well as interns and trainees;
Compliance Committee: The company was created with the attribution of entrenching the culture of compliance and ethics, the mitigation of risks and losses, and fostering the observance of the legislation in force;
Controls: any policies, standards, procedures, activities, and mechanisms designed to ensure that business objectives are met and that undesirable events are prevented, detected, and remedied;
Policy: the present Risk Management Policy.
Risk: every potential event that can negatively impact the achievement of Vixi Exchange's objectives or specific business processes;
Third Parties: Suppliers and providers of goods and services, representatives, intermediary agents, attorneys-in-fact, technical consultants, expediters, external collaborators and/or any other third parties acting on behalf, benefit or interest of Vixi Exchange;
4.1.1. The Risk Management area reports to the Compliance Committee in quarterly meetings and aims to identify, assess and manage the risks inherent in Vixi Exchange's activities, by mapping and assessing risks, identifying opportunities and providing support to the business in achieving its objectives.
4.1.2 Information regarding operational losses and risks to which Vixi Exchange is susceptible must be documented and stored.
4.1.3 Depending on the objectives of the work, the issues involved, and the relevance of the deficiencies identified, varying levels of risk assessment may be used.
4.1.4 The Risks capable of generating a positive impact on Vixi Exchange's activities, called opportunities, will be reported to the Compliance and Risk Management Committee on a quarterly basis.
4.2.1 The Risks are categorized as follows:
4.2.1.1. Source of Events: Determinant for defining the approach to be employed in responding to risk. External risks are associated with the macroeconomic, political, social, natural or sector environment in which the organization operates, but in general it is not possible to intervene on these events, which will therefore have a predominantly reactive action. Internal risks originate in the organization's structure, its processes, staff or environment, and the response will be proactive.
4.2.1.2. Nature of Risks: Allows the consolidation of risks according to their nature (strategic, operational, financial, compliance) and affected areas:
Strategic Risks: impact image, reputation, continuity of operations, community, socio-environmental issues, life and/or facilities, as well as risks related to IT controls, entity-level controls and the achievement of short-, medium- and long-term business objectives. Strategic risks also include anti-fraud controls related to Senior Management.
Financial/Operational Risks: related to the rational use of resources, functioning of internal controls, effectiveness of business processes and financial exposures, at the process level, including other anti-fraud controls.
Compliance Risks: directly impact the compliance with laws, manuals, rules and internal regulations and/or self-regulation of the sector in which Vixi Exchange operates, including, but not limited to anti-corruption, anti-bribery, suspicious transaction reporting, anti-money laundering and similar laws.
4.3.1 Vixi Exchange maintains management structures and Internal Controls for risk management and prevention. The internal areas of Vixi Exchange operate in conjunction with operational systems and security resources to carry out the maintenance and risk management structure.
4.3.2 The internal controls will be periodically reassessed to ensure consistency with the nature, complexity, and risk of the operations carried out by Vixi Exchange.
4.3.3 Risk assessment is performed jointly, involving the impacted areas and those responsible for the processes, evaluating the degree of impact versus probability of occurrence for each risk identified, to then define the best protection instrument, which can be:
Avoidance: when you eliminate the fact that generates the risk, for example, by discontinuing a certain process or leaving a specific market.
Reduce: when internal controls (e.g. approval, review, segregation of duties, reconciliation, access profiles, etc.) are applicable so that the potential damage of the risk is substantially reduced.
Sharing: when the risk is shared with an external counterparty. Examples of risk sharing are hedging transactions and insurance policies.
Accept: when the impact versus probability of the risk is considered irrelevant, the decision is made to accept the risk, since the cost of the control action would be greater than the potential risk itself.
4.4 For the establishment of an adequate Control mechanism for risk management, Vixi Exchange will have a procedure divided into lines of defense:
First line of defense - Administrative and Business Areas. Employees and Third Parties are responsible for mapping and managing the Risks linked to their activities, implementing preventive and detective controls in their work processes;
Second line of defense - Risk Management, Controls and Compliance. The areas of risk management and internal controls assist managers in identifying risks and developing controls to mitigate their consequences. This line of defense also includes Compliance, which is responsible for centralizing Compliance Risk management initiatives;
Third line of defense - Internal Audit. The third line of defense covers Vixi Exchange's Internal Audit, responsible for undertaking independent evaluations as to the effectiveness and efficiency of the administrative and business areas and risk management. The audits will be carried out annually or at intervals established by the Compliance Committee, and the conclusions will be substantiated in a specific report.
4.8. Risk management and the adoption of remedial measures in response is the responsibility of all managers.
4.9. Any questions about this Policy or risk management should be clarified with the Compliance area, by means of the e-mail: compliance@vixiexchange.com.br.
5.1. Vixi Exchange will define, among its Employees, a director responsible for risk management, as well as professionals responsible for each phase of assessment, monitoring and mitigation.
Establish standards of conduct and controls as to the prevention and combat of money laundering and the financing of terrorism, in line with the applicable legislation and the best market practices.
It applies to all Employees and Third Parties associated with Vixi Exchange, as of 06/03/2021. This Policy shall be renewed annually.
BCB Circular 3.978: Circular 3.978, of January 23, 2020, of the Central Bank of Brazil;
Contributor(s): all the employees of Vixi Exchange, as well as all those who have a post, function, position, or corporate, employment, commercial, professional, contractual or trust relationship with Vixi Exchange, as well as interns and trainees;
Board of Directors: This is a group made up of the members of the Board of Directors of Vixi Exchange. The Executive Board has the function of monitoring the Company's projects and their respective results, as well as deliberating and directing the referred projects based on the Company's best interest;
Partner: individuals or companies that do business with Vixi Exchange;
PLD/CFT: preventing money laundering and combating the financing of terrorism;
Policy: this Policy on Preventing Money Laundering and Combating the Financing of Terrorism;
Third Party(ies): suppliers and providers of goods and services, representatives, intermediary agents, attorneys-in-fact, technical consultants, expediters, external collaborators and/or any other third parties acting on behalf, benefit or interest of Vixi Exchange.
4.1.1 The Board of Directors of Vixi Exchange is highly committed to the Compliance program and demonstrates its commitment to the fight against money laundering and the financing of terrorism by incorporating the subject in its speeches, as well as making the topic of compliance an agenda for its meetings and a guideline for decision-making.
4.1.2 This Policy aims to prevent any money laundering and terrorist financing practices, in any of the stages described below:
Placement: the stage at which the criminal introduces the illicitly obtained money into the economic system through deposits, purchase of negotiable instruments or goods. This is the removal of the money from the place where it was illegally acquired and its inclusion, for example, in the financial market;
Concealment: the moment in which the criminal conducts suspicious transactions that characterize the crime of laundering. In this phase, complex transactions are configured to disassociate the illegal source of the money, making it difficult for the authorities to trace its origin. The goal is to "break" the chain of evidence before the risk of investigations on the origin of the resources;
Integration: The assets are formally incorporated into the economic and financial system. From this moment on, the money is given a licit appearance.
4.1.3 Crypto-asset brokerages, such as Vixi Exchange, can be inadvertently used as intermediaries in some concealment process of criminal proceeds, especially in the second phase of the money laundering process, in which the goal is to "break" the chain of evidence about the origin of the money (traceability).
4.2.1 Terrorist financing is the financial support, by any means, of terrorism or those who encourage, plan, or commit it. It is intended to provide funds or capital for terrorist activities.
4.2.2. This raising of funds or capital can take place in various ways, either from legal sources (such as membership contributions, donations or profits from commercial activities) or from criminal sources, such as drug trafficking, arms smuggling, prostitution, goods and services improperly taken, organized crime, fraud, kidnapping, extortion, etc.
4.2.3 The fight against terrorist financing is closely linked to the fight against money laundering, since the techniques used to launder money are essentially the same as those used to conceal the origin and destination of terrorist financing, so that the sources continue to send amounts without being properly identified.
5.1 The Executive Board is responsible for promoting and disseminating the Policy to the organizational structure, clients, Partners, partners and service providers of Vixi Exchange, as well as the good practices for monitoring and preventive identification of possible illicit acts.
5.2 The Executive Board shall adopt mechanisms for communication, information, and awareness of the importance of PLD/CFT within the organization, including providing the organizational structure and all the technological tools for the diligences arising from this Policy.
5.3 The Executive Board will be responsible for establishing the Compliance Committee, composed of professionals from the operational, legal, and Compliance areas.
5.4 The Compliance Committee is responsible for monitoring the activities outlined in this Policy and related procedures, as well as performing the necessary diligence to monitor and identify risks related to PLD/CFT.
5.5 The Compliance area is responsible for monitoring the operational and financial activities of Vixi Exchange. For any deviations and findings, the Compliance area shall timely notify the Compliance Committee, which shall deal with them accordingly.
5.6 If deviations and/or attempts of money laundering practices and terrorist financing structures are detected, it will be the Executive Board's responsibility, with the support of the Compliance area, to immediately notify the competent authorities.
5.7 All Vixi Exchange Collaborators are responsible for monitoring their risk activities through mitigation instruments. In cases where deviation and/or attempted money laundering actions and formation of terrorist structures are found, the Collaborator must immediately inform his or her leadership and Compliance area, which will initiate investigations.
6.1 The Board of Directors of Vixi Exchange is highly committed to its compliance program. The Board demonstrates its commitment to PLD/CFT by incorporating the subject in its speeches, as well as by making the topic of compliance an agenda for its meetings.
6.2 Compliance training covering topics such as PLD/CFT, ethics, corruption prevention, fraud prevention, information security, among others, will be given at least annually to Employees. For Third Parties, training will be given according to demand.
6.3 The aforementioned trainings are for the promotion of Vixi Exchange's ethical organizational culture and PLD/CFT.
6.4 All actions to engage the Vixi Exchange team are supported by compliance with the Code of Ethics, which is submitted for the knowledge of all Collaborators, Third Parties, leaders, and the Executive Board.
7.1 In order to ensure that Vixi Exchange is not used for money laundering and terrorist financing practices, Employees shall apply all possible efforts to determine the true identity of all customers/partners ordering Vixi Exchange products and/or services.
7.2 Business transactions with third parties who fail to present proof of identity or any other document and/or relevant information required by the company for their registration are strictly forbidden.
7.3 Vixi Exchange conducts its business in compliance with the highest ethical standards, observing all laws and regulations applicable to its activities and the best market practices, especially regarding PLD/CFT. To this end, the following aspects are always observed and enforced:
Responsibility matrix of the members of each hierarchical level;
Internal evaluation of the risks of occurrence of the aforementioned crimes in relation to clients, Collaborators and Third Parties;
Definition of the criteria and activities for selection, training, and periodic evaluation of Collaborators, in line with the guidelines established in this Policy;
Internal evaluation of the risks of occurrence of the aforementioned crimes regarding the products and services offered by Vixi Exchange;
Practices for analyzing operations and identifying suspicious transactions;
Confirmation of registration information and identification of final beneficiaries;
Procedures for the identification of Politically Exposed Persons - PEP, as well as the differentiation in their analysis, in accordance with article 19 of BCB Circular 3,978, as best practices;
Instructions for starting a relationship with financial institutions, representatives or correspondents abroad, especially in countries, territories and dependencies that do not adopt registration and control procedures similar to those defined in this Policy;
Reporting instructions to the competent bodies as to the information required in the regulations in force, especially as to suspicions related to money laundering and the financing of terrorist activities; and
Points of attention in the registration of customers and business partners, detailed in full at the time of registration and approval of proposals.
7.4 All PLD/CFT procedures will be treated in more detail in a separate formalized document.
8.1. Prevention controls only work properly if all employees are aware of their importance and how they should be operated. To this end, it is essential that everyone is aware of the external regulations, internal regulations and controls in operation relating to PLD/CFT.
8.2 The "know-your-employee (KYE)" procedures are work routines, including the respective tools necessary for their execution, which aim at providing the institution with an adequate knowledge about its Employees, mainly concerning the following aspects:
Focus on identifying fraud and collusion in the commission of crimes;
Unusual change in patterns of life and behavior;
Special attention to employees involved in more vulnerable processes; and
Unusual change in the Collaborator's operating result.
8.3 For each and every hiring, the procedure of analysis and collection of documentation by the HR area must be followed. For areas/processes of greater vulnerability, more detailed analyses of the professional should be carried out, under the terms of the Meet Your Employee Procedure. The analyses, as well as their results, are the responsibility of the Compliance area and must be kept confidential.
9.1 All products and services offered by Vixi Exchange will be analyzed according to their risk of use for money laundering and terrorism financing.
9.2 The risk of the product or service will be analyzed jointly with the risk of the customer and/or partner who uses it.
9.3 The KYPS Procedure will comprise the assessment and previous analysis of new products and services, as well as the use of new technologies, taking into account the risk of money laundering and terrorism financing. Within the scope of this analysis, the Compliance area will assess whether this Policy is appropriate and sufficient for the offer of the new product or service and/or use of the new technology intended.
10.1 Vixi Exchange establishes the Know Your Customer (KYC) and Know Your Partner (KYP) procedures as its main PLD/CFT procedures.
10.2 By means of the specific procedures, Vixi Exchange seeks not only to know the true identity of its clients and prospects, but also to trace the risk profile of each one, establishing a closer relationship, in order to understand their real expectations and needs for meeting demands.
10.3 This relationship concept allows us to identify the real purposes of the clients/partners in order to prevent the actions of those who seek the company with unreliable objectives.
10.4 All Collaborators must know the main market concepts and indications of the regulatory and self-regulatory bodies related to the identification, prevention, and fight against money laundering and financing of terrorism. Below are recommendations of extreme relevance:
Identify the customer/partner via documents, data, and information of reliable and independent origin;
Identify the beneficial owner and take steps to verify his or her real identity;
Maintain continuous vigilance over the business relationship and carefully examine the transactions performed in the course of that relationship, verifying that they are consistent with the institution's knowledge of the customer/partner, its business, risk profile, and source of funds, if applicable;
Examine with particular attention all complex transactions with significant amounts and all unusual types of transactions without apparent economic or lawful cause; and
Communicate to the Compliance area any and all signs of false information, operations diverging from the financial situation, operations diverging from the profile, or any atypical situation that generates suspicion of irregularity.
11.1 The following are considered PEPs in Brazil:
Holders of elective mandates from the Executive and Legislative branches of government;
Occupants of positions, in the Executive Branch of the Union, of: (a) Minister of State or equivalent; (b) Special Nature or equivalent; (c) president, vice-president and director, or equivalent, of entities of the indirect public administration; and (d) Senior Management and Advisory Group (DAS), level 6, or equivalent;
Members of the National Council of Justice, the Federal Supreme Court, the Superior Courts, the Federal Regional Courts, the Regional Labor Courts, the Regional Electoral Courts, the Superior Council of Labor Justice and the Council of Federal Justice;
Members of the National Council of the Public Prosecutor's Office, the Attorney-General of the Republic, the Deputy Attorney-General of the Republic, the Attorney-General of Labor, the Attorney-General of Military Justice, the Deputy Attorneys-General of the Republic, and the Attorneys-General of the States and the Federal District;
Members of the Federal Audit Court, the Attorney General and the Deputy Attorneys General of the Public Prosecution Service before the Federal Audit Court;
Presidents and national treasurers, or equivalent, of political parties;
State and Federal District Governors and Secretaries, State and District Deputies, presidents, or equivalents, of state and district indirect public administration entities and presidents of Courts of Justice, Military Courts, Audit Courts or equivalents of the States and the Federal District; and
Mayors, Councilmen, Municipal Secretaries, presidents, or equivalents, of municipal indirect public administration entities and the Presidents of Audit Courts, or equivalents, of the Municipalities.
11.2 PEPs abroad are also considered:
Heads of state or government;
Politicians of higher echelons;
Occupants of upper echelon government positions;
General officers and high-ranking members of the judiciary;
Senior executives of public companies; and
Political party leaders.
11.3 Senior managers of public or private international law entities are also considered PEPs.
11.4 The PEP condition must be applied for the five (5) years following the date on which the person ceased to fit into the aforementioned positions.
11.5 The following are considered family members of PEP: relatives, in a direct or collateral line, up to the second degree, spouse, partner, stepchildren and step-daughters-in-law.
11.6 The following are considered close associates of PEP: (a) natural persons known to have any kind of close relationship with PEP, including by (i) having a joint interest in a legal entity under private law; (ii) acting as trustee, even if by private instrument of the person mentioned in item (i); (iii) having a joint interest in unincorporated arrangements; and (b) natural persons who have control of legal entities or unincorporated arrangements known to have been created for the benefit of PEP.
11.7 The transactions or proposed transactions that have PEP, its representative, family member or close associate as a party involved will always be considered as worthy of special attention under this Policy.
11.8 All registration documentation of clients classified as PEP, family member or close associate of PEP must be forwarded to the Compliance area, and in these cases, the performance of Third-Party Due Diligence (TDD), detailed in item 13 of this Policy, is mandatory.
11.9 When performing transactions for PEPs, relatives or close collaborators of PEPs, or in their names, Collaborators must be alert to any indication, even potential, of money laundering or financing terrorist activities, as per examples below:
Request to associate some form of secrecy with a transaction, such as registering the transaction in the name of another person or a company whose beneficiary does not have its identity revealed;
Directing transactions through multiple jurisdictions and/or financial institutions, with no obvious purpose except to conceal the nature, source, ownership, or control of the funds;
Rapid increase or decrease in the funds or value of assets in the account of a PEP, family member or close associate of PEP, that is not attributable to fluctuations in the market value of the investment instruments held in the account;
Frequent or excessive use of fund transfers or wire transfers to or originating from the account of a PEP, family member or close associate of PEP;
High value deposits or withdrawals that are not consistent and proportionate to the account type and legitimate assets or activities of the customer;
Existence of a pattern whereby, after a deposit or wire transfer is received by the account, funds are quickly transferred in the same amount to another financial institution, especially if the transfer is made to an account at an offshore financial institution or in a "secrecy jurisdiction"; and
Consultation by PEP regarding exceptions to recordkeeping or reporting requirements or other regulations requiring the reporting of suspicious transactions.
12.1. "Media Persons" are those persons who are in the media spotlight such as entertainers, athletes, journalists, including members of their "immediate families" (parents, siblings, spouse, children and in-laws) and "close associates" (a person widely and publicly known to have an unusually close relationship with the Media Person, including a person who is in a position to transact financial transactions, nationally and internationally, on behalf of the Media Person) and partnerships, corporations, or other legal entities that have been formed by or for the benefit of a Media Person.
12.2 When a Collaborator identifies the actual or potential existence of business with a Media Person, he/she should immediately communicate the fact to the Compliance area for analysis. In case of proof, the same procedures shall be adopted for PEPs, as set forth above, except for self-declaration.
13.1 The Third-Party Due Diligence is a more detailed investigation of various information related to clients and partners that require differentiated attention by risk level, operation volumes, operation segment, residential or commercial address, relationship network, operation characteristics, communication by Employees, regulatory agencies or external personnel, suspicions of irregular transactions, information in the media or any other reason that justifies such research.
13.2 This is a specific procedure, with careful research, "in-loco" checking of addresses, including the country of origin and whether it appears on any specific list of entities in the prevention and fight against money laundering and terrorist financing (e.g.: COAF, FATF, UN, Transparency International, FBI, INTERPOL, and national police agencies).
13.3 All and any communication to the competent regulatory agencies shall be made exclusively by the Compliance area and preceded by the Third-Party Due Diligence of the involved party.
14.1 The Compliance area is responsible for monitoring routines to identify indications of money laundering and financing of terrorism. The routines aim to identify operations with recurrent counterparties, unjustified transfers, operations with asset incompatibility, among others.
14.2 For the management of occurrences and treatment of money laundering indications and control of transactions in order to curb abusive practices, Vixi Exchange uses research services and manual/computerized data crossing, in line with good practices and with recognized suppliers in the market. As part of the analysis, searches are also performed in tools that verify the client's involvement with negative news, behavior in social media or public sanction lists.
14.3 The money laundering prevention system collects daily registration, operational and financial movement information. Cases of incompatibility with the rules defined in the system will generate alerts, identifying which filters were activated for analysis.
14.4 Once the occurrence is generated, it is up to the Compliance area to analyze the client/partner and its operations to confirm or not the indications of money laundering and financing of terrorism.
14.5 The analyses consist in verifying the cadastral documentation, evolution of the financial/wealth situation, result of the operations (mainly repetitive transactions), high index of operations between the same parties, including those with the same client, compatibility between the operations, financial situation, professional occupation and age.
14.6 The following are measures that can be taken: demand for updating of the registry, request for clarifications, filing of the occurrence, or immediate communication to the competent bodies about the atypicality identified.
14.7 No partner or customer of Vixi Exchange shall do business with any person, entity, government, or region that is on the OFAC, UN Security Council, or Interpol restrictive lists, among others.
14.8 Vixi Exchange Employees may, at any time, contact compliance@vixiexchange.com.br to obtain clarification regarding the applicable PLD/CFT procedures and controls.
14.9 All data and information collected under the terms of this Policy will be kept by Vixi Exchange for a period of 5 (five) years.
15.1 The automatic communications are those that do not undergo value judgment analysis by Vixi Exchange and are communicated directly to COAF. They are the following:
Operations of deposit or contribution in kind or withdrawal in cash of an amount equal to or greater than R$50,000.00 (fifty thousand reais);
Operations concerning payments, receipts and transfers of resources, by means of any instrument, against payment in kind, in an amount equal to or greater than R$50,000.00 (fifty thousand reais); and
Request for provisioning cash withdrawals of R$50,000.00 (fifty thousand reais) or more.
15.2. Suspicious operations and situations refer to any operation or situation that presents indications of use of the institution for the practice of the crimes of money laundering and financing of terrorism. The following are considered suspicious operations:
The operations carried out and the products and services contracted that, considering the parties involved, the amounts, the ways of accomplishment, the instruments used or the lack of economic or legal grounds, may configure the existence of signs of money laundering or terrorism financing, including:
The operations performed or services provided that, due to their regularity, value or form, represent an artifice that aims to circumvent the identification, qualification, registration, monitoring and selection procedures;
The operations of deposit or contribution in kind, withdrawal in kind, or request for provisioning for withdrawal that present evidence of concealment or dissimulation of the nature, origin, location, disposition, movement or ownership of assets, rights and values;
The operations carried out and the products and services contracted that, considering the parties and the amounts involved, present incompatibility with the client's financial capacity, including income, in the case of a natural person, or billing, in the case of a legal entity, and assets;
Operations with PEPs of Brazilian nationality and with representatives, relatives or close associates of PEPs;
Transactions with foreign PEPs;
Customers and transactions for which it is not possible to identify the final beneficiary;
Operations originating from or destined for countries or territories with strategic deficiencies in implementing the recommendations of the Financial Action Task Force (FATF);
The situations in which it is not possible to keep the client's registration information updated; and
Operations and situations that may indicate suspicion of terrorist financing.
15.3 All transactions that pass through the Vixi Exchange platform are monitored. Suspicious transactions, defined in a specific procedure, generate special analysis. Suspicious transactions are analyzed and reported in a dossier that will conclude on the need to communicate said suspicious transaction to COAF.
15.4 The period for the execution of the analysis procedures of suspect operations will not exceed 45 (forty-five) days, counted from the date of the selection of the operation or situation.
16.1. In order to know the true identity, profile and aspirations of its clients, Vixi Exchange applies risk categorization that contemplates information on: Investment Profile (conservative, moderate or aggressive) and Susceptibility (high or low).
16.2. The Investment Profile is obtained by means of a questionnaire that the customer answers according to his or her understanding and reality as an investor. The result of this study is the definition of the Investment Profile, which will guide, among other actions, the offer of products and the categorization of risks, as follows:
Conservative: The main objective is security, with capital preservation and low risk tolerance. The conservative client has security as the decisive point for his investments, accepting even a lower profitability. He allocates his resources in Fixed Income securities (Investment Funds and Treasury Direct);
Moderate: The main objective is to obtain returns above the fixed income standards available in the market with minimized exposure to variable income risks. This is the investor who has a good part of his assets in fixed income, but also wants to participate in the profitability of variable income. Security plays an important role, as well as a return above the market average, and usually holds positions in the medium and long term. They tend to participate in Funds (Multimarket, Equity, and Real Estate), Letters of Credit (LCI and LCA), Investment Clubs, Stock Loans (BTC) as a donor, and the stock spot market, including day-trades; and
Aggressive: Its objective is to run a higher risk aiming at maximum profitability for its investments. He seeks the good profitability offered by variable income, reserving a minimum portion of his assets for safer applications. The aggressive investor seeks to be always up to date to take advantage of eventual investment opportunities and with the prospect of a short-term return. Their characteristic is to operate in all markets managed by stock exchanges and to invest in products that are exposed to exchange rate variations and inflation.
16.3 The degree of susceptibility of each client is defined based on its registration information, ratified according to analysis. To categorize susceptibility, three types of information are verified: (i) Business Segment, (ii) Client's Origin, and (iii) Professional Characteristic.
16.4 Once a client is identified in any condition defined as being of higher susceptibility, the registration documentation must be forwarded to the Compliance area prior to the start of its operations with Vixi Exchange. The methodology defined as to customer susceptibility establishes the following criteria:
Business Segment: Financial institutions and factorings (including individuals with major positions), exchange houses, brokerage and distribution companies, tourism, gaming, church, entertainment, political parties, air transport, and insurance companies;
Customer Source: The country of origin and current residential address must be considered. The following are considered highly susceptible: tax havens, non-cooperative countries, countries with a recent history of war, guerrilla warfare or drug trafficking; and
Professional Feature: PEPs, family members and close associates of PEPs, other political personalities and media personalities.
16.4.1 For the purposes of this clause, "Tax Havens" are countries with favored taxation or that impose secrecy regarding the corporate structure of legal entities (RFB listing). In turn, "Non-Cooperative Countries" are those countries that do not act or do not cooperate in the fight against money laundering practices and financing of terrorism due to their permissive legislation, or even due to the lack of legal instruments for inspection and regulation of the economic sectors that are vulnerable to money laundering and financing of terrorist activities (COAF list).
17.1. The effectiveness of this Policy will be evaluated annually by the compliance area and will be substantiated in a specific report.
17.2. Vixi Exchange will prepare an action plan to address any deficiencies in this Policy and in the PLD/CFT procedures through effectiveness evaluation.
17.3 The follow-up of the action plan implementation will be documented by means of a follow-up report, to be prepared by the compliance area.
17.4 The effectiveness reports, action plans, and follow-up reports will be sent to the Vixi Exchange Board of Directors by June 30th of each year.
17.8 The information systems of Vixi Exchange will be submitted to periodic tests to verify their adequacy to the guidelines of this Policy.
This Policy has been approved by the Board of Directors of Vixi Exchange.
This Information and Cyber Security Policy ("Policy") aims to create an internal reference for the implementation of a secure technological and informational environment, facilitating the control of information and related processes, including with regard to the contracting of data processing and storage and cloud computing services, in line with information security principles, applicable regulations and best market practices.
The guidelines of this Policy also aim to protect, in accordance with the LGPD, the personal data processed by Vixi Exchange from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful processing.
Applies to Vixi Exchange Employees and Third Parties, as of 06/03/2021.
Contributor(s): all the employees of Vixi Exchange, as well as all those who have a post, function, position, or corporate, employment, commercial, professional, contractual or trust relationship with Vixi Exchange, as well as interns and trainees;
Board of Directors: This is a group made up of the members of the Board of Directors of Vixi Exchange. The Executive Board has the function of monitoring the Company's projects and their respective results, as well as deliberating on and directing these projects based on the Company's best interests;
Banking Secrecy Law: the Complementary Law No. 105, of January 10, 2001;
LGPD: the Law No. 13,709 of August 14, 2018, known as the General Data Protection Law;
Policy: the present Information and Cyber Security Policy;
Third Party(ies): suppliers and providers of goods and services, representatives, intermediary agents, attorneys-in-fact, technical consultants, expediters, external collaborators and/or any other third parties acting on behalf, benefit or interest of Vixi Exchange.
4.1.1 The Directors and the Information Security area of Vixi Exchange are responsible for ensuring that all Employees, in their respective business areas, are aware of their obligations regarding information security.
4.1.2 Information security aims at generating value to stakeholders, as well as strengthening corporate governance and the internal control environment.
4.1.3 The information security structure at Vixi Exchange includes internally defined models, with techniques for monitoring risks related to information security and specialized personnel hierarchically subordinated to the departments linked to the corporate risk components.
4.2.1 Information is one of the most valued assets in the business environment. Besides the possession of structured, quality information being one of Vixi Exchange's strategic objectives, information is an asset provided by our customers and partners that must be treated with the highest technical level, secrecy and confidentiality, observing the current legislation.
4.2.2 Examples of confidential information are:
Customer information that must be protected by legal obligation, including registration data (number of enrollment in the National Registry of Individuals of the Ministry of Economy - CPF, RG, address, etc.), transactional data, financial situation and movement of funds;
Information about products and services that reveal Vixi Exchange's competitive advantages in the market;
All of Vixi Exchange's strategic material (printed material, stored in systems, in electronic messages, or even in the form of a person's business knowledge);
Any Vixi Exchange information that should not be disclosed to the external environment before publication by the competent areas;
All types of passwords to systems, networks, stations, and other information used in authentication, remembering that they are personal and non-transferable data.
4.2.3 A quality flow of information can decide the success of an enterprise, a project, and an evaluation. However, this power, added to the increasing ease of access, makes this "asset" a target of constant internal and external threats.
4.2.4 When not properly managed, these risks and threats can cause considerable damage to Vixi Exchange, partners, and customers, impairing their growth and competitive advantage.
4.2.5 All Vixi Exchange employees must care for the information under their responsibility, paying attention to the following main aspects:
Integrity: ensuring that information is maintained in its original state, in order to protect it, in storage or transmission, against undue alterations, whether intentional or accidental;
Confidentiality and Secrecy: ensuring that access to information is obtained only by authorized persons, pursuant to the LGPD and the Banking Secrecy Law; and
Availability: ensuring that authorized users gain access to the information and corresponding assets whenever necessary.
4.3.1 We categorize the types of information depending on their use, such as:
Public Information: can be accessed by Collaborators, customers, Third Parties and the general public.
Internal Information: can only be accessed by Employees. It has a degree of sensitivity that can compromise the organization's image and/or negatively impact its objectives and results. Access is not restricted by internal controls.
Confidential Information: can be accessed only by employees of the organization who have special authorization. Unauthorized disclosure may impact Vixi Exchange's business, customers, partners, and/or reputation. Access permitted only when a business need has been identified and such access is expressly approved.
4.3.2 In general, all Employees and Third Parties associated with Vixi Exchange must:
Faithfully comply with this Policy;
Protect information from unauthorized access, modification, destruction, or disclosure;
Ensure that the technological resources, information and systems at its disposal are used only for the determined and approved purposes;
Comply with the laws and regulations governing intellectual property, as well as the LGPD and the Banking Secrecy Law; and
Do not share confidential or sensitive information of any kind.
4.4.1. The following precautions should be observed when handling unstructured information (voice and stored outside computerized systems):
You should not discuss or comment on confidential Vixi Exchange matters in public places or via private text messages;
Orally disseminated information should also be subject to caution, both inside and outside the premises;
Whenever Employees are in public places, it is necessary to adopt practices that ensure the confidentiality of information (e.g. not mentioning the names of customers, partners, and prospects);
Another caution to be taken is discretion and impersonality when referring to companies and people, as well as not mentioning sensitive issues;
In general, goals, comments, strategies, budgets, etc. should be discussed in a private setting, such as internal meetings and/or private chat rooms; and
It is forbidden to obtain information illegally (i.e., in noncompliance with applicable rules and regulations) for any purpose.
4.5.1 The authorized user is fully responsible for the correct possession and use of his passwords and system access authorizations, as well as for the actions resulting from their use.
4.5.2 Access and use of all information systems, network directories, databases, and other resources must be restricted to explicitly authorized persons and according to the needs of their functions, observing the "minimum necessary access" rule.
4.5.3 Periodically, the accesses granted must be reviewed by Vixi Exchange's Information Security Manager.
4.5.4 All Employees should adopt the following basic practices:
Keep updated on the servers and shared networks the products of the work developed in the course of the activities;
Do not keep copies of your files on a local computer;
Use complex passwords that contain characters composed of letters, numbers and symbols, avoiding the use of first names, last names, document numbers, telephone numbers, dates that can be related to the user, changing such passwords periodically;
Use encryption whenever sending or receiving data containing confidential/strategic information, observing the need for authorization of this sharing;
When using the Internet, certify the origin of any website and the use of secure (encrypted) connections when performing transactions;
Verify the integrity of websites whose access is necessary for the exercise of the activity;
Type the desired address into the browser and do not use unknown links as a resource to access another destination address;
Do not open files or run programs attached to e-mails without first checking them with a virus scanner; and
Do not use the executable format in compressed files.
4.5.5 The following activities are expressly prohibited by this Policy:
Introduce code into IT systems, use, facilitate or allow third-party input by any means;
Reveal personal identification, authentication and authorization codes (e.g. account, passwords, private keys, etc.) or allow third parties to use resources authorized through these codes;
Advertising or marketing products, items, or services from any resource of the IT systems;
Attempting to interfere with a service or transaction without express authorization;
Change event logging of systems;
Modify data communication protocols;
Gain unauthorized access to, or improperly access data, systems or networks, including any attempt to investigate, examine or test vulnerabilities;
Monitor or intercept data traffic on IT systems;
Violating security or authentication measures without authorization from the competent function;
Provide information to third parties about users or services made available in the IT systems, except those of a public nature or by express authorization;
Store or use games on resources belonging to the Vixi Exchange environment; and
Use unapproved applications and/or applications with an inactive or unauthorized license.
4.5.6. Access requests should follow the following premises:
Requests for new user identifications and changes in privileges must be made in writing and approved by the Information Security area, and their needs must be mapped out according to each employee's scope of work;
In case of changes, users must substantiate the necessity of the changes in their privileges and the relation of such changes to the activities performed;
Privileges must be immediately revoked at the end of specific projects, if the professional is working as a Collaborator or partner. The same must be observed upon dismissal or end of the contractual relationship, and the dismissed Collaborator or partner is entirely responsible for the activities and acts perpetrated during his/her permanence;
The privileges for all network service users must be reviewed every 12 (twelve) months by the Information Security area, or less frequently if necessary.
4.5.7. Collaborators must observe the following guidelines regarding access passwords:
Access passwords are the security controls for the systems in the Vixi Exchange IT environment and are personal, confidential, and non-transferable;
If undue exposure is suspected, the fact should be reported immediately to Information Security and all passwords should be changed;
Users should have guidance on keeping their access passwords secret and on the responsibilities involved with their misuse;
In case of proven compromise of the IT environment security by some unforeseen event, all access passwords must be changed;
Similarly, all recent changes of users and system privileges should be reviewed to detect any unauthorized data modifications; and
All users need to be identified before they are able to perform any activity in an IT environment.
4.5.8. Regarding the use of communication equipment and resources:
Corporate equipment, as well as Vixi Exchange software, must be made available and approved by the Information Security area;
Private equipment, such as computers or any portable device that can store and/or process data, should not be used to store or process business-related information, nor should it be connected to networks unless previously authorized;
Computers with sensitive and/or classified information must, obligatorily, be turned off or locked in the absence of the Collaborator;
When Employee equipment or accounts are not in use, they should be immediately locked or turned off;
Unauthorized access to third-party mailboxes is prohibited, and any attempts to gain access must be logged;
It is forbidden to send critical information to unauthorized people or organizations, observing, when applicable, guidelines for classified information;
It is forbidden to send obscene, illegal, or unethical material, advertising, entertainment messages, or messages of any nature related to nationality, race, sexual orientation, religion, political conviction, or any other subject unrelated to the scope of work;
Sending simultaneous messages to all network users should be avoided;
Communication applications should always be used based on common sense and in accordance with legal precepts;
Products resulting from the work of authorized users (data and document collection, system, methodology, results, among others) are the property of Vixi Exchange. In the event of contract termination or rescission, these users must return all confidential information generated and handled as a result of the provision of services, or issue a destruction declaration;
All information assets must be properly stored, especially documents on paper or removable media. Documents must not be abandoned after printing or copying; and
Following the best legal guidance, Vixi Exchange reserves the right to monitor equipment, electronic mail, and corporate communication tools whenever necessary, regardless of prior communication and/or authorization from the Employee.
4.6.1 Vixi Exchange must maintain in its operation the premises defined by this Policy, as well as the controls to ensure the confidentiality, integrity and availability of the data and support systems in accordance with the business structure, risk profile and nature of Vixi Exchange's activities.
4.6.2. Communication applications should always be used based on common sense and in accordance with legal precepts.
4.6.3 When hiring Third Parties for processing, data storage and cloud computing activities, the Information Security area will be responsible for conducting a Due Diligence process of the potential contracted partner, in order to verify (i) its technical and operational capacity, (ii) the security and integrity of its systems, and (iii) the possibility of full compliance with the provisions of this Policy.
4.7.1 The responsibility of reporting information security events to the competent areas is assigned to all Vixi Exchange Employees.
4.7.2 All communication of events that negatively impact the information security premises must be timely communicated to the Information Security area.
4.7.3 The Information Security area is responsible for collecting data and evidence of the events that negatively impact Vixi Exchange's information security.
4.7.4 All collected evidence must be duly filed and directed to the Compliance area at Vixi Exchange by magnetic means and/or in a directory with restricted access.
4.7.5 The Information Security area must apply the analysis based on the root cause of the event, as well as document in internal reports the characteristics of the event.
4.7.6 The analysis may not be performed by the agents involved or by those who identified the event.
4.7.7 The action plan to mitigate the events identified by the entity must be highlighted in the internal reports, as well as the dates for the implementation of improvements by the areas involved.
4.7.8 The Information Security area is responsible for monitoring the implementation of action plans and the Compliance area is responsible for certifying their effectiveness.
4.7.9 All event analyses shall be supported by classification according to expected impact, as follows:
High (Severe Impact): An event that affects relevant systems or critical information, with the potential to negatively impact revenue or customers or compromise Vixi Exchange's business continuity;
Medium (Significant Impact): An event that affects non-critical systems or information, without negative impact to revenue or customers, resulting from unintentional errors or weaknesses in processes; and
Low (Minimal Impact): Possible event, non-critical systems, incident or Employee investigations, long-term investigations involving extensive research and/or detailed forensic work.
4.7.10. The following are classified as negative or adverse events:
Any confirmed or suspected adverse event related to the security of computer systems or computer networks, as well as associated physical and logical structures, that compromises the confidentiality, integrity, and availability of the organization's environment;
Unavailability of the technological environment due to malicious attacks;
Security incidents or situations of unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful treatment;
Internal or external attempts to gain unauthorized access to systems, data, or even compromise the IT environment;
Violation of security policy;
Unauthorized use or access to a system;
Modifications to a system, without the knowledge or prior consent of the responsible manager; and
Password Sharing.
4.8.1 Security breaches must be reported to the Information Security area.
4.8.2. Any violation or deviation will be duly investigated for the determination of necessary measures, aiming to correct failures or restructure processes.
4.8.3 Below are some violations that may result in administrative, civil, and criminal sanctions:
Illegal use of software;
Introduction of a virus or malicious program (intentional or not);
Unauthorized access attempts to data and systems;
Sharing of confidential/sensitive business information; and
Disclosure of information from customers, partners or contracted operations.
4.8.4 The non-compliance with the guidelines of this Policy and the violation of rules derived from it subject the violators to civil and criminal liability penalties as provided by law, without prejudice to the immediate termination of the service provision contract of the employee involved.
4.8.5 It is the user's responsibility to know and comply with the legislation, especially the obligation of secrecy provided in Article 5, XII, of the Federal Constitution, Law no. 12,737/2012 (criminal typification of computer crimes), the provisions of the Marco Civil da Internet (Law no. 12,965/2014), the LGPD and the Banking Secrecy Law.
Define the structure and controls for compliance risk management, roles and attributions related to Compliance and related areas, in adherence to the applicable internal and external rules.
Applies to Vixi Exchange Employees and Third Parties, as of 06/03/2021.
Code of Ethics and Conduct: This is the Code of Ethics and Conduct, with values, principles and standards of conduct that must guide the relationships of all managers, Employees and Third Parties who act on behalf and/or for the benefit of Vixi Exchange;
Contributor(s): all the employees of Vixi Exchange, as well as all those who have a post, function, position, or corporate, employment, commercial, professional, contractual or trust relationship with Vixi Exchange, as well as interns and trainees;
Conformity: comply, perform, satisfy, carry out what has been imposed on you, and enforce internal and external regulations imposed on Vixi Exchange's activities;
Board of Directors: is a group made up of the members of the Board of Directors of Vixi Exchange. The Board has the function of monitoring the Company's projects and their respective results, as well as deliberating and directing the referred projects based on the best interests of the company;
Policy: the present Compliance Policy;
Compliance Risk: corresponds to the possibility of sanctions, financial losses or damage to Vixi Exchange's reputation/image, due to non-compliance with or inadequate treatment of external standards (laws, regulations, recommendations and guidelines of regulatory and self-regulatory entities, domestic or foreign) and/or the Code of Ethics and other internal policies that guide Vixi Exchange's business; and
Third Party(ies): suppliers and providers of goods and services, representatives, intermediary agents, attorneys-in-fact, technical consultants, expediters, external collaborators and/or any other third parties acting on behalf, benefit or interest of Vixi Exchange.
4.1. The provisions of this Policy apply to Vixi Exchange Employees, Third Parties and customers.
4.2 Employees are responsible for assessing and treating the Compliance Risks to which Vixi Exchange may be exposed. Vixi Exchange's subsidiaries, controlled and associated entities may issue additional rules to this Policy, aimed at regulating the subject within their scope of action.
4.3. Compliance Risk must be avoided by complying with internal and external laws and regulations, being, above all, an individual obligation of each Collaborator to ensure strict compliance with the applicable rules.
4.4 The Compliance area must ensure, together with the other areas, the adequacy, strengthening and operation of the internal controls program, seeking to mitigate risks, as well as disseminate the culture of controls aiming to ensure compliance with existing laws and regulations.
4.5. The Compliance area shall provide a channel for denunciations, so that Employees and Third Parties can report attitudes that fall short of the standard of conduct provided for by applicable internal and external regulations and legislation. Vixi Exchange will not tolerate any form of retaliation or discrimination against Employees and Third Parties who make reports and denounce violations of internal and external rules in good faith.
4.6. The Compliance area shall provide a communications channel, in order to solve eventual doubts related to this Policy.
4.7. Vixi Exchange shall set up an area for internal audits, which will assist in the investigation of complaints received, perform operational audits on the area's procedures, and contribute to the identification of residual risks for the Compliance area.
5.1 In accordance with the Code of Ethics, all practiced acts must maintain unrestricted and full submission to the ethical pillars of honesty, dignity, loyalty, respect, clarity of purpose, and good faith.
5.2 It is the duty of all Employees to ensure effective compliance with the values upheld by Vixi Exchange, the internal and external rules (applicable legislation and regulations).
5.3 Vixi Exchange Compliance will be responsible for overseeing Compliance Risk in cooperation and synergy with the other areas of supervision and control.
5.4 If Vixi Exchange's Compliance identifies possible violations to the Code of Ethics or other internal and external rules of Vixi Exchange by Employees or Third Parties, disciplinary measures may be applied in accordance with the seriousness of the act committed.
6.1.1 In performing its duties, Vixi Exchange Compliance has the prerogative of free access to information and direct contact with all employees, regardless of their position or hierarchical position.
6.1.2 Within Vixi Exchange's corporate governance structure, Compliance shall report its activities periodically to the Senior Management. Additionally, it shall systematically and timely communicate to the Board of Directors the situations that may impact Vixi Exchange's Compliance Risk.
6.1.3 While maintaining the principles of independence and objectivity, Vixi Exchange's Compliance must act in synergy with the Internal Audit, Internal Controls and Risk Management functions.
6.2.1 Vixi Exchange Compliance is responsible for managing and monitoring the Compliance Program, consisting of policies, procedures, training, and activities to strengthen business compliance and integrity with respect to compliance with legal and regulatory issues.
6.2.2 Compliance will be responsible for internal controls aimed at preventing, detecting and deterring violations of applicable laws and regulations.
6.2.3 The Compliance Program must be directed by a risk-based approach, in order to ensure focus on the aspects of greatest relevance and criticality.
6.2.4 Vixi Exchange's Compliance must offer permanent support and consultancy to the management, administrative and business areas, with a view to identifying, assessing and treating Compliance Risk, while respecting the proper independence inherent to its activities.
6.2.5 The management of Compliance Risk must include actions for testing the adherence of the activities developed, with periodic reporting of its results to Senior Management.
6.2.6 The summary of the activities related to Compliance Risk management, containing its main conclusions, recommendations and measures taken by Vixi Exchange, will be included in an annual report submitted to the Board of Directors.
7.1 The internal supervision and control structures of Vixi Exchange are formalized in specific policies and comprise three different lines of defense. The management of Compliance Risk, developed within the Risk Management strategy, is equally based on the independent and integrated performance of the following structures:
FIRST LINE OF DEFENSE - ADMINISTRATIVE AND BUSINESS AREAS
7.2 The first line of defense is composed of operational controls from the administrative and business areas themselves.
7.3 The Collaborators and managers of Vixi Exchange are responsible for mapping and managing the Compliance Risks linked to their activities, implementing preventive and detective controls in their work processes.
SECOND LINE OF DEFENSE - RISK MANAGEMENT, CONTROLS AND COMPLIANCE
7.4 The second line of defense includes the integrated risk management activity, in its different aspects, in addition to the internal control units.
7.5 The risk management and internal control areas assist managers in identifying risks and developing controls to mitigate their consequences.
7.6 In this line of defense, Compliance is also located, responsible for centralizing the Compliance Risk management initiatives, applying the principles and guidelines issued by Senior Management by means of policies, processes and procedures for the identification, treatment and mitigation of the Compliance Risks, as established in this Policy.
THIRD LINE OF DEFENSE - INTERNAL AUDIT
7.7 The third line of defense comprises Vixi Exchange's Internal Audit, which is responsible for undertaking independent evaluations as to the effectiveness and efficiency of administrative and business areas and risk management.
8.1. Senior Management is responsible for establishing the Compliance activity guidelines, as well as ensuring the effectiveness and adequate management of this Policy, providing the necessary means, material and human, to ensure that the Compliance attributions are properly exercised.
8.2 Compliance activities will be communicated on a regular basis, at least quarterly, to the Operational Risk Management and Compliance Committee.
8.3 In turn, the assessment of any irregularities or failures identified, as well as other situations that may impact the Compliance Risk of Vixi Exchange, will be reported systematically and timely to the Governance Committees in operation, as the case may be.
The Compliance areas of Vixi Exchange are responsible for identifying, monitoring and assessing Compliance Risks:
Manage the application of the principles set out in this Policy and related documents;
Monitor the trends and changes in the regulatory environment, providing information and advice to the administrative and business areas regarding Compliance Risks;
Coordinate the development of internal policies and procedures, as well as monitor eventual plans for adapting Vixi Exchange's structures to the evolutions of the regulatory environment, centralizing the process of treatment and control of laws and norms coming from regulatory, self-regulatory, and class entities;
To test and evaluate, together with the other inspection and control structures, the adherence of Vixi Exchange to the legal framework, to the infra-legal regulations, to the recommendations of the supervisory bodies and to the code of ethics and related internal policies;
Monitor the solution of the points raised in the report of non-compliance with legal and regulatory provisions prepared by the independent auditor, together with the other inspection and control structures, as per specific regulations;
Disseminate and apply the guidelines, codes, and internal policies related to ethics, conduct, and integrity, using mechanisms that ensure the reach to all Collaborators and Third Parties;
To promote permanent internal culture in relation to the themes of ethics, conduct, integrity, and other compliance-related matters, undertaking qualification, orientation, and training actions for employees, partners, and relevant outsourced service providers;
Develop and apply actions aimed at the treatment and mitigation, as applicable, of legal and image/reputation risks in operations, products and services, as well as in contracting suppliers and partners;
To implement and manage the integrity program, aimed at preventing and fighting fraud, deviations, and other illicit practices, with special focus on anti-corruption issues in dealing with government bodies and entities;
To elaborate a periodic report, at least annually, to be submitted to the Board of Directors, containing a summary of the results of the Compliance activities, its main conclusions, recommendations and measures adopted; and
To provide support and report systematically and timely the situations involving Compliance Risk to the Board of Directors or other Senior Management bodies, as the case may be.
10.1 It is the duty of all Vixi Exchange Employees and Third Parties, in all units and countries of operation, to sign a term of adhesion to this policy, in order to attest their knowledge and agreement.
10.2 It is the duty of Vixi Exchange to collect and store the acceptance of the term of adhesion to this Policy, at the time of admission of Employees and at the beginning of the relationship with Third Parties.
10.3 The provisions of this Policy shall remain in effect for a period of one year, when it must be reviewed.
Establish the steps and controls to know the transactions and report to the competent authorities, under the terms of the applicable legislation and in accordance with the best market practices.
Applies to Vixi Exchange employees, partners and customers, as of 06/03/2021.
CNPJ: National Register of Legal Entities;
COAF: Council for Financial Activities Control;
Contributor(s): all the employees of Vixi Exchange, as well as all those who have a post, function, position, or corporate, employment, commercial, professional, contractual or trust relationship with Vixi Exchange, as well as interns and trainees;
CPF: National Registry of Individuals;
KYC: Know Your Client process, designed to get to know, verify and classify Vixi Exchange's clients;
KYP: Know Your Partner process, designed to get to know, verify, and classify Partners;
Partner: individuals or companies that do business with Vixi Exchange;
PEP: as defined in item 11 of the Vixi Exchange Money Laundering Prevention and Combating the Financing of Terrorism Policy.
4.1.1 Vixi Exchange is responsible for adjusting the transactional limits of its Partners and customers, assigned individually by CPF or CNPJ.
4.1.2 In establishing the transactional limit, Vixi Exchange takes into account the amount requested by the Partner, KYP/KYC results of the Partner or customer in reference, among other criteria it deems relevant.
4.2.1 Vixi Exchange records and monitors all transactions made, products and services contracted that pass through its platform and collects, at a minimum, the following information:
Type;
Value (where applicable);
Date held;
Name and CPF or CNPJ registration number of the owner and the beneficiary of the operation;
Financial channel/operation used.
4.2.2 In the case of transactions related to payments, receipts and transfers of funds, by means of any instrument, the following information is included in the register:
Name and CPF or CNPJ registration number of the sender or drawee;
Name and CPF or CNPJ registration number of the recipient or beneficiary;
Identification codes, in the payment settlement or funds transfer system, of the institutions involved in the transaction;
Numbers of the branches and accounts involved in the operation.
4.2.3 In the case of transactions with cash funds of an individual value greater than R$ 2,000.00 (two thousand reais), the name and respective CPF enrollment number of the holder of the funds are included in the register.
4.2.4 In the case of deposits or contributions in kind of an individual amount greater than R$ 50,000.00 (fifty thousand reais), the following information is included in the record:
Name and respective CPF or CNPJ enrollment number of the resource owner;
Name and CPF (taxpayer identification number) of the resource holder;
Origin of the deposited or contributed resources.
4.3.1 Based on the monitoring performed (item 4.2), some operations, situations or services provided will be selected as suspicious, namely:
Those that may constitute signs of money laundering or terrorism financing, considering the parties involved, the amounts, the ways of accomplishment, the instruments used, or the lack of economic or legal grounds;
Those that, by their habitual nature, value or form, are an artifice that aims to circumvent the identification, qualification, registration, monitoring and selection procedures;
That present evidence of concealment or dissimulation of the nature, origin, location, disposition, movement or property of assets, rights and values;
That are incompatible with the customer's financial capacity, including assets, income (natural person), or billing (legal entity);
Transactions with PEP (in line with Vixi Exchange's Anti-Money Laundering and Combating the Financing of Terrorism Policy) of Brazilian nationality and their representatives, family members or close associates;
Operations with representatives, family members or close associates of politically exposed persons;
Operations with foreign politically exposed persons;
Customers and transactions for which it is not possible to identify the final beneficiary;
Operations originating from or destined for countries or territories with strategic deficiencies in implementing the recommendations of the Financial Action Task Force (FATF);
Situations in which it is not possible to update customer registration information;
Operations and situations that may indicate suspicion of terrorist financing.
4.3.2 Transactions to which a sanctioned person or country is a party or ultimate beneficiary are strictly forbidden.
4.4.1 Upon receiving an alert from the system/platform, the Vixi Exchange Compliance area will conduct an analysis of the suspicious transaction/situation.
4.4.2 The aforementioned analysis will take into consideration the information in item 4.3, the information related to the KYP/KYC of the Partner/customer in reference, among other points that Vixi Exchange deems relevant.
4.4.3 The aforementioned analysis will result in a "Suspicious Operation Report", which will be discussed with the "Compliance Committee" that, by majority vote, will define whether or not to communicate the suspicious operation or situation to COAF.
4.4.4. The period for performing the analysis procedures of suspect operations will not exceed 45 (forty-five) days, counted from the date of selection of the operation or situation.
4.4.5. The "Compliance Committee" is composed of the following members:
CEO Vixi Exchange;
Legal Head;
Head of Compliance.
Establish the steps and controls for customer knowledge and prevention of money laundering, applicable to the registration and record-keeping related to individuals and legal entities holding digital accounts linked to Vixi Exchange in digital platform.
Applies to Vixi Exchange Employees and Third Parties, as of 06/03/2021.
BCB: Central Bank of Brazil;
BCB Circular 3.978: Circular 3.978, of January 23, 2020, of the Central Bank of Brazil;
Contributor(s): all the employees of Vixi Exchange, as well as all those who have a post, function, position, or corporate, employment, commercial, professional, contractual or trust relationship with Vixi Exchange, as well as interns and trainees;
Board of Directors: is a group made up of members of the Vixi Exchange Board of Directors. The Board has the function of monitoring the company's projects and their respective results, as well as deliberating and directing the referred projects based on the best interests of the company;
PEP: as defined in item 11 of the Vixi Exchange Money Laundering Prevention and Combating the Financing of Terrorism Policy;
PLD/CFT: preventing money laundering and combating the financing of terrorism;
RFB: Receita Federal do Brasil;
Third Party(ies): suppliers and providers of goods and services, representatives, intermediary agents, attorneys-in-fact, technical consultants, expediters, external collaborators and/or any other third parties acting on behalf, benefit or interest of Vixi Exchange.
4.1 In its registration, KYC and Onboarding procedures, Vixi Exchange complies with all provisions contained in laws and regulations of the BCB and with the guidelines of self-regulatory entities of the crypto-asset industry, as best practices, adopting procedures that ensure the identification, qualification and classification of its customers.
4.2. The execution of customer registration for the purpose of opening digital accounts linked to the Vixi Exchange platform must obtain, at a minimum, the information set forth herein, in accordance with the terms of Law No. 9613 of March 3, 1998 and BCB Circular 3.978.
4.3 Data to be collected at the time of registration:
Full Name;
Mother's full name;
Date of birth;
Registration number in the National Registry of Individuals of the Ministry of Economy (CPF);
Home address;
Cell phone number and Direct Distance Dialing (DDD) code;
E-mail;
Self-declaration of "Politically Exposed Person - PEP";
Occupation.
In the case of operations involving an individual residing abroad who is not required to register with the CPF, the type and number of the travel document and respective issuing country will be collected.
Company name or corporate name;
Address of the registered office and/or branch office;
Main activity;
Form and date of incorporation;
Registration number in the National Register of Legal Entities of the Ministry of Economy (CNPJ);
Listed information about natural persons for all partners (with the exception of professional occupation and salary range).
Note: For the qualification process of the legal entity, all the shareholders must be included in the analysis, until the identification of the natural person classified as the final beneficiary of the entity, to which must be applied, at least, the same verification and validation procedures applicable to the risk category of the legal entity client in which the final beneficiary has a shareholding.
4.3.1 For the purposes of this KYC Procedure, the following shall be considered the final beneficiary: i) the natural person participating in the corporate chain of interest of the legal entity with interest equal to or higher than twenty percent (20%); and ii) the representative, including the attorney-in-fact and proxy, who exercises the de facto command over the activities of the legal entity.
4.4 Documents to be collected at the time of registration:
Photo, front and back, of the same ID document (RG or CNH);
Selfie of the document holder holding the respective document;
Proof of residence.
Self-declaration of annual turnover;
Acts of incorporation of the company and of its partners that are legal entities (PJs);
Photo, front and back, of the same ID document (RG or CNH) of all members;
Selfie of each member holding the respective document;
Proof of residence for all partners.
4.5 In the selfie, the bearer must be holding the same document as in the front and back photos. The bearer must not be wearing objects that obstruct his or her face.
4.6 All photos of documents must be crystal clear.
4.7. In the case of legal entities incorporated as publicly-held companies or non-profit entities, the registration information must include the natural persons authorized to represent them, as well as controllers, administrators and directors, if applicable.
4.8. The documents submitted by the cardholder to fill out the registration form must be legible, in good condition and without erasures. Documents and information submitted outside these conditions will be rejected, at the risk of compromising the true identity of the holder.
4.9. For clients who are legal entities incorporated or headquartered abroad:
Registration number and/or company identification;
Address of the company's headquarters and/or branches abroad;
Letter from the client about his risk qualification by overseas financial entities.
5.1. The registration of clients and analysis of the information provided occurs through the adoption of procedures and controls that allow the verification and validation of the identity of the holder, the authenticity of the information required, as well as procedures relating to PLD/CFT, including by comparing the information with that available in public or private databases.
5.2 Such procedures and controls are made possible through consultations to certain databases, such as, but not limited to, public records, credit protection agencies and RFB, in order to confirm the veracity of the information provided by the holders. Data analysis and cross-referencing services are also used in digital environments (big data), in order to seek greater security about the data provided.
5.3 In addition to public databases, Vixi Exchange uses contracted tools to validate the registration information and subsequent updates, containing national and international data.
5.4 The registration information and the information contained in the attached documents are automatically validated in the aforementioned tools.
6.1 The Compliance area of Vixi Exchange performs automated checks at the time of customer registration, as well as performing periodic checks after entering the platform (via APIs).
6.2 The Compliance area, in the KYC analysis, checks especially:
Negative media;
Possible classification as PEP;
Enrollment in restrictive lists, the main ones being: OFAC, United Nations Security Council, and Interpol;
Existence of administrative and/or judicial proceedings.
6.3 Checks of individuals include potential corporate participation of these individuals in business companies.
6.4 Checks on legal entities include their partners and other companies in which these partners have an equity stake.
7.1 If the system finds any inconsistency in the data or any warning point (e.g. classification as a PEP, blacklisting, or criminal record), the client's record is sent to a manual check.
7.2 The manual analysis is conducted by a compliance analyst, who will check the client's data and information more thoroughly, according to the situation reported by the system.
7.3 The manual analysis of a client will always result in the production of the "KYC Analysis Report", containing the client's data, what was found in compliance checks, other information that the analyst considers important, date of analysis, analyst's name, and the client's risk score, as per item 9.
7.4 For clients that resulted in a PEP alert, Compliance shall classify the PEP exposure level.
7.5 Because of the positions they hold, PEPs can be associated with crimes of tax evasion, embezzlement or corruption. This is because PEPs are all those people who hold or have held, in the last five (5) years, important public functions, both in Brazil and abroad.
7.6 For clients that resulted in a PEP alert, Compliance must classify the PEP exposure level according to the following criteria:
PEP Holder: Politicians, judges, prosecutors, general officers, diplomats, and political advisors to the executive or legislative branch;
Related PEP: People close to the person holding the position, such as family members, friends, and employees;
Critical PEP: History of investigations of crimes of tax evasion, embezzlement and corruption. In this case, the rating will automatically be "VERY HIGH", in line with item 8 of this procedure.
8.1. The registration will be automatically blocked in cases of:
CPF contains any irregularity with RFB;
Existence of death certificate;
Name or date of birth inconsistent with the databases; and/or
Presence on sanction list or involvement in financial crime (manual analysis).
9.1 As provided in BCB Circular 3.978 and in line with Vixi Exchange's business model, we have established below the criteria for classifying the risk profile of clients, both individuals and companies, as well as the entity's final beneficiary:
LOW: No relevant negative and financial factors related to the client;
MEDIUM: Some negative and financial factors related to the customer;
HIGH: Several negative and financial factors or some relevant negative factor;
VERY HIGH: Indications/evidence that the individual and/or legal entity is involved in financial crimes or is on a sanction list.
9.1.2 All customers will have a risk rating. Customers that are not sent to manual analysis will always be assigned the risk LOW.
9.1.3 As per item 7, every "KYC Analysis Report" will contain a risk classification linked to the client, which will be assigned by the Compliance analyst.
9.1.4 Vixi Exchange does not allow the opening of an account by a customer classified as risk "VERY HIGH".
9.1.5 The Compliance area will be responsible for monitoring, reviewing, and approving all the risk scores linked to each client and keeping a file with all the history of consultations and analysis results for a minimum period of 5 (five) years.
10.1 In order to keep the registrations up to date and conduct compliance checks, the system developed by Vixi Exchange must periodically check its clients in the analysis tools.
10.2 The updates and rechecks occur periodically according to the risk attached to the client:
LOW: every 9 (nine) months;
MEDIUM: every 6 (six) months;
HIGH: every 3 (three) months.
10.3 Vixi Exchange reserves the right to immediately block and/or cancel an end customer's account if the end customer fails a periodic recheck conducted by the system.
10.4 Clients will be instructed to keep their registration information permanently updated. If the information is suspected to be outdated, a recheck may be performed regardless of the frequency set forth in item 10.1.2.
10.5 New checks may be performed in case the business relationship between the client and Vixi Exchange evolves and/or the client's risk profile changes.
Define the activities, controls and criteria for the identification and classification of Partners, in order to prevent money laundering crimes, financing of terrorism or concealment of assets, rights and values.
Applies to all Vixi Exchange Partners from 06/03/2021.
BCB: Central Bank of Brazil;
BCB Circular 3.978: Circular 3.978, of January 23, 2020, of the Central Bank of Brazil;
KYP: Know Your Partner process, designed to get to know, verify, and classify Partners.
Partner: individuals or companies that do business with Vixi Exchange.
PEP: as defined in item 11 of the Vixi Exchange Money Laundering Prevention and Combating the Financing of Terrorism Policy;
SFN: National Financial System;
4.1.1 This document has the following main objectives:
Certify a good integrity record;
Ensure the hiring of Partners according to pre-defined and standardized criteria;
Ensure appropriate experience and credentials for relationship with Vixi Exchange;
To prevent the use of the SFN for crimes such as money laundering, terrorist financing, trafficking, and other illicit activities;
Prevent the involvement of Vixi Exchange in acts that may fall under current laws and regulations, including:
Anticorruption Law - No. 12,846, of August 1, 2013.
Law for the Prevention of Money Laundering and Terrorism Financing - n. 9.613, of March 3, 1998.
BCB Circular 3.978;
4.1.2 The following situations regarding Partners are prohibited:
Enter into agreements and/or contracts with Partners: i) involved in cases of money laundering or terrorism financing; and ii) that have directors or officers qualified as PEP.
Make donations to political parties on behalf of the Partner;
Providing data that may jeopardize the Vixi Exchange Compliance Program; and
Forward incorrect or untruthful information to the review process.
4.1.3 The Compliance area will check the Partners: i) for reputation, by means of access to public and private contracted bases; and ii) for unacceptable information that may appear in restrictive lists.
4.1.4 Vixi Exchange will only do business with Partners of good reputation, with adequate technical qualification and that expressly commit to adopt the same zero tolerance policy regarding corruption, money laundering and financing of terrorism adopted by Vixi Exchange.
4.1.5 The analysis procedures will be defined by the Compliance area, proportionally i) to the risks faced by Vixi Exchange in each hiring and ii) to the relevance of the object of the service or partnership hiring.
4.1.6. The process for selecting and contracting Partners is composed of activities of utmost importance for Vixi Exchange, both for compliance with regulatory issues and for mitigating financial, legal and reputational risks.
4.2.1 For the commencement of any KYP analysis, the following documents must be provided by the Partner:
Name, ID, and registration number in the Ministry of Economy's National Registry of Individuals (CPF) of the company's managers with more than a 20% stake;
Social contract or bylaws and last alteration;
Proof of business address;
Copy of RG and CPF of the signatories of the contract/proposal;
In case of signature by proxy, copy of the power of attorney;
Copy of the National Register of Legal Entities card from the Ministry of Economy (CNPJ) of the company and its respective branches;
Billing Statement and/or Balance Sheet.
4.2.2 The aforementioned data and documents are received by the Compliance area of Vixi Exchange, and their analysis will always result in the production of the "KYP Analysis Report", containing the Partner's data, what was found in the checks, relevant information, media data, analysis date, risk classification and conclusion, according to item 4.3. below.
4.2.3 For Internal Auditing purposes and eventual requests from inspection agencies, all Analysis Reports - KYP will be filed in physical and/or electronic media for a period of no less than 5 (five) years.
4.2.4 Sending analysis reports to the requesting Partners is strictly forbidden; the area responsible for contacting the Partner may only communicate the "Approved" or "Not Approved" status.
4.2.5 In order to maintain an adequate internal control environment, the Partners will be checked periodically, according to the criteria defined in item 4.3.
Note: In the case of international partners, the required documentation can be adapted.
4.3.1 Based on the checking of all the aspects detailed in the "KYP Analysis Report", which will be subject to adjustments whenever necessary, the Partners will be classified according to the criteria below:
| Classification | Rationale | Conclusion | Rechecking |
|---|---|---|---|
| VERY HIGH | Evidence or strong indications that the company, partners or representatives are involved in financial crimes and/or are on a sanction list. | NOT APPROVED | Not applicable. |
| HIGH | Several negative factors related to the company, partners or representatives, or some isolated negative factor of great relevance or repercussion. | Deliberation of the "Compliance Committee". | If approved, every 6 (six) months. |
| MEDIUM | Some isolated negative factors of low relevance related to the company, partners or representatives. | APPROVED | Every 9 (nine) months. |
| LOW | No relevant negative factors related to the company, partners or representatives. | APPROVED | Every 12 (twelve) months. |
4.3.2 It is strictly forbidden to enter into business, contracts or agreements with Partners classified with risk "VERY HIGH".
4.3.3 The Partners classified with risk "HIGH" should be submitted immediately to the analysis of the "Compliance Committee" that, by majority vote, will decide for the approval or disapproval. If necessary, the Compliance Committee may request in-depth analyses from specialized professionals to support its decision.
4.3.4 The "Compliance Committee" is composed of the following members:
CEO Vixi Exchange;
Legal Head;
Head of Compliance.
E-mail: contato@vixiexchange.com.br
© VIXI Exchange Digital Services LTDA, 2022. All rights reserved