IMPLEMENTATION OF LAWS

THE EU ANTI MONEY LAUNDERING DIRECTIVE

In the implementation of this business plan, the company intends and undertakes to comply with the requirements established by Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (4th AMLD), which was adopted by the European Parliament and the Council in June 2015.
One of the main objectives of the 4th AMLD is to align EU AML/CFT legislation with the international standards on combating money laundering and the financing of terrorism and proliferation that the Financial Action Task Force (FATF), an international anti-money laundering standard setter, adopted in 2012.
The preventive measures set out in the 4th AMLD (except for the requirement to establish beneficial ownership registers) have been implemented into Liechtenstein law. The relevant provisions can be found in the Law on Professional Due Diligence to Combat Money Laundering, Organized Crime and Terrorist Financing (Due Diligence Act; DDA) and the associated Due Diligence Ordinance (DDO). The revised rules came into effect on 1 September 2017.

The 4th AMLD introduces a new definition of beneficial ownership with respect to legal persons and arrangements. Pursuant to the revised definition implemented in Article 3(1) DDO, the following persons are deemed to be beneficial owners in corporate bodies, including establishments with a corporate structure or trust enterprises, and companies without legal personality:

1. natural persons, who ultimately directly or indirectly:

  • hold or control a share or voting right amounting to 25% or more in such legal entities;
  • have a share of 25% or more in the profits of such legal entities; or
  • exercise control over the management of such legal entities in another way;

2. natural persons, who are members of the executive body if – after exhausting all alternatives and provided there are no grounds for suspicion – no such person as referred to in no. 1 can be identified.

With respect to foundations, trusteeships and establishments with a structure similar to that of a foundation or trust enterprise, the following persons must be identified as beneficial owners:

  1. natural persons, who are effective, non-fiduciary sponsors, founders or settlors, irrespective of whether they exercise control over the legal entity after its foundation;
  2. natural or legal persons who are members of the foundation board or board of directors or of the trustee;
  3. any natural persons who are protectors or persons in similar or equivalent functions;
  4. natural persons who are beneficiaries;
  5. if the beneficiaries have yet to be determined, the group of persons in whose interests the legal entity is primarily established or operated;
  6. in addition to the above, the natural persons who ultimately control the legal entity through direct or indirect ownership rights or in any other way.

Politically exposed persons.
The definition of “politically exposed person” (PEP) has been extended to encompass persons who are or have been entrusted with prominent public functions domestically, as well as senior figures in international organizations.

Business profile.
It is set out more explicitly in the revised law that the information obtained with respect to the customer and the beneficial owner (including information on the origin of the deposited assets, economic background of the assets, occupation and business activity of the effective contributor of the assets, and intended use of the assets) needs to be reviewed at regular, risk-based intervals. For higher-risk business relationships, this review needs to be performed at least every two years.

Suspicious transaction reporting.
It is now clearly set out in the revised DDA that the responsibility for submitting suspicious transaction reports to the Financial Intelligence Unit (FIU) Liechtenstein lies with the member appointed at the executive level (board of directors or supervisory board). Moreover, the FIU is now empowered to suspend the execution of a current transaction that might be connected with money laundering, predicate offences to money laundering, organized crime, or terrorist financing for a maximum period of two working days, irrespective of any suspicious transaction reports submitted. During this period the FIU may analyze the transaction, examine the reasons for suspicion, and subsequently forward the results of the analysis to the prosecution authorities.

Third-party reliance.
Even though this option is now only rarely used in practice, obliged firms may continue to have certain due diligence carried out by third parties, provided that they are domiciled in another EEA Member State or third country and their due diligence and record-keeping requirements and due diligence supervision are in line with the requirements of the 4th EU Anti-Money Laundering Directive. Based on the assessments of relevant international agencies, the FMA must issue a list of states that meet these requirements. The FMA is currently engaged in evaluating the relevant states.

 

THE EU GENERAL DATA PROTECTION REGULATION

In the implementation of this business plan, the company intends and undertakes to comply with the requirements established by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The purpose of the GDPR is to harmonize data protection requirements in European countries within the framework of the common EU data protection regulation. It applies to legal entities governed by public and private law, acting as a data controller or processor. The new law is aimed at protecting the rights and freedoms of individuals, increasing the trust of data subjects in the organizations that store or process their personal data, and strengthening the internal market of the EU. To achieve these goals, the GDPR offers a single set of rules governing the processing of personal data throughout the EU. However, the capacity of the GDPR to harmonize requirements across the EU is partly limited by so-called introductory articles, which allow EU countries to adopt their own laws and requirements relating to certain aspects of data processing.

These introductory articles may require controllers and data processors to comply with additional requirements and obligations, but do not change the provisions of the Regulation.

Fundamentals.
The GDPR introduces several new legislative requirements that may have a significant impact on the activities of the controller or processor. Therefore, each controller or processor needs to find out which GDPR requirements apply to it and ensure that they are properly implemented.

General principle.
In accordance with the general principles of processing, the GDPR requires that data processing be lawful, proportionate, transparent, adequate, accurate, secure, confidential, time-limited and consistent with stated purposes, subject to standards of responsibility and accountability (which implies the application of appropriate security measures, including technical and organizational measures, to ensure the integrity and confidentiality of data).

Personal data.
The GDPR clearly defines “personal data” as data relating to an identified or identifiable individual. Article 4(1) of the GDPR states: “an identifiable natural person is an individual who can be directly or indirectly identified, inter alia, by means of signs such as name, identification number, location data, online identifier or by one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.” This term explicitly includes metadata and other related data, such as IP addresses, cookies and other identifiers, as well as combinations of such data that can be traced back to an individual. The GDPR has expanded the previously used catalogue of special categories of personal data to include genetic data, biometric data when used to uniquely identify an individual, and data relating to criminal records and offences.

Legitimacy.
The processing of personal data is lawful only if it meets one of the criteria for the authorization of such processing established by the GDPR. In the absence of a direct authorization under the law, organizations are required to obtain consent from the individuals whose data will be processed.

This consent shall apply to all purposes for which the organization intending to process the data collects and processes the data; the Regulation also implies the right of an individual to withdraw the consent at any time. Therefore, concepts such as general consent or global consent for various undefined purposes are not applicable to the processing of personal data.

Accountability.
The GDPR is aimed at increasing the accountability of organizations processing personal data and increasing the transparency of the processed data. Despite the similarities in structure and substance between the GDPR and the current EU Directive, the new regulation provides for much more stringent measures for its implementation. Penalties for violations of the Regulation are extremely severe, including administrative fines of up to 4 per cent of the organization’s global annual turnover or 20 million euros (the larger of the two amounts applies). Potential claims for damages and other legal liability risks are intended to encourage companies to develop the internal structures and processes necessary to ensure compliance with the provisions of the Regulation.