This chapter describes the operational processes, controls, and reporting for KYC/AML and regulatory reporting. It provides detailed insight into the measures taken by ecrop GmbH to comply with applicable regulations and combat money laundering and terrorist financing.

Identification, Verification, and Monitoring

  • Identification & Verification: ecrop utilizes the PostIdent procedure of Deutsche Post (KYC/AML service provider) for automated identity verification. This multi-step process includes the collection and verification of identification data (e.g., ID card details, address), as well as biometric verification. Data from third-party providers is also collected to verify client identities and validate the information provided. All collected data is encrypted and stored securely, protected from unauthorized access.

  • Risk Classification: Clients are categorized into different risk levels based on the collected data and information (e.g., PEP status, transaction volume, country of origin). This classification enables risk-based client management and tailoring of due diligence measures to the respective risk profile.

  • Ongoing Monitoring: Client activity is continuously monitored to detect suspicious transaction patterns and behavioral changes. Rule-based systems and machine learning algorithms are employed for this purpose. Monitoring is conducted in real time, and all data is logged in a secure audit trail.

  • Enhanced Due Diligence (EDD): EDD measures are performed for high-risk clients to minimize the risk of money laundering and terrorist financing. This includes, for example, obtaining additional information on the client’s background and business activities. EDD measures are adjusted and documented based on the assessed risk.

ecrop GmbH has implemented comprehensive controls to ensure compliance with KYC/AML requirements:

  • Plausibility Checks: Entered data is automatically checked for consistency and plausibility to ensure data quality and prevent errors.

  • Sanctions Screening: Client data is screened against international sanctions lists (e.g., OFAC, EU sanctions list, DNK lists) to identify individuals subject to sanctions.

  • Beneficial Ownership Identification: ecrop verifies the identity of the natural persons who ultimately control or own the assets. This helps prevent money laundering and terrorist financing.

  • Regular Reviews: Trained compliance officers review samples of client data and transactions to ensure the effectiveness of automated controls and identify potential risks early on.

ecrop GmbH generates comprehensive reports to document compliance with KYC/AML requirements and provide necessary information to regulatory authorities:

  • Transaction Monitoring Reports: All transactions are monitored and analyzed in real time to detect suspicious patterns using rule-based systems and machine learning algorithms.

  • Internal Reporting: Regular reports on KYC/AML activities and key performance indicators (KPIs) are provided to management and the risk management team. These reports include information on the number of verified clients, the number of suspicious activity reports (SARs) filed, and the average processing time for KYC requests.

  • External Reporting: Suspicious transactions are reported to the Financial Intelligence Unit (FIU) in accordance with legal requirements. Reporting is conducted electronically via a secure reporting system (goAML).

  • Key Performance Indicator (KPI) Reporting: KPIs related to KYC/AML compliance are collected and reported, e.g., number of verified clients, number of SARs filed, and number of EDD checks performed.

Regulatory Reporting: Transparency and Compliance

  • Reporting: ecrop fulfills all regulatory reporting obligations and documents these activities in accordance with the requirements of relevant laws and regulations. This includes:

    • Reports to BaFin: ecrop reports transaction data and other relevant information related to crypto custody to BaFin. These reports include all transaction details, such as the type of transaction, timestamp, involved parties, addresses of the wallets involved, and the value of the transaction. (Reference: KryptoWTransferV)

    • Reports to the FIU: Suspicious transactions that may indicate money laundering, terrorist financing, or other criminal activities are reported to the Financial Intelligence Unit (FIU) as required by § 43 GwG. (Reference: GwG)

    • Other Reports: Additional reports to BaFin, e.g., those related to the supervision of crypto custody or suspected market abuse, are submitted as required by law. (Reference: KWG, MAR)

  • Documentation: ecrop meticulously documents all relevant processes and transactions related to regulatory reporting. Documentation is maintained electronically and stored in a secure document management system (DMS). ecrop GmbH ensures that all documentation is complete, up to date, traceable, readily available, readable, and tamper-proof throughout the legally mandated retention period. (Reference: GoBD - Principles of Orderly Accounting and Storage of Books, Records and Documents in Electronic Form and Data Access).

  • Archiving: Documentation and all relevant data are archived in accordance with legal and regulatory requirements. Archiving is carried out in a secure and audit-proof archive system.

  • Data Quality Controls: Reported data is subject to rigorous quality controls to ensure completeness, accuracy, and consistency.

  • Compliance Checks: Processes and systems are regularly reviewed to ensure compliance with regulatory requirements.

  • Regular Reviews: Trained compliance personnel conduct regular reviews of reported data and processes to ensure the effectiveness of controls.

  • Regular Reports: ecrop generates regular reports for management and supervisory authorities on regulatory reporting activities and KPIs.

  • Ad-hoc Reports: Ad-hoc reports are generated as needed, for example, in response to changes in regulatory requirements or identified anomalies.