Anti-Money Laundering & Know Your Customer Policy
Last Updated: February 2026
1. Introduction and Purpose
This Anti-Money Laundering and Know Your Customer Policy ("AML/KYC Policy") sets out the principles, procedures, and controls that Cibeeo Inc SRL ("Cibeeo," "we," "us," or "our"), the operator of the VebboPay platform ("VebboPay" or the "Service"), has implemented to prevent, detect, and report money laundering, terrorist financing, and other financial crimes. This Policy applies to all employees, officers, directors, contractors, and agents of Cibeeo Inc SRL, as well as to all users of the VebboPay platform.
2. Legal Framework
This AML/KYC Policy is designed to comply with the following legislation and regulatory frameworks:
- Directive (EU) 2015/849 — Fourth Anti-Money Laundering Directive (4AMLD), as amended
- Directive (EU) 2018/843 — Fifth Anti-Money Laundering Directive (5AMLD/AMLD5), extending AML obligations to virtual currency providers, prepaid card issuers, and enhancing beneficial ownership transparency
- Directive (EU) 2018/1673 — Sixth Anti-Money Laundering Directive (6AMLD/AMLD6), harmonizing the definition of money laundering criminal offences, extending criminal liability to legal persons, and introducing stricter penalties
- Regulation (EU) 2023/1113 — Transfer of Funds Regulation (TFR) recast
- Romanian Law No. 129/2019 — for preventing and combating money laundering and terrorist financing, as amended
- Romanian National Office for Prevention and Control of Money Laundering (ONPCSB) — guidelines and supervisory requirements
- Financial Action Task Force (FATF) Recommendations
- European Banking Authority (EBA) Guidelines on customer due diligence and risk factors
3. Risk-Based Approach
Cibeeo Inc SRL adopts a risk-based approach to AML/KYC compliance, as mandated by the EU AML Directives and FATF Recommendations. This means we:
- Conduct a comprehensive business-wide risk assessment to identify and assess money laundering and terrorist financing risks
- Allocate resources proportionally to the risks identified
- Apply simplified due diligence where risks are demonstrably lower, standard due diligence as a baseline, and enhanced due diligence where risks are higher
- Regularly review and update our risk assessment to account for new threats, products, services, and technologies, including the autonomous AI agent capabilities of VebboPay
- Document our risk assessment methodology and its findings for regulatory review
- Classify customers, products, services, delivery channels, and geographic areas into risk categories (low, medium, high) and apply proportionate measures accordingly
4. Customer Due Diligence (CDD)
4.1 When CDD Is Required
We perform Customer Due Diligence in the following circumstances:
- At the establishment of a business relationship (account opening)
- When carrying out an occasional transaction above the applicable threshold (€15,000 or equivalent)
- When there is a suspicion of money laundering or terrorist financing, regardless of transaction amount
- When there are doubts about the veracity or adequacy of previously obtained customer identification data
- When a user configures an AI Agent for autonomous financial transactions
4.2 Standard CDD Measures
Standard CDD includes the following measures:
- Identifying the customer and verifying their identity on the basis of reliable, independent source documents, data, or information
- Identifying the beneficial owner(s) and taking reasonable measures to verify their identity
- Assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship
- Conducting ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship
4.3 Simplified Due Diligence (SDD)
In accordance with Articles 15–17 of the 4AMLD, Cibeeo Inc SRL may apply Simplified Due Diligence measures where a lower risk of money laundering or terrorist financing has been identified through our risk assessment. SDD may be applied in the following circumstances:
- Customers that are publicly listed companies subject to disclosure requirements ensuring adequate transparency of beneficial ownership
- Customers that are public administrations or enterprises of EU/EEA Member States
- Products or transactions with limited value thresholds and restricted functionality (e.g., certain low-value prepaid instruments)
- Financial institutions that are themselves subject to AML/KYC requirements and supervision within the EU/EEA
Even where SDD is applied, Cibeeo Inc SRL continues to monitor transactions for suspicious activity and will escalate to standard or enhanced due diligence if indicators of higher risk emerge. SDD does not exempt the customer from identity verification; rather, it permits a reduced scope and frequency of verification measures.
5. KYC Verification Process
5.1 Individual Customers
For individual (natural person) customers, we require the following documents and information:
- Government-Issued Photo Identification: Valid passport, national identity card, or driving licence issued by an EU/EEA Member State or recognized third country
- Proof of Address: Utility bill, bank statement, or official government correspondence dated within the last three (3) months, confirming the customer's residential address
- Date of Birth and Nationality
- Tax Identification Number (TIN) where applicable
- Source of Funds Declaration: Information regarding the origin of the funds to be used on the platform (e.g., employment income, investment returns, savings, inheritance)
- Source of Wealth: For higher-risk customers or where transaction volumes warrant, documentation demonstrating the origin of overall wealth
5.2 Corporate and Business Customers
For legal entities, we additionally require:
- Certificate of incorporation or equivalent registration document
- Articles of association or equivalent constitutional documents
- Identification of all beneficial owners holding 25% or more of ownership or control
- Proof of registered office address
- Board resolution or power of attorney authorizing the account opening
- Identification documents for all directors, authorized signatories, and beneficial owners
- Latest audited financial statements where available
- Information on the ownership and control structure
5.3 Verification Methods
VebboPay utilizes a combination of automated and manual verification processes, including electronic identity verification, document verification through certified third-party providers, biometric verification (liveness detection), and manual review by trained compliance personnel where required.
6. Enhanced Due Diligence (EDD)
Enhanced Due Diligence is applied in situations that present a higher risk of money laundering or terrorist financing, including but not limited to:
- Customers who are or have been Politically Exposed Persons (PEPs), their family members, or known close associates
- Customers from high-risk third countries identified by the European Commission or FATF
- Complex or unusually large transactions, or unusual patterns of transactions that have no apparent economic or lawful purpose
- Correspondent banking relationships with institutions from non-EU/EEA jurisdictions
- Customers operating in high-risk sectors (e.g., gambling, crypto-assets, cash-intensive businesses)
- AI Agents configured for high-value or high-frequency autonomous transactions
EDD measures include, but are not limited to:
- Obtaining additional identification information and documents
- Conducting enhanced background checks and adverse media screening
- Establishing the source of funds and source of wealth through documentary evidence
- Obtaining senior management approval for establishing or continuing the business relationship
- Increasing the frequency and intensity of ongoing monitoring
- Conducting on-site visits where appropriate
7. Politically Exposed Persons (PEP) Screening
In accordance with Articles 20–23 of the 4AMLD and Romanian Law No. 129/2019, we maintain robust PEP screening procedures. All customers and beneficial owners are screened against comprehensive PEP databases at onboarding and on an ongoing basis. PEPs include:
- Heads of State, heads of government, ministers, and deputy or assistant ministers
- Members of parliament or of similar legislative bodies
- Members of the governing bodies of political parties
- Members of supreme courts, constitutional courts, or other high-level judicial bodies
- Members of courts of auditors or boards of central banks
- Ambassadors, chargés d'affaires, and high-ranking officers in the armed forces
- Members of the administrative, management, or supervisory bodies of State-owned enterprises
- Directors, deputy directors, and members of the board of international organizations
- Family members and known close associates of the above persons
PEP status does not automatically preclude a person from becoming a customer of VebboPay. However, all PEPs are subject to Enhanced Due Diligence, senior management approval, and enhanced ongoing monitoring.
8. Sanctions Screening
VebboPay screens all customers, beneficial owners, and transaction counterparties against applicable sanctions lists, including:
- European Union Consolidated Sanctions List
- United Nations Security Council Sanctions List
- Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) List
- HM Treasury Financial Sanctions List (UK)
- Romanian National Sanctions Lists
Sanctions screening is performed at customer onboarding, on a continuous basis against updated lists, and at the point of each transaction. Any positive match or potential match is escalated immediately for review by the Compliance team. Confirmed sanctions matches result in immediate freezing of the account and reporting to the relevant authorities.
9. Ongoing Monitoring and Transaction Surveillance
Cibeeo Inc SRL maintains ongoing monitoring of all customer relationships and transactions processed through VebboPay. Our monitoring framework includes:
- Transaction Monitoring: Automated systems that analyze transactions in real-time and retrospectively to detect suspicious patterns, including unusual volumes, frequencies, geographic patterns, and counterparty relationships
- AI Agent Activity Monitoring: Specialized surveillance of autonomous AI Agent transactions, including monitoring for anomalous agent behavior, activity that exceeds configured parameters, or patterns indicative of misuse
- Customer Profile Review: Periodic review and updating of customer risk profiles, information, and documentation based on a risk-based schedule
- Threshold-Based Alerts: Automated alerts triggered when transaction values or frequencies exceed pre-defined thresholds
- Behavioral Analytics: Detection of deviations from expected customer behavior based on their risk profile and historical activity
10. Suspicious Activity Reports (SARs)
Where we know, suspect, or have reasonable grounds to suspect that funds are the proceeds of criminal activity or are related to terrorist financing, we will:
- File a Suspicious Activity Report (SAR) / Suspicious Transaction Report (STR) with the Romanian Financial Intelligence Unit — Oficiul Național de Prevenire și Combatere a Spălării Banilor (ONPCSB)
- File reports with any other relevant Financial Intelligence Unit as required by applicable law
- Ensure that no "tipping off" occurs — employees are strictly prohibited from disclosing to the customer or any third party that a SAR has been filed or that an investigation is underway
- Retain all documentation related to the SAR filing and internal investigation
11. Record Keeping
In accordance with Article 40 of the 4AMLD and Romanian Law No. 129/2019, Cibeeo Inc SRL retains the following records for a minimum period of five (5) years after the end of the business relationship or the date of the occasional transaction:
- Copies of all CDD and EDD documents and information
- Records of all transactions, including the amount, currency, date, and parties involved
- Records of all AI Agent configurations, transaction logs, and audit trails
- Internal reports and analysis relating to suspicious activity
- Copies of all SARs filed and related correspondence with regulatory authorities
- Training records for all employees
Records may be retained for longer periods where required by national law, regulatory instruction, or ongoing investigation.
12. Money Laundering Reporting Officer (MLRO)
Cibeeo Inc SRL has appointed a designated Money Laundering Reporting Officer (MLRO) who is responsible for:
- Receiving and evaluating internal suspicious activity reports from employees
- Determining whether SARs should be filed with the ONPCSB or other relevant authorities
- Serving as the primary point of contact with the ONPCSB and other regulatory bodies
- Overseeing the development, implementation, and maintenance of AML/KYC policies and procedures
- Ensuring that AML/KYC training is provided to all relevant employees
- Reporting to senior management and the board on AML/KYC compliance matters
The MLRO has direct access to senior management and the board, and operates with sufficient authority and independence to carry out their responsibilities effectively.
13. Employee Training and Awareness
All employees, officers, and relevant contractors of Cibeeo Inc SRL receive AML/KYC training that covers:
- The legal and regulatory framework for AML/KYC
- How to identify suspicious transactions and behaviors
- Internal reporting procedures
- The consequences of non-compliance, including criminal liability
- Specific risks associated with autonomous AI Agent transactions on VebboPay
Training is provided at the time of hiring and refreshed on at least an annual basis, or more frequently when significant changes in legislation, regulations, or internal procedures occur.
14. Consequences of Non-Compliance
Non-compliance with this AML/KYC Policy or applicable AML/KYC laws and regulations may result in:
- For Users: Suspension or termination of the VebboPay account, freezing of funds, filing of SARs with relevant authorities, and reporting to law enforcement
- For Employees: Disciplinary action, up to and including termination of employment, and potential personal criminal liability under Romanian and EU law
- For Cibeeo Inc SRL: Regulatory sanctions, fines (up to €5,000,000 or 10% of annual turnover under 6AMLD for legal persons), reputational damage, and potential criminal prosecution of the company and its officers
15. Policy Review and Updates
This AML/KYC Policy is reviewed at least annually or whenever there are significant changes in applicable legislation, regulatory guidance, business operations, or the risk environment. All updates are approved by senior management and communicated to relevant employees and stakeholders.
16. Contact Information
For questions, concerns, or to report suspicious activity related to AML/KYC compliance, please contact our Compliance team:
- Email: compliance@vebbopay.com
- Company: Cibeeo Inc SRL
- Subject Reference: AML/KYC Compliance Inquiry