Internal Policy BitBay

I. Introduction

In the content of this internal policy adopted and used by the operator of the BitBay exchange, we want to provide you, in a comprehensive manner and in accordance with valid legal regulations, with a description of how we act in order to counteract money laundering and financing of terrorism by means of cryptocurrencies. We present the legal basis of our actions and the assumptions and rules that directly apply to users of our exchange and influence the form of our services.

II. General information

The operator of the BitBay cryptocurrency exchange is BB Trade Estonia OÜ, a company based in Estonia at: Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 8a, 11415, entered into the Register of Companies under no. 14814864 (hereinafter the Company). Within the scope of the website (hereinafter called the Website) and its subdomains, the Company provides electronic services based on bringing users together via the Website so that they can conclude transactions involving the purchase or sale of cryptocurrencies available on the Website.

BB Trade Estonia OÜ is licenced to provide the exchange of virtual currency for fiduciary currency (no. FVR001150 issued by Politsei- ja Piirivalveamet) and to provide virtual currency portfolio services (no. FRK001037 issued by Politsei- ja Piirivalveamet).

In accordance with applicable EU and national AML/CTF (Anti-Money Laundering / Counter-Terrorism Financing) provisions, the operator of the BitBay exchange, BB Trade Estonia OÜ, is an entity obliged to take actions aimed at counteracting the criminal use of business activity for money laundering and financing of terrorism and is subject to supervision by the Estonian Financial Intelligence Unit (FIU) of the Estonian Police and Border Guard Board in this respect.

IV. Internal anti-money laundering and counter-terrorism (AML/CTF) procedures

Each entity obliged in accordance with § 14 of the Act must have procedures regulating anti-money laundering and counter-financing of terrorism (AML/CTF) activities. These procedures specify the rules for application of due diligence measures, the risk identification and management model, methodologies and instructions on how to act in cases of suspected money laundering or financing of terrorism, the rules for storing and sharing data, the rules for training employees, and any other actions necessary for the effective functioning of the AML/CTF system.

Bearing the financial security of our users in mind, we have implemented a number of due diligence measures that are thoroughly specified in provisions of law. The procedures adopted by us define precisely the full scope of BitBay’s activities aimed at counteracting financial fraud and other forms of financial abuse made to the detriment of our users and the Internet community in its broad sense.

Due to the fact that AML/CTF procedures specify details of BitBay’s activities in formal, organisational and technological aspects, documents concerning these activities are not made publicly available. However, we assure you that they are consistent with applicable laws and that they are subject to evaluation by auditors and FIU supervision.

V. Due diligence measures

As an obliged entity, BitBay uses due diligence measures in accordance with § 19 of the Act. These consist in the identification and verification of a private customer (§ 21 of the Act), the identification and verification of a legal entity (§ 22 of the Act), the identification and verification of the actual beneficiary (§ 22 of the Act), the specification of the customer’s risk profile (§ 20 of the Act), the monitoring of business relations (§ 23 of the Act), the use of enhanced due diligence measures (§ 36 of the Act), the use of additional due diligence measures in legally stipulated cases (§ 38 of the Act), the use of increased due diligence measures towards persons from high-risk countries (§ 39 of the Act), the use of increased due diligence measures towards persons holding prominent political positions (called politically exposed persons – “PEP”) (§ 41 of the Act).

Acting in compliance with the law, BitBay tries to ensure that AML/CTF processes cause as little inconvenience as possible to users, while securing the implementation of all legally stipulated tasks of an obliged entity.

VI. Know Your Customer (KYC) process

In implementing the obligations specified in § 21 and § 22 of the Act, we are obliged to become familiar with and verify the identity of our customers. In the first phase, the user must enter his/her data into registration forms and fill in the AML questionnaire. The second phase is the verification of the customer, which must be based on independent and reliable sources – in our case, we have assumed that photographs of identity documents issued by government institutions (in the case of ascertaining the user’s identity) constitute a reliable and independent source; in the case of ascertaining the address, these are photographs of documents issued by independent and reliable institutions. A detailed catalogue of such documents is available on the verification pages in the Website; for the sake of example, however, we can indicate the following documents:

  • Official document
  • Bank account statement
  • Confirmation of a transfer made by the Customer
  • Telephone service/utility bill
  • Agreement with a bank or any other public trust institution

During registration, as part of the KYC process, the user is obliged to submit a number of statements, for example, about his/her employment status, average remuneration, country of employment, purpose of setting up an account, the expected amount of the investment and his/her investment experience. In addition, the user is asked about the origin of funds to be allocated to the platform, their legality and whether he/she is a politically exposed person or a person from the inner circle of such a person. All such information helps us learn more about the customer and make sure that transactions are consistent with our knowledge about the user. In each case, an employee of the Security Department may ask the user to send additional documents both in the case of private and corporate customers; this is always determined by the Company’s need to fulfil its statutory duties and should also be treated as a sign of concern for the user and protection of his/her significant legal interests.

VII. Private user identification

For the purposes of identification of a private customer, it is required to fill in the form submitted to the Website during the registration of the user’s account.

The customer may verify their account by attaching to the verification form two sides of an identity document (e.g., an identity card, a passport or a residence card) and a selfie photograph with the identity document used in the verification process. The photograph must show the full face of the person whose account is being verified along with the identity document held in his/her hand. It is very important not to process submitted photographs in any manner. A watermark may not be placed on the photograph nor may any part of the documents be covered. The submitted photograph of the document should be fully (1:1) consistent with the original.

The verification of identity documents on the Website is supported by specialist software made by Jumio, which scans submitted documents and checks both their substantive and formal aspects. Thus, any processing of the submitted photograph is treated as a falsification of the document and verification is automatically rejected. For the purpose of avoiding complications during the verification of your account, please adhere strictly to instructions specified on the verification pages of the website.

The fundamental rules of customer identification and verification are presented below:

  • The submitted copy of the document should be fully (1:1) consistent with the original (covering a fragment of the document or its processing in graphics software, e.g., adding a watermark, is unacceptable).
  • The identity document must not bear visible signs of damage.
  • All data on the document must be legible.
  • All four corners of documents must be visible.
  • The verification may only take place on the basis of an identity document that will remain valid for at least one month from the submission of the verification request.

Moreover, for verification purposes, it is also necessary to include a document confirming the customer’s address that is not older than 6 months from the date of issue. If any discrepancies are found, we are entitled to ask the customer for a video call in order to rule out any doubts regarding the verification of the user and data submitted by him/her.


In the case of verification of business entities, the identification process is more complex due to the fact that we must acquire information about the actual beneficiaries of verified entities and persons entitled to represent entities, the type of their business activity and business relations, as well as the origin of funds.

For this purpose, each corporate customer is required to fill out a detailed AML questionnaire. Moreover, a corporate customer is obliged to submit a copy of a document from the official register of companies that presents the structure of the company under verification. Please remember that the aforementioned document must reflect the factual state and may not be older than 3 months. In addition, a corporate customer is obliged to submit a scan of its articles of association and a document confirming who is the actual beneficiary of the entity concerned and confirming who has the right to represent the entity concerned if this is not immediately apparent from the aforementioned documents. For the purpose of verification of a corporate customer's representative, it is also necessary to submit a scan of an identity document, in accordance with the requirements relating to a private customer.

VIII. Monitoring of business relations

According to § 23 of the Act, BitBay is obliged to monitor business relations established within the scope of business activity by checking transactions for the purpose of ensuring the conformity of the transaction with knowledge about the customer, its activity and risk profile, determining the origin of funds and updating documents and data. The transaction monitoring process is performed with the use of dedicated AML software that defines transactions deviating from certain standards that have no justified, visible or lawful economic purpose. Each transaction identified in this manner is checked individually and usually verified directly with the user for the purpose of full compliance with the provisions of law. Please remember that the higher the amount of funds traded at the exchange by the user, the more intense due diligence measures BitBay is obliged to use towards the user in order to comply with the provisions of law.

IX. Limitations that may occur during the use of BitBay's services

On the basis of internal policy, FATF guidelines, the list of international sanctions or the list of high-risk industries, BitBay may refuse to establish economic relations with a customer or terminate relations already established if we find during the risk analysis process that the customer-related risk level is unacceptable to the Company.

X. Non-acceptable countries and high-risk countries

On the basis of internal policy and the list of international sanctions, BitBay reserves the right to refrain from concluding business relations with citizens, residents or entities based in or staying in countries included on the list of international sanctions. Moreover, because of a very high risk of money laundering and financing of terrorism, BitBay stipulates that it will not establish business relations with customers, residents or entities based in or staying in countries that have been identified as unacceptable countries by internal procedures. This situation results strictly from international guidelines and legal requirements and is absolutely not aimed at the discrimination of such persons due to their nationality.

List of non-acceptable countries and regions:

  1. Countries not co-operating in anti-money laundering activities:
    • a) Iran
    • b) Pakistan
    • c) São Tomé and Príncipe Islands
  2. Countries supporting terrorist activity:
    • a) Iran,
    • b) Libya,
    • c) Sudan,
    • d) Syria,
    • e) North Korea
  3. Countries and regions not acceptable for legal and licence reasons:
    • a) Crimea

In addition, the operator of the BitBay exchange as an obliged entity is obliged to use enhanced due diligence measures towards customers who are citizens, residents or entities based in or staying in countries that are recognised as high-risk countries in terms of money laundering. Enhanced due diligence measures involve, among other things, the additional verification of the customer, the collection of additional information about the purposes and type of commercial relations and transactions undertaken by the customer, and the identification and origin of funds being used. We stress that each establishment of business relations with a customer from a high-risk country requires the prior consent of the Management Board of the Company. In addition, more detailed questions regarding the identification and verification of the user, the understanding of its business relations or the ascertainment of the origin of funds should be expected. If we recognise the risk concerning AML/CTF as too high, we will not establish relations with the user or previously established relations will be dissolved.

List of high-risk countries:

  4. Countries and territories using harmful tax competition (“tax havens”):
  5. Countries producing drugs, in particular:

    • 1) Colombia
    • 2) the Golden Triangle (Burma, Laos and Thailand)
    • 3) the Golden Crescent (Afghanistan, Pakistan and Iran)
  6. High-risk countries resulting from the delegated regulation of the European Commission
  • 1) North Korea (DPR Korea)
  • 2) Afghanistan
  • 3) Bosnia and Herzegovina
  • 4) Guyana
  • 5) Iraq
  • 6) Lao People’s Democratic Republic
  • 7) Syria
  • 8) Uganda
  • 9) Vanuatu
  • 10) Yemen
  • 11) Ethiopia
  • 12) Sri Lanka
  • 13) Trinidad and Tobago
  • 14) Tunisia

Additional jurisdictions specified by the European Commission

  • 1) Afghanistan,
  • 2) American Samoa,
  • 3) Guam
  • 4) Iraq,
  • 5) Libya,
  • 6) Nigeria,
  • 7) Panama,
  • 8) Puerto Rico,
  • 9) Samoa,
  • 10) Saudi Arabia
  • 11) Virgin Islands
  1. High-risk countries
    • 1) Bahamas
    • 2) Botswana
    • 3) Cambodia
    • 4) Ghana
    • 5) Iceland
    • 6) Mongolia
    • 7) Panama
    • 8) Trinidad and Tobago
    • 9) Yemen
    • 10) Zimbabwe

In addition, as a part of managing the risk of money laundering and financing of terrorism, BitBay also uses enhanced due diligence measures towards entities operating in industries or conducting a kind of business activity that increases the risk of money laundering and financing of terrorism. A detailed list of industries and business activities generating a higher risk of money laundering and financing of terrorism is included in the appendix to the internal AML procedure.

XI. U.S. Tax residency

The applicable provisions of Estonian law oblige financial institutions to comply with the Foreign Account Tax Compliance Act (FATCA).

The American FATCA regulation puts foreign (non-American) financial institutions under an obligation to submit specific information about accounts kept for U.S. taxpayers to local fiscal authorities.

These institutions are obliged to identify American accounts – i.e., accounts held by tax residents of the United States of America – and to report information about these accounts and profits related to them to Estonian fiscal authorities.

BitBay is not registered on the website of the Tax Office of the United States of America and does not provide reporting services; therefore, for the purpose of compliance with the law, we prevent tax residents of the United States of America from using our services.

XII. Data storage and protection

According to § 47 of the Act, BitBay as an obliged entity is obliged to keep original documents or their copies that serve as a basis for the identification and verification of persons and documents serving as a basis for the determination of a business relation, correspondence and documentation of all activities conducted as a part of AML/CFT policy for a period not shorter than 5 years after the end of the business relation.

In practice, the above means that we are obliged to keep all data concerning the customer and its transactions for a period not shorter than 5 years after the end of co-operation between the user and BitBay.

BitBay is obviously obliged to protect personal data in accordance with the provisions of the Act and the regulations of the European Union.

With regard to personal data protection, BitBay complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also called the GDPR, unless the provisions concerning AML/CFT specify otherwise.