Anti-Money Laundering & Security Policy
Introduction & Policy Statement
Citizen Ticket (“ CT ” or “ us/we/our ”) takes seriously the threat of money laundering across our platform (which includes our website at http://www.citizenticket.com/ , our Ticket Wallet and Organiser Toolbox mobile applications – collectively, the “ Site ” or “ Platform ”). We take considerable steps to prevent this from happening, and if it does happen, we endeavour to manage the issue appropriately based on any anti-money laundering (“ AML ”) rules and regulations applicable to CT. CT is constantly looking to improve and innovate our systems to make the most secure and robust system possible, protecting all stakeholders.
It is our policy to conduct all of our business in an honest and ethical manner. We take a zero-tolerance approach to money laundering and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships.
Any employee who breaches this AML & Security Policy (the “ Policy ”) will face disciplinary action, which could result in dismissal for gross misconduct. Any non-employee who breaches this Policy may have their contract terminated with immediate effect.
This Policy does not form part of any employee's contract of employment and we may amend it at any time. It will be reviewed regularly.
The purpose of this Policy is to:
set out our responsibilities, and of those working for and on our behalf, in observing and upholding our position on AML; and
provide information and guidance to those working for and on our behalf on how to recognise and deal with any money laundering issues.
Below are some of the measures and considerations in place around money laundering and security.
All client funds are held in trust by CT in a ring-fenced client account (Bank of Scotland), which is kept separate from CT’s operating business and deposit accounts. Client funds are ‘off balance sheet’ for CT and Bank of Scotland.
The CT client account adds an extra layer of protection to CT clients’ revenue. CT operates strict client accounting procedures, reconciling the account daily and exercising meticulous due diligence when dealing with client funds and transfers.
CT has been fully Payment Card Industry (“ PCI ”) compliant since 2013 via payment gateway Opayo (formerly Sage Pay) and its parent Elavon, a global payments company.
CT is fully insured via Hiscox Insurance for professional indemnity, public liability, cyber security and data security.
Compliance & Customer Due Diligence
Customer due diligence (“ CDD ”) checks are carried out on any new clients engaged by CT. CDD measures will also be applied to existing clients, as and when appropriate, on the bases of risk and materiality.
CT takes appropriate steps to identify and assess any possible risks of money laundering and terrorist financing, and has established an up-to-date, written risk assessment and a written policy on how to manage such risks.
CT has a nominated officer – Money Laundering Reporting Officer (“ MLRO ”) – who is responsible for CT complying with any applicable anti-money laundering laws and regulations.
All CT employees are made aware of the relevant laws and regulations and are provided with training on how to recognise and deal with transactions that may be related to money laundering.
CDD is also carried out on our business partners and clients (e.g. event organisers) to ensure that they are compliant with any applicable data protection laws (such as the UK GDPR). CT has an internal data protection team, which is responsible for CT’s ongoing compliance and reporting responsibilities as regards personal data control, processing and breaches. All CT staff are fully trained in handling personal data in line with applicable laws and regulations. Processing of personal data is undertaken based on the express consent of data subjects via the Platform.
Any suspicious activities identified on the Platform (such as events uploaded and promoted with unusually high ticket prices) are immediately investigated. Equally, any bulk purchase of tickets with a regular amount of £10,000 (or equivalent amount in foreign currencies or more) are investigated by CT.
CDD involves steps such as identifying and verifying the relevant party (via CT I.D. (as explained further below), where possible), obtaining information on the nature of its business and details of any of its beneficial owners. CDD is carried out before CT establishes a business relationship with any party or in any event, before CT allows events and tickets to be made live on the Platform. CT conducts CDD on all of their business partners and customers, regardless of the perceived risk levels and whether or not CT carries out any business activities covered by anti-money laundering regulations at any relevant time. Depending on the risk involved, the level of CDD (i.e. standard, simplified or enhanced) to be applied in each case may vary.
Citizen Ticket I.D. (CT I.D.)
Our natively built CT I.D. feature helps to make events safer and more secure by verifying that event organisers and ticket purchasers are real legal persons (be it individuals or genuine corporate bodies), and not bots or computer-generated profiles.
CT I.D. helps prevent unwanted ticket resales and allows event organisers to know who is in attendance (as opposed to who has simply purchased tickets). It can also remove the need for ID checks on entry to an event.
CT I.D. has an added benefit of helping protect against money laundering activities and strictly manages end-users for high value events and tickets. These stringent ID checks work as a deterrent to any person looking to use the Platform in an inappropriate manner.
How CT I.D. works in simple terms:
Users quickly & securely upload their government ID and a ‘selfie’ video so that we can verify that the individuals are real.
CT securely stores a small photo that door staff will see when users enter the event in question.
CT I.D. allows us to effectively manage genuine fan-to-fan ticket exchanges, while ensuring that potential criminals cannot take advantage of CT’s platform technology.
High value events will require a verified CT I.D. in order to purchase & transfer tickets. Some events will require a verified CT I.D. for entry - this is notified to end-users before purchase.
Once an ID has been verified (usually within a few days), any sensitive personal data is deleted from the CT system, apart from a small greyscale photo which is kept for event entry purposes. Following the event, this is then deleted from the CT system.
Compliance and Monitoring
CT will take reasonable care to establish and maintain appropriate systems and controls for compliance with its AML obligations and to counter the risk that it might be used to further financial crime. CT will also take reasonable care to ensure adequate records are maintained for AML purposes.
UK GDPR Compliance
We are committed to protecting and respecting the privacy of both event organisers and ticket purchasers who use our platform. The personal data we may collect or otherwise process include:
Identity data, including first name, maiden name, last name, marital status, title, date of birth and gender;
Contact data, including billing address, delivery address, email address, social media handles and telephone numbers;
Transaction data, including details about payments to and from CT customers and other details of products and services CT customers have purchased from us or other transactions between them and us;
Technical information, including: the Internet protocol (IP) address used to connect the end-user’s computer or other enabled device to the Internet, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
Information about each visit to our Platform, including the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time); page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page; and
Profile data, including usernames and passwords of customers who hold a CT account, purchases or orders made by the relevant CT customer, their interests, preferences and feedback and survey responses.
We may receive personal data of CT customers through close collaboration with third parties (such as, event organisers, sub-contractors and service providers in technical, payment and back-up and data storage services, advertising networks, analytics providers, search information providers, credit reference agencies).
All personal data is stored on servers located in the UK and is not transferred outside of the UK. Personal data will only be retained for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. However, in some instances, personal data may need to be retained for a longer period – for example, if we reasonably believe there is a prospect of litigation in respect to our relationship with a CT customer.
CT customers have the right to request access to, rectification or erasure of, their personal data, or restrict or object to our processing of their personal data, as well as the right to data portability. They can do this via the account settings on our Site, where they can download, amend or delete all of the data we hold on them.