taler-docs

tops.rst (79716B)

---

 Taler Operations Deployment
 ===========================
 
 Definitions / Glossary
 ----------------------
 
 * GwG: German "Geldwäschegesetz", Swiss law regarding anti-money laundering
 * VQF: Verein für Qualitätssicherung im Finanzwesen, self-regulatory
   organization that Taler Operations AG is a member of and thus
   needs to stick to their rules
 * TmeR: German "Transaktion mit erhöhtem Risiko", i.e.
   high-risk transactions
 * GmeR: "Geschäftsbeziehung mit erhöhtem Risiko", i.e.
   high-risk business relationships
 * PEP: Politically exposed person
 * MROS: Money Laundering Reporting Office Switzerland
 * StGB: (Switzerland-specific:) Strafgesetzbuch, Swiss criminal law
 
 Regulatory Requirements Introduction
 ------------------------------------
 
 Regulatory requirements are set by `VQF <https://www.vqf.ch/indexen.html>`_
 and detailed in their SRO-Regulation document.  Our AML processes
 are based on their forms ("VQF Document Nr. 902.$x").
 
 Overview of High-Level Processes
 --------------------------------
 
 Establishing a Business Relationship
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 1. A business relationship must be established if the thresholds of 15,000 CHF
    per year or 2,500 CHF per month are exceeded. The GNU Taler transaction
    system automatically records the transaction volumes and notifies the
    customer when a business relationship needs to be established. At this
    point, transactions are then frozen until the business relationship is
    established.
 
 2. To do this, the customer must complete the corresponding VQF forms online
    and upload documents. The customer's address is then verified by sending a
    PIN letter. The customer must also submit a certified copy of their ID by
    postal mail. This is then digitally and physically filed. Alternatively, an
    identity check can in principle also be carried out manually by TOPS
    employees on site (in person) at the customer's premises. In this case, the
    ID copies must be signed by the TOPS employee.
 
 3. New business relationships are checked against the current sanctions list.
    An automatic preliminary check takes place first, and suspected cases are
    then processed manually.
 
 4. When all the required data has been provided, it is in any case checked
    manually by the AML officer. Finally, the AML officer must categorize
    the customer to to derive a risk profile. Based on the risk profile,
    risk-based rules are set for monitoring the business relationship. If
    the AML officer has concerns about the business, they
    escalate the case to the management as to whether the
    business relationship can be opened.
    The management can then make a final decision on acceptance or rejection.
 
 Monitoring a Business Relationship
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 1. For each business relationship, risk-based and customer-specific transaction
    limits are defined. If these are exceeded, an "alert" is automatically
    generated. These transactions must then be validated by the responsible
    customer consultant. All validated alerts are checked by the AML
    officer and either approved or returned to the customer consultant for further
    validation, or escalated to management for final decision-making or
    appropriate action.
 
 2. Business relationships are periodically reviewed and updated. The following rhythm applies:
 
    * every 5-7 years for low-risk business relationships
    * every 2 years for high-risk business relationships
    * annually for PEP relationships
 
    The review includes the verification of identification documents and any
    supporting documents submitted when the business relationship was
    established. Likewise, the information in the customer profile and the
    transaction behavior during the duration of the business relationship are
    reviewed.
 
 3. All business relationships are continuously and automatically checked
    against current sanctions lists, especially when a new sanctions list is
    available, without delay.
 
 4. Regardless of the risk category and the corresponding review frequency, a
    business relationship must be reviewed if special circumstances arise, such
    as negative press reports, unusual transactions and activities, etc.
 
 Terminating a Business Relationship
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 A business relationship is automatically considered terminated if no
 transactions have been processed with the GNU Taler system for over 12 months.
 
 Credit / Debit Restrictions
 ---------------------------
 
 Only Swiss IBANs (``CH...``) are allowed for both credit and debit transactions.
 
 
 Initial Threshold Rules
 -----------------------
 
 * Withdrawal
 
   * ``withdrawal-low``: 200 CHF per month => measure ``sms-registration`` (or ``postal-registration``)
   * 2500 CHF per month => measure ``verboten``
   * 15000 CHF per year => measure ``verboten``
 
 * Deposit:
 
   * ``deposit-zero``: 0 CHF => measure ``accept-tos``
   * Note: While there are no further DEPOSIT rules,
     the aggregate rules still apply after deposits
     have been made.
 
 * Aggregate:
 
   * 2500 CHF per month => measure ``kyx``
   * 15000 CHF per year => measure ``kyx``
 
 * Merge (p2p receive)
 
   * ``merge-zero``: 0 CHF => measure ``sms-registration`` (or ``postal-registration``)
   * 2500 CHF per month => measure ``verboten``
   * 15000 CHF per year => measure ``verboten``
 
 
 Measures
 ---------
 
 Measures that ask for information:
 
 * ``sms-registration``: Validate (Swiss) mobile phone number of customer via SMS TAN.
 
   * On success:
 
     * Remove rule ``withdrawal-low``
     * Remove rule ``merge-zero``
 
 * ``postal-registration``: Validate (Swiss) postal address of customer via snail mail with TAN.
 
   * On success:
 
     * Remove rule ``withdrawal-low``
     * Remove rule ``merge-zero``
     * If arriving at the form via ``kyx`` measure, continue with manual check by AML officer.
 
 * ``accept-tos``: Ask customer to accept terms of service.
 
   * On success:
 
     * Remove rule ``deposit-zero``
 
 * ``kyx``: Allow customer to initiate KYC/KYC process via form ``vqf_902_1_customer``.
 
   * On success:
 
     * Follow-up with other VQF-forms, or
     * ``postal-registration`` to validate submitted address, or
     * if everything is done AML officer must proceed manually with plausibilization.
 
 * ``form-902.9``: Allow customer fill out form to determine beneficiary owner.
 
   * On success:
 
     * Possibly more forms triggered via ``kyx``, or
     * ``postal-registration`` to validate submitted address, or
     * if everything is done AML officer must proceed manually with plausibilization.
 
 * ``form-902.11``: Allow customer fill out form to determine controlling person.
 
   * On success:
 
     * Possibly more forms triggered via ``kyx``, or
     * ``postal-registration`` to validate submitted address, or
     * if everything is done AML officer must proceed manually with plausibilization.
 
 
 Threshold Presets
 -----------------
 
 Threshold presets are presets that the AML officer can
 select after the verifying the customer's documents and conducting
 a risk assessment.
 
 Exact thresholds will depend on the busines type and risk and may
 be assigned fully individually. However, we have a few typical
 profiles:
 
 * E-commerce:
 
   * Merge: 0 CHF / month
   * Withdrawal: 0 CHF / month
   * Deposit: 25000 CHF / month (high-value transactions with Taler are suspicious)
   * Aggregate: 25000 CHF / month
 
 * Point-of-sale:
 
   * Merge: 25000 CHF / month (peer-to-peer transfers may happen there)
   * Withdrawal: 0 CHF / month
   * Deposit: 25000 CHF / month (high-value transactions with Taler are suspicious)
   * Aggregate: 25000 CHF / month
 
 
 Properties
 ----------
 
 Properties are registered at the GNU Taler Account Properties `GNU Taler Account Properties <https://git.taler.net/gana.git/tree/gnu-taler-account-properties>`_.
 
 * ``FILE_NOTE :: Text``:
 
   * Current note on the GWG file.
 
 * ``CUSTOMER_LABEL :: Text``
 
   * Customer name or internal alias.
 
 * ``ACCOUNT_OPEN :: Boolean``
 
   * Was this customer activated for deposit operations?
   * Only set after merchant passes KYC
   * We store this to know when to emit the ``(INCR|DECR)_ACCOUNT_OPEN`` and related events
 
 * ``PEP_DOMESTIC :: Boolean``
 
   * Is the customer a domestic PEP?
 
 * ``PEP_FOREIGN :: Boolean``
 
   * Is the customer a foreign PEP?
 
 * ``PEP_INTERNATIONAL_ORGANIZATION :: Boolean``
 
   * Is the customer a international org PEP?
 
 * ``HIGH_RISK_CUSTOMER :: Boolean``
 
   * Is the customer classified as high-risk?
 
 * ``HIGH_RISK_COUNTRY :: Boolean``
 
   * Is the customer associated with high-risk (VQF Dok. Nr. 902.4.1) country?
 
 * ``ACCOUNT_IDLE :: Boolean``
 
   * The account has been marked as idle (typically by a batch process that checks
     for idle accounts).
 
 
 * ``INVESTIGATION_STATE``
 
   * The MROS reporting state for the account.
   * Values:
 
     * ``NONE`` / undefined: No MROS reporting for that account
     * ``INVESTIGATION_PENDING``: Pending investigation.  The AML officer should
       submit ``vqf_902_14`` to conclude investigation.  Usually the property
       would be set by the sanction list tool or some AML program that detects
       an account crossing a threshold or an SQL trigger doing transaction
       monitoring (see ``tops-0001.sql`` for an example).
       The ``vqf_902_14`` form could also be used to start an
       investigation (by setting ``INCRISK_RESULT`` to ``OTHER``).
     * ``INVESTIGATION_COMPLETED_WITHOUT_SUSPICION``: Completed according to Art. 6 GwG
     * ``REPORTED_SUSPICION_SIMPLE``: Reported under Art. 305 StGB (German "einfacher Verdacht", simple suspicion)
     * ``REPORTED_SUSPICION_SUBSTANTIATED``: Reported under Art. 9 GwG (German "begründeter Verdacht", substantiated suspicion)
 
 * ``INVESTIGATION_TRIGGER :: Text``
 
   * Informal reason why the AML investigation was triggered;
     examples include suspicious transaction or (automated)
     sanction list match
 
 * ``SANCTION_LIST_BEST_MATCH :: Text``
 
   * Identifies the sanction list entry that the account matched against
     (best match, does not mean it was a good match)
 
 * ``SANCTION_LIST_RATING :: Integer``
 
   * [0,10**9] score for how good the sanction list match was
     (0: none, 10**9: perfect match)
 
 * ``SANCTION_LIST_CONFIDENCE :: Integer``
 
   * [0,10**9] score for how much supporting data we had for
     the sanction list match (0: none, 10**9: all fields available)
 
 * ``SANCTION_LIST_SUPPRESS :: Boolean``
 
   * Suppress flagging this account when it creates a hit on a sanctions list, this is a false-positive.
 
 
 Events
 ------
 
 Account opening/closing:
 
 * ``INCR_ACCOUNT_OPEN`` /  ``DECR_ACCOUNT_OPEN``
 
 PEP/Risk classification:
 
 * ``INCR_HIGH_RISK_CUSTOMER`` / ``DECR_HIGH_RISK_CUSTOMER``
 * ``INCR_HIGH_RISK_COUNTRY`` / ``INCR_HIGH_RISK_COUNTRY``
 * ``INCR_PEP`` / ``DECR_PEP``
 * ``INCR_PEP_FOREIGN`` / ``DECR_PEP_FOREIGN``
 * ``INCR_PEP_DOMESTIC`` / ``DECR_PEP_DOMESTIC``
 * ``INCR_PEP_INTERNATIONAL_ORGANIZATION`` / ``DECR_PEP_INTERNATIONAL_ORGANIZATION``
 
 
 MROS Reporting (see ``INVESTIGATION_STATE`` property):
 
 * ``MROS_REPORTED_SUSPICION_SIMPLE``
 * ``MROS_REPORTED_SUSPICION_SUBSTANTIATED``
 * ``INCR_INVESTIGATION_CONCLUDED`` / ``DECR_INVESTIGATION_CONCLUDED``
 
 
 PIN Letter
 ----------
 
 After gathering initial information (``vqf_902_1_officer``), a letter with a
 PIN code is generated and sent to the customer.  The customer needs to enter
 the PIN in the KYC SPA in order to validate their address.  The letter
 also needs to ask the customer to send a certified copy of certain documents.
 
 The KYC SPA should also specify which documents are still needed.
 
 Implementation notes:
 
 * The letter is sent and generated via ``challenger``
 * We keep track of required documents via an ``INFO`` measure,
   where the context is updated based on documents still required.
 
 
 
 Procedural View
 ---------------
 
 This section provides a procedural view of the AML processes defined by the rules
 earlier in the document.  It is meant to give some further context to the rules
 and show how the rules are used in the context of Taler business processes.
 
 It only takes into account the standard rules.  Decisions from the AML
 officer can lead to a deviation from the standard process/rules.
 
 Wallet User: Onboarding and Withdrawal
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 1. User installs the Taler wallet software on their device of choice.
 2. User adds the TOPS Taler Exchange to their Taler wallet
 3. User starts a new withdrawal via the wallet. This creates a new
    (pending) transaction in the wallet. *Optionally:* If the wallet can deduct
    that the user has to complete a KYC process for the withdrawal, it notifies
    the user.
 4. User follows instructions to send money to the TOPS exchange
 5. The wallet waits until the exchange knows about the
    user's wire transfer.
 6. The user's wallet checks with the exchange whether the withdrawal would
    cross the balance threshold.  The key/identifier for is the wallet ID for
    the exchange (which is typically the reserve public key for P2P
    transactions).
 
    **The TOPS exchange currently has no balance limits set, thus balance limits would
    never be crossed.**
 
    * If the balance limit is not crossed (or the user increased the limit via KYC), continue at (7).
    * If no KYC process is started or the KYC process fails or times out, funds
      are automatically wired back to the customer after a reserve close
      timeout. **Done.**
 
 7. The wallet attempts to withdraw electronic cash tokens.  The exchange
    checks the withdrawal limit based on the IBAN that the
    customer used to transfer CHF to the exchange:
 
    * If the customer has already successfully completed
      the ``sms-registration`` or ``postal-registration``,
      the withdrawal limit is 2500 CHF/month and 15000 CHF/year.
    * Otherwise, the limit is 200 CHF per month.  If this limit would
      be crossed by the withdrawal, the wallet redirects the user to
      the exchange's KYC page, where the user can complete the ``sms-registration``
      or ``postal-registration``.
    * If no limit would be crossed, continue at (8)
    * If a limit would be crossed and the customer is not able to
      lift it via the KYC process, funds are wired back automatically
      after a reserve close timeout. **Done.**
 
 8. The wallet receives the (blindly signed) tokens from the exchange,
    the withdrawal is done.  **Done.**
 
 
 Wallet User: Deposit of E-Money
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 This process applies when the user wants to send CHF in their Taler wallet back
 to their CHF bank account.  Technically, it is the same process as the merchant
 accepting a Taler payment.  However, it might be treated differently from an
 AML perspective.
 
 1. The user's wallet asks the exchange to deposit a Taler payment
    to the user's own bank account.
 2. The exchange checks whether the users's public key is associated with the
    users's bank account specified in the deposit permission.
 
    Note that by default, the wallet uses a bank account that has
    previously used for withdrawal.  The withdrawal already associates
    the reserve's public key with the IBAN used for the withdrawal.
    Thus *usually* the right associated public key is already present.
 
    * If the association is missing, the exchange rejects the deposit. The
      customer must do a 1 rappen wire transfer to the exchange with a public
      key (as shown in the wallet) in the remittance information. **Done.**
    * Otherwise, continue at (3).
 3. The exchange checks the ``DEPOSIT`` limit of the user. The user is identified via their IBAN.
 
    * Initally, the deposit limit is CHF 0.  The user must accept the exchange's
      terms of service on the exchange's KYC page to lift this limit to CHF 2500/month
      and CHF 15000/year
    * If no deposit limit would be crossed, the exchange accepts the deposit from the user.
      Continue at (4).
    * Otherwise the exchange rejects the payment. The response is relayed to the
      wallet, which can (if necessary) refund coins previously deposited for the
      same payment and then refresh used coins.  **Done.**
 4. After the wire transfer deadline for the deposit has passed, the exchange
    checks whether the wire transfer would cross the ``AGGREGATE`` threshold for
    the merchant.
 
    * Initally, the aggregate limit is CHF 2500/month and CHF 15000/year.  If
      that limit would be crossed, the customer must undergo a KYB process.  This
      KYB process might result in limits being increased, depending on the
      details of the user.
    * If no aggregation limit would be crossed, the exchange initiates the wire transfer to the user.
    * Otherwise the exchange holds the funds until the user completes the necessary AML process.
 
 
 Wallet User: Receiving P2P Payments
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 *Applicable to both receiving P2P payments (push) and getting paid for P2P
 payment requests (pull).*
 
 1. The customer instructs their wallet to accept a P2P payment from another wallet.
 2. The wallet tries to receive the P2P payment.
    The exchange checks the P2P receive (technically: ``MERGE``)
    limit, based on the wallet ID.
 
    * If the customer has successfully completed ``postal-registration`` or ``sms-registration``,
      the limits are 2500 CHF / month and 15000 CHF / year.
    * Otherwise, the limit is 0 CHF. The wallet redirects the user to the
      exchange's KYC page, where the user can complete the ``sms-registration``
      or ``postal-registration``.
    * If P2P receive is below the limits (or the customer increases the limits via KYC),
      the P2P recive can proceed.  **Done.**
    * Otherwise, the P2P payment expires and the sender's wallet reclaims the money.  **Done.**
 
 
 
 
 FIXME: Do withdrawal limits also apply for withdrawal from the merge reserve?
 
 Wallet User: Sending P2P Payments
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 *Applicable to both sending P2P payments (push) and paying for P2P payment
 requests (pull).*
 
 There are no KYC/AML-relevant steps required for
 sending P2P payments.
 
 Merchant: Onboarding
 ^^^^^^^^^^^^^^^^^^^^
 
 1. The merchant provisions a Taler merchant backend service.
 2. A keypair is generated (or imported) for the merchant.
 3. The merchant adds their (Swiss) bank account to the merchant backend
 4. The merchant backend checks the KYC status of the account with the exchange.
 5. The exchange checks if the merchant's public key is already associated with
    the merchant's bank account.
 
    * If not, the merchant needs to make a payment (1 rappen) to the exchange
      with the public key in the remittance information.  Continue at (4).
    * Otherwise, continue at (6).
 
 6. If the merchant's bank account still has a deposit limit of zero, the
    merchant needs to accept the TOPS exchange terms of service on the
    exchange's KYC page.
 
 7. The deposit rule is lifted and the merchant can start accepting Taler payments from customers.
    However, initially no aggregated settlement payments (wire transfers)
    will be send from the exchange to the merchants, until the merchant
    has completed further KYC steps (``vqf_902_1_customer`` etc.).
 8. Optionally, the merchant can (via a link in the merchant backend to the KYC page)
    and immediately complete the further KYC process steps.
 
 Merchant: Receiving Payments from Wallets
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 1. The merchant receives a Taler payment (technically: deposit permissions) from a
    wallet.
 2. The merchant asks the exchange to deposit the Taler payment.
 3. The exchange checks whether the merchant's public key is associated with the
    merchant's bank account specified (as a salted hash) in the deposit
    permission.
 
    * If the association is missing, the exchange rejects the deposit.  **Done.**
    * Otherwise, continue at (4).
 
 4. The exchange checks the ``DEPOSIT`` limit of the merchant.
    The merchant is identified via their IBAN.
 
    * Initally, the deposit limit is CHF 0.  The merchant must accept the exchange's
      terms of service on the exchange's KYC page to lift this limit to CHF 2500/month
      and CHF 15000/year
    * If the merchant has accepted the terms of service, the deposit limit
      is CHF 2500/month and CHF 15000/year.  If that limit
      is crossed, the merchant must undergo a KYB process.  This KYB
      process might result in limits being increased, depending
      on the details of the business.
    * If no deposit limit would be crossed, the exchange accepts the deposit from the merchant.  **Done.**
    * Otherwise the exchange rejects the payment. The response is relayed to the
      wallet, which can (if necessary) refund coins previously deposited for the
      same payment and then refresh used coins.  **Done.**
 
 
 Merchant: Receiving Wire Transfers for Taler Payments
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 1. The merchange receives payments from wallets.
 2. The exchange waits and aggregates payments until the first wire transfer
    deadline set by the merchant has passed.
 3. The exchange checks whether the aggregated wire transfer would cross the
    ``AGGREGATE`` threshold for the merchant.
 
    * Initally, the aggregate limit is CHF 2500/month and CHF 15000/year.  If
      that limit would be crossed, the merchant must undergo a KYB process.  This
      KYB process might result in limits being increased, depending on the
      details of the business.
    * If no aggregation limit would be crossed, the exchange initiates the wire transfer to the merchant.
    * Otherwise the exchange holds the funds until the merchant completes the necessary AML process.
 
 KYC Providers
 -------------
 
 challenger-postal
 ^^^^^^^^^^^^^^^^^
 
 **Purpose:** Validate customer address via postal mail.
 
 **Attributes**
 
 .. code:: none
 
    CONTACT_NAME :: Text
    ADDRESS_LINES :: Text
    ADDRESS_COUNTRY :: "CH"
 
 * ``CONTACT_NAME``
 
   **Description:** Name of the person or company whose address was validated.
 
 * ``ADDRESS_LINES``
 
   **Description:** Contact address (without name and country). May span
   over multiple lines (separated by newline characters).
 
 * ``ADDRESS_COUNTRY``
 
   **Description:** Country of the validated address. Only "CH" is allowed.
 
 challenger-sms
 ^^^^^^^^^^^^^^
 
 **Purpose:** Validate customer phone number via SMS.
 
 **Attributes**
 
 .. code:: none
 
    CONTACT_PHONE :: Text
 
 * ``CONTACT_PHONE``
 
   **Description:** Phone number that was validated.
 
 
 AML/KYC Forms
 -------------
 
 The following subsections define the contents of the forms. The corresponding
 field names are registered via `GANA <https://git.taler.net/gana.git/tree/gnu-taler-form-attributes>`_.
 The the UI for the forms is defined in `taler-typescript-core <https://git.taler.net/taler-typescript-core.git/tree/packages/web-util/src/forms/gana>`_
 
 When the customer or officer submit the information throught the client software it must
 include the fields FORM_ID and FORM_VERSION attributed as defined in GANA.
 
 Field names are always in ``SCREAMING_SNAKE_CASE``.
 
 File uploads should always use a nested structure, either
 using ``FILE`` with a `KycFileUploadAttribute` or
 ``BULK`` with a `KycBulkUploadAttribute`.
 
 
 accept-tos
 ^^^^^^^^^^
 
 **Filled out by:** Customer
 
 **Purpose:** Customer confirms that they accept the terms of service.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-accept%20tos-EmptyForm>`__
 
 **Attributes**:
 
 .. code:: none
 
    ACCEPTED_TERMS_OF_SERVICE :: Text
    DOWNLOADED_TERMS_OF_SERVICE :: Boolean
 
 * ``ACCEPTED_TERMS_OF_SERVICE``
 
   * **Description**: ToS version that the user accepted.
 
 * ``DOWNLOADED_TERMS_OF_SERVICE``
 
   * **Description**: Whether the user downloaded the
     terms of service.
 
 generic_note
 ^^^^^^^^^^^^
 
 **Filled out by:** AML Officer, customer
 
 **Purpose:** Free-form note.  Should be used instead of the ``FILE_NOTE`` when there
 are attachements or the note contains very sensitive information.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-generic_note-EmptyForm>`__
 
 **Attributes**:
 
 .. code:: none
 
   NOTE_TEXT :: Text
   SUPPLEMENTAL_FILES_LIST[].DESCRIPTION :: Text
   SUPPLEMENTAL_FILES_LIST[].FILE :: File
 
 
 generic_upload
 ^^^^^^^^^^^^^^
 
 **Filled out by:** Customer
 
 **Purpose:** Free-form upload. The type/name of the requested
 document is taken from the context.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-generic_upload-EmptyForm>`__
 
 **Context:**
 
 * ``REQUESTED_FILE_TITLE``
 * ``REQUESTED_FILE_DESCRIPTION``
 
 **Attributes**:
 
 .. code:: none
 
   NOTE_TEXT :: Text
   FILE :: File
 
 
 vqf_902_1_customer
 ^^^^^^^^^^^^^^^^^^
 
 **Filled out by:** AML Officer, customer
 
 **Purpose:**
 Initial collection of basic attributes about customer during onboarding.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-vqf_902_1_customer-EmptyForm>`__
 
 **Remarks:**
 
 * We first ask for ``CUSTOMER_TYPE`` to know what type of basic information we need to ask.
   Only later in the form we ask for ``CUSTOMER_TYPE_VQF``, which can be ``OTHER``. We can't
   combine those two fields, as for ``CUSTOMER_TYPE_VQF=OTHER`` we wouldn't know what
   basic information to ask.
 
 **Attributes**:
 
 .. code:: none
 
   title TITLE_VQF_902_1_CUSTOMER
   SIGNATURE :: Text
   CUSTOMER_TYPE :: 'NATURAL_PERSON' | 'LEGAL_ENTITY'
   when CUSTOMER_TYPE = 'NATURAL_PERSON' {
     FULL_NAME :: Text
     DOMICILE_ADDRESS :: Text
     CONTACT_PHONE :: Optional[Text]
     CONTACT_EMAIL :: Optional[Text]
     DATE_OF_BIRTH :: Date
     NATIONALITY :: Text
     PERSONAL_IDENTIFICATION_DOCUMENT_COPY :: File
     CUSTOMER_IS_SOLE_PROPRIETOR :: Boolean
     when CUSTOMER_IS_SOLE_PROPRIETOR {
       COMPANY_NAME :: Text
       REGISTERED_OFFICE_ADDRESS :: Text
       LEGAL_ENTITY_IDENTIFICATION_DOCUMENT_COPY :: File
     }
   }
   when CUSTOMER_TYPE = 'LEGAL_ENTITY' {
     COMPANY_NAME :: Text
     REGISTERED_OFFICE_ADDRESS :: Text
     CONTACT_PERSON_NAME :: Optional[Text]
     CONTACT_PHONE :: Optional[Text]
     CONTACT_EMAIL :: Optional[Text]
     LEGAL_ENTITY_IDENTIFICATION_DOCUMENT_COPY :: File
     COMPANY_SHARE_REGISTRY :: Optional[File]
     ESTABLISHER_LIST[].FULL_NAME :: Text
     ESTABLISHER_LIST[].DOMICILE_ADDRESS :: Text
     ESTABLISHER_LIST[].DATE_OF_BIRTH :: Text
     ESTABLISHER_LIST[].NATIONALITY :: Text
     ESTABLISHER_LIST[].PERSONAL_IDENTIFICATION_DOCUMENT_COPY :: File
     ESTABLISHER_LIST[].SIGNING_AUTHORITY_TYPE :: 'SINGLE' | 'COLLECTIVE_TWO' | 'OTHER'
     ESTABLISHER_LIST[].SIGNING_AUTHORITY_EVIDENCE_TYPE :: 'CR' | 'MANDATE' | 'OTHER'
     ESTABLISHER_LIST[].SIGNING_AUTHORITY_EVIDENCE_DOCUMENT_COPY :: File
     when (ESTABLISHER_LIST[].SIGNING_AUTHORITY_EVIDENCE = 'OTHER') {
       ESTABLISHER_LIST[].SIGNING_AUTHORITY_EVIDENCE_OTHER :: Text
     }
   }
   CORRESPONDENCE_LANGUAGE :: 'en' | 'de' | 'fr' | 'it'
   CUSTOMER_TYPE_VQF :: (
     'NATURAL' | 'OPERATIONAL' | 'FOUNDATION' |
     'TRUST' | 'LIFE_INSURANCE' | 'OTHER')
 
 * ``SIGNATURE``
 
   * **Type:** String
   * **LABEL DE:** Dieses Formular wurde ausgefüllt von (Vorname/Name):
 
 * ``CUSTOMER_TYPE``
 
   * **Type:** Single choice
   * **Choices:**
 
     * ``NATURAL_PERSON``
 
       * **Label DE:** Die Vertragspartei ist eine natürliche Person
 
     * ``LEGAL_ENTITY``
 
       * **Label DE:** Die Vertragspartei ist eine juristische Person
 
 * ``CUSTOMER_TYPE_VQF``
 
   * **Description:** Customer type according to the VQF classification.
   * **Type:** Single Choice
   * **Choices:**:
 
     * ``NATURAL``
 
       * **Label DE**: Die Vertragspartei ist eine natürliche Person und es bestehen keine Zweifel, dass
         diese selber an den Vermögenswerten wirtschaftlich
         berechtigt ist
       * **Label EN:** A natural person and there are no doubts that this person is the sole beneficial owner of the assets
 
     * ``OPERATIONAL``
 
       * **Label DE**: ... eine operative juristische Person oder Personengesellschaft
 
     * ``FOUNDATION``
 
       * **Label DE**: ... eine Stiftung (oder ein ähnliches Konstrukt; inkl. Underlying
         Companies).
 
     * ``TRUST``
 
       * **Label DE**: ... ein Trust (inkl. Underlying Companies)
 
     * ``LIFE_INSURANCE``
 
       * **Label DE**: ... eine Lebensversicherung mit separater Konto-/Depotführung
         (sog. Insurance Wrapper)
 
     * ``OTHER``
 
       * **Label DE**: alle übrigen Fälle
 
 * ``FULL_NAME``
 
   * **Description**: Full name of the customer.
   * **Type**: Single-line text
   * **Label EN**: Name / First Name
   * **Label DE**: Name/Vorname
 
 * ``DOMICILE_ADDRESS``
 
   * **Description**: Domicile address of the customer.
   * **Type**: Multi-line text
   * **Label DE**: Wohnsitzadresse
 
 * ``CONTACT_PHONE``
 
   * **Description:** Contact phone number of the customer.
   * **Type**: Phone number (**optional**)
   * **Label DE:** Telefon
 
 * ``CONTACT_EMAIL``
 
   * **Description:** Contact e-mail address of the customer.
   * **Type**: E-Mail address (**optional**)
   * **Label DE:** E-Mail
 
 * ``DATE_OF_BIRTH``
 
   * **Description:** Customer's date of birth.
   * **Type**: Date
   * **Label DE:** Geburtstsdatum
 
 * ``NATIONALITY``
 
   * **Description:** Customer's nationality (only for natural person).
   * **Type**: Country code
   * **Label DE:** Staatsangehörigkeit
 
 * ``PERSONAL_IDENTIFICATION_DOCUMENT_COPY``
 
   * **Type**: File upload (PDF).
   * **Label DE:** Identification document
 
 * ``CUSTOMER_NATURAL_COMPANY_NAME``
 
   * **Type**: Single-line text
   * **Label DE:** [Bei Inhabern von Einzelunternehmen (in Ergänzung zu oben):] Firma
 
 * ``REGISTERED_OFFICE_ADDRESS``
 
   * **Type**: Multi-line text
   * **Label DE:** [Bei Inhabern von Einzelunternehmen (in Ergänzung zu oben):] Geschäftsadresse
 
 * ``LEGAL_ENTITY_IDENTIFICATION_DOCUMENT_COPY``
 
   * **Type**: File upload (PDF).
   * **Label DE:** Identifizierungsdokument für Unternehmen
 
 * ``COMPANY_SHARE_REGISTRY``
 
   * **Type**: File upload (PDF).
   * **Label DE:** // FIXME #11022
 
 * ``COMPANY_NAME``
 
   * **Type:** Single-line text
   * **Label DE:** Firma
 
 * ``CONTACT_PERSON_NAME``
 
   * **Type:** Single-line text (**optional**)
   * **Label DE:** Kontaktperson
 
 * ``CORRESPONDENCE_LANGUAGE``
 
   * **Type:** Single selection
   * **Choices:** ISO 639-1 Alpha-2 language codes. Currently only ``en``, ``de``, ``fr`` and
     ``it`` are supported.
 
 * ``ESTABLISHER_LIST[].FULL_NAME``
 
   * **Type:** Single-line string
   * **Label DE:** Name/Vorname
 
 * ``ESTABLISHER_LIST[].DOMICILE``
 
   * **Type:** Multi-line string
   * **Label DE:** Wohnsitzadresse
 
 * ``ESTABLISHER_LIST[].NATIONALITY``
 
   * **Type:**  ISO 3166 two-letter uppercase country code.
   * **Label DE:** Staatsangehörigkeit
 
 * ``ESTABLISHER_LIST[].PERSONAL_IDENTIFICATION_DOCUMENT_COPY``
 
   * **Type**: File upload (PDF).
   * **Label DE:** Identifikationsdokument
 
 * ``ESTABLISHER_LIST[].SIGNING_AUTHORITY_TYPE``
 
   * **Type:** Single Choice
   * **Label DE:** Art der Zeichnungs- oder Vertretungsberechtigung
   * **Required:** yes
   * **Choices:**
 
     * ``SINGLE``
 
       * **Label DE:** Einzelunterschrift
 
     * ``COLLECTIVE_TWO``
 
       * **Label DE:** Kollektiv zu zweit
 
     * ``OTHER``
 
       * **Label DE:** Anderes
 
 * ``ESTABLISHER_LIST[].SIGNING_AUTHORITY_TYPE_OTHER``
 
   * **Type:** Single-line string
 
 * ``ESTABLISHER_LIST[].SIGNING_AUTHORITY_EVIDENCE``
 
   * **Type:** Single Choice
   * **Label DE:** Kenntnisnahme der Bevollmächtigtenbestimmungen durch
   * **Choices**:
 
     * ``CR``
 
       * **Label DE:** Handelsregisterauszug
 
     * ``MANDATE``
 
       * **Label DE:** Vollmacht
 
     * ``OTHER``
 
       * **Label DE:** Anderes:
 
 * ``ESTABLISHER_LIST[].SIGNING_AUTHORITY_EVIDENCE_OTHER``
 
   * **Type**: Single-line text
 
 * ``ESTABLISHER_LIST[].SIGNING_AUTHORITY_EVIDENCE_DOCUMENT_COPY``
 
   * **Description:** Attached document as evidence of the person's signing authority.
   * **Type:** File upload.
 
 
 **Strings**
 
 * ``TITLE_VQF_902_1_CUSTOMER``
 
   * ``Identifizierungsformular (Kundenbasisdaten)``
 
 **Measure after submission by customer:**
 Depending on ``CUSTOMER_TYPE``, the customer is asked to fill out another
 form:
 
 * ``NATURAL``: No other form to fill out. A PIN letter will be directly
   sent to the customer.
 * ``OPERATIONAL``: Form ``vqf_902_11_customer``
 * ``FOUNDATION``: Form ``vqf_902_12``
 * ``TRUST``: Form ``vqf_902_13``
 * ``LIFE_INSURANCE``: Form ``vqf_902_15``
 * ``OTHER``: Form ``vqf_902_9_customer``
 
 vqf_902_1_officer
 ^^^^^^^^^^^^^^^^^
 
 **Filled out by:** Only AML Officer
 
 **Prerequisites:** ``vqf_902_1_customer`` (with follow-up form if required),
 ``vqf_902_5`` and ``vqf_902_4`` must have been submitted and checked.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-vqf_902_1_officer-EmptyForm>`_
 
 **Differences from VQF form 902.1:**
 
 * We do not ask for the type of correspondence service,
   but instead assume that correspondence is done via the Taler
   protocol or directly to the customer via postal mail.
 * We do not accept languages other than English, German and French
 * Section 6 ("Laufkunden/Kassageschäften") is not applicable
 * Section 7 ("Beilagen"): The other forms must be filed by
   the AML officer *before* filing ``vqf_902_1_officer``.
   In the future, this will be checked by an AML program
   that runs for the form submission.
 
 **Attributes:**
 
 .. code:: none
 
   ACCEPTANCE_DATE :: Date
   ACCEPTANCE_METHOD :: (
     'FACE_TO_FACE' |
     'AUTHENTICATED_COPY' |
     'RESIDENTIAL_ADDRESS_VALIDATED')
   ACCEPTANCE_FURTHER_INFO :: Optional[Text]
   EMBARGO_TERRORISM_CHECK_RESULT :: 'LISTED' | 'NOT_LISTED'
   EMBARGO_TERRORISM_CHECK_DATE :: Date
   when EMBARGO_TERRORISM_INFO = 'LISTED' {
     EMBARGO_TERRORISM_INFO :: Text
   }
   SUPPLEMENTAL_FILES_LIST[].FILE :: File
   SUPPLEMENTAL_FILES_LIST[].DESCRIPTION :: File
 
 
 
 vqf_902_4
 ^^^^^^^^^
 
 **Filled out by:** AML officer only
 
 **Purpose:** The AML officer uses this form
 to document the risk profile of a customer.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-vqf_902_4-EmptyForm>`__
 
 **Differences from VQF form**
 
 * "LÄNDERRISIKO (Zahlungsverkehr)" does not apply, since we
   only accept Swiss customers
 * "PRODUKTRISIKO (Art der vom Kunden verlangten Dienstleistungen und Produkte)
   does not apply, since we do not offer customized products/services.
 
 **Attributes:**
 
 .. code:: none
 
    CUSTOMER_NAME :: Text
    PEP_FOREIGN :: Boolean
    PEP_DOMESTIC :: Boolean
    PEP_INTERNATIONAL_ORGANIZATION :: Boolean
    when (PEP_DOMESTIC or PEP_INTERNATIONAL_ORGANIZATION) {
      PEP_HIGH_RISK :: Boolean
    }
    when PEP_FOREIGN or PEP_HIGH_RISK {
      PEP_ACCEPTANCE_DATE :: Date
    }
    HIGH_RISK_COUNTRY :: Boolean
 
    // FIXME-#9679: Unclear if this is single-choice or multiple-choice
    COUNTRY_RISK_NATIONALITY_TYPE :: List[
     'NATIONALITY_CUSTOMER' | 'NATIONALITY_OWNER' |
     'DOMICILE_CUSTOMER' | 'DOMICILE_OWNER' |
     'DOMICILE_CONTROLLING']
    COUNTRY_RISK_NATIONALITY_LEVEL :: 'LOW' | 'MEDIUM' | 'HIGH'
    // FIXME-#9679: Unclear if this is single-choice or multiple-choice
    COUNTRY_RISK_BUSINESS_TYPE :: List['CUSTOMER' | 'OWNER']
    COUNTRY_RISK_BUSINESS_LEVEL :: 'LOW' | 'MEDIUM' | 'HIGH'
    COUNTRY_RISK_PAYMENTS_LEVEL :: 'LOW' | 'MEDIUM' | 'HIGH'
    INDUSTRY_RISK_TYPE :: 'CUSTOMER' | 'OWNER'
    INDUSTRY_RISK_LEVEL :: (
      'TRANSPARENT' | 'HIGH_CASH_TRANSACTION' |
      'NOT_WELL_KNOWN' | 'HIGH_RISK_TRADE' | 'UNKNOWN_INDUSTRY')
    CONTACT_RISK_LEVEL :: 'LOW' | 'MEDIUM' | 'HIGH'
    PRODUCT_RISK_LEVEL :: List['LOW' | 'SOPHISTICATED' | 'HIGH_OFFSHORE' |
      'HIGH_COMPLEX' | 'HIGH_PASSTHROUGH' | 'HIGH_BACKGROUND' |
      'HIGH_FREQUENT_TMER']
    RISK_RATIONALE :: Text
    RISK_CLASSIFICATION_LEVEL :: 'HIGH_RISK' | 'NO_HIGH_RISK'
    when (HIGH_RISK_COUNTRY OR
          RISK_CLASSIFICATION_LEVEL = 'HIGH_RISK') {
      HIGH_RISK_ACCEPTANCE_DATE :: Date
    }
 
 * ``CUSTOMER_NAME``
 
   * **Type**: String
   * **Label DE:** Vertragspartei
 
 * ``PEP_FOREIGN``
 
   * **Type**: Checkbox
   * **Label DE:** Ist die Vertragspartei, der wirtschaftlich
     Berechtige resp. Kontrollinhaber oder der
     Bevollmächtigte ein ausländischer PEP
     oder steht er einem solchen nahe?
 
 * ``PEP_DOMESTIC``
 
   * **Type**: Checkbox
   * **Label DE:** Ist die Vertragspartei, der wirtschaftlich
     Berechtigte resp. Kontrollinhaber oder
     der Bevollmächtigte ein inländischer PEP
 
 * ``PEP_INTERNATIONAL_ORGANIZATION``
 
   * **Type**: Checkbox
   * **Label DE:** Ist die Vertragspartei, der wirtschaftlich
     Berechtigte resp. Kontrollinhaber oder der Bevollmächtigte ein PEP bei
     internationalen Organisationen oder steht er einem solchen nahe?
 
 * ``PEP_HIGH_RISK``
 
   * **Type**: Checkbox
   * **Label DE:**  Ist ein Risikokriterium aus diesem Formular erfüllt?
   * **VQF form original label:** Ist ein Risikokriterium gemäss Ziff. 3 nachfolgend erhöht?
 
 
 * ``PEP_ACCEPTANCE_DATE``
 
   * **Type:** Date
   * **Label DE:** Die Zustimmung des obersten Geschäftsführungsorgans zur Aufnahme einer
     Geschäftsbeziehung mit einem PEP wurde eingeholt am:
 
 * ``COUNTRY_RISK_NATIONALITY_TYPE``
 
   * **Type:** Multi-choice
   * **Label DE:** LÄNDERRISIKO (Nationalität)
   * **Choices:**
 
     * ``NATIONALITY_CUSTOMER``
 
       * **Label DE:** [Staatsangehörigkeit] Vertragspartei
 
     * ``NATIONALITY_OWNER``
 
       * **Label DE:** [Staatsangehörigkeit] An Vermögenswerten wirtschaftlich berechtigte Person
 
     * ``DOMICILE_CUSTOMER``
 
       * **Label DE:** [Sitz/Wohnsitz] Vertragspartei
 
     * ``DOMICILE_CONTROLLING``
 
       * **Label DE:** [Sitz/Wohnsitz] Kontrollinhaber
 
     * ``DOMICILE_OWNER``
 
       * **Label DE:** [Sitz/Wohnsitz] an Vermögenswerten wirtschaftlich berechtigte Personen
 
 * ``COUNTRY_RISK_NATIONALITY_LEVEL``
 
   * **Type:** Single choice
   * **Choices:**
 
     * ``LOW``
 
       * **Label DE:** Risiko 0 gemäss VQF-Länderliste (VQF Dok. Nr. 902.4.1)
 
     * ``MEDIUM``
 
       * **Label DE:** Risiko 1 gemäss VQF-Länderliste (VQF Dok. Nr. 902.4.1)
 
     * ``HIGH``
 
       * **Label DE:** Risiko 2 gemäss VQF-Länderliste (VQF Dok. Nr. 902.4.1)
 
 * ``COUNTRY_RISK_BUSINESS_TYPE``
 
   * **Type:** Multi-choice
   * **Label DE:** LÄNDERRISIKO (Geschäftstätigkeit)
   * **Choices:**
 
     * ``CUSTOMER``
 
       * **Label DE:** [Ort der Geschäftstätigkeit] Vertragspartei
 
     * ``OWNER``
 
       * **Label DE:** [Ort der Geschäftstätigkeit] an Vermögenswerten wirtschaftlich berechtigte Person
 
 * ``COUNTRY_RISK_BUSINESS_LEVEL``
 
   * **Type:** Single choice
   * **Choices:**
 
     * ``LOW``
 
       * **Label DE:** Risiko 0 gemäss VQF-Länderliste (VQF Dok. Nr. 902.4.1)
 
     * ``MEDIUM``
 
       * **Label DE:** Risiko 1 gemäss VQF-Länderliste (VQF Dok. Nr. 902.4.1)
 
     * ``HIGH``
 
       * **Label DE:** Risiko 2 gemäss VQF-Länderliste (VQF Dok. Nr. 902.4.1)
 
 
 * ``INDUSTRY_RISK_TYPE``
 
   * **Type:** Multi-choice
   * **Label DE:** BRANCHENRISIKO
   * **Choices:**
 
     * ``CUSTOMER``
 
       * **Label DE:** [Art der Geschäftstätigkeit] Vertragspartei
 
     * ``OWNER``
 
       * **Label DE:** [Art der Geschäftstätigkeit] an Vermögenswerten wirtschaftlich berechtigte Person
 
 * ``INDUSTRY_RISK_LEVEL``
 
   * **Type:** Single choice
   * **Choices:**
 
     * ``TRANSPARENT``
 
       * **Label DE:**
         Dem Mitglied gut bekannte, klar um rissene, transparente
         und einfach verständliche Geschäftstätigkeit
 
     * ``HIGH_CASH_TRANSACTION``
 
       * **Label DE:** Geschäftstätigkeit mit hohen Bargeldtransaktionen
 
     * ``NOT_WELL_KNOWN``
 
       * **Label DE:** Dem Mitglied eher unbekannte Tätigkeit
 
     * ``HIGH_RISK_TRADE``
 
       * **Label DE:**
         Waffen-/Rüstungshandel, Rohedelsteine- und Diamantenhandel,
         Schmuckhandel, internationaler Handel mit exotischen Tieren, Casino-
         und Lotteriegewerbe, Erotikgewerbe
 
     * ``UNKNOWN_INDUSTRY``
 
       * **Label DE:**
         Keinerlei persönliche Kenntnisse des Mitglieds zur Branche der
         Vertragspartei
 
 * ``CONTACT_RISK_LEVEL``
 
   * **Type:** Single choice
   * **Label DE:**
     KONTAKTRISIKO: Kontaktformen zur Vertragspartei/an Vermögenswerten
     wirtschaftlich berechtigten Person
 
   * **Choices:**
 
     * ``LOW``
 
       * **Label DE**:
         Persönliche Bekanntschaft zwischen Mitglied und Vertragspartei/an
         Vermögenswerten wirtschaftlich berechtigter Person vor
         Geschäftsaufnahme seit mehreren Jahren (min. 2 Jahre)
 
     * ``MEDIUM``
 
       * **Label DE**:
         Vertragspartei/an Vermögenswerten wirtschaftlich berechtigte Person war dem Mitglied vor Geschäftsaufnahme
         nicht seit mehreren Jahren (min. 2 Jahre) persönlich bekannt, aber
         (a) keine Geschäftsaufnahme unter Abwesenden oder
         (b) zumindest Einführung/Vermittlung des Kunden durch eine Vertrauensperson
 
     * ``HIGH``
 
       * **Label DE**:
         Vertragspartei/an Vermögenswerten wirtschaftlich berechtigte Person
         persönlich unbekannt und Geschäftsaufnahme unter Abwesenden
         (Korrespondenzbeziehung) sowie keine Einführung/Vermittlung des Kunden
         durch eine Vertrauensperson
 
 * ``PRODUCT_RISK_LEVEL``
 
   * **Type:** Multi-choice
   * **Label DE:**
     PRODUKTRISIKO: Art der vom Kunden verlangten
     Dienstleistungen und Produkte
 
   * **Choices:**
 
     * ``LOW``
 
       * **Label DE**:
         Einfach zu verstehende, transparente Dienstleistungen
         und Produkte, bei welchen die wirtschaftlichen Hintergründe
         leicht verständlich und überprüfbar sind
 
     * ``MEDIUM``
 
       * **Label DE**:
         Anspruchsvollere Dienstleistung/Produkte, bei welchen die
         wirtschaftlichen Hintergründe nicht ohne Weiteres verständlich
         und überprüfbar sind
 
     * ``HIGH_OFFSHORE``
 
       * **Label DE**:
         Schwergewicht "Offshore – Business" (insbesondere:
         Beziehungen zu Sitzgesellschaften oder zu sonstigen
         Offshore-Konstruktionen)
 
     * ``HIGH_COMPLEX``
 
       * **Label DE**:
         Komplexe Strukturen, insbesondere durch Verwendung
         einer Sitzgesellschaft mit fiduziarischen Aktionären, in einer
         intransparenten Jurisdiktion, ohne nachvollziehbaren
         Grund oder zwecks kurzzeitiger Vermögensplatzierung
 
     * ``HIGH_PASSTHROUGH``
 
       * **Label DE**:
         Die Vertragspartei oder die an Vermögenswerten
         wirtschaftlich berechtigte Person verfügt über eine Vielzahl
         von Konten mit Durchlauftransaktionen (Durchlaufkonti)
 
     * ``HIGH_BACKGROUND``
 
       * **Label DE**:
         Komplexe Dienstleistung/Produkte, bei welchen die
         wirtschaftlichen Hintergründe nur eingeschränkt oder nur
         mit grossem Aufwand verständlich und überprüfbar sind
 
     * ``HIGH_FREQUENT_TMER``
 
       * **Label DE**:
         Häufige Transaktionen m it erhöhten Risiken
 
 * ``RISK_RATIONALE``
 
   * **Type:** Multi-line text
   * **Label DE:** Begründung für abweichende Risikobewertung
 
 * ``HIGH_RISK``
 
   * **Type:** Checkbox (yes/no)
   * **Label DE:** [Risikoklassifizierung] Geschäftsbeziehung mit erhöhtem Risiko
 
 * ``HIGH_RISK_ACCEPTANCE_DATE``
 
   * **Type:** Checkbox (yes/no)
   * **Label DE:**
     Die Zustimmung einer vorgesetzten Person / Stelle oder der Geschäftsführung
     zur Aufnahme einer Geschäftsbeziehung mit erhöhtem Risiko wurde eingeholt
     am:
 
 
 vqf_902_5
 ^^^^^^^^^
 
 **Filled out by:** AML officer only
 
 **Purpose:** Customer profile
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-vqf_902_5-EmptyForm>`__
 
 **Differences from VQF form:**
 
 **Attributes:**
 
 .. code:: none
 
    CUSTOMER_NAME :: Text
    BIZREL_PROFESSION :: Text
    BIZREL_FINANCIAL_CIRCUMSTANCES :: Text
    BIZREL_ORIGIN_NATURE :: Text
    BIZREL_ORIGIN_AMOUNT :: Text
    BIZREL_ORIGIN_CATEGORY :: List[
      'SAVINGS' | 'OWN_BUSINESS' |
      'INHERITANCE' | 'OTHER']
    when BIZREL_ORIGIN_CATEGORY contains 'OTHER' {
      BIZREL_ORIGIN_CATEGORY_OTHER :: Text
    }
    BIZREL_ORIGIN_DETAIL :: Text
    BIZREL_PURPOSE :: Text
    BIZREL_DEVELOPMENT :: Text
    BIZREL_FINANCIAL_VOLUME :: Text
    BIZREL_FINANCIAL_BENEFICIARIES_FULL_NAME :: Text
    BIZREL_THIRDPARTY_RELATIONSHIP :: Text
    BIZREL_THIRDPARTY_AMLA_FILES :: Text
    BIZREL_THIRDPARTY_REFERENCES :: Text
    BIZREL_FURTHER_INFO :: Text
 
 * ``CUSTOMER_NAME``
 
   * **Type**: String
   * **Label DE:** Vertragspartei
 
 * ``BIZREL_PROFESSION``
 
   * **Type:** Multi-line text
   * **Label DE:** [Geschäftliche Aktivitäten] Beruf, geschäftliche Aktivitäten
     etc. (frühere, aktuelle, evtl. geplante)
 
 * ``BIZREL_FINANCIAL_CIRCUMSTANCES``
 
   * **Type:** Multi-line text
   * **Label DE:**
     [Finanzielle Verhältnisse]
     Einkommen und Vermögen, Verpflichtungen
     (geschätzt)
 
 * ``BIZREL_ORIGIN_NATURE``
 
   * **Type:** Multi-line text
   * **Label DE:**
     [Herkunft der eingebrachten Vermögenswerte]
     Art, Betrag und Währung der eingebrachten
     Vermögenswerte
 
 * ``BIZREL_ORIGIN_CATEGORY``
 
   * **Type:** Multiple choice
   * **Label DE:**
     [Herkunft der eingebrachten Vermögenswerte]
     Art, Betrag und Währung der eingebrachten
     Vermögenswerte
   * **Choices:**
 
     * ``SAVINGS``
 
       * **Label DE**: Ersparnis
 
     * ``OWN_BUSINESS``
 
       * **Label DE**: Eigener Geschäftsbetrieb
 
     * ``INHERITANCE``
 
       * **Label DE**: Erbschaft
 
     * ``OTHER``
 
       * **Label DE**: Anderes, was?
 
 * ``BIZREL_ORIGIN_CATEGORY_OTHER``
 
   * **Type**: Multi-line text
   * **Label DE**: Andere Herkunft:
 
 * ``BIZREL_ORIGIN_DETAIL``
 
   * **Type**: Multi-line text
   * **Label DE**:
     [Herkunft der eingebrachten Vermögenswerte] Detaillierte Beschreibung der wirtschaftlichen Herkunft der
     in die Geschäftsbeziehung eingebrachten Vermögenswerte
 
 * ``BIZREL_PURPOSE``
 
   * **Type**: Multi-line text
   * **Label DE**:
     Zweck des Geschäfts- bzw. der Geschäftsbeziehung
 
 * ``BIZREL_DEVELOPMENT``
 
   * **Type**: Multi-line text
   * **Label DE**:
     Angaben über die geplante Entwicklung der Geschäftsbeziehung und der
     Vermögenswerte
 
 * ``BIZREL_VOLUME``
 
   * **Type**: Multi-line text
   * **Label DE**:
     Insbesondere bei Kassa-, Geld- und Wertübertragungsgeschäften mit Stammkunden:
     (1) Angaben zum üblichen Geschäftsvolumen
     (2) Angaben zu den Begünstigten (Name, Vorname, Adresse, Bankverbindung)
 
 * ``BIZREL_THIRDPARTY_RELATIONSHIP``
 
   * **Type**: Multi-line text
   * **Label DE**: Beziehung der Vertragspartei zu wirtschaftlich
     berechtigten Personen, Kontrollinhaber, Begünstigten, Bevollmächtigten und weiteren in die
     Geschäftsbeziehung involvierten Personen
 
 
 * ``BIZREL_THIRDPARTY_AMLA_FILES``
 
   * **Type**: Multi-line text
   * **Label DE:** Verbindungen zu anderen GwG-Files
 
 * ``BIZREL_THIRDPARTY_REFERENCES``
 
   * **Type**: Multi-line text
   * **Label DE:** Introducer / Vermittler / Referenzen
 
 * ``BIZREL_FURTHER_INFO``
 
   * **Type**: Multi-line text
   * **Label DE:**
     Sonstige aus Sicht des Mitglieds
     relevante Informationen
 
 
 
 vqf_902_9_customer
 ^^^^^^^^^^^^^^^^^^
 
 **Filled out by:** Customer only.
 
 **Purpose:** Establish the identity of the beneficial owner.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-vqf_902_9_customer-EmptyForm>`__
 
 **Differences from VQF form 902.9:**
 
 * The VQF form can only be filled out by the customer. We also
   allow the AML officer to fill out this form, but then require
   an attached version signed by the customer.
 
 **Attributes:**
 
 .. code:: none
 
    info DECL_BENEFICIAL_OWNER
    IDENTITY_CONTRACTING_PARTNER :: Text
    IDENTITY_LIST[].FULL_NAME :: Text
    IDENTITY_LIST[].DATE_OF_BIRTH :: Date
    IDENTITY_LIST[].DOMICILE_ADDRESS :: AddressString
    IDENTITY_LIST[].NATIONALITY :: CountryCodeString
    info NOTICE_WRONG_DECLARATION
    SIGNATURE :: Text
    SIGN_DATE :: Date
    info NOTICE_CHANGES
 
 * ``IDENTITY_CONTRACTING_PARTNER``
 
   * **Type:** Multi-line text
   * **Label EN:** Contracting party (name and address)
   * **Label DE:** Vertragspartner (Name und Adresse)
 
 * ``IDENTITY_LIST``
 
   * **Description:** Identities of controlling persons.
 
 * ``IDENTITY_LIST[].FULL_NAME``
 
   * **Type:** Single line text
   * **Label DE:** Name, Vorname
 
 * ``IDENTITY_LIST[].DATE_OF_BIRTH``
 
   * **Type:** Date entry
   * **Label DE:** Geburtsdatum
 
 * ``IDENTITY_LIST[].NATIONALITY``
 
   * **Type:** Country code
   * **Label DE:** Nationalität
 
 * ``IDENTITY_LIST[].DOMICILE_ADDRESS``
 
   * **Type:** Multi-line text
   * **Label DE:** Effektive Wohnsitzadresse
 
 * ``SIGNATURE``
 
   * **Type:** Single-line text
   * **Label EN:** Signed by:
   * **Label DE:** Unterzeichnet von:
 
 * ``SIGN_DATE``
 
   * **Type**: Single-line text (pre-filled with current date)
 
 
 **Strings:**
 
 * ``DECL_BENEFICIAL_OWNER``
 
   * **DE:**
     Der Vertragspartner erklärt hiermit, dass die nachfolgend aufgeführte(n) Person(en) an den
     in die Geschäftsbeziehung eingebrachten Vermögenswerten wirtschaftlich berechtigt
     ist/sind. Ist der Vertragspartner selber allein an diesen Vermögenswerten wirtschaftlich
     berechtigt, so sind nachstehend seine Personalien festzuhalten:
 
 * ``NOTICE_WRONG_DECLARATION``:
 
   * **DE**: Die vorsätzliche Angabe falscher Informationen in diesem Formular ist eine strafbare
     Handlung (Urkundenfälschung gemäss Artikel 251 des Schweizerischen Strafgesetzbuchs).
 
 * ``NOTICE_CHANGES``
 
   * **DE:** Der Vertragspartner verpflichtet sich, Änderungen jeweils unaufgefordert mitzuteilen.
 
 **Others:**
 
 When filled out by the customer, the form **must** contain a notice that
 filling this form with incorrect information is a punishable offence (document
 forgery) according to Swiss law.
 
 vqf_902_9_officer
 ^^^^^^^^^^^^^^^^^
 
 **Filled out by:** AML Officer only.
 
 **Purpose:** Establish the identity of the beneficial owner.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-VQF_902_9_officer-EmptyForm>`__
 
 **Differences from VQF form 902.9:**
 
 * We also allow the AML officer to fill out this form, but then require an
   attached version signed by the customer.
 
 **Attributes:**
 
 .. code:: none
 
    info DECL_BENEFICIAL_OWNER
    IDENTITY_CONTRACTING_PARTNER :: String
    IDENTITY_LIST[].FULL_NAME :: String
    IDENTITY_LIST[].DATE_OF_BIRTH :: Date
    IDENTITY_LIST[].DOMICILE_ADDRESS :: AddressString
    IDENTITY_LIST[].NATIONALITY :: CountryCodeString
    info NOTICE_WRONG_DECLARATION
    ATTACHMENT_SIGNED_DOCUMENT :: File
    info NOTICE_CHANGES
 
 * ``IDENTITY_CONTRACTING_PARTNER``
 
   * **Type:** Multi-line text
   * **Label EN:** Contracting party (name and address)
   * **Label DE:** Vertragspartner (Name und Adresse)
 
 * ``IDENTITY_LIST``
 
   * **Description:** Identities of controlling persons.
 
 * ``IDENTITY_LIST[].FULL_NAME``
 
   * **Type:** Single line text
   * **Label DE:** Name, Vorname
 
 * ``IDENTITY_LIST[].DATE_OF_BIRTH``
 
   * **Type:** Date entry
   * **Label DE:** Geburtsdatum
 
 * ``IDENTITY_LIST[].NATIONALITY``
 
   * **Type:** Country code
   * **Label DE:** Nationalität
 
 * ``IDENTITY_LIST[].DOMICILE_ADDRESS``
 
   * **Type:** Multi-line text
   * **Label DE:** Effektive Wohnsitzadresse
 
 * ``ATTACHMENT_SIGNED_DOCUMENT``
 
   * **Label DE:** Scan des vom Kunden unterschriebenen Formulars.
 
 **Strings:**
 
 * ``DECL_BENEFICIAL_OWNER``
 
   * **DE:**
     Der Vertragspartner erklärt hiermit, dass die nachfolgend aufgeführte(n) Person(en) an den
     in die Geschäftsbeziehung eingebrachten Vermögenswerten wirtschaftlich berechtigt
     ist/sind. Ist der Vertragspartner selber allein an diesen Vermögenswerten wirtschaftlich
     berechtigt, so sind nachstehend seine Personalien festzuhalten:
 
 * ``NOTICE_WRONG_DECLARATION``:
 
   * **DE**: Die vorsätzliche Angabe falscher Informationen in diesem Formular ist eine strafbare
     Handlung (Urkundenfälschung gemäss Artikel 251 des Schweizerischen Strafgesetzbuchs).
 
 * ``NOTICE_CHANGES``
 
   * **DE:** Der Vertragspartner verpflichtet sich, Änderungen jeweils unaufgefordert mitzuteilen.
 
 **Others:**
 
 When filled out by the customer, the form **must** contain a notice that
 filling this form with incorrect information is a punishable offence (document
 forgery) according to Swiss law.
 
 
 vqf_902_11_customer
 ^^^^^^^^^^^^^^^^^^^
 
 **Filled out by:** Customer only.
 
 **Purpose:** Determine the controlling person of an operational legal
 entity or partnership.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-vqf_902_11_customer-EmptyForm>`__
 
 **Differences from VQF form 902.11:**
 
 * The VQF form can only be filled out by the customer.
   When the officer fills out the VQF 902.11, we use our ``vqf_902_11_officer``.
 
 **Attributes:**
 
 .. code:: none
 
    title TITLE_VQF_902_11_CUSTOMER
    info INFO_VQF_902_11_CUSTOMER
    IDENTITY_CONTRACTING_PARTNER :: Text
    CONTROL_REASON :: 'HAS_25_MORE_RIGHTS' | 'OTHER_WAY' | 'DIRECTOR'
    IDENTITY_LIST[].FULL_NAME :: Text
    IDENTITY_LIST[].DOMICILE_ADDRESS :: Text
    THIRD_PARTY_OWNERSHIP :: Boolean
    info NOTICE_WRONG_DECLARATION
    SIGNATURE :: String
    SIGN_DATE :: Date
 
 * ``CONTROL_REASON``
 
   * **Type:** Single choice
   * **Label DE:** Der Vertragspartner erklärt hiermit, (das Zutreffende ankreuzen) ...
   * **Choices:**
 
     * ``HAS_25_MORE_RIGHTS``
 
       * **Label DE:**
         ... dass
         die nachfolgend aufgeführte(n) Person(en) am Vertragspartner Anteile
         (Kapitals- oder Stimmrechtsanteile) von 25 % oder mehr halten
 
     * ``OTHER_WAY``
 
       * **Label DE:**
         ... falls die Kapitals- oder Stimmrechtsanteile nicht festgestellt werden können oder
         falls keine Kapitals- oder Stimmrechtsanteile von 25% oder mehr bestehen, erklärt
         der Vertragspartner hiermit, dass die nachträglich aufgeführte Person(en) auf
         andere Weise die Kontrolle über den Vertragspartner ausübt/ausüben;
 
     * ``DIRECTOR``
 
       * **Label DE:**
 
         ... falls auch diese Person(en) nicht festgestellt werden kann/können, oder diese
         Person(en) nicht besteht/bestehen, erklärt der Vertragspartner, dass die
         nachfolgend aufgeführte(n) Person(en) die Geschäftsführung ausüben.
 
 
 * ``IDENTITY_LIST[].FULL_NAME``
 
   * **Type:** Single line text
   * **Label DE:** Name, Vorname
 
 * ``IDENTITY_LIST[].DOMICILE``
 
   * **Type:** Multi-line text
   * **Label DE:** Effektive Wohnsitzadresse
 
 * ``THIRD_PARTY_OWNERSHIP``
 
   * **Type:** Choice yes/no
 
     * **Label DE:**
       Ist eine Drittperson an den auf dem Konto/Depot liegenden Vermögenswerten wirtschaftlich berechtigt?
 
   * **Choices:**
 
     * false
 
       * **Label DE**: Nein
 
     * true
 
       * **Label DE**: Ja. => Die entsprechenden Angaben zur wirtschaftlichen Berechtigung sind durch
         das Ausfüllen eines separaten Formulars VQF Dok Nr. 902.9 zu erheben.
 
 
 * ``SIGNATURE``
 
   * **Type:** Single-line text
   * **Label EN:** Signed by:
   * **Label DE:** Unterzeichnet von:
 
 * ``SIGN_DATE``
 
   * **Type**: Single-line text (pre-filled with current date)
 
 **Strings**
 
 * ``NOTICE_WRONG_DECLARATION``:
 
   * **DE**: Die vorsätzliche Angabe falscher Informationen in diesem Formular ist eine strafbare
     Hand lung (Urkundenfälschung gemäss Artikel 251 des Schweizerischen Strafgesetzbuchs).
 
 * ``TITLE_VQF_902_11_CUSTOMER``
 
   * **DE:**
     Feststellung des Kontrollinhabers an nicht
     operativ tätigen juristischen Personen und
     Personengesellschaften (K)
 
 * ``INFO_VQF_902_11_CUSTOMER``
 
   * **DE:**
     (bei operativ tätigen juristischen Personen und Personengesellschaf ten als Vertragspartner
     sowie sinngemäss bei operativ tätigen juristischen Personen und Personengesellschaf ten als
     wirtschaf tlich Berechtigte)
 
 **Measure after submission from the customer**: If ``THIRD_PARTY_OWNERSHIP`` is
 true, ``vqf_902_9_customer`` needs to be filled out.
 
 **Others:**
 
 When filled out by the customer, the form **must** contain a notice that
 filling this form with incorrect information is a punishable offence (document
 forgery) according to Swiss law.
 
 vqf_902_11_officer
 ^^^^^^^^^^^^^^^^^^
 
 **Filled out by:** AML officer only.
 
 **Purpose:** Determine the controlling person of an operational legal
 entity or partnership.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-vqf_902_11_officer-EmptyForm>`__
 
 **Differences from VQF form 902.11:**
 
 * The VQF form can only be filled out by the AML officer.
   When the customer directly fills out the VQF 902.11, we use our ``vqf_902_11_customer``.
 
 **Attributes:**
 
 .. code:: none
 
    title TITLE_VQF_902_11_OFFICER
    info INFO_VQF_902_11_OFFICER
    IDENTITY_CONTRACTING_PARTNER :: Text
    CONTROL_REASON :: 'HAS_25_MORE_RIGHTS' | 'OTHER_WAY' | 'DIRECTOR'
    IDENTITY_LIST[].FULL_NAME :: Text
    IDENTITY_LIST[].DOMICILE :: Text
    THIRD_PARTY_OWNERSHIP :: Boolean
    ATTACHMENT_SIGNED_DOCUMENT :: File
 
 * ``IDENTITY_CONTRACTING_PARTNER``
 
   * **Type:** Multi-line text
   * **Label EN:** Contracting party (name and address)
   * **Label DE:** Vertragspartner (Name und Adresse)
 
 * ``CONTROL_REASON``
 
   * **Type:** Single choice
   * **Label DE:** Es wird erklärt, (das Zutreffende ankreuzen) ...
   * **Choices:**
 
     * ``HAS_25_MORE_RIGHTS``
 
       * **Label DE:**
         ... dass
         die nachfolgend aufgeführte(n) Person(en) am Vertragspartner Anteile
         (Kapitals- oder Stimmrechtsanteile) von 25 % oder mehr halten
 
     * ``OTHER_WAY``
 
       * **Label DE:**
         ... falls die Kapitals- oder Stimmrechtsanteile nicht festgestellt werden können oder
         falls keine Kapitals- oder Stimmrechtsanteile von 25% oder mehr bestehen, erklärt
         der Vertragspartner hiermit, dass die nachträglich aufgeführte Person(en) auf
         andere Weise die Kontrolle über den Vertragspartner ausübt/ausüben;
 
     * ``DIRECTOR``
 
       * **Label DE:**
 
         ... falls auch diese Person(en) nicht festgestellt werden kann/können, oder diese
         Person(en) nicht besteht/bestehen, erklärt der Vertragspartner, dass die
         nachfolgend aufgeführte(n) Person(en) die Geschäftsführung ausüben.
 
 
 * ``IDENTITY_LIST[].FULL_NAME``
 
   * **Type:** Single line text
   * **Label DE:** Name, Vorname
 
 * ``IDENTITY_LIST[].DOMICILE``
 
   * **Type:** Multi-line text
   * **Label DE:** Effektive Wohnsitzadresse
 
 * ``THIRD_PARTY_OWNERSHIP``
 
   * **Type:** Choice yes/no
 
     * **Label DE:**
       Ist eine Drittperson an den auf dem Konto/Depot liegenden Vermögenswerten wirtschaftlich berechtigt?
 
   * **Choices:**
 
     * false
 
       * **Label DE**: Nein
 
     * true
 
       * **Label DE**: Ja. => Die entsprechenden Angaben zur wirtschaftlichen Berechtigung sind durch
         das Ausfüllen eines separaten Formulars VQF Dok Nr. 902.9 zu erheben.
 
 
 * ``ATTACHMENT_SIGNED_DOCUMENT``
 
   * **Label DE:** Scan des vom Kunden unterschriebenen Formulars.
 
 **Strings**
 
 * ``TITLE_VQF_902_11_OFFICER``
 
   * **DE:**
     Feststellung des Kontrollinhabers an nicht
     operativ tätigen juristischen Personen und
     Personengesellschaften (K)
 
 * ``INFO_VQF_902_11_OFFICER``
 
   * **DE:**
     (bei operativ tätigen juristischen Personen und Personengesellschaf ten als Vertragspartner
     sowie sinngemäss bei operativ tätigen juristischen Personen und Personengesellschaf ten als
     wirtschaf tlich Berechtigte)
 
 
 vqf_902_12
 ^^^^^^^^^^
 
 **Purpose:** Declaration for foundations.
 
 **This form will not be supported for the TOPS MVP. Foundations will either
 not be accepted as customers or the AML officer will need to submit
 a PDF form.**
 
 vqf_902_13
 ^^^^^^^^^^
 
 **Purpose:** Declaration for trusts.
 
 **This form will not be supported for the TOPS MVP. Trusts will either
 not be accepted as customers or the AML officer will need to submit
 a PDF form.**
 
 
 vqf_902_14
 ^^^^^^^^^^
 
 **Filled out by:** AML officer only.
 
 **Purpose**: Special clarifications regarding the customer. This form is filled
 out by at the initiative of the AML officer or in response to an alert.
 
 **Form Demo:** `Link <https://www.taler.net/files/storybook-forms/stories.html#forms-vqf_902_14-EmptyForm>`__
 
 **Attributes:**
 
 .. code:: none
 
    CUSTOMER_NAME :: String
    INCRISK_REASON :: Text
    INCRISK_MEANS :: 'GATHERING' | 'CONSULTATION' | 'ENQUIRIES' | 'OTHER'
    when INCRISK_MEANS_OTHER = 'OTHER' {
      INCRISK_MEANS_OTHER :: Text
    }
    INCRISK_SUMMARY :: Text
    INCRISK_DOCUMENTS :: Text
    INCRISK_RESULT :: (
      'NO_SUSPICION' | 'SUBSTANTIATED_SUSPICION' |
      'SIMPLE_SUSPICION' | 'OTHER')
    if INCRISK_REASON = 'OTHER' {
      INCRISK_RESULT_OTHER :: Text
    }
 
 * ``CUSTOMER_NAME``
 
   * **Type**: String
   * **Label DE:** Vertragspartei
 
 * ``INCRISK_REASON``
 
   * **Type:** Free-form, multi-line text.
   * **Label DE:** [Grund für die besonderen Abklärungen]
     Beschreibung der Umstände/Transaktionen, die zu
     den besonderen Abklärungen geführt haben
 
 * ``INCRISK_MEANS``
 
   * **Type**: Single choice
   * **Choices**:
 
     * ``GATHERING``
 
       * **Label DE:** Einholen Auskunft von Vertragspartei, an Vermögenswerten
         wirtschaftlich berechtigten Person, Kontrollinhaber
 
     * ``CONSULTATION``
 
       * **Label DE:** Konsultation öffentlicher Quellen und Datenbanken
 
     * ``ENQUIRIES``
 
       * **Label DE**: Erkundigung bei vertrauenswürden Dritten (z.B. Depotbank)
 
     * ``OTHER``
 
       * **Label DE**: Andere, welche?
 
   * **Label DE:** Verwendete Mittel zur Abklärung
 
 * ``INCRISK_MEANS_OTHER``
 
   * **Type:** Free-form, multi-line text
   * **When:**  ``INCRISK_MEANS = 'OTHER'``
   * **Label DE:** Erklärung zu anderem Mittel
 
 * ``INCRISK_SUMMARY``
 
   * **Type:** Fee-form, multi-line text.
   * **Label DE:** Zusammenfassung und Plausibilisierung der eingeholten Informationen
     (=> Die Ergebnisse der Abklärungen sind zu dokumentieren und auf ihre Plausibilisierung zu überprüfen.)
 
 * ``INCRISK_DOCUMENTS``
 
   * **Type:** Fee-form, multi-line text.
   * **Label DE:** Eingeholte/eingesehene Unterlagen
 
 * ``INCRISK_RESULT``
 
   * **Type:** Single Choice
   * **Choices:**
 
     * ``NO_SUSPICION``
 
       * **Label DE**: Sachverhalt konnte plausibilisiert werden, kein
         begründeter Verdacht nach Art. 9 GwG (evtl. Anpassung Kun- denprofil (VQF
         Dok. Nr. 902.5) und/oder Risikoprofil (VQF Dok. Nr. 902.4))
 
     * ``REASONABLE_SUSPICION``
 
       * **Label DE**: Begründeter Verdacht nach Art. 9 GwG, Meldepflicht an MROS
 
     * ``SIMPLE_SUSPICION``
 
       * **Label DE:** Einfacher Verdacht nach Art. 305ter Abs. 2 StGB, Melderecht an MROS
 
     * ``OTHER``
 
       * **Label DE:** Anderes, was?
 
 * ``INCRISK_RESULT_OTHER``
 
   * **Type:** Free-form, multi-line text
   * **When:**  ``INCRISK_RESULT = 'OTHER'``
   * **Label DE:** Erklärung zu anderem Verdacht
 
 
 vqf_902_15
 ^^^^^^^^^^
 
 **Purpose:** Declaration for life insurance companies.
 
 **This form will not be supported for the TOPS MVP. Life insurance companies
 will either not be accepted as customers or the AML officer will need to submit
 a PDF form**
 
 
 Derived Properties and Events (AML Officer)
 -------------------------------------------
 
 When the AML officer submits a form, the AML SPA will derive some pre-defined
 properties and events from the filled-in form attributes. The AML Officer can change
 (override) these derived properties and events.
 
 * Assumptions:
 
  * Properties are always calculated only based on new attributes and the previous properties. They are never calculated
    from older attribute collections or the current rules.
  * The AML officer can always override derived properties or events.
  * In the future, we might derive *rules* from properties, but we don't do that right now.
 
 The derivation is defined in pseudo-code.  The following special
 variables/functions are available:
 
 * ``oldProps``: Previous properties of the account (before the decision)
 * ``newProps``: New properties of the account (i.e. the derived properties)
 * ``form``: Form attributes of the AML form submitted by the AML officer
 * ``emit(evt)``: Function that marks an event as emitted
 * ``propBecameTrue(prop)``: Helper predicate that returns true iff a property was false or undefine before (in ``oldProps``)
   and is now true (in ``newProps``).
 * ``propBecameFalse(prop)``: Helper predicate that returns true iff a property was true before (in ``oldProps``)
   and is now false or undefined (in ``newProps``).
 
 The event-rule tag is included to reference the implementation and testing functions in code.
 
 vqf_902_1_officer
 ^^^^^^^^^^^^^^^^^
 
 Properties:
 
 .. code:: javascript
 
    newProps.ACCOUNT_OPEN = true;
 
 Events:
 
 .. code:: javascript
 
    if (propBecameTrue(ACCOUNT_OPEN)) {
      emit(INCR_ACCOUNT_OPEN); // event-rule 1
 
      const isPep = (
        newProps.PEP_FOREIGN ||
        newProps.PEP_DOMESTIC ||
        newProps.PEP_INTERNATIONAL_ORGANIZATION
      );
 
      if (isPep) {
        emit(INCR_PEP); // event-rule 2
      }
 
      if (newProps.PEP_FOREIGN) {
        emit(INCR_PEP_FOREIGN); // event-rule 3
      }
 
      if (newProps.PEP_DOMESTIC) {
        emit(INCR_PEP_DOMESTIC); // event-rule 4
      }
 
      if (newProps.PEP_INTERNATIONAL_ORGANIZATION) {
        emit(INCR_PEP_INTERNATIONAL_ORGANIZATION); // event-rule 5
      }
 
      if (newProps.HIGH_RISK_CUSTOMER) {
        emit(INCR_HIGH_RISK_CUSTOMER); // event-rule 6
      }
 
      if (newProps.HIGH_RISK_COUNTRY) {
        emit(INCR_HIGH_RISK_COUNTRY); // event-rule 7
      }
    }
 
 
 vqf_902_4
 ^^^^^^^^^
 
 Properties:
 
 .. code:: javascript
 
    newProps.PEP_FOREIGN = form.PEP_FOREIGN;
    newProps.PEP_DOMESTIC = form.PEP_DOMESTIC;
    newProps.PEP_INTERNATIONAL_ORGANIZATION = form.PEP_INTERNATIONAL_ORGANIZATION;
    newProps.HIGH_RISK_CUSTOMER = form.RISK_CLASSIFICATION_LEVEL == "HIGH_RISK";
    newProps.HIGH_RISK_COUNTRY = form.COUNTRY_RISK_NATIONALITY_LEVEL == "HIGH";
 
 Events:
 
 .. code:: javascript
 
    if (oldProps.ACCOUNT_OPEN) {
      if (propBecameTrue(PEP_FOREIGN) {
        emit(INCR_PEP_FOREIGN); // event-rule 8
      }
      if (propBecameTrue(PEP_INTERNATIONAL_ORGANIZATION) {
        emit(INCR_PEP_INTERNATIONAL_ORGANIZATION); // event-rule 9
      }
      if (propBecameTrue(PEP_DOMESTIC) {
        emit(INCR_PEP_DOMESTIC); // event-rule 10
      }
      if (propBecameFalse(PEP_FOREIGN) {
        emit(DECR_PEP_FOREIGN); // event-rule 11
      }
      if (propBecameFalse(PEP_INTERNATIONAL_ORGANIZATION) {
        emit(DECR_PEP_INTERNATIONAL_ORGANIZATION); // event-rule 12
      }
      if (propBecameFalse(PEP_DOMESTIC) {
        emit(DECR_PEP_DOMESTIC); // event-rule 13
      }
      const wasPep = (
        oldProps.PEP_DOMESTIC ||
        oldProps.PEP_FOREIGN ||
        oldProps.PEP_INTERNATIONAL_ORGANIZATION);
      const isPep = (
        newProps.PEP_DOMESTIC ||
        newProps.PEP_FOREIGN ||
        newProps.PEP_INTERNATIONAL_ORGANIZATION);
      if (wasPep && !isPep) {
        emit(DECR_PEP); // event-rule 14
      }
      if (!wasPep & isPep) {
        emit(INCR_PEP); // event-rule 15
      }
      if (propBecameTrue(HIGH_RISK_COUNTRY)) {
        emit(INCR_HIGH_RISK_COUNTRY); // event-rule 16
      }
      if (propBecameFalse(HIGH_RISK_COUNTRY)) {
        emit(DECR_HIGH_RISK_COUNTRY); // event-rule 17
      }
      if (propBecameTrue(HIGH_RISK_CUSTOMER)) {
        emit(INCR_HIGH_RISK_CUSTOMER); // event-rule 18
      }
      if (propBecameFalse(HIGH_RISK_CUSTOMER)) {
        emit(DECR_HIGH_RISK_CUSTOMER); // event-rule 19
      }
    }
 
 
 vqf_902_14
 ^^^^^^^^^^
 
 Properties:
 
 .. code:: javascript
 
 
    if (INCRISK_RESULT == "SIMPLE_SUSPICION") {
      newProps.INVESTIGATION_STATE = "REPORTED_SUSPICION_SIMPLE";
    } else if (INCRISK_RESULT == "SUBSTANTIATED_SUSPICION") {
      newProps.INVESTIGATION_STATE = "REPORTED_SUSPICION_SUBSTANTIATED";
    } else if (INCRISK_RESULT == "NO_SUSPICION") {
      newProps.INVESTIGATION_STATE = "INVESTIGATION_COMPLETED_WITHOUT_SUSPICION";
    } else if (INCRISK_RESULT == "OTHER") {
      // FIXME-#9677: would be nice if we instead could set the property to "undefined"/null
      // and *force* the AML officer to manually set it.
      // Alternatively, we should probably default to "INVESTIGATION_PENDING". -CG
      newProps.INVESTIGATION_STATE = "INVESTIGATION_COMPLETED_WITHOUT_SUSPICION";
    } else {
      not_reached();
    }
 
 Events:
 
 .. code:: javascript
 
    if (oldProps.INVESTIGATION_STATE == "NONE" ||
        oldProps.INVESTIGATION_STATE == "INVESTIGATION_PENDING" ||
        oldProps.INVESTIGATION_STATE == null) {
      if (newProps.INVESTIGATION_STATE == "REPORTED_SUSPICION_SIMPLE" ||
          newProps.INVESTIGATION_STATE == "REPORTED_SUSPICION_SUBSTANTIATED" ||
          newProps.INVESTIGATION_STATE == "INVESTIGATION_COMPLETED_WITHOUT_SUSPICION") {
        emit(INCR_INVESTIGATION_CONCLUDED); // event-rule 20
      }
      if (newProps.INVESTIGATION_STATE == "REPORTED_SUSPICION_SUBSTANTIATED") {
        // FIXME-//9676: if possible, we should force the AML officer to tick
        // an extra check-box "I submitted this case to MROS". No need to
        // actually do anything here server-side, it's more an explicit
        // acknowledgement/reminder to make really sure this event is only
        // emitted if the report was files.
        emit(MROS_REPORTED_SUSPICION_SUBSTANTIATED); // event-rule 21
      }
      if (newProps.INVESTIGATION_STATE == "REPORTED_SUSPICION_SIMPLE") {
        // FIXME-//9676: if possible, we should force the AML officer to tick
        // an extra check-box "I submitted this case to MROS". No need to
        // actually do anything here server-side, it's more an explicit
        // acknowledgement/reminder to make really sure this event is only
        // emitted if the report was files.
        emit(MROS_REPORTED_SUSPICION_SIMPLE); // event-rule 22
      }
    }
 
 Derived Properties and Events (Customer/KYC forms)
 --------------------------------------------------
 
 When the customer submits an AML form, the AML program that checks the
 form can also derive properties and events.
 
 Examples for this are:
 
 * When the customer selects a correspondence language, a property could be set to
   store the correspondence language.
 * When the customer fills out a form that requires the AML officer to
   check the form, a property could be used to indicate which manual verification
   from the AML officer is still pending.
 
 **TBD: Spec this fully**
 
 
 Reporting
 ---------
 
 GwG File List
 ^^^^^^^^^^^^^
 
 VQF requires a list of all open and closed GwG files.
 To satisfy this requirement, we need a *table* of all AML accounts
 with the following colums (see VQF 902.8):
 
 * File number (should take some row ID)
 * Customer (internal designation is also okay); use payto:// data
 * Comments
 * Increased risk business relationship (yes/no)
 * Acquisition date
 * Exit date
 
 Event Reporting (VQF)
 ^^^^^^^^^^^^^^^^^^^^^
 
 The VQF self-declaration contains the following questions that we need
 to answer with statistics derived via events:
 
 .. code:: none
 
   Original German Text:
 
   3. Anzahl der betreuten GwG-Files
 
   3.1. GwG-Files für dauernde Geschäftsbeziehungen (gemäss Art. 7 lit. b SRO-Reglement)
 
   3.1.1. Anzahl der am 01.01.20XX betreuten GwG-Files
 
   3.1.2. Zwischen 01.01.20XX und 31.12.20XX hinzugekommene GwG-Files
 
   3.1.3. Anzahl der während des Jahres 20XX betreuten GwG-Files
   (Relevante Zahl für die jährliche GwG-File Gebühr / Jahresrechnung)
 
   3.1.4. Zwischen 01.01.20XX und 31.12.20XX beendigte GwG-Files
 
   3.1.5. Anzahl der am 31.12.20XX betreuten GwG-Files (gerechnet ab dem 01.01.20XX)
 
   4. Angaben zu Kundenstruktur, Produkten, Betriebsstruktur
 
   4.1. Führten Sie im Jahre 2024 Geschäftsbeziehungen mit erhöhtem Risiko (Art. 58 SRO-Reglement)?
 
   4.2. Falls bei Ziff. 4.1 mit "Ja" geantwortet, bei wie vielen davon handelt es
   sich um politisch exponierte Personen (PEP)? (nummerische Anzahl)
 
   4.3. Wie viele von den genannten PEP sind ausländische PEP?
   (nummerische Anzahl)
 
   4.4. Falls bei Ziff. 4.1 mit "Ja" geantwortet, wie viele weitere
   (zusätzlich zu den in Ziff. 4.2 / PEP genannten)
   Geschäftsbeziehungen mit erhöhten Risiken führten Sie?
   (nummerische Anzahl)
 
   4.5. Total der Geschäftsbeziehungen mit erhöhtem Risiko
 
   4.6. Führten Sie im Jahre 2024 Geschäftsbeziehungen mit
   Vertragspartnern oder wirtschaftlich berechtigten Personen mit
   Nationalität oder Domizil/Sitz in einem Land mit Risikostufe
   "High" gemäss VQF-Länderliste (VQF Dok. Nr. 902.4.1)?
 
   5. Meldungen an die Meldestelle (MROS)
 
   5.1. Meldepflicht (Art. 9 Abs. 1 GwG) (nummerische Anzahl)
   5.2. Melderecht (Art. 305ter Abs. 2 StGB) (nummerische Anzahl)
   5.3. Total der an die Meldestelle (MROS) und den VQF erfolgten MROS-Meldungen
 
 
   English Translation
 
   TBD.
 
 
 Based on this, we have the following statistics:
 
 * Number of open accounts on January 1st (self-declaration 3.1.1)
 
   * Implemementation: ``evtcount(INCR_ACCOUNT_OPEN, start=0, end=jan_first_20xx) - evtcount(DECR_ACCOUNT_OPEN, start=0, end=jan_first_20xx)``
 
 * Number of newly opened accounts between 01.01.20XX and 31.12.20XX (self-declaration 3.1.2.)
 
   * Implemementation: ``evtcount(INCR_ACCOUNT_OPEN, start=jan_first_20xx, end=dec_last_20xx)``
 
 * Number of AML files managed during the year 20XX (self-declaration 3.1.3.)
 
   * All accounts ever opened except the ones that were closed *before* 20xx
   * Implemementation: ``evtcount(INCR_ACCOUNT_OPEN, start=0, end=dec_last_20xx) - evtcount(DECR_ACCOUNT_OPEN, start=0, end=jan_first_20xx)``
 
 * Number of AML files closed between 01.01.20XX and 31.12.20XX (self-declaration 3.1.4)
 
   * Implemementation: ``evtcount(DECR_ACCOUNT_OPEN, start=jan_first_20xx, end=dec_last_20xx)``
 
 * Were there business relationships in the year 20XX with high risk? (self-declaration 4.1)
 
   * Implementation: ``evtcount(INCR_HIGH_RISK_CUSTOMER, start=0, end=dec_last_20xx) - evtcount(DECR_HIGH_RISK_CUSTOMER, start=0, end=dec_last_20xx) > 0``
 
 * Of those, how many were with PEPs? (self-declaration 4.2.)
 
   * Implementation: ``evtcount(INCR_PEP, start=0, end=dec_last_20xx) - evtcount(DECR_PEP, start=0, end=dec_last_20xx)``
 
 * Of those PEPs, how many were with *foreign* PEPs? (self-declaration 4.3.)
 
   * Implementation: ``evtcount(INCR_PEP_FOREIGN, start=0, end=dec_last_20xx) - evtcount(DECR_PEP_FOREIGN, start=0, end=dec_last_20xx)``
 
 * Number of other additional (other than PEPs and foreign PEPs) high-risk business relationships in 20XX (self-declaration 4.4.)
 
   * Implementation: Difference between 4.5. and 4.2
 
 * Number of high-risk business relationship n total in 20xx (self-declaration 4.5.)
 
   * Implementation: ``evtcount(INCR_HIGH_RISK_CUSTOMER, start=0, end=dec_last_20xx) - evtcount(DECR_HIGH_RISK_CUSTOMER, start=0, end=dec_last_20xx)``
 
 * Number of reports (substantiated suspicion) to MROS during 20xx (self-declaration 5.1)
 
   * Implementation: ``evtcount(REPORTED_SUSPICION_SUBSTANTIATED, range=year_20xx)``
 
 * Number of reports (simple suspicion) to MROS during 20xx (self-declaration 5.2)
 
   * Implementation: ``evtcount(REPORTED_SUSPICION_SIMPLE, range=year_20xx)``
 
 * Total number of reports to MROS during 20xx (self-declaration 5.3)
 
   * Implementation: ``evtcount(REPORTED_SUSPICION_SIMPLE, range=year_20xx) + evtcount(REPORTED_SUSPICION_SUBSTANTIATED, range=year_20xx)``
 
 
 Event Reporting (TOPS)
 ^^^^^^^^^^^^^^^^^^^^^^
 
 The following event-based statistics are custom-defined by us and shown in the AML officer dashboard.
 
 * Number of accounts that are opened:
 
   * Implementation: ``evtcount(INCR_ACCOUNT_OPEN) - evtcount(DECR_ACCOUNT_OPEN)``
 
 * Number of new GwG files in the last year.
 
   * Implementation: ``evtcount(INCR_ACCOUNT_OPEN, range=last_year)``
 
 * Number of GwG files closed in the last year
 
   * Implementation: ``evtcount(DECR_ACCOUNT_OPEN), range=last_year)``
   * Note: we only close GwG files after 1 year of inactivity, so implementation not exactly pressing ...
 
 * Number of GwG files of high-risk customers
 
   * Implementation: ``evtcount(INCR_HIGH_RISK) - evtcount(INCR_HIGH_RISK)``
 
 * Number of GwG files managed with "increased risk" due to PEP status
 
   * Implementation: ``evtcount(INCR_PEP) - evtcount(DECR_PEP)``
 
 * Number of MROS reports based on Art 9 Abs. 1 GwG (per year)
 
   * Implementation: ``evtcount(MROS_REPORTED_SUSPICION_SUBSTANTIATED, range=last_year)``
 
 * Number of MROS reports based on Art 305ter Abs. 2 StGB (per year)
 
   * Implementation: ``evtcount(MROS_REPORTED_SUSPICION_SIMPLE, range=last_year)``
 
 * Number of customers involved in proceedings for which Art 6 GwG did apply
 
   * Implementation: ``evtcount(INCR_INVESTIGATION, range=last_year)``
 
 
 
 Suspicious Transaction Reporting
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Also called TmeR ("Transaktionen mit erhoehtem Risiko").
 We define fixed criteria that apply to all customers.
 
 Examples:
 
 * sudden increase in volume (monthly volume exceeding previous year's, plus above 100,000 CHF)
 
 https://bugs.taler.net/9639
 
 
 Sanction Lists
 --------------
 
 When a new customer is onboarded, they are checked against a sanction list.
 
 Three properties are set:
 
 * ``SANCTION_LIST_BEST_MATCH`` identifies the position of the entry in
   the sanctions list that matches the new customer the best
 * ``SANCTION_LIST_RATING`` is set to a numeric score ``[0,1]`` that
   identifies how well the available data matches (with 1.0 being a perfect
   match)
 * ``SANCTION_LIST_CONFIDENCE`` is set to a numeric score ``[0,1]`` that
   indicates how confident we are that the rating is accurate, with 0
   indicating no data available, and 1 indicating that all possible
   fields could be evaluated
 * ``INVESTIGATION_STATE`` is set to ``INVESTIGATION_PENDING``
   if the rating and confidence are sufficiently high
 * ``INVESTIGATION_TRIGGER`` is set to ``SANCTION_LIST_MATCH``
 
 Finally, sanction list hits trigger one of two possible events:
 
 * ``sanction-list-hit-account-frozen`` is set if the hit was so clear
   that the system immediately froze the account
 * ``sanction-list-hit-partial-account-investigated`` is set if the hit
   requires the account to be investigated
 
 
 Implementation Gaps
 -------------------
 
 Auditing:
 
 * For the yearly audit, it would be convenient (and probably also *necessary*)
   to show all information we have on an exchange AML account (=GwG file in VQF terminology)
   on a single, printable page.
 
 Moving logic into the AML programs:
 
 * For ``vqf_902_1_officer``, it would be great if an AML program could check
   that required forms have actually been submitted.
 
 * For MROS reporting, submission of the ``vqf_902_14`` should run an AML
   program that sets the events/properties based on the form.
 
 
 Open Questions
 --------------
 
 
 * Do we use ``Boolean`` attributes or always ``'YES' | 'NO'`` to be extensible
   in the future?
 
 * General forms question: Are attributes *first* stored and *then* validated or the
   other way around? If first stored: What if the AML program fails to run?
 
 * We need a generic way to show INFO to a customer (e.g. asking for more documents)
 
 
 FAQ
 ---
 
 * Q: What's the difference between the controlling entity and beneficiary owner?
 
   * A: Controlling entity: Natural person(s) with at least 25% ownership or voting rights (direct or indirect, alone or colletively).
     Beneficial owner:  Natural person(s) who enjoy the benefits of ownership even though the title to some form of property is in another name.
 
 * Q: How is the "file note" (German: "Aktennotiz") handled?
 
   * A: Two ways: Each AML customer account can have a note as a property.
     For more complex notes (attachments, more sensitive information),
     a ``generic_note`` form should be submitted by the AML officer.
 
 * Q: What's the difference between simple/substantiated suspicion?
 
   A: Simple suspicion is a suspicion according to Art 305ter Abs. 2 StGB. It is
   a suspicion that *may* be reported ("Melderecht"). A substantiated suspicion
   is according to Art. 9 GwG and *must* be reported ("Meldepflicht")
 
 References
 ----------
 
 * Taler-Exchange AML flows (`git <https://git.taler.net/exchange.git/tree/doc/flows/main.tex>`_, `PDF <http://taler.net/files/taler-exchange-flows.pdf>`__)
 * VQF forms (`VQF Website <https://www.vqf.ch/de/vqf-downloads>`__)
 * GANA form attributes (`git <https://git.taler.net/gana.git/tree/gnu-taler-form-attributes/registry.rec>`__)
 * taler-typescript-core forms implementation (`git <https://git.taler.net/taler-typescript-core.git/tree/packages/web-util/src/forms/gana>`__)