
Compliance.

ExCom built and operates a single internal trading platform — the ExCom Trading Platform — that runs every lot from origin to settlement: order capture, counterparty data, transit, pricing window, audit trail. Compliance is one chapter of that platform, the chapter that proves what the others did. Doré moves through opacity. The work of buying it is therefore inseparable from the work of seeing through that opacity — origin verification, counterparty discipline, transaction monitoring, and a documentary trail that survives an audit five years on.

Statutory: AML/CFT (Malta)
Origin: OECD DDG
Refining: LBMA RGG
Voluntary: RJC CoC

FIG. 00 · Jurisdiction: Malta — the statutory perimeter under which ExCom operates. AML/CFT, audit, and board governance are anchored here.
Posture

Posture, not posture-taking.

Public-facing compliance pages tend to drift toward declarative virtue — a list of what a firm believes. That is not what compliance is. Compliance is a set of operational artifacts: questionnaires returned, transactions monitored, alerts adjudicated, files preserved. This page describes the artifacts, not the beliefs.

The frameworks below are not equally weighted. Maltese AML/CFT statute is binding; it sets the floor. The OECD Due Diligence Guidance is the operating manual the trading book runs on day-to-day. LBMA Responsible Gold Guidance is the standard refineries hold ExCom to as their counterparty. RJC Chain of Custody is voluntary alignment to industry best practice for downstream traceability.

Origin diligence

The five OECD steps, applied.

The OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas is the lingua franca of doré sourcing. ExCom applies it in the form intended by the OECD — a five-step risk-based management system, not a checkbox.

FIG. 01 · Records: The OECD steps live or die on documentation. Counterparty files, risk-response logs, and audit working papers are retained for the statutory five-year window.
Step 01

Establish strong company management systems

A documented supply-chain policy aligned to OECD Annex II, embedded in counterparty contracts. A nominated senior compliance officer accountable to the board for chain-of-custody integrity. Counterparty and transaction records preserved for five years. Internal training cadence covering compliance, finance, and operations staff annually.

Evidence: Policy register · officer mandate · training log · records-retention schedule
Step 02

Identify and assess risks in the supply chain

Origin verification at first counterparty: producer KYC, ultimate beneficial ownership, jurisdictional risk screening, sanctions screening (UN, EU, OFAC, UK), PEP screening, adverse-media review. Annex II red-flag screen against each producer-and-route combination, refreshed at every transaction. Lots originating in CAHRA jurisdictions or routed through them are escalated for enhanced diligence ex-ante.

Evidence: Producer KYC dossier · UBO chart · screening hits log · Annex II risk score per lot
Step 03

Design and implement a strategy to respond to identified risks

Where risk is identified, the response is graduated: enhanced controls, mitigation timeline negotiated with the counterparty, or — where mitigation is not possible — disengagement. Disengagement decisions are board-approved and documented. Risk-mitigation timelines are tracked to closure, with periodic reassessment of whether mitigation is in fact occurring.

Evidence: Risk-response register · mitigation milestone tracker · disengagement minutes
Step 04

Carry out independent third-party audit

The supply-chain due diligence system is subject to independent assurance against the OECD Guidance and the LBMA Responsible Gold Guidance. The audit covers policy, governance, risk identification, risk response, transactional sampling, and records integrity. Audit findings, management response, and remediation timelines are formally tabled with senior management.

Evidence: Annual independent assurance report · management response · remediation log
Step 05

Report on supply-chain due diligence

An annual public-facing supply-chain due diligence report is published, summarising scope, jurisdictions sourced, risks identified, responses taken, audit outcome, and management actions. Counterparty-specific information is redacted; aggregate statistics are disclosed. The report is the primary external accountability artifact.

Evidence: Annual SCDD report · audit summary · aggregate sourcing statistics
Counterparty diligence

The KYC stack.

Every counterparty — producer, refinery, logistics provider, banking counterparty — passes through the same intake protocol before any commercial relationship is opened. The stack is described below in functional terms; specific provider names are confidential and disclosed under engagement.

L1

Identity & structure

Legal entity verification, beneficial ownership chart to natural persons (≥10% threshold), board and signatory map, regulatory licence verification where applicable, articles of association.

L2

Sanctions, PEP & adverse media

Continuous screening against UN, EU, OFAC, UK sanctions lists; politically-exposed persons screening at UBO and signatory level; structured adverse-media sweep with hits triaged by a compliance analyst, not auto-cleared.

L3

Source-of-funds & source-of-wealth

For producer counterparties, evidence of operational provenance — production licence, mining title, royalty arrangements. For institutional counterparties, audited financials and banking references. Source-of-funds is verified per transaction above defined thresholds.

L4

Operational diligence

Site visits to producer counterparties at material engagement thresholds. Independent assay and weight verification. Logistics and insurance counterparty due diligence. Refinery accreditation status verification (LBMA Good Delivery, RJC certification).

L5

Ongoing monitoring

Annual KYC refresh as standard; trigger-based refresh on adverse-media hit, sanctions update, ownership change, or material transaction-pattern deviation. Transaction monitoring with parametrised thresholds, alerts adjudicated within 48 hours.

Audit cadence

Three audit clocks.

Audit is not a single annual event. ExCom runs three concurrent audit cadences, calibrated to what each is meant to surface.

FIG. 02 · Custody: Records are held under controlled access — chain-of-custody is the audit substrate, not a metaphor.
Annual

Statutory financial audit

Conducted under International Standards on Auditing by an independent registered audit firm. Covers financial statements, internal controls over financial reporting, going concern, and related-party disclosure.

Auditor: KPMG (Malta)
Cycle: Calendar-year
Annual

Supply-chain due diligence audit

Independent third-party assurance against OECD DDG and LBMA RGG. Covers policy, governance, risk identification, risk response, transactional sampling, and records integrity. Findings tabled with management; remediation tracked to closure.

Standard: OECD · LBMA
Cycle: Calendar-year
Quarterly

Internal compliance review

Internal sample-based review of KYC files, transaction monitoring alerts, suspicious-activity reports filed, sanctions screening hits, and risk-register updates. Findings delivered to the senior compliance officer and tabled at the next governance meeting.

Owner: Compliance function
Cycle: Q1 · Q2 · Q3 · Q4
Suspicious activity

Reporting protocol.

Where transaction patterns or counterparty behaviour cross defined thresholds, ExCom files a Suspicious Transaction Report with the Maltese Financial Intelligence Analysis Unit (FIAU). The protocol below governs how that determination is made and how it is documented.

01

Detection

Alerts generated by transaction monitoring, by sanctions / PEP / adverse-media screening, or by frontline staff observation are logged in a single alert register within one business day of detection.

02

Triage

The compliance function adjudicates each alert within 48 hours. Adjudication is recorded with a reasoned decision: cleared, escalated, or referred to the senior compliance officer for STR consideration.

03

STR determination

Where suspicion meets the statutory threshold, the senior compliance officer prepares the report and files with the FIAU within the statutory window. Filing is documented in a confidential STR register accessible only to the compliance function.

04

Tipping-off prohibition

Under Maltese statute, the existence of an STR may not be disclosed to the counterparty. ExCom maintains internal information-barrier controls to prevent inadvertent disclosure during ongoing commercial dialogue.

05

Continuation or termination

Filing an STR does not automatically terminate a counterparty relationship. The board takes a separate, documented decision on continuation, taking into account FIAU guidance where given, and the wider counterparty risk profile.

Governance

Where compliance sits.

Compliance reports independently of the trading function. The senior compliance officer has a direct reporting line to the board, with authority to halt transactions where compliance thresholds are not met.

Senior compliance officer

Mandated by the board, responsible for the AML/CFT programme, OECD DDG implementation, and STR filings. Reports to the board, not to the trading function. Holds authority to halt transactions.

Board oversight

The board reviews the compliance dashboard at every quarterly meeting: KYC pipeline, alert volumes, STR statistics, audit findings, and risk-register movements. Material items are tabled out-of-cycle on a same-week basis.

Independence

Compliance budget, hiring, and engagement of external auditors and counsel are not subject to trading-function approval. The independent audit firm is appointed by the board on a multi-year mandate.

Whistleblowing

A confidential channel is available to staff and counterparties for reporting suspected breaches of policy, statute, or industry standard. Reports are received by the senior compliance officer; retaliation is prohibited under board policy.

Counterparty enquiries

Compliance documentation available under engagement.

Counterparty compliance packets — supply-chain due diligence report, KYC questionnaire, statutory licence evidence, audit summary — are released to qualified counterparties under written request. Routed via the compliance function.

info@ex-com.org