Notice No. 4/GBM/2015 of 17 June Approving the Guidelines on Prevention and Repression of Money Laundering and Terrorist Financing

SUMÁRIO A V I S O The matter to be published in the «Boletim da República» must be submitted as a duly authenticated copy, one for each subject matter, containing the necessary indications for that purpose, including the following endorsement, signed and authenticated: For publication in the «Boletim da República». IMPRENSA NACIONAL DE MOÇAMBIQUE, E.P. Banco de Moçambique: Notice No. 4/GBM/2015: Approves the Guidelines on Prevention and Repression of Money Laundering and Terrorist Financing. Wednesday, 17 June 2015 I SERIES — Number 48

Banco de Moçambique Notice No. 4/GBM/2015 of 17 June Law No. 14/2013, of 12 August, establishes the new regime for the Prevention and Combating of Money Laundering and Terrorist Financing in Mozambique and, among other aspects, grants supervisory authorities the competence to issue rules to materialize compliance with the law. Given the need to guide the conduct of financial institutions, which under the aforementioned Law fall under its supervisory scope, Banco de Moçambique, exercising the powers attributed to it by the combined provisions of paragraph a) of Article 27 and paragraphs b) and c) of paragraph 2 of Article 29 of the said Law, determines:

1. The Guidelines on Prevention and Repression of Money Laundering and Terrorist Financing, attached to this Notice, are approved, forming an integral part thereof.
2. Non-compliance with the rules of this Notice constitutes a regulatory offence punishable under Law No. 14/2013, of 12 August.
3. This Notice enters into force 60 (sixty) days after its publication, revoking all provisions to the contrary. Doubts arising in the interpretation and application of this Notice must be submitted to the Regulation and Licensing Department of Banco de Moçambique. Maputo, 6 May 2015. — The Governor of Banco de Moçambique, Ernesto Gouveia Gove.

Guidelines on Prevention and Repression of Money Laundering and Terrorist Financing CHAPTER I Object and Scope of Application

1. These guidelines establish the procedures and measures for prevention and repression of money laundering and terrorist financing.
2. These guidelines apply to all financial institutions that, under paragraphs a), b) and d) of paragraph 2 of Article 3 and paragraph a) of Article 27 of Law No. 14/2013, of 12 August, fall under the supervision of Banco de Moçambique.
3. Financial institutions of a different kind than banks and microbanks are subject to the rules of this Notice, insofar as they are applicable.

CHAPTER II Internal Control Programme SECTION I Responsibilities of the Board of Directors or Equivalent Body

1. The Board of Directors or body with equivalent functions of financial institutions must document and approve policies on risk identification, assessment, and management, and internal control measures that enable effective management and mitigation of identified money laundering and terrorist financing risks, prioritizing a risk-based approach.
2. The Board of Directors or equivalent body must ensure that the control process and adopted procedures are effective, efficient, and contribute to reducing the risk of the institution being used for money laundering and terrorist financing.
3. The money laundering and terrorist financing risk management policy must contain, inter alia: a) Policies and procedures on the duty of identification and verification, which must at least include: customer acceptance policy, procedures for identifying and monitoring suspicious transactions; b) Policies and procedures on risk assessment, management, and monitoring procedures; c) Policies regarding confidentiality of accounts under monitoring to determine suspicious transactions; d) Internal policies and procedures on reporting suspicious transactions and other types of reports; e) Internal policies and procedures on document retention.
4. The Board of Directors or equivalent body must also appoint, at headquarters, branches, subsidiaries, and other forms of representation, a Suspicious Transaction Reporting Officer (STRO). The STRO must be chosen from the institution's management-level staff and must, at minimum, exercise the duties referred to in paragraph 2 of this Chapter.
5. The Board of Directors or equivalent body must ensure sufficient resources for the STRO's functionality, namely human, material, and technological resources. The level of resources must reflect the institution's size, complexity, number of clients, and products offered.

SECTION II Responsibilities of the STRO

1. The STRO supports and guides the management of money laundering and terrorist financing risk in the financial institution.
2. Without prejudice to provisions established in other applicable legislation, the STRO's responsibilities include, inter alia: a) Ensuring the submission of suspicious transaction reports to the Financial Information Office of Mozambique (FIOM/GIFiM), with all relevant information regarding the transaction and the client; b) Ensuring the immediate submission of any additional information requested by competent authorities in cases of suspected money laundering and terrorist financing; c) Regularly reviewing the adequacy of the control system for preventing and combating money laundering and terrorist financing, namely by supervising the implementation of policies and procedures for prevention and combating, ensuring an appropriate monitoring process, and actively participating in the selection of information technology (software) applications to monitor clients and their transactions; d) Ensuring coordination with various stakeholders, namely internal auditors, external auditors, Banco de Moçambique, FIOM/GIFiM, and judicial authorities; e) Ensuring that all relevant information on the prevention of money laundering and terrorist financing is transmitted to employees, supervising compliance with the institution-approved training and capacity-building policies, and ensuring that its content is adequate, up-to-date, and aligned with best practices and trends in the boundaries of money laundering and terrorist financing.

SECTION III Responsibility of Internal Audit

1. Internal audit is responsible for conducting an independent assessment and ensuring the effectiveness and efficiency of the money laundering and terrorist financing prevention system, namely by verifying the adequacy of policies, procedures, and system support for detecting potential money laundering and terrorist financing operations.
2. The internal audit report must be submitted in a timely manner to the Board of Directors and the audit committee, if one exists.
3. The internal audit program must be aligned with the risk assessment conducted by the financial institution.

CHAPTER III Duty of Identification and Verification SECTION I Know Your Customer (KYC) Financial institutions must adopt policies on the identification and verification of their clients. The "Know Your Customer" policy of financial institutions must incorporate the following elements: a) Customer acceptance policy; b) Client identification and verification procedures; c) Operation monitoring; and d) Risk management.

SECTION II Customer Acceptance Policy

1. Financial institutions must develop a clear policy on customer acceptance, including applicable measures for each category of clients.
2. The customer acceptance policy must take into account risks associated with the client, country or geographic region, and risks associated with the delivery channel of the product, service, or operation (as per examples presented in Annex No. 1 of this regulation).
3. Essentially, the customer acceptance policy must integrate, without limitation, the following: a) Prohibition of opening anonymous or fictitious accounts; b) Prohibition of opening numbered accounts; c) Client categorization according to the risk assessment conducted; d) Necessary documentation, additional information to be required, and applicable measures for each category of client, based on the risk assessment conducted; e) Enhanced due diligence measures for accepting high-risk clients (as per examples, merely indicative, in Annex 2); f) Prohibition of opening or closing an account when the financial institution is unable to apply due diligence measures; g) The circumstances under which a client is allowed to act on behalf of another (natural person or entity) must be clear and in accordance with current legislation; h) Type of necessary inquiries before account opening, to verify that the client has no criminal records and is not on the list of terrorists or terrorist organizations.

SECTION III Client Identification and Verification Procedures SUBSECTION I General Procedures

1. Financial institutions must identify their clients under the terms and situations provided for in Law No. 14/2013, of 12 August, and whenever they lack sufficient and current information about the client.
2. Financial institutions must identify and verify the identity and current address of their clients and understand the nature of the client's business, sources of income, financial situation, and the quality with which they intend to establish a business relationship with the institution.
3. Financial institutions must ensure, as far as possible, that they are dealing with a reputable person and verify the identity of the person in question, in accordance with the provisions of this Chapter. If the funds to be deposited or transferred are provided by a third party, the institution must proceed with the identification and verification of this third party. If the institution is unable to determine whether the applicant in the business is acting on their own behalf or on behalf of a third party, it must consider submitting a suspicious operation report to FIOM/GIFiM.
4. Financial institutions must require clients to provide, in writing, the identity and information of the beneficial owner(s) of the business relationship or transaction, as part of monitoring measures to identify and verify their identity.
5. Financial institutions must obtain all necessary information to confirm the client's identity and verify the information provided by them. For this purpose, they may use available national and international public information, cross-reference with other evidence, namely service invoices for water, energy, telephone, telephone directories, credit registries, criminal records, and keep them in their files.
6. If the client is not the beneficiary of the business relationship, the institution must take reasonable measures to verify the identity of the beneficial owner, using relevant information or data obtained from a source considered reliable for confirmation.
7. When a client closes an account and requests the opening of another in the same institution, they are not exempt from the duty of identification and verification; in this case, details regarding the client's file must be reconfirmed. Account details and previously conducted due diligence for identity verification, along with records, must be transferred to the new account's records.
8. Any subsequent change in the client's name, address, or employment status known to the institution must be recorded and duly substantiated by documentary evidence, as part of the due diligence process. Information regarding the client and beneficial owner must be retained in the file.
9. If a client transfers the balance of an account they held with one bank to another institution, the receiving institution must consider the possibility that the previous account manager may have suspicions about the client's activities. If the receiving institution has any reason to suspect that the client was rejected by another financial institution, it must apply enhanced due diligence procedures before accepting them.
10. For individual accounts, financial institutions must ensure that identity proofs are obtained during a client interview to certify whether the client is indeed the person they claim to be, i.e., verifying the resemblance between the person and the photograph on the identity document.
11. For joint accounts, financial institutions must verify the names and addresses of all account holders.
12. The verification procedures necessary to establish the client's identity must be the same, regardless of account type (e.g., current account, deposit account, among others).
13. The name of the institution employee who conducted the account opening process and the senior responsible person who authorized the account opening must be recorded in the client's file.
14. Financial institutions must proceed with the identification and verification of persons or entities holding control over businesses and assets.
15. Whenever a financial institution cannot obtain all necessary due diligence information, it must not open the account, initiate commercial relations, or execute the transaction, and must consider sending a suspicious operation report to FIOM/GIFiM.

SUBSECTION II Opening of Individual Client Accounts In cases where the client is an individual, identification must be proven by presenting one of the official documents referred to in paragraph 2 of Article 5 of Decree No. 66/2014, of 29 October, taking into account the client's risk category.

SUBSECTION III In-Person Account Opening by Individual Clients

1. The identification of an individual client must cover the name, date of birth, physical address, nature of business, source of income, knowledge of normal financial transactions, and any representation relationship.
2. The names of individual clients must be verified through a valid document during an interview with them.
3. For the purposes of paragraph a) of paragraph 1 of Article 6 of Decree No. 66/2014, of 29 October, the following are considered reliable elements for confirming domicile: a) Invoices issued by energy, water, telephone, and internet service providers; b) Information from the telephone directory; c) Recent credit or debit card statement from another financial institution; d) Recent bank reference; e) Any other document that individually or cumulatively proves the applicant's business address, namely the neighborhood declaration and employer statement.

SUBSECTION IV Forms for Opening Individual Client Accounts

1. The account opening form for an individual client must, at minimum, contain the following information: a) Name; b) Current permanent address; c) Correspondence address; d) Telephone and fax number; e) Date and place of birth; f) Nationality; g) Occupation and employer name (if self-employed, the nature of self-employment and its confirmation); h) Unique Tax Identification Number (NUIT); i) Economic Activity Classifier Code (CAE); j) Signature(s); k) Bank reference letter from the bank where the non-resident is a client in their country of residence; l) Authorization for the financial institution to investigate and obtain references regarding the client.
2. The duly completed form must be accompanied by a legible copy of the identification document used and all documentation related to client identity verification.

SUBSECTION V Identity Verification in Non-In-Person Account Opening Cases Before accepting a business relationship with a non-in-person client, financial institutions must: a) Adopt identification procedures applicable to in-person clients and, as soon as possible, create conditions for an interview; b) Adopt enhanced due diligence measures to mitigate inherent risk (non-in-person client).

SUBSECTION VI Account Opening by Non-Resident Individual Clients

1. Non-resident individual clients requesting account opening from abroad must complete an application form containing, at minimum, the following information: a) Name; b) Permanent address; c) Current address; d) Telephone and fax number; e) Date and place of birth; f) Nationality(ies); g) Occupation and employer name (if self-employed, the nature of self-employment); h) Passport number, issue date, and expiry date; i) Signature(s); j) Bank reference letter from the institution where they are a client in their current country of residence; k) Authorization for the financial institution to investigate references regarding the potential client.
2. The completed application form must be accompanied by a copy of a valid passport and address information, confirmed through an original or authenticated copy of an invoice issued by third-party service providers, namely energy, water, telephone, and internet suppliers.
3. Additionally, as supplementary measures related to address verification, consultation of the telephone directory or inquiries with financial institutions or other entities in the client's country of residence may be requested, as well as consultations with national or international sources considered reliable by the requesting institution.

SUBSECTION VII Account Opening by Legal Entities

1. In the process of opening accounts for legal entities, financial institutions must verify: a) Identification of shareholders holding control over the company's business and assets; b) Identification of senior managers; c) Identification of all holders of qualified participation; d) Identification of all holders of bearer shares valued at 20% or more; e) Identification of persons authorized to represent the company; f) Unique Tax Identification Number (NUIT); g) Economic Activity Classifier Code (CAE); h) Proof of the company's legal existence.
2. The identification and verification process must display the elements indicated in paragraph 4 of Article 5 of Decree No. 66/2014, of 29 October.
3. In high-risk scenarios, verification and inquiries must be conducted via a visit to the company to ascertain its existence and confirm economic purpose according to the license or supervisory authority, ensuring whether the company continues to exist and has not been or is not in the process of dissolution or liquidation.
4. As with individual client accounts, "Know Your Customer" due diligence for legal entity accounts is a continuous process. If there are changes in the company's structure or ownership, or if suspicions arise from a change in business nature or payment/receipt profile through a corporate account, other verifications must be conducted to determine the reasons for such changes.

SUBSECTION VIII Account Opening by Non-Resident Legal Entities The identification and verification process referred to in paragraphs 26 to 29 of this Chapter is equally applicable, with necessary adaptations, to non-resident legal entities seeking to open an account from abroad.

SUBSECTION IX Fiscal Information

1. Financial institutions must, at the time of opening a bank deposit account, obtain information on the Unique Tax Identification Number (NUIT) of each respective holder.
2. The Unique Tax Identification Number (NUIT) may be proven by presenting the original or certified copy of a document containing that number, or through collecting and verifying this information element with the responsible management entities.

SUBSECTION X Consortiums/Unincorporated Companies

1. In cases of companies constituted in the form of consortia or unincorporated companies, the identification and verification of persons holding company control, shareholders with qualified participation, and their representatives must also comply with paragraphs 26 to 29 of this Chapter.
2. Financial institutions must conduct inquiries to confirm the true nature of business activities and verify whether the businesses in question have a legitimate purpose.

SUBSECTION XI Clubs and Charitable Institutions

1. Before opening accounts for clubs or charitable institutions, financial institutions must certify the legitimate purpose of the organization, request an authenticated copy of the club's or institution's constitution, and, in case of doubt, conduct a visit to their premises to understand the true nature of their activities.
2. The identification and verification of persons controlling the club or charitable institution must be determined according to procedures necessary for individual clients.
3. Changes occurring within the club or charitable institution imply a new duty of identification and verification.

SUBSECTION XII Foundations

1. The identification and verification of a foundation must, among others, be carried out according to the following: a) Its name; b) The registration certificate; c) Date and country of incorporation; d) Its professional domicile; e) Its main place of business and operations (if different from the professional domicile).
2. Due diligence for foundation verification is conducted, namely, through the registration certificate issued by the competent entity, the latest audited financial statements, and other additional information deemed pertinent.
3. Regarding persons directing the foundation, identity is required from management members or equivalent body, especially those with authority to conduct a transaction or give instructions on the use or transfer of funds or assets, the founder, executor, protector, beneficiary, and administrator.
4. If the foundation has charitable purposes, the norms relating to identity are applicable.