Financial Markets Anti-Money Laundering Act (FM-GwG)

All English translation of the authentic German text is unofficial and serves merely information purposes. The official wording in German can be found in the Austrian Federal Law Gazette (Bundesgesetzblatt; BGBl.). All translations have been prepared with great care, but linguistic compromises had to be made. The reader should also bear in mind that some provisions of these laws will remain unclear without certain background knowledge of the Austrian legal and political system. Please note that these laws may be amended in the future and check occasionally for updates. Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) Original Version: published in Federal Law Gazette I 118/2016 Amendments: Federal Law Gazette I 107/2017; 136/2017; 17/2018; 37/2018; 62/2019; 25/2021; 98/2021, 151/2024. Note about this translation: this consolidated version reflects the version of the Federal Act up to including the amendment published in Federal Law Gazette I 151/2024 as of the date below. Date: 01.01.2025

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 2 / 62 TABLE OF CONTENTS Section 1 Scope and Definition of Terms Article 1. Scope Article 2. Definition of Terms Section 2 Risk assessment Article 3. National cooperation and drawing up of the risk assessment Article 4. Risk assessment at company level Section 3 Customer due diligence Article 5. Application of due diligence obligations Article 6. Scope of due diligence obligations Article 7. Point of time of application of due diligence obligations Article 7a. Transaction monitoring using an artificial intelligence-based approach Article 8. Simplified due diligence Article 9. Enhanced due diligence Article 9a. Business relationships and transactions with a link to high-risk third countries Article 10. Correspondent relationships Article 11. Transactions and business relationships with politically exposed persons (PEPs) Article 11a. Transactions in connection with self-hosted wallet addresses Article 12. Inadmissible business relationships and measures for non-cooperative countries and territories Section 4 Performance by third parties Article 13. Admissibility of performance by third parties Article 14. Performance by third parties in the case of groups Article 15. Outsourcing and agency relationships Section 5 Reporting obligations Article 16. Reports to the Financial Intelligence Unit (Geldwäschemeldestelle) Article 17. Non-execution of transactions Article 18. Notifications from the competent authorities to the Financial Intelligence Unit (Geldwäschemeldestelle) Article 19. Exclusion from claims for damages and protection against threats Article 20. Prohibition of disclosure Section 6 Retention of records, data protection, exchange of information and requirements for their internal organisation Article 21. Requirements for retention of records and data protection Article 22. Exchange of information Article 23. Requirements for internal organisation and trainings

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 3 / 62 Article 23a. Requirements in relation to the risk of non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation Article 24. Strategies and procedures for groups Section 7 Supervision Article 25. Aims and principles of supervision Article 26. Authorisation for processing of personal data Article 27. Cooperation of Bundesrechnungszentrum GmbH Article 28. Supervision costs Article 29. Information and disclosure obligations Article 30. On-site inspections Article 31. Supervisory measures of the FMA Article 32. Supervision in the Context of the Freedom of Establishment and the Freedom to Provide Services Article 32a. Registration of providers of virtual currencies Article 33. Professional secrecy and cooperation between the FMA and other authorities in relation to the combating of money laundering and terrorist financing Section 8 Penal provisions and disclosures Article 34. Breaches of obligations Article 35. Penal liability of legal persons Article 36. Extension of the limitation period Article 37. Disclosure Article 38. Effective punishment of breaches of obligations Article 39. Usage of received fines Article 40. Protection of whistleblowers Article 41. Notifications to the European Supervisory Authorities Section 9 Transitional and final provisions Article 42. Entry into force Article 43. Entry into force of amendments Article 44. References Article 45. Gender-neutral use of language Article 46. Repealed (BGBl. I 62/2019) Article 47. Enforcement Clause Annexes Annex I Annex II Annex III

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 4 / 62 SECTION 1: SCOPE AND DEFINITION OF TERMS Scope Article 1. (1) This Federal Act shall apply to credit institutions and financial institutions as well as providers in relation to virtual currencies (obliged entities). Excluded from this group are branches or branch establishments located in other Member States of credit institutions and financial institutions incorporated in Austria. (2) Furthermore, this Federal Act shall also make provision for the coordination committee for developing measures and strategies for the prevention of money laundering and terrorist financing, the national risk assessment to be drawn up by this committee, as well as the provision of statistical and analytical duties required in relation thereto. Definition of Terms Article 2. For the purposes of this Federal Act, the following definitions shall apply:

1. credit institution: a credit institution pursuant to Article 1 para. 1 BWG and a CRR-credit institution pursuant to Article 9 BWG which provides activities in Austria through a branch.
2. financial institution: a. financial institution pursuant to Article 1 para. 2 nos. 1 to 6 BWG; b. an insurance undertaking pursuant to Article 1 para. 1 no. 1 VAG 2016 and a small insurance undertaking pursuant to Article 1 para. 1 no. 2 VAG 2016 respectively within the scope of their life assurance operations (classes 19 to 22 pursuant to Annex A to VAG 2016); c. an investment firm pursuant to Article 3 para. 1 WAG 2018 and an investment services provider pursuant to Article 4 para. 1 WAG 2018; d. an AIFM pursuant to Article 4 para. 1 AIFMG and a non-EU AIFM pursuant to Article 39 para. 3 AIFMG; e. an e-money institution pursuant to Article 3 para. 2 of the E-Geldgesetz 2010; f. a payment institution pursuant to Article 10 ZaDiG 2018; g. the Austrian Post with regard to its money transfer services; h. Financial institutions pursuant to points a) to d) of Article 3 (2) of Directive (EU) 2015/849 with their place of incorporation in another Member State with business operations conducted through branches or branch establishments located in Austria as well as branches or branch establishments of such financial institutions that are authorised in third countries.
3. beneficial owner: a beneficial owner pursuant to Article 2 WiEReG. Article 2 no. 1 WiEReG shall not apply to exchange-listed companies, whose securities are admitted to listing on a regulated market in one or more Member States, or exchange-listed companies from third countries which are subject to disclosure obligations pursuant to a Regulation to be issued by

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 5 / 62 the FMA on the basis of Article 122 para. 10 BörseG 2018 and such disclosure obligations are equivalent or comparable to those set forth in Union law. 4. trust or company service provider: any person providing one of the following services for third parties on a commercial basis: a. the formation of companies or other legal persons; b. acting as, or arranging for another person to act as, a director or secretary of a company, a partner of a partnership , or a similar position in relation to other legal persons; c. providing a registered office, business address, correspondence or administrative address and other related services for a company, a partnership or any other legal person or arrangement; d. acting as, or arranging for another person to act as, a trustee of an express trust or a similar legal arrangement; e. acting as, or arranging for another person to act as, a nominee shareholder for another person other than a company listed on a regulated market that is subject to disclosure requirements in accordance with Union law or subject to equivalent international standards. 5. Correspondent relationship: a. the provision of banking services by one credit institution as the correspondent to another credit institution as the respondent, including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services; b. the relationships between and among credit institutions and financial institutions including where similar services are provided by a correspondent institution for a respondent institution; these include inter alia relationships established for securities transactions or funds transfers or for transactions with crypto-asset or crypto-asset transfers. 6. politically exposed person: a natural person who is or who has been entrusted with prominent public functions including the following: a. heads of state, heads of government, ministers and deputy or assistant ministers; in Austria this particularly applies to the Federal President, the Federal Chancellor and the members of the Federal Government and the provincial governments; b. Members of parliament or members of similar legislative bodies; in Austria this particularly applies to the members of the National Council (Nationalrat) and the Federal Council (Bundesrat); c. Members of the governing bodies of political parties; in Austria this particularly applies to members of the governing bodies of political parties in the National Council; members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances; in Austria this particularly applies to judges in the Supreme Court of Justice (Oberster Gerichtshof), the

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 6 / 62 Constitutional Court (Verfassungsgerichtshof) and the Supreme Administrative Court (Verwaltungsgerichtshof); d. Members of courts of audit or the management bodies of central banks; in Austria this particularly applies to the President of the Austrian Court of Audit (Bundesrechnungshof) as well as the Directors of the Courts of Audit of the individual provinces (Landesrechnungshof) and the Members of the Governing Board of the Oesterreichische Nationalbank; e. Ambassadors, chargés d'affaires and high-ranking officers of the armed forces; in Austria this particularly applies to high-ranking officers in the armed forces in particular members of the military with a rank of Lieutenant General (Generalleutnant) or higher; f. Members of the administrative, management or supervisory bodies of state-owned enterprises; in Austria this particularly applies to enterprises in which the Federal Government holds at least 50% of the nominal capital, share capital or equity capital or which the Federal Government solely operates or which the Federal Government actually controls by financial means or other economic or organisational measures; in the case of enterprises in which a province holds at least 50% of the nominal capital, share capital or equity capital, or which a province solely operates or which the province actually controls by financial means or other economic or organisational measures - provided the total annual turnover of such an enterprise exceeds EUR 1 000 000 - the management board or the managing director. The total annual turnover shall be determined on the basis of the annual turnover stated in the most recent adopted annual financial statement; g. Directors, deputy directors and members of the board or an equivalent function of an international organisation. No public function referred to in points a) to h) shall be understood as covering middle-ranking or more junior officials; 7. Family members: in particular a. the spouse of a politically exposed person, a person considered to be equivalent to a spouse of a politically exposed person or the life partner as defined in Article 72 para. 2 StGB, b. the children (including adopted and foster children) of a politically exposed person and their respective spouses, or a person considered to be equivalent to a spouse or life partner as defined in Article 72 para. 2 StGB, c. the parents of a politically exposed person. 8. persons known to be close associates: a. natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person;

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 7 / 62 b. natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person. 9. senior management: officers or employees of the obliged entity with sufficient knowledge of the institution's money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the board of directors. 10. business relationship: any business, professional or commercial relationship which is connected with the commercial activities of an obliged entity and which is expected, at the time when the contact is established, to have an element of duration. 11. group: a group of undertakings which consists of a parent undertaking, its subsidiaries, and the entities in which the parent undertaking or its subsidiaries hold a participation, as well as undertakings linked to each other by a relationship within the meaning of Article 22 of Directive 2013/34/EU; 12. electronic money: electronic money pursuant to Article 1 para. 1 E-Geldgesetz 2010. 13. shell bank: a credit institution or financial institution, or an institution that carries out activities equivalent to those carried out by credit institutions and financial institutions, incorporated in a jurisdiction in which it has no physical presence, involving meaningful mind and management, and which is unaffiliated with a regulated financial group. 14. Financial Intelligence Unit (Geldwäschemeldestelle): the Financial Intelligence Unit (Geldwäschemeldestelle) pursuant to Article 4 para. 2 no. 1 of the Criminal Intelligence Service Austria Act (BKA-G, Bundeskriminalamt-Gesetz). 15. customer: any person who has established a business relationship with the obliged entity, or wishes to establish one, as well as any person for whom the obliged entity conducts a transaction or intends to conduct one, that does not fall within the scope of a business relationship (occasional transaction). 16. high-risk third countries: third countries, which have strategic deficiencies in their national anti-money laundering and counter financing of terrorism regime, that pose significant threats to the financial system of the European Union and which have been determined by the European Commission by means of a Delegated Regulation pursuant to Article 9 of Directive (EU) 2015/849. 17. Member State: a Member State of the European Union or another State that is a signatory country to the Agreement on the European Economic Area, published in Federal Law Gazette no. 909/1993 in the version of the protocol adjustment in Federal Law Gazette no. 910/1993 (EEA). 18. third country: any country that is not a Member State pursuant to no. 17. 19. life assurance contracts: life assurance contracts (classes 19 to 22 pursuant to Annex A to VAG 2016) and life assurance contracts and other insurance contracts with an investment purpose, provided that they are sold in Austria under the freedom of establishment.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 8 / 62 20. European Banking Authority: the European Banking Authority pursuant to Regulation (EU) No 1093/2010. 21. crypto-asset: A crypto-asset as defined in Article 3 (1) point 5 of Regulation (EU) 2023/1114, unless the crypto-asset falls under a category listed in Article 2 (2), (3) and (4) of Regulation (EU) 2023/1114 or otherwise qualifies as funds. 22. crypto-asset service provider: a crypto-asset service provider as defined in Article 3 (1) point 15 of Regulation (EU) 2023/1114, where it performs one or more crypto-asset service providers as defined in Article 3 (1) point 16 of Regulation (EU) 2023/1114, with the exception of providing advice on crypto-assets as defined in Article 3 (1) point 16 (h) of Regulation (EU) 2023/1114. 23. self-hosted address: a self-hosted address as defined in Article 3 point 20 of Regulation (EU) 2023/1113. 24. targeted financial sanctions: both the freezing of assets as well as prohibiting making money or other assets directly or indirectly available for the benefit of persons and organisation, who are listed in decisions of the Council on the basis of Article 29 TEU or on the basis of Article 215 TFEU. 25. targeted financial sanctions in relation to the financing of proliferation: the targeted financial sanctions listed under point 24 imposed in accordance with the Decision (CFSP) 2016/849 and Decision (CFSP) 2010/413 as well as under Regulation (EU) 2017/1509 and Regulation (EU) No 267/2012. SECTION 2: RISK ASSESSMENT National cooperation and drawing up of the risk assessment Article 3. (1) A coordinating committee shall be established at the Federal Ministry of Finance to develop measures and strategies for the prevention of money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation, to identify, assess, understand and mitigate the risks prevailing in Austria with regard to money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation as well as all data protection issues. The Federal Ministries of Constitutional Affairs, Reforms, Deregulation and Justice, for the Interior, for Digital and Economic Affairs, for Europe, Integration and Foreign Affairs, as well as the Financial Market Authority (FMA) and the Oesterreichische Nationalbank shall nominate at least one member and a deputy member. The chairperson and their deputy shall be nominated by the Federal Minister of Finance. The chairperson shall convene the coordination committee at least twice per calendar year. The members of the coordination committee may also request it to be convened in the event of material reasons prevailing.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 9 / 62 (2) The coordinating committee shall draw up and maintain a national risk assessment on an ongoing basis. The basis of the national risk assessment shall consist of the contributions of the members listed in para. 1, who shall draw up such contributions in relation to their respective competences. The Federal Ministers who are represented in the coordination committee shall in drawing their contributions respectively involve the competent supervisory authorities, the Financial Intelligence Unit (Geldwäschemeldestelle) and other relevant authorities, in particular the tax offices and the prosecuting authorities in a suitable manner within the scope of their enforcement, and to also take their insights into consideration. In addition, the Federal Minister of Finance shall also hear the competent regional authorities within the scope of supervision of regional authorised operators of gaming machines and betting companies, where their duties in this regard are affected. In drawing up the national risk assessment, the findings of the report of the European Commission on the risks of money laundering and terrorist financing affecting the internal market pursuant to Article 6 (1) of Directive (EU) 2015/849 shall be taken into account. Equally relevant additional information from other Member States may also be taken into consideration as applicable. The chairperson of the coordination committee shall be responsible for coordinating the drawing up of the national risk assessment. The report shall not be allowed to contain any confidential information. (3) The national risk assessment shall serve the following purposes:

1. the improvement of the regime for combatting of money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation, in particular by identifying any areas where the obliged entities shall be required to apply enhanced measures and recommending the measures to be taken;
2. the identification of sectors or areas of lower or greater risk of money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation;
3. the identification of money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation risks in relation to the development of new products and business practices including new delivery channels and the use of new or developing technologies both for new as well as for existing products;
4. the allocation and prioritisation of resources to combat money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation;
5. to ensure that appropriate rules are drawn up for each sector or area, in accordance with the risks of money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation;
6. making appropriate information available promptly to obliged entities to facilitate them in carrying out their own assessments of risks in relation to money laundering and terrorist

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 10 / 62 financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation; 7. the description of the institutional structure and the main features of the systems for combating money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation in Austria, inter alia in relation to the Financial Intelligence Unit (Geldwäschemeldestelle), the supervisory authorities (Article 12 para. 1 no. 3 WiEReG), the registry authority (Article 14 WiEReG), the tax offices and law enforcement authorities, as well as the human and financial resources allocated, provided that such information is available; and 8. the description of the national efforts and resources (in terms of manpower and financial means) that are made available for combating money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation. The Federal Ministries of Finance, of Constitutional Affairs, Reforms, Deregulation and Justice, for the Interior, for Digital and Economic Affairs, for Europe, Integration and Foreign Affairs, as well as the Financial Market Authority (FMA) and the Oesterreichische Nationalbank shall take necessary steps within the scope of their respective competences to realise these purposes. (4) The Oesterreichische Nationalbank and the FMA upon request and within the scope of their competence, shall submit all data, information, analyses and assessments relating to the financial market that are necessary for drawing up the national risk assessment to the Federal Minister of Finance without delay. The Oesterreichische Nationalbank shall submit the data that it has investigated and processed pursuant to Article 8 para. 2 of the Sanctions Act (SanktG; Sanktionsgesetz), to the FMA, provided that this data is required for the performance of duties by the FMA in accordance with this Federal Act. (5) The Federal Minister of Finance shall submit the findings of the national risk assessment, including the accompanying updates, to the European Commission and shall publish it on the Federal Ministry of Finance’s website. (6) In addition, the coordination committee shall also develop strategies and measures for combatting of money laundering and terrorist financing on a national level, shall regularly review whether they are up-to-date, and shall issue recommendations for their implementation. Para. 2 shall apply accordingly. (7) In order to facilitate and promote effective cooperation and in particular information exchange, the Federal Minister of Finance shall submit a list including contact details of the authorities that are competent for the supervision of obliged entities (Article 9 para. 1 nos. 1 to 14 WiEReG) to the European Commission. The Federal Minister of Finance shall keep this list constantly updated. The authorities named in this list shall, within the scope of their powers, be the point of contact for the corresponding competent authorities in other Member States. The FMA is the point of contact for the European Banking Authority.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 11 / 62 (8) The Federal Ministers for Finance, for Constitutional Affairs, Reforms, Deregulation and Justice, for the Interior, for Europe, Integration and Foreign Affairs, as well as the FMA and the Oesterreichische Nationalbank shall compile comprehensive statistics that are relevant for the effectiveness of such systems within the scope of their competence for the prevention of money laundering and terrorist financing as a contribution towards the preparation of the national risk assessment and for the purposes of reviewing the effectiveness of national systems for combatting money laundering and of terrorist financing. These statistics shall cover:

1. data measuring the size and importance of the different sectors which fall in the scope of application of Directive (EU) 2015/849, including the number of natural persons and entities as well as the economic importance of every sector,
2. data measuring the suspicious activity reporting, investigations and judicial proceedings within the national regime for combatting money laundering and terrorist financing, including the number of suspicious activity reports submitted to the Financial Intelligence Unit (Geldwäschemeldestelle), the follow-up measures to such reports and, on an annual basis the number of cases investigated, the number of persons prosecuted and those convicted under Article 165 StGB, the types of predicate offences, when such information exists, as well as the value in euro of property that has been frozen, seized or confiscated,
3. if available, data identifying the number and percentage of suspicious activity reports resulting in further investigation, together with the annual report to obliged entities detailing the usefulness and follow-up of the suspicious activity reports they presented;
4. data regarding the number of cross-border requests for information that were made, received, refused and partially or fully answered by the FIU, broken down by the Member State or third country making the request,
5. The staffing levels that have been assigned by the supervisory authorities for the supervision of the combatting of money laundering and terrorist financing, as well as the personnel allocated by the Financial Intelligence Unit (Geldwäschemeldestelle) for the performance of its duties,
6. The number of on- and off-site measures of the supervisory authorities, the number of breaches determined on the basis of the measures taken by the supervisory authorities (Article 12 para. 1 no. 3 WiEReG) and the registry authority (Article 14 para. 1 WiEReG) and the number of sanctions/administrative measures applied by the supervisory authorities. (9) The coordination committee shall consolidate the statistics pursuant to para. 8 on an annual basis and draw up a summary. In so doing the statistics of the competent regional authorities within the scope of supervision of regional authorised operators of gaming machines and betting companies shall also be taken into account. The Federal Minister of Finance shall publish the summary on the website of the Federal Ministry of Finance and shall submit the consolidated statistics on a yearly basis to the European Commission. (10) The Federal Ministry for Europe, Integration and Foreign Affairs shall draw up a list, in which the precise functions are stated that are considered important public offices pursuant to Article 2 no. 6

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 12 / 62 lit. h, keep the list up-to-date and shall submit it at least annually to the coordination committee. Once the list and the list of those functions that are considered as important public offices pursuant to Article 2 no. 6 has been handled in the coordination committee, it shall be submitted by the Federal Minister of Finance to the European Commission. (11) The Federal Minister of Finance shall submit a description about the mechanism established pursuant to Article 7 of Directive (EU) 2015/849 on the basis of this provision to the European Commission, the European Banking Authority and other Member States. Risk assessment at company level Article 4. (1) The obliged entities shall identify and assess the potential risks of money laundering and terrorist financing and non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation, to which they are exposed, on the basis of data and information taking into account all risk factors, in particular those that relate to customers, countries or geographical areas, products, services, transactions and delivery channels as well as other new or developing technologies, both for new and already existing products. In so doing, they shall take into account findings of the national risk assessment (Article 3) and of the report of the European Commission on the risks of money laundering and terrorist financing affecting the internal market (Article 6 (1) of Directive (EU) 2015/849). The investigation and assessment in relation to new products, practices and technologies shall in any case take place prior to their roll-out. The steps involved in the investigations and assessment shall be proportionate to the nature and size of the obliged entities. (2) The obliged entities shall keep records for the investigation and assessment steps conducted pursuant to para. 1 and their outcome in an understandable way, and shall keep records up-to-date and shall make them available to the FMA upon request in a generally available electronic format. The FMA may determine by means of a Regulation that the records of a risk assessment may not be necessary for specific types of obliged entities within a sector, if the specific risks existing within the sector are clearly recognisable and are understood by the obliged entities within this sector. SECTION 3: CUSTOMER DUE DILIGENCE Application of due diligence obligations Article 5. The obliged entities shall apply customer due diligence pursuant to Article 6 in the following cases:

1. when establishing a business relationship; savings deposit transactions in accordance with Article 31 para. 1 BWG and transactions pursuant to Article 12 of the Securities Deposit Act (DepotG; Depotgesetz) shall always be considered as business relationships;
2. when executing any transactions which are not conducted within the scope of a business relationship (occasional transactions),

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 13 / 62 a. which involve an amount of at least EUR 15 000 or a euro equivalent value, regardless of whether the transaction is carried out in a single operation or in multiple operations between which there is an obvious connection; or b. which involves a transfer of funds as defined in Article 3 (9) of Regulation (EU) 2015/847 exceeding EUR 1 000; if the amount in the cases listed in letter a) is not known prior to the start of the transaction, then the due diligence obligations shall be applied as soon as the amount involved is known and it has been determined that the amount is at least EUR 15 000 in value or euro equivalent value; 3. for each deposit into savings deposits, and for each withdrawal of savings deposits if the amount deposited or withdrawn is at least EUR 15 000 or a euro equivalent value; 4. if the institution suspects or has reasonable grounds to suspect that the customer belongs to a terrorist organisation (Article 278b StGB) or the customer objectively participates in transactions which serve the purpose of money laundering (Article 165 StGB – including asset components which stem directly from a criminal act on the part of the perpetrator) or terrorist financing (Article 278d StGB); 5. when there are doubts as to the veracity or adequacy of previously obtained customer identification data. Scope of due diligence obligations Article 6. (1) Customer due diligence shall comprise:

1. identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source, including electronic means for identification and trust services pursuant to Regulation (EU) No. 910/2014 and other secure procedures for remote or electronic identification according to para. 4;
2. identifying the beneficial owner and taking reasonable measures to verify that person's identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer. Where the identified beneficial owner belongs to the top management level pursuant to Article 2 no. 1 lit. b WiEReG, the obliged entities must take the necessary appropriate measure to check the identity of the nature persons belonging to the top management level, and must keep records about the measures taken in relation to any difficulties arising during the checking procedure. An appropriate measure is the inspection of the Beneficial Owners Register within the terms of Article 11 WiEReG;
3. assessing and obtaining information on the purpose and intended nature of the business relationship;

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 14 / 62 4. obtaining and checking of information about the source of the funds used; such information may include details about professional or business activities, income or operating result or the general financial situation of the customer and their beneficial owners; 5. identification and verification of the trustor and the trustee pursuant to para. 3; 6. conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds. 7. regular checking of the availability of all required information, data and documents that are required under the Federal Act, and updating of such information data and documents. The identity of those persons claiming to be wanting to act on behalf of the customer (natural persons authorised to represent the customer) shall be determined and verified pursuant to no. 1. The power of representation shall be verified in a suitable way and manner. The customer shall report any changes relating to the power of representation during an ongoing business relationship without delay at their own initiative. (2) The verification of identity pursuant to para. 1 no. 1 shall in the case of

1. a natural person be by means of showing an official photo identification document in person. For the purposes of this provision, documents which are issued by a government authority and which bear a non-replaceable, recognisable photograph of the face of the person in question and include the name, date of birth and signature of the person as well as the authority which issued the document are considered to be official photo identification documents; in the case of foreign passports, the passport need not contain the person's signature and complete date of birth if this corresponds to the law of the country issuing the passport. Individual criteria with regard to the official photo identification may be waived where technical advances, such as biometric data, give rise to other criteria which are at least equivalent to the waived criteria in terms of their identification effects. However, the criterion stipulating that the identification must be issued by a government authority must always be fulfilled;
2. a legal person, on the basis of meaningful supporting documentation available under the usual legal standards of the country in which the legal person is incorporated. In any case the effective existence, name, legal form, power of representation and place of incorporation of the legal person shall be checked. (3) The obliged entities shall request customers to indicate the following:
3. Whether the customer intends to conduct the business relationship (Article 5 para. 1 no. 1) or the occasional transaction (Article 5 para. 1 no. 2) on one’s own account or for the account of others or on behalf of a third party, and
4. the identity of its beneficial owner(s). The customer shall comply with this request and shall report any changes relating to this request during an ongoing business relationship without delay at their own initiative. If the customer

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 15 / 62 indicates that they intent to conduct the business relationship for the account of others or on behalf of a third party (no. 1), then they shall also be required to prove the identity of the trustor to the obliged entity, and the obliged entity shall determine and verify the identity of the trustor. The trustee shall be identified pursuant to para. 2 no. 1, and only in the physical presence of the trustee. The identification of the trustee by third parties shall be excluded. In the case of natural persons, the identity of the trustor shall be ascertained and verified by presentation of the original or a copy of the trustor’s official photo identification document (para. 2 no. 1); in the case of legal persons, by means of meaningful supporting documents (para. 2 no. 2). The trustee must also submit a written declaration to the obliged entity stating that the trustee has ascertained the identity of the trustor personally or through reliable sources. In this context, reliable sources refer to courts and other government authorities, notaries, attorneys at law and third parties as specified in Article 13. (4) The personal presentation of the official photo identification document as defined in para. 2 may be replaced by safeguards for business relationships or transactions without face-to-face contacts. The obliged entity must in any case know the name, date of birth and address of the customer, or in the case of legal persons the company name and place of incorporation. The following security measures shall be permissible:

1. the presentation in a video-based electronic procedure of the official photo identification document (online identification),
2. a statutorily prescribed procedure, which ensures that the same information would be made available as would be if an official photo identification document were presented (electronic ID card),
3. the submission of a legally binding declaration by the customer in the form of a qualified electronic signature in accordance with point 12 of Article 3 of Regulation (EU) No 910/2014 or the delivery of a legally binding declaration by the obliged entity via registered mail to the customer address given as the place of residence or place of incorporation, if in addition a. in the case of legal persons the place of incorporation is also the place of the central administration, which shall be confirmed by the customer by means of a written declaration; b. a copy of the official photo identification document of the customer or the customer's legal representative, or in the case of legal persons of the body authorised to represent it has been supplied prior to the conclusion of the contract, provided that the legal transaction has not been concluded electronically using a qualified electronic signature, and c. for customers with a place of incorporation or place of residence in a third country, a written declaration by another credit institution with which the customer has a permanent business relationship is provided, stipulating that the identity of the customer has been determined and verified in accordance with this Federal Act, and that the permanent business relationship is still maintained. If the credit institution providing the confirmation has its place of incorporation in a third country, then this

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 16 / 62 third country must fulfil the requirements pursuant to Article 13 para. 4. In lieu of identification and confirmation by a credit institution, identification and written confirmation by the Austrian representation in the third country in question or by a recognised certification authority is also permissible; or 4. the first payment during transactions is settled through an account opened in the customer's name with a credit institution as specified in Article 13 and copies of customer documents are available, on the basis of which the information provided by the customer or the natural person authorised to represent the customer may be verified in a credible manner. In lieu of such copies, a written declaration from the credit institution through which the first payment is intended to be made shall be sufficient for determining and verifying the identity of the customer as defined in this Federal Act or Directive (EU) 2015/849. The FMA shall determine by means of a Regulation with the consent of the Federal Minister of Finance, which measures shall be necessary for online identification to mitigate the increased risk, and in so doing shall in particular define the requirements in relation to security of data, security against forgeries as well as for those persons that will conduct the online identification process. (5) The obliged entities may determine the extent of the due diligence obligations listed in paras. 1 to 3 on a risk-sensitive basis. When assessing the risks of money laundering and terrorist financing at least the variables set out in Annex I shall be taken into account. As a result of this assessment, every customer shall be assigned to a risk class. The obliged entities shall have to be able to demonstrate to the FMA, that the measures they have taken are appropriate in view of the risks of money laundering and terrorist financing that have been identified. Point of time of application of due diligence obligations Article 7. (1) The determination and verification of the identity of the customer, the beneficial owner and the trustor and trustee (Article 6 para. 1 nos. 1, 2 and 5) and about the obtaining of information on the purpose and intended nature of the business relationship and the origin of the funds used (Article 6 para. 1 nos. 3 and 4) must occur prior to the establishment of a business relationship or the carrying or conducting of an occasional transaction. The determination and verification of the identity of a natural person authorised to represent the customer (Article 6 para. 1 closing part) must occur, when the authorised representative invokes their power of representation. When initiating a new business relationship with a legal entity pursuant to Article 1 WiEReG the obliged entities must obtain an excerpt from the Beneficial Owners Register pursuant to Article 9 or Article 10 WiEReG as proof of registration of the beneficial owners. When initiating a new business relationship with a company, a trust, a foundation, a legal arrangements similar to a foundation, or with legal arrangements similar to trusts with their place of incorporation in another Member State or in a third country, which is equivalent to a legal entity as defined in Article 1 WiEReG, the obliged entities must obtain proof or registration or an excerpt, provided that their beneficial owners are required to be

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 17 / 62 registered in a Register that corresponds to the requirements set forth in Article 30 or 31 of Directive (EU) 2015/849. (2) By way of derogation from para. 1, the obliged entities may allow verification of the identity of the customer, the beneficial owner and the trustor to be completed during the establishment of a business relationship, if this is necessary to not interrupt the normal conduct of business, and where there is little risk of money laundering or terrorist financing. In such situations, those procedures shall be completed as soon as practicable after initial contact. (3) By way of derogation from para. 1, the opening of a bank account, including accounts that permit transactions in transferable securities, shall be permissible at an obliged entity, provided that there are adequate safeguards in place to ensure that transactions are not carried out by the customer or on its behalf until full compliance with the customer due diligence requirements pursuant to Article 6 para. 1 nos. 1 to 5 has been obtained. (4) In the case of life assurance contracts, insurance undertakings shall also be required to comply, in addition to the customer due diligence obligations towards customers and beneficial owners, with the following due diligence obligations towards the beneficiaries of life assurance contracts:

1. in the case of beneficiaries that are identified as specifically named persons or as legal arrangements, the insurance undertaking shall hold the names of the respective persons;
2. in the case of beneficiaries that are designated by characteristics, class or by other means, insurance undertakings shall obtain sufficient information concerning those beneficiaries to ensure that they will be able to establish the identity of the beneficiary at the time of the payout. The insurance undertakings shall, in the instances named in nos. 1 and 2, verify the identity of the beneficiaries prior to payout. In the case that the life assurance contract is either fully or partially taken over by a third party, or the claim from this contract is assigned fully or partially to a third party, then the insurance undertakings that are aware of this takeover or assignment shall determine and verify the identity of the new customer or the beneficial owner at the time at which the claims from the contract were assigned to or taken over by the natural or legal person or legal arrangement. (5) Where the beneficiaries of trusts or of similar legal arrangements are designated by means of particular characteristics or by class, the obliged entities shall be required to obtain sufficient information concerning the beneficiaries to be satisfied that they will be able to establish the identity of the beneficiary at the time of the payout or at the time that the beneficiary exercises its vested rights. The identity of the beneficiaries must in any case be verified prior to payout. (6) The obliged entities shall apply customer due diligence obligations not only to all new customers, but also to existing customers on a risk-sensitive basis at the appropriate time. This shall in particular be the case when the relevant circumstances of a customer change. Or if the obliged entity is legally obliged to contact the customer during the course of the calendar year in question to check any relevant information about the beneficial owner(s), or if the obliged entity is required to do so pursuant to Council Directive 2011/16/EU.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 18 / 62 (7) If, with the exception of Article 6 para. 1 nos.6 and 7, the obliged entities either do not comply or are not able to comply with the customer due diligence obligations, then they shall not be allowed to carry out a transaction through a bank account, to establish a business relationship or to carry out transactions. Furthermore, they shall have to terminate an existing business relationship. Insurance undertakings shall not be allowed in the case of life assurance contracts to establish a business relationship and to carry out a transaction, if they do not or are unable to fulfil their due diligence obligations towards a customer or a beneficiary. Occupational severance and retirement funds shall not be allowed to conduct transactions, if they do not or are unable to fulfil their due diligence obligations towards a customer. In cases as per Article 6 para. 1 no. 6 a transaction may be delayed until the necessary checking steps have been concluded. In all cases the obliged entities shall consider making a suspicious transaction report in relation to the customer in accordance with Article § 16 to the Financial Intelligence Unit (Geldwäschemeldestelle). (8) The acceptance and acquisition of securities for

1. securities accounts (Article 11 DepotG) and
2. business relationships pursuant to Article 12 DepotG, which were initiated or entered into before 1 August 1996, shall only be permissible, when the customer due diligence obligations had previously been applied pursuant to Article 6. The sale of securities and the withdrawal of balances and income from securities accounts (Article 11 DepotG) and from business relationships pursuant to Article 12 DepotG may only be carried out provided that the customer due diligence obligations pursuant Article 6 have previously been applied. (9) In the case of existing savings accounts pursuant to Article 31 BWG, where customer due diligence obligations pursuant to Article 6 have not yet been applied, deposits may neither be made or received, and amounts from credit transfers may not be credited to such savings accounts. (10) Savings accounts, for which customer due diligence obligations pursuant to Article 6 have not yet been applied, shall be operated as specially marked accounts. Deposits into and withdrawals from such accounts may only be made, and funds transfers only credited to those accounts, if the customer due diligence obligations pursuant to Article 6 have been applied. (11) Existing anonymous safe-deposit boxes shall not be allowed to be used where the customer due diligence pursuant to Article 6 has not been applied, and are to be specially marked as such. They shall only be allowed to be used in any way whatsoever, when customer due diligence pursuant to Article 6 has been applied. Transaction monitoring using an artificial intelligence-based approach Article 7a. (1) The transaction monitoring to be implemented based on the provisions contained in this Federal Act may be conducted or supplemented using an approach that is based upon artificial Intelligence (AI) or other advanced technologies provided that the conditions set out in para. 2 are observed.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 19 / 62 (2) The usage of an approach pursuant to para. 1 shall be permissible pursuant in accordance with Article 6 para. 1 no. 6, where

1. the functioning of the approach pursuant to para. 1 is developed and implemented in such a way that it fulfils the requirements set forth in Article 6 para. 1 no. 6 and Article 9 para. 3 in a risk-based manner taking into consideration the respective risk assessment both at company level (Article 4) as well as at customer level (Article 6 para. 5) based on the scenarios, parameters, thresholds and other mechanisms used,
2. the approach pursuant to para. 1 is kept up-to-date and is updated on an ad hoc basis, and is adapted based on information responses given by the Financial Intelligence Unit (Geldwäschemeldestelle) and data pursuant to Article 16 paras. 4 and 6, and
3. the development and implementation of the functioning of the approach pursuant to para. 1 is appropriately documented, so that its functioning is able to be understood and demonstrated accordingly towards the FMA. (3) In the development and conducting of transaction monitoring data processed for the purposes of this Federal Act as well as data from publicly accessible data sources shall be allowed to be processed by automated means, provided that doing so is necessary and appropriate for the prevention of money laundering and terrorist financing. Simplified due diligence Article 8. (1) Where an obliged entity identifies on the basis of its risk assessment (Article 4) that areas exist of a lower risk of money laundering or terrorist financing, then it may apply simplified customer due diligence. In this case, the risks of money laundering and terrorist financing relating to types of customers, geographic areas, and particular products, services, transactions or delivery channels shall be assessed and at least the factors of potentially lower risk situations set out in Annex II taken into account. (2) Before applying simplified customer due diligence for a customer, obliged entities shall ascertain that the business relationship or the transaction presents a lower degree of risk. In particular they shall not assume a low risk of money laundering or terrorist financing if there is information available to suggest that the risk of money laundering or terrorist financing might not in fact be low. (3) Also in those areas, in which the obliged entities apply simplified due diligence, they shall ensure that the transactions and business relationships shall be adequately monitored to enable the detection of unusual or suspicious transactions. (4) The obliged entities shall be required to retain sufficient information in order to be able to demonstrate compliance with the requirements for the application of simplified due diligence. (5) The FMA may determine, with the consent of the Federal Minister of Finance, by means of a Regulation in which areas a low risk of money laundering or terrorist financing exists, if this has been determined in the national risk assessment (Article 3) or the FMA itself has identified that a low risk exists taking into account para. 1 second sentence. The FMA shall determine, as necessary the

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 20 / 62 precise scope of simplified due diligence towards customers in a Regulation pursuant to this paragraph. (6) Regulation (EU) 2015/847 shall not apply to domestic transfers of funds to a payee account permitting payments for the provision of goods or services if:

1. the payment service provider of the payee is subject to the obligations set forth in Directive (EU) 2015/849;
2. the payment service provider of the payee is able by means of a reference number relating to the customer to trace back, through the payee, the transfer of funds to the natural or legal person who has made an agreement with the payee for the provision of goods and services, and
3. the amount being transferred is EUR 1 000 or less. Enhanced due diligence Article 9. (1) In the cases listed in Articles 9a to 12, as well if an obliged entity determines on the basis of its risk assessment (Article 4) or in another way, that an increased risk of money laundering or terrorist financing exists, this it shall apply enhanced customer due diligence to adequately manage or mitigate such risks. In this case, the risks of money laundering and terrorist financing relating to types of customers, geographic areas, and particular products, services, transactions or delivery channels shall be assessed and at least the factors of potentially higher risk situations set out in Annex III taken into account. (2) Where obliged entities have branches or branch establishments or subsidiaries incorporated in high-risk third countries, they shall not have to automatically invoke enhanced customer due diligence needed for them, where those branches or branch establishments or subsidiaries fully comply with the group-wide strategies and procedures (Article 24). In this instance the obliged entities shall assess on a risk-sensitive basis whether it shall be necessary to apply enhanced due diligence obligations. (3) The obliged entities shall examine, where this is possible to an appropriate extent, the background and purpose of all transactions that fulfil one of the following conditions:
4. the transactions are complex ones;
5. the transactions are unusually large;
6. the transactions follow an unusual pattern of transactions;
7. the transactions do not have any apparent financial or legal purpose. In particular, obliged entities shall increase the degree and nature of monitoring of the business relationship, in order to determine whether those transactions or activities appear suspicious. (4) The FMA may determine, with the consent of the Federal Minister of Finance, by means of a Regulation in which areas, in addition to those listed in this Federal Act, a high risk of money laundering or terrorist financing exists, if this has been determined in the national risk assessment (Article 3) or the FMA itself has identified that a high risk exists taking into account para. 1 second

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 21 / 62 sentence. The FMA shall determine, as necessary the precise scope of enhanced due diligence towards customers in a Regulation pursuant to this paragraph. Business relationships and transactions with a link to high-risk third countries Article 9a. (1) In relation to business relationships or transactions involving high-risk third countries, obliged entities shall in any case apply the following enhanced customer due diligence measures:

1. obtaining and appropriate checking of additional information on the customer and its beneficial owners;
2. obtaining additional information on the purpose and intended nature of the business relationship;
3. obtaining additional information for the checking of the origin of the means used and obtaining additional information about the financial circumstances of the customer and its beneficial owners;
4. obtaining information on the reasons for the intended or performed transactions;
5. obtaining the approval of its senior management prior to establishing or continuing the business relationship; and
6. continuous enhanced monitoring of the business relationship by further increasing the frequency and intervals of the controls and by additionally selection patterns of transactions that need further examination. (2) In addition to the enhanced due diligence measures prescribed in para. 1 the FMA may instruct one or several risk mitigation measures in relation to all or certain high-risk third countries by means of a Regulation with the approval of the Federal Minister of Finance, in relation to business relationships or transactions involving high-risk third countries, in compliance with the Union’s international obligations. These measures shall consist of one or several of the following elements:
7. the application of additional enhanced due diligence measures;
8. the introduction of enhanced relevant reporting mechanisms or systematic reporting of financial transactions;
9. the limitation of business relationships or transactions with natural persons or legal entities from high-risk third countries . (3) With regard to high-risk third countries the Federal Minister of Finance may as applicable order by means of a Regulation in addition to the measures listed in para. 1 and in compliance with the Union’s international obligations one or several of the following measures against all or specific high-risk third countries:
10. refusing the establishment of subsidiaries, branches or branch establishments or representative offices of obliged entities from the third country concerned, or otherwise taking into account the fact that the relevant obliged entity is from a high-risk third country;
11. prohibiting obliged entities from establishing branches or branch establishments or representative offices in the third country concerned, or otherwise taking into account the fact

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 22 / 62 that the relevant branch, branch establishment or representative office would be in a high￾risk third country; 3. introducing increased supervisory examination by the FMA or increased external audit requirements for branches or branch establishments and subsidiaries of obliged entities located in the third country concerned; 4. introducing increased external audit requirements in relation to the financial statement for financial groups with respect to any of their branches and subsidiaries located in the country concerned, whose parent undertaking has its place of incorporation in Austria; 5. introducing the requirement for credit and financial institutions to review and amend, or if necessary terminate, correspondent relationships with respondent institutions in the third country concerned. (4) The FMA and the Federal Minister of Finance shall as applicable take into consideration appropriately when issuing or applying the measures listed in paras. 2 and 3 relevant evaluations, assessments or reports of international organisations or standard-setting establishments with competences in the field of the prevention of money laundering and the combating of terrorist financing with regard to the risks emanating from individual third countries. (5) The Federal Minister of Finance shall inform the European Commission prior to the issuing of a Regulation pursuant to para. 2 or 3. Correspondent relationships Article 10. (1) In the case of cross-border correspondent relationships which cover the execution of payments with a respondent institution incorporated in a third country, credit institutions and financial institutions shall, when establishing a business relationship in addition to the customer due diligence obligations set out in Article 6:

1. gather sufficient information about a respondent institution to understand fully the nature of its business and be able to ascertain the reputation of the institution and the quality of supervision on the basis of publicly available information;
2. satisfy themselves of the adequacy of the respondent institution's controls for combatting money laundering and terrorist financing;
3. obtain approval from senior management before establishing new correspondent relationships;
4. document the respective responsibilities of each institution, and
5. with respect to payable-through accounts, be satisfied that the respondent institution has verified the identity of and performed ongoing due diligence on the customers having direct access to accounts of the respondent institution, and that the respondent institution is able to provide relevant customer due diligence data to the obliged entity upon the latter’s request;

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 23 / 62 (2) In the case of cross-border correspondent banking relationships, in which crypto-asset services as defined in Article 3 (1) point 16 of Regulation (EU) 2023/1114, with the exception of providing advice on crypto-assets as defined in Article 3 (1) point 16 (h) of Regulation (EU) 2023/1114, as conducted with a respondent establishment that is not established in the European Union and comparable services, including crypto-asset transfers, providers of crypto-asset services are obliged – by way of derogation from Article 10 para. 1 and over and beyond the customer due diligence obligations set forth in Article 6 – when establishing a business relationship with such an establishment,

1. to determine whether the respondent establishment is authorised or registered;
2. to gather sufficient information about the respondent establishment to understand fully the nature of the respondent's business and to determine from publicly available information the reputation of the institution and the quality of supervision;
3. to assess the controls that the respondent establishment takes regarding the prevention of money laundering and terrorist financing as well as the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation;
4. to obtain approval from its senior management before establishing new correspondent relationships;
5. to document the respective responsibilities of each involved party in the correspondent banking relationship;
6. to be satisfied with respect to payable-through crypto-asset accounts, be satisfied that the respondent institution has verified the identity of, and performed ongoing due diligence on, the customers having direct access to accounts of the correspondent establishment, and that it is able to provide relevant customer due diligence data to the correspondent establishment, upon request. (3) Where crypto-asset service providers decide to terminate correspondent banking relationships in consideration of their strategies for the prevention of money laundering and terrorist financing as well as the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation, they shall document and minute this decision. (4) Crypto-asset service providers shall update the information about the due diligence obligation in relation to the correspondent banking relationship on a regular basis, as well as when new risks emerge in relation to the respondent establishment. (5) Crypto-asset service providers shall take the information listed in paras. 2 to 4 into account, when determining suitable measures on a risk-based approach, that are to be taken for the mitigation of risks existing in connection with the respondent establishment. Transactions and business relationships with politically exposed persons (PEPs) Article 11. (1) In addition to the customer due diligence obligations set out in Article 6, the obliged entities shall

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 24 / 62

1. have in place appropriate risk management systems, including risk-based procedures, to be able to determine whether the customer, the beneficial owner of the customer, or the trustor of the customer is a politically exposed person and to apply these procedures prior to establishing the business relationship as well as to apply them at regular intervals during the ongoing business relationship.
2. in the case of business relationships with politically exposed persons: a. obtain the approval of their senior management, before establishing or continuing business relationships with such persons; b. take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons; and c. subject the business relationship to enhanced ongoing monitoring.
3. If the beneficial owner of the customer pursuant to Article 2 no. 1 point b sub-point cc WiEReG has been identified, then no. 2 shall not apply in the case of Austrian politically exposed persons, where no risk factors exist that indicated an increased level of risk. (2) Insurance undertakings shall take reasonable measures to determine whether the beneficiaries of a life insurance contract and/or, where necessary, the beneficial owner of the beneficiary is a politically exposed person. Those measures shall be taken no later than at the time of the payout or at the time of the assignment, in whole or in part, of the life assurance contract. Where increased risks have been identified, in addition to applying the customer due diligence laid down in Article 6, obliged entities shall also be required to:
4. inform its senior management prior to payout, and
5. conduct enhanced scrutiny of the entire business relationship with the insurance policyholder. (3) Where a politically exposed person is no longer entrusted with a prominent public function by a Member State or a third country, or with a prominent public function by an international organisation, obliged entities shall, for at least twelve months, be required to take into account the continuing risk posed by that person and to apply appropriate and risk-sensitive measures until such time as that person is deemed to pose no further risk specific to politically exposed persons. (4) The measures referred to in this Article shall also apply to family members or persons known to be close associates of politically exposed persons. Transactions in connection with self-hosted wallet addresses Article 11a. (1) Crypto-asset service providers shall identify and assess the risk of money laundering and terrorist financing as well as the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation that is associated with crypto-asset transfers to or from a self-hosted address. Crypto-asset service providers shall have internal policies, controls and procedures in place in this regard. Crypto-asset service providers shall be obliged to apply risk mitigation measures that are commensurate to the risks identified.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 25 / 62 (2) The risk mitigation measures pursuant to para. 1 shall include at least the following measures:

1. taking risk-based measures for determining and verifying the identity of the originator or the beneficiary of a transfer to or from a self-hosted address, or the beneficial owner of the originator or beneficiary in question, also by making use of third parties;
2. requesting additional details about the origin and destination of transfers of crypto-assets;
3. conducting enhanced ongoing monitoring of relevant transactions;
4. any other measure to mitigate and manage the risks of money laundering and terrorist financing as well as the risk of non-implementation and evasion of targeted financial sanctions and proliferation financing-related targeted financial sanctions. Inadmissible business relationships and measures for non-cooperative countries and territories Article 12. (1) The obliged entities shall not enter into or continue a correspondent relationship with a shell bank, and shall take appropriate measures to ensure that they do not engage in or continue correspondent relationships with a credit institution or financial institution, which is known to permit its accounts to be used by a shell bank. (2) The obliged entity shall in any case be prohibited from keeping anonymous accounts, anonymous savings account passbooks or anonymous safe-deposit boxes; Article 7 paras. 8 to 11 shall apply accordingly. (3) In cooperation with the Main Committee of the National Council, the federal government shall issue a regulation designating as non-cooperative countries and territories those countries which do not take the measures against money laundering necessary according to international standards in their territories or jurisdictions. In particular, a violation of international standards is to be assumed in cases where the Council of the European Union or the Financial Action Task Force on Money Laundering have adopted resolutions to this effect. (4) In connection with non-cooperative countries and territories, the following provisions apply:
5. unless proven otherwise, persons with their place of incorporation or residence in a non-cooperative country or territory shall be considered in any case not to meet the requirements for the sound and prudent management of an obliged entity.
6. a licence shall not be granted to an obliged entity, where one or more persons who hold a qualifying holding in the undertaking submitting the application have their place of incorporation or residence in a non-cooperative country or territory, unless the applicant submitting the application is able to prove that the obliged entity shall not conduct activities for the purpose of money laundering and will not conduct any transactions in violation of United Nations decisions which are binding under public international law.
7. The FMA shall prohibit the acquisition of a qualifying holding in an obliged entity by persons whose place of incorporation or residence is in a non-cooperative country or territory.
8. The identity of a customer, whose place of incorporation or residence is in a non-cooperative country or territory, may be ascertained only by the customer appearing in person at the

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 26 / 62 obliged entity confirming their identity using an original official photo identification document; for transactions carried out on behalf of others, these requirements apply to both the trustee and the trustor; the obliged entities shall make copies of the official photo identification documents and shall be required to retain them pursuant to Article 21. 5. All transactions, a. in which the originator or beneficiary is a person whose place of incorporation or residence is in a non-cooperative country or territory, or b. which are executed into or from an account held at a foreign credit institution or financial institution incorporated in a non-cooperative country or territory, shall be reported to the Financial Intelligence Unit (Geldwäschemeldestelle) by credit and financial institutions without delay, if the amount exceeds EUR 100 000 or a euro equivalent value; Article 16 shall apply. This reporting obligation applies regardless of whether the transaction is carried out in a single operation or in multiple operations between which there is an obvious connection; in cases where the amount is unknown at the beginning of a transaction, the report must be submitted as soon as the amount is known and it is established that it will come to at least EUR 100 000 or an equivalent value. SECTION 4: PERFORMANCE BY THIRD PARTIES Admissibility of performance by third parties Article 13. (1) The obliged entities may rely on third parties for the fulfilment of the customer due diligence obligations set out in Article 6 para. 1 nos. 1 to 5 and 7, provided that no indications exist to suggest that the listed obligations will not be fulfilled to a comparable standard. However, the ultimate responsibility for meeting those obligations shall remain with the obliged entity which relies on the third party. (2) The obliged entities shall ensure that they obtain the necessary information without delay with regard to the customer due diligence obligations set out in Article 6 para. 1 nos. 1 to 5 and 7 from the third parties upon whom they are reliant. Furthermore, they shall be required to take appropriate steps to ensure that the third party is able to forward them upon request copies of the documentation used to satisfy these due diligence obligations as well as other relevant documentation on the identity of the customer or the beneficial owner(s). This shall also cover electronic means for identification and trust services pursuant to Regulation (EU) No 910/2014 as well as other secure procedures for remote or electronic identification in accordance with Article 6 para. 4. (3) Credit institutions and financial institutions incorporated in Austria shall be considered as third parties, for the purpose of this Article, provided that they do not only hold an authorisation for conducting exchange bureau business (Article 1 para. 1 no. 22 BWG), as well as the persons listed in items a and b of Article 2 (1) 3) of Directive (EU) 2015/849 and insurance intermediaries pursuant to

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 27 / 62 Article 365m1 para. 2 no. 4 of the Commercial Code (GewO 1994 - Gewerbeordnung) incorporated in Austria. (4) Credit institutions and financial institutions pursuant to points 1 and 2 of Article 3 of Directive (EU) 2015/849 shall be considered as third parties for the purposes of this Article, provided that they do not only hold an authorisation for conducting exchange bureau business, as well as the persons listed in items a) and b) of Article 2 (1) 3) of Directive (EU) 2015/849 incorporated in another Member State and corresponding obliged entities incorporated in a third country

1. whose customer due diligence requirements and record-keeping requirements are consistent with those laid down in Directive (EU) 2015/849; and
2. that are subject to supervision in relation to compliance with these requirements, consistent with Section 2 of Chapter VI of the Directive (EU) 2015/849. Obliged entities shall be prohibited from relying on third parties established in high-risk third countries. This shall not apply for branches or branch establishments of third parties incorporated in Austria or in another Member State and their subsidiaries, where those branches or branch establishments or subsidiaries fully comply with the group-wide policies and procedures. Performance by third parties in the case of groups Article 14. The requirements pursuant to Article 13 may be fulfilled by the implementation of a group programme (policies and procedures to be applied on a group-wide basis pursuant to Article 24), in which all of the following requirements are fulfilled:
3. the obliged entity relies on information provided by a third party that is part of the same group;
4. the group applies customer due diligence, rules on record-keeping and programmes against money laundering and terrorist financing in accordance with this Federal Act or Directive (EU) 2015/849, or equivalent rules;
5. the effective implementation of the requirements referred to in no. 2 is supervised at group level by a competent authority of the home Member State or of the third country. Outsourcing and agency relationships Article 15. This Section shall not apply to outsourcing or agency relationships where, on the basis of a contractual arrangement, the outsourcing service provider or agent is to be regarded as part of the obliged entity.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 28 / 62 SECTION 5: REPORTING OBLIGATIONS Reports to the Financial Intelligence Unit (Geldwäschemeldestelle) Article 16. (1) The obliged entities shall inform the Financial Intelligence Unit (Geldwäschemeldestelle) without delay upon their own initiative by means of a suspicious activity report, if they know, suspect or have reasonable grounds to suspect, that

1. an attempted, upcoming, ongoing or previously conducted transaction is related to asset components originating from one of the criminal activities listed in Article 165 StGB (including asset components which stem directly from a criminal act on the part of the perpetrator);
2. an asset component originates from one of the criminal activities listed in Article 165 StGB (including asset components which stem directly from a criminal act on the part of the perpetrator) or
3. a customer has violated the obligation to disclose trust relationships pursuant to Article 6 para. 3; or
4. the attempted, upcoming, ongoing or previously conducted transaction or the assets are connected to a criminal organisation pursuant to Article 278a StGB, a terrorist organisation pursuant to Article 278b StGB, a terrorist crime pursuant to Article 278c StGB or terrorist financing pursuant to Article 278d StGB. The suspicious activity report shall be submitted in a commonly used electronic format, via the secure communications channels determined by the Financial Intelligence Unit (Geldwäschemeldestelle). (2) The obliged entities, and their employees as applicable, shall cooperate fully with the Financial Intelligence Unit (Geldwäschemeldestelle), by providing the Financial Intelligence Unit (Geldwäschemeldestelle) irrespective of a suspicious activity report pursuant to para. 1, directly upon request all necessary information it deems necessary for preventing or pursuing money laundering or terrorist financing. (3) Credit institutions shall inform the Financial Intelligence Unit (Geldwäschemeldestelle) without delay about all requests to withdraw savings deposits, if
5. the customer's identity has not yet been determined pursuant to Article 6 para. 1 for the savings deposit, and
6. the payout is intended to be made from a savings deposit with a credit balance of at least EUR 15 000 or euro equivalent value. Payouts from such savings deposits shall only be made upon expiry of a period of seven calendar days following the request for the payout, unless the Financial Intelligence Unit (Geldwäschemeldestelle) orders a longer period pursuant to Article 17 para. 4. (4) The Financial Intelligence Unit (Geldwäschemeldestelle) shall provide obliged entities with access to up-to-date information on the ways of money laundering and terrorist financing, and provide indications that allow suspicious transactions to be recognised. Likewise, the authority shall ensure

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 29 / 62 that timely feedback is provided about the effectiveness of and follow-up to reports of suspected money laundering or terrorist financing. (5) The Financial Intelligence Unit (Geldwäschemeldestelle) shall also be authorised to examine required information from natural and legal persons and other facilities with a legal personality for the prevention of and pursuit of money laundering and terrorist financing and to directly or indirectly process this information together with information that it has processed or is allowed to process by means of operational or strategic analysis in the enforcement of national or regional laws. The data shall be deleted as soon as it is no longer required for the fulfilment of duties, at latest after a period of five years. Submissions shall be permissible within the meaning of Article 4 para. 2 nos. 1 and 2 of the Criminal Intelligence Service Austria Act (BKA-G, Bundeskriminalamt-Gesetz). (6) The Financial Intelligence Unit (Geldwäschemeldestelle) may submit the following data, copies, scenarios, parameters and thresholds electronically to obliged entities and to other competent authorities in accordance with Federal Acts and provincial laws for the prevention of money laundering and terrorist financing via a secure channel of communication (para. 1):

1. data about and copies of counterfeit, falsified or suppressed identification documents, of other documents and photo identification that may be used for the performance of customer due diligence, provided that this is necessary and appropriate for the prevention of money laundering and terrorist financing.
2. scenarios, parameters and thresholds that may be used by obliged entities during the course of ongoing monitoring of business relationships for preventing money laundering and terrorist financing, and
3. in the case of natural persons their name, date of birth, place of birth, nationality, gender and place of residence; in the case of legal entities their name, registered office, registry entry and registration number or in the case of the accounts the International Bank Account Number (IBAN), and where necessary the international sort code (Bank Identifier Code, BIC) or the account number and sort code, where the suspicion exists regarding them that they are implicated with circumstances listed in Article 16 para. 1 and where submission is appropriate and absolutely necessary in order to prevent money laundering or terrorist financing. Where the grounds for a submission in accordance with nos. 1 and 3 no longer exist, it is to be revoked without delay. The data and copies are to be expunged by the Financial Intelligence Unit (Geldwäschemeldestelle), provided that they are no longer required for purposes of preventing money laundering or terrorist financing, as soon as possible, however at the latest after five years. The scenarios, parameters and thresholds submitted pursuant to no. 2 shall not allow conclusions to be drawn about specific natural or legal persons. The data, copies, scenarios, parameters and thresholds in accordance with this paragraph that are submitted by the Financial Intelligence Unit (Geldwäschemeldestelle) shall only be allowed to be processed by the obliged entities for the purpose of preventing money laundering or terrorist financing provided this is appropriate and necessary. (7) The Financial Intelligence Unit (Geldwäschemeldestelle) shall cooperate closely with

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 30 / 62

1. the FMA,
2. the competent authorities pursuant to point (40) of Article 4(1) of Regulation (EU) No. 575/2013,
3. the authorities entrusted on behalf of the public sector with the supervision of the obliged entities listed in Article 2(1) points 1 and 2 of Directive (EU) 2015/849 regarding compliance with this Directive, and
4. other Financial Intelligence Units (FIUs) and shall provide them with information that is relevant for their respective duties pursuant to this Federal Act, Directive 2013/36/EU, Regulation (EU) No 575/2013 and Directive (EU) 2015/849, provided that such cooperation and this exchange of information would not affect any ongoing investigations, enquiries or procedures under Austrian criminal or administrative law. Non-execution of transactions Article 17. (1) The obliged entities shall cease to conduct any further execution of related transactions following submission of a suspicious activity report (Article 16 para. 1) and shall fulfil any additional specific instructions received from the Financial Intelligence Unit (Geldwäschemeldestelle). The Financial Intelligence Unit shall take into account whether the risk exists by delaying or ceasing the transactions could hinder or impede the investigation of the case or the pursuit of the beneficiary of a suspicious transaction. (2) In the event that it is not possible to cease the execution of the transactions listed in para. 1, or any stoppage or delay could impede the pursuit of the beneficiary of a suspicious transaction, the obliged entities concerned shall submit the suspicious activity report (Article 16 para. 1) to the Financial Intelligence Unit (Geldwäschemeldestelle) immediately thereafter. In cases of doubt, orders involving incoming funds may be executed, while orders involving outgoing funds are not to be executed. (3) The obliged entities shall be entitled to request that the Financial Intelligence Unit (Geldwäschemeldestelle) should decide whether concerns exist about the immediate execution of a transaction; if the Financial Intelligence Unit (Geldwäschemeldestelle) fails to respond by the end of the following banking day, the transaction may be executed immediately. (4) The Financial Intelligence Unit (Geldwäschemeldestelle) shall be authorised to instruct that an ongoing or upcoming transaction, for which a report pursuant to Article 16 para. 1 is to be submitted, shall be omitted or temporarily delayed, and that instructions given by the customer relating to the disbursement of funds shall only be allowed to be conducted with the consent of the Financial Intelligence Unit (Geldwäschemeldestelle). The Financial Intelligence Unit (Geldwäschemeldestelle) must inform the Public Prosecutor's office of this instruction without unnecessary delay. The customer shall also be informed, although informing the customer may be put off for up to a maximum of five banking days, if doing so could otherwise impede the pursuit of the beneficiary of a suspicious transaction. The obliged entities shall be informed about the delay in informing the

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 31 / 62 customer. The notification to the customer must include an indication that the customer or another affected party may be entitled to lodge a complaint with the competent administrative court regarding violations of their rights. (5) The Financial Intelligence Unit (Geldwäschemeldestelle) shall repeal the instruction in accordance with para. 4 as soon as the conditions for its having been issued no longer prevail, or the public prosecutor declares that the conditions for confiscation pursuant to Article 109 no. 2 and Article 115 para. 1 no. 3 of the Code on Criminal Procedure (StPO; Strafprozessordnung) do not exist. Otherwise, the instruction shall be abrogated:

1. once six months have elapsed since it was issued, or
2. as soon as the court has issued a legally effective decision on a request for confiscation pursuant to Article 109 no. 2 and Article 115 para. 1 no. 3 StPO. Notifications from the competent authorities to the Financial Intelligence Unit (Geldwäschemeldestelle) Article 18. (1) In the event that the FMA or the Oesterreichische Nationalbank, in performing their supervision duties, find reason to suspect that a transaction serves the purpose of money laundering or terrorist financing, they shall report this to the Financial Intelligence Unit (Geldwäschemeldestelle) without delay. This shall also apply according for the Federal Minister of Finance as the registry authority pursuant to Article 14 para. 1 WiEReG and the government tax authorities in the performance of their duties. (2) The FMA shall, when it receives information from the Financial Intelligence Unit (Geldwäschemeldestelle) by way of provision of assistance or the exchange of information, provide the Financial Intelligence Unit (Geldwäschemeldestelle) with a response about the usage of such information and the findings of the investigations or inspections conducted on the basis of the supplied information. Exclusion from claims for damages and protection against threats Article 19. (1) Claims for damages may not be asserted due to the fact that an obliged entity or employees of the obliged entity have delayed or omitted the execution of a transaction in negligent ignorance of the fact that the suspicion of money laundering or terrorist financing or of violations pursuant to Article 6 para. 3 was incorrect. (2) The obliged entities shall ensure that individuals, including employees and representatives of the obliged entity, who report suspicions of money laundering or terrorist financing internally or to the Financial Intelligence Unit (Geldwäschemeldestelle), are protected from being exposed to threats, reprisals or hostile action, and in particular from adverse or discriminatory employment actions. (3) The FMA shall be required to guarantee that individual persons who are exposed to threats, retaliatory or hostile action or adverse or discriminatory employment actions because they have internally reported or reported to the Financial Intelligence Unit (Geldwäschemeldestelle) a

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 32 / 62 suspicion of money laundering or terrorist financing, may be able pursuant to Article 40 paras. 2 to 4 to notify their suspicion as well as further tip-offs about the non-observance of the regulations contained in this Federal Act or Regulation (EU) 2015/847 to the FMA in a secure manner. Prohibition of disclosure Article 20. (1) Obliged entities shall be obliged to ensure confidentiality towards customers and third parties of all procedures in relation to Articles 16 and 17. Furthermore, the obliged entities shall, if they become aware or have a suspicion of or have reasonable grounds to assume, that a circumstance that requires to be reported pursuant to Article 16 para. 1 exists and they could reasonably assume that the application of customer due diligence obligations could impede the pursuing of the beneficiary of a suspicious transaction, they shall waive the application of customer due diligence obligations and shall instead inform the Financial Intelligence Unit (Geldwäschemeldestelle) immediately by means of a suspicious activity report. (2) As soon as the customer has been informed by the Financial Intelligence Unit (Geldwäschemeldestelle) about the order pursuant to Article 17 para. 4 having been issued, the obliged entities shall be empowered to refer the customer - although only at the customer’s request

• to the Financial Intelligence Unit (Geldwäschemeldestelle); furthermore, the obliged entities shall with the consent of the Financial Intelligence Unit (Geldwäschemeldestelle) also be empowered to inform the customer of the order. (3) The prohibition pursuant to this Article:

1. does not affect the disclosure of information to the FMA, the Oesterreichische Nationalbank, or the disclosure of information for law enforcement purposes;
2. does not affect the disclosure of information between credit institutions and financial institutions with their registered office in Member States or between their branches or branch establishments and their subsidiaries in third countries, provided that such entities fully comply with the applicable group-wide policies and procedures (Article 24) and the policies and procedures to be used throughout the group comply with the requirements of Directive (EU) 2015/849;
3. does not prevent the passing on of information pursuant to Article 22 para. 2 in cases that refer to the same customer and the same transaction, in which two or more obliged entities are involved.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 33 / 62 SECTION 6: RETENTION OF RECORDS, DATA PROTECTION, EXCHANGE OF INFORMATION AND REQUIREMENTS FOR THEIR INTERNAL ORGANISATION Requirements for retention of records and data protection Article 21. (1) The obliged entities shall be required to retain:

1. copies of the documents and information which are necessary to comply with the customer due diligence requirements, including electronic means for identification purposes and relevant trust services pursuant to Regulation (EU) No. 910/2014 as well as other secure procedures for remote or electronic identification in accordance with Article 6 para. 4, for a period of ten years after the end of the business relationship with their customer or after the date of an occasional transaction;
2. receipts and records of transactions required to investigate transactions, for a period of ten years after the end of the business relationship with their customer or after the date of an occasional transaction. (2) The obliged entities shall be required to delete all personal data, which they have processed solely for the purposes of this Federal Act upon expiry of the retention periods in accordance with para. 1, unless the regulations set out in other Federal Acts require or allow a longer retention period. No data shall be allowed to be deleted until any pending investigative, main or appeal proceedings in relation to Articles 165, 278a, 278b, 278c, 278d or 278e StGB have been ended in a legally binding manner, if the obliged entity has demonstrably become aware of the proceedings. (3) (repealed by the amendment in Federal Law Gazette I 62/2019) (4) Personal data that is processed by obliged entities on the basis of this Federal Act solely for the purposes of the prevention of money laundering and terrorist financing, shall not be allowed to be processed further in such a way that is incompatible with those purposes. This personal data shall not be allowed to be processed for other purposes, for example for commercial purposes. (5) Obliged entities shall provide new customers with the information required in accordance with Articles 13 and 14 of Regulation (EU)2016/679 before establishing a business relationship or carrying out an occasional transaction. That information shall, in particular, include a general notice concerning the legal obligations of obliged entities under this Federal Act with regard to the processing of personal data for the purposes of the prevention of money laundering and terrorist financing. (6) The processing of personal data on the basis of this Federal Act for the purposes of preventing money laundering and terrorist financing shall be considered a matter conducted in the public interest pursuant to Regulation (EU) 2016/679. The need for safeguarding public interests pursuant to Article 23 (1) of Regulation (EU) 2016/679 may exist, if the refusal of information (Article 20 para. 1) is necessary to ensure the confidentiality of procedures, which serve the purpose of the performance of Articles 16 and 17, in order to

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 34 / 62

1. enable the obliged entity or the FMA to fulfil its/their tasks properly for the purposes of this Federal Act, or
2. avoid obstructing official or legal inquiries, analyses, investigations or procedures for the purposes of this Federal Act and to ensure that the prevention, investigation and detection of money laundering and terrorist financing is not jeopardised. Exchange of information Article 22. (1) The obliged entities shall have systems in place that enable them to respond fully and speedily through secure channels to enquiries from the Financial Intelligence Unit (Geldwäschemeldestelle) or the FMA, in a manner that ensures full confidentiality of the enquiries, that appear necessary to the aforementioned bodies for the purposes of the prevention of or pursuing of money laundering or terrorist financing, as to whether they are maintaining or have maintained, during a five-year period prior to that enquiry a business relationship with specified persons, and on the nature of that relationship. (2) Obliged entities shall be allowed to exchange information in cases that refer to the same customer or the same transaction in which two or more obliged entities are involved, where this is appropriate and necessary for the purposes of preventing money laundering and terrorist financing; this shall also apply for
3. credit and financial institutions pursuant to Article 3 nos. 1 and 2 of Regulation (EU) 2015/849 with their registered office in another Member State, which do not only hold an authorisation for conducting exchange bureau business, and
4. obliged entities fitting the definition in Article 3 (1) and (2) of Regulation (EU) 2015/849, whose registered office is in a third country where the equivalence conditions set forth in Directive (EU) 2015/849 apply, where such obliged entities are subject to equivalent obligations with regard to professional secrecy and the protection of personal data. The information exchanged is to be used exclusively for the purposes of the prevention of money laundering and terrorist financing. Requirements for internal organisation and trainings Article 23. (1) The obliged entities shall establish policies, controls and procedures for the effective mitigation and management of risks of money laundering and terrorist financing identified on European Union, national and company-wide levels, which shall be commensurate to the type and size of the obliged entity. In so doing, they shall take into account the report of the European Commission pursuant to Article 6 (1) of Directive (EU) 2015/849, the national risk assessment (Article 3) and the risk assessment at company level (Article 4) into account. The policies, controls and procedures shall in particular include the following:
5. risk classification at customer level (Article 6 para. 5),

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 35 / 62 1a. the identification and assessment of risks for transfers of crypto-assets to or from a self-hosted address (Article 11a para. 1), 2. risk management systems (Article 11 para. 1 no. 1), 3. customer due diligence measures; this shall also include measures relating to new products, practices and technologies for addressing the risks associated with them, 4. suspicious activity reports, 5. retention of documentation, and 6. provisions for compliance with para. 6 (2) The policies, controls and procedures (para. 1) shall be determined in written form and approved by the management board; they shall be applied on an ongoing basis, and adapted accordingly as necessary. The ongoing compliance with the internal regulations, which form part of the policies, controls and procedures, of the employees who are subject to these regulations, shall be monitored by the special officer (para. 3). In particular, he/she shall also be responsible for the compliance with group-wide policies and procedures pursuant to Article 24. Furthermore, a risk-based independent review of the policies, procedures and controls as well as their ongoing application, shall be conducted by Internal Audit. Where obliged entities are not required to have an internal auditing body, and where an independent inspection is necessary due to the type and scope of the business activities conducted, the inspection shall be conducted by an independent body. (3) The obliged entities shall appoint a special officer to ensure compliance with the provisions of this Federal Act. The position of the special officer shall be set up in such a way that such officer shall be responsible only to the management board and shall report to the management board directly, without any intermediate levels. Moreover, the officer shall be granted free access to all information, data, records and systems that may in any possible way be connected to money laundering and terrorist financing, as well as sufficient powers for the enforcement of compliance with the provisions contained in this Federal Act. Obliged entities shall guarantee by means of appropriate organisational measures that all the special officer’s duties may be fulfilled at all times on site. The obliged entities shall ensure that the special officer shall at all times possess adequate professional qualifications, knowledge and experience (expert qualification) and is reliable and of integrity (personal reputation). (4) The obliged entities shall designate a member of the management board, who shall be competent for ensuring that the provisions intended to prevent or combat money laundering or terrorist financing are complied with. (5) The obliged entities shall ensure by means of measures that are commensurate to the risks to which they are exposed, as well as their type and size, that their employees are aware of the provisions for the prevention or combatting of money laundering or terrorist financing to an extent that is necessary for the fulfilment of their duties. Those measures shall include participation of the competent employees in special ongoing training programmes, in which they learn how to recognise operations which may be related to money laundering or terrorist financing and to instruct them as to how to proceed in such cases.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 36 / 62 (6) Furthermore, the obliged entities shall also consider, when selecting staff members, their propriety with regard to their attachment to legal values; attention shall also be paid, prior to the appointment of supervisory board members, to their attachment to legal values. (7) Electronic money issuers as defined in point 3 of Article 2 of Directive 2009/110/EC and payment service providers as defined in point 11 of Article 4 of Directive (EU) 2015/2366, are incorporated in another Member State and which are established in Austria in another form than a branch, shall name a central point of contact in Austria, if they satisfy the criteria set out in the delegated act pursuant to Article 45 (10) of Directive (EU) 2015/849, which are responsible, on behalf of the appointing institution, for guaranteeing compliance with the rules for the combatting of money laundering and terrorist financing and to facilitate supervision by the FMA, by among other ways making documents and information available to the FMA upon request. Requirements in relation to the risk of non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation Article 23a. (1) Obliged entities shall observe targeted financial sanctions in connection with the financing of proliferation pursuant to Article 2 no. 25 and establish policies, controls and procedures in order to mitigate and control the risk of non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation. The established policies, controls and procedures for effectively mitigating and controls such risks shall in particular include:

1. the risk assessment at company level (Article 4);
2. Measures for recognising risk factors and potential indications for the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation or potentially risk-prone constellations;
3. risk management systems regarding the risk of non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation;
4. notification and reporting obligations in connection with targeted financial sanctions in connection with the financing of proliferation pursuant to Article 23 (2) of Regulation (EU) 2017/1509. (2) The policies, controls and procedures (para. 1) shall be commensurate to the type and size of the obliged entity, and shall be determined in written form and approved by the management board; they shall be applied on an ongoing basis, and adapted accordingly as necessary. The ongoing compliance with the internal regulations, which form part of the policies, controls and procedures, of the employees who are subject to these regulations, shall be monitored by a special officer. Employees shall be trained accordingly. Furthermore, a risk-based independent review of the policies, procedures and controls as well as their ongoing application, shall be conducted by Internal Audit. Where obliged entities are not required to have an internal auditing body, and where an independent inspection is necessary due to the type and scope of the business activities conducted, the inspection shall be conducted by an independent body. The provisions pursuant to Article 23 para. 3 shall apply accordingly.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 37 / 62 (3) Obliged entities that are part of a group shall implement group-wide policies and procedures for the purpose of prevention of financing of proliferation as defined in Article 2 no. 25, including data protection policies as well as policies and procedures for sharing information within the group, to be defined in written form, and to be applied on an ongoing basis. Those policies and procedures shall be implemented effectively at the level of branches or branch establishments and subsidiaries in Member States and third countries. The special officer (para. 2) shall ensure the implementation and observation of these policies and procedures. The provisions set out in Article 24 paras. 2, 4 and 6 shall apply accordingly. (4) The provisions on requirements for retention of records and data protection pursuant to Article 21 and information exchange pursuant to Article 22 shall apply accordingly. (5) The supervisory powers and measures set forth in Section 7 shall stand at the FMA’s disposal for monitoring and enforcing the observance of targeted financial sanctions in connection with the financing of proliferation. Policies and procedures for groups Article 24. (1) Obliged entities that are part of a group shall implement group-wide policies and procedures for the purpose of combatting money laundering and terrorist financing, including data protection policies as well as policies and procedures for sharing information within the group, to be defined in written form, and to be applied on an ongoing basis. Those policies and procedures shall be implemented effectively at the level of branches or branch establishments and subsidiaries in Member States and third countries. (2) Obliged entities shall ensure that their branches or branch establishments in other Member States observe the national legislation passed transposing Directive (EU) 2015/849 in the Member State in question. (3) Obliged entities shall ensure that their branches or branch establishments and their subsidiaries located in third countries, where the minimum requirements for the prevention of money laundering and terrorist financing are less strict than those set out in this Federal Act, shall apply the requirements of this Federal Act, to the extent that the third country's law so allows. (4) The obliged entities shall inform the FMA in cases in which the implementation of the policies and procedures to be applied on a group-wide basis pursuant to para. 1 is not permissible in accordance with the law of a third country. Furthermore the obliged entities shall ensure that their branches or branch establishments and their subsidiaries in this third country apply additional measures to effectively mitigate the risk of money laundering or terrorist financing. If the additional measures are not sufficient, then the FMA shall exercise additional supervisory actions. The FMA may any among other things prescribe that the group shall not be allowed to establish or that it terminates business relationships, and shall not be allowed to undertake transactions in the third country or where necessary request the group to close down its operations in the third country.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 38 / 62 (5) The FMA shall notify the European Banking Authority of instances in which a third country's law does not permit the implementation of the policies and procedures required under para. 1. In such cases, coordinated action may be taken to pursue a solution. The FMA shall take into consideration any legal restrictions that may prevent the orderly implementations of such policies and procedures, including restrictions in relation to the secrecy obligation or data protection and other restrictions that impede the exchange of information that may be relevant for this purpose in the assessment about which third countries do not permit the implementation of the policies and procedures required under para. 1. (6) The exchange of information, including personal data of customers, shall be permitted within the group for the purposes of combatting money laundering and terrorist financing; in particular the documents and information, which are required for satisfying due diligence obligations towards customers and the information submitted together with a suspicious activity report may be passed on within the group, in order to fulfil the group-wide policies and procedures pursuant to para. 1. The information submitted in conjunction with a suspicious activity report shall be shared within the group, unless the Financial Intelligence Unit (Geldwäschemeldestelle) or the Financial Intelligence Unit of another Member State or a third country instructs otherwise. SECTION 7: SUPERVISION Aims and principles of supervision Article 25. (1) The FMA shall supervise the compliance of the rules of this federal act and of Regulation (EU) 2023/1113 by

1. credit institutions pursuant to Article 2 no. 1;
2. financial institutions pursuant to Article 2 no. 2 point a), that belong to a group of credit institutions pursuant to Article 30 BWG or a group supervised by the FMA pursuant to Article 197 para. 1 VAG 2016;
3. financial institutions pursuant to Article 2 no. 2 points b) to h), and
4. crypto-asset service providers pursuant to Article 2 no. 22 with the objective of preventing the financial system for being used for the purposes of money laundering and terrorist financing as the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation. In so doing, it shall take into account the national economic interest in maintaining a functioning financial system. By way of derogation from Article 1, for the purposes of this section only those entities listed in nos. 1 to 4 shall be considered as obliged entities. (2) The FMA shall, when performing its duties and exercising its supervisory powers pursuant to this Federal Act, proceed on the basis of a risk-based approach. It shall

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 39 / 62

1. analyse and assess the risks of money laundering and terrorist financing as well as the non￾implementation and evasion of targeted financial sanctions in connection with the financing of proliferation existing in the financial system in Austria,
2. base the frequency and intensity of on-site and off-site supervision on the risk profile of obliged entities, and on the risks of money laundering and terrorist financing as well as the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation in Austria,
3. review the assessment of the money laundering and terrorist financing as well as the non￾implementation and evasion of targeted financial sanctions in connection with the financing of proliferation risk profile of obliged entities, including the risks of non-compliance, both periodically and when there are major events or developments affecting the obliged entities’ management and operations.
4. take into account, as appropriate, the degree of discretion allowed to the obliged entities as well as the risk assessments that underlie this discretion, as well as the adequacy and implementation of the internal policies, controls and procedures of the obliged entities. (3) The FMA shall, in the enforcement of the provisions of this Federal Act, including the issuing of Regulations on the basis of this Federal Act and their enforcement, as well as on the basis of Regulation (EU) 2015/847 take into account European convergence in respect of supervisory tools and supervisory procedures. To this end, the FMA shall participate in the activities of the European Banking Authority, and shall apply Guidelines, Recommendations and other measures decided upon by the European Supervisory Authorities. The FMA may deviate from the aforementioned Guidelines and Recommendations when justified grounds exist to do so, in particular in the event of a conflict with provisions set out under national law. (4) The FMA shall cooperate within the meaning of Regulations (EU) no 1093/2010 with the European Banking Authority and with the other participants of the European System of Financial Supervision (ESFS) pursuant to Article 1 (3) of Regulation (EU) no 1092/2010, and shall make all information available to them without delay necessary for the performance of their duties in accordance with the aforementioned Regulations that they require on the basis of Directive (EU) 2015/849. (5) The FMA may cooperate mutually with authorities in Member States and third countries that perform the duties that correspond to the FMA's duties, and shall share all information, where the sharing of the information serves the purposes of supervision of financial markets. Such information shall also include information about shareholders, members of the management board, the supervisory board, the administrative board, and the executive directors of the obliged entities as well as information relating to the customers of the obliged entities. The FMA may also exercise its powers under federal law exclusively for the purposes of cooperation or exchange of information in accordance with this paragraph, even if the conduct that is subject of the investigation does not constitute a breach of a regulation applicable in Austria. (6) The submission of information to authorities in third countries pursuant to para. 5 shall only be permissible, if they are subject to or have agreed to an equivalent level of professional secrecy that

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 40 / 62 corresponds to the professional secrecy pursuant to the respective European legal acts that govern the activities of obliged entities and the transferring of personal data occurs in accordance with Chapter V of Regulation (EU) 2016/679. Where information that the FMA receives from the competent authority of another Member State is affected, such information may only be allowed to be disclosed with the explicit consent of that supervisory authority and only for the purposes, for which that authority has given its consent. Furthermore, such a submission shall only be permissible on the basis of a reciprocal agreement or actual reciprocity. (7) In the case of credit institutions and financial institutions that are part of a group, whose parent undertaking has its place of incorporation in Austria, then FMA shall supervise the effective implementation of strategies and procedures throughout the group pursuant to Article 24 para. 1. For this purpose and in the case that credit institutions and financial institutions with their registered office in Austria are part of a group with a parent undertaking with its place of incorporation in another Member State, then the FMA shall cooperate with the competent authorities of the Member State. This shall also apply with regard to branches or branch establishments of credit institutions and financial institutions that are part of a group. (8) The FMA shall be authorised within the material scope of the combatting of money laundering and terrorist financing as well as the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation to exchange information and provide official assistance with other authorities in Member States and third countries that are required to perform duties that are equivalent to those performed by the FMA. The FMA shall not be allowed to refuse a request for the exchange of information or official assistance within the material scope of the combating of money laundering and terrorist financing as well as the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation for one of the following reasons:

1. the request in the FMA’s opinion is also based on tax matters;
2. the obliged entities from whom this information originates are subject to secrecy obligations or are obliged to preserve confidentiality, except in cases in which the information to which the request relates are protected by a right to refuse to give evidence or in which a duty of confidential of notaries, lawyers, defence lawyers in criminal cases, tax advisers, external auditors or other providers of legal advice, provided that an obligation of confidentiality is prescribed for them, applies;
3. there is a pending investigation, inquiry or proceedings, unless the investigation, inquiry or proceedings would be jeopardised by the exchange of information or the provision of assistance;
4. the type and position of the competent authority making the request is different to the type and position of the FMA. (8a) For the purpose of combating the non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation in accordance with this Federal Act and the competent authorities pursuant to the Sanctions Act 2024 (SanktG 2024; Sanktionengesetz 2024)

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 41 / 62 published in Federal Law Gazette I XXX/202x, shall be mutually authorised for the purpose of performing their duties conferred upon them under the Sanctions Act 2024, to provide each other with information, data and documents on measures, approvals, prohibitions and procedures, and to provide information, where doing so is necessary for conducting their legal duties. Exchanging relevant information may also occur at the own initiative of the authority submitting the information. Article 14 of the Sanctions Act 2024 shall apply accordingly for the processing of personal data pursuant to Article 14 para. 1 of the Sanctions Act 2024. (9) In order to guarantee that the supervisory measures imposed by the FMA, the sanctioning of breaches of obligations and the publications of such sanctions achieve the desired results, the FMA must cooperate closely with the other competent authorities in Austria, and in the case of cross￾border issues with the competent authorities in Member States and third countries in the exercising of powers in this regard pursuant to the provisions of this Federal Act, and coordinate their measures. (10) The FMA shall ensure that its staff members, who are active on behalf of the FMA in the enforcement of this Federal Act, is also suitably qualified with regard to matters of confidentiality, data protection and the standards about the handling of conflicts of interest, and with regard to integrity that it satisfies high standards and works to a high professional standard. Authorisation for processing of personal data Article 26. The FMA is authorised to process personal data as defined in Regulation (EU) 2016/679, provided that this is necessary for the performance of its duties in accordance with this Federal Act. Cooperation of Bundesrechnungszentrum GmbH Article 27. The Bundesrechenzentrum GmbHshall cooperate in the conduct of business operations, that the FMA is subject to in accordance with this Federal Act and Regulation (EU) 2015/847, provided that such a cooperation is in the interest of simplicity, expedience or cost-effectiveness. Supervision costs Article 28. (1) The costs of the FMA for the supervision of obliged entities in accordance with this Federal Act shall constitute costs of the accounting groups for banking supervision, insurance supervision, securities supervision and Pensionkassen supervision pursuant to Article 19 para. 1 nos. 1 to 4 FMABG and shall be refunded to the accounting groups in accordance with the allocation set out in paras. 2 to 6, or where accounting subgroups shall be established within the accounting group pursuant under the Federal Act to the accounting subgroups. (2) The costs for the supervision of credit institutions pursuant to Article 1 para. 1 BWG, with the exception of credit institutions pursuant to Article 1 para. 1 nos. 13, 13a and 21 BWG, the costs of supervision of CRR-credit institutions pursuant to Article 9 BWG, which conduct activities in Austria through a branch, for financial institutions pursuant to Article 1 para. 2 nos. 1 to 6 BWG that are part

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 42 / 62 of a group of credit institutions pursuant to Article 30 BWG, for CRR-financial institutions pursuant to Article 11 and Article 13 BWG, which conduct activities in Austria through a branch, for electronic money institutions pursuant to Article 3 para. 2 E-Geldgesetz 2010, for branches pursuant to Article 9 E-Geldgesetz 2010, payment institutions pursuant to Article 10 ZaDiG 2018 and branches pursuant to Article 27 ZaDiG 2018, shall be assigned to the sub-accounting group to be established pursuant to Article 69a para. 1 BWG within the accounting group Banking Supervision pursuant to Article 19 para. 1 no. 1 FMABG. (3) The costs for the supervision of insurance undertakings pursuant to Article 5 no. 1 VAG 2016, small insurance undertakings pursuant to Article 5 no. 3 VAG 2016, the branches of EEA insurance undertakings pursuant to Article 5 no. 7 VAG 2016, the branches of third-country insurance undertakings pursuant to Article 5 no. 5 VAG 2016 and of financial institutions pursuant to Article 1 para. 2 nos. 1 to 6 BWG, which form part of a group to be supervised by the FMA pursuant to Article 197 VAG 2016, shall be assigned to the accounting group Insurance Supervision pursuant to Article 19 para. 1 no. 2 FMABG. (4) The costs for the supervision of investment firms pursuant to Article 3 para. 1 WAG 2018, of investment services providers pursuant to Article 4 para. 1 WAG 2018 and investment firms pursuant to point 1) of Article 4 (1) of Directive 2014/65/EU, which are authorised in another Member State, and which conduct activities in Austria pursuant to Article 17 WAG 2018 through a branch, shall be assigned to the accounting subgroup to be established pursuant to Article 89 para. 1 WAG 2018 for providers of investment services within the accounting group for Securities Supervision pursuant to Article 19 para. 1 no. 3 FMABG (5) The costs for the supervision of AIFMs pursuant to Article 4 para. 1 AIFMG, of branches established pursuant to Article 33 AIFMG, of non-EU AIFMs pursuant to Article 39 para. 3 AIFMG, of management companies pursuant to Article 5 para. 1 InvFG 2011, of branches established pursuant to Article 36 para. 2 InvFG 2011, of real estate investment fund management companies pursuant to Article 2 para. 1 ImmoInvFG and corporate provision funds pursuant to Article 18 para. 1 BMSVG shall be assigned to the account subgroup to be established pursuant to Article 45a para. 1 BMSVG, Article 56 para. 5 AIFMG, Article 2 para. 12 ImmoInvFG and Article 144 para. 1 InvFG 2011 within the accounting group Securities Supervision pursuant to Article 19 para. 1 no. 3 FMABG. (6) Repealed (Art. 1 of amendment published in Federal Law Gazette I 151/2024). (7) The costs of supervision of crypto-asset service providers shall be allocated to the Sub￾Accounting Group to be established pursuant to Article 22 of the MiCAR Enforcement Act (MiCA-VVG; MiCA-VO-Vollzugsgesetz) published in Federal Law Gazette I No. 111/2024 within the accounting group for Securities Supervision pursuant to Article 19 para. 1 no. 3 FMABG, provided that they have not already been allocated pursuant to paras. 2 to 5.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 43 / 62 Information and disclosure obligations Article 29. (1) The FMA may request information from obliged entities at any time on all issues that are addressed in this Federal Act and in Regulation (EU) 2015/847 and may request necessary documents to be disclosed and may determine the way and manner in which the documents shall be disclosed. (2) The FMA may, in order to ensure the legality of insurance business, also request information from insurance intermediaries pursuant to Article 365m para. 3 no. 4 of the Commercial Code (GewO 1994; Gewerbeordnung 1994) at any time and request the submission of documents, in particular about contracts held by insurance intermediaries or contracts with third parties, and may inspect them on￾site; Article 30 paras. 1 to 3 shall apply accordingly. (3) The FMA, in relation to the supervisory obligations conferred upon it in accordance with this Federal Act, may request information from anyone about issues covered by this Federal Act. Any other existing obligation of secrecy existing in accordance with other legal provisions shall not be affected by this. The auditor of the obliged entity may not however invoke his secrecy obligation. (4) The obligation to disclose information implies a commitment to submit certificates and other written documentation, or to permit them to be inspected. On-site inspections Article 30. (1) The competent bodies within the FMA may conduct on-site inspections at the obliged entities at any time to verify compliance with the provisions of this Federal Act. (2) The FMA may, with the consent of the host country’s competent authority, conduct inspections of branches or branch establishments and subsidiaries in Member States and third countries of obliged entities incorporated in Austria to check the effective implementation of the policies and procedures pursuant to Article 24. Paras. 3 to 8 of this Article shall be applied accordingly. The FMA may request the host country’s competent authority to perform the inspection, if doing so simplifies or speeds up the procedure or if doing so is in the interests of expedience, simplicity, rapidity or cost￾effectiveness. (3) Where necessary, the FMA may appoint inspection bodies that do not belong to the FMA. They shall be remunerated by the FMA with a fee that is commensurate to the work involved in the inspection and the expenses incurred for this purpose. (4) The inspection shall be announced at least one week prior to commencement, provided that doing so shall not thwart the purpose of the inspection. The inspectors are to be provided with a written inspection engagement and must voluntarily present proof of their identity as well as the inspection engagement before beginning the inspection. The inspection mandate shall describe the subject matter of the inspection. (5) Obliged entities shall make the documents required for the inspection available to the inspection bodies, and allow them to inspect the bookkeeping records, receipts and documents, and to provide

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 44 / 62 information as requested. Furthermore, the obliged entities shall grant the inspectors access to the business premises at any time during usual business and working times. (6) The inspection bodies may request the information and documentation required for the inspection directly from any person employed by the obliged entities within the scope of that person’s activities. (7) The inspection bodies shall be provided with suitable premises and tools for the purpose of conducting the inspection. Where data is entered or stored using data media, the obliged entity shall be obliged at its own expense to provide the tools necessary to render the documents readable within a reasonable period of time and, where necessary, provide the required number of permanent copies which can be read without auxiliary tools. (8) The findings made during the course of the inspection shall be recorded in writing. The affected obliged entity shall be given an opportunity to submit its opinion. (9) Paras. 1 to 8 shall be applied accordingly for service providers, to whom the functions or business activities have been outsourced by the obliged entities, and regardless of whether such a transfer requires authorisation. If the service provider is incorporated in another Member State or a third country, then the FMA shall be required to gain the consent of the competent authority in the host state before an on-site inspection is conducted. In the case of an entity that is not subject to supervision, the competent authority in the host country, in which the service provider is incorporated, shall be the competent authority. The FMA may delegate an on-site inspection to the competent authority in the host country, in which the service provider is incorporated. (10) A service provider incorporated in Austria, to whom functions or business operations have been outsourced by a credit and financial institution pursuant to items a to d of Article 3 nos. 1 to 2 of Directive (EU) 2015/849 incorporated in another Member State, or by comparable entities in a third country , may, with the consent of the FMA, be inspected on-site by the competent authority of the relevant Member State or third country or by persons appointed by them. The FMA itself or inspection bodies appointed by the FMA pursuant to para. 3 may participate in this inspection. Paras. 4 to 8 shall be applied accordingly. The FMA may perform the inspection at the request of the host country’s competent authority, if doing so simplifies or speeds up the procedure or if doing so is in the interests of expedience, simplicity, rapidity or cost-effectiveness. (11) Austrian branches or branch establishments and subsidiaries of credit institutions and financial institutions pursuant to points a) to d) of Article 3 (1) and (2) of Directive (EU) 2015/849 incorporated in another Member State or comparable third country entities may, with the consent of the FMA, be inspected by the competent authorities of their home state or persons appointed by those authorities with regard to the effective implementation of policies and procedures as defined in Article 45 (1) of Directive (EU) 2015/849. The FMA itself or inspection bodies appointed by the FMA pursuant to para. 3 may participate in such an inspection. Paras. 4 to 8 shall be applied accordingly. The FMA may perform the inspection at the request of the host country’s competent authority, if doing so simplifies or speeds up the procedure or if doing so is in the interests of expedience, simplicity, rapidity or cost-effectiveness.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 45 / 62 Supervisory measures of the FMA Article 31. (1) The FMA shall issue all instructions that are necessary and suitable to ensure that the business operations of obliged entities are conducted in accordance with this federal act and with Regulation (EU) 2023/1113. In particular, this shall also include the power

1. to order that the obliged entity or the natural person in question ceases its behaviour and must refrain from any repeat occurrence;
2. to temporarily or permanently prohibit a person held responsible for the breach of the provisions, regardless of whether that person has already performed these managerial functions, from exercising managerial functions in obliged entities;
3. to revoke the licence granted by the FMA pursuant to the procedures set out in Article 9 para. 1 no. 4 AIFMG, Article 6 para. 2 no. 3 in conjunction with Article 70 para. 4 BWG, Article 26 para. 7 E-GeldG, Article 148 para. 5 InvFG 2011, Article 285 VAG 2016, Article 90 para. 3 no. 5 in conjunction with Article 92 para. 8 WAG 2018, Article 94 para. 7 ZaDiG or Article 64 of Regulation (EU) 2023/1114, and
4. to revoke the registration undertaken by the FMA pursuant to Article 43a para. 2. (2) In addition to supervisory measures addressed to the obliged entities themselves, if their purpose require, such supervisory measures in accordance with para. 1 may also be issued to:
5. the members of the management body of the obliged entity, as well as the persons who control the obliged entity; or
6. service providers, to whom the functions or business activities have been outsourced, and regardless of whether or not outsourcing requires authorisation. Supervision in the context of the Freedom of Establishment and the Freedom to Provide Services Article 32. (1) If a credit institution or financial institution pursuant to Article 3 nos. 1 and 2 of Directive (EU) 2015/849 incorporated in another country, which performs business operations in Austria, breaches the provisions of this Federal Act or of Regulation (EU) 2015/847, then the FMA shall request this entity to remedy such shortcomings. This request shall not be issued in the form of an administrative decision. At the same time, the FMA shall communicate its findings to the competent authority of the home Member State. (2) In the event that the credit institution or financial institution pursuant to Article 3 nos. 1 and 2 of Directive (EU) 2015/849 incorporated in another Member State does not comply with the instruction pursuant to para. 1, then the FMA shall communicate this to the competent authority in the home Member State, and shall request that the supervisory authority in the entity’s home Member State takes the appropriate measures for remedying the shortcomings. (3) If the competent authority of the home Member State does not take any measures, or if the measures taken appear to be inadequate or ineffective, then the FMA, in applying Article 31 shall issue the necessary and suitable instructions to the credit institution or financial institution pursuant

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 46 / 62 to Article 3 nos. 1 and 2 of Directive (EU) 2015/849 incorporated in another Member State. The competent authority of the home Member State shall be contacted prior to instructing a measure in accordance with this paragraph. (4) In the event that a measure is urgently necessary for preventing the misuse of the financial system for the purposes of money laundering and terrorist financing, then the FMA shall issue the necessary and suitable instructions, without procedures pursuant to paras. 1 to 3 and applying Article 31, to the credit institution or financial institution pursuant to Article 3 nos. 1 and 2 of Directive (EU) 2015/849 incorporated in another Member State. The competent authority of the home Member State shall be contacted once a measure in accordance with this paragraph has been ordered. Article 32a. Repealed (Art. 1 of amendment published in Federal Law Gazette I 151/2024). Article 32b. The FMA shall prohibit the activities of providers pursuant to Article 2 no. 22 without a registration pursuant to Article 32a para. 1. The powers pursuant to Articles 22b to 22e FMABG shall be afforded to the FMA for this purpose. Professional secrecy and cooperation between the FMA and other authorities in relation to the combating of money laundering and terrorist financing Article 33. (1) Irrespective of Article 14 para. 2 FMABG, all persons that were or are active for the FMA as well as external auditors and experts who were commissioned by the FMA are subject to professional secrecy in relation to the information that they have obtained in the exercising of their obligations in accordance with this Federal Act. With the exception of the cases covered under criminal law, confidential information, which the person named in the first sentence receives in the exercising of their duties in accordance with this Federal Act, shall only be allowed to be passed on in summarised or aggregated form, so that individual obliged entities are not able to be identified. (2) Para. 1 shall not preclude an exchange of information and mutual cooperation by the FMA with other authorities in Member States and third countries, which perform the duties that correspond to those of the FMA, in particular pursuant to Article 25 paras. 4 to 6 and Article 30, provided that doing so is expedient for the fulfilment of duties for the prevention of money laundering and terrorist financing or for other statutory duties within the scope of supervision of the financial market. This shall also apply for the European Central Bank, when it is active in accordance with Regulation (EU) 1024/2013. The FMA may monitor the credit institutions and financial institutions pursuant to Directive (EU) 2015/849 in accordance with the said Directive with the other competent authorities, and may conclude an agreement about the practical modalities for the exchange of information with the European Central Bank with the assistance of the European Banking Authority, where the European Central Bank is acting pursuant to Article 27 (2) of Regulation (EU) 1024/2013 and Article 56 1st subparagraph lit. g of Directive 2013/36/EU. (3) The FMA shall only be allowed to use confidential information, which it receives through the exchange of information with other authorities pursuant to Article 57a (1) of Directive (EU) 2015/849, for the following purposes:

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 47 / 62

1. for exercising its duties in accordance with this Federal Act or other national or European legal acts in the field of the combating of money laundering and terrorist financing, the supervision of financial services and the supervision of credit institutions and financial institutions, including the imposing of administrative penalties;
2. within an appeal procedure against a decision by the FMA, including related judicial proceedings;
3. within judicial proceedings that have been initiated on the basis of specific provisions under Union law in the scope of Directive (EU) 2015/849 or within the scope of supervision of financial services or the supervision of credit institutions and financial institutions. (4) In the supervision of credit institutions and financial institutions, the FMA shall cooperate with other competent authorities for the supervision of credit institutions and financial institutions in other Member States to the furthest possible extent. Such a cooperation shall also be allowed to include the conducting of investigations within the powers of the competent authority, for which their assistance has been requested, on behalf of the competent authority making the request, as well as the subsequent exchange of information obtained during such investigations. (5) The FMA may be authorised by the Federal Minister of Finance within the supervision of credit institutions and financial institutions to conclude cooperation agreements for the purposed of cooperation with and exchanging of confidential information with the competent authorities of third countries that perform duties that correspond to the FMA’s duties, provided that so doing is expedient for the purposes of supervision of the financial market. Such cooperation agreements shall only be allow to be concluded on the basis of reciprocity and one where it is possible to guarantee that the competent authorities of third countries, to which information is passed on, at least are subject to the requirements of professional secrecy pursuant to para. 1. The information that is exchanged pursuant to these cooperation agreements must serve the purpose of fulfilling the duties of these authorities under supervisory law. The FMA shall only be allowed to pass on information to an authority in a third country that it has received from another Member State or a third country with the explicit approval of the competent authority that passed on this information, and as applicable exclusively for the purposes which the authority has approved. (6) Taking into consideration the application of the provisions of this Federal Act and taking into consideration professional confidentiality obligations, the FMA may for the purposes of prevention of money laundering and terrorist financing exchange information with the following authorities:
4. the Federal Minister of Finance in relation to its supervision of holders of government￾approved licences pursuant to Article 14 and Article 21 GSpG an as the registry authority pursuant to Article 14 para. 1 WiEReG;
5. the competent regional authorities with regard to the supervision of regionally authorised parties for the operation of gaming machines and providers of betting services within the meaning of the regulations set out under regional law;
6. the Bar Associations with the scope of their supervision of attorneys;

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 48 / 62 4. the Austrian Chamber of Notaries (Notariatskammer) within the scope of its supervision of notaries; 5. the Chamber of Tax Advisors and External Auditors (KSW; Kammer der Steuerberater und Wirtschaftsprüfer) within the scope of supervision of tax advisors and external auditors; 6. the President of the Austrian Economic Chambers (WKO) within the scope of the WKO's supervision of balance sheet accountants, accounts and payroll accountants pursuant to Article 1 BiBuG 2014; 7. the authorities pursuant to Article 333 GewO within the scope of supervision of obliged entities pursuant to Article 365m1 para. 2 GewO; 8. the Financial Intelligence Unit (Geldwäschemeldestelle), with the FMA being obliged to cooperate closely with the Financial Intelligence Unit (Geldwäschemeldestelle) and to exchange information that is relevant for the Financial Intelligence Unit (Geldwäschemeldestelle) for its duties pursuant to this Federal Act, provided that such cooperation and this exchange of information would not affect any ongoing investigations, enquiries or procedures under Austrian criminal or administrative law. An exchange of information with authorities in other Member States or third countries that perform comparable duties to the authorities listed in nos. 1 to 8 shall be permissible, where it is guaranteed that these authorities are subject to professional confidentiality requirements that are at least equivalent to those pursuant to para. 1. (7) Irrespective of para. 1 and para. 3 the FMA may exchange information with law enforcement authorities, public prosecutor’s offices, and the courts for purposes relating to penal law and for purposes of the prevention of money laundering and terrorist financing. Confidential information that is exchanged pursuant to this paragraph shall only be allowed to serve the purpose of fulfilling the legal duties of the relevant authorities. Persons that have access to this information must be subject to an obligation of professional secrecy, which is at least equivalent to the requirements listed in para. 1. SECTION 8: PENAL PROVISIONS AND DISCLOSURES Breaches of obligations Article 34. (1) Any person who, as person responsible (Article 9 VStG) of an obliged entity, breaches the obligations pursuant to

1. Article 4 (conducting, documenting and updating the risk assessment),
2. Articles 5 to 12 (customer due diligence obligations) and the Regulations of the FMA issued on the basis of Article 6 para. 4, Article 8 para. 5 and Article 9 para. 4,
3. Articles 13 to 15 (execution by third parties),
4. Articles 16. to 17. (reporting obligations),

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 49 / 62 5. Article 19 para. 2 (protection against being exposed to threats or hostile actions in an employment relationship), 6. Article 20 (prohibition of disclosure) 7. Article 21 paras. 1 to 3 (retention obligations) and Regulations of the FMA issued on the basis of Article 21 para. 3, 8. Article 23 paras. 1 to 3 or 6 (internal organisation), 9. Article 23 paras. 4, 5 or 7 (trainings, responsibility of the management body and designation of the central point of contact), 10. Article 24 (policies and procedures for groups), 11. Article 11 para. 1 third sentence WiEReG (Due diligence in determining and checking of beneficial owners in relation to trusts and arrangements of a similar nature to a trust), or 12. Article 23a (Requirements in relation to the risk of non-implementation and evasion of targeted financial sanctions in connection with the financing of proliferation) commits an administrative offence and shall be punished by the FMA with a fine of up to EUR 150 000. (2) Any person who, as person responsible (Article 9 VStG) for an obliged entity,

1. breaches Articles 4, 5 or 6 of Regulation (EU) 2023/1113, by failing to transmit details about the payer or the payee,
2. breaches Articles 14, 15 or 19 of Regulation (EU) 2023/1113, by failing to transmit details about the originator or the beneficiary,
3. breaches Article 26 of Regulation (EU) 2023/1113, by failing to observe rules regarding the retention of records,
4. breaches Articles 8, 11, 12, 17, 20 or 21 of Regulation (EU) 2023/1113, by omitting to introduce effective procedures, or
5. in the case that the obliged entity is an intermediary payment service provider pursuant to Article 3 no. 5 of the Regulation, severely breaches Article 11 or 12, or Article 19, 20 or 21 of Regulation (EU) 2023/1113, commits an administrative offence and shall be punished by the FMA with a fine of up to EUR 5 000 000 or up to double the amount of the gain arising from the breach, where this amount is able to be determined. (3) Anyone acting as trustee, who does not fulfil their disclosure obligation pursuant to Article 6 para. 3, commits an administrative offence and shall be punished by the FMA with a fine of up to EUR 60 000. (4) In the case of breaches pursuant to para. 1 nos. 2, 4, 7, 8, 9, 10 and 12 as well as breaches of duties pursuant to para. 2 nos. 1 to 5 that are severe, repeated or systematic breaches or a combination of such breaches, the fine shall be up to EUR 5 000 000 or up to double the amount of the gain arising from the breach of obligations, where this amount is able to be determined.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 50 / 62 (5) Anyone who provides services in relation to virtual currencies pursuant to Article 2 no. 22 without the necessary registration pursuant to Article 32a para. 1, commits an administrative offence and shall be punished by the FMA with a fine of up to EUR 200 000. Penal liability of legal persons Article 35. (1) The FMA may impose fines against legal persons, if a breach of an obligation pursuant to Article 34 paras. 1, 2 and 4 was committed to their benefit by a person, who acted individually or as part of an organ of the legal person, and who, even though they are not allocated the function of a person responsible pursuant to Article 9 VStG, holds a managerial position within the legal person based on any of the following powers:

1. the power to represent the legal person;
2. the power to take decisions on behalf of the legal person; or
3. the power to exercise control within the legal person. (2) Legal persons may also be held responsible for breaches of the obligations pursuant to Article 34 paras. 1, 2 and 4, if a lack of monitoring or control by a person listed in para. 1 enabled the committing of one of the breaches of the obligations listed in Article 34 paras. 1, 2 and 4 by a person acting for the legal person to the benefit of the legal person. (3) The fine pursuant to paras. 1 and 2 shall be up to EUR 150 000 for breaches of obligations pursuant to Article 34 para. 1 and up to EUR 5 000 000 or 10% of total annual turnover in the case of breaches of obligations pursuant to Article 34 paras. 2 and 3. The total annual turnover shall be determined on the basis of the annual turnover from the most recent adopted annual financial statement. If the obliged entity is a credit institution, an electronic money institution pursuant to Article 3 para. 2 and Article 9 para. 1 E-Geldgesetz 2010, which is a CRR-financial institution pursuant to point 26 of Article 4 (1) of Regulation (EU) No 575/2013, a payment institution pursuant to Article 4 no. 4 ZaDiG 2018, which is a CRR-financial institution pursuant to point 26 of Article 4 (1) of Regulation (EU) No 575/2013, an AIFM pursuant to Article 2 para. 1 no. 2 AIFMG or an investment firm pursuant to Article 1 no. 1 WAG 2018, then the total annual turnover is the total of the income items listed in nos. 1 to 7 of Annex 2 to Article 43 BWG less the expenditures listed therein. If the obliged entity is an insurance undertaking pursuant to Article 5 no. 1 VAG 2016 or a small insurance undertaking pursuant to Article 5 no. 3 VAG 2016, then the total annual turnover shall be the total of the income items listed in Article 146 para. 4 nos. 1 to 8 and 10 to 11 VAG 2016 less the expenditures listed therein. If the obliged entity is a parent undertaking or a subsidiary of a parent undertaking, which is required to prepare consolidated financial statements in accordance with Article 22 of Directive 2013/34/EU, then the total annual turnover shall be determined on basis of the proceeds of the annual revenues of the corresponding type of income in accordance with the relevant accounting Directives according to the last available consolidated accounts. Where the FMA is unable to determine or calculate the bases for the total revenues, then it shall estimate them. In so doing, all relevant circumstances shall be taken into account that are relevant for the estimate.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 51 / 62 (4) (Repealed) Extension of the limitation period Article 36. A period of limitation of six years shall apply in the case of administrative offences pursuant to this federal act, instead of the period of limitation for pursuing this matter pursuant to Article 31 para. 1 VStG. The period of limitation for penal liability (Article 31 para. 2 VStG) in such cases shall be eight years. In addition to the time periods stated in Article 31 para. 2 nos. 1 to 4 VStG, to time for a proceeding in front of the Federal Administrative Court (BVwG; Bundesverwaltungsgericht) shall not be included into the period of limitation for penal liability. Disclosure Article 37. (1) The FMA may publish the name of the natural person or legal person on its website in the event of a breach of obligations pursuant to Article 34 paras. 1, 2, 4 and 5 including details about the breach of obligations, provided that such disclosure does not seriously jeopardise the stability of the financial markets, or cause a disproportionately high level of damage to the party concerned. (2) The FMA shall publish legally effective imposed fines for breaches of obligations pursuant to Article 34 paras. 1, 2, 4 and 5 as well as legally binding supervisory measures imposed against breaches of the obligations listed in Article 34 paras. 1, 2, 4 and 5 on its website, including the identity of the natural or legal person upon whom the sanction has been imposed or the supervisory measures enacted and information about the type and character of the underlying breach of the obligation without delay, once the person in question has been informed about the fine or supervisory measures becoming legally effective. (3) Where the FMA considers the publication of such data to be disproportionate following a case￾by-case assessment of the proportionality of the publication of the identity of the person or personal data of the affected natural or legal person named in para. 2, or where the publication of this data would threaten the stability of the financial markets of one or several Member States, or the conducting of on-going investigations, then the FMA shall only publish the decision (para. 2):

1. once the reasons for not publishing it cease to exist;
2. anonymously, if such an anonymous publication ensures an effective protection of the relevant personal data; if it is decided to publish the information on an anonymous basis, then the FMA may postpone the publication of the relevant data for a reasonable period of time, if it is to be assumed that the reasons for an anonymised publication shall cease to exist within that period; or
3. choose not to publish the decision, if the options in accordance with nos. 1 and 2 are not sufficient to ensure a. that the stability of the financial markets is not jeopardised, or b. that with regard to measures deemed to be of a minor nature, that proportionality is preserved in publishing the decisions.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 52 / 62 (4) The person affected by this publication may make an application to the FMA to review the lawfulness of the publication pursuant to paras. 1, 2 or 3 in a procedure resulting in an administrative decision. In this case, the FMA shall notify the public of the initiation of such a procedure in the same way as the original publication. If, in the course of this review, it is found that the publication was unlawful, the FMA shall correct the publication or in accordance with the request of the person subject to this publication, either revoke it or remove it from its website. (5) In the event that the administrative decision underlying the publication pursuant to paras. 1 to 3 is appealed against, then this as well as the outcome of this procedure shall be published in the same manner as the original publication. In the event that suspensory effect is granted for such an appeal in a procedure in a court of law, then the FMA shall also make this known. If an appeal is granted against a decision that is the subject of the publication pursuant to paras. 1 to 3, the publication may be removed as the request of the affected party from the FMA’s internet presence. (6) If a publication is not to be revoked or removed from the internet on the basis of a decision pursuant to paras. 4 and 5, it shall remain published for a period of five years. Publication of the personal data shall however only be maintained for as long as none of the criteria for an anonymised publication are fulfilled. Effective punishment of breaches of obligations Article 38. (1) When applying a supervisory measure pursuant to Article 31 para. 3 or imposing a fine pursuant to Article 34 or Article 35, the FMA shall take all relevant circumstances into account, including where applicable

1. the severity and the duration of the breach of the obligation;
2. the degree of culpability of the natural or legal person held responsible;
3. the financial strength of the natural or legal person held responsible, as indicated for example by the total turnover of the legal person held responsible or the annual income of the natural person held responsible;
4. the benefit derived from the breach by the natural or legal person held responsible, provided that this can be determined;
5. the losses caused to third parties by the breach of obligations, provided that they can be determined;
6. the willing of the natural or legal person held responsible to cooperate with the competent authority; and
7. previous breaches of obligations by the natural or legal person held responsible and convictions in relation to Article 165 StGB (money laundering), Article 278a StGB (criminal organisations), Article 278b StGB (terrorist associations), Article 278c StGB (terrorist offences) or Article 278d StGB (financing of terrorism) in the case of natural persons or convictions of comparable offences in other Member States or third countries. The provisions of the VStG shall be unaffected by this paragraph.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 53 / 62 (2) Prior to imposing a fine pursuant to Article 34 or Article 35 the FMA shall obtain an extract of a judicial record from the accused natural person or from the natural person(s), who has/have acted pursuant to Article 35 alone or as part of a body of the legal person. If there is evidence that suggest that an entry exists in the judicial record of another Member State, then the FMA shall request Vienna Provincial Police Directorate (LPD Wien; Landespolizeidirektion Wien) to obtain information from the judicial record from the relevant country/countries. Usage of received fines Article 39. Fines imposed by the FMA pursuant to this Federal Act shall flow to the Federal Government. Protection of whistleblowers Article 40.(1) Obliged entities shall have appropriate procedures in place to enable their employees, whilst keeping their identity confidential, to report any internal breaches of the provisions contained in this Federal Act, in regulations or administrative decisions enacted on the basis of this Federal Act, or against the provisions of Regulation (EU) 2015/847, or any administrative decision issued on the basis of that Regulation to a suitable body. The procedures pursuant to this paragraph must comply with the requirements of para. 3 nos. 2 to 5. (2) The FMA shall establish effective mechanisms to encourage the reporting of breaches or suspected breaches of the provisions of this Federal Act, of the regulations or administrative decisions issued on the basis of this Federal Act, of the provisions of Regulation (EU) 2015/847, or of an administrative decision issued on the basis of that Regulation. (3) The mechanisms referred to in para. 2 shall include at least:

1. specific procedures for the receipt of reports on breaches and their follow-up;
2. appropriate protection for employees of obliged entities who report breaches committed within the obliged entity;
3. appropriate protection for the accused person;
4. protection of personal data concerning both the person who reports the breaches and the natural person who is allegedly responsible for a breach, in compliance with the principles laid down in Regulation (EU) 2016/679;
5. clear rules to guarantee that the identity of the person who reported the breach is not disclosed, unless such disclosure of identity is obligatory in relation to public prosecution, court or administrative proceedings. (4) The FMA shall establish a procedure for the exchange of information and for cooperation against threats, reprisals, or hostile actions or detrimental or discriminatory measures with regard to employment relationships that may arise as a result of reporting a breach against the regulations in this Federal Act or in Regulation (EU) 2015/847, with other relevant authorities that have a role to

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 54 / 62 protect individuals who report such suspicious activities to the FMA. The procedure for the exchange of information and cooperation must at least ensure the following:

1. comprehensive information and information must be made available to the persons making such reports about the legal remedies under national law and the procedures for protection against threats, reprisals, or hostile actions or detrimental or discriminatory measures with regard to employment relationships, including the procedures for demanding financial compensation;
2. Persons making such reports must receive effective assistance from the competent authorities towards other relevant authorities involved in safeguarding them against discrimination, including the confirmation in the case of disputes in relation to employment law that the individual is appearing as an informant. Notifications to the European Supervisory Authorities Article 41. The FMA shall report all fines imposed for breaches of obligations pursuant to Article 34 paras. 2 and 3 and Article 35 in conjunction with Article 34 paras. 2 and 3, as well as supervisory measures imposed pursuant to Article 31 para. 3 to the European Banking Authority. If an appeals procedure is initiated, then both this fact and the outcome of the appeal shall also be reported to the European Banking Authority. SECTION 9: FINAL PROVISIONS Entry into force Article 42.(1) This Federal Act shall enter into force on 1 January 2017, with the exception of Article 8 para. 6 and Articles 34 to 38. Article 34 paras. 1, 2, 4 and 5 and Articles 35 to 38 in the version of the Federal Act published in Federal Legal Gazette I no 118/2016 shall enter into force upon expiry of the date of their publication in the Federal Law Gazette, at earliest however, on 1 January 2017. Article 8 para. 6 and Article 34 para. 3 shall enter into force on 26 June 2017. (2) Article 46 including its heading shall expire at the end of 25 June 2017. (3) The FMA may already issue Regulations on the basis of mandates conferred upon it in this Federal Act from the day following publication of the Federal Act. These Regulations shall enter into force at the earliest at the same time as the corresponding mandates become effective. (4) Article 2 para. 1 point f, Article 28 para. 2, Article 31 para. 3 no. 2, Article 35 para. 3 and Article 44 para. 1 no. 17 in the version of the Federal Act amended in Federal Law Gazette I No. 17/2018 shall enter into force on 1 June 2018. Entry into force of amendments Article 43. (1) Article 46 including its heading in the version of the Federal Act amended in Federal Law Gazette I No. 107/2017 shall enter into force on 26 June 2017.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 55 / 62 (2) Article 2 no. 2 point c, Article 28 para. 4, Article 31 para. 3 no. 2, Article 35 para. 3 and Article 44 para. 1 no. 16 in the version of the Federal Act amended in Federal Law Gazette I No. 107/2017 shall enter into force on 3 January 2018. Article 33 including its heading, Article 34 para. 4 and Article 35 para. 4 shall expire at the end of 2 January 2018. (3) Article 2 para. 3 no. 6 point g, Article 11 para. 1 final part, Article 23 para. 3 and Article 44 para. 1 no. 22 in the version of the Federal Act amended in Federal Law Gazette I No. 136/2017 shall enter into force on the day following their publication. (4) Article 1, Article 3 paras. 1 to 3 and 5 to 9, Article 16 para. 5, Article 18, Article 21 para. 6, Article 24 para. 6, Article 25 para. 9, Article 31 para. 1 and Article 38 shall enter into force on 1 August 2019. Article 2 no. 21, Article 6 para. 1 nos. 1 and 2, Article 7 paras. 1, 6 and 11, Article 9 paras. 1 and 3, Article 9a including heading, Article 10, Article 12 para. 2, Article 13 para. 2, Article 16 para. 2, Article 19 paras. 2 and 3, Article 20 para. 3 no. 2, Article 21 para. 1, Article 24 para. 5, Article 25 para. 1 nos. 2 to 4, paras. 7 and 8, Article 28 paras. 1 and 6, Article 31 para. 3 nos. 1 to 3, Article 32b, Aritcle 33 including heading, Article 34 para. 1 nos. 9 to 11, Article 34 para. 4, Article 40 para. 4 and Article 44 para. 1 nos. 23 and 24, para. 2 nos. 4 to 7, para. 3 nos. 5 and 6 and 8 to 10 as well as no. 3 in Annex II and no. 1 lits. f and g, no. 2 lits. c, e and f in Annex III as well as the amendments to the table of contents regarding Article 9a, Article 32a and Article 33 shall enter into force on 10 January 2020. Article 46 including heading in the version of the Federal Act amended in Federal Law Gazette I No. 37/2018 as well as the entry relating to Article 46 in the table of contents shall expire at the end of 31 December 2019. Article 21 para. 3 shall expire at the end of 9 January 2020. Article 2 no. 22 and Article 32a including its heading shall enter in force on 1 October 2019 providing that the obligation to register enters into force from 10 January 2020. (5) Article 2 no. 20, Article 3 paras. 7, 10 and 11, Article 7a including its heading, Article 13 para. 3, Article 16 para. 6, Article 20 para. 3 no. 3, the heading for Section 6, Article 22 including its heading, Article 24 para. 5, Article 25 paras. 1, 3 and 4, Article 33 paras. 1, 2 and 6 no. 7, Article 41, Article 44 para. 3 no. 3 and nos. 4 to 8, Article 47 no. 2 as well as the amendment to the table of contents regarding Article 7a, Section 6 and Article 22 in the version of this Federal Act amended in Federal Law Gazette I No. 25/2021, shall enter into force on 01 March 2021. Article 44 para. 3 nos. 4 and 5 shall expire at the end of 28 February 2021. (6) The table of contents with regard to Article 23a including heading, Article 2 nos. 24 and 25, Article 3 para. 1, Article 3 para. 3 nos. 1 to 8, Article 4 para. 1, Article 23a including heading, Article 25 para. 1, para. 2 nos. 1 to 3, para. 8, para. 8a, Article 34, Article 35 para. 1, para. 2, Article 36 and Article 37 paras. 1 and 2 shall enter into force in the version contained in Article 1 of the Act Amending the FM-GwG (FM-GwG Anpassungsgesetz) published in Federal Law Gazette I No. 151/2024, at the end of the day of its publication. The table of contents with regard to Article 11a including heading, Article 1 para. 1, Article 2 no. 5 lit. b, Article 2 nos. 21, 22, 23, Article 5 no. 2 lit. b, Article 6 para. 1 no. 2, Article 8 para. 6, Article 10, Article 11a, Article 19 para. 3, Article 23 para. 1 no. 1a, Article 25 para. 3, Article 27, Article 28 para. 7, Article 29 para. 1, Article 31, Article 32 para. 1, Article 40 paras. 1, 2 and 4, Article 43a including heading, Article 44 para. 2 no. 4, Article 44 para. 3

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 56 / 62 no. 5, Article 44 para. 3 nos. 7 to 9, in the version contained in Article 1 of the Act Amending the FM￾GwG (FM-GwG Anpassungsgesetz) published in Federal Law Gazette I No. 151/2024, shall enter into force on 30 December 2024. Articles 28 paras. 6, Article 32a and Article 34 para. 5 shall expire at the end of 31 December 2024. Article 34 para. 5 shall apply for the last time to circumstances, that occurred prior to 01 January 2025. Article 28 para. 6 in the version of the Federal Act amended in Federal Law Gazette I No. 98/2021 shall apply for the last time to the breakdown of costs for FMA financial years beginning prior to 31 December 2024. Transitional Provisions Article 43a. (1) Service providers that were registered prior to 30 December 2024 as virtual asset service providers pursuant to Article 32a in the version of the federal act amended in Federal Law Gazette I No. 98/2021, from 30 December 2024 until 31 December 2025 or until the time at which they receive an authorisation or are refused an authorisation in accordance with Article 63 of Regulation (EU) 2023/1114, depending on which point in time occurs first, when providing services pursuant to Article 2 no. 22 lits. a to e, in conjunction with no. 21 in the version of the federal act amended in Federal Law Gazette I Nr. 98/2021 shall be considered for the purposes of this federal act as crypto-asset service providers pursuant to Article 2 no. 22 and as crypto-asset service providers pursuant to Article 3 (1) point 15 of Regulation (EU) 2023/1114 for the purpose of the statement of costs pursuant to Article 22 MiCA-VVG. Irrespective of this rule, the breakdown of costs pursuant to Article 28 para. 6 in the version of the federal act amended in Federal Law Gazette I No. 98/2021 shall apply to service providers registered prior to 30 December 2024 as virtual asset service providers pursuant to Article 32a in the version of the federal act amended in Federal Law Gazette I No. 98/2021 for FMA financial years that begin prior to 31 December 2024. (2) Where the FMA has specific indication that the requirements of this federal act are unable to be observed by service providers that were registered prior to 30 December 2024 as virtual asset service providers pursuant to Article 32a in the version of the federal act amended in Federal Law Gazette I No. 98/2021, and which provide services pursuant to Article 2 no. 22 lits. a to e in conjunction with no. 21 in the version of the federal act amended in Federal Law Gazette I No. 98/2021 until 31 December 2025, or if the FMA has doubts about the personal reputation of the director(s) or the natural person who holds a qualifying holding, or where the service provider has not commenced its activities within a year have passed since its registration, then the FMA may revoke the registration. By having its registration revoked, the service provider’s right to provide services under the transitional measures pursuant to Article 143 (3) of Regulation (EU) 2023/1114 lapses. (3) Service providers that were registered as virtual asset service providers prior to 30 December 2024 pursuant to Article 32a in the version of the federal act amended in Federal Law Gazette I No. 98/2021 and which provide services pursuant to Article 2 no. 22 lits. a to e in conjunction with no. 21 in the version of the federal act amended in Federal Law Gazette I No. 98/2021 until 31 December 2025 are obliged to notify the FMA without delay of any change regarding

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 57 / 62

1. the provider’s name or company name and where available of its director(s);
2. the place of incorporation of the undertaking and the appropriate business address for deliveries;
3. the business model;
4. internal control systems as well as the planned policies and procedures in order to fulfil the requirements of this federal act and Regulation (EU) 2015/847; and
5. the identity and the amount of participations of the owners, who hold a qualifying holding pursuant to point 36 of Article 4 (1) of Regulation (EU) No. 575/2013 either directly or indirectly in the service provider. The FMA shall publish the details pursuant to paras. 2 and 3 on its official website and shall keep them continually updated until 31 December 2025. References Article 44. (1) Where references are made in this Federal Act to the following laws, they shall apply to their respective current versions unless specified otherwise:
6. Securities Deposit Act (DepotG; Depotgesetz) published in Federal Law Gazette no. 424/1969,
7. Criminal Code (StGB; Strafgesetzbuch) published in Federal Law Gazette no. 60/1974,
8. Code on Criminal Procedure 1975 (StPO; Strafprozeßordnung 1975), published in Federal Law Gazette no. 631/1975;
9. Administrative Penal Act 1991 (VStG; Verwaltungsstrafgesetz 1991), published in Federal Law Gazette no. 52/1991;
10. Administrative Enforcement Act 1991 (VVG; Verwaltungsvollstreckungsgesetz 1991), published in Federal Law Gazette no. 53/1991;
11. Banking Act (BWG; Bankwesengesetz), published in Federal Law Gazette no. 532/1993;
12. Private Foundation Act (PSG; Privatstiftungsgesetz), published in Federal Law Gazette no. 694/1993;
13. Commercial Code 1994 (GewO 1994; Gewerbeordnung 1994), published in Federal Law Gazette no. 194/1994;
14. Cooperative Auditing Association Act 1997 (GenRevG 1997; Genossenschaftsrevisionsgesetz 1997), published in Federal Law Gazette I no. 127/1997;
15. Stock Exchange Act 2018 (BörseG 2018; Börsegesetz 2018), published in Federal Law Gazette I No. 107/2017;
16. Financial Market Authority Act (FMABG; Finanzmarktaufsichtsbehördengesetz), published in Federal Law Gazette I no. 97/2001;
17. Criminal Intelligence Service Austria Act (BKA-G; Bundeskriminalamt-Gesetz), published in Federal Law Gazette I no. 22/2002;
18. Associations Act 2002 (VerG; Vereinsgesetz 2002), Federal Law Gazette I no. 66/2002;

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 58 / 62 14. Act on Severance and Retirement Funds for Salaried Employees and Self-Employed Persons (BMSVG; Betrieblicher Mitarbeiter- und Selbständigenvorsorgegesetz) published in Federal Law Gazette I no. 100/2002; 15. Real Estate Investment Fund Act (ImmoInvFG; Immobilien-Investmentfondsgesetz), published in Federal Law Gazette I no. 80/2003, 16. Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018), published in Federal Law Gazette I no. 107/2017; 17. Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018), published in Federal Law Gazette I no. 17/2018; 18. E-Money Act 2010 (E-Geldgesetz 2010; E-Geldgesetz 2010), published in Federal Law Gazette I no. 107/2010; 19. Investment Funds Act 2011 (InvFG 2011; Investmentfondsgesetz 2011), published in Federal Law Gazette I no. 77/2011; 20. Alternative Investment Funds Manager Act (AIFMG; Alternative Investmentfonds Manager￾Gesetz), published in Federal Law Gazette I no. 135/2013, 21. Insurance Supervision Act 2016 (VAG 2016; Versicherungsaufsichtsgesetz 2016), published in Federal Law Gazette I no. 34/2015; 22. Beneficial Owners Register Act (WiEReG; Wirtschaftliche Eigentümer Registergesetz), published in Federal Law Gazette I no. 136/2017; 23. the Gaming Act (GSpG; Glücksspielgesetz), published in Federal Law Gazette No. 620/1989; 24. Balance Sheet Accounting Act 2014 (BiBuG 2014; Bilanzbuchhaltungsgesetz 2014), published in Federal Law Gazette I No. 191/2013; (2) Where references are made in this Federal Act to EU Directives, unless instructed otherwise, the following listed versions thereof shall apply:

1. Directive 2007/64/EC on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC, OJ L 319, 05.12.2007, p. 1 most recently amended by Directive 2009/111/EC, OJ L 302, 17.11.2009, p. 97;
2. Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC, OJ L 267, 10.10.2009, p. 7;
3. Directive 2013/34/EU on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC and repealing Directives 78/660/EEC and 83/349/EEC, OJ L 182, 29.06.2013, p. 86, most recently amended by Directive 2014/102/EU, OJ L 334 of 21.11.2014, p. 86;
4. Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, OJ L 141 of 05.06.2015, p. 73, most recently amended by Regulation (EU) 2023/1113, OJ L 150, 09.06.2023, p. 1;

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 59 / 62 5. Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173, 12.06.2014, p. 349, last amended by Directive (EU) 2016/1034, OJ L 175, 23.06.2016, p. 8, as amended by the corrigendum, OJ L 64, 10.03.2017, p. 116; 6. Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC, OJ L 176, 27.06.2013, p. 338, most recently amended by Directive (EU) 2018/843, OJ L 156, 19.06.2018, p. 43; and 7. Directive 2011/16/EU on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC, OJ L 64, 11.03.2011, p. 1, most recently amended by Directive (EU) 2018/822, OJ L 139, 05.06.2018, p. 1. (3) Where references are made in this Federal Actto EU Regulations, unless instructed otherwise, the following listed versions thereof shall apply:

1. Regulation (EC) No 1781/2006 on information on the payer accompanying transfers of funds, OJ L 345, 08.12.2006, p. 1.
2. Regulation (EU) No 1092/2010 on European Union macro-prudential oversight of the financial system and establishing a European Systemic Risk Board, OJ L 331, 15.12.2010, p. 1.
3. Regulation (EU) No 1093/2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Decision 2009/78/EC, OJ L 331, 15.12.2010, p. 12, most recently amended by Regulation (EU) No 2019/2175, OJ L 334, 27.12.2019, p. 1;
4. Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012, OJ L 176, 27.06.2013, p. 1, most recently amended by Delegated Regulation (EU) 2018/405, OJ L 74, 16.03.2018;
5. Regulation (EU) 2023/1113 of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849, OJ L 150, 09.06.2023, p. 1;
6. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 04.05.2016, p. 1;
7. Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, OJ L 257, 28.08.2014, p. 73;
8. Regulation (EU) No. 1024/2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions, OJ L 287, 29.10.2013, p. 63, as amended by the corrigendum OJ L 218, 19.08.2015 p. 82; and
9. Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937, OJ L 150, 09.06.2023, p. 40.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 60 / 62 Gender-neutral use of language Article 45. Where expressions in this Federal Act relating to persons are given only in the masculine form, they shall refer equally to men and women. The respective gender-specific form shall be used when applied to specific persons. Article 46. (repealed by the amendment in Federal Law Gazette I 62/2019) Enforcement clause Article 47. Responsible for the execution of this Federal Act are:

1. the Federal Minister for Justice with regard to Article 19;
2. the Federal Minister for the Interior with regard to Article 16 paras. 4 to 7 and Article 17 paras. 4 and 5;
3. the Federal Minister of Finance in consultation with the Federal Minister of the Interior with regard to Article 16 paras. 1 and 2, Article 17 paras. 1 to 3 and Article 22; and
4. with regard to all other provisions, the Federal Minister of Finance. ANNEXES Annex I to Article 6 The following is a non-exhaustive list of risk variables that obliged entities shall consider when determining to what extent to apply customer due diligence in accordance with Article 6 para. 5:
5. the purpose of an account or a business relationship;
6. the level of assets to be deposited by a customer or the size of transactions undertaken;
7. the regularity or duration of the business relationship. Annex II to Article 8 The following is a non-exhaustive list of factors and types of evidence of potentially low risk in accordance with Article 8 para. 1:
8. Risk factors relating to customers: a. exchange-listed companies, whose securities are admitted to listing on a regulated market in one or more Member States, or exchange-listed companies from third countries which are subject to disclosure obligations equivalent or comparable to those set out under Union law, as determined by a regulation to be issued by the FMA on the basis of Article 122 para. 10 BörseG 2018; b. public administrations or enterprises; c. customers that are resident in geographical areas of lower risk in accordance with no. 3.
9. Risk factors relating to products, services, transactions or delivery channels:

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 61 / 62 a. life assurance contracts with low premiums, b. insurance policies for pension schemes, provided that the policies neither contain an early surrender option, nor may they be used as collateral for loans, c. a pension, superannuation or similar scheme, such as those operated by corporate provision funds that receive severance contributions and pension contributions for the self-employed, which provide retirement benefits to employees, where contributions are made by way of deduction from salaries, and where the rules of the system do not permit the beneficiary to transfer their rights to someone else, d. financial products or services that provide appropriately defined and limited services to certain types of customers with the aim of granting access to the financial system for the purposes of financial inclusion, e. products where the risks of money laundering and terrorist financing are managed by other factors such as restrictions in place on the electronic purse or transparency of ownership (e.g. certain types of electronic money). 3. Geographical risk factors – registration, establishment, place of residence in: a. Member States, b. third countries having effective systems for the combatting of money laundering and terrorist financing, c. third countries identified by credible sources as having a low level of corruption or other criminal activity, d. third countries which, on the basis of credible sources (e.g. mutual evaluations, detailed assessment reports or published follow-up reports), have requirements to combat money laundering and terrorist financing consistent with the revised FATF Recommendations and effectively implement those requirements.

Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt Geldwäschegesetz) 62 / 62 Annex III to Article 9 The following is a non-exhaustive list of factors and types of evidence of potentially higher risk in accordance with Article 9 para. 1:

1. Risk factors relating to customers: a. the business relationship is conducted in unusual circumstances, b. customers that are resident in geographical areas with a high risk pursuant to no. 3, c. legal persons or arrangements that operate as personal asset-holding vehicles, d. companies that have nominee shareholders or shares issued in bearer form, e. businesses that are cash-intensive, f. the ownership structure of the company appears unusual or excessively complex given the nature of the company's business, g. the customer is a citizen of a third country, who applies for rights of residence or the citizenship of a Member State in exchange for the transfer of capital, the purchasing of real estate or government debt or investments in companies in this Member State, h. the customer is the beneficiary of a life insurance contract.
2. Risk factors relating to products, services, transactions or delivery channels: a. private banking, b. products or transactions that might favour anonymity, c. non-face-to-face business relationships or transactions, without certain safeguards, including electronic means for identification purposes and relevant trust services pursuant to Regulation (EU) No. 910/2014 as well as other secure procedures for remote or electronic identification in accordance with Article 6 para. 4, d. payments received from unknown or unrelated third parties, e. new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products, f. transactions in relation to oil, weapons, precious metals, tobacco products, cultural goods and other articles of archaeological, historical, cultural or religious significance of or exceptional scientific value as well as in ivory and protected species.
3. Geographical risk factors: a. without prejudice to Article 2 no. 17, countries that are identified by credible sources (e.g. mutual evaluations, detailed assessment reports or published follow-up reports) as not having effective systems for combatting money laundering or terrorist financing, b. third countries identified by credible sources as having a significantly high level of corruption or other criminal activity, c. countries, against whom for example the European Union or the United Nations has/have imposed sanctions, embargos or similar measures, d. countries that provide financial or other means of support for terrorist activities, or in which known terrorist organisations operate.