COSOB Guidelines No. 04-2025 of October 22, 2025, on the Self-Assessment by Obliged Entities of Money Laundering, Terrorist Financing, and Proliferation Financing Risks (Version 0.2)

Algerian People's Democratic Republic Guidelines No. 2025-04 Dated October 22, 2025 Concerning the Self-Assessment by Obliged Entities of Money Laundering, Terrorist Financing, and Proliferation Financing Risks Version Number 0.2 October 2025 Commission for the Organization and Surveillance of Stock Market Operations Commission d’Organisation et de Surveillance des Opérations de Bourse – COSOB -

Introduction These guidelines aim to provide a methodological framework for obliged entities in the securities sector to assess their compliance with legal and regulatory requirements related to combating money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction. This measure aims to ensure that these entities possess the policies, procedures, and systems necessary to effectively identify, mitigate, and manage financial risks. Combating money laundering involves preventing and detecting any attempt to conceal or legitimize funds obtained illegally, including proceeds from organized crime, corruption, or other serious crimes, as well as bribes, whether direct or indirect, to support terrorist activities. Note that funds used in terrorist financing may be legitimately sourced but used for illicit purposes. Financing the proliferation of weapons of mass destruction relates to any activity contributing to the development, production, or acquisition of nuclear, chemical, or biological weapons, a field governed by strict international sanctions and financial controls. These three areas are interconnected and require a comprehensive and proactive approach. The legal and regulatory framework includes: • Ordinance No. 66-156 dated 18 Safar 1386 corresponding to June 8, 1966, concerning the Penal Code, as amended and supplemented; • Decree-Law No. 93-10 dated May 23, 1993, concerning the Stock Exchange, as amended and supplemented; • Law No. 01-05 dated February 6, 2005, concerning the prevention and combating of money laundering and terrorist financing, as amended and supplemented; • Executive Decree No. 23-429 dated November 29, 2023, concerning the General Register of Beneficial Owners for legal persons and entities; • Executive Decree No. 25-101 dated March 12, 2025, concerning procedures for the freezing and/or seizure of funds within the framework of preventing terrorist financing and the financing of the proliferation of weapons of mass destruction and combating them; • Executive Decree No. 102-25 dated March 12, 2025, defining the composition of the Committee for Monitoring Targeted International Sanctions and organizing its operation; • Executive Decree No. 103-25 dated March 12, 2025, defining the methods for registration on and removal from the National List of Terrorist Persons and Entities and the related effects; • COSOB Regulation No. 01-24 dated 11 Muharram 1446 corresponding to July 17, 2024, concerning the prevention and combating of money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction; • COSOB Instruction No. 07-24 dated November 21, 2024, containing due diligence measures towards customers within the framework of preventing money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction.

Definitions For the purposes of these guidelines, the following terms are defined as follows: • Obliged Entity: Securities brokers, clearing houses, stock exchange operators, investment fund management companies, investment financing companies, collective investment schemes, and operators of crowdfunding platforms (Funding-Crowd). • Customer: A natural or legal person who deals with the Obliged Entity. • Business Relationship: The relationship arising between the Customer or any financial institution associated with any investment activity. • Politically Exposed Persons (PEPs): Algerians and foreigners entrusted with or who have been entrusted with prominent public functions in Algeria or abroad, such as Heads of State or Governments, senior politicians, senior government officials, senior judicial officials, senior executives of state-owned corporations, political party executives, and persons entrusted with or who have been entrusted with prominent functions by an international organization as senior management members, including Directors and Deputy Directors or equivalent positions, and members of boards of directors. • Targeted Financial Sanctions: The freezing and/or seizure of funds and the prohibition of making funds or assets available, directly or indirectly, for the benefit of persons and entities listed on the Consolidated Sanctions List and the National List of Terrorist Persons and Entities. • Consolidated Sanctions List: A list recording the full identity of persons and information regarding all entities subject to targeted financial sanctions imposed by the United Nations Security Council related to terrorism and its financing or the prevention of the proliferation of weapons of mass destruction and its financing, including relevant Security Council lists. • National List of Terrorist Persons and Entities: The list established under Article 87 ter 13 of Ordinance No. 66-156 dated 18 Safar 1386 corresponding to June 8, 1966, concerning the Penal Code.

1. Objectives of the Self-Assessment The self-assessment process aims to: a. Understand specific threats associated with activities, products, customers, and geographic areas. Risk here is the probability that certain activities or events will lead to negative consequences, such as regulatory non-compliance or financial loss. b. Analyze the effectiveness of mechanisms adopted to mitigate these risks. This includes internal controls, which are procedures and systems designed to monitor and limit operational, financial, and legal risks. c. Verify the extent of regulatory compliance. Regulatory compliance refers to the conformity of practices with applicable laws and regulations, and compliance with legal requirements imposed by competent authorities. d. Implement corrective measures to address deficiencies and enhance the institution's resilience and regulatory continuity.

2. Regulatory Framework Adopted The Obliged Entity is defined by the following texts: • Regulations related to combating money laundering and terrorist financing: This includes regulatory texts imposing specific obligations on Obliged Entities to prevent money laundering and terrorist financing, including provisions related to customer due diligence, monitoring of financial transactions, and procedures for reporting suspicious transactions. • Financial Action Task Force (FATF) Recommendations: FATF is an international organization that sets global standards for combating money laundering and terrorist financing and formulates their legal and regulatory frameworks. Its recommendations serve as a fundamental reference for national regulatory bodies. • "Know Your Customer" (KYC) and "Customer Due Diligence" (CDD) procedures: The term "Know Your Customer" refers to the procedures Obliged Entities must follow to identify their customers, understand the nature of their economic activities, and determine the sources of their funds. Customer Due Diligence is a fundamental part of this framework, involving the collection of information about the customer and verification of its authenticity. • International Sanctions: Restrictive measures imposed by international organizations such as the United Nations or the FATF against non-compliant activities, aiming to limit financial activities with countries, entities, or individuals involved in illicit activities.

3. Basic Stages of the Self-Assessment 3.1 Risk Identification and Assessment a. Analysis of Products and Services Products and services provided directly by the entity affect their exposure to risks. Complex products, such as derivatives or high-risk cryptocurrencies, are examples, as they are difficult to understand or assess, increasing the probability of exploitation or misuse for illicit activities such as money laundering. Product Risks: • Products with high potential for misuse. b. Analysis of Customers Certain customer categories are considered high-risk. High-risk categories include: • Politically Exposed Persons (PEPs): Individuals holding important or influential public positions, who may be exposed to risks of corruption or embezzlement of public funds. • Customers subject to sanctions: Entities or individuals listed on international sanctions lists. c. Analysis of Geographic Areas Some geographic areas are considered high-risk due to weak cooperation with international authorities or political instability. For example, countries listed on the black or grey lists of the Financial Action Task Force (FATF) require a high degree of vigilance and continuous monitoring.

3.2 Review of Policies and Procedures a. Documentation Written policies are official documents that define the internal rules and guidelines of the institution. These documents must be clear, easily accessible, and regularly updated to align with regulatory and legal developments. b. Regulatory Compliance The Obliged Entity must fully comply with legal or regulatory requirements. Regulatory gaps occur when the entity fails to comply, which is necessary to avoid penalties or damage to the institution's reputation. Identifying these gaps is essential.

3.3 Compliance with "Know Your Customer" (KYC) and "Customer Due Diligence" (CDD) Procedures a. Initial Customer Identification This involves collecting information about the customer and verifying it when establishing a business relationship, including official documents such as passports or identity cards. b. Continuous Review This includes periodically updating customer data and monitoring any fundamental changes, such as changes in economic activity or the emergence of unusual financial behaviors.

3.4 Monitoring of Financial Transactions a. Detection Tools The following tools use algorithms to analyze transactions and detect unusual patterns. For example, an unusually high-value financial transaction may trigger an automatic alert. b. Reporting to Competent Authorities Reporting refers to notifying competent authorities (such as the Financial Intelligence Unit – CTRF) upon discovering suspicious activity. The reporting process must be carried out within the legal timeframe to avoid exposure to penalties.

4. Documentation and Final Report The final report must include: 4.1 Summary of Results: A brief overview of the strengths and weaknesses identified during the assessment process. 4.2 Corrective Action Plan: Defining precise procedures to address deficiencies, with specified deadlines for implementation. 4.3 Supporting Evidence and Documents: Providing concrete examples (such as screenshots or internal audit reports) to support the results and conclusions reached.

5. Continuous Follow-up and Improvement Follow-up involves monitoring the implementation of corrective measures and ensuring their effectiveness. Improvement consists of regularly reviewing adopted policies and procedures to keep pace with regulatory changes and new challenges and risks.

Issued in Algiers on October 22, 2025 The President Youssef Bouznada