2026-05-20

Gibraltar FSC AML/CFT/CPF Guidance Notes: Customer Due Diligence

The Gibraltar Financial Services Commission issues guidance requiring regulated entities to implement risk-based customer due diligence measures to identify customers and beneficial owners. The document mandates verification prior to establishing business relationships, with specific thresholds for occasional transactions and provisions for post-establishment verification in limited circumstances. It further details requirements for assessing natural and corporate customers, determining source of funds, and applying simplified or enhanced due diligence based on risk factors.


5. Customer Due Diligence
AML/CFT/CPF Guidance Notes, May 2026
www.gfsc.gi

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes

Table of Contents

5.1 Knowing Your Customer (p. 4)
5.2 Risk-Based Approach to Due Diligence (p. 5)
5.3 Timing of Verification (p. 6)
  5.3.1 Linked Transactions (p. 7)
  5.3.2 Transaction Threshold Applicable to Bureaux de Change (p. 7)
  5.3.3 Identification of Customers & Beneficiaries Post-Establishment of a Business Relationship (p. 7)
5.4 Natural Persons (p. 8)
  5.4.1 Beneficial Ownership of Natural Persons (p. 8)
  5.4.2 Application of Identity Verification Measures (p. 9)
  5.4.3 Alternate Forms of Identity Verification (p. 9)
  5.4.4 Pooled Accounts & Funds (p. 10)
  5.4.5 Face-to-face vs. Non-face-to-face Interactions (p. 10)
  5.4.6 Electronic Identity Verification Measures (p. 11)
5.5 Corporate Customers (p. 12)
  5.5.1 Identification of Ownership & Control (p. 13)
  5.5.2 Beneficial Ownership of Corporate Entities (p. 13)
  5.5.3 Beneficial Ownership of Trusts & Similar Legal Arrangements (p. 14)
  5.5.4 Publicly Listed Entities (p. 14)
  5.5.5 Protected Cell Companies (“PCCs”) (p. 15)
  5.5.6 Limited Partnerships (“LPs”) & Limited Liability Partnerships (“LLPs”) (p. 15)
  5.5.7 Clubs, Societies & Management Companies (p. 16)
  5.5.8 Charities & Non-Profit Organisations (“NPOs”) (p. 16)
  5.5.9 Nominee Shareholdings & Directorships (p. 16)
  5.5.10 Bearer Shares (p. 16)
5.6 Exercising Control via Other Means (p. 17)
5.7 Certification of Documents (p. 18)
5.8 Reliance (p. 18)
5.9 Accounts & Products That Facilitate Anonymity (p. 19)
5.10 Determination of Source of Funds & Wealth (p. 20)
  5.10.1 Source of Funds & Wealth (p. 20)
  5.10.2 Identification of Source of Funds & Wealth (p. 20)
  5.10.3 Independent Verification of Source of Funds & Wealth (p. 21)
  5.10.4 Establishing Source of Wealth & Funds of Corporate Customers (p. 23)
5.11 Acquisitions of Business (p. 23)
5.12 Simplified Due Diligence Measures (p. 24)
  5.12.1 Application of Simplified Due Diligence (“SDD”) Measures (p. 24)
  5.12.2 Customer Risk Factors (p. 24)
  5.12.3 Product, Service, Transaction or Delivery Channel Risk Factors (p. 24)
  5.12.4 Geographical Risk Factors (p. 25)
  5.12.5 Natural Persons (p. 25)
  5.12.6 Legal Entities, Legal Arrangements or similar (collectively known as “Legal Entities” or “Corporate Entities”) (p. 25)
5.13 Enhanced Due Diligence (“EDD”) Measures (p. 27)
  5.13.1 Customer Risk (p. 28)
  5.13.2 Product, Service, Transaction & Delivery Channel Risk (p. 28)
  5.13.3 Geographical Risk (p. 29)
  5.13.4 Additional Risk Factors (p. 29)
  5.13.5 Politically Exposed Persons (PEPs) (p. 29)
  5.13.6 National Risk Assessment (p. 29)
  5.13.10 Application of Enhanced Due Diligence Measures (p. 30)
  5.13.11 Senior Management Approval (p. 31)
  5.13.12 Enhanced ongoing monitoring of the business relationship (p. 31)
5.14 Sanctions Screening (p. 31)
5.15 Wire Transfers (p. 32)
5.16 The Travel Rule (p. 34)
5.17 Artificial Intelligence (p. 39)

5.1 Knowing Your Customer

AML/CFT/CPF Requirements

R12 A regulated entity must take appropriate measures to identify and verify the subject of a business relationship or occasional transaction. The application of these measures must be in line with the risk profile of that customer.

Guidance

1. Ensuring that there is a robust understanding of each business relationship underpins all AML/CFT/CPF-related efforts and controls and is the primary defence against a regulated entity’s susceptibility to financial crime. The application of customer due diligence measures affords assurance to a regulated entity that the subject of a business relationship or occasional transaction is who they say they are. This in turn allows the regulated entity to determine whether it is appropriate to provide them with the product or service in question.

2. Section 11 of POCA requires a regulated entity to apply customer due diligence measures prior to the establishment of a business relationship or occasional transaction. These measures must be applied to the subject of the relationship/transaction, i.e. the customer and all beneficial owner(s) of the customer[1]. A regulated entity must also consider, where appropriate, whether any additional parties may also be considered to form part of the subject of the relationship/transaction, such as in the case of:
a) Any person acting or purporting to act on behalf of the customer/beneficial owner (for example, the guardian of a natural person, an authorised signatory, persons to whom powers of attorney have been granted, or the directors/senior managers acting on behalf of a legal entity); or
b) Any other person who is acting on behalf of the customer/beneficial owner.

3. As set out under POCA, the application of customer due diligence measures includes understanding “the purpose and nature of the business relationship or occasional transaction”[2]. In order to truly understand the proposed relationship to be held with a prospective customer, a regulated entity must have a robust awareness of the purpose for which that customer has decided to engage with the entity and its product offering. When afforded sufficient context, the purpose of a business relationship may have a significant impact on the perceived level of risk posed by a customer, or may lead a regulated entity to determine that it no longer wishes to continue establishing the business relationship or carrying out the occasional transaction.

4. In order to fully know a customer and understand the purpose and nature of a business relationship, a regulated entity must ensure that that customer is not subject to financial sanctions. This is achieved through screening each customer against the applicable sanctions lists[3]. In Gibraltar, the following sanctions lists apply directly under the Sanctions Act 2019[4]:
• United Nations;
• European Union;
• United Kingdom; and
• Gibraltar.

[1] Section 10, Proceeds of Crime Act 2015
[2] Section 10(d), Proceeds of Crime Act 2015
[3] Section 8(3), Sanctions Act 2019
[4] Section 6(2), Sanctions Act 2019

5. For further guidance on sanctions screening requirements, please refer to the “Policies, Procedures & Controls” section of these Guidance Notes. In addition to sanctions designations, regulated entities should also consider whether there is any adverse media or open source information on a customer which would impact its assessment of the level of risk posed to the firm by a business relationship.

6. Failing to gather information about the purpose and nature of a business relationship or occasional transaction, based on the type of transaction or product/service in question, may expose a regulated entity to undue levels of risk. In cases of potential ambiguity, a regulated entity should consider collecting further information and/or documentation, or employing specific measures, to ensure that a full understanding is achieved and documented.

5.2 Risk-Based Approach to Due Diligence

7. The identity of the customer, including the beneficial owner(s), must always be verified to some extent. The application of customer due diligence measures must be risk-based, meaning that the extent of verification required should be determined by the level of ML, TF and PF risk posed by the customer[5]. A robust assessment of the level of risk posed by a prospective customer will allow a regulated entity to determine whether it is appropriate to, for example, apply simplified due diligence measures, or conversely, whether enhanced due diligence may be required. For further guidance on the assessment of the ML, TF & PF risks posed by prospective customers, please refer to the “Customer Risk Assessment” section of these Guidance Notes.

8. There is no prescriptive approach to the application of due diligence measures and controls. In assessing the risk of each prospective customer, a regulated entity must determine the appropriate level of documentation/verification required. In practice, these measures should ensure that the regulated entity identifies and verifies, on a risk-sensitive basis:
a) The identity of the customer (and its beneficial owners);
b) The ownership and control structure of the customer (in the case of corporates and legal entities);
c) The economic profile of the customer (and its beneficial owners); and
d) The purpose and nature of the business relationship.

9. Following the initial on-boarding of a new business relationship, a regulated entity must continue to consider, on an ongoing basis, whether any additional identification/verification measures are necessary. Where there are any changes in circumstances associated with a customer, this may prompt a regulated entity to apply additional due diligence measures in line with any perceived increased risks. The frequency at which the risk profile of a customer (and, by extension, the appropriateness of the identification/verification measures applied to date) is reviewed on an ongoing basis should be determined by the customer’s risk profile.

10. Figure 1 below visually demonstrates the relationship between the customer risk assessment and the application of a risk-based approach to due diligence measures.

[5] Section 10(e), Proceeds of Crime Act 2015

Figure 1 – The application of a risk-based approach to customer due diligence measures. (Figure not reproduced.)

5.3 Timing of Verification

AML/CFT/CPF Requirements

R13 A regulated entity must apply customer due diligence measures prior to the establishment of a business relationship or occasional transaction[6].

[6] Section 13, Proceeds of Crime Act 2015

Guidance

5.3.1 Linked Transactions

11. In order to understand a customer and assess the level of ML, TF & PF risk posed by that customer, a regulated entity must apply customer due diligence measures prior to the establishment of a business relationship or completing an occasional transaction. With regard to occasional transactions, verification of identity is not required in the case of any transactions (whether single or linked) that are:
a) Below 15,000 EUR[7];
b) In the case of persons trading in goods whose transactions are carried out in cash, below 10,000 EUR[8]; and/or
c) In the case of transactions involving virtual assets, below 1,000 EUR[9].

12. Where multiple small transactions are made by the same party (and are therefore linked), a regulated entity must pay due regard to whether the total sum of the transactions is set to breach any of the thresholds referenced above. If so, the regulated entity must apply customer due diligence measures in line with the assessed risk profile of that customer prior to carrying out the occasional transaction.

5.3.2 Transaction Threshold Applicable to Bureaux de Change

Sector-Specific Guidance – Bureaux de Change

13. In the case of Bureaux de Change activities, the occasional transaction threshold at which due diligence measures must be applied is reduced to 5,000 EUR.

5.3.3 Identification of Customers & Beneficiaries Post-Establishment of a Business Relationship

14. There may be exceptional cases where a regulated entity is unable to verify the identity of a customer prior to the establishment of a business relationship. In limited extenuating circumstances, it may be permissible to complete such verification during the establishment of the relationship[10]. This may only be undertaken, however, where:
a) It is necessary in order not to interrupt the normal conduct of business (e.g. in an instance where a regulated entity is required to perform transactions rapidly in accordance with market conditions);
b) There is little risk of ML, TF or PF occurring; and
c) The verification is completed as soon as practicable after contact is first established.

15. Undertaking identity verification following the establishment of a business relationship can introduce a significant level of risk to the operations of a regulated entity. Regulated entities must therefore take all necessary steps to ensure that this is avoided as far as possible. Where the exemption afforded under Section 13(4) of POCA is applied, regulated entities must thoroughly document the rationale for allowing the business relationship to be established in accordance with the criteria set out above, together with any additional mitigating measures that have been applied.

[7] Section 11(1)(b), Proceeds of Crime Act 2015
[8] Section 11(1)(ba), Proceeds of Crime Act 2015
[9] Section 11(1)(g), Proceeds of Crime Act 2015
[10] Section 13(4), Proceeds of Crime Act 2015
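As an added illustration of the linked-transaction rule in paragraphs 11 to 13 (example code, not part of the Guidance Notes or any GFSC system), the following check aggregates occasional transactions per customer against the stated EUR thresholds and flags the transaction at which CDD must be applied before proceeding. It assumes that transactions are “linked” when they come from the same customer in the same transaction category, that CDD is applied as soon as a transaction is flagged, and the category labels and sample transactions are constructed.

```python
"""Linked-transaction threshold check for occasional transactions.

Added example, not GFSC code. Assumptions: transactions are linked when they
share customer and category; once a customer is flagged, CDD is applied and
later transactions from that customer are no longer flagged.
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds (EUR) below which identity verification is not required for an
# occasional transaction (paragraphs 11 and 13). Category labels are assumed.
THRESHOLDS_EUR = {
    "general": 15_000,          # Section 11(1)(b) POCA
    "cash_goods": 10_000,       # persons trading in goods, paid in cash
    "virtual_asset": 1_000,     # transactions involving virtual assets
    "bureau_de_change": 5_000,  # sector-specific reduced threshold
}


@dataclass(frozen=True)
class Transaction:
    customer_id: str
    category: str       # one of the keys of THRESHOLDS_EUR
    amount_eur: float


class LinkedTransactionMonitor:
    """Keeps running totals per (customer, category) and decides whether CDD
    must be applied before a given transaction is carried out (paragraph 12)."""

    def __init__(self) -> None:
        self._totals = defaultdict(float)
        self._cdd_applied: set[str] = set()

    def requires_cdd(self, tx: Transaction) -> bool:
        """True if completing tx would bring the linked total for this
        customer/category to the applicable threshold or above and the
        customer has not yet been subject to CDD."""
        if tx.category not in THRESHOLDS_EUR:
            raise ValueError(f"unknown transaction category: {tx.category}")
        key = (tx.customer_id, tx.category)
        self._totals[key] += tx.amount_eur
        if tx.customer_id in self._cdd_applied:
            return False
        return self._totals[key] >= THRESHOLDS_EUR[tx.category]

    def record_cdd(self, customer_id: str) -> None:
        """Record that CDD has been applied to the customer."""
        self._cdd_applied.add(customer_id)


def screen(transactions: list[Transaction]) -> list[int]:
    """Return the indices of transactions that must not proceed until CDD has
    been applied, assuming CDD is carried out as soon as a flag is raised."""
    monitor = LinkedTransactionMonitor()
    flagged = []
    for index, tx in enumerate(transactions):
        if monitor.requires_cdd(tx):
            flagged.append(index)
            monitor.record_cdd(tx.customer_id)
    return flagged


# Constructed sample: three small payments from A that together exceed
# 15,000 EUR, two virtual-asset transactions from B totalling 1,100 EUR,
# two bureau-de-change exchanges from C totalling exactly 5,000 EUR, a single
# 10,000 EUR cash purchase by D, and a later payment from A after CDD.
SAMPLE_TRANSACTIONS = [
    Transaction("A", "general", 6_000.0),           # 0
    Transaction("A", "general", 6_000.0),           # 1  total 12,000
    Transaction("A", "general", 4_000.0),           # 2  total 16,000 -> flag
    Transaction("B", "virtual_asset", 600.0),       # 3
    Transaction("B", "virtual_asset", 500.0),       # 4  total 1,100 -> flag
    Transaction("C", "bureau_de_change", 4_999.0),  # 5
    Transaction("C", "bureau_de_change", 1.0),      # 6  total 5,000 -> flag
    Transaction("D", "cash_goods", 10_000.0),       # 7  single, at threshold -> flag
    Transaction("A", "general", 100.0),             # 8  A already verified -> no flag
]

if __name__ == "__main__":
    for i in screen(SAMPLE_TRANSACTIONS):
        tx = SAMPLE_TRANSACTIONS[i]
        print(f"apply CDD before tx {i}: customer {tx.customer_id}, "
              f"{tx.category}, {tx.amount_eur:,.2f} EUR")
```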

Sector-Specific Guidance – Life Assurance Providers, Pension Service Providers & Insolvency Practitioners

16. There may be exceptional cases where a regulated entity is unable to identify and verify the beneficiary of a business relationship at the point of establishment, for example, beneficiaries of life assurance, pension schemes and other investment-related insurance policies. In such cases, the provider in question would be required to verify the identity of the beneficiaries at the point of pay-out[11]. In doing so, the regulated entity must pay due regard to:
a) Any additional ML, TF or PF risks posed by the beneficiaries; and
b) Ensuring that the beneficiaries are not named terrorists, or subject to any sanctions designations, at the point of pay-out.

Sector-Specific Guidance – Insolvency Practitioners

17. In the case of insolvency practitioners, where due diligence measures cannot be completed prior to the initiation of the business relationship (such as where an appointment is made at a Decision Procedure or by Court Order), reliance may be placed, in part, on the order of appointment by the Court. Nevertheless, the insolvency practitioner must complete the appropriate level of due diligence as soon as possible. It is expected that the due diligence process would be commenced no later than five working days following the date of appointment.

Sector-Specific Guidance – Credit Institutions

18. In the case of credit institutions, the verification of the identity of a bank account holder may take place after the bank account has been opened, so long as there are adequate safeguards in place to ensure that[12]:
a) The account is not closed; and
b) Transactions are not carried out by or on behalf of the account holder (including any payment from the account to the account holder) before verification has been completed.

5.4 Natural Persons

Guidance

5.4.1 Beneficial Ownership of Natural Persons

19. In the case of natural persons, POCA defines beneficial ownership as follows[13]:
a) Where a person is conducting a transaction or activity on his own behalf, the natural person; or
b) Where a transaction or activity is being conducted on behalf of another person, the person on whose behalf the transaction or activity is being conducted.

20. When engaging in business relationships or occasional transactions with natural persons, a regulated entity must ensure that it has identified all relevant subjects, in line with the provisions set out above.

[11] Section 13(3), Proceeds of Crime Act 2015
[12] Section 13(5), Proceeds of Crime Act 2015
[13] Section 7(1A)(a), Proceeds of Crime Act 2015

5.4.2 Application of Identity Verification Measures

21. It is ultimately the responsibility of a regulated entity to determine what verification measures should be applied to its customers based on the level of risk posed. A regulated entity must maintain an appropriate audit trail documenting its assessment of the approach taken in each case of customer identification.

22. In order to verify the physical identity of an individual, a regulated entity is typically expected to request an official identification document, such as those included within the following non-exhaustive list:
• A passport, bearing a photograph of the natural person;
• A national identity card (or equivalent), bearing a photograph of the natural person; or
• A driving licence, bearing a photograph of the natural person.

23. The residence of an individual may have a significant impact on the level of ML, TF or PF risk that they pose. Aside from instances where simplified due diligence measures can be applied, a regulated entity is typically expected to request additional documentation to verify the residential address of its customers. The following are non-exhaustive examples of documentation that can be used to verify an individual’s residential address:
• A recent bank statement;
• A recent utility bill;
• A tenancy agreement; or
• Copies of correspondence with an independent source.

24. There is a wide range of documentation which may be provided to verify a customer’s identity or residential address. Each regulated entity must determine the appropriateness of any given document in light of its documented risk mitigation procedures and controls. Particular care should be taken in accepting documents that are particularly susceptible to forgery or which can be easily obtained using a falsified identity.

5.4.3 Alternate Forms of Identity Verification

25. Reliance on a strict set of identity verification documentation/measures may inadvertently exclude underserved groups from access to financial services. This financial exclusion may disproportionately impact disadvantaged groups, such as low-income earners, the socially vulnerable and residents/nationals of developing countries. The FATF’s guidance is clear that the application of a risk-based approach to financial crime prevention affords sufficient flexibility to allow robust AML/CFT/CPF controls to be applied without undermining financial inclusion objectives[14].

26. Where a regulated entity has exhausted its means of receiving standardised government-issued identity verification documentation (as set out within Section 5.4.2 above), it may rely on additional forms of documents, data or information. When assessing the validity of a particular alternative document or source, a regulated entity must thoroughly document its assessment, taking into account the following key factors:
a) The credibility of the issuing authority;
b) The presence of any security features or unique identifiers;
c) The consistency of the information presented across different data points within the document;
d) The availability of any potential means of authenticating or verifying the validity of the document;
e) The independence between the issuer and the customer;
f) Whether the geographical coverage of the document/source corresponds with what is understood of the customer;
g) Whether the original intent of the document/source corresponds with what is understood of the customer; and
h) The vulnerability of the document to potential forgery or alteration.

[14] FATF Guidance on AML & TF Measures & Financial Inclusion

5.4.4 Pooled Accounts & Funds

Sector-Specific Guidance – Credit Institutions

27. Credit institutions may accept pooled deposits which relate to the underlying customers of an account holder. Where the account holder in question is an entity regulated by the GFSC, due diligence need only be undertaken on the account holder itself (including any authorised signatories), and not on its underlying customers. This is on the basis that the account is only ever to be operated by the account holder and its signatories, and that no effective control over the account is to be held by the customer or any additional parties.

Sector-Specific Guidance – Experienced Investor Funds

28. In instances where nominee banks invest in EIFs on behalf of their clients, the regulated entity (e.g. the fund manager) does not need to identify or verify the underlying clients of the nominee bank.

29. The regulated entity must perform CDD on the nominee bank itself. This includes identifying and verifying the nominee bank in accordance with the regulated entity’s internal CDD procedures; the nominee bank must be treated as a customer in this regard.

30. If the nominee bank meets certain criteria outlined in Schedule 6 of POCA, the regulated entity is permitted to apply SDD measures. Where SDD measures are applied, these do not absolve the regulated entity from applying other requirements under POCA, such as ongoing monitoring and transaction monitoring requirements.
5.4.5 Face-to-face vs. Non-face-to-face Interactions

31. In cases where a business relationship or occasional transaction has been established on a face-to-face basis, a regulated entity will itself be able to check whether the likeness of the individual is in accordance with the photograph included within the submitted identity document. In the case of non-face-to-face business relationships, a regulated entity is unable to rely on any pre-identified knowledge of the likeness of the individual, thereby increasing the interface risk posed by the business relationship.

32. Any mechanism through which a customer interacts with a regulated entity in a non-face-to-face manner increases the regulated entity’s exposure to risk. As an example, this may lead to the obfuscation of the true subject of a business relationship/transaction through the provision of falsified identification documentation. Additional risk mitigation controls are therefore required to ensure adequate verification of the customer’s identity. These controls may include those provided within the following non-exhaustive list:
• Requesting additional verifying documents, data or information;
• Requesting a live image or “selfie” of the individual to assess their likeness against the submitted identity document;
• Requesting the certification of identity documents, asserting whether the photograph is a true likeness of the individual in question;
• Ensuring that the first payment received in respect of that business relationship/transaction is conducted through an account in the customer’s name within a regulated credit institution; or
• Sending information or documentation required to operate the business relationship/transaction to a physical address that has been verified.

5.4.6 Electronic Identity Verification Measures

33. The application of AML/CFT/CPF-related requirements is technologically neutral. When seeking to verify the identity of an individual, a regulated entity is able to make use of electronic means of verification, such as electronic databases and systems.

34. As stated within the “Customer Risk Assessment” section of the Guidance Notes, establishing a business relationship or occasional transaction through video call is considered to be equivalent to a face-to-face interaction. A regulated entity should, however, pay due care and diligence to the following factors when determining the suitability of a video call as a means of customer identity verification:
• The appropriateness and reliability of the video calling platform being used;
• The susceptibility of the video calling platform to any potential tampering;
• The strength of the internet connection and clarity of the image produced;
• The responsiveness of the individual to any questions posed during the video call;
• The speed and specificity of the answers received in response to any questions posed during the call;
• Whether the physical image produced is moving/speaking in accordance with the individual’s voice;
• Ensuring that the individual is unable to apply a “filter” over their image to obfuscate their appearance; and
• Ensuring that the image produced is not a pre-recorded video.

35. The use of third-party identity verification systems for non-face-to-face business relationships has increased significantly in recent years. The FATF has issued its own Guidance on Digital Identity, which regulated entities may find useful when determining the suitability of such an approach[15]. Examples of common models of electronic identification used during the customer due diligence process include:
a) The use of biometric analysis to compare the likeness of a live “selfie” of an individual to their photographic identification document;
b) The use of visual and informational analysis to assess whether an identification document is fraudulent or has been tampered with; and
c) The use of IP address identification to aid in verifying the residence of an individual.

36. When considering the use of a particular solution, a regulated entity should assess the extent to which the tool in question can address or exacerbate certain ML/TF/PF-related risks, such as:
• ICT and security risks;
• Qualitative risks;
• Legal risks; and
• Impersonation fraud risks.

[15] FATF Guidance on Digital Identity

37. When assessing ICT & security risks in particular, regulated entities may consider whether the solution in question is compliant with the relevant standards set by the International Organisation for Standardisation (“ISO”) together with the International Electrotechnical Commission (“IEC”). Relevant standards include:
• Identity proofing and enrolment of natural persons (ISO/IEC 29003:2018);
• Entity authentication assurance framework (ISO/IEC 29115:2013);
• Risk Management Guidelines (ISO 31000:2018);
• Biometrics (ISO/IEC JTC 1/SC 37); and
• Information security management systems (ISO/IEC 27001:2022).

38. A regulated entity that relies on external providers for the provision of such services remains ultimately responsible for meeting its ongoing obligations relating to customer due diligence. As with all outsourced relationships, the use of such providers should be assessed and conducted in line with the GFSC’s Outsourcing Guidance Note[16], with sufficient consideration given to ensuring there is adequate oversight of the relationship.

39. When selecting a particular provider (or changing providers), a regulated entity should conduct a thorough assessment of the appropriateness and reliability of the system, in line with the proposed use. This assessment should be formally documented. Providers which may be deemed appropriate for some regulated entities/products may be inappropriate for others, depending on a number of factors. As an example, the nature of a regulated entity’s customer base may mean that a particular system would be unsuitable (e.g. some systems may not recognise identity documents from certain jurisdictions).

40. Examples of the types of elements to consider when selecting a particular provider for customer identification purposes include:
• Whether the solution draws upon sufficient data points and sources;
• Whether the solution is transparent in the way that it communicates the checks that were carried out, the sources that are used, how it determines the results, and how reliable the results are;
• Whether the solution is appropriate given the business model of the regulated entity;
• What level of testing has been undertaken to assess the appropriateness of the solution prior to implementation; and
• What level and type of oversight would be considered appropriate over the solution.

5.5 Corporate Customers

AML/CFT/CPF Requirements

R14 In the case of customers which are legal entities, legal arrangements or similar (referred to collectively as “corporate entities” or “corporate customers”), a regulated entity must take appropriate measures to understand the ownership and control structure of the customer. This includes identifying and verifying (on a risk-sensitive basis) the identity of all relevant ultimate beneficial owners.

[16] GFSC Outsourcing Guidance Notes

Guidance

5.5.1 Identification of Ownership & Control

41. As stated above, the subject of every business relationship and occasional transaction includes both the customer and its beneficial owner(s). Understanding the ownership and control structure of a corporate customer is crucial in identifying the true subject of each relationship or transaction. Where the complexity of an ownership structure has no obvious legitimate or transparent purpose, this may itself be a red flag indicating obfuscation of the true ultimate beneficial owner(s).

42. As with individual customers or natural persons, it is the responsibility of the regulated entity to determine the extent of documentation and verification required of each prospective corporate customer. The following is a non-exhaustive list of documentation which may be used to verify the identity of a corporate entity:
  • The Certificate of Incorporation (or equivalent);
  • The Memorandum and Articles of Association or Incorporation (or equivalent);
  • The latest Audited Financial Statements;
  • The Register of Directors (or equivalent);
  • The Register of Shareholders (or equivalent); and
  • A Company Registry search extract.

43. There is a wide range of documentation which may be provided to verify a corporate entity’s identity. A regulated entity must determine the appropriateness of any given document in light of its documented risk mitigation procedures and controls. Particular care should be taken before accepting documents which can be easily falsified.

44. In addition to the above, where the corporate entity is subject to registration of beneficial ownership information within its country of establishment, the regulated entity must collect proof of registration or an excerpt from the relevant register confirming registration[17]. Where the content of the register is not publicly available, the regulated entity should request documentary proof of registration from the corporate customer.

[17] Section 11(4A), Proceeds of Crime Act 2015

5.5.2 Beneficial Ownership of Corporate Entities

45. The term “beneficial owner” is defined under Sections 7(1A) to (1C) of POCA. In the case of a corporate entity, this is defined as:
  a) The natural person who ultimately owns or controls the corporate entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity, including through bearer shareholdings;
  b) If, after having exhausted all plausible means,
    i. There is doubt as to whether the person identified under sub-paragraph (a) is the beneficial owner; or
    ii. No person under sub-paragraph (a) is identified,
  the natural person exercising control via other means;
  c) If, after having exhausted all possible means,
    i. There is doubt as to whether the person identified under sub-paragraph (b) is the beneficial owner; or
    ii. No person under sub-paragraph (b) is identified,
  the person specified under sub-paragraph (d);

  d) For the purposes of sub-paragraph (c), the person is:
    i. If the company or legal entity is ultimately owned or controlled, through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity (including through bearer shareholdings), by a Listed Entity or a majority-owned subsidiary of a Listed Entity, the Listed Entity (for further guidance on Listed Entities, please refer to Section 5.5.4); and
    ii. In all other cases, the natural person who holds the position of senior managing official.

46. POCA dictates that the ownership threshold which constitutes a “sufficient percentage of the shares or voting rights” as set out in sub-paragraph (a) above is 25%. This applies regardless of whether the share or ownership interest is held directly in the corporate customer or indirectly through additional layers of ownership.

47. When identifying and verifying the beneficial owner(s) of any form of corporate entity, the same due diligence requirements apply as in the case of customers that are natural persons.

5.5.3 Beneficial Ownership of Trusts & Similar Legal Arrangements

48. In the case of trusts, beneficial ownership is defined as[18]:
  a) The settlor or settlors;
  b) The trustee or trustees;
  c) The protector or protectors, if any;
  d) The beneficiaries or, where the individuals benefiting from the trust have yet to be determined, the class of persons in whose main interest the trust is set up or operates; and
  e) Any other natural person exercising ultimate control over the trust by means of direct or indirect ownership or by other means.

[18] Section 7(1A)(d), Proceeds of Crime Act 2015

49. In the case of other legal entities or arrangements similar to trusts, such as foundations, beneficial ownership refers to the natural person(s) holding equivalent or similar positions to those referred to above, such as[19]:
  a) The founder;
  b) The foundation councillors;
  c) The guardian, if any;
  d) The beneficiaries; and
  e) Any other natural person exercising control over the foundation or similar legal arrangement.

[19] Section 7(1A)(d), Proceeds of Crime Act 2015

50. Where any of the beneficial ownership roles or functions listed above is held by a corporate entity, Section 5.5.2 applies in identifying that entity’s beneficial owner(s).

5.5.4 Publicly Listed Entities

51. In the case of publicly listed entities (as defined under Section 7(1) of POCA), no further steps are required to determine beneficial ownership of the entity. As set out under POCA, the beneficial owner of a publicly listed entity is the entity itself[20]. This concession afforded to listed entities, however, only applies to bodies corporate with shares admitted to trading on a regulated market[21]:
  a) In Gibraltar;
  b) In the European Economic Area; or
  c) Listed in Schedule 9 of POCA.

[20] Section 7(1A)(b), Proceeds of Crime Act 2015
[21] Section 7(1), Proceeds of Crime Act 2015

52. If an entity is listed on a market which does not fall within the above definition, it cannot be treated as a publicly listed entity for the purposes of applying customer due diligence measures. All of its beneficial owners must therefore be identified (and, where necessary, verified) in accordance with the measures applicable to all other corporate entities.

53. When dealing with publicly listed entities, a regulated entity should record the entity’s listing within the public register of the regulated market in question.

5.5.5 Protected Cell Companies (“PCCs”)

54. A PCC is a legal vehicle in which multiple ‘cells’ form part of a single legal entity together with a ‘core’. A PCC can create an unlimited number of cells, each with segregated assets and liabilities. When conducting due diligence on a PCC, a regulated entity must take all cells into consideration. Likewise, when determining beneficial ownership of a PCC, a regulated entity must consider:
  • The ownership structure of each particular cell; and
  • The ownership structure of the core.

55. Since a PCC forms a single collective legal entity, both the core and each cell must be taken into account in understanding the control structure. This is to prevent an individual from concealing their beneficial ownership in the entity by spreading their shares across a number of different cells. The same requirements apply in relation to establishing beneficial ownership for PCCs as for other corporate entities, as set out under Section 6.4.2.

5.5.6 Limited Partnerships (“LPs”) & Limited Liability Partnerships (“LLPs”)

56. Both LPs and LLPs have a legal personality separate from that of their individual partners. In the absence of a share threshold, it is necessary to identify those individuals who hold control over the partnership’s operations. In the case of an LP, for example, the potential influence or control exerted by a general partner is generally considered greater than that of a limited partner. Exerting significant influence over a partnership arrangement could include (but is not limited to):
  a) Holding the right to appoint or remove a partner;
  b) Holding the right to direct or veto the investment decisions, profit share or capital returns of the partnership’s funds or assets; or
  c) Holding the right to dissolve or convert the partnership.

57. All individuals identified as holding ownership or control over a partnership must be verified in line with the due diligence requirements applied to individual customers. Where the identified partner is not a natural person, steps should be taken to identify and verify the beneficial ownership of that entity in line with the relevant requirements outlined above.

58. Where a formal partnership agreement exists, a mandate from the partnership, authorising the opening of an account with the regulated entity in question and conferring authority on those who will operate it, should be obtained.

5.5.7 Clubs, Societies & Management Companies

59. When applying customer identification measures to clubs, societies or management companies, a regulated entity must seek to identify and, on a risk-based approach, verify the officers of the entity who have authority over any funds or assets. A regulated entity must also take appropriate measures to be reasonably satisfied that the individual(s) in question are appropriately authorised by the club, society or management company.

5.5.8 Charities & Non-Profit Organisations (“NPOs”)

60. Charities and NPOs form a crucial part of the global economy through their efforts in aiding those in need worldwide. It is well known, however, that such organisations are particularly vulnerable to exploitation by criminal actors, including terrorists and terrorist organisations. The risk of a charity or NPO being used to disguise the raising and distribution of funds for criminal or terrorist activity is of particular concern where the charity/NPO has connections with high-risk jurisdictions.

61. Most jurisdictions require charities/NPOs to be publicly registered. The formal registration of a charity/NPO may give a regulated entity some indication of the legitimacy of its operations. This does not, however, eliminate the risk of the charity/NPO being used as a front for raising capital for illicit purposes.

62. Where the charity/NPO is a corporate entity, it is likely that no single individual will be deemed to hold beneficial ownership as a result of shareholding or ownership interest. In such cases, in accordance with POCA, the senior managing official would be considered the beneficial owner[22]. This individual must be subject to due diligence measures in line with those set out above for natural persons.

[22] Section 7(1A)(c)(iv)(a), Proceeds of Crime Act 2015

5.5.9 Nominee Shareholdings & Directorships

63. Nominee shareholdings and nominee directorships are facilities that introduce complexity to the ownership and control structure of a corporate entity. A regulated entity must have controls in place to identify and assess cases where nominee shareholdings or directorships have been misused as a means to obfuscate the true beneficial ownership of the entity.

64. The existence of nominee shareholders or directors within the control/ownership structure of a corporate entity will typically increase the level of customer risk posed by that business relationship and, as a result, may warrant the application of enhanced due diligence measures. For the purposes of identifying beneficial ownership, a nominee shareholder or director is not considered a beneficial owner of a corporate entity. A regulated entity must identify the true beneficial owner(s) by considering:
  a) The person(s) from whom the nominee director(s) take instructions; and/or
  b) The person(s) for whom the nominee shareholder(s) hold the shares or interests.

5.5.10 Bearer Shares

65. A bearer share, or bearer share warrant, is a physical document that entitles its holder to rights of ownership or title to an underlying property, asset or entity. In such cases, ownership or control depends on physical possession of the bearer share document. Beneficial ownership can therefore easily change hands from one individual to another without the awareness or knowledge of the regulated entity.

66. The use of bearer shares introduces a significant level of anonymity, which may be misused by those seeking to use corporate entities as vehicles for illicit activity. As a result, the issuance of new bearer shares is prohibited in Gibraltar. The existence of bearer shares within the ownership structure of a corporate customer also warrants the application of enhanced due diligence measures. Such shares must be subject to either conversion or immobilisation.

67. Where a particular transaction involves bearer instruments, verification evidence must be obtained and recorded for the following transactions:
  a) Bearer shares converting to registered form; and
  b) Surrender of coupons for payment of a dividend, bonus or capital event.

5.6 Exercising Control via Other Means

68. In cases where:
  a) There is doubt whether the natural person identified by way of shareholding/ownership as the beneficial owner of a corporate entity (as set out above) is the true beneficial owner; or
  b) No individual has been identified as the beneficial owner;
beneficial ownership may be attributed to “the natural person exercising control via other means”[23].

[23] Section 7(1A)(c)(i)(b)

69. Identifying such instances in practice is likely to pose a significant level of difficulty and must therefore be considered on a case-by-case basis. Examples of such instances include:
  a) Where a natural person with controlling levels of shareholding/ownership is influenced or dominated by another individual into relinquishing functional control (e.g. by way of a close personal relationship);
  b) Where a natural person is afforded additional legal powers over a corporate entity allowing them to impact decisions taken by those with controlling levels of shareholding/ownership (e.g. by way of a legal contract, such as a management or service agreement);
  c) Where a natural person is afforded the power to appoint the majority of an entity’s senior management, directly or indirectly (e.g. if the power is vested in a company which is in turn wholly owned by an individual);
  d) Where different voting rights are applied to shareholdings, affording a minority shareholder control over the entity;
  e) Where the provisions of a debt instrument, or other financial arrangement, afford a natural person (e.g. a lender or creditor) control over a legal entity (such as where debt is convertible into voting equity); or
  f) Where a natural person exercises substantial control over a legal entity such that they are responsible for the strategic decisions that fundamentally affect the business practices or operations of the legal entity.

70. Depending on the particulars of a business relationship and the level of influence/control held by the legal entity’s management body, key executives (such as a corporate customer’s directors) may be deemed to fall within the criteria of sub-paragraph (f) above. A regulated entity must therefore consider whether it should undertake due diligence on such individuals in accordance with both the level of perceived control that they hold and the wider risk-based approach.

5.7 Certification of Documents

71. Where copies of documentation requested as part of a regulated entity’s verification measures are provided in place of true originals, a standard mechanism adopted to mitigate the risk of tampering or falsification is to request that the copy be certified by a suitable professional. When assessing the suitability of a potential certifier, a regulated entity should consider a variety of factors, including whether they are:
  • In any way connected to or affiliated with the natural person or corporate entity which is seeking certification;
  • Based in a jurisdiction with an effective AML/CFT/CPF regime (which does not have a propensity for corruption);
  • Of a suitable reputation, and have not been subject to any enforcement, supervisory, legal or civil action or similar; and
  • Of a suitable professional background, such as where they are:
    o An accredited member of a professional body; or
    o In a public position subject to high levels of trust.

72. When certification of an identity document is sought by a regulated entity, the regulated entity should ensure that the following information is included within the certification provided:
  • The name of the certifier;
  • The professional position held by the certifier; and
  • A method of contact for the certifier.

73. In the case of business relationships or occasional transactions commenced on a non-face-to-face basis, a regulated entity may request certified identity documents to assure itself that the customer is the true owner of the document. In such cases, a certifier should confirm in writing that the photograph included within the identity document is a true likeness of the individual in question.

5.8 Reliance

74. Where a business relationship or occasional transaction is introduced to a regulated entity via an introducer, the regulated entity is still required to conduct appropriate due diligence measures in line with the assessed risk profile. The exception to this is in the case of relationships/transactions introduced by an eligible introducer[24].

75. To be an eligible introducer, a third party must meet all five of the following conditions:

  1. It must be regulated by the GFSC (or an equivalent supervisory authority if it carries out business outside of Gibraltar);
  2. It must be subject to equivalent AML/CFT/CPF-related legislative and regulatory requirements;
  3. It must be based in Gibraltar or a country with an equivalent AML/CFT/CPF regime;
  4. There must be no secrecy or other obstacles which would prevent the Gibraltar regulated entity from obtaining the original without delay when required; and
  5. It must consent to being relied upon.

[24] Section 23, Proceeds of Crime Act 2015

76. Section 23(2) of the Proceeds of Crime Act 2015 further expands upon the types of entities that may be relied upon for due diligence purposes. These are[25]:
  a) Credit or financial institutions (as defined under POCA[26]);
  b) Auditors;
  c) Insolvency Practitioners;
  d) External accountants;
  e) Tax advisors; and
  f) Independent legal professionals supervised for AML/CFT/CPF purposes.

[25] Section 23(2), Proceeds of Crime Act 2015
[26] Section 7, Proceeds of Crime Act 2015

77. Where an introducer satisfies all four of the criteria listed above, a regulated entity may place reliance on the customer identification measures carried out by the eligible introducer, and request copies of such documentation only when necessary. For each business relationship where reliance is placed, the introducer must complete the Eligible Introducer Certificate (“F1 Certificate”) available for download on the GFSC website[27]. This certificate must be held by the regulated entity in line with record-keeping requirements.

[27] Eligible Introducer (F1) Certificate, available under the “Forms” tab.

78. Where the regulated entity is required to evidence the application of customer identification measures, the eligible introducer must be able to produce the relevant documentation without delay. When assessing the eligibility of an introducer, a regulated entity must ensure that the introducer complies with AML/CFT/CPF-related requirements which are at least equivalent to those set out locally. In the case of record-keeping requirements, for example, the regulated entity must ensure that the introducer will retain records of customer identification documentation in line with the requirements set out under POCA and that the regulated entity may access those records at any time.

5.9 Accounts & Products That Facilitate Anonymity

79. The provision of any form of anonymous account, or of products that facilitate anonymity, poses a significant level of ML, TF and PF risk and is therefore not permitted under POCA or these Guidance Notes. A regulated entity must always seek to identify and verify the identity of its customers, as well as the beneficial owners of those customers.

Sector-Specific Guidance – Virtual Asset Service Providers

80. Virtual Asset Service Providers (“VASPs”) (including Distributed Ledger Technology providers) should be aware of the ML/TF/PF risks that certain products and services pose as a result of their ability to obfuscate the identity of the parties involved in a transaction.

81. Privacy-enhancing assets or protocols allow for the concealment of information typically present in a transaction, which facilitates the non-disclosure of user identity. This allows for the obfuscation of the identity of the sender, recipient, holder and/or beneficial owner of the virtual assets in question. For this reason, the GFSC does not permit the use of privacy-enhancing protocols, or the listing/sale of privacy-enhancing assets which have had their privacy-enhancing capabilities enabled.

82. Virtual asset mixing/tumbling services allow various transactions to be pooled together in order to obfuscate the origin of particular virtual assets, allowing for increased anonymity. These techniques are typically associated with obscuring the identification of “tainted” assets associated with illicit flows or services. For this reason, the GFSC considers the provision of such services to fall outside of its risk appetite; they are, therefore, not permitted.

83. For further information on the scope of the VASP registration regime, and those VA activities deemed to fall outside of the risk appetite of the GFSC, please refer to the GFSC’s VASP Registration Framework Scope Guidance Note[28]. Further information on the DLT Framework can also be found on the “Distributed Ledger Technology Providers” section of the GFSC website[29].

[28] Virtual Asset Service Provider Registration Framework Scope Guidance Note
[29] GFSC Website – Distributed Ledger Technology Providers

5.10 Determination of Source of Funds & Wealth

AML/CFT/CPF Requirements

R15 A regulated entity is required to apply a risk-based approach to the establishment and verification of the source of funds and wealth of its customers, as well as of the beneficial owners behind corporate customers. In the case of customers that do not pose a high level of ML, TF or PF risk, a regulated entity must, as a minimum, assess and document the source of wealth and/or funds to a level that is both plausible and verifiable.

R16 In cases of higher risk, a regulated entity is required to seek independent verification of the source of funds and wealth of its customers, as well as of the beneficial owners behind corporate customers.

Guidance

5.10.1 Source of Funds & Wealth

84. In accordance with Section 10(f) of POCA, the application of customer due diligence measures includes “taking a risk-based approach to the verification of source of funds and wealth of a customer and the beneficial owners”. Understanding the monetary sources associated with a business relationship is crucial not only in forming an understanding of the level of risk posed by a specific customer but also in assessing their overall economic profile. It is with this economic profile in mind that all activity undertaken throughout a business relationship must be scrutinised to aid in the identification of any potentially suspicious activity.

85. In order to undertake a robust assessment, a regulated entity must first understand the distinction between source of funds and source of wealth. The FATF defines source of funds as “the origin of the funds or assets which are the subject of the business relationship between the firm and its client and the transactions the firm is required to undertake on the client’s behalf (e.g., the amounts being invested, deposited or remitted)”. Source of wealth is defined as “the origin of the entire body of wealth (i.e., total assets) of the client”.

86. In some cases, the funds and wealth of a customer may be derived from the same source. Where a customer has multiple streams of income, their total wealth may have been derived from additional sources. In order to build a robust economic profile of that customer, they should be asked, on a risk-sensitive basis, to provide information on all forms of income through which they have developed their wealth.

5.10.2 Identification of Source of Funds & Wealth

87. As with other customer due diligence measures, a regulated entity’s approach to the identification and verification of source of funds and wealth must be risk-based. The minimum due diligence required is to document the customer’s source of funds and wealth to a level that is both plausible and verifiable. The assessment of source of funds and wealth information in line with this approach is broken down below.

88. Plausible – Each piece of information provided on a customer’s source of funds and wealth should correlate with the regulated entity’s collective assessment of the economic profile of that customer.

89. Verifiable – The information provided on a customer’s source of funds and wealth should be to a level of detail that would enable the regulated entity, law enforcement agencies or other relevant bodies to verify the information if the customer’s risk profile increases, or if ML, TF or PF is known or suspected.

Example – Plausible & Verifiable Source of Funds & Wealth Information

90. When asked to provide information on source of funds and wealth, a prospective low-risk customer responds with the following: “salaried employee, earning over 250k”.

91. Based on the information provided, a regulated entity would be unable to determine the plausibility of this individual’s economic profile, because no information has been provided on the individual’s place of work, the sector in which they operate, or the role that they hold. A regulated entity would therefore be unable to determine whether a salary of that amount would be plausible in the given scenario. If the risk profile of that customer were to increase, or their pattern of transactions were to change, the regulated entity may also have difficulty in verifying whether the activity remains in line with the customer’s economic profile. In this example, that is partly because the individual’s annual salary is stated only as “over 250k”, which is very wide-ranging, rather than as a specific figure.
5.10.3 Independent Verification of Source of Funds & Wealth

Guidance

92. In cases of higher risk, it is not considered adequate to apply standard due diligence measures. A regulated entity must instead apply enhanced due diligence measures. In such cases, a regulated entity is required to seek independent verification of the source of funds and wealth of its customers, as well as of the beneficial owner(s) of those customers. In addition to instances where a regulated entity has risk-profiled a customer as high risk, independent verification must also be sought for PEPs, as well as for family members and close associates of PEPs.

93. Independent verification requires that a regulated entity corroborate the information provided by its customer using reliable and independent sources. The type of document or source of information that would satisfy this requirement is likely to depend on the nature of the customer’s income or wealth. A non-exhaustive list of corroborating examples for source of funds and wealth information is set out below.

Table 1 – Corroborating Examples of Source of Wealth/Funds Documentation
(Each entry gives the Source of Wealth/Funds followed by Examples of Corroborating Information.)

Company Sale
  • Copy of the contract of sale;
  • Internet research of Company Registry;
  • Name and address of Company;
  • Total sales price;
  • Applicants’ share participation;
  • Nature of business;
  • Date of sale and receipt of funds;
  • Media coverage.

Company Profits/Dividends
  • Copy of latest audited financial statements;
  • Copy of latest management accounts;
  • Board of Directors approval minutes;
  • Dividend distribution;
  • Tax declaration form.

Inheritance
  • Name of deceased;
  • Date of death;
  • Relationship to applicant;
  • Date received;
  • Total amount;
  • Solicitor’s details;
  • Tax clearance documents.

Employment Income
  • Nature of employer’s business;
  • Name and address of the employer;
  • Annual salary and bonuses for the last couple of years;
  • Last month/recent pay slip;
  • Confirmation from the employer of annual salary;
  • Latest accounts or tax declaration if self-employed.

Savings/Deposits
  • Bank statement and enquiry on source of wealth.

Property Sale
  • Details of the property sold;
  • Copy of contract of sale;
  • Title deed from land registry.

Sale of shares or other investment
  • Copy of contract;
  • Sale value of shares sold and how they were sold;
  • Statement of account from agent;
  • Transaction receipt/confirmation;
  • Shareholder’s certificate;
  • Date of sale.

Loan
  • Loan agreement;
  • Amount, date and purpose of loan;
  • Name and address of lender;
  • Details of any security.

Gift
  • Date received;
  • Total amount;
  • Relationship to applicant;
  • Letter from donor explaining reason for the gift;
  • Certified identification documents of donor;
  • Source of wealth documentation of donor.

Maturity/surrender of life policy
  • Amount received;
  • Policy provider;
  • Policy number/reference;
  • Date of surrender.

Virtual asset trading
  • Virtual asset exchange trading statement;
  • Cryptocurrency wallet address (which is then screened to demonstrate the origin of the crypto assets).

Virtual asset mining
  • Mining pool contracts;
  • Maintenance records;
  • Mining software licences;
  • Electricity bills; and
  • Cryptocurrency wallet address (which is then screened to demonstrate the origin of the crypto assets).

Other income sources
  • Nature of income (amount, date received, who from);
  • Appropriate supporting documentation.

94. In the case of high net worth individuals, it may be difficult to assess the entirety of their income or wealth as a result of its complexity. In these cases, the extent of verification required should be in line with the risk profile of the individual and, if the individual is considered higher risk, should include independent verification of at least the majority of the customer’s income or wealth.

95. Where open source information is available on the source of funds or wealth of a customer, this can also be used for verification purposes. This is only considered appropriate, however, where the information comes from a source that is both reputable and independent (i.e. not derived directly from the customer, the customer’s website or any individual/entity associated with the customer).

5.10.4 Establishing Source of Wealth & Funds of Corporate Customers

96. In the case of a corporate customer, the requirement to identify and verify source of funds and wealth extends to its beneficial owners, regardless of whether or not the corporate entity’s funds are derived from those individuals. This is because of the risk that the beneficial owners are in a position to transmit illicit funds through the legitimate business operations of the corporate customer. Where a beneficial owner has not transmitted their own funds into or through the corporate customer in question, the requirement applies solely to identifying and verifying their source of wealth.

5.11 Acquisitions of Business

97. When a regulated entity acquires the business of another financial services provider (either in whole or as part of a portfolio or “book”), it is not necessary for the identity of all existing customers to be re-established, provided that:
  a) All records relating to those customers are acquired with the business; and
  b) The financial services provider in question has applied AML/CFT/CPF measures equivalent to those applicable within Gibraltar.

98. Prior to engaging in the acquisition of business from another financial services provider, a regulated entity must conduct the necessary due diligence to ensure that it is not exposing itself to undue levels of risk. Where a regulated entity has determined that its acquisition does not satisfy the requirements listed above, adequate customer identification measures must be established prior to the on-boarding of any of the acquired business.

99. A regulated entity must also consider whether each individual business relationship forming part of the proposed book/portfolio of business falls within its risk appetite.

5.12 Simplified Due Diligence Measures

5.12.1 Application of Simplified Due Diligence (“SDD”) Measures

100. Simplified due diligence is the minimal level of due diligence that can be applied to a business relationship or occasional transaction. Under POCA, this is only permissible where there is a low risk of ML, TF and PF. A regulated entity may apply SDD measures where, following a risk assessment, it has established that the business relationship or transaction presents a lower degree of ML, TF and PF risk and there is no knowledge or suspicion of ML, TF or PF.[30]

101. SDD allows a regulated entity to adjust the extent of the verification applied as part of its due diligence measures in a way that is proportionate to the lower risk that has been identified. It is not an exemption from applying the customer due diligence measures under POCA. The regulated entity must carry out its customer risk assessment, covering all four risk areas (customer, product, country and interface risk factors), before it can conclude that SDD measures can be applied. This will indicate whether there is, in fact, a low risk of ML, TF or PF. Further guidance on customer risk assessments can be found within the “Customer Risk Assessment” section of these Guidance Notes. A regulated entity must be able to demonstrate that it has taken all necessary steps and has reasonable grounds for deeming that the customer or transaction falls within one of the categories set out in Schedule 6 of POCA.

102. It is important to note that there is no mandatory requirement to apply SDD measures. A regulated entity may therefore elect to apply standard customer due diligence measures in instances of low identified risk where SDD is not deemed appropriate. Rather than prescribing when SDD must be applied, Schedule 6 of POCA provides a non-exhaustive list of risk factors and types of potentially lower risk relationships which may be used as a guide to determine the instances in which a business relationship or occasional transaction may pose a lower risk and could justify the application of simplified due diligence.[31] There are a range of factors to consider when assessing whether there is a low risk of ML, TF or PF, and this will typically depend on the type of relationship being established. These risk factors have been set out within each of the sections included below.

5.12.2 Customer Risk Factors

103. The following factors are examples of instances that would lead to a decreased perceived level of customer risk:
  • Public companies listed on a stock exchange and subject to disclosure requirements (either by stock exchange rules or through law or enforceable means), which impose requirements to ensure adequate transparency of beneficial ownership;
  • Public administrations or enterprises;
  • Customers that are resident in geographical areas of lower risk.

5.12.3 Product, Service, Transaction or Delivery Channel Risk Factors

104. The following factors are examples of instances that would lead to a decreased level of product, service, transaction or delivery channel risk:
  • Life insurance policies for which the premium is low;
  • Insurance policies for pension schemes if there is no early surrender option and the policy cannot be used as collateral;
  • A pension, superannuation or similar scheme that provides retirement benefits to employees, where contributions are made by way of deduction from wages, and the scheme rules do not permit the assignment of a member’s interest under the scheme;
  • Financial products or services that provide appropriately defined and limited services to certain types of customers, so as to increase access for financial inclusion purposes;
  • Products where the risks of ML and TF are managed by other factors such as purse limits or transparency of ownership (e.g. certain types of electronic money).

5.12.4 Geographical Risk Factors

105. Residence, establishment or registration in the following jurisdictions would be considered to pose a decreased level of geographic risk:
  • Gibraltar;
  • Third countries having effective AML/CFT/CPF systems;
  • Third countries identified by credible sources as having a lower level of corruption or other criminal activity;
  • Third countries which, on the basis of credible sources such as mutual evaluations, detailed assessment reports or published follow-up reports, have requirements to combat ML, TF and PF consistent with the revised FATF Recommendations and effectively implement those requirements.

106. Where a regulated entity has concluded it may apply SDD measures, it must continue to comply with the customer due diligence requirements under Section 10 of POCA. Regardless of the determination of a lower level of ML/TF/PF risk and the application of SDD measures, a regulated entity must continue to conduct adequate ongoing monitoring of those business relationships and transactions in keeping with the provisions under Section 12 of POCA.[32] This requirement is crucial as it allows a regulated entity to identify any unusual or suspicious activity or transactions.

5.12.5 Natural Persons

107. If a regulated entity determines that it is appropriate to conduct SDD measures on a natural person, it would be expected to collect, as a minimum:
  • The name of the individual;
  • The residential address of the individual;
  • The contact details of the individual; and
  • Information on the source of funds and wealth of the individual to a level that is both plausible and verifiable.

5.12.6 Legal Entities, Legal Arrangements or similar (collectively known as “Legal Entities” or “Corporate Entities”)

108. If a regulated entity determines that it is appropriate to conduct SDD measures on a legal entity, it would be expected to document, as a minimum:
  • The name of the entity, including any trading or business names;
  • The number of incorporation/registration, or equivalent;
  • The legal form of the entity;
  • The date of incorporation/registration;
  • The country or countries of registration and activity;
  • The registered office address;
  • Information relating to each of the beneficial owners, as specified under Section 6.10.2 of these Guidance Notes; and
  • Information on the source of funds and wealth of both the entity and the beneficial owners to a level that is both plausible and verifiable.

109. The examples set out below provide cases where SDD may or may not be applied in respect of customers that are corporate or legal entities. Please note that these examples are illustrative only and any similar case should be subject to the outcome of the regulated entity’s risk assessment, which must be considered as a whole.

Example – Well-Established Public Company in a Low-Risk Industry

Scenario: A regulated entity is considering providing banking services to a well-established public company that is listed on a regulated market within the EEA. The company operates in a low-risk industry with a long history of transparent financial reporting and compliance. Why would simplified due diligence be appropriate in the above scenario?

110. Public companies listed on regulated markets are typically required to comply with strict financial reporting standards and regulations. They may be subject to regular audits, and their financial statements may be publicly available. This transparency provides a level of assurance regarding the company’s financial health and reduces the need for extensive due diligence on financial information.

111. Public companies are typically subject to significant regulatory oversight and inspection by regulatory bodies. These regulatory bodies monitor the company’s compliance with disclosure requirements, corporate governance requirements and other regulatory obligations. The existence of such oversight contributes to a lower risk profile and supports the application of simplified due diligence.

112. Publicly listed companies are typically required to disclose relevant information to the market. This information includes financial reports, annual reports, press releases and disclosures of material events. Financial firms can access and analyse this publicly available information to gain insights into the company’s operations, performance and corporate governance practices, thereby facilitating simplified due diligence.

113. When determining the level of due diligence that should be applied to a publicly listed entity, a regulated entity must take into account the reputability of the market on which the entity is listed. While concessions are afforded under Section 7(1A)(b) of POCA in determining the beneficial ownership of a listed entity, these only apply to entities listed on a regulated market in Gibraltar or the EEA, or otherwise listed within Schedule 9 of POCA.[33]

[30] Section 16(1), Proceeds of Crime Act 2015
[31] Schedule 6, Proceeds of Crime Act 2015
[32] Section 16(2), Proceeds of Crime Act 2015
[33] Section 7(1), Proceeds of Crime Act 2015

Example – High-Risk Jurisdiction and Complex Ownership Structure

Scenario: A regulated entity is considering establishing a business relationship with a potential customer who operates in a high-risk jurisdiction known for its weak regulatory regime and prevalent financial crime. The potential customer is a company with a complex ownership structure involving multiple layers of ownership and offshore entities. Why would simplified due diligence not be appropriate in the above scenario?

114. In high-risk jurisdictions that lack regulatory oversight, financial services firms face a higher likelihood of encountering customers involved in money laundering, terrorist financing and/or proliferation financing. Simplified due diligence typically involves reducing the extent of assessment and verification, which can undermine compliance with regulatory duties and increase the risk of inadvertently engaging with individuals or companies engaged in illicit activities.

115. The complexity of the ownership structure and the involvement of offshore entities raise red flags for potential illicit activities, such as concealment of the identities of beneficial owners. Simplified due diligence may not sufficiently capture the details of the structure and the associated risks. Thorough due diligence, including enhanced measures, is necessary to assess the legitimacy and reliability of the potential customer.

116. Operating in a high-risk jurisdiction and establishing relationships without thorough due diligence can expose a regulated entity to significant reputational risk. If a potential customer is involved in illegal activities, it can damage the firm’s reputation and erode customer trust. A regulated entity must, therefore, demonstrate a commitment to applying robust due diligence measures to mitigate such risks.

117. Applying simplified due diligence in a situation that requires more comprehensive scrutiny may lead to regulatory non-compliance and thus to potential supervisory penalties or consequences for the regulated entity.

5.13 Enhanced Due Diligence (“EDD”) Measures

AML/CFT/CPF Requirements

R17 A regulated entity must apply enhanced due diligence measures in scenarios which it deems to pose a higher level of ML, TF and PF risk, such as those set out within these Guidance Notes and Schedule 7 of POCA.[34] The measures applied should be commensurate with the risks posed by the business relationship/occasional transaction, taking into account product, interface, customer and country risk factors.

[34] Schedule 7, Proceeds of Crime Act 2015

R18 A regulated entity must apply enhanced due diligence measures to customers established in high-risk jurisdictions.[35]

Guidance

118. Conducting enhanced due diligence involves applying additional verification measures to independently corroborate the information provided by a prospective customer. EDD is a vital tool when dealing with business relationships or occasional transactions that present a higher level of ML/TF/PF risk. This guidance aims to outline the potential higher risk factors that a regulated entity should consider when determining the application of EDD measures.

119. Schedule 7 of POCA provides a non-exhaustive list of factors and types of potentially higher risk relationships that require the application of enhanced due diligence. These risk factors have been set out within each of the sections included below.

5.13.1 Customer Risk

120. The following factors are examples of instances that would lead to an increased perceived level of customer risk:
  • Business relationships occurring under unusual circumstances;
  • Customers residing in high-risk geographical areas;
  • Legal entities or arrangements functioning as personal asset-holding vehicles;
  • Companies with nominee shareholders or shares held in bearer form;
  • Cash-intensive businesses;
  • Ownership structures that appear excessively complex or unusual considering the nature of the business; and
  • Customers who are third-country nationals seeking residence rights or citizenship in exchange for capital transfers, property purchase, government bonds, or investments in corporate entities within that country.

5.13.2 Product, Service, Transaction & Delivery Channel Risk

121. The following factors are examples of instances that would lead to an increased level of product, service, transaction or delivery channel risk:
  • Private banking services;
  • Products or transactions that enable anonymity;
  • Companies under management which pose a level of increased risk;
  • Cash-intensive businesses;
  • Non-face-to-face business relationships or transactions without adequate safeguards, such as electronic signatures, identification means, or trusted electronic identification processes recognised or approved by the relevant supervisory body;
  • Receipt of payments from unknown or unaffiliated third parties;
  • Introduction of new products, business practices, delivery mechanisms and emerging technologies for both new and existing products; and
  • Transactions involving oil, arms, precious metals, tobacco products, cultural artefacts, archaeological/historical/cultural/religious items, rare scientific valuables, ivory, protected species, or other potentially high-risk markets.

[35] Section 17(1)(b), Proceeds of Crime Act 2015

5.13.3 Geographical Risk

122. The following factors are examples of instances that would lead to an increased level of geographical risk:
  • Countries lacking effective AML/CFT/CPF systems, as identified by credible sources such as mutual evaluations, detailed assessment reports or published follow-up reports;
  • Countries identified by credible sources as having significant levels of corruption or other criminal activity;
  • Countries subject to sanctions, embargoes or similar economic measures; and
  • Countries identified as providing funding or support for terrorist activities or hosting designated terrorist organisations.

5.13.4 Additional Risk Factors

123. In addition to the factors outlined in POCA, the GFSC has specified additional risk factors that should be taken into account to identify higher-risk situations. This non-exhaustive list of factors has been set out in Sections 5.13.5 to 5.13.8 of these Guidance Notes and should be taken into consideration when risk assessing both prospective and new customers.

5.13.5 Politically Exposed Persons (PEPs)

124. A regulated entity must apply enhanced due diligence measures for PEPs, their family members and close associates, as defined in Section 20A of POCA. This applies regardless of the geographical location of the PEP or of any other potential lower risk factors.

5.13.6 National Risk Assessment

125. A regulated entity should be sufficiently familiar with the HM Government of Gibraltar National Risk Assessment to understand the threats and vulnerabilities associated with specific products or services present in the jurisdiction and/or a specific sector. The NRA may also list countries and territories that are considered to pose a higher risk to Gibraltar. A regulated entity must ensure that any information published in the NRA is incorporated into the entity’s risk methodology and scoring mechanism.

5.13.7 Ministerial Notices & Information

126. If a risk is classified as high through a notice published in the Gazette, or if the National Coordinator for Anti-Money Laundering and Combatting Terrorist Financing (Regulations 2016) states any factors which indicate a high-risk product, service, country or customer, enhanced due diligence measures must be applied.

5.13.8 High-Risk Business Relationships

127. If a regulated entity identifies a business relationship as high risk based on its own risk methodology, enhanced due diligence measures must be applied, unless the entity can provide a documented justification for not doing so and applies mitigating measures accordingly.

5.13.9 Outsourced Providers in High-Risk Jurisdictions

128. A regulated entity is not required to carry out enhanced due diligence measures on an outsourced provider based in a high-risk jurisdiction if the provider is compliant with Gibraltar legislative and regulatory requirements. Nonetheless, a regulated entity may wish to do so as a matter of best practice.

5.13.10 Application of Enhanced Due Diligence Measures

129. When applying enhanced due diligence measures, the regulated entity should take the following steps to verify the information provided by the applicant for business.

130. Business Relationship: A regulated entity is required to gather comprehensive information about the nature and purpose of the business relationship with the customer. This includes understanding the scope of the services or transactions involved, the expected duration of the relationship and its intended nature and purpose. The process may also involve assessing the customer’s industry, business activities and the potential risks associated with the proposed relationship.

131. Purpose & Scope of the Business Relationship: A regulated entity must understand the underlying reasons for establishing a particular business relationship. By understanding the purpose, the regulated entity can assess the legitimacy of the relationship and ensure that it falls within its own risk appetite. This will also involve determining the type and volume of anticipated transactions, the frequency of interactions and any arrangements or services requested.

132. Obtaining information about the specific activities the customer intends to carry out within the business relationship is key. This can include details such as anticipated financial flows, intended counterparties, geographic locations involved and any other relevant factors. By understanding the expected activities, a regulated entity can assess the potential exposure to ML/TF/PF.

133. In some cases, a regulated entity may request supporting documentation to substantiate the intended nature of the business relationship. This can include business plans, contracts, project details or any other relevant documents that provide additional insight into the customer’s objectives and activities. By gathering additional details on the intended nature of the business relationship, a regulated entity can better assess the associated risks, tailor its due diligence measures accordingly and ensure that the relationship aligns with regulatory requirements and its own risk management framework.

134. Beneficial Owners: A regulated entity is required to collect enhanced documentation on the beneficial owners involved. This information helps verify who holds the ultimate decision-making power and financial interests within legal entities.

135. Independent Verification of Source of Wealth & Funds: Seeking independent verification of the source of funds and source of wealth of the customer and the beneficial owner(s) involves obtaining objective and reliable information from external, independent sources to confirm the legitimacy and origin of the funds and wealth involved in the business relationship.

136. A key part of enhanced measures is the verification of source of wealth and funds applied during the business relationship. When applying enhanced measures, having the applicant for business document the source of funds and wealth will not be sufficient. A regulated entity must seek to independently verify the origin of these funds. Section 6.10.3 highlights examples of the type of documentation a regulated entity can request from the applicant for business for verification purposes.

137. A regulated entity may use independent data sources to verify the nature of the source of wealth and funds of the beneficial owner(s). These independent sources ensure that the information obtained has not been subject to manipulation by the applicant for business or customer.

138. Rationale for the Intended or Completed Transactions: Requesting information regarding the volume and nature of transactions at the onset of and throughout the business relationship should clarify the purpose and reasoning behind the specific financial transaction or activity in line with the business relationship.

139. A regulated entity needs to gain insight into the purpose and rationale behind the transactions to assess their legitimacy and potential risks. This may involve asking the customer to provide a clear explanation of why it is engaging in a particular transaction or series of transactions. Understanding the rationale helps determine whether the activities align with the customer’s usual or anticipated business and expected turnover, and whether they are in keeping with what the customer outlined when establishing the business relationship.

140. Requesting further information also helps identify any red flags or suspicious elements associated with the transactions. If the explanation provided by the customer appears vague, inconsistent, or does not align with the established business activities, it may indicate that illicit activity is taking place. In such cases, further scrutiny and enhanced due diligence measures may be necessary.

141. Documenting the Purpose of the Business: A regulated entity should maintain proper documentation of the rationale provided by the customer. This documentation serves as evidence that the business relationship and associated transactions are in line with expectations and that the regulated entity has taken appropriate steps to verify this.

5.13.11 Senior Management Approval

142. Before establishing a new high-risk business relationship or occasional transaction (or when determining to continue an existing one at the point of periodic review or upon a trigger event), a regulated entity should consider obtaining senior management review and approval. This should be documented alongside any risk mitigation strategy devised by the senior management team. The following are instances where obtaining senior management approval is mandatory under POCA:
  − When establishing or continuing a business relationship or occasional transaction involving a high-risk jurisdiction;[36] and
  − When establishing or continuing a business relationship with a Politically Exposed Person (including a close associate or family member of a Politically Exposed Person).[37]

5.13.12 Enhanced Ongoing Monitoring of the Business Relationship

143. Enhanced ongoing monitoring refers to an increased level of scrutiny that a regulated entity must implement for high-risk business relationships. It involves continuously monitoring and assessing the activities, transactions and behaviours of these relationships to detect and mitigate any potential risks associated with ML, TF or PF. Ongoing monitoring, including enhanced ongoing monitoring requirements, is covered within the “Ongoing Monitoring” section of these Guidance Notes.

5.14 Sanctions Screening

AML/CFT Requirements

[36] Section 17(6)(e), Proceeds of Crime Act 2015
[37] Section 20(1)(a), Proceeds of Crime Act 2015

R19 A regulated entity is required to conduct appropriate sanctions screening on all customers and their beneficial owners:
a) Prior to establishing a business relationship or an occasional transaction; and
b) On an ongoing basis, in line with updates to the relevant sanctions lists.

Guidance

144. As part of a regulated entity’s customer due diligence obligations, POCA requires a regulated entity to conduct sanctions screening.[38]

145. A regulated entity is therefore required to carry out sanctions screening of all business relationships and occasional transactions. This screening must include the customer, any beneficial owners and/or controllers, and other associated parties.

146. The screening must be carried out at the start of a business relationship as well as on an ongoing basis. The screening must be carried out without delay whenever an amendment or change is made to the relevant sanctions lists.

147. The Sanctions Act 2019 provides for the automatic recognition and enforcement of UN, UK and EU sanctions, to which a regulated entity is subject when conducting its sanctions screening. The Sanctions Act 2019 and the Terrorist Asset-Freezing Regulations 2011 also provide for separate Gibraltar sanctions designations to be made by the relevant competent authority in Gibraltar.

148. A regulated entity is subject to the enforcement of UN, EU, UK and Gibraltar sanctions[39] and should ensure that it maintains awareness of any additional targets that have been designated locally under the Sanctions Act 2019 or the Terrorist Asset-Freezing Regulations 2011.

149. The restrictive measures imposed by the UK will always take precedence where restrictive measures have been imposed by both the UK and the EU.[40]

150. In determining the suitability of automated versus manual screening, a regulated entity should assess various factors, including: its sector; the frequency of updates to the relevant lists; the number of customers in its client base; the resources available, including staff capacity; and the volume and complexity of transactions. If a regulated entity chooses to implement an automated screening system, it must ensure that any sanctions monitoring arrangements with third-party providers have been adequately assessed and are deemed to comply with local legislative requirements.

151. As stated within the “Suspicious Activity Reporting” section of these Guidance Notes, all MLROs must register an account with Themis in order to receive notification of sanctions notices from the GFIU via the Themis Notice Board.

152. A hit against a sanctions designation must be reported to the competent authority, which is the Chief Minister, via the GFIU. For further information on local designations and sanctions measures please visit the GFIU website and the GFIU’s Financial Sanctions Guidance Notes.

5.15 Wire Transfers

Sector-Specific Guidance – Payment Services

[38] Section 10(ca), Proceeds of Crime Act 2015
[39] Section 6(2), Sanctions Act 2019
[40] Section 6(3), Sanctions Act 2019

153. Investigations into major money laundering cases in recent years have shown that criminals make extensive use of electronic payment and messaging systems. The rapid movement of funds between accounts in different jurisdictions increases the complexity of such cases and reduces the ability to trace each transaction.

154. Requirements relating to wire transfers apply to transfers of funds, in any currency, which are sent or received by a Payment Service Provider (“PSP”) established in Gibraltar.[41] The requirements do not apply to transfers of funds:
a) Carried out using a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or postpaid device with similar characteristics (unless used in order to effect a person-to-person transfer of funds), where:
  i. The card, instrument or device is used to pay for goods or services; or
  ii. The unique identifying number of that card, instrument or device accompanies all transfers flowing from the transaction.
b) Where the payer withdraws cash from their own payment account;
c) Where the funds are issued to a public authority as payment for taxes, fines or other levies;
d) Where both the payer and payee are payment service providers acting on their own behalf;
e) That are carried out through cheque image transfers, including truncated cheques;
f) Where the service provided does not constitute a payment service, as listed within points (a) to (m) and (o) of Schedule 2, Part 4, Paragraph 18 of the Financial Services Act 2019;[42] or
g) Carried out within Gibraltar to a payee’s payment account permitting payment exclusively for the provision of goods or services where:
  i. The payment service provider of the payee is subject to the Proceeds of Crime Act 2015;
  ii. The payment service provider of the payee is able to trace back, through the payee, by means of a unique transaction identifier, the transfer of funds from the natural or legal person who has an agreement with the payee for the provision of goods or services; and
  iii. The amount of the transfer (or the sum of linked transactions) does not exceed EUR 1,000.

155. Where both the PSP of the payer and the PSP of the payee are situated within Gibraltar, the United Kingdom or the EU, transfers of funds are required to be accompanied by at least the account number of both the payer and the payee, or a unique identifier, provided it allows the transaction to be traced back to the payer. If requested by the PSP of the payee, however, complete information on the payer must be provided within three working days of that request.

156. For domestic wire transfers (i.e. within Gibraltar), PSPs should ensure that the information accompanying the transfer is the same as is required for cross-border wire transfers.

157. Where a transfer of funds is made to a payee’s PSP situated outside of the UK or the EU, it must be accompanied by the following information on the payer:
  • The full name of the payer;
  • The address of the payer (which may alternatively be substituted by the individual’s date of birth, customer identification number or national identity number); and
  • The account number of the payer (or equivalent unique identifier).

158. In the case of such transfers, the PSP of the payer must verify the information on the payer only where the amount exceeds EUR 1,000, unless the transaction is carried out in several operations that appear to be linked and together exceed EUR 1,000.

159. Intermediary PSPs must ensure that all originator and beneficiary information that accompanies a wire transfer is retained with it. They should also take reasonable measures to identify cross-border wire transfers that do not contain all required originator and/or beneficiary information.

160. Payment service providers must ensure that all originator and beneficiary information is retained in keeping with the record keeping requirements set out under POCA.

161. In the case of batch file transfers, the individual transfers bundled together need not include the information listed within paragraph 157, provided that the batch file contains that information and that the individual transfers carry the account number of the payer or a unique identifier.

162. The PSP of the payee should take reasonable measures (either in the form of post-event monitoring or, where available, real-time monitoring) to identify cross-border wire transfers that lack required originator or beneficiary information. If the payment service provider of the payee becomes aware, when receiving transfers of funds, that the required information on the payer is missing or incomplete, it must either reject the transfer or ask for complete information on the payer. The PSP should also consider whether a report to the GFIU should be made. In the case of repeated failure to supply the required information, the PSP should consider escalating matters appropriately.

5.16 The Travel Rule

Sector-Specific Guidance – Virtual Asset Service Providers (VASPs)

5.16.1 Exchange of Beneficiary & Originator Information

163. VASPs are subject to additional AML/CFT/CPF requirements when acting as the originator or beneficiary of a virtual asset transaction where the value of the transaction is equal to or exceeds EUR 1,000.[43] In such circumstances, VASPs are required to transmit and receive specific information as part of the transaction.

164. In the case of an originator VASP sending a virtual asset transfer to another VASP, the originator must submit the following information:[44]
a) The payee’s name;
b) The payee’s virtual asset account number;
c) The payer’s name;
d) The payer’s virtual asset account number;
e) Where the payee or the payer does not have a virtual asset account number, a unique transaction identifier; and
f) One of the following:
  i. The payer’s address;
  ii. The payer’s national identity number;

[41] Regulation (EU) 2015/847 of the European Parliament and of the Council
[42] Schedule 2, Part 4, Paragraph 18, Financial Services Act 2019
[43] Proceeds of Crime Act 2015 (Transfer of Virtual Assets) Regulations 2021
[44] Regulation 4, Proceeds of Crime Act 2015 (Transfer of Virtual Assets) Regulations 2021

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 35 iii. The payer’s customer identification number; or iv. The payer’s date and place of birth. 165. Where a beneficiary VASP receives a virtual asset transfer equal to or above the EUR 1,000 threshold from another VASP, the beneficiary VASP must ensure that it receives the information specified above, as well as corroborate that the information is consistent with its own records45 . 166. In cases where the beneficiary VASP receives a virtual asset transfer equal to or above the EUR 1,000 threshold from a person that is not a VASP, the beneficiary entity must ensure that it obtains the payer’s name, as well as one of the following46: a) The payer’s address; b) The payer’s national identity number; c) The payer’s customer identification number; or d) The payer’s date and place of birth. 167. VASPs must ensure that the transfer of information specified above is made on an immediate and secure basis, and that all information is held in accordance with the record keeping requirements set out under Section 25 of POCA. It is the responsibility of the local VASP to identify an appropriate solution to facilitate the transmission of such information. VASPs are also required to establish and maintain documented policies and procedures which appropriately reflect the controls being applied for the purposes of ensuring compliance with the Travel Rule. 168. A VASP must implement an effective control framework to ensure that it can comply with its targeted financial sanctions obligations. Both originator and beneficiary VASPs must screen the names of the other parties (payee or payer) to confirm that the relevant party is not the subject of targeted financial sanctions. In addition, as per Section 6.2.3 of these Guidance Notes, regulated entities must have appropriate controls in place to screen counterparty wallet addresses as a means of assessing risk and identifying potential illicit/suspicious activity. 169. 
Where a VASP chooses to place reliance on an intermediary VASP as part of a virtual asset transfer, Travel Rule requirements continue to apply. In such circumstances, the local VASP will retain responsibility for ensuring Travel Rule compliance with all parties involved throughout the entirety of the transaction. 5.16.2 In Scope & Out of Scope Transfers Example – In-scope virtual asset transfers 170. For the sake of clarity, regulated entities should be aware that the following virtual asset transfers are also considered to be in-scope of Travel Rule requirements:

  1. Transfers where the originator and beneficiary are the same person;
  2. Transfers between wallets held with different legal entities within the same group;
  3. Transfers which appear to be linked and collectively surpass a value equal to or above £1,000; and
  4. Transfers where there are reasonable grounds for suspecting that are linked to illicit activities, irrespective of the value of the transaction. Example – Out of scope virtual asset transfers
  1. Virtual asset transfers considered to be out of scope of Travel Rule requirements include: 45 Regulation 5(1), Proceeds of Crime Act 2015 (Transfer of Virtual Assets) Regulations 2021 46 Regulation 5(2), Proceeds of Crime Act 2015 (Transfer of Virtual Assets) Regulations 2021

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 36

  1. Transfers where both the originator and the beneficiary hold accounts with the same VASP;
  2. Transfers between two VASPs acting on their own behalf; and
  3. The receipt of transaction fees relating to virtual asset transfer. 5.16.3 Transactions with Travel Rule-compliant Counterparties
  1. Where the originator or beneficiary VASP of a virtual asset transfer is located within the UK, EU, Gibraltar, or any other jurisdiction that has implemented the Travel Rule, the local VASP must ensure that it fully complies with Travel Rule requirements. Where the originator or beneficiary VASP of a virtual asset transfer is not located within the UK, EU or Gibraltar, the local VASP must take reasonable and demonstrable steps to determine whether the corresponding VASP is located within a jurisdiction that has implemented the Travel Rule. When transacting with originator or beneficiary VASPs based in other jurisdictions, regulated entities should regularly review the Travel Rule implementation status in those jurisdictions and adapt their operations as appropriate. 5.16.4 Transfers with non-compliant counterparties
  2. In cases where the originator or beneficiary VASP of a virtual asset transfer is located within a jurisdiction that has yet to implement the Travel Rule, Travel Rule requirements will continue to apply. Should the local VASP be unable to submit or receive the necessary Travel Rule information immediately upon or prior to a virtual asset transfer taking place, the regulated entity should: a) Consider the status of Travel Rule compliance in the jurisdiction in question; b) Take all reasonable steps to establish whether the required information can be received/submitted and verified via alternative means (e.g. via email correspondence, receipt of physical documentation, etc., subject to those means of information sharing being appropriately robust and secure); and c) If the information remains missing or incomplete, apply a risk-based approach in determining whether to proceed with the transaction in light of all relevant risk factors and any associated mitigating measures. Should the local VASP have any suspicions regarding the ownership or control of a corresponding parties’ virtual asset wallet address throughout this process, the VASP should not proceed with the intended transaction.
  3. It is the responsibility of each VASP to assess and appropriately mitigate all risks associated with proceeding with a transaction where complete Travel Rule information cannot be immediately obtained. In undertaking this assessment, VASPs should take into account all relevant risk factors associated with the transaction in question. A non-exhaustive list of potential factors to consider in such instances include: a) The size, purpose and nature of the transaction; b) The risks associated with the jurisdiction(s) where the counterparty VASP is located/trading; c) The regulatory status, reputation and known compliance track record of the counterparty VASP; d) The risk profile of the originator or beneficiary in question; e) The presence of any adverse media or potential sanctions concerns; and f) The presence of any relevant red flags or risk indicators.
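The required-information checks of paragraphs 164 to 166, the sanctions screening of paragraph 168, the linked-transfer aggregation of paragraph 170 and the hold-or-reject handling of paragraphs 173 and 174, written out as an added example in Go. This is illustrative code prepared for these notes, not GFSC code and not the API of any Travel Rule solution. The field names, the "va1" wallet address format, the sanctions entries and the sample transfers are all constructed for the example, and transfer values are assumed to have already been converted to whole euros.

```go
package main

import (
	"fmt"
	"strings"
)

// ThresholdEUR is the value at or above which Travel Rule information must accompany a
// virtual asset transfer (paragraph 163). Amounts in this example are whole euros (assumption).
const ThresholdEUR = 1000

// Party holds the payer (originator) or payee (beneficiary) details listed in paragraph 164.
type Party struct {
	Name          string
	AccountNumber string // virtual asset account number; may be absent, see 164(e)
	Address       string
	NationalID    string
	CustomerID    string
	DateOfBirth   string
	PlaceOfBirth  string
	Wallet        string // constructed on-chain address, screened as per paragraph 168
}

// hasIdentifier reports whether one of the identifiers in 164(f) / paragraph 166 is present.
func (p Party) hasIdentifier() bool {
	return p.Address != "" || p.NationalID != "" || p.CustomerID != "" ||
		(p.DateOfBirth != "" && p.PlaceOfBirth != "")
}

// Transfer is one virtual asset transfer handled by the local VASP.
type Transfer struct {
	ID                 string
	AmountEUR          int
	Payer, Payee       Party
	TransactionID      string // unique transaction identifier, 164(e)
	CounterpartyIsVASP bool   // false when the other side is not a VASP (paragraph 166)
	LinkedGroup        string // constructed: set when transfers appear to be linked (paragraph 170)
}

// Constructed sanctions data standing in for a real screening feed (paragraph 168).
var (
	sanctionedNames   = map[string]bool{"acme sanctioned ltd": true}
	sanctionedWallets = map[string]bool{"va1sanctioned0000": true}
)

func sanctionsHit(p Party) bool {
	return sanctionedNames[strings.ToLower(strings.TrimSpace(p.Name))] ||
		sanctionedWallets[strings.ToLower(p.Wallet)]
}

// inScope applies the threshold, summing transfers that appear to be linked (paragraph 170, item 3).
func inScope(t Transfer, all []Transfer) bool {
	total := t.AmountEUR
	if t.LinkedGroup != "" {
		total = 0
		for _, o := range all {
			if o.LinkedGroup == t.LinkedGroup {
				total += o.AmountEUR
			}
		}
	}
	return total >= ThresholdEUR
}

// Decision is the outcome of the check. Action is "proceed", "hold" (information missing: request
// it via alternative means and assess the risk, paragraphs 173-174) or "reject" (sanctions match).
type Decision struct {
	Action   string
	Findings []string
}

// Check validates one transfer against paragraphs 164-166, 168 and 170.
func Check(t Transfer, all []Transfer) Decision {
	d := Decision{Action: "proceed"}
	for _, side := range []struct {
		label string
		p     Party
	}{{"payer", t.Payer}, {"payee", t.Payee}} {
		if sanctionsHit(side.p) {
			d.Findings = append(d.Findings, side.label+": targeted financial sanctions match")
		}
	}
	if len(d.Findings) > 0 {
		d.Action = "reject" // screening applies regardless of value
		return d
	}
	if !inScope(t, all) {
		return d // below threshold and not linked: Travel Rule fields are not required
	}
	require := func(missing bool, what string) {
		if missing {
			d.Findings = append(d.Findings, "missing "+what)
		}
	}
	require(t.Payer.Name == "", "payer name (164(c), 166)")
	require(!t.Payer.hasIdentifier(), "payer address, national ID, customer ID or date and place of birth (164(f), 166)")
	if t.CounterpartyIsVASP {
		require(t.Payee.Name == "", "payee name (164(a))")
		require(t.Payer.AccountNumber == "" && t.TransactionID == "", "payer account number or unique transaction identifier (164(d), (e))")
		require(t.Payee.AccountNumber == "" && t.TransactionID == "", "payee account number or unique transaction identifier (164(b), (e))")
	}
	if len(d.Findings) > 0 {
		d.Action = "hold"
	}
	return d
}

func main() {
	// Constructed sample: a VASP-to-VASP transfer that arrives without any payer identifier.
	incoming := Transfer{ID: "tx-001", AmountEUR: 1500, CounterpartyIsVASP: true,
		Payer: Party{Name: "Ana Lopez", AccountNumber: "VA-1001"},
		Payee: Party{Name: "Ben Ortiz", AccountNumber: "VA-2002"}}
	d := Check(incoming, nil)
	fmt.Printf("%s: %s %v\n", incoming.ID, d.Action, d.Findings)
}
```

Sanctions screening runs before the threshold test, so a match is rejected even on a transfer below EUR 1,000; the threshold only decides whether the paragraph 164 to 166 fields are mandatory. A "hold" decision is the point at which paragraphs 173 and 174 apply: the missing items are listed so they can be requested through alternative channels and the risk factors weighed before proceeding.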

175. VASPs should document all measures undertaken in response to failures to provide the required information. They should also establish a clear escalation process, which may include issuing warnings and setting deadlines for addressing incomplete or missing information provided by the originating VASP.

176. VASPs must also establish and maintain appropriate, risk-sensitive policies, procedures and controls outlining their approach to such circumstances.

5.16.5 Use of Third-Party Solutions

177. VASPs may utilise third party technological solutions to achieve compliance with Travel Rule requirements. Where a VASP chooses to implement technological solutions relating to the Travel Rule, it retains all liability and responsibility for ensuring Travel Rule compliance in accordance with the principles set out within the GFSC’s Outsourcing Guidance Note [47].

178. When selecting a specific Travel Rule solution, VASPs must ensure that the chosen system complies with Gibraltar’s legal and regulatory framework, including any guidance issued by the GFSC.

179. In accordance with Section 9.6 of these Guidance Notes, VASPs must be aware of the potential differences between the record keeping requirements under POCA and data protection requirements. A VASP must therefore have due regard to both sets of obligations.

180. When selecting a Travel Rule solution, VASPs should also take appropriate steps to assess:
a) Whether the system is capable of appropriately communicating with the VASP’s own internal systems;
b) Whether the system meets the needs of the business in terms of compatibility with blockchain networks and interoperability with other technological Travel Rule solutions;
c) Whether the system affords the VASP an appropriate degree of reachability with other counterparties, taking into consideration the diversity of counterparties that can be reached;
d) Whether the system is able to effectively handle the VASP’s expected transactional volumes;
e) Whether the system enables the VASP to adequately identify transfers with missing or incomplete information; and
f) In the case of DLT Providers, whether the system meets the operational, technical and organisational cybersecurity standards set out within the GFSC’s Systems and Security Access Guidance Notes regarding Regulatory Principle 7 [48].

181. Where a Travel Rule solution temporarily fails or proves incapable of issuing or receiving the necessary information required to meet Travel Rule requirements, the local VASP should ensure that it acquires the relevant information via alternative means. As with all critical and sensitive systems and data, however, VASPs should ensure that there are adequate back-ups and that any recovery processes are tested regularly, with adequate business continuity and disaster recovery plans in place. When utilising a Travel Rule solution, a VASP must also ensure that it remains capable of identifying, detecting, suspending, reviewing, and in accordance with a risk-based approach, rejecting, any virtual asset transactions which are deemed to be non-compliant with Travel Rule requirements prior to the transaction taking place.

[47] GFSC Outsourcing Guidance Notes
[48] GFSC DLT Provider Guidance Notes – Systems and Security Access

5.16.6 Counterparty VASP Due Diligence

182. When initiating a virtual asset transfer, regulated entities must conduct due diligence on the counterparty VASP prior to engaging in an initial transaction. Using a risk-based approach, the assessment should include verifying the counterparty VASP’s identity and licensing, evaluating its reputation and history, and reviewing its compliance programs, risk management controls and adherence to the Travel Rule. Sanctions screening, security protocols and geographical restrictions should also be considered. This due diligence must be refreshed on an ongoing (or, where warranted, ad-hoc) basis in accordance with the level of risk posed by the counterparty in question.

5.16.7 Transfers with Self-Hosted Wallets

183. Travel Rule requirements also extend to transfers between VASPs and self-hosted wallets. Self-hosted wallets (also referred to as non-custodial or un-hosted wallets) are virtual asset wallets where individuals maintain the ownership and control over their private keys and assets and do not involve a third-party custodian or intermediary.

184. In accordance with Travel Rule requirements, VASPs engaging in transactions with self-hosted wallets must obtain and hold the information on the self-hosted address and ensure that the transfer of virtual assets can be verified. This includes collecting information on the originator and beneficiary of a virtual asset transfer in accordance with Section 5.16.1 of these Guidance Notes. Due to the technical challenges that VASPs may encounter with third-party self-hosted wallets, they may need to gather information from supplementary sources or employ other reliable verification methods to meet their verification obligations.

185. Self-hosted wallets, by nature, are considered to be higher risk in relation to ML, TF & PF given the difficulties in ascertaining the owner/controller of the wallet address. As part of each VASP’s wider risk-based approach, regulated entities must consider the increased risk posed by dealing with transfers to self-hosted wallets. When assessing the level of risk posed by such transfers, regulated entities should consider the following non-exhaustive factors prior to the initiation of that transfer:
a) The purpose of the business relationship with its customer;
b) The value of the transfer;
c) The frequency of transfers made by or to the customer; and
d) The duration of the business relationship with the customer.

186. When engaging in a virtual asset transfer with a self-hosted wallet, VASPs must take reasonable steps to verify the ownership of that self-hosted wallet. To facilitate the verification of self-hosted wallet ownership, VASPs may consider the following non-exhaustive methods:
a) Implementing cryptographic proof of wallet ownership mechanisms;
b) Microtransactions (commonly referred to as the “Satoshi Test”), which involve sending a series of small transactions to/from the wallet;
c) Visual proof of ownership, such as a screenshot or video clip; and/or
d) Submission of an ownership self-declaration. Subject to the level of risk posed and the materiality of the transaction, this method should only be considered appropriate when used in combination with another verification method.

187. It should be noted that in accordance with an effective risk-based approach, VASPs are expected to implement enhanced verification methods in areas identified as high risk.
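A cryptographic proof of wallet ownership mechanism of the kind listed in paragraph 186(a), with the outcome recorded on a whitelist as described in paragraph 188 below, written out as an added example in Go. This is illustrative code prepared for these notes, not GFSC code and not the signing protocol of any real wallet. It assumes that the wallet signs with an Ed25519 key and that an address is derived by hashing the public key (the "va1" address format here is constructed; real networks use their own derivation), and the challenge format, the ten-minute validity window and the customer IDs are likewise assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ChallengeTTL bounds how long a signed proof is accepted (assumed value).
const ChallengeTTL = 10 * time.Minute

// AddressFromPublicKey derives a constructed wallet address: "va1" plus the hex of the first
// 20 bytes of SHA-256(public key). Real networks use their own derivation.
func AddressFromPublicKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "va1" + hex.EncodeToString(sum[:20])
}

// GenerateWalletKey stands in for the customer's own self-hosted wallet key pair.
func GenerateWalletKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Challenge is a one-time message the VASP asks the customer to sign with the wallet key.
type Challenge struct {
	Nonce      string
	CustomerID string
	Address    string
	Expires    time.Time
}

// Message is the exact byte string that gets signed. Binding nonce, customer, address and expiry
// together means a signature produced for one purpose cannot be presented as proof for another.
func (c Challenge) Message() []byte {
	return []byte(fmt.Sprintf("ownership-proof|%s|%s|%s|%d", c.Nonce, c.CustomerID, c.Address, c.Expires.Unix()))
}

// Verifier issues challenges, verifies proofs and keeps the whitelist. Not safe for concurrent
// use; a production service would guard the maps and persist them.
type Verifier struct {
	Now       func() time.Time
	pending   map[string]Challenge // keyed by nonce; deleted on first presentation
	whitelist map[string]string    // address -> customer ID
}

func NewVerifier() *Verifier {
	return &Verifier{Now: time.Now, pending: map[string]Challenge{}, whitelist: map[string]string{}}
}

// Issue creates a fresh random challenge for the address the customer claims to control.
func (v *Verifier) Issue(customerID, address string) Challenge {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	c := Challenge{Nonce: hex.EncodeToString(b[:]), CustomerID: customerID, Address: address,
		Expires: v.Now().Add(ChallengeTTL)}
	v.pending[c.Nonce] = c
	return c
}

// Prove is the customer side: sign the challenge with the wallet's private key.
func Prove(c Challenge, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, c.Message())
}

// Verify checks a proof: the nonce must be outstanding, the challenge unexpired, the public key
// must derive to the claimed address, and the signature must verify. Success whitelists the address.
func (v *Verifier) Verify(nonce string, pub ed25519.PublicKey, sig []byte) error {
	c, ok := v.pending[nonce]
	delete(v.pending, nonce) // single use, whether or not the proof turns out to be valid
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	if v.Now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	if AddressFromPublicKey(pub) != c.Address {
		return errors.New("public key does not derive to the claimed address")
	}
	if !ed25519.Verify(pub, c.Message(), sig) {
		return errors.New("signature does not verify")
	}
	v.whitelist[c.Address] = c.CustomerID
	return nil
}

// IsWhitelisted reports whether the address is recorded as controlled by this customer.
func (v *Verifier) IsWhitelisted(address, customerID string) bool {
	id, ok := v.whitelist[address]
	return ok && id == customerID
}

// Revoke removes an address when there is any indication that ownership or control has changed.
func (v *Verifier) Revoke(address string) { delete(v.whitelist, address) }

func main() {
	pub, priv := GenerateWalletKey() // constructed customer wallet
	v := NewVerifier()
	c := v.Issue("C-77", AddressFromPublicKey(pub))
	fmt.Println("proof accepted:", v.Verify(c.Nonce, pub, Prove(c, priv)) == nil)
}
```

The address check runs before the signature check, so a valid signature from some other key the customer happens to hold proves nothing about the claimed address. Each nonce is deleted on first presentation and the expiry is part of the signed message, so a proof captured in transit cannot be replayed later or transplanted to another customer record. The whitelist entry is what later transfers to that address would be checked against, and Revoke is the action paragraph 188 below calls for when control of the address may have changed.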

188. In circumstances where the VASP has conducted an assessment and is satisfied that the self-hosted address is owned or controlled by its customer, the VASP should consider whitelisting the address in question. Should there be any indication that the ownership or control of the self-hosted address has changed, the VASP should remove this address from its whitelist and consider any necessary escalation.

189. Where a VASP is unable to obtain sufficient information to be satisfied with the ownership and control of the self-hosted wallet, the virtual assets should not be made available to the intended beneficiary. Additionally, a VASP should determine whether the activity raises suspicion of ML, TF, PF or other criminal activity and file a suspicious transaction report to the GFIU without delay in accordance with the “Suspicious Activity Reporting” section of these Guidance Notes.

5.17 Artificial Intelligence Guidance

5.17.1 AI-related Risks

190. The FATF’s Horizon Scan AI and Deepfakes report, published in December 2025, provides a forward-looking perspective and analysis on the current and potential Artificial Intelligence (“AI”) related risks and trends [49]. The GFSC recognises the risks associated with AI and is aligned with the FATF’s perspective on this.

[49] FATF Horizon Scan: Artificial Intelligence and Deepfakes

5.17.2 AI & Deepfakes

191. While no universal term exists, the GFSC applies the FATF’s definition of deepfakes, which are defined as “synthetic media, typically videos, images, or audio, created using AI techniques, especially deep learning, to convincingly mimic real people’s appearance, voice or actions”. Deepfakes have become increasingly widespread and can be used to circumvent traditional AML/CFT/CPF CDD controls by impersonating individuals and manipulating biometric authentication. Through the use of deepfakes, criminals can increase the complexity, scale, and reach of their operations by disguising, manipulating, and anonymising identities.

192. All GFSC regulated entities are exposed to the risks presented by deepfakes, particularly due to the increase in online financial services. Easy accessibility of AI systems, in this case to create deepfakes, has also added to the existing risks by allowing both less experienced and highly skilled criminals to exploit the current AML/CFT/CPF systems in place. A developing tactic involves gathering stolen identity documents and constructing “hybrid” synthetic identities which combine personal information from both victims and suspects. These blended identities are then used to open accounts with regulated entities, evade CDD measures, and bypass facial recognition systems, heightening the risks of predicate offences.

193. The three key risk areas enhanced by deepfakes are:
a) The increasing dependence on biometric verification, particularly the use of facial recognition and video-based CDD, which creates heightened vulnerabilities to deepfake manipulation;
b) The continued lag in technological adoption, where many AML/CFT/CPF systems and controls remain insufficiently equipped to detect synthetic or manipulated content; and
c) The complexity of cross-border environments, where the interconnected nature of global finance systems complicates digital identification and the acceptance of remote identity verification, thereby creating opportunities for criminals to exploit weaknesses within AML/CFT/CPF regimes.

194. To mitigate the risks posed by deepfakes, regulated entities should take a risk-based approach, and may consider the following non-exhaustive methods:
a) Adopt enhanced identity-verification technologies, such as advanced liveness and other biometric authentication methods;
b) Strengthen CDD controls with AI-driven deepfake detection systems to identify any inconsistencies in video and audio content; and
c) Provide specialised training to employees on how to detect and mitigate the risks of AI-generated deepfakes, as well as common typologies within their respective sector.

Published by:
Gibraltar Financial Services Commission
PO Box 940
Suite 3, Ground Floor
Atlantic Suites
Europort Avenue
Gibraltar
www.gfsc.gi
© 2017 Gibraltar Financial Services Commission