BCT Circular to Banks and Financial Institutions No. 2018-09 of October 18, 2018

Tunis, October 18, 2018

CIRCULAR TO BANKS AND FINANCIAL INSTITUTIONS No. 2018-09 Subject: Internal control rules for managing money laundering and terrorist financing risks.

The Governor of the Central Bank of Tunisia: Having regard to Organic Law No. 2004-63 of July 27, 2004 on the protection of personal data; Having regard to Organic Law No. 2015-26 of August 7, 2015 on the fight against terrorism and the repression of money laundering; Having regard to Law No. 2000-93 of November 3, 2000, as amended and supplemented by subsequent texts promulgating the Commercial Companies Code, notably Law No. 2009-16 of March 16, 2009; Having regard to Law No. 2005-51 of June 27, 2005 on electronic funds transfer; Having regard to Law No. 2016-35 of April 25, 2016 on the status of the Central Bank of Tunisia; Having regard to Law No. 2016-48 of July 11, 2016 on banks and financial institutions; Having regard to Decree-Law No. 2011-87 of September 24, 2011 organizing political parties; Having regard to Decree-Law No. 2011-88 of September 24, 2011 on associations; Having regard to Decree No. 2016-1098 of August 15, 2016 fixing the organization of the Tunisian Financial Analysis Commission; hereinafter CTAF; Having regard to Government Decree No. 2018-1 of January 4, 2018 on procedures for implementing resolutions adopted by competent UN bodies related to the repression of terrorist financing; Having regard to Circular to Credit Institutions No. 2006-06 of July 24, 2006 on the establishment of a compliance control system; Having regard to Circular No. 2006-01 of March 28, 2006 on the regulation of outsourcing operations; Having regard to Circular No. 2006-19 of November 28, 2006 on internal control in credit institutions; Having regard to Circular No. 2011-06 of May 20, 2011 on strengthening good governance rules in credit institutions; Having regard to Circular to Approved Intermediaries No. 2012-11 of August 8, 2012 on the declaration to the Central Bank of Tunisia of foreign banknote operations with a value equal to or greater than 5,000 Tunisian dinars; Having regard to Circular No. 2017-08 of September 19, 2017 on the establishment of internal control rules for managing money laundering and terrorist financing risks; Having regard to the Tunisian Financial Analysis Commission Decision No. 2017-01 of March 2, 2017 on guiding principles regarding the reporting of suspicious operations and transactions; Having regard to the Tunisian Financial Analysis Commission Decision No. 2017-02 of March 2, 2017 on guiding principles for financial professions regarding the detection and reporting of suspicious operations and transactions; Having regard to the Tunisian Financial Analysis Commission Decision No. 2017-03 on beneficial owners, as amended and supplemented by Decision No. 2018-10 of June 8, 2018; Having regard to Opinion No. 07-2018 of the Compliance Control Committee dated October 3, 2018, as provided for in Article 42 of Law No. 2016-35 of April 25, 2016 on the statutes of the Central Bank of Tunisia.

Decides: Article 1: The provisions of paragraphs 2 and 3 of Article 2 and the first paragraph of Article 58 of Circular No. 2017-08 are hereby repealed and replaced as follows: • Paragraph 2 of Article 2 (new): "Beneficial owner": the natural person(s) who directly or indirectly holds more than 20% of the capital or voting rights of a legal entity or legal arrangement, and generally any natural person who ultimately owns or exercises effective control over the client or on whose behalf a transaction is being conducted. By legal arrangement is meant trusts, fiduciaries, or any other similar legal arrangement within the meaning of CTAF Decision No. 2017-03. • Paragraph 3 of Article 2 (new): "Politically Exposed Persons": Tunisian or foreign persons who hold or have held high public office or representative or political missions in Tunisia or abroad, and persons who hold or have held important positions within or on behalf of an international organization, and notably:

• Head of State, Head of Government or government member,
• Governors,
• Parliament member, national and regional elected officials,
• Member of a constitutional court or high jurisdiction,
• Member of a constitutional body,
• Senior military officer,
• Ambassador, chargé d'affaires or consul,
• Member of boards or administrative councils of regulatory and supervisory authorities as well as the heads of these authorities,
• Member of the administrative, management, or supervisory body of a public company,
• Member of the management bodies or board of an international institution created by treaty or the head of its representation,
• Senior official of a political party,
• Member of the management bodies of a trade union or employers' organization. First paragraph of Article 58 (new): Covered institutions must immediately report suspicious operations and transactions in accordance with the model provided by CTAF Decision No. 2017-01 of March 2, 2017.

Article 2: The provisions of Articles 5, 6, 7, 8, 9, 10, 16, 19, 23, 46, 51, and 52 of Circular No. 2017-08 are hereby repealed and replaced as follows:

Article 5 (new): Covered institutions must, upon establishing a business relationship with a client and/or, where applicable, their representative, verify their identity and the scope of their activity as well as their banking and financial environment. They must conduct an interview during the first contact, for which a client identification "KYC" form, countersigned by an authorized person, must be added to the client's file, enabling:

• legal identification of the person;
• a clear understanding of the account holder's activities, income, and assets;
• to obtain, when the client is a legal entity, any indication of its business flow, including, among other things, recent financial statements;
• to obtain, when the client is a legal arrangement, all information on its constituent elements, pursued objectives, management and representation arrangements, as well as the identity of the persons who established it and those managing it and the beneficial owners, and
• to understand and obtain information on the intended object and nature of the relationship. To this end, the information elements likely to be collected regarding the knowledge of the client's identity and legal, professional, economic, and financial situation must be contained in the "KYC" client identification form containing the minimum information as per Annex 1 of this circular. The above identification elements must also be collected from persons who may be required to operate a client's account under a power of attorney and from the managers of legal entities, whether salaried or not. Covered institutions are required to identify and verify the identity of occasional clients and, where applicable, beneficial owners. Client identification information must be supported by official documents, copies of which must be retained in the said client's file.

Article 6 (new): Covered institutions must perform due diligence regarding the identification of the client and the beneficial owner of the operation or transaction, and the capacity of the person acting on their behalf, notably when:

• the client wishes to open an account, regardless of its nature, or rent a safe deposit box;
• the client conducts occasional transactions, with a value equal to or greater than an amount set by ministerial decree of the Minister of Finance, whether carried out in a single operation or in several operations appearing linked;
• the client conducts operations in the form of electronic funds transfers;
• there is suspicion of money laundering or terrorist financing; and
• there are doubts regarding the accuracy or relevance of previously obtained client identification data.

Article 7 (new): Covered institutions may apply simplified due diligence measures to certain clients provided that a lower risk has been identified and assessed, and that this assessment is consistent with the national risk assessment and their own money laundering and terrorist financing risk assessments. They must, to this end, document their assessments to demonstrate their basis, keep them updated, and be able to justify to the Central Bank of Tunisia the adequacy of the due diligence measures they have implemented relative to the money laundering and terrorist financing risks presented by the business relationship. Simplified measures must be proportional to the lower risk factors, which notably consist of:

• Verification of the client's and beneficial owner's identity after the establishment of the business relationship;
• Reduction in the frequency of updates to client identification elements; and
• Reduction in the intensity of ongoing monitoring and the depth of transaction scrutiny based on a reasonable threshold. Simplified due diligence measures are not acceptable when there is suspicion of money laundering or terrorist financing or in specific higher-risk cases.

Article 8 (new): Covered institutions must observe the due diligence provided for by CTAF Decision No. 2017-3 and take all reasonable measures in accordance with Article 108 of the Organic Law to verify the identity of the beneficial owner, notably by consulting relevant information or data obtained from reliable sources. To this end, they must notably:

• determine, for all clients, whether the client is acting on behalf of a third party and take, if so, all reasonable measures to obtain sufficient identification data to verify the identity of this third party;
• ensure that the client is not a nominee or a shell company.
• take, when the client is a legal entity or a legal arrangement, all reasonable measures to verify the identity of the beneficial owner(s) using the following identification elements: i. if the client is a legal entity: i.1- the identity of the natural person(s) who ultimately hold or hold a participation in the legal entity enabling them to exercise effective control; i.2 After applying (i.1) and as soon as there are doubts as to whether the person(s) holding a controlling participation are the beneficial owner(s) or as soon as no natural person exercises control through a participation, covered institutions must verify the identity of the natural person(s), if any, exercising effective control over the legal entity by any other means, including control over its management, administrative, or supervisory bodies or general assemblies; i.3 when no natural person is identified under points (i.1) or (i.2), covered institutions must identify and take reasonable measures to verify the identity of the relevant natural person holding the position of senior managing official. (ii) If the client is a legal arrangement: ii.1 For trusts, the identity of the trust settlor, the trustee(s), the protector, the beneficiaries or category of beneficiaries, and any other natural person ultimately exercising effective control over the trust, including through a chain of control or ownership. ii.2 For other types of legal arrangements, the identity of persons holding positions equivalent or similar to (ii.1). When the client is a company listed on a financial market and subject to disclosure obligations ensuring satisfactory transparency of beneficial owners, or a majority-owned subsidiary of said company, covered institutions may be exempted from the obligation to identify and verify the identity of the shareholders or beneficial owners of this company provided they obtain the relevant identification data from public registers or from the client or other reliable sources.

Article 9 (new): When covered institutions rely on third parties to fulfill the customer due diligence obligation, they must:

• immediately obtain the necessary information regarding the customer due diligence measures;
• take adequate measures to ensure that the third party is able to provide, upon request and without delay, copies of identification data and other relevant documents related to customer due diligence duties;
• ensure that the third party is subject to regulation and supervision regarding the repression of money laundering and the fight against terrorist financing and has taken measures to comply with customer due diligence duties and document retention obligations; and
• ensure that the third party is a legal arrangement whose identity is clear and could be easily identifiable. When covered institutions determine the countries in which third parties meeting the conditions may be established, they must take into account in their relations with them the available information on the risk level associated with these countries. Reliance on a third party does not exempt the covered institution from its responsibilities regarding client identification and in all cases it must continue to ensure the obligations placed on it by the legal and regulatory framework governing outsourcing. When a covered institution relies on a third party belonging to the same financial group, the obligations indicated above are satisfied under the following circumstances: (a) the group applies customer due diligence measures, document retention obligations, politically exposed person identification measures, and anti-money laundering and terrorist financing programs; (b) the implementation of these customer due diligence measures, document retention obligations, as well as anti-money laundering and terrorist financing programs is controlled at the group level by a competent authority; (c) any higher risk presented by the country is satisfactorily mitigated by anti-money laundering and terrorist financing policies at the group level.

Article 10 (new): Covered institutions with subsidiaries or branches established abroad must ensure that their branches and subsidiaries established abroad in which they hold a majority stake are protected, in appropriate forms, against the risk of being used for money laundering and terrorist financing purposes by implementing at the group level adequate and risk-appropriate programs for money laundering and terrorist financing risks and the nature of their activity, which notably include: (a) compliance control mechanisms; (b) selection procedures guaranteeing the recruitment of employees according to stringent criteria; (c) a continuous training program for staff; (d) an independent audit function; (e) information sharing policies and procedures required for customer due diligence and money laundering and terrorist financing risk management; (f) the provision of information from branches and subsidiaries regarding clients, accounts, and operations, when necessary for anti-money laundering and terrorist financing purposes, to group-level compliance functions. This information must include data and analyses of transactions or activities that appear unusual if such analyses have been conducted. Likewise, the group-level compliance control body must also share this information with compliance officers at the branch and subsidiary levels when relevant and appropriate for risk management; and (g) satisfactory guarantees regarding confidentiality and use of exchanged information, including guarantees to prevent disclosure. Covered institutions must ensure that their foreign branches and subsidiaries in which they hold a majority stake are equipped with a due diligence mechanism at least equivalent to that provided for by this circular. These subsidiaries and branches must communicate to the parent company, where applicable, the local mechanisms applicable in host countries that oppose the implementation of all or part of the requirements provided for by this circular.

When the minimum anti-money laundering and terrorist financing obligations of the host country are less stringent than those provided for by this circular, covered institutions ensure that their majority-owned branches and subsidiaries apply the obligations provided for by this circular to the extent permitted by the laws and regulations of the host country. When the host country does not allow the appropriate implementation of anti-money laundering and terrorist financing measures provided for by this circular, covered institutions must ensure that their majority-owned branches and subsidiaries apply appropriate additional measures to adequately manage money laundering and terrorist financing risks and must inform the Central Bank of Tunisia.

Article 16 (new): Covered institutions must, in addition to the measures provided for in Chapter I of Title I, exercise enhanced due diligence for their relationships with politically exposed persons. To this end, they must: a) implement risk management systems to determine whether the client or beneficial owner is a politically exposed person; b) obtain authorization from the board of directors or executive committee, or any person authorized to this effect, to establish or continue, as the case may be, a business relationship with such a person; c) take reasonable measures to understand the origin of the assets and funds of clients and beneficial owners identified as politically exposed persons; and d) ensure continuous and enhanced monitoring of this relationship. These same provisions apply to close relatives of the persons referred to in the first paragraph of this article, as well as to persons having close ties with them. Close relatives of the aforementioned persons are considered to be direct family members: ascendants and descendants in the first degree, as well as their spouses. A person having ties with the aforementioned persons is considered any natural person known to maintain close business ties with them.

Article 19 (new): Covered institutions must take enhanced due diligence measures proportional to the risks in their business relationships and operations with natural and legal persons from countries against which the Financial Action Task Force (FATF) calls for action in its public statements. These measures include:

• Obtaining additional information on the client and more frequent updates of client and beneficial owner identification data;
• Obtaining additional information on the intended nature of the business relationship;
• Obtaining information on the origin of funds or the origin of the client's assets;
• Obtaining authorization from the board of directors or executive committee, or any authorized person, to engage or continue the business relationship; and
• Increasing the number and frequency of checks and the selection of operations requiring more in-depth scrutiny. Covered institutions are required, in their business relationships and operations with natural and legal persons from countries presenting strategic deficiencies in the fight against money laundering and terrorist financing, to apply effective and risk-proportional countermeasures when the FATF calls for it in its public statements. These countermeasures notably include:
• systematically reporting financial operations;
• refraining from opening subsidiaries, branches, or representative offices in these countries;
• limiting business relationships or financial operations with identified countries and persons in these countries;
• prohibiting reliance on third parties established in the concerned country to carry out certain elements of the customer due diligence process; and
• reviewing and modifying or, if necessary, terminating correspondent banking relationships with financial institutions in the concerned country. Covered institutions must, independently of any FATF call, take effective and risk-proportional countermeasures in their business relationships and operations with natural and legal persons from countries against which competent Tunisian authorities call for action. Covered institutions must take into account the shortcomings raised by the FATF and the associated risks in their business relationships and operations with natural and legal persons from countries or jurisdictions under FATF surveillance reported in its statements on "Improving global compliance with anti-money laundering and terrorist financing standards: a permanent process".

Article 23 (new): The ordering party's covered institution ensures that qualified international wire transfers contain the following exact and complete information on the don