Instruction No. 20/2020 of December 9 on AML/CFT Reporting, Risk Assessment, and IT Tools

INSTRUCTION NO. 20/2020 of December 9 SUBJECT: FINANCIAL SYSTEM

• Report on the Prevention of Money Laundering, Financing of Terrorism and Proliferation
• Risk Assessment
• IT Tools and Applications

Given the need to define the reporting model, as well as the implementation of risk assessment and the respective adequacy of auxiliary IT systems of Financial Institutions under the supervision of the National Bank of Angola, inherent to the fulfillment of obligations to prevent and combat money laundering, financing of terrorism, and proliferation of weapons of mass destruction;

In accordance with the provisions established in Article 9 of Law No. 05/20 of January 27, the Law on Prevention and Combat of Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction, combined with Articles 4, 6, and 27, all of Notice No. 14/20 of June 22.

I DETERMINE:

1. Object and Scope 1.1 This Instruction defines the reporting model, as well as the implementation of risk assessment and the respective adequacy of auxiliary IT systems of Financial Institutions. 1.2 This Instruction is applicable to Banking Financial Institutions under the supervision of the National Bank of Angola, hereinafter abbreviated as Institutions, under the terms and conditions provided in the Legal Framework of Financial Institutions Law.

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 2 of 33

2. Report on the Prevention of Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction. 2.1 The Report on the Prevention of Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction, hereinafter designated as the BCFTP Report, to be reported by the Institutions, is composed of: a) ANNEX I - Main Part; b) ANNEX II - Declaration by the Administrative/Management Body; c) ANNEX III - Opinion of the External Auditor regarding the truthfulness and adequacy of the Report, duly dated and signed; d) ANNEX IV - Opinion of the Supervisory Body; and, e) ANNEX V – Self-Assessment Questionnaire. 2.2 For the purposes of the established in numbers 1 and 2 of Article 27 of Notice No. 14/20, of June 22, the Institutions must submit the BCFTP Report to the National Bank of Angola: a) By January 31 of each year, reflecting the Institution's situation in the period between January 1 and December 31 of the previous year, containing the minimum information provided in the Annexes of this Instruction, and forming an integral part thereof. b) Without prejudice to the provision in the previous letter, the Institutions must submit the BCFTP Report to the National Bank of Angola in electronic PDF format, to the email address prevencaobcft@bna.ao, or in physical format, addressed to the Financial Conduct Department (DCF).

3. Risk Assessment 3.1 The Institutions must carry out annually the Institutional Risk Assessment process, on an individual basis, with reference to the period between January and December of each year, and the assessments must be submitted to the National Bank of Angola by March 10 of the following year. 3.2 Without prejudice to the provision in number 1 of Article 9 of Law No. 05/20 of January 27, in risk assessments, the Institutions must consider the profile of shareholders, the adequacy of IT tools and applications, the level of knowledge and integrity of the members of the Board of Directors and employees, regarding matters related to the Prevention and Combat of Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction, assigning a risk weight to each factor. 3.3 The risk assessment may be conducted using tools and/or external entities with proven experience and knowledge in the matter.

4. IT Tools and Applications 4.1. The Institutions must implement and adapt IT tools and applications intended for the Prevention and Combat of Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction by January 31, 2020. 4.2. For the purposes of the provision in the previous sub-point, it is considered: a) Tools, the general-purpose programs to perform simple and routine tasks; and, b) IT Applications, the specific programs with the objective of responding to the needs of a specific corporate business through the automation of functionalities inherent to the stages of its management process. 4.3. Without prejudice to the provision in number 2 of Article 9 of Law No. 05/20 of January 27, combined with Article 6 of Notice No. 14/20 of June 22, the IT tools and applications must: a) Ensure interoperability between the Institution's main system and the IT tools and applications intended for the Prevention and Combat of Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction; b) The interoperability referred to in the previous letter must allow that the operations carried out in the Institution's main system, among others, account opening, deposits, withdrawals, transfers, credits, foreign exchange, are reflected in real-time by the IT tools and applications with a view to verifying at least the following: i. Whether they are or are linked to designated persons and Institutions; ii. Whether they are politically exposed persons (PEPs); iii. The risk classification level associated with the client and transactions; and iv. Split transactions. c) Generate statistical reports on alerts, maintaining the history of due diligence carried out. 4.4. The Institutions must submit to the National Bank of Angola, by January 31, 2021, the instruction manual and functional description of the IT tools and systems implemented.

5. Doubts and Omissions Doubts and omissions resulting from the interpretation of this Instruction are resolved by the National Bank of Angola.

6. Sanctions Non-compliance with the provisions of this Instruction constitutes an offense punishable under the terms of Law No. 12/15, of June 17, the Legal Framework of Financial Institutions Law.

7. Transitional Provisions The Institutions must be in compliance with the provisions of this Instruction by January 31, 2021.

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 5 of 33

8. Repealing Norm Number 5 of Instruction No. 01/2013 of March 22, the Directive No. 01/DRO/DSI/15, of October 12, on the Self-Assessment Questionnaire, and other regulations contrary to the provisions of this Instruction are hereby repealed.

9. Entry into Force This Instruction enters into force on the date of its publication.

PUBLISH. Luanda, on December 9, 2020. THE GOVERNOR JOSÉ DE LIMA MASSANO

ANNEX I Main Part

1. Institutional Information and Relevant Contacts of the Financial Institution 1.1 General Information a) Full corporate name; b) Type of Financial Institution; c) Registration number at the National Bank of Angola; d) Address of the Financial Institution. 1.2 Presence Abroad a) Countries or jurisdictions of subsidiaries; b) Countries or jurisdictions of branches; c) Identification of correspondent banks and respective countries or jurisdictions where they are located; 1.3 Financial Institution with headquarters abroad, when operating in national territory, through branches. Identification of the headquarters address. 1.4 Activities and business areas a) Total assets (net, on an individual basis); b) Institution's strategy in AML/CFT/FP, including risk assessment and management criteria, duly formalized (current and planned) 1.5 Identification of members of the administrative body and employees with relevant functions 1.5.1. Administrative/Management Body: a) Identification of members of the administrative/management body and indication of their respective portfolios; b) Areas involved in the preparation of the report, telephone contact and email. 1.5.2. Compliance Officer at the end of the reference period: a) Name;

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 7 of 33

b) Date of commencement of duties; c) Direct telephone contact; d) Email address; and e) Minutes of their appointment (attach as annex). 1.5.3. Internal Audit Function: a) Name; b) Date of commencement of duties; c) Direct telephone contact; and d) Email address.

2. Policies and Procedures for AML/CFT Control 2.1. Identification and Due Diligence Obligation 2.1.1. Verification of identification elements after establishment of the business relationship. In the reference period, indication of the number of new business relationships established and their respective percentage relative to the total business relationships established in that period, in which the institution's verification was completed after the start of the business relationship. 2.1.2. Information on the origin and destination of funds Indication of the number of: a) New business relationships established by natural persons and their respective percentage relative to the total business relationships established and information on the origin and destination of funds; b) Occasional transactions carried out and their respective percentage relative to the total universe of occasional transactions carried out and information on the origin and destination of funds; 2.1.3. Verification of identification elements of beneficial owners

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 8 of 33

2.1.4. Indication of the number of: a) New business relationships established by legal entities and their respective percentage relative to the total business relationships established and which verification of the identification elements of beneficial owners has been carried out based on authentic documents, as provided in number 2 of Article 10 of Notice 14/20, of July 22; b) Occasional transactions carried out and their respective percentage relative to the total universe of occasional transactions carried out. 2.2. Simplified Due Diligence Procedures 2.2.1. Description of the number of new business relationships established and their respective percentage relative to the total business relationships established, in which the Compliance Officer intervened, with the subsequent decision to apply simplified due diligence measures. 2.2.2. Description of the simplified due diligence procedures applied, namely: a) Verification of the identification of the client and the beneficial owner after the establishment of the business relationship; b) Frequency of updates of the elements collected in compliance with the identification and due diligence obligation; c) Reduction of the intensity of continuous monitoring and the depth of the analysis of operations; d) The absence of collection of specific information and the non-execution of specific measures that allow understanding the object and nature of the business relationship; e) The mere collection of elements that should not appear in the identification document of natural persons, legal entities or collective interest centers without legal personality;

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 9 of 33

f) Determination of the client's activity or respective profession based on the purpose or type of business relationship established or the transaction carried out; g) Other measures defined by the National Bank of Angola; h) Other measures defined by the Financial Institution. 2.3. Enhanced Due Diligence Procedures 2.3.1. Indication of the number of: a) Alerts generated by tools or information systems that require the intervention of a management member or another element of higher hierarchical level, in order to validate and allow the establishment of the business relationship, the execution of the operation or the collection of additional information, as well as description of the rule underlying the alert; b) New business relationships established and their respective percentage relative to the total business relationships established in that period, regarding which the intervention of the compliance officer or another member of the management took place, with the subsequent decision to apply enhanced due diligence measures; c) Cases in which the compliance officer or another member of the management decided to apply enhanced measures, motivated by the increased risk of: i. Money Laundering; ii. Financing of Terrorism; iii. Financing of Proliferation of Weapons of Mass Destruction. d) Enhanced measures applied, with information on whether the application was motivated by the risk of Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction, namely:

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 10 of 33

i. The obtaining of additional information about clients, their representatives or beneficial owners, as well as about planned or carried out operations; ii. The carrying out of additional due diligence to verify the obtained information; iii. The intervention of higher hierarchical levels to authorize the establishment of business relationships, the execution of occasional transactions or the carrying out of operations in general; iv. The intensification of the depth or frequency of the business relationship monitoring procedures or of certain operations or set of operations, with a view to detecting possible indicators of suspicion and the subsequent fulfillment of the communication obligation provided in Article 17 of Law No. 5/20, of January 27; v. The reduction of time intervals for updating the information and other elements collected in the exercise of the identification and due diligence obligation; vi. The monitoring of the follow-up of the business relationship referred to in letter f) number 2 of Article 11 of Law No. 5/20, of January 27 or by another employee of the obligated Institution who is not directly involved in the commercial relationship with the client; vii. The requirement that the first payment related to a given operation be made through a traceable means originating from a payment account opened by the client with a Financial Institution or another legally authorized entity, which, not being located in a high-risk third country, applies identification and due diligence measures equivalent to those required.

e) High-risk third countries relevant in the context of the specific operational reality of the Institution; f) Occasional transactions carried out and their respective percentage relative to the total universe of occasional transactions carried out, without the client or their representative being physically present. g) Occasional transactions carried out and their respective percentage relative to the total universe of occasional transactions carried out in the reference period, with clients holding the status of "Politically Exposed Persons"; h) Clients holding the status "Holder of other political or public offices", in which an increased risk of Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction has been identified.

2.4. Obligation of Refusal 2.4.1. Description of the procedures implemented to comply with the obligation of refusal provided in Article 15 of Law No. 5/20 of January 27. 2.4.2. In the reference period, indication of the number of account openings, business relationships, execution of occasional transactions or other operations, refused, not initiated or terminated due to non-obtention of the elements contained in Articles 11 to 14 of Law No. 05/20 of January 27.

2.5. Obligation of Conservation 2.5.1. Description of the procedures implemented to comply with the obligation of conservation provided in Article 16 of Law No. 5/20 of January 27. 2.5.2. Support and location of archive information on the mode of conservation of the elements contained in Article 16 of the Law, with indication:

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 12 of 33

a) Of the types of durable support used; b) Of the archive location. 2.6. Obligation of Communication 2.6.1. Description of the procedures implemented to comply with the obligation of communication provided in Article 17 of Law No. 05/20 of January 27. 2.6.2. Description of the information circuit in the process of communication of suspicious operations (from the moment the suspicious situation is detected until the eventual decision to communicate it to the competent authorities), including information on: a) The formal participants in the process; b) The IT functionalities associated, when applicable. 2.6.3. In the reference period, indication of the total number of communications to the Financial Intelligence Unit ("FIU") of: a) Declaration of Suspicious Operations (DOS); b) Declaration of Cash Transactions (DTNS); c) Declaration of Identification of Designated Persons, Groups or Entities (DIPD). 2.7. Obligation of Abstention 2.7.1. Description of the procedures implemented to comply with the obligation of abstention provided in Article 18 of Law No. 05/20 of January 27. 2.7.2. In the reference period, indication of the number of communications resulting from situations in which the financial institution executed a suspicious operation considering that abstention from its execution was not possible.

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 13 of 33

2.8. Obligation of Cooperation and Provision of Information 2.8.1. Description of the procedures implemented to comply with the obligation of cooperation and provision of information provided in Article 19 of Law No. 05/20 of January 27. 2.8.2. In the reference period, indication of the number of requests for cooperation and provision of information received under Article 19 of Law No. 05/20 of January 27, regarding each of the following Institutions: a) Attorney General's Office (PGR); b) Financial Intelligence Unit (FIU); c) Judicial and Police Authorities; d) General Tax Administration (AGT). 2.9. Duty of Confidentiality Description of the procedures implemented to comply with the duty of confidentiality provided in Articles 20 and 21, both of Law No. 05/20 of January 27. 2.10. Obligation of Training 2.10.1. Description of the procedures implemented to comply with the duty of training provided in Article 23 of Law No. 05/20 of January 27. 2.10.2. In the reference period, statistical information on training actions on AML/CFT prevention matters directed to relevant employees of the Financial Institution. 2.10.3. Describe the information for each training action carried out: a) Name and object; b) Subject matter of the action; c) Date of execution; d) Training entity; e) Name and function of the trainers (internal/external)

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 14 of 33

f) Duration (in hours); g) Supporting didactic material h) Nature (internal or external training); i) Environment (face-to-face or distance training); j) Indication of the functions of the trainees; k) Number of participating employees; l) Final evaluation of the trainees. 2.11. Restrictive Measures 2.11.1. Description of the means and mechanisms implemented to ensure compliance with restrictive measures, adopted by the United Nations Security Council against designated persons or Institutions, and related to the Financing of Terrorism and Proliferation of Weapons of Mass Destruction, namely: a) Detection of any person or entities identified in restrictive measures; and b) The freezing and unfreezing of funds and economic resources. 2.11.2. Information on whether the Institution uses external Institutions that allow for the real-time updating of the information contained in the restrictive measures and their subsequent validation with the Institution's Financial Institution client base: a) In the affirmative, indication of the External Institutions; b) In the negative, description of the adapted procedure. 2.11.3. Indication of the time interval between: a) The updating of information on restrictive measures and the subsequent reflection in the IT tools and applications in use in the Financial Institution, with indication on: i. Whether the updates are in real-time;

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 15 of 33

ii. If not in real-time, their periodicity (in hours). 2.11.4. Indication on whether the Financial Institution proceeds to verification: a) Before the establishment of a business relationship; b) Before the execution of an occasional transaction; and c) During a business relationship. 2.11.5. Indication of the number of cases in which freezing and unfreezing measures of funds and economic resources were applied. 2.12. Correspondence Relationships 2.12.1. Measures under the responsibility of the respondent In the reference period, information on cross-border correspondence relationships in which the Financial Institution acts as respondent, with indication: a) Description of procedures for the establishment of Cross-Border Correspondence Relationships b) The name of the correspondents; c) Products and services provided d) The jurisdiction of the correspondent; e) The number of operations; f) The aggregated value of the operations. 2.13. Execution of Obligation by Third Parties In cases where the Financial Institution relies on third parties to execute identification and due diligence measures on clients, their representatives or beneficial owners, describe the following: a) Procedures that allow assessing whether the entity observes AML/CFT/FP obligations b) Name of the third-party service provider;

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 16 of 33

c) Software to be used by the entity; d) Jurisdiction of the headquarters of the third-party service provider Institution; e) The number of clients subject to identification and due diligence procedures executed by the third-party institution.

3. Risk Management 3.1. Information related to the Compliance Function: a) Description of functions; b) Description of existing mechanisms that ensure the independence/autonomy of Compliance; c) Description of human and technological resources and access to relevant information for the execution of its function. 3.2. In cases where there is no segregation between the compliance function and other organizational units, describe the alternative mechanisms that allow mitigating potential conflicts of interest. 3.3. Description of the risk management model for Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction of the Financial Institution, with indication: a) Information on risk factors for Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction, related to the activity of the Financial Institution; b) Information on risk factors for Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction inherent to clients and transactions; c) Describe the policies, procedures and controls instituted to identify, assess, monitor and control risks, in order to ensure compliance with the provisions provided in Articles 9 and 22, both of Law No. 05/20, of January 27 for the mitigation

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 17 of 33

of the identified and assessed risk factors; 4