2021-01-14
The Reserve Bank of Zimbabwe issues this risk-based oversight guideline to require payment services providers and financial institutions to implement proportionate anti-money laundering and counter-terrorist financing frameworks aligned with the Money Laundering and Proceeds of Crime Act. Reporting entities must conduct comprehensive institutional risk assessments, apply tiered customer due diligence measures based on dynamic risk profiling, and maintain robust governance, transaction monitoring, and suspicious activity reporting systems. The guideline establishes enforceable minimum standards that enable targeted supervisory inspections while allowing regulated entities to allocate compliance resources efficiently according to their specific risk appetites.
RESERVE BANK OF ZIMBABWE
NATIONAL PAYMENT SYSTEMS
ANTI-MONEY LAUNDERING - RISK-BASED OVERSIGHT & SUPERVISION GUIDELINE
January 2021
Payment Services Providers and participants – AML-RBA Oversight Guidelines (January 2021) Page 2 of 82
TABLE OF CONTENTS
Institutional Risk Assessment ..... 40
Internal Controls, Policies and Procedures ..... 41
Risk Profiling ..... 42
Customer Due Diligence ..... 43
Beneficial Owner ..... 44
Ongoing Monitoring ..... 44
CDD Measures To Be Applied ..... 46
Enhanced Due Diligence ..... 47
Politically Exposed Person (PEP) ..... 48
Reliance on Intermediaries for CDD ..... 48
Dormant accounts ..... 49
22. ELECTRONIC FUNDS TRANSFERS ..... 49
23. NON-FACE-TO-FACE SITUATIONS ..... 50
24. REMITTANCES ..... 52
25. CONFIRMATION OF IDENTITY BY OTHER INSTITUTIONS ..... 54
26. NON-RESIDENT PERSONAL CUSTOMERS ..... 54
27. COMPANIES AND OTHER LEGAL ENTITIES ..... 55
28. CORRESPONDENT BANKING SERVICES ..... 56
29. SUSPICIOUS TRANSACTION REPORT (STR) ..... 57
30. TIPPING OFF AND PROTECTION FROM LIABILITY ..... 59
31. MANAGEMENT INFORMATION SYSTEM (MIS) ..... 60
32. TRAINING AND AWARENESS PROGRAMMES ..... 60
ATTACHMENT OF ANNEXURES ..... 64
ANNEXURE 1 ..... 64
ANNEXURE 2 ..... 67
General Guidance to Risk Based Approach ..... 67
Risk-Based Approach Cycle ..... 68
ANNEXURE 3 ..... 71
Risk Profiling of Customers ..... 71
ANNEXURE 4 ..... 74
Specific High Risk Elements and Recommendations for EDD ..... 74
ANNEXURE 5 ..... 76
General High Risk Factors ..... 76
General Low Risk Factors ..... 78
ANNEXURE 6 ..... 81
Other Sources of AML/CFT Guidance ..... 81
DEFINITIONS
“Agent” means a person acting in the name and on behalf of, and so representing, one or more PSPs issuing a retail payment instrument vis-à-vis users. The issuing PSP is subject to all relevant Zimbabwe rules on the principal-agent relationship. By virtue of the agency agreement, the agent is permitted to conduct solely and specifically the services indicated in the agreement.
“Financial institution” means any person who conducts a business involving one or more of the following activities as a:
(a) Recognised payment systems provider in terms of the National Payment Systems Act (Chap. 24:23);
(b) Participant bank or entity on a recognised payment system; and
(c) Third party services provider to a recognised payment system, including, but not limited to, credit and debit cards, cheques, money orders and electronic money.
“Payment Service Provider (PSP)” means an entity that provides services enabling funds to be deposited into and withdrawn from an account; payment transactions involving transfers of funds; the issuance and/or acquisition of payment instruments such as cheques, e-money, credit cards and debit cards; remittances; and other services central to the transfer of funds.
“Wire transfer” means any transaction carried out on behalf of an originator through a financial institution (including an institution that originates the wire transfer and an intermediary institution that participates in completion of the transfer) by electronic means, with a view to making an amount of money available to a beneficiary person at another financial institution.
LIST OF ABBREVIATIONS
AML/CFT: Anti-Money Laundering and Combating the Financing of Terrorism
CAP: Customer Acceptance Policy
CBR: Correspondent Banking Relationship
CDD: Customer Due Diligence
EDD: Enhanced Due Diligence
ESAAMLG: Eastern and Southern Africa Anti-Money Laundering Group
FATF: Financial Action Task Force
TF/FT: Terrorism Financing / Financing of Terrorism
FIU: Financial Intelligence Unit
G-20: Group of Twenty
KYC: Know Your Customer
KYCC: Know Your Customer’s Customer
KYE: Know Your Employee
ME: Mutual Evaluation
ML/TF: Money Laundering and Terrorist Financing
MLPC: Money Laundering and Proceeds of Crime Act, Chapter 9:24
NRA: National Risk Assessment
PEPs: Politically Exposed Persons
PSPs: Payment Services Providers
RBZ: Reserve Bank of Zimbabwe
RBA: Risk-Based Approach
UNSCRs: United Nations Security Council Resolutions
SDD: Simplified Due Diligence
STR: Suspicious Transaction/Activity Report
1.7 The Reserve Bank of Zimbabwe (RBZ), through its National Payment Systems, is issuing an Anti-Money Laundering (AML) Risk-Based Oversight and Supervision Guideline (hereinafter referred to as the Guideline) to ensure that the payment services providers or financial institutions that fall under its regulation comply with the MLPC Act and implement robust AML/CFT frameworks that are commensurate with their size, complexity and risk profile.
1.8 In 2015, Zimbabwe was subject to a 4th Round Mutual Evaluation (ME) by the Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG) to assess compliance with the FATF’s revised Standards. The country also conducted a National Risk Assessment (NRA) during the 2014/2015 period.
1.9 Consequently, this revised Guideline seeks to address the findings of the ME and the subsequent NRAs whilst closely reflecting the 2012 revised FATF Recommendations.
2. LEGAL FRAMEWORK
2.1 Zimbabwe underwent a comprehensive review of its AML/CFT regime. This exercise led to a number of new laws and amendments to existing legislation to strengthen the regime.
2.2 The Bank Use Promotion and Suppression of Money Laundering Act (Chap. 24:24) was the initial legal framework, promulgated in 2002.
2.3 Zimbabwe then passed the Money Laundering and Proceeds of Crime Act [Chap. 9:24] [Amendment of 2018] (MLPC Act), which is a composite legislation criminalising ML and TF.
2.4 The MLPC Act, section 12B, requires financial institutions to apply risk-sensitive measures based on a comprehensive ML/TF risk assessment. The section relates to the assessment of risks and the implementation of a risk-based approach by financial institutions (FIs) and designated non-financial businesses and professions (DNFBPs).
2.5 Nevertheless, implementing such an approach involves a comprehensive analysis and profound knowledge of AML standards and international KYC norms and standards.
Compliance with Anti-Money Laundering Laws
2.6 Every payment service provider or FI shall comply with the obligations and requirements under any enactment, directives, instructions and guidelines relating to anti-money laundering and the prevention of terrorism.
2.7 A payment service provider or FI shall guarantee that any agent or other third party acting on its behalf complies with those enactments, directives, instructions and guidelines.
3. RISK-BASED APPROACH
3.1 The risk-based approach (RBA) is the most effective way to combat money laundering and terrorist financing. According to FATF guidance published in October 2014, “RBA to AML/CFT means that countries, competent authorities and financial institutions are expected to recognise or identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively.”
3.2 Subsequently, the RBA is considered by regulatory bodies to be an important element in the fight against money laundering and terrorism: every financial institution should establish an AML/CFT strategy to assess and mitigate the risks involved in dealing with high-risk customers and the ongoing due diligence required.
3.3 However, the level of risk, the financial institution’s risk appetite and the regulatory environment all need to be considered in the implementation process in order to properly assess the risk associated with each customer.
3.4 Therefore, the AML/CFT compliance programme should be risk-based and designed to mitigate the money laundering and terrorist financing risks the reporting entity may encounter.
3.5 The general principle of a risk-based approach is that where customers are assessed to be of higher ML/TF risk, a reporting entity should take enhanced measures to manage and mitigate those risks, and correspondingly, where the risks are lower, simplified measures may be applied.
3.6 The use of a risk-based approach has the advantage of allowing resources to be allocated in the most efficient way, directed in accordance with priorities so that the greatest risks receive the highest attention.
3.7 For example, the risk-based approach may require extensive customer due diligence for high-risk customers, such as an individual (or corporate entity) whose source of wealth and funds is unclear or who requires the setting up of complex ownership and control structures.
3.8 A reporting entity should be able to demonstrate to a supervisory authority that the extent of customer due diligence and ongoing monitoring is appropriate in view of the customer’s ML/TF risks.
3.9 While there are no universally accepted methodologies that prescribe the nature and extent of a risk-based approach, an effective risk-based approach will allow a reporting entity to exercise reasonable business judgment with respect to its customers. The risk-based approach to customer due diligence and ongoing monitoring is recognised as an effective way to combat ML/TF risks. Refer to Annexure 5.
4. OBJECTIVE OF THE GUIDELINE
4.1 The MLPC Act designates the RBZ as the AML/CFT Supervisory Authority (SA) or Overseer for the payment systems providers or financial market infrastructures as defined in this Guideline.
4.2 This Guideline is therefore being issued pursuant to the MLPC Act and is intended to assist payment services providers or financial institutions with:
4.2.1 Understanding and complying with AML/CFT legislative and regulatory requirements;
4.2.2 Developing and implementing effective, risk-based AML/CFT compliance programmes that enable adequate identification, monitoring and reporting of suspicious transactions;
4.2.3 Understanding the expectations of the Central Bank with respect to the minimum standards for AML/CFT controls; and
4.2.4 Creating an enabling environment for effective collaboration and sharing of information as required for the purposes of AML/CFT.
5. SCOPE AND APPLICATION OF THE GUIDELINE
5.1 The RBZ issued an Oversight Framework on Payment Systems (2016) to guide payment services providers, participants, users and other stakeholders on payment systems related issues. The Framework briefly depicted the risk-based approach (RBA) concept.
5.2 Pursuant to that, this Guideline applies to:
5.2.1 Financial institutions regulated under the National Payment Systems Act, Chap. 24:23 (NPS Act), which include payment services providers and participant banks facilitating transactions on the approved payment systems platforms;
5.2.2 Any entity or individual licensed under the Exchange Control Act, Chap. 22:05 (EC Act);
5.2.3 Any entity or individual in the money transmission or remittance business pursuant to the Exchange Control or NPS Acts. This includes agents and sub-agents of money transfers.
5.3 The Guideline, together with the AML/CFT legislation and regulations, will form the framework against which the RBZ will assess the adequacy and effectiveness of payment systems providers’ and participant banks’ AML/CFT compliance programmes.
5.4 From time to time the RBZ will amend this Guideline to address changes in the AML/CFT legislative framework. However, financial institutions and PSPs should, as part of their risk management practices, stay current with emerging developments as they relate to AML/CFT and update their AML/CFT programmes as necessary.
6. BENEFITS AND RATIONALE FOR RBA
6.1 Risk-based oversight/supervision provides numerous benefits to the overseer as well as to the institutions. These include the following:
6.1.1 it enhances institutions’ ability to identify, understand, measure, manage and control risks as well as correct deficiencies;
6.1.2 it encourages frequent, open communication between payment systems providers/participants and the supervisor;
6.1.3 it enhances the supervision effort, in that the monitoring of new developments and strategic changes at a given institution is conducted throughout the oversight cycle;
6.1.4 less time is spent on investigation and assessment of the institution’s activities, as preliminary analysis is done through off-site analysis;
6.1.5 greater emphasis is placed on supervision or oversight inspection of payment system institutions and areas exhibiting the highest risk or adverse trends;
6.1.6 it improves the quality of the supervisory activities necessary to support the recommendations and conclusions. (Refer to Annexure 2)
7. ENFORCEABILITY OF THIS GUIDELINE
7.1 Further to the MLPC Act, the RBZ is empowered to issue guidelines to aid compliance with the NPS Act, the Banking Act or any other written law relating to AML/CFT.
7.2 Section 3 of the MLPC Act provides that the RBZ, as a designated supervisory authority, should issue compliance directions to an insurer or agent, or its controllers or officers, for breaching any written law, including AML/CFT laws. This may be done jointly with the FIU where deemed necessary.
8. RISK CATEGORIES AND DEFINITIONS
8.1 It is therefore necessary to have a common set of risk definitions for use in communications among overseers and the institution’s management, which will serve as a basis for risk-focused oversight strategies.
8.2 In simple terms, risk is defined as the potential that events, expected or unanticipated, may have an adverse effect on the institution’s economic and social performance.
8.3 For the purposes of risk-based oversight of payment systems, the following are generally the key risks: strategic, money laundering, terrorist financing, fraud, smuggling, corruption, tax evasion, credit, settlement, liquidity, operational, compliance, legal and reputational risk, among others.
8.4 Each PSP, participant and other stakeholder is therefore required to develop its own comprehensive risk management framework or system, tailored to its size and complexity, for approval by the Central Bank.
9. IDENTIFYING AND UNDERSTANDING ML/TF RISKS
9.1 In order to develop a risk-based AML/CFT compliance programme, a PSP or financial institution must first conduct an institutional risk assessment in order to understand its risks.
9.2 Reporting institutions must take appropriate steps to identify, assess and understand their ML/TF risks in relation to their customers, countries or geographical areas, and products, services, transactions or delivery channels.
9.3 Risk assessments should help financial institutions understand their inherent ML/TF risk exposure and which areas of their business they should prioritise in the fight against ML/TF.
9.4 The risk assessment should be approved by the Board and form the basis for the development of policies and procedures to mitigate ML/TF risks. It should reflect the risk appetite of the institution and establish the risk level deemed acceptable. The Central Bank will request and evaluate the adequacy of the financial institution’s risk assessment on an ongoing basis.
9.5 Financial institutions shall also incorporate the results of the National Risk Assessment (NRA), where available, into their ML/TF risk assessment process and apply the appropriate simplified or enhanced measures commensurate with the identified risks.
10. COMPONENTS OF THE RBA
10.1 The revised FATF Recommendation 1 advises on how to identify and assess ML/TF risks and ensure that the measures determined to prevent or mitigate them are adequate to the defined risks and the regulatory environment.
10.2 It states that “Countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action, including designating an authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively.”
10.3 Therefore, FATF Recommendation 1 can be considered as the groundwork towards the implementation of the risk-based approach, as indicated in the process flow diagram below:
Figure: RBA – Risk factors
Risk-Based Approach vs Risk Appetite
10.4 Developing a risk-conscious environment can be challenging; however, the financial institution should demonstrate an ability to balance its strategic objectives with the amount of risk that the entity is willing to take on in pursuit of value and profit in a challenging and dynamic environment.
10.5 A financial institution which is prepared to take on adverse risk should demonstrate a high level of scrutiny and enhanced due diligence (EDD) tools that will allow compliance with AML/CFT obligations.
10.6 Notably, this can increase the cost of compliance and raise regulator concerns about the level of compliance.
Implementation process
10.7 During the implementation process, it is important for the financial institution to plan the process so as to eliminate gaps that can lead to negative observations from the regulators.
10.8 The first step is the foundation of implementing the RBA and should cover all aspects by identifying the risk factors and setting up risk scoring.
11. GENERAL GUIDANCE ON AML/CFT
Key Narrative
11.1 Money laundering is the process used by criminals to conceal the illegal origin and ownership of funds derived from criminal activities. If successfully undertaken, it allows them to maintain control over those proceeds; the funds lose their criminal identity and appear to be legitimately derived.
11.2 The money laundering process involves three (3) main stages, namely, placement, layering and integration:
i. Placement: refers to the placing of proceeds of crime into the financial system without arousing suspicion, for example via deposits or purchases of cheques or money orders.
ii. Layering: refers to the movement of the money, often in a series of financial transactions which may cross multiple jurisdictions, designed to disguise the criminal source and provide the appearance of legitimacy. These transactions include purchasing investment instruments, insurance contracts, wire transfers, money orders and letters of credit.
iii. Integration: refers to the attempt to legitimise wealth derived from criminal activity. The illicit funds re-enter the legitimate economy by way of investment in real estate, luxury assets and business ventures, until the laundered funds are eventually disbursed back to the criminal, appearing to be legitimate funds.
11.3 There are three (3) broad groups of offences related to money laundering, which are as follows:
11.3.1 Knowingly assisting (in a number of specified ways) in concealing, or entering into arrangements for the acquisition, use and/or possession of, criminal property;
11.3.2 Failing to report knowledge or suspicion, or where there are reasonable grounds for knowing or suspecting, that another person is engaged in money laundering; and
11.3.3 Tipping off or prejudicing an investigation.
11.4 There are five main categories into which inherent AML/CFT risk falls:
i. Governance;
ii. Institution and related sector;
iii. Products and services;
iv. Delivery channel;
v. Customers;
vi. Geographic location.
11.5 However, money laundering risks may be measured using various categories, which may be modified by risk variables. The Wolfsberg risk-based approach guidance is the most commonly used set of risk criteria.
11.6 Based on Wolfsberg’s guidance on a risk-based approach, the risk factor identification or indicators that allow the assessment and measurement of the level of risk can be summarised in the following diagram:
Figure: RBA – Risk factors (Source: Wolfsberg)
11.7 Identifying these risk factors will assist in defining the weightage (weighted risk level) by listing each component and attributing a rating to it, which in turn allows the overall risk rating to be derived.
11.8 In order to define the customer risk, the financial institution should understand the nature of the customer, and that should be defined based on its vulnerability to money laundering and terrorist financing (e.g., the AML/CFT risk would be higher for non-resident customers than for residents).
11.9 Identifying the risk level of customers can be challenging for a financial institution in countries where there is no clear definition of high-risk customers or activities. However, there are international organisations that have advised on the types of customers susceptible to being used by money launderers and terrorist financiers, such as the FATF Recommendations, Wolfsberg principles, EU Directives and BSA/AML risk assessment guidance, which can be adopted as best practices.
11.10 It is also a separate offence under the MLPC Act not to establish appropriate policies and procedures to detect and prevent money laundering (regardless of whether or not money laundering actually takes place).
Terrorism Financing
11.11 Terrorism is defined as the unlawful threat of action designed to compel the government or an international organisation, or to intimidate the public or a section of the public, for the purpose of advancing a political, religious or ideological belief or cause. Financing of terrorism (FT/TF) is the process by which funds are provided to an individual or group to finance terrorist acts.
11.12 The key difference between ML and TF is that with ML, the person seeks to disguise the origins of illicit funds with a profit motive in mind, while in contrast a person funding terrorism may use legitimately held funds to pursue illegal and ideological motives. Financial institutions should bear this in mind when assessing the risks posed by those funding terrorism.
11.13 A financial institution that carries out a transaction knowing that the funds or property involved are owned or controlled by terrorists or terrorist organisations, or that the transaction is linked to or is likely to be used in terrorist activity, is committing a criminal offence.
11.14 TF often involves small sums of money and may be difficult to detect. Notwithstanding this, many of the AML controls financial institutions have in place will overlap with measures to combat the financing of terrorism (CFT). These may include, for example, risk assessments, customer due diligence procedures,
12. AML/CFT REQUIREMENTS FOR PSPs/FIs
12.1 Payment Services Providers regulated under the NPS Act are required to implement risk-based AML/CFT compliance programmes that are approved by their board of directors. Such programmes comprise:
12.1.1 Internal systems, processes and controls to ensure ongoing compliance with AML/CFT requirements;
12.1.2 Internal and external audits to verify compliance with AML/CFT requirements;
12.1.3 Training of relevant personnel in the identification, monitoring and reporting of suspicious transactions; and
12.1.4 A Compliance Officer, appointed by Senior Management and approved by the RBZ, with responsibility for continuous compliance with the AML/CFT legislation and guidelines.
12.1.5 The Compliance Officer is required to be “fit and proper” in order to carry out AML/CFT responsibilities diligently and effectively.
13. AML/CFT GOVERNANCE FRAMEWORK
13.1 ML and TF prevention should not be viewed in isolation from a PSP’s or financial institution’s other business systems and needs, but as part of the institution’s overall risk management strategies.
13.2 Consequently, it is imperative that the board and senior management of PSPs or financial institutions ensure that the policies, procedures, systems and processes that are put in place to prevent ML/FT and PF are appropriate. Refer to Annexure 1.
13.3 The PSP’s or financial institution’s AML/CFT programme should be risk-based and commensurate with the nature, size, complexity and inherent risks of the institution.
13.4 The PSP’s or financial institution’s AML/CFT policies, procedures and controls must be clearly documented and communicated to all relevant employees in the business units. All employees must be adequately trained to implement the AML/CFT policies and procedures and to be aware of their obligations in ensuring compliance with prevailing AML/CFT laws, regulations and guidelines.
13.5 The compliance function and other control functions comprise the second line of defence and are responsible for ongoing monitoring of the financial institution’s compliance with AML/CFT requirements.
13.6 Internal Audit is responsible for independent oversight and evaluation of the PSP’s or financial institution’s AML/CFT risk management controls, processes and systems, and of the effectiveness of the first and second line of defence functions. Findings of such reviews must be reported to the audit committee of the Board or an equivalent oversight body.
13.7 External auditors and the RBZ play a critical role in independently assessing the institution’s overall governance and control structure to determine whether it is adequately complying with the relevant standards and rules.
13.8 External auditors are required to conduct an annual AML/CFT audit on all regulated entities and submit reports to the RBZ. (Refer to Annexure 1)
14. AML/CFT RISK MANAGEMENT
14.1 Having a risk-based approach to AML/CFT is essential for the implementation of an effective AML/CFT risk management framework and the promotion of financial inclusion.
14.2 The risk-based approach allows for the implementation of appropriate customer due diligence, verification and monitoring procedures that are proportionate to the identified ML/TF risks to which the PSP or institution is exposed from its customers, products and the countries with which it transacts business. (Refer to Annexure 2)
14.3 FATF recognises that a regime that is risk-based will not be a ‘zero failure’ regime. However, the RBZ must be satisfied that the PSP or financial institution is generally taking reasonable measures to identify, monitor, control and report its ML/TF risks.
14.4 The RBZ recognises that the relationship between a customer and a PSP or financial institution is contractual and that the decision to accept or maintain a business relationship has a commercial basis.
14.5 However, ‘de-risking’, that is, terminating or restricting business relationships with customers or categories of customers without adequately assessing the risk and considering options to manage the risk, is not in keeping with a risk-based approach.
14.6 An overly cautious approach to AML/CFT measures may have the unintended consequence of excluding legitimate businesses and consumers from the formal financial system. Such actions may also lead to an overall reduction in financial sector transparency, create obstacles to trade, contribute to financial exclusion and drive financial transactions underground.
14.7 Further information on the subject of de-risking is available at the following link: http://www.fatf-gafi.org/publications/fatfgeneral/documents/rba-and-de-risking.html
14.8 The risk-based approach requires PSPs or financial institutions to implement measures to mitigate the risks identified from their enterprise business risk assessment that are appropriate to the nature, size and complexity of the institution.
14.9 The assessment of ML/TF risk is not a static exercise, and assessments must be reviewed and updated at appropriate times. Risks that have been identified may change or evolve over time due to any number of factors, including shifts in customer conduct, the development of new technologies and changes in the market.
14.10 Emerging risks observed from suspicious activity/transaction reports, compliance breaches or intelligence from front-line employees that have a bearing on the risk assessment should be noted and reflected in the risk assessment as soon as possible.
15. KNOWING YOUR CUSTOMER (KYC) AND CUSTOMER DUE DILIGENCE (CDD)
15.1 PSPs or financial institutions must develop and implement risk-based policies and procedures to mitigate the ML/TF risks identified in their business and customer risk assessments.
15.2 The risk assessment framework should identify which customers or categories of customers present higher risk and therefore require the application of enhanced due diligence (EDD).
15.3 Similarly, where the PSP or financial institution determines that a customer or a category of customer presents low risk, simplified due diligence (SDD) should be applied. Where SDD measures are applied on the basis of an assessment of low ML/TF risk, the customer due diligence (CDD) policies and procedures should clearly articulate the rationale and the applicable measures to be undertaken. In this regard, at a minimum, CDD measures must:
15.3.1 Identify the customer and, where applicable, the customer’s beneficial owner or legal representatives;
15.3.2 Verify the customer’s identity on the basis of reliable and independent sources and, where applicable, verify the beneficial owner’s identity in a way that satisfies the financial institution/PSP that it knows who the beneficial owner is. For legal persons and arrangements, this should include taking reasonable measures to understand the ownership and control structure of the customer;
15.3.3 Understand and, as appropriate, obtain information regarding the purpose and intended nature of the business relationship; and
15.3.4 Conduct ongoing due diligence on the business relationship and scrutinize transactions throughout the relationship to ensure that the activity is consistent with the financial institution’s knowledge of the customer and its risk profile, including, where applicable, the source of funds.
15.4 Financial institutions are required to conduct CDD on the customer and, where applicable, the beneficial owner and the person acting on behalf of the customer at appropriate times, such as when a customer is attempting to:
15.4.1 Establish a business relationship;
15.4.2 Conduct a one-off or occasional transaction based on set limits, where the transaction is carried out in a single operation or in several operations that appear to be linked; or
15.4.3 Conduct a one-off or occasional wire transfer above a set limit, where the transaction is carried out in a single operation or in several operations that appear to be linked.
15.5 Financial institutions may also conduct CDD where:
15.5.1 There is suspicion of ML/TF, regardless of the amount of the transaction, unless doing so would result in tipping off the customer. In such instances, the financial institution may forgo the CDD and must file an STR;
15.5.2 There is doubt about the veracity or adequacy of documents, data or information previously obtained for the purposes of identification or verification.
15.6 CDD should also be conducted when there is a change in the circumstances of the customer, for example, changes to the customer’s transaction activity.
15.7 The primary purpose of the CDD process is to ensure that the financial institution knows its customers and understands their financial activities. There should be sufficient information to obtain a complete picture of the risk associated with the business relationship and to provide a meaningful basis for subsequent monitoring.
16. CUSTOMER ACCEPTANCE POLICY
16.1 Every PSP or FI should develop a clear Customer Acceptance Policy (CAP) laying down explicit criteria for the acceptance of customers.
16.2 Examples of such criteria are as follows:
16.2.1 No account or e-wallet is opened in an anonymous or fictitious name;
16.2.2 Customers must be categorised according to their risk profile; and
16.2.3 Independent verifications and checks should be diligently conducted.
16.3 The CAP should be approved by the PSP’s or FI’s board and be continuously reviewed to take into account market developments and changes in customer risk profiles.
16.4 The CAP should be one of the cornerstones of the RBA and underpins the effective implementation of the AML/CFT risk management policy.
17. TECHNOLOGICAL DEVELOPMENTS
17.1 The accelerated development and increased functionality of new technologies used to provide payment channels or financial services create challenges in ensuring that these types of payment products and services are not misused for ML/TF purposes. Virtual currencies and various forms of electronic money, for example, are emerging as potential alternatives to traditional payment methods.
17.2 The RBZ reiterates that new and existing digital financial technologies should be approved before being launched and connected to any ecosystem, in line with the NPS Act. Financial institutions, PSPs and members of the public are therefore advised to undertake the necessary due diligence and assessment of the risks involved in dealing in digital financial technologies or with entities providing services associated with digital currencies.
17.3 Nothing in this document shall be taken to indicate the RBZ’s licensing, authorisation, endorsement or validation of digital currency services or of any entities involved in providing services associated with digital currencies.
17.4 Accordingly, dealings in digital currencies are not covered by the prudential and market conduct requirements applicable to licensed and authorised activities, or by established avenues for redress in the event of complaints or of losses and damages incurred by parties dealing in digital currencies.
17.5 Financial institutions must therefore assess the ML/TF risks associated with the introduction of all:
17.5.1 New financial products and services and/or changes to existing products and services; and
17.5.2 New, additional or developing technologies used to provide services.
17.6 Financial institutions must:
17.6.1 Undertake the risk assessment and approval prior to the launch or adoption of such new digital services, products, business practices and technologies;
17.6.2 Take appropriate measures to manage and mitigate the risks; and
17.6.3 Properly document the risk assessment.
17.7 In such instances, financial institutions must also consider, as applicable, the RBZ’s Guidelines regarding new or materially different products and services, in line with the NPS, Banking and Exchange Control Acts, among others.
17.8 Financial institutions must also assess the level of risk associated with potential or existing customers and third parties who offer technologically innovative products and services, such as Fintech companies, to determine whether the relationship poses higher ML/TF risk and thereafter categorize the relationship and conduct due diligence accordingly.
17.9 In this regard, financial institutions should ensure there are systems and controls in place to identify emerging ML/TF risks, assess them and, where appropriate, incorporate them into the institutional risk assessments in a timely manner.
17.10 The Central Bank will continue to monitor developments in new payment methods and provide additional guidance as necessary on emerging best practices to address regulatory issues in respect of ML/TF risks.
18. TRANSACTION MONITORING
18.1 Payment Systems Providers and financial institutions must have appropriate mechanisms and processes in place that allow for the identification of unusual transactions, patterns and activity that are not consistent with the customer’s risk profile.
18.2 Since these will not all be suspicious, financial institutions should also have processes to analyse transactions, patterns and activity to determine whether they are suspicious and meet the reporting threshold.
18.3 Transaction monitoring processes or systems may vary in scope or sophistication (from manual spreadsheets and exception reports to automated and complex systems, or a combination of both) depending on the size, volumes and complexity of the business operations.
18.4 Regardless, the key element of any system is having up-to-date customer information to facilitate the identification of unusual activity.
18.5 Monitoring can be either:
18.5.1 In real time, in that transactions and/or activities can be reviewed as they take place or are about to take place; or
18.5.2 After the event, through an independent review of the transactions and/or activities that a customer has undertaken.
18.5.3 Any monitoring mechanism must be commensurate with the level of risk identified and measured.
18.6 PSPs and financial institutions should also have systems and procedures to deal with customers who have not had contact for some time, such as dormant accounts or relationships, so as to be able to identify future reactivation and unauthorized use.
18.7 In designing monitoring arrangements, it is important that appropriate account be taken of the frequency, volume and size of transactions with customers, in the context of the assessed customer and product risk.
18.8 Monitoring processes and systems should enable trend analysis of transaction activity, including monitoring of transactions with parties in higher-risk countries or jurisdictions, to identify unusual or suspicious business relationships and transactions.
18.9 The monitoring system should enable PSPs or financial institutions to monitor and report to senior management on significant customer relationships and activity on an individual or consolidated basis across the financial group, and to identify activity that is inconsistent with the financial institution’s knowledge of the customer, their business and risk profile.
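The monitoring arrangements described in 18.1 to 18.9, worked as an added Python example that is not part of this Guideline: it runs a real-time check (18.5.1) and an after-the-event review (18.5.2) against a customer's risk profile, flags reactivation of a dormant account (18.6) and transactions with higher-risk jurisdictions (18.8), aggregates sub-limit operations that appear linked (15.4.2), and consolidates alerts per customer for senior management (18.9). The tiers, thresholds, jurisdiction codes, customers and transactions are all constructed assumptions, not values from the Guideline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Placeholder jurisdiction codes treated as higher risk (18.8); constructed, not a real list.
HIGH_RISK_COUNTRIES: Set[str] = {"HR1", "HR2"}
# Alert parameters commensurate with the customer's risk tier (18.5.3, 18.10); values are assumptions.
TIER_PARAMS = {
    "low":  {"single_limit": 5000.0, "volume_multiple": 3.0, "linked_window_days": 7},
    "high": {"single_limit": 1000.0, "volume_multiple": 1.5, "linked_window_days": 30},
}
OCCASIONAL_LIMIT = 1000.0            # assumed set limit for one-off or linked operations (15.4.2)
DORMANT_AFTER = timedelta(days=365)  # assumed inactivity period before an account is dormant (18.6)
Alert = Tuple[str, str, str, str]    # (customer_id, txn_id, rule, detail)


@dataclass
class Customer:
    customer_id: str
    risk_tier: str                  # assigned by the institution's risk profiling
    expected_monthly_volume: float  # from CDD on the purpose and intended nature of the relationship
    declared_countries: Set[str]    # jurisdictions the customer said it transacts with
    last_activity: date


@dataclass
class Txn:
    txn_id: str
    customer_id: str
    amount: float
    counterparty_country: str
    booked: date


def realtime_check(cust: Customer, txn: Txn) -> List[Alert]:
    """Review a transaction as it takes place (18.5.1) against the customer's profile."""
    p = TIER_PARAMS[cust.risk_tier]
    alerts: List[Alert] = []
    if txn.amount > p["single_limit"]:
        alerts.append((cust.customer_id, txn.txn_id, "single_limit", f"{txn.amount:.2f} > {p['single_limit']:.2f}"))
    if txn.booked - cust.last_activity > DORMANT_AFTER:
        alerts.append((cust.customer_id, txn.txn_id, "dormant_reactivation", f"idle since {cust.last_activity}"))
    if txn.counterparty_country in HIGH_RISK_COUNTRIES:
        alerts.append((cust.customer_id, txn.txn_id, "high_risk_jurisdiction", txn.counterparty_country))
    elif txn.counterparty_country not in cust.declared_countries:
        alerts.append((cust.customer_id, txn.txn_id, "undeclared_jurisdiction", txn.counterparty_country))
    return alerts


def periodic_review(cust: Customer, txns: List[Txn]) -> List[Alert]:
    """After-the-event review (18.5.2) of one period: volume against profile and linked operations."""
    p = TIER_PARAMS[cust.risk_tier]
    alerts: List[Alert] = []
    own = sorted((t for t in txns if t.customer_id == cust.customer_id), key=lambda t: t.booked)
    total, ceiling = sum(t.amount for t in own), cust.expected_monthly_volume * p["volume_multiple"]
    if total > ceiling:
        alerts.append((cust.customer_id, "-", "volume_vs_profile", f"period total {total:.2f} > {ceiling:.2f}"))
    # Several sub-limit operations that appear linked (15.4.2): sliding window over booking dates.
    span = timedelta(days=p["linked_window_days"])
    window: List[Txn] = []
    for t in own:
        if t.amount >= OCCASIONAL_LIMIT:
            window = []  # an above-limit operation triggers CDD on its own
            continue
        window = [w for w in window if t.booked - w.booked <= span] + [t]
        cluster = sum(w.amount for w in window)
        if cluster >= OCCASIONAL_LIMIT:
            alerts.append((cust.customer_id, t.txn_id, "linked_operations",
                           f"{len(window)} operations totalling {cluster:.2f} within {span.days} days"))
            window = []  # report the cluster once, then start a new window
    return alerts


def consolidate(alerts: List[Alert]) -> Dict[str, Dict[str, int]]:
    """Per-customer rule counts for reporting to senior management (18.9)."""
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for customer_id, _, rule, _ in alerts:
        out[customer_id][rule] += 1
    return {c: dict(r) for c, r in out.items()}


# Constructed sample customers and transactions.
CUSTOMERS = {
    "C-001": Customer("C-001", "low", 2000.0, {"ZW"}, date(2021, 1, 2)),
    "C-002": Customer("C-002", "high", 500.0, {"ZW"}, date(2019, 11, 1)),
}
TXNS = [Txn(f"T{i}", "C-001", 300.0, "ZW", date(2021, 1, 2 + i)) for i in range(1, 5)]
TXNS.append(Txn("T5", "C-002", 1500.0, "HR1", date(2021, 1, 10)))


def run_sample() -> Dict[str, Dict[str, int]]:
    alerts: List[Alert] = []
    for t in TXNS:
        alerts.extend(realtime_check(CUSTOMERS[t.customer_id], t))
    for c in CUSTOMERS.values():
        alerts.extend(periodic_review(c, TXNS))
    return consolidate(alerts)
```

Calling run_sample() returns the consolidated counts: C-001's four individually small transfers raise a single linked_operations alert, while C-002's one transfer raises four alerts (limit, dormant reactivation, higher-risk jurisdiction, volume against profile).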
18.10 The parameters and thresholds used to generate alerts of unusual transactions/activity should be customized to be commensurate with the financial institution’s ML/TF risk profile and the complexity and extent of its business activities. Standard parameters provided by the vendor may be used, but the financial institution must be able to validate and demonstrate to the RBZ that these are appropriate for the institution’s risk position.
18.11 The monitoring system should be tested on a periodic basis to ensure that the parameters are performing as expected and remain relevant. Where necessary, modifications may be required as a result of such testing.
18.12 Findings, analysis and the proposed modifications should be documented, indicating:
18.12.1 The rationale for reviewing the parameters and thresholds;
18.12.2 Details of the testing, any assumptions made and the analysis of outcomes; and
18.12.3 The changes made to the parameters and thresholds.
19. IDENTIFICATION OF DESIGNATED ENTITIES AND PERSONS AND FREEZING OF FUNDS
19.1 PSPs and financial institutions must be able to identify and comply with reporting and freezing instructions issued by the FIU regarding individuals and entities designated by the United Nations Security Council or by the High Court as terrorist entities.
19.2 Pursuant to the MLPC Act, PSPs or financial institutions have specific obligations to report immediately to the FIU where any of the following apply:
19.2.1 A person or entity named on the United Nations or consolidated lists has funds in the financial institution;
19.2.2 The PSP or financial institution has reasonable grounds to believe that the designated person or entity has funds in Zimbabwe; and
19.2.3 The designated person or entity attempts to enter into a transaction or continue a business relationship, in which case a suspicious transaction/activity report must be submitted immediately to the FIU. The financial institution must not enter into or continue such a transaction with the designated person or entity.
19.3 Terrorist screening is not a risk-sensitive due diligence measure and must be carried out regardless of the customer risk profile.
19.4 PSPs or financial institutions must put in place processes to screen customer details and payment instructions against the designated lists of persons and entities, and also to ensure that the lists being screened against are up to date.
19.5 The following measures should be considered:
19.5.1 Continuous risk-based screening of customer records;
19.5.2 Immediate screening of one-off, occasional transactions before the transaction is completed;
19.5.3 Procedures to screen applicable payment messages; and
19.5.4 Procedures to screen payment details on wire transfers and remittances to reasonably ensure that originator, intermediary and beneficiary details are included on the transfers.
19.6 PSPs’ or financial institutions’ policies and procedures should address:
19.6.1 The information sources used by the financial institution for screening (including commercial databases used to identify designated individuals and entities);
19.6.2 The roles and responsibilities of the financial institution’s employees and officers involved in the screening, reviewing and dismissing of alerts, maintaining and updating of the various screening databases and escalating potential matches;
19.6.3 The frequency of review of such policies, procedures and controls;
19.6.4 The frequency of periodic screening;
19.6.5 How potential matches from screening are to be resolved by the financial institution’s employees and officers, including the process for determining that an apparent match is a positive hit and for dismissing a potential match as a false match; and
19.6.6 The steps to be taken by the compliance officer for escalating potential or positive matches to senior management and reporting potential or positive matches to the FIU.
20. KNOWING YOUR EMPLOYEE (KYE)
20.1 In addition to knowing the customer, a PSP or financial institution must have robust procedures in place for knowing its employees.
20.2 Every regulated institution should have a recruitment policy to attract and retain employees of the highest levels of integrity and competence. The ability to implement an effective AML/CFT programme depends in part on the quality and integrity of employees.
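Returning to the screening controls in 19.3 to 19.6, an added Python example (not code from this Guideline): names are normalised and compared against a designated list and its aliases, potential matches are resolved as positive hits or false matches using date of birth or otherwise held for the CRO (19.6.5 and 19.6.6), a stale list snapshot is refused (19.4), and a payment instruction is screened before completion with a check that originator and beneficiary details are present (19.5.2 to 19.5.4). The list entry, reference, names, similarity threshold and maximum list age are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Dict, List, Optional

POTENTIAL_MATCH = 0.80  # assumed similarity score at which a potential match is raised

@dataclass
class Designation:
    name: str
    aliases: List[str]
    dob: Optional[date]  # may be absent from the source list
    reference: str       # list reference; placeholder value in the sample

@dataclass
class ListSnapshot:
    as_of: date          # when the list was last refreshed (19.4)
    entries: List[Designation]

@dataclass
class Candidate:
    entry: Designation
    matched_on: str
    score: float
    disposition: str = "pending"  # positive / false_match / manual_review (19.6.5)
    action: str = ""              # escalation step (19.6.6)

def normalise(name: str) -> str:
    """Lower-case, drop punctuation and sort tokens so 'Surname, Forename' equals 'Forename Surname'."""
    return " ".join(sorted(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()))

def resolve(cand: Candidate, subject_dob: Optional[date]) -> Candidate:
    """Positive hit or false match where dates of birth allow it; otherwise hold for the CRO."""
    if cand.entry.dob and subject_dob:
        if cand.entry.dob == subject_dob:
            cand.disposition, cand.action = "positive", "block; report to FIU immediately"
        else:
            cand.disposition, cand.action = "false_match", "dismiss; document the reason"
    else:
        cand.disposition, cand.action = "manual_review", "hold; escalate to the CRO"
    return cand

def screen_name(name: str, dob: Optional[date], snapshot: ListSnapshot, today: date) -> List[Candidate]:
    """Screen one name against every list name and alias; no risk tier is consulted (19.3)."""
    if (today - snapshot.as_of).days > 1:  # assumed maximum age of the list being screened against
        raise RuntimeError(f"designated list snapshot of {snapshot.as_of} is stale")
    found: List[Candidate] = []
    for e in snapshot.entries:
        score, matched_on = max((SequenceMatcher(None, normalise(name), normalise(n)).ratio(), n)
                                for n in [e.name, *e.aliases])
        if score >= POTENTIAL_MATCH:
            found.append(resolve(Candidate(e, matched_on, round(score, 3)), dob))
    return found

REQUIRED_FIELDS = ["reference", "amount", "paying_entity", "receiving_entity",
                   "originator_name", "originator_account", "beneficiary_name", "beneficiary_account"]

def screen_payment(msg: Dict[str, str], snapshot: ListSnapshot, today: date) -> Dict[str, object]:
    """Screen a payment instruction before it completes (19.5.2 to 19.5.4)."""
    missing = [f for f in REQUIRED_FIELDS if not msg.get(f)]
    if missing:
        return {"decision": "reject_incomplete", "missing": missing, "candidates": []}
    cands = (screen_name(msg["originator_name"], None, snapshot, today)
             + screen_name(msg["beneficiary_name"], None, snapshot, today))
    dispositions = {c.disposition for c in cands}
    if "positive" in dispositions:
        decision = "block_and_report"
    elif "manual_review" in dispositions:
        decision = "hold_for_review"
    else:
        decision = "proceed"
    return {"decision": decision, "missing": [], "candidates": cands}

# Constructed sample list and subjects; names and reference are placeholders.
TODAY = date(2021, 1, 14)
SNAPSHOT = ListSnapshot(TODAY, [Designation("Constructed Designated Person", ["C. D. Person"],
                                            date(1970, 1, 1), "PLACEHOLDER-REF-001")])

def run_sample() -> Dict[str, str]:
    out: Dict[str, str] = {}
    # Surname-first record with matching date of birth: positive hit.
    out["customer_1"] = screen_name("Person, Constructed Designated", date(1970, 1, 1), SNAPSHOT, TODAY)[0].disposition
    # Near-identical spelling but a different date of birth: dismissed as a false match.
    out["customer_2"] = screen_name("Constructed Designated Persson", date(1985, 5, 5), SNAPSHOT, TODAY)[0].disposition
    # Unrelated name: no candidate raised.
    out["customer_3"] = "match" if screen_name("Unrelated Sample Name", None, SNAPSHOT, TODAY) else "no_match"
    msg = {"reference": "PAY-0001", "amount": "250.00", "paying_entity": "Bank A", "receiving_entity": "Bank B",
           "originator_name": "Ordinary Customer", "originator_account": "111",
           "beneficiary_name": "C D Person", "beneficiary_account": ""}
    out["payment_missing_field"] = screen_payment(msg, SNAPSHOT, TODAY)["decision"]
    msg["beneficiary_account"] = "222"
    out["payment_alias_hit"] = screen_payment(msg, SNAPSHOT, TODAY)["decision"]
    return out
```

A payment instruction with a missing beneficiary account is rejected before any name is screened; once complete, the beneficiary's alias hit without a date of birth to compare puts the payment on hold for the CRO rather than letting it proceed.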
20.3 Consequently, PSPs or financial institutions should undertake due diligence on prospective employees and throughout the course of employment. At a minimum, the regulated institution should:
20.3.1 Verify the applicant’s identity and personal information, including employment history and background, and consider credit history checks on a risk-based approach;
20.3.2 Develop a risk-focused approach to determining when pre-employment background screening is considered appropriate or when the level of screening should be increased, based upon the position and the responsibilities associated with it;
20.3.3 Recognise that the sensitivity of the position or the access level of an individual employee may warrant additional background screening, which should include verification of references, experience, education and professional qualifications;
20.3.4 Maintain an ongoing approach to screening for specific positions, as circumstances change, or for a comprehensive review of employees over a period of time. Internal policies and procedures should be in place (e.g. codes of conduct, ethics, conflicts of interest) for assessing employees; and
20.3.5 Have a policy that addresses appropriate actions when pre-employment or subsequent due diligence detects information contrary to what the applicant or employee provided.
20.4 Verification should generally include the following:
20.4.1 Reference checks;
20.4.2 Checking the authenticity of academic qualifications;
20.4.3 Verifying employment history; and
20.4.4 Any other possible source of evidence of one’s background.
20.5 The names, addresses, position titles and other official information pertaining to employees appointed or recruited by the financial institution should be maintained for a period of up to six years after termination of employment and made available to the RBZ upon request.
20.6 PSPs or financial institutions should ensure, to the extent permitted by the laws of the relevant country, that similar recruitment policies are followed by their branches, subsidiaries and associate companies abroad, especially in those countries which are not sufficiently compliant with the recommendations of the Financial Action Task Force.
20.7 In addition to a robust recruitment policy, financial institutions should implement ongoing monitoring of employees to ensure that they continue to meet the institution’s standards of integrity and competence.
20.8 PSPs or financial institutions should establish and maintain procedures to ensure high standards of integrity among employees, including the meeting of statutory “fit and proper” criteria by the officers of the company. Integrity standards should be documented and accessible to all employees.
20.9 These procedures may include standards for:
20.9.1 Acceptance of gifts from clients;
20.9.2 Social liaisons with clients;
20.9.3 Disclosure of information about clients who may be engaged in criminal activity; and
20.9.4 Confidentiality.
20.10 The standards should include a code of ethics for the conduct of all employees, and procedures should allow for regular reviews of employees’ performance and their compliance with established rules and standards. They should also provide for disciplinary action in the event of breaches of these rules.
20.11 Financial institutions and PSPs should monitor employees, paying particular attention to employees whose lifestyles cannot be supported by their salary or known financial circumstances.
20.12 Supervisors and managers should be encouraged to know the employees in their department and to investigate any substantial changes in their lifestyles which do not match their financial condition. Procedures should provide for special investigation of employees who are associated with unexplained shortages of funds.
21. CORE OBLIGATIONS OF REPORTING ENTITIES
21.1 The core AML/CFT obligations of reporting designated non-financial businesses and professions are set out in sections 24-34 of the MLPC Act.
21.2 These core obligations can be summarised as follows:
21.2.1 To appoint an appropriately qualified and experienced compliance and reporting officer (CRO) with responsibility for AML/CFT compliance, and to establish and maintain procedures and systems (including an audit function and training programme) sufficient to ensure compliance;
21.2.2 To apply customer due diligence (CDD) measures, also known as ‘Know Your Customer’ (KYC) measures, using a risk-based approach, in respect of all customers, business relationships and transactions (s12B of the MLPC Act);
21.2.3 To conduct ongoing monitoring of business relationships, including paying special attention to complex, unusual or large transactions with no apparent economic or lawful purpose, and to relationships and transactions with persons in high-risk jurisdictions;
21.2.4 To stop acting and terminate any existing business relationship whenever unable to apply CDD or ongoing monitoring;
21.2.5 To maintain records, including records of all prescribed CDD measures and all transactions and related correspondence, for at least ten years from the transaction or correspondence date or the end of the business relationship;
21.2.6 To report suspicious transactions or attempted transactions to the FIU in terms of section 30 of the MLPC Act; and
21.2.7 To make the disclosures required by Statutory Instrument 56 of 2019 for the Suppression of Foreign and International Regulation.
21.3 Failure to comply with these core obligations may result in compliance action by the FIU, disciplinary action by the relevant supervisory authority (for example, the RBZ), and potentially in criminal prosecution for breach of the Suppression of Terrorism statutes or complicity in money laundering.
21.4 It is important to appreciate that the MLPC Act (2018) reflects a risk-sensitive approach to due diligence and monitoring by reporting entities. This means that reporting entities are permitted to adopt different approaches to CDD and ongoing monitoring of customers according to the different risk ratings of those customers.
21.5 A reporting entity may be allowed to apply ‘simplified due diligence’ in certain situations that are deemed to be low-risk for money laundering and financing of terrorism, and is required to implement enhanced measures in situations that are deemed to be high-risk.
Institutional Risk Assessment
21.6 Prior to conducting the risk assessment, PSPs or FIs should familiarise themselves with the latest National Risk Assessment (NRA), the Mutual Evaluation Report of Zimbabwe, any trends and typology reports issued by the Financial Intelligence Unit (FIU) and any other guidance issued by the RBZ or any arm of Government.
21.7 This will ensure that PSPs or FIs comprehend the ML/TF risk inherent to them at the national/country level and that the same is reflected in the risk assessment conducted at institutional level.
21.8 Furthermore, PSPs or FIs need to ensure that they are aware of the relevant requirements under the FATF 40 Recommendations which have an impact on their operations, and keep abreast of developments in the ML/TF landscape in order to update the risk assessment, as necessary, with relevant information.
21.9 In assessing ML/TF risks, as guided in section 8 above, reporting institutions are required to have the following processes in place:
21.9.1 Documenting their risk assessments and findings;
21.9.2 Considering all the relevant risk factors before determining the level of overall risk and the appropriate level and type of mitigation to be applied;
21.9.3 Keeping the assessment up to date through periodic review; and
21.9.4 Having appropriate and clearly defined mechanisms to provide risk assessment information to the supervisory authority.
21.10 PSPs or FIs do not have to follow all the processes in this Guideline but should apply the method of risk assessment that best suits their individual business needs, as long as it is adequate for the business and tailored to the local context.
21.11 However, they should be able to explain and demonstrate to the Central Bank the adequacy and effectiveness of the procedures, policies and controls stated therein, within the context of Zimbabwe’s AML/CFT requirements.
Internal Controls, Policies and Procedures
21.12 Reporting institutions and PSPs must:
21.12.1 Have policies, controls and procedures to manage and mitigate the ML/TF risks that have been identified;
21.12.2 Monitor the implementation of those policies, controls and procedures, and enhance them if necessary; and
21.12.3 Take enhanced measures to manage and mitigate the risks where higher risks are identified.
21.13 Every reporting entity must take appropriate measures to ensure that all officers, employees and agents engaged in dealing with customers or processing business transactions understand and comply with all applicable AML/CFT requirements.
21.14 Reporting entities who are individuals with no employees or associates do not have to appoint a separate compliance and reporting officer (CRO) to implement the procedures and systems set out in the MLPC Act. That does not, however, excuse the individual from compliance with the core obligations of CDD, ongoing monitoring, record-keeping and reporting suspicious transactions.
21.15 All other reporting entities must appoint a CRO with overall responsibility for AML/CFT compliance.
21.16 The CRO must be a senior officer who is sufficiently qualified and experienced to comply with the detailed requirements of the MLPC Act, to act as the liaison point with the FIU and relevant supervisory authorities in Zimbabwe, and to command the necessary independence and authority to train and supervise all other officers, employees, merchants and agents.
21.17 The CRO should at all times be resident in Zimbabwe. In addition, it is highly recommended that an alternate to the CRO be appointed to assume the prescribed responsibilities and duties in the CRO’s absence. When several entities operate closely together within a group, a single CRO at group level may be designated.
Risk Profiling
21.18 Financial institutions, including PSPs, must conduct risk profiling on their customers.
21.19 In profiling the risk of their customers, reporting institutions must consider the following factors:
21.19.1 Customer risk (e.g. resident or non-resident, type of customer, occasional or one-off, legal person structure, status as a PEP, occupation);
21.19.2 Geographical location of business or country of origin of customers;
21.19.3 The products, services, transactions or delivery channels (e.g. cash-based, face-to-face, non-face-to-face, domestic or cross-border); and
21.19.4 Any other information suggesting that the customer is of higher risk.
21.20 The risk control and mitigation measures implemented by reporting institutions shall be commensurate with the risk profile of a particular customer or type of customer.
21.21 Upon the initial acceptance of the customer, reporting institutions are required to regularly review and update the customer’s risk profile based on their level of ML/TF risk. (Refer to Annexure 3)
Customer Due Diligence
21.22 Customer due diligence (CDD), as defined in section 26 of the MLPC Act, has four key components:
21.23 Identifying customers, including any person acting on behalf of a non-individual customer, and verifying their identity;
21.24 Where the customer is not the beneficial owner, identifying the beneficial owner and taking reasonable measures to verify the beneficial owner’s identity;
21.25 Obtaining enough information about the nature of the business relationship and the customer’s or beneficial owner’s business to identify complex or unusual transactions or patterns of transactions and other high-risk activity; and
21.26 Taking reasonable measures to ascertain the purpose of one-off transactions outside an existing business relationship that exceed defined thresholds or limits.
Beneficial Owner
21.27 Note that the concept of ‘beneficial owner’ is now extensively defined in section 13 of the MLPC Act. This should be carefully studied by all CROs.
21.28 It is critical to emphasise that the concept of beneficial ownership is not the same as legal ownership and cannot be determined by reference to the legal position alone. Beneficial ownership is a broader concept which focuses on real benefit and/or ultimate effective control.
21.29 The four core CDD obligations apply across the full range of business relationships and transactions that may be undertaken by reporting entities, and continue after a business relationship has been established.
Ongoing Monitoring
21.30 The CDD obligations are supplemented by the general obligation of all reporting entities to conduct ongoing monitoring of all business relationships.
21.31 Ongoing monitoring has two key components:
21.31.1 Scrutinising transactions for consistency with the customer’s business, risk profile and source of funds/wealth; and
21.31.2 Keeping all CDD information and documentation up to date.
21.32 The objective of the ongoing monitoring obligation is to identify activities of customers during the course of a business relationship which are not consistent with the reporting entity’s knowledge of the customer, or the purpose and intended nature of the business relationship, and which need to be assessed for the possibility that the reporting entity may have grounds to report a suspicion of money laundering or terrorist financing.
21.33 A reporting entity is accordingly obliged to monitor all dealings with a customer, to the extent reasonably warranted by the customer’s risk profile, for consistency with the entity’s knowledge of the customer and the customer’s business and pattern of transactions.
21.34 When scrutinising the source of funds, a reporting entity should seek to discover the origin and the means of transfer of funds that are directly involved in the transaction (for example, business activities, proceeds of sale, corporate dividends).
21.35 Furthermore, when scrutinising the source of wealth, a reporting entity should seek to discover the activities that have generated the total net worth of the customer (that is, the activities that produced the customer’s funds and property).
21.36 Other measures for ongoing monitoring of relationships include:
21.37 Review of the customer account/relationship and the risk classification, and undertaking additional due diligence;
21.38 Enhanced monitoring of the relationship/transactions;
21.39 Imposition of restrictions on the customer relationship; or
21.40 Escalation to the relevant senior management level to determine how to handle the relationship going forward and whether to terminate the customer relationship.
CDD Measures To Be Applied
21.41 The default position is that CDD requirements are triggered whenever a reporting entity:
21.41.1 establishes a business relationship;
21.41.2 carries out a one-off transaction, outside an existing business relationship, that exceeds set limits in cash or wire transactions, whether in a single operation or in several linked operations;
21.41.3 has doubts about the veracity or adequacy of identification documentation; or
21.41.4 reasonably suspects money laundering, terrorist financing or other serious criminal conduct.
21.42 In the first two situations, the customer’s identity and the nature of the relevant business or transaction must be verified before the business relationship is established or the transaction carried out.
21.43 The only exception is for CDD conducted during, rather than before, the establishment of a business relationship, which is permissible in low-risk situations when necessary to avoid interruption to the normal conduct of business.
21.44 In this case the CDD must still be completed as soon as practicable after the relationship is established (refer to FATF Recommendation 10). What constitutes an acceptable time for this process must be determined in the light of all the circumstances, including the nature of the business, the geographical location of the parties, and whether it is practical to obtain all necessary documents before commitments are entered into or money changes hands.
21.45 All reporting entities should develop customer profiles based on the CDD information obtained. A customer profile will facilitate the ongoing monitoring of accounts and transactions and assist the reporting entity to identify suspicious transactions or patterns of transactions.
21.46 For banks and other financial institutions it is recommended that proof of source of wealth and initial source of funds be identified at the outset of a customer relationship. (Refer to Annexures 3 & 4)
Enhanced Due Diligence
21.47 A number of situations are deemed by the AML/CFT Laws to be sufficiently high-risk to trigger independent or additional CDD requirements.
21.48 However, the ultimate responsibility for identifying high-risk situations, and for responding to those risks through enhanced CDD and ongoing monitoring, rests with reporting entities.
21.49 Reporting entities should have adequate systems in place to identify in advance the countries in which their customers will be operating or transacting and, if necessary, to obtain additional supporting documentation, such as contracts and invoices, to verify the purpose and commercial reality of a relationship or transaction. (Refer to Annexures 4 & 5)
Politically Exposed Person (PEP)

21.50 Enhanced CDD and enhanced ongoing monitoring (on a risk-sensitive basis) are required whenever a customer, or any beneficial owner of a customer, is or becomes a politically exposed person (PEP).
21.51 A 'customer' for this purpose includes any person entering a business relationship or undertaking a one-off transaction with the reporting entity.
21.52 A PEP is defined in section 13 of the MLPC Act as an individual entrusted with a prominent public function, and includes any immediate family member or close associate of such an individual. It is important to note that both local and foreign PEPs are covered by this definition (refer to the Act).
21.53 A PEP also includes family members and associates, who may have different names and may not publicise the fact of their association with the relevant individual. Reporting entities are allowed to rely on public information in determining whether persons are within the definition of 'close associates' (for example, partners or joint ventures), and should conduct regular searches and checks for this purpose.
21.54 Once a PEP has been identified, a business relationship can only be established with the approval of senior management, and the reporting entity must take adequate measures to establish the source of wealth and the source of funds involved in any proposed relationship or transaction.

Reliance on Intermediaries for CDD

21.55 Section 18 of the MLPC Act allows some reporting entities to rely on intermediaries to apply CDD measures on their behalf, but only in tightly prescribed circumstances.
21.56 However, reliance on intermediaries does not excuse reporting entities from their obligation to make CDD records available on request by the RBZ and other regulatory bodies.
21.57 Section 18(4) of the MLPC Act expressly provides that the ultimate responsibility for CDD remains with the reporting entity.
21.58 The person relied on may apply CDD measures in respect of a reporting entity's customer, any beneficial owner of the customer, any third party for whom the customer is acting (or the beneficial owner of that third party), and any person purporting to act on the customer's behalf.

Dormant accounts

21.59 Reactivation of dormant accounts can only be undertaken following re-verification of the account holder in line with the requirements for new customers.

22. ELECTRONIC FUNDS TRANSFERS

22.1 Section 27 of the MLPC Act applies specifically to reporting entities which are licensed as financial institutions or payment systems providers in Zimbabwe.
22.2 When these entities provide electronic funds transfers for their customers, they are required to include accurate information on the transfer (the unique identifier number, addresses, paying and receiving banks or entities, originator, recipient, amount, and other related information or messages) and to ensure that the same information remains with the transfer.
22.3 This obligation should be read together with the requirements of the National Payment System Act and Guidelines.
22.4 Reporting entities should ensure that they obtain full name and address information from the ordering customer for all credit/debit transfers made by electronic means, both domestic and international, regardless of the payment or message system used.
22.5 To ensure that the SWIFT system is not used by criminals as a means of breaking the audit trail, when sending SWIFT MT 100 messages (customer transfers) reporting entities should accurately complete the fields for both the ordering and beneficiary customers with their respective names and addresses.
22.6 In addition, when the transfer is the result of a credit or debit card transaction, it is not necessary to include or keep originator information as long as the credit or debit card number is included with the transfer.
22.7 Records of electronic payments and associated messages must be treated in the same way as any other transaction records and kept by the reporting entity in an accessible form for a minimum of ten years (refer to section 9.2 of the Guidelines for Retail Payment Systems and Instruments 2017).

23. NON-FACE-TO-FACE SITUATIONS

23.1 Any non-face-to-face transaction or contact between reporting entities and customers inevitably poses difficulties for customer identification. Reporting entities are nevertheless obliged to apply equally effective customer due diligence and ongoing monitoring procedures for non-face-to-face customers.
23.2 Financial institutions in particular are increasingly requested to open accounts or electronic wallets on behalf of customers who do not present themselves for personal interview. An institution is obliged to put specific and adequate measures in place to mitigate this higher risk and to take particular care in supervising the account opening process.
23.3 It may be inappropriate to accept photographic evidence of identity, for example, as there is greater difficulty in matching the purported customer with the documentation supplied.
23.4 Examples of good practice measures for risk mitigation in the non-face-to-face context include:
23.4.1 Requiring additional documents;
23.4.2 Requiring certification of documents presented by a notary, diplomatic official, or equivalent independent professional;
23.4.3 Independent contact with the customer;
23.4.4 Third party introduction, where consistent with the AML Regulations regarding reliance on intermediaries to conduct CDD on the reporting entity's behalf:
23.4.4.1.1 Reporting institutions may rely on third parties to conduct CDD or to introduce business.
23.4.4.1.2 The ultimate responsibility and accountability for CDD measures shall remain with the reporting institution relying on the third parties.
23.4.4.1.3 Reporting institutions shall have in place internal policies and procedures to mitigate the risks when relying on third parties; and
23.4.5 Requiring an initial payment to be carried through an account in the customer's name with another bank subject to equivalent CDD requirements, in particular for customers in the diaspora requiring such services.

24. REMITTANCES

24.1 Full details of all remittances, as required by law, must be recorded, including the name of the beneficiary.
24.2 If the information required by law relating to the name of the originator (including details of the transaction) is not provided by the customer, then the transaction should not be processed and the PSP or FI should consider submitting a report to the FIU.
24.3 If staff have any concerns about the validity of the documents provided by the customer, reference must be made to senior management and/or the compliance officer before conducting the transaction. Copies of supporting documents must be kept together with the payment system or wire transfer application form.
24.4 In circumstances where the PSP/FI's knowledge of the customer is not consistent with the value or purpose of the remittance but staff are satisfied with the explanation given for the remittance, the remittance may be processed for payment.
24.5 Future requests to transfer funds should be monitored against the customer profile to confirm or refute the initial explanation. Should staff form the view that the customer may be involved in money laundering or terrorist financing, a suspicious transaction report must be completed and submitted to the compliance officer.
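Paragraphs 22.2 to 22.6 and 24.2 above describe what must travel with an outgoing transfer and what to do when it is absent, and 24.7 below describes the steps for an inward remittance that arrives incomplete. The following is an added example of such a completeness check; it is not the guideline's or any PSP's own code. The field names are assumptions of the example (they are not SWIFT message tags), the minimum field set is an assumption drawn from those paragraphs, and the sample records are constructed.

```python
"""Completeness checks for electronic transfer records, following 22.2-22.6 and
24.2 (outgoing) and 24.7 (incoming) of the guideline.

Added illustration, not the guideline's or any PSP's own code. Field names are
assumptions (not SWIFT tags); sample records below are constructed.
"""
from dataclasses import dataclass, replace

# Originator details that must travel with the transfer (22.2, 22.4, 24.6) and the
# beneficiary details named in 22.5 and 24.1. Treating these as the minimum set is
# an assumption of this example.
REQUIRED_ORIGINATOR = ("name", "address", "account_or_unique_id")
REQUIRED_BENEFICIARY = ("name", "address")


@dataclass(frozen=True)
class Party:
    name: str = ""
    address: str = ""
    account_or_unique_id: str = ""


@dataclass(frozen=True)
class Transfer:
    reference: str
    direction: str               # "outbound": we are the ordering institution; "inbound": we receive
    originator: Party
    beneficiary: Party
    amount: float
    ordering_institution: str = ""
    beneficiary_institution: str = ""
    card_initiated: bool = False  # the card number travels with the transfer (22.6)


def missing_fields(t):
    """List the fields the record lacks. A card-initiated transfer is excused the
    originator details only because the card number stands in for them (22.6)."""
    missing = []
    if not t.card_initiated:
        missing += [f"originator.{f}" for f in REQUIRED_ORIGINATOR
                    if not getattr(t.originator, f).strip()]
    missing += [f"beneficiary.{f}" for f in REQUIRED_BENEFICIARY
                if not getattr(t.beneficiary, f).strip()]
    if not t.ordering_institution.strip():
        missing.append("ordering_institution")
    if not t.beneficiary_institution.strip():
        missing.append("beneficiary_institution")
    if not t.amount > 0:
        missing.append("amount")
    return missing


def decide(t, remitter_reply=None):
    """Return (action, missing_fields) for a transfer record.

    remitter_reply: Party supplied by the remitting institution in answer to a
    request for the missing originator information (24.7), or None if no request
    has been made yet.
    """
    if t.direction not in ("outbound", "inbound"):
        raise ValueError(f"unknown direction {t.direction!r}")
    missing = missing_fields(t)
    if not missing:
        return ("process", [])
    if t.direction == "outbound":
        # 24.2: do not process the transaction and consider a report to the FIU
        return ("do_not_process_consider_fiu_report", missing)
    if remitter_reply is None:
        # 24.7, first step: approach the remitting bank for the missing information
        return ("request_information_from_remitting_institution", missing)
    still_missing = missing_fields(replace(t, originator=remitter_reply))
    if not still_missing:
        return ("process", [])
    # 24.7: with the information still absent, the compliance officer chooses between
    # accepting, returning the funds to the sender, or reporting to the FIU, depending
    # on the size and nature of the transaction; this code only escalates.
    return ("escalate_to_compliance_officer", still_missing)


# Constructed sample records (names, addresses and account ids are placeholders)
ORIGINATOR = Party("A. Moyo", "12 Example Street, Harare", "ACC-0001")
BENEFICIARY = Party("B. Ncube", "5 Sample Road, Bulawayo", "ACC-0002")
OUTBOUND_OK = Transfer("REF-1", "outbound", ORIGINATOR, BENEFICIARY, 1_200.0, "Bank A", "Bank B")
OUTBOUND_NO_ADDRESS = replace(OUTBOUND_OK, reference="REF-2",
                              originator=replace(ORIGINATOR, address=""))
CARD_TRANSFER = replace(OUTBOUND_OK, reference="REF-3", originator=Party(), card_initiated=True)
INBOUND_NO_NAME = Transfer("REF-4", "inbound", replace(ORIGINATOR, name=""), BENEFICIARY,
                           800.0, "Bank C", "Bank A")

if __name__ == "__main__":
    for rec in (OUTBOUND_OK, OUTBOUND_NO_ADDRESS, CARD_TRANSFER, INBOUND_NO_NAME):
        print(rec.reference, decide(rec))
    print("REF-4 after reply", decide(INBOUND_NO_NAME, remitter_reply=ORIGINATOR))
```

The check deliberately refuses to choose between the three outcomes 24.7 allows for a still-incomplete inward remittance, because that decision turns on the size and nature of the transaction and rests with the compliance officer; the code's job is to make the gap visible and to record exactly which fields are absent.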
24.6 Payment of cash in excess of the threshold amount to non-bank account holders, through the PSP or by wire transfer, requires evidence of the remitter's name, address, and account number or unique identification number. An explanation of the source of the funds and their purpose should also be obtained. If the funds are to be collected by the beneficiary, then evidence of proof of identity of the beneficiary should also be provided.
24.7 Where inward remittances are received that do not include the information required by law, the receiving institution should approach the remitting bank to obtain the missing information. If the information is not provided, the receiving institution may, depending on the size and nature of the transaction, accept the payment and provide the funds to the beneficiary, decline to accept the funds and return them to the sending institution, or, through the compliance officer, submit a report to the FIU.
24.8 Alternative remittance systems:
24.8.1 Unregulated remittance systems, such as hawala and other informal mechanisms. These systems often have traditional roots or ethnic ties and operate in jurisdictions where the formal systems are less functional or not established. Notably, funds can be transferred without any documentation.
24.8.2 Cash couriers: cash is smuggled across borders, for example through border jumping or crossings and truck shipments where borders are uncontrolled or have limited capacity to monitor.
24.8.3 False invoicing: false trade invoicing provides a means to transfer money between jurisdictions by overstating the value of the goods or services for which payment is due.
24.8.4 High-value commodities: commodities like gold and diamonds can also be used to transfer value across borders, as both are easy to convert into cash.

25. CONFIRMATION OF IDENTITY BY OTHER INSTITUTIONS

25.1 The obligation to verify identity using the best evidence and means available rests with the reporting entity opening the account or establishing the relationship.
25.2 In cases where a reporting entity is not satisfied with the documentary evidence provided or with the results of public enquiries, it may need to approach another institution, on a non-competitive basis, specifically for the purpose of verifying identity.
25.3 A standard format can be used for making such enquiries. It may be necessary to obtain the prior consent of the prospective client for disclosure of their information by the other financial institution.

26. NON-RESIDENT PERSONAL CUSTOMERS

26.1 Persons who are not resident in Zimbabwe but who wish to open electronic wallets or accounts or establish other business relationships with reporting entities in the jurisdiction are subject to verification procedures similar to those for resident customers.
26.2 Address verification can pose difficulties. However, passports or national identity cards will always be available. It is impractical to set out detailed descriptions of the various identity documents that might constitute acceptable evidence of identity for foreign nationals.
26.3 Reporting entities may wish to verify identity with a reputable credit or financial institution in the applicant's country of residence. Alternatively, a police character certificate from the applicant's country of residence may be sought.
26.4 For prospective non-resident customers who wish to open electronic wallets or accounts without appearing in person, it will not be practical to seek sight of an original passport or national identity card. Copies should be certified by notaries, diplomatic officials, or equivalent independent professionals.
26.5 Verification of identity and address should also generally be sought from a reputable credit or financial institution in the applicant's country of residence. Steps should be taken to verify the applicant's signature.

27. COMPANIES AND OTHER LEGAL ENTITIES

27.1 For customers that are legal persons, reporting institutions are required to understand the nature of the customer's business and its ownership and control structure.
27.2 Corporate vehicles have a high potential for concealing beneficial ownership. Company bank accounts, and mobile banking agent or merchant accounts, are among the highest-risk vehicles for money laundering, particularly when opened and ostensibly operated by a legitimate trading company.
27.3 Additional obligations for assessing corporate activities focus on knowledge of and about the beneficial owners and any other persons authorised to act on behalf of the account holder.
27.4 Obtaining information on the purpose and nature of the business relationship, including proof of source of wealth and initial source of funds, is also particularly important, to enable the reporting entity to conduct meaningful ongoing monitoring.
27.5 Before a business relationship is established with a legal entity, and at appropriate regular intervals after the relationship is established, measures should be taken by way of a company search and/or other commercial enquiries to ensure that the applicant company has not been, or is not in the process of being, dissolved, struck off, wound up or terminated.
27.6 Further checks should be made whenever the reporting entity becomes aware of changes in the management or ownership structure.

28. CORRESPONDENT BANKING SERVICES

28.1 Licensed financial institutions in Zimbabwe may not enter into cross-border correspondent banking relationships without satisfying a number of additional controls set out in section 21 of the MLPC Act, including:
28.1.1 Fully understanding the nature of the business of the proposed correspondent bank or payment service provider;
28.1.2 Being satisfied on reasonable grounds as to the reputation, quality of supervision, and AML/CFT financial controls of the proposed correspondent;
28.1.3 Documenting the responsibilities of the proposed correspondent in applying AML/CFT controls;
28.1.4 Being satisfied on reasonable grounds that CDD and ongoing monitoring measures are being properly applied to customers with direct access to any payable-through account held with the bank in the name of the proposed correspondent, and that CDD documentation is available to the bank on request; and,
28.1.5 Obtaining approval of the Board of Directors.
28.1.6 Regulated entities or payment services providers in Zimbabwe are not permitted to enter into or continue correspondent banking relationships with shell banks, nor with banks that permit their accounts to be used by a shell bank.

29. SUSPICIOUS TRANSACTION REPORT (STR)

29.1 PSPs, as reporting institutions, must promptly submit a suspicious transaction report to the Financial Intelligence Unit whenever, regardless of the amount, they suspect or have reason to suspect a transaction (including an attempted or proposed transaction).
29.2 Section 13 of the MLPC Act defines the Suspicious Transaction Report (STR).
29.3 Financial institutions or Payment Service Providers are required by section 30 to make a suspicious transaction report (STR) in any situation in which the reporting entity deems it necessary in line with the MLPC Act, as follows:
29.3.1 Has knowledge or reasonable grounds to suspect that any service or transaction may be related, directly or indirectly, to the commission of criminal conduct (not limited to money laundering or terrorist financing) or to money or property that is or represents the benefit of criminal conduct;

reporting entities) to disclose to the authorities any information that will assist in the prevention or detection of money laundering and terrorist acts, including information about any property in his or her possession or control that is known to be owned or controlled by or on behalf of a terrorist group, in the circumstances set out in the Suppression of Foreign and International Terrorism Act.
29.7 It should be noted that if a reporting entity permits a service or transaction to proceed where the timely making of an STR would have prevented that service or transaction from taking place, that reporting entity is likely to have committed the offence of money laundering and financing of terrorism.

30. TIPPING OFF AND PROTECTION FROM LIABILITY

30.1 Section 31 of the MLPC Act requires all officers, employees and agents of reporting entities to exercise the utmost confidentiality on issues related to money laundering and terrorist financing.
30.2 However, the Act also provides protection for CROs and others who discharge their statutory responsibilities in good faith.
30.3 In cases where the reporting institution forms a suspicion of ML/TF and reasonably believes that performing the CDD process would tip off the customer, the reporting institution is permitted not to pursue the CDD process. In such circumstances, the reporting institution may proceed with the transaction and immediately file a suspicious transaction report.
30.4 Reporting institutions shall observe the prohibition on tipping off stipulated in section 31 of the MLPC Act.
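Section 31, which follows, requires the MIS to capture multiple transactions over a period, large transactions, anomalies in transaction patterns, customers' risk profiles and threshold breaches (31.4), and to aggregate a customer's transactions across accounts and systems (31.5). The following is an added example of monitoring logic of that kind; it is not the guideline's or any PSP's own system. The three rules, the threshold figures, the risk-profile labels and the sample transaction feed are all constructed assumptions of the example, since the guideline leaves the actual thresholds to each institution's internal policy.

```python
"""Transaction-monitoring checks of the kind 31.4 and 31.5 describe.

Added illustration: not the guideline's own system. The rules, the threshold
figures and the sample transactions are constructed placeholders; the guideline
leaves the actual thresholds to each institution's internal policy.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str  # master identifier that links the customer's accounts across systems
    account_id: str
    system: str       # source system the record came from, e.g. "core", "wallet"
    amount: float
    timestamp: datetime


# Constructed thresholds (assumptions): tighter single-transaction limits for riskier profiles.
SINGLE_TXN_LIMIT = {"low": 10_000.0, "medium": 5_000.0, "high": 2_000.0}
WINDOW = timedelta(days=7)          # "multiple transactions over a certain period"
WINDOW_MIN_COUNT = 3
WINDOW_AGGREGATE_LIMIT = 15_000.0
ANOMALY_MULTIPLIER = 5.0            # single amount > 5x the customer's prior average
ANOMALY_MIN_HISTORY = 3


def aggregate_by_customer(txns):
    """Group by master customer id across all accounts and source systems (31.5),
    ordered by time. Without this step, transfers split across systems stay invisible."""
    grouped = defaultdict(list)
    for t in txns:
        grouped[t.customer_id].append(t)
    return {c: sorted(h, key=lambda t: t.timestamp) for c, h in grouped.items()}


def detect(txns, risk_profiles):
    """Return alerts for large, clustered and anomalous transactions (31.4)."""
    alerts, seen_windows = [], set()
    for cust, hist in aggregate_by_customer(txns).items():
        # Customer with no recorded risk profile: assume the strictest limit, not the loosest.
        limit = SINGLE_TXN_LIMIT[risk_profiles.get(cust, "high")]
        for i, t in enumerate(hist):
            if t.amount > limit:
                alerts.append({"rule": "large_transaction", "customer": cust,
                               "txns": (t.txn_id,), "amount": t.amount})
            prior = hist[:i]
            if len(prior) >= ANOMALY_MIN_HISTORY:
                mean = sum(p.amount for p in prior) / len(prior)
                if t.amount > ANOMALY_MULTIPLIER * mean:
                    alerts.append({"rule": "pattern_anomaly", "customer": cust,
                                   "txns": (t.txn_id,), "amount": t.amount,
                                   "prior_mean": mean})
            # Rolling window starting at this transaction, across every account and system
            window = [u for u in hist[i:] if u.timestamp < t.timestamp + WINDOW]
            total = sum(u.amount for u in window)
            if len(window) >= WINDOW_MIN_COUNT and total > WINDOW_AGGREGATE_LIMIT:
                ids = tuple(u.txn_id for u in window)
                if (cust, ids) not in seen_windows:   # report each cluster once
                    seen_windows.add((cust, ids))
                    alerts.append({"rule": "multiple_transactions", "customer": cust,
                                   "txns": ids, "amount": total,
                                   "systems": sorted({u.system for u in window})})
    return alerts


def _ts(day, hour):
    return datetime(2021, 1, day, hour)


# Constructed sample feed: two source systems, three customers.
SAMPLE_TXNS = [
    Txn("T1", "C1", "A1", "core", 4_500.0, _ts(4, 9)),
    Txn("T2", "C1", "W1", "wallet", 4_500.0, _ts(5, 10)),
    Txn("T3", "C1", "A1", "core", 4_500.0, _ts(7, 11)),
    Txn("T4", "C1", "W1", "wallet", 4_500.0, _ts(8, 12)),
    Txn("T5", "C2", "W2", "wallet", 200.0, _ts(2, 9)),
    Txn("T6", "C2", "W2", "wallet", 250.0, _ts(3, 9)),
    Txn("T7", "C2", "W2", "wallet", 180.0, _ts(5, 9)),
    Txn("T8", "C2", "W2", "wallet", 220.0, _ts(6, 9)),
    Txn("T9", "C2", "W2", "wallet", 3_000.0, _ts(9, 8)),
    Txn("T10", "C3", "A3", "core", 2_500.0, _ts(10, 9)),
]
SAMPLE_PROFILES = {"C1": "medium", "C2": "low", "C3": "high"}


def sample_alerts(systems=None):
    """Run detection over the sample feed, optionally restricted to some source systems."""
    feed = [t for t in SAMPLE_TXNS if systems is None or t.system in systems]
    return detect(feed, SAMPLE_PROFILES)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a)
```

Over the full feed the three rules each fire once: customer C1's four transfers of 4,500 each stay under the medium-profile single limit but sum to 18,000 within seven days; C2's 3,000 transfer is far above that customer's prior average of 212.5; C3's 2,500 transfer exceeds the high-profile single limit. Restricting the same feed to the core system alone (`sample_alerts({"core"})`) leaves only the C3 alert, because C1's cluster is split between the core and wallet systems; that is the gap 31.5's aggregation requirement closes.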
31. MANAGEMENT INFORMATION SYSTEM (MIS)

31.1 PSPs, as reporting institutions, must have in place an adequate management information system (MIS) to complement and support their CDD process.
31.2 The MIS is required to provide the reporting institution with timely information on a regular basis to enable it to detect irregularities and/or any suspicious activity.
31.3 The MIS shall be commensurate with the nature, scale and complexity of the reporting institution's activities and its ML/TF risk profile.
31.4 The MIS must be able to capture, at a minimum, information on multiple transactions over a certain period, large transactions, anomalies in transaction patterns, customers' risk profiles and transactions exceeding any internally specified threshold.
31.5 The MIS shall be able to aggregate customer transactions from multiple accounts and/or from different systems.
31.6 The MIS may leverage and be integrated with the reporting institution's existing information systems that support its business operations, to the extent that the customer information captured in such systems is accurate, up to date and reliable.

32. TRAINING AND AWARENESS PROGRAMMES

32.1 An integral element of the fight against money laundering and the financing of terrorism is the awareness of those charged with the responsibility of identifying and analysing potential illicit transactions.
32.2 Therefore, in accordance with the MLPC Act, PSPs or financial institutions are required to ensure that appropriate training is conducted with the board of directors and all relevant employees (on an ongoing basis) to equip them to perform their obligations in respect of AML/CFT requirements.
32.3 PSPs or financial institutions should conduct AML/CFT training for all new directors and relevant employees, and should at least annually conduct refresher training programmes to ensure that employees remain familiar with, and are updated on, their responsibilities.
32.4 Refresher programmes should address, among other things, new AML/CFT typologies, legislative updates (including new and proposed amendments) and international developments in AML/CFT.
32.5 At a minimum, a financial institution is required to:
32.5.1 Develop an appropriately tailored training and awareness programme, consistent with the financial institution's size, resources and type of operation, to enable relevant employees to be aware of the risks associated with ML and TF;
32.5.2 Ensure that the training enables employees to understand how the institution might be used for ML or TF, to recognise and handle potential ML or TF transactions, and to be aware of new techniques and trends in money laundering and terrorist financing;
32.5.3 Document, as part of their AML/CFT policy document, their approach to training, including the frequency, delivery channels and content;
32.5.4 Ensure that all employees are aware of the identity and responsibilities of the CO to whom they should report unusual or suspicious transactions;
32.5.5 Establish and maintain a regular schedule of new and refresher programmes, appropriate to their risk profile, for the different types of training required for:
32.5.5.1.1 new employees;
32.5.5.1.2 operations employees;
32.5.5.1.3 agents;
32.5.5.1.4 supervisors;
32.5.5.1.5 board and senior management; and
32.5.5.1.6 audit and compliance employees.
32.5.6 Obtain an acknowledgement from each employee of the training received;
32.5.7 Assess the effectiveness of training; and,
32.5.8 Provide all relevant employees with reference manuals/materials that outline their responsibilities and the institution's policies. These should complement rather than replace formal training programmes.
32.6 The effectiveness of the institution's training programme may be assessed by:
32.6.1 Testing employees' understanding of the policies and procedures to combat ML/TF, their understanding of their statutory and regulatory obligations, and their ability to recognise suspicious transactions; and
32.6.2 Monitoring the compliance of employees with the AML/CFT procedures, as well as the quality and quantity of internal reports, so that further training needs may be identified and appropriate action taken.
32.7 Financial institutions are also required to maintain records of employee training which, at a minimum, should include:
32.7.1 The names of employees who have received the training;
32.7.2 The date on which the training was delivered;
32.7.3 The results of any testing carried out to measure employees' understanding of the anti-money laundering requirements; and
32.7.4 An ongoing training plan.
32.8 Risk management systems should depend on the size and complexity of each payment system provider.
32.9 All sound risk management programmes, however, have several common fundamentals. Regardless of the risk management programme's design, each should include risk identification, risk measurement, risk control and risk monitoring.

PREPARED BY: NATIONAL PAYMENT SYSTEMS DEPARTMENT
APPROVED BY: J. MUTEPFA, DEPUTY DIRECTOR FINANCIAL MARKETS
SIGNATURE:
DATE: 15 JANUARY 2021
ATTACHMENT OF ANNEXURES

ANNEXURE 1
Board of Directors and Senior Management Responsibilities

a) The Board of Directors and Senior Management are, at a minimum, required to:
- undertake a risk assessment which identifies the vulnerability of the PSP/financial institution to being used to launder money or finance terrorists;
- on the basis of the risk assessment, implement a risk management framework to ensure that the PSP/FI is not used to launder money or finance terrorists;
- ensure that the risk management framework is risk based, with sufficient resources being devoted to dealing with higher-risk customers and transactions;
- ensure that the PSP/FI has appropriate compliance management arrangements, including the appointment of a compliance officer at management level;
- devote sufficient resources to dealing with money laundering and terrorist financing, including ensuring that the compliance function is adequately resourced and that staff receive appropriate and adequate training;
- carry out a risk assessment, which should be reviewed and updated on a regular basis, identifying where the business is vulnerable to ML and TF;
- based on the risk assessment, develop internal policies, procedures and controls to combat money laundering and the financing of terrorism;
- ensure that staff effectively implement the internal policies, procedures and controls and receive appropriate training;
- monitor the effective implementation of the policies, procedures and controls and make improvements where required on the basis of changes to the ML and TF risk assessment or as recommended by the supervisory agency and/or the FIU;
- ensure effective implementation of a risk-based approach to the management of money laundering and terrorist financing risk. The management of risk needs to be reviewed and updated from time to time to reflect changes in the institution's strategy or other factors such as changes to the law;
- ensure that policies and procedures take into account risk factors relating to the customer, product and service, delivery channel, and geographic location of the customer. Where higher risks are identified, based on the institution's risk assessment, staff must take extra measures and senior management should ensure that staff fully understand and implement the requirements of the policies and procedures; and
- ensure that there is documented evidence of its oversight function, for example in minutes of meetings of the Board (or committees of the Board).
b) Ensuring that the Board receives the requisite training on AML/CFT generally as well as on the institution's specific AML/CFT risks and controls;
c) Ensuring receipt of regular and comprehensive reports on the financial institution's AML/CFT risks from senior management, including but not limited to:
- remedial action plans, if any, to address the results of independent audits (either internal or external);
- regulatory reports received from the Central Bank or other regulators on their assessment of the institution's AML/CFT programme, and results of compliance testing and self-identified instances of non-compliance with AML/CFT requirements;
- recent developments in AML/CFT laws and regulations and their implications, if any, for the financial institution;
- details of recent significant risk events and their potential impact on the financial institution; and
- metrics including, but not limited to, statutory reporting to the FIU, orders from law enforcement agencies, refused or declined business and de-risked relationships.
ANNEXURE 2
General Guidance to Risk Based Approach

PSPs and participating institutions may conduct their internal money laundering and financing of terrorism risk assessments (for their customers, products & services, transaction channels and geographic areas) with the purpose of developing their own policies and procedures, in order to identify, assess, manage and mitigate related risks on an ongoing basis. It is always advisable that measures to prevent ML/FT risks are commensurate with the risks identified, for effective mitigation. Such risk assessments are generally based on the perception, subjective judgement and experience of banks about risk regarding the aforesaid elements. In this regard, the major considerations for PSPs/FIs may be:
i) Quantification of risk through a risk matrix: a matrix which quantifies likelihood and impact/consequences on two dimensions may be developed, thereby categorising risk as low, medium, high or on any appropriate scale.
ii) It is pertinent to mention here that without proper quantification of risks, it may be difficult to decide which customer qualifies for simplified due diligence (SDD) or enhanced due diligence (EDD).
iii) Risk register: a risk register may be developed whereby risks emanating from various business aspects can be accounted for. These may include the following:
a. Customers: identifying risk determinants while establishing relationships with customers;
b. Products: envisaging risk attributes resulting from the customer's need for financial services, and the appropriate controls;
c. Delivery channels: identifying risks associated with delivery channels, which may vary from customer to customer depending on their needs; and,
d. Geographic/jurisdictional: risks resulting from the customer's geographic presence and the jurisdiction in which the customer is operating.
iv) Controls: after assessing the risks, the controls are reviewed and assessed as to whether they are effective in catering for the risks.
v) Residual risk: in the next step, after assessing the risks, the controls are accounted for to quantify the residual risks.
vi) Risk decision: after identification and quantification of inherent risks, controls and residual risks, the decision should be taken; for example, while establishing a relationship, the decision whether to take the customer on board, mark the customer as high risk, or refuse to accept the customer.

Risk-Based Approach Cycle

i) The following cycle represents the six steps of the risk-based approach:
a. Identification of inherent risks (business-based risk assessment along with the relationship-based risk assessment);
b. Setting risk tolerance;
c. Creating risk-reduction measures and key controls;
d. Evaluating residual risks;
e. Implementing the risk-based approach; and
f. Reviewing the risk-based approach.
ii) All PSPs and FIs should complete the risk-based template to determine the potential risk levels (see Annexure 1).

Risk Based Annexure 1 - Table

Scale for the institution's risk: 5 Very high, 4 High, 3 Medium, 2 Low, 1 Very low

Indicator*                                      | Correlation of indicator to risk | Importance of indicator** | Institution's risk for each indicator***
Name of Institution                             |          | OVERALL             |
Corporate Governance                            | Positive | Very high, Very low | Very low
ML/TF risk level for the sector                 | Positive | Very high, Very low | Very low
Legal Framework Clarity                         | Positive | Very high, Very low | Very low
Size of Institution                             | Positive | Very high, Very low | Very low
Complexity & No of Products                     | Positive | Very high, Very low | Very low
Geographical Spread                             | Positive | Very high, Very low | Very low
Transactional Values                            | Positive | Very high, Very low | Very low
Customer Base                                   | Positive | Very high, Very low | Very low
High Net Worth Customers                        | Positive | Very high, Very low | Very low
Foreign Customers                               | Positive | Very high, Very low | Very low
Foreign Customers from High Risk Countries      | Positive | Very high, Very low | Very low
Customers with Predictable Sources of Income    | Positive | Very high, Very low | Very low
Customers with Unpredictable Sources of Income  | Positive | Very high, Very low | Very low
PEPs                                            | Positive | Very high, Very low | Very low
Cash Transactions                               | Positive | Very high, Very low | Very low
Internal Controls                               | Positive | Very high, Very low | Very low
Third Party Payments                            | Positive | Very high, Very low | Very low
Payment terms outside norms                     | Positive | Very high, Very low | Very low
Risk Appetite                                   | Positive | Very high, Very low | Very low
Staff Knowledge                                 | Positive | Very high, Very low | Very low
Overall                                         |          | Very high, Very low | Very low
ANNEXURE 3
Risk Profiling of Customers

PSPs and participating institutions (FIs) should profile every new customer using their own judgement and the information obtained through the CDD/KYC process. A template of Customer Risk Profiling (CRP) is provided at Annexure 3A for guidance, so that institutions can develop their own CRP formats considering their business activities, customer base, internal procedures etc.
PSPs and all FIs are required to have adequate policies and processes, including strict customer due diligence (CDD) rules, to promote high ethical and professional standards in the digital financial services sector and prevent the institution from being used, intentionally or unintentionally, for criminal activities. 'Adequate policies and processes' in this context requires the implementation of other measures in addition to effective CDD rules. These measures should also be proportional and risk-based, informed by the PSP's own assessment of its ML/FT risks. Such policies and procedures should require basic due diligence for all customers and commensurate due diligence as the level of risk associated with the customer varies. For proven lower-risk situations, simplified measures may be permitted, if this is supported by appropriate customer risk profiling.
It is important that the customer acceptance policy is not so restrictive that it results in a denial of access by the general public to digital financial services, especially for people who are financially or socially disadvantaged.

Annexure 3A. A Template of Customer Risk Profiling (CRP) Form

Risk Determinants | Risk Variables/Determinants | Assigned Risk Weight
Customer | Exceptions in getting KYC-related information from customer | 1
Customer | High net worth customer or high value transactions | 6
Customer | Politically exposed person, its close associate or family member | 10
Customer | Relatively complex control/ownership structure | 9
Customer | Reliability of verification measures | 3
Customer | Unclear source of funds or income from undocumented sources | 6
Customer | Beneficial ownership of funds may not belong to customer | 5
Product & Services | Use of products & services which entail non-face-to-face conduct | 7
Product & Services | Customer seeks private banking or other riskier services | 5
Product & Services | Customer subscribes for international/foreign products & services | 4
Product & Services | Excessive use of funds remitting instruments | 5
Channels | Large wire-in/wire-out or inland online transfers | 6
Channels | Level of cash based transactions | 7
Channels | Element of anonymity in transactions | 8
Locations | Customer is based in or linked to High Risk Jurisdictions as per FATF | 9
Locations | Customer is based in or linked to UN Sanctioned Countries | 10
Locations | Customer's link to offshore centres or tax havens | 12
Locations | Name matches with databases, i.e. World Check, OFAC, EU lists, etc. | 9
Transaction | Volumes | 4
Transaction | Values | 3
Transaction | Frequency | 1
Transaction | Limits | 4
Others | Red Alerts or guidance provided by FIU on ML/FT typologies | 5
TOTAL | | 139

Scale: Please note that the risk weights assigned above have been selected according to prevalence of risk, i.e. Never = 0, Low = 5, Moderate = 10, High = 20.

Benchmarking
Risk Score Range | Rating
Below 50 | 1
51 - 80 | 2
81 - 110 | 3
111 - 140 | 4
141 - 170 | 5
170 & above | 6

Rating | Customer Risk Profiling Check
1 to 2 | Low Risk
3 to 4 | Moderate Risk (template total: 139)
5 to 6 | High Risk

Customer Risk Profile is re-considered in line with the predefined criteria of the PSP/FI's own Internal Risk Assessment: Moderate Risk

Prepared by: ………………………………… Date ………………..
Reviewed by: ………………………………… Date ………………..
Approved by: ………………………………… Date ………………..
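The scoring in the template above, as an added example that is not part of the guideline: it sums the Annexure 3A weights for the determinants that apply to a customer, maps the total to the benchmark rating and then to the Low/Moderate/High band. The determinant names are this example's own shorthand, and the treatment of the exact totals 50 and 170, which the benchmark ranges leave ambiguous, is an assumption stated in the comments.

```python
"""Customer Risk Profiling (CRP) scoring from Annexure 3A (added illustration,
not the guideline's own code): sum the assigned weights of the determinants
that apply, map the total to the benchmark rating 1-6, then to the risk band."""
from typing import Dict, Iterable, Tuple

# Assigned risk weights per determinant, as listed in Annexure 3A (sum: 139).
# Determinant names are this example's own shorthand for the template rows.
RISK_WEIGHTS: Dict[str, int] = {
    # Customer
    "kyc_exceptions": 1, "high_net_worth_or_high_value": 6, "pep_or_associate": 10,
    "complex_ownership": 9, "verification_reliability": 3,
    "unclear_source_of_funds": 6, "beneficial_owner_not_customer": 5,
    # Product & Services
    "non_face_to_face": 7, "private_banking": 5, "foreign_products": 4,
    "excessive_remitting": 5,
    # Channels
    "large_wire_or_online": 6, "cash_based": 7, "anonymity": 8,
    # Locations
    "fatf_high_risk_jurisdiction": 9, "un_sanctioned_country": 10,
    "offshore_or_tax_haven": 12, "watchlist_name_match": 9,
    # Transaction
    "volumes": 4, "values": 3, "frequency": 1, "limits": 4,
    # Others
    "fiu_red_alert": 5,
}

# Benchmark as (inclusive upper bound, rating). The annexure's ranges leave the
# exact totals 50 and 170 ambiguous; this example assumes "Below 50" covers
# 0..50 and "170 & above" starts at 171, so every integer total gets one rating.
BENCHMARK: Tuple[Tuple[int, int], ...] = ((50, 1), (80, 2), (110, 3), (140, 4), (170, 5))


def rating_for(total: int) -> int:
    """Map a CRP total to the benchmark rating; anything above 170 is rating 6."""
    for upper, rating in BENCHMARK:
        if total <= upper:
            return rating
    return 6


def band_for(rating: int) -> str:
    """Rating 1-2 is Low, 3-4 Moderate, 5-6 High, per the annexure's check table."""
    if rating <= 2:
        return "Low Risk"
    return "Moderate Risk" if rating <= 4 else "High Risk"


def profile(applicable: Iterable[str]) -> Tuple[int, int, str]:
    """Return (total, rating, band) for the determinants flagged on a customer."""
    names = set(applicable)  # each determinant counts once, however often listed
    unknown = names - set(RISK_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown determinants: {sorted(unknown)}")
    total = sum(RISK_WEIGHTS[name] for name in names)
    rating = rating_for(total)
    return total, rating, band_for(rating)
```

Note that the additive benchmark alone places a customer flagged only as a PEP with UN-sanctioned-country and offshore links (10 + 10 + 12 = 32) at rating 1, Low Risk; Annexure 4 and Annexure 5 treat such factors as EDD triggers in their own right, so the score is one input to the profile rather than the whole of it.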
ANNEXURE 4
Specific High Risk Elements and Recommendations for EDD

Some of the relatively high risk elements identified by regulators, and the recommended actions for EDD, may include but are not limited to the following:

Type of Customer: NPOs/NGOs/Charities, Trusts, Clubs, Societies, Associations, etc.
Suggested EDD: In relation to these customers, FIs may seek:
(i) A declaration from the responsible authorities (Trustees/Executive Committee/sponsors) on ultimate control, purpose and source of funds, etc.;
(ii) An undertaking from the responsible authorities (Trustees/Executive Committee/sponsors) to inform the FI about any change of control or ownership during operation of the account; and
(iii) A fresh resolution of the responsible authorities of the entity in case of a change in the person(s) authorised to operate the account.

Type of Customer: Maids/housewives
Suggested EDD: In relation to housewife accounts, FIs may seek:
(i) A self-declaration of the source and beneficial ownership of funds;
(ii) Updated details of funds providers, if any, along with the customer's profile; and
(iii) To identify and verify funds providers if monthly credit turnover exceeds an appropriate threshold to be decided by the FI.

Type of Customer: Proprietorships and self-employed individuals/professionals
Suggested EDD: In relation to these accounts, the following measures may be taken by FIs:
(i) Business transactions in the personal accounts of proprietors may only be permitted by linking them with account/business turnover. For example, such customers having monthly turnover equivalent to, say, USD 10,000.00 or above may be required to open a separate account for business-related transactions; and
(ii) In order to verify the physical existence of the business or self-employment status, FIs may conduct physical verification within seven working days of the opening of the account and document the results thereof on the account opening form. In case of unsatisfactory verification, the FI may consider reporting it to the FIU and/or may change the risk profile, as deemed appropriate.

Products & Services: Online transactions/remittances/e-payments
Suggested EDD: In relation to such transactions, FIs should pay special attention to geographical factors/locations for the movement of funds.

Delivery Channel: Cash
Suggested EDD: In relation to cash transactions, FIs may:
(i) Monitor cash transactions on an enhanced basis by applying relatively stringent thresholds, as deemed appropriate; and
(ii) Pay special attention to cash-based transactions, considering the examples of high risk customers.

Delivery Channel: Wire transfers
Suggested EDD: In relation to wire transfers, FIs may:
(i) Monitor such transactions on an enhanced basis by applying relatively stringent thresholds, as deemed appropriate; and
(ii) Ensure that funds transfers which are out of character or inconsistent with the customer's history, pattern, source of earnings and purpose are viewed with suspicion and properly investigated for appropriate action, as per AML/CFT law.
ANNEXURE 5
General High Risk Factors

In respect of the general high risk elements mentioned at section (20) above, PSPs or FIs may conduct EDD measures which are effective and commensurate to the level of risk. At minimum, the following high risk elements/factors should also be considered, as per international standards.

Customers:
i) Non-resident customers
ii) Correspondent banks' accounts
iii) Non-face-to-face business relationships or transactions
Customers with links to offshore tax havens
iv) Customers dealing in high-value items, etc.
v) High net worth customers with no clearly identifiable source of income
vi) There is a doubt about the veracity or adequacy of available identification data on the customer
vii) There is reason to believe that the customer has been refused banking facilities by another FI
viii) Companies that have nominee shareholders or shares in bearer form
ix) Legal persons or arrangements that are personal asset holding vehicles

Activities:
i) Cash intensive or other forms of anonymous transactions
ii) Payment received from unknown or un-associated third parties
iii) Private banking relationships
iv) Informal business with relatively large transactional activities not consistent with the nature of legal activities

Geography or Locations:
i) Jurisdictions which have been identified by FATF for inadequate AML/CFT measures, or for which FATF has called for countermeasures
ii) Countries identified by credible sources, such as mutual evaluations or detailed assessment reports, as having inadequate AML/CFT standards
iii) Countries subject to sanctions or embargoes, for example the United Nations sanction list
iv) Countries identified by credible sources as having significant levels of corruption or other criminal activity
v) Countries or geographic areas identified by credible sources as providing funding or support for terrorism activities

Examples of such EDD measures may include:
i) Obtaining additional information on the customer (occupation, volume of assets, address, information available through public databases, the internet, etc.);
ii) Reducing the interval for updating and reviewing the customer risk profile;
iii) Reducing the interval for updating the identification data of the customer and beneficial owner;
iv) Obtaining additional information on the intended nature of the business relationship;
v) Obtaining information on the reasons for intended or performed transactions;
vi) Obtaining additional information on the sources of funds or sources of wealth of the customer;
vii) Obtaining the approval of senior management to commence or continue the business relationship;
viii) Conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied and selecting patterns of transactions that need further examination;
ix) A signatory who is neither a beneficial owner nor a key principal may also be verified if they were the principal contact with the FI, acting on behalf of directors or owners with whom the PSP had little or no direct contact; and
x) Documentary evidence may be sought to support transactions where possible, e.g. purchase of property, etc.

High Risk Businesses | Potential Risk
Cash-intensive businesses such as restaurants, retail stores, hypermarkets | Difficulty in identifying unusual activity; no proper record management; inability to verify the source of funds; acting as front companies for terrorists and money launderers
Offshore corporations located in tax havens | Entity located in countries where the level of transparency is low
Leather goods stores | Businesses can be used to conceal illegitimate activities
Exchange Houses | Weak anti-money laundering controls
Luxury goods dealerships | Goods used by money launderers in the integration stage
Used-car and truck dealers | Activities using cash in the payment process, which can facilitate money laundering and terrorist financing
Travel agencies | Can be used by money launderers to legitimise illegitimate funds
Brokers/dealers in securities | Risk of money laundering and financial crimes such as fraud
Jewels, gem and precious metals dealers | Used by money launderers and arms dealers as payment methods
Import/export companies | Can be used to import and export prohibited goods to sanctioned countries
Gatekeepers (lawyers, notaries, accountants, investment advisors, trust and company service providers) | Can be acting on behalf of the UBO and facilitating money launderers
Free zone companies | Beneficial ownership difficult to identify; can be used as fronts for sanctioned entities
General Trading | Difficulty in identifying the underlying business activities, since the company can be involved in multiple business activities

General Low Risk Factors

There may be circumstances where the risk of money laundering or financing of terrorism may be low, for example where information on the identity of the customer and the beneficial ownership is publicly available. In such circumstances, and provided there has been an adequate analysis of the risk by the PSP or FI, simplified customer due diligence (SDD) measures may be applied. Examples of such low risk scenarios/factors may include:

Description | Factors

General low risk factors for customers:
i) A financial institution regulated/supervised by the Central Bank, except cooperatives;
ii) An entity regulated/supervised by the Securities Exchange Commission of Zimbabwe (SECZ) and the Insurance and Pensions Commission, unless the entity is notified for application of the requirements;
iii) A government entity;
iv) A foreign government entity;
v) Public administrations or enterprises;
vi) An entity listed on the Zimbabwe Stock Exchange; and
vii) An entity listed on a stock exchange outside Zimbabwe that is subject to regulatory disclosure requirements and whose information is publicly available.

Low risk factors for Products and Transaction Channel:
i) Basic Low KYC Accounts;
ii) Low value accounts having monthly credit turnover below a defined threshold;
iii) Salary accounts of individuals, subject to the condition that the account is not used for purposes other than salary;
iv) Pension accounts for direct credit of pensions;
v) Remittance cards restricted to receiving inward remittances only; and
vi) Other financial products or services that provide appropriately defined and limited services to certain types of customers so as to increase access to financial services.

Low risk factors for Geography or Locations:
i) Country identified by credible sources, such as mutual evaluation or detailed assessment reports, as adequately complying with and having effectively implemented the FATF Recommendations; and
ii) Country identified by credible sources as having a low level of corruption or other criminal activity.
Examples of some SDD measures:
i) Decreasing the frequency of customer identification updates;
ii) Reducing the degree of on-going monitoring and scrutinising transactions based on a reasonable monetary threshold; and
iii) Not collecting specific information (no exemption shall be presumed in respect of the minimum documents prescribed in the MLPC Act and the Suppression of International Terrorism Regulations) or not carrying out specific measures to understand the purpose and intended nature of the business relationship; the intended purpose and nature of the account may instead be ascertained from the relationship established or from the type of transactions.

In relation to the above, SDD measures should not be considered in the following situations:
i) When there is a suspicion of money laundering or financing of terrorism;
ii) There are no exceptions in reporting suspicion to the FIU within the provisions of the MLPC Act;
iii) Where certain high risk factors are identified by the Central Bank, by the PSP or FI in its own internal risk assessment, or as per international standards vis-à-vis the FATF Recommendations, etc.;
iv) In relation to customers that are from or in jurisdictions which have been identified by FATF for inadequate AML/CFT measures, identified by the PSP or FI itself as having poor AML/CFT standards, or otherwise identified by the Central Bank,
ANNEXURE 6
Other Sources of AML/CFT Guidance

The Financial Action Task Force has prepared a number of documents that provide detailed guidance to reporting entities to assist them to better implement their AML/CFT obligations under domestic legislation. Some of the guidance documents a reporting entity may consider consulting include the following:

i) FATF Guidance for Financial Institutions in Detecting Terrorist Financing (2002). http://www.fatf-gafi.org/media/fatf/documents/Guidance%20for%20financial%20institutions%20in%20detecting%20terrorist%20financing.pdf
ii) FATF Guidance on the Risk-Based Approach for the Banking Sector (2014). http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf
iii) Guidance for a Risk-Based Approach for Money or Value Transfer Services (2016). http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf
iv) Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services (2013). http://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidanceriskbasedapproach-NPPS.pdf
v) Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion (February 2013). http://www.fatf-gafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdf
vi) Guidance on Transparency and Beneficial Ownership (2014). http://www.fatf-gafi.org/publications/fatfrecommendations/documents/transparency-and-beneficial-ownership.html
vii) FATF Guidance on Politically Exposed Persons (2013). http://www.fatf-gafi.org/media/fatf/documents/recommendations/GuidancePEP-Rec12-22.pdf
viii) The Implementation of Financial Provisions of United Nations Security Council Resolutions to Counter the Proliferation of Weapons of Mass Destruction (2013). http://www.fatf-gafi.org/media/fatf/documents/recommendations/GuidanceUNSCRS-ProlifWMD.pdf