Regulation of the Financial Market Council on Practical Measures for Combating Money Laundering, Countering Terrorism Financing and Preventing the Proliferation of Weapons

1 Regulation of the Financial Market Council on Practical Measures for Combating Money Laundering, Countering Terrorism Financing and Preventing the Proliferation of Weapons The Council Board of the Financial Market Council, Having regard to Organic Law No. 2015-26 of August 7, 2015 on combating terrorism and money laundering, particularly Articles 107 and 115, Having regard to Law No. 94-117 of November 14, 1994 reorganizing the financial market, as amended and supplemented by subsequent texts, particularly Law No. 2009-64 of August 12, 2009 promulgating the code for financial services to non-residents, particularly Articles 28, 29, 31, 40 and 48, Having regard to Decree No. 99-2478 of November 1, 1999 on the status of stock exchange intermediaries, as amended and supplemented by Decree No. 2007-1678 of July 5, 2007, particularly Articles 50 bis, 65 bis, 86 new and 86 bis, Having regard to Decree No. 2006-1294 of May 8, 2006 implementing Article 23 of Organic Law No. 2005-96 of October 18, 2005 on strengthening the security of financial relations, as amended and supplemented by Decree No. 2009-1502 of May 18, 2009, particularly Articles 6 and 6 ter, Having regard to the Regulation of the Financial Market Council on collective investment schemes in securities and portfolio management for third parties, subject to the order of the Minister of Finance dated April 29, 2010, as amended and supplemented by the order of February 15, 2013, particularly Articles 82, 84 and 152. Decides:

1 As referred to by the order of the Minister of Finance dated January 19, 2017 and amended by the order of the Minister of Finance dated March 6, 2018.

2 Article 1: This regulation sets out the practical measures to be applied, for combating money laundering and countering terrorism financing, by:

• stock exchange intermediaries,
• portfolio management companies for third parties. Hereinafter referred to as "the institutions". Article 2: For the purposes of this regulation, the following terms apply:
• Client: a client of the institutions, whether regular or occasional, natural person or legal entity. An occasional client is any person who approaches the institutions with a view to preparing or carrying out a single transaction or operation. A single transaction or operation is one that does not give rise to the establishment of an account opening or management agreement.
• Legal entity: any entity with its own resources and an autonomous patrimony distinct from that of its members or partners, even if legal personality has not been granted to it under a special provision of law.
• Beneficial owner: the natural person who ultimately owns or effectively controls the client, or on whose behalf a transaction or operation is carried out, even in the absence of a written mandate between the client and the beneficial owner.
• Reliable and independent sources: central or local official authorities, or financial institutions established in a country applying sufficiently the international standards for combating money laundering and countering terrorism financing.
• Electronic transfer: any fund transfer operation by electronic means within the meaning of Law No. 2005-51 of June 27, 2005 on electronic fund transfers.

3

• Risk-exposed persons due to their functions: persons who hold or have held, in Tunisia or a foreign country, up to the year preceding the business relationship, high public offices or representative or political missions and notably:

1. Head of State, head of government or member of a government,
2. Member of parliament,
3. Member of a constitutional court, or a high jurisdiction whose decisions are not subject to appeal,
4. Member of a constitutional body,
5. Senior military officer,
6. Ambassador, charge d'affaires or consul,
7. Member of the governing bodies of supervisory and regulatory authorities,
8. Member of the administrative, management or supervisory body of a public company,
9. Member of the governing bodies of an international institution created by treaty or the head of its representation,
10. Senior official of a political party,
11. Member of the governing bodies of a trade union or employers' organization.

• Financial Action Group: an intergovernmental body with objectives including the development of standards and promotion of policies relating to combating money laundering and countering terrorism financing.
• Suspicious transactions and operations: transactions and operations showing suspicion directly or indirectly linked to funds originating from unlawful acts classified by law as misdemeanors or crimes, or to the financing of persons, organizations or activities related to terrorist offenses provided for by Organic Law No. 2015-26 of August 7, 2015 on combating terrorism and money laundering, as well as any attempt to carry out said transactions or operations.

4

• The Commission: the Tunisian Financial Analysis Commission provided for in Article 118 of Organic Law No. 2015-26 of August 7, 2015 on combating terrorism and money laundering.
• Fictitious foreign correspondent: a foreign bank or financial institution without a fixed registered office for carrying out its activities and not subject to the control of a regulatory authority. This definition does not apply to institutions affiliated with an approved bank or financial institution subject to the control of a regulatory authority established in a country applying sufficiently the international standards for combating money laundering and countering terrorism financing.
• Organization: a structured group of three or more persons, formed for any duration and operating in concert with the aim of committing one of the offenses provided for by Organic Law No. 2015-26 of August 7, 2015 on combating terrorism and money laundering within the national territory or abroad.
• Designated person or entity: Any natural or legal person or entity designated for the application of targeted financial sanctions related to preventing, combating and interrupting the proliferation of weapons of mass destruction pursuant to United Nations Security Council resolutions, whose names appear on the list established by the competent national authority with legal authority. (Order of the Minister of Finance dated March 6, 2018)
• Targeted financial sanctions: includes both the freezing of funds of a designated person or entity and its other assets, as well as prohibitions aimed at preventing funds and other assets from being made available, directly or indirectly, to or for the benefit of such person or entity. (Order of the Minister of Finance dated March 6, 2018)
• Competent national authority with legal authority: the national authority or authorities designated by law and responsible for implementing and enforcing targeted financial sanctions. (Order of the Minister of Finance dated March 6, 2018)

5 Chapter One Due diligence measures regarding clients Article 3: Institutions must refrain from opening anonymous or fictitious name accounts. They must, at the time of establishing a business relationship, verify, using official documents and other documents from reliable and independent sources, the complete identity of the client, their activity, address, as well as the purpose and nature of the business relationship, and record all necessary data capable of identifying them. When a client designates a person to represent them, institutions must verify their complete identity and obtain data proving the relationship linking them to the client, even if such designation occurred after the business relationship was established. In the case of an occasional client, the identity verification obligation applies when they carry out occasional financial transactions or operations with a value equal to or greater than the amount set by current regulatory texts, or in the form of electronic transfers, whether carried out in a single operation or several linked operations. Institutions must also comply with the identity verification obligation when:

• there is suspicion of money laundering or terrorism financing,
• there are doubts regarding the accuracy or relevance of previously obtained client identification data. The identity verification obligation does not apply to companies listed on the Tunis Stock Exchange and public enterprises. Article 4: If circumstances of the transaction or operation indicate that it is carried out or may be carried out for the benefit of a third party,

6 the identity verification obligation on institutions extends to the beneficial owner of the transaction or operation. Article 5: Without prejudice to account opening procedures for clients provided by regulatory texts governing the financial market, institutions must, at a minimum, collect the following data when identifying the client, their representative and the beneficial owner: When it is a natural person:

• Full name, date and place of birth, as well as nationality,
• Identity card or passport number, date of issue and validity,
• Effective residence address including postal code, telephone number and, where applicable, electronic address,
• Profession and its address,
• Purpose of the business relationship and its nature,
• A specimen signature. The aforementioned data are verified in particular based on the national identity card for Tunisians and an official recognized identification document bearing a photo, address and holder's activity for foreigners. When it is a legal entity:
• Date of incorporation, trade name or denomination, legal form and corporate purpose,
• Registration number in the commercial register and tax identification number,
• Registered office address including postal code, telephone and fax numbers and electronic address. When main activities are not carried out at the registered office, the effective business address must be indicated,
• Capital distribution,
• Identity of its directors and persons authorized to bind it, along with documents proving their capacity to do so, with the obligation to collect physical person data regarding them as provided in this article,
• Identities and addresses of major shareholders holding at least 40% of the capital, and persons controlling it when it is a company, or if it is an entity other than a company, the identities of founders and persons exercising effective control or who are beneficial owners, with the obligation to collect physical person data regarding them as provided in this article,
• Purpose of the business relationship and its nature. The aforementioned data are verified in particular based on the articles of association, a extract from the commercial register, a deed of incorporation and any equivalent official document or other document from reliable and independent sources, when the legal entity is registered abroad. Institutions must consult the original documents on which the data provided in this article were verified and obtain copies to be filed in a dedicated folder for each client. Article 6: Institutions must take necessary measures to verify, at the time of establishing a business relationship or carrying out an occasional transaction or operation and subsequently on a periodic basis, that the client or beneficial owner does not appear on the list of persons or organizations whose link with terrorist crimes is established by competent international bodies or by the national commission against terrorism provided for in Article 66 of Organic Law No. 2015-26 of August 7, 2015 on combating terrorism and money laundering. They must also freeze the assets belonging to persons or organizations referred to in the first paragraph of this article and make the related declaration, in accordance with Article 103 of Law No. 2015-26 of August 7, 2015 on combating terrorism and money laundering.

Article 6 (bis): Institutions must take necessary measures to verify, at the time of establishing a business relationship or carrying out an occasional transaction or operation and subsequently on a periodic basis, that the client or beneficial owner is not registered on the list of persons or entities subject to targeted financial sanctions related to preventing, combating and interrupting the proliferation of weapons of mass destruction and its financing as set by the competent national authority with legal authority. Institutions must also:

• freeze, without delay and without prior notification, the funds and other assets of designated persons and entities. The freezing obligation extends to: • all funds or other assets owned or controlled by the designated person or entity, not only those particularly linked to an act, conspiracy or threat of proliferation of weapons, • funds or other assets owned or controlled wholly or jointly, directly or indirectly, by the designated person or entity, • funds or other assets originating from or generated by funds or other assets owned or controlled, directly or indirectly, by the designated person or entity, • funds or other assets of natural or legal persons acting on behalf, or under instructions, of the designated person or entity.
• prohibit making available to the designated person or entity the frozen funds and other assets except with authorization from the competent national authority with legal authority,
• declare to the competent national authority with legal authority, all frozen funds or other assets and all measures taken in accordance with the prohibitions issued by it, including attempts at operations. Article 7: Institutions must regularly update data and documents relating to client identity and exercise continuous vigilance towards them throughout the duration of the business relationship. The frequency of updates is determined based on the volume of transactions and operations carried out by institutions and the degree of risks to which they are exposed. Article 8: Institutions must, from the publication of this regulation and regarding clients with whom they have established prior business relationships, take necessary measures to comply with provisions relating to client identity verification, taking into account the degree of risk these clients pose regarding their identity and the nature of operations they carry out, as well as the relevance of previously collected data concerning them. Article 9: Institutions that use a third party to establish business relationships or carry out occasional transactions or operations must:
• Ensure that it is subject to legislation and supervision regarding combating money laundering and countering terrorism financing,
• Specify in writing the procedures to be put in place to verify client identity in accordance with this regulation and ensure compliance,
• Obtain without delay the identification data relating to clients,
• Ensure that it is able to provide upon request and in the shortest possible time, copies of documents on which client identity was verified and other related documents. In the event that institutions use a third party belonging to the same group, they must ensure that group entities apply due diligence measures and procedures regarding combating money laundering and countering terrorism financing covering the use of a third party to establish business relationships or carry out occasional transactions or operations. In the event that the use of a third party gives rise to an agreement, it must mention the obligations incumbent on the third party provided for in items 2 to 4 of the first paragraph of this article. When institutions have been unable to take the due diligence measures provided for in the first and second paragraphs of this article, they must refrain from using a third party. In all cases, the use of a third party does not exempt institutions from their responsibility regarding compliance with current provisions on combating money laundering and countering terrorism financing, particularly their responsibility for verifying client identity. Article 10: Institutions must exercise particular vigilance regarding business relationships that do not involve the physical presence of the parties. To this end, they must:
• Compare data collected from the client with other data from reliable and independent sources,
• Take care to arrange a direct interview with the client as soon as possible,
• Require the client to carry out their first financial transactions via a bank established in a country applying sufficiently international standards on combating money laundering and countering terrorism financing in accordance with Financial Action Group decisions. Article 11: Institutions must exercise particular vigilance regarding business relationships with risk-exposed persons due to their functions and with their spouses, ascendants and descendants up to the first degree, and with persons closely associated with them, notably those maintaining close business ties with them. To this end, institutions must:
• Put in place procedures to verify whether the client, their representative or beneficial owner belong to the category of persons referred to in the first paragraph of this article,
• Obtain authorization from administrative, management bodies or authorized persons to establish or continue a business relationship with persons referred to in the first paragraph of this article,
• Put in place procedures to determine the source of funds for persons referred to in the first paragraph of this article,
• Subject transactions and operations carried out by persons referred to in the first paragraph of this article to enhanced and continuous monitoring. Article 12: When institutions fail to verify the data provided in Article 5 of this regulation, or if these data are insufficient or manifestly fictitious, they must refrain from opening the account, establishing or continuing the business relationship, or carrying out the transaction or operation and consider making the declaration provided for in Article 18 of this regulation. Article 13: Institutions must refrain from receiving cash funds with a value equal to or greater than the amount set by current regulatory texts, even through several deposits that may be linked. They must also refrain from receiving checks or bank transfers not issued by the client or their representative. Chapter Two Due diligence measures regarding transactions and operations Article 14: Institutions must carefully examine transactions and operations carried out by their clients, to ensure they are consistent with the data available concerning them, taking into account the nature of their activities, the risks they incur and, where applicable, the source of their funds. Article 15: Institutions must exercise particular vigilance regarding unusual transactions and operations, notably those:
• Having a complex nature,
• Involving an abnormally high amount,
• Whose economic purpose or lawfulness does not appear manifest,
• Not appearing consistent with client identification data,
• Carried out by persons established in countries that do not apply or apply insufficiently international standards on combating money laundering and countering terrorism financing, as highlighted in Financial Action Group communications. Institutions must carefully examine the framework in which unusual transactions or operations are carried out, as well as their nature, and where applicable request additional information concerning the reason for the transaction or operation and the source of client funds, to determine that they are not suspicious transactions or operations. The results of the examination must be recorded in writing in a register kept for this purpose. Article 16: Institutions must take necessary measures to identify and assess money laundering and terrorism financing risks linked to the development of new products and services or the use of new technologies. They must, where applicable, update rules and procedures regarding combating money laundering and countering terrorism financing. Article 17: Institutions must exercise particular vigilance regarding transactions and operations carried out via electronic transfers, notably when:
• The electronic transfer order is given by an occasional client,
• or the electronic transfers are carried out by

---