2020-09-25

SEC Guidelines on Risk-Based AML/CFT Implementation and Risk Rating System for Covered Persons

The Securities and Exchange Commission issued guidelines requiring all covered persons to implement a risk-based approach to Anti-Money Laundering and Combating the Financing of Terrorism. These entities must conduct comprehensive institutional risk assessments and develop internal risk management frameworks to identify and mitigate money laundering and terrorist financing vulnerabilities. The Commission also adopted an AML/CFT Risk Rating System to evaluate compliance effectiveness and determine the appropriate level of supervisory attention and enforcement actions.


Philippines

Securities and Exchange Commission Philippines


SEC Memorandum Circular No. ______
Series of 2020

TO : ALL SEC COVERED PERSONS

SUBJECT : GUIDELINES IN THE IMPLEMENTATION OF A RISK-BASED APPROACH TO ANTI-MONEY LAUNDERING/COMBATING THE FINANCING OF TERRORISM (AML/CFT) AND ADOPTION AND DEVELOPMENT OF A RISK RATING SYSTEM FOR SEC COVERED PERSONS

WHEREAS, the Commission is the government agency having jurisdiction and supervision over all corporations, partnerships or associations who are the grantees of primary franchises and/or licenses or permits issued by the Government;

WHEREAS, as Supervising Authority, it is mandated to assist the Anti-Money Laundering Council (AMLC) in supervising the implementation of the Anti-Money Laundering Act, as amended (AMLA), and the Terrorist Financing Prevention and Suppression Act (TFPSA), and their respective Implementing Rules and Regulations (IRRs), and other AMLC issuances;

WHEREAS, in order to be able to focus supervisory resources where the risks are higher, there is a need to identify, assess, and understand the money laundering/terrorist financing (ML/TF) risks to which the sectors of covered persons supervised by the Commission are exposed;

WHEREAS, a risk-based approach to Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) would ensure that the appropriate measures commensurate to those risks are taken in order to mitigate them effectively;

WHEREAS, complementary to a risk-based approach to AML/CFT is the implementation and development of a risk-focused examination process and rating system to gauge the sufficiency of a covered person’s AML/CFT framework as against the risks to which it is exposed;

WHEREAS, Rule 15, Chapter V of the 2018 IRR of the AMLA, likewise requires covered persons to take appropriate steps to identify, assess, and understand the ML/TF risks by conducting their own institutional risk assessment and formulating and implementing their own institutional risk management;

NOW, THEREFORE, the Commission, hereby issues these Guidelines in the implementation of its Risk-Based Approach to AML/CFT and resolves to adopt an AML/CFT Risk Rating System (ARRS) to be employed by the Commission in the conduct of its on-site examinations of covered persons.

26 Published: Philippine Star, September 26, 2020 Manila Standard, September 26, 2020

CHAPTER I
RISK ASSESSMENT AND MANAGEMENT BY COVERED PERSONS

Section 1. Coverage. This Circular shall apply to all SEC covered persons as enumerated under Section 3(a) of the AMLA and Section 1.2 of the SEC Memorandum Circular No. 16, Series of 2018 or the 2018 AML/CFT Guidelines.

Section 2. Institutional Risk Assessment. All SEC covered persons shall conduct an institutional risk assessment as mandated by the 2018 IRR of the AMLA.

2.1. “Institutional Risk Assessment” refers to a comprehensive exercise to identify, assess and understand a covered person’s ML/TF threats, vulnerabilities and the consequential risks, with a view to mitigate illicit flow of funds and transactions.

2.2. The risk assessment should be commensurate to the size, nature and complexity of the covered person’s business and should enable it to understand how, and to what extent, it is vulnerable to ML/TF.

2.3. The risk assessment should be properly documented, regularly updated and communicated to the relevant covered person’s senior management.

2.4. Institutional risk assessment shall be conducted, at least, once every two (2) years, or as often as the board or senior management, the Commission or the AMLC may direct, depending on the level of risks found in the previous institutional risk assessment or other relevant AML/CFT developments that may impact the operations of the covered persons.

2.5. Covered persons should consider internal feedback within their organization, including from those who interact with customers, compliance risk management, and internal audit departments (where relevant), in performing their periodic risk assessments.

Section 3. Information to be Considered. In conducting their risk assessments, covered persons should consider quantitative and qualitative information obtained from relevant internal and external sources to identify, manage and mitigate these risks. This may include the National Risk Assessment (NRA) published by the AMLC, the Sectoral Risk Assessment conducted by the Commission, crime statistics, typologies, risk indicators, red flags, guidance and advisories issued by inter-governmental organizations, national competent authorities and the Financial Action Task Force (FATF), and AML/CFT mutual evaluation and follow-up reports by the FATF or associated assessment bodies.

Section 4. Risk Factors. In identifying and assessing indicators of ML/TF risk to which they are exposed, covered persons should consider a range of factors including:
a. The nature, diversity and complexity of its business, products and target markets;
b. The proportion of customers identified as high risk;

c. The jurisdictions in which the covered person is operating or otherwise exposed to, either through its own activities or the activities of customers, especially jurisdictions with greater vulnerability due to contextual and other risk factors such as the prevalence of crime, corruption, or financing of terrorism, the general level and quality of the jurisdiction’s prosecutorial and law enforcement efforts related to AML/CFT, the regulatory and supervisory regime and controls and transparency of beneficial ownership;
d. The distribution channels through which the covered person distributes its products, including the extent to which the securities provider deals directly with the customer and the extent to which it relies (or is allowed to rely) on third parties to conduct customer due diligence (CDD) or other AML/CFT obligations, the complexity of the transaction chain (e.g. layers of distribution and sub-distribution, type of distributors such as independent financial advisors, investment advisors) and the settlement systems used between operators in the payment chain, the use of technology and the extent to which intermediation networks are used;
e. The internal and external (such as audits carried out by independent third parties, where applicable) control functions and regulatory findings; and
f. The expected volume and size of its transactions, considering the usual activity of the covered person and the profile of its customers.

Section 5. Country/Geographic Risk. Country/area risk, in conjunction with other risk factors, provides useful information as to potential ML/TF risks. Factors that may be considered as indicators of higher risk include:
a. Countries/areas identified by credible sources as providing funding or support for terrorist activities or that have designated terrorist organizations operating within them;
b. Countries/areas identified by credible sources as having significant levels of organized crime, corruption, or other criminal activity, including source or transit countries for illegal drugs, human trafficking and smuggling and illegal gambling;
c. Countries subject to sanctions, embargoes or similar measures issued by international organizations such as the United Nations; and
d. Countries/areas identified by credible sources as having weak governance, law enforcement, and regulatory regimes, including countries identified by the FATF statements as having weak AML/CFT regimes, and for which financial institutions should give special attention to business relationships and transactions.

Section 6. Customer/Investor Risk. Covered persons should determine whether a particular customer/investor poses higher risk and analyze the potential effect of any mitigating factors on that assessment. Such categorization may be due to a customer’s occupation, behavior or activity. These factors considered individually may not be an indication of higher risk in all cases. However, a combination of them may warrant greater scrutiny. Categories of customers whose business or activities may indicate a higher risk include:
a. Customer is sanctioned by the relevant national competent authority for non-compliance with the applicable AML/CFT regime and is not engaging in remediation to improve its compliance;
b. Customer is a politically exposed person (PEP) or customer’s family members or close associates are PEPs (including where a beneficial owner of a customer is a PEP) as covered under Section 2.1.18 of the 2018 AML/CFT Guidelines;
c. Customer resides in or whose primary source of income originates from high-risk jurisdictions (regardless of whether that income originates from a cash-intensive business);
d. Customer resides in countries considered to be uncooperative in providing beneficial ownership information;
e. Customer acts on behalf of a third party and is either unwilling or unable to provide consistent information and complete documentation thereon;
f. Customer has been mentioned in negative news reports from credible media, particularly those related to predicate offenses for ML/TF or to financial crimes;
g. Customer’s transactions indicate a potential connection with criminal involvement, typologies or red flags provided in reports produced by the FATF or national competent authorities [e.g. financial intelligence unit (FIU), law enforcement etc.];
h. Customer is also a covered person, acting as an intermediary or otherwise, but is either unregulated or regulated in a jurisdiction with weak AML/CFT oversight;
i. Customer is engaged in, or derives wealth or revenues from, a high-risk cash-intensive business;
j. The number of suspicious transaction reports (STRs) on certain customers and their potential concentration on particular client groups;
k. Customer is a legal entity predominantly incorporated in the form of bearer shares;

l. Customer is a legal entity whose ownership structure is unduly complex as determined by the covered person or in accordance with any regulations or guidelines;
m. Customers who have sanction exposure (e.g. have business/activities/transactions exposed to the risk of sanctions); and
n. Customer has a non-transparent ownership structure.

Section 7. Product/Service/Transaction Risk. An overall risk assessment should include looking into the potential risks presented by specific products and services offered by the covered person. Transactions may be conducted on a regulated exchange or other market or they may be conducted between parties directly. A covered person should assess, using a risk-based approach, the extent to which the offering of its products and services presents potential vulnerabilities to placement, layering or integration of criminal proceeds into the financial system. Determining the risks of products and services offered to a customer may include a consideration of their attributes, as well as any associated risk mitigation measures. Products and services that may indicate a higher risk include:
a. Products or services that may inherently favor anonymity or obscure information about underlying customer transactions (e.g. bearer share instruments or the provision of omnibus account services);
b. The geographical reach of the product or service offered, such as those emanating from higher risk jurisdictions;
c. Products with unusual complexity or structure and with no obvious economic purpose;
d. Products or services that permit the unrestricted or anonymous transfer of value (by payment or change of asset ownership) to an unrelated third party, particularly those residing in a higher risk jurisdiction;
e. Use of new technologies or payment methods not used in the normal course of business by the covered person;
f. Products that have been particularly subject to fraud and market abuse, such as low-priced securities;
g. The purchase of securities using physical cash;
h. Offering bank-like products, such as check cashing and automated cash withdrawal cards;
i. Securities-related products or services funded by payments from or instructions given by unexpected third parties, particularly from higher risk jurisdictions;

j. Transactions wherein customers request the transfer of funds to a higher risk jurisdiction/country/corridor without a reasonable business purpose provided; and
k. A transaction is requested to be executed, where the securities provider is made aware that the transaction will be cleared/settled through an unregulated entity.

Section 8. Distribution Channel Risk. Products and services are typically distributed to customers directly (including online) or through intermediaries. An overall risk assessment should include the risks associated with the different types of delivery channels to facilitate the delivery of securities products and services.
a. Covered persons that distribute products or services directly through online delivery channels should identify and assess the ML/TF risks that may arise in relation to distributing its products using this business model. In addition to the analysis of risks performed in advance of engaging in such an online business, the risk assessment process for online delivery risk should be performed when the covered person develops new products and new business practices;
b. Covered persons should analyze the specific risk factors, which arise from the use of intermediaries and their services. Covered persons should understand who the intermediary is and perform a risk assessment on the intermediary prior to establishing a business relationship. Covered persons and intermediaries should establish clearly their respective responsibilities for compliance with applicable regulation. Assessing intermediary risk is more complex for securities providers with an international presence due to varying jurisdictional requirements, the potential risk of non-compliance by intermediaries with the applicable local AML/CFT regulations and the logistics of intermediary oversight. An intermediary risk analysis should include the following factors, to the extent that these are relevant to the securities providers’ business model:
  i. Intermediaries suspected of criminal activities, particularly financial crimes or association with criminal associates;
  ii. Intermediaries located in a higher risk country or in a country with a weak AML/CFT regime;
  iii. Intermediaries serving high-risk customers without appropriate risk mitigating measures;
  iv. Intermediaries with a history of non-compliance with laws or regulation or that have been the subject of relevant negative attention from credible media or law enforcement;
  v. Intermediaries that have failed to attend or complete AML/CFT training programs requested by the covered persons; and

  vi. Intermediaries that have weak AML/CFT controls or operate substandard compliance programs, i.e. programs that do not effectively manage compliance with internal policies and/or external regulation or the quality of whose compliance programs cannot be confirmed.

Section 9. Institutional Risk Management. The board of directors of the covered persons shall exercise active control and supervision in the formulation and implementation of institutional risk management. They shall be ultimately responsible for the covered persons’ compliance with the AMLA and TFPSA, their respective IRRs, and other AMLC issuances.

9.1. Covered persons shall:
  i. Develop sound risk management policies, controls and procedures, which are approved by the board of directors to enable them to manage and mitigate the risks that have been identified in the NRA, or by the AMLC, the Commission or the covered persons themselves;
  ii. Monitor the implementation of those controls and to enhance them if necessary; and
  iii. Take enhanced measures to manage and mitigate the risks where higher risks are identified.

9.2. Covered persons may adopt Reduced Due Diligence (RDD) to manage and mitigate risks if lower risks have been identified. Provided, that the requirements of Rules 13 to 16 of the 2018 IRR of the AMLA are met. RDD is not allowed whenever there is a suspicion of ML/TF.

CHAPTER II
AML/CFT RISK RATING SYSTEM OF THE SECURITIES AND EXCHANGE COMMISSION

Section 10. Risk Based AML/CFT Supervision. The Commission shall implement a risk-based AML/CFT supervision of its covered persons comprised of assessing the quality of controls to detect and deter ML/TF based on the assessed risks, including controls that are required by law. Such supervision shall be applied through off-site and on-site examinations, which can include questionnaires and dedicated meetings and shall be based on having appropriate access to all the books and records of each supervised covered person sufficient to provide all the information that the Commission needs.

Section 11. AML/CFT Risk Rating System (ARRS). Complementary to the risk-based approach to AML/CFT is the development and implementation of a risk-focused examination process and the adoption of an ARRS that will serve as a supervisory tool in measuring the effectiveness of the covered person’s AML/CFT framework and its level of compliance with AML/CFT rules and regulations.

Section 11. Adoption of the ARRS. The ARRS is to be used by the Commission in the conduct of its on-site examinations of covered persons. The adoption and implementation of the ARRS is intended to ensure that supervisory attention is appropriately focused on entities with inefficient Board and Senior Management oversight and monitoring, inadequacies in their AML/CFT framework, weaknesses in their internal controls and audit, and defective implementation of their AML/CFT procedures and policies. Covered persons are directed to give their utmost cooperation in the implementation of the ARRS.

SECTION 12. Composite Rating. Under the ARRS, each covered person is assigned a Composite Rating based on an assessment of three (3) components of a covered person’s framework and operations in the prevention of ML/TF. These component factors consist of the following:
a. Efficient Board of Directors (BOD) and Senior Management (SM) oversight;
b. Sound AML policies and procedures embodied in its Money Laundering and Terrorist Financing Prevention Program (MTPP) duly approved by the BOD; and
c. Effective implementation.

SECTION 13. Inherent and Residual Risks. The development and implementation of the risk rating system will have to take into account the inherent risks to which a covered person may be exposed and the level of its awareness of the risk, an assessment of the covered person’s risk profile based on the records of the Commission, the sectoral risk assessment to be conducted by the SEC in coordination with the AMLC and the institutional risk assessment to be conducted by the covered persons concerned. Apart from engendering awareness and an understanding of the risks, this will also enable the SEC to determine any residual risk that remains after the controls are put in place and implemented. The risk profile of a covered person shall initially be determined based on the following available information:
a. Value/size of assets or transactions – the larger the value and importance of the covered person, the easier it is for the criminals to disguise illegal transactions.
b. Complexity and diversity of products – the diversity and complexity of the products can attract more sophisticated money launderers and provide them with more opportunities to launder money.
c. Customer profile – assesses whether the covered persons are being used by high risk customers to launder money, i.e. PEPs, clients with foreign business or interests, non-resident clients, high-net-worth individuals.
d. Frequency of international transactions (cross-border funds flow, transactions with off-shore centers, tax havens and high-risk jurisdictions) – covered persons are at risk of ML/TF abuse if they engage in certain international transactions.

e. Distribution channels (deals directly with customers, uses the services of third parties or agents, to conduct customer due diligence process, non-face-to-face or the use of information and communication technology) – assesses the quality of the initiation of business relationships of the covered person, i.e. non-face-to-face initiation raises ML/TF vulnerability.
f. Record of compliance with relevant rules and regulations of the Commission.

SECTION 14. Control Risk. Assessment of the covered institution’s control risk shall cover the following components with their corresponding sub-components and risk factors:
a. Efficient oversight of the BOD and SM
  i. Corporate Governance
  ii. Compliance Office
  iii. Institutional Risk Assessment
  iv. Internal Audit
b. Detailed AML policies and procedures and strong internal control and audit
  i. Coverage and Risk Management Policies and Practices
  ii. Dissemination, continuing education and training program
c. Effective implementation of internal policies and procedures
  i. Customer Identification, Verification and Acceptance
  ii. Ongoing monitoring and customer due diligence
  iii. Covered Transaction Monitoring and Reporting System
  iv. Suspicious Transaction Analysis and Reporting System
  v. Record Keeping and Retention

SECTION 15. Rating System. Covered persons shall be evaluated using an overall composite rating of Weak, Needs Improvement, Satisfactory and Strong with the corresponding numerical scale of 1 to 4. The highest rating is 4 indicating a strong risk management system and most effective operational practices that entail the least degree of supervision. The lowest rating of 1 signifies a weak risk management system and defective implementation which requires the highest degree of supervision including the placement of the covered person within the framework of prompt corrective action. This should also correspond to an indication of the level of compliance with the AMLA and its IRR.

SECTION 16. Enforcement Actions.
For findings and/or deficiencies noted during the assessment and evaluation of the covered persons using the ARRS, the following shall apply:
a. An overall rating of 4 and 3 will require no enforcement action.
b. An overall rating of 2 and 1 will require submission by the covered person to the Anti-Money Laundering Division of the Enforcement and Investor Protection Department (AMLD-EIPD) of a written action plan duly approved by the BOD aimed at correcting the noted inefficiency in BOD and SM oversight, inadequacy in AML/CFT policies and procedures, weakness in internal controls and audit, and/or ineffective implementation within a reasonable period of time. The viability of the plan shall be assessed and the covered person’s performance monitored.
c. An overall rating of 1 shall be considered an indication that the AML/CFT framework and level of AML/CFT compliance of the covered person concerned is grossly inadequate. Prompt corrective action shall be immediately implemented by the covered person. The covered person shall be subjected to close monitoring and regular compliance audit by the AMLD-EIPD.
d. If after due notice and hearing, the Commission finds that there is a violation of the mandatory provisions of these guidelines or any order issued by the Commission in the implementation thereof including the failure of the covered person concerned to submit an acceptable plan within the deadline or to properly implement the action plan, the Commission may, in accordance with the provisions of the Revised Corporation Code of the Philippines (RCCP), impose any or all of the following sanctions taking into consideration the extent of participation, nature, effects, seriousness and frequency of the violation:
  i. Imposition of a fine ranging from Five Thousand Pesos (P5,000.00) to Two Million Pesos (P2,000,000.00), and not more than One Thousand Pesos (P1,000.00) for each day of continuing violation but in no case to exceed Two Million Pesos (P2,000,000.00);
  ii. Issuance of a permanent cease and desist order;
  iii. Suspension or revocation of the certificate of incorporation; and
  iv. Dissolution of the corporation and forfeiture of its assets under the conditions in Title XIV of the Revised Corporation Code of the Philippines.
e. Such violations shall likewise be a ground for the revocation of the secondary license of the erring or non-compliant corporation.
f. The findings of any violations of the AMLA and its IRR shall be endorsed to the AMLC for appropriate action.

SECTION 17. Repealing Clause. All rules, regulations, orders, circulars and issuances of the Commission that are inconsistent with this Memorandum Circular are hereby amended and/or repealed accordingly.

SECTION 18. Effectivity. This Memorandum Circular shall take effect fifteen (15) days after its publication in two (2) national newspapers of general circulation and its posting in the Commission’s website.

Pasay City, Philippines, _____ September 2020.

EMILIO B. AQUINO
Chairperson 24