2023-04-01
The Financial Services Authority of Seychelles issued this legally binding Code to establish mandatory standards for the compliance functions of licensed financial entities. Licensees must appoint a fit and proper Compliance Officer, maintain an independent compliance framework, and ensure robust risk identification, board reporting, and adherence to regulatory obligations. The Code details appointment criteria, exemption pathways, delegation rules, and reporting duties to ensure a consistent compliance culture across diverse business models while granting the Authority direct enforcement powers for non-compliance.
Code for Compliance Function

Bois De Rose Avenue, P.O. Box 991, Victoria, Mahé, Seychelles
Tel: +248 4380800 Fax: +248 4380888
Website: www.fsaseychelles.sc Email: enquiries@fsaseychelles.sc

Version: 3rd April, 2023
“regulatory obligation” means an obligation imposed by—
(a) the Financial Services Authority Act, 2013;
(b) the AML/CFT Act, 2020;
(c) the Beneficial Ownership Act, 2020;
(d) the Financial Consumer Protection Act, 2022;
(e) the relevant “financial services legislation” as defined under the Financial Services Authority Act, 2013;
(f) any binding Codes or Guidelines issued by the Authority;
(g) the Authority through directions or directives; or
(h) a condition attached to a licence granted;

“temporary absence” means a period of absence which is not more than twenty-eight (28) consecutive calendar days or a total of eighty-four (84) calendar days in a consecutive twelve (12) month period.

2. Introduction

2.1 The emergence of the compliance function is a relatively new initiative that aims to ensure that entities are conforming to rules, policies, standards and laws in order to act responsibly within the regulatory and legal frameworks of the jurisdiction within which they have been licensed.

2.2 As a concept, a strong compliance function allows an entity to operate its business in order to meet its objectives whilst ensuring that the entity is run in accordance with its obligations under the regulatory framework in which it operates. It also ensures the stability of that entity’s growth and mitigates any compliance risk.

2.3 Section 23 of the FSA Act stipulates the legislative requirements for the compliance function for licensees under the regulatory legislation (i.e. specified under Part 1 of Schedule 1 of the FSA Act) subject to the Financial Services Authority (Exemption) Notice, 2021.

3. Scope

3.1 This Code sets out the standards expected by the Authority in relation to the compliance function of licensees. The Code is designed to assist licensees in having efficient and effective compliance standards and sets out the minimum criteria that the Authority will use to assess the adequacy of a licensee’s compliance function.

3.2 This Code shall be applicable to licensees under the—
(a) International Corporate Service Providers Act;
(b) Securities Act, except for a representative of a securities dealer and representative of an investment advisor;
(c) Mutual Fund and Hedge Fund Act, except a legal person granted a fund license;
(d) Seychelles Gambling Act; and
(e) Insurance Act.

3.3 The contents of this Code are neither intended to, nor should be construed as an exhaustive treatment of the subject. Given the differences that exist in the organisational structure of licensees and the nature and scope of business activities conducted, licensees should adopt compliance standards which are commensurate to their respective risk exposures and business profiles. As such, the Authority will take into account the different circumstances of each licensee when assessing the adequacy of the compliance standards of that licensee.

3.4 The aim of this document is to provide clarification regarding the organisation of a compliance function, as well as the distribution of roles and responsibilities between the different functions of an organisation in relation to the compliance function.

3.5 The Authority may, after consultation with such persons or stakeholders, revise this Code by revoking, varying, amending or adding to its provisions.

4. Legal obligation

This Code is issued by the Authority in accordance with section 33(1) of the FSA Act. This Code has the force of law. Failure to comply constitutes the commission of an offence under section 33(5) of the FSA Act. Therefore, this Code must be adhered to by all licensees and must be considered and read in conjunction with the legislative framework under which the licensee operates. The Authority may, where it deems it necessary, take relevant enforcement action against licensees, their directors and/or officers for failure to comply with this Code.

5. Compliance function

5.1 The compliance function means the independent function that identifies, assesses, monitors and reports on the licensee’s compliance risk, including the provision of compliance training to members of staff and having responsibility for ensuring compliance by the licensee with its regulatory obligations.

General information about the compliance function

5.2 Compliance refers to the conformity with both international and domestic laws and regulations. Compliance is an independent line management responsibility, reporting ultimately to the board. The compliance function should, nevertheless, contribute to helping line management develop and implement an effective system of internal controls in order to identify, document and assess the compliance risks associated with the firm’s business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships.

5.3 The compliance function should have a preventive, advisory and supervisory role, with particular emphasis on—
(a) facilitating the effective identification of the risk of violation of relevant external requirements, such as compliance with laws, regulations and codes, as well as providing advice on risk reduction measures;
(b) developing and facilitating the implementation of internal controls that will provide the organisation with protection from compliance risk;
(c) monitoring and reporting on the effectiveness of control measures with recommendations for corrective action;
(d) providing the business with advice and assistance about acceptable ethical behaviours and practices when carrying out the firm’s obligations under the regulatory framework;
(e) providing analysis and early warning of regulatory change which may impact the business and ensuring that such change is communicated to the board and the management; and
(f) ensuring awareness and training.

5.4 When performing the tasks above, there should be cooperation between the compliance function and other departments, such as departments responsible for legal, risk, human resources, quality management, operations, internal control and internal audit matters.

Internal control

5.5 The term internal control encompasses the processes and measures that are intended to reduce or mitigate the risk of events that could threaten the organization’s achievement of its objectives. This is, among other things, to ensure effective and efficient operations, reliable reporting and compliance with external and internal regulations.

5.6 Internal control therefore implies not only typical or more commonly known control measures, such as authorisations, reconciliation procedures and quality assurance, but also controls that relate to attitudes, values, integrity, culture and expertise.

Operational risk and compliance risk

5.7 Operational risk is the risk of failure and loss arising from processes related to business operations. On the other hand, compliance risk is the risk associated with the company’s operations leading to violation(s) of regulatory requirements (including statutory regulations). Compliance risk is therefore considered to be an operational risk. For example, the possibility of failure in IT systems poses an operational risk, but if this also means that the business cannot fulfil a legal requirement that is supported by the IT system, the system’s failure can also be considered a compliance risk.

5.8 It is the responsibility of the organisation to establish a structure that is best suited to the achievement of effective risk management controls and measures. This assessment must be documented and subject to periodic review and amendments. Some organisations have divided the structure of the second-line’s monitoring between operational risk and compliance risk while other businesses have consolidated the functions within the same department. Regardless of their position, there should be a close dialogue and coordination of the work undertaken by the various functions. The organizational position and segregation of duties from other control functions are essential prerequisites for providing the compliance function with authority and the ability to exercise its role.

6. Responsibility of licensees

6.1 Licensees and their board of directors shall assume full responsibility for their compliance standards, including the establishment and maintenance of a well-designed, applied and monitored compliance framework. They must ensure that a compliance culture permeates the entire organisation.

6.2 It is the responsibility of licensees to—
(a) ensure that its regulatory obligations permeate its compliance standards;
(b) ensure that the compliance function remains independent;
(c) ensure that its compliance standards are commensurate with the nature, size, complexity, structure and diversity of its business, giving consideration to—
(i) the products and services it offers;
(ii) the characteristics of its clients, for example whether these are retail or institutional;
(iii) the structure and diversity of its operations (including the geographical spread of and the regulatory requirements applicable to its operations); and
(iv) the number of people that it engages to conduct its business;
(d) ensure that its compliance standards are adequate to identify compliance breaches;
(e) integrate its compliance standards within its overall business management function through the implementation of good governance, systems of control and corporate ethics;
(f) ensure that all its directors, officers and other employees are aware of their responsibilities in regards to the implementation of the licensee’s compliance standards and hold accountability for the same;
(g) hold itself to high standards when carrying on business, and at all times strive to observe the spirit as well as the letter of the law;
(h) collaborate with the relevant authorities in an open and co-operative manner;
(i) ensure that it does not engage in any actions or activities that may negatively affect the good repute of Seychelles as an international financial services center; and
(j) provide relevant economic and technological resources for the training of employees on compliance matters.

7. The board of directors

The board of directors of a licensee shall have the ultimate responsibility for the compliance function of the organisation. The board shall be responsible for the establishment, maintenance and oversight of the licensee’s compliance standards and shall ensure that this is in line with the scope of the business of the licensee. The rationale behind this is to reduce the risk exposure of the licensee, to guarantee that the licensee maintains a solid foundation for compliance, and to ensure that there are clear lines of reporting to the Board, taking into consideration relevant regulatory obligations, internal policies and procedures.

8. Appointment of Compliance Officer

8.1. Licensees shall appoint a Compliance Officer, who shall be approved as fit and proper by the Authority and who shall be responsible for overseeing the licensee’s compliance function per the provisions of section 23(2) of the FSA Act.

8.2. An application for approval as a Compliance Officer under the FSA Act must comprise—
(a) a cover letter; and
(b) a completed Personal Questionnaire Form accompanied by the relevant documents listed in the checklist.

8.3. In relation to sole traders, a director of the company may be appointed as a Compliance Officer. However, this will be subject to the director having the relevant academic/professional qualifications and work experience.

8.4. The Compliance Officer shall—
(a) be employed directly with the licensee under a valid contract of employment on a full time basis or, in the case of an outsourced service provider approved by the Authority, a valid outsourcing agreement;
(b) be resident in Seychelles;
(c) have sufficient seniority and resources to effectively perform his or her role; and
(d) be sufficiently independent to perform his or her role objectively.

8.5. The criteria to assess the fitness and propriety of a Compliance Officer shall be as specified under the relevant regulatory legislation (i.e. specified under Part 1 of Schedule 1 of the FSA Act) and as specified under the Code for Fit and Proper.

Note: The Code for Outsourcing of Compliance Function is only applicable to licensees under the Securities Act, 2007 and the Mutual Fund and Hedge Fund Act, 2008.

9. Exemption from the requirement to appoint a Compliance Officer

9.1 The Authority, in line with the power afforded to it under section 35(b) of the FSA Act, reserves the right to exempt certain categories of licensees from the obligation to appoint a Compliance Officer through the publication of a notice of exemption in accordance with section 35 of the FSA Act.

9.2 Licensees featured on the notice of exemption are only exempted from the requirement to appoint a Compliance Officer under section 23(2) of the FSA Act. This exemption does not extend to any other provisions of the Act. Despite being exempted from the requirement to appoint a Compliance Officer, licensees are not absolved from their obligations under section 23(1) of the Act.

9.3 Notwithstanding the exemption given under paragraph 9.2, licensees must in any case ensure the establishment and maintenance of a well-designed, applied and monitored compliance framework.

10. Compliance Officer appointed under the AML/CFT Act

10.1 A person approved by the Authority to serve as Compliance Officer under section 23(2) of the Act may also undertake the role of Compliance Officer under the AML/CFT Act. This appointment will, however, be dependent on whether the individual has the necessary qualifications and experience to undertake the role of Compliance Officer for AML/CFT purposes as provided by section 34 of the AML/CFT Act and Part 3 of the First Schedule of the AML/CFT Regulations.

10.2 Where individuals who are already determined fit and proper by the Authority, for the purposes of section 23(4) of the FSA Act, are being proposed to fulfil the role of Compliance Officer for the purpose of the AML/CFT Act, the Authority shall accept a formal letter from the licensee confirming the following information in lieu of a Personal Questionnaire Form—
(a) providing the details of the individual being proposed as Compliance Officer pursuant to section 34(1) of the AML/CFT Act;
(b) confirming that this individual is currently fit and proper as Compliance Officer for the purpose of the FSA Act; and
(c) declaring that the information held by the Authority in respect to the said individual is up to date, accurate and still applicable to the individual.

Note: Where any information previously submitted to the Authority is outdated, has changed or expired, this information should be resubmitted to the Authority. The documents submitted to the Authority should not exceed a period of 3 months prior to submission of the document.

11. Role of the Compliance Officer

11.1 Pursuant to Section 23(5) of the FSA Act, the Compliance Officer of a licensee shall be responsible for establishing and maintaining a program for training of staff and other officers of the licensee in regards to the licensee’s compliance function as well as the individual responsibilities of the licensee’s staff and officers with respect to the overall compliance function. The Compliance Officer is also responsible for overseeing the implementation of the procedures and compliance manual.

11.2 The responsibilities and duties of a Compliance Officer shall include, but not be limited to, the following—
(a) promote an ethical culture and a culture of compliance within the licensee;
(b) advise the board and senior management on all compliance matters;
(c) communicate the approved compliance policy and ensure that it is observed;
(d) co-ordinate the management of the licensee’s compliance risk;
(e) ensure that compliance risk is understood and managed, and that the licensee’s compliance systems are part of the fabric of business operations;
(f) identify, measure and assess the compliance risks associated with the licensee’s business, including the compliance risks associated with the material changes in, or the development of new products, types of business or customer relationships. This should address any shortfalls (policy, procedures, implementation or execution) related to how effectively existing compliance risks have been managed, as well as the need for any additional policies or procedures to deal with new compliance risks identified as a result of the annual compliance risk assessment;
(g) report to the board of directors on the management of the licensee’s compliance risk;
(h) keep the regulatory obligations of the licensee and the compliance systems and controls under review, identify any deficiencies, make regular assessment reports to the board of directors and make recommendations for any updates or revisions;
(i) promptly instigate action to remedy any deficiencies identified in the licensee’s compliance systems and controls;
(j) oversee the implementation of the compliance and keeping the manual under regular review;
(k) maintain a register of compliance breaches containing information on the date, nature and extent of each compliance breach and whether the breach has been reported to the Authority;
(l) immediately report to the Authority any serious compliance breach that he or she becomes aware of;
(m) ensure that the staff of the licensee are aware of the need for and the objectives of compliance and that they are familiar with, and understand, to the extent necessary to undertake their responsibilities, the regulatory regime, and any changes to it;
(n) ensure that the licensee complies with its reporting obligations to the Authority, including that the returns submitted to the Authority are accurate, complete and filed within the relevant time period;
(o) establish and maintain procedures for the monitoring and handling of complaints, and keep the complaints procedures under review;
(p) prepare and submit to the board of directors an annual compliance report;
(q) have a role in preventing or managing conflicts of interest;
(r) establish and maintain a training program for staff of the licensee concerning the licensee’s compliance function and their individual responsibilities;
(s) supervise the activities of compliance staff (if applicable); and
(t) act as the principal point of contact with the Authority on day-to-day regulatory matters.

12. Delegation of duties

12.1 The Compliance Officer may delegate certain duties to other employees within the compliance department. Where such a delegation is made, the Compliance Officer shall retain full responsibility for the delegated duties and for implementation of the compliance regime.

12.2 The Compliance Officer shall continue to exercise appropriate oversight to ensure that delegated responsibilities are effectively carried out.

13. Access by the Compliance Officer

The Compliance Officer of a licensee shall have unrestricted access to—
(a) the directors, senior officers and auditor of the licensee;
(b) the staff of the licensee, in order to seek information and explanations concerning compliance matters; and
(c) all documentation, registers, software management systems, such as the Customer Relationship Management (CRM), and any other information relating to the business of the licensee and its customers.

14. Independence of compliance function and Compliance Officer

14.1 Depending on the organizational structure of a licensee, the Compliance Officer may, to some degree, execute certain reporting to Senior Management, ideally the CEO of the licensee. However, ultimately and foremost, the Compliance Officer should report directly to the Board, as and when required, but at least twice annually.

14.2 Individuals working in the organization’s compliance function should, wherever possible, be organized independently from the operational part of the organization (i.e. line management). This means, for example, that the function should not perform or be responsible for operational activities.

14.3 Whilst the Authority notes that it may be more challenging for smaller businesses to create a specific position to undertake the Compliance Function, taking into consideration the sensitive nature attached to the function, the Authority reiterates that the function must be and remain a function which is entirely independent of the organisation. On that line, it is important that the job description of the Compliance Officer makes this clear, as it is a well appreciated fact that a mixture of roles can negatively impact the independence of the compliance function.

14.4 The Authority must emphasize that from the outset, businesses should have sufficient resources to have a well-functioning and independent compliance function. The function can involve line management in providing assistance in solving problems so long as this does not violate the independence requirements.

14.5 In undertaking the compliance function, the Compliance Officer shall—
(a) report directly to the board of directors;
(b) possess sufficient independence to perform his or her role objectively and effectively;
(c) be capable of exercising independent judgment and of acting upon his or her own initiative;
(d) not be subjected to any undue influence or pressure with respect to the carrying out of the compliance function;
(e) have sufficient seniority in the organisational structure of the licensee to—
(i) effectively undertake the compliance function;
(ii) communicate freely with the relevant Authorities concerning compliance matters on his or her own initiative; and
(iii) ensure that requests made, where appropriate, are acted upon by the licensee and its staff and recommendations are considered by the board of directors;
(f) have access to all relevant information and personnel necessary to carry out his or her responsibilities.

15. Temporary absence of the Compliance Officer

15.1. Licensees shall have foreknowledge of whether their Compliance Officer will be absent from office beyond the period specified for temporary absence.

15.2. Licensees shall notify the Authority in case the Compliance Officer will be absent from office beyond the period specified for temporary absence, including the timeframe that the Compliance Officer would be absent from office. The notification must be made, in writing, as soon as the licensee becomes aware that the Compliance Officer will be temporarily unable to fulfil its responsibilities.

15.3. If the period during which the Compliance Officer is unable to perform his or her functions exceeds the period specified for temporary absence, licensees shall make necessary arrangements for a designated person to undertake the compliance function during the temporary absence of the Compliance Officer. However, this arrangement cannot continue for a period of more than 3 consecutive months unless the Authority approves otherwise. For the period that the compliance function of a licensee is being undertaken by another designated person, the ultimate responsibility of the compliance function remains with the board of directors.

15.4. If the arrangement for a designated person continues for a period of more than 3 consecutive months, the licensee must propose either the designated person or another individual to the Authority to be vetted and approved as its Compliance Officer.

15.5. Licensees shall ensure through a due diligence check that—
(a) the designated person has adequate probity, competence, experience and soundness of judgement for fulfilling the responsibilities of the relevant position;
(b) the designated person has adequate knowledge and understanding of the legal and professional obligations being assumed;
(c) the designated person has adequate educational and/or professional qualifications; and
(d) the interest of clients is not likely to be threatened by the individual holding this position.

15.6. Licensees shall notify the Authority of the appointment of a designated person and provide details of the designated person. This notification is required to be made in writing.

15.7. Licensees shall maintain a record of all the temporary absences of their Compliance Officer and shall submit required notifications to the Authority in a timely manner.

16. Compliance manual

16.1 Licensees shall establish and maintain a compliance manual, which shall be approved by the board of directors. The compliance policy, systems and controls of a licensee shall be documented in the compliance manual and should be communicated, and be readily available, to the directors, officers and staff who have the responsibility of implementing them.

16.2 Licensees shall ensure that their compliance manuals are structured coherently and provide sufficient details to ensure that all their staff understand the compliance function, policies, systems and controls, and their individual roles in the compliance framework.

16.3 A compliance manual shall provide a compilation of compliance policies and procedures developed by the licensee in accordance with the laws and regulations.

16.4 The licensee shall—
(a) review and enhance its compliance and procedures manual at a minimum, once every two (2) consecutive years and following changes in relevant legislation;
(b) ensure that the manual is updated where there are substantial changes within the company itself, for instance if there is a change in size, customer profile, products/services being offered or complexity of services/products; and
(c) ensure that it files a copy of the updated compliance manual with the Authority every two years, or as and when the manual is updated.

17. Compliance with this Code

Licensees shall comply with this Code and, in addition, implement such supplementary practices as they consider necessary for the proper management and control of their business. Where a licensee considers or foresees that it may not be able to achieve full compliance with this Code for a temporary period (for example, for a short period after first being licensed), the licensee shall, in advance, notify the Authority in writing and submit a detailed plan of action, which should specify, amongst others, the relevant timescales within which it will come into full compliance with this Code.