2025-10-03
Issued by the Non-Bank Financial Institutions Regulatory Authority (NBFIRA), this 2025 guidance mandates that licensed non-bank financial institutions apply a risk-based approach to implement simplified customer due diligence for low-risk relationships. Institutions must document their institutional and customer risk assessments to justify applying reduced identification, verification, and monitoring requirements for specific clients or transactions, while explicitly excluding high-risk or complex cases. The framework ensures proportional compliance and financial inclusion by allowing flexible, ongoing monitoring without exempting entities from core anti-money laundering controls.
NBFIRA/RS/AML/CFT/GUD01 Page 1 of 16

GUIDANCE NOTE ON THE APPLICATION OF SIMPLIFIED DUE DILIGENCE (SDD) MEASURES ON CUSTOMERS

2025

NBFIRA/RS/AML/CFT/GUN01
4. DEFINITIONS

| Term | Definition |
| --- | --- |
| Customer Due Diligence (CDD) | The process where relevant information about a customer is collected and evaluated for any potential risk of commission of financial offences. |
| Customer Identification | Identification is a process of obtaining information about your customers for the purpose of knowing who they are. Customer identification is an essential element of an effective CDD program. |
| Customer Verification | This means checking reliable, independent source documentation, data or information that confirms the veracity of the identifying information obtained during the identification process. |
| De-risking | Refers to the phenomenon of financial institutions refusing to provide, terminating or restricting business relationships with customers or categories of customers to avoid risk rather than to sufficiently understand and manage the risk. |
| Enhanced Due Diligence | Refers to a higher level of due diligence required to mitigate the increased risk of commission of financial offence. This involves obtaining additional identifying information about customers. |
| Financial Inclusion | Refers to the access and active use of adequate and affordable financial services by individuals and entities that would benefit from such services. |
| Risk-Based Approach | Means to identify, assess, and understand the money laundering and terrorist and proliferation financing risks to which entities are exposed, and take the appropriate mitigation measures in accordance with the level of risk. |
| Simplified Customer Due Diligence | Refers to the lowest level of due diligence that can be completed on a customer. It is the basic and minimal process of identifying, verifying and conducting ongoing monitoring of a standard customer relationship and transactions. |

5. ACRONYMS AND ABBREVIATIONS

| Abbreviation | Full Phrase |
| --- | --- |
| AML/CFT/CPF | Anti-Money Laundering/Counter Financing of Terrorism/Counter Proliferation Financing |
| CDD | Customer Due Diligence |
| FI Act | Financial Intelligence Act |
| FATF | Financial Action Task Force |
| KYC | Know-Your-Customer |
| ML/TF/PF | Money Laundering, Terrorism Financing and Proliferation Financing |
| NBFIs | Non-Bank Financial Institutions |
| PIP | Prominent Influential Person |
| RBA | Risk Based Approach |
| Simplified CDD | Simplified Customer Due Diligence |
| STR | Suspicious Transaction Reporting |
| UNSC | United Nations Sanctions Committee |
6. RESPONSIBILITIES

Boards of directors (or most senior management in the absence of the former) of NBFIs are accountable and responsible for their entity’s compliance with provisions of the Financial Intelligence legislation, including those on the establishment and maintenance of an effective compliance function. The responsibility may be delegated to executive management to ensure compliance on day-to-day business activities as conducted by NBFIs.

7. INTRODUCTION

The Non-Bank Financial Institutions Regulatory Authority (NBFIRA) is a designated supervisory authority under Schedule II of the Financial Intelligence Act, 2022 (the Act) and is established to supervise non-bank financial institutions (NBFIs). NBFIRA, as a supervisory authority, is also obligated to establish and issue guidance notes and provide guidelines to facilitate NBFIs’ compliance with the Act. It is for this purpose that NBFIRA documented this Guidance Note for NBFIs’ reference.

NBFIs are designated as specified parties under Schedule I of the FI Act, having the responsibility of ensuring implementation of adequate controls against the commission of financial offences. The law requires NBFIs to adopt and implement robust Anti-Money Laundering, Counter Financing of Terrorism and Counter Proliferation Financing (AML/CFT/CPF) Policies, Controls and Procedures, which include:

i. an assessment of money laundering risk in each NBFI by carrying out an AML/CFT/CPF risk assessment;
ii. the development of policies which introduce controls to mitigate ML/TF/PF risk; and
iii. customer risk assessments on every customer/service to determine the type and extent of CDD to be undertaken.
7.1 OBJECTIVES

These guidelines provide clear standards on how to conduct simplified CDD at each stage of a business relationship with a customer:

i. when the relationship is established;
ii. when financial transactions with existing customers are performed; and
iii. on an ongoing basis after the business relationship is established.

The guidelines are not intended to be exhaustive nor to set limits for the steps to be taken by compliance officers in working to prevent ML/TF/PF. The Act involves a combination of risk-based and rules-based approaches to the prevention of ML/TF/PF; the general approach of designated persons should be to take the steps warranted by the risk of ML/TF/PF in any given circumstance.

7.2 CUSTOMER DUE DILIGENCE

Customer due diligence means the process where relevant information about a customer is collected and evaluated for any potential risk of the commission of a financial offence[1]. Financial institutions are required by the FI Act to identify a customer (whether permanent or occasional and whether natural or legal person or legal arrangement). They are further required to ascertain the said customer’s identity using reliable, independent source documents, data or information.

In terms of ML/TF/PF controls, CDD requires policies, practices and procedures that enable a financial institution to predict with relative certainty the types of transactions in which the customer is likely to engage[2]. An effective AML/CFT/CPF program is built on knowledge, i.e., the more financial institutions know about their customers, the greater the chance of preventing ML/TF/PF abuses.

[1] Financial Intelligence Act, 2022
[2] Association of Certified Compliance Specialists version 6.52

There are three different levels of due diligence that can be applied to a customer, and a financial institution’s CDD program must have a process in place to consider each level of due diligence that might be necessary. The three levels of due diligence are:

i. low level (simplified due diligence), which is applied where the risk of money laundering or terrorism financing is low;
ii. medium level (standard due diligence), the default level used for a vast majority of customers that are identified as neither low nor high risk; it entails standard verification processes;
iii. high level (enhanced due diligence), which is a heightened in-depth investigation used for individuals or situations where the risk of commission of a financial offence is high, such as with Politically Exposed Persons (PEPs).

7.3 FINANCIAL INCLUSION

Over time, the concept of financial inclusion has evolved to include not only access to financial services, but also the appropriate usage and quality of those services. Traditional financial inclusion efforts sought to address the needs of unserved individuals and entities that did not have access to regulated financial services or the underserved, being those with limited access.

According to the FATF, financial products and services developed by institutions for purposes of financial inclusion must include appropriate measures to mitigate identified risks. Such products and services can be developed in such a way that mitigation measures are embedded in their design. This can include, for example, monetary transfer limitations[3].

[3] FATF Guidance on Financial Inclusion and AML/TF Measures

The inappropriate application of the Risk Based Approach (RBA) on ML/TF/PF measures can facilitate financial exclusion, which can have the unintended consequence of driving financial activity to unregulated channels. Financial institutions should ensure appropriate RBA measures, including de-risking measures that enhance financial sector transparency and keep criminals out of the financial system. This will aid with the detection and reporting of suspicious transactions as well as facilitate law enforcement investigations.

An appropriate application of the RBA allows and encourages simplified measures where risks are lower. Regulated entities and supervisors should share a common understanding of risks to enable regulated entities to have confidence in applying simplified CDD measures as per the findings of their institutional risk assessments. Entities should use the results of the national risk assessment and sectoral risk assessments and share their institutional risk assessments with supervisors to avoid inconsistencies in the understanding of risks.

7.4 THE RISK-BASED APPROACH

An RBA requires that NBFIs identify, assess, and understand the ML/TF/PF risks to which they are exposed, and apply the appropriate mitigation measures in accordance with the level of risk. A risk-based approach will enable the NBFIs to dedicate resources relative to the risk level, i.e., apply enhanced measures in situations where the risks are higher and apply simplified measures where the risks are lower.

Before determining the level of due diligence to apply, NBFIs should understand the nature and level of risks they are exposed to in view of a particular customer. NBFIs should, before determining what level of due diligence to apply to a customer, consider all the relevant risk factors about that customer. NBFIs should apply simplified CDD measures when they are satisfied that the customer is at such a risk level.

FATF Recommendation 1 provides for financial institutions to maximise the use of limited resources by applying enhanced measures to manage higher risks, and simplified measures to manage low risk. Institutional failure to apply the RBA appropriately can result in disproportionately strict controls that contribute to higher compliance costs and reduce profitability[4].

[4] FATF Guidance Financial Inclusion and AML/CFT Measures

7.5 SIMPLIFIED CUSTOMER DUE DILIGENCE

Simplified customer due diligence (simplified CDD) refers to a set of basic minimal measures which must be in place when establishing a business relationship or carrying out an occasional transaction. It is applied where a customer or transaction has been assessed to have little opportunity of risk of a commission of a financial offence. Simplified CDD does not imply an exemption from CDD measures; rather, it means the lowest level of due diligence that can be completed on a customer.

Section 28 of the FI Act provides that NBFIs may apply simplified CDD measures to a particular business relationship or transaction where the risk of commission of a financial offence is considered low. The interpretive note to FATF Recommendation 10 states that in circumstances where the risk of ML/TF/PF is lower, simplified measures may be applied. The simplified measures may relate to customer acceptance measures, aspects of ongoing monitoring, or both. It is, therefore, important that where simplified CDD measures have been applied, the justification/rationale for the application of the measures be documented along with the ML/TF/PF risk assessment.
7.6 ELEMENTS OF A SIMPLIFIED CDD PROGRAM

| ELEMENT | DESCRIPTION |
| --- | --- |
| Risk Assessment | Assessment of risks associated with the customer or transaction. |
| Customer Identification | After determining the low-risk nature of the customer or transaction, the financial institution collects basic customer information. |
| Risk Profiling | After establishing the customer’s identity, the financial institution must create a risk profile of the customer which helps determine the level of due diligence required. |
| Ongoing monitoring | The continuous monitoring of customer activity and transactions to determine any changes in risk status, despite the simplified nature of the due diligence. |
7.6.1 STAGES OF SIMPLIFIED CDD

Stage 1: collection of basic information
Stage 2: determine the risk level
Stage 3: identify risk mitigating measures
Stage 4: apply proportionate simplified CDD measures
Stage 5: record keeping
Stage 6: ongoing monitoring

7.7 WHEN TO CONDUCT SIMPLIFIED CDD

Simplified CDD only comes into play in specific circumstances where the risk of commission of a financial offence is deemed low. The application of these simplified CDD measures must be justified by the results of the National Risk Assessment (NRA) which provides a national-level overview of financial related offenses. The results of the NRA should be used by regulated entities to inform their institutional ML/TF/PF risk assessment and customer risk assessments. Simplified CDD is predicated on the principle of proportionality, whereby the depth and breadth of due diligence measures are aligned with the assessed level of risk.
Simplified CDD must, therefore, be applied based on the conduct of the customer risk assessment and informed by the conduct of an institutional ML/TF/PF risk assessment, the board-approved risk appetite statement and risk tolerance levels for ML/TF/PF, which are, overall, also informed by the NRA. The following are examples of potentially lower risk situations to consider for the application of simplified CDD.

Customer risk factors:

i. Public companies listed on a stock exchange which imposes requirements to ensure adequate transparency of beneficial ownership;
ii. Public administrations or enterprises;
iii. Financial institutions and DNFBPs that are subject to AML/CFT/CPF requirements and have effectively implemented those requirements and are effectively supervised to ensure compliance with AML/CFT/CPF requirements;
iv. Retired persons with domestic transactions.

Product and service risk factors:

i. Offering a product or service with a low risk of ML/TF/PF;
ii. Pension schemes that provide retirement benefits to employees where member contributions are deducted from source;
iii. Products and services tailored and limited to certain types of customers for financial inclusion purposes.

Transaction risk factors:

i. Handling low value transactions under the de minimis threshold or transactions that are too small to be significant; for example, a life insurance policy where the premium is low (e.g., an annual premium of less than P 10 000).
Country risk factors:

i. Countries identified by mutual evaluation as having effective AML/CFT/CPF systems;
ii. Countries identified by credible sources as having a low level of corruption or other criminal activity.

The examples provided above are not exhaustive and are intended to be used as a guide only.

7.8 CHARACTERISTICS OF SIMPLIFIED CDD

Simplified CDD measures should be proportionate to the nature of the lower risk. Simplified CDD does not mean an exemption of CDD measures but includes basic and minimal measures that still respond to all the components of CDD. Below are some non-exhaustive and non-prescriptive common characteristics of a simplified CDD program:

i. Verification of the identity of the customer and the beneficial owner may be done after the establishment of the business relationship;
ii. Reduced frequency of customer identification updates;
iii. Reduced degree of ongoing monitoring and transactions scrutiny;
iv. Fewer information requirements on understanding the intended nature of the business relationship. The purpose and nature shall be inferred from the type of transaction or business relationship established;
v. Identifying and verifying the beneficial owner based on information from the customer’s profile.

Despite the above outlined simplified CDD characteristics, an NBFI must still respond to the four components of CDD outlined by the FATF. These include:
i. Customer identification and verification;
ii. Beneficial owner identification and verification;
iii. Understanding the purpose and nature of the relationship;
iv. Ongoing monitoring.

7.9 WHEN NOT TO CONDUCT SIMPLIFIED CDD

The following outlines the circumstances or situations in which NOT to conduct simplified CDD on a customer:

i. Where there is suspicion of a commission of a financial offence;
ii. Where the business relationship or transaction no longer poses a low risk of a commission of a financial offence;
iii. When in doubt of the veracity or accuracy of any information previously obtained when identifying and verifying the customer’s identity;
iv. In any case identified by the specified party, through a risk assessment, as one where there is a high risk of commission of a financial offence or from information provided to the specified party by a supervisory authority from the risk assessment or as part of supervision;
v. In any business relationship or transaction established in a high-risk jurisdiction or at the instance of an international organisation;
vi. When undertaking a transaction for a high-risk business;
vii. If the specified party has established that the customer or prospective customer is a PIP;
viii. In any case where the transaction is complex and unusually large, or there is an unusual pattern of transactions, or has no apparent economic or legal purpose;
ix. From transactions relating to beneficiaries of life insurance or other investment-related insurance policies, in accordance with section 23 of the FI Act, 2022;
x. In any case where the FATF has advised that measures should be taken in relation to a country as the country poses a threat to the international financial system;
xi. In any case where the Financial Intelligence Agency has reasonable belief that there is a risk that financial offences are being carried out in the country.

7.10 CONCLUSION

Knowledge is what the entire AML/CFT/CPF compliance program is built upon. The more an organization knows about its customers, the greater the chance of preventing ML/TF/PF abuses. The extent of due diligence that is performed on customers, whether simplified or enhanced, should be dependent on their ML/TF/PF risk. Financial institutions should take into account risk variables relating to the different ML/TF/PF risk categories, which can either alone or in combination increase or decrease potential risk posed. This has an impact on the appropriate level of CDD measures to be applied by the financial institution and tailored to the identified risks.

The levels of CDD measures applied to customers are not static since risks associated with customers evolve and risk levels of products assessed as lower risk may increase. Financial institutions are, therefore, required to update their risk assessments on an ongoing basis considering the changing ML/TF/PF typologies and in the event that criminals start to exploit the simplified controls.