Instruction No. 05/2024 of 12 June

INSTRUCTION NO. 05/2024 of 12 June SUBJECT: FINANCIAL SYSTEM

• Report on Combating and Preventing Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction
• Risk Assessment
• IT Tools and Applications

Given the need to define the Report model that Non-Bank Financial Institutions (NBFIs) supervised by the National Bank of Angola must follow in the context of Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction (ML/TF/PF), as well as the implementation of the risk assessment process and the adaptation of auxiliary IT systems inherent to compliance with obligations arising from ML/TF/PF; Under the combined provisions of paragraph 2 of Article 57 of Law No. 05/20 of 27 January, Law on Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction, Article 36 of Law No. 14/21 of 19 May, Law on the General Regime of Financial Institutions, paragraph f) of paragraph 1 of Article 31 and paragraph 1 of Article 98, both of Law No. 24/21 of 18 October, Law of the National Bank of Angola; I DETERMINE:

1. Object This Instruction defines the Report model that Non-Bank Financial Institutions (NBFIs) must follow in the context of Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction, as well as the implementation deadline for the risk assessment process and the adaptation of auxiliary IT systems under the provisions of Notice No. 02/2024 of 22 March on Rules and Procedures for Preventing and Combating Money Laundering and Terrorism Financing.

2. Scope This Instruction applies to Non-Bank Financial Institutions supervised by the National Bank of Angola, as provided for in paragraph 3 of Article 7 of Law No. 14/2021 of 19 May, Law on the General Regime of Financial Institutions.

3. Definitions For the purposes of this Instruction, the following are understood: a) Tools - programs that NBFIs use to perform simple and routine tasks; and b) IT Applications - specific programs aimed at meeting the needs of a particular corporate business through the automation of functionalities inherent to the stages of its management process.

4. Report on Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction. 4.1. The Report on Combating and Preventing Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction, hereinafter referred to as the ML/TF/PF Report, to be submitted by NBFIs, consists of: a) ANNEX I – Main Part; b) ANNEX II – Declaration by the Management/Administration Body; and c) ANNEX III – Self-Assessment Questionnaire. 4.2. The ML/TF/PF Report must be submitted by NBFIs with necessary adaptations, depending on their nature, size, and complexity.

5. Risk Assessment 5.1. NBFIs must conduct an Annual Institutional Risk Assessment, and whenever the nature, size, and complexity of the activity justify it, or when the business product presents lower exposure to ML/TF/PF risks, the assessment frequency may be extended up to two years. 5.2. For the purposes of the preceding sub-point, assessments must be submitted to the National Bank of Angola by March 10 of the corresponding year. 5.3. NBFIs must consider the adequacy of IT tools and applications, the level of knowledge and integrity of the Management/Administration bodies and employees regarding matters related to Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction, assigning a risk weight to each factor. 5.4. The risk assessment may be conducted with the assistance of reputable external entities with proven experience and knowledge in the subject matter.

6. IT Tools and Applications 6.1. NBFIs must implement and/or adapt IT tools and applications aimed at Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction, considering their individual characteristics, namely the nature, size, and complexity of the activity developed. 6.2. Without prejudice to the provisions of paragraph 2 of Article 9 of Law No. 05/20 of 27 January, Law on Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction, combined with Article 8 of Notice No. 02/24 of 22 March, NBFIs must ensure interoperability between the main NBFI system and the IT tools and applications for Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction, whenever they are autonomous from each other. 6.3. The interoperability referred to in the preceding sub-point must allow, at a minimum, the following: a) Interconnection between front-office and Compliance areas; b) Identification and verification of client identities; c) Inclusion of client registration forms, which must contain all mandatory identification fields; d) Definition of transaction limits in accordance with current regulations on operational rules associated with the subject and nature of the Non-Bank Financial Institution; e) Cross-referencing client data with the United Nations Sanctions List and Politically Exposed Persons (PEPs) List; f) Assess and assign the risk profile associated with clients and transactions; and, g) Monitor clients and transactions, allowing the generation of a client history, their transactions, and tracking changes in client behavioral profiles. 6.4. Without prejudice to sub-point 6.1., whenever circumstances justify it, the National Bank of Angola may waive the requirement to implement IT tools and applications. 6.5. Without prejudice to the preceding sub-point, in the event of a waiver for implementing IT tools and applications, NBFIs must ensure that, manually, they comply with all money laundering and terrorism financing prevention and combating requirements, with emphasis on: a) Identification and due diligence measures regarding clients, operations, and beneficial owners; b) Matching client or potential client data with politically exposed persons lists at the time of establishing the business relationship and before executing a transaction; and, c) Matching client and potential client data with lists of persons, groups, and entities designated by the United Nations Sanctions Committee and other internationally accepted lists, at the time of establishing the business relationship and before executing a transaction. 6.6. NBFIs must submit to the National Bank of Angola, by October 30, 2024, the Manual of Instructions and descriptive functionality of the implemented IT tools and systems.

7. Information Submission 7.1. NBFIs must submit to the National Bank of Angola the ML/TF/PF Report by January 31 of each year, reflecting the Institution's situation for the period between January 1 and December 31 of the previous year, containing the minimum information provided in the Annexes, which are an integral part of this Instruction. 7.2. For the purposes of the preceding sub-point, NBFIs must submit the ML/TF/PF Report to the National Bank of Angola in electronic PDF format to the email address prevencaobcft@bna.ao, and in physical format to the Financial Conduct Department (DCF).

8. Transitional Provisions Institutions must comply with the provisions of this Instruction by December 30, 2024.

9. Sanctions Non-compliance with the provisions of this Instruction constitutes an offense punishable under Law No. 5/20 of 27 January, Law on Preventing and Combating Money Laundering, Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction, and Law No. 14/21 of 19 May, Law on the General Regime of Financial Institutions.

10. Doubts and Omissions Doubts and omissions resulting from the interpretation and application of this Instruction are resolved by the National Bank of Angola.

11. Entry into Force This Instruction enters into force on the date of its publication. PUBLISH. Luanda, June 12, 2024 THE GOVERNOR MANUEL ANTÓNIO TIAGO DIAS

CONTINUATION OF INSTRUCTION NO. 05/2024 Page 2 of 32 ANNEX I Main Part

1. Institutional Information and Relevant Contacts of the Non-Bank Financial Institution 1.1 General Information a) Full corporate name; b) Type of Non-Bank Financial Institution; c) Registration number with the National Bank of Angola; d) Address of the Non-Bank Financial Institution. 1.2 Activities and Business Areas a) The Non-Bank Financial Institution's strategy regarding AML/CFT/CPF, including risk assessment and management criteria, duly formalized; 1.3 Identification of members of the management/administration body and employees with relevant functions; 1.3.1. Compliance Officer at the end of the reference period: b) Name; c) Date of commencement of duties; d) Direct telephone contact; e) Email address; and, f) Appointment minutes (attach as annex). 1.3.2. Internal Audit Function: a) Name; b) Date of commencement of duties; c) Direct telephone contact; and d) Email. 1.3.3. If Audit is outsourced, indicate: a) Name of the Internal Auditor; b) Service provision contract (attach); c) Direct telephone contact; and d) Email.

2. Policies and Procedures for AML/CFT/CPF Control 2.1 Identification and Due Diligence Obligation 2.1.1. Does the NBFI have a procedure for identifying clients and beneficial owners at the time of establishing a business relationship or executing transactions? Indicate the requested documents. 2.1.2. What information is requested from clients regarding the source and/or destination of funds related to establishing a business relationship and executing transactions? 2.1.3. Indicate the number of: a) In the total universe of executed transactions, indicate the percentage of occasional transactions executed, if applicable; b) Early loan repayments, if applicable; 2.2 Enhanced Due Diligence Procedures 2.2.1. Indicate the number of: a) Alerts generated by tools or information systems requiring Compliance intervention; and, b) Occasional transactions executed with clients holding the status of Politically Exposed Person (PEP). 2.3 Refusal Obligation 2.3.1. Does the NBFI have an implemented procedure to comply with the refusal obligation? Describe it. 2.3.2. Indicate the number of refusals in establishing business relationships or executing transactions. 2.4 Retention Obligation 2.4.1. Does the NBFI have implemented procedures to comply with the retention obligation? Describe it. 2.4.2. Describe the medium and location for archiving information regarding the conservation method, indicating: a) Type of durable medium used; and, b) Archiving location. 2.5 Reporting Obligation 2.5.1. Does the NBFI have a reporting procedure? Describe the information circuit in the process of reporting suspicious transactions (from the moment the suspicious situation is detected, until the eventual decision to report it to the competent authorities), including information on formal participants in the process. 2.5.2. Indicate the total number of reports to the Financial Intelligence Unit (FIU) of: a) Suspicious Transaction Reports (STR); and, b) Identification Reports of designated persons, groups, or entities (IDR). 2.6 Non-Disclosure Obligation 2.6.1. Does the NBFI have a non-disclosure procedure? Describe it. 2.6.2. Indicate the number of reports resulting from situations where the Financial Institution executed a suspicious transaction because it considered that refraining from executing it was not possible. 2.7 Cooperation and Information Provision Obligation 2.7.1. Does the NBFI have cooperation and information provision procedures? Describe them. 2.7.2. Indicate the number of cooperation and information provision requests received from the Entities listed below: a) Attorney General's Office (PGR); b) Financial Intelligence Unit (FIU); c) Judicial and Police Authorities; d) General Tax Administration (AGT). 2.8 Duty of Confidentiality 2.8.1. Does the NBFI have a confidentiality procedure? Describe it. 2.9 Training Obligation 2.9.1. Does the NBFI have a training procedure? Describe it. 2.9.2. Indicate the number of specific training actions on AML/CFT/CPF prevention directed at employees, which must include the following: a) Topic covered by the training action; b) Date of execution; c) Training entity; d) Name and role of trainers (internal/external); e) Duration (in hours); f) Supporting teaching material; g) Nature (internal or external training); h) Environment (in-person or distance training); i) Number of participating employees; j) Final evaluation of trainees. 2.10 Restrictive Measures 2.10.1. Does the NBFI have implemented means and mechanisms to ensure compliance with restrictive measures against persons, groups, or entities designated by the United Nations Sanctions Committee, related to Terrorism Financing and Proliferation Financing of Weapons of Mass Destruction? Describe them. a) In case of negative response, describe the adopted procedure. 2.10.2. Indicate the time interval between: a) Updating information on restrictive measures and the subsequent reflection in IT tools and applications, indicating: i. Are updates in real-time? ii. If not in real-time, what is the periodicity (in hours)? 2.10.3. At what point are client data cross-referenced with lists of designated persons, groups, and entities? a) Before establishing a business relationship? b) Before executing a transaction? c) During a business relationship?

3. Risk Management 3.1. Does the NBFI have a designated Compliance Officer? a) Describe their functions; and, b) Did the NBFI define policies, processes, and procedures to guarantee the autonomy and independence of the Compliance Officer? Describe them. 3.2. In cases where there is no segregation between the Compliance Function and other organizational units, did the NBFI define alternative mechanisms to mitigate potential conflicts of interest? 3.3. Does the NBFI have a risk management model for Money Laundering, Terrorism Financing, and Proliferation Financing of Weapons of Mass Destruction of the Non-Bank Financial Institution, containing at a minimum the following: a) Policies, procedures, and controls established to identify, assess, monitor, and control risks; b) Information on risk factors related to the activity; and, c) Information on risk factors inherent to clients and transactions.

4. Use of New Technologies, Products, and Services with Potential Impact on AML/CFT/CPF Prevention, If Applicable 4.1. Does the NBFI transact products and services through the use of new technologies? If affirmative, describe the implemented AML/CFT/CPF prevention and combating procedure. 4.2. Indicate the products and services transacted using new technologies.

5. Control of Compliance with the Regulatory Framework 5.1. Does the NBFI have an area responsible for controlling compliance with the regulatory framework regarding Preventing and Combating Money Laundering, Terrorism Financing, and Proliferation Financing of Weapons of Mass Destruction, if different from Compliance? If affirmative, indicate.

6. Control of Compliance with Obligations Related to Reporting Irregularities Provided for in Paragraph 1 of Article 13 of Notice No. 02/24 of 22 March 6.1. Does the NBFI have a procedure for detecting irregularities in the identification of clients and beneficial owners? Describe it. 6.2. Did the NBFI detect irregularities in the identification of clients and beneficial owners? Which ones? Indicate the number of irregularities.

7. Internal Audit a) Does the NBFI have an employee designated to perform the Internal Auditor function? b) Did the NBFI approve an audit plan for evaluating policies, processes, and procedures on AML/CFT/CPF? Evidence it. c) Indicate the date of the last internal audit action for the systematic evaluation of the effectiveness and efficiency of policies, procedures, and controls established within the AML/CFT/CPF Prevention and Combating Program; d) Indicate the date of the last internal audit action on the adequacy of IT tools and applications dedicated to Preventing and Combating Money Laundering, Terrorism Financing, and Proliferation Financing of Weapons of Mass Destruction; e) Indicate the identified shortcomings related to policies, procedures, controls, and IT tools and applications for Preventing and Combating Money Laundering, Terrorism Financing, and Proliferation Financing of Weapons of Mass Destruction, including the date of identification of the shortcoming, the process in question, comments from the responsible area, and respective corrective measures.

8. Tools and Information Systems 8.1. Indicate the name of the IT tools and applications for monitoring clients and transactions used in the Non-Bank Financial Institution regarding AML/CFT/CPF and describe their functionality, which must at a minimum perform: a) Documentary registration of clients and transactions; b) Cross-referencing client data with sanctions lists; c) Cross-referencing client data with PEP lists; d) Criteria for updating client data; e) Brief description on: i. All variables to determine assessment and classification of client and transaction profiles; ii. Classification and assignment of risk profiles for clients and transactions; iii. Percentage of clients associated with each risk profile relative to the total number of clients; iv. Periodicity of updating the risk profile associated with clients, business relationships, occasional transactions, and operations in general. 8.2. Information on whether the monitoring tool allows blocking of clients, operations, and listed entities, and the factors likely to trigger an automatic block; 8.3. Information on whether the IT tool allows the production of statistical data on alerts and their respective treatment; 8.4. Description of the main measures implemented to reduce the number of results considered false positives generated in IT tools and applications; 8.5. Indication on whether IT tools and applications record the history of participants, generated alerts, and due diligence performed on each analyzed alert.

9. Corrective Measures Adopted to Remedy Deficiencies Identified Following Supervisory Actions Conducted by the National Bank of Angola - BNA Description of procedures adopted for implementing and adopting corrective measures issued by BNA, indicating the following elements: a) Identified deficiency; b) Date of the deficiency note issued by BNA; c) Actions underway to remedy deficiencies; and, d) Date of correction or expected date for correcting the deficiency.

CONTINUATION OF INSTRUCTION NO. 05/2024 Page 3 of 32 ANNEX II Draft Declaration by the Management/Administration Body The Management/Administration Body declares that, to the best of its knowledge, the principles of the specific internal control system for Preventing Money Laundering, Terrorism Financing, and Proliferation Financing of Weapons of Mass Destruction reflect the requirements established in Law No. 5/20 of 27 January, Law on Preventing and Combating Money Laundering, Terrorism Financing, and Proliferation Financing of Weapons of Mass Destruction, combined with the provisions of Notice No. 02/2024 of 22 March, which establishes rules on the conditions for the effective implementation of obligations to Prevent and Combat Money Laundering, Terrorism Financing, and Proliferation Financing of Weapons of Mass Destruction. It further declares that the information contained in the Report to which this Declaration refers is true and appropriate. __________, ________ of ____________ of 20 Signature of Members of the Administration/Management Council

CONTINUATION OF INSTRUCTION NO. 05/2024 Page 4 of 32 ANNEX III Self-Assessment Questionnaire on Requirements for Preventing and Combating Money Laundering, Terrorism Financing, and Proliferation Financing of Weapons of Mass Destruction

Chapter	Description	Questions	Yes	No	Observations
A. Responsibilities of the Management/Administration Body		1. The Management/Administration Body of the Financial Institution is responsible for applying policies, procedures, and controls regarding the prevention of money laundering, terrorism financing, and proliferation financing of weapons of mass destruction.	1. Is there a defined, approved, and implemented AML/CFT/CPF prevention and combating strategy, adequate to the characteristics and business of the FI (size, nature, and complexity), covering all transactions and clients?
			2. Did the Management/Administration Body define and formalize a specific and independent organizational and functional structure for preventing and combating money laundering, terrorism financing, and proliferation financing of weapons of mass destruction?
			3. Did the Management/Administration Body designate one/more Compliance Officer(s) (or equivalent function) for preventing and combating money laundering, terrorism financing, and proliferation financing of weapons of mass destruction with a suitable profile for the role, defining and approving the content of the respective function?