COSOB Regulation No. 24-01 on the Prevention and Fight Against Money Laundering, Terrorism Financing, and Financing of Proliferation of Weapons of Mass Destruction

12 JOURNAL OFFICIEL DE LA REPUBLIQUE ALGERIENNE N° 67 4 Rabie Ethani 1446 7 octobre 2024 MINISTERE DES FINANCES Arrêté du Aouel Rabie El Aouel 1446 corresponding to 5 september 2024 approving the regulation of the commission for the organization and supervision of stock exchange operations (COSOB) n° 24-01 of 11 Moharram 1446 corresponding to 17 july 2024 relating to the prevention and fight against money laundering, terrorism financing and financing of the proliferation of weapons of mass destruction. ———— The Minister of Finance, Having seen legislative decree n° 93-10 of 23 may 1993, modified and completed, relating to the securities exchange; Having seen presidential decree n° 23-119 of 23 Chaâbane 1444 corresponding to 16 march 2023, modified, appointing the members of the Government; Decrees: Article 1st. — The regulation of the commission for the organization and supervision of stock exchange operations (COSOB) n° 24-01 of 11 Moharram 1446 corresponding to 17 july 2024 relating to the prevention and fight against money laundering, terrorism financing and the financing of the proliferation of weapons of mass destruction, attached to this decree, is approved. Art. 2. — This decree will be published in the Official Journal of the Algerian Democratic and Popular Republic. Done in Algiers, on Aouel Rabie El Aouel 1446 corresponding to 5 september 2024. Laziz FAID. ———————— ANNEX Regulation of the commission for the organization and of surveillance of stock exchange operations (COSOB) n° 24-01 of 11 Moharram 1446 corresponding to 17 july 2024 relating to the prevention and fight against money laundering of money, terrorism financing and financing of the proliferation of weapons of mass destruction. ———— The president of the commission for the organization and of surveillance of stock exchange operations (COSOB), Having seen ordinance n° 66-156 of 8 june 1966, modified and completed, establishing the penal code; Having seen ordinance n° 75-59 of 26 september 1975, modified and completed, establishing the commercial code; Having seen legislative decree n° 93-10 of 23 may 1993, modified and completed, relating to the securities exchange; Having seen law n° 05-01 of 27 Dhou El Hidja 1425 corresponding to 6 february 2005, modified and completed, relating to the prevention and fight against money laundering and terrorism financing; Having seen law n° 18-07 of 25 Ramadhan 1439 corresponding to 10 june 2018 relating to the protection of natural persons in the processing of personal data; Having seen executive decree n° 23-197 of 5 Dhou El Kaâda 1444 corresponding to 25 may 2023 fixing the list of activities eligible for the status of self-employed person and the modalities of registration in the national register of the self-employed; Having seen executive decree n° 23-428 of 15 Joumada El Oula 1445 corresponding to 29 november 2023 relating to the procedure for freezing and/or seizing funds and assets in the framework of the prevention and fight against terrorism financing and financing of the proliferation of weapons of destruction massive; Having seen executive decree n° 23-429 of 15 Joumada El Oula 1445 corresponding to 29 november 2023 relating to the register public of beneficial owners of legal persons of Algerian law; Having seen executive decree n° 23-430 of 15 Joumada El Oula 1445 corresponding to 29 november 2023 fixing the conditions and modalities of exercise by regulatory authorities, control and/or supervision of their missions in the field of prevention and fight against money laundering, terrorism financing and financing of the proliferation of weapons of mass destruction, vis-à-vis the regulated entities; Having seen the presidential decree of 5 Chaâbane 1444 corresponding to 26 february 2023 appointing the president of the commission for the organization and supervision of stock exchange operations; Having seen the decree of 29 Ramadhan 1443 corresponding to 30 april 2022, modified, appointing the members of the commission for the organization and supervision of stock exchange operations; After adoption by the commission for the organization and of surveillance of stock exchange operations, on the date of 11 Moharram 1446 corresponding to 17 july 2024; Enacts the regulation whose content follows: Article 1st. — In application of the provisions of article 10 bis 3 of law n° 05-01 of 27 Dhou El Hidja 1425 corresponding to 6 february 2005, modified and completed, aforementioned, this regulation sets the due diligence measures to take in matters of prevention and fight against money laundering, terrorism financing and financing of the proliferation of weapons of mass destruction that persons and organisms subject to the controls of the commission for the organization and supervision of stock exchange operations (COSOB) must put in place.

JOURNAL OFFICIEL DE LA REPUBLIQUE ALGERIENNE N° 67 13 4 Rabie Ethani 1446 7 octobre 2024 CHAPTER 1st GENERAL PROVISIONS Art. 3. — The regulated entities referred to in article 2 above are required to apply the provisions of this regulation, each insofar as it concerns them, according to the nature of the activities entrusted to them by the legislation and regulation in force. Art. 4. — In order to fight against money laundering, terrorism financing and financing of the proliferation of weapons of mass destruction, the regulated entities must put in place a permanent vigilance device which must be part of the overall risk management system. This vigilance device must be based on a risk-based approach and include the following elements: — client acceptance rules; — identification and knowledge of business relationships, client representatives, occasional clients and beneficial owners; — updating and conservation of documentation related to clients and the operations they perform; — the information system; — measures required in terms of organization, internal control, continuous training and awareness; — monitoring and control of operations; — suspicious transaction reports to the specialized body « CTRF »; — application of targeted financial sanctions, including the freezing of securities. The vigilance device must be adapted to the typology of risks, to the size of the regulated entity, to the nature, to the complexity and volume of its activities. CHAPTER 2 THE RISK-BASED APPROACH Art. 5. — Regulated entities must demonstrate vigilance by developing and maintaining an up-to-date written prevention program aimed at preventing, detecting and fighting against money laundering, terrorism financing and the financing of the proliferation of weapons of mass destruction. This program must be adapted to the nature of their activities and the associated risks and must include, among other things, policies, procedures and internal controls. Art. 2. — For the purposes of this regulation, the following terms are understood as:

• Commission: the commission for the organization and supervision of stock exchange operations provided for by the legislation in force;
• Specialized body: the financial intelligence processing unit « CTRF » provided for by the regulation in force;
• Regulated entities: stock exchange transaction intermediaries, keepers of securities depository accounts, collective investment schemes in securities, the Algiers Stock Exchange, the central depository (Algérie Clearing), venture capital companies and managers of crowdfunding platforms (Crowd-Funding);
• Client: the natural or legal person who deals with the regulated entity;
• Occasional client: the client who is not linked to the regulated entity by a continuous business relationship;
• Business relationship: the relationship established between the client and any regulated entity, linked to any activity;
• Subsidiary company: the company in which a person or group of persons united by a single interest owns, at least, 50% of the capital, or in which this person or these persons have an influential interest allowing them to control its management or general policy;
• Group: any financial, non-financial or professional group composed of a parent company or any other type of legal person that holds dominant shares and coordinates functions with the rest of the group in order to apply or implement control over the group, under fundamental principles, as well as branches and/or subsidiaries that are subject to policies and procedures for prevention against money laundering, terrorism financing and financing of the proliferation of weapons of mass destruction at the group level;
• Immediately and without delay: the rapid action to initiate the procedures provided for by this regulation, in application of the resolutions of the Security Council of the United Nations Organization and, in all cases, this deadline is set at 24 hours, at the latest, from the publication of the resolutions of the Security Council;
• Targeted financial sanctions: sanctions relating to the prevention and fight against terrorism and its financing as well as the prevention and fight against the financing of the proliferation of weapons of mass destruction, taken by resolutions of the Security Council of the United Nations Organization when it acts under chapter VII of the United Nations Charter.

14 JOURNAL OFFICIEL DE LA REPUBLIQUE ALGERIENNE N° 67 4 Rabie Ethani 1446 7 octobre 2024 Art. 6. — The program mentioned above is listed in a procedure manual validated by the board of directors or the supervisory board of the regulated entity. This procedure manual must be regularly updated by the regulated entity to ensure its compliance with laws and regulations in force and to adapt it to the evolution of its activities. Art. 7. — Regulated entities are required to take the following measures: — conduct an assessment of money laundering risks, terrorism financing and financing of the proliferation of weapons of mass destruction. This assessment must allow identifying, evaluating and understanding these risks according to the nature and size of the regulated entity concerned as well as the extent of its activities. This assessment must include: • the integration of information or conclusions of any risk assessment carried out by the State; • the identification, evaluation and understanding of risks associated with clients, countries or geographic regions, products and services, operations, as well as service delivery channels; • the taking into account of all risk factors associated before determining the overall level of risks and the type of measures to be implemented to mitigate them. — regularly update the assessment processes; — document the assessments performed, update them and conserve them; — establish an appropriate mechanism to report the results of the assessments to the general management of the regulated entity and to the competent authorities, upon completion or upon request; — explain and disseminate the results of the risk assessment to all employees. Art. 8. — Regulated entities must ensure that the measures taken to identify and evaluate money laundering risks, terrorism financing and financing of the proliferation of weapons of mass destruction allow: — to evaluate the risk profile of the business relationship with each client, while determining the objective and the nature expected of this relationship; — to identify changes in risks of money laundering, terrorism financing and financing of the proliferation of weapons of mass destruction related to new products and services offered, following the application of new technologies. Art. 9. — Regulated entities must take appropriate measures to: — identify and evaluate money laundering risks, terrorism financing and financing of the proliferation of weapons of mass destruction associated with the development of new services or products and new professional practices, including new ways of providing services and those resulting from the use of new or developing technologies in relation to each of the new products or existing products; — perform a risk assessment, before launching products, practices or technologies or their use; — take appropriate measures to manage these risks and mitigate them, including specific risks related to business relationships and transactions that do not involve the physical presence of the parties. Art. 10. — Based on the results of their own evaluation as well as the result of the national and sectoral risk assessment, regulated entities must do the following: — establish policies, controls and procedures approved by the board of directors or the supervisory board, supervise and strengthen them if necessary, in order to manage and reduce identified risks; — take enhanced measures to manage and mitigate identified risks as high; — put in place simplified measures to manage and reduce identified risks as low; — ensure permanent compliance with these procedures and their regular update; — monitor the implementation of these measures and strengthen them if necessary. CHAPTER 3 DUE DILIGENCE MEASURES TOWARDS CLIENTS Art. 11. — Regulated entities must put in place all appropriate due diligence measures towards clients in order to prevent and mitigate identified risks, as they emerge from the assessment cited in articles 7, 8 and 9 above. Art. 12. — Regulated entities must apply the due diligence measures provided for by this regulation towards clients and the operations they perform, according to the typology of risks they represent, taking into account the due diligence measures already implemented towards clients and operations.

JOURNAL OFFICIEL DE LA REPUBLIQUE ALGERIENNE N° 67 15 4 Rabie Ethani 1446 7 octobre 2024 Art. 13. — Under no circumstances is it authorized to hold anonymous or numbered securities accounts, or securities accounts under fictitious names, or to deal with unidentified persons or bearing fictitious names. Art. 14. — Policies and procedures related to « customer knowledge » must integrate the essential aspects of risk management and controls, including: — a policy for the acceptance of new clients; — the identification of clients and the beneficial owner, as well as the monitoring of movements and operations; — continuous monitoring of all clients. These procedures must be approved by the board of directors or the supervisory board. Regulated entities must: — conduct a careful examination of operations performed during the entire duration of the business relationship, in order to ensure that they are consistent with the knowledge they have of their clients, business activities and the risk profile of these clients, which includes, where applicable, the origin of funds; — ensure that documents, data or information obtained in the exercise of due diligence remain up-to-date and relevant. This implies the examination of existing elements, particularly for categories of clients presenting higher risks. Regarding existing clients on the date of entry into force of these new provisions, regulated entities are required to apply due diligence measures proportional to the risks they represent and must implement these provisions in a timely manner, taking into account the existence of previous client due diligence measures as well as the relevance of the information obtained. Art. 15. — Regulated entities must take the due diligence measures provided for by this regulation towards their clients when: — they establish business relationships; — they perform occasional operations whose amount is greater than two million (2,000,000) dinars, including in situations where the transaction is executed in a single operation or in several operations appearing to be linked to each other; — there is a suspicion of money laundering or terrorism financing or financing of the proliferation of weapons of mass destruction, regardless of any threshold provided for by this regulation; — they doubt the veracity or relevance of client identification data previously obtained. Art. 16. — The client identification procedure must take place before or during the establishment of the business relationship, as provided for in article 11 above, and must allow determining the identity and address of the client and, where applicable, the beneficial owner(s) as well as the object and the intended nature of the business relationship. In addition to the client's identity, the following must also be identified: — any beneficial owner; — attorneys and agents acting on behalf of others; — any other person claiming to act on behalf of the client. Art. 17. — Regulated entities must take client identification measures whether they are regular or occasional, national or foreign, and this, by obtaining the following information: In the case where the client is a natural person: • client identity: name and first name(s), nationality, place and date of birth, permanent address, national identification number, identity document number, place and date of issuance as well as its expiration date, mother's name, family status and spouse's name; • client's economic activity: nature of work or client's activity, sources of income, work address, name of the employer or employer organization as well as the amount of monthly income; • client's place of residence: actual or current residence; • client's contact details: phone number and email address; • origin of funds; • object and nature of the business relationship; • registration number in the commercial register, statistical identification number as well as tax identification number for natural persons having a merchant status; • national register number for natural persons having the status of self-employed entrepreneur. In the case where the client is a legal person, including any type of non-profit organization: • company information: corporate name, registration number in the commercial register, registered office, postal address, website (if available), sector of activity as well as description of activities;

16 JOURNAL OFFICIEL DE LA REPUBLIQUE ALGERIENNE N° 67 4 Rabie Ethani 1446 7 octobre 2024 • information on legal representatives: name and first name, place and date of birth, nationality, postal address, identity document number and position within the company; • additional information: company status, company organizational chart, activity report (if available) and proof of the origin of funds. Regulated entities are also required to determine the beneficial owners of clients and to take reasonable measures to verify their identity using information or data obtained from a reliable source, thus ensuring effective knowledge of beneficiaries. For agents and brokers acting on behalf of others as well as any person claiming to act on behalf of the client, regulated entities must, in addition to the documents mentioned above, verify the powers delegated to them. Furthermore, regulated entities must obtain any other information they deem necessary based on the nature and level of risks. They must also verify the authenticity of the documents provided and ensure that the information is consistent. Art. 18. — Notwithstanding the provisions of articles 11 and 12 above, when the risk of money laundering, terrorism financing or financing of the proliferation of weapons of mass destruction seems low, the verification by regulated entities of the client's identity and the beneficial owner can be carried out after the establishment of the business relationship, subject to the following conditions: — the verification is done as soon as reasonably possible; — the postponement is essential not to interrupt the normal course of business; — risks are effectively managed. Regulated entities must put in place risk management procedures regarding the conditions under which a client can benefit from the business relationship before verification. Art. 19. — The verification of the identity of beneficial owners for clients who are legal persons, such as mentioned in article 17 above, must be done by means of the following identification elements: — the identity of the natural person(s) holding, ultimately, a participation equal to or greater than 20% of the capital or voting rights in the legal person allowing them to exercise effective control; — in case of uncertainty about the identity of the beneficial owner(s) or their non-identification after the application of the first paragraph, the beneficial owner is the natural person(s) exercising, in fact or in law, directly or indirectly, a power of control or effective or legal control over the bodies in charge of the direction and management or over the general assembly or over the functioning of the legal person, by determining the content of the decisions taken by the general assembly, under the voting rights in which he acts, or having the power, as a partner or shareholder, to appoint or remove the majority of the members of the direction, management or control bodies of the legal person or any other control instrument; — when no natural person is identified after the application of the first and second paragraphs above, the identity of the relevant natural person occupying the position of senior manager is determined. In such cases, regulated entities must document the reasons for which they identified a senior manager as the beneficial owner of the client and must conserve the information related to the measures taken. Art. 20. — During the entire duration of the business relationship, regulated entities must collect,