2022-02-23

FMA Circular on Due Diligence Obligations for the Prevention of Money Laundering and Terrorist Financing

The Austrian Financial Market Authority issued this circular to provide guidance on the due diligence obligations imposed on obliged entities under the Financial Markets Anti-Money Laundering Act. It details the requirements for customer identification, verification of beneficial owners, ongoing monitoring, and risk-based enhanced or simplified due diligence measures. The document also addresses specific procedures for non-face-to-face operations, virtual asset service providers, and the application of these obligations to various financial institutions and business relationships.


Austria

Finanzmarktaufsicht


FMA CIRCULAR on Due Diligence Obligations for the prevention of money laundering and terrorist financing

Version: February 2022
Document No.: 01/2022
Publication date: 23.02.2022

Disclaimer: This circular does not constitute a legal regulation. It is intended to serve as guidance and reflects the FMA's legal interpretation. No rights and obligations extending over and above the provisions of the law can be derived from circulars.

CIRCULAR ON DUE DILIGENCE OBLIGATIONS

TABLE OF CONTENTS

1 Introduction
2 Obliged entities under the FM-GwG and execution by third parties
  2.1 Obliged entities
  2.2 Qualified third parties
  2.3 Outsourcing of due diligence obligations
3 Cases for applying due diligence obligations
  3.1 Establishing a business relationship
  3.2 Conducting an occasional transaction
  3.3 Incoming and Outgoing Payments in the case of Savings Deposits
  3.4 Suspicion of money laundering, terrorist financing or membership of a terrorist organisation
  3.5 Doubts in relation to Customer Identification Information
4 Scope of due diligence obligations
  4.1 Customer identification and verification
    4.1.1 General
    4.1.2 Determination of identity
    4.1.3 Verification of Identity
    4.1.4 Representation Relationships
  4.2 Determining and verifying the identity of trustors and beneficial owners
    4.2.1 Trusteeships
    4.2.2 Determining and verifying the beneficial owners:
    4.2.3 Mandatory inspection of the Register of Beneficial Owners
    4.2.4 Beneficial owners of companies and other legal persons
    4.2.5 Beneficial owners of Trusts
    4.2.6 Beneficial owners of foundations, comparable legal persons and legal arrangements similar to trusts
    4.2.7 Determining and verifying the beneficial owners:
    4.2.8 Verification of the beneficial owners of customers that entered in the Register of Beneficial Owners
    4.2.9 Checking Beneficial Owners using WiEReG Compliance Packages
    4.2.10 Making remarks
    4.2.11 Beneficial owners of private equity funds
  4.3 Collection of information about the purpose and intended nature of the business relationship
  4.4 Checking of the origins of funds
  4.5 Ongoing monitoring of the business relationship
  4.6 Updates
5 Non-face-to-face operations
  5.1 Online identification
    5.1.1 Organisational safeguards
    5.1.2 Procedural safeguards
    5.1.3 Compulsory termination of the online identification procedure
    5.1.4 Being conducted by service providers
  5.2 Electronic ID card
  5.3 Qualified electronic signature
  5.4 Registered postal delivery
  5.5 First payment made through a reference account
6 Point of time of application of due diligence obligations
  6.1 Application of due diligence obligations prior to establishment of a business relationship
  6.2 Application of due diligence obligations before carrying out an occasional transaction
  6.3 Exceptions
  6.4 Specificities for insurance undertakings
  6.5 Specificities of Business Relationships with Trusts or arrangements of a similar nature to a trust
  6.6 Application of due diligence obligations to existing customers
  6.7 Consequences of failure to apply due diligence obligations
7 Simplified due diligence
8 Enhanced due diligence
  8.1 Preliminary remarks
  8.2 High-risk third countries:
  8.3 High risk based on the obliged entity’s own risk assessment
  8.4 Branches, branch establishments or subsidiaries domiciled in high-risk countries
  8.5 Correspondent banking relationships
  8.6 Transactions and business relationships with politically exposed persons (PEPs)
  8.7 Inadmissible business relationships and measures for non-cooperative countries and territories
9 Registration of virtual asset service providers
  9.1 Conditions for the obligation to register
  9.2 Registration application pursuant to Article 32a para. 1 FM-GwG
  9.3 Notification of Amendments under Article 32a para. 3 FM-GwG
10 Annex
  10.1 Literature

Version: 18.12.2018

1 INTRODUCTION

1 The objective, on an international level within the Financial Action Task Force (FATF) and on a European level in Directive (EU) 2018/843 (5th Anti-Money Laundering Directive), is to prevent the financial system from being used for the purpose of money laundering and terrorist financing. It is intended to counteract the flow of monies and virtual currencies of a criminal origin and monies and virtual currencies determined for terrorist purposes, by means of obliged financial market participants being required to observe certain due diligence and reporting obligations.

2 In Austria, due diligence and reporting obligations contained in the Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz [1]) and the supplementary permissions about the beneficial owner in the Beneficial Owners Register Act (WiEReG; Wirtschaftliche Eigentümer Registergesetz [2]) form the central elements for an effective system for the prevention of money laundering and terrorist financing in the financial market. However, such a system can only be implemented effectively where the obliged entities under the FM-GwG co-operate accordingly by fulfilling the due diligence and reporting obligations placed upon them. The observance of due diligence and reporting obligations by obliged entities not only serves the prevention of money laundering and of terrorist financing, but also assists the criminal prosecution authorities in their work.

3 Money launderers and persons financing terrorism can only be prevented from abusing the financial system for these purposes where obliged entities collect sufficient information on the identity of their customers and the economic beneficiaries (trustors, beneficial owners), about the purpose and the nature of the desired business relationship and about the origin of the funds used, and update this information regularly and continuously monitor the business relationship. Obliged entities should therefore also be in a position to detect anomalies in relation to their customers, and if required to stop the corresponding transactions and to pass on the necessary information to the Financial Intelligence Unit (Geldwäschemeldestelle).

4 This circular does not constitute a legal regulation. It is intended to serve as guidance and reflects the FMA's legal interpretation. No rights and obligations extending over and above the provisions of the law can be derived from circulars.

5 Obliged entities under the FM-GwG comprise:

  • credit institutions pursuant to Article 1 para. 1 of the Austrian Banking Act (BWG [3]) and CRR credit institutions pursuant to Article 9 BWG that provide activities in Austria through a branch;
  • financial institutions pursuant to Article 1 para. 2 nos. 1 to 6 BWG (MN 6);
  • insurance undertakings pursuant to Article 1 para. 1 no. 1 of the Insurance Supervision Act 2016 (VAG 2016; Versicherungsaufsichtsgesetz 2016 [4]) and small insurance undertakings pursuant to Article 1 para. 1 no. 2 VAG 2016 respectively within the scope of their life insurance operations (classes 19 to 22 pursuant to Annex A of VAG 2016);
  • investment firms pursuant to Article 3 para. 1 of the Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018 [5]) and investment services providers pursuant to Article 4 para. 1 WAG 2018;
  • AIFMs pursuant to Article 1 para. 5 and Article 4 para. 1 of the Alternative Investment Fund Managers Act (AIFMG; Alternative Investmentfonds Manager-Gesetz [6]) and non-EU-AIFMs pursuant to Article 39 para. 3 AIFMG;
  • electronic money institutions pursuant to Article 3 para. 2 E-Geldgesetz 2010 [7];
  • payment institutions pursuant to Article 10 of the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018 [8]);
  • the Austrian Post with regard to its payment services;
  • financial institutions pursuant to points a) to d) of Article 3 (2) of Directive (EU) 2015/849 (4th Anti-Money Laundering Directive) established in another Member State where business operations are conducted through branches or branch establishments located in Austria as well as branches or branch establishments of such financial institutions that are authorised in third countries;
  • wind-down units pursuant to Article 84 para. 2 of the Bank Recovery and Resolution Act (BaSAG; Bundesgesetz über die Sanierung und Abwicklung von Banken [9]) as well as Article 3 para. 4 of the Federal Act on the Creation of a Wind-down Unit (GSA; Bundesgesetz zur Schaffung einer Abbaueinheit [10]);
  • wind-down entities pursuant to Article 162 para. 1 BaSAG in conjunction with Article 84 para. 2 BaSAG;
  • virtual asset service providers pursuant to Article 2 no. 22 FM-GwG (point 8).

6 A financial institution pursuant to Article 1 para. 2 nos. 1 to 6 BWG is an institution that is not a credit institution as defined in Article 1 para. 1 BWG that is authorised to provide one or several of the activities listed in Article 1 para. 2 BWG on a commercial basis, provided that the institution conducts such activities as its principal activity. The principal activity as defined for the purpose of qualifying as a financial institution is to be identified on the basis of the overall picture arising in the specific case in hand, i.e. taking into consideration all relevant factors of both qualitative and quantitative natures as well as criteria with regard to a flexible system. In any case, a principal activity shall be assumed to exist where the activity contributes 50 % to the entity's performance. [11] In addition, the existence of a principal activity is not assessed exclusively on the basis of the contribution of the activity to the entity's performance, i.e. a purely quantitative feature. Instead, based on the overall picture of the case in hand and on qualitative features, the question is whether an activity of an undertaking is a principal activity or whether this activity “due to its close relationship to the principal activity and due to its subordinate significance in comparison to the principal activity in accordance with public opinion appears to be comparable”. [12] In so doing, as part of a flexible system, the business plan and business strategy, the deployment of resources, returns, acquisitions and marketing etc. must be considered. [13] It should focus on whether a specific activity "by way of its nature has an autonomous character or is purely of an ancillary nature to the undertaking's other […] activities". [14] It should be noted in this context that the definition is based on the commercial law interpretation of the principal activity, and that an undertaking may not necessarily only have one principal activity. [15]

7 Joint control by the entity is not a compulsory condition for the provision of safe deposit services pursuant to Article 1 para. 2 no. 6 BWG, provided certain security obligations, especially regarding access control, are observed. [16]

8 A virtual asset service provider is any natural or physical person resident/domiciled in Austria or providing a service in Austria pursuant to Article 2 no. 22 FM-GwG in relation to virtual currencies pursuant to Article 2 no. 21 FM-GwG on a commercial basis for third parties. It also covers virtual asset service providers domiciled in another EU Member State or in a third country that actively offer or provide a service pursuant to Article 2 no. 22 FM-GwG in Austria.

9 Where designations used refer to natural persons, the formulation used applies to both genders.

[1] Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz), published in Federal Law Gazette I No. 118/2016 as amended.
[2] Beneficial Owners Register Act (WiEReG; Wirtschaftliche Eigentümer Registergesetz), published in Federal Law Gazette I No. 136/2017 as amended.
[3] Austrian Banking Act (BWG; Bankwesengesetz), published in Federal Law Gazette No. 532/1993, as amended.
[4] Insurance Supervision Act 2016 (VAG 2016; Insurance Supervision Act 2016), published in Federal Law Gazette I no. 34/2015, as amended.
[5] Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018), published in Federal Law Gazette I no. 107/2017, as amended.
[6] Alternative Investment Fund Managers Act (AIFMG; Alternative Investmentfonds Manager-Gesetz), published in Federal Law Gazette I No. 135/2013, as amended.
[7] Electronic Money Act 2010 (E-Geldgesetz 2010), published in Federal Law Gazette I No. 107/2010 as amended.
[8] Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018), published in Federal Law Gazette I no. 17/2018, as amended.
[9] Bank Recovery and Resolution Act (BaSAG; Bundesgesetz über die Sanierung und Abwicklung von Banken), published in Federal Law Gazette I No. 98/2014 as amended.
[10] The Federal Act on the Creation of a Wind-Down Entity (GSA; Gesetz zur Schaffung einer Abbaueinheit), published in Federal Law Gazette I No. 51/2014 as amended.
[11] Supreme Administrative Court (VwGH), 10.11.2017, Ro 2017/02/0023 citing further literature.
[12] Federal Administrative Court (BVwG), 02.08.2017, W230 2150836-1 citing further literature; VwGH 24.10.2018, Ro 2017/02/0025.
[13] The corporate identity, company name and the activity advertised on the undertaking's website may be taken into consideration in the assessment. Furthermore, it must also be taken into account whether "other items, other assets, another organisation and measures are necessary" for the performance of the activity in question (BVwG 02.08.2017, W230 2150836-1).
[14] BVwG, 02.08.2017, W230 2150836-1 citing further literature.
[15] In this case also BVwG 02.08.2017, W230 2150836-1.
[16] VwGH, 10.11.2017, Ro 2017/02/0023.

2 OBLIGED ENTITIES UNDER THE FM-GWG AND EXECUTION BY THIRD PARTIES

2.1 Obliged entities

10 Credit institutions and financial institutions, and virtual asset service providers, to whom the FM-GwG applies, are afforded the designation of “obliged entities” (Verpflichtete) under this law. All credit institutions and financial institutions listed in Article 2 nos. 1 and 2 FM-GwG with their registered office in Austria, including their business operations that they provide by way of the freedom to provide services in other Member States of the European Union and the European Economic Area (hereinafter: Member States) are covered by this term (MN 5). Branches and branch establishments of obliged entities in Member States are excluded from the scope of application of the FM-GwG.

11 In contrast, the business activities of obliged entities established in another Member State (freedom of establishment) or in a third country are covered by the scope of application of the FM-GwG, provided that such activities are provided through branches or branch establishments in Austria. On the other hand, if credit institutions or financial institutions from Member States are active in Austria under the freedom to provide services, the FM-GwG shall not apply to this activity. The supervision of such obliged entities and their business activities shall be conducted by the competent supervisory authority in their home Member State.

12 Electronic money issuers and payment service providers with their registered offices in another Member State, where they provide these services in Austria through service providers such as agents as defined in Article 4 no. 35 ZaDiG 2018, form a special case. Such service providers do not constitute a branch of the respective electronic money issuer or payment service provider, but are nevertheless to be qualified as another form of establishment. Electronic money issuers and payment service providers performing such activities therefore fall within the scope of application of the FM-GwG. However, in turn the out-and-out distribution and redemption of electronic money by natural or legal persons on behalf of an electronic money institution established in another Member State are excluded from this rule. [17] They must, however, continue to observe the legal regulations under national law in the respective Member State enacted in transposing the 4th Anti-Money Laundering Directive.

13 Obliged entities primarily rely on their staff members to fulfil the due diligence obligations stipulated in the FM-GwG. Additionally, for fulfilling (certain) due diligence obligations, qualified third parties (MN 14 et seq.) or outsourcing service providers and representatives (MN 20) may also be used.

[17] See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 15; covering the selling of electronic money products in tobacconists or supermarket chains.

2.2 Qualified third parties

14 Obliged entities may rely on the third parties listed in Article 13 paras. 3 and 4 FM-GwG (“qualified third parties”) to fulfil due diligence obligations – with the exception of the obligation to continually monitor business relationships pursuant to Article 6 para. 1 no. 6 FM-GwG. Where this approach is taken, no indications shall be allowed to exist that cause the obliged entity making use of a qualified third party to doubt that due diligence obligations will be fulfilled in a comparable manner. The obliged entity must review on a case-by-case basis whether the third party is a qualified third party listed in Article 13 para. 3 FM-GwG, or a third party that satisfies the conditions set forth in Article 13 para. 4 FM-GwG and therefore is a qualified third party.

15 Financial advisers active on a commercial basis as defined in Article 136a of the Commercial Code of 1994 (GewO 1994; Gewerbeordnung 1994 [18]) acting as intermediaries of life insurance products, and who are insurance intermediaries as defined in Article 137a para. 1 GewO 1994, where they are active in relation to life insurance, [19] shall be considered qualified third parties pursuant to Article 13 paras. 3 or 4 FM-GwG. This applies irrespective of whether the insurance intermediary is active as an “insurance agent” (cf. Article 43 of the Insurance Policy Act (VersVG; Versicherungsvertragsgesetz [20])) or as an insurance broker (cf. Article 26 of the Brokers Act (MaklerG; Maklergesetz [21])). It is generally possible to rely on commercially active financial advisers and insurance intermediaries as qualified third parties in conjunction with activities in the life insurance sector, provided they have been entered in the Insurance and Credit Intermediaries Register (Versicherungs- und Kreditvermittlerregister) of the “Gewerbeinformationssystem Austria (GISA)” [22], irrespective of whether they hold an Austrian trade licence or are active in Austria under the freedom of establishment or the freedom to provide services. Obliged entities must review on a case-by-case basis whether financial advisers active on a commercial basis or insurance intermediaries established (or resident) in a third country may be considered as a qualified third party.

16 The obliged entity retains ultimate responsibility for the observance of due diligence and reporting obligations where a qualified third party is used to do so.

17 Obliged entities must collect the necessary information without delay from the qualified third party that they will rely upon to fulfil the respective due diligence obligations. In this regard “without delay” means that the necessary information must be received by the obliged entity at latest at the time of the application of the respective due diligence obligations (MN 284ff). Furthermore, obliged entities shall ensure, e.g. by means of an appropriate agreement, that, at their request, the qualified third party shall make copies of the documentation used for fulfilling the respective due diligence obligations as well as any other relevant documentation regarding the identity of the customer or the beneficial owner. The obliged entity must document how the observance of this obligation is ensured, and make it available to the FMA upon request.

18 If the Member State in which the third party is established has implemented the 4th Anti-Money Laundering Directive, or if the third country in which the third party is established has equivalent due diligence and retention obligations or supervision rights as defined in Article 13 para. 4 FM-GwG [23], then the obliged entity may rely on the information and documents provided by the third party where, having conducted the necessary plausibility check, the obliged entity is not aware of any indications that the third party does not fulfil the corresponding due diligence and retention obligations. Such indicators may primarily arise following examination of the information and documents received, as well as from penalties published by supervisory authorities and reporting in the media.

19 Simplifications exist for cases in which qualified third parties [24] are used that belong to the same group (Article 14 no. 1 FM-GwG) and where the further conditions set forth in Article 14 paras. 2 and 3 FM-GwG are fulfilled. The necessary information and files as well as (copies of the) documentation are collected as part of the policies and procedures to be applied throughout the group pursuant to Article 24 FM-GwG, and it is no longer necessary to apply the rules on the transmission of information and copies of the files and other relevant documentation. Upon request, the information and (copies of the) documentation that were collected by the obliged entity during the programme at group level and that are necessary to fulfil the due diligence obligations shall be made available to the FMA.

2.3 Outsourcing of due diligence obligations

20 Pursuant to Article 15 FM-GwG obliged entities may also make use of outsourcing service providers or representatives for fulfilling due diligence obligations. The FM-GwG does not stipulate any restrictions with regard to which due diligence obligations may be outsourced. The question of whether an outsourcing per se is permissible must be assessed in accordance with the respective supervisory laws that apply to the obliged entities. [25] For example:

  • obliged entities for whom BWG applies are required to observe the provisions on outsourcing pursuant to Article 25 BWG;
  • obliged entities for whom WAG 2018 applies are required to observe the provisions on outsourcing pursuant to Article 34 WAG 2018 in conjunction with Articles 30 to 32 of Delegated Regulation (EU) 2017/565;
  • obliged entities for whom ZaDiG 2018 applies are required to observe the provisions on outsourcing pursuant to Article 21 ZaDiG;
  • obliged entities for whom AIFMG applies are required to observe the provisions on the transferring of functions pursuant to Article 18 AIFMG;
  • obliged entities for whom InvFG applies are required to observe the provisions on the transferring of tasks of the management company to third parties pursuant to Article 28 InvFG;
  • obliged entities for whom the E-Geldgesetz 2010 applies shall apply the provisions on outsourcing pursuant to Article 15 para. 3 E-Geldgesetz 2010 in conjunction with Article 21 ZaDiG 2018;
  • obliged entities for whom the VAG 2016 applies must observe Article 5 no. 37 VAG 2016. [26]

Please consult the FMA Circular on Internal Organisation for more detail about outsourcing.

[18] The Commercial Code 1994 (GewO 1994; Gewerbeordnung 1994), published in Federal Law Gazette I no. 194/1994, as amended.
[19] Respectively with their place of incorporation (residence) in Austria, in a Member State or under the conditions stipulated in Article 13 para. 4 with their place of incorporation (residence) in a third country.
[20] The Insurance Policy Act (VersVG; Versicherungsvertragsgesetz), published in Federal Law Gazette No. 2/1959, as amended.
[21] The Real Estate Broker Act (MaklerG; Maklergesetz), published in Federal Law Gazette No. 262/1996, as amended.
[22] See also https://www.gisa.gv.at/at.gv.wien.fshost-gisa-at/user/formular.aspx?pid=f3cbbd2e05c54d8d889b1bddcb648fa2&pn=Bacc9a84823284ea099c0af9ff5837cda.
[23] When reviewing the equivalence of third countries, the steps taken in the review, the considerations addressed and the outcome of the review are required to be documented.
[24] In this case they must be the qualified third parties as defined in Article 13 FM-GwG described here. Article 14 FM-GwG shall not apply to other third parties which do not fall under the definition of qualified third parties pursuant to Article 13 FM-GwG. See Article 28 (a) in conjunction with Article 26 (1) of the 4th Anti-Money Laundering Directive.
[25] See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 11.
[26] In the case of the due diligence obligations for the prevention of money laundering and terrorist financing, “material operational tasks” as defined in Article 25 BWG, “operational tasks, which […] are material” as defined in Article 34 WAG 2018, “important operational tasks” as defined in Article 21 ZaDiG 2018, “functions” as defined in Article 18 AIFMG and Article 28 InvFG and “operational duties” as defined in Article 15 E-Geldgesetz 2010 or “functions” as defined in Article 5 no. 37 VAG 2016.

3 CASES FOR APPLYING DUE DILIGENCE OBLIGATIONS

21 Article 5 FM-GwG lists the cases in which the due diligence obligations set forth in Article 6 FM-GwG shall be applied. Where possible in specifically applying Article 5 FM-GwG, all the due diligence obligations stipulated in Article 6 FM-GwG must therefore be applied.²⁷

22 Article 6 para. 5 FM-GwG defines the necessary risk orientation for the application of due diligence obligations. The variables listed in Annexes I, II and III to the FM-GwG are to be taken into consideration as a minimum. Customer level risk evaluation forms the basis of a risk-based and appropriate application of due diligence obligations. Obliged entities must be able to prove towards the FMA that the implemented measures are adequate.

3.1 Establishing a business relationship

23 Pursuant to Article 5 no. 1 FM-GwG, obliged entities shall apply the due diligence obligations pursuant to Article 6 FM-GwG when establishing a permanent²⁸ business relationship (MN 25) towards customers pursuant to Article 2 no. 15 FM-GwG. “When establishing” does not really differ in meaning from “prior to” establishing,²⁹ and it must therefore be ensured that the measures pursuant to Article 6 para. 1 nos. 1-5 FM-GwG have already taken place at the time the contract is concluded.

24 For example, a permanent business relationship exists once

  • a current account is opened;
  • a savings account is opened;
  • a securities account is opened;
  • a credit account is opened;
  • safe deposit services are provided;
  • a life insurance policy contract is concluded;
  • savings deposits business pursuant to Article 31 BWG and business relationships pursuant to Article 12 DepotG are established.

25 Article 2 no. 10 FM-GwG defines how a business relationship is to be understood in FM-GwG. That provision states that only such business, professional or commercial relationships fall within the scope of application of the FM-GwG that are associated with an obliged entity’s commercial activities – upon which basis it qualifies as an obliged entity under the FM-GwG. The FM-GwG

27 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 6.
28 Cf. Article 2 no. 10 FM-GwG.
29 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 6.

therefore clearly explains that it does not capture all contractual relationships of an obliged entity. Business activities not constituting a business relationship of the obliged entity to a customer as defined in Article 2 no. 15 FM-GwG do not fall in the scope of the FM-GwG (e.g. due diligence obligations do not apply towards contractual partners for rental contracts, contracts with cleaning companies or IT service providers, or energy supply contracts and similar arrangements). Furthermore, when the contract is established, a certain degree of permanence is to be assumed about the business relationship to be established. Objective circumstances are therefore assumed for assessing this criterion, with the actual duration of a business relationship or the intended duration (by one side or both sides) not playing any role in this context. The establishing of a business relationship is therefore not excluded in the case of a customer only wishing to settle a one-off transaction by means of a contract for a current account to then terminate the contract immediately thereafter. Instead it is to be assumed based on the objective circumstances that such a business relationship will be for a certain duration when concluding a contract for a current account. In contrast, several occasional transactions may be conducted (concluded in quick succession), without a business relationship being established.

26 Subsequent application of due diligence obligations is only permissible within the scope of Article 7 paras. 2 and 3 FM-GwG (see MN 290 et seq.).

3.2 Conducting an occasional transaction

27 The wording of the law explains that “occasional transactions” defined in Article 5 no. 2 FM-GwG apply only to such transactions that are not provided within a business relationship as defined in Article 2 no. 10 FM-GwG. Article 2 no. 15 FM-GwG states that any person is considered a customer, rather than any person who has established a business relationship with the obliged entity, or wishes to establish one, as well as any person for whom the obliged entity conducts a transaction or intends to conduct one, that does not fall within the scope of a business relationship (occasional transaction).

28 Due diligence obligations shall be applied to occasional transactions that involve the transfer of at least Euro 15 000³⁰. Examples of such individual transactions include the buying and selling of foreign instruments of payment or the discounting of bills of exchange or cheques.

29 In the case of individual transactions, an obligation to apply due diligence obligations primarily exists once the Euro 15 000 threshold is reached or exceeded. However, where clear connections exist between several individual transactions and the amounts of these transactions do not individually reach or exceed Euro 15 000, but do cumulatively, then due diligence obligations pursuant to Article 6 FM-GwG must also be applied.

30 A connection exists between several individual transactions conducted in close succession to one another, where such transactions could also have been performed as a single transaction, but were however instead split up for whatever reason. If it subsequently emerges that the amounts

30 In the case of foreign currencies and virtual currencies as defined in Article 2 no. 22 FM-GwG, where the amount reaches the equivalent of EUR 15 000.

of several single transactions, between which a connection clearly exists, reach or exceed Euro 15 000, then the due diligence obligations shall apply, once this circumstance is determined.

31 The due diligence obligations set out in Article 6 FM-GwG shall additionally also apply pursuant to Article 5 no. 2 lit. b FM-GwG in the case of transfers of funds as defined in Article 3 no. 9 of Regulation (EU) 2015/847 (“Transfer of Funds Regulation”) where the transfer amount exceeds Euro 1 000. The legal wording differs from Article 5 no. 2 lit. a FM-GwG in that Euro 1 000 must be exceeded rather than merely being reached.

32 An aggregation rule, as exists for transactions (Article 5 no. 2 lit. a FM-GwG), does not exist in the cases of transfers of funds, under which the due diligence obligations would also have applied to a single transfer of funds when the total amount exceeds Euro 1 000. In this case, while the obligation exists to transmit information about the payer and payee by the payment service provider in accordance with Article 4 et seq. of the Transfer of Funds Regulation, the FM-GwG’s due diligence obligations are not required to be applied. They are only required to be applied where either a single transfer of funds exceeds Euro 1 000 or several transfers of funds individually for under or over Euro 1 000 reach a total of Euro 15 000, since under Article 5 no. 2 lit. b FM-GwG transfers of funds are also conceptually considered to be transactions. Article 5 no. 2 lit. a FM-GwG therefore also applies in this final case.

33 Article 6 para. 5 FM-GwG also applies to occasional transactions, for which obliged entities may apply a risk-oriented approach for determining the scope of the applicable due diligence obligations. The customer’s risk level is deduced from information collected during the initial business contact, based especially on the type and amount of the transaction to be conducted. In this context, the purpose of the occasional transaction (e.g. payment of a bill) and information about the payment recipient may provide indications. Obliged entities must in any case verify and check the identity of the customer. Furthermore, depending on how the case in hand is classified, further due diligence obligations (especially the collection and checking of information about the origin of the funds used; verifying and checking of the beneficial owners; determining in relation to the customer, whether the beneficial owner or the trustor is a politically exposed person (PEP)) may be conducted on a risk-oriented basis. Criteria for such a risk-oriented approach may include the frequency of incoming and outgoing payments, the prominence of the recipient/payer involved, the geographical proximity of the recipient/payer, the amount of the transaction, the business activity/profession of the recipient/payer or the business model of the obliged entity.³¹ Atypical recipients or recipient countries and large cash payments by persons considered as non-residents shall be considered as factors that increase the level of risk.

34 The FMA also refers in this context to the Transfer of Funds Regulation that is directly applicable in Austria, which prescribes certain obligations in the case of transfers of funds as defined in Article 3 no. 9 of the Transfer of Funds Regulation for the payment service providers involved (Article 3 no. 5 of the Transfer of Funds Regulation) and intermediary payment service providers

31 Taking into consideration these criteria especially in the case of transactions that are made from an account (e.g. the receiving of daily cash receipts [from third parties], or deposits using a paying-in slip) simplifications may arise regarding the application of due diligence obligations.

(Article 3 no. 6 of the Transfer of Funds Regulation). Payment service providers and intermediary payment service providers established in the EEA shall also have to take into account the European Supervisory Authorities’³² “Joint Guidelines under Article 25 of Regulation (EU) 2015/847 on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee, and the procedures they should put in place to manage a transfer of funds lacking the required information” (JC/GL/2017/16) (publication date 16.01.2018).³³ EBA Guidelines determine what the appropriate supervisory practices are from the ESAs’ perspective in the area of prevention of money laundering and terrorist financing within the European System of Financial Supervision or how Union law should be applied in a specific area. Pursuant to Article 16(3) of the EBA Regulation³⁴ competent authorities and obliged entities must make every possible effort to comply with the Guidelines. Article 25 para. 3 FM-GwG stipulates that the FMA is required to apply Guidelines and Recommendations and other measures issued by EBA.

3.3 Incoming and Outgoing Payments in the case of Savings Deposits

35 In addition to establishing savings deposits business pursuant to Article 5 no. 1 FM-GwG, due diligence obligations defined in Article 6 FM-GwG pursuant to Article 5 no. 3 FM-GwG also apply to incoming and outgoing payments in relation to savings deposits for amounts of at least Euro 15 000.

36 A rule aggregating the values of transactions as set forth in Article 5 no. 2 lit. a FM-GwG, in accordance with which the due diligence obligations set forth in Article 6 FM-GwG shall apply where several individual incoming or outgoing payments exceed Euro 15 000, does not exist for savings credit balances, but the regulations set forth in Articles 31 and following BWG must however be considered.

37 Orders in relation to a savings deposit by means of a credit transfer³⁵ or cheque shall not be permissible. Incoming payment transactions made in cash and credit transfers into (still existing anonymous) savings accounts shall only be allowed to be received or credited pursuant to Article 7 para. 9 FM-GwG irrespective of their amount where due diligence obligations have been applied towards customers pursuant to Article 6 FM-GwG. Furthermore, outgoing payments shall not be allowed to be conducted from these savings accounts, again irrespective of the amount involved, pursuant to Article 7 para. 10 FM-GwG with such savings accounts required to be specially marked.

38 In this regard, Article 32 para. 4 BWG only stipulates to whom an outgoing payment shall be allowed to be made. A condition for an outgoing payment being made in accordance with one of the cases listed in Article 32 para. 4 BWG, is however the fulfilment pursuant to Article 7 para. 10 FM-GwG of the due diligence obligations set forth in Article 6 FM-GwG.

32 The European Banking Authority (EBA); the European Insurance and Occupational Pensions Authority (EIOPA); the European Securities and Markets Authority (ESMA).
33 See also the FMA Circular on Internal Organisation.
34 Regulation (EU) No 1093/2010.
35 Exceptions to this principle are defined in Article 32 para. 3 BWG.

3.4 Suspicion of money laundering, terrorist financing or membership of a terrorist organisation

39 Due diligence obligations shall also be applied pursuant to Article 5 no. 4 FM-GwG, if the institution suspects or has reasonable grounds to suspect that the customer belongs to a terrorist organisation (Article 278b StGB) or the customer objectively participates in transactions which serve the purpose of money laundering (Article 165 StGB – including asset components stemming directly from a criminal act on the part of the perpetrator)³⁶ or terrorist financing (Article 278d StGB). This obligation exists irrespective of the magnitude of the amount or the insurance premium.

40 Objective involvement in the listed transactions does not mean that blame necessarily needs to be apportioned to the customer. The customer is therefore not required to know, or even seriously consider it possible, or resign themselves to the fact (Article 5 para. 1 StGB) that the transactions in which they are involved are being used for money laundering or terrorist financing. It shall suffice for the obliged entity to suspect or have justified reason to assume that the customer’s transaction satisfies the objective elements of the offence defined in Article 165 StGB or the objective elements of the offence defined in Article 278d StGB. The customer’s intent is not required to be proven, and not required to be checked by the obliged entity. The due diligence obligations set forth in Article 6 FM-GwG shall also be applied pursuant to Article 5 para. 4 FM-GwG to customers that are exploited as an unintentional tool by third parties - as a rule the economic beneficiaries.

41 Regarding customers in a permanent business relationship with the obliged entity, the obliged entity must already hold their identification details. Where doubts now exist about the customer’s identity due to suspicions that have arisen, then irrespective of Article 5 no. 5 FM-GwG, the identification details must be collected again or missing information added and the collected information (in some circumstances in combination with existing information) subjected to another review. To verify the received information it would be feasible to collect additional further documents, data and information that originates from a credible and independent body.

42 Where a suspicion or justified reason for an assumption as defined in Article 16 FM-GwG arises, the obliged entity is required to inform the Financial Intelligence Unit (Geldwäschemeldestelle) about this suspicion. In such cases, the obliged entities are furthermore required pursuant to Article 20 para. 1 FM-GwG to suspend the application of due diligence obligations where they may reasonably assume that doing so might impede the pursuit of the beneficiaries of a suspicious transaction.

43 However, where online identification of a customer is used (Article 6 para. 4 no. 1 FM-GwG) and where a suspicion exists or a justified assumption of one of the cases in Article 5 no. 4 FM-GwG, then the online identification is to be concluded and the submission of a suspicious activity report pursuant to Article 16 FM-GwG considered (Article 5 para. 2 Online-IDV).

36 Even though self-laundering is already covered under Article 165 StGB by the activity of money laundering.

3.5 Doubts in relation to Customer Identification Information

44 Where a staff member of the obliged entity doubts the authenticity or adequacy of identification data of the customer, then a repeat or supplementary identification process must be conducted pursuant to Article 5 no. 5 FM-GwG about the information for which doubts exist.

45 Where doubt exists about the authenticity or the adequacy of the proof of identity, then further documents, data and information are to be requested that originate from a credible and independent body to verify the identity information collected, and to be applied for identity verification.

46 Where doubts are not assuaged by the recent or supplementary identification, additional appropriate due diligence measures must be taken. In the case of an online identification procedure, it must be completed (Article 5 para. 2 Online-IDV). In such cases the making of a suspicious activity report pursuant to Article 16 FM-GwG should in any case be considered. Furthermore, the ramifications defined in Article 7 para. 7 FM-GwG must be considered where obliged entities are not in a position to fulfil the due diligence obligations in Article 6 FM-GwG.

47 If in such cases a circumstance exists that is required to be reported, and where the obliged entity is able to reasonably assume that the application of due diligence obligations might impede the pursuit of the beneficiary of a suspicious transaction, then the application of due diligence obligations shall be suspended pursuant to Article 20 para. 1 FM-GwG, and a suspicious activity report made instead.

4 SCOPE OF DUE DILIGENCE OBLIGATIONS

4.1 Customer identification and verification

4.1.1 General

48 The identification and verification of the (potential) customer pursuant to Article 6 para. 1 no. 1 FM-GwG and persons authorised to represent them pursuant to the concluding part of Article 6 para. 1 FM-GwG by obliged entities constitutes a core due diligence obligation with regard to the prevention of money laundering and terrorist financing.

49 The identification process is split into two sections, firstly that of determination of identity (MN 51 et seq.) followed by the verification of identity (MN 57 et seq.). Determination of identity means collecting information about the identity of a natural or legal person, while verification of identity deals with the checking of the information held based on documents, data or information which originate from a credible and independent source, including electronic means for identification purposes and relevant trust services pursuant to Regulation (EU) No. 910/2014 as well as other secure procedures for remote or electronic identification in accordance with Article 6 para. 4 FM-GwG.

50 The information that is collected and verified during the identification process is required to be documented. Furthermore, copies of the documents and information that are required for fulfilling the customer due diligence obligations pursuant to Article 21 para. 1 no. 1 FM-GwG are required to be retained for the duration of ten years following the ending of the business relationship or following the conducting of an occasional transaction.

4.1.2 Determination of identity

51 When collecting information about the identity of a customer it is necessary to differentiate between necessary and supplementary information.

52 Necessary information for identifying a natural person are forename(s) and surname(s), date of birth and place of residence.

53 In order to be able to draw up a comprehensive KYC profile for a customer, obliged entities also require additional information about the identity of a natural person on a risk-oriented basis. These may include the job, employer or type of self-employed activity, nationality, country of birth, signature, telephone number and e-mail address.

54 Necessary information about the identity of a legal person are the company name³⁷, legal form, country of registration, registration number³⁸, registered office, forename(s) and surname(s), date of birth and place of residence of the management bodies as well as other persons authorised³⁹ to represent the legal person towards the obliged entity (see MN 100).

55 Supplementary information to be collected on a risk-oriented basis, in the case of legal persons, may be telephone numbers, e-mail addresses, VAT numbers, or where such information exists, information about the structure of the group. Additional information for the KYC profile of a legal person may also be found on its website.

56 If an obliged entity is unable to collect the necessary and if need be supplementary information about the identity of a natural or legal person, e.g. because the customer fails to cooperate accordingly, then a business relationship shall not be allowed to be established, and an occasional transaction shall not be conducted.⁴⁰

4.1.3 Verification of Identity

4.1.3.1 Natural persons

57 In the case of natural persons, the verification of their identity is generally⁴¹ conducted by personally submitting an official photo identification document. Pursuant to Article 6 para. 2 no. 1 FM-GwG an official photo identification document is a:

  • document issued by a governmental authority,
  • containing a non-replaceable (i.e. to be attached by the issuing authority) recognisable photograph of the face of the person to be identified and
  • the name,
  • the date of birth,
  • the signature of the person to be identified, as well as
  • the issuing authority.

58 Austrian passports, driving licences and personal identity cards are in any case considered as official photo identification documents and may be used for identification purposes.

37 In the case of legal persons for which an entry in the Commercial Register is not required, and where they choose not to do so voluntarily, it shall suffice if the obliged entity knows the name/designation used in legal communication instead of the company name.
38 In Austria, the Commercial Register (Firmenbuch) number or the number in the Central Register of Associations (Zentraler Vereinsregister) (ZVR-Zahl).
39 As a rule this only covers such persons authorised to represent the legal person towards the obliged entities in legal transactions.
40 Article 7 para. 7 FM-GwG; see MN 301 et seq. for further details.
41 See MN 246 et seq. about the potential exceptions; in the event that payments are made to the administrator of the bankruptcy estate or the insolvency estate in the case of insolvent customers, their identity shall not be checked on the basis of a photo identification document. In this case, proof of appointment by the insolvency court shall suffice (e.g. from the insolvency database (Ediktsdatei)).

Identification documents that are not considered official photo identification documents as defined in the FM-GwG are identification documents that were not issued by a government authority or where the photograph was affixed by the bearer, or where a photograph may be changed without any visible traces being left behind⁴². Travel passes for public transportation, school pupil identification documents and ski passes therefore cannot be used for identification purposes.⁴³

59 A photo identification document shall be considered as having been issued by a government authority, where it was issued by an entrusted body within the scope of its sovereign functions. Therefore, for example, identification cards for doctors, attorneys and notaries may also be used for identification purposes. With regard to whether student identification documents pursuant to Article 6 para. 2 no. 1 FM-GwG qualify as official photo identification documents, it is necessary to differentiate whether or not the issuing university or technical college is active within its administrative jurisdiction – and therefore is a government authority. Universities are active within their administrative jurisdiction pursuant to the Universities Act 2002 (UG; Universitätsgesetz 2002), Danube University Krems pursuant to the Federal Law on the University for Continuing Education Krems (DUK-Gesetz 2004; Bundesgesetz über die Universität für Weiterbildung Krems) and public teaching training colleges pursuant to the Higher Education Act of 2005 (HG 2005; Hochschulgesetz 2005). Student identification documents from such establishments therefore fulfil the criterion of being issued by a government authority and may – provided they also fulfil the other conditions set out in Article 6 para. 2 no. 1 FM-GwG – therefore be considered as suitable proof of identity. Private teaching training colleges and private courses of studies, private university courses of studies as well as private courses pursuant to the HG 2005 as well as private universities pursuant to the Private Universities Act (PUG; Privatuniversitätengesetz) and technical colleges pursuant to the Act on Studies at Technical Colleges (FHStG; Fachhochschul-Studiengesetz), irrespective of the legal rank of the legal entity, do not act within their administrative jurisdiction when issuing a student identification card, and therefore in this regard do not qualify as government authorities. Student identification documents from such establishments do not qualify as official photo identification documents pursuant to Article 6 para. 2 no. 1 FM-GwG as they do not fulfil the criterion of being issued by a government authority.

60 Official photo identification documents that have already expired may also be applied for identification purposes, where they are credible. For the assessment of whether an official photo identification document is a suitable proof of identity, the validity period of the document is not decisive, instead its suitability is decisive (whether a positive match of the photograph with the person identifying themselves, comparing of signatures etc. is possible).⁴⁴ An expired official photo identification document is not automatically no longer suitable as proof of identity

42 e.g. by the lamination of other security features being damaged as a result of the photograph being changed.
43 In this context, see also the School Savings Schemes Due Diligence Regulation (Schulspar-SoV; Schulsparen-Sorgfaltspflichtenverordnung - published in Federal Law Gazette II No. 2/2017), the Corporate Provision Funds Risk Analysis and Due Diligence Regulation (BVK-RiSoV - published in Federal Law Gazette II No. 4/2017) and the Regulation on Due Diligence for Fiduciary Accounts (AndKo-SoV; Anderkonten-Sorgfaltspflichtenverordnung - published in Federal Law Gazette II No. 5/2017).
44 With regard to an expired passport see VwGH 9.9.2013, 2011/17/0336.

especially where the relevant identification information about the person to be identified has been determined as being unchanged.

61 Foreign official photo identification documents may be used for identification purposes, provided they fulfil the necessary criteria (MN 57). Foreign travel documents that authorise the bearer to enter Austria are in particular considered as suitable proof of identity. Furthermore, driving licences issued by Member States shall also be considered as suitable photographic proof of identity, where they conform to the harmonised design rules set out in Directive (EU) 2006/126/EC (3rd EU Driving Licence Directive).⁴⁵

62 In the case of foreign travel documents the criteria for the signature and full date of birth may be waived, where doing so corresponds to the law of the issuing land. In any case such a foreign travel document must have been issued by a government authority.

63 Obliged entities must assure themselves about the authenticity of the submitted official photo identification documents. In particular, it is necessary to check whether the criteria listed in MN 57 are fulfilled, and whether the official photo identification document submitted is in an intact state⁴⁶. Furthermore, the visual security features of the identification document must be checked.⁴⁷

64 While checking the identification details of the physically present natural person, the person shown in the headshot and the person identifying themselves must be compared. The signature contained in the official photo identification document must also be compared with that of the person identifying themselves. Where irregularities emerge during this comparison, then the obliged entity must take further steps to resolve irregularities (e.g. by collecting additional documents from the person to be identified). Similarly, this also applies for comparing the calculated age on the basis of the date of birth printed in the official photo identification document with the estimated actual age.

65 Asylum seekers, persons who have been granted asylum, or foreigners without a right of residence, who are unable to be deported for legal or factual reasons (hereinafter: tolerated persons), in many cases do not possess any other identification document than a proof of identity that was issued to them in accordance with the provisions of the Asylum Act 2005 (AsylG; Asylgesetz 2005⁴⁸) or the Aliens Police Act 2005 (FPG; Fremdenpolizeigesetz 2005⁴⁹).⁵⁰ As a rule, the following identification documents are issued in such cases:

45 In this case it applies to driving licences that have been issued since 19.01.2013.
46 It should be ensured in particular that the lamination is intact and the obliged entity must check there is no suggestion that would allow the conclusion to be reached that the photo was only subsequently attached to the official photo identification document.
47 A good resource for information about travel and identity documents for all EU Member States, Iceland, Norway and Switzerland and in particular about the security features of the respective documents can be found on “PRADO – Public Register of Authentic travel and identity Documents Online” at: http://www.consilium.europa.eu/prado/en/prado-start-page.html.
48 Asylum Act 2005 (AsylG; Asylgesetz 2005), published in Federal Law Gazette I no. 100/2005, as amended.
49 Aliens Police Act 2005 (FPG; Fremdenpolizeigesetz 2005), published in Federal Law Gazette I no. 100/2005, as amended.
50 In the restricted instance (albeit one that is generally obliged to be permitted) of concluding a payment account with basic functions by means of a framework agreement, see also MN 71ff.


  • Procedure Cards (Article 50 AsylG);
  • Residence Entitlement Cards (Article 51 AsylG);
  • Cards for Persons Having Entitlement to Asylum (Article 51a AsylG);
  • Cards for Persons Holding Subsidiary Protection Status (Article 52 AsylG);
  • Cards for Tolerated Persons (Article 46a FPG).

66 Such documents are by and large only issued on a temporary basis, and serve the purpose of proof of identity in the procedure in front of the competent authority, as well as where applicable to prove the legality of their residence.⁵¹ These documents are required to contain the following details based on the legal rules: name, date of birth, nationality, sex, a picture and signature of the holder as well as the designation of the authority, date of issue and the name of the authorising party. The criteria for an official photo identification document pursuant to Article 6 para. 2 no. 1 FM-GwG are therefore fulfilled.

67 Against this background and in light of the specific circumstance that asylum seekers, persons having entitlement to asylum and tolerated persons often do not possess any other identity document than one of the aforementioned proof of identity documents, and in light of such documents generally only serving the purpose of proving their identity in relation to their procedure in front of the competent authority and as applicable for confirming the legality of their residence, such proof of identity may be used for verifying and checking of identity.⁵²

68 The contrary applies, however, where doubts exist about the authenticity or adequacy of the submitted proof of identity. Where doubts exist about their authenticity further subsequent research should be done and information obtained about the authenticity of the submitted proof of identity. It may occur that an incomplete or fictitious date of birth has been entered on the aforementioned identity documents. This happens in cases in which the date of birth is not known. In the case of asylum seekers, persons having entitlement to asylum and tolerated persons it is often not possible for the Austrian authorities to establish actual information about dates of birth. In such cases the authority enters a fictitious date of birth⁵³. Such residency documents with a fictitious date of birth are therefore not per se unsuitable for identification purposes.

69 Additional documents, data and information, which originate from a credible and independent body, may be requested if need be for additional checking of the collected identity information (e.g. for clarifying the current status, an up-to-date document relating to the procedure under the AsylG or FPG or if certain cards only have a limited validity period and whether accordingly a claim for having a new card issued, or if the status of the procedure of the person in question). Where supplementary measures are insufficient to assuage doubts and obliged entities are

51 Such documents are therefore not generally granted an identification function for other domains. 52 See also explanatory remarks to the government bill (ErlRV) no. 1059 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 20f, in relation to this outcome 53 In most cases 01 January.

CIRCULAR ON DUE DILIGENCE OBLIGATIONS PAGE 24 therefore not in the position to comply with legal rules on identification, they shall not be allowed pursuant to Article 7 para. 7 FM-GwG to establish any business relationship and to conduct any occasional transactions.54 If during the course of advisory meetings or in the course of the identification processes an additional suspicion or a justified reason as defined in Article 16 para. 1 FM-GwG arises, then a suspicious activity report must be made to the Financial Intelligence Unit (Geldwäschemeldestelle). 70 Pursuant to Article 6 para. 1 no. 7 obliged entities must guarantee that the relevant documents, data and information about the respective customer are updated (MN 239 et seq.) With regard to the temporary issuance of and the restricted purpose of the payment of the documents named in MN 65 this means that for example in the case of the subsequent granting of a (permanent) residency title that the corresponding new proof of identity as defined in Article 6 para. 2 no. 1 FM-GwG must be obtained. 4.1.3.2 Special topic: Consumer Payment Account Act (VZKG; Verbraucherzahlungskontogesetz) 71 Article 23 para. 6 Consumer Payment Account Act (VZKG; Verbraucherzahlungskontogesetz55) states that for determining and verifying the identity of a natural person if no other official photo identification document is available that corresponds to the rules prescribed in Article 6 para. 2 no. 1 FM-GwG, a Procedure Card (Article 50 AsylG), Residence Entitlement Card (Article 51 AsylG) or a Card for Tolerated Persons (Article 46a FPG) may be used instead when concluding a framework contract for a payment account with basic functions. The VZKG therefore permits the aforementioned documents to be used as proof of identity for the purpose of concluding a framework contract for a payment account with basic functions and explicitly confers an identification function upon them in this regard. 
72 The outright rejection of such documents with reference to Article 23 para. 7 VZKG without reviewing the respective case in hand is incompatible with Article 23 para. 6 VZKG. Furthermore, asylum seekers or tolerated persons, who frequently do not possess any other official photo identification document than one of the aforementioned documents, are in many cases unable in practice to exercise their right to access to a payment account with basic features as a result of such documents being flatly rejected. This however would not be compatible with the mandatory rules set out in Article 16 (2) of Directive 2014/92/EU.56

73 From Article 23 para. 7 VZKG it emerges that Article 23 para. 6 VZKG does not affect the due diligence obligations of credit institutions under the FM-GwG. It should be determined that, where doubts exist regarding the authenticity or appropriateness of the submitted proof of identity, such proof shall not be allowed to be used for the determination or verification of the identity of a natural person. In such cases, obliged entities are forbidden under Article 7 para. 7 FM-GwG from establishing a business relationship or conducting an occasional transaction. No obligation therefore exists to conclude a framework contract for a payment account with basic functions. In fact, in such cases, where a suspicion or justified grounds exist pursuant to Article 16 para. 1 FM-GwG, a suspicious activity report is to be submitted to the Financial Intelligence Unit (Geldwäschemeldestelle). When concluding a framework contract for a payment account with basic functions, obliged entities must therefore assess the suitability of the documents listed in Article 23 para. 6 VZKG, as well as other identification documents based on the actual prevailing circumstances of the specific case in hand.

54 For more detail, see MN 301ff.
55 The Consumer Payment Account Act (VZKG; Verbraucherzahlungskontogesetz), published in Federal Law Gazette No. 35/2016, as amended.
56 Cf. explanatory remarks to the government bill (ErlRV) no. 1059 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 20 and recitals 34 and 36 to Directive 2014/92/EU.

4.1.3.3 Legal persons

74 In the case of legal persons, identity verification pursuant to Article 6 para. 2 no. 2 FM-GwG must occur on the basis of conclusive documentation which is available under the usual legal standards of the country in which the legal person is established. In any case, it must be possible from the conclusive documentation to determine the legal person’s continuing existence, company name (or the name or designation used in legal communication), legal form, power of registration and registered office. These criteria must be checked by the obliged entity.

75 Where an obliged entity has a business relationship with a legal person that is part of a group of undertakings, and where further business relationships are intended to be established with legal persons from the same group of undertakings, it shall be permitted to refer to information and documents that have already been obtained, provided they can be considered as being conclusive documentation as per the following margin notes, and are suitably up-to-date. They may generally be assumed to be suitably up-to-date where the necessary intervals for updating the documents stipulated in Article 6 para. 1 no. 7 FM-GwG (cf. MN 239 et seq.) are observed.

76 Register excerpts provided by registration authorities (in particular Commercial Register excerpts; excerpts from the central register of associations (ZVR; zentrales Vereinsregister)) and excerpts from databases that are recognised in general legal communication are considered as conclusive documentation for legal persons registered in Austria. In the case of Austrian legal persons, a simple or extended excerpt from the Register of Beneficial Owners may be used as conclusive documentation for the purpose of identity verification. The respective current Austrian official directory (Österreichischer Amtskalender) can be referred to with regard to regional or local authorities, authorities and public sector entities (e.g. also for parties, social insurance carriers, churches, chambers, interest groups etc.).

77 Since the Austrian registers for legal persons are generally accessible, under the case law of the Supreme Administrative Court (VwGH), even a register excerpt that is only a few days old may not be considered as being “conclusive”.57

78 In the case of trusts (Article 1 para. 3 WiEReG) and arrangements of a similar nature to a trust (Article 1 para. 2 no. 18 WiEReG), which are administered from Austria58, obliged entities are also required to take deliberate steps, in addition to the determination and verification of the identity of the customer and the customer’s beneficial owners prior to establishing the business relationship, to satisfy themselves that the trust or the arrangement of a similar nature to a trust has been entered into the Register of Beneficial Owners (Article 11 para. 1 final sentence WiEReG). If the trust or the arrangement of a similar nature to a trust is not entered in the register, then the obliged entity shall not be allowed to establish any business relationship.59 During the course of the update process (cf. MN 239ff) obliged entities should also satisfy themselves, in the case of existing business relationships with trusts or arrangements of a similar nature to a trust, that they are entered in the Register of Beneficial Owners.

57 Supreme Administrative Court (VwGH) 10.11.2014, Ro 2017/02/0020
58 Administration in Austria in particular exists where the trustee or the holder of a position of authority comparable to a trustee has its place of residence or place of incorporation in Austria.

79 In the case of foreign legal entities the conclusive documentation for checking their identity must correspond to the legal standards that are typical for the country in this regard. Obliged entities must therefore “firstly check which documents are typically used or available for proving the existence [of a legal person]”.60 In the first instance this will be excerpts from registers (that are comparable to those Austrian excerpts). Where the foreign register excerpts are less comprehensive than the Austrian excerpts or if the law of the country in which the registration would occur does not prescribe any documents that are comparable to the Austrian register excerpts, then the identity of the foreign legal person is to be checked instead using other documents, which originate from a credible and independent body.61 Where it is not possible to verify the identity as defined in the FM-GwG on the basis of individual items of proof, then instead this may be done by a composite view of several documents, each of which respectively originates from a credible and independent body.

80 Obliged entities are required to check what constitutes customary practice for every legal person established in a foreign country.62 Less stringent requirements than those placed upon Austrian excerpts are only possible where this is customary practice for the country concerned. The obliged entity must check and evaluate this. In such cases, not only public or (publicly) certified documentation may be considered as authoritative. However, as is apparent from the risk-based approach, the greater the risk becomes, then the greater the requirements for the conclusiveness of a document “so that in the individual case in hand private or uncertified documents may no longer suffice, although it may in turn depend on the 'customary practice in the country'” (cf. also MN 82).63

81 A (foreign) document may only be considered “conclusive” for the purposes of the FM-GwG where, in addition to its availability being customary for the country concerned, it is appropriately up-to-date. Only in this way is it possible to guarantee a direct temporal relationship between the establishing of the business relationship and the proof of existence of the legal person. The degree of “conclusiveness” therefore increases the closer the date of issuance of the documentation is to the date of the establishing of the business relationship. As already stated in MN 77, under the VwGH’s case law, register excerpts that are already several days old may not be considered as being “conclusive” where the country concerned has publicly accessible registers or registers that are at least accessible for the legal person concerned.64 As a rule, foreign proof of identity and any other additional documentation should be recent, and where at all possible no older than six weeks old. This is intended to prevent obliged entities from being faced with legal entities that potentially no longer exist or where the ownership or control structure of the legal entity has changed again in the intervening period. In individual cases older proof of identity and documents may be used, where doing so is necessary due to prevailing circumstances (e.g. due to the postal service or because additional required documents were made available by the potential customer to the obliged entity only when requested). In any case, the obliged entity shall also make sure in such cases that the documents are both conclusive and suitable, and that the identity and ownership and control structure of the legal person is able to be determined and verified from them. See MN 188 et seq. regarding the usage of public documents that are contained in a compliance package.

59 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 13.
60 Supreme Administrative Court (VwGH) 10.11.2014, Ro 2017/02/0020
61 See explanatory remarks to the government bill (ErlRV) no. 32 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 22nd legislative period, 4, which also lists potential other proof that may be considered, e.g. national licences, confirmations of their membership of a chamber of commerce, banking information and the minutes of general meetings. In this case also BVwG 19.09.2014, W210 2000428-1. Potential other proof may also be in the form of excerpts from databases that are recognised in general legal communication.
62 For this purpose it is possible to refer to service providers (attorneys, notaries etc.) or the Trade Commissioner of the Austrian Foreign Trade Delegation in the country in question.
63 Supreme Administrative Court (VwGH) 10.11.2014, Ro 2017/02/0020

82 Under the risk-based approach, in the case of foreign public documents, documents and other proof, it may be necessary that they are authenticated by a recognised certification body. Authentication is therefore not necessary in every case. The conclusiveness of documents is in any case increased by their being certified.

83 Respective national law defines what constitutes a recognised certification body. For a legally valid authentication, the corresponding national regulations must be duly observed by the certification body. The document therefore either requires diplomatic authentication (legalisation, consisting of a provisional attestation (Zwischenbeglaubigung) and subsequent supplementary attestation (Überbeglaubigung)) or, in the case that the issuing state of the document is also a signatory to the “Hague Convention abolishing the Requirement of Legalisation of Foreign Public Documents”65, then the public document only needs to be apostilled66 by the designated authority.67 The authentication of the document does not however confirm the accuracy of its content. Instead the authentication of a public document merely confirms the authenticity of the signature and the official stamp, or in the case of private documents the authenticity of the signature, i.e., that the signature is that of the person who signed in front of the authenticating party or who recognised that their signature was genuine. Where an apostille is issued in an orderly manner as per the aforementioned Hague Convention, then in addition to proving the authenticity of the signature, the capacity in which the signatory of the public document was acting is also proved. Such an apostille may therefore in principle be considered for the proof of the power of representation, provided that it is suitably up-to-date, with it being up-to-date being clearly ascertained from the apostille. This must be checked on a case-by-case basis.

64 Supreme Administrative Court (VwGH) 10.11.2014, Ro 2014/02/0020
65 A list of Member States can be found on the Hague Conference on Private International Law (HCCH) website at https://www.hcch.net/en/instruments/conventions/status-table/?cid=41.
66 For further information see: https://www.bmeia.gv.at/en/travel-stay/documents-and-authentications-apostille/.
67 For the respective competent authorities see Federal Law Gazette no. 27/1968, most recently amended in Federal Law Gazette III No. 168/2016.

84 The necessary and if need be additional information about the identity of foreign legal entities should be stored in either German or English. The preparation of working translations by staff members within the entity shall be permitted.

4.1.4 Representation Relationships

85 Obliged entities shall, in addition to the identity of the customer, also determine and verify the identity of every person claiming to want to act on the customer’s behalf (natural person authorised to represent them, deputy). The determination and verification of the identity of the person authorised to represent shall therefore occur pursuant to Article 6 para. 1 no. 1 FM-GwG – i.e. in the same way as the customer him/herself. In addition, the power of representation shall be verified in a suitable way and manner.68 In representation relationships accordingly “both the identity of the party being represented (pursuant to [Article 6 para. 1] no 1 [FM-GwG]) as well as the identity of the representative (para. 1 closing part in conjunction with no. 1 [leg. cit.]) is to be determined and verified.”69 Where the person authorised to represent the customer is a legal person, then the identity of the natural person authorised to represent the legal person must be determined and verified accordingly in addition to the identity of the legal person.70 Furthermore in such cases, the natural person’s power of representation to represent the legal person must be verified in a suitable nature and manner (see MN 96 et seq. about legally representing the organisation).

86 Power of representation may be granted by means of a legal transaction (legal representation), or be derived from the articles of association of a legal entity (legal representation of the organisation) or by law (statutory representation).
Regarding the scope of identification requirements, it is therefore necessary to differentiate between the cases of legal representation, legal representation of the organisation and statutory representation. This arises from the purpose of the statutory representation, where a comprehensive identification of the represented party and the represented party’s duty to cooperate is often not possible on factual grounds. This may either be due to the fact that the party being represented does not (yet) possess any identification documents, or also be due to the fact that the represented party is not able to cooperate in (personal) identification - e.g. due to illness or their advanced age.

4.1.4.1 Statutory Representation

87 Customers who do not have full legal capacity require a legal representative for establishing a business relationship or for conducting an occasional transaction. This applies primarily to children who are minors (cf. Article 170 of the General Civil Code (ABGB)) as well as persons who have reached the age of majority, who are not able to take care of some or all of their affairs themselves (cf. Article 269 ABGB) due to a mental illness or comparable impediment to their ability to make a decision without the threat of their suffering a disadvantage. For such persons, an adult representative must conduct the necessary acts (cf. in particular Articles 264 et seq. ABGB).

68 Article 6 para. 1 final part FM-GwG.
69 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 6.
70 As is stated in the final part of Article 6 para. 1 FM-GwG, the identity of the “natural persons authorised to represent the customer”, who claim to be wanting to act on behalf of the customer, must be determined and verified.

88 Where the customer requires a legal representative for conducting the activities in question (establishing a business relationship; conducting an occasional transaction), the obliged entity is also required to determine and verify the identity of the natural person authorised to represent the customer in accordance with the rules set out in the FM-GwG. Furthermore, the power of representation must also be verified in a suitable way and manner. In the latter case, this may be done by submitting a decision passed by a court. Since the power of representation granted to parents is already directly derived from the law, and therefore their appointment to represent the child does not require a court decision, in such cases a declaration by the parents together with a submitted proof of identity for the parents and the child suffice as proof of the power of representation.

89 The identity of the person who is authorised to represent the customer is to be determined and verified in accordance with the rules on identification of natural persons as customers (see MN 51 et seq.).

90 For the identification and verification of the represented party in the case of underage minors “unmündige Minderjährige” (persons up to the age of 14) and for persons for whom an adult representative (Erwachsenenvertreter) or person authorised by the patient to manage their affairs (Vorsorgebevollmächtigter) has been appointed, it shall suffice that the natural persons who are authorised to represent them show an official photo identification document of the represented party, on the basis of which the obliged entity is able to determine the identity of the represented party. In such a case, it is not necessary for the represented party to be physically present.

91 In the case of identifying underage minors, in the interest of practical efficiency it may be possible to partially dispense with formal rigour. For example, in cases in which the underage minor does not yet hold an official photo identification document, their identity may be verified on the basis of a document that is appropriate for their age (so-called “pseudo proof of identity” such as school pupil ID cards or similar), which may not normally be used for identification purposes. However, in any case necessary proof of identification must be submitted; oral declarations shall not suffice.

92 In the case of the customer being a minor “mündige Minderjährige” (persons between the age of 14 and 18 years of age), the verification of their identity shall in any case occur by means of an identification document as defined in Article 6 para. 2 no. 1 FM-GwG and with the customer being physically present. In the case of business relationships that require the approval or involvement of their legal guardian, the identity of both persons (the customer and the person authorised to represent them) must be verified using an official photo identification document as defined in Article 6 para. 2 no. 1 FM-GwG and with both persons being physically present.

4.1.4.2 Representation in Legal Transactions

93 The customer may confer (also only specific) powers of representation upon other persons in accordance with the general rules on rights of representation. Generally representation is understood as the authorisation and/or engaging of another person by means of a legal transaction concluded in their name.71 The representative may, for example, be authorised to establish a business relationship for the represented party, to conduct orders within the scope of business relationships for the represented party, or to execute occasional transactions for the represented party. The obliged entity only gains knowledge of such authorised representation following disclosure and is required to verify the power of representation in a suitable way and manner (e.g. presentation of a written power of attorney).

94 In the area of banking transactions, authorisation to act as a signatory is the most frequent form of the power of representation in a legal transaction. By granting signatory rights to the authorised representative, they become authorised to make disposals on the customer’s account. These signatory rights are granted to the authorised signatory by means of an explicit declaration in writing by the customer.

95 Both the identity of the person(s) authorised to represent the party (representative; authorised signatory) as well as of the customer (represented party) are to be determined and verified in accordance with the rules on identification of natural persons as customers (see MN 51 et seq. and 57 et seq.). Accordingly, both are required to be identified by presenting their official photo identification document in person. Where the person authorised to represent the party is a legal person, then their identity is required to be determined and verified in accordance with the rules on the identification of legal entities (see MN 54 et seq. and MN 74 et seq.).

4.1.4.3 Legal representation of the organisation

96 Legal entities are represented in activities constituting legal transactions by their bodies. Alternatively, in addition to the legal entity’s bodies, other persons may also be entrusted with representation in legal transactions (in practice this especially includes cases of powers of commercial representation).

97 In addition to determining and verifying the identity of the legal person (see MN 54 et seq. and MN 74 et seq.) natural persons who are authorised to represent the legal entity must be identified by the obliged entity and the power of representation checked in a suitable nature and manner. Where the power of representation is conferred by an excerpt from a register about the legal entity (MN 76), this shall generally be considered sufficient as a certificate for proving the power of representation. Otherwise obliged entities are required to gather suitable (additional) confirmations (e.g. articles of association, agreements relating to legal transactions or similar items).

98 Where an obliged entity reaches the conclusion in relation to business relationships with credit institutions and financial institutions (this includes correspondent banking relationships) during the course of a specific customer risk analysis that only a low risk of money laundering or terrorist financing exists (Article 8 FM-GwG) and therefore that simplified due diligence may be applied, it shall suffice for the persons authorised to represent the customer to be identified by means of a “confirmation” from databases acknowledged in international business. Enhanced customer due diligence pursuant to Article 10 FM-GwG shall in any case continue to apply for correspondent banking relationships.

71 For a definition, see e.g. Rubin in Kletečka/Schauer, ABGB-ON1.03, Article 1002, MN 25.

99 Where the person who is authorised to represent the organisation is also a legal person, then its identity must also be determined and verified accordingly.

100 In the case of legal persons, not all representatives of the organisation are required to be determined and verified by obliged entities. It shall suffice to verify the identity of those persons authorised to represent the entity towards the obliged entity in legal transactions or the identity of other persons authorised to represent the entity on a risk-based basis (Article 7 para. 1 second sentence FM-GwG).72

4.1.4.4 Rights of representation and non-face-to-face operations

101 In the case of rights of representation, physical presentation of an official photo identification document may also be replaced by an online identification procedure (for greater detail, see MN 251 et seq.).

102 Where, in the case of a legal right of representation, online identification is made, then the rules set out in Article 4 para. 2 nos. 2 and 3 Online-IDV regarding screengrabs shall also apply in relation to the official photo identification document of the represented party.
It is only possible in this way to ensure that the obliged entity, in addition to determining the representative’s identity, which is determined and verified using the online identification procedure, also determines the identity of the represented party by means of an official photo identification document, which is presented by the representative during the online identification procedure. The partial waiving of formal strictness explained in MN 91 also applies for the identification documents that may be used in the online identification procedure for underage minors (children). Where minors (over the age of 14) require their legal representative’s involvement, both parties shall identify themselves individually in accordance with the rules contained in the Online Identification Regulation (Online-IDV).

103 In the case of rights of representation for legal transactions, where online identification is used, all involved persons (i.e. also the authorised signatory) shall be required to be identified in accordance with the rules stipulated in the Online Identification Regulation (Online-IDV).

104 The determination and verification of identity of representatives of the organisation may also be conducted using an online identification procedure. The same rules apply as for online identification of natural persons as customers.

72 Cf. explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 8.

105 Where physically presenting the official photo identification document is replaced by means of a qualified electronic signature, it is to be noted that the customer (as a natural person) himself/herself – and not the person who is authorised to represent them – shall be required to provide the declaration about the legal transaction in the form of a qualified electronic signature. The qualified electronic signature pursuant to Article 3 no. 12 of Regulation (EU) 910/2014 must therefore be issued to the customer. If the customer is a legal person, then during the process of determining their identity without physical presentation of their official photo identification document by the natural person authorised to represent the legal person, they must possess and sign using the qualified electronic signature. See MN 275 et seq. for further requirements. This form of non-face-to-face operations may not be used in the case of legal representation relationships, in which the (e.g. minor) customer does not (yet) possess a qualified electronic signature.

106 Where registered postal delivery is being used in relation to non-face-to-face operations, this may only be used for cases of legal representation and the representation of the organisation. See MN 277 et seq. for further requirements in this regard. In contrast the FM-GwG does not stipulate the use of registered postal delivery for representation relationships for legal transactions between natural persons.73

107 A further option for non-face-to-face operations is the first payment being made through a reference account. In so doing, it must be ensured that this account has been opened “in the customer’s name” (see MN 279 et seq. for further details). Payment through a reference account that was opened in the name of a person authorised to represent the customer therefore does not constitute a form of non-face-to-face operations stipulated by the FM-GwG.

4.2 Determining and verifying the identity of trustors and beneficial owners 108 Obliged entities are not only required to determine and verify the identity of their direct customer, but also those of trustors and beneficial owners. 109 The obliged entity relies on the customer’s cooperation to fulfil this due diligence obligation. To be able to make recourse to the customer’s cooperation, the obliged entity must request the customer to state whether they wish to conduct the business relationship or the occasional transaction on their own account, on the account of others, or on behalf of a third party. Where the customer is a legal entity with operational business activities74, they may refrain from actively asking the customer whether they are acting as a trustee. On the other hand, where the obliged entity gains the impression that the customer is acting in trust, it shall request them to divulge without delay about whether they are conducting the business relationship on their own account or on the account of others, or on behalf of a third party. If the customer states they are acting in trust the following due diligence obligations must also be applied to this business relationship.

73 Cf. Article 6 para. 4 no. 3 lit. b FM-GwG (“…of the customer or the customer's legal representative, or in the case of legal persons of the body authorised to represent it…”).
74 It does not cover enterprises that conduct trust transactions (“trusts”).

110 In addition, the customer is to be requested to reveal the identity of its beneficial owner(s). In both cases the customer has an obligation to cooperate when requested to by the obliged entity. On the one hand, this exists with regard to the identification of the trustor or the beneficial owner. On the other hand, the customer is also obliged to inform on their own initiative about any changes during an ongoing business relationship without delay.75

111 The obligation to request the customer to disclose the existence of a trust arrangement and the identity of a beneficial owner requires active action by the obliged entity.76 This can be done for the disclosure of a trust relationship by asking the customer77 or by asking the customer to tick a 'tick box' with the choice of whether the customer is acting in a trustee capacity or not. Obliged entities should also make customers aware that they are obliged to notify any change in their intention during an ongoing customer relationship without delay. To prove this to the FMA within the scope of information and disclosure obligations pursuant to Article 29 para. 1 FM-GwG, the query and notification about disclosing any changes must be documented accordingly. Furthermore, the obliged entity shall request the customer to reveal the identity of any beneficial owners.78 Where the customer is a legal entity as defined in Article 1 para. 2 WiEReG, information about their beneficial owners may also be queried from the Register of Beneficial Owners. The customer as a legal entity itself as defined in Article 1 para. 2 WiEReG is obliged to determine and verify their beneficial owners’ identity and to notify them to the register. Pursuant to Article 3 para. 1 WiEReG customers must also supply the obliged entity with information about their legal owners as well as conclusive documentation about their beneficial owners. In the case of complex participation structures, the customer itself will often rely on the cooperation of superordinate entities. Article 4 WiEReG therefore stipulates for the legal entities within the scope of WiEReG that their owners and their beneficial owners are also obliged to cooperate.79

4.2.1 Trusteeships

112 Where the customer states that they wish to conduct the business relationship or the occasional transaction for the account of or on behalf of a third party, then the obliged entity is not only required to determine and verify the identity of the customer (the trustee) but also the trustor’s identity. Since Article 6 para. 3 no. 1 FM-GwG not only refers to operation on one's own account or on the account of others, but also to operating on behalf of a third party, it is clearly apparent that trust arrangements are meant, also including contractual relationships.

75 Article 6 para. 3 FM-GwG.
76 It therefore does not suffice, for example, if it has already been stated in an (electronic) system that it is (not) a business relationship conducted in trust; cf. the previous legal basis in the BWG, Independent Administrative Senate for Vienna (UVS Wien) 25.03.2011, 06/FM/9/503/2010.
77 E.g. a question about this issue may have been put to the customer during the account opening process by the customer advisor. It is sufficient in the case that the customer advisor actively documents this in the corresponding (electronic) customer file by making a remark.
78 Such an obligation only exists in the case of customers, in which a beneficial ownership may exist. It especially includes the legal entities listed in Article 1 para. 2 WiEReG with their registered office in Austria and comparable legal entities with their registered office in a Member State or a third country.
79 For further detail regarding WiEReG, see MN 178 et seq.

113 The objective of this provision is to prevent the circumvention of identification obligations. It is therefore not only necessary for the obliged entity to determine and verify the trustee’s identity, but also to prove the trustor’s identity and the existence of the trust relationship.80

114 Where isolated transactions are carried out in trust during a business relationship that is not conducted in trust, this does not automatically mean that the entire business relationship is conducted on a trust basis. However, individual transactions may constitute an indication that the business relationship is being conducted on a trust basis. In this case, the obliged entity must conduct further investigations to check plausibility and - in the event that a possible trust relationship has not been disclosed - file a suspicious activity report pursuant to Article 16 para. 1 no. 3 FM-GwG.

4.2.1.1 Determining and verifying the identity of trustees

115 While the trustee conducts the business relationship or occasional transaction in their own name, they conduct it for the account or on behalf of another person. In this case, the trustee is the customer of the obliged entity.

116 Where the obliged entity suspects or has reasonable grounds to assume that the trustee as a customer is concealing the existence of a trust relationship, or fails to notify any changes in this regard during an ongoing business relationship, or states the wrong person as the trustor, then when the obliged entity becomes aware of such a circumstance it shall submit a suspicious activity report pursuant to Article 16 para. 1 no. 3 FM-GwG to the Financial Intelligence Unit (Geldwäschemeldestelle) without delay.

117 For determining and verifying the identity of trustees, Article 6 para. 3 FM-GwG stipulates two due diligence measures in addition to the measures prescribed for customers (MN 48 et seq.):

  • The trustee shall be identified exclusively by means of their physical presence. Identification by way of non-face-to-face operations is therefore not permissible.
  • Identification of the trustee by qualified third parties pursuant to Article 13 FM-GwG and by assistants is therefore excluded.

4.2.1.2 Identification and verification of the identity of trustors

118 Trustors are natural or legal persons, on whose account or on whose behalf a business relationship is established or an occasional transaction is executed. Since the business relationship is established in the trustee’s name, or the occasional transaction conducted in their name, the obliged entity is not in a contractual relationship with the trustor. However, as is also the case of the beneficial owner of a legal person, the trustor is the economic beneficiary of the business relationship or the occasional transaction.

119 Where they are a natural person, the obliged entity must determine and verify the identity of the trustor using the original or a copy of the official photo identification document (MN 57 et seq.). Any additional information required about the identity of the trustor must be checked by the obliged entity using a risk-based approach using additional evidential certificates.

80 See explanatory remarks to the government bill (ErlRV) no. 1130 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 18th legislative period, item 142 et seq. with regard to the earlier provision in the BWG.

120 If the trustor is a legal person, the obliged entity must check the necessary information and if necessary the additional information about its identity by means of additional evidential certificates (MN 74 et seq.).

121 The trustee shall satisfy themselves about the identity of the trustor personally or through a reliable source and confirm this to the obliged entity in a written declaration. Pursuant to Article 6 para. 3 final sentence FM-GwG, reliable sources are courts and other government authorities, notaries, attorneys at law and other qualified third parties as specified in Article 13 FM-GwG, provided that their official sphere of activity, domicile or residence is in Austria or in an EU Member State. Where such third parties have their official sphere of activity, domicile or residence in a third country, the third country must have implemented due diligence and retention obligations corresponding to those set out in the 4th Anti-Money Laundering Directive. Furthermore, observance of due diligence and retention obligations in the third country must be monitored by a supervisory authority that fulfils the rules set out in Articles 47 and 48 of the 4th Anti-Money Laundering Directive. This must be verified by the obliged entity on a case-by-case basis prior to recourse being made to a reliable source in a third country. A source domiciled in a high-risk country (MN 321 et seq.) is not considered to be reliable.
4.2.1.3 Simplified Proof of Identity of Trustors

122 The FMA has determined there to be a low risk of specific fiduciary accounts held by attorneys, notaries or authorised real estate managers being misused for the purposes of money laundering or terrorist financing in the Regulation on Due Diligence for Fiduciary Accounts (AndKo-SoV; Anderkonten-Sorgfaltspflichtenverordnung).81

123 Determination and verification of trustors’ identity may be omitted for fiduciary omnibus accounts, fiduciary accounts for the distribution of inheritances, fiduciary accounts for guardianships and fiduciary accounts in insolvency proceedings held by attorneys and notaries (Article 1 para. 2 nos. 1-4 AndKo-SoV).

124 In the case of fiduciary accounts held by authorised real estate managers (Article 1 para. 2 no. 5 AndKo-SoV) for property owners’ associations, credit institutions may determine and verify the identity of the joint owners of a property (trustors) that are natural persons on the basis of an excerpt from the land register (Grundbuchauszug). It is irrelevant whether the fiduciary account is for a property owners' association established by the owners of apartments (falling within the scope of the Property Ownership Act 2002 (WEG 2002; Wohnungseigentumsgesetz 2002) for properties split into individual dwellings “parifiziert”) or whether the property is simply co-owned by several owners (falling within the scope of the General Civil Code (ABGB; Allgemeines Bürgerliches Gesetzbuch) where the property has not been split into individual dwellings “nicht parifiziert”). The AndKo-SoV therefore applies both (explicitly) for fiduciary accounts as defined in Article 20 para. 6 WEG, as well as for (the less frequent cases of) fiduciary accounts that are held by authorised real estate managers for out and out joint ownership associations for real estate.82

81 Pursuant to Article 1 paras. 1 and 5 AndKo-SoV this covers deposit-taking business (Article 1 para. 1 no. 1 BWG or Point 1 of Annex I CRD IV) and current account business (Article 1 para. 1 no. 2 BWG or Point 4 of Annex I CRD IV).

125 The term authorised real estate manager (“befugter Immobilienverwalter”) not only covers persons who are active in real estate management on the basis of their business licence (Article 117 para. 3 GewO), but also covers attorneys and notaries acting as real estate managers within the scope of their professional competence.83

126 Where credit institutions require additional information about the identity of the trustor to fulfil their due diligence and reporting obligations for such fiduciary accounts, they must collect the necessary information from the respective attorney, notary or authorised real estate manager. This may for example be the case, where a credit institution determines the occurrence of unusual transactions during the course of ongoing monitoring. Where the attorney, notary, or authorised real estate manager fails to comply with its obligation to supply information, then the credit institution is required, inter alia, to consider making a suspicious activity report pursuant to Article 16 para. 1 FM-GwG to the Financial Intelligence Unit (Geldwäschemeldestelle).84

127 Article 1 para. 2 AndKo-SoV contains a list of types of fiduciary accounts for which simplified due diligence may be applied. All due diligence obligations stated in the FM-GwG therefore continue to apply in full for all other types of fiduciary accounts other than those types listed in the AndKo-SoV. Credit institutions may however check at any time while conducting their own risk assessment pursuant to Article 4 FM-GwG, whether a low risk also applies for other types of fiduciary accounts (e.g.
fiduciary accounts of court-appointed fiduciaries in absorption procedures pursuant to Article 199 of the Insolvency Code (IO; Insolvenzordnung), fiduciary accounts of authorised real estate managers for rental deposits) and apply simplified due diligence in such cases.85

128 In addition to the aforementioned fiduciary accounts, credit institutions may identify savings associations as customers that fulfil the conditions of Article 2 of the Regulation on Savings Associations (SpVV) for whose members (trustors) simplified identification may be applied. The identification of members of savings associations in such cases may be conducted by a body of the association using a list containing the names, dates of birth and addresses (of the members of the savings association) provided to the credit institution.

129 For collective class school savings book accounts (Article 1 para. 2 no. 2 of the School Savings Schemes Due Diligence Regulation (Schulspar-SoV)) determination and verification of the identity of an authorised individual school pupil for the savings deposit (trustor) may be conducted in simplified form. It shall suffice for identification to be carried out in trust by a teacher, and credit institutions may refer to a corresponding list of names, dates of birth and addresses of the school pupils in question for determining the trustors’ identity (Article 3 Schulspar-SoV).

82 The previous legal situation in Article 40 para. 2 final sentence BWG in the version prior to the one amended in Federal Law Gazette I No. 118/2016 addressed both of these cases. In accordance with the explanatory remarks to the Regulation published in Federal Law Gazette II No. 7/2017, Article 3 AndKo-SoV is intended to continue the previously applicable legal situation set out in Article 40 para. 2 final sentence BWG; ibid. 3. The explanatory notes in relation to FMA Regulations may be consulted (in German only) online at https://www.fma.gv.at/national/fma-verordnungen/.
83 Explanatory remarks to the Regulation published in Federal Law Gazette II No. 7/2017, point 2.
84 Explanatory remarks to the Regulation published in Federal Law Gazette II No. 7/2017, point 3.
85 Explanatory remarks to the Regulation published in Federal Law Gazette II No. 7/2017, point 2.

4.2.2 Determining and verifying the beneficial owners:

130 Pursuant to Article 6 para. 1 no. 2 FM-GwG obliged entities shall determine the identity of their customers’ beneficial owners and take appropriate measures to check their identity. For the purposes of the FM-GwG, beneficial owners are defined as all natural persons, under whose ownership or control a legal entity ultimately stands (Article 2 no. 3 FM-GwG in conjunction with Article 2 WiEReG). The term “legal entity” covers:

  • companies and other legal persons established in Austria listed in Article 1 para. 2 nos. 1-16 WiEReG;86
  • companies and other legal persons domiciled in a Member State or third country that are comparable to those entities listed in Article 1 para. 2 nos. 1 to 16 WiEReG;
  • trusts and arrangements of a similar nature to a trust pursuant to Article 1 para. 2 nos. 17 and 18 WiEReG.87
  • foreign legal entities required to submit reports as defined in Article 1 para. 2 no. 19 WiEReG.

131 For further information about the Register of Beneficial Owners see MN 178 et seq. The Decree on the Determination, Checking and Reporting of beneficial owners pursuant to the Beneficial Owners Register Act (WiEReG), published in Federal Law Gazette I No. 136/2017 (BMF Decree in relation to WiEReG), BMF-2020-0.681.009 of 23 October 2020 (BMF-AV No. 171/2020) is not directly applicable to credit institutions and financial institutions, but may serve as an aid to interpretation. In this context it must be noted that a risk-based approach does not apply for legal entities regarding the verification of the beneficial owners. The scope of the steps in the review process is the same across all levels (see also Point 3.4 of the BMF Decree in relation to WiEReG). In particular every individual connecting link should always be reviewed on the basis of evidential documents. Under the risk-based approach, it may nevertheless still be necessary for obliged entities under certain circumstances to collect additional/more detailed information and documents from their customers about their beneficial owners than are required for the reporting of the legal person to the Register of Beneficial Owners.88

4.2.3 Mandatory inspection of the Register of Beneficial Owners

132 Under Article 7 para. 1 FM-GwG, obliged entities are required when starting a new business relationship with a legal entity pursuant to Article 1 WiEReG to obtain at least a “basic” excerpt (cf. MN 183) from the register as proof of registration of the beneficial owners. When initiating a new business relationship with a company, a trust, a foundation, a legal arrangement similar to a foundation, or with legal arrangements similar to trusts with their place of incorporation in another Member State or in a third country, equivalent to a legal entity as defined in Article 1 WiEReG, obliged entities must obtain proof of registration89 or an excerpt, provided there is a requirement for their beneficial owners to be registered in a Register that corresponds to the requirements set forth in Article 30 or 31 of Directive (EU) 2015/849. In the latter cases, the (mandatory) gathering of proof or an excerpt is only required to take place, where the Register in question is publicly accessible (which EU Member States are in any case required to ensure under the rules in Articles 30 or 31 of Directive (EU) 2015/849). Obliged entities are required to document the steps taken for clarifying that a Register is not publicly accessible.90

86 A legal entity is deemed to be established in Austria where a legal entity is entered in the respective identification register (e.g. Commercial Register (Firmenbuch), Register of Associations (Vereinsregister)).
87 In this case, in contrast to the case of establishing a business relationship (cf. MN 297), regarding the obligation for determining and verifying the beneficial owners’ identity it is immaterial whether or not the trust or the arrangement of a similar nature to a trust is managed from Austria. Such a difference is however relevant for the obligation to be entered into the Register of Beneficial Owners.
88 In this context, we also refer to the substantial collection of examples on the Federal Ministry of Finance (BMF) website at https://www.bmf.gv.at/services/wiereg/rechtliche-grundlagen-faq-fallbeispiele-wiereg.html (in German only).

4.2.4 Beneficial owners of companies and other legal persons

133 Regarding the definition of companies, the Beneficial Owners Register Act (WiEReG) contains a detailed91 list of the legal entities in Article 1 para. 2 nos. 1-11, 13 and 14 (Article 2 no. 1 WiEReG). In addition, all legal entities comparable to the aforementioned ones that are domiciled in a Member State or a third country also fall under this definition. Obliged entities must check in every single instance whether the legal entity is a comparable one in a Member State or a third country as per the definition of the beneficial owner or is merely a union of natural persons for a common purpose without a legal capacity92.
In the case of EEA Member States, national classification of a legal entity as a company or trust or foundation in the respective EEA Member State is the basis for the classification of a legal entity under Article 2 nos. 1, 2 or 3 WiEReG.

134 Pursuant to Article 2 no. 3 FM-GwG, Article 2 no. 1 WiEReG does not apply to exchange-listed companies, whose securities are admitted to listing on a regulated market in one or more Member States, and exchange-listed companies from third countries which are subject to disclosure obligations pursuant to a Regulation issued by the FMA on the basis of Article 122 para. 10 BörseG 2018 and such disclosure obligations are equivalent or comparable to those under Union law. In the case of such companies, the disclosed information as a rule replaces the determination and verification of the beneficial owners under the definition set out in Article 2 no. 1 WiEReG.93 In the case that the obliged entity’s customer is an exchange-listed company pursuant to Article 2 no. 3 FM-GwG, no obligation exists to determine and verify the beneficial owners. Irrespective of this, Austrian exchange-listed companies are obliged to notify their beneficial owners to the Register of Beneficial Owners94.

135 The exception contained in Article 2 no. 3 FM-GwG also applies to cases, where the exchange-listed company itself is not a customer of the obliged entity, but where such an entity can be found at a superordinate level in the shareholding structure of the customer. In this case the beneficial owners behind this exchange-listed company are also not required to be determined and verified; the disclosed information instead replaces the need to determine and verify the beneficial owners. When there are additional shareholding chains in addition to the shareholding chain with the exchange-listed company for the purpose of identifying any other beneficial owner, then in this case the beneficial owners are to be determined and appropriate verification measures taken, including such measures required to understand the ownership and control structure of the customer in this area. Where beneficial owners could not be identified pursuant to Article 2 no. 1 lit. a WiEReG, the subsidiarity rule set out in Article 2 no. 1 lit. b WiEReG shall apply (MN 147 et seq.).

89 In this case it may also be a confirmation of registration by the competent authority for the register in question.
90 See also, in this regard, the information about registers in other Member States and in third countries, (“Informationen über Register anderer Mitgliedstaaten und von Drittstaaten”), that can be found on the aforementioned BMF website.
91 Arg.: “in particular“.
92 In Austria e.g. a partnership under civil law (Gesellschaft bürgerlichen Rechts) pursuant to Articles 1175 et seq. ABGB.
93 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 18.
94 For further details see also MN 132.

136 The definition in Article 2 no. 1 WiEReG is comprehensive and serves as a catch-all clause for all legal entities not captured by Article 2 no. 2 (MN 156 et seq) or no. 3 (MN 159 et seq).

137 Beneficial ownership in companies as defined in Article 2 no. 1 WiEReG is justified where a natural person

  • directly or indirectly holds an adequate shareholding (25 % plus one share) or has an adequate participation in the company (more than 25 %) (1st case),
  • directly or indirectly holds an adequate proportion of voting rights (more than 25 %) in the company (2nd case) or
  • exercises control over the company or where several natural persons jointly exercise direct control over the company, then these natural persons are direct beneficial owners (3rd case).

138 All three cases rank equally to one another, meaning that all persons covered in a single case are determined to be beneficial owners and required to be verified by means of appropriate measures. Successful determination of one or several beneficial owners under a single group does not exempt the obliged entity from the obligation to determine further beneficial owners in accordance with other cases and to verify them using appropriate measures.95 Where the conditions of all three case groups are met, then all persons in question are considered beneficial owners and are to be identified as such.

139 The statutory provisions contain presumptive rules regarding the existence of beneficial ownership. It should, however, be noted that even where the explicitly cited thresholds are not reached (e.g. 25 %), beneficial owner status may be established by aggregation (cf. Fig. 1). In particular a corresponding examination must also be conducted on the superordinate levels, where additional indications exist suggesting the existence of beneficial ownership.96

95 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period. GP 4.
96 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 4.

Fig. 1: Aggregation. Person 2 controls A GmbH due to aggregation of the respective directly (10 %) and indirectly (45 %) held stakes. As a result of aggregation Person 2 holds a total of 26 % in Customer GmbH.

140 Similarly, a mixture of direct and indirect voting rights may occur when calculating voting rights shares, meaning that a sufficient proportion (more than 25%) of voting rights are held cumulatively. Indirect voting rights may arise from contractual agreements or from practical possibilities. These include e.g. syndicate agreements, power of attorney agreements, other arrangements for the (long-term) consensual exercising of voting rights, or voting rights granted as collateral or as a right of usufruct. Where an affected person is not bound to any instructions regarding such voting rights, and is therefore able to exercise them independently, then the corresponding voting rights shall be attributed to them.

141 In addition to holding a sufficient shareholding or a sufficient participation and a sufficient share of the voting rights, beneficial ownership may also be established based on the possibility of (actively) exercising control over the company. The concept of control is legally clarified further.97 Accordingly, control is to be assumed where someone

  • holds a shareholding of 50% plus one share or a participation of more than 50%;
  • meets one or more of the criteria set out in Article 244 para. 2 UGB;
  • performs a function pursuant to Article 2 no. 2 or 3 WiEReG in an ultimate legal entity holding a sufficient participation in the customer, sufficient voting rights or that controls the customer;
  • is able to exercise influence based on a corresponding trust agreement or a comparable legal agreement over the trust property (shareholding, participation) (cf. Fig. 2);
  • ultimately controls the company in another way.

97 See Article 2 no. 1 lit. a final paragraph WiEReG, explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 4 et seq.

Fig. 2: Beneficial ownership in a trust arrangement. Person 1 is a direct beneficial owner through its participation in the customer (60 %); Person 2 is also a (direct) beneficial owner based on its (direct) participation in the customer (40 %); Person 3 has agreed with Person 2 that the latter will hold these shares in the customer (the trust property) in trust for the former. Person 3 is also a direct beneficial owner of the customer. (Diagram labels: Person 1, Person 2, Person 3, Customer GmbH; 40%, 60%; Trust contract.)

142 WiEReG also differentiates between direct and indirect beneficial owners.98 Direct beneficial ownership may only be established on the first level of participation. For this, a natural person must hold a stake of 25% plus one share, a participation of more than 25% or more than 25% of the voting rights directly in the obliged entity’s customer - without there being any other intermediate legal entity. Direct beneficial ownership also exists, if a natural person directly controls the obliged entity’s customer.

143 Direct beneficial ownership also exists where a natural person or legal entity (trustee) directly holds a sufficient stake in shares or a sufficient participation (trust property) in a legal entity (customer) on behalf of a third party (trustor) on the basis of a trust agreement (or a comparable legal agreement) (see Fig. 2 above). Since the trust property is directly attributable to the third party on the basis of the corresponding agreement, the third party is also the direct beneficial owner ("control through a trustee relationship"). In addition, however, the trustee (as the legal owner) is also the direct beneficial owner based on holding a sufficient shareholding or participation.99

144 Indirect beneficial ownership exists where a natural person controls

  • a legal entity, which in turn holds 25% plus one share or more than 25% of the customer's shares or voting rights, or
  • several legal entities, which collectively hold a share of 25% plus one share or a participation or voting rights of more than 25% in the customer.

98 This differentiation is not significant for the identification of the beneficial owner (cf. MN 167 et seq.).
99 The legal owner of a sufficient shareholding or participation is therefore, as was previously the case, in any case also the (direct) beneficial owner. This applies irrespective of whether there are additional (direct) beneficial owners on the basis of other agreements.

CIRCULAR ON DUE DILIGENCE OBLIGATIONS PAGE 42 Fig. 3: direct and indirect beneficial ownership 145 Control of the legal entity/ entities may either occur directly or through a chain of participations. From the second level of participation onwards, the element of control must therefore be realised at each further level. According to the international understanding of the concept of control, active control is to be assumed, which is understood as a majority (more than 50%) of the shares, participation or voting rights.100 146 Where a legal entity is in liquidation or if insolvency proceedings have been initiated against a legal entity, then liquidators or the insolvency administrator are generally not beneficial owners by virtue of this function for the purpose of fulfilling the due diligence obligations set out in the FM-GwG. Where the insolvency or liquidation of the legal entity does not alter the ownership and control relationships, then there is also no change to the beneficial owners. However, where there were changes in the ownership and control structure, then the beneficial owners must be re-determined and verified again. Where the rule of subsidiarity is applied in this instance (cf. MN 147), the top level of management is relevant for determining the beneficial owner, and the administrator of the bankruptcy estate or the insolvency estate is only to be considered as the top level of management in the case that the legal entity no longer has its own top level of management.101 147 Where no natural person fulfils the criteria set out in Article 2 no. 1 lit. a WiEReG, the natural persons who belong to the top management level of the customer are considered (on the basis of subsidiarity) as beneficial owners and are to be determined and verified as such. The legal

100 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 5. 101 See also Point 2.6.6 of the BMF Decree in relation to WiEReG (MN 131) (in the case of domestic legal entities subject to reporting requirements, in the case of an insolvency or liquidation it may be possible to also refer to the notification in the Register of Beneficial Owners to obtain information about the beneficial owners). Person 1 is a direct beneficial owner based on its participation in the customer (60 %); Person 2 controls A GmbH, which in turn holds a sufficient participation in the customer (40 %). Person 2 is an indirect beneficial owner. Customer GmbH 40 % Person 2 A GmbH Person 1 100% 60%

fiction of a subsidiary beneficial owner only exists as a last resort and once all other means have been exhausted for determining the identity of the beneficial owner. Where the beneficial owner is determined based on the rule of subsidiarity, then obliged entities under Article 6 para. 1 second sentence FM-GwG must take necessary appropriate measures to check the identity of the natural persons belonging to the top management level, and must keep records about the measures taken in relation to any difficulties arising during the verification procedure. An appropriate measure is the inspection of the Beneficial Owners Register within the terms of Article 11 WiEReG. The subsidiarity rule does not apply in cases where the obliged entity does not receive the documents from its customers that it needs to determine and verify the beneficial owner. In this case, the legal ramifications of Article 7 para. 7 FM-GwG must be followed (see MN 301 et seq.). The steps taken must be recorded to be able to prove this to the FMA. In addition, no suspicious circumstances as defined in Article 16 para. 1 FM-GwG shall be allowed to have arisen at the obliged entity during the course of the measures taken for determining a beneficial owner, since a suspicious activity report would be required to be filed in such a case.

148 The rule of subsidiarity also applies in such cases, in which the last beneficial owner has died, and where there are no (new) beneficial owners following the conclusion of probate proceedings.102

149 The currently relevant top management level in this context must be distinguished from the management level pursuant to Article 2 no. 9 FM-GwG and only covers the top operational management level of the legal entity that is the customer. This includes, for example, in the case of a stock company only the members of the board of directors, in the case of a limited liability company only the executive directors and in the case of associations only their representatives. In the case of associations, obliged entities may restrict the top management level further based on respective job titles.103 If no indications exist that the association is directly or indirectly under the control of one or more other natural persons, it shall generally suffice for the chairperson, treasurer and the deputy chairperson and deputy treasurer to be identified as beneficial owners and verified by means of appropriate measures. Therefore, under no circumstances do authorised signatories, authorised representatives, anti-money laundering officers or comparable key function holders fall under this term.104

150 If a customer’s top management consists (in part) of legal persons, the authorised natural persons in this authorised legal person’s top management shall be determined as (subsidiary) beneficial owners. In such cases, the beneficial owner of the legal person with a power of representation is not to be taken into account. If, for example, in the case of a GmbH & Co KG as a customer, only the GmbH’s general partner is entrusted with the management and no beneficial owners are able to be determined, the managing directors of the GmbH are determined as subsidiary beneficial owners and not their own beneficial owners.

102 See also Point 4.5.2 of the BMF Decree in relation to WiEReG (MN 131) (in the case of domestic legal entities subject to reporting requirements, in the event of the death of a beneficial owner it may be possible to also refer to the notification in the Register of Beneficial Owners to obtain information about the amendments).

103 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 10.

104 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 5.

151 In Article 2 no. 1 lit. b sublits. aa to cc WiEReG, for individual national standard constellations, rebuttable presumption rules are established that are intended to facilitate the determination and verification of the beneficial owner for obliged entities in certain legal forms of companies. In all of the following cases (MNs 152 to 154), the presumption rule only applies in cases where no beneficial owner could be identified based on the criteria set out in Article 2 no. 1 lit. a WiEReG, and therefore subsidiary beneficial owners were required to be identified.

152 In the case of Austrian companies with the legal form OG and KG, where the partners are exclusively natural persons, then the managing partners shall be considered as subsidiary beneficial owners, provided that no grounds exist that show that the company is either directly or indirectly under the control of one or several other natural persons.

153 In the case of commercial and industrial cooperatives, the members of the top management level (the management board), or where directors are also entered in the register, only the directors shall be considered to be subsidiary beneficial owners.105

154 In the case of ownerless companies, such as associations, savings banks and mutual insurance associations, no ownership rights exist by definition. The natural persons in the top level of management therefore are considered to be subsidiary beneficial owners.

155 Regional or local authorities (the federal government, provincial governments, municipalities), authorities and public sector institutions (that also include e.g. churches, religious orders and similar) do not have a beneficial owner if not entered in the Commercial Register (Firmenbuch) (Article 1 para. 2 no. 13 WiEReG). In these cases, obliged entities are therefore not required to determine and verify beneficial owners and the subsidiarity rule of Article 2 para. 1 lit. b WiEReG also does not apply.

4.2.5 Beneficial owners of Trusts

156 The legal institution of a trust is foreign to Austrian law. The provision set out in Article 2 no. 2 WiEReG is therefore to be applied to trusts that were established under foreign law, and for which a business relationship is intended to be established at an obliged entity or an occasional transaction conducted.106 Article 1 para. 3 WiEReG defines when a customer is a trust as defined in WiEReG.

157 The persons listed in Article 2 no. 2 lits. a to d WiEReG are in any case beneficial owners by virtue of their function. This applies independently of whether a person in any case also controls the trust (lit. e leg. cit.). Therefore all the persons listed there, as well as where applicable those persons that control the trust in another way, are identified as being beneficial owners. Where one of the functions listed in lits. a to d is performed by a legal person, then the natural persons that exercise

105 See in this regard also the exemption from the obligation to notify pursuant to Article 6 para. 3 WiEReG.

106 This is also apparent given that pursuant to Article 1 para. 2 no. 17 WiEReG trusts are only covered by the provisions on being entered into the Register, where they are managed from Austria.

control over this legal person, are to be determined and verified107 as beneficial owners pursuant to lit. e that ultimately control the trust.

158 The beneficiaries of a trust, who have already been defined as such, are now considered as beneficial owners irrespective of the amount of their (potential) contributions. If the individual persons, who are the beneficiaries of a trust, have not yet been determined, then the group of persons, in whose interest the trust was established or in whose interest the trust is operated (circle of beneficiaries) is to be designated in an abstract manner instead of identifying individual beneficiaries. From this abstract designation the conditions must arise that future beneficiaries are required to meet, in order to be able to be defined as such. If a person from this circle of beneficiaries is determined to be a beneficiary, then they shall be considered as beneficial owners of the trust. Where a person from the circle of beneficiaries only receives a one-off benefit of more than EUR 2 000, then they shall only be considered as a beneficial owner in the calendar year in question.

4.2.6 Beneficial owners of foundations, comparable legal persons and legal arrangements similar to trusts

159 In principle, in the case of foundations, comparable legal persons and legal arrangements similar to trusts, it applies pursuant to Article 2 no. 3 WiEReG that those natural persons are deemed to be beneficial owners that hold equivalent or similar functions to those in the case of trusts. Therefore, in such cases, the capacity of beneficial owner is based on the function rather than on the actual ownership structure. All natural persons holding a corresponding (equivalent or similar) function are to be identified as beneficial owners. Whether it is an equivalent or similar function in comparison to the functions in the case of a trust must be examined on a case-by-case basis for legal persons that are comparable to foundations and for legal arrangements similar to trusts.108 Furthermore, all natural persons who control the foundation, the comparable legal person, or legal arrangements similar to trusts in another way are beneficial owners. If one of the listed functions is performed by a legal person, then the natural persons that exercise control over this legal person, are determined and verified as beneficial owners (cf. MN 157f regarding trusts).

160 For private foundations pursuant to Article 1 para. 1 of the Private Foundations Act (PSG; Privatstiftungsgesetz) Article 2 no. 3 lit. a WiEReG explicitly states which persons are determined as being beneficial owners. By so doing, it was also clarified that neither the members of a supervisory board of a private foundation nor of an advisory board as required to be established are determined to be beneficial owners. Individual cases could arise where a member of the supervisory board or an advisory board member is considered as a beneficial owner, where they are allocated a defined control function due to the corresponding design of the rights of the supervisory board or advisory board. In such cases, members would be required to be notified,

107 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period. GP 6.

108 For foundations see MN 160ff.

as they control the private foundation in another manner. The auditor of the foundation does not perform any function that is comparable to that of a protector of a trust. The auditor therefore does not control the foundation in any other way and is not to be determined as the beneficial owner.109 In the case that the founder of a private foundation has already died, they must be entered by the private foundation in the Register of Beneficial Owners on the basis of the provisions of the WiEReG. Where the private foundation is a customer of an FM-GwG obliged entity, the latter shall not (or shall no longer) be required to determine and verify the founder as the beneficial owner. The information about the deceased founder may, however, serve to clarify the origin of the foundation's funds.

161 In the case of private foundations, current beneficiaries are also considered to be beneficial owners, irrespective of the amount of their (potential) benefits. Beneficiary status relevant for the purposes of WiEReG may result from being designated in the foundation deed or in the supplementary foundation deed, determined by a body appointed for this purpose by the founder (Article 9 para. 1 no. 3 PSG) or determined by the foundation board (Article 5 or Article 6 PSG). Where the group of beneficiaries is defined in such a way that the persons covered are able to be specified and already have a status as beneficiaries under the PSG, then such persons are also beneficiaries and must be reported as such. For example: “My descendants in a direct line are beneficiaries.” The children of the founder are able to be specified and are already beneficiaries and are required to be notified to the Register. In addition, the circle of beneficiaries (“The descendants of the founder in a direct line”) is also required to be notified.110

162 In connection with private foundations, it should be noted that the submission of the notification to the tax office pursuant to Article 5 PSG is not sufficient in its own right to record the beneficiaries of a private foundation. In order to be able to determine and verify all (possible) beneficiaries of a private foundation, who might be considered as beneficial owners, the information from the foundation deed or the supplementary foundation deed is also necessary in any case.

163 A circle of beneficiaries is required to be notified under Article 2 no. 3 lit. a) sublit. bb) WiEReG. In this case it is a group of persons from whose members the beneficiaries are selected based on a separate determination (Article 5 PSG). This group may be outlined in an abstract manner, or may arise from the foundation’s purpose. The decisive fact is that relevant persons only achieve the status of beneficiary once determined by a body convened by the founder for this purpose (Article 5 PSG). Where persons from this circle are determined to be beneficiaries and where they therefore have a permanent beneficiary status, then they must also be notified as beneficiaries.111 If beneficiary status is dependent on a condition precedent (e.g. "upon reaching the age of 18"), this person is to be recorded as the beneficial owner of the private foundation only once this condition has been met. Where a person from the circle of beneficiaries is determined to be a beneficiary pursuant to Article 5 PSG, they are deemed to be the beneficial owner of the private foundation as of this point in time. Where a person from the circle of

109 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 6 citing further literature.

110 See in detail Point 2.7 on Private Foundations (“2.7 Privatstiftungen”) in the BMF Decree in relation to WiEReG.

111 See in detail Point 2.7 on Private Foundations (“2.7 Privatstiftungen”) in the BMF Decree in relation to WiEReG.

beneficiaries only receives a one-off benefit of more than EUR 2 000, then that person shall only be considered as a beneficial owner in the calendar year in question. The determination and verification of one-time beneficiaries can also be carried out on the basis of the private foundation's notification to the Register of Beneficial Owners. A review of the foundation's accounts is not necessary.112

164 For certain private foundations, specified in greater detail in Article 2 no. 3 lit. a sublit. bb WiEReG113, it suffices if the function of the beneficiary as beneficial owner merely describes the circle of beneficiaries in abstract terms. The identification of the individual beneficiaries from the corresponding foundation is not required.

165 For Foundations and Funds pursuant to Article 1 of the Federal Act on Foundations and Funds (BStFG 2015; Bundes-Stiftungs- und Fondsgesetz 2015) as well as foundations and funds established under regional law, Article 2 no. 3 lit. b WiEReG determines who is identified as beneficial owners. For such foundations and funds, it also suffices if the function of the beneficiary as beneficial owner merely describes the circle of beneficiaries in abstract terms. The identification of the individual beneficiaries from the corresponding foundation or corresponding fund is not required. In this regard, information may also be centrally queried from the Register of Beneficial Owners.

166 The term of legal arrangements similar to trusts does not generally include trust arrangements (e.g. fiduciary processing of a property purchase by a notary). As a rule, such arrangements are not comparable with trusts in terms of their structure and function. However, if a trust, due to its contractual structure, provides for the administration of wealth/an asset for the benefit of a person (beneficiary) who is different from the trustor, it must be examined for each individual case in hand whether a legal agreement similar to a trust exists.114

4.2.7 Determining and verifying the beneficial owners:

167 Beneficial owners may be determined by inspecting the Register of Beneficial Owners, by obtaining information from the customer by means of a questionnaire or by means of separate research. In general terms, the customer is requested to supply the identity of its beneficial owner(s). Once requested to do so by the obliged entity, the customer has an obligation to cooperate. In addition, the customer is also obliged to notify any changes during an ongoing business relationship on their own initiative without delay. When using the WiEReG web service, manual data entry of information about the beneficial owner may be automated by data about the beneficial owner held in the Register of Beneficial Owners being automatically entered.

112 See in detail Point 2.7 on Private Foundations (“2.7 Privatstiftungen”) in the BMF Decree in relation to WiEReG.

113 These include private foundations pursuant to Article 66 VAG 2016, savings banks in the legal form of private foundations pursuant to Article 27a of the Savings Banks Act (SpG; Sparkassengesetz), foundations established for the purpose of supporting the purpose of the entity pursuant to Article 4d para. 1 of the Income Tax Act (EStG 1988), foundations established for the purpose of supporting employees pursuant to Article 4d para. 2 EStG 1988, foundations for the purposes of profit-sharing by workers and employees pursuant to Article 4d paras. 3 and para. 4 EStG 1988.

114 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 7.

168 The obligation to request the customer to divulge the identity of a beneficial owner requires the obliged entity to take active action.115 Obliged entities should also make customers aware that they are required to notify any change in their beneficial owners during an ongoing customer relationship without delay. Queries and notes about disclosing any changes must be documented accordingly to be able to prove this to the FMA within the scope of information and disclosure obligations pursuant to Article 29 para. 1 FM-GwG. Where the customer is a legal entity as defined in Article 1 para. 2 WiEReG, the customer itself is obliged to determine and verify the identity of their beneficial owners at least once a year and to notify them to the Register.

169 Where beneficial owners are determined by inspecting a simple or extended excerpt from the register of beneficial owners, then the request for the customer may be limited to confirming that its beneficial owners correspond to those reported to the Register of Beneficial Owners, are up-to-date and that no control relationships or trust relationships exist that are different to the excerpt.

170 In addition to information about its legal owners, pursuant to Article 3 para. 1 WiEReG the customer is also required to supply the obliged entity with evidential documentation about their beneficial owners. Where complex participation structures exist, the customer itself will often rely on the cooperation of superordinate entities. Article 4 WiEReG therefore stipulates for the legal entities covered under WiEReG that their owners and beneficial owners also have an obligation to cooperate.116

171 Where an obliged entity establishes a business relationship with a legal entity or carries out an occasional transaction on behalf of such a legal entity, it shall first be required to establish the identity of the beneficial owner of that legal entity and take reasonable - i.e. risk-based - measures to verify the identity of the beneficial owner, so that it can be satisfied it knows the identity of the customer’s beneficial owner. To this end, the obliged entity must also take reasonable steps to understand the customer's ownership and control structure. In continuation of the FMA's previous legal opinion, this means that in cases of indirect beneficial ownership, the obliged entity must understand by whom and in what manner and to what extent the capacity as (indirect) beneficial owner has been identified. Knowledge about the intermediate links in the chain between customers and beneficial owners constitutes a necessary element. Accordingly, the obliged entity must know and understand its customer’s entire ownership and control structure. This is the only way to ensure that all beneficial owners can be identified and that the obliged entity is able, if necessary, to aggregate interests that are split between different strands. For legal entities with a shareholding structure that is exclusively Austrian, the relevant shareholding structure may now be determined on the basis of an extended excerpt from the Register of Beneficial Owners.

172 Following the risk-based approach, the scope of the verification steps of the individual participation levels are not required to be of the same intensity as the verification steps for the

115 It therefore does not suffice, for example, if it has already been stated in an (electronic) system that it is (not) a business relationship conducted in trust; cf. the previous legal basis in the BWG, Independent Administrative Senate for Vienna (UVS Wien) 25.03.2011, 06/FM/9/503/2010.

116 Regarding WiEReG for further detail see MN 178 et seq.

beneficial owner at the end of the participation chain or of the customer itself. In the case of intermediate links, the name/designation, legal form, nationality/country of registration and amount of the participation as well as the voting rights or type of control must be gathered as a minimum. In these cases, an excerpt from the Register of Beneficial Owners may also provide information on voting rights, capital shares, control and trustee relationships. Where further information is needed to understand the customer's ownership and control structure, the obliged entity must also obtain such information. In order to determine and verify the entire ownership and control structure beyond doubt, it may be necessary, in a risk-based manner, to also obtain corresponding evidential documents about intermediate members. As previously indicated, for the high-risk area this means that each individual intermediate link must also be verified on the basis of evidential documents.

173 The information about the identity of the beneficial owner must be verified in a risk-based manner; the obliged entity is only able to convince itself that it knows who the beneficial owner of its customer is. To satisfy the requirement of being convinced about the identity of a beneficial owner, the obliged entity needs to have relevant documents about the identity of the beneficial owner.117 Information that is only provided orally or personal knowledge of the possible beneficial owner(s) are insufficient to fulfil this obligation.118 The customer’s self-disclosure about their beneficial owner is therefore insufficient. If, however, the obliged entity comes to the conclusion based on its risk assessment that only a low risk of money laundering and terrorist financing exists for a customer, in principle a self-disclosure or a basic or extended excerpt from the Register may be considered sufficient.

174 In exceptional circumstances119, instead of obtaining copies of the necessary documents and documentation, it may be sufficient to inspect the relevant documentation - e.g. on-site at the customer's premises - and to make full remarks in files. Remarks may be made by either an employee of the obliged entity or by qualified third parties (cf. MN 14 et seq.) and outsourcing service providers and agents as defined in Article 15 FM-GwG.

175 A full remark must in any case contain the following items:

  • the date and location of the inspection;
  • the signature and identity of the person conducting the inspection;
  • the precise designation of the inspected document, who drew up the document and/or issued it and signed it in what capacity;
  • the exact content of the document especially naming of beneficial owners and the nature and scope of beneficial ownership.

117 For the purposes of verifying the identity of beneficial owners, it is not necessary in every case that this shall be done on the basis of an official photo identification document. For example, it may also suffice to verify identity using excerpts from the Register.

118 Judgement of the Federal Administrative Court (BVwG) 19.09.2014, W210 2000428-1.

119 Examples of justified reasons for making a file note can be found in point 6.5 of the BMF Decree in relation to WiEReG (MN 131); see there also the potential usage of remarks and the requirements in this regard in relation to compliance packages.

176 Sources of information for the verification of the beneficial owner are in particular publicly accessible register excerpts and non-public documents (e.g. memoranda of association or similar contracts for the establishment of a legal entity). If, based on the customary legal standards in the country, the beneficial owners are derived from register excerpts, these are to be used for the verification. Other documentation and information may be accepted on a risk-based basis provided that they originate from reliable and objective sources of information - which must be verified accordingly in each individual case.120 If beneficial ownership is identified on the basis of a trust agreement, obliged entities must verify the existence of the trust relationship on the basis of such a trust agreement. In continuation of the FMA’s previous legal opinion, such a trust agreement must in principle be signed by both the trustor and the trustee or it must be possible for the trust relationship to be derived from corresponding declarations by the trustee and trustors.

177 As mentioned above in MN 80, the greater the risk becomes, the greater the requirements for the evidential nature of a document “so that in the individual case in hand private or uncertified documents may no longer suffice, although it may in turn depend on the 'customary practice in the country'”.121 See also MN 184 et seq. about the possibility of verifying the identity of the beneficial owner based on a full extended excerpt from the Register of Beneficial Owners.

4.2.8 Verification of the beneficial owners of customers that are entered in the Register of Beneficial Owners

178 The publication of the Beneficial Owners Register Act in Federal Law Gazette I No. 136/2017 (WiEReG; Wirtschaftliche Eigentümer Registergesetz) created a Register of Beneficial Owners (hereinafter: the Register) in Austria transposing Articles 30 and 31 of the 4th Anti-Money Laundering Directive.122 This Register is established at the Federal Ministry of Finance as the registry authority and is intended to serve as a starting point for obliged entities to fulfil their obligation to determine and verify the identity of customers’ beneficial owners. As a result of WiEReG, the obligation to determine and verify the identity of beneficial owners no longer exists only for obliged entities, but also for legal entities as defined in Article 1 WiEReG (MN 130), i.e. an obliged entity’s (potential) customers. They must now also determine the identity of their beneficial owners and take reasonable steps to verify their identity so that they are satisfied that they know who their beneficial owner is.123 Legal entities may allow both the determination and verification and the notification of beneficial owners to be carried out by representatives of the party acting in a professional capacity (see MN 188 et seq. regarding the compliance package). The legal entities or the appointed representatives of the party must retain the corresponding evidential documents on their beneficial owners for five years. Pursuant to Article 3 para. 1 final

120 These may be e.g. annual financial statements, database queries or the obliged entity’s own (Internet) research. The necessary information may arise from an overview of the documentation and information.

121 Supreme Administrative Court (VwGH) 10.11.2014, Ro 2014/02/0020.

122 Further information about the Register can be found on the Federal Ministry of Finance’s website at https://www.bmf.gv.at/services/wiereg.html as well as in the BMF Decree in relation to WiEReG mentioned in MN 131.

123 This also includes the legal entity’s obligation to understand its ownership and control structure.

sentence WiEReG, legal entities shall submit these documents to the obliged entity within the scope of fulfilling their due diligence obligations.

179 The legal entities shall be required to check whether the beneficial owners notified to the Register are still up-to-date and to confirm this information at least once a year. Therefore, excerpts from the Register represent a starting point for fulfilling the obligation to update customer information pursuant to Article 6 para. 1 no. 7 FM-GwG.

180 Legal entities must report all case groups of beneficial owners to the Register. Therefore, relevant information may arise from the Register of Beneficial Owners especially in the case of partnerships (as capital shares are not entered in the Commercial Register), if company shares are held in trust (as such trusts are not entered in the Commercial Register) or in the case of other control relationships (e.g. syndicate agreements, forms of de facto control). In the case of ownership and control structures that extend to foreign countries, the legal entities are also required to report their ultimate legal entities together with the local Commercial Register number, and in this regard relevant information may also come from the Register.

181 All legal entities listed in Article 1 para. 2 WiEReG are obliged to report to the Register. For such legal entities, an officially signed excerpt from the Register may generally be used to establish the identity of the beneficial owner. Obliged entities pursuant to Article 9 para. 1 nos. 1 to 3 WiEReG are authorised to inspect the Register. In principle, however, obliged entities may not exclusively rely on the information contained in the Register to fulfil their due diligence obligations (Article 11 para. 1 first sentence WiEReG).

182 WiEReG distinguishes between different excerpts for obliged entities, which have a different quality with regard to their use for verifying the identity of beneficial owners. A common feature of the excerpts is that the identity of the beneficial owners in the case of persons domiciled in Austria is verified by means of a comparison with the Central Residence Register (Zentrales Melderegister), and the data is compared daily against that held in the Zentrales Melderegister. A superscript (ZMR) next to names in excerpts is used to indicate that entries have been compared. This measure ensures that such beneficial owners also actually exist, that the name is spelt correctly and that the address information is up-to-date. In addition, they are marked as deceased, as soon as this information is stored in the Central Residence Register (Zentrales Melderegister). Persons who do not have a place of residence in Austria are required to upload passport copies with the declaration. These may also be inspected in addition to the excerpt. The identity of beneficial owners who are not resident in Austria can be verified by means of these passport copies.

183 On the one hand, "basic" excerpts containing the information listed in Article 9 para. 4 WiEReG on, among other things, the legal entity, the direct and indirect beneficial owners, the date of the last notification and any remark (MN 194f) may be requested, or excerpts within the scope of public inspection that contain the information listed in Article 10 WiEReG. These respective cases relate to excerpts that may only be used for determining the identity of beneficial owners, but not for verifying their identity. It should be noted, however, that public excerpts do not contain any information about remarks.

184 On the other hand, obliged entities may alternatively request an "extended" excerpt pursuant to Article 9 para. 5 WiEReG. In addition to the information contained in a "basic" excerpt (MN 182), this excerpt also contains an automatically generated representation of all known participation levels, pre-compiled beneficial owners, the persons authorised to represent a legal entity and the indication about whether a complete extended excerpt is available based on the completeness analysis. An extended excerpt is complete if there is no valid remark (MN 194f), the reported data corresponds to the data compiled by automated means and the completeness analysis shows all data are available for compiling the beneficial owners. For example, foundations, foreign legal entities or partnerships appearing at a relevant point in the participation structure may prevent a complete extended excerpt. A complete extended excerpt is only available if no control relationships or trust relationships have been reported that deviate from the status shown in the Commercial Register.

185 Based on a complete extended excerpt, obliged entities can determine and verify beneficial owners where no factors exist to suggest an increased risk124 with a legal entity as a customer and the obliged entity has satisfied itself by enquiring with the customer that no control relationships or trust relationships exist that deviate from the excerpt. This enquiry must be made prior to establishing the business relationship (e.g. as part of the account opening process). In the case of existing business relationships, complete extended excerpts may also be used for update purposes after appropriate consultation with the customer.

186 An incomplete extended excerpt may still be used to verify the beneficial owner if obliged entities take additional risk-based measures. Such measures may, for example, include obtaining additional excerpts for superordinate entities from the Register of Beneficial Owners or from public registers or obtaining corresponding documents from the legal entity itself. The obliged entity must be convinced, when considering all the documents and excerpts obtained, that it knows who the beneficial owner is and understands the customer’s ownership and control structure. For this purpose, the information reported to the Register on superordinate entities or on the ultimate beneficial owner may also be queried. Since an indirect beneficial owner’s position is established starting from the ultimate legal entity, this information, together with the compiled shareholding structure in an extended excerpt, can help to understand ownership and control structures. To fulfil the obligation pursuant to Article 6 para. 3 no. 2 FM-GwG, whereby customers are instructed to divulge the identity of their beneficial owner(s), it generally suffices for the customer to explicitly confirm that their beneficial owners correspond to those notified to the Register, are up-to-date and that no control relationships or trust relationships exist that deviate from those contained in the extended excerpt.125

187 In the case that a notification to the Register is submitted by representatives of the party acting in a professional capacity for a legal entity, they are obliged to state whether they have already conducted the review in their capacity as the representative of the party acting in a professional

124 This is to be assessed on the basis of the risk classification as defined in Article 6 para. 5 FM-GwG. If the customer is classified in a “high” or “increased risk” risk class, such a complete extended excerpt may not be used for the verification of the beneficial owner.
125 In such cases it is therefore no longer generally necessary to instruct the customer to enter additional data and information about their beneficial owners in a form.

capacity. If this is the case, it is stated in basic or extended excerpts from the Register. This information may be considered by obliged entities as part of a risk-based approach. However, it does not permit the determining and verification by means of an authorised third party pursuant to Article 13 FM-GwG, since the obliged entity is unable to ensure, pursuant to Article 13 para. 2 FM-GwG, that the documentation used and other relevant documents about the customer or beneficial owner’s identity were forwarded to the obliged entity.

4.2.9 Checking Beneficial Owners using WiEReG Compliance Packages

188 Representatives of the party acting in a professional capacity, if they have verified and checked a legal entity’s beneficial owners in accordance with the requirements defined in the WiEReG, may submit all necessary information, data and documents for verifying and checking the beneficial owners’ identity to the Register (Article 5a para. 1 WiEReG). This is known as a compliance package (for details about the necessary contents and creating such a package see point “6 Erstellung von Compliance-Packages” in the BMF-Decree on WiEReG mentioned in MN 131). A compliance package should contain all documentation needed for determining and verifying the beneficial owners. Beneficial owners may consult a compliance package together with an extended excerpt from the Register of Beneficial Owners. In so doing, a zip file may be downloaded, which, in addition to the extended excerpt, contains the summary of the contents of the compliance package including a confirmation of the date on which it was accessed, as well as the necessary documentation for the review in a structured form. In general the documentation contained in a complete and valid126 compliance package may be used on a risk-based basis in combination with an extended excerpt (Article 9 para. 5 WiEReG) for the determining and checking of beneficial owners (Article 11 para. 2a WiEReG).127

189 The inspection of a compliance package therefore constitutes a special way of obtaining the necessary documentation for checking of the beneficial owners. Since the compliance package is always required to be compiled by a representative of the party acting in a professional capacity, since the beneficial owners and the up-to-dateness of the documents contained therein are required to be reviewed and confirmed by that representative, which is always an obliged entity as defined in Directive (EU) 2015/849, and since infringements against reporting obligations and the obligation to update such information are sanctioned by fines of up to EUR 200,000, the legislator has defined certain simplifications regarding the usage of documents from compliance packages. In this way, proof of existence of foreign companies may also be used where it is older than six weeks at the time of verifying beneficial ownership, provided that the compliance package as such is valid.

190 A compliance package automatically becomes void 12 months after the last report, and may no longer be retrieved from the Register. If a compliance package was retrieved from the Register prior to the expiry of this deadline and the verification by the obliged entity under the FM-GwG is delayed, then it is necessary to assess on a risk-based basis, whether and which documents are

126 cf. the statement in this regard pursuant to Article 9 para. 4 no. 7b WiEReG.
127 cf. the report and motion of the Finance Committee (Finanzausschuss) no. 644 supplement to the stenographic protocols of the National Council for the 26th legislative period, 59: “The risk-based checking of beneficial owners on the basis of these documents therefore constitutes an appropriate measure e.g. as defined in Article 6 para. 1 no. 2 FM-GwG”.

required on a case-by-case basis. A zip file containing the documents may be saved; it also contains a summary of the content of the compliance package, including the retrieval date as proof of the documents having been retrieved as part of a compliance package.

191 In the risk-based verification of the beneficial owners assisted by the documents contained in a compliance package, the obliged entity must ensure that the documents in the compliance package, in conjunction with the other data and information that are available to the obliged entity for verifying the identity of the beneficial owner, are sufficient for it to be convinced that it knows who the beneficial owner is (including an understanding of the ownership and control structure). Where this is the case, the documents contained in the compliance package may generally suffice.128

192 Where private law documents that are customary in the country are included in a compliance package, the corresponding power of representation and up-to-dateness of the relevant documents must be verified by the representative of the party acting in a professional capacity when the compliance package is prepared and therefore, in principle, do not need to be verified again by the obliged entity. Remarks pursuant to Article 5a para. 3 WiEReG shall be considered as equivalent to original documents in terms of their evidential value. In particular it is not necessary to verify whether grounds actually existed against the transmission of a document to the Register.

193 If, in the course of the risk-based application of due diligence, the obliged entity arrives at the conclusion that additional information or documentation is required to satisfy them about the identity of the beneficial owner, such information shall be obtained in addition to the compliance package. Based on the risk-based application of due diligence, the obliged entity must not have any reason to doubt the accuracy or authenticity of the report, its up-to-dateness, accuracy and completeness of the documents and evidence contained in the compliance package.

4.2.10 Making remarks

194 If, in the course of performing their due diligence, obliged entities discover that the beneficial owners entered in the Register do not correspond to those they identified in the course of performing their due diligence and if they are convinced that they know the entry in the Register to be incorrect or incomplete, obliged entities are required to make a remark (for details, see also the point “8 Setzung von Vermerken” (Making remarks) in the BMF-Decree mentioned in MN 131). In making the remark, the obliged party declares that it was unable to verify the beneficial owner entered in the Register when determining and verifying the beneficial owner's identity.129 The obligation to set a remark lapses where the obliged entity advises its customer about the incorrect or incomplete entry, and the customer makes a correction within an appropriate timeframe.130 A remark shall not be permitted if an obliged entity is required to file

128 Cf. the report and motion of the Finance Committee (Finanzausschuss) no. 644 supplement to the stenographic protocols of the National Council (BlgNR) for the 26th legislative period, 59.
129 See Article 11 para. 3 WiEReG in detail.
130 See also Point 8 of the WiEReG BMF-Erlass (MN 131).

a suspicious activity report under the obligation set out in Article 16 para. 1 FM-GwG and where it can reasonably assume that the related information of the customer could hinder the prosecution of the beneficiaries of a suspicious transaction. In such a case, only the suspicious activity report must be filed.

195 Where the obliged person is aware of a valid remark in the Register, this leads to the need to take appropriate additional measures to determine and verify the identity of the beneficial owner. In addition, the obliged entity must also make a remark, where the conditions listed in Article 11 para. 3 WiEReG are met. However, the mere existence of a remark does not automatically mean that there is an increased risk associated with this customer that requires the customer to be listed in a higher risk class.131 An additional measure could be, for example, to request the customer to correct the Register entry. If the customer complies with this request, the remark is removed by the new notification being made without further proceedings. The obliged entity may subsequently request a new Register excerpt which no longer contains the remark. If obliged entities establish a business relationship despite a remark existing or nevertheless conduct an occasional transaction, the additional measures taken must be sufficiently documented (e.g. further public register excerpts obtained, further evidential documents obtained from the customer itself) to ensure that they are convinced that they know the identity of the beneficial owner, that they understand the ownership and control structure and that they know how they have resolved the discrepancy with the beneficial owner recorded in the Register.

4.2.11 Beneficial owners of private equity funds

4.2.11.1 General

196 Private equity funds132 are considered to be alternative investment funds (AIFs).133 Under the rules in the AIFMD or the AIFMG, an AIF is only allowed to be managed by a single alternative investment fund manager (AIFM). The AIFM must hold the appropriate authorisation (licence or registration) for managing the AIF, and is responsible for observing the provisions. In addition, the AIFM itself is also an obliged entity134 as defined in the FM-GwG.

197 The AIFM is either an external manager, which is the legal person appointed by the AIF or on behalf of the AIF and that is responsible for managing the AIF as a result of this appointment (external

131 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 14.
132 See points 9 and 10 of Annex IV, Reporting Templates: AIF in Commission Delegated Regulation (EU) 231/2013 about AIF types and investment strategies. It should generally be noted that there are different types of AIF depending on the investment strategy or national regulation pursued, such as e.g. special funds, other assets and pension investment funds as defined in Part 3 of the Investment Funds Act 2011 (InvFG; Investmentfondsgesetz) published in Federal Law Gazette I No. 77/2011 as amended.
133 An AIF exists, provided the conditions listed in the AIF definition as defined in Article 4 (1) lit. a of Directive 2011/61/EU (AIFMD) or Article 2 para. 1 no. 1 AIFMG, published in Federal Law Gazette I No. 135/2013 as amended are met, and it is not an undertaking for collective investment in transferable securities (UCITS) as defined in Article 5 of Directive 2009/65/EC (UCITS Directive) or Article 2 InvFG 2011. A UCITS is a harmonised fund product and as a rule every fund that is not a UCITS, and provided that there is no exception as defined in the AIFMD, is qualified as an AIF.
134 Article 2 no. 2 lit. d FM-GwG.

AIFM); or in the case that the AIF’s legal form permits internal management and where the AIF’s management body chooses not to appoint an external AIFM, the AIF itself; in this case the AIFM shall be authorised as AIFM (internal AIFM)135. AIFs may be established in different forms and legal structures, whether in contractual form, the form of a trust, in the form listed in the statutes, or in another legal form136.

198 In practice different designs exist for private equity funds, with the specific design being based on the respective national law of the state of domicile of AIFMs or managers137 and of the private equity fund. The most popular form for private equity funds in Austria is a GmbH acting as an external AIFM of a GmbH & Co KG that is qualified as an AIF. In the Anglo-American legal sphere, private equity funds are predominantly established as “limited partnerships” i.e. as a partnership.

4.2.11.2 Determining and checking the identity of the beneficial owner in various constellations involving a private equity fund

199 The following remarks apply exclusively to AIFs of a private equity fund type and equivalent138 private equity funds from equivalent third countries, or for constellations where the obliged entity’s customer is the AIFM or manager, the private equity fund139, the target entity140 of the private equity fund or a special purpose vehicle (“SPV”)141. In the final two constellations, the private equity fund appears in the customer’s ownership chain.

200 Obliged entities shall generally take into account when determining the beneficial owner pursuant to Article 6 para. 1 no. 2 FM-GwG in conjunction with Article 2 WiEReG in the aforementioned constellations that there are generally several persons involved in the provision of a private equity fund, such as, for example, the AIFM or manager, the “general partner”, the fund initiator, advisors, trusts, registration bodies, investors and the like142. The rights and obligations of the persons and investors involved in the case of private equity funds are usually based on various contracts and ancillary agreements (e.g. partnership agreements, management agreements, general partner agreements, limited partnership agreements and management agreements, advisory agreements, etc.) which may be a relevant source of information for fulfilling FM-GwG due diligence obligations. Depending on the constellation of the individual case in hand, it may

135 See in detail Article 5 AIFMD or Article 3 AIFMG.
136 See in detail Article 2 (2) AIFMD or Article 1 para. 2 AIFMG.
137 The term “manager” is understood in this Circular as an equivalent (compared to the AIFMD) authorised and supervised company domiciled in a third country that is contractually entrusted with the management or administration of the private equity fund.
138 With regard to the type of AIF and the private equity fund investment strategy.
139 As already stated in MN 197, the AIFMD distinguishes between the internal management of a private equity fund – in this instance the private equity fund is authorised as an AIFM (identical legal personality). When appointing an external AIFM it must be borne in mind that in principle the appointed AIFM is solely entrusted with representing the private equity fund and where the private equity fund acts directly as a customer, the granted mandate or other authorisation for representation should be submitted by the external AIFM, and should be taken into account.
140 The entity in which the private equity fund is investing in accordance with the rules of the investment guidelines.
141 In this case it is a company that is interposed between the private equity fund and one or more target entities of the private equity fund for a specific purpose, such as investment in and management of the target entities (asset value of the private equity fund).
142 Cf. also the Final Report on Guidelines on revised ML TF Risk Factors, Guideline 16, 16.1.

occur that one or more persons exercise (joint) control under WiEReG vis-à-vis the private equity fund, and thereby constitute beneficial owners.

201 As a rule, private equity funds have a lower number of investors that may be both private persons as well as institutional investors (pension funds, investment funds). In the case of private equity funds manufactured for a limited number of affluent private persons or for “family offices”, investors may be in a position to exercise influence over the fund’s assets. When determining and verifying the beneficial owners, particular attention must be paid to whether the private investor or wholesale investors’ potential activities in relation to the fund’s assets constitute control as defined in WiEReG143 and where applicable such persons should also be determined as being beneficial owners, and checked accordingly. In addition, in the case where investors exercise control over the assets, such funds are considered as an asset management vehicle, which Annex III of Directive (EU) 2015/849 lists as a factor for potential high risk144.

202 Where an obliged entity’s customer is a target undertaking of a private equity fund, it should be considered when determining and checking the beneficial owner, inter alia, that the essence of a private equity fund is usually in exercising a controlling influence145 over the target company146 and, in addition to this ("control"), a position as beneficial owner (para. 183) of the natural persons controlling the private equity fund in relation to the target company may also arise; if this is the case, such natural persons must also be determined and appropriately verified as beneficial owners.

203 Where the obliged entity’s customer is a special purpose vehicle (“SPV”) of a private equity fund, then the private equity fund shall be considered as the parent undertaking of the special purpose vehicle (“SPV”). In the case of there being an intermediate special purpose vehicle (“SPV”), the private equity fund acquires investment items indirectly via the special purpose vehicle (“SPV”). The AIFM managing the private equity fund must ensure by means of control rights that the special purpose vehicle (“SPV”) meets all the requirements set out in the AIFMD147 and may be deduced in this way as being the beneficial owner of the AIFM, where applicable with other persons148. In such a case, these natural persons are also determined as the beneficial owners of the special purpose vehicle (“SPV”), and verified in an appropriate manner.

204 In cases where an obliged entity under the FM-GwG is a participant in an (international) syndicate, e.g. providing funding to the borrower for a large-volume investment of a private equity fund with further EU/EEA banks or banks from equivalent third countries as syndicate partners, then in practice the syndicate leader (who is an obliged entity under the AMLD or comparable equivalent international regulations) is frequently responsible, among other things, for reviewing the funding, collecting and verifying KYC documentation, including the identification and verification of the beneficial owner. Nevertheless, each syndicate partner has an original obligation to adequately

143 cf. also the Final Report on Guidelines on revised ML TF Risk Factors, Guideline 16, 16.3., lit. b.
144 cf. also the Final Report on Guidelines on revised ML TF Risk Factors, Guideline 16, 16.3., lit. b.
145 The dominant influence may arise inter alia from a direct or indirect participation, from the voting rights or investment contracts or other ancillary agreements.
146 cf. Tollmann in Dornseifer/Jesch/Klebeck/Tollmann, AIFM-RL, Geltungsbereich (AIFMD, Scope), Article 2, MN 68.
147 cf. Tollmann in Dornseifer/Jesch/Klebeck/Tollmann, AIFM-RL, Geltungsbereich (AIFMD, Scope), Article 2, MN 73.
148 Persons as defined in MN 200.

review the documentation and information regarding its suitability and completeness in relation to ensuring due diligence for the prevention of money laundering and terrorist financing. In practical terms, an “AML Letter” (cf. MNs 199, 200 and 208) is also submitted in this regard. Where the obliged entity under the FM-GwG arrives at the conclusion that no increased risk of money laundering and terrorist financing emanates from the customer, the “AML Letter” may suffice for the verification of the beneficial owner. This also applies to the checking of the completeness and up-to-dateness of the data, documents and information that is to be performed regularly during the course of the business relationship.

205 Taking into consideration the applicable risk-based approach for preventing money laundering and terrorist financing, during the course of business relationships involving a private equity fund, the following risk-minimising variables may also be taken into account:

  • AIFMs or managers or private equity funds are subject to regulation in the EU/EEA or comparable regulation in third countries including an equivalent regulation with regard to the prevention of money laundering and terrorist financing, and no grounds exist to suspect the existence of shortcomings or deficiencies in the prevention of money laundering and terrorist financing149, etc.
  • Conclusively plausible expert opinions exist about jurisdictions including the third country AML provisions relevant to the financial market which demonstrate equivalence as well as private equity fund constructions that are typical in the market. Regarding the risks relating to corruption, criminality, etc., reference may be made to current, reliable and objective sources, such as FATF reports (incl. FSRB reports), etc., as an alternative to an expert opinion.
  • Increased publicity requirements arising from the size or prestige of the private equity fund (potential criteria e.g. Top 300 funds) or their AIFM or manager.
  • The AIFM or manager and private equity funds have implemented a suitable AML programme taking into account minimum standards (in any case, clarification of the applicable jurisdiction, material due diligence principles for the prevention of money laundering and terrorist financing, e.g. customer identification, handling of risk situations/transactions, etc.), with control processes ensuring compliance with such standards, and this is also regularly reviewed and adapted as necessary.
  • Having conducted in-depth research in registers, databases, etc., no grounds exist with regard to the AIFM or manager, or the private equity fund that lead to an increased risk with regard to money laundering and terrorist financing.
  • Queries/excerpts/information from an existing fund register in the private equity fund’s country of domicile or a database with relevant information on the beneficial owner.

149 In this context, in particular country reports by the Financial Action Task Force (FATF) and the FATF-Style Regional Bodies (FSRBs) as well as inspection reports by other (international) institutions such as the International Monetary Fund (IMF) are to be applied.

It should be noted that this is a demonstrative list and the obtaining of documentation and its assessment as risk-minimising must be documented accordingly.

206 The following may be considered as variables that increase risk:

  • AIFMs or managers or private equity funds are unregulated or not subject to equivalent regulation; anomalous, unusual or opaque structures for AIFMs or managers and/or private equity funds; such structures cannot be explained or are implausible in legal/economic terms, or there are off-shore relationships that do not permit the beneficial owner to be clearly identified,
  • The private equity fund’s target entities have a business activity/industry/business model that is prone to risk, e.g. manufacturing of weapons, etc.,
  • Failure of EU Member States to transpose or inadequate transposition of the 4th and 5th AML Directives, or where pending infringement procedures exist in this regard, especially with regard to beneficial ownership rules.

It should be noted that this is a demonstrative list and the obtaining of documentation and its assessment as risk-increasing must be documented accordingly. A holistic view must be taken of the risk-minimising and risk-increasing variables determined in the case in hand.

207 Obliged entities must conduct a risk assessment at individual customer level taking into consideration the risk variables pursuant to Annexes I, II and III of the FM-GwG150. Where the obliged entity reaches the conclusion on the basis of its risk assessment that the customer (AIFM, target undertaking or special purpose vehicle or private equity fund) does not present an increased risk of money laundering and terrorist financing, then a current “AML Letter” (see MN 208) may be sufficient for reviewing the beneficial owner.

208 At least the following information should be obtained from the “AML Letter”:
  • The name and address of the AIFM/manager and the private equity fund,
  • Country of incorporation of the AIFM/manager and the private equity fund,
  • Statements about the authorisation held and the competent supervisory authorities regarding AIFMs or managers and private equity funds.
  • Statements about the ownership and control structure of the relevant persons in private equity constructions (at least a non-objection statement about the investors).
  • Regulations that apply for the prevention of money laundering and terrorist financing, of particular interest in cases where the manager and the private equity funds are not domiciled in the same country, or statements about the AML programme of the private equity funds.

150 Cf. FMA Circular on risk assessment for the prevention of money laundering and terrorist financing, Chapter 4, (Publication date: February 2022).

  • Statements about the issuer of the “AML Letter” (see MN 208) and the extent to which the issuer is authorised to issue or provide the information on the basis of a representation agreement or a legal transaction.

Where the aforementioned statements cannot be found in the “AML Letter”, the obliged entity shall be required to take other measures, such as Internet research, database queries and similar in order to obtain information, and to document it accordingly.

4.3 Collection of information about the purpose and intended nature of the business relationship

209 Pursuant to Article 6 para. 1 no. 3 FM-GwG information must be collected about the purpose and intended nature of the business relationship. This information, together with the other information to be obtained under Article 6 para. 1 nos. 1, 2, 4 and 5 FM-GwG, is significant for establishing a financial profile of the customer in accordance with the "Know Your Customer" (KYC) principle. In individual cases, especially depending on the risk level of the customer or the transaction, this may include gathering of information or even documentation as applicable about the customer’s significant business partners and other relevant contractual parties under the “Know your customer's customer” (KYCC) principle. A customer’s profile should enable the obliged entity to assess whether transactions and actual customer behaviour are within the range of predictable customer behaviour and typical business activity based on the information obtained or should be assessed as being unusual. Obliged entities must therefore perform consistency or transaction behaviour plausibility checks based on the obtained KYC information.

210 The customer's choice of product may in particular be used as a primary starting point for obtaining information about the purpose and intended nature of the business relationship. As a rule, services or products used will already provide indications about a specific economic purpose being fulfilled.

211 In the case of a passbook-based savings account or a savings account, a low-risk, at least medium- to long-term investment to generate income and (regular) deposits are to be expected, while regular outflows are generally not to be expected. Conversely, the purpose of a current account will primarily be to perform day-to-day payment transactions and the associated settlement of private or (business) liabilities, with short-term availability of the funds used being important in this instance.

212 In the area of securities business and of investing of assets, the specific choice of product will provide points of reference about the customer's typical expected investment and transaction behaviour, especially against the background of their investor profile (e.g. long-term investment or speculative) and specific customer needs. In the individual case in hand, it may be necessary, depending on the specific product or service, to gather additional information or documentation.

213 In the life insurance sector, for example, the purpose of the business relationship will be wealth accumulation, financial security in the event of death, or credit hedging.

214 In the field of virtual currencies the purpose and type of business relationship may be determined based on the service offered or used as defined in Article 2 no. 22 FM-GwG (for example: increase in value, speculation, exchange into fiat money, purchasing for private activity in a blockchain network e.g. as a validator etc.). Accordingly, it may be assumed, for example, that using custodian services pursuant to Article 2 no. 22 point a FM-GwG follows a different purpose than exchange activities pursuant to Article 2 no. 22 points b and c FM-GwG. It may therefore be necessary to obtain further information (e.g. about the term and investment amount etc.) when ascertaining the respective purpose and type of the business relationship.

215 Information on the business relationship’s purpose and nature may also include the following items on a risk-based basis:

  • expected incoming and outgoing payments from and to the account (frequency, source, destination, amount);
  • expected incoming and outgoing payments regarding foreign payments;
  • types of transactions that may be performed;
  • disclosure of the origin of funds or financial resources in the case of incoming payments;
  • the expected destination of outgoing payments and services from the account;
  • amount and origin of the customer’s assets and their income;
  • description of business segments and the customer’s business activities and presentation of the company structure or group structure;
  • description of target markets or customers;
  • description of any permanent business relationships to other undertakings, e.g. major customers, suppliers or other co-operations with companies;
  • information or documentation as applicable regarding the customer’s significant business partners and other relevant contractual parties (cf. MN 216 ff).

216 Especially with regard to customers or transactions with an increased risk (cf. MN 318 ff.), it may be necessary to obtain risk-based information or, if applicable, documents on the customer's material business partners and other relevant contractual parties prior to establishing the business relationship or during the course of the business relationship and to document this accordingly, e.g. within the framework of a KYC profile151. Such material business partners of the customer may be involved in the customer's predominant payment flows or carry out correspondingly high individual or regular transactions. The objective of collecting KYCC information is in particular to collect information about the legal origin of the funds used within the scope of the business relationship or to detect and investigate in order to prevent the obliged entity from being misused for money laundering and terrorist financing purposes. Corresponding information or, as applicable, documentation will be required, for example152, in the following constellations:

Example 1: A corporate customer of a credit institution exports to a high-risk country (e.g. a country that is named or listed in the Delegated Regulation153). Prior to establishing the business relationship, information must be gathered about the customer’s business activity and business environment. During this process, it is necessary to obtain information or research about the customer’s material business partners and therefore consequently the legal origins of the funds used within the scope of the business relationship. The same applies mutatis mutandis in the context of the continuous monitoring of the business relationship and settled transactions.

Example 2: The customer of a credit institution is a natural person selling a property. Additional risk factors prevail with regard to the transaction, e.g. the purchase price is very (potentially even excessively) high or is clearly not the going market rate, or because the actual purchase price deviates from the one stated in the sale and purchase agreement, or because a complex construction is involved, in particular involving intermediate (trust) structures, or an unusual method of payment (e.g. cash) and/or an increased geographical risk, or the purchaser is a holding company that is not operationally active etc. In such cases it doesn’t suffice to obtain the sale and purchase agreement. Instead further information must be obtained or research conducted regarding the legal origin of the funds used in the business relationship and therefore about the customer’s "business partner" (in this instance the purchaser).

151 Judgement of the Federal Administrative Court (BVwG), W230 2138107-1/37 E.

152 Regarding the examples, it should be noted that, by their very nature, these cannot be considered as comprehensive descriptions of the facts, but only those aspects are singled out that are particularly material with regard to the KYCC principle.

153 Commission Delegated Regulation (EU) 2016/1675 of 14.07.2016 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council by identifying high-risk third countries with strategic deficiencies. OJ L 254, 20.09.2016, most recently amended by Commission Delegated Regulation (EU) 2021/1675, 07.12.2020, OJ L 1 14, 18.01.2021.

217 In principle, the evidential value of information or documentation must be oriented towards the respective risk level of the customer or transaction. The higher the risk related to the customer or transaction, the stricter the requirements are regarding the informative value or independence of the information or documentation about the customer's material business partners and the customer’s other relevant contractual parties154. Regarding the information, or as applicable, documentation to be obtained, it should be noted that information may be obtained from the customer about business partners or contractual partners as well as independent information from (public) databases or registers or other reliable sources for checking the plausibility of the information provided by the customer. Where an increased risk exists, it may be necessary to also obtain further information or, if necessary, documentation in addition to the information from the customer or the business partner itself. Where no possibilities exist to make queries via corresponding (foreign) databases, information or, as the case may be, documents on the customer’s material business partners and other relevant contractual parties may also be obtained via the customer or through (internal) research by the obliged entity.

154 Judgement of the Federal Administrative Court (BVwG), W230 2138107-1/37 E.

218 For example, the following information or documentation may be gathered about the customer’s significant business partners and other relevant contractual parties: annual financial statements, balance sheets, memoranda of association, publicly available register excerpts, supply contracts, framework arrangements, tax returns, other information about the contractual relationship to the customer, queries about natural persons in the bank’s internal databases as well as Internet queries about the entity or the natural persons, or excerpts from the entity’s website etc.

4.4 Checking of the origins of funds

219 Pursuant to Article 6 para. 1 no. 4 FM-GwG, information on the origin of the funds used must be obtained prior to the business relationship being established or an occasional transaction being conducted. For example, enquiries must be made about the professional or business activity, the income or business result or the general financial circumstances of the customer and its beneficial owners. Such information may be supported by income tax statements, current salary payments into an account, deeds in relation to donations and contracts in relation to the delivery of goods, as well as balance sheets, certificates of business licences or similar.

220 In the area of virtual currencies, the following documents and information may be considered as examples of proof of the origin of funds: statements from the wallet in the customer's possession ("hot storage" and "cold storage"), containing the historical depiction of purchases and sales of the virtual currencies on the wallet, receipts of purchases and sales made at ATMs, proof of mining activity (e.g. purchasing of hardware and software), proof of virtual currencies generated from mining, contracts, invoices, transaction histories for trading on "exchangers" or trading platforms for virtual currencies, etc.

221 As a matter of principle, it is necessary to scrutinise and document the origin of the customer’s assets, both when checking the origin of funds pursuant to Article 6 para. 1 no. 4 FM-GwG as well as during ongoing monitoring pursuant to Article 6 para. 1 no. 6 FM-GwG. The customer may on the one hand have earned its assets itself, or on the other hand received them from third parties, as is usual for example in the case of purchase or donation agreements. In particular in the case of customers or transactions with an increased risk where the assets originate from third parties, it may be necessary to obtain additional information or, as applicable, documentation (respectively from an independent source) about the origin of the assets of the third parties. Simply obtaining a contract without additional information or documentation about the origin of assets of the involved parties shall not suffice in all cases. The customer's refusal to fully disclose the origin of funds may lead to a suspicion of money laundering or terrorist financing on the part of the obliged entity (see MN 39).155

155 Supreme Administrative Court (VwGH) 11.06.2002, 99/01/0437 with reference to the Supreme Court of Justice (OGH) 05.12.1995, 14 Os 181/95.

222 Cash continues to represent a high risk potential and a high degree of due diligence must therefore in particular be observed for cash transactions. As already mentioned, the checking of the origin of funds on a risk-oriented basis is therefore unavoidable. Risk factors, such as:

  − duration of the business relationship,
  − monetary amount and quantity of the transaction(s),
  − the risk classification,
  − the assets or financial position of the customer,
  − past payment behaviour,
  − past anomalies in relation to the customer’s behaviour,
  − distribution of individual transactions across a longer period of time,
  − time period between outgoing and incoming payments,
  − occupation/profession or industry in which the customer is active,

may be used for checking the plausibility of a transaction conducted as well as the required extent of the documentation for checking of the origin of funds. Taking the aforementioned factors into consideration, it is therefore perfectly possible that a cash transaction carried out for a customer with standard risk is classified as a transaction with an increased or high risk and consequently must be subjected to an in-depth review. In doing so, a risk-based approach is to be taken, whereby not only the risk of the customer, but also the risk of the individual transaction is considered. The factors mentioned do not constitute an exhaustive list; the relevant circumstances of the case in hand must always be taken into account.

223 In the area of virtual currencies, anonymous virtual currencies and virtual currencies unable to be subjected to continuous systemic monitoring represent an increased risk potential for misuse for the purposes of money laundering and terrorist financing, especially since it is exceptionally difficult or even impossible to check the origin of funds for such virtual currencies. In the event that the due diligence requirements, among others, are unable to be met for verifying the origin of funds, the acceptance of such virtual currencies may not be permissible, when taking into account the provisions set out in the FM-GwG. This also includes virtual currencies associated with various methods of concealing the sender or amount, for example by using mixing services, etc., especially if virtual currency transfers are carried out directly by mixing services or similar conduits.

224 Please also refer to the explanations on regular customer business in MN 26ff.

4.5 Ongoing monitoring of the business relationship

225 Ongoing monitoring of the business relationship forms part of the due diligence obligations under Article 6 para. 1 no. 6 FM-GwG, and includes reviewing transactions conducted over the course of the business relationship. Obliged entities must therefore ensure that the transactions carried out are consistent with their knowledge about the customer, its business activities and risk profile, including the origin of funds.

226 Adequate safeguarding measures, especially for the prevention of terrorist financing, may be necessary as part of ongoing monitoring to check how funds are used, in addition to checking the origin of funds. Money used for terrorist financing may, in contrast to money laundering, originate from both legal and illegal sources, and may also be quite low in terms of the amounts used. It may therefore be necessary to scrutinise the purpose of the transfer of assets within the framework of preventive measures. Therefore risk-based information about the purpose of the business relationship or transaction must be obtained and a plausibility check conducted. Due to the increased risk in connection with terrorist financing, the KYC principle has a significant role, with information merely provided orally by the customer in the context of the plausibility check unable to be considered an adequate measure. Instead, conclusive up-to-date documents must be collected to prove the purpose of the payment, in addition to information provided by the customer.

227 The full and meaningful collection and recording of all relevant KYC information about the customer forms the basis of such monitoring, both at the start of, or during the course of the business relationship, and must be conducted in a risk-based manner (cf. MN 209 ff.). This includes, for example, depending on the respective risk level of the customer or the transaction:

  • logging the customer’s business model, the customer’s payment behaviour, its main business partners and transactions intended to be processed via accounts held at the obliged entity, as well as information about their products and deliveries of goods and commodities and approximate amounts, as well as information on the origin of funds, and the purposes or activities they are used for (and, where applicable, which geographical links they have, e.g. transfer to countries with active terrorist groups). Especially where there is an increased risk, the reasons why the customer’s business partners or contractual partners receive or send transactions must be apparent to the obliged entity. Where a customer is active in several countries it may be necessary to obtain (international) information and proof, in particular regarding (trading) activity, the parties involved and the expected payment flows. Where this is not done, a suitable plausibility check may be unable to be carried out during the course of the necessary in-depth review of the executed transactions156.

228 In this case, to recognise unusual, atypical transactions or deviating transaction behaviour, the prerequisites for risk-based and appropriate consistency checks are complete and up-to-date information, data and documents as stated in Article 6 para. 1 no. 7 FM-GwG.157

156 Judgement of the Federal Administrative Court (BVwG) 07.02.2019, W230 2138107-1/37 E.

157 Judgement of the Federal Administrative Court (BVwG) 19.09.2014, W210 2000428-1.

229 Article 6 para. 5 FM-GwG stipulates the required risk-based orientation of ongoing monitoring, as well as for the other due diligence obligations. The risk assessment at customer level forms the basis for a risk-based and appropriate ongoing monitoring. Frequency and intensity of such monitoring measures depend on the risk level.

230 In this context, obliged entities must check, based on criteria defined on a risk-based basis (e.g. type, frequency, amount or value, purpose, origin or destination as well as ordering party and recipient of the transactions), whether the transactions processed during the course of the business relationship correspond to the predictable transaction behaviour that can be derived from the available knowledge about the customer and the economic beneficiary.

231 With regard to the type of monitoring methods to be implemented, a distinction is made between monitoring measures “by automated means” and “manual” ones, or a combination of both. Monitoring measures must ensure that both transactions using fiat money as well as transactions with virtual currencies are able to be subjected to adequate checks using recognised databases or recognised analysis software.

232 Depending on the respective type and size of the obliged entity, its business model or the number of business relationships to be monitored, generally, and especially for transactions involving virtual currencies, transaction behaviour monitoring is usually required to be performed using an IT-supported system in addition to manual monitoring activities (see MN 234 below).

233 A “list system” (overall monitoring using Excel-based lists) is generally not suitable for checking account movements and transaction patterns based on certain indications, to identify irregularities or to establish a relationship between transaction patterns, the customer, the purpose of its business relationship and its risk profile.158

234 Depending on the customer’s risk category, manual monitoring measures must also be implemented in a risk-oriented manner regarding existing business relationships (e.g. manual consistency checks including obtaining meaningful proof about the origin of funds, cash transaction checking, etc.), in addition to monitoring by automated means that is usually required, depending on the specific design of this monitoring. Such manual monitoring activities must be implemented in addition to manual "processing steps" within the scope of “hit processing”.

235 Even when simplified due diligence obligations are applied, Article 8 para. 3 FM-GwG requires transactions159 and business relationships to be monitored to a sufficient extent, thereby ensuring a minimum level of monitoring.

236 In cases where there is an increased risk of money laundering or terrorist financing (Article 9 para. 1 FM-GwG), relevant monitoring measures must take place with both a greater frequency and with a greater degree of accuracy and intensity, in order to identify suspicious transactions or transaction patterns.

237 Under Article 9 para. 3 FM-GwG, obliged persons must investigate the background and purpose of all complex and unusually large transactions and all unusual transaction patterns without an obvious economic or legitimate purpose in all business relationships – irrespective of risk level. For this purpose, obliged entities must intensify the scope and type of monitoring of the business relationship concerned to clarify whether it involves suspicious transactions or activities.

238 To ensure the traceability of transactions in virtual currencies to reduce the number of anonymous transactions, obliged entities are required, pursuant to Regulation (EU) 2015/847 (“Transfer of Funds Regulation”) following para. 7b of the Interpretive Note to FATF Recommendation 15 with reference to Recommendation 16 (“Wire Transfer”), to collect information and substantive proof prior to executing a transaction about the owner of the respective sender and recipient wallets. This also includes “unhosted wallets”.

158 Judgement of the Federal Administrative Court (BVwG) 19.09.2014, W210 2000428-1.

159 In corporate provision fund business this generally only refers to direct incoming payments by a customer and not those contributions that are passed onto the corporate provision fund by the respective competent social insurance carriers.

4.6 Updates

239 Article 6 para. 1 no. 7 FM-GwG states that regular checks and updates must be performed in relation to the required information, data and documents.

240 Regular checks and updates must be carried out both at appropriate regular intervals for the respective customer risk as well as on an ad hoc basis, where there are indications of any change. For example, in the case of customers classified as low risk, ad hoc updates may be sufficient. For customers classified as medium risk, updates must be carried out at intervals of no more than three years in addition to any ad hoc update. If customers are classified as high risk, the update interval is reduced to one year. In the case of international syndications, an update interval of up to two years may also be provided for on a risk-oriented basis. The risk-based update requires the correct risk classification of customers (cf. FMA Circular on Risk Assessment). In the area of life insurance and occupational pension fund business, the aforementioned update intervals may be limited to event-related cases to be described and justified in more detail (e.g. premium increases, one-off payments in the case of a current insurance contract, pay-outs) based on the obliged entity’s corresponding risk analysis.

241 Ad hoc cases that indicate changes in customer behaviour and that may trigger update measures arise, for example, from changes in transaction behaviour or due to anomalies in transaction behaviour or where new circumstances become known about the customer. If the customer wishes to conclude additional or other products, it may also be necessary to make use of existing update measures, in light of the possible existence of new or more up-to-date circumstances. It should be noted that such case-by-case updates do not require updating all of a customer's documentation and documents.

242 In addition, the type and scope of the updating measures vary in individual cases depending on the risk level. Where classified as high risk, in the case of legal persons, for example, a current register excerpt or conclusive documents confirming the legal existence of the company (e.g. in the case of offshore customers a so-called "certificate of good standing") on an annual basis, a current power of attorney (Prokura) from the authorised representative, insofar as this is not apparent from the current register excerpt, and updated documents on the beneficial owner must be obtained.160

160 Cf. in this regard Supreme Administrative Court (VwGH) 10.10.2014, Ro 2014/02/0020.

243 Using the Register of Beneficial Owners’ web-based service, the entire customer base may also be queried using batch processing and the data of the customer’s beneficial owners recorded in the Register can therefore be determined and updated in a single process. Regarding the verification of the beneficial owners, a risk-based approach is to be taken in each case (cf. MN 173ff.).

244 The update service (Article 9 para. 9 WiEReG) allows an obliged entity to be informed with regard to all customers within the scope of application of the Register of Beneficial Owners about the occurrence of a change of beneficial owners. Having been informed about the change, the obliged entity is immediately able to determine the changed beneficial owners and verify them in a risk-based manner (cf. MN 173ff). Using the update service, it is possible to significantly increase the up-to-dateness of the data on beneficial owners that is stored by the obliged entity.

245 When updating the documents and information, - as far as is customary in the country - publicly accessible register excerpts as well as other public and non-public documents are to be consulted, in the same way as before establishing a business relationship or carrying out an occasional transaction (cf. MN 176). Where a lack of publicly accessible registers exists, other suitable documents must already be available on the basis of the initial review to be checked for possible changes. If, due to the lack of a publicly accessible register, other suitable documents are used to fulfil due diligence obligations, these documents must be obtained again as part of the updating measures where they have changed. If these documents have not changed, a written confirmation made by the customer that states that the documents - to be specified precisely - the obliged entity has obtained are still current and that no changes have occurred may be sufficient for the update. The customer must prove that it has checked their up-to-dateness.

5 NON-FACE-TO-FACE OPERATIONS

246 The FM-GwG stipulates that the verification of the identity of a natural person generally must be carried out by physically presenting an official photo identification document (see MN 5756ff). If a potential customer or its authorised representative is not physically present at the premises of the obliged entity for determining and verifying their identity and if physical presentation of an official photo identification document is therefore not possible, this constitutes a factor for a potentially increased risk within the meaning of Article 9 para. 1 FM-GwG if no additional safeguarding measures are taken.161

247 If the physical presentation of the official photo identification document is replaced by one of the safeguards listed in Article 6 para. 4 FM-GwG (taxative162), the mere fact that the identity of a natural person is determined and verified without physical presentation of the official photo identification document does not result in an obligation to apply increased due diligence obligations towards this customer.

248 The following security measures163 have been declared to be permissible by the legislator:

  • online identification (MN 251ff);
  • electronic ID card (MN 274);
  • qualified electronic signature (MN 275f);
  • registered postal delivery (MN 277f);
  • first payment made through a reference account (MN 279ff).

249 In all the aforementioned instances, the obliged entity must in any case know the name, date of birth and address in the case of natural persons and the company name and registered office in the case of legal entities.

250 It shall not be possible to use non-face-to-face operations in the case that the customer acts in trustee capacity. In order to determine the identity of the trustee, the trustee must in any case be physically present at the customer's premises in accordance with Article 6 para. 3 FM-GwG (see MN 112ff on trusteeships).

5.1 Online identification

251 A possible safeguarding measure to counteract the increased risk due to the lack of physical presence of a natural person when determining and verifying their identity is to present the official photo identification document as part of a video-based electronic or purely biometric procedure.

161 no. 2 lit. c of Annex III to the FM-GwG.

162 “The following security measures shall be permissible: […]”.

163 During the process of digital transformation, among others, the option for electronic proof of identity and an electronic signature were/are being developed further, with extended functions as a result.

252 Based on the power to issue Regulations conferred upon it stipulated in the FM-GwG, the FMA has specified in detail in the Online-IDV164 the measures that may be taken to compensate for the increased risk in online identification. These safeguards are intended in particular to ensure that the parties involved in the identification process can be made out visually, that simultaneous voice contact is possible, that the identity of the potential customer or the natural person authorised to represent the customer can be established based on an identification document, and that the process compensates for uncertainties associated with distance communication.

253 The use of online identification is not limited to potential customers in Austria or from Member States. Neither the FM-GwG, nor the Online-IDV, stipulate the exclusion from online identification for potential customers that are domiciled or resident in a third country. However, since the Online-IDV’s safeguarding measures apply without prejudice to the due diligence obligations under the FM-GwG, a customer’s (residential) domicile must in any case also be taken into account when determining the scope of the due diligence obligations.165

254 With regard to the measures to be taken, the Online-IDV distinguishes between organisational and procedural safeguards, which must be observed cumulatively and without prejudice to the further due diligence obligations stipulated in the FM-GwG.

5.1.1 Organisational safeguards

255 Online identification must be performed by sufficiently trained and reliable employees. In this context, it is important that staff members not only have sufficient knowledge of the legal requirements for performing and cancelling online identification procedures, but are also proficient in the technical performance of such procedures. To ensure that staff members observe the safeguards at all times, training must be completed prior to performing online identification for the first time.

256 After completing the training, staff members must have complete knowledge of

  • the requirements for official photo IDs in accordance with Article 2 no. 2 Online-IDV, so that these can be accepted within the scope of the Online-IDV;
  • the taking of screen grabs pursuant to Article 4 para. 2 Online-IDV;
  • the obligation to issue instructions to the customer pursuant to Article 4 para. 3 Online-IDV;
  • the procedure for being able to ascertain that official photo identification documents are authentic (Article 4 para. 4 Online-IDV);
  • the cases under which the compulsory termination of the online identification procedure must take place (Article 5 para. 1 Online-IDV).

164 Regulation of the Financial Market Authority (FMA) on video-based online identification of customers (Online Identification Regulation – Online-IDV; Online-Identifikationsverordnung) published in Federal Law Gazette II No. 5/2017, as amended.

165 no. 1 lit. c of Annex II and no. 1 lit. b of Annex III to the FM-GwG.

CIRCULAR ON DUE DILIGENCE OBLIGATIONS PAGE 71 257 The requirements for staff members to only carry out online identification procedures in a legally permissible and technically controlled manner is a way for fulfilling the due diligence obligations for the prevention of money laundering and terrorist financing, especially the proper determination and verification of a customer’s identity or of the natural person authorised to represent them. To ensure authentic interpretation, staff members must also be trained by means of role plays or "best practice" examples.166 Such training measures should also include, among other things, common practices for forging official photo identification documents and any changes regarding due diligence obligations for the prevention of money laundering and terrorist financing. Where (new) deceptive practices or other errors in the procedure become known, training measures must also be adapted accordingly. 258 Training measures conducted regarding for online identification must be documented accordingly, as must training measures in accordance with the FM-GwG167 . 259 In addition to sufficient expertise, staff members must also possess the necessary personal reputation. 260 The online identification procedure may only be carried out in a separate room equipped with an access control system, to be able to check, if necessary, who was involved in the procedure once online identification was completed. 5.1.2 Procedural safeguards 261 In order for the FMA to be able to check compliance with the required security measures according to the Online-IDV, which include in particular the procedure-related safeguards, the sound of entire conversation during the online identification procedure or the part of the conversation which serves the purpose of the online identification must be recorded. These recordings shall be submitted to the FMA where requested by the FMA. 
262 The FM-GwG or the Online-IDV do not stipulate any restrictions regarding the specific languages that may be used for the online identification procedure. However, in light of the obligations to provide and submit information pursuant to Article 29 para. 1 FM-GwG, it must be ensured that the audio recordings made available to the FMA are translated into German if required.

263 In addition to recordings of telephone conversations, particular importance is placed on screen grabs of the significant parts of the online identification procedure. The core part of determining and verifying the identity of a natural person is comparing the person against the photograph on the presented official photo identification document. During the course of the online identification procedure, firstly, the face of the natural person to be identified must be documented, and in addition the corresponding photo identification document that is used to determine and verify the identity must also be documented. The front side of the photo identification document (in credit card format), which contains the photo, as well as the back side of this same card are to be documented using screen grabs. In the case of a passport, the

166 Explanatory remarks to the publication in Federal Law Gazette II no. 5/2017, 2. 167 See in this regard the FMA Circular on Internal Organisation.

page containing the photograph and other data of the natural person (name, date and place of birth, etc.), and other information page(s) are to be documented by means of screen grabs (the back cover of the passport itself is not to be documented).

264 In order to prevent manipulation during the course of the online identification procedure, e.g. by only holding a photo of a natural person in front of the camera, the person to be identified should move their head once at the request of the employee to avoid any illusion of a still picture being used. A further safeguard is requiring the serial number of the photo ID used to be read. This is done to establish a link between the telephone recording and the screen grabs.

265 The staff member ascertains the authenticity of the official photo identification document presented by means of several verification steps pursuant to Article 4 para. 4 Online-IDV. The optical security features of the identification card, the correct numerical orthography and the integrity of the lamination of the identification card must be checked. Furthermore, the staff member must check that there is no evidence that would allow the conclusion to be reached that the photo was only subsequently attached to the official photo identification document. Finally, the logical consistency of the official photo identification document itself as well as in relation to the specified holder of the identification document must be checked.168

266 To conclude the online identification procedure, the potential customer or the natural person authorised to represent them shall, in accordance with Article 4 para. 5 Online-IDV, while the video transmission is still in progress, directly enter a centrally generated sequence of digits valid specifically for this purpose and transmitted to them by e-mail or SMS and send them back electronically to the staff member.
267 The retention and deletion periods set out in the FM-GwG of ten years shall apply for recordings and screen grabs.169

268 In contrast to the video-based electronic procedure, in the case of a biometric procedure pursuant to Article 2 no. 4 in conjunction with Article 4 para. 6 Online-IDV the identification of a customer is basically purely conducted algorithmically, without involving a staff member of the obliged entity in the personal contact. The conditions for doing so are that the customer agrees to biometric identification and that the procedure corresponds to the technological state of the art and that a comparable level of security is guaranteed as to when the identification process is conducted by staff members and checked by video-based means that the person is actually physically taking part in the identification process (liveness check). The photo identification document of the customer is also to be checked for this purpose. This check must be performed from 1 January 2023 by reading the electronic security chip (NFC chip). Until then video-based proof of identity will be permissible.

168 See in this regard, as well as regarding an abstract example of the correct alphanumerical orthography, the explanatory remarks to Federal Law Gazette II no. 5/2017, 3f. 169 Article 21 para. 1 and para. 2 FM-GwG.

5.1.3 Compulsory termination of the online identification procedure

269 If the visual verification of the identity of the potential customer, the natural person authorised to represent them, and/or the respective official photo identification document or the NFC chip is not possible, then the online identification procedure is required to be terminated. Identification may not be possible for example due to poor light contrast, poor picture quality or poor image transmission or a technical fault.170

270 Moreover, the online identification procedure must be terminated where other irregularities or other uncertainties prevail. Such uncertainties may arise for example due to interference with voice communications or other technical issues. Irregularities must in any case lead to the online identification procedure being terminated where they are not traceable and are unable to be resolved without any doubt.

271 Where the suspicion or the justified reason arises for an obliged entity during an online identification procedure to assume that the potential customer belongs to a terrorist organisation or is objectively participating in transactions that serve the purposes of money laundering or terrorist financing, then the obliged entity is required to terminate the online identification procedure. Consequently the obligations set out in Article 7 para. 7 FM-GwG are to be taken into consideration, under which a business relationship shall not be allowed to be established or an occasional transaction conducted. In addition it must be considered whether to submit a suspicious activity report to the Financial Intelligence Unit (Geldwäschemeldestelle) pursuant to Article 16 para. 1 FM-GwG. The obliged entity shall proceed as follows: Conducting the online identification procedure – not establishing a customer relationship – suspicious activity report to the Financial Intelligence Unit (Geldwäschemeldestelle).171

5.1.4 Being conducted by service providers

272 Obliged entities may make use of service providers for conducting the online identification procedure, although it must be ensured that the service provider takes safeguards in doing so that are adequate both in terms of the scope and quality of the requirements set out in the Online-IDV. Ultimate responsibility for meeting those obligations however remains with the obliged entity that makes use of such a service provider.

273 Where the online identification procedure is outsourced to a service provider, then the service provider shall neither be allowed to significantly compromise the quality of the internal controls172 nor the possibility for the FMA to check compliance with all requirements relating to the Online-IDV.

170 Explanatory remarks to the Regulation published in Federal Law Gazette II No. 5/2017, point 5. 171 Ibid. 172 This also includes the control activities performed by the statutory auditor.

5.2 Electronic ID card

274 Pursuant to Article 6 para. 4 no. 2 FM-GwG, a statutorily prescribed procedure, which ensures that the same information may be made available as if an official photo identification document were presented (electronic ID card) is a permissible safeguarding measure.

5.3 Qualified electronic signature

275 As an additional safeguarding measure, as a substitute for personal submission of the official photo identification document, the FM-GwG makes provisions for a “qualified electronic signature”. In this case the customer submits their legal declaration in the form of a qualified electronic signature pursuant to Article 3 no. 12 of Regulation (EU) 910/2014 (eIDAS-R).173 The following conditions must also be observed in addition to the conditions stipulated in MN 249:

  • Where the customer is a legal person, the legal person’s registered office must at the same time also be the registered office of the central administration, and the customer shall be required to provide the obliged entity with a written declaration that this is the case174;
  • Where the customer is established or domiciled in a third country, then the obliged entity must obtain a written declaration from a credit institution, with which the customer has a permanent business relationship, which determines and verifies the identity of the customer within the meaning of the FM-GwG, and confirming that the business relationship is still intact. If the credit institution providing this confirmation is domiciled in a third country, then due diligence and retention obligations must apply in this third country that correspond with those contained in the 4th Anti-Money Laundering Directive. Furthermore, credit institutions in this third country must be subject to supervision with regard to observance of due diligence and retention obligations corresponding to the rules contained in Articles 47 and 48 of the 4th Anti-Money Laundering Directive.

276 Identification and written confirmation by a recognised certification authority175 is also permissible in lieu of identification and confirmation by a credit institution. The obliged entity must check accordingly that the aforementioned conditions are satisfied, document them and present them to the FMA upon request in the course of its supervisory powers.

5.4 Registered postal delivery

277 The delivery of the legal declaration of the obliged entity by registered postal delivery to the customer address that is stated as the domicile or place of residence of the customer, is recognised in the FM-GwG as an additional safeguard as an alternative for submission in person of an official photo identification document. The statutory condition of registered postal delivery

173 See the European Commission’s “EU Trust Services Dashboard” at https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home regarding the “Qualified Trust Service Providers” that are authorised in the EU, who are (i.a.) allowed to create qualified electronic signatures as defined in the aforementioned eIDAS-R. 174 In this declaration, the customer must confirm in writing that the registered office stated towards the obliged entity is also the registered office of the entity’s central administration, i.e. the location at which material decisions are taken with regard to the general management of the entity. 175 For more detail, see MN 82f.

can be met by a registered letter to be delivered by hand and not handed over to persons authorised to receive mail. The requirements set out in the FM-GwG are also met by means of the “Ident. Brief-Verfahren” that has been introduced in Austria. In this variation of non-face-to-face operations, in addition to the conditions already listed in MN 249,

  • in the case of the customer being a legal person, the registered office of the legal person must at the same time also be the registered office of the central administration, and the customer shall be required to provide the obliged entity with a declaration in writing176;
  • a copy of the customer’s, or their legal representative’s, official photo identification document must be submitted to the obliged entity prior to the conclusion of the contract or in the case of the legal person for the natural persons legally authorised to represent them;
  • where the customer is domiciled or resident in a third country, written confirmation to the obliged entity by a credit institution, with which the customer has a permanent business relationship, in which the identity of the customer has been determined and verified within the meaning of the FM-GwG, and confirming that the business relationship is still intact. If the credit institution providing this confirmation is domiciled in a third country, then due diligence and retention obligations must apply in this third country that correspond with those contained in the 4th Anti-Money Laundering Directive. Furthermore, credit institutions in this third country must be subject to supervision with regard to observance of due diligence and retention obligations that correspond to the rules contained in Articles 47 and 48 of the 4th Anti-Money Laundering Directive.

278 Identification and written confirmation by a recognised certification authority177 is also permissible in lieu of identification and confirmation by a credit institution. The obliged entity must check accordingly that the aforementioned conditions are satisfied, document them and present them to the FMA upon request in the course of its supervisory powers.

5.5 First payment made through a reference account

279 Where the first payment to the obliged entity in the context of a business relationship that is being established by way of non-face-to-face operations is made via an account held at a credit institution, prior to the opening of which the identity of the customer has been determined and verified in accordance with the provisions of the FM-GwG or as defined in the rules contained in the 4th Anti-Money Laundering Directive, this also constitutes a potential variant of non-face-to-face operations.178

176 In this declaration, the customer must confirm in writing that the registered office stated towards the obliged entity is also the registered office of the entity’s central administration, i.e. the location at which material decisions are taken with regard to the general management of the entity. 177 See MN 82 et seq. about recognised certification bodies. 178 In the case of providing life insurance this variety of non-face-to-face operations may also be used in conjunction with such cases, in which the identification of the beneficiary is only conducted when the insurance benefit is paid out (cf. also Article 7 para. 4 FM-GwG) and this payment is made into an account as defined in MN 279f.

280 In addition to the conditions already mentioned in MN 249, the account from which the first payment is processed must have been opened at a credit institution that fulfils the requirements of Article 13 FM-GwG for a qualified third party.179

281 Furthermore, copies of the customer’s documents must also be held by the obliged entity and - in the case of representative relationships - of the natural person(s) authorised to represent the customer, on the basis of which the information can be credibly reconstructed.

282 Instead of such copies, the obliged entity may also obtain written confirmation from the credit institution through which the first payment is to be made that confirms and verifies the identity of the customer and - in the case of representative relationships - of the natural person(s) authorised to represent the customer in accordance with the provisions of the FM-GwG or the requirements of the 4th Anti-Money Laundering Directive.

283 The obliged entity must have received the copies of the documents or the confirmation from the credit institution prior to making the first payment.180

179 See MN 14 et seq. about qualified third parties. 180 Arg.: “... through which the first payment is intended to be made …” (Article 6 para. 4 no. 4 second sentence FM-GwG).

6 POINT OF TIME OF APPLICATION OF DUE DILIGENCE OBLIGATIONS

284 From the drafting of due diligence obligations it follows that they are to be observed on an ongoing basis. Article 7 FM-GwG stipulates that the following due diligence obligations must already be applied before a permanent business relationship is established and, in principle,181 before an occasional transaction is carried out:

  • Determination and verification of the customer’s identity (Article 6 para. 1 no. 1 FM-GwG);
  • Determination and verification of the beneficial owner’s identity (Article 6 para. 1 no. 2 FM-GwG);
  • Determination and verification of the identity of the trustor and the trustee (Article 6 para. 1 no. 5 FM-GwG);
  • Assessing and obtaining information on the purpose and intended nature of the business relationship (Article 6 para. 1 no. 3 FM-GwG);
  • Obtaining and checking of information about the source of the funds used (Article 6 para. 1 no. 4 FM-GwG).

6.1 Application of due diligence obligations prior to establishment of a business relationship

285 See MN 24ff above about the term “business relationship”.

286 The due diligence obligations listed in MN 284 must be carried out pursuant to Article 7 para. 1 FM-GwG prior to a business relationship being established. See MN 301ff regarding the consequences for failing to apply due diligence obligations.

287 The identity of a natural person authorised to act as a representative must be determined and verified if that person claims to be authorised to act as a representative (see MN 85ff. on representative relationships).

6.2 Application of due diligence obligations before carrying out an occasional transaction

288 See MN 27ff above about the term “occasional transaction”.

289 The due diligence obligations stated in margin no. 284 must be observed prior to conducting an occasional transaction. Pursuant to Article 7 para. 7 FM-GwG, occasional transactions shall only be allowed to be carried out once all applicable due diligence requirements have been fulfilled.

181 See MN 290ff about the exceptions.

No exceptions, as set out for business relationships and bank accounts in Article 7 para. 2 and para. 3 FM-GwG, apply for occasional transactions.

6.3 Exceptions

290 Pursuant to Article 7 para. 2 FM-GwG, obliged entities are given the option of completing the verification of the identity of the customer, the beneficial owner and the trustor only during the establishment of the business relationship, where doing so is necessary for continuing normal business operations and where a low risk of money laundering or terrorist financing exists. The determination of the identity of the customer, the beneficial owner and the trustor is still required to take place before the business relationship is established. Only the verification of the obtained information may be permitted to take place at a later point in time, but must however be carried out as soon as possible. If obliged entities are unable to obtain suitable documents for the verification of identity, e.g. even during ongoing business operations, or if the customer is unwilling to provide such documents promptly after the business relationship has been initiated, then the business relationship must be terminated again.

291 The obliged entity shall document accordingly why the verification of the identity of a customer, a beneficial owner or a trustor would interfere with the continuation of normal business operations prior to establishing the business relationship. A possible case of application would be e.g. establishing a business relationship to a legal person. Due to a change in the corporate structure that has not yet been entered in the Commercial Register, the obliged entity initially could only determine the beneficial owners on the basis of a self-disclosure by the customer. If the obliged entity otherwise has all the necessary documents and records about the customer - in particular also in order to be able to determine a low risk in this business relationship - then the verification of the identity of the beneficial owners may also take place at a later point in time (for example when the restructuring has been entered in the Commercial Register and once a current excerpt from the Commercial Register is available).

292 For bank accounts - including accounts through which securities transactions may be carried out - it should be noted that these may be opened subject to a condition precedent under Article 7 para. 3 FM-GwG. Therefore, in exceptional cases, the business relationship may already be established even if an obliged person has not yet fully complied with the due diligence requirements (MN 284). In such cases, it must be adequately ensured that the account is blocked for all transactions until the condition is met, i.e. until all due diligence obligations have been fulfilled. It is therefore also not permissible to accept credits for an account prior to the due diligence obligations having been fulfilled.

6.4 Specificities for insurance undertakings

293 Article 7 para. 4 FM-GwG sets out additional due diligence obligations for insurance undertakings towards the beneficiaries of life insurance contracts:
  • The identity of the named beneficiaries or beneficiaries established by legal agreement must be recorded by the insurance undertaking (no. 1).


  • In the case of beneficiaries being designated in the insurance contract by characteristics, class or in some other way, then insurance undertakings shall have to obtain adequate information concerning the beneficiaries to ensure that they will be able to determine the identity of the beneficiary at the time of the pay-out (no. 2).

294 Insurance undertakings shall verify the identity of the beneficiaries accordingly prior to pay-out.

295 In the case that the life insurance contract is either fully or partially taken over by a third party, or the claim from this contract is assigned fully or partially to a third party, then the insurance undertakings shall determine and verify the identity of the new customer or the beneficial owner at the time at which the claims from the contract were assigned to or taken over by the third party.

296 This provision is intended to cover all conceivable constellations of cases in which rights from an insurance contract are transferred to a third party. If the insurance contract is taken over by a third party, the third party acquires the insurance contract (second-hand policy) and thereby becomes a customer of the insurance undertaking. Prior to granting the approval for the transfer of the contract, the insurance undertaking shall identify the new customer accordingly. Where only the claims from the insurance contract are assigned to a third party, then this third party shall become the beneficial owner and must also be identified accordingly.182 This provision does not cover the restriction of transferability and the pledging of rights arising from a life insurance contract. Since such legal instruments are usually used as collateral for loans, it is not necessary to determine and verify the credit-granting credit institution.183

6.5 Specificities of Business Relationships with Trusts or arrangements of a similar nature to a trust

297 Pursuant to Article 11 para. 1 final sentence WiEReG, obliged entities are required to ascertain that they are entered in the Register of Beneficial Owners prior to establishing a business relationship with a trust or arrangement of a similar nature to a trust, or carrying out an occasional transaction for a trust or arrangement of a similar nature to a trust managed from Austria. The verification of the registration must be verifiably documented and submitted to the FMA upon request. If the trust or arrangement of a similar nature to a trust that is managed from Austria is not entered in the Register, then a business relationship shall not be allowed to be established.184

298 Since beneficiaries of trusts and arrangements of a similar nature to a trust are beneficial owners under the WiEReG, they must be identified as such by the obliged entity prior to the business relationship being established or before an occasional transaction is carried out.185 If the

182 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 8. 183 Similarly, in the case of assignments of collateral for the purpose of loan collateralisation, it is not necessary to determine and verify the credit-granting credit institution. 184 See explanatory remarks to the government bill (ErlRV) no. 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 13. 185 See MN 156ff for trusts and MN 159ff for legal arrangements similar to trusts.

individual persons who are the beneficiaries of a trust or legal arrangements similar to trusts have not yet been determined, then the circle of beneficiaries shall be designated in abstract terms. In such cases, the obliged entity must determine and verify the identity of the beneficiary pursuant to Article 7 para. 5 FM-GwG in any case at the time of pay-out or at the time when a beneficiary exercises their acquired rights.

6.6 Application of due diligence obligations to existing customers

299 Pursuant to Article 7 para. 6 FM-GwG, obliged entities are not only required to apply due diligence to all new customers but also, at the appropriate time, to existing customers on a risk-based basis. This shall in particular be the case where the relevant circumstances of a customer change, or where the obliged entity is legally obliged to contact the customer during the course of the current calendar year in relation to the beneficial owner, or where there is a requirement to do so pursuant to Council Directive 2011/16/EU. This was to ensure that obliged entities had sufficient time to implement the measures newly required as of 01.01.2008, which were introduced within the scope of the transposition of the 3rd Money Laundering Directive (this concerned in particular the due diligence obligations regarding the beneficial owner and the purpose and type of the intended business relationship). In particular, the corresponding measures were to be implemented as soon as the obliged entity's own conducting of business permitted it without unreasonable burden for the customer.186 A full year was to be set aside for implementation and establishing contact with the customer at an appropriate time.187 The already existing due diligence obligations were therefore already to be implemented. Accordingly, the provision in Article 7 para. 6 FM-GwG is now intended to give the obliged entities sufficient time to take into account the innovations introduced by the FM-GwG.188

300 The changes in due diligence obligations arising from the FM-GwG must be applied to existing customers in any case where they lead to a change in relevant circumstances. Such relevant circumstances may be, for example: a change in the customer's business activity, a change in the customer's place of residence or registered office, a change in the beneficial owner, a change in the person authorised to dispose of the assets.

6.7 Consequences of failure to apply due diligence obligations

301 In the event that an obliged entity does not or is unable to comply with its due diligence obligations pursuant to Article 6 para. 1 nos. 1 to 5 FM-GwG with regard to the customer, it shall not be allowed to carry out any transaction via a bank account, establish any business relationship or execute any transactions. Existing business relationships must be terminated.

186 See explanatory remarks to the government bill (ErlRV) no. 286 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 23rd legislative period, SP 6. 187 Judgement of the Federal Administrative Court (BVwG) 19.09.2014, W210 2000428-1. 188 For example it is mentioned here that enhanced customer due diligence obligations are also to be applied in the case of business relationships or occasional transactions with Austrian PEPs (MN 343 et seq).

302 Article 7 para. 7 FM-GwG now adds to the constellation of cases in which the obliged entity is not in a position to apply the due diligence obligations (for example, as a result of failure by the customer to provide information) those cases in which the due diligence obligations were not properly applied by the obliged entity for other reasons (for example, as a result of the obliged entity’s failure to obtain information).189

303 In the area of life insurance, no business relationships may be established or transactions carried out as a consequence of the non-application of due diligence obligations towards customers and beneficiaries. In the case of employee severance funds, no transactions shall be allowed to be carried out if the due diligence obligations towards customers are not applied.

304 Transactions shall not be permitted to be executed during the period of time between the termination of the business relationship and it actually ending. It shall therefore only be permitted to transfer the credit balance to the customer once the business relationship has ended (provided the Financial Intelligence Unit (Geldwäschemeldestelle) has not taken action pursuant to Article 17 para. 4 FM-GwG or funds have not been seized pursuant to Article 109 no. 2 and Article 115 para. 1 no. 3 StPO).

305 Obliged entities must implement necessary measures (e.g. technical freezing of accounts) in order to ensure that it is not possible for transactions to be conducted.

306 In conjunction with the termination of existing business relationships, it should be noted that this option must only occur in exploiting the legal options that are available to the obliged entity. Accordingly obliged entities should, where legally permissible, include corresponding clauses about options to terminate business relationships in their contracts.190

307 Where the suspicion arises or there is justified reason to assume that a business relationship or a transaction serves the purpose of money laundering or terrorist financing or that the customer is a member of a terrorist organisation, in addition, a suspicious activity report must be submitted to the Financial Intelligence Unit (Geldwäschemeldestelle).

308 Where, following the submission of a suspicious activity report, the Financial Intelligence Unit (Geldwäschemeldestelle) does not impose any sanctions pursuant to Article 17 para. 3 or pursuant to Article 17 paras. 4 and 5 FM-GwG, then the obliged entity in accordance with Article 7 para. 7 FM-GwG shall nevertheless still not be allowed to establish any business relationship or shall end existing business relationships, where the customer due diligence obligations are not or are unable to take place.

189 In accordance with this extension the breach of duty ceases to exist only once the orderly application of due diligence obligations has been made good, or upon termination of the affected business relationship. 190 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 10.

7 SIMPLIFIED DUE DILIGENCE

309 Article 8 FM-GwG defines the possibility to apply simplified due diligence towards customers in cases where a low risk exists. As a consequence of expanding the risk-based approach in the 4th Anti-Money Laundering Directive, it is now the obliged entities’ responsibility to decide whether they apply simplified due diligence. There is no longer a taxative list, as previously existed in the respective provisions in Article 40a BWG or Article 130 VAG 2016.191

310 Obliged entities shall take decisions regarding the application of simplified due diligence obligations, their scope and in which areas (e.g. for which customers or which products) they are intended to be applied, in the risk assessment to be conducted pursuant to Article 4 FM-GwG. Risks of money laundering and terrorist financing for certain types of customers, geographical areas, particular products, services, transactions or delivery channels shall be assessed for this purpose. The risk variables listed in Annex II of the FM-GwG shall in any case also be taken into account (See MN 65 et seq of the FMA Circular on the Risk Assessment with regard to the individual risk variables).

311 Within the scope of simplified due diligence, obliged entities shall also take into consideration the EBA Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (‘The ML/TF Risk Factors Guidelines’) under Articles 17 and 18(4) of Directive (EU) 2015/849, repealing and replacing the Joint Committee Guidelines JC/2017/37, (The Risk Factors Guidelines, Publication Date 01.03.2021). With regard to the EBA Guidelines see MN 34 above.

312 Pursuant to Article 8 para. 2 and para. 3 FM-GwG, obliged entities must still continue to gather a certain minimum amount of information about customers, for whom simplified due diligence is to be applied, to be able to assess at all, whether simplified due diligence may be applied in the specific case in hand. Therefore in the course of simplified due diligence obligations, under no circumstance may due diligence obligations be waived completely, instead the scope of due diligence obligations may be reduced to an appropriate extent by applying the risk-based approach. In particular, it must be possible to identify such customers using the necessary identification information.192 Furthermore, for such customers, sufficient transaction and business relationship monitoring must be carried out to enable unusual or suspicious transactions to be detected.

313 The identity of the beneficial owner of customers for whom simplified due diligence is applied, must in any case be determined and may as a rule be established by means of a self-disclosure by the customer or the necessary information found in an excerpt from the Register of Beneficial Owners. Similarly the customer’s self-disclosure may also be referred to and used in relation to the collection and checking of information about the origin of the funds used. The information

191 In their respective versions prior to the amendments published in Federal Law Gazette I No. 118/2016.

192 See in this regard MN 52 and MN 54.

about the purpose and nature of the business relationship may generally be derived within the scope of simplified due diligence from the selected product.

314 Pursuant to Article 8 para. 4 FM-GwG obliged entities shall be required to retain sufficient information to be able to demonstrate that the conditions for the application of simplified due diligence are met. Obliged entities are therefore required to hold sufficient documentation to be able to prove to the FMA that there is only a low risk of money laundering and terrorist financing for certain areas.

315 Furthermore, obliged entities must also adequately document that the conditions for the application of simplified due diligence are met on an ongoing basis and not just at the point in time of establishing a business relationship, in order to be able to prove this towards the FMA. Control activities must also be taken at regular intervals to be able to check that the conditions are continually met on an ongoing basis.

316 The FMA may define areas where a low risk exists by means of Regulations pursuant to Article 8 para. 5 FM-GwG. This information may arise from the national risk assessment or where the FMA determines there to be a low risk. The following FMA Regulations currently exist in this regard:

  • Life Insurance Due Diligence Regulation (LV-SoV; Lebensversicherungs-Sorgfaltspflichtenverordnung; published in Federal Law Gazette II No. 1/2017);
  • School Savings Schemes Due Diligence Regulation (Schulsparen-SoV; Schulsparen-Sorgfaltspflichtverordnung; published in Federal Law Gazette II No. 2/2017);
  • Regulation of the Financial Market Authority (FMA) concerning the identification of members of savings associations (SpVV; Sparvereinverordnung; published in Federal Law Gazette II No. 62/2015 as amended in Federal Law Gazette II No. 3/2017);
  • Corporate Provision Funds Risk Analysis and Due Diligence Regulation (BVK-RiSoV; BVK-Risikoanalyse- und Sorgfaltspflichtenverordnung; published in Federal Law Gazette II No. 4/2017);
  • Regulation on Due Diligence for Fiduciary Accounts (AndKo-SoV; Anderkonten-Sorgfaltspflichtenverordnung; published in Federal Law Gazette II No. 7/2017).

317 Article 8 para. 6 FM-GwG contains simplifications for certain types of domestic money transfers. Where the following conditions are met, the Transfer of Funds Regulation does not apply. Domestic transfers of funds to a payee account permitting payments for the provision of goods or services are excluded from the scope of application of this Regulation, if:

  • the payment service provider of the payee is subject to the obligations set forth in the 4th Anti-Money Laundering Directive (no. 1),
  • the payee’s payment service provider is able through the payee using a reference number relating to the customer to trace the transfer of funds to the natural or legal person who has made an agreement with the payee for the provision of goods and services (no. 2), and
  • the amount being transferred is EUR 1 000 or less (no. 3).

8 ENHANCED DUE DILIGENCE

8.1 Preliminary remarks

318 Article 9 FM-GwG is to be understood as the general standard for the enhanced customer due diligence obligations defined in Articles 9 to 12 FM-GwG. This provision defines the framework within which the special standards defined in Articles 10 to 12 FM-GwG are found, while Article 9 FM-GwG also acts as a catch-all for those cases of application of enhanced customer due diligence that do not fall within the scope of Articles 10 to 12 FM-GwG. By so doing, the risk-based approach is also taken into consideration, with the objective of adequately addressing and mitigating the risks.

319 Obliged entities shall analyse the reasons for measures being taken with regard to enhanced customer due diligence. This analysis process should be conducted in written form for this purpose and be conducted within the risk assessment pursuant to Article 4 FM-GwG. Furthermore, clear and unambiguous conduct rules in the form of operating procedures (for employees) are to be drawn up by the obliged entity, and these must be proven to have been brought to the attention of all (relevant) employees. Operating procedures that are not documented in written form – which therefore are only “established practice” – cannot be considered to be appropriate risk-based procedures.¹⁹³

320 In the same way as in the application of simplified due diligence obligations, obliged entities are also required in the application of enhanced due diligence obligations to take into account the EBA Guidelines on Risk Factors as well as the Guidance published by the FATF on the area of virtual currencies including the risk factors, for example, about “unhosted wallets”, anonymous virtual currencies, “peer-to-peer transactions” etc. (cf. MN 311).

8.2 High-risk third countries

321 Firstly, Article 9 para. 1 and Article 9a FM-GwG specifically cover the case of natural or legal persons who are resident in third countries identified as high-risk countries. This relates to the countries listed in the annex to Delegated Regulation (EU) 2016/1675¹⁹⁴ (high-risk countries).

322 The FM-GwG does not focus exclusively on whether the customer has their (residential) domicile in a high-risk country. Instead all business relationships and (occasional) transactions with a link to a high-risk country fall within this provision’s scope. This means that where the customer, the person authorised to represent the customer, the beneficial owner or the trustor has their (residential) domicile in a high-risk country, then enhanced customer due diligence shall be applied to this business relationship. Furthermore, the obliged entity’s customers are also in

193 In relation to business relationships with politically exposed persons (cf. MN 343 et seq regarding PEPs) see the ruling of the Federal Administrative Court (BVwG) of 21.07.2016, W148 2113453-1.

194 Commission Delegated Regulation (EU) 2016/1675 of 14 July 2016 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council by identifying high-risk third countries with strategic deficiencies, as amended.

scope irrespective of their place of residence, where conducting (occasional) transactions (either incoming or outgoing ones) involving a high-risk country.¹⁹⁵

323 In relation to high-risk countries it is not absolutely necessary to stop and check the plausibility of all transactions on an “ex ante” basis. Stopping a transaction in order to conduct an “ex ante” review may however be justified in individual cases or on an ad hoc basis.

324 Obliged entities may¹⁹⁶, in the case of transactions involving a high-risk country (either incoming or outgoing), also conduct “ex post” monitoring by automated means on an ongoing basis using appropriate checking rules and thresholds, provided the increased risk is controlled and mitigated by additional measures. Checking rules and thresholds must be individually set by every obliged entity and be evaluated during the course of the annual review of the risk assessment with regard to their adequacy. An additional measure as referred to above may be to analyse all transactions involving a high-risk country on at least a quarterly basis¹⁹⁷, including an investigation of this analysis for anomalies. Where anomalies are discovered, a more in-depth check is to be conducted, and checks made whether a suspicious activity report pursuant to Article 16 FM-GwG is needed.

325 Commercial customers may be excluded from the aforementioned additional measures (“white listed”) based on their operational activity in a high-risk country once the obliged entity has conducted the necessary review and plausibility checking, and be monitored on an ongoing basis using the obliged entity’s prescribed measures in accordance with their risk classification.

326 The individual justification for the checking rules, thresholds and additional measures that an obliged entity sets in relation to the aforementioned approach must be described and illustrated in the risk assessment and in additional procedures accordingly.

327 Classifying a customer as belonging to the increased risk class exclusively as a result of the circumstance that transactions involving a high-risk country are conducted on an isolated basis is not absolutely necessary for every individual case in hand. However, it is necessary to check whether increased risks of money laundering or terrorist financing exist on the basis of the transactional behaviour. In such cases, enhanced customer due diligence shall apply to this business relationship. The obliged entity shall be required to document the checking steps taken.

8.3 High risk based on the obliged entity’s own risk assessment

328 Article 9 para. 1 FM-GwG also covers the case of an obliged entity reaching the conclusion that an increased risk of money laundering and terrorist financing exists based on its own risk assessment conducted pursuant to Article 4 FM-GwG. This assessment shall consider the risk factors listed in Article 9 para. 1 final sentence FM-GwG and Annex III. Furthermore, obliged

195 See also Article 18a of Directive (EU) 2018/843.

196 The following approach is an alternative for the case that an obliged entity individually confirms the plausibility of all transactions in which there is a link to a high-risk country, by means of (manual) measures.

197 Such an analysis is to be conducted on the basis of criteria that are to be individually determined by every obliged entity.

entities must also take into account the Joint Guidelines published by the European Supervisory Authorities (see the FMA Circular on the Risk Assessment MN 31 et seq.).¹⁹⁸

329 As already stated in MN 246ff, in Austria not being physically present to show an official photo identification document may only be overcome by means of one of the safeguards on a taxative list. A business relationship is not able to be established by way of non-face-to-face operations without recourse to one of the stipulated safeguards. However, the circumstance that the business relationship was established by non-face-to-face operations does not constitute a factor exclusively in its own right to assume that increased risk exists.¹⁹⁹

330 Obliged entities are required in this regard to also consider whether a link to an offshore country exists in the case of a business relationship or occasional transaction (e.g. because the customer or a company within the customer’s ownership structure is domiciled in an offshore country or because transactions are conducted to such countries).²⁰⁰ However, this does not necessarily mean that such business relationships must be listed in an increased risk category (e.g. a natural person resident in an offshore country does not necessarily have to be listed as a high-risk customer, where no additional factors exist to suggest an increased risk).

331 If the customer is a legal person in the form of a private foundation, this circumstance alone does not as a rule lead in every case to the obligation to classify this customer in an increased risk category. Instead, it is a risk factor to be considered accordingly in the course of the customer’s risk classification pursuant to Article 6 para. 5 FM-GwG (see also the FMA Circular on Risk Assessment).

8.4 Branches, branch establishments or subsidiaries domiciled in high-risk countries

332 In branches, branch establishments or subsidiaries of the obliged entity that are domiciled in a high-risk country (MN 321), pursuant to Article 9 para. 2 FM-GwG enhanced customer due diligence is not automatically required to be applied, provided that the branches, branch establishments or subsidiaries adhere without restrictions to the strategies and procedures to be applied on a group-wide basis pursuant to Article 24 FM-GwG²⁰¹. Obliged entities shall assess whether the application of enhanced customer due diligence is necessary in a risk-based manner.

8.5 Correspondent banking relationships

333 Article 2 no. 5 FM-GwG defines what is understood by a “correspondent banking relationship”. On the one hand, it includes the provision of banking services by one bank as the correspondent bank for another credit institution as the respondent institution (lit. a). On the other hand, it also

198 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 10.

199 Cf. in contrast Annex III no. 2 lit. c.

200 For further detail, see the FMA Circular on Risk Assessment.

201 See the FMA Circular on Internal Organisation.

covers relationships both between and among credit institutions and financial institutions, where similar services are provided by a correspondent institution for a respondent institution (lit. b).²⁰² In both cases, the respondent institution must enter into a business relationship²⁰³ with the correspondent bank or the correspondent institution. However, correspondent banking relationships do not cover one-off transactions, the mere exchange of “SWIFT Relationship Management Application Keys (RMA)”, or business relationships in relation to loan-based financing, letters of credit or guarantees.

334 Since the form of services provided within the scope of correspondent banking relationships may vary widely, Article 2 no. 5 FM-GwG only states examples of services that are in any case covered. They include, among other things, the provision of current accounts or liability accounts and related services, such as cash management (in particular for liquidity management), international funds transfers or cheque clearing, as well as services in relation to payable-through accounts and foreign exchange services. Furthermore, relationships are also included that are established for securities transactions or funds transfers.

335 In the case of respondent institutions domiciled in Member States, enhanced customer due diligence requirements are not mandatory.²⁰⁴ However, they should be applied, this notwithstanding, under Article 9 FM-GwG when the obliged entity arrives at the conclusion based on its risk assessment that an increased risk exists.

336 In the case of respondent institutions in third countries, due diligence obligations to be observed pursuant to Article 10 nos. 1 to 5 FM-GwG extend beyond the general due diligence obligations set out in Article 6 FM-GwG.

337 The following information may be included in the information to be gathered about the respondent institution pursuant to Article 10 no. 1 FM-GwG:

  • Information about the country in which it is established and its supervisory regime. In this regard, the criteria relating to geographical risk, as presented in Chapter 4.1.3.3 and 4.1.4.3 of the FMA Circular on Risk Assessment are applicable;
  • Information about owners and bodies including the ownership and control structure and management structure. In this case, for example, whether politically exposed persons (PEPs) hold shares in the respondent institution, or exercise control over it should be identified;
  • Information about business activities and customer structure. In doing so, it should be ensured that a respondent institution does not conduct any relationships and transactions with shell banks.

202 Therefore not only credit institutions as defined in Article 2 no. 1 FM-GwG, but also all financial institutions as defined in Article 2 no. 2 FM-GwG are covered. The provisions on correspondent banking relationships therefore apply directly, where applicable, to all obliged entities under the FM-GwG.

203 It must be a business relationship as defined in Article 2 no. 10 FM-GwG. Therefore, when the contract is established, it must be assumed that the business relationship will have a certain degree of permanence.

204 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period. GP 10.

338 The procedure for gathering information about the nature and scope shall be established in such a manner that the obliged entity (correspondent institution) fully understands the respondent institution’s business activities and is able to convince itself of the respondent institution’s reputation and the quality of supervision based on the available information. Much of this information may be requested using a questionnaire to be filled out by the respondent institution in question. This information must nevertheless be checked, in terms of its correctness, by also conducting independent research. This can be done, for example, by scrutinising the respondent institution’s company reports and official measures, e.g. inspection reports by the competent supervisory authority; results from independently conducted research (including from on-site visits) may also be applied. Within the scope of this information gathering exercise, obliged entities may also make use of databases that are recognised in international trade or other platforms for storing or exchanging information and documents made available by specialised providers. In this case, the obliged entity retains ultimate responsibility for observance of due diligence requirements.

339 To convince itself about the adequacy of the respondent institution’s controls for anti-money laundering and countering the financing of terrorism (Article 10 no. 2 FM-GwG), the obliged entity must ascertain that the respondent institution takes adequate measures to ensure the observance of due diligence obligations, that it has conducted and documented an appropriate risk assessment at company level, has adequate personnel resources to ensure that the due diligence obligations and additional measures are duly observed, and that staff members complete relevant training and ongoing training programmes.

340 The approval of the senior management (Article 2 no. 9 FM-GwG) must be obtained (Article 10 no. 3 FM-GwG) prior to entering into a new correspondent banking relationship.

341 Documentation of the respective responsibilities of each and every involved institution should be in written form for evidence purposes (Article 10 no. 4 FM-GwG).

342 Finally, in the case of “payable-through accounts”, the obliged entity is required to ascertain pursuant to Article 10 no. 5 FM-GwG that the respondent institution has verified the identity of the customers that have direct access to the respondent institution’s accounts and subjects these customers to continuous monitoring. Furthermore, the respondent institution must also be in the position to submit the relevant data regarding these customer due diligence obligations to the obliged entity at the latter’s request.

8.6 Transactions and business relationships with politically exposed persons (PEPs)

343 Transactions and business relationships with politically exposed persons (hereafter: PEPs) are subject to the following compulsory enhanced customer due diligence obligations.

344 Generally PEPs pursuant to Article 2 no. 6 FM-GwG are natural persons holding, or having held up to at least twelve months ago, an important official office or role within the European Union or internationally (known as “inherent PEPs”). Ultimately the position performed by the person

is the most important criterion for classification as a politically exposed person or the office that they hold under the aspect that this function or this office is associated with a corresponding level of influence. To guarantee a uniform application, lits. a to h list those categories of domestic politically exposed persons that are in any case to be subsumed under the definition. In addition, it may also be necessary in specific cases to classify additional categories of persons as being politically exposed.²⁰⁵

345 The term “ambassadors” listed in Article 2 no. 6 lit. f FM-GwG covers anyone bearing the title “ambassador” abroad (from the perspective of the respective sending state) and who actually performs this function. This term does not cover those persons who bear the title of Ambassador but who do not perform this function. The term “chargés d'affaires” shall also cover professional consuls, provided that they have been authorised to perform diplomatic official duties (in a representative capacity for a certain term). In this case, only such persons are in scope who have been authorised to perform diplomatic official acts, because for example an embassy is (permanently) not staffed with an ambassador, or where the ambassador is incapacitated from performing his/her duties. Persons who only perform representative activities on a temporary basis (e.g. as holiday cover) are not captured.²⁰⁶

346 Persons with a medium or lower rank are not captured by the PEP definition under Article 2 no. 6 FM-GwG.

347 The provisions of Article 11 para. 1 FM-GwG shall also apply to immediate family members (Article 2 no. 7 FM-GwG) of PEPs or persons known to be close associates of PEPs (Article 2 no. 8 FM-GwG). Regarding qualification as persons known to be close associates as defined in Article 2 no. 8 lit. e first case FM-GwG, it should be assumed that such persons, in addition to being a PEP, are also the beneficial owner of the same legal person or legal arrangement. The term “family members” in this case covers the spouse, persons of comparable standing to the spouse, and the partners (as defined in Article 72 para. 2 StGB) of PEPs (Article 2 no. 7 lit. a FM-GwG), the children (including adoptive and foster children) and children-in-law²⁰⁷ of PEPs (lit. b leg. cit.) as well as the parents of PEPs (lit. c leg. cit.). Enhanced customer due diligence obligations shall apply for such persons for the same temporal scope as for PEPs themselves (i.e. for at least 12 months following ceasing to perform the important public office). Irrespective of that fact, the application of enhanced customer due diligence in the case of business relationships with a former politically exposed person shall also be required over and beyond the twelve month limit, provided that the person presents a high risk. Where persons only become PEPs during the course of business relationships, the measures listed in Article 11 FM-GwG shall apply without delay once this becomes known.²⁰⁸

205 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 3.

206 Members of the management bodies of central banks for example are considered as politically exposed persons (PEPs) pursuant to Article 2 no. 6 lit. e FM-GwG. In Austria this refers to the members of the Governing Board of the Oesterreichische Nationalbank, but not to the members of the General Council and the General Meeting.

207 Stepchildren are not covered.

208 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period. GP 10.

348 Obliged entities must have adequate risk management systems, including risk-based procedures, that allow them, prior to the establishment of the business relationship or prior to the conducting of an occasional transaction, to determine whether customers, beneficial owners of customers or trustors of the customer are PEPs (Article 11 para. 1 no. 1 FM-GwG). A political exposure check for a person should only be necessary for the persons explicitly named in the FM-GwG. It is therefore generally not necessary to check whether an authorised representative of the customer is politically exposed, provided that they are not simultaneously also the customer’s beneficial owner.²⁰⁹

349 With regard to adequate risk management systems, it is not sufficient to rely on the customer’s self-declaration that they are (not) a PEP. Instead obliged entities should already critically review the self-declaration by means of an objective and adequate procedure for its correctness prior to the establishment of the business relationship. Automated checking against PEP databases is necessary once a certain number of customers is exceeded.²¹⁰

350 In the area of corporate provision fund business pursuant to Article 1 para. 1 no. 21 BWG, there is only a low risk of money laundering and terrorist financing on the basis of the restricted business model (Article 2 para. 1 Corporate Provision Funds Risk Analysis and Due Diligence Regulation (BVK-RiSoV; BVK-Risikoanalyse- und Sorgfaltspflichtenverordnung)). Corporate provision fund business also contains certain specificities, which further reduce such risk considerably.²¹¹ Therefore obliged entities that are corporate provision funds may dispense with PEP checking systems (supported by automated means). It suffices if manual checking measures are performed on an ad hoc basis, for the case that a business relationship is intended to be established directly with an entitled beneficiary.

351 Approval by the senior management (Article 2 no. 9 FM-GwG) must be obtained prior to the establishment or continuation of the business relationship to a politically exposed person as defined in Article 2 no. 6 FM-GwG. In this case the approval must not necessarily be granted by the management board. The approval shall be granted by the manager who is able to assess the increased risk in relation to the business relationship and reaches their decision based on detailed information.²¹²

352 Obliged entities shall take appropriate measures to determine the origin of assets and the origin of funds that are used during the business relationship or the transaction involving a politically exposed person and shall subject the business relationship to an enhanced ongoing monitoring.

353 All customers who are either Austrian PEPs or foreign PEPs shall be classified in the increased risk class. This shall also apply where a PEP is the customer’s beneficial owner or trustor.²¹³

354 The scope of enhanced customer due diligence obligations may be designed differently in accordance with the risk-based approach depending on the case of application. Therefore, as a

209 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 10.

210 In this case also BVwG 21.07.2016, W148 2113453-1.

211 See in detail the explanatory remarks to the Regulation published in Federal Law Gazette II No. 4/2017, point 1.

212 The Risk Factors Guidelines MN 52.

213 On the other hand, this shall not apply where the person authorised to represent the customer is a PEP.

result, different grades shall be permissible within the enhanced customer due diligence. For example, different intervals for updating the information, data and documents relating to the customer pursuant to Article 6 para. 1 no. 7 FM-GwG may apply for Austrian and foreign PEPs. In any case with regard to business relationships with PEPs it must be ensured that the measures listed in Article 11 para. 1 FM-GwG are observed in all cases.

355 For the duration of their ongoing business relationship, all existing customers are to be checked at appropriate regular intervals for whether any PEP characteristic exists, since it is possible for persons to also only become PEPs following the establishment of the business relationship. Since the FM-GwG assumes that a PEP characteristic is considered to exist immediately from the point in time when the performance of an important public office is started, from the FMA’s perspective at least a quarterly monitoring period is necessary, during which time the customer base must be reviewed for the presence of any (new) PEPs.²¹⁴ Where existing customers only fulfil the definition of a PEP following having established the business relationship, approval must be obtained from the senior management to continue the business relationship without delay, and enhanced customer due diligence shall be applied to this business relationship without delay.

356 In the case of state-owned companies pursuant to Article 2 no. 6 lit. g FM-GwG the members of the administrative body, management body or supervisory body are also considered as PEPs. Based on the subsidiarity rule set forth in WiEReG (cf. MN 147) these natural persons may also be the beneficial owners of the state-owned company. In such a constellation, the measures set out in Article 11 para. 1 FM-GwG are to be applied in full in relation to the business relationships to those natural persons that are ex lege PEPs. With regard to the business relationship to the state-owned company, under Article 11 para. 1 no. 1 FM-GwG, obliged entities must ensure that they recognise whether the beneficial owner is a PEP. Where in such a business relationship the beneficial owner becomes apparent by applying the rule of subsidiarity and where the PEP characteristic is derived exclusively from exercising a function in a state-owned company, then it is not mandatory to apply the measures set out in Article 11 para. 1 no. 2 FM-GwG. The characteristic of being a customer in this instance constitutes a potentially low risk.²¹⁵ Classifying the business relationship to the state-owned company in an appropriate risk category and therefore the decision on the scope of the due diligence obligations to be applied must be taken by the obliged entity based on the customer risk assessment that must be conducted.

357 In the case of ownerless companies (especially in the case of associations), provided that all possibilities have been exhausted, where no-one was able to be identified in accordance with Article 2 no. 1 lit. a WiEReG, the official representatives (see also MN 149) shall be considered to be beneficial owners based on the presumption rule set forth in Article 2 no. 1 lit. b sublit. cc WiEReG. Where a beneficial owner identified in this manner is an Austrian PEP, then the measures prescribed in Article 11 para. 1 no. 2 FM-GwG shall not apply to the business relationship to this association. Where no other apparent risk factors exist that indicate there to be an increased risk, enhanced due diligence obligations shall not be applied to this business

214 The Federal Administrative Court (BVwG) rejected a monitoring period of one year in this regard, and instead considering a review interval of one month to be appropriate; BVwG 19.09.2014, W210 2000428-1. 215 No. 1 lit. b of Annex II to the FM-GwG; see also the FMA Circular on Risk Assessment MN 67ff.

CIRCULAR ON DUE DILIGENCE OBLIGATIONS PAGE 92 relationship. Since under Article 11 para. 4 FM-GwG the regulations set forth in paras. 1-3 of that Article also apply for immediate family members or close associates of PEPs, this provision also applies to these persons, where they belong to the top management level of an association, and where they are also persons based domestically. The measures prescribed in Article 11 para. 1 no. 2 FM-GwG shall not be applied in the case of an association, when a beneficial owner it is the family member of a PEP based in Austria, or a close associate of the PEP based in Austria. In addition, in such cases the measures stated in Article 11 para. 1 no. 2 FM-GwG also shall not apply to the other members of the top management level of the association. 358 The exception stated in MN 357 does not apply for business relationships to commercial and industrial cooperative societies (Erwerbs- und Wirtschaftsgenossenschaften) (cf. Article 2 no. 1 lit. b sublit. bb WiEReG). The directors of commercial and industrial cooperatives active in a voluntary capacity do not have any influence on the business policy of the cooperative society, under application of the presumption rule set forth in Article 2 no. 1 lit. b sublit. bb WiEReG, and therefore only the executive directors are entered as beneficial owners into the Register of Beneficial Owners. Where directors in a voluntary capacity are Austrian PEPs, the measures prescribed in Article 11 para. 1 no. 2 FM-GwG shall not apply to the business relationship to this cooperative society.216 359 In addition, pursuant to Article 11 para. 2 FM-GwG insurance undertakings shall take appropriate measures to determine whether the beneficiary of a life insurance contract or other insurance contract held for investment purposes is a politically exposed person. Where the beneficiary is a legal person such measures shall also apply to the beneficial owner of the beneficiary. 
The determining of any PEP characteristic shall occur at latest prior to pay-out or the time of the full or partial surrender of the insurance contract. In the event of a PEP characteristic existing then the entire business relationship with the insurance policyholder is to be subjected to enhanced scrutiny and the senior management informed prior to pay-out. 8.7 Inadmissible business relationships and measures for non￾cooperative countries and territories 360 Pursuant to Article 12 para. 1 FM-GwG obliged entities shall not be allowed to have a correspondent banking relationship with a shell bank. Any such ongoing correspondent banking relationships must be ended. Using appropriate measures, obliged entities must ensure that such correspondent banking relationships are not entered into or are discontinued. 361 Obliged entities are prohibited pursuant to Article 12 para. 2 FM-GwG from managing anonymous accounts or receiving anonymous savings deposits. 362 Where non-cooperative states are named in a Regulation issued by the Federal Government in agreement with the Main Committee of the National Council, then obliged entities shall take the measures listed in Article 12 para. 4 FM-GwG.

216 Amendment 222 to government bill 1660 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 2.

9 REGISTRATION OF VIRTUAL ASSET SERVICE PROVIDERS

9.1 Conditions for the obligation to register

363 Pursuant to Article 32a FM-GwG, obliged entities pursuant to Article 1 para. 1 FM-GwG intending to provide one or more of the services defined in Article 2 no. 22 FM-GwG in connection with virtual currencies pursuant to Article 2 no. 21 FM-GwG217 on a commercial basis domestically (i.e. with place of residence/domicile in Austria), or offer the service from Austria, are required under Article 32a para. 1 FM-GwG to apply for a registration from the FMA beforehand.

364 Article 2 no. 21 FM-GwG defines a virtual currency as: “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically.”

365 The European legislator consciously worded this definition broadly to cover all potential purposes, i.e. in addition to use as a payment instrument also use as a means of exchange, as an investment, as a product for retention of value, or in online casinos. “Local currencies” or “supplementary currencies” that are only used in a limited environment (e.g. within a city, region, a restricted online gaming environment etc.)218 or are only used by a low number of users are excluded from the definition.

366 In transposing Directive (EU) 2018/843 (5th Anti-Money Laundering Directive) in Article 2 no. 22 lit. a) to lit. e) FM-GwG, Austria has also already taken into account the FATF’s adapted recommendations219 and has defined the following services that are required to be registered:

  a) services to safeguard private cryptographic keys, to hold, store and transfer virtual currencies on behalf of a customer (custodian wallet providers);
  b) exchanging of virtual currencies into fiat currencies and vice versa;
  c) exchanging of one or more virtual currencies between one another;
  d) transferring of virtual currencies between two or several wallet addresses;
  e) the provision of financial services for the issuance and selling of virtual currencies. In connection with an “Initial Coin Offering” (ICO) or an “Initial Token Offering” (ITO) this for example covers those service providers who perform supporting activities in connection with the issue, the offer, the sale, distribution, trading etc. including market making etc.

217 As defined in Article 2 of the Value Added Tax Act (UStG; Umsatzsteuergesetz).
218 Cf. explanatory remarks to the government bill (ErlRV) no. 137 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 3 and recitals 10 and 11 to Directive (EU) 2018/843.
219 Government bill (RV) no. 137 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 26th legislative period, 2.

More detailed explanations on the scope of the individual services can be found in the “FATF Draft updated Guidance for a risk-based approach to virtual assets and VASPs” (October 2021).

367 Natural and legal persons that actively offer or provide one or more of the services listed in Article 2 no. 22 FM-GwG that are domiciled or headquartered in a foreign country (domestic link) are also required to register. For a domestic link to exist, the initiative for concluding a contract must originate from the natural or legal person that actively offers or provides the services pursuant to Article 2 no. 22 FM-GwG in Austria. In contrast, active provision of the service domestically is not assumed where, for example, persons resident in Austria make use of such services on their own initiative.

368 Offering a service pursuant to Article 2 no. 22 FM-GwG without a registration constitutes an administrative offence and shall be punished by the FMA pursuant to Article 34 para. 34 FM-GwG with a fine of up to EUR 200 000.

9.2 Registration application pursuant to Article 32a para. 1 FM-GwG

369 Prior to offering and taking up services pursuant to Article 2 no. 2 FM-GwG, virtual asset service providers are required to submit a registration application to the FMA electronically via the e-mail address reg.virtuellewaehrungen@fma.gv.at or by post. Depending on whether the applicant is a natural or legal person, the application must contain the following documents and information pursuant to Art. 32a para. 1 FM-GwG.

370 For natural persons as providers

  • Forename and surname, date and place of birth of the provider including a copy of an official photo identification document;
  • Registration numbers from identification registers (e.g. Commercial Register (Firmenbuch) number);
  • Place of incorporation (residence) of the provider as well as an e-mail address and telephone number;
  • A current excerpt of a judicial record (not older than six weeks) of the provider or an equivalent foreign document;
  • Description of the business model including the precise details about which services listed in Article 2 no. 22 FM-GwG are being applied for. The respective service applied for must be presented in detail in the form of a workflow procedure containing the information about which companies are involved in the process, what tasks they perform, who is in a contractual relationship with whom, how the transfer between fiat money and virtual currencies is handled as well as which virtual currencies are covered (with delineation between crypto currencies and tokens including the functional design of the tokens). Furthermore, details should also be provided about the start of planned business activities or existing business activities.

  • Description of the internal control system and the planned strategies and procedures to meet the requirements set out in Regulation (EU) 2015/847 (“Transfer of Funds Regulation”) taking into account the requirements in FATF Recommendation 16 (“travel rule”220), including details about the person that will take over the role of the Anti-Money-Laundering Officer, consisting of information and proof with regard to the expertise and qualification for performing the position as well as proof of personal reputation (curriculum vitae, references, excerpt of a judicial record etc.).
  • Proof of the internal “Fit & Proper Assessment” having been conducted (see FMA Circular on Internal Organisation, Publication Date: February 2022)

371 For legal persons as service providers

  • Information about the undertaking (especially the company name, registered office, business address, e-mail address and telephone number, registration numbers from identification registers (e.g. Commercial Register (Firmenbuch) number));
  • Up-to-date excerpt from the Commercial Register or an equivalent excerpt from a public register/database excerpt (no older than six weeks) for the provider;
  • Forename and surname, date and place of birth of the director(s) including copies of official photo identification documents;
  • Forename and surname, date and place of birth of the beneficial owner(s) pursuant to Article 4 (1) point 36 of Regulation (EU) No 575/2013 (CRR) (holder of a qualifying holding) including copies of an official photo identification document of the beneficial owner(s);
  • An up-to-date (no older than six weeks) excerpt of a judicial record of the director(s) as well as the beneficial owner(s) pursuant to Article 4 (1) point 36 of Regulation (EU) No 575/2013 (holder of a qualifying holding);
  • A depiction of the ownership and control structure of the service provider in the form of an organisation chart including information about the level of the participation held by the beneficial owner(s) pursuant to Article 4 (1) point 36 of Regulation (EU) No 575/2013;
  • Description of the business model including the precise details about the services listed in Article 2 no. 22 FM-GwG for which an application is being made. The respective service being applied for must be presented in detail in the form of a workflow procedure containing information about which companies are involved in the process, the tasks they perform, who is in a contractual relationship with whom, how transfers between fiat money and virtual currencies are handled and which virtual currencies are covered (with a delineation between crypto currencies and tokens including the functional design of the tokens). Furthermore, details should also be provided about proposed commencement of planned business activities or existing business activities.

220 Para 7b of Interpretive Note [INR] 15

  • A description of the internal control system and the planned strategies and procedures to meet the requirements set out in the FM-GwG and Regulation (EU) 2015/847 (“Transfer of Funds Regulation”) taking into account the requirements in FATF Recommendation 16 (“travel rule”221), including details about the person taking over the role of the Anti-Money-Laundering Officer, consisting of information and proof regarding their expertise and qualification for performing the position and proof of personal reputation (curriculum vitae, references, excerpt of a judicial record etc.).
  • Proof that the internal “Fit & Proper Assessment” has been conducted (see FMA Circular on Internal Organisation, Publication Date: February 2022)

372 In relation to the respective business model and the types of virtual currencies involved, the description of the internal control system must state how it is ensured that nationally applicable provisions on the prevention of money laundering and terrorist financing are observed, by means of specific processes, procedures, systems and controls.

373 Foreign documents (e.g. excerpts from registers, memoranda of association etc.) must be submitted as certified translations (in German or English).

374 During the registration procedure, the FMA may request further information and documentation, especially about the description of the business model and the description of the internal control system for the prevention of money laundering and terrorist financing, and may conduct a Fit and Proper Test with the Anti-Money-Laundering Officer or management body named in the application.

375 Where the FMA has grounds to believe from the details submitted during the registration procedure or based on observations under supervisory law that the requirements set out in the FM-GwG, the Transfer of Funds Regulation or FATF Recommendation 16 may not be fulfilled, or where it has doubts about the personal reputation of the director(s), the natural person that holds a qualifying holding or the natural person intending to be active as a service provider pursuant to Article 2 no. 22 FM-GwG, then the FMA shall not undertake the registration.

376 A processing fee is charged for the registration of providers in relation to virtual currencies pursuant to Article 32a FM-GwG. The fee is EUR 3,000.222 The notification about the registration having been performed shall be made as an administrative decision. In accordance with Article 32a para. 4 FM-GwG, the registration will be published and updated in the Company Database on the FMA website.

377 Virtual asset service providers shall pay a contribution towards supervision costs to the FMA annually pursuant to the FMA Regulation on Costs223 (FMA-KVO; FMA-Kostenverordnung).

221 Para 7b of Interpretive Note [INR] 15
222 Regulation of the Financial Market Authority on the fees for financial market supervision (FMA-GebV; FMA-Gebührenverordnung) published in Federal Law Gazette II No. 230/2004 in the version amended in Federal Law Gazette II No. 352/2019.
223 Regulation of the Financial Market Authority (FMA) on the costs of Financial Market Supervision (FMA KVO 2016; FMA-Kostenverordnung 2016) published in Federal Law Gazette II No. 419/2015 as amended.

9.3 Notification of Amendments under Article 32a para. 3 FM-GwG

378 Under Article 32a para. 3 FM-GwG, registered virtual asset service providers are required to notify the FMA without delay about changes in the details listed in Article 32a para. 1 FM-GwG. The notification should be explicitly designated as such and should be submitted by e-mail (to reg.virtuellewaehrungen@fma.gv.at) or by post.

379 Depending on the type of amendment, or which of the details listed in Article 32a para. 1 it relates to, the point in time from when a notification is required to be made without delay varies. “Without delay” in any case means without unnecessary delay or without “culpable delay”. Depending on the type of change, this means that the notification of any amendment must be made without delay from the point in time where knowledge is obtained about the amendment, or at the latest where amendments become legally valid (e.g. when they are entered into registers and directories e.g. the Commercial Register (Firmenbuch) etc.) or have been passed by resolution or approved (e.g. in the case of changes to the business model or the strategies and procedures about the prevention of money laundering and terrorist financing by means of a resolution by the partners etc.).

380 The notification of amendment must precisely define the specific amendment it relates to, and when this is approved, implemented or has entered into legal effect. Where amendments are made to existing text passages, forms etc. such changes must be marked accordingly in a recognisable manner for the purpose of transparency.

381 In any case, the following amendments are required to be brought to the FMA’s attention by means of a notification of amendment:

  • Changes relating to natural or legal persons (e.g. company name, legal form of the company, company address etc.);
  • Changes within the management body or in the identity of the Chief Executive Officer;
  • Changes in the ownership and control structure regarding the type and extent of the qualifying holding pursuant to Article 4 (1) (36) of Regulation (EU) No 575/2013 including the persons holding a qualifying holding in the virtual asset service provider;
  • Material changes in the business model (especially changes in the services listed pursuant to Article 2 no. 22 lits. a to e FM-GwG).

382 In the case of the aforementioned changes, another review and registration requirement may arise. In such cases, the notification must be made prior to such changes being implemented, and implementation should only take place following the response by the authority.

10 ANNEX

10.1 Literature224

  • Directive (EU) 2015/849 of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (“4th Anti-Money Laundering Directive”).
  • Directive (EU) 2018/843 of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (“5th Anti-Money Laundering Directive”).
  • European Commission, Report from the Commission to the European Parliament and the Council on the assessment of the risks of money laundering and terrorist financing affecting the internal market and relating to cross-border activities, June 2017 (COM(2019) 370 final).
  • European Supervisory Authorities, Joint Opinion on the risks of money laundering and terrorist financing affecting the Union's financial sector, February 2017 (JC/2017/07).
  • European Supervisory Authorities, Opinion on the use of innovative solutions by credit and financial institutions in the customer due diligence process, January 2018 (JC/2017/81).
  • Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (‘The ML/TF Risk Factors Guidelines’) under Articles 17 and 18(4) of Directive (EU) 2015/849, repealing and replacing the Joint Committee Guidelines JC/2017/37, March 2021 (EBA/GL/2021/02).
  • European Supervisory Authorities Joint Guidelines under Article 25 of Regulation (EU) 2015/847 on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee, and the procedures they should put in place to manage a transfer of funds lacking the required information, January 2018 (JC/GL/2017/16).
  • Financial Action Task Force, Anti-money laundering and counter-terrorist financing measures – Austria, Mutual Evaluation Report, September 2016.
  • Financial Action Task Force, Guidance for a risk-based approach – The banking sector, October 2014.
  • Financial Action Task Force, Guidance on transparency and beneficial ownership, October 2014.
  • Financial Action Task Force, Guidance for a risk-based approach – Money or value transfer services, February 2016.
  • Financial Action Task Force, Guidance on correspondent banking services, October 2016.

224 Documents published by the Financial Action Task Force (FATF) may be downloaded from the Publications section of the FATF website: http://www.fatf-gafi.org/.

  • Financial Action Task Force, International standards on combating money laundering and the financing of terrorism & proliferation – The FATF Recommendations, February 2012.
  • Financial Market Authority, FMA Circular on risk assessment for the prevention of money laundering and terrorist financing, (Publication date: February 2022).
  • Financial Market Authority, FMA Circular on internal organisation for the prevention of money laundering and terrorist financing, (Publication date: February 2022).
  • National Risk Assessment for Austria.225
  • Opinion of the European Banking Authority on the application of customer due diligence measures to customers who are asylum seekers from higher-risk third countries or territories, April 2016 (EBA/Op/2016/07).
  • Draft updated Guidance for a risk-based approach to virtual assets and virtual asset service providers, March 2021.
  • Final Report on Guidelines on revised ML TF Risk Factors, March 2021 (EBA/GL/2021/02).
  • Dornseifer/Jesch/Klebeck/Tollmann, AIFMD.

Note: Where this circular contains weblinks, this is done solely for information purposes. The links are guaranteed as being correct at the time of the decision passed regarding the publication of this FMA Circular.

225 Available for download (in German only) at https://www.bmf.gv.at/finanzmarkt/geldwaesche-terrorismusfinanzierung/Nationale_Risikoanalyse_Oesterreich_PUBLIC.pdf.
