Instruction No. 20/2020 of 9 December

---

INSTRUCTION NO. 20/2020 of 9 December SUBJECT: FINANCIAL SYSTEM

• Anti-Money Laundering, Counter-Terrorist Financing and Proliferation Financing Reporting,
• Risk Assessment
• IT Tools and Applications

Whereas it is necessary to define the reporting model, as well as the implementation of risk assessment and its adequacy regarding the auxiliary IT systems of Financial Institutions under the supervision of the National Bank of Angola, in compliance with obligations to prevent and combat money laundering, terrorist financing, and proliferation of weapons of mass destruction; In accordance with the provisions established in Article 9.º of Law No. 05/20 of 27 January, the Anti-Money Laundering, Counter-Terrorist Financing and Proliferation of Weapons of Mass Destruction Prevention and Combating Law, combined with Articles 4.º, 6.º and 27.º, all of Notice No. 14/20 of 22 June. HEREBY DETERMINES:

1. Object and Scope 1.1 This Instruction defines the reporting model, as well as the implementation of risk assessment and the corresponding adequacy of auxiliary IT systems of Financial Institutions. 1.2 This Instruction applies to Banking Financial Institutions supervised by the National Bank of Angola, hereinafter abbreviated as "Institutions", under the terms and conditions provided in the Framework Law of Financial Institutions.

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 2 of 33 2. Anti-Money Laundering, Counter-Terrorist Financing and Proliferation of Weapons of Mass Destruction Reporting. 2.1 The Anti-Money Laundering, Counter-Terrorist Financing and Proliferation of Weapons of Mass Destruction Reporting, hereinafter referred to as BCFTP Report, to be submitted by Institutions, consists of: a) ANNEX I - Main Part; b) ANNEX II - Declaration by the Management/Administrative Body; c) ANNEX III - External Auditor's Opinion regarding the accuracy and adequacy of the Report, duly dated and signed; d) ANNEX IV - Supervisory Body's Opinion; and, e) ANNEX V – Self-Assessment Questionnaire.

2.2 For the purposes established in numbers 1 and 2 of Article 27.º of Notice No. 14/20, of 22 June, Institutions must submit the BCFTP Report to the National Bank of Angola: a) By 31 January each year, reflecting the Institution's situation for the period between 01 January and 31 December of the previous year, containing the minimum information provided in the Annexes of this Instruction, and forming an integral part thereof. b) Without prejudice to the preceding subparagraph, Institutions must submit the BCFTP Report in electronic PDF format, to the email address prevencaobcft@bna.ao, or in physical format, addressed to the Financial Conduct Department (DCF).

3. Risk Assessment 3.1 Institutions must conduct an annual Institutional Risk Assessment process, on an individual basis, with reference to the period between January and December of each year; assessments must be submitted to the National Bank of Angola by 10 March of the following year.

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 3 of 33 3.2 Without prejudice to Article 9.º, number 1 of Law No. 05/20 of 27 January, risk assessments must consider the shareholder profile, the adequacy of IT tools and applications, the level of knowledge and integrity of Board members and staff regarding matters related to AML/CFT/FP, assigning a risk weight to each factor. 3.3 Risk assessment may be conducted using external tools and/or reputable entities with proven experience and knowledge in the subject matter.

4. IT Tools and Applications 4.1 Institutions must implement and adapt IT tools and applications for AML/CFT/FP by 31 January 2020. 4.2 For the purposes of the preceding subpoint, it is considered: a) Tools, general-purpose programs for simple and routine tasks; and, b) IT applications, specific programs designed to meet the needs of a particular corporate business through automation of functions inherent to their management process stages. 4.3 Without prejudice to Article 9.º, number 2 of Law No. 05/20 of 27 January, combined with Article 6.º of Notice No. 14/20 of 22 June, IT tools and applications must: a) Ensure interoperability between the Institution's main system and the IT tools and applications for AML/CFT/FP; b) The interoperability referred to in the preceding subparagraph must allow operations performed in the Institution's main system, including among others account opening, deposits, withdrawals, transfers, credits, foreign exchange, to be reflected in real time by the IT tools and applications, aiming to verify at least the following: i. Whether they are or are linked to designated persons and Institutions; ii. Whether they are politically exposed persons (PEPs); iii. The risk classification level associated with the client and transactions; and iv. Fractionated operations. c) Generate statistical reports on alerts, maintaining a history of conducted due diligence measures.

4.4 Institutions must submit to the National Bank of Angola, by 31 January 2021, the instruction manual and functional description of the implemented IT tools and systems.

5. Doubts and Omissions Doubts and omissions resulting from the interpretation of this Instruction are resolved by the National Bank of Angola.

6. Sanctions Non-compliance with this Instruction constitutes an offense punishable under Law No. 12/15, of 17 June, the Framework Law of Financial Institutions.

7. Transitional Provisions Institutions must comply with this Instruction by 31 January 2021.

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 5 of 33 8. Repealing Norm Number 5 of Instruction No. 01/2013 of 22 March, Directive No. 01/DRO/DSI/15, of 12 October, on the Self-Assessment Questionnaire and other regulations contrary to this Instruction are hereby repealed.

9. Entry into Force This Instruction enters into force on the date of its publication. PUBLISHED. Luanda, 9 December 2020. THE GOVERNOR JOSÉ DE LIMA MASSANO

ANNEX I Main Part

1. Institutional Information and Relevant Contacts of the Financial Institution 1.1 General Information a) Full corporate name; b) Type of Financial Institution; c) Registration No. at the National Bank of Angola; d) Address of the Financial Institution.

1.2 Presence Abroad a) Countries or jurisdictions of subsidiaries; b) Countries or jurisdictions of branches; c) Identification of correspondent banks and respective countries or jurisdictions where located;

1.3 Financial Institution with headquarters abroad, when operating in national territory through branches. Identification of the headquarters address.

1.4 Activities and business areas a) Total assets (net, on an individual basis); b) Institution's AML/CFT/FP strategy, including risk assessment and management criteria, duly formalized (current and planned)

1.5 Identification of administrative body members and staff with relevant functions 1.5.1. Administrative/Management Body: a) Identification of administrative/management body members and indication of respective portfolios; b) Areas involved in report preparation, telephone contact and email.

1.5.2. Compliance Officer at the end of the reference period: a) Name;

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 7 of 33 b) Date of commencement of duties; c) Direct telephone contact; d) Email address; and e) Minutes of appointment (attached as annex).

1.5.3. Internal Audit Function: a) Name; b) Date of commencement of duties; c) Direct telephone contact; and d) Email address.

2. Control Policies and Procedures for AML/CFT Prevention and Combating 2.1. Identification and Due Diligence Obligation 2.1.1. Verification of identification elements after establishment of the business relationship. During the reference period, indication of the number of new business relationships established and their percentage relative to the total business relationships established in that period, where institution verification was completed after the start of the relationship.

2.1.2. Information on fund origin and destination Indication of the number of: a) New business relationships established by natural persons and their percentage relative to total established business relationships, with information on fund origin and destination; b) Occasional transactions conducted and their percentage relative to the total universe of occasional transactions, with information on fund origin and destination;

2.1.3. Verification of identification elements for beneficial owners

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 8 of 33 2.1.4. Indication of the number of: a) New business relationships established by legal entities and their percentage relative to total established business relationships, regarding which verification of beneficial owners' identification elements was carried out based on authentic documents, as provided in number 2 of Article 10.º of Notice 14/20, of 22 July; b) Occasional transactions conducted and their percentage relative to the total universe of occasional transactions.

2.2. Simplified Due Diligence Procedures 2.2.1. Description of the number of new business relationships established and their percentage relative to total established business relationships, in which Compliance intervened, with the subsequent decision to apply simplified due diligence measures. 2.2.2. Description of applied simplified due diligence procedures, namely: a) Verification of client and beneficial owner identification after establishment of the business relationship; b) Frequency of updates to collected elements in compliance with identification and due diligence obligations; c) Reduction in the intensity of continuous monitoring and depth of operational analysis; d) Absence of specific information collection and non-execution of specific measures to understand the object and nature of the business relationship; e) Mere collection of elements that should not appear in identification documents for natural persons, legal entities or unincorporated collective interest centers;

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 9 of 33 f) Determination of client activity or respective profession based on the purpose or type of established business relationship or conducted transaction; g) Other measures defined by the National Bank of Angola; h) Other measures defined by the Financial Institution.

2.3. Enhanced Due Diligence Procedures 2.3.1. Indication of the number of: a) Alerts generated by information tools or systems requiring intervention by a management member or another senior-level element, to validate and allow establishment of the business relationship, conduct of operations, or collection of additional information, as well as description of the underlying alert rule; b) New business relationships established and their percentage relative to total business relationships in that period, regarding which Compliance or another management member intervened, with the subsequent decision to apply enhanced due diligence measures; c) Cases where Compliance or another management member decided to apply enhanced measures, motivated by increased risk of: i. Money Laundering; ii. Counter-Terrorist Financing; iii. Proliferation Financing of Weapons of Mass Destruction. d) Applied enhanced measures, with information on whether application was motivated by Money Laundering, Counter-Terrorist Financing and Proliferation Financing of Weapons of Mass Destruction, namely:

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 10 of 33 i. Obtaining additional information about clients, their representatives or beneficial owners, as well as planned or conducted operations; ii. Conducting additional due diligence to verify obtained information; iii. Intervention of higher hierarchical levels to authorize establishment of business relationships, execution of occasional transactions or operations in general; iv. Intensification of depth or frequency of business relationship monitoring procedures or specific operations/sets of operations, aiming to detect potential indicators of suspicion and subsequent compliance with the reporting obligation provided in Article 17.º of Law No. 5/20, of 27 January; v. Reduction of time intervals for updating information and other elements collected in exercising identification and due diligence obligations; vi. Monitoring of business relationship follow-up referred to subparagraph f) number 2 of Article 11.º of Law No. 5/20, of 27 January or by another obligated Institution staff member not directly involved in commercial client relationship; vii. Requirement to make the first payment related to a given operation through a traceable means originating from a payment account opened by the client with a Financial Institution or other legally authorized entity, not located in a high-risk third country, which demonstrably applies equivalent identification and due diligence measures.

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 11 of 33 e) Relevant high-risk third countries in the context of the Institution's specific operational reality; f) Occasional transactions conducted and their percentage relative to the total universe of occasional transactions, without the client or representative being physically present. g) Occasional transactions conducted and their percentage relative to the total universe of occasional transactions in the reference period, with clients holding "Politically Exposed Persons" status; h) Clients holding "Holders of other political or public offices" status, where increased risk of Money Laundering, Counter-Terrorist Financing and Proliferation Financing of Weapons of Mass Destruction has been identified.

2.4. Refusal Obligation 2.4.1. Description of implemented procedures to comply with the refusal obligation provided in Article 15.º of Law No. 5/20 of 27 January. 2.4.2. During the reference period, indication of the number of account openings, business relationships, occasional transactions or other operations refused, not initiated or terminated due to failure to obtain elements provided in Articles 11.º to 14.º of Law No. 05/20 of 27 January.

2.5. Retention Obligation 2.5.1. Description of implemented procedures to comply with the retention obligation provided in Article 16.º of Law No. 5/20 of 27 January. 2.5.2. Support and filing location for information on the conservation mode of elements provided in Article 16.º of the Law, with indication:

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 12 of 33 a) Types of durable support used; b) Filing location.

2.6. Reporting Obligation 2.6.1. Description of implemented procedures to comply with the reporting obligation provided in Article 17.º of Law No. 05/20 of 27 January. 2.6.2. Description of the information circuit in the suspicious operations reporting process (from the moment the suspicious situation is detected to the eventual decision to report it to competent authorities), including information on: a) Formal participants in the process; b) Associated IT functionalities, where applicable.

2.6.3. During the reference period, indication of total reporting to the Financial Intelligence Unit ("FIU") of: a) Suspicious Operations Declaration (SOD); b) Cash Transactions Declaration (CTD); c) Identification of Designated Persons, Groups or Entities Declaration (IDPD).

2.7. Abstention Obligation 2.7.1. Description of implemented procedures to comply with the abstention obligation provided in Article 18.º of Law No. 5/20 of 27 January. 2.7.2. During the reference period, indication of the number of communications resulting from situations where the financial institution executed a suspicious operation considering that abstention was not possible.

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 13 of 33 2.8. Cooperation and Information Provision Obligation 2.8.1. Description of implemented procedures to comply with the cooperation and information provision obligation provided in Article 19.º of Law No. 5/20 of 27 January. 2.8.2. During the reference period, indication of the number of cooperation and information provision requests received under Article 19.º of Law No. 5/20 of 27 January, regarding each of the following Institutions: a) Attorney General's Office (AGO); b) Financial Intelligence Unit (FIU); c) Judicial and Police Authorities; d) General Tax Administration (GTA).

2.9. Duty of Confidentiality Description of implemented procedures to comply with the duty of confidentiality provided in Articles 20.º and 21.º both of Law No. 05/20 of 27 January.

2.10. Training Obligation 2.10.1. Description of implemented procedures to comply with the training duty provided in Article 23.º of Law No. 05/20 of 27 January. 2.10.2. During the reference period, statistical information on training actions regarding AML/CFT/FP prevention directed to relevant Institution staff. 2.10.3. Describe information for each training action conducted: a) Name and object; b) Subject matter of the action; c) Date of conduct; d) Training entity; e) Name and function of trainers (internal/external)

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 14 of 33 f) Duration (in hours); g) Supporting didactic material h) Nature (internal or external training); i) Environment (face-to-face or distance training); j) Indication of trainees' functions; k) Number of participating staff members; l) Final assessment by trainees.

2.11. Restrictive Measures 2.11.1. Description of means and mechanisms implemented to ensure compliance with restrictive measures adopted by the United Nations Security Council against designated persons or Institutions, related to Counter-Terrorist Financing and Proliferation of Weapons of Mass Destruction, namely: a) Detection of any person or entities identified in restrictive measures; and b) Freezing and unfreezing of funds and economic resources.

2.11.2. Information on whether the Institution uses external Institutions that allow real-time updating of information contained in restrictive measures and subsequent validation with the Institution's client database: a) In case of affirmative, indication of External Institutions; b) In case of negative, description of adapted procedure.

2.11.3. Indication of the time interval between: a) Updating information on restrictive measures and subsequent reflection in IT tools and applications used by the Financial Institution, with indication regarding: i. Whether updates are in real time;

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 15 of 33 ii. If not real time, their periodicity (in hours).

2.11.4. Indication on whether the Financial Institution conducts verification: a) Before establishment of a business relationship; b) Before conducting an occasional transaction; and c) During the course of a business relationship.

2.11.5. Indication of the number of cases where freezing and unfreezing measures for funds and economic resources were applied.

2.12. Correspondence Relationships 2.12.1. Measures under the respondent's responsibility During the reference period, information on cross-border correspondence relationships where the Financial Institution acts as respondent, with indication: a) Description of procedures for establishing Cross-Border Correspondence Relationships b) Name of correspondents; c) Products and services provided d) Jurisdiction of the correspondent; e) Number of operations; f) Aggregate value of operations.

2.13. Execution of Obligation by Third Parties In cases where the Financial Institution uses third parties to execute identification and due diligence measures on clients, their representatives or beneficial owners, describe the following: a) Procedures to assess whether the entity observes AML/CFT/FP obligations b) Name of the third-party service provider;

CONTINUATION OF INSTRUCTION NO. 20/2020 Page 16 of 33 c) Software to be used by the entity; d) Jurisdiction of the headquarters of the third-party service Institution; e) Number of clients subject to identification and due diligence procedures executed by the third institution.

3. Risk Management 3.1.Information related to Compliance Function: a) Description of functions; b) Description of existing mechanisms ensuring Compliance independence/autonomy; c) Description of human and technological resources and access to relevant information for executing its function.

3.2.In cases where there is no segregation between the compliance function and other organizational units, describe alternative mechanisms to mitigate potential conflicts of interest.

3.3.Description of the Institution's Money Laundering, Counter-Terrorist Financing and Proliferation of Weapons of Mass Destruction risk management model, with indication: a) Information on risk factors for Money Laundering, Counter-Terrorist Financing and Proliferation of Weapons of Mass Destruction, related to the Institution's activity; b) Information on risk factors for Money Laundering, Counter-Terrorist Financing and Proliferation of Weapons of Mass Destruction inherent to clients and transactions; c) Describe policies, procedures and controls established to identify, evaluate, monitor and control risks, in order to ensure compliance with provisions provided in Articles 9.º and 22.º both of Law No. 5/20, of 27 January for mitigation of identified and evaluated risk factors;

4