Notice No. 5/GBM/2022 of 17 November Approving Guidelines on the Prevention and Combating of Money Laundering, Terrorism Financing and Proliferation Financing

SUMÁRIO A V I S O The matter to be published in the «Boletim da República» must be submitted as a duly authenticated copy, one for each subject matter, containing the following endorsement, signed and authenticated: For publication in the «Boletim da República». IMPRENSA NACIONAL DE MOÇAMBIQUE, E. P. Banco de Moçambique: Notice No. 5/GBM/2022 of 17 November: Approves the Guidelines on the Prevention and Combating of Money Laundering, Terrorism Financing and Proliferation Financing. Thursday, 17 November 2022 | I SERIES — Number 222

BANCO DE MOÇAMBIQUE Notice No. 5/GBM/2022 of 17 November Law No. 11/2022, of 7 July, establishes the new regime for the Prevention and Combating of Money Laundering, Terrorism Financing and Proliferation Financing in Mozambique. Given the need to guide the operations of financial institutions that, under the aforementioned Law, fall within its supervisory scope, Banco de Moçambique, exercising the powers attributed to it by the combined provisions of paragraph a) of Article 54 and paragraphs 1 to 4 of Article 4 of the said Law, determines:

1. The Guidelines on the Prevention and Combating of Money Laundering, Terrorism Financing and Proliferation Financing are hereby approved, attached to this Notice, forming an integral part thereof.
2. Non-compliance with the provisions of this Notice constitutes a regulatory offence punishable under Law No. 11/2022, of 7 July.
3. Notice No. 4/GBM/2015 of 17 June, on the Guidelines for the Prevention and Combating of Money Laundering and Terrorism Financing, is hereby revoked.
4. This Notice enters into force within sixty days from the date of its publication.
5. Interpretation and application doubts regarding this Notice shall be submitted to the Regulation and Licensing Department of Banco de Moçambique. Maputo, 2 September 2022. — Governor, Rogério Lucas Zandamela.

Guidelines on the Prevention and Combating of Money Laundering, Terrorism Financing and Proliferation Financing CHAPTER I General Provisions ARTICLE 1 Object These Guidelines establish the procedures and measures for the prevention and combating of money laundering, terrorism financing and proliferation financing.

ARTICLE 2 Scope of Application

1. These Guidelines apply to all financial institutions that, under paragraphs 1 to 4 of Article 4 of Law No. 11/2022, of 7 July, are under the supervision and monitoring of Banco de Moçambique.
2. Financial institutions of a different nature than banks and microbanks are subject to the provisions of this Notice, insofar as applicable.

CHAPTER II Risk Management Policies ARTICLE 3 Responsibilities of the Board of Directors or Equivalent Body

1. The board of directors or equivalent body of financial institutions must document and approve policies on risk identification, assessment and management, as well as internal control measures that enable effective management and mitigation of identified money laundering, terrorism financing and proliferation financing risks, and submit them to Banco de Moçambique.
2. For the purposes of the preceding paragraph, the board of directors or equivalent body must prioritize a risk-based approach.
3. The board of directors or equivalent body must annually approve the institution's risk assessment policy, determine the level of risk it is willing to accept, and propose adequate risk mitigation measures.
4. The board of directors or equivalent body must, at least annually: a) formally communicate risk tolerance and acceptance strategies to all institution employees; and b) disseminate recommendations on the implementation of policies for preventing and combating money laundering, terrorism financing and proliferation financing.
5. The board of directors or equivalent body must ensure that the adopted control processes and procedures are effective, efficient, and contribute to reducing the risk of the institution being used for money laundering, terrorism financing or proliferation financing.

ARTICLE 4 Risk Management Policy The money laundering, terrorism financing and proliferation financing risk management policy must contain, inter alia: a) policies and procedures on the duty of identification and verification; b) policies and procedures on risk assessment, management and monitoring; c) policies on confidentiality regarding accounts under monitoring to determine suspicious transactions; d) policies and procedures on the reporting of suspicious transactions and other types of reports; and e) policies and procedures on document retention.

ARTICLE 5 Risk Assessment

1. Financial institutions must prepare an annual documented risk assessment for all money laundering, terrorism financing and proliferation financing risks, which must be approved by the board of directors or equivalent body.
2. In preparing the risk assessment, the institution must use internal information, such as operational and transactional data, as well as external information, such as national and sectoral risk assessment reports.
3. The risk assessment must be prepared using quantitative and qualitative elements and must be updated whenever any changes in the assumptions used for its preparation occur that may have a relevant impact.
4. The risk assessment must be formally approved by the board of directors or equivalent body, via minutes, and must cover the following elements: a) products and services provided to clients; b) specifics of the institution's transactions, including nature, complexity, etc.; c) direct or indirect distribution channels; d) client characteristics; and e) geographic areas where clients or related transactions are located.
5. The risk assessment must consider all jurisdictions with which the institution has commercial relations and all possible types of transactions, namely: a) documentary credits; b) correspondent banking; and c) transfers.

ARTICLE 6 Implementation of Risk Mitigation Measures The board of directors or equivalent body must ensure the implementation of approved mitigation measures within the risk assessment framework.

ARTICLE 7 Procedures Regarding Confidentiality

1. Financial institutions' confidentiality procedures must contain provisions regarding the confidentiality of the existence, content and follow-up of suspicious transaction reports, to avoid tipping-off.
2. Tipping-off constitutes a criminal offence under Article 206 of Law No. 20/2020, of 31 December.

CHAPTER III Suspicious Transactions Reporting Officer (STRO) ARTICLE 8 Appointment

1. The board of directors or equivalent body must appoint a Suspicious Transactions Reporting Officer (STRO) at headquarters, branches, subsidiaries and other forms of representation, ensuring sufficient resources for its functionality, namely human, material and technological.
2. The STRO must be selected from the institution's management-level employees and must, at minimum, possess a high degree of responsibility and independence.
3. The level of resources referred to in paragraph 1 must reflect the institution's size, complexity, number of clients and offered products.

ARTICLE 9 Responsibilities of the Suspicious Transactions Reporting Officer (STRO)

1. The STRO supports and guides the management of money laundering, terrorism financing and proliferation financing risks in the financial institution.
2. Without prejudice to other applicable legislation, the STRO's responsibilities include, inter alia: a) regularly reviewing the adequacy of the control system for preventing and combating money laundering, terrorism financing and proliferation financing, namely: i. supervising the implementation of policies and procedures for preventing and combating money laundering, terrorism financing and proliferation financing; ii. ensuring an appropriate monitoring process; and iii. actively participating in the selection of software to monitor clients and their transactions; b) ensuring that all relevant information is transmitted to workers, supervising compliance with the institution's approved training and capacity-building policies and ensuring that its content is adequate, up-to-date and aligned with best practices and trends in money laundering, terrorism financing and proliferation financing.

ARTICLE 10 Confidentiality

1. STROs are subject to a confidentiality obligation regarding all individual alerts, transactions and suspicious operations they handle in the exercise of their functions.
2. Information exchange within the institution may only be conducted with organization personnel subject to the same confidentiality obligation in cases of money laundering, terrorism financing and proliferation financing, based on the institution's procedures defining the "need to know" rule.

ARTICLE 11 Centralized Coordination

1. Financial institutions must appoint a coordinating STRO, responsible for coordinating and centralizing information received from other STROs and analyzing detected unusual transactions.
2. The coordinating STRO is specifically responsible for: a) ensuring the submission of suspicious transaction reports to the Financial Information Office of Mozambique (GIFiM), with all relevant information on the transaction and client; b) ensuring the immediate submission of any additional information requested by competent authorities, regarding suspected money laundering, terrorism financing and proliferation financing cases; and c) ensuring centralized coordination with various stakeholders, namely internal auditors, external auditors, Banco de Moçambique, GIFiM, and judicial and administrative authorities.

ARTICLE 12 Substitution

1. In case of STRO substitution due to absence or other reasons, the financial institution must ensure that the substitute meets the relevant requirements.
2. To avoid conflicts of interest, under no circumstances may the STRO be replaced by a member of internal audit.

ARTICLE 13 Conflicts of Interest The board of directors or equivalent body must adopt provisions on preventing conflicts of interest for STROs, including prohibiting incentives that may hinder the timely identification and reporting of suspicious transactions to competent authorities.

CHAPTER IV Internal Audit ARTICLE 14 Responsibilities of Internal Audit Internal audit is responsible for conducting an independent assessment and ensuring the effectiveness and efficiency of the money laundering, terrorism financing and proliferation financing prevention system, namely: a) verifying policy adequacy; b) adopting support procedures and systems to detect potential money laundering, terrorism financing and proliferation financing suspicious operations; c) evaluating whether each line of defense adequately performs its assigned tasks and functions; and d) reviewing system functioning to ensure adequate performance.

ARTICLE 15 Independence Internal audit must always be independent and report directly to the board of directors or equivalent body.

ARTICLE 16 Internal Audit Program and Report

1. The internal audit program must be aligned with the risk assessment conducted by the financial institution.
2. The internal audit report must be submitted in a timely manner to the board of directors or equivalent body and, if applicable, to the audit committee.

ARTICLE 17 Scope and Methodology The board of directors or equivalent body must ensure that the scope and methodology of internal audit are adequate to the financial institution's risk profile and that audit frequency is risk-based.

ARTICLE 18 Findings Any adverse findings by internal audit must be duly forwarded to the board of directors or equivalent body, according to the formal corporate governance structure.

ARTICLE 19 Duties of Internal Audit

1. Internal audit must ensure compliance with money laundering, terrorism financing and proliferation financing prevention procedures in all branches and subsidiaries of the financial institution.
2. The aforementioned duty must cover third parties and agents acting on behalf of the financial institution, to ensure their compliance with the institution's policies and procedures.
3. Internal audit must, in particular, review due diligence and "Know Your Customer" processes conducted for clients, products, services or distribution channels identified as high risk.
4. Internal audit must verify the diligent handling of money laundering, terrorism financing and proliferation financing alerts, and whether generated alerts are promptly closed with an adequate risk assessment.

ARTICLE 20 Frequency Internal audits must be conducted on all or part of the financial institution's money laundering, terrorism financing and proliferation financing prevention system at least annually.

CHAPTER V Outsourcing and Group Organization ARTICLE 21 Outsourcing A financial institution that outsources operational activities to service providers, which include or are linked to money laundering, terrorism financing and proliferation financing obligations, must verify whether its procedures are effectively implemented by the service provider, especially if located abroad.

ARTICLE 22 Group Relationship

1. If the financial institution belongs to a group or is the parent company of a financial group, internal procedures must allow information sharing within the group for organizational and monitoring purposes regarding money laundering, terrorism financing and proliferation financing prevention, including forwarding information to the group's parent company.
2. Information sharing procedures must comply with relevant legislation on the matter.

ARTICLE 23 Equivalence Principle If the financial institution is the parent company of a financial group, the STRO responsible for implementing the group's money laundering, terrorism financing and proliferation financing risk management policy must verify whether measures applied in foreign entities are at least equivalent to those in force in Mozambique and whether subsidiaries located in other States comply with provisions similar to Mozambique's.

ARTICLE 24 Communications If the financial institution is the parent company of a financial group, the STRO responsible for implementing the group system must be informed of suspicious transaction communications made to a Financial Intelligence Unit by any entity within the group.

ARTICLE 25 Branches If the financial institution holds branches, the STRO responsible for implementing the group system must verify whether applicable local legislation does not prevent rapid access to documents or transaction details.

CHAPTER VI Duty of Identification and Verification SECTION I Policies and Client Classification ARTICLE 26 Know Your Customer (KYC)

1. Financial institutions must adopt policies on client identification and verification, regardless of individual transaction amounts.
2. The financial institutions' "Know Your Customer" policy must incorporate the following elements: a) client acceptance policy; b) client identification and verification procedures; c) transaction monitoring; and d) risk management.

ARTICLE 27 Client Acceptance Policy Financial institutions must develop a clear policy on client acceptance, including applicable measures for each client category.

ARTICLE 28 Content of Client Acceptance Policy

1. The client acceptance policy must consider risks associated with the client, country or geographic region, and risks associated with the product/service/operation delivery channel, as exemplified in Annex I of this Notice.
2. Essentially, the client acceptance policy must integrate, without limitation, the following: a) prohibition of anonymous or fictitious accounts; b) prohibition of numbered accounts; c) client categorization according to the risk assessment conducted; d) necessary documentation, additional information to be required and applicable measures for each client category, based on the risk assessment conducted; e) enhanced due diligence measures for accepting high-risk clients, as exemplified in Annex II; f) prohibition of account opening or closure when the financial institution is unable to apply due diligence measures; g) circumstances under which a client may act on behalf of another, whether natural or legal person, must be clear and in accordance with prevailing legislation; and h) type of necessary inquiries before account opening, to verify that the client has no criminal record and is not on terrorist or terrorist organization lists.

ARTICLE 29 Risk Classification

1. Financial institutions must have a clear and active risk classification policy for their clients.
2. Client risk classification must be updated at least once a year.
3. The frequency of risk classification must be increased for high-risk clients.

ARTICLE 30 Trigger Management System Financial institutions must have an adequate trigger management system that allows conducting the necessary review of the client acceptance process in light of any events occurring to the client that may imply a revision of their risk classification.

SECTION II Client Identification and Verification Procedures ARTICLE 31 Duty of Identification Financial institutions must identify their clients under the terms and situations provided in Law No. 11/2022, of 7 July, and whenever they lack sufficient and current information about the client.

ARTICLE 32 Duty of Verification

1. Financial institutions must identify and verify the identity and current address of their clients, and understand the nature of the client's business, income sources, financial situation, and the quality with which they intend to establish a business relationship with the institution.
2. Financial institutions must ensure, as much as possible, that they are dealing with a reputable person and verify the identity of the person in question, in accordance with the provisions of this Chapter.

ARTICLE 33 Intermediaries

1. If the funds to be deposited or transferred are provided by a third party, the institution must proceed with the identification and verification of that person.
2. If the institution is unable to determine whether the applicant in the business is acting on their own behalf or on behalf of a third party, it must consider submitting a suspicious transaction report to GIFiM, even if the account is eventually not opened or the transaction is not processed.

ARTICLE 34 Surveillance Measures Financial institutions must require clients to provide, in writing, the identity and information of the effective beneficial person(s) of the business relationship or transaction, as part of surveillance measures to identify and verify their identity.

ARTICLE 35 Identity Confirmation

1. Financial institutions must obtain all necessary information to confirm the client's identity and verify the information provided by them.
2. For this purpose, financial institutions may use available national and international public information, cross-reference information with other evidence, namely service invoices (water, energy, telephone), telephone directories, credit registries, criminal records, and maintain such elements in their archives.

ARTICLE 36 Beneficial Owner Identity If the client is not the beneficiary of the business relationship, the financial institution must take reasonable measures to verify the beneficial owner's identity, using relevant information or data obtained from a source considered reliable for confirmation.

ARTICLE 37 Account Closure

1. When a client closes an account and requests the opening of another in the same financial institution, they are not exempt from the duty of identification and verification; in this case, details regarding the client's file must be reconfirmed.
2. Account details and due diligence conducted under the preceding paragraph to verify identity and records must be transferred to the new account's records.

ARTICLE 38 Alteration of Identification Elements

1. Any subsequent alteration of the client's name...