Management of Anti-Money Laundering and Countering Financing of Terrorism Risks (Proper Conduct of Banking Business Directive No. 411)

בנק ישראל. ת.ד. 780 ירושלים 9100701 | טל. 03-5640520 Banking Supervision Department October 24, 2021 Circular no. C-06-2677 To: The banking corporations and credit card companies Re: Management of Anti-Money Laundering and Countering Financing of Terrorism Risks (Proper Conduct of Banking Business Directive no. 411) Introduction

1. In recent years, advanced payment services, such as payment applications—both in terms of scope of activity and in terms of the options of making payments for purchasing products and services at merchants—have been developed in Israel. Accordingly, the Banking Supervision Department found it proper to establish supervisory regulation from the perspectives of AML and CFT, in line with the level of risk. The regulation will apply to certain payment services, as defined in the Payment Services Law, 5779-2019 (“the Payment Services Law”), that are provided by the banking corporation to the service recipient.
2. Alongside the advantages incorporated in using advanced means of payment, their use entails risks, including the utilization of the means of payment for money laundering and terror financing. The risk assessment conducted within the framework of formulating the regulation indicates that the AML/CFT risks involved in payment service activity are not high, as of today, given tight limitations, among other things limiting the scope of activity and of credit facilities. In line with that, alternative means of identification and authentication can be established, with regard to part of the requirements in the Prohibition of Money Laundering (Banking Corporations’ Requirements regarding Identification, Reporting, and Record-Keeping for the prevention of money laundering and terror financing) Order, 5761–2001 (“the Order”).
3. The report on the audit conducted by the FATF (Financial Action Task Force) on the State of Israel regarding AML/CFT, which was published in December 2018, indicated that there are some gaps between the international standards determined in this issue, and the guidelines existing in Israel, and those were regulated as part of the update to this Directive.
4. On March 14, 2021, in the regulations file, an update was published for the Prohibition on Money Laundering Order that applies to credit services providers, and among other things it was determined that it would also apply to financial asset service providers, with various adjustments and updates (“the AML Order on Credit Service Providers”). The Order will go into effect on November 14, 2021. The amendment to the AML Order on Credit Service Providers serves as an additional pillar in reducing the risks to the banking system in opening and managing accounts for such service providers and makes it possible to provide various easings in managing accounts for such entities.

2 5. For customers—who manage an account at the banking corporation—to be added remotely to investment portfolio management services (“managed account”), easings were granted from certain obligations established in the Order; the assessment is that AML/CFT risks incorporated in opening a managed account for a customer that already manages an existing account, are not high and make it possible to provide certain easings from the requirements that apply due to the Order. 6. In light of the entry into force, on October 20, 2019, of the Payment Services Law, 5779- 2019, (“the Payment Services Law”), which among other things cancelled the Debit Cards Law, 5746-1986, adjustments were made in this Directive. However, the term “Payment Card” remains in use as defined in the Banking (Licensing) Law, 5741-1981. 7. In view of the above, and after consultation with the Advisory Committee for Banking Business and with the approval of the Governor, I have amended this Directive. The revisions to the Directive 8. In Section 6 (Definitions), the definition of “Acquirer” was added. Explanatory remarks The addition of the definition is in accordance with Payment Services Law. 9. In Section 10 (AML/CFT policy), before Subsection (p), the words “For credit-card companies, the following are also included” are to be deleted; at the beginning of Subsection (p) the words “for a banking corporation that is an acquirer” shall be added, further in the section the word “acquirer” is to be added, and “for formation of business relations by an acquirer with an aggregator” shall be added, and at the end of Subsection (q) the words “that it issued” shall be added. Explanatory remarks The adjustments were made in accordance with the definitions in the Payment Systems Law; the obligation established in Subsection (p) applies to an acquiring corporation that forms business relations with an aggregator; the obligation established in Subsection (q) applies to a banking corporation that issues and clears payment cards. 10. In Section 12, the words “or where the customer is a resident of a high-risk country” shall be replaced with the words “or in a case where the customer or activity in the account is identified as being high risk”. Explanatory remarks In accordance with the FATF’s international standard, banking corporations are required to establish in their policy that the Know Your Customer process shall be carried out regardless of alternative identification processes, easings, or other exemptions that were established in a Directive, in any case in which it was identified that the customer or activity in the account is high risk. 11. In Section 46 (Customer identification), the following subsection is to be added: “(b) A banking corporation that receives an electronic transfer that originates from abroad, shall authenticate the identification details of the transfer recipient, to the extent that they were not previously authenticated by it, and shall keep the transfer documents, except in cases in

3 which the amount transferred does not exceed NIS 5,000 and no concern of ML/FT was raised by it.” Explanatory remarks In accordance with the FATF’s international standard, a banking corporation must record and authenticate the identification details of the transfer recipient, in cases of electronic transfers that originate from abroad. This requirement will not apply in cases in which the amount transferred does not exceed NIS 5,000 and no concern of ML/FT was raised. In this regard, the transfer recipient is the service recipient as defined in the Order and identification details are the details established in Section 2(k) of the Order; to the extent that these details were authenticated in the past, no further authentication is necessary. 12. Section 47 (Customer identification) At the end of Subsection (a), the following is to be added: “This obligation shall apply both to a banking corporation managing the beneficiary’s account and to an intermediating banking corporation through which the transfer was executed.” Explanatory remarks In accordance with the FATF’s international standard, a banking corporation must establish risk based procedures regarding electronic transfers that originate from abroad. This obligation shall apply both to the receiving banking corporation as well as to an intermediating banking corporation through which the transfer was executed. 13. Section 48 (Customer identification), after Section (a) the following is to be added: “(a1) A banking corporation that receives an instruction from a customer in Israel to carry out an electronic transfer, shall verify that it can submit the particulars noted in Subsection (a), to enforcement authorities, immediately, if required.” Explanatory remarks In accordance with the FATF’s international standard, a banking corporation is to submit items related to the electronic transfer in Israel, immediately with the requirement by enforcement authorities. 14. After Section 48 (Customer identification) the following is to be added: “48a. A banking corporation shall not execute several electronic transfers in one batch to outside of Israel, for the same transferor without having the particulars of the transferor and transferee as determined in Section 2(k) of the Order for each transfer in the batch. With regard to this subsection, “batch”—several transfers for the same transferor to various transferees, that are transferred in one file.” Explanatory remarks This adds guidance that also in the case of several electronic transfers executed for the same customer, in one batch, to several beneficiaries outside of Israel, the existence of all the particulars of the transferor and transferee as determined in Section 2(k) of the Order shall be verified; this guidance is required under the FATF’s international standard. 15. The provisions of Sections 11–14 above shall not apply to electronic transfers due to activity deriving from a payment card, except if the payment card is used for transferring funds, as noted in Section 2(k) of the Order.

4 16. In Section 50 (Reasonable refusal), after Section (b), the following shall be added: “(c) execution of the know your customer process will lead to a violation of the prohibition established in Section 12 of the Order.” In the last paragraph of the section, after the words “Non-execution of the transaction” the following shall be added: “including non-completion of the know your customer process or not opening an account”. Explanatory remarks In accordance with the FATF’s international standard, in a case in which there is a reasonable concern that completing the “know your customer” process is liable to lead to a violation of the prohibition on disclosure of reporting and the content of a report on unusual activity, the service provider may not complete the process. Accordingly, a guideline was added, based on which in cases in which the banking corporation has a reasonable concern that completing the “know your customer” process will lead to violating the prohibition in Section 12 of the Order, it is required not to complete the said process, and it will be considered a reasonable refusal to open and manage an account. The non-completion of the process does not obviate the banking corporation’s examination of the need to report an unusual transaction to the authorized entity in accordance with Section 9 of the Order. 17. Sections 76–81 (Activity with aggregators) a. In Section 76, the definition of aggregator was revised; instead of “a business that concentrates debits and credits for merchants” shall be: “a corporation that concentrates merchants’ debits and credits carried out via payment cards, provided that the corporation has a license pursuant to the Control of Financial Services (Regulated financial services) Law, 5776-2016 or is a regulated financial entity that received a permit to continue operations and whose license request was not rejected.” b. In Sections 77–81, instead of “credit card company” and “the company”, the word “acquirer” shall be used. c. In Section 78:

1. “NIS 50,000” shall be replaced by “NIS 2,000,000”.
2. The provisions of the Section shall be followed by: “Notwithstanding the above, to the extent that the reference is to an aggregator on whose activity as an aggregator an Order, under the Prohibition on Money Laundering Law, 5760-2000, and under the Combatting Terrorism Law, 5776-2016, is not imposed, the limit on the scope of annual acquiring for an individual merchant shall be a total of NIS 100,000.”
3. The words “in these cases” shall be replaced by “In the cases noted above”. Explanatory remarks The definition of aggregator was updated, regarding a corporation holding a license pursuant to the Control of Financial Services (Regulated financial services) Law, 5776-2016 or is a regulated financial entity that received a permit to continue operations and whose license request was not rejected. In addition, against the background of the revision of the AML Order on Credit Service Providers, and in term of viewing the aggregator as a factor contributing to competition and that can assist small merchants, easings were established with regard to an acquirer’s activity vis-à-vis an aggregator without a direct acquiring agreement vis-à-vis the merchant. We emphasize that opening business relations with an aggregator, shall be carried out, among other things, while taking into account the directives and guidelines of international credit card organizations and the acquirer’s policy.

5 18. Sections 84–87 (Management of risks involving payment card transactions in risk￾intensive industries): In Sections 84–87, the word “acquirer” shall replace “credit card company”. Explanatory remarks Update of terms in accordance with the definitions in the Payment Services Law. 19. Appendix A.3 (Arrangement Established by the Supervisor of Banks under Section 5(a)8 of the Order): a. After the words “holders of a license to extend credit” shall come “or holders of a license to provide services in a financial asset” b. After the words “that are managed on behalf of their customers” shall come “and that a valid Order applies to their activity as holders of a license, pursuant to the Prohibition on Money Laundering Law, 5760-2000, and pursuant to the Combatting Terrorism Law, 5776-2016”. 20. Appendix A.4 (Arrangement Established by the Supervisor of Banks under Section 5(b) of the Order): a. After the words “holders of a license to extend credit” shall come “or holders of a license to provide services in a financial asset” b. After the words “that are managed on behalf of their customers” shall come “and that a valid Order applies to their activity as holders of a license, pursuant to the Prohibition on Money Laundering Law, 5760-2000, and pursuant to the Combatting Terrorism Law, 5776-2016”. Explanatory remarks In accordance with the Order, a banking corporation is required to record the details of the account’s beneficiary based on a declaration, with an original signature, of the account opening applicant and of the account owner. In a case of opening an account for a corporation, the banking corporation shall require a declaration from the corporation, with an original signature, regarding the holder of control in the corporation. In view of the publication of the Credit Service Providers Order, an exemption was granted, with regard to recording a beneficiary and receiving a declaration about a beneficiary and the holder of control. It is emphasized that the exemption applies only with regard to the obligations of the Order, and it does not exempt the banking corporation from receiving a declaration of beneficiary by the power of the provisions of other laws regarding managing the account for those entities. 21. Appendix B.1(The arrangement established by the Supervisor of Banks in accordance with Section 7a of the Order): The link to the Population and Immigration Authority shall be replaced by: https://www.gov.il/he/Departments/General/types_of_visas_for_infilitrators Explanatory remarks The link to the website that enables the banking corporations to check the validity and originality of a customer’s residence permit by the power of Section 2(a)(5) of the Entry into Israel Law was updated. 22. Appendix B.2 (The arrangement established by the Supervisor of Banks in accordance with Section 7a of the Order) shall be added to the Directive. Explanatory remarks a. In accordance with the Order, the banking corporation is required, among other things, to comply with obligations to record identifying particulars, to authenticate details, and to require

6 documentation, to carry out a “Know Your Customer” process, to receive a declaration regarding beneficiaries and face to face identification of the service recipient (the “Order’s obligations”), as detailed in Chapter B of the Order. b. Within the framework of the arrangement, a banking corporation is required, among other things, to record the identification details of the service recipient, and to record the details of the payment account managed at a banking corporation in Israel, and the details of the means of payment issued by the banking corporation in Israel, of the service recipient. We clarify that the obligation to record details of the means of payment shall only apply in a case in which some use was made of the means of payment when providing the payment service. c. Likewise, within the framework of the Agreement, the banking corporation is required to record if the payment services are provided for a business goal or a non-business goal. It is clarified that, for this matter, a declaration from the service recipient can be relied on. In addition, the banking corporation is to maintain a computerized database of details on the payment activities executed within the framework of providing the payment services, which is to include the beneficiary’s name, the payer’s name, the amount of the payment or acquiring activity, the goal of the payment activity (for example, payment for receiving a business service) as submitted by the service recipient, and the date the payment or acquiring activity is executed. d. In addition to the above, the banking corporation is to act in accordance with one of the following alternatives:

1. To record the identification particulars of the service recipient noted in Paragraph b above based on a copy of the identification document or according to an identification document issued by the State of Israel, bearing a name, ID number, date of birth, and picture, and to authenticate them with the Population Registry. It is clarified that recording the residence of the service recipient can be done via contacting the Population Registry, provided that the customer’s consent is received for that.
2. To verify vis-à-vis the other banking corporation, in which the payment account is managed, and vis-à-vis the banking corporation that issued the means of payment, that the service recipient is the owner of the payment account and means of payment that are being used, in line with the circumstances. It is clarified that to the extent that there is a change in the payment account details or a change in the means of payment details, the examination process should be carried out again vis-à-vis the other banking corporation (to the extent that such changes are known by the banking corporation). e. If, when contracting with the service recipient, the banking corporation was unable to verify the service recipient’s identification details vis-à-vis the Population Registry or to authenticate that the service recipient is the owner of the payment account or of the means of payment with the other banking corporation on-line, the banking corporation may complete the authentication or verification process as soon as possible after setting up the service, provided that it establishes a limitation on the activity framework until the authentication is completed. f. The manner in which the banking corporation carries out the authentication or ownership verification activity as noted shall be determined by the banking corporation and shall be anchored in its procedures, and may be executed via an automated system between the various banks or by establishing an authorization to debit an account at the banking corporation or by another way that will be determined by the banking corporation. g. It is clarified that in a case in which the payment service allows the accruing of a balance, and the balance that is calculated as a moving average at any given moment, for a period of 3 months, is NIS 5,000 or more, the banking corporation is to act in accordance with the provisions of Section d.1 above, without the option of choosing between the alternatives offered in Section d.

7 h. The Agreement shall apply to payment services to individual residents of Israel. This includes issuing means of payment, acquiring of payment activities and managing a payment account, subject to the following conditions:

1. The total fund transfers that the service recipient can execute in the course of a year shall be limited to NIS 100,000; It is clarified that executing transactions via payment cards shall be considered as transferring funds and shall be included in the said limitation of scope;
2. The total funds that the service recipient can receive in the course of a year shall be limited to NIS 100,000;
3. The maximum credit facility on the payment card that the banking corporation will be permitted to extend to the service recipient shall not exceed NIS 20,000. In this matter is shall be emphasized that this agreement refers to extending a credit facility via payment card alone, and does not apply to providing credit;
4. The banking corporation can monitor the activity of the service recipient in accordance with all laws. i. The Agreement shall not apply in the following cases:
5. Managing a payment account on behalf of a beneficiary or on behalf of a payer whose accrued balance exceeds NIS 20,000;
6. Opening and managing a current account at a banking corporation. j. This Agreement refers exclusively to easings with regard to obligations required within the framework of Chapter B of the Order, and it does not exempt the banking corporation from all obligations of the Order and the Directive, including with regard to monitoring the customer’s activity. k. When the payment service is provided to the service recipient in a banking corporation in which the service recipient manages a payment account, the payment service will be seen as part of the account management, and the provisions of this Agreement shall not apply. This is only in a case that the banking corporation authenticated before the beginning of the providing of the service that the service recipient manages a payment account with it and that all the requirements of Chapter B of the Order have been fulfilled with regard to it. l. When the payment service is provided to a service recipient regarding which the banking corporation carried out all the obligations detailed in Chapter B of the Order, the quantitative limitations established in this Agreement shall not apply. m. The quantitative limitations established in this Agreement shall not apply in a case in which the payment service is provided by an auxiliary corporation controlled by a banking corporation that manages the payment account, provided that all the relevant information for monitoring and reporting, including “Know Your Customer” information, are transferred to the auxiliary corporation controlled in accordance with the law, including receiving the customer’s consent to transfer the information. n. It is further clarified that when the payment service is provided to a service recipient at a banking corporation regarding which the identification obligations detailed in Section 6a of the Order are carried out, all the requirements of this Agreement shall apply. o. It is emphasized that the current Agreement does not exempt the banking corporation from any obligations of the provisions of other laws and regulations. p. The provisions of Chapter C of Proper Conduct of Banking Business Directive no. 367, on “E-banking”, shall not apply to an account opened in accordance with this Agreement. q. To remove any doubt, when issuing a payment card, a banking corporation may act in accordance with the provisions of Section 6a of the Order. r. It is clarified that this Agreement does not change the Banking Supervision Department letter dated March 5, 2017, on the issue of prepaid cards.

8 23. Appendix B.3 (The Arrangement Established by the Supervisor of Banks under Sections 6a(5) and 7a of the Order) shall be added to the Directive. Explanatory remarks In accordance with the Order, a banking corporation is required to implement, among other things, obligations of face to face identification and receipt of a declaration on beneficiaries with an original signature, when opening an account for a customer. In accordance with the assessment of AML/CFT risk inherent in opening a managed account, a customer managing an existing account that passed identification and authentication processes as required in the Order, it is possible to exempt banking corporations from some of the obligations under the Order and to establish instead an alternative Arrangement. Within the framework of the Arrangement, the banking corporation is required to authenticate the identity of the customer in the existing account using at least 2 authentication factors as defined in Section 8 of Proper Conduct of Banking Business Directive no. 367 on “E-banking” and to receive from the customer a declaration regarding beneficiaries, without an original signature in the managed account, subject to the following conditions: (a) The beneficiaries in the managed account and the beneficiaries in the existing account are completely identical; (b) The customer or the activity in the existing account or in the managed account were not identified as being high AML/CFT risk; (c) The funds in the managed account will be received from the customer’s existing account, in the same banking corporation; (d) The funds in the managed account will be transferred back to the account owned by the customer in the banking corporation or in another banking corporation. Applicability 24. The amendments to this Directive shall go into effect as follows: a. Regarding Sections 6, 10, 76–81, 85–87, and Appendices A.3, A.4, B.1, and B.3—from the date this Directive is published; b. Regarding Sections 12, 46(b), 47(a), 48(a1), 48a and 50(c)—on December 15, 2021. c. Regarding Appendix B.2—within 12 months from the publication date of this Directive. The amendments are required, both in regard to new customers and to existing customers. To remove any doubt, a banking corporation that is prepared to do so, may act in accordance with this Directive earlier than the start date, provided it has submitted notice of that in writing to the Banking Supervision Department. Updating of the file 25. Attached are the updates to the Proper Conduct of Banking Business file. Following are the updates: Remove page Insert page (09/21) [19] 411-1-32 (10/21) [20] 411-1-34 Sincerely, Yair Avidan Supervisor of Banks