Minimum Requirements for Licensed Financial Institutions for the Management of Money Laundering and Terrorist Financing Risk

Reserve Bank of Fiji Banking Supervision Policy Statement No: 6 MINIMUM REQUIREMENTS FOR LICENSED FINANCIAL INSTITUTIONS FOR THE MANAGEMENT OF MONEY LAUNDERING AND TERRORIST FINANCING RISK NOTICE TO FINANCIAL INSTITUTIONS LICENSED UNDER THE BANKING ACT 1995 Reserve Bank of Fiji April 2025 (Revised)

1 PART 1: PRELIMINARY 1.0 Introduction 1.1 This Policy is issued under Section 14(3) of the Banking Act 1995, Section 36 of the Financial Transactions Reporting Act 2004 (FTR Act 2004 or ‘the FTR Act”) and sections 35, 36 and 37 of Financial Transactions Reporting Regulations 2007 (“FTR Regulations”). 1.2 The Policy issued in 2014 has been amended to incorporate the relevant provisions of the FTR Act 2004 and the FTR Regulations 2007, the requirements of Basel Committee on Banking Supervision’s Core Principle No.15 and the Financial Action Task Force (“FATF”) 40 recommendations relevant to Licensed Financial Institutions (“LFIs”). 2.0 Objective of the Policy 2.1 The objective of this Policy is to ensure that each LFI has in place a comprehensive Money Laundering/Terrorist Financing (“ML/TF”) Risk Management Framework that is aligned to the LFI’s strategy and business plans, and commensurate with the size, complexity and nature of its operations in Fiji. 2.2 The Policy therefore sets out the minimum requirements on establishing a risk management framework comprising of systems, structures, processes and people within which the LFI identifies, assesses, mitigates and monitors money laundering and terrorist financing risk. PART 2: MINIMUM REQUIREMENTS 3.0 Risk-Based Approach 3.1 In meeting its obligations under this Policy, LFIs must undertake a risk-based approach and in this regard comply with the requirements of the Fiji Financial Intelligence Unit (“FIU”)’s Policy Advisory on Risk Based Approach1 . 3.2 At a minimum, each LFI should identify, assess and understand its ML/TF risk with regard to the following, before providing a product or service to a customer: a) Its customer types; b) The source of funds and source of wealth of customers c) The business or occupation of customers d) The types of products and services that it provides; e) The methods by which it delivers designated products and services; and f) The foreign jurisdictions it has dealings with. 1 Reference 5/2007, Date: 22/06/07, Risk Based Approach

2 3.3 LFIs must document the measurement techniques that they have chosen, the reasons for their selection of measurement techniques and procedures associated, that will enable the assessment and quantification of ML/TF risk, and the impact on their operations. 4.0 Money Laundering/Terrorist Financing Risk Management Framework 4.1 Each LFI is required to establish an effective ML/TF Risk Management Framework. The ML/TF Risk Framework is the totality of systems, structures, processes and people that address the ML/TF Risk Management process. The ML/TF Risk Management Framework sets the scope for the ML/TF risk management process and determines how the process can be established and maintained. 4.2 Each LFI is required to develop as part of its ML/TF Risk Management Framework, an Anti-Money Laundering/Combating of Financing of Terrorism (“AML/CFT”) Policy that outlines the LFI’s approach to managing ML/TF risk and the processes involved. At a minimum, the internal AML/CFT Policy must include measures for: a) Customer Due Diligence, in compliance with sections 4, 6 and 7 of the FTR Act; b) Record Retention as per the requirements of sections 8 and 9 of the FTR Act; implementing processes and systems for monitoring customers; c) On-going Monitoring of Transactions as per the requirements of sections 10 and 11of the FTR Act; d) Recognition and Reporting of Suspicious Transactions in compliance with the requirements of sections 14 and 18 of the FTR Act; e) Reporting of cash transactions and electronic fund transfers as per the requirements under section 13 of the FTR Act; f) Recording information on the originator of wire transfers as per the requirements of section 12 of the FTR Act; g) Correspondent banking relationships as per the requirements of section 5 of the FTR Act; h) The development and launch of new products and new business practices, including new delivery mechanism and the use of new or developing technologies for both new and pre-existing products. Furthermore, LFIs must undertake ML/TF risk assessments prior to the launch of the product, processes and technologies that may arise from the provision of this new product, and take appropriate measures to manage and mitigate these risks; and i) AML/CFT Training Program for all officers and employees. 4.3 Furthermore, each LFI must ensure that its internal AML/CFT Policy complies with all requirements outlined in the FIU’s Guidelines and Policy Advisories. 4.4 The AML/CFT Policy must be documented, easily understood, auditable, accessible to all staff and reflective of the size, complexity and nature of the LFI’s

3 ML/TF risk profile and exposure. Furthermore, the AML/CFT Policy must be approved by the Board or its proxy. 4.5 LFIs must regularly review and update the documents, data or information collected under their internal AML/CFT Policy. 5.0 Roles and Responsibilities of the Board 5.1 The ultimate responsibility and accountability for ensuring the LFI’s compliance with this Policy, the AML/CFT laws such as the FTR Act and FTR Regulations, FIU Guidelines and Policy Advisories rests with the LFI’s Board or its proxy. 5.2 At a minimum, the Board or its proxy is required to: a) Ensure the safety and soundness of the LFI; b) Ensure that an appropriate, adequate and effective system for ML/TF risk management and internal control is established, implemented, maintained and documented by Senior Management. Procedures must be in line with the requirements of the FTR Act, FTR Regulations, FIU’s Policy Advisories and Guidelines; c) Identify and understand the ML/TF risks faced by the LFI; d) Ensure that ML/TF risks are appropriately managed by Senior Management; e) Approve the policies and procedures for the evaluation and management of ML/TF risk; f) Review and approve the ML/TF Risk Management Framework annually or whenever there are changes in circumstances that could impact on ML/TF risk; and g) Monitor and review functions of the Internal Audit Function. 6.0 Role and Responsibilities of Senior Management 6.1 The responsibilities of the Senior Management include, at a minimum: a) Developing effective internal policies, procedures and controls that identify, measure, manage and monitor the ML/TF risks faced by the LFI; b) Implementing ML/TF risk management strategies and policies approved by the Board; c) Notify the Board of material changes to procedures and policies for compliance with AML/CFT standards and laws; d) Ensure that the LFI complies with FTR Act and FTR Regulations, and FIU’s Policy Advisories and Guidelines; e) Monitoring appropriateness, adequacy and effectiveness of the ML/TF risk management system; f) Ensure that all officers and employees are provided with training on an ongoing basis to ensure that they are aware of the laws, policies and procedures relating to AML/CFT standards, current developments and changes made;

4 g) Assist and cooperate with the relevant law enforcement authorities in Fiji such as Financial Intelligence Unit and Fiji Police Force, in investigating money laundering and terrorist financing activities; and h) Reporting to the Board on all of the above requirements. 7.0 Roles and Responsibilities of the AML Compliance Officer 7.1 LFIs must comply with Section 21(2) of the FTR Act which stipulates that the LFI must appoint an AML compliance officer at the management level, to perform the following functions: a) be responsible for ensuring compliance with the FTR Act, FTR Regulations and other related policies and guidelines; b) be given appropriate and adequate authority and responsibility to implement the requirements of the FTR Act and FTR Regulations; and c) have the authority to act independently and to report to senior management above the compliance officer’s next reporting level. 7.2 The AML Compliance Officer and other employees designated by such officer must have timely access to customer identification data and other customer due diligence information, transaction records and other relevant information. 7.3 The AML Compliance Officer must report to the FIU, in the prescribed form and manner, any suspicious transactions under section 14 of the FTR Act, and Threshold Transaction Reporting (TTR) according to the FIU Notices issued under the FTR (Amendment) Act 2022. 7.4 Furthermore, the AML Compliance Officer must ensure that all employees and officers are aware of the laws, procedures and policies relating to money laundering and financing of terrorism. 8.0 Roles and Responsibilities of the Internal Audit Function 8.1 Each LFI must, under Section 21 (3) of the FTR Act, establish an audit function to test its procedures and systems for combating money laundering and financing of terrorism. 8.2 The LFI’s audit function must be adequately resourced and independent to test compliance (including sample testing) with the procedures, policies and controls required, including: a) Attestation of the overall integrity and effectiveness of the written procedures, policies, systems, and controls and technical compliance with the Act and FTR Regulations; b) Transaction testing in all areas of the LFI with emphasis on high-risk areas, products and services to ensure that the LFI is complying with the Act and FTR Regulations;

5 c) Assessment of the employees’ knowledge of procedures, policies, systems, and controls; d) Assessment of the adequacy, accuracy, and completeness of employee training programmes; and e) Assessment of the adequacy and effectiveness of LFI’s process for identifying and reporting suspicious transactions and activities, and other reporting requirements under the Act and FTR Regulations. 8.3 An LFI must report to FIU any suspicious information or transaction noted during the internal audit. PART 3: OVERSIGHT AND IMPLEMENTATION ARRANGEMENTS 9.0 Oversight by the Reserve Bank of Fiji 9.1 For the purpose of this Policy, all LFIs are required to provide to the Reserve Bank of Fiji, its initial AML/CFT Policy within 30 days from the date of the implementation of this Policy. Each LFI must also provide a copy of the same whenever material changes are made to the Policy, and this must be submitted to the Reserve Bank of Fiji within 7 days of Board approval. 9.2 Non-compliance with this Policy may result in sanctions as provided under section 15 of the Banking Act and Section 29 of the FTR Act. 10.0 Reporting to the Reserve Bank of Fiji 10.1 The Reserve Bank may require from time to time, ML/TF risk management information, in a format specified, to meet the objectives of this policy. 11.0 Implementation Arrangements 11.1 This Policy applies to all LFIs licensed under the Banking Act 1995 and will be effective immediately. Reserve Bank of Fiji April 2025 (Revised) Attach: Schedule: Interpretation

6 SCHEDULE Interpretation - (1) Any term or expression used in this Notice that is not defined in this Notice: a) which is defined in the Act shall, unless the context otherwise requires, have the meaning given to it by the Act; b) which is not defined in the Act and which is defined in any of the Reserve Bank of Fiji Policy Statements shall, unless the context otherwise requires, have the meaning given to it by those policy statements; and c) which is not defined in the Act or in any of the Reserve Bank of Fiji’s Policy Statements shall, unless the context otherwise requires, be interpreted in accordance with generally accepted accounting practice. (2) In this Notice, unless the context otherwise requires: Act: means the Financial Transactions Reporting Act 2004 unless otherwise specified as the Banking Act 1995. Licensed Financial Institution: for the purpose of this Policy, refer to a bank or a credit institution as defined under the Banking Act 1995. Proxy: for the purpose of this Policy is relevant to licensed financial institutions which operate as a branch in Fiji. In such cases, the responsibilities of the Board may be conferred on a Senior Official nominated and approved by the Head Office. The LFI must ensure that the Reserve Bank is notified of such nominations and any changes made therein. CEO’s are not to be delegated this responsibility. Senior Management: include those persons whose conduct has a significant impact on the sound and prudent management of the LFI’s operations, and includes but not limited to Senior Managers, Senior Executives, General Managers/Chief Executive Officer.