AML/CFT/CPF Handbook — 2 Responsibility of Key Individuals

www.gfsc.gi 2. Responsibility of Key Individuals AML/CFT/CPF Guidance Notes May 2026

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 2 Table of Contents

1. AML/CFT/CPF Responsible Person ...................................................................................................... 3 2.2 The MLRO........................................................................................................................................ 4 2.2.1 Appointment of the MLRO.......................................................................................................... 4 2.2.2 Functions of the MLRO................................................................................................................ 5 2.2.3 Reporting..................................................................................................................................... 6 2.3 Head of Compliance Function ......................................................................................................... 8 2.4 Overseas Branches, Subsidiaries and Outsourced Functions.......................................................... 8

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 3

1. AML/CFT/CPF Responsible Person AML/CFT/CPF Requirements R1 The senior management of a regulated entity is responsible for, and must ensure the establishment and maintenance of, robust and appropriate systems and controls to prevent and detect money laundering, terrorist financing and proliferation financing, in accordance with the requirements set out in both the legislation and these Guidance Notes. Guidance
2. POCA imposes the requirement that regulated entities must appoint a director, senior manager or partner with overall responsibility for compliance with POCA and these Guidance Notes1 .
3. Section 34 of POCA refers to offences committed by bodies corporate, partnership and unincorporated associations. Where an offence is committed by a regulated entity this may be apportioned to its directors, managers, company secretary or other officers, members or partners if said offence can be attributable due to the neglect of such persons. For the purposes of these Guidance Notes, these persons are collectively known as “senior management.”
4. The director, senior manager or partner with responsibility for compliance must be appointed as the AML/CFT/CPF Responsible Person and notified to the GFSC. They will hold ultimate responsibility for ensuring that the regulated entity is compliant with the provisions set out in legislation and in these Guidance Notes.
5. The AML/CFT/CPF Responsible Person holds overall responsibility for the establishment and maintenance of effective AML/CFT/CPF systems of control in accordance with the legislative requirements set out in the applicable legislation and these Guidance Notes.
6. The AML/CFT/CPF Responsible Person shall ensure that the regulated entity has appointed a Money Laundering Reporting Officer (MLRO), who can demonstrate sufficient experience, knowledge and understanding of the Gibraltar legislative framework and reporting requirements. There may be instances where the functions of the MLRO and AML/CFT/CPF Responsible Person are carried out by the same individual. This should be assessed and determined by the regulated entity depending on the size and nature of the business and regulated activities undertaken.
7. The AML/CFT/CPF Responsible Person is responsible for ensuring that adequate training in respect of Anti Money Laundering, Counter Terrorist Financing and Counter Proliferation Financing is provided to employees on a continual basis. The training must cover the requirements set out within the local legislative and regulatory framework and include: a) The employees’ legal and regulatory responsibilities; b) The identification and management of risk associated with the regulated entity being used to facilitate money laundering, terrorist financing and proliferation financing; c) How to recognise behaviour, typologies, red flags or patterns which may constitute as potential money laundering, terrorist financing and proliferation financing; d) The internal process for making a suspicious activity report; and e) The provisions for tipping-off and applicable offences.
8. The AML/CFT/CPF Responsible Person must ensure that regular and timely information is made available to senior management in respect of the regulated entity’s money laundering, terrorist 1 Section 9B, Proceeds of Crime Act 2015

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 4 financing and proliferation financing risks. This information must be documented and made available to senior management in the event of any breaches of the legislative requirements and must also include any remedial actions the regulated entity has taken to rectify the position. 8. The AML/CFT/CPF Responsible Person has responsibility for ensuring that the regulated entity’s risk management framework relative to AML/CFT/CPF, including policies, procedures, methodologies and business risk assessment, is documented, assessed on a regular basis and applied to ensure it remains fit for purpose. The AML/CFT/CPF Responsible Person is ultimately responsible for the oversight of the regulated entity’s AML/CFT/CPF activities and the implementation of its AML/CFT/CPF strategy, systems and controls. 9. The policies, procedures and framework referred to in paragraph 8 must include appropriate measures that are commensurate to the size and products/services provided by the regulated entity and must give consideration to the following: a) The permission/authorisation/registration held by the regulated entity and the extent to which measures must be applied; b) Changes in the regulated entity’s business profile; c) The development of new products; d) The onboarding of new business relationships; e) The continued development of existing business relationships; f) All relevant legislative and regulatory requirements. 2.2 The MLRO 2.2.1 Appointment of the MLRO AML/CFT/CPF Requirements R2 A regulated entity must, at all times, have an appointed Money Laundering Reporting Officer (MLRO) who is sufficiently qualified, independent, competent and approved by the GFSC to undertake the function in that sector and entity. Guidance 10. All regulated entities which are classified as a relevant financial business under Section 9 of POCA are required to appoint an individual to act as the Money Laundering Reporting Officer (MLRO)2 . 11. The appointment of the MLRO must be approved by the Gibraltar Financial Services Commission as the relevant Supervisory Authority listed under Schedule 2 of POCA. 12. The MLRO must be sufficiently experienced, senior, and free to act on their own authority and be informed of any relevant knowledge or suspicions arising within the regulated entity. 13. The regulated entity needs to assess the size and nature of the business activities undertaken in ensuring that the MLRO is sufficiently senior to command the necessary authority to comply with their reporting obligations. 14. The MLRO will act as the “appropriate person” as required under Section 28 of POCA to receive and process internal and external suspicious activity reports. 2 Schedule 14, Financial Services Act 2019

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 5 15. The MLRO is required to act as a central point of contact with law enforcement agencies, to handle the suspicious activity reports raised by the regulated entity’s employees in relation to potential money laundering, terrorist financing and proliferation financing. 16. The MLRO is required to be an employee of the regulated entity, whether as part of its governing body, management or staff and be based in Gibraltar or the immediate surrounding area. This requirement applies to all regulated entities, including multinational entities or branches operating from or within Gibraltar. The MLRO is generally required to be employed by the regulated entity on a full-time basis. 17. In the case of an MLRO ceasing to carry out the function, this must be notified as soon as practically possible to the GFSC as outlined in Section 104 of the Financial Services Act 2019 and a replacement identified to ensure continuity of the MLRO function. 2.2.2 Functions of the MLRO AML/CFT/CPF Requirements R3 The Money Laundering Reporting Officer (MLRO) of a regulated entity is the appropriate person to receive, investigate and disseminate suspicious activity reports to the Gibraltar Financial Intelligence Unit (GFIU) or any other relevant law enforcement agencies. Guidance 18. The MLRO shall act as the appropriate person to receive disclosures about knowledge or suspicions of money laundering, terrorist financing or proliferation financing that may be taking place in regard to the activities carried out by the regulated entity or its customers/affiliated entities. 19. The MLRO is required to take into consideration all other relevant information for the purposes of determining whether the information, or other matter contained in the internal suspicious activity report (SAR) gives rise to such knowledge or suspicion that an applicant for business, or existing business relationship may be engaged in money laundering, terrorist financing or proliferation financing. 20. The MLRO must have reasonable access to all information which may be of assistance in maintaining the internal reporting procedures concerned. This must include a record of all internal suspicion reports received and the rationale supporting or negating the suspicions outlined. 21. In addition to the above, the MLRO must have access to all relevant records relating to the business relationship should it be requested by law enforcement agencies to assist at any point in the event of an investigation. 22. The MLRO must take steps to validate the suspicion in order to determine whether or not a report should be disseminated to the GFIU. In deciding, the MLRO must consider all relevant information available concerning the applicant for business, or the business relationship. If, after conducting an extensive review, there are no facts that would negate the suspicion, a SAR must be submitted to the GFIU.

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 6 23. It is a requirement to disclose information or any other matter relating to ML/TF/PF to the GFIU as soon as is reasonably practicable after the suspicion has been identified and assessed by the MLRO. Failure to do so is considered an offence under POCA3 . 24. Following the disclosure of a SAR, the MLRO is required to provide the GFIU with all relevant information appropriate to the case and is expected to liaise on any questions and/or on whether to discontinue the business relationship in such circumstances. 25. The MLRO is guilty of an offence under Section 68(1)c of POCA if the information, or other matters received are not disclosed to the GFIU as soon as it is reasonably practicable once the suspicion has been identified and assessed. 26. The MLRO must keep a formal record of all matters reported and whether or not it resulted in a formal disclosure to the GFIU. The format should consist of, as a minimum, the member of staff who raised the internal SAR (if applicable), the description of the suspicion, any supporting evidence and the date on which a determination was made. This must be in line with the record keeping requirements set out within POCA4 . 27. The MLRO should not make a SAR disclosure to the GFIU if there are no grounds to support any suspicion after undertaking reasonable, extensive internal enquiries to determine that all relevant information has been considered. This is constituted as defensive reporting. 28. The MLRO having sufficient financial and non-financial resources available to them to undertake the function and appoint a sufficiently qualified individual to be able to undertake the function in periods of absence. 2.2.3 Reporting 29. The MLRO is required to support and assist senior management in identifying, managing, and mitigating the risk of money laundering, terrorist financing and proliferation financing being carried out via the regulated entity. 30. A regulated entity is required, on an ongoing basis, to carry out regular assessments of its systems and controls to ensure satisfactory measures are in place to ensure suspicious activity is appropriately identified and disclosed in order to prevent and detect money laundering, terrorist financing and proliferation financing. Where a regulated entity has identified a breach or deficiency in their AML/CFT/CPF systems or controls, it is required to notify the GFSC without delay. That notification should also include how the regulated entity intends to mitigate the AML/CFT/CPF risks as a result of the issues identified. 31. Regulated entities with five or more employees must commission an MLRO report to senior management assessing the operation and effectiveness of the regulated entity’s systems of control in relation to managing and mitigating money laundering, terrorist financing and proliferation financing risks. The report must be compiled at least annually and include: a) The number of internal suspicious activity reports presented to the MLRO for review, including the rationale as to why these were, or were not, disseminated to the GFIU; b) Deficiencies identified within the regulated entity’s AML/CFT/CPF controls and proposals to remediate the deficiencies; c) Any improvements which could strengthen the regulated entity’s AML/CFT/CPF controls; 3 Section 6B(1)(c), Proceeds of Crime Act 2015 4 Section 25, Proceeds of Crime Act 2015

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 7 d) The progress of any significant remediation programs; and e) The outcome of any relevant quality assurance, internal or independent audit where a review has been carried out of the regulated entity’s AML/CFT/CPF processes and procedures. 32. Senior management must take into consideration any deficiencies or shortcomings highlighted in the MLRO report and take any action required to remediate or address the regulated entity’s AML/CFT/CPF controls in a timely manner. In the cases where remedial action is required, the MLRO must consider increasing the frequency of reporting to senior management. Sector-specific Guidance – Initial Coin Offerings (ICOs) 33. In general, the MLRO (Money Laundering Reporting Officer) must be a permanent, full-time employee of the entity seeking registration. However, the GFSC has adopted a slightly different approach for token sale entities that solely conduct activities under Regulation 4(1)(c) of the Proceeds of Crime Act (Relevant Financial Business) (Registration) Regulations 2021. 34. In the case of such token sale entities, the GFSC considered the matter and concluded that if the regulated entity is providing services from or within Gibraltar and is registered and supervised for AML/CFT/CPF purposes, the MLRO's role and responsibility must be fulfilled within Gibraltar. While the MLRO function itself may be outsourced, the ultimate responsibility for compliance must remain within Gibraltar. 35. The GFSC has allowed some flexibility in respect of ICO providers by permitting an individual in full-time employment (such as a current MLRO/Director of another, generally unrelated entity) to take on the role of MLRO for an Initial Coin Offering (ICO) on a temporary basis, considering it is a limited-time event. 36. The GFSC will consider, on a case-by-case basis, whether an employee or director of an unrelated entity has the necessary skills, experience, capacity and independence from their other role(s) to also carry out the MLRO function. In order to reach a decision in such cases, the GFSC may request information on: a) The applicant entity’s expected number of customers/token sales; and/or b) The controls put in place by the applicant entity to preclude the existence of significant conflicts of interest (e.g. preventing the MLRO’s remuneration from being linked to the number of tokens sold). Where an individual is not a permanent, full-time employee of the entity seeking registration, they must be appointed as an officer of the entity (e.g. as an Executive Director). Sector-specific Guidance – Insolvency Practitioners (IPs) 37. IPs are licensed as individuals. As such, the named IP automatically assumes the roles of both the MLRO and the AML/CFT/CPF Responsible Person. 38. The responsibilities associated with the MLRO and AML/CFT/CPF Responsible Person functions cannot be outsourced. Whilst an IP can seek operational support on the fulfillment of these functions, they will retain ultimate responsibility for their fulfilment. For this reason, it is imperative that the IP is aware of, and can identify, the ML/TF/PF red flags and typologies associated with this sector. Any outsourcing agreements or arrangements should be detailed within the policies and procedures and should be readily available upon request. Where such outsourcing arrangements exist, the IP should also be able to evidence oversight and decision￾making power.

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 8 2.3 Head of Compliance Function 39. A regulated entity is required to appoint a Head of Compliance under Schedule 14 of the Financial Services Act 2019. 40. The Head of Compliance is considered a Regulated Individual with the responsibility for overseeing and managing a regulated entity’s compliance with legal and regulatory requirements. The role involves developing, implementing and maintaining policies and procedures to ensure the entity adheres to the relevant legislative requirements, regulations and industry standards and expectations. 41. The appointment of a Head of Compliance is required to be notified to, and approved by, the GFSC. The fitness, propriety and suitability of the candidate to undertake the function is taken into consideration at application stage. Once an individual ceases to hold the Head of Compliance function, this must be notified to the GFSC, and a suitable replacement appointed as soon as reasonably possible. 42. In certain circumstances, the GFSC may allow for the Head of Compliance to be an individual who is already carrying out another regulated function. This is determined by the GFSC on a case-by-case basis and the capacity and capability of the proposed applicant is considered. 2.4 Overseas Branches, Subsidiaries and Outsourced Functions AML/CFT/CPF Requirements R4 A regulated entity must ensure that where it has overseas branches, subsidiaries or outsourced functions, the AML/CFT/CPF controls, processes and procedures carried out are as a minimum, in line with the Gibraltar legislative and regulatory framework. R5 Where functions are outsourced, the regulated entity must ensure it has full oversight of and access to, information held by the outsourced provider. It must conduct regular checks to ensure compliance with Gibraltar legislative standards and these Guidance Notes. Guidance 43. A regulated entity must ensure that its branches and subsidiary undertakings situated in countries or territories outside Gibraltar implement measures, as far as the law of that country or territory allows. These measures must be, as a minimum, to an equivalent standard to those required by Gibraltar law in respect of customer due diligence, ongoing monitoring and record keeping. 44. If the laws of a country or territory outside Gibraltar do not allow the branch or subsidiary undertaking located there to implement the equivalent measures outlined in paragraph 36, the regulated entity must: • Notify its supervisory authority; • Implement additional measures to effectively manage the risks of ML, TF, and PF; and • Ensure that the requirements expected in Gibraltar are met, to the extent permitted by the laws of that country or territory. 45. A regulated entity may choose to outsource part of its systems and controls. However, in these instances the outsourced function must be conducted in line with the applicable legislation and these Guidance Notes. A regulated entity is unable to absolve itself of its regulatory responsibilities to third parties and therefore, has ultimate responsibility for any outsourced function or activity.

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes 9 46. In all instances of outsourcing, the delegating entity bears the ultimate responsibility for the duties undertaken in its name. This will include the requirement to ensure that the provider of the outsourced services has in place satisfactory AML/CFT/CPF systems, controls and procedures, and that those policies and procedures are adhered to, are current, and reflect changes in requirements of Gibraltar legislation and these Notes. 47. A regulated entity must require its branches and subsidiary undertakings which are located in a country or territory outside Gibraltar to apply, to the extent permitted by the law of that country or territory, measures at least equivalent to those set out in POCA with regard to customer due diligence measures, ongoing monitoring and record keeping. 48. The regulated entity must also adhere to the applicable reporting procedures, legislative and regulatory requirements in the host country. Where local laws or requirements do not reflect the same standard as Gibraltar equivalent practices or higher, the regulated entity must inform the GFSC. Where meeting local requirements would result in a lower standard than in Gibraltar, Gibraltar applicable and equivalent standards must be applied. 49. In the cases of suspected suspicious activity relating to money laundering, terrorist financing or proliferation financing occurring in overseas operations of a regulated entity, these must be reported within the jurisdiction where the suspicion arose. Regulated entities must also consider the requirement for a report to be made locally to the GFIU. 50. Where operational activities are undertaken in other jurisdictions, all employees and contractors of such entity must be subjected to the AML/CFT/CPF policies, procedures and training that are applicable to the Gibraltar-based entity. This extends to and includes internal reporting procedures and legislative and regulatory requirements. Outsourcing agreements must be in place and regularly reviewed to cover the requirement to appropriately report management information on an ongoing basis in respect of money laundering, terrorist financing and proliferation financing controls. Experienced Investor Funds/Alternative Investment Fund Managers 51. Experienced Investor Funds are required under Regulation 9 of the Financial Services (Experienced Investor Funds) Regulations 2020 to appoint an administrator. The fund administrator’s duties must be clearly outlined in an outsourcing agreement which covers the duties of the fund administrator. In cases where compliance is outsourced, the Experienced Investor Fund must still be compliant with the above regulations and have its own appointed MLRO in line with Section 28 of POCA and policies as outlined under Section 26(1) of POCA. 52. Experienced Investor Funds and Alternative Investment Fund Managers are not able to absolve their responsibilities under POCA as relevant financial businesses and must note that they are not exempt from Gibraltar-specific legislative requirements, including the obligation to undertake Gibraltar-based training in line with the requirements. In addition, a regulated entity needs to be aware that whilst the compliance function can be outsourced to the fund administrator, the ultimate responsibility for compliance lies with the MLRO and the AML/CFT Responsible Person based in Gibraltar.

Published by: Gibraltar Financial Services Commission PO Box 940 Suite 3, Ground Floor Atlantic Suites Europort Avenue Gibraltar www.gfsc.gi © 2017 Gibraltar Financial Services Commission