COSOB Guidelines No. 02-2025 of 22 October 2025 on Customer Due Diligence Measures (Version 0.2)

---

People's Democratic Republic of Algeria Guidelines No. 02-2025 Dated 22 October 2025 Concerning Due Diligence Measures Towards Customers Version 0.2 October 2025 Commission for the Organization and Supervision of Stock Exchange Operations – COSOB –

Introduction These guidelines constitute a comprehensive strategic framework aimed at enhancing awareness and guidance from the Commission for the Organization and Supervision of Stock Exchange Operations, to ensure effective compliance by regulated entities with the indivisible procedures of the prevention and fight against money laundering, terrorist financing, and the financing of proliferation of weapons of mass destruction. These measures form part of the preventive framework for applying appropriate due diligence measures. The objective of these guidelines is to enhance the implementation of these measures, in full alignment with the recommendations of the Financial Action Task Force (FATF), specifically Recommendations 10, 11, 12, 16, 18, 19, and 34. The primary objective of these guidelines is to ensure the effective implementation of these measures, thereby contributing to the protection of the financial system against money laundering, terrorist financing, and the financing of proliferation of weapons of mass destruction, in accordance with international standards and best practices in this field.

First: Legal and Regulatory Framework • Ordinance No. 66-156 dated 18 Safar 1386 corresponding to 8 June 1966, concerning the Penal Code, as amended and supplemented; • Decree No. 93-10 dated 23 May 1993, concerning the Stock Exchange, as amended and supplemented; • Law No. 01-05 dated 6 February 2005, concerning the prevention and fight against money laundering and terrorist financing, as amended and supplemented; • Executive Decree No. 23-429 dated 29 November 2023, concerning the Register of Beneficial Owners of Legal Entities Subject to Algerian Law; • Executive Decree No. 25-101 dated 12 March 2025, concerning freezing and/or seizure procedures in the framework of preventing terrorist financing and the financing of proliferation of weapons of mass destruction; • Executive Decree No. 102-25 dated 12 March 2025, determining the composition of the Committee for the Follow-up of Targeted International Sanctions and organizing its work; • Executive Decree No. 103-25 dated 12 March 2025, determining the procedures for registration on and deletion from the National List of Terrorist Persons and Entities, and the consequences thereof; • COSOB Regulation No. 24-01 dated 11 Muharram 1446 corresponding to 17 July 2024, concerning the prevention and fight against money laundering, terrorist financing, and the financing of proliferation of weapons of mass destruction; • COSOB Instruction No. 07-24 dated 21 November 2024, concerning due diligence measures towards customers in the framework of preventing money laundering, terrorist financing, and the financing of proliferation of weapons of mass destruction.

Second: Definitions For the purpose of understanding these guidelines, the following terms are defined as follows: • Regulated Entities: Entities subject to the supervision of the Commission for the Organization and Supervision of Stock Exchange Operations, including securities brokers, investment fund management companies, securities investment companies, public offering companies, and crowdfunding platform operators. • Customer: A natural or legal person who deals with the Regulated Entity. • Occasional Customer: A customer who does not have a continuing business relationship with the Regulated Entity. • Business Relationship: The business relationship between the customer and any Regulated Entity, arising from any activity. • Beneficial Owner: The natural person(s) who, directly or indirectly:

1. Owns or effectively controls a customer or its agent, or beneficiaries of life insurance contracts or investments; and/or
2. On whose behalf a transaction or operation is being executed; or
3. Exercises effective control over a legal person or legal arrangement. • Politically Exposed Person (PEP): Algerian nationals and foreigners entrusted with or who have been entrusted with prominent public functions in or outside Algeria, such as Heads of State or Government, senior politicians, senior government officials, judges, senior executives of state-owned companies, senior executives of political parties, as well as persons entrusted with or who have been entrusted with prominent functions by an international organization as senior management members, board members, or equivalent positions. This definition does not apply to persons holding middle or lower-level positions within the categories mentioned above. • Trusts: Any current legal entity that is not subject to the regulations governing trusts, including those established outside the territory under a contract or agreement whereby a person makes funds available to another person or places them under specific control for the purpose of managing them for the benefit of a specific beneficiary or for a specific purpose. The funds do not form part of the assets of the person managing or controlling them. • Trusts: A legal relationship created by a contract whereby a person places assets under the management of a trustee for the benefit of a beneficiary or for a specific purpose. • Targeted Financial Sanctions: Freezing and/or seizure of funds and prohibition of making funds or assets available, directly or indirectly, for the benefit of persons and entities listed on the Unified Sanctions List and the National List of Terrorist Persons and Entities. • Unified Sanctions List: A list recording the full identity of persons and information concerning all entities subject to targeted financial sanctions imposed by the United Nations Security Council related to terrorism and its financing or the prevention of proliferation of weapons of mass destruction and its financing, including relevant Security Council lists. • National List of Terrorist Persons and Entities: The list established pursuant to Article 87 ter 13 of Ordinance No. 66-156 dated 18 Safar 1386 corresponding to 8 June 1966, concerning the Penal Code. • Group: A majority group consisting of a parent company or other legal entities holding shares in subsidiaries, applying or implementing group-wide control principles in conjunction with branches and/or subsidiaries subject to policies and procedures to combat money laundering and terrorist financing at the group level.

Regulated entities must comply with the duty of vigilance. For this purpose, they must establish a written prevention, detection, and fight against money laundering, terrorist financing, and the financing of proliferation of weapons of mass destruction program, taking into account their business model and risks associated with money laundering and terrorist financing, specifically: • Policies, • Procedures, • Internal controls.

Third: Due Diligence Measures Before Establishing a Business Relationship or Executing Transactions A. Identification of Customers and Their Agents • Verification and Confirmation: Regulated entities must verify the identity of the customer using a set of reliable official documents (such as national ID cards, passports, company or trade registry records). They must also verify the identity of agents or representatives using official documents, such as legal powers of attorney. • Supervision of Agents: Regulated entities must carefully verify the persons acting on behalf of customers, using independent verification means, such as trade registries or validation of registered legal powers of attorney. B. Determination of Purpose and Nature of the Relationship • Data Analysis: Each customer file must include a complete analysis of the purpose of the relationship (e.g., commercial? investment? financial?) and expected activities. For example, for a customer using complex financial services, the purpose of this service and financial intentions must be investigated and documented. • Analysis of Future Activities: It is necessary to anticipate the type of operations expected within the framework of the relationship (e.g., large? periodic?). C. Processing Suspicious Information • Independent Verification: In case of doubt regarding the accuracy or completeness of information provided by the customer, independent investigations must be conducted using reliable means, such as supplementary data, information updated by financial authorities, or audits conducted by third parties. • Preventive Measures: If suspicions persist after verification, enhanced measures may be taken, such as requesting additional documents or suspending the business relationship until clarification is obtained. Verification of consistency between operations and stated objectives is required. • Consultation with Sanctions Lists: Regulated entities must establish procedures to verify that customers are not listed on national or international sanctions lists related to money laundering, terrorist financing, and proliferation of weapons of mass destruction. • Periodic Verification: Names appearing in these lists must be verified regularly. D. Suspicious Operations • Suspension of Operations: In case of doubt regarding an operation related to money laundering, terrorist financing, or the financing of proliferation of weapons of mass destruction, the Regulated entity must immediately suspend the operation and investigate it. • Reporting of Suspicions: A suspicion report must be sent to the Financial Intelligence Processing Unit and/or the competent local authorities in accordance with the law. E. Continuous Verification of Data • Periodic Update: Regulated entities must update customer information regularly, taking into account the risks associated with each customer. • Frequency of Update: Updates must occur at least once a year, but may be more frequent if significant changes occur in the customer's activities or associated risks.

Fourth: Due Diligence Measures for Identifying and Verifying the Identity of the Customer A. Basic Measures • Collection of Detailed Information: Regulated entities must collect all required information from the customer (whether natural or legal) using the approved "Know Your Customer (KYC)" form. B. Reports and Documents • Verification of Documents: Official documents provided by the customer must be verified using techniques such as biometric analysis or verification tools to ensure information accuracy.

Fifth: Information Collection About the Customer Before Establishing the Relationship A. Pre-Relationship Information Analysis • Regulated entities must analyze all available data (such as information on business activity, financial status, sources of funds) and ensure compliance with legal standards. • Customers must be classified according to the risk level associated with their file (low, medium, high) before establishing a business relationship. B. Customer Knowledge File • A complete file must be prepared for each customer, containing personal or legal data, purpose and nature of the relationship, and associated risk level.

Sixth: Due Diligence Measures for an Existing Business Relationship A. Verification of Information • Use of Advanced Techniques: Regulated entities must use video verification, digital interviews, or biometric verification tools to ensure customer identity accuracy. • Analysis of Provided Data: Customer-provided data must be compared with data available in public or private databases. B. Interviews and Checks • Direct Interviews: In case of doubt, direct interviews via communication platforms may be necessary.

Seventh: Updating Customer Knowledge and Data A. Periodic Review of Data • Regulated entities must update customer information at specific intervals based on associated risks. Annual updates are the minimum requirement. For high-risk customers, updates may be more frequent. B. Verification of Changes in the Relationship • Information must be updated in case of changes in the business relationship structure, such as changes in ownership or addition of new financial services.

Eighth: Analysis of Updated Information and Re-evaluation of Risks • After updating data, a complete re-evaluation of the customer file must be conducted to ensure that associated risks remain low or under control.

Ninth: Effective Internal Control System Regulated entities must establish a strong internal control system that ensures regular updates of information and integrates these systems into adopted procedures.

Tenth: Measures in Case of Difficulty Updating • If a Regulated entity is unable to update a customer's data and notify the competent authorities, it must immediately close the account. • Reporting Procedures: Regulated entities must notify competent authorities, such as the Financial Intelligence Processing Unit, and terminate the business relationship if necessary.

Eleventh: Ongoing Vigilance During the Business Relationship A. Continuous Monitoring of Operations • Operations executed must be monitored permanently and integrally throughout the duration of the relationship. • Continuous Review: Operations must be reviewed regularly, taking into account customer information updates, risk assessments, and changes in administrative policies. • Automated systems must be used to monitor suspicious or unusual operations. B. Use of Technological Tools • Automated systems must be used to detect unusual operations or transactions if operations are executed remotely. • Monitoring tools must be based on reliable and updated customer information to accurately identify non-compliant transactions.

Twelfth: Defining Criteria for Unusual Operations A. Clear Definition of Criteria • Precise criteria must be defined to identify unusual operations, such as high-value operations, operations executed under exceptional circumstances, or those that are opaque, complex, or lack economic justification. • Regulated entities must apply flexible criteria to detect operations that may be related to money laundering or terrorist financing. B. Risk-Based Analysis • Thresholds of significance must be adapted to the nature of the customer and the business environment. For example, operations executed in high-risk countries or regions require closer attention.

Thirteenth: Operations Monitoring System A. Establishing Automated Monitoring Systems • The absence of an automated monitoring system covering all financial activities of the entity, for the detection of unusual operations, is not acceptable. • For simple or small operations, manual systems may be used to reduce costs while ensuring monitoring effectiveness. B. Continuous Review of the System • The system must be reviewed regularly to assess its effectiveness and update criteria to reflect business and risk developments. • Alert Analysis: In case an unusual operation is detected, the alert must be examined carefully to determine if it is related to money laundering or terrorist financing.

Fourteenth: Human Resources for Alert Analysis • Regulated entities must have specialized and well-trained employees to analyze alerts generated by the operations monitoring system. • These employees must have access to all internal information necessary to ensure process effectiveness.

Fifteenth: Application of Enhanced Measures for Business Relationships with High-Risk Countries A. Establishing Additional Measures for Customers from High-Risk Countries • Regulated entities must apply enhanced due diligence measures for customers coming from countries classified as high-risk in the field of money laundering and terrorist financing. • This includes collecting and analyzing additional data, following guidance from competent authorities regarding the treatment of these countries. B. Enhanced Measures • Anti-risk measures must be applied, such as requesting additional information on customer business activities or conducting deeper controls on financial transactions. • In-depth Audit: A detailed check of fund flows must be conducted to detect any suspicious activity.

Sixteenth: Legal Structures A. Verification of Foreign Legal Structures • It is necessary to verify details of foreign legal structures such as trusts or entities with complex structures. • This requires collecting specific documents regarding the organizational structure, controllers, trusts, and beneficiaries. B. Verification of Documents • Documents related to legal structures must be verified using reliable documents, such as official registries or notarized documents.

Seventeenth: Enhancing Supervision of High-Risk Relationships A. Strict Monitoring of High-Risk Customers • Customers classified as high-risk must be subject to continuous monitoring, and additional data on their activities must be collected. B. Management of High-Risk Operations • Large operations or those executed in particularly high-risk geographic areas must be monitored.

Eighteenth: Application of Simplified Measures for Low-Risk Customers A. Reducing Vigilance Level in Case of Low Risk • Regulated entities may apply simplified measures when operations or customers are of low risk (e.g., licensed financial institutions or companies listed on stock exchanges). B. Clear Definition of Low-Risk Customers • Customers belonging to specific sectors or countries with effective anti-money laundering systems must be classified as low-risk.

Nineteenth: Document Retention A. Retention Period • Regulated entities must retain documents related to due diligence procedures and executed operations for at least five years after account closure or termination of the business relationship. B. Access to Documents • Documents must be easily accessible to competent authorities when needed, ensuring data integrity and security. C. Secure Record Keeping • Regulated entities must keep archives securely, including data backups stored in safe locations. D. Maintaining Accurate Records • Records must be detailed enough to reconstruct operations clearly if requested by authorities.

Twentieth: Final Provisions Procedures related to appropriate due diligence measures must be clear and precise for all levels of the Regulated entity to ensure effective compliance and avoid any penalty or legal action in case of non-compliance.

Algeria, 22 October 2025 President Youssef Bouznada