CBB Volume 5 Draft Common Modules for Trust Service Providers

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 1 Reference to the draft Directive: Comments REF CBB’s Response Module AA AA-3.1.2 Specialised licensees are required to submit a Quarterly Prudential Return (QPR). Specialised licensees may apply in writing to CBB for an exemption from the requirement that the QPR be reviewed by the licensee’s external auditor: this exemption would normally only be given where the licensee had established a track record of accurate and timely reporting, and there were no other supervisory issues of concern. Further details on the CBB’s reporting and related requirements, including the precise scope of the auditor’s review and attestation, will be contained in Module BR (CBB Reporting). A Trust Service Provider inquired if the requirement for the quarterly prudential return is applicable to Trust service providers? Are they exempt or should they write to the CBB in accordance with this Module? If so, when should they apply for exemption? As Module BR for trust service providers will be developed in the future, along with the appropriate quarterly prudential return, this requirement will apply at a later date. Reference to the draft Directive: Comments REF CBB’s Response Module FC

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 2 FC-1.1.4 For the purposes of this Module, “customer” includes counterparties such as financial markets counterparties, except where financial institutions are acting as principals where simplified due diligence measures may apply. These simplified measures are set out in Section FC 1.10. For the representative office licensees, ‘customer’ includes customers of the HO that the Representative office liaises with for general purposes. Examples might include general inquiries and inquiries regarding the accuracy of customer information. A Trust Service Provider noted that it would be helpful if the definition of “financial markets counterparties” is clarified. Having read the Module in context of a capital markets structure and the following Jersey Trust Company business guidance: “Where a relevant person acts as a trustee to a charitable trust which is established to hold an investment in a debt-issuing vehicle, or to hold security (as bare trustee for debt-holders)over assets held within such a vehicle, then the “originator” of the transaction is likely to be a person who is concerned with the trust. Except to the extent that any debt-holder is able to exercise effective control over the underlying debt-issuing vehicle, debt holders will not be considered to be persons who are concerned with the trust (nor will they be considered to be beneficial owners and controllers of the underlying debt-issuing vehicle).” Does this mean that the CBB would still consider debt-holders and other counterparties to be customers (and therefore subject to client Due Diligence requirement) except where the principal (or originator) in a structure is a regulated financial institution? The definition of “customer” should be clarified further and how it includes financial markets counterparties. The CBB does consider any debt holders and other counterparties to be “customers” and subject to Module FC as defined under the Paragraph FC-1.1.4. Certain parties (such as a bank making a funds transfer on behalf of its customer) may be a counterparty of the trust provider but they are not its customer. In Volume 1 counterparties are defined separately from customers. Therefore we would refer to the definition of counterparty in Volume 1 which states: “ Counterparty A counterparty is the other person in a contract. Therefore, if bank A buys a security issued by company B from broker C, bank A has counterparty risk to broker C and Issuer Risk in respect of company B. A counterparty may include any legal person or arrangement, but generally would mean the following: (a) Any individual; (b) Any unincorporated body of persons; (c) Any company which is not a member of a group; or (d) Any group of companies; or (e) Any government of a State or any public bodies, local authorities or nationalised industries of a State.”

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 3 FC-1.2.1 If the customer is a natural person, licensees must obtain and record the following information (in hard copy or electronic form), before providing financial services as described in Paragraph FC-1.1.2: (a) Full legal name and any other names used; (b) Full permanent address (i.e. the residential address of the customer; a post office box is insufficient); (c) Date and place of birth; (d) Nationality; (e) Passport number (if the customer is a passport holder); (f) CPR or residence permit number (for residents of Bahrain or GCC states); (g) Telephone/fax number and email address (where applicable); (h) Occupation or public position held (where applicable); (i) Employer’s name and address (if self-employed, the nature of the self￾employment); A Trust Service Provider noted that the statutory requirements for obtaining customer information are very comprehensive, much more so than Jersey. Can it be clarified how and when “where applicable” will apply with regards to the contact details and occupation/ public position held? It is noted that if a resident in Bahrain, a substantial amount of this information is provided on the CPR extract and identification documentation, however, if the customer is outside Bahrain, some of this information may seem onerous and may not add a requisite amount of value to the identification being sought. The Trust Service Provider also wanted clarification whether there is any scope for varying client due diligence requirements based on the customer’s risk status? These are in accordance with the FATF recommendations and are standard requirements. This is very basic information and is required for all customers without any exception. In this context “where applicable” refers to when a person is a PEP or not, or whether they have an email account or not and nothing more than that. If not a PEP, you just need occupation and to get written evidence (a certified copy) of occupation. If customer does not have an email address, move on to next question. With regards to contact details and occupation/ public position held, this is already covered in the revised FATF Recommendations under Recommendation 10 and its interpretative notes. Risk variables are mentioned also in the interpretative notes for Recommendation 10. Module FC chapters one and two very clearly show areas where enhanced and simplified due diligence may take place. The licensees should take time to read these sections.

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 4 (j) Type of account, and nature and volume of anticipated business dealings with the licensee; (k) Signature of the customer(s); and (l) Source of funds. FC-1.2.5 Identity documents which are not obtained by an authorised official of the licensee in original form (e.g. due to a customer sending a copy by post following an initial meeting) must instead be certified (as per FC-1.2.4) by one of the following from a GCC or FATF member state: (a) A lawyer; (b) A notary; (c) A chartered/certified accountant; (d) An official of a government ministry; (e) An official of an embassy or consulate; or (f) An official of another licensed financial institution or of a licensed associate company of the licensee. A Trust Service Provider noted that Jersey and Guernsey are not members of FATF or the GCC. Should commercial business be provided from their sister offices, clarification on the CBB’s position for certifying/ notarising documents by authorized individuals of regulated institutions, lawyers, notaries or accountants from Jersey or Guernsey? For your guidance on Jersey and Guernsey’s postiton within FATF, the following is taken from the FATF website http://www.fatf￾gafi.org/pages/faq/membercountriesandobservers/ : “The Channel Islands (Jersey and Guernsey) and the Isle of Man are not FATF members. They are Crown Dependencies of the United Kingdom (which is an FATF Member) and members of group of International Finance Centre Supervisors (GIFCS), a body that is an observer to the FATF. The GIFCS conducts evaluations of its Members’ anti-money laundering and counter￾terrorist financing systems.” The CBB has allowed Guernsey and Jersey and the Isle of Man and Cayman to be viewed as equivalent to FATF members for the purpose of Module FC because their industry associations (GIFCS in this case) and they attend FATF meetings and they are subject to mutual assessments by the IMF or other regional FATF-type bodies. So certifications have been allowed from licensees in these jurisdictions in the past and will continue in the future. Licensees should approach the CBB in respect of any other specific jurisdictions.

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 5 FC-1.2.6 The individual making the certification under FC-1.2.5 must give clear contact details (e.g. by attaching a business card or company stamp). The licensee must verify the identity of the person providing the certification through checking membership of a professional organisation (for lawyers or accountants), or through checking against databases/websites, or by direct phone or email contact. A Trust Service Provider noted that the requirement to verify all certifiers via online data sources or directly could prove onerous and not commercially viable for taken-on business, when compared to other regulated jurisdictions. Is there any opportunity to take a risk based approach based on jurisdiction, type of business, etc.? No, this is a standard approach used and mandated by the FATF. The risk based approach is used in customer due diligence and is already mentioned in the interpretative notes of Recommendation 10 in the revised FATF Recommendations and is outlined in FC-1 and FC-2. FC-1.2.7 If the customer is a legal entity or a legal arrangement such as a trust, the licensee must obtain and record the following information from original identification documents, databases or websites, in hard copy or electronic form, to verify the customer’s legal existence and structure: (a) The entity’s full name and other trading names used; (b) Registration number (or equivalent); (c) Legal form; (d) Registered address and A Trust Service Provider noted that the requirement to request such information as the telephone, email, fax and external auditors is an increased requirement compared with the Jersey Handbook and would inhibit the commerciality of the business take-on in the region. Clarification needed on what is meant by the “Legal Form”. The CBB considers all these requirements basic and essential and common sense measures to achieve FATF compliance. These measures were included in the Basel Committee General Guide to Account opening and customer identification. Since the FATF Recommendations are high level, there is no specific requirement to request information such as the telephone, email, fax and external auditors. Legal form refers to the legal structure of the legal entity such as Bahrain stock company (BSC), with limited liability (WLL), Single person company (SPC).

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 6 trading address (where applicable); (e) Type of business activity; (f) Date and place of incorporation or establishment; (g) Telephone, fax number and email address; (h) Regulatory body or listing body (for regulated activities such as financial services and listed companies); (i) Name of external auditor (where applicable); (j) Type of account, and nature and volume of anticipated business dealings with the licensee; and (k) Source of funds. FC-1.2.11 Licensees must also obtain and document the following due diligence information. These due diligence requirements must be incorporated in the licensee’s new business procedures: (a) Enquire as to the structure of the legal entity or trust sufficient to determine and verify the identity of the ultimate A Trust Service Provider noted that in subparagraph: (c) The requirement to obtain the country of residence and nationality of all directors/ partners of a customer is an increase in the requirements previously operated under and certainly an increase on the Jersey Handbook. This is usually only required for medium or high risk customers. Is there any scope to take a risk based approach based on jurisdiction, type of business, etc. of the customer? (c)No scope for a risk based approach. This basic information is required for all customers as required by the FATF. Look at FATF Guides. (e) 20% is the requirement as per the CBB. The interpretative notes for Recommendation 10 of the revised FATF Recommendations require “The identity of the natural persons (if any – as ownership

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 7 beneficial owner of the funds, the ultimate provider of funds (if different), and the ultimate controller of the funds (if different); (b) Ascertain whether the legal entity has been or is in the process of being wound up, dissolved, struck off or terminated; (c) Obtain the names, country of residence and nationality of directors or partners (only necessary for private or unlisted companies); (d) Require, through new customer documentation or other transparent means, updates on significant changes to corporate ownership and/or legal structure; (e) Obtain and verify the identity of shareholders holding 20% or more of the issued capital (where applicable). The requirement to verify the identity of these shareholders does not apply in the case of FATF/GCC listed companies; (f) In the case of trusts or similar arrangements, establish the identity of the 7ettler(s), (e) The requirement to identity of shareholders holding 20% or more is a tightening of the thresholds operated by the Jersey Handbook and the FSA (25%). (f) The requirement to obtain due diligence documentation on all beneficiaries of a trust is not commercial where the trust is an employee benefit trust or an occupational savings scheme. Is there any possibility that these types of structures can obtain an exemption? In Jersey, there is an exemption for employer sponsored trusts established for the benefit of their employees where contributions to the trust are made via the employer or payroll deduction. interests can be so diversified that there are no natural persons (whether acting alone or together) exercising control of the legal person or arrangement through ownership) who ultimately have a controlling ownership interest in a legal person;”. A controlling ownership interest depends on the ownership structure of the company. It may be based on a threshold, e.g. any person owning more than a certain percentage of the company (e.g. 25%). (f) Noted. In case of employee benefit trust and occupational saving schemes, the TSP should be exempted from the requirement of obtaining due diligence documentation on all beneficiaries of a trust. Amendment has been made accordingly and rule added to deal specifically with these instances (See updated FC-1.2.11A).

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 8 trustee(s), and beneficiaries (including making such reasonable enquiries as to ascertain the identity of any other potential beneficiary, in addition to the named beneficiaries of the trust); and (g) Where a licensee has reasonable grounds for questioning the authenticity of the information supplied by a customer, conduct additional due diligence to confirm the above information.

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 9 FC-1.7.1 A licensee may only accept customers introduced to it by other financial institutions or intermediaries, if it has satisfied itself that the introducer concerned is subject to FATF￾equivalent customer due diligence measures. Where licensees delegate part of the customer due diligence measures to an introducer, the responsibility for meeting the requirements of Chapters 1 and 2 remains with the licensee, not the introducer. A Trust Service Provider required clarification whether the CBB will accept the concept of a Group Introductory Certificate, whereby a company within the Trust Service Provider’s Group* would introduce a client and verify that it holds all the relevant due diligence on the client? The Trust Service Provider’s Group policy is that due diligence is obtained in accordance with Jersey, or local regulations, whichever is higher. Jersey’s customers due diligence measures are equivalent to FATF. *Ogier Fiduciary Services (Jersey) limited is a 50% shareholder of Two Seas Trust BSC©. Yes, subject to the introducer satisfying the conditions in FC-1.7.2. FC-1.10.1 Licensees may apply simplified customer due diligence measures, as described in Paragraphs FC￾1.10.2 to FC-1.10.6, if: (a) The transaction is a one-off or occasional transaction not exceeding BD 6,000 (or equivalent in other currencies), or one of a number of transactions which are related and, when taken together, do not exceed BD 6,000 per year (or equivalent in other currencies); A Trust Service Provider noted : (c) Please provide the CBB’s opinion on whether the acceptance of simplified due diligence on companies listed within an exchange that is either a member or Associate of the International organization of Securities Commissions or a member of the World Federation of Exchanges is acceptable, suffice as the disclosure requirements on the respective exchange is at least equivalent to the Bahrain Stock Exchange. CBB only accepts GCC or FATF member for item (c) to qualify for simplified customer due diligence measures. “If the exchange is regulated within a GCC or FATF approved jurisdiction then the CBB would regard that exchange as having adequate customer due diligence procedures. Should the CBB determine that these standards are not adequate, it will issue a notice to this effect. It is very clear that the principle here is that FATF determines the standard (which any licensed exchange meets) and that if you meet the FATF standard, you meet the

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 10 (b) The transaction is a wire transfer below the equivalent of US$1000; (c) The customer is a company listed on a GCC or FATF member state stock exchange with equivalent disclosure standards to those of the BSE; (d) The customer is a financial institution whose entire operations are subject to AML/CFT requirements consistent with the FATF Recommendations / Special Recommendations and it is supervised by a financial services supervisor in a FATF or GCC member state for compliance with those requirements; (e) The customer is a financial institution which is a subsidiary of a financial institution located in a FATF or GCC member state, and the AML/CFT requirements applied to its parent also apply to the subsidiary; (f) The customer is the Central Bank of Bahrain (‘CBB’), the Bahrain Stock Exchange licensed exchange standard. GCC exchanges are included due to agreements reached on this at GCC level.”

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 11 (‘BSE’) or a licensee of the CBB; or (g) The customer is a Ministry of a Gulf Cooperation Council (‘GCC’) or Financial Action Task Force (‘FATF’) member state government, a company in which a GCC government is a majority shareholder, or a company established by decree in the GCC.

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 12 FC-2.2.3 Licensees must consider the need to include automated transaction monitoring as part of their risk￾based monitoring systems to spot abnormal or unusual flows of funds. In the absence of automated transaction monitoring systems, all transactions above BD 6,000 must be viewed as “significant” and be captured in a daily transactions report for monitoring by the MLRO or a relevant delegated official, and records retained by the licensee for five years after the date of the transaction. A Trust Service Provider noted that this module states that licensees must consider the need to monitor transactions and that all transactions over BD 6000 should be classified as “significant”. It is usual policy for a trust company business to monitor transactions automatically; however, the trust company would need to rely on the bank reporting to flag these transactions. Could the CBB provide greater clarification on how they expect this to apply to trust eservice providers? Since TSP is not handling funds, the automated transaction monitoring would be required at the bank level. By virtue of the activities of the TSPs, by default FC-2.2.3 would not apply to TSPs. However, new guidance Paragraph FC￾2.2.3A has been added for greater clarity. FC-2.2.11 Licensees must review and update their customer due diligence information at least every three years. If, upon performing such a review, copies of identification documents are more than 12 months out of date, the licensee must take steps to obtain updated copies as soon as possible. A Trust Service Provider noted that in accordance with the Jersey Handbook, the Trust Company Business is able to take a risk based approach whereby the due diligence documentation is reviewed on the following frequencies dependent on the level of risk applied to the “customer”. It is A Trust Service Provider’s policy to review every 1, 3, and 5 years in line with the application of a risk based approach. (a) Low risk: 5 years (or upon expiry of the documentation) (b) Medium risk: 3 years (or upon expiry of FATF requires due diligence information reviewed and updated at least every 3 years. The revised FATF Recommendations do not specify the frequencies of the review process for each level of risk applied. The interpretative notes to Recommendation 10 mentions the following: “Financial institutions should be required

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 13 the documentation) (c) High risk: 1 years (or upon expiry of the documentation) Is there any opportunity to take this approach within the CBB guidelines? to ensure that documents, data or information collected under the CDD process is kept up-to-date and relevant by undertaking reviews of existing records, particularly for higher-risk categories of customers.” The CBB has chosen three years as a review frequency (FC-2.2). FC-5.3.1 Reports made by the MLRO or his duly authorised delegate under Section FC-5.2 must be sent to the Financial Intelligence Unit at the Ministry of the Interior and copied to the Compliance Directorate at the Central Bank of Bahrain at the following addresses: Financial Intelligence Unit General Directorate of Criminal Investigation Ministry of Interior P.O. Box 26698 Manama, Kingdom of Bahrain Telephone: 17 718888 Fax: 17 715818 E-mail: bahrainfiu@moipolice.bh A Trust Service Provider noted that they wanted the CBB to confirm the format as to how the CBB would like to receive SARs? Is it acceptable to provide the copy by fax or scanned e-mail, or is it preferable that the Compliance Directorate receives the SAR by hand delivery? In addition is a copy of the SAR acceptable tot eh Compliance Directorate. Under Part B of Volume 5, there is a standard STR Form, complete with instructions and noted the possibility of electronic filing. Please refer to the actual form.

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 14 Director of Compliance Directorate Central Bank of Bahrain P.O. Box 27 Manama, Kingdom of Bahrain Telephone: 17 547107 Fax: 17 535673 E-mail: Compliance@cbb.gov.bh FC-7.1.4 All records required to be kept under this Section must be made available for prompt and swift access by the relevant authorities or other authorised persons. A Trust Service Provider noted that they wanted the CBB to clarify whether it is acceptable for the records to be retained and provided in electronic format. This section does not specify whether records must be in original form. Recommendation 11”Record Keeping” of the revised FATF Recommendations mentions the following: “The CDD information and the transaction records should be available to domestic competent authorities upon appropriate authority.” It does not mention in what format the information must be retained. Under Volume 1, electronic records are allowed. FC-7.1.4 has been amended to allow for electronic records, where permitted by law.

Trust Service Providers Licensees Draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 15 FC-11.1.7 Licensees must provide regular training to their management and staff, to make them aware of potential fraud risks. A Trust Service Provider noted that they wanted the CBB to clarify whether the training provided should apply to spotting internal or external fraud? Their training focuses on anti-money laundering and countering terrorist financing which are the principal criminal threats to a financial services business. Their training covers profiling and suspicious activities (so fee earners will be aware of the need for vigilance to ensure our structures are not being used to commit fraud) and also the dangers of identity fraud (which we may face when customers provide CBB). But in terms of providing training to staff not to commit fraud within the Ogier Group, this is a question of relevance and practicality. This would usually be covered by human resources’ vetting and screening procedures as well as their internal operating policies, procedures, systems and controls (i.e. signing authorities) but is difficult to train. This section deals both with internal and external fraud. The training to detect internal fraud would be related to specific functions within the licensee, particularly those functions dealing with compliance, internal audit or other “control” type of functions.

Trust Service Providers Licensees draft Modules – Volume 5 Industry Comments and Feedback November 2012 Common Modules 16 Reference to the draft Directive: Comments REF CBB’s Response Module EN EN-2.2.4 Appointed experts report in a form and within a scope defined by the CBB, and are solely responsible to the CBB for the work they undertake in relation to the investigation concerned. The report produced by the appointed experts is the property of the CBB (but is usually shared by the CBB with the firm concerned). The cost of the appointed experts’ work must be borne by the licensee concerned. A Trust Service Provider noted that the cost of appointing an expert to carry out an onsite investigation is to be borne by the Licensee. The module does not distinguish between whether or not the investigation is warranted or if the Licensee is not proved of any suspected wrong doing. Is there a distinction as to where the cost is borne? No, the cost is to be borne by the licensee. The CBB as the regulator mandates whether such investigation is required. EN-5.3.1 In addition to the general circumstances set out in Section EN￾5.2, a financial penalty of up to BD 20,000 may be applied by the CBB in cases where a licensee fails to comply with any of the requirements in Module FC (Financial Crime). A Trust Service Provider noted that when comparing the modules to other jurisdictions for industry best practice, there is no provision for discounts on early settlement of financial penalties. Is this something that the CBB has considered. No, there are no discounts available on early settlement of financial penalties.