2025-01-21

Simplified Due Diligence for Non-Bank Financial Institutions (Guidance Note 1 of 2021)

The Non-Bank Financial Institutions Regulatory Authority (NBFIRA) of Botswana issued this guidance to standardize the application of simplified customer due diligence (SDD) for non-bank financial institutions. NBFIs must conduct risk assessments to identify low-risk customers, products, and transactions eligible for reduced identification requirements while maintaining continuous monitoring. The framework mandates clear procedures for identifying beneficial owners, managing high-risk exclusions, and terminating relationships when sufficient due diligence cannot be obtained.

Botswana

Non-Bank Financial Institutions Regulatory Authority


APPLICATION OF SIMPLIFIED DUE DILIGENCE (SDD) ON CUSTOMERS AND RELATED PARTIES

Guidance Note 1 of 2021 for Non-Bank Financial Institutions

Issued January 2021

Disclaimer

This Guidance Note is authored by the NBFIRA in line with section 44(1)b of the Financial Intelligence Act and Regulations 2019 (“FI Legislation”) of the Republic of Botswana for comprehensive use by the NBFIs. The note is indicative and while due care was exercised to ensure that this guideline is accurate and consistent with the FI Legislation, the latter shall prevail in the unfortunate case of ambiguity and NBFIRA does not guarantee or take any liability whatsoever.

Contents

  Introduction
  Objectives
  Definitions
  Customer Due Diligence vis-a-vis Monitoring
  Identification & Verification
  Enhanced Due Diligence vis-a-vis Enhanced Monitoring
  Simplified Due Diligence Standard (Normal) Monitoring
  Risk Based Approach vis-à-vis Risk Based Supervision
  Financial Inclusion vis-à-vis CDD and Market Development
  Risk Assessment
  Considerations for Risk Assessment
  Customer Due Diligence
  When to Undertake Due Diligence
  Simplified Customer Due Diligence
  Simplified customer due diligence when establishing a business relationship
  Identification of beneficial owners
  Inability to conduct Customer Due Diligence
  Persons Who Should Not Be Dealt with as Customers
  Simplified Due Diligence Exclusions

Introduction

  1. The Non-Bank Financial Institutions Regulatory Authority (NBFIRA) is a designated supervisory authority under Schedule II of the Financial Intelligence Act (the Act) established to supervise the non-bank financial institutions (NBFIs), who are designated as specified parties under Schedule I, for the purpose of complying with the Act and ensuring they have adequate controls against money laundering, terrorist and proliferation financing (referred to together as financial crimes/offences). Among other supervisory duties, the NBFIRA is also mandated to issue instructions, guidelines or recommendations to help NBFIs comply with the Act. It is for this purpose that the NBFIRA documented this Guidance Note for the NBFIs.
  2. In order to provide the most up-to-date guidance to best meet the needs of NBFIs, this Guidance Note will be a ‘living document’ which may be updated as needed to draw upon evolving guidance from recognized international bodies as well as best practice for NBFIs in other jurisdictions.
  3. The amendment of the Act in 2018 and 2019 introduced a flexible and principle-based application of some of the obligations of the Act. The risk-based approach allows the NBFIRA to concentrate its supervisory resources on sectors that pose medium to high risk on Money Laundering (ML)/Terrorist Financing (TF)/Proliferation Financing (PF) and moderate oversight on low risk sectors. Similarly, the law requires NBFIs to adopt and implement robust Anti Money Laundering (AML)/Counter Financing of Terrorism (CFT) & Counter Financing of Proliferation (CFP) Policies, Controls and Procedures which include:
     a) an assessment of money laundering risk in each NBFI by carrying out an AML/CFT&CFP risk assessment;
     b) the development of policies which introduce controls to mitigate money laundering risk; and
     c) customer risk assessments on every customer/service in order to determine the type and extent of CDD to be undertaken.

Objectives

  4. This Guide provides clear standards on how to conduct simplified CDD at each stage of a business relationship with a customer or client:
     a) when the relationship is established;
     b) when financial transactions with existing customers are performed;
     c) on an ongoing basis after the business relationship is established.
  5. The guidelines are not intended to be exhaustive nor to set the limits for the steps to be taken by compliance officers in working to prevent money laundering, terrorist and proliferation financing. The Act involves a combination of risk-based and rules-based approaches to the prevention of money laundering and terrorist and proliferation financing; the general approach of designated persons should be to take the steps warranted by the risk of money laundering in any given circumstance.

Definitions

Customer Due Diligence vis-a-vis Monitoring

  6. The Act defines CDD as the process where relevant information about the customer is collected and evaluated for any potential risk of commission of a financial offence. Information to be documented may include identity, address, source of funds and expected business or transactional activity. CDD also involves continuous monitoring of business relationships, including the due diligence information obtained, to ensure it remains up to date and that the relationship is operating as expected for that customer. CDD is required for all new or continuing business relationships or occasional transactions on the identity and financial identity and ongoing monitoring of customers and the transactions in which they engage, in relation to the money laundering and terrorism and proliferation financing risks that they pose.

Identification & Verification

  7. Identification is a process of obtaining information about your customers for purposes of knowing who they are. Verification means checking reliable, independent source documentation, data or information that confirms the veracity of the identifying information obtained during the identification process.

Enhanced Due Diligence vis-a-vis Enhanced Monitoring

  8. Refers to a higher level of due diligence required to mitigate the increased risk of commission of a financial offence. This involves obtaining additional identifying information about customers. The process is meant to ensure that the person or company you are dealing with is as they represented themselves, does not appear to be laundering money by engaging in illegal activities and is not on any sanctions list.

Simplified Due Diligence Standard (Normal) Monitoring

  9. This refers to the lowest level of due diligence that can be completed on a customer. It is the basic and minimal process of identifying, verifying and ongoing monitoring of a standard customer relationship and transactions. FATF Recommendation 10 specifies that simplified measures can be applied to these four CDD components:
     a) identification/verification of a customer,
     b) identification/verification of beneficial owner,
     c) understanding the purpose and nature of the relationship and
     d) ongoing monitoring of the relationship.

Risk Based Approach vis-à-vis Risk Based Supervision

  10. Means to identify, assess, and understand the money laundering and terrorist and proliferation financing risks to which entities are exposed, and take the appropriate mitigation measures in accordance with the level of risk.

Financial Inclusion vis-à-vis CDD and Market Development

  11. This means the application of measures that enable disadvantaged and other vulnerable groups, including low income, rural and undocumented persons, who have been underserved or excluded from the formal financial sector to access and use an adequate range of regulated, safe, convenient and affordable financial services.

Risk Assessment

  12. Risk is generally defined as the possibility and impact of an uncertain event on an object. Uncertainty comes as a result of threats (external factors), vulnerability (internal weakness relative to external threats) and consequence (impact if risk occurs). In this context the risk would refer to the possibility of financial crimes and their impact given the vulnerability of an NBFI.
  13. On the other hand, a risk assessment can be described as a comprehensive assessment to determine the risk level of financial crime on their operations and related-party activities; thus the threats, vulnerabilities and possible impact.
  14. The Act requires that NBFIs should conduct an assessment to determine the risk level of financial crime on their operations and related-party activities. The law goes further to specify areas to be assessed for risks which include business practices, relationships and transactions, products and their delivery channels.
  15. Identifying, assessing and understanding the risks is central to the application of the risk-based approach in that where risk is elevated, enhanced control measures are applied and conversely where the risks are low, simplified controls may be implemented.
  16. In other words, it is a requirement to carry out a stand-alone risk assessment on each and every customer to whom NBFIs provide a regulated financial service, to determine the type of CDD to be applied to that customer. This risk assessment of every client should help in determining the NBFIs’ exposure to ML/TF/PF risks and the appropriate CDD procedures to be applied.
  17. NBFIs should consider keeping records of decisions on risk assessment processes of what CDD was undertaken. This does not need to be in significant detail, but merely a note on the CDD file stating the risk level the solicitor attributed to a file and why the compliance officer considered s/he had sufficient CDD information.
  18. Such an approach may assist firms to demonstrate that they have applied a risk-based approach in a reasonable and proportionate manner. Notes taken at the time are better than justifications provided later.
  19. In documenting the thought process, below are some of the things to consider:
     a) assess the risk of ML/TF/PF (i.e., the risk of committing the substantive offence, and whether any known indicators of suspicion may not be present);
     b) consider the potential statutory reporting obligation; and,
     c) carry out compliance, should you proceed with the instructions/legal service.
  20. This approach allows compliance officers to place all relevant circumstances in context and, should the need arise in the future, enable them to demonstrate their level of knowledge and rationale for proceeding with a transaction or not.

Considerations for Risk Assessment

  21. This section provides factors which could be considered to be of low risk nature, but does not ascertain the low risk level. NBFIs remain obliged to conduct risk assessment and continuously monitor business relationships to ascertain the risk level of each business relationship and apply adequate controls commensurate to the identified risks.
     a) Transactions
        i. Total amount of annual premiums
        ii. Total amount of annual savings/investment deposits
        iii. Total amount of a transaction or related transactions
        iv. Third party transactions
        v. Transaction frequency
     b) Products/Services & Delivery Channels
        vi. Funeral policy
        vii. Short-term insurance
        viii. Medical aid
        ix. Low credit facilities often offered by micro lenders
        x. Small savings schemes
        xi. Online product/service offerings
     c) Nature of Business and Profession
        xii. Total annual income
        xiii. Total amount of assets and liabilities
        xiv. Nature of business and profession
        xv. Business and beneficial ownership structure
     d) Geographical Location
        xvi. Verified low-risk territories (based on UNSC sanctions list)
        xvii. Low risk domestic areas

Customer Due Diligence

  22. Customer Due Diligence (CDD) is an important part of the “Know Your Customer” (KYC) process. By knowing its potential or existing customers, an NBFI can make an informed decision on whether to accept a potential customer, and what must be done to monitor the customer relationship once it is established.
  23. To put it another way, KYC refers to what must be done; CDD refers to how to do it.
  24. Section 16 of the Act requires that specified parties or accountable institutions shall where required conduct due diligence before establishing a business relationship or carrying out a transaction:
     a) Establish and verify the identity of a customer, unless the identity of that customer is known and has been verified by the specified party;
     b) Establish and verify the identity of the beneficial owner;
     c) Collect information to enable understanding of the anticipated purpose and intended nature of the business relationship or transaction; and
     d) Obtain approval of senior management where the business relationship or transaction is established in a high risk jurisdiction or involves a high risk business.
  25. Each NBFI is required to collect, verify, and keep records of customer identification information and conduct sanction screening against lists of known criminals/United Nations Security Council Resolutions.
  26. At a minimum, due diligence and screening should confirm that customers are not on any sanction lists and whether or not they are identified as PIPs or PIP related.

When to Undertake Due Diligence

  27. Section 14 of the Act read with Regulation 3 outlines when due diligence needs to be conducted and it echoes the requirements of the FATF Recommendations. A specified party or accountable institution shall conduct customer due diligence measures:
     a) When establishing a business relationship or concluding a transaction with a customer;
     b) When carrying out a transaction in excess of the prescribed amount on behalf or on the instruction of a customer or any person, whether conducted as a single transaction or several transactions that appear to be linked;
     c) When carrying out a domestic or international wire transfer;
     d) When there is doubt about the veracity or adequacy of previously obtained customer identification data; and
     e) Where there is suspicion of a financial offence.
  28. Some level of due diligence is required for all customers, although the intensity may vary depending on the nature of the customer and the degree of ML/TF/PF risk posed by the relationship.

Simplified Customer Due Diligence

  29. Simplified due diligence is the lowest level of due diligence that can be completed on a customer. This is appropriate where there is little opportunity or risk of an entity’s services or customer becoming involved in ML/TF/PF. For example, simplified CDD can be used for small-value accounts, such as savings accounts of no more than a certain threshold [tiered KYC] that do not involve international transfers of funds.
     a) Where an NBFI is satisfied that a customer, product, or service falls into the simplified due diligence category, then it is only required to identify the customer. This can be done by requiring the customer to submit certain basic information such as his or her name, citizenship identity card, address, and so forth, along with a passport-type picture.
     b) In the case of such small limited-use accounts, the information may be submitted electronically or in person at the office of the NBFI. This information does not need to be verified through third party sources.
  30. While simplified CDD is sufficient when starting a low-risk relationship, the NBFIs should continuously monitor the account for any significant circumstances that may require heightened scrutiny in the future. If during the business relationship additional information indicates that the relationship may pose a greater risk than originally determined, the NBFI should undertake increased due diligence.

Simplified customer due diligence when establishing a business relationship

  31. When an NBFI establishes a new business relationship with a customer, it should determine the following:
     a) the purpose of the relationship;
     b) the intended nature of the relationship, such as where the customer’s funds will come from, the general purpose of transactions, and so on.
  32. The NBFI may need to obtain the following type of information:
     a) details of the customer’s business or employment;
     b) the expected sources and origin of the funds that the customer will be using during the relationship;
     c) copies of recent and current financial statements;
     d) details of the relationships between the customer (including signatories on any account) and any underlying beneficial owners;
     e) the expected level and type of activity that will occur during the relationship.

Identification of beneficial owners

  33. One of the most critical aspects of customer identification is knowing the beneficial owner of an account or of a legal entity that seeks to become a customer of an institution. The Act defines a beneficial owner as a natural person, who directly or indirectly through any contract, arrangement, understanding, relationship or otherwise ultimately owns or has a controlling ownership or exercises ultimate effective control of a company.
  34. The Act requires NBFIs to identify and maintain records of such beneficial owners.
  35. While the Act makes it an obligation for NBFIs to conduct customer due diligence, it also provides for the flexibility of its application depending on the level of risk as determined by a deliberate comprehensive risk assessment exercise as explained in the preceding section.
  36. NBFIs may apply simplified due diligence procedures to customers and products which have been assessed to pose minimal financial crime risks. Guidance on procedures and documentation of customer information for low risk business relationships is provided below.
     a) Natural Person
        i. Collect identity document, which may be verified during business relationship or at disbursements;
        ii. Ultimate beneficial owner(s) may be identified during business relationship or at disbursements;
        iii. Continuous monitoring of transactions throughout business relationship to ensure transactions are related to the nature and intended purpose of the business relationship;
        iv. Source of Income;
        v. Recollection and validation of the above information after 2 years.
     b) Legal Person
        i. Collect registration document with registration body before business relationship;
        ii. Office or place of business, from which the entity operates;
        iii. Identify and verify directors (senior management) and ultimate beneficial owners;
        iv. Obtaining and validating information on the nature and intended purpose of the business relationship;
        v. Verify source of funds and wealth except in the case of medical aid fund contribution or similar arrangements;
        vi. Continuous monitoring of transactions throughout business relationship to ensure transactions are related to the nature and intended purpose of the business relationship;
        vii. Recollection and validation of the above information after 2 years.
     c) Legal Arrangements
        i. Collect identity documents of trustees or controllers and ultimate beneficial owners, which may be verified during business relationship or at disbursements;
        ii. Registered name and registration number;
        iii. Ultimate beneficial owner(s) may be identified during business relationship or at disbursements;
        iv. Continuous monitoring of transactions throughout business relationship to ensure transactions are related to the nature and intended purpose of the business relationship;
        v. Recollection and validation of the above information after 2 years.

Inability to conduct Customer Due Diligence

  37. The Act provides that where an NBFI is unable to obtain sufficient CDD to enable it to know its customer and the risks posed by the business relationship, it should
     a) not open the account, start business relations or perform the requested transaction; or
     b) terminate the existing business relationship; and
     c) consider making a suspicious transaction report (STR) regarding the customer.
  38. If an NBFI suspects money laundering, terrorist or proliferation financing but is concerned that the CDD process would tip off the customer, it need not pursue the process. Instead, it should file an STR. This decision should be thoroughly documented according to the NBFI’s policies and procedures.

Persons Who Should Not Be Dealt with as Customers

  39. NBFIs must have policies and procedures to ensure that business relationships are not established or continued, or transactions are not carried out
     a) where the NBFI has not obtained satisfactory evidence of customer’s identity;
     b) with shell banks;
     c) with anonymous accounts; and
     d) for persons identified by the Security Council of the United Nations (UN) or other credible sources as terrorist entities or terrorists. Links to the UN list, FATF list, and European Union terrorist list are available on the website.

Simplified Due Diligence Exclusions

  40. The Act provides that under no circumstances should a simplified due diligence be conducted when there is: suspicion of commission of a financial crime, high risk for financial crimes (risk assessment), or doubt about the veracity or accuracy of any documents or information previously obtained for purposes of identification or verification.