2026-01-01

Guidelines on Anti-Money Laundering, Countering the Financing of Terrorism and Countering Proliferation Financing for the Securities Market

The Securities and Exchange Commission of Sri Lanka issued these guidelines to mandate Anti-Money Laundering, Countering the Financing of Terrorism, and Countering Proliferation Financing compliance for all regulated securities market entities. The document requires entities to implement a risk-based approach, including comprehensive Customer Due Diligence, beneficial ownership identification, and enhanced measures for high-risk customers and non-governmental organizations. It further establishes strict protocols for suspicious transaction reporting, record keeping, internal controls, and the management of risks associated with new technologies and third-party payments.

Securities and Exchange Commission of Sri Lanka

GUIDELINES ON ANTI-MONEY LAUNDERING, COUNTERING THE FINANCING OF TERRORISM AND COUNTERING PROLIFERATION FINANCING FOR THE SECURITIES MARKET

AML/CFT/CPF Guidelines for the Securities Market
Securities and Exchange Commission of Sri Lanka

Table of Contents

  1. Applicability (p. 1)
  2. Assessing Risk and Application of Risk-based Approach (p. 2)
    2.1. Risk Assessment (p. 2)
    2.2. Customer Risk Profiling (p. 3)
    2.3. Timely Reporting Requirement (p. 3)
    2.4. Policies & Procedures (p. 4)
    2.5. Internal Controls (p. 4)
    2.6. Foreign Branches and Subsidiaries (p. 4)
    2.7. Using New Technologies (p. 5)
    2.8. Third-Party Customer Deposits and Payments (p. 5)
  3. Customer Due Diligence (CDD) (p. 7)
    3.1. CDD Applied for All Customers (p. 7)
      3.1.1. Delayed Verification (p. 8)
    3.2. Non-Governmental Organizations (NGOs), Not-for-Profit Organizations (NPOs) or Charities (p. 9)
    3.3. Customers from High-Risk Countries (p. 10)
    3.4. Regulated Entity which relies on a Third-Party (p. 11)
  4. Enhanced and Simplified Customer Due Diligence Measures (p. 12)
    4.1. Enhanced Customer Due Diligence (ECDD) Measures for High-Risk Customers/Transactions (p. 12)
    4.2. Simplified CDD Measures for Low-Risk Customers/Transactions (p. 12)
  5. Beneficial Ownership (p. 14)
  6. Politically Exposed Persons (PEPs) (p. 16)
  7. Targeted Financial Sanctions (p. 17)
  8. Compliance Function & Training (p. 18)
  9. Suspicious Transactions & Mandatory Reporting (p. 19)
  10. Record Keeping (p. 21)
  11. Interpretation (p. 22)
  12. Schedules (p. 25)
    Schedule 1 Money Laundering & Terrorist Financing Risk Management for Regulated Entities (p. 26)
    Schedule 2 Customer Due Diligence for Regulated Entities (p. 38)
    Schedule 3 Identification of Beneficial Ownership for Regulated Entities (p. 45)
    Schedule 4 Identification of Politically Exposed Persons for Regulated Entities (p. 59)
    Schedule 5 Sanction Screening for Regulated Entities (p. 74)
      A. Combating Financing of Terrorism (CFT) (p. 75)
      B. Combating Proliferation Financing (CPF) (p. 80)
    Schedule 6 Suspicious Transactions Reporting for Regulated Entities (p. 85)


1. Applicability

  2. These Guidelines may be cited as the Anti-Money Laundering, Countering the Financing of Terrorism, and Countering the Proliferation Financing (AML/CFT/CPF) Guidelines for the Securities Market issued by the Securities and Exchange Commission of Sri Lanka (SEC).
  3. These Guidelines apply to all trading participants, depository participants, market institutions, market intermediaries and trustees of collective investment schemes regulated by the SEC (hereinafter identified as "Regulated Entity" or "Regulated Entities"). However, it is recognized that not all the requirements/measures given in these Guidelines are applicable to all the entities operating in the securities market of Sri Lanka. Therefore, each entity shall consider the specific nature of its business, organizational structure, types of clients and transactions, etc. when implementing these Guidelines.
  4. Further, attention is drawn to the Directive issued by the SEC on 03rd October 2025 (Ref: SEC/DDG/2025/10/66) to all the market institutions and market intermediaries licensed by the SEC to ensure compliance with the applicable Laws, Rules, Directions, Regulations, Guidelines and Circulars issued by the Financial Intelligence Unit (FIU) of Sri Lanka. In that context, the SEC requires that all the entities satisfy themselves that the systems, processes and other measures taken by the entities on AML/CFT/CPF are adequate, appropriate and comply with the said legal requirements.
  5. Where a Regulated Entity is required to comply with AML/CFT/CPF regulatory requirements issued by any local or international regulatory body that are more stringent than those specified in these Guidelines issued by the SEC, the Regulated Entity shall comply with such more stringent regulatory requirements, where applicable.
  6. In case of any inconsistency between these Guidelines issued by the SEC and the Regulations, Rules or Guidelines issued by the FIU, the Regulations, Rules or Guidelines set forth by the FIU shall prevail, and all Regulated Entities shall comply with such requirements imposed by the FIU.
  7. These Guidelines shall be reviewed by the Securities and Exchange Commission from time to time as necessary.

2. Assessing Risk and Application of Risk-based Approach

2.1. Risk Assessment

  1. The intensity and extensiveness of risk management functions should be in compliance with the "risk-based approach" and be proportionate to the nature, scale and complexity of the Regulated Entity's activities and its Money Laundering (ML), Terrorist Financing (TF) and Proliferation Financing (PF) risk profile.
  2. A Regulated Entity is required to take appropriate steps to identify, assess and manage its ML/TF/PF risks in relation to its customers, countries or geographical areas, products, services, transactions and delivery channels. (Refer Schedule 1 Money Laundering and Terrorist Financing Risk Management for Regulated Entities)
  3. A Regulated Entity should conduct the following processes in assessing ML/TF/PF risks:
    a) document its risk assessments and findings;
    b) consider all relevant risk factors before determining the level of overall risk and the appropriate level and type of mitigation to be applied;
    c) keep the assessment up to date through periodic review; and
    d) have appropriate mechanisms to provide risk assessment information to the supervisory authority.
  4. A Regulated Entity is required to have proper risk control and mitigation measures, including the following [1]:
    a) have internal policies, controls and procedures to manage and mitigate the ML/TF/PF risks that have been identified;
    b) monitor the implementation of those policies, controls and procedures and enhance them if necessary; and
    c) take appropriate measures to manage and mitigate the risks, based on the risk-based approach.

[1] In this exercise the Regulated Entity shall be guided by the FATF guidance for a risk-based approach to the securities sector (https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/RBA-Securities-Sector.pdf.coredownload.pdf) as well as guidance provided by the FIU of Sri Lanka.

2.2. Customer Risk Profiling

  5. A Regulated Entity should conduct risk profiling on its customers considering the following:
    a) risk level according to customer category (ex: type of customers such as resident or non-resident, occasional or one-off, legal persons, Politically Exposed Persons (PEPs) and customers engaged in different types of occupations);
    b) geographical location of business or country of origin of the customer;
    c) products, services, transactions or delivery channels of the customer (ex: cash-based, face-to-face or non-face-to-face, cross-border); and
    d) any other information regarding the customer.
  6. The risk control and mitigation measures implemented by the Regulated Entity are expected to be commensurate with the risk level of a particular customer as identified through risk profiling.
  7. After the initial acceptance of a customer, the Regulated Entity should regularly review and update the customer's risk profile based on his/her level of ML/TF/PF risk.
  8. A Regulated Entity's ML/TF/PF risk management should be affiliated to and integrated with the overall risk management of the Regulated Entity.

2.3. Timely Reporting Requirement

  9. A Regulated Entity should provide a timely report of its risk assessment, its ML/TF/PF risk profile and the effectiveness of its risk control and mitigation measures to its Board of Directors. The frequency of reporting should be commensurate with the level of risks involved and the operating environment.
  10. The report referred to in Guideline 9 above is required to include the following:
    a) results of monitoring activities carried out by the Regulated Entity for combating ML/TF/PF risks, ex: the level of the Regulated Entity's exposure to ML/TF/PF risk, the break-down of ML/TF/PF risk exposures based on key activities or customer segments, trends of Suspicious Transaction Reports (STRs) and threshold reports in terms of the Financial Transactions Reporting Act, No. 6 of 2006 (FTRA), judicial pronouncements and freezing actions under the United Nations Security Council Resolutions (UNSCR);

    b) details of recent significant risks, whether internal or external, the modus operandi and its impact or potential impact on the Regulated Entity; and
    c) implications for the Regulated Entity of any recent developments in written law on AML/CFT/CPF.

2.4. Policies & Procedures

  11. (1) A Regulated Entity should formulate an internal policy on AML/CFT/CPF, approved by its Board of Directors, subject to the written laws in force for the time being. (2) The detailed procedures and controls are required to be developed by each Regulated Entity in compliance with such policy.
  12. Such policies, procedures and controls are required to include risk assessment procedures, Customer Due Diligence (CDD) measures, the manner of record retention, the procedure for detection and internal reporting of unusual and suspicious transactions, and the obligation to report suspicious transactions to the FIU.
  13. A Regulated Entity should, in formulating policies, procedures and controls, take into consideration ML/TF/PF risks that may arise from the use of new or developing technologies, especially those having features of anonymity or inconsistency with the basic principles of CDD measures.

2.5. Internal Controls

  14. A Regulated Entity is required to maintain an independent audit function that is adequately resourced and able to regularly assess the effectiveness of the Regulated Entity's internal policies, procedures and controls and its compliance with regulatory requirements.

2.6. Foreign Branches and Subsidiaries

  15. If the Regulated Entity is part of a group of companies, the Regulated Entity or the Regulated Entity Group is expected to implement group-wide programmes, which are required to be applicable and appropriate for all branches and majority-owned subsidiaries of the Regulated Entity/Regulated Entity Group, with a view to combatting ML/TF/PF activities, and which are additionally required to include the following:

    a) initiate measures and procedures for sharing information required for the purposes of conducting CDD and managing ML/TF/PF risk within the group;
    b) provide information on customers, accounts and transactions, and on audits, to group-level compliance from all branches and subsidiaries of the Regulated Entity/Regulated Entity Group when necessary for implementing the AML/CFT/CPF measures; and
    c) maintain adequate safeguards on the confidentiality and use of information exchanged among the branches and subsidiaries of the Regulated Entity/Regulated Entity Group.
  16. A Regulated Entity should ensure that its foreign branches and majority-owned subsidiaries apply AML/CFT/CPF measures consistent with the domestic law requirements where the relevant written laws of the foreign country concerned provide less stringent requirements than those provided for in the domestic law.
  17. Where the foreign country does not permit the proper implementation of AML/CFT/CPF measures consistent with the domestic law requirements, a Regulated Entity is required to apply appropriate additional measures to manage ML/TF and PF risks.

2.7. Using New Technologies

  18. A Regulated Entity should identify and assess ML/TF/PF risks that may arise in relation to the development of new products and new business practices, including new delivery mechanisms and the use of new or developing technologies for both new and pre-existing products.
  19. A Regulated Entity should:
    a) undertake the risk assessments prior to the launch or use of new products, practices and technologies; and
    b) take appropriate measures to manage and mitigate the risks which may arise in relation to the development of new products and new business practices.

2.8. Third-Party Customer Deposits and Payments

  20. In view of the risks associated with third-party deposits and payments, the Regulated Entity should consider and assess the risk arising from third-party deposits and ensure that appropriate control measures are implemented to mitigate the risk.

  21. A Regulated Entity which is unable to exercise appropriate control measures to mitigate the inherent ML/TF/PF risk and other associated risks, and to meet the relevant compliance requirements, must not accept any third-party deposits.
  22. Generally, a Regulated Entity must not accept any request from customers for payments to be made from the customers' account into a third-party account. However, clerks, accountants, employees, agents or authorized persons of business places who are authorized to deal with the accounts would not be considered third parties. Further, if any Regulated Entity has reasonable grounds to suspect that a transaction or series of linked transactions is suspicious or unusual, the Regulated Entity should obtain such information irrespective of the amount of the transaction.

3. Customer Due Diligence (CDD)

3.1. CDD Applied to All Customers

  23. (1) In terms of the provisions of section 2 of the FTRA, no Regulated Entity should open, operate or maintain any anonymous account, any account in a false name or in the name of a fictitious person, or any account that is identified by a number only (hereinafter referred to as a "Numbered Account"). (2) Numbered Accounts include accounts whose ownership is transferable without the knowledge of the Regulated Entity and accounts that are operated and maintained with the account holder's name omitted.
  24. A Regulated Entity is required to maintain accounts in such a manner that the assets and liabilities of a given customer can be readily retrieved. Accordingly, no Regulated Entity should maintain accounts separate from the Regulated Entity's usual operational processes, systems or procedures.
  25. Where two or more accounts are opened in the same Regulated Entity by one customer, the Regulated Entity should record the specific purpose for which such accounts are opened, in order to enable ongoing CDD of all accounts.
  26. A Regulated Entity should conduct the CDD measures specified in these Guidelines on customers conducting a transaction when:
    a) entering into new business relationships;
    b) the Regulated Entity has any suspicion that such customer is involved in ML/TF/PF activities, regardless of amount; or
    c) the Regulated Entity has any doubt about the veracity or adequacy of previously obtained information.
  27. (1) A Regulated Entity should:
    a) identify its customers prior to entering into business relationships;
    b) obtain the information specified in Schedule 2 - Customer Due Diligence for Regulated Entities, verify such information as applicable, and record the same for the purpose of identifying customers and conducting their initial risk profiling, at minimum;
    c) obtain the following information for the purpose of conducting CDD, at minimum:
      (i) purpose of the account (ex: investment, trading, etc.);
      (ii) sources of earning;
      (iii) expected monthly turnovers;
      (iv) expected mode of transactions (ex: cash, cheque, etc.).
    (2) Where any customer is rated as a customer posing a high risk, the Regulated Entity should take Enhanced Customer Due Diligence (ECDD) measures for such customer, in addition to the CDD measures in Guideline 28 (1) (c) above.
  28. Under no circumstances should a Regulated Entity establish a business relationship or conduct any transaction with a customer with high ML/TF/PF risk prior to verifying the identity of the customer and the beneficial owner.
  29. A Regulated Entity is required to monitor all business relationships with a customer on an ongoing basis to ensure that the transactions are consistent with the customer's economic profile and risk profile and, where appropriate, the sources of earning.

3.1.1. Delayed Verification

  30. A Regulated Entity should verify the identity of the customer and beneficial owner before or during the course of entering into a business relationship or conducting a transaction for an occasional customer. Provided, however, that where the risk level of the customer is low according to the risk profile of the Regulated Entity and verification is not possible at the point of entering into the business relationship, the Regulated Entity may, subject to Guideline 32, allow its customer and beneficial owner to furnish the relevant documents after entering into the business relationship and subsequently complete the verification (hereinafter referred to as "delayed verification").
  31. In any case where delayed verification is allowed, the following conditions are expected to be satisfied:
    a) verification should be completed as soon as is reasonably practicable, but not later than fourteen working days from the date of opening of the account;
    b) the delay should be essential so as not to interrupt the Regulated Entity's normal conduct of business; and
    c) no suspicion of ML/TF/PF risk should be involved.
  32. To mitigate the risk of delayed verification, a Regulated Entity is required to adopt risk management procedures relating to the conditions under which the customer may utilize the business relationship prior to verification.
  33. A Regulated Entity is expected to take measures to manage the risk of delayed verification, which may include limiting the number, type and amount of transactions that can be performed.
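The following is an added illustration, not part of the SEC's Guidelines, of how the delayed-verification conditions in Guidelines 30 to 33 can be enforced as a pre-transaction gate: only low-risk customers qualify, suspicion or a non-essential delay disqualifies, the verification deadline is computed as fourteen working days from account opening, and the number, type and amount of transactions are capped until verification completes. The working-day calendar (Monday to Friday, minus a supplied holiday list), the `PendingAccount` record layout and the specific limit values in `PreVerificationLimits` are assumptions of this example; the Guidelines set no such figures.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Guideline 31(a): verification not later than fourteen working days from opening.
VERIFICATION_DEADLINE_WORKING_DAYS = 14


def add_working_days(start: date, days: int, holidays: frozenset[date] = frozenset()) -> date:
    """Count forward `days` working days from `start`. Assumption of this example:
    a working day is any Monday to Friday not listed in `holidays`."""
    current, counted = start, 0
    while counted < days:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            counted += 1
    return current


@dataclass
class PendingAccount:
    """Account opened under delayed verification (hypothetical record layout)."""
    customer: str
    risk_rating: str                 # "low", "medium" or "high" from the entity's risk profiling
    opened_on: date
    verified_on: Optional[date] = None
    suspicion_raised: bool = False   # Guideline 31(c)
    delay_essential: bool = True     # Guideline 31(b), as recorded by the entity


@dataclass(frozen=True)
class PreVerificationLimits:
    """Guideline 33: limit the number, type and amount of transactions before
    verification. These values are constructed for the example, not prescribed."""
    max_transactions: int = 3
    max_single_amount: float = 500_000.0
    allowed_types: frozenset[str] = frozenset({"buy"})


def delayed_verification_permitted(acct: PendingAccount) -> tuple[bool, str]:
    """Guidelines 28, 30, 31(b) and 31(c): low risk only, delay essential, no suspicion."""
    if acct.risk_rating != "low":
        return False, "not low risk: verify before the relationship starts (Guidelines 28, 30)"
    if acct.suspicion_raised:
        return False, "suspicion of ML/TF/PF: delayed verification not available (31(c))"
    if not acct.delay_essential:
        return False, "delay not essential to normal conduct of business (31(b))"
    return True, "delayed verification available"


def verification_deadline(acct: PendingAccount, holidays: frozenset[date] = frozenset()) -> date:
    """Last working day on which verification may still be completed (31(a))."""
    return add_working_days(acct.opened_on, VERIFICATION_DEADLINE_WORKING_DAYS, holidays)


def authorise_transaction(acct: PendingAccount, tx_type: str, amount: float,
                          prior_count: int, today: date,
                          limits: PreVerificationLimits = PreVerificationLimits(),
                          holidays: frozenset[date] = frozenset()) -> tuple[bool, str]:
    """Gate a single transaction on an account whose customer is not yet verified.
    `prior_count` is the number of transactions already performed before verification."""
    if acct.verified_on is not None:
        return True, "customer verified"
    ok, reason = delayed_verification_permitted(acct)
    if not ok:
        return False, reason
    deadline = verification_deadline(acct, holidays)
    if today > deadline:
        # Guideline 34: unable to complete CDD, so block and escalate the relationship.
        return False, f"verification overdue since {deadline}: block and apply Guideline 34"
    if tx_type not in limits.allowed_types:
        return False, f"transaction type {tx_type!r} not allowed before verification (33)"
    if prior_count >= limits.max_transactions:
        return False, "pre-verification transaction count exhausted (33)"
    if amount > limits.max_single_amount:
        return False, "amount exceeds pre-verification limit (33)"
    return True, f"permitted under delayed verification; verify by {deadline}"


if __name__ == "__main__":
    # Constructed sample: low-risk customer onboarded on Monday 6 October 2025.
    acct = PendingAccount("Sample Investor", "low", date(2025, 10, 6))
    print("deadline:", verification_deadline(acct))
    print(authorise_transaction(acct, "buy", 100_000.0, 0, date(2025, 10, 8)))
    print(authorise_transaction(acct, "sell", 100_000.0, 0, date(2025, 10, 8)))
    print(authorise_transaction(acct, "buy", 100_000.0, 0, date(2025, 10, 27)))
```

The deadline is computed from the opening date rather than from the first transaction, so that a customer who trades late in the window cannot extend it, and every refusal carries the guideline reference that justifies it, which is what an auditor reviewing the entity's risk management procedures under Guideline 32 will ask for.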

  34. Where a Regulated Entity is unable to comply with the relevant CDD measures, such Regulated Entity should:
    a) in relation to a new customer, not open the account, enter into the business relationship or perform the transaction; or
    b) in relation to an existing customer, terminate the business relationship with such customer and consider making a suspicious transaction report in relation to the customer.

3.2. Non-Governmental Organizations (NGOs), Not-for-Profit Organizations (NPOs) or Charities

  35. A Regulated Entity should conduct ECDD measures when entering into a relationship with NGOs, NPOs and Charities, to ensure that their accounts are used for legitimate purposes and that the transactions are commensurate with the declared objectives and purposes.
  36. (1) A Regulated Entity is required to open accounts in the name of the relevant NGO, NPO or Charity as per the title given in its constituent documents. (2) The individuals who are authorized to operate the accounts and the members of their governing bodies are also required to be subject to ECDD measures. (3) A Regulated Entity should ensure that the persons referred to in Guideline 37 (2) above are not affiliated with any entity or person designated as a proscribed entity or person, whether under the same name or a different name.
  37. No Regulated Entity should allow personal accounts of the members of the governing bodies of an NGO, NPO or Charity to be used for charity purposes or the collection of donations.
  38. (1) A Regulated Entity should review and monitor all existing relationships with NGOs, NPOs or Charities to ensure that those organizations, their authorized signatories, the members of their governing bodies and the beneficial owners are not linked with any entity or person designated as a proscribed entity or person, either under the same name or a different name. (2) In case of any suspicion based on similarity of names, the Regulated Entity should file an STR, take any other legal action, or both.

3.3. Customers from High-Risk Countries

  39. (1) A Regulated Entity should apply ECDD measures to business relationships and transactions with customers from high-risk countries. (2) The Secretary to the Ministry of the Minister to whom the subject of Foreign Affairs or the subject of Defense has been assigned, as the case may be, shall specify the high-risk countries referred to in Guideline 40 (1) above:
    a) based on the Financial Action Task Force (FATF) listing; or
    b) independently, taking into account the existence of strategic deficiencies in AML/CFT/CPF policies and the absence of sufficient progress in addressing those deficiencies in those countries; or
    c) as high-risk countries specified by the FIU on its official website.
  40. The type of ECDD measures applied under Guideline 40 (1) is expected to be effective and to correspond to the nature of the risk.
  41. In addition to ECDD measures, a Regulated Entity is required to apply appropriate countermeasures, as follows, for countries on the list of high-risk countries referred to in Guideline 40 (2), corresponding to the nature of the risk of the listed high-risk countries:
    a) limiting business relationships or transactions with the identified countries or with persons located in the country concerned;
    b) conducting enhanced external audit, with increased intensity and frequency, of branches and subsidiaries of the Regulated Entity or Regulated Entity Group located in the country concerned; and
    c) any other measure as may be specified by the FIU.

3.4. Regulated Entity which relies on a Third-Party

  42. Where any Regulated Entity is permitted to rely on a third-party financial institution or designated non-finance business to conduct CDD measures, including identification of the customer, identification of the beneficial owner and understanding the nature of the business or initiating the business, the ultimate responsibility for CDD measures should remain with the Regulated Entity relying on the third party, which should:
    a) obtain immediately the necessary information relating to CDD;
    b) take steps to satisfy itself that copies of identification data and other relevant documentation relating to CDD requirements will be made available by the third party upon request without delay; and
    c) satisfy itself that the third party is regulated, supervised or monitored, and has measures in place to adhere to CDD and record-keeping requirements in compliance with the FTRA.
  43. A Regulated Entity which relies on a third party is required to:
    a) have internal policies and procedures which enable the mitigation of ML/TF/PF risks to the international financial system, including those from countries that have been identified by the FATF as having strategic deficiencies in AML/CFT/CPF policies; and
    b) have regard to information available on the level of country risk when determining the country of a third party.
  44. The provisions of Guidelines 42 and 43 should apply in respect of a Regulated Entity which relies on a third party that is part of the same financial group or group of companies in the following circumstances:
    a) when applying CDD and record-keeping requirements and implementing AML/CFT/CPF programmes in accordance with the relevant written laws;
    b) when supervision is conducted by the FIU, the SEC or any relevant authority as to the implementation of CDD and record-keeping requirements and AML/CFT/CPF programmes at group level; and
    c) when any risk arising from a third party located in a high-risk country referred to in Guideline 40 is solely mitigated by the group's internal policies on AML/CFT/CPF.

4. Enhanced and Simplified Customer Due Diligence Measures

4.1. Enhanced Customer Due Diligence (ECDD) Measures for High-Risk Customers/Transactions

  45. Every Regulated Entity should examine and document, as far as reasonably possible, the background and purpose of all complex, unusual large transactions and all unusual patterns of transactions which have no apparent economic or lawful purpose. Where the ML/TF/PF risks are higher, a Regulated Entity is required to conduct ECDD measures for higher-risk business relationships, which may include:
    i. obtaining and verifying additional information on the customer (e.g. occupation, volume of assets, information available through public databases, internet search, etc.);
    ii. updating more regularly the identification data of the customer and beneficial owner;
    iii. obtaining and verifying additional information on the intended nature of the business relationship;
    iv. obtaining and verifying information on the source of funds or source of wealth of the customer;
    v. obtaining and verifying information on the reasons for intended or performed transactions;
    vi. obtaining the approval of senior management to commence or continue the business relationship; and
    vii. conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied and selecting patterns of transactions that need further examination.

4.2. Simplified CDD Measures for Low-Risk Customers/Transactions

  46. Where the ML/TF/PF risks are lower, and subject to the regulations, Regulated Entities are allowed to conduct simplified CDD measures, which should take into account the nature of the lower risk. The simplified measures should be commensurate with the lower risk factors (e.g. the simplified measures could relate only to customer acceptance measures or to aspects of ongoing monitoring). Examples of possible measures are:
    i. verifying the identity of the customer and the beneficial owner after the establishment of the business relationship (delayed verification);
    ii. reducing the frequency of customer identification updates;
    iii. reducing the degree of ongoing monitoring and scrutiny of transactions, based on a reasonable monetary threshold; and
    iv. not collecting specific information or carrying out specific measures to understand the purpose and intended nature of the business relationship, but inferring the purpose and nature from the type of transactions or business relationship established.
  47. Simplified CDD measures are not acceptable whenever there is a suspicion of ML/TF/PF, or where specific higher-risk scenarios apply.

5. Beneficial Ownership
48. Where there is a beneficial owner, a Regulated Entity is expected to obtain information to identify, and take reasonable measures to verify, the identity of the beneficial owner of the customer, using relevant information or data obtained from a reliable source that is adequate for the Regulated Entity to satisfy itself that it knows who the beneficial owner is. (Refer Schedule 3 for the detailed guidelines on Identification of Beneficial Ownership for Regulated Entities)
49. In identifying the beneficial owner, the provisions of the Companies (Amendment) Act, No. 12 of 2025 shall apply.
50. If the customer is a natural person, that person can be treated as the beneficial owner unless there are reasonable grounds to show that he/she is acting on behalf of another, or that another person is the beneficial owner of the property of the customer.
51. Where one or more natural persons are acting on behalf of a customer, a Regulated Entity is required to identify the natural persons who act on behalf of the customer and verify their identity. The authority of such persons to act on behalf of the customer should be verified through documentary evidence, including specimen signatures of the persons so authorized.
52. Where the customer is not a natural person, a Regulated Entity should take reasonable measures to understand the ownership and control structure of the customer and determine the natural persons who ultimately own or control the customer.
53. In the case of a customer that is a legal person or legal arrangement, a Regulated Entity should:
a) understand the nature of the customer's business and its ownership and control structure;
b) identify and verify the customer in terms of the requirements set out in Schedule 2 (Customer Due Diligence for Regulated Entities).
54. In order to identify the natural person, if any, who ultimately has a controlling ownership interest in a legal person, a Regulated Entity must at a minimum obtain, and take reasonable measures to verify, the following:
a) the identity of all directors and of all shareholders with an equity interest of more than ten per cent, with a requirement imposed on the legal person to inform the Regulated Entity of any change in such directors and shareholders;
b) if there is doubt as to whether the person with the controlling ownership interest is the beneficial owner, or where no natural person exerts control through ownership interest, the identity of the natural person, if any, exercising control of the legal person or arrangement, obtained through independent sources;
c) the authorization given for any person to represent the legal person or legal arrangement, whether by board resolution or otherwise;
d) where no natural person is identified under the preceding provisions, the identity of the relevant natural persons who hold the positions of senior management;
e) when a legal person's controlling interest is vested in another legal person, the identity of the natural person who controls that legal person.
55. In order to identify the beneficial owners of a legal arrangement, the Regulated Entity is required to obtain, and take reasonable measures to verify, the following:
a) for trusts, the identity of the author of the trust, the trustees, the beneficiary or class of beneficiaries, and any other natural person exercising ultimate effective control over the trust (including those who control through a chain of control or ownership); or
b) for other types of legal arrangements, the identities of persons in equivalent or similar positions.
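The look-through in paragraphs 54 and 55 is, in practice, a graph walk: apply the "more than ten per cent" controlling-interest test to each legal person's share register, recurse into any controlling holder that is itself a legal person (para 54(e)), and fall back first to control by other means (para 54(b)) and then to senior management (para 54(d)) when ownership yields no natural person. The following Python is an added illustration written for this page; it is not code from the SEC of Sri Lanka or from any Regulated Entity. The Party data model, the per-layer application of the threshold (rather than a multiplied look-through percentage), the explicit list of persons who control by other means, and the sample companies and names are all constructed assumptions.

```python
"""Resolving ultimate beneficial owners (UBOs) through a chain of legal persons.

Added illustration for this page; not code from the SEC of Sri Lanka or any
Regulated Entity. Assumptions not taken from the Guidelines: the Party data
model, applying the "more than ten per cent" test to each legal person's own
share register, and recording control by other means as an explicit list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "controlling interest": more than ten per cent of capital (para 54(a), Interpretation)
CONTROLLING_INTEREST_PCT = 10.0


@dataclass
class Party:
    name: str
    is_natural_person: bool = False
    acts_on_behalf_of: Optional[str] = None                 # para 50: principal, if any
    shareholders: Dict[str, float] = field(default_factory=dict)  # holder -> % of capital
    directors: List[str] = field(default_factory=list)
    controllers_by_other_means: List[str] = field(default_factory=list)  # para 54(b)
    senior_management: List[str] = field(default_factory=list)          # para 54(d)


def controlling_holders(entity: Party) -> Dict[str, float]:
    """Shareholders holding strictly more than the controlling-interest threshold."""
    return {h: p for h, p in entity.shareholders.items() if p > CONTROLLING_INTEREST_PCT}


def resolve_beneficial_owners(customer: str, registry: Dict[str, Party],
                              _path: frozenset = frozenset()) -> Dict[str, str]:
    """Map each ultimate beneficial owner of `customer` to the basis for the finding:
    natural_person_customer, ownership, control_by_other_means or senior_management."""
    if customer in _path:                    # circular holding (A owns B owns A): stop
        return {}
    _path = _path | {customer}
    party = registry[customer]

    if party.is_natural_person:              # para 50
        if party.acts_on_behalf_of:
            return resolve_beneficial_owners(party.acts_on_behalf_of, registry, _path)
        return {party.name: "natural_person_customer"}

    found: Dict[str, str] = {}
    for holder in controlling_holders(party):
        if registry[holder].is_natural_person:          # para 54(a)
            found[holder] = "ownership"
        else:                                           # para 54(e): look through
            found.update(resolve_beneficial_owners(holder, registry, _path))
    if found:
        return found
    if party.controllers_by_other_means:               # para 54(b)
        return {p: "control_by_other_means" for p in party.controllers_by_other_means}
    return {p: "senior_management" for p in party.senior_management}   # para 54(d)


def persons_to_identify(customer: str, registry: Dict[str, Party]) -> List[str]:
    """Directors and controlling shareholders (natural or legal) at every layer of the
    structure: the para 54(a) identify-and-verify list, distinct from the UBO list."""
    seen: set = set()
    out: List[str] = []

    def walk(name: str) -> None:
        if name in seen or registry[name].is_natural_person:
            return
        seen.add(name)
        entity = registry[name]
        for person in entity.directors + list(controlling_holders(entity)):
            if person not in out:
                out.append(person)
        for holder in controlling_holders(entity):
            walk(holder)

    walk(customer)
    return out


# Constructed sample structure; the companies and people are fictitious.
REGISTRY: Dict[str, Party] = {p.name: p for p in [
    Party("Alpha Trading (Pvt) Ltd", directors=["Nimal P.", "Sunil R."],
          shareholders={"Beta Holdings Ltd": 60.0, "Gamma Nominees Ltd": 35.0,
                        "Dilshan P.": 5.0}),
    Party("Beta Holdings Ltd", directors=["Nimal P."],
          shareholders={"Nimal P.": 55.0, "Kamala S.": 45.0}),
    # Gamma and Delta hold each other, so ownership yields no natural person;
    # Delta is controlled by other means (para 54(b)).
    Party("Gamma Nominees Ltd", directors=["Ruwan F."], shareholders={"Delta Ltd": 100.0}),
    Party("Delta Ltd", shareholders={"Gamma Nominees Ltd": 100.0},
          controllers_by_other_means=["Ruwan F."], senior_management=["Priya W."]),
    # Widely held: nobody above the threshold, so senior management is recorded (54(d)).
    Party("Zeta Ltd", shareholders={"Dilshan P.": 8.0, "Sunil R.": 9.0},
          senior_management=["Priya W."]),
    Party("Agent A.", is_natural_person=True, acts_on_behalf_of="Beta Holdings Ltd"),
] + [Party(n, is_natural_person=True) for n in
     ("Nimal P.", "Kamala S.", "Dilshan P.", "Ruwan F.", "Sunil R.", "Priya W.")]}

if __name__ == "__main__":
    for owner, basis in resolve_beneficial_owners("Alpha Trading (Pvt) Ltd", REGISTRY).items():
        print(f"{owner:10s} {basis}")
    print("identify and verify:", persons_to_identify("Alpha Trading (Pvt) Ltd", REGISTRY))
```

For the sample customer this yields three beneficial owners: two reached through the ownership chain and one reached through control by other means behind the circular Gamma/Delta holding, while the 5 per cent shareholder is excluded and the circular holding terminates instead of looping. Note that persons_to_identify returns a different set from resolve_beneficial_owners: it lists every director and every controlling shareholder, legal persons included, at each layer, which is what paragraph 54(a) requires the Regulated Entity to identify and verify, whereas the UBO list contains natural persons only. Both must be recorded, and the basis recorded against each UBO is what an examiner will ask for when a name was reached via senior management rather than ownership.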

6. Politically Exposed Persons (PEPs)
56. In relation to PEPs or their family members and close associates, a Regulated Entity should:
a) implement appropriate internal policies, procedures and controls to determine whether the customer or the beneficial owner is a PEP;
b) obtain approval from the Board of Directors of the Regulated Entity to enter into or continue a business relationship where the customer or a beneficial owner is a PEP or subsequently becomes a PEP;
c) identify, by appropriate means, the sources of funds and wealth, or the beneficial ownership of funds and wealth; and
d) conduct enhanced ongoing monitoring of business relationships with the PEP.
(Refer Schedule 4 Identification of Politically Exposed Persons for Regulated Entities)

7. Targeted Financial Sanctions
57. A Regulated Entity should verify whether any prospective customer or beneficiary appears on any list of designated persons or entities issued under any regulation made in terms of the United Nations Act, No. 45 of 1968, with respect to any designated list on targeted financial sanctions related to terrorism and terrorist financing or to the proliferation of weapons of mass destruction and its financing, and whether such prospective customer or beneficiary acts on behalf of, or under the direction of, such designated persons or entities, or for the benefit of such designated persons or entities. (Refer Schedule 5 on Sanction Screening for Regulated Entities)

8. Compliance Function & Training
58. A Regulated Entity should:
a) appoint a compliance officer for the Regulated Entity under the Rules of the FTRA, who is responsible for ensuring the Regulated Entity's compliance with the requirements of the FTRA, the Rules of the SEC Act and these Guidelines;
b) ensure that the compliance officer has prompt access to all customer records and other relevant information which may be required to discharge his/her functions;
c) develop and implement a comprehensive employee due diligence and screening procedure, to be carried out at the time of appointing or hiring all employees, whether permanent, contractual or outsourced; and
d) regularly design and implement suitable training programmes for relevant employees, including the Board of Directors, in order to effectively implement the regulatory requirements and internal policies and procedures relating to ML/TF/PF risk management.

9. Suspicious Transactions & Mandatory Reporting
59. A Regulated Entity should obtain information on, and examine the background and purpose of, all complex and unusually large transactions and all unusual patterns of transactions which have no apparent economic or prima facie lawful purpose.
60. The background and purpose of such transactions should be inquired into, and the findings kept on record, with a view to making that information available to the relevant competent authority when required and to making an STR.
61. A Regulated Entity is required to report transactions inconsistent with these Guidelines to the Regulated Entity's compliance officer for appropriate action.
62. (1) A Regulated Entity is required to periodically review the adequacy of the customer information obtained in respect of customers and beneficial owners and to ensure that the information is kept up to date, particularly for higher-risk categories of customers. (2) The review period and the procedures for the review shall be decided by each Regulated Entity in its internal policy for combating money laundering and terrorist financing, according to the risk-based approach.
63. The frequency of ongoing CDD or ongoing ECDD is required to be commensurate with the level of money laundering and terrorist financing risk posed by the customer, based on the customer's risk profile and the nature of its transactions.
64. When conducting ECDD, a Regulated Entity is required to increase the number and timing of the controls applied and to select the patterns of transactions that need further examination.
65. A Regulated Entity is required to perform such CDD measures as may be appropriate for its existing customers, having regard to its own assessment of materiality and risk but without compromising the identity and verification requirements. In assessing the materiality and risk of an existing customer, a Regulated Entity may consider the following:
a) the nature and circumstances surrounding the transaction, including the significance of the transaction;
b) any material change in the way the account or business relationship is operated; or
c) the insufficiency of information held on the customer, or a change in the customer's information.

66. A Regulated Entity should conduct CDD on existing customer relationships at appropriate times, taking into account whether and when CDD measures have previously been conducted and the adequacy of the data obtained.
67. If an existing customer provides unsatisfactory information relating to CDD, the relationship with that customer should be treated as a high-risk relationship and be subject to ECDD measures.
68. Where a Regulated Entity forms a suspicion of ML/TF/PF relating to a customer and reasonably believes that carrying out the CDD measures would tip off the customer, it should discontinue the CDD measures, proceed with the transaction and immediately file an STR. (Refer Schedule 6 Suspicious Transaction Reporting for Regulated Entities)

10. Record Keeping
69. A Regulated Entity should maintain all records of transactions, both domestic and international, including the results of any analysis undertaken (such as inquiries to establish the background and purpose of complex, unusually large transactions), for a minimum period of six years from the completion of the transaction.
70. The records should be sufficient to permit reconstruction of individual transactions, including the nature and date of the transaction, the type and amount of currency involved and the type and identifying number of the accounts involved, so that they can be produced in a court of law as evidence when necessary. Transaction records may be maintained in document form, by electronic means, on microfilm or in any other form that may be admissible as evidence in a court of law.
71. Records of identification data obtained through the CDD process, such as copies of identification documents, account-opening forms, know-your-customer documents, verification documents and other documents, along with account files and business correspondence, are required to be maintained for a minimum period of six years commencing from the date on which the business relationship was fulfilled or the occasional transaction was effected.
72. The records are required to be kept up to date and retained either in original form or as copies bearing the Regulated Entity's attestation.
73. A Regulated Entity is expected to retain the above records for a longer period where the transactions, customers or accounts concerned are involved in litigation or are required to be produced in a court of law or before any other authority.
74. A Regulated Entity is required to ensure that all CDD information and transaction records are available immediately to the FIU, the SEC and any other authority that performs the functions of investigating and prosecuting ML/TF/PF-associated offences and of seizing, freezing and confiscating assets relating to such offences.

11. Interpretation
75. In these Guidelines:
The words and terms defined in the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 shall, unless the context requires otherwise, have the same meaning assigned to them in the said Act;
"beneficiary" means a person to whom, or for whose benefit, funds are sent, deposited or paid to a Regulated Entity, and may include a beneficiary Regulated Entity;
"beneficial owner" means a natural person who ultimately owns or controls a customer, or the person on whose behalf a transaction is being conducted, and includes the person who exercises ultimate effective control over a person or a legal arrangement;
"customer", in relation to a transaction or an account, includes: (a) the person in whose name a transaction or an account is arranged, opened or undertaken; (b) a signatory to a transaction or an account; (c) any person to whom a transaction has been assigned or transferred; (d) any person who is authorized to conduct a transaction; or (e) such other person as may be prescribed;
"close associate" includes: (a) a natural person having joint beneficial ownership of legal entities and legal arrangements, or any other close business relationship; and (b) a legal person or legal arrangement whose beneficial owner is a natural person and which is known to have been set up for the benefit of such person or his immediate family members;
"controlling interest" means an interest acquired by providing more than ten per cent of the capital of a legal person;
"existing client" means a client who commenced a business relationship on or before the date these Guidelines came into force;
"Financial Action Task Force" means the independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction;

"immediate family member" includes the spouse, children and their spouses or partners, parents, siblings and their spouses, and grandchildren and their spouses;
"legal person" means any entity other than a natural person that is able to establish a permanent customer relationship with a Regulated Entity or otherwise owns property, and includes a company, a body corporate, a foundation, a partnership or an association;
"legal arrangement" includes an express trust, a fiduciary account or a nominee;
"majority-owned subsidiary" means a subsidiary of a group of companies of which fifty per cent or more of the shares are owned by the parent company;
"money laundering" means the offence of money laundering in terms of section 3 of the Prevention of Money Laundering Act, No. 5 of 2006;
"person" means a natural or legal person and includes a body of persons, whether incorporated or unincorporated, and a branch incorporated or established within or outside Sri Lanka;
"politically exposed person" means an individual who is entrusted with prominent public functions, whether domestically, by a foreign country or in an international organization, and includes a Head of State or of Government, a politician, a senior government officer, judicial officer or military officer, and a senior executive of a State-owned corporation, Government or autonomous body, but does not include middle-rank or junior-rank individuals;
"Regulated Entity/Entities" means all trading participants, depository participants, market institutions, market intermediaries and trustees of collective investment schemes as defined in the SEC Act, No. 19 of 2021;
"Regulated Entity group" means a group of companies that consists of a parent company, or other type of legal person, exercising control and a coordinating function over the rest of the group for the application of group supervision under the anti-money laundering, suppression of terrorist financing and countering proliferation financing policies and procedures, together with the branches and subsidiaries that are subject thereto;
"risk-based approach", in relation to the application of CDD measures to manage and mitigate money laundering, terrorist financing and proliferation financing risks, means identifying, assessing and understanding the money laundering, terrorist financing and proliferation financing (ML/TF/PF) risks to which customers are exposed and taking the most appropriate measures to mitigate those risks, including the use of simplified CDD measures in the case of customers with lower risk levels and the use of enhanced CDD measures in the case of customers with higher risk levels;
"SEC Act" means the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021;
"Suspicious Transaction Report" means a report of a suspicious transaction or attempted transaction as per section 7 of the FTRA;
"terrorist financing" means an act constituting an offence connected with the financing of terrorism under the Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005; and
"threshold report" means a report under section 6 of the FTRA.

12. Schedules
Schedule 1: Money Laundering & Terrorist Financing Risk Management for Regulated Entities
Schedule 2: Customer Due Diligence for Regulated Entities
Schedule 3: Identification of Beneficial Ownership for Regulated Entities
Schedule 4: Identification of Politically Exposed Persons for Regulated Entities
Schedule 5: Sanction Screening for Regulated Entities
Schedule 6: Suspicious Transactions Reporting for Regulated Entities

Schedule 1: Money Laundering & Terrorist Financing Risk Management for Regulated Entities
Contents
A. Risk Management
B. Risk Management Framework: Corporate Governance
  I. Board of Directors (BoD)
  II. Senior Management
C. The Risk Management Function
  I. Policies and Procedures
  II. Internal Controls
  III. The Compliance Function
D. Risk Monitoring and Reporting
E. Assessing ML/TF/PF Risk: Some Guidance
  I. Identification of Vulnerabilities
  II. Risk Assessment
  III. Risk Mitigation
F. Risk Management Strategies
Annexure

A. Risk Management

  1. Every Regulated Entity should identify and analyze ML/TF/PF risks present within the Regulated Entity and design and effectively implement policies and procedures that are commensurate with and mitigate the identified risks, in order to ensure sound ML/TF/PF risk management.
  2. In conducting a comprehensive risk assessment to evaluate ML/TF/PF risks, every Regulated Entity should consider all the relevant risk factors present in its customer base, products, delivery channels and services offered (including products under development or to be launched) and the jurisdictions within which it or its customers do business.
  3. Risk assessments should be based on specific operational and transactional data and other internal information collected by the Regulated Entity as well as external sources of information such as national risk assessments conducted by Sri Lanka and by governmental agencies of foreign jurisdictions where the Regulated Entity has business relationships, either through customers or branch/subsidiary networks, country reports from reliable international and regional organizations, including reports and reviews prepared by the Financial Action Task Force (FATF), FATF-style regional bodies such as the Asia/Pacific Group on Money Laundering (APG), International Monetary Fund (IMF) and World Bank publications, and information from reliable commercial intelligence providers.
  4. A Regulated Entity is required to have a risk management framework to address ML/TF/PF risks. Such a framework includes policies, controls and procedures that enable it to identify, measure, monitor, control and effectively mitigate the ML/TF/PF risks that have been identified.
B. Risk Management Framework
Corporate Governance
  5. The SEC expects a Regulated Entity to establish a robust and effective corporate governance framework that ensures transparency, accountability and high ethical conduct in all aspects of its operations. A Regulated Entity should adopt a Code of Ethics that promotes consistently high standards of ethical conduct by all employees, including management. A sound corporate governance framework includes the use of effective policies and procedures, monitoring and reporting mechanisms and internal controls. Measures that ensure appropriate separation of functions and the avoidance of conflicts of interest are essential hallmarks of an effective corporate governance regime. The Board of Directors (BoD) is ultimately responsible for establishing a corporate vision, strategy and business model and for overseeing a Regulated Entity's corporate governance culture, and is expected to develop mechanisms, including board committees, to achieve this objective. Senior management is responsible for ensuring the effective functioning of the corporate governance framework on a day-to-day basis.

I. Board of Directors (BoD)
6. Members of the BoD should have a good understanding of the Regulated Entity's business model and operations and of the general business climate in which it operates. They should have the qualifications and experience necessary to understand the Regulated Entity's business model and operations and how these relate to Sri Lanka's general economic and social environment. The BoD should ideally comprise both executive and non-executive directors, to ensure a desirable level of independence from the Regulated Entity's management function.
7. The BoD should establish the Regulated Entity's overall risk appetite and should ensure that mechanisms are in place to effectively mitigate risk. The BoD must ensure that appropriate policies, procedures and controls are in place to manage such risks, and should also ensure that arrangements are in place for effective reporting on all issues related to the functioning of the risk management framework. The BoD is ultimately responsible for the Regulated Entity's operations, its management of the risks to which it is exposed and its compliance with all laws, regulations and guidelines to which it is subject.
II. Senior Management
8. A Regulated Entity's senior management is responsible for implementing the corporate vision, strategy and business model approved by the BoD. Senior management should demonstrate a firm understanding of all aspects of the Regulated Entity's business model and is responsible for developing the components of the risk management framework. Senior management is responsible for ensuring that the Regulated Entity has all the resources necessary to manage risk effectively. It is also responsible for ensuring that effective communication and reporting arrangements are in place to support good risk management practices. This includes ensuring that all staff members are aware of the requirements of the risk management framework and of their specific roles and responsibilities. Senior management is responsible for ensuring that internal reporting mechanisms, including reports to be sent to the BoD, are developed to provide accurate and timely information relevant to the effective management of risks.
C. The Risk Management Function
9. The SEC expects Regulated Entities to develop an effective risk management function. The risk management function is responsible for ensuring that the Regulated Entity effectively identifies, measures, monitors, controls and mitigates risks. From a day-to-day operational perspective, risk management supports senior management and the BoD in achieving the ML/TF/PF risk management objectives discussed in this Schedule. The risk management function should be commensurate with the size, nature and complexity of the Regulated Entity's business model and operations.

I. Policies and Procedures
10. The SEC expects senior management to develop policies and procedures to effectively manage the ML/TF/PF risks that arise from a Regulated Entity's operations. Policies and procedures developed by senior management should be approved by the BoD. Policies and procedures should set out the day-to-day measures that should be employed to ensure that the Regulated Entity effectively identifies, measures, monitors and controls ML/TF/PF risks. They should therefore be developed to reflect the risks implicit in a Regulated Entity's customers, products and services, delivery channels and geographic regions. Policies and procedures should be comprehensively documented and communicated to all staff. They should also be subject to periodic review to ensure they remain appropriate in light of changes to the Regulated Entity's ML/TF/PF risk profile.
11. Policies and procedures should clearly set out lines of responsibility and accountability for the execution of the risk management function and should also establish effective reporting lines for all persons and business units involved in the management of ML/TF/PF risks.
12. An effective risk management framework should establish limits in the context of the Regulated Entity's stated appetite for ML/TF/PF risk and the overall effective implementation of the risk management system. Policies and procedures should limit, for example, a Regulated Entity's exposure to the ML/TF/PF risks arising from specific types of customers, products and services, delivery channels and geographic regions. An effective ML/TF/PF risk management framework should include a mechanism to report incidents where established limits have been breached and the frequency of such events.
II. Internal Controls
13. An ongoing system of internal controls is an essential component of a risk management framework. A Regulated Entity is expected to employ measures on an ongoing basis to ensure adherence to established policies and procedures as well as to relevant laws, regulations and guidelines.
14. Arrangements should be in place to reinforce the "four eyes" principle and to avoid conflicts of interest. Measures should be employed, for example, to ensure adequate separation between operational and control functions, such as front-office and back-office activities.
15. A Regulated Entity is expected to develop effective internal audit arrangements. The internal audit function should be an independent function with a direct reporting line to the Board Audit Committee. The internal audit function should periodically assess the effectiveness of the Regulated Entity's ML/TF/PF risk management framework and practices, paying specific attention to the Regulated Entity's adherence to established policies, procedures and limits and to applicable laws, regulations and guidelines.

16. A Regulated Entity is also expected to ensure that its ML/TF/PF risk management framework and practices are subject to external audit review.
III. The Compliance Function
17. The SEC expects a Regulated Entity to develop an effective compliance function as a component of its ML/TF/PF risk management framework. The compliance function should be commensurate with the size, nature and complexity of the Regulated Entity's business model and operations. The compliance function is separate from the internal audit function, as it is a component of a Regulated Entity's day-to-day operational activity. The compliance function should, on an ongoing basis, assess the extent to which the Regulated Entity is complying with established policies, procedures and limits and with the obligations arising from applicable laws, regulations and guidelines. The effectiveness of the compliance function rests heavily on the effectiveness with which the Management Information System (MIS) generates accurate and timely reports related to the management of ML/TF/PF risks. The compliance officer should possess sufficient seniority and knowledge and be up to date with recent laws and regulations.
D. Risk Monitoring and Reporting
18. To effectively control and mitigate risk, a Regulated Entity may need to develop MIS systems that provide reliable data on the quantity and nature of ML/TF/PF risks and the effectiveness with which those risks are being mitigated. The MIS system used by a Regulated Entity should be commensurate with the size, nature and complexity of its business model and operations. Such systems should constantly measure ML/TF/PF risks and changes in the nature of such risks, and should also report on adherence to the policies and procedures designed to mitigate them. The system should, for example, not only identify instances in which policies and procedures have been breached but also maintain a record of all such incidents. The system should provide timely reports to all business units and senior management to allow them to make judgments on the measures necessary to manage risks. Reports should also be prepared and submitted to senior management and the BoD indicating how well the Regulated Entity is managing risk and highlighting instances of breaches of risk management policies, procedures and limits and of obligations arising from applicable laws, regulations and guidelines.
Training
19. The SEC expects Regulated Entities to have effective arrangements in place to train their staff on all issues related to their AML/CFT/CPF regime. It is important that staff understand the Regulated Entity's inherent ML/TF/PF risks and the nature of the measures that have been developed to mitigate these risks. Training must be provided to all staff upon joining the Regulated Entity and should be an ongoing activity. Apart from the general training provided to all staff, targeted training programs should be developed for specific categories of staff in light of the nature of their work in the context of ML/TF/PF risks. AML/CFT/CPF awareness-raising programs should be conducted for members of the BoD.

E. Assessing ML/TF/PF Risk – Some Guidance
20. The following guidance sets out a methodology for the conduct of an assessment of ML/TF/PF risks by a Regulated Entity. It is not mandatory to follow this methodology; however, the SEC requires that each Regulated Entity undertake a comprehensive assessment of its ML/TF/PF risks and develop appropriate risk management processes.
I. Identification of Vulnerabilities
21. A Regulated Entity should consider the following areas when identifying the risk factors of its business that make it susceptible to ML/TF/PF.
i. The nature, size and complexity of the business
The size and complexity of a Regulated Entity play an important role in how attractive or vulnerable it is to ML/TF. For example, a large Regulated Entity is less likely to know its customers personally, and this could offer a greater degree of anonymity to customers than a smaller Regulated Entity would. Similarly, a Regulated Entity that conducts complex transactions across international jurisdictions could offer greater opportunities for ML/TF/PF than a purely domestic business.
ii. The products and services the business offers
Some products and services are more attractive for ML/TF. When considering whether the products and services the business offers could be susceptible or attractive for ML/TF, the following is a list of indicators (not exhaustive) of ML/TF/PF risk arising from products and services commonly offered by a Regulated Entity:

  • non- face-to-face business relationship or transaction
  • payment received from unknown or unrelated third parties
  • any new product or service developed
iii. The types of customers the Regulated Entity deals with
Listed below are some indicators (not an exhaustive list) of ML/TF/PF risk arising from customers. Categories of customers that pose a higher risk of ML/TF/PF can include:
  • new customers that wish to carry out a large transaction(s)
  • non-face-to-face customer on-boarding
  • customers involved in occasional or one-off transactions above the threshold (either specified in the FTRA, the Customer Due Diligence (CDD) Rules or the Regulated Entity’s internal limits)
  • customers who use complex business structures that offer no apparent financial benefits


  • customer or a group of customers making numerous transactions to the same individual or group
  • customers who are Politically Exposed Persons (PEPs)
  • customer who has a business which involves large amounts of cash
  • customer whose identification is difficult to check
  • customer who brings in large amounts of used notes and/or small denomination notes.
  • customers conducting their business relationship or transactions in unusual circumstances for example: significant and unexplained geographic distance between the Regulated Entity and the location of the customer, frequent and unexplained movement of accounts to different institutions, frequent and unexplained movement of funds between institutions in various geographic locations.
  • non-resident customers
  • corporate customers whose ownership structure is unusual and excessively complex
  • customers whose origin of wealth and/or source of funds cannot be easily verified or where the audit trail appears to be broken and/or unnecessarily layered
  • customers that are non-profit organizations
  • customers who conduct business through or are introduced by "gatekeepers" such as accountants, lawyers, or other professionals
  • customers of a type that have been identified in National or Sector Risk Assessments as higher risk

iv. The countries that the Regulated Entity deals with

A Regulated Entity should give consideration to the following factors as indicators of higher risk for ML/TF:
  • any country subject to United Nations sanctions embargoes or similar measures
  • any country identified by credible sources such as the FATF as lacking adequate AML/CFT and CPF systems
  • any country which is identified by credible sources as having a significant level of corruption, tax evasion, and other criminal activity
  • any country identified by credible sources as supporting TF


  • any country that is identified by credible sources as a tax haven

v. The business delivery methods or channels

The way the Regulated Entity delivers its products and services affects its vulnerability to ML/TF/PF. The following are some indicators (not an exhaustive list) that may help to identify ML/TF/PF risk involved with business delivery methods or channels:
  • non-face-to-face customers (via post, telephone, internet) that pose challenges for verifying the identity of the account holder/customer
  • indirect relationships with customers (via intermediaries, gatekeepers, pooled accounts)

II. Risk Assessment
  1. Having identified the threats involved, a Regulated Entity needs to assess and measure ML/TF/PF risk in terms of the likelihood (the chance of the risk event occurring) and the impact (the amount of loss or damage if the risk event occurs). The risk associated with an event is a combination of the likelihood that the event will occur and the seriousness of the damage it may do.

Likelihood Scale

  2. A likelihood scale refers to the potential of an ML/TF/PF risk occurring in the business for the particular risk being assessed. Three levels of likelihood of ML/TF/PF risk are shown below, but a Regulated Entity can have as many scales as are necessary for its circumstances.
     i. Very likely - Almost certain;
     ii. Likely - High probability;
     iii. Unlikely - Low probability, but not impossible.

Impact Scale
  3. An impact refers to the seriousness of the damage that is likely to be caused if the ML, TF or PF occurs. In assessing the possible impact or consequences, the assessment should be made from a range of viewpoints relevant to the business. Those set out below are not exhaustive. The impact of ML/TF/PF occurring could, depending on the individual Regulated Entity and its business circumstances, be rated or looked at from the point of view of:
     i. how it may affect the business in terms of financial loss relating to market perceptions (for example loss of investor confidence) and reputation, or through fines or other sanctions (such as loss or suspension of business licenses) imposed by a regulator;
     ii. the risk that a particular transaction may be seen to contribute to the activities of a terrorist or terrorist organization;
     iii. the risk that a particular transaction may result in funds being used for any unlawful activity as defined in Section 33 of the FTRA;
     iv. how it may affect the reputation of the Regulated Entity if it is found to have aided, been investigated or prosecuted for, or otherwise been implicated in an illegal act, which may lead to loss of important commercial relationships or being shunned by the community of customers or shareholders/investors.

  25. Three levels of impact of an ML/TF/PF risk to a Regulated Entity are shown below as an example. However, the SEC encourages a Regulated Entity to develop its own ML/TF/PF risk processes and assessments for dealing with certain customers/undertaking transactions in the way that best suits its business model/activities.
     i. Major - significant consequences that inflict substantial damage, possibly resulting in the closure of the Regulated Entity, cessation of business activities, regulatory sanctions being imposed or financial/reputational damage being experienced by the Regulated Entity which will have a significant impact on business activities.
     ii. Moderate - moderate impact, involving substantial damage to the business and its reputation.
     iii. Minor - minor or negligible consequences or effects upon the Regulated Entity.

  26. Based on the likelihood and impact scales, it is suggested that a Regulated Entity should assess an overall risk score. The risk rating may be used to aid decision making and help in deciding what action to take in view of the overall risk. A suggested risk rating derivation can be seen in the risk matrix (Annex 1 of Schedule 1). However, a Regulated Entity is encouraged to adopt its own approach to assessing, identifying and quantifying ML/TF/PF risk. Irrespective of the methodology adopted, the SEC requires a Regulated Entity to develop a framework and implement practices to effectively identify, measure, monitor, control and mitigate ML/TF/PF risks as required by the FTRA and the CDD Rules issued by the FIU.
     i. Extreme - risk almost certain to happen and/or to have very serious consequences on the Regulated Entity, including its financial standing and reputation. Response: Do not allow the transaction to occur or the customer relationship to be established, or reduce the risk to an acceptable level through risk mitigation, such as enhanced due diligence.
     ii. High - risk likely to happen and/or to have serious consequences. Response: Do not allow the transaction/establishment of the customer relationship until the risk is reduced through risk mitigation, such as enhanced due diligence.
     iii. Medium - possible this could happen and/or have moderate consequences. Response: Mitigate risk; normal CDD and other requirements apply.
     iv. Low - unlikely to happen and/or have minor or negligible consequences. Response: Mitigate risk; simplified CDD and other requirements apply.

III. Risk Mitigation

  27. Once the Regulated Entity assesses the ML/TF/PF risk of an individual customer, product/service, delivery channel and risks related to geographic region, it should develop strategies, policies and procedures to manage and mitigate the risk. Examples of risk reduction or mitigation are:
     i. Setting transaction limits for high-risk products or delivery channels;
     ii. Having a management approval process for higher risk customers, products, services, or delivery channels;
     iii. Risk rating customers and applying different requirements for high or low risk customers, including applying different identification and verification methods and enhanced customer due diligence requirements;
     iv. Not accepting customers who wish to transact with a high-risk country or customers that are considered to be higher risk based on the Regulated Entity’s board-approved customer acceptance policy.

F. Risk Management Strategies

  28. A Regulated Entity shall adopt the following components, among others, as part of its risk management strategy:
     i. Develop and implement ML/TF/PF risk management objectives at the board and senior management level of the Regulated Entity and monitor progress of implementation of those objectives.
     ii. Implement clearly defined management responsibilities and accountabilities regarding ML/TF/PF risk management.
     iii. Provide adequate staff resources to undertake functions associated with ML/TF/PF risk management.
     iv. Introduce staff reporting lines from the ML/TF/PF risk management system level to the board or senior management level, with direct access to the board members or senior managers responsible for overseeing the system.
     v. Implement procedural controls relevant to particular services and products, customers, and delivery channels that have been identified as being vulnerable to ML/TF/PF.

     vi. Document all ML/TF/PF risk management policies and ensure that these are kept up to date and reviewed regularly, reflecting both the scope and nature of the Regulated Entity’s activities and the findings of risk assessments conducted by authorities. Such policies should also identify processes relating to non-compliance, including reporting of suspicious transactions to the FIU.
     vii. Provide appropriate training programs for staff to develop expertise in the identification of ML/TF/PF risks across the Regulated Entity, including reporting of suspicious transactions.
     viii. Develop an effective information management system which produces detailed and accurate financial, operational and compliance data relevant to ML/TF/PF risk management.

Annex 1 of the Schedule 1

Overall AML/CFT Risk (likelihood down the side, impact across the top):

                            Impact
  Likelihood      Minor      Moderate    Major
  Very Likely     Medium     High        Extreme
  Likely          Low        Medium      High
  Unlikely        Low        Low         Medium

Schedule 2

Customer Due Diligence for Regulated Entities

Contents
  A. Individual Client
  B. Proprietorship/Partnership Accounts
  C. Corporations/Limited Liability Company
  D. Clubs, Societies, Charities, Associations and Non-Governmental Organizations
  E. Trust Nominees and Fiduciary Accounts
  F. Stocks and Securities Sector Specific Requirements

A. Individual Client

(a) The following information shall be obtained:-
(a1) In the case of all clients –
  (i) Full name as appearing in the identification document;
  (ii) Official personal identification or any other identification document that bears a photograph of the customer (ex: national identity card, valid passport, or valid driving licence);
  (iii) Permanent address as appearing on the identification document. If the residential address differs from the permanent address, the residential address shall be supported by a utility bill not more than three months old or any other reliable proof of residence. Utility bills are specified as an electricity bill, water bill or fixed line telephone operator's bill. No post-box number shall be accepted except for State owned enterprises. In the case of 'C/o', the property owner's consent and other relevant address verification documents are required to be obtained;
  (iv) Telephone number, e-mail address, bank account details;
  (v) Date of Birth;
  (vi) Nationality;
  (vii) Occupation, business, public position held and the name of the employer and geographical areas involved (if available);
  (viii) Purpose for which the account is opened (ex: investment, trading, etc.);
  (ix) Expected turnover/volume of business;
  (x) Expected mode of transactions (ex: cash, cheque, etc.);
  (xi) Satisfactory reference, as applicable; and
(a2) In the case of non-resident customers –
  (i) The reason for opening the account in Sri Lanka;
  (ii) Name, address and the copy of passport of the person or persons authorized to give instructions;
(b) The following documents shall be obtained (each copy shall be verified against the original):-
  (i) Copy of identification document;

  (ii) Copy of address verification document;
  (iii) Copy of the valid visa/permit in the case of accounts for non-national customers.

B. Proprietorship/Partnership Accounts

(a) The following information shall be obtained:-
  (i) Full names of the partners or proprietors as appearing in the business registration document;
  (ii) Nature of the business;
  (iii) Registered address or the principal place of business;
  (iv) Identification details of the proprietor/partners as in the case of individual accounts;
  (v) Contact telephone, fax numbers;
  (vi) Income Tax file number;
  (vii) The extent of the ownership controls;
  (viii) Other connected business interests;
(b) The following documents shall be obtained (each copy shall be verified against the original):-
  (i) Copy of the business registration document;
  (ii) Proprietors' information / Partnership Deed;
  (iii) Copy of identification and address verification documents.

C. Corporations/Limited Liability Company

(a) The following information shall be obtained:-
  (i) Registered name and the Business Registration Number of the institution;
  (ii) Nature and purpose of business;
  (iii) Registered address of the principal place of business;
  (iv) Mailing address, if any;
  (v) Telephone/Fax/E-mail;
  (vi) Income Tax file number;

  (vii) Bank references (if applicable);
  (viii) Identification of all Directors as in the case of individual clients;
  (ix) List of major shareholders with equity interest of more than ten percent (in cases where such a major shareholder is not a natural person, the Regulated Entity should identify and verify the natural person(s) who ultimately own or control that legal person, whether directly or indirectly);
  (x) Lists of subsidiaries and affiliates;
  (xi) Details of names of the signatories;
  Note: In the case of companies listed on the Stock Exchange of Sri Lanka licensed under the Securities and Exchange Commission of Sri Lanka Act, No. 19 of 2021 or any other stock exchange subject to disclosure requirements ensuring adequate transparency of the beneficial ownership, the Regulated Entity may use the information available from reliable sources to identify the directors and major shareholders;
(b) The following documents shall be obtained (each copy shall be verified against the original):-
  (i) Copy of the Certificate of Incorporation;
  (ii) Copy of Form 40 (Registration of an existing company) or Form 1 (Registration of a company) under the Companies Act and Articles of Association;
  (iii) Board Resolution authorizing the opening of the account;
  (iv) Copy of Form 20 (Change of Directors/Secretary and Particulars of Directors/Secretary) under the Companies Act;
  (v) Copy of Form 44 (Full address of the registered or principal office of a company incorporated outside Sri Lanka and its principal place of business established in Sri Lanka) under the Companies Act;
  (vi) Copy of Form 45 (List and particulars of the Directors of a company incorporated outside Sri Lanka with a place of business established in Sri Lanka) under the Companies Act;
  (vii) Copy of the Board of Investment Agreement if a Board of Investment approved company;
  (viii) Copy of the Export Development Board (EDB) approval letter if an EDB approved company;
  (ix) Copy of the certificate to commence business if a public quoted company;

  (x) Name of the person or persons authorized to give instructions for transactions with a copy of the Power of Attorney or Board Resolution, as the case may be;
  (xi) Latest audited accounts if available;
  (xii) Latest Ultimate Beneficial Ownership details as required by the Companies (Amended) Act No. 12 of 2025.
  Note: The above documents should apply to a company registered abroad as well. The non-documentary methods in the absence of the above documents would entail a search at the Credit Information Bureau (CRIB), bank references, site visits and visiting the business website of the customer.

D. Clubs, Societies, Charities, Associations and Non-Governmental Organizations

(a) The following information shall be obtained:-
  (i) Registered Name and the Registration Number of the institution;
  (ii) Registered address as appearing in the Charter, Constitution etc.;
  (iii) Identification of at least two office bearers, signatories, administrators, members of the governing body or committee or any other person who has control and influence over the operations of the entity, as in the case of individual accounts;
  (iv) Committee or Board Resolution authorizing the account opening;
  (v) The source and level of income/funding;
  (vi) Other connected institutions/associates/organizations;
  (vii) Telephone/Facsimile numbers/E-mail address.
(b) The following documents shall be obtained and be verified against the original:-
  (i) Copy of the registration document/constitution/charter etc.;
  (ii) Board Resolution authorizing the account opening;
  (iii) Name of the persons authorized to give instructions for transactions with a copy of the Power of Attorney or Board/Committee Resolution;

E. Trust Nominees and Fiduciary Accounts

(a) The following information shall be obtained:-
  (i) Identification of all trustees, settlors/grantors and beneficiaries in the case of trusts, as in the case of individual accounts;
  (ii) Whether the customer is acting as a 'front' or acting as a trustee, nominee, or other intermediary;
(b) The following documents shall be obtained (each copy should be verified against the original):-
  (i) Copy of the Trust Deed, as applicable;
  (ii) Particulars of all individuals.

F. Stocks and Securities Sector Specific Requirements

(a) The following information shall be obtained from the Funds approved by the Securities and Exchange Commission of Sri Lanka:-
  (i) Name of the Fund;
  (ii) Purpose of the Fund;
  (iii) Place of establishment of the Fund;
  (iv) Details (name, address, description etc.) of the Trustee/Manager of the Fund;
  (v) If the Trustee/Manager is a company, date of incorporation, place of incorporation and registered address of such Trustee/Manager;
  (vi) Copies of the documents relating to the establishment and management of the fund (ex: Prospectus/Trust Deed/Management Agreement/Bankers Agreement/Auditors Agreement);
  (vii) Copy of the letter of Approval of the Fund issued by the Supervisory Authority of the relevant country;
  (viii) Copy/copies of the relevant Custody Agreement/s;
  (ix) Details of beneficiaries.

(b) Certification requirement:- All supporting documents to be submitted to the Central Depository System shall be certified, attested or authenticated by the persons specified in (A) or (B) below for the purpose of validating the applicant:-
(A) For non-resident applicants:-
  (i) By the Company Registrar or similar authority;
  (ii) By a Sri Lankan diplomatic officer or Sri Lankan consular officer in the country where the documents were originally issued;
  (iii) By a Solicitor, an Attorney-at-Law, or a Notary Public practicing in the country where the applicant resides;
  (iv) By the Custodian Bank;
  (v) By the Global Custodian (the Custodian Bank shall certify the authenticity of the signature of the Global Custodian); or
  (vi) By a broker.
(B) For resident applicants:-
  (i) By the Registrar of Companies or the Company Secretary (applicable in respect of Corporate Bodies);
  (ii) By an Attorney-at-Law or a Notary Public;
  (iii) By a Broker; or
  (iv) By the Custodian Bank.
Note:
  (1) The person certifying shall place the signature, full name, address, contact telephone number and the official seal (not applicable for Brokers, Custodian Banks and Global Custodians).
  (2) Where the application is titled in the name of the "Registered Holder/Global Custodian, Beneficiary" and forwarded through a Custodian Bank, a copy of the SWIFT message or similar document issued by the Global Custodian instructing the local Custodian Bank to open the account on behalf of the Beneficiary company shall be submitted, together with a declaration from the Global Custodian that a custody arrangement or agreement exists between the Global Custodian and the Beneficiary.

Schedule 3

Identification of Beneficial Ownership for Regulated Entities

Contents
A. Background/Context
  • Who is the beneficial owner?
  • Why is it important to identify the beneficial owner?
  • Ways in which beneficial ownership information can be hidden/obscured
B. Establishing the Beneficial Owner
  (a) Beneficial owner of Legal Persons
    − Ownership
    − Effective Control
    − Person on whose behalf a transaction is being conducted
  (b) Beneficial owner of Legal Arrangement
C. Identification and Verification of beneficial ownership information
  • Periodic Review of Information
  • Delayed Verification
D. Other Requirements
  • Declaration of beneficial ownership by the customer
  • Record Keeping obligation
  • Beneficial owners who are Politically Exposed Persons (PEPs)
  • Sanctions
E. Examples
  • Example 1: Record for ownership structure of a legal person
  • Example 2: Record for ownership and control structure of partnership
Annexure 1 of Schedule 3: Beneficial Ownership Form

A. Background/Context

Who is a beneficial owner?

  1. As per the Guideline 75 of these Guidelines, the “beneficial owner” of the legal person or legal arrangement is a natural person who ultimately owns or controls a customer or the person on whose behalf a transaction is being conducted including the person who exercises ultimate effective control over a legal person or a legal arrangement. According to Guideline 49 of these Guidelines, controlling ownership interest means an interest acquired by providing more than ten percent (10%) of the capital of a legal person.
  2. It is a Regulated Entity’s obligation to determine the natural person(s) who is/are the ultimate beneficial owner(s). The ultimate beneficial owner must be a natural person and cannot be a company, an organization or a legal arrangement. There may be more than one beneficial owner associated with a customer.

Why is it important to identify the beneficial owner?
  3. Corporate entities such as companies, trusts, foundations, partnerships, and other types of legal persons and arrangements conduct a wide variety of commercial and entrepreneurial activities. However, despite the essential and legitimate role that corporate entities play in the economy, under certain conditions, they have been misused for illicit purposes, including money laundering, bribery and corruption, insider dealings, tax fraud, terrorist financing, and other unlawful activities. This is because, for criminals trying to circumvent anti-money laundering and countering the financing of terrorism measures, corporate entities provide an attractive avenue to disguise the ownership and hide the illicit origin.
  4. Various studies conducted by the Financial Action Task Force (FATF), the World Bank and the United Nations Office on Drugs and Crime (UNODC) have explored the misuse of corporate entities for illicit purposes, including for ML/TF. In general, the lack of adequate, accurate and timely beneficial ownership information facilitates ML/TF/PF by disguising: a) the identity of known or suspected criminals, b) the true purpose of an account or property held by a corporate entity, and/or c) the source or use of funds or property associated with a corporate entity.

Ways in which beneficial ownership information can be hidden/obscured

  5. Beneficial ownership information can be obscured in various ways, including but not limited to:
     a) use of shell companies (which can be established with various forms of ownership structure), especially in cases where there is foreign ownership which is spread across jurisdictions;
     b) complex ownership and control structures involving many layers of ownership, sometimes in the name of other legal persons and sometimes using a chain of ownership that is spread across several jurisdictions;
     c) bearer shares and bearer share warrants;
     d) use of legal persons as directors;
     e) formal nominee shareholders and directors where the identity of the nominator is undisclosed;
     f) informal nominee shareholders and directors, such as close associates and family;
     g) trusts and other legal arrangements, which enable a separation of legal ownership and beneficial ownership of assets;
     h) use of intermediaries in forming legal persons, including professional intermediaries such as accountants, lawyers, notaries, trust and company service providers.

B. Establishing the Beneficial Owner

(a) Beneficial owner of Legal Persons

  6. As per these Guidelines, "legal person" means any entity other than a natural person that is able to establish a permanent customer relationship with a Regulated Entity or otherwise owns property/shares, and includes a company, a body corporate, a foundation, a partnership or an association.
  7. In the process of identifying the beneficial owner(s) of a legal person, a Regulated Entity has to consider three main elements:
     a) Which natural person(s) owns or controls more than ten percent (10%) of the customer’s equity?
     b) Which natural person(s) has “effective control” of the legal person?
     c) On behalf of which natural person(s) is the transaction being conducted?
  8. The beneficial owner(s) of a customer (legal person) may satisfy one or more of the three elements identified above. Accordingly, it would not be sufficient to simply apply only the ownership element in determining beneficial ownership.

Ownership

  9. As per these Guidelines, a Regulated Entity is required to understand the ownership and control structure of its customers when the customer is not a natural person. According to these Guidelines, the prescribed threshold for controlling interest is interpreted as owning more than ten percent (10%) of the customer. The ownership could be direct as well as indirect through aggregated ownership, as illustrated in the figures below.

Figure 1: Simple Indirect Shareholding
Figure 2: Direct and Indirect Shareholdings
Figure 3: Multi-Level Indirect Shareholdings

  10. A natural person that exercises control over a controlling portion of equity interest, either directly, via nominees or via family members or close associates (whether disclosed or undisclosed) who nominally own or control the shares, can be considered a beneficial owner. A majority shareholder, or a majority formed by some combination of shareholders that are nominees for a natural person, is also a beneficial owner.
  11. For some customers, ownership may be spread over a large number of individuals, with each individual owning less than ten percent (10%). In such an instance, because no individual owns more than ten percent (10%), the effective control element outlined below would be more appropriate to determine the beneficial owner(s)/controller(s).

Effective Control

  12. Effective control of a legal person is an important component that determines beneficial ownership. Such control can be direct or indirect, formal or informal. At a direct and formal level, it is essential to understand the customer’s governance structure as an aid in identifying those natural persons that exercise effective control over the customer. In deciding the effective controller(s) in relation to a customer, a Regulated Entity should consider:
     a) a natural person who can hire or terminate a member of senior level management;
     b) a natural person who can appoint or dismiss Directors;
     c) senior managers who have control over daily/regular operations of the legal person/arrangement (e.g. a CEO, CFO or a Managing Director).
  13. Natural persons may also control the legal person through other means such as:
     a) personal connections to persons in positions such as Executive Directors/CEOs/Managing Director or that possess ownership;
     b) significant authority over a legal person’s financial relationships (including with Regulated Entities that hold accounts on behalf of a legal person) and the ongoing financial affairs of the legal person;
     c) control without ownership by participating in the financing of the enterprise, or because of close family relationships, historical or contractual associations, or if a company defaults on certain payments;
     d) use, enjoyment or benefit from the assets owned by the legal person even if control is never exercised.

Figure 4: Effective Control
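The aggregation rule in paragraph 9 (direct plus indirect holdings, the product along each chain summed across chains) and the order of elements in paragraphs 11 to 13 and 30 (ownership, then effective control, then senior management) can be worked through in code. The following Python is an added example and is not part of these Guidelines; the entities, names and holdings are constructed, and `Entity`, `aggregate_interests` and `identify_beneficial_owners` are hypothetical helpers.

```python
"""Beneficial-owner identification through layered shareholdings.

Constructed example (not from the Guidelines): aggregates direct and
indirect equity held by natural persons in a customer that is a legal
person, applies the "more than ten percent" controlling-interest test,
and falls back to effective control and then senior management when no
natural person crosses the threshold.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from fractions import Fraction

# Guideline 49: a controlling ownership interest is MORE than 10% of capital.
THRESHOLD = Fraction(10, 100)


@dataclass
class Entity:
    name: str
    natural_person: bool = False
    # Direct shareholders of this entity: holder name -> fraction of equity.
    shareholders: dict = field(default_factory=dict)
    # Natural persons with effective control (paras 12-13), e.g. persons who
    # can appoint or dismiss directors.
    controllers: list = field(default_factory=list)
    # Senior managers, the last-resort beneficial owners (para 30).
    senior_management: list = field(default_factory=list)


def aggregate_interests(customer: str, registry: dict) -> dict:
    """Natural person -> aggregate (direct + indirect) share of the customer.

    Indirect interest along a chain is the product of the holdings at each
    level; interests held through several chains are summed (para 9).
    """
    totals = defaultdict(Fraction)

    def walk(entity_name, weight, path):
        for holder, share in registry[entity_name].shareholders.items():
            if holder in path:
                # Circular cross-holding: cannot be resolved mechanically,
                # so it is skipped here and should be referred for review.
                continue
            if registry[holder].natural_person:
                totals[holder] += weight * share
            else:
                walk(holder, weight * share, path | {holder})

    walk(customer, Fraction(1), {customer})
    return dict(totals)


def identify_beneficial_owners(customer: str, registry: dict):
    """Return (basis, result) following the order the Guidelines set out."""
    interests = aggregate_interests(customer, registry)
    owners = {p: f for p, f in interests.items() if f > THRESHOLD}
    if owners:                      # paras 9-11: ownership element
        return "ownership", owners
    ent = registry[customer]
    if ent.controllers:             # paras 11-13: effective control element
        return "effective_control", list(ent.controllers)
    return "senior_management", list(ent.senior_management)  # para 30


# Constructed ownership structures (hypothetical names and holdings).
# Alpha is held through two layers; Mr. P holds 8% directly and 10% of
# Beta, so neither single holding exceeds 10% but the aggregate does.
REGISTRY = {
    "Alpha Holdings (Pvt) Ltd": Entity("Alpha Holdings (Pvt) Ltd", shareholders={
        "Mr. P": Fraction(8, 100), "Beta Ltd": Fraction(60, 100),
        "Gamma Ltd": Fraction(32, 100)}),
    "Beta Ltd": Entity("Beta Ltd", shareholders={
        "Mr. P": Fraction(10, 100), "Ms. Q": Fraction(90, 100)}),
    "Gamma Ltd": Entity("Gamma Ltd", shareholders={
        "Mr. R": Fraction(50, 100), "Delta Ltd": Fraction(50, 100)}),
    "Delta Ltd": Entity("Delta Ltd", shareholders={"Mr. R": Fraction(1)}),
    # Widely held: twelve persons at 1/12 each, none above 10% (para 11).
    "Widely Held Ltd": Entity(
        "Widely Held Ltd",
        shareholders={f"Holder {i}": Fraction(1, 12) for i in range(1, 13)},
        controllers=["Ms. S"], senior_management=["Mr. T"]),
}
for _p in ["Mr. P", "Ms. Q", "Mr. R", "Ms. S", "Mr. T"] + [f"Holder {i}" for i in range(1, 13)]:
    REGISTRY[_p] = Entity(_p, natural_person=True)

if __name__ == "__main__":
    for cust in ("Alpha Holdings (Pvt) Ltd", "Widely Held Ltd"):
        basis, result = identify_beneficial_owners(cust, REGISTRY)
        print(f"{cust}: basis = {basis}")
        if basis == "ownership":
            for person, share in sorted(result.items()):
                print(f"  {person}: {float(share) * 100:.2f}%")
        else:
            print(f"  {', '.join(result)}")
```

Mr. P illustrates why holdings must be aggregated: 8% directly plus 10% of Beta Ltd's 60% gives 14%, above the threshold although no single holding exceeds it.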

Person on whose behalf a transaction is being conducted

  14. Another aspect of the definition of beneficial ownership is the person on whose behalf a transaction is conducted. This may be the individual who is an underlying client of the customer. For example, if a Regulated Entity knows that person ‘A’ is conducting an occasional transaction on behalf of person ‘B’, then both person ‘A’ and person ‘B’ should be identified and verified, along with any other beneficial owners that may be party to the transaction.
  15. Acting on behalf of the customer is when a person is authorized to carry out transactions or other activities on behalf of the customer. However, ‘authority to act’ should not be confused with effective control.
  16. There are instances where persons acting on behalf of a customer may not necessarily be the beneficial owners of that customer.
  17. As per these Guidelines, a Regulated Entity has to identify the natural persons that act on behalf of the customer and verify the identity of such persons. The authority of such persons to act on behalf of the customer should also be verified through documentary evidence, including specimen signatures of the persons so authorized.

(b) Beneficial owner of Legal Arrangements

  18. As defined under Guideline 75 of these Guidelines, a legal arrangement includes an express trust, a fiduciary account or a nominee.
  19. All trusts have the common characteristic of causing a separation between legal ownership and beneficial ownership. Legal ownership always rests with the trustee. Beneficial ownership can rest with the author of the trust, the trustees or the beneficiaries, jointly or individually.
  20. As per these Guidelines, a Regulated Entity should identify and take reasonable measures to verify information about a trust, including the identities of the author of the trust, the trustees, the beneficiary or class of beneficiaries and any other natural person exercising ultimate effective control over the trust (including those who control through the chain of control or ownership).
  21. A Regulated Entity is required to obtain the trust documents (e.g. deed of trust, instrument of trust, trust declaration, etc.), and the provisions of the trust document must be fully understood within the context of the laws of the governing jurisdiction. A Regulated Entity should take reasonable measures to verify the trust document through independent means (e.g. Registry of Trusts, Notary).

Example: Person ‘A’ is the author of a trust for the benefit of his child. The trustee seeks to establish a relationship with a Regulated Entity to help manage the assets of the trust. Even though the trustee is the controller of the assets of the trust, he may not be the ultimate beneficial owner, and the main focus of CDD should include person ‘A’ as well.

C. Identification and Verification of beneficial ownership information

  22. As per these Guidelines, a Regulated Entity should obtain information to identify, and take reasonable measures to verify, the identity of the beneficial owner(s) of the customer using relevant information or data obtained from a reliable source, adequate for the Regulated Entity to satisfy itself that it knows who the beneficial owner(s) is/are.
  23. Accordingly, the identification of the beneficial owner is mandatory. Once the Regulated Entity establishes who the beneficial owner(s) of a customer is/are, the Regulated Entity must collect at least the following information in relation to each individual beneficial owner:
     a) Full name;
     b) Official personal identification or any other identification number;
     c) Permanent/Residential address.
  24. As per these Guidelines, a Regulated Entity is required to verify the identity of the beneficial owner before or during the course of entering into a business relationship with, or conducting a transaction for, an occasional customer.
  25. Accordingly, once the identity is established, a Regulated Entity has to take reasonable measures to verify the identity of the beneficial owner(s). The reasonable measures for verification should be determined subject to the risk and complexity of the ownership and control structure of the legal person or arrangement.
  26. Simplified verification procedures can be applied for verification of beneficial ownership of legal persons that are already subject to rules regarding corporate governance and transparency, such as those that apply to firms with shares that publicly trade on a well-regulated exchange, or with simple and locally familiar ownership structures, or legal persons who are expected to conduct low risk transactions.
  27. For the verification of beneficial ownership, some of the documentation that a Regulated Entity can rely on may include (but is not limited to) the following:

53 AML/CFT/CPF Guidelines for the Securities Market Securities and Exchange Commission of Sri Lanka a) Share register, b) Annual Returns, c) Trust deed, d) Partnership agreement, e) The constitution and/or certificate of incorporation for an incorporated association, f) The constitution of a registered co-operative society, g) Minutes of the board of directors meetings, h) Information available through open-source search or commercially available databases. 28. In case of foreign legal persons and arrangements Regulated Entity may also has to take additional measures such as verification through mother company or branches, correspondence Regulated Entity, other agents of the Regulated Entity, corporate registries etc. 29. In the case of companies listed on the Stock Exchange of Sri Lanka licensed under the Securities and Exchange Commission of Sri Lanka Act, No. 21 of 2021 or any other stock exchange subject to disclosure requirements ensuring adequate transparency of the beneficial ownership, Regulated Entity can use relevant identification information available from reliable sources (e.g. a public register) to identify the Directors and major Shareholders. 30. As per these Guidelines, Regulated Entity has to identify the natural persons holding senior management positions as beneficial owners when Regulated Entity is unable to determine the beneficial owner as there is no person owning more than ten percent (10%) of the customer’s equity or no individual exercising control over the customer. Periodic Review of Information 31. As per these Guidelines, Regulated Entity should periodically review the adequacy of information obtained in respect of beneficial owners to ensure that the information is up to date. The review period and procedures thereof should be decided by each Regulated Entity in its internal AML/CFT Policy according to the risk-based approach. 32. 
Any material/significant change in customer circumstances may necessitate a review of beneficial ownership. Some examples of material/significant changes include: a) a public company is taken private; b) a shareholder or group of shareholders takes effective control of voting shares; c) a new partner is added, or an existing partner is removed; d) change in management positions; e) new trustees are appointed; f) a trust is dissolved;

54 AML/CFT/CPF Guidelines for the Securities Market Securities and Exchange Commission of Sri Lanka g) a new account is opened for the same customer; h) transactions are attempted that are inconsistent with the customer’s profile. Delayed Verification 33. As per these Guidelines, Regulated Entity are allowed to delay the verification of identity of beneficial owners when, a) risk level of the customer is low and verification is not possible at the point of entering into the business relationship, b) there is no suspicion of money laundering or terrorist financing risk involved, c) delay will not interrupt the normal conduct of business. 34. When delayed verification is allowed, Regulated Entity should adopt risk management procedures relating to the conditions under which the customer may utilize the business relationship prior to verification. These procedures should include a set of measures, such as a limitation of the number, types and/or amounts of transactions that can be performed and the monitoring of large or complex transactions being carried outside the expected types of transactions for that relationship. 35. A Regulated Entity should not establish a business relationship or conduct any transaction with a customer who poses a high money laundering and terrorist financing risk, prior to verifying the identity of the beneficial owner. 36. When a Regulated Entity is unable to comply with CDD measures as required in the Regulated Entities CDD Guidelines including identification and verification of beneficial ownership information, the Regulated Entity should not enter into the business relationship or perform the transaction with new customers and terminate the business relationship with existing customers and consider making a suspicious transaction report in relation to the customer. D. Other Requirements Declaration of beneficial ownership by the customer 37. 
Regulated Entity may obtain beneficial ownership information either by obtaining the required information on a standard certification form in the Annex 1 of the Schedule 3 or by any other means, up to the satisfaction of the Regulated Entity with regard to the identification of the beneficial owner(s). 38. Use of the form is optional and Regulated Entity may substitute this form with a version that is suitable, whether paper or electronic, so long as the required information is collected, protected, preserved and made available to competent authorities upon request and records are maintained in accordance with the Relevant Markert Intermediaries CDD Guidelines and FTRA.

39. Regulated Entity is required to document the procedure to be followed in the identification and verification of beneficial ownership requirements relating to legal persons and arrangements in the AML/CFT/CPF Policy approved by the Board of Directors.

Record Keeping Obligations

40. The Regulated Entity is required to maintain records of identification and verification information relating to beneficial ownership as prescribed under the Regulated Entities CDD Guidelines and FTRA.

Beneficial Owners who are Politically Exposed Persons (PEPs)

41. A Regulated Entity is required to implement appropriate internal policies, procedures and controls to determine if the beneficial owner is a politically exposed person. If, through such process, the Regulated Entity identifies any beneficial owner as a PEP, the relationship should be considered as high risk and subject to enhanced due diligence as required in these Guidelines.

Sanctions

42. Failure to comply with the beneficial ownership requirements as required under these Guidelines will be a violation of Section 2(3) of the FTRA and will be punishable under Section 19 of the FTRA.

E. Examples

Example 1: Record for ownership and control structure of a legal person

ABC Company Ltd. is a private limited liability company registered under the Companies Act, No. 7 of 2007. Mr. A owns 25% of the shares and BC Company Ltd. owns the balance 75% of the shares of ABC. Mr. S is the Managing Director of ABC Company, and the Board of Directors consists of his wife Mrs. S, ABC's Chief Financial Officer, and their three children. In this example, Regulated Entity is required to record:
• the ownership of the Company, shared by Mr. A (25% of the shares) and BC Company Ltd. (75% of the shares);
• the ownership structure of the entity: ABC Company Ltd. is a privately traded company;
• the identification of all members of the Board of Directors (Mr. S’s family), as they have effective control;
• the identification of Mr. A, as he holds more than 10% of the ownership;
• the identification of all of the individuals who own or control, directly or indirectly, 10% or more of the shares of BC Company Ltd., since it owns 75% of the shares and therefore also exercises control. However, in a case like this, Regulated Entity must research further to determine whether any individual owns enough shares of BC Company Ltd. that would constitute 10% of ABC Company Ltd., or until Regulated Entity determines that there is no such individual;
• the manner in which Regulated Entity obtained this information; and
• the measures taken to verify the accuracy of the information.

Example 2: Record for ownership and control structure of a partnership

Rainbow Property Developers is a partnership engaged in buying and selling of real estate in Western Province, owned by two partners (Mr. T and Mr. J). Mr. T and Mr. J have signed a partnership agreement stating that Mr. T will invest Rs. 5,000,000 in the partnership to rent space for Rainbow Property Developers and cover other administrative expenses, and Mr. J will be solely responsible for operations of the business. All decisions related to the partnership must be unanimous; in case of a disagreement, either partner can decide to end the partnership. Mr. T and Mr. J will split the profits from the business 50/50. If they decide to end the partnership, Mr. T will get 55% of the proceeds of the sale of the business assets, while Mr. J will get 45%. In this example, Regulated Entity is required to record:
• the ownership structure of the entity, including the details of the partnership between Mr. T and Mr. J;
• the identification of Mr. T and Mr. J, as both control the partnership;
• the manner in which the Regulated Entity obtained this information; and
• the measures taken to confirm the accuracy of the information.
Note: The business structure is important in this example, as the ownership and control of the partnership is shared between Mr. T and Mr. J. The Regulated Entity needs to retain a copy of the partnership agreement to meet record keeping requirements as well as to confirm the accuracy of the beneficial ownership information obtained. In the absence of such an agreement, it should be recorded that the partnership exists between Mr. T and Mr. J without a written agreement.

Annex 1 of Schedule 3
Beneficial Ownership Form

Declaration of Beneficial Ownership

This form has been issued under the Financial Institutions (Customer Due Diligence) Rules, No. 1 of 2016, issued in terms of Section 2(3) of the Financial Transactions Reporting Act, No. 6 of 2006. This form, or an approved equivalent, is required to be completed by customers of financial institutions designated under the Act to the best of their knowledge. The original completed, signed and witnessed version of this form must be retained by the financial institution and made available to the competent authorities upon request.

Customer Identification:
Name and Designation of Natural Person Opening Account:
Name, Reg. No. and Address of Legal Person for Which the Account is Being Opened:
Name, Deed No., Trustee and Address of Legal Arrangement for Which the Account is Being Opened:

I declare that I:
☐ am the sole beneficial owner1 of the customer for this account.
☐ am not the beneficial owner of the customer of this account.

Complete identifying information for all beneficial owners that own or control 10% or more of the customer’s equity, beneficial owners on whose behalf the account is being operated, and at least one person who exercises effective control of the legal entity, regardless of whether such person is already listed.

Beneficial owner details (one row per beneficial owner; four rows are provided):
Name | NIC or Passport / Country of Issue / Country of Citizenship | Date of Birth | Current Address | Source of Beneficial Ownership (1 = Equity (indicate %), 2 = Effective Control, 3 = Person on Whose Behalf Account is Operated) | Check if Politically Exposed Person (PEP)2
| | | | | ☐
| | | | | ☐
| | | | | ☐
| | | | | ☐

Details of the Natural Person Authorized to Act on Behalf of the Customer
Name:
NIC/Passport:
Date of Birth:
Signature: (By signing you attest to the veracity of all information contained herein)

Verification of Beneficial Ownership
Authorized Financial Institution Official
Name:
Title:
Date:
Signature and Seal: (By signing, you attest that you have identified the Customer whose signature is on this form and have witnessed said signature)

1 “beneficial owner” is defined as “a natural person who ultimately owns or controls a customer or the person on whose behalf a transaction is being conducted and includes the person who exercises ultimate effective control over a person or a legal arrangement”.
2 “politically exposed person” means an individual who is entrusted with prominent public functions either domestically or by a foreign country, or in an international organization, and includes a Head of a State or a Government, a politician, a senior government officer, judicial officer or military officer, a senior executive of a State owned Corporation, Government or autonomous body, but does not include middle rank or junior rank individuals.

Schedule 4
Identification of Politically Exposed Persons for Regulated Entities

Contents
A. Background/Context: Who is a Politically Exposed Person (PEP)?
B. Money Laundering, Terrorism Financing and Proliferation Financing Risks Associated with PEPs
C. Identification of PEPs
D. Beneficial Owners
E. Methods Used in PEP Identification
F. Review/Update of Customer Status
G. Managing PEP Risks
H. Establishment of the Source of Wealth and Source of Funds of the PEP
I. Time Limits of PEP Status
J. PEP Red Flags/Indicators
K. Board of Directors/Senior Management
L. Record Keeping Obligations
M. Internal Control Policies: Training and Group-wide Policies
N. Information Sharing
Annexure 1 of Schedule 4: Non-Exhaustive List of Categories of Customers that can be Considered as PEPs
• Domestic PEPs
• Foreign PEPs
Annexure 2 of Schedule 4: Detecting Misuse of the Financial System by PEPs – Red Flags and Indicators for Suspicion

A. Background/Context
Who is a Politically Exposed Person (PEP)?

1. Guideline 75 of these Guidelines defines PEPs, their immediate family members and close associates.
2. “politically exposed person” means an individual who is entrusted with prominent public functions either domestically or by a foreign country, or in an international organization, and includes a head of a State or a Government, a politician, a senior government officer, judicial officer or military officer, a senior executive of a State Owned Corporation/Government or Autonomous body, but does not include middle ranking or junior ranking individuals. The CDD Rule is also applicable to family members and close associates of a PEP.
3. Accordingly, PEPs can be identified under the following categories:
a. Domestic PEPs: individuals who are entrusted with prominent public functions in Sri Lanka.
b. Foreign PEPs: individuals who are entrusted with prominent public functions by a foreign country.
c. International organization PEPs: persons who are entrusted with a prominent function by an international organization.
d. Immediate family members: individuals who are related to a PEP either directly (on grounds of consanguinity) or through marriage or similar (civil) forms of partnership.
e. Close associates: individuals who are closely connected to a PEP, either socially or professionally.
4. Immediate family members of PEPs include any of the following relations:
i. spouse (current and past);
ii. siblings (including half-siblings) and their spouses;
iii. children (including step-children and adopted children) and their spouses;
iv. parents (including step-parents);
v. grandchildren and their spouses.
5. Close associates of PEPs or their family members include:
i. a natural person having joint beneficial ownership of legal entities and legal arrangements, or any other close business relationship, with any person identified in Guidelines 2 or 4 above; and
ii. a legal person or legal arrangement whose beneficial owner is a natural person and which is known to have been set up for the benefit of such person or his immediate family members identified in Guidelines 2 or 4;
iii. a PEP’s widely and publicly known close business colleagues or personal advisors, in particular persons acting in a financial fiduciary capacity.
6. For the purposes of the PEP definition, “international organizations” are organizations established by formal political agreements between their member countries, where such agreement has the status of an international treaty and the organization is recognized in the law of the member countries. The examples of international organizations provided by FATF include:
a) the United Nations and its affiliates such as the International Maritime Organization;
b) regional international organizations;
c) international military organizations such as the North Atlantic Treaty Organization;
d) economic organizations such as the World Trade Organization, International Monetary Fund, World Bank, Asian Development Bank, etc.
7. Regulated Entities are required to establish specific procedures in relation to PEPs as well as their immediate family members and close associates.

B. Money Laundering, Terrorism Financing and Proliferation Financing Risks Associated with PEPs

8. Due to their official status or position held and their influence, it is recognized that many PEPs are in positions that potentially can be abused for money laundering and related predicate offences, including bribery and corruption, as well as activity related to terrorism financing. The potential risks associated with PEPs justify the application of additional AML/CFT measures to prevent, detect and manage the risks emanating from their conduct.
9. However, it should be noted that if a person is a PEP, this does not mean that there is an automatic link to criminal activities or abuse of the financial system. The additional AML/CFT measures applied in the case of PEPs are preventative and should not be interpreted as stigmatizing PEPs as being involved in criminal activity; rather, these measures recognize the increased risk, including opportunity, associated with holding this type of role.

C. Identification of PEPs

10. Regulated Entity is required to implement appropriate internal policies, procedures and controls to determine if the customer or the beneficial owner is a politically exposed person. This is applicable to all new and ongoing business relationships with customers.
11. The ability to determine if a customer or beneficial owner is a PEP fully depends upon the effective implementation of CDD measures, including the identification, verification, and ongoing due diligence requirements as set out in the CDD Rules. CDD measures are the indispensable starting point, as these should be applied to any type of customer. Key factors in the CDD process, such as principal occupation or employment, would be a good starting point in such determination.
12. The PEP definition specifically excludes identifying middle ranking or junior individuals as PEPs. However, there should be awareness that middle ranking and junior officials could act on behalf of a PEP to circumvent AML/CFT controls. These less prominent public functions could be appropriately taken into account as customer risk factors in the framework of the overall assessment of risks associated with the business relationship, in accordance with the CDD Rules, when such officials are acting on behalf of a PEP.
13. A Regulated Entity doing business with a foreign PEP may not have much first-hand knowledge of or direct access to information about variables such as what a reasonable income would be for a foreign public official at a particular level or in a particular position. Consequently, appropriate risk management systems need to be implemented to address these particular risks, both at the account opening/CDD stage and when existing foreign customers become PEPs.
14. In case the customer is determined to be a domestic/international organization PEP, the Regulated Entity should gather sufficient information to understand the particular characteristics of the public functions that the PEP has been entrusted with and, in the case of an international organization, the business model of that organization. Information on international organizations, for example, may be found on their respective websites.
15. Regulated Entity may refer to the non-exhaustive list at Annex 1 of Schedule 4 for examples of types of customers, whether domestic or foreign or in relation to international organizations, with political exposure. However, Regulated Entity is required to identify any individual who falls within the definition of PEP even though such person/designation is not listed within Annex 1 of Schedule 4.

D. Beneficial Owners

16. When conducting CDD, Regulated Entity is required to identify the beneficial owners and take reasonable measures to verify the identity of the beneficial owners. This should include legal persons and arrangements whose ultimate beneficial owners or controllers are PEPs or their family members or associates.
17. If there are reasonable grounds to believe that a beneficial owner is a PEP, a Regulated Entity is required to verify whether the beneficial owner is a PEP.
18. Regulated Entity is required to inquire into the reason for a person purporting to act on behalf of a beneficial owner, in order to determine whether the beneficial owner of the customer or client is a PEP.
19. Regulated Entity is required to apply all the requirements applicable to a PEP for:
a) a person who is acting on behalf of a PEP, or
b) a customer or beneficial owner of a customer who is identified as a family member or close associate of a PEP.

E. Methods Used in PEP Identification

20. There is no single method of identifying PEPs, their family members, or close associates. Whereas PEPs and family members can be identified using objective criteria, criteria for close associates are sometimes (but not always) relatively more subjective. It is highly unlikely that any single method of identification will be adequate; instead, a combination of methods will yield the best results. Some of those methods include:
a. Screening of customer and beneficial owner identifiers using commercial databases compiled for this purpose. These databases are populated from public sources of information and, accordingly, may not be complete or up-to-date.
b. Screening of customer and beneficial owner identifiers using an internally maintained database of PEPs, family members, and close associates.
c. Screening against publicly available registries of people with financial declaration/disclosure requirements in their home country, in the case of foreign PEPs.

d. Conducting and utilizing ad-hoc customer research. This involves researching customers using available tools such as search engines, social media, company registries, company websites, news websites, trade websites, government websites, commercial information aggregators, in-person interviews, etc.
e. Self-declaration obtained from a customer. Regulated Entity can obtain information from customers on their PEP status as a part of the CDD process. However, a Regulated Entity that confirms a customer’s PEP status through a self-declaration should ensure that it does not rely solely on such self-declarations, as customers may not be able to determine whether they are indeed a PEP. Regulated Entity is advised to actively engage with customers and elicit information pertinent to the different elements of the PEP definition if it deploys self-declaration.

F. Review/Update of Customer Status

21. Existing customers may become PEPs after they enter a business relationship; therefore, it is essential that Regulated Entity monitors non-PEP accounts for a change in the customer status/profile or account activity and updates customer information accordingly. Such monitoring is required to be based on risk, consistent with the requirements under the CDD Rules. The following are some instances where institutions are required to update their customer status relating to PEPs:
a. when a customer spontaneously submits a new declaration of political exposure;
b. when ongoing monitoring reveals activities or information that deviate significantly from the customer and/or account profile in a manner that suggests previously unknown political exposure;
c. when an election is held that affects any of the customer’s PEP status;
d. whenever the Regulated Entity becomes aware, through any means, of the need for such an update.
22. Existing PEP customer relationships should be subject to periodic review to ensure that due diligence information remains current and the associated controls remain appropriate.

G. Managing PEP Risks

23. Regulated Entity is required to conduct enhanced due diligence of the business relationships of any customer identified as a PEP.

24. Once identified, PEPs, their family members, and close associates always represent additional risk that requires appropriate management. The precise nature and magnitude of that risk, and the commensurate risk mitigations, may however vary widely. Factors that affect risk relating to PEPs may include:
a. the perceptions of corruption and financial transparency in the PEP’s country of citizenship;
b. the nature of the political exposure;
c. the nature of the relationship with the PEP, in the case of family members and close associates;
d. the elapsed time since the PEP held the position(s) that qualified him to be a PEP;
e. the nature of the claimed sources of funds and the ability to fully and confidently verify those sources and their legitimacy;
f. whether the PEP has business interests which are related to his/her public functions (conflict of interest);
g. whether the PEP is involved in public procurement processes, or holds several (related or unrelated) prominent public functions that may enable influence to be exerted at several key decision making points in a process, especially relating to payments;
h. whether the PEP holds a prominent public function in sectors known to be exposed to corruption; or
i. whether the PEP holds a prominent public function that would allow him/her to exert a negative impact on the effective implementation of the AML/CFT framework in the country.
25. Regulated Entity is required to apply the following measures relating to PEPs as per the CDD Rules:
a. Obtain approval from the Regulated Entity’s board of directors/senior management prior to entering into a new business relationship or continuing an existing relationship;
b. Identify the source of funds and wealth by appropriate means;
c. Perform enhanced ongoing monitoring of the business relationship.

H. Establishment of the Source of Wealth and Source of Funds of the PEP

26. Regulated Entity is required to take reasonable measures to establish the source of wealth and the source of funds of PEPs, as required in the CDD Rules.
27. “Wealth” and “funds” are two different concepts. The source of wealth refers to the origin of the PEP’s entire body of wealth (i.e., total assets). This information will usually give an indication as to the volume of wealth the customer would be expected to have, and a picture of how the PEP acquired such wealth. Although Regulated Entity may not have specific information about assets not deposited or processed by it, it may be possible to gather general information from commercial databases or other open sources.

28. The source of funds refers to the origin of the particular funds or other assets that are the subject of the business relationship between the PEP and the Regulated Entity (e.g., the amounts being invested, deposited, or transferred/wired as part of the business relationship). Normally, it will be easier to obtain this information, but it should not simply be limited to knowing from which institution the funds may have been transferred/wired. The information obtained should be substantive and establish a source or reason for the funds having been acquired.
29. Information about the source of wealth and source of funds is useful for ongoing due diligence purposes. When conducting ongoing due diligence of the business relationship, it is important for Regulated Entity to ensure that the level and type of transactions are consistent with the institution’s knowledge of the PEP’s source of wealth and source of funds. The aim is to ensure that the reason for the business relationship is commensurate with what one could reasonably expect from the PEP, given his/her particular circumstances.
30. Where the level or type of activity in the business relationship is different from what can be reasonably explained, given the knowledge of a PEP's sources of funds and sources of wealth, an entity should undertake a further assessment of the business relationship to establish whether to:
a. continue with or terminate the business relationship; or
b. file a suspicious transaction report with the FIU.

I. Time Limits of PEP Status

31. The handling of a customer who is no longer entrusted with a prominent public function should be based on an assessment of risk and not on any predetermined time limits.
32. Such a risk-based approach requires that Regulated Entity assesses the ML/TF/PF risks of a PEP who is no longer entrusted with a prominent public function and takes effective action to mitigate this risk. Possible risk factors are:
a. the level of (informal) influence that the individual could still exercise; the seniority of the position that the individual held as a PEP; or
b. whether the individual’s previous and current functions are linked in any way (e.g., formally by appointment of the PEP’s successor, or informally by the fact that the PEP continues to deal with the same substantive matters).
33. PEPs are not immune from the application of the requirements under the CDD Rule or from being the subject of the obligation to report suspicious transactions under Section 7 of the FTRA.

J. PEP Red Flags / Indicators

34. The Financial Action Task Force (FATF) has developed a collection of red flags / indicators (Annex 2 of Schedule 4) that can be used to assist in the detection of misuse of the financial system by PEPs during a customer relationship. This list of red flags / indicators is relevant to detecting those PEPs that abuse the financial system and is not intended to stigmatize all PEPs. Often, matching one or more of these red flags / indicators may only raise the risk of doing business with a customer (red flags, risk factors), and several red flags may need to be met to create a suspicion. However, in some cases, and depending on the specific circumstances, matching just one or more of these red flags / indicators will directly lead to an ML suspicion (indicators of suspicion).
35. These PEP red flags are not an exhaustive list and are complementary to the usual ML red flags that a reporting entity may be using. The methods of those PEPs that engage in illicit activity change, and therefore the indicators of their activity will do so as well. Also, there may be other red flags that should be considered equally important in a particular country or region.

K. Board of Directors / Senior Management

36. Consistent with the requirement for Regulated Entity to obtain senior management approval for establishing or continuing a business relationship with a PEP, a Regulated Entity should determine what constitutes senior management within the Regulated Entity.
37. What constitutes senior management should depend on the size, structure, and nature of the entity involved.
38. Regulated Entity should ensure that senior management are aware of relationships with PEPs and that in no circumstances does the Regulated Entity undertake business relationships with PEPs in the absence of adequate controls by senior management.
39. In assessing whether Regulated Entity should undertake a business relationship with a PEP, the senior management involved shall:
a. have full knowledge and understanding of the Regulated Entity's AML or CFT internal control programs;
b. have a strong understanding of the potential or existing client's or customer's ML or TF risk profile; and
c. have active involvement in the approval process of the entity’s AML or CFT policies and procedures.

  40. Without limiting the determination or otherwise of a Regulated Entity assessing what constitutes senior management, an entity may establish monitoring committees, or comparable decision-making structures, that:
    a. review the establishment of business relationships with PEPs at the acceptance stage and on an on-going basis;
    b. ensure that all relevant internal information is carefully considered in specific cases;
    c. manage the termination of a business relationship with a PEP in appropriate circumstances; and
    d. ensure that appropriate information, which includes internal policies, procedures, and controls regarding PEPs, is available within the reporting entity when and where necessary.

L. Record Keeping Obligations

  41. The Regulated Entity is required to maintain records of identification and verification information relating to PEPs as prescribed in these Guidelines and the FTRA.

M. Internal Control Policies, Training and Group-wide Policies

  42. A Regulated Entity should establish and maintain internal control policies that include ongoing employee training programs.
  43. The training programs, which should be regularly updated, shall be designed to address effective ways of determining whether a client or customer is a PEP and to understand, assess and handle the potential risks associated with PEPs.
  44. Regulated Entities that are part of a financial group should establish and maintain group-wide internal controls, policies and procedures.

N. Information Sharing

  45. Regulated Entities that are part of financial groups may share information amongst themselves on PEPs for AML/CFT purposes, provided that there are adequate safeguards on the confidentiality and use of the information exchanged.

Annex 1 of Schedule 4

NON-EXHAUSTIVE LIST
CATEGORIES OF CUSTOMERS THAT CAN BE CONSIDERED AS PEPS

DOMESTIC PEPS

A.
  1. The President
  2. The Prime Minister
  3. The Speaker and the Deputy Speaker of the Parliament
  4. Cabinet Ministers, Non-Cabinet Ministers, State Ministers, Deputy Ministers
  5. Members of Parliament
  6. Leaders of Political Parties
B.
  7. Governors of Provinces
  8. Chief Ministers of Provinces
  9. Mayor, Chairman of Municipal Councils
  10. Chairman of Provincial Councils
  11. Members of Municipal Councils / Provincial Councils / Local Government Bodies
  12. Commissioners / Secretaries to Municipal Councils / Provincial Councils / Local Government Bodies
C.
  13. Chief Justice
  14. Attorney General
  15. Judges of the Supreme Court
  16. Judges of the Court of Appeal
  17. Solicitor General of the Attorney General’s Department
  18. Judges of High Courts / Provincial High Courts
  19. Judges of District Courts
  20. Judges of Magistrate Courts
  21. Registrar of the Supreme Court
  22. Registrar of the Court of Appeal
  23. Registrars of Judges of High Courts / Provincial High Courts
  24. Registrars of District Courts
  25. Registrars of Magistrate Courts
D.
  26. Ambassadors / High Commissioners
  27. Consul-General / Deputy Head of Mission / Chargé d’affaires / Honorary Consul
  28. Ministers Plenipotentiary and Envoys Extraordinary
  29. Representatives of UN agencies and Heads of other international organizations
E.
  30. Secretary / Senior Additional Secretaries / Additional Secretaries to the President
  31. Secretary / Senior Additional Secretaries / Additional Secretaries to the Prime Minister
  32. Secretary / Senior Additional Secretaries / Additional Secretaries to the Cabinet of Ministers, Non-Cabinet Ministers, State Ministers, Deputy Ministers
  33. Deputy Secretary to the Treasury
  34. Secretary / Senior Additional Secretaries / Additional Secretaries / Deputy Secretaries to Ministries
  35. Members of the Monetary Board
  36. Governor / Deputy Governors / Assistant Governors and Heads and Additional Heads of Department of the Central Bank of Sri Lanka
  37. Advisors to the President / Prime Minister / Ministers / Ministries
  38. Chief of Staff of the Presidential Secretariat
  39. Auditor General
  40. Secretary General of Parliament
  41. District Secretaries / Government Agents and Secretaries
  42. Heads and Senior Officials of Government Departments
  43. Chairmen and Senior Officials of State Enterprises
  44. Chairmen and Senior Officials of State Corporations / Statutory Boards / Authorities / Public Corporations
F.
  45. Field Marshal / Admiral of the Fleet / Marshal of the Air Force
  46. Chief of Defence Staff
  47. General of Sri Lanka Army / Admiral of Sri Lanka Navy / Air Chief Marshal of Sri Lanka Air Force
  48. Officers in the rank of Lieutenant Colonel and above of Sri Lanka Army
  49. Officers in the rank of Commander and above of Sri Lanka Navy
  50. Officers in the rank of Wing Commander and above of Sri Lanka Air Force
  51. Inspector General of Police
  52. Police officers above the rank of Assistant Superintendent of Police
G.
  53. Chairman / members and senior officers of the Public Service Commission
  54. Chairman / members and senior officers of the National Police Commission
  55. Chairman / members and senior officers of the Human Rights Commission
  56. Chairman / members and senior officers of the Commission to Investigate Allegations of Bribery or Corruption
  57. Chairman / members and senior officers of the Finance Commission
  58. Chairman / members and senior officers of the Election Commission
  59. Members of the Constitutional Council
  60. Chairman / members and senior officers of the Audit Service Commission
  61. Chairman / members and senior officers of the Delimitation Commission
  62. Chairman / members and senior officers of the National Procurement Commission
  63. Members of Cabinet-appointed committees
H.
  64. Chairman, Members and senior officers of the University Grants Commission
  65. Chairman, members of University Councils
  66. Chancellor
  67. Vice Chancellor
  68. Registrar of universities

FOREIGN PEPS

I.
  69. Officials of international organizations who hold or have held, in the course of the last 5 years, management positions in such organizations (directors, heads of the boards or their deputies)
  70. Officials of international organizations who perform or performed any other management functions at the highest level, particularly in international and intergovernmental organizations
  71. Members of international parliamentary assemblies
  72. Judges and management officials of international courts

Annex 2 of Schedule 4

DETECTING MISUSE OF THE FINANCIAL SYSTEM BY PEPS – RED FLAGS AND INDICATORS FOR SUSPICION

A. PEPs attempting to shield their identity:

  1. Use of corporate vehicles (legal entities and legal arrangements) to obscure i) ownership, ii) involved industries or iii) countries.
  2. Use of corporate vehicles without valid business reason.
  3. Use of intermediaries when this does not match with normal business practices or when this seems to be used to shield the identity of the PEP.
  4. Use of family members or close associates as legal owner.

B. Red flags and indicators relating to the PEP and his behavior:

  5. The PEP makes inquiries about the institution’s AML policy or PEP policy.
  6. The PEP seems generally uncomfortable providing information about source of wealth or source of funds.
  7. The information that is provided by the PEP is inconsistent with other (publicly available) information, such as asset declarations and published official salaries.
  8. The PEP is unable or reluctant to explain the reason for doing business in the country of the Regulated Entity.
  9. The PEP provides inaccurate or incomplete information.
  10. The PEP seeks to make use of the services of a Regulated Entity that would normally not cater to foreign or high value clients.
  11. Funds are repeatedly moved to and from countries to which the PEP does not seem to have ties.
  12. The PEP is or has been denied entry to the country (visa denial).
  13. The PEP is from a country that prohibits or restricts its/certain citizens from holding accounts or owning certain property in a foreign country.

C. PEP’s position or involvement in businesses:

  14. The PEP has substantial authority over or access to state assets and funds, policies and operations.
  15. The PEP has control over regulatory approvals, including awarding licences and concessions.
  16. The PEP has the formal or informal ability to control mechanisms established to prevent and detect ML/TF.
  17. The PEP (actively) downplays the importance of his/her public function, or the public function s/he is related to or associated with.
  18. The PEP does not reveal all positions (including those that are ex officio).
  19. The PEP has access to, control or influence over, government or corporate accounts.
  20. The PEP (partially) owns or controls a Regulated Entity, either privately or ex officio.
  21. The PEP (partially) owns or controls the Regulated Entity (either privately or ex officio) that is a counterpart or a correspondent in a transaction.
  22. The PEP is a director or beneficial owner of a legal entity that is a client of a Regulated Entity.

D. Red flags and indicators relating to the industry/sector with which the PEP is involved:

  1. Arms trade and Defence industry.
  2. Banking and finance.
  3. Businesses active in government procurement, i.e., those whose business is selling to government or state agencies.
  4. Construction and (large) infrastructure.
  5. Development and other types of assistance.
  6. Human health activities.
  7. Privatization.
  8. Provision of public goods, utilities.

Schedule 5
Sanction Screening for Regulated Entities

Contents
A. Combating Financing of Terrorism (CFT)
  A.1. Regulatory obligations under UN Sanctions and Local Regulations
  A.2. Conduct Sanction Screening on Customers
  A.3. Targeted Financial Sanctions (TFS) Measures and Reporting Requirements
B. Combating Proliferation Financing (CPF)
  B.1. Regulatory obligations under UN Sanctions and Local Regulations
  B.2. Conduct Sanction Screening on Customers
  B.3. Targeted Financial Sanctions (TFS) Measures and Reporting Requirements

A. Combating Financing of Terrorism (CFT)

As per the Convention on the Suppression of Terrorist Financing Act, No. 05 of 2005 and its subsequent amendments, “Any person who unlawfully and willfully by any direct or indirect means provides or conspires to provide, material support or resources to any terrorist, terrorists or a terrorist organization shall be guilty of an offence under this Act.”

Under the United Nations Regulations No. 01 of 2012 and the United Nations Regulations No. 02 of 2012, the Secretary to the Ministry of Defense has been appointed as the Competent Authority for the implementation of UNSCR 1373, UNSCR 1267 and their successor resolutions in Sri Lanka.

A.1. Regulatory obligations under UN Sanctions and Local Regulations

A.1.1. A Regulated Entity is advised to strictly follow the procedures laid down in, and to ensure strict compliance with:
  • United Nations Regulation No. 1 of 2012, Gazetted on 15th May 2012;
  • United Nations Regulation No. 2 of 2012, Gazetted on 31st May 2012;
  • Any subsequent amendments to UN Regulations No. 1 and 2 of 2012; and
  • Regulations issued under the Prevention of Terrorism (Temporary Provisions) Act, No. 48 of 1979, namely the Prevention of Terrorism (Proscription of Extremist Organizations) Regulations No. 1 of 2019 published by Extraordinary Gazette bearing No. 2123/3 dated 13th May 2019.

A.1.2. A Regulated Entity must comply with the relevant provisions of the Financial Transactions Reporting Act, No. 6 of 2006 (FTRA) and the Customer Due Diligence (CDD) Rules, No. 1 of 2016 and any subsequent amendments to these regulations.

A.1.3. A Regulated Entity is required to adhere to the guidelines provided in FIU/UNSCR 1373/Directives No. 03 and FIU/UNSCR 1267/Directives No. 03 for the details of the obligations of a Stock Broker in complying with targeted financial sanctions related to terrorism and terrorism financing.

A.1.4. A Regulated Entity is required to keep itself updated with:
  (a) the various resolutions passed by the United Nations Security Council (UNSC) on counter terrorism measures, in particular UNSC Resolutions 1267 (1999) and 1373 (2001); the modifications and strengthening of the Resolutions’ sanctions regime by subsequent resolutions including 1526 (2004), 1617 (2005), 1745 (2006), 1822 (2008), 1904 (2009), 1988 (2011), 1989 (2011) and 2253 (2015); and any other subsequent resolutions which impose a series of obligations to apply sanction measures to any natural or legal person, group or entity associated with the Taliban (Islamic Emirate of Afghanistan), ISIL (Islamic State of Iraq and the Levant, also known as Da’esh) and Al-Qaida;
  (b) Orders as may be issued under Regulation 5 of the United Nations Regulations No. 1 of 2012 by the Secretary to the Ministry of Defense in Sri Lanka; and
  (c) the organizations specified in the Schedule to the Prevention of Terrorism (Proscription of Extremist Organizations) Regulations No. 1 of 2019 published by Extraordinary Gazette bearing No. 2123/3 dated 13th May 2019.

A.2. Conduct Sanction Screening on Customers

A.2.1. A Regulated Entity shall verify whether any existing or prospective customer or beneficiary appears on any list of designated persons or entities. The Regulated Entity must ensure that no new business relationship is established, and that no existing business relationship is maintained, with any of the individuals or entities listed on or otherwise linked to such designated lists.

A.2.2. A Regulated Entity must develop and implement a comprehensive employee due diligence and screening procedure to be carried out at the time of appointing or hiring all employees, whether permanent, contractual or outsourced. This shall include screening employees against the relevant lists of designated persons and ensuring that no employee appears on such lists.

A.2.3. A Regulated Entity must conduct screening at the following critical trigger points:
  a) at the time of customer on-boarding;
  b) immediately upon notification of updates to the designated lists; and
  c) following any material changes to customer information.

A.2.4. A Regulated Entity is advised to refer to the updated lists of designated individuals and entities through the following links:

  1. Link to Updated List – Al-Qaida & ISIL https://www.un.org/securitycouncil/sanctions/1267/aq_sanctions_list

  2. Link to Updated List – Taliban https://www.un.org/securitycouncil/sanctions/1988/materials
  3. Link to Updated List – Local List (designating individuals and entities related to terrorism and terrorist financing at the national level) https://fiusrilanka.gov.lk/unscr_sanctions_TF.html

A.2.5. In ensuring efficient detection of suspected financing of terrorism, a Regulated Entity should maintain a database of names and particulars of individuals or entities in the designated lists and should have a mechanism to screen both existing and prospective customers.

A.2.6. A Regulated Entity should ensure that the information contained in the database is updated and relevant and made easily accessible to its employees at the head office, branch or subsidiary for the purpose of identifying funds, financial assets or economic resources of designated individuals and entities.

A.2.7. A Regulated Entity is advised to utilize a combination of name, date of birth, nationality, passport/NIC number and address for the search process. As there could be subtle differences between the list contents and the customer data in the Regulated Entity’s database, a phonetic search is recommended for an effective search.

A.2.8. In the event a match is identified against designated lists, the Regulated Entity shall take reasonable and appropriate measures to verify the accuracy of the match.

A.2.9. In order to ascertain whether a customer is a designated person, Regulated Entities are required to utilize the customer identification information obtained under Customer Due Diligence (CDD), as well as other publicly available information.

A.3. Targeted Financial Sanctions (TFS) Measures and Reporting Requirements

A.3.1. Upon identification of a match against designated lists, the Regulated Entity shall take the following actions:
  (a) If a fuzzy match is identified, the Regulated Entity shall, without undue delay, undertake appropriate due diligence measures to determine whether the match constitutes a true positive;
  (b) In the event of a direct or confirmed match, the Regulated Entity shall:
    i. prevent designated persons from conducting any transactions; and
    ii. immediately freeze funds, financial assets or economic resources in accordance with:
      • paragraph 5 of the United Nations Regulations No. 1 of 2012 and the Order published in the Extraordinary Gazette Notification No. 1863/25 dated 22nd May 2014 by the Competent Authority; or
      • paragraphs 5 and 6 of the United Nations Regulations No. 2 of 2012.
  (c) If, upon further due diligence, a fuzzy match is determined not to be a true positive, the Regulated Entity shall document the verification process and outcome, retain all relevant records, and proceed with the business relationship or transaction in accordance with its standard procedures.

A.3.2. Upon freezing of funds, financial assets or economic resources of designated individuals and entities, or upon the occurrence of an attempted transaction by or for designated individuals or entities, the Regulated Entity should immediately, and not later than 24 hours from the time of finding out about such customer, inform the FIU of the full particulars of funds, financial assets or economic resources held by such customer on its books:
  i. convey over the telephone on 011-2477125;
  ii. send the particulars by post/fax:
    Postal Address: Financial Intelligence Unit, Central Bank of Sri Lanka, No. 30, Janadhipathi Mawatha, Colombo 01, Sri Lanka
    Fax No: 011-2477692 / 011-2477722
  iii. convey the particulars by email: fiu@cbsl.lk

A.3.3. If a Regulated Entity identifies a designated person in a transaction or financial service who is not a customer of the institution (hence no assets to be frozen), the Regulated Entity is required:
  i. not to carry out the transaction or financial service;
  ii. to inform the Competent Authority about the particulars of such activity; and
  iii. to submit an STR to the FIU regarding the same.

A.3.4. A Regulated Entity shall also send a copy of the communication mentioned above to the Competent Authority, both by post and via email.

Postal Address: Office of the Competent Authority, Ministry of Defense, No. 15/5, Baladaksha Mawatha, Colombo 03
Email: camod@defence.lk

A.3.5. A Regulated Entity shall bring the provisions of the United Nations Regulation No. 1 of 2012 and United Nations Regulation No. 2 of 2012 to the notice of the staff concerned and ensure strict compliance.

A.3.6. The Compliance Officer is responsible for the establishment and maintenance of written internal procedures and systems to implement:
  • UNSCR 1373 (2001) and all current and future subsequent resolutions to UNSCR 1373 (2001); and
  • UNSCR 1267 (1999) and all current and future subsequent resolutions to UNSCR 1267 (1999), including UNSCRs 1988 (2011) and 1989 (2011).

B. Combating Proliferation Financing (CPF)

In the context of FATF Recommendation 1, “proliferation financing risk” refers strictly and only to the potential breach, non-implementation or evasion of the targeted financial sanctions obligations referred to in FATF Recommendation 7. By adopting risk-based measures, financial institutions should be able to ensure that these measures are proportionate to the risks identified, which would enable them to make decisions on how to allocate their own resources in the most effective way.

“Proliferation financing refers to: the act of providing funds or financial services which are used, in whole or in part, for the manufacture, acquisition, possession, development, export, trans-shipment, brokering, transport, transfer, stockpiling or use of nuclear, chemical or biological weapons and their means of delivery and related materials (including both technologies and dual use goods used for non-legitimate purposes), in contravention of national laws or, where applicable, international obligations.”

Under the United Nations (Sanctions in relation to Democratic People’s Republic of Korea) Regulations of 2017, the Secretary to the Ministry of Defense has been appointed as the Competent Authority for the implementation of UNSCR 1718 and its successor resolutions in Sri Lanka.

B.1. Regulatory Obligations under UN Sanctions and Local Regulations

B.1.1. A Regulated Entity is advised to strictly follow the procedures laid down in, and to ensure strict compliance with:
  • United Nations (Sanctions in relation to Democratic People’s Republic of Korea) Regulations of 2017, Gazetted on 06th October 2017;
  • United Nations (Sanctions in relation to Iran) Regulations No. 1 of 2018, Gazetted on 17th July 2018; and
  • Any subsequent amendments to these regulations.

B.1.2. A Regulated Entity must comply with the relevant provisions of the Financial Transactions Reporting Act, No. 6 of 2006 (FTRA) and the Customer Due Diligence (CDD) Rules, No. 1 of 2016 and any subsequent amendments to these regulations.

B.1.3. A Regulated Entity is required to adhere to the directives and guidelines provided by the FIU in relation to sanctions on proliferation:
  • UNSCR 1718 Implementation Practices and Enforcement Obligations, Directives No. 1 of 2019;
  • Guideline No. 5 of 2018 on Implementing United Nations (Sanctions in relation to Democratic People’s Republic of Korea) Regulations of 2017;
  • Directives issued under the United Nations (Sanctions in relation to Iran) Regulations No. 1 of 2018; and
  • Guidelines No. 7 of 2018 on Implementing United Nations (Sanctions in relation to Iran) Regulations No. 1 of 2018.

B.1.4. A Regulated Entity is required to keep itself updated with:
  (a) the resolutions passed by the United Nations Security Council (UNSC) on counter terrorism measures, in particular UNSC Resolutions 1718 (2006), 1737 (2006) and 2231 (2015); the modifications and strengthening of the Resolutions’ sanctions regime by subsequent resolutions including 1874 (2009), 2087 (2013), 2094 (2013), 2270 (2016) and 2321 (2016); and any other subsequent resolutions which impose a series of obligations to apply sanction measures to any natural or legal person, group or entity associated with the DPRK (Democratic People’s Republic of Korea) and Iran; and
  (b) Orders under regulation 19(1) of the United Nations (Sanctions in relation to Democratic People's Republic of Korea) Regulations of 2017 by the Secretary to the Ministry of Defense in Sri Lanka.

B.2. Conduct Sanction Screening on Customers

B.2.1. A Regulated Entity shall verify whether any existing or prospective customer or beneficiary appears on any list of designated persons or entities. The Regulated Entity must ensure that no new business relationship is established, and that no existing business relationship is maintained, with any of the individuals or entities listed on or otherwise linked to such designated lists.

B.2.2. A Regulated Entity must develop and implement a comprehensive employee due diligence and screening procedure to be carried out at the time of appointing or hiring all employees, whether permanent, contractual or outsourced. This shall include screening employees against the relevant lists of designated persons and ensuring that no employee appears on such lists.

B.2.3. A Regulated Entity must conduct screening at the following critical trigger points:
  a) at the time of customer on-boarding (new customer account openings);
  b) whenever a transaction is carried out for any customer (sender and receiver details);
  c) immediately upon notification of updates to the designated lists; and
  d) following any material changes to customer information.

B.2.4. A Regulated Entity is advised to refer to the updated lists of designated individuals and entities through the following links:
  • Link to Updated List – DPRK https://main.un.org/securitycouncil/en/sanctions/1718/materials
  • Link to Updated List – Iran https://main.un.org/securitycouncil/en/content/2231/list

B.2.5. In ensuring efficient detection of suspected proliferation financing, a Regulated Entity should maintain a database of names and particulars of individuals or entities in the designated lists, make sure that no designated persons and associates are its customers, and ensure that it does not provide any financial services to such designated persons and associates.

B.2.6. A Regulated Entity should ensure that the information contained in the database is updated and relevant and made easily accessible to its employees at the head office, branch or subsidiary for the purpose of identifying funds, financial assets or economic resources of designated individuals and entities.

B.2.7. A Regulated Entity is advised to utilize a combination of name, date of birth, nationality, passport/NIC number and address for the search process. As there could be subtle differences between the list contents and the customer data in the Regulated Entity’s database, a phonetic search is recommended for an effective search.

B.2.8. In the event a match is identified against designated lists, the Regulated Entity shall take reasonable and appropriate measures to verify the accuracy of the match.

B.2.9. In order to ascertain whether a customer is a designated person, Regulated Entities are required to utilize the customer identification information obtained under Customer Due Diligence (CDD), as well as other publicly available information.

B.3. Targeted Financial Sanctions (TFS) Measures and Reporting Requirements

B.3.1. Upon identification of a match against designated lists, the Regulated Entity shall take the following actions:
  (a) If a fuzzy match is identified, the Regulated Entity shall, without undue delay, undertake appropriate due diligence measures to determine whether the match constitutes a true positive;
  (b) In the event of a direct or confirmed match, the Regulated Entity shall:
    i. prevent designated persons from conducting any transactions; and
    ii. immediately freeze funds, financial assets or economic resources in accordance with:
      • Part III, Rule 29 of the United Nations (Sanctions in relation to Democratic People’s Republic of Korea) Regulations of 2017; and
      • Orders under regulation 19(1) of the United Nations (Sanctions in relation to Democratic People's Republic of Korea) Regulations of 2017.
  (c) If, upon further due diligence, a fuzzy match is determined not to be a true positive, the Regulated Entity shall document the verification process and outcome, retain all relevant records, and proceed with the business relationship or transaction in accordance with its standard procedures.

B.3.2. Upon freezing of funds, financial assets or economic resources of designated individuals and entities, or upon the occurrence of an attempted transaction by or for designated individuals or entities, the Regulated Entity shall:
  (a) immediately, and not later than 24 hours from the time of finding out about such customer, inform the FIU of the full particulars of funds, financial assets or economic resources held by such customer on its books:
    i. convey over the telephone on 011-2477125;
    ii. send the particulars by post/fax:
      Postal Address: Financial Intelligence Unit, Central Bank of Sri Lanka, No. 30, Janadhipathi Mawatha, Colombo 01, Sri Lanka
      Fax No: 011-2477692 / 011-2477722
    iii. convey the particulars by email: fiu@cbsl.lk

B.3.3. If a Regulated Entity identifies a designated person in a transaction or financial service who is not a customer of the institution (hence no assets to be frozen), the Regulated Entity is required:
  i. not to carry out the transaction or financial service;
  ii. to inform the Competent Authority about the particulars of such activity; and
  iii. to submit an STR to the FIU regarding the same.

A Regulated Entity shall also send a copy of the communication mentioned above to the Competent Authority, both by post and via email.
Postal Address: Office of the Competent Authority, Ministry of Defense, No. 15/5, Baladaksha Mawatha, Colombo 03
Email: camod@defence.lk

B.3.4. A Regulated Entity shall bring the provisions of the United Nations (Sanctions in relation to Democratic People’s Republic of Korea) Regulations of 2017 and United Nations (Sanctions in relation to Iran) Regulations No. 1 of 2018 to the notice of the staff concerned and ensure strict compliance.

B.3.5. The Compliance Officer is responsible for the establishment and maintenance of written internal procedures and systems to implement:
  • UNSCR 1718 (2006) and all current and future subsequent resolutions to UNSCR 1718 (2006); and
  • UNSCR 2231 (2015) and all current and future subsequent resolutions to UNSCR 2231 (2015).
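Paragraphs A.2.7 and B.2.7 recommend searching on a combination of name, date of birth, nationality, passport/NIC number and address, with a phonetic search to absorb spelling differences between the list and the customer database, and A.3.1 and B.3.1 separate a fuzzy match (due diligence before any decision) from a direct or confirmed match (block transactions and freeze). The following Python script is an added example illustrating that decision structure for both the CFT and CPF sections; it is not part of the Guidelines and not an FIU, SEC or vendor tool. The designated-list entries and customer records are constructed and fictitious, and the choice of Soundex as the phonetic key, the 0.85 character-similarity threshold, and the rule that a confirmed match additionally requires a hard identifier (passport or date of birth) to agree are the example's own assumptions.

```python
"""Sanction-list name screening with phonetic and fuzzy matching.

Added example (not part of the Guidelines): constructed, fictitious list
entries and customers; thresholds and the Soundex choice are assumptions.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictitious designated-list entries (no real persons or entities).
DESIGNATED_LIST = [
    {"name": "Ravi Kumaran Testname", "dob": "1970-03-12",
     "nationality": "XX", "passport": "X1234567"},
    {"name": "Example Holdings Limited", "dob": None,
     "nationality": "XX", "passport": None},
]

# Assumed similarity threshold for a character-level fuzzy hit.
FUZZY_RATIO = 0.85


def normalize(name):
    """Fold accents, case and punctuation so list and customer data compare alike."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z ]+", " ", ascii_only.lower()).split()


def soundex(token):
    """Classic Soundex (letter plus three digits): 'Kumaran' and 'Kumaren' both give K565."""
    codes = {**dict.fromkeys("bfpv", "1"), **dict.fromkeys("cgjkqsxz", "2"),
             **dict.fromkeys("dt", "3"), "l": "4", **dict.fromkeys("mn", "5"), "r": "6"}
    token = token.lower()
    out, prev = token[0].upper(), codes.get(token[0], "")
    for ch in token[1:]:
        code = codes.get(ch, "")
        if code and code != prev:
            out += code
        if ch not in "hw":          # h and w do not separate equal codes; vowels do
            prev = code
    return (out + "000")[:4]


def phonetic_match(a_tokens, b_tokens):
    """True when every token of the shorter name has a Soundex twin in the longer one."""
    short, long_ = sorted((a_tokens, b_tokens), key=len)
    long_codes = {soundex(t) for t in long_}
    return all(soundex(t) in long_codes for t in short)


def classify(customer, entry):
    """Return 'confirmed', 'fuzzy' or 'none' for one customer against one list entry.

    A confirmed match needs the normalised name AND a hard identifier (passport or
    date of birth) to agree; a name-only, phonetic or near-spelling hit is 'fuzzy'
    and goes to due diligence, as A.3.1(a) / B.3.1(a) require.
    """
    c_tokens, e_tokens = normalize(customer["name"]), normalize(entry["name"])
    same_name = c_tokens == e_tokens
    id_agrees = any(customer.get(k) and customer.get(k) == entry.get(k)
                    for k in ("passport", "dob"))
    if same_name and id_agrees:
        return "confirmed"
    ratio = SequenceMatcher(None, " ".join(c_tokens), " ".join(e_tokens)).ratio()
    if same_name or phonetic_match(c_tokens, e_tokens) or ratio >= FUZZY_RATIO:
        return "fuzzy"
    return "none"


# Required handling per outcome, paraphrased from A.3.1-A.3.3 / B.3.1-B.3.3.
ACTIONS = {
    "confirmed": "block all transactions; freeze assets; notify FIU within 24h; copy Competent Authority",
    "fuzzy": "hold pending due diligence; document verification and outcome",
    "none": "proceed under standard procedures",
}
SEVERITY = {"none": 0, "fuzzy": 1, "confirmed": 2}


def screen(customer, designated=DESIGNATED_LIST):
    """Screen one customer against every list entry; the most severe outcome wins."""
    result, hit = "none", None
    for entry in designated:
        outcome = classify(customer, entry)
        if SEVERITY[outcome] > SEVERITY[result]:
            result, hit = outcome, entry["name"]
    return {"customer": customer["name"], "result": result,
            "matched": hit, "action": ACTIONS[result]}


def rescreen_book(customers, designated=DESIGNATED_LIST):
    """Trigger point 'list updated': re-run the whole customer book, return only hits."""
    return [r for r in (screen(c, designated) for c in customers) if r["result"] != "none"]


if __name__ == "__main__":
    # Constructed customer records: an exact hit, a transliteration variant, a clean record.
    book = [
        {"name": "Ravi Kumaran Testname", "dob": "1970-03-12", "passport": "X1234567"},
        {"name": "Ravee Kumaren Testnaim", "dob": "1985-01-01", "passport": "X7654321"},
        {"name": "Kasun Sampleperson", "dob": "1990-05-05", "passport": "X1111111"},
    ]
    for hit in rescreen_book(book):
        print(f"{hit['customer']!r}: {hit['result']} vs {hit['matched']!r} -> {hit['action']}")
```

The point of the three-way outcome is that a name hit on its own never escalates straight to freezing: an identical name with a different passport and date of birth is still only a fuzzy match and lands in the due-diligence queue, while a transliteration variant such as "Ravee Kumaren" is caught phonetically rather than missed. Production screening additionally handles aliases, script transliteration and list versioning, none of which this example attempts.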

Schedule 6
Suspicious Transactions Reporting for Regulated Entities

Contents
A. Legal Obligation
B. Prerequisite for Development of Suspicion
C. Suspicion
D. Reporting of STRs
  • When the Relevant Market Intermediary is provided with access to the LankaFIN system
  • When the Relevant Market Intermediary is not provided with access to the LankaFIN system
E. Timing of Reporting
F. Content of Reporting
G. Submission of Supporting Documents
H. Miscellaneous
Annexure 1 of Schedule 6 – Suspicious Indicators

A. Legal Obligation

  1. Section 7 of the Financial Transactions Reporting Act, No. 6 of 2006 (FTRA) requires: Where a Regulated Entity—
    (a) has reasonable grounds to suspect that any transaction or attempted transaction may be related to the commission of any unlawful activity or any other criminal offence; or
    (b) has information that the Regulated Entity suspects may be relevant—
      (i) to an act preparatory to an offence under the provisions of the Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005;
      (ii) to an investigation or prosecution of a person or persons for an act constituting an unlawful activity, or may otherwise be of assistance in the enforcement of the Money Laundering Act, No. 5 of 2006 and the Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005,
    the Regulated Entity shall, as soon as practicable after forming that suspicion or receiving the information, but no later than two working days therefrom, report the transaction or attempted transaction or the information to the FIU. Such reports are herein referred to as Suspicious Transaction Reports (STRs).
  2. As stated above, as per Section 7 of the FTRA all “Institutions” should report suspicious transactions to the FIU. Institution means any person or body of persons engaged in or carrying out any finance business or designated non-finance business as defined in Section 33 of the FTRA.
  3. As per Section 14 (1) (b) (iv) of the FTRA, every Regulated Entity is required to establish and maintain procedures and systems to implement the reporting requirement under Section 7 of the FTRA. Further, Section 14 (1) (d) requires every Regulated Entity to train its officers, employees and agents to recognize suspicious transactions.
  4. As per these Guidelines, the internal AML/CFT Policy approved by the Board of Directors should include policies, procedures on the detection and internal reporting procedure of unusual and suspicious transactions and the obligation to report suspicious transactions to the FIU.

B. Prerequisites for Development of Suspicion

  5. In order to develop a reasonable basis for suspicion, a Regulated Entity must first ensure the effective implementation of the FTRA, including all rules and instructions issued in relation to the FTRA. Failure to implement these effectively may:
    • cause the submission of STRs that are inaccurate, incomplete or inappropriate, or result in suspicious transactions not being reported at all;
    • expose the Regulated Entity to regulatory, reputational, operational and legal risks; and
    • lead to criminal liability for both the individuals and the legal entities involved.
  6. A Regulated Entity is required to systematically capture and manage customer and transaction information. Accordingly,
    a) Regulated Entities, except the very smallest with close customer relationships, must systematically capture and manage customer and transaction information within their compliance and risk management frameworks.
    b) Larger intermediaries should implement electronic information systems that operate on rules, scenarios and profiles to measure and assess:
      • deviations of observed patterns from expected patterns; or
      • conformity of observed patterns to known patterns of abuse of the financial system.
    c) These systems need to be continually evaluated and adjusted to maximize effectiveness, continually updated with new operational and third-party information, and fully integrated into the Regulated Entity’s risk management process.
    d) Alerts generated by such systems should be promptly reviewed by the Compliance Officer.
  7. A Regulated Entity should not rely exclusively on systems to the exclusion of human involvement. System-generated alerts may serve as the basis for submitting an STR. However, such alerts alone do not constitute a complete STR and cannot be accepted as a substitute for an STR that reflects thorough human evaluation and judgment in the reporting process.
  8. A Regulated Entity must demonstrate a strong institutional commitment to:
    • detect suspicious transactions;
    • recognize in good faith such suspicious transactions for what they are when detected; and
    • fully and accurately report such transactions upon recognition.
  9. A Regulated Entity must ensure that this institutional commitment is driven by senior management, including the Board of Directors, and is effectively communicated across the organization through concrete actions, including:
    • development of internal policies and procedures;
    • implementation of training programs;
    • regular compliance audits;
    • investment in appropriate systems; and
    • the consistent and disciplined exercise of sound judgment.

C. Suspicion
  10. A Regulated Entity must develop its own operating definition of suspicion. A Regulated Entity’s operating definition of suspicion should incorporate elements of unresolved and unsubstantiated but persistent feelings of doubt about an objective set of facts and circumstances relating to a behaviour, to a single transaction, to a series of transactions, to an attempted transaction, or to any combination thereof. It can be a feeling that something is not as it was expected to be, or as it was explained to be, given the totality of knowledge of the circumstances in which that something exists. The feeling of doubt cannot be relieved by proof, one way or another, since no proof is available. The definition should allow the formation of a belief that is not firmly grounded or perfectly clear. At the same time, the definition should not allow these beliefs to be fanciful or fleeting. Certainly, the definition should count as suspicious those behaviours and activities that are unusual for the circumstances and not adequately or believably explained. The operating definition of suspicion must pass a test of reasonableness. If the definition is too narrow or rigid, it may exclude the generation of reports that concern unknown or unanticipated unlawful circumstances (i.e. “false negatives”) and may also result in avoidance behaviour by criminals. On the other hand, a definition that is too broad or flexible might result in a large number of reports that are insufficiently analyzed and that do not reflect unlawful circumstances (i.e. “false positives” or “over-compliance”). For Regulated Entities where electronic information systems are integrated into their processes, operating definitions are partially implemented by the triggers, profiles, scenarios and rules defined by the Regulated Entity. Suspicious indicators and typologies may also be elements of such a definition. The concept of “unusual” patterns of behaviour and transactions should also be reflected in these definitions.
    A non-exhaustive and unofficial list of suspicious indicators for transactions and behaviours is provided in Annex 1 of Schedule 6. The Regulated Entity should complement this list with its own indicators. When using indicators, it should be remembered that these indicators are not formulae and they do not necessarily indicate the presence of criminality. Conversely, the lack of known indicators does not necessarily mean the absence of criminality, in part because criminals may adjust their behaviour to avoid such indicators. Instead, indicators, and especially combinations of indicators, should cause increased scrutiny that may lead to the formation of suspicion.
  11. Over-compliance or malicious compliance by a Regulated Entity will not produce STRs of the expected quality. Over-compliance and malicious compliance are strongly discouraged. Over-compliance results when a Regulated Entity submits a large volume of reports that are inadequately analyzed or that fail to meet a reasonable standard of suspicion. Over-compliance can be viewed as an attempt to transfer risk management from the Regulated Entity to the FIU. Malicious compliance is when a Regulated Entity submits reports that, although they may contain some superficial elements of suspicion, are known by the Regulated Entity not to be of a suspicious nature.
  12. If, after considering in good faith the facts and circumstances available to it, within the context of its own understanding of suspicion and of the risks it faces, and after gaining a thorough understanding of the FTRA and its implementing rules, regulations, circulars and guidelines, a Regulated Entity still has doubts about whether a behaviour or activity should be reported as suspicious, the best course of action is to report.

D. Reporting of STRs

  13. When a Regulated Entity is provided with access to the LankaFIN system: all reports must be submitted via the LankaFIN online system, or a successor system designated by the FIU, followed by the signed hard copy of the STR submitted to the FIU by delivery or post.
  14. When a Regulated Entity is not provided with access to the LankaFIN system: the signed hard copy of the STR should be submitted to the FIU by delivery or post.
  15. In urgent situations the Regulated Entity may submit STRs through other forms, such as email, fax or telephone, to be followed by submission through LankaFIN and/or a signed hard copy, as appropriate, within twenty-four hours.

E. Timing of Reporting

  16. (1) The FTRA requires suspicious transaction reports to be submitted to the FIU as soon as practicably possible, but no later than two working days from the formation of suspicion.
    (2) Regardless of the Regulated Entity’s ongoing processes after the initial formation of suspicion, the suspicion itself must be reported even if the Regulated Entity’s process has not been completed.
    (3) The Regulated Entity’s process for dealing with the suspicion may proceed concurrently with the reporting of the suspicion.
  17. If, after sending the report, the Regulated Entity discovers additional facts and circumstances that either support or refute its initial suspicion, then the Regulated Entity should inform the FIU appropriately.

F. Content of Reporting

Completeness:
  18. A single STR must stand alone and contain complete information about the suspicion, providing a full picture of the suspicion itself as well as of the objective facts and circumstances that gave rise to and support that suspicion. Where multiple transactions and/or behaviours are connected with a suspicion, a single report should be filed capturing all of them.

Form

Narrative:
  19. (1) A Regulated Entity is required to fully describe the suspicion and the objective facts and circumstances that gave rise to and support the Regulated Entity’s suspicion.
    (2) The narrative should attempt to answer, to the extent possible, the basic descriptive questions of what, who, when, where, why and how.
  20. Where a Regulated Entity is unable to provide the full detailed narrative through LankaFIN,
    (1) the Regulated Entity may provide the narrative in a separate document and submit it to the FIU along with the signed hard copy of the STR; and
    (2) the Regulated Entity should include a brief summary of the narrative in the LankaFIN system and explicitly mention that the full narrative will be sent with the hard copy.
  21. A Regulated Entity should refrain from providing vague details of suspicions. Instead, a Regulated Entity should provide clear quantitative and qualitative data and relevant supporting documents.

  22. Some of the questions that the narrative should attempt to answer, if possible, include:
    • What is the nature of the suspicion?
    • What offences may have been committed?
    • What transactions, attempted transactions, behaviours, facts, beliefs and circumstances are involved and relevant to the suspicion?
    • Who are the natural and legal persons involved?
    • Who are the beneficial owners?
    • What are their identifiers, such as names, ID numbers, registration numbers, etc.?
    • What are their addresses?
    • What are their occupations or lines/types of business?
    • Who are their employers?
    • What political exposure do they have, if any?
    • How are they connected with each other and with the transactions?
    • What were their roles in the transactions?
    • What property/shares are involved?
    • What is the nature, disposition and estimated value of the involved property/shares?
    • When and where did the transactions, attempted transactions or behaviours occur?
    • How, if at all, do the timing or location of the transactions contribute to the Regulated Entity’s suspicion?
    • Why do these facts and circumstances support the suspicion?
    • How was the suspicion formed?
    • What triggers or indicators are present?
    • What actions have been taken by the reporting Regulated Entity?
    • What related STRs has the Regulated Entity already submitted?
    • What red flags are present?
    • What deviations from expected activities have taken place?
  23. Regulated Entities are required to provide reasonable grounds for the suspicion and are requested to refrain from citing unjustifiable reasons such as ‘relationship between customers cannot be derived from the surnames’, ‘funds from African countries’, etc.

  24. The narrative should be structured in a logical manner so that information can be conveyed to the FIU analyst as efficiently, completely and accurately as possible.
    (1) Essay formats could be used for STR narratives, i.e. having an introduction, a body and a conclusion.
    (2) Paragraph breaks can be used to divide the narrative into logical units and enhance readability.
    (3) Within the body, information could be presented in a chronological manner when attempting to demonstrate possible causal links along a timeline.
    (4) It is advised to minimize the use of the Regulated Entity’s internal jargon, acronyms, brandings and product names by using generic descriptors instead. (For example, use “six-month term deposit account” rather than “Mega-Six Platinum Elite Plus Super Saver Account.”)
    (5) Use punctuation and sentence case.
    (6) The narrative should not be so brief as to compromise its goals. It is advised to avoid words that do not contribute to the meaning of a sentence and to refrain from using overly generic narratives such as ‘the transaction pattern does not match the customer profile’.

Accuracy:
  25. It is imperative that the factual information provided in the report is accurate, particularly identifiers such as names, ID numbers, registration numbers, etc.
    (1) All spellings and transcriptions of identifiers should be double-checked. A single inaccurate digit in a passport number or an NIC, or a misplaced or transposed character in a name, can make the difference between a successful and an unsuccessful analysis.
    (2) Identifiers for legal entities (e.g. company / business registration number, registered name of company) should be exactly identical in every respect to those found on the official registration documents.

G. Submission of Supporting Documents

  26. A Regulated Entity is required to submit relevant supporting documents along with the STR.
  27.
If the Regulated Entity is unable to submit the supporting documents via LankaFIN, the Regulated Entity should:
    (1) submit the relevant supporting documents through email and/or along with the signed hard copy of the STR; and
    (2) mention in LankaFIN that additional supporting documents are submitted via email or through post.
  28. Supporting documents should support rather than replace the STR contents, including the narrative. It is not acceptable to merely refer to a supporting document in the narrative when information from the supporting document can be directly included in the narrative.

H. Miscellaneous

Confidentiality
  29. As per Section 9 of the FTRA, Regulated Entities are not allowed to inform any person, including the customer, about the contents of an STR, or even that the Regulated Entity has filed such a report with the FIU.
  30. As per these Guidelines, where a Regulated Entity forms a suspicion of money laundering or terrorist financing risk relating to a customer, and where the Regulated Entity reasonably believes that conducting the CDD measures would tip off the customer, the Regulated Entity should terminate the CDD measures, proceed with the transaction and immediately file an STR.

Breach of Confidentiality
  31. If any customer is tipped off about the reporting of an STR by any officer of the Regulated Entity, it would be considered a violation under Sections 9 and 10 of the FTRA. This is described as the offence of ‘tipping off’ and is punishable with a fine not exceeding five hundred thousand rupees or imprisonment of either description for a term not exceeding two years, or both such fine and imprisonment.

Protection for Persons Reporting STRs
  32. As per Section 12 of the FTRA: No civil, criminal or disciplinary proceedings shall lie against—
    (a) a Regulated Entity, an auditor or supervisory authority of a Regulated Entity; or
    (b) a director, partner, officer, employee or agent acting in the course of that person’s employment or agency of a Regulated Entity, firm of auditors or supervisory authority,
    in relation to any action by the Regulated Entity, the firm of auditors or the supervisory authority, or a director, partner, officer, employee or agent of such Regulated Entity, firm or authority, carried out in terms of the FTRA in good faith or in compliance with regulations made under the FTRA, CDD rules or directions given by the FIU in terms of the FTRA.

Failure to Report STRs
  33. If a Regulated Entity fails to submit STRs when reasonable grounds exist to suspect that a transaction is related to money laundering or terrorist financing, this is considered non-compliance with the FTRA; as per Section 19 of the FTRA, such non-compliance is liable to penalties of up to one million rupees (Rs. 1,000,000.00), or double this amount for subsequent failures to report.

Should a reporting entity continue a business relationship with a customer about whom an STR has been reported?
  34. The FTRA does not prohibit a Regulated Entity from continuing business relationships with customers about whom STRs have been reported or suspicion has been formed. In particular, the Regulated Entity’s behaviour toward the customer should not amount to any tipping off, subject to the provisions of Section 3 of the FTRA.

Obligations of a Regulated Entity which has submitted an STR in relation to a customer and is continuing the business relationship
  35. After the submission of an initial STR, the Regulated Entity should continue to comply with all relevant provisions of the FTRA in all future dealings with that customer, which may include a requirement to submit additional STRs or information on further suspicions identified or further developments.

Further Information Requests
  36. Where the FIU has requested further information regarding any STR, the Regulated Entity should take all necessary measures to provide such information promptly to the FIU.

Annex 1 of Schedule 6
Suspicious Indicators

This Annex contains a list of indicators related to customer behaviours and activities. This list is necessarily non-exhaustive and incomplete and should be modified and supplemented as necessary by each Regulated Entity. Indicators are not formulae and they do not always indicate the presence of criminality. Conversely, the lack of indicators does not mean the absence of criminality. However, the presence of an indicator, and especially the presence of multiple indicators, should cause increased scrutiny by the Regulated Entity, and such scrutiny may lead to the formation of suspicion.

General Indicators
  • Any behaviour unusual for the circumstances.
  • Any activity unusual for the customer.
  • Any activity unusual in itself.
  • Any knowledge that leads the Regulated Entity to believe that unlawful activity may be involved.
  • Any unresolved and persistent feelings of doubt related to customers and their transactions and attempted transactions.

General Behavioural/Customer Indicators
  • Customer talks about or hints about involvement in criminal activities, even if in a humorous way.
  • Customer does not want correspondence sent to home address.
  • Customer appears to have accounts with several Regulated Entities for no apparent reason.
  • Customer repeatedly uses an address but frequently changes the names involved.
  • Customer uses addresses in close proximity of each other.
  • Customer is accompanied and watched when visiting the Regulated Entity.
  • Customer shows unusual curiosity about internal systems, controls and policies.
  • Customer has only vague knowledge of the amount of a deposit.
  • Customer presents confusing or inconsistent details about the transaction.
  • Customer over-justifies or over-explains the transaction.
  • Customer tries to convince Regulated Entity staff to alter or omit reporting data.
  • Customer is secretive and reluctant to meet in person.
  • Customer is nervous, not in keeping with the transaction.
  • Customer insists that a transaction be done quickly.

  • Customer attempts to develop a close rapport with staff.
  • Customer offers money, oversized commissions, gratuities or unusual favours for the provision of services.
  • Customer has unusual knowledge of the law in relation to suspicious transaction reporting.
  • Customer jokes about needing or not needing to launder funds.
  • Customer has no apparent ties to the community.
  • Customer has irregular work/travel patterns.

Account Opening/Identity Indicators
  • Customer provides doubtful or vague information.
  • Customer produces seemingly false identification or identification that appears to be counterfeited, altered or inaccurate.
  • Customer refuses to produce personal identification documents.
  • Customer only possesses copies of personal identification documents.
  • Customer wants to establish identity using something other than his or her personal identification documents.
  • Customer’s supporting documentation lacks important details.
  • Customer unnecessarily delays presenting corporate documents.
  • All identification presented is foreign or otherwise unreasonably difficult to verify.
  • All identification documents presented appear new or have recent issue dates.
  • Customer is unemployed, or is an independent consultant, or switches jobs frequently.
  • Customer conspicuously displays a large amount of cash.

Indicators for Businesses
  • Lack of regular business hours.
  • Unusually profitable business.
  • Profitable business in a failing industry.
  • Business receipts and incomes above industry norms.
  • Cash-intensive business.
  • Use of high-cost or inconvenient methods when lower-cost or more convenient methods are available.
  • Apparent lack of in-depth knowledge of his own business or industry.

General Transaction Indicators
  • Transaction is unusual for the customer.
  • Transaction is unusual for the country.
  • Transaction is unusual for the industry.
  • Transaction is unusual for any other reason.
  • Transaction seems to be inconsistent with the customer’s apparent financial standing or usual pattern of activities.
  • Sudden unexplained increase in wealth.
  • Transaction appears to be out of the ordinary course for industry practice or does not appear to be economically advantageous for the customer.
  • Transaction uses account(s) that have been dormant.
  • Transaction is unnecessarily complex for its stated purpose.
  • Activity is inconsistent with what would be expected from the declared business.
  • Transaction involves a non-profit or charitable organization for which there appears to be no logical economic purpose, or where there appears to be no link between the stated activity of the organization and the other parties in the transaction.

Cash Transaction Indicators
  • Customer suddenly starts conducting frequent cash transactions in large amounts when this has not been a normal activity for the customer in the past.
  • Customer uses notes in denominations that are unusual for the customer, when the norm in that business is much smaller or much larger denominations.
  • Customer presents notes that are packed or wrapped in a way that is uncommon for the customer.
  • Customer deposits musty or extremely dirty bills.
  • Customer makes cash transactions of consistently rounded-off large amounts.
  • Customer consistently makes cash transactions that are just under the reporting threshold amount in an apparent attempt to avoid the reporting threshold.
  • Customer consistently makes cash transactions that are significantly below the reporting threshold amount in an apparent attempt to avoid triggering the identification and reporting requirements.
  • Customer presents uncounted funds for a transaction. Upon counting, the transaction is reduced to an amount just below that which could trigger reporting requirements.
  • Customer conducts a transaction for an amount that is unusual compared to amounts of past transactions.
  • Customer asks the Regulated Entity to hold or transmit large sums of money or other assets when this type of activity is unusual for the customer.
  • Shared address for individuals involved in cash transactions, particularly when the address is also a business location, or does not seem to correspond to the stated occupation (for example, student, unemployed, self-employed, etc.).
  • Stated occupation of the customer is not in keeping with the level or type of activity (for example, a student or an unemployed individual makes daily maximum cash withdrawals at multiple locations over a wide geographic area).
  • Customers consistently claim that the source of funds is gambling winnings with no evidence of corresponding losses.

Transactions Involving Proxies
  • Transactions where a person who is matched by two attributes (e.g. name and address, or name and birthday, or birthday and address) appears to maintain multiple accounts with variations in one of these parameters.
  • Transactions with multiple accounts at the same address.
  • Transactions where the address does not exist in public records.
  • Transactions where the name does not exist in public records.
  • Transactions where the account holder is a PEP.
  • Transactions where the account holder is a relative or close associate of a PEP.
  • Transactions where the account holder shares an address with a PEP.
  • Large transactions by people with low-income jobs, especially when employed by or related to high-wealth individuals.
  • Transactions in the name of very young people.
  • Transactions in the name of dead people.
  • Transactions in the name of people living in areas where such wealth would be abnormal.

Red Flag Indicators for Securities Sector
  • Accounts that have been inactive suddenly experience large investments that are inconsistent with the normal investment practice of the client or their financial ability.
  • Any dealing with a third party when the identity of the beneficiary or counter-party is undisclosed.
  • Client attempts to purchase investments with cash.
• Client wishes to purchase a number of investments with money orders, traveller's cheques, cashier's cheques, bank drafts or other bank instruments, especially in amounts that are slightly less than the reporting threshold, where the transaction is inconsistent with the normal investment practice of the client or their financial ability.

  • Client uses a securities or futures brokerage firm as a place to hold funds that are not being used in the trading of securities or futures for an extended period of time, and such activity is inconsistent with the normal investment practice of the client or their financial ability.
  • Client wishes monies received through the sale of shares to be deposited into a bank account rather than a trading or brokerage account, which is inconsistent with the normal practice of the client.
  • Client frequently makes large investments in stocks, bonds, investment trusts or other securities in cash or by cheque within a short time period, inconsistent with the normal practice of the client.
  • Client makes large or unusual settlements of securities in cash.
  • The entry of matching buying and selling of particular securities or futures contracts (called match trading), creating the illusion of trading.
  • Transfers of funds or securities between accounts not known to be related to the client.
  • Several clients open accounts within a short period of time to trade the same stock.
  • Client is an institutional trader that trades large blocks of junior or penny stock on behalf of an unidentified party.
  • Unrelated clients redirect funds toward the same account.
  • Trades conducted by entities that you know have been named or sanctioned by regulators in the past for irregular or inappropriate trading activity.
  • Transaction of very large value.
  • Client is willing to deposit or invest at rates that are not advantageous or competitive.
  • All principals of the client are located outside of Sri Lanka.
  • Client attempts to purchase investments with instruments in the name of a third party.
  • Payments made by way of third-party cheques are payable to, or endorsed over to, the client.
  • Transactions made by your employees, or that you know are made by a relative of your employee, to benefit unknown parties.
  • Third-party purchases of shares in other names (i.e., nominee accounts).
  • Transactions in which clients make settlements with cheques drawn by, or remittances from, third parties.
  • Unusually large amounts of securities or stock certificates in the names of individuals other than the client.
  • Client maintains bank accounts and custodian or brokerage accounts at offshore banking centres with no explanation by the client as to the purpose of such relationships.
  • Proposed transactions are to be funded by international wire payments, particularly if from countries where there is no effective anti-money-laundering system.
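As an added example, and not code from these guidelines or from any Regulated Entity's monitoring system, the sketch below shows the rule-and-profile approach that paragraph 6(b) of Schedule 6 asks larger intermediaries to implement, applied to three of the indicators listed in this Annex: cash transactions consistently just under the reporting threshold, a transaction inconsistent with the customer's apparent financial standing, and a large transaction on a dormant account. The threshold value, rule parameters, customer profile and transactions are all constructed assumptions; in keeping with paragraph 7, the output is a queue of alerts for the Compliance Officer to evaluate, never an STR.

```python
"""Rule-based transaction monitoring sketch that turns a few Annex 1
indicators into alerts for Compliance Officer review.

Added illustration only; it is not code from the SEC Sri Lanka guidelines
or from any Regulated Entity. All threshold values, rule parameters,
customer profiles and transactions below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed cash reporting threshold: a placeholder, not a figure from the text.
CASH_REPORTING_THRESHOLD = 1_000_000
JUST_UNDER_FRACTION = 0.10              # within 10% below the threshold = "just under"
STRUCTURING_COUNT = 3                   # this many "just under" cash transactions ...
STRUCTURING_WINDOW = timedelta(days=7)  # ... inside this window raises an alert
DEVIATION_MULTIPLE = 3.0                # one transaction > 3x declared monthly turnover
DORMANT_AFTER = timedelta(days=180)     # no activity for this long = dormant account


@dataclass
class CustomerProfile:
    customer_id: str
    expected_monthly_turnover: float    # declared at on-boarding (CDD)
    stated_occupation: str


@dataclass
class Transaction:
    tx_id: str
    when: date
    amount: float
    method: str                         # "cash", "cheque", "transfer", ...


@dataclass
class Alert:
    rule: str
    tx_ids: list
    reason: str


def structuring_alerts(txs):
    """Cash transactions consistently just under the reporting threshold."""
    low = CASH_REPORTING_THRESHOLD * (1 - JUST_UNDER_FRACTION)
    cash = sorted((t for t in txs
                   if t.method == "cash" and low <= t.amount < CASH_REPORTING_THRESHOLD),
                  key=lambda t: t.when)
    for i, first in enumerate(cash):
        run = [t for t in cash[i:] if t.when - first.when <= STRUCTURING_WINDOW]
        if len(run) >= STRUCTURING_COUNT:
            return [Alert("structuring", [t.tx_id for t in run],
                          f"{len(run)} cash transactions just under "
                          f"{CASH_REPORTING_THRESHOLD:,} within "
                          f"{STRUCTURING_WINDOW.days} days")]
    return []


def deviation_alerts(profile, txs):
    """Transaction inconsistent with the customer's apparent financial standing."""
    limit = DEVIATION_MULTIPLE * profile.expected_monthly_turnover
    return [Alert("profile_deviation", [t.tx_id],
                  f"{t.amount:,.0f} exceeds {DEVIATION_MULTIPLE}x declared monthly "
                  f"turnover of {profile.expected_monthly_turnover:,.0f} "
                  f"(occupation: {profile.stated_occupation})")
            for t in txs if t.amount > limit]


def dormancy_alerts(profile, txs):
    """Large transaction on an account that had been dormant."""
    ordered = sorted(txs, key=lambda t: t.when)
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        gap = cur.when - prev.when
        if gap >= DORMANT_AFTER and cur.amount > profile.expected_monthly_turnover:
            alerts.append(Alert("dormant_reactivation", [cur.tx_id],
                                f"{gap.days} days of inactivity followed by "
                                f"{cur.amount:,.0f}"))
    return alerts


def monitor(profile, txs):
    """Run every rule and return the review queue for the Compliance Officer.

    Paragraph 7 of Schedule 6: a system alert is a basis for human evaluation
    and is never a substitute for an STR."""
    return (structuring_alerts(txs)
            + deviation_alerts(profile, txs)
            + dormancy_alerts(profile, txs))


# Constructed sample data (not real customers or transactions).
SAMPLE_PROFILE = CustomerProfile("C-0001", expected_monthly_turnover=500_000,
                                 stated_occupation="student")
SAMPLE_TXS = [
    Transaction("T1", date(2024, 1, 10), 950_000, "cash"),
    Transaction("T2", date(2024, 1, 12), 920_000, "cash"),
    Transaction("T3", date(2024, 1, 15), 980_000, "cash"),
    Transaction("T4", date(2024, 8, 1), 2_000_000, "transfer"),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_PROFILE, SAMPLE_TXS):
        print(f"[{a.rule}] {a.tx_ids}: {a.reason}")
```

Each alert carries the transaction identifiers and a plain-language reason so that the reviewer can decide whether suspicion is actually formed and, if so, answer the "what, who, when, why" questions of paragraph 22 in the STR narrative; paragraphs 6(c) and 10 are why the parameters are kept as named constants that the Regulated Entity tunes over time rather than fixed in the rule bodies.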