Instruction CTRF No. 02-2023 on Financial Institutions' Obligations for Combating Money Laundering, Terrorist Financing, and Proliferation Financing

Page 1 of 14 Ministry of Finance Financial Intelligence Processing Unit

Instruction No. 02 of the year 2023, Dated 20 Joumada El-Oula, corresponding to December 4, 2023, regarding the obligations of financial institutions in combating money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction.

The President of the Financial Intelligence Processing Unit,

• Having regard to Law No. 05-01 of 27 Dhou el Hidjah 1425 corresponding to February 6, 2005, relating to the prevention and combating of money laundering and terrorist financing, as amended and supplemented,
• In accordance with Executive Decree No. 22-36 of the first Joumada Ethania 1443 corresponding to January 4, 2022, defining the missions, organization, and functioning of the Financial Intelligence Processing Unit,
• After deliberation by the Council of the Financial Intelligence Processing Unit,

Issues the instruction with the following content:

Article 1: This instruction aims to define the obligations related to combating money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction imposed on financial institutions.

Article 2: The terms and expressions contained in this instruction have the meanings attributed to them below:

The Obligated Entities: "Financial Institutions," according to the definition contained in Article 4 of Law No. 05-01 of 27 Dhou El Hidjah 1425 corresponding to February 6, 2005, relating to the prevention and combating of money laundering and terrorist financing, as amended and supplemented, include: banks and financial institutions, payment service providers, financial services of Algérie Poste, and other similar financial institutions, exchange bureaus and independent brokers, stock market operation intermediaries, account keepers, securities custodians, collective investment schemes in movable property, the Algiers Stock Exchange, the central depository (Algérie Clearing), venture capital companies, crowdfunding platform managers, insurance and reinsurance companies, insurance brokers (the general agent, the broker), factoring establishments.

Client: The natural or legal person who deals with the financial institution.

Occasional Client: The client who is not linked to the financial institution by a continuous business relationship.

Business Relationship: The relationship established between the Client and any financial institution, linked to any activity.

The Beneficial Owner: The natural person or persons who, ultimately:

1. Own or control the client, the client's agent, or the beneficiary of life insurance contracts;
2. The natural person for whom a transaction is carried out or for whom a business relationship is concluded;
3. Persons who, ultimately, exercise effective control over the legal entity.

Politically Exposed Person (PEP): Any Algerian, foreigner, elected or appointed, who has exercised or is exercising high legislative, executive, administrative, or judicial functions in Algeria or abroad, as well as senior officials of political parties, and persons who have exercised or are exercising important functions within or on behalf of an international organization.

The Financial Group: A group constituted by a parent company or another type of legal entity holding majority shares and coordinating their functions with the rest of the group to apply or implement control over the group in accordance with fundamental principles, jointly with branches and/or subsidiaries subject to anti-money laundering and terrorist financing policies and procedures at the group level.

Article 3: Obligated entities must comply with the duty of vigilance and, to this end, must implement a written program for the prevention, detection, and combating of money laundering and terrorist financing. They must take into account the commercial dimension and the risks associated with money laundering and terrorist financing, which include notably:

• Policies,
• Procedures,
• Internal control.

Page 2 of 14

Chapter 1 - Risk-Based Approach

Article 4: Obligated entities are required to take the following measures: a) Conduct an assessment of money laundering and terrorist financing risks by identifying, evaluating, and understanding these risks, based on the nature of the establishment and its size, as well as the extent of its activities. This assessment must include:

• Inclusion of information or results from any risk assessment carried out by the State;
• Identifying, evaluating, and understanding the risks of clients, countries or geographic regions, products and services, operations, delivery channels, or service provision channels;
• Taking into account all related risk factors before determining the general level of risks, and the appropriate level and type of measures to apply to mitigate these risks. b) Update the assessment processes periodically and as necessary; c) Document the assessment operations they carry out, update them, and preserve them; d) Set up an adequate mechanism to report to the supervisory body and competent authorities the results of assessment operations upon their completion or upon request; e) Explain and disseminate the results of risk assessments to all employees.

Article 5: The risks, subject of Article 4 above, must be analyzed and evaluated at regular and appropriate intervals, compatible with the nature and size of the institution, as well as the scope of its activities.

Obligated establishments must also demonstrate to supervisory and control authorities and competent authorities that the measures taken to identify and evaluate money laundering and terrorist financing risks allow the following: a) Evaluate the risk profile of the business relationship with each Client; b) Identify changes in money laundering and terrorist financing risks, represented by new products and services offered through the application of new technologies to their services; c) Determine the expected purpose and nature of the relationship with each Client; d) Identify and recognize any changes related to money laundering and terrorist financing risks.

Article 6: Obligated entities must carry out the following: a) Identify and evaluate money laundering and terrorist financing risks associated with the development of new services or products and new professional practices, including new ways of providing services, and those resulting from the use of new or developing technologies in relation to each new and existing product;

Page 3 of 14

b) Conduct a risk assessment before launching products, practices, or technologies or their use; c) Take appropriate measures to manage and mitigate these risks, in addition to specific risks related to business relationships and transactions that do not involve the physical presence of the parties.

Article 7: Obligated entities must carry out the following: a) Establish policies, controls, and procedures approved by senior management enabling them to manage and reduce identified risks (according to their assessment or according to the national risk assessment), supervise them, and strengthen them if necessary; b) Take enhanced measures to manage and mitigate risks when high risks are identified; c) Take simplified measures to manage and reduce risks when low risks are identified; d) Ensure permanent compliance with these procedures and their regular update; e) Monitor the implementation of these controls and strengthen them if necessary.

Chapter 2 - Duties of Vigilance Towards Customers

Article 8: Standards related to "Know Your Customer" (KYC) must take into account the basic elements of risk management and control procedures, including: a) Policy for accepting new clients; b) Identification of the identity of the clientele, the beneficial owner, and control of movements and operations; c) Continuous control over all clients

With the obligation of approval of the above procedures by the superior authority.

Obligated entities must:

• Carefully examine transactions carried out throughout the business relationship to ensure they correspond with their knowledge of clients and their business activities, as well as their risk profile, including the origin of funds where applicable;
• Ensure that documents, data, or information obtained following the application of the duty of vigilance are up-to-date and compatible with them. This includes the review of existing elements, particularly for high-risk customer categories.

Regarding existing clients at the time of entry into force of these new provisions, obligated entities must apply the necessary vigilance measures based on the importance of the risks they represent, and must implement in a timely manner the necessary vigilance measures for existing relationships, taking into account previous vigilance measures regarding clients at the time of their implementation, and the importance of the information obtained.

Page 4 of 14

Article 9: Obligated entities must, each within their respective scope, take the vigilance measures provided for in this chapter when: a) They establish business relationships; b) They carry out an occasional transaction exceeding two million Algerian dinars or its equivalent in legal tender currency, including cases where the transaction is carried out as part of one or more transactions that appear to be linked; c) They carry out an occasional transaction in the form of a bank transfer exceeding 150 thousand Algerian dinars or its equivalent in legal tender currency, or several transactions that appear to be linked, and the total amount exceeds the fixed threshold; d) There is a suspicion of money laundering, terrorist financing, or proliferation of weapons of mass destruction, regardless of the minimum level stipulated in regulations; e) There is doubt regarding the accuracy or adequacy of previously obtained client identification data.

Article 10: Obligated entities must take client identification measures whether they are habitual or occasional, local or foreign, by obtaining the following information: a) If the client is a natural person:

• Verify the identity of the natural person through documents (notably original documents currently valid including a photo, namely the national identity card, driver's license, passport for foreigners), and at minimum the client's name and surname, nationality, date and place of birth, permanent address, identity card or passport number for the foreign person, place and date of issue, mother's name, social status, and spouse's name;
• Information on the client's economic activity: represented by the nature of the client's work or activity, sources of income, work address, name of the employer or employing organization, and monthly income value;
• Information on residence, the actual or current residence;
• Client contact information, represented by the client's phone number and email address;
• Any other information that financial institutions deem necessary to obtain according to the nature and degree of risks. b) If the client is a legal entity, including any type of non-profit organization, obligated entities must:

1. Understand the nature of the legal entity and its activities, as well as its ownership and control structure;
2. Identify and verify the identity of the legal entity by obtaining the required information notably by:

• Presenting an original of its statutes and any document proving that it is legally registered or approved, and that it has a real existence and address at the time of its identification;

Page 5 of 14

• Verification of the address by presenting an official document proving residence;
• The powers that govern and bind the legal entity, as well as the names of the persons concerned who hold management positions.

3. Determine the beneficial owners of the clients and take adequate measures to verify the identity of these persons using information or data obtained from a reliable source, with the assurance of knowing who the beneficial owner is;
4. For agents and brokers working on behalf of others, or any other person claiming to act on behalf of the client, obligated entities, in addition to the documents stipulated above, must verify the powers granted to them.

A copy of each document proving identity, agency, and address must be preserved.

Under no circumstances must obligated entities open or keep anonymous or numbered accounts, or accounts under fictitious names, or deal with unidentified persons or persons bearing fictitious names, or fictitious banks.

Article 11: When the risk of money laundering or terrorist financing appears low and it is necessary not to interrupt the normal course of activity, the identity of the client and the beneficial owner must be verified before or during the establishment of the business relationship, or the execution of transactions for the case of occasional clients. Furthermore, obligated establishments may carry out verification after the establishment of the business relationship provided that:

• This occurs within reasonable timeframes;
• It is necessary not to disrupt the normal course of business;
• Managing money laundering and terrorist financing risks effectively.

Obligated entities must adopt appropriate risk management measures regarding the circumstances in which the client may benefit from the business relationship before the verification operation. This operation must include a set of procedures:

• Determine restrictions, thresholds, or controls on the number and types/quantity of transactions or operations that can be carried out;
• Identify important or complex operations that exceed the thresholds provided for this type of relationship.

It is prohibited to postpone the verification operation in the following cases:

• Presence of high-risk indicators;
• When there are suspicions of money laundering or terrorist financing;

Page 6 of 14

• When it concerns essential client identification information, namely: identity card or passport information, or identity documents relating to the legal entity.

Article 12: Obligated entities must take adequate measures according to the money laundering and terrorist financing risks arising from the client and the business relationship, to determine beneficial owners, and determine if the beneficiary is a politically exposed person for the case of natural persons, and verify their identity through the following elements: a) Determine if the client acts for themselves and for their own interest, and if so, they must sign a declaration attesting that they are the beneficial owner of the business relationship; b) In the case where the client does not act for themselves and for their own account, or when obligated entities doubt the truthfulness of the client's declaration, they must determine the natural person or persons benefiting or ultimately and definitively controlling the business relationship, or the persons for whom or on whose behalf the transaction was carried out, or who exercise final and definitive control over the client's accounts, and determine the capacity in which the client acts on behalf of the beneficial owner; c) Apply the identification and identity verification procedures for natural persons provided for in this instruction on the identified beneficial owner(s), in accordance with the provisions of the first paragraph of this article, in a manner to convince the obligated entities that they have identified the beneficial owner.

Article 13: The beneficial owner(s) of the legal entity are determined and necessary measures will be taken to verify their identity as follows: a) The natural person or persons holding directly or indirectly a percentage equal to or greater than 20% of the capital or voting rights; b) In the case where the identity of the beneficial owner(s) is not confirmed, or if the identity of the beneficial owner(s) has not been determined after applying criterion (a), the beneficial owner is the natural person(s) exercising effective or legal control, by any direct or indirect means, on the administration, administrative or management bodies, or on the general assembly, or on the conduct of the affairs of the legal entity, through the determination of the content of decisions taken by the general assembly through the voting rights they possess, or by enjoyment, as a partner or shareholder, of the power to appoint or dismiss the majority of the management or administration members of the company, or control bodies, or other monitoring or control tools; c) In the case of non-identification of the beneficial owner(s) according to criteria (a) and (b), the beneficial owner is the natural person having the status of legal representative of the company in accordance with current legislation.

Page 7 of 14

Article 14: To ensure that the data they hold on clients is up-to-date, obligated entities must update them annually, based on: a) The importance of the risks represented by the client; b) When they carry out an operation that is not compatible with their knowledge of the client, their business activities, and their risk profile; c) On the occasion of a fundamental modification of client documentation standards, or a major change in account management mode, as well as in cases 4 and 5 provided for in Article 9 of this instruction.

However, if an obligated establishment finds at any time that the information it has about a client is insufficient, it must take the necessary measures to obtain all useful information as soon as possible.

Article 15: Obligated establishments may apply necessary simplified vigilance measures towards certain clients provided that low risks are identified and evaluated and that this assessment is consistent with national and sectoral risk assessments and with their own assessments. Their measures must be proportional to the lowest risk factors.

Simplified measures consist notably of the following: a) Verify the identity of the client and the beneficial owner after the establishment of the business relationship; b) Reduce the frequency of updates of client identification elements; c) Reduce the intensity of continuous vigilance and the depth of the examination of operations to a reasonable limit.

Simplified vigilance measures are not acceptable in cases of suspicion of money laundering or terrorist financing, or in specific cases presenting higher risks.

Article 16: Insurance, reinsurance companies, and intermediaries (general agent, broker) must take the following measures, in addition to the vigilance procedures required for clients and beneficial owners in accordance with the provisions of this chapter: a) Take vigilance measures on beneficiaries of life insurance contracts and other investment insurance products, from the identification or designation of these beneficiaries:

1. Obtain the name of the person for beneficiaries who are specifically designated natural or legal persons;
2. Obtain sufficient information on beneficiaries designated by attributes or categories (such as a husband or children at the time the insured incident occurs) or by other means such as a will, so that insurance and reinsurance companies and intermediaries (general agent, broker) can identify the beneficiary at the time of indemnification;
3. Verification of the identity of the beneficiaries referred to in paragraph 1 of this article, at the time of indemnification.

Page 8 of 14

b) Consider the beneficiary of a life insurance contract as a risk factor associated to determine the applicability of required enhanced vigilance measures. And when insurance, reinsurance companies, and intermediaries (general agent, broker) manage to consider the insurance beneficiary as a high-risk legal entity, necessary enhanced vigilance procedures must be applied in accordance with the provisions of this instruction, including taking adequate measures to identify the beneficial owner of an insurance contract and verify it at the time of indemnification.

Insurance, reinsurance companies, and intermediaries (general agent, broker) must develop and take necessary measures to determine if a politically exposed person is a beneficiary or beneficial owner of a life insurance contract. If so, they must proceed as follows:

• Inform the superior authority before paying indemnification from the life insurance product and conduct a careful review of the business relationship;
• Consider sending a suspicious transaction report to the Financial Intelligence Processing Unit.

Article 17: Obligated entities are required to have an appropriate risk management system at their disposal to determine if the potential client, current client, or beneficial owner is a politically exposed person within the meaning of Law No. 05-01 of 27 Dhou al-Hijah 1425, corresponding to February 6, 2005, relating to the prevention and combating of money laundering and terrorist financing, as amended and supplemented, mentioned above, and to take all measures