Statute on a Single Information System for Currency Operations

‘Approved’ Central Bank of the Republic of Azerbaijan Decision № 62/1 20 December 2023 Statute on a single information system on currency operations

1. General provisions 1.1. This Statute has been developed in accordance with Article 16-1 of the Law of the Republic of Azerbaijan ‘on Currency Regulation’ (hereinafter – the Law) and establishes the legal, organizational, and technological foundations for the creation, functioning, and use of the unified information system (hereinafter – the information system) for foreign exchange transactions conducted by both residents and non-residents for the purpose of currency control, as well as the types of information to be submitted to the information system. 1.2. Banks, local branches of foreign banks, the national postal operator and currency exchange license holders (hereinafter - currency control agents) send currency transaction data determined by this Regulation to the information system. 1.3. Necessary expenses for the maintenance and operation of the information system are funded from the resources of the Central Bank of the Republic of Azerbaijan (hereinafter - the Central Bank). The Central Bank supports the single information system to ensure the implementation of the requirements set up by the Law, the ‘Regulations on currency operations of residents of the Republic of Azerbaijan in foreign currency, as well as non-residents in national and foreign currencies’ (hereinafter – Regulations) and other regulations by currency control agents. 1.4. The use of the information system is free of charge. 1.5. The following information is not disclosed to other currency control agents: 1.5.1. the information specified in Items 7.4.2, 7.5.2 and 7.6.2 of this Statute. 1.5.2. information on exchange transactions conducted in years preceding the current calendar year. 1.5.3. information on foreign currency transfer operations outside the Republic of Azerbaijan conducted in the months preceding the current calendar month according to sub-item 4.3.8.3 of the Regulations. 1.6. The information system runs in real time (24/7/365) at any time of the day, including non-working days defined by the legislation. 1.7. Other issues not outlined in this Statute on the technical operation of the information system are regulated as per the User manual placed in the user's e-cabinet.
2. Main definitions 2.1. The definitions used for the purposes of this Statute bear the following meanings:

2.1.1. owner – the Central Bank, as the owner and operator of the system, ensures the use of the information system by currency control agents. 2.1.2. user – currency control agents who enter information on currency transactions with customers into the information system and retrieve information on currency transactions conducted by customers from the information system. 2.1.3. participant – user’s authorized employee. 2.1.4. customer – resident or non-resident individuals or legal entities, as well as other institutions, or authorized representatives of those persons, conducting currency transactions through the user. 2.1.5. electronic cabinet – personal electronic page that enables the participant or user to access and use the information system by authenticating themselves with an enhanced electronic signature within the functions defined by this Statute. 3. Principles of the information system operation 3.1. The information system runs based on the following principles: 3.1.1. ease of use - provision of convenient information system use and information exchange, without additional operations. 3.1.2. promptness – automated and swift provision, reception, response, acquisition, and exchange of information related to pertinent operations. 3.1.3. continuity – uninterrupted implementation of activities, regardless of organizational, administrative, technical, and other changes in the information system. 3.1.4. accountability – ensuring accountability in the operation of the system, possibility of monitoring the implemented procedures and their results. 4. Software and hardware of the information system 4.1. The information system consists of the following elements: 4.1.1. software of the information system. 4.1.2. central and backup hardware of the information system. 4.1.3. network infrastructure of the information system. 4.1.4. database of the information system. 4.2. The software of the information system includes operating systems, application software, information protection and other software tools. The application software covers the following areas: 4.2.1. electronic cabinet. 4.2.2. a single electronic base of currency operations. 4.2.3. information window for customers on currency transactions. 4.2.4. integration and electronic data request module that provides information sharing with other information systems and resources. 4.3. The information system hardware includes servers, memory devices, cooling systems, uninterrupted power sources and other technical means. 4.4. A backup copy of the information system is created in the backup center, and a copy of the software of the information system is stored in this center. The central and backup hardware of the information system runs under the control of the owner. 4.5. The network infrastructure of the information system consists of communication devices and protected telecommunication channels.

5. Security measures 5.1. To continually check the level of data protection, promptly identify security threats, and prevent potential risks, the information system is equipped with specialized protection systems and software which are regularly updated. 5.2. While processing data in the information system, any effects that may lead to disruptions in the operation of software and technical tools should be avoided. 5.3. The owner ensures the prompt detection of illegal intrusions in the information system, as well as the prevention of unauthorized dissemination and transfer of information to individuals who do not have permission to access it. 5.4. The protection means for the secure entry, systematization, storage, use, modification, deletion, and restoration of data in the information system should follow technical requirements. 5.5. To ensure the reliability and security of the data entered into the information system, information system users and participants are identified by an enhanced electronic signature. 5.6. When using the information system, the requirements for information protection should be observed in accordance with the Law of the Republic of Azerbaijan ‘on Information, Informatization, and Information Protection’.

6. Information system functions 6.1. The following is provided through the information system: 6.1.1. collection, processing, modification, cancellation, recovery, search, and analysis of information. 6.1.2. possibility of simultaneous use of the information system by multiple users. 6.1.3. continuous operation. 6.1.4. protection of data and data channels. 6.1.5. compatible technologies and software-hardware in information sharing. 6.1.6. bulk and separate sending of data by participants and users of the information system, reception, cancellation, and restoration of returned data. 6.1.7. search for exchange transactions based on the personal identification number (PIN) and the date of birth of individuals, or the date of birth and the number of the ID cards of those persons. 6.1.8. search for foreign currency transfer operations outside the Republic of Azerbaijan based on the following information: 6.1.8.1. the PIN and the date of birth of individuals, or the date of birth and the number of the ID cards of those persons. 6.1.8.2. TIN of a legal entity, its branch, representative office, and other entities that are not a legal entity, the name, and the country of registration in the absence of a TIN. 6.1.8.3. the date and number of supporting documents that provide the basis for conducting relevant operations (when such documents are required to be obtained under the Regulations). 6.1.9. creation of an electronic cabinet and an electronic data request module for information system users and participants, and an information window for customers 6.1.10. systematic storage of information.

7. Data submitted to the information system 7.1. Users submit to the information system the information specified in Items 7.2- 7.8 of this Statute about currency exchange operations of customers, as well as foreign currency transfer operations outside the Republic of Azerbaijan. 7.2. According to the legislation, in the event an ID card is obtained, PINs, the date of birth of individual customers (their authorized representatives) and authorized representatives of legal entity customers and where the currency operation is conducted in connection with the entrepreneurial activity of the individual, his/her TIN, in the absence of the TIN, the following additional information is entered to the system: 7.2.1. first, last, middle names. 7.2.2. country(ies) of citizenship. 7.2.3. the type and number of ID card. 7.2.4. the registration address. 7.3. TINs of customers who are legal entities, their branches, representative offices, and other entities that are not legal entities, in the absence of TINs the following information is included in the information system: 7.3.1. the name, organizational-legal form. 7.3.2. the country of registration. 7.4. The following information on currency exchange operations is included in the information system: 7.4.1. the transaction hour and date. 7.4.2. the name and address of the currency control agent selling/buying the currency and its structural unit. 7.4.3. form of sale/purchase of currency (cash/cashless). 7.4.4. currency sale/purchase method (cash office/payment terminal/mobile application/website/other). 7.4.5. amount and currency sold/bought. 7.4.6. the name of the document confirming the source of funds exchanged by the customer, the date and number of that document, if any (if such a document is obtained following the law). 7.5. Except for the operations outlined in Item 7.6 of this Statute, the following information on foreign currency transfer operations outside the Republic of Azerbaijan is included in the information system: 7.5.1. the transaction hour and date. 7.5.2. the name and address of the currency control agent its structural unit that transfers the currency. 7.5.3. the country of destination. 7.5.4. the name of the recipient. 7.5.5. the account number of the sender (if the transfer is made through an account). 7.5.6. transaction amount/currency. 7.5.7. the transaction channel (SWIFT/fast money transfer system (please specify)/ other (provide additional information). 7.5.8. the relevant structural element of the Regulations that defines the basis for the operation.

7.5.9. the name, date, and number of supporting documents that provide the basis for the operation. 7.5.10. the purpose of the operation. 7.5.11. a unique reference number of the operation. 7.6. Following sub-item 4.3.8.3 of the Regulations, the following information on foreign currency transfer operations outside the Republic of Azerbaijan is entered into the information system: 7.6.1. the transaction hour and date. 7.6.2. the name and address of the currency control agent its structural unit that transfers the currency. 7.6.3. transaction amount/currency. 7.6.4. the relevant structural element of the Regulations that defines the basis for the operation. 7.6.5. a unique reference number of the transaction. 7.7. When the transfer of foreign currency outside the Republic of Azerbaijan relates to the import of goods and (or) services (except for the case specified in Item 7.8 of this Statute), the following information on supporting documents for this transaction is entered into the information system: 7.7.1. the type, number, and date of declaration (if goods are imported). 7.7.2. the name of the sender (provider)/exporter of the goods (services). 7.7.3. the name of the recipient/importer of the goods (services). 7.7.4. the country supplying the goods (service). 7.7.5. the name and the code of imported good (service). 7.7.6. total value of goods (services) specified in the document that is the basis for the import transaction. 7.7.7. the value of the imported goods (services) in exchange for pre-paid funds (advance payment), its currency and its USD equivalent. 7.8. When pre-paid funds (advance payments) transferred outside the Republic of Azerbaijan are refunded, the following information is entered to the information system: 7.8.1. the date of refund. 7.8.2. the currency of the refund and its USD equivalent. 7.8.3. a unique reference number of the refund transaction. 8. Rights and responsibilities of the information system owner 8.1. The owner of the information system is entitled to suspend user's (participant's) access to information in the information system (electronic cabinet) if: 8.1.1. there are attempts of illegal access or intrusion to the information system. 8.1.2. the Central Bank suspends currency exchange activities. 8.2. The information system owner: 8.2.1. registers users, participants and customers in the information system and provides them with access to the information system following this Statute. 8.2.2. organizes the storage and protection of information history (logs) about the access of the owner, user, participant, and customer to the system, as well as data entry, modification, and deletion to safeguard the relevance, reliability, and protection of data within the information system, their backup copies, as well as address instances of illegal access and falsification.

8.2.3. provides access to information about the customer in the information system based on his/her request. 8.2.4. following this Statute, ensures the uninterrupted operation of the information system, which includes organizing stable information sharing through the system, controlling the full and timely transfer of information to the information system, and retrieving such information within the limits set by law. 8.2.5. keeps participants and users informed about the functions of the information system and the rules of their use, conducts necessary instructional work, provides them with methodical assistance, promptly investigates and solves the difficulties encountered by participants and users, organizes training sessions to regularly enhance related knowledge and skills of participants. 8.2.6. organizes the operation, maintenance and storage of information system components and software according to their purpose, conducts and monitors appropriate preventive works according to the established schedule. 8.2.7. takes organizational and technical measures related to the security of the data available in the information system. 8.2.8. informs information system participants in the event of any accident (error) or interruption in the operation of the information system. 8.2.9. ensures the completeness, integrity, accessibility, and confidentiality (secrecy) of the data available in the information system. 8.2.10. in cases outlined in sub-item 11.1.3 of this Statute, upon receiving information from the customer applies to the user for verification of the information and takes appropriate measures no later than the next working day, depending on the result. 8.2.11. organizes the activity of the information system following the requirements of this Statute, controls its formation, management, integration, archiving, stable and reliable operation. 8.2.12. registers information system downtimes and analyzes errors. 8.2.13. organizes the regular optimization of the information system database. 8.2.14. ensures the capability for immediate recovery of modified or deleted data in the information system. 8.2.15. ensures that the backup copy of the information system database is maintained in a pre-defined manner. 8.2.16. conducts scheduled preventive reviews of the server and network equipment hosting the information system and if necessary, ensures the prompt resolution of found malfunction. 8.2.17. ensures the intended operation, maintenance, and updating of system components and software, and the execution of preventive measures for improvement. 9. Rights and responsibilities of the information system users 9.1. Information system users are entitled to: 9.1.1. use the information system electronically. 9.1.2. make proposals on improving the work of the information system. 9.1.3. obtain information about his/her use of the data in the information system. 9.2. The information system users: 9.2.1. ensure that the data specified in Items 7.2-7.6 of this Statute in relation to banks, local branches of foreign banks and the national postal operator are submitted to

the information system in real time (at the time of entering the information on the currency transaction into their operating system), in relation to currency exchange license holders within 15 (fifteen) minutes from the time the currency exchange was conducted, and the data outlined in Items 7.7 and 7.8 of this Statute on the same day the supporting documents for foreign currency transfer operations are submitted to the currency control agent. 9.2.2. appoint participants authorized to enter data to the information system, provide the relevant information to the owner, as well as monitor the performance of tasks by participants as defined in Item 10.2 of this Statute. 9.2.3. at the request of the customer and/or the owner, ensure the verification of customer information in the information system within 7 (seven) working days (with an additional 7 (seven) working days if it is necessary to involve a third party), if inconsistencies are found in the information, take measures as outlined in Item 10.2 of this Statute and inform the customer about the results of the verification. 10. Rights and responsibilities of information system participants 10.1. Information system participants are entitled to: 10.1.1. use the information system as per this Statute within the user's rights. 10.1.2. verify the information they enter to the information system and acquire the said information. 10.2. Information system participants: 10.2.1. enter data to the information system following sub-item 9.2.1 of this Statute, take necessary measures to ensure the security of those data. 10.2.2. when inconsistencies are found in the data entered to the information system, promptly modify, or delete them, inform the user's management in writing about this, indicating the reasons. 10.2.3. do not to interfere with equipment and software that ensure data protection. 10.2.4. avoid actions that slow down the operation of the information system, damage it or cause its operation to stop. 10.2.5. retrieve data from the information system and use the retrieved data only for currency control purposes. 10.2.6. do not allow the information to be read by outsiders when using the information system and protect confidentiality of such information under the legislation. 10.2.7. do not violate confidentiality (secrecy) of the enhanced electronic signature tools that allow access to the information system. 10.2.8. do not create obstacles for authorized persons conducting verification of data protection measures. 11. Rights and responsibilities of customers 11.1. Customers are entitled to: 11.1.1. retrieve the information on themselves available in the information system. 11.1.2. obtain information on the use of information about themselves in the information system.

11.1.3. inform the owner and/or request the user of the information system to change or remove the relevant information if they find inconsistencies in the information about themselves in the information system. 11.2. Following Article 16-1.3 of the Law, the customer's consent is not needed for the collection and processing of data in the information system, they may neither object to the collection and processing of data in this system nor request the destruction of the information therein. 12. Public information resources and systems running in connection with the information system According to Part 7 of this Statute, the accuracy of the information sent to the information system is verified by obtaining it from relevant public information systems and resources (if integrated) through the Electronic Government Information System upon request. 13. Organization of information system activities 13.1. The threshold for the use of the information system's database by the participant is determined based on the user request. 13.2. The information entered to the information system should be complete, with all necessary fields filled in entirely. It is not mandatory to fill in those fields if the information does not have to be obtained following the requirements of the legislation. 13.3. Information is entered into the information system in the official language of the Republic of Azerbaijan. 14. The procedure for using the information system 14.1. The information system is used through an electronic cabinet and/or an electronic data request module. 14.2. Participants can use the information system through the electronic cabinet and/or electronic data request module after being identified with an enhanced electronic signature and perform other operations defined by this Statute. 14.3. After being authenticated with the Single Sign-on System ('ASAN login') on the Electronic Services Portal of the Central Bank, customers can access information about their currency transactions through the customer information window in the information system.