Decree No. 67/2018 Coll. on Requirements for Internal Rules Against Money Laundering and Terrorist Financing

Decree No. 67/2018 Coll. of 11 April 2018 on selected requirements for the system of internal rules, procedures and control measures against legitimisation of proceeds of crime and financing of terrorism As amended by Decree No. 235/2021 Coll. Decree No. 108/2024 Coll. Pursuant to Article 21(9) of Act No. 253/2008 Coll., on selected measures against legitimisation of proceeds of crime and financing of terrorism, as amended by Act No. 368/2016 Coll., the Czech National Bank stipulates the following: Article 1 Subject of regulation This Decree stipulates the requirements for the implementation and application a) of procedures of customer due diligence and determination of the extent of customer due diligence corresponding to the risk of legitimisation of proceeds of crime and financing of terrorism (“Risk”) based on the type of customer, business relationship, product or transaction, and b) of reasonable and appropriate methods and procedures of risk assessment, risk management, internal controls and compliance with obligations stipulated in the Act No. 253/2008 Coll., on selected measures against legitimisation of proceeds of crime and financing of terrorism, as amended (“the Act”) by institutions within the system of internal rules pursuant to Article 21(2) of the Act. Article 2 Personal scope of application (1) The Decree applies to an institution that is subject to supervision of the Czech National Bank1) and that is subject to the obligation to prepare a system of internal rules. (2) Institution that, in relation to a customer, applies an exemption from customer identification and due diligence in accordance with Article 13a of the Act, is not obliged, within the scope of the applied exemption, to comply with the requirements pursuant to Articles 6 to 10 in relation to this customer. (3) Institution that, in relation to a customer, performs simplified identification and due diligence pursuant to Article 13 of the Act, shall comply with the requirements pursuant to Articles 6 to 10 in proportion to the scope of the simplified client identification and due diligence performed in relation to this customer. Article 3 Definition of terms

1. Article 44 of Act No. 6/1993 Coll., on the Czech National Bank, as amended.

2 (1) For the purposes of this Decree, the following definitions shall apply: a) institution means an obliged entity pursuant to Article 2(1)(a) and (b) points 1 to 10 and (h) point 5 and paragraph 2(a) of the Act, which is subject to supervision of the Czech National Bank. b) an opaque ownership structure means a situation where it is not possible to establish the beneficial owner or the ownership and management structure of the customer from

1. a public register, a register of trust funds or a register of beneficial owners maintained by a public authority of the Czech Republic,
2. a similar register of another country, or
3. other source or combination of sources that the institution justifiably considers as reliable and with regard to which it reasonably believes that in their entirety they provide complete and up-to-date information about the beneficial owner and the ownership and management structure of the customer, in particular if they are issued by a public authority or are officially certified; an affidavit alone cannot be considered a trustworthy source for the purposes of establishing the beneficial owner and the ownership and management structure. (2) For the purposes of Article 7, Article 9(3) and (4) and Article 11, a legal person also means a trust fund, to which these provisions shall apply mutatis mutandis. Article 4 General provisions (1) Institution shall implement and apply procedures for the preparation, adoption, modification, implementation, and application of the risk assessment and the system of internal rules (“internal regulations”). (2) Institution shall take into account in its internal regulations guidelines of the European Banking Authority2) , the European Securities and Markets Authority3) , the European Insurance and Occupational Pensions Authority4) and the Joint Committee of the European Supervisory Authorities

in the field of prevention of legitimisation of proceeds of crime and financing of terrorism within the scope in which they apply to the institution, published in Czech language by the Czech National Bank on its website. (3) Institution, when preparing and applying its internal regulations, including customer identification and due diligence procedures, shall take into account recognised and proven principles and procedures in the field of prevention of legitimisation of proceeds of crime and financing of terrorism (“recognised standards”), an overview of which is published by the Czech National Bank on its website. This is without prejudice to the right

2. Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, as amended.
3. Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC, as amended.
4. Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No. 716/2009/EC and repealing Commission Decision 2009/79/EC, as amended.
5. E.g. Article 54 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council.

3 of an institution to select and take into account in its internal regulations also other recognised standards that are current and proportionate to the nature, scale and complexity of the activities it performs; however, their content or use may not be contrary to statutory requirements or circumvent their purpose. (4) Institution shall ensure that its internal regulations and the recognised standards it has selected are current and proportionate to the nature, scale and complexity of the activities performed. Institution shall, in its internal regulations, determine the minimum intervals in which it will evaluate and potentially update its internal regulations. These intervals must be adequate to ensure that the internal regulations of the institution remain current and reflect the real situation, and always take into account the products and services offered by the institution before their placement on the market as well as technologies before the institution starts to use them. (5) Institution shall further, without undue delay, evaluate whether its internal regulations are current and ensure their potential update whenever the need arises a) from a conclusion made in the risk assessment, b) from information the institution obtains and that leads to the conclusion that the risk assessment or the materials on which it is based are not current, c) from a change in the business activity or strategy of the institution, d) from a change in legislation, or e) from information about changes to the national risk assessment pursuant to Article 30a of the Act. (6) Institution shall always record the results of the evaluation pursuant to paragraphs 4 and 5 and its reasons. (7) Where relevant, institution shall also update customer risk profiles depending on the updates pursuant to paragraphs 4 and 5 at intervals proportionate to their risk profiles. Article 5 Risk assessment (1) During the risk assessment, institution shall always take into account a) the national risk assessment prepared in accordance with Article 30a of the Act, b) the European risk assessment prepared by the European Commission6) , c) methodological and interpretative materials and decisions of the Czech National Bank and the Financial Analytical Office, d) information provided by the Financial Analytical Office and law enforcement authorities, and e) information obtained during customer identification and due diligence. (2) During the risk assessment, institution shall take into account at least such scope and types of sources of information that ensure that the risk assessment genuinely reflects

6. Article 6(1) to (3) of Directive (EU) No 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC.

4 the real risks connected with the activities of the institution. (3) During the risk assessment, institution shall always take into account a) the nature of its business activities, b) the products and services it offers and provides, and the possibilities for their abuse for legitimisation of proceeds of crime and financing of terrorism, c) the risks connected with the use of new technologies within its business activities, d) the risks connected with the distribution channels it uses to offer and provide its products and services, and e) the risk management measures that the institution has adopted and applies. (4) During the risk assessment, institution shall also take into account measures, special risks and specific factors other than those specified in Article 5(3) if they arise from the specific nature of its activities. (5) Institution shall record the procedures it used to prepare its risk assessment, and the reasons on which it founded the conclusions contained in the risk assessment. Determination of the risk profile and other procedures during the establishment and in the course of a business relationship and during the execution of a transaction outside a business relationship Article 6 Institution shall implement and apply, within its system of internal rules, rules and procedures according to which, during the establishment of a business relationship and in its course, a) it determines customer risk profile, while taking into account

1. the information obtained about the customer,
2. factors known to the institution that increase or decrease the risk connected with the customer, the business relationship or a related ongoing transaction outside the business relationship, and
3. its own risk assessment, and b) it takes appropriate measures towards the customer depending on his/her risk profile. Article 7 (1) As part of the rules and procedures for determining customer risk profile, institution shall determine factors that it will take into account when determining customer risk profile, the weighting of individual factors, and their mutual relationships. Institution shall implement and apply these rules and procedures in a manner that ensures effective risk management. This is without prejudice to the obligation set out in Article 9(2). (2) The factors that an institution shall take into account pursuant to paragraph 1, where relevant, include in particular the following: a) the country of origin of the customer, of its beneficial owner and of the person authorised to act on behalf of the customer, b) the country of origin of a person with direct or indirect participation in a customer that is a legal person, and the country of origin of a person in which such a customer has direct or indirect participation,

5 c) the country of origin of a person that is a member of the statutory body of the customer, a representative of a legal person in this body and/or is in a position of similar status to a member of the statutory body, and of a person that is a person in the management structure of the customer pursuant to Article 11(4), second sentence, or who otherwise is able to exercise control in a customer that is a legal person, d) the country in which a customer that is a legal person subject to obligations pursuant to Article 24a or equivalent obligations pursuant to the legislation of another country has a branch or an establishment, e) in connection with a transaction, the country from which or to which the subject of the transaction was or should be transferred or provided, f) the ownership and management structure of a customer that is a legal person, g) the legal form of the customer, h) the business activity or the profession of the customer and its beneficial owner, i) the domicile or registered office of the customer, j) the behaviour of the customer or person representing him/her in the context of the transaction or business relationship, k) the characteristics of the products and services used, the nature of the transaction or business relationship, l) the characteristics of the distribution channel used and the participation of persons other than the customer in the transaction or business relationship, m) the origin of funds of the customer, n) the origin of assets of the customer and of its beneficial owner, o) information about a person that is a legal person and in which the customer has direct or indirect participation, or in which otherwise has the possibility to exercise control, p) the manner of performing the first identification of the customer, q) the manner of establishing and verifying of the ownership and management structure of a customer that is a legal person, r) negative information about a customer or about its beneficial owner obtained from the media or from other relevant sources of information. (3) Institution, in the case of a business relationship, shall regularly check the validity and completeness of the information about the customer and update the customer risk profile if appropriate. Institution shall, within its system of internal rules, implement and apply procedures for updating the customer risk profile and shall determine facts based on which updating will always be performed. Institution shall also determine the maximum periodic intervals for updating the customer risk profile depending on his/her risk profile. Institution shall record information about the assessment of the customer risk profile and its updating together with justification for the conclusions made, even if the conclusion is that it is not appropriate to make any changes. (4) If an institution uses an automated system to assess the level of risk of a customer, it must have the possibility to change the automatically generated assessment in justified cases. (5) In the case of provision of services connected with life insurance, institution, when assessing the risk of the relevant business relationship, shall always take into account information it has available about the beneficiary of life insurance.

6 (6) When determining customer risk profile within a business relationship, institution shall also take into account the risk connected with ongoing, executed and contemplated transactions within the business relationship. Customer due diligence Article 8 (1) Institution shall, within its system of internal rules, implement and apply towards the customer, depending on his/her risk profile, measures to ensure effective risk management, in particular so that the institution always has sufficient information to assess the risks connected with the customer, the transaction and the business relationship, and so that it can identify any potential suspicious transaction. (2) As part of the measures applied towards the customer pursuant to paragraph 1, institution shall implement and apply in particular procedures a) regarding the decision-making process on executing or rejecting a transaction, or on establishing a business relationship with a customer, or on terminating an already existing business relationship, b) regarding the performance of customer due diligence, in particular the scope and frequency of the measures taken. Article 9 (1) In the case of a risk profile with higher risk, an institution shall perform enhanced customer identification and due diligence to the extent and in a manner that ensures effective management of the identified risk. (2) Enhanced customer identification and due diligence comprises in particular of one or more of the following measures: a) enhanced monitoring of the business relationship and transactions within the business relationship, b) a wider range of required information about the customer, in particular information about its beneficial owner, the ownership and management structure of a customer that is a legal person, the nature of the business relationship, the executed transaction or the source of funds, c) prior approval of the establishment of a business relationship or the execution of a transaction within or outside a business relationship by at least one employee of the institution whose functional classification is a level higher than the functional classification of the employee or employees of the institution participating in the subject of business in question with the customer, alternatively the statutory body of the institution or persons authorised by it to manage the institution in the field of measures against the legitimisation of proceeds of crime and financing of terrorism, d) restrictions on access to some products and services that are, according to the assessment by the institution, connected with higher risk, e) a requirement that the first payment is made from an account held in the name of the customer at a credit institution or a foreign credit institution subject to obligations of customer identification and due diligence that are at least equivalent to the requirements of European Union law,

7 f) verification of information obtained from several trustworthy sources, or g) other corresponding measures further to the characteristics of the institution and its activities. (3) Institution shall always set a risk profile with higher risk for a customer in the event it identifies any of the following increased risk factors: a) any of the countries of origin of the customer, a person authorised to act on behalf of the customer with the institution, or any of the countries of origin of the beneficial owner of the customer, is a third country that has strategic deficiencies in combating the legitimisation of proceeds of crime and financing of terrorism pursuant to directly applicable legislation of the European Union7) or is designated as such as a high-risk jurisdiction subject to a call for action by the Financial Action Task Force (FATF) in a public statement published on its website, or should be deemed high-risk for another reason. b) the customer, a person authorised to act with the institution for the customer, the beneficial owner of the customer, persons in the ownership and management structure of a customer that is a legal person or, if these persons or the owner are known to the institution, the person with whom the customer performs the transaction, the person whom the customer controls, the natural person for whom the transaction is being executed or the beneficial owner of the person with whom the customer is performing the transaction, are included on the list of persons of the entities, bodies or organised groups against which restrictions or other measures are applied in accordance with other legislation implementing international sanctions8) , c) the customer and/or its beneficial owner are politically exposed persons, or it is known to the institution that they are acting to the benefit of a politically exposed person, d) the customer has an opaque ownership structure; an ownership structure is not opaque if the customer is a legal person whose securities have been accepted for trading on a European regulated market or foreign market similar to a European regulated market if subject to requirements for the publication of information equivalent to the requirements of European Union law, e) the customer is not the natural person for whom the transaction is being executed, f) a customer that is a legal person does not, if known to the institution, perform any economic activities g) suspicion that the beneficial owner of a customer that is a legal person is obscured as a result of an agreement between the beneficial owner and a person acting as a shareholder, a member of the statutory body or a person in a position of similar status to that of a member of the statutory body. (4) An institution shall always perform enhanced customer identification and due diligence if any of the following increased risk factors are identified: a) according to the information available to the institution, the subject of the transaction has been or should be, in connection with the transaction, transferred or provided from a third country that has strategic deficiencies in combating the legitimisation of proceeds of crime and financing of terrorism, pursuant to directly applicable legislation of the

7. E.g. Commission Delegated Regulation (EU) No 2016/1675 of 14 July 2016 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council by identifying high-risk third countries with strategic deficiencies, as amended.
8. E.g. Act No. 69/2006 Coll., on the implementation of international sanctions, as amended.

8 European Union7) or is designated as a high-risk jurisdiction subject to a call for action by the Financial Action Task Force or should be deemed high-risk for another reason, or the subject of the transaction has been or should be transferred or provided to such third country in connection with the transaction, or is otherwise related to such third country, b) any of the subjects of the business activity of a customer that it is a legal person is risky, c) it concerns an unusually complex or large transaction, an unusual method of conducting business, or a transaction whose economic and legal purpose is unclear, or unusual customer behaviour that is not consistent with the previous course of a business relationship, d) information available to the institution indicates that a customer has acted unlawfully in the past 5 years, where these unlawful activities could legitimise proceeds of crime and finance terrorism or where a concern about subsequent legitimisation of proceeds of crime or financing of terrorism is associated with these unlawful activities; in particular if such unlawful activities associated with a concern about legitimisation of proceeds of crime or financing of terrorism is included in the national risk assessment, e) the first identification of the customer was performed pursuant to Article 11(7) of the Act or in a similar manner in accordance with foreign law, unless the customer is using a product with potentially lower risk of abuse for legitimisation of proceeds of crime or financing of terrorism in accordance with risk assessment pursuant to Article 21a of the Act or is using a service with potentially lower risk of abuse for legitimisation of proceeds of crime or financing of terrorism in accordance with risk assessment pursuant to Article 21a. (5) Institution shall, within its system of internal rules, determine criteria for designating a transaction or method of conducting business or behaviour pursuant to paragraph 4(c). Institution shall also implement and apply rules and procedures to identify such transactions and methods of conducting business and behaviour. (6) In the event of identifying an increased risk factor pursuant to paragraph 4, institution shall apply at least enhanced customer identification and due diligence measures pursuant to paragraph 2(b), in particular it shall always examine the background and purpose of such transactions and methods of conducting business. Article 10 (1) Institution shall always and without undue delay verify the information it has available about a customer if it has doubts as to the veracity, completeness or accuracy of information obtained. (2) Institution shall, within its system of internal rules, implement and apply rules and procedures pursuant to which, when there is a change to legislation in the field of fight against legitimisation of proceeds of crime and financing of terrorism or related legislation, it shall verify whether the quantity and type of information it has available about its existing customers continues to meet the requirements of the new legislation, including rules and procedures for ensuring remedy, if necessary. Unless the legislation states otherwise, institution may, when determining the timeframe in which it shall perform such verification, take into account the customer risk profile. (3) Institution shall, within its system of internal rules, implement and apply procedures and rules to be followed in assessing whether carrying out due diligence or a part

9 thereof could frustrate or jeopardise an investigation of a suspicious transaction pursuant to Article 9b of the Act. These rules should include at least a procedure to determine the reason for not carrying out customer due diligence, an assessment thereof and a procedure for executing the transaction and reporting a suspicious transaction in such cases, including the essential elements of the report pursuant to Article 18(7) of the Act. In such cases, institution shall record the reasons for, and circumstances of, not carrying out due diligence or a part thereof. Article 11 (1) Institution shall perform customer due diligence to the extent and in manner sufficient to ensure it is fully capable of assessing, understanding, and managing the risks connected with such customer, transaction or business relationship. (2) Institution shall take all measures that can reasonably be required to establish all the countries of origin of a customer, the countries of origin of its beneficial owner, and the countries of origin of the person authorised to act on behalf of the customer. (3) In the case of a customer that is a legal person or a natural person - entrepreneur, institution shall obtain sufficient information about the business activity of the customer to understand the customer’s business activity. With regard to a customer that is a legal person or a natural person - entrepreneur, institution shall identify and shall take into account during its evaluation of customer´s risk all the business activities performed by the customer. (4) In order to understand the control structure of a customer that is a legal person, institution shall always establish at least all the persons who are members of the statutory body of the customer and/or are in a position similar to a member of the statutory body, and shall record this information. If a legal person is a member of the statutory body of a customer pursuant to the first sentence or is in a position similar to a member of its statutory body, institution shall also always establish all the persons who are members of the statutory body or are in a position similar to a member of the statutory body of this legal person. (5) In order to understand the control structure of a customer that is a legal person, institution shall establish the beneficial owner and assess the ownership structure. Article 12 International sanctions (1) Institution shall, within its system of internal rules, implement and apply rules and procedures to identify the increased risk factor pursuant to Article 9(3)(b). (2) Institution, within its system of internal rules, shall implement and apply rules and procedures for effective management of risk connected with the identification of the increased risk factor pursuant to paragraph 1. These rules and procedures shall include at least rules and procedures to meet obligations pursuant to the legislation implementing international sanctions. Article 13 Correspondent relationships (1) Institution shall ensure that, at the establishment of a correspondent relationship with a respondent institution pursuant to Article 25(1) of the Act, the obligations

10 and responsibilities of each institution connected with the correspondent relationship with regard to the application of measures against legitimisation of proceeds of crime and financing of terrorism are documented. (2) At the establishment of a correspondent relationship that allows the respondent institution’s customers to access the correspondent account, institution shall establish and during this relationship periodically verify at intervals determined pursuant to Article 7(3) that a) the respondent institution has identified and performed customer due diligence for all its customers who have access to the account of the respondent institution, and b) the respondent institution is able to provide to the institution upon request the information that it obtained during the identification and due diligence of its customers who have access to the account of the respondent institution. (3) Institution shall perform regular due diligence and potential updates of information about the respondent institution that it has available based on the obligations set out in Article 25(2) of the Act and in paragraphs 1 and 2. Article 14 Acceptance of identification and remote identification Institution shall, within its system of internal rules, implement and apply rules and procedures to establish whether, with regard to the identified risk, it is acceptable to accept identification pursuant to Article 11 of the Act. These rules and procedures shall contain measures ensuring appropriate management of the risks associated with allowing the use of a payment account with a foreign credit institution for performing remote identification pursuant to Article 11(7) of the Act and may comprise of other measures ensuring appropriate management of the risks associated with accepting identification. Article 15 Special provisions regarding institutions that are part of a group (1) Institution that is part of a group shall, within its system of internal rules, take into account the group strategies and procedures to prevent legitimisation of proceeds of crime and financing of terrorism which are in accordance with the law of the Czech Republic. The system of internal rules of an institution that is part of a group shall also take into account other factors connected with the participation of the institution in the group. Participation in a group and the characteristics of the group and its business activities must also be taken into account in the institution’s risk assessment. (2) Institution that is part of a group shall, within its system of internal rules, take into account also its own individual characteristics and the risks connected with them. It shall also take these individual characteristics into account in its risk assessment. If an institution is part of a group that operates also in a different country than the Czech Republic, the institution’s internal regulations shall also take into account the regulation and environment of the Czech Republic. (3) Institution that is part of a group shall take into account, a) as part of strategies and procedures for exchange of information within a group, at least information about reported suspicious transactions, the rejection of a transaction and the establishment of a business relationship with a customer or the termination of an already existing business relationship for a reason related to the risk of legitimisation of proceeds

11 of crime or financing of terrorism, and information affecting a customer risk profile, and b) information obtained from exchange of information within the group in the customer risk profile; in doing so, institution shall take into account the specific risks of the products and services it offers. Article 16 Personnel (1) Institution shall, within its system of internal rules, implement and apply rules and procedures to ensure that the institution’s human resources are proportionate to the nature, scale, and complexity of the activities it performs, and that they ensure the effective performance of obligations for prevention of legitimisation of proceeds of crime and financing of terrorism. (2) Institution shall, within its system of internal rules, establish the position of compliance officer for the area of prevention of legitimisation of proceeds of crime and financing of terrorism where appropriate with regard to the size and nature of its business. (3) The procedures and rules that ensure an institution has proportionate human resources in the extent of paragraph 1 and 2 shall include at least a) the determination of the range of employees and of persons who participate in the activities of the institution other than in a basic employment relationship participating in the institution’s system for prevention of legitimisation of proceeds of crime and financing of terrorism, including persons who may encounter suspicious transactions in the course of their work (“responsible employees”), b) the procedures and rules for selecting responsible employees, determining at least the requirements for knowledge and experience of the responsible employees appropriate to their job content and classification, c) the minimum frequency and method of training of the responsible employees pursuant to Article 23 of the Act, d) the procedures for selecting and authorising members of the statutory body pursuant to Article 22a of the Act and the scope of their obligations and powers in fulfilling the obligations laid down in the Act and this Decree; where this is justified by the scope and nature of an activity, institution shall ensure functional and effective separation of incompatible functions in the selection and authorisation procedures, e) the procedures, policies and rules for selecting the compliance officer for the area of prevention of legitimisation of proceeds of crime and financing of terrorism and a definition of his duties and powers. Article 17 (1) Institution shall ensure that the person who assesses possible suspicion of legitimisation of proceeds of crime and financing of terrorism a) has access to all information necessary to assess whether a transaction is suspicious, and b) has access to information contained in an information system of the institution enabling rapid and effective searching, monitoring and evaluation of the necessary information.

12 (2) Institution shall ensure automatic searching for information unless this is disproportionate to its size or scope or the nature of its business activity. Article 17a Time limit for investigation Institution shall establish in its internal regulations an adequate time limit for the investigation of any suspicion of legitimisation of proceeds of crime or financing of terrorism in order to be able to effectively perform obligations preventing legitimisation of proceeds of crime and financing of terrorism. Institutions shall calculate this time limit from the moment it obtains information about the execution of a transaction or customer behaviour giving rise to possible suspicion of legitimisation of proceeds of crime or financing of terrorism. Article 17b Technical equipment Institution shall define technical equipment in its internal regulations in the extent necessary for effective, adequate and timely compliance with the procedures laid down in the system of internal principles. Article 18 Reconstructibility (1) Institution shall ensure that the approval and decision-making processes and compliance activities within its system of internal rules, including their reasons, related responsibilities, powers, materials, and the evaluation of the report evaluating the activity of the institution in the field of prevention of legitimisation of proceeds of crime and financing of terrorism pursuant to Article 19 (“evaluation report”), including the process for customer identification and due diligence, assessing and determining the customer risk profile, the selection of appropriate measures used with regard to a customer, and assessments related to the submission of suspicious transaction reports, are reconstructible. (2) To comply with the requirement pursuant to paragraph 1, institution shall implement and apply a system to retain information in the extent set out in Article 16 of the Act, which shall also include information about findings and acts performed during customer identification and due diligence and the process of examining transactions, as well as the correspondence relating to transactions and business relationships, and information about the measures taken with respect to a customer based on his/her risk profile. Institution shall ensure reconstructibility of the preparation, assessment and updating of the customer risk profile in the information storage system. (3) Institution shall ensure reconstructibility pursuant to paragraph (1) by maintaining records in a manner that shall make it possible, where necessary, to establish the specific persons to whom the acts performed and findings made during customer identification and due diligence are related, who performed these acts and made the findings for the institution and with what result, on the basis of which documents and reasons, and when and by whom these documents or data were entered in the records maintained about a customer.

13 Evaluation report Article 19 (1) Institution shall, within the framework of its internal due diligence activities, at least once every 12 consecutive calendar months, prepare an evaluation report in which it shall evaluate the following facts: a) whether the procedures and measures that the institution applies in the field of prevention of legitimisation of proceeds of crime and financing of terrorism are sufficiently effective, b) whether deficiencies were identified in the system of internal rules of the institution, and which risks may arise for the institution as a result, c) what measures the institution has adopted to eliminate or mitigate the risks pursuant to letter b), and d) the findings of an internal audit, a statutory audit or other relevant verification, if such an audit or other verification were performed in the period in question, and the follow-up measures. (2) The conclusions and evaluations contained in the evaluation report must be duly substantiated. The evaluation report shall always be approved by at least the authorised person pursuant to Article 22a of the Act. If the institution has established the position of compliance officer for the area of prevention of legitimisation of proceeds of crime and financing of terrorism, this compliance officer shall prepare the evaluation report or shall at least make a statement on its completeness and correctness. If the institution has not established the position of compliance officer for the area of prevention of legitimisation of proceeds of crime and financing of terrorism, the contact person pursuant to Article 22 of the Act shall prepare the evaluation report or the evaluation report shall at least contain a statement from the contact person on its completeness and correctness. (3) Institution shall present in the evaluation report statistical data about suspicious transaction reports for the period for which it was prepared. Where appropriate, it shall break down these data according to the organisational arrangement or according to the business activities of the institution. Institution shall also include in the evaluation report an assessment of information about the use of reports submitted on suspicious transaction which it has received from the Financial Analytical Office. (4) If deficiencies are found in the field of prevention of legitimisation of proceeds from crime and financing of terrorism, institution shall present a proposal for their remedy in the evaluation report. Article 20 (1) Institution shall prepare the evaluation report at the latest by the end of the fourth calendar month following the end of the period for which it is prepared. (2) If an institution has a statutory body, this body shall discuss the evaluation report at the latest by the end of the fourth calendar month following the end of the period for which it is prepared, and shall make a statement on the deficiencies identified and the proposals contained in it. (3) If an institution has a supervisory board, a board of directors or a supervisory committee, such body shall also fulfil these obligations.

14 (4) In the case of a foreign institution that operates in the Czech Republic through a branch, organisational unit or establishment, the head of such branch, organisational unit or establishment shall fulfil these obligations. Article 21 (1) Institution shall retain the evaluation report together with the statements pursuant to Article 19(2) and Article 20 for at least 5 years following the end of the period for which it is prepared. Article 22 Repeal The following are repealed:

1. Decree No. 281/2008 Coll., on selected requirements for the system of internal rules, procedures and control measures against legitimisation of proceeds of crime and financing of terrorism.
2. Decree No. 129/2014 Coll., amending Decree No. 281/2008 Coll., on selected requirements for the system of internal rules, procedures and control measures against legitimisation of proceeds of crime and financing of terrorism. Article 23 Effect This Decree shall come into effect on 1 October 2018. Governor: Ing. Rusnok, duly signed Selected provisions of amendments Article II of Decree No. 235/2021 Coll. Transitional provision Institution shall update the risk profiles of its existing customers within a time limit which takes into account customer risk profiles. In relation to the risk factors specified in Article 9(3)(f) and (g), institution shall update the risk profiles of the existing customers within one year from the date of effect of this Decree.