Regulatory Bylaw No. 32: Due Care Controls Regarding Customers for Securities

Regulatory Bylaws of the Securities Regulatory Authority 2022

Based on Article 12, Paragraph 12 of the Temporary Securities Law No. (74) of 2004, and based on Article 26, Paragraph (Second) of the Anti-Money Laundering and Counter-Terrorist Financing Law No. (39) of 2015, we have issued the following Regulatory Bylaws:

Regulatory Bylaw No. (32) Due Care Controls Regarding Customers for Securities

Article (1) The following terms are intended to have the meanings indicated below for the purposes of these Bylaws:

First: The Law: The Anti-Money Laundering and Counter-Terrorist Financing Law No. (39) of 2015.

Second: The Office: The Anti-Money Laundering and Counter-Terrorist Financing Office.

Third: The Authority: The Iraqi Securities Regulatory Authority.

Fourth: The Securities Market: The securities market licensed by the Authority.

Fifth: Funds: Assets or property obtained by any means, whether national or foreign currency, securities, commercial instruments, deposits, current accounts, financial investments, bonds, instruments of any form, whether physical or digital, precious metals, gemstones, goods, and anything of financial value, whether real estate or movable, and the rights related to them, and any proceeds or profits from such funds, whether inside or outside Iraq. Any other type of funds determined by the Money Laundering Committee for the purposes of this Law by announcement in the Official Gazette.

Sixth: Terrorist Financing: Any act committed by any person who, by any means, collects or provides funds with the intent to use them, knowing that those funds will be used wholly or partially to execute a terrorist act or by a terrorist or terrorist organization, whether the crime has occurred or not, regardless of whether the act occurs in or is located in a state or terrorist organization.

Seventh: Beneficial Owner: The person who owns or exercises ultimate control over the customer or the legal person, or the person for whom the transaction is conducted on behalf of, or the person who exercises actual ultimate control over a legal person or legal arrangement.

Eighth: Customer: Any person who performs or engages in any of the following acts with any of the financial institutions licensed by the Authority: a. Arranging, opening, or executing a transaction, business relationship, or account for him. b. Signing a transaction or participating in a business relationship or account. c. Allocating or transferring an account, rights, or assets pursuant to a transaction. d. Authorizing a transaction or controlling a business relationship or account.

Ninth: Business Relationship: The financial institution or the non-financial professions and businesses and the customer with whom the relationship arises, which is expected to be of long duration.

Tenth: The Deposit Center: The Iraqi Deposit Center, which will be the central entity responsible for carrying out settlement and clearing for all transactions in securities.

Article (14) Reporting Officer: The head of the administrative body stipulated in the law, who is from senior management, for the purpose of reporting suspected operations related to money laundering and/or terrorist financing.

Eleventh: Immediately: Within hours, not exceeding one day.

Twelfth: High-Risk Senior Positions: These are persons entrusted with prominent public duties in the Republic of Iraq or a foreign state (such as heads of state or government, senior politicians, senior government officials, senior executives, senior judges, senior military officers, state-owned companies, and political party leaders), or those entrusted with prominent duties in an international organization such as senior management members and their deputies, board of directors members and equivalent bodies, or well-known individuals in a position that allows them to benefit to a large extent from the position, or persons working in positions closely linked to such persons, including immediate family members up to the second degree.

Article (2) Scope of Application: The provisions of these Bylaws apply to:

1. License holders licensed by the Authority and persons associated with them.
2. Securities markets licensed by the Authority.
3. The Deposit Center licensed by the Authority.
4. The Securities Association licensed by the Authority.

Article (3) Due Care Regarding Customers: The entities subject to the provisions of these Bylaws shall apply the following general rules regarding customers:

First: a. It is not permissible to deal with anonymous, digital, or pseudonymous accounts, or to maintain them or provide any services to them, and to take due care measures regarding the owners of these accounts or beneficiaries thereof at the earliest possible time before and during their use. b. Identifying the customer and the beneficial owner and verifying them using original documents and data or information verified from independent sources in accordance with the provisions stipulated in these Bylaws. c. Understanding the intended purpose and nature of the business relationship, and requesting additional information in this regard when necessary. d. Using automated systems to monitor the relationship with the customer continuously to identify their transaction patterns and detect any transactions inconsistent with this pattern or with the institution's information about its customer, their activity, and their risk file, including knowing the source of funds and the source of wealth of any customer classified as high-risk. e. Taking due care measures independently and not relying on a third party to take them.

Second: Cases: The entities subject to the provisions of these Bylaws shall implement due care measures in the cases stipulated in Paragraph (First) of Article (10) of the Law.

Third: Completing Due Care Measures Regarding Customers: If a financial institution is unable to fully comply with the due care measures stipulated in the Law or these Bylaws, it shall not commence a business relationship or execute a transaction or any operations, and shall terminate an existing relationship and report to the Office regarding the customer.

Fourth: Suspicion of Money Laundering: The completion of due care procedures may be suspended if the institution suspects money laundering or terrorist financing, if executing these procedures might alert the customer to the suspicious operation, in which case it must report immediately to the Office.

Fifth: Application of Due Care Measures Based on Relative Importance and Risk: Due care measures shall be applied to existing customer relationships prior to the implementation of the Law, and due care measures shall be taken for current business relationships, taking into account whether due care measures previously taken were obtained, when they were taken, and the adequacy of the data.

Sixth: It must be ensured that the customer is not included in local or international prohibited customer lists in accordance with the provisions of the Law before entering into a continuing relationship with them and before executing any transaction for a customer included in the prohibition lists who is not linked to them by a business relationship.

Seventh: Reliance on Identity Documents: Rely on identity documents to identify the customer, verify their validity, and keep a signed copy by the competent employee stating that it is a true copy. The institution shall verify the authenticity of documents or data provided to it by all possible means, including contacting the authorities that issued these documents or data.

Article (4) The entities subject to the provisions of these Bylaws shall do the following:

First: Conduct continuous monitoring of the existing relationship with the customer and examine transactions conducted through this relationship to verify that they are consistent with the knowledge of these Bylaws regarding the customer and the beneficial owner, their work or activity nature, and to evaluate the risks of money laundering or terrorist financing resulting from their relationship with them.

Second: Periodically review and update customer data, especially for high-risk customers or where there is doubt about the accuracy or suitability of previously obtained data.

Third: Exercise due care regarding customers who dealt with them prior to the date of issuance of these Bylaws, based on relative importance and risk, and take due care measures regarding their relationships with those customers at the following times: a. When executing trades on their accounts in large amounts. b. When realizing that sufficient information is not available about a customer. c. When there is a noticeable change in account management and the nature of transactions. d. When there is a noticeable change in the mechanism for documenting customer information.

Fourth: Record any amounts paid by the customer in cash if the total exceeds (15) million dinars or its equivalent in other currencies, or repeated or split payments of less than (15) million dinars by a small amount, in special records.

Fifth: Do not deal with anonymous persons, persons with fictitious or pseudonymous names, or with fictitious banks.

Article (5)

First: Procedures for Identifying Natural Persons and Their Activities: When dealing with natural persons, the following shall be observed: a. The full name of the customer, nationality, date and place of birth, passport number, and permanent address for non-Iraqis, and the purpose and nature of the business relationship, and any other information deemed necessary. b. In the case of dealing with persons lacking legal capacity, the entities subject to these Bylaws shall identify the persons subject to these Bylaws in such cases, according to the circumstances, regarding their legal capacity to obtain documents related to them and their representatives in accordance with Paragraph (a) of this clause. c. In the case where entities subject to these Bylaws deal with a person authorized by the customer, the necessary judicial powers of attorney to authorize this person must be obtained and kept, and the identity of the customer and the agent must be identified and verified in accordance with the identification procedures for customers stipulated in these Bylaws.

Second: Procedures for Identifying Legal Persons and Their Activities: When dealing with legal persons, the following shall be observed: a. Their name, legal form, registered address, type of activity practiced, capital, date and registration number with competent authorities, including the specific account number, and the purpose of the business relationship (b) below, and its nature, names of owners, names of authorized persons signing on their behalf, their addresses, and their ownership shares, such that the entities subject to these Bylaws are aware of the ownership structure and the regulations governing the legal person and the regulations governing the authority to make binding decisions for the legal person, and any other information deemed necessary to be obtained, provided that these Bylaws are updated until the date of its evaluation. b. Names and addresses of shareholders and partners whose share exceeds (5%) of the company's capital. c. Verification of the existence of the legal person and its legal entity through necessary documents and the information they contain, such as the founders' agreement certified by the company registration department, and in case the company is registered abroad, the necessity of obtaining an official certificate issued by a competent authority. d. Obtaining documents indicating the authorization of the legal person for persons representing it, the nature of their relationship with it, and identifying their identity and activity in accordance with the customer identification and activity procedures stipulated in Paragraph (First) of this Article, and preventing dealing with them by verifying the absence of legal impediments and obtaining samples of their signatures.

Third: Procedures for Identifying the Beneficial Owner: When identifying the beneficial owner, the following shall be observed: a. As a means of identifying or taking appropriate measures to verify the identity of the beneficial owner or information obtained from official documents and data, such that it generates conviction among the entities subject to these Bylaws that they are aware of the identity of the beneficial owner. b. Requesting the customer to submit a written declaration identifying the beneficial owner, which must include at least customer identification information. c. Obtaining information on the structure organizing the operation of the legal person, including ownership and controlling management.

Article (6)

First: The entities subject to the provisions of these Bylaws shall exercise special care in identifying the customer's identity and activity regarding the following: a. Large transactions and transactions that have no economic or legal purpose, and taking the necessary measures to ascertain the background of the circumstances surrounding these transactions and their purposes, and recording the results of that in their records. b. Transactions conducted with persons residing or belonging to countries that do not have appropriate systems for combating money laundering or terrorist financing, or if these countries do not apply international controls for combating money laundering or terrorist financing, or do not apply them adequately, including the recommendations issued by the Financial Action Task Force (FATF). c. In case of suspicion of a money laundering or terrorist financing operation, or in case of doubts regarding the accuracy or adequacy of previously obtained data to estimate the identity of customers or any operation that the entities subject to these Bylaws consider to pose a high risk for money laundering operations. d. Transactions that are not conducted face-to-face and are conducted through electronic means or tools, or through non-resident customers. e. High-Risk Senior Positions.

Second: The entities subject to the provisions of these Bylaws shall take enhanced due care measures for High-Risk Senior Positions as follows:

1. Taking reasonable measures to determine whether the customer or the beneficial owner is a High-Risk Senior Position.
2. Establishing risk management rules for High-Risk Senior Positions or those belonging to them, such that these rules include determining whether the beneficial owners are future beneficiaries.
3. Obtaining senior management approval when establishing a relationship with High-Risk Senior Positions and upon discovering one of the customers or beneficial owners in this category.
4. Taking adequate measures to verify the source of wealth of any customer or beneficial owner of High-Risk Senior Positions.
5. Close and continuous monitoring of transactions of High-Risk Senior Position customers with the financial institution.

Article (7)

First: The entities subject to the provisions of these Bylaws shall appoint a Reporting Officer and provide the Authority with the name of the Reporting Officer and their deputy, and a copy of the procedures they adopt to implement the provisions of the Law and these Bylaws, and they shall observe the following conditions: a. That they hold a high-level position. b. That they possess the necessary experience and competence. c. That they have appropriate scientific qualifications. d. That they have full legal capacity, and are of good conduct and reputation.

Second: Deputy to the Reporting Officer: The entities subject to the provisions of these Bylaws shall also appoint a deputy to the Reporting Officer in case of their absence, provided that the same conditions required for the Reporting Officer are met.

Third: Independence of the Reporting Officer: The Reporting Officer shall exercise their duties independently, ensuring the confidentiality of the information they handle, and they shall have access to the information, procedures, records, and data necessary to perform their duties.

Fourth: Reporting Procedures: a. The head and members of the Board of Directors, the Board of Directors, the General Manager, and all employees of the entities subject to these Regulatory Bylaws shall comply with these Bylaws and report to the Reporting Officer any operation suspected to be related to money laundering or terrorist financing. b. The Reporting Officer shall adhere to the provisions of the Law, regulations, bylaws, and decisions issued pursuant thereto, and report immediately to the Office regarding any operation suspected to be related to money laundering or terrorist financing, using the means or form approved by the Office, accompanied by all data and documents related to those operations and the reasons for suspicion. c. The entities subject to these Bylaws shall provide the Reporting Officer with everything that enables them to exercise their duties independently, ensuring the confidentiality of the information they handle, and they shall have access to the records, procedures, and data they establish, necessary for performing inspection, system review, and procedure review work, and the extent of compliance by the entity subject to combating money laundering and terrorist financing with what is required to complete any deficiencies or needs for updating and development or to increase its effectiveness and efficiency. d. It is prohibited to disclose, by any means, any of the reporting procedures or otherwise, any information suspected to be related to money laundering or terrorist financing, or any data related to the operations taken regarding those operations.

Article (8) The entities subject to the provisions of these Bylaws shall establish an appropriate internal system containing the policies, procedures, and internal controls required to combat money laundering and terrorist financing, such that the system includes the following: a. A clear policy for combating money laundering and terrorist financing approved by the Board of Directors or the Board of Directors, as appropriate. b. Detailed written procedures for combating money laundering and terrorist financing, specifying duties and responsibilities in accordance with the approved policy and the regulatory bylaws issued by the Securities Regulatory Authority on this matter. c. An appropriate mechanism to verify compliance with the system, policies, and procedures established for combating money laundering and terrorist financing. d. Conducting an assessment of the risks of money laundering and terrorist financing to which the institution is exposed, including identifying, evaluating, documenting, and understanding the institution's risks and taking effective measures to mitigate them, and making this assessment available to supervisory authorities. e. Allocating an independent and qualified staff within the internal audit department equipped with sufficient resources to test compliance with internal procedures, policies, and controls for combating money laundering and terrorist financing. f. Training programs for different levels of employees, and compliance with training courses approved by the Authority and/or the Office.

Article (9) The entities subject to the provisions of these Bylaws shall do the following: a. Retain records, documents, and files related to the transactions they conduct locally or internationally, containing sufficient data to identify these transactions, including identification records related to due care procedures regarding the identity of the customer and the beneficial owner, for a period of at least (5) years from the date of completing the transaction or terminating the customer relationship, as appropriate, and updating this data periodically. b. Prepare special files for operations suspected to be related to money laundering or terrorist financing, in which copies of reports, data, and documents for these operations are kept, for a period of not less than (5) years from the date of the report or the date of issuance of the decision of the competent court to close the case, whichever is longer. c. Information must be updated periodically and continuously or when doubts arise about it at any stage of dealing, and a comprehensive information system must be provided to preserve records and documents, enabling the answering of requests from the Office and competent official authorities within the specified time. d. The entities subject to the provisions of these Bylaws shall make all records and documents mentioned in Paragraph (a) of this Article and information related to the provisions of these Bylaws available to the Office and competent official authorities upon request.

Article (10) The entities subject to the provisions of these Bylaws shall do the following: a. Ensure that they have applied the provisions of the Law and these Bylaws and decisions issued pursuant thereto, and the adequacy of the policies and procedures related to that in their report to the auditor, with the necessity of informing the Authority immediately upon discovering any violation of these Bylaws. b. Provide the Authority with the auditor's opinion on the extent of application of the provisions of these Bylaws and decisions issued pursuant thereto, and the adequacy of the policies and procedures related to that, included in their annual report, accompanied by the final financial statements.

Article (11) In addition to the provisions of the Regulatory Bylaws issued based on the provisions of the Anti-Money Laundering and Counter-Terrorist Financing Law in effect on persons or entities exercising any of the activities subject to the supervision and licensing of the Authority, implementing the obligations contained in international decisions and resolutions of relevance, which are not notified to them by the Authority or competent authorities in this regard.

Article (12) It is prohibited for anyone who, by virtue of their position or work, or otherwise, becomes aware or has access to any information provided or exchanged in accordance with the Regulatory Bylaws issued pursuant to the Law and regulations, including these Bylaws, to disclose this information in any form.

Article (13) In case of violation by entities subject to the provisions of these Bylaws, they shall be subject to the penalties and procedures stipulated in the provisions of the Securities Law No. (74) of 2004 and/or the Anti-Money Laundering and Counter-Terrorist Financing Law in effect, whichever is more severe.

Article (14) The entities subject to the provisions of these Bylaws shall inform their employees of the following: a. Provisions of the Anti-Money Laundering and Counter-Terrorist Financing Law and the regulatory bylaws issued pursuant thereto. b. Guidelines for identifying patterns suspected to be money laundering or terrorist financing operations. c. Reporting procedures for operations suspected to be related to money laundering or terrorist financing.

Article (15) These Bylaws shall be implemented from the date of their approval by the Authority.