Industry Feedback on the Central Bank of Bahrain AML Module Consultation Paper

BY RULE INDUSTRY COMMENTS & FEEDBACK ON CONSULTATION PAPER FOR AML MODULE – RULE BY RULE AUGUST 2010 General Comments on AML Industry Comments CMS Comments CMS Recommendations/Action A Bank has the following answers to the 6 questions: Q1. Are the requirements clearly stated/workable? Believes that the requirements are clearly stated and would be workable if applied. Q2. Do respondents agree with the approach taken and the specific proposals? Agrees with the approach taken and all specific proposals. Q3. If not, how could these requirements be modified? N/A Q4. Is the guidance provided adequate? Believes the guidance provided is adequate. Q5. Is the implementation timetable proposed clear and workable? Do not have issues with the timetable implementation of the proposed requirements. Q6. Are there any other issues, not covered above, that you wish to comment on? No. Thanks the CBB for the opportunity to provide its opinion and is supportive of this initiative and believes it will be beneficial for CMSPs and the financial sector in Bahrain. Noted No change

2 General Comments on AML Continued Industry Comments CMS Comments CMS Recommendations/Action An Investment Firm has reviewed the Consultation Paper and does not have any specific comments. Below are the answers to the questions on page 5 of the Executive Summary: Q1. Are the requirements clearly stated/workable? Yes. Q2. Do respondents agree with the approach taken and the specific proposals? Yes. Q3. If not, how could these requirements be modified? N/A Q4. Is the guidance provided adequate? Yes. Q5. Is the implementation timetable proposed clear and workable? Yes. Q6. Are there any other issues, not covered above, that you wish to comment on? No. Noted No change An Insurance Company: Thanks CBB for providing an opportunity to represent its views and for taking the initiative to prescribe this policy for all CMSPs in Bahrain. Noted No change A Bank: Enclosed herewith is our responses on the consultation questions: Q1. Are the requirements clearly stated/workable? Yes. The requirements are largely at par with existing CBB requirements under the Financial Crime Module of Rulebook 1 for conventional banks. Rulebook 2 for Islamic banks and Ministerial Order 1/2004 with respect to money laundering at BSE, which AML Module would supersede once issued. Q2. Do respondents agree with the approach taken and the specific proposals? Yes, however we would like to raise some comments as elaborated under the response for Q3.

3 General Comments on AML Continued Industry Comments CMS Comments CMS Recommendations/Action A Bank Continued: Q3. If not, how should these requirements be modified? Largely, the requirements under the proposed Module are consistent with the existing requirements of FC Module and also in line with existing our AML policy and procedures. Therefore, the Bank is already compliant with the majority of the requirements under the current proposed Module. However, the Bank would like to raise the following comments on some of the proposed provisions/rules:

1. The AML requirements relevant to CBB licensees (conventional and Islamic) are already covered under FC Module of Rulebooks 1 & 2. Therefore, for this category of licensees the present AML Module provides duplication with some minor modified/ additional requirements. Therefore it should clearly specify the additional and separate requirements that should be followed by banks, whilst identifying the common requirements with FC Module provisions.
2. Licensees; i.e. us, would be under both Volumes 1 &
3. In this case do we have to file 2 separate sets of reports with the Compliance Unit – 1 for banking transactions and 1 for capital market transactions? CBB to provide clarity on this.
4. A separate policy and procedure for compliance with the requirements of this Module may not be stipulated if the bank or licensed institution already complies with comparable provisions of CBB as existing in the other volumes of the Rulebook. As mentioned by the Bank, this Module supersedes the AML Resolution No.1 of 2004 and therefore, the distinction between submitted notification and compliance with Volume 1 and the Resolution (new in this Module) will remain. No new overlap is created. Where transactions are governed under Volume 1, Module FC applies. Where transactions fall under Article 80 of the CBB Law (and therefore the definition of CMSP in this Module) Module AML applies. There will be separate requirements and notifications as they apply to different types of transactions. New policies and procedures in respect of securities transactions should be added to the existing policy of the bank if this had not already been done. No change

4 General Comments on AML Continued Industry Comments CMS Comments CMS Recommendations/Action A Bank Continued: 4. Feels that the present practice of annual audit to assess compliance with the requirements under FC Module is adequate for meeting the requirements under this Module. CBB should confirm if this arrangement of a single audit covering both Modules is acceptable. 5. According to AML-B.1.1 this Module is applicable to CMSPs and relevant persons. AML-B.3.3 defines the term „Persons‟ to include natural persons. A reading of the definition of CMSPs (Art. 80 of CBB Law) reveals that this term is not restricted to limited companies. CBB may wish to clarify whether this para is applicable only to CMSPs who are limited companies? CBB may also clarify the applicability of the „MLRO‟ chapter under AML-3.1.1 to „Persons‟. 6. The requirements pertaining to charity reporting and charity wire transfer transactions under AML-1.6.4 and AML-1.6.5 as well as the requirement under AML-1.7.3 for accounts held by intermediaries resident in Bahrain, where such funds are co￾mingled, would perhaps be more relevant to conventional and Islamic banks and may not be completely applicable to CMSPs. These provisions may be revisited. Q4. Is the guidance provided adequate? Yes, however some comments are raised under response for Q3 above and separately below. Q5. Is the implementation timetable clear and workable? Yes, however, a grace period of 6 months for full compliance with the requirements of this Module may be permitted. This should be acceptable, provided reference is made to both Modules. There are no restrictions to this section. The license of the CMSP will determine its compliance with AML-3.1.1 insofar as the CBB may be willing to exempt the licensee or the institution/person is an exempt, institution/person. Some CMSPs may be able to perform these types of transactions and therefore should be included in this Module. As the bulk of these requirements are in line with the 2004 Resolution, and in accordance with Volume 1, this should be the maximum time given (if any). No change

5 General Comments on AML Continued Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: Q6. Are there any other issues, not covered above, that you wish to comment on? No. Noted No change Another Bank: The requirements appear to be reasonable and we agree with the regulations proposed. However, as the following comments for the CBB to consider in particular listed below. Noted No change A Takaful Company: Feedback on the questions are as follows: Q1. Are the requirements clearly stated/workable? Yes, the document was well laid-out. Q2. Do respondents agree with the approach taken and the specific proposals? Yes, as CBB took a guided approach. Q3. If not, how could these requirements be modified? N/A. Q4. Is the guidance provided adequate? Yes, clear and descriptive. Q5. Is the implementation timetable proposed clear and workable? Yes. Q6. Are there any other issues, not covered above, that you wish to comment on? No. Noted No change Another Bank: Might it not be better to have a single (core) AML Module applicable to all Volumes, with the provisions applicable to that particular Rulebook contained in the form of a separate schedule for that particular Module? E.g. Definition of „PEP‟ in the proposed Module contains: (“i.e. spouse and children, including step-children or adopted children)”, which is currently absent from FC the Module. Such wording should be applicable for all Volumes. Having a core FC Module would avoid grey areas such as this. The Modules are as similar as possible considering they address different types of transactions. This Module is based on the core of Module FC in Volume 4. Isolated definitions will be reviewed. Rulebooks should remain specific to the licensed entity, but a review of definitions should be undertaken across the various Rulebooks.

6 General Comments on AML Continued Industry Comments CMS Comments CMS Recommendations/Action A Financial Institution: Has reviewed the document and has the following response to the questions: Q1. The requirements of the Module are clearly stated and are workable. Q2. Agree with the approach taken and the specific proposals with the exceptions as mentioned below. Q3. See comments for modifications below under separate rules/paragraphs. Q4. Feels that the guidance provided is adequate. Q5. Feels that the implementation timetable proposed is clear and workable. Q6. There are no other issues that require comments. Noted No change A Bank: Unless the CBB will restrict the definition of CMSP by excluding banking institutions which are bound by similar provisions in Module FC, the draft AML Module needs to be refined to take into consideration the factors listed below. Context: Notice that the Module has included comprehensive aspects in cases where a CMSP is offering or providing services either directly or indirectly. We recommend that the draft should also include rules that apply when a CMSP is participating or investing funds in the capital market, e.g. by buying bonds or sukuk. This could be by way of including an exclusive chapter for this purpose or by amending AML-1.8 to include this aspect. Extent of Application – While the Module explains that the Module is applicable to branches and subsidiaries and some activities, including the AML review, and should include that of the branches and subsidiaries, the CBB should limit the extent of such application to subsidiaries‟ undertaking activities set out in the schedule of the AML Law of 2001. The scope has been clearly defined. It is not clear what the Bank envisages for this new chapter. AML-B.1.4 clearly identifies the relationship between this Module and the 2001 Law and how this Module necessarily adds to and supplements the intention of that Law. No change No change No change

7 General Comments on AML Continued Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: For clarity, the Module should specify if the requirement to appoint an MLRO is satisfied should an MLRO have already been appointed and approved pursuant to other CBB Rulebooks. The same should apply to the remaining requirements under AML-3.3, AML-4.1, and AML-4.2. Further, it should explain whether a prior approval of the CBB is required for the appointment of a DMLRO. Whilst we appreciate CBB‟s effort to ensure the Kingdom will be ML&FT free and we work together to achieve this, it would facilitate the licensees‟ monitoring process if the CBB would share and circulate the list of PEPs including their names, IDs, position, ownership of stakes in any legal entity and possibly the names of their relatives to the necessary degree the CBB deems appropriate. Correct, but the CMSP must be audited on its compliance with this Rulebook Module and the MLRO must comply with the requirement of this Module. Whether or not a person is a PEP is determined by the institution. No change No change A Bank: Consultation Paper responses as follows: Q1. Are the requirements clearly stated/workable? Do not envisage any issues with the implementation of the proposed requirements as detailed in the Consultation Paper. These requirements are considered consistent with both existing practices and our Group standards. Q2. Do respondents agree with the approach taken and the specific proposals? Yes. Our Group‟s global policy is to comply with high standards of AML practice in all markets and jurisdictions in which it operates. This policy applies not only to money laundering, but also to terrorist financing. As a group, we will comply with both the specific provisions and the spirit of all relevant laws and regulations. Noted No change

8 General Comments on AML Continued Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: Q3. If not, how could these requirements be modified? N/A. Q4. Is the guidance provided adequate? Please see response to Q6 and below for clarification on particular points. Q5. Is the implementation timetable proposed clear and workable? The Bank in Bahrain is happy to participate in this consultation process within the timeframes provided. Q6. Are there any other issues, not covered above, that you wish to comment on? Yes – see below Scope of Module – Within Bahrain, our Securities Services is a global business line servicing principally, financial institutional clients. Its main products are global, regional, domestic, sub-custody and clearing; traditional and alternative investment, administration, institutional fiduciary services (e.g. trustee, depository, etc.); transfer agency services. Is it correct to understand that the AML Module applies to all capital markets businesses, including our Securities Services and as a result, the FC Module applies to all business lines quoted above? KYC/CDD Responsibilities – Clarification is sought as to how the CBB views and/or recognizes the differences in the role of global/sub-custodian against fund administrator/fund manager, as they relate to responsibilities surrounding KYC/CDD. Noted The services mentioned as part of HSS will be subject to this Module. The Bank‟s banking business will be subject to Module FC in Volume 1. The obligations on fund managers and custodians are the same to the extent that they perform a service covered by this Module. No comment No change No change

9 General Comments on AML (Continued) Industry Comments CMS Comments CMS Recommendations/Action A Bank: notes that the requirements of the Module are addressed by the Bank through the FC Module. For the purpose of clarity and to avoid duplication in processes; i.e. appointment of MLRO and DMLRO and the preparation, audit and submissions of annual reports, suggest the Module clarifies that entities licensed under Volume 1 are exempt from the requirements of this Module, as they are similar to the requirements in the FC Module. Further, noticed the following inconsistencies between the FC Module and the AML Module. Kindly request the CBB to review and amend these to be consistent with Volume 1. Q1. Are the requirements clearly stated/workable? Yes. Q2. Do respondent agree with the approach taken and the specific proposals? Yes, except for some exclusion mentioned in our cover letter. Q3. If not, how could these requirements be modified? Refer to our cover letter. Q4. Is the guidance provided adequate? Yes. Q5. Is the implementation timetable proposed clear and workable? Yes. Q6. Are there any other issues, not covered above, that you wish to comment on? No. There is no overlap with Volume 1 and the general requirements are the same. Module FC does not cover securities transactions and therefore, to the extent that the Bank is involved in these transactions, this Module is applicable. No change

10 General Comments on AML (Continued) Industry Comments CMS Comments CMS Recommendations/Action An Institution: Response to the questions as follows: Q1. Are the requirements clearly stated/workable? Yes. Q2. Do respondent agree with the approach taken and the specific proposals? Yes, however, we have some comments in respective areas. Q3. If not, how could these requirements be modified? These requirements can be modified by taking into consideration our comments that will be addressed below. Q4. Is the guidance provided adequate? The requirements of the Module helps the CMSPs to implement the 40 Recommendations on money laundering and 9 Special Recommendations on terrorist financing issued by the FATF relevant to CMSPs, as well as the IOSCO guidance. Also, other website references provided with regards to AML/CFT were helpful. Q5. Is the implementation timetable proposed clear and workable? The implementation timetable was not mentioned in the Module. Q6. Are there any other issues, not covered above, that you wish to comment on? Please find below our comments regarding other issues. The CBB reporting forms on the Suspicious Transaction Reporting (Part B of Volume 6) were not attached in the appendices for our comments. The AML Module did not cover Off Market Transactions “Exceptional Cases”. The AML Module sometimes refers to „Customers‟ and sometimes to „Clients‟, hence for the sake of consistency, it is recommended to use „Customers‟ only. Noted These will be sent to you. This is covered as Off Market Transactions are still performed through an SRO (e.g. clearing house/depository). This will be reviewed. No change Send to the Institution No change Change all „clients‟ to „customers‟.

11 General Comments on AML (Continued) Industry Comments CMS Comments CMS Recommendations/Action A Bank: Response to the questions as follows: Q1. Are the requirements clearly stated/workable? Yes they are. Q2. Do respondent agree with the approach taken and the specific proposals? Yes.. Q3. If not, how could these requirements be modified? N/A. Q4. Is the guidance provided adequate? Yes it is. Q5. Is the implementation timetable proposed clear and workable? SC already has implemented the AML/CFT policy and procedures as detailed in the attached consultation paper. Q6. Are there any other issues, not covered above, that you wish to comment on? No. Noted No change AML-A.3 – Interaction with Other Modules Industry Comments CMS Comments CMS Recommendations/Action An Insurance Company stated that interaction with other Modules of Volume 6 is provided in the Consultation Paper. However, reference to interaction with other Modules is not provided; e.g. FC Module of Volume 3 is applicable to insurance licensees. It is not clear as to which Module (this or FC Module) is more applicable to listed insurance/reinsurance companies. Therefore, specific reference to other Rulebook Modules may be inserted in the AML Module. Interaction with other Modules is contained in AML-A.3 which works together with the Scope of Application in AML-B.1. This Insurance Company is unlikely to fall within the definition of CMSP and this Module will therefore only be applicable should this Company perform a transaction in securities covered by this Module. No change A Bank: AML-A.3.1 requires all CMSPs to comply, inter alia, with all other applicable laws, rules and regulations (see AML-B.1.1 below). Noted No change

12 AML-B.1.1 – Scope of Application Industry Comments CMS Comments CMS Recommendations/Action A Bank: This Module is stated to be applicable to all CMSPs as defined in AML-B.3.1 including any financial institution. Therefore, an Islamic bank licensee is also a CMSP. This AML Module is significantly different from FC Module in Volume 2. It is not clear whether an Islamic bank licensee would have to comply with both Module AML and Module FC in Volume 2, or just with one of them (if so, which one?) It would have to comply with this Module if they were performing an activity under Article 80 of the CBB Law(copied in AML-B.3.1), failing which Module FC in volume 2 would apply. No change A Bank: It should be made clear how and to what extent (if any) this AML Module under Volume 6 applies to CBB licensees already governed by the FC Module on the same AML topic. See answer above and reply to the Bank under „General Comments‟. No change An Institution: In AML-B.1.1 – add „lawyers‟ after “…professional advisors, listing agents, auditors, …” in 5 th line from the bottom of the paragraph. Also add new sentence: “These rules are also applicable to companies which provide services related to online trading in securities.” Before the last sentence: “These rules are issued by way of a legally binding Directive” Remarks i) Lawyers may act as representatives who can act on behalf of individuals/companies; and ii) Given the advent of the internet, online trading has gained prominence and a sizable portion of trading activities are now performed online. AML-B.1.2: The primary responsibility of implementation of this Module in letter and spirit is of the BOD of the CMSPs. Where there is no board due to the legal structure of any CMSPs in Bahrain the responsibility of implementation of this Module lies with the appropriate senior management. In accordance with good corporate governance, the BOD should be responsible for the implementation of this Module. „Professional advisers‟ cover lawyers. Online banking is covered in the general ambit of Article 80 of the CBB Law. Noted No change No change

13 AML-B.1.1– Scope of Application (Continued) Industry Comments CMS Comments CMS Recommendations/Action A Bank: (AML-B.1.1 and cross ref. with AML-A.1.3) The Module should specify whether the Module is applicable to CBB licensees which are subjected to CBB Rulebook Volumes 1 & 2 respectively:  If the answer is negative, the Module should explain that;  If the answer is positive, the Module should address the possibility of discrepancy or conflict (including cases involving future amendment) and explain the appropriate measures that will apply in such situation (e.g. whether this Module or the Module in the respective Rulebook should prevail, or should the relevant entity apply the higher or lower requirements or should this matter be left to such institutions‟ discretion, or whether the Rulebook will address this possibility on a case-by-case basis). See earlier comments where a transaction or service falls under this Module, this Module applies. No change AML-B.2 – Overseas Subsidiaries and Branches Industry Comments CMS Comments CMS Recommendations/Action Citibank: AML-B.2.2 & AML-B.2.3 - .The concern highlighted by the CBB is very valid and appreciated. While we agree that all instances where AML standards applicable in a foreign jurisdiction are less stringent than CBB requirements should warrant a notification to the CBB, would appreciate a clarification on whether such notification would still be necessary in cases where the standards in a foreign jurisdiction are „higher‟ than the requirements outlined by the CBB, especially when all local CBB requirements will be met and additional requirements are also warranted either as part of a jurisdiction specific requirement, or a FI specific policy.

14 AML-B.2 – Overseas Subsidiaries and Branches (Continued) Industry Comments CMS Comments CMS Recommendations/Action Citibank (Continued): The reason for raising this query is because of the reference to the words „or higher‟ in the draft proposal. Would appreciate a clarification on the context and the reason for including the word „higher‟ in the proposed section of the Module. CBB have stated that the requirement in the Module will apply to CMSPs and “to all their branches and subsidiaries operating both in the Kingdom of Bahrain and in foreign jurisdictions”. Please clarify whether: i) Such requirements will also apply to all subsidiaries of foreign banks‟ branches licensed by CBB; or ii) Such requirements are only applicable to subsidiaries and branches involved in the service being provided by the CMSP licensed by the CBB. Whether or not the foreign regulations are „higher‟ is up to the institution. Only those institutions involved in the provision of the service is covered. Note that not all CMSPs are necessarily licensed by the CBB. No change AML-B.3 – Definitions Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-B.3.1 - Contrast this with the definition in the recently-released DRA Module. The Glossary for Volume 6 doesn‟t contain a definition of CMSP, but probably should to avoid the need to keep redefining it in individual Modules. AML-B.3.4 – Delete, as „Politically Exposed Person‟ is defined in AML-1.5.4. AML-B.3.6 – Within the definition, the word „Securities‟ should be in lower case and not underlined (as a defined term cannot be used in the definition itself) – see Module DRA. The glossary will contain CMSP (and all other definitions from Volume 6 Modules). This definition should remain as people look to the definition section for such information. Noted, this will be looked at throughout Volume 6. No change No change Review definition for updates. Another Bank: „SRO‟ – This term does not appear to have been defined in the Module – see later comment on AML-4.3. SRO definition will be included. Include definition of SRO.

15 AML-B.3 – Definitions (Continued) Industry Comments CMS Comments CMS Recommendations/Action An Institution: AML-B.3 – Add to Definitions: “Money Laundering” as defined in Decree Law No. 4 of 2001 and Decree Law 54 of 2006 with respect to the Prevention and Prohibition of the Laundering of Money” issued by CBB; and “Terrorism Acts” as defined in Decree Law No. 58 of 2006 with respect to the Protection of Society from Terrorism Activities” issued by CBB. Agreed. Included. Include in definitions. A Bank: AML-B.3.4 “PEPs” – Amend the definition of PEPs. See the Bank‟s comments under AML-1.5.4. AML-B.3.7 “Suspicious or Extraordinary Transactions” – as it is the CMSP that has to undertake the CDD, it is only proper that the subjective test should be that of the CMSP and not of the CBB. Thus, the reference to “CBB” on line 5 should be replaced by „CMSP‟. Reviewed under AML-1.5.4 Agreed. Amended. No change Replace CBB with CMSP. An Institution: AML-B.3.1 – CMSP as defined in the AML Module refers to entities specified in Article 80 of the CBB Law. However, we do not fall under Article 80. Although the scope of application of AML-B.1.1 refers to licensed exchanges in addition to CMSPs, all of the requirements and obligations of the AML Module are only addressed to CMSPs. AML-B.3.4 – The abbreviation MPs, what does it stand for? The Institution does fall within Article 80 and Module MAE requires the Institution compliance with AML Module. Member of Parliament. No change No change

16 AML-1.1 – General Requirements – Verification of Identity and Source of Funds Industry Comments CMS Comments CMS Recommendations/Action An Institution: Recommends that CMSPs must implement the customer due diligence measures outlined in AML-1 when carrying out one-off or occasional transactions above BD6,000 (or equivalent in foreign currencies), or where several smaller transactions that appear to be linked fall above this threshold. This change is recommended to be made throughout the document. This is already included in AML-1.1.2(a). No change AML-1.1.1 & 1.1.2 – General Requirements – Verification of Identity and Source of Funds Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-1.1.1 (cross ref. FC-1.1 etc.) – Whether there has to be separate internal procedures to specifically regulate the licensees‟ activities in and related to the capital market, or whether the one that the licensee has adopted, pursuant to its respective CBB Rulebook will suffice. In case of the latter, the Module should specify the proper approach in case of discrepancy and/or conflict. AML-1.1.2(a) – It is required under this regulation to implement the customer due diligence measures if the occasional small transaction exceeds BD6,000. However, the timeframe in which the sum of the small transaction exceeds the threshold is not defined. See earlier comments. This depends on the judgment of the CMSP as to whether these transactions are linked. No change No change

17 AML-1.1.1 & 1.1.2 – General Requirements – Verification of Identity and Source of Funds (Continued) Industry Comments CMS Comments CMS Recommendations/Action Citibank: Requirements in this Module are similar to those in FC Module (FC-2.2.1 – FC-2.2.3) and we follow a process of ongoing transaction monitoring activity to ensure that the customers‟ activities are in line with the expected transaction profile for our customers. Given that all retail customers could generally fall in this category, believe the provisions in the FC Module of the CBB Rulebook which generally covers the AML risks associated with such scenarios should adequately address this requirement. Believe that our existing process will address the above proposed draft requirements. Would like to seek confirmation on whether due diligence and AML monitoring procedures outlined in the FC Module (which is followed for retail customers in general), will be an acceptable process (to fulfill requirements of this proposed section), or whether there is a specific need to additionally monitor all investment transactions exceeding BD6,000. See comments under AML-2.2. No change

18 AML-1.1.6 – General Requirements – Verification of Third Parties Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-1.1.6 requires that the CMSP must obtain a signed statement from the third party confirming he/she has given authority to the customer to act on their behalf. Could this statement be a Power of Attorney certified by a Ministry, or must it be in an Authorization Form developed by the CMSP for such purpose? If the POA is accepted: a) Should it be accepted for certain cases like customer disability? b) Where other documents must be requested by the CMSP from the third party to validate and verify his status, should it be new or not older than a specified timeframe (i.e. 1 year)? c) Does the CMSP carry any liability to verify the validity of the POA? There is no set form. The CMSP must verify the details on the document, view the original and retain a certified copy. No change AML-1.1.10 – General Requirements – Timing of Verification Industry Comments CMS Comments CMS Recommendations/Action A Bank: “However, verification may be completed after receipt of funds in the case of non face-to-face business …. No disbursement of funds takes place”. The regulation should be clear if actual participation of the fund in the investment or providing certain financial services are not allowed before full submission of the CDD, or only disbursement of the fund by the customer is not allowed. It is clear that for non face-to-face business the CMSP may accept cash, but not dispense it until the CDD is complete. No change

19 AML-1.1.11. – General Requirements – Incomplete Customer Due Diligence Industry Comments CMS Comments CMS Recommendations/Action A Bank: In case the CMSP decides to process to avoid tipping off, the CMSP „must‟ and not merely „should consider‟ filing an STR. This approach should be adopted to avoid abuse of the system, otherwise, the second limb of this provision (an option to proceed to avoid tipping off) should be removed altogether. This will not always result in a suspicious transaction and therefore will not always proceed so as to avoid tipping off. No change AML-1.1.13. – General Requirements – Existing Customers Industry Comments CMS Comments CMS Recommendations/Action A Bank: Is this provision, for which there is no equivalent in Module FC, really necessary given AML￾2.2.11? Agreed. This clause to be deleted. Delete this clause. AML-1.2 – General Requirements – Face-to-Face Business Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-1.2.1(m) – What is meant by „Source of Securities‟? AML-1.2.3(b) – Refer to official identification (not documentation) card. AML-1.2.7(c) – Delete word „status‟ at the end. AML-1.2.7(l) - Unclear what is required here – doesn‟t AML-1.2.8(h) cover this? AML-1.2.8(d) – Module FC specifies certification is not necessary for companies listed in a GCC/FATF state. AML-1.2.8(h) – This is already covered in (f). Where (exchange – account with, etc.) and from when (account holder). Agreed. Amended. Should be preceded by „and‟. Disagree, necessary where transactions involve trustees/SPVs, etc. It is required in Module FC of Volume 4. No change Amend to „identification‟. Include „and‟ before „status‟. No change

20 AML-1.2 – General Requirements – Face-to-Face Business (Continued) Industry Comments CMS Comments CMS Recommendations/Action An Institution: In AML-1.2.13 the reference “(see section AML-1.6 for applicable measures)” should be changed to … see section AML-1.7 for applicable measures. Add a new paragraph AML-1.2.14: The CMSPs must also risk rate their customer at the time of starting a relationship. Moreover, a periodic review of the assigned risk rating of a client should be done during the tenure of relationship with the client. Depending upon the risk a customer may pose to a CMSP a client may be given a “High Risk” or “Low Risk” rating. Such a rating mechanism allows the CMSPs to deploy more attention to the clients who are “High Risk”. Additionally, it is also recommended that parameters be set to define “High Risk” and “Low Risk” clients. Agreed. Amended. To be discussed internally – RPC. No change No change A Bank: AML-1.2.4 – To insert “name” after placing a comma after the word “date” before the expression “and his signature”. Agreed. Amended. Insert „name‟. Another Bank: AML-1.2.1 - Will appreciate that we would have customers who are non-resident in Bahrain (e.g. other GCC nationals) for whom investment products are offered. Would appreciate CBB‟s views on what kind of residential address proof may be allowed/acceptable in respect of such non-resident customers in countries like Saudi Arabia, where physical addresses are not commonly verifiable through independent documents. Can we expect further guidance notes in this regard and/or to address any other similar concerns? CBB to discuss (RPC) No change - discuss at RPC.

21 AML-1.2 – General Requirements – Face-to-Face Business (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank (Continued): AML-1.2.5 – Would like to request the CBB to consider whether the above list can include another bank official in the non-resident customer‟s jurisdiction, e.g. an official from a bank where the customer maintains an account in the other country and a proof of the same has been provided by the customer/prospect. Noted. No change – discuss at RPC. A Financial Institution: AML-1.2.3(b) – use of tenancy agreement as a means of verification of address is open to abuse unless the tenancy agreement is notarized or somehow verified by the municipality. AML-1.2.7(l) – Suggest to add “Directors” after “such as” and replace “or” with “of” before trusts. AML-1.2.8(e) – Suggest audited accounts as mandatory by deleting “where possible”, as unaudited accounts are not reliable. Accounts are important documents that are used to ascertain the source of funds/income by knowing whether the amount transacted falls within the financial means of the customer. AML-1.2.8(h) – Feels that clause (f) makes this clause redundant. Agree. Deleted. Disagree. This clause is specific to trusts. Not possible to require audited accounts from all institutions. Agreed. (h) has been deleted. Delete reference to „tenancy agreement‟. Delete AML-1.2.8(h). A Bank: Certification of Documentation (AML-1.2 & AML-1.10) – Can you confirm that in relation to certification of documentation, where SDD is not applied, can an internal certification from a CBB regulated FI suffice; i.e. in-house professional legal employee. See AML-1.2.4 for internal certification. No change A Bank: AML-1.2.13 – It is recommended to elaborate to include all possible similar cases wherein the CMSP will not be responsible for receiving investor‟s funds, where the administrator or custodian of the funds takes such responsibility; e.g. where the CMSP will purchase Sukuk on the primary or secondary market, where the Not necessary to extend this as they will either be covered by definition of Article 80 of the CBB Law, or will not be regarded as dealing with customers (as per the Sukuk example). No change

22 obligors‟ CDD documents are maintained with the custodian. AML-1.2 – General Requirements – Face-to-Face Business (Continued) Industry Comments CMS Comments CMS Recommendations/Action An Institution: In AML-1.2.1 it refers to the „Electronic Forms‟ – does this part allow a licensed exchange to accept opening securities accounts with electronic forms (i.e. PDF)? Since the CPR as an ID has been cancelled by the authorities in Bahrain, it is recommended in rule AML￾1.2.1(f) to use the word „valid identity (ID) and valid passport copy‟, which can generally be used for Bahrainis, resident and non-resident. In rule AML-1.2.3 it refers to paragraph (FC-1.2.1), it is supposed to be change to rule AML-1.2.1(a) to (f) in order to be in line with the rest of the Module. This may be determined by the SRO so long as the objective of the Module can be achieved. No change AML-1.3.2 – General Requirements – Enhanced Customer Due Diligence: General Requirements Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-1.3.2.(b) –In our opinion considering a “personal preference” as one of the methods for obtaining additional information for the customers on which enhanced due diligence should apply, doesn‟t carry any strength. As there are additional enquiries, the strength of these documents can be determined by the CMSP. No change

23 AML-1.5 – General Requirements – Enhanced Customer Due Diligence: Politically Exposed Persons (PEPs) Industry Comments CMS Comments CMS Recommendations/Action An Institution: Add at the end of AML-1.5.3: “(f) Obtain information about the direct family members or associates who have the power to conduct transactions on the account.” As per MENA/FATF recommendations given in “Politically Exposed Persons (PEPs) in relation to AML/CFT issued on 11 November 2008. Add new paragraph AML-1.5.5: “Not removing the names of any of those persons listed under the category of political figures by the CMSPs, when they leave their positions, and keeping them on the lists for an appropriate period depending on the length of staying in their positions, but by all means this period shall not be less than 6 months. The removal of the name of the person shall be done after approval from senior management of the CMSPs”. As per MENA/FATF recommendation given in “Politically Exposed Persons (PEPs) in relation to AML/CFT issued on 11 November 2008. This would already be covered under AML-1.2.8. Not necessary. No change No change

24 AML-1.5.4 – General Requirements – Enhanced Customer Due Diligence: Politically Exposed Persons (PEPs) (Continued) Industry Comments CMS Comments CMS Recommendations/Action A Bank: (Cross-ref. with FC-1.5.4 and AML-B.3.4) – The definition of Bahraini PEPs (in both Modules) should include people holding position(s) equivalent to Ministers or Under-secretaries in government entities/ authorities/ institutions (other than ministries), e.g. the CEO and Directors of EGA, EDB, LMRA, BAC, CBB, etc., unless their exclusion has been intentional. It should also clearly mention if HM The King, HH The Prime Minister, HH The Crown Prince and Royal Family should be considered as PEPs or not, as per international definition. If definition includes the Royal Family, then to which degree? It should also clearly mention if the relatives of Ministers, MPs and Ministry officials with the rank of Under-secretary and above should be classified and monitored as PEPs. This is the same definition as in Volume 4. Definition will be reviewed for consistency across all Rulebooks. No change. Review consistency of „PEP‟ across all Rulebooks. AN INSTITUTION: The definition of PEPs is identified already in section B. AML-1.6 – General Requirements – Enhanced Customer Due Diligence: Charities, Clubs and Other Societies Industry Comments CMS Comments CMS Recommendations/Action An Institution: Change to the end of AML-1.6.5: “… remittance of the funds has been obtained by the concerned bank” to “…. remittance of the funds has been obtained by the concerned Capital Market Service Provider”. Agreed. Amended. Replace „bank‟ with „CMSP‟.

25 AML-1.7 – General Requirements – Enhanced Due Diligence “Pooled Funds” Industry Comments CMS Comments CMS Recommendations/Action A Financial Institution: AML-1.7.1 – Since professional intermediaries (i.e. investment and pension fund managers and stock brokers and authorized money transferors) are regulated persons, suggest that the provision of this article be amended as follows: “In case where a Capital Market Service Provider receives pooled funds managed by professional intermediaries that are registered or licensed in GCC or FATF compliance jurisdiction, it may limit its CDD to confirming that the professional intermediary is subject to FATF-equivalent customer due diligence measures”. Because lawyers are not subject to such stringent regulatory requirements, the provisions of AML-1.7.2 and AML-1.7.3 should apply to them as it is. Disagree, as this is not asking the CMSP not to perform CDD on the customers, but only on the introducer, as per AML-1.8. No change A Bank: (See also AML-1.7.2 & AML-1.7.3) – While AML-1.7.4 refers expressly to a situation involving foreign intermediaries, it is not clear whether this should be the case generally, or merely when the funds are co￾mingled (due to the wording of AML-1.7.2 & 1.7.3). Recommend that the Module should make it clear that AML-1.7.2 & 1.7.3 are applicable where the intermediaries are resident in Bahrain, while AML-1.7.4 is applied where the intermediaries are resident outside Bahrain, regardless of whether the funds are co-mingled or otherwise. CBB may want to consider rephrasing these as per our suggestion for clarity purposes. Requirements in AML-1.7.2 & 1.7.3 are quite onerous. While identification may be necessary, CBB should allow CMSPs to act on documentary evidence related to the beneficiaries‟ identity as provided by the intermediaries, This should not apply in cases where simplified CDD Reference to „Bahrain‟ in AML-1.7.3 will be deleted. Delete reference to „resident in Bahrain‟ in AML-1.7.3.

26 may be applied pursuant to AML-1.10.1 (see the Bank‟s comments below). AML-1.7 – General Requirements – Enhanced Due Diligence “Pooled Funds” (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: AML-1.73 & 1.7.4 – To avoid ambiguity, CBB may want to consider providing some guidance on what would constitute “reasonable effort” and “documentary evidence” respectively. This is to be determined by the CMSP based on meeting the objectives of this Module. No change Another Bank: The first sentence of this section (identical to FC-1.7.3 of Volume 1) stipulates that for accounts held for intermediaries resident in Bahrain, where such funds are co-mingled, the CMSP must make a reasonable effort to look beyond the intermediary and determine the identity of the beneficial owners or underlying clients. However, the second sentence of FC￾1.73 is missing in AML-1.7.3, which reads as follows: “Where, however, the intermediary is subject to equivalent regulatory and money laundering regulation and procedures (and, in particular, is subject to the same due diligence standards in respect of its client base) the CBB will not insist upon all beneficial owners being identified provided the bank has undertaken reasonable measures to determine that the intermediary has engaged in a sound customer due diligence process, consistent with the requirements in Section AML-1.8.” We are of the view that this very important provision should be included (with an appropriate equivalent reference to the requirements of FC-1.8, which are different from the ones of AML-1.8). If the intermediary is subject to CBB AML/CFT rules and has already fulfilled all the KYC requirements in accordance with such rules, there is no reasonable justification to require that the KYC be done a second time by the CMSP. This would be costly and time-consuming duplication of efforts. Would therefore respectfully request the wording Agreed. Included. Include proposed text.

27 be similar to the one in FC-1.7.3 (but with a minor amendment to replace the reference to FC-1.8.). AML-1.7.4 & AML-1.7.5 – General Requirements – Enhanced Due Diligence “Pooled Funds” (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: AML-1.7.5 – CBB should differentiate cases where the intermediaries failed or refuse to provide the required information for baseless or no reason with cases where the disclosure is prevented due to legally binding constraints. CBB should consider other alternatives in cases involving the latter, e.g. by the intermediaries submitting a written undertaking that similar standards of CDD have been undertaken by them or a written confirmation that they are subjected to similar requirements within their jurisdiction, but are not able to disclose the information on beneficial owners for a specific legally acceptable reason. To avoid ambiguity and for clarity, the Module should specify in this section that the requirements in AML-1.7 do not apply where the intermediaries are those that fall within the provisions of AML-1.10.1(c) to (g). This will form part of obtaining the permission of the CBB. This is clear from AML-1.10.1. No change No change An Institution: Change the word “bank” at the beginning of the second and third sentence to “Capital Market Service Provider”. Agreed. Amended. Replace „bank‟ with „CMSP‟.

28 AML-1.8.2 – General Requirements – Introduced Business from Professional Intermediaries Industry Comments CMS Comments CMS Recommendations/Action An Institution: Change AML-1.8.2(c) to read as follows: “The introducer is able to provide all relevant data pertaining to the identity of the customer and beneficial owner of the funds, sources of funds of the introduced customer and, where applicable, the party/parties on whose behalf the customer is acting; also, the introducer has confirmed that the Capital Market Service Provider will be allowed to verify the customer due diligence measures and measures to identify sources of the introduced customer undertaken by the introducer at any stage; and” And in AML-1.8.2(d) add the words: “/sources of funds” to “….40+9 Recommendations have been followed and the customer‟s identity/sources of funds established and verified.” It is important to identify the „sources of funds‟ to better determine the possibility of money laundering or terrorist financing. This is not necessary as AML-1.8.1 requires compliance with Chapters 1 & 2 which includes obtaining source of funds and securities. As above. No change No change The Bank: AML-1.8.1 & 1.8.2 – The Module should explain if AML-1.8.1 should be read in conjunction with AML-1.8.2. In any case, recommend that AML-1.8.2 is only applicable when the professional intermediary is not subject to FATF-equivalent CDD measures. AML-1.8.2 & 1.84 – The requirements are onerous. The Module should allow the CMSP to satisfy one of the requirements instead of all 4. Consideration is for the CMSP to satisfy itself that either the intermediary or the purported arrangement would allow a proper CDD to be undertaken to rule out ML or FT. These are not exclusive provisions as AML-1.8.1 is clear that all introducers must be subject to FATF requirements, which AML-1.8.2 providing additional guidance and confirmation that the introducer is subject to FATF. No change

29 AML-1.8.2 – General Requirements – Introduced Business from Professional Intermediaries (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: To insist that a CMSP may only accept introduced business when all the 4 requirements are satisfied would discourage CMSP‟s participation, which in turn may affect Bahrain‟s CM, while the same does not serve further benefit to the AML/CFT practice more than meeting one of those. Thus, recommend rewording AML-1.8.2 to take the above into consideration. This is especially in light of the provision in AML-1.8.4 which would be frivolous when read together with AML-1.8.2, if the provisions of AML-1.8.2 are to be kept. This is the same as Volume 4. A decision is required whether non-FATF introducers can be used (this would go against AML-1.8.1). Suggest deleting AML-1.8.4. Discussion at RPC. AML-1.9 – General Requirements – Shell Banks Industry Comments CMS Comments CMS Recommendations/Action An Institution: Add a new paragraph AML-1.9.3 stating: “The Capital Market Service Provider must satisfy itself that other CMSPs or financial institutions with which it has a relationship does not have any relations or business dealings with a Shell Bank by obtaining a declaration for such policy.” Shell banks have in the past been associated with money laundering and terrorist financing. This is covered under AML-1.9.1. No change

30 AML-1.10 – General Requirements – Simplified Customer Due Diligence Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-1.10.1(b) - Capitalise and underline „security‟ in the first line. See too AML-4.3.1 and AML￾7.1.1. Agreed. Amend. Include amendments. A Bank: AML-1.10 – As most of the securities transactions are of relatively higher value than retail banking transactions, CBB should consider increasing the threshold for customer due diligence measures suitably, to say BD15,000 or above. This is consistent with other non-banking Rulebooks. The threshold is set a value, whether it be for cash or securities No change A Financial Institution: AML-1.10.1(a) – Suggest that due to the nature of capital market transactions and the frequency of trades, the threshold limit for simplified due diligence may be increased to BD12,000 per year. AML-1.10.8 – Since it is not always possible to clearly determine if a transaction is being conducted as principal or on behalf of a customer, the wording may be amended as follows: “Simplified customer due diligence measures must not be applied where a Capital Market Service Provider knows, suspects, or has reason to suspect that the applicant or transaction involves money laundering or terrorism financing”. See above. This will still meet the objective. No change No change A Bank: AML-1.10.1(g) Define the „majority shareholder‟ in a % term to have more clarity and consistency for applying this regulation to all CMSPs. AML-1.10.2 – It is recommended to modify the regulation to state that AML-1.2.1 and AML-1.2.8 should apply. AML-1.10.4 There is no possibility of having natural persons falling under the categories AML-1.10.1 (c) to (g). This is to be interpreted according to its general meaning. Not necessary. Agreed. Reference to natural persons will be removed. No change No change Amend to remove reference to natural person. An Institution: Recommend to remove the first

31 paragraph of AML-1.10.1(b) and not refer to IPOs after January 2006. Such an issue empowers us to apply proper CDD. AML-2.2 – Ongoing Customer Due Diligence and Transaction Monitoring Industry Comments CMS Comments CMS Recommendations/Action An Institution: AML-2.2.3 - Add the words “(or equivalent in other currencies)” after “BD6,000 and add another paragraph at the end of AML-2.2.3 stating: “However, the Capital Market Service Providers must understand that BD6,000 threshold (or equivalent in other currencies) can be one of or a series of transactions just below reporting threshold to avoid BD6,000 threshold (or equivalent in other currencies). The Capital Market Service Provider must also include such transaction in their manual/automated monitoring system.” It is possible for an individual to avoid getting reporting if he/she processes multiple transactions below the BD6,000 limit; e.g. multiple BD5,900 transactions. Additionally, it is recommended that in addition to an individual transaction limit (BD6,000 per transaction) a cumulative transaction limit should also be set such as any set of transactions above BD3,000 which are cumulatively above BD,10,000 within the last 30 days (rolling calendar days). This may be covered through spotting abnormal or unusual flow of funds. RPC to discuss this. RPC discussion. No change at this time. A Bank: The term “provide up-to-date identification documents” appears to be inconsistent with the requirement: “If, upon performing such a review, copies of identification documents are more than 12 months out￾of-date …”. Theoretically, if for example, a copy of a customer‟s passport was taken 3 years ago, in terms of AML-2.2.11, but is only due to expire in a few months after the date that the review takes place, this may result in another copy of the passport not being taken for nearly This is up to the CMSD to determine, taking into account the objective to be achieved. No change

32 6 years (i.e. in another 2 ½ years time). Would this be consistent with the up-to-date requirement? AML-2.2 – Ongoing Customer Due Diligence and Transaction Monitoring (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: Automated Monitoring System (AML-2.2.3) – Clarification is requested that if an automated monitoring system was implemented, then the BD6,000 occasional/one-off monitoring threshold would not be applicable and that we may apply a threshold level that is appropriate to the client type. The threshold monitoring is not required where an automated monitoring system can perform the objective and spot abnormal or unusual flow of funds. No change A Bank: AML-2.2.11 – The regulation should clearly state what is the action required to be taken by CMSPs when the customers do not provide updated KYC documents and what is the timeframe for implementing those actions. This is required to unify the action that should be taken amongst all CMSPs. This is covered in AML-1.2 with respect to KYC documents. No change An Institution: Implementing the requirement in paragraph AML-2.2.11 seems to be technically difficult. Reviewing and updating customer identities every 3 years may sometimes be a responsibility for the broker too. AML-3.1 – Money Laundering Reporting Officer – Appointment of MLRO Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-3.1.1 - The corresponding provision in Module FC-4.1.1 also specifies that: a) The MLRO must be approved by CBB prior to his appointment; and (b) The licensee must notify the CBB of the appointment of the MLRO using the MLRO form (Appendix FC-4). AML-3.1.5 – The corresponding provision in Module FC-4.1 also specifies that: a) The position of DMLRO is a controlled function and the DMLRO is an approved person; and (b) The This is catered for in AML-3.1.2. This is covered in AML-3.1.1. No change No change

33 DMLRO must be approved by CBB prior to his appointment. AML-3.1 – Money Laundering Reporting Officer – Appointment of MLRO (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: Under AML-3.1.5 the DMLRO is not highlighted as a controlled function or an approved person. This is not consistent with the current requirements under Rulebook 1 for Conventional Banks. Compliance Monitoring: Under AML-3.3.7 it is indicated that the 4 reports specified as per AML-3.3.1 should be submitted to the CBB‟s Compliance Directorate by 30th April of the following year on an annual basis. This is not consistent with the existing requirements under the FC Module, in which only the external auditors report is required to be submitted by 30th April of the following year on an annual basis. Agreed. Amended to be in line with Volume 1. This also needs to be amended in Volume 4. Amended in line with Volume 1. Does the CBB not want these reports? Amend AML-3.1.5 and AML￾3.3.7. Delete AML-3.3.7 – RPC discussion. An Institution: Recommends that AML-3.1 is also applicable to foreign subsidiaries and branches of the Capital Market Service Providers which are based in Bahrain. Since foreign subsidiaries and branches of CMSPs are also conducting business in Bahrain, they should be brought under the ambit of this Module. This is clearly defined in the scope and application of this Module. No change An Institution: It is recommended not to use the words like his/him‟ – see AML-3.1.6. Necessary in the context. No change AML-3.2.1 – Responsibilities of the MLRO Industry Comments CMS Comments CMS Recommendations/Action An Institution: Add at the end to paragraph AML￾3.2.1(g) after “… as per rule AML-3.3.3” “and performing follow-up of the status of any anomaly identified during yearly review.” Follow-ups allow for better monitoring to be conducted. Agreed. Included. Include suggested wording.

34 Key point of contact for any query raised by the staff of the CMSPs related to AML/CTF Module and regulations should be provided. AML-3.3.1, AML-3.3.2 & AML-3.3.7 – Compliance Monitoring – Annual Compliance Review Industry Comments CMS Comments CMS Recommendations/Action A Bank: Scope of subsidiaries should be limited to subsidiaries undertaking activities listed in the Schedule to the AML Law of 2001. This can either be done by explicitly stating that in this provision or by incorporating a general definition of “Subsidiaries” to such effect. This is dealt with in the scope and application of the Module. No change An Institution: Add at the end to paragraph AML-3.3.2 “Separate reports must be made for each country where a Bahrain based Capital Market Service Provider has branches or subsidiaries.” Since branches of a Bahrain based CMSP in another country may be required to follow AML/CFT regulations of the home country as well, CBB should be aware of any violations with those regulation(s). The requirement is only on transactions concluded in Bahrain or covered by this Module. No change A Bank: The requirement under FC-4.3.5 is to submit the external auditor‟s report referred to in paragraph FC￾4.3.1(d) to the Compliance Directorate by 30 April each year. AML Module refers to the submission of a total of 4 reports. An amendment is recommended for consistency purposes. The requirement to submit 4 reports has been deleted. No change (deletion as per previous comment). AML-4.2 – Suspicious Transaction Reporting – External Reporting Industry Comments CMS Comments CMS Recommendations/Action An Institution: Add at the end of paragraph AML-4.2.1 “(within 1 working day” after the words “… he must report the fact promptly ….” Not necessary. No change A Bank: AML-4.2.4 – The CBB regulations should take it up with higher authorities to clarify if tax evasion is Tax matters are included as part of this Module. No change

35 considered as an AML crime or not. AML-4.3 – Suspicious Transaction Reporting – Reporting to the SRO Industry Comments CMS Comments CMS Recommendations/Action A Bank: The reporting mechanism to the SRO under AML-4.3 may be further clarified in terms of the specific conditions or circumstances that would require/mandate for such reporting to be filed by the institution or bank. In addition, contact details for the SRO may be specified under AML-4.4. Also, the timing of the reporting to the SRO should be specified; i.e. simultaneously with reporting to CBB/FIU or before/after such reporting. The SRO will determine the reporting requirements in their business rules. No change A Bank: “The MLRO, whenever he becomes aware or believes, or has reason to believe that a client is involved in a money laundering offence, shall in addition to the reporting in section AML-4.2, inform the SRO on which the transaction takes place, …”. There is only a finite number of SROs, shouldn‟t this/these be named as provided for in „Contacting the Relevant Authorities‟ in AML-4.4.1? Might this not make the investigation process by the relevant authorities more cumbersome, as this would then have to be coordinated between 3 authorities, which would each have their own approach to the report? Would it not be better for the CBB to coordinate with the SRO in this regard, without the MLRO having to submit a separate report to the SRO? Not all CMSPs may be members of SROs and not all SROs have to be informed if the suspicious transaction was not concluded on that SRO. See above for contact details. The SRO is required as soon as possible, as only it has the ability to stop the transaction (they control the system). No change An Institution: In rule AML-4.3 who is meant by SRO? The SRO on which the transaction is taking place. No change AML-6.1. 1 - Record Keeping - General Requirements – CDD and Transaction Records Industry Comments CMS Comments CMS Recommendations/Action An Insurance Company: AML-6.1.1 - Time period for This has been harmonized at 5 years. No change

36 maintenance of transaction records – the time period under this clause is at least 5 years, whereas in the FC Module (under Volume 3), the comparable clause (FC￾6.1.1 (b)) is at least 10 years. To be reviewed and synchronized. AML-6.1. – Record Keeping - General Requirements – CDD and Transaction Records (Continued) Industry Comments CMS Comments CMS Recommendations/Action An Institution: Add to AML-6.1.4: “All records related to a suspicious activity reported to the external authorities or which is part of litigation shall not be destroyed even after a laps of a 5 year period until the respective external authorities communicate completion of proceedings and closure of files related to the case”. Such documents should be retained in case the CBB would like to refer back to the litigation or there is an appeal. AML-6.1.4 relates to training, therefore this is not necessary. No change The Bank: Supporting documentation in respect of KYC and CDD documentation in pertaining to financial institutions maintaining relationships with us are held remotely but accessible should a regulator (CBB) require the same. Confirmation is requested to confirm this is acceptable practice. As long as these are accessible quickly enough to meet the objective and the storage is in accordance with best practice. No change An Institution: There is a title “access” after rule AML￾6.1.4 without a reference number and/or text. This is a heading for AML-6.1.5 as with all other headings in the Rulebook. No change AML-7 - General Requirements in Relation to Securities Industry Comments CMS Comments CMS Recommendations/Action A Bank: Under AML-7.1 – The general requirements in respect of substantial shareholding are explained. However, there are inconsistencies between these requirements and the current guidelines under the Disclosure Standards for major shareholding (5% and more) and the GR Module (GR-5.2 on Controllers). No reference is made to „major shareholding‟ and this is in line with the AML Resolution No. 1 of 2004 and will require such transactions to be conducted in Bahrain, thereby ensuring transparency and minimizing the possibility of money laundering, terrorist financing or fraud. No change

37 Further clarification should be offered on the processes and modality for ensuring, enforcing and monitoring compliance with such requirements for banks‟ clients. Feel that since the requirements are not directly AML related, they should not be part of this Module. AML-7 - General Requirements in Relation to Securities (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: Under AML-7.2 – Requirements for Listing – it is indicated that no company shall be listed on BSE unless it satisfies all legal requirements in the Kingdom or in their countries of incorporation. Feel that not all jurisdictions may have comparable regulations from AML perspective to that of Bahrain. Some of the high risk countries have weaker regulations. Therefore, only satisfaction of requirements in countries that have comparable AML legal and regulatory frameworks should be acceptable. Under AML-7.3 – The requirement for offering of securities may be reviewed in keeping with international practices by allowing the offering, listing and trading of bearer securities, with due approval by CBB and BSE. In addition, if the security is offered by an institution registered in Bahrain and listed on another stock exchange with comparable regulations, it should be allowed to be marketed locally in Bahrain. It may be useful to introduce a distinction for further clarity within this Module for the classification of strictly AML-related and non-AML-related issues, such as that under AML-7 covering general requirements in relation to securities and under AML-12 covering fraud. Feel that the non-AML issues should not be included under this Module, and if included should be identified separately. Agreed. Amendment included to refer to „comparable AML/CFT regulation‟. This provision is based on the Decree Law which will have to be amended for the CBB to introduce this concept. These provisions do directly impact the possibility of money laundering and terrorist financing and must be included in this Module. No change No change A Bank: This chapter relates to the „Controller‟ status which is referred to in the GR Module of Volume 1 and See comments below No change

38 does not pertain to AML/CFT. Hence, suggest that this be addressed separately. AML-7 - General Requirements in Relation to Securities (Continued) Industry Comments CMS Comments CMS Recommendations/Action A Bank: CBB to consider excluding non-convertible bonds from the requirements proposed in the section on General Requirements in Respect of Substantial Shareholding, as bonds and debt instruments do not confer ownership rights. Also, bonds are very similar to the loan product used by banks for the same purpose (providing debt) without undergoing these constraints – therefore it may not be constructive to put these restrictions on bonds. CBB may clarify that General Requirements in Respect of Substantial Shareholding applies to securities issued by Bahraini companies. CBB should also clarify different tranches of bonds (if bonds continue to be included under the proposed constraints), issued separately should qualify as different issue of securities for purpose of the purchase restrictions on additional securities, as outlined in the section on General Requirements in Respect of Substantial Shareholding. CBB should stipulate that the purchase restrictions on additional securities as outlined in the section on General Requirements in Respect of Substantial Shareholding should not be made applicable for securities issued by the Government of the Kingdom of Bahrain. The concern is not limited to ownership rights. The bonds are still a value that can be used for money laundering or terrorist financing. Bonds are necessarily excluded from some provisions (e.g. AML-7.1). These requirements are not necessarily related to only Bahraini companies, as exchanges in Bahrain allow for foreign listings. This will be determined on an ad hoc basis (read with the base prospectus), but most restrictions will not apply to bonds. Not necessary as the Government will not issue shares as securities (and Government owned entities are treated as companies). No change No change No change No change An Institution: In rule AML-7.2.1 it refers to the BSE, it is recommended to change this to „licensed exchange‟. Same change should also be applied to the last paragraph of AML-7.3.1. Agreed. Amend BSE to „licensed exchange‟.

39 AML-7 - General Requirements in Relation to Securities (Continued) Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-7.1 - General Requirements in Respect of Substantial Shareholding – This provision would appear to be more properly placed in the Module for the prevention of market abuse than in financial crime. AML-7.2 – Requirements for Listing – This provision would appear to be more properly placed in the Module for listing on the stock exchange than in financial crime. AML-7.3.1 – Requirements for Listing – This provision would appear to be more properly placed in the Module for offering listed securities on the stock exchange than in financial crime. AML-7.4.1 – Financing Requirements for Deposit – This provision would appear to be more properly placed in the Module regarding listed securities on the stock exchange than in financial crime. Some of these concepts may be replicated in other Modules, but they are necessary here as the trading of securities is internationally recognized as a possible form of money laundering and terrorist financing. No change A Financial Institution: AML-7.1 – Suggest that the provisions of this section be applicable to subscribed shareholding representing the ownership interest in a listed company only and not to other securities. Other securities to be excluded are bonds, commercial paper and preference shares. AML-7.1 is only for listed companies. No change A Bank: AML-7.1.1, 7.1.2 & 7.1.3 – To remove these provisions as they are not within the scope of AML or CFT. Further, provisions to such effect should have been dealt with in the BSE Law or the law of the relevant licensed exchange. AML-7.1.4 – Renumber AML-7.1 and stipulate all CMSPs should undertake the necessary to comply with the requirements of any applicable law or regulations pertaining to a licensed exchange before it will carry out any transactions, either for itself or on behalf of a client, involving 5% or more in a listed See the Bank comment above. No change

40 security, then insert the provision in AML-7.1.4. AML-7.2 , AML-7.3 and AML-7.4 – General Requirements in Relation to Securities (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: Remove the provision, see comments re AML-7.1.1, 7.1.2 and 7.1.3 above. AML-7.3.1 – Remove the provision, see comments above. AML-7.4.1 – Remove the provision and place it in the regulation regulating CDS (if it is not there yet). This is because of the specific nature of this provision, which does not fall within the scope of AML/CFT. See comments above. No change AML-8.1 .1 – Acceptance of Cash by SRO Members Industry Comments CMS Comments CMS Recommendations/Action A Financial Institution: To make the paragraph clearer and more effective, suggest to add the following at the end of the first paragraph: “… where the broker has complete KYC information and is satisfied that the transaction does not involve money laundering or terrorism financing”. Not necessary as these requirements will be applicable, as per AML Chapters 1 and 2. No change A Bank: Remove the provision and place it in the regulation regulating CDS (if it is not there yet). This is because of the specific nature of this provision, which does not fall within the scope of AML/CFT. See comments in AML-7. No change AML-9.1 – Special Measures for Non-Cooperative Countries or Territories (NCCTs) Industry Comments CMS Comments CMS Recommendations/Action A Bank: As per the FATF webpage: “As of 13 October 2006, there are no Non-Cooperative Countries and Territories”. Noted. No change

41 AML-9.3.3 – NCCT Measures and Terrorist Financing – Designated Persons and Entities Industry Comments CMS Comments CMS Recommendations/Action An Institution: Add to AML-9.3.3 after: “… contained in section AML-4.2, „within 1 working day‟ details …” Also add at the end of the paragraph: “The Capital Market Service Providers must adopt an adequate automated system to ensure that all assets, accounts, financial activities or balance of the designated persons and entities are frozen, and to ensure that no dealing will take place with them in the future.” Such an automated system will disable the transaction from reaching its intended conclusion. Not necessary. No change AML-10.1 – Regulatory Penalties Industry Comments CMS Comments CMS Recommendations/Action A Bank: This process should be subject to the due process similar to that provided in Chapter 2 of Part 9 of the CBB Law. This can be done either by incorporating provisions outlining similar process in the regulation or by explicitly adopting such process within the regulations. CBB Law process will be followed, as this is a CBB Module. No change AML-12.1 – Fraud – General Requirements for the Detection and Prevention of Fraud Industry Comments CMS Comments CMS Recommendations/Action A Bank: Under AML-12.1 the requirements for the detection and prevention of fraud are clarified, including the appointment of a fraud officer. Feel that fraud detection should not be part of this Module. It may be imperative to make these requirements clearly distinct and separate from the responsibilities of the MLRO, so as to avoid any potential confusion in roles and activities. Fraud is an integral part of financial crime and the investigative and analytical skills required to combat fraud are similar to those of money laundering. No change

42 AML-12.1 – Fraud – General Requirements for the Detection and Prevention of Fraud (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: Fraud detection should be highlighted as a separate process that is closely interlinked with operational risk management and internal control functions. Further guidance on the detection of fraud activities and general trends may be also separately provided elsewhere in the Rulebook. Under AML-12.1.3, it is stated that any actual or attempted fraud incident must be reported however small. This does not seem to be directly in line with the current stipulation for „notification of fraud‟ and other „material‟ concerns to CBB under the BR Module of Rulebook 1. The relevant provisions are reproduced for easy reference below: Notification of fraud or other material concerns: BR-5.1.13: All banks must report immediately to the Central Bank any frauds, either attempted or realised, or any well-founded concerns about the integrity of individual directors or members of management. This obligation to disclose extends to individual Board members and members of management; i.e. if a director or a member of management has reasonable grounds to believe that information that should have been reported to the Central Bank has not, then they have a duty to report the matter personally to the Central Bank. All such cases shall be treated in the strictest confidence by the Central Bank. The BR reference below is not related only to fraud. See above comments as to significance of fraud to be included in this Module. No change

43 AML-12.1 – Fraud – General Requirements for the Detection and Prevention of Fraud (Continued) Industry Comments CMS Comments CMS Recommendations/Action The Bank Continued: BR-5.1.14: All banks must report immediately to the Central Bank any material losses as soon as the bank becomes aware of them. This notification requirement is separate from notifications for loan write-offs (see BR-5.2.3) or frauds (see above), but refers to losses caused by external events (e.g. falls in stock markets) or internal control failures. In this context „material‟ would mean: a loss which exceeds 5% of net earnings in a given quarter, or a loss which reduces the bank‟s capital adequacy by more than 1%; or a loss which reduces total assets by more than 1%. As mentioned above, fraud detection and reporting should not be part of the Module. In addition, any reporting requirement should be consistent with other related CBB provisions. As above. No change A Bank: Requirement for implementation of monitoring systems to measure fraud patterns should not be mandatory, but based on the nature of the business and experience of incidence of fraud in the business, particularly in the case of retail banks. CBB may elaborate that the responsibility for prevention, detection and remedying frauds can reside with a senior employee handling other responsibilities as well (e.g. MLRO). This is the policy in AML-12 as it relies on the CMSP to appoint and allocate resources. No change

44 AML-12.1 – Fraud – General Requirements for the Detection and Prevention of Fraud (Continued) Industry Comments CMS Comments CMS Recommendations/Action A Bank: AML-12.1.3 - This section requires that monitoring systems must be designed to measure fraud patterns that might reveal a series of related fraud incidents. We are of the view that this requirements to install costly sophisticated computer systems for detecting fraud patterns should be imposed only on CMSPs that are involved in the trading securities on a stock exchange or are otherwise involved in „retail‟ activities, as opposed to CBB licensees that do not conduct such activities and whose own activities would not be sufficient to establish and measure fraud patterns. This will be determined by the CMSP as to what is „appropriate‟ in order to meet the objective and based on the CMSP business. No change A Bank: General Requirements for the Detection and Prevention of Fraud – This is a good addition to the Module. Noted. No change A Financial Institution: Wish to suggest some sources of external fraud in capital market context, such as: impersonation, insider trading, market manipulation and cybercrime. Noted. No change A Bank: This is related but not within the subject matter of AML/CFT. Accordingly, recommend to remove these from this Module and incorporate the same into the regulation regulating respective licensees. See comments above. No change A Bank: This chapter relates to „Prevention and Detection of Fraud‟ and is not part of the corresponding FC Module in Volume 1. An amendment is recommended for consistency purposes. Discuss with Banking. No change

45 AML Appendix IV Industry Comments CMS Comments CMS Recommendations/Action An Institution: The following examples of suspicious transactions may be added:

• The PEP requests the execution of an operation through another institution or company that does not usually deal with foreigners.
• The PEP requests that the operation be kept secret, e.g. by requesting it be registered in the name of another person or company.
• The PEP executes several operations through more than one geographic area to conceal the nature, source or ownership of the funds.
• Significant or frequent transfers of funds.
• The PEP repeatedly reduces the balance of his account to the minimum. Noted. These appear to be covered by other general requirements. Discuss the inclusion of the proposals.