Decrees No. 53/2023 and 54/2023, of August 31 - Regulations of the AML/CFT/CPF Law and the Counter-Terrorism Law

SUMMARY NOTICE The matter to be published in the "Boletim da República" must be submitted as a duly authenticated copy, one for each subject matter, containing the following endorsement, signed and authenticated: For publication in the "Boletim da República". IMPRENSA NACIONAL DE MOÇAMBIQUE, E.P. Council of Ministers: Decree No. 53/2023: Approves the Regulation of Law No. 14/2023, of August 28, which establishes the Legal Regime and Measures for the Prevention and Combat of Money Laundering and Terrorist Financing, and repeals Decree No. 66/2014, of October 29. Decree No. 54/2023: Approves the Regulation of Law No. 15/2023, of August 28, which establishes the Legal Regime for the Prevention, Repression and Combat against Terrorism and Proliferation of Weapons of Mass Destruction. Thursday, August 31, 2023 I SERIES — Number 169 COUNCIL OF MINISTERS Decree No. 53/2023 of August 31 Since it is necessary to regulate Law No. 14/2023, of August 28, which establishes measures for the prevention and repression of the use of the financial system and economic activities for the commission of acts of money laundering, terrorist financing and proliferation financing of weapons of mass destruction and related crimes, the Council of Ministers, using the powers conferred upon it by Article 84 of said Law, decrees: Article 1. The Regulation of Law No. 14/2023, of August 28, which establishes the Legal Regime and Measures for the Prevention and Combat of Money Laundering and Terrorist Financing, is approved, attached to this Decree and forming an integral part thereof. Art. 2. Decree No. 66/2014, of October 29, and all legislation contrary to this Regulation are repealed. Art. 3. This Decree enters into force upon its publication. Approved by the Council of Ministers, on August 29, 2023. Let it be published. The Prime Minister, Adriano Afonso Maleiane.

Regulation of the Law Establishing the Legal Regime and Measures for the Prevention and Combat of Money Laundering and Terrorist Financing CHAPTER I General Provisions Article 1 (Object) This Regulation establishes the measures and procedures regarding the prevention and combat of money laundering, terrorist financing, proliferation financing of weapons of mass destruction, and related crimes, applicable to financial institutions and non-financial entities, in accordance with Law No. 14/2023, of August 28.

Article 2 (Scope of Application) This Regulation applies to natural and legal persons, including those without legal personality, non-profit organizations, financial institutions, and non-financial entities, with headquarters in national territory, as well as to their branches, agencies, subsidiaries or any other forms of representation and to other institutions susceptible to being used for the commission of acts of money laundering, terrorist financing and proliferation financing of weapons of mass destruction.

Article 3 (Definitions) The definition of terms is contained in the Glossary, attached hereto, which forms an integral part of this Regulation.

2008 I SERIES — NUMBER 169 CHAPTER II Duties of Financial Institutions and Non-Financial Entities SECTION I General Duties Article 4 (Preventive Duties)

1. Obligated entities are subject, in their operations, to the following preventive duties: a) risk assessment; b) identification, verification and due diligence; c) refusal; d) abstention; e) reporting/communication; f) preservation/conservation; g) examination; h) collaboration; i) non-disclosure; j) training; and k) control.
2. The scope of control, identification and due diligence, and training duties must be proportional to the nature, size and complexity of the obligated entities and the activities they carry out, taking into account the specific characteristics and needs of smaller-sized obligated entities.
3. Obligated entities are prohibited from performing acts that may result in their involvement in any money laundering, terrorist financing or proliferation financing of weapons of mass destruction operation and must adopt all adequate measures to prevent such involvement.

SECTION II Risk Assessment for Money Laundering, Terrorist Financing and Proliferation Financing of Weapons of Mass Destruction (AML/CFT/CPF) Article 5 (Risk Assessment Duty)

1. Financial institutions and non-financial entities must conduct risk assessments for self-knowledge, with the objective of analyzing their activities and identifying risks and vulnerabilities associated therewith, concerning money laundering, terrorist financing and proliferation financing of weapons of mass destruction.
2. In the risk assessment, account shall be taken of: a) turnover; b) number of employees or company size; c) geographic area of operation, as well as operationalized payment means; and d) nationality of clients, buyers, suppliers, distributors, or other business partners, directly or through representatives.
3. In considering risks, the following transactions shall be taken into account: a) with foreign clients; b) of clients linked to high-risk countries for corruption or criminal organizations, payments of transactions through third parties or intermediaries in the process; c) transactions with entities holding high public office; d) trade that facilitates the concealment of benefits, in tax havens; e) where the client attempts to lower the transaction value to a specific amount.
4. For the purposes of paragraph 3, account shall be taken when the client: a) is mentioned in news linked to illicit activities, suspected of committing crimes; b) is listed in United Nations (UN) Resolutions lists; c) when the client refuses to place their personal data in any document linking them to property ownership; d) when the client attempts to conceal the identity of the beneficial owner or requests that the transaction be structured to conceal the true client's identity; and e) when the client provides unknown, false or uncertain data.
5. When the client is a commercial company, high risk exists when there is a lack of business and operational activity, as well as when commercial companies registered in Mozambique show apparent activity but low capital, or when the commercial company is constituted by partners who are in some way related to terrorist organizations or money laundering activities, or when the client is a recently created entity and the transaction value is high relative to its assets.
6. In addition to the risks mentioned in previous paragraphs, relevant risks for this Regulation include the type of business involved, namely high-value easily movable goods, goods or operations favoring client anonymity, activities conducive to higher cash payments, quantity of goods acquired apparently disproportionate to the client's size, and purchase of goods through a legal entity without apparent interest in its corporate object.
7. Risk assessment must be drafted in a document, which shall be maintained together with all supporting information and made available to competent supervisory authorities.
8. Risk assessment must also be kept updated every two years to ensure it reflects current risks to which institutions are exposed.
9. Financial institutions and non-financial entities must have policies and procedures to identify, assess, monitor, manage and mitigate the money laundering, terrorist financing and proliferation financing of weapons of mass destruction risks to which they are exposed.
10. For the purposes of the preceding paragraph, money laundering, terrorist financing and proliferation financing of weapons of mass destruction risks follow the following associated risk categories: a) to the client; b) geography or country; c) product or service; d) delivery channel; e) other risks to be defined by Supervisory Authorities.
11. Obligated entities must develop policies and procedures to effectively mitigate their money laundering, terrorist financing and proliferation financing of weapons of mass destruction risk.
12. Obligated entities must adopt enhanced due diligence measures when high-risk scenarios are identified, and conversely, when risks are lower, simplified due diligence measures may be permitted.
13. Simplified due diligence measures do not exempt the required identification duty and are not applicable when: a) they are not consistent with the risk assessment of money laundering, terrorist financing and proliferation financing of weapons of mass destruction in their respective sectors; and b) there is suspicion of money laundering, terrorist financing and proliferation financing of weapons of mass destruction.
14. Simplified due diligence measures may only be applied in circumstances where the assessment referred to in paragraph 1(a) concludes that it is low risk.

31 DE AGOSTO DE 2023 2009 Article 6 (Risk Management Model)

1. The exercise of the control duty by employees must result in the production of a risk model based on the experience of obligated entities.
2. The risk management model must be updated periodically, every two years, with the frequency potentially varying depending on the relevance of topics.
3. Management models must govern the degree of control and tolerance performed, in order to define a risk profile for clients, commercial transactions, and routine processes.

Article 7 (Results of Risk Management Model Application)

1. In compliance with the duties listed in Article 5 of this Regulation and having collected the data referenced therein, it must be possible to identify clients, their associated risk, involved values, as well as the set of data for each.
2. Concentrating client data will avoid repeating requests for already requested and received data during identification and examination, and better identify deviations from the normal course of transactions.
3. An annual assessment of this risk management model must be made, and where appropriate, alterations or simplifications proposed, better identified after compliance with all procedures provided for in this Regulation.

Article 8 (Duty to Establish Client Risk Profile)

1. Obligated entities must have adequate systems for establishing a risk profile for each client.
2. The assessment of money laundering, terrorist financing and proliferation financing of weapons of mass destruction risk associated with a client must take into account, among others, the following factors: a) client profile and nature of business; b) manner of establishing the business relationship; c) geographic location of the client and their business, where applicable; d) executed transactions; e) client history; f) goods and services acquired; g) types of services and products used by clients of the financial institution or non-financial entity; and h) types of distribution channels used by the client.
3. The assessment of the client risk profile must be carried out regularly and whenever changes in operations performed by them are recorded.

SECTION III General Identification, Verification and Due Diligence Rules Article 9 (Duty of Identification, Verification and Due Diligence)

1. Obligated entities must, within the scope of fulfilling the identification duty, maintain a record of their clients for a period of 10 years and make it available to competent supervisory authorities upon request.
2. No client, potential or actual, even if known to the financial institution or non-financial entity, may be exempt from fulfilling the necessary identification procedures.
3. If the business is conducted through a credit institution, the identification duty must specify the payment method, purpose of credit use, granting financial institution, and total amount granted.
4. For identifying the beneficial owner of the business, the identification duty must specify the client, the person conducting the business, and the beneficial owner of the business; the beneficial owner's signature may be omitted if not present at the conclusion of the business.

Article 10 (Identification Elements)

1. Identification of clients and their representatives is carried out, in the case of natural persons, by collecting and recording the following identification elements: a) full name and signature; b) date of birth; c) place of birth; d) nationality; e) sex; f) marital status; g) marriage regime; h) complete physical address, indicating province, district, city, locality, avenue or street and respective number, or document proving residence; i) telephone contact; j) parentage; k) letter from the employer attesting to labor relationship, profession, contract type and current net monthly salary; l) type, number, place and date of issuance of identification document; m) Unique Tax Identification Number – NUIT; and n) nature and amount of income.
2. For the purposes of the preceding paragraph, additional documents may be required if deemed relevant.
3. Identification of clients and their representatives is carried out, in the case of legal persons or centers of collective interests without legal personality, by collecting and recording the following elements: a) trade name or denomination; b) headquarters address, indicating province, district, city, locality, avenue or street and respective number, or main business location when not coinciding with headquarters; c) telephone contact; d) identification of top management members; e) Unique Tax Identification Number – NUIT; f) email address; g) corporate object and business purpose; h) identity of shareholders holding equity or voting rights in the legal person, valued at 10% or more; i) economic activity classifier code and economic group code, where applicable, issued by the licensing entity; j) identity of legal person representatives and respective mandate; k) specification of representation powers referred to in the preceding sub-paragraph, which must be duly proven by authentic or authenticated documents unequivocally mentioning them, or in cases where such documents cannot legally be obtained through private documents, of equivalent and legally binding content; l) document issued by competent entity authorizing establishment.
4. For companies and other legal persons in the process of formation, identification is carried out by collecting and recording: a) complete identification of founding partners and other persons responsible for the company or other entity to be formed, with applicable requirements; b) declaration of commitment to deliver, within 90 days, the establishment document and proof of registration with the competent authority.
5. In the case of fiduciary funds (trusts) or other centers of collective interests without legal personality of analogous nature, obligated entities obtain information on administrators (trustees), founders (settlor), and their beneficiaries.
6. Considered identification elements for beneficial owners, obligated entities obtain the following information: a) full name; b) date of birth; c) place of birth; d) nationality or nationalities; e) complete permanent residence address, including country; f) Unique Tax Identification Number; g) other identification document data.
7. When no natural person is identified, as per previous paragraphs of this article, the identity of the natural person holding a senior management position must be indicated.
8. In the case of client representatives, obligated entities also verify the document authorizing such persons to act on their behalf.

2010 I SERIES — NUMBER 169 Article 11 (Valid Supporting Documents)

1. For the purposes of the preceding article, a valid identification document is one that cumulatively meets the following requirements: a) issued by a competent entity; b) bears a current photograph of the holder, where applicable; c) is within its stated validity period.
2. Information provided in accordance with the preceding article, based on the risk category identified by the institution, may be proven by presenting one of the following official documents: a) natural persons: i. Identity Card; ii. receipt/ticket for Identity Card application, duly accompanied by Personal Certificate or Complete Narrative Birth Registration Certificate; iii. Passport, for both national and foreign residents and non-residents; iv. Identification and Residence Document for Foreigners (DIRE), for foreign citizens and Residents; v. Electoral Registration Card for nationals; vi. Work Identification Card; vii. military certificate; viii. refugee identification card; ix. political exile card; x. Driving License; xi. in cases of low-risk clients, financial institutions and non-financial entities may also prove provided information through endorsement by two witnesses of recognized integrity by the community or institution in question, or through comfort from the administrative entity responsible for the Community. b) legal persons: i. certificate of registration of legal entities or other public document proving, namely the copy of the Boletim da República containing the publication of Statutes or Notarial Certificate of Deed of Constitution or company contract, when regarding resident legal persons; or ii. proof of registration of legal entities or other public document, duly certified by competent entities of the country of origin, and authenticated by Mozambique's consular representation in that country, when regarding non-resident legal persons. iii. NUIT card or equivalent document issued by the competent entity; iv. document proving ownership of social shares, as well as the minutes of alteration of the company structure; v. declaration issued by the legal person itself, containing the names of management body holders, attorneys and representatives, in case of point v, sub-paragraph b) of Article 10 of this Regulation.
3. Proof of the data referred to in the preceding paragraph is carried out by the following means, whenever clients and their respective representatives possess the necessary elements for this purpose and manifest to the obligated entity the intention to use electronic identification means, qualified electronic signature and secure State authentication.
4. For the purposes of paragraph 1, obligated entities provide the necessary technological means and services.
5. Except for cases provided in paragraph 2 of this article, proof of the documents referred to in paragraph 1 is carried out by: a) reproduction of the original identification documents, on physical or electronic media; b) certified copies thereof; c) access to respective electronic information with equivalent value, namely through: i. use of secure devices, recognized, approved or accepted by competent authorities, conferring qualified certification; ii. collection and verification, with prior consent, of electronic data from competent entities responsible for their management.
6. For the purposes of verifying identification of legal persons or centers of collective interests without legal personality, obligated entities always require presentation of the legal person's identification document, commercial registration certificate or, in case of an entity with headquarters outside national territory, equivalent document issued by independent and credible source, proving identification elements provided in this article.
7. Whenever supporting supports regarding any identification elements presented to obligated entities raise doubts as to their content or suitability, authenticity, currency, accuracy or sufficiency, those entities carry out adequate procedures to prove the identification elements in question.

31 DE AGOSTO DE 2023 2011 Article 12 (Duty of Verification and Due Diligence)

1. Whenever there is doubt about the authenticity of presented documents or the truthfulness of the declaration provided, financial institutions and non-financial entities must carry out the following procedures: a) confirm domicile at indicated addresses, which may be done by visiting the location or through declaration issued by competent entity, or other deemed suitable elements; b) confirm authenticity of displayed documents with the issuing entity; c) confirm legitimacy of possession of presented funds, as well as their income sources; d) send a suspicious transaction report to the Financial Information Office of Mozambique (GIFiM).
2. Obligated entities may also obtain all necessary information to confirm client identity, by using available national and international public information, cross-referencing with other evidence and other procedures deemed necessary.

Article 13 (Criteria for Identifying Beneficial Owners)

1. Considered beneficial owners of collective investment bodies and corporate entities, when not companies with shares admitted to trading on a regulated market subject to information disclosure requirements consistent with internal rules or equivalent international standards, guaranteeing sufficient transparency...