2025-01-21
The Non-Bank Financial Institutions Regulatory Authority mandates supervised non-bank financial entities to establish an effective, independent AML/CFT compliance function headed by a designated Anti-Money Laundering Compliance Officer (AMLCO). The directive requires the function to implement robust risk management systems, conduct regular internal and external audits every two and three years respectively, and ensure staff receive targeted training on financial crime prevention. It further stipulates that the AMLCO must hold a senior management position, demonstrate high independence and fit-and-proper status, and submit to regulatory approval before assuming office, with non-compliance subject to enforcement action.
NBFIRA/RS/AML/CFT/DIR01 Page 1 of 9 Directive to Establish an AML/CFT Compliance Function (AML/CFT Directive 1) Effective December 1, 2024
Schemes & Typologies: Various techniques and trends used in commission of ML/TF/PF.
Proliferation Financing: Has the same meanings assigned to it under the Nuclear Weapons (Prohibition) Act, Biological and Toxin Weapons (Prohibition) Act and the Chemical Weapons (Prohibition) Act (all referred to as the NBC Weapons Prohibition Acts).
Relevant Legislation: Refers to any applicable enforceable regulation.
Risk Management Systems: Has the meaning assigned to it under the FI Act.
Risk Profiling/Assessment: Is an evaluation of risks associated with commission of ML/TF/PF and other financial offences including associated compliance risks to which a supervised entity is exposed using threats and vulnerability methodology.
Terrorist Financing: Has the same meaning assigned to it under the FATF Recommendations.
5. ACRONYMS AND ABBREVIATIONS
Abbreviation      Full Name
ACT/FI Act        Financial Intelligence Act
AML/CFT&P         Anti-Money Laundering/Counter Terrorism Financing & Proliferation
AMLCO             Anti-Money Laundering & Counter Terrorist Financing Compliance Officer
FATF              Financial Action Task Force
FI Regulations    Financial Intelligence Regulations
ML/TF/PF          Money Laundering/Terrorist Financing/Proliferation Financing
NBFIs             Non-Bank Financial Institutions
6. RESPONSIBILITY
A governing body of a supervised entity is accountable and responsible for a supervised entity’s compliance with provisions of the Financial Intelligence legislation including those on establishment and maintenance of an effective compliance function. The responsibility may be delegated to management to ensure compliance during day-to-day business activities as conducted by a supervised entity.
7. INTRODUCTION
The Non-Bank Financial Institutions Regulatory Authority (Authority) is empowered by the FI Act to supervise non-bank financial institutions (NBFIs/supervised entities) to comply with the Act and implement controls for the prevention of money laundering, terrorism and proliferation financing (ML/TF/PF) and others – all referred to as financial crimes (offences).
The Authority continues to observe that several supervised entities have a designated function responsible for the management of compliance with the FI Act and other applicable laws. Despite this commendable progress, many entities are yet to fully consider and adopt key aspects to building adequate and more effective compliance functions over and above those prescribed in law.
Part of the Authority’s supervisory mandate is to ensure that supervised entities do not simply comply with the letter of the law, but beyond that, they also operate in line with its spirit to achieve its primary intent. To augment the law and contextualise its general obligations for the non-bank financial institutions sector, the Authority may consider issuing guidance notes or directives to lead supervised entities to desired compliance levels. This Directive has considered some of the crucial factors for adequacy and effectiveness of a compliance function; these include independence, resourcing and competency of a compliance function [staff].
7.1 AUTHORITY
This Directive is issued by the Authority, pursuant to its authority provided for in Section 56(2) of the NBFIRA Act, which empowers the Authority to give directions to supervised entities. Compliance with this Directive is obligatory to all supervised entities pursuant to Sub-section 14(3) as read with Sub-section 14(1) of the FI Act.
The Authority may therefore take enforcement action for non-compliance in line with Sub-section 14(4). The Authority may also consider relaxing part(s) of this Directive subject to its determination of a supervised entity’s risk profile.
7.2 ESTABLISHMENT OF A COMPLIANCE FUNCTION
Supervised entities are obligated, through this Directive, to establish an effective compliance function responsible for ensuring that they comply with the FI Act, and related financial services laws for the prevention of commission of financial offences within and through their operations and services. The compliance function should directly report to a governing body, and administratively to the chief executive officer or equivalent. In instituting this function, a governing body shall take reasonable steps to ensure the highest standards of an effective structure, autonomy, independence[1], resourcing, and competency with consideration to a risk profile of a supervised entity.
The compliance function shall be headed by an AMLCO as proposed by a supervised entity and approved by the Authority. The function should be adequately resourced with additional officers as may be reasonably determined by a risk profile and/or relevant review of a supervised entity. Additional officers should be fit and proper but need not be approved by the Authority.
7.3 RISK MANAGEMENT SYSTEMS AND CONTROLS
The function shall primarily be responsible for the development of risk management systems and controls i.e., risk assessments, policies, systems, internal procedures and rules to ensure a supervised entity complies with the FI Act and other relevant laws to prevent commission of financial crimes through and within its operations. While the function is charged with putting in place systems and controls, and oversight of implementation of those controls, the management and general staff have the responsibility to apply them in carrying out their respective duties.
7.4 REPORTING AND REGULATORY LIAISON
The function shall be responsible for addressing AML/CFT regulatory inquiries and managing communications with supervisory authorities, particularly the Authority and the Financial Intelligence Agency. It shall also ensure it files all statutory reports in accordance with the FI Act and any other regulatory instrument.
7.5 TRAINING
The function shall provide, or ensure the conduct of, regular and adequate training on prescribed subjects, at a minimum, for staff members and related parties of a supervised entity. This is to ensure that a supervised entity's risk management systems and controls are implemented effectively.
Priority training topics should be based on identified knowledge gaps and risks with greater efforts focused on areas with increased likelihood of commission of financial crimes and non-compliance.
[1] The necessary independence includes the ability to operate and communicate in an unhindered manner and availability of structure and process for direct and frequent functional reporting to the governing body and its relevant committees.
Prescribed subjects referred to in Paragraph 13 above:
(a) Obligations under the FI Act & related legislation.
(b) ML/TF/PF schemes & typologies relating to a supervised entity’s operations, products and services.
(c) Supervised entity’s risk assessment reports (including current national and sectoral risk assessment reports).
(d) Operating systems and applications for AML/CFT&P (if available).
(e) Customer due diligence procedures.
(f) Transaction monitoring and reporting procedures.
(g) Integrity rules/codes of conduct.
(h) Generally accepted compliance principles.
(i) Any other relevant subject designed for the prevention of financial crimes.
The Authority notes that some supervised entities may already have a compliance function; however, for purposes of complying with this Directive, the above form, responsibilities and roles should be clearly defined and documented.
7.6 ASSURANCE
A governing body of a supervised entity shall subject the compliance function to an internal audit, at a minimum, every two years, to assess the adequacy and effectiveness of the compliance management systems and controls as well as to determine its compliance levels. An external audit on the compliance function shall be conducted, at a minimum, once in three years for a more independent and in-depth review.
An audit should review the adequacy and effectiveness of a compliance function by assessing elements which include but are not limited to:
(a) Resources (human capital, control systems and processes including Information Technology controls).
(b) Independence of the compliance function, conflict of interest, and allocation of responsibilities and coordination.
(c) Internal policy framework including ML/TF/PF risk assessment methodologies and reports, AML/CFT&P policy, customer acceptance procedures, rules, etc.
(d) Adherence to the FI legislation, this Directive, internal policy framework, other legislation for financial crime control and relevant standards, and codes of conduct.
(e) Progress on implementation of remedial measures from previous reviews and inspections by the Authority and other supervisory authorities.
All audits shall be conducted by an independent person of strong moral standing with technical expertise in Financial Intelligence legislation, financial crimes risks, as well as conducting audits.[2] The audit should be conducted in an unbiased and independent manner, and the audit report shall reflect factual and truthful assessment of a supervised entity’s compliance level with the FI Act and effectiveness of controls against commission of financial crimes. Identified adverse (i.e. non-compliance) findings should be accompanied by recommendations in the report. The governing body together with management shall be responsible for development of an action plan and implementation of corrective actions as recommended by the audit report.
7.7 ADDITIONAL REQUIREMENTS FOR DESIGNATION OF AN AMLCO
Sub-section 14(1) of the FI Act requires that a supervised entity designate an AMLCO at management level who will oversee implementation of internal programmes and procedures, including maintenance of records and reporting of suspicious transactions, and ensure that the compliance officer always has timely access to customer identification data, transaction records and other relevant information. While Sub-section 14(2) provides criteria for the designation, this Directive builds on them to make additional requirements.
An AMLCO position should meet the following conditions[3].
(a) be a senior management position [a controller].
(b) have sufficient powers, direct reporting line to and demonstrable support from the governing body and chief executive officer or equivalent.
(c) have high level independence with appropriate management of conflict of interest.
[2] An entity should have in place due diligence procedures that define appropriate levels of independence, integrity as well as necessary qualifications and skills for persons to carry out an AML/CFT audit.
[3] These conditions shall be established and documented.
Furthermore, the proposed person for AMLCO shall:
(a) possess proven and thorough knowledge, skills, and experience necessary to take a compliance management role.
(b) possess a qualification or commit to attend a formal examined training by an accredited training provider on money laundering, terrorism and proliferation financing control and/or financial crime control within a prescribed time.
(c) be specifically assigned for day-to-day management of compliance function with the FI Act (and other laws) and not have any other responsibilities other than assurance functions i.e., internal audit/risk management.[4]
Designation of an AMLCO at management level pursuant to FI Act (s.14(1)) makes such a person a controller in line with Section 2(2) of the NBFIRA Act. Thus, in addition to the criteria above, an AMLCO is subject to and shall satisfy fit and proper assessment, as well as all other obligations under the NBFIRA Act and NBFIRA Fit and Proper Rules.
A supervised entity is required to subject a proposed AMLCO to screening to ensure that they are a fit and proper person in line with the FI Act, Fit & Proper Rules, and this Directive. Thereafter, they should submit relevant documentation of the proposed AMLCO(s) to the Authority for an independent assessment prior to assumption of the position.
A supervised entity shall notify the Authority of cessation of its AMLCO at least 10 working days prior to the cessation date. In exceptional circumstances, the notice may be made post cessation date. Cessation notice should provide detailed and relevant information including but not limited to full names of the outgoing AMLCO, cessation date, reasons for cessation, and any other matters that may be material to cessation.
8. DOCUMENT APPROVAL
This Directive was approved by the Acting Deputy Chief Executive Officer on October 28, 2024, and shall take effect on 1 December, 2024.
[4] This control shall be established and documented.