2023-06-06 | No. E/35/2023

The Capital Market Authority of Oman has issued binding instructions mandating all virtual asset service providers to register with the regulator and comply with established anti-money laundering and counter-terrorist financing requirements. Existing providers must align their operations within three months, while new applicants face a thirty-day approval window and must submit comprehensive documentation covering beneficial ownership, risk assessments, and compliance policies. The framework establishes detailed customer due diligence standards, risk-based enhanced or simplified measures, and clear grounds for registration cancellation to ensure ongoing regulatory oversight.

Decision No. E/35/2023
Instructions on Registration of Virtual Asset Services Providers and Implementation of the Requirements for Combating Money Laundering and Terrorism Financing

Based on the Securities Law enacted by Oman Sultani Decree No. 46/2022
The Law on Combating Money Laundering and Terrorism Financing enacted by Oman Sultani Decree No. 30/2016; and
In the interest of the public

It has been decided

Article 1
The attached instructions on Registration of Virtual Asset Services Providers and Implementation of the Requirements for Combating Money Laundering and Terrorism Financing shall have effect.

Article 2
Existing virtual assets services providers on the date of effect of these instructions shall adjust their situation within three (3) months from the effective date of these instructions.

Article 3
All concerned entities shall enforce this decision as from the date of issuance.

Issued on: June 6, 2023
Corresponding to: Dhul Qaida 17, 1444 H

Abdullah Salim Abdullah Al Salmi
Executive President

Instructions on Registration of Virtual Asset Services Providers and Implementation of the Requirements for Combating Money Laundering and Terrorism

Chapter 1
Definitions and General Provisions

Article 1
In the application of these Instructions, words and expressions shall have the same meaning as those contained in the Law on Combating Money Laundering and Terrorism Financing, and the following words and expressions shall have the meaning respectively ascribed to them unless the context otherwise requires.

Law: the Law on Combating Money Laundering and Terrorism Financing.
CMA: the Capital Market Authority.

Virtual Asset Service Provider or “VASP”: Financial or designated non-financial business or professional entity carrying out the activities of virtual assets provided for in Article (2) of these instructions.

Registered entity: A Virtual Asset Service Provider registered with the CMA.

Third party: a financial institution or designated non-financial business or profession carrying out the task of identification of a customer and beneficial owner, their verification and taking the required measures to obtain information on the nature and purpose of the business relationship on behalf of the registered entity in the Sultanate of Oman or foreign country that is subject to AML/CFT requirements equivalent to those established in the Sultanate of Oman.

Suspected or unusual transactions: Transactions suspected of being related to the offences stipulated in the Law.

Virtual Asset: a digital representation of value that can be digitally traded or transferred, and can be used for payment or investment purposes.
Virtual assets do not include digital representations of fiat currencies, securities, or other assets which are already regulated and subject to AML/CFT requirements in the Sultanate of Oman.

Registry: the publicly accessible register of virtual assets services providers prepared and maintained by the CMA.

Article 2
The activities of VASPs shall be restricted to the following:
i) Exchange between Virtual Assets and fiat currencies;
ii) Exchange between one or more forms of Virtual Assets;
iii) Transferring Virtual Asset from one Virtual Asset account to another.
iv) Safekeeping and/or administration of Virtual Assets.
v) Participation in and provision of financial services related to an issue or offer of a Virtual Asset.

Article 3
Registered entity shall not deal in Virtual Assets for the purpose of payment including the stored value facilities before obtaining the approval of the Central Bank of Oman (CBO).

Article 4
A person shall not carry out the activity of virtual assets services providers in the Sultanate of Oman except after registration with the CMA.
Virtual assets services provider registered with the CMA shall not deal in virtual assets that disguise or conceal the identity of the originator or beneficial owner or value or nature of the transaction.

Chapter 2
Registration of VASPs

Article 5
The following entities shall be obliged to register with the CMA.
1. VASPs that are a legal person incorporated in the Sultanate of Oman;
2. VASPs that are a natural person with a place of business in the Sultanate of Oman;
3. VASPs, whether a legal or natural person, that offer or conduct VASP services in the Sultanate of Oman;

Article 6
Entities desirous of registration shall submit an application to the CMA together with the following information and/or documents:
i) The name, address and place of business of the applicant;
ii) The name, address, date and place of birth and verifying documentation of any beneficial ownerships of the applicant;
iii) The name, address, date and place of birth and verifying documentation of any shareholders with more than 10% interest in the applicant;
iv) The name, address, date and place of birth and verifying documentation of any person holding a management function in the applicant;
v) Certificate of no criminal conviction for the founders, directors or members of the board of partners;
vi) Information about the VASP services the applicant intends to provide;
vii) Information about the systems the applicant will use to carry out VASP Services;
viii) Copy of the commercial register of the applicant, in the event that the applicant is a legal person;
ix) The applicant’s enterprise risk assessment and policies and procedures for compliance with the Law and these Instructions;
x) Information on the bank the VASP will deal with provided the bank is a local bank licensed in the Sultanate of Oman; and
xi) Any other information or documents requested by the CMA. CMA may request the original of any of the above stated documents.

Article 7
Applicant shall inform the CMA immediately of any change in the information or documents provided with the application.

Article 8
CMA must consider the application and issue its decision approving registration within thirty (30) days from the date of completing the required information. Such term lapsing without issuing the approval shall be deemed rejection.

Article 9
The registered entity shall be entered in the register and granted an approved certificate establishing entry in the register.

Chapter 3
Expiration and removal of VASPs from the VASP Registry

Article 10
The CMA may cancel or deregister the registered entity where:
i) VASP Services are not commenced within three (3) months of date of registration;
ii) VASP Services have not been carried out for more than one year;
iii) The registration is withdrawn by the VASP;
iv) The VASP becomes bankrupt or liquidation proceedings are commenced or it loses any of the terms and conditions of registration.
v) Where the CMA was not made aware of any material circumstances before the VASP was entered into the VASP Registry;
vi) Registered entity fails to comply with CMA’s requirements under these instructions.

Article 11
A decision by the CMA to revoke an entry in the VASP Registry must be communicated by the CMA to the relevant VASP and the VASP must cease providing the virtual assets service.

Article 12
Registered entity must inform the CMA of change in its ownership or structuring or executive management or any change that may affect its business.

Chapter 4
Risk Assessment

Article 13
1. Registered entities must identify, assess and understand the money laundering and terrorism financing risks inherent to their business (the “Risk Assessment”). The Risk Assessment, and any underlying information must be documented in writing, be kept up-to-date and be readily available for the CMA or any other competent authority for review, on request.
In assessing their risk, registered entities must at a minimum give consideration to the following factors:
a) Risk related to customers;
b) Risks related to countries or geographic area in which the customer is domiciled, in which the customer operates and/or the place of origination or destination of a transaction;
c) Risk related to countries or geographic areas in which the registered entity maintains operations and/or conducts business (target markets);
d) Risk related to the nature, diversity and complexity of the registered entity’s products, services and transactions offered; and
e) Delivery channel risks for products and services, in particular the extent to which the registered entity deals directly with the customer and the extent to which it relies on third parties to conduct customer due diligence or other obligations, the complexity of the transaction chain (including layers of distribution and sub-distribution, type of distributors), and the settlement system used between operators in the payment chain and the extent to which intermediation networks are used.

2. Registered entities must take into account in their Risk Assessment any variables or combination of variables, which may increase or decrease the money laundering or terrorism financing risk in a specific situation. Such variables include:
a) The purpose of an account, transaction or business relationship;
b) The types and size of transactions;
c) The frequency of transactions or duration of the business relationship.

3. The Risk Assessment must take into account the prevailing risks identified through the risk assessment at the national level. Registered entities must examine the factors and variables to determine what the level of overall risk is and take effective actions to mitigate the identified risks. For a higher level of risk enhanced due diligence or risk mitigation measures must be applied, and for a lower level of risk registered entities may apply simplified customer due diligence, provided there is no suspicion of money laundering or terrorism financing or other specific high-risk scenario.

4. Registered entities must identify and assess the money laundering and terrorism financing risks that may arise from the development of a new product, business practice or delivery mechanism, and from the use of a new or developing technology for new or pre-existing products. Such a risk assessment must be carried out prior to the launch of the new product, business practice or prior to the use of the new or developing technology. Registered entities must take appropriate measures to manage and mitigate identified risks.

5. Registered entities may differentiate in the extent and depth of application of customer due diligence measures according to the types and levels of risk for the various risk factors. To this end, registered entities must assign a risk classification to each customer or group of customers.
Registered entities must be able to demonstrate to the CMA that the customer due diligence measures applied are commensurate to the level of risk identified.

Article 14
Apart from the instances defined in Article 36 (c) and (d), Article 41 (b) and (d) of the Law, registered entities must apply enhanced due diligence measures where they otherwise consider, based on a risk assessment or any other information available, that the risk of money laundering or terrorism financing is higher. Possible indicators for situations of higher risk include but are not limited to the following:

1- Customer risk factors:
a) The business relationship is conducted in unusual circumstances;
b) Non-resident customers;
c) The use of front persons or entities (e.g., corporations, trusts);
d) Legal persons or arrangements that are personal asset management vehicles;
e) Companies that have nominee shareholders or shares in bearer form;
f) Businesses or activities that are cash intensive;
g) The ownership structure of the company appears unusual or excessively complex given the nature of the company’s business;
h) Dealings with financial institutions and intermediaries or customers or beneficiaries operating in jurisdictions with ineffective systems for combating money laundering or financing of terrorism, as identified in Clause (2) of this Article;
i) Politically exposed persons (PEP), which includes any natural person, whether as customer or beneficial owner, including but not limited to:
(i) Who is or was entrusted with a prominent public function in the Sultanate of Oman or in a foreign country, such as Heads of State or of governments;
(ii) Senior politicians;
(iii) Senior government employees;
(iv) Senior judicial or military officials;
(v) Senior executives of state owned corporations;
(vi) Important political party officials; or
(vii) Anyone exercising a prominent function with an international organisation, such as directors, deputy directors and members of the board.
The term also includes close associates and family members up to second degree of a politically exposed person, and widely and publicly known close business colleagues or personal advisors, or any persons who are in a position to benefit significantly from close business associations with the politically exposed person.
j) High net worth customers whose source of income is unclear;
k) Customers with criminal, civil or regulatory proceedings against them for crime, corruption, or misuse of public funds, or customers associated with such persons;
l) The customer is sanctioned by a relevant competent authority for non-compliance with the applicable AML/CFT regime and is not engaging in remediation to improve its compliance;
m) The customer resides in or whose primary source of income originates from a high-risk jurisdiction.

2- Country or geographic risk factors:
a) Countries classified by credible sources, such as mutual evaluation reports or published follow-up reports, as not having adequate AML/CFT systems;
b) Countries identified by the Committee as high risk;
c) Countries subject to sanctions, embargos or similar measures issued by the United Nations;
d) Countries classified by credible sources as having significant levels of corruption or other criminal activity; or
e) Countries classified by credible sources as providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country.

3- Product, service, transaction or delivery channel risk factors:
a) Activity involving pseudonyms;
b) Products are distributed via other party distributors or sub-distributors in multiple jurisdictions;
c) Business is introduced from one intermediary to another without adequate customer due diligence/know your customer (CDD/KYC) investigations or from high risk jurisdictions;
d) Unregistered or unregulated investment vehicles are used or involved;
e) There are cross-border trust and correspondent accounts;
f) The existence of unusually complex trading schemes or trading schemes with no apparent economic purpose;
g) Transactions are structured with low level of regard for profits made;
h) Non-face-to-face business relationships initiated without sufficient safeguards, such as certified electronic identification schemes;
i) Anonymous transactions;
j) Accounts opened, business relationships or transactions conducted with customers that are not physically present for identification;
k) Payments are or have been received from or channelled to unknown or unassociated parties;
l) Payments for bills of exchange made by way of other party cheques are payable to or endorsed in favour of the customer.

Article 15
Enhanced customer due diligence measures may include but are not limited to the following:
a) Corroborating the identity information received from the customer with information in third-party databases or other reliable sources;
b) Tracing the customer’s IP address;
c) Using analytical products such as blockchain analytics; and
d) Searching the internet for corroborating activity information consistent with the customer’s transaction profile.
e) Obtaining additional information on the customer and the beneficial owner(s);
f) More frequently updating information on the customer and beneficial owner;
g) Obtaining information on the reasons for the intended or performed transactions or the source of funds or source of wealth of the customer or where necessary the beneficial owner(s);
h) Obtaining senior management approval to commence or continue the business relationship;
i) Conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions requiring further examination; or
j) Adopting any other measures as may be prescribed by the Committee.
Registered entities must apply enhanced customer due diligence measures to higher risk customers at each stage of the customer due diligence process and on an ongoing basis.

Article 16
Registered entities may apply simplified customer due diligence measures in situations where a lower risk has been identified in the businesses risk assessment conducted on the national level. The simplified measures taken must be such that they enable the registered entities’ business to properly manage and mitigate the prevailing risks. Lower risk situations may include but are not limited to the following:

1- Customer risk factors:
a) Financial institutions or non-financial businesses and professions that are effectively supervised or monitored to ensure compliance with the requirements of the law;
b) Companies listed on stock exchanges with disclosure requirements consistent with international standards which ensure adequate transparency of their subsidiaries or the subsidiaries of the beneficial owner(s); or
c) Public enterprises.

2- Country or geographical area risk factors:
a) Countries classified by credible sources as having effective systems to combat money laundering and financing of terrorism; or
b) Countries classified by credible sources as having a low level of corruption or other criminal activity.

3- Product, service, transaction or delivery channel risk factors:
a) Products or services where the risks of money laundering and terrorist financing are managed by other factors such as wallet or transaction limits.
b) Where cash withdrawals are not permitted.

In cases of a money laundering or terrorism financing suspicion or when specific higher risks scenarios apply, simplified customer due diligence measures must not be permitted.

Article 17
Simplified customer due diligence measures shall take into account the nature of the lower risk and be commensurate with the lower risk factors.
Simplified measures may include but are not limited to the following:
i) Obtaining the relevant identification data from a public register, the customer, or other reliable sources;
ii) Verifying the identity of the customer and beneficial owner(s) after establishing the business relationship;
iii) Reducing the frequency of customer identification updates;
iv) Reducing the degree of on-going monitoring and transaction scrutiny;
v) Inferring the purpose and nature of the business relationship from the type of transactions or business relationship established, where it can be accomplished without collecting specific information or carrying out specific measures to understand the purpose and intended nature of the business relationship.

Chapter 5
Due Diligence Measures

Article 18
Registered entities must refrain from opening or maintaining anonymous accounts or accounts under fictitious names, numbers or secret codes, or providing any services for such accounts.

Article 19
1. Registered entities must undertake customer due diligence in the following circumstances:
a) Before establishing a business relationship;
b) Before carrying out a transaction for a customer with whom it does not have an established business relationship, where the value of the transaction is equal to or greater than OMR 300, whether the transaction is carried out in a single operation or in several operations that appear to be linked.
c) Whenever there is a suspicion of money laundering or terrorism financing, regardless of any thresholds; and
d) Whenever doubts exist about the veracity or adequacy of previously obtained customer identification data or documents.

2. Registered entities must identify and verify the identity of the customer based on documents, data or information issued by official authorities.

3. Registered entities must identify and verify the identity of any person purporting to act on behalf of the customer and verify that the person is authorized to act on behalf of the customer.

4. For purposes of fulfilling their obligations under subsections (2) and (3) of this Article, registered entities must obtain the following unexpired and official documents to satisfy the identification requirements as per this Article:
a) Civil card for Omani nationals and non-Omani residents;
b) Passport or travel document for persons not residing in the Sultanate of Oman;
c) Commercial license and registration certificates issued by the Ministry of Commerce, Industry and Investment Promotion for resident companies and establishments.
In the case of branches of non-resident companies and establishments or who provided services in the Sultanate of Oman without having branches, official documents issued by competent authorities in their jurisdiction of incorporation or establishment;
d) Registered entities must obtain official identification documents for any customers not falling into the categories mentioned above.

5. Registered entities must apply any additional or specific identification and verification requirements if prescribed by the CMA, including for state bodies, agencies and public corporations, non-profit or non-governmental organizations, and any other organizations or associations. Registered entities shall take the required measures to understand and, as appropriate, obtain information on the purpose and intended nature of the business relationship.

Article 20
The measures must include obtaining a signed affidavit (and any other documents or additional reliable sources of information deemed necessary) from the customer at the time of opening the account or establishing the business relationship, or whenever customer due diligence is carried out.
If a registered entity determines that the customer is acting on behalf of one or more beneficial owners, it must identify and take reasonable measures to verify the identity of the beneficial owner(s) using relevant information or data obtained from a reliable source such that the licensed entity is satisfied that it knows who the beneficial owner(s) is/are.
A registered entity is not required to identify and verify the identity of any shareholder or beneficial owner of a customer that is a company listed on a stock exchange subject to disclosure requirements consistent with international standards and which ensure adequate transparency of beneficial ownership, or a majority-owned subsidiary of such a company. In this case, registered entities shall only obtain customer identification documents on the company itself.

Article 21
1. For customers that are natural persons, registered entities must obtain the following information as part of the identification and due diligence measures:
a) Legal name;
b) Permanent address;
c) Telephone number, fax number and email address;
d) Date and place of birth;
e) Nationality;
f) Occupation, position held and name of employer;
g) The civil number as it appears from the Civil card referred to at Clause (4) of Article 19 of these instructions;
h) The beneficial owner’s name in case the customer is acting as nominee of another party;
i) The customer’s signature;
j) The type of account, product, or service sought by the customer; and
k) Official personal identification number or other unique identifier contained in a document that bears a photograph of the customer.

2. Registered entities must verify the information by one or more of the following methods:
a) Confirming the name and date of birth using the official document provided under Clause (4) of Article 19 of these instructions;
b) Confirming the permanent address through utility bills, tax assessments, bank statements, or a letter from an official authority;
c) Contacting the customer by landline telephone, letter, or email to confirm the information supplied;
d) Confirming the validity of the official documents provided under Article 19 of these instructions.

Article 22
1. For customers that are legal persons, a registered entity must obtain the following information as part of the identification and due diligence measures:
a) The customer’s name, legal form;
b) The customer’s date and place of incorporation;
c) The customer’s place of management/operations;
d) Regulatory and/or supervisory bodies which regulate or supervise that customer;
e) The names of any natural person(s) who directly or indirectly own(s) a controlling ownership interest in the customer as well as the names of all persons having senior management positions in the legal person;
f) The customer’s registered office address and, if different, a principal place of business;
g) The customer’s official contact information; and
h) Type of account, product or service being sought by the customer.
i) Any other information relevant to the purpose and nature of the business relationship.

2. A registered entity must verify the information through one or more of the following methods:
a) Using reliable documents issued by official authorities;
b) A memorandum or articles of association of the legal entity;
c) Where the customer is an established legal person, by reviewing a copy of the latest financial reports and accounts;
d) Conducting an enquiry by a business information service, or an undertaking from a reputable and known firm of lawyers or accountants confirming the accuracy of the submitted documents;
e) Conducting a company search to check if the legal entity has not been or is not in the process of being dissolved, struck off, wound up, or terminated;
f) Utilizing an independent information verification process, such as by accessing public and private databases;
g) Obtaining bank references from domestic banks or a bank in a country classified by credible sources as having effective systems to combat money laundering and financing of terrorism;
h) Conducting investigation by any method the registered entity deems appropriate and reliable.

Article 23
For customers that are a legal person, a registered entity must understand the nature of the customer’s business and its ownership and control structure.
A registered entity must also identify and take reasonable measures to verify the identity of:
Any natural person who ultimately has a controlling ownership interest in a legal person of 25% or more, including any natural person that exercises such control or ownership through a chain of ownership, or by means of control other than direct control;
If the controlling person are indeed the beneficial owners The natural person or persons exercising control of the legal person through other means; or
In the absence of any natural persons who have a controlling ownership, the natural person(s) who hold the position of senior managing office

Article 24
1. When opening an account for or providing services to a trust or other legal arrangement, a registered entity must obtain the following information as part of the identification and due diligence measures:
a) Name, legal form, and proof of existence of the trust or other legal arrangement;
b) Powers that regulate and bind the trust or other legal arrangement;
c) Names of all trustees or persons with equivalent positions;
d) Mailing address;
e) Contact telephone number;
f) Official identification number, if available (e.g., tax identification number);
g) Description of the purpose/activities of the trust or other legal arrangement; and
h) Other relevant information to understand the intended purpose and nature of the business relationship.

2. A registered entity must take reasonable measures to verify the information through one or more of the following methods:
a) Obtaining an independent undertaking from a reputable and known firm of lawyers or accountants confirming the accuracy of the submitted documents;
b) Obtaining bank references from a domestic bank or a bank in a country classified by credible sources as having effective systems to combat money laundering and financing of terrorism; or
c) Accessing public and private databases or official sources.

Article 25
When opening an account for a trust or legal arrangement, in addition to carrying out customer due diligence on the trust or legal arrangement, a registered entity must identify and take reasonable measures to verify the identity of:
1. Trustees, managers, board of directors, or persons in equivalent positions;
2. Settlors, founders, or persons in equivalent positions;
3. The trust or other legal arrangement, including any persons settling assets into the trust or other legal arrangement, including through a chain of control or ownership;
4. The individual exercising ultimate effective control over the trust or other legal arrangement;
5. Beneficiaries of the trust or other legal arrangement. Registered entities must obtain sufficient information in relation to beneficiaries who have not yet been defined at the time of the establishment of the business relationship to satisfy themselves that they will be able to establish the identity of the beneficiaries at the time of exit or when the beneficiary intends to exercise vested rights; and
6. Authorized signatories.

Article 26
A registered entity must ensure that documents, data or information collected in accordance with this Chapter are kept up-to-date and relevant by undertaking reviews of existing records, particularly of higher risk categories of customers, products or transactions. The frequency and scope of the reviews should be determined on the basis of the risks posed.

Chapter 6
Ongoing Preventive Measures

Article 27
A registered entity must conduct due diligence on business relationships and review existing records on an ongoing basis to ensure that documents, data, or information collected under the due diligence process are kept both up-to-date and relevant, particularly for higher risk customers. A registered entity shall furthermore adopt automated systems to monitor and scrutinize customer transactions throughout the course of the business relationship to ensure that they are consistent with the registered entity’s knowledge of the customer and the customer risk profile and the source of the customer’s income if necessary.

Article 28
A registered entity must apply customer due diligence measures to customers and beneficial owners with which they have a business relationship at the time of the coming into force of these Instructions. The measures must be applied at appropriate times and based on materiality and risk, and taking into account whether and when customer due diligence measures have previously been undertaken and the adequacy of the data obtained.

Article 29
A registered entity must apply enhanced customer due diligence measures for business relationships, occasional transactions, or transactions with a person who is not physically present for the purpose of identification. Such measures may include applying additional verification measures and where appropriate, requesting additional or certified documents or applying other safeguards, such as certified remote electronic identification schemes.

Article 30
Where a registered entity is unable to comply with the required customer due diligence measures, it must not open the account, commence the business relationship, or carry out the transaction. Where there is an established business relationship, and the registered entity is unable to comply with the required customer due diligence measures, the registered entity must immediately file a report with the Centre.
A registered entity may delay the verification of the customer or beneficial owner(s) identity until after the establishment of the business relationship or transaction(s) for an established customer is/are carried out, provided all conditions referred to in Article 37 of the Law are met. For such situations, a registered entity must in their risk management policies include procedures to mitigate the risks, for example by limiting the number, types and/or amount of transactions that can be performed, and through close monitoring of large or complex transactions that are being carried out outside the expected norms of that relationship. Verification must be carried out as soon as possible after the establishment of the business relationship. An occasional transaction may in all cases not be conducted prior to completion of all identification and verification measures.

Article 31
The measures and procedures applied to registered entities that seek to establish a correspondent relationship with another VASP or a financial institution pursuant to Article 38 of the Law must be documented in writing and registered entities must ensure that they clearly understand the respective AML/CFT responsibilities of each institution. The requirements set out in Article 38 of the Law shall apply also to cross border correspondent relationships established by registered entities prior to the enactment of the Law and issuance of these Instructions. With respect to accounts or custodial wallets able to be used directly by customers of the respondent VASP or financial institutions to transact business on the customer’s own behalf, a registered entity must be satisfied that the respondent VASP or FI has conducted CDD on such customers and is able to provide relevant CDD information on request.
A registered entity shall not enter into or continue correspondent relationships with shell banks; and shall satisfy themselves that respondent institutions do not permit their accounts to be used by shell banks. Confidentiality
requirements shall not preclude the registered entity from providing the information or documents required by the financial institution when establishing correspondent relationship to ensure they satisfy terms and conditions equal to those provided for in Article (38) of the Law.

Article 32
A registered entity must examine, as far as reasonably possible, the background and purpose of all complicated and unusual large transactions, and all unusual patterns of transactions which do not have an apparent economic or lawful purpose. Where the risk of money laundering or terrorism financing is higher, a registered entity must apply enhanced customer due diligence measures consistent with the risks identified. Such measures must include increasing the degree and nature of monitoring of the business relationship, and related transactions to determine whether those transactions or activities appear unusual or suspicious.

Article 33
In complying with the obligation in Article 36(d) of the Law, a registered entity shall apply the following additional measures:
a) Put in place risk management systems to determine whether a customer or beneficial owner is a PEP, or a family member or close associate of a PEP;
b) Obtain senior management approval before establishing or continuing an existing business relationship involving a customer or beneficial owner that is a PEP, or a family member or close associate of a PEP;
c) Take reasonable measures to determine the source of funds and wealth of the customer or beneficial owner identified as PEPs, or as a family member or close associate of a PEP; and
d) Conduct enhanced ongoing monitoring on the business relationship.
e) In relation to a domestic PEP or person who has been entrusted with a prominent function by an international organization, or their family members or close associates, a registered entity shall apply the additional measures mentioned in Article (15) of these Instructions only in cases where there is a higher risk
associated with the business relationship.

Article 34
Registered entities must examine all transactions and business relations with natural and legal persons or financial institutions from countries which have been identified by the Committee pursuant to Article 13 (k) of the Law, and if required, must apply risk based enhanced measures that are effective and proportionate to the risks involved or that were prescribed by the Committee. Registered entities must also apply the counter measures prescribed by the Committee in relation to higher risk countries. Registered entities shall regularly check the Committee’s updates to the lists of high risk countries and the required measures to be taken in relation to each country. Registered entities are prohibited from accepting cash transactions or carrying out cash transactions for their customers except through the banking system or electronic payment means licensed by the CBO.

Article 35
1. A registered entity must maintain records of the following information:
a) Copies of all records, documents, information, and data obtained through the customer due diligence process. This includes documents evidencing the identities of customers and beneficial owners, account files, and business correspondence for at least ten (10) years after the business relationship has ended or a transaction with a customer who does not have an established business relationship with the registered entity has been carried out.
b) All records of transactions, both domestic and international, attempted or executed for at least ten (10) years following the attempt or execution of the transaction. Such records must be sufficiently detailed to permit the reconstruction of each individual transaction so as to provide, if necessary, evidence for prosecution of criminal activity. These records must be kept in official records following a regular accounting system and include information relating to the public keys, IP addresses or accounts involved, and the nature, date and value of each transaction.
c) Copies of suspicious transaction reports sent to the Centre and related documents for at least ten (10) years after the date the report was made to the Centre.
d) Risk assessment reports and any underlying information for a period of five (5) years from the date the assessment was carried out or updated.
e) Reliance solely on blockchain or other type of distribution ledger is not sufficient to comply with the requirements under this Article.
2. A registered entity must keep the records, documents, information, and data referred to in this Article in a way which permits them to be made immediately available to the competent authority or the CMA.

Chapter 7
Internal Policies, Controls and Procedures

Article 36
A registered entity must develop and implement AML/CFT policies, controls, and procedures which ensure that they are complying with the provisions of the Law, these Instructions, and any other Instructions issued by the CMA. Such policies, controls, and procedures must be approved by the board of directors of the registered entity and must enable the registered entity to adequately manage and mitigate the risks identified on the national level or by the registered entity, and be reflective in terms of their scope and sophistication of the size and nature of the registered entity’s business.
A registered entity must monitor the implementation of those policies, controls and procedures and enhance them, if and as necessary. Such policies, controls, and procedures must address, at a minimum, the following:
a) Risk assessment procedures in line with Article 34 of the Law and Chapter 4 of these Instructions, including for new and existing customers and beneficial owners, as well as for transactions and the business as such;
b) Procedures to identify and verify the identity of and apply full customer due diligence to customers and beneficial owners in line with Chapter 5 of these Instructions;
c) Procedures to maintain records and information of customers, beneficial owners, business relationships, and transactions in line with Article 35 of these Instructions;
d) Procedures for identifying suspicious transactions/activities and for reporting such transactions/activities to the Centre pursuant to Article 47 of the Law;
e) An independent audit function to ensure that internal policies, procedures, systems, and controls are subject to independent testing and review;
f) Procedures for appointing a compliance officer at senior management level to ensure compliance by the registered entity with the provisions of the Law and these instructions;
g) Screening procedures to maintain high standards when recruiting employees;
h) On-going training programs for new and existing employees, directors, board members, and executive or supervisory management to keep them informed of all aspects of legal
requirements and new developments in relation to money laundering and terrorism financing techniques to help them detect transactions and activities which may be connected to money laundering, predicate offences or terrorism financing and familiarize them with the procedures to be followed in such cases;
i) Any other arrangements as prescribed by the CMA.

Article 37
1. AML/CFT policies, controls, and procedures should be applicable and appropriate to all branches and majority-owned subsidiaries of the registered entity. In addition to elements mentioned in Article 36 of these Instructions, the AML/CFT policies, controls, and procedures should contain:
a) Policies and procedures for sharing information for the purposes of CDD and ML/TF risk management;
b) In relation to group-level compliance, procedures for obtaining information from branches and subsidiaries in relation to relevant audit and AML/CFT functions, as well as customer, account, and transaction information. This should include information and analysis of transactions and activities that appear unusual, including suspicious activity and transaction reports, and underlying information;
c) Adequate safeguards on the confidentiality and use of information exchanged, including safeguards to prevent tipping-off.
2. In the case of their foreign operations, where the minimum requirements of the host country on anti-money laundering and combating the financing of terrorism are less strict, a registered entity must ensure that its branches and majority-owned subsidiaries in host countries implement the requirements stipulated by the Law and Instructions to the extent that host country laws permit.
If the host country does not permit the proper implementation of the measures above, the registered entity should apply appropriate additional measures and inform the CMA.

Article 38
As part of the procedures under Article 42 of the Law and Article 36 of these Instructions, a registered entity must appoint a compliance officer at the senior management level who is responsible for the registered entity’s compliance with and implementation of those obligations. The compliance officer and any other compliance staff must have timely access to customer identification data and other customer due diligence information, transaction records, and other relevant information. The compliance officer must have appropriate experience and qualifications in the field of anti-money laundering and combating the financing of terrorism and have the authority to act independently and to report to senior management. A registered entity must supply the CMA with details of the compliance officer, including name, qualifications, contact number, and email address. They must also promptly inform the CMA and the Centre of any compliance officer changes. This includes providing the CMA and the Centre with details of the deputy compliance officer in cases where the compliance officer is suspended for a specific period of time. The compliance officer must periodically report to the board of directors or partners meeting. The latter must review the registered entity’s compliance with the requirements of the Law and these Instructions. Written reports to the registered entity’s board of directors shall be submitted at least quarterly and must include a statement on all suspicious transactions detected and their handling, implications of those suspicious transactions, and measures taken by compliance staff to strengthen the businesses’ AML/CFT policies, procedures, systems, and controls. The particulars of the suspected person or any indication thereto shall not be mentioned in the reports.

Article 39
The responsibility officer is required to provide periodic reports to the Board of Directors or the Partners' Assembly. It is the responsibility of the board to review the company's compliance with legal requirements and these instructions. Reports must be submitted to the Board of Directors at least once every (3) three months and should include a statement on all suspicious transactions detected, how they were handled, and the consequences and measures taken by compliance officers to enhance the company's policies related to combating money laundering and terrorist financing, along with the procedures, systems, and controls associated with them. It should be noted that the reports filed should not disclose the identity of the suspected individual or any references to them.

Article 40
A registered entity must maintain an adequately resourced and independent audit function to ensure that the compliance officer and all staff are performing their duties in accordance with the registered entity’s internal policies, procedures, systems, and controls as well as in compliance with the requirements of the Law and these Instructions.

Article 41
A registered entity must define “fit and proper” requirements and a code of conduct for all of its employees, directors, board members, and executive or supervisory management. In addition, a registered entity must establish screening procedures to ensure appropriate standards when hiring employees, directors, board members, and executive or supervisory management.
Such screening procedures must ensure that:
i) Employees, directors, board members, and executive or supervisory management have the high level of competence necessary for performing their duties and have appropriate ability and integrity to conduct the business activities of the registered entity;
ii) Potential conflicts of interests are taken into account, including the financial background of the employees, directors, board members, and executive management; and
iii) Persons charged or convicted of offences involving fraud, dishonesty, or other similar offences are not employed or discharged of their duties.

Chapter 8
Reporting Obligations and Provision of Information

Article 42
A registered entity’s managers, members of the board of directors, owners, authorized representatives, employees, agents, partners or professional experts must promptly notify the compliance officer of any unusual or suspicious transaction. The compliance officer or any other person so authorized must promptly file a suspicious transaction report (“STR”) with the Centre if there is a suspicion, or there are reasonable grounds to suspect, that funds are the proceeds of crime, or are related to terrorism financing. Such report must be made as soon as possible but no later than 24 hours after forming a suspicion or having reasonable grounds to suspect that any transaction or attempted transaction (regardless of its value) involves proceeds of crime or funds related to terrorism financing. STRs must include all relevant information, documents and records relating to the transaction, customer or account involved, and comply with the procedures and requirements set out by the Centre.

Article 43
The compliance officer shall, without delay, consider whether a suspicion or reasonable grounds to suspect as referred to in Article (42) of these Instructions arise following the receipt of
information or notification from the registered entity’s managers, members of the board of directors, owners, authorized representatives, employees, agents, partners, or professionals appointed to perform any tasks on their behalf.

Article 44
The registered entity’s managers, members of the board of directors, owners, authorized representatives, employees, agents, partners, and/or professionals appointed to perform any tasks on their behalf shall not be liable for any criminal, civil, or administrative penalties for breach of any restrictions on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision if such disclosure was made in good faith to the Centre. This protection is available even if the individual(s) did not know precisely what the underlying criminal activity was, and regardless of whether illegal activity in fact occurred.

Article 45
The requirements contained in Articles 42, 43 and 45 are subject to the non-disclosure requirement under Article 49 of the Law, according to which the reporting person shall not reveal to the customer, beneficial owner, or any other party that they have issued or are about to issue a report to the Centre, or give any information or data in relation to such reports or alert them to any investigation in that regard.

Article 46
A registered entity must provide any relevant information or documents or files, however stored, regarding any requests received from the Centre, including requests related to a previously filed suspicious transaction report and other information the Centre deems necessary to perform its duties within the time frame prescribed by the Centre.

Article 47
In cases where a registered entity forms a suspicion of money laundering or terrorist financing, and it reasonably believes that performing the CDD process will tip-off the customer, it shall not pursue the CDD process, and instead should file a report to the Centre.

Chapter 9
Reliance on Third Parties
for Client Due Diligence Purposes

Article 48
1. A registered entity may rely on a third party to perform identification and verification of the customer and beneficial owner, or to take the required measures to understand and as appropriate obtain information on the purpose and intended nature of the business relationship.
2. Where a registered entity places such reliance on a third party, it must:
a) Immediately obtain all necessary information on the identity of the customer and/or beneficial owner and/or the purpose and intended nature of the business relationship as required under the Law and these Instructions;
b) Take steps to satisfy itself that copies of the identification data and other relevant documentation relating to customer due diligence requirements will be made available from the third party upon request and without delay;
c) Satisfy themselves that the third party is regulated and supervised, and has measures in place for compliance with customer due diligence and record keeping requirements in line with the obligations stipulated in the Law and these Instructions; and
d) The ultimate responsibility for all requirements stipulated herein remains with the registered entity relying on the third party.
3. When determining in which countries the relied upon third party may be based, a registered entity shall have regard to information available on the level of country risk and to the instructions issued by the Committee pursuant to Article 13 (k) of the Law.
4. A registered entity relying on a third party within the same financial group may consider that the third party relied upon meets the requirements under this Article, provided that, the group applies due diligence and record keeping requirements in line with the Law and these Instructions, the implementation of such requirements is supervised at the group level by a competent authority and any higher country risk is adequately mitigated by the group’s policies and controls.
5. This Article shall not apply to outsourcing services and agency relationships where, on the basis of a contract, the outsourcing service provider, intermediary or agent applies CDD measures on behalf of the registered entity, in accordance with its procedures, and is subject to the delegating registered entity’s control in relation to the effective implementation of the CDD requirements.

Chapter 10
Virtual Asset transfer provisions

Article 49
Subject to Article 46 of the Law, for the purposes of record keeping and due diligence obligations applicable to registered entities, all Virtual Asset Transfers are to be treated as a cross-border transaction. Registered entities who order a Virtual Asset Transfer shall obtain and hold verified originator and beneficiary information on such transfer and shall submit such information to the beneficiary institution immediately and securely and in all cases where a beneficiary institution exists. Post facto submission of the required information is not permitted.
Registered entities or other financial institutions shall not execute Virtual Asset Transfers that do not comply with the stipulated obligation.

Article 50
Registered entities who are the beneficiary institution of a virtual asset transfer shall obtain and hold required originator information and verify. Originator information must include:
a) The full name of the Originator;
b) The Originator wallet address, where such an account is used to process the Virtual Asset Transfer or a unique transaction reference which permits traceability of the transaction.
c) The Originator’s physical address, or national identification or customer identification number, or the date and place of birth.
Beneficiary information must include:
a) The name of the Beneficiary; and
b) The Beneficiary wallet address where such an account is used to process the transaction, an account number, or a unique transaction reference which permits traceability of the transaction.
Registered entities ordering or being the beneficiary of virtual asset transfers must keep records of transactions in line with Article 35 of these instructions and must make such information available to the CMA or competent authorities upon request.

Article 51
1. Registered entities shall ensure that the required information is transmitted along the chain of virtual asset transfers and that relevant records are being kept in accordance with Article 35 of these Instructions.
2. Registered entities shall have effective risk-based procedures that are consistent with straight through processing for:
a) Identifying Virtual Asset Transfers that lack required Originator and/or Beneficiary information;
b) Determining when to execute, reject, or suspend a Virtual Asset Transfer lacking required Originator or required Beneficiary information and considering reporting to the Centre; and
c) Taking appropriate follow-up action which may include restricting or terminating business relationships.

Article 52
Registered entities who are the beneficiary institution of a virtual asset transfer shall take reasonable measures to identify Virtual Asset Transfers which lack the required Originator and Beneficiary information. They shall also have effective procedures for determining when to reject a Virtual Asset Transfer lacking required Originator or required Beneficiary information and consider reporting to the Centre.

Article 53
Registered Entities shall have procedures in place to detect Virtual Asset Transfers with countries identified pursuant to Article 13(K) of the Law and to take appropriate action, as required by the Committee.

Article 54
Confidentiality requirements under the law do not apply where VASPs disclose information to comply with the obligations under this Chapter.

Chapter 11
Final Provisions

Article 55
All registered entities shall comply with the decisions of the National Committee for Combating Terrorism and the United Nations Security Council’s Resolutions Issued under Chapter VII of the United Nations Charter on the Prevention and Suppression of Terrorism and the Financing of Terrorism and prevention, suppression and disruption of proliferation of weapons of mass destruction and its financing.

Article 56
Registered entities must maintain a current list of their agents, which shall be held in a way that it is accessible by the CMA. Registered entities must ensure that their AML/CFT program applies equally to all agents, and must monitor their agents for compliance with their AML/CFT program and the provisions of these Instructions.

Article 57
Any person breaching these Instructions shall be punished by one or more of the measures and penalties stipulated in Article (52) of the Law.

Article 58
The CMA shall supervise compliance by registered entities with the provisions of the Law and these instructions.