BANK OF THE REPUBLIC OF BURUNDI

CIRCULAR No. 01/AML-CFT/2026 RELATING TO THE IDENTIFICATION, IDENTITY VERIFICATION AND CUSTOMER DUE DILIGENCE BY ESTABLISHMENTS SUBJECT TO BANKING LAW, ISSUED PURSUANT TO REGULATION No. 02/2026 ON ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM

The Governor of the Bank of the Republic of Burundi,

Having regard to Law No. 1/34 of December 2, 2008, on the Statutes of the Bank of the Republic of Burundi;

Having regard to Law No. 1/17 of August 22, 2017, governing banking activities;

Having regard to Law No. 1/07 of May 11, 2018, on the National Payment System;

Having regard to Law No. 1/05 of February 27, 2019, governing the capital market of Burundi;

Having regard to Law No. 1/08 of March 27, 2025, amending Law No. 1/02 of February 4, 2008, on combating money laundering and the financing of terrorism;

Having regard to Regulation No. 02/2026 on combating money laundering and the financing of terrorism, issued in application of Law No. 1/08 of March 27, 2025, amending Law No. 1/02 of February 4, 2008, on combating money laundering and the financing of terrorism

Decrees:

CHAPTER I: GENERAL PROVISIONS

Article 1: Purpose

The purpose of this circular is to specify the procedures and identification elements for clients of establishments subject to banking law.

---

Article 2: Scope of Application

This circular applies to the following establishments subject to banking law:

1. credit institutions;
2. the National Post Office;
3. exchange bureaus;
4. payment institutions;
5. financing and/or guarantee funds;
6. microfinance institutions.

The provisions to be implemented by the entities referred to in the first paragraph above relate to all operations carried out under their responsibility. They also include, where applicable, those carried out by mandated third parties in the context of their operations.

CHAPTER II: CUSTOMER IDENTIFICATION AND VERIFICATION PROCEDURES

Article 3: Identification of Natural Persons

For natural person clients, the following documents and information are required:

1. Last name and first name;
2. Sex;
3. Place and date of birth (neighborhood/hill, zone, commune, province, country);
4. Passport photo;
5. TIN, if applicable;
6. Photocopy of identity card or passport;
7. Full residential address (street, neighborhood/hill, commune, province, country);
8. Nationality;
9. Marital status;
10. E-mail, if applicable;
11. Phone number, if applicable;
12. Profession;
13. Employer's name, phone number, and address, if applicable;
14. Monthly income;
15. Companies in which the client holds shares, their TIN, and the number of securities held.

In the case of a politically exposed person, obliged entities must, in addition to the above-mentioned documents:

16. Require authorization from the management of the obliged entity before establishing a business relationship with such a client;
17. Ensure enhanced and continuous monitoring of the business relationship.

Article 4: Identification of Legal Persons

For companies registered in Burundi, the following documents and information are required:

1. the certificate of registration in the commercial register;
2. the full address of the registered office (street, number, neighborhood/hill, commune, province, country);
3. the email address;
4. the phone number;
5. the constitutive act and the articles of association;
6. the board of directors' resolution regarding the opening of an account and its managers;
7. proof that the person representing the company has the mandate. This proof must be sought and retained;
8. proof of identity of the reference shareholder or qualified shareholders, and that of at least two directors and that of the General Manager and all authorized signatories;
9. the tax identification number (TIN);
10. the operating license issued by the competent authority (approval act, etc.);
11. companies in which the company holds shares (TIN and number of securities held);
12. the share capital;
13. the annual turnover.

For legal persons not registered in Burundi, the same documents certified by qualified persons such as notaries or chartered accountants in their country of registration must be produced.

Article 5: Identification of Clubs, Societies, and Charitable Organizations

In the case of opening accounts for clubs, societies, and charitable organizations, the obliged entity must ensure the legality of the organization's purpose by requesting a copy of its constitution.

The club, society, or charitable organization must be in possession of one or more of the following documents:

1. The trust deed (if applicable);
2. The certificate of registration;
3. The constitutive act of clubs, societies, and charitable associations;
4. The minutes of the last general meeting designating the representatives;
5. The logo;
6. The tax identification number (TIN);
7. The Permanent Residence Certificate for NGOs;
8. Any other document deemed relevant.

If the authorized signatories are not already known to the obliged entity, proof of identity in accordance with the requirements for individual clients must be presented.

Article 6: Identification of Occasional Clients

An occasional client is any person, often a tourist or someone passing through, who carries out a one-off operation with an obliged entity, consisting of one or more operations appearing to be linked to each other.

Enhanced attention and vigilance are required when:

1. transactions are carried out by an obliged entity for its occasional clients, such as electronic transfer requests;
2. funds are deposited into an existing account by persons whose names do not appear on the mandate of said account.

Proof of identity of the occasional client is required when the transaction involves large sums of money or is unusual.

Article 7: Identification of Safe Deposit Box Renters

Enhanced attention and vigilance are required in the case of safe deposit box rental.

When this facility is made available to non-account holders, the identification procedures set out in this circular must be followed.

Article 8: Identification of Correspondent Banks

A credit institution must gather sufficient information on its correspondent bank to fully understand the nature of its activities.

Factors to be considered include:

1. information on the bank's management contact;
2. main business activities;
3. location of the correspondent;
4. the correspondent's efforts in preventing and detecting money laundering and the financing of terrorism;
5. purpose of the account;
6. identity of third-party entities that will use the correspondent banking services;
7. the status of anti-money laundering and terrorist financing regulations, as well as the status of banking supervision in the correspondent's country;
8. Any other element deemed relevant by the obliged entity.

Burundian credit institutions verify the same elements when opening accounts in a foreign bank.

Article 9: Identification of Mandated Third Parties

A mandated third party is any natural or legal person mandated by an obliged entity to carry out activities for which this institution is approved or authorized under the conditions and procedures set by the legal and regulatory provisions governing its activities.

The obliged entity identifies its natural or legal person client acting as a mandated third party under the conditions provided for in this circular. It requires the client to provide a certified document justifying their capacity as the principal's representative and ensures that the business relationship or the contemplated transaction complies with the powers delegated to said representative.

Article 10: Identification of Beneficial Owners

The obliged entity identifies the beneficial owner(s) of its client's funds under the conditions provided for in this circular. It maintains an internal file detailing, in particular, the last names and first names, capital participation, voting rights, and control percentages of the identified beneficial owner(s) for each of its clients.

The obliged entity diligently verifies the accuracy of the list of beneficial owners.

Article 11: Identity Verification

The obliged entity verifies, where applicable using official documents, the identity of their natural or legal person clients, their occasional clients, their mandated third parties, their beneficial owners, their correspondent banks, and their safe deposit box renters in accordance with the requirements of this circular.

Article 12: Classification of Money Laundering and Terrorist Financing (ML/TF) Risks by Obliged Entities

The obliged entity implements customer due diligence measures based on a risk-based approach. It classifies the risks to which it is exposed in each of its business relationships by analyzing, in particular, the risk factors presented in Annex 1.

The obliged entity determines the extent of due diligence measures to be implemented for each business relationship based on the risk profile established in application of the preceding paragraph.

The obliged entity must be able to justify to the Central Bank that the classifications adopted are appropriate and consistent with its understanding of ML/TF risk.

Risk classification is documented, monitored, and updated, as needed, to ensure its long-term relevance.

Article 13: Weighting of Risk Factors

When weighting risk factors within the framework of the classification mentioned in the preceding article, the obliged entity ensures that the weightings:

1. are not excessively influenced by a single factor;
2. are not influenced by economic or profit considerations;
3. do not create a situation where it is impossible to classify a business relationship or transaction as high risk.

Article 14: Simplified Due Diligence Measures

In application of Article 12 of this circular, the obliged entity may apply the simplified due diligence measures specified in Annex 2, when the risk of the business relationship is classified as low.

Without prejudice to the obliged entity's obligation to analyze the risk, the following elements may be considered an indication of a low level of ML/TF risk:

1. the client is a regulated financial institution;
2. internal operation between accounts domiciled in the books of the same institution.

Article 15: Enhanced Due Diligence Measures

The obliged entity applies enhanced due diligence measures to clients, as specified in Annex 2, when it identifies, in particular, one of the following elements:

1. the risk of the business relationship is classified as high;
2. a transaction of significant or unusual value;
3. a significant change in the client's profile or account management;
4. insufficient information held on the client, particularly in terms of consistency or completeness.

Article 16: Updating of Information Obtained in the Context of Customer Due Diligence

Throughout the duration of the business relationship, the obliged entity updates, periodically and as often as necessary, the information obtained in the context of implementing its customer due diligence obligations.

The obliged entity systematically updates information related to the business relationship in the event of a significant event such as:

1. change of beneficial owner;
2. subscription to a new product or service;
3. knowledge of new elements likely to change the client's risk profile.

Article 17: Entry into Force

This Circular enters into force on the day of its publication on the website of the Bank of the Republic of Burundi and in the Official Gazette of Burundi.

Done in Bujumbura, on 30 / 4 /2026

Edouard Normand BIGENDAKO Governor

---

ANNEX 1: MAIN RISK FACTORS

1. Product risk: risks related to the types of services, products, or transactions concerned, particularly in terms of (i) transparency or opacity, (ii) complexity, (iii) value, size, or amount of the transaction, as well as (iv) marketing channels including technologies or intermediaries that the obliged entity might use.

2. Country risk: risks related to territories:

i. in which the obliged entity and/or its clients and/or beneficial owners have their registered office and/or carry out activities;

ii. with which the obliged entity and/or its clients have business relationships;

iii. where the funds used for the operation were generated or transited;

iv. identified as the final destination of the funds used for the operation.

In assessing country risk, obliged entities also take into account:

v. FATF grey or black lists; i. the list of countries, organizations, and persons subject to targeted financial sanctions published by the United Nations; ii. mutual evaluation reports and publications of the FATF and/or ESAAMLG. iii. IMF assessments and Financial Sector Assessment Program reports; iv. information disseminated by competent authorities; v. any other relevant information.

3. Client risk: risks related to client characteristics and the business relationship. Elements to consider include:

i. the nature of clients (natural person, legal person, or legal arrangement presenting itself as a more or less complex structure favoring or not anonymity, person acting on their own behalf or on behalf of a third party, politically exposed person, natural person not physically present, occasional or permanent client, etc.);

ii. the client's professional or economic activities;

iii. the client's financial and asset situation;

iv. the origin of the client's assets;

v. the amount, nature, and volume of contemplated or executed operations;

vi. the source and destination of funds;

vii. the client's financial history;

viii. the client's financial transaction history;

ix. the economic justification for the contemplated business relationship;

x. the duration of the ongoing business relationship;

xi. the involvement of intermediaries between the client and the financial institution;

xii. client behavior (refusal to provide information);

xiii. the client's presence on a sanctions list for terrorist financing or the proliferation of weapons of mass destruction.

---

ANNEX 2: SIMPLIFIED AND ENHANCED DUE DILIGENCE MEASURES

I. Measures that can be taken for simplification

The simplification of customer due diligence measures may relate, in particular, to one or more of the following elements:

1. verification of the identity of the client and the beneficial owner;
2. the requirement for translation of official client documents by a professional authorized for this purpose;
3. the timing of the verification of the identity of the client and the beneficial owner;
4. the frequency of controls carried out during the business relationship;
5. the quantity of information collected on the client and the beneficial owner, the business relationship, or the operation concerned;
6. the quality of information sources used for the identification of the client and the beneficial owner, knowledge of the business relationship, or the operation concerned;
7. the collection of elements of knowledge of the business relationship;
8. the frequency of updating collected information;
9. the extent of means implemented within the framework of AML/CFT;
10. the intensity of transaction monitoring.

II. Measures that can be taken for enhancement

The enhancement of customer due diligence measures includes, in particular, one or more of the following actions:

1. obtaining additional supporting documents, including originals of certain documents;
2. verification of the authenticity of submitted documents by any reasonable means;
3. in-depth analysis of the operation concerned, including its motivations, the origin, and the final destination of the funds;
4. submission of the issue to the executive body for decision;
5. searching for other sources of information on the client (media, Internet searches, etc.);
6. analysis of the capital structure and shareholding of the legal person client;
7. refusal to execute the operation;
8. complete termination of the business relationship.