Minimum Requirements for the Management of Money Laundering and Terrorist Financing Risk

Reserve Bank of Fiji Restricted Foreign Exchange Dealers and Money Changers Supervision Policy Statement No: 4 MINIMUM REQUIREMENTS FOR THE MANAGEMENT OF MONEY LAUNDERING AND TERRORIST FINANCING RISK NOTICE TO LICENSED RESTRICTED FOREIGN EXCHANGE DEALERS AND MONEY CHANGERS Reserve Bank of Fiji April 2025 (Revised)

2 PART I: PRELIMINARY 1.0 Introduction 1.1. This Policy is issued under section 36(b)1 of the Financial Transactions Reporting Act 2004 (“FTR Act 2004” or the “FTR Act”) and sections 35, 36 and 37 of the Financial Transactions Reporting Regulations 2007 (“FTR Regulations”) and is applicable to all restricted foreign exchange dealers (“RFEDs”) and money changers licensed by the Reserve Bank of Fiji (“RBF”). 1.2. The Policy issued in 2018 has been amended to incorporate the relevant provisions of the FTR Act 2004 and the FTR Regulations 2007, and is also issued in line with the Financial Action Task Force (“FATF”) 40 Recommendations and those recommendations which are relevant to Money or Value Transfer Services (“MVTS”)2 . 2.0 Objective of the Policy 2.1. The objective of this Policy is to ensure that licensed entities3 have in place a Money Laundering/Terrorist Financing (“ML/TF”) Risk Management Framework that is aligned to their strategy and business plans, and commensurate with the size, complexity and nature of their operations. 2.2. The Policy therefore sets out the minimum requirements for licensed entities in establishing a risk management framework comprising of systems, structures, processes and people within which a licensed entity identifies, assesses, mitigates and monitors ML/TF risk. 3.0 Background to Approach 3.1. Fiji’s location and level of accessibility, increases its susceptibility to money laundering and terrorism financing (ML/TF) risk. This has the potential to adversely affect the country’s reputation and investment climate, and may have economic and social consequences. The globalisation of financial services and advancements in technology has posed challenges to regulators and law enforcement agencies as criminals have become more sophisticated in laundering illicit funds and using financial service providers as conduits for ML/TF activities. 1 Section 36 (b) the relevant supervisory authority of a financial institution may examine and supervise the financial institution, and regulate and verify, through regular examinations, that a financial institution complies with the requirements of this Act. 2 Money or value transfer services (MVTS) as per definition of FATF refers to financial services that involve the acceptance of cash, cheques, other monetary instruments or other stores of value and the payment of a corresponding sum in cash or other form to a beneficiary by means of a communication, message, transfer, or through a clearing network to which the MVTS provider belongs. Transactions performed by such services can involve one or more intermediaries and a final payment to a third party, and may include any new payment methods. Sometimes these services have ties to particular geographic regions and are described using a variety of specific terms, including hawala, hundi, and fei-chen. 3 See Schedule Page 10

3 3.2. Further, the globalisation of financial markets and the development of information technology have made the movement of funds across borders easier and have thus further spurred the growth of money remitting business. 3.3. In drafting this policy, reference has been made to FATF guidance for Risk￾Based Approach for Money or Value Transfer Services and the relevant FATF recommendations. 4.0 Applicability to Foreign Branches, Subsidiaries, Intermediaries4 and Agents 4.1. Licensed entities are required to ensure that their agents or network of agents meet the requirements of this policy and the policy applies to the licensed entities’ agents as if the agent were the entity itself. 4.2. Licensed entities are required to closely monitor the foreign branches or their subsidiaries in other countries5 which may be operating in jurisdictions with inadequate anti-money laundering/combating the financing of terrorism (AML/CFT) laws. 4.3. Licensed entities are required to ensure that their foreign branches, subsidiaries and intermediaries apply AML/CFT measures in a manner that is consistent with the AML/CFT requirements in Fiji. Where the minimum AML/CFT requirements of the host or the home country are less stringent than those of Fiji, licensed entities must apply Fiji’s AML/CFT requirements, to the extent that host country laws and regulations permit. 4.4. If the host or home country does not permit the proper implementation of AML/CFT measures in a manner that is consistent with the AML/CFT requirements in Fiji, licensed entities are required to apply appropriate additional measures to manage the ML/TF risks, and adequately report to the RBF on the AML/CFT gaps and additional measures implemented to manage the ML/TF risks arising. PART II: MINIMUM REQUIREMENTS 5.0 Risk-Based Approach 5.1. While it is noted that licensed entities typically carry out occasional transactions and generally do not open or maintain accounts, a business relationship is sometimes formed to provide regular services. In this regard, licensed entities must have procedures, which are effectively implemented and used, to identify and verify, on a risk basis, the identity of a customer: a. when establishing business relations with that customer; b. when carrying out occasional transactions above the applicable designated threshold6 ; 4 Intermediary can include a branch or subsidiary of the parent entity of the licensed entity in Fiji or a third party engaged to carry out services for the licensed entity e.g. a money remitting payment system. 5 Opening a new subsidiary or a branch would require an upfront approval from the Reserve Bank of Fiji. 6 Above $5000 as per section 6 of FTR Regulations and FIU Advisory Guideline no 4 of 2007 on occasional customers. This will be applicable on “Purchase” transactions only, as the entity is to also comply with Exchange Control requirements whereby there is no threshold for “Sales” transactions, as such, CDD and verification is required for all sales transactions.

4 c. where they have suspicions of ML/TF risk regardless of any exemption or thresholds; and d. where they have doubts about the veracity or adequacy of previously obtained identification data. 5.2. In meeting their obligations under this Policy, licensed entities must undertake a risk-based approach. Licensed entities must identify, assess and understand the ML/TF risks which they are exposed to, and implement AML/CFT measures commensurate to their risk profile, based on their size and complexity of operations, in order to mitigate them effectively and efficiently. 5.3. Licensed entities must utilise the CDD and other guidelines, policy advisories issued by Financial Intelligence Unit in Fiji (“FIU”), from time to time (Refer to Advisory on Risk Based Approach7 and Identification and Verification of Occasional Customers8 as well as Enforceable Guideline on Higher Risk Countries9 and Politically Exposed Persons (PEPs)10). 5.4. At a minimum, each licensed entity before providing a product or service, must identify, assess and understand its ML/TF risk with regard to the following; a. customer types; b. the source of funds and source of wealth of customers; c. the business or occupation of customers; d. the types of products and services that it provides; e. the methods by which it delivers designated products and services; f. the intermediaries it has dealings with, and the effectiveness of their ML/TF risk controls; and g. the foreign jurisdictions it has dealings with, and the ML/TF risk controls of that country. 5.5. Licensed entities must document the measurement techniques that they apply, the reasons for the use of this measurement technique and the associated procedures that will enable the assessment and quantification of ML/TF risk, and its impact on their operations. 6.0 Money Laundering/Terrorist Financing Risk Management Framework 6.1. Licensed entities are required to establish and implement an effective ML/TF Risk Management Framework. At a minimum a licensed entity’s risk management framework must establish procedures to comply with the requirements of the FTR Act, FTR Regulations, and other policies and guidelines issued by the Reserve Bank of Fiji or the Fiji FIU from time to time. 7 Advisory 5/2007, Date: 22/06/07, Risk Based Approach 8 Advisory 4/2007, Date: 22/06/07, Identification and Verification of occasional customers 9 Guideline 6, Date: 18/01/18, Higher Risk Countries 10 Guideline 7, Date: 31/03/18, Politically Exposed Persons (PEPs)

5 The risk management framework must include procedures and systems that include the following: a. implementing customer identification requirements; b. implementing record keeping and retention requirements; c. implementing processes and systems for monitoring customers; d. implementing reporting requirements; e. making its officers and employees aware of the laws and policies for compliance with the AML/CTF standards; f. training its officers, employees and agents to recognize suspicious transactions; g. screening potential employees and monitoring fitness and propriety on an on-going basis; h. appointing a compliance officer to be responsible for ensuring the licensed entity’s compliance with the requirements of the FTR Act11; and i. establishing an audit function to test its procedures and systems to comply with the requirements. 6.2. Each licensed entity is required to prepare a customer profile for its ongoing business relationships by collating all necessary information obtained through CDD measures. This will determine the level and type of ongoing monitoring, and support its decision whether to enter into, continue or terminate a business relationship. Where the appropriate level of CDD is not possible, licensed entities must not enter into a business relationship or carry out an occasional transaction or terminate an already-existing business relationship; and consider filing a suspicious transaction report in relation to the customer. 6.3. Licensed entities also deal with intermediaries in their business, whereby settlement between them may be undertaken through cash courier, net settlement, or other mechanisms without any direct wire transfers between the originator and beneficiary to remit funds. As such, it is essential that prior to entering a new relationship with an intermediary, licensed entities must: a. identify and verify the intermediary with whom it conducts a business relationship; b. gather information about the nature of its business; c. determine from publicly available information the reputation of the intermediary and the quality of supervision it is subject to; d. assess the intermediary’s anti-money laundering and combating terrorist financing controls; e. document an agreement with the intermediary and clearly outline the responsibilities of the licensed entity and the intermediary. The written agreement must outline that: 11 Refer to Section 21.2 of FTR Act and Section 31 of FTR Regulations.

6 i. the intermediary would conduct customer identification requirements equivalent to Fiji’s requirements; and ii. where required, the intermediary will make information available to the licensed entity without delay f. obtain approval by senior management before establishing a new intermediary relationship; and g. conduct a review of the relationship on an annual basis. 6.4. Licensed entities are required to develop as part of their ML/TF Risk Management Framework, an Anti-Money Laundering/Combating of Financing of Terrorism (“AML/CFT”) Policy that outlines the licensed entity’s approach to managing ML/TF risk and the processes involved. At a minimum, the internal AML/CFT Policy must include measures for: a. customer12 due diligence, in compliance with Section 4 of the FTR Act and sections 5 to 12, 14 & 20, 21, 22 of the FTR Regulations; b. record retention as per the requirements of sections 8 and 9 of the FTR Act; c. on-going monitoring of transactions as per the requirements of sections 10 and 11 of the FTR Act and sections 17 & 18 of the FTR Regulations; d. recognition and reporting of suspicious transactions in compliance with the requirements of sections 14 and 18 of the FTR Act and section 24, 27, 28 of the FTR Regulations; e. recognition and reporting on property of terrorists groups in compliance with the requirements of section 16 of the FTR Act; f. protection of persons and information in suspicious transaction reports as per the requirements under section 19 and 20 of the FTR Act; g. reporting of cash transactions and electronic fund transfers as per the requirements under section 13 of the FTR Act and sections 25, 26, 27, 28 of the FTR Regulations; h. recording information on the originators and beneficiaries of wire transfers as per the requirements of section 12 of the FTR Act, sections 19,23, 26, 28 of the FTR Regulations and the requirements of the EFTR form13 ; i. the development of new products, new business practices, including new delivery mechanism and the use of new or developing technologies for both new and pre-existing products as per requirements under the FIU’s Enforced Guideline on New Technologies14 . Furthermore, licensed entities must undertake risk assessment which includes assessing ML/TF risk prior to the launch of a product, process or technology and implement appropriate measures to manage and mitigate these risks; and j. AML/CFT training program for all its officers and employees as per section 21 of the FTR Act and section 33 of the FTR Regulations. 12 Persons who utilise the services provided by the licenced RFEDs & MCs and persons who transact on behalf of those who utilise these services. 13 EFTR form requires details of both originator and beneficiary to be collected. 14 Guideline 5, Date: 18/01/18, New Technologies

7 6.5. Licensed entities must regularly review and update the documents, data, requirements or information in their internal AML/CFT Policy so that it complies with the prevailing regulatory requirements with regards to MF/TF risk, for example, changes or additions to FIU guidance notes. 7.0 Roles and Responsibilities of the Board 7.1. The ultimate responsibility and accountability for ensuring the licensed entity’s compliance with this Policy, the AML/CFT laws such as the FTR Act and FTR Regulations, FIU Guidelines and Policy Advisories, rests with the licensed entity’s board. 7.2. At a minimum, the board is required to: a. identify and understand the ML/TF risks faced by the licensed entity on an on-going basis; b. ensure the safety and soundness of the licensed entity by establishing an appropriate, adequate and effective system for ML/TF risk management framework which is aligned with the requirements of the FTR Act, FTR Regulations, FIU’s policy advisories and guidelines; c. approve the policies and procedures for the evaluation and management of ML/TF risk; d. ensure that senior management is implementing documented policies and procedures for the management of ML/TF risk, have a system of reviewing compliance with the same and detecting any exceptions to documented policies; e. review and approve the ML/TF Risk Management Framework annually or whenever there are changes in circumstances that could impact on ML/TF risk; and f. monitor and review functions of the internal audit function. 8.0 Roles and Responsibilities of Senior Management 8.1. The responsibilities of senior management include, at a minimum: a. developing effective internal policies, procedures and controls that identify, measure, manage and monitor the ML/TF risk faced by the licensed entity; b. effectively implementing the ML/TF risk management framework approved by the board; c. ensure that the licensed entity complies with the FTR Act and FTR Regulations, and FIU’s policy advisories and guidelines; d. monitoring appropriateness, adequacy and effectiveness of the ML/TF risk management system on an on-going basis; e. monitoring changes to AML/CFT standards and laws and informing the board of any policies/procedures that require changes; f. ensure that employees are free of criminal offences involving fraud and dishonesty and have necessary competence to carry out their duties;

8 g. ensure that all officers and employees are provided with training on an on￾going basis with regards to AML/CFT laws and the company’s internal policies and procedures relating to AML/CFT standards; h. assist and cooperate with the relevant law enforcement authorities in Fiji such as Financial Intelligence Unit and Fiji Police Force, in investigating money laundering and terrorist financing activities; and i. establish effective reporting to the board on all relevant requirements. 9.0 Roles and Responsibilities of the AML Compliance Officer 9.1. Licensed entities must comply with section 21(2) of the FTR Act and section 31 of the FTR Regulations which stipulate that licensed entities must appoint an AML compliance officer at the management level, to: a. be responsible for ensuring compliance with the FTR Act, FTR Regulations and other related policies & guidelines; b. be given appropriate and adequate authority and responsibility to implement the requirements of the FTR Act and FTR Regulations; and c. have the authority to act independently and to report to senior management above the compliance officer’s next reporting level. 9.2. The AML Compliance Officer must have timely access to customer identification data and other customer due diligence information, transaction records and other relevant information. 9.3. The AML Compliance Officer must be responsible to report to the Fiji FIU, in the prescribed form and manner, the CTR, the EFTR and file STRS. 9.4. Furthermore, the AML Compliance Officer must ensure that all employees and officers are aware of the laws, procedures and policies relating to money laundering and financing of terrorism. As per section 21 (2) of the Act and section 33 (3) of the Regulations, staff training should include new developments, recent trends in money laundering and identification of suspicious transactions. 10.0 Roles and Responsibilities of the Internal Audit Function 10.1. Licensed entities must, under section 21 (3) of the FTR Act and section 32 of the FTR Regulations, establish an audit function15 to test its procedures and systems for combating money laundering and financing of terrorism. 10.2. The licensed entity’s audit function must independently test compliance with its policies, procedures, and controls including: a. the effectiveness of the risk based system and transaction testing; b. assessment of employees’ knowledge of procedures, policies, systems, and controls; c. assessment of the adequacy, accuracy, and completeness of employee training programmes; and 15 An internal audit function that is independent of the activities audited should be sufficient.

9 d. assessment of the adequacy and effectiveness of its processes for identifying and reporting suspicious transactions and activities, and other reporting requirements under the Act and FTR Regulations. 10.3. Licensed entities must report to the Fiji FIU any suspicious information or transaction noted during the internal audit. PART III OVERSIGHT AND IMPLEMENTATION ARRANGEMENTS 11.0 Oversight by the Reserve Bank of Fiji 11.1. For the purpose of this Policy, all licensed entities are required to provide to the Reserve Bank of Fiji, their initial AML/CFT Policy within 90 days from the date of the implementation of this Policy. Licensed entities must also provide a copy of the same whenever material changes are made to the Policy, and this must be submitted within 30 days of board approval. 11.2. Non-compliance with this Policy may result in sanctions or suspension or revocation of license and/or penalties under the FTR Act and the FTR Regulations. 12.0 Reporting to the Reserve Bank of Fiji 12.1. The Reserve Bank may require from time to time, ML/TF risk management information, in a format specified, to meet the objectives of this policy. 13.0 Implementation Arrangements 13.1. This Policy applies to all licensed restricted foreign exchange dealers and money changers, and will be effective immediately. Reserve Bank of Fiji April 2025 (Revised) Attach: Schedule: Interpretation

10 SCHEDULE 1.0 Interpretation – (1) Any term or expression used in this Notice that is not defined in this Notice: (a) which is defined in the Act shall, unless the context otherwise requires, have the meaning given to it by the Act; (b) which is not defined in the Act and which is defined in any of the Reserve Bank of Fiji Policy Statements shall, unless the context otherwise requires, have the meaning given to it by those policy statements; and (c) which is not defined in the Act or in any of the Reserve Bank of Fiji’s Policy Statements shall, unless the context otherwise requires, be interpreted in accordance with generally accepted accounting practice. (2) In this Notice, unless the context otherwise requires: ‘Act’ means the Financial Transactions Reporting Act 2004 unless otherwise specified. ‘Agent’ Any natural or legal person providing MVTS on behalf of a foreign exchange dealer or money changer, whether by contract with or under the direction of the foreign exchange dealer or money changer. ‘Intermediary’ refers to a financial institution in a serial or cover payment chain that receives and transmits a wire transfer on behalf of the ordering financial institution and the beneficiary financial institution, or another intermediary financial institution. ‘Licensed Entities’ for the purpose of this Policy refer to Restricted Foreign Exchange Dealers and Money Changers licensed by the Reserve Bank. ‘Senior Management’ includes a person— (i) who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business of the Company; (ii) who has the capacity to affect significantly the Company’s financial standing; or (iii) in accordance with whose instructions or wishes the Directors of the Company are accustomed to act, excluding advice given by the person in the proper performance of functions attaching to the person’s professional capacity or their business relationship with the Directors or the Company and includes General Managers or Chief Executive Officer and any other personnel deemed to have the delegation for decision making that has a significant impact.