2024-06-04

Guidelines on Internal Policies, Controls and Procedures for the Implementation of Restrictive Measures (Article 15 of the Sanctions Act)

The Croatian Financial Services Supervisory Agency (Hanfa) issued guidelines requiring supervised entities to establish, implement, and regularly update internal policies, controls, and procedures for enforcing restrictive measures. The document mandates a robust governance framework where the management body oversees compliance, while a designated compliance officer conducts risk assessments, maintains effective screening processes, and reports to regulators. Entities must ensure these measures are proportionate to their risk exposure, supported by adequate resources, and reinforced through targeted employee training and regular audits.

Croatia

Croatian Financial Services Supervisory Agency

Based on Article 15, paragraph 5, point 2 of the Sanctions Act ("Narodne novine", No. 133/2023), the Management Board of the Croatian Financial Services Supervisory Agency (Hanfa) adopted the following at its meeting held on June 4, 2024:

Guidelines on Internal Policies, Controls and Procedures for the Implementation of Restrictive Measures (Article 15 of the Sanctions Act)

I. Legal Basis and Scope of Application

  1. According to Article 15, paragraph 1, in conjunction with Article 25, paragraph 2 of the Sanctions Act, the supervised entities of the Croatian Financial Services Supervisory Agency are required to adopt written policies, controls, and procedures for the implementation of restrictive measures, implement them in practice, and review and update them regularly, at least once a year.

  2. In accordance with the provisions of Article 15, paragraph 6 of the Sanctions Act, the Croatian Financial Services Supervisory Agency is authorized to supervise the implementation of the aforementioned policies, controls, and procedures, as well as to assess their appropriateness in relation to the obligations under the Sanctions Act, and to order their amendments and supplements in accordance with such assessment.

  3. These Guidelines are adopted on the basis of Article 15, paragraph 5 of the Sanctions Act.

  4. These Guidelines apply to the obligors under Article 15 of the Sanctions Act supervised by Hanfa under Article 13, paragraph 1, point 3 of the Sanctions Act, according to the list located at the end of these Guidelines, which forms an integral part of them.

  5. Obligated entities are expected to apply these Guidelines when: a) they adopt written policies, controls, and procedures for the implementation of restrictive measures, implement them in practice, and review and update them; b) they integrate the policies, controls, and procedures from point (a) into their internal control system.

II. Definitions

  1. ZMO is the Sanctions Act ("Narodne novine", No. 133/2023), including its future amendments that are not contrary to the content of these Guidelines.

  2. The Anti-Money Laundering and Countering the Financing of Terrorism Act is the Act on the Prevention of Money Laundering and Financing of Terrorism ("Narodne novine" No. 108/17, 39/19, 151/22), including its future amendments that are not contrary to the content of these Guidelines.

  3. Hanfa is the Croatian Financial Services Supervisory Agency.

  4. Obligated entities are entities under the supervision of Hanfa under Article 13, paragraph 1, point 3 of the ZMO and Article 82, paragraph 5 of the Anti-Money Laundering and Countering the Financing of Terrorism Act, according to the list which is an integral part of these Guidelines.

  5. Restrictive measures are restrictive measures under Article 4, paragraphs 1 and 2 of the Sanctions Act, namely: a) measures of the European Union adopted on the basis of Article 29 of the Treaty on European Union or on the basis of Article 215 of the Treaty on the Functioning of the European Union; b) measures established by resolutions of the United Nations Security Council; c) measures of other international organizations that bind the Republic of Croatia in accordance with international law; and d) measures adopted by a decision of the Government of the Republic of Croatia upon the proposal of the ministry responsible for foreign affairs.

III. General Provisions

Obligated entities should identify and assess which areas of their business and other business activities are particularly vulnerable or exposed to restrictive measures and to the circumvention of restrictive measures. Based on this, they should establish, implement, and update their policies, controls, and procedures to ensure that they can effectively apply restrictive measures.

These policies, controls, and procedures should be effective and proportionate to the size, nature, and complexity of the obligated entity and its exposure to restrictive measures.

IV. Governance Framework

Obligated entities should establish a governance framework to ensure that policies, controls, and procedures for the implementation of restrictive measures are appropriate and effectively implemented.

IV.1. Role of the Management Body

The management body of the obligated entity is responsible for approving the entire strategy of the obligated entity for compliance with restrictive measures and for supervising its implementation. All members of the management body should be aware of the obligated entity's exposure to restrictive measures and the risks of circumventing restrictive measures.

If the business of the obligated entity is managed by a single person, that person may appoint a senior manager to perform the function of the management body in accordance with the preceding paragraph.

IV.1.1. Role of the Management Body in the Supervisory Function

The management body in the supervisory function is responsible for supervising and monitoring the internal control and management framework established by the obligated entity to comply with restrictive measures to ensure its effectiveness.

In addition to the provisions of applicable regulations on internal management, the management body in the supervisory function should: a) be informed about the results of the latest assessment of exposure to restrictive measures conducted in accordance with point V of these Guidelines; b) supervise and monitor, through the internal control function or, if not obliged to establish said function in accordance with special regulations, through the management body itself, to what extent the policies and procedures for implementing restrictive measures are appropriate and effective regarding the exposure to restrictive measures and the risks of circumventing restrictive measures to which the obligated entity is exposed, and take appropriate steps as necessary to ensure that corrective measures are taken; c) at least once a year, assess the effectiveness of the functioning of monitoring compliance with restrictive measures, including internal policies, controls, and procedures, among others regarding the appropriateness of human and technical resources allocated for compliance with restrictive measures.

IV.1.2. Role of the Management Body in the Executive Function

In addition to the provisions of applicable regulations on internal management, the management body in the executive function should: a) ensure that it is informed about the results of the latest assessment of exposure to restrictive measures conducted in accordance with point V of these Guidelines; b) adopt an appropriate risk management framework and internal control system that are sufficiently independent from the business they control; c) adopt policies, controls, and procedures that are proportionate to the obligated entity's exposure to restrictive measures and appropriate to ensure compliance with restrictive measures; d) ensure the effective implementation of the obligated entity's procedures for compliance with restrictive measures; e) implement the organizational and operational structure necessary for effective compliance with the strategy regarding restrictive measures adopted by the management body; f) ensure that human and technical resources allocated for compliance with restrictive measures are appropriate and proportionate to the obligated entity's exposure to restrictive measures; g) promote a culture of compliance with restrictive measures; h) if certain activities related to the implementation of restrictive measures are outsourced, ensure compliance with applicable regulations on outsourcing and receive regular reports from the outsourcing service providers on the effectiveness of the implementation of these activities to inform the management body.

IV.2. Appointment and Role of the Person Responsible for Compliance with Restrictive Measures

IV.2.1. Appointment of the Person Responsible for Compliance with Restrictive Measures

Obligated entities should appoint a person responsible for performing the activities and tasks listed in point IV.2.2 of these Guidelines. The management body should ensure that the person responsible for compliance with restrictive measures has the knowledge and understanding of restrictive measures necessary to perform their functions effectively.

The management body may assign this role to an employee who already has other duties or functions within the obligated entity (such as the authorized person for the prevention of money laundering and financing of terrorism or the compliance monitoring function) under the following conditions: a) this does not affect the ability of that person to effectively perform their duties or functions; and b) this combination of tasks does not lead to a conflict of interest, such as conflicts between operational and control tasks assigned to that person.

The management body may allow the person responsible for compliance with restrictive measures to assign and transfer the tasks from point IV.2.2 of these Guidelines to other employees acting under their leadership and supervision, provided that the ultimate responsibility for the effective execution of these tasks remains with the person responsible for compliance with restrictive measures.

Regardless of the organizational structure, obligated entities should ensure that the person responsible for compliance with restrictive measures can report to the management body and has direct access to that body.

IV.2.2. Role of the Person Responsible for Compliance with Restrictive Measures

The person responsible for compliance with restrictive measures should develop, establish, and maintain policies, controls, and procedures that are appropriate to ensure compliance with restrictive measures and proportionate to the obligated entity's exposure to restrictive measures.

The person responsible for compliance with restrictive measures should:

  a) take necessary measures to ensure compliance with the requirements for assessing exposure to restrictive measures from point V of these Guidelines;
  b) take necessary measures to ensure compliance with the requirements for effective policies and procedures for implementing restrictive measures from point V of these Guidelines;
  c) provide regular and appropriate information to the management body so that it can perform its duties. Information provided to the management body should include at least the following:
     i. changes in the obligated entity's exposure to restrictive measures and the outcome of the assessment of the obligated entity's exposure to restrictive measures;
     ii. new or future changes in the regime of restrictive measures and their impact on the obligated entity;
     iii. available statistical data and information relating to:
        • the number of alerts generated;
        • the number of alerts awaiting analysis;
        • the number of reports submitted to Hanfa as the supervisory authority or other bodies listed in the ZMO or the Office for the Prevention of Money Laundering in accordance with Article 56, paragraph 9 of the Anti-Money Laundering and Countering the Financing of Terrorism Act;
        • the time elapsed between the generation of an alert and the report submitted to the bodies in accordance with the previous sub-paragraph;
        • the value of frozen assets and the type of such assets, as well as the number and amount of unexecuted transactions;
        • the number of identified violations and the reasons for these violations;
     iv. information relating to human and technical resources and the appropriateness of these resources in view of the obligated entity's exposure to restrictive measures;
     v. deficiencies identified in relation to the obligated entity's policies, controls, and procedures for implementing restrictive measures;
     vi. violations and cases of circumvention of restrictive measures and the likely reasons for these violations and circumventions;
     vii. proposals on how to address any changes in regulatory requirements or exposure to restrictive measures or possible identified deficiencies in the policies, controls, and procedures of the obligated entity and identified cases of non-implementation or circumvention of restrictive measures;
  d) report to the Ministry of Foreign and European Affairs and Hanfa on the applied restrictive measure and, in cases determined by Article 8, paragraph 26 of the ZMO, to the competent authorities;
  e) effectively and constructively cooperate with the bodies competent for the implementation of restrictive measures determined by the provisions of the ZMO and with Hanfa as the supervisory authority competent for supervising the policies, controls, and procedures for implementing restrictive measures.

The person responsible for compliance with restrictive measures should oversee the preparation and implementation of the professional training and education program in accordance with point V of these Guidelines.

V. Implementation of the Assessment of Exposure to Restrictive Measures

Obligated entities should conduct an assessment of exposure to restrictive measures to understand to what extent each area of their business and other activities is exposed to restrictive measures and sensitive to the circumvention of restrictive measures.

When conducting the assessment of exposure to restrictive measures, obligated entities should identify and assess:

  a) which regimes of restrictive measures are applicable;
  b) the probability of non-implementation of restrictive measures;
  c) the probability of circumvention of restrictive measures;
  d) the impact of each violation of restrictive measures; and
  e) the following risk factors:
     i. geographic risk, including:
        • where the obligated entity operates, i.e., countries and geographical areas where it has a business establishment or operates;
        • to what extent those countries and geographical areas are exposed to restrictive measures or are known to be used for circumventing restrictive measures;
        • the origin and destination of transactions.
     ii. customer risk, including:
        • the connection of customers and, if applicable, their beneficial owners and shareholders with countries for which restrictive measures are in force due to a situation affecting that country or for which it is known that they are used for circumventing restrictive measures;
        • the number of customers, the type of customers, and the complexity of these customers, such as the identification of beneficial owners;
        • the activities of its customer base and the complexity of activities, including all connections with industries or sectors subject to economic or any other restrictive measures, as well as the frequency and type of transactions.
     iii. product and service risk, including:
        • the nature of the obligated entity's products and services;
        • to what extent the provision of these products and services exposes the obligated entity to the risk of violating restrictive measures and circumventing restrictive measures.
     iv. delivery channel risk, among others, whether the use of agents, third parties, correspondent banking relationships, or other delivery channels creates vulnerabilities, including:
        • whether the obligated entity becomes dependent on third-party verification procedures;
        • increased exposure of the obligated entity to geographic risks because it operates or has a business establishment in countries for which restrictive measures are in force due to a situation affecting that country or countries known to be used for circumventing restrictive measures.

Obligated entities should base this assessment on a sufficiently diverse range of information sources, including at least the following: a) information obtained within the framework of the application of customer due diligence measures by the obligated entity, in accordance with the provisions of Article 15 of the Anti-Money Laundering and Countering the Financing of Terrorism Act; b) information from international bodies, states, national competent authorities, including supervisory authorities for the supervision of the prevention of money laundering and financing of terrorism, financial intelligence units, and law enforcement bodies, such as updated typologies on circumventing restrictive measures; c) information from credible and reliable public sources, such as reports from reputable newspapers and other reputable media channels; d) information from credible and reliable commercial organizations, such as risk reports; e) if available, an analysis of previous alerts on restrictive measures (positive and false positive results) to identify situations where positive results are most likely to occur.

Obligated entities should consider whether a retroactive check of their customer database and records of past transactions could be useful and proportionate in this context. This may be the case if the obligated entity has identified or has justified reasons to suspect that its previous verification system was inadequate or ineffective.

Obligated entities should ensure that their assessment of exposure to restrictive measures is up-to-date and appropriate. To achieve this, obligated entities should review and, if necessary, update their assessment of exposure to restrictive measures at least in the following situations: a) significant changes in regulations on restrictive measures (e.g., inclusion of a new regime of restrictive measures or addition of new measures to existing regimes); b) before providing new products and services / offering new channels for delivering products and services / providing services to new groups of clients / entering new geographical areas; c) significant changes in the profile of activities, customer base, organizational structure, or business model of the institution; d) the identification of non-implementation of restrictive measures and circumvention of restrictive measures, which indicates the inappropriateness of the assessment of exposure to restrictive measures; e) the existence of deficiencies in the existing assessment of exposure to restrictive measures identified by the obligated entity or Hanfa.

Obligated entities should document their methodology for conducting the assessment of exposure to restrictive measures and the outcome of that assessment and make them available to the Croatian Financial Services Supervisory Agency upon request.

VI. Effective Policies and Procedures for the Implementation of Restrictive Measures

Policies, controls, and procedures for the implementation of restrictive measures will be effective if they enable obligated entities to fully and correctly apply restrictive measures without delay.

These policies, controls, and procedures should include at least the following: a) procedures to ensure that obligated entities have all up-to-date information on applicable restrictive measures; b) procedures to update applicable regulations on regimes of restrictive measures as soon as they are published; c) procedures to ensure that the assessment of exposure to restrictive measures remains appropriate and up-to-date; d) procedures to ensure that policies, controls, and procedures are proportionate to the assessment of exposure to restrictive measures and that all areas have the resources necessary to ensure compliance with internal policies, controls, and procedures for the application of restrictive measures; e) procedures to ensure that policies and procedures for restrictive measures are regularly reviewed and updated, effectively implemented, and functioning, and that corrective measures are taken immediately if deficiencies are identified; f) procedures for the rapid investigation of all possible matches with already identified cases; g) in the case of positive results, procedures for further actions, including immediate suspension, freezing, and reporting to competent authorities; h) documented internal organization in which tasks and responsibilities related to restrictive measures are clearly defined, among others in the case of outsourcing business processes.

VII. Professional Training and Education

Obligated entities should conduct professional training and education to ensure that their employees are and remain aware of: a) restrictive measures applicable to the obligated entity; b) the outcome of the assessment of exposure to restrictive measures; and c) policies, controls, and procedures for compliance with restrictive measures.

Professional training and education should be tailored to employees and their specific roles. They should be timely and appropriate to enable the obligated entity to comply with restrictive measures.

Obligated entities should document their professional training and education plan and be ready to prove to Hanfa, upon request, that it is appropriate and effective.

VIII. List of Obligated Entities for the Application of Guidelines

These Guidelines are intended for:

  1. Obligors under Article 82, paragraph 5 of the Anti-Money Laundering and Countering the Financing of Terrorism Act and subsidiaries of similar obligors from another Member State and a third country, which are established in the Republic of Croatia: a) investment fund management companies and investment funds with legal personality with internal management; b) pension companies in the part of business relating to voluntary pension funds and pension insurance companies in the part of business relating to direct one-time payments of persons into such companies and pension accumulation companies; c) companies authorized to provide investment services and perform investment activities; d) insurance companies that have approval for the performance of life insurance and other insurance activities related to investments; e) legal and natural persons engaged in the activity of insurance representation in concluding life insurance contracts and other insurance contracts related to investments; f) legal and natural persons engaged in the activity of insurance mediation in concluding life insurance contracts and other insurance contracts related to investments; g) factoring companies; h) leasing companies; i) legal and natural persons performing activities related to virtual assets in accordance with the provisions of the Anti-Money Laundering and Countering the Financing of Terrorism Act.

  2. Obligors - subjects to whom Hanfa issues a license for operation in accordance with special regulations: a) central securities depository; b) central counterparty; c) stock exchange; d) crowdfunding service provider.

CLASS: 011-01/24-01/02
FILE NO.: 326-01-70-72-24-1
Zagreb, June 4, 2024.

CHAIRMAN OF THE MANAGEMENT BOARD dr. sc. Ante Žigman