2026-05-20

AML/CFT/CPF Guidance Notes 11: Suspicious Activity Reporting

The Gibraltar Financial Services Commission mandates that regulated entities implement effective measures to identify and report suspicions of money laundering, terrorist financing, and proliferation financing. Staff must report internal suspicions to a Money Laundering Reporting Officer, who then submits external Suspicious Activity Reports to the Gibraltar Financial Intelligence Unit via the Themis portal. The guidance outlines strict legal obligations regarding failure to disclose, prohibitions on tipping-off, and exemptions under the Data Protection Act to prevent prejudice to ongoing investigations.

Gibraltar

Gibraltar Financial Services Commission

www.gfsc.gi 11. Suspicious Activity Reporting AML/CFT/CPF Guidance Notes May 2026

Gibraltar Financial Services Commission AML/CFT/CPF Guidance Notes

Table of Contents

11.1 Identification of Suspicion
11.2 Internal Reporting
11.3 External Reporting
11.4 Failure to Disclose
11.5 Tipping-off
11.6 Data Subjects, Access Rights, Suspicious Activity Reports and the Data Protection Act

11.1 Identification of Suspicion

AML/CFT/CPF Requirements

R30 A regulated entity must have effective measures in place to be able to identify and report any suspicious activity both internally and externally whenever money laundering, terrorist financing or proliferation financing is suspected.

Guidance

  1. Defining suspicion in the context of money laundering, terrorist financing and proliferation financing poses a significant challenge. The reason for this difficulty stems from the numerous typologies associated with each of these illicit activities, making it hard to establish a concrete and exhaustive definition. Suspicion is subjective and is dependent on personal assessment, generally lacking the certainty of firm evidence.
  2. Despite the elusive nature of a suspicion, there are common indicators that can raise red flags. Suspicious activity typically deviates from the intended nature of the business relationship or departs from the usual transactions expected from a particular customer. To recognise such activities, it is imperative that a regulated entity has a comprehensive understanding of the nature and purpose of the business relationship. Conducting an adequate risk assessment and periodic reviews can help evaluate whether the economic activity of a customer aligns with the expected norms of the business relationship.
  3. All staff members of a regulated entity are required to report suspicions of money laundering, terrorist financing and proliferation financing. Section 28 of POCA mandates reporting to the "appropriate person" (referred to as the “Money Laundering Reporting Officer” or “MLRO” in these Guidance Notes) in accordance with internal procedures.

11.2 Internal Reporting

  4. All staff members of a regulated entity have an obligation to report any knowledge, belief or suspicion of money laundering, terrorist financing or proliferation financing to the MLRO as soon as practically possible.
  5. A regulated entity must establish and implement processes for reporting, processing and cooperating with law enforcement agencies based on internal reports. These processes should adhere to the following guidelines:
     • The reporting lines between staff members and the MLRO must be kept open, granting all staff members direct access to the MLRO;
     • Staff members must receive adequate training provided by the regulated entity in relation to:
       a) The identification of red flags and typologies specific to the products and services the regulated entity provides;
       b) Internal reporting lines and how to report any suspicious activity to the MLRO;
       c) The legislative provisions laid out in POCA[1] in relation to tipping off and discharging responsibilities.
     • The MLRO, upon receiving an internal suspicious activity report, must consider the report taking into consideration all relevant information about the business relationship, to determine if it gives rise to any grounds for knowledge or suspicion.
     • Until the MLRO concludes whether an external report to the Gibraltar Financial Intelligence Unit (“GFIU”) is required, any further transactional activity or requests related to the business relationship, regardless of similarity to the previous suspicion, should be promptly referred to the MLRO.
     • If the MLRO determines that a report satisfies the grounds for knowledge or suspicion, the matter must be reported to the GFIU without delay, in line with the requirements set out in POCA or these Guidance Notes. Please refer to section 11.3 below on External Reporting for further information.
     • All internal suspicious activity reports submitted to the MLRO, even if initially made verbally under the reporting procedures, are expected to be documented at the earliest opportunity.
     • Upon receipt of the report, the MLRO should formally acknowledge it, while also reminding the reporting individual of the "tipping off" provisions of POCA.
     • All records of suspicions, investigations, and related documentation (whether externally disclosed or not) must be retained and made available upon request for a minimum of five years as set out in POCA[2].
     • Once a staff member has reported their suspicions to the MLRO, together with all supporting evidence and documentation, it is considered that they will have discharged their statutory reporting obligations.

[1] Section 5, Proceeds of Crime Act 2015.
[2] Section 25, Proceeds of Crime Act 2015.

11.3 External Reporting

  6. The GFIU is the authority to whom reports of suspected or known money laundering, terrorist financing or proliferation financing must be reported. The GFIU was established in January 1996 to facilitate the receipt, analysis and dissemination of SARs made by financial and other institutions in accordance with the Drug Trafficking Act 1995, Terrorism Act 2018, Gambling Act 2005, Proceeds of Crime Act 2015, and Sanctions Act 2019. Since 2004, the GFIU has been a member of the Egmont Group of Financial Intelligence Units.
  7. A regulated entity must ensure that all external SARs are submitted to the GFIU (via the secure Themis portal) as soon as practically possible after deeming the activity suspicious.
  8. A regulated entity must ensure it follows the standard reporting template when disclosing a SAR. Access to the GFIU’s online reporting portal can be obtained from the GFIU's website (https://www.gfiu.gov.gi/reporting) and additional information and guidance on using Themis can be sought from the GFIU.[3]
  9. All MLROs are expected to be signed up to the Themis portal to ensure disclosure of SARs to the GFIU are appropriately completed and submitted on a timely basis and that the regulated entity is able to directly receive all communications issued and published by the GFIU.

[3] https://www.gfiu.gov.gi/uploads/docs/publications/sp0Xk_Guidance_Notes_for_Submission_of_SARs_v1.0.pdf

  10. A regulated entity must ensure its disclosures to the GFIU contain sufficient information about the suspicious activity, along with the grounds for suspicion, to facilitate the GFIU’s assessment and potential investigation. The report should clearly document and state the suspected criminal activity which will allow for dissemination to the appropriate authority.
  11. In cases where additional relevant evidence is available, it should be included in the disclosure. The Themis reporting system provides a platform for uploading any supplementary information/evidence in various formats.
  12. Upon receipt of all disclosures, the GFIU will acknowledge receipt and in some instances, written consent may be granted in cases where it is deemed appropriate for a regulated entity to continue providing services to the relevant parties. However, under exceptional circumstances (such as when a beneficial owner or a related party faces imminent arrest or asset restraint), consent may not be granted. In such cases, the regulated entity will be informed of the situation and must comply with any direction provided by the GFIU or another authority.
  13. Where a regulated entity has submitted a SAR to the GFIU, or in the instance where the regulated entity is aware that a client or transaction is under investigation, it should not destroy any relevant records without the agreement of the authorities, even if the five-year retention period has expired.

11.4 Failure to Disclose

  14. A person may be found guilty of an offence if there is knowledge, suspicion or other reasonable grounds to suspect that a customer may be engaging in money laundering, terrorist financing or proliferation financing and it is not reported.

11.5 Tipping-off

  15. A regulated entity must ensure that staff members are aware of their obligations in respect of the tipping off provisions defined under Section 5(1) of POCA.
  16. A person is guilty of an offence if after the disclosure of a SAR, they share information which would prejudice the investigation or inform the subject that a disclosure has been made to the GFIU or law enforcement agency[4].
  17. A person shall not incur any liability under this section where the disclosure is made between regulated entities to which this Act applies, and which are members of the same group. This also applies to situations between a regulated entity and its branches and majority-owned subsidiaries located in third countries, provided that those branches and majority-owned subsidiaries fully comply with the group-wide policies and procedures, including procedures for sharing information within the group.
  18. Under the provisions of POCA[5], it is not deemed a tipping-off offence for an individual to disclose or provide information to the GFIU, a police or customs officer or a supervisory body. A regulated entity is able to disclose information to supervisory bodies concerning both internal and external SARs.

[4] Section 5(2) – Proceeds of Crime Act 2015.
[5] Section 5(2A) – Proceeds of Crime Act 2015.

11.6 Data Subjects, Access Rights, Suspicious Activity Reports and the Data Protection Act

  19. A regulated entity may receive a request for access to personal data held by a regulated entity as a data controller under Section 14(38) of the Data Protection Act, some of which data may be relevant to an investigation or a suspicious activity report received by the GFIU in relation to money laundering/terrorist financing/proliferation financing.
  20. Under the Data Protection Act, an individual can request access to their personal data, including any information about its source. However, the Data Protection Act exempts personal data from being disclosed if doing so could prejudice crime prevention or detection, or the apprehension and prosecution of offenders. This exemption generally includes the requirement to furnish information about any suspicious activity reports, or other relevant data relating to an investigation.
  21. If a regulated entity relies on this exemption, data controllers should provide all other relevant data held on file relating to the subject - the exemption only relates to any information which could tip off or prejudice an ongoing investigation. If a regulated entity decides to withhold information under this exemption, it is not obligated to inform the individual about the withheld data. The information can be omitted from the response to the data request without any reference to it.

Example – Branches, Subsidiaries & Passporting

  22. When a regulated entity operates in multiple jurisdictions, it is the entity's responsibility to determine if dual reporting is necessary according to the applicable laws and regulations of each jurisdiction.
  23. Where a regulated entity is passporting from another jurisdiction or is operating as a branch or subsidiary of another regulated entity within Gibraltar, it is mandatory to report all suspicious activities related to the activities of the Gibraltar branch or subsidiary to the GFIU.

Published by:
Gibraltar Financial Services Commission
PO Box 940
Suite 3, Ground Floor
Atlantic Suites
Europort Avenue
Gibraltar
www.gfsc.gi
© 2017 Gibraltar Financial Services Commission