Directive on Sound Business Operations

Unofficial and not binding translation Enclosure: 1 CENTRALE BANK VAN ARUBA [CENTRAL BANK OF ARUBA] March 1, 2015 Directive on Sound Business Operations §1 Definitions Article 1 Unless otherwise stipulated, the following terms in this Directive shall mean: Institution: a. a credit institution, referred to in Article 1 of the State Ordinance on the Supervision of the Credit System (AB 1998 No. 16) (“SOSCS”); b. an electronic money institution, referred to in Article 1 of the SOSCS; c. an insurer, referred to in Article 1 of the State Ordinance Supervision Insurance Business (AB 2000 No. 82) (“SOSIB”); d. an insurance broker, referred to in Article 27b, fourth paragraph, of the SOSIB; e. a money transfer company, referred to in Article 1 of the State Ordinance on the Supervision of Money Transfer Companies (AB 2003 No. 60) (“SOSMTC”); f. a trust office, referred to in Article 1 of the State Ordinance on the Supervision of Trust Offices (AB 2009 No. 13) (“SOSTSP”); g. a company pension fund, referred to in Article 1 of the State Ordinance on Company Pension Funds (“SOCOPF”) (AB 1998 No. GT 17). CBA: the Central Bank of Aruba. Incident: an act or event that constitutes a serious danger to the ethical conduct of the business of the institution in question.

Directive on Sound Business Operations 2 Protected Account: an account in which a balance in money, securities, precious metals, or other values can be held, while the identity of the client is not visible or is otherwise protected by only making use of a(n) (account) number, other number, or code word during the processing of transactions, whereas the identity of the client is known to the credit institution. Integrity Risk: danger of reputational damage or an existing or future threat to the assets or results of an institution as a consequence of the inadequate fulfillment of any provisions laid down by or pursuant to any statutory regulation or internal rule or any act or omission in conflict with what is generally accepted according to unwritten law. Integrity-Sensitive Positions: positions designated as such by the institution. They shall include in any event: a. positions of executive officers that are subordinate to the directors to be screened by the CBA or other persons that determine or co￾determine the policy of the institution; or b. the so-called key positions entailing an authority that implies an essential risk to the ethical conduct of the business of the institution, and which are related to inter alia:

• the power to dispose of the management of capital or assets of the institution or third parties or the assumption of obligations on behalf of the institution;
• access to personal data or company-sensitive information about the institution or third parties; and
• the performance of audit or supervisory work with regard to the accounting procedures and the internal control system of the institution and the fulfillment of applicable regulations and internal provisions. §2 Integrity and suitability screening Article 2

1. The integrity of a director, other person that determines or co￾determines the policy of the institution, member of the supervisory board, or the body of the institution that has a task similar to that

Directive on Sound Business Operations 3 of the supervisory board, or a holder of a qualified holding1 shall be beyond doubt, if it has been established by the CBA for the purpose of applying the supervisory state ordinances. 2. The CBA shall establish whether the integrity of a person, referred to in Article 2, first paragraph, is beyond doubt based on his intentions, acts, and antecedents. 3. In the assessment, referred to in the first paragraph, the CBA shall at least take into account the antecedents mentioned in Annexes A1 through E, as well as: a. the interrelationship between the act or acts on which an antecedent is based and the other circumstances of the case; b. the interests the supervisory state ordinance in question seeks to protect; and c. the other interests of the institution and the person concerned. 4. In any event, the integrity of a person, referred to in Article 2, first paragraph, shall not be beyond doubt, if he has been convicted for a serious offense, mentioned in Annex A2, if less than eight years have expired since the judgment became final and conclusive. 5. Based on the circumstances or interests mentioned in Article 2, third paragraph, the CBA may deviate from the fourth paragraph. Article 3 The suitability screening shall be aimed at the assessment of the knowledge, skills, and professional conduct of a director, other person that determines or co-determines the policy of the institution, member of the supervisory board, or the body of the institution that has a task similar to that of the supervisory board. The knowledge, skills, and professional conduct are evidenced by inter alia education, work experience, competences, and the use thereof in actual practice. Article 4 The CBA shall obtain insight into the intentions, acts, and antecedents referred to in Article 2, second paragraph, and the knowledge, skills, and professional conduct referred to in Article 3 by means of inter alia: a. the screening form filled out by the person concerned, as adopted by the CBA, and the information to be provided in it; b. information provided by the Procurator General based on data from the criminal records office; c. other data and information obtained from the Public Prosecution Service; d. data and information obtained from the Directorate of Taxes;

1 A direct or indirect interest of more than ten percent of the issued share capital of a credit institution, an insurer, a money transfer company, a trust office, or an insurance broker, or the possibility to exercise directly or indirectly the voting rights in a credit institution, an insurer, a money transfer company, or a trust office, or the possibility to exercise directly or indirectly a comparable controlling interest.

Directive on Sound Business Operations 4 e. data and information obtained from Aruban or foreign government agencies or from foreign agencies designated by the government, which are charged with the supervision of financial markets or of persons active in these markets; f. information obtained from references provided by the person concerned; g. data from public resources; h. information obtained from bankruptcy trustees or administrators with regard to bankruptcies, moratoriums, debt adjustments, administrations, or emergency regulations in which the person concerned has been involved; i. information obtained from organizations of current or former professional colleagues of the person concerned; j. data and information obtained from research conducted by the CBA itself. Article 5

1. When assessing the suitability, the CBA shall also take into account the other positions the person concerned occupies and/or occupied.
2. A combination of positions as director and member of the supervisory board or of the body that has a task similar to that of the supervisory board at the same institution is not permitted. Article 6 The CBA may proceed to a reassessment of the integrity and/or suitability of a person, referred to in Article 2, first paragraph, if a change in the relevant facts and circumstances gives reasonable cause for a new assessment. §3 Ethical conduct of the business Article 7
3. An institution shall take care of a systematic analysis of integrity risks.
4. An institution shall record its policy on the ethical conduct of its business in writing and shall see to it that the policy is laid down in written procedures and measures.
5. An institution shall inform all relevant business units of the policy, procedures, and measures.
6. An institution shall take care of the implementation and systematic review of the policy and the procedures and measures.
7. An institution shall dispose of procedures stipulating that shortcomings or defects identified be reported to the officer, referred to in Article 14.
8. An institution shall dispose of procedures stipulating that shortcomings or defects identified with regard to the ethical

Directive on Sound Business Operations 5 conduct of the business lead to an appropriate adjustment of the policy, procedures, and measures. Article 8 An institution shall take care of an integrity-aware company culture, embodied in the business operations. Article 9

1. A credit institution, electronic money institution, or insurer shall pursue a remuneration policy that does not encourage taking more risks than is acceptable to the institution in question.
2. A credit institution, electronic money institution, and insurer shall record the remuneration policy in writing. The policy shall be geared to the nature, size, complexity, and risk profile of the credit institution, electronic money institution, or insurer. Article 10
3. A credit institution, electronic money institution, or insurer shall dispose of procedures and measures to avoid conflicts of its interests or those of its clients with private interests of: a. directors and other persons that determine or co-determine the policy of the institution; b. members of the supervisory board or the body that has a task similar to that of the supervisory board; c. other employees or other persons that perform work for the institution on a regular basis on its instructions; d. holders of a qualified holding or persons or companies affiliated to them.
4. A company pension fund shall dispose of procedures and measures to avoid conflicts of its interests with private interests of: a. directors and other persons that determine or co-determine the policy of the company pension fund; b. members of the supervisory board; c. other employees or other persons that perform work for the pension fund on a regular basis on the instructions of the company pension fund.
5. The provision of services by a credit institution, electronic money institution, company pension fund, or insurer based on staff terms to directors and other persons who determine or co-determine the policy of the institution shall only take place in the ordinary conduct of the business and shall only take place each time with the consent of the supervisory board or the body that has a task similar to that of the supervisory board: a. if the service is provided beyond the limits of staff terms, it shall only take place in the ordinary conduct of the business and on the prevailing commercial terms and guarantees;

Directive on Sound Business Operations 6 b. the provision of services by the institution to members of the supervisory board or the body that has a task similar to that of the supervisory board, as well as to relatives, not being staff members, of directors or other persons who determine or co￾determine the policy of the institution, of members of the supervisory board or the body that has a task similar to that of the supervisory board, and of holders of a qualified holding or to persons or companies affiliated to them shall only take place in the ordinary conduct of the business and on the prevailing commercial terms and guarantees. Article 11

1. A credit institution shall dispose of policy, procedures, and measures with regard to protected accounts and accounts in which values are held for third parties.
2. A credit institution shall pursue a restrictive policy with regard to the opening of protected accounts.
3. A credit institution shall not open protected accounts other than with a view to the protection of privacy and safety of clients or for the prevention of insider trading.
4. A credit institution shall draw up adequate instructions for the staff with regard to the opening and management of protected accounts. Article 12
5. An institution shall dispose of written regulations to enable employees to report alleged abuse of a general, operational, and financial nature, without jeopardizing their legal position, within the institution to (the chairman of) the board or to a designated confidential adviser.
6. Alleged abuses concerning the performance of a director can be reported to the chairman of the supervisory board or to a body that has a task similar to that of the supervisory board, or, if the institution does not dispose of such a body, a designated confidential adviser.
7. The regulations referred to in the first paragraph shall discuss in any event: a. the further procedure; b. the person to whom the alleged abuse is reported; c. the internal investigation; d. the confidentiality to be maintained; and e. the legal protection of the reporter, provided he acts in good faith.

Directive on Sound Business Operations 7 Article 13

1. An institution shall dispose of procedures and measures as to how to deal with and record incidents and shall record them in writing. These procedures and measures shall at least provide for: a. the sound administrative recording of the characteristics of the incident, the data concerning the persons who caused or were otherwise involved in the incident, and the measures taken in connection with the incident; b. the way in which incidents are handled; and c. the information provision to the CBA.
2. In connection with an incident, an institution shall take measures aimed at the management of the risks that have occurred and the prevention of repetition thereof.
3. An institution shall promptly inform the CBA in writing of incidents. Article 14
4. An institution shall designate at least one officer who is charged with ensuring the fulfillment of the statutory regulations and internal rules and procedures concerning the ethical conduct of the business. This officer shall perform his duties in an independent and efficient manner.
5. The institution shall ensure that the officer, referred to in the first paragraph, can dispose of all data necessary for the performance of his duties within a short period, including transaction data and the data recorded by the institution pursuant to this Directive.
6. An institution shall guarantee that knowledge gained during the implementation of the first paragraph remains available within its organization. Article 15
7. With a view to an ethical conduct of the business, an institution shall dispose of procedures and measures with regard to: a. the acceptance of clients; b. the establishment of the identity of clients and the verification of their identity; c. risk classifications with regard to clients, products, and services; d. the analysis of data of clients, also in relation to the products or services purchased by those clients, and the detection of deviating transaction patterns.
8. Based on the procedures and measures, referred to in the first paragraph, the institution shall also determine the risks of certain clients, products, or services to the ethical conduct of its business.
9. An institution shall take care of the documentation and recording with regard to the acceptance and risk classification of clients and

Directive on Sound Business Operations 8 the monitoring of the conduct of clients. Such data shall be retained for ten years after the service provision or the termination of the relationship with the client concerned. Article 16

1. An institution shall keep an overview of the integrity-sensitive positions in its organization and of the duties, powers, and responsibilities belonging to each of the positions.
2. An institution shall dispose of written procedures and measures safeguarding that integrity-sensitive positions are only held by persons whose integrity it has assessed and continues to assess in a substantiated manner.
3. The work carried out in implementation of the first and second paragraph and the outcome of that work shall be recorded in writing by the institution. §4 Entry into force Article 17 The Directive shall enter into force on March 1, 2015.

Directive on Sound Business Operations 9 ANNEX A1 CRIMINAL ANTECEDENTS Criminal antecedents shall in any case include:

1. Convictions for violation criminal provisions (including abroad) The person concerned has been convicted by court decision for attempting to, preparing, committing (or arranging for third parties to commit), inciting (including unsuccessful incitement), participating in and/or complicity in: Criminal Code of Aruba (AB 2012 No. 24):

• public order and discrimination (Articles 2:49 through 2:97);
• crimes endangering public safety (Articles 2:98 through 2:127);
• public authority (Articles 2:128 through 2:164);
• perjury (Articles 2:165 through 2:168);
• currency offenses (Articles 2:169 through 2:172);
• forgery offenses other than currency offenses (Articles 2:175 through 2:182 and 2:184 through 2:188);
• sex crimes (Articles 2:193 through 2:209);
• threat of violence or crime (Articles 2:254 through 2:255);
• violent crimes against life (Articles 2:259 through 2:268);
• assault (Articles 2:273 through 2:276);
• involuntary manslaughter and bodily injury (Articles 2:282 and 2:283);
• simple theft (Article 2:288);
• aggravated theft (Articles 2:289 through 2:291);
• distortion (Articles 2:294 through 2:295);
• embezzlement (Articles 2:298 through 2:302);
• deceit (Articles 2:305 through 2:324);
• prejudice to creditors or persons having title (Articles 2:327 through 2:332);
• destruction (Articles 2:334 through 2:339);
• serious offenses involving abuse of office (Articles 2:344 through 2:363);
• handling stolen goods and knowingly handling stolen goods (Articles 2:397 through 2:399);
• money laundering (Articles 2:404 through 2:406);
• stating a false name, title, etc. (Articles 3:17 through 3:19);
• unauthorized exercise of a profession (Article 3:26);
• creating the impression of officially supporting or recognized acting (Article 3:20);
• acting on one’s own authority during a moratorium (Article 3:37). General State Ordinance on Taxes (AB 2004 No. 10):
• violation tax legislation (Articles 68 and 70).

Directive on Sound Business Operations 10 State Ordinance on Narcotics (AB 1990 No. GT 7):

• intentionally importing, exporting, transiting, preparing, treating, processing, selling, delivering, transporting, owning, having in one’s possession, using, manufacturing hard drugs and soft drugs (Articles 2 through 4). Firearms Ordinance (AB 1998 No. GT 3):
• having a firearm in one’s possession without authorization (Article 3). Weapons Ordinance (AB 1998 No. GT 4):
• having a weapon in one’s possession without authorization (Article 1). State Ordinance on Road Traffic (AB 1997 No. 18):
• joyriding (Article 3);
• other facts relating to road safety (Article 4);
• driving under the influence (Article 5);
• driving a motor vehicle after a driving ban (Article 6);
• driving a motor vehicle after a driving disqualification (Article 8);
• refusing to cooperate in an investigation (Article 40, paragraph 2);
• driving a motor vehicle provided with a false license plate (Article 17, paragraph 2, subparagraph d). Convictions shall also include convictions abroad for violating one or more criminal provisions applicable there, which are comparable to those mentioned above.

2. Transactions The person concerned made a voluntary payment, referred to in the Criminal Code of Aruba, for one or more of the criminal offenses mentioned above in paragraph 1. Transactions shall also include transactions abroad with the competent authorities, regarding the violation of one or more criminal provisions applicable there, which are comparable to those mentioned above.
3. (Conditional) dismissal, acquittal, or discharge from prosecution (including abroad) The person concerned is not prosecuted (any longer), or is acquitted, or discharged from prosecution for one or more of the criminal offenses mentioned above in paragraph 1. A (conditional) dismissal, no further prosecution, acquittal, or discharge from prosecution shall also mean similar judgments and measures abroad for the violation of one or more criminal provisions applicable there, which are comparable to those mentioned above.

Directive on Sound Business Operations 11 4. Other facts or circumstances Other facts or circumstances that can be of importance in reason to the supervisor to assess the integrity of the person concerned, such as evidenced by official reports or reports drawn up by the officials authorized to investigate criminal offenses, indicating that the person concerned could be (have been) involved in one or more of the criminal offenses mentioned in paragraph 1. Official reports or reports shall also include similar documents with equal evidentiary value, drawn up by the officials authorized to investigate criminal acts abroad regarding criminal provisions applicable there, which are comparable to those mentioned above in paragraph 1.

Directive on Sound Business Operations 12 ANNEX A2 CRIMINAL ANTECEDENTS Convictions (including abroad) The person concerned has been convicted by irrevocable court decision for attempting to, preparing, committing (or arranging for third parties to commit), inciting (including unsuccessful incitement), participating in and/or complicity in:

• terrorist financing (Article 2:55 Criminal Code of Aruba);
• participation in an organization, the object of which is to commit crimes or to commit terrorist crimes (Articles 2:79 and 2:80 of the Criminal Code of Aruba);
• perjury (Articles 2:165 of the Criminal Code of Aruba);
• forgery of documents (Articles 2:184 through 2:188 of the Criminal Code of Aruba);
• aggravated theft (Articles 2:289 through 2:291 of the Criminal Code of Aruba);
• embezzlement (Articles 2:298 through 2:301 of the Criminal Code of Aruba);
• prejudice to creditors or persons having title (Articles 2:327 through 2:332 of the Criminal Code of Aruba);
• knowingly handling stolen goods (Article 2:397 of the Criminal Code of Aruba);
• money laundering (Articles 2:404 through 2:406 of the Criminal Code of Aruba);
• violation of a provision from the sectoral supervisory state ordinances, for which the person concerned has been sentenced to an unconditional punishment or a fine of at least the fourth category. Convictions shall also include convictions abroad for violating one or more criminal provisions applicable there, which are comparable to those mentioned above.

Directive on Sound Business Operations 13 ANNEX B FINANCIAL ANTECEDENTS Financial antecedents, which are of importance to the assessment of the underlying action(s), shall in any case include: Personal

• the person concerned had considerable personal financial difficulties, which led to legal, debt collecting, or debt recovery proceedings;
• a moratorium, bankruptcy, debt rescheduling, or composition with creditors was applied for and/or ordered with regard to the person concerned;
• the person concerned is currently involved or expects to become involved in one or more legal proceedings in connection with personal financial difficulties (in Aruba or elsewhere);
• according to general standards, the personal financial commitments of the person concerned are not in healthy financial proportion to the income and/or capital. Commercial
• the current or one of the former employer(s) or any corporation or legal entity, at which the person concerned holds or held a position as a person determining or co-determining the policy, exercises or exercised actual control over the policy, or is or was otherwise (jointly) responsible for the policy, has significant financial difficulties;
• a moratorium or bankruptcy has been applied for or ordered as regards the current or one of the former employer(s) or any corporation or legal entity, at which the person concerned holds or held a position as a person determining or co-determining the policy, exercises or exercised actual control over the policy, or is or was otherwise (jointly) responsible for the policy;
• the person concerned has been ordered to pay outstanding debts because of liability for the bankruptcy of a corporation or legal entity. Other facts or circumstances Other facts or circumstances regarding the person concerned, which indicate involvement of the person concerned in one or more financial actions, insofar as they can be of importance to the CBA in reason to assess his integrity.

Directive on Sound Business Operations 14 ANNEX C SUPERVISION ANTECEDENTS Supervision antecedents, which are of importance to the assessment of the underlying action(s) of the person concerned, shall in any case include:

• the provision of incorrect and/or incomplete data (including in the PQ) to a supervisory body (in Aruba or elsewhere);
• an admission, license, or exemption was refused by a supervisor to the person concerned or a corporation or legal entity at which the person concerned holds or held a position as a person determining or co-determining the policy, exercises or exercised actual control over the policy, or is or was otherwise (jointly) responsible for the policy;
• an admission, license, or exemption granted to the person concerned or a corporation or legal entity at which the person concerned holds or held a position as a person determining or co￾determining the policy, exercises or exercised actual control over the policy, or is or was otherwise (jointly) responsible for the policy was revoked by the supervisor;
• a measure has been imposed by a supervisor (in Aruba or elsewhere) on the person concerned or a corporation or legal entity at which the person concerned holds or held a position as a person determining or co-determining the policy, exercises or exercised actual control over the policy, or is or was otherwise (jointly) responsible for the policy;
• a declaration of no objection by the Minister of Justice concerning the incorporation of or the amendment to the articles of incorporation of a corporation has been refused based on grounds mentioned in Article 38, second paragraph, Article 155d, second paragraph, of the Code of Commerce, and Article 12, first paragraph, of the State Ordinance on the Limited Liability Company to the person concerned or a corporation or legal entity, at which the person concerned holds or held a position as a person determining or co-determining the policy, exercises or exercised actual control over the policy, or is or was otherwise (jointly) responsible for the policy. Other facts or circumstances Other facts or circumstances regarding the person concerned, which indicate involvement in one or more actions as regards which rules have been laid down in Aruban or foreign supervisory legislation, which action or actions can be of importance to the CBA in reason for the assessment of his integrity.

Directive on Sound Business Operations 15 ANNEX D TAX ANTECEDENTS Tax antecedents, which are of importance to the assessment of the underlying action(s) of the person concerned, shall in any case include: Personal An irrevocable negligence penalty was imposed on the person concerned or proceedings are pending against the person concerned that could lead to the imposition of an irrevocable negligence penalty based on one or more of the criminal offenses listed below from the General State Ordinance on Taxes (AB 2004 No. 10):

• not complying with obligations to provide information (Article 54);
• intentionally filing a false or incomplete tax return (Article 57);
• due to the intent or gross negligence of the taxpayer, a tax assessment was set at too low an amount, or insufficient tax was levied otherwise (Article 58);
• due to the intent or gross negligence of the taxpayer or withholder, tax has not been paid at all, in part, or within the period set (Article 59). Commercial As regards a tax subject whose policy was (co-)determined by the person concerned, an irrevocable negligence penalty was imposed, or proceedings are pending, which could lead to imposing a negligence penalty based on one or more of the criminal offenses listed below from the General State Ordinance on Taxes:
• not complying with obligations to provide information (Article 54);
• intentionally filing a false or incomplete tax return (Article 57);
• due to the intent or gross negligence of the taxpayer, a tax assessment was set at too low an amount, or insufficient tax was levied otherwise (Article 58);
• due to the intent or gross negligence of the taxpayer or withholder, tax has not been paid at all, in part, or within the period set (Article 59). Other facts or circumstances Other facts or circumstances regarding the person concerned, which indicate involvement in one or more actions, insofar as they can be of importance to the CBA in reason. Depending on the specific situation of the case, this may include - inter alia - aforementioned criminal offenses, also if no negligence penalty has been imposed.

Directive on Sound Business Operations 16 ANNEX E OTHER ANTECEDENTS Other antecedents, which are of importance to the assessment of the underlying action(s) of the person concerned, shall in any case include:

• the person concerned is or has been subject to a procedure for taking disciplinary measures or other similar measures on the part of a professional organization in or outside Aruba, and this procedure led to measures against the person concerned;
• the person concerned is or has been involved in any conflict with his current or former employer regarding the incorrect performance of his duties or compliance with standards of conduct in connection with that performance of duties, and this conflict led to the imposition of a sanction under employment law on the person concerned (such as a warning, reprimand, suspension, or dismissal). Other facts or circumstances Other facts or circumstances regarding the person concerned, insofar as they can be of importance to the CBA in reason.

Directive on Sound Business Operations 17 General Explanatory Notes

1. Introduction On January 1, 2013, the State Ordinance on the Review of Sectoral Supervision Legislation (AB 2012 No. 55) has entered into force. The following State Ordinances have been reviewed:

• State Ordinance on the Supervision of the Credit System (AB 1998 No. 16: “SOSCS”);
• State Ordinance on the Supervision of the Insurance Industry (AB 2000 No. 82: “SOSIB”);
• State Ordinance on the Supervision of Money Transfer Companies (AB 2003 No. 60: “SOSMTC”);
• State Ordinance on the Supervision of Trust Offices (AB 2009 No. 13: “SOSTSP”). Aforementioned State Ordinances are hereinafter jointly referred to, together with the State Ordinance on the Supervision of Company Pension Funds (AB 1998 No. GT 17: “SOCOPF”), as: supervisory state ordinances. With the entry into force of the State Ordinance on the Review of Sectoral Supervision Legislation, a provision has been introduced concerning the sound business operations of supervised institutions. Furthermore, the provisions concerning the integrity and suitability of directors, other (co-)policymakers, members of the supervisory board or a similar body, and holders of a qualified holding have been reviewed and harmonized. The SOCOPF was already reviewed accordingly by means of the entry into force as of January 1, 2012 of the Ordinance amending the State Ordinance on General Pension (AB 2011 No. 86). The supervisory ordinances stipulate that an adequate policy on an ethical conduct of the business must be pursued, and that the business operations should be organized in such a way that the ethical conduct of the business is safeguarded. In the SOSCS, SOSIB, SOSMTC, and SOSTSP, this provision is aimed at the supervised institution. In the SOCOPF, this provision is directly aimed at the management of the company pension fund. It has also been stipulated that the CBA may give directives concerning the ethical conduct of the business and/or the ethical performance of duties and the integrity and suitability screening.2 This Directive contains uniform provisions for all sectors falling under the scope of the supervisory state ordinances, viz.: credit institutions, electronic money institutions, insurers, also including captive insurance companies, referred to in Article 1 of the State Decree on Captive

2 Article 19a, third paragraph, of the SOSCS, Article 14d, third paragraph, of the SOSIB, Article 6, third paragraph, of the SOSMTC, Article 6, third paragraph, of the SOSTSP, Article 7, first paragraph, of the SOCOPF.

Directive on Sound Business Operations 18 Insurance Companies (AB 2002 No. 50), insurance brokers3, money transfer companies, trust offices, and company pension funds. The Directive contains an elaboration of the provisions of the sectoral supervisory legislation with regard to sound business operations and the integrity and suitability. Integrity is an internationally accepted condition for a sound financial sector. An institution should avoid becoming involved in acts contrary to the law and/or acts contrary to socially accepted standards. The ratio hereof is the confidence of inter alia the public. Integrity forms one of the pillars of this confidence. Given the diversity and size of the institutions to which this Directive applies, a principle-based approach has also been opted for in this Directive. This means that the (minimum) standard has been included in the Directive. It is the responsibility of the institution to give adequate substance to the standards included in the Directive, depending on the nature, size, complexity, and risk profile of its business. At such time, the institution can also be guided by the contents of these explanatory notes. It may also be expected from an institution that it takes knowledge of and is familiar with the relevant international standards and guidance documents (such as documents of the Basel Committee on Banking Supervision, the International Association of Insurance Supervisors, and the International Organization of Pension Supervisors). 2. Ethical conduct of the business Acting with integrity is the institution’s own responsibility and is in the interest of the institution itself. Institutions should pursue an adequate policy on the ethical conduct of their business and organize their business operations in such a way that the ethical conduct of their business is safeguarded. The above entails the awareness, promotion, and maintenance of ethical conduct within all layers of the organization. The institution itself decides how substance will be given to the policy and how the business operations will be organized, albeit that the supervisory state ordinances indicate the minimum objectives of the policy and business operations: a. avoiding conflicts of interests; b. combating money laundering and terrorist financing; c. complying with the rules laid down by or pursuant to the State Ordinance on the Prevention and Combating of Money Laundering and Terrorist Financing (“AML/CFT State Ordinance”) or any other statutory regulation concerning the prevention and combating of money laundering and terrorist financing; d. discouraging criminal offenses or other violations of the law by the institution or its employees, which could prejudice the confidence in the institution or the financial markets;

3 Pursuant to Article 4, paragraph 3, of the State Decree on the Supervision of Insurance Brokers (AB 2014 No. 6), Article 14d of the SOSIB is equally applicable to insurance brokers.

Directive on Sound Business Operations 19 e. discouraging relationships with clients or other business relations that could prejudice the confidence in the institution or the financial markets; and f. discouraging other acts by the institution or its employees, which are contrary to what is accepted according to unwritten law to such an extent that the confidence in the institution or in the financial markets could be prejudiced by it.4 These standards are further specified in this Directive. The institution should carry out a systematic analysis of the integrity risks. Based on the outcome of such an analysis, the integrity policy and the related procedures and measures are drawn up and implemented. 3. Integrity and suitability Reliable and suitable directors, other (co-)policymakers, members of the supervisory board or of the body of the institution that has a task similar to that of the supervisory board, and reliable holders of a qualified holding contribute to a stable and ethical financial sector. The purpose thereof is that clients and other stakeholders can rely on financial institutions. For that reason, the integrity and/or suitability of aforementioned persons is/are screened. The integrity screening is based on facts, circumstances, and antecedents showing that the behavior exhibited by the person concerned is not in line with an ethical performance of the duties of the person concerned. The suitability screening is aimed at the assessment of the knowledge, skills, and professional conduct of the person concerned. The suitability screening takes into account the (intended) position of the person, the nature, size, complexity, and risk profile of the institution, and the composition and performance of the collective. The statutory requirement of integrity and suitability should be met on an ongoing basis. 4. Consultation The SOSCS and SOSIB state that the directives given by the CBA with regard to sound business operations and the integrity and suitability screening can only be given or modified after consulting with the relevant representative organizations.5 For that reason, the CBA consulted with the representative organization of the banks, the Aruba Bankers Association (ABA), and the representative organization of the insurers, the Insurance Association of Aruba (IAA). In addition, the CBA voluntarily sent a draft of the directive to the registered money transfer companies, trust offices, and company pension funds for comments.

4 Article 19a, second paragraph, of the SOSCS, Article 14d, second paragraph, of the SOSIB, Article 6, second paragraph, of the SOSMTC, Article 6, second paragraph, of the SOSTSP, Article 6, second paragraph, of the SOCOPF. 5 Article 19a, fourth paragraph, of the SOSCS, Article 14d, fourth paragraph, of the SOSIB.

Directive on Sound Business Operations 20 Explanatory notes on individual articles Article 2 The integrity screening is aimed at facts and circumstances that are relevant for determining whether the behavior exhibited by a director, other (co-)policymaker, member of the supervisory board or of the body of the institution that has a task similar to that of the supervisory board, or the holder of a qualified holding is in line with the ethical performance of the duties of the person concerned. Such facts and circumstances include inter alia: a. not telling the truth; b. no disclosing subjects relevant to the supervision; c. not handling confidential information in a discrete manner; d. not fulfilling directives or arrangements; and e. acting irresponsibly in the practice of their profession. In this connection, antecedents are understood to be inter alia:

• criminal antecedents (Annexes A1 and A2);
• financial antecedents (Annex B6 );
• supervision antecedents (Annex C7);
• tax antecedents (Annex D8);
• other antecedents (Annex E9).

6 The financial antecedents that (can) give an indication or risk of failure concerning the integrity have been included in Annex B. These are divided into personal and commercial. The personal financial antecedents mainly relate to the personal financial situation. The commercial antecedents reflect on possible financial difficulties that have occurred or are occurring at an institution where the person concerned has or had (joint) responsibility for the policy. 7 Annex C pertains to the relationship with the supervisory body/bodies in terms of integrity. Not every disagreement with the supervisory body leads to a non-integrity judgment. However, a tendency to refuse to comply with formal and valid decisions of the supervisory body, as well as intentionally providing incorrect or incomplete information lead to unreliability. 8 Annex D concerns the tax antecedents that are divided into personal and commercial. The personal tax antecedents relate to the question whether the person concerned was ever imposed an irrevocable tax negligence penalty and/or whether proceedings are pending that may result in imposing a tax negligence penalty. The commercial tax antecedents reflect on any tax negligence penalties imposed or pending procedures that could lead to imposing a tax negligence penalty as regards a taxpayer whose policy is/was (co-)determined by the person concerned. 9 Annex E contains the item ‘other antecedents’. This also includes conflicts or incidents with the previous employer regarding the correct interpretation of his position or compliance with standards of conduct associated with the performance of those duties, and this conflict has led to the imposition of a sanction under employment law on the person concerned (for instance, in the form of a warning, reprimand, suspension, or dismissal), or the person concerned is subject to a procedure for taking disciplinary or other similar measures by or on behalf of an organization of professional of the person concerned in or outside Aruba, and this procedure has led to measures.

Directive on Sound Business Operations 21 Only the antecedents stated in Annex A2 form an exhaustive list. The other Annexes contain a nonexhaustive list. Given the nature and seriousness of the criminal offenses listed in Annex A2, the acts on which those criminal offenses are based, if less than 8 years have expired since the date on which the judgment became final, are deemed incompatible, in principle, with the interests the sectoral supervisory state ordinances seek to protect, unless there clearly is question of mitigating circumstances (for instance, the youthful age of the offender when the criminal offense was committed). Therefore, the CBA should still form its own (marginal) opinion. If 8 years have expired since an irrevocable conviction for a criminal offense listed in Annex A2, the CBA will (re)assess whether, because of the passage of time, the weight of the antecedent is less important and/or whether the acts on which the criminal offense is based are still incompatible with the interests the relevant supervisory state ordinance seeks to protect (after all, the criminal offenses mentioned in Annex A2 are also mentioned in Annex A1). In case of criminal offenses, as listed in Annex A1, the CBA should form its own opinion on these antecedents. An antecedent that in itself would be of little significance to the CBA, combined with other factors or acts of the person concerned, could be the “straw that breaks the camel’s back” and thus imply that the CBA is of the opinion that the person’s integrity is not beyond doubt. This means, for example, that an acquittal by the criminal court or not imposing a particular criminal sanction does not mean, beforehand, that there could be no doubt as to the integrity of the person concerned. Article 3 The institution itself is responsible for ensuring that its directors, other (co-)policymakers, members of the supervisory board or of the body that has a task similar to that of the supervisory board are suitable both individually and collectively. If the institution does not sufficiently determine suitability in the opinion of the CBA, the test may be shifted back to the institution. It is important that the nominated person is suitable for the position. The person concerned should dispose of sufficient knowledge, skills, and professional conduct to perform the duties in an adequate manner. Knowledge is about what one knows and what substantive insights the person concerned has acquired. Skills indicate what someone can and are used to show certain behavior in specific situations, for instance in negotiation processes, during interviews, or in actual practice. Professional behavior includes the personal characteristics and acts that reflect the attitude or style in the workplace, in the boardroom, and in relation to clients, the CBA, and other stakeholders. Suitability can be

Directive on Sound Business Operations 22 proven inter alia by means of education, relevant (work) experience, and competences. Education and experience may not be too outdated, given the rapid developments within the financial markets. Relevant work experience is understood to be the experience gained in a work environment that corresponds with the type of institution and/or the type of position that the person concerned holds or will hold. Competences may also have been acquired elsewhere. Competences considered relevant are - inter alia:

• authenticity;
• decisiveness;
• communication skills;
• helicopter view and opinion forming;
• customer-focused and quality-oriented;
• leadership;
• loyalty;
• sensitivity to the environment;
• independence;
• negotiation skills;
• persuasiveness;
• collaborative skills;
• strategic control;
• stress-resistant;
• responsibility;
• chairman skills. These competences are neither cumulative nor exhaustive. This means that other competences may also be used by the institution to prove suitability. It is up to the institution to determine which competences are important to a particular position and then to prove, together with the person concerned, which competences the person concerned has, and how he applies them. To provide an insight into competences, an institution could arrange for an assessment to be performed (for example, by a specialized agency). What competences are important also depends on the position, nature, size, complexity, and risk profile of the institution and the composition and performance of the collective of which the person concerned forms or will form part. The competences required may differ per position and per institution. A director, other (co-)policymaker, or member of the supervisory board or of the body that has a task similar to that of the supervisory board must dispose of knowledge, skills, and professional conduct in various areas. To this end, the person concerned should (constantly) be suitable with regard to at least the topics mentioned below: a) governance, organization, and communication, including managing processes, areas of responsibility, and employees, complying with and enforcing generally accepted social, ethical, and professional standards, including timely, accurately, and clearly informing the CBA;

Directive on Sound Business Operations 23 b) products, services, and markets in which the institution or enterprise is active, including relevant legislation and financial (and actuarial) aspects; c) controlled and sound business operations; and d) balanced and consistent decision-making, in which the interests of customers clients and other stakeholders play a key role. Article 4 This Article contains a (nonexhaustive) enumeration of the agencies or persons and other information used by the CBA to gain insight into the intentions, acts, and antecedents of the person concerned, as well as his knowledge, skills, and professional conduct. Integrity and suitability are assessed by means of inter alia the information as laid down in the screening form drawn up by the CBA (“Personal Questionnaire” or “PQ”). The PQ is available via the website of the CBA or can be sent on request. The filled out PQ should be submitted together with the following documents:

• a certified copy of the passport of the person concerned;
• an extract from the Civil Registry of the person concerned;
• a certificate of good conduct of the person concerned;
• a copy of test results of any assessment with respect to the integrity or suitability by a regulator (in Aruba or elsewhere) in charge with financial supervision of the person concerned;
• copies of certificated qualifications of the person concerned;
• the curriculum vitae of the person concerned;
• the acceptance and selection policy and the procedure based on it;
• the position profile;
• information about the decision-making process concerning the selection of the person concerned and the grounds on which it is based. Of course, the CBA is at liberty to ask for additional information to assess the integrity and suitability. Article 5 The purpose of this Article is to avoid conflicting interests as a result of the combination of several (policy-determining) positions. The CBA will assess whether the other position held by the person concerned does not take too much time to enable the person concerned to perform the duties at the institution in an adequate manner. The CBA will also include in its assessment whether the interests by which the person considered is deemed to be guided in the other position are not contrary or could be contrary to the interests the person concerned will have to observe within the framework of his position at the institution. With a view to the protection of the integrity and reputation of the institution and the sector to which the institution belongs, the appearance of a conflict of interest should also be avoided at all times. Thus, the CBA will always

Directive on Sound Business Operations 24 emphatically include in its assessment the possible conflicts of interests in case of an intended appointment of a (local) PEP (politically exposed person) to a (co-)policy-determining position at an institution, and the CBA may ask both the institution and the person concerned to substantiate that there cannot be question of (the appearance of) conflicts of interests. In line with Article 1 of the AML/CFT State Ordinance, a PEP is understood to be a person who holds a prominent position or has held one in the past 5 years, as well as direct family members and associates of such a person. They will in any case include:

• heads of state, government leaders, ministers, and state secretaries;
• members of parliament;
• members of supreme courts, constitutional courts, and other high courts of justice rendering judgments that can no longer be appealed from, as a rule;
• members of audit offices;
• ambassadors and chargés d’affaires;
• high-ranking army officers;
• members of administrative, executive, or supervisory bodies of publicly-owned companies;
• positions held at international level, such as a representative at the United Nations. Article 6 The integrity and suitability of the person concerned are assessed by the CBA before the duties may be performed. However, integrity and suitability are requirements to be fulfilled on an ongoing basis. The CBA may deem a reassessment necessary, if facts and/or circumstances give rise to this in reason. Of course, the CBA may exercise its regular supervisory powers to determine whether there is question of a reasonable cause. Examples of reasonable causes for reassessment are: a. A drastic change in the risk profile, nature, size, complexity of the supervised institution (for instance, in case of a significant/high￾risk takeover). Under such circumstances, it may be desirable to reassess whether the current management board or supervisory board disposes of sufficient knowledge, skills, and professional conduct required by the changed circumstances. b. The findings arising from onsite inquiries. c. Information obtained from other supervisory bodies. d. Information from the media (for instance, possible involvement in objectionable practices). e. Departure of one director/supervisory director without an immediate replacement, while there are clear signs that the other board members/supervisory directors will be insufficiently able to take over adequately the duties of the departing member. f. A substantial change of roles within the collective (of one or more directors/supervisory directors).

Directive on Sound Business Operations 25 g. If governance gives cause to do so (for instance, in case of a director-major shareholder structure with insufficient checks and balances). h. Demonstrable ‘Sun King’ behavior (strong leaders who do not tolerate contradiction/criticism). i. In case of any, in the opinion of the CBA, inadequate action of the management board/supervisory board during incidents. j Antecedent (for instance, the CBA imposed an administrative fine on the institution or director). k. An unexpected, significant deterioration of the results. l. Concern about ethical and controlled business operations; inadequate financial and regulatory reports; offering controversial/harmful products or providing incorrect, unclear, and/or misleading information (complaints of clients about negligent service). m. Continuous serious concerns of the CBA about the business model or strategy used with little insight into improvement. n. Continuous serious concerns of the CBA about the corporate culture with little insight into improvement. o. Continuous serious concerns about the setup and performance of compliance with little insight into improvement. p. Structurally not responding or not responding in time to requests of the supervisory body. q. High staff turnover, while there are signs that this is related to the corporate culture, including the manner in which the institution or enterprise is managed. r. (Repeatedly) violating laws and regulations. Whether the CBA proceeds to reassessment depends on the specific circumstances of the case (for example, the nature and seriousness of the violation, the culpability of the person concerned, and the interests at stake, including those the law in question seeks to protect). If the CBA proceeds to rescreening, this screening will be focused on the conduct and actual performance of the person concerned in actual practice: how did he or she use his or her knowledge and skills, and how do the decision-making and setup of the business operations, for example, show professional conduct? Article 7 An institution should dispose of clearly formulated policy starting points and procedures and measures to control integrity risks. These risks may arise from activities, relationships, and acts of all parts of an institution. Therefore, it is important that an institution systematically performs an analysis of the integrity risks related to inter alia its organization structure, business culture, clients, the jurisdictions where its clients are domiciled, products and services, and the method of offering its products or providing its services. An analysis of integrity risks consists of an assessment of the nature, the degree of likelihood,

Directive on Sound Business Operations 26 and the impact of these risks. Integrity risks differ per institution and per sector to which an institution belongs, while one business unit of an institution could be exposed to other or greater risks than the other. An institution should complete the following phases to recognize and control integrity risks: (i) risk analysis; (ii) policy determination; (iii) policy implementation, and (iv) evaluation and adjustment. (i) Risk analysis: An institution itself should properly assess integrity risks. Integrity risks are - inter alia - money laundering, terrorist financing, and proliferation financing, corruption, conflict of interests, and several types of fraud (internal/external). For the purpose of this analysis, the institution itself will constantly screen is own organization to see which units of the institution entail integrity risks. (ii) Policy determination: Based on the results of the analysis, an institution prepares its policy to limit and control the risks. Subsequently, an institution converts the policy into organizational and administrative procedures and measures. The elements for which an institution must dispose of procedures and measures have been elaborated in Articles 8 through 16. (iii) Policy implementation: An institution expressly makes the policy and procedures and measures known to all layers and/or units of the organization and implements them. An institution stimulates the application of the policy and compliance with the procedures and measures within the organization. Ongoing training is an important tool to guarantee the effective implementation within the organization. (iv) Evaluation and adjustment: Finally, an institution periodically evaluates the effectiveness and news value of the policy and the procedures and measures. Such an evaluation must show that the institution concerned (a) has been organized in such a manner that the integrity risks are controlled, and (b) that the institution can act adequately against any incidents. An institution will adjust this policy, if necessary, to continue guaranteeing the ethical conduct of the business. Article 8 An integrity-aware business culture is understood to be an atmosphere and climate in which, apart from complying with rules and legislation, one also behaves or acts in a manner that can be explained and accounted for. A culture in which the professional, individual responsibility is stimulated and rewarded; a culture in which one does not only act according to the letter but also to the spirit of the law. The institution should take care of the awareness, promotion, and enforcement of the principles laid down in the policy, as well as the procedures and measures. These procedures and measures contribute to the creation of the business culture of the institution. The business

Directive on Sound Business Operations 27 culture is an important internal environment factor to embed ethical conduct. There are different elements an institution has to consider to guarantee an ethical business culture and thus sound business operations and to promote ethical conduct within the organization, such as:

• weighing of interests/acting in a well-balanced manner: recognizing and visibly including all relevant interests;
• acting consistently: acting in line with objectives and choices;
• negotiability: stimulating a positive critical attitude of employees and allowing the discussion of decisions, other opinions, mistakes, and taboos;
• exemplary behavior: tone and behavior at the top (personal integrity, including avoiding (the appearance of) conflicts of interests;
• feasibility: setting realistic targets and removing perverse incentives and temptations;
• transparency: recording and providing information on targets and fundamental choices to all stakeholders;
• enforcement: consequences are attached to noncompliance. The institution has to concretize the various elements in such a way that ethical conduct becomes a natural element of the business culture. The CBA can emphatically examine topics, such as leadership and leadership styles, beliefs and values of employees, the openness with which matters are discussed, and unconscious behavior patterns. The behavioral risks often already manifest themselves when everything still seems to be running smoothly financially. By quickly responding to behavioral signs, action can be taken before the risks materialize. When monitoring the compliance with this Article, the CBA may exercise its general supervisory powers, such as requesting information and entering all places. Within this framework, supervisors of the CBA may also attend a meeting of, for instance, the management board and/or supervisory board as an observer. The purpose of observation is to obtain information about the manner of consulting and acting during consultations and decision-making. Article 9 Credit institutions, electronic money institutions, and insurers do not apply a remuneration policy that can affect the solidity of the institution or the interests of their stakeholders, including clients, employees, shareholders, and investors. Such a remuneration policy does not contain any remuneration incentives that could lead to it that directors or employees of the institution let their own (short-term) interests prevail over the (long-term) interest of the institution. The recent international financial crisis has proven that a remuneration policy inciting to take excessive risks could undermine the effectiveness of a solid and efficient risk management and encourages behavior that is too risky. Perverse remuneration incentives are globally considered to be one of the causes of the recent international financial crisis. It concerns here, for instance, incentives that could lead to the disregard of the client

Directive on Sound Business Operations 28 interest, such as an unilateral orientation on the interest and profit realization in the short term. The undesired incentive effect can arise from the performance criteria chosen, but can also be caused by an undesirable high percentage of variable remunerations, while too much emphasis is placed on the pursuit of short-term objectives. The risks acceptable to a credit institution, electronic money institution, or insurer strongly depend on inter alia the financial situation of the institution in question, its strategy, risk appetite, and risk tolerance. Article 10 A conflict of interests, or the appearance thereof, may have negative consequences for both the clients of the institution and the institution itself. The (appearance of) conflicts of interests may also prejudice the confidence in the financial markets as a whole. Therefore, it is important that institutions dispose of policy to discourage conflicts of interests or the appearance thereof. The policy of the institution on conflicts of interests should make it clear how to deal with, for instance, personal, professional, and financial interests in relation to dealing with clients and other relations, dealing with (confidential) information, entering into client relationships, and engaging in other paid activities. When providing - and during the term changing - services of the institution (for instance, credits or insurances) to directors or other (co- )policymakers and members of the supervisory board (or a similar body) or to relatives of these persons, there is a risk of (the appearance of) conflicts of interests. This is notably the case when the service is provided based on conditions that are not in line with the market. For the purpose of avoiding conflicts of interests, the second paragraph contains provisions concerning the provision of services based on staff terms to directors or other (co-)policymakers. An institution may offer services on staff terms to directors or other (co- )policymakers. The conditions on which this takes place fall within the framework of the general employment conditions and should be adopted and recorded. It concerns here both financial conditions, such as pricing and discounts, and other conditions, such as terms and the income of the person to whom a credit is granted. The third paragraph attaches an additional condition to the provision of services to directors or other co-policymakers. As they themselves have a policy-determining role with regard to staff terms, the services provided to them under these conditions are subject to the obligation of approval by the supervisory board or a similar body. If these established staff terms are not used or are deviated from - for instance, with regard to the amount of the credit - commercial conditions and guarantees should apply pursuant to the third paragraph, subparagraph a. It is not allowed to favor directors or other (co-

Directive on Sound Business Operations 29 )policymakers outside the system. If services are only offered to directors and other (co-)policymakers and, consequently, not to third parties, conditions in line with the market should be applied. Given their supervisory position, services may only be provided to members of the supervisory board or a similar body and holders of a qualified holding on the usual commercial conditions pursuant to the third paragraph, subparagraph b. This also applies to relatives (not being employees) of members of the body charged with supervision, of directors, and other (co-)policymakers. In this connection, it should be noted that it concerns the separate provision of services to relatives. Thus, for instance, a mortgage credit in the name of the director or (co-)policymaker and his/her partner is not subject to the limitation of the second paragraph, subparagraph b. The “Supervisory Directive III.3 Credit extensions to insiders” should always be observed for credit institutions. Article 11 Protected accounts are accounts of which the data regarding the identity of a client are not visible, whereas these identity data are known (elsewhere) within the credit institution. The purpose of protected accounts usually is to protect the privacy and safety of the client(s) concerned. Although these are interests that can be justified in themselves, it is important, with a view to the associated risks, that credit institutions carefully open such accounts. Article 12 An (alleged) abuse may consist of a(n) (imminent) criminal offense, a(n) (imminent) violation of rules, a(n) (imminent) deliberate provision of incorrect information to (supervisory) bodies; improper conduct or omissions that form(s) a threat to the proper performance of the institution or (a threat of) deliberately withholding, destroying, or manipulating information about these facts. As the occasion arises, the designation of an external confidential adviser may be necessary for the purpose of the adequate implementation of the regulation. Article 13 An important element of the policy with regard to integrity is the handling and recording of acts or events that pose a serious threat to the ethical conduct of the business. It makes no difference whether the incident is caused by an act of staff members, directors, members of the supervisory board, or by natural persons or legal entities that carry out work for the institution in question. An act is understood to be both an act and an omission. Incidents are at any rate considered to be acts and events that led to or could lead to:

Directive on Sound Business Operations 30 a) a report to the judicial authorities; b) (possible) threat to the continued existence of the institution; c) serious shortcoming in the setup or effect of the procedures and measures for sound business operations; d) serious degree of publicity, financial consequences, or reputational damage for the institution or the sector. Examples of incidents are inter alia:

• (internal or external) fraud;
• raid by criminal authorities (search of premises) or onsite investigation by the Department of Taxes;
• legal cases that could have consequences for the financial position and/or the reputation of the institution or the sector;
• (temporary) failure or insufficient performance of the IT system;
• arrears in the disclosure of unusual transactions. The internal organization of an institution should be set up in such a way that incidents that could or have infringed the integrity of the institution are detected, recorded, and give rise to take corrective measures. In addition to measures against the person causing the incident, an institution will also have to take measures consisting of the improvement of internal procedures or the adjustment of the policy to prevent repetition of a similar incident and to control the underlying risk of the incident. An institution will promptly inform the CBA about incidents. This means that a written incident report has to be received by the CBA as soon as possible, but no later than within 2 workdays (48 hours) after the incident has been detected. An oral report on an incident should always be confirmed in writing within aforementioned period. Article 14 An independent compliance function is of importance to monitor the compliance with statutory regulations and internal rules and procedures and, consequently, for the ethical conduct of the business of the institution. The way in which this function is designed depends on the nature and size of the institution. The statutory requirements concerning the implementation of this function as regards the compliance with rules and legislation in the area of the prevention and combating of money laundering and terrorist financing have been laid down in Article 47, first paragraph, of the AML/CFT State Ordinance and part 2.5 of the Handbook for the prevention and detection of money laundering and combating the financing of terrorism for financial and trust services businesses regulated by the Central Bank of Aruba (AML/CFT Handbook) as regards credit institutions, life insurers, money transfer companies, and trust offices (the so-called Money Laundering Compliance Officer). The compliance officer has to perform his duties in an effective manner and be enabled to do so by the institution. Therefore, the compliance officer should have a thorough knowledge and experience and sufficient means and authority. Furthermore, the

Directive on Sound Business Operations 31 compliance officer should be independent. The compliance officer is responsible for assisting the management board of the institution with regard to the effective control of the (integrity) risks run by the institution. The duties of the compliance officer consist of inter alia:

• giving the management board advice, on request or otherwise, on the compliance with rules and legislation and the internal rules and codes of conduct, as well as keeping the management board informed of the developments in this area;
• preparing, implementing, adjusting, and maintaining appropriate strategy, policy, procedures and measures of an institution, including the ongoing training of employees, management board, and supervisory board;
• identifying and assessing the (integrity) risks;
• monitoring the compliance with statutory regulations and reporting to the management board and/or supervisory board on same;
• performing the duties in line with a compliance program. Depending on the type of institution, harmonization can be sought, when giving shape to the compliance function, with the international recommendations as laid down in the following publications: “Compliance and the compliance function in banks” of the Basel Committee on Banking Supervision, “Insurance Core Principles”, and “Issues Paper on Corporate Governance” of the International Association of Insurance Supervisors, “OECD/IOPS Good Practices for Pension Funds’ Risk Management Systems” of the International Organization of Pension Supervisors and the Organization for Economic Cooperation and Development. If an institution is of limited size, such as a small company pension fund, the compliance function can be combined with other appropriate functions, provided the independence of the function is not prejudiced, there is no question of a conflict of interests, and the duties can be performed properly. Article 15 The rules concerning client acceptance are in line with the mandatory client screening pursuant to the AML/CFT State Ordinance and the AML/CFT Handbook. Institutions to which the AML/CFT State Ordinance and the AML/CFT Handbook apply should comply with the regulations laid down in same, of course. A good understanding of the client and his risk profile and of the ultimate beneficiary is not only essential to combating money laundering and terrorist financing, however, but is also relevant to sound business operations. By closely monitoring its own clients and not entering into relations with persons that could prejudice the confidence in the institution, it can be avoided that the integrity of an institution is jeopardized. Therefore, this Article also applies to institutions to which the AML/CFT State Ordinance and the AML/CFT Handbook do not apply, such as nonlife insurers and brokers in nonlife insurances (exclusively). The scope and depth of the procedures and measures will depend on the nature of the risks. As

Directive on Sound Business Operations 32 regards nonlife insurers and brokers in nonlife insurance, for example, consideration could at any rate be given to the control of fraud risks. The institution has to divide its client basis into categories based on risks associated with the client concerned and risks associated with products and services. In addition, the institution has to investigate the background of the client. As the risk is larger, more data of persons or entities should be verified and additional measures should be taken to control the increased risk. Different acceptance procedures apply to the different risk categories. Pursuant to the AML/CFT State Ordinance, the institution will not proceed, in any case, to accepting a client, if his identity has not been sufficiently established. After acceptance, the institution should periodically test whether the client still meets the risk profile. If certain transactions show that the client deviates from the profile established earlier, the institution should verify which risks this could entail. The frequency and depth of that assessment depend on the risk classification of the client. An institution should carefully record all data used within the framework of the acceptance of a client to [sentence in the original text is not complete/translator], the analysis (considerations) of the client in relation to the products and services purchased by him, the underlying considerations and the results that led to acceptance of the client. Furthermore, this file also contains the measures taken with regard to the client concerned to control integrity risks. Finally, the file also contains the data concerning the continuous assessment as to whether the client still meets the risk profile. Article 16 An institution itself will screen the integrity of persons holding integrity-sensitive positions within its organization. That obligation does not only pertain to the appointment: the institution should continue making a substantiated assessment of the integrity of these persons on a periodic basis. The responsibility of the institution extends to all those holding such a position, including temporary workers. The institution may leave the assessment of the integrity of these persons to their (official) employer, but the institution remains responsible for the assessment at all times. For that purpose, the institution has to dispose of written procedures and measures concerning the screening of employees holding integrity-sensitive positions. The objective hereof should be: to maintain and promote the integrity of officers entering the employment of and employed by the institution and to create an integrity-aware company culture. If an institution has employed (in-employment screening) or employs (pre-employment screening) an employee who holds or will hold an integrity-sensitive position, the institution should form an opinion on

Directive on Sound Business Operations 33 the integrity of the person concerned. For that purpose, it may proceed to inter alia: a) explicitly asking the person concerned (by means of a job application form) about incidents from the past, which may be of importance to forming an opinion on his/her integrity; b) obtaining written information about the integrity of the person concerned from the employer(s) with whom the person concerned worked (for instance, the past five years), after the person concerned has given written permission for this; c) having the person concerned submit a certificate of good conduct within the meaning of the “State Ordinance on Judicial Documentation and Certificates of Good Conduct” (AB 1989 No. GT 83). Article 17 Given the contents of this Directive and the measures to be taken by the institution to comply with this Directive, the institution will have to comply with this Directive as of September 1, 2015. Thus, a reasonable period of six (6) months as of the date of entry into force is given to the institutions to comply with this Directive. Of course, this does not affect the fact that an institution should comply with the legal standard until September 1, 2015 and, based on the sectoral supervisory ordinance that applies to it, should pursue adequate policy on an ethical conduct of the business and should organize its business operations in such a way that the ethical conduct of the business is safeguarded.