Instruction No. 02 of 2023, dated 4 December 2023, on the obligations of financial institutions regarding anti-money laundering, counter-terrorist financing, and countering proliferation financing

Page 1 of 14 Ministry of Finance Financial Intelligence Processing Unit

Instruction No. 02 of 2023, dated 4 December 2023, on the obligations of financial institutions regarding anti-money laundering, counter-terrorist financing, and countering proliferation financing.

The President of the Financial Intelligence Processing Unit,

• Having regard to Law No. 05-01 of 27 Dhou el Hidjah 1425 corresponding to 6 February 2005, on the prevention and combating of money laundering and terrorist financing, as amended and supplemented,
• In accordance with Executive Decree No. 22-36 of first Joumada Ethania 1443 corresponding to 4 January 2022, defining the missions, organization, and functioning of the Financial Intelligence Processing Unit,
• After deliberation by the Council of the Financial Intelligence Processing Unit,

Issues the instruction as follows:

Article 1: This instruction aims to define the obligations related to anti-money laundering, counter-terrorist financing, and countering proliferation financing imposed on financial institutions.

Article 2: The terms and expressions contained in this instruction have the meanings attributed to them below:

Page 2 of 14 The Obligated Entities: "Financial institutions", according to the definition contained in Article 4 of Law No. 05-01 of 27 Dhou El Hidjah 1425 corresponding to 6 February 2005, on the prevention and combating of money laundering and terrorist financing, as amended and supplemented, include: banks and financial establishments, payment service providers, Algeria Post's financial services, other similar financial institutions, currency exchange offices and independent brokers, stock market operation intermediaries, account keepers, securities conservators, collective investment schemes in movable property, the Algiers Stock Exchange, the central depository (Algérie Clearing), venture capital companies, crowdfunding platform managers, insurance and reinsurance companies, insurance brokers (general agent, broker), factoring establishments. Client: A natural or legal person who deals with the financial institution. Occasional Client: A client not linked to the financial institution by a continuous business relationship. Business Relationship: The relationship established between the Client and any financial institution, linked to any activity. The Beneficial Owner: The natural person(s) who, ultimately:

1. Own or control the client, the client's agent, or the life insurance contract beneficiaries;
2. The natural person for whom a transaction is executed or on whose behalf a business relationship is concluded;
3. Persons who ultimately exercise effective control over the legal entity. The Politically Exposed Person (PEP): Any Algerian or foreign national, elected or appointed, who has held or holds high legislative, executive, administrative, or judicial offices in Algeria or abroad, as well as senior political party officials and persons who hold or have held important functions within or on behalf of an international organization. The Financial Group: A group consisting of a parent company or other type of legal entity holding majority shares and coordinating their functions with the rest of the group to apply or implement control over the group in accordance with fundamental principles, together with branches and/or subsidiaries subject to AML/CFT policies and procedures at the group level.

Article 3: Obligated entities must comply with the duty of vigilance and, to that end, must implement a written program for preventing, detecting, and combating money laundering and terrorist financing. They must take into account the commercial dimension and risks associated with AML/CFT, which include in particular:

• Policies,
• Procedures,
• Internal control.

Page 3 of 14 Chapter 1 - Risk-Based Approach Article 4: Obligated entities must take the following measures: a) Conduct an assessment of money laundering and terrorist financing risks by identifying, evaluating, and understanding these risks according to the nature and size of the establishment and the extent of its activities. This assessment must include:

• Inclusion of information or results from any risk assessments conducted by the State;
• Identifying, evaluating, and understanding risks related to clients, countries or geographic regions, products and services, operations, delivery channels or service provision channels;
• Taking into account all related risk factors before determining the overall risk level, and the appropriate level and type of measures to mitigate these risks. b) Update assessment processes periodically and as necessary; c) Document the assessment operations they conduct, update them, and preserve them; d) Establish an adequate mechanism to report the results of assessment operations to the supervisory body and competent authorities upon completion or upon request; e) Explain and disseminate risk assessment results to all staff.

Article 5: The risks referred to in Article 4 above must be analyzed and evaluated at regular and appropriate intervals, compatible with the nature and size of the institution, as well as the scale of its activities. Obligated establishments must also demonstrate to supervisory and competent authorities that the measures taken to identify and evaluate AML/CFT risks enable the following: a) Assess the risk profile of the commercial relationship with each Client; b) Identify changes in money laundering and terrorist financing risks, represented by new products and services offered through the application of new technologies to their services; c) Determine the expected purpose and nature of the relationship with each Client; d) Identify and recognize any changes related to money laundering and terrorist financing risks.

Article 6: Obligated entities must carry out the following: a) Identify and evaluate money laundering and terrorist financing risks associated with the development of new services or products and new professional practices, including new ways of providing services, and those resulting from the use of new or developing technologies in relation to each of the new and existing products; b) Conduct a risk assessment before launching products, practices, or technologies or their use; c) Take appropriate measures to manage and mitigate these risks, in addition to specific risks related to commercial relationships and transactions that do not involve the physical presence of the parties.

Article 7: Obligated entities must carry out the following: a) Establish policies, controls, and procedures approved by senior management enabling them to manage and reduce identified risks (according to their assessment or the national risk assessment), supervise them, and strengthen them if necessary; b) Take enhanced measures to manage and mitigate risks when high risks are identified; c) Take simplified measures to manage and reduce risks when low risks are identified; d) Ensure permanent compliance with these procedures and their regular updating; e) Monitor the implementation of these controls and strengthen them if necessary.

Page 4 of 14 Chapter 2 - Duties of Vigilance Towards Customers Article 8: Standards related to "customer due diligence" must take into account the basic elements of risk management and control procedures, including: a) New customer acceptance policy; b) Identification of customer identity, beneficial owner, and monitoring of movements and operations; c) Continuous control over all clients. With the obligation to obtain approval of the above procedures by the senior authority. Obligated entities must:

• Accurately examine transactions carried out throughout the business relationship to ensure they correspond with their knowledge of clients and their commercial activities, as well as their risk profile, including the source of funds where applicable;
• Ensure that documents, data, or information obtained following the application of due diligence are up-to-date and compatible with them, which includes reviewing existing elements, particularly for high-risk customer categories. Regarding clients existing at the time these new provisions enter into force, obligated entities must apply necessary due diligence measures according to the significance of the risks they represent, and must timely implement necessary due diligence measures for existing relationships, taking into account prior due diligence measures regarding clients at the time of their implementation and the importance of information obtained.

Page 5 of 14 Article 9: Obligated entities must, each within their respective scope, take the due diligence measures provided in this chapter when: a) They establish business relationships; b) They carry out an occasional transaction exceeding two million Algerian dinars or its equivalent in circulating legal foreign currency, including cases where the transaction is carried out as part of one or more transactions that appear linked; c) They carry out an occasional bank transfer exceeding 150 thousand Algerian dinars or its equivalent in circulating legal foreign currency, or multiple transactions that appear linked, and the total amount exceeds the fixed threshold; d) There is a suspicion of money laundering, terrorist financing, or proliferation financing, regardless of the minimum level stipulated in regulations; e) There is doubt regarding the accuracy or adequacy of previously obtained client identification data.

Article 10: Obligated entities must take customer identification measures for both regular and occasional, local or foreign clients, by obtaining the following information: a) If the client is a natural person:

• Verify the identity of the natural person through documents (notably valid original documents including a photo, namely national ID card, driver's license, passport for foreigners), and at minimum the client's name and surname, nationality, date and place of birth, permanent address, ID or passport number for foreign persons, place and date of issue, mother's name, social status, and spouse's name;
• Information on the client's economic activity: represented by the nature of work or activity, sources of income, and workplace address, employer name or employing organization, and monthly income value;
• Residence information: actual or current residence;
• Contact information: client's phone number and email address;
• Any other information that financial institutions deem necessary to obtain according to the nature and degree of risks. b) If the client is a legal person, including any type of non-profit organization, obligated entities must:

1. Understand the nature of the legal person and its activities, as well as its ownership and control structure;
2. Identify and verify the identity of the legal person by obtaining required information, including:

• Presentation of an original copy of its statutes and any document proving it is legally registered or approved, and has a real existence and address at the time of identification;
• Verification of the address by presenting an official proof-of-residence document;
• The powers governing and binding the legal person, as well as the names of persons holding management positions.

3. Determine the beneficial owners of clients and take adequate measures to verify their identity using associated information or data obtained from a reliable source, ensuring they know who the beneficial owner is;
4. For agents and brokers working on behalf of others, or any other person claiming to act on behalf of the client, obligated entities, in addition to the documents stipulated above, must verify the powers granted to them. A copy of each document proving identity, agency, and address must be preserved. In no case may obligated entities open or maintain anonymous or numbered accounts, or accounts under fictitious names, or deal with unidentified persons or persons bearing fictitious names, or fictitious banks.

Page 6 of 14 Article 11: When the risk of money laundering or terrorist financing appears low and it is necessary not to interrupt the normal course of business, the identity of the client and beneficial owner must be verified before or during the establishment of the business relationship, or the execution of transactions for occasional clients. Furthermore, obligated establishments may carry out verification after the establishment of the business relationship provided that:

• It occurs within reasonable timeframes;
• It is necessary not to disrupt the normal course of business;
• It manages money laundering and terrorist financing risks effectively. Obligated entities must adopt appropriate risk management measures regarding the circumstances in which the client may benefit from the business relationship before the verification operation. This operation must include a set of procedures:
• Determine restrictions, thresholds, or controls on the number and types/quantity of transactions or operations that may be carried out;
• Identify important or complex operations exceeding the thresholds provided for this type of relationship. Verification may not be deferred in the following cases:
• Presence of high-risk indicators;
• When there are suspicions of money laundering or terrorist financing;

Page 7 of 14

• When it concerns essential client identification information, namely: ID card or passport information, or identity documents related to the legal person.

Article 12: Obligated entities must take adequate measures according to the money laundering and terrorist financing risks arising from the client and the business relationship, to determine beneficial owners, and to determine if the beneficiary is a politically exposed person in the case of natural persons, and verify their identity through the following elements: a) Determine if the client acts for themselves and in their own interest; if so, they must sign a declaration attesting that they are the beneficial owner of the business relationship; b) In cases where the client does not act for themselves and in their own interest, or when obligated entities doubt the veracity of the client's declaration, they must determine the natural person(s) benefiting or ultimately and definitively controlling the business relationship, or the person(s) on whose behalf or for whom the transaction was executed, who exercise final and definitive control over the client's accounts, and determine the capacity in which the client acts on behalf of the beneficial owner; c) Apply the identification and identity verification procedures for natural persons provided in this instruction to the identified beneficial owner(s), in accordance with the provisions of the first paragraph of this article, so as to convince obligated entities that they have identified the beneficial owner.

Article 13: The beneficial owner(s) of the legal person are determined and necessary measures will be taken to verify their identity as follows: a) The natural person(s) directly or indirectly holding a percentage equal to or greater than 20% of the capital or voting rights; b) In cases where the identity of the beneficial owner(s) is not confirmed, or if it has not been determined after applying criterion (a), the beneficial owner is the natural person(s) exercising effective or legal control by any direct or indirect means over the administration, management bodies, or general assembly, or over the conduct of the legal person's affairs, through determining the content of decisions taken by the general assembly via voting rights held, or by enjoying, as a partner or shareholder, the power to appoint or remove the majority of the management or administration members, or control bodies, or other monitoring or control tools; c) In case of non-identification of beneficial owner(s) according to criteria (a) and (b), the beneficial owner is the natural person holding the quality of legal representative of the company in accordance with prevailing legislation.

Page 8 of 14 Article 14: To ensure that the data they hold on clients are up-to-date, obligated entities must update them annually, based on: a) The significance of the risks represented by the client; b) When they carry out an important operation that is not compatible with their knowledge of the client, commercial activities, and risk profile; c) Upon a basic modification of customer documentation standards, or a major change in account management mode, as well as in cases 4 and 5 provided for in Article 9 of this instruction. However, if an obligated establishment finds at any time that the information it holds regarding a client is insufficient, it must take necessary measures to obtain all useful information as soon as possible.

Article 15: Obligated establishments may apply necessary simplified due diligence measures to certain clients provided that low risks are identified and evaluated, and this assessment is consistent with national and sectoral risk assessments as well as their own evaluations. Their measures must be proportional to the lowest risk factors. Simplified measures consist in particular of: a) Verifying client and beneficial owner identity after the establishment of the business relationship; b) Reducing the frequency of updates to client identification elements; c) Reducing the intensity of continuous vigilance and the depth of transaction examination to a reasonable limit. Simplified due diligence measures are not acceptable in cases of suspicion of money laundering or terrorist financing, or in specific cases presenting higher risks.

Article 16: Insurance, reinsurance companies and intermediaries (general agent, broker) must take the following measures, in addition to the due diligence procedures required for clients and beneficial owners according to this chapter: a) Take due diligence measures on life insurance contract beneficiaries and other investment insurance products, upon identification or nomination of these beneficiaries:

1. Obtain the name of the person for specifically designated natural or legal beneficiaries;
2. Obtain sufficient information on named beneficiaries by attributes or categories (such as a husband or children at the time of the insured event) or by other means like a will, so that insurance/reinsurance companies and intermediaries can identify the beneficiary at the time of compensation;
3. Verify the identity of beneficiaries referred to in paragraph 1 of this article at the time of compensation. b) Consider the life insurance contract beneficiary as a risk factor to determine the applicability of required enhanced due diligence measures. When insurance/reinsurance companies and intermediaries succeed in considering the insurance beneficiary as a high-risk legal person, necessary enhanced due diligence procedures must be applied according to this instruction, including taking adequate measures to identify and verify the beneficial owner of an insurance contract at the time of compensation. Insurance/reinsurance companies and intermediaries must develop and take necessary measures to determine if a politically exposed person is a beneficiary or beneficial owner of a life insurance contract. If so, they must proceed as follows:

• Inform the senior authority before paying out from life insurance proceeds and conduct a careful review of the business relationship;
• Consider sending a suspicion report to the Financial Intelligence Processing Unit.

Page 9 of 14 Article 17: Obligated entities must have at their disposal an appropriate risk management system to determine whether a potential client, current client, or beneficial owner is a politically exposed person within the meaning of Law No. 05-01 of 27 Dhou al-Hijah 1425, corresponding to 6 February 2005, on the prevention and combating of money laundering and terrorist financing, as amended and supplemented, mentioned above, and to take all necessary measures.