Regulation (NAP) - Assessment and Management of Money Laundering and Terrorist Financing Risk

NAP PERMANENT APPLICABLE NORM COJGO S.F 12 PROPOSER(S) ENTRY INTO FORCE ISSUE DATE DOC NO FL 1/5 C.A. Subject: Assessment and Management of Money Laundering and Terrorist Financing Risk

Law No. 08/2013, dated October 15, "Law on the Prevention and Combating of Money Laundering and Terrorist Financing", establishes preventive and repressive measures to combat money laundering from illicit sources and terrorist financing, transposing into the domestic legal order the Recommendations of the Financial Action Task Force (FATF) regarding the prevention of using the financial system for money laundering and terrorist financing (ML/TF);

Considering that, within the framework of customer due diligence obligations, financial institutions are required to carry out identification, assessment, management, and mitigation measures for ML/TF risks;

Considering further the need for financial institutions to conduct an assessment of the ML/TF risks to which they are exposed, with a view to defining and applying mitigation measures (enhanced or simplified) according to the identified risk;

In these terms, the Central Bank of São Tomé and Príncipe, exercising the competence conferred upon it by letters d) and f) of paragraph 2 of Article 8 of its Organic Law, Law No. 8/92, combined with letter g) of paragraph 2 of Article 25 of the aforementioned Law No. 08/2013, determines the following:

Article 1. Scope and Purpose

This NAP defines rules and procedures for the assessment of ML/TF risks by financial institutions.

Article 2. Definitions

For the purposes of this NAP, it is considered that: a) Low risk, when entities, wealth sources, fund origins or corporate structures are easily identifiable or their operations usually appear adequate and in apparent conformity with the known profile of the client, whether an individual or a corporate entity. b) Medium risk, when factors exist that may lead to the worsening of a non-negligible risk for financial institutions, namely: the client's profession or activity, the entity's business object, the existence of some identification data and the transactional profile in the use of products and services. c) High risk, when: (i) entities fall within the criteria defined by financial institutions to consider client acceptance as conditional; (ii) factors considered strongly conducive to risk worsening are present, such as geographic criteria, politically exposed persons (PEP) status, clients whose risk is subject to manual allocation (due to specific occurrences indicating high risk); (iii) funding sources, identities and operations are not clear; and (iv) clients refuse to cooperate in providing required information or, by their nature, may directly or indirectly reveal higher risk for illicit practices.

Revocation Data: 09/04/2018 09/04/2018 07/2018

NAP PERMANENT APPLICABLE NORM COJGO S.F 12 PROPOSER(S) ENTRY INTO FORCE ISSUE DATE DOC NO FL 2/5 C.A.

Article 3. ML/TF Risk Assessment

1. The definition of the nature and extent of identity verification procedures and due diligence measures, under Article 10 of Law No. 08/2013, must be carried out within and in conformity with the global ML/TF risk management model defined by each financial institution, according to its specific profile.
2. Without prejudice to the legal and regulatory provisions governing their activity, financial institutions must, for the definition and execution of their respective ML/TF risk management model: a) Identify specific risks existing in the context of their specific operational reality, taking into account, among other aspects: i) Client risk profiles; ii) Forms and means of communication used in client contact; iii) Nature of transactions, products and services provided; iv) Nature of business areas developed; v) Nature, size and complexity of the institution's activity; vi) Distribution channels for products and services; vii) Degree of risk associated with the countries and geographical areas of the institution's operation; b) Assess identified risks and determine their level, as well as the potential financial or reputational impact, taking into account all relevant variables in the context of their specific operational reality, without prejudice to always considering at least the following aspects: i) The purpose of the business relationship, occasional transaction or operation in general; ii) The volume of assets to be deposited by a client or the volume of operations carried out; iii) The regularity or duration of the business relationship;

Revocation Data: 09/04/2018 09/04/2018 07/2018

Reviewed NAP PERMANENT APPLICABLE NORM COJGO S.F 12 PROPOSER(S) ENTRY INTO FORCE ISSUE DATE DOC NO FL 3/5 C.A.

c) Define, parameterize and implement control means and procedures that, given the size and organizational structure of the financial institution, are adequate for mitigating specific identified and assessed risks; d) Continuously evaluate the sufficiency and effectiveness of established control means and procedures.

Article 4. Determination of Client Risk Profile

Financial institutions must, for the purpose of determining clients' ML/TF risk profiles, classify them as follows: a) Low risk, when clients are classified under ML/TF risks 1 and 2; b) Medium risk, when clients are classified under ML/TF risks 3 and 4; c) High risk, when clients are classified under ML/TF risks 5 to 7.

Article 5. Duties of the Board of Directors

1. The Board of Directors of financial institutions must approve the internal policy on ML/TF risk management in a written document, which must detail: a) Risks inherent to the institution's specific activity and how it identified and evaluated them; b) Control means and procedures established and their adequacy for mitigating existing risks; c) How the institution monitors the adequacy and effectiveness of implemented controls.

2. The Board of Directors must also review at least annually the currency and adequacy of the policy set out in the preceding paragraph, so that it reflects any changes recorded in the institution's operational reality.

Article 6. Supervision

Within the scope of ML/TF prevention supervision, the Central Bank must: a) Monitor financial institutions' activities through: i) Analysis and evaluation of strategies, systems, models, policies, processes, procedures and controls applied by financial institutions, aiming to ensure assumptions regarding the effective management of ML/TF risks to which they are or may become exposed; ii) Analysis of the frequency, intensity and update of assessments, determining the quality of previous analyses, taking into account at least the size, nature, level and complexity of activities and the degree of exposure to ML/TF risk factors;

C 09/04/2018 09/04/2018 07/2018 Revocation Data:

NAP PERMANENT APPLICABLE NORM COJGO S.F 12 PROPOSER(S) ENTRY INTO FORCE ISSUE DATE DOC NO FL 4/5 C.A.

b) Define periodic information reports and, whenever justified, ad hoc information reports, requiring financial institutions to comply with reporting obligations within established deadlines; c) Conduct inspections in any facilities, whether or not affiliated to financial institutions, used for the exercise of their activities, and may require the presentation of any information or clarifications it deems relevant, including: i) On-site examination of information elements; ii) Extraction of copies and transcripts of all relevant documentation; iii) Summons of any person, for the purpose of hearing them and obtaining information; d) Issue recommendations and monitor compliance therewith; e) Draft specific directives aimed at remedying and preventing irregularities and require their compliance; f) Request any information or clarifications it deems necessary, especially for verification: i) Of its actual or potential risks and respective risk management and control practices; ii) Of the effectiveness of its internal control system regarding money laundering and terrorist financing prevention; iii) Of its administrative organization, particularly regarding the compliance function; iv) Of compliance with current legal and regulatory frameworks.

g) Inquire of any person or entity about information or clarifications needed for the exercise of its supervisory functions, and if necessary, summon them to provide statements. h) Request work reports related to money laundering and terrorist financing prevention, carried out by a duly qualified entity accepted by the Central Bank; i) Conduct, through an independent entity designated by the Central Bank and at the expense of the financial institution, special audits within the scope of money laundering and terrorist financing prevention, as well as the subsequent submission of respective reports.

Article 7. Corrective Measures

When it is found that banking institutions fail to comply with the legal and regulatory norms governing their activity regarding ML/TF prevention, the Central Bank may further require them to adopt certain corrective measures provided for in the "Law on Special Measures for Sanitation, Resolution and Liquidation of Banking Institutions".

Revocation Data: 09/04/2018 09/04/2018 07/2018

NAP PERMANENT APPLICABLE NORM COJGO S.F 12 PROPOSER(S) ENTRY INTO FORCE ISSUE DATE DOC NO FL 5/5 C.A.

Article 8. Enter into Force

This regulation enters into force upon its publication.

Central Bank of São Tomé and Príncipe April 09, 2018. - Reviewed Revocation Data: