Summary of Amendments to AML/CFT/CPF Guidelines for Capital Market Reporting Institutions

1 Confidential (Sulit) SUMMARY OF AMENDMENTS AND INTRODUCTION OF NEW OBLIGATIONS TO THE GUIDELINES ON PREVENTION OF MONEY LAUNDERING, COUNTERING FINANCING OF TERRORISM, COUNTERING PROLIFERATION FINANCING AND TARGETED FINANCIAL SANCTIONS FOR REPORTING INSTITUTIONS IN THE CAPITAL MARKET (PREVIOUSLY KNOWN AS THE GUIDELINES ON PREVENTION OF MONEY LAUNDERING AND TERRORISM FINANCING FOR REPORTING INSTITUTIONS IN THE CAPITAL MARKET) (Revised: 13 June 2024) The following table provides a summary of key amendments made to the Guidelines on Prevention of Money Laundering, Countering Financing of Terrorism, Countering Proliferation Financing and Targeted Financial Sanctions for Reporting Institutions in the Capital Market1 (“AML/CFT/CPF Guidelines”) effective on 13 June 2024. v General Amendments made throughout the AML/CFT/CPF Guidelines Consolidation of Guidelines The AML/CFT/CPF Guidelines is a consolidation of two (2) of the SC’s guidelines whereby the Guidelines on Implementation of Targeted Financial Sanctions Relating to Proliferation Financing of Capital Market Intermediaries (“PF Guidelines”) is subsumed into the Guidelines on Prevention of Money Laundering and Terrorism Financing for Reporting Institutions (“AML/CFT Guidelines”). The consolidated guidelines have thereafter been renamed the Guidelines on Prevention of Money Laundering, Countering Financing of Terrorism, Countering Proliferation Financing and Targeted Financial Sanctions for Reporting Institutions in the Capital Market. The AML/CFT/CPF Guidelines shall supersede the PF Guidelines. New requirements in relation to, among others, the following:

1. Implementation of risk-based approach application (which includes risk assessment and risk mitigation requirements) to proliferation financing risk;
2. Requirement for trustees or persons holding equivalent position in similar legal arrangement to disclose status when establishing business relations in customer due-diligence measures for legal arrangement;
3. Obligation on beneficiary institution to ensure veracity of beneficiary information received from the ordering institution;
4. Sanction screening for customer and beneficiary;
5. Identification and due diligence on counterparty Virtual Asset Service Providers; 1 SC-GL/AML-2014 (R3-2024)

2 Confidential (Sulit) 6. Prescription of additional minimum information required from customers and beneficial owners which is information on income or range of income; and 7. Requirement to have in place policies on the duration upon which internal suspicious transaction reports must be reviewed by the reporting institution (“RI”). Enhanced current requirements in relation to, among others, the following:

1. Traceability of wire transfers for digital assets;
2. Recordkeeping requirements;
3. Responsibilities of senior management; and
4. Customer due diligence requirements. Editorial enhancements in relation to, among others, the following:
5. Renumbering and rearrangements of current requirements in the Guidelines and other editorial amendments such as ‘Suspicious Transaction Report’ to ‘STR’;
6. Inclusion of the term ‘counter proliferation financing’ where the original term is ‘anti-money laundering and counter financing terrorism’ where relevant i.e. ‘anti-money laundering, counter financing terrorism and counter proliferation financing’; and
7. Inclusion of ‘CPF’ where reference is made to ‘AML/CFT’ where relevant i.e. ‘AML/CFT/CPF’. No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments
8. INTRODUCTION
9. Paragraph 1.1: The Guidelines on Prevention of Money Laundering and Terrorism Financing for Reporting Institutions in the Capital Market (Guidelines) are issued pursuant to section 66B, section 66E and section Amendment to Paragraph 1.1: 1.1 The Guidelines on Prevention of Money Laundering, Countering Financing of Terrorism, Countering Proliferation Financing and Targeted Financial Sanctions for Reporting Institutions in the Capital Market (Guidelines) are issued pursuant to the This paragraph is to clarify the legal basis for the issuance of specific areas of the Guidelines i.e. anti-money laundering, countering financing of terrorism and countering proliferation financing.

3 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 83 of the Anti-Money Laundering, Anti￾Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) read together with section 158(1) and section 160A of the Securities Commission Malaysia Act 1993 (SCMA). following: (a) in relation to anti-money laundering and countering financing of terrorism including Targeted Financial Sanctions relating to Terrorism Financing (TFS-TF), section 158(1) and section 160A of the Securities Commission Malaysia Act 1996 (SCMA) read together with section 66B, section 66E and section 83 of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA); (b) in relation to countering proliferation financing including Targeted Financial Sanctions relating to Proliferation Financing (TFS-PF) section 158(1) and section 160A of the SCMA read together with the following legislation (collectively referred to as “PF related legislations”) which provides the legal basis for domestic implementation of TFS-PF in relation to UNSCRs imposed on the designated countries and persons: (i) Strategic Trade Act 2010 (Act 708) (STA);

4 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (ii) Strategic Trade (United Nations Security Council Resolutions) Regulations 2010 (P.U. (A) 481/2010)2 ; (iii)Strategic Trade (Restricted End-Users and Prohibited End-Users) Order 2010 (P.U. (A) 484/2010); (iv)Strategic Trade (Delisting of Prohibited End￾Users) Regulations 2014 (P.U. (A) 289/2014); and (v) Strategic Trade (Unfreezing of Property in relation to Prohibited End-Users) Regulations 2014 (P.U. (A) 290/2014). 2. Paragraph 1.3 (a): These Guidelines provide- (a) requirements and obligations imposed on reporting institutions in preventing and combating money laundering and terrorism financing; and Amendment to Paragraph 1.3(a) These Guidelines provide: (a)requirements and obligations imposed on reporting institutions in preventing and combating money laundering, terrorism financing, proliferation financing and targeted financial sanctions; and This amendment is for the inclusion of reference to terrorism financing, proliferation financing and targeted financial sanctions. 2 Regulation 3 of Strategic Trade (United Nations Security Council Resolutions) Regulations 2010 (P.U. (A) 481/2010) is set out in Appendix G of the Guidelines.

5 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 3. Not applicable. Insertion of new Paragraph 1.4 These Guidelines supersede and replace the Guidelines on Implementation of Targeted Financial Sanctions Relating to Proliferation Financing for Capital Markets. This paragraph is an insertion of the guidelines which have been superseded. 2. APPLICABILITY 4. Paragraph 2.1: These Guidelines are applicable to reporting institutions including its branches and majority owned subsidiaries outside Malaysia carrying out the activities as listed in the First Schedule of the AMLA. Amendment to Paragraph 2.1: These Guidelines are applicable to reporting institutions as defined under Part I on Definition, Part VII on Combating Terrorism Financing and Part VIII on Combating Proliferation Financing as the case may be, including its branches and majority-owned subsidiaries outside Malaysia which carry out, among others, carrying out the activities as listed in the First Schedule of the AMLA. This paragraph is to clarify the applicability of the Guidelines. 5. Not applicable. Insertion of new Paragraph 2.5: Part VIII of these Guidelines set out TFS-PF obligations that must be complied with by reporting institutions. The Strategic Trade Controller may from time-to-time issue new guidelines or directives under the STA which a reporting institution may need to comply with. In this regard, the SC will notify all relevant reporting institution Insertion of Paragraph 2.5 following the consolidation of the PF Guidelines into the SC AML/ CFT Guidelines.

6 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments of such issuances accordingly. Where there are differing requirements, the more stringent requirements shall apply. 6. Not applicable. Insertion of new Paragraph 2.6 and its sub-paragraphs: The SC may, upon application, grant an exemption from or variation to the requirements of these Guidelines if the SC is satisfied that: (a) such variation is not contrary to the intended purpose of the relevant requirement in these Guidelines; or (b) there are mitigating factors which justify the said exemption or variation. This new insertion to the guidelines was provided for under the PF Guidelines. In view that the PF Guidelines have been subsumed into this Guidelines, this paragraph shall be applicable to all chapters within the Guidelines. 3. DEFINITIONS 7. Not applicable. Insertion of new definition under Paragraph 3.1: • AML/CFT/CPF - means Anti-Money Laundering / Counter Financing of Terrorism / Counter Proliferation Financing. • CMSA - means Capital Market and Services Act 2007. Addition of new terms and definitions corresponding with the introduction of new requirements into the Guidelines.

7 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments • financial group - means a group that consists of a parent company or of any other type of legal person exercising control and coordinating functions over the rest of the group, together with branches and/or subsidiaries that are subjected to AML/CFT/CPF policies and procedures at the group level.

• National Risk Assessment (NRA) - National Risk Assessment (NRA) by the National Coordination Committee to Counter Money Laundering (NCC) assesses and identifies the key threats and sectoral vulnerabilities that Malaysia’s financial system and economy is exposed to, has guided the strategies and policies of Malaysia’s overall AML/CFT/CPF regime. The NRA is the primary tool used for periodic assessment and tracking of effectiveness of the relevant Ministries, law enforcement agencies, supervisory authorities and reporting institutions in preventing and combating ML/TF/PF. Reference to NRA is not limited to the National ML/TF Risk Assessment and includes any sectoral, thematic or emerging risk assessments undertaken by the NCC.

8 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments • nominator - means an individual (or group of individuals) or legal person that issues instructions (directly or indirectly) to a nominee to act on its behalf in the capacity of a director or a shareholder, also sometimes referred to as a ‘shadow director’ or ‘silent partner’. • nominee - means an individual or legal person instructed by the nominator to act on its behalf in a certain capacity regarding a legal person. • nominee director - means an individual or legal entity that routinely exercises the functions of the director in the company on behalf of and subject to the direct or indirect instructions of the nominator. A nominee director is never the beneficial owner of a legal person. • nominee shareholder - means an individual or legal person that exercises the associated voting rights according to the instructions of the nominator and/or receives dividends on behalf of the nominator. A nominee shareholder is never the beneficial owner of a legal person based on the shares it holds as a nominee.

9 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments • related Party - means: a) person acting on behalf of or at the direction or under the control of designated person; b) person engaged in or providing support for, including through illicit means, proliferation￾sensitive activities and programmes; c) person assisting designated person in evading sanctions, or violating resolution provisions; and d) person with joint ownership or the beneficiaries of the assets (which includes property) of a designated person. • STR - means a Suspicious Transaction Report, to be submitted to FIED as in Appendix C. • strategic trade controller - has the same meaning assigned to the word Controller in the Strategic Trade Act 2010. • TFS-PF - means Targeted Financial Sanctions relating to Proliferation Financing.

10 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments • TFS-TF - means Targeted Financial Sanctions relating to Terrorism Financing. • UN - means United Nations. • UNSCR - means United Nations Security Council Resolution. • Virtual Asset Service Providers (VASP) - means any natural or legal person who is not covered elsewhere under the FATF Recommendations, and as a business conducts one or more of the following activities or operations for on behalf of another natural or legal person: (a) exchange between virtual assets and fiat currencies; (b) exchange between one or more forms of virtual assets; (c) transfer of virtual assets; (d) safekeeping and/ or administration of virtual assets or instruments enabling control over virtual assets; and (e) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

11 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 8. Paragraph 3.1: • beneficial owner - means any natural person who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes the natural person who exercises ultimate effective control over a legal person or arrangement. Reference to “ultimately owns or controls” and “ultimate effective control” refer to situations in which ownership/control is exercised through a chain of ownership or by means of control other than direct control. Amendment to Paragraph 3.1 – amendment to the definition of “beneficial owner”: • in the context of legal person, means any natural person who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes the natural person who exercises ultimate effective control over a legal person or arrangement. Reference to “ultimately owns or controls” and “ultimate effective control” refer to situations in which ownership/control is exercised through a chain of ownership or by means of control other than direct control. In the context of legal arrangements, beneficial owner includes: (a) the settlor(s); (b) the trustee(s); (c) the protector(s) (if any); (d) each beneficiary, or where applicable, the class of beneficiaries and objects of a power; and (e) any other natural person(s) exercising ultimate effective control over the legal arrangement. In the case of a legal arrangement similar to an Refinement of the definition to provide better clarity and context in the usage of the term “beneficial owner”.

12 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments express trust, beneficial owner refers to the natural person(s) holding an equivalent position to those referred above. When the trustee and any other party to the legal arrangement is a legal person, the beneficial owner of that legal person should be identified. Reference to “ultimate effective control” over trusts or similar legal arrangements includes situations in which ownership or control is exercised through a chain of ownership or control. 9. Paragraph 3.1: • beneficiary - in wire transfer, refers to the natural or legal person or legal arrangement identified by the originator as the receiver of the requested wire transfer. Amendment to Paragraph 3.1 – amendment to the definition of “beneficiary”: • the meaning of the term beneficiary depends on the context. in trust law, a beneficiary refers to the person or persons who are entitled to the benefit of any trust arrangement. A beneficiary can be a natural or legal person or arrangement. All trusts (other than charitable or statutory permitted non-charitable trusts) are required to have ascertainable beneficiaries. While trusts must always have some Refinement of the definition to provide better clarity and context in the usage of the term “beneficiary”.

13 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments ultimately ascertainable beneficiary, trusts may have no defined existing beneficiaries but only objects of a power until some person becomes entitled as beneficiary to income or capital on the expiry of a defined period, known as the accumulation period or following exercise of trustee discretion in the case of a discretionary trust. In wire transfer, refers to the natural or legal person or legal arrangement identified by the originator as the receiver of the requested wire transfer. 10. Paragraph 3.1: • legal person - means any entity other than a natural person that can establish a permanent customer relationship with a reporting institution or otherwise own property. This can include company, body corporate, foundation, partnership, or association and other relevantly similar entity. Amendment to Paragraph 3.1 – amendment to the definition of “legal person”: • means any entity other than a natural person that can establish a permanent customer relationship with a reporting institution or otherwise own property. This can include companies, bodies corporate, foundations, partnerships, or associations and other relevantly similar entity. To be in line with FATF’s definition of the term “legal person”.

14 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 11. Paragraph 3.1: • senior management - refers to any person having authority and responsibility for planning directing or controlling the activities of a reporting institution or a legal person including the management and administration of a reporting institution or a legal person. Amendment to Paragraph 3.1 – amendment to the definition of “senior management”: • refers to any person having authority and responsibility for planning directing or controlling the activities of a reporting institution or a legal person or legal arrangement including the management and administration of a reporting institution, or a legal person or legal arrangement. Extending the definition to include senior management of legal arrangement. GENERAL DESCRIPTION OF TERRORISM FINANCING 12. Not applicable. Insertion of new Paragraph 5A: 5A. GENERAL DESCRIPTION OF PROLIFERATION FINANCING 5A.1 In response to growing concerns over the proliferation of nuclear, biological and chemical weapons and their means of delivery which continue to pose a significant threat to international peace and security, the United Nations Security Council (UNSC) has intensified efforts to strengthen its global sanctions regime in order to prevent, suppress and disrupt Insertion of new Paragraph 5A following the consolidation of the PF Guidelines into the SC’s AML/CFT Guidelines.

15 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments proliferation of weapons of mass destruction and its financing. 5A.2 As is the case with other UNSC sanctions programmes, TFS on countries and specifically identified individuals and entities (i.e. designated persons) is the primary aspect of its overall sanctions regime to effectively disrupt financial flows across known proliferation networks. 5A.3 Recommendation 7 of the Financial Action Task Force (FATF) Standards requires countries to implement proliferation financing-related TFS-PF made under UNSCRs. Under this standard, countries are required to implement targeted financial sanctions without delay to comply with UNSCRs relating to the prevention, suppression and disruption of the proliferation of weapons of mass destruction and its financing. 5A.4 Proliferation financing refers to the act of raising, moving, or making available funds,

16 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments other assets or other economic resources, or financing, in whole or in part, to persons or entities for purposes of weapons of mass destruction (WMD) proliferation, including the proliferation of their means of delivery or related materials (including both dual￾use technologies and dual-use goods for non-legitimate purposes). 5A.5 TFS-PF are applicable to persons designated by the UNSC or the relevant committees set up by the UNSC. Designation or listing criteria are: (a) Person engaging in or providing support for, including through illicit means, proliferation-sensitive activities and programmes; (b) Acting on behalf of or at the direction of designated person; (c) Owned or controlled by designated person; and

17 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (d) Person assisting designated person in evading sanctions, or violating UNSCR provisions. 5A.5 In relation to TFS-PF obligations in Part VIII, the Strategic Trade Controller may from time-to-time issue new guidelines or directives under the STA which a capital market intermediary may need to comply with. In this regard, the SC will notify all relevant capital market intermediaries of such issuances accordingly. Where there are differing requirements, the more stringent requirements shall apply. PART IA: AML/CFT/CPF INTERNAL PROGRAMMES AND OBLIGATIONS OF THE BOARD OF DIRECTORS, SENIOR MANAGEMENT AND COMPLIANCE OFFICER 13. Paragraph 6A.1: Pursuant to the provisions of the AMLA, a reporting institution shall adopt, develop and implement internal programmes, policies, procedures and controls having regard Amendments to Paragraph 6A.1: Pursuant to the provisions of the AMLA, a A reporting institution shall adopt, develop and implement internal programmes, policies, procedures and controls having regardto its ML/TF/PF risks and size of business. These programmes shall include– Editorial Amendment.

18 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments to its ML/TF risks and size of business. These programmes shall include– (a) procedures to ensure high standards of integrity of its board of directors, senior management, employees or persons acting on behalf of the reporting institution, and adopt a screening system to evaluate the personnel when hiring; (b) regular independent audit function to check on the compliance and effectiveness of the reporting institution’s AML/CFT framework in relation to the AMLA and provisions of these Guidelines. Any audit findings and any necessary corrective measures to be undertaken must be tabled to the board of directors; (a) procedures to ensure high standards of integrity of its board of directors, seniormanagement, employees or persons acting on behalf of the reporting institution, and adopt a screening system to evaluate the personnel when hiring; (b) regular independent audit function to check on the compliance and effectiveness of the reporting institution’s AML/CFT/CPF framework in relationto the AMLA and provisions of these Guidelines. Any audit findings and any necessary corrective measures to be undertaken must be tabled to the board of directors; 14. Paragraph 6B.2: The board of directors has the following roles and responsibilities: Amendments to Paragraph 6B.2: The board of directors has the following roles and responsibilities: The amendment imposes obligations on board of directors to periodically update their policies to match trends

19 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (a) maintain accountability and oversight for establishing AML/CFT policies and procedures; (b) provide oversight and accord adequate priority and dedicated resources to manage ML/TF risks faced by the reporting institution including defining the lines of authority and responsibility for implementing the AML/CFT measures; (c) approve policies and procedures regarding AML/CFT measures; (d) ensure that the approved policies and procedures are implemented effectively by the senior management; (e) monitor the effectiveness of the implementation of the policies and procedures; (a) maintain accountability and oversight for establishing AML/CFT/CPF policies and procedures; (b) provide oversight and accord adequate priority and dedicated resources to manage ML/TF/PF risks faced by the reporting institution including defining the lines of authority and responsibility for implementing the AML/CFT/CPF measures; (c) approve policies and procedures regarding AML/CFT/CPF measures within the reporting institution; (d) ensure that the approved policies and procedures are implemented effectively by the senior management; (e) monitor the effectiveness of the implementation of the policies and procedures; (f) ensure that the policies and procedures are periodically reviewed and improvedwhere required in line with the changes and developments in the reporting institution’s products and services, technology as well as trends in ML/TF/PF; in financial crimes as well as keeps itself updated on any order issued pursuant to section 66B of the AMLA.

20 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (f) ensure that the policies and procedures are periodically reviewed and improved where required; (g) ensure effective independent audit function in assessing and evaluating the robustness and adequacy of overall AML/CFT measures; and (h) ensure that the board keeps itself updated and is aware of new or emerging trends of ML/TF, and understand the potential impact of such developments to the reporting institution. (g) ensure effective independent audit function in assessing and evaluating the robustness and adequacy of overall AML/CFT/CPF measures; and (h) ensure that the board keeps itself updated and is aware of new or emerging trends of ML/TF/PF including the relevant UNSCRs and any order issued pursuant to section 66B of the AMLA and understand the potential impact of such developments to the reporting institution. 15. Not applicable. Insertion of new Guidance for Paragraphs 6B.2(c) and 6B.2(f): Guidance for paragraph 6B.2(c): AML/CFT/CPF measures include but are not limited to Guidance on the roles and responsibilities of board of directors.

21 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments those required for risk assessment, mitigation and profiling, customer due diligence (CDD), record keeping, enhanced CDD and ongoing due diligence, suspicious transaction report and targeted financial sanctions.

Guidance for paragraph 6B.2(f): Periodic reviews and improvements of policies and procedures are to be conducted where there are changes and developments in a reporting institution’s products, services, technology, regulatory development, nature of business to capture changes in distribution channel, clients’ segment and etc. 16. Sub-paragraphs 6C.1(a) and (b): 6C. SENIOR MANAGEMENT 6C.1 The senior management is responsible for effective implementation of AML/CFT internal programmes, policies and procedures that can manage the ML/TF risks identified. In particular, the Amendments to Sub-Paragraphs 6C.1(a) and (b): The senior management is responsible for effective implementation of AML/CFT/CPF internal programmes, policies and procedures that can manage the ML/TF/PF risks identified. In particular, the senior management has the following roles and responsibilities: (a) implement AML/CFT policies and procedures; be aware of and understand the ML/TF/PF risks associated with including but not limited to business Amendments to enhance the roles and responsibilities of senior management.

22 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments senior management has the following roles and responsibilities: (a) implement AML/CFT policies and procedures; (b) establish appropriate mechanisms to effectively formulate and implement AML/CFT policies and procedures approved by the board of directors; activities/ strategies, delivery channels and geographical coverage of its business products and services offered and to be offered including new products, new delivery channels and new geographical coverage; (b) formulate AML/CFT/CPF policies to ensure that they are in line with the risks profiles, nature of business, complexity, value or volume of the transactions undertaken by the reporting institution and its geographical coverage; (c) establish appropriate mechanisms to effectively formulate and implement AML/ CFT policies and procedures approved by the board of directors; 17. Not applicable. Insertion of new Paragraph 6E.1: 6E.1 The requirements under this paragraph 6E are only applicable to reporting institutions that are part of a financial group. Amendment to clarify applicability of Paragraph 6E.1. 18. Paragraph 6E.1: Where applicable, a reporting institution is required to implement appropriate group wide ML/TF programmes Renumbered and amendment to the new Paragraph 6E.2: 6E.2 Where applicable, a reporting institution is required to implement appropriate group- wide ML/TF/PF programmes appropriate to its holding company, Deletion of the term “holding company” to clarify that the implementation of the appropriate group-wide

23 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments appropriate to its holding company, branches and majority owned subsidiaries. Such ML/TF programmes must include– branches and majority-owned subsidiaries. Such ML/TF/PF programmes must include– ML/TF/PF programmes is to be done in a top-down approach. PART II: RISK-BASED APPROACH APPLICATION 7. RISK-BASED APPROACH APPLICATION 19. Paragraph 7: 7. RISK-BASED APPROACH APPLICATION In formulating policies and procedures for the prevention of ML/TF, a reporting institution must take appropriate steps to identify, assess and mitigate its ML/TF risks. Appendix A of these Guidelines provides the measures to be adopted in implementing a risk-based approach. 7.1 Risk assessment and risk profiling Renumbered and amendments to the new Paragraph 7.1 and its sub-paragraphs: 7 RISK-BASED APPROACH APPLICATION 7.1 ML/TF Risk assessment 7.1.1 In formulating policies and procedures for the prevention of ML/TF, a reporting institution must take appropriate steps to identify, assess and mitigate its ML/TF risks. A reporting institution is required to take appropriate steps to identify, assess and understand its ML/TF risks, in relation to its customers, countries or geographical areas and products, services, transactions or delivery channels, and other relevant risk factors. Appendix A of these Guidelines Editorial amendment. Previous version Paragraph 7 has been renumbered as Paragraph 7.1.1 and reference to risk profiling is now under Paragraph 7.5.

24 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments provides the measures to be adopted in implementing a risk-based approach. 21. Paragraph 7.1.1 Renumbered to Paragraph 7.1.2 Editorial amendment. 22. Paragraph 7.1.2 Renumbered to Paragraph 7.1.5 Editorial amendment. 23. Not applicable. Insertion of new Paragraph 7.1.3: A reporting institution must conduct additional assessment as and when required by the SC. Amendment to ensure that Ris conduct additional assessment as and when required by the SC. 24. Not applicable. Insertion of new Paragraph 7.1.4: A reporting institution must be guided by the results of the NRA issued by the National Coordination Committee to Counter Money Laundering (NCC) in conducting its own risk assessments. A reporting institution must take enhanced measures to manage and mitigate the risks identified in the NRA. Amendment to ensure that RIs are guided by the NRA in conducting its own risk assessment. 25. Guidance for Paragraph 7.1.4: In identifying countries and geographic risk factors, reporting institutions may refer to credible sources such as mutual evaluation reports, detailed assessment Amendments to Guidance for Paragraphs 7.1.1, 7.1.2 and 7.1.3: Guidance for paragraphs 7.1.1, 7.1.2, 7.1.3 and 7.1.4: Insertion of new guidance for revised requirements under 7.1.1, 7.1.2, 7.1.3 and 7.1.4.

25 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments report, follow-up reports and other relevant reports published by international organisations and other inter-governmental bodies. In identifying countries and geographic risk factors, reporting institutions may refer to credible sources such as mutual evaluation records, detailed assessment report, follow up reports and other relevant reports published by international organisations and other inter governmental bodies. In conducting the ML/TF risk assessment, reporting institutions may consider whether: (a) they are susceptible to the key and emerging crimes as well as higher risk sectors identified in the NRA; and (b) enhancements to their AML/CFT compliance programme are warranted to ensure any areas of higher ML/TF risks are appropriately mitigated. 26. Paragraph 7.1.4 Deletion of previous Paragraph 7.14. Deleted as this requirement is subsumed under paragraph 7.5.3 on risk profiling of customers. 27. Paragraph 7.2: Risk management and mitigation Amendment to the title of Paragraph 7.2: ML/TF Risk management and mitigation Amendment to clarify scope of Paragraph 7.2.

26 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 28. Paragraph 7.2.1 (a): A reporting institution is required to– (a) have policies, procedures and controls, which are approved by the board of directors, to enable it to manage and mitigate effectively the ML/TF risks that have been identified; Amendment to Paragraph 7.2.1(a): A reporting institution is required to– (a) have policies, procedures and controls, which are approved by the board of directors, to enable it to manage and mitigate effectively the ML/TF risks that have been identified and assessed; To clarify that policies and procedures approved by the RIs board of directors enable it to manage and mitigate effectively the ML/TF risks that have been identified and assessed. 29. Not applicable. Insertion of new Paragraph 7.3 and its sub-paragraphs: 7.3 PF Risk assessment 7.3.1. A reporting institution must take appropriate steps to identify, assess and understand PF risks, in relation to their customers, countries or geographical areas and products, services, transactions or delivery channels, and other relevant risk factors where the extent of the assessment shall be appropriate to the nature, size and complexity of its business. The PF risk in this context is limited to potential breach, non-implementation or evasion of the targeted financial sanctions on PF under Part VIII of these Guidelines. Appendix A of these Insertion of requirement related to proliferation financing risk in line with FATF Recommendation.

27 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments Guidelines provides for the measures to be adopted in implementing a risk-based approach. 7.3.2. In conducting the risk assessment, a reporting institution may consider if the existing ML/TF risk assessments methodologies are adequate to incorporate PF risks and may not necessarily require a stand-alone or an entirely new methodology. 7.3.3. The risk assessment processes must incorporate the following: (a) Documenting the reporting institution’s PF risk assessments and findings; (b) Considering all the relevant risk factors before determining the level of overall risk and the appropriate level and type of mitigation to be applied; (c) Keeping the reporting institution’s risk assessment up-to-date taking into account changes in surrounding circumstances affecting the reporting institution; (d) Having a scheduled periodic assessment or

28 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments as and when specified by the SC; and (e) Having appropriate mechanisms to provide risk assessment information to the SC. 7.3.4 A reporting institution is also required to identify and assess the PF risks that may arise in relation to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products. The reporting institution must undertake risk assessments prior to the launch or use of such products, practices and technologies and take appropriate measures to manage and mitigate such risks. 30. Not applicable. Insertion of new Paragraph 7.4 and its sub-paragraphs: 7.4 PF Risk management and mitigation 7.4.1 A reporting institution is required to: (a) have policies, procedures and controls, which are approved by the board of directors, to enable it to manage and mitigate effectively the PF risks that have been identified and assessed; (b) monitor the implementation of those policies, Insertion of requirement related to proliferation financing risk in line with FATF Recommendation.

29 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments procedures and controls and to enhance them if necessary; and (c) take commensurate measures to manage and mitigate the risks: (a) where higher PF risks are identified, a reporting institution must ensure that it adequately address such higher PF risk by introducing enhanced controls to detect possible breaches, non-implementation or evasion of targeted financial sanctions on PF under Part VIII of these Guidelines; (ii) where lower PF risks are identified, reporting institution must ensure that the measures applied are commensurate with the level of PF risk while still ensuring full implementation of the targeted financial sanctions on PF under Part VIII of these Guidelines. 7.4.2 A reporting institution must ensure full implementation of the targeted financial sanctions on PF as per Part VIII of these Guidelines

30 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments irrespective of the institutional PF risk level. 31. Not applicable. Insertion of new Paragraph 7.5 and Sub-Paragraphs 7.5.1, 7.5.2 and 7.5.3 7.5 Risk Profiling of Customers 7.5.1 A reporting institution is required to also implement and maintain appropriate policiesand procedures to conduct risk profiling of its customer. 7.5.2 A reporting institution is required to conduct risk profiling on its customers during the establishment of the business relationship and assign a ML/TF/PF risk rating that commensurate with the customer’s risk profile. 7.5.3 In assessing the level of risk of a customer from a particular country, a reporting institution shall assess the standards of prevention of ML/TF/PF in that country based on the reporting institution’s knowledge, experience and other reliable sources of that country. The higher the risk, the greater the due diligence measures that should be applied when undertaking business with the customer from that country. Editorial amendment.

31 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 32. Paragraph 7.1.4: A reporting institution is required to also implement and maintain appropriate policies and procedures to conduct risk profiling of their customer during the 15 establishment of the business relationship and assign ML/TF risk rating that is commensurate with their risk profile. In determining the risk profile of a particular customer, the reporting institution must take into account, among others the following factors: (a) Customer risks e.g. residents or non-residents, occasional or one￾off, natural or legal person; (b) … Renumbered and amendment to the new Paragraph 7.5.4: In determining the risk profile of a particular customer, the reporting institution must take into account, among others the following factors: (a) Customer risks e.g. residents or non-residents, occasional or one-off, natural or legal person, types of PEP, types of occupation; (b) … Renumbered and amendment to include additional examples on customer risk factors ie; types of PEP and types of occupation. 33. Not applicable. Insertion of new paragraph 7.5.5 After the initial acceptance of the customer, reporting institutions are required to regularly update the customer’s risk profile based on their level of ML/TF/PF risks. Insertion to ensure consistency of approach taken across all financial sectors.

32 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 34. Guidance for Paragraph 7.1.4 Renumbered to new Guidance for Paragraph 7.5.3. Editorial amendment. 35. Paragraph 7.3: Risk management and mitigation in third-party deposits Renumbered and amendment to new Paragraph 7.6: 7.6 Risk management and mitigation in third-party deposits and payments Editorial amendment. PART III: CUSTOMER DUE DILIGENCE 8. CUSTOMER DUE DILIGENCE 36. Paragraph 8.1.3 (c): 8.1.3 For the purpose of conducting CDD, a reporting institution is required to– (c) identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner, using relevant information or data obtained from reliable sources; and Amendment to Paragraph 8.1.3 (c): 8.1.3 For the purpose of conducting CDD, a reporting institution is required to– (c) identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner, using relevant information or data obtained from reliable sources, such that the reporting institution is satisfied that it knows who the beneficial owner is; and Amendment to clarify that a RI is required to identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner, such that the RI is satisfied that it knows who is the beneficial owner. 37. Not applicable. Insertion of new Paragraph 8.1.5: Amendment to clarify that RIs must comply with targeted financial sanction requirements as part of CDD.

33 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 8.1.5 Where applicable, in conducting CDD, a reporting institution is required to comply with requirements on targeted financial sanctions in relation to: (a) terrorism financing under Part VII of these Guidelines; and (b) proliferation financing under Part VIII of these Guidelines. 38. Paragraph 8.1.5: In conducting CDD, a reporting institution is required to identify an individual customer or beneficial owner, by obtaining at least the following information: (a) – (j) Insertion of new Sub-Paragraph 8.1.6 (h): (a) – (g) (h) income or range of income; (i) - (k) Amendment to prescribe income or range of income as additional minimum information required from customers. 39. Paragraph 8.1.5A: 8.1.5A If the reporting institution is of the view that the above information is not sufficient for it to complete its identification and verification process, the reporting institution must seek Renumbered and amendments to the new Paragraph 8.1.7: 8.1.7 If the reporting institution is of the view that Where the above information is not sufficient for the reporting institution to complete its identification and verification process, the reporting institution must seek further Amendments to clarify that the obligation to seek for further information arise where the minimum CDD information is not sufficient to complete the identification and verification process.

34 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments further relevant information from the individual customer or beneficial owner relevant information from the individual customer or beneficial owner. 40. CDD requirements for legal persons and legal arrangements Amendment to the title CDD requirements for legal persons and legal arrangements Editorial amendments. A separate section for CDD requirements for legal arrangements have been incorporated in the AML/CFT/CPF Guidelines. 41. Paragraph 8.1.6: 8.1.6 For customers that are legal persons or legal arrangements, a reporting institution is required to understand the nature of the customer’s business, its ownership and control structure. Renumbered and amendments to the new Paragraph 8.1.8: 8.1.8 For customers that are legal persons or legal arrangements, a reporting institution is required to understand the nature of the customer’s business, its ownership and control structure. A reporting institution is required to undertake the following: Editorial amendments. 42. Paragraph 8.1.6 (a) (i): …A reporting institution is required to undertake the following: Renumbered and amendments to the new Paragraph 8.1.9 (a): 8.1.9 A reporting institution is required to identify its customers and verify their its identity through the following information: Editorial amendments. Insertion of unique identifier as a type of information that is required in identification of customers.

35 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (a)Identify its customers and verify their identity through the following information: (i) Name, legal form and proof of existence, for instance the certified true copy or duly notarised copy of the constituent documents, as the case may be, or any other reliable references; (a)Name, legal form and proof of existence, for instance the certified true copy or duly notarised copy of the constituent documents, as the case may be, unique identifier such as tax identification number or any other reliable references; 43. Paragraph 8.1.6 (b) (I): (b) Identify and take reasonable measures to verify the identity of the beneficial owners – (I) In relation to the identity of the natural person (if any) who ultimately ….. Renumbered and amendments to the new Paragraph 8.1.10: A reporting institution is required to identify and take reasonable measures to verify the identity of the beneficial owner of a legal person by taking into consideration the following information or document: (a) Duly certified true copy/ duly notarised…. Editorial amendments. 44. Not applicable. Insertion of new Paragraph 8.1.11 and its Sub￾Paragraphs: 8.1.11 A reporting institution is required to identify and take reasonable measures to verify the identity of beneficial owners according to the following Insertion of new requirement to incorporate cascading steps in identifying and verifying beneficial owners in CDD requirements for legal persons and legal arrangement.

36 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments cascading steps: (a) the identity of the natural person(s) (if any) who ultimately has a controlling ownership interest in a legal person. Where applicable, this includes identifying: (i) shareholders with equity interest of more than twenty-five percent in a corporation; and (ii)in the case of a limited liability partnership, partners with capital contribution and/ or voting rights of more than twenty-five percent; (b) to the extent that there is doubt as to whether the person(s) with the controlling ownership interest is the beneficial owner(s) referred to in paragraph 8.1.11(a) or where no natural person(s) exert control through ownership interests, the identity of the natural person (if any) exercising control of the legal person through other means; and (c) where no natural person is identified under paragraphs 8.1.11(a) or (b), the identity of the relevant natural person who holds the position of

37 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments senior management. For the avoidance of doubt, a reporting institution is not required to pursue steps (b) and (c) in circumstances where beneficial owner(s) have been identified through step (a). Similarly, where beneficial owner(s) have been identified at step (b), reporting institutions are not required to pursue step (c). 45. Paragraph 8.1.7: Notwithstanding the above, a reporting institution is exempted from obtaining the constituent document, and from identifying and verifying the directors and shareholders of legal persons which fall under the following categories: Renumbered and amendments to the new Paragraph 8.1.12: 8.1.12 Notwithstanding the above, a reporting institution is exempted from obtaining the constituent document, and from identifying and verifying the identity of the directors and shareholders or partners of legal persons which fall under the following categories: Amendments to: (1) to clarify that the exemption only extends to verification and does not extend to identification; and (2) extend the requirement to partners in a limited liability partnership. 46. Not applicable. Insertion of new Paragraph 8.1.13: Notwithstanding the above, reporting institutions are required to identify and maintain the information relating to the identity of the directors and shareholders or partners of legal persons referred to in paragraph 8.1.12 Insertion of a new requirement to clarify that RIs required to identify and maintain the information relating to the identity of the directors and shareholders or partners of

38 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (a) to (g), through a public register, other reliable sources or based on information provided by the customer. legal persons through a public register, other reliable sources or based on information provided by the customer. 47. Paragraph 8.1.6 (a) Renumbered to Paragraphs 8.1.14 and 8.1.15: 8.1.14 For customers that are legal arrangements, a reporting institution is required to understand the nature of the customer’s business, its ownership and control structure. 8.1.15 A reporting institution is required to identify its customers and verify its identity through the following information: (a) Name, legal form and proof of existence, for instance the certified true copy or duly notarised copy of the constituent documents, as the case may be, unique identifier such as tax identification number or any other reliable references; (b) The powers that regulate and bind the customer, as well as names of relevant persons having a senior management position; and Renumbered and repositioned specifically under the header of ‘CDD requirements for legal arrangement’.

39 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (c) The address of the registered office and the principal place of business. 48. Paragraph 8.1.6 (b) (II) (i): II. in relation to legal arrangements, by way of – (i) in the case of a trust, the identity of the settlor, the trustee or the protector, the beneficiary or class of beneficiaries and any other natural person exercising ultimate effective control over the trust (including through a chain of control/ownership); or Renumbered and amendments to Paragraph 8.1.16: 8.1.16 A reporting institution is required to identify and take reasonable measures to verify the identity of the beneficial owner of a legal arrangement by taking into consideration the following information: (a) in the case of a trust, the identity of the settlor, the trustee or the protector, the beneficiary or class of beneficiaries and objects of a power, and any other natural person exercising ultimate effective control over the trust (including through a chain of control/ownership); or Amendments to include “objects of a power” in the case of a trust. 49. Not applicable. Insertion of new Paragraph 8.1.17: 8.1.17 A reporting institution is required to ensure that trustees or persons holding equivalent positions in similar legal arrangements disclose their status or function in the legal arrangements when establishing business relations. Insertion of new Paragraph to impose requirement on RIs in relation to disclosure of status by trustees or persons holding equivalent positions in similar legal arrangements. 50. Guidance for Paragraph 8.1.6(b) Renumbered paragraphs in Guidance: Editorial amendment.

40 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments Guidance for Paragraphs 8.1.8 to 8.1.20 51. Not applicable. Insertion of new Paragraphs 8.1.18 and 8.1.19: 8.1.18 A reporting institution may rely on a third party to verify the identity of the beneficiaries when it is not practical to identify every beneficiary. 8.1.19 Where reliance is placed on third parties under paragraph 8.1.19 a reporting institution is required to comply with paragraph 8.6 of these Guidelines. Insertion of new requirement to verify the identity of the beneficiaries. 52. Not applicable. Insertion of new Sub-Heading and Sub-Paragraphs 8.1.20, 8.1.21 and 8.1.11: CDD requirements for clubs, societies or charities 8.1.20 For customers that are clubs, societies or charities, a reporting institution must conduct the CDD requirements applicable for legal person or legal arrangements, as the case may be, and require them to furnish the relevant identification documents including Certificate of Registration and constituent documents. In addition, a reporting institution is required to identify and verify the office bearer or any person authorised Insertion of requirement to clarify CDD on clubs, societies or charities which was previously set out in Paragraph 8.1.6(b)(i) of the AML/CFT Guidelines.

41 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments to represent the club, society or charity, as the case may be. 8.1.21 A reporting institution is also required to take reasonable measures to identify and verify the beneficial owners of the clubs, societies or charities. 8.1.22 Where there is any doubt as to the identity of persons referred to under paragraphs 8.1.20 and 8.1.21, the reporting institution must verify the authenticity of the information provided by such person with the Registrar of Societies, Labuan Financial Services Authority, Companies Commission of Malaysia, Legal Affairs Division under the Prime Minister’s Department or any other relevant authority. 53. Paragraph 8.1.8 This section applies when a reporting institution chooses to establish non￾face-to-face business relationship. Paragraph 8.1.8 has been renumbered to Paragraph 8.1.23 amendments to the new Paragraph 8.1.23 (a): (a) A reporting institution must develop and implement policies and procedures to address and mitigate specific ML/TF/PF risks associated with establishing Editorial amendment and amendment to include ‘operational and information technology risk’.

42 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (a) A reporting institution must develop and implement policies and procedures to address and mitigate specific ML/TF risks associated with establishing non face to-face business relationship. (b) …. non face-to-face business relationship, as well as operational and information technology risk. (b) … 54. Guidance for paragraph 8.1.10 Renumbered paragraph in Guidance: Guidance for paragraph 8.1.29 Editorial amendment. 55. Paragraph 8.2.2: When conducting CDD for the purpose of opening an account or when conducting ongoing CDD, a reporting institution may take into account the following risk factors and risk parameters when determining circumstances of higher risk: Amendment to Paragraph 8.2.2: 8.2.2 When conducting CDD for the purpose of opening an account or when conducting ongoing CDD, reporting institution may take into account, amongst others, the following risk factors and risk parameters when determining circumstances of higher risk: Editorial amendment. 56. Paragraph 8.2.2 (b) (i): (i) Countries having inadequate AML/CFT systems. Amendments to Paragraph 8.2.2 (b) (i) and insertion of new Sub-Paragraph 8.2.2 (b) (v): (i) Countries identified by credible sources, such as mutual evaluation or published follow-up reports, as having inadequate AML/CFT/CPF systems. Amendments to clarify geographic risk factors.

43 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (v) Countries identified by the FATF, other FATF-style regional bodies or other international bodies as having higher ML/TF/PF risk. 57. Paragraph 8.4.4: … The reporting institution is required to assess the level of ML/TF risks posed by the business relationship with the domestic PEP or person entrusted with a prominent function by an international organisation based on sufficient and appropriate information gathered through publically available information or other reasonable means. Renumbered and amendment to Paragraph 8.4.5: 8.4.5 The reporting institution is required to assess the level of ML/TF/PF risks posed by the business relationship with the domestic PEP or person entrusted with a prominent function by an international organisation based on sufficient and appropriate information gathered through publicly available information or other reasonable means. The assessment of the ML/TF/PF risks also must take into account the profile of the customer under paragraph 7.5.4 of these Guidelines. Amendment to incorporate the risk profile of the customer as part of the ML/TF/PF risk of domestic PEP or person entrusted with a prominent functions by an international organisation (PEPFIO). 58. Not applicable. Insertion of new Paragraph 8.4.8 and its sub-paragraphs 8.4.8 A reporting institution must consider the following factors in determining whether the status of a domestic or foreign PEP who no longer holds a prominent public function should cease: Insertion of a requirement on factors to be considered in determining whether the status of a domestic or foreign PEP who no longer holds a prominent public function should cease. Similar factors

44 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (a) the level of informal influence that the domestic or foreign PEP could still exercise, even though the PEP no longer holds a prominent public function; and (b) whether the domestic or foreign PEP’s previous and current functions, in official capacity or otherwise, are linked to the same substantive matters. can be found in Appendix B of the AML/CFT/CPF Guidelines. 59. Paragraph 8.6.4: The relationship between a reporting institution and the third party relied upon to conduct the CDD … Amendments to Paragraph 8.6.4: The relationship between a reporting institution and the third party relied upon by the reporting institution to conduct the CDD … Amendment to provide clarity. 60. Paragraph 8.8.1 (a): monitoring and detecting patterns of transactions undertaken throughout the course of that business relationship to ensure that the transactions being conducted are consistent with the reporting institution’s knowledge of the customer, its business, and risk profile, Amendments to Paragraph 8.8.1(a): monitoring and detecting patterns of transactions undertaken throughout the course of that business relationship to ensure that the transactions being conducted are consistent with the reporting institution’s knowledge of the customer, its business, and risk profile, including where necessary, the source of funds monitoring, detecting and scrutinizing transactions Amendment to clarify that the ongoing due diligence measures covers monitoring, detecting and scrutinizing transactions.

45 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments including where necessary, the source of funds; and undertaken throughout the course of that business relationship to ensure that the transactions being conducted are consistent with the reporting institution’s knowledge of the customer, its business and risk profile, including where necessary, the source of funds; and… PART IIIA: WIRE TRANSFER 9. WIRE TRANSFER OF DIGITAL ASSETS 61. Paragraph 9.1.1: The requirements under this Part are applicable to a reporting institution providing wire transfer of digital assets. Amendments to Paragraph 9.1.1: The requirements under this Part are applicable to a reporting institution providing cross border wire transfer or domestic wire transfer of digital assets. Amendments to clarify that the requirements under Party IIIA apply to both cross border and domestic wire transfers. 62. Paragraph 9.1.3 (b): in relation to proliferation financing of weapon of mass destruction under Guidelines on Implementation of Targeted Financial Sanctions relating to Proliferation Financing for Capital Market Intermediaries. Amendments to Paragraph 9.1.3(b): in relation to proliferation financing of weapon of mass destruction under Guidelines on Implementation of Targeted Financial Sanctions relating to Proliferation Financing for Capital Market Intermediaries. Part VIII of these Guidelines. Editorial Amendment. 63. Paragraph 9.1.4: A reporting institution must maintain all originator and beneficiary information Amendments to Paragraph 9.1.4: A reporting institution must obtain, hold and maintain all originator and beneficiary information collected under this Amendment to clarify requirement in relation to collection of originator and beneficiary information.

46 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments collected in accordance with record keeping requirements under Part IV of these Guidelines. Part, in accordance with record keeping requirements under Part IV of these Guidelines. This information must be made available to regulators or relevant authorities when necessary. 64. Not applicable. Insertion of new Paragraph 9.1.5: A reporting institution must have in place adequate policies and procedures and the ability to trace all wire transfers. Insertion of new paragraph to enhance traceability of wire transfers. 65. Paragraph 9.2: Ordering Institutions Amendment to the title of Paragraph 9.2: 9.1 Ordering institutions Cross-Border or Domestic Wire Transfers Editorial amendment. 66. Paragraph 9.2.1: 9.2.1 A reporting institution which is an ordering institution must ensure that the message or instruction for cross￾border wire transfer are accompanied by the following: Amendments to Paragraph 9.2.1: 9.2.1 A reporting institution which is an ordering institution must ensure that the message for cross-border or domestic wire transfer are accompanied by the following: Amendments to clarify that the requirement apply to both cross border and domestic wire transfers.

47 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (a) Required and accurate originator information: (i) name; (ii) … (b) Required beneficiary information: (i) name; and (ii) … (a) Required and accurate originator information pertaining to: (i) name of originator; (ii) ... (b) Required beneficiary information pertaining to: (i) name of beneficiary; and (ii) … 67. Not applicable. Insertion of new Guidance for Paragraphs 9.2.1 (a) and 9.2.1 (b): Guidance for Paragraph 9.2.1 (a)

1. Accurate in the context of paragraph 9.2.1(a) means the required originator’s information has been verified for accuracy by the ordering institution as part of its KYC process. Guidance for Paragraph 9.2.1 (b)
2. The name of the beneficiary is not required to be verified for accuracy by the ordering institution. Notwithstanding this, the name of the beneficiary Insertion to provide guidance in line with FATF’s Updated Guidance for Risk-Based Approach on Virtual Assets and Virtual Asset Service Providers.

48 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments should be reviewed for the purpose of suspicious transaction monitoring and sanction screening. 68. Not applicable. Insertion of new Guidance for paragraph 9.2.2: 9.2.2 A reporting institution which is an ordering institution must submit the information set out in paragraph 9.2.1 to the beneficiary institution immediately and securely. Insertion to provide guidance in line with FATF’s Updated Guidance for Risk-Based Approach on Virtual Assets and Virtual Asset Service Providers. 69. Not applicable. Insertion of new Guidance for Paragraph 9.2.2: Guidance for Paragraph 9.2.2: a) The information can be submitted either directly or indirectly. It is not necessary for this information to be attached directly to the digital asset transfers. b) The phrase ‘immediately’ means that the reporting institutions should submit the required information prior, simultaneously or concurrently with the transfer itself. Post-facto submission of the required information should not be permitted. Insertion to provide guidance in line with FATF’s Updated Guidance for Risk-Based Approach on Virtual Assets and Virtual Asset Service Providers.

49 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments c) The phrase ‘securely’ means that the reporting institutions should transmit and store the required information in a secure manner. 70. Paragraph 9.3.1: A beneficiary institution is required to take reasonable measures, including post-event or real-time monitoring where feasible, to identify the transfers that lack the required originator information or required beneficiary information. Amendments to Paragraph 9.3.1: A beneficiary institution is required must take reasonable measures, including post-event or real-time monitoring where feasible, to identify cross border wire transfers or domestic wire transfers that lack the required originator information or required beneficiary information Amendment to clarify that the requirement apply to both cross border or domestic wire transfers. 71. Not applicable. Insertion of new Paragraph 9.3.3 A beneficiary institution must verify the following beneficiary information received from the ordering institution: (a)name of beneficiary; and (b) account number or digital wallet address or a unique transaction reference number used to process the transaction which permits traceability of the transaction. Insertion of new Paragraph to impose requirement on beneficiary institution and the types of information required to be verified.

50 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 72. Not applicable. Insertion of new Paragraph 9.4, its Sub-Paragraphs and guidance: Sanctions Screening 9.4.1 An ordering institution must conduct sanctions screening of the following persons: (a) its customer, at the point of onboarding and ongoing due diligence; and (b) the beneficiary, when a wire transfer is conducted. 9.4.2 A beneficiary institution must conduct sanctions screening of the following persons: (a) its beneficiary, at the point of onboarding and ongoing due diligence; and (b) the originator, when a wire transfer is conducted. 9.4.3 Once the person screened is identified as a designated person, the ordering or beneficiary institution must take freezing actions and prohibit transactions. Insertion to incorporate requirements under FATF’s Updated Guidance for Risk￾Based Approach on Virtual Assets and Virtual Asset Service Providers.

51 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 9.4.4 Ordering or beneficiary institutions must implement effective control frameworks to ensure that they can comply with their targeted financial sanction obligations. 9.4.5 A reporting institution must document their remediation control actions in their AML/CFT/CPF risk assessment. Guidance for Paragraph 9.4 : As a guide, control measures that could be taken in carrying out sanctions screening requirement include: a) Putting a wallet on hold until screening is completed and confirmed that no concern is raised; and b) Arranging to receive a wire-transfer with a provider’s wallet that links to a customer’s wallet and only then moving the transferred digital asset to the customer’s wallet after screening is completed and has confirmed no concern is raised.

52 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 73. Not applicable Insertion of new Paragraph 9.5, its sub-paragraphs and guidance: 9.5 Identification and Due Diligence on Counterparty VASP 9.5.1 A reporting institution must identify and conduct due diligence on the counterparty VASP before the reporting institution transmits the required originator or beneficiary information. Appendix F sets out the guide on how due diligence on counterparty VASP could be undertaken. Guidance for Paragraph 9.5.1: • As a guide, a reporting institution needs to conduct due diligence on their counterparty VASP before the reporting institution transmits the required information to avoid dealing with illicit actors or sanctioned actors unknowingly. • Additionally, a reporting institution should use this due diligence process to determine whether a counterparty VASP can reasonably be expected to Insertion to incorporate requirements under FATF’s Updated Guidance for Risk￾Based Approach on Virtual Assets and Virtual Asset Service Providers.

53 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments protect the confidentiality of information shared with it. 9.5.2 A reporting institution does not need to undertake due diligence process on the counterparty VASP for every individual wire transfer when dealing with a counterparty VASP for which it has previously conducted counterparty due diligence, unless there is a suspicious transaction history or other information (for example published adverse media information, published regulatory or criminal action involving the counterparty VASP) indicating that it should refresh the due diligence process. 9.5.3 A reporting institution must update its counterparty VASP due diligence information periodically or when risk emerges from the relationship in line with a reporting institution’s defined risk-based assessment control structure. PART IV: RETENTION OF RECORDS 10. RECORD KEEPING 74. Paragraph 10.4: Amendments to Paragraph 10.4: Amendments to enhance recordkeeping requirements aligned with FATF standards.

54 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments A reporting institution must retain, maintain and update the relevant records (including CDD records) in such a way that– (a) the relevant law enforcement agencies and internal and external auditors of the reporting institution will be able to reliably judge the reporting institution’s transactions and its compliance with the AMLA; (b) any transaction effected via the reporting institution can be reconstructed; and 10.4 A reporting institution must retain, maintain and update the relevant records (including CDD records and all relevant transaction records) in such a way that– (a) the relevant law enforcement agencies and internal and external auditors of the reporting institution will be able to reliably judge the reporting institution’s transactions and its compliance with the AMLA and TFS-PF legislations; (b) any transaction effected via the reporting institution can be reconstructed it is sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity; and PART V: SUSPICIOUS TRANSACTIONS 11. REPORTING OF SUSPICIOUS TRANSACTIONS 75. Not applicable. Insertion of new Paragraph 11.6A: 11.6A A reporting institution is required to have in place policies on the duration upon which internal Insertion of a requirement to to have in place policies on the duration upon which internal suspicious transaction reports

55 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments suspicious transaction reports must be reviewed by the reporting institution, including the circumstances when the timeframe can be exceeded, where necessary. must be reviewed by the reporting institution. PART VII: COMBATING TERRORISM FINANCING 14. IDENTIFCATION AND DESIGNATION 76. Not applicable. Insertion of new Paragraph 14.1: 14.1 For the purposes of this part, a reporting institution refers to reporting institution as defined in the Definition section under Part I of these Guidelines and includes a registered person under section 76 of the CMSA that is registered under the Guidelines on the Registration of Venture Capital and Private Equity Corporations and Management Corporation. Amendment to extend targeted financial sanctions related to terrorism financing obligations to a registered person under section 76 of the CMSA that is registered under the Guidelines on the Registration of Venture Capital and Private Equity Corporations and Management Corporation. 77. Paragraph 14.3: In ensuring efficient detection of suspected financing of terrorism, a reporting institution should maintain a database of names and particulars of listed persons in the UN Consolidated List and such orders as may be issued Renumbered and amendments to the new paragraph 14.3: 14.3 In ensuring efficient detection of suspected financing of terrorism, a reporting institution should maintain a database of names and particulars of listed persons in the UN Consolidated List and such orders as may Amendments to clarify that the orders under sections 66B and 66C of the AMLA may be issued to listed persons or listed entities as the case may be.

56 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments under sections 66B and 66C of the AMLA by the Minister of Home Affairs (collectively referred to as “listed persons”). be issued under sections 66B and 66C of the AMLA by the Minister of Home Affairs (collectively referred to as “listed persons” or “listed entities” as the case may be). [INSERTION OF NEW SECTION] PART VIII: COMBATING PROLIFERATION FINANCING 15. DEFINITION AND INTERPRETATION 78. Not applicable. Insertion of new Paragraph 15: 15. DEFINITION AND INTERPRETATION 15. For the purpose of Part VIII of these Guidelines, “reporting institution” refers to reporting institution as defined in the Definition section under Part I of these Guidelines and includes a registered person under section 76 of the CMSA that is registered under the Guidelines on the Registration of Venture Capital and Private Equity Corporations and Management Corporation. Consolidation of PF Guidelines into the AML/CFT Guidelines. 79. Not applicable. Insertion of new Paragraph 16 and its Sub-Paragraphs: Consolidation of PF Guidelines into the AML/CFT Guidelines.

57 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments MAINTENANCE OF SANCTIONS LIST

16.1 A reporting institution must put in place and implement policies and procedures to: (a) keep itself updated with the various resolutions passed by the United Nations Security Council on TFS-PF, in particular the list of countries and persons designated under the relevant UNSCR published on the UN website as and when there are new or subsequent decisions by the relevant UNSC Sanctions Committee; and (b) maintain an updated and current database of names and particulars of designated persons in the UN Consolidated List to enable it to detect suspected proliferators. 16.2 Explanatory notes in relation to maintenance of sanctions list are set out in Appendix H. 80. Not applicable. Insertion of new Paragraph 17, its sub-paragraphs and guidance box: Consolidation of PF Guidelines into the AML/CFT Guidelines.

58 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments CONDUCT SANCTIONS SCREENING ON CUSTOMERS 17.1 A reporting institution must conduct sanctions screening on its existing, new and potential customers, to check for any positive name matched with any designated person. 17.2 A reporting institution must screen its entire customer database without delay when new names are listed in an UNSCR. 17.3 The obligation to conduct sanctions screening on customers also includes funds derived from property owned or controlled directly or indirectly by the designated person or by any of its related party. In this regard, a reporting institution must conduct checks on: (a) relationship and transactions connected with the designated person; (b) properties or accounts that are jointly owned and/or indirectly controlled by the designated person; and

59 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (c) parties related to the frozen accounts including beneficial owners, signatories, power of attorney relationships, guarantors, nominees, trustees, assignees and payors. 17.4 If there is a positive name match, a reporting institution must take reasonable and appropriate measures to verify and confirm the identity of its customer against the designated person.

Guidance for Paragraph 17

(a) According to the standards prescribed by the FATF, “without delay” means, ideally within a matter of hours of a designation by the UNSC or its relevant Sanctions Committee. The phrase “without delay” should be interpreted in the context of the need to prevent the flight or dissipation of funds or other assets which are linked to the financing of proliferation of weapons of mass destruction. (b) A reporting institution is also advised to search, examine and analyse past financial activities of the designated person or related party, where relevant.

60 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (c) A reporting institution must always be wary of the possible use of among others, false identities, dual nationalities, multiple names and identities when performing name searches for each designated person to prevent unintended omissions. (d) The screening obligations under these Guidelines extend to the delisting of affected customers from the list of countries and persons designated under the relevant UNSCRs. 81. Not applicable. Insertion of new Paragraph 18, its sub-paragraphs and guidance: 18. REQUIREMENT TO FREEZE, BLOCK AND REJECT 18.1 Once a customer’s identity as a designated person is confirmed, a reporting institution must freeze the customer’s funds, properties or accounts or any transaction executed by the customer to prevent the flight or dissipation of the funds, other properties or assets or controlled directly or indirectly by the customer without delay. Consolidation of PF Guidelines into the AML/CFT Guidelines.

61 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 18.2 The freezing of funds, properties or accounts shall remain in effect until: (a) the designated person is delisted by the UNSC; or (b) it is confirmed that the customer’s funds, properties or accounts have been inadvertently affected by virtue of him having a same or similar name with a designated person (false positive). Guidance for False Positive under Paragraph 18.2(b) (a) A reporting institution may forward queries to the SC to determine whether the customer is a designated person in the case of similar or common names. (b) Any query submitted to the SC must include any additional information, copies of identification documents and relevant analysis conducted by the reporting institution.

62 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments (c) A reporting institution should advice any customers who complain about their accounts being inadvertently frozen or transactions being erroneously rejected or blocked to contact the Strategic Trade Controller under the STA to verify the false positive match. 18.3 If circumstances in paragraph 18.2(b) arose, an application may be made by the customer to the Strategic Trade Controller under the Strategic Trade (Unfreezing of Property in relation to Prohibited End-Users) Regulations 2014 (P.U.(A) 290/2014) for the unfreezing of such funds, properties and accounts. 18.4 Where the screening assessment results in a match with a potential or new customer, a reporting institution must reject the customer if the transaction has not commenced. Guidance for Paragraph 18

(a) Funds, properties or accounts that are owned or controlled indirectly by the designated person includes situation where the designated person is

63 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments a director of a customer. In such instance, once the reporting institution is satisfied that the director owns or controls directly or indirectly the funds, properties or accounts of the customer, the reporting institution is required to freeze. (b) The obligation to freeze funds, properties or accounts of a designated person continues until the person is delisted from the sanction lists. The freezing obligations remains even after the designated person passed away. (c) If an asset is owned or controlled by a designated person and the interest owned or controlled by the designated person cannot be segregated, then the entire asset should be subjected to freezing. (d) Notwithstanding the funds, properties or accounts are frozen, a reporting institution may continue receiving dividends, interests, or other benefits, but such benefits shall still remain frozen, so long as the designated person continue to be listed. (e) No outgoing payment should be made from the frozen funds, properties or accounts including

64 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments payment of any fees or service charges for maintaining the frozen fund without prior written authorisation of the Strategic Trade Controller in consultation with the SC. 82. Not applicable. Insertion of new Paragraph 19, its sub-paragraphs and guidance: 19. REPORTING REQUIREMENTS 19.1 A reporting institution must immediately report to the SC on any freezing, blocking or rejection actions undertaken in accordance with paragraph 18 towards the identified funds, properties or accounts. 19.12 The form for reporting to the SC upon determination of a name match and actions taken by the reporting institution is attached as Appendix I. 19.13 A reporting institution who has reported positive name matches and has control of frozen funds, properties or accounts of a designated person must report to the SC on any change to such frozen funds, properties or accounts by 31 January in the next calendar year (periodic reporting). Consolidation of PF Guidelines into the AML/CFT Guidelines.

65 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments Guidance for Paragraph 19.13 Examples of changes to the frozen funds, properties or accounts of customers includes among others, an increase in the funds or value of the property frozen due to interest payments or dividends pay outs. 19.14 The form for periodic reporting to the SC is set out in Appendix J. 19.15 A reporting institution must submit a suspicious transaction report (STR) to the FIED in the following circumstances: (c) In the event of positive name matches arising from ongoing screening of their customer database involving designated person or person identified as related party related to the designated person; and (d) Where there is an attempted transaction by any of the designated person or its related party.

66 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 19.16 The details on the lodgement of STR with FIED are set out in Appendix C. 19.17 The contact point for the SC and Strategic Trade Controller in relation to TFS-PF are: Securities Commission Malaysia Executive Director Surveillance, Authorisation and Supervision Securities Commission Malaysia, 3 Persiaran Bukit Kiara, Bukit Kiara, 50490 Kuala Lumpur Tel: 03-6204 8000 Website: www.sc.com.my Strategic Trade Controller Strategic Trade Secretariat, Ministry of International Trade and Industry, Level 4, MITI Tower, No. 7, Jalan Sultan Haji Ahmad Shah, 50622 Kuala Lumpur Tel: 03-8000 8000 E-mail: admin.sts@miti.gov.my Website: http://www.miti.gov.my/index.php/pages/view/sta2010

67 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments APPENDICES 83. Appendix A: Heading: Guidance on Risk-Based Approach (RBA) for the purpose of Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Paragraph 3.2: The reporting institution should evaluate the extent of its ML/TF risks at a macro level. When assessing the ML/TF risks, a reporting institution should consider all relevant risk factors that affect their business and operations which may include the following: Paragraph 3.2 (f): (f) Findings of the National Risk Assessment (NRA); and Paragraph 5.4: Amendments to Appendix A: Heading: Guidance on Risk-Based Approach (RBA) for the purpose of Anti-Money Laundering, and Countering the Financing of Terrorism and Countering Proliferation Financing (AML/CFT/ CPF) Paragraph 3.2: The reporting institution should evaluate the extent of its ML/TF/PF risks at a macro level. When assessing the ML/TF risks, a reporting institution should consider all relevant risk factors that affect their business and operations: which may include the following: Paragraph 3.2 (f): (f) Findings of the National Risk Assessment (NRA) or any other risk assessment issued by relevant authorities; and Paragraph 5.4: Amendments to apply the guidance in Appendix A to proliferation financing risks.

68 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments Identifying one high risk indicator for a customer does not necessarily mean that the customer is high risk1 . The RbRA ultimately requires the reporting institution to draw together all risk factors, parameters considered, including patterns of transaction and activity to determine how best to assess the risk of such customer on an ongoing basis. Identifying one high risk indicator for a customer does not necessarily mean that the customer is high risk, except for circumstances where a high-risk indicator is identified pursuant to high-risk customer relationships prescribed by FATF standards1 . The RbRA ultimately requires the reporting institution to draw together all risk factors, parameters considered, including patterns of transaction and activity to determine how best to assess the risk of such customer on an ongoing basis. 84. Appendix A1 Heading: Control Measures in Accepting Third￾Party Deposits (in relation to paragraph 7.3 of these Guidelines) Paragraph 2.2 A reporting institution is required to comply with the requirements of paragraph 7.3 of these Guidelines in establishing and implementing third party deposits policies and procedures. Amendments to Appendix A1: Heading: Control Measures in Accepting Third-Party Deposits (in relation to paragraph 7.3 6 of these Guidelines) Paragraph 2.2: A reporting institution is required to comply with the requirements of paragraph 7.3 6 of these Guidelines in establishing and implementing third party deposits policies and procedures. Editorial amendment.

69 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments 85. Paragraph 1.11 of Appendix B: For a domestic PEP or PEPFIO that is assessed as low risk, the reporting institution must apply the standard CDD measures and where he is assessed as high risk, enhanced CDD measures are applicable. Amendment to Paragraph 1.11 of Appendix B: 1.1 For family members or close associates of a domestic PEP or PEPFIO that is assessed as low risk pursuant to the rating assigned to the domestic PEP or PEPFIO, the reporting institution must apply the standard CDD measures and where he is assessed as higher risk, enhanced CDD measures are applicable. Amendments to clarify the application of Paragraph 1.11 on family members or close associates of a domestic PEP or PEPFIO. 86. Appendix E: Heading: Guidance on Beneficial Ownership for Legal Persons and Legal Arrangement (in relation to Paragraphs 8.1.6 of these Guidelines) Paragraph 1.7 (a): (a) Having ultimate controlling ownership interest over an entity includes having more than 25% ownership or equity interest in an entity which may be observed, among others, through share capital or voting rights. The ownership may either be direct Amendments to Appendix E: Heading: Guidance on Beneficial Ownership for Legal Persons and Legal Arrangement (in relation to Paragraphs 8.1.8 to 8.1.20 of these Guidelines) Paragraph 1.7 (a): (a) Having ultimate controlling ownership interest over an entity includes having more than 25% ownership or equity interest in an entity which may be observed, among others, through share capital, capital contribution or voting rights. The ownership may either be direct ownership (through ownership of shares within the entity itself) or indirect ownership Amendments to clarify beneficial ownership in relation to limited liability partnership.

70 Confidential (Sulit) No. Specific Amendments and Introduction of New Obligations to the AML/CFT/CPF Guidelines Reference in the Guidelines (version made effective on 26 April 2021) Revised Version dated 13 June 2024 Comments ownership (through ownership of shares within the entity itself) or indirect ownership (through chain of corporate vehicles). (through chain of corporate vehicles). In the case of a limited liability partnership - partners with capital contribution and/ or voting rights of more than 25%. 87. Not applicable. Insertion of Appendix F: Guidance on Identification and Due Diligence on Counterparty Virtual Asset Service Provider (VASP) (in relation to Paragraph 9.5 of the Guidelines) Guidance pursuant to the inclusion of the requirement on identification and due diligence on counterparty VASP. 88. Not applicable. Insertion of Appendix G: Regulation 3 of Strategic Trade (United Nations Security Council Resolutions) Regulations 2010 (P.U. (A) 481/2010) (in relation to Paragraph 1.1 (b)(ii) of the Guidelines) Consolidation of PF Guidelines into the AML/CFT Guidelines. 88. Not applicable. Insertion of Appendix H: EXPLANATORY NOTES IN RELATION TO MAINTENANCE OF SANCTIONS LIST (in relation to Paragraph 16.2 of the Guidelines) Consolidation of PF Guidelines into the AML/CFT Guidelines.