An Effective Approach to Ongoing Monitoring

1

2 Table of Contents Introduc)on................................................................................................................................3 Background.................................................................................................................................4 Prerequisites for Ongoing Monitoring.......................................................................................4 Outsourcing.............................................................................................................................5 Elements of an Effec)ve Ongoing Monitoring System ..............................................................6 Monitoring Legal Persons and Legal Arrangements..................................................................7 Monitoring of Legal Persons by TCSPs.....................................................................................7 Monitoring of Legal Arrangements .........................................................................................9 Trigger Events: Legal Person and Legal Arrangements............................................................9 Red Flags/Warnings Signs: Legal Persons and Legal Arrangements Monitoring ....................10 Scru)ny and Monitoring: Timing .............................................................................................11 Real Time vs Post Event Monitoring......................................................................................11 Manual vs Automated Monitoring ........................................................................................11 Monitoring Data Integrity......................................................................................................13 Higher Risk Scenarios and Sanc)ons Compliance ...................................................................14 Oversight of Monitoring Func)ons and Controls....................................................................15 Staff Training.............................................................................................................................15 Understanding what to do when a transac)on is suspicious..................................................16 Transac)on Monitoring: Customers Via Introduced Business................................................16 Key Takeaways..........................................................................................................................17 Overarching Requirement for Compliance ..............................................................................17 Table of Abbrevia)ons and Acronyms.....................................................................................18 Appendix 1................................................................................................................................19

3 Introduc*on These Guidelines are issued by the Financial Services Commission (the “FSC”) as the supervisor of financial insTtuTons (FIs) and the Financial InvesTgaTon Agency (the “FIA”) as the AnT-Money Laundering, Counter-Financing of Terrorism and Counter-ProliferaTon Financing (AML/CFT/CPF) supervisor of Designated Non-Financial Businesses and Professions (DNFBPs) in the Virgin Islands (VI). The FSC is responsible for the regulaTon and supervision of the financial services sector: (i) banking, (ii) insurance, (iii) trust and company services providers (“TSCPs”), (iv) investment business, (v) financing business (FB), (vi) money service businesses (“MSBs”), (vii) insolvency services, and (viii) virtual asset service providers (“VASPs”). The FIA is responsible for the supervision and monitoring of DNFBPs in the VI: (i) legal pracTToners, (ii) notaries public, (iii) accountants, (iv) real estate agents, (v) dealers in precious metals and stones (“DPMS”), (vi) high value goods dealers (“HVGD”), (vii) vehicle dealers, and (viii) persons engaged in the business of buying and selling boats. For the purposes of these Guidelines, the enTTes supervised by both the FSC and FIA are collecTvely referred to as “licensees”. As supervisors, the FSC and FIA are cognisant of the need to ensure all licensees are aware of the various risks related to their business. As members of the Council of Competent AuthoriTes’ Joint Supervisory Commiee, the FSC and FIA are commied to ongoing cooperaTon and collaboraTon on maers that impact licensees to ensure proper risk miTgaTon and enhance transparency, while maintaining the VI’s reputaTon as a place to conduct legiTmate and quality business. Comprehensive AML/CFT/CPF compliance by licensees is essenTal to remain up to date with evolving risks that could adversely impact operaTons. These Guidelines have been developed for the benefit of assisTng licensees in the implementaTon of a risk-based approach for applying measures to miTgate against money laundering (“ML”), terrorist financing (“TF”) and proliferaTon financing (“PF”) risks through ongoing monitoring of transacTons and business relaTonships. Importantly, these Guidelines also buress the provisions for compliance with the AnT-Money Laundering and Terrorist Financing Code of PracTce (the "AMLTFCOP"), the AnT-Money Laundering RegulaTons (the "AML RegulaTons"), the Regulatory Code (the "RC"), the Financial InvesTgaTon Agency Act (the “FIA Act”) and the Financial Services Commission Act (the "FSC Act"), including any Explanatory Notes to these documents. These Guidelines also serve as a complement to the ongoing need to report and engage with the FSC, FIA and other competent authoriTes, including law enforcement agencies, to achieve opTmal results in prevenTng ML, TF and PF risks from being realised. These agencies include the Office of the Governor (GO), A`orney General’s Chambers(AGC), Royal Virgin Islands Police Force (RVIPF) and the BVI InternaTonal Tax Authority (ITA).

4 Background Licensees have a responsibility to carry out ongoing monitoring of customers, including any legal persons and legal arrangements that are customers or to which customers may be connected. EffecTve monitoring involves an ongoing review of clients and business relaTonships as well as the monitoring of transacTons, including one-off transacTons in order to idenTfy: a) for the purpose of reassessing the client’s risk raTng, transacTons that may present elevated risk; b) unusual or suspicious transacTons that may require filing a SAR; and c) transacTons that are in breach of targeted financial sancTons. This duty is embedded in the VI’s AML/CFT/CPF laws and regulaTons. Primarily, the requirement to undertake ongoing monitoring is contained in secTon 21 of the AMLTFCOP. These legal requirements are derived from the internaTonal standards developed by the Financial AcTon Task Force (FATF) and are promulgated globally. Ongoing monitoring is an integral facet to the measures required of all licensees in miTgaTng against ML, TF, and PF. As a criTcal aspect of AML/CFT/CPF compliance, ongoing monitoring must be effecTvely and consistently carried out by licensees. Licensees should also establish procedures within their compliance manual outlining measures for effecTve ongoing monitoring of these enTTes. In addiTon, licenseesidenTfied through relevant risk assessments as presenTng a higher level of risk (e.g. those providing incorporaTon and formaTon services to legal persons and legal arrangements) may be`er miTgate these risks through robust ongoing monitoring systems. Prerequisites for Ongoing Monitoring To ensure that licensees are in a posiTon to carry out effecTve ongoing monitoring, it is important to collect proper due diligence on customers, including legal persons and legal arrangements, as customers can present varying levels of ML, TF and PF risks. Integral to ensuring that a licensee is posiToned to conduct effecTve ongoing monitoring is: (a) having a clear understanding of customers' business acTviTes; and (b) being able to establish whether there are connecTons, through the presence of legal persons or legal arrangements, that increase risks (this includes the presence of sancToned persons or those connected to sancToned persons or high risk countries, PoliTcally Exposed Persons (PEPs), high risk industries, etc.). Such iniTal due diligence enables the creaTon of a base profile of the nature of business and acTviTes of the customer and an iniTal understanding of the ML, TF and PF risks presented. However, the circumstances or profile of a customer may change, which may lead to a licensee having to make an adjustment in the risk profile of the customer. Therefore, carrying out ongoing

5 monitoring is vital to being able to idenTfy customers whose risk profile has changed to beer enable the licensee to detect customers who may become involved in, or misuse legal persons and/or legal arrangements to facilitate ML, TF or PF. Transac)on Monitoring Licensees must monitor all customer transacTons and acTvity to idenTfy notable transacTons or acTviTes that may indicate a change in customer circumstances or transacTons that: • are inconsistent with the licensee’s knowledge of the customer (unusual transacTons or acTvity); • are complex or unusually large; • form part of an unusual paern; or • present a higher risk of ML, TF or PF. Such unusual transacTons or pa`erns of transacTons may require a licensee to conduct an enquiry to determine whether the transacTons are indeed suspicious. Licensees must examine and enquire into, as far as possible, the background and purpose of transacTons meeTng the above criteria and record their findings in wriTng. If a licensee has knowledge or a suspicion that these transacTons are quesTonable, they must file an internal suspicious acTvity report with their money laundering reporTng officer. Proper policies and procedures should be established to: a) review customer transacTons and customer acTvity using a risk-based approach depending on the risk of the customer; b) provide training to staff on transacTon monitoring, as well as detecTng and handling unusual transacTons c) where appropriate, implement automated transacTon monitoring systems d) review the effecTveness of their transacTon monitoring program periodically and have a system to remediate any deficiencies found It is important to note that licensees’ scruTny of customer acTviTes also includes business relaTonships that do not generally involve transacTons, e.g., where a licensee provides investment advice, directorship services or nominee shareholder services. Outsourcing Where a licensee outsources and/or contracts a third party (including a Group enTty) to carry out its ongoing monitoring or elements of its funcTon, the licensee must ensure that it has adequate measures in place to confirm that the third party is effecTvely carrying on these funcTons as if that party was a licensee under the relevant legislaTon in the VI. The licensee’s monitoring of the

6 outsourced funcTons must include tesTng, recording the findings of such tesTng and taking steps to miTgate results of such tesTng. Where the results of the licensee’s tesTng of the relaTonship with the third party leads to less than acceptable findings, parTcularly findings not in compliance with the requirements of VI legislaTon and the third party is unable to correct the deficiencies in a Tmely manner, the licensee must terminate the agreement, seek an alternaTve service provider or perform the funcTons itself, including conducTng a risk assessment of all enTTes for which the third party was responsible for monitoring. This will ensure that the licensee is aware and understands the risks posed by each individual customer. Elements of an Effec*ve Ongoing Monitoring System An effecTve transacTon and acTviTes monitoring system would likely comprise the following elements: • Robust framework: The risks licensees face are dynamic, and the transacTons they carry out are varied and unique to certain types and categories of licensees. Certain licensees, based on class and type of licence and services provided, would also engage in a significant volume of transacTons. Licensees should, therefore, regularly review and enhance their monitoring frameworks, which should be targeted at sustaining and/or improving system effecTveness. Not all relaTonships or transacTons should be monitored the same way. The degree of monitoring employed will depend on the perceived risks presented by each customer or transacTon. Licensees with higher inherent ML, TF or PF risks or specific control deficiencies should ensure their monitoring frameworks account for these elevated risks and sufficiently allow for more frequent monitoring and reviews to be performed in order to adequately miTgate their risks. • Robust culture of risk awareness: Licensees must ensure that staff understand the importance of the licensees’ monitoring funcTons, and that these funcTons are executed by competent and well-trained staff who exercise sound judgment in targeTng unusual transacTons, acTviTes and behaviours. Staff should be fully versed in understanding the risks posed by the licensee’s business and customers. • Meaningful and iden)fiable integra)on: Licensees should ensure that their monitoring systems and frameworks reinforce, and are reinforced by, the broader AML/CFT/CPF controls that they employ, including by designaTng clear responsibiliTes for the effecTve conduct of the monitoring funcTon across all business lines by staff such as frontline and compliance staff. • Ac)ve and con)nuous oversight: Board and senior management must take an acTve role in overseeing the saTsfactory performance of monitoring funcTons and should drive conTnual enhancement with a view to ensuring that key risks are appropriately miTgated. When outputs or outcomes are compromised due to factors such as inappropriate comparison of data based on factors that are irrelevant or provide an inaccurate measurement, process inefficiencies, staff issues or system failures, it is incumbent on the board and senior management to adequately resolve these ma`ers in a prompt and

7 Tmely manner. The board and senior management should communicate clear risk appeTtes and set a firm tone from the top that the detecTon, prevenTon and miTgaTon of ML, TF and PF are a priority. Monitoring Legal Persons and Legal Arrangements Licensees will have legal persons and legal arrangements as customers or as part of the structure of customers’ acTviTes and therefore, will have to take measures to ensure ongoing monitoring is performed on these enTTes. Licensees should be mindful that the criteria for the idenTficaTon and verificaTon of legal persons and legal arrangements are different from those for natural persons. Generally speaking, each business relaTonship or occasional transacTon involving a legal person or legal arrangement will also contain a number of associated natural persons, for example, as beneficial owners and directors. However, the nature of the business relaTonship with the licensee would determine the manner in which ongoing monitoring should be undertaken. Further, monitoring of legal persons, trusts or other legal arrangements by a licensee should involve qualified personnel who are familiar with the parTcular characterisTcs of the various types of legal persons, trusts and similar legal arrangements. Where licensees’ business relaTonships involve the establishment of legal persons and legal arrangements, those relaTonships would require targeted monitoring mechanisms. Given the nature of company formaTon in the VI, where establishment of legal persons and legal arrangements can only be facilitated through TCSPs, the risk of inappropriate and inadequate monitoring of legal persons and legal arrangements elevaTng ML, TF and PF risk is greater for TCSPs. This secTon therefore is primarily focused on TCSPs and how ongoing monitoring can be undertaken for legal persons and legal arrangements created or administered by those licensees. This secTon should be read in conjuncTon with SecTon 21 of the AMLTFCOP and the Explanatory Notes to that secTon, which provides addiTonal guidance. Monitoring of Legal Persons by TCSPs Licensees that provide certain value-added services to legal persons, including corporate secretarial services, directorship services1, acTng as a nominee shareholder, or any other established service or service provided by the licensee where the licensee acts solely on the 1 It is important to note that the concept of a ‘nominee director’ is not recognised in the Virgin Islands. Under BVI law, all directors have a fiduciary duty to the corporate structures for which they act. However, where a director is ac@ng on instruc@ons of a third-party individual, this fact is required to be disclosed to the company. The agent is also required to enquire whether this is the case, and where this is the case the company is required to provide this informa@on to the Registrar. Sec@ons 120 through 125 of the BVI Business Companies Act, 2004 are relevant for BVI Business Companies. Similar provisions exist in other legisla@on that allows for the incorpora@on of other BVI corporate structures.

8 instrucTons of another party, should also understand that these same services may elevate the risk of misuse of these legal enTTes. The provision of addiTonal services beyond solely incorporaTon services expands the scope for a licensee to acTvely monitor these legal persons. Procedures should, therefore, be developed to ensure that robust AML/CFT/CPF measures, including ongoing periodic monitoring and transacTon monitoring, are in place during the provision of these services. Monitoring acTviTes of legal persons should also include monitoring of transacTons that involve transfers of value (i.e. fiat or virtual assets) as well as non-cash transacTons2. For TCSPs, transacTons that are non-cash transacTons would be parTcularly relevant for transacTon monitoring given the services provided to legal persons. For example, obtaining a cerTficate of good standing is a non-cash transacTon. A customer who owns a legal person may tradiTonally obtain one cerTficate of good standing annually for the purpose of maintaining a bank account. This establishes a transacTon paern. However, if the customer requests eight cerTficates of good standing, that is a deviaTon from the established transacTon paern. Therefore, a licensee should obtain informaTon in relaTon to such a transacTon that falls outside the expected transacTon pa`ern for the customer. Importantly, licensees also need to monitor changes to the business acTviTes of their customers, including where those customers are legal persons or connected to a legal person (e.g. through ownership, directorship or other means). The established business acTviTes at the Tme of onboarding a customer may change or expand over Tme. For example, a customer may own a legal person that provides commercial rental spaces in an EU country and those business acTviTes are properly disclosed. Aler a year, the legal person may expand its operaTons into a high-risk country. This expansion does not change the nature of the business acTviTes, but the potenTal risks have changed. If a licensee’s monitoring systems are not sufficiently robust, this expansion may be overlooked. AlternaTvely, a customer may diversify the business acTviTes of the legal person without properly disclosing the occurrence of this change. To ensure that licensees are aware of potenTal risks, they must ensure that they remain aware of the full scope of business acTviTes of the legal personsthat are connected to their customers, as well as be able to ascertain those acTviTes that are expanding in scope, geographic reach, customer base, etc. Licensees should also be aware of higher risk business acTviTes for ML, TF and PF. Such acTviTes may include acTviTes in industries such as mining, shipping (as it concerns proliferaTon financing) and VASPs. Financial records of legal persons can also aid in the monitoring process. Reviewing financial statements – which may include bank statements and other records – can provide addiTonal insights into the acTviTes of the legal persons, as well as the types of assets held or owned. By 2 Such monitoring also equally applies to legal arrangements as appropriate.

9 extension, the nature of the assets owned by a legal person can provide insights into its business acTviTes and associated risk factors. In some cases, these assets may trigger the need for heightened monitoring. For example, a customer that owns a company that processes and ships radiological materials for oncological treatments presents risks through the materials being shipped. These materials can be classified as dual-purpose goods which could be used illicitly for proliferaTon acTviTes. Therefore, the licensee would need to idenTfy this as a high-risk acTvity and its risk assessment framework should adequately respond to such higher risk scenarios. In such circumstances the licensee should implement measures to miTgate the risk including taking steps to ensure that the legal person is carrying on the acTvity for which it was established and that the acTviTes do not lead to the facilitaTon of, or direct conduct of illegal acTvity, including potenTal breaches of targeted financial sancTons or other sancTons applicable to the VI. For licensees that are TCSPs the financial returns3 submied by a company or a partnership can provide a source of monitoring. Monitoring of Legal Arrangements The monitoring of legal arrangements, which in the VI primarily relates to trusts, may have similariTes to the monitoring of legal persons as the case may dictate. However, there are unique elements related to legal arrangements that licensees should consider as well. Licensees may act in a number of fiduciary roles to a legal arrangement, such as being appointed as a trustee, protector, enforcer or administrator. The nature of a licensee’s role will impact its approach to monitoring the legal arrangement. Further, there are other specific characterisTcs of a trust that a licensee should be aware of and ensure it appropriately monitors. These include where the trust has flight clauses, as well as selors’ reserve powers including the power to revoke a trust, or where trusts are part of a larger complex ownership structure (i.e. a structure involving mulTple legal persons and mulTple connected jurisdicTons). While a trustee and other fiduciaries must act in the best interests of the beneficiaries, these fiduciaries also have AML/CFT/CPF obligaTons to develop a comprehensive policy for the monitoring of legal arrangements. As such, the monitoring mechanisms should be well documented to enable reviews by the licensee’s compliance staff, and its internal audit funcTon, as well as by the FSC or the FIA as the case may be. Trigger Events: Legal Person and Legal Arrangements Trigger events idenTfy acTons or condiTons that, when materialised, may cause a change in a customer’s circumstances. Licensees should have policies and procedures in place detailing systems and controls that will enable them to idenTfy, assess, monitor and manage the risks that such trigger events may present. 3 Financial returns required to be submiPed under the BVI Business Companies (Financial Returns) Order.

10 In addiTon to the scenarios outlined above, trigger events for legal persons may also include4 : i. Sudden increase/decrease in volume and/or value of transacTons; ii. Change in normal payment methods; iii. Change in directors, shareholders, beneficial owners or other connected persons; iv. Change in business acTviTes; v. Change in place of business; vi. IdenTfied news(posiTve or otherwise) involving the customer and/or connected persons such as mergers, acquisiTons, accusaTons of bad acTons and links to higher risk jurisdicTons; and vii. Change in circumstances of connected personssuch as addresses, PEP status, naTonality, sancTon designaTon or connecTon to sancTons persons etc. In relaTon to legal arrangements, trigger events may include5 : i. disbursements; ii. addiTons to trust assets; iii. changes in investment strategy for trust assets; iv. idenTficaTon of beneficiaries not previously idenTfied; v. change of domicile of the trust; and vi. disputes between beneficiaries and fully vesTng trust assets. The triggering events cited above can present opportuniTes to conduct more in-depth monitoring. AddiTonally, reviews of the financial records of trust assets can also aid a licensee in its obligaTon to carry out ongoing monitoring acTviTes. Red Flags/Warnings Signs: Legal Persons and Legal Arrangements Monitoring Licensees should be aware of and be able to idenTfy warning signs emanaTng from transacTon monitoring acTviTes that may consTtute a red flag. TransacTon monitoring of legal persons/arrangements is more effecTve where licensees understand or are aware of instances that may raise suspicion. Appendix 1 provides a list of potenTal red flags or warning signs that may emanate from transacTon monitoring acTviTes related specifically to legal persons/arrangements and which may require further assessment or filing of a suspicious acTvity report (“SAR”). While some red flags may appear suspicious on their own, it may be considered that a single red flag may not be a clear indicator of potenTal misuse of a legal person or legal arrangement for ML/TF/PF acTvity. However, a combinaTon of these red flags, in addiTon to 4 These trigger events should be read in conjunc@on with the red flags and warning signs examples contained in this guidance and the contents of the AMLTFCOP, including its Explanatory Notes. 5 These trigger events should be read in conjunc@on with the red flags and warning signs examples contained in this guidance and contents of AMLTFCOP including its explanatory notes.

11 analysis of overall financial acTvity or business profile may provide a clearer indicaTon that the legal person or legal arrangement is being potenTally misused for ML/TF/PF acTvity. These red flags also act as trigger events for a licensee to consider whether addiTonal measures, such as updaTng CDD or ECDD, are required to forestall any ML, TF or PF risk. These red flags or warning signs should be read in conjuncTon with those contained in the AMLTFCOP6 and any issued by the FIA. To assist staff and ensure the system remains effecTve, licensees should ensure that their lists of ML/TF/PF red flags/warning signs are conTnually updated to include new red flags as well as provide further guidance on exisTng ones, parTcularly when staff give feedback on a lack of clarity in interpreTng these red flags (for example, with regard to the treatment of complex transacTons or paerns, classifying higher risk geographies and business acTviTes, or determining whether certain transacTons and paerns make economic sense). Scru*ny and Monitoring: Timing TransacTon monitoring is only effecTve if it is based on accurate data that can idenTfy changes that may impact a licensee’s level of exposure to ML, TF and PF in order for such risks to be effecTvely addressed in a Tmely manner. The Tming of such monitoring is important, as well as the way in which monitoring is conducted. The integrity of the data used is also criTcal to ensuring licensees receive meaningful outputs that can be used to drive necessary changes to minimise their risk exposure. Real Time vs Post Event Monitoring Real Tme monitoring focuses on transacTons and acTviTes at the point when informaTon or instrucTons are received and are reviewed during or prior to being acToned. On the other hand, post event monitoring may involve end-of-day, weekly, monthly or annual reviews of customer transacTons and acTvity. Real Tme monitoring of transacTons and acTvity is generally more effecTve in reducing a licensee’s exposure to ML, TF and PF risk. Post event monitoring may be more effecTve at idenTfying unusual pa`erns. Licensees should incorporate both real Tme and post event monitoring to ensure they are able to idenTfy any unusual acTvity in a Tmely manner. Manual vs Automated Monitoring Monitoring may involve manual or automated procedures or both. Automated monitoring procedures may add value to manual procedures by recognising transacTons or acTvity that fall outside set parameters, parTcularly for licensees with a large number of customers and transacTons. However, where automated monitoring procedures are not in place, procedures for manual monitoring should ensure proper checks and balances to minimise human errors, which may lead to ineffecTve monitoring. 6 See Explanatory Note (iii) of Sec@on 21 of AMLTFCOP.

12 Automated monitoring methods may be effecTve in recognising notable transacTons and acTvity, and business relaTonships and one-off transacTons with persons connected to higher risk jurisdicTons, sancToned countries or territories, or sancToned persons. Automated systems that provide outputs like excepTon reports can provide a simple but effecTve means of monitoring all transacTons to, or from, parTcular accounts or geographical locaTons, as well as any acTvity that falls outside of pre-determined parameters, based on thresholds that reflect a customer’s business and risk profile. This could lead to the idenTficaTon of unusual transacTons in a Tmelier manner. However, defining what consTtutes unusual behaviour or transacTon pa`erns is the ulTmate responsibility of the licensee and must be determined based on the licensee’s understanding of the customer’s profile and the ensuing risks. It is expected that where an automated monitoring approach (group or otherwise) is used, a licensee must understand: • how the system works and when it is changed; • its coverage (who or what is monitored and what external data sources are used); • how to use the system, e.g., making full use of guidance; and • the nature of its output (excepTons, alerts etc.). When screening a business relaTonship (prior and subsequent to establishing that relaTonship) and transacTons, the use of electronic external data sources may also be parTcularly effecTve. However, where a licensee uses group screening arrangements, the licensee will need to be saTsfied that the group’s systems provide adequate miTgaTon of risks applicable to the VI business. FIA and FSC will be keen to see clear focus on VI business with evidence including how such business risk is miTgated7. ImplementaTon of an automated monitoring system does not remove the need for a licensee to remain vigilant and licensees should have regard for the fact that factors such as staff intuiTon, direct contact with a customer and the ability, through experience, to recognise transacTons and acTviTes that do not seem to make sense, cannot be automated. Automated screening may also lead to issues of fuzzy matches. Therefore, licensees’ systems and their understanding of such systems must lead to the ability to: • understand which business relaTonships and transacTon types are screened; • understand the system’s capacity for fuzzy matching (a technique used to recognise names that do not precisely match a target name but which are sTll potenTally relevant); 7 It is important that licensees have sufficient records to evidence full account of VI business within any group system.

13 • set clear procedures for dealing with potenTal matches, driven by risk consideraTons rather than resources; and • record the basis for discounTng alerts (e.g., false posiTves) to provide an audit trail. The audit trail should enable licensees to review the dates on which screening checks were undertaken and the results of those checks (e.g., the number of false posiTves), thus allowing them to assess if the system is operaTng effecTvely. Where a licensee is part of a wider group and uTlises a group-wide screening system, evidence would need to be obtained that such an audit trail exists. A copy of the records made would suffice in this instance. Licensees should periodically sample the quality of their alerts handling in order to detect and recTfy deficient cases, as well as any weaknesses observed in their transacTon monitoring systems or processes. This can be achieved through internal tesTng or independent quality assurance to conTnually sample alerts handling and test the robustness of these processes. IrrespecTve of which manner a licensee uses, the licensee must ensure that the level of tesTng performed is commensurate with the size of its business, volume of transacTons, and nature and complexity of risks faced. It is expected that any findings and issues idenTfied will be miTgated in a Tmely manner and reviewed by the licensee’s board and senior management. Licensees should, therefore, ensure that they have systems available to provide their senior management with an adequate overview and the context of the Tmeliness and quality of the licensee’s transacTon monitoring alerts handling and resoluTon, as well as any remedial measures; and whether these measures effecTvely miTgate the licensee’s ML/TF/PF risks. Records of these measures should be maintained for review by the FSC or FIA as applicable. Monitoring Data Integrity Output and effecTveness of a licensee’s transacTon monitoring system is directly correlated to the quality of its data. Licensees should periodically review the completeness and validity of data used in their transacTon monitoring systems, through for instance, the performance of data integrity checks to ensure that data being used is complete (i.e., covers relevant areas for review) and accurate (i.e. informaTon input is accurate, primarily with regard to risk criteria of customers). Where systems include mechanisms such as transacTon and other technological codes, licensees should have systems in place to periodically assess and monitor these codes. Further, licensees should have controls in place, such as procedures to conduct trend analyses and generate excepTon reports to idenTfy where the system is working outside agreed rules or scenarios caused by data integrity issues, so these may be properly assessed. ConsideraTon should be given as to whether root cause analyses should be performed, and the findings and remedial acTons escalated to the appropriate senior management. Licensees should ensure that staff’s access rights to their transacTon monitoring systems are commensurate with their roles, responsibiliTes and seniority to safeguard the integrity of data.

14 While sufficient access must be provided to key staff (e.g. analysts, compliance staff and quality assurance teams) in order to perform their duTes effecTvely, licensees should perform periodic checks on the levels of access being granted and take steps to idenTfy and reduce the number of unauthorised persons or those who no longer require access to the system. Higher Risk Scenarios and Sanc*ons Compliance The risk that a business relaTonship may be used for concealment of the proceeds of criminal conduct or instrumentaliTes, or for TF or PF, is elevated where the business relaTonship or one￾off transacTon involves a sancToned person or enTty, or a legal person or arrangement connected with a sancToned person, country or territory or a higher risk jurisdicTon for the purpose of ML, TF or PF8 . To minimise this risk, licensees must comply with all asset-freezing and reporTng obligaTons to prevent funds or other assets being made available, directly or indirectly, for the benefit of a designated person. FATF RecommendaTons 6 and 7, as implemented in VI legislaTon, require the implementaTon of UN TFS “without delay”, which should be understood as no more than 24 hours and interpreted in the context of: • the need to prevent the flight or dissipaTon of funds or other assets which are linked to TF or PF; and • the need for global, concerted acTon to swilly prevent and disrupt TF and PF flow. As a part of on-going monitoring procedures, licensees must establish and maintain appropriate policies, procedures and controls to monitor all customer transacTons and acTvity in order to recognise whether any business relaTonships or one-off transacTons are directly or indirectly connected to sancToned persons, organisaTons, or other parTes. Licensees must undertake sancTons screening for all business relaTonships and one-off transacTons. This screening must include the customer, any beneficial owners and other associated or connected parTes. The screening must be carried out at the Tme of client take-on, during periodic reviews and when there is a trigger event, e.g., amendments made to the sancTons designaTons lists. EffecTve sancTons compliance may include, but is not limited to: • having appropriate policies, procedures and controls in place to ensure that the content of targeted financial sancTons noTces is reviewed without delay, including screening of customer data against the sancTons designaTons lists; 8 Licensees should pay par@cular aPen@on to higher risk jurisdic@ons as iden@fied by the VI in its various risk assessments. Higher risk jurisdic@ons are separated for the purpose of ML, TF and PF as different jurisdic@ons pose different types of risk, threats and vulnerabili@es rela@ve to ML, TF, or PF.

15 • in the case of an idenTfied posiTve match, freezing of any accounts, and other funds or economic resources without noTce and without delay; • refraining from dealing with the funds or assets or making them available (directly or indirectly) to such persons unless a license is obtained from the SancTons Unit; and • ensuring required sancTons compliance reporTng forms are filed as soon as pracTcable with the SancTons Unit • criteria for filing a SAR with the FIA in instances where a breach of sancTons may be suspected/confirmed. A licensee must ensure its sancTons monitoring system includes an assessment of the effecTveness of its sancTons controls and its compliance with the VI sancTons regime. A record of such assessment should be maintained, and any findings should be appropriately corrected and/or miTgated. Oversight of Monitoring Func*ons and Controls The MLRO/Compliance Officer9 should have access to, and familiarise him or herself with, the results and output from the licensee’s monitoring processes. Such output should be reviewed by the MLRO/Compliance Officer who in turn should report regularly to the board, providing relevant staTsTcs and key performance indicators, together with details of any trends and acTons taken where concerns or discrepancies have been idenTfied, as well as any issues that cause elevaTon of ML, TF or PF risk to the licensee’s business. The board should consider the appropriateness and effecTveness of the licensee’s monitoring processes as part of its annual review of the licensee’s insTtuTonal risk assessments and associated policies, procedures and controls. This should include consideraTon of the extent and frequency of such monitoring, based on materiality and risk as set out in the insTtuTonal risk assessments. Where a licensee idenTfies weaknesses within its monitoring arrangements, it should ensure that these are recTfied in a Tmely manner and consideraTon should be given to noTfying the FSC or the FIA as appropriate, where these findings are considered material. Staff Training To ensure the quality and consistency of staff assessments of transacTons, licensees should periodically provide staff with training on idenTfying suspicious acTviTes, the insTtuTon’s policies and procedures for transacTon monitoring and how to communicate and idenTfy any anomalies found within the customer profile as a result of transacTon monitoring. Training should include, 9 Responsibili@es of the MLRO and Compliance Office must be clearly delineated within the organisa@on where the func@ons are separately performed.

16 amongst other things, any updates to ML/TF/PF red flags, and current risk understanding, and any new or emerging ML/TF/PF trends or typologies. Licensees should also ensure that training is commensurate with the specific tasks assigned to staff and the risks faced based on specific funcTons (i.e. one module for all staff may not be appropriate). Senior management should also receive specified training, including with respect to their oversight and approval funcTons. Training aendance should be tracked and enforced. A tesTng element should also be included. Licensees must also consider how to incorporate transacTon monitoring and other ML/TF/PF metrics into performance indicators to drive staff ownership and accountability of the process. Understanding what to do when a transac*on is suspicious Where transacTons are idenTfied as having sufficient grounds for suspicion of ML, TF or PF, licensees are required to file SARs with the FIA. Such reports must be filed in a Tmely manner using the prescribed form as contained on the FIA website. Internal processes must not unduly delay the prompt filing of SARs. Where a licensee idenTfies suspicious acTviTes in relaTon to a customer’s accounts or transacTons, in addiTon to filing a SAR, should the licensee decide to retain the relaTonship, it should ensure that appropriate enhanced measures are taken to manage the risks of these accounts being abused for ML/TF/PF purposes. These enhanced measures include subjecTng the accounts to increased scruTny, obtaining compliance and/or senior management approvals prior to execuTng further transacTons, and reviewing the risk classificaTon and/or further business relaTons with the customer. These acTons would be in keeping with ECDD requirements; licensees must, therefore, consider the Guidance on ECDD. It is also important that licensees pay parTcular aenTon to any obligaTons to, or ongoing cooperaTon they have with relevant competent authoriTes or law enforcement agencies, including having regard to the obligaTon not to Tp-off the customer. Transac*on Monitoring: Customers Via Introduced Business Licensees’ transacTon monitoring procedures must cover all customers including those introduced through third parTes. Therefore, licensees’ systems must account for the unique nature and elevated ML, TF and PF risk of business related to third party introducers. Licensees should incorporate the Guidance on MiTgaTng the Risk with Introduced Business within their transacTon monitoring system. For example, it is important that TCSPs, based on the risk of introduced business, appropriately monitor and test that their introducers employ effecTve monitoring systems in place and those monitoring systems are consistent and collaboraTve with their own transacTon monitoring systems to ensure they are able to accurately idenTfy the risks associated with the clients introduced by these third parTes.

17 Key Takeaways An effecTve transacTon monitoring system is essenTal for licensees to detect and report suspicious transacTons in a Tmely and effecTve manner and take appropriate steps to miTgate the associated ML/TF/PF risks. Licensees should prioriTse transacTon monitoring and embed it into their organisaTonal wide culture, including through ensuring a strong tone is set from senior management and the Board about its importance. Licensees are encouraged to consider the use of new technology and data analyTcs to improve their transacTon monitoring effecTveness. Licensees must be able to demonstrate that the systems employed are effecTve and that data inpu`ed into the system is appropriate and leads to the desired result of idenTfying suspicious acTviTes or acTviTes outside the normal behavior of a customer. Licensees should ensure that they review secTon 21 of the AMLTFCOP and the accompanying Explanatory Notes in their enTrety. The FSC and the FIA will be assessing compliance with the requirements of secTon 21 of the AMLTFCOP on an ongoing basis. Overarching Requirement for Compliance Licensees must remain vigilant in relaTon to evolving ML, TF and PF threats, as well as other threats that can negaTvely impact their operaTons. To miTgate against these threats and resulTng risks, licensees must be diligent in the applicaTon of AML/CFT/CPF measures. These measures must be holisTc and integrate prudent governance and modern risk management strategies with a robust compliance framework. Licensees must remain agile and embed systems to allow for conTnual improvement in the efficiency and effecTveness of their AML/CFT/CPF compliance.

18 Table of Abbrevia*ons and Acronyms AML/CFT/CPF Anti-money laundering, countering financing of terrorism and countering proliferation financing AML/CFT supervisors Financial Services Commission and Financial Investigation Agency AMLTFCOP Anti-Money Laundering and Terrorist Financing Code of Practice AML Regulations Anti-Money Laundering Regulations CDD Customer due diligence DNFBPs Designated Non-Financial Businesses and Professions ECDD Enhanced Customer Due Diligence EU European Union FATF Financial Action Task Force FIA Financial Investigation Agency FIs Financial Institutions FSC Financial Services Commission IRA Institutional Risk Assessment Licensees Financial Institutions and Designated Non-Financial Businesses and Professions ML Money laundering PEP Politically exposed person PF Proliferation financing RAF Risk Assessment Framework RBA Risk-based approach SAR Suspicious activity report SoF Source of funds SoW Source of wealth STR Suspicioustransaction report TF Terrorism financing TFS Targeted Financial Sanctions UN United Nations UNSC United Nations Security Council

19 Appendix 1 Transac)on Monitoring Warning Signs/Red Flags Legal Person/Arrangement Customer Behavior: • When a legal person/arrangement or its beneficial owner or any of its associated natural persons or transacTons originate from a high-risk jurisdicTon where the FATF has called for countermeasures or enhanced client due diligence measures, or a jurisdicTon known to have inadequate measures to prevent money laundering, the financing of terrorism and proliferaTon financing. • The legal person/arrangement is associated with terrorism acTviTes, or the legal person has been declared a designated person under UN, UK or other relevant VI sancTons regimes. • Any associated natural person of the legal person/arrangement is designated under UN, UK or other relevant VI sancTons regimes. • An employee, director, signatory, and/or beneficial owner of the person/arrangement is unusually concerned with the reporTng threshold or AML /CFT/CPF policies. • The legal person/arrangement is linked to negaTve/adverse news or criminal acTvity (e.g., named in a news report on a crime commied or under Law Enforcement invesTgaTon/inquiry). • The legal person/arrangement or any of its associated natural persons/enTTes are found to be a posiTve match while screening against sancTons lisTngs relaTve to UN Security Council ResoluTons (UNSCRs) for TF and PF. • The legal person/arrangement aempts to establish a business relaTonship but fails to provide adequate documentary proof regarding its beneficial ownership details to the saTsfacTon of the Financial InsTtuTon or DNFBP. • The legal person/arrangement is part of a complex structure that is not commensurate with the nature of business acTviTes of the legal person/arrangement. • The legal person/arrangement is consistently invoiced by organisaTons located in a jurisdicTon that does not have adequate AML/CFT/CPF laws. • The legal person/arrangement’s beneficial owners, shareholders or directors are also listed as beneficial owners, shareholders or directors in mulTple other companies. • Unexplained use of nominee shareholder arrangements. • Directors acTng on instrucTons of others who may not be disclosed.

20 Transac3onal Pa6erns: • TransacTons that are not consistent with the usual business profile of the legal person/arrangement: o transacTons that appear to be beyond the means of the legal person/arrangement based on its nature of business or declared business profile, o transacTons that appear to be above the usual amount, based on the nature of business in which the legal person/arrangement is involved. • Frequent/mulTple transacTons involving enTTes with the same beneficial owner with no or lile economic value. • The legal person/arrangement is engaged in a business that is not normally cash￾intensive but appears to have substanTal amounts of cash transacTons. • The legal person/arrangement deliberately avoids tradiTonal banking services without legiTmate reasons for doing so. • The legal person/arrangement’s transacTons are structured to avoid reporTng threshold requirements. • Large or frequent cash-based transacTons occur, which are not commensurate with the stated business profile/acTviTes of the legal person/arrangement. • Numerous small transacTons by a legal person/arrangement, especially over a short period, but taken together are material and do not match the transacTonal paern of the legal person/arrangement’s declared business profile. • Export/Import proceeds and other receipts and payments to/from unrelated counterparTes, which are not in line with the legal person/arrangement’s business nature. • No clear relaTonships between connected companies or transacTonal counterparTes of the legal person/arrangement. • Proceeds received from, or payments sent to, an unrelated foreign buyer against which no export shipments were sent or no imports were received. • Proceeds received/sent against under- or overvalued invoices of goods exported/imported. • The legal person/arrangement has demonstrated a long period of inacTvity post incorporaTon, followed by a sudden and unexplained increase in financial acTviTes. • The legal person/arrangement is registered at an address that does not match the profile of the enTty. • The legal person/arrangement is registered at an address that cannot be located on internet mapping services (such as Google Maps). • Directors, shareholders, beneficial owners and connected persons demonstrate limited business acumen despite substanTal interests in the legal person/arrangement. • The legal person/arrangement describes themself as a commercial business but cannot be found on the internet or social business network plaqorms (such as LinkedIn, Facebook, X, etc.).

21 • The legal person/arrangement is registered under a name that does not indicate the acTvity of the company. • The legal person/arrangement is registered under a name that indicates that the legal person/arrangement performs acTviTes or services that it does not provide. • The legal person/arrangement is registered under a name that appears to mimic the name of other companies, parTcularly high-profile mulTnaTonal corporaTons. • The legal person/arrangement has an unusually large number of beneficiaries and other controllers without any clear raTonale. • The legal person/arrangement has authorised numerous signatories without sufficient explanaTon or business jusTficaTon. • Directors or controlling shareholder(s) do not appear to have an acTve role in the legal person/arrangement without clear jusTficaTon. • The legal person/arrangement receives large sums of capital funding quickly following incorporaTon/formaTon, which is spent or transferred elsewhere in a short period of Tme without commercial jusTficaTon. • The legal person/arrangement maintains a bank balance of close to zero, despite frequent incoming and outgoing transacTons. • Unexplained use of powers of aorney by the legal person/arrangement. Legal Arrangements • Unexplained use of express trusts, and/or incongruous or unexplained relaTonships between beneficiaries and the selor. • Unexplained or incongruous classes of beneficiaries in a trust. • There is a discrepancy between the supposed wealth of the selor and the object of the selement.