9. Rules on Actions to Combat Money Laundering and Terrorist Financing

9.1. Objective

These AML rules have been adopted in accordance with FATF's 40 Recommendations and 9 Special Recommendations and Act No. 64/2006, on Measures to Prevent Money Laundering and Terrorist Financing, with later amendments, and based on Directive 2005/60/EC of the European Parliament and of the Council. The objective of these rules is to seek to prevent the use of the operations and activities of the Bank, or those of its subsidiaries, for the purpose of money laundering or terrorist financing. In adopting these rules, the Bank seeks to fulfil in all respects the strictest requirements made domestically and internationally of the Bank with regard to money laundering and terrorist financing.

General Scope

These rules set out the Anti-Money Laundering requirements of the Bank and apply to all employees of the Bank including the Board of Directors and senior management.

Risk assessment

These rules can be applied based on risk assessment so that the scope of information gathering and other measures, as implemented towards individual customers, reflects the risk they present of money laundering and terrorist financing. In the event of exercising such permission, special rules on the conduct of the risk assessment shall be established, which shall be approved by the Financial Supervisory Authority in Iceland.

Definitions

For the purposes of these rules the following definitions shall apply:

Money laundering: Money laundering is defined as in paragraph 1 of Article 3 of Act No.
64/2006, on Actions to Combat Money Laundering and Terrorist Financing, and the second paragraph of Article 1 of Directive 2005/60/EC as follows: "The conversion or transfer of property knowing that such property is derived from a criminal activity or from an act of participation in such activity, which is punishable under the Criminal Code or other legislative acts, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such activity to evade the legal consequences of his/her action; the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of property, knowing that such property is derived from a criminal activity or from an act of participation in such punishable activity; the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such activity;
2 participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the punishable actions previously mentioned." Terrorist financing: For the purpose of these rules, terrorist financing is defined as in paragraph 4 of Article 1 of Directive 2005/60/EC and paragraph 2 of Article 3 of Act No. 64/2006, on Actions to Combat Money Laundering and Terrorist Financing. In these acts the concept is defined as follows: "The provision or collection of funds with the intention that they be used, or the knowledge that they are to be used, to carry out an offence punishable under Article 100a of the Criminal Code." Gain: For the purpose of these rules, gain is defined as in paragraph 3 of Article 3 of Act No. 64/2006, on Measures to Prevent Money Laundering and Terrorist Financing, where the concept is defined as follows: "Any type of profit and asset, of any and every sort, including documents intended to ensure the holder access to assets or other rights to which a monetary value can be assigned." Beneficial owner: For the purpose of these rules, beneficial owner is defined as in paragraph 4 of Article 3 of Act No. 64/2006, on Measures to Prevent Money Laundering and Terrorist Financing, where the concept is defined as follows: "The natural person (or persons) who ultimately owns or controls a legal entity through direct or indirect ownership of a holding of more than 25% in the legal entity, controls over 25% of its voting rights or is deemed by other means to exercise control over a legal entity. The provision shall not apply, however, to legal entities registered on a regulated market as defined by the Act No. 110/2007 on Activities of Stock Exchanges; a person (or persons) who are the future beneficiaries of 25% or more of the property of a trust fund or similar legal arrangement, or who control over 25% or more of its property. 
Where the individuals that benefit from such a trust have yet to be determined, the beneficial owner shall be the person or persons in whose main interest the fund was established or operates."

Shell bank: A credit institution or an institution engaged in equivalent activities, incorporated in a jurisdiction in which it has no physical presence, is subject to no actual management or supervision, and is unaffiliated with a regulated financial group, cf. Point 10 of Article 3 of Directive 2005/60/EC.

Politically exposed persons: Natural persons who are or have been entrusted with prominent public functions and their immediate family members, or persons known to be close associates of such persons, cf. subparagraph a) of Article 12 of Act No. 64/2006, on Actions to Combat Money Laundering and Terrorist Financing. Prominent public functions in this connection shall mean senior public administrators and high-ranking military personnel; judges and public prosecutors; influential politicians; and senior management of public corporations.

Measures to ensure customer due diligence (CDD)

Scope

The measures specified in chapter 9.3 shall be applied each time:

a) a business relationship is established with a new customer;
b) when carrying out occasional transactions equivalent to EUR 15,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
c) when carrying out foreign currency transactions equivalent to EUR 1,000 or more, whether the transaction is carried out in a single operation or in several operations which appear to be linked;
d) when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold provided for in these rules;
e) when there are doubts as to the veracity and/or reliability of previously obtained customer identification data.

Measures according to chapter 9.3 shall also apply for all previous customers who have not formerly verified their identity. A customer may not commence business transactions until his/her identity has been verified using the methods and taking into consideration the criteria laid down in chapter 9.3. Furthermore, the Bank must, after establishing a business relationship, conduct ongoing monitoring of customer transactions for the purpose of ensuring that such business relationships are not used for money laundering or terrorist financing.

Anonymous accounts

The Bank may not establish or keep anonymous accounts or portfolios on behalf of customers whose identity has not been verified as provided for in chapter 9.3. If such accounts already exist, the Bank shall make every effort to contact their owners, if known, and instruct them to register as owners of the said accounts.
Should the owners of such accounts fail to comply with such instructions, the business relationship shall be terminated and the option of sending a report to the Money Laundering Reporting Officer (MLRO) of their conduct, as provided for in chapter 9.6.2, considered.

Transactions on a customer's behalf

The Bank is always authorised to hold accounts on behalf of a customer, if the Bank has taken suitable measures to verify the customer's identity, as provided for in chapter 9.3. Should it prove impossible to verify the ownership of such accounts in the above manner, enhanced due diligence, as provided for below, shall be applied. Chapter of these rules shall in no way limit the right of the Bank to conclude forward contracts with known customers, to hold equities for known customers in a nominee account in the company's name or to conduct other dealings as a normal part of its activities.

Transactions with shell banks

The Bank may not enter into or continue a business relationship with a shell bank or with any other financial institution which is known to permit its accounts to be used for transactions by a shell bank.

Customer due diligence, etc.

The following information must be obtained in order to verify a customer's identity:

Icelandic Citizens

Customers must verify their identity by presenting valid personal identification. The customer's a) name, b) Id. No. and c) legal domicile must be recorded, together with information on the customer's residence if this differs from the legal domicile. A passport, driver's licence or personal identification card shall constitute valid personal identification. The personal identification may not have expired.
To remove any doubt, payment cards, whether or not they have a photograph of the cardholder, are not valid personal identification for the above purpose either for individuals or legal entities, resident or non-resident in Iceland. Copies shall be taken of the personal identification presented.

Foreign Nationals

In the case of non-residents, the customer's a) name, b) Id. No. and c) legal domicile must be recorded, together with his/her residence. The above information must be verified by presenting a valid passport issued by the authorities in the countries where the customer is a citizen. If the document does not contain information on the customer's residence, a copy of a utility bill for the address which the customer states as his residence must be obtained. Such a utility bill must demonstrate a link between the customer and the address given as residence. Non-resident individuals intending to rent a safety deposit box, or open an account for deposit or a custody account, must have obtained an Id. No. from Statistics Iceland. A prospective customer should preferably provide a bank reference from a bank in his/her home state.

Domestic legal entities

1) Information on the legal entity

Legal entities shall be required to provide information on their a) name (registered company name), b) Id. No., c) legal domicile and d) activities. The legal entity shall also confirm which persons are authorised to oblige the legal entity. A certificate must be obtained from the appropriate public registry, e.g. Registrar of Limited Companies or other companies registry. An assessment shall be made in each instance as to whether to request a copy of the company's Articles of Association, audited annual financial statements, information on major owners/shareholders, or information on its Board of Directors. If the information is available from the website of the credit information provider Lánstraust ehf., this shall as a rule be considered sufficient.
Information on who is the beneficial owner shall be obtained. In special cases, the possibility of requesting additional confirmation from a competent authority shall be considered.

2) Information on authorised signatories:

a) Persons authorised to sign for legal entities and others that have the authority to represent the legal entity, including CEO and board members, must verify their identity by presenting personal identification as provided for in chapters or above.
b) The persons authorised to sign for a legal entity must provide proof of such authorisation. A certified copy of the rules which apply concerning a legal entity's signing authorisation shall be required. Specimen signatures of authorised signatories must be obtained.
c) The same rules shall apply to authorised signatories as to others intending to represent a legal entity (e.g. by virtue of a power of attorney or list of authorised signatures) in business transactions with the Bank.

Foreign legal entities

1) Information on the legal entity

Legal entities shall be required to provide information on their a) name (registered company name), b) Id. No., c) legal domicile and d) activities. The legal entity shall also confirm which persons are authorised to oblige the legal entity.
A certificate must be obtained from a Registrar of Companies in the state concerned attesting to the registration of the legal entity (e.g. Certificate of Incorporation). The certificate must be as current as possible and never more than three months old. If the legal form of the entity is such that the aforementioned documentation does not exist, similar documentation may be considered sufficient. The legal entity must provide information as to what public authority can attest the submitted documents. Furthermore, information must be obtained, such as the identity of the legal entity's managers (Board of Directors, CEOs and managing directors). Furthermore, a copy of its articles of association must be obtained. Information on the beneficial owner, pursuant to chapter 9.3.6, shall be obtained. Additional documentation on the legal entity in question shall be obtained if deemed necessary. Furthermore, the requirement should be set that the initial payment be made in the name of the legal entity from an account which it has established in an operating credit or a financial institution. Such additional information could include annual financial statements, a list of names and signatures of persons authorised to oblige the legal entity, its Articles of Association, a confirmation from its bank of business or other documentation deemed advisable to request. A prospective customer should preferably provide a bank reference from a bank in his/her home state.

2) Information on authorised signatories

a) Persons authorised to sign for legal entities and others that have the authority to represent the legal entity, including CEOs and board members, must verify their identity by presenting a valid passport as provided for in chapters or above.
b) The persons authorised to sign for a legal entity must provide proof of such authorisation. A certified copy of the rules which apply concerning a legal entity's signing authorisation shall be required.
Specimen signatures of authorised signatories must be obtained.
c) The same rules shall apply to authorised signatories as to others intending to represent a legal entity (e.g. by virtue of a power of attorney or list of authorised signatures) in business transactions with the Bank.

Online account opening

It shall be ensured that all the requirements set out in these rules are fulfilled when a customer opens an account or makes other business transactions through the internet. Special attention should be paid to the provisions of the rules on enhanced due diligence in chapter (f) when establishing a business relationship when the client is not present in person. The MLRO and risk management are responsible for the establishment of special rules of procedure on online account opening which satisfy the provisions of these rules and reflect technology and methods available at any given time. The MLRO has the authorisation to assess what measures shall be implemented in order to fulfil the requirements of these rules when a business relationship is established through the internet. When making these assessments the MLRO shall always seek the opinion of the CEO.

Further information which must always be obtained

a) Information as to whether transactions are carried out on behalf of a third party

A party seeking to establish a business relationship shall always be required to state whether its proposed transactions with the Bank will be carried out on behalf of a third party (the beneficial owner, see definition in chapter 9.2.3), whether this is a natural person or legal entity. If this is the case, or there is suspicion that this is the case, the customer shall be
required to provide information as to who this party is; in such a situation the provisions of chapter 9.3 shall apply concerning the information to be obtained concerning that party.

b) Information on the nature and purpose of the proposed business relationship

A party seeking to establish a business relationship shall, as a rule, be asked what the purpose of such a relationship is, as well as the nature of the transactions for which the Bank is to serve as an intermediary. Furthermore, a party seeking to establish a business relationship shall be asked to state the origin of the financial assets which will be handled by the Bank in the proposed transactions. This information shall be used as a basis for subsequently assessing whether or not a customer's transactions are normal and proper.

c) Is the customer a politically exposed person?

An individual or authorised representative of a legal entity domiciled abroad, seeking to establish a business relationship, shall always be asked whether he/she is a politically exposed person; furthermore, the employees of the Bank involved must check the databases or information providers available to them in order to investigate whether this is the case. Should the investigation reveal that the party is a politically exposed person, the instructions laid down in chapter shall be followed.

Collection of information postponed temporarily

As a rule, a customer's identity shall be verified in accordance with the provisions of chapter 9.3 prior to establishing a contractual relationship. In exceptional cases, however, and after obtaining the authorisation of the MLRO, this may be postponed until after establishing a contractual relationship, in instances where there is deemed to be little risk of money laundering or terrorist financing, in order not to interfere with the normal course of transactions. In such instances, the customer must verify his/her identity as soon as practicable.
A bank account may be opened for a customer before the customer's identity is verified provided that measures are taken to ensure that no transactions are carried out until his/her identity has been verified in accordance with these rules.

Simplified customer due diligence

The provisions of chapter to above shall not apply to the following parties:

- Credit or financial institutions licensed as such in the European Economic Area and subject to the rules of the 3rd EU Money Laundering Directive, apart from the fact that the provisions of chapter shall always be applied to such a party. The same applies to such institutions licensed outside of the EEA provided that they are subject to requirements to combat money laundering equivalent to or more stringent than stipulated in Act no. 64/2006 on Actions to Combat Money Laundering and Terrorist Financing.
- Legal entities registered on a regulated market as defined by the Act no. 110/2007 on Activities of Stock Exchanges.
- Icelandic government authorities.

Documentation must be obtained to prove that this exemption should apply. Information on the institution's name, ID number and address shall at all times be obtained and stored. When it is confirmed that the first payment into a new account is transferred from a bank account in the customer's name into another licensed financial institution within the EEA the Bank may also conduct simplified customer due diligence when there is no suspicion of money laundering or other illegal activities. Documentation shall be obtained to prove that this exemption should apply.

Third party information

The Bank is not required to conduct customer due diligence pursuant to provisions of chapters to if corresponding due diligence data is revealed through the agency of a financial institution which has been granted an operating licence in Iceland or in the
European Economic Area. The same applies to information revealed through the agency of regulated credit or financial institutions from countries outside the European Economic Area which are subject to similar requirements as those stipulated in Act no 64/2006. The final responsibility, as regards customer due diligence, rests with the recipient of the information. A third party providing information pursuant to this chapter shall, at the request of the recipient of the information, promptly make the information available or forward a copy of the appropriate personal data and other appropriate documents proving the identity of the customer or beneficial owner.

Actions in cases where a customer's identification cannot be confirmed

If it is not possible to confirm the identification of a party requesting a transaction, as provided for in chapter 9.3, due to the fact that the party cannot or will not provide the information requested, the employee handling the transaction must report this as provided for in chapter . Under such circumstances the Bank may not open an account nor carry out the transaction requested, while taking care to ensure that the customer's request is neither refused nor that the customer is made aware by other means that his/her behaviour is being investigated due to suspicions of money laundering or terrorist financing. If a contractual relationship has already been established, it must be ended immediately.

Special circumstances requiring enhanced customer due diligence

Carrying out transactions requiring enhanced customer due diligence

Enhanced customer due diligence shall be applied:

a) when carrying out a transaction, or a series of connected transactions, amounting to over EUR 15,000 or the equivalent in another currency;
b) when carrying out transactions involving bearer certificates (bonds, bills or shares not registered in a specific name) or cash;
c) in the case of transfers.
In such instances information should be obtained and stored on the remitter, his/her address, particulars of the amount and currency of the transfer and the accounts used in the transfer. Care shall also be taken to ensure that this information accompanies the transfer and related communications all along the chain of payment, to the extent that the Bank is to handle its execution. The Bank must adopt special operating procedures implementing precautionary measures when transferring assets;
d) if there is suspicion that the proposed transaction is related to money laundering or terrorist financing;
e) if the Bank doubts the veracity or adequacy of previously obtained customer identification data or information on the proposed transaction;
f) when a transaction is requested without the physical presence of the customer (e.g. online banking services, telephone banking services, electronic transfers, etc.). If the Bank deems it necessary, the customer must provide a copy of valid personal identification certified by a notary public or similar officially approved party in the country in question, such as an attorney; the certified document itself shall be delivered to the Bank. Furthermore, the measures listed below shall be applied as appropriate;
g) when the transactions requested are large scale, i.e. involving very large amounts, or are unusually complex;
h) in correspondent banking relationships. In this case the enhanced due diligence discussed in chapter must be applied;
i) when the party requesting a transaction is a politically exposed person. In this case the enhanced due diligence discussed in chapter must be applied;
j) when the party requesting a transaction is resident in or has activities in a state which is known not to apply or to apply insufficiently international guidelines and rules on measures to prevent money laundering and terrorist financing. Obtaining such information may, for example, involve searching international databases or using the computer systems of the Bank for this purpose;
k) when the party requesting a transaction, including a financial institution, is known not to comply with international guidelines and rules on measures to prevent money laundering and terrorist financing. Obtaining such information may, for example, involve searching international databases or using the computer systems of the Bank for this purpose;
l) in the case of products or transactions where anonymity is encouraged or the transactions requested are anonymous.

Enhanced customer due diligence in the above context includes demanding additional documents to verify a customer's identity, taking specific actions to verify the authenticity of documents, requiring that the first payment be made in the name of the legal entity and through an account opened at an approved credit institution, requiring a customer to conclude a written contract with a financial institution for the service or any other measure deemed appropriate.

In such instances as are referred to in subparagraphs j) and k) above, all of the above precautionary measures shall be applied as appropriate and employees must report without delay all unusual aspects concerning transactions by such parties. Furthermore, the employees of the Bank shall point out to customers the risks related to money laundering and terrorist financing should they become aware of customers doing business with the parties referred to in subparagraphs j) and k) above.
The Bank shall endeavour to reduce its business relationships with the parties referred to in subparagraphs j) and k) above.

Measures where politically exposed persons are involved

Should a non-resident seeking to establish a business relationship prove to be a politically exposed person (see subparagraph i) of chapter ) an employee of the Bank may not establish a business relationship with such a party until the MLRO has given approval for the transaction. The following conditions must also be met:

a) Appropriate possible measures must be taken to verify the origin of funds used in the business relationship.
b) Conduct regular monitoring of the business relationship.

If the status of the client changes after the business relationship has commenced so that he is considered a politically exposed person, it is necessary to obtain permission from the MLRO officer before the business relationship is continued.

Measures concerning correspondent banking

When establishing correspondent banking relationships, or similar business connections, with foreign financial institutions outside the European Economic Area, the Bank must obtain the following information concerning the foreign institution in addition to the information required under chapter 9.3:

a) information on the nature of its operations and activities;
b) information on the institution's reputation, as well as on the qualifications of its management, for instance, as to whether the company has been the object of an investigation concerning money laundering, terrorist financing or other investigation by a public authority;
c) whether and to what extent the institution has anti-money laundering and anti-terrorist financing controls;
d) information as to what measures the institution has taken to verify the identity of parties with direct access to the institution's payable-through accounts, i.e.
accounts owned by the financial institution which are used directly by third parties to carry out transactions on own account. If such access is provided to third parties, relevant customer due diligence, as provided for in chapter 9.3, shall be applied concerning such parties.

Employees of the Bank may not carry out transactions of the type described in this chapter until the MLRO has given approval for the transaction. Such approval shall not be given until satisfactory information on the above matters is available and it has been ascertained that the measures taken by the counterparty to prevent money laundering satisfy the requirements generally made of the Bank. If these measures are deemed unsatisfactory, the transactions shall be refused. Once such approval has been obtained, but before commencing a transaction, the obligations of each of the contracting parties under the contractual relationship concerning measures to prevent money laundering and terrorist financing must be established in writing.

Measures concerning US parties investing in US securities

US parties investing in US securities must, in addition to providing identification in accordance with the above, fill out the documents required by US authorities. These shall include the W-9 form and the specific mandate requested by US authorities.

Ongoing monitoring during the contractual relationship

While a customer maintains a contractual relationship with the Bank, his/her transactions shall be subject to regular monitoring for the purpose of examining whether such transactions are in accordance with the information provided on the customer and his/her activities when the business relationship was established. Care shall be taken to ensure that the information held on customers is always accurate and up to date.
The customer's identity must be verified once more, as provided for in the rules laid down in chapter 9.3, under the following circumstances:

a) where the customer requests that a transaction be carried out which is considered unusual or very substantial in comparison with the customer's business history;
b) when major changes occur to the information available on the customer;
c) when major changes occur as to how the customer's accounts are used or to the customer's business history in other respects;
d) if the Bank becomes aware that documentation on the customer is insufficient;
e) if the Bank becomes aware that the customer is regarded as a politically exposed person, cf. chapter .

Under such circumstances all transactions with the customer must be suspended until the MLRO has agreed that transactions with the customer may commence once more. In this regard, the provisions of chapter shall be followed as applicable.

Furthermore, the Bank must, during its contractual relationship with the customer, pay special attention to any complex or unusually large transactions by the customer, as well as any unusual transaction patterns, which have no obvious financial or legitimate purpose. In all instances, the circumstances, background and purpose of such transactions should be investigated specifically, to the extent practicable, and the results of such an investigation summarised in a written report which must be preserved for five years, together with the documentation concerning the transaction, if the Bank sees no cause for action following the investigation. If the Bank does see reason to take action following such an investigation, it shall follow the provisions of chapter .

Preservation of information

The Bank shall:

1) Preserve copies of personal identification and official documents, together with other particulars on the customer, for at least five years from the time occasional
transactions or a permanent business relationship concludes. The data shall be in a form accessible to the authorities if requested.
2) Care shall be taken to have sufficient data to enable the authorities to gain an understanding of how individual transactions were carried out. It should be borne in mind that the data could conceivably be required as evidence in a criminal prosecution. Therefore the preserved data shall include at least:
a) information on the names of customers and their addresses, as well as the names of the customer's employees involved in the transaction in the case of a legal entity;
b) information on the nature of the transaction;
c) information on the amounts of the transactions and the currencies concerned;
d) information on what accounts were used for the transactions.

Obligation to report suspicious behaviour of a customer and measures in this connection

Suspension of transactions

If the Bank suspects or if it has legitimate reason to expect that assets which a customer is intending to transmit through the Bank are the proceeds of illegal actions or are connected with terrorist financing, cf. chapter 9.2, it must ensure that:

The transaction requested is not carried out, except in situations where the transaction is of such nature that it may not be postponed, the Bank is required to carry out the transaction or the suspension of a transaction could impede or encumber investigation by the authorities. If such is the case, however, the utmost care shall be taken to ensure that all information on the transaction is preserved and reported to the authorities as provided for in this chapter without delay. Care shall be taken not to refuse or by other means alert the customer wishing to carry out the transaction, cf. chapter .

Reporting to the MLRO

All suspicious transactions as provided for in chapter 9.6.1, attempts to conclude such transactions or suspicious behaviour by customers, cf.
chapter , shall be reported to the MLRO of the Bank without delay. The MLRO shall immediately, in consultation with the Bank's legal counsel, assess whether there are grounds to report the suspicious transaction or attempt to conclude a transaction to the National Commissioner of Police or other competent authority. The MLRO shall be responsible for having all the circumstances of such transactions carefully examined and the results of this examination reported to the authorities, concurrent to the report of the transaction. On the other hand, if no grounds are seen to make such a report, the outcome of the investigation by the MLRO shall be preserved as provided for in chapter

Reporting to competent authorities

If the MLRO is of the opinion, following a thorough investigation of the circumstances of the transaction or suspicious behaviour by a customer, that there are justified suspicions or reasonable grounds to suspect the transaction is connected to a violation of the type described in chapter 9.2.3, he shall immediately report this to the National Commissioner of Police or another competent authority. Such a report must at least:
1) be made in writing;
2) contain a detailed description of the customer's suspicious behaviour;
3) include copies of all the documentation and information connected with the MLRO's assessment as to whether the transaction is connected with money laundering or terrorist financing;
4) state the time limit which the Bank has to carry out the transaction;
5) contain any other data which may be necessary.

A report to this effect shall generally be delivered before the suspicious transaction is carried out; failing this, in those instances referred to in subparagraph a) of chapter 9.6.1, immediately upon the conclusion of the transaction. It is reiterated that the Bank is responsible for sending the National Commissioner of Police or other competent authority a report in accordance with the above, even if the transaction has not been carried out and/or no entry has been made, or where only an attempted transaction was involved. Once such a report has been sent, a decision on carrying out the customer's transaction shall be taken in consultation with the National Commissioner of Police or the competent authority which handles the report. Care shall always be taken to ensure that the National Commissioner of Police or the competent authority which receives the report provides confirmation of receipt

Confidentiality

Management, employees and others working on behalf of the Bank must ensure that neither the customer nor other unauthorised party receives knowledge that a report as referred to in chapter has been sent to the National Commissioner of Police or another competent authority.
Furthermore, the same parties may not inform a customer or indicate to the customer by any means that his/her transaction is the object of an investigation following a report from another party, should they become aware of such an investigation

Responsibilities of the Bank towards its employees in connection with obligations pursuant to chapter 9.6

The Bank must ensure that information as to which employee reported a customer's suspicious transaction is kept secret and the employee's name shall not be disclosed, for instance, in reports to the National Commissioner of Police or another competent authority unless there is urgent reason for so doing. In such case, the Bank must also take necessary measures to protect those employees involved in the report on the customer's transaction against threats or hostile actions by customers following such reports. The Bank's MLRO shall ensure that these rules are followed

Supervision of the enforcement of the Bank's money laundering policy

The Bank must ensure that the substance of these rules always accords with currently valid rules and administrative provisions to prevent money laundering and terrorist financing. The Bank must always ensure that the procedures and working rules in its individual divisions reflect the substance of these rules to ensure that the guidelines and principles laid down here are implemented in all respects

Obligations in connection with technological developments

The Bank must, as appropriate:
1) inter alia in co-operation with the authorities in those states where the Bank or its subsidiaries operate, endeavour to discern what the impact of new technologies and business practices may be on customers' possibilities of laundering money or financing terrorist activities;
2) take suitable measures to prevent such technologies or business practices from being used in transactions with the Bank or its subsidiaries for the purpose of money laundering or terrorist financing;
3) follow a specific policy and practices to respond to risk factors connected with non-face-to-face transactions

Money laundering reporting officer (MLRO) etc.

Ultimate authority in the Bank's defences against money laundering and terrorist financing lies with its Board of Directors, while the implementation of the Board's policy and the enforcement of both the policy and relevant legal provisions rest with the MLRO and the risk management department. The MLRO shall have direct access to the Board and senior management of the Bank concerning the tasks within the scope of these rules. The Bank's deputy Compliance Officer shall act as a deputy of the MLRO

Employee training

The MLRO shall ensure that all employees of the Bank are informed of these rules and the obligations they must fulfil pursuant to the rules, and that they are offered satisfactory training in the actions to prevent money laundering and terrorist financing currently followed by the Bank. Furthermore, it must be ensured that such knowledge and training is maintained and reflects the technologies and methods known to be currently used in money laundering. The managing directors of the Bank's individual divisions shall ensure that its employees attend the information meetings and courses on preventing money laundering and terrorist financing offered with the above intention. In training employees, regard shall be had for the following:

Frontline employees in direct contact with customers

Special training shall be arranged for employees in the front line twice each year.
These courses shall cover the Acts and rules on measures to prevent money laundering and terrorist financing, what documentation needs to be obtained when establishing a business relationship, ongoing monitoring of customers' transactions, where reports of suspicion of money laundering should be sent, how relations with customers shall be conducted in the event of such reports and what the obligations of employees are under these rules and money laundering legislation. These employees shall receive special training to assist them in verifying what transactions could be connected with money laundering

Other employees

Other employees of the Bank shall attend a course once a year where the Bank's rules in this regard are reviewed, together with current legislation on preventing money laundering and terrorist financing

New employees

Upon commencing employment, a new employee shall be provided with the Bank's rules on measures against money laundering and terrorist financing. Every effort shall be made to have new employees attend the first information session on money laundering held after the commencement of their employment

Supervision of the efficacy of measures to prevent money laundering and terrorist financing

The internal audit department, in co-operation with the MLRO, shall see to it that regular tests are made by an independent outside party of the efficacy of the Bank's measures to prevent money laundering and terrorist financing. These measures shall be under constant review in the light of the outcome of such tests. For the avoidance of doubt, the MLRO shall also be subject to observation by the internal audit department.
Security in hiring employees

Hiring procedures must, for instance, include authorisation to investigate an applicant's education and work background, his/her financial position, record of criminal offences and other factors which could affect whether prospective employees are in any situation which increases the risk of their becoming the accomplice of parties engaged in laundering money or financing terrorist activities

Penalties

These AML rules are applicable to all employees of the Bank. Any violation of the rules may result in a caution and/or dismissal. The MLRO shall report any violation to the CEO or the Board of Directors, as necessary.