Standard 2.4. Customer identification and customer due diligence; Prevention of money laundering, terrorism financing and market abuse

Standard 2.4 Customer identification and customer due diligence; Prevention of money laundering, terrorism financing and market abuse Regulations and guidelines

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 2 (2) TABLE OF CONTENTS 1 Application 4 2 Objectives and background 7 3 International framework 9 4 Legal basis 11 4.1 EU legislation 11 4.2 Finnish legislation 12 4.3 FIN-FSA regulatory policy 12 5 Customer identification and customer due diligence procedures as well as prevention of money laundering and terrorism financing 14 5.1 General principles 14 5.1.1 Responsibilities and appointment of a contact person 15 5.1.2 Internal instructions and personnel training 15 5.2 Customer identification 16 5.2.1 General principles 16 5.2.2 Method of identification 17 5.2.3 Identification documents 19 5.3 Key principles of customer due diligence 20 5.4 Fulfilment of the due diligence requirements as per the Anti-Money Laundering Act 21 5.5 Prevention of terrorism financing and international financial sanctions21

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 3 (3) 5.6 Reporting requirement as per the Anti-Money Laundering Act 22 5.7 Documentation and storage of identification data 24 6 Requirement to notify suspicious securities transactions and other suspect transactions 26 7 Reporting to the FIN-FSA 28 8 Definitions 29 9 Further information 31

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 4 (4) 1 APPLICATION (1) Sections 1-5 of this standard shall be applied to the following entities referred to in section 5 of the Act on the Financial Supervision Authority (587/2003). credit institutions investment firms fund management companies holding companies of credit institutions' and investment firms' consolidation groups Finnish Central Securities Depository book entry registrar and registrar's agent parent companies of financial and insurance conglomerates, whose primary business is financial services central bodies as referred to in the Act on Cooperative Banks and Other Cooperative Credit Institutions entities pursuing limited credit institution activities pawnshops Finnish branches of foreign credit or financial institutions Finnish branches of foreign investment firms and fund management companies (2) Section 6 of this standard on notification obligation concerning suspicious securities transactions and other suspect transactions shall be applied to the following securities dealers as referred to in chapter 1 section 4 of the Securities Markets Act (495/1989) credit institutions providing investment services investment firms fund management companies providing investment services (portfolio management) Finnish branches of foreign investment firms Finnish branches of foreign credit or financial institutions providing investment services

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 5 (5) Finnish branches of foreign fund management companies providing investment services (portfolio management) (3) Supervision of Finnish branches of foreign credit or financial institutions and of foreign investment firms and fund management companies is primarily the responsibility of their home country authority. They must nevertheless comply with the rules and regulations of the host country (Finland) in respect of customer identification, customer due diligence (CDD) procedures, the prevention of money laundering and terrorism financing and reporting obligations concerning both suspected money laundering cases and suspicious securities transactions. (4) Providers of financial services providing their services from abroad without a place of business in Finland are not subject to the reporting obligations concerning money laundering nor to those concerning suspicious securities transactions as per Finnish legislation; instead they must abide by the rules and regulations of their home country. In problem situations, remote brokers may nevertheless contact the National Bureau of Investigation's Money Laundering Clearing House or the Finnish Financial Supervision Authority. (5) Entities within the same consolidation group shall comply with uniform operating practices. The foreign branch of a supervised entity shall comply with local rules and regulations. If, however, local rules and regulations are not in line with Community legislation or the recommendations issued by the Financial Action Task Force on Money Laundering (FATF), the supervised entity shall ensure that the foreign branch adheres to the principles of this FIN-FSA standard as the minimum. Parent companies of financial and insurance conglomerates primarily engaged in financial services shall ensure that all companies within the conglomerate comply with the obligations laid down in this FIN-FSA standard in a uniform manner. (6) Supervised entities differ from each other in terms of the scope of their business, their organisation, customer base as well as financial services and products. As a consequence, the obligations and risk management procedures related to the customer due diligence, the prevention of money laundering and terrorism financing can be implemented by adopting various practical solutions. (7) Applicable FIN-FSA standards include standard 4.1 on the establishment and maintenance of internal control and risk management, standard 4.4b on the management of operational risk [and standard 1.3 on corporate governance (in preparation)]. (8) A separate FIN-FSA reporting standard RA2.1 has been issued on the content and submission procedures governing the notification of suspicious

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 6 (6) securities transactions and other transactions. (9) Here the general expression supervised entity is used to refer to all entities under the scope of sections 1-5. Section 6 is only applied to securities dealers, which are referred to with the general expression parties subject to the obligation to notify throughout this standard.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 7 (7) 2 OBJECTIVES AND BACKGROUND (1) The obligations concerning customer identification, customer due diligence (CDD) procedures and the prevention of criminal abuse of the financial system constitute a key area of international regulation and supervision. International standards aim at harmonising legislation and market practices in order to expose and prevent criminal abuse of the financial system, such as money laundering and terrorism financing. (2) The aim is to enhance confidence in the securities markets by improving regulation on market abuse and harmonising supervisory procedures. In line with regulations on market abuse and cooperation between securities markets supervisory authorities, this standard and the related reporting standard give instructions on notifying the FIN-FSA of suspicious securities transactions or other suspect transactions. (3) In this standard the FIN-FSA's has compiled key obligations concerning the prevention of money laundering and terrorism financing. The FIN-FSA works in cooperation with other domestic and international authorities and keeps abreast of international developments. The FIN-FSA is under the obligation to notify the National Bureau of Investigation's Money Laundering Clearing House of any suspicious characteristics it may observe in the operations of its supervised entities and the financial markets. The FIN-FSA considers it important that the supervised entities develop risk management systems and procedures intended for customer relationship management. The FIN-FSA also values endeavours pursued by self-regulatory associations of the supervised entities aimed at enhancing uniform procedures among members. (4) The purpose of this standard is to promote prudential and harmonious procedures in the financial markets, good market practice and trust in service providers' operations. A prerequisite for reliable financial markets is that domestic and international service providers vigilantly comply with all relevant

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 8 (8) customer identification and customer due diligence obligations. Good customer due diligence practices are in line with good market practices and facilitate detection and prevention of malpractice. Supervised entities are to be aware of the risks associated with counterparties and customer relations and to adapt their operating procedures and risk management systems accordingly to reflect the special characteristics of their customers. Supervised entities must follow regulatory and technical advances and adapt their operating procedures accordingly.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 9 (9) 3 INTERNATIONAL FRAMEWORK Sections 1-5 (1) The principles related to customer identification and customer due diligence and to the prevention of money laundering and terrorism financing are based on international standards and recommendations. The principles are based on the premise that providers of financial services identify and know their customers. Good customer due diligence practices facilitate the detection of unusual or suspicious transactions. Financial services providers must notify authorities of any such findings. (2) The following recommendations include key principles on the basis of which national regulation and supervision are constructed and by which financial services providers are expected to abide: Financial Action Task Force on Money Laundering (FATF): 40 recommendations (2003) Financial Action Task Force on Money Laundering (FATF): 9 special recommendations for anti-terrorism financing (2001) Basel Committee on Banking Supervision (BCBS): Customer due diligence for banks (2001) Basel Committee on Banking Supervision (BCBS): Consolidated Know-Your-Customer Risk Management (2003) International Organization of Securities Commissions (IOSCO) Principles on Client Identification and Beneficial Ownership for the Securities Industry (2004) Basel Committee on Banking Supervision (1997): Core Principles for Effective Banking Supervision IOSCO: Objectives and Principles of Securities Regulation (2003). (3) Background material has also included the following: Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 10 (10) system for the purpose of money laundering and terrorist financing 1 IOSCO: Anti-money Laundering Guidelines for Collective Investment Schemes 2005. Section 6 (4) A guideline of the Committee of European Securities Regulators on the application of the directive on the prevention of market abuse has been taken into account in the preparation of this standard. The basic premise of the guideline is that a uniform notification procedure improves the exposure of malpractice: The Committee of European Securities Regulators (CESR): Market Abuse Directive, Level 3. First set of CESR guidance and information on the common operation of the Directive Cesr/04-505b. 1 http://europa.eu.int/eur-lex/lex/johtml.do?uri=oj:l:2005:309:som:en:html

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 11 (11) 4 LEGAL BASIS 4.1 EU legislation Sections 1-5 (1) National legislation on customer identification and customer due diligence and on the prevention of money laundering and terrorism financing is based on the following directives. Council Directive 91/308/EEC on the prevention of the use of the financial system for the purpose of money laundering (31991L0308) Directive 2001/97/EC of the European Parliament and of the Council amending Council Directive 91/308/EEC on the prevention of the use of the financial system for the purpose of money laundering. Section 6 (2) National legislation on notifying suspicious securities transactions and other suspect transactions is based on the following directives: Directive 2003/6/EC of the European Parliament and of the Council on insider dealing and market manipulation (market abuse directive). Commission directive 2004/72/EC implementing Directive 2003/6/EC of the European Parliament and of the Council as regards accepted market practices, the definition of inside information in relation to derivatives on commodities, the drawing up of lists of insiders, the notification of managers' transactions and the notification of suspicious transactions (articles 7-11).

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 12 (12) 4.2 Finnish legislation (3) Essential legislation related to sections 1-5 is as follows: Act on the prevention and clearing of money laundering (68/1998). Ministry of Interior Decree on the prevention and clearing of money laundering (890/2003). Ministry of Finance regulation 659/2003, section 15, on the reports to be appended to the authorisation application of a credit institution (not available in English) Ministry of Finance regulation 658/2003, section 11, on the reports to be appended to the authorisation application of an investment firm (not available in English) Ministry of Finance regulation 234/2004, section 11, on the reports to be appended to the authorisation application of a fund management company and custodian (not available in English) Act 699/2004, section 16; subsection 3, on the supervision of financial and insurance conglomerates. (4) Essential legislation related to section 6 is as follows: Sections 5 and 10 of the Securities Markets Act (495/1989) and section 51 of the Finnish Penal Code (1889/39). 4.3 FIN-FSA regulatory policy Sections 1-5 (5) The FSA ruling on risk management related to customer identification and customer due diligence and on the prevention of money laundering and terrorism financing is based on the following provisions: sections 68 and 95 of the Credit Institutions Act (1607/1993); section 29, subsection 3, and section 49 of the Investment Firms Act (579/1996) section 30, subsection 3, and section 144 of the Mutual Funds Act (48/1999) section 24 of the Act on Foreign Credit and Financial Institutions in Finland (1608/1993) section 16 of the Act on the right of foreign investment firms to provide investment services in Finland (580/1996) section 29 b of the Act on the Book Entry System (826/1991)

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 13 (13) Section 6 (6) FIN-FSA regulations on the notification of suspicious securities transactions and other suspect transactions is based on the following provisions: section 4 subsection 5 b and section 10 subsections 1, 1 a and 1 b of the Securities Markets Act (495/1989) section 15 subsection 2 of the Act on the Financial Supervision Authority (587/2003)

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 14 (14) 5 CUSTOMER IDENTIFICATION AND CUSTOMER DUE DILIGENCE PROCEDURES AS WELL AS PREVENTION OF MONEY LAUNDERING AND TERRORISM FINANCING 5.1 General principles 2 (1) Careful customer identification and customer due diligence procedures should be part of supervised entities' daily operations, not merely part of the prevention of money laundering and terrorism financing. (2) Customer identification and customer due diligence refer to procedures employed by supervised entities to assure themselves of the customer's true identity and of the fact that they know the customer's activities and background to such an extent as required by the customer relationship. (3) In practice, customer identification and customer due diligence procedures vary according to the nature and scope of the operations of the supervised entity or customer, the type of services offered and the risks involved in the customer relationship. For example, starting a customer relationship which involves particular risks in respect of the functioning of the financial markets or operations of the supervised entities requires more thorough procedures and a more extensive examination and monitoring of the customer's activities and background. Supervised entities generally have the possibility to choose their customers. For example, if a particular customer does not fit in with the 2 See standard 4.4b, section 6.8., on operational risk.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 15 (15) business strategy of the supervised entity, the supervised entity does not have to establish a customer relationship nor offer services to such a customer. However, legislation defines certain basic banking services that supervised entities cannot refuse to provide. (4) Supervised entities shall comply with such procedures and internal control measures that allow them to prove afterwards how the customer was identified, how they know the customer and how they have complied with due diligence and reporting requirements. 5.1.1 Responsibilities and appointment of a contact person 3 (5) Adherence to the obligations set out in the standard reflects the level of corporate governance and internal controls of the supervised entity. In legal cases, when evaluating compliance with the due diligence principle of the Anti-Money Laundering Act, it is considered whether the supervised entity has established appropriate risk management and internal control procedures. This includes, among other things, that the organisation structure and division of responsibilities in the supervised entity are clear, procedures have been agreed on and personnel is being instructed and trained. (6) The supervised entity s board of directors is responsible for the establishment and maintenance of internal control and risk management. Supervised entities must appoint a contact person responsible for money laundering/terrorism financing matters. Information concerning the supervised entity and the contact person must be submitted to the National Bureau of Investigation's Money Laundering Clearing House. The position and duties of the contact person may vary according to the organisational structure of the supervised entity. The contact person is responsible for liaising with authorities in matters relating to the prevention of money laundering and terrorism financing and coordinates the drawing up of internal instructions, personnel training and the notification procedure. The contact person needs to be in such a position that he/she has the authority to act on practical matters relating to the prevention of money laundering that require immediate action, such as reporting of suspicious transactions or responding to enquiries from authorities. 5.1.2 Internal instructions and personnel training 4 (7) Regulations issued by authorities are primarily on a general level so it is necessary for supervised entities to draw up their own, more detailed instructions applicable to their operations. Drawing up internal guidelines and informing personnel of them is part of the fulfilment of the due diligence principle of the Anti-Money Laundering Act. 3 See standard 4.4b, section 6.8., on operational risk. 4 See standard 4.4b, section 6.8, on operational risk.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 16 (16) (8) Supervised entities' internal guidelines need to contain instructions about their customer identification and customer due diligence procedures and about their fulfilment of the reporting obligations relating to the prevention of money laundering,. Internal guidelines need to cover different distribution channels and products, outsourced services as well as agent and subcontractor relationships. The obligations must also be taken into account in product and system development and when entering new markets. (9) The fulfilment of obligations relating to customer identification and customer due diligence needs to be included in personnel training programmes. Regular, systematic training shall be arranged at all levels of the organisation and particularly for such staff groups that are involved in customer relations, product development as well as depository, payment and settlement systems. 5.2 Customer identification 5.2.1 General principles (10) Supervised entities are responsible for ensuring that their customers are reliable identified. Customers must be identified by the supervised entity or by an agent or other third party. (11) When using an agent or otherwise outsourcing their functions, supervised entities must ensure that the agent or the party to whom functions have been outsourced complies with the rules on customer identification and customer due diligence that have been issued by authorities and by the supervised entity. The procedures to be employed and access by the supervised entity to the relevant identification documents must be agreed on in the contract between the agent and the supervised entity. The FIN-FSA retains its right of access to information and supervision. (12) Customers must be identified at the beginning of the customer relationship, before any business transactions are conducted. In exceptional cases, customer identity can be established afterwards, yet before the customer has an opportunity to use the assets related to the business. (13) When establishing a regular customer relationship, the customer must always be identified.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 17 (17) Recommendation (14) The identity of a occasional customer must be established when the total value of a single transaction or several related transactions exceeds EUR 15,000. Supervised entities can lower this limit themselves, but they cannot increase it. (15) When there is suspicion of money laundering, terrorism financing or other malpractice, customers must always be identified irrespective of the size of the transaction. (16) A person acting on behalf of a legal person or natural person must be identified and it must also be ascertained that they are authorised to carry out legal actions on behalf of a natural or legal person. If attempts are made to conceal the true identity of a customer or beneficiary, persons who stand to gain from the assignment or transaction or who can exercise real control over the customer must also be identified (beneficial owner). (17) In the event that the guardian of interest of a person lacking legal capacity conducts business or carries out a transaction on behalf of the person lacking legal capacity, the guardian of interest can be treated as the customer and the person lacking legal capacity does not need to be identified. (18) An exemption has been issued on the duty to identify. The exemption refers to cases where the customer has been authorised as a credit institution, financial institution, investment firm, mutual fund management or life insurance company in a country belonging to the European Economic Area (EEA). The same applies to a company originally from a non-eea country but whose branch office has been authorised to operate in an EEA country. Supervised entities must ensure, however, that the party they are dealing with falls into either of the above-mentioned categories and that it is subject to official supervision. (19) Supervised entities must refuse to establish a customer relationship or carry out a transaction if a customer cannot be identified. 5.2.2 Method of identification (20) Establishment of identity must be conducted so that the identification of a customer is reliably established. It requires verification and documentation of the customer's identity. When establishing a customer relationship, establishment of identity must essentially be based on an official ID document or a certificate, issued by authorities, which fulfils the criteria of an advanced electronic signature. 5 During the customer relationship, identification can also be based on a secure and authentic electronic user codes and passwords. 5 Act on Electronic Signatures (14/2003)

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 18 (18) Recommendation (21) Establishment of identity must be performed in meeting the customer face-to-face or it must be based on a certificate that fulfils the criteria of an electronic signature, at least when a customer opens the first bank account or when an Internet banking agreement is signed and the customer receives their first electronic user codes and passwords which enable them to enter into agreements with other service providers. (22) The following lists examples of identification methods. Reliable establishment of identity may require a combination of several methods and additional controls especially when a customer relationship is established without meeting the customer personally or when a customer is based in another country. Supervised entities (own personnel) establish their customers' identity in personal contact with the customer. Agents or other parties to whom operations have been outsourced establish a customer's identity on behalf of supervised entities through a personal contact with the customer. Postal authorities establish customer identity on behalf of supervised entities: contracts and other documents can be sent as registered mail against a notice of receipt, so that the customer collects the documents personally. Postal authorities establish customer identity and forward the notice of receipt to the supervised entity. Supervised entities do not meet the customer in person but the establishment of identity is based on a secure and authentic personal access code. As regards the risk of money laundering/terrorism finance or abuse of the financial system, some low-risk services may allow the non-faceto-face establishment of customer's identity. Thus the establishment of identity may be based on data provided by the customer and on payment and settlement details. This procedure is a series of steps in which the customer effects a payment from their own bank account in the credit institution and the securities are entered in the customer's book-entry account. Payments by the supervised entity are always effected to the customer's previously indicated bank account. When using this method, it is essential that supervised entities set up a control procedure and check the information given by the customer against information in other reliable registers or sources. Supervised entities can compare information about the customer against information found in the Population Register Centre, trade

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 19 (19) register, credit register or other registers. A specified, written consent can be requested from the customer for the verification of personal data. Supervised entities may request that customers supply other documents and information, such as a recommendation by the customer's own credit institution. It is not sufficient to establish the identity solely on the basis of the fact that the funds of the customer have been transferred from the customer's account in the credit institution. 5.2.3 Identification documents (23) The following identification documents can be used to establish the identity of a personal customer: valid Finnish driving licence valid passport (including an alien passport or diplomatic passport) valid ID card, issued by the police after 1 March 1999 valid electronic ID (certificate) valid social security card with a photograph refugee travel documents for a specific reason, some other official document or a secure user code that authenticate a person's identity. Recommendation (24) A Finnish driving licence granted prior to 1990 is accepted only if a customer can be identified based on it. Recommendation Recommendation (25) The identification document of a foreign natural person, who does not have a Finnish social security number, is generally a valid passport (or an alien passport). Refugee travel documents are also accepted as identification documents. The identity of Nordic citizens can also be established by using an official ID card. (26) Identification of a legal person is verified with a valid extract from the trade register or a corresponding extract from an official register, which establishes the existence and legal capacity of the legal person. The identity of a person acting on behalf of a legal person must be established by the same means as the identity of a personal customer. (27) The scope of authority of a person (persons) acting on behalf of a legal person must be verified, on a risk sensitive basis, by referring to an extract from the minutes or similar documents of the decision-making body.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 20 (20) 5.3 Key principles of customer due diligence Recommendation Recommendation Recommendation (28) The scope of customer due diligence (how widely a customer background is scrutinized) varies according to the services provided and type of customer relationship. Supervised entities must obtain sufficient information about the customer's prior and planned activities and use of financial services. Supervised entities can generally refuse to accept as a customer a party that refuses to give information or whose size, place of business or nature of operations are in conflict with the business strategy of the supervised entity. (29) Risk management related to customer relationships requires that supervised entities adapt their customer due diligence procedures to the services used by the customer or to other characteristics of the customer relationship. To ensure that the nature of the customer relationship is consistent with the understanding of the customer by the supervised entity, supervised entities must monitor the transactions undertaken and the development of the customer relationship. (30) In addition to identification and contact data, where personal customers are concerned it must also be established what the nature, scope and purpose of the customer relationship is as well as the origin and use of the funds. (31) In addition to contact and register data, where legal persons are concerned it must also be established who the members of the board or of a similar decision-making body are as well as the persons acting on behalf of the legal person. It must also be established what the nature and scope of the business carried out by the legal person are as well as the purpose and scope of the financial services used. 6 Customers may also be asked to give information of the origin of the funds and of the purposes for which the funds will be used. (32) It may be necessary to establish, on a risk sensitive basis, the corporate and ownership structure of the legal person as well as the bodies who exercise actual decision-making power or who are the beneficiaries, business partners or customers of the company. (33) Before entering into a customer relationship with a non-eea customer, information must be obtained of the purpose for which the services will be used and of the customer's connections to Finland must be carried out. 6 Subsection 3 of Ministry of Interior Decree on the prevention and clearing of money laundering (890/2003).

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 21 (21) 5.4 Fulfilment of the due diligence requirements as per the Anti-Money Laundering Act (34) Fulfilment of the due diligence requirements of the Anti-Money Laundering Act requires that supervised entities have adequate knowledge of their customers' business so that they can detect any unusual or suspicious transactions or orders relating to the customer or service in question. Unusual activities can take many forms; for example, the origin of the funds can be disguised or concealed with the use of financing products or various cover activities. If supervised entities neglect to fulfil of the due diligence requirement or advice or assist customers in the concealment of funds, supervised entities may run the risk of sanctions. (35) Supervised entities should, as professionals of financial services, evaluate if an order or transaction is unusual or suspicious in the financial sector. Unusual or suspicious orders or transactions may take, for example, the following forms, as outlined in the legislation: its structure or size deviate from ordinary its size or place of business in respect to the supervised entity is unusual it does not have an apparent financial purpose it is in conflict with the customer's financial standing or other business activities. (36) Supervised entities are obliged, within available reasonable means, to examine the background of an unusual / suspicious transaction as well as the origin and purpose of use of the funds associated with it. Information may be obtained from official registers or from the supervised entities' own registers or by requesting more detailed information on the transaction from the customer, for example, contracts or other documents supporting the transaction. If a transaction is suspicious even after the additional examination or if a customer is unwilling to provide the information as requested, supervised entities must submit a suspicious transaction report to the Money Laundering Clearing House. 5.5 Prevention of terrorism financing and international financial sanctions (37) International sanctions are restricting measures imposed by the UN Security Council or the European Council, directed at specific states, groups or individuals. The forms of sanctions include, for example, export and import sanctions and financial sanctions. Financial sanctions refer to the freezing of funds or other financial resources of members of governments or of other

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 22 (22) bodies occupying a controlling position. Since the terrorist attacks of September 2001, financial sanctions have become an increasingly used global anti-terrorism tool. Providers of financial services are under an obligation to prevent the use of the financial system for terrorism financing; such action can take the form of collection and distribution of funds. Recommendation (38) The decisions of the UN Security Council concerning sanctions are imposed within the EU in the form of regulations issued by the EU Council. The names of the individuals, associations, groups or other parties subject to sanctions are published as appendices to regulations. EU regulations are directly applicable legislation in all EU member states. (39) Financial sanctions oblige financial institutions and other bodies to freeze the funds of individuals, groups and associations as referred to in regulations without a separate decision by the authorities. It is also prohibited, directly or indirectly, to release funds and in some cases other financial resources to the parties referred to in the regulations. Failure to comply with the obligations is a punishable act under chapter 46 of the Finnish Penal Code. (40) Supervised entities must monitor changes in financial sanctions and check their customer register on a regular basis to ensure that they are not offering services to parties that are under financial sanctions. In the event that supervised entities find in their register a customer, whose identification details correspond to or are similar to the party subject to sanctions, they must notify the Ministry of Foreign Affairs or the Financial Supervision Authority. 5.6 Reporting requirement as per the Anti-Money Laundering Act (41) Suspicious transactions are to be reported to the National Bureau of Investigation's Money Laundering Clearing House. Reporting suspicions about money laundering does not constitute report of an offence (request for investigation); rather, it is the reporting of an irregular financial transaction or an attempt thereof, which has been detected by a supervised entity. There is no minimum monetary threshold governing when a report must be submitted. In the event that supervised entities neglect to fulfil their reporting obligation, sanctions may be imposed. (42) Supervised entities must evaluate, on a case-by-case basis, when a transaction is considered unusual or suspicious, based on overall experiences in the financial sector. It is not possible to draw an undisputable line between what constitutes an unusual transaction and what a suspicious transaction, on which a report must be submitted; rather, an overall evaluation of the

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 23 (23) situation must be made. In the event that customers do not provide the information needed to fulfil the due diligence requirements or if supervised entities consider the information to be unreliable, supervised entities must consider submitting a report to the National Bureau of Investigation's Money Laundering Clearing House. (43) Reporting obligation refer to the supervised entities' unprompted reports of suspicious transactions detected by them. It is not supervised entities' duty to evaluate what criminal offence may have been committed. Detection of the true nature of the business as an act portraying signs of a criminal act can only be determined in an ex post facto police investigation. Reports of suspected money laundering are dealt with by the Money Laundering Clearing House. It is entitled to receive from supervised entities all the information it needs for its investigations and to suspend a transaction for the duration of five days. (44) Supervised entities or their employees may be made liable for damages on account of submitting a report only if they have not acted diligently or with good faith. Submission of the report may not be tipped off to the customer which is the subject of the report, nor to any other parties unless they need the information for the prevention or investigation of money laundering or terrorism financing. (45) Supervised entities must act in such a manner that funds or other assets relating to a suspicious transaction are not transferred beyond access by the authorities. If their suspicions are aroused, supervised entities may, at their own discretion, apply the following courses of action: 1) suspension of unusual or suspicious transaction for the purpose of further inquiries 2) refusal to carry out the transaction or do business in the event, for example, that the customer's identity cannot be reliably established 3) execution of a transaction, if supervised entities cannot leave transactions unexecuted or if the suspension or refusal of transaction is likely to hinder discovery of the beneficiary of the transaction. (46) Suspicions transactions must be reported without delay to the Money Laundering Clearing House, when e.g. supervised entities carry out an unusual/suspicious transaction a suspended transaction is suspicious even after further inquiries supervised entities refuse to carry out an unusual/suspicious transaction supervised entities find out, after the execution of the transaction, details on the basis of which the transaction is or series of

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 24 (24) transactions are demonstrated to be suspicious. (47) Suspicions are reported in accordance with the detailed instructions of the Money Laundering Clearing House as to the content of the report and the reporting procedure. The report must be prepared in such a way that it enables the Clearing House to evaluate the course of events and the action taken by the supervised entity. Supervised entities must also submit to the Clearing House any information and documents which may be of importance to the investigation of the case. 5.7 Documentation and storage of identification data 7 (48) Supervised entities must keep sufficient data about their customers in order to comply with the obligations of the Anti-Money Laundering Act. The Anti-Money Laundering Act includes a specific obligation to store identification data. (49) The customer identification and customer due diligence procedure shall be documented and the identification data thus accumulated shall be stored for five years after the carrying out of the business transaction or the termination of the customer relationship, whichever is later. (50) The identification and customer due diligence data must be documented in such a way that it is possible to demonstrate afterwards how each customer was identified, which documents or what information was used as proof of identity and who carried out the identification. In addition, all reports prepared in order to fulfil the reporting obligation of the Anti-Money Laundering Act must be retained. (51) The data to be stored include data specific to the document used in the establishment of identification or any other data on which the identification is based or a copy of the documents used in the establishment of identification. The data can be stored electronically. If the documents are stored outside the supervised entity, supervised entities must ensure that they know where the documents are being stored and have immediate access to the storage place. (52) For personal customers, the full name, social security number and address details must be stored. If a foreign personal customer does not have a Finnish social security number, their name, date of birth and nationality must be established as well as the number of their passport or other travel document or comparable means of identification. 7 See Ministry of Interior Decree 890/2003, section 6.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 25 (25) Recommendation (53) For legal persons, the following details must be stored: full name,register number, register date, registering authority, details of the members of the board or of a similar decision-making body, as well as the full names, social security numbers and addresses of persons acting on behalf of the legal person. (54) For risk management purposes in the customer relationship it is also necessary to store data obtained for customer due diligence. Good personal register practices involve regular updating of this data in connection with, for example, meetings with a customer. (55) Customers are entitled to inspect their personal data, and supervised entities must give customers details of the data they have stored in the register. The right to inspect personal details does not extend to reports of suspicions of money laundering or of unusual securities transactions 8 submitted to the Money Laundering Clearing House or the FIN-FSA because they may not be divulged. 8 Section 6: Reporting suspicious securities transactions and other suspect transactions.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 26 (26) 6 REQUIREMENT TO NOTIFY SUSPICIOUS SECURITIES TRANSACTIONS AND OTHER SUSPECT TRANSACTIONS (1) If parties subject to the notification obligation have reason to suspect that a transaction may include abuse of inside information or the manipulation of share prices, as defined in chapter 5 of the Securities Markets Act or chapter 51 of the Finnish Penal Code, they must notify their suspicions to the FIN- FSA without delay 9 (see a separate reporting standard RA2.1). (2) The filing of a notification must not be revealed to the party subject to suspicions nor to any other party. (3) The Securities Markets Act may oblige parties subject to the reporting requirement to report suspicious securities transactions or other suspect transactions. The Securities Markets Act prescribes that suspicious securities transactions and other suspect transactions must be reported to the FIN-FSA. The notification obligation referred to in the Securities Markets Act applies to a smaller group of parties than that referred to in the Anti-Money Laundering Act. The notification does not constitute a report of an offence (request for investigation); rather it refers to an irregular securities transaction or other atypical trade (for example a derivatives transaction), detected by the party subject to the notification obligation, or to a situation where the party subject to the notification obligation otherwise has reason to suspect the unlawful use of inside information or the manipulation of share prices, in connection with a securities transaction or other transaction. There is no minimum monetary amount, based on the size of the trade or other transaction, for when a notification must be submitted. Failure to submit the notification may result in parties subject to the notification obligation being imposed an administrative 9 Chapter 4, section 5 of the Securities Markets Act.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 27 (27) sanction as referred to in the Act on the Financial Supervision Authority. (4) Submission of the notification may not be tipped off to the persons who are the subject of the notification nor to their legal or other representatives, as this can endanger investigation of the matter. The extent to which parties subject to the notification obligation are liable for damages is set out in chapter 5, section 5 c of the Securities Markets Act.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 28 (28) 7 REPORTING TO THE FIN-FSA (1) A separate FIN-FSA standard RA2.1 has been issued on the submission procedures concerning the notification of suspicious securities transactions and other suspect transactions.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 29 (29) 8 DEFINITIONS (1) Securities transactions or other transactions refer to securities trades and other types of acquisition or disposal of securities (for example, entering into a lending agreement or subscription to a share). Other transactions also refer to derivatives agreements and to the fulfilment of rights and obligations based on derivatives agreements. (2) Customers refer to natural persons or legal persons to whom supervised entities offer or who request or use the services provided by supervised entities. Customers can be regular customers or occasional customers. (3) Customer identification refers to the verification and establishment of the identity of the customer or of the person acting on behalf of the customer. The general rule is that the identity is verified from a valid legal ID document. (4) Persons acting on behalf of the customer refer to persons acting on behalf of another natural person or legal person, for example on behalf of a legal person as beneficiary of a transaction or holding a controlling interest in a business or on behalf of a beneficial owner of a business. (5) Customer due diligence also refers to the supervised entity obtaining information on the nature and scope of the customer's operations and on the purpose of using the services in order to be able to determine the type of customer in question and the services suitable for the customer. The term know-your-customer (KYC) means nearly the same, however, the term customer due diligence is currently used in the international standards. (6) A suspicious transaction or trade deviates from a typical transaction or trade of the field in terms of, for example, size, structure, the size of the customer or place of business. (7) The due diligence obligation as per Money Laundering Act requires that supervised entities monitor the development of a customer relationship and the services used so as to detect unusual or suspicious transactions or

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 30 (30) activities. Neglect of the due diligence obligation is defined in the penal code. Supervised entities are obliged to actively obtain information of the background of customer relationships, business transactions, the origin and purpose of use of the funds and to report their suspicions to the authorities. (8) The reporting or notification obligation refers to the submission of a report of suspicious securities transactions to the FIN-FSA (Securities Markets Act 495/1989, chapter 4, section 5b) or submission a suspected money laundering or terrorist financing report to the National Bureau of Investigation's Money Laundering Clearing House (Act on the prevention and clearing of money laundering 68/1998, section 10). (9) Anti-money laundering rules and regulations refer to all the obligations with which supervised entities need to comply in respect of the identification and knowing of a customer, the documentation and storing of identification data and the fulfilment of the due diligence and reporting obligations. (10) Regular customer refers to a relationship of a permanent nature, involving a customer that uses the services of the supervised entity on a regular basis as well as a customer, who has at least one contract with the supervised entity. (11) Occasional customers refers to customers that use the services of the supervised entity on a one-off basis, for example, to effect a single cash payment or to make a single subscription in a share issue.

THE FINANCIAL SUPERVISION AUTHORITY 2 Code of conduct until further notice J. No. 6/121/2005 31 (31) 9 FURTHER INFORMATION Please find the necessary contact information in the list of Persons in charge of standards on the FSA's website. For further information, please contact: Conduct of business, tel. +358 10 831 5336