Policy on Anti Money Laundering and Countering Terrorist Financing

Adopted by: the Board
Date of adoption: 22 June 2016 (replaces 24 June 2015, and Directive on Anti Money Laundering and Countering Terrorist Financing 13 December 2012)
Applies for: the Bank and all Subsidiaries
Group Framework Owner: the Chief Compliance Officer
Distribution: Group Regulation section on the intranet
Language version: English
Information class: Internal
Basis: The Swedish Act (2009:62) on measures against money laundering and terrorist financing and the S-FSA regulatory code FFFS 2009:1

1. Purpose

1.1. This Policy describes the Group's minimum requirements which must be established, maintained and operated in order to prevent, detect and take proper action against Money Laundering and Terrorist Financing. The requirements shall ensure compliance with legal requirements and best banking practice industry standard, and protect the goodwill of the Group. The minimum requirements shall be complied with in addition to local legislation. This Policy also covers Financial Sanctions to some extent; however, this area is mainly covered in the Group Policy on Financial Sanctions.

1.2. It is the responsibility of each Business Area (BA) Head, Group Function (GF) Head when applicable, Group Products (GP) Head and subsidiary CEO to ensure compliance and that the requirements outlined in this Policy are implemented in their respective area of responsibility.

1.3. Money Laundering and Terrorist Financing activities are threats to the integrity and the stability of the international financial system. The aim of legislation in the area is to prevent organised crime, secure trust in the financial markets, and protect society from corruption and other crimes threatening democracy.

1.4. Money Laundering and Terrorist Financing activities are threats against the Group's business which can cause significant losses, reputational risks and damages.

1.5.
Defined terms used herein shall have the meaning set out in the list of Group common definitions.

2. Risk Principles

2.1. Money Laundering is based on an all-crime approach, meaning the process by which proceeds from a criminal activity are disguised to conceal their illicit origin, or where legitimate proceeds are used for criminal purposes.

2.2. Financing of Terrorism includes the solicitation, collection or provision of funds with the intention that they may be used to support terrorists, terrorist acts (including travelling and training) or terrorist organizations. Funds may stem from both legal and illicit sources.

2.3. Financial Sanctions involve the withdrawal of customary trade and financial relations for foreign and security policy purposes. They may be comprehensive, restricting or prohibiting activities with regard to an entire country, or targeted at an entity or individual, specific goods or trading in different securities.

Non-acceptable Risk

2.4. Non-acceptable risk includes, but is not limited to:
- The Group shall not establish a business relationship or carry out an occasional transaction where the risk is non-acceptable, and should promptly terminate an existing business relationship in accordance with applicable legislation.
- The Group shall not keep anonymous accounts.
- The Group shall not engage in a correspondent banking relationship with a shell bank or a bank that is known to permit its accounts to be used by a shell bank.
- The Group shall not co-operate with external parties that do not observe requirements regarding Money Laundering and Terrorist Financing.
- The Group shall not engage in business relationships with persons listed on applicable national or international sanction lists as referred to in the Financial Sanctions Policy, or on applicable lists from national financial supervisory authorities or similar.

3. Risk Management

Resources

3.1. Each BA, GF, GP Head and subsidiary CEO is responsible for ensuring adequate resources to secure compliance with the Policy minimum requirements.

3.2. Each legal entity within the Group shall appoint a Money Laundering Reporting Officer (MLRO) responsible for filing reports (Suspicious Activity Reports, SARs) to the respective Financial Intelligence Units, and for executing disposition bans.

Risk Based Approach (RBA)

3.3.
The Group's activities to combat Money Laundering and Terrorist Financing shall include identifying, understanding and assessing the risks of Money Laundering and Terrorist Financing to which the Group is exposed, and taking appropriate, adequate and proportionate mitigation measures in accordance with the level of risk.

Rule Based Approach (RuBA)

3.4. Financial Sanctions management shall be performed on a rule based approach, meaning the obligation for the Group to conform to applicable sanctions, in line with the Group Policy on Financial Sanctions, without any exceptions.

Risk Assessment (RA)

3.5. Each BA, GF, GP Head and subsidiary shall have a documented RA that is reviewed at least annually, or before any launch, including changes in risk category assessment. The RA shall be relevant to the specific business area, based on the risk categories and specifics for that business area. The RA and the underlying documented analysis shall be granularly documented.

3.6. The objective of the RA is to identify, understand and assess the level of Money Laundering and Terrorist Financing risks for all relevant risk categories (at least, but not limited to, customer, product, channel, geography and transactions). The RA shall define measures on how to mitigate identified risks, including risk-based routines and processes.

3.7. Performing a risk assessment includes, inter alia:
- Considering changes based on the legislative environment and rulings and recommendations from financial supervisory authorities.
- Evaluation of best banking practice and industry standard.
- Evaluation and analysis of external intelligence from relevant national and international financial supervisory authorities and organizations, e.g. Financial Intelligence Units (FIU) and the Financial Action Task Force (FATF), such as national risk assessments and other reports.
- On-going monitoring of information about new trends, patterns and methods that can be used for Money Laundering and Terrorist Financing, based on both internal and external intelligence, as well as empirical data.
- On-going monitoring of changes in markets, products/services, channels, customers and the surrounding environment.
- Covering the minimum requirements set in the Group Risk Assessment.

Group Risk Assessment (GRA)

3.8. The Group shall have an updated and valid GRA that reflects the Money Laundering and Terrorist Financing risks on an aggregated level for the Group. The GRA is performed by the Compliance Function and is based on an overview of inherent risk factors identified in rules, regulations and external intelligence.

Risk Based Routines and Processes

3.9.
The RA shall be implemented by setting the necessary working routines and processes, such as the appropriate level of Customer Due Diligence, escalation and reporting routines, transaction monitoring, follow-up routines etc., covering the RBA and all risk classes, including non-acceptable risk. Routines and processes shall be efficient and IT-based when necessary, and at all times updated according to the RA.

3.10. Money Laundering and Terrorist Financing risk shall be classified in at least four classes:
- Low: The risk that the subject of the category can be involved in or exploited for Money Laundering and Terrorist Financing purposes is typically deemed to be negligible. For low risk, Standard Customer Due Diligence (Standard CDD) or Simplified Customer Due Diligence (Simplified CDD) is applicable when assessed legally possible.
- Medium/Normal: The risk that the subject of the category can be involved in or exploited for Money Laundering and Terrorist Financing purposes is typically deemed to be relatively low. For medium/normal risk, Standard Customer Due Diligence (Standard CDD) is applicable.
- High: The risk that the subject of the category can be involved in or exploited for Money Laundering and Terrorist Financing purposes is typically deemed to be conceivable. For high risk, or when legally applicable, Enhanced Customer Due Diligence (Enhanced CDD) is applicable.
- Non-acceptable: The risk that the subject of the category can be involved in or exploited for Money Laundering and Terrorist Financing purposes is normally deemed to be present. The Group shall not establish a business relationship or carry out an occasional transaction where the risk is non-acceptable, or when an individual, entity or country is sanctioned according to the Group Policy on Financial Sanctions, and should promptly terminate business relationships in accordance with applicable legislation.

Customer Due Diligence Process (CDD)

3.11. A key process in combating Money Laundering and Terrorist Financing, prescribed by the legislation, is the Know Your Customer process, which sets different levels of CDD based on the risk of Money Laundering and Terrorist Financing assessed in the RA. It includes e.g.:
- customer identification and verification, including beneficial owners,
- identification of possible domestic and international PEPs (Politically Exposed Persons) and RCAs (Relatives and Close Associates),
- screening against Financial Sanctions regulations as stated in the Group Policy for Financial Sanctions,
- assessing and obtaining information on the purpose and nature of the customer relationship,
- obtaining and assessing information on the source of funds when applicable,
- risk classification of the customer, and
- ongoing follow-up and monitoring, including assessment of whether the customer's business, transactions and use of bank products and services are in line with the Group's knowledge of the customer.

3.12. CDD shall be performed and properly documented so that the risk level of the customer can be determined, and before establishing a business relationship or when carrying out an occasional transaction as stated in the legislation. CDD should be kept relevant and updated when there is a change in the customer relationship, including a different set of products and services, a suspicion of Money Laundering or Terrorist Financing, a change in customer behaviour etc.

3.13. Consolidated CDD processes may be applied and obtained information shared within the Group if technically and legally possible.

Third Party

3.14.
CDD conducted by a third party may be used if legally applicable, and if the information about the conducted CDD is, without delay, made available to the relevant party within the Group, and that party, upon request, receives the collected documents supporting the gathered information. The responsibility for compliance with regulations remains with all parts of the Group.

Transaction Monitoring and External Reporting

3.15. The Group shall, with the objective of detecting Money Laundering and Terrorist Financing, monitor its customers' transactions in order to identify suspicious and deviating behaviour.

3.16. Reporting routines shall be established for the reporting of suspicious and deviating transactions. The MLRO is responsible for reporting to the relevant law enforcement authority.

3.17. The Group shall cooperate with competent authorities, national and international organisations and other financial institutions on matters relating to Money Laundering and Terrorist Financing.
Record Keeping

3.18. Storage of CDD information must be organized in such a form that it is traceable and available upon request, without delay, to relevant personnel within the Group and to competent authorities.

3.19. After terminating a business relationship with a customer, CDD information must be preserved for a minimum of five (5) years.

3.20. Filed SARs shall be continuously cleared in accordance with local legislation.

Training

3.21. The Compliance Function shall provide a basic training program for all relevant employees. In addition, each BA, GF, GP Head and subsidiary shall, with relevant frequency, provide tailored training for different employee groups depending on specific needs. Such training shall conform with the respective RAs.

Protection of Staff

3.22. Procedures shall be established to safeguard staff in case of threats or other similar actions following investigation or reporting of suspected Money Laundering and Terrorist Financing. Any incidents shall be investigated and documented.

Internal Reporting

3.23. Each BA, GF, GP Head and subsidiary shall at least quarterly report on the status of issues related to Money Laundering, Terrorist Financing and Financial Sanctions to AML Compliance Sweden and Baltic Banking Compliance respectively, in accordance with the provided format. AML Compliance and Baltic Banking Compliance respectively report to the Chief Compliance Officer in accordance with the structure set in the Policy for the Compliance Function.

3.24. Systematic shortcomings or incidents shall be reported ad hoc to AML Compliance Sweden and Baltic Banking Compliance.