JOINT RESOLUTION OF THE GOVERNOR OF BANK OF MONGOLIA AND CHAIR OF THE FINANCIAL REGULATORY COMMISSION

JOINT RESOLUTION OF THE GOVERNOR OF BANK OF MONGOLIA AND CHAIR OF THE FINANCIAL REGULATORY COMMISSION Date: June 30, 2016 Ulaanbaatar No A-162/195 In terms of article 19.2.3 of The Law on Money laundering and terrorist financing and article 28.1.2 of the Law on Central Bank (The Bank of Mongolia) and article 6.1.2, 36.1 of Law on legal status of financial regulatory commission it enacts hereby: 1. Preventive measures regulations on combating money laundering and terrorism financing is being approved in terms of updated as in annex. 2. According to issuance of this resolution, below mentioned resolutions are being withdrawn: Decree number 312 of the governor of BOM on 2007; Decree number 253 of financial regulatory commission on 2009. 3. Actions to monitor enforcement of this resolution shall be assigned to Internal control and risk management Department (Mr. Kh. Delger), Supervision Department, BOM (Mr. D.Ganbat), Financial Intelligence Unit (Mr. B. Tomorbat), and Secretariat of Financial regulatory commission (Mr. Ts. Natsagdorj). THE GOVERNOR OF BOM (STAMP) N.ZOLJARGAL ACTING CHAIRMAN OF FRC (STAMP) E.BATBOLD

Annex of the joint resolution #A-162/195 of the Governor of BOM and Chair of FRC PREVENTIVE MEASURES REGULATIONS ON COMBATING MONEY LAUNDERING AND TERRORISM FINANCING 1.1 The purpose of these regulations is to establish a risk based approach to the prevention, detection and reporting of the abuse of reporting entities for the purposes of money laundering and terrorist financing. 1.2 Terms used in this regulation shall have following meaning: 1.2.1 Reporting entity refers to a person stipulated in Article 4.1 of the AML/CFT Law 1.2.2 Politically exposed person refers to as stipulated in Article 20.2 of Law on Preventing from Conflict of Interest and Regulate Public and Private Interest in Civil Service. 1.2.3 Correspondent banking relationship is allocation of funds by one bank /correspondent bank/ under the authorization of another bank /respondent /and providing services by correspondent bank such as cash management, payments, cheque clearing, and foreign currency exchange etc. 1.2.4 Legal person is defined as pursuant to the Article 3.1.1 of the State Registration Law of legal person 1.2.5 Occasional transaction - is a transaction carried out in a single operation by customer who hasn t account or hasn t established constant business relationship 1.2.5 Wire transfer refers to any transaction carried out on behalf of an originator person (both natural and legal) through a domestic of international bank or financial institution by electronic means with a view to making an amount of money available to a beneficiary person through another bank or financial institution. 1.2.6 Proceeds of crime means any direct and indirect funds, profits and income obtained from crime and illegal activity in Mongolia and in foreign country. CHAPTER TWO RISK ASSESSMENT

2.1 Reporting entity should approve and implement internal control program 1 to assess risk on ongoing basis, to take appropriate measures to manage and mitigate risk. 2.2 The internal control program shall be reviewed regularly to ensure that it provides an appropriate response to the money laundering (ML)/terrorist financing (TF) risks being faced by the reporting entity, and shall be amended as required to deal with the risks arising from new products, services and delivery channels and associated with particular geographical locations or types of customers. 2.3 Risk assessment shall have regard to the higher risk associated with business relations and transactions referred to Article 5.8 and 6 of the Law and giving consideration to the following factors: 2.3.1 Customer risk factors: 2.3.1.1 Business relationships established in unusual circumstances (for example relationships established from distance) 2.3.1.2 Non-resident customers 2.3.1.3 Customers that are legal person or natural person who manages property of someone by a legal arrangement 2.3.1.4 Legal persons that have nominee shareholders, issue bearer shares or that are part of an unusual or excessively complex ownership structure. 2.3.2 Geographic Risk Factors: 2.3.2.1 Countries with deficient AML/CFT regimes. 2.3.2.2 Countries subject to financial sanctions, embargoes or similar measures 2.3.2.3 Countries have significant level of corruption or other criminal activity 2.3.2.4 Countries or regions identified by credible source as financing or supporting terrorism and terrorist activities or have terrorist organizations operating there. 2.3.3 Product, Service, Transaction and Delivery Channel Risk Factors: 2.3.3.1 Private or exclusive banking 2.3.3.2 Anonymous transactions including cash transactions 2.3.3.3 Non-face-to face business relationships or transactions 1 Program stated in chapter 14 of AML/CFT Law

2.3.3.4 Transactions or payments originating from unknown or unassociated third parties: 2.3.4 The purpose of an account or relationship 2.3.5 Risks associated with transactions, (including the size of deposits or transactions undertaken by a customer; the frequency of transactions or duration of the relationship; whether the transactions is outside the scope of normal transactions conducted by the customer or whether the transaction originated from or conducted through high risk jurisdiction) 2.3.6 Other risk factors that could be faced by reporting entity during the business relationship 2.4 The risk assessment and any related information shall be documented, kept up-to-date and readily available for supervisors to review at their request. CHAPTER THREE ML/FT RISK MANAGEMENT AND INTERNAL CONTROL 3.1 Reporting entities shall adopt following measures based on ML/FT risk assessment: 3.1.1 obtain additional information on the customer, beneficial owner, beneficiary and transaction where appropriate. 3.1.2 create a risk profile on customers and transactions. The customer profile should held sufficient information about customer and relationships with the reporting entity, including purpose and nature of the relationship, and information related to source of funds and property. 3.1.3 apply enhanced due diligence for higher risk customers transactions considering products, services, delivery channel, and geographic locations. 3.1.4 monitor transaction and relationship with the customer on ongoing basis. Monitoring should include the scrutiny of customer transactions to ensure that transactions are being conducted according to the reporting entities knowledge about the customer and customer profile. Where necessary can use predetermined limits for volume and type of transaction. 3.2 Reporting entity shall have internal policy, procedures and internal control approved by its Board to prevent ML/ TF and other unlawful activities. 3.3 The internal policies, procedures, internal controls stated in 3.2 should be consistent with the reporting entities size, nature, risk, and structure but must be sufficient and effective to deal with ML/FT risk. 3.4 The internal policies, procedures, internal controls should be applicable to all domestic and foreign branches and majority owned subsidiaries of the entity.

3.5 Board, relative committees or Internal audit committee of reporting entity shall review implementation of the internal policies, procedures regularly and ensure that internal policies, procedures are sufficient and effective to deal with AML/CFT risk and update it, if necessary. 3.6 The internal control system referred to in Article 14 of the Law shall also contain the following components: 3.6.1 A specified AML/CFT training program for activities identified as higher risk activities 3.6.2 written procedures and manuals guiding staff on the operation of the reporting entities AML/CFT systems and controls 3.6.3 Procedures for the appointment of a compliance officer and the creation of a compliance unit (if required) and policies relating to the compliance officers power and responsibilities and reporting duties. 3.6.4 The Compliance officer should be senior level staff 3.6.5 The Compliance officer should have access and right to have all documents and information from subsidiaries, units, branches related to customer account and transactions. 3.6.6 Reporting entities must maintain an adequately resourced and independent audit function to ensure that the compliance officer and staff of reporting entity are performing their duties in accordance with the reporting entities AML/CFT internal policies, procedures, systems and control. 3.6.7 The Reporting entity should have a regulation that prohibits employing people with conflict of interest or committed and sentenced by fraudulent crimes other similar criminal activities. CHAPTER FOUR ENHANCED CUSTOMER DUE DILIGENCE FOR CUSTOMERS ANDTRANSACTIONS ASSESSED TO BE OF HIGH RISK FOR ML/TF\

4.1 Reporting entities shall apply enhanced customer due diligence (enhanced CDD) measures in following cases: 4.1.1 For customers and transactions identified as high risk customers and transactions according to the article 14.1.4 of AML/CFT Law; 4.1.2 In case of conducting transactions referred to the article 6 of the AML/CFT Law 4.1.3 Transactions with non-face-to-face customers or where customer due diligence (CDD) has been undertaken by a third party intermediary. 4.2 Enhanced CDD should include following measures: 4.2.1 Obtaining additional information from the customer relating to the customer s business, source of funds, the purpose of intended transactions and shall take possible measures to verify such information; 4.2.2 Obtaining the approval of senior management for continuation of the business relationship with the customer. This approval process should take place in the context of appropriate customer acceptance policies that include refusal of acceptance of business with customers who pose an excessively high ML/TF risk and who denied to supply with appropriate information; 4.2.3 To increase the frequency and depth of monitoring against accounts of customers, to conduct enhanced CDD for other parties of relationship and review information received from customers during CDD; 4.2.4 Other requirements relating to enhanced CDD that may be the subject of regulations pursuant to Article 5.3 of the Law or pursuant to Article 19.2.3 of Law. 4.3 Enhanced CDD should be applied to higher risk customers at each stage of relationship, to request additional information, to update existing information. CDD process should be an on-going process. CHAPTER FIVE CUSTOMER DUE DILIGENCE AND VERIFICATION OF INFORMATION 5.1 For the purpose of properly implementing Articles 5.1 and 5.2 of the Law and these regulations, CDD measures shall include the requirements set out in Tables 1 3 below. The objective of CDD procedures is to identify and verify both the customer of the reporting entity and beneficial owner, who manages, controls business relationship. Beneficial owner is a natural person who owns controlling interest, and established legal person. Where layered ownership structures are used it will be necessary to identify and verify the components of each layer until the ultimate beneficial owner or controller is identified. In case of legal arrangements, if customers represent interests of other legal person CDD should be applied according to the Table 3. 5.2 If customer is natural person:

Table 1 Information Required Documents to verify information 2 Surname Name Date of birth Number of registry Permanent address, telephone number Current address, telephone number Employment particulars or information about business: 1. To identify business type and scope of business, Citizen s identity card, or passport Citizen s identity card or passport Citizen s identity card or passport Citizen s identity card or passport The way to receive and verify this information should be regulated in internal control policy. The way to receive and verify this information should be regulated in internal control policy. The way to receive and verify this information should be regulated in internal control policy. 2. To identify address of office and position of customer. To identify whether customer is acting on their own behalf or on behalf of other person If the customer is acting on behalf of another person, all the information should be obtained in relation to that person and verified. If the customer is acting on behalf of other person information should be obtained according to the Table 1. If the customer is acting on behalf of legal entities information should be obtained according to the Table 2,3 and verified. 5.3 If customer is legal person Table 2 Information Required Documents to verify information 3 2 As stated in 5.2.1 of AML/CFT Law verified copies should be kept in customer profile 3 As stated in 5.2.2 of AML/CFT Law verified copies should be kept in customer profile

Name State registration number Registration number of taxpayer Shareholders State registry document State registry document Documents issued by Tax Authority State registry document Formation documents, documents of shareholders to establish legal entity, internal regulation of legal entity. Type of business State registry document Formation documents, documents of shareholders to establish legal entity, internal regulation of legal entity. Ownership structure, detailed information about management Permanent address of office, telephone number Beneficial ownership information 4 The way to receive and verify this information should be regulated in internal control policy. The way to receive and verify this information should be regulated in internal control policy. If beneficial ownership is not office bearer of the legal entity information should be obtained according to the Table1 and reporting entity should receive documents proving his beneficial ownership. 5.4 If the customer represents or is acting on behalf of a legal arrangement: Table 3 Information Required If the customer is a natural person: the information should be required according to the Table 1 If the customer is a legal person : the information should be required Documents to verify information Documents stated in Table 1 Documents stated in Table 2 4 This information not necessary for a company listed on a stock exchange

according to the Table 2 In case of legal arrangements information of related parties should be obtained: state registration information, including the name, address and registration details of (i) any person or entity with the authority to hold or deal in property held pursuant to the legal arrangement; (ii) any person or entity with powers to appoint or dismiss trustees or other persons responsible for implementing the legal arrangement and (iii) any person entitled to receive the benefit of property held by the legal arrangement. Where persons or legal entities are identified the verification required in either Table 1 or Table 2 should be completed as appropriate. 5.5 Reporting entities are required to gather and maintain customer and beneficial owner information throughout the course of the business relationship. 5.6 Documents, data, or information collected under the CDD process should be reviewed and updated with particular frequency. 5.7 Reporting entities should review information in following cases: 5.7.1 A t transaction with significant large amount is to take place 5.7.2 There is change in type, frequency, purpose, amount of transactions or there is a change in the way the account is operated, 5.7.3 Information held on the customer is insufficient to enable the reporting entity to understand the nature of the financial relationship or transactions being conducted. 5.8 Reporting entities must take reasonable measures to determine if a customer is acting on his/her own or on behalf of one or more beneficial owners. If so, reporting entities should take reasonable steps to verify the identity of the beneficial owner. The information to be obtained on a beneficial owner should be consistent with the requirements outlined in Tables 1, 2 and 3 of this Regulation. 5.9 Where a customer provides false or fictitious information to a reporting entity in the course of the CDD process the reporting entity shall make a suspicious transaction report to the FIU. 5.10 Where a reporting entity is unable to verify the identity of the customer and beneficial owner(s), it shall refrain from opening the account or commencing the business relationship or carrying out the transaction, or it shall terminate the business relationship. In such cases, the reporting entity shall consider filing a suspicious transaction report to the FIU.

5.11 If the reporting entity has sufficient grounds to suspect the asset, transaction or attempt of transaction is connected to MLTF or considered as proceeds of crime, and conducting or continuing a KYC will pose a risk of exposure of the process to the customer the RE will stop the KYC and submit a STR to the FIU immediately. 5.12 The Reporting entities are not allowed to open accounts, conduct transactions or provide any financial services to individuals or entities designated by the UN or domestic competent authorities as terrorist. 5.13 If a customer s name matches with the name of individuals or entities designated as terrorist, then reporting entity should verify additional information with the list designated by local authority and UN, and if it is matches or considered to be suspicious, then reporting entity should suspend the transaction and submit a STR to the Financial information unit and General Inspection Agency as soon as it is possible CHAPTER SIX RECORD KEEPING 6.1 For the purposes of complying with article 8 of the AML/CFT Law reporting entities shall retain records as follows: Table 4 Type of record Records relating to the establishment of a customer relationship including account opening documents and documents relating to KYC procedures, including copies of identification documents Records and documents relating to enhanced CDD procedure. The updates of customers information, additional information, documents, information about accounts. Agreement on correspondence relationship, memorandum, and records used to identify ML/TF risk, documents on analysis of ongoing CDD, analysis of enhanced monitoring of transactions, information and documents relating to suspicious transactions reports. Records relating to cash or non cash transactions Retention requirement 5 years after the customer relationship has ended, or where such documents have arisen from an occasional transaction, 5 years from that transaction 5 years after the customer relationship has ended 5 years from the date of completion of the transaction

6.2 Records that are required to be retained pursuant to the AML/CFT Law and these regulations should be sufficiently detailed to permit the reconstruction of each individual transaction and to enable them to comply swiftly with information requests from the competent authorities stated in the Law 6.3 Records should be archived to meet all the requirements and consistent with evidence rules. CHAPTER SEVEN POLITICALLY EXPOSED PERSONS /PEP/ 7.1 Internal control of reporting entity stated in article 14 of AML/CFT Law and in article 3 of this Regulations should include measures to identify PEP s, their family members, parties with common interests. All these persons should be subject to enhanced CDD procedure and transactions on their name should be subject to enhanced monitoring. 7.2 In addition to the PEP s identified in the article 3.1.5 of the AML/CFT Law, definition of PEP s should also include following persons: a. Head of State of foreign country, Head of Government, senior politicians, senior government, judicial or military officials, and senior executives of state owned corporations, important political party officials or ex-officials. b. A person who is or has been entrusted with a prominent function by an international organization refers to members of senior management, i.e. directors, deputy directors and members of the board. 7.3 Requirements relating to politically exposed persons shall also be applied to persons who are family members or close associates of the politically exposed person. CHAPTER EIGHT CORRESPONDENT BANKING RELATIONSHIP 8.1 Before establishing cross-border correspondent arrangements and similar relationships, reporting entities shall: 8.1.1 to obtain information whether this bank exists, 8.1.2 based on publicly-available information, evaluate the respondent institution s reputation and the nature of supervision to which it is subject and whether it has been subject to a money laundering or terrorist financing investigation or regulatory action; 8.1.3 obtain approval from senior management before establishing a correspondent relationship; 8.1.4 to evaluate the internal controls implemented by the respondent institution with respect to anti-money laundering and combating the financing of terrorism; 8.1.5 establish an agreement on the respective responsibilities of each party under the relationship;

8.1.6 in the case of a payable-through account, ensure that the respondent institution has verified its customer s identity, has implemented mechanisms for ongoing monitoring with respect to its clients, and is capable of providing relevant identifying information on request; 8.1.7 reporting entity shouldn t establish correspondent relationship with shell bank and financial institution; 8.1.8 reporting entity shouldn t establish or continue business relations with a respondent financial institution in a foreign country if the respondent institution permits its accounts to be used by a shell bank 8.2 Reporting entities should review existing correspondent relationships to meet requirements stated in this regulation. CHAPTER NINE NEW TECHNOLOGIES 9.1 The measures that should be implemented to reduce the risks associated with the use of new or developing technologies referred to in article 5.5 of the AML/CFT Law should include: 9.1.1 To undertake an assessment of the risks associated with new products, services and delivery mechanisms, and undertake risk assessment with the use of new or developing technologies with both new or existing products; and 9.1.2 Implementing appropriate measures designed to manage such risks and limit their impact. CHAPTER TEN WIRE TRANSFER 10.1 Reporting entities that engage in cross border wire transfers shall include accurate information about originator, recipient and correspondent banking in related messages. Messages should include following information: 10.1.1 The full name of originator; 10.1.2 The originator account number where such an account is used to process the transaction; 10.1.3 The originator s address, or customer identification, or date and place of birth 10.1.4 The name of the recipient and the recipient account number where such an account is used to process the transaction; 10.2 If the reporting entity is unable to comply with requirements stated in article 10.1, it shall refuse to conduct the wire transfer. 10.3 Where several individual cross-border wire transfers from a single originator are bundled in a batch transfer for transmission to beneficiaries, reporting entities are not

required to apply the provisions of 10.1 in respect of originator information, provided that they include the originator s account number or unique transaction reference number which permits traceability of the transaction, and the batch transfer contains required and accurate originator information, and full beneficiary information, that is fully traceable within the beneficiary country. 10.4 Reporting entities should ensure that non-routine wire transfers are not batched where this would increase the risk of money laundering or terrorism financing. 10.5 For domestic wire transfers (including transactions using a credit or debit card as a payment system to effects a money transfer), the ordering reporting entity must include either: 10.5.1 Full originator information in the message or payment form accompanying the wire transfer; or 10.5.2 Only the originator s account number, where no account number exists, a unique reference number, within the message or payment form. 10.6 Where full originator information has not been included in a domestic wire transfer, this information should be made available by the ordering reporting entity within three business days of receiving the request either from the beneficiary financial institution or from the FIU. 10.7 For cross-border wire transfers, reporting entities processing an intermediary element of the payment chain should keep all wire transfers information including originator and beneficiary information at least 5 years. 10.8 Reporting entities should have a risk-based policies and procedures for determining: when to execute, suspend, and reject wire transfer. This internal control program should be compliant with the programs to file STR to the FIU, terminate business relationship, and procedures to conduct enhanced monitoring. 10.9 When wire transfer received reporting entities should implement KYC procedure and reporting entities should keep all wire transfers information including originator and beneficiary information at least 5 years. CHAPTER ELEVEN RELIANCE ON THIRD PARTIES - KYC 11.1 Where a reporting entity uses a third party to undertake KYC procedures on its behalf it should ensure that all information that has been obtained by the third party is sent to it as soon as practicable and that copies of documents obtained as part of the KYC process are either provided or can be obtained upon request. 11.2 KYC procedures undertaken by third party shall be consistent with the requirements of the law and regulations on AML/CFT. 11.3 The third party who undertakes KYC procedures shall be subject to AML/CFT supervision.

11.4 The third party who undertakes KYC procedures shall maintain the collected information in accordance with the record keeping requirements of the law and regulations on AML/CFT. CHAPTER TWELVE FOREIGN BRANCHES AND MAJORITY OWNED SUBSIDIRIES 12.1 Reporting entities shall require their foreign branches (if any) and majority-owned subsidiaries to implement the requirements of the Law and Regulation to the extent that applicable laws and regulations in the country where the foreign branch or majority owned subsidiaries are domiciled so permit. If such laws prevent compliance with these obligations for any reason, the reporting entity shall so report its supervisor, which may take such steps as it believes to be appropriate to accomplish the purpose of the Act and this Regulation. CHAPTER THIRTEEN SECTOR SPECIFIC INSTRUCTTIONS 13.1 For purpose of assisting with compliance with the law on AML/CFT and this regulation, a supervisor may issue specific instructions to the type or sector of reporting entities that they regulate. CHAPTER FOURTEEN. REPORTING TRANSACTIONS 14.1 The Reporting entity is responsible for reporting Cash and non-cash transactions of 20 million togrogs (or equivalent foreign currency) or above to the Financial Information Unit in the prescribed form within 5 working days. 14.2 The Reporting entities shall report to the Financial Intelligence Unit any transactions that they suspect of money laundering or terrorism financing in prescribed form within 24 hours. 14.3 The Reporting entity is obliged to maintain the safety of the person responsible for reporting suspicious transactions and secrecy of the information. 14.4 The FIU will disclose the statistics of STR s, CTR s and FSTR s received quarterly on the website of the Central bank. 14.5 The regulation on reporting transactions stated in articles 14.1, 14.2 of this regulation will be approved by the Head of FIU. CHAPTER FIFTEEN RESPONSIBILITY 15.1 A reporting entity shall be responsible for the accuracy, veracity and truthfulness of the information in the reports sent to FIU. 15.2 Any reporting entity, including any director, partner, officer, principal or employee thereof who intentionally makes a false or misleading statement, provides false or misleading

information, or otherwise fails to state a material fact shall be penalized according to relevant law. 15.3 Any person who violates the provisions of this regulation shall be penalized according to relevant law and regulation.