IS6 Technologies (Pty) Ltd will not be associated with money laundering (ML), terrorist financing (TF) or proliferation finance (PF) or sanctions breaches or evasion and has introduced policies, principles, methodologies, processes, systems and training to ensure that it meets its statutory duties and regulatory obligations or, if they do not exist, agreed standards.

Inadequate customer due diligence (CDD) and understanding of a client's background, nature and intended purpose for establishing a business relationship may expose IS6 Technologies to undue ML, TF, PF or sanctions risk. IS6 Technologies must conduct enhanced due diligence (EDD) on clients who are likely to pose a higher risk to IS6 Technologies.

Inadequate employee due diligence and understanding of an employee’s background nature and integrity may expose IS6 Technologies to undue ML, TF, PF or sanctions risk.

In most jurisdictions it is a criminal offence to establish a business relationship or conclude a transaction in breach of financial sanctions legislation with individuals or entities that appear on sanctions lists or are involved in sanctioned activity or goods.

IS6 Technologies must take reasonable measures to identify any business relationship, transaction or prospective business relationship or transaction involving individuals, entities, countries, goods or activities targeted in applicable financial sanctions legislation and apply reasonable measures to combat the proliferation of weapons of mass destruction and other sanctioned activities.

IS6 Technologies will take reasonable steps to ensure that funds or any other form of financial services it provides is not used to benefit sanctioned individuals or entities or to carry out sanctioned activity or any activity involving sanctioned goods or the proliferation of weapons of mass destruction.

IS6 Technologies will take reasonable measures to mitigate the risk of establishing a business relationship with a person appearing on IS6 Technologies’ Do Not Engage (DNE) list.

IS6 Technologies will take reasonable measures to identify and manage any business/employment relationship or prospective business/employment relationship or single transaction involving:

• a person listed on IS6 Technologies’ ratified sanctions lists;
• a person listed on IS6 Technologies’ internal lists;
• a domestic politically exposed person (DPEP); or
• a foreign politically exposed person (FPEP)

This policy sets out the obligations of IS6 Technologies relating to the following:

• Anti-money-laundering (AML)
• The combating of financing of terrorist and related activities (CFT)
• The countering of proliferation financing and related activities (CPF)
• Sanctions risk and internal-lists management

The goals of this policy are the following:

• To support the Risk Management and Compliance Programme (RMCP), through which ML, TF, PF, sanctions risk and internal-list requirements are managed via risk-based principles, methodologies, processes, systems and training so that IS6 Technologies can carry out and meet its statutory duties and regulatory obligations.
• To reduce reputational, operational, concentration, financial and legal risks to IS6 Technologies, with IS6 Technologies thereby meeting local and international standards.

This policy summarises the responsibility of management and employees for establishing and implementing a RMCP with regard to the following:

• Establishing an AML, CFT, CPF and sanctions strategy.
• Establishing a ML, TF, PF and sanctions risk appetite.
• Creating and implementing AML, CFT, CPF and sanctions risk-based principles, methodologies, processes, systems and training.
• Declining or terminating business relationships or transactions due to ML, TF, PF, sanctions and internal-lists risks.
• Performing ML, TF, PF, sanctions and internal-lists reporting.
• Performing AML, CFT, CPF, sanctions and internal-lists recordkeeping.
• Conducting AML, CFT, CPF, sanctions and internal-lists training awareness and communication.
• Performing AML, CFT, CPF and sanctions governance and oversight, including ensuring clear and defined roles and responsibilities regarding AML, CFT, CPF and sanctions.
• Registering accountable institutions.
• Performing AML, CFT, CPF, sanctions and internal-lists monitoring.
• Performing AML, CFT, CPF, sanctions and internal-lists management reporting.
• Preventing, detecting, monitoring and reporting confirmed, suspected, detected or prevented ML, TF, PF, sanctions or internal-lists breaches.
• Identifying and managing any business relationship or prospective business relationship or single transactions involving individuals, entities, countries, goods or activities targeted in financial sanctions legislation.
• Identifying and managing any business relationship or prospective business relationship or single transaction involving persons listed on the internal lists of IS6 Technologies.
• Performing competence and integrity screening of employees specifically to identify any employee relationships or prospective employee relationships involving persons listed in financial sanctions legislation or posing an increased ML, TF, PF, or sanctions risk.
• Identifying and managing any vendors and suppliers targeted in financial sanctions legislation.
• Conducting sanctions and internal-list screening.
• Conducting DNE list screening.
• Implementing principles in branches, subsidiaries, representative offices and other operations.

This policy:

• affects IS6 Technologies;
• applies to IS6 Technologies’ Branches meeting IS6 Technologies’ AML Policies at a minimum having considered the in country legislation;
• applies to employees, contractors, temporary employees, consultants, clients, shareholders, vendors, and outside agencies;
• applies to majority owned subsidiaries (where a subsidiary is not majority owned/controlled by IS6 Technologies, IS6 Technologies should exercise its rights to ensure that, so far as practicable, the principles and standards contained within this policy are complied with);
• applies to representative offices; and
• is to be read in conjunction with:
  • specific legislation for the jurisdiction in which a business unit/subsidiary/branch or representative office operates;
  • country-specific regulatory and supervisory rules, guidance notes, public compliance communications, directives and circulars, etc; and
  • RMCP.

Employees in breach of this policy will be dealt with in terms of IS6 Technologies disciplinary code and processes and may lead to criminal prosecution.

Creation of policies, principles methodologies, processes, systems and training

IS6 Technologies has introduced risk-based policies, principles, methodologies, processes, systems and training to ensure that it:

• meets regulatory requirements;
• meets agreed standards;
• manages and mitigates the risk of possible ML, TF, PF and sanctions breaches associated with business relationships and single transactions and cross-border transactions;
• manages and mitigates the risk of possible ML, TF, PF and sanctions breaches associated with employee relationships;
• manages and mitigates the risk of possible sanctions breaches; and
• manages and mitigates the risk associated with a person listed on an internal list or the DNE list.

Policies, principles, methodologies, processes, systems and training on risk-based AML, CFT, CPF, sanctions risk and internal-list management must be:

• developed;
• implemented;
• monitored; and
• continually reviewed and refined.

Establishment of a Risk Management and Compliance Programme

IS6 Technologies has established a RMCP to manage risks associated with ML, TF, PF and sanctions.

ML, TF, PF and Sanctions risk strategy

IS6 Technologies endeavours to proactively and reactively identify and assess ML, TF, PF and sanctions risks in order to identify possible risk mitigation and risk strategies to enhance its ML, TF, PF and sanctions risk management.

ML, TF, PF and Sanction risk appetite

IS6 Technologies will not knowingly engage in or allow:

• the facilitation of ML, TF, PF and sanctioned activities;
• the establishment or continuation of business relationships or conclusion of a Single Transaction with high-risk clients in the absence of EDD being conducted;
• the establishment or continuation of business relationships or concluding a Single Transaction with clients that would expose IS6 Technologies to reputational, operational and legal risks due to non-compliance with the policies or any regulation associated with the policies;
• clients who insist on anonymity or who provide fictitious names;
• clients who are oral trusts which have not been reduced to writing;
• clients who are Crypto asset Service Providers (CASPs) that are unregulated, i.e. CASPs that have not obtained a Financial Services Provider (FSP) license under the Financial Advisory and Intermediary Services (FAIS) Act, and have not registered with the Financial Intelligence Centre (FIC) as Accountable Institutions; or
• clients who are shell entities;
• the establishment or continuation of a business relationship with persons/entities designated under section 311 of the Patriot Act; or
• the establishment or continuation of a business relationship with a specified entity identified in a notice issued by the President of the Republic of South Africa, under section 25 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act 33 of 2004 (“POCDATARA”); and
• The establishment or continuation of a business relationship with a person or an entity identified pursuant to a resolution of the Security Council of the United Nations contemplated in a notice referred to in section 26A(1) of the Financial Intelligence Centre Act 38 of 2001, as amended (“the FIC Act”), unless such business relationship or transaction is a financial service or dealing of property permitted by the Minister in accordance with Section 26C(1) of the FICAA

IS6 Technologies recognises a breach of AML, CFT, CPF and Sanctions and risk appetite expressions could occur despite its best efforts. IS6 Technologies will at all times have risk mitigating and remediation plans in place to limit the chances of breaches from inadvertently occurring.

When establishing a business relationship or concluding a Single Transaction with a client, IS6 Technologies must apply appropriate CDD measures taking into account the regulatory requirements for CDD, as well as ML, TF, PF and Sanctions risk assessments.

Obtaining this information will facilitate the upfront risk profiling of prospective clients and the identification of suspicious or unusual activities and transactions.

IS6 Technologies must conduct ODD as required by the RMCP.

IS6 Technologies must conduct EDD on all clients who are deemed to be high-risk.

Agreed standards may require IS6 Technologies to consult other lists of entities and/or individuals.

IS6 Technologies must maintain principles and methodologies to ensure that prospective or existing business relationships or Single Transactions that do not appear to be legitimate are managed appropriately. This may result in the declining, terminating or reporting of a business relationship or Single Transaction or activity.

IS6 Technologies must establish and verify the identity of all clients in line with agreed standards.

A risk-based approach may be followed in line with guidelines from IS6 Technologies RMCP.

IS6 Technologies must not establish business relationships or conclude Single Transactions with clients, where such business relationship or Single Transaction is in contradiction with IS6 Technologies’ risk appetite.

IS6 Technologies is obliged to identify if a prospective or existing client, associated party or beneficial owner (where applicable):

• is a DPEP or FPEP;
• is an immediate family member of a DPEP or FPEP; or
• is a known close associate of a DPEP or FPEP;

to assess the ML, TF, PF and Sanctions risk introduced as a result of establishing or maintaining the business relationship.

IS6 Technologies will screen prospective clients, existing clients, associated parties, and beneficial owners (where applicable) against IS6 Technologies’ approved DPEP and FPEP lists prior to establishing a business relationship with the client and on an ongoing basis.

In addition, IS6 Technologies must screen all clients, associated parties and beneficial owners (where applicable) records on an ongoing basis and when any additions, amendments or deletions are made to IS6 Technologies’ approved DPEP and FPEP lists or identified party records.

IS6 Technologies will screen prospective and existing client records and cross-border transactions by comparing prospective and existing client information and/or cross-border transaction details against:

• IS6 Technologies ratified sanctions lists,
• identified internal lists, and
• the DNE list.

IS6 Technologies must, where required, refuse to establish a business relationship, continue with an existing business relationship or conclude a single transaction or a transaction in the course of a business relationship where a true positive match is identified in respect of:

• a specified entity identified in a notice issued by the President of the Republic of South Africa under section 25 of the Protection of Constitutional Democracy Against Terrorist and Related Activities Act, 33 of 2004 (POCDATARA);
• person or an entity identified pursuant to a resolution of the Security Council of the United Nations contemplated in a notice referred to in section 26A(1) of the Financial Intelligence Centre Act, 38 of 2001, as amended (the FIC Act),

unless that business relationship or transaction is a permitted financial service or permitted dealing of property.

IS6 Technologies must, where required, refuse to facilitate a transaction where a true positive match is identified in respect of an individual or entity or activity or good listed on a ratified sanctions list if that facilitation would be in breach of the applicable sanctions’ regime.

IS6 Technologies must, unless approved by the GRRC, refuse to establish a business relationship, or conclude a Single Transaction with an individual or entity listed on IS6 Technologies’ DNE List.

IS6 Technologies must, where required, escalate a transaction where a true positive match is identified in respect of an individual / entity / country / industry listed on an internal list where such facilitation would be in contravention of the applicable internal list requirements.

Reporting of individuals or entities identified on sanctions lists and internal lists

IS6 Technologies must report the true positive match of any client or cross-border transaction identified on any ratified sanctions / internal lists to the relevant internal reporting structures.

Declining or terminating business relationships or transactions

IS6 Technologies may decline or terminate business relationships or single transactions where the ML, TF, PF and/or sanctions risk presented by the client falls outside IS6 Technologies’ risk appetite.

Notifying a client

The decision to notify a client must be taken in accordance with the facts and circumstances of each case. As a basic principle, IS6 Technologies should seek to notify the client of a prohibition in relation to sanctions obligations as soon as practicable after the action has been taken.

Circumvention of Sanctions

IS6 Technologies must prohibit and detect attempts to circumvent sanctions.

Cash Threshold Reporting

IS6 Technologies must, within three (3) business days after becoming aware of the reportable transaction, report to the Financial Intelligence Centre (FIC) the prescribed particulars concerning a cash transaction within a 24-hour reporting period, concluded with a client if in terms of the transaction(s) an amount of cash in excess of the prescribed amount is paid by IS6 Technologies to the client, or to a person acting on behalf of the client, or to a person on whose behalf the client is acting, or received by IS6 Technologies from the client, or from a person acting on behalf of the client, or from a person on whose behalf the client is acting.

Reporting of individuals/entities identified on sanctions lists and/or any property associated with individuals/entities designated for terrorist activity or pursuant to a resolution of the Security Council of the United Nations contemplated in a notice referred to in Section 26A(1) of FICAA

IS6 Technologies must within five (5) business days after becoming aware of a reportable transaction report to the FIC the prescribed particulars concerning any property, which it has in its possession or under its control, which is owned or controlled by or on behalf of, or at the direction of:

• a specified entity identified in a notice issued by the President, under section 25 of POCDATARA; or
• a person or an entity identified pursuant to a resolution of the Security Council of the United Nations contemplated in a notice referred to in section 26A(1) of FICA.

Suspicious and Unusual Transaction or Activity Report and Terrorist Financing Transaction or Activity Report

IS6 Technologies is obliged to report knowledge or suspicion in relation to:

• a transaction or series of transactions; and
• activity, where no transaction is concluded

related to the proceeds of unlawful activity, ML, TF, PF or financial sanctions. IS6 Technologies is obliged to cooperate with the relevant authorities and release to them such information as required related to the proceeds of unlawful activity, ML, TF, PF or financial sanctions.

Period for reporting

IS6 Technologies must, as soon as possible but within 15 business days after becoming aware of the reportable transaction, report to the FIC the prescribed particulars concerning knowledge or suspicion in relation to:

• a transaction or series of transactions; and
• activity, where no transaction is concluded

related to the proceeds of unlawful activity, ML, TF, PF or financial sanctions.

Risk-based approach does not apply in case of suspicious and unusual transactions or activities

Irrespective of the risk-based approach applied to the establishment, and ODD, of a business relationship or conclusion of a Single Transaction, IS6 Technologies is not exempt from other relevant risk management obligations (e.g. suspicious activity reporting) in respect of those business relationships or Single Transactions.

International Electronic Funds Transfer Reporting

IS6 Technologies must report to the FIC all electronic transfers of funds in excess of R19 999.99 received from outside of the Republic or sent from the Republic.

Period for reporting

A report under section 31 of the FIC Act must be sent to the FIC as soon as possible but no later than three (3) business days after IS6 Technologies has become aware of the fact of an international funds transfer that has exceeded R19 999.99.

Inclusion of sanctions and proliferation finance obligations in credit agreements

IS6 Technologies will ensure that credit agreements make provision for the prohibition of clients making any of the finance provided by IS6 Technologies available to sanctioned individuals/entities or for the purposes of proliferation of weapons of mass destruction and sanctioned goods and/or activities.

US Citizens / Residents

Where IS6 Technologies employs a United States (“US”) citizen or resident in a senior decision-making position, caution needs to be applied. US citizens or residents must have no capacity to approve, facilitate or process payments or business relationships with any individual, entity or country on a US sanctions list. If they do, IS6 Technologies risks prosecution for a sanctions breach under the extra-territorial provisions of the United States of America (USA) Patriot Act.

Record-keeping

All CDD information and documentation, transactional information (including transaction monitoring, where applicable), client screening, external reporting and employee training records must be retained by IS6 Technologies.

All records of prospective clients, existing clients or cross-border transactions related to sanctions risk and internal list management must be retained by IS6 Technologies.

Training

IS6 Technologies must provide, and employees are obliged to undergo, appropriate ongoing training on AML, CFT, CPF and sanctions risk management.

Awareness and communication

Employees must be made aware of the contents of this policy, which includes communication regarding their responsibilities and actions expected of them.

Employees must be made aware of the contents of the relevant local policy for AML, CFT, CPF and Sanctions as implemented for their jurisdiction, which includes communication regarding their responsibilities and actions expected of them.

Roles and Responsibilities for AML, CFT, CPF and Sanctions

IS6 Technologies must clearly define ownership, accountability and responsibility across the three Lines of Defence pertaining to ML, TF, PF and Sanctions risk management.

Management reporting

Management reports must be produced to allow IS6 Technologies to actively and effectively monitor initiatives and risks relating to ML, TF, PF and Sanctions. These reports are to address the requirements of the various authorities and IS6 Technologies (Pty) Ltd structures.