CIH BANK GROUP POLICY

REGARDING THE FIGHT AGAINST MONEY LAUNDERING

AND THE FINANCING OF TERRORISM
January 2022
TABLE OF CONTENT

PREAMBLE
I- Objectives of the Group’s AML/CFT policy
II- Reminder of the legal and regulatory framework governing AML/CFT
III- Reminder of the legal definition of ML
IV- Reminder of the legal definition of FT
V- General AML/CFT principles
VI- General presentation of AML/CFT system
VII- Vigilance system
VIII- Procedures
IX- AML/CFT guide
X- Refusal and prohibition of entering into a relationship
XI- Customer acceptance rules
a) Entry into relationship of the General Management competence
b) Entry into relationship of the competence of the Compliance Division
c) Entry into relationship of other customer categories
XII- Know Your Customer (KYC) Rules
a) Case of foreign bank correspondents
b) Case of the private banks
c) Legal arrangements
d) occasional customers
XIII- Customer rating according to their ML/FT risk
XIV- Levels of vigilance
a) Reinforced vigilance
b) Simplified vigilance
c) Standard vigilance
XV- Operations monitoring system
a) Customer screening
b) Client profiling and transaction monitoring
c) Suspicious transaction report
XVI- Actors in the implementation of the AML/CFT policy
a) The administrative body
b) The management body
c) Compliance Division
d) The agency
e) The International Back Office
f) Private Management and the Dealing Room
g) CIH Bank Group Staff
XVII- AML/CFT Information System
XVIII- Review of customer files
XIX- Conservation and archiving
XX- Training and awareness
XXI- Auditability of the AML/CFT system
XXII - Reporting
XXIII- Group Vision
XXIV- Entry into force
PREAMBLE
Money laundering and terrorist financing are crimes that threaten economies regardless of their
level of development. They are all the more serious as their consequences are devastating, including
the spread of crimes, the endangerment of the legal sectors, the weakening of financial systems, the
deterioration of countries’ reputation, the loss of national and foreign investors’ confidence,
economic instability, with all that this entails as negative repercussions on the social and political
spheres.

Also, aware of these risks, Morocco, like other countries, has implemented mechanisms to protect
itself against money laundering and the financing of terrorism, within which banks assume a great
responsibility, given their important role in the economic life.

In this context, and to fulfill its obligations in this area, CIH Bank has set up a mechanism to combat
money laundering and the financing of terrorism (which we will designate in this document by the
acronym FML/FT), whose guidelines, in terms of objectives, fundamental principles, agents roles,
general organization and steering and control bodies, have been defined by the AML/FT policy,
approved by the Board of Directors on March 23, 2011.

The purpose of this document is to update this policy to take account of legal and regulatory
developments, as well as to allow for the lessons learned from the vigilance system since its
implementation in 2011. It is also based on the principles enacted by the policy of the Group of the
Caisse de Dépôt et de Gestion (CDG), parent company of CIH Bank.

Through this policy, the CIH Bank Group, in all its constituents, reiterates its unconditional and total
adherence to Moroccan regulations governing AML/CFT. As such, it undertakes to put in place the
appropriate measures to prevent and mitigate the related risks, while ensuring good collaboration
with the regulatory bodies and all of its partners in the marketplace.

The AML/CFT policy is an integral part of the overall governance system atht aims to provide the CIH
Bank Group with the systems that guarantee the harmonious reconciliation between the challenges
of growth and profitability on the one hand, and the imperatives of compliance with regulations and
good risk management on the other hand.

I. Objectives of the Group’s AML/CFT policy

The CIH Bank Group AML/CFT policy aims to:
• Present the principles governing AML/CFT within the CIH Bank Group;
• Translate these principles into operational systems for identifying, assessing and controlling
ML/FT risks, monitoring customers and risky transactions, declaring cases of strong suspicion
and reporting;
• Present the missions and attributions of the team in charge of steering the Group system as a
whole;
• Highlight the role of the various stakeholders in the AML/CFT process;
• Define the interactions between the entities forming the CIH Bank group in terms of
AML/CFT;
• Present the steering, monitoring and control bodies that ensure the proper functioning of the
system as a whole.

II. Reminder of the legal and regulatory framework governing AML/CFT

AML/CFT is governed by the following texts:

 • Law No. 03-03 relating to the fight against terrorism, of June 5, 2003;
• Law No. 43-05 relating to the fight against money laundering of May 3, 2007, as amended
and supplemented by subsequent texts;
• Circular of Bank Al-Maghrib (aka BAM) N°4/W/2014 relating to the internal control of credit
institutions;
• BAM Circular N° 5/W/2017 of July 24, 2017 relating to obligation of vigilance incumbent on
credit institutions;
• The decisions of the Financial Intelligence Processing Unit (aka UTRF).

The CIH Bank Group policy will take into account the legal and regulatory texts that modify,
supplement or replace the aforementioned texts.

III. Reminder of the legal definition of ML

• According to Article 1 of the aforementioned Law N° 43-05, incorporated into the Penal Code
under N° 574-1, “the following offenses constitute money laundering when committed
intentionally:
• The fact of acquiring, holding, using, converting, transferring or transporting goods or their
products with the aim of concealing or disguising the true nature or the illicit origin of these
goods, in the interest of the perpetrator or of a third party when they are the product of one of
the offenses provided for in article 574-2 below;
• The concealment or disguise of the true nature, origin, location, disposition, movement or
ownership of any property or rights thereto known to the author to be the proceeds of one of the
offenses provided for in article 574-2 below;
• The fact of helping any person involved in the perpetration of one of the offenses provided for
in article 574-2 below to escape the legal consequences of his acts;
• The fact of facilitating, by any means, the false justification of the origin of the goods or
products of the author of one of the offenses referred to in article 574-2 below, having procured
for the latter a direct or indirect benefit;
• The fact of assisting or giving advice in an operation of custody, investment, concealment,
conversion, transfer or transport of direct or indirect proceeds of one of the offenses provided for
in Article 574-2 below;
• The fact of attempting to commit the acts provided for in this article.»
According to Law 45-03, “The definition provided for in Article 574-1 above is applicable to the
following offences, even when committed outside Morocco:
• illicit trafficking of narcotics and psychotropic substances;
• human trafficking;
• immigrant trafficking;
• illicit trafficking of arms and ammunition;
• corruption, misappropriation, influence peddling and misappropriation of public and private
property;
• terrorism offences;
• the counterfeiting or falsification of currencies or public credit instruments or other means of
payment;
• membership in an organized gang, formed or established for the purpose of preparing or
committing one or more acts of terrorism;
• sexual exploitation;
• concealment of things resulting from a crime or misdemeanor;
• breach of trust;
• fraud;
• offenses affecting industrial property;
• infringements of copyright and neighboring rights;
• offenses against the environment;
 • intentional homicide, violence and intentional assault;
• kidnapping, forcible confinement and hostage taking;
• theft and extortion;
• smuggling;
• commodity and food fraud;
• forgery, the use of forgery and the usurpation or irregular use of functions, titles or names;
• hijacking, and damaging aircrafts or ships or any other means of transport, damaging air or
maritime navigation facilities and the destroying, damaging or deteriorating means of
communication;
• the fact of obtaining, as part of a profession or a function, privileged information by using it
to carry out or knowingly allow to carry out on the market one or more transactions;
• damaging automated data processing systems.

IV. Reminder of the legal definition of FT

According to article 2 of the aforementioned law N° 03-05, integrated into the Penal Code under N°
218-1, " the following offences constitute acts of terrorism, when they are intentionally committed in
relation to an individual or collective enterprise aimed at seriously undermining public order through
intimidation, terror or violence:
 intentional attack on people's lives or their integrity, or their freedoms, kidnapping or
sequestration of people;
 the counterfeiting or falsification of coins or public credit instruments, State seals and
hallmarks, stamps and marks, or the forgery or falsification referred to in articles 360, 361
and 362 of this code;
 destruction, degradation or deterioration;
 hijacking, damaging aircraft or ships or any other means of transport, damaging maritime
and land air navigation facilities and destroying, damaging or deteroying means of
communication;
 theft and extortion of property;
 the manufacture, possession, transport, distribution or illegal use of weapons, explosives or
ammunition;
 offenses relating to the automated data processing system;
 forgery or falsification of checks or any other means of payment covered respectively by
Articles 316 and 331 of the Commercial Code;
 participation in an association formed or an agreement established for the preparation or
perpetration of one of the acts of terrorism;
 knowingly receiving the proceeds of a terrorism offence; »

The following acts are considered terrorist financing acts when committed intentionally and
knowingly:
- The fact of deliberately providing, collecting or managing by any means whatsoever,
directly or indirectly, funds or goods, even lawful, with the intention of seeing them used
or knowing that they will be used, in whole in part, with a view to committing one or
more acts of terrorism by one or more persons, an organization or an organized gang;
- The fact that one or more persons, an organization or an organized gang uses funds to
commit one or more acts of terrorism;
- The fact of providing assistance or giving advice for this purpose;
- The fact of attempting to commit the aforementioned acts.

V. General AML/CFT Principles

  Beyond the legal obligation and the risks of legal, financial, image or reputational sanctions,
the CIH Bank Group considers AML/CFT as an orientation with a view to developing business
in a healthy and transparent climate;
 This orientation is certainly based on this policy but it is translated operationally through the
systems put in place and the behavior of all the components of the CIH Bank Group;
 Indeed, AML/CFT is everyone's business. The establishment of an entity within the
Compliance Division to take charge of the obligation of vigilance does exempt any of the
Group’s managers or employees from the responsibility of monitoring and the duty to warn
in the event of strong suspicion related to the behavior of a customer;
 Compliance staff in charge of AML/CFT carry out their mission under conditions ensuring
their independence of judgment and their ability to obtain the agreement of the General
Management body in the event of a declaration of suspicion to the UTRF ;
 The General Management guarantees, to the entities involved in AML/CFT, the allocation of
human, material and informational resources necessary for the accomplishment of their
missions in the best efficiency conditions.

VI. General presentation of the AML/CFT system

The CIH BANK Group's AML/CFT system can be schematized as follows:

The plicy

vigilance surveilliance systm AML/CFT

procedures of customers and information
approach ransactions system
- VII. Vigilance approach
The CIH Bank Group's AML/CFT system is based on a risk-based approach. In this context, a mapping
of ML/FT risks is drawn up and updated regularly to keep in line with changes in regulations and the
group's activities.
An assessment ML/FT risk is carried out at least one a year, taking into account categories of
customers, products, services, operations, geographical areas and distribution channels.

To implement this approach, the Group takes measures to prevent and mitigate the risks to which it
is exposed.

Also, in order allocate resources efficiently, three vigilance levels have been put in place:

 Reinforced vigilance in the event of high risks;

 Standard vigilance in the event of ordinary risks;
 Simplified vigilance in the event of low risks.

The level of vigilance gives rise to differentiations in terms of:

 Customer acceptance rules;

 Formalities for entering into a relationship;
 Customer and transaction monitoring system;
 File review rules.
Given its importance, the risk-based approach is therefore the cornerstone of the overall AML/CFT
system.

VIII. Procedures

Translating the ML/FT risk-based approach into operational terms, the group's procedures cover at
least the following areas:
 Customer acceptance rules;
 Identification and knowledge of customers and actual beneficiaries;
 The rules for filtering customers, principals, actual beneficiaries of transactions, in relation to
the lists of authorized international bodies;
 Monitoring and surveillance of transactions;
 Reporting suspicious transactions to the UTRF;
 The rules for keeping files and supporting documents for transactions;
 Raising awareness and training of the Group’s personnel in terms of ML/FT risks.

IX. AML/CFT MANUAL

The bank draws up and updates an AML/CFT guide bringing together the procedural and
documentary corpus relating to the vigilance obligation system and describing the:

 Regulatory framework of the AML/CFT system

 General AML/CFT principles
 Organization of the system
 Vigilance approach (Risk-based approach)
 AML/CFT system (EER rules, Customer classification by risk level, Monitoring of transactions,
document conservation, training and awareness raising)
 Agents of the system (Financial Security, Agency, BOI)
 System IT solutions (Filtering tool, Profiling tool)
 Description of tools (Scoring rules & Detection scenarios)
 the AML/CFT procedural corpus

X. Refusal and prohibition of entering into a relationship

In accordance with the regulations, the CIH Bank Group refuses and declines entering into a
relationship when:

 The bank is unable to validly identify the customer;

 The bank is unable to identify the exact activity of the customer and to obtain information on
the purpose of entering into the relationship;
 The bank finds serious negative information about the customer (judicial prohibition, ruling
for ML/FT, etc.);
 The bank prohibits the opening of anonymous accounts or accounts under fictitious names;
 The bank prohibits the opening of numbered accounts.
 The bank prohibits carrying out correspondent banking relationships with shell banks.
The CIH Bank Group may refuse to enter into a relationship for any other reasons that it deems
highly risky.

XI. Client Acceptance Rules

a) Entry into relations within the competence of General Management
 The entry into a relationship with the following categories of customers is subject to the prior
agreement of the General Management:
• Politically exposed figures defined by the regulations as all Moroccan or foreign persons
exercising or having exercised for less than a year public service (political, jurisdictional or
administrative) of high rank in Morocco or abroad, or an important position within or on
behalf of an international organization, in addition to the members of their family or the
persons known to be closely associated with them, whether they are of Moroccan or foreign
nationality;

• Foreign correspondent banks.

All other categories of customers may be subject to the prior agreement of the General Management
if the latter deems it necessary.

Similarly, the General Management may delegate to the DGAs in charge of banks (Personal and
Professional Banking, Real Estate Banking, Corporate Banking and Financing and Investment Banking)
the power to enter into relations with these categories of customers. It is incumbent on these
managers to inform it a posteriori.

b) Entry into relations within the competence of the Compliance Division

The entry into relations with the following categories of customers is subject to the prior agreement
of the Compliance Department:
• Non-resident foreign customers;
• Non-profit organizations (associations, cooperatives, economic interest groups, foundations,
etc.);
• Legal entities including trusts or any equivalent legal structures as well as offshore companies.
• Agents of payment establishments, money transfer companies, exchange offices.

In addition, the assessment of the AML/CFT aspect of foreign correspondent banks falls within the
competence of the Compliance Department, which issues its opinion thereon before entering into a
relationship with these intermediaries.

All other categories of customers may be subject to the prior agreement of the Compliance Division if
General Management so decides.

The decision of the Compliance Division relates to the ML/FT aspect only. The other areas, in
particular the business opportunities, are the responsibility of the sales managers (Private and
Professional Banking, Real Estate Banking and Corporate Banking).

c) Entry into relationship with other categories of customers

All categories that do not require the agreement of the General Management or the Compliance
Division fall within the competence of banks (Individuals and Professionals Banking, Real Estate
Banking and Corporate Banking), subject to compliance with the applicable rules of jurisdiction and
procedures.
Know your customers (KYC) is the first obligation when entering into a relationship. It is an essential
step insofar as it impacts the assessment of the ML/FT risk relating to the customer in question and,
consequently, the system for monitoring their transactions.

Also, before entering into a relationship, it is essential to collect and analyze all the information
allowing:
• to identify the applicant for opening an account;
• to identify the agent, persons benefiting from a power of attorney given by the applicant for
opening an account;
• to Identify the main shareholders;
• to identify the actual beneficiary defined by the regulations as any natural person who
ultimately exercises control over the customer and/or any natural person on whose behalf a
transaction is executed or an activity is carried out. Pursuant to this definition, and when the
client is a legal person incorporated in the form of a company, the regulations consider that the
actual beneficiary is the natural person who:
✔ holds, directly or indirectly, more than 25% of the company's capital or voting rights;
✔ or exercises, by any other means, effective control over the management, direction or
administrative bodies of the company or over the general shareholders assembly;
✔ the identification of the actual beneficiary is carried out, in accordance with the ordinance N°
2/W/2019, according to the two approaches (numerical approach or legal approach).

• To identify the occasional customer defined by the regulations as any person who:
✔ Performs a specific transaction with the CIH Bank, whether it is carried out in a single
transaction or in several transaction appearing to be related;
✔ Does not regularly use the services of the CIH Bank Group;

• To identify the business relationship defined by the regulations as any person who enters into a
relationship with the bank which is supposed, at the time the relationship is established, to be
long-term.

In compliance with the regulations, passing customers regularly carrying out several transactions
at the bank's counters are called upon to be converted into a business relationship.

The number of operations will be limited for passing customers during the same calendar year.
Beyond that, the latter must be created as a customer of the bank, involving an EER and the KYC
signature according to the procedure in force for the Entry into Relationship.

Knowing the client (applicant for opening the account, actual beneficiary, occasional client or
business relationship) consists of:
• Know the identity of these persons;
• Assess their professional, economic and financial situation, as well as the motivation for entering
into a relationship with the CIH Bank Group.
Know your customer (KYC) is done according to the rules and procedures in force.

a) Case of foreign correspondent banks

As stipulated above, entering into relations with foreign correspondent banks is the responsibility of
the General Management, which can delegate to the DGA in charge of the banks (Banks for
Individuals and Professionals, Real Estate Banks, Corporate Banks and Financing and Investment
Bank) the power to enter into a relationship with these categories of clients. It in incumbent on these
managers to inform it a posteriori.
The CIH Bank Group refuses to enter into a relationship in the event of:

• Serious negative information about the banking institution (legal prohibition, membership of a
blacklist, involvement or suspicion of ML/FT, etc.);
• A bank not subject to AML/CFT regulations at least equivalent to those applicable in Morocco;
• A bank incorporated in a state or territory where it has no physical presence (shell bank);
• Bank authorizing “transit accounts” which allow third parties to directly use the accounts of
correspondent banks or carry out transactions for their own account. However, this prohibition
 is lifted, on the basis of an authorization from the General Management or an authorized official,
provided that the said foreign correspondent:
✔ Has taken adequate due diligence measures with regard to customers who have direct access
to said Accounts.
✔ is able to provide, on first request, useful information on due diligence measures with regard
to said customers.

Similarly, the International Department ensures compliance with the procedure, mainly:

• Ensuring the completeness and authenticity of the documents constituting the foreign
correspondent banking files and foreign financial intermediaries;
• Ensuring an annual review of the files of foreign correspondent banks and foreign financial
intermediaries.

b) Case of private bank

Entering into a relationship with private banking clients must comply with enhanced vigilance
measures due to the complexity of the financial arrangements, the diversity of their sources of
income and the amounts at stake.

The measures of due diligence that the Private management must take are as follows:

• The elements of knowledge must be thorough, precise and recorded in the interview report. ;
• Identification of the actual beneficiary of the account;
• Collect information on the origin of the funds, the activity and the income of the client;
• Collect supporting documents;
• Ensure compliance with customer acceptance rules.

c) Legal arrangements:

The legal arrangement (trust), represents any company that does not have a classic legal form (Ltd.,
etc.) and which is generally under foreign law. The legal construction involves the exercise of control
by the "trustee" (agent) for the benefit of one or more beneficiaries under a trust agreement
(mandate) between the trustee (agent) and the principal (founder).

To comply with BAM ordinance N° 2/W/2019, the bank must understand the transaction of the legal
arrangement (Trust) by identifying the structure of the latter as well as the actual beneficiaries in
accordance with the procedure.

The validation of the entry into relationship with the legal organization is the responsibility of the
Compliance Department.

d) Occasional customers
• Subject to know-your-customer (KYC) rules, occasional customers benefit on a regular basis
from the intervention of the Bank for the performance of several transactions or a transaction of
a continuous nature. These customers will be considered as a business relationship.

The Bank defines, at the level of its internal procedures, operationally, the criteria according to the
characteristics of its activity, its customers and the nature of the products or services offered, in
order to distinguish between customers qualified as business relations from the occasional ones.

XIII. Customer rating according to their BC/FT risk

In application of the risk-based approach, customers are rated according to their degree of BC/FT risk
at the beginning of the relationship, as well as during the banking relationship with the CIH Bank
Group.

This rating is based on the following criteria:

• Customer data (customer activity, legal form, customer age, country of nationality, birth and
residence, length of existence of the legal entity, length of relationship with the bank, mail
domiciled in a PO box, direct debit address to others, return mail, PEP customer, etc.);
• Products and services used by the client (products promoting anonymity, online accounts,
private management, market activities, savings and investment products, etc.);
 Account behavior (transactions in dirhams or foreign currencies, amounts, frequencies, etc.);
• Geographical information (ML/FT havens, corrupt countries, countries under embargo, non-
cooperative countries, etc.);
• Distribution channel (agency, ATM, internet, call-center, etc.).

Scoring on the basis of this grid makes it possible to break down customers into three categories:
 High-risk customers;
• Medium risk customers;
• Low risk customers.

This rating determines the level of vigilance to be put in place to prevent and mitigate ML/FT risk.

It should be noted that since the Risk rating is dynamic (updated during the life of the relationship
with the CIH Bank Group), the level of vigilance is adapted accordingly.

XIV. Vigilance levels

 The CIH Bank Group's AML/CFT system includes three levels of vigilance:

a) Enhanced vigilance

Enhanced due diligence applies to the following cases:

• Customers belonging, by their rating, to high-risk categories, regardless of their status and
activities;
• Politically Exposed figures;
• Non-resident foreigners;
• Residents of ML/FT risk countries or countries not cooperating with the FATF;
• Foreign correspondent banks;
• Non-profit organizations;
• Money transfer companies;
• Exchange offices;
• Accounts opened remotely;
• Intermediaries in real estate transactions;
• Casinos;
• Newly incorporated companies;
• Customers whose mail is domiciled with a third party, in a post office box, at the bank's
counters;
• Customers whose address changes frequently;
• Legal arrangements or trusts.
Enhanced vigilance results in:
• Strict rules for entering into a relationship;
• Specific transaction monitoring rules (low thresholds, low transaction frequency, etc.);
• Strict file review rules (shorter frequency than standard or simplified due diligence).

b) Simplified vigilance

Simplified due diligence applies to the following cases:

• Customers belonging, by their rating, to low-risk categories;

• Companies making public calls for savings;
• Credit institutions and similar bodies;
• Insurance and reinsurance companies;
• Social insurance organizations;
• Brokerage companies;
• Holders of securities accounts;
• Management companies of UCITS, OPCRs, securitization collective investment funds;
• SICAVs;
• Public bodies.

However, if an index shows unusual or suspicious behavior, the customer in question is subject to
enhanced vigilance.

c) Standard vigilance

Standard due diligence applies to customers who are not subject to enhanced due diligence or
simplified due diligence.

XV. Operations monitoring system

The operations monitoring system has two components:

• Vetting of customers and transactions;
• Client profiling and transaction monitoring.

a) Customer screening

Filtering makes it possible to ensure that customers entering into a relationship with the bank as well
as those concerned by the transactions do not appear on the international sanctions lists.

The filtering is ensured by a dedicated tool, and is carried out on the basis of the United Nations
sanctions lists, Ofac and the European list.

For customers, screening is carried out at the beginning of the relationship, followed by regular
updates to the screening lists.
Customers, agents, actual beneficiaries and occasional customers are subject to screening.

Customer screening is also carried out on the basis of PEP lists.

Any transaction in which the originator or beneficiary is a person appearing on an official sanction list
or is subject to a freezing measure must be blocked.

b) Client profiling and transaction monitoring

Profiling is based on “risk views” which correspond to “money laundering or terrorist financing
scenarios”. Through criteria, they identify suspicious behavior that the bank wishes to identify on
transactions, third parties or accounts (increase in account activity, high accumulation of cash,
deposit of cash transferred abroad, awakening of account, threshold exceeded for new account, high
frequency of transactions, excessive number of accounts, etc.).

The objective is to monitor and analyze transactions so as to identify any abnormal behavior of the
account compared to the usual profile of the customer.

All transactions are analyzed through these "risk views", so that if one or more transactions meet the
detection criteria and rules, an warning is generated.

The detection thresholds are set according to the type of customer (individual, professional or legal
entity) and its level of risk defined from the score calculated by the tool.

c) Suspicious transaction report

In the event of strong suspicion, the customers and the transactions in question are declared by the
Compliance Department, after agreement from General Management, to the Financial Intelligence
Processing Unit (UTRF), according to the protocol adopted by the latter.

The declaration is subject to reporting to the bank's authorities.

XIV. Actors in the implementation of the AML/CFT policy

As we said above, AML/CFT is everyone's business. The distribution of responsibilities is as follows:

a) The administrative body

The Board of Directors and the Committees under it have the following missions:

• Approve the AML/CFT policy drawn up by the management body;

• Ensure the implementation of the AML/CFT vigilance system;
• Ensure the adequacy of the resources allocated to the AML/CFT system;
• Analyzing the reports on AML/CFT activities, produced by the management body;
• carry out, if necessary, audit missions on AML/CFT;
• monitor the regularization of malfunctions relating to AML/CFT systems, identified by the
internal and external control functions;
• Ensure the dissemination of the culture of vigilance within the CIH Bank Group.

b) The management body:

The General Management of the CIH Bank Group is responsible for:

• developing the AML/CFT policy and submiting it for the approval of the administrative body;
• implementing the AML/CFT system, as described by the policy and approved by the
Administrative Body;
• setting up the entity in charge of AML/CFT;
• Allocating to the functions involved in AML/CFT the means necessary for the accomplishment of
their missions;
• ensuring the proper functioning of the AML/CFT system;
• deciding or delegating the powers in terms of entering into a relationship with customers falling
within its scope;
• making decisions on declaration proposals made by the Compliance dvision;
• setting up Committees in charge of AML/CFT;
• ordering audit and control missions of the AML/CFT system and following up on the
regularization of any malfunctions;
• Reporting to the Administrative Body on AML/CFT;
• Ensuring the dissemination of the culture of vigilance within the CIH Bank Group.

c) The Compliance division:

The Compliance Department has the following missions:

• To contribute to the development of the AML/CFT policy;
• To Ensure regulatory monitoring in terms of AML/CFT;
• To establish and update the ML/FT risk map;
• To take charge of work related to AML/CFT, in accordance with this policy;
• To Process LAB warnings generated by the profiling tool;
• To process warnings on filtered Swift messages (Transfers and repatriations);
• To Ensure periodic reporting on cases of Swift messages that have been the subject of warning;
• To ensure the control of processed warnings;
• To submit suspicious transaction reports to the UTRF, after approval by General Management;
• To steer the committee in charge of AML/CFT;
• To apply the decisions issued by internal and external bodies with regard to AML/CFT;
• To play the role of interlocutor vis-à-vis external regulators with regard to AML/CFT (BAM, UTRF,
etc.);
• To be a source of proposals in terms of AML/CFT;
• To assume the duty of warning in terms of AML/CFT;
• To ensure reporting to the hierarchical and governance bodies on activities related to AML/CFT;
• To promote awareness and provide assistance and advice to CIH Bank Group entities in terms of
AML/CFT;
• To oarticipate in the dissemination of the culture of vigilance within the CIH Bank Group. d) The
agency

d) Branches

Branches have the duty of vigilance with regard to the behavior of their client and the transactions of
their accounts. They may find suspicious cases of money laundering or unsatisfactory justification of
transactions. They are required to inform the compliance division.

It is required to diligently provide the Compliance division with all relevant information on
customers, the subject of the request for information.

It is also required to make a spontaneous declaration of compliance of any behavior deemed

suspicious by the client, even when the relationship has not been concluded.

e) The International Back Office

The International Back-Office has the following missions:

 To manage the relationship with correspondents (or issuing banks) for cases of Swift messages
that have generated warning in the tool;
 To ensure regular follow-up of requests from the compliance division with regard to the
processing of AML/CFT warnings;
 To ensure the exchange of information on the processing of warnings with foreign
correspondent banks;
 To ensure the exchange of information on warnings concerning transactions issued and received
by similar banks via our bank.

f) Private Management and the Dealing Room

Given the sensitivity of their activities, conducive to ML/FT, Private Management and the Trading
Room have the following missions:
 To know the customers well and to complete the formalities for entering into a relationship in
accordance with the regulations and procedures in force;
 To demonstrate heightened vigilance with regard to high-risk customer categories;
 To Identify for each transaction the origin of the funds, the originator, the economic justification
and the actual beneficiary;
 To ensure, on the basis of documentary evidence, the legal origin of the funds to be invested;
 To assess whether the transactions requested by its client are in line with his assets, his
investment horizon and the type of risk he can bear;
 To refrain from carrying out any transaction that is unusual, complex or has no economic
justification;
 To inform the Compliance division, as part of the duty to warn of any suspicious customer or
transaction;
 To regularly update client files in their portfolio.

g) CIH Bank Group Staff

CIH Bank Group personnel have the obligation to:

 To become aware of their due diligence obligations;
 To process transactions in accordance with the procedures in force, in particular those relating
to AML/CFT;
 To inform the Compliance division of any suspicious behavior on the part of their colleagues or
their clients, as part of the duty to warn.

XVII. AML/CFT information system

To comply with BAM ordinance N° 5/W/2017, relating to the obligation of vigilance in credit
institutions, our bank has acquired LAB software for monitoring customer transactions and for
filtering through international blacklists.

 Filter solution

The filtering tool makes it possible to ensure that customers entering into a relationship with the
bank as well as those concerned by Swift transfer and repatriation operations do not appear on the
international sanctions lists. This IT solution includes two modules:
✔ Firco Multilist Manager (FMM): for the management of lists (Correction and updating of lists
before implementation by the information Systems Department);
✔ FOFA: for decision making on warnings generated by the filter on Swift messages.

The bank has opted for international lists in terms of filtering (UN, OFAC, European lists of
FACTIVA / DowJones) these lists also include PEPs (politically exposed persons)

 AML Solution
The bank has opted for a profiling tool to:
✔ Trace the client's profile on the basis of the nature of the activity carried out, the transactions
carried out and the history of the account;
✔ Detect movements of capital issued or received by our bank's customers presenting a risk of
money laundering;
✔ Monitor and analyze operations in order to identify any abnormal behavior of the account
compared to the usual profile of the client.

XVIII. Review of customer files

The updating of client files must be carried out regularly by the portfolio manager on the occasion of
each change in administrative data.

The frequency of reviewing customer files should be based on the level of customer risk.

Concerning the files of high-risk customers (associations, money transfer companies, exchange
offices, gambling companies and casinos, real estate developer, financial intermediaries, etc.) data
must be updated on an annual basis.

The private banking client files are to be reviewed every two years;

The files of the customers considered as at normal risk, the frequency of updating must be 3 years.

XIX. Preservation and archiving

The retention period for customer files is 10 years after the termination of the relationship and the
closing of the accounts, as for the supporting documents for the transactions, they are archived for
10 years after the date of their execution.

The bank’s information system makes it possible to reconstruct customer transactions.

XX. Training and awareness raising

The training of bank employees is a regulatory obligation which is provided for in several forms:
 Training of all new staff;
 Training during redeployment cycles;
 Training via a training kit;
 Interactive E-Learning training on due diligence.

XXI. Auditability of the AML/CFT system

The AML/CFT system comes under the control of the Audit and General Inspection Division.
The recommendations of this entity, after validation by the Compliance Department, are followed by
the bank's authorities.

XXII. Reporting

The AML/FT system is subject to periodic control assessment.

Also, the compliance division regularly reports on AML/CFT activity to the General Management
within the framework of following committees:
 Compliance Committee;
 Internal Control Committee;
 Audit Committee;

Reporting is also planned for the regulator.

XXIII. Group Vision

This policy is intended to apply to CIH Bank, as a legal structure subject to AML/CFT regulations, and
to the financial entities controlled by CIH Bank.

Each entity controlled by CIH Bank is called upon to adapt this policy to its context and its activities,
aware that the application and compliance with AML/CFT regulations are the legal responsibility of
the corporate officers of each Group entity.

CIH Bank, as parent company, is however required to:

 To appoint the group-wide AML/CFT manager, responsible for defining and coordinating a single
strategy and evaluating its implementation in Morocco and abroad;
 To ensure the establishment of the consolidated mapping of ML/FT risks at the group level;
 To ensure that AML/CFT risk assessments carried out by group entities comply with the group-
wide assessment policy;
 To implement policies and procedures in accordance with the regulations governing professional
secrecy and the protection of personal data,:

✔ sharing information required for the purposes of due diligence relating to ML/FT risk
management;
✔ the provision, within a reasonable time, by the entities of the Group, of information relating
to customers, accounts and transactions, when necessary for the purposes of the obligation of
vigilance;
 To collect, in a timely manner, from these entities information relating, in particular to
common customers (including related or affiliated parties) who present a high risk;
 Coordinate the monitoring of correspondent bank relationships entered into within the
group, and ensure that the appropriate mechanisms for sharing information are in place
within the group in this regard.

XXIV. Entry into force:

This policy repeals and replaces the current policy.

It comes into force as soon as it is approved by the bank's authorities (General Management, Board
of Directors through the Audit Committee).