The By-Law for Customer Identification and Verification (CDD) In the Capital Market
The By-Law for
Customer Identification and Verification (CDD)
In the Capital Market
In order to combat the money laundering (AML) activity and counter the financing of terrorism (CFT) and also to prepare the grounds required for implementation of paragraph A of article 7 of the Anti-Money Laundering Act (ratified on January 22, 2008 by the Parliament (Islamic Consultative Assembly) and chapter two of the executive By-Law of the Anti-Money Laundering Act subject of the directive No. K43182 T/181434 dated Dec. 5, 2009 approved by the ministers of the working group members charged with adopting the by-laws relevant to Anti-Money Laundering Act, the existing instrument entitled “the By-Law for Customer Identification and Verification in the Capital Market” is notified with the provisions set out below:
Article 1- In addition to the definitions provided in article 1 of the Securities Market Act of I.R.I ratified in November 2005 by the Parliament (Islamic Consultative Assembly), the terms and phrases used herein shall apply for the following purposes:
1-1- Act means the Anti-Money Laundering (AML) Act passed on January 22, 2008.
1-2- By-Law means the executive by-law of the Anti-Money Laundering Act approved on December 5, 2009 and the subsequent amendments thereof.
1-3- Organization means the Securities and Exchange Organization (SEO).
1-4- Council means the Anti-Money Laundering Supreme Council.
1-5- Secretariat means the secretariat of the Anti-Money Laundering Supreme Council.
1-6- Financial Intelligence Unit (FIU) means a centralized and independent unit which has responsibility to receive, analyze and refer the reports on suspicious transactions to the appropriate authorities (as described in article 38 of the by-law).
1-7- The SEO’s Anti-Money Laundering Unit means a unit based at the SEO’s premises which, as a unit charged with combat against money-laundering, shall be entrusted with the functions set out in articles 18 and 19 of the by-law.
1-8- Regulated institutions/entities means exchanges, OTC markets, associations, Central Securities Depository and Settlement Company and financial institutions as defined in the Securities Market Act that have been duly licensed by the Securities and Exchange High Council or by the SEO and their operations are regulated by the Organization.
Note - The securities issuers that are required to provide any type of services to their customers in connection with the securities fall into the category of the regulated/controlled entities/institutions.
1-9- Base services means the services which are, as per the rules, considered to be pre-requisite and requisite for providing other services in the capital market and whereby such service provision to customers will encourage them to contact the capital market to benefit from the frequent and continuous trend of services. Obtaining of the trading code shall be deemed as base service in the capital market.
1-10- Trading code means a unique identifier that each person is obligated to obtain so as to use it for the entry of securities ownership, financial transactions or the commodity traded in the capital market.
1-11- Customer’s information file means the information and data which are collected or completed by the regulated entities about the customer at the time of his verification and identification process and in the course of his activity.
1-12- Customer/Client means a natural or legal person that applies to one of the regulated entities so as to benefit from the services rendered by such entity.
1-13- Customer’s/Client’s identification/ (CDD) means the verification and confirmation of the customer’s identity on the strength of the information and evidence as well as independent, authentic and reliable data. The customer’s identification process shall fall into two the categories of “initial identification” and “full identification”.
1-13-1- Initial identification means the matching and entering of the particulars declared by the customer by producing his identification records and, if an act is done by the attorney or agent, the entering of the beneficial owner’s particulars in addition to those of the attorney or the agent.
1-13-2- full identification means the precise identification of the customer at the time of providing base services as described in the existing by-law.
1-14- KYC’s identity system (know your customer-KYC’s system) means a system at the Ministry of Economic Affairs and Finance which shall facilitate the reply to the inquires made by the regulated institutions on the identification proof of different persons and their addresses via the connection to the appropriate databases (such as those of the State Organization for Personal Status Registration, State Organization for Real Estates and Deeds Registration, Post Company, Tax Affairs Organization).
1-15- Credit Institutions means banks (including Iranian banks as well as branches and agencies of foreign banks based in the I.R.I.), non-banking credit institutions, credit cooperatives and interest-free loan funds (Gharzolhassaneh (a benevolent loan free from usury or Riba), which have been licensed by the Central Bank of I.R.I. to perform their operations.
Article 2- Financial and commodity transactions in the capital market shall be dependent on having a trading code by the customer. Each customer must only have one unique trading code.
Article 3- Prior to the base service provision, it shall be necessary to take measures for the full identification of the customer.
Article 4- The customer’s identification and verification process shall fall into the two categories of “initial identification” and “full identification” in respect of the type of service requested by him/it.
4-1- Initial Identification: the regulated institutions shall have to take measures for the customer’s initial identification– as described in the present by-law – when providing services to him/it and shall enter the relevant information in the databases and in the customer’s information file.
4-1-1- Initial identification of natural persons:
The information required for this purpose includes: name and surname, national code, date of birth, father’s name, address in full, zip (postal) code, place of residence and telephone number.
After the information has been received from the customer, the regulated institutions shall have to verify such information with the data contained in his national card.
Note 1- With respect to the incapacited person, it will be necessary to receive the foregoing information about his guardian(s) or trustee in addition to the information obtained about the incapacited person himself.
Note 2- When the on-line connection of the regulated entities (direct or indirect) to the State Organization of Civil Status Registration is possible for checking the particulars or data stated by the customer with the contents of the photo-affixed birth certificates or driving licenses or valid passports, the customer’s initial identification via such documents shall meet no impediment.
Note 3- In the circumstances that there is any erasure or ambiguity as to the authenticity of the identification records delivered by the customer, the officers in charge of initial identification at the regulated entities shall have to take proper action to remove ambiguity and verify the customer’s records through search in other relevant databases, receipt of valid documents (as indicated in the existing rules) and/or by inquiries from the authorities concerned. When such ambiguity cannot be lifted, it will deem necessary to report the matter to the SEO’s anti-money laundering unit.
Note 4- When there is a certainty that the given data are untrue or forged, the regulated institutions shall have to promptly report the matter to the SEO’s anti-money laundering unit on the same business day so as to prevent the continuation of service provision.
4-1-2- Initial identification of legal persons/entities:
The initial identification of a legal entity shall be implemented on the basis of the national code and zip (postal) code of the legal person’s domicile (as stated in the by-law requiring the use of national code of legal entities)
Note – If a customer’s data and particulars are available in the databases, the checking of such data with the valid identification documents in the course of initial identification shall not suffice.
4-2- Full Identification: In addition to the customer’s initial identification, the regulated institutions shall have to take action for his/its full identification when providing the base services to him/its.
4-2-1- Full Identification of Natural Persons: for the full identification of natural persons, the regulated institutions shall, in addition to the customer’s initial identification, be obligated to receive the information and evidence required for the customer’s full identification and assessment of his anticipated level of activity and enter them in the customer’s information file. Full identification of a natural person shall be performed through the receipt of data printed in the national card and inquiries from the database of the Civil Status Registry. Assessment of the customer’s anticipated level of activity and his information file records should have been arranged in a manner to allow consideration of the identifying data and transactional reports which may be inconsistent with the level of the assessed activity.
Note 1- Full identification of the natural person introduced by a legal person shall be accomplished in accordance with the criteria and standards prescribed for natural persons.
Note 2- The records and evidence required for assessing the customer’s level of activity shall have to meet the requirements set out by the SEO.
4-2-2- Full identification of legal persons/entities:
When the base services are being provided to legal persons, the regulated entities shall, in addition to initial identification, be obligated to receive the information and evidence required for the customer’s full identification and assessment of its anticipated level of activity and enter them in the customer’s identification records. Assessment of the customer’s anticipated level of activity and its identification file records should have been arranged in a manner to allow consideration of the identifying data and transactional reports which may be inconsistent with the level of the assessed activity. The information and evidence required for the full identification of legal persons are set out below:
1. type, nature, scope and track records of the legal entity;
2. the particulars of the individual and individuals who have the right to withdraw funds from the legal person’s accounts (name and surname, national code, father’s name, date and birth, address and zip/postal code) and their positions (along with their authorized signature specimen);
3. names, particulars, addresses, and zip/postal codes of the places of residence of the board members, executive board/managing director, independent auditor/auditors, legal inspector/inspectors as well as the shareholders/partners that hold over ten (10%) percent of shares (capital) of the legal entity (as regards the legal entities such as non-profit organizations, foundations and …, the particulars, data, addresses and zip/postal codes of their founders or board of trustees and similar bodies)
4. main places of business, addresses, zip/postal codes of the head offices (domiciles), telephone numbers and their fax numbers, names of authorized signatories and their signature specimen and the data and, information relating to the formal financial instruments and papers and the correspondence relating to the term and scope of the powers delegated to the board of the directors and the managing director and/or those of the similar bodies of the entity on accounts;
5. furnishing obligations by directors and authorized signatories indicating that they have already submitted the latest information and documents relevant to the legal person and that they undertake to promptly report to the regulated institutions any changes in the foregoing particulars;
6. information about the bank accounts with credit institutions which have been opened for engagement in the capital market;
7. information and evidence relevant to the rating of the company by the appropriate authorities;
Note – The criteria and standards relevant to the identification of foreign customers shall be in compliance with the guidelines governing the identification of foreign customers in the capital market.
Article 5- Documentation of the customer’s zip/postal code during the course of initial identification shall be performed by the matching of the postal code declared by the customer with the postal code printed on the back of the national card. To achieve this goal, it shall deem necessary that, if possible, the postal code indicated by the customer be matched with the information available in the country’s postal code database via the KYC’s system.
Article 6- The regulated institutions shall have to match the information and data obtained from customers with the contents of the valid identification records and to gain assurance about their accuracy.
a) The only valid identification documents used to identify natural persons shall be national cards.
b) The valid identification documents for legal persons include:
1. the proof of the company registration;
2. letter of declaration;
3. articles of incorporation/partnership;
4. articles of association/constitution;
5. state Gazette (official newspaper).
Note 1– With respect to the incapacited persons, it will also be necessary to receive an official deed indicating the attestation of guardianship or trusteeship in addition to the foregoing evidence and records.
Note 2– When an attorney or a legal agent is involved in the identification process, it shall be necessary to receive affirmative documents and evidence accordingly.
Note 3– It shall be necessary to maintain the attested copies of the documents stated in this article in the customer’s information file records.
Article 7- If a customer fails to produce the identification records and evidence stated in the foregoing articles, the regulated institutions shall have to avoid providing services to him/it and shall report the matter to the SEO’s anti-money laundering unit.
Article 8- The regulated institutions shall have to inform all the former customers to complete the documentation required for their identification and assessment of their activity level. Where they fail to produce the records and evidence within a period of three months, the service provision to them shall be ceased until when such requirement has been met.
Article 9- Providing of the base services electronically and without the customer’s full identification and performance of any type of electronically untraceable or unnamed financial transactions shall be forbidden.
Article 10- The regulated institutions shall, when providing base services to customers, have to make them be bound to act as follows:
a) to submit the information requested by the regulated institutions as specified in the existing instrument and comply with the anti-money laundering rules and regulations;
b) not to permit other entities/persons to use base services and, if so, promptly report the matter to the regulated institutions. The legal representation shall not apply to this paragraph providing that the particulars of the attorney or agent and the process of his initial identification have been recorded and entered.
Note – The foregoing obligations shall be clearly and precisely explained to the customer. Where the customer does not undertake such obligations or does not fulfill his/its obligations, the providing of services to him/it shall be stopped.
Article 11- The standards and criteria required to identify the applicants for licensing, establishing and operating the financial institutions and self-regulatory organizations (SROs) as well as obtaining license for securities issuance in the capital market shall be subject to the rules, directives and circulars approved by the SEO. In any event, the customer identification criteria as specified in the existing regulations shall also be enforceable.
Article 12- The regulated institutions shall have to provide proper spaces in all their applicable forms so as to put in one of the unique identifiers (national number, national code as the case may be) and the zip/postal code for addresses and shall have to accurately and thoroughly receive and check such particulars.
Article 13- The regulated institutions shall have to provide the required spaces in all softwares, systems and databases in which the financial operations are entered so as to put in one of the unique identifiers (national number, national code as the case may be) and the zip/postal code and shall also provide the opportunity for a search on the basis of the said numbers/codes in software.
Article 14- In the event that the regulated institutions have not matched the particulars of the persons and entities previously entered in their databases with those entered in the respective databases (through direct contact with the databases concerned and/or through indirect contact to KYC’s interface), it should be necessary to transmit the foregoing particulars to the said databases not later than six months after communication of the existing regulations so as to control the accuracy of such particulars.
Article 15- The regulated institutions shall have to update the information previously matched with the respective databases once every three months. If it is proved that the natural person has died during this period or the legal entity has been dissolved but the occurrence has not been reflected to the regulated institutions, it should be necessary that his/its trades be immediately blocked and that the matter be reported to the SEO’s anti-money laundering unit.
Article 16- The regulated institutions shall have to create a unit or introduce an agent aimed at establishing contacts with the SEO’s anti-money laundering unit so as to receive and send reports, examine inquiries and other money-laundering-related matters as provided in article 19 of the by-law and the requirements set out in the existing regulations.
Article 17- In order to perform the documentation of the information and data provided by customers, it should be required to have the copies of authentic documents certified by the staff concerned at the regulated institutions and be kept in customer’s records after verification of such information with the appropriate databases or authorities and upon gaining assurance about the veracity of the information so produced.
Article 18- Providing of services to customers shall be deemed to be the confirmation of performing the customer identification measures (customer due diligence (CDD)) by the regulated institutions which shall also bear the liability of any shortcomings and weaknesses within the framework of the existing provisions.
Article 19- The regulated institutions shall have to block all trading codes without a national number or code within a maximum period of three months as of the communication date of the existing rules. As soon as the national identifier or code is indicated, the said code shall be deblocked.
Note – When it is impossible to issue national identity number (NID) by the State Organization of Real Estates and Deeds Registration, it shall be possible to continue providing services to the customers without NID after their names and particulars have been transmitted to the financial intelligence (FIU) unit for its confirmation.
Article 20- In order to exercise an effective control over the risks from the customer’s inadequate identification, it should be required to monitor his transactions being appropriate to the allocated categories.
Article 21- The board of directors, senior management and/or the corresponding executives at the regulated institutions shall have to ensure the existence of effective customer due diligence measures and their performance through reasonable procedures. Such measures shall have to provide the possibility of effective managerial supervision over systems, controls, separation of functions and employee training. The ultimate responsibility for the decisions taken in this respect shall remain with the board of directors or its corresponding bodies.
Article 22- The regulated institutions shall have to reevaluate the information and data concerning the customer’s activity once every six months in accordance with the criteria and standards set forth by the SEO. Accordingly, upon the customer’s request and/or when material changes are made in the customer status, the regulated institutions shall have to perform full identification of the customer for the second time.
Article 23- It shall be forbidden to provide services to the following persons. Where services were provided in the following circumstances prior to notification of the existing rules, the regulated institutions shall have to discontinue service provision to them:
1. when the customer refuses to submit the information, data and records described in the existing regulation;
2. when the client’s agent does not have any records and legal documents as the proof of his agency;
3. when the regulated institutions directly and through the component authorities prove that the information and evidence submitted by the client are not true;
4. the persons/entities that have been banned from carrying out transactions upon the order issued by the competence authorities;
5. the Iranian persons having no national code or national identifier/number.
Note – When it is impossible to issue national identifier/number by the State Organization of Real Estates and Deeds Registration, it shall be possible to continue providing services to the customers without NID after their names and particulars have been transmitted to the financial intelligence (FIU) unit for its confirmation.
Article 24- The regulated institutions shall have to continually update the data and information concerning the full identification of customers, specifically in the following circumstances:
a) when, based on the evidence and causes, there will be a probability that the client’s statement of account has undergone material changes;
b) when the regulated institutions, based on the evidence and causes, sense a probability that the client has been involved in money laundering operations and/or terrorist financing;
c) when, for any reason, there exists an ambiguity in the veracity of the previously obtained identification data.
Article 25- The customers shall have to inform the regulated institutions of any change made in the information referred to in article 4 of the existing regulation as soon as possible. The regulated institutions shall have to obtain assurance about the accuracy of the information so produced prior to updating the given changes.
Note – The criteria and standards for ongoing supervision shall be set out and communicated upon the SEO’s recommendation and with the approval of the secretariat with a view to the type of customer (natural and legal), nature and subject-matter of the services and operations relating to securities and commodity in the capital market.
Article 26- In the event that the regulated institutions become suspicious of the beneficial owner of the transactions carried out by the identified customers, they shall have to report the particulars of such customers and of the prospective beneficiary to the SEO’s anti-money laundering unit as the operations/transactions which suspect of money laundering.
Article 27- The regulated institutions shall, upon the SEO’s approval, have to adopt effective procedures to identify customers pursuant to the rules in force and shall exercise regular monitoring along with a review if deemed necessary.
Article 28- The regulated institutions shall, if requested by the financial intelligence unit, have to deliver a summary of the information provided by users of base services in connection with the issue of anti-money laundering activities to the financial intelligence unit at the end of each month in the manner arranged by such unit.
Note – The summary of the foregoing information shall have to contain: the name, surname, national number and the date of providing base services with respect to natural persons; the name and national identifier/number or economic code with respect to legal persons as well as the specially designated number with respect to aliens. Other necessary items shall be communicated to the designated persons upon the council’s approval.
Article 29- The regulated entities shall have to organize continuing training courses on the procedures of customer identification and verification for their staff members. Such training courses shall at least include the following topics and shall be designed in a manner that the staff may gain adequate and rational knowledge about the necessity, significance and the method of performing the policies and procedures of customer identification and verification:
a) the policies relating to the reception of new customers and required documents;
b) the method of collection data and information concerning the customer previous records;
c) the method of performing policies relating to customer full identification;
d) the method of receiving documents and updating them;
e) the procedure of effective measures if inconsistencies are found in the customer identification data and records.
Article 30- The regulated institutions shall have to document the procedures used for customer identification as per the rules herein and shall notify such procedures to their staff and then shall reliably obtain assurance of their implementation.
Article 31- The regulated institutions shall have to make categories of their customers (natural and legal persons) with a view to the risk that will more likely exist on their part and on the grounds of factors such as social and occupational status, financial standing, type and nature of professional activity, customer record, original country, relevant accounts or other effective measures based on the procedure set out by the SEO.
Article 32- The categories stated in article 31 shall have such an arrangement that the receipt of information and data from the customers be performed on the basis of the category allocated to them. In this way, it shall be sufficient to receive the necessary information from the customers that run the minimum risk of money-laundering operations within the regulatory framework of the existing rules.
Note – As regards the customers that fall within the categories exposed to higher risk for money laundering operations, the information shall have to be received at a more extensive level and updated at shorter periods. The range of receiving information and the time periods for updating such information shall be in accordance with the requirements set out by the SEO.
Article 33- The regulated institutions shall have to retain the customer information pursuant to the guidelines for retention and destruction of records in capital market in the area of anti-money laundering activities and shall also have to take necessary measures to prevent the disclosure and unauthorized use of such information. The responsibility for the said information disclosure shall obviously rest with the regulated institutions and the parties that disclose information shall be prosecuted under the law.
Article 34- In order to update the information, the regulated institutions shall have to oblige the customer under contractual obligations or the relevant forms to inform the registrar (the State Organization of Civil status Registration and the like) any change in the information it/he has submitted along with relevant evidence as practically as possible.
Article 35- It is necessary to take measures to perform the identification process of former customers as soon as possible in the following manner:
1. that group of the former customers whose identification data are found to have inconsistencies at the matching stage shall have to remove the same within three months. If such inconsistencies are not rectified, the regulated institutions shall have to report the items to the SEO’s anti-money laundering unit. The SEO’s anti-money laundering unit shall accordingly have to transmit such report to the financial intelligence unit (FIU) as promptly as possible;
2. that group of the former customers whose average size of activities in a year is insignificant as per the rules approved by the Council shall be excluded from the application of this article.
Article 36- In the event that the regulated institutions, owing to certain reasons such as lack of cooperation on the part of the customer, cannot obtain the necessary information for his/its identification process or when the customer submits untrue information, the regulated institutions shall have to avoid providing services to the customer and, if possible, to inform the matter to him/it.
Article 37- The SEO’s anti-money laundering unit shall oversee the implementation of the existing regulations. For this purpose, the regulated institutions shall have to deliver the SEO’s anti-money laundering unit the information requested by this unit in the performance of the provisions herein.
Article 38- The existing regulation shall be binding on the branches and agencies of the regulated institutions and shall also apply to the regulated entities located in the free trade-industrial areas as well as in special economic zones.
Article 39- The existing regulation would become effective one month after it has been communicated by the SEO. During such period, the regulated institutions shall, while informing the customers, have to provide the facilities required for implementation of this regulation in a manner that its implementation may not disrupt the customer’s affairs as far as possible.
The existing regulation comprising 39 articles and 18 notes was approved on 11 October, 2011 at the 10th session of the Anti-money Laundering Supreme Council and would become effective as of the communication date.