AML Policy Summary

Purpose/Aim

The aim of this policy is to ensure the compliance of our bank with the obligations of the clearing of the money laundering and the prevention of terrorism financing and the strategies to reduce the risk that customers and their transactions and services can be exposed to by evaluating them with a risk based approach and by determining the internal controls and measures, and to increase their awareness.

Scope/Context

This Anti-Money Laundering and Combating the Financing of Terrorism Policy (“The Policy”) is designed to meet AML/CFT requirements as set out in the following.

• AML/CFT laws & regulations applicable in Turkey
• The Financial Action Task Force (FATF)
• The European Union (Directives)
• The Basel Committee on Banking Supervision
• The Egmont Group.
• The Wolfsberg Group
• International correspondent banks and their applicable regulations
• United Nations Security Council
• The Audi Group AML/CFT Policy

Our Bank compliance policy to be developed on a risk based approach for the purpose of ensuring the required compliance with the Law and Regulations and Communiques issued in accordance with the Law shall cover the following measures in order to prevent laundering proceeds of crime and financing of terrorism:

• Developing institutional policy and procedures,
• Carrying out risk management activities,
• Carrying out monitoring and controlling activities,
• Assigning compliance officer and establishing the compliance unit,
• Carrying out training activities,
• Carrying out internal control activities.

Identity Verification

The first step of customer identification can be classified as identification and verification. Identification of customers should be performed within the scope of the procedures specified in the Regulation on the AML and CFT. Our bank identify customers or those who act on behalf or for the benefit of their customers by receiving their identification information and verifying it:

• Regardless of the monetary amount when establishing permanent business relationships,
• When the amount of a single transaction or the total amount of multiple linked transactions is equal to or more than twenty thousand Turkish Liras,
• When the amount of a single electronic transaction or the total amount of multiple linked electronic transactions is equal to or more than two thousand Turkish Liras,
• Regardless of the monetary amount in cases requiring STR,
• Regardless of the monetary amounts in cases where there is suspicion about the adequacy and the accuracy of previously acquired identification information.

Customer identification shall be completed before the business relationship is established or the transaction is conducted. When establishing permanent business relationship, information on the purpose and intended nature of the business relationship shall be received.

Our bank shall be required to take necessary measures in order to detect whether action is carried out for the benefit of another person. In cases where the person requesting the transaction declares that he/she is acting for the benefit of someone else, the identity and the authority of the person requesting the transaction and the identity of the person for the benefit of whom the transaction is conducted shall be identified in accordance with regulations.

Customer Due Diligence (CDD)/ Know Your Customer (KYC)

Our bank has adopted the principles of strong and effective CDD/ KYC , which is the most effective way to combat laundering and terrorism financing, to achieve effective and robust compliance risk management.

It is essential that the CDD be carried out on an ongoing basis and within the framework of certain periods of continuous monitoring.

A sound AML/CFT Program includes the following elements:

• Identification and verification of customer and beneficial owners, and the source of fund / asset,
• Scanning customers names and beneficial owners against international sanction lists (primarily the UN, EU, US, UK, France, Canada, etc.),
• Checking negative media news,
• Obtaining nature and the purpose of the business relationship,
• Acquiring information on anticipated / estimated transaction volumes and types
• Systematic identification and customer risk grading according to legal regulations in accordance with customer types
• Establishing detailed customer identification, acceptance rules and warning mechanisms, including senior management approval for high risk individuals and institutions,
• Execution of customer and transaction monitoring activities with a risk-based approach,
• Examination and investigate unusual customers and transactions
• Keeping customer information and documentation up-to-date, documenting and storing information and detected situations,
• Effective and appropriate internal and external reporting,
• Increasing awareness of the contents of the KYC, identification, extraordinary and unusual procedures, reporting and making announcement for changes on the laws and related legislation through training sessions and announcements,
• Establishing and maintaining a business relationship on the basis of transparency and mutual trust with customers is essential.

Customer Acceptance Policy

As a result of customer evaluation within the principles stated above; the following are essential:

• Identification of the customer risk,
• Detailed assessment for customers classified as high risk
• Taking actions to establish, refuse and / or terminate the business relationship with the customer

It is strictly forbidden to enter into business relations, to provide products and services by the persons and institutions within the scope listed below with the risk-based approach established within the scope of local and international laws and Audi Group principles.

• Persons and institutions that request an account opening with anonymous / fake names and nicknames,
• Shell Banks,
• Casinos or people and organizations involved in illegal and / or illegal betting activities,
• Non-profit Organizations (foundations, associations, etc.) registered in a country other than Turkey,
• Companies having bearer shares in their ownership structure or issuing bearer shares,
• Customers where the CDD cannot be conducted because they do not want to provide the required information and documents and are not cooperative (such as the failure to verify the identity of the customer or the suspicion of the reliability of the shared information, etc.),
• Customers that shows reasonable grounds for suspicion or detected suspicion that property or fund is related to a laundering and terrorist financing
• Persons and institutions designated in local and international sanction lists (OFAC, EU, UN, France, UK, Canada or local list if any)
• Persons and institutions demanding services, products and transactions for tax evasion,
• No funds or assets must be accepted or made available by the Bank before the customer identification and verification has been done, including identifying the beneficial owner where applicable and information on the purpose and intended nature of the business relationship has been obtained.

In the cases of absence of identification in the Bank or lack of information regarding the purpose of business relations, then the business relation cannot be established and Bank personnel cannot execute the transactions requested by the customers.

If the identification and confirmation fails when they are required as a result of the suspicion about the sufficiency and accuracy of a customer’s identification information, which was obtained earlier, the relationship is terminated.

With the risk-based approach, our Bank determines the means, which provides defining the risk assessment criteria. Based on the determined framework, the Bank evaluates customer, product and geographical risk together and accordingly it performs risk rating of the customer and product services. The purpose of the risk rating method is to obtain a healthy risk classification. Our Bank’s risk classification is as (i) Low, (ii) Medium and (iii) High.

For low-risk classified customers, the customer situation assessment may be subject to relatively low and/or basic controls compared to other risk classes within the context of account review and audit review.

For middle-risk classified customers, the customer situation assessment can apply more controls as needed, in addition to the relatively basic controls compared to the low-risk classes under account review and oversight assessment.

Audi Group and our Bank principles for high-risk classified customers can be summarized as EDD and close monitoring and review of transactions and customer behavior.

When it is needed for high-risk classified customers, the Compliance Unit evaluation should be taken to include the Compliance Officer and the member of the Audit Committee which is in charge of the Audit Committee, and qualified customers who are considered to be more risky in the high-risk customers business line should be submitted to the Assistant General Manager and / or General Manager approvals.

In order to implement an effective risk-based approach, the Bank has identified the following criteria (risk categories) to assess potential money laundering risks:

Customer Risk

Customers who conduct business transactions in circumstances favorable to possibilities of money laundering are considered as posing a higher risk. Those customers include:

• Not know personnel / non face-to-face customers
• Non-resident customers
• Walk-in customers
• Cash (and cash equivalent) intensive businesses including (e.g. remittance houses, currency exchange houses, casas de cambio, bureaux de change, money transfer agents and bank note traders or other businesses offering money transfer facilities)
• Casinos, betting and other gambling related activities.
• Customers that are Politically Exposed Persons (PEPs)
• Customers that are Financially Exposed Persons (FEPs)
• Charities and other non-profit organizations, especially those that are not regulated or operating on a cross-border basis
• Gatekeepers such as accountants, lawyers, or other professionals holding accounts at a financial institution, acting on behalf of their clients, and where the financial institution places unreasonable reliance on the gatekeeper
• Shell banks
• Use of intermediaries within the relationship who are not subject to adequate AML/CFT laws and measures and who are not adequately supervised
• Weapons equipment manufacturers, dealers and agents
• Customers conducting their business relationship or transactions in unusual circumstances, such as:
• Significant or unexplained geographic distance between the institution and the location of the customer.
• Unexplained movement of accounts to different institutions.
• Unexplained movement of funds between institutions in various geographic locations.
• Significant volumes of transactions with high-risk countries
• Transfers do not contain operation-initiating information
• Customers with negative media news, cases and trials
• Customers where the structure or nature of the entity or relationship makes it difficult to identify the true owner or controlling interests
• Companies with bearer shares

Product/Service Risk

Compliance Department opinion and when needed senior management approval must be received regarding the types of transactions and services classified as high risky.

High-risk products and services include:

• Electronic and online banking
• Prepaid and credit cards
• Lending activities
• Trade finance activities
• International/correspondent banking services
• Payable through accounts
• Nested Accounts
• Trust and asset management services
• Investment and insurance products
• Safe deposit boxes

Country Risk

Within the scope of our Bank’s risk management, the high-risk countries and jurisdictions include:

• Tax havens and offshore financial centers
• Countries identified by credible sources as having tight banking secrecy laws
• Countries identified by credible sources as lacking appropriate AML/CFT laws and regulations (listed on the FATF list of Non-Cooperative Countries & Territories)
• Countries subject to sanctions or embargoes (e.g. OFAC sanctions list, state sponsors of terrorism)
• Countries identified by credible sources as having significant levels of criminal activities (e.g. drug trafficking) and corruption
• Countires in which it operates terrorist organization in themselfs
• Other countries identified by the Bank as high risk based on prior experience and/or based on Bank Audi decisions (e.g. for legal considerations, high levels of corruption).

Suspicious transaction is the case where there is any information, suspicion or reasonable grounds to suspect that the asset, which is subject to the transactions carried out or attempted to be carried out within or through the obliged parties, has been acquired through illegal ways or used for illegal purposes and is used, in this scope, for terrorist activities or by terrorist organizations, terrorists or those who finance terrorism.

Suspicion is determined according to the person’s own judgment that a transaction might involve an illegal activity taking into consideration the following information:

• The identity or behavior of the suspected party,
• The source/origin of the assets,
• The nature, aim or terms of the business relation,
• Cash and cash equivalent transactions over a certain amount,
• Transit/outgoing inbound transfer,
• Insufficient, inaccurate and suspicious information provided by the customer,
• Analysing multiple transactions performed by the customer when necessary.

Suspicious transactions shall be reported to MASAK by obliged parties, when there is suspicion or a matter raising suspicion. Suspicious transactions shall be reported to MASAK within ten workdays starting from the date when the suspicion occurred.

The customer and transaction monitoring process begins with confirming the asset/ funding source and analyzing the nature/purpose of the transaction. The transactions must be consistent with the customer's risk profile and financial profile. From this point of view, it is essential to make a reasonable assessment according to the following factors;

• Customer's risk level
• The nature and history of the business relationship
• Transaction risk level determined according to our bank's risk category and rating criteria

In order to ensure that our Bank is in compliance with the liabilities governed under the current legislation, periodic training activities are maintained to raise know-how and level of awareness of the Bank staff.

Trainings are delivered in four different methods including in-class, remote training, video conference and informing messages. All new hires must attend a money laundering induction presentation given by the Compliance Department. Planning and coordination of the training are performed by Compliance Officer and Human Resources Department. The effective implementation of the annual training program, which is approved by the Board of Directors, is under the responsibility of the Compliance Officer.

AML/CFT training program has been established under the supervision of Compliance Department with the following main subjects:

• Concepts of AML/CFT,
• The stages, methods of AML/CFT and current case studies on this subject,
• Risk areas,
• Corporate policy and procedures,
• Under the Law no. 5549 and related legislation and Law No. 6415 and related legislation; the principles regarding customer identification and suspicious transaction reporting; obligation of retaining and submitting;obligation of providing information and documents; sanctions to be implemented in violation of obligations; the international regulations on combating laundering and terrorist financing.