Version 1, August 2022

Table of Contents

1. Introduction
A. Definitions
B. Purpose and Scope
C. Applicability
D. Legal Status
E. Training and Resources
2. Responsible Sourcing Due Diligence Framework
Step 1: Establishing an Effective Governance Framework
1.1 Adopt and commit to a policy for gold Supply Chain due diligence
1.2 Establish management structures to support Supply Chain due diligence
1.3 Establish a system for transparency, information sharing and control on gold Supply Chain
1.4 Strengthen company engagement with gold supplying counterparties
1.5 Establish a confidential grievance mechanism
Step 2: Identification and Assessment of the Supply Chain Risk
2.1 Conduct Supply Chain due diligence to identify potential risks
2.2 Identify red flags/ high risk indicators in the gold Supply Chain
2.3 Undertake enhanced due diligence measures for high-risk Supply Chains
Step 3: Management of the Supply Chain Risk
3.1 Devise a risk management strategy for the identified risk
3.2 Risk Control Plan
3.3 Continuous Monitoring
3.4 Senior Management Reporting
Step 4: Independent Third-Party Audit of Due Diligence Measures
4.1 Audit Plan
4.2 Audit implementation
Step 5: Annual Reporting on Due Diligence Measures
5.1 Management Systems
5.2 Risk Assessment
5.3 Risk Management
3. Annexures
ANNEX I – Review Protocol
ANNEX II - Minimum Reporting Requirements

1. Introduction

A. Definitions

Artisanal and Small-scale Mining (ASM): Formal or informal gold mining operations with predominantly simplified forms of exploration, extraction, processing, and transportation. ASM is normally low in capital intensity and relies on labour-intensive technology. “ASM” can include men and women working on an individual basis as well as those working in family groups, in partnership, or as members of cooperatives or other types of legal associations and enterprises involving hundreds or even thousands of miners.

AML/CFT: Anti Money Laundering and Countering the Financing of Terrorism.
AML/CFT Legislation: (i) Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combatting the Financing of Terrorism and Financing of Illegal Organizations (and its amendments); (ii) Cabinet Decision No. (10) of 2019 on the Executive Regulation of Federal Decree-Law No. 20 of 2018 (and its amendments).

Applicable Laws and Regulations: All applicable laws, regulations, orders, judgments, decrees, rulings or other similar requirements enacted, adopted, promulgated or applied by a relevant governmental authority that are binding upon or applicable to a Regulated Entity (RE).

Beneficial Owner: The natural person who ultimately owns or exercises effective control, directly or indirectly, over an entity (defined as 25% or more ownership), or the natural person on whose behalf a transaction is being conducted, or the natural person who exercises effective ultimate control over a legal person or legal arrangement.

Bullion: The generic word for refined gold in bar or ingot form.

Bullion Bank: A bank (including retail, commercial and investment banks) or financial institution that conducts financial transactions in refined gold.

Chain of Custody: A record of the sequence of entities which have custody of gold as it moves through a Supply Chain.

Conflict-Affected and High-Risk Areas (CAHRA): Areas identified by the presence of armed conflict, widespread violence, including violence generated by criminal networks, or other risks of serious and widespread harm to people. Armed conflict may take a variety of forms, such as a conflict of international or non-international character, which may involve two or more states, or may consist of wars of liberation, insurgencies or civil wars. High-risk areas are those where there is a high risk of conflict or of widespread or serious abuses as defined in Annex II of the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and/or High-Risk Areas.
Such areas are often characterised by political instability or repression, institutional weakness, insecurity, collapse of civil infrastructure, widespread violence and violations of national or international law.

Customer Due Diligence (CDD): The process of identifying or verifying the information of a Customer or Beneficial Owner, whether a natural or legal person or a legal arrangement, the nature of its activity, the purpose of the business relationship, and the ownership structure and control over it, for the purposes of the AML/CFT Legislation.

Designated Non-Financial Business and Profession (DNFBP): Anyone who conducts one or several of the commercial or professional activities defined in Article (3) of Cabinet Decision No. (10) of 2019 on the Executive Regulation of Federal Decree-Law No. 20 of 2018.

DPMS: Dealers in precious metals and precious stones carrying out any single cash transaction, or several transactions that appear to be interrelated, equal to or exceeding AED 55,000.

Enhanced Due Diligence (EDD): Enhanced CDD measures for a deeper understanding of the risk elements identified in the Supply Chain.

Extractive Industries Transparency Initiative: The global standard to promote the open and accountable management of oil, gas and mineral resources, which requires the disclosure of information along the extractive industry value chain from the point of extraction, to how revenues make their way through the government, and how they benefit the public.

FATF: Financial Action Task Force.

FIU: The Financial Intelligence Unit of the Central Bank of the UAE.

Good Delivery: A standard of physical specifications for refined gold and for the capabilities of gold refiners that is accepted on an exchange or in an over-the-counter market.

Know Your Customer (KYC): The process of identifying and verifying the client's identity while conducting a transaction and periodically over time.
Management System: Management processes and documentation that collectively provide a systematic framework for ensuring that tasks are performed correctly, consistently and effectively to achieve the desired outcomes, and that provide for continual improvement in performance.

Medium and Large-Scale Mining (LSM): LSM refers to gold mining operations that are not considered to be artisanal or small-scale mining.

Money Laundering: Any of the acts mentioned in Clause (1) of Article (2) of the UAE Federal Decree-Law No. 20 of 2018.

OECD: Organisation for Economic Co-operation and Development.

OECD Guidance: The OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas.

PEP: Politically Exposed Person as defined in the AML/CFT Legislation.

Recycler: An individual or entity that collects, consolidates and/or processes recyclable gold prior to refining, so that it can begin a new life cycle.

Refining: An activity that purifies gold to a commercial market quality by removing other substances/impurities from doré, alluvial gold, recyclable/scrap or any other gold-bearing feedstocks.

Regulated Entity: Gold Refineries which fall under the definition of a DPMS, which in turn is categorised as a Designated Non-Financial Business and Profession (DNFBP).

Regulations: Due Diligence Regulations for Responsible Sourcing of Gold.

Review: An independent audit of a Regulated Entity undertaken in accordance with the Ministry of Economy (MoE) Due Diligence Regulations.

Reviewer: An independent third-party auditor accredited by the Ministry of Economy to conduct an independent review of Supply Chain Due Diligence.

Risk Control Plan: As described in section 3.2 of the Regulations.

STR: A Suspicious Transaction Report as defined in the AML/CFT Legislation.

Suppliers: Any individual or organisation who is considered to be a participant in the Supply Chain for the supply of gold and/or gold-bearing materials.
Supply Chain: The system of all the activities, organisations, actors, technology, information, resources and services involved in moving gold from the source to end consumers.

Supply Chain Due Diligence: The steps entities should take to identify and mitigate actual and potential adverse impacts and to ensure that they respect human rights, conserve the environment and do not contribute to money laundering and conflict through their activities in the Supply Chain.

Supervisory Authority: The Ministry of Economy, being the AML/CFT supervisor for the relevant DNFBP sectors in the UAE.

Terrorism Financing: Any physical or legal action aiming at providing support or funding to an illegal organisation as defined in the AML/CFT Legislation, or to its activities or members.

UAE: The United Arab Emirates.

Upstream Supply Chain: The gold Supply Chain from the mine to Refiners.

B. Purpose and Scope

Responsible sourcing of gold refers to the commitment by refiners and other Supply Chain actors to consider financial crime risks when managing their relationships with their suppliers.

Gold is an extremely attractive vehicle for Money Laundering and Terrorism Financing. It provides a mechanism for organised crime groups to convert illicit funds into easily exchangeable assets in order to realise or reinvest the profits of their criminal activities. Because small volumes of gold bearing high value can easily be moved, it is frequently used as a Money Laundering vehicle by armed groups, criminal networks and corrupt actors. These factors make gold highly attractive to criminal syndicates wishing to hide, move or invest their illicit proceeds.

Gold mining plays an important role in the economies of producing countries and has high potential for the development of nations. It also poses immense risks with regard to gold originating from CAHRAs, where the revenues of illegal actors fuel the outbreak or continuation of violent conflict, undermining the developmental aspirations of nations and the rule of law.
Businesses involved in the precious metals Supply Chain may also be at risk of contributing to, or being associated with, significant adverse impacts, including serious human rights abuses, conflict and environmental degradation.

The Regulations aim to inform Regulated Entities of the measures to be adopted in relation to responsible sourcing of gold from CAHRAs as part of their overall AML/CFT controls framework. Regulated Entities must comply with all sections of the Regulations and should incorporate the requirements into their broader AML/CFT policy and procedures. Regulated Entities should also inform themselves of the scope and application of all applicable AML/CFT Legislation targeted at DNFBPs.

Regulated Entities should apply Due Diligence proportionately to the risks identified in their business activities and in the parties involved in their gold Supply Chains. They should take into account the size, complexity and nature of their business when applying the Due Diligence requirements.

C. Applicability

The Regulations apply to all Regulated Entities established and/or operating in the territory of the UAE and all commercial free zones, and to the members of their boards of directors, management and employees. Specifically, and without prejudice to the definition of a DNFBP, they are applicable to all such natural and legal persons involved in the activity of Refining.

D. Legal Status

Article (44) of Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No.
(20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations empowers Supervisory Authorities with “Putting in place the crime-combating regulations, instructions and forms for the entities subject to their supervision, when necessary.”

Cabinet Decision No (3/1F) of 2019 and its amendment Cabinet Decision No (28M/4F) of 2019 appointed the Ministry of Economy with the duty of supervising and regulating DNFBPs operating in the UAE, including the entities operating in commercial free zones. The Ministry of Economy’s regulatory mandate includes issuing regulations and guidelines and implementing measures to ensure adherence to AML/CFT obligations under the AML/CFT Legislation. Adherence to this Guideline forms part of the existing AML/CFT requirements set out in the AML/CFT Legislation.

Regulated Entities are responsible for adopting their own internal policies and procedures designed to comply with the applicable AML/CFT Legislation. Regulated Entities should perform their own assessments of the manner in which they should meet their statutory obligations, and they should seek legal or other professional advice if they are unsure of the application of the legal or regulatory frameworks to their particular circumstances.

E. Training and Resources

The Regulations are based on the OECD Guidance and its supplement on gold. The OECD provides a range of resources to Refiners and other stakeholders in a gold Supply Chain to help them maintain competency in this area, including guidance documents, newsletters and webinars on market trends. These resources can be accessed at the OECD’s website https://www.oecd.org/daf/inv/mne/mining.htm. The Ministry of Economy provides a range of resources on the AML/CFT Legislation and guidelines applicable to DNFBPs, which can be accessed at https://www.moec.gov.ae/en/aml.

2.
Responsible Sourcing Due Diligence Framework

Due diligence is an ongoing process through which parties in a gold Supply Chain reasonably ensure that the gold they source does not constitute conflict gold.

Regulated Entities are required to undertake Customer Due Diligence (CDD) measures to verify the identity of the Supplier and the Beneficial Owner before executing a transaction. Regulated Entities are required to identify, assess and understand their risks of gold supplied from CAHRAs in accordance with their business, nature and size, by considering the relevant risk factors to determine the level of risk. Regulated Entities should take appropriate steps to mitigate the identified risks using an effective framework, including internal policies, controls and procedures that are commensurate with the nature and size of their business and approved by senior management.

Regulated Entities should adopt Enhanced Due Diligence (EDD) measures to mitigate risks identified in the Supply Chain. The Supply Chain should be further evaluated so that the Regulated Entity can respond to identified risks and prevent or mitigate adverse impacts.

Regulated Entities should establish Know Your Customer (KYC) procedures and assess the red flags in the Supply Chain in order to determine whether they deal in gold mined, transported or traded in a CAHRA. If a Regulated Entity can reasonably determine, on the basis of the information collected under Step 1 of the Regulations, that it does not deal in gold mined, transported or traded in a CAHRA, no further EDD is required on that Supply Chain. The management systems established under Step 1 should be maintained and regularly reviewed on an ongoing basis. However, Regulated Entities should ensure that they comply with the AML/CFT measures applicable to them as DNFBPs under the AML/CFT Legislation and other Applicable Laws and Regulations.
The gold Supply Chain due diligence framework based on the OECD Guidance is described below.

* Regulated Entities should ensure that Supply Chain due diligence is carried out on each supply of gold, irrespective of: (i) the absence of CAHRA involvement in previous supplies from the same supplier; or (ii) the absence of High Risk elements. In essence, due diligence should be carried out on each Supply Chain, rather than on the supplier. If a particular Supply Chain does not have CAHRA involvement as identified through Step 1, or the Supply Chain risk assessment reveals no high risk element(s) through Step 2, Regulated Entities should proceed to the independent third-party audit process to assess whether Steps 1 and 2 have been implemented effectively.

Step 1: Establishing an Effective Governance Framework

1.1 Adopt and commit to a policy for managing risks in gold from CAHRAs.

Regulated Entities must adopt a documented gold Supply Chain policy that incorporates the risks and risk mitigation measures. The policy and any supporting procedures should include details of the gold Supply Chain Due Diligence by which the company will assess itself and the activities and relationships of its suppliers. The policy should at least contain the following elements, which are consistent with the OECD model Supply Chain policy set out in Annex II of the OECD Guidance:

a) Scope
b) Roles and responsibilities of employees, management and Board of Directors
c) Know Your Counterparty (KYC) and Customer Due Diligence measures
d) Supply Chain risk assessment and risk mitigation process
e) Ongoing monitoring measures
f) Independent audit mechanism
g) Record retention requirements
h) Training program

1.2 Establish management structures to implement Supply Chain Due Diligence.

Regulated Entities must establish an internal governance system to effectively implement and maintain a Supply Chain Due Diligence program on an ongoing basis.
The minimum requirements are as follows:

1.2.1 The board of directors, or equivalent, should acquire the necessary knowledge and experience, or utilise external expert advisors, to:
a. provide oversight of the Supply Chain Due Diligence framework and outcomes;
b. ensure that effective structures and communication processes are in place for critical information sharing;
c. assess the effectiveness of the Supply Chain Due Diligence policies and processes on an ongoing basis;
d. ensure that the compliance officer’s responsibilities include gold Supply Chain Due Diligence matters;
e. ensure the availability of the resources required to manage the Supply Chain Due Diligence process;
f. delegate authority and assign responsibility to staff who are equipped with the necessary competence, knowledge and experience to manage the Supply Chain Due Diligence process; and
g. put in place an organizational structure that can effectively communicate critical information, including the Supply Chain Due Diligence policies and procedures, to relevant employees.

1.2.2 Regulated Entities must appoint a compliance officer, who must be a senior person in the organization, reporting directly to the Chief Executive Officer (CEO) (or equivalent) and having access to the board of directors, or equivalent. The compliance officer should be responsible for the overall management of the Supply Chain Due Diligence process, including to:
a. monitor the Supply Chain Due Diligence process;
b. improve the Supply Chain Due Diligence framework, including by reviewing and updating the Supply Chain policy and procedures;
c. manage and implement a training and awareness program with regard to due diligence; and
d. collaborate with the relevant Supervisory Authority and the FIU by providing all requested data, and allow their authorised employees to view the records and documents necessary for them to perform their duties.
1.2.3 Regulated Entities shall perform a fit and proper test and conduct KYC checks on the compliance officer, and on other employees involved in the procurement process, during recruitment and on an annual basis.

1.2.4 Regulated Entities must develop and implement a training program for all persons involved in the responsible Supply Chain Due Diligence process. The training program:
a. should be provided during staff recruitment and on an ongoing basis;
b. should include a mixture of generic Supply Chain Due Diligence training and role-specific matters;
c. should be provided at least on a bi-annual basis via face-to-face or digital channels;
d. should have its effectiveness assessed through questionnaires and feedback forms; and
e. should have records of the training and subsequent assessments kept as part of the overall record keeping mechanism of the Regulated Entity and made available upon request by the Supervisory Authority.

1.3 Establish a system for transparency, information sharing, and control on gold Supply Chain.

Regulated Entities must document the Supply Chain Due Diligence findings and information in a systematic way which ensures visibility over the entire Supply Chain of gold. Regulated Entities should conduct Due Diligence on the immediate counterparty in all cases and should extend it to the origin of the gold in case of any risk identified in the Supply Chain. This process must document the information detailed below:

1.3.1 For natural persons: the name as it appears in the identification card or travel document, nationality and address, attaching a copy of a valid identification card or travel document; approval must be obtained from senior management if the supplier or any Beneficial Owner is identified as a PEP.

1.3.2 For legal persons and legal arrangements:
a. the name;
b. legal form;
c. memorandum of association or equivalent constitutional document;
d. commercial license;
e. country of incorporation;
f.
countries of operations;
g. headquarter office address or the principal place of business; and
h. names of relevant persons holding senior management positions and acting as authorised representatives of the legal person or legal arrangement, including authorisation letters.

1.3.3 Regulated Entities are required to verify that any person purporting to act on behalf of the supplier is authorized through official documents such as a power of attorney, and to verify the identity of that person as prescribed in sections (1.3.1) and (1.3.2) above.

1.3.4 Regulated Entities are exempted from identifying and verifying the identity of any shareholder, partner or Beneficial Owner if such information is obtainable from reliable sources, where the supplier or the owner holding the controlling interest is a company listed on a regulated stock exchange subject to disclosure requirements (by any means) that impose adequate transparency requirements for the Beneficial Owner, or is a subsidiary whose majority shares or stocks are held by the shareholders of such a holding company.

1.3.5 For gold supplied from ASM, the policy should provide for gathering additional information, including:
a. identification and verification of the local exporter through documents such as export licenses; and
b. mine location and the ASM’s legal existence and conformity to the legal framework (if available), or their willingness to formalize within the legal framework.

1.3.6 Regulated Entities shall cease establishing or maintaining a business relationship or executing any transaction should they be unable to undertake CDD measures towards the supplier, and should consider reporting such instances to the FIU through Suspicious Activity Reports/Suspicious Transaction Reports.

1.3.7 Regulated Entities shall create and maintain an inventory of documents related to the Supply Chain Due Diligence carried out by the entity, which should be accessible to the entity as well as to the regulator in a timely manner.
The records inventory shall include, at least:
a. information regarding the form, type and physical description of the gold/gold-bearing material;
b. proof of origin of mined gold through an official government-issued certificate of origin or equivalent document, together with invoices and packing list;
c. information regarding the weight and assay of the gold as provided by the supplier;
d. KYC information of the supplier, including identification and verification of entities and of ultimate Beneficial Owners who own 25% and above, directly or indirectly;
e. unique reference numbers for each input and output of gold;
f. dates of input and output, purchases and sales;
g. shipping/transportation documents (such as waybill/airway bill, pro forma invoice and bill of lading) to establish the Chain of Custody from origin to refinery; and
h. date of arrival at the refinery and date of assay finalization, and financial transaction details including amount, method of payment, currency and banking information.

1.3.8 Regulated Entities should make and receive payments for gold through official banking channels where possible. For unavoidable cash transactions there should be proper verification of the origin of the cash, and such transactions should be reported to the FIU where applicable.

1.3.9 Regulated Entities should cooperate fully with regulators and law enforcement agencies in the UAE regarding gold transactions. Regulated Entities should provide access to complete information regarding all shipments and transactions carried out with regard to gold refining.

1.3.10 All records, documents, data and information collected as part of the Supply Chain Due Diligence of actual and potential relationships should be kept, preferably in a computerized database, for not less than five years from completion of a transaction or termination of the business relationship with the supplier. The records, documents and data kept shall be organized so as to permit data analysis and tracking of financial transactions.
All records, documents, data and information should be immediately available to regulators and law enforcement agencies upon request.

1.3.11 A Regulated Entity’s policy must include adequate security requirements to ensure compliance with the Regulations in relation to material sourced from LSM or ASM mining entities. These requirements shall include the following measures:
a. the use of identifiable sealed security boxes for each shipment to avoid any tampering or removal of content;
b. physically segregating different shipments until verification is adequately completed and confirmed in accordance with section 1.3.7;
c. reporting any inconsistencies to senior management or the Compliance Officer (as appropriate);
d. ensuring that any assessor of a shipment is free from any conflict of interest; and
e. if applicable, verifying a supplier’s participation in the Extractive Industries Transparency Initiative.

1.4 Strengthen company engagement with gold supplying counterparties.

Regulated Entities should build long-term relationships with suppliers and should require their suppliers to commit to a Supply Chain policy consistent with the Regulations and Annex II of the OECD Guidance. This should be achieved by the following:

1.4.1 Communicating the refiner’s expectations to the supplier on due diligence for responsible Supply Chains of gold from CAHRAs. This should be done by requiring the supplier to commit to the refiner’s gold Supply Chain policy (as per section 1.1 of the Regulations), or through the supplier’s own policy.

1.4.2 Sharing the AML/CFT Legislation, the Regulations, the OECD Guidance and the Gold Supplement with all suppliers.

1.4.3 Incorporating the Supply Chain policy, in line with the Regulations, into commercial contracts and/or written agreements with suppliers, which will be legally binding.

1.4.4 Supporting suppliers through capacity-building measures and information sharing to improve the Supply Chain practices of suppliers and other parties in the Supply Chain.
1.5 Establish a confidential grievance mechanism.

Regulated Entities must implement a grievance mechanism through which employees or other stakeholders in the Supply Chain are able to raise concerns related to the sourcing or trading of gold from a CAHRA. The mechanism should ensure that:
a. employees or other stakeholders are enabled to report any misconduct, or an improper state of affairs or circumstances, in a secure way that protects their identity and protects them from criminal and administrative liabilities;
b. it acts as a warning system in addition to the refiner’s own system for risk assessments;
c. all relevant parties know of the existence of the mechanism through appropriate communication channels such as policies, newsletters or websites;
d. it encourages users to submit concerns without fear of reprisal;
e. all submitted concerns are evaluated independently to ensure there is no undue influence from parties within the entity;
f. all submissions are treated fairly and without prejudice, with documented procedures to share information on their status with stakeholders in a transparent manner; and
g. all such submissions are utilized in improving the Supply Chain mechanism and in the risk assessment process.

Regulated Entities should use their own KYC tools; independent audit or assurance reports, or certification of conformance with recognized responsible sourcing standards (other initiatives), can be considered as supporting evidence.

Step 2: Identification and Assessment of the Supply Chain Risk

2.1 Conduct Supply Chain Due Diligence to identify potential risks

Regulated Entities must identify and assess the risks in the Supply Chain in order to carry out the required due diligence. Due diligence must be undertaken before entering a new business relationship with a supplier and should be carried out on an ongoing basis. Conducting a risk assessment helps to tailor the due diligence to the risks identified.
Where a high risk Supply Chain is identified, enhanced due diligence measures should be taken in order to mitigate the risks. Regulated Entities should use the management system put in place under Step 1 of the Regulations in order to effectively identify and assess risks throughout their Supply Chain. If a Regulated Entity can reasonably determine, on the basis of the information collected under Step 1 of the Regulations, that it does not deal in gold mined, transported or traded in a CAHRA, no additional due diligence is required. The management systems established under Step 1 should be maintained and regularly reviewed. However, Regulated Entities should ensure that they comply with the AML/CFT measures applicable to them as DNFBPs under the AML/CFT Legislation and other Applicable Laws and Regulations.

The risk assessment should be carried out using the risk factors broadly categorized in sections 2.1.1 to 2.1.5.

2.1.1 Counterparty Risk Factors
a. KYC information on the Regulated Entity’s suppliers as identified under Step 1 of the Regulations (including information about the origin and transportation of the gold).
b. Identified Red Flags (as defined in section 2.2 of the Regulations) in the Supply Chain.
c. Number of participants in the Supply Chain.
d. Extent and effectiveness of the due diligence practices of a counterparty.
e. Counterparty’s conformance with the OECD Guidance while engaging in the sourcing of gold.
f. Whether a counterparty’s due diligence practices have been audited by a qualified third-party auditor in line with an applicable responsible sourcing mechanism.
g. Length of establishment of the supplier or other counterparties in the Supply Chain.
h. Complexity of the ownership structure of the counterparties, such as the presence of multiple layers of ownership and the involvement of trusts and similar vehicles apparently for the purpose of anonymity.
i. Size of mining operations of a supplier (ASM or LSM), if applicable.
j.
Involvement of any PEPs who have been entrusted with prominent public functions, or of individuals who are closely related to such persons.
k. Adverse media/sanctions listing findings from screening the suppliers and other actors in the Supply Chain.

2.1.2 Geographical Risk Factors

Regulated Entities should be able to identify the location and origin of the gold they source using reasonable efforts. Different origins carry different risks and require different treatment. Identification of gold origin should be evidence-based and collected through suppliers and the entity’s own research.
a. Mined Gold: The origin of mined gold is the mine itself, except in cases of a mining by-product such as gold obtained through the mining of copper. A refiner should be able to identify the misrepresentation of mined gold as a by-product through appropriate due diligence.
b. Recyclable Gold: The origin of recycled gold is the point at which it becomes recyclable, such as when it is first sold back to a gold recycler/Refiner. A refiner’s due diligence should include measures to identify attempts to misrepresent newly mined gold as recycled gold.
c. Grandfathered Stocks: If the stock has a verifiable date prior to 1 January 2012, no determination of origin is required. However, if red flags (refer to section 2.2) are identified with regard to violation of AML regulations or international sanctions, further scrutiny of the Supply Chain is warranted.

Location-based risk identification should be carried out using reasonable efforts and recognized sources of information. At a minimum, the following risk factors should be utilized for risk identification:
a. The AML/CFT and other regulatory environment in the supplier’s jurisdiction or in any location which is part of the Supply Chain.
b. The level of conflict or human rights abuses in any location comprising part of the Supply Chain, assessed through reliable sources.
c. The level of widespread bribery and corruption, assessed through reliable sources.
d. The level of involvement, or potential involvement, of any criminal organization.
e. The level of access from a location forming part of the Supply Chain to nearby markets or processing operations located in a CAHRA.
f. The level of enforcement of laws addressing significant criminal activity.
g. The payment mechanism used (e.g., formal banking system vs. non-banking system).
h. The existence of international sanctions and/or embargoes directed against the country, and/or against individuals or entities in that country, by the UN Security Council and/or the UAE from time to time.
i. Involvement of countries identified as CAHRA.

2.1.3 Transaction Risk Factors
a. Inconsistency of the transaction with local or market practices (amount, quality, potential profit, etc.).
b. Inconsistency of volumes, types and concentrations of material compared with previous shipments from the same client.
c. Use of excessive cash in transactions.
d. Attempted structuring of transactions or payments to avoid government reporting thresholds.
e. The severity and probability of adverse impacts of the applicable transaction, taking into account the risks identified.
f. Gold transported in a manner that cannot reasonably be reconciled with the declared location of origin.
g. Unexplained geographic distance in the Supply Chain.

2.1.4 Product Risk Factors
a. The nature of the gold supplied, such as ASM or LSM gold, gold by-product, melted recyclable gold or unprocessed recyclable gold. The risk may vary from product to product.
b. The level of concentration of gold in the supplied material.

2.1.5 Delivery Channel Risk Factors
a. Physical delivery of gold to unrelated third parties in a manner inconsistent with normal business practice.
b. Courier and transport risk factors, including physical security practices such as sealed security boxes for shipment, where tampering with or removal of the contents during transport is likely.
c. The extent to which third-party transportation companies are reliable and their KYC information has been validated against accepted standards.

2.2 Identify Red Flags/High Risk Indicators in the gold Supply Chain
Based on the information on the origin of gold stipulated in Section 2.1, and the information generated through Step 1, Regulated Entities should identify potential red flags in a gold Supply Chain. Red flags can be broadly categorized as below.

2.2.1 Location-Based Red Flags
a. The gold originates from, or has been transported through, a CAHRA or a country subject to international sanctions.
b. The gold originates from a country known to have limited discovered reserves and expected production levels.
c. The gold originates from a country through which gold from CAHRAs is known or reasonably suspected to transit.
d. The gold is claimed to originate from recyclable/scrap or mixed sources and has been refined in a country where gold from CAHRAs is known or reasonably suspected to transit.
e. The gold originated in, or was transported through, countries known to have weak oversight of Money Laundering, corruption and bribery, the presence of informal banking systems, and known cash intensiveness in the economy.

2.2.2 Supplier Red Flags
a. Suppliers or other known upstream entities operate in one of the red flag locations of gold origin and transit referred to in 2.2.1, or have shareholder or other interests in suppliers of gold from one of those locations.
b. Suppliers or other known upstream entities are known to have sourced gold from a red flag location of gold origin and transit in the last 12 months.
c. Discrepant or inconsistent KYC information is obtained through the identification and verification process of suppliers, or the supplier refuses to provide requested documentation.
d. The supplier or its Beneficial Owners are listed on any government list for Money Laundering, fraud or terrorism, or are listed under international sanctions regulations.
e. The supplier does not have policies and practices relating to ethics, integrity, and combatting Money Laundering, bribery, and corruption.
f. There is no effective assessment of the supplier's counterparty risk assessment framework for identifying risks in the upstream Supply Chain.

Refiners handling ASM gold should also consider the following aspects when identifying and assessing risk:
a. The suppliers of ASM gold: sources, gold ore processing plants, traders and local exporters.
b. Whether the mining project can be considered legitimate ASM (i.e., legally registered, cooperative-based and/or government-recognized, or a central bank supported initiative).
c. Whether the mining practice is subject to standards and best practices.
d. Whether the ASM gold source considers ethical and environmental elements while handling and processing gold.

2.3 Undertake Enhanced Due Diligence Measures for High-Risk Supply Chains
If high-risk elements or red flags are identified in the Supply Chain, or information is unknown, Regulated Entities should conduct EDD measures before engaging with such suppliers. If the Regulated Entity can reasonably determine, through the assessment in Step 2.2, that there are no high-risk elements or red flags in a Supply Chain, no additional due diligence is required for that Supply Chain; the management systems established under Step 1 should be continued and reviewed on an ongoing basis.
EDD consists of site visits, desk-based reviews, and review of sample transactions of suppliers on an ongoing basis. EDD for high-risk relationships should be carried out when the relationship is established and on an ongoing basis (at least on a bi-annual basis).
2.3.1 Conduct onsite visits to gold suppliers, individually or through joint on-the-ground assessment teams or an industry mechanism, using competent, suitably qualified, knowledgeable, and independent assessors, to generate and maintain information on the circumstances and processes of the supplier's activities.
Regulated Entities may establish such teams independently or jointly with other entities in the upstream Supply Chain. Onsite inspections should aim to substantiate the documented KYC information. Whether the onsite visit is conducted by an assessment team or independently by the Regulated Entity, the factors in 2.3.2 and 2.3.3 must be considered during the visit, and responsibility remains with the Regulated Entity in either case.
2.3.2 Determine whether the Mined Gold is LSM Gold or ASM Gold.
2.3.3 Gather information and documents including, without limitation:
a. identification and verification of each entity in the Supply Chain through operating licenses or similar documents;
b. identification and verification of the ownership of each entity (direct or indirect ownership of 25% and above) and connected parties (board of directors and senior management);
c. identification of the mines of origin, the transportation routes, and the points where gold is traded;
d. for ASM, identification of whether the mine is engaged in legitimate ASM;
e. details of the Beneficial Owners and controllers of the ASM operation;
f. the methods of gold processing and transportation;
g. identification of related businesses (subsidiaries, parents, and affiliates);
h. verification of the identity of the entities using reliable, independent source documents, data or information (e.g., business register extracts, certificate of incorporation);
i. identification of any nexus with the government, political parties, military, criminal networks, or non-state armed groups, through screening or publicly available data and research;
j. evidence of any serious abuses committed by any party at mines, along transportation routes, and at points where gold is traded and/or processed, from public domain findings or through the screening process;
k. information on any direct or indirect support to non-state armed groups or to public or private security forces;
l. screening of the entity name and its ownership, including ultimate Beneficial Owners and connected parties, against government watch lists for sanctions listings or adverse media (at a minimum, the United Nations sanctions lists and the UAE local terrorist list should be used);
m. current production and capacity of the mine(s), a comparative analysis of mine capacity against recorded mine production where possible, with any discrepancies recorded;
n. current processing production and processing capacity of the mine smelt house(s), a comparative analysis of processing capacity against recorded processing production where possible, with any discrepancies recorded;
o. documents relating to payments of royalties, taxes or fees to government or other regulatory agencies;
p. all payments made to public or private security forces or other armed groups at all points in the Supply Chain from extraction onwards, unless prohibited under applicable law;
q. militarization of mine sites, transportation routes, and points where gold is traded and exported;
r. KYC information on the gold exporter and all actors in the Supply Chain, including international gold traders and all third-party service providers handling the gold (e.g., logistics, processors and transportation entities) or providing security at mine sites and along transportation routes. KYC should consist of the below; and
s. verification of sample documents relating to transactions carried out by the supplier.

Step 3: Management of the Supply Chain Risk
Regulated Entities should evaluate and respond to the risks identified through EDD in order to mitigate them. The following steps are the minimum expected to mitigate identified risks. Regulated Entities are encouraged to take into account the potential social and economic impacts of the risk mitigation measures they adopt.
A risk management plan should be subject to continuous review based on changes in business circumstances, operations or supply base, in the nature of the risk, or following a major change in applicable rules and regulations.

3.1 Devise a risk management strategy for the identified risk
Based on the risks identified through the procedures in Step 2 of this document, Regulated Entities should adopt a risk appetite approach that establishes the methods of risk treatment set out below. The risk appetite policy should form part of the overall Supply Chain risk policy.
a. Establish or continue: Based on the documents and information gathered through EDD (Step 2.3), a Regulated Entity may establish or continue a relationship if it assesses that the supplier is managing the risks to a reasonable extent. This should be subject to remedial actions, agreed with the Regulated Entity, for improving the supplier's due diligence program. The Regulated Entity should measure the improvement through quantitative and/or qualitative analysis. The plan should be approved by senior management and the Compliance Officer, and the Regulated Entity should seek significant improvement within 6 months of adoption of the plan. If attempts at risk mitigation in conformity with the recommended risk management plan fail, the Regulated Entity should suspend or terminate the relationship.
b. Suspend: If EDD concludes that there is a founded suspicion of Money Laundering, Terrorist Financing, human rights abuses, environmental degradation, direct or indirect support to illegitimate non-state armed groups, or fraudulent misrepresentation of the origin of goods, the Regulated Entity should suspend engagement with that Supply Chain until risk mitigation measures have been adequately completed.
c. Terminate: Upon identifying instances of Money Laundering or Terrorist Financing, human rights abuse, or support to armed conflict, the Regulated Entity should immediately terminate its relationship with the supplier. In such instances, the Regulated Entity should submit an appropriate report to the FIU.

3.2 Risk Control Plan
Regulated Entities that adopt an 'Establish/Continue' or 'Suspend' approach shall adopt a Risk Control Plan which includes, at a minimum:
a. reporting mechanisms for identified risks to senior management;
b. enhanced engagement with suppliers through establishing a Chain of Custody and/or traceability system where a red flag has been identified;
c. enhancement of physical security practices;
d. physical segregation and security of shipments where a red flag has been identified;
e. an agreement with the supplier which facilitates timely and accurate provision of additional information relating to the Supply Chain with identified risks;
f. disengaging from suppliers for at least 3 months when they fail to comply with the mitigating controls within a period of 6 months, and/or disengaging entirely if such controls are not feasible and/or unacceptable in light of the cost-benefit analysis and the capabilities of the Regulated Entity conducting the due diligence; and
g. reviewing the results of the mitigation measures on a regular basis, and undertaking additional fact-finding and risk assessment for identified risks requiring mitigation or after a change of circumstances.

3.3 Continuous Monitoring
Supply Chain Due Diligence is a dynamic process and requires ongoing risk monitoring. After implementing a Risk Control Plan, Regulated Entities should assess whether Step 2 should be repeated or any further enhanced measures are required. Any change in the Supply Chain may require the Regulated Entity to repeat some due diligence steps to ensure effective monitoring of risk.

3.4 Senior Management Reporting
The risks identified in the Supply Chain and the Risk Control Plan should be reported to the Regulated Entity's board of directors (or equivalent) and senior management on a periodic basis (at least every 3 months).
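As an added worked example (not part of the Regulations, and not a tool of the MoE or of any Regulated Entity), the following Python turns three of the checks above into code a compliance engineer could run over supplier records: the watch-list screening of entity names and Beneficial Owners in 2.3.3(l), the capacity-versus-recorded-production comparison in 2.3.3(m) and (n), and the establish/suspend/terminate treatment in 3.1. The watch list, supplier records and production figures are constructed sample data, not real listings. The mapping of a listing hit to 'terminate' and of a capacity discrepancy to 'suspend', the 10% production tolerance and the 0.7 Jaccard threshold are the example's own assumptions; the Regulations set none of these values.

```python
"""Red-flag screening for gold Supply Chain EDD (added example, constructed data)."""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass

# Constructed stand-in for the UN sanctions lists / UAE local terrorist list
# (assumption: a real deployment loads the official lists, not these entries).
WATCH_LIST = [
    {"name": "Global Aurum Trading FZE", "source": "constructed-sanctions-list"},
    {"name": "Hassan Al-Mansoori", "source": "constructed-terror-list"},
]
CORPORATE_SUFFIXES = {"fze", "llc", "ltd", "co", "company", "dmcc", "inc", "the"}


def normalise(name: str) -> set[str]:
    """Fold diacritics and case, strip dots and corporate suffixes, and return
    the remaining word tokens, so 'GLOBAL AURUM TRADING F.Z.E.' and
    'Global Aurum Trading FZE' compare as the same set."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", text.replace(".", "").lower())
    return {t for t in tokens if t not in CORPORATE_SUFFIXES}


def screen(name: str, threshold: float = 0.7) -> list[str]:
    """Return the source of every watch-list entry whose token set overlaps the
    candidate at or above the Jaccard threshold (assumed value, tune per list)."""
    cand = normalise(name)
    hits = []
    for entry in WATCH_LIST:
        listed = normalise(entry["name"])
        if not cand or not listed:
            continue
        if len(cand & listed) / len(cand | listed) >= threshold:
            hits.append(entry["source"])
    return hits


def capacity_discrepancy(capacity_kg: float, recorded_kg: float,
                         tolerance: float = 0.10) -> bool:
    """2.3.3(m)/(n): recorded output above stated capacity (plus an assumed
    10% tolerance) cannot have come from that mine or smelt house alone."""
    return recorded_kg > capacity_kg * (1 + tolerance)


@dataclass
class Supplier:
    name: str
    beneficial_owners: list[str]      # natural persons at 25% or more
    mine_capacity_kg: float           # stated annual capacity
    recorded_production_kg: float     # production reported for the same period
    kyc_consistent: bool = True       # False when KYC answers conflict (2.2.2 c)


def assess(s: Supplier) -> dict:
    """Collect red flags and map them to a 3.1 treatment. The mapping is this
    example's assumption: a list hit is treated as a ML/TF instance (terminate),
    any other flag as a founded suspicion pending mitigation (suspend)."""
    flags = []
    for party in [s.name, *s.beneficial_owners]:
        for src in screen(party):
            flags.append(f"listed:{party}:{src}")
    if capacity_discrepancy(s.mine_capacity_kg, s.recorded_production_kg):
        flags.append("production_exceeds_capacity")
    if not s.kyc_consistent:
        flags.append("kyc_discrepancy")

    if any(f.startswith("listed:") for f in flags):
        treatment = "terminate"          # and file the report to the FIU
    elif flags:
        treatment = "suspend"            # until mitigation is completed
    else:
        treatment = "establish_or_continue"
    return {"supplier": s.name, "red_flags": flags, "treatment": treatment}


if __name__ == "__main__":
    # Constructed sample suppliers.
    for sup in [
        Supplier("Desert Gold Refining LLC", ["Hassan Al Mansoori"], 120.0, 110.0),
        Supplier("Oasis Minerals Ltd", ["Fatima Rashid"], 120.0, 150.0),
        Supplier("Oasis Minerals Ltd", ["Fatima Rashid"], 120.0, 100.0),
    ]:
        print(assess(sup))
```

Two design points carry over to a real screening system. Matching must be done on normalised tokens rather than raw strings, otherwise a dot, a hyphen or a corporate suffix is enough to slip past the list; and the tolerance used in the capacity comparison should be recorded alongside the discrepancy, since the Reviewer under Step 4 will ask why a given gap was or was not treated as a red flag.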
The report should include the counterparties identified as high-risk and the respective Risk Control Plan.

Step 4: Independent Third-Party Audit of Due Diligence Measures
A Regulated Entity's compliance with the Regulations will be subject to an annual independent third-party audit by an accredited Reviewer, as stipulated in the Review Protocol (ANNEX I). Review of a Regulated Entity's Supply Chain Due Diligence framework should be carried out by an approved Reviewer and should be arranged at the Regulated Entity's own cost. The recommendations in this section shall not be considered an audit standard; they outline basic principles, scope, criteria, and other basic information for consideration by entities. The Review Protocol in ANNEX I of these Regulations sets out the principles to be followed by Reviewers when conducting the independent third-party audit of a Regulated Entity.

4.1 Audit Plan
Regulated Entities should plan the audit in line with the Regulations and consider the elements below.
4.1.1 Audit scope: The audit scope should include all major elements of a Supply Chain Due Diligence framework as outlined in the Regulations: the Supply Chain Due Diligence policy and procedures, the processes and systems, Supply Chain risk assessment and risk mitigating measures, supplier engagement details, chain of custody, and other traceability information.
4.1.2 Audit criteria: The audit should determine the conformity of the implementation of a Regulated Entity's Supply Chain Due Diligence framework against an audit standard based on the Regulations. It should also determine conformity to and compliance with the Regulations in all communications with participants across the entire Supply Chain.
4.1.3 Audit principles:
a. Independence: The Reviewer organization and all of its members must be independent of the Regulated Entity and of the Regulated Entity's subsidiaries, licensees, contractors, and suppliers.
The auditors must not have conflicts of interest with the Regulated Entity, including business or financial relationships with it. The Reviewer must also not have provided compliance consultancy services (such as setting up a compliance framework or drafting compliance policies) to the Regulated Entity during the past 12 months.
b. Competence: Reviewers should be competent to conduct the review efficiently, and the review should be carried out in accordance with accepted auditing standards. Reviewers should have personal attributes such as integrity, confidentiality and professionalism, and a specialist skill-set in Supply Chain due diligence principles, procedures and techniques and in internationally accepted guidelines (i.e., the OECD Guidance). Knowledge of gold procurement practices, geographical context, etc. is a prerequisite for Reviewers.
c. Accountability: The list of accredited Reviewers shall be published on the MoE's website.
4.1.4 Audit activities:
a. Audit Preparation: The objectives, scope, language, and criteria for the audit should be clearly communicated to the Reviewers, with any ambiguities clarified between the auditee and the Reviewers before the audit begins.
b. Onsite Investigation: The Reviewers must conduct onsite investigations, gather evidence and verify information by interviewing management, making observations, and reviewing documents. The review should include visits to all sites where the Regulated Entity carries out business and should thoroughly review a sample of the Regulated Entity's suppliers.
c. Document Review: Sample documents gathered during the review, i.e., documents retained as part of the Regulated Entity's Supply Chain Due Diligence framework, sample documents relating to the Regulated Entity's communication with its suppliers, contracts and agreements with suppliers, and documents relating to risk assessment and risk mitigation.
Sample selection should be based on the risks identified. Sample size should be based on the number and size of the Regulated Entity's suppliers and should be increased based on the Reviewer's understanding of heightened risk.
d. Audit Conclusions: Reviewers should generate audit findings based on the evidence gathered, against an audit standard consistent with the recommendations of this section of the Regulations. Auditors should also make recommendations in the audit report for the Regulated Entity to improve its due diligence practices. The report should also be published in line with Step 5 of this document.
4.2 Audit implementation: The audit should be implemented in accordance with the audit scope, criteria, principles and activities documented in Step 4 of the Regulations. Regulated Entities should coordinate with the relevant stakeholders to carry out audits in line with the recommended audit standard set out in this document.

Step 5: Annual Reporting on Due Diligence Measures
Regulated Entities should submit all audit reports stipulated under section 12 of ANNEX I to the MoE on an annual basis. Accredited Members of the Emirates Good Delivery should submit the reports prepared for accreditation purposes to the MoE on an annual basis to fulfil the reporting obligations under these Regulations. The Comprehensive Management Report issued by the Reviewer should consist of the following elements at a minimum (refer to ANNEX II for additional requirements):
5.1 Management Systems
The Regulated Entity's Comprehensive Management Report should include the management systems requirements set out in Step 1 of the Regulations. The Comprehensive Management Report should include:
a. the Regulated Entity's management structure, roles and responsibilities with regard to Supply Chain Due Diligence;
b. policy and procedures;
c. KYC and information collection procedures;
d. the database and record keeping system; and
e. procedures for identification and verification of all counterparties in the Supply Chain system.
5.2 Risk Assessment
Regulated Entities should include in their Comprehensive Management Report the risk assessment procedures (Step 2). In particular, Regulated Entities should include:
a. how red flags are identified;
b. details of the red flags identified;
c. a description of the steps taken to map the factual circumstances of those red flag operations and red-flagged Supply Chains;
d. the methods of assessment teams, including collaboration with other stakeholders in the Supply Chain; and
e. the actual or potential risks identified.
5.3 Risk Management
Regulated Entities should include in their Comprehensive Management Report the risk management procedures (Step 3). In particular, Regulated Entities should include:
a. the internal controls that would have assisted in gathering the required information on red-flagged Supply Chains;
b. a description of the steps taken to manage risks, including the risk mitigation strategy and the procedures and mechanisms in place to monitor remediation activities; and
c. details of the actions taken as part of risk mitigation (the number of instances in which the Regulated Entity decided to continue, suspend or terminate relationships), without disclosing the identity of those suppliers except where the law allows.

3. Annexures
ANNEX I – Review Protocol
1 Introduction
The Ministry of Economy shall publish on its website a list of Reviewers (Reviewer List). The Review of a Regulated Entity required under Step 4 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold must be carried out by a Reviewer approved by the MoE, in line with the MoE Review Protocol.
2 Minimum Criteria for Reviewers
The Reviewer must have appropriate infrastructure and management systems that meet the requirements of the ISAE 3000 standard and be capable of assuring integrity, governance and confidentiality.
2.1 The Reviewer must possess and be capable of demonstrating adequate subject matter knowledge of:
I. the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
II. the OECD Guidance;
III. relevant local, regional and global regulatory frameworks;
IV. the MoE AML/CFT Guidelines for DNFBPs and the Supplemental Guidance for Dealers in Precious Metals and Stones; and
V. Supply Chain due diligence systems and procedures applicable to the gold and precious metals industries, including the review of functions such as transportation, transformation, chemical refining, inventory management, and trading.
2.2 The Reviewer must possess and be capable of demonstrating capabilities, competencies and proficiencies in relation to the following:
a) independence from any party it audits;
b) quality control procedures with appropriate follow-up systems;
c) established and functional systems for complaints handling and appeals;
d) assurance of the integrity and confidentiality of the audits conducted;
e) assurance of the integrity and confidentiality of its employees, secondees, staff members, subcontractors, agents, assignees or any other person carrying out activities in relation to any audit; and
f) the provision, storage and management of verifiable documentation detailing the track record of the Supply Chain due diligence systems and procedures under review.
2.3 The MoE may at any time provide guidance (in any format, unilaterally or bilaterally) to any Reviewer to ensure consistency in the Review process and compliance with the minimum criteria for Reviewers, and each recipient Reviewer shall ensure that it adheres to and implements any recommendations set out in such guidance.
3 Review Plan
At the outset of each Review, the Reviewer shall develop a detailed plan for the Review (Review Plan). Each Review Plan shall clearly set out the scope, timing and costs of the Review as agreed between the applicable Reviewer and the Regulated Entity.
3.1 For each Review Plan, the Reviewer and the Regulated Entity shall ensure that the following objectives are included:
(a) assessment and conclusion by the Reviewer of the extent to which the Regulated Entity has established robust responsible Supply Chain management systems in accordance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold and Precious Metals and the OECD Guidance;
(b) assessment and conclusion by the Reviewer of the extent to which the Regulated Entity is able to identify and adequately assess risks in the Supply Chain in accordance with Step 2 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold and Precious Metals and the OECD Guidance; and
(c) assessment and conclusion by the Reviewer of the extent to which the Regulated Entity is reporting on the measures it implements for responsible Supply Chain due diligence in accordance with Step 1 to Step 5 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold.
3.2 The Reviewer shall assess and include in its Review Report the extent to which the Regulated Entity is compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold, which shall include:
a) the implementation of a Policy in accordance with Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
b) responsibilities and escalation channels that are clearly defined, established and implemented in accordance with the requirements of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
c) appropriate criteria for Supply Chain due diligence as established and implemented by the Regulated Entity, including systems and processes for identifying Red Flags in accordance with Step 2 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
d) the implementation and application of KYC processes in accordance with Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold, and the existence of a suitably qualified and competent compliance function in accordance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
e) the existence and adequacy of internal documentation and records of Supply Chain due diligence covering inventory and transactions;
f) tracking and tracing of all inventory and transactions in accordance with Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
g) management of relationships with suppliers in accordance with Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
h) maintaining appropriate confidentiality relating to whistleblowing and the reporting of suspicious activities, and acting in an appropriate manner to avoid compromising any related investigations;
i) the adequacy and consistent application of security requirements in accordance with Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold; and
j) the training of relevant staff of the Regulated Entity in accordance with the Regulated Entity's Supply Chain policies and procedures, including:
I. providing different training programmes in accordance with the levels of risk related to different suppliers or staff functions;
II. receiving and addressing feedback from attendees; and
III. assessing the effectiveness and adequacy of the contents of training programmes.
3.3 The Reviewer shall assess and include in its Review Report the extent to which the Regulated Entity is able to identify and adequately assess risks in the Supply Chain in accordance with Step 2 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold, including:
a) the consistent application of the Policy developed pursuant to Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold; and
b) the Regulated Entity's assessment of the risks associated with the Supply Chain (including processing, distribution, transportation and cross-border trading) and its assessment of every actor in the Supply Chain.
3.4 The Reviewer shall assess and include in its Review Report the extent to which the Regulated Entity has established and is applying adequate risk assessment tools and methodologies (e.g., screening systems for international sanctions lists) across its business divisions, including:
a) evidence that all factors (including geographical, counterparty, transactional and product risk factors) are taken into consideration in risk assessments, and the adequacy of the risk assessment findings (for example, the ability to detect falsification of evidence, or adequate implementation of track and trace principles to link records for transactions, transportation and transformation of gold);
b) evidence that the risk assessment findings enable the Regulated Entity to detect, evaluate and address Red Flags in accordance with Step 2 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
c) evidence of enhanced due diligence where Red Flags or potential Red Flags are detected, including the use of the methods set out in the MoE Due Diligence Regulations for Responsible Sourcing of Gold; and
d) evidence that all findings are accurately documented and reported in a timely manner to all relevant persons.
3.5 The Reviewer shall assess and include in its Review Report the extent to which the Regulated Entity has developed and implemented a Risk Mitigation Plan in accordance with Step 3 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold, including evidence of the adequacy and effectiveness of risk level classification and of the related control mechanisms for each level of risk classification.
3.6 The Reviewer shall assess and include in its Review Report the extent to which the Regulated Entity has implemented adequate measurable steps, monitoring and review of performance, and reporting to senior management as part of the Regulated Entity's Risk Control Plan.
3.7 The Reviewer shall assess and include in its Review Report the extent to which the Regulated Entity is reporting annually on the measures it implements for responsible Supply Chain due diligence (including the methodology and results of any risk assessment and the steps taken to manage risks) in accordance with Step 4 and Step 5 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold, including:
a) assessment of the completeness, adequacy and accuracy of the content of such reporting; and
b) assessment and evidence of the level of accessibility of such reporting to the Regulated Entity's regulators and to existing and potential counterparties.
3.8 The Reviewer shall apply materiality in the development and execution of the Review Plan, taking into consideration the nature, scale and impact of the Regulated Entity's business.
3.9 The Reviewer shall, when warranted by the circumstances, carry out sampling of sources of information by selecting a sampling method, determining an appropriate sample size, conducting the sampling and documenting the results.
4 Reviewer's Responsibilities, Resources and Procedures
4.1 A Reviewer's responsibilities for each Review shall include:
a) ensuring that the Review Plan is clearly established and is based on the objectives set out in Section 3 of Annex I of these Regulations;
b) applying materiality in the development and execution of the Review Plan, taking into consideration the nature, scale and impact of the Regulated Entity's business;
c) ensuring that the Reviewer and the individual auditors gain a good understanding of the Regulated Entity's business, organisation, structure and Supply Chain;
d) ensuring that the responsibilities and procedures of the Reviewer's assessment team, and its interactions with the applicable Regulated Entity throughout the course of a Review, are clearly defined;
e) ensuring that sufficient resources are provided by the applicable Regulated Entity to enable the Reviewer to conduct a comprehensive Review;
f) ensuring that the Review is conducted in accordance with this Review Protocol and that records are maintained;
g) where applicable, applying an adequate level of sampling of the sources of information;
h) ensuring that the reports provided on the Review enable the monitoring, reviewing and implementation of a corrective action plan by the Regulated Entity; and
i) ensuring that the MoE is informed of every circumstance of any breach of, or non-compliance with, the Review Protocol.
4.2 A Reviewer's resources for each Review shall include:
a) sufficient financial resources to develop, implement, manage and improve the content of the Review Plan;
b) sufficient operational resources to conduct a comprehensive Review;
c) sufficient knowledge and competency of the Reviewer's assessment team to perform a comprehensive Review in accordance with this Review Protocol; and
d) appropriate review techniques, methodologies, frameworks and related systems to be used by the Reviewer's assessment team in preparing and implementing the content of the Review Plan.
4.3 A Reviewer’s procedures for each Review shall include:
a) planning and scheduling the Review Plan;
b) assuring the competence of the Reviewer’s assessment team;
c) assigning appropriate roles and responsibilities to the Reviewer’s assessment team members;
d) monitoring the performance and effectiveness of the Review Plan and its implementation, to ensure that the Review objectives are met;
e) conducting any required follow-up actions;
f) recording the findings of the Review and carrying out any required cross-validation of the evidence; and
g) reporting the findings of the Review to the applicable Regulated Entity in a clear and comprehensible manner.
5 Implementation of the Review Plan
In carrying out each Review Plan, the Reviewer shall:
a) ensure that the Review has been conducted in accordance with the Review Plan and its objectives;
b) communicate and circulate the initial findings of the Review to all relevant persons so that their comments can be incorporated (if required) in the Final Review Report;
c) coordinate the Review with all relevant persons and related activities;
d) continuously evaluate the adequacy of the Review Plan and the Reviewer’s assessment team; and
e) follow up with the relevant persons on all outstanding matters or further actions required.
6 Recording the Review Plan Findings
The Reviewer’s records of each Review shall include the following:
a) records of all documents relating to the engagement of the Reviewer by the Regulated Entity;
b) interim and final versions of the Review Plan;
c) documents and correspondence relating to any findings of non-compliance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
d) documents and correspondence relating to all corrective actions;
e) documents and correspondence relating to all follow-up actions; and
f) interim and final versions of the Review Report.
g) The Reviewer shall maintain all records of each Review for a minimum period of five years from the date of conclusion of the applicable Review.
7 On-going Monitoring and Assessment of the Review Plan
The Reviewer shall continuously monitor the implementation of the Review Plan for each Review to confirm that:
a) all objectives of the Review are met; and
b) any required modifications to the Review Plan can be identified and implemented in a timely manner for the Review to be compliant with the Review Protocol.
8 Pre-Review Activities
a) agreement on all costs, including standard disbursements (such as travel expenses, hotels and meals), for each location where any part of the Review shall be carried out;
b) determining all locations, including offsite premises (and related contact information), for all business operations that relate to the Supply Chain (including transportation, transformation, chemical refining and trading) and/or all locations that have a direct or indirect impact on comprehensive due diligence of the Supply Chain (including ensuring that track and trace activities are carried out with regard to the handling, processing and/or transportation of the gold and/or precious metals);
c) establishing a preliminary timeline for the Review, including a breakdown for each location;
d) establishing an accurate assessment of all relevant documentation that may be subject to the Review (which for each relevant business operation should include a complete list of transactions and related ‘track and trace’ information of the relevant supplier);
e) establishing an accurate assessment of all relevant counterparties of the Regulated Entity (including the country of residence and risk classification) and related due diligence requirements;
f) establishing an accurate assessment of all parts of the organisational structure of the Regulated Entity, including a detailed view of all business operations and nominated decision-making staff members of the Regulated Entity that are responsible for the implementation of and compliance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
g) the Regulated Entity shall be responsible for providing the Reviewer with accurate and complete information; and
h) the Reviewer shall provide a copy of the Review Plan to the Regulated Entity in advance of commencing any of the On-site Review Activities, and shall ensure that the Review Plan clearly sets out all types of documentation for relevant activities across relevant departments that are to be reviewed; all individuals (which may be identified by role description alone) from relevant business departments or operations to be interviewed; and the schedule for physical walkthroughs and inspections of relevant business departments and/or operations.
9 On-site Review Activities
9.1 The Reviewer shall conduct an opening meeting with the Regulated Entity. The objective of the opening meeting shall be for the Reviewer to present the Review Plan to the Regulated Entity's relevant business departments or operations and their respective staff members who will be contributing to the Review process, and to reconfirm the following:
a) the various business departments or operations and the roles of relevant staff members in implementing the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
b) the objectives, scope, timeline and procedures of the Review Plan;
c) any locations that need to be reviewed and the availability of appropriate resources for conducting the Review;
d) the confidentiality of the entire review process, including anticipated communication methods (such as meeting minutes, reports and interviews), information handling and the classification of risk for any non-compliance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
e) the conditions for any early termination of the Review process; and
f) the Reviewer’s complaints handling and appeals processes in relation to any aspect of the Review process, both during the Review and upon completion of the Review.
9.2 During the progress of the Review, all evidence obtained by the Reviewer should be objective, relevant and conclusive in order to validate and verify the objectives of the Review. Sources of information for obtaining objective, relevant and conclusive evidence may include:
a) interviews with management, employees and other persons related to the subject matter of the Review;
b) visual observations of activities surrounding relevant working environments and conditions;
c) documents and/or documentary evidence relating to policies, objectives, plans, procedures, standards, instructions, licences and permits, specifications, drawings, contracts, transactions or orders;
d) documents and/or documentary evidence relating to inventory controls, inspections of records, minutes of meetings, audit reports, records of monitoring programmes and results of measurements;
e) data summaries, analyses and performance indicators;
f) information on sampling programmes and procedures to control related sampling and measurement processes; and
g) external source reports or due diligence, including customer feedback, relevant third-party or supplier ratings and websites, and primary and secondary research to enhance the due diligence methods, together with related company databases (electronic or hardcopy).
9.3 The Reviewer should utilise the following methods in the collection of information and evidence required for the Review:
a) conducting interviews with statistically acceptable sample sizes of management and employees, across all relevant business operations, who are directly or indirectly responsible for ensuring the implementation of, and compliance with, the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
b) making visual observations from carrying out physical walkthroughs of all relevant business operations at each relevant location required for confirming the implementation of, and compliance with, the MoE Due Diligence Regulations for Responsible Sourcing of Gold; and
c) conducting detailed documentation reviews to confirm the implementation of, and compliance with, the MoE Due Diligence Regulations for Responsible Sourcing of Gold, including reviews of:
I. the Regulated Entity’s Supply Chain management systems (with emphasis on compliance and risk management structures, related operating policies and procedures, reporting mechanisms, and training and development programmes);
II. the Regulated Entity’s due diligence measures (including KYC procedures, process and implementation, and post-account-opening and pre-transaction risk assessments, including Red Flag assessment); and
III. the minimum information recorded to ensure track and trace, i.e. date of gold receipt, physical form and weight of gold, source of origin, point of origin in transportation and/or customs documents (recording of seal numbers and/or packing list).
10 Assessment of Compliance with the Regulations
10.1 Following the conclusion of the On-site Review Activities set out in Section 9 and the evaluation of the results of such activities, the Reviewer shall conclude which one of the following ratings applies to the Regulated Entity:
I. Fully Compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
II. Compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold - Low Risk Deviations;
III. Not compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold - Medium Risk Deviations; or
IV. Not compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold - High Risk Deviations.
10.2 A Reviewer may provide the rating ‘Fully Compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold’, provided that all of the following criteria apply:
a) the Regulated Entity fully participates in the Review process and provides full co-operation to the Reviewer’s assessment team as and when required to enable the Reviewer to carry out a comprehensive Review; and
b) the Regulated Entity has objectively demonstrated that all the Review objectives as set out in this Annex have been fully met, based on evaluation of the findings of the Review.
10.3 A Reviewer may provide the rating ‘Compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold - Low Risk Deviations’ if any one or more of the following criteria apply:
a) the Regulated Entity has objectively demonstrated minor inadequacies or isolated issues with regard to its compliance with Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold, and such minor inadequacies or isolated issues demonstrate no material impact on the overall objective of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
b) the Regulated Entity has objectively demonstrated the existence and implementation of policies and procedures required under Step 1, Step 2 and Step 3 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold, but has also objectively demonstrated a minor lack of formalisation of such policies and procedures;
c) the Regulated Entity has objectively demonstrated minor inadequacies in its collection of adequate supplier due diligence documentation and/or transactional records, but remains able to detect and take appropriate action on Red Flags in accordance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold; or
d) the Regulated Entity has objectively demonstrated minor inadequacies in relation to its use of appropriate internal control mechanisms to track and trace inventory movements.
10.4 A Reviewer may provide the rating ‘Not compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold - Medium Risk Deviations’ if any one or more of the following criteria apply:
a) the Regulated Entity has objectively demonstrated multiple inadequacies with regard to its compliance with Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
b) the Regulated Entity has objectively demonstrated multiple inadequacies with respect to its development and implementation of policies and procedures required under Step 1, Step 2 and Step 3 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
c) the Regulated Entity has objectively demonstrated multiple inadequacies with respect to its collection of adequate supplier due diligence documentation and/or transactional records;
d) the Regulated Entity has objectively demonstrated multiple inadequacies with respect to its ability to detect and take appropriate action on Red Flags in accordance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
e) the Regulated Entity has objectively demonstrated multiple inadequacies with respect to its use of appropriate internal control mechanisms to track and trace inventory movements; or
f) the Regulated Entity has failed to address the findings of the previous Review.
10.5 A Reviewer may provide the rating ‘Not compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold - High Risk Deviations’ if any one or more of the following criteria apply:
a) the Regulated Entity has objectively demonstrated major inadequacies with regard to its compliance with Step 1 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
b) the Regulated Entity has objectively demonstrated major inadequacies with respect to its development and implementation of policies and procedures required under Step 1, Step 2 and Step 3 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
c) the Regulated Entity has objectively demonstrated major inadequacies with respect to its collection of adequate supplier due diligence documentation and/or transactional records;
d) the Regulated Entity has objectively demonstrated major inadequacies with respect to its ability to detect and take appropriate action on Red Flags in accordance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
e) the Regulated Entity has objectively demonstrated major inadequacies with respect to its use of appropriate internal control mechanisms to track and trace inventory movements; or
f) the Reviewer is required to make a report to MoE in accordance with the provisions of these Regulations.
10.6 No conclusions or variations of the assessment of compliance other than those described in this Section 10 are permitted.
11 Closing Meeting
a) Upon establishing an assessment of compliance as per Section 10, the Reviewer shall conduct a meeting with the Regulated Entity to present its conclusions of the Review.
b) The Reviewer shall provide its conclusions in a manner that is capable of being clearly understood and acknowledged by the Regulated Entity, and shall set out in detail its recommendations for improvement, if required, based on the Regulated Entity’s level of conformity with the MoE Due Diligence Regulations for Responsible Sourcing of Gold.
12 Reporting of Review Plan Findings
12.1 Within 90 calendar days from the end of the review period, the Reviewer is expected to conclude the On-site Review Activities set out in Section 6 of this Appendix and provide copies of the review reports (Review Reports) to both MoE and the Regulated Entity.
12.2 Review Reports shall mean:
a) the Comprehensive Management Report issued by the Reviewer in line with Section 13;
b) the Regulated Entity’s Compliance Report issued by the Regulated Entity in line with Section 14; and
c) the Reviewer’s Assurance Report issued by the Reviewer in line with Section 15.
12.3 The Regulated Entity’s Reviewer is required to submit the Review Reports annually to both the Regulated Entity and MoE.
12.4 It shall be the responsibility of the Regulated Entity to ensure that the terms and conditions of the Reviewer’s engagement permit the Reviewer to send copies of the Review Reports directly to MoE.
13 Comprehensive Management Report
The Comprehensive Management Report shall set out in detail the conclusions of the Review process in respect of the Regulated Entity’s compliance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold, in accordance with Annex II – Minimum Reporting Requirements, including:
a) the Regulated Entity’s final overall rating on its level of compliance;
b) a summary of the individual ratings of the Regulated Entity in respect of each of Steps 1 to 5 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold;
c) details of the relevant findings of the Review, including substantiation of any ratings;
d) confirmation of any areas excluded from the scope of the Review;
e) an assessment of the Regulated Entity’s Supply Chain due diligence methods, processes and controls as measured against the OECD Guidance; and
f) a corrective action plan, if required.
If a corrective action plan is set out in the Comprehensive Management Report, the Regulated Entity will use its reasonable endeavours (by applying specific, measurable, achievable, relevant and timely methods) to adhere to the recommendations set out in the corrective action plan.
14 Regulated Entity’s Compliance Report
a) The Regulated Entity’s Compliance Report shall be prepared by the Regulated Entity in a format selected by the Reviewer, consistent with the Comprehensive Management Report, to provide an overview of the detailed findings of the Comprehensive Management Report.
b) The Regulated Entity’s Compliance Report shall include the Regulated Entity’s disclosure of its overall rating relative to the five steps identified in Steps 1 to 5, together with individual ratings for each of Steps 1 to 5 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold.
15 Reviewer’s Assurance Report
a) The Reviewer's Assurance Report is to be prepared by the Reviewer on the basis of the Regulated Entity’s Compliance Report and serves as an assurance of the findings included in the Regulated Entity’s Compliance Report.
b) MoE shall use the Reviewer's final overall rating as set out in the Comprehensive Management Report as a basis for making a determination on the types of annual review.
c) A Reviewer may make a Reviewer’s Assurance Report on either a ‘Reasonable Assurance’ or ‘Limited Assurance’ standard in accordance with the ISAE 3000 standard.
d) The first Review of any Regulated Entity must be done in accordance with the ISAE 3000 standard on a Reasonable Assurance basis for the period of the 12 months preceding the date of engagement of the Reviewer, in conjunction with the financial year of the Regulated Entity.
e) Following a first Review of a Regulated Entity based on the ‘Reasonable Assurance’ standard in accordance with the ISAE 3000 standard, a subsequent Review carried out in accordance with the ISAE 3000 standard must be conducted no less than three years from the date of the previous Review of the same standard. For the intervening two-year period, a Reviewer may carry out a Review based on the ‘Limited Assurance’ standard in accordance with the ISAE 3000 standard.
f) MoE may instruct the Regulated Entity to inform a Reviewer to carry out any Review on the ‘Reasonable Assurance’ basis in accordance with the ISAE 3000 standard, and the Reviewer and Regulated Entity shall amend the terms and conditions of the Reviewer’s engagement accordingly.
16 Mandatory Follow-Up Review
a) If any Review has resulted in the rating of ‘Not compliant with the MoE Due Diligence Regulations for Responsible Sourcing of Gold - High Risk Deviations’, the Reviewer must conduct a follow-up Review (Follow-up Review) based on the ‘Reasonable Assurance’ standard in accordance with ISAE 3000 within 90 days after the issuance of the applicable Regulated Entity's Review Reports.
b) If a Follow-up Review is required, the Regulated Entity must confirm with MoE that it has concluded an engagement with a Reviewer and that the Reviewer has commenced the Follow-up Review within the applicable 90-day period.
c) The scope of any Follow-up Review shall be the Regulated Entity's corrective action plan as provided by the Reviewer who conducted the preceding Review, and shall include details of the implementation of the Regulated Entity's corrective actions to address the rating.
d) Upon completion of a Follow-up Review, the Regulated Entity shall issue a consolidated compliance report incorporating the corrective actions undertaken in areas of high or medium risk deviation from the MoE Due Diligence Regulations for Responsible Sourcing of Gold, and a disclosure of the individual rating of its level of compliance with each of Rules 1 to 5 of the MoE Due Diligence Regulations for Responsible Sourcing of Gold following the implementation of the corrective action plan.
e) Upon completion of a Follow-up Review, the Reviewer shall issue an independent Reviewer’s Assurance Report on the Regulated Entity's consolidated compliance report, and shall make copies of both reports and the Regulated Entity’s associated corrective action plan available to MoE within 30 days of concluding the Follow-up Review.
f) If a Regulated Entity is required to conduct a Follow-up Review, the next annual Review period will commence on the date of conclusion of the Follow-up Review. A Reviewer must carry out the next Review following a Follow-up Review on the ‘Reasonable Assurance’ standard in accordance with the ISAE 3000 standard.
17 Breach of Review Protocol
During any Review, any one or more of the following circumstances shall constitute a zero-tolerance breach of the Review Protocol:
a) the Reviewer is not provided with adequate access to any of the Regulated Entity's locations that are subject to the Review;
b) the Regulated Entity has used unethical methods to influence the outcome of the Review;
c) any misrepresentation or falsification of documentation has been carried out by the Regulated Entity and/or any Supply Chain participant (with the knowledge and acceptance of the Regulated Entity); or
d) the Regulated Entity continues to have dealings with suppliers even though its due diligence has confirmed that the supplier is directly or indirectly associated with conflict gold, severe abuses of human rights, Money Laundering or Terrorism Financing.
e) Upon the occurrence, or reasonable suspicion of the occurrence, of any of the events set out above under paragraphs a) to d), the Reviewer must immediately and confidentially report the matter to MoE, and such report shall be accompanied by the applicable supporting evidence.
f) Upon receipt of a report, MoE shall at its sole discretion determine whether the Reviewer’s claims or suspicions are valid and shall consider at its sole discretion whether to take appropriate action.
Annex II - Minimum Reporting Requirements
1. Introduction
The purpose of this Annex II is to set out the mandatory minimum reporting requirements for the Comprehensive Management Reports described in the Review Protocol in Annex I.
2. Scope
The minimum reporting requirements are applicable to the Comprehensive Management Report for Reviews performed in accordance with the ISAE 3000 standard, as detailed in the Review Protocol in Annex I.
3. Minimum Reporting Requirements
3.1 Each Review Report must:
a) identify the Registered Entity and the period under Review;
b) include a description of the review activities conducted;
c) clarify whether a corrective action plan or measures have been recommended;
d) include details of any disengagement with suppliers during the audit period and the reasons for it;
e) include an assessment of the actions taken/corrective actions implemented in respect of the previous corrective action plan or measures recommended; and
f) include a conclusion statement on compliance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold. The conclusion statement must demonstrate the level of compliance in accordance with the MoE Due Diligence Regulations for Responsible Sourcing of Gold. The individual risks identified should be factored into the overall level of compliance.
3.2 In respect of Rule 1, the Review Report must detail:
a) the adequacy of the Policy and the robustness of its implementation, taking into consideration the application of Step 1;
g) the adequacy and implementation of KYC requirements, taking into consideration the application of Step 2.
3.3 In respect of Rule 2, the Review Report must detail:
a) in relation to transactions:
I. the number of transactions audited, and the number of high-risk transactions audited;
Recommendation: at least 50 % of the high-risk transactions should be reviewed; if the number of high-risk transactions is less than 100, all the transactions must be audited.
II. the percentage of transactions audited as compared to the total number of transactions during the period subject to Review;
Recommendation: the Reviewer should cover at least 5 % of samples in the case of non-high-risk transactions if the total sample size is less than 1000 transactions, and at least 4 % if the total sample size is more than 1000. The Reviewer should use reasonable efforts and samples to draw a meaningful conclusion in the case of any unusual observations.
III. the total number of customer onboarding (KYC) files reviewed by the Reviewer;
Recommendation: the Reviewer should audit all the files of suppliers who are supplying materials from CAHRA. The Reviewer should review at least 25 % of the new customers onboarded during the audit period and 10 % of the customers from the previous audit periods who have an ongoing relationship with the Regulated Entity.
IV. the total volume of Mined Gold or Recycled Gold in relation to the transactions audited;
V. the total volume of Mined Gold or Recycled Gold in relation to the total number of transactions during the period subject to Review;
VI. the total volumes of cash transactions (if any) and their usage in excess of government thresholds as applicable in the Registered Entity’s place of domicile;
VII. the total volumes of unrelated third-party payments (i.e. cash, bank transfers and metal accounts held with Bullion Banks) and physical gold and/or precious metal deliveries in unusual circumstances that are not consistent with local and/or international market practices (for example, value, quantity, quality, profit); and
VIII. the adequacy and implementation of track and trace mechanisms from mine/supplier to sale and/or physical delivery to the Regulated Entity’s suppliers;
b) in relation to geographical considerations:
I. gold sourced from different geographical locations based on physical form; quantity; actual or declared purity; country of origin and transportation; and
II. any transaction which is related to a sanctioned and/or embargoed country, entity, or individual;
c) in relation to risk assessment, the alignment of the risk assessment methodology with Rule 2 and any deviations from the requirements of Rule 2; and
d) the number of transactions and/or suppliers where enhanced due diligence was conducted during the period subject to Review.
3.4 In respect of Step 3, the Review Report must detail the adequacy and implementation of the Risk Management Plan.
3.5 In respect of Step 4, the Review Report must include a detailed assessment and rating of compliance with the Review Protocol (Annex I).
3.6 In respect of Step 5, the Review Report must provide confirmation as to the Regulated Entity’s public disclosure on the Regulated Entity’s website of the relevant Review Reports in accordance with the Review Protocol in Annex I:
I. a description of the review activities conducted;
II. whether a corrective action plan or measures have been recommended; and
III. an assessment of the actions taken/corrective actions implemented in respect of the previous corrective action plan or measures recommended.