You can read an auto-translated version below. Please use ONLY the official law, in Spanish, for any official purposes. HomeFinder is not a translation firm, so keep in mind there might be translation errors. This is provided as a service to you but PLEASE PLEASE read the official Spanish version before taking any decisions. There are formatting errors; please use only the official Spanish version for anything but a quick reference.
AUTO TRANSLATED DOCUMENT BEGINS :
THIS IS NOT AN OFFICIAL TRANSLATION:
COMPILED DOCUMENT INCLUDING DRAFT "TECHNICAL RULES TO FACILITATE THE APPLICATION OF THE BITCOIN LAW", SUBMITTED TO CONSULTATION.
THE STANDARDS COMMITTEE OF THE CENTRAL RESERVE BANK OF EL SALVADOR, CONSIDERING:
That article 14 of Legislative Decree No. 57, dated June 8, 2021, which contains the Bitcoin Law, established Bitcoin as legal tender in the territory of El Salvador, unrestricted, with liberating power, unlimited in any transaction and under any title that public or private natural or legal persons require to carry out. The adoption of the Bitcoin Law makes necessary the entry into operation of different economic agents that make it possible to offer agile, competitive and inclusive financial services to the general population, considering transactions in the currencies that are legal tender in the territory of El Salvador.
That the Bitcoin Law establishes in its article 11 that it is the responsibility of the Central Bank to issue the corresponding regulations.
That article 99 of the Financial System Supervision and Regulation Law, in its fourth paragraph, establishes that the Central Bank will be responsible for the approval of the other resolutions that, within the scope of its competence, are necessary for the proper functioning of the Financial Supervision and Regulation System, as well as for the application of this Law and of the other laws applicable to those supervised.
That technological advances in financial matters make it possible to perform operations and transactions effectively and immediately through various electronic and digital devices, which makes it essential to establish rules for operation.
By virtue of the regulatory powers conferred by article 99 of the Law on Supervision and Regulation of the Financial System,
AGREES, to issue the following:
TECHNICAL RULES TO FACILITATE THE APPLICATION OF THE BITCOIN LAW
OBJECT, SUBJECTS AND TERMS
Object
Art. 1. The present Rules are designed to regulate the rights and obligations in trade relations between financial institutions and providers who contract for the proper functioning of transactions and digital payments in dollars or bitcoin through various electronic mechanisms.
Art. 2. The subjects obligated to comply with the provisions of these Rules are the Banks, Cooperative Banks and Savings and Credit Societies that are interested in providing the service of convertibility of dollars and bitcoin and vice versa, through providers of:
a) Digital wallets of bitcoin and dollars;
b) Digital Exchange Houses or Exchanges for bitcoin and dollars;
c) Payment service providers for bitcoin and dollars; and
d) Any other agent in the value chain of the service or product related to these Rules, such as custodians and providers of technology related to bitcoin.
The products and services referred to in these Regulations shall only consider legal tender currencies in Salvadoran territory.
Terms of Service
Art. 3.- For the purposes of these Regulations, the terms indicated below have the following meaning:
a) Digital wallet for bitcoin and dollars: digital registration of bitcoins or dollars in favor of a natural or legal person, which will be provided through a digital platform;
b) Central Bank: Central Reserve Bank of El Salvador;
c) Bitcoin: legal tender according to the Bitcoin Law that uses Blockchain technology;
d) Cash machine for bitcoin or ATM (Automated Teller Machine): machines equipped with electromechanical or digital devices that allow customers to carry out, among other services, cash withdrawals, transfers between accounts and service payments;
e) Digital exchange house or exchange: exchange house for bitcoin or dollars, incorporated as an S.A. and authorized by the Superintendency of the Financial System, whose regular business is buying and selling bitcoin through an electronic platform or applications at prices determined by market supply and demand;
f) Custodian of bitcoin: Companies that are dedicated to the provision of custody services, on behalf of third parties, of bitcoin or the means of access to said bitcoin, in the form of private cryptographic keys;
g) Dollars: refer to dollars of the United States of America;
h) Institution authorized and constituted in the country: public limited companies with fixed capital incorporated in El Salvador and authorized by the Superintendency of the Financial System under this Law;
i) Institution incorporated abroad and authorized locally: company incorporated and licensed in another country that provides services regulated by this Law, such as digital exchange houses or exchanges, custodians of digital values or any other agents in the value chain of the product or service related to this Law;
j) Payment Platform or Payment Gateway: a means that facilitates electronic transactions of funds for payments between a client and a seller of goods or services. Payment platforms are used in e-commerce, as they allow payments to online businesses, businesses with a physical presence that are simultaneously online, or traditional businesses;
k) Payment service providers with bitcoin and dollars: public limited companies with fixed capital; their purpose will be limited to providing payment services with bitcoin and dollars, observing the requirements established for that purpose;
l) Superintendency: Superintendency of the Financial System; and
m) Blockchain or decentralized records technology: support protocols and infrastructure that allow computers in different locations to propose and validate transactions and update records in a synchronized way through a network.
CHAPTER II
OBLIGATIONS OF THE SUPERVISED
Art. 4.- The subjects of these Rules must at all times comply with the following:
a) Conduct business with honesty and integrity;
b) Pay due attention to the interests and needs of each and every one of their customers and communicate with them in a fair, clear and non-misleading manner;
c) Maintain sufficient financial and non-financial resources to fulfill their services and clients;
d) Manage and control their business effectively and carry it out with due skill, care and diligence, including the proper management of the risks to their business and their customers;
e) Have effective means for the protection of the assets and the money of the clients when they are responsible for them;
f) Have effective corporate governance agreements;
g) Ensure that their security access systems and protocols are maintained with high standards;
h) Have systems to prevent, detect and disclose the risks of financial crimes, such as money and asset laundering, the financing of terrorism and the proliferation of weapons of mass destruction; and
i) Be resilient and have contingency and solvent arrangements for the orderly winding down of the business.
Specific obligations applicable to business models
Art. 5.- The subjects of these Rules, in accordance with their business model, must comply with the following:
a) Establish policies and procedures for consumer protection, in accordance with the applicable legal framework;
b) Establish contingency mechanisms that provide the entity with the ability to continue providing the service in the event of contingency, failures or interruptions in any of the infrastructure components involved in providing the service;
c) Safeguard the information on the operations carried out on secure storage media, in compliance with its internal policies regarding the backup and recovery of information for a period of fifteen years, counted from the date of completion of each operation;
d) Comply, as obligated subjects, with the provisions of the Law Against Money and Asset Laundering, its Regulations and other regulations and instructions related to the matter of national application. Additionally, they must apply international regulations regarding the prevention of money and asset laundering and financing of terrorism and proliferation of weapons of mass destruction, for which they must establish a monitoring scheme and have software that allows the analysis of the transactions, complying with at least the following:
Risk-based approach and management measures;
Traceability and referral of customer information;
Customer due diligence;
Due diligence of politically exposed people;
Mitigation of new technologies;
Monitoring, controls and reporting of electronic transfers;
Internal controls; and
Report of suspicious operations and others.
e) Provide clients with clear and timely information regarding the services provided, the conditions of access to them, including rates and commissions;
f) Provide the information required by the competent authorities within the deadlines set by them;
g) Post on electronic devices the public warning and notice to their customers of the risks incurred in the use of bitcoin;
h) Provide financial education programs on the use of its products and bitcoin;
i) Provide training programs to staff on the use of their products and bitcoin; and
j) Adapt their Corporate Governance and Risk Management policy in accordance with the provisions of these Rules.
Art. 6.- The entities subject to these Norms, according to their business model, will be obliged to have the personnel, equipment, technological platforms, financial resources, administrative control systems, security applications, business plan, manuals, procedures, policies and internal controls to ensure the proper functioning of the services set out in these Rules, all in accordance with the provisions of articles 4 and 5 of these Rules.
CHAPTER III
OF NO OBJECTION
Of No Objection
Art. 7.- Banks, Cooperative Banks and Savings and Credit Societies interested in providing the services of convertibility of bitcoin and dollars and vice versa, in accordance with the provisions of article 2 of these Norms, must submit to the Superintendency a request for No Objection accompanied by the following information:
a) Copy of the agreement of the Administrative Body in which it has approved requesting the No Objection to provide the convertibility service of bitcoin and dollars and vice versa in accordance with the provisions of these Regulations;
b) Detailed description of the business operating model that must at least comply with the provisions of article 13 of these Regulations, with the approval of the Administration Body of the corresponding entity;
c) Model Service Contract for the convertibility of bitcoin and dollars, which must consider at least the provisions of Article 14 of these Rules, with the approval of the Appellate Body of the corresponding entity;
d) Affidavit signed by the Legal Representative, with its respective notarial authentication, in which it is declared that:
It has been verified that the client meets the requirements and parameters contained in the internal regulations;
It has been verified that the content of the contracts to be signed, arising from operations through providers to provide the convertibility of bitcoin and dollars and vice versa, as the case may be, does not contain clauses that go against the related legislation and regulations;
It has been verified that the computer systems function properly, through which the represented entity ensures adherence to sound practices that promote the security of the operations and services of convertibility of bitcoin and dollars and vice versa and seeks appropriate care of users; and
The adequate implementation of controls defined by its represented company through the corresponding areas has been verified, in order to fulfill the aforementioned purposes.
Art. 8. In the content of the affidavit referred to in the preceding article, the grantor must declare the truth of what is stated, which includes having carried out the steps for the proper implementation, adequacy and compliance with the requirements by the entity it represents, in order to obtain the No Objection from the Superintendency to provide the service of convertibility of bitcoin and dollars through providers of digital wallets of bitcoin and dollars, Digital Exchange Houses or Exchanges for bitcoin and dollars, providers of payment services for bitcoin and dollars, and any other agent in the value chain of the product or service related to these Rules, such as custodians and providers of technology related to bitcoin.
Once the documentation is properly received, the Superintendency will proceed to analyze it and the Superintendent will communicate the No Objection of the request or will object to it, within a maximum period of thirty business days. Once this period has expired and if the Superintendency does not pronounce, it will be understood that the resolution of the No Objection is favorable for the entity.
If the application is not accompanied by full information in accordance with the provisions of the present Rules, the Superintendency may require the entity to submit the missing documents within ten working days counted from the day following the notification.
The Superintendency, in the same prevention, will indicate to the entity that if it does not complete the information within the aforementioned period, it will proceed without further ado to file the request, saving its right to present a new request.
Analysis of the request
Art. 9.- The Superintendency, after analyzing the documentation established in article 7 of these Regulations, may issue a notice (prevention) requiring the entity to correct the deficiencies found.
The entity will have a period of ten business days from the day following notification of the prevention to correct the observations or to present the documentation and information required by the Superintendency.
The Superintendency, through a grounded resolution, will extend the period indicated in the previous paragraph for up to another ten business days, when the nature of the observations or prevented deficiencies so require.
Art. 10.- The entity may submit to the Superintendency a request for an extension of the periods indicated in articles 8 and 9, having to state the reasons on which it is based and propose, where appropriate, the pertinent evidence.
The term of the extension may not exceed ten business days and will start from the business day following the expiration date of the original term.
Suspension of the term
Art. 11.- The period of thirty business days indicated in article 8 of these Regulations will be suspended for the days between the notification of the request for information or documentation referred to in article 8 of these Regulations, until the entity corrects the observations required by the Superintendency.
Of the resolution
Art. 12.- Once the required documents have been duly submitted, the Superintendency will proceed to respond to the No Objection request.
Once the No Objection has been issued to carry out operations and provide convertibility services from dollars to bitcoin and vice versa, the entity will be responsible for ensuring compliance with these Rules and the applicable regulatory framework for its operation.
Minimum content of the description of the business operating model
Art. 13.- The business operating model must contain at least the following:
a) Terms and conditions for the use of the technological platform, as appropriate;
b) Volume of business and transactions expected to be handled, specifying the time period;
c) General technical description of the type of technology to be used;
d) Mechanism of identification, subscription and registration of customer information to the services, as well as the activation, blocking, deactivation of the same, the reversal of the operations and the delivery of security keys, as well as the reasons for rejection of the operations and the procedure for notifying the client of the respective rejection;
e) Maximum balance limit and maximum amount for transactions per customer, as well as a description of the mechanisms to ensure compliance;
f) Type of operations that the client may carry out, accompanied by the respective operating scheme that includes the role of the Provider and other participants, the phases considered in the provision of the service and the measures to ensure the confidentiality, availability, integrity and functionality of the operations;
g) Commissions to be charged for the provision of the service;
h) Technical description of the electronic platform that will support the service by electronic means, as well as the mechanisms and computer systems for controlling and monitoring the services;
i) Description of the information that will be displayed on the platform to be used to provide the service, such as: dollar amount and its equivalent in bitcoins and vice versa, market value of bitcoin in real time, contacts, among others;
j) Mechanism to guarantee the linking of a digital registry to a single natural or legal person, as long as it does not have a current registry with the same Provider; and
k) Procedures, deadlines and other rules for the attention of the Provider to its clients in relation to: consultations made, attention and resolution of complaints, claims, among others. The means of receipt of the same, office address, telephone, email, in which the client can make their inquiries, complaints and claims must be specified.
To grant the No Objection of the business model regarding the maximum limits for transactions and amounts per user, the Superintendency may consider the parameters established in the Law to Facilitate Financial Inclusion and the Law against Money and Asset Laundering.
Service Contracts
Art. 14.- The subjects bound by these Rules may contract bitcoin to dollar convertibility services, digital wallets, custody and other services, on their own account and under their responsibility. These contracts must contain at least:
a) Express declaration that the convertibility service provider acts on behalf and under the responsibility of the entity subject to these Norms, it being the entity's responsibility to verify compliance with the obligations contained in these Norms;
b) The provisions that the parties establish on convertibility operations between bitcoin and dollars and the management of risks inherent in these transactions;
c) The measures that the entity will require and implement with the provider for the prevention of money and asset laundering and terrorist financing and full compliance with the legal requirements as an obligated subject;
d) The obligations of the provider of convertibility services to deliver to clients, on behalf of the contracting entity, the support and registration of transactions by electronic means; as well as, to maintain reserve and confidentiality on the information to which it has access regarding the client;
e) The economic obligations between the contracting parties;
f) The hours of attention to the public and levels of service, between the parties and that will be offered to users;
g) The security measures and the availability of human resources that must be established to carry out operations and provide convertibility services between dollars and bitcoin;
h) Operations carried out by each of the parties for the operation of the business model;
i) Term of the contract;
j) The clauses of suspension and termination of operations and provision of services, as well as their legal consequences; and
k) Responsibilities and prohibitions of each of the parties, which must contain, among others, the responsibility for the commission of any crime that they commit in the exercise of their commercial activities, being in any case the entity subject to these Rules the person responsible for the user for any loss or damage.
In addition, clauses should be included that facilitate an adequate review of the respective performance of operations and provision of convertibility from bitcoin to dollars and vice versa, by the same entities or eventually by the Superintendency and other supervisory bodies.
No entity may develop services for the convertibility of bitcoin to dollars and vice versa with a natural person or legal entity without having signed the corresponding service contract that at least meets the provisions of this article.
Art. 15.- For contracting, entities must establish the minimum selection criteria that their suppliers must meet, such as:
a) Be authorized and / or registered in a regulatory or supervisory body that has similar or higher regulatory and supervisory requirements with respect to those of El Salvador;
b) Comply with corporate governance standards in the management, direction and control of its operations;
c) Possess technical-financial capacity for the service to be provided;
d) Possess adequate risk management, information security and business continuity; and
e) Comply with the regulations related to the prevention of money and asset laundering and the financing of terrorism and the proliferation of weapons of mass destruction.
These conditions and requirements must be validated by the entity prior to hiring.
Art. 16.- The supervised entities that contract the custody service will enter into a contract to specify their obligations and responsibilities. This contract will include, at least, in addition to what is considered in article 14 of these Rules, the following elements:
a) The identity of the parties to the contract;
b) The nature of the service provided and a description of said service;
c) The means of communication between the bitcoin custodian service provider and the client, including the client’s authentication system;
d) Description of the security systems used by the bitcoin custody service provider;
e) Fees charged by the bitcoin custodial service provider; and
f) Comply with the regulations related to the prevention of money and asset laundering and the financing of terrorism and the proliferation of weapons of mass destruction.
Circumstances that prevent hiring
Art. 17.- The subjects bound by these Rules should check, prior to hiring entities that are providers of digital wallets for bitcoin and dollars, Digital Exchange Houses or Exchanges of bitcoin to dollars and vice versa, providers of payment services with bitcoin and dollars, custodians and technology providers related to bitcoin, and any other agents in the value chain of the product or service related to these Rules, that their directors, managers and shareholders are not in any of the following circumstances:
a) Be a minor;
b) Be a debtor of the Salvadoran financial system classified in the following risk categories: difficult to recover or unrecoverable; likewise, those who have been required to have a sanitation reserve of fifty percent or more of the balance;
c) Have been convicted in a final judgment or other resolution of similar effect, in the country or abroad, for having intentionally committed or participated in the commission of any crime;
d) Be in bankruptcy, receivership or bankruptcy;
e) Having been judicially qualified as responsible for a negligent or fraudulent bankruptcy;
f) Having had their participation judicially proven in activities related to drug trafficking and crimes associated with money and asset laundering, the financing of terrorism and the proliferation of weapons of mass destruction, whether in the national jurisdiction or abroad; and
g) Having been sanctioned, administratively or judicially, for their participation in a serious infringement of the laws and regulations of a financial nature in the national jurisdiction or abroad, especially the raising of funds from the public without authorization.
Responsibilities of the digital wallet provider
Art. 18.- The financial institution must ensure that the electronic platform of the digital wallet allows the convertibility of bitcoin to dollars and from dollars to bitcoin. The electronic platform for the digital wallet must allow the Central Bank, the Superintendency and the Ministry of Finance immediate access, when required, to all the information related to the operations carried out, both individually and jointly.
Art. 19.- The digital wallet provider assumes before the client full responsibility for all operations and services carried out through the electronic platform and will answer to its client for any breach by the Exchange, custodian or any other operator hired for the development and operation of its platform or business.
Digital wallet providers will establish mechanisms and procedures to address their customers' claims regarding transactions, specifying the official means of receiving them; claims must be resolved within a period that may not exceed ten working days from the filing of the claim.
In any case, said procedure must incorporate internal controls on the consultations attended and the answers provided.
Transparency of charges
Art. 20.- The subjects bound by these Rules must make public quarterly and each time they are modified, the commissions (the amount or percentage) and any other charge associated with the services they offer to their clients on their website, also being able to use any other mass communication medium. Said communications must be made in a prior, clear, legible and visible manner, being obliged to comply with what is offered or communicated to its clients.
CHAPTER IV
DIGITAL EXCHANGE HOUSES AND CUSTODY OF BITCOIN
Digital exchange house
Art. 21.- The entities subject to these Rules must ensure that the Digital Exchange Houses that they contract for the purchase and sale of bitcoin apply local regulations and international good practices in the matter of prevention of money and asset laundering, the financing of terrorism and the proliferation of weapons of mass destruction.
Likewise, the subjects of these Rules will have the obligation to deliver the respective digital receipt to the natural or legal persons that carry out with them operations of purchase and sale of bitcoin and dollars, in accordance with the provisions of these Rules, detailing the commissions of exchange and all transaction costs.
Art. 22.- The entities that hire the custody service must ensure that the custodians keep a register in the name of each client of the corresponding rights over the bitcoins, recording in real time in that register any movement that is performed following the instructions of their clients. Their internal procedures will guarantee that any movement that affects the registration of bitcoins is reflected in an operation duly recorded in the customer's position register.
When appropriate, the subject bound by these Rules will facilitate the exercise of the rights associated with bitcoins. Any event that may create or modify the client’s rights will be recorded in the client’s position register as soon as possible.
AUTOMATIC TELLER MACHINES FROM BITCOIN TO DOLLARS AND VICE VERSA
Liability of ATM owners
Art. 23.- The installation, operation, quality and security of the operations of the ATMs from bitcoin to dollars and vice versa, is the responsibility of the obligated subjects of these Regulations.
The above activities may be delegated to third parties that provide these types of services, which will be done by a service contract specifying the conditions and responsibilities that the supplier undertakes, based on a risk analysis made by the entity.
Handling of confidential information
Art. 24.- In order to preserve the confidentiality of user data, the vouchers issued by the ATM that expose confidential information must hide part of said information.
When the operation is to withdraw cash through a digital wallet, ATMs must issue, at the express request of the user, the receipt of the transaction carried out by the user, which must contain at least the amount withdrawn and current balance, when applicable.
Art. 25.- All ATMs must be duly marked with the identification or logo of the entity to which they belong and the international brands to which they are affiliated.
Check balances and latest applications
Art. 26.- All ATMs must be programmed so that the user can, at a minimum, consult their balances in their associated accounts.
Art. 27.- The automatic teller machine must be programmed to require the user to enter their secret code (PIN) or other identification mechanism, before starting the session.
The user may change his secret code (PIN) each time he requires it and according to the provisions issued by the corresponding issuing entity.
Conditions of the location
Art. 28.- Automatic teller machines must be installed in places that provide the best service to users, so they must be installed in accessible places that have the minimum security conditions according to the risk analysis carried out by the entity.
CHAPTER VI
DISCLOSURE OF INFORMATION
Information prior to providing the client
Art. 29.- The entity must provide customers through electronic means, information prior to the conclusion of the service contract, with the following minimum content:
a) Volatility of the value of Bitcoin;
b) Commissions receivable;
c) Impossibility of reversing operations once executed, if applicable;
d) Inherent cyber and fraud risks;
e) Warning that, in case of loss of the customer's passwords, the customer will not be able to access the account balance and there will be no way to reset or recover the password;
f) Explanatory legend on possible modification of the commissions; and
g) Other information that is considered important to customers.
Entities must take into account the interests of different clients and distribute products and services, which must be promoted in a clear, fair and non-misleading manner.
Formal customer service
Art. 30.- The entities must have customer service mechanisms, to attend by any means the queries, complaints or disagreements of the customers, specifying the hours for the attention to the public and the communication media, such as: electronic media and telephone service, email, among others according to the entity’s business model. Likewise, it must inform about the mechanisms and procedures of attention, as well as estimated response times.
The entity must disclose on its website the most frequently asked questions, with their respective answers, which must be incorporated as part of the disclosure they make.
Training of personnel related to the formal care service
Art. 31.- The entity must train employees related to customer service on the content of the products or services offered.
The training program and the training carried out must be duly documented, and at the disposal of the Superintendency.
Generation of statistical information
Art. 32.- The entity must have specialized computer programs or other computer tools for the due control of complaints or non-conformities that clients present to the formal attention service, which must contain, among others, the number of cases, reason of complaints or non-conformities received, cases in process or completed, according to the format described in Annex No. 1 of these Regulations.
This program or computer tool will generate statistics to know which product is the one that is presenting the most complaints or nonconformities, in order for the management body to make decisions based on relevant and timely information in accordance with the provisions of article 35, literals d), e), h) and j) of the Financial System Supervision and Regulation Law.
Said program will be available to the Superintendency in accordance with article 32 of the Law on Supervision and Regulation of the Financial System.
Statistical Summary Public Disclosure
Art. 33.- The entity shall disclose on its website a link to a statistical summary of the reasons for complaints or disagreements received in the previous quarter, as well as efficiency indicators of resolved cases and time limits for their resolution.
The entities must present the statistical summary taking into consideration what is established in Annex No. 1 of these Regulations.
Submission of statistical information
Art. 34.- The entity must send monthly to the Superintendency, the Consumer Defender and the Central Bank, within a period of five business days following the month in question, the statistical control established in Annex No. 1 of these Regulations.
In the event that there are no queries or complaints, the entity will send the Superintendency, the Consumer Defender and the Central Bank a note stating such situation.
The entities must send to the Superintendency in the first five business days of the following month of operation, the first report that contains the statistical information of complaints or disagreements of the clients.
Technical details for the submission of information to the Superintendency
Art. 35.- The Superintendency shall transmit to the authorities, with a copy to the Central Bank, within a period of thirty days after the date of entry into force of these Rules, the technical details related to sending the information requested in this Chapter.
The technical details will be limited to the collection of information in accordance with what is regulated in these Regulations.
CHAPTER VII
MANAGEMENT OF THE RISKS OF MONEY AND ASSET LAUNDERING (LDA), TERRORIST FINANCING (FT) AND PROLIFERATION OF WEAPONS OF MASS DESTRUCTION (PADM)
Art. 36.- The entities must establish an organizational or functional structure appropriate to their business model and appropriately segregated, which clearly delimits functions and responsibilities, as well as the levels of dependence and interrelation that correspond to each of the areas involved in the ML / FT / PADM risk management. The structure and operation of the Compliance Office must be consistent with the complexity of the business. Its main objective is to ensure compliance with the legal and regulatory framework regarding LDA / FT / PADM risks. It must be chaired by a Compliance Officer who will be the official responsible for ensuring compliance with the applicable regulatory framework. The Officer must occupy at least a managerial position within the organization and have sufficient power and independence in order to manage the risks associated with the LDA / FT / PADM.
In the case of financial conglomerates, in accordance with literal c) of Article 133 of the Banking Law, the same Compliance Officer may perform said function in different companies of the same conglomerate, when so determined by the Board of Directors of the conglomerate, or who takes their place, and is ratified by each of the boards of directors of the entities that comprise it. This agreement must be based on the number of clients, number of employees and volume of operations of said companies.
Committee for the prevention of money and asset laundering, the financing of organizational terrorism and the proliferation of weapons of mass destruction
Art. 37.- The obliged subjects must constitute a Committee for the prevention of money laundering in accordance with the provisions of the “Technical Standards for the Management of the Risks of Money and Asset Laundering, and Terrorism Financing” (NRP-08), approved by the Central Bank through its Standards Committee.
Art. 38.- The Committee shall be composed of at least five (5) members: a director of the Board of Directors or its equivalent; the Executive Director or General Manager; the Director, Manager or Chief of Risks or Operations; the Legal Director or its equivalents; and the Compliance Officer. The board member will serve as chair and the compliance officer as committee secretary.
The members of the committee will be appointed by the board of directors or its equivalent and the agreement will be presented to the supervisory body when required.
The appointment of persons to serve on the Committee shall be in accordance with the type of organization of each institution, organization or company, in order to avoid limitations or conflicts in appointing them.
Financial Conglomerates and Business Groups may form a single Committee, as long as it is in harmony with what is defined for the Compliance Officer in the previous article.
Functions and other aspects related to the Prevention Committee shall be those included in the “Technical Standards for the Management of the Risks of Money and Asset Laundering, and Terrorism Financing” (NRP-08), adopted by the Central Bank through its Standards Committee.
Powers of the Compliance Office
Art. 39.- The Compliance Office, as the unit in charge of the prevention of the risks of LDA / FT / PADM, must only exercise functions of prevention of the risks of LDA / FT / PADM, having to comply with the powers established in article 16 of Chapter VIII of the UIF Instructions and additionally with the following responsibilities:
a) Strict compliance with the legal and regulatory framework regarding the prevention of money and asset laundering and terrorist financing and instructions issued by the FIU and the Superintendency;
b) Prepare the policies and procedures for the prevention of LDA / FT / PADM for their subsequent approval by the Board of Directors, the Entity’s Administrative Body or whoever acts in their stead;
c) Prepare a risk matrix that evaluates and identifies the risks to which the entity is exposed, considering the risk factors defined by these Norms;
d) Carry out permanent monitoring, through technological solutions or others that are appropriate according to the nature of the business and computer systems, of the transactions carried out by its clients, to establish the existence of cases considered irregular or suspicious that warrant reporting to the FIU in accordance with the provisions of current legal provisions;
e) Communicate directly to the FIU and other competent authorities, in accordance with each case and where relevant, the following information:
Reports of irregular or suspicious transactions;
Reports of regulated operations in accordance with the threshold in the Law Against Money and Asset Laundering, in accordance with the legal provisions; and
Acts of internal operations involving activities that generate concern for the entities and, where appropriate, the employees, officers or members of the Board or Administrative Body involved who have been separated from their posts for that reason.
f) Implement computer tools for the control and monitoring of transactions carried out by the entity’s clients;
g) Prepare and maintain digital files of clients reported as irregular or suspicious to the FIU, during the period established in the Law Against Money and Asset Laundering;
h) Inform the Board of Directors about the activities carried out by the Compliance Office; and
i) Prepare the work plan and submit it to the Board of Directors for approval.
Art. 40.- Those obliged to comply with these Standards should develop and implement training programs, through the use of new technologies, aimed at staff at least once a year, on the prevention of money and asset laundering, financing of terrorism and financing of weapons of mass destruction, appropriate to the nature of the business.
Said training program must be able to register the full name and position of the personnel of the entity that has taken the training, as well as what is established in the UIF Instructions.
Stages of the LDA / PADM risk management process
Art. 41.- For the management of LDA / FT / PADM risks, the obligated subjects must have a continuous process in order to establish a methodology designed to identify, measure, control, monitor and communicate potential LDA / FT / PADM risk events that may affect them, with the purpose of preventing, detecting and mitigating them in a timely manner.
Risk factors for ML / FT
Art. 42.- Methodologies must be established to segment risk factors and identify the forms and types through which this risk can occur, the main generators of LDA / FT / PADM risk being, among others: customers, products, services, distribution channels, and location or geographic location.
Art. 43.- The entities must apply due diligence, which will imply that they implement the procedures and controls, electronically, to assess, identify and verify the identity of their clients and final beneficiaries and monitor their operations, in order to properly manage LDA / FT / PADM risk. It includes the documentation that justifies the origin of the funds, economic activity, geographic location and other information that is necessary to know your client and establish their transactional profile.
Entities must take reasonable measures to carry out due diligence procedures electronically to their clients, whether natural or legal persons, among others.
Digital identification performed electronically substitutes for physical presence through the recording of personal data by means of authentication processes, biometric records, scanning of the single identity document, geolocation, IP address recognition, etc., using rigorous techniques or alternative technological methods of equal rigor, storable and non-manipulable, in accordance with the following specifications:
a) Identify the client reliably through their identity documents and other basic information that entities request, electronically, at the time of contracting, making sure that the document is original. In the case of legal persons, apart from identifying them, they must also know and document their legal nature, business name, economic activity in which they are engaged, accreditation and identification of the legal representative, shareholders and partners with an equity stake above 10% and members of the Board of Directors, among others. They must adequately know the economic activity carried out by their clients, its magnitude, frequency and the basic characteristics of the transactions in which they are currently involved, and establish that the volume, value and movement of funds of their clients are related to their economic activity;
b) Any procedure that includes the original display of the client’s identification document may be used, such as, for example, the remote identification procedure by video. Likewise, you may comply with the requirement to display the documentation that proves identity through the Unique Digital Identity Document through official digital media;
c) The electronic due diligence process must be stored with proof of date and time, kept in their computer systems, in accordance with the provisions of article 12 of the Law Against Money and Asset Laundering;
d) It is the responsibility of the entity to implement the technical requirements to ensure the authenticity, validity and completeness of the information provided by the client being identified, as well as the confidentiality and inalterability of the information obtained in the identification process;
e) Verify updated lists of natural or legal persons involved in crimes related to the LDA / FT / PADM, from publications of countries or local and international organizations;
f) Verify lists related to countries considered jurisdictions with no or low taxation, natural or legal persons linked to criminal acts, including terrorism and who perform or have performed prominent public functions in the country or country of origin (PEP’s), prior to establishing or starting any financial business with potential clients;
g) Request documentation according to the LDA / FT / PADM risk level, on the origin of the client’s funds and assets;
h) Establish transactional profiles of clients on the operations and services that they will carry out with the entity, based on their economic activity;
i) Entities must identify the final beneficiaries in all transactions or operations carried out by them;
j) Establish continuous procedures to update general information on existing clients;
k) Maintain a detailed record of the entity’s clients that have generated suspicious transaction reports;
l) Monitor the transactions made by customers during the course of the business relationship, in order to ensure that the transactions they are making are consistent with their transactional profile; and
m) Permanently monitor customers who are in countries or jurisdictions designated as high risk or non-cooperative by the FATF, or have business with people located in those territories; likewise, clients or users who carry out financial business in countries considered to have low or no taxation.
Extended or Enhanced Due Diligence.
Art. 44.- Extended or improved due diligence must be applied, monitoring the operations of its clients and identifying the final beneficiary, in order to adequately manage the risk of LDA / FT / PADM. It includes the documentation that justifies the origin of the funds, economic activity, geographic location and other information that is necessary to know your client and establish their transactional profile. Likewise, it will be applied to those clients with high-risk economic activities, non-specific funding sources, with a change in transactionality, who use products / services not in accordance with their purpose, PEP’s clients, clients of Designated Non-Financial Activities and Professions (DNFBP), among others, requiring additional supporting information.
Extended due diligence should also apply to clients located in countries that have been designated by the FATF as high-risk or non-cooperating jurisdictions and to clients who have business relationships with other clients in those territories or jurisdictions.
In addition, entities must carry out extended identification of the customer, electronically, for operations beyond the threshold designated by the current legal framework. Said entities must ensure that they maintain the mandatory and accurate information of the originator and the mandatory information of the beneficiary about the operations they carry out with bitcoin, and this information must be available to the competent authorities upon request.
Due diligence to clients with unsupervised financial activities and DNFBPs
Art. 45.- Entities must apply due diligence, electronically, to clients with a financial line of business and clients with designated non-financial activities and professions.
Politically Exposed Persons (PEPs)
Art. 46.- The entities must verify updated lists of natural or legal persons involved in crimes related to the LDA / FT / PADM, coming from publications of countries or local and international organizations. They must also verify lists related to countries considered jurisdictions of null or low taxation, also on natural or legal persons linked to criminal acts, including terrorism and who perform or have performed prominent public functions in the country or country of origin (PEP’s), prior to establishing or starting any financial business with potential clients.
The customer will perform acceptance through the website of the entity or alternative channels (telematic, telephone or equivalent), sending the documents set forth in Article 8 of the FIU Instructions, corresponding to its nature and characteristics.
The entity will deliver a personal and non-transferable key, including control questions, which should be used by the customer to operate.
Entities must have a database of high-ranking public officials to be classified as PEP’s in El Salvador or their equivalents in foreign countries, which, among others, will be the following:
a) Popularly elected public officials;
b) Public officials appointed by the President of the Republic;
c) Elected public officials of the second degree;
d) Appointed to the Presidency of the Republic;
e) Presidents of autonomous or semi-autonomous institutions, attached or not to the Executive Branch;
f) Departmental Governors;
g) Proprietary and Alternate Magistrates of the different Chambers of Second Instance of the country;
h) High-ranking officers of the armed forces starting with Captain;
i) Members of the National Civil Police, with the rank of commissioners who have branches or divisions under their responsibility;
j) Ambassadors and consuls of El Salvador posted abroad;
k) Ambassadors and consuls of other countries accredited in El Salvador; and
l) Other high-ranking public officials considered by the entities.
In the case of politically exposed foreigners, the databases of international organizations should be used.
Information request to PEP’s and its update
Art. 47.- The entities must include in their electronic forms the necessary fields so that their clients can declare their status as PEP’s, whether they are close relatives or a commercial or business associate of a PEP’s, and the category to which they belong. Additionally, said clients will be obliged to complete the information included in Annex No. 2 of these Regulations, as well as to update the documentation provided or inform the entity of any changes that may occur in relation to said condition.
Art. 48.- Entities must have specialized computer programs or other computer tools that allow continuous monitoring of the accounts and services offered to customers or other operations, in order to generate alerts in real time when operations are not in accordance with the transactional profile.
Said computer programs must comply with the following:
a) Robustness and high functionality in wide coverage of transactions;
b) Automated and test-based;
c) Use of secure networks to safeguard customer data and transactions;
d) Real-time access to data for digital due diligence controls;
e) Dynamic and automated deduplication;
f) Facilitate the identification and verification of the client at the time of linking;
g) Facilitate other customer due diligence measures; and
h) Assist in transaction monitoring for the purpose of detecting and reporting suspicious transactions, as well as general risk management and anti-fraud efforts.
The level of monitoring of transactions will be determined by the risk assessment of the entity’s clients. Based on its risk analysis and the parameterization established by the entity, it must establish particular warning signals for its business and consequently establish the types of monitoring necessary to identify unusual or suspicious operations. The computer programs must generate, automatically and in a timely manner, alerts on transactions that deviate from the expected behavior of the client.
Obliged subjects must have X.509 Certificates, which are digital certificates managed by authorities that use the X.509 PKI standard to verify that a public key belongs to the client, the computer or the identity of the service in the certificate and that they are used around the world in the public and private sectors;
X.509 attribute certificates, which can encode attributes (such as name, date of birth, address, and unique identification number), are cryptographically attached to the X.509 certificate, and are managed by attribute certificate authorities;
API technology, which provides routines, protocols, and tools for building software applications and specifies how software components should interact; as well as other commercially available technology or potential software or data exchange.
Art. 49.- The Compliance Office and other responsible areas of the entity must carry out a review of the alerts in accordance with the level of risk identified, in order to identify unusual or suspicious transactions that should be followed up.
Traceability of Operations
Art. 50.- To comply with the information and traceability requirements of operations, each time a transfer of funds is greater than or equal to one thousand dollars of the United States of America (USD $ 1,000.00), the obligated subjects must include the following in the order of transmission: the name, the details of the account and the financial institution of the recipient and transmitter, as described in Annex No. 3 of these Rules.
Reporting parties must comply with the requirements of FATF Recommendation 16, including the obligation to obtain, retain and transmit required information about the originator and the beneficiary, associated with transfers with Bitcoin, to identify and report suspicious transactions, take freezing actions and prohibit transactions with designated persons and entities.
Requirements for transactions involving Bitcoin
Art. 51.- Obliged subjects must register, maintain and transmit the following information when dealing with transactions involving Bitcoin: Convertible Virtual Currency (CVC) or Legal Tender Digital Assets (LTDA):
a) The name and address of the client of the financial institution;
b) Identification that Bitcoin has been used in the transaction;
c) The amount of Bitcoin used in the transaction;
d) The time of the transaction;
e) The appraised value of the transaction, in dollars, based on the exchange rate in effect at the time of the transaction;
f) Any payment instruction received from the client of the financial institution;
g) The name and physical address of each counterpart of the transaction of the client of the financial institution; and
h) Any other information that uniquely identifies the transaction, the accounts and, to the extent reasonably available, the parties involved.
Additional Information for Suspicious Operation Report
Art. 52.- Transactions with Bitcoin generate a significant variety of information elements. For the effective sending of the Suspicious Operation Report, the obligated subjects must have the following information for analysis and subsequent filing:
a) Digital wallet addresses, ATMs for bitcoin;
b) Account information;
c) Transaction details (including the hash of the Bitcoin transaction and information about the originator and recipient);
d) Relevant transaction history;
e) Available login information (including IP addresses);
f) Mobile device information (such as device IMEI);
g) Information obtained from the analysis of the online public profile and customer communications.
When submitting a Suspicious Operation Report, institutions must provide all pertinent information available in the form and narrative of the Suspicious Operation Report.
Records to be made and kept by obliged subjects
Art. 53.- Obliged subjects must maintain the registration requirements that they must safeguard during the commercial relationship with the client and for a period of 15 years from the end of said relationship.
CHAPTER VIII
SANCTIONS, GROUNDS FOR REVOCATION, DISSOLUTION AND LIQUIDATION
Sanctions
Art. 54.- Breaches of the provisions contained in these Regulations will be sanctioned by the Superintendency in accordance with the provisions of the Financial System Supervision and Regulation Law.
Unforeseen aspects
Art. 55.- The aspects not foreseen in the matter of regulation in the present Norms will be resolved by the Central Bank through its Norms Committee.
Validity
Art. 56.- These Rules will come into force as of September xx of the year two thousand twenty-one.
See annexes in the original document: https://www.bcr.gob.sv/regulaciones/upload/Normas_Tecnicas_para_Facilitar_la_Aplicacion_de_la_Ley_Bitcoin.pdf