Global Sanctions Compliance Policy


Sanctions Compliance Policy

Table of Contents

1. Introduction
1.1 Scope and Applicability
1.2 Objective
2. Strategy and Vision
3. Sanction Regimes
3.1 Home Country Regime - Pakistan
3.2 US Economic Sanctions
4. Risk-Based Approach and Controls
4.1 Entity Wide Internal Risk Assessment Report (IRAR) – Financial Crime Risk Assessment (FCRA)
4.2 Internal controls
5. Roles and Responsibilities
5.1 Board Oversight
5.2 Executive Oversight
5.3 Chief Compliance Officer (CCO)
5.4 Head of Financial Crime Compliance (currently Head AMLD)
5.5 Country MLROs
5.6 Client Facing Business Units
5.7 Staff Responsibilities
6. Standards, Guidelines and Controls
6.1 List Management
6.2 Customer and Non-Customer Name Screening
6.3 Transaction Screening
6.4 Screening Protocols
6.5 Investigation, Escalation and Reporting
6.6 Rejecting, Blocking or Restricting Account Activity
6.7 Internal and External Reporting
6.8 Information Request - Regulators and Law Enforcement (LE)
6.9 Specific OFAC Licence
6.10 Outsourcing and Third-Party Relationships
6.11 Management Information (MI)
6.12 Record Keeping
7. Dispensation and Waivers
7.1 Dispensations
7.2 Waivers
7.3 Applying for Dispensations and Waivers
7.4 Policy Breaches and Circumvention
8. People, Learning and Awareness
8.1 Resourcing
8.2 Training and Awareness
8.3 Consequences of Non-Compliance by Staff
9. Document Management
10. Glossary

1. Introduction
Habib Bank Limited (“HBL” or the “Bank”), as one of the largest domestic banks in Pakistan with a significant
international presence, is affected by international sanctions laws and regulations by virtue of its physical
presence and involvement in international trade and financial transactions.
HBL, under the direction of its Board of Directors and executive management, is committed to carrying
out the Bank's business activities in compliance with all applicable laws, rules, and regulations. It is
therefore the policy of the Bank to fully comply with the economic sanctions laws and regulations not only
of the Islamic Republic of Pakistan, including sanctions measures adopted by the United Nations (UN), but
also the United States (US), European Union (EU), United Kingdom (UK) and all other potentially relevant
jurisdictions, when applicable to the Bank's business (collectively, "Sanctions").
Sanctions are defined as measures or actions taken against a target to influence its behaviour, policy, or
actions. Simply stated, sanctions have three components:
• An economic action, including financial and trade,
• Taken against a target (e.g., a state, class of persons, an individual person, or even a function),
• To influence the target’s actions.

Sanctions can restrict trade, financial transactions, diplomatic relations, and movement with certain
governments, countries or territories, persons, entities, groups, vessels, and aircraft (collectively,
"Sanctions Targets"). Sanctions can be specific or general in their implementation and enforcement.
Sanctions are also referred to as restrictive measures. Sanctions compliance is the act of adhering to the
sanctions-related legislation, regulations, rules, and norms that make up the complex sanctions landscape.
Sanctions are administered by local regulators in territories where they hold jurisdiction and by some
regulators (particularly in the United States) on an extraterritorial basis.

The Sanctions Policy will be supported by operating procedures. The Policy and respective procedures set
out the measures to protect the Bank from sanctions risks by detecting, preventing, and deterring those
attempting to circumvent sanctions in their dealings with the Bank.
This Policy provides standards to ensure that HBL does not render financial services, conduct transactions,
process payments, or send or receive funds involving individuals and entities or governments that are
subject to applicable Sanctions, in accordance with controls approved by HBL's Board of Directors based
on applicable regulatory requirements and to protect HBL from sanctions risks.

1.1 Scope and Applicability


This Policy sets out the baseline requirements and standards to be adopted by all of HBL's domestic and
international branches. Compliance with this Policy and the related procedures is mandatory and
applies to:
• All HBL domestic / international branches;
• All employees, including contractual and outsourced staff working on behalf of the Bank; and
• The Board of Directors of the Bank.

All international branches must also comply with the economic sanctions laws and regulations
applicable in the jurisdiction in which they operate.
In accordance with Approval Framework for Policies and Associated Documents (AFPAD), this Policy
shall act as a Global Policy, and as such will be applicable for domestic and overseas operations
wherever applicable. Each international branch is responsible for identifying any inconsistency in this
policy vis-a-vis the statutory/regulatory framework of the host country and developing an addendum
to this policy that incorporates all local regulatory requirements.
If the requirements in the host country or jurisdiction differ from those in Pakistan, the international
branch shall apply the higher of the two standards, to the extent that the law of the host country or
jurisdiction so permits. Any addendum to this policy developed by an international branch must be
approved by the Board in accordance with local regulations after concurrence of the local policy
owner.
HBL subsidiaries should use this policy as a guiding document while developing their own local
Sanctions policy.

1.2 Objective
The objective of the Sanctions Compliance Policy is to provide guidelines and standards to ensure
the Bank's compliance with the sanctions applicable under different regimes.

2. Strategy and Vision


HBL's Board of Directors has established a sanctions control environment in line with leading regulatory
requirements and best standards. The executive management teams at the Group and local level are
responsible for implementing the policy as per the direction of the Board. An oversight mechanism is also
in place at Board and Management Committee level to monitor continuing compliance with the Bank’s
Sanctions Policy.

All employees of the Bank are responsible for conducting themselves in line with the Bank’s policy direction
and for remaining vigilant against those looking to exploit the Bank’s products and services by breaching
or circumventing the Sanctions controls.

Due to the Bank’s international presence, it must satisfy a range of regulatory standards and expectations
for sanctions compliance and sanctions risk mitigation designed to protect not only the Bank from
sanctions risks, but also the Bank's correspondent banking partners and other financial counterparties.

3. Sanction Regimes
The Bank maintains a zero-tolerance approach towards breaches of applicable financial, economic and
trade sanctions. HBL aims to remain compliant with all legal and regulatory requirements in every
jurisdiction where it operates as well as with all other relevant Sanctions regimes to avoid potential
breaches and reputational damage.
The Bank will not establish or maintain relationships with any "Sanctioned Party", which is:

• Any individual, entity or government which is a designated target of Sanctions ("Listed Person")
implemented, administered or enforced by any of the following:
a. The State Bank of Pakistan and National Counter Terrorism Authority (NACTA).
b. The UN Security Council.
c. The European Union (EU).
d. The US Treasury Department's Office of Foreign Assets Control (OFAC); or
e. Her Majesty's Treasury (HMT) of the UK [1].
• Any person owned or controlled by a Listed Person (e.g., if a UBO / Trustee / Director of a non-
sanctioned entity is a Listed Person, HBL will not establish or maintain a relationship with either
the designated person or the non-designated person).
• Any person resident, incorporated or domiciled in a country or territory subject to a comprehensive
US country or territory-wide embargo (i.e., the "Embargoed Countries"), presently including
Crimea, Cuba, Iran, North Korea, Myanmar and Syria.
• Persons or companies owned or controlled by, or operating as agents of, the Governments of
Embargoed Countries or the Government of Venezuela.

The Bank will not conduct any transactions (in any currency) that would breach applicable Sanctions, including
Sanctions implemented, administered, or enforced by the home country of the HBL entity involved.
The Bank will not conduct any transactions (in any currency) with or involving, directly or indirectly, any
Sanctioned Party or any vessel or aircraft which is a designated target of Sanctions implemented,
administered, or enforced by the Sanctions authorities listed above.
HBL's international branches and subsidiaries should not establish or maintain relationships with any
individual, entity, or government which is a designated target of sanctions implemented, administered, or
enforced by its home / host country sanctions authority(ies), or any person owned or controlled by such
listed persons.

3.1 Home Country Regime - Pakistan


The Government of Pakistan under the United Nations (Security Council) Act, 1948 gives effect to the
decisions of UNSC. The Ministry of Foreign Affairs issues Statutory Regulatory Orders (SROs) to
provide legal cover for implementing sanctions measures under UNSC resolutions. These SROs in
respect of designated individuals/ entities require assets freeze, travel ban and arms embargo in
addition to other measures in accordance with the UNSC resolutions.

Similarly, for implementing sanctions measures under Security Council Resolutions, the Federal
Government (Ministry of Interior) may, by order published in the official gazette, list an organization
or person as proscribed in the First and Fourth Schedules of the Anti-Terrorism Act 1997, respectively.

[1] Bank may transact with Russian entities subject to sectoral sanctions where such transaction does not involve a
breach of any applicable Sanctions.

National Counter Terrorism Authority (NACTA) maintains an updated database of all proscribed
organizations and persons on its website, as notified by the Ministry of Interior.

State Bank of Pakistan (SBP) also circulates the SROs/ Notifications to its regulated entities for taking
immediate necessary action, which includes:
• Screening of the customer database to identify relationships with designated/proscribed individuals or
entities;
• Freezing of bank accounts, funds and other financial assets or economic resources without any prior
notice to the account holder/customer;
• Reporting of such frozen assets and other actions taken in compliance with the relevant SRO/
Notification within the stipulated time to SBP; and
• Reporting to the Financial Monitoring Unit (FMU) as per law.

State of Pakistan has issued Anti-Money Laundering, Combating the Financing of Terrorism &
Countering Proliferation Financing (AML/ CFT / CPF) Regulations for SBP’s Regulated Entities (REs).
‘Regulation-4’ is the specific regulation that deals with Targeted Financial Sanctions.

3.2 US Economic Sanctions


OFAC administers US economic sanctions programs for a variety of purposes, including:
• Diplomatic;
• Criminal Enforcement;
• Economic;
• Humanitarian; and
• National Security.

3.2.1 OFAC Sanctions Programmes


OFAC administers a variety of Sanctions programmes. These sanctions can be either comprehensive
country sanctions or selective list-based designations, using the blocking of assets and trade restrictions
to accomplish US foreign policy and national security goals. These sanctions are divided into different
sanctions programs administered by OFAC. Both comprehensive and selective sanctions designations
as aforesaid are tagged by OFAC to indicate the relevant sanctions program. Moreover, these sanctions
are divided into primary and secondary sanctions as under:

Primary Sanctions: “Primary” sanctions (which apply to U.S. persons or
transactions with a U.S. nexus and carry potential monetary
penalties or imprisonment for violations).
US person:
• U.S. citizens, wherever located.
• Permanent U.S. resident aliens (also known as lawful permanent residents or LPRs), wherever located.
• Entities organized under U.S. law (e.g., corporations);
• All entities and persons located in the United States; and
• Entities owned or controlled by U.S. citizens.

Secondary Sanctions (or “extraterritorial”): “Secondary” sanctions (which apply to non-U.S. persons for
transactions outside the United States and which threaten
sanctions designations of foreign persons for sanctionable
conduct).
Due to enforcement and designation risks, US sanctions are
generally followed globally and expose non-US banks to risk
for facilitating OFAC-prohibited or sanctionable activity.

Specially Designated Nationals and Blocked Persons List (SDN List)


As part of its enforcement efforts, OFAC publishes a list of individuals, companies, vessels and aircraft
that are designated sanctions targets. This list includes individuals and entities owned or controlled
by, or acting for or on behalf of, targeted countries, as well as individuals, groups, and entities that
were targeted because of nefarious activities such as terrorism, weapons proliferation, narcotics
trafficking, etc. Collectively, such individuals and companies are called "Specially Designated
Nationals" or "SDNs." Their assets/property and interests in property are blocked, and U.S. persons
are generally prohibited from dealing with them, either directly or indirectly.
Relating to the US Sanctions Programmes, HBL has zero tolerance for breaches and applies additional
controls in certain allowable scenarios with a ring-fencing approach to avoid any type of compromise
on the Bank’s sanctions compliance.

Major OFAC Sanctions Programmes and Risk Appetite:

Program: Comprehensive country sanctions programmes
• Iran
• North Korea
• Cuba
• Syria
• Crimea
• Myanmar
Short Name: (none)
Sanctions Subject: Implemented through different Executive Orders in various time horizons. Targets are subjected to both Primary and Secondary Sanctions. The secondary sanctions were initially introduced for Iran and later expanded.
Risk Appetite: Zero Appetite (Please refer HBL Country Risk Guidelines)

Program: Other selective country sanctions program under which SDNs, as listed by OFAC, and entities owned 50% or more by them are blocked (significant)
• Balkans-related sanctions
• Belarus
• Yemen
• Somalia
• Central African Republic
• Chinese military companies’ sanctions
• Hong-Kong-related sanctions
• Russia
• Venezuela
• Zimbabwe
Short Name: (none)
Sanctions Subject: Through various Executive orders. The targeted individual and entities are listed in OFAC's Consolidated SDN list (Specially Designated Nationals and Blocked Person List).
Risk Appetite: Zero Appetite

Program: Global Magnitsky
Short Name: GLOMAG
Sanctions Subject: Human rights violation
Risk Appetite: Zero Appetite. HBL, its branches/subsidiaries will not onboard, and will de-risk, any entity/individual that is designated/blocked under US OFAC Global Magnitsky program of Human Rights violation. In continuation, any non-designated entity which is an affiliate/subsidiary of another entity designated/blocked under Global Magnitsky will also be subjected to the similar zero risk appetite.

Program: Weapons of mass destruction proliferators sanctions regulations
Short Name: NPWMD
Sanctions Subject: Proliferation violation
Risk Appetite: Zero Appetite

Program: Global terrorism sanctions regulations
Short Name: Specially Designated Global Terrorists (SDGT)
Sanctions Subject: Global Terrorism related
Risk Appetite: Zero Appetite

Program: Narcotics trafficking sanctions regulations
Short Name: Specially Designated Narcotics Traffickers (SDNT)
Sanctions Subject: Narcotic
Risk Appetite: Zero Appetite

Program: Foreign narcotics kingpin sanctions regulations
Short Name: Specially Designated Narcotics Trafficker Kingpins (SDNTK)
Sanctions Subject: Foreign Narcotics
Risk Appetite: Zero Appetite

Program: Terrorism sanctions regulation
Short Name: Specially Designated Terrorist (SDT)
Sanctions Subject: Terrorism related
Risk Appetite: Zero Appetite

Program: Transnational criminal organizations sanctions
Short Name: Transnational Criminal Organizations (TCO)
Sanctions Subject: Criminal Organization – specific Names
Risk Appetite: Zero Appetite

Program: Foreign terrorist organization
Short Name: Foreign Terrorist Organizations (FTO)
Sanctions Subject: Terrorism related designation
Risk Appetite: Zero Appetite

Program: List-based, Non-Blocking Sanctions:
• Sectoral sanctions - Ukraine-/Russia-related sanctions (other than those listed on SDN list)
  Short Name: SSI (Sectoral Sanctions Identifier) (also known as Non-SDN, Non-Blocking)
  Sanctions Subject: On specific economic sector of Russia including Financial, Energy & Defence
• Non-blocking menu-based sanctions
  Short Name: NS-MBS
  Sanctions Subject: Specific menu-based sanctions that include restrictions on certain transactions and activity
Risk Appetite: EDD required to confirm any transactions involving a sectoral sanctions target comply with applicable Sanctions.

Program: Export administration regulation of bureau of industry and security
Short Name: EAR – BIS Lists
Sanctions Subject: Restriction on certain trade and investment activities involving Export and Re-Export of US original goods
Risk Appetite: Zero Appetite for becoming part of a trade transaction involving both a BIS Sanctioned Party and export from US or re-export of US origin items from anywhere

Transactions that involve counterparties on the OFAC SDN list but do not involve any US persons or
other US elements create secondary sanctions risk and thus HBL has zero appetite in relation to such
transactions.
In case of any transaction that might expose HBL to US Sanctions risk where that case is not
addressed through HBL's defined policy and procedures, the participating HBL entities must consult
with Financial Crime Compliance Advisory at Head Office.

3.2.2 OFAC 50% Rule


OFAC's 50% Rule states that the property and interests in property of entities directly or indirectly
owned 50 percent or more in the aggregate by one or more blocked persons are considered blocked.
Hence, the following grid will be followed.

Scenario: A company, even if not designated by OFAC, that has 50% or more ownership held directly or
indirectly by SDNs is a blocked person.
Appetite: Zero Appetite

Scenario: Example: SDN A directly owns 60% of company B. SDN C directly owns 60% of company D.
Company B and company D each own 25% of company E. Although OFAC has not listed
companies B, D or E as SDN, companies B and D are blocked because each has 50% or more
ownership by an SDN, and company E is blocked because two blocked owners collectively own
50% of its equity.
Appetite: Zero Appetite

Scenario: A blocked / designated entity has less than 50% shareholding in another entity and is not
otherwise a sanctioned party. The other entity will not be considered as blocked.
Appetite: Restricted appetite under a ring-fencing approach for HBL to maintain relationship
with non-blocked entity. Controls will be defined on each specific risk acceptance with
the Approval of Relevant Ex Co members along with President & CEO.

3.2.3 US Person – Staff


HBL HOK and its Branches and Subsidiaries may have employees who are U.S. citizens or green card
holders, including Senior Management. U.S. sanctions laws apply to these “U.S. persons” wherever they
are located, even if it is outside the United States. Non-U.S. firms are subject to the same U.S. sanctions
laws as U.S. firms if their transactions involve U.S. persons, including their own U.S. person
employees. The Bank therefore requires the exclusion of all U.S. person employees from any
transaction involving an Embargoed Country or other US sanctions target unless Compliance has first
confirmed that a US sanctions license or exemption applies. U.S. persons can still set general policies
and read reports about transactions that already have occurred, but due to the complexity of the rules
and risks of violations both by employees and the employer, U.S. person employees should take special
care to understand and observe the Bank's exclusion requirements.
The Bank’s HR processes will implement steps for ensuring adherence to the above-mentioned
requirements in consultation with Compliance.

4. Risk-Based Approach and Controls
Consistent with industry best practice, HBL adopts a risk-based approach to Financial Crime Compliance
of which sanctions compliance is a critical component. HBL operates in several geographies and the Board
has also approved Financial Crime Risk Appetite statements.

4.1 Entity Wide Internal Risk Assessment Report (IRAR) – Financial Crime Risk Assessment (FCRA)
To ensure each Country can assess its exposure to inherent Sanctions risks, identify control weaknesses
and calculate residual risk ratings based on an approved methodology, the Bank will undertake an
Internal Risk Assessment Report (IRAR) / Enterprise-Wide Risk Assessment (EWRA) / Financial Crime
Risk Assessment Report (FCRA) at least once every two years unless any country regulation requires it
at a shorter interval.
The assessment exercise should generally consist of a holistic review of the organization from top to
bottom and an assessment of external touchpoints where the organization may potentially, directly
or indirectly, attract Sanctions risks or liability.
• The assessment may include risks posed by clients, customers, products, services, supply chain,
intermediaries, counterparties, transactions, and geographic locations.
• Assessments should inform the extent of due diligence to be conducted at various points in a
relationship or in a transaction, such as at onboarding or merger and acquisition activity.
• A developed risk assessment methodology should identify, analyse, and address risks, and
be updated to account for the conduct and root cause of any violations or systemic deficiencies
identified.

4.2 Internal controls


The purpose of internal controls is to outline clear expectations, define procedures and processes
pertaining to sanctions compliance (including reporting and escalation chains), and minimize the risks
identified by risk assessments. HBL’s internal controls should include:
• Policies and procedures that outline the sanctions compliance requirements and capture the day-
to-day operations and procedures designed to prevent breaches or other misconduct.
• Internal controls that enable HBL to clearly and effectively identify, interdict, escalate, and
report potentially prohibited transactions and activities, as well as transactions and activities that
present an unacceptable degree of risk.
• Use of internal and/or external audits, including to reinforce policies and procedures.
• Processes to take immediate and effective action, as possible, to identify and implement
compensating controls until a root cause is determined and remediated.
• Clear communication of policies and procedures to all relevant staff including all three Lines of
Defence (LoD).
• Personnel to integrate Sanctions Compliance policies and procedures into daily operations.
• To the extent technology solutions are part of internal controls, solutions should be calibrated
to the organization’s risk profile and compliance needs, and routinely tested.
• Periodic model validation / testing of Automated Control Systems (i.e., Sanctions Screening
system).
Effective governance of customer and transaction screening systems and the underlying data feeding
into them is essential for accurate risk identification and mitigation. The Bank has implemented and
will continue to upgrade its customer due diligence and sanctions screening systems across the Bank,
providing a platform to identify, assess and manage risks on a consistent basis.

5. Roles and Responsibilities


To effectively and sustainably implement the controls defined within this Policy, the Bank has aligned its
controls to the Three Lines of Defence (“LoD”) model consisting of:
• First Line of Defence (Business & Operations): Business units including front and back-office
teams. The first line of defence is primarily responsible for onboarding customers, selling product
& services and operationally supporting customers, products, and services and adhering to this
policy requirements in the conduct of their business responsibilities. It is their responsibility to
understand their roles and responsibilities, create and apply internal controls, and respond to risks
that their work, sales, and interactions may present. The first line of defence is also responsible for
assessing the sanctions risk of customers, transactions and the products/services offered by HBL.
• Second Line of Defence (Compliance): The second line of defence is the compliance- and risk-
related functions. They are responsible for providing guidance to and oversight of the first line of
defence. Additionally, they are responsible for proactively testing and monitoring high risk areas
to ensure policy, procedures and processes implemented by the first line are working as intended
to comply with rules and regulations and mitigate sanctions risk.
• Third Line of Defence (Internal Audit): Group Internal Audit, as the third line of defence,
independently evaluates the compliance risks and controls. The Internal Audit function reports to
the Board of Directors through the Board Audit Committee and should have sufficient authority,
skills, expertise and resources to carry out testing and audit procedures which address how FCC
programs are performing. These should be updated or recalibrated periodically to account for
changing risk assessments or sanctions environments.

5.1 Board Oversight


The Board will oversee the setting of the Bank’s Financial Crime Risk Appetite and a strong compliance
culture across the Bank. The Bank’s Sanctions policy shall be approved by the Board with an appropriate
oversight mechanism and delegation. The Board has delegated its responsibility to the BCNC to provide
oversight of the sanctions related systems, controls and risks.
The Board (or BCNC) should also ensure that sufficient authority and autonomy are available to
compliance units to deploy their policies and procedures, with direct reporting lines between the
Compliance Function and President & CEO supported by regular meetings.

5.2 Executive Oversight
The management remains accountable for implementation of the Bank’s Financial Crime Compliance
Framework including Sanctions Policy. The Compliance Committee of Management (CCM) at head
office and country level is responsible for discussing/ reviewing Sanctions risks. The CCM is tasked with
effective management of compliance, including:
• Promotion of a “culture of compliance,” including through an ability to report misconduct without
fear of reprisal, senior management messaging, and Sanctions Compliance oversight of actions.
• Demonstrated recognition of compliance failings and implementation of necessary measures to
prevent future occurrences, including through addressing root causes and implementing systemic
solutions.
• Allocation of adequate resources (human capital, expertise, IT, and other resources) to the
compliance units.

5.3 Chief Compliance Officer (CCO)


The CCO is responsible for evaluating the adequacy and effectiveness of Compliance controls over
Sanctions Risk Management. The CCO has a clearly defined and documented mandate, unrestricted access
with a direct reporting line to President & CEO and a dotted reporting line to the BCNC Committee.
Based on Financial Crime Risk Assessment and independent monitoring and reviews, the CCO, through
BCNC, shall advise the Board on the adequacy and strength of Sanctions controls to mitigate respective
risks.

5.4 Head of Financial Crime Compliance (currently Head AMLD)


The Head FCC is responsible for developing and implementing an effective and sustainable Sanctions
Framework, inclusive of policies, procedures, systems, and controls, and providing advice and guidance
to overseas locations as the subject matter expert.

5.5 Country MLROs


Each country is required to appoint an MLRO to take responsibility for overseeing compliance with this
Policy, associated procedures, and the overarching FCC Framework.
The appointment of the Country MLRO is subject to approval by the CCO, local management and/or
local regulators wherever required.
The position of MLRO must not be combined with functions that create potential conflicts of interest.

5.6 Client Facing Business Units


Business Units are responsible for identifying, assessing and controlling the risks of their business. They
should know and carry out the policies and procedures and allocate sufficient resources to do this
effectively. They also are responsible for implementing corrective actions to address process and
control deficiencies. The Business Units are also responsible for risk acceptance at the time of client
onboarding and ongoing monitoring of client relationships.

5.7 Staff Responsibilities
All employees are required to fully comply with this policy, associated procedures, applicable laws,
regulations, and notices. Employees are also responsible for ensuring effective management of
sanctions risks as applicable to their role. In case of any ambiguity in relation to this policy, staff should
consult Financial Crime Compliance Advisory at Head Office.

6. Standards, Guidelines and Controls


The following sections capture the detailed standards, guidelines and controls to ensure Sanctions
Compliance.

6.1 List Management


Sanctions Lists
Global Compliance has defined Sanctions lists from independent data sources and means to be
deployed by Countries for screening as a minimum policy requirement (“Global Sanctions Lists”).
Countries are required to screen names of customers (including their UBOs and other connected
parties), suppliers, Bank employees, outsourced parties, and transactions against the Global Sanctions
Lists, which include the UN, OFAC, NACTA (National Counter Terrorism Authority, Pakistan), HMT
and EU sanctions lists, as well as the BIS lists. At present, HBL is using relevant lists from World Check
that also include the proscribed list as issued and updated by NACTA.
Specifically, with respect to Pakistan, the CNIC-based lists of NACTA and UNSC have been
implemented to restrict any proscribed entity / individual alongside rejecting occasional / walk-in
transactions. For walk-in / occasional customers (non-account holders), the screening process will only
rely on those prescribed / designated targets where CNIC numbers are publicly available. Countries
(international locations) must also screen against local Sanctions lists as required or recommended by
the local regulators in their jurisdictions. Sanctions lists must be kept current for purpose of
onboarding and payments.
Internal Lists
In addition to the applicable sanctions lists described above, the Bank maintains internal (local) lists
related to sanctioned parties including those communicated by the SBP / local regulator. Countries
must ensure processes and controls are in place to manage the accuracy of internal (local) lists
including periodic testing to ensure completeness of names.
The internal list may also be used for identifying certain types of transactions that require Enhanced
Due Diligence before execution. It may include different words as red flags such as “Charity”,
“Donations”, “Weapons” etc. The internal (local) list may include names of parties that are not subject
to any economic sanctions but need transactional level Enhanced Due Diligence due to increased
country risk or any other reason that may require such monitoring.
The internal (local) list may also include names of the persons / entities where the relationship was
de-risked due to AML / CFT / Sanctions issues.

6.2 Customer and Non-Customer Name Screening
Countries must ensure that names of the customer (including UBOs and other connected parties) and
suppliers are screened against the Global Sanctions and Internal & local Lists (collectively, "Sanctions
Screening Lists"), prior to account opening, in response to changes in the customer profile, entering a
contract for services (in the case of suppliers), or updates to the Sanctions Screening Lists. At a
minimum, names of the following must be screened against the Sanctions Screening Lists:
• All new customers.
• All existing customers (through the Delta Screening Process).
• Connected parties identified as per the Bank’s CDD requirements, including UBOs.
• Names of beneficiaries to SWIFT payments.
• All parties to a trade finance transaction.
• All walk-in / occasional customers as per the local country regulatory requirement for counter
transactions.
• Branchless banking customers.
• The names of all parties required to be identified by the AML / CFT & KYC Policy and Procedures
must also be screened against applicable Sanctions Lists.
• All major suppliers of the Bank where payments are made through banking channels. This will not
include the grocery shops / small stationery shops where office supplies are purchased through
petty cash.
• All new employees of the bank before issuance of offer letters. Opening of accounts at the Bank
will be mandatory for all bank employees including contractual and outsourced staff. This will
allow delta screening of such employees whenever any change happens in applicable sanctions
lists.
The following sanctions-based events require Enhanced Due Diligence of the customer profile:
• Media and / or Information on the customer, its connected parties or counterparties identifies a
potential link to Sanctions circumventing activity.
• Payments linked to the customer are blocked or rejected due to a positive sanctions match.
• Counterparty banks or regulatory authorities issue Sanctions-related requests for information
about the customer or its transactions; and
• Post transaction reviews identify a positive Sanctions match.

6.3 Transaction Screening


Payments and transactions must be screened against the Sanctions Screening Lists:
• Prior to the movement of funds into or out of the Country.
• Prior to processing a Trade Finance transaction or service.
• Upon receipt of commercial / shipping documents under Trade Finance transactions.
• Prior to settlement of a trade finance transaction or service, where settlement occurs more than
one day after initial screening of related commercial documents.
• Cross border incoming and outgoing payments processed through SWIFT / non-SWIFT including
cover payments and those where the Bank acts as the intermediary bank. This includes Home
Remittance where the country may have a file based / API based protocol.
• For Home Remittance beneficiaries where the beneficiary accounts are with other domestic banks
in Pakistan (i.e., the KYC of the payment beneficiary is held with the receiving bank), and HBL acts
as the intermediary bank.
• For Money Transfer Operators, where a pull-based mechanism is used for payment to a
beneficiary at HBL Counter, the relevant branch will ensure that the customer is sanctions-screened
before releasing any payment at the counter.
• Foreign currency cheques issued on behalf of customers.
• Trade Finance transactions (i.e., during the entire transaction life cycle at various stages as
mentioned in TBML procedure. This includes all names, ports, vessel, etc.).
• For Trade Finance transactions, the Bank must screen the underlying goods or services to identify
potential ‘Dual Use’ goods.
• The origin of goods must also be established prior to settlement of a Trade Finance transaction or
service to comply with applicable Sanctions including Trade restrictions imposed by BIS.
6.4 Screening Protocols
All sanctions screening must be performed using automated screening systems approved by the CCO
that ideally apply fuzzy logic to the matching algorithm. HBL is currently using as an automated
sanctions screening system.
Presently, Global Compliance / Country Compliance is responsible for disposition of alerts on the
Bank’s sanctions filter. However, the Trade Finance Department also screens Trade Customers and
Trade Transactions at different stages of the transaction life cycle through World Check. Separate
procedures for such type of screening are in place.

6.5 Investigation, Escalation and Reporting


The Bank’s screening systems generate alerts for potential matches to applicable Sanctions Screening
Lists. It is the responsibility of Global Compliance / Country Compliance to ensure that systems and
controls are in place to effectively investigate, dispose of or escalate alerts and retain records of all
Sanctions alerts generated. To achieve this objective, alert disposition teams may engage the First Line
of Defence (FLOD) to perform due diligence on a particular customer who is the subject of an alert.
Countries must ensure that staff assigned responsibility for review or investigation of alerts meet
minimum competencies and receive appropriate training including on the identification of sanctions
red flags.

All alerts must be investigated until discounted or escalated where there is a potential or true match.
Results of investigations and narratives for elimination must be recorded within the alert record held
on the screening system.
Where upon investigation a positive match is confirmed, the payment and/or customer’s account
must be frozen, the case reported to the Country MLRO and funds held in a suspense account or
Customer’s account until further instruction from the Country MLRO / Head FCC. A positive match
on OFAC Non-SDN category (e.g., Sectoral Sanctions) will require a rejection of transaction as
needed to mitigate Sanctions risks. No freezing action will be required in this situation unless the name
is also included in SDN list or otherwise subject to blocking sanctions.
A potential match must be investigated fully before ruling out a suspicion and releasing a transaction.
If the alerts disposition team is not able to make a final call on a particular potential match, the MLRO
/ Sanctions Compliance Officer / Head FCC may take certain actions that include rejecting the
transaction, filing STRs, taking guidance from the CCO, engaging internal legal counsel, and consulting
external legal counsel. However, in no situation can a potential sanctions alert be released to allow a
transaction until the suspicion is properly ruled out.

6.6 Rejecting, Blocking or Restricting Account Activity


In case of positive hits on Transactions and existing customer relationships during delta screening,
funds will be frozen as per the local requirements.
Rejecting a transaction may be required where no requirement exists from the local regulator to block
or freeze assets for the applicable sanctions regime or blocking is not otherwise required to mitigate
Sanctions risks.
De-Risking of an existing relationship as identified during the delta sanctions screening process must
be completed without any incremental risk where no requirement exists to block or freeze assets for
the applicable sanctions regime. The residual balances will only be released in local currency after
consulting with Legal Counsel.
Upon confirmation of a positive match where the payment is rejected due to a Sanctions risk
presented by the non-account holder counterparty, the profile of the Bank’s own customer must be subjected to
an enhanced due diligence review to identify possible Sanctions risks of maintaining the customer
relationship.
Blocking a customer account requires the freeze of all customer assets and property including Lockers.
Controls need to be in place to ensure access to the account is limited to employees with relevant
authority. Local Legal and Regulatory reporting should be made as required in the respective country.
A blocked assets report / asset freeze report will be provided to the Regulator as and when required under
the local regulation.
HBL Head Office and international branches (while ensuring appropriate mechanism on client
confidentiality), will share blocked assets reports annually with the Board Compliance and Conduct
Committee for their information.

6.7 Internal and External Reporting
Country MLROs must report to the Head FCC / Head of International Compliance positive Sanctions
matches within a maximum of 3 business days of confirming such positive matches. However, such
reporting will only be made in the manner as allowed under the local regulation / information sharing
protocol.
It is a requirement by law in many jurisdictions to report to local regulators all confirmed positive
matches identified. The Country MLRO / Sanctions Compliance Officer/ Head FCC is responsible for
filing external reports to authorities as per their local regulations. Head FCC may delegate the
authority to other Unit Heads in domestic operations.
If the local Data Protection requirements prohibit Countries from reporting details of positive matches
to the Head FCC / Head International Compliance / CCO, a dispensation to this Policy must be
obtained as per the dispensation process.
Besides UNSC and Local Regulatory Sanctions regimes, a positive sanctions match should also be
reported to local regulatory authorities when required or expected. However, no reporting is required
on Non-SDN OFAC sanctions such as Sectoral Sanctions on Russia unless expected by local regulators.

6.8 Information Request - Regulators and Law Enforcement (LE)


The Country MLRO / Head FCC (or Delegates) is responsible for managing regulatory and LE requests
related to Sanctions in their domain. However, before sharing of any information with a regulator
beyond the respective jurisdiction, the Legal department must be consulted.

6.9 Specific OFAC Licence


The Bank or the impacted party may be required to obtain authorisation from respective regulators in
the form of a licence prior to execution of transactions under the following circumstances:
• To process a transaction prohibited by the relevant Sanctions programme.
• To recover funds from Sanctioned Parties where existing debt agreements are in place.
• Where an existing customer or counterparty to a transaction has been identified as being the
subject of applicable Sanctions and the Bank has an existing contractual obligation to honour the
transaction, such as a Usance Letter of Credit not yet settled.
In any other scenario, the Country MLROs will consult Head FCC / Head of International Compliance
who in turn may require further guidance from the CCO.
Application for a licence by the Bank will not be made unless reviewed by Legal Counsel and the Head
FCC. It also requires preapproval by the CCO and President & CEO.
Applications will only be considered where the licence is for the benefit of the Bank to recover funds
owed to it. In no situation will an application be made to provide any benefit to the Sanctioned Party or
circumvent the intent of a Sanctions regulation.

6.10 Outsourcing and Third-Party Relationships
It is unacceptable under this Policy to establish a contractual outsourcing or service providing
relationship with a third party if:
• It appears on any applicable Sanctions List.
• It is incorporated in or has its Head Office in a Sanctioned Country under OFAC Comprehensive
Country Sanctions Program defined within the Sanctions Policy. The same rule applies if an
Ultimate Beneficial Owner (UBO) of the third party resides in the referred sanctioned countries.
• Where any scenario defined in points a and b above prevails at the time of implementation of this
policy, such relationship will be exited within six months from the date this policy becomes
effective. An extension in the time will require a BCNC recommendation along with BOD approval.
• This Policy does not allow outsourcing any management or operational control processes related
to the management of sanctions to non-HBL Group entities. If such outsourcing is already in place,
regularisation of the same will be required through the dispensation process along with a
supporting rationale.

6.11 Management Information (MI)


The Bank includes Sanctions related information in its MI to effectively manage the Bank’s Sanctions
exposure. Various sanctions MI capturing statistics and trends related to customer relationships and
transactions (trade / payments) are collated by Global Compliance for the consumption of the Head
FCC and CCO and form part of the compliance dashboard presented to CCM and BCNC Committee.

6.12 Record Keeping


All records, required to be maintained to adhere to this policy, must be retained for a minimum
retention period of 10 years. In case of international branches, the local regulatory requirements shall
take precedence. Overseas locations may submit a dispensation request if a shorter period is required
to be adopted due to any regulatory limitation.

7. Dispensation and Waivers


In the unlikely event where the Bank is unable to comply with this Policy for any reason, a Dispensation or
Waiver shall be raised by relevant Business to the Compliance Committee of Management (CCM) via
Global Compliance for onward recommendation to the Board for approval through Board Compliance and
Conduct Committee (BCNC). It should be ensured that granting the dispensation or waiver will not cause
a Sanctions breach. Any dispensation must ensure full compliance with the requirements of 4.4 (US Person
– Staff) above. Internal/external legal counsel/sanctions expert review shall be mandatory prior to
obtaining dispensation or waiver.

7.1 Dispensations
A dispensation is a permanent permission to deviate from specific elements of this policy
where HoK / overseas locations can demonstrate to the relevant approving authority that a
local legislative or regulatory impediment prevents compliance with those specific elements.
Dispensation must always be on a pre-fact basis.

7.2 Waivers
(a) A waiver is a temporary permission to deviate from specific elements of this policy. Although
a waiver should ideally be obtained on a pre-fact basis, in a few instances it may be obtained via
circulation and / or on a post-fact basis.
(b) The Bank will not grant waivers or risk control inconsistencies without complete evidence of
an assessment of the risks associated with granting of waiver, evidence of interim mitigating
controls and confirmation that a remediation plan has been implemented to prevent sanctions
breaches.

7.3 Applying for Dispensations and Waivers


(a) Countries must apply for Dispensations and Waivers using the Dispensation and Waiver
procedure to be devised by Global Compliance as part of related Procedural Manual.

7.4 Policy Breaches and Circumvention


A Policy breach is defined as any instance where one or more requirements of this Policy have
not been met without having a dispensation or waiver. Countries must report breaches of
Policy as well as any actual Sanctions breaches to the Chief Compliance Officer (CCO) / Head
FCC / Head International Compliance. The Chief Compliance Officer (CCO) will raise it to
President & CEO and Board Compliance and Conduct Committee (BCNC) for further action.

8. People, Learning and Awareness


8.1 Resourcing
Applying the three lines of defence model requires resources with adequate knowledge of Sanctions
compliance across the organization.
In addition, Employee Due Diligence Procedures must be followed by HR / Countries to prevent
sanctioned individuals, criminals, or their associates from employment with the Bank. HR can consult
with Global Compliance wherever required to implement this policy.

8.2 Training and Awareness


Global Compliance will have the responsibility alongside HR to develop and implement training and
awareness programmes for managing Sanctions risk.
Mandatory sanctions training must be completed by relevant employees within stipulated time
frames as per HR process after employees join the Bank and annually thereafter. Non-completion of
prescribed mandatory training may impact employee performance ratings.

Training can be delivered via web-based learning or face to face, or through external courses and
presentations.
Staff performing sanctions control processes within AML Department, as determined by Global
Compliance, must complete the mandatory roles-based training on an ongoing basis as determined
by Global Compliance.

8.3 Consequences of Non-Compliance by Staff


Failure to comply with applicable laws and regulations and this Policy, including the intentional
circumvention of Sanctions, can subject employees to disciplinary actions up to and including
dismissal from the service of the bank. Employees may also be liable for financial penalties and/or
imprisonment by external authorities for wilful violations of applicable law or regulations.
Further details on employee legal and regulatory obligations and the consequence of non-compliance
appear within the Code of Conduct of the Bank as well as staff core training modules.

9. Document Management
This Policy will be reviewed annually by the policy owner and shall be updated in response to any changes
in the legal and regulatory environment. The HBL Board of Directors shall approve this Policy at issuance
and upon renewal thereafter. However, in case of any regulatory changes that require immediate
implementation, any corresponding changes to the Policy will be approved by CCO and President & CEO
and communicated through a circular. In case of overseas locations, approval authority will be the GM /
CEO along with Country Head of Compliance, however, the Head FCC and Head of Compliance,
International should also be notified of the changes.

10. Glossary

AML Anti-Money Laundering

BCNC Board Compliance & Conduct Committee

BOD Board of Directors

CCM Compliance Committee of Management

CCO Chief Compliance Officer

CDD Customer Due Diligence

CFT Combating Financing for Terrorism

CFT Counter Financing Terrorism

FCC Financial Crime Compliance

KYC Know Your Customer

ML/TF Money Laundering / Terrorist Financing

MLRO Money Laundering Reporting Officer

OFAC Office of Foreign Assets Control (Sanction List)

NACTA National Counter Terrorism Authority

SDN Specially Designated Nationals List

STR Suspicious Transaction Reporting

SWIFT Society of Worldwide Interbank Financial Telecommunication

GLOMAG Global Magnitsky

NPWMD Weapons of Mass Destruction Proliferators Sanctions Regulations

SDGT Specially Designated Global Terrorists

SDNT Specially Designated Narcotics Traffickers

SDNTK Specially Designated Narcotics Trafficker Kingpins

SDT Specially Designated Terrorist

TCO Transnational Criminal Organizations

FTO Foreign Terrorist Organizations

SSI Sectoral Sanctions Identifier

NS-MBS Non-blocking menu-based sanctions

EAR – BIS Export Administration Regulations of the Bureau of Industry and Security
