Operational and Services External Circular DSP-470, Subject 19: Centralized Directory Regulation (DICE)

Document No: OT/PF/MAR/2026/128135 Hoja 19 - 00 Recipient: Low-Value Immediate Payment System Administrators Subject 19: Centralized Directory Regulation (DICE) This Circular replaces the Operational and Services External Circular DSP-470 of March 5, 2026, corresponding to Subject 19 “CENTRALIZED DIRECTORY REGULATION (DICE)” of the corporate manual of the Payment Systems Department. The Circular is replaced to modify the rules of operation in Annex 2 regarding scenarios of DICE unavailability and the applicable transition periods. Sincerely, MARCELA OCAMPO DUQUE Executive Manager DIONISIO VALDIVIESO BURBANO Deputy Manager of Payment Systems and Banking Operations

CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 DEPARTMENT OF PAYMENT SYSTEMS Date: Tuesday, March 31, 2026

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 1

1. Introduction The Bank of the Republic administers the database known as the Centralized Directory (DICE) as referred to in the second paragraph of Article 104 of Law 2294 of 2023, External Resolution No. 6 of 2023 of the Board of Directors of the Bank of the Republic, and External Regulatory Circular DSP-465 issued by the Bank of the Republic, or those that modify or replace them. The DICE stores the Keys, transmitted by the Federated Directories of the Low-Value Immediate Payment System Administrators (EASPBVI), which the Clients of the Participants of the Low-Value Immediate Payment Systems (SPBVI) link to a Payment Instrument to receive funds from an Immediate Payment Order and/or Immediate Funds Transfer (OP/TF Immediate). The DICE is also responsible for validating that the Key is unique and performs Key updates and Key Resolution when the Federated Directories make these requests.
2. Definitions For the purposes of this Circular, the following terms have the meaning established below, regardless of whether they are used in singular or plural, or in uppercase or lowercase: Beneficiary: Client recipient of the funds subject to an Immediate Payment Order and/or Immediate Funds Transfer. Client: as defined in letter a) of Article 2 of Law 1328 of 2009 and the regulations that modify, replace, or govern it. Centralized Directory: database administered by the Bank of the Republic that contains the Keys and other information associated with the Clients of the Participants of all Low-Value Immediate Payment Systems. Federated Directory: database administered by a Low-Value Immediate Payment System Administrator that contains the Keys and other information associated with the Clients of the Participants of a Low-Value Immediate Payment System. Low-Value Immediate Payment System Administrators (EASPBVI): are the administrators of low-value payment systems defined in numeral 7 of Article 2.17.1.1.1. of Decree 2555 of 2010, or the regulations that modify or replace them, that administer a Low-Value Immediate Payment System.

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 2 Key: is the identifier that the Client links to their Payment Instrument. The types of Keys are those referred to in External Regulatory Circular DSP-465. Timestamp: date and time information that Low-Value Immediate Payment System Administrators and Participants must include in the messages required to carry out, among others, Key management and Resolution processes, and the Clearing and Settlement of Immediate Payment Orders and/or Immediate Funds Transfers. Payment Instrument: deposit product from which Immediate Payment Orders and/or Immediate Funds Transfers are debited or credited. Originator: Client who initiates an Immediate Payment Order and/or Immediate Funds Transfer to debit funds from their Payment Instrument. Immediate Payment Orders and/or Immediate Funds Transfers (OP/TF Immediate): is the instruction given in the Low-Value Immediate Payment Systems by an Originator on any day and hour to debit funds from their Payment Instrument and credit them to the Payment Instrument of a Beneficiary in real time, according to the characteristics established in External Regulatory Circular DSP-465 issued by the Bank of the Republic. Participants: are those defined in numeral 16 of Article 2.17.1.1.1. of Decree 2555 of 2010 or the regulations that modify or replace them, that process Immediate Payment Orders and/or Immediate Funds Transfers. Originating Participant: is the Participant where the Originator has their Payment Instrument from which an Immediate Payment Order and/or Immediate Funds Transfer is originated in a Low-Value Immediate Payment System. Receiving Participant: is the Participant where the Beneficiary has their Payment Instrument to receive funds from an Immediate Payment Order and/or Immediate Funds Transfer in a Low-Value Immediate Payment System. Key Resolution: query in the Federated Directory and/or Centralized Directory, based on the Key, to obtain the Beneficiary's Payment Instrument information and other information necessary to process the Immediate Payment Order and/or Immediate Funds Transfer. Low-Value Immediate Payment Systems (SPBVI): are low-value payment systems defined in numeral 22 of Article 2.17.1.1.1. of Decree 2555 of 2010 or the regulations that replace or modify them, that provide services related to Immediate Payment Orders and/or Immediate Funds Transfers.

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 3 Access Technologies: devices and/or set of technological procedures that allow initiating Immediate Payment Orders and/or Immediate Funds Transfers. Time-Out: maximum time to complete or decline the process. 3. General Characteristics of the DICE The DICE stores the Keys that the Clients of the Participants of the SPBVI link to a Payment Instrument to receive the funds associated with an OP/TF Immediate. These Keys are transmitted to the DICE by the Federated Directories of the EASPBVI through a connection standard based on API-REST technology. The DICE stores the information associated with each Key, according to the structure defined in numeral 4.2.2 of External Regulatory Circular DSP-465. The DICE validates that each Key is unique and performs updates on the Keys according to the Key management processes described in numeral 3.4.3 and in Annex 1 of External Regulatory Circular DSP-465. Likewise, it performs Key Resolution when the Federated Directories make this type of request. 4. DICE Users DICE users are the EASPBVI that meet the technical requirements established in this Circular and its annexes for connection to the DICE and for its use. The DICE interconnects with the EASPBVI through the Federated Directories that these entities administer. The EASPBVI identify themselves to the DICE with the acronyms established in the “DICE Technical Specifications Document”, which will be sent by the Bank of the Republic to the EASPBVI in their linking process to this centralized module and when modifications are made. 5. Operational Characteristics of the DICE The DICE has the following operational characteristics: a) API-REST connection for Federated Directories.

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 4 b) Key registration according to requests sent from the Federated Directories and sending of the response message with the process result. c) Key and status updates resulting from modification, cancellation, blocking, or reactivation requests, originated by Clients and/or Participants as applicable, sent from the Federated Directories and sending of the response message with the process result. d) Update of fields associated with Keys according to requests originated by Participants and sent from the Federated Directories and sending of the response message with the process result. e) Key Resolution according to the request sent from the Federated Directories and sending of the response message with the process result. f) Execution of Key information queries according to requests sent from the Federated Directories and sending of the response message with the process result. g) Verification of Key non-duplication in registration and modification processes, to ensure it is not associated with more than one Payment Instrument. 5.1. Hours and Support The DICE operates 24 hours a day, seven (7) days a week, 365 days a year (24/7/365). The Bank of the Republic provides 24/7/365 technical support via the email admidice@banrep.gov.co and the phone lines available at Phone Support | Bank of the Republic. In leap years, the DICE will also operate on February 29 and the Bank of the Republic will provide technical support on that date. The Bank of the Republic may temporarily suspend DICE operations or modify the schedules set forth in this Circular for: i) force majeure or fortuitous event reasons, or ii) when there are reasons that, in the Bank of the Republic's judgment, justify it. Whenever possible, the Bank of the Republic will previously notify the EASPBVI of the date the respective suspension or schedule modification will occur, indicating the operating conditions that will apply, as applicable.

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 5 6. Linking of EASPBVI to the DICE The process for linking EASPBVI to the DICE is described in Annex 1 of this Circular, titled “Manual for Linking Low-Value Immediate Payment System Administrators to the Centralized Modules for Immediate Payment Interoperability”. The EASPBVI that during Phase 3 defined in numeral 9 of External Regulatory Circular DSP-465 have initiated the linking process to the centralized modules for immediate payment interoperability must continue it according to what is provided in the aforementioned Annex, according to the stage in which they are. 7. DICE Structure The fields stored by the DICE will follow the minimum structure of the Federated Directories, according to what is provided in numerals 4.2.1 and 4.2.2 of External Regulatory Circular DSP-465. The types of Keys and registered Keys in the DICE must follow the structure specifications provided in section 3.4.2 of External Regulatory Circular DSP-465. The other fields transmitted to the DICE must follow the structure specifications provided in section 4.2.2 of External Regulatory Circular DSP-465. The DICE does not store transactional information of Clients or other additional data different from the aforementioned. 8. Connection and Messaging Standards with the DICE The standard for the data exchange format to be used in the API-REST type interconnection between the Federated Directories and the DICE is JSON. The technical specifications, standards, and messaging format that EASPBVI must comply with in their connection to the DICE are found in the “DICE Technical Specifications Document”, which will be sent by the Bank of the Republic to the EASPBVI in their linking process to this centralized module and when modifications are made.

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 6 9. Operational Controls Executed by the DICE a. The DICE executes the following operational controls once it receives the Key registration request from a Federated Directory: i. Validates compliance with the fields, according to the minimum structure that must be transmitted by the Federated Directory, following the structure defined in section 4.1.2 of External Regulatory Circular DSP-465. ii. Verifies that each field of the request complies with the specifications described in sections 3.4.2 and 4.2.2 of External Regulatory Circular DSP-465. iii. Validates that the Key requested for registration has not previously been associated with another Payment Instrument. b. The DICE executes the following operational controls once it receives the modification, cancellation, reactivation, or blocking request for a Key from a Federated Directory: i. Validates compliance with the fields, according to the minimum structure that must be transmitted by the Federated Directory, following the structure defined in section 4.1.2 of External Regulatory Circular DSP-465. ii. Verifies that each field of the request complies with the specifications described in sections 3.4.2 and 4.2.2 of External Regulatory Circular DSP-465. iii. In modification requests, validates that the Key is associated with a single Payment Instrument. iv. In cancellation requests, validates that the Key is active or blocked by the Client. v. In reactivation requests, validates that the Key is in a blocked state. vi. In blocking requests, validates that the Key was previously in an active state. c. The DICE executes the following operational control once it receives the Key Resolution request from a Federated Directory: i. Validates that the Key type and the Key to be resolved comply with their structure specifications.

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 7 10. Key Resolution In Key Resolution requests, Federated Directories must send the DICE the Key Type and the Key to be resolved, following the structure specifications provided for both fields. The DICE executes Key Resolution for Keys that are in the “Active” state. In the event that the Key for which Resolution is requested is not active, the DICE informs the Federated Directory in the response message of the anomaly with the Key's status, that is, inactive or non-existent Key, or blocked Key. 11. Registration, Control, and Standard of DICE Timestamps The DICE clock maintains permanent synchronization with the Legal Time service of the National Institute of Metrology of Colombia (INM) or the one that replaces it. The Timestamps that the DICE incorporates in Key Resolution and Key management processes use the clock synchronized with the INM Legal Time service. These Timestamps are recorded under the ISO 8601 standard in local time and in the format defined by this standard, thus including year, month, day, hour, minutes, seconds, tenths, hundredths, and thousandths of a second. 11.1. DICE Timestamps for Key Resolution The DICE incorporates Timestamps upon receiving the Key Resolution request from the Federated Directory (Timestamp C310) and upon sending the Key Resolution response to the Federated Directory (Timestamp C320). The foregoing, in accordance with what is provided in Annex 5 of External Regulatory Circular DSP-465. 11.2. Timestamps for Key Management Processes The DICE incorporates Timestamps upon receiving the Key registration request from the Federated Directory (Timestamp R301) and upon sending the Key registration response to the Federated Directory (Timestamp R303). The foregoing, in accordance with what is provided in Annex 5 of External Regulatory Circular DSP-465.

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 8 12. Obligations and Responsibilities Regarding Connection to the DICE and Its Use 12.1. Obligations and Responsibilities of EASPBVI In addition to what is provided in other sections of this Circular, in the contracts, and in any other regulation associated with the DICE, EASPBVI will have the following obligations and responsibilities regarding connection to the DICE and its use: a) Update the Keys and associated information in their Federated Directories, according to Key management processes carried out by Clients with SPBVI Participants, attending to the connection standards and messaging format defined by the Bank of the Republic in this Circular; and inform these updates to the DICE. b) Query the DICE in the event of Key registration or modification in their Federated Directory(ies), to ensure that said Key is not associated with another Payment Instrument. Once the DICE has notified the response to the Key query process, the Key may be registered in the respective SPBVI's Federated Directory. c) Send the DICE modification requests for the Key or Key type received from their Participants using two messages: the first, for cancellation of the previous Key or Key type, and the second, for registration of the new Key or Key type. In any case, EASPBVI may process Key or Key type modification requests with their Participants using a single message according to the technological mechanisms agreed upon in their regulations. d) Determine, based on the Key sent by the Participant, the type of Key in question and submit to the DICE the information on the Key and Key type in Key Resolution proceedings. e) Comply with the schedules, procedures, requirements, and technical and security standards contained in this Circular, as well as any other instruction issued by the Bank of the Republic for the operation of the DICE. f) Participate in the tests and training programs organized by the Bank of the Republic regarding the DICE. g) Notify the Bank of the Republic as soon as they become aware of incidents, inconveniences, and failures that occur in the operation or connection with the DICE. For this purpose, the relevant information must be reported to the inbox admidice@banrep.gov.co and the phone lines available at Phone Support | Bank of the Republic. h) Apply modifications to the DICE regulation and/or operations that the Bank of the Republic informs through circular letters, regulatory circulars, or periodic updates to the DICE user manuals.

Document No: OT/PF/MAR/2026/128135 CIRCULAR EXTERNA OPERATIVA Y DE SERVICIOS DSP-470 Date: Tuesday, March 31, 2026 Subject 19: Centralized Directory Regulation (DICE) Hoja 19 - 9 i) Design and maintain in due working order internal contingency schemes that guarantee the continuity of their Federated Directories and their interaction with the DICE. j) Apply the contingency plan established by the Bank of the Republic in this Circular, when necessary, according to the scenario that arises. Refrain from performing any act or incurring in any omission that affects the order, security, competition, transparency, and proper functioning of the DICE. 12.2. Obligations and Responsibilities of the Bank of the Republic The Bank of the Republic, as administrator of the DICE, has the following obligations and responsibilities regarding the DICE, in addition to those provided in the contracts and any other regulation associated with the DICE: a) Attend and respond promptly to inquiries, complaints, or requests presented by EASPBVI regarding the DICE. b) Ensure the integrity and confidentiality of the information received from EASPBVI, from the moment of receipt. c) Design, test, and implement a contingency plan aimed at ensuring continuity in DICE operations. d) Carry out Key registration, update, and Resolution processes according to requests sent by EASPBVI, with the operating scheme and procedures described in this Circular and its annexes. e) Promptly inform EASPBVI about modifications to the software, technical and operational conditions, or current DICE regulation, through circular letters or regulatory circulars, or periodic updates to user manuals, applying when appropriate the procedures defined in External Regulatory Circular DDE-304 of the Bank of the Republic. f) Formulate a response to anomalies reported by EASPBVI that prevent Key registration, update, or Resolution, informing the corporate inboxes of those about the causes and solution alternatives when the failures are attributable to the Bank of the Republic. 13. DICE Tariff The Bank of the Republic will apply the tariffs authorized by its Board of Administration under the terms and procedures established in Operational and Services External Circular DSP-272, corresponding to Subject 16 “Tariffs for the administration of Deposit Accounts, for operations in the CUD, and for the centralized modules for immediate payment interoperability” of the Payment Systems Department Manual, or those that modify or replace them. 14. Policies and Procedures for the Confidential Handling of Information Shared by Federated Directories with the DICE In compliance with the personal data protection regime (Political Constitution, Statutory Law 1581 of 2012, Decree 1074 of 2015, Title V of the Single Circular of the Superintendence of Industry and Commerce (SIC), and other provisions that modify, complement, or replace them), the Bank of the Republic informs its policy for the treatment of personal data contained in the DICE, which have been transmitted by the Federated Directories of the EASPBVI: a) General Data - Responsible: Bank of the Republic, Tax ID No. 8600052167, Main Office: Carrera 7 # 14-78 Bogotá D.C. Area: Citizen Attention. Contact: Through the email admidice@banrep.gov.co or the Citizen Attention System