Technical Standards for Environmental and Social Risk Management

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281 - 8000 www.bcr.gob.sv Page 1 of 16 CNBCR-01/2024 NRP-53 TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

Approval: 01/31/2024 Validity: 02/15/2024

THE STANDARDS COMMITTEE OF THE CENTRAL RESERVE BANK OF EL SALVADOR,

CONSIDERING: I. That Article 117 of the Constitution of the Republic of El Salvador establishes that it is the duty of the State to protect natural resources, as well as the diversity and integrity of the environment, to guarantee sustainable development; declaring of social interest the protection, conservation, rational use, restoration, or substitution of natural resources, prohibiting the introduction into the national territory of nuclear waste and toxic waste.

II. That Article 2, second paragraph, of the Law on Supervision and Regulation of the Financial System establishes that for the proper functioning of the Financial Supervision and Regulation System, it is required that the members of the financial system and other supervised entities comply with current regulations and the adoption of the highest standards of conduct in the development of their business, acts, and operations, in accordance with what is established in the aforementioned Law, in other applicable laws, in regulations, and in the technical standards issued for such effect.

III. That Article 3, letter c), of the Law on Supervision and Regulation of the Financial System establishes that it is the responsibility of the Superintendence of the Financial System to proactively monitor the risks of the members of the financial system and the manner in which they manage them, ensuring the prudent maintenance of their solvency and liquidity.

IV. That Article 3, letter i), of the Law on Supervision and Regulation of the Financial System establishes that it is the responsibility of the Superintendence of the Financial System to require that supervised entities and institutions be managed and controlled in accordance with international best practices referred to risk management and corporate governance, as well as the technical standards that are issued.

V. That Article 35, letter d), of the Law on Supervision and Regulation of the Financial System establishes that directors, managers, and other officials holding positions of direction or administration in the members of the financial system must conduct their business, acts, and operations complying with the highest ethical standards of conduct and acting with the due diligence of a good merchant in their own business, being obligated to comply with and ensure that in the institution they direct or work for, the adoption and updating of policies and mechanisms for risk management are fulfilled, including among other actions, identifying, evaluating, mitigating, and disclosing them in accordance with international best practices.

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281 - 8000 www.bcr.gob.sv Page 2 of 16 CNBCR-01/2024 NRP-53 TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

Approval: 01/31/2024 Validity: 02/15/2024

VI. That in accordance with international standards, it is necessary to have a solid risk management framework that allows for the effective and efficient management of environmental and social risks according to the profile, volume of operations, nature of the business, entity resources, and best practices, in such a way as to promote the implementation of prudential measures that improve decision-making capacity and risk classification of entities, promoting security and confidence in financial markets.

THEREFORE, by virtue of the normative powers conferred by Article 99 of the Law on Supervision and Regulation of the Financial System, AGREES to issue the following:

TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

CHAPTER I OBJECT, SUBJECTS, AND TERMS

Object Art. 1.- These Standards aim to provide minimum criteria for the adequate management of environmental and social risk, and the adoption of the related policy and manual regarding the development of methodologies for risk management in accordance with applicable laws and international best practices in the matter, consistent with the nature, size, risk profile, and volume of their operations. Likewise, these Standards complement the provisions established in the "Technical Standards for the Comprehensive Risk Management of Financial Entities" (NRP-20), the "Technical Standards on Corporate Governance" (NRP-17), and the "Technical Standards for the Comprehensive Risk Management and Information Transparency of Investment Banks" (NRP-93), approved by the Central Bank of El Salvador through its Standards Committee. (1)

Subjects Art. 2.- The subjects obligated to comply with the provisions established in these Standards are: a) Banks constituted in El Salvador and their subsidiaries; b) Branches of foreign banks constituted in the country; c) Cooperative banks, savings and credit societies, and federations regulated by the Law on Cooperative Banks and Savings and Credit Societies; d) The Mortgage Bank of El Salvador, S.A.;

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281 - 8000 www.bcr.gob.sv Page 3 of 16 CNBCR-01/2024 NRP-53 TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

Approval: 01/31/2024 Validity: 02/15/2024

e) The Agricultural Development Bank, insofar as it does not contradict its creation law, nor what is established by the Court of Accounts; (1) f) The Development Bank of the Republic of El Salvador, insofar as it does not contradict its creation law, nor what is established by the Court of Accounts; and (1) g) Investment Banks. (1)

Terms Art. 3.- For the purposes of these Standards, the terms indicated below have the following meaning: a) Senior Management: The Executive President, Executive Director, General Manager, or whoever acts in their place, and the executive positions that report to them. In the case of the Development Bank of the Republic of El Salvador, the President; b) Fragile Area: Degraded coastal-marine environment, protected wild areas and buffer zones, aquifer recharge zones, and slopes of more than thirty degrees without vegetation cover or conservation measures, and others that have been decreed as such by law, in accordance with the Environmental Law; c) Protected Natural Area: Part of the national territory owned by the State, the Municipality, autonomous entities, or private owners, legally established with the object of enabling the conservation, sustainable management, and restoration of wild flora and fauna, related resources, and their natural and cultural interactions, which has high significance due to its function or its genetic, historical, scenic, recreational, archaeological, and protective values, in such a way that it preserves the natural state of biotic communities and unique geomorphological phenomena, in accordance with what is provided in the Law on Protected Natural Areas; d) Central Bank: Central Reserve Bank of El Salvador; e) Environmental Damage: Any loss, decrease, deterioration, or harm caused to the environment or one or more of its components, in contravention of the legal framework. The damage may be serious when it endangers the health of human groups, ecosystems, or flora and fauna species, and irreversible when the effects it produces are irreparable and definitive, in accordance with the Environmental Law; f) Executive Director: That person who exercises the highest administrative authority within the entity, and who may also be part of the Board of Directors; frequently referred to as Executive President, General Manager, or whoever acts in their place; g) Entity: Subjects obligated as referred to in Article 2 of these Standards; h) Environmental Impact: Any significant alteration, positive or negative, of one or more of the components of the environment, caused by human action or natural phenomena in a defined area of influence, in accordance with Article 5 of the Environmental Law;

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281 - 8000 www.bcr.gob.sv Page 4 of 16 CNBCR-01/2024 NRP-53 TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

Approval: 01/31/2024 Validity: 02/15/2024

i) Board of Directors: A collegiate body or equivalent body in charge of the administration of the entity, with supervision, direction, and control functions; in the case of Cooperative Associations, it will be the Board of Directors or as defined in its Creation Law; j) Exclusion List: A list of specific activities to which the entity has decided not to provide financing, because they are not aligned with the strategic environmental and social objectives defined by the entity itself, in strict adherence to local legislation and regulations or international standards in environmental and social matters; k) Checklist: Minimum requirements that debtors must meet regarding their environmental and social performance; l) AS Action Plan: Document containing details of protective, corrective, or mitigation measures for negative impacts that are expected to be carried out or are already being carried out by the debtor; m) AS Risk Management Policy: Defines the environmental and social objectives and principles that guide the entity's actions within the framework of financial operations where environmental and social responsibility must be applied, which must be duly documented and approved by the Board of Directors; n) Environmental and Social Risk or AS Risk: The possibility of incurring losses generated by negative environmental and social impacts caused by granting credits for the financing of activities, works, or projects; o) Superintendence: Superintendence of the Financial System; and p) Buffer Zones: Fragile areas adjacent to and having direct incidence on Protected Natural Areas, subject to the promotion of activities friendly to natural resources, which support management objectives and minimize negative impacts inward and outward, in accordance with what is provided in the Law on Protected Natural Areas.

CHAPTER II GENERAL PROVISIONS

AS Risk Management Art. 4.- Entities must design an AS Risk Management System that allows for the identification, evaluation, monitoring, control, and mitigation of AS Risks associated with credit operations. For these purposes, they will prepare an AS Risk Management Policy, in which they must clearly describe the AS Risk Management System adopted by them. Entities must consider the minimum elements established in Article 8 of these Standards for the purpose of elaborating their AS Risk Management Policy.

Covered Operations Art. 5.- Each entity will define by internal policy the credit operations that will be evaluated under AS Risk Management, considering the environmental or social impacts associated with the activities, works, or projects it finances, considering as a minimum what is established in these Standards. The operations mentioned in the first paragraph of this article must be detailed in the AS Risk Management Policy approved by the Board of Directors. Credit operations granted to natural persons for housing and consumption purposes, including credit cards, are exempt from the application of the provisions contained in these Standards.

Limit of Responsibilities Art. 6.- Entities subject to these Standards do not assume functions or responsibilities of State entities in charge of granting permits or licenses in environmental or social matters. However, in their credit granting process, entities must request that debtors present the permits, licenses, and other legal requirements that correspond, as established by the State through the Central Government or municipalities.

CHAPTER III ENVIRONMENTAL AND SOCIAL RISK MANAGEMENT

Basic Elements of AS Risk Management Art. 7.- To implement AS Risk Management, entities must have at least the following: a) AS Risk Management Policy; b) Definition of Functions and Responsibilities; c) AS Risk Management Procedures Manual; and d) AS Risk Management Report.

The content of the manual established in letter c) of this article may be incorporated into the "Risk Management Manual," contemplated in the "Technical Standards for the Comprehensive Risk Management of Financial Entities" (NRP-20) and the "Technical Standards for the Comprehensive Risk Management and Information Transparency of Investment Banks" (NRP-93), approved by the Central Bank through its Standards Committee. (1)

AS Risk Management Policy Art. 8.- Entities must have a policy to define the AS Risk Management framework, which allows them to reduce their vulnerability and losses due to this risk and promote at the organizational level the culture of prevention and control of this risk, ensuring compliance with internal and external norms related to it. The AS Risk Management Policy must be formally approved by the Board of Directors, and must include at least the following aspects: a) Commitment of the entity with emphasis on integrating AS Risk considerations in the credit operations it grants; b) Definition of the objective and scope of the AS Risk Management Policy with respect to the environment, society, and contribution to sustainable development; c) Definition of roles and responsibilities for the application of the AS Risk Management Policy; d) Legislation and environmental regulations of the country and international standards considered as the basis of the scheme and as determining reference sources to establish excluded or sensitive activities, works, or projects; e) Definition of the general methodology to be used for the application of AS Risk Management in business operations; f) Definition of criteria to be used to determine credit operations that will be excluded from AS Risk evaluation according to the entity's internal policy; and g) The periodicity for the review and updating of the AS Risk Management Policy to adapt it to best practices regarding the matter;

Functions and Responsibilities Art. 9.- Entities must establish an organizational or functional structure adequate to their business model and appropriately segregated, which clearly delimits functions and responsibilities, as well as the levels of dependence and interrelation that correspond to each of the areas involved in carrying out activities related to AS Risk. All these aspects must be contemplated in the respective manual, approved by the Board of Directors of the entity. For AS Risk management, the entity must establish functions and responsibilities, considering the following levels: a) Board of Directors: It is responsible for ensuring that the entity has an adequate strategy for AS Risk management, for which it must perform at least the following: i. Approve the AS Risk Management Policy and AS Risk Management Procedures Manual, considering that it must contemplate at least what is established in these Standards; ii. Assign and approve the necessary resources to implement and maintain AS Risk management effectively and efficiently; and

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281 - 8000 www.bcr.gob.sv Page 5 of 16 CNBCR-01/2024 NRP-53 TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

Approval: 01/31/2024 Validity: 02/15/2024

iii. Approve the minimum requirements that debtors must meet in environmental and social matters, which must be included in their AS Risk Management Policy. b) Risk Committee: The Risk Committee, or whoever acts in their place, is in charge of ensuring sound AS Risk management of the entity, for which it must perform at least the following: i. Evaluate, review, and propose for Board of Directors approval the strategies, policies, and manuals for AS Risk management; ii. Supervise that AS Risk management is effective and that AS Risks are consistently identified, measured, evaluated, mitigated, and monitored; iii. Support the work of the Risk Unit or specialized area in the implementation of AS Risk management; and iv. Others that the Board of Directors or equivalent body considers necessary for the development of their functions. c) Senior Management: Is responsible for the implementation of AS Risk management, strategies, policies, and manuals, authorized by the Board of Directors. Senior Management of entities must perform at least the following: i. Ensure the effective implementation of the AS Risk Management Policy; ii. Approve credits according to their internal credit granting policies, considering what is related to AS Risk management; iii. Support the Risk Unit or specialized area in AS Risk to carry out AS evaluations, in accordance with what is provided in these Standards and the policies, procedures, and manuals approved for these effects by the entity; iv. Approve the modifications proposed to be made to the AS Risk Management Policy prior to its presentation to the Board of Directors; and v. Inform the Board of Directors, at least once a year, regarding AS Risk management; d) Risk Unit or specialized area in AS Risk: Depending on its size, nature, and complexity of products, services, and operations, AS risk management may be performed by the Risk Unit or specialized area. This unit or specialized area must be independent of the business units and operational areas of the entity.

The Board of Directors, or equivalent body of the entity, must define the unit or specialized area of AS Risk management that will be responsible for designing, implementing, and maintaining adequate management. This unit or specialized area must perform at least the following:

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281 - 8000 www.bcr.gob.sv Page 6 of 16 CNBCR-01/2024 NRP-53 TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

Approval: 01/31/2024 Validity: 02/15/2024

i. Elaborate and propose to the Risk Committee or whoever acts in their place, the AS Risk Management Policy and AS Risk Procedures Manual; ii. Carry out AS Risk evaluations in accordance with the policy, procedures, and manuals approved by the Board of Directors; iii. Ensure effective AS Risk management inherent to the credit portfolio; iv. Identify training and dissemination needs for adequate AS Risk management; v. Inform the Risk Committee of relevant aspects of AS Risk management for timely decision-making; and vi. Others that the Board of Directors or equivalent body considers necessary for the development of their functions. The personnel of the Risk Unit or specialized area in AS Risk management must possess a profile consistent with the functions to be performed; for this, the entity must consider their academic training, experience, and training in AS Risk management. e) Internal Audit: The Internal Audit Unit must support the entity in evaluating and improving the quality and efficiency of AS Risk management processes, for which it must observe what is established in the "Technical Standards on Internal Audit for Members of the Financial System" (NRP-15), approved by the Central Bank through its Standards Committee.

AS Risk Management Procedures Manual Art. 10.- The AS Risk Management Procedures Manual must contain at least provisions related to the following aspects: a) Exclusion List: The entity must detail a list of activities, works, or projects to which it will not finance due to their negative environmental and social implications. For this effect, the entity will take as reference the list coming from some international institution that provides financing aimed at combating climate change, such as the exclusion list of the International Finance Corporation of the World Bank, the Inter-American Development Bank, among others. The entity may include other activities that it will not finance due to their negative environmental and social implications, according to its internal policies.

b) AS Risk Categorization Methodology: The entity must define a methodology to assign the AS Risk categorization to the activity, work, or project. In this categorization methodology, it must consider the economic activity of the activity, work, or project being financed, the location of the activity (territorial sensitivity), the magnitude of the financial operation (proportionality), and social elements.

The economic activity is that which is assigned from the origin of the request for the activity that the debtor requests to finance. For the designation of the categorization linked to the economic activity, the classes of economic activities described in Annex F of the "Technical Standards on the Procedure for Information Collection of the Central Risk System" (NRP-41) will be used, and in the case of Investment Banks, the classes of economic activities described in Annex D of the "Technical Standards on the Information Collection Procedure of the Central Risk System for Investment Banks" (NRP-92), approved by the Central Bank through its Standards Committee. The entity may use as reference for AS risk categorization linked

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281 - 8000 www.bcr.gob.sv Page 7 of 16 CNBCR-01/2024 NRP-53 TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

Approval: 01/31/2024 Validity: 02/15/2024

to the economic activity, the classes of economic activities described in Annex D of the "Technical Standards on the Information Collection Procedure of the Central Risk System for Investment Banks" (NRP-92), approved by the Central Bank through its Standards Committee. The entity may use as reference for AS risk categorization linked to the economic activity, the classes of economic activities described in Annex D of the "Technical Standards on the Information Collection Procedure of the Central Risk System for Investment Banks" (NRP-92), approved by the Central Bank through its Standards Committee.

The categorization methodology must consider at least the following factors: i. Economic activity: The type of economic activity of the debtor or the project to be financed. ii. Location: The geographical location of the activity, work, or project, considering the sensitivity of the territory, such as protected areas, fragile areas, buffer zones, etc. iii. Magnitude: The size of the financial operation, considering the amount of the credit, the duration, and the percentage of the entity's portfolio. iv. Social elements: The impact on the population, considering aspects such as displacement, loss of livelihoods, impact on indigenous peoples, etc.

The categorization must be classified into at least three levels: Low, Medium, and High Risk.

Low Risk: Activities with low environmental and social impact, where negative impacts are minimal, reversible, and easily mitigated. Medium Risk: Activities with moderate environmental and social impact, where negative impacts are significant but reversible and manageable through mitigation measures. High Risk: Activities with high environmental and social impact, where negative impacts are severe, irreversible, or difficult to mitigate.

The entity must establish the criteria for classifying each operation into the corresponding risk category.

c) Environmental and Social Assessment: The entity must establish a process for the environmental and social assessment of credit operations, which must be carried out before granting the credit. The assessment must include at least the following steps: i. Identification of environmental and social risks associated with the activity, work, or project. ii. Evaluation of the significance of the identified risks. iii. Definition of mitigation measures to avoid, minimize, or compensate for negative impacts. iv. Development of an Environmental and Social Management Plan (ESMP) if necessary. v. Establishment of monitoring and reporting mechanisms.

The entity must define the level of assessment required for each risk category. For Low Risk operations, a simplified assessment may be sufficient. For Medium and High Risk operations, a more detailed assessment is required, which may include the preparation of an Environmental and Social Impact Assessment (ESIA) by qualified professionals.

The entity must ensure that the debtor complies with the mitigation measures and the ESMP. The entity must monitor the implementation of these measures throughout the life of the credit.

d) Grievance Mechanism: The entity must establish a grievance mechanism to receive and address complaints from stakeholders affected by the activities financed by the entity. The mechanism must be accessible, transparent, and effective. The entity must report on the operation of the grievance mechanism in its AS Risk Management Report.

e) Training and Awareness: The entity must provide training and awareness programs for its employees on AS Risk management. The training must cover the entity's AS Risk Management Policy, procedures, and tools. The entity must ensure that employees involved in AS Risk management have the necessary skills and knowledge.

f) Reporting: The entity must prepare an AS Risk Management Report at least annually. The report must include at least the following information: i. Description of the AS Risk Management System. ii. Summary of AS Risk management activities carried out during the period. iii. Summary of AS Risk events and incidents. iv. Status of mitigation measures and ESMPs. v. Information on the grievance mechanism. vi. Training and awareness activities. vii. Recommendations for improvement.

The AS Risk Management Report must be approved by the Board of Directors and made available to the Superintendence of the Financial System upon request.

Alameda Juan Pablo II, between 15 and 17 Av. Norte, San Salvador, El Salvador. Tel. (503) 2281 - 8000 www.bcr.gob.sv Page 8 of 16 CNBCR-01/2024 NRP-53 TECHNICAL STANDARDS FOR THE MANAGEMENT OF ENVIRONMENTAL AND SOCIAL RISKS

Approval: 01/31/2024 Validity: 02/15/2024

CHAPTER IV TRANSITIONAL PROVISIONS

Art. 11.- Entities subject to these Standards must comply with the provisions herein within six (6) months from the date of entry into force of these Standards.

Art. 12.- The Superintendence of the Financial System may grant extensions to entities that demonstrate justified difficulties in complying with the provisions of these Standards, provided that such extensions do not exceed six (6) months and are granted on a case-by-case basis.

Art. 13.- These Standards shall enter into force on February 15, 2024.

San Salvador, January 31, 2024.

THE STANDARDS COMMITTEE OF THE CENTRAL RESERVE BANK OF EL SALVADOR

[Signatures]

(1) These entities are subject to these Standards insofar as they do not contradict their specific creation laws or regulations issued by the Court of Accounts, where applicable.