Circular RUNOR 1-1946 CREFI 2-142: Minimum Requirements for the Management and Control of Information Technology and Security Risks. Expansion of Financial Entities. Amendments.

"YEAR OF ARGENTINE GREATNESS" COMMUNICATION “A” 8398 05/02/2026 TO FINANCIAL ENTITIES, ELECTRONIC CLEARING HOUSES, ATM NETWORKS, PAYMENT SERVICE PROVIDERS, FINANCIAL MARKET INFRASTRUCTURES: Ref.: Circular RUNOR 1-1946, CREFI 2-142: Minimum Requirements for the Management and Control of Information Technology and Security Risks. Expansion of Financial Entities. Amendments.

---

We address you to inform you that this Institution has adopted the resolution which, in its relevant part, establishes: “1- Incorporate as obligated subjects contemplated in point 1.1 of the consolidated text on Minimum Requirements for the Management and Control of Information Technology and Security Risks, Payment Service Providers (PSP) included in the Registry of PSPs of the Central Bank of the Argentine Republic, granting them a period of 180 (one hundred eighty) calendar days from the publication of this communication for implementation. 2- Substitute PRISMA with NEWPAY in point 1.1 of the consolidated text on Minimum Requirements for the Management and Control of Information Technology and Security Risks. 3- Substitute Section 10. of the consolidated text on Minimum Requirements for the Management and Control of Information Technology and Security Risks with the provisions contained in Annex I which forms an integral part of this communication. 4- Substitute and incorporate in Section 11. of the consolidated text on Minimum Requirements for the Management and Control of Information Technology and Security Risks the following terms: “Third party: who provides processes, services and/or activities outsourced by the entity.” “Subcontracting: practice whereby a third party assigns to a subcontractor (n-th party) part of what has been assigned to it.” “Critical services: those that are essential for the continuous functioning of the financial system and the entity, and for compliance with legal and regulatory obligations.” 5- Substitute Section 2. of the consolidated text on Expansion of Financial Entities with the provisions contained in Annex II which forms an integral part of this communication.”

2- Likewise, we inform you that we will subsequently send you the sheets which, replacing those duly provided, should be incorporated into the consolidated texts of reference. We remain, yours sincerely. CENTRAL BANK OF THE ARGENTINE REPUBLIC Darío C. Stefanelli Roberto A. Boccardo Chief Manager of Issuance and Regulatory Applications Deputy General Manager of Systems and Organization

ANEXO (Annex)

-1- Section 10. Management of third-party relationships. Entities may outsource processes, services and/or activities related to information technology and security processes, within the country as well as abroad. The following are not covered by the requirements of this section: • Services that provide general information on financial markets. • Services of mandatory adoption by regulation of the financial system. • Services provided by government bodies. • Banking correspondent activities. • Credit card payment processing services. Processes, services and/or activities cannot be outsourced to third parties that perform internal and/or external audit functions. Entities that outsource processes, services and/or activities related to information technology and security shall not be released from their present or future responsibilities, which correspond to them in accordance with legal and regulatory provisions and regulations issued by the BCRA. Based on their operations, processes and structure, entities must consider establishing a sector or function responsible for managing third-party relationships. The contracting or outsourcing must contain provisions ensuring that outsourced processes, services and activities comply with the requirements of these regulations, according to their risk assessment. The risk assessment of all service providers must be documented and approved by the entity's highest local authorities. 10.1. Prior notification requirement. Entities must inform the External Systems Audit Management of the Superintendence of Financial and Foreign Exchange Entities (SEFYC) about the characteristics of critical services to be outsourced, at least 60 (sixty) calendar days prior to the start of outsourcing. The prior notification of critical services to be outsourced must contain:

• The nature of the services, according to the following taxonomy: • Data processing in traditional infrastructures. • Infrastructure and processing in Infrastructure as a Service (IaaS) mode. • Solutions in Platform as a Service (PaaS) mode. • Solutions in Software as a Service (SaaS) mode. • Data administration and management. • Access control to infrastructure, systems and data. B.C.R.A. Minimum Requirements for the Management and Control of Information Technology and Security Risks Annex I to Com. “A” 8398

-2- • Security operations (includes SOC). • Cyber incident management (in any of its stages). • Back-office activities with technological support. • Payment management. • Communications and networks management. • Development, support and maintenance. • Backup copy management. • Other services considered critical.

• A description of the covered services and activities.
• The geographic locations (country, region, city) where each of the activities will take place.
• The geographic locations (country, region, city) where control tasks on the activities will be performed.
• The date of commissioning of the activities.
• Contact person data at the service provider third party (name, role, phone and email).
• When the activity contemplates subcontracting (“n-th parties”), each provider must be identified, along with the activity to be performed and geographic locations.
• Instruments formalizing outsourcing.
• An operational continuity plan complying with current regulatory requirements.
• Availability of alternative continuity solutions as provided in Sections 3. and 6.
• In the case of intra-group outsourcing abroad, a written certification from the supervisory body of the country of origin must be obtained indicating that: • It is aware and does not object to the outsourcing. • The outsourced services will be part of its normal supervision program. • It is subject to internationally accepted Anti-Money Laundering, Counter-Terrorist Financing and Combating the Financing of Proliferation of Weapons of Mass Destruction (AML/CFT/CFPMD) principles, standards or regulations, including those disseminated by the Financial Action Task Force (FATF-GAFI) and the Basel Committee on Banking Supervision. • Furthermore, regarding supervision form, it adheres to the “Basic Principles for Effective Banking Supervision” disseminated by the Basel Committee on Banking Supervision. It also applies consolidated supervision assuming oversight of liquidity and solvency, as well as evaluation and control of risks and equity situations considered on a consolidated basis.

-3- 10.2. Third-party relationship management framework. Entities must establish a policy and framework for managing outsourced processes, services and/or activities that considers: • Definition of roles and responsibilities for different management activities. • Security measures according to information technology and security risk management results; and risks inherent to outsourcing. • Procedures for selection and contracting of third parties. • Identification and documentation of outsourced services and activities. • Identification of contact points for legal aspects and those related to information technology, security and cyber incident management. • Preparation and maintenance of a catalog with information on outsourced services and activities. • Service continuity according to risk analysis results. • Continuous evaluation of exposure levels to risks throughout the outsourcing lifecycle. • Mechanisms for managing conflicts of interest. • Mechanisms for managing cyber incidents. • Preparation of procedures for supervising compliance with formalized agreements. • Implementation of independent audits on services and activities managed by third parties to evaluate risk management and alignment with the entity's information technology and security processes. Furthermore, entities must evaluate possible scenarios of planned or forced termination of processes, services or activities provided by third parties, and establish termination plans that allow them to mitigate risks of interruption, non-compliance with legal and regulatory requirements, or quality degradation. Termination plans must consider obtaining data, source programs, and documentation of systems and applications. Throughout the outsourcing lifecycle, any change related to the nature of the activity, geographic location where activities or control tasks are performed, as well as incorporation and/or modifications of subcontracting (“n-th parties”), must be interpreted as a new outsourcing process and must comply with all requirements contemplated in point 10.1. Relevant changes in the outsourcing abroad of critical intra-group services must be accompanied by a new written certification from the country of origin supervisor provided in point 10.1.

-4- 10.3. Relationship formalization. 10.3.1. Entities must formalize in all cases relationships with third parties that provide outsourced processes, services and/or activities according to established procedures. The following must be set at minimum: • Nature, scope of processes, services and/or activities to be outsourced and responsibilities of the parties. • Duration of contracting or outsourcing and specific clauses regulating automatic renewal. • Minimum service levels and performance metrics. • Existence of continuity plans. • Rights to conduct audits by the entity. • Communication mechanisms regarding changes that may affect service provision conditions. • Confidentiality agreements. • Dispute resolution mechanisms. • Coordinated procedures for cyber incident management. • Compliance with applicable legal and regulatory framework. • Provisions allowing the entity and SEFYC, at all levels of contracting, to request precise, complete and timely information related to outsourced services when deemed appropriate and unrestricted access to audit and obtain relevant information at facilities, control areas and documentation on all service providers. • Notification mechanisms regarding changes in shareholding control and management level changes of third parties. • Responsibilities in customer/user claim circuits for the entity's financial services. • Communication procedures and protocols allowing effective compliance with controls on outsourced processes, services and activities. • Formal designation of a responsible person representing the third party for handling outsourcing-related aspects, according to service characteristics and risk analysis results. • Mechanisms for eliminating entity data managed by third parties once the relationship expires.

-5- • Procedures for service termination according to risk assessment. Financial messaging services will be evaluated taking into account their particular contracting conditions such as SWIFT. 10.3.2. Third-party subcontracting. Documents instrumenting contracting or outsourcing must formally establish the primary provider's responsibility regarding:

• All processes, services and/or activities provided by itself or through subcontractors, regardless of geographic location.
• Notification to the entity of all subcontracting with identification of services and activities involved. Furthermore, all subcontractors must formally assume:
• Responsibility to comply with applicable legal and regulatory framework.
• Assignment of access and audit rights, both for the entity and SEFYC. 10.4. Control and monitoring. Entities must define a control process according to risk assessment that allows them to monitor and evaluate outsourced information technology and security processes, services and activities. Procedures must exist for executing controls on third parties, evaluating compliance with regulatory requirements and agreed service levels, and monitoring adaptation requests in case of non-compliance. The periodicity of control and monitoring activities must be defined according to the risk level and criticality of outsourced processes, services or activities. 10.4.1. Reports from independent third parties. Reports of evaluations performed by independent third parties on outsourced processes, services and activities will be considered complementary to the entity's control and monitoring activities, provided that:
• They are prepared according to internationally accepted processes.
• Scope and results allow verification of implemented controls.
• Additional audits or review activities are performed when scope does not cover all regulatory requirements and identified risks. 10.5. Internal and external audit reports.

-6- Internal audits on outsourced processes, services and activities must be performed including reviews of compliance with legal and regulatory requirements. The periodicity of audit reports must be defined according to the risk level and criticality of outsourced services or activities, evaluating their impact on the entity's internal control system. Together with internal audit reports, external auditor reports conducted during their reviews of outsourced services and activities must be sent to the External Systems Audit Management. The following must be available to SEFYC at all times:

• Reports from corporate internal and external auditors on intra-group outsourced services.
• Audit reports on different extra-group third-party service providers. In all cases, the entity's local internal audit must analyze received audit reports and evaluate reasonableness, consistency and integrity regarding compliance with current local regulations to determine, at all times, maintenance of initial conditions considered when contracting said services. 10.6. Additional considerations. 10.6.1. Expenses incurred by SEFYC to perform inspections of outsourced activities abroad (flights, accommodation, per diems, transfers, others) must be fully covered by the entity. 10.6.2. The foreign third party to which activities are outsourced must be incorporated in countries subject to internationally accepted Anti-Money Laundering, Counter-Terrorist Financing and Combating the Financing of Proliferation of Weapons of Mass Destruction (AML/CFT/CFPMD) principles, standards or regulations, including those disseminated by the Financial Action Task Force (FATF-GAFI).

-7- Section 2. Outsourcing of activities. 2.1. Prior communication requirement. Financial entities may outsource –in third-party facilities and/or infrastructures with technical and/or human resources of the third parties– processes, services and/or activities that do not consist in customer and/or general public attention (administration, services related to information technology and security processes, archiving, printing, etc.) prior communication submitted to the Superintendence of Financial and Foreign Exchange Entities (SEFYC) at least 60 (sixty) calendar days prior to the start of these activities. In cases of activities involving customer and general public attention, Section 9 applies. 2.2. Conditions. 2.2.1. Outsourced processes, services and/or activities are subject to corresponding technical regulations according to their nature and type. 2.2.2. For outsourcing of processes, services and/or activities related to information technology and security processes, the provisions in the consolidated texts on Minimum Requirements for the Management and Control of Information Technology and Security Risks and Minimum Requirements for the Management and Control of Information Technology and Security Risks Associated with Digital Financial Services must be met. 2.2.3. For the rest of services and/or activities. The outsourcing communication must state: 2.2.3.1. Nature of each process, service and/or activity included. 2.2.3.2. Address where processes, services and/or activities will take place. 2.2.3.3. Start date of outsourcing of processes, services and/or activities. 2.2.3.4. Attachment of contract copy. 2.2.3.5. Inclusion of information, commitments and documentation indicated in points 2.2.1. and 2.2.4. signed by a person with sufficient authority. Required documentation must be sent through the modality established by SEFYC in pdf format file, with originals kept at the financial entity available to SEFYC. The legal representative of the entity must declare via note with sworn character that all documentation sent electronically is a true copy of the documentation kept by the entity and available to SEFYC, detailing its location. B.C.R.A. Expansion of Financial Entities Annex II to Com. “A” 8398

-8- 2.2.4. The outsourcing contract must expressly stipulate the following: 2.2.4.1. Acceptance and commitment to comply with conditions referred to in point 2.2.1., by all intervening parties. 2.2.4.2. SEFYC's authority to periodically audit compliance with said conditions. 2.2.5. According to point 2.2.4.2., financial entities and third parties contracted by them must commit to allowing agents designated by SEFYC to access facilities and/or infrastructures where the process, service and/or activity takes place, when necessary to fulfill supervision functions. 2.2.6. The following must be maintained in the Argentine Republic: 2.2.6.1. Original accounting books and records established by current legal provisions, allowing both the local entity and SEFYC to reconstruct and verify operations and businesses at any time. 2.2.6.2. Archive of delivered information and documents signed by clients, supporting active and passive operations. 2.2.6.3. Debtor files, according to the Consolidated Text on Credit Management. 2.2.6.4. Documents and guarantees supporting current financings granted by the entity or acquired, when the purchasing entity has administration of the portfolio in charge, and original documentation demonstrating ownership of remaining assets. 2.2.6.5. Any original document safeguard, when legal, regulatory provisions and/or BCRA regulations determine specific courses of action. 2.3. Responsibilities. Financial entities that outsource processes, services and/or activities shall not be released from their present or future responsibilities, which correspond to them in accordance with legal and regulatory provisions and regulations issued by the BCRA.