2022-03-30

Agreement No. 002-2022: Modification of Article 15 of Agreement No. 6-2011

The Banking Superintendence of Panama issued Agreement No. 002-2022 to extend the compliance deadline for electronic banking security requirements from February 28, 2022, to June 30, 2022. This modification mandates that banks implement robust authentication measures, including category 2 dynamic validation for third-party transactions and secure activation processes for soft tokens. The regulation also assigns risk and cost liability to banks for unauthorized transactions resulting from dual-factor authentication activation prior to the full implementation of prescribed security measures.


Superintendencia de Bancos de Panama


Republic of Panama
Banking Superintendence

AGREEMENT No. 002-2022
(March 22, 2022)

"By which Article 15 of Agreement No. 6-2011 is modified"

THE BOARD OF DIRECTORS

In exercise of its legal powers, and

CONSIDERING:

That following the issuance of Decree-Law No. 2 of February 22, 2008, the Executive Branch prepared a systematic ordering in the form of a Single Text of Decree-Law No. 9 of February 26, 1998, and all its modifications, which was approved via Executive Decree No. 52 of April 30, 2008, hereinafter referred to as the Banking Law;

That in accordance with items 1 and 2 of Article 5 of the Banking Law, it is the objective of the Banking Superintendence to ensure the maintenance of the solidity and efficiency of the banking system, as well as to strengthen and foster the conditions conducive to the development of the Republic of Panama as an international financial center;

That in accordance with items 3 and 4 of Article 5 of the Banking Law, it is the objective of the Banking Superintendence to promote public confidence in the banking system, and to ensure legal balance between the banking system and its clients;

That in accordance with Article 11, item 5 of the Banking Law, it is the responsibility of the Board of Directors to establish, within the administrative scope, the interpretation and scope of legal or regulatory provisions regarding banking matters;

That by means of Agreement No. 6-2011, as modified by Agreements No. 9-2014 and No. 5-2021, guidelines on electronic banking and related risk management are established;

That in view of the increase in electronic fraud at the national and international levels, which constantly tests the vulnerabilities of the electronic channels of the banking sector, this Superintendence issued Agreement No. 5-2021 with the purpose of establishing requirements for banks that strengthen the guidelines on electronic banking, so that the services offered to clients are handled in a safer, more reliable, and efficient manner by the banks in the market;

That Agreement No. 5-2021 established a deadline until February 28, 2022, for banking entities to make the necessary technological adjustments to comply with the requirements established in paragraph 1 of item 2 of Article 15 of Agreement No. 6-2011;

That by means of Note ABP/PE No. 034-2022, the Banking Association of Panama requested an extension for the compliance of the provisions contemplated in paragraph 1 of item 2 of Article 15 of Agreement No. 6-2011, in order for banking entities to have an additional period to make the corresponding adjustments;

That in working sessions of this Board of Directors, the need and convenience of modifying Article 15 of Agreement No. 6-2011 has been manifested, with the purpose of extending the deadline for compliance with the guidelines established in paragraph 1 of item 2 of the aforementioned article.

AGREES:

ARTICLE 1. Item 2 of Article 15 of Agreement No. 6-2011 is hereby amended as follows:

“ … 2. Internet Banking and Mobile Banking

At the level of internet banking and mobile banking, every bank must ensure the implementation, at a minimum, of the following security measures:

a. Bank Authentication. For the client to recognize the bank, it will be necessary to have at least the following measures:

a.1. A digital method that allows the client to identify that it is the bank to which they correspond, such as digital certificates, images preselected by the client, or equivalents, before they enter their password.

a.2. Immediately after login, the client's full name and their last login date to the service must be displayed for verification by the client themselves.

b. Client Authentication. For access to this service, it will be necessary to have the following authentication measures:

b.1. Category 1 authentication factor, which must meet the following parameters: it must be initially set by the bank and subsequently modifiable by the client themselves, and contain a minimum of eight (8) alphanumeric characters.

b.2. Category 2 authentication factor, which must meet the following parameters: implementation of a "dynamic validation" layer or similar technology and processes that offer at least the same level of security. This factor will be applicable when the client is conducting transactions with a third party, whether within the same banking entity or in another banking entity. In the case of dynamic validation, the bank must have an automated PIN generation system with a minimum of six (6) digits in their generation. The Category 2 authentication factor may be performed by both hardware devices and portable software solutions on mobile devices. This factor is mandatory for the execution of banking transactions and optional for queries made by a client through these channels.

PARAGRAPH 1. For the purposes of what is established in item b.2., subsection b., item 2 of Article 15 of this Agreement, banking entities must ensure that for the process of activating the security component (soft token), a secure client authentication process is carried out, for which the bank must ensure the use of the most secure authentication mechanisms, such as, for example, the hard token (category 2 factor), or category 3 factor and its derivatives with the highest level of certainty, or liveness tests or others that may arise. Likewise, for active clients of internet banking and mobile banking, the bank must ensure that any change linked to client information, such as changes to phone number, email address, address, or other sensitive data, includes in its process the Category 2 or Category 3 authentication factor. Banking entities will have a deadline until June 30, 2022, for compliance with the provisions established in this paragraph.

PARAGRAPH 2. The bank that, from the entry into force of this Agreement, requests authorization for the implementation of new electronic channels or for the addition of new services to a previously authorized channel in compliance with what is provided in Article 3 of this Agreement, must comply with the requirements established in paragraph 1 of this item, as part of good management of the risks of electronic channels. Notwithstanding the foregoing, until June 30, 2022, the Superintendence may approve the use of a channel or the addition of new services to a previously authorized channel; however, in these cases, the bank must assume the risks and costs for transactions not recognized by its clients as a consequence of the activation of the double authentication factor without the security measures provided for in paragraph 1 of this item. …”
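As an added illustration, which is not part of the Agreement and not the Superintendence's or any bank's code, the following Python shows one way the two minimum client-authentication requirements in item 2 above could be implemented and checked on the bank's side: the category 1 factor floor of eight alphanumeric characters (b.1), and a category 2 "dynamic validation" layer that issues and verifies six-digit PINs (b.2). The Agreement names no algorithm; the example assumes the HMAC-based one-time password construction of RFC 4226 and RFC 6238, reads "alphanumeric" as letters and digits, and adds a one-step clock-drift window and a replay guard that are design choices of this example rather than requirements of the text. The key and timestamps are constructed test values taken from the RFC 4226 appendix.

```python
import hashlib
import hmac
import struct

# Category 1 factor (item b.1): minimum of eight (8) alphanumeric characters.
# "Alphanumeric" is read here as letters and digits; stricter composition rules
# would be the bank's own choice and are not imposed by the Agreement.
CATEGORY1_MIN_LENGTH = 8


def check_category1_factor(secret: str) -> bool:
    """True if the static factor meets the eight-alphanumeric-character floor."""
    return len(secret) >= CATEGORY1_MIN_LENGTH and secret.isalnum()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated
    to `digits` decimal digits. Six digits is the Agreement's minimum for PINs."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals elapsed."""
    return hotp(key, int(timestamp) // step, digits)


class DynamicValidator:
    """Server side of a category 2 'dynamic validation' layer for one client device.

    Verifies a submitted six-digit PIN against the current time step plus a small
    drift window, and refuses any PIN whose time step has already been accepted,
    so a captured PIN cannot be replayed to authorize a second transaction.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.key = key            # shared secret provisioned to the soft/hard token
        self.step = step          # seconds per PIN (30 s is the common RFC 6238 value)
        self.digits = digits      # PIN length; the Agreement requires at least 6
        self.drift = drift        # accepted clock skew, in whole steps (example choice)
        self.last_counter = -1    # highest time step already consumed by a valid PIN

    def verify(self, submitted: str, timestamp: float) -> bool:
        # Reject malformed input before doing any cryptographic work.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = int(timestamp) // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # time step already used: treat a repeat as a replay
            expected = hotp(self.key, counter, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226 Appendix D test secret and timestamps.
    demo_key = b"12345678901234567890"
    print("category 1 ok:", check_category1_factor("Abc12345"))
    print("PIN at t=59:", totp(demo_key, 59))
    validator = DynamicValidator(demo_key)
    print("first use accepted:", validator.verify(totp(demo_key, 59), 59))
    print("replay refused:", validator.verify(totp(demo_key, 59), 59))
```

The `DynamicValidator` holds state per enrolled device; in a real deployment that state (the key and the last accepted counter) would live in the bank's credential store rather than in memory, and the same replay check would apply to PINs used to confirm changes to the client's phone number, email address, or other sensitive data, as Paragraph 1 requires.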

ARTICLE 2. EFFECTIVENESS. This Agreement shall enter into force from its promulgation.

Given in the city of Panama, on the twenty-second (22) day of the month of March of two thousand twenty-two (2022).

NOTIFY, PUBLISH, AND COMPLY.

THE PRESIDENT,
Rafael Guardia Pérez

THE SECRETARY,
Felipe Echandi