SBS Resolution No. 01586-2026: Approves the Regulation for the Implementation and Operation of the Financial Ownership Identification Mechanism and Incorporates Offenses into Annex 2 of the Regulations on Offenses and Sanctions

Los Laureles Nº 214 - Lima 27 - Peru Tel.: (511)6309000 Lima, June 09, 2026

SBS RESOLUTION No. 01586-2026 The Superintendent of Banks, Insurance and Private Pension Fund Administrators

CONSIDERING: That, within the framework of the delegation of legislative powers established in Law No. 32527, which delegates to the Executive Branch the power to legislate on matters of public safety and fighting organized crime, responsible economic growth, and institutional strengthening, the Executive Branch approved Legislative Decree No. 1732 implementing the Financial Ownership Identification Mechanism, providing that the Superintendent of Banks, Insurance and Private Pension Fund Administrators shall direct its implementation, operation, and supervision to ensure the timely provision of information by the companies specified in subsection a) of Article 16 of the General Law of the Financial and Insurance Systems and Organic Law of the Superintendent of Banks and Insurance (SBS), Law No. 26702 and its amendments, which capture public funds, as well as by the National Bank of Peru and unauthorized Savings and Credit Cooperatives (COOPAC); That, the purpose of the Financial Ownership Identification Mechanism is to confirm whether a natural or legal person holds accounts in financial system companies, the National Bank of Peru, and COOPACs, reducing the operational burden of individualized information requests and strengthening investigations related to money laundering offenses, their precursor crimes, and the crime of terrorism financing; That, it is necessary for the Superintendent to issue regulatory provisions for the implementation and proper operation of the Financial Ownership Identification Mechanism, in accordance with the Second Complementary Final Provision of Legislative Decree No. 1732, which granted the SBS a period of one hundred twenty (120) calendar days following its publication for said regulation; Having obtained the approval of the Adjunct Superintendencies of Regulation and Legal Affairs, Banking and Microfinance, the Financial Intelligence Unit, Risk Management, and Open Finance Department; In exercise of the powers conferred by the General Law and its amending regulations, in accordance with the Second Complementary Final Provision of Legislative Decree No. 1732 and, according to the exception in the Thirty-Second Final and Complementary Provision of said Law No. 26702;

RESOLVES:

Article First. - Approve the Regulation for the Implementation and Operation of the Financial Ownership Identification Mechanism, according to the following text: REGULATION FOR THE IMPLEMENTATION AND OPERATION OF THE FINANCIAL OWNERSHIP IDENTIFICATION MECHANISM Article 1.- Scope of Application This Regulation applies nationwide to the companies specified in subsection a) of Article 16 of the General Law of the Financial and Insurance Systems and Organic Law of the Superintendent of Banks and Insurance, Law No. 26702 and its amending regulations, which capture public funds, as well as to the National Bank of Peru and unauthorized Savings and Credit Cooperatives (COOPAC). Article 2.- Definitions a) Application Programming Interface (API): collection of invocation methods and associated parameters that software can use to request actions from other software, defining the terms in which they exchange data. Also known as API. b) COOPAC: Unauthorized Savings and Credit Cooperatives that do not capture public funds. c) Authorized entities: The Public Ministry through prosecutors designated by resolution of the head, and the National Police of Peru through Specialized Units of the National Directorate for Criminal Investigation. d) Companies: Legal persons specified in subsection a) of Article 16 of Law No. 26702 that capture public funds, the National Bank of Peru, and COOPACs under the supervision of the Superintendent. e) Superintendent: Superintendent of Banks, Insurance and Private Pension Fund Administrators. f) Traceability: capacity to fully register and audit each consultation and response event. g) Accredited responsible users: representatives duly designated by authorized entities and legitimated entities. h) Accounts: refers to passive accounts of customers of the companies and members in the case of COOPACs, such as savings accounts, time deposit accounts, CTS deposits, current accounts. i) Legitimated entities: The Prosecutor General; the Prosecutor General or a foreign government with which an agreement has been concluded to combat, repress, and sanction illicit drug trafficking, terrorism, or money laundering; judges and courts of the Judicial Branch; the President of an Investigative Commission of the Legislative Branch, with the agreement of the respective commission and regarding facts affecting public interest; the Comptroller General of the Republic concerning officials and civil servants who administer or manage state funds or funds supported by it, across all three levels of government, within the framework of a control action; the Superintendent in the exercise of its functions and for financial intelligence purposes; and those carried out pursuant to Article 6 of the Law Strengthening Supervision of the Securities Market, Law No. 29782.

Article 3.- Financial Ownership Identification Mechanism 3.1. The Financial Ownership Identification Mechanism is an instrument that enables authorized entities and legitimated entities, through accredited responsible users, to confirm whether a natural or legal person holds accounts in the companies; that is, whether they are or are not a customer in any of the companies or a member in a COOPAC. Each consultation and response by the companies are subject to traceability as defined in Article 7. 3.2. Through this instrument, information on movements, balances, operations, or other data subject to constitutional confidentiality may not be provided. Article 4.- Forms of Consultation through the Financial Ownership Identification Mechanism 4.1. Accredited responsible users may perform consultations using any of the following identification parameters: For natural persons: a) National Identity Document number, for Peruvians. b) Passport number, foreigner ID card, or legally established identification document, for foreigners. c) Account number in the company. d) Interbank account code (CLABE/CCI) number. For legal persons: a) Tax Identification Number (RUC) or its equivalent for foreign legal persons, if applicable. b) Account number in the company. c) Interbank account code (CLABE/CCI) number. 4.2. In cases where the consultation through the Financial Ownership Identification Mechanism is performed using the account number or interbank code of a natural or legal person, companies confirm whether the associated natural or legal person is a customer or non-customer or member of a COOPAC. 4.3. Consultations regarding foreign accounts of branches or subsidiaries of financial system companies are excluded from the Financial Ownership Identification Mechanism. Article 5.- Requirement for the Admissibility of Consultations through the Financial Ownership Identification Mechanism 5.1. The accredited responsible user of an authorized entity must attach the complaint, respective prosecutorial order, or other document evidencing the existence of an ongoing investigation for money laundering, precursor crimes, and terrorism financing or the relevance of the information request regarding legitimated entities, in which case each establishes the formality of said document. If such justification is not included, the request cannot be made. 5.2. In case of discrepancy, mismatch, or lack of correspondence between the identification parameter data entered for the consultation and the attached supporting documentation, the company will not process the consultation to safeguard the duty of confidentiality and third-party rights. 5.3. Responsibility for the authenticity, validity, and legal relevance of the supporting document attached to consultations through the Financial Ownership Identification Mechanism lies with the authorized or legitimated entities, as applicable. Article 6.- Designation of Accredited Responsible Users and Granting of Credentials to Perform Consultations 6.1. Accredited responsible users are those who, representing authorized and legitimated entities, are empowered to perform consultations through the Financial Ownership Identification Mechanism and receive information confirming whether a natural or legal person holds an account in the companies. 6.2. To this end, authorized and legitimated entities must designate one principal accredited responsible user and one alternate. The designation and communication shall be made by the highest authority of authorized and legitimated entities. In the case of the National Police of Peru, the head of the National Directorate for Criminal Investigation must designate a principal and alternate accredited responsible user for each specialized unit. In the case of the Public Ministry, the Prosecutor General must designate a principal and alternate accredited responsible user at the entity level; without prejudice to this, they may designate them in each specialized prosecutor's office. 6.3. Authorized and legitimated entities inform companies in writing of the name, position, telephone number, institutional email, and other contact data of the accredited responsible users -principal and alternate- who are duly authorized and solely responsible for performing consultations on their behalf through the Financial Ownership Identification Mechanism. Any change in the designation of the accredited responsible user and/or contact data must be communicated to companies immediately so that access is restricted promptly, and if it involves the designation of new accredited responsible users -principal or alternate-, authorized and legitimated entities must communicate this to companies within three (3) business days of the designation occurring so that they may be considered accredited to formulate consultations through the Financial Ownership Identification Mechanism. 6.4. Companies have one (1) business day, counted from receipt of the communication from authorized and legitimated entities, to grant access credentials to accredited responsible users. Companies must communicate this in writing to accredited responsible users, additionally indicating the structured electronic mechanism through which they can perform respective consultations and obtain requested information. 6.5. Companies may use a structured electronic mechanism at the industry level, to whom communication regarding the designation of accredited responsible users for granting respective accesses is directed. Article 7.- Mechanisms for Direct Information Provision by Companies to Authorized and Legitimated Entities 7.1. Companies directly provide information to the accredited responsible user of authorized and legitimated entities, through structured electronic information exchange mechanisms such as APIs, electronic platforms, electronic forms, or any other alternative mechanism that guarantees traceability, security, and confidentiality of information through measures compliant with current regulations on information security and cybersecurity. 7.2. If applicable, the Superintendent may determine certain minimum aspects or specific structure of the structured electronic information exchange mechanism that companies must implement, considering the volume of processed consultations, operational criticality, and the need to ensure efficient information provision by companies. 7.3. These structured electronic information exchange mechanisms must facilitate standardization in information provision by companies, solely confirming or denying account ownership; that is, whether they are a customer of a company or member of a COOPAC. 7.4. Information provision must be performed immediately, meaning within a timeframe allowing companies to validate the information and request justification, which in no case shall exceed three (3) business days from when the consultation is entered through the Financial Ownership Identification Mechanism, with a record of it being kept. Article 8.- Designation of Company Officials 8.1. Companies must designate a principal and an alternate official responsible for the operation, security, record safeguarding, and attention of supervision requests to the Financial Ownership Identification Mechanism by the Superintendent. Such official may be the same responsible for attending requests to lift bank secrecy established in the Standard regulating the procedure for attending bank secrecy lifting requests approved by SBS Resolution No. 1132-2015 and its amendments, or the resolution replacing it. 8.2. Companies implementing APIs as a structured electronic mechanism for information provision must comply with measures established in current regulations on information security and cybersecurity. 8.3. Companies communicate in writing to the Superintendent and the highest authority of authorized and legitimated entities the name, position, telephone number, institutional email, and other contact data of the officials -principal and alternate- responsible for attending consultations. Furthermore, any change in designation and/or data must be communicated to the Superintendent and the highest authority of authorized and legitimated entities immediately, and if it involves the designation of new officials -principal or alternate-, companies must communicate this to the Superintendent and the highest authority within three (3) business days of the designation occurring. Article 9.- Supervision by the Superintendent and Sanctions The Superintendent supervises the timely provision of information by companies to accredited responsible users of authorized and legitimated entities, whose non-compliance is sanctioned in accordance with the Regulations on Offenses and Sanctions approved by SBS Resolution No. 2755-2018 and its amendments. Article 10.- Duty to Protect Confidentiality of Information Consulted through the Financial Ownership Identification Mechanism Accredited responsible users, authorized entities, and legitimated entities must guarantee the confidentiality of information provided by companies, as well as its exclusive use for the purposes established in Legislative Decree No. 1732. Furthermore, companies are obligated to preserve the duty of confidentiality referenced in Article 12 of the Law creating Peru's Financial Intelligence Unit, Law No. 27693 and its amendments.

COMPLEMENTARY AND FINAL PROVISIONS First.- Companies, except COOPACs, must adapt to the provisions of this regulation within one hundred twenty (120) calendar days counted from its entry into force. Second.- Regarding COOPACs, the Superintendent establishes progressive deadlines for their integration into direct information provision through consultations via the Financial Ownership Identification Mechanism, considering structured electronic information exchange mechanisms that allow proper compliance with the obligation. Third.- Data processing executed through the Financial Ownership Identification Mechanism is subject to exceptions regarding the obligation to obtain the holder's consent, in accordance with Article 14 of Law No. 29733 - Personal Data Protection Law. Article Second.- Incorporate offense 89 in subsection II) of serious offenses and offense 22 in subsection III) of very serious offenses into Annex 2 of the Regulations on Offenses and Sanctions approved by SBS Resolution No. 2755-2018 and its amending regulations, according to the following text: Annex 2 SPECIFIC OFFENSES OF THE FINANCIAL SYSTEM AND COMPANIES OF COMPLEMENTARY AND CONNECTED SERVICES

(Multiple operation companies, specialized companies, investment banks and others of similar nature under supervision, as well as representatives of financial companies not established in the country and supervision collaborators of this group; to complementary and connected service companies and to shareholders, directors, managers, employees). (…) II. SERIOUS OFFENSES (…) 89) Failing to attend information requests for the purpose of the Superintendent's supervision over the Financial Ownership Identification Mechanism or failing to attend them within the timeframe established by this entity. III. VERY SERIOUS OFFENSES (…) 22) Failing to provide accredited responsible users of authorized and legitimated entities with information consulted through the Financial Ownership Identification Mechanism and/or failing to provide the information within the timeframe established in current regulations. Article Third.- This resolution enters into force the day following its publication in the Official Gazette El Peruano. Registered, communicated, and published. SERGIO JAVIER ESPINOSA CHIROQUE SUPERINTENDENT OF BANKS, INSURANCE AND AFP