Agreement No. 1 (2026) - Prevention of the Misuse of Banking and Trust Services

Republic of Panama Superintendency of Banks of Panama AGREEMENT No. 1-2026 (January 16, 2026) “Prevention of the Misuse of Banking and Trust Services”

THE BOARD OF DIRECTORS in exercise of its legal powers, and

CONSIDERING:

That as a result of the issuance of Law Decree No. 2 of February 22, 2008, the Executive Branch elaborated a systematic ordering in the form of a Single Text of Law Decree No. 9 of February 26, 1998, and all its modifications, which was approved through Executive Decree No. 52 of April 30, 2008, hereinafter the Banking Law;

That Article 36 of Law No. 1 of January 5, 1984 establishes that the Superintendency of Banks will supervise and ensure the proper functioning of the trust business;

That in accordance with numeral 1 of Article 5 of the Banking Law, it is an objective of the Superintendency of Banks to ensure the solidity and efficiency of the banking system;

That in accordance with numeral 2 of Article 5 of the Banking Law, it is an objective of the Superintendency of Banks to strengthen and foster favorable conditions for the development of the Republic of Panama as an International Financial Center;

That Article 112 of the Banking Law establishes that banks and other supervised entities shall have the obligation to establish policies, procedures, and internal control structures to prevent their services from being used improperly for the crime of money laundering, terrorist financing, and other related or similar nature crimes;

That the Banking Law establishes in its Article 113 that banks and other supervised entities by the Superintendency will supply the information required by laws, decrees, and other regulations for the prevention of money laundering, terrorist financing, and other related or similar nature or origin crimes, currently in force in the Republic of Panama. It also indicates that they will be obligated to supply such information to the Superintendency when it so requires;

That in accordance with what is established in Article 114 of the Banking Law, banks and other supervised entities by the Superintendency will adopt policies, practices, and procedures that allow them to know and identify their clients and employees with the greatest certainty possible, with the Superintendency retaining the faculty to develop pertinent norms that adjust to the policies and norms currently in force in the country;

That through Law No. 23 of April 27, 2015, measures are adopted to prevent money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction;

That Article 19 of Law No. 23 of 2015 establishes as a supervisory body, among others, the Superintendency of Banks;

That Article 20 numeral 7 of Law No. 23 of 2015 establishes among the attributions of the supervisory bodies, to issue guidelines and feedback norms to obligated financial subjects, non-financial obligated subjects, and activities carried out by professionals subject to supervision for their application, as well as procedures for the identification of beneficial owners of legal persons and other legal structures;

That in accordance with Article 22 of Law No. 23 of 2015, it corresponds to the Superintendency of Banks to supervise in matters of prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction; banks; trust companies and any other activity they carry out; financial companies, financial leasing companies; factoring companies; issuers or processors of debit, credit, and pre-paid cards, whether natural or legal persons; and entities issuing payment means and electronic money; money remittance companies; exchange houses; the Agricultural Development Bank; the National Mortgage Bank; and savings and loan associations for housing;

That through Agreement No. 10-2015, provisions are established for the prevention of the misuse of banking and trust services, developing the measures that banks and trust companies must take to prevent their operations from being carried out with funds or on funds originating from activities related to the crimes of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction;

That Law No. 23 of 2015 has been subject to modifications through Law No. 21 of 2017, Law No. 70 of 2019, Law No. 124 of 2020, and Law No. 254 of 2021, introducing important provisions to the money laundering prevention regime;

That through Executive Decree No. 35 of September 6, 2022, Law 23 of 2015 is regulated, substituting Executive Decree No. 363 of August 13, 2015, with the purpose of adapting the general guidelines of the regulatory framework in matters of prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction;

That in working sessions of this Board of Directors, the need and convenience of updating the measures for the prevention of the misuse of banking and trust services has been manifested in order to contemplate the new guidelines established in Executive Decree No. 35 of 2022 which regulates Law 23 of 2015, which adopts measures to prevent money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction, and with the purpose of making some adjustments that may clarify certain aspects of the norm.

AGREES:

CHAPTER I PREVENTION OF MONEY LAUNDERING, TERRORIST FINANCING, AND FINANCING OF THE PROLIFERATION OF WEAPONS OF MASS DESTRUCTION

ARTICLE 1. SCOPE OF APPLICATION. The provisions of this Agreement will apply to the following obligated subjects:

1. General license banks and international license banks.
2. Trust companies.
3. Banking Groups as established in Article 42 of this Agreement.

ARTICLE 2. PREVENTION OF MONEY LAUNDERING, TERRORIST FINANCING, AND FINANCING OF THE PROLIFERATION OF WEAPONS OF MASS DESTRUCTION. Banks and trust companies must take the necessary measures to prevent their operations and/or transactions from being carried out with funds or on funds originating from activities related to the crimes of money laundering, terrorist financing, or financing of the proliferation of weapons of mass destruction, hereinafter “Prevention of Money Laundering.” For this purpose, they have the obligation to comply with the terms in this Agreement and with the legal provisions related to this matter applying a risk-based approach.

Obligated subjects, according to their size, nature, complexity, and risk profile, must consider in the design of their risk-based approach the documents and recommendations issued by national or international bodies in matters of money laundering prevention.

The implementation of a risk-based approach implies establishing processes to identify, evaluate, monitor, manage, and mitigate money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction risks. When high risks exist, expanded or reinforced measures must be applied to manage and mitigate such risks; and when risks are low, they may opt to apply simplified measures.

ARTICLE 3. MANUAL FOR THE PREVENTION OF MONEY LAUNDERING. Banks and trust companies must have a Manual for the Prevention of Money Laundering, understood as the set of policies, procedures, formats, or any other document that is part of the money laundering prevention processes, with a risk-based approach, where the identification, evaluation, understanding, and mitigation of risks are established, duly approved by the board of directors, which will contain the policies, mechanisms, and procedures established by the bank or trust company to prevent their operations from being carried out with funds originating from these activities. This Manual must include policies for client and/or ultimate beneficiary identification and knowledge.

The policies adopted through this Manual must allow the effective and timely functioning of the bank or trust company's money laundering prevention system and translate into rules of conduct and procedures that guide the actions of the entity and its shareholders, which will be mandatory to comply with.

The Manual must be disseminated among all personnel of the banking entity or trust company, and its update must be carried out continuously.

Updates made to the Manual must be brought to the knowledge of the Money Laundering Prevention Committee, who will carry out a preliminary approval, which will be ratified and approved by the Board of Directors, at least once (1) a year.

The Manual must be sent annually to the Superintendency of Banks with the respective updates. In case there are no updates, the bank or trust company will send a certification signed by the President or Secretary of the Board of Directors or by the President of the Money Laundering Prevention Committee, indicating that the Manual for the Prevention of Money Laundering has not had updates in the last twelve (12) months. The approval of this certification must be recorded in the minutes of the Committee.

ARTICLE 4. CONSTITUTION OF THE MONEY LAUNDERING PREVENTION COMMITTEE IN BANKING ENTITIES. Banking entities must constitute a Money Laundering Prevention Committee, which will report directly to the bank's board of directors and must be integrated at minimum by two (2) members of the board of directors, the general manager, the highest-ranking responsible person of the risk, compliance, business, operations, and technology areas, who will have the right to speak and vote, and the highest-ranking responsible person of internal audit who will participate only with the right to speak.

This Committee will have among its functions, the approval of the planning and coordination of money laundering prevention activities and, in addition, must be aware of the work developed and operations analyzed by the compliance officer, who must be an executive-level official and member of senior management with sufficient independence and hierarchy, dependent on the prevention committee and administratively on the president, general manager, or their equivalent. The compliance officer may not participate in account opening processes, authorizations, or commercial approvals, nor carry out audit functions.

The Committee will elaborate its internal working regulations, duly approved by the board of directors, which will contain the policies and procedures for the fulfillment of its functions, as well as the periodicity in which they will carry out their meetings, which must be at least every two (2) months. The decisions adopted in the Committee meetings must be recorded in minutes, which, together with their presentations or support material, must be available to the Superintendency of Banks.

PARAGRAPH. In the case of branches of foreign banks in which this Superintendency exercises destination supervision and which, by virtue of their organizational structure, do not have presence in the country of members of their board of directors, and as a consequence thereof cannot comply with what is established in this article, this Committee will be formed, at minimum, by the general manager, the highest-ranking responsible person of the risk, compliance, business, operations, and technology areas, who will have the right to speak and vote, and the highest-ranking responsible person of internal audit who will participate only with the right to speak.

ARTICLE 5. CONCEPT OF CLIENT. For the purposes of this Agreement, a client will be understood as any natural or legal person who establishes, maintains, or has maintained, habitually or occasionally, a contractual or business relationship with a bank, or who receives trust services from a trust company.

ARTICLE 6. BENEFICIAL OWNER. For the purposes of this Agreement, beneficial owner will be understood as the natural person(s) who directly or indirectly own(s), control(s), or exercise(s) significant influence over the account relationship, contractual or business relationship, or the natural person in whose name or benefit a transaction is carried out, which also includes natural persons who exercise final effective control over a legal person, trusts, and other legal structures.

ARTICLE 7. INTERBANK OPERATIONS. Any operation or transaction that arises as a result of an interbank relationship provided by the bank to foreign banks will be subject to due diligence measures, which must be in accordance with the level of risk it represents.

Banks are prohibited from establishing or maintaining any type of interbank or correspondent relationship with banks that, whether they themselves or their head office, lack physical presence in their jurisdiction of origin or are not affiliated with a financial group subject to consolidated supervision.

Banks must ensure they maintain special attention with banking entities located in jurisdictions that have weak norms for money laundering prevention, according to lists issued by international bodies such as the Financial Action Task Force (FATF), among others.

ARTICLE 8. DUE DILIGENCE MEASURES FOR INTERBANK OPERATIONS. For the purposes of Article 7 of this Agreement, the due diligence process must include, among others, the following:

1. Ensure the existence and physical presence of the bank or its head office, and gather sufficient information on: a. The banking institution receiving the contracted service. b. Management. c. Their main commercial activities. d. The nature of the business of said entity. e. Determine, together with publicly available information, the reputation of the institution.
2. Confirm that the banking institution receiving the service has measures and controls for the prevention and detection of money laundering, in accordance with international standards.
3. Pay special attention when maintaining relationships with banks located in jurisdictions that have less demanding Know Your Customer norms than those established by this Superintendency.
4. Clearly establish and document, if necessary, the respective responsibilities of each bank on the due diligence processes regarding underlying clients in correspondent business.
5. Obtain senior management approval before establishing new correspondent relationships.

ARTICLE 9. CLIENT DUE DILIGENCE. Obligated subjects must maintain in their operations risk-based due diligence with their individual clients and with the resources of these that are the object of the contractual relationship, whether habitual or occasional, regardless of the amount of the operation, as well as keep it updated during its course.

Additionally, taking into consideration the category and risk profile of the client, they must pay special attention when carrying out transactions exceeding ten thousand balboas (B/.10,000.00), when unusual operations are detected, when there is suspicion of money laundering, as well as when the entity has doubts about the veracity or suitability of the information obtained regarding the identification of the client and/or ultimate beneficiary.

Obligated subjects must identify and verify the client and/or beneficial owner, requesting and consulting documents, data, or information from reliable open sources, internal to the same banking group, reliable and independent, such as systems or tools that consolidate local and international information on natural and legal persons.

Additionally, searches related to money laundering prevention lists must be contemplated. (For example, OFAC list, United Nations list, among others).

The mechanisms for client and ultimate beneficiary identification, as well as verification and documentation, will depend on the risk profile of the obligated subjects, considering the types of clients, countries or geographical areas, products and services, transactions, and distribution or marketing channels. In this sense, the following types of due diligence may be carried out:

1. Simplified due diligence: set of norms, policies, processes, and basic or elementary actions, which based on the results of identification, evaluation, and risk diagnosis, the entity will apply to prevent money laundering crimes. Among the simplified due diligence measures, banks and trust companies may reduce the documentary review process, reduce the frequency of client identification updates, reduce the monitoring of the business relationship, or abstain from gathering information on the client's professional or business activity.
2. Due diligence: set of norms, policies, processes, and actions that allow a reasonable knowledge of the qualitative and quantitative aspects of the client and the beneficial owner, with special attention to the client's financial and transactional profile, the source of the resources or their assets, and continuous monitoring of their transactions or operations. It refers to what is provided in Articles 12 and 13 of Decree No. 35 of 2022.
3. Enhanced or reinforced due diligence: set of norms, policies, processes, and actions more demanding and reasonably designed so that client knowledge is intensified based on the results of the identification, evaluation, and risk diagnosis that the entity applies. This process must allow greater knowledge of the qualitative and quantitative aspects of the client and the beneficial owner, with special attention to the financial and transactional profile and the origin of their assets, as well as more demanding continuous monitoring in their transactions or operations so that client knowledge is intensified based on the results of identification, evaluation, and risk diagnosis that the entity applies.

The possible existing variables can increase or decrease the potential risk they represent, thus impacting the level of due diligence measures. In case there is greater risk, stricter measures must be taken, and in case the risk is lower, simplified due diligence measures must be adopted, using available internal or external sources, provided there is an adequate analysis in accordance with the level of risk it represents.

In accordance with the Banking Law, banking entities are authorized to collaborate with any investigation carried out by competent authorities.

PARAGRAPH 1. The Superintendency of Banks may, in attention to the risk profile of each obligated subject, establish different amounts on which special attention must be paid when carrying out due diligence.

PARAGRAPH 2. Banks and trust companies must keep their database updated and available to the Superintendency of Banks supervisors.

PARAGRAPH 3. Banks and trust companies must have defined in their policies and procedures the criteria for classification and segmentation of their clients, properly applying the risk-based approach in the due diligence process and allowing a clear differentiation between each risk level. The obligated subject must ensure that there is a gradualness as well as a proportionality between the various risk levels and their due diligence.

ARTICLE 10. MINIMUM DUE DILIGENCE REQUIREMENTS. Each obligated subject must adopt a risk-based approach for the correct application of due diligence, which in all cases must contain the following elements at minimum, whether natural or legal person:

1. Elaborate a client profile, either physical or digital (through a form or other means).
2. Maintain documentation and monitoring of the financial transactions of their clients.
3. Give particular follow-up to those clients who carry out operations for amounts of ten thousand balboas (B/. 10,000.00) or more, taking into consideration the category and risk profile of the client.
4. Establish a procedure that contains the levels of approval and the amounts of habitualization of the client who carries out cash transactions for amounts of ten thousand balboas (B/.10,000.00) or more.
5. Review at least every six (6) months the operations of their clients, carried out habitually and in cash for amounts of ten thousand balboas (B/. 10,000.00) or more, with the purpose of determining if the habitualization criteria established by the entity are maintained.
6. Pay special attention and take pertinent measures for high-risk clients, including those clients identified as Politically Exposed Persons (PEPs).

Banks and trust companies must consider the following aspects in the due diligence process:

1. Client due diligence must be carried out by the client and not by product.
2. In cases where the client is acting as an intermediary for another person who is the ultimate beneficiary or usufructuary of the operation, banks and trust companies must carry out due diligence on said beneficial owner.
3. Banks and trust companies must understand and, as appropriate, obtain information on the purpose and character intended for the commercial or professional relationship.
4. Banks and trust companies must leave documented evidence in the respective file of all diligences carried out to be able to properly identify their client and/or beneficial owner.
5. Any service that arises as a result of a relationship between a bank or trust company with a foreign client will be subject to due diligence measures, which must be in accordance with the level of risk it represents, with international parameters and standards, and with the internal control policies and procedures established by the entity.
6. Trust companies must identify the beneficiary or beneficiaries of the trust, that is, the...