Technical Standards for the Generation of Information on Monetary Deposits and Their Holders

Alameda Juan Pablo II, between 15 and 17 Norte Ave, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 1 of 41 CNBCR-11/2023 NRSF-03 TECHNICAL STANDARDS FOR THE GENERATION OF INFORMATION ON MONETARY DEPOSITS AND THEIR HOLDERS Approval: 12/14/2023 Validity: 05/01/2024

THE COMMITTEE OF NORMS OF THE CENTRAL RESERVE BANK OF EL SALVADOR,

CONSIDERING:

I. That Article 61 of the Banks Law establishes that it is the competence of the Financial System Superintendence to monitor preventively the risks of the members of the financial system and the way in which they manage them, ensuring the prudent maintenance of their solvency and liquidity.

II. That Article 89 of the Banks Law establishes that the requirement of a regularization plan for a banking entity must be immediately reported by the Superintendence to the Central Bank and the Deposit Guarantee Institute. From that moment on, the Deposit Guarantee Institute will have unrestricted access to all bank information that is in the regularization process, either through its own means or through the Superintendence, regardless of the material support thereof.

III. That Article 166 of the Banks Law establishes that all information and verifications required by the Deposit Guarantee Institute regarding member banks will be obtained and carried out through the Superintendence and the Central Bank.

IV. That Article 106 of the Law of Cooperative Banks and Savings and Credit Societies establishes that cooperative banks will be members of the Deposit Guarantee Institute with the same obligations and rights that the Law grants to banks; therefore, the provisions of the Banks Law contained in titles four and six will be applicable to them insofar as they are pertinent to their cooperative nature.

V. That Article 3, literal c) of the Law of Supervision and Regulation of the Financial System establishes that it is the competence of the Financial System Superintendence to monitor preventively the risks of the members of the financial system and the way in which they manage them, ensuring the prudent maintenance of their solvency and liquidity.

VI. That Article 32 of the Law of Supervision and Regulation of the Financial System establishes that the Superintendence, through the Superintendent, the Assistant Superintendents, or the persons to whom they delegate, may require supervised entities direct access to all data, reports, or documents regarding their operations by the means and form that it defines. When deemed convenient, the Superintendence may require direct real-time access to the information systems of the supervised entities. Likewise, without prior notice, it may carry out audits, inspections, reviews, and any other diligence necessary for compliance with the law. In those cases where the Superintendence finds that the supervised entity has published information that does not reflect its real financial situation, it must require the publication of corrected information, without prejudice to other legal actions that must be initiated.

VII. That Article 33 of the Law of Supervision and Regulation of the Financial System establishes that the information collected by the Superintendence will be confidential and may only be disclosed to the Central Bank, the Appeals Committee of the Financial System regulated by this Law, the Deposit Guarantee Institute, the Court of Accounts of the Republic in the audit of public funds, the Attorney General's Office, the judicial authorities when appropriate, the Supreme Court of Justice, and other institutions, when expressly authorized by law.

THEREFORE,

by virtue of the regulatory powers conferred by Article 99 of the Law of Supervision and Regulation of the Financial System,

AGREES to issue the following:

TECHNICAL STANDARDS FOR THE GENERATION OF INFORMATION ON MONETARY DEPOSITS AND THEIR HOLDERS

CHAPTER I OBJECT, SUBJECTS, AND TERMS

Object Art. 1.- These Standards aim to establish the basic information on monetary deposits and their holders, with which obligated subjects must have uniformly, establishing for this effect a set of files that must be available to the Financial System Superintendence and the Deposit Guarantee Institute. Compliance with these Standards will supersede Annex No. 1 of the Technical Standards to Report Guaranteed Deposits (NRSF-01), and the submission of physical files or documents containing depositor information to the Superintendence must be omitted.

Subjects Art. 2.- The subjects obligated to comply with the provisions established in these Standards are the following:

Alameda Juan Pablo II, between 15 and 17 Norte Ave, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 2 of 41 CNBCR-11/2023 NRSF-03 TECHNICAL STANDARDS FOR THE GENERATION OF INFORMATION ON MONETARY DEPOSITS AND THEIR HOLDERS Approval: 12/14/2023 Validity: 05/01/2024

a) Banks constituted in El Salvador; b) Banco Hipotecario de El Salvador, S.A.; c) Banco de Fomento Agropecuario, insofar as it does not contradict its creation Law; d) Branches of foreign banks established in the country; e) Savings and credit societies; and f) Cooperative banks.

Terms Art. 3.- For the purposes of these Standards, the terms indicated below have the following meaning: a) Central Bank: Central Reserve Bank of El Salvador; b) Guaranteed Deposits: The sum of deposits up to the value of the guarantee limit per person stipulated according to Article 167 of the Banks Law; c) Non-Guaranteed Deposits: Those deposits that do not have the guarantee of the Deposit Guarantee Institute because they exceed the guarantee value limit, as well as those listed in Article 168 of the Banks Law; d) DUI: Unique Identity Document; e) Institute: Deposit Guarantee Institute; f) NIT: Tax Identification Number; g) Unique Client Identification Number (NIU): A numerical or alphanumeric formula or arrangement attributed exclusively to a bank client, so that there is no way to confuse them with another or assign more than one NIU to the same client. The NIU cannot be reassigned even if the person or asset associated ceases to have a business relationship with the bank, so that over time it maintains its number and each time they enter into a new operation they are identified. The NIU, associated with a client, allows linking them in all operations they carry out with the bank, permanently or occasionally, regardless of the capacity in which they act in said operations, primary or secondary, such as sole owner, co-owner, or alternative owner; debtor or co-debtor; h) Superintendence: Financial System Superintendence; and i) Holder or Depositor: Holder of one or several types of deposits.

CHAPTER II CHARACTERISTICS OF THE INFORMATION THAT MUST BE AVAILABLE

Files Art. 4.- The files that entities must maintain in their offices for the availability of the Superintendence and the Institute are the following:

No. File Name General Description 1 Clients Clients of the entity 2 Deposits Information on deposits in the entity. 3 Client Documents Client identification documents. 4 Holders Details of deposit holders, for cases where the type of ownership is co-ownership or alternative ownership. 5 Agencies Names and locations of the institution's branches. 6 Products Types of deposit products that the Institution has approved. 7 Officials and employees Data of the officials and employees of the Institution. 8 Summary of guaranteed deposits Information available from the entity regarding deposits for a possible guarantee payment 9 Adjustments Adjustments made, related to accounts with some type of restriction, adjustments for currency conversion or others depending on the characteristics of each entity. 10 Shareholders Data of the bank's shareholders according to the requirement of the Technical Standards for the Procedure for Information Collection for the Shareholder Registry -37); in the case of cooperative banks, this file will not be included. 11 Risk Assets Information according to the requirement of the Technical Standards on the Procedure for Information Collection from the Central Risk System -41), depending on the type of financial entity it is. 12 Statistical Accounting Information according to the requirement of the Technical Standards for Submission and Collection of Information for the Statistical Accounting System of Financial Entities (NRP-51), depending on the type of financial entity it is.

These files must be able to be related to each other through the unique client number, so that this number must be in the same format in all tables where it is included.

Data Structure Art. 5.- The data structures of the files must be exclusively in plain text files, in accordance with the details and characteristics established in Annex No. 1 of these Standards.

Validator Art. 6.- Entities are obligated to perform validations of the information and to update validation processes when the Superintendence communicates that a change has been made. The validations to be performed are detailed in Chapter IV of these Standards.

Update Art. 7.- The information contained in the files mentioned in Article 4 of these Standards must be kept updated with data coming from the entities' production systems, which must be generated automatically and under established procedures, at the close of each month, at the latest within the first ten business days of the following month. A notification letter must be sent to the Superintendence and the Institute, indicating the name and position of the official responsible for the truthfulness and reasonableness of the data, the medium used to store the information, the name of the person in charge of executing the validation process through the application provided by the Superintendence; as well as the location of the information. The notification letter must be sent during the first 10 business days of March of each year, through the means made available by both institutions, which may be electronic; it must also be updated in case of any change in the information at the latest within 10 days following the change.

Backup Art. 8.- Each entity must have in Removable Storage Devices (USB), or in another storage device of similar nature and easy access for the Superintendence and the Institute, the information files mentioned in Article 4 of these Standards. The removable storage devices referred to in the first paragraph of this article must be safeguarded in the entity's vaults and in accordance with the computer security policies approved by its Board of Directors. The backup must be validated to verify that it has been carried out correctly.

Art. 9.- The Device referred to in Article 8 of these Standards must include at least the following information: a) Data from the last 3 monthly closings of the files required in Article 4 of these Standards; b) Technical information on the generation and transformation process of the information; c) Source code of the module that generates the information; d) User manual of the module that generates the information;

e) Letter from the person who generates the information; f) Name of the person who safeguards the information; the name of the person responsible for it must be provided, the name of the operator who made the copy, the content of the backup, medium and backup application with its version and provider, if applicable; and g) Reconciliations with the balance.

Scope of available information Art. 10.- Entities must keep 100% of the client information available with all their operations in accordance with the detail established in the following Chapter. The client's NIU assigned by the entity must be unique, and its assignment must avoid errors of homonyms. The NIU must allow identifying both active and passive operations of each client with the entity.

Format of amounts Art. 11.- Monetary amounts must be expressed in United States dollars, with two decimals.

Identification of persons Art. 12.- The identification of clients, whether natural persons, legal entities, or autonomous assets, will be made through the NIU assigned by each entity and a second complementary document, whether this is the NIT, the DUI, or another valid identification document allowed, in accordance with the Technical Standards issued by the Committee of Norms of the Central Bank and the internal policies of each entity. Entities must seek the mechanism for updating and purging their databases corresponding to clients in general, whether through the NIU, NIT, or DUI, as these represent the consolidation key for individual deposits (sole holder) or joint by ownership in co-ownership or alternative ownership of a depositor, as well as the key to consolidate loans and other financial operations in the Financial System.

CHAPTER III NOMENCLATURE FOR THE ASSIGNMENT OF FILE NAMES

Description Art. 13.- The names of the files that form part of the structures required for each of the files enumerated in Article 4 of these Standards must be named according to a specific nomenclature, which will consist of 13 characters according to the following detail:

Data 1 Data 2 Data 3 Data 4 File Type Cut-off Date Point Institution Code

Data Length Description 1 2 FILE TYPE These characters identify the type of file, the keys are: 01 = Clients 02 = Deposits 03 = Client Documents 04 = Holders 05 = Agencies 06 = Products 07 = Officials and employees 08 = Summary of guaranteed deposits 09 = Adjustments 2 6 CUT-OFF DATE Format: YYMMDD Where YY = last two digits of the year M = Month DD = Day 3 1 Point (.) 4 4 INSTITUTION CODE It is the code assigned to each member institution by the Financial System Superintendence

The CTRI and shareholders files must be named according to what is established in the Technical Standards on the Procedure for Information Collection from the Central Risk System -41) and in Technical Standards for the Procedure for Information Collection for the Shareholder Registry -37), respectively. For Cooperative Banks, the information regarding shareholders does not apply. In the case of the COES file, in XML format, according to the structure required in the Statistical Accounting -51); depending on the type of financial entity it is.

The files must be stored without assigning any key or password. The description and characteristics of the fields of the required files are detailed in Annex No. 1 of these Standards.

Information transformation documentation Art. 14.- Each entity must prepare and update a document containing the detail of the calculations and operations performed to transform the information from their respective systems to that required in these Standards. The processes for generating the files required in these Standards must be executed on any date of the year. Additionally, it is required that in the removable storage medium (USB) for backup, or in another storage device of similar nature and easy access for the Superintendence and the Institute, the updated code, user manual, and technical manual of the process be included. They must inform the Superintendence of the name and position of the person responsible for safeguarding said document, its location within the entity, personal address, telephone numbers to contact them, and their electronic address.

CHAPTER IV INFORMATION VALIDATION SYSTEM FOR ACCOUNTING

Validations Art. 15.- In order for the provided information to satisfy minimum standards of consistency and quality, allowing the Superintendence to fulfill its purposes; before safeguarding the information, each entity must perform certain reconciliations with the figures contained in its Monthly Balance, considering the accounting information valid. The reconciliation performed must be documented, adding the accounting reconciliation of the corresponding month; it must be copied to the backup medium referred to in Article 8, third paragraph of these Standards. In said file, the adjustments made must be detailed, related to accounts with some type of restriction, adjustments for currency conversion, or others depending on the characteristics of each entity. The following validations are applicable for institutions that manage their accounting through the Bank Chart of Accounts. The validations to be performed between the files required in these Standards and the Statistical Accounting System (COES) are:

Accounts Deposit Files Statistical Accounting 1 Total Deposit Balance Sum of the saldo_tot field in the DEPOSITS file, with active status, inactive. Plus total adjustments. Sum of the items (characteristic) 2110, 2111, 2112, 2113 and 2114

• Total adjustments

Accounts Deposit Files Statistical Accounting 2 Checking Account Deposits Sum of the saldo_tot field in the DEPOSITS file, with active status and cod_prod equal to checking account. Plus adjustments Account 211001 + Adjustments 3 Savings Account Deposits Sum of the saldo_tot field in the DEPOSITS file, with active status and cod_prod equal to savings account. Plus total adjustments Account 211002 + 211003 + Adjustments 4 Time Deposits Sum of the saldo_tot field in the DEPOSITS file, with active status and cod_prod equal to time deposits. Plus adjustments Sum of accounts 2111, 2112 and 2113 minus 211202 + Adjustments 5 Certificates of deposits for housing and agricultural The sum of the saldo_tot field in the DEPOSITS file, with active status and cod_prod equal to certificates of deposits for housing and certificates of agricultural deposits. Plus Adjustments Account 211202 + Adjustments 6 Restricted and inactive deposits Sum of the sal_tot field in the DEPOSITS file, with special condition inactive status. Plus Adjustments Account 2114 + Adjustments

Additionally, entities will validate that no overdraft balances have been included in any of the deposit records. The letter generated by the validator must be sent to the Superintendence at the close of each month, at the latest within the first ten business days of the following month.

CHAPTER V OTHER PROVISIONS AND VALIDITY

Treatment of restricted deposits Art. 16.- All entities must detail in the Deposits File the special condition with which all records with restricted funds are provided, assigning the condition that applies to them. All deposits that register restricted funds must always have a special condition; on the contrary, if a deposit does not register restricted funds, it must not contain any special condition.

Responsibility Art. 17.- Directors, managers, and employees responsible for the reasonableness and review of the information that will be available to the Superintendence will respond in their personal capacity for errors, omissions, and irregularities that it contains; if irregularities in the safeguarded information are proven, they will be sanctioned in accordance with what is established in the Banks Law. The information safeguarded for these purposes may be modified within the period established for its update; once this period has expired, it will be considered definitive; however, the entity may request its substitution, justifying it appropriately, notwithstanding that having been authorized for it, the information will be considered not updated if done outside the period for pertinent legal effects.

On-site visits Art. 18.- Entities must facilitate the download of information from the files required in these Standards h