2026-01-01 | JPRFM-2026-002-F

Resolution JPRFM-2026-002-F: Incorporates Chapter LXVI on Minimum Security Measures for Financial System Entities

The Financial and Monetary Policy and Regulation Board issued Resolution JPRFM-2026-002-F to incorporate Chapter LXVI into the Codification of Monetary, Financial, Securities, and Insurance Resolutions, establishing mandatory minimum physical and non-physical security measures for all entities within the National Financial System. This regulation mandates the implementation of comprehensive security protocols, including access controls, alarm and video surveillance systems, vault safety standards, and detailed security manuals approved by governing boards. The resolution applies to entities under the supervision of the Superintendence of Banks or the Superintendence of Popular and Solidarity Economy, requiring strict adherence to technical guidelines to mitigate operational risks and ensure institutional stability.


Ecuador

Banco Central del Ecuador


RESOLUTION No. JPRFM-2026-002-F

THE BOARD OF FINANCIAL AND MONETARY POLICY AND REGULATION

CONSIDERING:

That, Article 226 of the Constitution of the Republic of Ecuador prescribes that public servants and persons acting by virtue of state authority shall exercise only the competencies and powers attributed to them in the Constitution and the Law;

That, Article 227 ibid states that Public Administration constitutes a service to the community governed by the principles of effectiveness, efficiency, quality, hierarchy, coordination, planning, among others;

That, the first paragraph of Article 303 of the constitutional norm determines that the formulation of monetary, credit, exchange, and financial policies is the exclusive faculty of the Executive Branch and will be implemented through the Central Bank of Ecuador;

That, Article 309 of the Constitution of the Republic establishes that the national financial system is composed of the public, private, and popular and solidarity sectors. Each of these sectors will have specific and differentiated control norms and entities, which will be responsible for preserving their security, stability, transparency, and solidity;

That, on October 13, 2025, the Organic Law Reforming the Organic Monetary and Financial Code was published in the Sixth Supplement of the Official Register No. 142;

That, Article 13 of the Organic Monetary and Financial Code creates the Board of Financial and Monetary Policy and Regulation, part of the Executive Branch, as an organ with functional, technical, and institutional autonomy, and in its decisions, responsible for the formulation of monetary, credit, financial, securities, insurance, and prepaid comprehensive health care services policy and regulation. The Board of Financial and Monetary Policy and Regulation will be the highest governing body of the Central Bank of Ecuador;

That, Article 17 of the aforementioned Code, in its pertinent part, determines that:

RESOLUTION No. JPRFM-2026-002-F Page | 2

"(...) For the fulfillment of these functions, the Board will issue norms in matters within its competence, without altering legal provisions. The Board of Financial and Monetary Policy and Regulation may issue regulations by segments, economic activities, and other criteria. It may even reform or repeal regulations from the former Board of Monetary and Financial Policy and Regulation, the Board of Monetary Policy and Regulation, or the Board of Monetary and Financial Policy and Regulation. All norms and policies issued by the Board of Financial and Monetary Policy and Regulation in the exercise of its functions, duties, and powers must be backed by duly substantiated technical and legal reports (...)";

That, Article 18 ibid establishes the specific functions of the Board of Financial and Monetary Policy and Regulation in the financial sphere, especially in numeral 2, which authorizes this Institution to issue regulations that allow maintaining the integrity, solidity, sustainability, and stability of the national financial, securities, insurance, and prepaid comprehensive health care services systems;

That, Article 24 of the same Code provides that the acts of the Board of Financial and Monetary Policy and Regulation enjoy the presumption of legality and will be expressed through resolutions that will have mandatory force, which will govern from their publication in the Official Register, or from the date of their issuance when so determined by the Board, in accordance with the subject matter;

That, Article 25.2 ibid determines that the Technical Secretariat of the Board of Financial and Monetary Policy and Regulation is exercised by the Central Bank of Ecuador, and Article 25.3 establishes as its functions the preparation of technical and legal reports to support regulation proposals, provide technical and administrative support to the Board of Financial and Monetary Policy and Regulation, and those other tasks assigned to it by said Board;

That, Article 444 of the same Code establishes that popular and solidarity financial entities are subject to the regulation of the Board of Monetary and Financial Policy and Regulation and to the control of the Superintendence of Popular and Solidarity Economy, who in the policies they issue will take into account the nature and specific characteristics of the solidarity financial sector;

That, General Provision Twenty-Ninth ibid states: "In the current legislation in which mention is made, indistinctly, of the Board of Monetary and Financial Policy and Regulation, the Board of Monetary Policy and Regulation; or, the Board of Financial Policy and Regulation, replace and understand as 'Board of Financial and Monetary Policy and Regulation'";

That, General Provision Ninth of the Organic Law of Private Surveillance and Security states that it corresponds to the Board of Financial and Monetary Policy and Regulation to establish the minimum security measures, whether physical or non-physical, for the operation and functioning of offices, service points, and any other of the entities of the national financial system;

That, according to Article 4 of Chapter XXV "Financial Services Public and Private Financial Sector", Title II "National Financial System", Book I "Monetary and Financial System" of the Codification of Monetary, Financial, Securities, and Insurance Resolutions, financial entities must comply with security measures in accordance with current regulations, which allow mitigating the operational risks of the financial services provided by them; and may offer them through different duly registered and authorized channels and which have the corresponding security measures;

That, the First Transitional Provision of the Organic Law Reforming the Organic Monetary and Financial Code determines that the members of the Board of Financial and Monetary Policy and Regulation, sworn in on September 16, 2025, by the National Assembly, will continue to exercise their functions for the periods for which they were designated and will maintain their labor continuity and acquired rights;

That, through Office No. T.233-SGJ-25-098, dated September 5, 2025, signed by the Constitutional President of the Republic, addressed to the President of the National Assembly, he sent the list of candidates for the designation of the Members of the Board of Financial and Monetary Policy and Regulation; as well as, the temporality of their stay within the initial period;

That, the Plenary of the National Assembly, on September 16, 2025, designated and swore in the members of the Board of Financial and Monetary Policy and Regulation, in the persons of: Gustavo Estuardo Camacho Dávila; Silvia Daniela Moya Arteta; Roberto Javier Basantes Romero; María Isabel Camacho Cárdenas; and, Jeniffer Nathaly Rubio Abril;

That, through Memorandum No. BCE-JPRFM-2026-0009-M of January 15, 2026, Master Gustavo Estuardo Camacho Dávila, President of the Board of Financial and Monetary Policy and Regulation, informed of his service commission abroad from January 17 to 30, 2026, due to institutional commitments; disposing, in accordance with current regulations, the substitution of his functions in favor of Master María Isabel Camacho Cárdenas;

That, the Board of Financial and Monetary Policy and Regulation, through ordinary session No. 001-2026, under hybrid modality, on January 30, 2026, reviewed the proposal sent via Memorandum No. BCE-BCE-2026-0029-M, of January 28, 2026, by the General Manager of the Central Bank of Ecuador to the President of the Board of Financial and Monetary Policy and Regulation; as well as, Technical Report No. BCE-SOSTV-2026-0010, of January 26, 2026; and, Legal Report No. BCE-GJ-007-2026, of January 27, 2026; and,

In exercise of its functions and in attention to Article 24 of the Organic Monetary and Financial Code, the Board of Financial and Monetary Policy and Regulation,

RESOLVES:

Sole Article. – Following Chapter LXV "Of non-financial legal entities that, as part of their business, make installment sales or carry out credit operations", Title II "National Financial System", Book I "Monetary and Financial System" of the Codification of Monetary, Financial, Securities, and Insurance Resolutions, add the following chapter:

"CHAPTER LXVI: NORM FOR THE ESTABLISHMENT OF MINIMUM SECURITY MEASURES, WHETHER PHYSICAL OR NON-PHYSICAL, FOR THE OPERATION AND FUNCTIONING OF OFFICES, SERVICE POINTS, AND ANY OTHER OF THE ENTITIES OF THE NATIONAL FINANCIAL SYSTEM"

Art. 1.- Objective: This norm aims to establish minimum security measures, whether physical or non-physical, for the operation and functioning of offices, service points, and any other entities that comprise the national financial system.

Art. 2.- Scope: This resolution applies to entities that comprise the national financial system under the control of the Superintendence of Banks or the Superintendence of Popular and Solidarity Economy, as applicable.


Art. 3.- Minimum security measures applicable to entities of the national financial system: Entities that comprise the national financial system must implement and maintain minimum physical, electronic, and information security measures, applicable to their physical establishments, offices, service points, ATMs, channels, and operational systems and other dependencies, in accordance with what is established in this regulation and with the guidelines issued by the competent control body.

The minimum security measures will comprehensively include those related to the organization, planning, and institutional management of security, the protection of facilities, assets, and patrimony, the custody and transport of money and valuables, the operation of ATMs, the hiring and management of physical and electronic security personnel, as applicable, the implementation of technological security systems, and the management of risks associated with information security.

Art. 4.- General provisions for the implementation of security measures: For the implementation of the minimum security measures provided for in the previous article, entities that comprise the national financial system must observe the technical guidelines and parameters established by the competent control body, based on their risk profile, nature of operations, territorial coverage, and characteristics of the service they provide.

The aforementioned entities may adopt additional measures to strengthen their security, provided that these are compatible with current regulations and do not contravene the technical provisions issued by the competent control body.

The minimum security measures will include, at least, the following:

a) Implement and maintain in operation devices, systems, mechanisms, and security equipment intended for the protection of clients, users, staff, employees, the general public, and institutional patrimony, in accordance with the technical, location, and operation criteria defined by the corresponding control body;

b) Have permanently operational security systems, in accordance with the provisions established by the corresponding control body;

c) Have areas with adequate, sufficient, and continuous lighting. In spaces where cash or valued documents are handled, such as vaults, safes, ATMs, self-service banks, and night consignors, as applicable to the sector, lighting and security must be reinforced, ensuring their permanent operation even in the event of power outages, as provided by the corresponding control body;

d) Maintain access control mechanisms to the establishment, in the spaces where they serve the public and in restricted zones;

e) Guarantee that the entrance doors to entities that comprise the national financial system have locks with coded keys or other equivalent systems, which require the presence and verification of authorized personnel for the opening and closing of daily operations;

f) Implement effective security and surveillance systems inside their facilities, by hiring duly authorized private security companies, in accordance with applicable regulations;

g) Ensure that access to the cashier area is restricted for the public and for unauthorized personnel of the entities that comprise the national financial system, and that the area is located in such a way as to minimize the risks of third parties stealing money or carrying out other illegal activities, in accordance with the parameters established by the corresponding control body;

h) Prohibit personnel performing cashier functions and personnel with access to the cashier space from carrying or using communication or image capture equipment during the exercise of their functions. Only the use of institutional communication means, under control, authorization, and supervision of the financial entity, will be permitted; and,

i) Those other measures determined by the corresponding control body.

Art. 5.- Security and Protection Manuals and Policies: Entities of the national financial system must have Security and Protection Manuals and Policies, which must be approved by the board of directors, board of administration, or the body acting in its place.

These manuals and policies must contain, at least, the fundamental aspects for the security of the entities, particularly the protection of their staff, employees, partners, clients, and financial users, as well as their establishments, assets, and patrimony, in accordance with the characteristics of the sector to which they belong, including protection in the transport of money and valuables.

The Security and Protection Manuals and Policies must contemplate, as a minimum, the following elements:


a) The policies, norms, principles, and basic processes according to which entities that comprise the national financial system will formulate, implement, and evaluate their security and protection measures;

b) The minimum security measures provided for in this regulation, specifying their characteristics and, where applicable, technical specifications, dimensions, material quality, or other relevant aspects;

c) Additional security measures that entities that comprise the national financial system decide to adopt, oriented towards the mitigation and reduction of risks, complementary to those established in this regulation, provided that they do not conflict with the technical provisions issued by the corresponding control body;

d) Criteria for the design, adaptation, and construction of their establishments, including the installation, operation, and control of devices, mechanisms, data processing centers, communication systems, and other technical protection equipment necessary for the provision of financial services;

e) Processes, systems, and operational controls intended for the prevention, detection, mitigation, and management of irregularities in the execution of operations and in the handling of money and valuables under their responsibility;

f) The characteristics and requirements that monitoring and alarm systems must meet, including quality levels, availability, and reliability, as well as the technical and technological specifications necessary for the adequate emission, transmission, and recording of signals and images;

g) Guidelines regarding information security, including, among others, physical security, and the security and protection of communication networks and systems;

h) Criteria for the selection, recruitment, and training of human resources, as well as for the hiring of specialized services intended for the information, physical, and electronic security of entities that comprise the national financial system and their establishments;

i) Guidelines and training and awareness plans directed at the personnel of entities that comprise the national financial system, particularly regarding training for the handling of accidents or acting during the commission of criminal acts, which must be updated at least once (1) per year;

j) Devices, systems, and procedures for the control of entry and exit of personnel of entities that comprise the national financial system;


k) Devices, systems, and procedures for the control of entry and exit of clients, partners, financial users, supervisors, suppliers, and other persons who access the facilities of entities that comprise the national financial system, as applicable;

l) Procedures related to the handling, custody, and protection of information regarding clients or partners of entities that comprise the national financial system, as applicable;

m) Security, emergency, contingency, and business continuity plans of entities that comprise the national financial system in the event of accidents, criminal acts, and vulnerabilities to information security, the effectiveness of which must be evaluated and proven through drills, in accordance with the periodicity and conditions determined by the competent control body; and,

n) Those other measures determined by the corresponding control body.

Art. 6.- Security measures applicable to vaults and safes: Regarding vaults and safes intended for the safeguarding of money and valuables, entities that comprise the national financial system must observe the following provisions:

a) Vaults, safes, and their connected areas where money and valuables are deposited will have restricted access and must have elements, devices, and systems that guarantee integral security and protection, both of the content safeguarded, the facilities, personnel of the entities that comprise the national financial system, and the procedures for deposit, withdrawal, transport, and custody of money and valuables;

b) Vaults, safes, and vault doors must meet the security characteristics established by competent control bodies, in accordance with applicable regulations.

c) Entities must maintain adequate insurance policies for the coverage of risks associated with the nature of the entity's financial operations;

d) Vaults must have timed locks on their doors, interior video surveillance systems, ventilation systems, and security devices, including smoke, motion, and vibration sensors. Additionally, they must have panic buttons and communication systems located strategically, to allow permanent monitoring of safeguarding areas, in accordance with the technical parameters determined by competent control bodies.


e) Entities that comprise the national financial system must establish formal and documented procedures for the opening and closing of vaults, as well as specific protocols for the handling of emergency situations, in accordance with what is provided by competent control bodies.

f) Safes and compartments intended for the safeguarding of reserve money and valuables must meet the technical requirements established by competent control bodies and have, at least, timed locks or other equivalent security mechanisms; and,

g) Other measures determined by the competent control body, within the scope of its functions.

Art. 7.- Security measures applicable to alarm systems: Regarding alarm systems, entities that comprise the national financial system must consider that:

a) All installations of entities that comprise the national financial system must have anti-theft and fire alarm systems, linked, via radio frequency, cable, or other equivalent technological means, to monitoring and response centers, connected with competent citizen security entities;

b) Alarm systems intended for the prevention and detection of theft risks will have certifications that guarantee their quality, reliability, and performance;

c) Alarm systems must be verified, tested, and maintained permanently, in order to guarantee the correct functioning of the equipment and the adequate action of the responsible personnel. Likewise, communication systems with competent citizen security entities must be tested at least twice a year;

d) All electronic systems, alarms, and other security devices of entities that comprise the national financial system must remain operational at all times and allow the capture and recording of alarm signals, as well as, where applicable, events associated with criminal acts or accidents. The recordings and records generated must be made available to competent authorities who require them, free of charge and without any restriction; and,

e) Other measures determined by the corresponding control body, within the scope of its functions.


Art. 8.- Security measures applicable to video surveillance systems: Regarding video surveillance systems, entities that comprise the national financial system must consider that:

a) Entities that comprise the national financial system must have fixed and mobile closed-circuit television cameras, with high-resolution image capture capability, equipped with recording and storage systems, such as video recorders, hard drives, or other equivalent technological means, which allow continuous recording of images during the twenty-four (24) hours of the day, seven (7) days a week, as well as with other requirements determined by the competent control body;

b) Fixed location cameras must be installed and operated in accordance with the technical, coverage, location, and operation criteria defined by the competent control body; and,

c) Recording, storage, conservation, and access systems to captured images must comply with the technical and security guidelines established by the competent control body, guaranteeing their in